{"id":967,"date":"2017-11-29T13:09:47","date_gmt":"2017-11-29T11:09:47","guid":{"rendered":"http:\/\/osxadmin.cz\/?p=967"},"modified":"2021-01-10T17:43:10","modified_gmt":"2021-01-10T15:43:10","slug":"chyba-iamroot-v-macos-10-13-high-sierra","status":"publish","type":"post","link":"https:\/\/macadmin.cz\/?p=967","title":{"rendered":"Chyba #iamroot v macOS 10.13 High Sierra"},"content":{"rendered":"<p>Opera\u010dn\u00ed syst\u00e9m macOS 10.13 High Sierra obsahuje z\u00e1va\u017enou bezpe\u010dnostn\u00ed chybu, kdy jak\u00fdkoliv u\u017eivatel (je jedno zda standardn\u00ed nebo administr\u00e1tor) m\u016f\u017ee nastavit heslo jin\u00e9mu u\u017eivateli, kter\u00fd \u017e\u00e1dn\u00e9 heslo nastaven\u00e9 nem\u00e1. Takov\u00fdm u\u017eivatelem je i super u\u017eivatel <code>root<\/code>, pod kter\u00fdm se prov\u00e1d\u00ed nap\u0159\u00edklad instalace nov\u00fdch syst\u00e9mov\u00fdch slu\u017eeb.<\/p>\n<p><strong>Update:<\/strong><br \/>\nApple vydal aktualizaci <a href=\"https:\/\/support.apple.com\/en-us\/HT208315\">Security Update 2017-001<\/a> (<a href=\"https:\/\/support.apple.com\/kb\/DL1942?viewlocale=en_SG&amp;locale=en_SG\">download<\/a>) opravuj\u00edc\u00ed chybu. Tato aktualizace nevy\u017eaduje restart a bude nainstalov\u00e1na na pozad\u00ed bez v\u011bdom\u00ed u\u017eivatele, pokud je v System Preferences -&gt; App Store nastavena automatick\u00e1 instalace syst\u00e9mov\u00fdch soubor\u016f a bezpe\u010dnostn\u00edch aktualizac\u00ed. Prvn\u00ed vyd\u00e1n\u00ed aktualizace (aktualizuje macOS na verzi 17B1002) mohlo v macOS rozb\u00edt slu\u017ebu sd\u00edlen\u00ed soubor\u016f. Apple vydal n\u00e1vod na <a href=\"https:\/\/support.apple.com\/en-us\/HT208317\">opravu<\/a> a n\u00e1sledn\u011b aktualizaci nahradil novou verz\u00ed (-&gt; macOS 17B1003), kter\u00e1 probl\u00e9m se sd\u00edlen\u00edm \u0159e\u0161\u00ed.<br \/>\n<!--more--><\/p>\n<p>U\u017eivatel <code>root<\/code> na macOS standardn\u011b nen\u00ed zapnut\u00fd (nelze se za n\u011bj p\u0159ihl\u00e1sit). Zap\u00edn\u00e1 se pr\u00e1v\u011b nastaven\u00edm hesla, ale tuto mo\u017enost maj\u00ed pouze \u00fa\u010dty administr\u00e1tor\u016f a syst\u00e9m si p\u0159ed \u00fakonem vy\u017e\u00e1d\u00e1 jejich heslo. Chyba umo\u017e\u0148uje jak\u00e9mukoliv u\u017eivateli nastavit rootovi libovoln\u00e9 heslo.<\/p>\n<p>Posti\u017een\u00e9 verze macOS 10.13 High Sierra jsou:<\/p>\n<ul>\n<li>10.13.0<\/li>\n<li>10.13.1<\/li>\n<li>10.13.2 beta verze vydan\u00e9 p\u0159ed 29.11.2017<\/li>\n<\/ul>\n<p>Na soci\u00e1ln\u00edch s\u00edt\u00edch se \u00fatok diskutuje post hashtagem <code>#iamroot<\/code>.<\/p>\n<h2>Princip \u00fatoku<\/h2>\n<ol>\n<li>Libovoln\u00fd u\u017eivatel na Macu vyvol\u00e1 autentiza\u010dn\u00ed dialog. Nap\u0159\u00edklad v System Preferences -&gt; Security &amp; Privacy klepne na ikonu z\u00e1mku.<\/li>\n<li>Do pol\u00ed\u010dka u\u017eivatele zad\u00e1 jm\u00e9no u\u017eivatele <code>root<\/code> a do pol\u00ed\u010dka hesla nap\u00ed\u0161e libovoln\u00e9 heslo (m\u016f\u017ee b\u00fdt i pr\u00e1zdn\u00e9) a klepne na Unlock.