5.6 Ensure the "root" Account Is Disabled

Information

The root account is a superuser account that has access privileges to perform any actions and read/write to any file on the computer. With some versions of Linux, the system administrator may commonly use the root account to perform administrative functions.

Enabling and using the root account puts the system at risk since any successful exploit or mistake while the root account is in use could have unlimited access privileges within the system. Using the sudo command allows users to perform functions as a root user while limiting and password protecting the access privileges. By default the root account is not enabled on a macOS computer. An administrator can escalate privileges using the sudo command (use -s or -i to get a root shell).

Solution

Graphical Method:

Perform the following steps to ensure that the root user is disabled:

- Open /System/Library/CoreServices/Applications/Directory Utility
- Click the lock icon to unlock the service
- Click Edit in the menu bar
- Click Disable Root User

Terminal Method:

Run the following command to disable the root user:

$ /usr/bin/sudo /usr/sbin/dsenableroot -d

username = root
user password:

Run the following command to disable the root user shell:

% /usr/bin/dscl . -create /Users/root UserShell /usr/bin/false

Impact:

Some legacy POSIX software might expect an available root account.

See Also

https://workbench.cisecurity.org/benchmarks/15550