Welcome to our tutorial article explaining how to deal with the 'root access flaw' discovered in macOS High Sierra. The latest development is that Apple's fix for the problem disappears (temporarily) if you upgrade from macOS 10.13 to 10.13.1 - click here to read about that situation.
A flaw in macOS High Sierra was discovered on Tuesday 28 November 2017 that allows root access to a Mac without the need for a password. This means that all anyone needs to do to adjust settings on your Mac is to enter root as the user name - no password is required.
For example, the user could access your Security & Privacy settings in System Preferences, enter root as User Name, without any need for a password, and gain all the administrator rights. Allowing them to change the user password, change your settings for downloading applications, access keychain data, and more.
The first time they attempt to log in, it won't work. But if they keep trying eventually they will be granted access.
They would, of course, need to have access to your Mac to log in as root. So this may not be a concern for you if there is no change of someone with malicious intentions accessing your Mac (beware that someone could already have gained access to your Mac remotely and under those circumstances this would allow them to access your settings, but that's not very likely).
Our colleagues at Macworld US tried using Root to log into a MacBook Pro running macOS High Sierra 10.13.1, and the root login worked. See their video below.
Our reporter noted that the issue only seemed to work after they had are logged into the Mac under a different user name, though.
A hacker can't use root and no password at the Mac's user login screen that appears at startup. This hack only works once you are logged on to your Mac (which you will obviously have a strong password set up for - if not, here's how to choose a strong password).
When we tried using root ourselves it took six attempts before root was accepted.
Apple promptly issued a statement confirming that it was working on a fix: "We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorised access to your Mac. To enable the Root User and set a password, please follow the instructions here. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the 'Change the root password' section."
We said that Apple was likely to issue a fix for the flaw within a few days, and sure enough the company rolled out a patch within 24 hours of the issue being highlighted.
"When our security engineers became aware of the issue Tuesday afternoon, we immediately began working on an update that closes this security hole," Apple said. "This morning [Wed 29th Nov], as of 8:00 am, the update is available for download and starting later today it will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra."
Needless to say we recommend updating to avail yourself of this patch: more details here. (You'll find more information about the latest version of MacOS here.) However, the Guardian has noticed that this patch appears to create a problem in turn: it prevents some users from connecting to file shares.
Security Update 2017-001
Apple issued Security Update 2017-001 for macOS High Sierra 10.13 and macOS High Sierra 10.13.1 on 29 November.
The security update addressed the root bug issue where an attacker could bypass administrator authentication without supplying the administrator’s password, according to Apple's accompanying notes.
Apple also notes that if you recently updated from macOS High Sierra 10.13 to 10.13.1, you should reboot your Mac to make sure the Security Update is applied properly.
Apple offers this guide for those who wish to confirm that their Mac has Security Update 2017-001:
- Open the Terminal app, which is in the Utilities folder of your Applications folder.
- Type what /usr/libexec/opendirectoryd and press Return.
- If Security Update 2017-001 was installed successfully, you will see one of these project version numbers:
- opendirectoryd-483.1.5 on macOS High Sierra 10.13
- opendirectoryd-483.20.7 on macOS High Sierra 10.13.1
Apple issued this apology for the problem: "Security is a top priority for every Apple product and regrettably we stumbled with this release of macOS... We greatly regret this error and we apologise to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development process to help prevent this from happening again."
Following on from the file share issue mentioned above, a further problem has been discovered with Apple's security fix: it reverts if the user upgrades their machine to macOS 10.13.1. Once the update process is complete, your Mac is again vulnerable to the root access flaw.
This isn't a catastrophic problem, because the reversion is itself reverted the next time you reboot the Mac - the fix comes back and you're safe from hacking. But some of us tend not to reboot very often; so it's worth making sure you've run a reboot since updating.
Apple has acknowledged this issue by updating its advice page on the fix, so that it now says: "If you recently updated from macOS High Sierra 10.13 to 10.13.1, reboot your Mac to make sure the Security Update is applied properly."
Apple has since issued macOS High Sierra 10.13.2.
How to fix the root security issue yourself
Apple's fix should sort the problem, but if for some reason you are unable or unwilling to install this, the following method should fix the issue manually:
- Open the Finder.
- Click on Go > Go to Folder.
- Type: /System/Library/CoreServices/Applications/ in the text box.
- Click Go.
- Open Spotlight by pressing Command+Space.
- Search for the Directory Utility app and open it.
- Click on the lock icon so you can make changes.
- Enter your name and password in the pop-up window.
- Click Modify Configuration.
- Click on Edit.
- Select Change Root Password.
- Enter your new password and verify it.
- Click OK.
- Now click the lock again to lock it so no more changes can be made.
- Quick Directory Utility.
Now if anyone tries to log on as root they will need to enter a password.
Read more of our Mac security tips here. Plus find out about other ways you can protect your Mac from malware and hackers.