Kitz ADSL Broadband Information

Author Topic: Mac OS root login  (Read 3594 times)

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Mac OS root login
« on: November 29, 2017, 09:40:05 AM »

Posted in 'News', rather than 'Apple', as I think it will be of interest/amusement to non-Apple users too.

http://www.bbc.co.uk/news/technology-42161823

I just tried it, and it works. Don't know why BBC say you have to "hit enter a few times", which makes it sound more subtle than it is; hitting enter just the once suffices, as with any other login.

Ooooops.  ::)
Logged

broadstairs

  • Kitizen
  • ****
  • Posts: 3700
Re: Mac OS root login
« Reply #1 on: November 29, 2017, 09:51:14 AM »

I just saw this on Victoria Derbyshire with Rory Cellan-Jones. How on earth can this happen - have they not heard of testing before release? Does not happen on any of my Linux systems  ;D

Stuart
Logged
ISP:Vodafone Router:Vodafone Wi-Fi hub FTTP

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Re: Mac OS root login
« Reply #2 on: November 29, 2017, 10:49:04 AM »

> I just saw this on Victoria Derbyshire with Rory Cellan-Jones. How on earth can this happen - have they not heard of testing before release? Does not happen on any of my Linux systems  ;D

Good question!

I don't think Root ever had a password by default on Mac OS, it was just rendered inaccessible by default. You couldn't log in directly as Root and if you wanted to do something as Root from the command line, you used 'sudo', and confirmed with your own user password. You could manually enable Root, and assign a password, after which you could log in from the GUI or su from the command line, but enabling Root involved a few non-obvious steps. High Sierra seems to have Root enabled by default (though interestingly, su from the command line does not seem to work with the default configuration).

Another thing that seems to have changed is, on the main login GUI, in addition to icons for each configured user there is one called 'other' which allows you to log in by typing a user name, including Root. I don't think 'other' was present on the login GUI before, even with Root enabled, but not certain.

Pure speculation, but this new configuration would be very useful to Apple developers and testers pre-release, as it would allow them to sometimes rescue a damaged system.   Don't suppose it was enabled temporarily during dev, and they just forgot to disable it before release?     :-\

Thought some of you'd be amused though, including you, Stuart.    ;)
Logged

broadstairs

  • Kitizen
  • ****
  • Posts: 3700
Re: Mac OS root login
« Reply #3 on: November 29, 2017, 11:11:23 AM »

I am very reluctant to use or configure sudo. Ubuntu and its derivatives use sudo and have root disabled by default, IMHO a very bad way to go. Much better to have root available, maybe set it to not be available as a login user, and then make sure you set a password for root which is difficult to guess. Using sudo with user's p/w by default is I think a bad way to go. Same applies to the wheel group I think because it only uses the user p/w.

Stuart

PS I actually think they probably made a change, the result of which was allowing this root access, and it is unlikely to be deliberate; however, because of the power of root it is quite astonishing they don't test it thoroughly.
Logged
ISP:Vodafone Router:Vodafone Wi-Fi hub FTTP

Bowdon

  • Content Team
  • Kitizen
  • *
  • Posts: 2395
Re: Mac OS root login
« Reply #4 on: November 29, 2017, 11:19:42 AM »

I like how the BBC tells everyone how to do it  ::)
Logged
BT Full Fibre 500 - Smart Hub 2

broadstairs

  • Kitizen
  • ****
  • Posts: 3700
Re: Mac OS root login
« Reply #5 on: November 29, 2017, 11:33:12 AM »

> I like how the BBC tells everyone how to do it  ::)

Well it was on a public forum so not really a secret anyway.

Stuart
Logged
ISP:Vodafone Router:Vodafone Wi-Fi hub FTTP

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Re: Mac OS root login
« Reply #6 on: November 29, 2017, 11:41:02 AM »

Worth bearing in mind, unless encryption is used, unrestricted access to the filestore of any PC to which you have physical access is trivially easy, be it Unix, Linux or Windows. You just remove or copy the disks, and mount them elsewhere.

With that in mind, I know a few knowledgeable experts who knowingly set Root password to ‘blank’ on Linux and Unix boxes, on the basis that the security it provides is just an illusion. Personally I do set a password.
Logged

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Re: Mac OS root login
« Reply #7 on: November 29, 2017, 11:54:48 AM »

Interesting that the story seems to have broken as a result of a seemingly innocent character, casually offering it as a solution to a problem on a forum, blissfully unaware of the gravity of his ‘discovery’.  ::)

https://forums.developer.apple.com/thread/79235#

Logged

petef

  • Reg Member
  • ***
  • Posts: 135
Re: Mac OS root login
« Reply #8 on: November 29, 2017, 11:59:23 AM »

Here is a revised suggestion for Apple to use
Logged

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33884
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: Mac OS root login
« Reply #9 on: November 29, 2017, 12:33:47 PM »

Not amused.   Just shows that no system is infallible.  This one is a bit of a big oopsie though :(
Logged

jelv

  • Helpful
  • Kitizen
  • *
  • Posts: 2054
Re: Mac OS root login
« Reply #10 on: November 29, 2017, 01:26:23 PM »

Can you imagine what Apple would have had to say if it was Microsoft that made a similar error?
Logged
Broadband and Line rental: Zen Unlimited Fibre 2, Mobile: Vodaphone
Router: Fritz!Box 7530

licquorice

  • Reg Member
  • ***
  • Posts: 977
Re: Mac OS root login
« Reply #11 on: November 29, 2017, 01:48:15 PM »

> I am very reluctant to use or configure sudo. Ubuntu and its derivatives use sudo and have root disabled by default, IMHO a very bad way to go. Much better to have root available, maybe set it to not be available as a login user, and then make sure you set a password for root which is difficult to guess. Using sudo with user's p/w by default is I think a bad way to go. Same applies to the wheel group I think because it only uses the user p/w.
>
> Stuart

With sudo the hacker needs to know 2 variables, username and password. With root, only the password is needed.
Logged

broadstairs

  • Kitizen
  • ****
  • Posts: 3700
Re: Mac OS root login
« Reply #12 on: November 29, 2017, 03:55:24 PM »

> With sudo the hacker needs to know 2 variables, username and password. With root, only the password is needed.

Yes but a user name is easy to get. Guessing my root password at 20 characters is far more problematic.

Stuart
Logged
ISP:Vodafone Router:Vodafone Wi-Fi hub FTTP

stevebrass

  • Reg Member
  • ***
  • Posts: 261
Re: Mac OS root login
« Reply #13 on: November 29, 2017, 04:37:01 PM »

Dear me. What a mess.

But on my machine on logging in from start up or sleep I don't get the chance to enter a username. I don't have the guest account enabled either.

So in this case would this only be exploitable if my machine was left logged on?



Logged
Netgear Orbi; BT FTTP with Smart Hub 2

licquorice

  • Reg Member
  • ***
  • Posts: 977
Re: Mac OS root login
« Reply #14 on: November 29, 2017, 05:05:31 PM »

> Yes but a user name is easy to get. Guessing my root password at 20 characters is far more problematic.
>
> Stuart

Yes, but no username is even easier and username + 20 character password is even harder.
Logged