Skip to content

Instantly share code, notes, and snippets.

@arkku
Last active November 30, 2017 12:01
Show Gist options
  • Save arkku/faec0a43ccc8c8d4bc2046419f5ade6d to your computer and use it in GitHub Desktop.
Save arkku/faec0a43ccc8c8d4bc2046419f5ade6d to your computer and use it in GitHub Desktop.
Script to disable root account on macOS High Sierra
#!/bin/bash
# This script will disable the root account on macOS.
# At the time of writing there is a severe security flaw in macOS High Sierra,
# which allows the root account to be used without any password to gain admin
# access from any of the GUI password dialogs (it will fail once the first time,
# but on subsequent attempts it will accept the empty password).
#
# The commonly circulated workaround is to set a password for the root account,
# but IMO it is preferable to disable the account altogether. Curiously, the
# usual method of setting an asterisk '*' as the Password does not work by
# itself here - is this a deliberate backdoor for the root account?
#
# - Kimmo Kulovesi, 2017-11-29
set -e -o pipefail
DSCL="dscl ."
ROOT="Users/root"
keys="ShadowHashData KerberosKeys HeimdalSRPKey accountPolicyData _writers_passwd"
for key in $keys; do
key="dsAttrTypeNative:$key"
echo "Deleting key $key..."
$DSCL -delete "$ROOT" "$key"
done
echo 'Disabling password...'
$DSCL -create "$ROOT" Password '*'
echo 'Disabling authentication...'
$DSCL -create "$ROOT" AuthenticationAuthority ';DisabledUser;;ShadowHash;'
echo
$DSCL -read "$ROOT"
@sto6
Copy link

sto6 commented Nov 30, 2017

How to FIRST, passively JUST CHECK if my root account has a password set or not, before I touch anything else?
If following command reports 'Password: *' does that (single star) definitely indicate I have no root password set?
dscl . -read /Users/root Password
If root account gets disabled, and then re-enabled would a previously set password still be there?
Can one safely/usefully use dscl command's -delete to delete Password key on root account?

@arkku
Copy link
Author

arkku commented Nov 30, 2017

@sto6 It is safe to erase the password with dscl . -create Users/root Password '*'. This is the traditional way to disable the password; it does not set the password itself to *. I wouldn't delete the Password record altogether.

Prior to Apple's security update (2017-001), this method of disabling the password did not work, because the first time you tried to authenticate as root with an empty password, it would enable the account with an empty password. I discovered that adding ;DisabledUser; to AuthenticationAuthority did succeed in disabling this backdoor, but after the security update it again suffices to just set Password to *. Then again, there shouldn't be any harm in running the above script, either.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment