[nycbug-talk] A couple of security related questions

Isaac Levy ike
Mon Oct 4 11:56:42 EDT 2004

Hi All,

A Darwin Tangent on this topic- sudo rocks,

On Oct 4, 2004, at 11:34 AM, Dave Steinberg wrote:

> chmod 500 /usr/bin/su
> And use caution with your sudoers file to make sure nobody can do 
> 'sudo ksh' or use sudo to launch anything that can execute shell 
> commands (vi, emacs, etc).

Darwin, by default, does not allow any user to directly su to root, 
from a console, or otherwise.  The root user 'is not enabled', and 
therefore all root level access control is done via sudo.  (the system 
root user has no password)

Here's Apple's current official word on the subject:

Here's some info on how to bypass this idea and enable root for your 
Darwin box:

That stated, it is basically manditory that users with root priviliges 
use 'sudo csh' or 'sudo ksh' or 'sudo bash' or whatever shell, to get a 
full root shell- but of course, this is strongly discouraged.  I 
personally feel this has been a strong positive decision from the 
Darwin teams, made early on, insomuch as it requires application and 
system design to adhere to sudo usage, which in the end, can be a MUCH 
safer and saner way of working.
In the early days of Darwin, enabling root was somewhat necessary, but 
after years of working with sudo now, I much prefer this way of 
working, and don't enable root login via su on any mac I touch- desktop 
or server.
I have also somewhat implemented this sort of policy once on a FreeBSD 
server, with ok success.  (by making the root shell /sbin/nologin )

With regard to root login, all you need to know for the ssh daemon is 
in it's config file, usually in /etc/sshd_config .


More information about the talk mailing list