I deleted the root user! Help!

You've forgotten to specify the domain. Please note the lowly '.' in the command. That's actually the domain (even though I forgot it in my example which thus properly should have been : sudo niutil -destroy . 29

There's no harm done as the command simply refused to run.
It's strange how the lowly '.' can have such consequences :rolleyes:

And one of you ought to have spotted the difference between the two instances I had given of the command ::angel::

And simbalala : you are putting the opts in the wrong place :mad: . Correct would have been
sudo niutil -destroy -P <password> . 12 -or- sudo niutil -destroy -p . 12
 
Dumb question time.

The man page says

niutil -destroy [ opts ] domain path

It's not clear to me why the domain is '.' .

Is it localhost?
 
simbalala said:
Dumb question time.

The man page says

niutil -destroy [ opts ] domain path

It's not clear to me why the domain is '.' .

Is it localhost?
1) there are no dumb questions (unless it's something I've already answered ::angel:: )
2) the '.' is more correctly the current domain. The local computer is '/' . So if you haven't changed domain in some way '.' and '/' are the same.

The whole niutil and 'Netinfo Manager' is so bloody complicated when we are talking about the domain situation. I must confess that I've only ever messed around with the local domain and I'm not at all sure about how to use other domains.
 
sinclair_tm said:
well lurk, there is no pw requested when you enable root for the first time, so the first one to do it gets to pick the pw. so if someone sits down to your machine or somehow gets in remotely and you haven't done this, they can and then have more power over your mac than you.

OK I see your reasoning, but unfortunately it is wrong. The fact that passwd asks you for the old password when run by root is irrelevant; I was not aware that it did so under OS X and it certainly does not when run by root on other *nix versions I have used.

The reason that this provides no security whatsoever is that once I have access to an admin account with that account's password (the necessary condition for both cases) I can just directly edit the password file and set it to whatever I want. If I set that field to the original "*" then I suspect if I ran the passwd program it would not prompt me. But who cares since I already can edit the password file!

This is a textbook example of cargo culting if I ever saw one.

ObHumility: I don't know how this interacts with NetInfo but I strongly suspect that it is a direct parallel to "who cares since you can directly edit the database".
 
If you can 'sudo' you aren't prompted for the old password of the account:
Code:
[16:26:40@System]$ sudo passwd root
Changing password for root.
New password:
Retype new password:
[16:28:12@System]$ passwd
Changing password for bjarne.
Old password:
New password:
Retype new password:
[16:28:53@System]$ sudo passwd bjarne
Changing password for bjarne.
New password:
Retype new password:
[16:29:04@System]$
 
alright, well I was able to get rid of the user named with *'s but the two blank users I can't destroy. the first time I ran the destroy command on a blank user it acted like it destroyed it but then i list the users and they still show up... so I try to destroy again and this time it says something:
% sudo niutil -destroy . 12
niutil: can't destroy directory 12: No such directory

so they still show up, but they've been destroyed??
 
little-ol-me said:
The fact that passwd asks you for the old password when run by root is irrelevant; I was not aware that it did so under OS X and it certainly does not when run by root on other *nix versions I have used.
To wit the reply came...
BjarneDM said:
If you can 'sudo' you aren't prompted for the old password of the account:

Thank you, sir, for verifying that OS X is like every other unix in this regard. I will be able to sleep better now that my world view is back in alignment. :)
 
lurk said:
To wit the reply came...


Thank you, sir, for verifying that OS X is like every other unix in this regard. I will be able to sleep better now that my world view is back in alignment. :)

If you use the NetInfo menu bar menu to change the password it requires the old password. Making the world safer for newbies...

But down below, in the main options field it appears that you can change the password there as well. I haven't tried that.
 
BjarneDM said:
what result do you get now when running the command from http://www.macosx.com/forums/showpost.php?p=1248379&postcount=47 ?

Let me see your output from : niutil -list . /users
Now, root is the only "System Administrator"

$ niutil -list . /users
11 nobody
12
13 daemon
14 unknown
15 lp
16 postfix
17 www
18 eppc
19 mysql
20 sshd
21 qtss
22 cyrusimap
23 mailman
24 appserver
25 clamav
26 amavisd
27 jabber
28 xgridcontroller
29 xgridagent
30 appowner
31 windowserver
32 tokend
33 securityagent
92 jordan
94
93 root



$ echo -e $( nidump -r /users . | \
> sed -nE -e '/(\{|"uid"|"name"|"realname"|"home"|\})/p' |\
> tr -d '\n' | tr -s ' ' | sed -E 's/ \{/\\n\{/g' \
> )
{ "name" = ( "users" );
{ "name" = ( "nobody" ); "uid" = ( "-2" ); "realname" = ( "Unprivileged User" ); "home" = ( "/var/empty" ); },
{ "name" = ( "daemon" ); "uid" = ( "1" ); "realname" = ( "System Services" ); "home" = ( "/var/root" ); },
{ "name" = ( "unknown" ); "uid" = ( "99" ); "realname" = ( "Unknown User" ); "home" = ( "/var/empty" ); },
{ "name" = ( "lp" ); "uid" = ( "26" ); "realname" = ( "Printing Services" ); "home" = ( "/var/spool/cups" ); },
{ "name" = ( "postfix" ); "uid" = ( "27" ); "realname" = ( "Postfix User" ); "home" = ( "/var/spool/postfix" ); },
{ "name" = ( "www" ); "uid" = ( "70" ); "realname" = ( "World Wide Web Server" ); "home" = ( "/Library/WebServer" ); },
{ "name" = ( "eppc" ); "uid" = ( "71" ); "realname" = ( "Apple Events User" ); "home" = ( "/var/empty" ); },
{ "name" = ( "mysql" ); "uid" = ( "74" ); "realname" = ( "MySQL Server" ); "home" = ( "/var/empty" ); },
{ "name" = ( "sshd" ); "uid" = ( "75" ); "realname" = ( "sshd Privilege separation" ); "home" = ( "/var/empty" ); },
{ "name" = ( "qtss" ); "uid" = ( "76" ); "realname" = ( "QuickTime Streaming Server" ); "home" = ( "/var/empty" ); },
{ "name" = ( "cyrusimap" ); "uid" = ( "77" ); "realname" = ( "Cyrus IMAP User" ); "home" = ( "/var/imap" ); },
{ "name" = ( "mailman" ); "uid" = ( "78" ); "realname" = ( "Mailman user" ); "home" = ( "/var/empty" ); },
{ "name" = ( "appserver" ); "uid" = ( "79" ); "realname" = ( "Application Server" ); "home" = ( "/var/empty" ); },
{ "name" = ( "clamav" ); "uid" = ( "82" ); "realname" = ( "Clamav User" ); "home" = ( "/var/virusmails" ); },
{ "name" = ( "amavisd" ); "uid" = ( "83" ); "realname" = ( "Amavisd User" ); "home" = ( "/var/virusmails" ); },
{ "name" = ( "jabber" ); "uid" = ( "84" ); "realname" = ( "Jabber User" ); "home" = ( "/var/empty" ); },
{ "name" = ( "xgridcontroller" ); "uid" = ( "85" ); "realname" = ( "Xgrid Controller" ); "home" = ( "/var/xgrid/controller" ); },
{ "name" = ( "xgridagent" ); "uid" = ( "86" ); "realname" = ( "Xgrid Agent" ); "home" = ( "/var/xgrid/agent" ); },
{ "name" = ( "appowner" ); "uid" = ( "87" ); "realname" = ( "Application Owner" ); "home" = ( "/var/empty" ); },
{ "name" = ( "windowserver" ); "uid" = ( "88" ); "realname" = ( "WindowServer" ); "home" = ( "/var/empty" ); },
{ "name" = ( "tokend" ); "uid" = ( "91" ); "realname" = ( "Token Daemon" ); "home" = ( "/var/empty" ); },
{ "name" = ( "securityagent" ); "uid" = ( "92" ); "realname" = ( "SecurityAgent" ); "home" = ( "/var/empty" ); },
{ "name" = ( "jordan" ); "home" = ( "/Users/jordan" ); "uid" = ( "501" ); "realname" = ( "Jordan" ); },
{ "uid" = ( "0" ); "home" = ( "/var/root" ); "name" = ( "root" ); "realname" = ( "System Administrator" ); }}
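
A check over the same one-record-per-line layout that the `nidump -r /users .` pipeline in the post above prints, flagging records with a blank name, uids shared by several records, and more than one uid 0 record. This is an added example, not part of any poster's message; the function names and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit NetInfo-style user records, one record per line.

# Constructed sample (not from a real machine): bob shares uid 501 with
# alice, and a nameless record duplicates root's uid 0.
sample_records() {
cat <<'EOF'
{ "name" = ( "users" );
{ "name" = ( "nobody" ); "uid" = ( "-2" ); "home" = ( "/var/empty" ); },
{ "name" = ( "alice" ); "home" = ( "/Users/alice" ); "uid" = ( "501" ); },
{ "name" = ( "bob" ); "uid" = ( "501" ); "home" = ( "/Users/bob" ); },
{ "uid" = ( "0" ); "home" = ( "/var/root" ); "name" = ( "root" ); },
{ "uid" = ( "0" ); "realname" = ( "System Administrator" ); }}
EOF
}

# Reads records on stdin; prints one finding per line, nothing if clean.
audit_users() {
awk '
# Value of property key on the current line, or "" when absent or empty.
function prop(key,    s) {
    if (!match($0, "\"" key "\" = \\( \"[^\"]*\"")) return ""
    s = substr($0, RSTART, RLENGTH)
    sub(/^[^(]*\( "/, "", s)    # strip the leading: "key" = ( "
    sub(/"$/, "", s)            # strip the closing quote
    return s
}
/"uid"/ {                       # the leading quote keeps "generateduid" out
    uid = prop("uid"); name = prop("name")
    if (name == "") { name = "<blank>"; print "BLANK_NAME uid=" uid }
    if (count[uid]++) names[uid] = names[uid] "," name
    else { names[uid] = name; order[++n] = uid }
}
END {
    for (i = 1; i <= n; i++) {
        u = order[i]
        if (count[u] < 2) continue
        tag = (u == "0") ? "MULTIPLE_UID0" : "DUPLICATE_UID"
        print tag " uid=" u " names=" names[u]
    }
}'
}

sample_records | audit_users
```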
 
Well it's not so simple to change the password of any user in 'Netinfo Manager' as Mac OS X is using shadowed passwords. There is a way, but it's rather convoluted, and if you can use 'Netinfo Manager' you can also use 'sudo passwd' in 'Terminal' which is way simpler :)

Having said that, if you replace the 'generateduid' of one user with the 'generateduid' of another, they get the same password. I suppose this could be used as a way of setting up several users with the exact same password (change one and all are changed - it's working), but it seems to give problems: in the 'Fast User Switching' menu you'll still have all the users present, but in the login window only one of these users will be present.
 
hmmm ...

I must confess I don't understand why you are still getting those two empty names. They might or might not disappear after a reboot, but if you get the message that they don't exist, I guess they don't hurt !

But it seems as if you've successfully gotten rid of your duplicate "System Administrator"s, so congratulations. So, are you back at getting the correct prompt when 'sudo -s' ?
 
BjarneDM said:
hmmm ...

I must confess I don't understand why you are still getting those two empty names. They might or might not disappear after a reboot, but if you get the message that they don't exist, I guess they don't hurt !

But it seems as if you've successfully gotten rid of your duplicate "System Administrator"s, so congratulations. So, are you back at getting the correct prompt when 'sudo -s' ?

that works now too!
% sudo -s
Password:
:~ root# whoami
root
:~ root#
 
Phew ... finally ::ha::

Now (putting on my best imitation of A Stern School Master), I do hope, my dear Sir, that you've learned something from this whole sordid tale ::evil:: Otherwise, you'll have to read the whole thread ten times in a row and do a written disposition in front of the class tomorrow ::evil::

Now, go to the blackboard and write 100 times:
I will never ever again try to modify my root account in 'Netinfo Manager' - I do so solemnly promise !!!

:) :) :) :) :)
 
BjarneDM said:
Phew ... finally ::ha::

Now (putting on my best imitation of A Stern School Master), I do hope, my dear Sir, that you've learned something from this whole sordid tale ::evil:: Otherwise, you'll have to read the whole thread ten times in a row and do a written disposition in front of the class tomorrow ::evil::

Now, go to the blackboard and write 100 times:
I will never ever again try to modify my root account in 'Netinfo Manager' - I do so solemnly promise !!!

:) :) :) :) :)

lol, thanks man, this is the best help i've ever gotten when it comes to anything related to unix
 
starboardman said:
lol, thanks man, this is the best help i've ever gotten when it comes to anything related to unix

I'm waiting for the next person to come along with a difficult problem so we can have another lesson. I've never had a Unix box to play on before so I kind of follow along on my own machine. I don't think I'll do something dumb though and break the system on purpose, I'll leave that to others.

:p
 
BjarneDM said:
Phew ... finally ::ha::

Now (putting on my best imitation of A Stern School Master), I do hope, my dear Sir, that you've learned something from this whole sordid tale ::evil:: Otherwise, you'll have to read the whole thread ten times in a row and do a written disposition in front of the class tomorrow ::evil::

Now, go to the blackboard and write 100 times:
I will never ever again try to modify my root account in 'Netinfo Manager' - I do so solemnly promise !!!

:) :) :) :) :)

Glad to see that you were able to solve his problem.
 
simbalala said:
I'm waiting for the next person to come along with a difficult problem so we can have another lesson. I've never had a Unix box to play on before so I kind of follow along on my own machine.
Well, if you are interested in that kind of thing then you might be interested in the three threads I've started :)
 