MacOS – How to ensure that the macOS root account bug is fully fixed on the machine


There has been a large amount of confusion around Security Update 2017-001, especially due to rumors of the fix being reverted when running macOS version 10.13.1.

I am looking for a way to be fully sure that my Mac is protected. In this question I'll detail the steps I followed in trying to ensure that my device is secure, and note the conflicting information I have found which points to no precise answer.


Looking at the end of Apple's support page related to this update, I see:

[If] you see MRTConfigData 1.27 in the Installations list under
Software in System Report, your Mac is also protected.

Under Software in System Report, the latest version I see of MRTConfigData is 1.26 dated December 1, 2017.


The second part of this paragraph also notes:

  1. Open the Terminal app, which is in the Utilities folder of your Applications folder.
  2. Type what /usr/libexec/opendirectoryd and press Return.
  3. If Security Update 2017-001 was installed successfully, you will see one of these project version numbers:
    opendirectoryd-483.1.5 on macOS High Sierra 10.13
    opendirectoryd-483.20.7 on macOS High Sierra 10.13.1

Running the above command correctly lists PROJECT:opendirectoryd-483.20.7 on my machine, which is indicated by Apple as the correct version.


If I attempt to reproduce the original bug by going to Preferences > Users & Groups, then clicking the lock icon and trying to log in as root using an empty password multiple times, the login dialog does not let me through.

The fact that I won't be allowed to log in as root no matter how many times I try gives me an indication that the issue might indeed be solved, but I am still receiving conflicting information about this from my system.

[Image: login as root]


In Directory Utility, when I open the Edit menu, I see the option Enable Root User. This tells me that the root user is currently disabled, which as far as I know is one of the conditions for triggering the bug: the root account gets enabled once you attempt to log in with it once, and then works without a password.

[Image: Edit menu in Directory Utility]


Lastly, what is most suspicious is that in Directory Utility, when I search for root in Directory Editor, the root user account is listed with a password of *. Unless it is a placeholder for any password, this looks suspiciously similar to a one-character (or even empty) password. I am confused whether this means that a password for this account is set at all.

[Image: root password]


How can I conclusively determine whether the root account issue is fully solved on my computer?
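The opendirectoryd version check quoted above from Apple's support page can be scripted; the following is an added example, not part of the original question or Apple's instructions. It assumes the `what` output contains a `PROJECT:opendirectoryd-<version>` token as reported in the question, and it knows only the two reference values quoted on this page; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: compare the opendirectoryd project version against the
# values Apple lists for Security Update 2017-001 (as quoted on this page).

# expected_project OSVERSION -> prints the patched project string, or fails
# for a macOS version this page gives no reference value for.
expected_project() {
    case "$1" in
        10.13)   echo "opendirectoryd-483.1.5" ;;
        10.13.1) echo "opendirectoryd-483.20.7" ;;
        *)       return 1 ;;
    esac
}

# project_from_what TEXT -> extracts "opendirectoryd-<version>" from `what` output
project_from_what() {
    printf '%s\n' "$1" |
        sed -n 's/.*PROJECT:\(opendirectoryd-[0-9.]*\).*/\1/p' | head -n 1
}

# check_patch OSVERSION WHAT_OUTPUT -> prints a verdict.
# Exit status: 0 = version matches, 1 = mismatch, 2 = cannot tell.
check_patch() {
    want=$(expected_project "$1") || {
        echo "unknown: no reference value for macOS $1"; return 2; }
    have=$(project_from_what "$2")
    if [ -z "$have" ]; then
        echo "unknown: no PROJECT line in what output"; return 2
    fi
    if [ "$have" = "$want" ]; then
        echo "patched: $have matches macOS $1"; return 0
    fi
    echo "not patched: found $have, expected $want for macOS $1"; return 1
}

# On a Mac, run the real check; on other systems this part is skipped.
if command -v sw_vers >/dev/null 2>&1 && command -v what >/dev/null 2>&1; then
    check_patch "$(sw_vers -productVersion)" \
                "$(what /usr/libexec/opendirectoryd)" || true
fi
```

A mismatch on 10.13.1 (for example, the 10.13 value still present after upgrading) is the case the rumors in the question describe; a match confirms only the binary version that Apple's check looks at.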

Best Answer

You can't at this point. The security patch only runs once and Apple hasn't released a new full point installer that guarantees you're patched.

What you can do is set a secure root password, watch for login attempts and successes, and disable sharing until Apple releases a full OS point release with no need for a Security patch to be put on top of one or more unpatched full point releases.

My answer here stands:

If you can’t install the official patch or don't want to trust that it worked, then

You don't want to disable root user on High Sierra only.

To secure your Mac, enable root with a long secure password.

We are not changing this at work until the next full point release is out for macOS, which would likely be 10.13.2.

I reason that since this was a race condition and Apple pushed the patch so quickly - we're pretty sure it's solid, but what if you got the patch before you upgraded to 10.13.1 and now it needs that patch a second time, or what if the installer didn't really do its job. Low chance either happened, but only you know how bad a breach would be on your computer with someone having total control.