MAC OS X tiger help for a Windows technician

Karl Kuehn larkost at softhome.net
Thu Jun 14 13:43:14 PDT 2007


On Jun 14, 2007, at 4:18 PM, Dan Shoop wrote:

> And since he can't do that since he doesn't have access to an admin  
> account how do you propose he get that done?

	... and how do you propose that he turn on root then? Same issue.  
Both of us should have mentioned that you can change a password with  
the password change tool when booted off the install DVD. That is what  
is really going to solve this.

> As for this "never login as root or have root enabled" myth, get  
> over it. If you're too feeble as a sysadmin to work in a root  
> environment find another job. One where you ask about fries.

	Are you intentionally being rude? Does this really work for you? Do  
you really think it is appropriate on a public forum? Do you really  
think it brings the conversation any further?

	"too feeble"? I think of it as more cautious, and working in an  
environment where your work should leave an audit trail. I know I  
make mistakes, and having to put "sudo" in front of my commands at  
least gives me a little more time to think. I have found that most of  
the time I would have made a big mistake I also forgot to put "sudo"  
in front of things. Thus not being root has saved me from myself.

> If you're concerned that someone other than you will guess your  
> root password and login then you need to find someone else to be  
> your security manager b/c you clearly have no clue. You can have  
> root enabled, just like it is on millions of systems worldwide, and  
> still be secure. Well, maybe you can't but the real sysadmins and  
> security managers can.

	Rather than insulting people because they don't agree with you, you  
could put out reasonable arguments. For example I could point out  
that most of the SSH scripts (and any other takeover kit) aim at  
'root' as one of their dictionary attacks. If you

	And "real sysadmins", as in the ones on big boxes (Solaris ones)  
generally don't even know the root password. That is a random string  
that is printed out and put in a safe, just in case. They all use  
some variant of delegated admin rights... just like I am proposing. I  
do have to admit that certain OS's (Suse) fail to do this... but that  
is an annoyance to "real admins" like me.

	If there ever is a compromise, then I want to be able to revoke a  
single account. And if I have done my job correctly then that account  
only has a limited number of privileges. Then I can take my time  
figuring out if I have to re-create the system from scratch. You  
can't revoke root (note I am not talking about the password).

--
		Karl Kuehn
			larkost at softhome.net


More information about the MacOSX-admin mailing list
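
Two points from the message above, the audit trail that sudo leaves and the way SSH password guessing targets 'root', can be checked against a host's own logs. The following Python is an added example, not part of the original post; the log lines are constructed samples in the usual sshd and sudo syslog formats, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines (not from a real host) in the usual sshd and sudo syslog formats.
SAMPLE_LOG = """\
Jun 14 13:01:02 host sshd[411]: Failed password for root from 203.0.113.5 port 40112 ssh2
Jun 14 13:01:04 host sshd[411]: Failed password for root from 203.0.113.5 port 40113 ssh2
Jun 14 13:01:07 host sshd[412]: Failed password for invalid user admin from 203.0.113.5 port 40120 ssh2
Jun 14 13:01:09 host sshd[413]: Failed password for root from 198.51.100.9 port 51877 ssh2
Jun 14 13:05:40 host sudo:     karl : TTY=ttys000 ; PWD=/Users/karl ; USER=root ; COMMAND=/usr/sbin/diskutil list
Jun 14 13:06:12 host sudo:    alice : TTY=ttys001 ; PWD=/Users/alice ; USER=root ; COMMAND=/bin/launchctl list
Jun 14 13:07:30 host sudo:     karl : TTY=ttys000 ; PWD=/Users/karl ; USER=root ; COMMAND=/usr/bin/dscl . -list /Users
"""

# "invalid user" appears when the guessed account does not exist on the host.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
# sudo records the invoking user, the target user and the full command line.
SUDO_RE = re.compile(r"sudo:\s+(\S+) : .*?USER=(\S+) ; COMMAND=(.+)$")


def failed_logins_by_target(log):
    """Count failed SSH password attempts per targeted account name."""
    counts = Counter()
    for line in log.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def sudo_audit_trail(log):
    """Map each invoking user to the commands they ran through sudo."""
    trail = {}
    for line in log.splitlines():
        m = SUDO_RE.search(line)
        if m:
            invoker, _run_as, command = m.groups()
            trail.setdefault(invoker, []).append(command)
    return trail


if __name__ == "__main__":
    for account, n in failed_logins_by_target(SAMPLE_LOG).most_common():
        print(f"{n:3d} failed SSH logins targeting {account}")
    for invoker, commands in sudo_audit_trail(SAMPLE_LOG).items():
        print(f"{invoker}: {commands}")
```

Commands run from a direct root login would not appear in the per-user trail at all, since there is no invoking account for sudo to record.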