An open community of Macintosh users, for Macintosh users.


#47053 - 11/28/17 12:39 PM high sierra, everyone's root!
Virtual1 Offline


Registered: 08/04/09
Loc: Iowa
_________________________
I work for the Department of Redundancy Department

#47054 - 11/28/17 03:57 PM Re: high sierra, everyone's root! [Re: Virtual1]
jchuzi Offline


Registered: 08/04/09
Loc: New York State
_________________________
Jon

macOS 10.15.6, iMac Retina 5K 27-inch, late 2014, 3.5 GHz Intel Core i5, 1 TB fusion drive, 16 GB RAM, Epson SureColor P600, Photoshop CC, Lightroom CC, MS Office 365

#47055 - 11/28/17 04:27 PM Re: high sierra, everyone's root! [Re: jchuzi]
pbGuy Offline


Registered: 08/04/09
Loc: Portland, Oregon
iMore provides instructions on setting the root password, which eliminates the issue.

Link: Setting root Password
_________________________
MBP15 i7 (2017) - 1TB PCIe-SSD - 10.15.6, iPhone X & iPadPro 11 WiFi, Watch4

#47056 - 11/29/17 04:42 AM Re: high sierra, everyone's root! [Re: pbGuy]
Pendragon Offline


Registered: 08/04/09
Loc: Georgetown, Texas, USA
Is physical access required or can Remote Access also exploit this vulnerability?
_________________________
Harv
27" i7 iMac (10.13.6), iPhone Xs Max (12.1)

Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

#47057 - 11/29/17 05:57 AM Re: high sierra, everyone's root! [Re: Pendragon]
pbGuy Offline


Registered: 08/04/09
Loc: Portland, Oregon
Good question. ...According to the guy who discovered this issue, physical access is required.

However, Apple details (at the Support Page linked below) that root user is disabled by default; but, if one logs in to one's Mac using an administrator account, one could enable the root user, then log in as the root user to complete a task. ...Again, I'm not sure if this could be done remotely (with administrator login password).

Here's Apple's root PW Instructions

Regardless, setting a root user password (a strong & unique one) would defeat this security issue. (My unique, root PW is a 13 alpha-numeric-character PW I'll never remember; so, I saved it to 1PW.)

I used the "Change root password" method within System Preferences (as iMore detailed wherein they advised keeping "Enable root user" - after setting root password - since subsequently disabling will delete the just-initiated password). Done.


Edited by pbGuy (11/29/17 08:09 AM)
Edit Reason: update about access
_________________________
MBP15 i7 (2017) - 1TB PCIe-SSD - 10.15.6, iPhone X & iPadPro 11 WiFi, Watch4

#47061 - 11/29/17 08:08 AM Re: high sierra, everyone's root! [Re: pbGuy]
jchuzi Offline


Registered: 08/04/09
Loc: New York State
Apple just issued this security update for High Sierra. From the language, I'm not positive that it addresses the root user issue, but it sounds as if it might.
_________________________
Jon

macOS 10.15.6, iMac Retina 5K 27-inch, late 2014, 3.5 GHz Intel Core i5, 1 TB fusion drive, 16 GB RAM, Epson SureColor P600, Photoshop CC, Lightroom CC, MS Office 365

#47062 - 11/29/17 08:23 AM Re: high sierra, everyone's root! [Re: jchuzi]
pbGuy Offline


Registered: 08/04/09
Loc: Portland, Oregon
I just completed the Security Update (no Restart required), available through Mac Apple Store update. My macOS 10.13.1 build did change to that referenced on the Support page.

Thanks for the link. ...And, I found this sentence ("If you require the root user account on your Mac, you will need to re-enable the root user and change the root user's password after this update.") about the Update, interesting as it implies the update resets the "enable root & its password." ....Hmmm.
_________________________
MBP15 i7 (2017) - 1TB PCIe-SSD - 10.15.6, iPhone X & iPadPro 11 WiFi, Watch4

#47066 - 11/29/17 09:01 AM Re: high sierra, everyone's root! [Re: Pendragon]
Virtual1 Offline


Registered: 08/04/09
Loc: Iowa
Originally Posted By: Pendragon
Is physical access required or can Remote Access also exploit this vulnerability?

Basically the problem is that before you "enable the root user", he's already there and enabled because he has to be, but can't authenticate by default if his password is blank, except for this one place that someone forgot to lock down in HS.

It does lead me to wonder though, surely they will find the person ultimately responsible for this, I wonder what will happen to them? What is the penalty for a major embarrassment?
_________________________
I work for the Department of Redundancy Department

#47073 - 11/29/17 10:23 AM Apple to review software practices [Re: Virtual1]
Virtual1 Offline


Registered: 08/04/09
Loc: Iowa
_________________________
I work for the Department of Redundancy Department

#47074 - 11/29/17 10:35 AM Re: high sierra, everyone's root! [Re: pbGuy]
MacManiac Online
Moderator

Registered: 08/04/09
Loc: Paradise....on the central Ore...
Same positive result for the security update here....however, I'm fairly certain that you meant to say that the build for 13.1 did NOT show up after install.

Mine has NO build associated with the Mac OS X 10.13.1 listed under "About This Mac" under the Apple Menu.....

It DID disable the previously enabled root user....and it DID properly test to validate that the previous root bypass issue was resolved....and I was able to re-enable and disable the root user appropriately with both the Terminal and with the Directory Utility.
_________________________
Freedom is never free....thank a Service member today.

#47077 - 11/29/17 10:47 AM Re: high sierra, everyone's root! [Re: MacManiac]
pbGuy Offline


Registered: 08/04/09
Loc: Portland, Oregon
Originally Posted By: MacManiac
...Mine has NO build associated with the Mac OS X 10.13.1 listed under "About This Mac" under the Apple Menu.....


In the "About" window, click on the version number; you'll then see the Build added.

Additionally, you could also use the Sys Info app (Utilities), click on Software. You'll also see the System Version with the Build.
_________________________
MBP15 i7 (2017) - 1TB PCIe-SSD - 10.15.6, iPhone X & iPadPro 11 WiFi, Watch4

#47080 - 11/29/17 03:58 PM Re: high sierra, everyone's root! [Re: pbGuy]
Pendragon Offline


Registered: 08/04/09
Loc: Georgetown, Texas, USA
Apparently, today's Security Fix causes a problem with File Sharing. See this.

FWIW, I ran the fix and it seems to have worked as divined.
_________________________
Harv
27" i7 iMac (10.13.6), iPhone Xs Max (12.1)

Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

#47081 - 11/29/17 08:37 PM Re: high sierra, everyone's root! [Re: Pendragon]
tacit Offline


Registered: 08/03/09
Loc: Portland, Oregon, USA
Originally Posted By: Pendragon
Is physical access required or can Remote Access also exploit this vulnerability?


At first, it appeared that physical access was required. It now appears this is not the case. If a user can be tricked into running a malicious app or shell script, the malicious app or shell script can silently enable the root user and then make any changes whatsoever to the system.

You will still need to trick the user into running malicious code, however.
_________________________
Photo gallery, all about me, and more: www.xeromag.com/franklin.html
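
An added example, not part of any post in this thread: since the root user can be enabled silently, a defender can check whether root has unexpectedly gained a password hash. The function name `classify_root` and the sample records are constructed for illustration, and the reading of the `dscl` output (`Password: *` with no `ShadowHash` entry means root was never enabled) is an assumption about the usual record layout.

```shell
#!/bin/sh
# Classify the root account from the text printed by:
#   dscl . -read /Users/root Password AuthenticationAuthority
# Assumption: a never-enabled root shows "Password: *" and has no
# AuthenticationAuthority value; an enabled root carries a ShadowHash entry.

classify_root() {
    record=$1
    # Extract the value of the Password attribute (first match only).
    pw=$(printf '%s\n' "$record" | sed -n 's/^Password: *//p' | head -n 1)
    if printf '%s\n' "$record" | grep -q ';ShadowHash;'; then
        # Root can authenticate. If nobody enabled it on purpose, investigate.
        echo "enabled-with-password"
    elif [ "$pw" = "*" ]; then
        # No usable credential stored: the expected default state.
        echo "disabled"
    else
        # Anything else does not match either known layout.
        echo "review"
    fi
}

# Constructed sample records (not captured from a real machine).
SAMPLE_DISABLED='Password: *'
SAMPLE_ENABLED='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>
Password: ********'
SAMPLE_ODD='Password: ********'

# On a Mac, classify the live record; elsewhere this step is skipped.
if command -v dscl >/dev/null 2>&1; then
    live=$(dscl . -read /Users/root Password AuthenticationAuthority 2>/dev/null)
    echo "root account: $(classify_root "$live")"
fi
```

On a machine where nobody has deliberately enabled root, any result other than `disabled` is worth following up.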

#47084 - 11/29/17 10:24 PM Re: high sierra, everyone's root! [Re: pbGuy]
MacManiac Online
Moderator

Registered: 08/04/09
Loc: Paradise....on the central Ore...
Thanks for that....I missed the change in how About This Mac delivered info as obviously it no longer shows the build until you click on the version number.
_________________________
Freedom is never free....thank a Service member today.

#47087 - 11/30/17 02:30 AM Re: high sierra, everyone's root! [Re: MacManiac]
jchuzi Offline


Registered: 08/04/09
Loc: New York State
_________________________
Jon

macOS 10.15.6, iMac Retina 5K 27-inch, late 2014, 3.5 GHz Intel Core i5, 1 TB fusion drive, 16 GB RAM, Epson SureColor P600, Photoshop CC, Lightroom CC, MS Office 365

#47088 - 11/30/17 05:57 AM Re: high sierra, everyone's root! [Re: jchuzi]
pbGuy Offline


Registered: 08/04/09
Loc: Portland, Oregon
The update to the SU update is now available. ...Other than correcting the File Sharing issue, the 10.13.1 Build is now 17B1003.
_________________________
MBP15 i7 (2017) - 1TB PCIe-SSD - 10.15.6, iPhone X & iPadPro 11 WiFi, Watch4

#47099 - 11/30/17 10:30 AM found it! [Re: Virtual1]
Virtual1 Offline


Registered: 08/04/09
Loc: Iowa
and this is where it all began, accidentally, WEEKS AGO:

https://forums.developer.apple.com/thread/79235
_________________________
I work for the Department of Redundancy Department

#47100 - 11/30/17 11:31 AM High Sierra [Re: Virtual1]
pbGuy Offline


Registered: 08/04/09
Loc: Portland, Oregon
My 2¢...

While this coding episode should not have occurred and should be / is an embarrassment to Apple, IMHO, I think those using this episode to voice denigrating comments about High Sierra, are a bit over the mark. (I am not implying any posts in this Thread have done so; but, I have read such shortsighted comments elsewhere.)

Apple deserves a knock for allowing both issues (the High Sierra root vulnerability & the subsequent File Share) to get past code quality control.

Apple reacted quickly to fix both; I think that counts for something. ...Other issues will, no doubt, subsequently arise with macOS (& iOS); I have confidence Apple will be responsive in getting those quickly fixed.

I've been using High Sierra from day one. As my MBP has an SSD, I've been using APFS from day one as the upgrade auto converted my drive. ...I've not had any fundamental issues (with Keychain, iCloud, Time Machine, my HS compatible apps, my total system) causing me to even consider rolling back to Sierra. Progress is going forward, not the opposite.

I'm aware some have had certain issues, and FTM is the place to seek help as the active participants are highly knowledgeable & willing to assist. But, again IMHO, I do not believe there are fundamental issues with High Sierra itself, when it's installed on a hardware setup that will effectively and efficiently run High Sierra.
_________________________
MBP15 i7 (2017) - 1TB PCIe-SSD - 10.15.6, iPhone X & iPadPro 11 WiFi, Watch4

#47101 - 11/30/17 12:16 PM Re: High Sierra [Re: pbGuy]
Virtual1 Offline


Registered: 08/04/09
Loc: Iowa
Originally Posted By: pbGuy
Apple deserves a knock for allowing both issues (the High Sierra root vulnerability & the subsequent File Share) to get past code quality control.

And don't forget the file vault storing the password in the hint recently.... there's a reason Apple is calling a meeting with their devs to "discuss recent security".
_________________________
I work for the Department of Redundancy Department


Moderator:  alternaut, dkmarsh, joemikeb