back to article Pro tip: You can log into macOS High Sierra as root with no password

A trivial-to-exploit flaw in macOS High Sierra, aka macOS 10.13, allows users to gain admin rights, or log in as root, without a password. The security bug can be triggered via the authentication dialog box in Apple's operating system, which prompts you for an administrator's username and password when you need to do stuff …

  1. Anonymous Coward
    Anonymous Coward

    Big Christmas bonus for the person who found the photograph to accompany this article :-)

    1. tfewster Silver badge
      Facepalm

      Appropriate on another level too: She's saying "It's a UNIX system, I know this!"

      1. William Towle
        Pirate

        "How do you create a really secure password?"

        1. bombastic bob Silver badge
          Devil

          "How do you create a really secure password?"

          Having forked FBSD's userland, it should be possible to create a random root password with command line tools (like 'pw') assuming those tools exists on a mac...

          then you can just do the 'sudo su' trick when you want to do things as 'root' for a while...

    2. el kabong Silver badge

      Siri found it.

    3. Brewster's Angle Grinder Silver badge

      I think you'll find they're the devs writing the relevant code.

      1. AlbertH

        Tee Hee

        There are kiddies in every Apple store getting Admin rights and typing rm - rf just to see what happens!

    4. Hans 1 Silver badge
      FAIL

      Big Christmas bonus for the person who found the photograph to accompany this article :-)

      Indeed, have an upvote. (I was 100th)

      As for the blunder, this is Windows-like security.

      Cupertino, stop hiring devs from Redmond, they know jack-shit about coding, have never heard of tests, let alone unit tests .... crikey, this vuln is EPIC.

      How Apple get away with this, I dunno !

  2. Grease Monkey

    Hang on, where are all the fanbois telling us this isn't really a vulnerability?

    1. Michael B.

      They won't, they will point to Windows and engage in Whataboutery.

    2. Anonymous Coward
      Anonymous Coward

      How worse than Single User Mode?

      I'm no fanboi, but usually physical access is enough to set the root password on *nix. Root passwords get forgotten like other passwords, after all.

      Is it exploitable over a remote desktop connection? That would be worse.

      It does raise serious questions about basic quality control, nevertheless.

      1. Anonymous Coward
        Anonymous Coward

        Re: How worse than Single User Mode?

        That's why a lot of distros prefer the "sudo" approach. You never actually log in as root, you just temporarily give the account root permissions...just long enough to run that one command, then you go back to a standard user.

        1. Doctor Syntax Silver badge

          Re: How worse than Single User Mode?

          "That's why a lot of distros prefer the "sudo" approach. You never actually log in as root, you just temporarily give the account root permissions...just long enough to run that one command, then you go back to a standard user."

          I'm not an Apple user but from the account it seems as if this is how macOS has been supposed to work. It hasn't turned out well here.

          I'm old fashioned enough never to have been a fan of sudo. It's always struck me as being an additional attack surface. I suppose it's more convenient than having multiple admin IDs with access to restricted subsets of root functionality such as bin to own system S/W & lpadmin to administer printers & the like but convenience and security don't often mix too well.

          1. bombastic bob Silver badge
            Meh

            Re: How worse than Single User Mode?

            "I'm old fashioned enough never to have been a fan of sudo"

            well, if you configure sudo the way a BOFH would, you can lock out anything that's truly "dangerous" and require actually logging in as root for such things.

            but most distros that have sudo simply allow any authenticated user to enter his own password to do "whatever he wants" with root credentials. It's convenient, yeah.

      2. John H Woods

        Re: How worse than Single User Mode?

        Physical access to the system is different from "terminal" access. Try getting root access on a well-configured Linux system using just the keyboard and the mouse. If you've got physical access to the box, however, you have everything except the content of encrypted drives.

        Although presumably one could splice a wired KB or Mouse to connect a USB storage device and boot from that?

      3. mrfantastic

        Re: How worse than Single User Mode?

        Er, because it bypassed FileVault for all users? You don't get access to an encrypted volume in Linux in single-user mode.

      4. Anonymous Coward
        Anonymous Coward

        Re: How worse than Single User Mode?

        "Is it exploitable over a remote desktop connection? That would be worse."

        Check again. It *IS* exploitable over a RDC!

      5. Wensleydale Cheese
        Unhappy

        Re: How worse than Single User Mode?

        "Is it exploitable over a remote desktop connection? That would be worse."

        Yes.

        I am running a headless Mac mini here, connected via Screen Sharing using an unprivileged username/password, and logged into a non-privileged account.

        I didn't test the main login screen, but the exploit using Preferences > Users and Groups > Unlock worked as described in the article.

        1. Wensleydale Cheese

          Re: How worse than Single User Mode?

          "I am running a headless Mac mini here, connected via Screen Sharing using an unprivileged username/password, and logged into a non-privileged account."

          Having said the above, when you enable Remore Desktop access, you can restrict the functions available to the remote user. This is done on the target computer via System Preferences > Sharing > Remote Management > Options

      6. bazza Silver badge

        Re: How worse than Single User Mode?

        Is it exploitable over a remote desktop connection? That would be worse.

        According to the update to the article it can be done on the command line too. So not vulnerable to a remote attack unless the perpetrator can get something run on the computer first (malicious but otherwise innocuous app, etc). Fishing attack might open up the doors for that.

        I have to say that between Apple and Intel we're seeing some stinking cock ups in recent times. It's almost funny. All we need now is for Windows or Linux to join in and we may as well throw every single computer in the planet into the bin. Apart from the ones running Solaris.