<\/li>\n<li>Na prvn\u00ed pokus nedojde k autorizaci (okno se zat\u0159epe), ale kv\u016fli chyb\u011b v syst\u00e9mu je rootovi zadan\u00e9 heslo nastaveno.<\/li>\n<li>Na druh\u00fd pokus se stejn\u00fdm heslem ji\u017e k autorizaci dojde a je mo\u017en\u00e9 m\u011bnit chr\u00e1n\u011bn\u00e1 nastaven\u00ed.<\/li>\n<li>Nyn\u00ed se lze za u\u017eivatele <code>root<\/code> na po\u010d\u00edta\u010di p\u0159ihl\u00e1sit, jak lok\u00e1ln\u011b na Macu, tak p\u0159es s\u00ed\u0165 vzd\u00e1lenou plochou (pokud je zapnut\u00e1).<\/li>\n<\/ol>\n<p>\u00datok lze prov\u00e9st i pomoc\u00ed dal\u0161\u00edch n\u00e1stroj\u016f jako <code>su<\/code> \u010di <code>dscl<\/code> na p\u0159\u00edkazov\u00e9 \u0159\u00e1dce nebo Apple skriptu spou\u0161t\u011bn\u00e9ho s root privilegii.<\/p>\n<p><a href=\"http:\/\/osxadmin.cz\/wp-content\/uploads\/root-copy.png\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/osxadmin.cz\/wp-content\/uploads\/root-copy.png\" alt=\"\" width=\"1000\" height=\"437\" class=\"aligncenter size-full wp-image-975\" srcset=\"https:\/\/macadmin.cz\/wp-content\/uploads\/root-copy.png 1000w, https:\/\/macadmin.cz\/wp-content\/uploads\/root-copy-300x131.png 300w, https:\/\/macadmin.cz\/wp-content\/uploads\/root-copy-768x336.png 768w, https:\/\/macadmin.cz\/wp-content\/uploads\/root-copy-144x63.png 144w\" sizes=\"auto, (max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 543px, 580px\" \/><\/a><\/p>\n<h2>D\u016fsledky<\/h2>\n<p>Pokud se \u00fato\u010dn\u00edkovi poda\u0159\u00ed na Macu spustit jeho program vyu\u017e\u00edvaj\u00edc\u00ed tuto chybu, extr\u00e9mn\u011b snadno z\u00edsk\u00e1 vzd\u00e1len\u00fd p\u0159\u00edstup k po\u010d\u00edta\u010di.<\/p>\n<h2>\u0158e\u0161en\u00ed<\/h2>\n<p>Dokud Apple chybu neoprav\u00ed, d\u00e1vejte si extr\u00e9mn\u00ed pozor na stahov\u00e1n\u00ed a spou\u0161t\u011bn\u00ed aplikac\u00ed mimo Mac App Store. Rovn\u011b\u017e je velmi nebezpe\u010dn\u00e9 otev\u00edrat jak\u00e9koliv soubory z podez\u0159el\u00fdch zdroj\u016f jako p\u0159\u00edloha emailu z nezn\u00e1m\u00e9\/podez\u0159el\u00e9 adresy \u010di soubor sta\u017een\u00fd z pochybn\u00e9ho webu).<\/p>\n<p>\u00datoku na super u\u017eivatele bez hesla m\u016f\u017eeme p\u0159edej\u00edt t\u00edm, \u017ee mu nastav\u00edme siln\u00e9 heslo my. Pod \u00fa\u010dtem administr\u00e1tora pou\u017eijte p\u0159\u00edkaz dscl:<\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\ndscl . -passwd \/Users\/root\n<\/pre>\n<p>Jako nov\u00e9 heslo (New Password) zadejte dostate\u010dn\u011b siln\u00e9 heslo (viz n\u00ed\u017ee). Po vyzv\u00e1n\u00ed k zad\u00e1n\u00ed p\u016fvodn\u00edho hesla (user&#8217;s old password) sta\u010d\u00ed zm\u00e1\u010dkout enter. Zad\u00e1v\u00e1te tak pr\u00e1zdn\u00e9 heslo a vyu\u017e\u00edv\u00e1te chyby k nastaven\u00ed hesla roota. Standardn\u011b (bez p\u0159\u00edtomnosti chyby) by bylo pot\u0159eba spustit p\u0159\u00edkaz se <code>sudo<\/code>, zadat nejprve heslo administr\u00e1tora a z\u00edskat tak opr\u00e1vn\u011bn\u00ed heslo roota zm\u011bnit.