×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Root as Primary Login: Why Not?

pudge posted more than 11 years ago | from the uh dept.

OS X 164

A user writes, "I help moderate a forum dealing with Mac OS X, and I'm having an awful time convincing a fair portion of our readers that logging in as root all the time is a Really Bad Idea. Worse, though, are the ones who try to convince others to log in as root all the time, claiming it's 'more Mac-OS-9-like,' or saying 'it's not really more insecure,' or even that 'a firewall should deter hackers pretty well.' I know all the standard arguments, but they're not working out. Does anyone here have some real-world anecdotes that I can point to?"

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

164 comments

Mac beats Athlon in After Effects (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#3468000)

Read the article here [digitalvideoediting.com].

Um, its the other way around... (1, Offtopic)

crisco (4669) | more than 11 years ago | (#3468077)

Nice Troll though...

Those pretty bar graphs indicated the time spent getting the job done. That means that the taller one labeled Mac on each of them means the Mac took longer. Generally that means the Mac loses to the Athlon.

besides, its all offtopic anyway :)

Why i have to log in as root. (5, Interesting)

m_evanchik (398143) | more than 11 years ago | (#3468007)

I'm a newbie and I always initially log in as root because that's the only way I can get adsl-connect going. I guess maybe I installed it as root, because it doesn't show up or run when I log-in as a regular user. Not a big deal but it is annoying to have to log in as root to get online and then to log out and log back in.

Re:Why i have to log in as root. (3, Informative)

brunson (91995) | more than 11 years ago | (#3468020)

If it needs root access to devices, which it almost certainly does to ifconfig an interface up, it should be installed suid root (if safe). Also, sudo is a great utility for doing things as root, does it come installed by default?

Re:Why i have to log in as root. (4, Informative)

foobar104 (206452) | more than 11 years ago | (#3468075)

Also, sudo is a great utility for doing things as root, does it come installed by default?

Yup, sure does. As far as I know, it's been there since forever. At least since 10.0.3, which was the earliest version that I used regularly.

Re:Why i have to log in as root. (5, Informative)

lexarius (560925) | more than 11 years ago | (#3468035)

Well, you could have a script run at boot time to connect the adsl, or one that is set to run as root no matter who runs it.

As for the original poster, I don't know what to say. In OS X root still has to give his password for authentication screens. The only convenience I can really see it having is to mess around with system libraries and configuration files unchecked. Oh yeah, thats right. Most unices aren't very vulnerable to virii because the user isn't root, so the virus can't get at the important things. The most a trojan could do is take out your home directory. Your system would still run.

Of course, logging in as root makes the system slightly more vulnerable to local attacks, but that isn't saying much.

Cmd-S during boot-up.
fsck -y
mount /
SystemStarter
passwd root

System compromised.
But thats a feature. I think it can be disabled, possibly by supplying an OpenFirmware password... auto-logging in as root sort of ruins that, though.
If people want security similar to Windows, tell them to run as root. OS9 is somewhat more "secure" than OSX because it was meant to be stupid-proof. Running as root in OSX is like telling the computer you really know what you're doing. If you don't, you shouldn't.

Re:Why i have to log in as root. (0, Offtopic)

foobar104 (206452) | more than 11 years ago | (#3468144)

I'm on a crusade. I intend to post a comment like this one whenever I see anybody use "virii." Please don't interpret this comment as either endorsement of or disagreement with the parent post. Moderators: with your help, we can wipe out "virii" in our lifetime!

The plural of "virus" isn't "virii." There is no such word. The plural of "virus" is "viruses."

Here's a good explanation from cdknow.com [cknow.com], quoted here in its entirety because the people who most need to read this won't click on a link.

The correct English plural of virus is viruses. Please consult any good dictionary before making up words.

For the purists, in Latin, there is a rarely-used plural form:

virus, viri (neuter)

(Forms: almost always restricted to nominative and accusative singular; generally singular in Lucretius, ablative singular in Lucretius)

The point of this is that even in Latin the form "viri" is rarely used. The singular form is used in most every instance. (This is from the Oxford Latin Dictionary.)

So, when considering the Latin: "virii" is incorrect and "viri" was almost never used.

Despite the fact there was little use for the plural form, there is another reason why "viri" was rarely used. The most common Latin word for "man" is "vir" with "viri" being its plural in the form used as the subject of a sentence. Thus, since "men" as the subject of a sentence would be used far more often than "venoms" (virus means venom) the "viri" word was most commonly seen as the plural of "man."

Bottom line: Don't try to make up words using a false Latin plural form. Since the word virus in its English form is now used then the English plural (viruses) should be used.

More plural-of-virus resources:

perl.com [perl.com], the canonical and exhaustive source
The alt.comp.virus FAQ [wisc.edu]
Jonathan de Boyne Pollard's Frequently Given Answer [tesco.net]
Merriam-Webster's "Word for the Wise [m-w.com]," January 20, 2000.

Re:Why i have to log in as root. (0, Offtopic)

reverius (471142) | more than 11 years ago | (#3468345)

Yeah, well, it's 'net speak. You don't see anyone trying to eradicate the usage of "boxen" (even though "boxes" is the proper plural of "box").

I say let it go.

-- The Great and Powerful Reverius has Spoken

Re:Why i have to log in as root. (0)

Anonymous Coward | more than 11 years ago | (#3469283)

I have seen several people trying to get rid of boxen.

Yo sur is smart der missa reverius.

I don't think we should let the language run rampant. I don't mind slang, expressions, etc. but the farther you get from some kind of a base-line the harder it becomes to communicate clearly. There is enough confusion when everyone is speaking properly let alone adding to it. Yes I am against legitimizing Ebonics too.

Re:Why i have to log in as root. (3, Informative)

foobar104 (206452) | more than 11 years ago | (#3469464)

You don't see anyone trying to eradicate the usage of "boxen" (even though "boxes" is the proper plural of "box").

There are two big differences between "boxen" and "virii."

First of all, "boxen" is almost always tongue-in-cheek. It's an old joke, but it's just a joke.

Secondly, "boxen" would be correct, if it weren't for the simple fact that it isn't. It's just one of those quirks of the language: one box plus one box is boxes, and one fox plus one fox is foxes, but one ox plus one ox is oxen. Like a friend of mine said, about fifteen years ago, in my high school English class. "Drive, drove, have driven. Dive, dove, have diven?" "Boxen" is funny because its use points out the arbitrary and inconsistent nature of English pluralization.

As I said, though, "virii" isn't just technically wrong, it's completely wrong. Latin had either no plural at all for "virus," or only a very rarely used and easily confused plural, depending on whose interpretation you accept. "Virii" has zero basis in any kind of fact.

If the correct Latin plural of "virus" had been "virii," and if the use were intended to be sarcastic or humorous, I wouldn't mind so much. But the fact is, people often use "virii" in utter seriousness, as if it were correct and acceptable.

It isn't. It's wrong, wrong, wrong.

