
I have enabled the root user on my Mac so I can log into it and run Finder etc. Being the lazy person that I am, I just transferred everything from my home directory to /var/root. I'm not too sure about doing this, so I may move everything back. Is it technically 'OK' to be using this like a normal user? (I am the only one who can access my computer.)

Asked by 智障的人 (edited by user3439894)

  • Good question with root-less 'el Capitan' around the corner. – CousinCocaine Jun 21 '15 at 19:40
  • What specifically does "access my computer" mean? You likely connect to the Internet. You don't specify what software you give access to the computer. What does 'OK' look like to you? Kudos for getting some great general answers. Probably better to ask the more detailed question (if one exists) as a follow-up question. – bmike Jun 22 '15 at 12:27
  • You can use a root account as a normal user provided you know the answer to the question "Is it 'OK' to use the root user as a normal user?". Once you know the answer, you won't. ;-) – Dakshinamurthy Karra Jun 25 '15 at 10:49
  • You might want to add the distinction between root, admin, and normal user. I believe admin is the default. – Steve Moser Jun 26 '15 at 14:49
  • "I am the only one who can access my computer" <-- Lol – Tim Jun 27 '15 at 19:19
  • @CousinCocaine As I understand it El Capitan will still have a root account, it just means authentication for apps will work differently... but let's find out for sure – Josh Jun 27 '15 at 20:43

10 Answers

365

Using your computer logged in as root all the time is like always carrying around all your keys, your passport, $5,000 in cash, that piece of paper with all your passwords written on it and the only photo you have of Flopsy, the adorable rabbit whose death broke your seven-year-old heart. Oh, and a chainsaw.

Which is to say, it's mighty convenient from time to time, because it means you can do whatever you want, whenever you want, without needing to go back home to get stuff or talk to your bank manager. But it also puts you at great risk of losing stuff, having it stolen (don't think that chainsaw will help you: you'll be streets away before you notice your wallet's gone), doing things you really regret later (impulse-buying plane tickets to Vegas while drunk), taking dangerous shortcuts (chainsawing through the lion enclosure fence because that's the fastest way to the pandas) and over-reacting (chainsawing your neighbour's car because his dog barks too much). And, when you think about it, mostly, you're just going to the office, going grocery shopping, hanging out with your friends. You don't need all that stuff with you all the time just for the convenience of needing it, what?, once a month? Once a week?

So, no, it's not OK to use the root account all the time. It gives you a tiny amount of convenience but puts you in a lot of danger. There's the danger of stupid mistakes having catastrophic results ("Hey, why is rm -rf * taking so long to run? **** I'm in /!"). There's the danger of acclimating yourself to the idea that all files are equal and you can just mess about with whatever you want, anywhere in the directory tree. There's the danger that any hack to your account is immediately a hack to the whole system, so now every single piece of software on your machine is security-critical. And even if you think you don't care about your machine getting hacked (after all, that photo of Flopsy is a real piece of glossy paper, not some ephemeral JPEG), I care about your machine getting hacked because then it's on the botnet that's mounting the DDOS attack against whatever internet service I can't access today.

Root is your spiderman costume. It gives you great power but requires great responsibility. It's there in the closet whenever you need it, so you don't have to wear it all the time.

  • I wish I had enough rep to vote up, the first paragraph cracked me up. – 智障的人 Jun 20 '15 at 15:54
  • Not only was this an entertaining and well written piece, it also rings of the truth and is well deserving of the accepted answer – wrossmck Jun 20 '15 at 21:35
  • I keep on coming back to this. This is genuine advice with the largest amount of humor you can put into something and still have it be serious. – 智障的人 Jun 21 '15 at 14:44
  • Post on Super User and Linux.SE too, this is too true, and very well written – Canadian Luke Jun 21 '15 at 18:53
  • Funny, in Windows, you're basically always root. – sudo Jun 21 '15 at 19:31
  • @9000 That's not been the case since at least XP. – David Richerby Jun 21 '15 at 19:49
  • Are Flopsy's death and the chainsaw related? – Sirex Jun 21 '15 at 19:55
  • I joined just to upvote for the botnet part. – March Ho Jun 21 '15 at 20:39
  • "Root is your spiderman costume". I'm dying here. – GeminiDomino Jun 21 '15 at 23:17
  • @DavidRicherby UAC is NOT a security boundary. If you're logged in as admin, assume you're root all the time. – Yet Another User Jun 23 '15 at 00:20
  • Unless you know that the first user you create on a Windows install is a member of the Administrators group, and that you have to create a second user with limited powers in order to not be logged in as admin, then @9000 is quite correct. – hBy2Py Jun 23 '15 at 03:42
  • Someone needs to make this into a video. – William T Froggard Jun 23 '15 at 05:26
  • TIL I play Fallout as root. – moopet Jun 23 '15 at 10:54
  • @YetAnotherUser And if I'm not logged in as admin, I'm not "basically always root". – David Richerby Jun 23 '15 at 11:17
  • @YetAnotherUser and Brian, No, 9000 is not correct for any system past XP (and not even for a correctly-installed XP, 2000, or NT system.) UAC IS a security boundary. You are running as a user that does not have administrative privileges until you elevate under UAC. They're actually separate security tokens. And that's even if you're using an 'administrative' account. For a non-admin account, you need to enter the credentials of an admin account in order to elevate. – reirab Jun 23 '15 at 15:49
  • @GeminiDomino: sudo definitely thinks that it is your spiderman costume: look at the source code. It's spelled out right there in the display_lecture function. – jgibson Jun 24 '15 at 17:15
  • While this is entertaining, this is only really applicable if the person using root doesn't know what they're doing. I really don't see any problem using root all the time, as long as you know what you're doing and don't deal a fatal blow to your system. – GDP2 Jun 24 '15 at 21:06
  • @GDP2 Being root makes the consequences of your mistakes potentially greater. Even if you know what you're doing, you can still have accidents. Using only the privilege you actually need for the job at hand is an important way to manage risk. – David Richerby Jun 24 '15 at 21:49
  • I can only write EPIC ;) – dbf Jun 25 '15 at 17:02
  • @GDP2 in other words, running as root all the time is pretty similar to driving an F1 racecar. Sure, some people can do it safely, but it requires a lot more discipline, training, and concentration. And even then there are still spectacular crashes. – Wayne Werner Jun 26 '15 at 15:50
  • StackExchange tweeted about this answer on Twitter. – Qix - MONICA WAS MISTREATED Jun 26 '15 at 17:45
  • @Qix It's kind of funny to think that a question that I was legitimately wondering about got this good of an answer and that answer attracted this many people. – 智障的人 Jun 26 '15 at 21:28
  • @GDP2 It's not even necessarily your mistake. The way most shell scripts are written, it really isn't hard to slip a rm -rf / in there. One relatively big-name example being Steam. At least on Windows, deleting the whole C drive usually doesn't work (even before UAC and even when using an administrator account) - it will tend to break before deleting anything, usually (while trying to delete something that can't be deleted). rm on the other hand will happily delete system files, files in use and such. Mistakes like that are easily introduced - especially if you're using auto-updates. – Luaan Jun 29 '15 at 09:04
  • A clever attacker could put an alias for sudo into your .bashrc or something, after compromising your user account, and then pretty soon they'd have root. I used to run a filesharing program that was potentially buggy, but connected to random strangers on the Internet. I ran it as a different user (unpriv-peter) that was a member of the same Unix group as my account, but had a different UID. Priv escalation after compromising that account would be somewhat tougher, e.g. an attack via X11 keyboard-simulation (unless I run it in an Xvnc session). – Peter Cordes Jul 10 '15 at 07:41
  • I cried tears of laughter and my stomach still hurts from LOLing so much. :-) Best answer ever... – Martin Allert Dec 21 '15 at 11:51
  • Analogies tend to break; rather make your point in simple English. – bbaassssiiee Aug 29 '18 at 19:20
  • The funny part of this answer, to me, is that it implies just about every use of a home computer from 1979 to the mid 2000s was "not OK", since in MS-DOS, classic Mac OS, Amiga, Commodore, Windows 95, etc. you were always the equivalent of root. – don bright Feb 02 '20 at 17:49
23

You can, but it's a major security and stability risk. Doing so allows any application full access to your computer. You can't know what they're doing with that access. It's unnecessary, and just really unsafe.

For a lot more background information on this, see

17

Honestly, I agree that there are a lot of risks associated with using the root user as default. But let me just run through them and criticize some of the arguments a bit.

  • Defending against applications: Practically the permission system of *nix is not strong enough (by far) to allow running arbitrary programs. A malicious program on *nix is able to do enough evil stuff (like stealing your bank credentials) without root permissions. It will be somewhat harder for a non-root application than for a root application (e.g. instead of directly installing a root-certificate and intercepting the connection to the bank you will need to mess around with the browser instead, but hey, that's actually quite doable and you likely had to do that anyways to make sure the user doesn't notice anything)
  • Defending against user mistakes (like running a wrong command and deleting all system files): Absolutely true, but even though a non-root user will save the system, all the important files will normally be lost already (as the user owned files are far more likely to be unique).
  • Defending against exploitable bugs in applications you run: Now this is more like it. E.g. when you run a web server where a lot of applications are open to the outside and thus any exploitable bugs will be easily reached. The same still applies of course even if you are sitting behind a router and firewall, though the extent of the danger is far less significant. Once again however the question becomes how much the permission system will realistically defend on a private system. Without root permissions all private files can still be accessed and intercepting network data is also possible... the two most important things you can wish for as an attacker of a private system.
    • (Now, on top of the standard *nix file permission system Apple has also introduced an application sandboxing system. As far as I know that one is still fully functional even when logged in as root. If however it weren't then that would be a total deal breaker.)

Either way, all considered, I do not think it's as terrible an idea as some others claim. Mind you, I am not saying it's a good idea either, but I think that people overestimate the usefulness of the *nix file system permission model in protecting you. Yes, it's incredibly useful for certain things (e.g. multi-user systems, complex multi-application servers, keeping the system running no matter what happens (running, but not necessarily usable), locking important files away (though you're better off encrypting those...), etc.), but it's not some magical protection that prevents bad stuff from happening.

In the comments I came up with an analogy which seems quite adequate in describing the situation. In Dutch we have a word for the little closet where you can find all the meters and the toggle for the main water supply, etc. Running as the root user account is like taking the lock off that little closet. Ironic fact: Most people don't have locks on it in the first place. Now, just like with the root user that's not to say that it's not useful to lock it away in certain cases, for example in offices or other semi-public buildings it's often locked away, but in normal houses it's far more important to have a strong lock on the front door (not installing random things, firewall, etc.) and putting all your important stuff in a safe (making backups, encrypting stuff, etc.). Will an extra lock on that closet hurt? Nope, so it might be a good idea to have it in place just in case, but in all likelihood it's going to be quite useless.

Running as the root user is nothing like taking all the locks off your house and carrying all the stuff in the safe with you all the time, as is claimed by David Richerby. Your passport (identity) is in no way protected by the *nix file system, your money (bank account) is in no way protected by the *nix file system, your important passwords are likely not protected by the *nix file system (if you're using Safari, however, they might actually be protected partially by the *nix file system permission model, but without root you can still add an invisible extension to Safari and next just intercept the password the next time you use it), your photos are definitely not protected by the *nix file system, and if you're using the terminal you're already carrying a chainsaw around with you (per point 2 above).

  • If you downvote an answer, do please point out what would be incorrect in my analysis. I am perfectly aware that my answer is a bit unorthodox, but I would expect ICT to be progressive enough that answers will be judged by their content, and not how well they fit the traditional dogmas. – David Mulder Jun 21 '15 at 22:16
  • I agree on the analysis. One extra harm from using the root account is that cleanup after a security breach / malware becomes more difficult. It can also be harder to detect compared to malware running at normal user privileges. However, with the tiny amount of actual malware out there it is hard to say how the differences play out in practice. – jpa Jun 22 '15 at 06:05
  • @jpa True that, a malicious program can hide better when it has root privileges, but it's not like cleanup is done by hand. People either use antiviruses (which already have to assume any malicious program got root privileges, because tricking the user into giving them isn't that hard) or re-install a system typically after infection. But either way, I do see your point. – David Mulder Jun 22 '15 at 14:24
  • This deserves more upvotes. The only things I really care about on my computer are files owned by my (non-root) user. They represent my photos, my music, videos of my daughters.. the rest can be reinstalled easily! – Isak Savo Jun 22 '15 at 19:03
  • @Froggard Yes there are a lot of technologies that can prevent the destruction of local files locally. That's the entire point of this answer. Just because the *nix file permission system can't limit (real) dangerous actions doesn't mean other technologies can't. The Apple sandbox is a simple example of this, though something like the ChromeOS application system takes this a lot lot further. E.g. within it an application is unable to access files until a user 'opens' (using a dialog) the file or directory. So a malicious application can typically do nothing at all. – David Mulder Jun 22 '15 at 21:18
  • This logic is basically the same as saying because remote garage door openers are pretty weak sauce it really wouldn't be a big deal if nobody closed their garage doors. The premise is true but the advice is bogus. Effective security is made up of lots of little pieces working together. Like everybody in a neighborhood keeping their garages closed. It makes the neighborhood safer for everyone. – Caleb Jun 23 '15 at 19:16
  • @Caleb: Nope, it's not the same thing at all, because on a typical private system the root user isn't protecting anything of value. It's like putting a huge lock on the cupboard with all the meters and home controls like water and electricity and where the phone line comes in (don't know the English name). Putting a lock there might prevent certain things from happening, but any burglar is still able to do everything you don't wish him to do. (Cont.) – David Mulder Jun 23 '15 at 19:40
  • Same thing with the root user: in a commercial semi-public building locking those things away is critical; in a private home a good safe and lock on the front door is far more important. – David Mulder Jun 23 '15 at 19:40
  • The last time any typical user's system was private was before AOL dialup came on the scene. The fact that this user asked this question on this site means they are out in public... and if they are logged in as root they are carrying around a whole plethora of unsecured valuables. – Caleb Jun 23 '15 at 19:47
  • @Caleb There is a huge difference between owning a house in a neighborhood and inviting anybody in. And by the time somebody does enter your house there is little to stop him on standard nix systems. That's what I am describing in this answer: Once somebody does break into your system the nix file system permissions are not going to help, because they aren't protecting the things you consider important on a private system. The only thing it is (cont.) – David Mulder Jun 24 '15 at 05:09
  • protecting is the system, but users care about what's on the system, not the system itself. Not to say it's a bad idea to protect the system, but other things are far more important, and if you're not protecting those it's of questionable benefit to protect the system. It's like carrying thousands and thousands of dollars openly in your pocket whilst you carry a heavy safe around with your $100 smartphone in it. – David Mulder Jun 24 '15 at 05:09
  • So, the whole argument boils down to "your system has ineffective security against nation-state funded attacks, so just go ahead and toss it all in the trash." The metaphors used as backup are inaccurate - I can't use your home's mechanical room to attack people all over the world; all I can do is shut off your water or run up your phone bill or burn down your house. That all only affects you, so you can decide to accept that risk. Your even more easily compromised computer can attack everyone else in the world, though. That affects your friends. – dannysauer Jun 24 '15 at 16:52
  • In any event, the main argument I usually use is that frequently using root leads to carelessness, because you are no longer paying close attention to what you're doing - whatever you type, it'll work! If you live long enough in a world where you're never reminded that things can hurt you, you start to forget that you're not invincible. And that's when things go wrong. :) – dannysauer Jun 24 '15 at 17:04
  • @dannysauer Having access to the root user on a private system is so not going to help in compromising other systems... – David Mulder Jun 25 '15 at 13:31
  • Not having root doesn't prevent it, sure. But that's a subtly different statement; sort of like how I said "attack," not "compromise." You can do so much more on the network with root. If your zombie machine is participating in a simple ICMP flood, for a simple example, you need raw socket access to generate that ICMP traffic (which is why ping is suid root). Same goes for several other useful malicious packet modifications. – dannysauer Jun 25 '15 at 19:21
  • @dannysauer Ah yeah, that's true. So yeah, I agree that a DDoS will be somewhat more effective with root, but for all practical purposes it doesn't make much of a difference. Once you're part of a botnet you have far bigger things to worry about (private documents are compromised, your identity (passwords, etc.) is likely (to be) compromised, etc.). Honestly, I am not saying that the *nix file system permission model is bad or useless, just that it's massively overrated on private systems in traditionalist ICT circles. – David Mulder Jun 25 '15 at 19:26
  • Stealing your bank account credentials on a Mac actually does require elevated permissions. If you're not root, you can't: 1) install a new certificate, 2) mess with Safari (it's not writable by normal users), 3) install a tampered Safari in the user's directory and change the dock link (code signing will catch that), or 4) disable the code signing check (you need administrator rights to change that setting). You would need some kind of exploit, and if you can do that, you're in anyway. – marinus Jun 27 '15 at 13:00
  • @marinus At least 3 or 4 years ago I was able to 'inject' an extension into Safari without root and without doing any real weird stuff (I did it with some kind of macro tool). Stuff might have changed since then, but I can't check as I don't have a Mac anymore (and I forgot 90% of my Mac specific knowledge either way). – David Mulder Jun 27 '15 at 20:33
15

Back around 1990 I was working on a project with a guy named Tom. We were using a Sun server running SunOS (a Unix derivative, predecessor to Solaris). This was back in the days before CD drives and flash drives, so if you messed up the OS on your hard drive there was no way to recover.

Tom used to routinely log in as root. I told him that was a bad idea, but he did not listen. One day I heard him say "Uh-oh". He had meant to type something like this:

mv something* .

Unfortunately he left off the final dot, so the shell expanded all the file and directory names which matched this pattern. Then the mv command used whatever ended up as the final name in the list as the destination directory, and moved everything else into it. Also unfortunately, he was currently at the root directory, so basically the entire file system got moved into one of its subdirectories.

I used up-arrow to bring back the previous command and saw what had happened. The first thing I then said was, "Don't log off! Or you will never be able to log in again."

No problem, right? We could just move everything back. We could, except that the mv command was not one of the built-in commands of the shell. Instead, it was an executable program, stored in one of the files which had been moved. Luckily, ls was a built-in command, so after using ls to confirm where the commands had moved to, I was able to find the mv command, invoke it with its full path name, and put things back where they were supposed to be.

And then I told him, "Tom, this is why it is a bad idea to routinely log in as root."
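The mishap described in this answer can be reproduced safely. The following is an added example, not part of the original answer: it replays the slip in a throwaway directory as an unprivileged user, where the blast radius is a few empty files instead of the root of the file system. The file names are constructed for the demonstration. The point it makes is mechanical: the shell sorts the glob matches alphabetically, and mv treats the last argument as the destination, so whichever directory happens to sort last silently swallows everything else.

```shell
# Added example (not from the original answer). Run as a normal user; every
# path it touches lives under a fresh mktemp directory that is removed at the end.

# Tom's typo: "mv something*" with no destination. Each function body runs in a
# subshell so the cd does not leak into the caller's shell.
glob_mishap() (
    work=$(mktemp -d) || exit 1
    cd "$work" || exit 1
    mkdir something_zz                    # sorts last, so mv makes it the destination
    touch something_a something_b
    # The shell expands this to:  mv something_a something_b something_zz
    mv something*
    top=$(echo *)                         # what is left in the working directory
    inside=$(cd something_zz && echo *)   # what got moved into the last match
    printf '%s|%s\n' "$top" "$inside"
    cd / && rm -r "$work"
)

# The intended command: an explicit destination typed last, and "--" so that a
# stray file whose name begins with "-" can never be parsed as an option.
glob_intended() (
    work=$(mktemp -d) || exit 1
    cd "$work" || exit 1
    mkdir something_zz target
    touch something_a something_b
    mv -- something* target
    inside=$(cd target && echo *)
    printf '%s\n' "$inside"
    cd / && rm -r "$work"
)

glob_mishap      # prints: something_zz|something_a something_b
glob_intended    # prints: something_a something_b something_zz
```

Nothing in the example is specific to root; the same expansion happens for any user. What root changes is the reach: a normal user typing this in / gets "Permission denied", while root gets exactly what Tom got. The recovery described above works for the same reason the mishap does: the moved mv binary is still an executable file, just at a new absolute path.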

10

Generally you want to keep ownership of your personal files separate from the root user. This is why you create an account for yourself as an administrator. The accepted way, under OS X, to gain root level access is to use the sudo command from the Terminal application. For example, if you want to see the partitioning of your internal drive the command is

gpt -r show /dev/disk0

which if entered will result in the following error message.

gpt show: unable to open device '/dev/disk0': Permission denied

To use the command, you need to use sudo as shown below.

sudo gpt -r show /dev/disk0

If you want to become the root user to avoid entering sudo, you can just enter sudo sh. The exit command can be used to exit from being the root user.

If you want to execute an application as the root user, you can by using the Terminal application. For example, if you want to launch the Finder as the root user, enter the following command.

sudo /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder &

To avoid the confusion of having two Finder applications open at the same time, it is usually best to quit your Finder application first. This can be done using the following terminal command.

osascript -e 'tell application "Finder" to quit'

One word of caution: preceding a command with sudo is not the same as becoming the root user. For example, the commands

sudo echo $USER
sudo echo $SUDO_USER

result in the same output as the commands shown below.

echo $USER
echo $SUDO_USER

If you become the root user (the superuser), then the same commands result in a different output. This can be verified by entering the commands shown below.

sudo sh
echo $USER
echo $SUDO_USER
sudo echo $USER
sudo echo $SUDO_USER
exit
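The "word of caution" at the end of this answer has a mechanical explanation that is worth seeing in isolation: in `sudo echo $USER`, the calling shell expands `$USER` before sudo (or echo) ever runs, so root's environment is never consulted. The following is an added example, not part of the original answer. It reproduces the same ordering with env(1) in place of sudo so that it runs without privileges; MYVAR is a made-up variable for the demonstration. Replace `env MYVAR=child` with `sudo` and the behaviour is identical.

```shell
# Added example (not from the original answer). Shows who expands a variable
# when a command is prefixed with sudo, using env(1) as a stand-in for sudo.

# Expanded by the caller: the shell turns "$MYVAR" into the word "caller" before
# env starts, so the child (echo) receives that word as a plain argument. env's
# MYVAR=child is set for the child, but nothing in the child ever reads it.
expand_in_caller() {
    MYVAR=caller
    env MYVAR=child echo "$MYVAR"
}

# Expanded by the child: single quotes pass the literal text $MYVAR through, and
# the child shell expands it in its own environment. This is the form
# "sudo sh -c 'echo $USER'" uses, and it is the one that actually reports root.
expand_in_child() {
    MYVAR=caller
    env MYVAR=child sh -c 'echo "$MYVAR"'
}

# $USER is only an inherited variable that sudo may or may not rewrite. The
# authoritative answer to "am I root right now?" is the effective uid from the
# kernel: "sudo id -u" prints 0, and this is the check scripts should make.
is_root() {
    [ "$(id -u)" -eq 0 ]
}

expand_in_caller    # prints: caller
expand_in_child     # prints: child
if is_root; then echo "running as root"; else echo "running as uid $(id -u)"; fi
```

In practice: `sudo echo $USER` tells you nothing about sudo; `sudo sh -c 'echo $USER'` or `sudo id -u` does. If you want a root shell for a series of commands, `sudo -i` starts a root login shell with root's own environment, and `exit` returns you to your own account, as the answer describes for `sudo sh`.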
4

In case the other reasons weren't good enough... Don't forget that you can't use Homebrew as root (which is actually a huge pain). Other programs also don't let you use them as root or run into permission problems when you do, often for no apparent reason, because their programmers assume that they won't be run as root. I think Steam is one of them.

It's also nice to have all the system and user stuff separate for various reasons.

I don't know if it's that bad of a security issue. I'd personally be more worried about problems with organization and permissions than anything else.

sudo
4

Just a few examples why it's not ok to always run as root:

  • Root user can easily place files in locations that are far more difficult to track down.
  • Root user has raw access to interfaces and so can put an interface into promiscuous or monitor mode and log ALL network traffic.
  • Root user has raw access to device nodes and can thrash a disk making it far harder to recover files than a simple 'rm' at user level. Root user can also potentially modify boot sectors of a drive, making malware persistent even after a reinstall of the operating system.

I could go on. The point is that there ARE good reasons not to run as root. I don't disagree that to most people their most personal data is in their home directory anyhow, but running as root still does put that data, and the entire system, at a greater risk. The advice to not run as root is not misplaced. If a person does not understand the implications of running as root, they definitely should not be doing so. Suggesting anything else is irresponsible.

bodangly (edited by nohillside)
1

Unless you're using backtrack/kali for a specific task: NO. Treat the super user as you would a loaded gun: if you have an immediate need and intention to use it: OK. If you can solve your problem in any other manner, however (e.g. "sudo"), do that.

Sam
0

NO! This will get your system broken into in a very short amount of time. Instead, su or sudo into root as necessary. If you absolutely, positively, must run as root, at least log out at any time when you're not using the computer. If your system is capable of running multiuser, but no users are configured, I suggest you create a privileged user (i.e. one that can sudo/su into root as necessary) ASAP!!!

0

Simply use SUDO

My guess is the OP does not know how easy it is to use sudo on the occasions you need to use root.

OP, all your problems are over. Immediately restore your Mac to a normal state.

And just use sudo as needed. Phew.

Fattie