4

To prevent abuse of the root account (on my macOS, single user) machine, should I always set the root shell to /usr/bin/false (or /sbin/nologin)?

For example should I always:

sudo /usr/bin/dscl . -create /Users/root UserShell /usr/bin/false

or are there common reasons not to do that (other than the obvious and avoidable)?

Jeff Schaller
  • 67,283
  • 35
  • 116
  • 255
orome
  • 416
  • Bear in mind that you are only here in the first place because of the bug that ends up creating a root record in the accounts database to order. Apple's intended mechanism for preventing abuse of the root account was, remember, to not have a record by that name in the accounts database to start with. – JdeBP Dec 01 '17 at 19:15
  • @JdeBP: Yes good point (and assumption). I assume now that it's there, the old standing recommendation to macOS users not to create a root account at all is no longer valid. (It also suggests that disabling the shell for that account might be the closest one can get, but they didn't do that in the patch, so perhaps not.) – orome Dec 01 '17 at 19:21

3 Answers3

10

No, you should not, because then if you need to use the root account (as is sometimes the case, even on Macs) for troubleshooting or recovery, you cannot.

You should, however, set the root password:

$ sudo passwd root
DopeGhoti
  • 76,081
  • 1
    I'm getting conflicting advice. And the macOS recommendation generally is (or has been) not to enable root at all. (I have no idea which approach is right. But that advice made sense to me just from a convenience and UX point of view: I didn't what a powerful account around that I'd never use and with a password I'd certainly forget.) – orome Dec 01 '17 at 18:06
  • I have had several occasions where I needed to boot a Mac into Single-User mode (which logs in with the root user's default shell) in order to address filesystem or other issue that (e. g.) Disk Utility on the Recovery image could not remedy. If the root user's shell were (e. g.) /bin/false, this avenue would not have been available to me without moving the drive to another host, and could have been impossible if FileVault were in play. A password, even one you have forgotten, however, is still better than no password. – DopeGhoti Dec 01 '17 at 20:29
  • That makes sense. (In fact, I now recall having to do exactly that once way back when the Mac was still a NeXT.) But I'm still getting conflicting advice (comments here), so I want to be sure. – orome Dec 02 '17 at 13:42
  • I guess this hinges on wether disabling the shell does indeed prevent Single User access. – orome Dec 02 '17 at 13:51
  • That appears to be wrong. The command in the question will not affect Singe User mode. Can you clarify or confirm? – orome Dec 02 '17 at 15:07
  • Can confirm it works. A co-worker's Mac was using zsh in single-user as they had changed root's shell. – DopeGhoti Dec 05 '17 at 15:51
3

If you set the root shell as you outlined, you cannot log in or su - to root. You an, however, still use sudo or even su (without the minus).

Disabling root login is generally a good security measure. You should, however, make sure that you can access the machine in some other way in case of a system failure. When the system behaves strangely, root login might still work when normal accounts don't (that is, for example, why on most Unix systems the root home directory is not in the normal user home directory, but on the system drive).

You can probably still boot into single-user mode, but I am not 100% sure on this with current MacOS versions, you should check. If this is still possible even with a no-login shell, this is your way out of trouble and you can safely disable root login.

If not, it becomes a question of which death you want to die. Decide for yourself what is more likely - someone abusing your root account or your system malfunctioning to the point where you would need that root account.

Tom
  • 158
  • 5
1

Day to day operations

You don't need the root account enabled to perform day to day operations on macOS. And even without an enabled root account and its shell set to /usr/bin/false you are still able to use sudo (and for root shells sudo -s) without problems.

single user mode

Single user mode uses /private/etc/passwd for login authentication, not Open Directory: 

pse@Mithos:~$ grep ^root: /etc/passwd 
root:*:0:0:System Administrator:/var/root:/bin/sh

but

pse@Mithos:~$ sudo dscl . -read /Users/root UserShell
UserShell: /usr/bin/false

So there will be no negative consequences on single user mode.

nohillside
  • 3,251