        1. 404 Silver badge

          Re: How worse than Single User Mode?

          Don't tempt me, I still have some Solaris x86 install software laying around...

      7. d3vy Silver badge

        Re: How worse than Single User Mode?

        "Is it exploitable over a remote desktop connection? That would be worse."

        Yes.

        RTFA

      8. dlxMachine

        Re: How worse than Single User Mode?

        Can we login without password on any linux distro from login screen? It is the case here.

        1. Chemist

          Re: How worse than Single User Mode?

          "Can we login without password on any linux distro from login screen? It is the case here."

          Good of you to join to ask that question. !

          The answer ( for all the ones I use) is NO

      9. bombastic bob Silver badge
        Devil

        Re: How worse than Single User Mode?

        "but usually physical access is enough to set the root password on *nix."

        not entirely true. On FreeBSD, at least, it is possible to require the root password for single-user mode by specifying that the console is 'insecure'. And, Shirley, you COULD also boot a "live CD" (assuming that hasn't been locked out) or "live USB" image, and then mount the hard drive's root partition and do a password reset THAT way (jumping through necessary hoops to do so via the command line) but you can do this in Windows as well.

        Or, if you're really desperate, remove the hard drive and plug it into a different computer that has the correct utilities on it for a password reset.

        (I'd much rather make miscreants go through that last step)

    3. Daniel B.
      Boffin

      OSX user here, and it's a vulnerability. It's probably somewhat mitigated in the sense that setting a password for root plugs the hole, but it's still an embarassment. Not sure if it's remotely exploitable, which would be bad. If it allows for su - without a password, it's probably bad, but it would still require someone to log in with a valid username/password before exploiting it.

      If someone already has physical access to the system, there are larger issues at hand.

    4. kain preacher Silver badge

      Would you have root in linux with no password ? Would you have windows account with admin rights but no passowrd ?

      1. handleoclast

        Linux root p/w

        @kain preacher

        Would you have root in linux with no password ?

        Every Linux distro I've installed has asked you to set a root p/w. Never checked if you can leave it blank during install. Even if you can't leave it blank at that stage, it's possible to set a null p/w later. Either way, if you end up with a null p/w for root, it's because you deliberately chose to have it that way. You can't have a null root p/w by accident, or simply by doing nothing as you install the system.

        And no, I wouldn't set a null root p/w deliberately. That would be crazy. I have a somewhat warped mind but I cannot conceive of any circumstance, no matter how bizarre, in which I would legitimately (no criminal intent) want a null root p/w (feel free to prove your mind is more warped than mine by coming up with one).

        I remember the time DEC persuaded me that remote diagnostics were a great idea and that I should have one of those new-fangled modem dooberries. They said I could ensure it would only pick up when I was around to allow them in (which was true). We gave it a try. They told me they couldn't get in with FIELD/SERVICE (those standard superuser accounts had their passwords changed as the very first thing I did on that box) and would I mind changing it back. I gave them a hell of a bollocking over that one. Got a free curry out of it by way of an apology. If they'd suggested I leave the p/w blank on the FIELD account I'd have nuked them from orbit. Null password for superuser accounts? No fucking way.

        1. chuckufarley

          Re: Linux root p/w

          Why not just edit /etc/shadow and expire the root account from there? Sudo will still work and no system processes will fall over, but nobody and nothing will be able to log in as root until the the expiration field is reset in /etc/shadow.

        2. fedoraman

          Re: Linux root p/w

          I used to be an operator on a DEC system (just a MicroVax II), I was amazed when I found out about the FIELD/SERVICE super user login. There was another one, <googles.....> Ah yes, SYYSTEM and MANAGER. Ahh, those days at the Satellite Station!

        3. Anonymous Coward
          Anonymous Coward

          Re: Linux root p/w

          Not true, I'm a Linux sysadmin and none of the Ubuntu variants I've installed over the past 10 years have asked. You have to do this manually after install..

          1. handleoclast

            Re: Linux root p/w

            Not true, I'm a Linux sysadmin and none of the Ubuntu variants I've installed over the past 10 years have asked. You have to do this manually after install..

            From what I've read in other responses, root logins are disabled. So you still have to consciously choose to have a passwordless root login.

        4. tfb Silver badge

          Re: Linux root p/w

          If every Linux distribution you've installed has asked you for a root password then you've never installed Ubuntu.

        5. unimaginative

          Re: Linux root p/w

          The Debian installer lets you leave the root password blank, but if you do it disables root login and gives sudo to the non-root user you create during installation.

        6. This post has been deleted by its author

        7. arctic_haze Silver badge

          Re: Linux root p/w

          I cannot conceive of any circumstance, no matter how bizarre, in which I would legitimately (no criminal intent) want a null root p/w (feel free to prove your mind is more warped than mine by coming up with one).

          The protagonist of the Martian movie could have had a null root password in his abandoned Martian base, at least until he regained some semblance of communication with the Earth.

      2. Doctor Syntax Silver badge

        "Would you have root in linux with no password ?"

        Ubuntu & derivatives. No password but root logins disabled. You're supposed to use sudo and re-enter your own password so if you're in sudoers and someone gets your password they've got root. Wonderful. I don't often use Ubuntu these days.

        1. chuckufarley

          "Ubuntu & derivatives. No password but root logins disabled. You're supposed to use sudo and re-enter your own password so if you're in sudoers and someone gets your password they've got root. Wonderful. I don't often use Ubuntu these days."

