It is Apple's strategy to make hackers useless.

Or

Apple wants their emoji users to feel like rock stars, accessing the system as root without knowing the password!! Yeah!!
 
This is worrying. Apple need to focus on Mac and stop rushing! What’s happening with Apple?
Perhaps they are focused on too many products these days.
First it was just the Mac they had to focus on, then came iPod, then came iPhone and iPad and Apple TV and Car Play and Air Pods and Apple Watch and now VR headsets.
Or does it come down to the respective teams (of each product) not having enough staff to achieve better results?
Or is there too much pressure coming from above to meet unrealistic deadlines?
Or is Apple chopping and changing all the time during the development process, and thus perhaps what was a tested/working OS component/idea is being scrapped and another idea/decision is being made/rushed in last minute?
 
How is it that open source community-developed Linux has better security QA than Apple with all its huge resources and wealth?

The only answers I can think of are

1. organisational dysfunction

2. arrogance

could there be another explanation?
3. limited funding
4. macOS is mostly not open source

Bean counter Tim just didn't want to allocate Mac too much money.

Old Mac vs PC advertisements mock today's Apple badly. Just look at a few of them, Mac has become PC.

 
This is literally the biggest security flaw possible if someone has physical access to a mac (which is pretty damn easy in an office environment - lunch breaks, evenings, weekends).

Just open the lid, boom you've got root access.

When the regular press finally understand what that actually means this is going to be very big news.
 
I've kept the installation packages and partitioned disks from multiple betas back when I was testing unsupported Mac functionality. :)
Nice, I haven't been keeping up-to-date any unsupported Macs lately. I assume the install process is similar to Sierra though, with a change to PlatformSupport.plist and LegacyUSBInjector.kext? :)
 
If someone knows the password of a user on your system, or your account is poorly protected, it is perfectly possible to do this remotely. You just have to remote into the machine, start a GUI shell with any user, go to preferences, and do the same steps in the news post. Then you can log in as root in the shell prompt, start a remote session from that, and you're good to go.

Any Mac with internet access and firewalls opened is vulnerable to this.

So many issues with this it's tough to know where to start.

"If someone knows the password of a user on your system". If someone knows your password to your admin user you pretty much deserve whatever happens.
"You just have to remote into the machine". SSH and Screen sharing are disabled by default.
"Start a GUI shell". Enlighten me how to "start a GUI shell" without Screen Sharing being explicitly enabled.

There's more but that seems enough.
Just open the lid, boom you've got root access.

No. Just open the lid and boom you have a login prompt.
 
No. Just open the lid and boom you have a login prompt.

You click "Other" and you type "Root" and hit return. So yes... boom you have root access.
 
No. Just open the lid and boom you have a login prompt.

You click "Other" and you type "Root" and hit return. So yes... boom you have root access.

Well, no, unless someone already enabled the root user. No.
 
Much quicker way to change root password, open Terminal and type: sudo passwd root. Enter current password of current user and then enter new password for root and boom!
 
Holy Hannah Batman!!! Really? Tim, you're a nice guy, you were "Mr. Logistics" under Steve, but this is a "This is ****!" thing that should never have slipped by. Your Achilles heel is showing once again, or should I say your High Sierra heel (whoops, no support under High Sierra for the billion fusion drives we've pushed out the door).
 
I'm getting tired of saying it now, so I won't do so again, but people are acting like this is the first exploit on OS X, or it's in any way related to Tim Cook and could not possibly have happened under Steve, but that simply isn't true. There has been at least one root exploit for every version of OS X.

https://forums.macrumors.com/thread...-to-fix-updated.2091696/page-10#post-25529131
 
This is a very clean bug.

If you disable the root user after setting the password it is all back to buggy "normal" with the serious security issue.
 
You should leave the root user enabled and set a good password.

Edit: just saw the article update. Apple says set a password while they work on the fix.
 
I did indeed. Got squat. Neither that nor the return key did anything more than bupkis other than bounce my dialog box.

I have second admin account on mine (wifey) and I can't exploit this either.

Are you using a Mac with Touch ID by chance? Wonder if having a Secure Enclave has something to do with certain people not being able to do this.
 
I can reproduce the bug without problem on my MacBook Pro with Touch ID.
Well, no, unless someone already enabled the root user. No.

Can users that have "Other..." because they are on a network log in as root like this without the root user being enabled? I am not able to test it.
 
Would this not allow for the same thing?

1. Log into single-user mode
2. Add a new admin account
3. Log into that new admin account
4. Enable the root user and set password
 
You click "Other" and you type "Root" and hit return. So yes... boom you have root access.

Well, no, unless someone already enabled the root user. No.


Again if you have only a single administrator account & the guest account is disabled you will not be able to log in even with the root account enabled & password left blank. There will be no option to choose another user.
 
Well, no, unless someone already enabled the root user. No.


Again if you have only a single administrator account & the guest account is disabled you will not be able to log in even with the root account enabled & password left blank. There will be no option to choose another user.

What about Macs on a network?
 
Again if you have only a single administrator account & the guest account is disabled you will not be able to log in even with the root account enabled & password left blank. There will be no option to choose another user.
Typing option-return at the login window will bring up a name and password field even if you don't have another user enabled.
 
Just as an interesting side note… This doesn't happen on the command line. You can't "su root" with a blank password. The bug probably lies in the actual authentication challenge dialog. My guess is you really don't get 'root' but you do get admin level access (possible debug code left in the build).
 