Home > Mac administration, Mac OS X, macOS, Unix > Disabling login to the root account by changing the root account’s user shell

Disabling login to the root account by changing the root account’s user shell

While discussing various issues with a colleague, he mentioned that he was seeing the root account enabled on several machines where it should not have been. In general, the root account on macOS is not needed for system administration and should be disabled so he asked if there was a way to use the dsenableroot command to disable the root account without also needing to provide a password.

Unfortunately, disabling the root account by using the dsenableroot -d command does require providing a password as part of the command.

Screen Shot 2017 03 19 at 4 55 17 PM

However, it is possible to disable logins to the root account without using the dsenableroot -d command. For more details, see below the jump.

In Unix operating systems, there are two commands whose only purpose is to exit and return a pre-determined message on exit:

  • true – returns a successful exit message
  • false – returns an unsuccessful exit message

Another use for the false command is to block account logins. By setting the account’s shell setting to the path of the false command, any interactive login (either via the OS login window or via command line) will fail to successfully complete. This has the effect of blocking login to the affected account.

On macOS, you can set the root account’s shell to the false command by running the following command with root privileges:

/usr/bin/dscl . -create /Users/root UserShell /usr/bin/false

Once the root account’s shell has been set to /usr/bin/false, it will no longer be possible to log into the root account at either the OS’s loginwindow or in the Terminal.

Root disabled

Screen Shot 2017 03 19 at 4 51 39 PM

It will still be possible to run commands with root privileges by using the sudo utility.

Screen Shot 2017 03 19 at 4 52 31 PM

  1. JayB
    March 20, 2017 at 2:25 am

    Edit /etc/passwd to reverse.

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: