Posted on 04-02-2015 05:44 AM
So I disabled root by changing the shell they log into. Works well, they can enable it all they want, but they can't log in. The downside is that some of their developer apps that they use install and update via a script that calls root. This is as designed by the vendor of the apps. Anybody have any suggestions on how to keep them happy while addressing our security dept's concerns about having it enabled?
Posted on 04-02-2015 06:17 AM
We have an Ext. Attribute that inventories the user accounts and various attributes of the account, whether they are local or mobile or if they are admins for example, and one of the things it checks for is if root is enabled:
if [ "$(dscl . -read /Users/root Password | grep -cF '**')" -gt '0' ]; then
result=',root-enabled,'
else
result=','
fi
We then have a policy with a one-liner which disables root, scoped to every machine that the previously mentioned EA has a match like ',root-enabled,':
dscl . -passwd /Users/root 'randomstring'; dsenableroot -d -u root -p 'randomstring'
'randomstring' is a randomly generated string of characters. It has to be the same in both commands, and I guess it doesn't technically have to be secure since you're disabling the root account that uses that password, but that line of thinking makes me nervous, so I use an actual long string of randomly generated characters.
Posted on 04-02-2015 07:04 AM
Would that still allow root to work then, I assume?
Posted on 04-02-2015 07:09 AM
Yep. The root account still works and still exists, and has a shell that can be used. But it disables it in the sense that it removes any password that could be used to log into it directly.
Admin users will need to use sudo in order to elevate their privileges to root.
Posted on 04-02-2015 09:11 AM
So I set it up a while ago, but none of the information is populating. I set it up as a script and added bin/sh.
Posted on 04-02-2015 09:15 AM
No echo line with <result> </result> tags
Posted on 04-02-2015 09:23 AM
Apologies, that was a code snippet for the whole EA. You need to echo out your result in brackets as @mm2270 points out. Let me see if I can clean this up a bit more for you and make it a little more useful.
If your management account is not 'mgmtaccount', you will need to change the text that it searches for.
#!/bin/bash
# Determine if the 'root' account is enabled for login.
# A disabled root account has a Password attribute of a single '*'; an enabled one shows '********'.
# grep -F matches the asterisks literally (as a regex, '**' would match every line).
if [ "$(dscl . -read /Users/root Password | grep -cF '**')" -gt '0' ]; then
result=',root-enabled,'
else
result=','
fi
# Grab array of all non-service accounts.
userArray=()
while read -r line; do
userArray+=("${line}")
done <<< "$(/usr/sbin/jamf listUsers | awk -F '[<>]' '/<name>/ { print $3 }')"
# Loop through all the accounts gathered.
for i in "${userArray[@]}"; do
# Ignore case.
i="$(tr '[:upper:]' '[:lower:]' <<< "${i}")"
# Flag mgmtaccount as the management account.
if [ "${i}" == 'mgmtaccount' ]; then
result="${result}${i}-management"
else
# Check to see if it is a domain/mobile account.
if [ "$(dscl . -read "/Users/${i}" AuthenticationAuthority | grep -ic 'LocalCachedUser')" -gt '0' ]; then
result="${result}${i}-mobile"
else
result="${result}${i}-local"
fi
fi
# Check to see if the account is a member of the admin group (one member per line, exact match).
if [ "$(dscl . -read /Groups/admin GroupMembership | tr ' ' '\n' | grep -ic "^${i}$")" -gt "0" ]; then
result="${result}-admin"
fi
# Use a comma to separate accounts.
result="${result},"
done
printf "<result>%s</result>" "${result}"
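The decision logic of the EA above and the throwaway password for the disable-root policy from earlier in the thread, as an added example that is not code from any of the posts. It runs the same checks (root Password marker, mobile vs. local, admin group membership, two management account names) against constructed sample output from dscl and jamf listUsers, so it can be exercised on any machine without those tools; the account names, the AuthenticationAuthority strings and the helper names are invented for the example.

```shell
#!/bin/sh
# Added example for this thread (not code from the original posts): the EA's
# decision logic and the disable-root policy's throwaway password, exercised
# against constructed sample output so it runs anywhere without dscl or jamf.

# Constructed samples of `dscl . -read /Users/root Password`: dsenableroot -d
# leaves a single "*", an enabled root account shows the hash marker "********".
ROOT_DISABLED_SAMPLE='Password: *'
ROOT_ENABLED_SAMPLE='Password: ********'

# Constructed sample of `/usr/sbin/jamf listUsers` output (names are invented;
# the mixed case is there to show what the lowercasing step normalises).
JAMF_LISTUSERS_SAMPLE='<users>
  <user>
    <name>MgmtAccount</name>
  </user>
  <user>
    <name>jdoe</name>
  </user>
  <user>
    <name>helpdesk</name>
  </user>
</users>'

# Constructed sample of `dscl . -read /Groups/admin GroupMembership`.
ADMIN_MEMBERS_SAMPLE='GroupMembership: root mgmtaccount helpdesk'

# Constructed stand-in for `dscl . -read /Users/<name> AuthenticationAuthority`:
# only jdoe is a cached domain (mobile) account in this sample.
auth_authority() {
  case "$1" in
    jdoe) echo 'AuthenticationAuthority: ;LocalCachedUser;/Active Directory/CORP/corp.example.com:jdoe' ;;
    *)    echo 'AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>' ;;
  esac
}

# root counts as enabled when the Password line carries the "**" marker.
# grep -F matches the asterisks literally; as a regex, "**" would match any line.
root_enabled() {
  [ "$(printf '%s\n' "$1" | grep -cF '**')" -gt 0 ]
}

# Case-insensitive whole-name match against the space-separated member list.
is_admin() {
  [ "$(printf '%s\n' "${1#GroupMembership: }" | tr ' ' '\n' | grep -ic "^$2\$")" -gt 0 ]
}

is_mobile() {
  [ "$(auth_authority "$1" | grep -ic 'LocalCachedUser')" -gt 0 ]
}

# Assemble the same ",root-enabled,name-kind-admin," string the EA reports.
# Accepts two management account names, as the "match this or that" reply does.
build_result() {
  root_line="$1"; users_xml="$2"; admin_line="$3"
  if root_enabled "$root_line"; then result=',root-enabled,'; else result=','; fi
  while read -r i; do
    i="$(printf '%s' "$i" | tr '[:upper:]' '[:lower:]')"
    if [ "$i" = 'mgmtaccount' ] || [ "$i" = 'helpdesk' ]; then
      result="${result}${i}-management"
    elif is_mobile "$i"; then
      result="${result}${i}-mobile"
    else
      result="${result}${i}-local"
    fi
    if is_admin "$admin_line" "$i"; then result="${result}-admin"; fi
    result="${result},"
  done <<EOF
$(printf '%s\n' "$users_xml" | awk -F '[<>]' '/<name>/ { print $3 }')
EOF
  printf '%s' "$result"
}

# Throwaway password for the disable policy: 32 random alphanumerics from the
# kernel CSPRNG, used once for `dscl . -passwd` and `dsenableroot -d`, never stored.
random_password() {
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 32
}

printf '<result>%s</result>\n' "$(build_result "$ROOT_ENABLED_SAMPLE" "$JAMF_LISTUSERS_SAMPLE" "$ADMIN_MEMBERS_SAMPLE")"
```

On a real Mac the three sample variables would be replaced by the live dscl and jamf calls; the functions themselves stay the same. Keeping the checks as functions also makes it easy to confirm that the root test turns false after the disable policy runs, since the Password attribute collapses back to a single asterisk.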
Posted on 04-14-2015 07:11 AM
Thank you for this... Real quick, we have 2 management accounts, one for the JSS that only me and a couple other people have (but it's on every box), and then the local admin that the IT staff has.
How would I modify the mgmtaccount info to allow for either this or that?
Posted on 04-14-2015 09:27 AM
Sure. Simple change to allow "match this" or "match that".
if [ "${i}" == 'mgmtaccount' ] || [ "${i}" == 'otheraccount' ]; then
You might find this useful, I know I did: http://www.tldp.org/LDP/abs/html/
Posted on 04-14-2015 10:21 AM
Thank you, I will take a look at that link and see if I can learn something.