Are you an administrator?

Discussion in 'Mac Apps and Mac App Store' started by Koodauw, Apr 15, 2004.

  1. Koodauw macrumors 68040

    Koodauw

    Joined:
    Nov 17, 2003
    Location:
    Madison
    #1
    I was watching TechTV the other day and Leo recemended that if you are running OSX, you should be set it up so when you log in for regular use you log in as a "user" and have a seperate "Admin" account for when you need to access admin stuff. I think it was for security reasons, but I only caught part of it. My question is if your admin account is password protected, what is the benefit of this? Does anyone else do this? Thanks for any info.
     
  2. Makosuke macrumors 603

    Joined:
    Aug 15, 2001
    Location:
    The Cool Part of CA, USA
    #2
    I expect, generally speaking, that the advantage of not having your regular login being an admin user is that you won't accidentally mung something up while working. This is pretty good advice for most people, I'd say; I don't have any of the other household users set up as admins, and when I set up workplace computers I don't usually give admin privleges to the "working" account.

    Although I do personally work in an admin account; being that I'm not likely to screw anything up (unintentionally) this seems ok, and since the account'd exist either way, it's not equivalent to turning on Root as a security risk.
     
  3. PlaceofDis macrumors Core

    Joined:
    Jan 6, 2004
    #3
    i dont do this, but i always make sure to have an extra admin account on my computer just incase something goes wrong with the one i use on a daily basis because then i have a user just for troubleshooting
     
  4. stcanard macrumors 65816

    stcanard

    Joined:
    Oct 19, 2003
    Location:
    Vancouver
    #4
    Absolutely. It helps with things like the Trojan issue that was discussed earlier. You should run with as little privilige as possible. I found that creating a seperate admin account was not actually enough, and had to add one more step (as an admin account):

    sudo chown -R root:admin /Applications
    sudo chmod -R o-w /Applications

    Then run fix permissions to fix anything you broke :D Those two steps ensure your default account cannot even write to the Applications directory.

    In OSX it is really not inconvenient to have a seperate administrator account. You'll notice two things:

    1) When you have to do something with admin priv, you are now asked for a username and password; you don't need to use FUS or anything like that

    2) When you try to use finder to do something in a system directory, you will be told you don't have permission, and do you want to authenticate, if you say yes you are again asked for a username / password.

    So even with the changes above, you can still drag an app into /Applications, you'll just have to give a username and password to be allowed to do it.

    On the plus side, the account is denied access to anything outside of /Users, so it really cuts the damage a virus, trojan, or worm can do to your system.
     
  5. stcanard macrumors 65816

    stcanard

    Joined:
    Oct 19, 2003
    Location:
    Vancouver
    #5
    It's more for the virus / trojan / worm issue. While you're right that it is not as bad as root, an admin account has write access into an awful lot of the system to these can do damage.
     
  6. Counterfit macrumors G3

    Counterfit

    Joined:
    Aug 20, 2003
    Location:
    sitting on your shoulder
    #6
    I'm an admin on three computers, my PB, my Beige G3, and my parents' iMac. My brother is also an admin on the iMac and my beige, and I have a backup admin account on my PB. I usually run as admin, and haven't yet had a problem due to user error. Well, nothing that screwed me up at least :D
     
  7. 7on macrumors 601

    7on

    Joined:
    Nov 9, 2003
    Location:
    Dress Rosa
    #7
    I think this tip was for WinXP, to "simulate" OSX's root user. I use admin and all that can do is change things in the Users, Library, and Applications folder. As long as my system is alright it's fine. I personally recommend setting a separate pass for the Root account though. Keeps you from accidentally granting the wrong ownership (and I've found a few apps with typos in their pass/user when asking for the root password, but only needing the admin pass).
     
  8. Counterfit macrumors G3

    Counterfit

    Joined:
    Aug 20, 2003
    Location:
    sitting on your shoulder
    #8
    I personally recommend not using root unless you have to and you know how. ;)
     
  9. janey macrumors 603

    janey

    Joined:
    Dec 20, 2002
    Location:
    sunny los angeles
    #9
    what are you talking about? There is no OS X virus/virii yet, they're all proof of concept(s), nothing more.
    Anyway, having an extra admin account is a VERY good idea. And root/su/sudo shouldnt be messed with unless you know what you are doing (sudo rm -rf / anyone? :p )
    I personally like to be an admin because its just a pain in the neck if you're not in OS X.
     
