Category: Apple/Mac (page 1 of 59)

OS X operating system, Apple Mac apps, Mac OS X Server, iOS Devices; iPhone & iPads, Apple Watch, Apple Computers; MacBook, iMac, Mac Pro, Mac mini, Apple Accessories; AirPort, Time Capsule, Apple display

High Sierra security flaw – Root password? Where we’re going we don’t need root password!

Versions 10.13 and 10.13.1 of Apple’s High Sierra Mac operating system have a major flaw that makes it possible to completely bypass all security features.  This can be exploited from the login window or any authentication prompt, if “root” is entered for the username and the password is left blank.  After this has been done, the Mac can be accessed as root without a password either locally or remotely via the command line.

While this is an unprecedented Apple security bug, the risk is minimal for most Mac users.  Here’s my need-to-know assessment:

  • Physical access to the Mac is required to “activate” this vulnerability*
  • News of this bug went viral on 11/28/17
  • In less than 24 hours Apple released a patch to fix it: Security Update 2017-001

*The ability to access the Mac as root without a password is one that requires “activation”, and by activation I mean someone with physical access to the Mac would first need to actually enter “root” for the username at the login window or authentication prompt, click into the blank password field, and attempt to continue multiple times (the first few will fail).  If this hasn’t previously been done, the Mac is safe from this bug.

Now that this flaw is public knowledge, Macs running High Sierra 10.13 or 10.13.1 should have Security Update 2017-001 applied ASAP.  While the threat is limited in scope, it makes publicly accessible unpatched Macs a prime target.  Once macOS 10.13.2 is released this will all be water under the bridge, because Apple rolls previous security patches into macOS updates.

A few additional items of note:

  • This can only potentially affect Macs that have never had the root user enabled.
  • The Security Update 2017-001 will disable the root user if it has been enabled in the past.  Apple’s instructions for enabling/re-enabling the root user are posted here.
  • There are reports of the Security Update 2017-001 breaking file sharing.  This is limited to Macs running High Sierra 10.13.1, sharing out files via SMB to other Macs. 12/1/17 UPDATE: Apple has posted a fix for this problem.
  • This flaw is not limited to root; it also extends to other faceless user accounts like guest, _applepay, and _uucp.  See this Objective-See blog post for more details on the underlying cause, including what Apple did wrong.
  • Apple has released a followup statement that includes: “We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again.”
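
A triage helper for the checks described above, added here as an example (it is not from the original post or from Apple): it flags Macs on the affected versions and any of the named accounts that are enabled without an admin having enabled them. The `;ShadowHash;` heuristic for reading a `dscl` record, the verdict labels, and the sample records are assumptions made for this example.

```shell
#!/bin/sh
# Added example: triage helper for the blank-password root flaw.

# Versions the post lists as affected (sw_vers -productVersion strings).
is_affected_version() {
    case "$1" in
        10.13|10.13.1) return 0 ;;
        *) return 1 ;;
    esac
}

# $1 = text of `dscl . -read /Users/NAME`. Assumption: an account with a
# usable password carries a ;ShadowHash; authority, a disabled one does not.
# An empty record (account not present) is classed as disabled.
account_state() {
    if printf '%s\n' "$1" | grep -q ';ShadowHash;'; then
        echo enabled
    else
        echo disabled
    fi
}

# $1 = macOS version, $2 = "yes" if an admin enabled the account on purpose,
# $3 = dscl record text. Labels are hypothetical names for this example.
assess() {
    if ! is_affected_version "$1"; then
        echo not-affected-version
    elif [ "$(account_state "$3")" = enabled ] && [ "$2" != yes ]; then
        echo investigate        # enabled, but nobody meant to enable it
    else
        echo confirm-update     # verify Security Update 2017-001 is applied
    fi
}

# Constructed sample records, not captured from a real Mac.
SAMPLE_DISABLED='RecordName: root
UniqueID: 0
Password: *'
SAMPLE_ENABLED='RecordName: root
UniqueID: 0
Password: ********
AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'

if command -v dscl >/dev/null 2>&1 && command -v sw_vers >/dev/null 2>&1; then
    ver=$(sw_vers -productVersion)
    for acct in root guest _applepay _uucp; do
        echo "$acct: $(assess "$ver" no "$(dscl . -read "/Users/$acct" 2>/dev/null)")"
    done
else
    echo "sample: $(assess 10.13.1 no "$SAMPLE_ENABLED")"
fi
```

On a Mac where root was enabled deliberately, pass `yes` as the second argument to `assess` so that account is not reported for investigation.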

OWC Aura High Sierra firmware install workaround

If a Mac has been upgraded with an OWC Aura SSD, the High Sierra install may fail, erroring out with: “macOS could not be installed on your computer.  An error occurred while verifying firmware.”

OWC claims this is limited to certain model MacBook Airs and Mac Pros, but owners of MacBook Pros have also reported the problem.  See this OWC blog post for more information.  They are working with Apple towards a fix.

If you have an OWC Aura SSD and are dead set on installing High Sierra, there is a confirmed workaround.  Temporarily replace the Aura SSD with the original Apple storage, boot from the Apple storage, then install High Sierra.  The High Sierra install will automatically apply the needed firmware update.  Afterwards, replace the original Apple storage with the Aura SSD, boot from the Aura SSD, then install High Sierra.

Supporting High Sierra – the APFS Entanglement

Things have suddenly become more complex when supporting Macs, thanks to High Sierra’s semi-adoption of the new Apple File System, otherwise known as APFS.

For over 30 years all Macs have used Apple’s HFS file system, which last underwent changes in 1998 when HFS+ was introduced (a.k.a. Mac OS Extended).  A file system is the behind-the-scenes mechanism controlling how a volume is formatted, and how the operating system stores or retrieves data.  HFS+ was also the base file system for iOS, tvOS, and watchOS.

APFS is Apple’s replacement for the aging HFS+ file system.  APFS offers many long-awaited improvements including: Support for snapshots, native full disk encryption, delta based file copy (copies of files don’t occupy additional storage space), advanced crash protection, and shared space across multiple volumes.

HFS+ volumes can be converted to APFS, but they can’t be converted back.  Any iPhone or iPad running iOS 10.3 or later has already had its storage converted to APFS.  The same is true with any recently updated Apple TV or Apple Watch.

I believe APFS will ultimately improve all things Apple, but mark my words… From a Mac troubleshooting and support perspective, APFS is the biggest change Apple has made since switching from PowerPC to Intel processors.  It adds a layer of complexity to supporting Macs unlike any other.

Mac savvy engineers should know the following about APFS:

  1. High Sierra only converts SSD boot volumes to APFS; HDDs and Fusion Drives are not converted
  2. Because High Sierra can run on either APFS or HFS+, determining the file system has become an important troubleshooting step
  3. APFS volumes cannot be used for Time Machine backups
  4. AFP file shares cannot be created on an APFS volume
  5. External drives formatted as APFS cannot be mounted on Macs running Mac OS 10.11 or older

Warning: Apple Server 5.4 removes file sharing

Server 5.4 was recently released, which requires Mac OS 10.13 or later.  Older versions of the Server app won’t run on High Sierra, so if you upgrade a Mac “server” to 10.13, you must additionally upgrade the Server app to 5.4.

As crazy as it may sound, Apple has removed many core features in Server 5.4, including: File sharing, Caching server, Time Machine backup server, FTP sharing, and Xcode Server.

Yes, you heard me right, Server 5.4 no longer provides the option to set up network file shares!

Furthermore, if you had previously set up the Server app to serve out these features that were removed, then upgrade to High Sierra and Server 5.4… too bad, you lose!

Apple is downplaying this change, dismissing most of it as a side note saying “Caching Server, Time Machine Server, and File Sharing advanced options are now built directly into macOS”.  This translates to the Sharing system preference pane in High Sierra having a few new features.  It now includes an option for enabling a Content Caching service, plus a non-intuitive process* has been added for configuring a network Time Machine destination or advanced file sharing.

So that’s it for me, Macs are officially out of the game when it comes to file servers.  Apple has further pushed themselves away from this segment of the Enterprise market. The Server app has become a tool targeted at Profile Management (pushing configuration profiles to iOS devices).

*I’m not recommending a Mac running High Sierra be utilized as a file server or network Time Machine destination, but the process for accessing these configuration options is worth sharing.  From within the Sharing system preference pane, enable file sharing and add a shared folder.  Now control-click on that shared folder and select Advanced Options from the contextual menu.

History lesson
Apple’s last server operating system was Mac OS X Server 10.6.  Back in the late 2000s this was a robust server offering, and it came with a price tag of $999 for an unlimited license (then you had to spend 2-4k for an Xserve to run it on!).

In 2012 Apple introduced their $19.99 Server app, which can be installed on any Apple hardware including Mac minis.  The capabilities of the Server app were diminished, and it was clear that Apple had removed themselves from the Enterprise server market.

Apple’s $19.99 Server app has been upgraded over the years, and some features were dropped along the way (like Workgroup Manager support in Server 4).  Even so, if properly configured the Server app could do one thing well… share files out over the AFP protocol to a small group of Macs.

The Server app could also perform a lot of other “server” functions too, like mail or DHCP services, but personally I rarely recommended these capabilities because I felt they were afterthoughts and not well supported by Apple.  My mentality was “you get what you pay for”, so getting a solid Mac file server for less than $20 was pushing things anyway.

R.I.P. Office for Mac 2011 – No High Sierra Support from Microsoft

Microsoft Office for Mac 2011 has officially reached end of life, and Microsoft is no longer supporting or updating it.

Furthermore, Microsoft has stated that Office 2011 apps have not been tested with Mac OS 10.13, and that users should upgrade to Office 2016 for High Sierra compatibility.  While Office 2011 apps may appear functional to one degree or another after upgrading to Mac OS 10.13, it is not a supported configuration, and should be considered use-at-your-own-risk.

High Sierra APFS conversion formula

Upon installing High Sierra, if the boot volume is an SSD it will be automatically converted to the APFS format.  If the boot volume is an HDD or Apple Fusion Drive, it will not be converted and will remain formatted as HFS+ (Mac OS Extended).

SSD is any solid-state drive (a.k.a. flash based storage), HDD is a traditional spinning hard drive, and Apple Fusion Drives are a combination of the two.

This means that depending on the Mac’s hardware configuration, High Sierra may be running on either APFS or HFS+.

There is no way to opt-out of 10.13’s APFS conversion of SSD boot volumes, and both Apple OEM and internal after-market SSDs are treated the same.  If everything goes smoothly, no data is lost during this conversion.

If the Mac has additional internal or external volumes, they will not be converted to APFS during the High Sierra install, even if they are SSD.

Apple has also committed to making APFS work with Fusion Drives in the near future.  When this happens a High Sierra update will likely also convert them.

HDDs can manually be converted to APFS, but beta testers have reported poor speed and boot volume stability.  It is unknown if Apple will be able to address this in the future.

Checking volume format for APFS or HFS+

In High Sierra you can easily determine if a volume is formatted as APFS or HFS+ (Mac OS Extended) by using the Finder to highlight the volume name, then click on File->Get Info, and see what’s listed as the Format.

Determining the format type is an important High Sierra troubleshooting step, because depending on the hardware configuration some Macs running 10.13 will be booted from APFS and others will be booted from HFS+.  These file systems are very different under-the-hood, and apps may exhibit problems with one but not the other.  For example, the automatic backup option in Quicken 2007 is reported to fail with APFS, but works with HFS+.

Time Machine can’t back up to APFS

Time Machine only supports backing up to locally connected volumes formatted as HFS+ (Mac OS Extended).  If you attempt to select an APFS volume in High Sierra as the Time Machine backup destination, you will be prompted to erase the drive because “it has an incompatible file system”.  Erasing/re-initializing is the only way to change from APFS back to HFS+.

APFS drops support for AFP shares

If you turn on File Sharing (from the Sharing system preference pane) on a Mac running High Sierra, and select a folder to share that resides on an APFS-formatted volume, it can only be shared out as SMB.  Selecting a folder to share that resides on an HFS+ formatted volume will allow it to be shared as either AFP or SMB.

Illustrator issues with High Sierra

Adobe has posted a list of known issues with Illustrator (CC 2017.1 or earlier) and Mac OS 10.13 High Sierra.  Problems currently include screen rendering glitches with some GPU cards and unexpected behavior when using the Color Settings dialog box.  These issues will be addressed in a future Illustrator CC 2017 update.

© 2018 ATS Blog