There was a major security flaw discovered in the latest major version of macOS, 10.13, yesterday. It allows any user who has access to an unpatched machine to gain root access without any password. As it was only just discovered, Apple does not yet have any patch or instructions on how to resolve this. Fortunately, the #MacAdmins community is all over this and we have some direction on what action to take.
Dear @AppleSupport, we noticed a *HUGE* security issue at MacOS High Sierra. Anyone can login as "root" with empty password after clicking on login button several times. Are you aware of it @Apple?
— Lemi Orhan Ergin (@lemiorhan) November 28, 2017
Note: Apple has since released Security Update 2017-001 to address this issue. That was quick for Apple!
Soo…. no time like the present crisis to write my very first post on what I am specifically doing to address this. There are some simple steps that need to be taken to ensure that the vulnerability is patched and that it can't be easily undone:
- Set Root Password: Make sure the root user has a fairly complex and randomized password set.
- Disable Root Login: Set the root user's login shell to /usr/bin/false.
The following is a script that can be run to address this for users. It is based on a script written by the great Rich Trouton, with a few modifications. It is currently being pushed by our SolarWinds RMM system as a 24x7 script check, but it can be distributed and run by anything really. One idea would be to use munki and embed it as an installcheck_script.
The code is below so you can inspect it for yourself - but here is the basic idea:
- Only run the code if we are running 10.13.X
- Set the root password to a random 32 character string if it has not already been set
- Set the root UserShell to /usr/bin/false if it is not already set to that value
- Return output with details of what was done
Download the raw script here
#!/bin/bash
majorVer=`sw_vers -productVersion | cut -d'.' -f2`
# Only act on 10.13
if [ "$majorVer" -eq "13" ]; then
  # Test to see if the root password has been set
  isPasswordSet=$(/usr/bin/dscl . -read /Users/root ShadowHashData 2>/dev/null)
  if [[ -z "$isPasswordSet" ]]; then
    # Set the root password to a random value: 32 bytes from openssl, base64-encoded
    rootpassword=$(openssl rand -base64 32)
    echo "Setting root password to a randomized password"
    /usr/bin/dscl . -passwd /Users/root "$rootpassword"
  fi
  # Disable root login by setting root's shell to /usr/bin/false.
  # The original UserShell value is as follows:
  #
  # /bin/sh
  #
  # To revert it back to /bin/sh, run the following command:
  # /usr/bin/dscl . -change /Users/root UserShell /usr/bin/false /bin/sh
  rootshell=$(/usr/bin/dscl . -read /Users/root UserShell | awk '{print $2}')
  if [[ -z "$rootshell" ]]; then
    # If root shell is blank or otherwise not set,
    # use dscl to set /usr/bin/false as the shell.
    echo "Setting blank root shell to /usr/bin/false"
    /usr/bin/dscl . -create /Users/root UserShell /usr/bin/false
  else
    if [ "$rootshell" != "/usr/bin/false" ]; then
      # If root shell is set to an existing value, use dscl
      # to change the shell from the existing value and set
      # /usr/bin/false as the shell.
      echo "Changing root shell from $rootshell to /usr/bin/false"
      /usr/bin/dscl . -change /Users/root UserShell "$rootshell" /usr/bin/false
    fi
  fi
  echo "Root disabled"
fi
exit 0
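As an added example (not part of the original post or Rich Trouton's script), here is the munki installcheck_script idea mentioned above: the same three conditions the remediation script acts on, but turned into a pure decision function so it can be exercised without dscl. It assumes munki's convention that an installcheck_script exits 0 when the item needs to be installed and non-zero when it does not; the live-state section only runs on macOS.

```shell
#!/bin/sh
# Added example: munki installcheck_script for the root-hardening item.
# munki convention: exit 0 = remediation needed, exit 1 = nothing to do.

# Decision logic only. Args: product version (e.g. 10.13.1),
# non-empty string if root has ShadowHashData, current root UserShell.
# Prints the reason; returns 0 if remediation is needed, 1 otherwise.
needs_remediation() {
  version="$1"; has_hash="$2"; shell="$3"
  major=${version%%.*}
  rest=${version#*.}
  minor=${rest%%.*}
  # Only 10.13.x is affected by the empty-root-password flaw
  if [ "$major" != "10" ] || [ "$minor" != "13" ]; then
    echo "not 10.13: nothing to do"
    return 1
  fi
  if [ -z "$has_hash" ]; then
    echo "root has no password hash"
    return 0
  fi
  if [ "$shell" != "/usr/bin/false" ]; then
    echo "root shell is '$shell', not /usr/bin/false"
    return 0
  fi
  echo "root already hardened"
  return 1
}

# Gather live state; guarded so the logic above can be tested off-Mac
if [ "$(uname)" = "Darwin" ]; then
  version=$(/usr/bin/sw_vers -productVersion)
  has_hash=$(/usr/bin/dscl . -read /Users/root ShadowHashData 2>/dev/null)
  shell=$(/usr/bin/dscl . -read /Users/root UserShell 2>/dev/null | awk '{print $2}')
  needs_remediation "$version" "$has_hash" "$shell"
  exit $?
fi
```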
Feeling Adventurous?
Well, I mean, you only live once, so if you want to just run this script on the fly in Terminal, all you need to do is run this:
curl -s https://raw.githubusercontent.com/sphen13/munki-scripts/master/Solarwinds%20RMM%20-%20GruntWork/Script%20Checks/block_root_account_login.sh | sudo bash
It will prompt for your admin password.
I hope this helps someone out!