major *root* concerns

X Rocks

Registered
First: commands using "sudo" require a different password than root in the login window at startup. Big problem.

:mad: Second: this is the thing that really gets on my nerves and I have NO idea what the problem is. I can't remove ("rm") a file in Terminal using sudo, and I can't switch users to root in the terminal anymore. The latter may be a X.1 thing but I hadn't heard anything about it.

I've been working on the problem for several hours off and on. I've started up with the boot disk and changed the root password that way, but to no avail. I changed it in NetInfo Manager, and a few other minor options.
 

blb

Originally posted by X Rocks
First: commands using "sudo" require a different password than root in the login window at startup. Big problem.
Actually, this is exactly how sudo is supposed to work; this way, other non-root types can have limited access, through sudo, to do root-level items, without compromising the root password, by instead using the user's own password. You control who can do what via the sudoers file (in /etc, but use the visudo command to change). By default, Mac OS X gives full root access to all administrator-level users.

:mad: Second: this is the thing that really gets on my nerves and I have NO idea what the problem is. I can't remove ("rm") a file in Terminal using sudo, and I can't switch users to root in the terminal anymore. The latter may be a X.1 thing but I hadn't heard anything about it.

I've been working on the problem for several hours off and on. I've started up with the boot disk and changed the root password that way, but to no avail. I changed it in NetInfo Manager, and a few other minor options.
The biggest problem that's been experienced with being unable to remove a file (even as root) is if it is tagged as immutable. First run chflags nouchg <filename> against the file, then try to remove it.
As far as having problems switching to root, is this by doing an su? If so, you need to be a member of the wheel group to do this. You can also, however, use sudo -s or sudo tcsh (or whatever shell) to get a root shell.
 

blb

Originally posted by testuser
blb,

Could you please explain what types of limits can be imposed through the /etc/sudoers file, and perhaps give some examples of these modifications?
If you want the whole, gigantic description of all you can do with sudoers, see its manpage (that thing is quite large).

In a nutshell, you can do things based on a user's group (which is what OS X does now, you should see a line beginning with %admin, which is anyone in that group), or just specific users. If you want user joe to just be able to, for example, start and stop Apache on the command line, you could do:

joe ALL=(root) /usr/sbin/apachectl

You can also be more specific; say you only want joe to be able to start it, but nothing else:

joe ALL=(root) /usr/sbin/apachectl start

One other thing is you have control over who the eventual program is run as. Usually, that's root, but you can allow joe to run some program as user jane:

joe ALL=(jane) /Users/jane/bin/someprogram

If you note my example for the apachectl, I specified only root, so if joe tried something like sudo -u jane apachectl start it wouldn't work.

In some cases, the option to not have to even use a password can be useful; this looks like,

joe ALL=(root) NOPASSWD:/usr/sbin/apachectl start

Now, when joe runs sudo apachectl start it won't ask for his password.

Again, if you have plenty of spare time and motivation, the sudoers manpage covers tons of stuff... probably more than anyone needs, but at least it's there.
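As an added example (not code from the thread or from sudo itself), here is a simplified matcher for the rule forms blb shows above: it parses user lines of the shape `who hosts=(runas) [NOPASSWD:]command [args]` and answers whether a given user may run a command as a given target user, and whether a password is needed. It assumes the host list is ALL and leaves out aliases, wildcards and Defaults that real sudo supports; the sudoers fragment inside it is constructed from the rules discussed in this post.

```python
import shlex
from dataclasses import dataclass
@dataclass
class Rule:
    who: str        # user name, or %group for everyone in that group
    runas: str      # user the command may run as ("ALL" = any user)
    nopasswd: bool  # NOPASSWD: tag present
    argv: list      # command path plus any fixed arguments; ["ALL"] = any command

def parse_sudoers(text):
    """Parse lines of the form: who hosts=(runas) [NOPASSWD:]command [args]."""
    rules = []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        who, rest = line.split(None, 1)
        spec = rest.split("=", 1)[1].strip()  # host list before '=' is ignored (assumed ALL)
        runas = "root"                        # sudo's default when no (runas) is given
        if spec.startswith("("):
            close = spec.index(")")
            runas, spec = spec[1:close], spec[close + 1:].strip()
        nopasswd = spec.startswith("NOPASSWD:")
        if nopasswd:
            spec = spec[len("NOPASSWD:"):].strip()
        rules.append(Rule(who, runas, nopasswd, shlex.split(spec)))
    return rules

def decide(rules, user, groups, runas, argv):
    """Return 'denied', 'password' or 'nopasswd'; like sudo, the last matching rule wins."""
    result = "denied"
    for r in rules:
        members = groups if r.who.startswith("%") else [user]
        if r.who.lstrip("%") not in members:
            continue
        if r.runas not in ("ALL", runas):
            continue
        if r.argv != ["ALL"]:
            if r.argv[0] != argv[0]:
                continue
            if len(r.argv) > 1 and r.argv[1:] != argv[1:]:  # bare path permits any args
                continue
        result = "nopasswd" if r.nopasswd else "password"
    return result

# Constructed sudoers fragment built from the rules discussed in the thread.
SUDOERS = """
%admin  ALL=(ALL) ALL
joe     ALL=(root) NOPASSWD:/usr/sbin/apachectl start
joe     ALL=(jane) /Users/jane/bin/someprogram
"""
```

Running `decide(parse_sudoers(SUDOERS), "joe", [], "jane", ["/usr/sbin/apachectl", "start"])` returns `'denied'`, which is blb's `sudo -u jane apachectl start` case, while the same command as root returns `'nopasswd'`.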
 

jimr

McInstigator
Originally posted by testuser
Thanks a lot blb. That tip about the NOPASSWD is worth its weight in gold; now I can happily restart Apache with even less effort (I already have an alias for this).

I'll have some fun man reading this evening!
don't do that unless you and your computer are behind closed and locked doors....

in fact all of the "local" security issues fit in this category.

there are many "shortcuts" that can be taken when you are the guaranteed only user.

the problem is that if you establish a pattern of operation while alone, you will have problems when confronted by professional situations. If that is ever your intention.

any sudoer description with the NOPASS flag is essentially equivalent to root.

speaking of locks.....

one of the reasons that files may not be deleted even by Root is that occasionally, a file has a finder flag of locked.

so if you get info in the finder... you see a little checkmark on the locked...button

only on Mac OS X.....
 