Recently, a user on Reddit gave information on a huge Mac OS High Sierra vulnerability. Access to “root” permissions is as easy as an empty password, potentially leaving users extremely vulnerable. If someone has physical access to a Mac OS High Sierra system, they can access personal files and change anything without any admin credentials.
This is a huge vulnerability for Mac users. Developer Lemi Orhan Ergin contacted apple to inform them of the vulnerability. Apple at the time had no update ready for such an issue, however informed of users a way to mitigate the possibility of someone gaining root access.
Disable guest users
Opening up the system preferences and finding the “Users & Groups” section you can select guest users and uncheck “Allow guests to log into this computer.”
By doing this, no one can log into a guest user account and give them direct access to the root permissions option.
Change root password on Mac OS High Sierra
Another means of mitigating this issue, is by actually assigning a password to the root permissions, so if someone did attempt to enter with an empty password, they would be outright blocked.
- Launch systems and preferences
- Select users and groups
- Login options
- Join which is next to the “Network Account Server”
- Open Directory Utility
- Click the lock icon, and enter your password to gain access
- Once inside, in the menu bar of directory utility, select “Change Root Password”
That’s it! Make your own password for the Root access and ensure it is strong to keep it worth this effort!
Apple has informed that they are working on a quick patch, so the problem shouldn’t be relevant for too long, however it is always good to become familiar with this side of your system and learn of it’s layout, in case something in the future pops-up involving the same issue.