TMO Quick Tip - Leopard: Lock Down Your Root User || The Mac Observer

Skip navigational links

Choose text size:

TMO Quick Tip - Leopard: Lock Down Your Root User

by , 7:30 AM EDT, June 13th, 2008

I've mentioned before why it's important to protect your Mac's Root user and explained how Mac OS X 10.4 users can assign a password to their Root user. The steps are different in Mac OS X 10.5, but they aren't any more difficult.

Just like in Tiger, Leopard's Root user is disabled by default, but does not have a password. Assigning a password to your Root user adds an extra layer of protection, which is a great idea because anyone that gains Root-level control over your Mac can do anything they want -- including deleting files, adding and removing applications, and changing settings without your knowledge.

Use Directory Utility to set your Root user password.

Here's how to add a password to your Root user account in Leopard:

Launch Directory Utility. It's hiding in Applications/Utilities.
CLick the padlock in the lower left of the application's window, and enter your administrator user name and password to authenticate.

Enable the Root user so you can assign a password.

Select Edit > Enable Root User.
Enter a password for your root user, and make sure it isn't a password that you are already using for another account on your Mac.
Click OK.
Now select Edit > Disable Root User.
Click the padlock to prevent any other changes.

Enter a password for your Root user.

Password protecting and disabling your Mac's Root user won't protect you from every possible attack, but it is one piece in the bigger security puzzle.

Jeff Gamet is TMO's Morning Editor and Reviews Editor. He lectures, teaches and speaks on Mac OS X and design-related topics, and is the author of The Designer's Guide to Mac OS X from Peachpit Press.

if you have tips or tricks to share, or Mac-related questions you want answered.

Observer Comments

Show: Subjects Only | Full Comments

Close Name:jbruni Posts: 105 Joined: 14 Jul 2006
Mon Jun 16, 2008 3:21 pm Subject: Nonsense

Adding a password to a disabled account does nothing. It is not an "extra layer" and to claim so using visual language is misleading. The password only serves as a means of providing authentication assuming authentication is even checked. If a process is already running as root (uid 0), it is not going to get checked for a password just because you've added one.

For example, one may add a public key to the authorized_keys file within the root home directory to allow login as root via SSH. In this case the authentication is provided by possessing the matching private key. The password will not be checked and you are never prompted for it regardless of whether you've set one or not.

Secondly, the pathway to root does not need to be via the root account. Any administrator whose password you can guess gives you a root shell via "sudo". Disabling the root account and/or setting a password on it does not prevent access to root privileges here either.

Reply | Quote

Comment on this Article

Guest Posts Visible. Hide Them.
Back to top Page 1 of 1

You cannot edit your comments. You cannot delete your comments.

Comments are currently closed. Please email the author instead.

Recent Headlines - Updated March 16th

Tue, 5:00 PM: Games - New App Store Games: Frogger Inferno, More
4:28 PM: News - Flurry Finds Google Nexus One Sales Lagging Through 74 Days [UPDATED]
3:02 PM: iPad - A Diamond-Encrusted iPad Can Be Yours For $20K
2:41 PM: iPad - Could E-Textbooks be the iPad’s ‘Killer App’?
2:22 PM: iPhone - New Google Hire Tim Bray Fires a Volley in the Android vs. iPhone War
1:49 PM: Quick Look Review - Hippus HandShoeMouse
1:48 PM: Games - Blizzard: Starcraft II Beta For Mac in April
1:31 PM: iPhone - Research Firm Flurry Sees 185 Percent Jump in iPhone App Development
10:36 AM: Product News - PayPal App Adds Bump to Pay Support
9:51 AM: News - Apple Hires Wearable Tech Guru
9:27 AM: Product News - PasswordWallet 4.5 Adds MobileMe Sync Support
9:15 AM: Hot Forum Topic - Finding the iPad’s Target Market

The Mac Observer Reader Specials

TypeStyler For Mac OS X is Now Shipping! Download The Free Fully Functional 60 Day Tryout at www.typestyler.com
Mac Memory and Hard Drives: MacBook Pro Memory 8GB kits $349.99! iMac Memory 4GB DDR Kits for $109.99! Mac Pro Memory 4GB Kits for $135.99! Mac Hard Drives 1.5TB Seagate SATA II for $147.99! Click Here!
CarMD Handheld Device & Mac/PC Software System saves you time and money on car maintenance and repair. Buy at www.CarMD.com! Save $10 with code TMO2.
If you're using a Mac, then you've gotta check out Full Tilt Poker for Mac. This Full Tilt Poker bonus code does the unthinkable, it actually rewards!
For the latest Apple products use Ciao, a price comparison website, to find laptops like MacBook Air. Then find the best prices on MP3 players and use our comparison tool to evaluate mobile phones like the Apple iPhone.

© The Mac Observer, Inc. -- All rights reserved. All information presented on this site is copyrighted by The Mac Observer, Inc. except where otherwise noted. No portion of this site may be copied without express written consent. Other sites are invited to link to any aspect of this site provided that all content is presented in its original form and is not placed within another frame. The Mac Observer is an independent publication and has not been authorized, sponsored, or otherwise approved by Apple, Inc.