- wnjj Explorer II
MNGeeks61 wrote:
Anyone who doesn't immediately change a blank/default admin password...well, seems silly.
anyone here remember MS Sql's blank password issue? :)
Did the OS prompt them to change it? I'd venture to guess most of their users never heard of root.
- MNGeeks61 Explorer
Anyone who doesn't immediately change a blank/default admin password...well, seems silly.
anyone here remember MS Sql's blank password issue? :)
- OldF__t Explorer
Apple provided a security update fix for this yesterday. Unfortunately the update has a bug for some users pertaining to file sharing that requires a terminal command to fix.
- ljr Nomad
bwanshoom wrote:
ljr wrote:
From what I've read, the issue occurs even if you have not explicitly enabled root login. That's part of the problem - the OS is seemingly enabling the root account to check the password and that's why when you try the login with a blank password you have to try it twice.
It doesn’t matter unless you’ve enabled root login. “sudo” is a better tool for privileged access anyway.
I’ll take your word for it. The two Macs I could access before I applied the fix have root passwords assigned so I can’t try it.
- 2012Coleman Explorer II
bwanshoom wrote:
Very True - the current reported OS bug bypasses the fact that root is disabled. You simply have to try more than once.
ljr wrote:
From what I've read, the issue occurs even if you have not explicitly enabled root login. That's part of the problem - the OS is seemingly enabling the root account to check the password and that's why when you try the login with a blank password you have to try it twice.
It doesn’t matter unless you’ve enabled root login. “sudo” is a better tool for privileged access anyway.
If you have a computer running macOS High Sierra, you can address this immediately by assigning a password to “root” so that unauthorized parties who might attempt to exploit the flaw won’t be able to log in without it. To do this, simply open the “Directory Utility” app and click the “Edit” dropdown menu in the toolbar. You can then click on the “Change Root Password” entry to enter a new password.
I'd have a password for root regardless of any patch.
- bwanshoom Explorer
ljr wrote:
From what I've read, the issue occurs even if you have not explicitly enabled root login. That's part of the problem - the OS is seemingly enabling the root account to check the password and that's why when you try the login with a blank password you have to try it twice.
It doesn’t matter unless you’ve enabled root login. “sudo” is a better tool for privileged access anyway.
- ljr Nomad
magicbus wrote:
ljr wrote:
It doesn’t matter unless you’ve enabled root login. “sudo” is a better tool for privileged access anyway.
Speaking as a Unix weenie and developer, I can't help but wonder how many of the millions of Mac owners in the world have a clue what this means. I don't think Apple wants their customer base to have to know or care.
Dave
Speaking as another unix weenie (ret), you’re right. Anybody that knows what root is and how to enable it is probably safe anyway.
The moral of the story is that if you don’t know what we’re talking about you probably don’t need to be concerned about this. You’d have no reason to do the things that would put you at risk.
- magicbus Explorer II
ljr wrote:
It doesn’t matter unless you’ve enabled root login. “sudo” is a better tool for privileged access anyway.
Speaking as a Unix weenie and developer, I can't help but wonder how many of the millions of Mac owners in the world have a clue what this means. I don't think Apple wants their customer base to have to know or care.
Dave
- ljr Nomad
It doesn’t matter unless you’ve enabled root login. “sudo” is a better tool for privileged access anyway.
- 1492 Moderator
We were just talking about this today in our enterprise security meeting. Didn't affect our organization as High Sierra has not yet been approved as an OS upgrade. Only five isolated test Macs are running it. Though a pretty big oversight by Apple?
I refrain from upgrading my personal Macs until it passes our enterprise security testing.