Preventing macOS root access

A huge security issue in macOS High Sierra has just been revealed on Twitter by Lemi Orhan Ergin:

Dear @AppleSupport, we noticed a *HUGE* security issue at MacOS High Sierra.
Anyone can login as "root" with empty password after clicking on login button several times.
Are you aware of it @Apple?

I've been able to confirm this on my machine.
This issue occurs when you try to unlock a secure preferences item from the System Preferences app.

This is really bad, as it allows someone with a physical access to the machine to alter any system setting, like changing user passwords, adding admin users, or even decrypting FileVault volumes.

I hope Apple will react soon, providing an update, but in the meantime, here's a simple way to prevent this issue:

Open a new Finder window, and navigate to the /System/Library/CoreServices/Applications directory.
Here you will find an app named Directory

Open it, and unlock it by using the lock icon at the bottom-left of the window.

Directory Utility

Then, from the application's Edit menu, choose Enable root user.

Directory Utility Menu

This will allow you to set a password for the macOS root user.
At this point, the security issue will no longer happen.


10/13/2017 11:30
Thank you, needed to quickly lock up root access as per all exploits that were released in the last few weeks.
now am calm. breathe in . . breathe out :)

Preventing macOS root access

Jean-David Gadina
11/26/2017 21:40
Copyright © Jean-David Gadina
This article is published under the terms of the FreeBSD Documentation License.