
Do note that this doesn't fix the problem. The system (at least High Sierra) will happily re-enable the user for every attempt at logging in.


Just change the root password once the account is enabled; this fixes the hole.

    sudo passwd -u root

It's sad we have to do this, though.


If you disable the root user using `dsenableroot -d` from the Terminal, this seems to disable the account in a way that leaves its password intact.


The bug isn't in the disabling, it's in the auto-enabling on attempt.


Having tested this by both approaches (disabling through GUI & shell), the above (through shell) seems to prevent this from re-occurring when you attempt to perform this bogus login again. Disabling the account via the GUI causes the failure to re-occur.



