Skip to main content
Solved

How to disable root for users that have enabled root on their machine

  • July 22, 2021
  • 7 replies
  • 72 views
beeboo
Forum|alt.badge.img+7

In my fleet there are a small handful of users that enabled the root account.

This is the EA i use to determine it from someone on this forum

#!/bin/bash rootCheck=`dscl . read /Users/root | grep AuthenticationAuthority 2>&1 > /dev/null ; echo $?` if [ "${rootCheck}" == 1 ]; then echo "<result>Disabled</result>" else echo "<result>Enabled</result>" fi

 

My questions are:

  1. how can i prevent this happening in the future? right now its a small number of people but if word gets out it could be bad
  2. since the user's set up root themselves, i dont know the password to disable it, is there a way to get it resolved to disable root for users that have it enabled?

 

Thanks! 

Best answer by mm2270

It looks like it might not be possible to disable root without knowing the password of the account it was enabled for, according to what I can see in the dsenableroot command. I'm not quite sure how best to handle this, outside of contacting those users and explaining to them that enabling root is a security risk and against company policy (I assume it's against policy), and asking them to disable it.

As for preventing it? Short of removing their admin rights, it sounds like something where you will need to publish to all users as policy that will be enforced and then just monitor for violations as you're already doing. As the saying goes, once someone is admin, all bets are off.

    B

    7 replies

    mm2270
    Forum|alt.badge.img+24
    • mm2270
    • Legendary Contributor
    • Answer
    • July 22, 2021

    It looks like it might not be possible to disable root without knowing the password of the account it was enabled for, according to what I can see in the dsenableroot command. I'm not quite sure how best to handle this, outside of contacting those users and explaining to them that enabling root is a security risk and against company policy (I assume it's against policy), and asking them to disable it.

    As for preventing it? Short of removing their admin rights, it sounds like something where you will need to publish to all users as policy that will be enforced and then just monitor for violations as you're already doing. As the saying goes, once someone is admin, all bets are off.

    beeboo
    K
    Forum|alt.badge.img+6
    • Keith_L
    • Contributor
    • July 27, 2021
    #!/bin/bash # remove the AuthenticationAuthority from the user's account dscl . delete /Users/root AuthenticationAuthority # Put a single asterisk in the password entry, thus locking the acount. dscl . -create /Users/root Password '*' # Disable root login by setting root's shell to /usr/bin/false dscl . -create /Users/root UserShell /usr/bin/false exit 0

    I agree with @mm2270 that once a user is Admin, all bets are off. But if you are worried about the default 'root' user being used for any exploits, the above script should help you disable 'root' on a recurring basis.

    S
    Y
    junjishimazaki
    Forum|alt.badge.img+10

    I'm wondering why those particular users are setting up the root account. Are they developers/engineers?  There has to be a reason why they are doing this. The fact that you are concerned that other users may do this tells me it's not allowed.  I would take this to your reporting manager and if you have one an information security team about this issue. Have them set the policy of what users are and are not allowed to do on the company computer. Then you can or them can notify the users of their actions and to delete those root accounts. 

    beeboo
    Forum|alt.badge.img+7
    • beeboo
    • Author
    • Contributor
    • August 23, 2021

    Sure, I can do that, but its not entirely feasible for the users who are noncompliance.

    Just like forcing an app update, I feel like JSS needs to be able to prevent or reverse this.

    If there was a config profile that could be set as preventative measure thatd be awesome, but aside from having a user do it themselves, which may or may not be possible, itd be nice to force it from an admin perspective. 

    J
    Forum|alt.badge.img+14
    • jhuls
    • Valued Contributor
    • August 23, 2021

    Sure, I can do that, but its not entirely feasible for the users who are noncompliance.

    Just like forcing an app update, I feel like JSS needs to be able to prevent or reverse this.

    If there was a config profile that could be set as preventative measure thatd be awesome, but aside from having a user do it themselves, which may or may not be possible, itd be nice to force it from an admin perspective. 


    I think you're asking for Jamf to do something that I'm not sure is doable.

    We haven't had issues with anyone enabling root other than people on my own team forgetting to disable it when it was needed. I have a smartgroup that recognizes when root is enabled and then runs a script via a policy set to ongoing to disable it automatically. It's not a prevention technique but does what I need it to do. If someone else unofficially insisted that they had to enable root, I would imagine this would get very irritating for them.

    I'd say the right direction at this point is to make sure that there's a company/institution policy of this not being enabled and then you can use Jamf for reporting if/when it does occur. Let administration deal with possible discipline.

    beeboo
    Forum|alt.badge.img+7
    • beeboo
    • Author
    • Contributor
    • August 23, 2021

    I think you're asking for Jamf to do something that I'm not sure is doable.

    We haven't had issues with anyone enabling root other than people on my own team forgetting to disable it when it was needed. I have a smartgroup that recognizes when root is enabled and then runs a script via a policy set to ongoing to disable it automatically. It's not a prevention technique but does what I need it to do. If someone else unofficially insisted that they had to enable root, I would imagine this would get very irritating for them.

    I'd say the right direction at this point is to make sure that there's a company/institution policy of this not being enabled and then you can use Jamf for reporting if/when it does occur. Let administration deal with possible discipline.


    what was your solution to disable it? same as listed by another user above?

    J
    Forum|alt.badge.img+14
    • jhuls
    • Valued Contributor
    • August 23, 2021

    what was your solution to disable it? same as listed by another user above?


    I'm just using dsenableroot.

    Terms & ConditionsCookie settingsAccessibility statement