Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
OS X Businesses Operating Systems Apple

Root as Primary Login: Why Not? 164

A user writes, "I help moderate a forum dealing with Mac OS X, and I'm having an awful time convincing a fair portion of our readers that logging in as root all the time is a Really Bad Idea. Worse, though, are the ones who try to convince others to log in as root all the time, claiming it's 'more Mac-OS-9-like,' or saying 'it's not really more insecure,' or even that 'a firewall should deter hackers pretty well.' I know all the standard arguments, but they're not working out. Does anyone here have some real-world anecdotes that I can point to?"
This discussion has been archived. No new comments can be posted.

Root as Primary Login: Why Not?

Comments Filter:
  • I'm a newbie and I always initially log in as root because that's the only way I can get adsl-connect going. I guess maybe I installed it as root, because it doesn't show up or run when I log-in as a regular user. Not a big deal but it is annoying to have to log in as root to get online and then to log out and log back in.
    • If it needs root access to devices, which it almost certainly does to ifconfig an interface up, it should be installed suid root (if safe). Also, sudo is a great utility for doing things as root, does it come installed by default?
    • by lexarius ( 560925 ) on Sunday May 05, 2002 @11:07PM (#3468035)
      Well, you could have a script run at boot time to connect the adsl, or one that is set to run as root no matter who runs it.

      As for the original poster, I don't know what to say. In OS X root still has to give his password for authentication screens. The only convenience I can really see it having is to mess around with system libraries and configuration files unchecked. Oh yeah, thats right. Most unices aren't very vulnerable to virii because the user isn't root, so the virus can't get at the important things. The most a trojan could do is take out your home directory. Your system would still run.

      Of course, logging in as root makes the system slightly more vulnerable to local attacks, but that isn't saying much.

      Cmd-S during boot-up.
      fsck -y
      mount /
      SystemStarter
      passwd root

      System compromised.
      But thats a feature. I think it can be disabled, possibly by supplying an OpenFirmware password... auto-logging in as root sort of ruins that, though.
      If people want security similar to Windows, tell them to run as root. OS9 is somewhat more "secure" than OSX because it was meant to be stupid-proof. Running as root in OSX is like telling the computer you really know what you're doing. If you don't, you shouldn't.
      • by Permission Denied ( 551645 ) on Monday May 06, 2002 @07:19AM (#3468848) Journal
        Well, you could have a script run at boot time to connect the adsl, or one that is set to run as root no matter who runs it.

        OS X, like most unices, doesn't honor the set-uid bit for scripts.

        I would just write a trivial C program and make that set-uid:

        #include <unistd.h>

        #define ADSL "/path/to/adsl-connect"

        int main()
        {
        execl(ADSL, ADSL, NULL);
        return 1;
        }

        On OS X, install dev tools, compile as "cc file.c -o my-script" and then "chmod 4755 my-script". You can then run it from a normal user shell and the script is run as root (make sure the file is owned by root).

        NB: I'm not replying directly to you, but rather to the original poster who wanted to know how to do this.

    • because it doesn't show up

      Nobody has yet replied to this point (subtle, this is easy to miss unless you've worked with people).

      This is because adsl-connect is probably not in your PATH (I'm guessing it's in /sbin or /usr/sbin). You can do a 'man bash', hit the '/' key, type in PATH and keep typing 'n' until you find the entry in the manual page explaining how PATH works.

      Short story: type in the following:

      su -
      which adsl-connect
      Make sure to type in the dash in the 'su' command. The second command should tell you exactly where adsl-connect is, and you can go from there.
  • Not yet… (Score:3, Funny)

    by DarkVein ( 5418 ) on Sunday May 05, 2002 @11:09PM (#3468038) Journal
    Does anyone here have some real-world anecdotes that I can point to?
    But I can make some what did you say their addresses were?
    • Read down a few threads to the MacNN link. That foobar posted his domain URL is appears. :rolleyes:

      I read the thread for a few minutes and smiled. Then I remembered there was a real world and had some work to finish up.

      Fools rush in where wise men fear.........
    • Why would logging in as root on the console make you more vulnerable to remote compromise? To trojans, sure, but that's not what you seem to be implying. Last time I checked a root login doesn't expose any bugs in sendmail, bind, etc. so what are you talking about?
  • My main reason for why you don't use root entirely is eventually no matter how careful you are you WILL make a mistake. Be it rm, chmod, mv, it will happen. If you use another account and try to do as much as you can as a none root user and only su up you will be less likely to simply careless do something.

    But that is my 2 cents, my advice would be to present your argument, if they don't want to listen and want to put their boxes at risk, let them. When they accidentally make a mistake bring their system down they will learn. If they don't learn from that and keep recommending bad admin practices to others, well they are morons. But that is another issue.
    • You miss a very important point.

      People who don't understand why you would/wouldn't log in as root are *extremely* unlikely to be playing around with 'rm', 'chmod', and 'mv'.

      You would have a better argument saying something to the effect of "dragging an important system file into the trash" or moving/renaming an important file/folder.

      I find it amazing how many people don't want to *login* to their computers.

      They tell me, "I know that it's safer to log into my computer, but it's such a pain." --to which my usual reply is "You don't know that it's safer to log in."

      • > I find it amazing how many people don't
        > want to *login* to their computers.

        Yes, because most of these people just want to use the computer to get something done, and its the job of the computer to make that easier, rather than toss more obstacles to getting things done.

        Because they didnt have to login, or didnt have to su to get things done in the past, they see this extra work as a waste and thus want to avoid it.

        Computers should be smart enough to handle these things. Like auto updating patches to the OS or virus signatures, or compressing big files, or other 'routine' stuff.

