Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Admin account versus non-admin account for daily work on OS X
180 views
Skip to first unread message
Paul Sture
Apr 22, 2012, 4:39:06 PM4/22/12
to
Problem statement: A long time ago I decided that doing most of my daily
work in a non-admin account was the only sensible thing to do. For me
it's a matter of discipline and good practice.
I have now come across someone who is technically very competent but is
telling OS X newbies that using an admin account for daily work is much
safer than in Windows and actually encouraging it.
For me it's a no brainer to say no, he's wrong, but I could do with some
technical arguments and hopefully examples to explain my point of view.
Cheers in advance for your input.
--
Paul Sture
work in a non-admin account was the only sensible thing to do. For me
it's a matter of discipline and good practice.
I have now come across someone who is technically very competent but is
telling OS X newbies that using an admin account for daily work is much
safer than in Windows and actually encouraging it.
For me it's a no brainer to say no, he's wrong, but I could do with some
technical arguments and hopefully examples to explain my point of view.
Cheers in advance for your input.
--
Paul Sture
Jolly Roger
Apr 22, 2012, 9:01:53 PM4/22/12
to
In article <as6e69-...@news.sture.ch>, Paul Sture <pa...@sture.ch>
wrote:
The initial user account Mac OS X creates during installation is an
administrator account, because after all, you do need to have an
administrative account on the machine. A lot of Mac users probably don't
realize it, but you can accomplish all administrative tasks from a
non-administrative account in Mac OS X. Mac OS X prompts normal users
for the username and password of an administrator when you attempt to do
something that requires escalated privileges. So while you do need to
*have* an administrator account, there's really not much of a reason to
log in as administrator for day-to-day use.
Why is it a good idea to avoid logging directly into your administrator
account in Mac OS X? Well, besides the fact that you can do most any
administrative task from a non-administrative account, there are
security reasons. Anyone with significant experience administering a
Unix-like operating system will tell you it's always a good idea to run
with as few escalated privileges as possible, because (a) it reduces the
*chance* of privilege escalation accidents, and (b) it reduces the
*impact* of privilege escalation accidents that do occur.
Could you use an administrative account daily without adverse effects?
Sure - you might even do it for months or years without incident. It's
the one time it matters that you may want to be concerned about. For
instance, I can't tell you how many times I've seen Mac users ask for
help because they accidentally deleted some file on their system they
might not have deleted so easily had they not been logged into an
administrative account.
The thing to keep in mind is this: when you are logged in as
administrator, everything you do and every program you run (directly or
indirectly, purposefully or inadvertently) is executed with
administrative privileges - meaning it automatically has access to more
parts of the system than standard users. So if you make a mistake while
changing, moving, or deleting system files, or worse, if you unknowingly
run a trojan / worm in your administrative account, you can damage and
alter critical system files with little or no acknowledgment from the
system.
Remember that lots of files and folders in Mac OS X are owned by the
"admin" group, of which every administrative account is a member. When
you are logged in as a normal user, Mac OS X will not allow you to
modify such parts of the system without first entering the user name and
password of an administrative account. This is an additional layer of
security you won't have if you are running as administrator. In
contrast, when you are logged in as administrator, Mac OS X allows you
to change, move, and delete such files and folders without question.
BTW, I think the reason Apple doesn't give this advise to all Mac users
is probably because the long explanation needed to convey the reasons
for it and how to do it would probably not be very well received. Most
users don't know enough about security issues to understand, and
frankly, most just don't want to be bothered. Apple probably could
automate the creation of an initial administrative account and a
non-administrative account, but if users aren't properly educated about
the issues involved, there's no guarantee they would actually use them
properly. It's more involved than just offering a one-liner of advice in
a user's guide. ; )
But if you need it hear it from a more credible source than some dude on
the internet, here's what Apple themselves have to say about it (from
page 61 of the Mac OS X Security Configuration Guide @
http://tinyurl.com/augt3w):
"Unless you need administrator access for specific system maintenance
tasks that cannot be accomplished by authenticating with the
administrator's account while logged in as a normal user, always log in
as a non-administrator user. Log out of the administrator account when
you are not using the computer as an administrator. Never browse the web
or check email while logged in to an administrator's account."