          Is it that it has no password or that the password hash is set to an invalid value? It could be the former but I thought it was the latter.

          1. tfb Silver badge

            The password hash is '!' which is an invalid hash but also means the account is locked (anything starting with '!' means that).

          2. Charles 9 Silver badge

            "Ubuntu & derivatives. No password but root logins disabled. You're supposed to use sudo and re-enter your own password so if you're in sudoers and someone gets your password they've got root. Wonderful. I don't often use Ubuntu these days."

            Wouldn't they have enough access under similar systems since the group that would include sudo'ers here would likely be the ones with significant group access otherwise? At least with sudo it's like UAC, the high-level access isn't on all the time.

            PS. sudo doesn't have to be root. You can sudo as other users, too, with their own access restrictions. Again, this creates a temporary privilege escalation, but one you can control better.

            PSS. The sudoers file is also how users can be restricted using sudo, even regarding the root privilege. So instead of it being an all-or-nothing thing like su, it can be turned into a tuned ACL.

          3. bombastic bob Silver badge
            Devil

            "Is it that it has no password or that the password hash is set to an invalid value?"

            I think it's assigned a random value, but a truly invalid hash would work the same way.

            'sudo su' works fine in Ubu if you need to log in as 'root'.

        2. Wensleydale Cheese

          "Ubuntu & derivatives."

          With you on that.

          The Debian distro for the Raspberry Pi allows passwordless sudo from the default account.

          1. smot

            "The Debian distro for the Raspberry Pi allows passwordless sudo from the default account."

            But everytime you log in while it's set that way you get a reminder that you should change it. Gets quite annoying too, so you end up changing it just to get rid of the message.

    5. Anonymous Coward
      Anonymous Coward

      They are busy setting Root passwords...

      BTW a co-worker has just informed me this works on ARD (Apple Remote Desktop) as well, so this is potentially a remote root exploit for anyone with ARD turned on. Might be an issue for other network services, though the SSH default config will probably block that.

      1. Hckr

        Re: They are busy setting Root passwords...

        Oh fcuk...

        Apple is going to crapster. First the scam with faulty MBP, then getting rid of the earphone jack. This is the final step to bankrupcy.

        1. mrdalliard
          Headmaster

          Re: They are busy setting Root passwords...

          >>This is the final step to bankrupcy.

          I should very much doubt this is the final step to bankruptcy. You've seen how much money they have in the bank, right?

        2. Captain Scarlet Silver badge
          Paris Hilton

          Re: They are busy setting Root passwords...

          "Oh fcuk...Apple is going to crapster. First the scam with faulty MBP, then getting rid of the earphone jack. This is the final step to bankrupcy."

          I assume this is missing a troll icon?

        3. This post has been deleted by its author

          1. Wisteela

            Re: They are busy setting Root passwords...

            Yep, with Apple, crap sells.

          2. Joe Gurman

            Re: They are busy setting Root passwords...

            In the long-ago 1970s, I remember several proud Pinto owners (who couldn't afford to replace them) driving around with "Caution: Flammable" stickers on their rear bumpers.

          3. Hans 1 Silver badge
            FAIL

            Re: They are busy setting Root passwords...

            Ford Pinto> Major PR disaster. Ford is still in business.

            The "Ford Pinto" was no less vulnerable to rear impacts causing the fuel tank to explode than other cars in its category ... this was a planted PR attack on Ford ... after the incident and recalls, Ford Pintos were the least vulnerable to rear impacts causing the fuel tank to explode its category, but the damage was already done,

            Note, I hate Ford ...

    6. macjules Silver badge

      Wow, only 2 downvotes. All those fanbois must have been playing World of Warcraft late into the night.

    7. Not also known as SC
      Joke

      "Hang on, where are all the fanbois telling us this isn't really a vulnerability?"

      It's not a vulnerability - you're all just pressing enter wrongly.

    8. TVU

      "Hang on, where are all the fanbois telling us this isn't really a vulnerability?"

      It most definitely is a significant vulnerability but at least with the Unices, really critical bugs tend to get sorted out pretty darn quickly and they don't have to be outed by Google to remind them to get their act together.

    9. tommy_qwerty

      Not really a fanboy here

      But I can't get this to replicate on my own system, no matter what I do. How many times is a few?

  3. Dwarf Silver badge

    I'm puzzled

    Its amazing how many of these root privilege bypass "bugs" tend to exist in so many OS's - I can't imagine it due to poor coding, its almost as if they were put there deliberately, but who would want to do such a thing ??

    I also wonder if they get fixed, or just hidden a bit deeper ?

    1. redpawn Silver badge

      Re: I'm puzzled

      It's not as though Apple has been great at testing their products. They often haven't been tested on older hardware. Now where could they get their hands on older Apple kit before pushing code out the door? So I am not surprised that a blank root account was created.

      1. Anonymous Coward
        Anonymous Coward

        Re: I'm puzzled

        It's not as though Apple has been great at testing their products

        Citation needed. If you were part of the beta test program you would see multiple iterations before a release goes public. That said, this is simply not acceptable.

    2. Dan 55 Silver badge

      Re: I'm puzzled

      So much for OS X being rootless from El Capitan onwards.

  4. Anonymous Coward
    Happy

    This is a deliberate feature and it's because Apple cares.

    When you need to login as root, it's normally to fix something fundamental. Chances are you need to do it quickly, and are in a bit of a panic, a bit stressed and so on, so having to also remember a password just seems a step too far. So well done Apple, reducing stress with intelligent design!

