Problem with enabling/disabling root user

simX

Unofficial Mac Genius
Before anyone says anything, yes, I am entirely aware of the risks of enabling the root user, and that's why I intended to disable it after I was finished working with it. (Unfortunately, the only easy way to set the keyboard layout of the login window is to enable root user, change the keyboard layout of the root user, and then log out and disable the root user. Using the Setup Assistant again isn't an option because it requires you to go through all the other options as well.)

Normally I enable the root user through the NetInfo Manager utility, log in as root, do what I need to do, and then log out and disable the root user through the NetInfo Manager again. Unfortunately, on one of my iMacs (bondi blue, 233 MHz Rev. A), the NetInfo Manager didn't do anything when I selected the "Enable Root User" menu item. It would prompt me for my administrator password, but then would never actually enable the root user. Finally I got fed up, and just went to the terminal and used the "sudo passwd root" command to enable it manually.

Bad idea. Now the root user is stuck on. The NetInfo Manager application still simply has an "Enable Root User" menu item, and it still doesn't do anything when I try to select it -- it authenticates me, then does nothing. (If the root user is already enabled, the "Enable Root User" menu item changes to "Disable Root User".)

So now my root user is stuck enabled. It's not a big security risk since it's behind a firewall anyway, but I'd rest easier if it were disabled. Does anybody know why this problem with the NetInfo Manager is happening and how to fix it? Alternatively, does someone know how to disable the root user from the command line? Any help would be much appreciated.

(Also, of note, is the fact that my 800 MHz 17" G4 iMac does not have this problem -- the NetInfo Manager application enables and disables the root user fine. My bondi blue iMac has all the latest updates and is running Mac OS X Panther version 10.3.4.)
 
Hm... Under OS X 10.2 and below, I'd know what to do, but I'm not familiar with the shadow password scheme that 10.3 uses. Compare though:

$ niutil -read . /users/mark
...
authentication_authority: ;ShadowHash;
...
passwd: ********
...
$ niutil -read . /users/postfix
...
passwd: *
...
(there is no authentication_authority field)

So, maybe on the iMac that doesn't have the problem, enable and disable root, and compare the netinfo listing via niutil with it on and off. Then try making the changes by hand with niutil on the other one.
 
scruffy said:
Hm... Under OS X 10.2 and below, I'd know what to do, but I'm not familiar with the shadow password scheme that 10.3 uses. Compare though:

$ niutil -read . /users/mark
...
authentication_authority: ;ShadowHash;
...
passwd: ********
...
$ niutil -read . /users/postfix
...
passwd: *
...
(there is no authentication_authority field)

So, maybe on the iMac that doesn't have the problem, enable and disable root, and compare the netinfo listing via niutil with it on and off. Then try making the changes by hand with niutil on the other one.

I got some recommendations from other places to simply change the root password as shown in NetInfo Manager to '*', which simply means a blank password. Then the NetInfo Manager can enable/disable root normally, supposedly. What's weird is that I did this, and NetInfo Manager does seem to be able to disable/enable root (the menu item changes from "Enable Root User" to "Disable Root User", and it actually asks me to put in a non-blank root password). But none of the changes done in NetInfo Manager seem to take effect -- even though NetInfo Manager says root is disabled, or that the password is blank, the ACTUAL root user is always still enabled and always retains the original password that I entered when I first used the "sudo passwd root" command.

So it seems that the NetInfo Manager app doesn't seem to actually be connected to the real NetInfo database on my bondi blue iMac, while it is on my 17" iMac. It looks like I'll have to find a solution that doesn't involve NetInfo Manager, or else I need to reconnect the database to the app somehow.
 
Is the line
authentication_authority: ;ShadowHash;
still there for the root user?

Because that instructs netinfo to look elsewhere for the password - a shadow file that's not accessible to regular users - presumably ignoring the password that's set in the user-visible netinfo database. Deleting that line might be necessary also. As I said, I'm not familiar with the shadow scheme used in OS X; in most Unix OS's those passwords are found in /etc/shadow but that's not present on a Mac.
 
scruffy said:
Is the line
authentication_authority: ;ShadowHash;
still there for the root user?

Because that instructs netinfo to look elsewhere for the password - a shadow file that's not accessible to regular users - presumably ignoring the password that's set in the user-visible netinfo database. Deleting that line might be necessary also. As I said, I'm not familiar with the shadow scheme used in OS X; in most Unix OS's those passwords are found in /etc/shadow but that's not present on a Mac.

The only thing that seems to be different after enabling the root user is that its password doesn't have an asterisk in front of it. That is, when disabled, it says something like "*3cte7302bjwpc49", whereas when it is enabled, it says "3cte7302bjwpc49". But putting an asterisk in front of the password on the bondi blue iMac doesn't do anything -- just like the other recommendations, it seems like doing anything in NetInfo Manager doesn't actually affect the root account for some reason.
 
scruffy, you were right. The "authentication_authority" property simply needed to be deleted from the root user. It turns out that if you have an "authentication_authority" property for the root user in the NetInfo database (use NetInfo Manager to easily check), then the root user will not be disabled. Deleting this property (and then checking the NetInfo Manager utility to make sure the Security menu says root is disabled) will properly disable the root user.

I tested out doing the "sudo passwd root" command in the Terminal, and guess what? It enters an "authentication_authority" property for the root user when changing the root user's password. So this explains the whole problem. (It's likely that changing the root user's password via System Preferences when actually logged in as root will also do the same thing.) Note that these methods also introduce a "generateduid" property in the root user -- for good measure, you should make sure your root user doesn't have that property either.

Moral of the story: either 1) use a utility like Pseudo to change the root user's System Preference settings, or 2) always use the NetInfo Manager utility to enable or disable the root user.
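
The checks described in the post above, written as a small audit over a `niutil -read . /users/root` listing. This is an added example, not part of the original thread; the function name `audit_root_record` and all sample records are constructed for illustration, and the rules encode only what the thread reports (the `authentication_authority` and `generateduid` properties, and the leading asterisk on `passwd`).

```shell
#!/bin/sh
# Added example: audit a root user record dumped with
#   niutil -read . /users/root
# All sample records below are constructed for illustration.

# Reads "key: value" lines on stdin, prints one FINDING line per problem,
# returns 0 when the record looks disabled and 1 otherwise.
audit_root_record() {
    awk '
        /^authentication_authority:/ { auth = 1 }
        /^generateduid:/             { guid = 1 }
        /^passwd:/ { pw = $0; sub(/^passwd:[ \t]*/, "", pw) }
        END {
            bad = 0
            # Thread finding: with this property present, root stays enabled.
            if (auth) { print "FINDING authentication_authority is set"; bad = 1 }
            # Thread finding: added alongside it by "sudo passwd root".
            if (guid) { print "FINDING generateduid is set"; bad = 1 }
            # Thread observation: a disabled root has passwd starting with "*".
            if (substr(pw, 1, 1) != "*") {
                print "FINDING passwd is missing or does not start with *"; bad = 1
            }
            if (!bad) print "OK root record looks disabled"
            exit bad
        }'
}

# Constructed: root after "sudo passwd root" (the stuck state in the thread).
STUCK='name: root
authentication_authority: ;ShadowHash;
generateduid: CONSTRUCTED-PLACEHOLDER-UID
passwd: ********
uid: 0'

# Constructed: root enabled, no shadow hash (passwd lacks the leading "*").
ENABLED='name: root
passwd: CONSTRUCTEDHASH
uid: 0'

# Constructed: root disabled.
DISABLED='name: root
passwd: *CONSTRUCTEDHASH
uid: 0'

for rec in "$STUCK" "$ENABLED" "$DISABLED"; do
    printf '%s\n' "$rec" | audit_root_record || :
    echo "--"
done
```

On a 10.3 machine the live record can be piped in with `niutil -read . /users/root | audit_root_record`.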
 
Interesting thread...

I enabled my root user eons ago back in OS X 10.0 the manual way (before Netinfo had the GUI way). I've done an update for every version since then and mine is in the same state that simX described. I know I've changed my password at the command line too.
 
Looks like they fixed this in the 2004-12-04 Security Update:

http://docs.info.apple.com/article.html?artnum=61798 said:

NetInfo Manager
Available for: Mac OS X v10.3.5 and Mac OS X Server v10.3.5
CVE-ID: CAN-2004-0924
Impact: Incorrect indication of account status
Description: The NetInfo Manager utility can enable the "root" account, but after a single "root" login it is no longer possible to use NetInfo Manager to disable the account and it incorrectly appears to be disabled.
 
Actually, this was fixed in the "Security Update 2004-09-30" update which was released on October 4, as the page you linked to specifies. :)
 