TMO Quick Tip - Leopard: Lock Down Your Root User || The Mac Observer

Skip navigational links

Choose text size:

TMO Quick Tip - Leopard: Lock Down Your Root User

by , 7:30 AM EDT, June 13th, 2008

I've mentioned before why it's important to protect your Mac's Root user and explained how Mac OS X 10.4 users can assign a password to their Root user. The steps are different in Mac OS X 10.5, but they aren't any more difficult.

Just like in Tiger, Leopard's Root user is disabled by default, but does not have a password. Assigning a password to your Root user adds an extra layer of protection, which is a great idea because anyone that gains Root-level control over your Mac can do anything they want -- including deleting files, adding and removing applications, and changing settings without your knowledge.

Use Directory Utility to set your Root user password.

Here's how to add a password to your Root user account in Leopard:

Launch Directory Utility. It's hiding in Applications/Utilities.
CLick the padlock in the lower left of the application's window, and enter your administrator user name and password to authenticate.

Enable the Root user so you can assign a password.

Select Edit > Enable Root User.
Enter a password for your root user, and make sure it isn't a password that you are already using for another account on your Mac.
Click OK.
Now select Edit > Disable Root User.
Click the padlock to prevent any other changes.

Enter a password for your Root user.

Password protecting and disabling your Mac's Root user won't protect you from every possible attack, but it is one piece in the bigger security puzzle.

Jeff Gamet is TMO's Morning Editor and Reviews Editor. He lectures, teaches and speaks on Mac OS X and design-related topics, and is the author of The Designer's Guide to Mac OS X from Peachpit Press.

if you have tips or tricks to share, or Mac-related questions you want answered.

Observer Comments

Show: Subjects Only | Full Comments

Close Name:jbruni Posts: 105 Joined: 14 Jul 2006
Mon Jun 16, 2008 3:21 pm Subject: Nonsense

Adding a password to a disabled account does nothing. It is not an "extra layer" and to claim so using visual language is misleading. The password only serves as a means of providing authentication assuming authentication is even checked. If a process is already running as root (uid 0), it is not going to get checked for a password just because you've added one.

For example, one may add a public key to the authorized_keys file within the root home directory to allow login as root via SSH. In this case the authentication is provided by possessing the matching private key. The password will not be checked and you are never prompted for it regardless of whether you've set one or not.

Secondly, the pathway to root does not need to be via the root account. Any administrator whose password you can guess gives you a root shell via "sudo". Disabling the root account and/or setting a password on it does not prevent access to root privileges here either.

Reply | Quote

Comment on this Article

Guest Posts Visible. Hide Them.
Back to top Page 1 of 1

You cannot edit your comments. You cannot delete your comments.

Comments are currently closed. Please email the author instead.

Recent Headlines - Updated February 12th

Sat, 4:11 PM: MacOS KenDensed - MacOS KenDensed: iPad 3 Frenzy, Big-time Apple & Steve Jobs, G-Man
Fri, 8:10 PM: News - Apple Sues Motorola Mobility in California Over German Case
7:54 PM: Free on iTunes - OnLive Desktop: Windows & Office on Your iPad
7:43 PM: Product News - Apple Rolls Out MacBook Air Configurations for Education
6:35 PM: Just a Peek - Battle Pocket Bulge With The Hint for iPhone
6:01 PM: Rumor - Apple Reportedly Bringing MacBook Air Styling to Pro Line
4:50 PM: Particle Debris - The Hidden Gotchas of Browser Security
3:56 PM: Apple Stock Watch - Analyst: Paying a Dividend Makes Sense for Apple
2:58 PM: Deal Brothers - iMac 27-inch 2.93GHz Intel Quad-Core i7 processor: $1,999
2:45 PM: In-Depth Review - Theodolite App for iOS is Breathtaking
12:52 PM: Apple Stock Watch - Mizuho Securities Starts Apple Coverage with $635 Target
11:35 AM: Hot Forum Topic - Forum Poll: Are You Planning on Buying a New iPad?

The Mac Observer Reader Specials

TypeStyler 11 is now in the Mac App Store!! -- Special Introductory Price of $59.95!! -- To Buy From The Mac App Store Click Here Now!! Or buy direct from Strider Software.
Mac RAM Upgrades: MacBook Pro 16GB kits $475, 8GB Kits for $119.99! iMac 16GB RAM Kits (4x 4GB) for $229.99! Mac Pro Memory 32GB Kit for $399.99, 64GB Kit for $889.99! Mac Hard Drives 2TB Seagate SATA II for $249.99! Click Here!
If you're using a Mac, then you've gotta check out Online Poker Mac. This mac poker and online casino mac site actually does the unthinkable, it actually rewards!

© The Mac Observer, Inc. -- All rights reserved. All information presented on this site is copyrighted by The Mac Observer, Inc. except where otherwise noted. No portion of this site may be copied without express written consent. Other sites are invited to link to any aspect of this site provided that all content is presented in its original form and is not placed within another frame. The Mac Observer is an independent publication and has not been authorized, sponsored, or otherwise approved by Apple, Inc.