
Looks like changing root’s password blocks the exploit but if you disable the root user, it re-enables the exploit.

Protect yourself by changing root’s password: ⌘ (Command) + Space, Directory Utility, click the lock and enter your password, Edit -> Change Root Password…, then do NOT disable Root User.

Or open a terminal and do:

    sudo passwd


> click the lock and enter your password

or just enter root with no password


Ha, ya. That way you know it's still needed!


Disabling the root user again with

    dsenableroot -d

does not re-enable the exploit


    sudo passwd

Does that change the password for the current user without authentication, or does it change the password for root without authentication?

I think it would be best to recommend an unambiguous

    sudo passwd root


"sudo foo" with no other arguments runs "foo" as root. "passwd" with no other arguments changes the password of the user it is running as.

"sudo passwd" unambiguously changes the password of root.



