How to disable root for users that have enabled root on their machine

beeboo
Contributor

In my fleet there are a small handful of users that enabled the root account.

This is the EA i use to determine it from someone on this forum

#!/bin/bash

rootCheck=`dscl . read /Users/root | grep AuthenticationAuthority 2>&1 > /dev/null ; echo $?`
if [ "${rootCheck}" == 1 ]; then
	echo "<result>Disabled</result>"
else
	echo "<result>Enabled</result>"
fi

 

My questions are:

  1. how can i prevent this happening in the future? right now its a small number of people but if word gets out it could be bad
  2. since the user's set up root themselves, i dont know the password to disable it, is there a way to get it resolved to disable root for users that have it enabled?

 

Thanks! 

1 ACCEPTED SOLUTION

mm2270
Legendary Contributor II

It looks like it might not be possible to disable root without knowing the password of the account it was enabled for, according to what I can see in the dsenableroot command. I'm not quite sure how best to handle this, outside of contacting those users and explaining to them that enabling root is a security risk and against company policy (I assume it's against policy), and asking them to disable it.

As for preventing it? Short of removing their admin rights, it sounds like something where you will need to publish to all users as policy that will be enforced and then just monitor for violations as you're already doing. As the saying goes, once someone is admin, all bets are off.

View solution in original post

7 REPLIES 7

mm2270
Legendary Contributor II

It looks like it might not be possible to disable root without knowing the password of the account it was enabled for, according to what I can see in the dsenableroot command. I'm not quite sure how best to handle this, outside of contacting those users and explaining to them that enabling root is a security risk and against company policy (I assume it's against policy), and asking them to disable it.

As for preventing it? Short of removing their admin rights, it sounds like something where you will need to publish to all users as policy that will be enforced and then just monitor for violations as you're already doing. As the saying goes, once someone is admin, all bets are off.

View solution in original post

Keith_L
New Contributor II
#!/bin/bash

# remove the AuthenticationAuthority from the user's account
dscl . delete /Users/root AuthenticationAuthority

# Put a single asterisk in the password entry, thus locking the acount.
dscl . -create /Users/root Password '*'

# Disable root login by setting root's shell to /usr/bin/false

dscl . -create /Users/root UserShell /usr/bin/false

exit 0

I agree with @mm2270 that once a user is Admin, all bets are off. But if you are worried about the default 'root' user being used for any exploits, the above script should help you disable 'root' on a recurring basis.

junjishimazaki
Contributor II

I'm wondering why those particular users are setting up the root account. Are they developers/engineers?  There has to be a reason why they are doing this. The fact that you are concerned that other users may do this tells me it's not allowed.  I would take this to your reporting manager and if you have one an information security team about this issue. Have them set the policy of what users are and are not allowed to do on the company computer. Then you can or them can notify the users of their actions and to delete those root accounts. 

beeboo
Contributor

Sure, I can do that, but its not entirely feasible for the users who are noncompliance.

Just like forcing an app update, I feel like JSS needs to be able to prevent or reverse this.

If there was a config profile that could be set as preventative measure thatd be awesome, but aside from having a user do it themselves, which may or may not be possible, itd be nice to force it from an admin perspective. 

jhuls
Contributor III

I think you're asking for Jamf to do something that I'm not sure is doable.

We haven't had issues with anyone enabling root other than people on my own team forgetting to disable it when it was needed. I have a smartgroup that recognizes when root is enabled and then runs a script via a policy set to ongoing to disable it automatically. It's not a prevention technique but does what I need it to do. If someone else unofficially insisted that they had to enable root, I would imagine this would get very irritating for them.

I'd say the right direction at this point is to make sure that there's a company/institution policy of this not being enabled and then you can use Jamf for reporting if/when it does occur. Let administration deal with possible discipline.

what was your solution to disable it? same as listed by another user above?

jhuls
Contributor III

I'm just using dsenableroot.