Disabled root, now devs having problems

jwojda
Valued Contributor II

So I disabled root by changing the shell it logs into. It works well: they can enable it all they want, but they can't log in. The downside is that some of the developer apps they use install and update via a script that calls root. This is as designed by the vendor of the apps. Does anybody have any suggestions on how to keep them happy while addressing our security department's concerns about having it enabled?

9 REPLIES

Josh_S
Contributor III

We have an Ext. Attribute that inventories the user accounts and various attributes of the account, whether they are local or mobile or if they are admins for example, and one of the things it checks for is if root is enabled:

# dscl prints "Password: *" when root is disabled and "Password: ********" when it
# is enabled. Match the asterisks as a fixed string (-F): in a basic regex '**'
# matches every line, so a plain grep -c '**' reports root as enabled everywhere.
if [ "$(dscl . -read /Users/root Password | grep -Fc '**')" -gt '0' ]; then
    result=',root-enabled,'
else
    result=','
fi

We then have a policy with a one-liner which disables root, scoped to every machine that the previously mentioned EA has a match like ',root-enabled,':

dscl . -passwd /Users/root 'randomstring'; dsenableroot -d -u root -p 'randomstring'

'randomstring' is a randomly generated string of characters. It has to be the same in both commands, and I guess it doesn't technically have to be secure since you're disabling the root account that the password is for - but that line of thinking makes me nervous, so I use an actual long string of randomly generated characters.
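The check-then-disable flow from this reply as a self-contained script. This is an added example, not the poster's EA or policy; it assumes that `dscl . -read /Users/root Password` prints `Password: *` for a disabled root and `Password: ********` for an enabled one, and it matches the asterisks as a fixed string because in a basic regex the pattern `**` matches every line. The function names (`root_enabled_from_attr`, `random_secret`, `disable_root`) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): decide whether root is enabled from
# the dscl Password attribute and, if so, disable it with a throwaway random password.
# Assumed dscl output: "Password: *" when root is disabled, "Password: ********"
# when dsenableroot has enabled it.

# Returns 0 (true) when the dscl output passed as $1 shows an enabled root account.
# -F makes grep treat '**' literally; as a basic regex '**' matches any line at all.
root_enabled_from_attr() {
    printf '%s\n' "$1" | grep -Fq '**'
}

# Emits a 32-character random string from /dev/urandom, letters and digits only,
# so it is safe to pass on the command line to both dscl and dsenableroot.
random_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 32
}

# Disables root when it is enabled. Runs only where dscl exists (macOS).
# Returns 0 when root is (or already was) disabled, 1 on failure, 2 when dscl
# is missing. Never called by the checks below, so it is safe to source anywhere.
disable_root() {
    command -v dscl >/dev/null 2>&1 || return 2
    attr="$(dscl . -read /Users/root Password 2>/dev/null)"
    if ! root_enabled_from_attr "$attr"; then
        return 0
    fi
    secret="$(random_secret)"
    # The same secret goes to both commands: dsenableroot -d authenticates as root
    # with it before disabling the account.
    dscl . -passwd /Users/root "$secret" || return 1
    dsenableroot -d -u root -p "$secret" || return 1
    # Re-read the attribute so the caller knows the disable actually took effect.
    attr="$(dscl . -read /Users/root Password 2>/dev/null)"
    if root_enabled_from_attr "$attr"; then
        return 1
    fi
    return 0
}
```

On a Mac, `disable_root` is the whole policy: it reads the attribute, bails out early when root is already disabled, and verifies the state afterwards instead of trusting the exit codes alone.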

jwojda
Valued Contributor II

Would that still allow root to work then, I assume?

Josh_S
Contributor III

Yep. The root account still works and still exists, and has a shell that can be used. But it disables it in the sense that it removes any password that could be used to log into it directly.

Admin users will need to use sudo in order to elevate their privileges to root.

jwojda
Valued Contributor II

So I set it up a while ago, but none of the information is populating. I set it up as a script and added bin/sh

mm2270
Legendary Contributor III

No echo line with <result></result> tags.

Josh_S
Contributor III

Apologies, that was a code snippet for the whole EA. You need to echo out your result in brackets as @mm2270 points out. Let me see if I can clean this up a bit more for you and make it a little more useful.

If your management account is not 'mgmtaccount', you will need to change the text that it searches for.

#!/bin/bash

# Determine if the 'root' account is enabled for login.
# dscl prints "Password: *" when root is disabled and "Password: ********" when
# it is enabled. Match the asterisks as a fixed string (-F): in a basic regex
# '**' matches every line and would flag root as enabled on every machine.
if [ "$(dscl . -read /Users/root Password | grep -Fc '**')" -gt '0' ]; then
    result=',root-enabled,'
else
    result=','
fi

# Grab array of all non-service accounts (one <name> element per line in the
# jamf listUsers XML).
userArray=()
while IFS= read -r line; do
    userArray+=("${line}")
done <<< "$(/usr/sbin/jamf listUsers | awk -F '[<>]' '/<name>/ { print $3 }')"

# Loop through all the accounts gathered.
for i in "${userArray[@]}"; do
    # Ignore case.
    i="$(tr '[:upper:]' '[:lower:]' <<< "${i}")"

    # Flag mgmtaccount as the management account.
    if [ "${i}" == 'mgmtaccount' ]; then
        result="${result}${i}-management"
    else
        # Check to see if it is a domain/mobile account.
        if [ "$(dscl . -read "/Users/${i}" AuthenticationAuthority | grep -ic 'LocalCachedUser')" -gt '0' ]; then
            result="${result}${i}-mobile"
        else
            result="${result}${i}-local"
        fi
    fi

    # Check to see if the account is a member of the admin group
    # (one member per line, whole-name match).
    if [ "$(dscl . -read /Groups/admin GroupMembership | tr ' ' '\n' | grep -ic "^${i}$")" -gt "0" ]; then
        result="${result}-admin"
    fi

    # Use a comma to separate accounts.
    result="${result},"
done

printf "<result>%s</result>" "${result}"
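The EA above can only be checked on a managed Mac, because every decision is made inline from live `jamf listUsers` and `dscl` output. The following is an added example, not part of the original EA, that pulls the same per-account logic (name extraction, mobile vs. local, admin-group membership, the comma-separated result string) into functions that take their inputs as text, so it runs against constructed samples on any machine. The sample XML, the sample `AuthenticationAuthority` and `GroupMembership` lines, and the management account names `mgmtaccount`/`otheraccount` are all assumptions for the example; the root-enabled flag is left out, since it depends only on the one `dscl` read shown earlier in the thread.

```shell
#!/bin/sh
# Added example (not part of the original EA): the EA's classification logic as
# testable functions fed with constructed text instead of live jamf/dscl output.

# Constructed sample of `jamf listUsers` output; assumed format is one element
# per line, which is what the EA's awk expression relies on.
SAMPLE_LISTUSERS='<users>
<user>
<name>MgmtAccount</name>
<uid>501</uid>
</user>
<user>
<name>jdoe</name>
<uid>502</uid>
</user>
<user>
<name>build</name>
<uid>503</uid>
</user>
</users>'

# Constructed sample of `dscl . -read /Groups/admin GroupMembership`.
SAMPLE_ADMIN_MEMBERS='GroupMembership: root mgmtaccount jdoe'

# Extracts account names from listUsers XML, lower-cased, one per line.
user_names() {
    printf '%s\n' "$1" | awk -F '[<>]' '/<name>/ { print $3 }' | tr '[:upper:]' '[:lower:]'
}

# True when the AuthenticationAuthority text ($1) marks a cached mobile account.
is_mobile() {
    printf '%s\n' "$1" | grep -iq 'LocalCachedUser'
}

# True when user $2 is listed in the GroupMembership line $1
# (whole-name, case-insensitive; "jdoe" must not match "jdoeuser").
is_admin() {
    printf '%s\n' "$1" | sed 's/^GroupMembership: *//' | tr ' ' '\n' | grep -iqx "$2"
}

# Classifies one account as management / mobile / local and appends "-admin"
# when it is in the admin group.
#   $1 = lower-cased name, $2 = AuthenticationAuthority text, $3 = GroupMembership line
# The management account names are assumptions for this example.
classify() {
    name="$1"
    case "$name" in
        mgmtaccount|otheraccount) tag="${name}-management" ;;
        *) if is_mobile "$2"; then tag="${name}-mobile"; else tag="${name}-local"; fi ;;
    esac
    if is_admin "$3" "$name"; then tag="${tag}-admin"; fi
    printf '%s' "$tag"
}

# Constructed per-user AuthenticationAuthority lookup standing in for
# `dscl . -read /Users/<name> AuthenticationAuthority`: jdoe is a cached
# directory account, everyone else is a plain local account.
auth_for() {
    case "$1" in
        jdoe) printf '%s' 'AuthenticationAuthority: ;LocalCachedUser;/Active Directory/EXAMPLE/example.com;jdoe;0A1B2C3D-0000-4000-8000-000000000000 ;ShadowHash;' ;;
        *)    printf '%s' 'AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>' ;;
    esac
}

# Builds the comma-delimited result string the EA would wrap in <result> tags.
ea_result() {
    result=','
    for u in $(user_names "$SAMPLE_LISTUSERS"); do
        result="${result}$(classify "$u" "$(auth_for "$u")" "$SAMPLE_ADMIN_MEMBERS"),"
    done
    printf '%s' "$result"
}

# With the samples above this prints ,mgmtaccount-management-admin,jdoe-mobile-admin,build-local,
ea_result
printf '\n'
```

Because every value is comma-delimited with a leading and trailing comma, a smart group criterion such as "like ,root-enabled," or "like -admin," matches whole tokens rather than substrings of a user name, which is the property the thread's scoping relies on.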

jwojda
Valued Contributor II

Thank you for this. Real quick: we have 2 management accounts, one for the JSS that only me and a couple of other people have (but it's on every box), and then the local admin that the IT staff has.

How would I modify the mgmtaccount info to allow for either this or that?

Josh_S
Contributor III

Sure. Simple change to allow "match this" or "match that".

if [ "${i}" == 'mgmtaccount' ] || [ "${i}" == 'otheraccount' ]; then

You might find this useful, I know I did: http://www.tldp.org/LDP/abs/html/

jwojda
Valued Contributor II

Thank you, I will take a look at that link and see if I can learn something.