
Disabling login to the root account by changing the root account’s user shell

While discussing various issues with a colleague, he mentioned that he was seeing the root account enabled on several machines where it should not have been. In general, the root account on macOS is not needed for system administration and should be disabled, so he asked if there was a way to use the dsenableroot command to disable the root account without also needing to provide a password.

Unfortunately, disabling the root account by using the dsenableroot -d command does require providing a password as part of the command.


However, it is possible to disable logins to the root account without using the dsenableroot -d command.

In Unix operating systems, there are two commands whose only purpose is to exit with a predetermined exit status:

  • true – exits with a successful status
  • false – exits with an unsuccessful status

Another use for the false command is to block account logins. When an account’s shell is set to the path of the false command, any interactive login (either via the OS login window or via the command line) fails to complete. This has the effect of blocking login to the affected account.

On macOS, you can set the root account’s shell to the false command by running the following command with root privileges:

/usr/bin/dscl . -create /Users/root UserShell /usr/bin/false

Once the root account’s shell has been set to /usr/bin/false, it will no longer be possible to log into the root account at either the OS’s loginwindow or in the Terminal.


It will still be possible to run commands with root privileges by using the sudo utility.
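
For checking this setting across several Macs, as in the situation described at the top of the post, here is an added example (not code from the original post) that reads root's UserShell with dscl, reports whether it is /usr/bin/false, and with --fix applies the command above and re-reads the value to confirm it. The function names, the --audit and --fix arguments and the DSCL override variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit (and optionally fix) the root account's login shell on macOS.
# DSCL is overridable only so the logic can be exercised without a real directory node.
DSCL="${DSCL:-/usr/bin/dscl}"
BLOCKED_SHELL="/usr/bin/false"

# Pull the path out of the "UserShell: /path" line that `dscl . -read` prints.
parse_user_shell() {
    printf '%s\n' "$1" | awk '/^UserShell:/ { print $2; exit }'
}

# Read root's current shell from the local directory node.
current_root_shell() {
    parse_user_shell "$("$DSCL" . -read /Users/root UserShell 2>/dev/null)"
}

# Print the state and return 0 = blocked, 1 = login-capable, 2 = could not read.
audit_root_shell() {
    root_shell="$(current_root_shell)"
    if [ -z "$root_shell" ]; then
        echo "unknown"; return 2
    elif [ "$root_shell" = "$BLOCKED_SHELL" ]; then
        echo "blocked"; return 0
    fi
    echo "login-capable: $root_shell"; return 1
}

# Apply the article's dscl command, then re-read the value to confirm it stuck.
remediate_root_shell() {
    [ "$(id -u)" -eq 0 ] || { echo "must be run as root" >&2; return 1; }
    "$DSCL" . -create /Users/root UserShell "$BLOCKED_SHELL" || return 1
    [ "$(current_root_shell)" = "$BLOCKED_SHELL" ]
}

# Nothing runs unless an argument is given, so the file can also be sourced.
case "${1:-}" in
    --audit) audit_root_shell ;;
    --fix)   audit_root_shell >/dev/null || remediate_root_shell ;;
esac
```

Run it with --audit as any user to report the current state, or with --fix as root to change the shell only when it is not already /usr/bin/false.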


  1. JayB
    March 20, 2017 at 2:25 am

    Edit /etc/passwd to reverse.
