Old 10-28-2007, 05:50 PM   #1
regulus6633
Major Leaguer
 
Join Date: Apr 2005
Posts: 478
10.5 and sudo and empty password not working

I'm using 10.5 now, and I can't execute any commands using sudo. I have an empty (blank) password set up on my user account, and it seems bash is not accepting this empty password to execute the command as root. It worked under 10.4, so there must be a configuration file somewhere controlling this.

Does anyone know how to fix this?
Old 10-28-2007, 08:40 PM   #2
trevor
Moderator
 
Join Date: Jun 2003
Location: Boulder, CO USA
Posts: 19,766
Yes. Give yourself a real non-empty password. An empty password is an enormous security hole.

Trevor
Old 10-28-2007, 08:47 PM   #3
hayne
Site Admin
 
Join Date: Jan 2002
Location: Montreal
Posts: 32,298
As an example of the huge security problems with an empty admin password - see this older thread: http://forums.macosxhints.com/showthread.php?t=77831
Be sure to try running the "scaryThing" app that I supply in that thread.

Security has been much improved in Leopard. I'm glad to see that OS X no longer allows an empty admin password to use 'sudo'. I don't have Leopard yet so can't try it, but I guess my "scaryThing" app no longer works in Leopard if you have an empty admin password.
__________________
hayne.net/macosx.html
Old 10-28-2007, 08:48 PM   #4
ThreeDee
Hall of Famer
 
Join Date: Aug 2005
Location: USA
Posts: 3,418
It's probably hard-coded into the system now, as allowing a blank root password is a major security hole. Just make a password and deal with it. :-/
__________________
15" MacBook Pro (Mid 2010), 2.4 GHz Core i5, 10.6.5, 4GB RAM
PowerMac G4 "Quicksilver", 733 MHz, 10.4.11, 1.5GB RAM

iPod Touch 5G, 32GB, iOS 6.1.3
Old 10-29-2007, 01:42 AM   #5
bankai
Triple-A Player
 
Join Date: Nov 2006
Location: Brisbane, QLD, Australia
Posts: 60
If you want to run sudo without being prompted for a password you need to make some changes to the sudoers file. This can be done (as root) by running 'visudo'. This will put you in a vi session.
In the sudoers file you'll see something like this:

Quote:
# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#

# Host alias specification

# User alias specification

# Cmnd alias specification

# Defaults specification

# Runas alias specification

# User privilege specification
root ALL=(ALL) ALL
%admin ALL=(ALL) ALL

What you need to do is add the following before the "%admin" line:

Quote:
your_user_name ALL=(ALL) NOPASSWD: ALL

Yes, it's insecure and yes, it's dodgy ... but I'm sure you already knew this


edit: You don't need to have a blank password for your user account in order for this to work
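
For anyone reviewing a machine after a change like the one in post #5, the check below lists every sudoers rule that carries the NOPASSWD tag and marks whether it covers all commands or a fixed list. It is an added example, not code from any poster in this thread; the sample file and the backup_user rule are constructed for illustration.

```sh
#!/bin/sh
# Added example, not code from the thread: list sudoers rules that carry the
# NOPASSWD tag and mark whether they cover every command or a fixed list.
# Simplifications: Cmnd_Alias names are not expanded, #include lines and
# "#uid" user entries are treated as comments.

audit_nopasswd() {   # usage: audit_nopasswd FILE
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }             # comments and blank lines
        /\\$/ { sub(/\\$/, ""); buf = buf $0; next }  # join continued lines
        {
            line = buf $0; buf = ""
            gsub(/[ \t]+/, " ", line); sub(/^ /, "", line)
        }
        line ~ /^(Defaults|[A-Za-z]+_Alias)/ { next } # not privilege rules
        {
            pos = index(line, "NOPASSWD:")
            if (pos == 0) next
            split(line, f, " ")
            cmds = substr(line, pos + 9)
            gsub(/^ +| +$/, "", cmds)
            scope = (cmds ~ /(^|,) *ALL *(,|$)/) ? "UNRESTRICTED" : "SCOPED"
            printf "%s %s %s\n", f[1], scope, cmds
        }
    ' "$1"
}

# Constructed sample: the rules quoted in post #5 plus a hypothetical
# backup_user rule limited to two commands.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# User privilege specification
root ALL=(ALL) ALL
your_user_name ALL=(ALL) NOPASSWD: ALL
backup_user ALL=(root) NOPASSWD: /usr/bin/rsync, \
    /usr/sbin/diskutil list
%admin ALL=(ALL) ALL
EOF
audit_nopasswd "$sample"
rm -f "$sample"
```

Each output line is the user or group, the scope, and the command list; an UNRESTRICTED line means any process running as that user can become root without a prompt.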
Old 10-29-2007, 07:01 AM   #6
regulus6633
Major Leaguer
 
Join Date: Apr 2005
Posts: 478
Quote:
Originally Posted by bankai
Yes, it's insecure and yes, it's dodgy ... but I'm sure you already knew this

Yes, I did know this, thanks for your advice. Unfortunately it did not work. I even rebooted to make sure the changes took. The sudoers file has the change after the reboot, so I'm not sure why it still doesn't work.

Not being able to use sudo has forced me to enable the root user, and now I have to use the root account to make root level changes on my computer. It seems silly for Apple to not allow me to use the computer the way I want, although I've noticed as the years go by that more and more they're trying to take control away from me.

Any other ideas????
Old 10-29-2007, 09:51 AM   #7
hayne
Site Admin
 
Join Date: Jan 2002
Location: Montreal
Posts: 32,298
Apple is forcing you to do the correct thing.
This is a Good Idea (tm).
As pointed out above, having an empty admin password leaves you completely open to disastrous consequences from any trojan since it instantly gets root privileges.

If you insist on not having a password for your account (I'd really like to understand why you feel this is necessary) then you should use a non-admin account for everyday use.
__________________
hayne.net/macosx.html
Old 10-29-2007, 10:25 AM   #8
regulus6633
Major Leaguer
 
Join Date: Apr 2005
Posts: 478
Quote:
Originally Posted by hayne
As pointed out above, having an empty admin password leaves you completely open to disastrous consequences from any trojan since it instantly gets root privileges.

Although security advice is appreciated, I'd rather that along with the security advice you also provide a solution to my problem and allow me to decide how I want to implement security.

Does anyone have any advice which might actually solve my problem?
Old 10-29-2007, 11:57 AM   #9
trevor
Moderator
 
Join Date: Jun 2003
Location: Boulder, CO USA
Posts: 19,766
You've got to understand that you are asking us to help you do something which is a very bad idea. I personally will not help you do this, no matter how much you want to. And I hope that we can talk you out of it.

Trevor
Old 10-29-2007, 01:18 PM   #10
hayne
Site Admin
 
Join Date: Jan 2002
Location: Montreal
Posts: 32,298
Quote:
Originally Posted by regulus6633
provide a solution to my problem

Sorry, but you have failed to explain what your problem is.
Note that I mean the "why", not the "what".
I asked above why you want/need to run without a password, but you have not responded.
__________________
hayne.net/macosx.html
Old 10-29-2007, 02:15 PM   #11
kwahamot
Prospect
 
Join Date: Oct 2007
Posts: 6
I have a similar problem. I cannot change the empty admin password because Leopard won't accept that the old pw is empty. Very annoying!

As far as reasons to run without an admin pw... I work in a lab environment with many users sharing/wiping/restoring machines, so admin passwords are not allowed, except on Windows.
Old 10-29-2007, 04:17 PM   #12
regulus6633
Major Leaguer
 
Join Date: Apr 2005
Posts: 478
I'm sure the "why I want to do this" won't satisfy you, because as we all know it's not a really good idea to do it this way. I just find that for my particular situation operating in this manner is not a big risk and it's a lot easier on me. The bottom line is I've always run this way and never had a problem. That's not to say I won't ever have a problem, but if I do it's not a big deal. It's a simple task to reinstall my stuff from the backups I have... in the event that it ever becomes an issue... which in over 20 years of using Macs it never has been. Never once.

The same could be said for antivirus/anti-spyware software. It's certainly prudent to use them because it's a big bad world out there and at some point we may have a problem... but I'm sure most Mac users, including all of you, don't use it. Experience tells us that the risk is small, and if it ever becomes an issue then we'll take action to protect ourselves.

So if you don't want to help that's OK. It's your choice. Just like it's my choice to operate how I choose. I just find that withholding information is not very useful. It doesn't teach anybody anything. What's more useful is to let a person learn from their own experiences. When you make a mistake it's OK! That's how we learn.
Old 10-29-2007, 06:12 PM   #13
Hal Itosis
Hall of Famer
 
Join Date: Apr 2002
Posts: 3,315
Quote:
Originally Posted by regulus6633
Does anyone have any advice which might actually solve my problem?

Good gawd man,
make your password 123
and "suffer" in silence...

-HI-
Old 10-29-2007, 08:18 PM   #14
bankai
Triple-A Player
 
Join Date: Nov 2006
Location: Brisbane, QLD, Australia
Posts: 60
You could delete the OS X sudo and use GNU sudo. You could probably do this with fink.

Actually... there's another dodgy way to do what you're wanting to do. If you want to run a command as another user from a cron job or something you can ssh to that user using key-based authentication (without a password) and send the command as the last parameter. We have a few scripts that do this at my work.

Last edited by bankai; 10-30-2007 at 12:25 AM.
Old 10-29-2007, 11:31 PM   #15
hayne
Site Admin
 
Join Date: Jan 2002
Location: Montreal
Posts: 32,298
Quote:
Originally Posted by kwahamot
I work in a lab environment with many users sharing/wiping/restoring machines, so admin passwords are not allowed

That makes no sense at all. In a lab environment, you usually want to maintain control over the machines. Letting everyone (not just the staff) be admins is a complete loss of control.
The usual thing that is done in a lab environment is to have an algorithm that gives the password - e.g. the password is a base password plus the name of the machine (or something like that) - and then the base password is changed regularly and made known to all who need it at a regular meeting.
__________________
hayne.net/macosx.html

Last edited by hayne; 10-29-2007 at 11:34 PM.
Old 10-30-2007, 04:17 AM   #16
regulus6633
Major Leaguer
 
Join Date: Apr 2005
Posts: 478
Thanks bankai, but that's a little too much trouble considering that my other approach (which is to use the root account) works just as easily for me. I'll keep looking for my answer though because I'd rather be able to use sudo from my admin account. I still believe that there's a configuration file somewhere which holds this key though. I know this is true for ssh access. SSH won't allow empty passwords until you modify the sshd_config file. I don't actually do this with ssh, I'm just pointing out that the setting is in a configuration file.

And a final answer to those security-conscious people:
I take security seriously too. I have a hardware firewall with all incoming ports closed. My firewall is also set up to not respond to incoming pings so no one can randomly detect that my network exists. My wireless network does not announce itself, is MAC address protected, and is password protected. I use LittleSnitch to protect myself from outgoing traffic. Safari and OSX are set up to not allow unauthorized applications to run without my knowledge. All my sensitive files are stored on encrypted sparse disk images with 128-bit AES encryption and a strong password. All sensitive information and passwords that I use over the internet are protected by the application 1Password, with a strong password and which is set to auto-lock itself after a certain period of inactivity. All of my files are backed up, and the backups are backed up too.

So you can see I'm very careful to protect myself. With all this protection I find that having an administrator password is more of a headache than an actual deterrent. It's not very useful on my home computer which no one else has physical access to but me. And if someone does get physical access then a password wouldn't protect me anyway because it's simple to defeat with an OSX install disk. As I said my sensitive stuff is encrypted so the stuff that's not protected is not worth the trouble of having to enter a password every time I want to do some administrative task on my computer. I choose not to implement that security because with all the other security I have implemented it's just not useful to me.

So those are my reasons for wanting an empty admin password. It makes my life easier and the risk is very minimal to me. You may still think I'm foolish but I think I've taken more than reasonable efforts to protect myself, and I think my security measures do far more than an admin password ever could.
Old 10-30-2007, 09:13 AM   #17
hayne
Site Admin
 
Join Date: Jan 2002
Location: Montreal
Posts: 32,298
Quote:
Originally Posted by regulus6633
I think my security measures do far more than an admin password ever could

You seem to completely miss the main point - that without an admin password, any malicious (or even merely misguided) program that you happen to run will be able to run as root with no further ado.

And the worst thing isn't loss of data (backups take care of that - at least if you test them regularly), the worst thing is the possibility of losing control of your computer due to some malware with root privileges. (Any sufficiently clever malware can change the internals of the OS such that you will never notice that anything has changed.)
__________________
hayne.net/macosx.html
Old 10-30-2007, 12:47 PM   #18
regulus6633
Major Leaguer
 
Join Date: Apr 2005
Posts: 478
Quote:
Originally Posted by hayne
You seem to completely miss the main point

I knew you'd say that when I mentioned earlier that "I'm sure the "why I want to do this" won't satisfy you".
Old 11-02-2007, 12:20 AM   #19
paygun
Prospect
 
Join Date: Mar 2007
Posts: 4
I do something similar, although I have an admin password. Set up sudo to have auth time out, and make the timeout value sufficiently long so that you only have to enter the password once per session in normal use. I set mine for 2 hours. I almost never have to enter it more than once per day, and it reduces the risk considerably compared to having no password at all.

Last edited by paygun; 11-02-2007 at 12:21 AM. Reason: clarificationizing verbiageness
Old 11-02-2007, 12:31 AM   #20
paygun
Prospect
 
Join Date: Mar 2007
Posts: 4
I should have mentioned too, it's best if you put "sudo -k" in your .bash_logout file, this will wipe out your timeout so it doesn't survive your shell exiting.
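
The setup from posts #19 and #20 written out as a script; this is an added example, not code from paygun or anyone else in the thread. The sudoers option `timestamp_timeout` (in minutes) and the `visudo -c -f` syntax check are standard sudo; the function names and the `--apply` switch are made up for this example.

```sh
#!/bin/sh
# Added example, not code from the thread. sudoers remembers a successful
# password entry for timestamp_timeout minutes; "sudo -k" discards it early.

# Print the Defaults line for a timeout in whole minutes. Empty, zero-led,
# negative (sudo reads negative as "never expire") or non-numeric input fails.
timeout_line() {
    case "$1" in
        ''|0*|*[!0-9]*) echo "timeout must be a positive whole number" >&2
                        return 1 ;;
    esac
    printf 'Defaults timestamp_timeout=%s\n' "$1"
}

# Syntax-check a candidate line in a scratch file, never in /etc/sudoers itself.
check_line() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$1" > "$tmp"
    rc=0
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -q -f "$tmp" || rc=$?
    fi
    rm -f "$tmp"
    return "$rc"
}

# Append "sudo -k" to a logout file once; repeated runs leave it unchanged.
add_logout_hook() {
    touch "$1"
    grep -qx 'sudo -k' "$1" || printf 'sudo -k\n' >> "$1"
}

# Run with --apply to use paygun's values: 2 hours = 120 minutes.
if [ "${1:-}" = "--apply" ]; then
    line=$(timeout_line 120) || exit 1
    check_line "$line" || exit 1
    add_logout_hook "$HOME/.bash_logout"
    echo "Add this line with visudo: $line"
fi
```

The script only prints the Defaults line; adding it to the sudoers file is still done by hand through visudo.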