#21
MVP
Join Date: Apr 2008
Location: Berkeley CA USA
Posts: 1,009

A principle of Unix security is that you should never run a complex program as root. The more complex the program, the likelier it is to have a security hole.

A program that has a GUI interface is ipso facto too complex to be safely run as root. (This is just a guideline, of course. We pretty much have to make an exception for the OS Installer. Still, the smaller and more focused tools you allow root to run, the better.)

Actually logging in as root violates that rule in spades. You're running ALL of your GUI applications as root. Never mind that Apple themselves, in their trouble-shooting tech notes, sometimes advise you to do just that. As Gandalf said to Pippin, "the long explanations needed by the young are so wearisome." It's still a really bad idea, and never necessary.

When it comes down to a choice of "I can tell you in five pages how to do it right, fifty pages if I include a litany of all the things you have to watch for and how to deal with them. Or I can tell you in five paragraphs the quick and sloppy (and therefore wrong) way to do it," even Apple sometimes takes the easy way out.

I repeat: It is never necessary to log in as root. It is never a good idea to log in as root. It is a very bad idea to even enable root login. Judicious use of sudo or, in extreme cases, Single User Mode is all you ever need.

#22
All Star
Join Date: Aug 2009
Posts: 662

Not if you're logging in from a terminal, and not unless you exclude "su" as a method of logging in. In any case, "chown" is hardly a "complex" program. Nevertheless, whether you choose to "sudo chown -R user dir" or whether you choose to "su" and THEN "chown -R user dir" - it amounts to the same thing - a solution to enable the user to access the dir.

#23
MVP
Join Date: Jan 2009
Posts: 1,682

OK..so, while I am in as Root, can I process all of these folders that now have prohibit on them, and make it so that my ordinary user can manipulate and access all the contents as usual? If so, what is that process like? Thank you!
a

#24
League Commissioner
Join Date: Sep 2003
Location: Tokyo
Posts: 6,045

Scroll up to post #15.

#25
All Star
Join Date: Aug 2009
Posts: 662

Yes. If you want user "user" to own and have access to "dir" and everything it contains, you just need to do this at the terminal: chown -R user dir

#26
Site Admin
Join Date: Jan 2002
Location: Montreal
Posts: 31,939

To be more precise/specific, the appropriate command for acme would be:
sudo chown -R Lion /Volumes/Jupiter
__________________
hayne.net/macosx.html
Last edited by hayne; 09-17-2012 at 07:12 AM. Reason: clarify this is only for acme

#27
League Commissioner
Join Date: Sep 2003
Location: Tokyo
Posts: 6,045

For future readers, this only works on Acme's system as of today. (That's him, not me. One of us needs a different username.) DON'T try it on your own box.

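A guarded form of the recursive chown discussed in posts #25 to #27, as an added example that is not part of any post in this thread. The function names (is_safe_target, count_foreign, fix_ownership) and the list of refused paths are assumptions made for illustration; the preview step runs unprivileged and sudo is used only for the one command that needs it.

```shell
#!/bin/sh
# Added example, not from the thread. Owner and directory are supplied by
# the caller; the refused-path list below is an illustrative assumption.

# Resolve DIR to its physical path and refuse system locations, where a
# recursive ownership change would break the OS.
is_safe_target() {
    [ -n "$1" ] || return 1
    real=$(cd "$1" 2>/dev/null && pwd -P) || return 1
    case "$real" in
        /|/System*|/Library*|/usr*|/bin*|/sbin*|/etc*|/var*|/private*|/Users)
            return 1 ;;
    esac
    return 0
}

# Count entries under DIR not already owned by OWNER (name or numeric uid).
# This preview changes nothing; run unprivileged, it only sees what the
# current user is allowed to traverse.
count_foreign() {
    find "$2" ! -user "$1" -print | wc -l | tr -d ' '
}

# Elevate only for the chown itself, and only on entries that need it.
# chown -h changes a symlink itself rather than the file it points to.
fix_ownership() {
    owner=$1
    dir=$2
    is_safe_target "$dir" || { echo "refusing to chown $dir" >&2; return 1; }
    id "$owner" >/dev/null 2>&1 || { echo "no such user: $owner" >&2; return 1; }
    n=$(count_foreign "$owner" "$dir")
    echo "$n entries under $dir are not owned by $owner" >&2
    [ "$n" -eq 0 ] && return 0
    sudo find "$dir" ! -user "$owner" -exec chown -h "$owner" {} +
}
```

Calling fix_ownership with a user name and a mounted data volume prints the count first, so the scope of the change is visible before sudo asks for a password.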
#28
MVP
Join Date: Apr 2008
Location: Berkeley CA USA
Posts: 1,009

Don't confuse "running as root" with "logging in as root". To "log in as root", you have to log in, using root's password. That entails root having a password. That, all by itself, is a security risk. If (as is usually meant by the phrase "log in as root") you log in through LoginWindow, supplying root's password when asked, you get the whole GUI, including Finder, running as root. That's a bull walking around in your china shop.

There are ways to "run as root". We've both mentioned one: sudo. When you use sudo, you supply your admin password, not root's password, and indeed using sudo doesn't even require that root have a password. Nor is sudo generally used to launch GUI applications. Even sudo -s, which gives you a shell running as root, is not a login. If you try to exit that shell by entering the logout command, you'll be politely reminded that you are not in a login shell, and should use exit to get out. A shell, even one running as root, is not a GUI application.

I have no qualms about using root when needed, but I get very nervous when people start suggesting logging in as root. Especially when they repeatedly suggest that to a novice user who is already in over his head about permissions.

#29
All Star
Join Date: Aug 2009
Posts: 662

I don't. And given that anyone who can "sudo" can simply "sudo su" there isn't much that someone who can "sudo" can't do.
I dunno why you're on about GUI - I never said a word about using a GUI.
Last edited by onceagain; 09-18-2012 at 11:19 PM.

#30
MVP
Join Date: Apr 2008
Location: Berkeley CA USA
Posts: 1,009

That's still not a login! I think you actually do not yet get the distinction between "logging in as root" and "using root". As for there not being much that a user who can sudo can't do, well, that's precisely my point. Rather than tell a novice user to log in as root, it would be safer to steer them towards sudo. At least then, the elevated privileges can be contained to just the few commands that need them.

Because the phrase "logging in as root" generally means "following the procedure spelled out in http://support.apple.com/kb/ht1528, Enabling and using the "root" user in Mac OS X". Pay special attention to the section, about half way down, titled "How to log in as root". Following those instructions gets you a GUI running as root. IOW, you said "log in", which on a Mac generally means "using the GUI". (Not always, of course. su -l username and ssh are both ways to log in without bringing up a GUI, but even those commands, unless you've enabled root, won't get you logged in as root.)

(It's not necessary for anyone to chime in with how to log in as root without enabling root and without introducing a GUI. I do know how to do it. But you still can't do anything you couldn't do without logging in as root.)

#31
All Star
Join Date: Aug 2009
Posts: 662

OK (:
Oh please. The root user and logging in as the root user has been around LONG before Apple and OS X.
Sure, if you make big assumptions and constrain your world view. For example - way back when (which would be 1990) on my Mac IIci running A/UX, I got poor one semester and sold my monitor, but I had an actual terminal I got from university surplus. I had the system set up so that it spawned a login prompt on the terminal, which was connected via the serial port. No GUI there! And that's just one example.

Anyway - but I dunno why you want to create an argument out of it - so, you're right, I'm wrong - I have no clue about anything whatsoever. Any time someone logs in, they simply MUST be using a GUI - esp. as root! It's just so obvious to me now - I dunno what I was thinking - thanks for clearing it up. So, there - you can rest easy now.
Last edited by onceagain; 09-19-2012 at 12:32 AM.

#32
League Commissioner
Join Date: Sep 2003
Location: Tokyo
Posts: 6,045

What happened in the Mac II days is hardly relevant today. Observe the last item in the Apple menu, the second-last item in the user-switching menu, the initial user/password window, and a few places in System Preferences -> Accounts. They all say "Log In/Out" in the context of the GUI, and that's what it means to the vast majority of users. Command-line jockeys are expected to already know the difference.
The man page for sudo only mentions the phrase "login" in the more arcane options.

#33
All Star
Join Date: Aug 2009
Posts: 662

Well pardon me, for using the term "log in" in terms of what it has meant to me (and pretty much any "computer person" I've known) for the past 28 or so years - which, incidentally, is nothing more than "access a computer with a specific user account or specific credentials" and having nothing, whatsoever to do with a GUI. And you know what? When you do "sudo whoami" and provide a (suitable) password, it will tell you that you are root. Some people just want to argue I guess.

OK, so instead of:
how about: Secure the user permissions necessary (one way or another) and simply use the "chown -R" command on the directory of interest to assign ownership to the user of interest. Will that make the Apple documentation gods smile?
Last edited by onceagain; 09-19-2012 at 01:32 AM.

#34
MVP
Join Date: Jan 2009
Posts: 1,682

thank you all for contributing suggestions...I ended up operating as Root for a time...
while as root, I fished out some of the user folder back up goodies I was after, and while at it, checked ignore ownership at the top level of the hard drive in question, which, once back in my regular user, enabled me to access my files the same way I was accustomed to doing prior to installing Mt. Lion. I'm still baffled as to why Mt. Lion hosed up my files and time machine...
a

#35
League Commissioner
Join Date: Aug 2006
Posts: 5,039

I think ganbustein is just after a bit of clarity and precision. Saying "log in as root" to a user (who presumably is not that familiar with the Unix underpinnings of the OS) is likely to suggest enabling the root password and logging "completely" into OS X, in the GUI, as root, which we all know is unwise, particularly if he forgets to disable it again afterwards. If you mean "start a shell as root" or "use sudo", then it is perhaps better to say that explicitly, rather than something else which has dangerous ambiguity. I think that is what he's suggesting.
Last edited by benwiggy; 09-19-2012 at 07:02 AM.

#36
All Star
Join Date: Aug 2009
Posts: 662

...or maybe when someone says "login" they mean to simply type "login" at the prompt and, you know, log in....especially when they're talking about commands that require a prompt...which have nothing to do with a GUI.

#37
League Commissioner
Join Date: Aug 2006
Posts: 5,039

Maybe. But we can only guess at what they mean if they don't actually spell it out. However -- if root password is disabled, can you actually login (using "login") as root in the Terminal? Are we not trying to offer people ways of "gaining root" without actually enabling the root user password?
Last edited by benwiggy; 09-19-2012 at 10:16 AM.

#38
All Star
Join Date: Aug 2009
Posts: 662

Ah well. One man's clarity is another man's muddy waters I suppose.
Probably not - I wouldn't know since I enable a root password fairly instantly when I get a new Mac. Fortunately, setting a root password is pretty easy.
Some of you are - but not me. As far as I'm concerned, if a person gets "root access" it really doesn't matter how they got there, their ability to do "whatever" is the same.
Last edited by onceagain; 09-19-2012 at 11:59 AM.

#39
All Star
Join Date: Aug 2009
Posts: 662

HAHAHA! Way to go man.
Good job OP - glad your problem is solved.
Software written by humans, running on hardware designed by humans.

#40
Site Admin
Join Date: Jan 2002
Location: Montreal
Posts: 31,939

You don't need to say it. It is the default meaning of "login" in the OS X world and on these forums - except possibly in the Unix sections. Users will assume you are talking about the GUI unless you make it clear that you are not.
__________________
hayne.net/macosx.html