High Sierra Root Login Bug Was Mentioned on Apple's Support Forums Two Weeks Ago (daringfireball.net)
John Gruber, reporting for DaringFireball: It's natural to speculate how a bug as egregious as the now-fixed High Sierra root login bug could escape notice for so long. It seems to have been there ever since High Sierra 10.3.0 shipped on September 25, and may have existed in the betas through the summer. One explanation is that logging in with the username "root" and a blank password is so bizarre that it's the sort of thing no one would think to try. More insidious though, is the notion that it might not have escaped notice prior to its widespread publicization yesterday -- but that the people who had heretofore discovered it kept it to themselves. This exploit was in fact posted to Apple's own support forums on November 13. It's a bizarre thread. The thread started back on June 8 when a user ran into a problem after installing the WWDC developer beta of High Sierra.
Password could be anything.... It didn't need to be blank and it would set the root password to whatever password you used.
Proof that no one at Apple reads their own forums.
Apple does not care about the Mac anymore. They make all their money on iPhones now. In fact, if they ported Xcode to FreeBSD they could save a lot of money by just killing the Mac off.
You can bet that's going in as an automated test ASAP, but this is a perfect example of how increased velocity leads to previously unthinkable bugs going unnoticed, or dropped in the rush to ship code. No one wants to go back to full-on waterfall where the software you crank out 3 years later doesn't do what's needed now, but IMO the dev pendulum has gone too far the other way.
Especially in something as big and important as an operating system, some group with enough big-picture thinking and enough intelligence to think up breaking tests needs to make sure everything hangs together right. Individual developers can unit-test their little pieces, but plugging together thousands of little pieces is often what causes big bugs like this.
Right now we're getting the third wave of DevOps adoption, and it's interesting to see how different it is. The first wave was all the cool kids at startups doing microservices, containerizing apps with Docker and Kubernetes, deploying with Jenkins/Chef/Puppet and writing in whatever web framework someone working for Google open-sourced that week. The second wave is all the big software companies who do this for a living. The third wave is the companies who don't have a good handle on their current dev processes now, let alone any clue on how to change them. This is being driven by a massive fear of missing out and consulting companies/tool vendors are making billions off companies that don't really get what they're buying. Expect bugs like this in internal systems as overworked developers are forced to crank out more half-baked code because the Agile book their manager read said they had to ship no matter what.
Go Apple, embrace your higher market share and the shitty testing procedures the big boys employ.
If you want to see an even stranger and worrying discussion around a similar enough problem affecting Linux, look at this bug report involving systemd and concerning unusual Linux usernames.
Almost right away Lennart himself declared it "not-a-bug" and closed the issue, claiming it involved "not a valid username" and claiming "I don't think there's anything to fix in systemd here."
Thankfully, others looked into this matter in more detail. They pointed out that the unusual username involved should very well be considered valid, regardless of what the systemd developers believed. They pointed out that it was in fact a serious problem. They pointed out that it should be fixed.
At some point Michael Biebl came in, babbled nonsensically about "trolls" and locked the discussion, basically giving a big "fuck you" to everyone who wanted to work toward getting these problems fixed properly.
Lennart then deleted some user-submitted comments in a show of censorship, and again denied that there was a problem.
The most absurd part is near the bottom, when Lennart states, "don't forget we don't break people's stuff". This is particularly unusual because systemd is well-known for causing all sorts of breakage and problems for many Linux users.
Was the problem affecting macOS a big mistake on Apple's part? I think so. But at least they got a fix out very quickly once they became aware of the issue.
Their approach is much saner than what we're seeing happen with Linux and systemd, as shown by the systemd bug report and absurd handling of the bug as described earlier.
I'll take Apple's approach any day.
This is what happens when you fire the entire QA team.
Apple is paying more attention to Slashdot press than their own support forums?
Employees that are paid better are harder to bribe. That's not a new thing.
Although the face loss for Apple on this is enormous (but probably without long term consequence), an amusing aspect of this whole story is that from a technical standpoint the Apple bug was probably a net gain for the users of OSX...
How so? Well, in the provided link you see several stories of people using this login bug to restore accounts that would have been harder to restore otherwise.
Meanwhile, are there any stories of Macs actually compromised by this bug? I haven't seen any.
So technically this incredibly head-slapping bug was actually of more use to users than harm, as they were easily able to restore account access!
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Fortunately, there are still Linux distros available that don't use systemd. I'll take sysv init any day.
-- Alastair
that logging in with the username "root" and a blank password is so bizarre that it's the sort of thing no one would think to try.
If you are ever testing (or writing) a login thing, make sure you test the case with no password. Not only is it so obvious that many laypeople think of it, but also this bug keeps happening, most recently on Intel chips. Not only that, it apparently works on any disabled user account, not just root.
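A regression test for the cases this comment names (blank password, any password against a disabled account, and, from the earlier comment in the thread, an attempt that must not overwrite the stored credential), as an added example that is not from the original thread; the `Directory` class, its method names and the PBKDF2 parameters are assumptions, not anything Apple's login code does.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Account:
    name: str
    enabled: bool
    salt: bytes
    pw_hash: Optional[bytes]  # None means no credential has ever been set


def _hash(password: str, salt: bytes) -> bytes:
    # Constructed parameters; any slow password hash would do here.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Directory:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def add(self, name: str, password: Optional[str], enabled: bool) -> None:
        salt = os.urandom(16)
        pw_hash = _hash(password, salt) if password is not None else None
        self.accounts[name] = Account(name, enabled, salt, pw_hash)

    def authenticate(self, name: str, password: str) -> bool:
        acct = self.accounts.get(name)
        # Always run the hash so a missing account is not detectable by timing.
        salt = acct.salt if acct is not None else os.urandom(16)
        candidate = _hash(password, salt)
        if acct is None or not acct.enabled or acct.pw_hash is None or password == "":
            return False  # never mutate the record: a login attempt must not set a password
        return hmac.compare_digest(candidate, acct.pw_hash)

    def snapshot(self) -> Dict[str, tuple]:
        return {n: (a.enabled, a.pw_hash) for n, a in self.accounts.items()}


def regression_checks() -> Dict[str, bool]:
    d = Directory()
    d.add("root", password=None, enabled=False)          # disabled, no credential (like High Sierra's root)
    d.add("alice", password="correct horse", enabled=True)
    before = d.snapshot()
    return {
        "root_blank": d.authenticate("root", ""),
        "root_any": d.authenticate("root", "anything"),
        "root_retry": d.authenticate("root", "anything"),  # the real bug let the second try succeed
        "alice_blank": d.authenticate("alice", ""),
        "alice_ok": d.authenticate("alice", "correct horse"),
        "store_unchanged": d.snapshot() == before,
    }
```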
"First they came for the slanderers and i said nothing."
and running your defined test cases. Sheesh, get with the 90's Apple. Gah. And to the OP's point, as a sysadmin I would have thought of root + 'blank', just like the NSA and CIA.
No such thing
in all those recent stories? That anyone could just type root, leave the password blank, and get unlimited access to all the data he/she wanted without any hacking?
You lose credibility when you fail to mention the bug submission includes this bit, "I searched google and found that it was not right to named a linux user with 0day". It's not valid. Because some other apps don't adhere to standards, they're doing it wrong. Use proper context if you want to have a conversation, not whine like a bitch.
+1 insightful. I never understood the pressing need to "ship" software regularly. Customers aren't going to try out new software every couple of months. Customers would rather just have software that works and keep it around.
I.e. any "it was overlooked" theory must also include incompetence. "root" is one of a handful of well-known accounts, and of course you try to get into it without giving credentials.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
You're the one who should have read the goddamn bug report's discussion.
When you say nonsense like
you're full of bullshit.
What fucking standards would those be? Wait, there is no standard in this case! That's a huge part of the fucking problem!
This comment makes a good argument in favor of it being a valid username when considering certain possibly-applicable standards.
Even Poettering himself states that "some distributions are less restrictive".
Later on, Poettering himself points out that there is no standard: "please work with the POSIX, shadow-utils, libuser communities, as well with the other Linux distributions to come up with a single unified set of rules".
So don't give us this bullshit about "standards". There are no fucking standards, meaning that a username like "0day" should be accepted by systemd, and if it doesn't support such a username then systemd is in the wrong.
Your pathetic attitude is why so much software today is so flawed and insecure. You cry and moan about "conforming to standards" instead of doing the responsible thing and making your software properly handle unusual cases that are perfectly valid and reasonable.
Well, the fact remains that the systemd idiots do not understand "Defense in Depth". That makes them unsuitable to develop anything with security impact. Their reaction also clearly shows that they are unwilling to learn and consider them to understand everything quite well. A sure recipe for disaster.
Hackers doing what? Pretty much all random hackers are script kiddies attacking common services. If you have an internet facing machine chances are they are going to try SMB authentication, check if you have wordpress running, and check if you have SSH running. If they are going to try remote access they'll use Windows RDP.
Why target a MacOS system specifically? The only thing you'll achieve is rule out 94% of desktop targets and 100% of server targets.
Stay off the evening news.
And if you do get on, make sure you tell your boss before he sees it.
Or have enough market share so you don't have to worry about it.
"Access to this place or content is restricted. If you think this is a mistake, please contact your administrator or the person who directed you here."
Did anyone think to archive the thread, or is it just gone forever now?
I changed my password to ********* ... post yours here, this forum converts password characters to *!
A username with a leading digit is absolutely valid. It's documented as being valid in POSIX, with explicit details about how names vs UID/GIDs are disambiguated when used as command-line arguments. It goes without saying that systemd got it completely backwards, ignoring existing standards and conventions, which is the root cause of this bug.
Not finding a bug like that would have gotten a tester put on a PIP at Microsoft in 2000.
In my former SDET opinion, it shows that Apple doesn't do enough professional testing.
Apple put it there so there would be a way in to the system, and as long as there were no headlines, they were happy to ignore any mention of it. They only fixed it now and apologized because it garnered headlines and lots of criticism.
Do you still believe Apple are honest and think about their customers, and your data? Think again.
If you mean a rambling off-topic rant now removed, sure. Took a few days, but it thankfully no longer litters devForums.