        Maybe extend the analogy to 'have the computer auto-empty the trash for you'. Most people can see that this might be a bad idea, because sometimes you mistakenly delete the wrong file. Then tell them that having to sudo for things rather than always being root is the same - it keeps you from making they types of mistakes that are difficult to recover from.
        • If typing a few characters to login is seen as work than apple has done a piss poor job of educating their customers on security issues. I remember having the same discussion with a graphic artist the company I worked for hired for a project about logging into a vpn from home, these sort of notions are dangerous from a network admin point of view. Apple needs to put biometrics in every keyboard and laptop they sell if they don't want this from becoming more of a problem than it already is.
  • Live and learn (Score:2, Insightful)

    I hate to say it, but they're going to have to get burned before they understand why they shouldn't log in as root all the time. Everyone I know has rm -rf'ed something important once, but just once.
  • by Anonymous Coward on Sunday May 05, 2002 @11:38PM (#3468107)
    Don't smoke it. I did once and got hooked. I ran Mac OS Updates as root. Fuck, I even had sex with my girlfriend as root. Man, that caused some permissions problems. When I started the road to recovery (logging in as Zacks) my girlfriend was all like: "Fuck no! You can't get any cause you don't own me an I don't go groups. You don't have the power to read, write OR execute so get out of my FACE" So I was all HELL NO bitch. And she wuz like you do not have root (superuser) privlages so get out of my TruBlueEnvironment! So then I went chown and chmodded her ass to me. Dat be-otch be up in my hizzouse. What what. Holla!
  • OS 9 like? Nope. (Score:5, Insightful)

    by jasonwileymac.com ( 560445 ) on Sunday May 05, 2002 @11:40PM (#3468112) Homepage
    "...claiming it's 'more Mac-OS-9-like,' "
    Nope. Not at all. OS 9 has the same level of protection for itself that OS X does, it just works a bit differently. Tell your friends to try this... In OS 9, drag your System Folder to the trash. Go on, do it. Whupps - you can't. Why? Because you don't have 'permission' to. You can only do it if you boot from a different source, like a CD or another volume. Unix does this far better than OS 9 could, but it's basically the same idea. Logging in as ROOT lets you do anything you want. Toss your kernel? SURE!!! No problem! BAD idea. I feel that if someone doesn't know why they shouldn't be root, that alone is reason enough for them NOT to be.
    • OS 9 like, sounds like "More Mac like", and logging in as root is not.
      My first Macintosh manual (for the Macintosh 512k) had the following to say about installing the "Programmer's Switch": "The Programmer's Switch is used to create an Interrupt or a Reset. If you do not know what an Interrupt or a Reset is, you do not need this switch". While people may criticize this, it has always been Apple's strategy to protect users from their own stupidity.
      So really to emphasize the parent post, "If you do not know why to log in as root, don't do it." Period. Nuff said

      Alex -- (And I don't even normally log into my BSD box as root)
      • i don't own a mac 512, nor do i plan to own one (i'd like one though). i guess its safe to tell me,

        what exactly does the programmer's switch do? :-D
        • If you have MacsBug installed (the system debugger) it brings it up with a cli.

          If you don't, it brings up a modal dialog box with a prompt that simple remains until you type g on a single line or you hit the hard reset button. Needless to say, not many knew what to write.

          To be fair, you could also type G <address> where address is what you want to set the pc to, but how useful is that in an OS with mandatory PIC?
    • Toss your kernel? SURE!!! No problem! BAD idea.

      Many years ago, as a university sys admin I remember getting a call from the music department for help. Their NeXT machine wouldn't boot at all. They had been "cleaning up" the disk space and - you guessed it - they removed that big "vmunix" file.

      Devon

  • Original Thread (Score:2, Informative)

    by owenc ( 255848 )

    There are a lot of threads at various mac forums with this topic, but a current one is here at MacNN forums [macnn.com].

    MacNN forums seems to have a well deserved reputation for being full of idiots. Especially in the OS X threads.

    Say hello to "Bobby" from Ventura California, who started this thread :)

  • Here's one. (Score:5, Informative)

    by Eagle7 ( 111475 ) on Sunday May 05, 2002 @11:48PM (#3468138) Homepage
    Let's say that you want to change the permissions of all the files in your home directory to go-rwx (which make sense). So, you type:

    chmod go-rwx ~/*

    But by mistake, you hit the space bar, and get:

    chmod go-rwx ~ /*

    By the time you realize the hard disk has churned too long, you'd just gone and wiped the permissions on /bin, /sbin, /var, etc. You're system is now screwed up to the point where it's probably faster to reinstall than change all the permissions. If you weren't root, you'd see something like this (from a Linux-PPC box):

    [pts/2@tardis:/home/dmorriso @00:45] chmod go-rwx ~ /*
    chmod: /bin: Operation not permitted
    chmod: /boot: Operation not permitted
    chmod: /dev: Operation not permitted
    chmod: /etc: Operation not permitted
    chmod: /home: Operation not permitted
    chmod: /lib: Operation not permitted
    chmod: /lost+found: Operation not permitted
    chmod: /mnt: Operation not permitted
    chmod: /opt: Operation not permitted
    chmod: /proc: Operation not permitted
    chmod: /root: Operation not permitted
    chmod: /sbin: Operation not permitted
    chmod: /tmp: Operation not permitted
    chmod: /usr: Operation not permitted
    chmod: /var: Operation not permitted
    [pts/2@tardis:/home/dmorriso @00:46]

    And yes, back in the day, I did make this oops and had to reinstall, because I had used su rather than sudo, and had forgotten to un-su. I started using sudo right afterwards. :)
    • Re:Here's one. (Score:4, Informative)

      by foobar104 ( 206452 ) on Sunday May 05, 2002 @11:57PM (#3468157) Journal
      chmod go-rwx ~ /*

      I just want to second this. I did the same thing once, but on an SGI O2 rather than a Mac. My variation: chown -R foo / when I meant to type chown -R foo .. The dot and the slash are just too damn close together for comfort.

      That was when I learned that you can't boot an SGI if files like /bin/sh and /sbin/init aren't owned by root.

