SPY HILL Research

Poughkeepsie, New York [DIR] [UP]

How to Enable the "root" Account on Mac OS X


Last updated: 8 August 2012

On Becoming root

Whenever you use the "root" or "Admin" accounts it is a good idea to follow the Principle of Least Privilege. You should only take on the extra privileges to do a particular job, and then release those privileges (i.e. go back to using your normal user account).

The sudo command is a good way to do this, because it runs only one command as the "superuser" at a time. For example

% sudo cat /etc/sudoers
will show the contents of the sudoers file, which controls who is allowed to use the sudo command. You will have to give your password for any "sudo" command to work, and your account must be listed in the sudoers file.

If you need to do something which requires more than a single command then you can open a command shell running as "root". You can still use the sudo command to do this. When logged in as the "Admin" user open the Terminal application and give the command

% sudo tcsh
This will spawn a new tcsh command shell running as "root". You can give as many commands as you need, and then type `exit` when you are done.

On MacOS X the "Admin" account is configured so that it is allowed to use the "sudo" command, so you can get by without enabling the "root" account.

The more traditional way to become "root" in Unix is the su command. This will work for the "Admin" user but will fail for a non-privileged user account because of another old Unix custom which is respected by Mac OS X: only members of the "wheel" group are allowed to su to root.

There are two ways around this. First of all, For 10.5 and earlier you can use NetInfo Manager as described below), to add your user account to the "wheel" group. Follow the instructions below to run NetInfo Manager, but select the "groups" map instead of the "users" map. Find the "wheel" group, edit the "users" property, and add the name of your user account to the list. For 10.6 and beyond you can use the 'dscl' command from the command line, as described later.

But there is an easier way. Local users who are not in the "wheel" group cannot su to "root", but can still ssh to the "root" account. Give the command

% ssh root@localhost
and enter the "root" account password and you will have a root shell. Type `exit` when you are done.

Remember, as "root" you should do what needs to be done and then go back to being an unprivileged user.

Start Next >>> <<< Previous

Last modified: Wednesday August 08, 2012 Copyright © 2012 by Spy Hill Research http://www.spy-hill.net /help/apple/EnableRoot1.html