undefined | Better HN

0 pointsrwc8y ago0 comments

It's worse than that. You're enabling the root user EVERY time you use this vulnerability. Even if you disable the root user in Directory Utility, logging in with root and no password will re-enable the root user.

0 comments

LeoPanthera8y ago

You can simply set a root password with "sudo passwd" to close the hole.

thomastjeffery8y ago

Then you better remember the password you set, or be sure that you will always have sudo access.

tekacs8y ago

And you might want to disable the root account again with `dsenableroot -d` as well, so that the root account stays disabled after the vulnerability is patched.

Unlike doing this through the GUI, this seems to retain the root password and prevent this vuln from re-occuring.

LeoPanthera8y ago

Don't disable root. The bug re-enables it with a new blank password.

1 more reply

skygazer8y ago

As far as I can tell, "dsenableroot -d" seems to have no useful effect. After having "* Successfully disabled root user." with it, I can still log in to the root account with the password I set, both at the command line with "login" and from a remote machine via screen sharing.

To be flippant, I might say HN discussions seem to QA using Apple methods.

DavideNL8y ago

...unless you set a password, right?

mcintyre19948y ago

I haven't upgraded to High Sierra yet and this doesn't happen on my install atm. Does adding a password to the root user stop this vulnerability? If it does then that seems way better than disabling the account until this is fixed.

j / k navigate · click thread line to collapse

0 comments

LeoPanthera8y ago

You can simply set a root password with "sudo passwd" to close the hole.

thomastjeffery8y ago

Then you better remember the password you set, or be sure that you will always have sudo access.

tekacs8y ago

And you might want to disable the root account again with `dsenableroot -d` as well, so that the root account stays disabled after the vulnerability is patched.

Unlike doing this through the GUI, this seems to retain the root password and prevent this vuln from re-occuring.

LeoPanthera8y ago

Don't disable root. The bug re-enables it with a new blank password.

1 more reply

skygazer8y ago

To be flippant, I might say HN discussions seem to QA using Apple methods.

DavideNL8y ago

...unless you set a password, right?

mcintyre19948y ago

j / k navigate · click thread line to collapse