Re:Why i have to log in as root. (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#3468357)

I'm on a crusade. I intend to post a comment like this one whenever I see anybody use "virii."

Thanks for warning me so I can put you on my foe list.

Re:Why i have to log in as root. (1, Funny)

BtAFMB (574756) | more than 11 years ago | (#3468364)

You wouldn't think someone with a name like foobar104 would get so hot and bothered about the creative use of language.

Re:Why i have to log in as root. (-1, Flamebait)

Anonymous Coward | more than 11 years ago | (#3468480)

I'm sorry, the answer we were looking for was: "I know I'm a cocksucker, but I like to post about things only I care about." Thank you for playing. Have a nice day.

This poster's name secretly replaced with Folgers Crystal Meth

Re:Why i have to log in as root. (4, Informative)

Permission Denied (551645) | more than 11 years ago | (#3468848)

Well, you could have a script run at boot time to connect the adsl, or one that is set to run as root no matter who runs it.

OS X, like most unices, doesn't honor the set-uid bit for scripts.

I would just write a trivial C program and make that set-uid:

#include <unistd.h>

#define ADSL "/path/to/adsl-connect"

int main()
{
execl(ADSL, ADSL, NULL);
return 1;
}

On OS X, install dev tools, compile as "cc file.c -o my-script" and then "chmod 4755 my-script". You can then run it from a normal user shell and the script is run as root (make sure the file is owned by root).

NB: I'm not replying directly to you, but rather to the original poster who wanted to know how to do this.

Re:Why i have to log in as root. (2, Informative)

Permission Denied (551645) | more than 11 years ago | (#3468873)

because it doesn't show up

Nobody has yet replied to this point (subtle, this is easy to miss unless you've worked with people).

This is because adsl-connect is probably not in your PATH (I'm guessing it's in /sbin or /usr/sbin). You can do a 'man bash', hit the '/' key, type in PATH and keep typing 'n' until you find the entry in the manual page explaining how PATH works.

Short story: type in the following:

su -
which adsl-connect
Make sure to type in the dash in the 'su' command. The second command should tell you exactly where adsl-connect is, and you can go from there.

Re:Why i have to log in as root. (0)

Anonymous Coward | more than 11 years ago | (#3469530)

You don't have to, and must not login as root in OS X. I did that a couple of times (in the graphical environment) before getting used to the CLI and sudo. Now, after I had to reinstal the system, [...] I never reactivated the root account.

The neat trick to avoid working as root if you are not familiar with the CLI is to boot in OS 9 and do your "modifications" there. You can override all the permissions there. You have to know what you do, but if you mess up, you can always undelete!

Re:Why i have to log in as root. (0)

Anonymous Coward | more than 11 years ago | (#3470278)

if you installed it as root, login as root, cd to the dir that holds the adsl-connect dir:

chown -R michel.michel adsl-connect/

chown = change ownership
-R = recursive (all sub-directories)
michel.michel = whatever your user name and group is (if you dont know, "ll" will tell you, best to do in your "home" dir [/home/michel])

or am i missing something more obvious?

or, edit the file that starts adsl-connect, and have it login as you first, start adsl-connect, and than logout of you.

try linuxbewbie.org or linuxdocs.org

Apple News on Slashdot (-1, Offtopic)

peel (242881) | more than 11 years ago | (#3468028)

This is a very interesting post but I can't help but feel that it would be beter suited as an 'Ask Slashdot' article. While I am glad that /. is covering a lot more Apple stuff these days, I can't help but feel the way it is being treated by the moderators is only giving Apple a bad reputation with the /. community. I think maybe a little more thought should go into how Apple stories are handled in the future. And while I'll probably get moderated down for this I am far from a troll or a karma whore so I could care less.I just wanted to voice my opinon so the three people that will read this post will have some comments to read. -peel

Not yet… (3, Funny)

DarkVein (5418) | more than 11 years ago | (#3468038)

Does anyone here have some real-world anecdotes that I can point to?
But I can make some what did you say their addresses were?

Re:Not yet… (1)

marktwain (523893) | more than 11 years ago | (#3468452)

Read down a few threads to the MacNN link. That foobar posted his domain URL is appears. :rolleyes:

I read the thread for a few minutes and smiled. Then I remembered there was a real world and had some work to finish up.

Fools rush in where wise men fear.........

Re:Not yet… (1)

SirRichardPumpaloaf (563323) | more than 11 years ago | (#3468539)

Why would logging in as root on the console make you more vulnerable to remote compromise? To trojans, sure, but that's not what you seem to be implying. Last time I checked a root login doesn't expose any bugs in sendmail, bind, etc. so what are you talking about?

Real world example....... (2, Informative)

jsimon12 (207119) | more than 11 years ago | (#3468041)

My main reason for why you don't use root entirely is eventually no matter how careful you are you WILL make a mistake. Be it rm, chmod, mv, it will happen. If you use another account and try to do as much as you can as a none root user and only su up you will be less likely to simply careless do something.

But that is my 2 cents, my advice would be to present your argument, if they don't want to listen and want to put their boxes at risk, let them. When they accidentally make a mistake bring their system down they will learn. If they don't learn from that and keep recommending bad admin practices to others, well they are morons. But that is another issue.

Re:Real world example....... (3, Insightful)

irony nazi (197301) | more than 11 years ago | (#3468142)

You miss a very important point.

People who don't understand why you would/wouldn't log in as root are *extremely* unlikely to be playing around with 'rm', 'chmod', and 'mv'.

You would have a better argument saying something to the effect of "dragging an important system file into the trash" or moving/renaming an important file/folder.

I find it amazing how many people don't want to *login* to their computers.

They tell me, "I know that it's safer to log into my computer, but it's such a pain." --to which my usual reply is "You don't know that it's safer to log in."

Re:Real world example....... (1)

vample (30259) | more than 11 years ago | (#3468264)

> I find it amazing how many people don't
> want to *login* to their computers.

Yes, because most of these people just want to use the computer to get something done, and its the job of the computer to make that easier, rather than toss more obstacles to getting things done.

Because they didnt have to login, or didnt have to su to get things done in the past, they see this extra work as a waste and thus want to avoid it.

Computers should be smart enough to handle these things. Like auto updating patches to the OS or virus signatures, or compressing big files, or other 'routine' stuff.

Maybe extend the analogy to 'have the computer auto-empty the trash for you'. Most people can see that this might be a bad idea, because sometimes you mistakenly delete the wrong file. Then tell them that having to sudo for things rather than always being root is the same - it keeps you from making they types of mistakes that are difficult to recover from.

Re:Real world example....... (1)

linzeal (197905) | more than 11 years ago | (#3469062)

If typing a few characters to login is seen as work than apple has done a piss poor job of educating their customers on security issues. I remember having the same discussion with a graphic artist the company I worked for hired for a project about logging into a vpn from home, these sort of notions are dangerous from a network admin point of view. Apple needs to put biometrics in every keyboard and laptop they sell if they don't want this from becoming more of a problem than it already is.

