High Sierra Root Login Bug Was Mentioned on Apple's Support Forums Two Weeks Ago

John Gruber, reporting for DaringFireball: It's natural to speculate how a bug as egregious as the now-fixed High Sierra root login bug could escape notice for so long. It seems to have been there ever since High Sierra 10.3.0 shipped on September 25, and may have existed in the betas through the summer. One explanation is that logging in with the username "root" and a blank password is so bizarre that it's the sort of thing no one would think to try. More insidious though, is the notion that it might not have escaped notice prior to its widespread publicization yesterday -- but that the people who had heretofore discovered it kept it to themselves. This exploit was in fact posted to Apple's own support forums on November 13. It's a bizarre thread. The thread started back on June 8 when a user ran into a problem after installing the WWDC developer beta of High Sierra.

An even stranger discussion involving systemd.....

If you want to see an even stranger and worrying discussion around a similar enough problem affecting Linux, look at this bug report involving systemd and concerning unusual Linux usernames.

Almost right away Lennart himself declared it "not-a-bug" and closed the issue, claiming it involved "not a valid username" and claiming "I don't think there's anything to fix in systemd here."

Thankfully, others looked into this matter in more detail. They pointed out that the unusual username involved should very well be considered valid, regardless of what the systemd developers believed. They pointed out that it was in fact a serious problem. They pointed out that it should be fixed.

At some point Michael Biebl came in, babbled nonsensically about "trolls" and locked the discussion, basically giving a big "fuck you" to everyone who wanted to work toward getting these problems fixed properly.

Lennart then deleted some user-submitted comments in a show of censorship, and again denied that there was a problem.

The most absurd part is near the bottom, when Lennart states, "don't forget we don't break people's stuff". This is particularly unusual because systemd is well-known for causing all sorts of breakage and problems for many Linux users.

Was the problem affecting macOS a big mistake on Apple's part? I think so. But at least they got a fix out very quickly once they became aware of the issue.

Their approach is much saner than what we're seeing happen with Linux and systemd, as shown by the systemd bug report and absurd handling of the bug as described earlier.

I'll take Apple's approach any day.

Re:Password could be anything....

[AJWM]

No. If you have physical access to a Mac, it is trivial to reboot it into single user (ie root) mode. No extra equipment required, and only as long as the boot time. Unlike other *nix systems, MacOS doesn't require that you login with the root password in single user mode. (Or didn't last time I tried.)

What this bug does is give the casual passerby root access without having to reboot, therefore making it less obvious that it was tampered with.