macOS High Sierra Has a Severe Vulnerability Giving Anyone Root Access – Here’s How to Fix It [Update]


macOS High Sierra has the scariest vulnerability I’ve personally confirmed. It gives anyone with physical access to your Mac immediate and easy root privileges, meaning access to everything on your Mac. Fortunately, there’s a fix you can do yourself until Apple fixes this mess.

Update 3: Apple released a patch Wednesday morning that fixes this issue. Below is our original article explaining the problem and the workaround before Apple’s patch.

Update 1: Apple issued a statement to iMore saying:

We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here: https://support.apple.com/en-us/HT204012. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the “Change the root password” section.

What Is Root?

Root is an old Unix and Linux term (it’s also relevant to Android, which is based on the Linux kernel). Root is essentially the most powerful user account in macOS, which has its own origins in Unix. Root has access to everything on a given Mac, and by everything, I mean every user, every folder, and every file. Root can do anything to a Mac it wants, including installing software and deleting anything, even whole users. For instance, someone using this exploit could log onto your Mac, install a keylogger, and log out, all without a password. This is a problem.

Root Access on macOS High Sierra without Password

Here’s the problem: you can log on to a Mac running macOS High Sierra as root without a password, as first mentioned by @lemiorhan (via @flargh). All you have to do is enter “root” (without the quote marks) as the user and leave the password field blank at the boot up login screen. Hit the login button, and you’re good to go. It’s as simple as that. I tested this out, and it worked. I was logged into my Mac as the root user without having had to enter any kind of password. In the screenshot below, I’ve used this security hole to log in as root at the login screen. Once in, I launched the Terminal (see below), which shows me logged in as “root.”

Terminal Showing Me as Root User


As root, I had total access to everything on my Mac. Here’s a screenshot of a Finder window showing the contents deep inside my main bryan user folder.

Finder Window Showing Full Access to Everything in macOS High Sierra


macOS High Sierra Root Security Hole Also Works in Users & Groups

I was also able to confirm that you can gain root privileges in System Preferences > Users & Groups with the same technique. Click the Lock button, enter “root” as the user (without the quotes), and click on the password field without entering any characters. If you just hit the Unlock button without moving the cursor to the password field, the user name will revert to the user name you’re logged on with.

System Preferences > Users & Groups as Root


This works as a Guest user or in another Admin account. With root privileges, you can delete any other user right from this window. This includes all their data.

Quick Fix for macOS High Sierra Root Security Hole – Enable Root

Fortunately, there’s a fix, and it’s pretty easy: just set a password for root. This will prevent anyone from logging on as root without a password. Update 2: But, you must enable root for this to work! If root is disabled, setting a password for the user won’t block this security hole. Jeff Gamet tested this with root disabled, and confirmed that setting a password did not block this exploit. Here’s how to check/enable root:

  1. Choose Apple menu > System Preferences, then click Users & Groups (or Accounts).
  2. Click lock icon, then enter an administrator name and password.
  3. Click Login Options.
  4. Click Join (or Edit).
  5. Click Open Directory Utility.
  6. Click lock icon in the Directory Utility window, then enter an administrator name and password.
  7. From the menu bar in Directory Utility:
    • Choose Edit > Enable Root User, then enter the password that you want to use for the root user.
    • Or choose Edit > Disable Root User.

Quick Fix for macOS High Sierra Root Security Hole

Now that Root is enabled, you’re going to need to use the Terminal to assign it a password, as described by Leo Laporte. To open the Terminal, you can open Spotlight by hitting Command-Space and typing “term.” It will likely default to the Terminal app. Hit return, and it will launch. You can also find it in Applications > Utilities > Terminal.

For your copy-pasting convenience, here are those instructions in plain text:

  1. Open Terminal.
  2. Type: sudo su
  3. Hit return, and you’ll be asked for your password. This should be the password for the Admin account you are currently logged into your Mac with.
  4. Terminal will spit back: sh-3.2#
  5. Type: passwd
  6. The terminal spits back: Changing password for root.
  7. Enter a new password for root. It should be something you can remember. Enter it into 1Password or another password keeper if you use one.
  8. Terminal will spit back: Retype new:
  9. Enter that new password a second time, and Terminal will complete the process and return: sh-3.2#
  10. Type exit to logout as superuser.

Here’s what the whole process looks like:

Terminal window for making a password for root.
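
A read-only way to check whether the workaround above is in place, as an added example that is not from the original article or from Apple. It assumes dscl reports "Password: *" for a disabled root account and a ";ShadowHash;" AuthenticationAuthority entry once root has a password hash; classify_root and root_advice are hypothetical helper names, and the two sample outputs are constructed.

```shell
#!/bin/sh
# Added example: report the root account state without changing anything.

# Constructed sample outputs of
#   dscl . -read /Users/root Password AuthenticationAuthority
# (assumed format, not captured from a real machine)
SAMPLE_DISABLED='No such key: AuthenticationAuthority
Password: *'
SAMPLE_ENABLED='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>
Password: ********'

# classify_root "<dscl output>" -> prints enabled | disabled | unknown
classify_root() {
    out=$1
    pw=$(printf '%s\n' "$out" | sed -n 's/^Password:[[:space:]]*//p' | head -n 1)
    if printf '%s\n' "$out" | grep -q ';ShadowHash;'; then
        echo enabled            # root has a stored password hash
    elif [ "$pw" = "*" ]; then
        echo disabled           # "*" marker: no usable password, root not enabled
    else
        echo unknown
    fi
}

# root_advice "<macOS version>" "<state>" -> prints what the article recommends
root_advice() {
    case "$1" in
        10.13|10.13.*) ;;       # 10.13.x is High Sierra
        *) echo "not High Sierra ($1): this article does not apply"; return 0 ;;
    esac
    case "$2" in
        enabled)  echo "root enabled with a password hash: make sure the password is not blank" ;;
        disabled) echo "root disabled: enable root and set a password, or install Apple's patch" ;;
        *)        echo "root state unclear: check Directory Utility" ;;
    esac
}

# Only query the directory service where dscl exists (i.e. on a Mac).
if command -v dscl >/dev/null 2>&1; then
    ver=$(sw_vers -productVersion)
    out=$(dscl . -read /Users/root Password AuthenticationAuthority 2>&1)
    root_advice "$ver" "$(classify_root "$out")"
fi
```

A result of "enabled" only shows that a hash is stored, so a machine where nobody deliberately enabled root deserves a password reset through the steps above.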


Everyone expects Apple to fix this ASAP, and that includes me.

geoduck

I knew they’d be quick about it.

aardman

FYI, Apple has released the security update that fixes this. It’s on App Store Updates.


geoduck

Bad? Yes.
But I’m not panicking. It requires physical access. I’m not using a MacBook any more. My iMac is in a secure location. Bad, yes, but I’ll wait for the patch from Apple.

Old UNIX Guy

Hi Geoduck,

Make sure your iMac doesn’t allow any sort of remote access … either ssh or VNC or anything like that. Otherwise, you’re still vulnerable.

And as Bryan’s article points out, this problem can be solved very easily by setting a password for the root account, so why not take the 30 seconds it would take to guarantee that this issue is prevented???

Old UNIX Guy

geoduck

Good point. I do not use remote access of any kind on this machine. But that is a legitimate concern that has been overlooked in a lot of the articles I’ve seen. As far as why I don’t go in and set the PW, as I see it the risk of not doing something is near zero for my system, but there is a slightly higher risk of changing the password on a critical system with unknown impact. Plus that would be another PW I need to keep track of. I’ll let Apple fix it, as I said I think…

Lee Dronick

As with Geoduck, my Macs are in a relatively secure location. Those in places such as libraries, schools, and business settings are another story.

John Kheit

Oh yea, and this is the greatest security f*** up of all time on any system anywhere. To have a hole like that, seriously, multiple heads should roll. It’s like the NSA having a web faced login to their most secure databases with no password. Incredible total s***show.

John Kheit

They had their security guy leave a while back, forget the dude’s name, but he was very good, and it’s clear that they really needed him. I don’t blame Craig in the sense that he needs to personally test security, that’s not his job. I do blame whoever was responsible for a) letting that great security dude go, and b) didn’t replace him with someone that was at least equally great. If that was Craig’s responsibility, then yea, shame on him. It could be Cook’s responsibility, because security is not a ‘mac’ role, or an ‘ios’ role, but really it…

Old UNIX Guy

When those two Navy ships had the collisions with other ships at sea the Captain(s) were relieved of their command even though they weren’t on the bridge at the time the accident happened. Why? Because they’re the one ultimately responsible. If those under their charge made inexcusable mistakes then that’s their fault. Under the same principle, Craig Federighi needs to go … he’s the “captain” … the Senior VP of Software Development (or whatever his exact title is). No, he didn’t introduce the bug himself … but it’s as inexcusable as a Navy ship colliding with another vessel so the…

John Kheit

As of 2011 security was a senior VP role on equal footing to software. Meaning the buck didn’t stop with Craig but with svp of security. Don’t know if it’s still that way.

wab95

Many thanks, Bryan.

A very important PSA.

I did not get the ‘Edit’ > ‘Enable Root User’ option in the Directory Utility. However, I did set a root password via terminal.

Agree with Old Unix Guy; this seems like a glaring and inexcusable omission.

nils7

I do not have such a problem
Just in case, I disabled root

Lee Dronick

They will probably fix this pretty quick, unless the FBI gets an injunction to stop them.

Old UNIX Guy

Let me ask yet again … why do so many people have a man crush on Craig Federighi?!? This is as bad AND as inexcusable as it gets and the buck stops with him.

Oh, but wait, Animoji’s work and that’s all that matters, right Craig?

Old UNIX Guy