Sometimes (0)

Anonymous Coward | more than 11 years ago | (#3468052)

...you just have to let the rat get caught in the trap to learn.

Relax and get out of the way. You can't take responsibility for protecting them from themselves. Let them screw things up a few times, and once they learn from heir mistake(s), they will be your best promoters.

It sounds more like you're hurt they don't respect your input. Big deal...if they want to trash their system, make it clear you aren't responsible for the time lost when you have to come fix it later. Have them sign a waiver and go on with your life.

Live and learn (2, Insightful)

Dirty Pickle (576372) | more than 11 years ago | (#3468071)

I hate to say it, but they're going to have to get burned before they understand why they shouldn't log in as root all the time. Everyone I know has rm -rf'ed something important once, but just once.

Root is like crack (5, Funny)

Anonymous Coward | more than 11 years ago | (#3468107)

Don't smoke it. I did once and got hooked. I ran Mac OS Updates as root. Fuck, I even had sex with my girlfriend as root. Man, that caused some permissions problems. When I started the road to recovery (logging in as Zacks) my girlfriend was all like: "Fuck no! You can't get any cause you don't own me an I don't go groups. You don't have the power to read, write OR execute so get out of my FACE" So I was all HELL NO bitch. And she wuz like you do not have root (superuser) privlages so get out of my TruBlueEnvironment! So then I went chown and chmodded her ass to me. Dat be-otch be up in my hizzouse. What what. Holla!

Re:Root is like crack (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#3468492)

This was fucking hilarious! Of course, I'm stoned at the moment...

This poster's name secretly replaced with Folgers Crystal Meth

OS 9 like? Nope. (5, Insightful)

jasonwileymac.com (560445) | more than 11 years ago | (#3468112)

"...claiming it's 'more Mac-OS-9-like,' "
Nope. Not at all. OS 9 has the same level of protection for itself that OS X does, it just works a bit differently. Tell your friends to try this... In OS 9, drag your System Folder to the trash. Go on, do it. Whupps - you can't. Why? Because you don't have 'permission' to. You can only do it if you boot from a different source, like a CD or another volume. Unix does this far better than OS 9 could, but it's basically the same idea. Logging in as ROOT lets you do anything you want. Toss your kernel? SURE!!! No problem! BAD idea. I feel that if someone doesn't know why they shouldn't be root, that alone is reason enough for them NOT to be.

Re:OS 9 like? Nope. (3, Insightful)

WalterSobchak (193686) | more than 11 years ago | (#3468661)

OS 9 like, sounds like "More Mac like", and logging in as root is not.
My first Macintosh manual (for the Macintosh 512k) had the following to say about installing the "Programmer's Switch": "The Programmer's Switch is used to create an Interrupt or a Reset. If you do not know what an Interrupt or a Reset is, you do not need this switch". While people may criticize this, it has always been Apple's strategy to protect users from their own stupidity.
So really to emphasize the parent post, "If you do not know why to log in as root, don't do it." Period. Nuff said

Alex -- (And I don't even normally log into my BSD box as root)

Re:OS 9 like? Nope. (1)

Hadlock (143607) | more than 11 years ago | (#3469350)

i don't own a mac 512, nor do i plan to own one (i'd like one though). i guess its safe to tell me,

what exactly does the programmer's switch do? :-D

Original Thread (2, Informative)

owenc (255848) | more than 11 years ago | (#3468137)

There are a lot of threads at various mac forums with this topic, but a current one is here at MacNN forums [macnn.com].

MacNN forums seems to have a well deserved reputation for being full of idiots. Especially in the OS X threads.

Say hello to "Bobby" from Ventura California, who started this thread :)

Re:Original Thread (0, Flamebait)

owenc (255848) | more than 11 years ago | (#3468171)

The idea of this guy [macnn.com] logging in as root all the time makes me cackle with glee.

Re:Original Thread (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#3468217)

funniest post ever.

Here's one. (5, Informative)

Eagle7 (111475) | more than 11 years ago | (#3468138)

Let's say that you want to change the permissions of all the files in your home directory to go-rwx (which make sense). So, you type:

chmod go-rwx ~/*

But by mistake, you hit the space bar, and get:

chmod go-rwx ~ /*

By the time you realize the hard disk has churned too long, you'd just gone and wiped the permissions on /bin, /sbin, /var, etc. You're system is now screwed up to the point where it's probably faster to reinstall than change all the permissions. If you weren't root, you'd see something like this (from a Linux-PPC box):

[pts/2@tardis:/home/dmorriso @00:45] chmod go-rwx ~ /*
chmod: /bin: Operation not permitted
chmod: /boot: Operation not permitted
chmod: /dev: Operation not permitted
chmod: /etc: Operation not permitted
chmod: /home: Operation not permitted
chmod: /lib: Operation not permitted
chmod: /lost+found: Operation not permitted
chmod: /mnt: Operation not permitted
chmod: /opt: Operation not permitted
chmod: /proc: Operation not permitted
chmod: /root: Operation not permitted
chmod: /sbin: Operation not permitted
chmod: /tmp: Operation not permitted
chmod: /usr: Operation not permitted
chmod: /var: Operation not permitted
[pts/2@tardis:/home/dmorriso @00:46]

And yes, back in the day, I did make this oops and had to reinstall, because I had used su rather than sudo, and had forgotten to un-su. I started using sudo right afterwards. :)

Re:Here's one. (4, Informative)

foobar104 (206452) | more than 11 years ago | (#3468157)

chmod go-rwx ~ /*

I just want to second this. I did the same thing once, but on an SGI O2 rather than a Mac. My variation: chown -R foo / when I meant to type chown -R foo .. The dot and the slash are just too damn close together for comfort.

That was when I learned that you can't boot an SGI if files like /bin/sh and /sbin/init aren't owned by root.

And yeah, it was easier and faster to just reinstall the OS than it was to try to fix the ownerships.

Re:Here's one. (0)

Anonymous Coward | more than 11 years ago | (#3468412)

You better not have been that SGI customer in Denver that called me after doing this. It took about two hours to figure out that this was, in fact, what had happened....users these days....

Stupid /. humor (1)

andaru (535590) | more than 11 years ago | (#3469032)

  1. The dot and the slash are just too damn close together for comfort.

What's wrong with /.? :)

Re:Here's one. (0)

trollbot (542020) | more than 11 years ago | (#3468383)

Nice story, but people whologin as root to be more "OS 9-like" DON'T USE CHMOD. They probably DON'T USE TERMINAL.

But yeah, I live in perpetual fear of :
rm -f * ~

Re:Here's one. (1)

qeL3-i (577868) | more than 11 years ago | (#3468546)

How about:
rm ugly-pron. *
ARRRRRR! MY PRON! MY Beautiful PRON!

