Best practice for disabling root account

CrawfordRobson
New Contributor III

Hi,

What's the best practice for disabling the root account in macOS?

Script and Policy sound about right but what does everyone else use?



4 REPLIES

BWonderchild
New Contributor III

I used an old script that was pushed out:

!/bin/bash
Parameters
mgmtAccount="admin" # Required; Example: so_and_so_admin

Variables
userList=$(/usr/bin/dscl . read /Groups/admin GroupMembership | /usr/bin/cut -d " " -f 2-)

Exit out if we don't have our parameters set
[[ -z "$mgmtAccount" ]] && echo "No management account specified to ignore; exiting." && exit 1

Loop through each user and demote them, skipping root and the Jamf Pro management account specified
for userName in $userList; do if [[ "$userName" != "root" ]] && [[ "$userName" != "$mgmtAccount" ]]; then /usr/sbin/dseditgroup -o edit -d "$userName" admin echo "Account "$userName" had admin privileges removed." fi
done

exit 0

This was a good starting point for me, so thank you. I just had to do a couple tweaks so it would run (adding a # to the shebang, commenting out 'Parameters' and 'Variables', changing the line spacing a little).

I can confirm the below is working to demote all users, except the ones you exclude (mgmtAccount variable), in the latest Monterey (12.5).

#!/bin/bash

#Parameters

#Required; Example: so_and_so_admin
mgmtAccount="Administrator"

#Variables
userList=$(/usr/bin/dscl . read /Groups/admin GroupMembership | /usr/bin/cut -d " " -f 2-)

#Exit out if we don't have our parameters set

[[ -z "$mgmtAccount" ]] && echo "No management account specified to ignore; exiting." && exit 1

#Loop through each user and demote them, skipping root and the Jamf Pro management account specified

for userName in $userList; do
    if [[ "$userName" != "root" ]] && [[ "$userName" != "$mgmtAccount" ]]; then
        # Remove the user record from the local admin group
        /usr/sbin/dseditgroup -o edit -d "$userName" -t user admin
        echo "Account $userName had admin privileges removed."
    fi
done

exit 0

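As an added example that is not part of any post in this thread: the same admin-demotion logic, with the parsing of the `GroupMembership:` line pulled into functions so it can be dry-run and checked before it touches anything, and with a guard that refuses to run if none of the allow-listed accounts is actually in the admin group (a typo in the allow-list would otherwise demote everyone, including the Jamf management account). The allow-list names, the `--apply` flag and the dry-run default are assumptions of this example; it assumes the single-line output of `dscl . read /Groups/admin GroupMembership`.

```shell
#!/bin/bash
# Added example (not a script from the thread): demote local admins except an allow-list.
# Assumptions of this example: the allow-list names below are placeholders,
# and the real demotion only runs when invoked as root with --apply.

# Accounts that must keep membership in the local "admin" group.
# Put the Jamf management account (whatever it is called) in here.
KEEP_ADMINS="root Administrator"

# Return 0 if the account name in $1 appears in KEEP_ADMINS.
is_kept() {
    for k in $KEEP_ADMINS; do
        if [ "$1" = "$k" ]; then
            return 0
        fi
    done
    return 1
}

# Given the single line printed by
#   dscl . read /Groups/admin GroupMembership
# (e.g. "GroupMembership: root Administrator alice"), print the members
# that are not on the allow-list, one per line.
users_to_demote() {
    members="${1#GroupMembership:}"
    for user in $members; do
        if ! is_kept "$user"; then
            printf '%s\n' "$user"
        fi
    done
    return 0
}

# Safety check: return 0 only if at least one allow-listed account is
# currently in the group, so a typo in KEEP_ADMINS cannot demote everyone.
allowlist_present() {
    members="${1#GroupMembership:}"
    for user in $members; do
        if is_kept "$user"; then
            return 0
        fi
    done
    return 1
}

# Real action: read the group, bail out if the allow-list would leave the
# group empty, then remove every remaining member with dseditgroup.
demote_admins() {
    line=$(/usr/bin/dscl . read /Groups/admin GroupMembership) || return 1
    if ! allowlist_present "$line"; then
        echo "No allow-listed account is in the admin group; refusing to continue." >&2
        return 1
    fi
    users_to_demote "$line" | while read -r user; do
        if /usr/sbin/dseditgroup -o edit -d "$user" -t user admin; then
            echo "Account $user had admin privileges removed."
        else
            echo "Failed to demote $user" >&2
        fi
    done
}

# Dry run by default; only modify the group when run as root with --apply.
if [ "${1:-}" = "--apply" ] && [ "$(id -u)" = "0" ]; then
    demote_admins
elif [ -x /usr/bin/dscl ]; then
    echo "Dry run; would demote:"
    users_to_demote "$(/usr/bin/dscl . read /Groups/admin GroupMembership)"
fi
```

Run it once without arguments on a test Mac to see the list it would act on, then with `--apply` from a Jamf policy (which runs as root). Note that `GroupMembership` only lists explicit members of the local admin group; accounts that get admin rights through nested groups or a directory service are not in that line and need separate handling.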

Phantom5
Contributor II

If you want to disable the 'root' user (uid 0), the following code will do just that. If instead you are trying to disable elevated privileges for admin users, then @BWonderchild's script would do.


#!/bin/bash

DSCL_BIN=$(which dscl)

# Read the root user record from the local directory node; the
# AuthenticationAuthority attribute is only present when root is enabled.
# grep -q keeps the captured value to the exit status alone.
rootEnableCheck="$("$DSCL_BIN" . read /Users/root 2>/dev/null | grep -q AuthenticationAuthority ; echo $?)"

if [ "${rootEnableCheck}" == 1 ]; then
    echo "No root user enabled"
else
    echo "Deleting the Authentication Authority for root user"
    "$DSCL_BIN" . delete /Users/root AuthenticationAuthority
fi

exit 0


You the real MVP
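As an added example that is not Phantom5's script or any other post in this thread: the root check done on the exact attribute instead of the whole record, split into a pure classifier that can be tested against captured dscl output, plus a disable step that re-reads the record afterwards so the policy fails loudly if the change did not take. The `--apply` flag and exit codes are choices of this example; it assumes dscl's documented behaviour of printing "No such key: AuthenticationAuthority" to stderr when the attribute is absent.

```shell
#!/bin/bash
# Added example (not Phantom5's script): report whether the root account is
# enabled, and disable it only when run as root with --apply.
# Assumption of this example: the --apply flag and the exit codes are mine.

# Classify the text that
#   dscl . -read /Users/root AuthenticationAuthority 2>&1
# produces. dscl reports "No such key: AuthenticationAuthority" on stderr
# when the attribute is absent (root disabled); otherwise it prints the
# attribute, e.g. "AuthenticationAuthority: ;ShadowHash;HASHLIST:<...>".
# A ";DisabledUser;" tag (what pwpolicy -disableuser adds) also means disabled.
root_state() {
    case "$1" in
        *"No such key"*)              echo "disabled" ;;
        *";DisabledUser;"*)           echo "disabled" ;;
        *"AuthenticationAuthority:"*) echo "enabled" ;;
        *)                            echo "unknown" ;;
    esac
}

# Query the live directory node and print enabled/disabled/unknown.
current_root_state() {
    root_state "$(/usr/bin/dscl . -read /Users/root AuthenticationAuthority 2>&1)"
}

# Disable root the way the thread's script does (drop the authentication
# authority), then re-read the record to verify the change actually took.
disable_root() {
    /usr/bin/dscl . -delete /Users/root AuthenticationAuthority || return 1
    if [ "$(current_root_state)" = "disabled" ]; then
        echo "root disabled"
        return 0
    fi
    echo "root still enabled after deleting AuthenticationAuthority" >&2
    return 1
}

# Only talk to the directory when dscl exists (macOS); report first, act on --apply.
if [ -x /usr/bin/dscl ]; then
    state=$(current_root_state)
    echo "root account is $state"
    if [ "$state" = "enabled" ] && [ "${1:-}" = "--apply" ]; then
        if [ "$(id -u)" != "0" ]; then
            echo "re-run as root to disable" >&2
            exit 2
        fi
        disable_root
    fi
fi
```

Apple's supported route is `dsenableroot -d`, which asks for an admin user name and password; if you script it with `-u`/`-p`, the password is visible in the process list while it runs, which is why Jamf-driven scripts tend to delete the attribute with dscl as above. Either way, the verification step matters more than the method: a Jamf policy that only runs the delete will report success even when nothing changed, whereas this one exits non-zero.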