Slashdot Mirror


High Sierra Root Login Bug Was Mentioned on Apple's Support Forums Two Weeks Ago (daringfireball.net)

John Gruber, reporting for DaringFireball: It's natural to speculate how a bug as egregious as the now-fixed High Sierra root login bug could escape notice for so long. It seems to have been there ever since High Sierra 10.3.0 shipped on September 25, and may have existed in the betas through the summer. One explanation is that logging in with the username "root" and a blank password is so bizarre that it's the sort of thing no one would think to try. More insidious though, is the notion that it might not have escaped notice prior to its widespread publicization yesterday -- but that the people who had heretofore discovered it kept it to themselves. This exploit was in fact posted to Apple's own support forums on November 13. It's a bizarre thread. The thread started back on June 8 when a user ran into a problem after installing the WWDC developer beta of High Sierra.

10 of 85 comments

  1. Proof that... by houstonbofh · · Score: 4, Insightful

    Proof that no one at Apple reads their own forums.

    1. Re:Proof that... by jellomizer · · Score: 2

      As part of yesterday's article on Slashdot, when they stated they needed to review how they managed these issues, I had expected that this was probably a known issue, that just somehow failed to get into the right hands.

      I think it is mainly a failure in management, than with Apple not caring or ignoring a problem. Just poor escalation management, which can be fixed.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  2. Re:Password could be anything.... by sabri · · Score: 5, Informative

    And here is the link to the actual support forum: https://forums.developer.apple...

    I don't get why /. needs to link to someone's personal blog for this.

    --
    I'm not a complete idiot... Some parts are missing.
  3. Re:Password could be anything.... by bobbied · · Score: 2

    Wow, now that's one heck of a security feature. I'll bet somebody did this on purpose...

    Did somebody's head roll over there at Apple? This should have been an obvious "feature" in the code change that should have been caught by development in a peer review of the code, should have been caught by the test team as an untested new feature, or should have been caught by the build team as an unverified change.

    A bunch of folks should be reprimanded for this slipping through. Do your jobs, people!

    What? You don't follow a process that creates multiple points where such a thing would be caught? Nobody can be blamed? If this is true, Apple scares me more than it used to.

    Security must be both designed in and part of the process or you are wasting your time.

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
  4. An even stranger discussion involving systemd..... by Anonymous Coward · · Score: 2, Interesting

    If you want to see an even stranger and worrying discussion around a similar enough problem affecting Linux, look at this bug report involving systemd and concerning unusual Linux usernames.

    Almost right away Lennart himself declared it "not-a-bug" and closed the issue, claiming it involved "not a valid username" and claiming "I don't think there's anything to fix in systemd here."

    Thankfully, others looked into this matter in more detail. They pointed out that the unusual username involved should very well be considered valid, regardless of what the systemd developers believed. They pointed out that it was in fact a serious problem. They pointed out that it should be fixed.

    At some point Michael Biebl came in, babbled nonsensically about "trolls" and locked the discussion, basically giving a big "fuck you" to everyone who wanted to work toward getting these problems fixed properly.

    Lennart then deleted some user-submitted comments in a show of censorship, and again denied that there was a problem.

    The most absurd part is near the bottom, when Lennart states, "don't forget we don't break people's stuff". This is particularly unusual because systemd is well-known for causing all sorts of breakage and problems for many Linux users.

    Was the problem affecting macOS a big mistake on Apple's part? I think so. But at least they got a fix out very quickly once they became aware of the issue.

    Their approach is much saner than what we're seeing happen with Linux and systemd, as shown by the systemd bug report and absurd handling of the bug as described earlier.

    I'll take Apple's approach any day.

  5. Re:Password could be anything.... by AJWM · · Score: 4, Interesting

    No. If you have physical access to a Mac, it is trivial to reboot it into single user (i.e. root) mode. No extra equipment required, and only as long as the boot time. Unlike other *nix systems, MacOS doesn't require that you login with the root password in single user mode. (Or didn't last time I tried.)

    What this bug does is give the casual passerby root access without having to reboot, therefore making it less obvious that it was tampered with.

    --
    -- Alastair
  6. Re:Password could be anything.... by elistan · · Score: 2

    Can you encrypt the hard disk with a Mac? Physical access to my Ubuntu laptop isn't gonna get you anything if you don't have the passphrase for decrypting my hard disk.

    Yes. Apple has what they call FileVault that does whole-disk encryption (minus a boot volume, I think.)

    If FileVault is used, Single User Mode as mentioned above requires login credentials.

  7. Re:It's the most obvious thing by Obfuscant · · Score: 4, Informative

    If you are ever testing (or writing) a login thing, make sure you test the case with no password.

    The claim that nobody thinks to try root with no password is just bullshit. I get daily logs of failed SSH logins on several net-facing devices I have and they always have root/(none) listed multiple times.
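
A regression check for the no-password case raised in the comment above, as an added example that is not part of the original thread and not Apple's code. The `verify_login` function, the `USERS` table and its accounts are hypothetical, and PBKDF2 is chosen here only for illustration.

```python
import hashlib
import hmac
import os


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_record(password):
    """Build a stored credential; None means the account exists but is disabled."""
    if password is None:
        return None
    salt = os.urandom(16)
    return (salt, _hash(password, salt))


# Constructed sample user database (hypothetical accounts).
USERS = {
    "alice": make_record("correct horse battery staple"),
    "root": make_record(None),  # present, but has no usable credential
}
# Stand-in record so unknown and disabled users cost the same work as real ones.
_DUMMY = make_record("placeholder for unknown or disabled users")


def verify_login(username: str, password: str, users=USERS) -> bool:
    """True only for an enabled account with a matching, non-empty password.

    The check is read-only: a failed attempt never creates or changes a record.
    """
    record = users.get(username)
    salt, expected = record if record is not None else _DUMMY
    match = hmac.compare_digest(_hash(password, salt), expected)
    return bool(password) and record is not None and match


def negative_cases(users=USERS):
    """Attempts that must all be rejected; returns any that were accepted."""
    attempts = [
        ("root", ""), ("root", ""),      # same blank attempt twice in a row
        ("root", "anything"),            # disabled account, arbitrary password
        ("alice", ""), ("alice", "wrong"),
        ("nobody", ""), ("", ""),
    ]
    return [a for a in attempts if verify_login(*a, users=users)]
```

An empty list from `negative_cases()` means every blank-password and disabled-account attempt was refused, including the repeated one.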

  8. Aaaaand it's gone. by Kyudosha · · Score: 2

    "Access to this place or content is restricted. If you think this is a mistake, please contact your administrator or the person who directed you here."

    Did anyone think to archive the thread, or is it just gone forever now?

  9. Re:Password could be anything.... by Lost+Race · · Score: 4, Funny

    Well that link requires a login -

    No problem, just enter "root" for the user name, leave the password field blank, and hit Enter twice.