Mailing Lists: Apple Mailing Lists


Re: Newbie Question? Is there a root in Mac OSX (Darwin)?



Greetings,

On Tue, 24 Jul 2001, paul w brown wrote:

> ... I was talking about how unix disables an account ... change the
> password of the account to a phrase that starts with an asterisk (*) ...
> not that it is really really really dumb to have any password with less
> than six (6) characters ... and any root password should be treated more
> seriously ... that just to suggest the emphasis on not having set your
> password to an asterisk (*) but to an asterisk in front of another phrase
> like so:

No, this is _not_ how you disable an account in Unix, and indeed it
will not disable the account. A password with an asterisk at the
beginning is a password just like any other.

The business with the asterisk is this: you can disable an account by
setting the _password_field_ in the passwd file to `*'.

Unix authentication works[1] by taking the password, hashing it, and
storing the hash in the passwd file. Any password (in principle, but
never in practice, there can be more than one) which hashes to the
same thing, authenticates successfully. This is why you can't
determine the password from the passwd file, and why in turn the
passwd file has traditionally been world-readable.

If you set that field to `*', there is nothing that will hash to this,
so there exists no valid password for that account.

Any random string, inserted in the password field, will work the same
way; the asterisk is simply traditional, and flags that this (invalid)
entry is a deliberate disabling, rather than some weird typing
mistake.

So much for traditional Unix. If I understand correctly, this is what
is being suggested by some of the other contributions in this thread,
when they talk of making `*' entries in the nidb, which replaces the
passwd file. If these are simply concerned with changing the account
password then (unless MacOS X is even more different than I'm coming to
understand) they're not talking about disabling the account.

I hope this is of some help, or interest,

Norman


[1] In the main. Some Unixes, such as OpenBSD for example, and the
whole pam business with Linux, have started to extend the semantics
of authentication tokens.

--
---------------------------------------------------------------------------
Norman Gray http://www.astro.gla.ac.uk/users/norman/
Physics and Astronomy, University of Glasgow, UK email@hidden


References: 
 >Re: Newbie Question? Is there a root in Mac OSX (Darwin)? (From: paul w brown <email@hidden>)
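
The distinction drawn in the message above, as an added example that is not part of the original post: an audit over traditional passwd-format text that reports which accounts have a password field no hash output can ever equal. It assumes a flat, non-shadow passwd file with classic 13-character crypt(3) hashes; the function names and sample entries are constructed for illustration.

```python
import string

# Characters that traditional DES crypt(3) output is drawn from.
CRYPT_ALPHABET = set(string.ascii_letters + string.digits + "./")

def classify_field(field):
    """Classify the password field of one traditional passwd entry."""
    if field == "":
        return "no-password"   # empty field: login needs no password
    if len(field) == 13 and set(field) <= CRYPT_ALPHABET:
        return "hash"          # shaped like crypt output: a password can match
    if field.startswith("$"):
        return "hash"          # modular crypt formats ($id$salt$hash)
    # crypt never emits this string, so no password hashes to it.
    # Note: on shadow-password systems a lone "x" means "see the shadow
    # file", which this traditional-model example does not follow.
    return "disabled"

def audit(passwd_text):
    """Return {user: classification} for passwd-format text."""
    result = {}
    for line in passwd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 7:
            result[parts[0]] = "malformed"
            continue
        result[parts[0]] = classify_field(parts[1])
    return result

# Constructed sample entries. The 13-character field is a hash-shaped
# placeholder, not the hash of any real password. A password that merely
# begins with "*" would be stored like alice's entry: as an ordinary hash.
SAMPLE = """\
root:*:0:0:System Administrator:/var/root:/bin/sh
daemon:NOLOGIN:1:1:daemon:/:/usr/bin/false
alice:abPLACEHOLDER:501:20:Alice:/Users/alice:/bin/sh
guest::502:20:Guest:/Users/guest:/bin/sh
"""

if __name__ == "__main__":
    for user, state in audit(SAMPLE).items():
        print(f"{user:8} {state}")
```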


