Disable Root

dpecht1221
New Contributor II

I work for a School District and our admin password before we had JAMF was compromised and since then has been changed. But I believe while the students knew the admin password they enabled the root account on several computers.

How do I disable it remotely? I am fairly new to JAMF and scripting, so if you can, please be detailed.

Thanks
Dave

4 REPLIES

tlarkin
Honored Contributor

dsenableroot

bash-3.2# dsenableroot help

dsenableroot:: Enable or disable root user with Directory Services.
Version 10.5.3

Usage: dsenableroot [-d] [-u username] [-p password] [-r rootPassword]

Example 1: dsenableroot
Attempt to enable root account. Your username will be used. Both passwords will be prompted for.

Example 2: dsenableroot -d -u username
Attempt to disable root account. Only user password will be prompted for.

In all cases passwords cannot be empty strings.

Also, Casper has built-in features to change passwords in the accounts tabs of machines scoped. You can do it from the web interface via policy.

-Tom

Walter
New Contributor II

The problem with "dsenableroot -d" for disabling root is that it prompts for a password. If you use the -u and -p arguments to pass username and password so it doesn't prompt for a password, you risk those credentials showing up in the process table in clear text. You also risk them being passed over the network in clear text unless you use a secure protocol for all your JSS client communication.

# Remove the AuthenticationAuthority from the user's account
dscl . delete /Users/root AuthenticationAuthority

# Put a single asterisk in the password entry, thus locking the account.
dscl . -create /Users/root Password '*'

We put the commands above in a policy script which is scoped appropriately.
--
Walter Rowe, System Hosting
Enterprise Systems / OISM
walter.rowe at nist.gov
301-975-2885
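
An added example, not part of any post in this thread: a policy script that checks root's state before and after applying the two dscl commands from the reply above, so no password ever appears on a command line. The function names, the sample dscl output, and the rule that a locked root reads `Password: *` with no AuthenticationAuthority key are assumptions of this example.

```shell
#!/bin/bash
# Added example: audit, lock, then re-check the local root account.
# Run as root on the Mac (for instance from a scoped policy script).

# Constructed samples of `dscl . -read /Users/root Password AuthenticationAuthority`
SAMPLE_ENABLED='Password: ********
AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'
SAMPLE_LOCKED='No such key: AuthenticationAuthority
Password: *'

# Classify root from dscl output. Assumption: locked means the password
# entry is a single asterisk and no AuthenticationAuthority key exists.
root_state() {
    if ! printf '%s\n' "$1" | grep -q '^Password:'; then
        echo unknown      # dscl returned nothing usable
    elif printf '%s\n' "$1" | grep -q '^AuthenticationAuthority:'; then
        echo enabled
    elif printf '%s\n' "$1" | grep -qx 'Password: \*'; then
        echo locked
    else
        echo enabled      # any other password marker: treat as usable
    fi
}

read_root() { dscl . -read /Users/root Password AuthenticationAuthority 2>&1; }

# The two commands from the post above, written with dscl's dashed verbs.
lock_root() {
    dscl . -delete /Users/root AuthenticationAuthority 2>/dev/null  # key may be absent
    dscl . -create /Users/root Password '*'
}

main() {
    before=$(root_state "$(read_root)")
    echo "root before: $before"
    [ "$before" = locked ] && return 0      # nothing to change
    lock_root
    after=$(root_state "$(read_root)")
    echo "root after: $after"
    [ "$after" = locked ]                   # non-zero status if the lock did not take
}

# Act only where dscl exists and we are root; elsewhere only define the functions.
if command -v dscl >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    main
fi
```

The "root before" line in each machine's script output shows which computers actually had root enabled, which answers the original question of how far the change had spread.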

ImAMacGuy
Valued Contributor II

What's the difference between doing

# Remove the AuthenticationAuthority from the user's account
dscl . delete /Users/root AuthenticationAuthority

# Put a single asterisk in the password entry, thus locking the account.
dscl . -create /Users/root Password '*'

and

# Disable root login by setting root's shell to /usr/bin/false
dscl . -create /Users/root UserShell /usr/bin/false

ftiff
Contributor

@jwojda the first method disables all authentication, while the second one only disables logging in.

It's not a very complete response, but the first one is safer.