Fixing the Apple Root Bug (Permanently)

It’s been a pretty bad week for Apple software, both for their macOS computer software and their iOS smartphone and tablet software. But today I’m going to focus on a truly horrendous software bug that somehow slipped through Apple’s normally stellar quality control process. This one screw up could allow someone to quickly and easily take over your Macintosh computer – potentially even remotely. It’s like leaving the master key to a building on the front doormat. Not under the doormat, mind you – on top of it, with a label saying “master key”. So without further ado, let’s tell you how to fix the Apple root bug, for good.

What is the Apple Root Bug?

Apple’s macOS software – the operating system for its Macintosh computers – is based on the Unix operating system. Unix and its various Linux variants all come with a standard administrator account called “root”. This account can do absolutely anything. It has the highest possible level of permissions and privileges – it’s the “superuser”. This account is extremely powerful and Apple normally disables this by default.

But a recent update to Apple’s latest OS (High Sierra, or 10.13) somehow allowed access to this superuser account with no password whatsoever. That’s right. You could successfully log into a Mac with user ID “root” and leave the password field empty. There was basically zero security on the most powerful user account on the system. In most cases, this would require physical access to an unlocked Mac, but if you have remote access enabled, then someone could log in remotely as well. That’s about as bad as it gets, folks.

It’s Fixed. No Wait, It’s Broken Again.

To Apple’s credit, they released an emergency fix for this bug within about 24 hours (Security Update 2017-001). If you had your auto-update enabled, this fix was even installed for you. That’s great. All software companies will have bugs from time to time, so what really counts is how they respond. Apple responded quickly with a fix. Yay!

This fix was obviously rushed out, because in addition to fixing the root bug, it broke Apple’s file sharing feature. While that’s bad, it’s still a good trade-off. But it gets worse. A day or two later, Apple released a new full update to macOS (10.13.1) that reintroduced the same root bug! I’ve seen some reports that say if you just reboot your Mac, the root bug will be fixed again… but that’s silly. There’s a real fix that will be permanent…

Fixing the Root Bug Permanently

The underlying issue here is that the root account apparently has no password or somehow a fail-safe mechanism was broken that allowed failed logins to succeed… I’m not sure. But if you just explicitly set the root user’s password, the problem goes away. So how do you do that?

First of all, be sure that a) you generate a strong password for this account and b) you store this password away somewhere. It’s okay to write this on a piece of paper, as long as you put that paper somewhere safe. (Consider using a password manager to both generate and store the password.)

You can set the root password in at least two ways. The official way, according to Apple, is to do the following (using the instructions here):

  1. Enable the root account
  2. Change the root account password
  3. Disable the root account

However, I find that too cumbersome. There’s a simpler way and it feels a lot cooler: use the Terminal application.

  1. Launch the Terminal application from your Applications > Utilities folder. You will get a text-based window with a little “$” prompt.
  2. In the terminal, you will need to switch to “superuser”. Type “sudo su” and hit Return. Then enter the password for your current account (you have one, right?):
    • $ sudo su
    • Password: (your password)
  3. Now you should be logged in under the root account, and you’ll have a new prompt. To change the root password, type “passwd” and enter the new password (twice).
    • # passwd
    • Changing password for root.
    • New password: (enter something you’ll remember)
    • Retype new: (type it again)

This should fix the problem once and for all. Again, make sure you keep that password somewhere safe!