Enabling the Root User in Snow Leopard


Apple has, yet again, changed the method for enabling the root user in Snow Leopard. This time, the Directory Utility, which lived in the Utilities folder in Leopard, has been moved to (buried in) the Accounts section of System Preferences.

Leopard

In Leopard, you start at the Directory Utility in /Applications/Utilities.

[Screenshot: Directory Utility. Caption: Leopard Utilities]

After launching the app as an admin user, you go to the Edit menu, where there's a menu item entitled "Enable root user." Easy enough.

[Screenshot: Enable root user (Leopard). Caption: Directory Utility, Edit menu]

Snow Leopard

That must have been too easy in Leopard, so Apple buried it in Snow Leopard even further. You must be using an admin account:

1. Go to System Preferences.

2. Select Accounts.

[Screenshot: Accounts (SL). Caption: System Preferences -> Accounts]

3. Click on Login Options.

4. Under Network Account Server, click on "Join."

[Screenshot: Join (Snow Leopard). Caption: Yet more techie details]

5. When the new window slides down, click on "Open Directory Utility."

6. Now you can select, from the Edit Menu, "Enable Root User."

[Screenshot: Enable root user (Snow Leopard). Caption: Back where we belong]

Sidebar: Apple has, I surmise, changed the method to bury this function even further. Each step results in an ever more alarming and technically imposing dialog box designed to keep all but the expert (or most steadfast tinkerer) away. The reason, of course, is that enabling the root user is a less secure way to operate the Mac. Some users elect to run as an admin user and some as an unprivileged standard user, but one should never log in as the root user for routine work because of the damage one could inadvertently cause to the OS.

This facility is there for experienced UNIX users who know what they're doing. They know how to do what they need to do, then get out, then disable the root user.

Normally, the installer of Mac OS X is the admin user, who has plenty of privileges to get things done but doesn't have complete root privileges, so that system integrity and security are maintained. That admin user is in the sudoers list (/etc/sudoers), so if necessary, some UNIX commands can be run on the command line with "sudo."

I've added this sidebar so Mac users learning UNIX or newbie IT managers new to the Mac can get a feeling for what's going on. For those who aren't into UNIX and don't use the command line, you'll just want to stay away from this feature altogether.

 


17 Comments

falconneil

It’s not nearly that complicated. The Directory Utility has simply been moved to System/Library/CoreServices. Then simply use it as you always did in Leopard.

Jeff Gamet

It’s not nearly that complicated. The Directory Utility has simply been moved to System/Library/CoreServices.

Yes, Directory Utility is hiding in CoreServices, but there are plenty of Mac users that don’t feel comfortable opening the System folder and rooting around for applications. Knowing how to get at the utility without directory-diving will probably feel more comfortable for them even though it takes a couple more steps. The upside is that both methods work just fine, so users that don’t mind digging around in the System folder are still welcome to dive in.

Nemo

Thanks John:  I followed the procedure above just to check that Root User was not enabled, only to discover that the installation of Snow Leopard had removed my password for Root User.  I had to reset my password and then disable Root User.  Had it not been for your article, I would probably have never checked.

Anon E Mouse

1) Launch Terminal
2) sudo passwd root
3) Enter admin password

Doesn’t get much simpler than that, and if someone can’t handle Terminal, they shouldn’t be enabling root anyway.

Ted Landau

Directory Utility is hiding in CoreServices, but there are plenty of Mac users that don’t feel comfortable opening the System folder

I’d go a bit further. There is NO software in the CoreServices folder that is intended to be launched directly. From Archive Utility to AddPrinter to DiskImageMounter etc., these are all designed to be accessed either only by the OS itself or by a user via an option in some other application.

By moving Directory Utility here, Apple is implicitly stating that you should stay away from this app, unless you know enough to access it as described in this article.

Of course, you can still ignore Apple’s advice and launch it directly.

Overall, I see no problem here. The vast majority of endusers will never need Directory Utility, and would only be confused if they discovered it in the Utilities folder and launched it. However, I would have preferred if Apple took the root user feature out of Directory Utility and put it somewhere a bit more accessible, such as an admin-only root user option in the Security System Preferences pane.

John Martellaro

Ted: I like that idea.  It’s a clean, logical place to put it.  Perhaps, as we’ve discussed, however, too much in the open.

dude

If you think you ever need to enable the root user to do any kind of task, you are wrong. Period. End of story. If someone tries to convince you otherwise, they don’t know what they’re doing. If you think otherwise, you’re also Doing It Wrong.

vpndev

@dude: close but not 100%.  There are some weird scenarios with remote access where you do need to log in as root, and su/sudo won’t cut it. But these are hairy edge cases.

For the vast majority of usage, one should prefer “sudo -s” as the way to get a root shell. The good-security-practices people like it too because it makes log entries of who is using root. If root is enabled and shared between admins, there’s no hard audit trail of who did what.
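The audit-trail point in the comment above, as an added example that is not part of the original comment or article: a shell/awk pass over sudo's log lines that attributes root activity to named admins. The log lines, host name and account names are constructed, and where sudo's messages are written depends on the OS version and syslog configuration.

```shell
#!/bin/sh
# Added example: attribute root activity to individual admins from sudo log lines.
# SAMPLE_LOG is constructed for illustration; host and account names are made up.
SAMPLE_LOG='Sep  1 10:12:01 mac sudo:    alice : TTY=ttys000 ; PWD=/Users/alice ; USER=root ; COMMAND=/bin/bash
Sep  1 10:15:44 mac sudo:      bob : TTY=ttys001 ; PWD=/Users/bob ; USER=root ; COMMAND=/usr/sbin/diskutil list
Sep  1 10:20:09 mac sudo:    alice : TTY=ttys000 ; PWD=/private/etc ; USER=root ; COMMAND=/usr/bin/vi /etc/hosts
Sep  1 10:31:27 mac sudo:    carol : 1 incorrect password attempt ; TTY=ttys002 ; PWD=/Users/carol ; USER=root ; COMMAND=/bin/bash
Sep  1 10:40:02 mac loginwindow[41]: unrelated message'

# Normalise sudo lines on stdin to: <time> <admin> <ok|denied> <command...>
sudo_events() {
  awk '/ sudo: / && /USER=root/ {
    line = $0
    sub(/^.* sudo: +/, "", line)      # drop timestamp, host and the sudo tag
    split(line, part, " : ")          # part[1] is the invoking account
    status = (line ~ /incorrect password|NOT in sudoers/) ? "denied" : "ok"
    cmd = line
    sub(/^.*COMMAND=/, "", cmd)
    print $3, part[1], status, cmd
  }'
}

# Successful root commands per admin, as "<admin> <count>", sorted by name.
root_use_by_admin() {
  sudo_events | awk '$3 == "ok" { n[$2]++ } END { for (u in n) print u, n[u] }' | sort
}

# Root shells opened through sudo (for example "sudo -s"): "<time> <admin>".
# sudo records the shell launch only, not the commands typed inside it.
root_shells() {
  sudo_events | awk '$3 == "ok" && NF == 4 && $4 ~ /^\/bin\/(sh|bash|zsh|tcsh|ksh)$/ { print $1, $2 }'
}

# Accounts whose sudo attempts were rejected.
denied_admins() {
  sudo_events | awk '$3 == "denied" { print $2 }' | sort -u
}

printf '%s\n' "$SAMPLE_LOG" | root_use_by_admin
```

A session opened by logging in directly as a shared root account produces none of these per-admin lines, which is the gap the comment describes.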

Gridmaster

I’ve made a habit of activating the root user with the sole purpose to have a password assigned to it so that nobody else can assign this role to him/herself, either remote, or on the spot with physical access to the computer.

ry

There is NO software in the CoreServices folder that is intended to be launched directly. From Archive Utility to AddPrinter to DiskImageMounter etc., these are all designed to be accessed either only by the OS itself or by a user via an option in some other application.

The Core Service “Screen Sharing” app HARDLY fits this criterium.  One could say the same about the very pedestrian “Network Diagnostics” app.  And yet…

Ted Landau

The Core Service “Screen Sharing” app HARDLY fits this criterium. One could say the same about the very pedestrian “Network Diagnostics” app. And yet…

Maybe we’re starting to argue semantics here, but I would contend that they DO fit the criterion. Screen Sharing is typically accessed via a button in a Finder window. Network Diagnostics is accessed most often via an option in the Network System Preferences pane. In neither case, do you go to the CoreServices folder to launch these apps directly.

CCardona

Help?

Avoiding all the other theological issues of enabling root, I believe it’s sometimes easier to administer Mac OS X Server from the Terminal by logging in as root: su -. Recently, though I am able to login to the Server as root, I can’t login to the Terminal as root: entering the correct password gives me: “Sorry”. I know the password’s correct because I can login to the server as root, and because I can login as sudo with that password.

What am I doing wrong, how do I fix it? (Note: after reading vpndev above, I tried sudo -s, and I get “bash-3.2#” as the prompt, and the root commands work! I still want to know what’s wrong with su - (enter password) to get root#:

falconneil

when you sudo you use your regular admin user password, not the root password.

CCardona

Right, good clarification, but when you install OS X Server it automatically enables root and gives it the same password as the admin, so unless you change it, it’s the same password. Nonetheless, I can’t get to the root prompt in Terminal with it.

falconneil

gotcha. I missed the bit where you said Server. Sorry about that.

CCardona

BTW, this happens with every user on that box. If I login to the box as root, then open Terminal I of course get root#: if I then su - admin, I get admin#: but then, if I su - (or su root) all I get is “Sorry”. ??? I was just root, why won’t it go back? It’s like some corrupt Terminal preference that I can’t find?

CCardona

Sorry, not root#, but root$.
