Interop

Managing the Root Password on Your Mac

Chris Stoneff

 

At a Glance:

  • Elevating privileges on the Mac
  • Enabling the root account
  • Making the sudo command available to users Item

The basic situation on a Macintosh running OS X is not unlike Windows Vista with User Account Control (UAC) still enabled: you are stripped of your admin rights, the root or admin account is disabled, and you are prompted to elevate your rights when you do something that requires admin privileges. In Windows Vista, you probably know how to manage and use your admin account when you need it. But if you're new to the Mac, it may be not be immediately obvious.

On a Mac, in order to perform administrative functions (especially in Terminal), you need to be able to issue the sudo command, which requires authenticating. That's easy—the way Macs are configured out of the box, all you need to do is reenter your own password to provide the necessary authentication.

Too easy, some would say, because just as with Windows, it means that if your password is guessed or stolen or cracked and it provides access to your system locally or via SSH, the attacker can take over your box exactly as if you had root enabled it (root is equivalent to administrator in Windows). Even worse, if attackers initiate a shell using "sudo –s", virtually nothing will be entered into your system log.

So how do you give your Mac users the rights they need on an as-needed basis and improve security at the same time? Oddly enough, by enabling the root account.

By default, OS X has the root account disabled, which follows generic safety measures. The problem is that in this state, as noted above, a user need only retype his own credentials to obtain elevated privileges. To ensure that users cannot simply reenter their own credentials to obtain root-level (administrator) access, you need to enable the root account by giving the account "root" a password. To do this, use your Directory Utility or, from a Terminal, issue the following command:

sudo passwd root

Then follow the prompts to enter a new password (see Figure 1). Don't forget to change the password regularly.

fig1.gif

Figure 1 Creating a password for root (Click the image for a larger view)

With the root account enabled, users can no longer simply reenter their own password to obtain root-level (administrator) privileges. This allows more granularity in setting privileges because now a separate elevated account must be called in order to perform administrative functions. This account can be managed and secured independently of the normal user account by using third-party solutions to randomize and securely store the account password and provide a delegated and audited interface to obtain the password as needed.

Now that that's taken care of, you need to make sure the sudo command is available to those who need it. Keep in mind the three levels of users in OS X: users, admins, and root. By default, users can't issue sudo commands; only admins and root users can. If you don't want your users to have admin permissions, but you do want them to be able to issue sudo commands when necessary, you will need to enable sudo for the users on your OS X system. You can do this either by editing the /private/etc/sudoers file to include specific users or by uncommenting the example line in Figure 2 that starts with '%wheel' and then adding your users to the wheel group.

fig2.gif

Figure 2 Enabling sudo for specified users (Click the image for a larger view)

By following the items outlined here, you can allow the root password of your Mac systems to be managed by automated processes that would randomly generate a new password on a regular basis or following password recovery. Thus your systems can remain compliant with your company's policies as well as governance put forth by the Payment Card Industry (PCI) Data Security Standard, Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA), and others. You will also stop users and admins from being able to unthinkingly elevate their privileges by simply retyping their own password.

Chris Stoneff is a Product Manager at Lieberman Software, a security and systems management software developer. His biggest drive is not just to know how something works a certain way, but why.