      And yeah, it was easier and faster to just reinstall the OS than it was to try to fix the ownerships.
    • D'oh - I forgot the -R in that example, which is the real kicker.
    • How about this:

      You want to change all your .emacs, .exrc, .whatever to be world-readable so everyone can see just how clever you are:

      chmod -R go+r .*

      Well, not so clever after all. '.*' expands to include '..' and '.' and the -R flag combines with this in a Very Bad Way. I got burned by this once (different circumstances, however, I su'ed into root to change some stuff in /tmp). This also depends on what shell you use: with bash, you're screwed, with zsh, you're OK.

    • Re:Here's one. (Score:3, Informative)

      by tunah ( 530328 )
      Mine was worse.

      I don't have rpm installed, but I found a program that was only available as rpm. So I ran rpm2targz on it and then tar xvzf. It then extracted a whole bunch of files into a new usr folder in my current working directory, as I had forgotten to cd /. I was still root. So now to get rid of the directory I tried to type:

      rm -r usr/

      What I actually typed was this:

      rm -r /usr

      Oops!

    • I pulled something like that when I was still a linux newbie (and logging in as root regularly). I was having some trouble with a program and decided it must be a problem with one of those 'dot files' , so I figured I would be slick and delete all of them:

      rm -rf .*

      that should do it ...

      ...

      why is the disk still churning ...

      /me slaps forehead

      .* matches ..

      I have never logged in as root since, and I'm very carefull with su
    • Ahhh, yes. Been there, done that. Of course, mine looked so innocent. Messing around in /proc, tried to make everything readable (to see how the proc virtual filesystem interacts with permissions). "chmod -R a+rwx *" Even made sure I was in the right place first. What I quickly (but not nearly quickly enough) learnt was that chmod -R follows symlinks, and that symlink to / made that command much less fun than it should have been. To this day, I loath commands that follow symlinks recursively (cp -r, chmod -R, I'm sure there are others), but I have gotten much better at "find -print0 | xargs -0".
  • by Bart van der Ouderaa ( 32503 ) on Sunday May 05, 2002 @11:49PM (#3468141)
    For the old unix hacker it looks like you're logging in as root, but that's not really the case. At install time the system creates two users, both have the same name and the same password!

    One is just a user, the other is root. In previous versions ( i haven't tested it lately) you could change the password of one but it wouldn't result in a password change of the other (which gave alot of headaches).

    Now if you log in you're the normal user, and you can't do anything really dangerous. You need su (which needs to be activated, it isn't possible by default) or sudo to do something as root. Also when you're doing an install that requires root the installer will ask for a super user.

    In both cases you use your own username and password (if your user is created at startup). So If somebody sneaks behind my computer when I'm gone to do something else, they can't really do anything dangerous. They would still need a password!

    You can make more users if you want without any rights (that's easy), but the system works better than it looks because you don't log in as root!

    You can if you want to btw. The password of root is the same as the password of the user.
    It does nail down the importance of good passwords which is something that alot of macusers are new to.
    • At install there is no root user created. So by default you cannot log in as root from the gui or via su. sudo is available however to users who are set as "admin".
      You can enable root through the netinfo config utility. It asks for a new root password.
      • by Drakino ( 10965 ) on Monday May 06, 2002 @12:33AM (#3468275) Journal
        At install there is no root user created. So by default you cannot log in as root from the gui or via su. sudo is available however to users who are set as "admin".

        You can enable root through the netinfo config utility. It asks for a new root password.


        Partially correct. root is created on install just like any other Unix, and is the owner of most files on the system initially. Just who knows what the password is. Netinfo lets you set a different password, but all it is is a pretty GUI for "sudo su; passwd root".
    • by Phroggy ( 441 ) <slashdot3@@@phroggy...com> on Monday May 06, 2002 @10:12AM (#3469718) Homepage
      For the old unix hacker it looks like you're logging in as root, but that's not really the case. At install time the system creates two users, both have the same name and the same password!

      Um, no. This may have been true in pre-release versions, but in 10.0 and later, only your regular non-root account shows up in System Preferences. The root account doesn't have your name on it, and the encrypted password is set to "*" meaning logins are disabled altogether.

      One is just a user, the other is root. In previous versions ( i haven't tested it lately) you could change the password of one but it wouldn't result in a password change of the other (which gave alot of headaches).

      They are not the same account, so changing a user password will not change the root password, and vice-versa.

      Now if you log in you're the normal user, and you can't do anything really dangerous. You need su (which needs to be activated, it isn't possible by default) or sudo to do something as root. Also when you're doing an install that requires root the installer will ask for a super user.

      If you're an Administrator, you do have write access to the contents of /Applications and /Library, just not /System. The reason su doesn't work by default is, root doesn't have a password by default. However, any Administrator can run any command as root with sudo - for example, "sudo tcsh" will get you a root prompt.

      In both cases you use your own username and password (if your user is created at startup). So If somebody sneaks behind my computer when I'm gone to do something else, they can't really do anything dangerous. They would still need a password!

      If you're doing something that actually requires root privaleges, such as changing system settings or installing software, you must authenticate as an Administrator, even if you're already logged in as an Administrator. If you type "sudo tcsh", sudo will prompt you for your password. It's an excellent system.

      You can make more users if you want without any rights (that's easy), but the system works better than it looks because you don't log in as root!

      What?

      You can if you want to btw. The password of root is the same as the password of the user.

      As I said before, this is wrong. As I recall, the Public Beta set the root password to the same as the user password at install time; the final version didn't do this.

      If you do want to enable root logins, there are three ways to do it:

      A) open NetInfo Manager, click the padlock icon, authenticate, then go to select the Domain/Security/Enable Root User menu item

      B) open NetInfo Manager, click the padlock icon, authenticate, browse to /users/root, and change the value of the passwd item to an encrypted password

      C) open Terminal, type "sudo passwd", authenticate, and set a root password.

      It does nail down the importance of good passwords which is something that alot of macusers are new to.

