Posted on 02-12-2022 10:01 AM
Hi,
what’s the best practice for disabling root account in macOS?
Script and Policy sound about right but what does everyone else use?
Posted on 02-14-2022 06:21 PM
If you want to disable the 'root' user (uid 0), the following code will do just that. If instead you are trying to disable elevated privileges for admin users, then @BWonderchild's script would do.
#!/bin/bash
DSCL_BIN=$(which dscl)
# Read the root user record from the local directory node and check whether it
# carries an AuthenticationAuthority attribute. Only an enabled root account has one,
# so grep's exit status (0 = found, 1 = not found) tells us whether root is enabled.
"$DSCL_BIN" . read /Users/root 2>/dev/null | grep -q AuthenticationAuthority
rootEnableCheck=$?
if [ "${rootEnableCheck}" -eq 1 ]; then
echo "No root user enabled"
else
# Removing the attribute leaves root with no way to authenticate, i.e. disabled
echo "Deleting the Authentication Authority for root user"
"$DSCL_BIN" . delete /Users/root AuthenticationAuthority
fi
exit 0
Posted on 02-14-2022 02:38 PM
I used an old script that was pushed out:
#!/bin/bash
# Parameters
mgmtAccount="admin" # Required; Example: so_and_so_admin
# Variables
# Members of the local admin group, with the "GroupMembership:" label stripped
userList=$(/usr/bin/dscl . read /Groups/admin GroupMembership | /usr/bin/cut -d " " -f 2-)
# Exit out if we don't have our parameters set
[[ -z "$mgmtAccount" ]] && echo "No management account specified to ignore; exiting." && exit 1
# Loop through each user and demote them, skipping root and the Jamf Pro management account specified
for userName in $userList; do
if [[ "$userName" != "root" ]] && [[ "$userName" != "$mgmtAccount" ]]; then
/usr/sbin/dseditgroup -o edit -d "$userName" admin
echo "Account $userName had admin privileges removed."
fi
done
exit 0
Posted on 08-09-2022 04:24 PM
This was a good starting point for me, so thank you. I just had to do a couple tweaks so it would run (adding a # to the shebang, commenting out 'Parameters' and 'Variables', changing the line spacing a little).
I can confirm the below is working to demote all users, except the ones you exclude (mgmtAccount variable), in the latest Monterey (12.5).
#!/bin/bash
# Parameters
# Required; Example: so_and_so_admin
mgmtAccount=Administrator
# Variables
# Members of the local admin group, with the "GroupMembership:" label stripped
userList=$(/usr/bin/dscl . read /Groups/admin GroupMembership | /usr/bin/cut -d " " -f 2-)
# Exit out if we don't have our parameters set
[[ -z "$mgmtAccount" ]] && echo "No management account specified to ignore; exiting." && exit 1
# Loop through each user and demote them, skipping root and the Jamf Pro management account specified
for userName in $userList; do
if [[ "$userName" != "root" ]] && [[ "$userName" != "$mgmtAccount" ]]; then
/usr/sbin/dseditgroup -o edit -d "$userName" admin
echo "Account $userName had admin privileges removed."
fi
done
exit 0
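As an added dry-run audit that is not code from this thread, the script below applies the two checks discussed above (does root's record carry an AuthenticationAuthority, and which admin group members would be demoted given an exclusion list) to captured dscl output, so the decision logic can be exercised anywhere before it is pushed out as a policy; the function names and the sample dscl output are constructed for illustration.

```bash
#!/bin/bash
# Dry-run audit for the two checks in this thread. The *_from_output functions
# work on captured dscl output so they can be exercised with the constructed
# samples below; the *_live wrappers feed them real dscl output on a Mac.

# Exit 0 if the root record has an AuthenticationAuthority (root enabled), 1 otherwise.
root_enabled_from_output() {
  printf '%s\n' "$1" | grep -q '^AuthenticationAuthority:'
}

# Print the admin group members that would be demoted: everyone except root and
# the excluded management accounts passed as further arguments.
demotion_candidates_from_output() {
  group_output="$1"; shift
  # Drop the "GroupMembership:" label, keep the space-separated member names
  members=$(printf '%s\n' "$group_output" | awk '/^GroupMembership:/ { $1=""; print }')
  for member in $members; do
    keep=0
    [ "$member" = "root" ] && keep=1
    for excluded in "$@"; do
      [ "$member" = "$excluded" ] && keep=1
    done
    [ "$keep" -eq 0 ] && printf '%s\n' "$member"
  done
  return 0
}

# Live wrappers (macOS only); hypothetical names, same logic on real dscl output
root_enabled_live() {
  root_enabled_from_output "$(dscl . read /Users/root 2>/dev/null)"
}
demotion_candidates_live() {
  demotion_candidates_from_output "$(dscl . read /Groups/admin GroupMembership)" "$@"
}

# Constructed samples, shaped like real dscl output
SAMPLE_ROOT_ENABLED='RecordName: root
AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>
UniqueID: 0'
SAMPLE_ROOT_DISABLED='RecordName: root
UniqueID: 0'
SAMPLE_ADMIN_GROUP='GroupMembership: root admin so_and_so_admin jdoe'
```

Run `demotion_candidates_live so_and_so_admin` on a test Mac to see exactly which accounts the policy script would strip from the admin group before deploying it.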
Posted on 02-15-2022 12:57 PM
You the real MVP