    1. DWRandolph

      Re: This is a deliberate feature and it's because Apple cares.

      When things are bad enough you have to use root, it is time to slow down and really think about what you are doing. Flailing about in a panic with full privileges often makes things worse.

      1. Anonymous Coward
        Anonymous Coward

        Re: This is a deliberate feature and it's because Apple cares.

        "When things are bad enough you have to use root, it is time to slow down"

        Would you mind talking to our security team please. They've set our boxes so that only root can see anything other than home directories. The result - everyone does sudo su as soon as they log in.

        1. Hans 1 Silver badge
          Joke

          Re: This is a deliberate feature and it's because Apple cares.

          They've set our boxes so that only root can see anything other than home directories. The result - everyone does sudo su as soon as they log in.

          Hm, interesting, how do you run sudo, from your home folders ?

    2. katrinab Silver badge

      Re: This is a deliberate feature and it's because Apple cares.

      If your own account is set up with sudo privileges, you can use your own login details to change stuff, so you don't ever need to use the root account. I never log on as root on either my Mac or FreeBSD machines.

      1. FrankAlphaXII

        Re: This is a deliberate feature and it's because Apple cares.

        That's likely because FreeBSD is designed so that you very rarely need root. I've been running FreeBSD and TrueOS for about three years now and I can count the times I've used root on one hand.

        Thing is, last time I had to anything in the terminal for OS X and needed root, it took me awhile to figure out how to enable the root account as Apple has it disabled by default (or at least did a couple of releases ago around Mavericks) which is usually smart, most users have no need for it. It shouldn't be that easy to escalate privileges in any software. This is the kind of trick that I would have tried back in High School just to see if it'd work, trying root with a blank password, then with "password", and then "administrator" just for shits and grins.

        Maybe Apple should hire some decent QA people and give external power users a reason to actually test for them. They won't because they're deluded into thinking that they're perfect, and a lot of that is because of Jobs' blamelessness ("You're holding it wrong"), Ive's very clear desire for form over function, and Cook's issue with keeping quality high so that they can justify their outrageous prices. But it'd be a really good idea.

        Thing is, even despite this, I still want a Mac mini whenever they update the hardware. It'd be nice to have a UNIX that I don't have to constantly fuck with to use every now and then.

        1. katrinab Silver badge

          Re: This is a deliberate feature and it's because Apple cares.

          sudo su

          [my user password]

          is how I get a root terminal in OSX.

          The root user is still disabled by default in the terminal, so I set my root password by doing "sudo passwd root".

          1. Doctor Syntax Silver badge

            Re: This is a deliberate feature and it's because Apple cares.

            "sudo su

            [my user password]"

            or sudo sh

            1. Peter Gathercole Silver badge

              Re: This is a deliberate feature and it's because Apple cares.

              Both "sudo su" and "sudo sh" have problems, in that they will not load the root environment, or run the profile.

              You really need "sudo su -" to get the full effect as if you had logged on.

        2. jake Silver badge

          Re: This is a deliberate feature and it's because Apple cares.

          "It'd be nice to have a UNIX that I don't have to constantly fuck with to use every now and then."

          Frank, have you tried Slackware-stable as a day-to-day box? I moved my Wife from WinXP about ten years ago. Granted, it took a little hand-holding at first as she learned where the stuff she wanted to do was located ... but it's three or four laptops later now, and I haven't had to do anything other than new installs and routine updates for her in years. Try it, you might like it.

          Hint: If you're new to Slackware, do a complete install. It's not like hard drive space is precious anymore. You can strip out the bits you don't need/want later if the inefficiency annoys you.

          Caveat: Slack's KDE-centric, but if you hate KDE it ships with alternatives. And obviously, if you are somewhat computer literate you can easily install any of the desktop environments.

          Note: My personal day-to-day box uses the same exact box-stock Slack setup that my wife uses. I never have to fuck with it, it just works. That doesn't mean I don't have a couple of dev boxen with other crap grafted onto them, and a couple of Slackware-current boxes just to keep an eye on development. Hardware's cheap.

    3. Charlie Clark Silver badge

      Re: This is a deliberate feature and it's because Apple cares.

      So well done Apple, reducing stress with intelligent design

      I see what you did there: Steve Jobs as the creator of the universe. Makes sense when you think about it and I feel so much better now I know!

  5. JeffyPoooh Silver badge
    Pint

    Mistakes are inevitable

    For example: "...the4 password box..." and "...kn own as OS X...".

    :-)

  6. Anonymous Coward
    Anonymous Coward

    Apple - the rounded edge retail arm of the NSA

    That is all

  7. Anonymous Coward
    Anonymous Coward

    What is the root cause of this problem?

    1. katrinab Silver badge

      The root account is supposed to be disabled in OSX, and you are supposed to use sudo for admin tasks. However, it is set up with no password by default, and there is a way round it being disabled.

      1. Anonymous Coward
        Anonymous Coward

        Well in that case lets all root for them to fix it in the next version.

      2. Anonymous Coward
        Anonymous Coward

        @katrinab *woosh*

  8. Dan 55 Silver badge

    Bring back Snow Leopard

    And the team and management who did that OS.

    And I'm not talking about Jobs.

  9. Anonymous Coward
    Anonymous Coward

    version?

    10.13

    They didn't learn from M$ obviously, they skipped version 13 for office. Not that it helped much...

    1. Daniel B.

      Re: version?

      Ah, someone has been paying attention to the internal Office version shown in the Registry.

