SPY HILL Research	Spy-Hill.net
Poughkeepsie, New York	[DIR] [UP]

---

The superuser (i.e. "root") account, which controls everything in Unix, is turned off by default in most Mac OS X installations. These instructions tell you how to enable the Unix "root" account on Mac OS X.

---

Last updated: 9 April 2010

The default Mac OS X installation has the Unix "root" account disabled. This is generally a good thing, because the casual user does not need all the powers granted to this "superuser" account. But it can be useful to be able to become "root" to fix something. You can follow the instructions below to enable the "root" account, which will make it easier for the "root" user to get a command shell prompt.

You can also use these instructions to remove a root password that you have forgotten, or to reset any user password.

Making changes like this to the system requires administrative privileges. You will need to know the password for the "Admin" account on your machine. If you do not have that then the only way to get administrative access to the machine is to reboot from an Installation CD and find the menu item for "Password Reset".

Whenever you use the "root" or "Admin" accounts it is a good idea to follow the Principle of Least Privilege. You should only take on the extra privileges to do a particular job, and then release those privileges when you are done. (Your normal, every day user account should not have administrative privileges!)

If you just want to perform occasional system administration tasks then you don't really need to enable the "root" account. You can log in as the "Admin" user, open the Terminal application, and give any single command prefixed by the sudo command. Examples of this are shown below.

Since this page first started I have become aware of three different ways to enable the root account. The original way I published is the "detailed" method using NetInfo Manager. It is the same way you would reset any user's password on a NeXT computer (and now Mac OS X as well). There is also a much quicker way to enable the root account using a menu item in NetInfo Manager. (However, NetInfo is not included in MacOS&Nbsp;X 10.6 (Snow Leopard)) Or you can open a command shell in the Terminal application and use the sudo command. Pick the one that works best for you:

After you have enabled the root account, there are three different ways that you can become "root" to perform system administration tasks.

On Becoming root

Remember, as "root" you should do what needs to be done and then go back to being an unprivileged user.

Quick Menu Method, using NetInfo Manager

1. If you so desire, you can first verify that the "root" user account is indeed locked. One way to do this is to get a shell prompt by running the Terminal application, found at
   Macintosh HD -> Applications -> Utilities -> Terminal

   At the command prompt type this command:

   % nidump passwd .

   (Don't type the "%" - that represents the Unix command prompt. And don't forget the "dot" at the end, which indicates that the "password" map to be dumped to the screen is the one on this machine, not the password map from a remote server.) You should see a line like this:

   root:*:0:0:System Administrator:/var/root:/bin/tcsh

   The "*" is where the encrypted password for the user would normally go. If the "root" account has a "*" then it is not possible for a user to become "root".

2. To remove the "*" (or any old password) you can run the NetInfo Manager application, which is also in the Utilities folder:
   Macintosh HD -> Applications -> Utilities -> NetInfo Manager

3. With "/" in the left column select the "users" map in the second column and click on the ""root"" user.

4. Click on the lock icon at the bottom of the window marked "Click to make changes". Enter the administrative password as prompted. You are now free to make changes to the users map.

5. Find the "passwd" property and double click on the value field to alter it (it should contain just the "*", or possibly an old encrypted password). Delete the "*" and make sure there are no spaces left in the value field.

   You cannot simply enter a new password here, because Unix stores an encrypted version of the password in the user database (passwd map). You will need to use the passwd command (step 7 below) to enter a new password.

6. Pull down the "Domain" menu from the top bar and select "Save Changes". Confirm that you really want to make the change. At this point your computer has the root account enabled with no password, which is very dangerous.

7. Get a shell prompt (from the Terminal application, as described in step 1 above). Enter the command:

   % su root

   (Don't enter the %, that represents the Unix command prompt.) When prompted for the password, just hit "return". Then add a password with the `passwd root` command, like so:

   # passwd root Changing password for root New password: Verify password:

   (Don't enter the #, that is the root command prompt on Unix.) The password you type won't be printed on the screen, which is why you are asked to type it twice for verification.

   Be sure to pick a good password for the "root" account. If your computer is connected to the Internet is may be possible for someone to get in to your computer as "root" if you have a weak password. Some useful guidelines for picking a good (or bad) password may be found here.

8. Log out and log in as the "root" user to verify that it worked. If the login screen shows a list of users it won't show the "root" user so you will have to select "Other".

9. It's very useful for the "root" user to have the Terminal application always in the Dock. Here is how to do that:

   • First, start up the Terminal application (Macintosh HD -> Applications -> Utilities -> Terminal)

   • Hold down the "control" key as you click on the icon of the Terminal application in the Dock. A menu will appear. Select the item "Keep In Dock".