--
Send responses to the relevant news group rather than email to me.
E-mail sent to this address may be devoured by my very hungry SPAM
filter. Due to Google's refusal to prevent spammers from posting
messages through their servers, I often ignore posts from Google
Groups. Use a real news client if you want me to see your posts.
JR
wrote:
administrator account, because after all, you do need to have an
administrative account on the machine. A lot of Mac users probably don't
realize it, but you can accomplish all administrative tasks from a
non-administrative account in Mac OS X. Mac OS X prompts normal users
for the username and password of an administrator when you attempt to do
something that requires escalated privileges. So while you do need to
*have* an administrator account, there's really not much of a reason to
log in as administrator for day-to-day use.
Why is it a good idea to avoid logging directly into your administrator
account in Mac OS X? Well, besides the fact that you can do most any
administrative task from a non-administrative account, there are
security reasons. Anyone with significant experience administering a
Unix-like operating system will tell you it's always a good idea to run
with as few escalated privileges as possible, because (a) it reduces the
*chance* of privilege escalation accidents, and (b) it reduces the
*impact* of privilege escalation accidents that do occur.
Could you use an administrative account daily without adverse effects?
Sure - you might even do it for months or years without incident. It's
the one time it matters that you may want to be concerned about. For
instance, I can't tell you how many times I've seen Mac users ask for
help because they accidentally deleted some file on their system they
might not have deleted so easily had they not been logged into an
administrative account.
The thing to keep in mind is this: when you are logged in as
administrator, everything you do and every program you run (directly or
indirectly, purposefully or inadvertently) is executed with
administrative privileges - meaning it automatically has access to more
parts of the system than standard users. So if you make a mistake while
changing, moving, or deleting system files, or worse, if you unknowingly
run a trojan / worm in your administrative account, you can damage and
alter critical system files with little or no acknowledgment from the
system.
Remember that lots of files and folders in Mac OS X are owned by the
"admin" group, of which every administrative account is a member. When
you are logged in as a normal user, Mac OS X will not allow you to
modify such parts of the system without first entering the user name and
password of an administrative account. This is an additional layer of
security you won't have if you are running as administrator. In
contrast, when you are logged in as administrator, Mac OS X allows you
to change, move, and delete such files and folders without question.
BTW, I think the reason Apple doesn't give this advise to all Mac users
is probably because the long explanation needed to convey the reasons
for it and how to do it would probably not be very well received. Most
users don't know enough about security issues to understand, and
frankly, most just don't want to be bothered. Apple probably could
automate the creation of an initial administrative account and a
non-administrative account, but if users aren't properly educated about
the issues involved, there's no guarantee they would actually use them
properly. It's more involved than just offering a one-liner of advice in
a user's guide. ; )
But if you need it hear it from a more credible source than some dude on
the internet, here's what Apple themselves have to say about it (from
page 61 of the Mac OS X Security Configuration Guide @
http://tinyurl.com/augt3w):
"Unless you need administrator access for specific system maintenance
tasks that cannot be accomplished by authenticating with the
administrator's account while logged in as a normal user, always log in
as a non-administrator user. Log out of the administrator account when
you are not using the computer as an administrator. Never browse the web
or check email while logged in to an administrator's account."
--
Send responses to the relevant news group rather than email to me.
E-mail sent to this address may be devoured by my very hungry SPAM
filter. Due to Google's refusal to prevent spammers from posting
messages through their servers, I often ignore posts from Google
Groups. Use a real news client if you want me to see your posts.
JR
Alan Baker
Apr 23, 2012, 1:13:25 AM4/23/12
to
Any time you need administrator rights while using a non-admin
account... ...you've got 'em.