Re:Here's one. (2, Informative)

Permission Denied (551645) | more than 11 years ago | (#3468581)

rm ugly-pron. *

Dude, you're using the wrong shell:

% ls
good-pr0n1.jpg good-pr0n3.jpg good-pr0n6.jpg good-pr0n9.jpg
good-pr0n10.jpg good-pr0n4.jpg good-pr0n7.jpg ugly-pr0n1.jpg
good-pr0n2.jpg good-pr0n5.jpg good-pr0n8.jpg ugly-pr0n2.jpg
% rm ugly-pr0n *
zsh: sure you want to delete all the files in /home/pd/.pr0n [yn]? n
rm: ugly-pr0n: No such file or directory
% ls
good-pr0n1.jpg good-pr0n3.jpg good-pr0n6.jpg good-pr0n9.jpg
good-pr0n10.jpg good-pr0n4.jpg good-pr0n7.jpg ugly-pr0n1.jpg
good-pr0n2.jpg good-pr0n5.jpg good-pr0n8.jpg ugly-pr0n2.jpg

NB: this is zsh figuring out my typo, not 'rm' being annoying.

Re:Here's one. (3, Funny)

Eagle7 (111475) | more than 11 years ago | (#3468807)

NB: this is zsh figuring out my typo, not 'rm' being annoying.

You mean, that's zsh being annoying. :)

Re:Here's one. (1)

Permission Denied (551645) | more than 11 years ago | (#3468531)

How about this:

You want to change all your .emacs, .exrc, .whatever to be world-readable so everyone can see just how clever you are:

chmod -R go+r .*

Well, not so clever after all. '.*' expands to include '..' and '.' and the -R flag combines with this in a Very Bad Way. I got burned by this once (different circumstances, however, I su'ed into root to change some stuff in /tmp). This also depends on what shell you use: with bash, you're screwed, with zsh, you're OK.

Re:Here's one. (3, Informative)

tunah (530328) | more than 11 years ago | (#3468670)

Mine was worse.

I don't have rpm installed, but I found a program that was only available as rpm. So I ran rpm2targz on it and then tar xvzf. It then extracted a whole bunch of files into a new usr folder in my current working directory, as I had forgotten to cd /. I was still root. So now to get rid of the directory I tried to type:

rm -r usr/

What I actually typed was this:

rm -r /usr

Oops!

Re:Here's one. (1)

Merlin42 (148225) | more than 11 years ago | (#3469088)

I pulled something like that when I was still a linux newbie (and logging in as root regularly). I was having some trouble with a program and decided it must be a problem with one of those 'dot files' , so I figured I would be slick and delete all of them:

rm -rf .*

that should do it ...

...

why is the disk still churning ...

/me slaps forehead

.* matches ..

I have never logged in as root since, and I'm very carefull with su

Re:Here's one. (3, Informative)

Eimi Metamorphoumai (18738) | more than 11 years ago | (#3469640)

Ahhh, yes. Been there, done that. Of course, mine looked so innocent. Messing around in /proc, tried to make everything readable (to see how the proc virtual filesystem interacts with permissions). "chmod -R a+rwx *" Even made sure I was in the right place first. What I quickly (but not nearly quickly enough) learnt was that chmod -R follows symlinks, and that symlink to / made that command much less fun than it should have been. To this day, I loath commands that follow symlinks recursively (cp -r, chmod -R, I'm sure there are others), but I have gotten much better at "find -print0 | xargs -0".

You don't log in as root in macosx (4, Interesting)

Bart van der Ouderaa (32503) | more than 11 years ago | (#3468141)

For the old unix hacker it looks like you're logging in as root, but that's not really the case. At install time the system creates two users, both have the same name and the same password!

One is just a user, the other is root. In previous versions ( i haven't tested it lately) you could change the password of one but it wouldn't result in a password change of the other (which gave alot of headaches).

Now if you log in you're the normal user, and you can't do anything really dangerous. You need su (which needs to be activated, it isn't possible by default) or sudo to do something as root. Also when you're doing an install that requires root the installer will ask for a super user.

In both cases you use your own username and password (if your user is created at startup). So If somebody sneaks behind my computer when I'm gone to do something else, they can't really do anything dangerous. They would still need a password!

You can make more users if you want without any rights (that's easy), but the system works better than it looks because you don't log in as root!

You can if you want to btw. The password of root is the same as the password of the user.
It does nail down the importance of good passwords which is something that alot of macusers are new to.

Re:You don't log in as root in macosx (2, Informative)

owenc (255848) | more than 11 years ago | (#3468155)

At install there is no root user created. So by default you cannot log in as root from the gui or via su. sudo is available however to users who are set as "admin".
You can enable root through the netinfo config utility. It asks for a new root password.

Re:You don't log in as root in macosx (4, Informative)

Drakino (10965) | more than 11 years ago | (#3468275)

At install there is no root user created. So by default you cannot log in as root from the gui or via su. sudo is available however to users who are set as "admin".

You can enable root through the netinfo config utility. It asks for a new root password.


Partially correct. root is created on install just like any other Unix, and is the owner of most files on the system initially. Just who knows what the password is. Netinfo lets you set a different password, but all it is is a pretty GUI for "sudo su; passwd root".

Re:You don't log in as root in macosx (4, Insightful)

Phroggy (441) | more than 11 years ago | (#3469718)

For the old unix hacker it looks like you're logging in as root, but that's not really the case. At install time the system creates two users, both have the same name and the same password!

Um, no. This may have been true in pre-release versions, but in 10.0 and later, only your regular non-root account shows up in System Preferences. The root account doesn't have your name on it, and the encrypted password is set to "*" meaning logins are disabled altogether.

One is just a user, the other is root. In previous versions ( i haven't tested it lately) you could change the password of one but it wouldn't result in a password change of the other (which gave alot of headaches).

They are not the same account, so changing a user password will not change the root password, and vice-versa.

Now if you log in you're the normal user, and you can't do anything really dangerous. You need su (which needs to be activated, it isn't possible by default) or sudo to do something as root. Also when you're doing an install that requires root the installer will ask for a super user.

If you're an Administrator, you do have write access to the contents of /Applications and /Library, just not /System. The reason su doesn't work by default is, root doesn't have a password by default. However, any Administrator can run any command as root with sudo - for example, "sudo tcsh" will get you a root prompt.

In both cases you use your own username and password (if your user is created at startup). So If somebody sneaks behind my computer when I'm gone to do something else, they can't really do anything dangerous. They would still need a password!

If you're doing something that actually requires root privaleges, such as changing system settings or installing software, you must authenticate as an Administrator, even if you're already logged in as an Administrator. If you type "sudo tcsh", sudo will prompt you for your password. It's an excellent system.

You can make more users if you want without any rights (that's easy), but the system works better than it looks because you don't log in as root!

What?

You can if you want to btw. The password of root is the same as the password of the user.

As I said before, this is wrong. As I recall, the Public Beta set the root password to the same as the user password at install time; the final version didn't do this.

