Thoughtful, detailed coverage of everything Apple for 34 years
and the TidBITS Content Network for Apple professionals

High Sierra Bug Provides Full Root Access

[Update: Apple quickly released Security Update 2017-001 to fix this bug. Read our current coverage at “Apple Pushes Updates to Block the Root Vulnerability Bug” (30 November 2017).]

You can expect a macOS 10.13 High Sierra update or security update in the next few days. That’s because developer Lemi Orhan Ergin has revealed a serious security vulnerability in High Sierra (10.13.0 and 10.13.1) that anyone who can reach an authentication prompt can exploit to gain full admin privileges and access to the root account on your Mac. 10.12 Sierra is not vulnerable to this bug, and I doubt earlier versions of OS X are either.

Many people have confirmed Ergin’s discovery, and if you’re running High Sierra, you can check it yourself. Just open System Preferences > Security & Privacy and click the lock button at the bottom of the window. In the User Name field, enter root and leave the password field blank. Press Return or click the Unlock button a few times — I’ve seen it both accept on the first try and require a couple of additional tries. But it will unlock eventually. The retries are not random: the root account ships disabled with no password set, and the first failed attempt against it causes the directory service to enable root with the password you supplied, which is blank. The next attempt is then a valid login. Note that checking this way is not harmless; once it succeeds, root is enabled on that Mac with an empty password until you change it.

That’s not all. If your Mac displays the name and password fields on the login window, instead of a list of users, you can also log into the entire Mac as root, without a password. If you do that, High Sierra promptly enables the root account, which then shows up as a user called System Administrator with a home folder located in /private/var/root. That is the full Unix root account, which has superuser privileges that enable it to see and modify any file in any account.

Wait, it gets worse. I’ve confirmed that if you have Screen Sharing (or Remote Management) enabled in System Preferences > Sharing, someone can connect to your Mac over the local network or, depending on your Internet setup, the outside world. I did this from a guest account on my MacBook Air and ended up at a login window on my iMac, from which I was able to click the Other button, enter root and no password in the appropriate fields, and create a root user account on my iMac.

The practical upshot is that anyone who has local or network access to your Mac can log in and access all files with impunity. If you have FileVault enabled, you’re in somewhat better shape, since the pre-boot FileVault unlock screen lists only FileVault-enabled users and won’t accept root. That protection ends once the disk is unlocked, though: the login window after a logout, the Security & Privacy lock, and Screen Sharing all still accept root with no password on a running Mac.

The reason this shouldn’t work is that the root user isn’t supposed to be enabled: macOS ships with root disabled and with no password set, and a login attempt against a disabled account should simply fail rather than enable it. The workaround is to give root a real password, so that there is nothing for the bug to “set.” That requires a few steps:

  1. Activate Spotlight by clicking the magnifying glass in the right corner of the menu bar or pressing Command-Space.

  2. Enter Directory Utility and press Return to launch it. (If you want to navigate to it manually, it’s in /System/Library/CoreServices/Applications.)

  3. Click the lock icon in Directory Utility’s window and authenticate. Yes, using root with no password works here too.

  4. Choose Edit > Change Root Password and enter a new, non-trivial password. If Change Root Password is grayed out, you may have to choose Edit > Enable Root User first. In another lapse, Directory Utility lets you set the root password to blank — just leave both fields empty and click OK. Apple should at least prompt here to make sure that’s what you want.

  5. If you don’t need remote access, consider disabling Screen Sharing or Remote Management in the Sharing preference pane as well.
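The same check and fix can be done from Terminal, which is handy for a fleet or for verifying that the Directory Utility steps above actually took. The script below is an added example written for this article, not code from Apple or from the original report. It reads root’s AuthenticationAuthority attribute with dscl (the ;DisabledUser; tag is what dsenableroot -d and Directory Utility’s Disable Root User add) and, with --fix, sets a root password via the interactive passwd prompt. The two SAMPLE_* strings are constructed to resemble that attribute on a disabled and an enabled account and are used only when dscl is not available; the hash-list details in them are assumed, not copied from a real Mac.

```shell
#!/bin/sh
# Added example (not from the article or Apple): detect whether the local root
# account is in the disabled, password-less state the High Sierra bug exploits,
# and optionally set a root password. Run as: sh root_check.sh [--fix]
set -u

# Constructed sample attribute values; hash-list contents are an assumption.
SAMPLE_DISABLED='AuthenticationAuthority: ;DisabledUser;;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'
SAMPLE_ENABLED='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'

# Return 0 when the attribute marks the account as disabled (;DisabledUser;).
root_is_disabled() {
    case "$1" in
        *';DisabledUser;'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the live attribute on macOS; print nothing where dscl does not exist.
read_root_authority() {
    if command -v dscl >/dev/null 2>&1; then
        dscl . -read /Users/root AuthenticationAuthority 2>/dev/null
    fi
}

# Classify an attribute string as DISABLED, ENABLED, or UNKNOWN (empty input).
classify_root() {
    if [ -z "$1" ]; then
        echo UNKNOWN
    elif root_is_disabled "$1"; then
        echo DISABLED
    else
        echo ENABLED
    fi
}

# Remediation: give root a real password (interactive prompt). Do not follow
# this with Edit > Disable Root User or `dsenableroot -d`; that recreates the
# password-less, disabled state the bug turns into a blank-password login.
set_root_password() {
    sudo passwd root
}

live="$(read_root_authority)"
if [ -n "$live" ]; then
    state="$(classify_root "$live")"
    echo "root account: $state"
    if [ "$state" = DISABLED ] && [ "${1:-}" = "--fix" ]; then
        set_root_password
    fi
else
    # Not a Mac: show the classifier on the constructed samples instead.
    echo "dscl not found; sample results: $(classify_root "$SAMPLE_DISABLED") / $(classify_root "$SAMPLE_ENABLED")"
fi
```

A report of DISABLED on an unpatched High Sierra means the blank-password login works; ENABLED by itself does not tell you whether the password is blank, so if you have already poked at the bug, run the script with --fix (or use Directory Utility) and set a non-trivial password regardless.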

Apple has said it’s working on a fix, so setting a root password should be sufficient protection for now. Two cautions: leave the root user enabled once you’ve set the password, because disabling it again returns it to the password-less state that the bug exploits, and if you tested the bug on your own Mac, assume root is already enabled with a blank password and set a real one right away.