--
Alan Baker
Vancouver, British Columbia
"If you raise the ceiling four feet, move the fireplace from that wall
to that wall, you'll still only get the full stereophonic effect if you
sit in the bottom of that cupboard."
JF Mezei
Apr 23, 2012, 1:31:33 AM4/23/12
to
Alan Baker wrote:
> Any time you need administrator rights while using a non-admin
> account... ...you've got 'em.
At the GUI level, I am somewhat puzzled on why some activities can be
> Any time you need administrator rights while using a non-admin
> account... ...you've got 'em.
performed without spaecial stuff on an admit account, some require entry
of the administrator password, and others can't be done, you need to go
command line and sudo the command to get it done.
Jamie Kahn Genet
Apr 23, 2012, 3:11:03 AM4/23/12
to
including ways that can result in a non-functional install and loss of
important data. It also opens the doors for either badly written or
outright malicious scripts and apps to wreck havoc.
Why make it easier for things to go wrong? I mean - how often are people
accessing protected folders and preferences in a standard user account?
I install at least one app a day (nightly builds I test), but that's
unusual. I also maybe change a system preference requiring
authentication once a week. Oh, and I run Software Update daily.
So I have to enter my login info three times max, and usually only twice
most days. It's not even worth debate. For a few seconds a day I get
greater peace of mind from my own mistakes, other people's mistakes, and
malicious attempts to take control of my Mac.
Running as a standard user isn't some invunerability shield, but it's
the difference between locking your front door and leaving it wide open.
You don't make it easier for things to go wrong if the downsides are
negligible - it's that simple :-)
--
If you're not part of the solution, you're part of the precipitate.
dorayme
Apr 23, 2012, 3:15:17 AM4/23/12
to
In article <alangbaker-91FE1...@news.shawcable.net>,
The best argument I know is that if anyone does break into your
account while online or physically while you are logged in as admin,
they have access to far more than they would if you were not so logged
in and can cause more trouble and that it is therefore basically
sensible from a security point of view to normally run as non-admin.
Why tempt fate?
--
dorayme
Alan Baker <alang...@telus.net> wrote:
> In article <as6e69-...@news.sture.ch>, Paul Sture <pa...@sture.ch>
> wrote:
>
> > Problem statement: A long time ago I decided that doing most of my daily
> > work in a non-admin account was the only sensible thing to do. For me
> > it's a matter of discipline and good practice.
> >
> > I have now come across someone who is technically very competent but is
> > telling OS X newbies that using an admin account for daily work is much
> > safer than in Windows and actually encouraging it.
> >
> > For me it's a no brainer to say no, he's wrong, but I could do with some
> > technical arguments and hopefully examples to explain my point of view.
> >
> > Cheers in advance for your input.
>
> There is no need to explain your point of view.
You his mother, they often say what their sons do and do not need?
> In article <as6e69-...@news.sture.ch>, Paul Sture <pa...@sture.ch>
> wrote:
>
> > Problem statement: A long time ago I decided that doing most of my daily
> > work in a non-admin account was the only sensible thing to do. For me
> > it's a matter of discipline and good practice.
> >
> > I have now come across someone who is technically very competent but is
> > telling OS X newbies that using an admin account for daily work is much
> > safer than in Windows and actually encouraging it.
> >
> > For me it's a no brainer to say no, he's wrong, but I could do with some
> > technical arguments and hopefully examples to explain my point of view.
> >
> > Cheers in advance for your input.
>
> There is no need to explain your point of view.
The best argument I know is that if anyone does break into your
account while online or physically while you are logged in as admin,
they have access to far more than they would if you were not so logged
in and can cause more trouble and that it is therefore basically
sensible from a security point of view to normally run as non-admin.
Why tempt fate?
--
dorayme
Message has been deleted
You're Kidding?
Apr 23, 2012, 8:37:54 AM4/23/12
to
In article <jollyroger-E9B75...@news.individual.net>,
YK
--- Posted via news://freenews.netfront.net/ - Complaints to ne...@netfront.net ---
Jolly Roger <jolly...@pobox.com> wrote:
> A lot of Mac users probably don't
> realize it, but you can accomplish all administrative tasks from a
> non-administrative account in Mac OS X.
