Sunday, July 12, 2015

How to Enable & Disable root User from Command Line in OS X


Though most advanced Mac users will find it easiest to enable root with Directory Utility from the GUI of OS X, another option is to turn to the command line. No, we’re not talking about using sudo or su, we’re talking about enabling the actual root user account, which can be appropriate for some complex situations.

For those who are familiar with the Terminal and comfortable with command line syntax, enabling the root user account in OS X from the command line may even be easier than doing so from the Directory Utility application, as there are fewer steps necessary to both enable and disable the root user account, either widely or on a per-user basis. This is also advantageous in that it can be enabled remotely via SSH on any Mac that can be connected to.

It’s very important to point out that enabling the root user account is only for advanced users who understand when and why it may be necessary to have universal superuser privileges. This is rarely necessary for anything beyond systems administration or troubleshooting some particularly advanced and complex issues; for the vast majority of situations, simply using sudo or launching a GUI app as root is sufficient.

If you do not know what you’re doing, do not enable the root user account, and do not use the root user account. Because the root user has universally privileged access to everything in OS X, it’s quite easy to mess something up, and leaving the account active can lead to a security risk. This is truly only for advanced Mac users.

Enable root User Account from the Command Line of OS X with dsenableroot

A simple command line tool appropriately called ‘dsenableroot’ will quickly enable the root user account in OS X. In its simplest form, type ‘dsenableroot’ into the Terminal prompt, enter the user’s password, then enter and verify a root user password.

% dsenableroot
username = Paul
user password:
root password:
verify root password:
dsenableroot:: ***Successfully enabled root user.

When you see the “dsenableroot:: ***Successfully enabled root user.” message, you know the root user has been enabled with the password that was just defined.

If you wish, you can also enable the root user on a per user account basis by specifying the -u flag:

dsenableroot -u Paul


Replacing ‘Paul’ with any user name that is on the specific Mac will work.

Of course, once you’re done with the root user, you may wish to disable root account access as well.

Disable Root User Account from the Command Line in OS X

Passing the -d flag to the same dsenableroot command string will disable the root user universally, like so:

% dsenableroot -d
username = Paul
user password:
dsenableroot:: ***Successfully disabled root user.

The message “dsenableroot:: ***Successfully disabled root user.” indicates the root account is now disabled.

Similar to enabling a specific user, you can also disable for a specific user with the -d and -u flags:

dsenableroot -d -u Paul

This may be appropriate for a situation where a particular user account no longer requires root account privilege.

Generally speaking, leaving the root user account disabled is a good idea.
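
To confirm that the root account really is disabled after running dsenableroot -d, the account record can be read with dscl. The script below is an added example, not part of the original post; it assumes that a disabled root account has no AuthenticationAuthority attribute (dscl then prints "No such key") and that an enabled one lists a ShadowHash entry. The function names and the sample outputs in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example: report whether the OS X root account is enabled.
# Assumptions (not from the original post): a disabled root account has no
# AuthenticationAuthority attribute, so dscl prints "No such key"; an enabled
# one lists a ShadowHash entry. Anything else is reported as "unknown" so a
# failed read is never mistaken for a disabled account.

# Classify the text printed by:
#   dscl . -read /Users/root AuthenticationAuthority
root_state() {
    case "$1" in
        *"No such key"*) echo disabled ;;
        *ShadowHash*)    echo enabled ;;
        *)               echo unknown ;;   # read error or unexpected format
    esac
}

# Query the local directory node and classify the answer.
# dscl's exit status is ignored on purpose; only its text is classified.
current_root_state() {
    out=$(dscl . -read /Users/root AuthenticationAuthority 2>&1) || true
    root_state "$out"
}

# Constructed sample outputs, for reference:
#   disabled: No such key: AuthenticationAuthority
#   enabled:  AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>

if command -v dscl >/dev/null 2>&1; then
    echo "root account: $(current_root_state)"
else
    echo "dscl not found; run this on the Mac being checked" >&2
fi
```

Run it before and after dsenableroot -d; a result of "unknown" means the record could not be read and should be checked by hand.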

The dsenableroot utility works in OS X Yosemite, OS X Mavericks, Mountain Lion, etc. For users who are on much older versions of OS X like Snow Leopard, use the sudo passwd method instead.
