TMO Quick Tip - Leopard: Lock Down Your Root User
by , 7:30 AM EDT, June 13th, 2008
I've mentioned before why it's important to protect your Mac's Root user and explained how Mac OS X 10.4 users can assign a password to their Root user. The steps are different in Mac OS X 10.5, but they aren't any more difficult.
Just like in Tiger, Leopard's Root user is disabled by default, but does not have a password. Assigning a password to your Root user adds an extra layer of protection, which is a great idea because anyone that gains Root-level control over your Mac can do anything they want -- including deleting files, adding and removing applications, and changing settings without your knowledge.
 Use Directory Utility to set your Root user password. |
|---|
Here's how to add a password to your Root user account in Leopard:
- Launch Directory Utility. It's hiding in Applications/Utilities.
- CLick the padlock in the lower left of the application's window, and enter your administrator user name and password to authenticate.
- Select Edit > Enable Root User.
- Enter a password for your root user, and make sure it isn't a password that you are already using for another account on your Mac.
- Click OK.
- Now select Edit > Disable Root User.
- Click the padlock to prevent any other changes.
 Enable the Root user so you can assign a password. |
|---|
 Enter a password for your Root user. |
|---|
Password protecting and disabling your Mac's Root user won't protect you from every possible attack, but it is one piece in the bigger security puzzle.
Jeff Gamet is TMO's Morning Editor and Reviews Editor. He lectures, teaches and speaks on Mac OS X and design-related topics, and is the author of The Designer's Guide to Mac OS X from Peachpit Press.
if you have tips or tricks to share, or Mac-related questions you want answered.
Observer Comments
Adding a password to a disabled account does nothing. It is not an "extra layer" and to claim so using visual language is misleading. The password only serves as a means of providing authentication assuming authentication is even checked. If a process is already running as root (uid 0), it is not going to get checked for a password just because you've added one.
For example, one may add a public key to the authorized_keys file within the root home directory to allow login as root via SSH. In this case the authentication is provided by possessing the matching private key. The password will not be checked and you are never prompted for it regardless of whether you've set one or not.
Secondly, the pathway to root does not need to be via the root account. Any administrator whose password you can guess gives you a root shell via "sudo". Disabling the root account and/or setting a password on it does not prevent access to root privileges here either.
Comments are currently closed. Please email the author instead.
Recent Headlines - Updated November 22nd
- Fri, 7:07 PM
- Games - Soccer Sim Championship Manager 2010 Released for Mac
- 6:47 PM
- Games - EA Publishes Original Monopoly for iPhone
- 6:15 PM
- News - Original Apple I on Ebay for $50K, w/Letter from Steve Jobs
- 6:11 PM
- Games - New iPhone Games: Secret of the Lost Cavern Ep 1, New DJ Nights, More
- 5:47 PM
- Games - Star Trek D-A-C Game Headed to the Mac Next Month
- 4:57 PM
- Product News - TidBITS Releases “Take Control of Syncing Data in Snow Leopard”
- 4:26 PM
- John Martellaro's Blog - Particle Debris (week ending 11/20) Stationery Pads Go Poof
- 2:59 PM
- Free on iTunes - Musée du Louvre, Art Lite, SketchBook Mobile X and More.
- 1:50 PM
- Deal Brothers - Acer P215H bmid 21.5” Widescreen LCD Monitor: $139.99
- 11:24 AM
- TMO Appearances - Jeff Gamet Shares More Holiday Gift Ideas on MacJury
- 10:43 AM
- Product News - Cocktail 4.5 for Leopard Adds QuickLook Cache Clearing
- 10:06 AM
- News - Hack Enables Mac OS X 10.6.2 on Netbooks
The Mac Observer Reader Specials
- TypeStyler For Mac OS X is Now Shipping! Download The Free Fully Functional 60 Day Tryout at www.typestyler.com
OWC: Plug & Play Hardware RAID up to 8.0TB. High Performance, Data Redundant Solutions. FireWire 800, FireWire 400, USB2, or eSATA. Hot Swappable Bays, Data Rates over 200MB/s. Click here
If you're using a Mac, then you've gotta check out Full Tilt Poker for Mac. This Full Tilt Poker bonus code does the unthinkable, it actually rewards!For the latest Apple products use Ciao, a price comparison website, to find laptops like MacBook Air. Then find the best prices on MP3 players and use our comparison tool to evaluate mobile phones like the Apple iPhone.
Laptop Hardware Provided by TechRestore - Overnight Mac & iPod Repairs.
