132 Chapter 8 Managing User and Group Accounts
The computer uses a file called /etc/sudoers to determine which users have the authority to use the sudo program. This file initially specifies that all accounts with administrator privileges can use sudo.
To disable root login:
1 Start the dscl tool in interactive mode, specifying the computer you are using as the source of directory service data:
$ dscl localhost
>
2 Change the current folder to /Local/Users by entering the path at the prompt:
> cd /Local/Users
3 Authenticate as an administrator by entering the following command, replacing adminusername with your administrator user name, and entering your administrator password when prompted:
> auth adminusername
4 Use the following commands to disable the root login by removing the AuthenticationAuthority property and its value, and modifying the root password property.
> delete root AuthenticationAuthority ;ShadowHash;
> delete root AuthenticationAuthority
Any user with administrative privileges can reenable root login by entering passwd root in a Terminal window.
Restricting Use of the sudo Tool
Limit the list of administrators allowed to use the sudo tool to those administrators who require the ability to run commands with root user privileges.
To change the /etc/sudoers file:
1 Edit the /etc/sudoers file using the visudo tool, which allows for safe editing of the file. Run the following command with root user privileges:
$ sudo visudo
2 When prompted, enter your administrator password.
There is a timeout value associated with the sudo tool. This value indicates the number of minutes until the sudo tool prompts for a password again.
The default value is 5, which means that after issuing the sudo command and entering the correct password, additional sudo commands can be entered for 5 minutes without re-entering the password. This value is set in the /etc/sudoers file.
For more information, see the sudo and sudoers man pages.
3 In the Defaults specification section of the file, add the following line:
Defaults timestamp_timeout=0
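As an added example (not part of this guide), the following POSIX shell audit reads a sudoers file and reports the effective timestamp_timeout and which users or groups may run any command as root, so an administrator can verify both the timeout step above and the restriction of sudo to the administrators who need it. The sudoers content it writes is constructed for the example, and the function names (sudo_timeout, sudo_all_grantees, write_sample_sudoers) are the example's own.

```shell
#!/bin/sh
# Print the effective timestamp_timeout in minutes for a sudoers file.
# sudo's built-in default is 5 when no global "Defaults" line sets it.
sudo_timeout() {
    awk '
        /^[ \t]*#/ { next }                          # comment line
        /^[ \t]*Defaults[ \t]/ {                     # global Defaults only
            line = $0
            sub(/^[ \t]*Defaults[ \t]+/, "", line)   # strip the keyword
            n = split(line, opts, /[ \t]*,[ \t]*/)   # several options per line
            for (i = 1; i <= n; i++)
                if (opts[i] ~ /^timestamp_timeout=/) {
                    split(opts[i], kv, "=")
                    val = kv[2]                      # last setting wins
                }
        }
        END { print (val == "" ? 5 : val) }
    ' "$1"
}
# Print each user (or %group) whose privilege specification grants ALL
# commands, optionally tagged NOPASSWD; these are the entries to trim.
sudo_all_grantees() {
    awk '
        /^[ \t]*(#|$)/ { next }                      # comment or blank
        /^[ \t]*(Defaults|User_Alias|Runas_Alias|Host_Alias|Cmnd_Alias)/ { next }
        /=/ {
            spec = $0
            sub(/^[^=]*=/, "", spec)                 # keep text after "="
            sub(/^[ \t]*\([^)]*\)/, "", spec)         # drop the "(runas)" list
            gsub(/[ \t]/, "", spec)
            if (spec == "ALL" || spec == "NOPASSWD:ALL") print $1
        }
    ' "$1"
}
# Constructed sample, not a real system file: the stock "%admin ALL=(ALL) ALL"
# entry plus the Defaults line the procedure above adds.
write_sample_sudoers() {
cat > "$1" <<'EOF'
Defaults    timestamp_timeout=0, passprompt="Password:"
root        ALL=(ALL) ALL
%admin      ALL=(ALL) ALL
backupop    ALL=(root) /usr/bin/rsync
EOF
}
SAMPLE=$(mktemp)
write_sample_sudoers "$SAMPLE"
echo "timestamp_timeout: $(sudo_timeout "$SAMPLE") minute(s)"
echo "may run any command as root:"; sudo_all_grantees "$SAMPLE"
rm -f "$SAMPLE"
```

To audit a live system, pass a root-readable copy of the file instead of the sample (for example the output of sudo cat /etc/sudoers saved to a file).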