Comments
Originally posted by running with scissors
if root has not been enabled in os x 10.3 server, can someone access/enable it without an admin user/pass? my understanding was that you can't. is that correct? thanks.
No, you cannot access any version of MacOS X 10.3 with an administrative password. However, you may start up the computer in single-user mode without any password at all. For that, you need physical access to the machine. Also, single-user mode is strictly command-line BSD. You cannot use the GUI.
I feel like I just got two snippets of two different conversations.
rts: One always needs a login/password to access any MacOS X machine remotely. It doesn't matter if it is a root account, or a user restricted to Simple Finder, you still need that login/password. If you're asking if someone can access the *root account*, then no. If it hasn't been activated, it hasn't been activated. You still can't access it if you have an admin account - admin accounts are hybrid beasts, with some but not all of root's capabilities, and are different than having full powers of the root account.
Mr. Me: You are correct that one can always boot into single-user mode and bypass any login requirement if one has physical access to the machine... but of course if one has that, one can just pop out the hard drive, place it in another machine, and get the files that way. The assumption is that you can never completely secure a machine against someone sitting at it, short of hardware modifications.
Originally posted by Kickaha
...admin accounts are hybrid beasts, with some but not all of root's capabilities, and are different than having full powers of the root account.
I thought that the sudo command gives admin accounts full root power (after providing of course the admin password so that sudo can be executed), at least temporarily.
For all intents and purposes, for specific commands to be executed, yes, admin + sudo will get the job done as root.
It's not *quite* the same as having root exposed for security purposes though.
Originally posted by PB
I thought that the sudo command gives admin accounts full root power (after providing of course the admin password so that sudo can be executed), at least temporarily.
Also of interest:
sudo capabilities are configurable down to specific user ids and executables.
(Not that I'm geek enough to do that on my home desktop)
If you have a program that parses commands then put a sticky bit on it and give it 555 permission and you have a backdoor to the machine without using a password.
Dobby.
Originally posted by dobby
You could also sudo passwd root enter your login pwd and change the root passwd then su - and you have root access.
If you have a program that parses commands then put a sticky bit on it and give it 555 permission and you have a backdoor to the machine without using a password.
Well except for the password to use the account that has been given sudo permission in the first place... so you don't really gain anything.
This only works if you are allowed to sit down at a machine that is already logged in as admin, *and* they've used sudo within the past 5 minutes. Also, your password change would be logged.
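An added example, not part of any post in this thread: a defender-side audit for the permission-bit backdoor discussed above. It assumes the bit that matters is setuid or setgid on an executable; the function names and the allowlist file are hypothetical.

```shell
#!/bin/sh
# Added example: find files carrying the setuid/setgid bit and report the
# ones that are not on a reviewed allowlist (one absolute path per line).

# find_setid DIR
# Print every regular file under DIR with the setuid (4000) or setgid (2000)
# bit set. -xdev keeps the scan on one filesystem.
find_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# unlisted_setid DIR ALLOWLIST
# Print "<mode> <owner> <path>" for each finding that is NOT in ALLOWLIST.
# A root-owned entry in this output is a program that runs with root's
# privileges for whoever executes it, with no password prompt.
unlisted_setid() {
    scan_dir=$1
    allowlist=$2
    find_setid "$scan_dir" | while IFS= read -r path; do
        # -F fixed string, -x whole line: exact path match only
        if ! grep -Fxq -- "$path" "$allowlist"; then
            # ls -ld prints mode in field 1 and owner in field 3 on both
            # macOS and Linux, so no platform-specific stat(1) is needed.
            meta=$(ls -ld "$path" | awk '{print $1, $3}')
            printf '%s %s\n' "$meta" "$path"
        fi
    done
}

# Stand-alone use: ./audit.sh /usr /etc/setid.allow
# With no allowlist given, every setuid/setgid file is reported.
if [ "$#" -ge 1 ]; then
    unlisted_setid "$1" "${2:-/dev/null}"
fi
```

Build the allowlist from a known-good install and diff later runs against it; any new line is a file to account for.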
Originally posted by dfiler
Also of interest:
sudo capabilities are configurable down to specific user ids and executables.
(Not that I'm geek enough to do that on my home desktop)
Oh no. Me neither.
Originally posted by Kickaha
Well except for the password to use the account that has been given sudo permission in the first place... so you don't really gain anything.
This only works if you are allowed to sit down at a machine that is already logged in as admin, *and* they've used sudo within the past 5 minutes. Also, your password change would be logged.
Quite, I've not currently seen a successful way to gain root priv without being at the console (apart from snooping the ip and waiting for someone to log in via ftp or telnet with an admin login etc).
Remember in 10.0 or 10.1 where you opened netinfo (can't remember if authentication was required) then a terminal window and your terminal window had root access. Again I'm pretty sure you needed an admin passwd in the first place.
Dobby.
Andrew
Originally posted by SquidThing
I think Cocktail can start up in single user mode with GUI.
Andrew
I don't think it is possible to run the GUI in single-user mode. Most certainly your link does not say that it is possible to do so.
Originally posted by Mr. Me
I don't think it is possible to run the GUI in single-user mode. Most certainly your link does not say that it is possible to do so.
Oh, sorry, I should have read the post more carefully, I thought you just meant a way to switch to single user mode using the GUI. You're right though, as I discovered this morning - for people who aren't that command-line-savvy it's best not to start up in single user mode in the first place.
Andrew