Apple - How do I protect myself from the root vulnerability in macOS High Sierra?
Edit November 29, 2017:
Apple released a security update today that fixes the issue. It's important to install this update using App Store > Updates. When updated, the build number of macOS will be 17B1002. Here is more information on the update: Security Update 2017-001
When you want to use the root account again, you will need to re-enable the root user and change the root user's password. (See below)
It's mandatory to enable the Root User and to set a strong (and perhaps random) password for the root user. This disables the security bypass. You are now as secure as the root password is unguessable.
Enabling the root user and changing the root password
- Choose Apple menu > System Preferences, then click Users & Groups (or Accounts).
- Click the lock icon, then enter an administrator name and password.
- Click Login Options.
- Click Join (or Edit).
- Click Open Directory Utility.
- Click the lock icon in the Directory Utility window, then enter an administrator name and password.
- From the menu bar in Directory Utility: Choose Edit > Enable Root User, then enter the password that you want to use for the root user.
Apple support article (https://support.apple.com/en-us/HT204012)
Apple's statement
“We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the ‘Change the root password’ section.”
Apple's statement (9to5mac)
If you allow remote login (ssh), you might also want to disable the login shell for the root user if you want to prevent any chance of that password or user logging in to a shell.
/usr/bin/dscl . -create /Users/root UserShell /usr/bin/false
Here's a guide for administrators if they want to secure a fleet of Macs from this. The second link is a handy script to do both actions quite well with error checking.
- https://derflounder.wordpress.com/2017/11/28/blocking-logins-to-the-root-account-on-macos-high-sierra/
- https://github.com/rtrouton/rtrouton_scripts/blob/master/rtrouton_scripts/block_root_account_login/block_root_account_login.sh
Run a software update from the App Store. Apple released a security update this morning.
About the security content of Security Update 2017-001
Apple security updates
Update:
Apple released a security update to all Macs running macOS High Sierra on 28 November, available in the App Store. To install it, follow these steps:
- Open the App Store.
- Navigate to Updates in the top bar.
- At the very top of the page, you should see an update that looks something like this:
If you cannot access the App Store for whatever reason, you can download the security update from Apple's website here.
- Click Update - there's no restart required for this update so it is recommended you install it immediately.
You can learn more about security update 2017-001 here
To check and see if your Mac has installed the patch, navigate to Apple menu > About this Mac. Click the version number. If the number in parentheses is 17B1002 or higher, your computer is safe from this vulnerability.
If you need the root user on your computer, you will need to re-enable it.
All you need to do to protect yourself from this vulnerability at this moment is change the root account's password.
Changing the root password
- Open Terminal with an administrator account
- Type the following into the terminal:
sudo passwd -u root
- Create a new, secure password. It is suggested to use numbers, capital and lowercase letters, and symbols.
- That's it!
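
For checking the "17B1002 or higher" rule on many Macs from Terminal, here is an added example; it is not part of the answers above or of the linked rtrouton script. The function names are hypothetical, the build-string format is an assumption stated in the comments, and `sw_vers -buildVersion` and `dscl . -read` are the standard macOS commands.

```shell
#!/bin/sh
# Added example (not from the original answers). Runs in sh and macOS bash.
PATCHED_BUILD="17B1002"   # patched build number given on this page

# split_build BUILD: print "major letter number" for builds such as 17B48.
# Assumption: format is digits, one capital letter, digits, optional
# lowercase suffix. Prints nothing when the string does not match.
split_build() {
    printf '%s\n' "$1" |
        sed -n 's/^\([0-9][0-9]*\)\([A-Z]\)\([0-9][0-9]*\)[a-z]*$/\1 \2 \3/p'
}

# build_at_least BUILD MINIMUM: return 0 if BUILD >= MINIMUM, 1 if it is
# lower, 2 if either string cannot be parsed.
build_at_least() {
    a=$(split_build "$1"); b=$(split_build "$2")
    [ -n "$a" ] && [ -n "$b" ] || return 2
    set -- $a $b    # $1 $2 $3 = BUILD parts, $4 $5 $6 = MINIMUM parts
    [ "$1" -gt "$4" ] && return 0; [ "$1" -lt "$4" ] && return 1
    la=$(printf '%d' "'$2"); lb=$(printf '%d' "'$5")   # letters as ASCII codes
    [ "$la" -gt "$lb" ] && return 0; [ "$la" -lt "$lb" ] && return 1
    # Same major and letter: compare the trailing number as an integer.
    # A string comparison would wrongly rank 17B48 above 17B1002.
    [ "$3" -ge "$6" ]
}

# root_bypass_status BUILD: print patched, needs-update or unknown.
root_bypass_status() {
    if build_at_least "$1" "$PATCHED_BUILD"; then
        echo patched
    else
        case $? in 1) echo needs-update ;; *) echo unknown ;; esac
    fi
}

# On a Mac, report this machine's build and root's login shell.
if command -v sw_vers >/dev/null 2>&1; then
    build=$(sw_vers -buildVersion)
    echo "build $build: $(root_bypass_status "$build")"
    # /usr/bin/false here means root cannot get a login shell
    dscl . -read /Users/root UserShell
fi
```
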