Even if you are the only human user of the system, there are well over a dozen accounts on the system. Most of these user accounts are not intended for use by you or any user on the system but are set up for use by various services and programs on the system. These nonhuman accounts let applications, such as the Apache web server and the Postfix mail server, run in a controlled environment so if they are breached by a hacker, the potential damage is limited. Table 6-1 lists some of the nonhuman users that are defined on the system.
Table 6-1. Some of Mac OS X’s nonhuman users

Username | User ID | Description |
---|---|---|
 |  | The administrative user |
 |  | Core system daemons |
 |  | Printing service |
 |  | The Postfix SMTP server |
 |  | The Apache web server |
 |  | A user with greatly restricted access |

Many of the nonhuman users, such as cyrusimap and qtss, aren’t used on the average person’s system but instead are defined for use on Mac OS X Server. Others, such as postfix and www, are used only when you run the Postfix mail server or the Apache web server. Under most conditions, you’ll notice only processes owned by either your own ID or by the root user when viewing processes in the Activity Monitor or with the ps command.
As in all Unix systems, Mac OS X has a special user, named root, that is not subject to the control of the permissions structure. The root user, sometimes called the superuser, can modify any part of the filesystem as well as execute any program. It can also stop the execution of any running program on the system.
The root user is a dangerous one. Some commands executed as root, such as rm -rf /, can immediately disable a system; you really have to think about what you are doing with every command you issue using root. To help prevent mishaps, Mac OS X is configured by default to allow access to the root user only through the sudo (superuser do) program. To use this program, you must be an administrative user, and simply preface the command you want to enter with sudo. Example 6-3 shows how to use sudo to print out some of the contents of secure.log, a file that is visible only to the root user and that contains the records of the various actions of Mac OS X’s security systems.
Example 6-3. Using sudo
$ sudo tail /var/log/secure.log
Password:********
Jun 11 14:04:42 ronin SecurityAgent[447]: Showing Login Window
Jun 11 14:04:46 ronin SecurityAgent[447]: User Authenticated: continue login process
Jun 11 14:04:46 ronin com.apple.SecurityServer: authinternal authenticated user jldera (uid 501).
Because sudo keeps an internal timer, you can execute multiple commands without typing your password each time. It also logs each use in /var/log/system.log, so you can go back and see a list of commands that were executed (a procedure covered in Chapter 12). This is handy when you have multiple users with administrative privileges on a system.
If you prefer to live a bit more dangerously, you can get a shell as the root user by issuing the following command:
$ sudo -s
Password:********
#
The prompt changes to #, indicating that every command typed will be run as the root user.
Even though it takes more work, you should avoid opening root shells using the sudo command. By doing so, you are less likely to make a horrific mistake and hose your system. If you do make a mistake, each command will still be logged, allowing you to figure out what went wrong.
Some people really want to be able to log into their system as root. For some reason, having administrative privileges and the ability to execute any command using sudo isn’t enough. If you are one of these people, you can enable the root user so that you can log in either to the GUI or the command line and have unfettered and unmonitored access to your system. I don’t recommend that you do this, but if you insist, here’s how:
1. Launch NetInfo Manager (/Applications/Utilities).
2. Authenticate yourself using the Security → Authenticate... menu.
3. Enable the root user using the Security → Enable Root User menu.
4. Give the root user a password, one that is as secure as any password you would give an admin user of the system.
If you follow this procedure, you will have a fully functional root user. You can even log out of your system and log in as the root user. Remember: you should stick to using sudo instead of using the root user.
If you want to enable the root user from the command line, you can do so by executing the following command:
$ sudo passwd root
After setting the password, the root user account is active.
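As an added example (not from the book), the following Python sketch reviews the sudo entries that the text says are written to /var/log/system.log, listing each user's commands and flagging refused requests, root shells, and the passwd root command that enables the root account. The log lines are constructed samples in sudo's standard syslog format; the review function, the finding labels, and the shell list are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample lines in sudo's syslog format (not from a real system).
SAMPLE_LOG = """\
Jun 11 14:10:02 ronin sudo:   jldera : TTY=ttyp1 ; PWD=/Users/jldera ; USER=root ; COMMAND=/usr/bin/tail /var/log/secure.log
Jun 11 14:12:40 ronin sudo:   jldera : TTY=ttyp1 ; PWD=/Users/jldera ; USER=root ; COMMAND=/bin/bash
Jun 11 14:15:09 ronin sudo:    guest : user NOT in sudoers ; TTY=ttyp2 ; PWD=/Users/guest ; USER=root ; COMMAND=/bin/ls /var/root
Jun 11 14:20:31 ronin sudo:    admin : TTY=ttyp3 ; PWD=/Users/admin ; USER=root ; COMMAND=/usr/bin/passwd root
Jun 11 14:21:00 ronin SecurityAgent[447]: Showing Login Window
"""

# One sudo record: invoking user, optional refusal reason, target user, command.
ENTRY = re.compile(
    r"^(?P<time>\w{3}\s+\d+ [\d:]{8}) \S+ sudo(?:\[\d+\])?:\s+(?P<user>\S+) : "
    r"(?:(?P<error>[^;=]+) ; )?TTY=\S+ ; PWD=.*? ; USER=(?P<target>\S+) ; "
    r"COMMAND=(?P<command>.+)$"
)
# Assumption: sudo -s is logged as the bare path of the user's shell.
SHELLS = {"/bin/sh", "/bin/bash", "/bin/csh", "/bin/tcsh", "/bin/zsh"}


def review(log_text):
    """Return (commands run per user, findings) for sudo lines in log_text."""
    commands, findings = defaultdict(list), []
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # not a sudo command record
        when, user, cmd = m["time"], m["user"], m["command"].strip()
        if m["error"]:  # sudo refused the request; the command did not run
            findings.append((when, user, "denied: " + m["error"].strip(), cmd))
            continue
        commands[user].append(cmd)
        argv = cmd.split()
        if m["target"] == "root" and argv == [argv[0]] and argv[0] in SHELLS:
            findings.append((when, user, "root shell opened", cmd))
        elif argv[0].endswith("/passwd") and argv[1:] == ["root"]:
            findings.append((when, user, "root password set", cmd))
    return dict(commands), findings


if __name__ == "__main__":
    per_user, findings = review(SAMPLE_LOG)
    for user, cmds in per_user.items():
        print(user, cmds)
    for finding in findings:
        print("FLAG", *finding)
```

Commands typed inside a root shell do not pass through sudo, so the shell-opened entry is the last record this review will see for that session.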