MacOS High Sierra Security Bug Allows Root Login Without a Password, Here’s a Fix
A significant security vulnerability has been discovered with macOS High Sierra, potentially allowing any person to log into a Mac with full root administrative capabilities without a password.
This is an urgent security problem, and while a software update should arrive to resolve the problem soon, this article will detail how to protect your Mac from this security hole.
Important Update: Apple has released Security Update 2017-001 for macOS High Sierra to fix the root login bug, download it now. If you are running macOS High Sierra, download the update as soon as possible to your Mac.
What is the root login bug, and why does it matter?
For some quick background, the security hole allows a person to enter ‘root’ as a username and then immediately log in as root to the Mac, without a password. The password-less root login can occur directly with a physical machine at the general user login screen seen on boot, from the System Preferences panels which typically require authentication, or even over VNC and Remote Login if those latter two remote access features are enabled. Any of these scenarios then allow full access to the MacOS High Sierra machine without ever using a password.
A root user account provides the highest level of system access possible on MacOS or any other Unix-based operating system: root grants all capabilities of administrative user accounts on the machine, plus unrestricted access to any system-level components or files.
Mac users impacted by the security bug include anyone running macOS High Sierra 10.13, 10.13.1, or the 10.13.2 betas who has not previously enabled the root account or changed the root user account password on the Mac, which is the vast majority of Mac users running High Sierra.
Sounds bad, right? It is, but there’s a fairly easy workaround that will prevent this security bug from being a problem. All you have to do is set a root password on the impacted Mac.
How to Prevent Root Login Without a Password in MacOS High Sierra
There are two approaches to preventing root login without a password on a MacOS High Sierra machine: you can use Directory Utility or the command line. We’ll cover both. Directory Utility is perhaps easier for most users since it is accomplished entirely from the graphical interface on the Mac, whereas the command line approach is text based and generally considered more complex.
Using Directory Utility to Lock Down Root
- Open Spotlight on the Mac by hitting Command+Spacebar (or clicking the Spotlight icon in the upper right corner of the menubar) and type in “Directory Utility” and hit return to launch the app
- Click the little lock icon in the corner and authenticate with an admin account login
- Now pull down the “Edit” menu and choose “Change Root Password…” ***
- Enter a password for the root user account and confirm, then click “OK”
- Close out of Directory Utility
*** If the root user account is not yet enabled, choose “Enable Root User” and then set a password instead.
Essentially all you are doing is assigning a password to the root account, meaning that logging in with root will then require a password as it should. If you do not assign a password to root this way, amazingly, a macOS High Sierra machine accepts a root login without a password at all.
Using the Command Line to Assign a Root Password
Users who would prefer to use the command line in macOS can also set or assign a root password with sudo and the regular old passwd command.
- Open the Terminal application, found in /Applications/Utilities/
- Type the following syntax exactly into the terminal, then hit the return key:
sudo passwd root
- Enter your admin password to authenticate and hit return
- At “New password”, enter a password you won’t forget, hit return, and confirm it
Be sure to set the root password to something you will remember, or perhaps even matching your admin password.
How do I know if my Mac is impacted by the password-free root login bug?
It appears only macOS High Sierra machines are impacted by this security bug. The easiest way to check whether your Mac is vulnerable to the root login bug is to try to log in as root without a password.
You can do this from the general boot login screen, or via any admin authentication panel (clicking the lock icon) available in System Preferences like FileVault or Users & Groups.
Simply put ‘root’ as the user, leave the password blank, and click “Unlock” twice – if the bug impacts you, you will be logged in as root or granted root privileges. You must click “Unlock” twice: the first click creates the root account with a blank password, and the second click logs in with it, allowing full root access.
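Rather than trying the blank-password login on every machine, an administrator can read the root account’s directory record and confirm that root is either disabled or has a password set. The script below is an added example, not part of the original article or an Apple tool. It assumes that `dscl . -read /Users/root AuthenticationAuthority` is the way to inspect the root record on macOS, that a `;DisabledUser;` tag means the account was disabled (as `dsenableroot -d` does), that `;ShadowHash;` means a password hash is stored, and that a missing attribute corresponds to a root account that was never set up, which is the state the article says is affected. The sample attribute strings are constructed for illustration; on a Mac the script reads the live value, elsewhere it runs over the samples.

```shell
#!/bin/sh
# Added example (not from the original article): classify the root account's
# state from its AuthenticationAuthority attribute so an admin can confirm that
# root is either disabled or protected by a password.
#
# Assumptions (not stated on the page): `;DisabledUser;` marks an account
# disabled with `dsenableroot -d`, `;ShadowHash;` marks a stored password hash,
# and an absent attribute is the "never configured" state. Sample strings below
# are constructed.

# classify_root_aa STRING -> prints one of: disabled | enabled | unset | unknown
classify_root_aa() {
    case "$1" in
        *";DisabledUser;"*) echo "disabled" ;;   # checked first: disabled records also carry a hash
        *";ShadowHash;"*)   echo "enabled"  ;;
        "")                 echo "unset"    ;;
        *)                  echo "unknown"  ;;
    esac
}

# remediation_for STATE -> prints the action the article recommends for that state
remediation_for() {
    case "$1" in
        enabled)  echo "root is enabled: make sure it has a real password (sudo passwd root)" ;;
        disabled) echo "root was enabled and then disabled: the article reports this state is not affected; leave it disabled" ;;
        unset)    echo "root has no authentication record: set a root password now (sudo passwd root)" ;;
        *)        echo "unrecognised AuthenticationAuthority value: inspect it manually" ;;
    esac
}

# live_root_aa -> prints the live attribute value on macOS, an empty string if
# the attribute is absent or dscl is not installed (dscl exits non-zero when
# the key is missing; its error text goes to stderr, which is discarded here)
live_root_aa() {
    if command -v dscl >/dev/null 2>&1; then
        dscl . -read /Users/root AuthenticationAuthority 2>/dev/null \
            | sed 's/^AuthenticationAuthority: *//' | tr '\n' ' ' | sed 's/ *$//'
    fi
}

if command -v dscl >/dev/null 2>&1; then
    state=$(classify_root_aa "$(live_root_aa)")
    echo "live root state: $state"
    remediation_for "$state"
else
    # constructed samples for the three states the classifier distinguishes
    for sample in ';DisabledUser;;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>' \
                  ';ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>' \
                  ''; do
        state=$(classify_root_aa "$sample")
        printf '%-9s <- %s\n' "$state" "${sample:-<attribute absent>}"
        remediation_for "$state"
    done
fi
```

The classifier can only tell whether a password hash exists, not whether that hash is of an empty string, so an “enabled” result on a machine that has already had the blank-password login performed against it still needs a real password set with `sudo passwd root`, exactly as the article describes.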
The bug, which is basically a 0day root exploit, was first reported to the public on Twitter by @lemiorhan and has quickly gained steam and media attention due to the potential severity of impact. Apple is apparently aware of the issue and is working on a software update to resolve the problem.
Does the root login bug impact macOS Sierra, Mac OS X El Capitan, or before?
The password-less root login bug appears to only impact macOS High Sierra 10.13.x and does not appear to impact earlier versions of macOS and Mac OS X system software.
Additionally, if you had previously enabled root via the command line or by Directory Utility, or changed the root password at some other time, the bug would not work on such a macOS High Sierra machine.
Remember, Apple is aware of this problem and will issue a security update in the near future to address the bug. In the meantime, do yourself a favor and set or change the root password on Macs running macOS High Sierra to protect them from unauthorized full access to the machine and all its data and contents.
After the dust settles and the patch(es) are applied to fix this, I’m left wondering…
Should the root password be changed whether this issue had been exposed or not?
Apple publishes an IT Configuration Guide and this isn’t mentioned in it anywhere
If you use root, yes change the password.
If you do not use root, do not enable the root account.
Root is for very advanced users only, it only needs to be enabled if you actually use it.
How do I know if I installed the update correctly?
This article details two different ways to see if you installed the security update correctly.
https://osxdaily.com/2017/11/28/macos-high-sierra-root-login-without-password-bug/
I would read the entire article and I would also install the security update for all High Sierra Macs, it is a bad bug.
And a password has been set for the root user
Found directory utility, and my root account is disabled. Why is it that spotlight is not bringing it up but it can be found following fdkn’s post
Thank you. I hope Apple will release a patch soon.
I tried it on my Mac that is running Mac OS X El Capitan too.
I have a root account set up since who knows when with a proper password. I always update to a new system by retaining my data.
This always set up my root account with the password from the previous system.
So, unless the High Sierra installer acts differently in this respect, I and others who upgrade with data retention should not be affected by this bug. Only clean installs would be affected.
Can anyone confirm this?
Try logging in as ‘root’ without a password, hit login/unlock twice. If it works, your Mac is impacted.
If you have previously enabled root and set the password, it should not work at all however, because even if you updated to High Sierra from a previous macOS build it should carry that user account with it forward with the password.
But Apple has issued a patch now, in App Store > Updates
People are still using this rubbish BETA lol, amazing
If root password was previously set, or your admin account was created upon setup, this backdoor will not work.
I can’t replicate it on any machine running High Sierra.
The “change root password” option was greyed out for me until I went back in and tried to make the exploit work by signing in under “root” with no password. Once the blank password was created, I could then go back and assign a root password.
Thank you, that security repair also seems to have given me back my guest user login!
What if you don’t display the username and password input fields on the login page? How do you then enter ‘root’ and no password?
See Login options under Users & Groups in System Prefs – Display login window as List of Users, not Name and password.
Following your ‘Using Directory Utility to Lock Down Root’ process does not open the Directory Utility.
Hitting Command+Spacebar does not open anything.
Clicking the Spotlight icon, then typing in “Directory Utility” (whether using capital or lowercase D’s & U’s) then hitting return does not launch the app, but does show a list of various ‘Council’ website options, and then opening the website for ‘The Law DONUT – Legal resources for your business – employment law, company law and more …’, a site I have not linked to – or even known about – previously.
Does this failure mean that my iMac is infected, and if so, what do I do about that please?
If it is not YET infected, how can I ensure that I can keep it safe, other than following what you have already suggested?
Either way, thanks for your always useful advice.
The Directory Utility app is on your Mac but your Spotlight must be configured to use a different keystroke.
Directory Utility can be located at:
/System/Library/CoreServices/Applications/Directory\ Utility.app
10.13.1 – Can not replicate even after several attempts.
On my FileVault enabled Mac it does *NOT* work. On my non encrypted Mac it works like a charm…. Is your FileVault enabled??? I’m trying to get a better understanding of this bug
That’s interesting; this is the only place I’ve seen anyone talk about FileVault possibly preventing this bug. Can anyone else confirm this?
That’s because 10.13.1 was just released today and fixes the security issue.
Unfortunately macOS 10.13.1 alone does not fix the issue, instead there is a separate Security Update for macOS 10.13.1 that fixes the issue. The Security Update is available in the App Store if you are running 10.13.1, otherwise it will push to the Mac automatically if it is on 10.13.1. This is discussed here:
https://osxdaily.com/2017/11/29/security-update-macos-high-sierra-root-password-bug-released/
More time spent on security and bug fixing before release and less time making the next iPhone 0.00000001 mm thinner.
Maybe focus more on security and less on androgynous ‘promotional’ videos.
Apple doesn’t care about OS X anymore, it’s all phones, TV and watches, pathetic
Apparently the scope of the bug is somewhat limited. I have macOS High Sierra, and I am not affected by this.
Everyone is affected. It works on the second try.
I have tried it multiple times and cannot replicate this security issue. 10.13.1
Probably because it’s affecting only people with encrypted disks. I wouldn’t be surprised if it’s some kind of NSA backdoor.
I’ve tried it multiple times and cannot get it to work either. Here is why: My root user account is not enabled. I enabled it, chose to not enter a password, logged out as my user and successfully logged in as root. I then set the root account back to disabled and was not able to get in as root with no password. Verified with a colleague that he could get in as root, but found out his root was enabled.
Hope this helps…
This does not work if you already changed the root password.
According to the article, if you had previously enabled root with a password, even in a prior version of OS X, you have already implemented the workaround fix and are not affected. This is likely what has happened in your case.
I have a Mac with High Sierra 10.13.1 but I can’t bring up Directory Utility … it does not come up in Spotlight search
If you type it correctly it will come up.
it does not matter how I type it, I still can bring it up
Yikes, this is a big deal. How many millions of Macs are impacted? How did this glaring security bug even ship?
Imagine being able to unlock an iPhone just by picking it up and typing no passcode or no Touch ID or Face ID? That’s basically what this is.
What a mess the “High Sierra” is, I will never update to it. Apple must have been “high” on something to release it. Apple is training customers to never update their software by consistently releasing buggy underperforming garbage which now also includes terrible security flaws. Come on Apple, get it together, why have you neglected the Mac?
Makes you wonder, how long was this “bug” known before it was dumped into the world? Does anyone really think this is the first time someone was made aware of it? You can guess that hackers or spies were aware somewhere…