How to…Root Around in Mac OS X
Workstation and server-class operating systems typically require administrator privileges in order to perform tasks such as installing device drivers, changing the system time or profiling system performance. The information presented here may be a departure for those accustomed to Microsoft operating systems—here we will be dealing with how to enable and use the built-in administrator account in Apple’s Mac OS X operating system.
Most Microsoft Windows administrators know that the Windows Server and Professional operating systems ship with a built-in default administrator account (appropriately called Administrator) that is granted full-control privileges on the local computer. In Mac OS X version 10.3 (aka Panther), there are actually two types of administrative accounts.
Local administrators in Panther are user accounts that have the “Allow user to administer this computer” option enabled for them in the Accounts panel in System Preferences. While local administrators have full-control access to many aspects of the Mac OS X operating system, local administrators do not have administrator-level access to the underlying BSD UNIX subsystem upon which Panther is based. To gain this level of administrative access, you must log on as the root user, or the super user (su).
By default, the root-user account is disabled in Panther for security reasons. There are two methods by which the root-user account can be enabled to allow you to carry out root-privilege tasks in Mac OS X Panther. You will need to proceed with caution: Because the root account has full-control access to both the operating system and the file system, it is possible to inadvertently damage critical system files and render the operating system unstable at best or unusable at worst. In Panther, it is considered a best practice to enable the root account only when necessary, and to disable the root account when root-level access is not required.
The straightforward method for enabling the root account in Panther is by using the NetInfo Manager utility. This GUI tool, which is somewhat analogous to the Regedit utility in Windows, is used to manipulate the local directory database in Mac OS X. You can start NetInfo Manager by navigating to the Utilities folder on your Mac’s hard drive and double-clicking the NetInfo Manager icon. (See Figure 1.)
The first step in the process is to authenticate to the operating system as a local administrator. To do this, choose the Authenticate option from the Security menu. After successfully entering administrative credentials, you are free to enable the root account on the machine. Next, click Security and Enable Root User in NetInfo Manager. The dialog box that appears will inform you that the default password for the root account is blank and that you must change the password at this time. (See Figure 2.)
You will then have the opportunity to select a non-trivial password for the root account by typing and confirming a new password in the Set Root Password dialog box. To complete the configuration, click OK in the Set Root Password dialog box, click the lock icon in NetInfo Manager to prevent any additional changes, and then quit the NetInfo Manager application.
Accessing the root account through the Panther GUI can be accomplished in several different ways. You can log on to the computer by supplying root as the user name and the root password as the password, provided that the root user is enabled on the local computer. Alternatively, you can supply the root user credentials whenever Panther asks you to authenticate as an administrator. Panther typically will prompt you for administrator credentials whenever you attempt to perform an administrator-level task, such as installing a new application, applying an operating system update or creating a new user account.
The Power User Way
For those of you who already possess some familiarity with UNIX or Linux, you might be more comfortable with issuing commands from a traditional Terminal session. Because Panther springs forth from a BSD UNIX kernel, you have full command-line functionality in Mac OS X.
To enable the root account through the Terminal application, you must first start a Terminal session by navigating to the Utilities folder and by double-clicking the Terminal icon. Next, you must wrap your mind around what first appears to be a Zen-like puzzle: How do you enable the root account, which is an administrator-level function, without first identifying yourself as a super user (su) to the BSD subsystem? (For those who are not UNIX-savvy, root and su refer to the same user account.)
Here is one way to approach the solution to this problem: The UNIX passwd command is used to change a user’s password from a Terminal session. What if you used the sudo (pronounced sue-due) command to change the password of the root account? The BSD subsystem will ask for an administrator-level password for authentication, and as long as you supply the password for an account that is designated as an administrator in the Macintosh’s local user database, you will be able to define a password for the root account, and thus enable the root account. Fair enough?
Therefore, the specific syntax for this command is “sudo passwd root” (without the quotation marks). After entering a local administrator’s password, type and confirm a password for the root account. You will notice that the command prompt will change from the standard dollar sign ($) prompt to the octothorpe (#) prompt, which lets you know that you are logged in as root. (See Figure 3.)
To log out as the root user, type “exit” at the root prompt. In the future, whenever you want to log in as the root user, you can simply provide either su or su root at the $ prompt. Also, as expected, you’ll be prompted for your trusty new password. After entering it, you’ll be authenticated as root, and you’ll have full-control access to the computer.
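As an added example (not part of the original article), here is a shell check for whether the root account is currently enabled, in support of the earlier advice to keep it disabled when root-level access is not required. It assumes master.passwd-style records, such as `nidump passwd .` prints on Panther, with `*` in root's password field meaning the account is disabled. The function names and sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the root entry in master.passwd-style records.
# Assumed field layout: name:passwd:uid:gid:class:change:expire:gecos:home:shell
# Assumption: "*" in root's passwd field means the account is disabled.

root_account_state() {
    # Reads records on stdin; prints disabled | blank | enabled | missing.
    awk -F: '
        /^#/ { next }                        # skip comment lines
        $1 == "root" {
            found = 1
            if ($2 == "*")     state = "disabled"
            else if ($2 == "") state = "blank"    # enabled with no password
            else               state = "enabled"
        }
        END { print (found ? state : "missing") }
    '
}

extra_uid0_accounts() {
    # Prints any account other than root that also carries UID 0.
    awk -F: '!/^#/ && $3 == "0" && $1 != "root" { print $1 }'
}

# Constructed sample records (not taken from a real machine).
SAMPLE_DISABLED='root:*:0:0::0:0:System Administrator:/var/root:/bin/sh
admin:********:501:20::0:0:Admin User:/Users/admin:/bin/bash'

SAMPLE_ENABLED='root:********:0:0::0:0:System Administrator:/var/root:/bin/sh
toor:********:0:0::0:0:Second Superuser:/var/root:/bin/sh
admin:********:501:20::0:0:Admin User:/Users/admin:/bin/bash'

for name in SAMPLE_DISABLED SAMPLE_ENABLED; do
    eval "records=\$$name"
    state=$(printf '%s\n' "$records" | root_account_state)
    extra=$(printf '%s\n' "$records" | extra_uid0_accounts)
    printf '%s: root is %s; other UID 0 accounts: %s\n' \
        "$name" "$state" "${extra:-none}"
done
```

On a live system the same functions can read the directory dump instead of the samples, for instance `nidump passwd . | root_account_state`.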
Temporarily Enabling the Root Account
In the previous section, we used the sudo command along with the passwd command to change the password of the root-user account. What exactly does the sudo command do? It allows you to enable the root account for one-time access. Windows administrators might be able to draw an analogy between the sudo command and the Windows Run As command.
The syntax of the sudo command is straightforward enough: You simply type “sudo commandname” at the command prompt. Naturally, you’ll be asked to authenticate by typing the current root password. Provided that you have supplied the correct password, the command that you’ve requested will then execute under root-level context, after which you’ll be returned to your previous user context.
My hope is that you have a newfound appreciation for the Mac OS X operating system—one that you might not have had before. It never hurts to broaden your computing horizons and become a more well-rounded IT professional. You can learn more about Panther by visiting the Mac OS X home page at www.apple.com/macosx/. If you want to learn more about IT certifications that Apple offers, visit train.apple.com/certification/. If you have any comments or questions, please don’t hesitate to e-mail me.
Tim Warner is director of information technology for Ensworth High School in Nashville, Tenn. He also owns an Internet security consulting business and teaches computer networking courses in his spare time. He can be reached at firstname.lastname@example.org.