  10. Gordon 10 Silver badge

    Dev was a twat

    What self respecting "developer" spams that sort of message across twatbook?

    1. HMcG

      Re: Dev was a twat

      You know, normally I would agree with you, if this was a technical exploit, or in any way difficult to find or exploit. But in this case, it's such a stupid error, that it is highly likely the exploit is already know about in some black-hat circles.

      There is also no guarantee that Apple would have come clean immeadiatly with this exploit, as it is going to severely undermine their reputation. This is not a "security is hard" issue, this is corporate negligence, and Apples lawyers would be loath to admit to it until they were forced to. This is 'class-action' bad.

      This means there would be a risk of a severe exploit window between the knowledge being widely known in cracking circles, and the public being warned about.

      1. Anonymous Coward
        Anonymous Coward

        Re: Dev was a twat

        Yep, seems that ppl were sharing this as a user-space password reset feature on apple.com forums from at least November 13th, so presumably fruit were aware of it by then (tho' i know that they claim they don't read the forums)

  11. anthonyhegedus Silver badge

    It's harmless

    It's just a small glitch in MacOS. It really can't be exploited by anyone much. A true Mac user would never accidentally type 'root' as a user name. And look at all the flaws in windows. One tiny flaw in Apple is nothing by comparison. I'd sooner use my Mac any day than Windows.

    Seriously though, I *DO* use a mac, I do prefer using it, but for fucks sake Apple! This is TERRIBLE!!! Very poor show....

    1. AMBxx Silver badge

      Re: It's harmless

      I think (hope) that you forget the joke icon,

  12. MistakeNot

    Not for me?

    I'm trying this and having no luck. I'm no fanboi, forced to get a mac for school, but what am I meant to do if I forget my root password now?

    1. diodesign (Written by Reg staff) Silver badge

      Re: Not for me?

      It only works on public High Sierra macOS (10.13) and only if you don't already have a root password set.

      C.

    2. Mine's a Large One

      Re: Not for me?

      How often are you expecting to need to use root?!

  13. adamr001

    Another workaround

    I don't have a machine to test this on myself, but I heard changing root's shell to /usr/bin/false is another valid workaround.

    1. Doctor Syntax Silver badge

      Re: Another workaround

      "changing root's shell to /usr/bin/false"

      That should work but AFAICS it would break katrinab's suggestion of how to get a root shell from sudo should you want it. sudo sh would still work.

  14. Richard Lloyd

    I always set a root password on sudo-based systems

    First thing I do on sudo-based systems is "sudo passwd root". Quite a few such systems would prompt for root's password for filing system repair when booting after an unclean shutdown - you're in trouble if you haven't set one!

    I often run several root commands in a row, so I'll often just use "su -" for that (only doable if you set a root password), rather than "sudo bash".

    1. Lomax
      Headmaster

      Re: I always set a root password on sudo-based systems

      All 'buntu flavours lock the root account by default, and setting a password will unlock it - I would advise against this. Personally, I prefer a (memorised) strong password on my user account which can be used to gain su privileges, while leaving the root account locked. Just one less thing to keep track of. For passwords, I find it is easier to memorise a phrase of a few words rather than a (shorter) random string - ideally with a few numbers & special characters thrown in for good measure. Faster to type too!

      A list of some of the pros of using sudo:

      https://help.ubuntu.com/community/RootSudo#Benefits_of_using_sudo

      A comparison of different ways of opening a root shell:

      https://help.ubuntu.com/community/RootSudo#Special_notes_on_sudo_and_shells

      A discussion about character vs. phrase based passwords:

      https://theintercept.com/2015/03/26/passphrases-can-memorize-attackers-cant-guess/

      When it comes to opening a root shell, I prefer to use "sudo -i", since it keeps confusion to a minimum. This will load root's full environment and prevents accidental overwriting of user files with files owned by root, etc. It also decorates your prompt with a # instead of a $, which serves as a visual reminder that you need to think a little more carefully about what you do next...

      "su" on the other hand, is not intended specifically for gaining root privileges; it actually stands for "substitute user" and allows you to impersonate *any* user on the system. By including the " - " it will also load that user's environment. This is often handy when you want to test an application which runs under an account for which login is disabled (such as a daemon), and see if/where it runs into permission issues etc (i.e. "su - accountname"). An ommitted account name will default to "root", which is probably why it's often used in the way you suggest, though while the resulting shell is basically the same as what you would get with "sudo -i" I would personally not use "su -" to become root. Just feels wrong.

      See also "man sudo" and "man su".

      </lecture>

  15. Grease Monkey

    For the apologists.

    Other OSs do it too. So what? Apple and their fans pride themselves on being secure by default. A blank root password is secure by default?

    It requires physical access so it's not a vulnerability. It doesn't matter how often I hear this one it makes me laugh. Somebody with physical access can access all your data and that's not a vulnerability? What exactly do you consider a vulnerability then?

    You can fix it by setting a root password. You shouldn't have to fix it, how the hell does a "secure” OS manage to install without setting a root password?

    It's still more secure than Windows. And? It's not just Apple and Microsoft you know. Neither of the two OS's I'm using these days would allow you to install without setting a password on the root account.

    This simple little fuck up shows that Apple's QC can be truly appalling and their attitude to security is not all its cracked up to be.

    Never mind fanbois, you still have your badge.

    1. Richard 12 Silver badge

      Or remote access

      Remote desktop certainly lets a miscreant in.

