How to Enable & Disable root User from Command Line in Mac OS X
Though most advanced Mac users will find it easiest to enable root with Directory Utility from the GUI of Mac OS X, another option is to turn to the command line. No, we’re not talking about using sudo or su, we’re talking about enabling the actual root user account, which can be appropriate for some complex situations.
For those who are familiar with the Terminal and comfortable with command line syntax, enabling the root user account in Mac OS X from the command line may even be easier than doing so from the Directory Utility application, as there are fewer steps necessary to both enable and disable the root user account, either widely or on a per-user basis. This is also advantageous in that it can be enabled remotely via SSH on any Mac that can be connected to.
It’s very important to point out that enabling the root user account is only for advanced users who understand when and why it may be necessary to have universal superuser privileges. This is rarely necessary for anything beyond systems administrators or for troubleshooting some particularly advanced and complex issues, and for the vast majority of purposes, simply using sudo or launching a GUI app as root is usually sufficient for the vast majority of situations.
If you do not know what you’re doing, do not enable the root user account, and do not use the root user account. Because the root user has universally privileged access to everything in Mac OS X, it’s quite easy to mess something up, and leaving the account active can lead to a security risk. This is truly only for advanced Mac users.
Enable root User Account from the Command Line of Mac OS X with dsenableroot
A simple command line tool appropriately called ‘dsenableroot’ will quickly enable the root user account in Mac OS X. At it’s most simple form, simply type ‘dsenableroot’ into the Terminal prompt, enter the users password, then enter and verify a root user password.
username = Paul
verify root password:
dsenableroot:: ***Successfully enabled root user.
When you see the “dsenableroot:: ***Successfully enabled root user.” message, you know the root user has been enabled with the password that was just defined.
If you wish, you can also enable the root user on a per user account basis by specifying the -u flag:
dsenableroot -u Paul
Replacing ‘Paul’ with any user name that is on the specific Mac will work.
Of course, once you’re done with root user, you may wish to disable root account access as well.
Disable Root User Account from the Command Line in Mac OS X
Passing the -d flag to the same dsenableroot command string will disable the root user universally, like so:
% dsenableroot -d
username = Paul
dsenableroot:: ***Successfully disabled root user.
The message “dsenableroot:: ***Successfully disabled root user.” indicates the root account is now disabled.
Similar to enabling a specific user, you can also disable for a specific user with the -d and -u flag:
dsenableroot -d -u Paul
This may be appropriate for a situation where a particular user account no longer requires root account privilege.
Generally speaking, leaving the root user account disabled is a good idea.
The dsenableroot utility works in MacOS Sierra, OS X El Capitan, OS X Yosemite, OS X Mavericks, Mountain Lion, etc. For users who are on much older versions of OS X like Snow Leopard, use the sudo passwd method instead.
Generally speaking, ENABLING the root account is the best idea one could have! Because sudo is prone to errors and once you managed to lock out yourself, you will be glad you can at least call su.
Yes I agree + for me I have tried many time using su ,in all possible forms to conquer root access on my Mac Bash. But it never resulted others then picking my brain till it bleed into an internal horror show, featuring Self Doubt and Frustrated Rage: As a Student ,a NewBe in Cyber Security I just wanted to know how to get it done, so I can rapidly move on to the next learning challenge. Thank’s this article & dsenableroot.
Due to a bug in Mac High Sierra update… my user account is no longer Admin. I can log in but I cannot unlock the lock in Users & Groups for e.g. I was the only Admin on the system before this bug happened. I had logged in with root to verify the High Sierra bug… changed root password after confirming the bug… did a software update to “fix” the issue … and now I am locked out of doing anything which requires Admin rights on my own Mac…
Any idea how to fix this?
Yes if you login as root user you can then change the primary account back to Administrator. Root is superior to Admin and can change accounts as well.
Am I able to do this in a machine that I don’t know the Administrator password?
`dsenableroot’ works just fine in Snow Leopard, at least as of 10.6.8