
High Sierra Root access bug -- fix

Euan Williams
As splashed all over the (BBC) news and internet this morning (29th November), there is a security bug affecting High Sierra users.

Pending Apple's, a simply written 'fix' (with screen shots) has been posted by OSX Daily here.

Re: High Sierra Root access bug -- fix

Tony Still
Thanks Euan, I too had this bad news from the BBC news this morning. This is not the sort of publicity that should make Apple's macOS team proud.

Euan links to Apple's advice on how to deal with this. I am not offering advice but I will say that I do have the problem but I do not intend to follow Apple's advice. The problem with Apple's workaround is that it requires one to enable the root account. In macOS, root is supreme so it is not enabled by default ... for security reasons; Apple's advice requires enabling it - this is a dilemma. The big concern is that you then need to remember to disable it again once the problem has been fixed.

My personal risk assessment goes like this: I do not have the Guest account enabled (general security advice is to disable Guest account unless you really need it). I have the log-in screen showing the list (icons) of user accounts. I do not have remote access (i.e. any form of sharing) enabled. My Mac is not physically accessible to anyone I don't know and trust. My vulnerability is thus to malware being created that can exploit the problem; I think the risk of me encountering this before Apple issues a fix is low (lower than the risks of me enabling root). So I am constructively going to do nothing.

I would welcome any comments on my approach. I am not recommending it to others, just describing the logic.

Re: High Sierra Root access bug -- fix

Mick Burrell
I agree with Tony but perhaps from a different angle. Like many users, I don't want to be typing a password into my desk machine when I start it; I have it log straight into my account. So nobody needs a password to access my machine - just switch it on!

(OK, for the pedants out there I do know that root can do more than an administrator and that I could use a Standard rather than an Administrator account but like most people, I don't!)

Re: High Sierra Root access bug -- fix

Douglas Cheney
I see that Apple has posted a security update to fix this problem.

Re: High Sierra Root access bug -- fix

Euan Williams
The workaround set out by OSX Daily and others relies on making sure that Users protect Root with a password. This is to prevent a hacker getting at Root directly to do all manner of surreptitious evil activities.

Apple's Security update corrects the "no password required for access to Root" situation, and also removes any password or enabling that users may have set in the last 24 hours or so when using the "OSX Daily workaround". The System will now function normally but safely.

The Urgent Security update is available through the App store. Happy Christmas one and all :)

Re: High Sierra Root access bug -- fix

Euan Williams
There may be file sharing consequences after installing Apple's Root security fix. Apple has posted this further fix for anyone affected.

Re: High Sierra Root access bug -- fix

Trevor Hewson
Do we need a law imposing a minimum interval of, say, 3 years between OS updates? Maybe then we could get away from this ever increasing rush to release buggy software.

Or maybe my cold is making me grumpy? (Pause for outpouring of sympathy)

Re: High Sierra Root access bug -- fix

Tony Still
The problem with a minimum update period of 3 years is that we'd be stuck with the likes of Yosemite for 3 years. For me, at least, Sierra was an improvement and I hope that High Sierra will also be in time.

As to the security problem, don't the gross nature of the error and the speed of the fix together suggest that someone left some debug code enabled?

And no, no sympathy for you having a virus - you caught it, you kill it.

Re: High Sierra Root access bug -- fix

Euan Williams
We're not yet entirely out of this particular wood, sadly. WIRED reports more complexities for some. Report repeated elsewhere by Ars Technica among others.

Re: High Sierra Root access bug -- fix

Trevor Hewson
You're a hard man Tony! Mind you, I may have caught a cold, but I haven't yet installed High Sierra :)

Re: High Sierra Root access bug -- fix

Tony Still
I was surprised that the fix didn't need a reboot. As it happened, I had some other problems when I installed it and the recent iWork updates so I did reboot anyway. My issue was disappearing app icons: the updated iWork apps and also a bunch of other apps all reverted to the generic application icon, weird.

I also read elsewhere (I forget where) from someone who had analysed the fix that the problem appeared to be a software error, not just a compile option for some test software. Worrying.

It seems that Apple does about as much software testing as we give sympathy to Trevor.

Re: High Sierra Root access bug -- fix

Euan Williams
Maybe time to widen out this conversation? Here's an interesting and positive analysis :)

Re: High Sierra Root access bug -- fix

Tony Still
I am optimistic that High Sierra will continue the gentle upward path of macOS quality that seemed to start with Sierra (YMMV). However, the lack of testing of the OS, and of the security features in particular, is disgraceful and unprofessional.

Software engineering of big systems is hard (which is why so many clever people get it wrong in so many cases) and it bears little relationship to programming. Those that don't recognise this are doomed to make mistakes of the sort Apple has made over the past several years. I have never allowed my software teams to do some of these things (which is hard and makes you unpopular) and I would not expect Apple's software professionals to do them either.
 