Manualshelf

Setup guide

ManualsBrandsApple ManualsNetwork CardMac OS X Server
21222324252627282930
should be changed. Second, any necessary modifications to the root account should
be performed.
3.8.1 Restricting Administrator’s Home Folder
Permissions
The permissions on the home folder of the just-created administrator account allow
any user who logs into the system to browse its contents. To change the permissions
on the administrator’s home folder, issue the following command in a Terminal
window, where <adminname> is the name of the account. The 700 permission
setting allows only the administrator to read and browse files in his home folder.
chmod 700 /Users/<adminname>
3.8.2 Securing the Root Account
Mac OS X Server includes a root account like other Unix-based systems. Initially, its
password is set to that of the first administrator account. Direct root login should
not be allowed because the logs cannot identify which administrator logged in.
Instead, accounts with administrator privileges should be used for login, and then
the sudo command used to perform actions as root. The system uses a file called
/etc/sudoers to determine which users have the authority to use the sudo
program, and this file initially specifies that all accounts with administrator
privileges may use sudo.
To prevent root logins:
1. Log into an administrator account and start the NetInfo Manager
application found in /Applications/Utilities.
2. Click on the users item located in the second column at the top of the
NetInfo Manager panel. This will open the list of users in the third
column.
3. Click on the root item in the users column. The root user’s properties
and any associated values will appear in the bottom panel of the window.
4. Click on the lock in the lower left corner of the NetInfo Manager window.
Type an administrator's short name and password into the authentication
dialog that appears and click the OK button.
5. If the property authentication_authority is listed in the bottom list in
the window, click on it to highlight that property.
6. Go to the top of the NetInfo Manager window and click the Delete icon to
remove that property and value.
7. Double click on the value associated with the passwd property located in
that bottom property list, and the value should become highlighted for
editing. This value will be a single asterisk if the root password has never
been set, and either a string of asterisks or a password hash if a password
19
UNCLASSIFIED