MacOS High Sierra Security Bug Allows Root Login Without a Password, Here’s a Fix

Nov 28, 2017 - 35 Comments

macOS High Sierra root password bug

A significant security vulnerability has been discovered with macOS High Sierra, potentially allowing any person to log into a Mac with full root administrative capabilities without a password.

This is an urgent security problem, and while a software update should arrive to resolve the problem soon, this article will detail how to protect your Mac from this security hole.

Important Update: Apple has released Security Update 2017-001 for macOS High Sierra to fix the root login bug. If you are running macOS High Sierra, download and install the update on your Mac as soon as possible.

What is the root login bug, and why does it matter?

For some quick background, the security hole allows a person to enter ‘root’ as a username and then immediately log in as root to the Mac, without a password. The password-less root login can occur directly on a physical machine at the general user login screen seen on boot, from the System Preferences panels which typically require authentication, or even over VNC and Remote Login if those two remote access features are enabled. Any of these scenarios then allows full access to the MacOS High Sierra machine without ever using a password.

A root user account provides the highest level of system access possible on MacOS or any unix based operating system. Root grants all capabilities of the administrative user accounts on the machine, in addition to unrestricted access to any system level components or files.

Mac users impacted by the security bug include anyone running macOS High Sierra 10.13, 10.13.1, or 10.13.2 betas who have not previously enabled the root account or changed a root user account password on the Mac before, which is the vast majority of Mac users running High Sierra.

Sounds bad, right? It is, but there’s a fairly easy workaround that will prevent this security bug from being a problem. All you have to do is set a root password on the impacted Mac.

How to Prevent Root Login Without a Password in MacOS High Sierra

There are two approaches to preventing root login without a password on a MacOS High Sierra machine: you can use Directory Utility or the command line. We’ll cover both. Directory Utility is perhaps easier for most users since it is accomplished entirely from the graphical interface on the Mac, whereas the command line approach is text based and generally considered more complex.

Using Directory Utility to Lock Down Root

  1. Open Spotlight on the Mac by hitting Command+Spacebar (or clicking the Spotlight icon in the upper right corner of the menubar), type in “Directory Utility” and hit return to launch the app
  2. Click the little lock icon in the corner and authenticate with an admin account login
  3. Now pull down the “Edit” menu and choose “Change Root Password…” ***
  4. Enter a password for the root user account and confirm, then click “OK”
  5. Close out of Directory Utility

*** If the root user account is not yet enabled, choose “Enable Root User” and then set a password instead.

Essentially all you are doing is assigning a password to the root account, meaning that logging in with root will then require a password as it should. If you do not assign a password to root this way, amazingly, a macOS High Sierra machine accepts a root login without a password at all.

Using the Command Line to Assign a Root Password

Users who would prefer to use the command line in macOS can also set or assign a root password with sudo and the regular old passwd command.

  1. Open the Terminal application, found in /Applications/Utilities/
  2. Type the following syntax exactly into the terminal, then hit the return key:

     sudo passwd root

  3. Enter your admin password to authenticate and hit return
  4. At “New password”, enter a password you won’t forget, hit return, and confirm it

Be sure to set the root password to something you will remember, or perhaps even matching your admin password.

How do I know if my Mac is impacted by the password-free root login bug?

It appears only macOS High Sierra machines are impacted by this security bug. The easiest way to check whether your Mac is vulnerable to the root login bug is to try to log in as root, without a password.

You can do this from the general boot login screen, or via any admin authentication panel (clicking the lock icon) available in System Preferences like FileVault or Users & Groups.

Simply put ‘root’ as the user, do not enter a password, and click “Unlock” twice – if the bug impacts you, then you will be logged in as root or granted root privileges. You must hit “Unlock” twice: the first time you click the “Unlock” button it creates the root account with a blank password, and the second time you click “Unlock” it logs in, allowing for full root access.
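A non-interactive way to answer the same question, and to apply the command line fix from the section above, is to inspect the root record in Directory Services instead of clicking “Unlock” at a login panel. The script below is an added example and is not from the original article or from Apple. It assumes (not stated on this page) that `dscl . -read /Users/root AuthenticationAuthority` prints `No such key: AuthenticationAuthority` when root has never had a password set, an `AuthenticationAuthority:` line containing `;DisabledUser;` when root was enabled with a password and later disabled, and an `AuthenticationAuthority:` line containing `;ShadowHash;` when root is enabled; the classification logic runs on those constructed output strings, so it can be checked on any system, while the actual `dscl` query and the `sudo passwd root` remediation only run on a Mac.

```shell
#!/bin/sh
# Added example (not from the original article): classify the local root
# account from the output of `dscl . -read /Users/root AuthenticationAuthority`
# and, when root has no password record at all, offer the article's own
# remediation (`sudo passwd root`).
#
# Assumed dscl output formats (an assumption, not verified by the article):
#   "No such key: AuthenticationAuthority"                   -> never-set
#   "AuthenticationAuthority: ;DisabledUser;;ShadowHash;..." -> disabled
#   "AuthenticationAuthority: ;ShadowHash;..."               -> enabled
# "never-set" is the state the article describes as exposed on 10.13.x.
# "enabled" only says a password record exists; if the blank login was
# already triggered that record may hold an empty password, so running
# `sudo passwd root` is still the safe choice when in doubt.

# classify_root_state DSCL_OUTPUT -> never-set | disabled | enabled | unknown
classify_root_state() {
    case "$1" in
        *"No such key"*)                              echo "never-set" ;;
        *";DisabledUser;"*)                           echo "disabled" ;;   # must precede the ShadowHash match
        *"AuthenticationAuthority:"*";ShadowHash;"*)  echo "enabled" ;;
        *)                                            echo "unknown" ;;
    esac
}

# affected_by_blank_root_login STATE -> true (exit 0) when STATE is the
# "never set a root password" case the article says is impacted
affected_by_blank_root_login() {
    [ "$1" = "never-set" ]
}

# On a real Mac: query Directory Services and act on the classification.
# Pass --fix to run the article's command line remediation interactively.
check_and_fix_root() {
    if ! command -v dscl >/dev/null 2>&1; then
        echo "dscl not found; this check only runs on macOS" >&2
        return 2
    fi
    out=$(dscl . -read /Users/root AuthenticationAuthority 2>&1)
    state=$(classify_root_state "$out")
    echo "root account state: $state"
    if affected_by_blank_root_login "$state"; then
        echo "root has no password record; set one now:"
        echo "    sudo passwd root"
        if [ "$1" = "--fix" ]; then
            sudo passwd root
        fi
    fi
}

# Usage on a Mac:  sh root_check.sh --check   or   sh root_check.sh --fix
if [ "${1:-}" = "--check" ] || [ "${1:-}" = "--fix" ]; then
    check_and_fix_root "$1"
fi
```

Because the classifier is a pure function of the `dscl` text, it can be exercised with constructed output on any POSIX shell; only `check_and_fix_root` touches the live system, and it defers the password change to the same `sudo passwd root` command the article gives.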

The macOS root login bug allows root login without a password

The bug, which is basically a 0day root exploit, was first reported to the public on Twitter by @lemiorhan and has quickly gained steam and media attention due to the potential severity of impact. Apple is apparently aware of the issue and is working on a software update to resolve the problem.

Does the root login bug impact macOS Sierra, Mac OS X El Capitan, or before?

The password-less root login bug appears to only impact macOS High Sierra 10.13.x and does not appear to impact earlier versions of macOS and Mac OS X system software.

Additionally, if you had previously enabled root via the command line or by Directory Utility, or changed the root password at some other time, the bug would not work on such a macOS High Sierra machine.

Remember, Apple is aware of this problem and will issue a security update in the near future to address the bug. In the meantime, do yourself a favor and set or change the root password on Macs running macOS High Sierra to protect them from unauthorized full access to the machine and all its data and contents.


Posted by: Paul Horowitz in Mac OS, News, Security, Tips & Tricks

35 Comments


  1. TechRider says:

    After the dust settles and the patch(es) are applied to fix this, I’m left wondering…

    Should the root password be changed whether this issue had been exposed or not?

    Apple publishes an IT Configuration Guide and this isn’t mentioned in it anywhere

    • Paul says:

      If you use root, yes change the password.

      If you do not use root, do not enable the root account.

      Root is for very advanced users only, it only needs to be enabled if you actually use it.

  2. WTS says:

    How do I know if I installed the update correctly?

  3. accadakka says:

    And password has been set for a root user

  4. accadakka says:

    Found Directory Utility, and my root account is disabled. Why is it that Spotlight is not bringing it up but it can be found following fdkn’s post?

  5. PanduanMac says:

    Thank you. I hope Apple will release a patch soon.
    I tried it on my Mac running Mac OS X El Capitan too.

  6. Jams Ludtke says:

    I have a root account set up since who knows when with a proper password. I always update to a new system by retaining my data.
    This always set up my root account with the password from the previous system.

    So, unless the High Sierra installer acts differently in this respect, I and others who upgrade with data retention should not be affected by this bug; only clean installs would be affected.

    Can anyone confirm this?

    • kyle says:

      Try logging in as ‘root’ without a password, hit login/unlock twice. If it works, your Mac is impacted.

      If you have previously enabled root and set the password, it should not work at all however, because even if you updated to High Sierra from a previous macOS build it should carry that user account with it forward with the password.

      But Apple has issued a patch now, in App Store > Updates

  7. Lee says:

    People are still using this rubbish BETA lol, amazing

  8. RM says:

    If root password was previously set, or your admin account was created upon setup, this backdoor will not work.

    I can’t replicate it on any machine running High Sierra.

  9. scott says:

    The “change root password” option was greyed out for me until I went back in and tried to make the exploit work by signing in under “root” with no password. Once the blank password was created, I could then go back and assign a root password.

  10. VJR says:

    Thank you, that security repair also seems to have given me back my guest user login!

  11. Andrew says:

    What if you don’t display the username and password input fields on the login page? How do you enter ‘root’ and no password then?

    See Login options under Users & Groups in System Prefs – Display login window as List of Users, not Name and password.

  12. Malcolm MacINTYRE-READ says:

    Following your ‘Using Directory Utility to Lock Down Root’ process does not open the Directory Utility.

    Hitting Command+Spacebar does not open anything.

    Clicking the Spotlight icon, then typing in “Directory Utility” (whether using capital or lowercase D’s & U’s) then hitting return does not launch the app, but does show a list of various ‘Council’ website options, and then opens the website for ‘The Law DONUT – Legal resources for your business – employment law, company law and more …’, a site I have not linked to – or even known about – previously.

    Does this failure mean that my iMac is infected, and if so, what do I do about that please?

    If it is not YET infected, how can I ensure that I can keep it safe, other than following what you have already suggested?

    Either way, thanks for your always useful advice.

    • fdkn says:

      The Directory Utility app is on your Mac but your Spotlight must be configured to use a different keystroke.

      Directory Utility can be located at:

      /System/Library/CoreServices/Applications/Directory\ Utility.app

  13. PeterO says:

    10.13.1 – Can not replicate even after several attempts.

  14. mark says:

    More time spent on security and bug fixing before release and less time making the next iPhone 0.00000001 mm thinner.

  15. Dun says:

    Maybe focus more on security and less on androgynous ‘promotional’ videos.

  16. Armand says:

    Apparently the scope of the bug is somewhat limited. I have macOS High Sierra, and I am not affected by this.

    • Dun says:

      Everyone is affected. It works on the second try.

      • J-L says:

        I have tried it multiple times and cannot replicate this security issue. 10.13.1

        • Dodo says:

          Probably because it’s affecting only people with encrypted disks. I wouldn’t be surprised if it’s some kind of NSA backdoor.

        • Darren Currie says:

          I’ve tried it multiple times and cannot get it to work either. Here is why: My root user account is not enabled. I enabled it, chose to not enter a password, logged out as my user and successfully logged in as root. I then set the root account back to disabled and was not able to get in as root with no password. Verified with a colleague that he could get in as root, but found out his root was enabled.
          Hope this helps…

      • RM says:

        This does not work if you already changed the root password.

    • Frgough says:

      According to the article, if you had previously enabled root with a password, even in a prior version of OS X, you have already implemented the workaround fix and are not affected. This is likely what has happened in your case.

  17. accakdakka says:

    I have a Mac with High Sierra 10.13.1 but I can’t bring up Directory Utility … it does not come up in Spotlight search

  18. Annoyed Aaron says:

    Yikes, this is a big deal. How many millions of Macs are impacted? How did this glaring security bug even ship?

    Imagine being able to unlock an iPhone just by picking it up and typing no passcode or no Touch ID or Face ID? That’s basically what this is.

    What a mess the “High Sierra” is, I will never update to it. Apple must have been “high” on something to release it. Apple is training customers to never update their software by consistently releasing buggy underperforming garbage which now also includes terrible security flaws. Come on Apple, get it together, why have you neglected the Mac?

    Makes you wonder, how long was this “bug” known before it was dumped into the world? Does anyone really think this is the first time someone was made aware of it? You can guess that hackers or spies were aware somewhere…
