undefined | Better HN

0 pointsJedd8y ago0 comments

Not the case.

Once you enable root access - by 'testing' this - others can remotely & silently access the system as root.

GP is right - don't encourage people to test this, as there's nothing to gain from it. If you're on a shared machine you need to mitigate. If you're on your own dedicated machine you need to not share it until this is fixed.

0 comments

thomastjeffery8y ago

> others can remotely & silently access the system as root.

They already can:

https://gfycat.com/gifs/detail/sentimentalnaiveantelopegroun...

sitharus8y ago

This does not work if the root user has not been enabled locally.

Source: Just tried it myself.

tekacs8y ago

Even if you're on a dedicated machine, this vulnerability enables a local user to bypass the authentication prompt on things like System Preferences or other auth checks.

I'm advising folks (incl. non-tech) to set a root password and then re-disable the account (specifically via shell), which prevents this from re-occuring:

https://www.facebook.com/amar.sood/posts/10209545863036116

ztjio8y ago

Uh I tested redisabling the root account and it reenabled the flaw. You have to keep the root account enabled.

tekacs8y ago

See https://news.ycombinator.com/item?id=15802113

biktor_gj8y ago

No, root is root and has always been there. It's the super user account and cannot be removed, I think, from any modern unix like os (well, you can rename it to whatever you want in linux but UID 0 will always be there). The difference might be that if you do log in for the first time you will have lots of stuff on /private/var/root (talking from memory but it was something like that in OSX) and lots of preferences will be set, maybe even a /Users/root folder I hope that the SSH server, which is disabled by default, will also handle root login in a sensible way, but given the size of the f* up, I'm not so sure.

Really bad stuff

ztjio8y ago

Root can absolutely be disabled. OS X normally runs rootless. This vulnerability actually both gives access AND enables that disabled root account in one action. From that point on, root is active with no password regardless of how you authenticate whereas the initial issue is only on password GUI screens.

biktor_gj8y ago

No, by default, root has an undefined password and cannot log in from a terminal or ssh, but that doesn't mean it doesnt exist. If you make a SSH key for the root user and place it on his folder you wont need to set up a password and will be able to login just fine as UID 0. If you do 'sudo -s' as an administrator and then run 'passwd' to set the root passwd, you're not magically creating a root account, you're only changing the settings for that user, but it was already there

djrogers8y ago

> Once you enable root access - by 'testing' this - others can remotely & silently access the system as root.

That's not accurate. The user appears to be there either way, but attempting to log in to a machine remotely using 'root' and no password does not work - even after doing the preference pane thing...

JeddOP8y ago

I don't have access to a vulnerable machine -- just going by comments in the other HN thread.

root account is 'there' all the time, yes. This process enables the account proper (rather than just sudo). Evidently some remote mechanisms using root work after the account is enabled.

geoelectric8y ago

Wonder if people tried screen share/vnc with that theory. I'd suspect anything gui-driven.

j / k navigate · click thread line to collapse

0 comments

thomastjeffery8y ago

> others can remotely & silently access the system as root.

They already can:

https://gfycat.com/gifs/detail/sentimentalnaiveantelopegroun...

sitharus8y ago

This does not work if the root user has not been enabled locally.

Source: Just tried it myself.

tekacs8y ago

Even if you're on a dedicated machine, this vulnerability enables a local user to bypass the authentication prompt on things like System Preferences or other auth checks.

I'm advising folks (incl. non-tech) to set a root password and then re-disable the account (specifically via shell), which prevents this from re-occuring:

https://www.facebook.com/amar.sood/posts/10209545863036116

ztjio8y ago

Uh I tested redisabling the root account and it reenabled the flaw. You have to keep the root account enabled.

tekacs8y ago

See https://news.ycombinator.com/item?id=15802113

biktor_gj8y ago

Really bad stuff

ztjio8y ago

biktor_gj8y ago

djrogers8y ago

> Once you enable root access - by 'testing' this - others can remotely & silently access the system as root.

That's not accurate. The user appears to be there either way, but attempting to log in to a machine remotely using 'root' and no password does not work - even after doing the preference pane thing...

JeddOP8y ago

I don't have access to a vulnerable machine -- just going by comments in the other HN thread.

root account is 'there' all the time, yes. This process enables the account proper (rather than just sudo). Evidently some remote mechanisms using root work after the account is enabled.

geoelectric8y ago

Wonder if people tried screen share/vnc with that theory. I'd suspect anything gui-driven.

j / k navigate · click thread line to collapse