Linked by Eugenia Loli on Wed 22nd Mar 2006 02:44 UTC
In Mac OS X, the root account is disabled by default. The first user account created is added to the admin group and that user can use the sudo command to execute other commands as root. The conventional wisdom is that sudo is the most secure way to run root commands, but a closer look reveals a picture that is not so clear.
Thread beginning with comment 106611
The article misses the point.
by subterrific on Wed 22nd Mar 2006 04:46 UTC
subterrific Member since:
2005-07-10

- Commands executed in a root shell acquired with sudo -s are logged to the user's shell history file. Besides, if someone has gained root on your box you've got bigger problems than "what commands did they execute". You might as well wipe the box clean.

- If you think someone can guess your user password and then gain root with sudo, the solution isn't to enable root. The solution is to pick a better password and change it often.

I still haven't heard one good reason for enabling the root user.

Reply Score: 5

somebody Member since:
2005-07-07

> - Commands executed in a root shell acquired with sudo -s are logged to the user's shell history file. Besides, if someone has gained root on your box you've got bigger problems than "what commands did they execute". You might as well wipe the box clean.

And root's are logged to root's history file. Besides, if someone were to gain root access? It is easier to gain sudo access than su (or at least equally hard). And if they gain sudo, enabling root is just one command away.

No diff here.

> - If you think someone can guess your user password and then gain root with sudo, the solution isn't to enable root. The solution is to pick a better password and change it often.

Nope, changing it often doesn't help here; if you think it does, then you're naive. One way to do it on *X is a brute force attack. No system provides a trigger that would start screaming when too many false logons suddenly spawn. But the good thing is that on *X a trigger is usually 10 lines of script away (and log redirection).

Just one page that describes what people can find on the net. Just google for "password cracking methods"
http://www.password-crackers.com/en/articles/12/

> I still haven't heard one good reason for enabling the root user.

With sudo allowed, there is no value in enabling root, except if one prefers it that way. Disabling sudo and enabling root is the only sensible thing to do if you prefer working with root instead of the sudo way.

Reply Parent Score: 1
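
The kind of failed-logon trigger the comment above alludes to, written out as an added example that is not part of any comment in this thread. It assumes syslog auth lines in the usual OpenSSH and sudo message formats; the function names, the limit of 3 and the sample lines (documentation-range addresses) are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: syslog auth lines in the OpenSSH and sudo message formats.
sample_log() {
cat <<'EOF'
Mar 22 04:40:01 host sshd[311]: Failed password for invalid user admin from 203.0.113.5 port 40022 ssh2
Mar 22 04:40:03 host sshd[311]: Failed password for root from 203.0.113.5 port 40022 ssh2
Mar 22 04:40:05 host sshd[314]: Failed password for alice from 203.0.113.5 port 40025 ssh2
Mar 22 04:40:07 host sshd[317]: Failed password for invalid user from from 203.0.113.5 port 40031 ssh2
Mar 22 04:40:09 host sshd[320]: Failed password for alice from 198.51.100.7 port 51100 ssh2
Mar 22 04:40:15 host sshd[320]: Accepted password for alice from 198.51.100.7 port 51100 ssh2
Mar 22 04:41:10 host sudo:    alice : 3 incorrect password attempts ; TTY=ttyp1 ; PWD=/Users/alice ; USER=root ; COMMAND=/bin/sh
Mar 22 04:42:30 host sudo:    alice : TTY=ttyp1 ; PWD=/Users/alice ; USER=root ; COMMAND=/bin/ls
EOF
}

# failed_logon_alerts LIMIT
# Reads an auth log on stdin and prints "ssh <ip> <count>" or
# "sudo <user> <count>" for every source with at least LIMIT failures.
failed_logon_alerts() {
    awk -v limit="$1" '
    / sshd\[[0-9]+\]: Failed password for / {
        # The user name is attacker-chosen and may itself be "from", so
        # search backwards: the last "from" precedes the client address.
        for (i = NF - 1; i >= 1; i--)
            if ($i == "from") { ssh[$(i + 1)]++; break }
    }
    / sudo: .* incorrect password attempts? ;/ {
        # Layout: sudo: <user> : <N> incorrect password attempts ; ...
        for (i = 1; i <= NF - 3; i++)
            if ($i == "sudo:") { sudo[$(i + 1)] += $(i + 3); break }
    }
    END {
        for (ip in ssh) if (ssh[ip] >= limit + 0) print "ssh", ip, ssh[ip]
        for (u in sudo) if (sudo[u] >= limit + 0) print "sudo", u, sudo[u]
    }' | sort
}

# Demo on the constructed sample with a limit of 3 failures.
sample_log | failed_logon_alerts 3
```

In practice the function would be fed the live auth log (for example from a periodic job) and its output mailed or forwarded to a remote log host, which is the "log redirection" part.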

kadymae Member since:
2005-08-02

> I still haven't heard one good reason for enabling the root user.

Word

I've been running OS X since 10.1 days and I've never needed to sudo or create a root account to do any vital task on my computers.

As the sysadmin, pretty much the only things I don't own are the absolutely critical files that make the OS go.

Why on Earth would I want to go dinking around in those files anyway? It's like handling radioactive material with an oven mitt -- not a good idea.

The same goes with Ubuntu. Yes, I have to sudo to install software but once again, outside of that, why do I want to be making changes to the mission critical files? I have no business there, and I'm grateful for a system that locks me or other users out of accidentally deleting the wrong folders.

Reply Parent Score: 1

macisaac Member since:
2005-08-28

except think of this. you have sshd. however, you also have permit root logins set to no. now, if a remote user wants root access, they need to compromise two accounts with two passwords to get there (regular user su -> root).

with sudo, your regular user will almost certainly be allowed remote logins, but now if the attacker has its password, it also has root via sudo...

personally the only legitimate reason I could think of for enabling sudo is in a multi admin situation where you want to delegate limited privileges to certain folk.

other than that, it's basically just a false security blanket, which personally I find annoying to use.

Reply Parent Score: 3