It's impossible to have full-disk encryption with that config, right? (i.e., does FileVault work for the root user?)
If you can get in from an install CD, you can reset passwords as needed.
If I were writing this patch, I'd probably check to see if the root user's password was indeed blank, but given that use of the root account only is extremely unsupported I cannot get too upset about Apple breaking that use case as long as you can get back in.
The issue wasn’t actually specific to a blank password. You could try to log in as root using any password, and as long as root had never had a password set, it would fail but set root’s password to whatever you entered.
I just installed the patch on a system where I had logged into root with a blank to confirm the issue. Root login no longer works in the unlock dialog. I didn't try a more sophisticated test.
So you have only one user on your Mac and that user is named "root"? Really? That would be very strange.
I'm fairly confident most Mac users never enable the root account at all. We don't need to. I'm not sure people who've only used other Unix systems understand that; I didn't when I came to the Mac after using Linux and FreeBSD in the 1990s. You need an administrator account, but that's not really the same thing. I haven't had a root account enabled on a Mac in about 15 years. (Well, except for a 14 hour or so stretch from yesterday evening to this morning, between the time I enabled it with a strong password as a "fix" for this bug and the time the actual fix was pushed by Apple.)
At any rate, I'd be very surprised if there was even a single user literally locked out of their Mac because of this change. I think it'd have been better on general principle if they'd done some kind of check that boiled down to "if the root user is enabled but it doesn't have a password set, disable it, otherwise leave it enabled," but there may be perfectly valid reasons that they couldn't do that.
> So you have only one user on your Mac and that user is named "root"? Really? That would be very strange.
It might be the only local user with a password set, with all other users coming from a remote directory service. Think university labs.
Also, you can always pardon a single incident. But Apple got so aggressive with casualties caused by their system updates that I'm really pissed off by it.
System updates regularly reset configuration to factory settings, breaking things in the progress. Note that I'm not talking about modified system files (those we expect to get reset and thus try hard not to touch) but documented configuration points.
This arrogant mindset is best described as "you surely didn't meant to deviate from our divine default settings, so let me fix that for you!".
For some files they recently started to move your modified files out of the way (creating a backup blah.conf.$(date) or whatever) before forcing the factory config anyway. Not that we need it, but it's probably all we'll ever get.
[0]
> If you require the root user account on your Mac, you will need to re-enable the root user and change the root user's password after this update.