Comments on: Admin Accounts and Mac OS X http://nslog.com/2008/01/22/admin_accounts_and_mac_os_x The Weblog of Erik J. Barzeski Fri, 05 Dec 2008 11:12:22 +0000 http://wordpress.org/?v=2.6.5 By: bbum http://nslog.com/2008/01/22/admin_accounts_and_mac_os_x#comment-45637 bbum Tue, 29 Jan 2008 23:26:25 +0000 http://nslog.com/2008/01/22/admin_accounts_and_mac_os_x#comment-45637 I am a Unix veteran of 25 years and generally know what I'm doing. Which is exactly why I run as a non-admin user. I am a Unix veteran of 25 years and generally know what I'm doing. Which is exactly why I run as a non-admin user.

]]> By: Daniel http://nslog.com/2008/01/22/admin_accounts_and_mac_os_x#comment-45473 Daniel Wed, 23 Jan 2008 11:16:26 +0000 http://nslog.com/2008/01/22/admin_accounts_and_mac_os_x#comment-45473 I run as an admin user. I am a Unix veteran (of nearly 20 years), and I know what I'm doing and am not afraid of screwing up. I run as an admin user. I am a Unix veteran (of nearly 20 years), and I know what I'm doing and am not afraid of screwing up.

]]> By: Carl http://nslog.com/2008/01/22/admin_accounts_and_mac_os_x#comment-45454 Carl Tue, 22 Jan 2008 21:42:30 +0000 http://nslog.com/2008/01/22/admin_accounts_and_mac_os_x#comment-45454 Non-admin. I don't seem to get that many more auth. requests now than I did when I ran things as an admin. Of course, I always install my applications to /Users/Shared/Applications in order to keep them in a nice hierarchy, away from all the unmovable Apple stuff in /Applications, so I guess that helps. Honestly though, I don't think it makes a big security difference one way or the other. Non-admin. I don't seem to get that many more auth. requests now than I did when I ran things as an admin. Of course, I always install my applications to /Users/Shared/Applications in order to keep them in a nice hierarchy, away from all the unmovable Apple stuff in /Applications, so I guess that helps.

Honestly though, I don't think it makes a big security difference one way or the other.

]]> By: Mike http://nslog.com/2008/01/22/admin_accounts_and_mac_os_x#comment-45444 Mike Tue, 22 Jan 2008 18:21:30 +0000 http://nslog.com/2008/01/22/admin_accounts_and_mac_os_x#comment-45444 I run as root, all the time. Just kidding. But I really couldn't switch to a non-admin account, the authorization requests are enough as it is. I run as root, all the time.

Just kidding. But I really couldn't switch to a non-admin account, the authorization requests are enough as it is.

]]> By: bbum http://nslog.com/2008/01/22/admin_accounts_and_mac_os_x#comment-45443 bbum Tue, 22 Jan 2008 17:00:21 +0000 http://nslog.com/2008/01/22/admin_accounts_and_mac_os_x#comment-45443 An admin user is in the group 'admin' (no surprise) and, thus, can write into areas that affect all users (including root, in some limited cases). Specifically, /Applications, /Library, and /Developer are all writable by 'admin'. Personally, I always run with a non-admin user specifically because I have busted multiple applications doing complete jackassery while trying to hide registration information or copy protection data from the user. In one case, a program added 1K of data to the end of a sound file in /Library/. I'm not bothered by "all the password requests". There simply aren't that many in my usage pattern. I'm surprised by how many people seem to indicate they encounter. What are you doing? An admin user is in the group 'admin' (no surprise) and, thus, can write into areas that affect all users (including root, in some limited cases).

Specifically, /Applications, /Library, and /Developer are all writable by 'admin'.

Personally, I always run with a non-admin user specifically because I have busted multiple applications doing complete jackassery while trying to hide registration information or copy protection data from the user. In one case, a program added 1K of data to the end of a sound file in /Library/.

I'm not bothered by "all the password requests". There simply aren't that many in my usage pattern. I'm surprised by how many people seem to indicate they encounter. What are you doing?

]]> By: Steve http://nslog.com/2008/01/22/admin_accounts_and_mac_os_x#comment-45442 Steve Tue, 22 Jan 2008 15:46:28 +0000 http://nslog.com/2008/01/22/admin_accounts_and_mac_os_x#comment-45442 It depends on your definition of harmful. As an admin user you can quite easily delete applications. I'd call that harmful. Do you really install applications every 5 minutes? It depends on your definition of harmful. As an admin user you can quite easily delete applications. I'd call that harmful.

Do you really install applications every 5 minutes?

]]> By: Ted http://nslog.com/2008/01/22/admin_accounts_and_mac_os_x#comment-45441 Ted Tue, 22 Jan 2008 15:20:41 +0000 http://nslog.com/2008/01/22/admin_accounts_and_mac_os_x#comment-45441 I don't really understand why anyone (who was the main user on a box) wouldn't want to be setup as an Admin? I mean, even an Admin account doesn't have sufficient privileges to do anything harmful on their box without entering their password first. If you are setup as a user vs. admin, I don't think you are getting any added security, since you will be (as you have mentioned) entering your password every 5 minutes to do simple things like moving a file to the Applications folder. I think the best way to secure your OS X box is to just use a strong password, and make sure you rotate it out every couple of weeks. I don't really understand why anyone (who was the main user on a box) wouldn't want to be setup as an Admin? I mean, even an Admin account doesn't have sufficient privileges to do anything harmful on their box without entering their password first.

If you are setup as a user vs. admin, I don't think you are getting any added security, since you will be (as you have mentioned) entering your password every 5 minutes to do simple things like moving a file to the Applications folder.

I think the best way to secure your OS X box is to just use a strong password, and make sure you rotate it out every couple of weeks.

]]>