macOS High Sierra Has a Severe Vulnerability Giving Anyone Root Access – Here’s How to Fix It [Update]

System Preferences > Users & Groups as Root

macOS High Sierra has the scariest vulnerability I’ve personally confirmed. It gives anyone with physical access to your Mac immediate and easy root privileges, meaning access to everything on your Mac. Fortunately, there’s a fix you can do yourself until Apple fixes this mess.

Update 3: Apple released a patch Wednesday morning that fixes this issue. Below is our original article explaining the problem and the workaround before Apple’s patch.

Update 1: Apple issued a statement to iMore saying:

We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here: https://support.apple.com/en-us/HT204012. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the “Change the root password” section.

What Is Root?

Root is an old Unix and Linux term (it’s also relevant to Android, which is based on the Linux kernel). Root is essentially the most powerful user account in macOS, which has its own origins in Unix. Root has access to everything on a given Mac, and by everything, I mean every user, every folder, and every file. Root can do anything to a Mac it wants, including installing software and deleting anything, even whole users. For instance, someone using this exploit could log onto your Mac, install a keylogger, and log out, all without a password. This is a problem.

Root Access on macOS High Sierra without Password

Here’s the problem: you can log on to a Mac running macOS High Sierra as root without a password, as first mentioned by @lemimorhan (via @flargh). All you have to do is enter “root” (without the quote marks) as the user name and leave the password field blank at the login screen shown after boot-up. Hit the login button, and you’re good to go. It’s as simple as that. I tested this out, and it worked. I was logged into my Mac as the root user without having had to enter any kind of password. In the screenshot below, I’ve used this security hole to log in as root at the login screen. Once in, I launched the Terminal (see below), which shows me logged in as “root.”

Terminal Showing Me as Root User

As root, I had total access to everything on my Mac. Here’s a screenshot of a Finder window showing the contents deep inside my main bryan user folder.

Finder Window Showing Full Access to Everything in macOS High Sierra

macOS High Sierra Root Security Hole Also Works in Users & Groups

I was also able to confirm that you can gain root privileges in System Preferences > Users & Groups with the same technique. Click the Lock button, enter “root” as the user (without the quotes), and click on the password field without entering any characters. If you just hit the Unlock button without moving the cursor to the password field, the user name will revert to the user name you’re logged on with.

System Preferences > Users & Groups as Root

This works as a Guest user or in another Admin account. With root privileges, you can delete any other user right from this window. This includes all their data.

Quick Fix for macOS High Sierra Root Security Hole – Enable Root

Fortunately, there’s a fix, and it’s pretty easy: just set a password for root. This will prevent anyone from logging on as root without a password. Update 2: But you must enable root for this to work! If root is disabled, setting a password for it won’t block this security hole. Jeff Gamet tested this with root disabled, and confirmed that setting a password did not block this exploit. Here’s how to check/enable root:

  1. Choose Apple menu > System Preferences, then click Users & Groups (or Accounts).
  2. Click lock icon, then enter an administrator name and password.
  3. Click Login Options.
  4. Click Join (or Edit).
  5. Click Open Directory Utility.
  6. Click lock icon in the Directory Utility window, then enter an administrator name and password.
  7. From the menu bar in Directory Utility:
    • Choose Edit > Enable Root User, then enter the password that you want to use for the root user.
    • Or choose Edit > Disable Root User.

Quick Fix for macOS High Sierra Root Security Hole

Now that Root is enabled, you’re going to need to use the Terminal to assign it a password, as described by Leo Laporte. To open the Terminal, you can open Spotlight by hitting Command-Space and typing “term.” It will likely default to the Terminal app. Hit return, and it will launch. You can also find it in Applications > Utilities > Terminal.

For your copy-pasting convenience, here are those instructions in plain text:

  1. Open Terminal.
  2. Type: sudo su
     Hit return, and you’ll be asked for your password. This should be the password for the Admin account you are currently logged into your Mac with. Terminal will spit back: sh-3.2#
  3. Type: passwd
     The terminal spits back: Changing password for root.
  4. Enter a new password for root. It should be something you can remember. Enter it into 1Password or another password keeper if you use one. Terminal will spit back: Retype new:
  5. Enter that new password a second time, and Terminal will complete the process and return: sh-3.2#
  6. Type exit to log out as superuser.

Here’s what the whole process looks like:

Terminal window for making a password for root.
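Because the workaround only helps when root is both enabled and given a password, it is useful to be able to check which state a Mac is in before (and after) applying it. The script below is an added example, not from the article or from Apple: it reads the AuthenticationAuthority attribute of the root account with dscl, classifies the result, and points to the remediation command for each case. It assumes, as Apple’s tools behaved at the time and not as stated on the page, that dscl reports “No such key” (or a “;DisabledUser;” entry) when root has never been enabled and a “;ShadowHash;…” entry once root has a password hash; the dscl output strings used for classification are constructed samples of that format. Note that a ShadowHash entry only shows a password hash exists, not that the password is non-blank, so after enabling root still set the password explicitly.

```shell
#!/bin/sh
# Added example (not the article's own code): report whether the root account
# on a Mac is enabled, and print the matching remediation.
#
# Assumption (not stated on the page): `dscl . -read /Users/root
# AuthenticationAuthority` prints "No such key: AuthenticationAuthority" when
# root has never been enabled, ";DisabledUser;" after it was disabled with
# dsenableroot -d, and a ";ShadowHash;HASHLIST:<...>" entry when it is enabled.

# root_state_from_dscl: classify the dscl output passed as $1.
# Prints exactly one word: disabled, enabled or unknown.
root_state_from_dscl() {
  case "$1" in
    *"No such key"*|*DisabledUser*) echo disabled ;;
    *ShadowHash*)                   echo enabled ;;
    *)                              echo unknown ;;
  esac
}

# check_root: run the real query (macOS only; dscl is absent elsewhere) and
# classify the result. Returns 2 when the tool is not available.
check_root() {
  if ! command -v dscl >/dev/null 2>&1; then
    echo "dscl not found; this check only applies to macOS" >&2
    return 2
  fi
  out=$(dscl . -read /Users/root AuthenticationAuthority 2>&1)
  root_state_from_dscl "$out"
}

# Entry point: `sh check_root.sh --run` on the Mac you want to inspect.
if [ "${1:-}" = "--run" ]; then
  state=$(check_root) || exit $?
  echo "root account: $state"
  case "$state" in
    disabled)
      echo "root is disabled; enable it and set a non-blank password with:"
      echo "  sudo dsenableroot"
      echo "(it prompts for your admin credentials and the new root password)"
      ;;
    enabled)
      echo "root is enabled; make sure its password is set and not blank:"
      echo "  sudo passwd root"
      ;;
    *)
      echo "unexpected dscl output; inspect it with: dscl . -read /Users/root"
      ;;
  esac
fi
```

dsenableroot is preferred here over passing a password on the command line because its interactive prompts keep the new root password out of the shell history and the process list; it does the same job as the Directory Utility and Terminal steps above in one go.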

Everyone expects Apple to fix this ASAP, and that includes me.

16 thoughts on “macOS High Sierra Has a Severe Vulnerability Giving Anyone Root Access – Here’s How to Fix It [Update]”

  • Bad? Yes.
    But I’m not panicking. It requires physical access. I’m not using a MacBook any more. My iMac is in a secure location. Bad, yes, but I’ll wait for the patch from Apple.

    1. Hi Geoduck,

      Make sure your iMac doesn’t allow any sort of remote access … either ssh or VNC or anything like that. Otherwise, you’re still vulnerable.

      And as Bryan’s article points out, this problem can be solved very easily by setting a password for the root account, so why not take the 30 seconds it would take to guarantee that this issue is prevented???

      Old UNIX Guy

      1. Good point. I do not use remote access of any kind on this machine. But that is a legitimate concern that has been overlooked in a lot of the articles I’ve seen.
        As far as why I don’t go in and set the PW, as I see it the risk of not doing something is near zero for my system, but there is a slightly higher risk of changing the password on a critical system with unknown impact. Plus that would be another PW I need to keep track of.
        I’ll let Apple fix it, as I said I think Apple will have it patched within days.

  • Oh yea, and this is the greatest security f*** up of all time on any system anywhere. To have a hole like that, seriously, multiple heads should roll. It’s like the NSA having a web faced login to their most secure databases with no password. Incredible total s***show.

  • They had their security guy leave a while back, forget the dude’s name, but he was very good, and it’s clear that they really needed him. I don’t blame Craig in the sense that he needs to personally test security, that’s not his job. I do blame whoever was responsible for a) letting that great security dude go, and b) didn’t replace him with someone that was at least equally great.

    If that was Craig’s responsibility, then yea, shame on him. It could be cook’s responsibility, because security is not a ‘mac’ role, or an ‘ios’ role, but really it should be a company-wide role. To me that speaks more on cook than anyone else, but am open to hearing correction if anyone happens to know the actual pecking order at apple.

    1. When those two Navy ships had the collisions with other ships at sea the Captain(s) were relieved of their command even though they weren’t on the bridge at the time the accident happened. Why? Because they’re the one ultimately responsible. If those under their charge made inexcusable mistakes then that’s their fault.

      Under the same principle, Craig Federighi needs to go … he’s the “captain” … the Senior VP of Software Development (or whatever his exact title is). No, he didn’t introduce the bug himself … but it’s as inexcusable as a Navy ship colliding with another vessel so the fact that someone under him made such a mistake shows he’s not fit for command.

      I don’t care that he’s a great presenter at WWDC and has great hair. I want the software quality we had back in the Snow Leopard days when Bertrand Serlet was in charge…

      Old UNIX Guy

      1. As of 2011 security was a senior VP role on equal footing to software. Meaning the buck didn’t stop with Craig but with svp of security. Don’t know if it’s still that way.

  • Many thanks, Bryan.

    A very important PSA.

    I did not get the ‘Edit’ > ‘Enable Root User’ option in the Directory Utility. However, I did set a root password via terminal.

    Agree with Old Unix Guy; this seems like a glaring and inexcusable omission.

  • Let me ask yet again … why do so many people have a man crush on Craig Federighi?!? This is as bad AND as inexcusable as it gets and the buck stops with him.

    Oh, but wait, Animoji’s work and that’s all that matters, right Craig?

    Old UNIX Guy