If you do want to enable root logins, there are three ways to do it:

A) open NetInfo Manager, click the padlock icon, authenticate, then go to select the Domain/Security/Enable Root User menu item

B) open NetInfo Manager, click the padlock icon, authenticate, browse to /users/root, and change the value of the passwd item to an encrypted password

C) open Terminal, type "sudo passwd", authenticate, and set a root password.

It does nail down the importance of good passwords which is something that alot of macusers are new to.

I set my system to automatically log me in at boot time, so it doesn't nail down anything.

My stupid story (1)

mfos.org (471768) | more than 11 years ago | (#3468184)

Mix root with a nice, easy to use GUI and you've got trouble. Having a CLI provides a level of protection (But still, the difference between rm -rf /tmp/somedirectory and / tmp/somedirectory may only be a space, but I hope you've got backups).

Anyways I was using the Gnome filemanager at the time and was logged in as root, and moved the /lib directory into the /usr directory. As libc couldn't be found, I was unable to run any commands, and this resulted in a reinstall, as I didn't have the skills to restore the problem.

Re:My stupid story (2)

tps12 (105590) | more than 11 years ago | (#3468755)

All you had to do was boot from a floppy or CD, mount your disk, and move the directory back. I have had to do this after toasting libc before.

Necessary for GUI users? (3, Informative)

dh003i (203189) | more than 11 years ago | (#3468207)

As a command-line user, I understand the value of not logging in as root all the time.

However, most Mac users couldn't use a command line if their life depended on it and probably don't even know that MacOSX has a command line.

The MacOSX user who's a classic mac user will probably never use the command line; if they have to rename a thousand files to add an extension or a prefix or whatever, they'll do it by hand, not by using a tcsh script.

So, the question is, how much damage can one do from the MacOSX GUI at root? I don't know. I have accounts on other ppl's MacOSX computer (namely, at my University) but have never been logged in as root.

Of course, not logging in as root doesn't only protect you from yourself. It also protects you from "trogan" install programs, which say they'll do one thing, and in fact delete the entire hard drive or something else like that.

Re:Necessary for GUI users? (0)

Anonymous Coward | more than 11 years ago | (#3468760)

Joe Mac User sees the kernel in the Finder and says, "gee, what's this? Probably some scrap file." Then he deletes it. He's root, so he can do that.

Re:Necessary for GUI users? (1)

chigaze (98602) | more than 11 years ago | (#3469693)

Actually, I'd use an applescript or a utility such as A Better Finder Rename [versiontracker.com]. The lack of a command line does not mean the lack of scripting tools for repetitive tasks.

Misconception of mac users (1)

uglyhead69 (186990) | more than 11 years ago | (#3469702)

I agree with your position that GUIs are less dangerous while root than CLIs are because GUIs execute gestures which have zero chance of a wildcard typo error. If one examines most of the other arguments presented by slashdotters for not using root, they seem to have to do with chowns, and rms gone awry. There is certainly no risk of that in a GUI.

However, I think you have a misconception of "classic" mac users. I would argure that because in order to log in as root in the first place, the user had to go out of her way to enable root in netinfo, this implies a certain level of sophistication, or a least a desire to learn the ropes and gain a greater understanding of the system. The behavior could have been motivated by doing a lot of su commands that the user viewed as tedious and hence sought an alternative. Which implies command line use.

I think the important question is WHY on earth do these users find themselves requiring superuser privleges in the first place? Its probably because they want to tweak the system, which mac users are notorious for, so they may as well resign themselves to having to re-install the system at some point.

I think the problem lies in recommending root-running to others. The argument should be presented like this:

root is there as a layer of protection, to protect you from yourself, and to protect your system from things you might download that could do bad things to your system intentionally or not.

If you run as root, you lose that protection. Take it or leave it, but if you recommend that others also abandon the protection that root provides, please provide them with the coutesy of explaining roots purspose in protecting them from themselves.

Re:Necessary for GUI users? (2)

Phroggy (441) | more than 11 years ago | (#3469735)

So, the question is, how much damage can one do from the MacOSX GUI at root?

Muck around in /System and you can render the OS unbootable.

Strike fear into their hearts! :D (1)

The Evil Beaver (175641) | more than 11 years ago | (#3468214)

Make them use Windoze for a week or two, all the while passing all relevant details of their machines to every cracker you know. They'll be begging you to never let them use root again. :)

Seriously though, a lot of the time when I'm running Linux, I'm in both using my normal account and my root account (though root is on a console and just running top). If there's danger even in that (other than killing the wrong processes), I'd love to hear about them -- better safe than sorry!

Re:Strike fear into their hearts! :D (0)

Anonymous Coward | more than 11 years ago | (#3468764)

If there's danger even in that (other than killing the wrong processes), I'd love to hear about them -- better safe than sorry!
You could unwittingly be running trojans.

Let's say you install some software. But little do you know that that software checks to see if you're root, and if it finds that you are, replaces programs like ls and echo with boobie trapped ones.

Same Q for Administrator with Windows XP Pro...? (1)

FransUNC (518475) | more than 11 years ago | (#3468251)

Are there any problems or security issues doing everything as administrator with Windows XP Professional? I'm just a personal user, and other than using client software for many internet uses, I don't server anything. And problems other than "the fact that Windows sucks" would be nice. ;)

Re:Same Q for Administrator with Windows XP Pro... (1)

the_greywolf (311406) | more than 11 years ago | (#3468534)

Administrator on Win2k and WinXP are very different from root on a *nix. Win2k and WinXP both treat Administrator as a normal user, but this normal user has certain permissions that allow them to install/remove any software, read/write any file, or even delete a system file (which Windoze quickly replaces with a fresh copy). AFAIK, Administrator doesn't pose any serious security problems unless your computer is one accessed by more than one user - like a spouse or children. create an account for each and stay logged out when away from the computer.

my only recommendation is MAKE SURE IIS IS NOT INSTALLED. script kiddies and horny teens can gain Administrator access without a password. (unless you're insane and actually want to USE it.)

Re:Same Q for Administrator with Windows XP Pro... (0)

Anonymous Coward | more than 11 years ago | (#3468781)

Administrator on Win2k and WinXP are very different from root on a *nix. Win2k and WinXP both treat Administrator as a normal user, but this normal user has certain permissions that allow them to install/remove any software, read/write any file,
Sounds like root to me. In the eyes of the kernel, root isn't much different from the other users. He just happens to have a special uid of zero, and the kernel just happens to let uid 0 do anything it wants.

Re:Same Q for Administrator with Windows XP Pro... (0)

Anonymous Coward | more than 11 years ago | (#3468556)

If a nasty IE or Outlook(or whatever) exploit ever appears, you can end up with much more damage done to your system if running as admin. If you're logged in under a normal account, only files that you have permission to can be deleted/modified (mp3s, docs .. presumably stuff you've backed up). As Admin, if the trojan/worm is nasty enough, you may need to completely reinstall OS and all your software. Think of permissions as low level, last resort anti-[virus|worm|trojan] protection.