Not "all", but most of them.
> A lot of Mac users probably don't
> realize it, but you can accomplish all administrative tasks from a
> non-administrative account in Mac OS X.
YK
--- Posted via news://freenews.netfront.net/ - Complaints to ne...@netfront.net ---
Jolly Roger
Apr 23, 2012, 9:09:12 AM4/23/12
to
In article <foobar-AE1D3F....@freenews.netfront.net>,
"You're Kidding?" <foo...@wattsit.net> wrote:
> In article <jollyroger-E9B75...@news.individual.net>,
> Jolly Roger <jolly...@pobox.com> wrote:
>
> > A lot of Mac users probably don't
> > realize it, but you can accomplish all administrative tasks from a
> > non-administrative account in Mac OS X.
>
> Not "all", but most of them.
Ok then name one.
> In article <jollyroger-E9B75...@news.individual.net>,
> Jolly Roger <jolly...@pobox.com> wrote:
>
> > A lot of Mac users probably don't
> > realize it, but you can accomplish all administrative tasks from a
> > non-administrative account in Mac OS X.
>
> Not "all", but most of them.
Király
Apr 23, 2012, 11:22:57 AM4/23/12
to
Adding an item to Software Update's ignore list.
--
K.
Lang may your lum reek.
--
K.
Lang may your lum reek.
Jolly Roger
Apr 23, 2012, 12:09:04 PM4/23/12
to
In article <jn3s4h$5s1$1...@dont-email.me>, m...@home.spamsucks.ca (Király)
wrote:
> Jolly Roger <jolly...@pobox.com> wrote:
> > > Not "all", but most of them.
> >
> > Ok then name one.
>
> Adding an item to Software Update's ignore list.
No, that can definitely be done with the softwareupdate command-line
tool.
There's probably a way to do it from the GUI in a non-administrator
account as well, if by no other means than by running the Software
Update tool with escalated privileges.
wrote:
> Jolly Roger <jolly...@pobox.com> wrote:
> > > Not "all", but most of them.
> >
> > Ok then name one.
>
> Adding an item to Software Update's ignore list.
tool.
There's probably a way to do it from the GUI in a non-administrator
account as well, if by no other means than by running the Software
Update tool with escalated privileges.
Király
Apr 23, 2012, 12:32:00 PM4/23/12
to
Jolly Roger <jolly...@pobox.com> wrote:
> > Adding an item to Software Update's ignore list.
>
> No, that can definitely be done with the softwareupdate command-line
> tool.
>
> There's probably a way to do it from the GUI in a non-administrator
> account as well, if by no other means than by running the Software
> Update tool with escalated privileges.
Right, so no built-in way to do that task using the GUI exclusively,
> > Adding an item to Software Update's ignore list.
>
> No, that can definitely be done with the softwareupdate command-line
> tool.
>
> There's probably a way to do it from the GUI in a non-administrator
> account as well, if by no other means than by running the Software
> Update tool with escalated privileges.
from a non-admin account.
Jolly Roger
Apr 23, 2012, 1:12:10 PM4/23/12
to
In article <jn4060$mn$1...@dont-email.me>, m...@home.spamsucks.ca (Király)
wrote:
My point is almost everything you need can be done from a non-admin
account. One can argue that there a great many things where there is no
built-in way to do from a non-admin account, but that doesn't mean they
cannot be done.
wrote:
account. One can argue that there a great many things where there is no
built-in way to do from a non-admin account, but that doesn't mean they
cannot be done.
You're Kidding?
Apr 23, 2012, 7:02:52 PM4/23/12
to
In article <jollyroger-CC3DE...@news.individual.net>,
Jolly Roger <jolly...@pobox.com> wrote:
> In article <foobar-AE1D3F....@freenews.netfront.net>,
> "You're Kidding?" <foo...@wattsit.net> wrote:
>
> > In article <jollyroger-E9B75...@news.individual.net>,
> > Jolly Roger <jolly...@pobox.com> wrote:
> >
> > > A lot of Mac users probably don't
> > > realize it, but you can accomplish all administrative tasks from a
> > > non-administrative account in Mac OS X.
