On a UNIX system, there are two types of users: those with root privileges and those without. By going root, you have full access to every aspect of a UNIX system and can roam the system at will, installing software in privileged locations, updating system configuration files, and deleting any file you wish. Basically, you are free to make the system hum along—but you can easily bring it to its knees with a misplaced command.
Apple recognized that a middle ground exists between user and root privileges, so it introduced new administrator privileges. Users with administrator privileges have all the rights of a normal user but can also install new programs, create directories outside the home directory, and add new users to the system. However, you can’t do some things with administrator privileges, such as manipulate the System Folder, view the contents of another user’s directory, or edit many system configuration files. For these operations, you still need root access.
Figure 2.4 Mac OS X applications include online help through Apple Help Viewer.
Because Mac OS X is first a consumer operating system, Apple naturally discourages users from obtaining root access; toward this end, the root account is disabled, to protect inexperienced users from clobbering their system. However, if you plan to do any work that involves tuning the system, configuring system services, or general hacking, root is a must.
2.4.1 Creating user accounts
You create user accounts from the System Preferences application (available from the Dock or within /Applications), using the Users pane (see figure 2.5). When you create a user, you can assign normal privileges or administrator privileges, but not root. There are two primary ways to permit root privileges under Mac OS X: by using the sudo (“soo-doo”) command and by directly enabling the root account.
The sudo command
The sudo command lets a user execute a command as root. Only certain users can use this command, and only certain commands can be run; these are defined as configuration parameters and stored in /etc/sudoers. Mac OS X installs the sudo program as part of the default load and permits users with administrator privileges to use the command.
Figure 2.5 You add users to the system and assign administrator privileges using the System Preferences program’s Users pane.
You can use the command two ways. First, you can add the prefix sudo to the command you wish to run as root. The following example shows the result of a command run first as a regular user and then as root, using the sudo command:
% more /etc/master.passwd
/etc/master.passwd: Permission denied
% sudo more /etc/master.passwd
Password:
##
# User Database
#
# Note that this file is consulted when the system is running
# in single-user mode. At other times this information is handled
# by lookupd. By default, lookupd gets information from NetInfo,
# so this file will not be consulted
# unless you have changed lookupd's configuration.
##
nobody:*:-2:-2::0:0:Unprivileged User:/dev/null:/dev/null
root:*:0:0::0:0:System Administrator:/var/root:/bin/tcsh
daemon:*:1:1::0:0:System Services:/var/root:/dev/null
unknown:*:99:99::0:0:Unknown User:/dev/null:/dev/null
www:*:70:70::0:0:World Wide Web Server:/Library/WebServer:/dev/null
(In the preceding example, type your password at the password prompt.) This method enables you to run a command as root for a defined interval (usually five minutes) without retyping your password.
Second, to enable root access indefinitely, use sudo with the -s option and enter your password at the password prompt:
% sudo -s
Password:
Commands now run as root. Typing exit ends the session.
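Because /etc/sudoers decides which users may run which commands as root, it is worth checking who holds unrestricted access. The following script is an added example, not part of the original text: it classifies each rule in a sudoers-format file as FULL (any command, so sudo -s yields a root shell) or LIMITED (named commands only) and reports the password-caching interval. The sample policy, including the users alice and bob, is constructed for illustration and is not the file Mac OS X ships.

```sh
#!/bin/sh
# Added example: classify each sudoers rule as FULL (any command, so
# "sudo -s" yields a root shell) or LIMITED (named commands only).

# Constructed sample policy; the real file is /etc/sudoers.
sample_sudoers() {
cat <<'EOF'
# constructed sample, not taken from a real system
Defaults timestamp_timeout=5
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
alice   ALL=(root) /usr/sbin/apachectl, /usr/bin/tail /var/log/system.log
bob     ALL=(ALL) NOPASSWD: ALL
EOF
}

# Reads sudoers text on stdin. Simplification: aliases and #include
# directives are skipped rather than expanded.
audit_sudoers() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    $1 ~ /_Alias$/ { next }
    $1 == "Defaults" {
        for (i = 2; i <= NF; i++)
            if ($i ~ /^timestamp_timeout=/) {
                split($i, kv, "=")
                print "TIMEOUT " kv[2]      # minutes a password stays cached
            }
        next
    }
    {
        who = $1                             # user, or %group
        spec = $0
        sub(/^[^=]*=/, "", spec)             # drop "who host="
        sub(/^[ \t]*\([^)]*\)[ \t]*/, "", spec)  # drop "(runas)"
        nopass = (spec ~ /NOPASSWD:/)        # rule skips the password prompt
        gsub(/(NOPASSWD|PASSWD):[ \t]*/, "", spec)
        n = split(spec, cmds, ",")
        full = 0
        for (i = 1; i <= n; i++) {
            c = cmds[i]
            gsub(/^[ \t]+|[ \t]+$/, "", c)
            if (c == "ALL") full = 1
        }
        level = full ? "FULL" : "LIMITED"
        if (nopass) level = level "+NOPASSWD"
        print level " " who
    }'
}

sample_sudoers | audit_sudoers
```

To audit a real system, feed the function the live policy with sudo cat /etc/sudoers | audit_sudoers, and review any FULL+NOPASSWD entry first.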
Enabling the root account
You can also run commands as root by enabling the root account. To do this, you need to run the NetInfo Manager system administration tool. NetInfo (located in /Applications/Utilities) is used to perform administrative tasks on Mac OS X. The program, originally used under NeXTSTEP, is a hierarchical distributed database of system information.
To use NetInfo Manager to enable the root account on your system, follow these steps:
1 Launch the program and select Domain→Security→Authenticate. (Under Jaguar—Mac OS X 10.2—select Security→Authenticate; the program is no longer under Domain.)
2 Enter your password when prompted and click OK (remember, for this technique to work you must have administrator privileges).
3 Select Domain→Security→Enable Root User. Reauthenticate by selecting Domain→Security→Authenticate and entering your password.
To test the root account, open a shell (using the Terminal program) and substitute your user identity with root:
% su -
Password:
root#