The Mac OS X security story direct from Apple (5, Interesting)

plsuh (129598) | more than 11 years ago | (#3468446)

First, my credentials: I'm a Curriculum Developer with Apple's WorldWide Training and Communications group. I am the author of the Network Security chapter in Apple's Network Administration course. I gave a talk at the last MacWorld on Mac OS X firewalling, and I must have done something right since they asked me to do it again in July in New York. In this post, unlike most of my other postings, I am speaking in my Apple voice.

That said, Mac OS X has a root user, but root does not have a valid password on installation. The first user that is created via the setup assistant is what is known as an admin user. These are users who are members of the group "admin", a predefined group. Apple provides an API whereby a GUI application can ask for an admin user's password, and thus gain sudo-style privileges for actions such as installing software (which might need to put things in places that can only be touched by root). Also, the /Applications directory also is writable by admin users, so apps where the install is just drag and drop (such as OmniWeb or MSOffice) can also be installed by an admin user and do not require root privileges.

In addition, admin users have access to the /Library directory, which is where resources specific to a particular machine should be stored. There are four Library locations that Mac OS X searches for resources such as fonts and frameworks:
  • ~/Library - for user-specific items
  • /Network/Library - for resources made available to an entire NetInfo network
  • /Library - for resources specific to a particular machine
  • /System/Library - the base system installation; this area is in general reserved for Apple use, and most people have no need to change anything inside here.

Note that the /Library tree in general has ownership root:admin with privileges 775. This means that any admin user can add or remove resources from his or her own machine without resorting to using root directly. In fact, if you wanted to add a set of resources that would affect only a particular user (say, give only the graphic artist access to the full set of 300 fonts, and leave everyone else with just the usual system set of fonts), you could install them under the user's ~/Library directory. Because of the default search order, resources in ~/Library and /Library take precedence over those in /System/Library, so you can simply install a framework in /Library and override the OS's default behavior.

If a user were to log in as root, he or she would immediately gain write access to the /System/Library area, which contains the really sensitive bits of the operating system. As it were on the warning labels, "No user serviceable parts inside!" Logging in as root is the equivalent of unscrewing the cover of a piece of equipment with that warning label. If you know what you're doing and you're careful, you may be able to do something in there, but if you're not careful or don't know what you're doing, you are likely to get hurt. I know of several users who had the bad habit of looking at a bunch of files in their System Folders and thinking, "I don't know what this does, I can just throw it out to gain more disk space," in older versions of the Mac OS. Turning one of these guys loose as root on Mac OS X is likely to cause major headaches.

From the command line side of the house, admin users are allowed to do anything via the sudo command, which is preinstalled on Mac OS X. If you need root access, you can use sudo to do just about anything from the command line. If you really, really need a root shell, you can always do "sudo -s" and get one.

In summary: Mac OS X has the tools that you need to perform system administration tasks form either the GUI side or the command line side without needing to log in as root. Logging in as root is the equivalent of opening up a piece of machinery with the warning label, "No user serviceable parts inside", and you should not be surprised if you get hurt when you do this.

Paul Suh
psuh@apple.dontbotherspammingmeigetwaytoomuch alrea dy.com

Note: on Mac OS X Server, root is enabled by default. This is considered less of an issue since it is expected that servers will be run by people who have a better understanding of the issues involved and are more likely to be doing things that need root access, even from the GUI level.

Re:The Mac OS X security story direct from Apple (1)

Alex Thorpe (575736) | more than 11 years ago | (#3470399)

A very nice post, thank you.

I've never enabled root on my system, as I've heard a few warnings a while back, and I've never needed it. The only time I may have been tempted was when StuffIt Expander(the main archive decompressor for the Mac) was updated, and I didn't have permission to delete the old version that came with OS X. I ended up deleting it from 9.22. I do use my Admin account all the time. I tried a personal user account once to see if things would run faster, but there was no change, and a new account felt like a whole new machine to configure to my preferences.

All it takes is.... (1)

phagstrom (451510) | more than 11 years ago | (#3468489)

What if you want to clear up all the tmp files you made and you make a small typo
rm -rf / tmp
After doing something like that, you know why NOT to use root. ;-)

Re:All it takes is.... (1)

Erik K. Veland (574016) | more than 11 years ago | (#3468622)

Been there, done that.

That's all the frickin' real world example you ever need. Thank god it was on a partition. But I lost my entire MP3-collection.

Bad karma will do that to you.

Re:All it takes is.... (2)

__past__ (542467) | more than 11 years ago | (#3468706)

Do you want to say that "sudo rm -rf / tmp" is any better, or that one shouldn't try to clean /tmp? After all, you have to get root somehow to do such stuff.

The problem is, IMHO, the mere existence of root, as opposed to a more fine-grained approach - things would be much nicer if "may bind to a port <1024" wouldn't automatically imply "may rf -rf /". It's nice to see that some unixes seem to move in this direction, but, well, HURRY THE F*CK UP, developers! ;)

Something I was told. (1)

abdulla (523920) | more than 11 years ago | (#3468536)

While doing work experience at SGI, I was told of their awards that they give out every month (in the form of two movie tickets), you get one if you do something great (help the community, fix a mass bug, etc) or if you do something really stupid. Well they had a main Origin 2000 server (snort), and a couple of months prior, one of the engineers (the one looking after me, I believe he was working on XFS at the time) has accidentally done rm -rf / while logged in as root on snort, there went everyone's stuff, snort was like the workhorse and the big storage yard. This is the result of their liberal policies (once your within the building you have all access to everything inside). I still love SGI! :)

Not a new problem (3, Insightful)

Permission Denied (551645) | more than 11 years ago | (#3468563)

I knew this physics guy that bought a Linux box so he could do his Fortran numerical analysis on his own, without relying on the insanely big, fast and reliable physics servers (go figure). Smart physics guy, complete unix newbie.

I'll only tell you the anectdote salient to this article. He would, of course, only log in as root as the KDE rpm front-end wouldn't work when you're logged in as a regular user and he didn't want to figure out how to use the the command-line rpm (I don't know if currently KDE does a sudo/su-type thing using the GUI, but it didn't back then - if you ran kfm as non-root, you couldn't use the RPM front-end).

At one point he could no longer log in. Problem? / was full. He was downloading all his stuff into /root (a one gig partition) and /home (20 gig partition) was completely empty. You could log in from console, but not from XDM since XDM creates files in /tmp upon login. He had no idea how to get from XDM to another virtual console, so he was effectively locked out of his machine.

My point? Give up. Don't worry about it. They will not learn why logging in as root is bad until they get burned. Especially since you're just a forum moderator - if you were getting paid to do this and your job depended on these machines staying up, you would have every responsibility to ensure people were properly following your policies; but, as a mere guru to these people, allow them to learn in the most effective fashion: trial by error.

Re:Not a new problem (2)

JabberWokky (19442) | more than 11 years ago | (#3468702)

(I don't know if currently KDE does a sudo/su-type thing using the GUI, but it didn't back then - if you ran kfm as non-root, you couldn't use the RPM front-end).

