Mac OS X machines have the root user disabled by default. Is this the right setting for a web environment?
Specifically, the computer would be running Apache 2, MySQL 5, PHP 5, and other useful web serving software. Administrators would deal with compiling such software, updating and enhancing that software, and other similar tasks. Would a root user be beneficial in this situation?
More broadly, in what situations should a root user be enabled on OS X? What are the pros and cons of enabling this user?
-
Many people think that it is much better to have users log in as a non-privileged account and then use a tool like sudo to gain privileges as needed.
If root is not active, it cannot be logged into. Leaving it disabled won't make your system secure, but it is just one additional layer of defense.
Tools like sudo provide audit logs about what the administrator is doing, and they may help you go back and see who, and how, something got broken.
Even with the root account disabled you can still connect as root via SSH using key-based authentication, which is what you should be using for remote access anyway.
Since pretty much everything you would need to do can be done via alternate methods that are arguably more secure, it is probably better to leave it disabled.
I suspect one of the few things you cannot do is follow some howtos on the web word for word and step for step because they will be written assuming you have the root account enabled. You will need to know what the howto is telling you to do, and when you really need root privileges.
From Zoredache
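
The audit-trail point in the answer above, as an added example (not part of the original post): a parser for sudo's syslog line format that attributes each privileged command, and each denied attempt, to the administrator who invoked it. The host name, user names and log lines are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines in sudo's syslog format (not from a real host).
SAMPLE_LOG = """\
Mar  3 09:14:02 web01 sudo[412]:    alice : TTY=ttys000 ; PWD=/Users/alice ; USER=root ; COMMAND=/usr/sbin/apachectl graceful
Mar  3 09:20:45 web01 sudo[431]:      bob : TTY=ttys001 ; PWD=/usr/local/src ; USER=root ; COMMAND=/usr/bin/make install
Mar  3 09:31:10 web01 sudo[450]:    carol : user NOT in sudoers ; TTY=ttys002 ; PWD=/Users/carol ; USER=root ; COMMAND=/bin/sh
Mar  3 09:40:27 web01 sudo[466]:      bob : 3 incorrect password attempts ; TTY=ttys001 ; PWD=/Users/bob ; USER=root ; COMMAND=/usr/bin/vi /etc/my.cnf
Mar  3 09:41:00 web01 sshd[470]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\ssudo(?:\[\d+\])?:\s+"
    r"(?P<user>\S+)\s:\s(?P<rest>.*)$"
)

def parse_sudo_line(line):
    """Return a dict for one sudo log line, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # sudo writes COMMAND= last, and the command itself may contain " ; ".
    head, _, command = m.group("rest").partition("COMMAND=")
    fields, notes = {}, []
    for part in filter(None, (p.strip() for p in head.split(" ; "))):
        key, sep, value = part.partition("=")
        if sep and key.isupper():
            fields[key] = value          # TTY, PWD, USER, ...
        else:
            notes.append(part)           # failure reason written by sudo
    return {
        "ts": m.group("ts"), "host": m.group("host"), "user": m.group("user"),
        "run_as": fields.get("USER"), "tty": fields.get("TTY"),
        "command": command, "denied": bool(notes), "reason": "; ".join(notes),
    }

def by_admin(log_text):
    """Group commands by invoking user, split into ran and denied."""
    out = defaultdict(lambda: {"ran": [], "denied": []})
    for entry in filter(None, map(parse_sudo_line, log_text.splitlines())):
        out[entry["user"]]["denied" if entry["denied"] else "ran"].append(entry["command"])
    return dict(out)

if __name__ == "__main__":
    for user, cmds in by_admin(SAMPLE_LOG).items():
        print(user, cmds)
```

With a shared root login every one of these entries would carry the same account name; the per-user attribution exists only because each administrator authenticates as themselves before escalating.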