      I set my system to automatically log me in at boot time, so it doesn't nail down anything.
  • Mix root with a nice, easy to use GUI and you've got trouble. Having a CLI provides a level of protection (But still, the difference between rm -rf /tmp/somedirectory and / tmp/somedirectory may only be a space, but I hope you've got backups).

    Anyways I was using the Gnome filemanager at the time and was logged in as root, and moved the /lib directory into the /usr directory. As libc couldn't be found, I was unable to run any commands, and this resulted in a reinstall, as I didn't have the skills to restore the problem.
    • All you had to do was boot from a floppy or CD, mount your disk, and move the directory back. I have had to do this after toasting libc before.
  • by dh003i ( 203189 ) <dh003i@gmai[ ]om ['l.c' in gap]> on Monday May 06, 2002 @12:15AM (#3468207) Homepage Journal
    As a command-line user, I understand the value of not logging in as root all the time.

    However, most Mac users couldn't use a command line if their life depended on it and probably don't even know that MacOSX has a command line.

    The MacOSX user who's a classic mac user will probably never use the command line; if they have to rename a thousand files to add an extension or a prefix or whatever, they'll do it by hand, not by using a tcsh script.

    So, the question is, how much damage can one do from the MacOSX GUI at root? I don't know. I have accounts on other ppl's MacOSX computer (namely, at my University) but have never been logged in as root.

    Of course, not logging in as root doesn't only protect you from yourself. It also protects you from "trogan" install programs, which say they'll do one thing, and in fact delete the entire hard drive or something else like that.
    • Actually, I'd use an applescript or a utility such as A Better Finder Rename [versiontracker.com]. The lack of a command line does not mean the lack of scripting tools for repetitive tasks.
    • I agree with your position that GUIs are less dangerous while root than CLIs are because GUIs execute gestures which have zero chance of a wildcard typo error. If one examines most of the other arguments presented by slashdotters for not using root, they seem to have to do with chowns, and rms gone awry. There is certainly no risk of that in a GUI.

      However, I think you have a misconception of "classic" mac users. I would argure that because in order to log in as root in the first place, the user had to go out of her way to enable root in netinfo, this implies a certain level of sophistication, or a least a desire to learn the ropes and gain a greater understanding of the system. The behavior could have been motivated by doing a lot of su commands that the user viewed as tedious and hence sought an alternative. Which implies command line use.

      I think the important question is WHY on earth do these users find themselves requiring superuser privleges in the first place? Its probably because they want to tweak the system, which mac users are notorious for, so they may as well resign themselves to having to re-install the system at some point.

      I think the problem lies in recommending root-running to others. The argument should be presented like this:

      root is there as a layer of protection, to protect you from yourself, and to protect your system from things you might download that could do bad things to your system intentionally or not.

      If you run as root, you lose that protection. Take it or leave it, but if you recommend that others also abandon the protection that root provides, please provide them with the coutesy of explaining roots purspose in protecting them from themselves.
    • So, the question is, how much damage can one do from the MacOSX GUI at root?

      Muck around in /System and you can render the OS unbootable.
    • Any halfway smart(lazy) mac user that needed to rename 1,000 files would use DropRename or some other util.
  • Make them use Windoze for a week or two, all the while passing all relevant details of their machines to every cracker you know. They'll be begging you to never let them use root again. :)

    Seriously though, a lot of the time when I'm running Linux, I'm in both using my normal account and my root account (though root is on a console and just running top). If there's danger even in that (other than killing the wrong processes), I'd love to hear about them -- better safe than sorry!
  • Are there any problems or security issues doing everything as administrator with Windows XP Professional? I'm just a personal user, and other than using client software for many internet uses, I don't server anything. And problems other than "the fact that Windows sucks" would be nice. ;)
    • Administrator on Win2k and WinXP are very different from root on a *nix. Win2k and WinXP both treat Administrator as a normal user, but this normal user has certain permissions that allow them to install/remove any software, read/write any file, or even delete a system file (which Windoze quickly replaces with a fresh copy). AFAIK, Administrator doesn't pose any serious security problems unless your computer is one accessed by more than one user - like a spouse or children. create an account for each and stay logged out when away from the computer.

      my only recommendation is MAKE SURE IIS IS NOT INSTALLED. script kiddies and horny teens can gain Administrator access without a password. (unless you're insane and actually want to USE it.)
  • by plsuh ( 129598 ) <plsuh@@@goodeast...com> on Monday May 06, 2002 @01:52AM (#3468446) Homepage
    First, my credentials: I'm a Curriculum Developer with Apple's WorldWide Training and Communications group. I am the author of the Network Security chapter in Apple's Network Administration course. I gave a talk at the last MacWorld on Mac OS X firewalling, and I must have done something right since they asked me to do it again in July in New York. In this post, unlike most of my other postings, I am speaking in my Apple voice.

    That said, Mac OS X has a root user, but root does not have a valid password on installation. The first user that is created via the setup assistant is what is known as an admin user. These are users who are members of the group "admin", a predefined group. Apple provides an API whereby a GUI application can ask for an admin user's password, and thus gain sudo-style privileges for actions such as installing software (which might need to put things in places that can only be touched by root). Also, the /Applications directory also is writable by admin users, so apps where the install is just drag and drop (such as OmniWeb or MSOffice) can also be installed by an admin user and do not require root privileges.

    In addition, admin users have access to the /Library directory, which is where resources specific to a particular machine should be stored. There are four Library locations that Mac OS X searches for resources such as fonts and frameworks:
    • ~/Library - for user-specific items
    • /Network/Library - for resources made available to an entire NetInfo network
    • /Library - for resources specific to a particular machine
    • /System/Library - the base system installation; this area is in general reserved for Apple use, and most people have no need to change anything inside here.

    Note that the /Library tree in general has ownership root:admin with privileges 775. This means that any admin user can add or remove resources from his or her own machine without resorting to using root directly. In fact, if you wanted to add a set of resources that would affect only a particular user (say, give only the graphic artist access to the full set of 300 fonts, and leave everyone else with just the usual system set of fonts), you could install them under the user's ~/Library directory. Because of the default search order, resources in ~/Library and /Library take precedence over those in /System/Library, so you can simply install a framework in /Library and override the OS's default behavior.

