CNET también está disponible en español.

Ir a español

Don't show this again


About the root user in Activity Monitor

Even though the root account is "disabled" by default in OS X, you will still see many system processes running under this account when you open Activity Monitor, which might be confusing to some people.

OS X is a multiuser environment in which besides standard user and administrative accounts there are a number of hidden or background accounts that are reserved for system-level tasks. One of these is the commonly referenced "root" user, which is the main and fully unrestricted administrator account on the system.

Because the root user has unrestricted access to all aspects of the system, running it interactively can pose a security risk as well as result in inadvertent system alterations. Therefore enabling it is highly discouraged, and the only time we recommend temporarily setting its stats to "enabled," it is for brief troubleshooting efforts that cannot be fixed by other means.

Activity Monitor showing root user activity
Most system processes will be run under the root account, even if logging in via the root account is disabled. To not show the root processes in Activity Monitor, choose "My Processes" from the All Processes menu.

Even though the root account is in a disabled status by default, you will still see many system processes running under this account when you open Activity Monitor, which might be confusing to some people. This is because the labeling of the account as being disabled is not correct. In truth, the account's disabled status only means users are prevented from using this account interactively (i.e., logging in). For other uses the account is very much active and enabled.

User hierarchy and process organization

When a Mac starts up, the firmware and hardware initializes, locates a boot volume, and then loads the kernel. When the kernel is done checking the hardware configuration it switches over to "userland" processes, which is where it starts up applications and background tasks under specific account names and controls access through permissions settings.

The first account to start up is initiated by the kernel itself and is called "root," and the type of processes run by root are low-level programs and services such as the main system launcher (launchd), the disk manager (diskarbitrationd), and the kernel extension manager (kextd), just to name a few.

All processes in the system, even if they are run in administrator accounts or standard accounts, are run under the umbrella of the root user account. This allows them to be activated and deactivated (or logged in and logged out) without affecting other system processes or other user accounts. Therefore, system tasks in OS X can remain alive even when other users log out, and as such can still offer computing services like file sharing, Web sharing, printer services, and numerous other features without a user logging in and enabling these options.

While the built-in low-level system processes that run these services are generally run as root, some third-party tools that need to have full system access (e.g., antivirus scanners or firewalls) will be installed so they are run at startup with root privileges.

Prevent user interaction via root

The reason interaction via the root account is not enabled by default is because of security concerns about user interactivity. Background tasks supplied with the OS by Apple, and legitimate third-party options like servers, firewalls, and malware scanners should be securely coded so they only perform the desired tasks (i.e., file sharing or malware scanning) and not affect other processes or system files. These processes are noninteractive tasks on the system and therefore can be launched with root privileges without much concern over problems (though security flaws can pose security risks, and are regularly patched through software updates).

On the other hand, interactive programs like Safari are often used to form numerous connections to external sources and do tasks that the system has no real control over. Various plugins, JavaScript programs, Java applets, and download files (programs, scripts, etc.) can be loaded in a program like Safari, and can potentially be a security risk to the system. Besides programs, the user itself can inadvertently overwrite, move, or delete system files.

If you are logged in as a standard user or even as an administrator, then any attempt to modify system files or settings will result in a permissions denied error or a prompt for administrative credentials. However, if you are logged in as root then you will not be prompted and alterations will be made immediately.

Alternatives for accessing root

While enabling login for the root user is one way to interact with the system with root privileges, there are other more secure ways to do this. If you are familiar with the Terminal you can boot the system into Single-User (with the "single-user" being the "root" account) mode by holding Command-S at startup. Additionally you can always use the "sudo" command in the Terminal before each command you run (provided your account is an administrative account), in order to run your commands with root privileges.

Lastly, when performing administrative tasks on a system, two of the most commonly used applications will be a file-system browser and a text editor, and the included "Finder" and "TextEdit" programs in OS X are rather limited in what files they can access. Alternatives to these that do allow for authentication and better access to the full system are Path Finder and TextWrangler.

Questions? Comments? Have a fix? Post them below or e-mail us!
Be sure to check us out on Twitter and the CNET Mac forums.