Yes it does, and to give you an idea of how old your ancedote is, kfm was dropped in favor of Konqueror two major versions ago (since 2.x).

--
Evan

Re:Not a new problem (1)

Permission Denied (551645) | more than 11 years ago | (#3468809)

I am aware of Konqueror; the anecdote is still relevant. Even if you are now using GDM or KDM instead of XDM, those still create those authorization files and will not work if the file system is full.

Please, actually work with these people before trying to tell me how it would be so easy to convert them to unix. It's completely different in a corporate environment than the home environment (and I don't see OS X being targetted at corporate environments, so we're talking about mom and pop and their home computer here). In a corporate environment, they have you to get the machine working and install new software, etc. You try to put unix in a mom-and-pop home environment, and you'll be inundated with phone calls. You'll fix something for them (which will require root privs) and then you'll get another phone call 20 minutes later.

Try installing a mozilla build without using a command line, logged in as a regular user. Sure, you just install it to your home directory, but how many people are going to figure out that they need to change the default value in the dialog box? After you've installed it to your home directory, how do you start it up? Well, maybe it installed an icon on your KDE/GNOME desktop, maybe not. Let's assume it has. Now, what if you're in Konqueror and you want to use the "Open using Mozilla" menu option. Do you think that will work? Nope. Mozilla is not in your PATH (and that is what the latest version of Konqueror uses - it just does an execvp). Do you walk your grandmother through editing her .bashrc using emacs?

These people don't know the difference between a slash and a backslash - you'll have difficulties telling them over the telephone exactly which characters to type in, one at a time. When I say "et-see are see dot dee init dot dee" you think "/etc/rc.d/init.d" but mom-and-pop thinks "WTF?" You'll then give up, go to their physical location, enable ssh, and fix everything remotely from then on.

I have a lot of patience - I regularly deal with intelligent non-computer people (I have a real job, you see) and I've very good at explaining technical matters to non-technical people, but dealing with this audience is a completely different matter - you will become frustrated sooner or later. It's not really a matter of patience, but a matter of communication. When filesystem permissions and the simple relationship between users and groups doesn't make sense to someone, you simply don't have a common vocabulary to communicate expediently. They will log in as root no matter what you tell them. Ask yourself how many people are running Windows 2000/XP on their laptops and how many of those people bothered to create a non-Administrator account.

Re:Not a new problem (2)

JabberWokky (19442) | more than 11 years ago | (#3469001)

the anecdote is still relevant

Didn't mean to imply that it wasn't relavant. I hold that *way* too many *nix apps break when they run out of disk space. Quite often in rather spectacular, data lossly ways, or in a quiet "I'll just throw this data away without ever alerting anybody" manner. Ditto for when the filesize exceeds the filesystem limit (less of a problem now, at least in Linux, but I hated that old damn 2GB limit).

--
Evan

Re:Not a new problem (1)

Permission Denied (551645) | more than 11 years ago | (#3469060)

Cool, OK, I misunderstood you. I'd agree that lots of *nix apps die spectacularly when they run out of disk. Funny thing is, I've seen Windows and MacOS apps deal with this by popping up a dialog or something, whereas the *nix apps will dump core, at best.

Another thing I've noticed is that most good *nix programmers do indeed check for out-of-memory errors (eg, they always check return value of malloc), but their error handlers aren't all that great.

My usual way of dealing with out-of-memory is to propagate the error back up the call stack until someone really wants to deal with it. Most times, dealing with it just means printing an error and dumping core.

It may be that us *nix programmers are used to good virtual memory implementations where it's really hard to run out of memory, whereas the Windows/MacOS programmers have actually had to deal with these issues directly. Not sure.

Don't bother (1)

TheHans (155993) | more than 11 years ago | (#3468682)

When you're right in the middle of typing rm -fr /usr/something/ and you hit the enter key accidentaly hit the enter key just after the /usr/ part because you had to reach for napkins to clean up the gin and tonic that you spilled in your lap you learn that when you're root you can seriously fuck things up. Don't waste your breath--or keystrokes--on people who don't want to listen. They're bound to learn why they ought not log in as root all the time.

Re:Don't bother (0)

Anonymous Coward | more than 11 years ago | (#3468846)

I can't say I support logging in as root, but I don't think this argument holds much water. just add an

alias 'rm' rm -i

wherever, and you have the same protection. I think people need to hear better reasons than that to stop them logging in as root.

Re:Don't bother (1)

TheHans (155993) | more than 11 years ago | (#3468961)

I think you missunderstood the point I was trying to make.
I was simply saying that people will likely learn from experience that logging in as root all the time is a bad idea and because of this there's no point in arguing with them. Let them make their mistakes and they will learn from them.
Also if you're using the gnu fileutils version of rm you might wish to read the info page on rm. Aliasing rm to rm -i won't help you one bit if you type rm -fr. I don't know about other rm versions.

Re:Don't bother (2)

Van Halen (31671) | more than 11 years ago | (#3469983)

alias 'rm' rm -i

I hate it when some systems add this to the default .cshrc/bashrc/whateverc. IMO, relying on such an alias is asking for trouble. What happens if you're on another machine that doesn't have that aliased? What if the alias didn't take effect (something bad in your .cshrc caused it to stop parsing before that)? I've seen people use this alias to get into the habit of typing 'rm *' and just saying N to the files they wanted to keep. Bad idea.

The intentions are good, but I think if you're playing with fire (doing things as root), you should be forced to be absolutely careful and type everything out just as you really meant it.

Why (we) do it ;-) (0)

Anonymous Coward | more than 11 years ago | (#3468784)

I think this issues is mostly a holdover from the early DP and Public Beta versions of OS X. Without Unix knowledge, it was impossible getting things done without being root, and doing things as root caused so many permissions issues that many of us gave up and simply logged in as root all the time, just to be able to use the system. Things are *much* better now, but there are still issues that crop up making me wish that things worked more like OS 9. Mac users are used to having 100% control of their systems, OS X can be extremely frustrating to those of us who, for example, want to replace our System file with a backup copy because things are getting strange and you think corruption of the System files might be the cause.

Most of you posting here are Unix geeks, don't forget that there the Unix "way" is not, and never has been the Mac "way." Ted and MacFixit put it best (this quote is from memory):

"Any time you are *forced* to use the command-line to fix a problem (get something done?), it is a failure of the OS."

Re:Why (we) do it ;-) (1)

pudge (3605) | more than 11 years ago | (#3468911)

"Any time you are *forced* to use the command-line to fix a problem (get something done?), it is a failure of the OS."

Bah. Any GUI that can provide everything that *I* need to get done is going to be unwieldy, at best. The GUI cannot perceive of everything that I might need to do. It's simply not possible. And if you call that a failure of the OS, then the very concept of GUIs is fundamentally flawed. The GUI should be as complete as possible/reasonable, but it cannot ever cover every need of the user.

hehe did this a long time ago: (1)

yod@ (21039) | more than 11 years ago | (#3468790)

while addin a new disk ( was migrating data )..

mv /usr/lib /tmp

no command worked after that cause everythign was dynamically linked.