    If a user were to log in as root, he or she would immediately gain write access to the /System/Library area, which contains the really sensitive bits of the operating system. As it were on the warning labels, "No user serviceable parts inside!" Logging in as root is the equivalent of unscrewing the cover of a piece of equipment with that warning label. If you know what you're doing and you're careful, you may be able to do something in there, but if you're not careful or don't know what you're doing, you are likely to get hurt. I know of several users who had the bad habit of looking at a bunch of files in their System Folders and thinking, "I don't know what this does, I can just throw it out to gain more disk space," in older versions of the Mac OS. Turning one of these guys loose as root on Mac OS X is likely to cause major headaches.

    From the command line side of the house, admin users are allowed to do anything via the sudo command, which is preinstalled on Mac OS X. If you need root access, you can use sudo to do just about anything from the command line. If you really, really need a root shell, you can always do "sudo -s" and get one.

    In summary: Mac OS X has the tools that you need to perform system administration tasks form either the GUI side or the command line side without needing to log in as root. Logging in as root is the equivalent of opening up a piece of machinery with the warning label, "No user serviceable parts inside", and you should not be surprised if you get hurt when you do this.

    Paul Suh
    psuh@apple.dontbotherspammingmeigetwaytoomuch alrea dy.com

    Note: on Mac OS X Server, root is enabled by default. This is considered less of an issue since it is expected that servers will be run by people who have a better understanding of the issues involved and are more likely to be doing things that need root access, even from the GUI level.
    • A very nice post, thank you.

      I've never enabled root on my system, as I've heard a few warnings a while back, and I've never needed it. The only time I may have been tempted was when StuffIt Expander(the main archive decompressor for the Mac) was updated, and I didn't have permission to delete the old version that came with OS X. I ended up deleting it from 9.22. I do use my Admin account all the time. I tried a personal user account once to see if things would run faster, but there was no change, and a new account felt like a whole new machine to configure to my preferences.
      • You could probably have handled this without being root, and w/o rebooting. In Terminal in an Admin account, do:

        sudo rm -rf HideousStuffitDirectory

        And as for moving your personal environment to a new account, you would get 99% of it by something like:

        sudo ditto ~oldUser/Library ~newUser/Library
        shudo chown -r newUser.newGroup ~newUser/Library

        Really I can't see any reason not to do that for the entire home directory. Just lop off the "/Library" parts.

    • Logging in as root is the equivalent of opening up a piece of machinery with the warning label, "No user serviceable parts inside",
      ...and pouring in a bag of marbles
      ...and putting the machinery in a paint shaker :)

      Thanks for a lucid an enlightening post. It's going into my "I might need this to show a user someday" file.
  • What if you want to clear up all the tmp files you made and you make a small typo
    rm -rf / tmp
    After doing something like that, you know why NOT to use root. ;-)
    • Been there, done that.

      That's all the frickin' real world example you ever need. Thank god it was on a partition. But I lost my entire MP3-collection.

      Bad karma will do that to you.
    • Do you want to say that "sudo rm -rf / tmp" is any better, or that one shouldn't try to clean /tmp? After all, you have to get root somehow to do such stuff.

      The problem is, IMHO, the mere existence of root, as opposed to a more fine-grained approach - things would be much nicer if "may bind to a port <1024" wouldn't automatically imply "may rf -rf /". It's nice to see that some unixes seem to move in this direction, but, well, HURRY THE F*CK UP, developers! ;)

  • While doing work experience at SGI, I was told of their awards that they give out every month (in the form of two movie tickets), you get one if you do something great (help the community, fix a mass bug, etc) or if you do something really stupid. Well they had a main Origin 2000 server (snort), and a couple of months prior, one of the engineers (the one looking after me, I believe he was working on XFS at the time) has accidentally done rm -rf / while logged in as root on snort, there went everyone's stuff, snort was like the workhorse and the big storage yard. This is the result of their liberal policies (once your within the building you have all access to everything inside). I still love SGI! :)
  • Not a new problem (Score:3, Insightful)

    by Permission Denied ( 551645 ) on Monday May 06, 2002 @03:10AM (#3468563) Journal
    I knew this physics guy that bought a Linux box so he could do his Fortran numerical analysis on his own, without relying on the insanely big, fast and reliable physics servers (go figure). Smart physics guy, complete unix newbie.

    I'll only tell you the anectdote salient to this article. He would, of course, only log in as root as the KDE rpm front-end wouldn't work when you're logged in as a regular user and he didn't want to figure out how to use the the command-line rpm (I don't know if currently KDE does a sudo/su-type thing using the GUI, but it didn't back then - if you ran kfm as non-root, you couldn't use the RPM front-end).

    At one point he could no longer log in. Problem? / was full. He was downloading all his stuff into /root (a one gig partition) and /home (20 gig partition) was completely empty. You could log in from console, but not from XDM since XDM creates files in /tmp upon login. He had no idea how to get from XDM to another virtual console, so he was effectively locked out of his machine.

    My point? Give up. Don't worry about it. They will not learn why logging in as root is bad until they get burned. Especially since you're just a forum moderator - if you were getting paid to do this and your job depended on these machines staying up, you would have every responsibility to ensure people were properly following your policies; but, as a mere guru to these people, allow them to learn in the most effective fashion: trial by error.

    • (I don't know if currently KDE does a sudo/su-type thing using the GUI, but it didn't back then - if you ran kfm as non-root, you couldn't use the RPM front-end).

      Yes it does, and to give you an idea of how old your ancedote is, kfm was dropped in favor of Konqueror two major versions ago (since 2.x).

      --
      Evan

      • I am aware of Konqueror; the anecdote is still relevant. Even if you are now using GDM or KDM instead of XDM, those still create those authorization files and will not work if the file system is full.

