[MacTUG] MacOS High Sierra Security Bug Allows Root Login Without a Password, Here’s a Fix

Herbert Balagtas hbalagta at uwaterloo.ca
Wed Nov 29 11:30:16 EST 2017


I’m running 10.13.1 and was able to replicate this; locking down root now. We’ve also found a couple of users who have upgraded to HS, and we are emailing them instructions on how to set the root password or to drop by our helpdesk if they need help doing so.

-- 
 
Herbert

On 2017-11-29, 10:34 AM, "mactug-bounces at lists.uwaterloo.ca on behalf of Mike Patterson" <mactug-bounces at lists.uwaterloo.ca on behalf of mpatterson at uwaterloo.ca> wrote:

    For what it's worth, I was completely unable to replicate this on my out-of-the-box installs of 10.13 until I went into Directory Utility, disabled root, then re-enabled without a password. This experience is far from universal, though; other folks in IST could replicate trivially.
    
    We'll likely be posting something to the notice board advising folks to disable screen sharing, although our external exposure is, as best we can tell so far, nil.
    
    Mike
    
    -- 
    Mike Patterson - Manager, Information Security Operations
    Information Security Services, University of Waterloo
    +1 519-888-4567, x47178 / mike.patterson at uwaterloo.ca
    Security Operations Centre x41125 / soc at uwaterloo.ca
    
    > On Nov 29, 2017, at 9:49 AM, Marlon A. Griffith <m3griffi at engmail.uwaterloo.ca> wrote:
    > 
    > """
    > What is the root login bug, and why does it matter?
    > How to Prevent Root Login Without a Password in MacOS High Sierra
    > * Using Directory Utility to Lock Down Root
    > * Using the Command Line to Assign a Root Password
    > * How do I know if my Mac is impacted by the password-free root login bug?
    > * Does the root login bug impact macOS Sierra, Mac OS X El Capitan, or before?
    > 
    > http://osxdaily.com/2017/11/28/macos-high-sierra-root-login-without-password-bug/
    > """
    > _______________________________________________
    > MacTUG mailing list
    > MacTUG at lists.uwaterloo.ca
    > https://lists.uwaterloo.ca/mailman/listinfo/mactug
    
    
    



