Tiger, Root User, SuperUser, FileVault, and Master Password

Hi,

Can someone explain to me how Tiger works with respect to login
security and traditional Unix logins? I have a single administrator
user with filevault turned on. I have also set a master password under
Security. In terminal, passwd su gives >password for "user" response.

In checking Apple support for "root user", I get an article which
states that to enable the root user, use NetInfo under utilities. But
the Security > Enable Root User option is inactive when I do so.

Is my single administrator login the actual root user? Then why
doesn't su - > password for admin login fail due to a rejected
password? I just want to know if there exists a root user so that I
can lock it down with a password if necessary.

Help is appreciated...

Thanks!

 

Got it. I didn't figure "authenticate" was related. Thanks.

 

Giving a password to root does not "lock it down". To the contrary, by
default, a Mac OS X system has no root password, meaning _nobody_ can
log in as root. If you give it a password, then it _is_ possible to log
in as root. Using administrator authentication or sudo, it is virtually
never necessary to use root.

 

Of course, you will have to remove those non-priv users from the sudoers
list in some manner, otherwise you haven't changed a thing. Well,
you've added a super-user account that anyone who gets/steals/guesses
the password can use, carte blanche, without any auditing.

For me, it is perfectly reasonable that "mere" Admin users also be given
the ability to sudo to root when necessary. If you tightly control who
is an Admin and you do not have a proper root login, then you tightly
control who can act as root.

The comment above is absolutely correct: simply giving root a password
does not add security. In fact, it reduces security. Think of it as a
master key. Instead of having a single key that opens all doors, why
not have a few keys distributed to people that open some doors.
Furthermore, some doors are audited so we know when someone used their
key to access them.

 

But don't. The root user is disabled when you install Mac OS X and you
should leave it like that. Enabling the root user is a security risk.

No. It's just a mundane user who is a member of the 'admin' group.

Because 'su' doesn't respond to just the root user.

By the way, for Mac OS, the 'sudo' command is considered more appropriate
than 'su'. 'su' will still work but presents security risks and can lead
to accidentally using a command as root when you didn't intend to.

I already answered this but it's nice to see you're asking the right
questions.

Simon.

 

It's not nonsense. Re-read my comments. I'm refuting that enabling the
root account adds security for most people. This /is/ nonsense. I
disagree with the idea that the Administrative users on OS X are "mere"
users. For most people who will have, at most, a handful of accounts it
makes total sense to leave the damn knobs alone and stay will the
defaults. If you are the only Admin on your box, how does adding a root
login and taking away those sudoer privs change anything? It is still
only a password. Exchanging one password for another does nothing for
security.

Better to have a good password that you use everyday as the passkey to
those rooms you need access to. Change this password regularly as part
of a sensible routine and you are being as secure as simple
authentication can let you be.

It is an established fact that the less time one stays logged in as root
means fewer catastrophic user error.

Of course. Mine is often renamed to "help" because that is how I
learned to do it.

But we are talking about OS X here, and default settings for most home
users. Having an "Admin" be able to sudo in is Good Enough. Having the
primary user of that box be the only Admin is reasonably good practice.
sudo is your friend. Use it.

I don't even know what you are arguing about anymore. If you are
talking about a true multi-user environment then you restrict sudoers a
lot and keep root absolutely secret except for the Chosen Few. Fine.
However, in the context of this thread (namely, activating the root
account on a single OS X box that will have a handful of users, few of
them ever logged in at the same time) then simply activating root,
*especially* without restricting sudoers, is just adding yet another
hole to the system.

Adding another password does not add security. Putting secure checks
and balances around who has these passwords does.

 

Thanks for the comments guys. In a somewhat-related question, if the
root user is not enabled, then the OS X install disc cannot be used to
reset the root password and login to the system with full access
privilages, Filevault or not. Correct?

If correct, then that would be a very good reason to leave the root
login disabled.

 

No, not quite. You can always use the install disk to reset the password
for any user account, but this will not get you around Filevault.

The mere fact that assigning a root password opens up a security hole is
reason enough.

 

I am not comparing apples and oranges. I am merely stating that the act
of assigning a root password makes a Mac OS X system less secure than it
was without a root password.

You are quite confused if you think I am going to reopen this discussion
with you.

 

Mu. The installation disk isn't used to reset the root password.
You can use it to reset any password. No part of Apple's software
for OS X Client depends on the root password. Enabling or
disabling the root account makes no difference to this procedure.

There is a way to disable the use of the installation disk: set an
Open Firmware password. Doing so prevents the user from starting
up the computer from anything except the already-nominated boot
drive. Since the Open Firmware password isn't stored on a hard
disk it can't be cracked by reading the hard disk. However, if
your cracker can take a screwdriver to the box it's possible to
defeat the Open Firmware password too.

Among security professions it's recognised that physical
possession of the box is an end to all security measures that can
be taken by the operating system. Once your cracker has the box
in his hands he can clone the hard drive, take it back to his
junkfood-carton- and porn-strewn crackhouse (or, equally likely,
to FBI headquarters) and spend however long he wants cracking any
passwords or encryption systems you're using.

There are many other reasons why having a root account enabled is
a bad idea. Mostly, that if someone manages to remotely compromise
your box they can't immediately attack the root account to get
admin privileges on your box.

Simon.