        Please, actually work with these people before trying to tell me how it would be so easy to convert them to unix. It's completely different in a corporate environment than the home environment (and I don't see OS X being targetted at corporate environments, so we're talking about mom and pop and their home computer here). In a corporate environment, they have you to get the machine working and install new software, etc. You try to put unix in a mom-and-pop home environment, and you'll be inundated with phone calls. You'll fix something for them (which will require root privs) and then you'll get another phone call 20 minutes later.

        Try installing a mozilla build without using a command line, logged in as a regular user. Sure, you just install it to your home directory, but how many people are going to figure out that they need to change the default value in the dialog box? After you've installed it to your home directory, how do you start it up? Well, maybe it installed an icon on your KDE/GNOME desktop, maybe not. Let's assume it has. Now, what if you're in Konqueror and you want to use the "Open using Mozilla" menu option. Do you think that will work? Nope. Mozilla is not in your PATH (and that is what the latest version of Konqueror uses - it just does an execvp). Do you walk your grandmother through editing her .bashrc using emacs?

        These people don't know the difference between a slash and a backslash - you'll have difficulties telling them over the telephone exactly which characters to type in, one at a time. When I say "et-see are see dot dee init dot dee" you think "/etc/rc.d/init.d" but mom-and-pop thinks "WTF?" You'll then give up, go to their physical location, enable ssh, and fix everything remotely from then on.

        I have a lot of patience - I regularly deal with intelligent non-computer people (I have a real job, you see) and I've very good at explaining technical matters to non-technical people, but dealing with this audience is a completely different matter - you will become frustrated sooner or later. It's not really a matter of patience, but a matter of communication. When filesystem permissions and the simple relationship between users and groups doesn't make sense to someone, you simply don't have a common vocabulary to communicate expediently. They will log in as root no matter what you tell them. Ask yourself how many people are running Windows 2000/XP on their laptops and how many of those people bothered to create a non-Administrator account.

        • the anecdote is still relevant

          Didn't mean to imply that it wasn't relavant. I hold that *way* too many *nix apps break when they run out of disk space. Quite often in rather spectacular, data lossly ways, or in a quiet "I'll just throw this data away without ever alerting anybody" manner. Ditto for when the filesize exceeds the filesystem limit (less of a problem now, at least in Linux, but I hated that old damn 2GB limit).

          --
          Evan

          • Cool, OK, I misunderstood you. I'd agree that lots of *nix apps die spectacularly when they run out of disk. Funny thing is, I've seen Windows and MacOS apps deal with this by popping up a dialog or something, whereas the *nix apps will dump core, at best.

            Another thing I've noticed is that most good *nix programmers do indeed check for out-of-memory errors (eg, they always check return value of malloc), but their error handlers aren't all that great.

            My usual way of dealing with out-of-memory is to propagate the error back up the call stack until someone really wants to deal with it. Most times, dealing with it just means printing an error and dumping core.

            It may be that us *nix programmers are used to good virtual memory implementations where it's really hard to run out of memory, whereas the Windows/MacOS programmers have actually had to deal with these issues directly. Not sure.

    • Give up. Don't worry about it. They will not learn why logging in as root is bad until they get burned. Especially since you're just a forum moderator - if you were getting paid to do this and your job depended on these machines staying up, you would have every responsibility to ensure people were properly following your policies; but, as a mere guru to these people, allow them to learn in the most effective fashion: trial by error.

      I would add to this that you should reproduce for your readers some of the excellent advice already posted, but tell them to print out a hardcopy for themselves. Then, when they wreck their system, they can read what you posted and realize you were right.

  • When you're right in the middle of typing rm -fr /usr/something/ and you hit the enter key accidentaly hit the enter key just after the /usr/ part because you had to reach for napkins to clean up the gin and tonic that you spilled in your lap you learn that when you're root you can seriously fuck things up. Don't waste your breath--or keystrokes--on people who don't want to listen. They're bound to learn why they ought not log in as root all the time.
  • while addin a new disk ( was migrating data )..

    mv /usr/lib /tmp

    no command worked after that cause everythign was dynamically linked.
  • I realize this is slightly offtopic and I can probably kiss some karma points goodbye but, did anyone else notice a modified image at the top of this page? This image [cyberscope.net] was at the top of this story.
  • It comes down to good practices. When I started playing with Suse I remember how I would get kick/banned on the spot for trying to get into #linux on Undernet while logged as root. I asked them and they simply explained it was to teach me to use SU instead of a real root.

    I think we all agree root itself is too dangerous to leave it on for more than a few minutes, even if you really know what you are doing. Even us windows weenies are trying to enforce this: my IT folks spent a week adding garbled (read: cannot memorize) local passwords for all our servers and for administration are using an obscure account with the proper permissions. It is impossible to guess by name that this account is a local administrator for all machines in our network.

    For OS X and BSD I guess you should be able to do whatever you need without logging as root, that is what SU is used for.
  • user:
    cd /
    rm -rf *
    "OMG! where have all my files gone"
    reply:
    "PEBKAC"

    All people need to do is enable root and then su or sudo if they absolutely have to. If they can't fix any problem they are having not being logged in as root, then they should go and read some books. Hopefully some Mac users who are new to the *nix world will get some benefit from O'Reilly's new "Learning Unix for Mac OS X" book. Not that there aren't plenty of other books that should teach them the lie of the land, but I have a feeling this one will be popular as it's focussed on OS X.
  • MacOS has always run with the simplicity of giving the [single] user complete access to the entire system. It wasn't until they bought NeXT and started working on OSX (parts of which, like permissions, made it into OS9 to smooth the transition) that permissions were involved in the OS at all.

    What does it matter if someone can wreck the entire installation? They could do it before in OS8 and lower. Why does it matter now?

    Folks from a *NIX background, like a good portion of the /. readers, obviously object to this because it's not what they're used to. So, they will create their own [admin] account and play nice accordingly. Folks who are primarily from a Mac background may give up on the idea of an admin user and just set a root password and leave that account logged in all the time.

