Blocking logins to the root account on macOS High Sierra

A security vulnerability was discovered in macOS High Sierra today, where you could enable and log into the root account without providing a password.

Dear @AppleSupport, we noticed a *HUGE* security issue at MacOS High Sierra. Anyone can login as "root" with empty password after clicking on login button several times. Are you aware of it @Apple?

— Lemi Orhan Ergin (@lemiorhan) November 28, 2017

---

Update 11-29-2017: Apple has released Security Update 2017-001 to fix this issue. Please install this update as soon as possible.

---

---

Update 11-30-2017: Apple is now automatically installing Security Update 2017-001 on vulnerable Macs.

---

To address this this issue until Apple releases an update to fix it, there’s two steps you can take which will block logins to the root account:

1. Set a password for the root account on your Mac
2. Change the root’s account’s login shell to /usr/bin/false

When you set the root account’s login shell to /usr/bin/false, the shell is changed to point to a command that does nothing except return a status code which reports an error. The login process will interpret that error status code as being a failed login, so it will stop the login process at that point and prompt for the password again.

Since the login process will always receive the error code from the false command, the login process will never succeed. For more details, see below the jump.

Read more…