Can I still boot into Single User Mode if I disable the shell for root?
18-04-2021
Question
It's been suggested that, since the root account now appears in the accounts database on macOS 10.13.1+ by "default" (by accident it seems), it might be a good security measure to disable shell access for that account.
Will doing so disable the ability to boot into Single User Mode?
Solution
As @fd0 already commented, "single user mode uses /private/etc/passwd for login authentication, not Open Directory":
pse@Mithos:~$ grep ^root: /etc/passwd
root:*:0:0:System Administrator:/var/root:/bin/sh
but
pse@Mithos:~$ sudo dscl . -read /Users/root UserShell
UserShell: /usr/bin/false
So single user mode will happily read the content of /etc/passwd and start a root shell with /bin/sh even if you set the shell to false with dscl.
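The comparison made by hand in the answer above, as an added example that is not part of the original answer: it reads root's shell from a passwd-format file and from `dscl` output, then flags the case where only the Open Directory record was disabled. The helper names and sample data are constructed; on a Mac, pass /etc/passwd to `passwd_shell` and pipe `dscl . -read /Users/root UserShell` into `dscl_shell`.

```shell
#!/bin/sh
# Added example (helper names are hypothetical; sample data is constructed).

# Shell field (7th) for USER in a passwd-format FILE; '#' comment lines skipped.
passwd_shell() {
    awk -F: -v u="$1" '!/^#/ && $1 == u { print $7; exit }' "$2"
}

# Extract the value from `dscl . -read /Users/<user> UserShell` output on stdin.
dscl_shell() {
    sed -n 's/^UserShell:[[:space:]]*//p' | head -n 1
}

# Succeeds if the shell path is one that refuses interactive login.
is_nologin() {
    case "$1" in
        */false|*/nologin) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify the pair: $1 is the /etc/passwd shell, $2 the Open Directory one.
compare_shells() {
    if [ "$1" = "$2" ]; then
        echo "consistent"
    elif is_nologin "$2" && ! is_nologin "$1"; then
        echo "flat-file-still-open"   # the situation shown in the answer
    else
        echo "mismatch"
    fi
}

# Constructed sample mirroring the two outputs quoted in the answer.
sample_passwd=$(mktemp)
cat > "$sample_passwd" <<'EOF'
##
# User Database (constructed sample)
##
nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false
root:*:0:0:System Administrator:/var/root:/bin/sh
EOF
flat=$(passwd_shell root "$sample_passwd")
ds=$(printf 'UserShell: /usr/bin/false\n' | dscl_shell)
echo "passwd=$flat dscl=$ds result=$(compare_shells "$flat" "$ds")"
rm -f "$sample_passwd"
```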
Licensed under: CC-BY-SA with attribution
Not affiliated with apple.stackexchange