Become a fan of Slashdot on Facebook

 


Forgot your password?
Close
typodupeerror
×
OS X Businesses Operating Systems Apple

Root as Primary Login: Why Not? 164

Posted by pudge from the uh dept.
A user writes, "I help moderate a forum dealing with Mac OS X, and I'm having an awful time convincing a fair portion of our readers that logging in as root all the time is a Really Bad Idea. Worse, though, are the ones who try to convince others to log in as root all the time, claiming it's 'more Mac-OS-9-like,' or saying 'it's not really more insecure,' or even that 'a firewall should deter hackers pretty well.' I know all the standard arguments, but they're not working out. Does anyone here have some real-world anecdotes that I can point to?"
This discussion has been archived. No new comments can be posted.

Root as Primary Login: Why Not? More

Root as Primary Login: Why Not?

Comments Filter:

  • Live and learn (Score:2, Insightful)

    by Dirty Pickle ( 576372 ) on Monday May 06, 2002 @12:22AM (#3468071)
    I hate to say it, but they're going to have to get burned before they understand why they shouldn't log in as root all the time. Everyone I know has rm -rf'ed something important once, but just once.

  • OS 9 like? Nope. (Score:5, Insightful)

    by jasonwileymac.com ( 560445 ) on Monday May 06, 2002 @12:40AM (#3468112) Homepage
    "...claiming it's 'more Mac-OS-9-like,' "
    Nope. Not at all. OS 9 has the same level of protection for itself that OS X does, it just works a bit differently. Tell your friends to try this... In OS 9, drag your System Folder to the trash. Go on, do it. Whupps - you can't. Why? Because you don't have 'permission' to. You can only do it if you boot from a different source, like a CD or another volume. Unix does this far better than OS 9 could, but it's basically the same idea. Logging in as ROOT lets you do anything you want. Toss your kernel? SURE!!! No problem! BAD idea. I feel that if someone doesn't know why they shouldn't be root, that alone is reason enough for them NOT to be.

  • Re:Real world example....... (Score:3, Insightful)

    by irony nazi ( 197301 ) on Monday May 06, 2002 @12:50AM (#3468142)
    You miss a very important point.

    People who don't understand why you would/wouldn't log in as root are *extremely* unlikely to be playing around with 'rm', 'chmod', and 'mv'.

    You would have a better argument saying something to the effect of "dragging an important system file into the trash" or moving/renaming an important file/folder.

    I find it amazing how many people don't want to *login* to their computers.

    They tell me, "I know that it's safer to log into my computer, but it's such a pain." --to which my usual reply is "You don't know that it's safer to log in."

  • Not a new problem (Score:3, Insightful)

    by Permission Denied ( 551645 ) on Monday May 06, 2002 @04:10AM (#3468563) Journal
    I knew this physics guy that bought a Linux box so he could do his Fortran numerical analysis on his own, without relying on the insanely big, fast and reliable physics servers (go figure). Smart physics guy, complete unix newbie.

    I'll only tell you the anectdote salient to this article. He would, of course, only log in as root as the KDE rpm front-end wouldn't work when you're logged in as a regular user and he didn't want to figure out how to use the the command-line rpm (I don't know if currently KDE does a sudo/su-type thing using the GUI, but it didn't back then - if you ran kfm as non-root, you couldn't use the RPM front-end).

    At one point he could no longer log in. Problem? / was full. He was downloading all his stuff into /root (a one gig partition) and /home (20 gig partition) was completely empty. You could log in from console, but not from XDM since XDM creates files in /tmp upon login. He had no idea how to get from XDM to another virtual console, so he was effectively locked out of his machine.

    My point? Give up. Don't worry about it. They will not learn why logging in as root is bad until they get burned. Especially since you're just a forum moderator - if you were getting paid to do this and your job depended on these machines staying up, you would have every responsibility to ensure people were properly following your policies; but, as a mere guru to these people, allow them to learn in the most effective fashion: trial by error.

