You could have put "Local" in the headline. I'm sure I'm not the only one here looking after a group of Macs for business or family who'd really appreciate direct triage information in the headline.
Hilarious! We’re arguing about how this actually works and what to do about it. So many experts, so little expertise to confuse the issue and tie it up in knots. I decided to use iMore’s Rene Ritchie’s advice to enable root, set a strong password, and leave root enabled until the patch is made, probably in 10.13.2.
That works too. DO NOT forget the password. In the meantime, some system operations may bug you for it, when you wouldn't ordinarily expect to enter it.
It cannot be overstated how important it is to remember the root password, if set.
This is a horrible bug that was missed by Apple, but let's keep things in perspective. If a user has physical access to the machine, it's already at risk, especially if a firmware password is not enabled on the system. Disabling root or changing the root password does not prevent someone from accessing your Mac using single user mode (and then accessing the system as root), or booting up your Mac with an external drive with macOS installed on it.
I never understood the whole guest access thing, but I've always disabled it during "hardening" of a system image, and in hindsight it was probably a good decision.
Does this not put a ton of Mac servers with services forwarded to the WAN at risk? Users with Screen or File Sharing enabled browsing at coffee shops? Or am I missing something here?
EDIT: confirmed, just screenshared in to another random Mac on our network via Bonjour in the Finder (wasn't even the Mac I thought it was) using this exploit.
Boy am I glad I've left my office's mini server on Sierra for now (and my laptop)!
My root account has been disabled since day 1. If I enable root and assign a password, will I start getting prompted for the root password by system processes that use root?
You need to give root a password. I can't stress this enough: if you worry about security, add a password. Problem solved.
PS: I assume people already know how to add a password to root, but apparently not. Just in case. There are two ways to do this, but I prefer the one below; it's faster.
1. Open a terminal window (Command-Space for Spotlight, type 'terminal').
2. Type `sudo passwd root`. Enter your password, and then a new password twice.
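Setting a root password is the fix the post above describes; the rest of the thread argues over whether the account is also reachable over Screen Sharing, File Sharing and Remote Management. The script below is an added example, not code from the commenter or from Apple: an audit a Mac admin can run in Terminal to see which of those services are loaded and what state the root account is in. Everything it relies on is my assumption rather than something the thread states: the launchd labels it matches (`com.apple.screensharing`, `com.apple.RemoteDesktop*`, `com.apple.smbd`, `com.apple.AppleFileServer`, `com.openssh.sshd`), the `dscl` output it classifies (a never-enabled root has no AuthenticationAuthority key, `dsenableroot -d` leaves a `;DisabledUser;` tag, an enabled root carries `;ShadowHash;`), and the `GuestEnabled` loginwindow preference. The `launchctl list` sample is constructed so the parsing part runs offline; the live audit only runs on macOS.

```shell
#!/bin/sh
# Added audit script; not from the thread above. Run on the Mac in Terminal.
# Assumptions (mine, not stated on the page):
#  - the launchd labels below are what `sudo launchctl list` shows when the
#    matching sharing service is switched on;
#  - a root account that has never been enabled has no AuthenticationAuthority
#    attribute, so `dscl` reports "No such key"; `dsenableroot -d` leaves a
#    ";DisabledUser;" tag; an enabled root carries ";ShadowHash;".

# Map loaded launchd jobs (`launchctl list` output on stdin) to the sharing
# service that exposes them on the network. One line per matching job.
exposed_services() {
    awk '
        $3 == "com.apple.screensharing"                              { print "ScreenSharing " $3 }
        $3 ~ /^com\.apple\.RemoteDesktop/                            { print "RemoteManagement " $3 }
        $3 == "com.apple.smbd" || $3 == "com.apple.AppleFileServer"  { print "FileSharing " $3 }
        $3 == "com.openssh.sshd"                                     { print "RemoteLogin " $3 }
    '
}

# Classify `dscl . -read /Users/root AuthenticationAuthority 2>&1` output on
# stdin. The "No such key" message goes to stderr, hence the 2>&1 at the caller.
root_state() {
    out=$(cat)
    case "$out" in
        *"No such key"*)    echo never-enabled ;;
        *";DisabledUser;"*) echo disabled ;;
        *";ShadowHash;"*)   echo enabled ;;
        *)                  echo unknown ;;
    esac
}

# Live audit (macOS only). Needs sudo so launchctl shows system-domain jobs.
audit_host() {
    [ "$(uname)" = Darwin ] || { echo "not macOS, skipping live audit"; return 0; }
    echo "== network sharing services loaded =="
    sudo launchctl list | exposed_services
    echo "== root account =="
    dscl . -read /Users/root AuthenticationAuthority 2>&1 | root_state
    echo "== guest login (1 = on) =="
    defaults read /Library/Preferences/com.apple.loginwindow GuestEnabled 2>/dev/null || echo "not set"
}

# Constructed sample of `launchctl list` output so the parser can be shown
# offline; real output is tab-separated, awk splits on any whitespace.
SAMPLE_LAUNCHCTL='PID  Status  Label
412  0  com.apple.screensharing
-    0  com.apple.smbd
97   0  com.apple.mDNSResponder'

printf '%s\n' "$SAMPLE_LAUNCHCTL" | exposed_services
audit_host
```

On the constructed sample the parser reports ScreenSharing and FileSharing and ignores mDNSResponder. Two things to act on from a live run: any service listed is a network path to the login prompt the thread is discussing, so turn it off or firewall it until the box is patched; and if `root_state` prints `enabled` on a Mac where nobody set a root password on purpose, find out why before trusting it, then set a strong password with `sudo passwd root` as the post above says.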
I keep hearing this but why? I've disabled Root access on my Macs and then tested every possible scenario I could think of. Since I never have Guest User enabled there's no Other option during login in which one can input Root as the user, but for the sake of being thorough I did a normal logout, which brings me back to a screen to input a username and password (an option you don't get with a boot up with FV2 enabled, a feature I don't care for with macOS since it already tells a would-be thief what my username is), and tried using the Root login with a blank password. Nothing. It doesn't work because Root access has been disabled.
I even brought up Screen Sharing, accessed my Mac via the LAN with its static IP address and tried to use Root to access it. It doesn't work.
If you're so certain that having both Guest User and Root Access disabled will let someone access my device then please walk me through the steps so I can test this.
Sigh. Apple needs to either scale their ambitions for annual MacOS releases way the fuck back, or return to an 18 month schedule.
— Eric “still wakes up to a kernel panic if he leaves his MBP plugged in to a Thunderbolt Display and some backup drives overnight" WVGG
Hear, hear. It's disgusting what today's (actually 2013's) Apple feels is acceptable.
Have you two thought this through?
Since iCloud and iOS services syncing through iCloud are a major part of how all their modern OSes work, how exactly would it help Apple to have, say, a new iPhone come out in the autumn and then have to wait for a great feature added to iOS to finally work as expected because macOS won't be updated for 6 to 18 months?
There's a clear reason why they announce all the new features at WWDC and release the new OS betas and updated OSes around the same time.
I also think you two are forgetting that these bugs are not a new thing. You, like most people, have forgotten all the issues that plagued Apple's HW and SW back when the Mac was their only major product offering. Hell, they even had an egregious bug in macOS about two decades ago that would let you log into any account simply by overflowing the buffer by typing an excessive number of characters into the password field.
Shit happens and it's unfortunate, especially when it's a security flaw, but nothing is gained by looking at Apple's past through rose-colored glasses.
But it’s all about going negative on Apple at every opportunity, big or small. People wake up in the morning hoping for this stuff. As I said in another thread, so many experts with so little expertise, armchair critics everywhere.
In the tech universe there have been many critical, apocalyptic, world ending security flaws lately, from the Krack Hack going back to SSL a few years ago. But never have I read a report of a confirmed attack using one of these exploits. As for Apple’s list of flaws I have yet to see someone (credible) come here to report they were compromised by any of them. Flaws come, they get fixed, they go. There is so much hand wringing, so much paranoia, so much hysterical commentary coming from those CLAIMING to be competent in these matters. Just look at the comments in the AI forums. These ‘competent’ experts can’t even agree as to what’s going on and how to deal with it.
ALSO A REMOTE EXPLOIT if you have some sharing services enabled (screen sharing, remote management, file sharing too I think, and so on).
I can't believe the usual "homer" suspects aren't weighing in... They come out in droves to support some of the "editorials"....