<\/p>\n<p>Heslo roota nen\u00ed pot\u0159eba si pamatovat, proto\u017ee pokud na Macu standardn\u011b pot\u0159ebujete z\u00edskat opr\u00e1vn\u011bn\u00ed super u\u017eivatele, dostanete jej do\u010dasn\u011b pro dan\u00fd \u00fakon zad\u00e1n\u00edm jm\u00e9na a hesla administr\u00e1torsk\u00e9ho \u00fa\u010dtu. Siln\u00e9 heslo m\u016f\u017eete vygenerovat pomoc\u00ed Password Assistant v System Preferences -&gt; Change Password&#8230; -&gt; Ikona z\u00e1mku \u010di p\u0159\u00edkazem:<\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\nopenssl rand -base64 32\n<\/pre>\n<h2>Zdroje<\/h2>\n<ul>\n<li><a href=\"https:\/\/derflounder.wordpress.com\/2017\/11\/28\/blocking-logins-to-the-root-account-on-macos-high-sierra\/\">p\u0159\u00edsp\u011bvek<\/a> na blogu Der Flounder,<\/li>\n<li><a href=\"https:\/\/macmule.com\/2017\/11\/28\/iamroot-high-sierra-root-vulnerability\/\">p\u0159\u00edsp\u011bvek<\/a> na blogu macmule,<\/li>\n<li>testov\u00e1n\u00ed v Logicworks.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Opera\u010dn\u00ed syst\u00e9m macOS 10.13 High Sierra obsahuje z\u00e1va\u017enou bezpe\u010dnostn\u00ed chybu, kdy jak\u00fdkoliv u\u017eivatel (je jedno zda standardn\u00ed nebo administr\u00e1tor) m\u016f\u017ee nastavit heslo jin\u00e9mu u\u017eivateli, kter\u00fd \u017e\u00e1dn\u00e9 heslo nastaven\u00e9 nem\u00e1. Takov\u00fdm u\u017eivatelem je i super u\u017eivatel root, pod kter\u00fdm se prov\u00e1d\u00ed nap\u0159\u00edklad instalace nov\u00fdch syst\u00e9mov\u00fdch slu\u017eeb. Update: Apple vydal aktualizaci Security Update 2017-001 (download) opravuj\u00edc\u00ed chybu. &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/macadmin.cz\/?p=967\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Chyba #iamroot v macOS 10.13 High Sierra&#8221;<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"ngg_post_thumbnail":0,"footnotes":""},"categories":[4,33],"tags":[36,35,34,37],"class_list":["post-967","post","type-post","status-publish","format-standard","hentry","category-macos","category-security","tag-bug","tag-highsierra","tag-macos","tag-security"],"_links":{"self":[{"href":"https:\/\/macadmin.cz\/index.php?rest_route=\/wp\/v2\/posts\/967","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/macadmin.cz\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/macadmin.cz\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/macadmin.cz\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/macadmin.cz\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=967"}],"version-history":[{"count":22,"href":"https:\/\/macadmin.cz\/index.php?rest_route=\/wp\/v2\/posts\/967\/revisions"}],"predecessor-version":[{"id":1006,"href":"https:\/\/macadmin.cz\/index.php?rest_route=\/wp\/v2\/posts\/967\/revisions\/1006"}],"wp:attachment":[{"href":"https:\/\/macadmin.cz\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=967"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/macadmin.cz\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=967"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/macadmin.cz\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=967"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}