Every object and action in Mac OS X is associated with an account. Mac OS X has four types of accounts, as follows:
– Standard users have full permission over their own home directory, but are restricted from the rest of the system. They have read-write access to files that they place in /Users/Shared and /tmp.
– Admin users can configure the OS, and have broader access to system directories, such as /Applications. Admin users can override most limitations on the system, and have near-complete control. Only trusted users should be granted admin-level privileges.
– There is only one root user, and it is not constrained by many of the normal limitations in Mac OS X. The root account is not prompted or initially restrained by the hurdles placed in front of admin-level users. See “Enabling and Disabling the Root Account” in the following section for more information.
– A system account is used by services rather than end users in Mac OS X, which requires that all actions be associated with an account. A system account is not a full account with a home folder or login password. It is preinstalled by Apple, or created by the software that requires it.
Enabling and Disabling the Root Account
For security reasons, the root account is disabled by default in Mac OS X. In contrast, Mac OS X Server keeps root enabled by default. On either platform, root can be enabled or disabled with the dsenableroot command. An admin-level user simply needs to run the command and answer the prompts:
$ dsenableroot
username = marczak
verify root password:
dsenableroot:: ***Successfully enabled root user.
The password for the root account is set to the password supplied at the prompt. Use the -d switch to disable the root account:
$ dsenableroot -d
username = marczak
dsenableroot:: ***Successfully disabled root user.
Mac OS X Server uses the root account while creating an Open Directory replica. If root is disabled in Mac OS X Server, it must be re-enabled for the replica creation process. Once the replica is created, root can be disabled again.
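To audit both points above (which of the four account types each local account falls into, and whether root is currently enabled), the following script is an added example and is not part of the original text. It assumes that system accounts have a UniqueID below 500, that admin users are members of the "admin" group, and that a disabled root account has no AuthenticationAuthority attribute; the sample data and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added audit example (not from the original text).
# Assumptions: system accounts have a UniqueID below 500, admin users are
# members of the "admin" group, and a disabled root account has no
# AuthenticationAuthority attribute in its directory record.

# classify_accounts ADMIN_MEMBERS
# stdin: "name uid" lines, as printed by: dscl . -list /Users UniqueID
classify_accounts() {
    awk -v admins="$1" '
        BEGIN { n = split(admins, a, " "); for (i = 1; i <= n; i++) is_admin[a[i]] = 1 }
        NF == 2 {
            if ($2 == 0)             kind = "root"
            else if ($2 < 500)       kind = "system"
            else if ($1 in is_admin) kind = "admin"
            else                     kind = "standard"
            print $1, kind
        }'
}

# root_status
# stdin: output of: dscl . -read /Users/root AuthenticationAuthority
root_status() {
    if grep -q '^AuthenticationAuthority:'; then echo enabled; else echo disabled; fi
}

# Constructed sample data, not captured from a real system.
SAMPLE_USERS='_www 70
daemon 1
nobody -2
root 0
marczak 501
guestuser 502'
SAMPLE_ADMINS='root marczak'
SAMPLE_ROOT_DISABLED='No such key: AuthenticationAuthority'
SAMPLE_ROOT_ENABLED='AuthenticationAuthority: ;ShadowHash;'

if command -v dscl >/dev/null 2>&1; then
    # Live audit on a Mac.
    admins=$(dscl . -read /Groups/admin GroupMembership | cut -d' ' -f2-)
    dscl . -list /Users UniqueID | classify_accounts "$admins"
    echo "root account: $(dscl . -read /Users/root AuthenticationAuthority 2>&1 | root_status)"
else
    # Offline demonstration with the constructed data.
    printf '%s\n' "$SAMPLE_USERS" | classify_accounts "$SAMPLE_ADMINS"
    echo "root account: $(printf '%s\n' "$SAMPLE_ROOT_DISABLED" | root_status)"
fi
```

Any account reported as admin that is not expected to hold that role, or a root account reported as enabled on a client system, is worth reviewing.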