How do I protect myself from the root vulnerability in macOS High Sierra?

Edit November 29, 2017:

Apple released a security update today that fixes the issue. It's important to install this update using App Store > Updates. When updated, the build number of macOS will be 17B1002. Here is more information on the update: Security Update 2017-001

When you want to use the root account again, you will need to re-enable the root user and change the root user's password. (See below)


It's mandatory to enable the Root User and to set a strong (and perhaps random) password for the root user. This disables the security bypass. You are now as secure as the root password is unguessable.

Enabling the root user and changing the root password

  1. Choose Apple menu > System Preferences, then click Users & Groups (or Accounts).
  2. Click lock icon, then enter an administrator name and password.
  3. Click Login Options.
  4. Click Join (or Edit).
  5. Click Open Directory Utility.
  6. Click lock icon in the Directory Utility window, then enter an administrator name and password.
  7. From the menu bar in Directory Utility: Choose Edit > Enable Root User, then enter the password that you want to use for the root user.

Apple support article (https://support.apple.com/en-us/HT204012)

Apple's statement

“We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the ‘Change the root password’ section.”

Apple's statement (9to5mac)

If you allow remote login (ssh), you might also want to disable the login shell for the root user if you want to prevent any chance of that password or user logging in to a shell.

/usr/bin/dscl . -create /Users/root UserShell /usr/bin/false

Here's a guide for administrators if they want to secure a fleet of Macs from this. The second link is a handy script to do both actions quite well with error checking.

  • https://derflounder.wordpress.com/2017/11/28/blocking-logins-to-the-root-account-on-macos-high-sierra/
  • https://github.com/rtrouton/rtrouton_scripts/blob/master/rtrouton_scripts/block_root_account_login/block_root_account_login.sh
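
A read-only audit of the two settings discussed in the answers above (the patched build number and the root login shell), as an added example that is not part of the original answers and not the linked script. The function names are this example's own. It assumes High Sierra builds order by letter and then number, and treats anything below 17B1002 as needing the update.

```sh
#!/bin/sh
# Added example: audit one Mac for the build number and root login shell
# discussed above. Function names are this example's own.

PATCHED_BUILD_NUM=1002           # from "17B1002", the build this page cites
SAMPLE_DSCL='UserShell: /bin/sh' # constructed sample of dscl output

# Pull the path out of `dscl . -read /Users/root UserShell` output.
root_shell_from_dscl() {
    printf '%s\n' "$1" | sed -n 's/^UserShell:[[:space:]]*//p'
}

# Succeeds only for the non-login shell set by the dscl command above.
shell_blocks_login() {
    [ "$1" = "/usr/bin/false" ]
}

# Classify a build string such as 17B48 (Darwin major, letter, number).
# Assumption: within major 17, builds order by letter, then by number.
build_status() {
    major=$(printf '%s\n' "$1" | sed -n 's/^\([0-9]\{1,\}\)[A-Z][0-9].*/\1/p')
    letter=$(printf '%s\n' "$1" | sed -n 's/^[0-9]\{1,\}\([A-Z]\)[0-9].*/\1/p')
    num=$(printf '%s\n' "$1" | sed -n 's/^[0-9]\{1,\}[A-Z]\([0-9]\{1,\}\).*/\1/p')
    if [ -z "$major" ] || [ -z "$letter" ] || [ -z "$num" ]; then
        echo unknown; return 0
    fi
    if [ "$major" -ne 17 ]; then echo not-high-sierra; return 0; fi
    case "$letter" in
        A) echo needs-update ;;
        B) if [ "$num" -ge "$PATCHED_BUILD_NUM" ]; then echo updated
           else echo needs-update; fi ;;
        *) echo updated ;;
    esac
}

# Live check; skipped on anything that is not macOS.
if [ "$(uname -s)" = "Darwin" ]; then
    echo "build: $(build_status "$(sw_vers -buildVersion)")"
    root_shell=$(root_shell_from_dscl "$(/usr/bin/dscl . -read /Users/root UserShell)")
    if shell_blocks_login "$root_shell"; then
        echo "root shell: login blocked"
    else
        echo "root shell: $root_shell (login possible if root is enabled)"
    fi
fi
```

The script changes nothing on the machine, so it can run without administrator rights as a reporting step across a fleet.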

Run a software update from the App Store. Apple released a security update this morning.

  • About the security content of Security Update 2017-001

  • Apple security updates


Apple just released an update to fix the issue.

Security Update 2017-001 https://support.apple.com/en-us/HT208315

Also, to prevent unauthorized access to your Mac computers, you should enable the root user account and set a password specifically for the root user.

https://support.apple.com/en-ph/HT204012

If your root user account is active already, make sure that you change the password just to make sure that the blank password vulnerability isn't set.