61

Whenever I try to issue su I get this: 

$ su  
Password:  
su: Sorry

Needless to say, I'm entering the correct admin password which does work with sudo. What I want is not having to enter sudo each time.

airsquared
  • 5,107
Petruza
  • 2,845

7 Answers7

56

In MacOS X, the root user is disabled by default, therefore su will not work. As others have stated, it's best to use sudo.

If you must enable the root user, see Apple's technote: Enabling and using the "root" user in Mac OS X.

ghoppe
  • 8,046
  • 26
    sudo su still works, so it is not really disabled. It just has no password. – Fake Name May 23 '11 at 09:34
  • 2
    @FakeName This is the most hilarious backdoor! If you can run sudo su, what in the world is the point of disabling su then? – Kellen Stuart Dec 27 '16 at 20:10
  • 7
    @KolobCanyon - The point isn't really to "disable su", it's to prevent root login. By disallowing login as root, you prevent a bunch of possible security issues. Not allowing someone who can sudo to su is kind of silly. Basically, su just changes the current user-id, and executes a command (a shell, if not specified). If the user-id is already 0 (root), such as when executed with sudo, there's nothing for it to do, so it just executes the shell. You can get a similar effect by doing sudo bash. – Fake Name Dec 27 '16 at 21:34
  • 2
    @FakeName Still confused. What's the difference between logging in as root and running 'sudo su'? Isn't it effectively the same level? – Kellen Stuart Dec 28 '16 at 01:20
  • 3
    @KolobCanyon - Nope. Basically, if you disable login, it means that if there is a vulnerability in the login process, a hacker cannot use it to get root directly. Basically, it moves the required root compromise from "login compromise" to "login comprimise for user account + privesc". It's basically done as a defence-in-depth thing. – Fake Name Dec 28 '16 at 01:56
  • To get root using terminal: sudo su – jmp Jan 02 '23 at 16:14
  • Here's what I don't get: I ran sudo su - and entered the current user's password, and got a root shell. Then I tried su otheruser -, from my root shell, and got su: Sorry. WTF, Apple? I'm root, don't tell me "Sorry"! Is this (terrible) behavior actually documented somewhere official? – James B Jan 29 '23 at 16:02
  • @JamesB - try su - otheruser. This is documented under man su – Devin Stewart Jan 29 '24 at 20:12
22

You have two options. The first is to use sudo -s - this will give you superuser access, but you will still remain 'yourself' (so to speak), so things like ~ will still be your home directory. Alternatively, you can use sudo su, which gives you a shell as the actual root user of your Mac.

Kyle Cronin
  • 23,242
  • 21
  • 83
  • 143
  • 6
    The Apple Way(tm) is to use sudo to run commands that require elevated privileges, not to switch to a root shell and work from that. – Ian C. May 23 '11 at 01:04
  • 5
    @Ian C. - No, that's actually the unix way. Apple just uses it because it is *nix based too. – Fake Name May 23 '11 at 09:34
  • @Fake Name: Apple goes through great pains to never talk or expose the root shell to users. You could say they take the sudo ethos to the extreme. But whatever: semantics. Don't use root shells in OS X. – Ian C. May 23 '11 at 13:05
  • 1
    @Ian C - Apple doesn't do much more than the *nix designers do, Apple just doesn't talk about it much. In both cases, it's there, only with things like linux, they tell you how to use it easily. If that makes it more widely used, it doesn't indicate an underlying architecture difference. – Fake Name May 23 '11 at 18:24
7

Modern solution: sudo -u

To run as another use, use sudo -u.

For example, to run a text-editor such as nano:

sudo -u someuser nano

…and enter your Mac admin user password when prompted. At this juncture, it is your Mac admin user who is invoking sudo, not the someuser user so you do not enter the someuser password.

  • sudo means to run something using superuser privileges.
  • -u means “run a specified command as this specified user”.
  • someuser should be replaced with your desired user name.

To simulate an initial login as a particular user, including running their startup scripts, use -I.

sudo -u someuser -i nano

This runs the nano app as the user someuser but only after having run the startup scripts for that user.

If we opt to not specify a command or app to run, we get an interactive shell running as that user.

sudo -u someuser -i

Old-school: sudo su someuser

Another approach uses the su command in combination with the sudo. The su command means “switch user”. 

sudo su someuser

Or, to include running the user's startup scripts, add the hyphen.

sudo su - someuser

root user

The root user in Unix-related operating systems have absolute power to do anything.

Apple has chosen to disable the root account in macOS, to avoid security vulnerability exploits and to protect you from shooting yourself in the foot. Apple created the idea of the Administrator user accounts who have many powers, more powers than a Standard user account, but not absolute power like root has. See this Apple Support note for discussion.

If need be, you can enable the root user in macOS and then switch to that user. This is strongly discouraged. I would go down this path only as a desperate last resort.

For discussion of this within the context of the postgres user running the Postgres database system on macOS, see this Question on the sister site, DBA Stack Exchange.

Basil Bourque
  • 12,634
2

I think you can't do this as a "normal" user...

If there is another user account with admin rights you have to use this one

restricted user$ su
Password:(the root password here)
Sorry!

restricted user$ su - (an admin account here)
password:(the admin account password)
$ su - root
Password:(The root password here)
# -> You are root user now
nohillside
  • 100,768
user302849
  • 21
  • This is because of a line in /etc/pam.d/su. account required pam_group.so ... is telling the system to only allow su to root if you are switching from an account in the admin or wheel group. You can comment-off this line if you really want to, but I wouldn't since it isn't really necessary for those (hopefully rare) occasions when you need to become root. – David C. Mar 09 '21 at 23:10
1

For instance, if you need move files or use git using the CLI then, in that case, the best solution will be to use the sudo -s command. After that command, you don't have to keep entering the password again and again.

Kahef Mirza
  • 11
0

I had this same problem and as @Nohillside suggested, there is no way to access root through the su command as a normal user just using su. As stated, adding the admin account to the su command is recognized. I was able to connect as root that way. It's not something I will do often. I just wanted to test it and the result was an immediate connection.

> admin-server:~ admin$ su
> Password:
> su: Sorry
> admin-server:~ admin$ su - admin
> Password:
> admin-server:~ admin$
Malinda
  • 1
-2

Try the password alpine?! Legend has it that alpine was the root password on macOS for many years! You can get to root from an admin account shell with:

sudo su

I recommend then changing the password for root with:

passwd

After this I can just run su and type the actual root password. Handy for going root from a regular user account.

Tomachi
  • 135