[blackbird_1.0]

is there an easy way to retireve my osx root password, i can't seem to recall it and i really need it to install some software

[Brass]

No there is no way. The passwords are not stored anywhere. Only a non-reversible encryption of the password is stored.

Anyway, no software should require the root password. You should only need an administrator account. Even for command-line installations you can use your administrator account to "sudo -s" switch to the root user.

Actually, why don't you "sudo -s" to the root user, and then change the root password?

[Art Vandelay]

You can also reset any password using the Password Reset utility while booted from an OS X Install CD.

[blackbird_1.0]

how do I sudo -s to root and change password?

see i've tried installing this software but it says i don't have access priveleges and gives me error 5000s

sometime i have to switch to admin or root to install software b/c it doesn't give the option to enter my admin/root password, it just says i lack priveleges

i've already repaired priveleges earlier

[proton]

Originally posted by blackbird_1.0:
how do I sudo -s to root and change password?

see i've tried installing this software but it says i don't have access priveleges and gives me error 5000s

sometime i have to switch to admin or root to install software b/c it doesn't give the option to enter my admin/root password, it just says i lack priveleges

i've already repaired priveleges earlier

Open up Terminal and run:

sudo -s
Enter you login password when prompted.

A root shell should now appear. Run:
passwd
This will allow you to change root's password.

All done.

- proton

[Cipher13]

sudo passwd root

Enter admin pass, enter new root, confirm, done. Unless you lack admin privs...

[gatorparrots]

Originally posted by Cipher13:
Unless you lack admin privs...

If you lack admin privileges, you can always do this in single user mode:

Code:
mount -uw /
nicl -raw /var/db/netinfo/local.nidb -append /groups/admin users <username>
reboot

[coolmacdude]

Originally posted by gatorparrots:
If you lack admin privileges, you can always do this in single user mode:

Code:
mount -uw /
nicl -raw /var/db/netinfo/local.nidb -append /groups/admin users <username>
reboot

Are you serious? So you are saying any user can just make themselves an admin if they want to? That is a serious security hole if its true.

[Cipher13]

Originally posted by gatorparrots:
If you lack admin privileges, you can always do this in single user mode:

Code:
mount -uw /
nicl -raw /var/db/netinfo/local.nidb -append /groups/admin users <username>
reboot

Yep, or for something more quick and dirty, after single user boot:

mount -uw /
passwd root

Originally posted by coolmacdude:
Are you serious? So you are saying any user can just make themselves an admin if they want to? That is a serious security hole if its true.

Yeah, but only if you're local. If you have physical access, theres nothing you can do to protect your machine, so... it isn't that big a deal. More of a safety net for oneself... single user mode can be disabled (unsupported, not recommended).

[coolmacdude]

Originally posted by Cipher13:
Yeah, but only if you're local. If you have physical access, theres nothing you can do to protect your machine, so... it isn't that big a deal.

Many people work in multiuser environments where the sysadmins would definitely not want just any user to gain admin privileges.

[parsec_kadets]

As the saying goes, physical access is root access. I mean, on PCs you can just stick in a floppy disk and reboot. Given the right stuff on that floppy you can do just about anything.

[Angus_D]

Turn on an open firmware password and you can't boot into single user mode.

[utidjian]

Originally posted by coolmacdude:
Many people work in multiuser environments where the sysadmins would definitely not want just any user to gain admin privileges.

I work in one of those environments (college computing labs). We use Open Firmware Password: http://www.apple.com/downloads/macos...epassword.html

This CAN be defeated by opening the case and fiddling with the system RAM or temporarily removing the NVRAM battery. But that is why we also lock the cases for more "physical" protection. All Apples, for the longest time, have a builtin method for simply locking the case... with the exception of powerbooks. Even the iMac can be locked.

See also: http://a368.g.akamai.net/7/368/51/ed...ecurity_TB.pdf

It seems that there is an "urban legend" (or whatever) that once someone has physical access to the Mac that there is no more security. While this is essentially true of Mac OS prior to Jaguar it is not true now. While physical access to the machine certainly increases the possibility of someone getting admin priveleges... there is still plenty one can do to minimize the risk. Apple is well aware of the problem and has done, at least, something to deal with it. Perhaps, someday, they will enable OFP by default.

