A significant security vulnerability has been discovered in macOS High Sierra that allows anyone with access to a Mac to log in as root, with full administrative capabilities, without entering a password.
This is an urgent security problem, and while a software update should arrive to resolve the problem soon, this article will detail how to protect your Mac from this security hole.
What is the root login bug, and why does it matter?
For some quick background, the security hole allows a person to enter ‘root’ as the username and then immediately log in as root on the Mac, without a password. The password-less root login works at the general user login screen seen on boot, in the System Preferences panels that normally require admin authentication, and even over VNC and Remote Login if those remote access features are enabled. Any of these routes gives full access to the macOS High Sierra machine without a password ever being used.
The root account is the highest level of system access possible on macOS or any other Unix-based operating system: root has all the capabilities of an administrative user account plus unrestricted access to every system-level component and file on the machine.
Mac users impacted by the security bug include anyone running macOS High Sierra 10.13, 10.13.1, or the 10.13.2 betas who has not previously enabled the root account or set a root password on the Mac, which is the vast majority of Mac users running High Sierra.
Sounds bad, right? It is, but there’s a fairly easy workaround that will prevent this security bug from being a problem. All you have to do is set a root password on the impacted Mac.
How to Prevent Root Login Without a Password in MacOS High Sierra
There are two approaches to preventing root login without a password on a macOS High Sierra machine: Directory Utility or the command line. We’ll cover both. Directory Utility is perhaps easier for most users since everything is done from the graphical interface, whereas the command line approach is text based and generally considered more complex.
Using Directory Utility to Lock Down Root
- Open Spotlight on the Mac by hitting Command+Spacebar (or clicking the Spotlight icon in the upper right corner of the menubar) and type in “Directory Utility” and hit return to launch the app
- Click the little lock icon in the corner and authenticate with an admin account login
- Now pull down the “Edit” menu and choose “Change Root Password…” ***
- Enter a password for the root user account and confirm, then click “OK”
- Close out of Directory Utility
*** If the root user account is not yet enabled, choose “Enable Root User” and then set a password instead.
Essentially all you are doing is assigning a password to the root account, so that logging in as root requires that password, as it should. If no password has ever been assigned to root, amazingly, a macOS High Sierra machine accepts a root login with an empty password.
Using the Command Line to Assign a Root Password
Users who would prefer to use the command line in macOS can also set or assign a root password with sudo and the regular old passwd command.
- Open the Terminal application, found in /Applications/Utilities/
- Type the following syntax exactly into the terminal, then hit the return key:
sudo passwd root
- Enter your admin password to authenticate and hit return
- At the “New password” prompt, enter a password you won’t forget, hit return, and confirm it
Be sure to set the root password to something you will remember. A strong, unique password is better than simply reusing your admin password: if the admin password is ever compromised, root should not fall with it.
How do I know if my Mac is impacted by the password-free root login bug?
It appears only macOS High Sierra machines are impacted by this security bug. The easiest way to check to see if your Mac is vulnerable to the root login bug is to try and login as root, without a password.
You can do this from the general boot login screen, or via any admin authentication panel (clicking the lock icon) available in System Preferences like FileVault or Users & Groups.
Simply put ‘root’ as the user, do not enter a password, and click “Unlock” twice – if the bug impacts you, you will be logged in as root or granted root privileges. You must hit “Unlock” twice: the first click creates the root account with a blank password, and the second click logs in with it, allowing full root access. Note that testing this way is not harmless, since the first click leaves root enabled with an empty password; if you test it, set a root password immediately afterward, or skip the test and simply set one.
The bug, which is effectively a zero-day root exploit, was first reported publicly on Twitter by @lemiorhan and has quickly gained steam and media attention due to the potential severity of its impact. Apple is apparently aware of the issue and is working on a software update to resolve the problem.
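For anyone who would rather script the check and the fix than click through the login panel, the following POSIX shell script is an added example and not code from the original article. It does the same two things as the procedures above for a fleet of Macs: it classifies the root account from the output of `dscl . -read /Users/root AuthenticationAuthority`, and it sets a root password non-interactively with `dscl . -passwd`, the scripted counterpart of `sudo passwd root`. The sample dscl outputs are constructed for the example, and the `;DisabledUser;` and `;ShadowHash;` tokens and the meaning attached to them are assumptions about how Open Directory records the account rather than anything this page states; confirm them on a test Mac before relying on the audit.

```shell
#!/bin/sh
# Added example (not code from the original article): audit the root account
# from a shell and, if needed, assign a root password without a prompt.
# Assumptions (labelled): macOS keeps the account's authentication policy in
# the AuthenticationAuthority attribute printed by
#   dscl . -read /Users/root AuthenticationAuthority
# a disabled account carries the ";DisabledUser;" token, and an account with
# a stored password carries ";ShadowHash;". A root account with no ShadowHash
# is the state the article describes as exposed on 10.13.

# Sample dscl outputs, constructed for this example (not captured from a Mac).
SAMPLE_NEVER_SET='No such key: AuthenticationAuthority'
SAMPLE_DISABLED_WITH_PW='AuthenticationAuthority: ;DisabledUser;;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'
SAMPLE_ENABLED_WITH_PW='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'

# root_password_state: reads dscl output on stdin and prints
#   "exposed"   - no password hash stored for root (the article's bug case)
#   "mitigated" - root has a stored password, enabled or not
# Limitation: a root account the bug itself has already enabled may hold a
# hash of the empty password, which this check cannot tell from a real one.
root_password_state() {
  attr=$(cat)
  case "$attr" in
    *ShadowHash*) echo mitigated ;;
    *)            echo exposed ;;
  esac
}

# root_enabled_state: prints "disabled" or "enabled" from the same output.
root_enabled_state() {
  attr=$(cat)
  case "$attr" in
    *DisabledUser*) echo disabled ;;
    *ShadowHash*)   echo enabled ;;
    *)              echo disabled ;;   # attribute absent: root never enabled
  esac
}

# audit_root: runs the real dscl query on macOS; elsewhere just says so.
audit_root() {
  if [ "$(uname -s)" != "Darwin" ]; then
    echo "not macOS; nothing to audit"
    return 0
  fi
  out=$(dscl . -read /Users/root AuthenticationAuthority 2>&1)
  echo "root password: $(printf '%s\n' "$out" | root_password_state)"
  echo "root account:  $(printf '%s\n' "$out" | root_enabled_state)"
}

# remediate_root: assign a root password non-interactively via dscl, the
# scripted counterpart of the article's `sudo passwd root`. Run with sudo.
# Usage: remediate_root 'a-long-unique-passphrase'
remediate_root() {
  [ "$(uname -s)" = "Darwin" ] || { echo "not macOS" >&2; return 1; }
  [ -n "$1" ] || { echo "refusing to set an empty root password" >&2; return 1; }
  dscl . -passwd /Users/root "$1"
}

audit_root
```

The audit needs no privileges; the remediation must run as root (via sudo). Because the audit cannot distinguish an empty root password from a real one, treat its output as informational and set a real root password regardless of what it reports.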
Does the root login bug impact macOS Sierra, Mac OS X El Capitan, or before?
The password-less root login bug appears to only impact macOS High Sierra 10.13.x and does not appear to impact earlier versions of macOS and Mac OS X system software.
Additionally, if you had previously enabled root via the command line or Directory Utility, or changed the root password at some other time, the bug would not work on that macOS High Sierra machine.
Remember, Apple is aware of this problem and will issue a security update in the near future to address the bug. In the meantime, do yourself a favor and set or change the root password on Macs running macOS High Sierra to protect them from unauthorized full access to the machine and all its data and contents.