Right, this isn’t a good day for Apple.
As first reported on Twitter by Lemi Orhan Ergin, you can bypass just about any security dialog on macOS High Sierra (10.13) by using the root user without a password.
You can try it if you go to the Users & Groups settings screen and click the lock at the bottom. Use the user root and click Unlock several times; you’ll eventually bypass the dialog and be granted root privileges.
I’d be very curious to know the technical reasons why this was possible in the first place.
Update: be sure to disable the root user after testing
Turns out, testing this actually creates a root user without a password in the background! Make sure to disable the root user in System Preferences to prevent this from getting any worse than it already is.
For a quick workaround, set a non-default (aka: anything) password on the root user via the terminal.
Once a password has been set, it won’t change to an empty value anymore.
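An added example (not from the original post) of a defender-side check for the workaround above: it classifies the root account as enabled or disabled from the output of `dscl`, and points at the two fixes, setting a real password or disabling root again. It assumes that `dscl . -read /Users/root Password` prints `Password: *` while root is disabled and `Password: ********` once it has been enabled; the helper names are mine.

```shell
#!/bin/sh
# Audit whether the macOS root account is enabled. Assumed dscl output:
#   "Password: *"         -> root disabled (the default state)
#   "Password: ********"  -> root enabled (a password hash is stored)

# Classify root state from the text of `dscl . -read /Users/root Password`.
# Prints one of: disabled, enabled, unknown. The "********" pattern must be
# tested first, because the single-star pattern would match it as well.
root_state_from_dscl() {
  case "$1" in
    *"Password: ********"*) echo enabled ;;
    *"Password: *"*)        echo disabled ;;
    *)                      echo unknown ;;
  esac
}

# Recommended action per state: an enabled root must carry a non-empty
# password (the post's workaround) or be disabled again.
advice_for_state() {
  case "$1" in
    enabled)  echo "root is enabled: run 'sudo passwd root' to set a password, or 'sudo dsenableroot -d' to disable root" ;;
    disabled) echo "root is disabled (expected default)" ;;
    *)        echo "could not determine root state; inspect 'dscl . -read /Users/root' manually" ;;
  esac
}

# Run the live check; returns non-zero when root is not in the disabled state,
# so the script can be used from a fleet audit or a cron job.
audit_root_account() {
  out=$(dscl . -read /Users/root Password 2>&1)
  state=$(root_state_from_dscl "$out")
  echo "root account state: $state"
  advice_for_state "$state"
  [ "$state" = disabled ] || return 1
}

# Only touch the directory service where dscl exists (i.e. on a Mac).
if command -v dscl >/dev/null 2>&1; then
  audit_root_account
fi
```

On a Mac the script exits non-zero whenever root is enabled, which is the state the bug silently leaves behind after a single test of the dialog.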
Also applicable to Remote Management
If you’ve enabled Remote Management, anyone can log into your Mac using the root user with an empty password.
Woops.
Responsible disclosure?
This issue was first reported on Twitter and is now getting widespread traction. This isn’t exactly a good way to disclose security issues, but I’m willing to bet the reporter perhaps didn’t think it would go this far in the media?
There’s an entire KB about reporting security issues to Apple, if someone ever feels the need to report similar security bugs.
The user account named "root" is a superuser with read and write privileges to more areas of the system, including files in other macOS user accounts. The root user is disabled by default. If you can log in to your Mac with an administrator account, you can enable the root user, then log in as the root user to complete your task.
The root user account is not intended for routine use. Its privileges allow changes to files that are required by your Mac. To undo such changes, you might need to reinstall your system software. You should disable the root user after completing your task.
It's safer to use the sudo command in Terminal instead of enabling the root user. To learn about sudo, open the Terminal app and enter man sudo.
Enable or disable the root user
- Choose Apple menu > System Preferences, then click Users & Groups (or Accounts).
- Click the lock icon, then enter an administrator name and password.
- Click Login Options.
- Click Join (or Edit).
- Click Open Directory Utility.
- Click the lock icon in the Directory Utility window, then enter an administrator name and password.
- From the menu bar in Directory Utility:
  - Choose Edit > Enable Root User, then enter the password that you want to use for the root user.
  - Or choose Edit > Disable Root User.
Log in as the root user
When the root user is enabled, you have the privileges of the root user only while logged in as the root user.
- Choose Apple menu > Log Out to log out of your current user account.
- At the login window, log in with the user name "root" and the password you created for the root user.
  If the login window is a list of users, click Other, then log in.
Remember to disable the root user after completing your task.
Change the root password
- Choose Apple menu > System Preferences, then click Users & Groups (or Accounts).
- Click the lock icon, then enter an administrator name and password.
- Click Login Options.
- Click Join (or Edit).
- Click Open Directory Utility.
- Click the lock icon in the Directory Utility window, then enter an administrator name and password.
- From the menu bar in Directory Utility, choose Edit > Change Root Password…
- Enter a root password when prompted.