10.6: Enable root user on Snow Leopard
Authored by: andrew112358 on Sep 28, '09 01:53:38PM

You can also do 'sudo sh', or 'sudo bash' or 'sudo zsh', etc, etc. This is why the whole argument about not enabling root is silly. If you have unlimited sudo, which all admin users have by default on OS X, you have for all practical purposes already enabled the root account. I can guarantee you that any hacker that you need to worry about already knows this and won't even be slightly inconvenienced by the root account not being enabled. Just about the only thing you can't do is get a GUI login as root. The single advantage of forcing admin users to use the sudo command is that it makes it a little bit harder to make stupid mistakes as root, but if you're the type of person that is likely to make a stupid mistake (either through inexperience or carelessness) you are still going to do it eventually.

10.6: Enable root user on Snow Leopard
Authored by: cran on Sep 29, '09 12:54:48AM

Well said, I second this. sudo should be written as "pseudo" as in "pseudo-security" :)

10.6: Enable root user on Snow Leopard
Authored by: corienti on Sep 30, '09 02:23:24PM

Glad to see such a refreshing (and correct!) summary.
As long as sudo is configured as it is by default, it's functionally equivalent to having the root account "enabled".

The only other reason worth mentioning to not have root enabled is that if it's enabled and ssh is enabled and the root password is brute-forceable (i.e. able to be guessed) then a remote attacker is straight in.
Whereas if root is not enabled, even if you have a weak password, the remote attacker first needs to correctly guess or determine your account username, before even having a hope of brute-forcing/guessing the password.

NB, technically the root account is never disabled at all; you merely cannot log into it with a password, as no password is set.
Using "sudo bash" you are running as root. The account is not disabled at all. There is really no such thing as disabling an account on a Unix system; just disabling login-by-password.

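The two conditions raised in the comments above (sudo grants that amount to root, and root password login over ssh) can both be read from configuration files. The following shell code is an added example, not part of any poster's comment: its function names and sample files are constructed for illustration, and it assumes a plain sudoers file with no aliases or included files.

```shell
#!/bin/sh
# Added example. Sample files below are constructed, not from a real system.

# Print each sudoers subject holding "<who> <host>=(<runas>) [NOPASSWD:] ALL",
# i.e. any command as root. Aliases and #include files are not resolved.
unrestricted_sudo() {
    sed -e 's/#.*//' -e 's/[[:space:]]*$//' "$1" |
    grep -Ev '^[[:space:]]*(Defaults|$)' |
    grep -E '^[^[:space:]]+[[:space:]]+[^[:space:]=]+[[:space:]]*=[[:space:]]*(\([^)]*\)[[:space:]]*)?(NOPASSWD:[[:space:]]*)?ALL$' |
    awk '{ print $1 }'
}

# Print the global PermitRootLogin value (sshd uses the first occurrence),
# or "unset" if none appears before the first Match block.
permit_root_login() {
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

audit() {   # $1 = sudoers file, $2 = sshd_config file
    who=$(unrestricted_sudo "$1" | tr '\n' ' ')
    if [ -n "$who" ]; then echo "root-equivalent via sudo: $who"; fi
    prl=$(permit_root_login "$2")
    case $prl in
        yes)   echo "sshd: root may log in with a password" ;;
        unset) echo "sshd: PermitRootLogin unset, default depends on OpenSSH version" ;;
        *)     echo "sshd: PermitRootLogin $prl" ;;
    esac
}

SAMPLE_DIR=$(mktemp -d)
SAMPLE_SUDOERS=$SAMPLE_DIR/sudoers
SAMPLE_SSHD=$SAMPLE_DIR/sshd_config
cat > "$SAMPLE_SUDOERS" <<'EOF'
# constructed sample modelled on a default-style sudoers
Defaults env_reset
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
EOF
cat > "$SAMPLE_SSHD" <<'EOF'
# constructed sample
#PermitRootLogin prohibit-password
PermitRootLogin Yes
PasswordAuthentication yes
EOF
audit "$SAMPLE_SUDOERS" "$SAMPLE_SSHD"
```

To check a real host, call `audit` with the paths of that host's sudoers and sshd_config files; reading sudoers normally requires root.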