Pro tip: You can log into macOS High Sierra as root with no password

A trivial-to-exploit flaw in macOS High Sierra, aka macOS 10.13, allows users to gain admin rights, or log in as root, without a password. The security bug can be triggered via the authentication dialog box in Apple's operating system, which prompts you for an administrator's username and password when you need to do stuff …

Silver badge
FAIL

Re: They are busy setting Root passwords...

Ford Pinto> Major PR disaster. Ford is still in business.

The "Ford Pinto" was no less vulnerable to rear impacts causing the fuel tank to explode than other cars in its category ... this was a planted PR attack on Ford ... after the incident and recalls, Ford Pintos were the least vulnerable to rear impacts causing the fuel tank to explode in its category, but the damage was already done.

Note, I hate Ford ...

2
1

Not really a fanboy here

But I can't get this to replicate on my own system, no matter what I do. How many times is a few?

0
0
Silver badge
Devil

Re: How worse than Single User Mode?

"but usually physical access is enough to set the root password on *nix."

not entirely true. On FreeBSD, at least, it is possible to require the root password for single-user mode by specifying that the console is 'insecure'. And, Shirley, you COULD also boot a "live CD" (assuming that hasn't been locked out) or "live USB" image, and then mount the hard drive's root partition and do a password reset THAT way (jumping through necessary hoops to do so via the command line) but you can do this in Windows as well.

Or, if you're really desperate, remove the hard drive and plug it into a different computer that has the correct utilities on it for a password reset.

(I'd much rather make miscreants go through that last step)

1
0
Silver badge
Meh

Re: How worse than Single User Mode?

"I'm old fashioned enough never to have been a fan of sudo"

well, if you configure sudo the way a BOFH would, you can lock out anything that's truly "dangerous" and require actually logging in as root for such things.

but most distros that have sudo simply allow any authenticated user to enter his own password to do "whatever he wants" with root credentials. It's convenient, yeah.

1
0
Silver badge
Devil

"Is it that it has no password or that the password hash is set to an invalid value?"

I think it's assigned a random value, but a truly invalid hash would work the same way.

'sudo su' works fine in Ubu if you need to log in as 'root'.

0
0
Silver badge

I'm puzzled

It's amazing how many of these root privilege bypass "bugs" tend to exist in so many OS's - I can't imagine it's due to poor coding, it's almost as if they were put there deliberately, but who would want to do such a thing ??

I also wonder if they get fixed, or just hidden a bit deeper ?

12
3
Silver badge

Re: I'm puzzled

It's not as though Apple has been great at testing their products. They often haven't been tested on older hardware. Now where could they get their hands on older Apple kit before pushing code out the door? So I am not surprised that a blank root account was created.

7
1
Silver badge

Re: I'm puzzled

So much for OS X being rootless from El Capitan onwards.

7
0
Anonymous Coward

Re: I'm puzzled

It's not as though Apple has been great at testing their products

Citation needed. If you were part of the beta test program you would see multiple iterations before a release goes public. That said, this is simply not acceptable.

2
0
Happy

This is a deliberate feature and it's because Apple cares.

When you need to login as root, it's normally to fix something fundamental. Chances are you need to do it quickly, and are in a bit of a panic, a bit stressed and so on, so having to also remember a password just seems a step too far. So well done Apple, reducing stress with intelligent design!

36
6

Re: This is a deliberate feature and it's because Apple cares.

When things are bad enough you have to use root, it is time to slow down and really think about what you are doing. Flailing about in a panic with full privileges often makes things worse.

25
1
Silver badge

Re: This is a deliberate feature and it's because Apple cares.

If your own account is set up with sudo privileges, you can use your own login details to change stuff, so you don't ever need to use the root account. I never log on as root on either my Mac or FreeBSD machines.

10
0
Silver badge

Re: This is a deliberate feature and it's because Apple cares.

That's likely because FreeBSD is designed so that you very rarely need root. I've been running FreeBSD and TrueOS for about three years now and I can count the times I've used root on one hand.

Thing is, last time I had to do anything in the terminal for OS X and needed root, it took me awhile to figure out how to enable the root account as Apple has it disabled by default (or at least did a couple of releases ago around Mavericks) which is usually smart, most users have no need for it. It shouldn't be that easy to escalate privileges in any software. This is the kind of trick that I would have tried back in High School just to see if it'd work, trying root with a blank password, then with "password", and then "administrator" just for shits and grins.

Maybe Apple should hire some decent QA people and give external power users a reason to actually test for them. They won't because they're deluded into thinking that they're perfect, and a lot of that is because of Jobs' blamelessness ("You're holding it wrong"), Ive's very clear desire for form over function, and Cook's issue with keeping quality high so that they can justify their outrageous prices. But it'd be a really good idea.

Thing is, even despite this, I still want a Mac mini whenever they update the hardware. It'd be nice to have a UNIX that I don't have to constantly fuck with to use every now and then.

8
2
Silver badge

Re: This is a deliberate feature and it's because Apple cares.

sudo su

[my user password]

is how I get a root terminal in OSX.

The root user is still disabled by default in the terminal, so I set my root password by doing "sudo passwd root".

4
0
Silver badge

Re: This is a deliberate feature and it's because Apple cares.

"sudo su

[my user password]"

or sudo sh

3
0
Silver badge

Re: This is a deliberate feature and it's because Apple cares.

"It'd be nice to have a UNIX that I don't have to constantly fuck with to use every now and then."

Frank, have you tried Slackware-stable as a day-to-day box? I moved my Wife from WinXP about ten years ago. Granted, it took a little hand-holding at first as she learned where the stuff she wanted to do was located ... but it's three or four laptops later now, and I haven't had to do anything other than new installs and routine updates for her in years. Try it, you might like it.

Hint: If you're new to Slackware, do a complete install. It's not like hard drive space is precious anymore. You can strip out the bits you don't need/want later if the inefficiency annoys you.

Caveat: Slack's KDE-centric, but if you hate KDE it ships with alternatives. And obviously, if you are somewhat computer literate you can easily install any of the desktop environments.

Note: My personal day-to-day box uses the same exact box-stock Slack setup that my wife uses. I never have to fuck with it, it just works. That doesn't mean I don't have a couple of dev boxen with other crap grafted onto them, and a couple of Slackware-current boxes just to keep an eye on development. Hardware's cheap.

7
2
Anonymous Coward

Re: This is a deliberate feature and it's because Apple cares.

"When things are bad enough you have to use root, it is time to slow down"

Would you mind talking to our security team please. They've set our boxes so that only root can see anything other than home directories. The result - everyone does sudo su as soon as they log in.

6
0
Silver badge

Re: This is a deliberate feature and it's because Apple cares.

So well done Apple, reducing stress with intelligent design

I see what you did there: Steve Jobs as the creator of the universe. Makes sense when you think about it and I feel so much better now I know!

2
0
Silver badge
Joke

Re: This is a deliberate feature and it's because Apple cares.

They've set our boxes so that only root can see anything other than home directories. The result - everyone does sudo su as soon as they log in.

Hm, interesting, how do you run sudo, from your home folders ?

0
0
Silver badge

Re: This is a deliberate feature and it's because Apple cares.

Both "sudo su" and "sudo sh" have problems, in that they will not load the root environment, or run the profile.

You really need "sudo su -" to get the full effect as if you had logged on.

1
0
Silver badge
Pint

Mistakes are inevitable

For example: "...the4 password box..." and "...kn own as OS X...".

:-)

3
1
Anonymous Coward

Apple - the rounded edge retail arm of the NSA

That is all

8
3
Anonymous Coward

What is the root cause of this problem?

17
0
Silver badge

The root account is supposed to be disabled in OSX, and you are supposed to use sudo for admin tasks. However, it is set up with no password by default, and there is a way round it being disabled.

1
9
Anonymous Coward

Well in that case let's all root for them to fix it in the next version.

12
0
Anonymous Coward

@katrinab *woosh*

19
0
Silver badge

Bring back Snow Leopard

And the team and management who did that OS.

And I'm not talking about Jobs.

17
0
Anonymous Coward

version?

10.13

They didn't learn from M$ obviously, they skipped version 13 for office. Not that it helped much...

7
2

Re: version?

Ah, someone has been paying attention to the internal Office version shown in the Registry.

5
0
Silver badge

Dev was a twat

What self respecting "developer" spams that sort of message across twatbook?

9
11

Re: Dev was a twat

You know, normally I would agree with you, if this was a technical exploit, or in any way difficult to find or exploit. But in this case, it's such a stupid error, that it is highly likely the exploit is already known about in some black-hat circles.

There is also no guarantee that Apple would have come clean immediately with this exploit, as it is going to severely undermine their reputation. This is not a "security is hard" issue, this is corporate negligence, and Apple's lawyers would be loath to admit to it until they were forced to. This is 'class-action' bad.

This means there would be a risk of a severe exploit window between the knowledge being widely known in cracking circles, and the public being warned about it.

9
1
Anonymous Coward

Re: Dev was a twat

Yep, seems that ppl were sharing this as a user-space password reset feature on apple.com forums from at least November 13th, so presumably fruit were aware of it by then (tho' i know that they claim they don't read the forums)

8
1
Bronze badge

It's harmless

It's just a small glitch in MacOS. It really can't be exploited by anyone much. A true Mac user would never accidentally type 'root' as a user name. And look at all the flaws in windows. One tiny flaw in Apple is nothing by comparison. I'd sooner use my Mac any day than Windows.

Seriously though, I *DO* use a mac, I do prefer using it, but for fucks sake Apple! This is TERRIBLE!!! Very poor show....

13
13
Silver badge

Re: It's harmless

I think (hope) that you forgot the joke icon.

9
0

Not for me?

I'm trying this and having no luck. I'm no fanboi, forced to get a mac for school, but what am I meant to do if I forget my root password now?

2
1
(Written by Reg staff) Silver badge

Re: Not for me?

It only works on public High Sierra macOS (10.13) and only if you don't already have a root password set.

C.

8
0

Re: Not for me?

How often are you expecting to need to use root?!

1
1

Another workaround

I don't have a machine to test this on myself, but I heard changing root's shell to /usr/bin/false is another valid workaround.

3
0
Silver badge

Re: Another workaround

"changing root's shell to /usr/bin/false"

That should work but AFAICS it would break katrinab's suggestion of how to get a root shell from sudo should you want it. sudo sh would still work.

4
0

I always set a root password on sudo-based systems

First thing I do on sudo-based systems is "sudo passwd root". Quite a few such systems would prompt for root's password for filing system repair when booting after an unclean shutdown - you're in trouble if you haven't set one!

I often run several root commands in a row, so I'll often just use "su -" for that (only doable if you set a root password), rather than "sudo bash".

4
0
Headmaster

Re: I always set a root password on sudo-based systems

All 'buntu flavours lock the root account by default, and setting a password will unlock it - I would advise against this. Personally, I prefer a (memorised) strong password on my user account which can be used to gain su privileges, while leaving the root account locked. Just one less thing to keep track of. For passwords, I find it is easier to memorise a phrase of a few words rather than a (shorter) random string - ideally with a few numbers & special characters thrown in for good measure. Faster to type too!

A list of some of the pros of using sudo:

https://help.ubuntu.com/community/RootSudo#Benefits_of_using_sudo

A comparison of different ways of opening a root shell:

https://help.ubuntu.com/community/RootSudo#Special_notes_on_sudo_and_shells

A discussion about character vs. phrase based passwords:

https://theintercept.com/2015/03/26/passphrases-can-memorize-attackers-cant-guess/

When it comes to opening a root shell, I prefer to use "sudo -i", since it keeps confusion to a minimum. This will load root's full environment and prevents accidental overwriting of user files with files owned by root, etc. It also decorates your prompt with a # instead of a $, which serves as a visual reminder that you need to think a little more carefully about what you do next...

"su" on the other hand, is not intended specifically for gaining root privileges; it actually stands for "substitute user" and allows you to impersonate *any* user on the system. By including the " - " it will also load that user's environment. This is often handy when you want to test an application which runs under an account for which login is disabled (such as a daemon), and see if/where it runs into permission issues etc (i.e. "su - accountname"). An omitted account name will default to "root", which is probably why it's often used in the way you suggest, though while the resulting shell is basically the same as what you would get with "sudo -i" I would personally not use "su -" to become root. Just feels wrong.

See also "man sudo" and "man su".

</lecture>

7
1
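Added example, not part of any commenter's post: a small shell audit that tells apart the account states the thread keeps returning to (a locked root account as on Ubuntu, an account with no password at all, a real hash) and shows the login shell that the /usr/bin/false workaround changes. It assumes the Linux shadow(5)/passwd(5) file formats rather than macOS directory services; the function names and sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit shadow(5)/passwd(5)-format files for the account
# states discussed in the thread. All sample data below is constructed.

# Classify the password field (field 2) of a shadow entry.
classify_shadow_field() {
    case "$1" in
        '')        echo EMPTY  ;;  # no password required (subject to PAM policy)
        '!'*|'*'*) echo LOCKED ;;  # no password can ever hash to this value
        '$'*)      echo HASHED ;;  # crypt(3) modular hash: a real password is set
        *)         echo OTHER  ;;  # legacy or unrecognised format
    esac
}

# Print "<name> password=<state> shell=<shell>" for one account.
# $1 = account, $2 = shadow-format file, $3 = passwd-format file
audit_account() {
    awk -F: -v u="$1" '$1 == u { f = 1 } END { exit !f }' "$2" || {
        echo "$1 not found" >&2; return 1; }
    field=$(awk -F: -v u="$1" '$1 == u { print $2; exit }' "$2")
    shell=$(awk -F: -v u="$1" '$1 == u { print $7; exit }' "$3")
    echo "$1 password=$(classify_shadow_field "$field") shell=$shell"
}

# List every account whose password field is empty.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Write constructed sample files into a fresh temp dir and print its path.
make_sample_dir() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/shadow" <<'EOF'
root:!:17500:0:99999:7:::
alice:$6$constructed$NotARealHash:17500:0:99999:7:::
svc:*:17500:0:99999:7:::
guest::17500:0:99999:7:::
EOF
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
svc:x:998:998::/var/lib/svc:/usr/bin/false
guest:x:1001:1001::/home/guest:/bin/sh
EOF
    echo "$dir"
}

d=$(make_sample_dir)
for u in root alice svc guest; do audit_account "$u" "$d/shadow" "$d/passwd"; done
echo "empty-password accounts: $(empty_password_accounts "$d/shadow")"
rm -rf "$d"
```

On a real system, run the functions as root against /etc/shadow and /etc/passwd; any name printed by empty_password_accounts is an account that needs a password set or a lock applied.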

For the apologists.

Other OSs do it too. So what? Apple and their fans pride themselves on being secure by default. A blank root password is secure by default?

It requires physical access so it's not a vulnerability. It doesn't matter how often I hear this one it makes me laugh. Somebody with physical access can access all your data and that's not a vulnerability? What exactly do you consider a vulnerability then?

You can fix it by setting a root password. You shouldn't have to fix it, how the hell does a "secure" OS manage to install without setting a root password?

It's still more secure than Windows. And? It's not just Apple and Microsoft you know. Neither of the two OS's I'm using these days would allow you to install without setting a password on the root account.

This simple little fuck up shows that Apple's QC can be truly appalling and their attitude to security is not all it's cracked up to be.

Never mind fanbois, you still have your badge.

13
5
Silver badge

Or remote access

Remote desktop certainly lets a miscreant in.

Looking at the description, I'm pretty confident that this also lets in all forms of remote access that use macOS accounts to authenticate.

6
0
Silver badge

In fairness, there don't seem to be too many apologists for once. Presumably, this is so stupid that even Apple fans cannot think up a way to minimize it.

8
2
Silver badge

"It requires physical access so it's not a vulnerability."

To be fair it's not necessarily the worst problem you could have if someone has physical access. But if it's also available remotely as commentards have reported it goes to the top of the class.

Moral - always set a root password - and remember it.

6
1

This post has been deleted by its author

Silver badge

Re: Or remote access

It's a real dumpster fire as they say across the pond.

The very act of trying to authenticate as root enables the root user if it's disabled and then as there was no password set because it was disabled returns "ok, you've got root".

I mean, FFS.

6
0
Silver badge

It requires physical access so it's not a vulnerability. It doesn't matter how often I hear this one it makes me laugh. Somebody with physical access can access all your data and that's not a vulnerability? What exactly do you consider a vulnerability then?

The article has been updated; the trick works from the command line too. So any application that an attacker can get run on the computer can get itself root privileges. So whilst there is no remote vulnerability, it's only one successful social engineering attack away from that.

Pretty dangerous I think, and that alone justifies the early and global dissemination of the news. Leaving this one to fester in private would have left all users everywhere very vulnerable to malicious software.

9
0
Anonymous Coward

There's "physical access" and "physical access"

Sure, if you are alone in a room for a long time with all the needed tools, you can have full physical access, you can disassemble a machine and re-assemble it later, just, if that is one of the glue-assembled ones you need some specific tools and time to take it apart, and put it together again.

But a bug that needs just a few keystrokes to be exploited, doesn't require much "physical access", you just need a few minutes to type on the keyboard - a very different kind of "physical access".

And Macs are not usually machines buried deep in some remote server room...

8
0

Re: There's "physical access" and "physical access"

Or there's I've left my laptop on the train, in the conference room while I'm having lunch/coffee...

3
0
