#1
Major Leaguer
Join Date: Apr 2005
Posts: 478
10.5 and sudo and empty password not working
I'm using 10.5 now, and I can't execute any commands using sudo. I have an empty (blank) password set up on my user account, and it seems bash is not accepting this empty password to execute the command as root. It worked under 10.4, so there must be a configuration file somewhere controlling this.
Does anyone know how to fix this?

#2
Moderator
Join Date: Jun 2003
Location: Boulder, CO USA
Posts: 19,853
Yes. Give yourself a real non-empty password. An empty password is an enormous security hole.
Trevor

#3
Site Admin
Join Date: Jan 2002
Location: Montreal
Posts: 32,473
As an example of the huge security problems with an empty admin password - see this older thread: http://forums.macosxhints.com/showthread.php?t=77831
Be sure to try running the "scaryThing" app that I supply in that thread. Security has been much improved in Leopard. I'm glad to see that OS X no longer allows an empty admin password to use 'sudo'. I don't have Leopard yet so can't try it, but I guess my "scaryThing" app no longer works in Leopard if you have an empty admin password.
__________________
hayne.net/macosx.html

#4
Hall of Famer
Join Date: Aug 2005
Location: USA
Posts: 3,418
It's probably hard-coded into the system now, as allowing a blank root password is a major security hole. Just make a password and deal with it. :-/
__________________
15" MacBook Pro (Mid 2010), 2.4 GHz Core i5, 10.6.5, 4GB RAM
PowerMac G4 "Quicksilver", 733 MHz, 10.4.11, 1.5GB RAM
iPod Touch 5G, 32GB, iOS 6.1.3

#5
Triple-A Player
Join Date: Nov 2006
Location: Brisbane, QLD, Australia
Posts: 60
If you want to run sudo without being prompted for a password you need to make some changes to the sudoers file. This can be done (as root) by running 'visudo'. This will put you in a vi session.
In the sudoers file you'll see something like this:
What you need to do is add the following before the "%admin" line:
Yes, it's insecure and yes, it's dodgy ... but I'm sure you already knew this.
Edit: You don't need to have a blank password for your user account in order for this to work.

#6
Major Leaguer
Join Date: Apr 2005
Posts: 478
Yes I did know this, thanks for your advice. Unfortunately it did not work. I even rebooted to make sure the changes took. The sudoers file has the change after the reboot, so I'm not sure why it still doesn't work. Not being able to use sudo has forced me to enable the root user, and now I have to use the root account to make root level changes on my computer. It seems silly for Apple to not allow me to use the computer the way I want, although I've noticed as the years go by that more and more they're trying to take control away from me. Any other ideas????

#7
Site Admin
Join Date: Jan 2002
Location: Montreal
Posts: 32,473
Apple is forcing you to do the correct thing.
This is a Good Idea (tm). As pointed out above, having an empty admin password leaves you completely open to disastrous consequences from any trojan since it instantly gets root privileges. If you insist on not having a password for your account (I'd really like to understand why you feel this is necessary) then you should use a non-admin account for everyday use.
__________________
hayne.net/macosx.html

#8
Major Leaguer
Join Date: Apr 2005
Posts: 478
Although security advice is appreciated, I'd rather that along with the security advice you also provide a solution to my problem and allow me to decide how I want to implement security. Does anyone have any advice which might actually solve my problem?

#9
Moderator
Join Date: Jun 2003
Location: Boulder, CO USA
Posts: 19,853
You've got to understand that you are asking us to help you do something which is a very bad idea. I personally will not help you do this, no matter how much you want to. And I hope that we can talk you out of it.
Trevor

#10
Site Admin
Join Date: Jan 2002
Location: Montreal
Posts: 32,473
Sorry, but you have failed to explain what your problem is. Note that I mean the "why", not the "what". I asked above why you want/need to run without a password, but you have not responded.
__________________
hayne.net/macosx.html

#11
Prospect
Join Date: Oct 2007
Posts: 6
I have a similar problem. I cannot change the empty admin password because Leopard won't accept that the old pw is empty. Very annoying!
As far as reasons to run without an admin pw... I work in a lab environment with many users sharing/wiping/restoring machines, so admin passwords are not allowed, except on Windows.

#12
Major Leaguer
Join Date: Apr 2005
Posts: 478
I'm sure the "why I want to do this" won't satisfy you, because as we all know it's not a really good idea to do it this way. I just find that for my particular situation operating in this manner is not a big risk and it's a lot easier on me. The bottom line is I've always run this way and never had a problem. That's not to say I won't ever have a problem, but if I do it's not a big deal. It's a simple task to reinstall my stuff from the backups I have... in the event that it ever becomes an issue... which in over 20 years of using Macs it never has been. Never once.
The same could be said for antivirus/anti-spyware software. It's certainly prudent to use them because it's a big bad world out there and at some point we may have a problem... but I'm sure most Mac users, including all of you, don't use it. Experience tells us that the risk is small, and if it ever becomes an issue then we'll take action to protect ourselves. So if you don't want to help that's OK. It's your choice. Just like it's my choice to operate how I choose. I just find that withholding information is not very useful. It doesn't teach anybody anything. What's more useful is to let a person learn from their own experiences. When you make a mistake it's OK! That's how we learn.

#13
Hall of Famer
Join Date: Apr 2002
Posts: 3,315
Good gawd man, make your password 123 and "suffer" in silence... -HI-

#14
Triple-A Player
Join Date: Nov 2006
Location: Brisbane, QLD, Australia
Posts: 60
You could delete the OS X sudo and use GNU sudo. You could probably do this with fink.
Actually... there's another dodgy way to do what you're wanting to do. If you want to run a command as another user from a cron job or something you can ssh to that user using key-based authentication (without a password) and send the command as the last parameter. We have a few scripts that do this at my work.
Last edited by bankai; 10-30-2007 at 01:25 AM.

#15
Site Admin
Join Date: Jan 2002
Location: Montreal
Posts: 32,473
That makes no sense at all. In a lab environment, you usually want to maintain control over the machines. Letting everyone (not just the staff) be admins is a complete loss of control. The usual thing that is done in a lab environment is to have an algorithm that gives the password - e.g. the password is a base password plus the name of the machine (or something like that) - and then the base password is changed regularly and made known to all who need it at a regular meeting.
__________________
hayne.net/macosx.html
Last edited by hayne; 10-30-2007 at 12:34 AM.

#16
Major Leaguer
Join Date: Apr 2005
Posts: 478
Thanks bankai, but that's a little too much trouble considering that my other approach (which is to use the root account) works just as easily for me. I'll keep looking for my answer though because I'd rather be able to use sudo from my admin account. I still believe that there's a configuration file somewhere which holds this key though. I know this is true for ssh access. SSH won't allow empty passwords until you modify the sshd_config file. I don't actually do this with ssh, I'm just pointing out that the setting is in a configuration file.
And a final answer to those security-conscious people: I take security seriously too. I have a hardware firewall with all incoming ports closed. My firewall is also set up to not respond to incoming pings so no one can randomly detect that my network exists. My wireless network does not announce itself, is MAC address protected, and is password protected. I use LittleSnitch to protect myself from outgoing traffic. Safari and OSX are set up to not allow unauthorized applications from running without my knowledge. All my sensitive files are stored on encrypted sparse disk images with 128 bit AES encryption and a strong password. All sensitive information and passwords that I use over the internet are protected by the application 1Password, with a strong password and which is set to auto-lock itself after a certain period of inactivity. All of my files are backed up, and the backups are backed up too. So you can see I'm very careful to protect myself.
With all this protection I find that having an administrator password is more of a headache than an actual deterrent. It's not very useful on my home computer which no one else has physical access to but me. And if someone does get physical access then a password wouldn't protect me anyway because it's simple to defeat with an OSX install disk. As I said my sensitive stuff is encrypted so the stuff that's not protected is not worth the trouble of having to enter a password every time I want to do some administrative task on my computer. I choose not to implement that security because with all the other security I have implemented it's just not useful to me.
So those are my reasons for wanting an empty admin password. It makes my life easier and the risk is very minimal to me. You may still think I'm foolish but I think I've taken more than reasonable efforts to protect myself, and I think my security measures do far more than an admin password ever could.

#17
Site Admin
Join Date: Jan 2002
Location: Montreal
Posts: 32,473
You seem to completely miss the main point - that without an admin password, any malicious (or even merely misguided) program that you happen to run will be able to run as root with no further ado. And the worst thing isn't loss of data (backups take care of that - at least if you test them regularly), the worst thing is the possibility of losing control of your computer due to some malware with root privileges. (Any sufficiently clever malware can change the internals of the OS such that you will never notice that anything has changed.)
__________________
hayne.net/macosx.html

#18
Major Leaguer
Join Date: Apr 2005
Posts: 478
I knew you'd say that when I mentioned earlier that "I'm sure the "why I want to do this" won't satisfy you".

#19
Prospect
Join Date: Mar 2007
Posts: 4
I do something similar, although I have an admin password. Set up sudo to have auth time out, and make the timeout value sufficiently long so that you only have to enter the password once per session in normal use. I set mine for 2 hours. I almost never have to enter it more than once per day, and it reduces the risk considerably compared to having no password at all.
Last edited by paygun; 11-02-2007 at 01:21 AM. Reason: clarificationizing verbiageness

#20
Prospect
Join Date: Mar 2007
Posts: 4
I should have mentioned too, it's best if you put "sudo -k" in your .bash_logout file, this will wipe out your timeout so it doesn't survive your shell exiting.
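
An added example, not part of any post in this thread: a read-only shell check for the sudoers settings discussed above (a rule that skips the password prompt, as in post #5, and the credential timeout from post #19) plus the `sudo -k` logout line from post #20. The sample file contents, the `labuser` name, the 120-minute default and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: read-only audit of sudoers text for settings that weaken
# sudo authentication. It parses a file; it never runs sudo or needs root.

# audit_sudoers FILE [MAX_MINUTES] -> one finding per line on stdout
audit_sudoers() {
    awk -v max="${2:-120}" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blanks
        /NOPASSWD[ \t]*:/ {
            printf "line %d: NOPASSWD rule, no password asked: %s\n", NR, $0
        }
        /^[ \t]*Defaults/ && /!authenticate/ {
            printf "line %d: authentication disabled: %s\n", NR, $0
        }
        /^[ \t]*Defaults/ && /timestamp_timeout[ \t]*=/ {
            v = $0
            sub(/.*timestamp_timeout[ \t]*=[ \t]*/, "", v)
            sub(/[^-0-9.].*/, "", v)             # keep only the number
            if (v + 0 < 0)
                printf "line %d: cached credential never expires (%s)\n", NR, v
            else if (v + 0 > max)
                printf "line %d: timeout %s min exceeds %s min\n", NR, v, max
        }
    ' "$1"
}

# logout_clears_timestamp FILE -> exit 0 if FILE runs "sudo -k"
logout_clears_timestamp() {
    grep -Eq '^[[:space:]]*sudo[[:space:]]+-k([[:space:]]|$)' "$1"
}

# Constructed sample input (not taken from any real machine).
SAMPLE=$(mktemp); LOGOUT=$(mktemp)
trap 'rm -f "$SAMPLE" "$LOGOUT"' EXIT
cat > "$SAMPLE" <<'EOF'
# constructed sample sudoers
Defaults env_reset
Defaults timestamp_timeout=120
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
labuser ALL=(ALL) NOPASSWD: ALL
Defaults:labuser timestamp_timeout=-1
EOF
printf 'sudo -k\n' > "$LOGOUT"

audit_sudoers "$SAMPLE" 120
logout_clears_timestamp "$LOGOUT" && echo "logout file clears the sudo timestamp"
```

To check a real machine, point `audit_sudoers` at a copy of the sudoers file and `logout_clears_timestamp` at `~/.bash_logout`.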