[Cadaver]

Originally posted by blackbird_1.0:
see i've tried installing this software but it says i don't have access priveleges and gives me error 5000s

sometime i have to switch to admin or root to install software b/c it doesn't give the option to enter my admin/root password, it just says i lack priveleges

i've already repaired priveleges earlier

Sounds like you are using an account that does not have admin privileges. Ether that or you've been screwing around in root too often and have FUBARed your machine.

You should never need root access to install software; standard administrator should be enough. And you should not use root like you use any other account.

[Person Man]

Originally posted by utidjian:
Perhaps, someday, they will enable OFP by default.

This will never happen... the majority of home users do not need it, and it would just be another obstacle for them.

If you need it, it's trivial to enable it.

[jasong]

Are you serious? So you are saying any user can just make themselves an admin if they want to? That is a serious security hole if its true.

I love how every time someone hears this, they freak out like they discovered some unknown massive security flaw. As everyone here has said, if someone has physical access to your computer, then nothing is secure. This is true for every operating system out there, and it will never change.

-- Jason

[coolmacdude]

Originally posted by jasong:
I love how every time someone hears this, they freak out like they discovered some unknown massive security flaw. As everyone here has said, if someone has physical access to your computer, then nothing is secure. This is true for every operating system out there, and it will never change.

I understand that if you have physical access you can do whatever you want. However, the whole reason for having passwords/user accounts is that it is supposed to secure your computer from someone casually walking buy and looking at your data. Using this, anyone could just walk up and have root access in two minutes. They could leave just as quickly leaving no evidence that they accessed your system. I find that a little disconcerting.

[coolmacdude]

-

[VValdo]

Originally posted by coolmacdude:
I understand that if you have physical access you can do whatever you want. However, the whole reason for having passwords/user accounts is that it is supposed to secure your computer from someone casually walking buy and looking at your data. Using this, anyone could just walk up and have root access in two minutes. They could leave just as quickly leaving no evidence that they accessed your system. I find that a little disconcerting.

Not really. The real point of having passwords is to control access to files from the network.

If you want to stop someone who's "casually" walking by from looking at your data, you can use a number of techniques (log out of your account, use a screensaver w/password, etc.).

But there are different levels of "casual". Someone who has physical access to your computer can do stuff like take out the hard drive and mount it on another machine, boot off a CD-ROM, boot into single-user mode, run Crack or another password dictionary cracker, reset PRAM, etc. Then there are ways to read information directly off the hard drive platter, even traces of stuff that's been deleted several times over. Those "information retrieval" services you can find advertised specialize in that kind of stuff. The government's information forensics labs do it too.

If you're trying to protect against someone who's taking your computer home to try to gain access, well, forget it. Putting a password on the Open Firmware will make the single-user-login techniques discussed above more difficult, but c'mon, if they actually have your computer in their hands, you're probably screwed. At that point, you have to rely on heavy encryption to keep them from getting to the data. And even then, if someone like the National Security Agency wants to decrypt it, they probably will be able to.

The point of all these passwords are not really to stop a determined person with access to your physical computer, it's to stop people from accessing your information remotely over a network.

One last thought-- if you or your users have an easy-to-guess password on your computer, all bets are off. This is probably the biggest security hole of them all. Make sure that your password is not an easily guessed one-- no words that would appear in any dictionary, no last names, no phone numbers, street names, or pet names. Try to use a combination of letters and numbers, etc.

If your admin password is the same as your account name, or the words "sex", "secret", "password", or "apple", change it immediately.

W

[Arkham_c]

I did a GUI port of John The Ripper, a password cracking utility, for OSX. You can get it here:

http://software.theresistance.net/

[coolmacdude]

Nice, although the default JTR settings are useless for all but the most weak passwords. It would be more helpful if you could specify a custom dictionary or use some of the varied options in the command line version.

[coolmacdude]

Originally posted by VValdo:
If you want to stop someone who's "casually" walking by from looking at your data, you can use a number of techniques (log out of your account, use a screensaver w/password, etc.).

That's my point. These will not protect you one bit. Using that single user mode hack, anyone can create an admin account in about one minute.

[piracy]

Originally posted by coolmacdude:
Are you serious? So you are saying any user can just make themselves an admin if they want to? That is a serious security hole if its true.

When you have PHYSICAL ACCESS to the machine, all bets are off. In fact, there are several ways to gain ROOT ACCESS to a machine running Mac OS X 10.2.x:

1. Boot into single user mode and do any number of things

2. Use the Password Reset function of the Mac OS X Install CD to change ANY users password, including any admin user, or the root user

3. Boot from a FireWire drive

4. Etc etc etc

This is *****NOT***** a "serious security hole". Whenever there is physical access, there is implicit root access.

