Update:

Apple has pushed a security update to patch the authentication issue, which automatically re-disables root user for everyone who configured it to secure their systems. Best practice is to leave it disabled unless you have a good reason to need it, and if you need help on how to enable it, you likely don't actually need it.

You can check whether you have the update from Terminal by running the command:

$ what /usr/libexec/opendirectoryd

If you are using High Sierra 10.13.1 you should see:

/usr/libexec/opendirectoryd PROGRAM:opendirectoryd PROJECT:opendirectoryd-483.20.7

And on High Sierra 10.13 you should see:

/usr/libexec/opendirectoryd PROGRAM:opendirectoryd PROJECT:opendirectoryd-483.1.5
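
To run the same check across several machines, the comparison can be scripted. This is an added example, not part of the original post or an Apple tool: it parses the `what` output and compares the build with the two values listed above. The function names are hypothetical, and it assumes a build newer than the listed one also contains the fix.

```sh
#!/bin/sh
# Added example: classify `what /usr/libexec/opendirectoryd` output against
# the patched builds quoted in the article. Function names are hypothetical.

# Patched opendirectoryd build per macOS version (values from the article).
expected_build() {
    case "$1" in
        10.13)   echo "483.1.5" ;;
        10.13.1) echo "483.20.7" ;;
        *)       return 1 ;;
    esac
}

# Pull the dotted version out of the PROJECT:opendirectoryd-X.Y.Z token.
parse_build() {
    printf '%s\n' "$1" |
        sed -n 's/.*PROJECT:opendirectoryd-\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Succeed if dotted version $1 >= $2, comparing numerically field by field.
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=; else b=${b#*.}; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
    done
    return 0
}

# Print patched / unpatched / unknown for a macOS version and `what` output.
# Assumption: a build newer than the listed one also carries the fix.
classify() {
    want=$(expected_build "$1") || { echo unknown; return 0; }
    have=$(parse_build "$2")
    if [ -z "$have" ]; then echo unknown; return 0; fi
    if version_ge "$have" "$want"; then echo patched; else echo unpatched; fi
}

# On a Mac, check the live system; elsewhere run on the article's sample line.
if command -v sw_vers >/dev/null 2>&1 && command -v what >/dev/null 2>&1; then
    classify "$(sw_vers -productVersion)" "$(what /usr/libexec/opendirectoryd)"
else
    classify 10.13.1 "/usr/libexec/opendirectoryd PROGRAM:opendirectoryd PROJECT:opendirectoryd-483.20.7"
fi
```

A result of "unknown" means the macOS version is not one of the two covered above or the `what` output had no PROJECT token, so that machine needs a manual look.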





Official notes from Apple:









_______________________________________________

This morning, @lemiorhan posted on Twitter about a very serious security issue in macOS High Sierra. All settings options can be unlocked without a password if the username is "root".

If you've tried to recreate this inside settings—naturally, I tried it immediately out of curiosity—the root account has been enabled on your Mac and can be used to log in from the main login screen by clicking "other" and entering "root" as the username and leaving the password blank.

If you have tried the bug in settings, anyone with physical access to your computer can log in with full permissions without a password.

Here's how to disable the root account again (it should always be disabled).

From System Preferences, go to Users & Groups, then select Login Options, and click "Join..." next to "Network Account Server".

From the pane that drops down, select "Open Directory Utility..."

Once the Directory Utility is unlocked by clicking the lock in the corner, select "Edit > Disable Root User" in the menu bar. If these options are greyed out, you need to unlock the Directory Utility window, and if the option says "Enable Root User" then the root account is already disabled and will not show up on your login screen.

Protect Yourself:

If you want to protect yourself from this exploit, selecting "Enable Root User" and configuring a very secure, long password appears to be a workable stopgap measure.

In any case, you must have screen sharing disabled—this attack can be performed remotely. It is probably best to both disable screen sharing and set a root password.

This password must be incredibly strong, because it allows complete privilege escalation, so it's best to use a password generator here.

However, OS X best practice is to have root user disabled, so if you choose to do this, you should re-disable the root account once the bug is fixed.

We are all infosec.















