TMO Quick Tip - Leopard: Lock Down Your Root User || The Mac Observer

Skip navigational links

Choose text size:

TMO Quick Tip - Leopard: Lock Down Your Root User

by , 7:30 AM EDT, June 13th, 2008

I've mentioned before why it's important to protect your Mac's Root user and explained how Mac OS X 10.4 users can assign a password to their Root user. The steps are different in Mac OS X 10.5, but they aren't any more difficult.

Just like in Tiger, Leopard's Root user is disabled by default, but does not have a password. Assigning a password to your Root user adds an extra layer of protection, which is a great idea because anyone that gains Root-level control over your Mac can do anything they want -- including deleting files, adding and removing applications, and changing settings without your knowledge.

Use Directory Utility to set your Root user password.

Here's how to add a password to your Root user account in Leopard:

Launch Directory Utility. It's hiding in Applications/Utilities.
CLick the padlock in the lower left of the application's window, and enter your administrator user name and password to authenticate.

Enable the Root user so you can assign a password.

Select Edit > Enable Root User.
Enter a password for your root user, and make sure it isn't a password that you are already using for another account on your Mac.
Click OK.
Now select Edit > Disable Root User.
Click the padlock to prevent any other changes.

Enter a password for your Root user.

Password protecting and disabling your Mac's Root user won't protect you from every possible attack, but it is one piece in the bigger security puzzle.

Jeff Gamet is TMO's Morning Editor and Reviews Editor. He lectures, teaches and speaks on Mac OS X and design-related topics, and is the author of The Designer's Guide to Mac OS X from Peachpit Press.

if you have tips or tricks to share, or Mac-related questions you want answered.

Observer Comments

Show: Subjects Only | Full Comments

Close Name:jbruni Posts: 105 Joined: 14 Jul 2006
Mon Jun 16, 2008 3:21 pm Subject: Nonsense

Adding a password to a disabled account does nothing. It is not an "extra layer" and to claim so using visual language is misleading. The password only serves as a means of providing authentication assuming authentication is even checked. If a process is already running as root (uid 0), it is not going to get checked for a password just because you've added one.

For example, one may add a public key to the authorized_keys file within the root home directory to allow login as root via SSH. In this case the authentication is provided by possessing the matching private key. The password will not be checked and you are never prompted for it regardless of whether you've set one or not.

Secondly, the pathway to root does not need to be via the root account. Any administrator whose password you can guess gives you a root shell via "sudo". Disabling the root account and/or setting a password on it does not prevent access to root privileges here either.

Reply | Quote

Comment on this Article

Guest Posts Visible. Hide Them.
Back to top Page 1 of 1

You cannot edit your comments. You cannot delete your comments.

Comments are currently closed. Please email the author instead.

Recent Headlines - Updated July 5th

Fri, 10:29 AM: News - Apple Warns of Learning Interchange Security Breach
7:30 AM: News - Happy Fourth of July!
Thu, 6:07 PM: TMO Scoop - Psystar Moves to Drop Bankruptcy Ahead of Apple Legal Battle
5:37 PM: News - Uncomfirmed Reports Say Apple & Nvidia On The Outs
4:57 PM: News - Microsoft Sick Over Barf Ad
4:09 PM: Product News - KRK Ships R6 Passive Studio Monitor for Recording
3:45 PM: John Martellaro's Blog - Particle Debris (week ending 7/2) Juiced, Joost and Goosed
3:12 PM: Product News - ExactScan 2 Pro Released
1:56 PM: Deal Brothers - Apple TV with 160GB Hard Drive: $324.00 Delivered
12:46 PM: TMO Appearances - TMO Appearances Jeff Gamet Shares iPhone Apps on MacJury
10:41 AM: Product News - Art Text 2.2 Adds New Templates, Layer Options [Updated]
10:04 AM: Hot Forum Topic - Deciphering Mac Sales

The Mac Observer Reader Specials

Download Typestyler, still the Ultimate Styling Tool for Internet, Print and Video Graphics. Works great in Classic with a Native OS X Version on the way. Free Tryout: www.typestyler.com
OWC: Big Drives, High Performance - Not High Prices! SATA 3.5" up to 1.5TB. Notebook up to 500GB. FW up to 6.0TB. 1.0TB Drive Models from as low as $97.99 www.MacSales.com
If you're using a Mac, then you've gotta check out Full Tilt Poker for Mac. This Full Tilt Poker bonus code does the unthinkable, it actually rewards!
RamJet Memory: MacBook and MacBook Pro 4GB kits for $57.99! Mac Pro 4GB Kits $99.99! iMac and Mac mini 4GB Kits for $57.99! 1TB SATA Hard Drives for $109.99! Click here
For the latest Apple products use Ciao, a price comparison website, to find laptops like MacBook Air. Then find the best prices on MP3 players and use our comparison tool to evaluate mobile phones like the Apple iPhone.
Laptop Hardware Provided by TechRestore - Overnight Mac & iPod Repairs.

© The Mac Observer, Inc. -- All rights reserved. All information presented on this site is copyrighted by The Mac Observer, Inc. except where otherwise noted. No portion of this site may be copied without express written consent. Other sites are invited to link to any aspect of this site provided that all content is presented in its original form and is not placed within another frame. The Mac Observer is an independent publication and has not been authorized, sponsored, or otherwise approved by Apple, Inc.