Admin Accounts and Mac OS X
Posted January 22nd, 2008 @ 09:32am by Erik J. Barzeski
My primary account is an admin account. I tried setting up a special "admin only" account and reverting my standard one to a plain old user, but the constant authorization requests to do darn near everything got so annoying I switched back.
I realize it's a bit less safe, but especially now with Time Machine (and still with my daily backups to yet another hard drive), I feel safer in "living on the edge" a bit. Additionally, I'm very safe with downloaded files, and the last time I opened an email attachment from an unknown source it was a Windows virus written in VBScript that I opened in BBEdit about six years ago. 🙂
So, I ask:
Posted 22 Jan 2008 at 10:20am #
I don't really understand why anyone (who was the main user on a box) wouldn't want to be setup as an Admin? I mean, even an Admin account doesn't have sufficient privileges to do anything harmful on their box without entering their password first.
If you are setup as a user vs. admin, I don't think you are getting any added security, since you will be (as you have mentioned) entering your password every 5 minutes to do simple things like moving a file to the Applications folder.
I think the best way to secure your OS X box is to just use a strong password, and make sure you rotate it out every couple of weeks.
Posted 22 Jan 2008 at 10:46am #
It depends on your definition of harmful. As an admin user you can quite easily delete applications. I'd call that harmful.
Do you really install applications every 5 minutes?
Posted 22 Jan 2008 at 12:00pm #
An admin user is in the group 'admin' (no surprise) and, thus, can write into areas that affect all users (including root, in some limited cases).
Specifically, /Applications, /Library, and /Developer are all writable by 'admin'.
Personally, I always run with a non-admin user specifically because I have busted multiple applications doing complete jackassery while trying to hide registration information or copy protection data from the user. In one case, a program added 1K of data to the end of a sound file in /Library/.
I'm not bothered by "all the password requests". There simply aren't that many in my usage pattern. I'm surprised by how many people seem to indicate they encounter. What are you doing?
Posted 22 Jan 2008 at 1:21pm #
I run as root, all the time.
Just kidding. But I really couldn't switch to a non-admin account, the authorization requests are enough as it is.
Posted 22 Jan 2008 at 4:42pm #
Non-admin. I don't seem to get that many more auth. requests now than I did when I ran things as an admin. Of course, I always install my applications to /Users/Shared/Applications in order to keep them in a nice hierarchy, away from all the unmovable Apple stuff in /Applications, so I guess that helps.
Honestly though, I don't think it makes a big security difference one way or the other.
Posted 23 Jan 2008 at 6:16am #
I run as an admin user. I am a Unix veteran (of nearly 20 years), and I know what I'm doing and am not afraid of screwing up.
Posted 29 Jan 2008 at 6:26pm #
I am a Unix veteran of 25 years and generally know what I'm doing. Which is exactly why I run as a non-admin user.