[MacTUG] MacOS High Sierra Security Bug Allows Root Login Without a Password, Here’s a Fix
Herbert Balagtas
hbalagta at uwaterloo.ca
Wed Nov 29 11:30:16 EST 2017
I’m running 10.13.1 and was able to replicate this; locking down root now. We’ve also found a couple of users who have upgraded to HS, and we are emailing them instructions on how to set the root password or to drop by our helpdesk if they need help doing so.
--
Herbert
On 2017-11-29, 10:34 AM, "mactug-bounces at lists.uwaterloo.ca on behalf of Mike Patterson" <mactug-bounces at lists.uwaterloo.ca on behalf of mpatterson at uwaterloo.ca> wrote:
For what it's worth, I was completely unable to replicate this on my out-of-the-box installs of 10.13 until I went into Directory Utility, disabled root, then re-enabled without a password. This experience is far from universal though; other folks in IST could replicate trivially.
We'll likely be posting something to the notice board advising folks disable screen sharing, although our external exposure is, as best we can tell so far, nil.
Mike
--
Mike Patterson - Manager, Information Security Operations
Information Security Services, University of Waterloo
+1 519-888-4567, x47178 / mike.patterson at uwaterloo.ca
Security Operations Centre x41125 / soc at uwaterloo.ca
> On Nov 29, 2017, at 9:49 AM, Marlon A. Griffith <m3griffi at engmail.uwaterloo.ca> wrote:
>
> """
> What is the root login bug, and why does it matter?
> How to Prevent Root Login Without a Password in MacOS High Sierra
> * Using Directory Utility to Lock Down Root
> * Using the Command Line to Assign a Root Password
> * How do I know if my Mac is impacted by the password-free root login bug?
> * Does the root login bug impact macOS Sierra, Mac OS X El Capitan, or before?
>
> http://osxdaily.com/2017/11/28/macos-high-sierra-root-login-without-password-bug/
> """
> _______________________________________________
> MacTUG mailing list
> MacTUG at lists.uwaterloo.ca
> https://lists.uwaterloo.ca/mailman/listinfo/mactug