Hi,
what’s the best practice for disabling root account in macOS?
Script and Policy sound about right but what does everyone else use?
Solved
Best practice for disabling root account
+6Best answer by Phantom5
If you want to disable the 'root' user (uid 0), the following code will do just that. If instead you are trying to disable elevate privileges for admin users, then @BWonderchild script would do.
#!/bin/bash
DSCL_BIN=$(which dscl)
# Read root user authentication authority from local domain using the DSCL command line
rootEnableCheck="$(dscl . read /Users/root | grep AuthenticationAuthority 2>&1 > /dev/null ; echo $?)"
if [ "${rootEnableCheck}" == 1 ]; then
echo "No root user enabled"
else
echo "Deleting the Authentication Authority for root user"
$DSCL_BIN . delete /Users/root AuthenticationAuthority
fi
exit 0
+9I used an old script that was pushed out:
!/bin/bash
Parameters
mgmtAccount="admin" # Required; Example: so_and_so_admin
Variables
userList=$(/usr/bin/dscl . read /Groups/admin GroupMembership | /usr/bin/cut -d " " -f 2-)
Exit out if we don't have our parameters set
[[ -z "$mgmtAccount" ]] && echo "No management account specified to ignore; exiting." && exit 1
Loop through each user and demote them, skipping root and the Jamf Pro management account specified
for userName in $userList; do if [[ "$userName" != "root" ]] && [[ "$userName" != "$mgmtAccount" ]]; then /usr/sbin/dseditgroup -o edit -d "$userName" admin echo "Account "$userName" had admin privileges removed." fi
done
exit 0
+9If you want to disable the 'root' user (uid 0), the following code will do just that. If instead you are trying to disable elevate privileges for admin users, then @BWonderchild script would do.
#!/bin/bash
DSCL_BIN=$(which dscl)
# Read root user authentication authority from local domain using the DSCL command line
rootEnableCheck="$(dscl . read /Users/root | grep AuthenticationAuthority 2>&1 > /dev/null ; echo $?)"
if [ "${rootEnableCheck}" == 1 ]; then
echo "No root user enabled"
else
echo "Deleting the Authentication Authority for root user"
$DSCL_BIN . delete /Users/root AuthenticationAuthority
fi
exit 0
+9If you want to disable the 'root' user (uid 0), the following code will do just that. If instead you are trying to disable elevate privileges for admin users, then @BWonderchild script would do.
#!/bin/bash
DSCL_BIN=$(which dscl)
# Read root user authentication authority from local domain using the DSCL command line
rootEnableCheck="$(dscl . read /Users/root | grep AuthenticationAuthority 2>&1 > /dev/null ; echo $?)"
if [ "${rootEnableCheck}" == 1 ]; then
echo "No root user enabled"
else
echo "Deleting the Authentication Authority for root user"
$DSCL_BIN . delete /Users/root AuthenticationAuthority
fi
exit 0
You the real MVP
+9I used an old script that was pushed out:
!/bin/bash
Parameters
mgmtAccount="admin" # Required; Example: so_and_so_admin
Variables
userList=$(/usr/bin/dscl . read /Groups/admin GroupMembership | /usr/bin/cut -d " " -f 2-)
Exit out if we don't have our parameters set
[[ -z "$mgmtAccount" ]] && echo "No management account specified to ignore; exiting." && exit 1
Loop through each user and demote them, skipping root and the Jamf Pro management account specified
for userName in $userList; do if [[ "$userName" != "root" ]] && [[ "$userName" != "$mgmtAccount" ]]; then /usr/sbin/dseditgroup -o edit -d "$userName" admin echo "Account "$userName" had admin privileges removed." fi
done
exit 0
This was a good starting point for me, so thank you. I just had to do a couple tweaks so it would run (adding a # to the shebang, commenting out 'Parameters' and 'Variables', changing the line spacing a little).
I can confirm the below is working to demote all users, except the ones you exclude (mgmtAccount variable), in the latest Monterey (12.5).
#!/bin/bash
#Parameters
#Required; Example: so_and_so_admin
mgmtAccount=Administrator
#Variables
userList=$(/usr/bin/dscl . read /Groups/admin GroupMembership | /usr/bin/cut -d " " -f 2-)
#Exit out if we don't have our parameters set
[[ -z "$mgmtAccount" ]] && echo "No management account specified to ignore; exiting." && exit 1
#Loop through each user and demote them, skipping root and the Jamf Pro management account specified
for userName in $userList; do if [[ "$userName" != "root" ]] && [[ "$userName" != "$mgmtAccount" ]]; then /usr/sbin/dseditgroup -o edit -d "$userName" admin echo "Account "$userName" had admin privileges removed."
fi
done
exit 0
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.