How do I disable or remove the root account created as a side effect from this High Sierra security bug?
Patch available, click here, or just update on the machine
Interestingly enough there is no patch for the beta and developer versions of OSX yet as far as I know. I'll update this answer as soon as I hear of them.
Download the patch above. Leaving the rest of the post for history :-)
The CVE is CVE-2017-13872 and NIST will update the analysis in the near future.
Original answer, relevant without patch
First off, do not disable the root account via the GUI; having a "disabled" root account is the cause of the problem.
You shall enable the root user and give it a password. This is important, since the vulnerability is available remotely as well, via VNC and Apple Remote Desktop (to name a few) (another source).
There are two basic ways to do this; GUI and terminal.
First off, GUI
To enable the root account, go to "Directory Utility", i.e. cmd + space and search. Press the lock to unlock "admin mode", then enable the root account through Edit -> "Enable Root User".
It should ask for a root password, for now enter your normal password (so you don't forget it). If it doesn't ask for a password, use Edit -> "Change Root Password..." above.
Terminal
If you are more of a terminal person, use the below:
sudo passwd -u root
## Enter passwords as needed....
## (if you are using the terminal you should know what you are doing...)
This is enough with a terminal. The problem with the GUI way is that we have to enable the account to set a password, which we don't have to do with the terminal.
Notes
Even if you have a password set for the root account, your computer will become vulnerable if you disable the root account. The action of disabling the root account seems to be the culprit. So I repeat, the root user should be enabled and have a password if using the GUI, whilst via terminal only using `passwd` is "ok" (although this state is unreachable via only the GUI). It seems that the "Disable Root User" in "Directory Utility" removes the password for the root account, in a sense giving you a password-less root account which is vulnerable.
It seems like trying to log in with "root" in a system's login window enables the root account if it was disabled previously. I.e. with a disabled root account you need to enter root twice in a system's login window to gain root access, and (according to my testing) on the first try the root account is enabled (with no password if not set via `passwd`), and on the second try you go through.
It seems that the issue has been in the open since at least 2017-11-13 (13th of November), when it was mentioned in the Apple support forum.
Please prove me wrong, I would really appreciate to be wrong right now.
Scary update
After enabling the passwordless root account (i.e. through the system preferences panel and clicking a "lock" and entering "root" with blank password one, two or three times (number of times depends on initial state)) it is possible to log on to the computer from the main login screen using "root" and a blank password (!). SSH / Telnet does not seem to work, but Apple Remote Desktop, Screen Sharing and VNC are vulnerable.
So for network admins it might be of interest to temporarily drop packets to the following ports:
- 5900-5905 (ish, to be ninja safe) to get the most common VNC ports. VNC starts at 5900 by default and enumerates upwards if you are using multiple displays (uncommon though). Screen Sharing and Apple Remote Desktop also seem to use these ports (list of Apple software ports)
- 3283 and 5988 for Apple Remote Desktop (list of Apple software ports)
Additional reading:
A valiant attempt to reference other sources dealing with the issue. Do edit and update my answer if you have more.
- Hackernews article
- Arstechnica article
- Techcrunch article
- Objective-See blog explaining the fault (I haven't updated this answer to fully match the technical explanation, will do that tonight, but it is close enough for a layman)
- MITRE page for CVE
- NIST entry for CVE
- The original entry from 2017-11-13 in Apple developer forums (since 2017-11-30 removed by Apple)
- Google cache link to original entry in Apple developer forums (since 2017-12-01 removed from Google cache)
- Screenshot of the above forum post by chethan177:
If you can't install the official patch or don't want to trust that it worked, then:
You don't want to disable the root user on High Sierra only.
To secure your Mac, enable root with a long, secure password.
We are not changing this at work until the next full point release is out for macOS which would likely be 10.13.2
Unless you take action, the root user is disabled out of the box, and this is bad if your Mac isn't patched correctly.
If you want, optionally harden the shell until Apple has an official patch or fix.
Here is a great script to set a random root password and change / set the root shell to /usr/bin/false
so that even if the password is guessed, the root shell can't log in:
- https://github.com/rtrouton/rtrouton_scripts/blob/master/rtrouton_scripts/block_root_account_login/block_root_account_login.sh
It basically does three key things:
# generate a random 32-byte, base64-encoded root password
rootpassword=$(openssl rand -base64 32)
# set that password on the root account
/usr/bin/dscl . -passwd /Users/root "$rootpassword"
# point the root shell at /usr/bin/false so root cannot get a login shell
/usr/bin/dscl . -create /Users/root UserShell /usr/bin/false
The UserShell create is for when the shell is not set; the full script checks for an existing shell and -changes it instead of -creating it.
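The same hardening as a small POSIX sh script, written as an added example for this page (it is not the original answer's commands nor rtrouton's script): it sets a random root password from the terminal, as the first answer's terminal section recommends, and then applies the -create vs -change decision the three dscl lines above describe. The dscl binary is read from a DSCL variable (assumed; defaults to /usr/bin/dscl) so the decision logic can be exercised against a stand-in tool without touching a real directory. On a real Mac it must run as root with --apply.

```shell
#!/bin/sh
# Added example: harden the High Sierra root account (random password, no login shell).
# Assumption: DSCL names a dscl-compatible tool; the default is the real /usr/bin/dscl.
DSCL="${DSCL:-/usr/bin/dscl}"

# Random 32-character alphanumeric password; works on macOS and Linux without openssl.
gen_root_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 32
}

# Prints "change" if root already has a UserShell attribute, otherwise "create".
# dscl -read exits non-zero when the attribute is missing, which is what we key on.
shell_action() {
    if "$DSCL" . -read /Users/root UserShell >/dev/null 2>&1; then
        echo change
    else
        echo create
    fi
}

# Sets a fresh random password on root and forces its shell to /usr/bin/false.
# Prints the password once on success so it can be stored; returns 1 on any failure.
harden_root() {
    pw=$(gen_root_password)
    [ "${#pw}" -eq 32 ] || return 1
    "$DSCL" . -passwd /Users/root "$pw" || return 1
    case $(shell_action) in
        create)
            "$DSCL" . -create /Users/root UserShell /usr/bin/false || return 1 ;;
        change)
            # -change needs the old value: "UserShell: /bin/sh" -> "/bin/sh"
            current=$("$DSCL" . -read /Users/root UserShell | awk '{print $2}')
            "$DSCL" . -change /Users/root UserShell "$current" /usr/bin/false || return 1 ;;
    esac
    echo "$pw"
}

# Only touch the directory when explicitly asked and running as root.
if [ "${1:-}" = "--apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    harden_root
fi
```

Run it as `sudo sh harden_root.sh --apply` and record the printed password; root stays enabled (so the disabled-account bug does not apply) but cannot obtain a login shell even if the password leaks. Note this does not stop a VNC or Screen Sharing session, which does not go through the login shell, so the password strength is still what protects those paths.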