Submit Hint Search The Forums LinksStatsPollsHeadlinesRSS
14,000 hints and counting!


Click here to return to the 'Why do people insist on having root enabled??' hint
The following comments are owned by whoever posted them. This site is not responsible for what they say.
Why do people insist on having root enabled??
Authored by: daveschroeder on Feb 20, '03 01:30:12PM

Yet another hint that requires root to be enabled when, as has been pointed out by many others, sudo is what you want to be using!

root does NOT and should NOT, EVER, need to be enabled for 99.9% of all Mac OS X systems. (Yes, there are other enterprise/server/speciality environments where having root enabled for various reasons is appropriate and accepted; I'm NOT talking about those here.)

You can and should do EVERYTHING with sudo.

You can get a root shell with sudo. You can execute any command as any other user as sudo. You can BECOME other users with sudo.

Why do people insist on enabling and using root?

And for the lazy, if you really just refuse to learn any of sudo's capabilities, at a bare minimum, just use 'sudo su' - that right there gives you a root shell, where literally ANYTHING can be done, and is the exact functional equivalent of using 'su' and using root's password.

Repeat: you do NOT need root enabled; you do NOT need to be using 'su' by itself.

Reasons:

1. Getting into the habit of not having root enabled discourages unnecessary uses of root (like logging in as root via the gui), where much harm can be done. Say whatever you will; this is still a good practice.

2. You REALLY CAN do ANYTHING with sudo, just as conveniently. "It's more convenient/quicker/etc to just use su" is NOT a valid excuse, and is totally untrue: if you really need a full root shell, "sudo su" or "sudo -s" gets you one!

3. Having the root account enabled fundamentally exposes you to more exploit possibilities.

4. Encouraging people to use tools like sudo also encourages learning, and more responsible and wise use of the tools at our disposal.

sudo: learn it.

Rob, I'd actually consider removing this hint, or amending it to say something like "sudo su <user>", which accomplishes the same thing, or any number of the other alternate other suggestions that use sudo.



[ Reply to This | # ]
Quit yer Whining
Authored by: bmerlin on Feb 20, '03 02:23:17PM

You know, preaching to people on why not to use root is really pointless. If they want to use root, they will. It's really none of your concern.

You don't like using root? Fine. Don't. Screaming about it whenever someone else mentions using it doesn't help.



[ Reply to This | # ]
Quit yer Whining
Authored by: incongruity on Feb 20, '03 04:59:30PM
You don't like using root? Fine. Don't. Screaming about it whenever someone else mentions using it doesn't help.

Actually, it helped a lot; I didn't really think about some of the points he brought up. Inasmuch as this is a HINTS website, you know, a place where some of us come to learn things that we previously didn't know or hadn't figured out on our own about OS X (including the CLI/ UNIX'ish underpinnings of it, I think that the original poster's comments were infact very helpful. Yours, on the otherhand, was pure flamebait.

[ Reply to This | # ]

Quit yer Whining
Authored by: bidmead on Feb 20, '03 05:08:09PM

Not to mention the fact that sudo as a command can't properly be tailored to a particular system unless someone on the system has access to /etc/sudoers for editing -- ie, is root.

Any properly managed UNIX system needs root access. The trick is to confine root use only to managing the system, not as a general purpose user.

--
el bid



[ Reply to This | # ]
Quit yer Whining
Authored by: ashill on Feb 20, '03 06:39:07PM

Mac OS X is configured so that all administrators are placed in the admin (80) group, and the admin group is given sudo privileges in /etc/sudoers. Therefore, administrators can edit /etc/sudoers by "sudo visudo", and can create more groups and assign individual non-admin users or groups whatever sudo privileges they merit (none, by default). If an administrator removes the admin group's permission to edit the config file, root has to be enabled, but that's why you only give admin access to people you trust!

Mac OS X does not need root access to be properly managed because administrators have the privileges to temporarily become root (via sudo) to do anything that needs to be done, and this is without sharing one root password among (potentially) multiple administrators.

-Alex Hill



[ Reply to This | # ]