macOS High Sierra has the scariest vulnerability I’ve personally confirmed. It gives anyone with physical access to your Mac immediate and easy root privileges, meaning access to everything on your Mac. Fortunately, there’s a fix you can do yourself until Apple fixes this mess.
Update 3: Apple released a patch Wednesday morning that fixes this issue. Below is our original article explaining the problem and the workaround before Apple’s patch.
Update 1: Apple issued a statement to iMore saying:
We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here: https://support.apple.com/en-us/HT204012. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the “Change the root password” section.
What Is Root?
Root is an old Unix and Linux term (it’s also relevant to Android, which is based on the Linux kernel). Root is essentially the most powerful user account in macOS, which has its own origins in Unix. Root has access to everything on a given Mac, and by everything, I mean every user, every folder, and every file. Root can do anything to a Mac it wants, including installing software and deleting anything, even whole users. For instance, someone using this exploit could log onto your Mac, install a keylogger, and log out, all without a password. This is a problem.
Root Access on macOS High Sierra without Password
Here’s the problem: you can log on to a Mac running macOS High Sierra as root without a password, as first mentioned by @lemimorhan (via @flargh). All you have to do is enter “root” (without the quote marks) as the user and leave the password field blank at the boot up login screen. Hit the login button, and you’re good to go. It’s as simple as that. I tested this out, and it worked. I was logged into my Mac as the root user without having had to enter any kind of password. In the screenshot below, I’ve used this security hole to log in as root at the login screen. Once in, I launched the Terminal (see below), which shows me logged in as “root.”
As root, I had total access to everything on my Mac. Here’s a screenshot of a Finder window showing the contents deep inside my main bryan user folder.
macOS High Sierra Root Security Hole Also Works in Users & Groups
I was also able to confirm that you can gain root privileges in System Preferences > Users & Groups with the same technique. Click the Lock button, enter “root” as the user (without the quotes), and click on the password field without entering any characters. If you just hit the Unlock button without moving the cursor to the password field, the user name will revert to the user name you’re logged on with.
This works as a Guest user or in another Admin account. With root privileges, you can delete any other user right from this window. This includes all their data.
Quick Fix for macOS High Sierra Root Security Hole – Enable Root
Fortunately, there’s a fix, and it’s pretty easy: just set a password for root. This will prevent anyone from logging on as root without a password. Update 2: You must enable root for this to work! If root is disabled, setting a password for the user won’t block this security hole. Jeff Gamet tested this with root disabled, and confirmed that setting a password did not block this exploit. Here’s how to check/enable root:
- Choose Apple menu > System Preferences, then click Users & Groups (or Accounts).
- Click the lock icon, then enter an administrator name and password.
- Click Login Options.
- Click Join (or Edit).
- Click Open Directory Utility.
- Click the lock icon in the Directory Utility window, then enter an administrator name and password.
- From the menu bar in Directory Utility:
  - Choose Edit > Enable Root User, then enter the password that you want to use for the root user.
  - Or choose Edit > Disable Root User.
Quick Fix for macOS High Sierra Root Security Hole
Now that Root is enabled, you’re going to need to use the Terminal to assign it a password, as described by Leo Laporte. To open the Terminal, you can open Spotlight by hitting Command-Space and typing “term.” It will likely default to the Terminal app. Hit return, and it will launch. You can also find it in Applications > Utilities > Terminal.
On my Mac, running the current public beta of High Sierra this worked to fix the root problem. Give root a password. Open Terminal. Type:
$ sudo su
Password: (your password)
sh-3.2 # passwd
Changing password for root.
New password: (enter something you’ll remember)
Retype new:
— Leo Laporte, Chief TWiT and The Tech Guy (@leolaporte) November 28, 2017
For your copy-pasting convenience, here are those instructions in plain text. Open Terminal. Type:
sudo su
Hit return, and you’ll be asked for your password. This should be the password for the Admin account you are currently logged into your Mac with. Terminal will spit back a root shell prompt (sh-3.2# in the tweet above). Type:
passwd
The terminal spits back:
Changing password for root.
Enter a new password for root. It should be something you can remember. Enter it into 1Password or another password keeper if you use one. Terminal will spit back:
Retype new:
Enter that new password a second time, and Terminal will complete the process and return you to the root prompt. Type:
exit
to log out as superuser. Here’s what the whole process looks like:
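Since the workaround only holds when root is both enabled and given a password, here is an added check (not from the article or from Apple) that reads root’s AuthenticationAuthority attribute with dscl and reports whether root is still disabled. The helper root_state_from_auth and the sample dscl lines are constructed for this example; the ";DisabledUser;" marker is what macOS records for a disabled account.

```shell
#!/bin/sh
# Added example, not part of the original article: classify the root account's
# state from the AuthenticationAuthority attribute that
# `dscl . -read /Users/root AuthenticationAuthority` prints on macOS.
# A disabled root carries the ";DisabledUser;" marker; the article's fix needs
# root enabled AND given a password, so "disabled" means the fix is not in place.
root_state_from_auth() {
    # $1: the AuthenticationAuthority line (empty if the attribute is missing)
    # The DisabledUser marker is checked first because a disabled account still
    # carries a ShadowHash entry after it.
    case "$1" in
        "")                 echo "unknown" ;;
        *";DisabledUser;"*) echo "disabled" ;;
        *";ShadowHash;"*)   echo "enabled" ;;
        *)                  echo "unknown" ;;
    esac
}

# Live check on a Mac: read the attribute via dscl and report. Exit status is 0
# only when root is enabled, i.e. the state the article's workaround requires.
check_root_enabled() {
    auth=$(dscl . -read /Users/root AuthenticationAuthority 2>/dev/null)
    state=$(root_state_from_auth "$auth")
    echo "root account state: $state"
    [ "$state" = "enabled" ]
}

# Constructed sample lines, shaped like real dscl output, for offline use.
SAMPLE_DISABLED='AuthenticationAuthority: ;DisabledUser;;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'
SAMPLE_ENABLED='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'
```

On a Mac, run `check_root_enabled` after the Directory Utility steps above; a "disabled" result means the Terminal password step alone will not close the hole.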
Everyone expects Apple to fix this ASAP, and that includes me.