Isn't this the default?
Authored by: romulis on Feb 11, '05 04:31:11AM

This is where marketing and reality don't quite coincide the way they should.

Marketing: Apple delivers OS-X with the root account disabled.
Reality: The root account ALWAYS exists on every Unix machine.

The difference is that Apple is talking about logging in directly as root (i.e., when you sit down at your Mac and log in as root from the login window, or at the shell's login prompt).

Unix, however, relies heavily on the root account. The root account is there, but the password has been set such that it can't be typed. Since root access is required to do anything with the system, the admin user has access to root via "sudo" (see the manpage for details). This makes the system fairly secure because you can't log in as root directly from anywhere; in short, Apple has done it right.

The PermitRootLogin setting in ssh is really "yet another check" - even if someone could guess your root password, ssh would simply prevent that login from taking place - ignoring passwords, public keys etc.

The only "problem" is that if someone can guess YOUR password, they can log in as you, then they can run sudo, and then they have root access. Of course if you change root's password, then the ssh option might be of some help.

In short, if you're using a default setup, and YOUR password is relatively secure, you should have nothing to worry about... at least in this regard ;-)

Cheers,

Steve



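Added example (not part of the comment above, and not Apple's or OpenSSH's code): a small Python check that reads an sshd_config and reports where root login over ssh is not fully refused. It relies on the sshd_config(5) rule that the first value obtained for a keyword is used, and it reports `Match` blocks separately because they can re-enable root login for some clients. The sample configuration and the function names are constructed for illustration; `Include` files are not followed.

```python
import re

# Constructed sample, not taken from any real host.
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed for illustration)
Port 22
#PermitRootLogin yes
permitrootlogin no
PermitRootLogin yes
Match Address 192.0.2.0/24
    PermitRootLogin without-password
Match User backup
    X11Forwarding no
"""

# Keyword, then whitespace or a single '=' (accepted defensively), then arguments.
_LINE = re.compile(r"^\s*([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.*?)\s*$")

def audit_permit_root_login(text):
    """Return (global_value, match_overrides) for PermitRootLogin.

    global_value is None when the keyword is not set outside a Match block;
    sshd then uses its compiled-in default, which depends on the version.
    """
    global_value, overrides, current_match = None, [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                      # blank line or comment
        m = _LINE.match(raw)
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2).strip('"')
        if keyword == "match":            # later lines apply only to this block
            current_match = value
        elif keyword == "permitrootlogin":
            if current_match is not None:
                overrides.append((current_match, value.lower()))
            elif global_value is None:    # first value wins; later ones are ignored
                global_value = value.lower()
    return global_value, overrides

def root_login_findings(text):
    """List every place where root login over ssh is not fully refused."""
    global_value, overrides = audit_permit_root_login(text)
    findings = []
    if global_value is None:
        findings.append("global: unset, compiled-in default applies")
    elif global_value != "no":
        findings.append(f"global: {global_value}")
    return findings + [f"Match {c}: {v}" for c, v in overrides if v != "no"]
```

On the sample, the global setting is `no` (the later `PermitRootLogin yes` is ignored), but the `Match Address` block is still reported because it allows key-based root login from that range.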