      Looking at the description, I'm pretty confident that this also lets in all forms of remote access that use macOS accounts to authenticate.

      1. Dan 55 Silver badge

        Re: Or remote access

        It's a real dumpster fire as they say across the pond.

        The very act of trying to authenticate as root enables the root user if it's disabled and then as there was no password set because it was disabled returns "ok, you've got root".

        I mean, FFS.

    2. Naselus

      In fairness, there don't seem ot be too many apologists for once. Presumably, this is so stupid that even Apple fans cannot think up a way to minimize it.

      1. Anonymous Coward
        Anonymous Coward

        In fairness, there don't seem ot be too many apologists for once. Presumably, this is so stupid that even Apple fans cannot think up a way to minimize it.

        We're also not all "fanbois" or "apologists", but simply people who want desktops to work to an acceptable standard of safety and security, which until now happened to be easiest to achieve by using MacOS based systems. Frankly, I am both appalled and incensed by this and I feel rather let down by Apple that this ever made it past QC.

        I expect more than just the usual silence from Apple on this. It is quite simply unacceptable - there ARE no excuses for this.

    3. Doctor Syntax Silver badge

      "It requires physical access so it's not a vulnerability."

      To be fair it's not necessarily the worst problem you could have if someone has physical access. But if it's also available remotely as commentards have reported it goes to the top of the class.

      Moral - always set a root password - and remember it.

      1. This post has been deleted by its author

    4. bazza Silver badge

      It requires physical access so it's not a vulnerability. It doesn't matter how often I hear this one it makes me laugh. Somebody with physical access can access all your data and that's not a vulnerability? What exactly do you consider a vulnerability then?

      The article has been updated; the trick works from the command line too. So any application that an attacker can get run on the computer can get itself root privileges. So whilst there is no remote vulnerability, it's only one successful social engineering attack away from that.

      Pretty dangerous I think, and that alone justifies the early and global dissemination of the news. Leaving this one to fester in private would have left all users everywhere very vulnerable to malicious software.

    5. Anonymous Coward
      Anonymous Coward

      There's "physical access" and "physical access"

      Sure, if you are alone in a room for a long time with all the needed tools, you can have full physical access, you can disassemble a machine and re-assemble it later, just, if that is one of the glue-assembled ones you need some specific tools and time to take it apart, and put it together again.

      But a bug that needs just a few keystrokes to be exploited, doesn't require much "physical access", you just need a few minutes to type on the keyboard - a very different kind of "physical access".

      And Macs are not usually machines buried deep in some remote server room...

      1. thondwe

        Re: There's "physical access" and "physical access"

        Or there's I've left my laptop on the train, in the conference room while I'm having lunch/coffee...

  16. Phil Endecott Silver badge

    GOTO FAIL;

    1. Wensleydale Cheese
      Happy

      "GOTO FAIL;"

      Now that was cruel.

      Have an upvote. :-)

    2. Adam 1 Silver badge

      I knew there must have been a superfluous GOTO FAIL; in there.

  17. jonnycando

    I configured a root password AGES ago, perhaps way back when MacOS X was a new thing! Really who would fail to do such trivial security work?.........uh........forget I asked..........

    1. NightFox

      Macs are consumer devices. The vast majority of users/owners aren't going to even know what root access is, and nor should they need to.

      "IT people" who look down on users who don't have a professional level of IT knowledge and roll their eyes at them whenever this type of things happen just reinforce the Moss stereotype. A total failure to understand and therefore accommodate the user's average expected level (or lack) of knowledge is also a reason so many issues occur in the first place.

  18. Black Rat
    Devil

    2017 Fail Award

    I think we have a winner

  19. Captain DaFt

    AFK

    I'll read the comments later. ☺

    I'm off to play in the Apple Store! ☺

    Only kidding! Honest! ☺

    1. Anonymous Coward
      Anonymous Coward

      Re: AFK

      You're not one of those who'd go into Dixons and type the magic sequence of peeks and pokes into an Amstrad CPC464 (or whichever one it was, someone out there will know) that would render it a smoking ruin in a few minutes time?

      (It was possible to get two peripherals driving the data bus at the same time - a logic design error. Get one of them trying to write all 0's, and the other all 1's, and you'd made a short circuit from software. Some chip would then get hot enough to let the magic smoke out...).

      1. ta6rma

        Re: AFK

        Dragon 32 I thought?

      2. Børge Nøst

        Re: AFK

        "a smoking ruin in a few minutes time?"

        For real? What chip was sending smoke signals from that? (Never heard about this HCF before.)

  20. cheekybuddha
    Pirate

    You're logging in wrong!

  21. Gordon Pryra

    Possibly one of the worst oversights to date on any flavor of any OS

    Considering the cost of a machine that you need to pay in order to have one that runs High Sierra (MACs are stupidly expensive for the specification) You would think that the manufacturer could engage in some basic testing of security.

    With the numbers of people who own these items, there is no way that this wasn't found on the day of release by someone, and WILL have been used in a malicious manner.

    There is a (good) argument that this OS is not fit for purpose and refunds should be given.

    Luckely most organisations with MACs will also be using active directory or novell for their network infrastructure, and so a user having local admin privileges isn't that big an issue. That said, MAC users tend not to be that technical, claiming artistry over technology, and store all sorts of important stuff locally......

  22. Oflife
    FAIL

    Works for me first time on 10.13.1!

    If you do not click in the password field, you cannot get in, at least I could not even after 3 attempts. But clicking in the Password field and leaving it blank let's me in right away. Oh Apple, really! TC is too focused on matters of the bedroom than product.