> >
> > Not "all", but most of them.
>
> Ok then name one.
Run Apple Remote Desktop.
> In article <foobar-AE1D3F....@freenews.netfront.net>,
> "You're Kidding?" <foo...@wattsit.net> wrote:
>
> > In article <jollyroger-E9B75...@news.individual.net>,
> > Jolly Roger <jolly...@pobox.com> wrote:
> >
> > > A lot of Mac users probably don't
> > > realize it, but you can accomplish all administrative tasks from a
> > > non-administrative account in Mac OS X.
> >
> > Not "all", but most of them.
>
> Ok then name one.
Jolly Roger
Apr 23, 2012, 7:47:42 PM4/23/12
to
In article <foobar-88680F....@freenews.netfront.net>,
daily.
"You're Kidding?" <foo...@wattsit.net> wrote:
> In article <jollyroger-CC3DE...@news.individual.net>,
> Jolly Roger <jolly...@pobox.com> wrote:
>
> > In article <foobar-AE1D3F....@freenews.netfront.net>,
> > "You're Kidding?" <foo...@wattsit.net> wrote:
> >
> > > In article <jollyroger-E9B75...@news.individual.net>,
> > > Jolly Roger <jolly...@pobox.com> wrote:
> > >
> > > > A lot of Mac users probably don't
> > > > realize it, but you can accomplish all administrative tasks from a
> > > > non-administrative account in Mac OS X.
> > >
> > > Not "all", but most of them.
> >
> > Ok then name one.
>
> Run Apple Remote Desktop.
>
> YK
Remote Desktop runs fine in a non-administrator account. I do it almost
> In article <jollyroger-CC3DE...@news.individual.net>,
> Jolly Roger <jolly...@pobox.com> wrote:
>
> > In article <foobar-AE1D3F....@freenews.netfront.net>,
> > "You're Kidding?" <foo...@wattsit.net> wrote:
> >
> > > In article <jollyroger-E9B75...@news.individual.net>,
> > > Jolly Roger <jolly...@pobox.com> wrote:
> > >
> > > > A lot of Mac users probably don't
> > > > realize it, but you can accomplish all administrative tasks from a
> > > > non-administrative account in Mac OS X.
> > >
> > > Not "all", but most of them.
> >
> > Ok then name one.
>
> Run Apple Remote Desktop.
>
> YK
daily.
TaliesinSoft
Apr 23, 2012, 11:19:56 PM4/23/12
to
I have seven accounts on my iMac, one administrator and six user
account. One of the user accounts is for my day to day internet
exploring and such. The remaining five user accounts are for projects I
am working on and where I like to keep all of the parts of the project
isolated. Maybe this won't work for others but it works just fine for
me.
--
James Leo Ryan - Austin, Texas
account. One of the user accounts is for my day to day internet
exploring and such. The remaining five user accounts are for projects I
am working on and where I like to keep all of the parts of the project
isolated. Maybe this won't work for others but it works just fine for
me.
--
James Leo Ryan - Austin, Texas
bi...@mix.com
Apr 24, 2012, 12:39:23 AM4/24/12
to
See "Types of User Accounts and Account Philosophy" starting on page 6.
Who is SANS?
http://www.sans.org/about/sans.php
Billy Y..
--
sub #'9+1 ,r0 ; convert ascii byte
add #9.+1 ,r0 ; to an integer
bcc 20$ ; not a number
Király
Apr 24, 2012, 2:36:33 AM4/24/12
to
kids. One non-admin test account for troubleshooting. One non-admin
account used only for EyeTV and watching movies, and one admin
account. The account that is used the least is the admin account. I
can't remember the last time anybody has logged in to it. No need to.
0 new messages