
10.6: Enable root user on Snow Leopard System 10.6
Accessing the root account is disabled by default in Snow Leopard and the Directory Utility application is not available in the Utilities folder any more.

Here's how to enable root in Snow Leopard:
  1. Open Directory Utility in its new home, which is /System/Library/CoreServices.
  2. Unlock the application by clicking the padlock icon and entering your Administrator login.
  3. Select Edit » Enable Root User.
  4. Choose Edit » Change Root Password, and choose a password for the root user.
That's it! Make sure to re-lock the application by clicking the padlock icon.
Warning: Enabling the root account can leave your Mac vulnerable to security threats. Only enable it if you are aware of the risks and know what you are doing.
[robg adds: I've not had the root account enabled since the earliest days of OS X. If you do need to enable it, though, Terminal provides a simpler solution that appears to still work in 10.6: sudo passwd root. Enter your admin password, then a new password for root, and you're done.]

10.6: Enable root user on Snow Leopard
Authored by: lukeandrews on Sep 28, '09 07:53:16AM
There's no reason I'm aware of to enable the root user. If you need to do things as root, simply type sudo -s in the Terminal to start a shell with root access and proceed from there.

[ Reply to This | # ]
10.6: Enable root user on Snow Leopard
Authored by: wildmac on Sep 28, '09 08:30:14AM
Or use sudo su - which makes sure that you keep the same shell settings as you had in your administrator settings.

[ Reply to This | # ]
10.6: Enable root user on Snow Leopard
Authored by: leamanc on Sep 28, '09 09:14:15AM

Actually the "-" runs login scripts for the user you are su'ing as.

For example, create an alias in root's .bash_profile. Something useful like:

alias ll='ls -l'

If you do a "sudo su" and type "ll", you will get a "command not found." If you do a "sudo su -", the alias will work.

Long story short and back around to the point: using the "-" reads in the login scripts for the user you are su'ing as, not YOUR login scripts.

[ Reply to This | # ]

10.6: Enable root user on Snow Leopard
Authored by: bankshot on Sep 28, '09 10:32:43AM
sudo -i is an even quicker way to do this. Just remember, -s gets a root shell with your settings, and -i gets a root shell with root's settings.

[ Reply to This | # ]
10.6: Enable root user on Snow Leopard
Authored by: andrew112358 on Sep 28, '09 01:53:38PM

You can also do 'sudo sh', or 'sudo bash' or 'sudo zsh', etc, etc. This is why the whole argument about not enabling root is silly. If you have unlimited sudo, which all admin users have by default on OS X, you have for all practical purposes already enabled the root account. I can guarantee you that any hacker that you need to worry about already knows this and won't even be slightly inconvenienced by the root account not being enabled. Just about the only thing you can't do is get a GUI login as root. The single advantage of forcing admin users to use the sudo command is that it makes it a little bit harder to make stupid mistakes as root, but if you're the type of person that is likely to make a stupid mistake (either through inexperience or carelessness) you are still going to do it eventually.



[ Reply to This | # ]
10.6: Enable root user on Snow Leopard
Authored by: cran on Sep 29, '09 12:54:48AM

Well said, I second this. sudo should be written as "pseudo" as in "pseudo-security" :)



[ Reply to This | # ]
10.6: Enable root user on Snow Leopard
Authored by: corienti on Sep 30, '09 02:23:24PM

Glad to see such a refreshing (and correct!) summary.
As long as sudo is configured as it is by default, it's functionally equivalent to having the root account "enabled".

The only other reason worth mentioning to not have root enabled is that if it's enabled and ssh is enabled and the root password is brute-forceable (ie able to be guessed) then a remote attacker is straight in.
Whereas if root is not enabled, even if you have a weak password, the remote attacker first needs to correctly guess or determine your account username, before even having a hope of bruteforcing/guessing the password.

NB, technically the root account is never disabled at all; you merely cannot log into it with a password, as no password is set.
Using "sudo bash" you are running as root. The account is not disabled at all. There is really no such thing as disabling an account on a unix system; just disabling login-by-password.



[ Reply to This | # ]
10.6: Enable root user on Snow Leopard
Authored by: simonpie on Sep 28, '09 01:11:41PM

Here is a good reason.

When I go back to the login window, the system would start the flurry screen saver which basically transforms my Mac into a small heater. The only way I know (I am not saying the only way known to mankind), or at least a rather simple way, is to log in as root and then switch off that screen saver in the preferences, then deactivate root. It takes a minute, far less time than googling for some other way.



[ Reply to This | # ]
sudo -s is so "un-Mac"
Authored by: iamacat on Sep 29, '09 12:58:07AM

Don't you want to do your administrative tasks graphically? Like maybe running an Automator workflow on *ALL* users' items? Or be able to launch applications in privileged mode graphically rather than sudo the bundle's executable from the Terminal? How do you propose to achieve these things without running Finder, Dock and status bar items as root?

I didn't yet see a reason to enable root account on my machines, but I can easily see how IT professionals may find it handy. As for security, how exactly is this different from a regular administrative user. You might want to yank Safari from the Dock to resist the temptation of downloading/installing apps from random websites as root.



[ Reply to This | # ]
10.6: Enable root user on Snow Leopard
Authored by: babbage on Sep 28, '09 08:35:31AM

Top tip: If you think you need root access, you've been misinformed.

As other reasonable users have already noted, pretty much anything someone may have told you required root can actually be done just fine through sudo.

If someone is suggesting that you need root, get a better second opinion.

---

--
DO NOT LEAVE IT IS NOT REAL



[ Reply to This | # ]
10.6: Enable root user on Snow Leopard
Authored by: j-beda on Sep 28, '09 08:42:36AM
Enabling root and then logging in as the root user makes it a bit easier to change the "short user name" in 10.5 rather than messing around in the terminal - see for example http://support.apple.com/kb/HT1428

I don't know if that is still the recommended way of doing it in 10.6



[ Reply to This | # ]
10.6: Enable root user on Snow Leopard
Authored by: jeremyp on Sep 28, '09 08:58:03AM

It wasn't the recommended way to do it in Mac OS X 10.5. The recommended way was to simply create a new user with the right short name and copy everything across from the old home directory to the new one.

Note that, all the method saved you was doing the copy - you had to do a rename instead. Note also, that you could do exactly the same stuff with the terminal and sudo.



[ Reply to This | # ]
Changing short name (Account name:) in SL
Authored by: wallsbk on Sep 28, '09 10:15:03AM
The way I'd recommend for Snow Leopard is to go to System Prefs > Accounts, right-click on the user account to change, and select Advanced Options.... Change the Account name: and reboot. I think that's all there is to it, though if you also want to change the Home directory name you have to change the Home directory: listing in the Advanced Options page, and the folder name in /Users.

[ Reply to This | # ]
10.6: Enable root user on Snow Leopard
Authored by: j-beda on Sep 29, '09 03:32:49AM

"It wasn't the recommended way to do it in Mac OS X 10.5. The recommended way was to simply create a new user with the right short name and copy everything across from the old home directory to the new one."

Well, since I linked to the Apple support database entry on "how to change the short user name" I just figured that that was the recommended method. Since I cannot find anything recommending a file copy method (which could take forever for a large directory, and not be able to fit, and perhaps have some permissions issues) I do not really think you have made your case very well.

In any case, I'm just saying that some actions were simplified by having a root account that could be logged into. I think there are some other Apple instructions for Server that also recommend enabling the root account. Of course disabling the root account after it has been used to do whatever one needed is probably wise.



[ Reply to This | # ]
10.6: Enable root user on Snow Leopard
Authored by: doneitner on Sep 28, '09 04:49:31PM

Does single user mode work without enabling root? It was always my understanding that it would not. There are times when being able to boot into single user mode is not only helpful but required.



[ Reply to This | # ]
10.6: Enable root user on Snow Leopard
Authored by: tedw on Sep 28, '09 05:01:19PM

single user mode worked fine in Leopard without enabling root, and I don't see why they would change that in SL.



[ Reply to This | # ]
10.6: Enable root user on Snow Leopard
Authored by: blinkintosser on Sep 28, '09 09:24:21PM

One of my reasons for enabling root is to allow my father, who lives out-of-state and has difficulty with complicated computer tasks, an easy method to back up his home folder. After logging out of his normal user, he logs in as root where he has a "burn folder" on the root desktop that contains an alias to his home folder. He just right clicks and chooses the "burn" item to commit his entire home folder to DVD-R that he can file away in his safe deposit box. (Yes, he also has an external Time Machine disk, but that is no substitute for cheap, easily managed, self-contained backups to keep off-site.)

I have no doubt there are a number of other ways to accomplish the same task, but I'm equally sure none are as simple and reliable. Since he's logged out as his normal user, all his files--especially his FileMaker databases--are certain to be in a closed, consistent state. Since he's logged in as root, *every* file can be read and backed up, regardless of any odd permissions that may be encountered. Since he doesn't log into root for any other reason, he doesn't stay in root for any longer than it takes to back up, and he doesn't perform any other tasks while in root, I genuinely don't worry about him breaking something.

For that matter, I honestly don't understand the great panic about anyone enabling root. Sure, it's marginally easier to accidentally break the system while logged in as root, but if all one really cares about is in his home folder, root is no more of a threat than one's own non-root user. After all, the OS and apps can always be reinstalled if they get hosed. On the other hand, if the bogeyman is the risk of infection from trojans, worms, viruses, etc., maybe the advice should simply be to stick to the maintenance task for which you logged in as root, and stay away from the web browsing, email, and unfamiliar executables.

The bottom line is that sometimes root is simply convenient. Sometimes we grown-ups can accept a little risk for a little reward (and we have backups). We'll be OK.



[ Reply to This | # ]
10.6: Enable root user on Snow Leopard
Authored by: tedw on Sep 28, '09 10:24:59PM

not to be a pain, but you could accomplish that just as easily with rsync (and with a skillful application of launchd, your father wouldn't even need to log in and burn - that could be done automatically). I don't really have a position on the whole root-user/no-root-user debate, but as a rule I don't like enabling things that don't need to be enabled.



[ Reply to This | # ]
10.6: Enable root user on Snow Leopard
Authored by: blinkintosser on Sep 29, '09 07:06:24PM

At risk of drifting too far off topic, I'll follow up simply to further illustrate one convenience of an enabled root:

>Posted by Me:
>>One of my reasons for enabling root is to allow my father ... an easy method to back up his home folder.

Posted by tedw:
>...but you could accomplish that just as easily with rsync (and with a skillful application of launchd, your father wouldn't even need to log in and burn - that could be done automatically).

Having written an uncountable number of scripts in a number of languages, I'm keenly aware of the fragility of even the best written of them. While I'm reasonably capable in bash and no novice to rsync--especially under Cygwin where it likes to choke on long and/or Unicode filenames--seeing a claim that "you could accomplish that just as easily with rsync" and "that could be done automatically" leaves me with a lot of questions so easily avoided by enabling root. For example, from the top of my head:

Easier for him? When does he insert the disc? When is it finished? Does he have to boot up without logging in and wait for something to happen? Does he have to log out and wait for something to happen? Does it get triggered upon the insertion of a disc while logged out? What if the burn fails? What if he inserts a non-blank disc? What kind of feedback does he get that the disc was burned correctly and that it contains all of his files and is completely up-to-date?

Easier for me? Do I have to write and debug the script and launchd plist? What if a bug in my script goes undetected and leaves some files uncopied or doesn't properly update the pre-burn mirror directory leaving stale files? What if the scheduled time for the mirror or burn becomes an undesirable time or if he wants to backup at another time? How should I handle all the possible errors or a bad burn? Do I also have to write and debug a script that programmatically confirms that all files are backed up and up-to-date?

While scripting can be a viable method for this type of backup, you'll have to admit no script can ever approach the sheer simplicity, reliability, and certainty of: (1) log out as <user> and in as root; (2) insert disc and click "burn", watching the progress bar if you're bored; (3) log out as root and back in as <user>. If the burn fails verification, it will tell you and you can try again. If it succeeds, it will tell you that, too.



[ Reply to This | # ]
10.6: Enable root user on Snow Leopard
Authored by: tedw on Sep 29, '09 08:32:20PM

It's clear you think this is simpler, and it's clear it's a system that works for you, so fine. Would I recommend it to someone else? Doubtful. For one, I'm picturing your dad's safe deposit box filling up with dozens (or hundreds) of old CDs that will never be looked at again...

There is a vast difference between choosing to do something because it works for you, and suggesting it as a course of action for others. Heck, I've gotten by for years with my laptop swinging around on the back of my motorcycle, but I'm not about to suggest that carrying a laptop that way is generally innocuous. I'm willing to take the risk because I recognize the risk for what it is (and I'm good with computers and motorcycles), as do you in your situation. I don't see any sense in trivializing the risk any more than I see in aggrandizing it.

Your system works (though I still think it's overkill - a normal administrator account could do the same thing - possibly even a burn folder within his own account - unless there's something absurd in your father's home directory), and I don't argue with success. But I still think a cautious approach is a better approach when it comes to security.



[ Reply to This | # ]
10.6: Enable root user on Snow Leopard
Authored by: cran on Sep 29, '09 01:13:08AM

Top tip: if somebody says sudo makes things more secure he doesn't know what he's talking about!



[ Reply to This | # ]
10.6: Enable root user on Snow Leopard
Authored by: merosen on Sep 28, '09 09:22:57AM

To enable root in Terminal, try "dsenableroot". You will be prompted for your password and then what you want as root password and then a confirmation of the root password. "dsenableroot -d" disables the root password.
Here is part of the man page.

dsenableroot -- enables or disables the root account.

SYNOPSIS
dsenableroot [-d] [-u username] [-p password] [-r rootPassword]

DESCRIPTION
dsenableroot sets the password for the root account if enabling the root user account. Otherwise, if disable [-d] is chosen, the root account passwords are removed and the root user is disabled.

A list of flags and their descriptions:

-u username
Username of a user that has administrative privileges on this computer.

-p password
Password to use in conjunction with the specified username. If this is not specified, you will be prompted for entry.

-r rootPassword
Password to be used for the root account. If this is not specified for enabling, you will be prompted for entry.



[ Reply to This | # ]
10.6: Enable root user on Snow Leopard
Authored by: jpbjpbjpbjpb on Sep 28, '09 09:48:27AM

This is an incredibly poor idea. Enabling root doesn't let you do anything you couldn't do with sudo, and opens a potential security hole.

There are good reasons Apple ships the machine with root disabled.



[ Reply to This | # ]
10.6: Enable root user on Snow Leopard
Authored by: cran on Sep 29, '09 01:09:56AM

Enabling root is NOT a security hole (bad passwords are).

There ARE things that can't be done with sudo.



[ Reply to This | # ]
10.6: Enable root user on Snow Leopard
Authored by: babbage on Sep 30, '09 12:44:09PM

Name ONE thing that a root login can do that sudo cannot do.

I'll wait.

---

--
DO NOT LEAVE IT IS NOT REAL



[ Reply to This | # ]
10.6: Enable root user on Snow Leopard
Authored by: corienti on Sep 30, '09 02:39:00PM

Correct; logically there should not be anything you can do by logging in directly as root, that you cannot do by running a shell as root with sudo.

However, at the same time, for all practical intents and purposes, as long as you use a strong password for the root account, there is NO more security risk than there is by having access to run a shell as root via sudo.
(which all admin accounts do, by default).

So your top tip ("If you think you need root access, you've been misinformed") is entirely accurate from a factual point of view.

But it's also somewhat beside the point. From a practical point of view, if you have access to sudo, you might as well just "enable" root.
Not that the root account is ever actually disabled in the first place - it just doesn't have a password set. If you can run a root shell, via sudo or otherwise, then clearly, the account is perfectly well enabled.

So the corresponding tip is: if you think it's effectively any more secure to use sudo instead of "enabling" root, you've been misinformed somewhat and are not fully understanding the difference.
The only difference is how you actually gain root access. Two different ways; exactly the same end result (that is, root shell).




[ Reply to This | # ]
10.6: Enable root user on Snow Leopard
Authored by: timbloom on Feb 02, '10 10:14:10AM

Fixing a broken admin account/sudoers list. Access GUI utilities with root permissions.

That's 2.


I didn't mean to keep you waiting, but you said you would. :D



[ Reply to This | # ]
10.6: Enable root user on Snow Leopard
Authored by: CyborgSam on Sep 28, '09 09:49:32AM

YMMV, this is IMHO.

I've had root enabled on all my personal Macs, but I don't recommend average users enable root. I do not buy into the mantra that "root enabled is irrefutably wrong, you MUST use sudo." IMHO if you understand the risks involved and are comfortable enabling root, then do so.

IMHO the main risk of enabling root is it is much easier to destroy the system or lose data. IMHO the security risks of enabling root are pertinent only for servers/Macs at high risk from attack. E.g.: an Xserve at work is constantly attacked for every known security weakness (including Windows ASP...).

I enable root for two reasons: to graphically log in and to use su.

After a clean install and before adding 3rd party software, I color label items in /System and /Library. This makes it easier to identify 3rd party fonts, extensions, startup items, launch items, et al.

In Terminal (I prefer iTerm) I often just su because I get tired of typing sudo over and over and re-entering my password.




[ Reply to This | # ]
10.6: Enable root user on Snow Leopard
Authored by: Anonymous on Sep 28, '09 12:11:51PM

Good grief. Learn about security before you start vomiting out puerile nonsense like that.

All Macs are at high risk of attack, because they're a stable platform, and many (like yours) come with *smug* installed.



[ Reply to This | # ]
Launching Directory Utility
Authored by: wallsbk on Sep 28, '09 10:06:14AM
You can launch Directory Utility from /System/Core Services as documented in this hint. However the "official" way to get to Directory Utility now is through System Preferences > Accounts > Login Options. At the bottom of the panel you'll see Network Account Server:. Click on the Edit button and there is a listing of directory services. The button in the bottom left-hand corner says Open Directory Utility.... Click on this to launch.

[ Reply to This | # ]
To all who believe in the sudo myth
Authored by: cran on Sep 29, '09 12:49:26AM

I am using sudo for a lot of purposes and I like it. It totally makes sense to me to use sudo (e. g. sudo -s) instead of logging in as or su'ing to root. But I want to make clear that the following myths are indeed myths:

  1. sudo inherently makes things "more secure".
  2. there is nothing you cannot do with sudo (when you would use root otherwise).

I won't talk about 1. because it would become an endless discussion. But I want to give an example for 2.:

  scp foo.conf user@server:/etc/foo.conf

This won't work if /etc/foo.conf on server is only writable for root. Sudo won't help here. Now some smart ass might come up with seemingly cool stuff like:

  tar cf - foo.conf | ssh user@server '(cd /etc/ && sudo tar xpf -)'

This just sucks and has great potential for mistakes. How much easier is this:

  scp foo.conf root@server:/etc/foo.conf

So, to all people who say enabling root is, by itself, dangerous: Stop babbling and use SSH keys with very good passwords or at least very good passwords. And use sudo where appropriate.



[ Reply to This | # ]
To all who believe in the sudo myth
Authored by: babbage on Sep 30, '09 12:46:29PM

You let people log in as root via ssh ?

You are a very brave person.

And I'm glad I don't work with you. :-)

---

--
DO NOT LEAVE IT IS NOT REAL



[ Reply to This | # ]
To all who believe in the sudo myth
Authored by: corienti on Sep 30, '09 02:46:07PM

I let a select set of people - that is, the unix team - ssh in as root.

No one else can, naturally.

In internet-facing interfaces, I also use source IP filtering, and root can only login using ssh key, not via password.
And I also have the firewall configured to block IPs retrying connections too rapidly.

SSHing as root is quite as safe as anything else as long as you restrict it to the right people and put the appropriate security measures around it.



[ Reply to This | # ]
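
An added example, not part of the comment above or of the original hint: a shell check for the setup that comment describes (root over SSH by key only, with keys tied to source addresses). The function names, the sample sshd_config and the sample authorized_keys are constructed for illustration; on a real host you would feed in the actual files.

```shell
#!/bin/sh
# Added example. Function names and all sample data are constructed.

# root_login_mode: read sshd_config text on stdin and print how root may
# log in: no | key-only | forced-command | password | default | unknown.
# sshd uses the first value it obtains for a keyword, and anything after a
# "Match" line is conditional, so only the global section is read.
root_login_mode() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # comments and blank lines
        { sub(/=/, " "); key = tolower($1); val = tolower($2) }
        key == "match" { exit }                 # END still runs after exit
        key == "permitrootlogin" && mode == "" { mode = val }
        END {
            if (mode == "") print "default"     # varies by OpenSSH version
            else if (mode == "no") print "no"
            else if (mode == "without-password") print "key-only"
            else if (mode == "prohibit-password") print "key-only"
            else if (mode == "forced-commands-only") print "forced-command"
            else if (mode == "yes") print "password"
            else print "unknown"
        }
    '
}

# keys_without_from: read an authorized_keys file on stdin and print how
# many keys carry no from="..." source-address restriction.
keys_without_from() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        # A line that starts with a key type has no options field at all.
        $1 ~ /^(ssh-|ecdsa-|sk-)/ { n++; next }
        # Otherwise the line starts with an options list.
        { line = tolower($0) }
        line !~ /(^[ \t]*|,)from="/ { n++ }
        END { print n + 0 }
    '
}

# Constructed sshd_config: the first PermitRootLogin wins, the second is dead.
SAMPLE_SSHD='# constructed sshd_config fragment
PasswordAuthentication yes
PermitRootLogin without-password
PermitRootLogin yes
Match Address 192.0.2.0/24
    PermitRootLogin yes'

# Constructed authorized_keys for root; key bodies are placeholders.
SAMPLE_KEYS='from="192.0.2.10,192.0.2.11" ssh-rsa AAAAPLACEHOLDER1 alice@admin
ssh-rsa AAAAPLACEHOLDER2 bob@laptop
no-pty,from="192.0.2.*" ssh-rsa AAAAPLACEHOLDER3 backup@host'

printf 'root login mode: %s\n' \
    "$(printf '%s\n' "$SAMPLE_SSHD" | root_login_mode)"
printf 'root keys without from=: %s\n' \
    "$(printf '%s\n' "$SAMPLE_KEYS" | keys_without_from)"
```

A result of "default" means the file does not set PermitRootLogin in its global section, so the behaviour is whatever the installed OpenSSH version defaults to and should be confirmed on the host.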
10.6: Enable root user on Snow Leopard
Authored by: oink on Oct 01, '09 06:18:31PM

The amount of fear! There is a chance a car will hit and kill me every time I walk down the street, but I continue to be a pedestrian. I don't feel "brave" or "stupid". I couldn't care less your reason about not wanting to walk, as long as it doesn't interfere with my path!

I can't stand to read another "Apple disabled it for a reason" crap. There is a reason why there is root access in Unix. Last I checked, some of the most useful applications are on Cydia because they were rejected by Apple's AppStore.

I enable root access because it is my choice. A PC can do everything a Mac can doesn't mean I should use a PC!

I read this thread because I thought there's something new regarding root access in 10.6 and wow, some of these comments!



---
blurred visionary



[ Reply to This | # ]
10.6: Enable root user on Snow Leopard
Authored by: chiggsy on Jul 15, '11 11:18:57PM

When you sudo to a root shell, your $LOGNAME will show where you came from.

/var/root is there, it's the home of the root user. This fear is unworthy.

Set your sudoers file properly:

Defaults tty_tickets

added to the Defaults section will ensure that sudo only works for the tty you sudo from.

Otherwise an intruder would only have to watch the log files, wait until you went sudo, and then sudo bash and they have a root shell too.



[ Reply to This | # ]
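
An added example, not part of the comment above or of the original hint: a shell check that reports whether a sudoers file turns per-terminal tickets on, using the Defaults tty_tickets line from that comment. The function name and both sample sudoers fragments are constructed; the handling of timestamp_type (the setting newer sudo releases use for the same purpose) goes beyond what the comment mentions.

```shell
#!/bin/sh
# Added example. Function name and sample sudoers text are constructed.

# tty_ticket_state: read sudoers text on stdin and print on | off | unset.
# Only global "Defaults" lines are read (not Defaults:user, Defaults@host).
# Later Defaults lines override earlier ones, so the last setting wins.
tty_ticket_state() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # also skips #include directives
        $1 != "Defaults" { next }
        {
            line = $0
            sub(/^[ \t]*Defaults[ \t]+/, "", line)
            n = split(line, opt, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) {
                o = opt[i]
                gsub(/[ \t]/, "", o)
                if (o == "tty_tickets") state = "on"
                else if (o == "!tty_tickets") state = "off"
                else if (o == "timestamp_type=global") state = "off"
                else if (o ~ /^timestamp_type=(tty|ppid)$/) state = "on"
            }
        }
        END { print (state == "" ? "unset" : state) }
    '
}

# Constructed fragment with no ticket setting: behaviour falls back to the
# built-in default of the installed sudo, which differs between versions.
SAMPLE_WEAK='# constructed sudoers fragment
Defaults env_reset
%admin ALL=(ALL) ALL'

# The same fragment with the line from the comment added.
SAMPLE_FIXED='# constructed sudoers fragment
Defaults env_reset
Defaults tty_tickets
%admin ALL=(ALL) ALL'

printf 'before: %s\n' "$(printf '%s\n' "$SAMPLE_WEAK" | tty_ticket_state)"
printf 'after:  %s\n' "$(printf '%s\n' "$SAMPLE_FIXED" | tty_ticket_state)"
```

Edit the real file with visudo so a syntax error cannot lock sudo out, and treat "unset" as a prompt to check the default of the sudo version actually installed.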