Last week, researchers revealed a new bug in macOS High Sierra. The bug enables the root superuser on a Mac with a blank password and no security check. In other words, the bug essentially gives anyone full access to your Mac.
Apple issued a security patch last week. However, there are some reports that the update itself is also causing problems.
Regardless, here’s a workaround that you can quickly implement yourself to keep your Mac systems safe from unauthorized access.
Enable the Root Account
Essentially, you need to enable the root account by giving the account “root” a password. To do this, use your Directory Utility or, from a Terminal, issue the following command:
sudo passwd root
Then follow the prompts to enter a new password. (And don’t forget to change the password frequently.)
Privileged Account Management
With the root account enabled, users can no longer simply reenter their own password to obtain root-level (administrator) privileges. This allows more granularity in setting privileges because now a separate elevated account must be called to perform administrative functions.
This account can be managed and secured independently of the normal user account by using privileged account management solutions like our RED Identity Management. With RED Identity Management you can randomize and securely store the account password, and provide a delegated and audited interface to obtain the password as needed.
Issue Sudo Commands
Now that that’s taken care of, you need to make sure the sudo command is available to those who need it. Keep in mind the three levels of users in OS X: users, admin and root. By default, users can’t issue sudo commands; only admins and root users can.
If you don’t want your users to have admin permissions, but you do want them to be able to issue sudo commands when necessary, you will need to enable sudo for the users on your OS X system. You can do this either by editing the /private/etc/sudoers file to include specific users or by uncommenting the example line in that file that starts with ‘%wheel’ and then adding your users to the wheel group.
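The %wheel route described above, as an added example that is not from the original article: it edits a copy of sudoers, activates only the password-requiring rule and leaves any NOPASSWD variant commented. The sample file contents are constructed, and apply_on_mac is a hypothetical wrapper that assumes it runs as root on the Mac with the system's visudo, install and dseditgroup.

```shell
#!/bin/sh
# Added example (not from the article): activate the stock %wheel rule safely.

# Constructed sample of the commented example lines in a sudoers file.
sample_sudoers() {
cat <<'EOF'
root ALL=(ALL) ALL
%admin ALL=(ALL) ALL
## Uncomment to allow members of group wheel to execute any command
# %wheel ALL=(ALL) ALL
## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
EOF
}

# enable_wheel SRC DST: write SRC to DST with only the password-requiring
# %wheel rule uncommented; the NOPASSWD variant stays commented out.
enable_wheel() {
    sed -E 's/^#[[:space:]]*(%wheel[[:space:]]+ALL[[:space:]]*=[[:space:]]*\(ALL\)[[:space:]]+ALL)[[:space:]]*$/\1/' "$1" > "$2"
}

# active_wheel_rules FILE: print every uncommented %wheel rule.
active_wheel_rules() {
    sed -n '/^%wheel[[:space:]]/p' "$1"
}

# apply_on_mac USER: hypothetical wrapper, run as root on the Mac itself.
# Edits a copy, lets visudo reject a file sudo cannot parse, then installs it
# and adds USER to wheel. Defined only; nothing below calls it.
apply_on_mac() {
    tmp=$(mktemp) || return 1
    enable_wheel /private/etc/sudoers "$tmp" &&
        visudo -c -f "$tmp" &&
        install -m 0440 -o root -g wheel "$tmp" /private/etc/sudoers &&
        dseditgroup -o edit -a "$1" -t user wheel
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Demo on the constructed sample only; the live sudoers file is not touched.
demo_dir=$(mktemp -d)
sample_sudoers > "$demo_dir/sudoers.in"
enable_wheel "$demo_dir/sudoers.in" "$demo_dir/sudoers.out"
active_wheel_rules "$demo_dir/sudoers.out"
rm -rf "$demo_dir"
```

Once the rule is active, every member of wheel can run any command through sudo, so review the group's membership whenever you review the sudoers file.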
By following the steps outlined here, you can allow the root password of your Mac systems to be managed by automated processes that would randomly generate a new password on a regular basis or following password recovery. Thus your systems can remain compliant with your company’s policies, as well as regulatory compliance mandates put forth by PCI-DSS, HIPAA and others.
As an added benefit, you will also stop your users and admins from being able to unthinkingly elevate their privileges by simply retyping their own password.
By Chris Stoneff, Vice President Technical Management, Lieberman Software
Chris Stoneff oversees product management, quality assurance and technical support at Lieberman Software, and is instrumental in guiding the development of the Lieberman Software products portfolio.