Aqua skin for slashdot? (2, Funny)

Space (13455) | more than 11 years ago | (#3468836)

I realize this is slightly offtopic and I can probably kiss some karma points goodbye but, did anyone else notice a modified image at the top of this page? This image [cyberscope.net] was at the top of this story.

Re:Aqua skin for slashdot? (0)

Anonymous Coward | more than 11 years ago | (#3470290)

sir, you are either a complete moron, or a troll. That 'skin' has been there since apple.slashdot.org was opened (over a month now)

No root please (1)

pvera (250260) | more than 11 years ago | (#3468862)

It comes down to good practices. When I started playing with Suse I remember how I would get kick/banned on the spot for trying to get into #linux on Undernet while logged as root. I asked them and they simply explained it was to teach me to use SU instead of a real root.

I think we all agree root itself is too dangerous to leave it on for more than a few minutes, even if you really know what you are doing. Even us windows weenies are trying to enforce this: my IT folks spent a week adding garbled (read: cannot memorize) local passwords for all our servers and for administration are using an obscure account with the proper permissions. It is impossible to guess by name that this account is a local administrator for all machines in our network.

For OS X and BSD I guess you should be able to do whatever you need without logging as root, that is what SU is used for.

#1 argument aginst being root (1)

h0tblack (575548) | more than 11 years ago | (#3468932)

user:
cd /
rm -rf *
"OMG! where have all my files gone"
reply:
"PEBKAC"

All people need to do is enable root and then su or sudo if they absolutely have to. If they can't fix any problem they are having not being logged in as root, then they should go and read some books. Hopefully some Mac users who are new to the *nix world will get some benefit from O'Reilly's new "Learning Unix for Mac OS X" book. Not that there aren't plenty of other books that should teach them the lie of the land, but I have a feeling this one will be popular as it's focussed on OS X.

Real-world anecdote... (0)

Anonymous Coward | more than 11 years ago | (#3468963)

Windows; windows 9x.

Windows 9x is always logged in as root.
Windows 9x makes it easy to mess up your computer, due to the lack of security.
Not logging in as root increases your security.

:. always logging in as root makes it easy to mess up your computer.

Who cares? (1)

gabe (6734) | more than 11 years ago | (#3469136)

MacOS has always run with the simplicity of giving the [single] user complete access to the entire system. It wasn't until they bought NeXT and started working on OSX (parts of which, like permissions, made it into OS9 to smooth the transition) that permissions were involved in the OS at all.

What does it matter if someone can wreck the entire installation? They could do it before in OS8 and lower. Why does it matter now?

Folks from a *NIX background, like a good portion of the /. readers, obviously object to this because it's not what they're used to. So, they will create their own [admin] account and play nice accordingly. Folks who are primarily from a Mac background may give up on the idea of an admin user and just set a root password and leave that account logged in all the time.

Do you really care if some random mac user wants to be able to trash their system? Do you?

my 1.5 cents (1)

bigdog79 (576132) | more than 11 years ago | (#3469211)

i've been using OSX for just over a year now, and root scares the hell out of me. Call me unadventurous, but when something says "do not touch" i damn well won't touch it until i know what i'm doing. the only time i'll mess with it is if someone's holding my hand and pointing the way (ie. there's a nice step-by-step thing in MacAddict or something). and considering the number of typos i always make, i'd be one of those people who'd delete my entire drive or start global thermonuclear war from my iMac. :p

typical (0)

Anonymous Coward | more than 11 years ago | (#3469429)

Most Mac users are always finding something about OS X to whine about. If it's not that the Chooser is gone, it's that they can't be root all the time. Honestly, is it really that hard to type in your password anytime you wish to update or make a system altering change? They have been blessed with this beautiful OS, a perfect blend of form and function, yet all I hear from Mac users is, "I hope the next release is more like OS 9." What is wrong with you people? OS 9 is antiquated. I switched to the Mac platform because I was tired of that other major OS churning out the same garbage for a decade. Troll me down but it's true, Mac users don't know how lucky they are.

It's all about functionality and user experience. (1)

fluor2 (242824) | more than 11 years ago | (#3469430)

I use an account that is an administrator-member every day on my Windows.

My uptime on this workstation is 40days and I have never been hacked (i dont run any firewalls, but a small network monitor). By the way, there exist a nice freeware portblocker at http://www.analogx.com/contents/download/network.h tm if you want to use a firewall.

Now back to topic. Why can't users use root all the time? Every time I have to do changes on my Linux box I have to use a root-user, thus I use root almost every day. It sux, and I've started using root as my primary login. Ofcoz I could do a rm -R / * or similar, but guess what? I don't care!

It's all about functionality and user experience. Security people can just "stfu" coz they just disable the most used features at your computer.

In the end you have to respect users and their need to
a) learn about the computer by doing mistakes
b) trust that the general hacker do not want to hack you unless he has a good reason
c) see in the real world how things seem to work, even if you did not protect it like a child in a baby buggy

Re:It's all about functionality and user experienc (0)

Anonymous Coward | more than 11 years ago | (#3469493)

Is typing su really all that difficult? I can agree on running windows as administrator (as long as your change the account name) but only for the simple reason that to do much of anything useful you have to log off and log back in. If I could just open the command prompt and switch to admin, I would never log in as admin again.

Why not root? (1)

sheriff_smith (575566) | more than 11 years ago | (#3469444)

I am a UNIX geek and I have used UNIX all my computer life and as such I expect a level of security with my systems. I have always built my own firewalls and reinstalled my systems when they came preinstalled. So as a UNIX geek I would never log in as root, however most sane people just want to use their computers and not worry about logins and such. Most of them have a different level of security that they want and are used to. I think more than anything this is a personal preference issue on a SINGLE user system.

root is ok (1)

mozkill (58658) | more than 11 years ago | (#3469871)

don't forget that part of the reason that people make such a big deal about logging in as root is that Linux geeks have ego. they like to think that since they always SU and SSH, they are "cooler" than the next guy, and so this Root problem gets preached a little more than it should.

on the other hand, the dangers of logging in as root are valid. personally, i log in as root all of the time because there isn't a single thing on my system that i couldn't fix if i needed to. for me, its "cool" to be challenged to fix it, so as far as i am concerned, "bring on the hackers"...

in a production environment, its obvious that perfect paranoia is the only way to go though. :-)

It's funny... (2)

gamgee5273 (410326) | more than 11 years ago | (#3470070)

Those of us who would be able to responsibly handle using root as our primary login don't.

Those of us who might not be able to responsibly handle using root as our primary login want to.

For the record, I have root enabled - but I rarely log in with it.

wrong question... (2)

teridon (139550) | more than 11 years ago | (#3470333)

The question should be, "Why do people who don't understand root access have it?"

Perhaps you should lobby the companies these people work for to have their root (or admin) access removed :)

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...