MacOS High Sierra Security Bug Allows Root Login Without a Password, Here's a Fix
A significant security vulnerability has been discovered in macOS High Sierra, potentially allowing any person to log into a Mac with full root administrative capabilities without a password. This is an urgent security problem, and while a software update should arrive to resolve the problem soon, this article will detail how to protect your Mac from this security hole. For some quick background, the security hole allows a person to enter root as a username and then immediately log in as root to the Mac, without a password.
The password-less root login can occur directly with a physical machine at the general user login screen seen on boot, from the System Preferences panels which typically require authentication, or even over VNC and Remote Login if those latter two remote access features are enabled.
Any of these scenarios then allows full access to the MacOS High Sierra machine without ever using a password. A root user account provides the highest level of system access possible on MacOS or any Unix-based operating system: root grants all capabilities of administrative user accounts on the machine, in addition to unrestricted access to any system-level components or files.
Mac users impacted by the security bug include anyone running macOS High Sierra 10.13, 10.13.1, or 10.13.2 betas who have not previously or on the Mac before, which is the vast majority of Mac users running High Sierra. Sounds bad, right? It is, but there's a fairly easy workaround that will prevent this security bug from being a problem.
All you have to do is set a root password on the impacted Mac. There are two approaches to preventing root login without a password on a MacOS High Sierra machine: you can use Directory Utility or the command line. We'll cover both. Directory Utility is perhaps easier for most users since it is accomplished entirely from the graphical interface on the Mac, whereas the command line approach is text based and generally considered more complex. *** If the root user account is not yet enabled, choose Enable Root User and then set a password instead.
Essentially all you are doing is assigning a password to the root account, meaning that logging in with root will then require a password as it should. If you do not assign a password to root this way, amazingly, a macOS High Sierra machine accepts a root login without a password at all. Users who would prefer to use the command line in macOS can also set or assign a root password with sudo and the regular old passwd command.
Be sure to set the root password to something you will remember, or perhaps even matching your admin password. It appears only macOS High Sierra machines are impacted by this security bug. The easiest way to check to see if your Mac is vulnerable to the root login bug is to try to log in as root, without a password.
You can do this from the general boot login screen, or via any admin authentication panel (clicking the lock icon) available in System Preferences like FileVault or Users & Groups. Simply put root as the user, do not enter a password, and click Unlock twice. If the bug impacts you, you will then be logged in as root or granted root privileges.
You must hit Unlock twice: the first time you click the Unlock button it creates the root account with a blank password, and the second time you click Unlock it logs in, allowing for full root access. The bug, which is basically a 0day root exploit, was first reported to the public on and has quickly gained steam and media attention due to the potential severity of impact.
Apple is apparently aware of the issue and is working on a software update to resolve the problem. The password-less root login bug appears to only impact macOS High Sierra 10.13.x and does not appear to impact earlier versions of macOS and Mac OS X system software.
Additionally, if you had previously or , or at some other time, the bug would not work on such a macOS High Sierra machine. Remember, Apple is aware of this problem and will issue a security update in the near future to address the bug.
In the meantime, do yourself a favor and set or change the root password on Macs running macOS High Sierra to protect them from unauthorized full access to the machine and all its data and contents.
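As an added example (not from the original article), the script below checks the two conditions described above without attempting the blank-password login, which would itself create the root account. It assumes that `dscl . -read /Users/root Password` prints `Password: *` while root has no password and a masked value once one is set; the function names are hypothetical, and because the article predates Apple's update, the script does not distinguish patched 10.13.x builds.

```shell
#!/bin/sh
# Added example: read-only audit for the High Sierra blank-root condition.
# Assumption: dscl shows "Password: *" for root until a password is assigned.

# Return 0 if the version is in the 10.13.x range named in the article.
is_high_sierra() {
    case "$1" in
        10.13|10.13.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if the dscl "Password:" line shows that a root password exists.
# An empty or missing line is treated as "not set" so it gets a manual look.
root_password_set() {
    value=$(printf '%s\n' "$1" | sed -n 's/^Password:[[:space:]]*//p')
    case "$value" in
        ''|'*') return 1 ;;
        *) return 0 ;;
    esac
}

# Combine both facts into one verdict string.
classify() {
    version=$1
    dscl_line=$2
    if ! is_high_sierra "$version"; then
        echo "not-affected-version"
    elif root_password_set "$dscl_line"; then
        echo "mitigated"
    else
        echo "at-risk"
    fi
}

# Query the live system only on macOS; elsewhere only the functions load.
if [ "$(uname -s)" = "Darwin" ]; then
    ver=$(sw_vers -productVersion)
    line=$(dscl . -read /Users/root Password 2>/dev/null)
    echo "macOS $ver: $(classify "$ver" "$line")"
    # The article's command line workaround when the verdict is at-risk:
    #   sudo passwd root
fi
```

A verdict of `at-risk` means the Mac matches the article's description and should have a root password set using either method above.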