If you want to protect against casual users gaining access, you set an Open Firmware password. This prevents things like booting from other (e.g. external) startup disks, booting to single user mode, booting from CD, booting in target disk mode, etc.; in other words, all the casual ways via which someone might be able to obtain elevated privileges.

But you can even defeat Open Firmware password: the Open Firmware password can be removed by changing the physical amount of RAM in the machine and zapping the PRAM 3 times.

So you lock the case.

But the lock can be cut.

The machine can be stolen.

It can be set on freaking fire, for Christ's sake.

ALL BETS ARE OFF WITH **ALL** COMPUTERS RUNNING **ALL** OSes WHEN YOU HAVE PHYSICAL ACCESS.

It is **NOT** a major security hole, oversight, or anything else. You decide what level of protection you give, but when there is physical access, a certain amount of "ownership" is implied. The only way to truly protect data is to encrypt it with strong encryption (e.g. FileVault, 128-bit FEE, etc.).

[piracy]

Originally posted by coolmacdude:
That's my point. These will not protect you one bit. Using that single user mode hack, anyone can create an admin account in about one minute.

That's not a "hack". You can be root on any Solaris, AIX, or Linux box too JUST BY WALKING UP TO IT (for the most part; other posters, please, let's not get into a semantic technical argument on the exact methods needed to become root on other systems. Suffice it to say it's just as easy).

WHEN YOU HAVE PHYSICAL ACCESS, YOU ARE ROOT.

YES, anyone can become root in less than a minute - even without single user mode or any command line "hacks", as you call them, just by booting from ANY Mac OS X Install CD. Select "Reset Password" from the Installer menu and Voila, set any admin user's, or root's, password to anything you wish. That's why you use an Open Firmware password, to prevent people from doing things like booting from CDs, booting into single user mode, etc.

But, as I said, even that can be defeated, if someone has physical access to the machine. So you use physical security to prevent that, such as locks - but that, too, can be defeated. In fact, the entire machine can be taken and the contents of the disk read by any variety of methods.

In sum, what you are saying is like saying that it's a "serious security hole" that any Mac is light enough to be lifted by a human being - after all, any person could just walk right by, lift it with their bare hands, and walk away with it!

Welcome to the world of data security principles (i.e. encryption) and physical access to machines.

[Squiggle]

Hi all. I have forgotten my root password, and every method i try gives me the same problem - when im asked to enter a password (new), it will not let me type any characters. Whats going on? Any help would be appreciated
Thanks in advance

[Ganesha]

Originally posted by piracy:

In sum, what you are saying is like saying that it's a "serious security hole" that any Mac is light enough to be lifted by a human being - after all, any person could just walk right by, lift it with their bare hands, and walk away with it!

So is that why the G5 weighs so much?

[Chuckit]

Originally posted by Squiggle:
Hi all. I have forgotten my root password, and every method i try gives me the same problem - when im asked to enter a password (new), it will not let me type any characters. Whats going on?

The passwd command does not show the characters you type so that other people can't read them. It's still reading them.

[turtle777]

Originally posted by Angus_D:
Turn on an open firmware password and you can't boot into single user mode.

Yes, but even that is not ultimately safe.

There are ways around it, once someone has physical access to the machine...

-t

edit: when you read the whole thread, the posts will explain in detail...

[Cadaver]

Use the OF password (prevents single-user mode, target disk mode and booting from CD via "C" key) and put a padlock on the case. This makes rooting the machine while seated at it very difficult. Can't boot from CD to reset the password, can't boot to single-user mode, and can't open the machine to void the OF password.

On my PC at the office, I've done something similar. Padlocked the case, enabled the BIOS password and disabled booting from anything but the main HD.

[turtle777]

Originally posted by Cadaver:
Use the OF password (prevents single-user mode, target disk mode and booting from CD via "C" key) and put a padlock on the case. This makes rooting the machine while seated at it very difficult. Can't boot from CD to reset the password, can't boot to single-user mode, and can't open the machine to void the OF password.

On my PC at the office, I've done something similar. Padlocked the case, enabled the BIOS password and disabled booting from anything but the main HD.

How does the padlock keep me from resetting the OF password ?
(Read the whole thread to find out how).

-t