Let's not try to blame this on a testing failure or something that just needs to fall on the QA group within Apple. It's very clearly a programming/engineering failure and the development team that coded this loophole should be held fully responsible. If any of the higher management within Apple thinks that this is principally a QA problem then we (as Mac users) have a lot more to worry about than this one bug.
Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Major macOS High Sierra Bug Allows Full Admin Access Without Password - How to Fix [Updated]
- Thread starter MacRumors
- Start date
- Sort by reaction score
I’d say don’t mess around with this based on the advice/postulation of a random internet poster. Re-enable root as per the linked article and set a secure password. Leave it until it’s patched.
There appears to be a serious bug in macOS High Sierra that enables the root superuser on a Mac with a blank password and no security check.
The bug, discovered by developer Lemi Ergin, lets anyone log into an admin account using the username "root" with no password. This works when attempting to access an administrator's account on an unlocked Mac, and it also provides access at the login screen of a locked Mac.
To replicate, follow these steps from any kind of Mac account, admin or guest:
1. Open System Preferences
2. Choose Users & Groups
3. Click the lock to make changes
4. Type "root" in the username field
5. Move the mouse to the Password field and click there, but leave it blank
6. Click unlock, and it should allow you full access to add a new administrator account.
At the login screen, you can also use the root trick to gain access to a Mac after the feature has been enabled in System Preferences. At the login screen, click "Other," and then enter "root" again with no password.
This allows for admin-level access directly from the locked login screen, with the account able to see everything on the computer.
It appears that this bug is present in the current version of macOS High Sierra, 10.13.1, and the macOS 10.13.2 beta that is in testing at the moment. It's not clear how such a significant bug got past Apple, but it's likely this is something that the company will immediately address.
Until the issue is fixed, you can enable a root account with a password to prevent the bug from working. We have a full how to with a complete rundown on the steps available here.
Update: An Apple spokesperson told MacRumors that a fix is in the works:
Article Link: Major macOS High Sierra Bug Allows Full Admin Access Without Password - How to Fix [Updated]
Here's a way shorter method: open a terminal window. Type "sudo su" and your user password when prompted. Once you see the "sh-3.2#" prompt, type "passwd" and enter a new root password, followed by the enter key. Then quit terminal. The bug should now no longer be an issue. Make sure you can remember (or write down somewhere,) your new root password.
Far be it from me, normally, to encourage password reuse, but given the 'bug' appears simply to be that Apple didn't enable the "disable root login" option, if you're the only one who uses your particular Mac, I can't really see why simply making your root password the same as your regular user login password would be a problem. Just bear in mind of course that if you change one, for whatever reason, (i.e., boy/girlfriend who knows your password is now your ex-boy/girlfriend...) you MIGHT want to change BOTH. Making the root password different, (which is just good practice, generally,) eliminates the need to change both when only one is compromised or suspected to be compromised. But it does mean memorizing an extra password, and one you likely won't need much as, bear in mind, your Mac, even with a root password chosen, will still work just as before, where when you need elevated privileges, for, for instance, installing a printer, etc., sudo will still work with your user password, and so when it pops up the "enter password" dialog, your user password will still work.
So honestly... you could theoretically just set your root password to "lskhY4fa8d%g898wyhrto^ainzfakDsdFahfahsd" or the like... but I... wouldn't recommend it.
[doublepost=1511969199][/doublepost]
I can't help but wonder if this only works on High Sierra fresh installs, (versus upgrades,) since (as I've been telling people all morning,) I'm convinced the issue here is simply Apple shipped High Sierra without enabling the "disable root login" option, and the same nonexistent root password many (if not all?) previous versions of macOS and OS X did.
BUT if you had that option set under Sierra or earlier... maybe that setting somehow survived the upgrade, and in that case, your machine would not exhibit this problem.
Right, that is a pre-existing support document on how to enable and disable root. But Apple’s “statement” yesterday specifically said to enable root and set a password and that’s it.
But I agree, it is confusing and Apple’s “statement” to some bloggers is not enough.
Im so glad that I use VeraCrypt, and Cryptomator to encrypt all of my documents and data on my iMac and in iCloud Drive. So even if someone had access to my mac they'd have no chance in hell of opening those files.
Well, that can't be right, because I disabled root, but the vulnerability does not happen for me, no matter how many times I try it.
UPDATE Sorry, yes, after disabling root, the vulnerability did become apparent. It took a few tries. I'll re-enable root now I guess.
But - every time I go to the Directory Utility, to re-enable root, the only option that appears is to Disable the root user...
Last edited:
It's not that. I consider myself an advanced user, and when I read Apple's article, the end statement in that middle paragraph said "You should disable the root user after completing your task.", so being a god boy, I did exactly that. Then noticed that this just en-enables the bug, so I went back a second time, and left the root user enabled for now, and all is well. If someone like me was confused by Apple's blanket statement to see that article, it stands to reason that others are too. I don't think myself and bloggers are trying to invent clickbait, but rather just trying to point out to those who might get confused. Better safe than sorry, ya know?
[doublepost=1511970019][/doublepost]FYI, I think this issue is limited to High Sierra. I tried it on 10.12 and it does not exhibit the flaw. And others have been checking previous macOS versions with similar results.
I experimented a bit with the root account, apparently the usual way of disabling it doesn't work - after one or two tries it goes back to working with an empty password. However, adding ;DisabledUser; to the AuthenticationAuthority key does seem to actually disable the root, which I think is preferable to enabling it with a password.
Script to disable the root this way (and remove the crap inserted into the user records by using this exploit): https://gist.github.com/arkku/faec0a43ccc8c8d4bc2046419f5ade6d
Script to disable the root this way (and remove the crap inserted into the user records by using this exploit): https://gist.github.com/arkku/faec0a43ccc8c8d4bc2046419f5ade6d
My brand new (3 weeks ago) iMac had root enabled, and no password. I did not do a migration. I did do an update. Obviously Apple has either transferred all of their macOS security staff to other projects or they just don't care. With other things going on, I believe the latter.
10.13.1, I replicated the error. Frighteningly nasty bug, Apple. I'm not personally too concerned that up to this point I've been a sitting duck, no one who would want to break into my computer has physical access to it, but still. Now that this is known, it needs to be fixed immediately.
I now wait for the final update for major macOS releases to be released before upgrading. So tired of problems every time I've upgraded my Macs since 2012. I think any knowledgable, tech-savvy person would have to be insane to upgrade to the main 10.x releases until all updates are released. Since my iPhone 6 has been crippled by iOS 11, I'm going to have to start doing that with iOS now too. Not very impressed.
Sorry Apple, but you have, objectively, slipped very considerably in the past few years.
Sorry Apple, but you have, objectively, slipped very considerably in the past few years.
I agree with you! He needs to stop being a celebrity and get to work to fix all this mess!
Thats the thing, if your device has any form of remote management/sharing enabled it can do it remotely using root
I'm getting tired of all this mess. They fix something, then they break something else. In macOS High Sierra, Preview can't display a clear PDF, this is ridiculous.
When a company become a multi-billions dollar, any decision they have made should not be hasty - one or more tiny mistake(s) it will take years to clean up the mess from all department especially for the hardware & software.
Software should be release by target of 99.9% accuracy of bugs free and security loopholes. 0.1% can be patch via software update but this should be a very minimum risk factor.
Apple - you have all the smartest people in the world who is working for you so this is possible not impossible task.
This is really bad. Please don't blame the user calling them idiots and spreading FUD that it's a non issue.
