Mac OS X Secrets

As far as the classic Mac OS is concerned, a user is a user is a user. But the Unix core of Mac OS X introduces different user levels. At the top of the heap in every Unix system is a single, all-powerful superuser --also named root (after the topmost directory of the Unix file system). If you have root access, you have ultimate power: you can alter or delete any file or folder in that system.

Why Root Access?

First, let's back up for a minute. A user who is designated as an administrator can adjust system preferences (such as the network address), update the OS, and roam almost unhindered throughout that system.

But sometimes almost doesn't cut it. For Unix omnipotence, you want to act as root. For example, you may want to adjust some settings that Apple put out of the reach of administrators--such as some system-configuration files or the built-in Apache Web server (see Mac OS X Secrets, August 2001). Or perhaps you want to install some Unix software before Aqua-friendly installers become available. Or maybe you just can't stand not having absolute control over your operating system.

Whatever your reasons, root access is only a few short commands away.

Words of Caution

Apple doesn't tell you how to enable your root account in OS X--for good reason. As root, you can delete your entire file system in fewer than ten keystrokes. And logging in to your root account opens up your system to the security vulnerability inherent in any Unix system. If someone cracks your root password, for example, your machine can be taken over remotely. But if your root account is not enabled in the first place--as in the default Mac OS X installation--there's a much smaller chance of that happening.

Some Mac users may think they need to enable their Mac OS X machine's root account to do anything serious, but that's just not true. We will show you an alternative that allows you to act as root while keeping your root account disabled, thus protecting against typical network-based attacks.

But root access--even if you don't enable the root account--is risky. To see where you can do the most damage when you gain root access, enter this command in Terminal: ls /. You'll see the folders in the root directory of the file system, including the same folders that you see via the Finder: Applications, Library, System, and Users. But you can also see directories that the Finder does not show, such as bin, etc, and usr. As the superuser, you could recklessly delete files in these hidden directories, unwittingly circumventing the file-access permissions that would otherwise keep you from harming them. Damaging these files can wreak havoc with your system, potentially even keeping it from booting up. And in Unix, there is no undo command.

Using the Sudo Command

The Unix directive you need to execute commands as root is sudo (pronounced soo -doo), which stands for "superuser do." (Type man sudo in the command line to read more information about sudo than you'll ever need.) To use sudo, you must be logged in as an administrator of the system.

To execute a single command as the superuser, insert sudo and a space in the command line, before the Unix command that you want to issue. For example, you can use this command to make user jsmith the owner of the file test.html:

sudo chown jsmith test.html

When you invoke sudo, you'll be asked for a password. Enter the password for your administrator account. Even though you're already logged in as that user, you need to enter your password again (for security reasons). Once you've done so, you have a short time (five minutes by default) during which you can issue other commands using sudo without having to reenter a password.

When issuing a series of commands as root, you might get tired of repeatedly entering sudo. Or perhaps you want to run a shell script--a file that, when executed by root, issues a series of Unix commands. You can get root access for as long as you like by invoking sudo -s. To end a superuser session before the power goes to your head, type exit.

Example: Run CGI Sample Scripts

Now you'll want to try out your superuser status. Let's say you want to run the two CGI scripts, printenv and test-cgi, that Apple includes with OS X for use with Apache. However, as installed, they don't work because the file permissions are set incorrectly. To briefly explain, Apache is con-figured to run CGI scripts that are stored in the folder /Library/WebServer/CGI-Executables, as long as the script files are marked as executable (the demo script files aren't). To reset these permissions, issue the following consecutive commands in Terminal:

cd /Library/WebServer/CGI-Executables

sudo chmod a+x printenv test-cgi

Assuming that you've turned Web sharing on via the Sharing panel of System Preferences, you can now run the two sample CGI scripts by entering these URLs in your Web browser:

http://localhost/cgi-bin/printenv

http://localhost/cgi-bin/test-cgi

Example: Edit Message of the Day

You may also need to assume the mantle of superuser to edit files in the usr, bin, etc, and other hidden directories, but you alter them at your own risk. When you're ready to try it out, one file you can edit with some degree of abandon is the message of the day file in /etc/motd, which is accessible via the command line. The message of the day appears when a remote user logs in to your system from a terminal interface. By default, the Mac OS X message of the day is "Welcome to Darwin!"

To make that message a little more exciting, you can edit /etc/motd with a Unix editor such as pico or vi. The command vi /etc/motd or pico /etc/motd will let you open the file only as read-only. However, if you "sudo" the editing command, you'll be able to save a more informative message, such as "Welcome to Dave's Mac OS X. The system will be down tomorrow for maintenance."

To edit the message of the day or other Unix preferences files via TextEdit instead of pico or vi, drag the TextEdit icon on top of the icon for the shareware application Pseudo ($15; personalpages.tds.net/~brian_hill/pseudo.html ). You can find more information about Pseudo in "Mac OS X First Aid," elsewhere in this issue.

Example: Install Unix Software

Finally, here's a more complex situation: installing Unix software for which a complete, user-friendly Aqua installer has not yet been created. Perhaps you want to install the free MySQL database to go along with your Apache Web server. There isn't a Mac OS X-compiled version available for download from the MySQL Web site, but a Web search turns up (among other choices) Marc Liyanage's Web page ( www.entropy.ch/software/macosx ), where you can download MySQL compiled for Mac OS X.

Without root access, it is impossible to install this piece of software. An Aqua installer handles most of the dirty work, but the instructions do call for a handful of commands to be run with sudo. (The commands are listed on Liyanage's Web page.)

The Bottom Line

There is rarely a need, or a good reason, for OS X users-even those who have above-average skills--to enable the root account. In fact, there are excellent reasons not to enable it--especially since the sudo command allows you to wield the power of root access throughout your system.As our examples demonstrate, sudo gives you the ability to configure (or confound) Mac OS X at its most fundamental level.

DAVID L. HART is a science and technology writer and the author of Mac OS X Web Server Handbook (Prentice Hall PTR, 2001) and The Cross-Platform Mac Handbook (Prentice Hall PTR, 2000).

The Root of the Matter: By typing ls / at the command-line prompt, you can see a list of the folders at your machine's root level (you can't seem them via the Finder) and change permissions using sudo.
1 2 Page 1
Shop Tech Products at Amazon