Welcome to the MacNN Forums.

root access
Fresh-Faced Recruit
Join Date: Nov 2005
Nov 3, 2006, 03:24 PM
 
ok, I'm not the smartest bean on the planet but..

I have a little G4 (450, osx 10.4.7, static IP with personal web sharing enabled) workstation at work that I use as a 'pet server', meaning implement here before bringing it to realworld service on a different server.

Well for some reason, even though I am the administrator of this particular machine, I forgot the password for 'root'. So now that I'm at home to finish off my shift and wanted to try something requiring root access, I couldn't do it via the terminal [su and then password] (sorry). So I figured, what the heck, sudo reboot and then the password I thought it to be and it booted... Hmm. sudo apachectl stop, password, worked. Hmmmmmm. So again I figured, and while SSH'd in to the remote machine again (via terminal), I decided to try passwrd root and to my surprise I was able to change the root password.

I understand that having physical access to the machine has its letdowns on any system and/or server but I'm thinking that if all I need is an autologin enabled mac with OSX or even the administrator info, then who cares about the Installer CD or if I have any login info that is so-called 'administrator level', I (or someone) could really do some really funky (if not compromising or damaging) stuff.

Is this old news, old story, or repetitive topic from the past archives?
Is there a fix for this?
     
Mac Elite
Join Date: Nov 2001
Nov 3, 2006, 03:54 PM
 
By default, the "root" password (though you cannot log in as root from login window as root) is the same as the first administrator's password. So if you do sudo <command> and give your admin password, then it will execute the command as root.

By default, you cannot su to root, as in:
su root
or
su -

You can do sudo -s though to get a root *shell*. This is different in very subtle ways than being root.

Anyway, you've sorta opened a back door, by doing
sudo passwd root

This will actually enable the root account, so you could now log in from login window as root. This is less secure as well, because someone could ssh to your machine remotely, and try to login as root, and if they guess your root password, they get root access. Normally they have to guess your short name, as well as the password, and *then* also guess the root password.

At any rate, if you want to turn off root, then go into NetInfo manager, and do so. In fact because what you did from the CLI may get things out of sync, you may need to first enable the root account, and *then* deactivate it.

Oh, and don't do 'sudo passwd root' again :-)
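
The post above notes that an enabled root account can be targeted by password guessing over ssh. As an added example that is not part of the original post, the script below reads an sshd_config and reports whether sshd would accept a root password login at all. The sshd_config file and its PermitRootLogin keyword are not mentioned in the thread, and the "yes" fallback for an unset keyword is an assumption that depends on the OpenSSH version.

```shell
#!/bin/sh
# Added example (not from the thread): how exposed is root over ssh?

# effective_root_login FILE [DEFAULT]
# Prints the PermitRootLogin value sshd would apply globally.
#  - keywords are case-insensitive and the first occurrence wins
#  - settings after a "Match" line are conditional, so scanning stops there
#  - DEFAULT (assumption: "yes", the older OpenSSH default) is used if unset
effective_root_login() {
    awk -v def="${2:-yes}" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # skip comments and blank lines
        { kw = tolower($1) }
        kw == "match" { exit }              # global section ends here
        kw == "permitrootlogin" { val = tolower($2); exit }
        END { print (val == "" ? def : val) }
    ' "$1"
}

# root_ssh_verdict FILE [DEFAULT]
# Turns the value into a statement about password guessing against root.
root_ssh_verdict() {
    case "$(effective_root_login "$@")" in
        yes) echo "EXPOSED: root password is guessable over ssh once root is enabled" ;;
        no)  echo "OK: root cannot log in over ssh" ;;
        without-password|prohibit-password|forced-commands-only)
             echo "OK: root over ssh needs a key, not a password" ;;
        *)   echo "UNKNOWN: check the value by hand" ;;
    esac
}

# Constructed sample config, not taken from any real machine.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# sshd_config (constructed sample)
Port 22
#PermitRootLogin yes
permitrootlogin no
PermitRootLogin yes
EOF
root_ssh_verdict "$sample"
rm -f "$sample"
```
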
     
Raccoon  (op)
Fresh-Faced Recruit
Join Date: Nov 2005
Nov 3, 2006, 04:23 PM
 
Originally Posted by CatOne View Post
By default, the "root" password (though you cannot log in as root from login window as root) is the same as the first administrator's password. So if you do sudo <command> and give your admin password, then it will execute the command as root.

By default, you cannot su to root, as in:
su root
or
su -

You can do sudo -s though to get a root *shell*. This is different in very subtle ways than being root.

Anyway, you've sorta opened a back door, by doing
sudo passwd root

This will actually enable the root account, so you could now log in from login window as root. This is less secure as well, because someone could ssh to your machine remotely, and try to login as root, and if they guess your root password, they get root access. Normally they have to guess your short name, as well as the password, and *then* also guess the root password.

At any rate, if you want to turn off root, then go into NetInfo manager, and do so. In fact because what you did from the CLI may get things out of sync, you may need to first enable the root account, and *then* deactivate it.

Oh, and don't do 'sudo passwd root' again :-)
Actually I can; usershortname~: su
usershortname~: su -
and get the sorry reply in terminal after being prompted and then entering the PW
shortname~: sudo command (like apachectl stop/start/reboot/shutdown works fine) using the password that I thought it to be.

but from the administrator level at the same time, not being able pico the apache.conf file and save changes with same PW as mentioned above does not work [yes I can pico it, just can't save changes until now as I mentioned in my first post].

just try it on your own machine. it's messed up IMHO
so in the mean time, I'll just disable root till I need it again. Thank you for that info
     
Raccoon  (op)
Fresh-Faced Recruit
Join Date: Nov 2005
Nov 3, 2006, 04:29 PM
 
forgot one thing, I didn't sudo passwrd root. I simply and wasn't logged in as root as obviously posted above, I opened the terminal and simply typed in passwrd root
This obviously occurred while logged in as the administrator while the administrator password didn't match the root's.
     
Professional Poster
Join Date: Jun 2001
Location: Northwest Ohio
Nov 3, 2006, 09:07 PM
 
Originally Posted by CatOne View Post
By default, the "root" password (though you cannot log in as root from login window as root) is the same as the first administrator's password. So if you do sudo <command> and give your admin password, then it will execute the command as root.
Wrong, and wrong.

By default, there is NO password for root. It is not set to be the same as the first administrator's password. The password is empty, which effectively disables root. You can log in to the GUI as root, if the root account is enabled, because the login panel either displays an "other" selection you can choose, where you can enter root as the user name and then the password to log in.

By default, you cannot su to root, as in:
su root
or
su -

You can do sudo -s though to get a root *shell*. This is different in very subtle ways than being root.

Anyway, you've sorta opened a back door, by doing
sudo passwd root

This will actually enable the root account, so you could now log in from login window as root. This is less secure as well, because someone could ssh to your machine remotely, and try to login as root, and if they guess your root password, they get root access. Normally they have to guess your short name, as well as the password, and *then* also guess the root password.

At any rate, if you want to turn off root, then go into NetInfo manager, and do so. In fact because what you did from the CLI may get things out of sync, you may need to first enable the root account, and *then* deactivate it.

Oh, and don't do 'sudo passwd root' again :-)
The rest is accurate.
     
Raccoon  (op)
Fresh-Faced Recruit
Join Date: Nov 2005
Nov 3, 2006, 11:06 PM
 
uhg....


By default in the terminal window I can in fact:

su root
enter PW
and all is root#

I can also su -
enter PW
and all is root#

This should not be confused with the login window of the GUI when starting up an OSX enabled Mac where we may be horribly faced with using the mouse to hover over the username and clicking on a username with the photograph of some butterfly or eight ball and then entering a PW, or whereby entering other if you can and then the name root and going from there.

What I am saying from a non-nerd view is that I was able, and you can try this too, to ssh into an OSX machine and simply type "passwrd root" and follow the stupid directions and then obtain a password that differs from the first administrator or any for that matter for your own needs. That this is a problem that needs addressing.
     
   