Single User Mode – Booting with Disabled Root Shell

single-user

It's been suggested that, since the root account now appears in the accounts database on macOS 10.13.1+ by "default" (by accident it seems), it might be a good security measure to disable shell access for that account.

Will doing so disable the ability to boot into Single User Mode?

Best Answer

As @fd0 already commented, "single user mode uses /private/etc/passwd for login authentication, not Open Directory":

pse@Mithos:~$ grep ^root: /etc/passwd 
root:*:0:0:System Administrator:/var/root:/bin/sh

but

pse@Mithos:~$ sudo dscl . -read /Users/root UserShell
UserShell: /usr/bin/false

So single user mode will happily read the content of /etc/passwd and start a root shell with /bin/sh even if you set the shell to false with dscl.

Best Answer

Related Solutions

MacOS – How to protect Single User Mode to require a password

MacOS – Running shell scripts in single-user mode

Related Question