Archive for November 28, 2017

Blocking logins to the root account on macOS High Sierra

November 28, 2017 7 comments

A security vulnerability was discovered in macOS High Sierra today, where you could enable and log into the root account without providing a password.

Update 11-29-2017: Apple has released Security Update 2017-001 to fix this issue. Please install this update as soon as possible.

Update 11-30-2017: Apple is now automatically installing Security Update 2017-001 on vulnerable Macs.

To address this this issue until Apple releases an update to fix it, there’s two steps you can take which will block logins to the root account:

  1. Set a password for the root account on your Mac
  2. Change the root’s account’s login shell to /usr/bin/false

When you set the root account’s login shell to /usr/bin/false, the shell is changed to point to a command that does nothing except return a status code which reports an error. The login process will interpret that error status code as being a failed login, so it will stop the login process at that point and prompt for the password again.

Since the login process will always receive the error code from the false command, the login process will never succeed. For more details, see below the jump.

Read more…

Categories: Mac administration, macOS
%d bloggers like this: