On Becoming root
Whenever you use the "root" or "Admin" accounts it is a good idea to
follow the Principle of Least Privilege.
You should only take on the extra privileges to do a particular job,
and then release those privileges (i.e. go back to using your normal
user account).
The sudo command is a good way to do this, because it runs
only one command as the "superuser" at a time. For example
% sudo cat /etc/sudoers
will show the contents of the sudoers file, which controls
who is allowed to use the sudo command. You will have to
give your password for any "sudo" command to work, and your
account must be listed in the sudoers file.
If you need to do something which requires more than a single command
then you can open a command shell running as "root".
You can still use the sudo command to do this.
When logged in as the "Admin" user open the Terminal application and
give the command
% sudo tcsh
This will spawn a new tcsh command shell running as "root". You can
give as many commands as you need, and then type `exit` when you are done.
On MacOS X the "Admin" account is configured so that it is
allowed to use the "sudo" command, so you can get by without enabling
the "root" account.
The more traditional way to become "root" in Unix is the su
command.
This will work for the "Admin" user but will fail for a non-privileged
user account because of another old Unix custom which is respected by
Mac OS X: only members of the "wheel" group are allowed to su to
root.
There are two ways around this.
First of all, for 10.5 and earlier you can use NetInfo Manager (as
described below) to add your user account to the "wheel" group.
Follow the instructions below to run NetInfo Manager, but select the
"groups" map instead of the "users" map.
Find the "wheel" group, edit the "users" property, and add the name of
your user account to the list. For 10.6 and beyond you can use the
'dscl' command from the command line, as described later.
But there is an easier way.
Local users who are not in the "wheel" group cannot su to "root", but
can still ssh to the "root" account.
Give the command
% ssh root@localhost
and enter the "root" account password and you will have a root shell.
Type `exit` when you are done.
Remember, as "root" you should do what needs to be done and then go
back to being an unprivileged user.
Quick Menu Method, using NetInfo Manager or Directory Utility
This is the easiest method to enable the "root" account on a Mac if
you are more of a GUI person. For older versions of
Mac OS X you used NetInfo Manager, but for newer Macs you
use the Directory Utility. Either way, once you launch the utility,
the procedures are very similar.
NetInfo - (Mac OS X 10.4 or earlier)
If you have version 10.4 or earlier then the procedure is:
- Log in on the Admin account.
- Start the NetInfo Manager application, which is in the
Applications/Utilities folder: Macintosh HD -> Applications -> Utilities
-> NetInfo Manager.
If you don't have this in the dock for the Admin account you
should probably drag it there. It is very useful for system administration.
- From the top menu bar pull down the "Security" item and select
"Enable root user".
You will have to enter the administrator's password to
authenticate yourself.
Directory Utility - (Mac OS X 10.4 or later)
For Mac OS X 10.5 and later you can use the Directory
Utility instead of NetInfo.
For just Mac OS X 10.5 you will find it in the
Applications/Utilities folder.
For Mac OS X 10.6 and later you start the Directory Utility
from the System Preferences as follows:
- Start System Preferences and select "Accounts".
- Under the list of users press the "Login Options", and then
next to that press the "Join..." button next to
Network Account Server. (You will not be joining a network
account server, this is just the convoluted way to get
to the Directory Utility).
- Press the button to "Open Directory Utility..."
Once you launch the Directory Utility, however you do it,
then enable the root account by doing the following:
- Click on the Lock icon and give the Administrator password
to authenticate.
- Pull down the "Edit" menu to "Enable Root User".
- Pull down the "Edit" menu to "Change Root Password..." and
enter a good, strong password for the root user.
Quick Method using the Command Line Interface (CLI)
This is the easiest method to enable the "root" account on a Mac
if you are more of a Command Line Interface person:
- Log in on the Admin account.
(Your normal, everyday user account should not have administrative
privileges!)
- Open up a command shell in the Terminal application with
Macintosh HD -> Applications -> Utilities -> Terminal.
At the command prompt type this command:
% sudo passwd root
Enter Password:
Changing password for root
New password:
Verify password:
The first password you are asked for is the already existing password
for the Admin account, to prove that you are authorized to
make changes to this system.
After that, you enter the new root password (twice, for verification).
That is all, the "root" account is now enabled, with that password.
Incidentally, it is also relatively easy to add your own personal
login to the "wheel" group from the command line. Recall that
Mac OS X respects the BSD Unix tradition of only allowing
members of the "wheel" group to su to root. We showed a simple way
around this above (simply `ssh root@localhost`), but you
don't even need to do that if your personal account is in the wheel
group.
For Mac OS X 10.6 and beyond, which use the Directory
Service to keep track of users and groups, the command is simply
# dscl . -append /Groups/wheel GroupMembership "myers"
As the "#" in the command prompt implies, you must be 'root' (or at
least an Administrator) to give this command. Don't miss the "dot"
after the command name; that is the "data source", and the dot means
the local machine, rather than a remote directory service.
Be sure to replace "myers" with the name of your own user account.
You can verify that it worked with the traditional Unix `groups`
command, or by saying
# dscl . -read /Groups/wheel
Detailed Method using NetInfo Manager
These instructions allow you to enable the "root" account, or to reset
the password for any user, not just "root".
This only works for Mac OS X 10.4 or earlier, because
NetInfo Manager was removed after that.
1. If you so desire, you can first verify that the "root" user
account is indeed locked.
One way to do this is to get a shell prompt by running the Terminal
application, found at
Macintosh HD -> Applications -> Utilities -> Terminal
At the command prompt type this command:
% nidump passwd .
(Don't type the "%" - that represents the Unix command prompt.
And don't forget the "dot" at the end, which indicates that the "passwd"
map to be dumped to the screen is the one on this machine, not the
passwd map from a remote server.)
You should see a line like this:
root:*:0:0:System Administrator:/var/root:/bin/tcsh
The "*" is where the encrypted password for the user would normally
go.
If the "root" account has a "*" then it is not possible for a user to
become "root".
2. To remove the "*" (or any old password) you can run the
NetInfo Manager application, which is also in the Utilities
folder:
Macintosh HD -> Applications -> Utilities -> NetInfo Manager
3. With "/" in the left column select the "users" map in the
second column and click on the "root" user.
4. Click on the lock icon at the bottom of the window marked "Click to
make changes".
Enter the administrative password as prompted.
You are now free to make changes to the users map.
5. Find the "passwd" property and double click on the value field
to alter it (it should contain just the "*", or possibly an old
encrypted password).
Delete the "*" and make sure there are no spaces left in the value
field.
You cannot simply enter a new password here, because Unix stores
an encrypted version of the password in the user database
(passwd map).
You will need to use the passwd command (step 7 below) to
enter a new password.
6. Pull down the "Domain" menu from the top bar and select
"Save Changes".
Confirm that you really want to make the change.
At this point your computer has the root account enabled with no
password, which is very dangerous.
7. Get a shell prompt (from the Terminal application, as
described in step 1 above).
Enter the command:
% su root
(Don't enter the %, that represents the Unix command prompt.)
When prompted for the password, just hit "return".
Then add a password with the `passwd root` command, like so:
# passwd root
Changing password for root
New password:
Verify password:
(Don't enter the #, that is the root command prompt on Unix.)
The password you type won't be printed on the screen, which is why
you are asked to type it twice for verification.
Be sure to pick a good password for the "root" account.
If your computer is connected to the Internet it may be possible for
someone to get in to your computer as "root" if you have a weak
password.
Some useful guidelines for picking a good (or bad) password may be
found here.
8. Log out and log in as the "root" user to verify that it worked.
If the login screen shows a list of users it won't show the
"root" user so you will have to select "Other".
9. It's very useful for the "root" user to have the Terminal application
always in the Dock.
Here is how to do that:
- First, start up the Terminal application
(Macintosh HD -> Applications -> Utilities
-> Terminal)
- Hold down the "control" key as you click on the icon of the
Terminal application in the Dock.
A menu will appear. Select the item "Keep In Dock".
To disable the "root" account, or any user account, follow the
directions above to edit the "user" map with NetInfo Manager, and put
a "*" in the passwd field.
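The two records this page reads to decide who can become root, the passwd map from `nidump passwd .` and the GroupMembership list from `dscl . -read /Groups/wheel`, can be audited with a few lines of POSIX shell. The script below is an added example and not part of the original page: the account names, hashes and GUID in its sample data are constructed, and the awk parsing is the example's own, not Apple's tooling.

```shell
# Audit "who can become root" from the two records this page reads: the passwd
# map (nidump passwd .) and the wheel group (dscl . -read /Groups/wheel).
# Both samples are CONSTRUCTED; on a real machine substitute the live output.
# Constructed passwd map: the root line is the one quoted on the page, "guest"
# has an empty password field, "helper" is a second uid-0 account.
PASSWD_DUMP='root:*:0:0:System Administrator:/var/root:/bin/tcsh
myers:PLACEHOLDERhash1:501:20:Bob Myers:/Users/myers:/bin/tcsh
guest::502:20:Guest Account:/Users/guest:/bin/tcsh
helper:PLACEHOLDERhash2:0:0:Backup Admin:/Users/helper:/bin/sh'

# Constructed "dscl . -read /Groups/wheel" record (GUID is a placeholder).
WHEEL_RECORD='GeneratedUID: 00000000-0000-0000-0000-000000000000
GroupMembership: root myers
Password: *
PrimaryGroupID: 0
RealName: System Group
RecordName: wheel'
# passwd_status NAME: LOCKED ("*"), NOPASSWORD (empty field), SET (a hash),
# or UNKNOWN if NAME is not in the map.
passwd_status() {
    printf '%s\n' "$PASSWD_DUMP" | awk -F: -v u="$1" '
        $1 == u { found = 1
                  if ($2 == "*") print "LOCKED"
                  else if ($2 == "") print "NOPASSWORD"
                  else print "SET" }
        END { if (!found) print "UNKNOWN" }'
}

# uid0_accounts: every account with uid 0 is root, whatever it is called.
uid0_accounts() {
    printf '%s\n' "$PASSWD_DUMP" | awk -F: '$3 == 0 { print $1 }'
}

# wheel_members: the GroupMembership list from the dscl record.
wheel_members() {
    printf '%s\n' "$WHEEL_RECORD" |
        awk '$1 == "GroupMembership:" { $1 = ""; sub(/^ /, ""); print }'
}

# in_wheel NAME: succeeds if NAME may su to root under the wheel rule.
in_wheel() {
    for m in $(wheel_members); do [ "$m" = "$1" ] && return 0; done
    return 1
}
# Report, printed when the script is run directly.
for u in $(uid0_accounts); do
    echo "uid 0 account: $u, password $(passwd_status "$u")"
done
echo "wheel members: $(wheel_members)"
```

On a live machine, feed the real output of those two commands into PASSWD_DUMP and WHEEL_RECORD; an extra uid 0 entry or an empty password field is exactly the root-enabled-with-no-password state the detailed method above warns about.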
References
The GUI proceedures for all versions of Mac OS X
are documented by Apple at
http://support.apple.com/kb/ht1528
In Mac OS X 10.7 (Lion) it seems to be the case that you
sometimes cannot login directly as root.
See the Apple discussion forums at
https://discussions.apple.com/thread/3274744
Acknowledgments
Many thanks to all those who have given me feedback on this page,
including Stephen Zinn, Damian Drape, Cary Swoveland, and Aaron Shipley.