  23. J J Carter Silver badge
    Windows

    Other OS are available

    I don't blame Mac owners for installing Windows 10. Secure by design.

  24. Anonymous Coward
    Anonymous Coward

    Absolutely not acceptable

    Honestly, there are no excuses for this. WTF, Apple? WT freaking F?

    Microsoft has at least the decency to hide its problems and make it a bit of a challenge. I have never seen a decent company so dramatically drop the ball in quite some time. Even Microsoft Vista wasn't that exposed from a security angle.

    Whoever was responsable for this cockup, firing is too good for them. At a minimum, this ought to involve tar & feathers.

  25. chivo243 Silver badge
    Meh

    Only if....

    You have enabled root previously. Root account should not be enabled in macOS.

    Consider enabling root to be like jailbreaking or rooting your android. all bets are off? No?

    1. Anonymous Coward
      Anonymous Coward

      Re: Only if....

      This is the thing. There is a root account. Active. With, apparently, no password. Why on earth there hasn't been a randomised one set (as you have sudo access anyway) is not clear to me and I am disappointed that someone at Apple made that mistake. This is NOT trivial, and I expect fairly harsh words and probably a pink slip event as a consequence for one or more people.

  26. Charles Calthrop

    Rooster

    Who was that apple bashing user, named rooster* ?

    I’d love to hear his take on this

  27. wolfetone Silver badge

    Imagine if the space ship in 2001: A Space Oddessy used this version of macOS.

    "I can't let you do that Dave"

    *clicks unlock a few times*

    "OK Dave, here you go."

  28. This post has been deleted by its author

  29. windows 92

    All aboard the fail bus

    I have to agree with some folk here, since Johnnie Ives took over Mac OS it has got steadily worse (I still don't know how he got involved with the Apple with the fail that was the PowerBook G4, maybe Steve liked it's flimsy disposable build quality)....

    iOS has become absolute rubbish under his design leadership, used to love my iPhone, now can't wait to dump it for an Android phone (I don't have to jail break Android to get basic UI features that should be on all UI designers lips...)

    And this 0day root access flaw is just another example of how Apple are not focused correctly...

  30. Naselus

    Simple workaround

    Don't buy a Mac.

    1. the-it-slayer

      Re: Simple workaround

      Better than that (not everyone wants Wobbly Windows); take a pro's advice (I'm not one, but took it anyway); run the previous or 2nd previous major OS version for stability if it's supported and you don't need the latest and greatest features.

      I'm sure El Capitan and Sierra are supported on most Macs that are still in active Apple Support lifecycle.

      1. Eddy Ito Silver badge

        Re: Simple workaround

        Are we certain the previous versions aren't susceptible to the same problem? I often wonder how issues like this pop up suddenly.

      2. Jonathan 27 Bronze badge

        Re: Simple workaround

        If you don't want Windows, Linux is a better option.

        Running old versions of OS isn't really a good option, due to the fact that Apple cuts support very quickly.

  31. Tom 7 Silver badge

    Physical access is a problem

    with a server. I dont know if there is a single installation of the leaky OS on a server anywhere in the world tho. Access to a laptop is normally, to use the technical term, a piece of piss.

  32. Mateus109
    FAIL

    Changing/disabling the root account doesn't work via Directory Utility! You have to use Terminal. OMG, what a fuck-up!

  33. firebits

    Not all installs of High Sierra are affected

    I have checked a dozen mac's with High Sierra version 10.13.1 and not all installs appear to be affected, only 1 out of the 12 has a blank root password. I have reset the root password on all devices anyway however, I am struggling to see why only 1 of the 12 has this condition? Any thoughts other than someone else reset the password?

    1. Peter X

      Re: Not all installs of High Sierra are affected

      ...only 1 out of the 12 has a blank root password. I have reset the root password on all devices anyway however, I am struggling to see why only 1 of the 12 has this condition? Any thoughts other than someone else reset the password?

      Total guess, but perhaps if you've upgraded the OS then you'd have a root password set previously, whereas a fresh install fails because of a bug in the new installer?

      At risk of #whataboutism, there was an issue with Ubuntu way way way back, where the installer stored the root password in a temporary file and then failed to delete it after install. Leaving it world-readable. That, from a technical standpoint, was similarly embarrassing!

      To be fair, it was fixed quickly. And Canonical's entire annual development budget was probably a pittance compared with Apple. But embarrassing bugs are embarrassing. And for some reason I always remember those ones.

      Heh... in many ways, far far worse! ;-)

  34. Max Jalil
    Thumb Up

    Great pic

    #positivefeedback

  35. el kabong Silver badge

    One more aple gadget that fails in use.

  36. adam payne Silver badge

    If you type in "root" as the username, leave the password box blank, hit "enter" and then click on unlock a few times, the prompt disappears and, congrats, you now have admin rights. You can do this from the user login screen, too.

    Wow just wow!

  37. commonsense
    Facepalm

    Reality distortion field

    "However, a member of Apple's support forums had posted details of the flaw more than two weeks ago, though the message appears to suggest the vulnerability could be a useful feature for troubleshooting rather than a critical security threat."

    The force is strong.

  38. John Savard Silver badge

    Bug?

    "If you have configured a root password, the above blank password trick will not work."

    So if root doesn't have a password, you can log on to root without a password. Isn't that how it's supposed to work?

    That doesn't mean there isn't a bug, though - the bug is instead in the procedure for installing the operating system on the computer, which apparently fails to notify the user that having a password on root is recommended.

