So sad that these days I treat Apple like I treat Microsoft - I don't upgrade/update until fully tested, and several patch versions have been released first. I'm also skipping entire OS releases, and not buying the latest hardware (usually waiting 1 year). Who'd have thought we'd ever see this day?
 
I don't think this is a bug, this is straight up lazy programming, this is just unacceptable under any standards. First the Disk Utility encryption vulnerability, now this. Maybe Tim and his team were focused on Black Friday and Cyber Monday deals instead of being focused on macOS and their loyal customers, who are still waiting on a new Mac Pro. Hello Tim, Mac Pro is from 2013, we are almost in 2018, what happened to the 5 years obsolete rule from Apple? This is not a bug, this is a vulnerability.
 
Are you ******** me? I'm a huge Apple supporter, but this is a nightmare situation. Someone needs to be fired for this.

Oh, BTW @MacRumors, if you follow the Apple spokesperson's instructions in that article, be sure to point out to your readers NOT to do the last part as Apple suggested, and disable the root account after changing the password. It re-enables the flaw. Just tested it myself. You MUST leave the root account enabled after changing the password (for now, until a fix is available).
 
This is not just a problem via Users & Groups - if you can see the "Other" user on the Login Window screen then you can enable root that way. I clicked on this, signed in with root and no password and it set up root and I was in with full system admin rights. What a nightmare!!!

Wow, this really is a FUBAR
 
UPDATE:
The issue is fixed when the root account is active and the root password changed. However, I can still enter if the root account is disabled. You can try yourself: disable the root user, close all locks, log out, then re-login. Try to modify the users/groups by clicking the lock icon. Enter root, space in the password field, remove the space, then click unlock. Then another window will show. Type again root, space then backspace in the password field and unlock (needs to be done 2 or 3 times).
 
Are you sh*tting me? I'm a huge Apple supporter, but this is a nightmare situation. Someone needs to be fired for this.

Oh, BTW @MacRumors, if you follow the Apple spokesperson's instructions in that article, be sure to point out to your readers NOT to do the last part as Apple suggested, and disable the root account after changing the password. It re-enables the flaw. Just tested it myself. You MUST leave the root account enabled after changing the password (for now, until a fix is available).

Luckily I did that, something just told me to leave it alone with the password enabled.
 
UPDATE:
The issue is fixed when the root account is active and the root password changed. However, I can still enter if the root account is disabled. You can try yourself: disable the root user, close all locks, log out, then re-login. Try to modify the users/groups by clicking the lock icon. Enter root, space in the password field, remove the space, then click unlock. Then another window will show. Type again root, space then backspace in the password field and unlock (needs to be done 2 or 3 times).

Dude, that has been the fix all along since the fix was talked about. Nowhere did Apple say to disable root once you've changed the password. The fix from the beginning has been to leave root enabled but with a password and you'll be safe until the patch comes out. People have been trying to tell you that.
 
This is worrying. Apple need to focus on Mac and stop rushing! What’s happening with Apple?
Remember what Magneto told Doctor Charles Xavier: "Why Do You Ask Questions To Which You Already Know The Answers"
The answer to your question is very simple: Apple under Steve was one thing, but Apple under Tim is a totally different story. The passion is gone and it is starting to reflect in their job.
 
This is not just a problem via Users & Groups - if you can see the "Other" user on the Login Window screen then you can enable root that way. I clicked on this, signed in with root and no password and it set up root and I was in with full system admin rights. What a nightmare!!!

I confirm this too. I disabled root access then rebooted my iMac. I now have an "other" login window. I entered root with no password and had full access on the computer and a beautiful "setting up your mac" screen.
 
The crazy thing is that even though the "root" user is not listed on the accounts settings, it now shows at the log in screen!!! This is nuts. How do I remove it!?

Had exactly the same pesky problem and, presto, solved!

To remove "Other..." I used the Terminal command:
sudo defaults write /Library/Preferences/com.apple.loginwindow SHOWOTHERUSERS_MANAGED -bool FALSE
(Note: You will be challenged for the Admin-rights password)

And, presto, peskiness removed.
 
I confirm this too. I disabled root access then rebooted my iMac. I now have an "other" login window. I entered root with no password and had full access on the computer and a beautiful "setting up your mac" screen.
Don't disable the root user. That's all you need to do. When you disable root, you allow the vulnerability again!
 
I like (hate) how since High Sierra, a spotlight search doesn't return a file, even though I can open the folder it's in and stare right at it. WTF is going on with that?
 
Not a bug that should be in an OS. Nonetheless, gaining root access to a Mac once I'm in physical possession is simple even without a bug like this one... unless you have turned FileVault on, which should also protect your data in this case...
 
HOW many times have YOU tried to type in "root" with no Password (but DID click in the PW field!)?
I have never done this, but I don't work at Apple's QA department.

When developing test cases to test the security of an operating system, wouldn't that be top priority, trying to log in as root? Wouldn't you test edge cases? Wouldn't "no password" be such a case?

This should never have happened. This bug is a disaster that discovered an organizational problem at Apple.
 
Not a bug that should be in an OS. Nonetheless, gaining root access to a Mac once I'm in physical possession is simple even without a bug like this one... unless you have turned FileVault on, which should also protect your data in this case...
The fact is, if you remove a hard drive or SSD and connect it as an external drive on another computer, it's wide open, FileVault or not
 
The fact is, if you remove a hard drive or SSD and connect it as an external drive on another computer, it's wide open, FileVault or not

That is not correct. If you attach a FileVault enabled disk to another Mac you will not be able to see the contents without entering the FileVault password.
 
Dude, that has been the fix all along since the fix was talked about. Nowhere did Apple say to disable root once you've changed the password. The fix from the beginning has been to leave root enabled but with a password and you'll be safe until the patch comes out. People have been trying to tell you that.
Looking at https://support.apple.com/en-us/HT204012 there is a section that offers either enable or disable root. So I decided to disable root, as I didn't want root access. Which I now see is wrong, so why offer it in the article? Confusing unless you have read this entire thread to understand the situation better.

Edit: This is better, missed it myself, Doh! https://www.macrumors.com/how-to/temporarily-fix-macos-high-sierra-root-bug/
 
The fact is, if you remove a hard drive or SSD and connect it as an external drive on another computer, it's wide open, FileVault or not

Um, what? FileVault encrypts my files with my password. Gaining access to the root user account shouldn't have to do anything with that. Having physical access to the SSD should not change that either.
 