[tekacs]

And you might want to disable the root account again with `dsenableroot -d` as well, so that the root account stays disabled after the vulnerability is patched.

Unlike doing this through the GUI, this seems to retain the root password and prevent this vuln from re-occuring.

[LeoPanthera]

Don't disable root. The bug re-enables it with a new blank password.

[tekacs]

It doesn't if you disable it from the shell like this, as I note in my comment.

I've tested both approaches - disabling via the GUI causes this bug to re-occur next time you try, disabling via the shell does not.

[ukblewis]

Bizarrely though, you can still use the root user (with the password that you set) to login to the Directory Utility even while it is supposed to be disabled... This behaviour seems super weird.

[tekacs]

Yeah I've noticed this myself - I'm on the fence as to whether this is actually disabling the account or simply creating that impression (it does show as disabled in Directory Utility after you perform this command).

My hope in recommending people disable this way is that with the additional scrutiny on this subsystem, accounts disabled this way will remain genuinely disabled in a future update. Either way this doesn't seem to reintroduce the bug.

... but the whole thing is a mess overall.

[kofejnik]

I confirm, disabling from shell does seem to prevent further logins

[skygazer]

As far as I can tell, "dsenableroot -d" seems to have no useful effect. After having "* Successfully disabled root user." with it, I can still log in to the root account with the password I set, both at the command line with "login" and from a remote machine via screen sharing.

To be flippant, I might say HN discussions seem to QA using Apple methods.