QUICK FIX FOR "NO ROOT PASSWORD" VULNERABILITY IN HIGH SIERRA:

1. Log out
2. Log in as "Other"
3. Username "Root" (no password, ****!)
4. Open settings and go to Users
5. Set a password, leave "Current Password" blank
6. Log out.






There appears to be a serious bug in macOS High Sierra that enables the root superuser on a Mac with a blank password and no security check.

The bug, discovered by developer Lemi Ergin, lets anyone log into an admin account using the username "root" with no password. This works when attempting to access an administrator's account on an unlocked Mac, and it also provides access at the login screen of a locked Mac.


To replicate, follow these steps from any kind of Mac account, admin or guest:

1. Open System Preferences
2. Choose Users & Groups
3. Click the lock to make changes
4. Type "root" in the username field
5. Move the mouse to the Password field and click there, but leave it blank
6. Click unlock, and it should allow you full access to add a new administrator account.

At the login screen, you can also use the root trick to gain access to a Mac after the feature has been enabled in System Preferences. At the login screen, click "Other," and then enter "root" again with no password.

This allows for admin-level access directly from the locked login screen, with the account able to see everything on the computer.

It appears that this bug is present in the current version of macOS High Sierra, 10.13.1, and the macOS 10.13.2 beta that is in testing at the moment. It's not clear how such a significant bug got past Apple, but it's likely this is something that the company will immediately address.

Until the issue is fixed, you can enable a root account with a password to prevent the bug from working. We have a full how to with a complete rundown on the steps available here.

Article Link: Major macOS High Sierra Bug Allows Full Admin Access Without Password - How to Fix
 
SJ, wherever he may be, is about to go thermonuclear.

This stuff wouldn't have happened under him.

Or someone would have been canned for it.

I'm not happy about this. What a bug!
 
Unless your computer is set up to, umm, show a username / password box at initial login screen. Then no additional steps are needed, root / <blank> and you're in.

Have you tried doing that on a Mac where you haven't done the Users & Groups procedure?

I can't log in on a machine where that hasn't been done, and only an admin can do that.

What happens is that going through the Users & Groups procedure enables the root user with no password. It's easy to check using Directory Utility.
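
A command-line version of that check, added here as an example (it is not part of the original article or any poster's reply). It assumes a disabled root account shows `Password: *` with no `AuthenticationAuthority` attribute and an enabled one carries a `ShadowHash` entry; the sample outputs are constructed, and the script reports whether root is enabled, not whether its password is blank.

```bash
#!/bin/bash
# Added example: classify the macOS root account state from dscl output.
# Assumption: disabled root => "Password: *" and no AuthenticationAuthority;
# enabled root => AuthenticationAuthority containing a ShadowHash entry.

# classify_root PASSWORD_OUTPUT AUTH_OUTPUT
# Prints "enabled", "disabled" or "unknown".
classify_root() {
    pw_out=$1
    auth_out=$2
    # A ShadowHash entry means a password hash record exists for root.
    case "$auth_out" in
        *ShadowHash*) echo "enabled"; return 0 ;;
    esac
    # Extract the value of the Password attribute, if present.
    pw=$(printf '%s\n' "$pw_out" | sed -n 's/^Password:[[:space:]]*//p' | head -n 1)
    if [ "$pw" = "*" ]; then
        echo "disabled"
    else
        echo "unknown"
    fi
}

# Constructed sample outputs (not captured from a real machine).
SAMPLE_DISABLED_PW='Password: *'
SAMPLE_DISABLED_AUTH='No such key: AuthenticationAuthority'
SAMPLE_ENABLED_PW='Password: ********'
SAMPLE_ENABLED_AUTH='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'

# Query the local directory node; reports "dscl-not-found" off macOS.
check_local_root() {
    command -v dscl >/dev/null 2>&1 || { echo "dscl-not-found"; return 0; }
    pw_out=$(dscl . -read /Users/root Password 2>&1)
    auth_out=$(dscl . -read /Users/root AuthenticationAuthority 2>&1)
    classify_root "$pw_out" "$auth_out"
}

echo "root account on this machine: $(check_local_root)"
```

An "enabled" result on a machine where nobody deliberately set a root password is the state the posts above describe, and the fix is the one given in the thread: set a strong root password.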
 
At our schools I have kept all our Macs running on El Cap except the ones we bought over the summer. Pulling some of these machines out and testing this on them, I can verify it's a bug in High Sierra only.
 
QUICK FIX FOR "NO ROOT PASSWORD" VULNERABILITY IN HIGH SIERRA:

1. Log out
2. Log in as "Other"
3. Username "Root" (no password, ****!)
4. Open settings and go to Users
5. Set a password, leave "Current Password" blank
6. Log out.

Or open /System/Library/CoreServices/Applications/Directory Utility

Disable the root user in the Edit menu.
 
It seems that the passwordless too login only works if an admin has "enabled" the root user by doing the System Preferences trick first.

Users at workplaces and schools are not likely admins.
So the user would have to login using their normal non-admin account, do the trick in System Preferences, then log back out before being able to login as root. Little bit better that way, but still way too easy.

Edit: According to the article, the user does not have to be an admin to do the trick in System Preferences.
 
It seems that the passwordless too login only works if an admin has "enabled" the root user by doing the System Preferences trick first.

Users at workplaces and schools are not likely admins.
Incorrect. You can use this trick from a non-admin account. This is basically giving root access to any user account (even guest), which is honestly the least troublesome piece of this cluster.
 

*...and it also provides access at the login screen of a locked Mac.*

Only if you have changed from the default list users to show username/password.

While not good, it's far from a universal threat. Ironically it will affect power users more :)
 
So it requires physical access to a Mac that's not just "unlocked" but that has the Users dialogue open with the padlock showing that the pane is unlocked as well. So, no risk if no one else has physical access to the machine or those that do don't know the password. Not exactly like anyone can log in with root, requiring no unlocking at all. So, a bug? Yes. A catastrophic and highly embarrassing failure? Not really.

If you get into any user's desktop session, you can just open System Preferences, access any of the padlocked sections there and walk in. In addition, if the machine sits in the lock screen after possible FileVault has been decrypted, there is an additional "Other..." option available in the list of accounts. Root and blank password works there too, giving you a full desktop session with the highest possible privileges. Luckily the Other option is not available straight after a reboot at least if FileVault is enabled. Didn't have a non-FileVaulted High Sierra Mac available to try if that one makes a difference.

But yes, this is bad and highly embarrassing. Stuff like this should not pass QA.
 
Doesn't surprise me in the least. Trying to run a business with all Macs and a Mac server here and there are nothing but permissions issues. Especially on the server. I've had senior enterprise support stumped several times and had to clean install the server and all users several times to get it to the mostly functional point we're at now. Apple's software engineering is becoming a joke.
 
So...Should I leave the Root account enabled or disabled? (after following the recommended steps)
 
If you're trying to minimize the effect of this bug, you don't understand it. That's great if you're a single-user/single-computer and you know where your Mac is at all times. For business/healthcare/etc users, this is very concerning. It's basically undermining all the safeguards that locking down user accounts provide.
 
Only if you have changed from the default list users to show username/password.

While not good, it's far from a universal threat. Ironically it will affect power users more :)

Or you have logged out for whatever reason. I have the default list in use and if I log out, there's an additional Other option available there, and from there you can walk in as root. Fortunately it's not available straight after a reboot, at least not when FileVault is enabled.
 
So...Should I leave the Root account enabled or disabled? (after following the recommended steps)

Leave it enabled and change the password to a long, secure passphrase. That means no-one can use the bug to enable a passwordless root account.
 
I noticed the same. FileVault enabled it wasn't possible but on a Mac without FileVault worked fine on a second try. Same for others?
 
Only if you have changed from the default list users to show username/password.

While not good, it's far from a universal threat. Ironically it will affect power users more :)

Not true, you can access the manual login screen:
PensDevil user says:

"Select the option to show a list of Users to choose from at the login screen. When that screen appears, press the down arrow once to highlight whatever user happens to show up. Next, hold down the "Option" key and press "Return". The login screen should now prompt you for a user name and password"
 