#!/bin/bash
# This script will disable the root account on macOS.
# At the time of writing there is a severe security flaw in macOS High Sierra,
# which allows the root account to be used without any password to gain admin
# access from any of the GUI password dialogs (it will fail once the first time,
# but on subsequent attempts it will accept the empty password).
#
# The commonly circulated workaround is to set a password for the root account,
# but IMO it is preferable to disable the account altogether. Curiously, the
# usual method of setting an asterisk '*' as the Password does not work by
# itself here - is this a deliberate backdoor for the root account?
#
# - Kimmo Kulovesi, 2017-11-29
set -e -o pipefail
DSCL="dscl ."
ROOT="Users/root"
# Every stored credential material for root: password hashes, Kerberos keys,
# SRP key, account policy, and the list of users allowed to change the password.
keys="ShadowHashData KerberosKeys HeimdalSRPKey accountPolicyData _writers_passwd"
for key in $keys; do
    key="dsAttrTypeNative:$key"
    echo "Deleting key $key..."
    $DSCL -delete "$ROOT" "$key"
done
# '*' is the traditional "no valid password" marker in the Password attribute.
echo 'Disabling password...'
$DSCL -create "$ROOT" Password '*'
# Mark the account itself as disabled so no authentication method will succeed.
echo 'Disabling authentication...'
$DSCL -create "$ROOT" AuthenticationAuthority ';DisabledUser;;ShadowHash;'
echo
# Print the resulting record for verification.
$DSCL -read "$ROOT"
There's an official security update now. That being said, if you enabled root account earlier, you might want to disable it again.
How to FIRST, passively JUST CHECK if my root account has a password set or not, before I touch anything else?
If following command reports 'Password: *' does that (single star) definitely indicate I have no root password set?
dscl . -read /Users/root Password
If root account gets disabled, and then re-enabled would a previously set password still be there?
Can one safely/usefully use dscl command's -delete to delete Password key on root account?
@sto6 It is safe to erase the password with dscl . -create Users/root Password '*'. This is the traditional way to disable the password; it does not set the password itself to *. I wouldn't delete the Password record altogether.

Prior to Apple's security update (2017-001), this method of disabling the password did not work, because the first time you tried to authenticate as root with an empty password, it would enable the account with an empty password. I discovered that adding ;DisabledUser; to AuthenticationAuthority did succeed in disabling this backdoor, but after the security update it again suffices to just set Password to *. Then again, there shouldn't be any harm in running the above script, either.

Obviously the script itself needs to be run as root, e.g., sudo bash disable-root.sh
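A read-only check for the state the question above asks about, added here as an example and not part of the gist or its comments. It reads the same three attributes the script above touches (AuthenticationAuthority, Password, ShadowHashData) and classifies them; it assumes dscl's "-read" prints each attribute as "Name: value" with the ShadowHashData hex dump following its name, and the sample outputs embedded below are constructed, not captured from a real machine. The helper names are hypothetical.

```shell
#!/bin/bash
# Passive check of the root account's password state. Reads only; never
# writes to Directory Services. Assumes the "Name: value" output format of
# "dscl . -read" (assumption, see lead-in).

# classify_root_status TEXT
#   TEXT is the concatenated output of reading AuthenticationAuthority,
#   Password and ShadowHashData for /Users/root.
#   Prints one of: disabled, hash-present, no-password, password-set, unknown
classify_root_status() {
    text="$1"
    # ;DisabledUser; anywhere in the authority string means the account is
    # disabled regardless of what credentials are stored.
    case "$text" in
        *';DisabledUser;'*) echo disabled; return 0 ;;
    esac
    # A ShadowHashData attribute is the real credential; its presence means a
    # password could still be usable even if Password reads '*'.
    if printf '%s\n' "$text" | grep -q '^ShadowHashData:'; then
        echo hash-present; return 0
    fi
    password=$(printf '%s\n' "$text" | sed -n 's/^Password: *//p')
    case "$password" in
        '*') echo no-password ;;     # traditional "no valid password" marker
        '')  echo unknown ;;         # attribute missing or unreadable
        *)   echo password-set ;;
    esac
}

# read_root_attrs: query each attribute separately so a missing key
# (e.g. ShadowHashData after the script above deleted it) does not abort
# the others.
read_root_attrs() {
    for k in AuthenticationAuthority Password ShadowHashData; do
        dscl . -read /Users/root "$k" 2>/dev/null || true
    done
}

# Constructed sample outputs (not real dscl captures) covering each state.
SAMPLE_DISABLED="$(printf 'AuthenticationAuthority: ;DisabledUser;;ShadowHash;\nPassword: *\n')"
SAMPLE_STAR="$(printf 'Password: *\n')"
SAMPLE_HASH="$(printf 'AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>\nPassword: ********\nShadowHashData:\n 62706c69 73743030\n')"

if command -v dscl >/dev/null 2>&1; then
    echo "root account: $(classify_root_status "$(read_root_attrs)")"
else
    echo "dscl not available here; constructed samples classify as:"
    echo "  disabled sample  -> $(classify_root_status "$SAMPLE_DISABLED")"
    echo "  star sample      -> $(classify_root_status "$SAMPLE_STAR")"
    echo "  hash sample      -> $(classify_root_status "$SAMPLE_HASH")"
fi
```

Run it unprivileged first; dscl can read these attributes without sudo on a local node, so no root is needed for the check. "no-password" corresponds to the single-star Password value asked about, while "hash-present" is the case the star alone does not rule out, which is why the script above deletes ShadowHashData rather than only rewriting Password.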