    Do you really care if some random mac user wants to be able to trash their system? Do you?
  • i've been using OSX for just over a year now, and root scares the hell out of me. Call me unadventurous, but when something says "do not touch" i damn well won't touch it until i know what i'm doing. the only time i'll mess with it is if someone's holding my hand and pointing the way (ie. there's a nice step-by-step thing in MacAddict or something). and considering the number of typos i always make, i'd be one of those people who'd delete my entire drive or start global thermonuclear war from my iMac. :p
  • I use an account that is an administrator-member every day on my Windows.

    My uptime on this workstation is 40days and I have never been hacked (i dont run any firewalls, but a small network monitor). By the way, there exist a nice freeware portblocker at http://www.analogx.com/contents/download/network.h tm if you want to use a firewall.

    Now back to topic. Why can't users use root all the time? Every time I have to do changes on my Linux box I have to use a root-user, thus I use root almost every day. It sux, and I've started using root as my primary login. Ofcoz I could do a rm -R / * or similar, but guess what? I don't care!

    It's all about functionality and user experience. Security people can just "stfu" coz they just disable the most used features at your computer.

    In the end you have to respect users and their need to
    a) learn about the computer by doing mistakes
    b) trust that the general hacker do not want to hack you unless he has a good reason
    c) see in the real world how things seem to work, even if you did not protect it like a child in a baby buggy
    • First off, if you have any sort of connection to any sort of public network, especially the Internet, YOU ARE A DESIRABLE TARGET.Your machine gets bandwidth, and bandwith begets DOS attacks.

      Secondly, I log in to an NT workstation as an admin a lot too. But on NT, a lot of system stuff of hard to get to and accidentally delete. If I happen to be in the wrong path on a UNIX system and type 'rm -fr *' I could be in deep shit, but if I don't go around carelessly wielding a root UID, then I protect myself. It's a bit like keeping the safety on a rifle. It's just a good idea.
  • I am a UNIX geek and I have used UNIX all my computer life and as such I expect a level of security with my systems. I have always built my own firewalls and reinstalled my systems when they came preinstalled. So as a UNIX geek I would never log in as root, however most sane people just want to use their computers and not worry about logins and such. Most of them have a different level of security that they want and are used to. I think more than anything this is a personal preference issue on a SINGLE user system.
  • don't forget that part of the reason that people make such a big deal about logging in as root is that Linux geeks have ego. they like to think that since they always SU and SSH, they are "cooler" than the next guy, and so this Root problem gets preached a little more than it should.

    on the other hand, the dangers of logging in as root are valid. personally, i log in as root all of the time because there isn't a single thing on my system that i couldn't fix if i needed to. for me, its "cool" to be challenged to fix it, so as far as i am concerned, "bring on the hackers"...

    in a production environment, its obvious that perfect paranoia is the only way to go though. :-)
  • Those of us who would be able to responsibly handle using root as our primary login don't.

    Those of us who might not be able to responsibly handle using root as our primary login want to.

    For the record, I have root enabled - but I rarely log in with it.

  • The question should be, "Why do people who don't understand root access have it?"

    Perhaps you should lobby the companies these people work for to have their root (or admin) access removed :)

  • ...to understand why *nix is not ready for home user desktop prime time.
  • The concept of permissions is too far above your average Mac user... But they'll eventually learn the hard way by getting hacked or removing something like the file system. But the common thread i see here is: "I don't really care" ... I say: With that attitude, niether should you.
  • As a user with no privelidges and see what happens and then as root.

    After they have wiped out thier system ask them if they know how to install the OS ;-)

    Its sort of like NT do you give all your users admin priveledges or just the ones you trust?

  • Not Running as root is a general safety factor in many aspects some that are stated and some that are not.

    1. Running as root is not forgiving of simple typo's rm ~ /* is a desasterous command. Also sometime I acedently click and drag a folder into an other folder. Doing this as root would alow me to move stuff that needs to be in its place to an other spot.

    2. Not running as root is one of the first line of defence from protecting yourself from Viruses and Trojans. If you dont have access to mess up your system good chances the file attachment you opened up will not have permission.
    3. Programming as non-root is good it could prevent you from accedently messing up important files Say you open("file","w") except for a open("file","r") and say file was /etc/passwd

    4. Stops you from making a mess of your file system. Say you were in /lib directory but you forgot about it and downloaded a file there. Then when you actually needed the file you cant find it so you have to run the find command. With a restriced access it allerts you that something is not right before you wast time.

    5. You know when you are doing something that may cause problems. If you cant do it as your own account then do an sudo to run it this makes you concious that you may be doing something that may damage the system so you will be more alert.

    6. Sometimes other people use your computer and they may not be as carefull as you.

    7. On multy user systems it may make people feel unconfortable if you use root all the time because they have no sience of privacy of there home directory. (This is a weak one but its true)

    8. It is a lot easier to crash the computer as root and running apps as root. You cant always trust other people code

    9. Loggin in as root all the time increases the chance that someone snooping your network will find the root password and create real damage.

    10. Some programs may give them selfs a lower (nice) level and eatup your system resourses.

    In generally running as root needs you be on on edge when ever you do something and the potential cost outwaigh the benefits
  • OOoops
  • As an OSX user, I'll submit that most users aren't going to use the terminal. For me though, sudoing root makes sense, mostly because if, god forbid, my HD is wiped out, backing up my ~ directory means all my stuff is in the right place when I reinstall. Brian.
  • by Dimes ( 10216 ) on Monday May 06, 2002 @03:14PM (#3472265) Homepage
    ....an even more significant reason:

    1)As root you have the ability to not only do damage to your own user files...but you have the ability to damage/destroy the whole system. Being a user on a UnixOS is one of its beauties. No matter how bad you screw up as a user, its only your files...the system will still be there.

