Apple Mac OS X has its roots in a development of BSD Unix and as such the command line should be pretty familiar to most Unix sysadmins. It does have one significant security flaw though – the default privilege level for a user is admin (although, to be fair, that is not the same as root, which needs to be enabled manually if required). Such routine use of administrative privileges is a dangerous practice – one which many Mac users will be happy to criticise Windows for; however, unlike versions of Windows prior to Vista, it is perfectly easy to operate a Mac using the principle of least user privilege – indeed, I perform all of my Mac OS X activities as a standard user although I’m asked to authenticate using an admin account for certain activities (in a similar manner to Windows Vista user access control).
Rather than enabling root access, OS X uses the sudo command to temporarily escalate privileges when required in a terminal shell (Linux Box Admin has an interesting article comparing sudo with root); however, by default, sudo will not work for a standard user – when I tried to run sudo command earlier today I got the following response:
WARNING: Improper use of the sudo command could lead to data loss
or the deletion of important system files. Please double-check your
typing when using sudo. Type "man sudo" for more information.
To proceed, enter your password, or type Ctrl-C to abort.
Password:
username is not in the sudoers file. This incident will be reported.
I could edit /etc/sudoers (the guide at MDLog:/sysadmin gives a good introduction to sudo) but I don’t know what security holes I might open in the process. One workaround is to enable the root account and use ssh root@localhost but enabling root access is really an unnecessary step. Instead, I prefer to use su - adminaccountname, after which I can sudo the appropriate command(s) and exit to return to a standard shell.
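The "This incident will be reported" line in the output above means sudo logs the denial through syslog, in the form "user : user NOT in sudoers ; ... ; COMMAND=...". As an added example (not part of the original post), this script summarises such denials per account; the log lines, host name and account names are constructed, and where sudo's messages end up on a given system is left as an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): summarise sudo denials.
# Assumption: syslog-style lines in sudo's "user NOT in sudoers" format.

# Constructed sample input; host, accounts and PIDs are invented.
sample_log() {
cat <<'EOF'
Mar  3 09:14:02 examplemac sudo[411]:    mark : user NOT in sudoers ; TTY=ttys000 ; PWD=/Users/mark ; USER=root ; COMMAND=/usr/bin/vi /etc/hosts
Mar  3 09:15:40 examplemac sudo[420]: localadmin : TTY=ttys000 ; PWD=/Users/localadmin ; USER=root ; COMMAND=/usr/bin/vi /etc/hosts
Mar  3 11:02:17 examplemac sudo[502]:    mark : user NOT in sudoers ; TTY=ttys001 ; PWD=/Users/mark ; USER=root ; COMMAND=/usr/sbin/visudo
Mar  4 08:30:55 examplemac sudo[633]:   guest : user NOT in sudoers ; TTY=ttys002 ; PWD=/tmp ; USER=root ; COMMAND=/bin/sh
EOF
}

# Emit "user<TAB>command" for each denial logged under the sudo tag.
# Successful sudo runs (no "user NOT in sudoers") are skipped.
sudo_denials() {
    awk '
        / sudo(\[[0-9]+\])?: / && (p = index($0, " : user NOT in sudoers ;")) && match($0, /COMMAND=.*/) {
            # The last word before " : user NOT in sudoers" is the account name.
            n = split(substr($0, 1, p - 1), head, /[ \t]+/)
            # "COMMAND=" is 8 characters long; print what follows it.
            printf "%s\t%s\n", head[n], substr($0, RSTART + 8)
        }
    '
}

# Count denials per account, most frequent first, as "count user".
sudo_denials_by_user() {
    sudo_denials | cut -f1 | sort | uniq -c |
        awk '{ print $1, $2 }' | sort -k1,1nr -k2,2
}

# List the commands one account was denied, in log order.
sudo_denied_commands() {
    sudo_denials | awk -F'\t' -v user="$1" '$1 == user { print $2 }'
}

# Run the summary over the constructed sample.
sample_log | sudo_denials_by_user
```

To use it on a real machine, pipe that system's sudo log lines into sudo_denials_by_user in place of sample_log.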
Good tip, thanks.
I only just saw this, whilst searching for something else. Must have missed it the first time around. Excellent tip. Like you, I didn’t want to edit the sudoers list; it seemed as though it would negate the point of running as a standard user. It will come in very useful, cheers.
Thanks mate. Glad you found it useful. M
I don’t like using an administrator as a primary user either; instead of ssh root@localhost you could just do ssh adminuser@localhost (this avoids enabling the root account).
However there’s still a problem with that solution: you cannot use programs that have a graphical interface, for example ethereal/wireshark which launches inside X11. (even if you ssh -X)
$su - zioadmin
Password:
[zioadmin@Tijuana.local:~]
$sudo ethereal
Password:
(wireshark:12570): Gtk-WARNING **: cannot open display:
I could -almost- guarantee that *correctly* editing the /etc/sudoers file will not affect/compromise your system’s security. At least Apple did some odd work there (which I don’t think so), editing /etc/sudoers is exactly the same on any BSD-like system: do NOT edit it just with the ‘vi’ command, or any other text editor; instead, the CORRECT way of editing /etc/sudoers is with the visudo command. That way, you could add your Standard user account there, and properly give it access to ALL/or specifically the commands you want/need.
Thanks anonymous – that’s useful information; however I wouldn’t give a standard user admin privileges in the GUI… so I shouldn’t at the command line either. Surely it’s much better to su to an administrative user and then sudo as required for those tasks that need elevated permissions?