    Oh, wait, Macintosh computers come with the operating system preinstalled, don't they? But isn't there still some sort of personalization program you go through when you use the computer the first time? That's what should be fixed; being allowed to not have a root password may be a feature that is too risky to leave in, but it isn't really a bug in itself.

    1. Richard 12 Silver badge

      Re: Bug?

      No, what's supposed to happen is that the root account doesn't exist.

      This is a consumer product. The intended users don't even know what root *is*.

  39. MacGuru42
    Happy

    and this is why...

    we advise people NOT to update to the latest and greatest version of macOS until all these problems have been fixed.. and yes, that may mean we keep our customers on 10.12.6 for up to 6 months post release, but this and all the other issue with 10.13 are making look a lot like 10.7 (shudder).

    Better to have a working, stable, supportable release for a production machine, than jumping on the bleeding edge..

  40. petef

    https://twitter.com/petef4/status/935893902397190144

  41. Wisteela
    Mushroom

    Again?

    I forget the version now, but at least one old version allowed you login in as root with no password by just choosing to log in as another user.

  42. andy 103
    FAIL

    It Just Works

    I tried it, and, It Just Works.

  43. Jonathan 27 Bronze badge

    Yet more proof that Apple doesn't care even slightly about security. And they can get away with it. Why? because of low market share and lack of businesses using Mac OS. Seriously, if this was a bug in Windows it would be on the front-page of every news outlet in the country.

    Overall though, this is a symptom of Apple's attitude about Mac OS. They clearly don't care anymore and it leaves me wondering if they're going to discontinue Macs 5-10 years down the line. They keep reducing the product line and updates are coming slower and slower. X-Serve, dead. Mac Pro, 4 years old. Mac Mini 3 years old. iMac 3 years (although a new one is coming 3 years a a huge wait). All tower Macs are dead, and even the laptops miss CPU updates.

  44. Del_Varner

    This is what happens when you have to have a new version of the OS every year, and skimp on the testing to make the deadline. (Someone else has probably already said this)

  45. Joe Gurman

    Patch now available

    https://support.apple.com/en-us/HT208315

    1. JCDenton

      Re: Patch now available

      That was fast. As embarrassing as this bug may be, at least Apple patches severe issues very quickly.

      1. coconuthead

        Re: Patch now available

        Yes, well, it was fast but according to reports it also broke SMB sharing between High Sierra machines.

        The workaround is (drum roll) to use sudo at the command line to run some obscure utility in libexec.

        It seems to me not so much a lack of testing—probably testers would never have thought of that anyway—but someone monkeying around in the code without having a deep understanding of how it works.

        High Sierra was supposed to be a maintenance/performance release, with a new filesystem and window manager. It's hard to see how any of the touted changes could have required messing around with the login logic. Someone needs to put an iron fist down and limit the changes in each release to what's necessary, and in particular to forbid random reimplementations of modules just because they're not in Swift or not yet common to iOS.

  46. Triumphantape

    Sure...

    It's a bug,*eyeball roll* just like the SSH "bug" a few years back.

  47. tempemeaty
    Meh

    ...

    We need a new Apple.

  48. Anonymous Coward
    Anonymous Coward

    Can't believe they were dumb enough to leave the root password blank

    Many years ago when I was a spotty teenager, I hacked into the local university's PR1ME computers because of a similar stupidity. They had SYSTEM (i.e. root) accounts on some of them without a password. Since they didn't have a project (i.e. resources for CPU time, storage, etc.) assigned if you tried logging in as SYSTEM it would immediately log you out - the equivalent of setting the shell to /bin/false on Unix.

    However, when I was exploring I found out about a command called 'arid' - add remote ID - which would enable you to visit the filesystem of another network connected PR1ME from the one you logged into, and you'd have the rights of the remote ID you'd given in 'arid' instead of your own rights. So basically I was SYSTEM on the ones that had a blank password. I was able to use that permission to run the user creation program and create myself a system level account and used the project number of one of their sysadmins who had nearly unlimited resources. That enabled me to login and have ability to do anything I wanted (which really wasn't much, I wasn't causing any damage)

    Took them a while to catch me since I was dialing in and they didn't have caller ID on their PBX. I think at some point I was lazy and logged in to my created account on the same phone call I had logged in to my dad's account instead of disconnecting and redialing like I always did. Their main interest when they caught me was finding out how I did it, and I have to admit I enjoyed seeing the hand hitting forehead moment for the head guy when I told him it was because of there was no password set on some of the system accounts, and he said "but you can't login to them" and I told him about 'arid' :)

  49. mgbrown

    Don't keep your Mac in a Merc

    So things I've learnt this week about security:

    1. Disable remote access

    2. Don't keep your Mac in a Merc http://www.bbc.co.uk/news/uk-england-birmingham-42132689

  50. richard0x4a
    FAIL

    Apple's guidance not quite correct - do not disable the root user!

    Apple's guidance isn't quite correct. They say "you should disable the root user after completing your task". However, if you set a root password, then disable the root user, it resets the password back to blank and reintroduces the vulnerability.

    You need to set a root password, then make sure you leave the root account enabled. Only then do you defeat the vulnerability.

  51. Anonymous Coward
    Anonymous Coward

    Rooted

    Mate!

  52. thetjb

    No no no, its not an epic fail on Apples part, you are just holding it wrong.

  53. Duffaboy
    Trollface

    Any Fanbois posting comments on here

    Nope, Thought not

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019