Filter
Top Products
Chapter 8 Working with Users and Groups 127
Securing the Root Account
Mac OS X Server includes a root account like other UNIX-based systems. Initially, its
password is set to that of the first administrator account. Direct root login should not
be allowed, because the logs cannot identify which administrator logged in. Instead,
accounts with administrator privileges should be used for login, and then the sudo tool
used to perform actions as root.
The computer uses a file called /etc/sudoers to determine which users have the
authority to use the sudo program, and this file initially specifies that all accounts with
administrator privileges may use sudo.
To disable root login:
1 Start the dscl tool in interactive mode, specifying the computer you are using as the
source of directory service data:
$ dscl localhost
>
2 Change the current folder to /NetInfo/root/Users by entering the path at the prompt:
> cd /NetInfo/root/Users
3 Authenticate as an administrator by entering the following command, replacing
adminusername with your administrator user name, and entering your administrator
password when prompted:
> auth
adminusername
4 The following commands disable the root login by removing the
AuthenticationAuthority property and its value, and modifying the root password
property.
> delete root AuthenticationAuthority ;ShadowHash;
> delete root AuthenticationAuthority
Any user with administrative privileges can reenable root login by entering
passwd root in a Terminal window.
Restricting Use of the sudo Tool
The list of administrators allowed to use the sudo tool should be limited to only those
administrators who require the ability to run commands as root.
To change the /etc/sudoers file:
1 Edit the /etc/sudoers file using the visudo tool, which allows for safe editing of the file.
The command must be run as root:
$ sudo visudo
2 Enter the root password when prompted.