  • Re:OS 9 like? Nope. (Score:3, Insightful)

    by WalterSobchak ( 193686 ) on Monday May 06, 2002 @05:24AM (#3468661) Homepage Journal
    OS 9 like, sounds like "More Mac like", and logging in as root is not.
    My first Macintosh manual (for the Macintosh 512k) had the following to say about installing the "Programmer's Switch": "The Programmer's Switch is used to create an Interrupt or a Reset. If you do not know what an Interrupt or a Reset is, you do not need this switch". While people may criticize this, it has always been Apple's strategy to protect users from their own stupidity.
    So really to emphasize the parent post, "If you do not know why to log in as root, don't do it." Period. Nuff said

    Alex -- (And I don't even normally log into my BSD box as root)

  • Re:You don't log in as root in macosx (Score:4, Insightful)

    by Phroggy ( 441 ) <slashdot3@ p h roggy.com> on Monday May 06, 2002 @11:12AM (#3469718) Homepage
    For the old unix hacker it looks like you're logging in as root, but that's not really the case. At install time the system creates two users, both have the same name and the same password!

    Um, no. This may have been true in pre-release versions, but in 10.0 and later, only your regular non-root account shows up in System Preferences. The root account doesn't have your name on it, and the encrypted password is set to "*" meaning logins are disabled altogether.

    One is just a user, the other is root. In previous versions ( i haven't tested it lately) you could change the password of one but it wouldn't result in a password change of the other (which gave alot of headaches).

    They are not the same account, so changing a user password will not change the root password, and vice-versa.

    Now if you log in you're the normal user, and you can't do anything really dangerous. You need su (which needs to be activated, it isn't possible by default) or sudo to do something as root. Also when you're doing an install that requires root the installer will ask for a super user.

    If you're an Administrator, you do have write access to the contents of /Applications and /Library, just not /System. The reason su doesn't work by default is, root doesn't have a password by default. However, any Administrator can run any command as root with sudo - for example, "sudo tcsh" will get you a root prompt.

    In both cases you use your own username and password (if your user is created at startup). So If somebody sneaks behind my computer when I'm gone to do something else, they can't really do anything dangerous. They would still need a password!

    If you're doing something that actually requires root privaleges, such as changing system settings or installing software, you must authenticate as an Administrator, even if you're already logged in as an Administrator. If you type "sudo tcsh", sudo will prompt you for your password. It's an excellent system.

    You can make more users if you want without any rights (that's easy), but the system works better than it looks because you don't log in as root!

    What?

    You can if you want to btw. The password of root is the same as the password of the user.

    As I said before, this is wrong. As I recall, the Public Beta set the root password to the same as the user password at install time; the final version didn't do this.

    If you do want to enable root logins, there are three ways to do it:

    A) open NetInfo Manager, click the padlock icon, authenticate, then go to select the Domain/Security/Enable Root User menu item

    B) open NetInfo Manager, click the padlock icon, authenticate, browse to /users/root, and change the value of the passwd item to an encrypted password

    C) open Terminal, type "sudo passwd", authenticate, and set a root password.

    It does nail down the importance of good passwords which is something that alot of macusers are new to.

    I set my system to automatically log me in at boot time, so it doesn't nail down anything.

  • Have your grandmother try to read this thread... (Score:2, Insightful)

    by frenchgates ( 531731 ) on Monday May 06, 2002 @12:41PM (#3470495)
    ...to understand why *nix is not ready for home user desktop prime time.

  • Two good reasons together make ..... (Score:3, Insightful)

    by Dimes ( 10216 ) on Monday May 06, 2002 @04:14PM (#3472265) Homepage
    ....an even more significant reason:

    1)As root you have the ability to not only do damage to your own user files...but you have the ability to damage/destroy the whole system. Being a user on a UnixOS is one of its beauties. No matter how bad you screw up as a user, its only your files...the system will still be there.

    2)OSX runs a number of Microsoft Applications....i.e. the Office Suite, and Outlook...which are notoriously prone to security problems.(albeit, quite a bit less on Mac)

    Mix those two reasons and you get something like Windows, where one script sent by email, clicked on by an /uneducated/ user(and sometimes not even clicked on...just received by something like Outlook) while logged in as root....and poof there goes the whole machine....lucky, at least for the rest of us cause at least that users box is gone.....or really unlucky for the net community at large if the virus/worm/et.al. keeps the machine and starts doing nasty self propagation.

    So, just dont do it. There is so little a regular user needs root for...and for that Apple has provided sudo....built in from the start.

    Dimes

Slashdot Top Deals

An Ada exception is when a routine gets in trouble and says 'Beam me up, Scotty'.

Close