[MacTUG] MacOS High Sierra Security Bug Allows Root Login Without a Password, Here’s a Fix

Mike Patterson mpatterson at uwaterloo.ca
Wed Nov 29 10:33:47 EST 2017


For what it's worth, I was completely unable to replicate this on my out-of-the-box installs of 10.13 until I went into Directory Utility, disabled root, then re-enabled without a password. This experience is far from universal, though; other folks in IST could replicate trivially.

We'll likely be posting something to the notice board advising folks to disable screen sharing, although our external exposure is, as best we can tell so far, nil.

Mike

-- 
Mike Patterson - Manager, Information Security Operations
Information Security Services, University of Waterloo
+1 519-888-4567, x47178 / mike.patterson at uwaterloo.ca
Security Operations Centre x41125 / soc at uwaterloo.ca

> On Nov 29, 2017, at 9:49 AM, Marlon A. Griffith <m3griffi at engmail.uwaterloo.ca> wrote:
> 
> """
> What is the root login bug, and why does it matter?
> How to Prevent Root Login Without a Password in MacOS High Sierra
> * Using Directory Utility to Lock Down Root
> * Using the Command Line to Assign a Root Password
> * How do I know if my Mac is impacted by the password-free root login bug?
> * Does the root login bug impact macOS Sierra, Mac OS X El Capitan, or before?
> 
> http://osxdaily.com/2017/11/28/macos-high-sierra-root-login-without-password-bug/
> """