    2)OSX runs a number of Microsoft Applications....i.e. the Office Suite, and Outlook...which are notoriously prone to security problems.(albeit, quite a bit less on Mac)

    Mix those two reasons and you get something like Windows, where one script sent by email, clicked on by an /uneducated/ user(and sometimes not even clicked on...just received by something like Outlook) while logged in as root....and poof there goes the whole machine....lucky, at least for the rest of us cause at least that users box is gone.....or really unlucky for the net community at large if the virus/worm/et.al. keeps the machine and starts doing nasty self propagation.

    So, just dont do it. There is so little a regular user needs root for...and for that Apple has provided sudo....built in from the start.

    Dimes
  • In my analysis, there are three reasons.

    1. To make individual administrators accountable for their actions by creating an audit trail. If multiple individuals use the "Administrator" or "root" account, the source of errors is obscured.
    2. To implement the principal of "least priviledge". Where possible, system access accounts will be assigned the least amount of priviledge possible (e.g. put a name service administrator into the "DNS Admins" group instead of "Enterprise Admins"). This may limit the degree of damage caused when a particular priviledged account is compromised, although it introduces communication complexity among system administrators and users.
    3. To limit the impact of accidents. By forcing administrators to use a non-priviledged account for regular tasks, the chances of accidentally damaging the network or any shared resources are reduced.
  • Why root? (Score:2, Informative)

    by zenasprime ( 207132 )
    I don't get it. Why do people feel the need to be root anyway? I have been an OS X user since Beta. I host my website on OS X and recently OS X server. I have configured Apache, BIND, Sendmail (ugh) and Postfix. I compile C++ source from the command line. If for some reason need to run a command as root (which can be frequent) i use sudo. There is a program called pseudo that will run apps as if they are root by drag/drop-ing files on top of it. If the user is an admin, they can config the system and install by simply providing their passwd. I have activated root from NetInfo to access certain functions but never once needed to log in as root. What is all the fuss is about?

    z(p)
  • I understand that you can accidentally delete every file on your hard drive, but it's not as easy to accidentally do as so many people claim. You have to want to recursively delete all the files at a certain point in your directory tree - I personally never use rm -r and most people who don't understand the trouble with root wouldn't even know how to use the command. They're much less likely to type it in, and then even less likely to type it in when their pwd is '/'.

    I think that the classic example also downplays the dangers of typing in 'rm -rf ~/' - back when I did helpdesk work I had many more reports of people erasing their personal files than system files. It's much worse in my opinion to lose all your personal files than to lose important operating system files because they can't be replaced as easily (and these people almost never make backups). These were Windows 3.1 and 95 machines usually, so there was not much stopping them from deleting crucial files except their lack of knowledge. And all they would have had to type is "deltree c:\windows" or "del /y c:\windows\*.*" from any command prompt.

    So my point is that home users logging in as root is bad practice, but not likely to cause any problems that couldn't easily happen on most Windows systems (since XP creates passwordless administrator accounts by default I am including it in this category). If an OS X user (or desktop linux user for that matter) logs in as root all the time, and then one day royally screws up his/her system, he/she will probably be able to reinstall, or find somebody to reinstall, the system files that only root can destroy. The personal files, those which the user could have destroyed without root, will be deleted either way:

    Geek Friend: You really hosed your system this time! This wouldn't have happened if you logged in with your unprivileged account.
    User: So if I was logged in with my user account I wouldn't have been able to run 'rm -rf /*'? Odd that I typed in a command like that, which I don't even slightly understand...
    GF: Yep, that would have prevented it. Lucky for you I can reinstall your operating system and applications.
    U: How about all my important personal documents? Can you reinstall them?
    GF: Nope, they're hosed. Too bad you logged in as root.
    U: So if I logged in as myself those documents would still be safe??
    GF: Well, no. You'd be just as hosed, minus me spending two hours reinstalling everything else.
    So the lesson is: don't log in as root unless you know how to reinstall the OS.
  • and what led me to the question was the nth time i was unable, as the admin (the name put in at install time), i am often stopped at the gates when trying to read/write something to/from my wife's subdirectory /users/hotchick.

    One fateful night, i was, yet again, doing some printing for her (the printer's upstairs where my machine and the printer is) from her TiBook, and so i logged in as me on her TiBook to print her stuff...

    well, i couldn't get into her subdir... so i tried batchmod - and that doesn't (apparently) have a -R on it, so then i went to the CLI to

    sudo chmod -R 777 /users

    fine.

    the GUI STILL wouldn't let me into her subdir until i rebooted the Finder... damnit.

    then, later on that night, when she went to work on one of the files later, it turned out that when i had opened one up and made some changes for her, is changed the owner to adminboy - and hotchick couldn't open the files any more...

    arrrrgggh!!!! Its my fscking computer, and i want me or my wife to be able to read/write either/or's files to our heart's content. This includes ~/pictures (where things _have_ to be for iPhoto) and other "predetermined" subdirectories.

    i even went so far as to repartition the machine with a 18 gig primary drive, and a 2 gig hotchick_HD so that i could turn off file permissions..

    of course.. that check box doesn't ACTUALLY work - because not a day later - after the fresh install and all - all her stuff is on the 2 gig part - and when i maked some changes, she wasn't able to open those files later.

    so - if i have 2, and only 2, users on a machine that want to have separate logins (login-time differences, like desktops, Dock position, etc) but we want complete control of each other's files on the machine..

    i don't want it when i edit a Word file for her that it makes it "read only" when she logs in later to work on the file.

    so - that was, in a rage after the 100th time she came to me complaining that the computer wouldn't do what WE wanted it to do... in Pudge's conference..

    :FOR THE LOVE OF GOD, I"M JUST GOING TO LOGIN AS ROOT FOR NOW ON, DAMNIT!

    i didn't mean it.. but my quandry - non-system files being universally unprotected for all users to see and use - and how to get there in a very Mac OS 9-like way.... is still unresolved.

Brain off-line, please wait.

Working...