Securing the root user on macOS High Sierra
Photo by Luca Bravo on Unsplash
Update: Apple has released an update that fixes this security vulnerability. See https://support.apple.com/en-us/HT208315 for more information.
A developer in Turkey recently tweeted about a significant security vulnerability in macOS High Sierra
For those who don’t know, the “root” user exists on all Mac and Linux boxes and is the ultimate super user. There’s nothing that root cannot do. Getting access to the root user is considered the ultimate goal when trying to compromise a computer, whether that’s locally or remotely through the Internet or local intranet. Getting unauthorized access to the root user is a bad, bad thing.
As such, our first thought was no, that can’t possible be true, but sure enough it was as trivially reproducible given the steps provided in the tweet. Even worse, it’s possible to sign in as root from the login screen with no password whatsoever (you’ll end up logged in as “System Administrator”)! How could such a thing happen?
Well I don’t have an answer for how but we were able to figure out what is happening. By default the root account is supposed to be disabled, but by default the root user also has a blank password. For some reason, the system is first enabling the root user (which is supposed to be disabled by default) then doing a password check. With no set password, submitting a blank password matches and you’re in.
There is an easy fix: set the root user’s password. There are two ways of going about this, the command line via Terminal, iTerm, and the like, or through the Directory Utility tool.
On the command line, you can set your computer’s root password thus:
sudo passwd -u root
This will first ask you for your current account password (as with any use of
sudo or an installer). Then you’ll be asked to enter a new password twice.
Alternatively, in Directory Utility, you’ll need to unlock administrator changes (which can be done with “root” and no password here too!):
Once unlocked, go to Edit and Change Root Password. Enter in the new password twice.
Disabling the root account will not close this hole because the system insists on re-enabling the account as soon as a log in as “root” is attempted.
With an explicit password set, you’re now protected against this vulnerability.