As much as this pisses me off (WTF Apple?!?), I’m glad these security lapses are exposed so they can be patched and corrected.

I would imagine there will be an update for this by the end of the week at the latest.
I wouldn't bet on that, my guess is sometime next year at the earliest.
 
You need to have Display login window as: Name and Password option turned on (not default) in order to enter root at the lock screen. Otherwise it only allows specific users.

Still, if that's not the default, that's not making it any better... :D You can still post that online, which is the whole deal anyway.
 
@imnotarobot are you saying that an alternative solution is to set the Name and Password option? It seems that the only solution provided is to set the 'root' password (actually, "Change Root Password" in the Directory Utility Edit menu).

Question for everyone: If the problem is that root is available with a blank password, why not just choose "Disable Root User" in the Directory Utility Edit menu? At least for non-power users, or those power users who don't mind utilizing sudo? Or is that not a viable alternative solution?
 
@imnotarobot are you saying that an alternative solution is to set the Name and Password option? It seems that the only solution provided is to set the 'root' password (actually, "Change Root Password" in the Directory Utility Edit menu).

Question for everyone: If the problem is that root is available with a blank password, why not just choose "Disable Root User" in the Directory Utility Edit menu? At least for non-power users, or those power users who don't mind utilizing sudo? Or is that not a viable alternative solution?

That's assuming everyone will do that. People wanna use their machine, not have to go through and set specifics up beforehand.

Got in on the second attempt... nice job Apple.

hehe... Don't tease the monster
 
@imnotarobot are you saying that an alternative solution is to set the Name and Password option? It seems that the only solution provided is to set the 'root' password (actually, "Change Root Password" in the Directory Utility Edit menu).

Question for everyone: If the problem is that root is available with a blank password, why not just choose "Disable Root User" in the Directory Utility Edit menu? At least for non-power users, or those power users who don't mind utilizing sudo? Or is that not a viable alternative solution?

The bug is not that the root user has a blank password, but that the bug forcefully enables the root user (which by default has a blank password). Merely disabling the root user using Directory Utility (which also blanks the password in the process) doesn't prevent it from being enabled again.

Changing the root password leaves it enabled, but as the password is no longer blank, it can't be readily used without knowing the new password.
 
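Added example (not part of any post in this thread): a small shell check that classifies the root account from the text `dscl . -read /Users/root AuthenticationAuthority Password` prints, so the state described in the post above can be re-checked over time. The sample records are constructed, and the function names and the attribute behaviour noted in the comments are assumptions.

```shell
#!/bin/sh
# Added example: classify the root account from `dscl` record text.
# Assumption: an enabled root account carries a ";ShadowHash;" entry in
# AuthenticationAuthority; a disabled one has no such key and Password "*".

# Constructed sample records (not captured from a real machine).
SAMPLE_DISABLED='No such key: AuthenticationAuthority
Password: *'
SAMPLE_ENABLED='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>
Password: ********'

# $1 = record text; prints enabled, disabled or unknown.
root_account_state() {
    if printf '%s\n' "$1" | grep -q ';ShadowHash;'; then
        echo enabled
    elif printf '%s\n' "$1" | grep -q '^Password: \*$'; then
        echo disabled
    else
        echo unknown
    fi
}

# $1 = record text; prints the follow-up the thread suggests for that state.
root_account_advice() {
    case $(root_account_state "$1") in
        enabled)
            echo "root is enabled: give it a non-blank password (sudo passwd root)" ;;
        disabled)
            echo "root is disabled: the bug can re-enable it, so check again later" ;;
        *)
            echo "root state could not be determined from this record" ;;
    esac
}

# On a Mac, check the live record; elsewhere this step is skipped.
if command -v dscl >/dev/null 2>&1; then
    root_account_advice "$(dscl . -read /Users/root AuthenticationAuthority Password 2>&1)"
fi
```

The check cannot tell a blank root password from a set one; it only shows whether root has been enabled since the last look.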

*...and it also provides access at the login screen of a locked Mac.*
Can confirm. Just tried on a Mac sitting locked since Sunday. No login tr This is REALLY bad.
Did you read the article? This works at the LOGIN screen as well. I have confirmed that I can log out of my own account and log in to the PC as the user ROOT with no password.

Please take off your Apple Apologist hat and accept this is a MAJOR security hole. Root access to ANY computer is potentially fatal to the computer.
ditto. I literally have an almost default setup of the HS with all the patches as of Sunday. No guest, no unlocking anything, just walked over, picked “other user” and bam! In.
 
Can just see Craig at the next keynote. “We have made it super easy to allow guests to use your Mac, now you don’t need to even set up a guest account and the user has full access”.

Shame, Craig comes across as a great guy, but he is the face of the firmware and the buck stops with him.
Hopefully “Craig’s Hair” has its own employment contract with Apple. We’ll miss keynotes without it.
 
That’s crazy. Everyone: open terminal and sudo passwd root, enter your password then set root password
 
ETA for Security Update?
I suspect it's already fixed, probably just a few lines of code changes, with a few new unit tests.

The release has to go through the usual testing stages. This will be an interesting example of how quickly a fix gets rolled out to the public.

My guess is Thursday.
 
The bug is not that the root user has a blank password, but that the bug forcefully enables the root user (which by default has a blank password). Merely disabling the root user using Directory Utility (which also blanks the password in the process) doesn't prevent it from being enabled again.

Changing the root password leaves it enabled, but as the password is no longer blank, it can't be readily used without knowing the new password.

/// WITHDRAW ///

Excellent answer; thank you for a thoughtful answer. But it brings up another question, as I looked at my not-yet-upgraded system, and it doesn't have a root password, and 'root' is not enabled. I've got my account as an Admin, and never set a 'root' password. But it isn't getting somehow a problem.

So on High Sierra, yes, 'root' has a blank password, but isn't the bug that the process of upgrading did an enablement. You only upgrade once, so the true bug is just that the status was changed when it shouldn't have been touched -- so setting it back to Disabled fixes it. Or is there some sort of daemon that keeps re-enabling it? If not, then how could 'root' -- blank password or not -- be a viable credential for any purpose at all (including attempting to log in or change the security locks)?

UPDATE: Tried it out -- in fact, the condition reactivates, and 'root' is re-enabled. Presumably not a daemon as the culprit, but the credential challenge routine itself does the deed as part of its work. Oh, my.
 
Did you read the article? This works at the LOGIN screen as well. I have confirmed that I can log out of my own account and log in to the PC as the user ROOT with no password.

Please take off your Apple Apologist hat and accept this is a MAJOR security hole. Root access to ANY computer is potentially fatal to the computer.

It only worked for me at the login screen AFTER I did it in System Preferences first. So while this person was being sarcastic, apparently this issue doesn't actually become an issue until the root account is enabled through the System Preferences first.
 
And I still cannot understand why Scrivener 3 forces people to upgrade to Sierra.
 
I was trying to reproduce this on Sierra (my current OS) to see if it also happens there.

My experience: the root account was disabled, so this bug/exploit wouldn't work. If I enabled the root account (via Directory Utility) without any password, then sure I could log in as root from the login screen without a password, but that's not saying much.

So is the issue that the root account is enabled on High Sierra by default? If someone in High Sierra opens Directory Utility, clicks the lock and enters an admin password, then checks the edit menu, is there a menu item "Enable Root User" or "Disable Root User"?
 
it didn't work the first time but worked the second time literally like 3 seconds later..... YOOOOOOOOOOOOO WTF how does this even exist???? that's crazy!!!!
 
Poor Apple - know-how has been remarkably declining the last few years - horrible to look at... :-(( they abandoned serious way ... just to laugh at, ridiculous and finally a strong breach
 