Nonhuman Users

Even if you are the only human user of the system, there are well over a dozen accounts on the system. Most of these user accounts are not intended for use by you or any user on the system but are set up for use by various services and programs on the system. These nonhuman accounts let applications, such as the Apache web server and the Postfix mail server, run in a controlled environment so if they are breached by a hacker, the potential damage is limited. Table 6-1 lists some of the nonhuman users that are defined on the system.

Table 6-1. Some of Mac OS X’s nonhuman users

Username    User ID    Description
root        0          The administrative user
daemon      1          Core system daemons
lp          26         Printing service
postfix     27         The Postfix SMTP server
www         70         The Apache web server
nobody      99         A user with greatly restricted access

Many of the nonhuman users, such as cyrusimap and qtss, aren’t used on the average person’s system but instead are defined for use on Mac OS X Server. Others, such as postfix and www, are used only when you run the Postfix mail server or the Apache web server. Under most conditions, you’ll notice only processes owned by either your own ID or by the root user when viewing processes in the Activity Monitor or with the ps command.

The Root User

As in all Unix systems, Mac OS X has a special user, named root, that is not subject to the control of the permissions structure. The root user, sometimes called the superuser, can modify any part of the filesystem as well as execute any program. It can also stop the execution of any running program on the system.

The root user is a dangerous one. Some commands executed as root, such as rm -rf /, can immediately disable a system; you really have to think about what you are doing with every command you issue using root. To help prevent mishaps, Mac OS X is configured by default to allow access to the root user only through the sudo (superuser do) program. To use this program, you must be an administrative user, and simply preface the command you want to enter with sudo. Example 6-3 shows how to use sudo to print out some of the contents of secure.log, a file that is visible only to the root user and that contains the records of the various actions of Mac OS X’s security systems.

Example 6-3. Using sudo

$ sudo tail /var/log/secure.log
Password: ********
Jun 11 14:04:42 ronin SecurityAgent[447]: Showing Login Window
Jun 11 14:04:46 ronin SecurityAgent[447]: User Authenticated: continue login process
Jun 11 14:04:46 ronin com.apple.SecurityServer: authinternal authenticated user jldera (uid 501).

Because sudo keeps an internal timer, you can execute multiple commands without typing your password each time. It also logs each use in /var/log/system.log, so you can go back and see a list of commands that were executed (a procedure covered in Chapter 12). This is handy when you have multiple users with administrative privileges on a system.

If you prefer to live a bit more dangerously, you can get a shell as the root user by issuing the following command:

$ sudo -s
Password: ********
#

The prompt changes to #, indicating that every command typed will be run as the root user.

Warning

Even though it takes more work, you should avoid opening root shells with the sudo command and instead preface each individual command with sudo. That way, you are less likely to make a horrific mistake and hose your system. If you do make a mistake, each command will still be logged, allowing you to figure out what went wrong.
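The following script is an added example, not part of the original text. It lists the commands that were actually run through sudo and flags root shells, whose later commands are not logged individually. The line format is an assumption (sudo's usual syslog entry), and the sample lines and the users alice and bob are constructed.

```shell
#!/bin/sh
# Added example: list what was run through sudo, from syslog-style lines.
# Assumed line format (sudo's usual syslog entry):
#   <date> <host> sudo: <user> : TTY=.. ; PWD=.. ; USER=<target> ; COMMAND=<cmd>

# Constructed sample input, not real log data.
sample_log() {
cat <<'EOF'
Jun 11 14:10:02 ronin sudo:   jldera : TTY=ttyp1 ; PWD=/Users/jldera ; USER=root ; COMMAND=/usr/bin/tail /var/log/secure.log
Jun 11 14:12:40 ronin sudo:   jldera : TTY=ttyp1 ; PWD=/Users/jldera ; USER=root ; COMMAND=/bin/bash
Jun 11 14:15:09 ronin SecurityAgent[447]: Showing Login Window
Jun 11 15:01:33 ronin sudo:   alice : TTY=ttyp2 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/passwd root
Jun 11 15:02:10 ronin sudo:   bob : 3 incorrect password attempts ; TTY=ttyp3 ; PWD=/Users/bob ; USER=root ; COMMAND=/bin/sh
EOF
}

# Print "user<TAB>target<TAB>command" for each command sudo actually ran.
sudo_commands() {
  awk '
    / sudo: / {
      rest = $0
      sub(/^.* sudo: */, "", rest)
      n = split(rest, f, / ; /)
      split(f[1], head, / : /)
      # Denied or failed attempts carry a reason before TTY=; skip them.
      if (head[2] !~ /^TTY=/) next
      target = ""
      for (i = 2; i <= n; i++)
        if (target == "" && f[i] ~ /^USER=/) target = substr(f[i], 6)
      # Take COMMAND= to end of line so a " ; " inside it is preserved.
      p = index(rest, " ; COMMAND=")
      if (p == 0) next
      print head[1] "\t" target "\t" substr(rest, p + 11)
    }'
}

# Print users who opened a root shell (as with sudo -s); commands typed
# inside that shell do not appear as separate sudo log entries.
root_shells() {
  sudo_commands | awk -F'\t' '
    $2 == "root" && $3 ~ /^(\/usr)?\/bin\/(ba|z|tc|c|k)?sh$/ { print $1 }'
}

sample_log | sudo_commands
sample_log | root_shells
```

To audit a real system, feed the functions the log itself, for example sudo_commands < /var/log/system.log, run as a user who can read that file.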

Enabling the root user

Some people really want to be able to log into their system as root. For some reason having administrative privileges and the ability to execute any command using sudo isn’t enough. If you are one of these people, you can enable the root user so that you can log in either to the GUI or the command line and have unfettered and unmonitored access to your system. I don’t recommend that you do this, but if you insist, here’s how:

  1. Launch NetInfo Manager (/Applications/Utilities).

  2. Authenticate yourself using the Security → Authenticate... menu.

  3. Enable the root user using the Security → Enable Root User menu.

  4. Give the root user a password, one that is as secure as any password you would give an admin user of the system.

If you follow this procedure, you will have a fully functional root user. You can even log out of your system and log in as the root user. Remember: you should stick to using sudo instead of using the root user.

If you want to enable the root user from the command line, you can do so by executing the following command:

$ sudo passwd root

After setting the password, the root user account is active.