  10. Sparky's macrumors 6502a

    Sparky's

    Joined:
    Feb 11, 2004
    #10
    I am admin for our Pre-press LAN, and after being out for a few days I found out my e-mail was being opened and a few of my personal documents and stuff accessed. Soo I set up a Generic User account with the "look and feel" of my account but set all kinds of restrictions on what could be accessed in the way of folders, applications (my mail account) and now I can go on vacation and feel a little safer(or private) Even though my boss (the owner of the company) owns the equipment I still feel its MY computer. :mad:
     
  11. Westside guy macrumors 601

    Westside guy

    Joined:
    Oct 15, 2003
    Location:
    The soggy side of the Pacific NW
    #11
    I don't really see the problem with one's primary account being in the admin group, since you're generally prompted for your password before screwing things up royally system-wide. The main drawback, I suppose, is if you're worried you might do something that you'd regret later (such as the aforementioned 'sudo rm -Rf /' hehe). But since you can always su to an admin account, you're not bulletproof even if your account isn't privileged - basically if you are bound and determined to screw things up you always will have a way to do so.

    It's not like a Windows admin account, which is analogous to 'root' on OS X rather than what we're talking about. In that case, once you're logged in you can do most anything without the smallest roadblock.

    Of course if you just type your password in whenever prompted, without thinking "am I doing something that should require root privileges?" then yeah, you shouldn't have an admin account by default. :D
     
  12. stcanard macrumors 65816

    stcanard

    Joined:
    Oct 19, 2003
    Location:
    Vancouver
    #12
    Remember the Boy Scout motto...
     
  13. stcanard macrumors 65816

    stcanard

    Joined:
    Oct 19, 2003
    Location:
    Vancouver
    #13
    It depends on your level of paranoia. You're right it is _far_ more secure than a Windows Admin because of the use of sudo for any administration features.

    At the same time, the admin group does have write access to some sensitive areas of the filesystem ("/" for instance), and using a seperate account is really no more inconvenient than running as admin.

    Remember: always run with the least privilige possible. Since there is no incovenience to running as a non-admin account (try it and see what I mean), why take the risk?

    There may be no virus's / trojans in the wild now, but would you really leave your car running in the driveway overnight just because nobody's stolen a car in your neighbourhood since you moved in?
     
  14. stcanard macrumors 65816

    stcanard

    Joined:
    Oct 19, 2003
    Location:
    Vancouver
    #14
    Are you on jaguar still? I'll admit I've never used jaguar to know how it behaves.

    In Panther there is no pain...

    If you need admin privilige it asks for an admin username / password

    If you try to modify a file it asks you to authenticate, and you type in an admin username / password

    If you want to administer from the command line, you either su to your admin account or (what I did) add yourself to the /etc/sudoers file.

    I have never once had to FUS to my admin account to do something. But even if I did, it's only one FUS away...
     
  15. Koodauw thread starter macrumors 68040

    Koodauw

    Joined:
    Nov 17, 2003
    Location:
    Madison
    #15
    Thanks for the input every one. I guess I am not worried about me screwing my computer up by being the admin, I don't mess aaround with stuff that would really do damage. I guess I was wondering about it from a security stand point. (I.E. others using my computer or it being stolen) Any benefits to not being the admin then?

    Also, is there a way to de-authorize my admin account, and make it just a regular one, and authorize another account? That way I don't have to remake my dock, desktop, hot corners etc...
     
  16. stcanard macrumors 65816

    stcanard

    Joined:
    Oct 19, 2003
    Location:
    Vancouver
    #16
    Yup.

    Create the new admin account, then switch to it. You can then just take the admin priv off your original account, in the users panel in system preferences.

    That's the way I deauthorized mine.
     
  17. Westside guy macrumors 601

    Westside guy

    Joined:
    Oct 15, 2003
    Location:
    The soggy side of the Pacific NW
    #17
    Actually, this kinda bugs me (not your post, but the point you bring up). OS X differs substantially from Linux or BSD in this regard. In either of those, only root has write access to locations like /usr/bin (equivalent to /Applications) or /. To install an application into these locations you have to use sudo, which requires your password before allowing access.

    Since Apple is already using this model for some things, why aren't they doing that more consistently? It'd make OS X more secure, at least on a multi-user system, and wouldn't really add any significant level of complexity (since there are already some applications that basically use this model on OS X).
     
  18. Koodauw thread starter macrumors 68040

    Koodauw

    Joined:
    Nov 17, 2003
    Location:
    Madison
    #18
    Oops

    Sorry, had a question, but I figured it out.
     
  19. Koodauw thread starter macrumors 68040

    Koodauw

    Joined:
    Nov 17, 2003
    Location:
    Madison
    #19
    Ok. New question. Is there anyway I can set it up so I need to enter in a password when I boot up the computer?
     
  20. janey macrumors 603

    janey

    Joined:
    Dec 20, 2002
    Location:
    sunny los angeles
    #20
    i'm using panther, but i still find it sorta....meh...
    i just feel more comfortable as an admin.

    and btw i have no idea wtf the boy scout motto is...sorry i'm not a guy :p
     
  21. janey macrumors 603

    janey

    Joined:
    Dec 20, 2002
    Location:
    sunny los angeles
    #21
    yeah. search for "open firmware password" on http://www.info.apple.com
    mind you its not the most convenient thing to do...forget the password and theres no way to get it back.
     
  22. stcanard macrumors 65816

    stcanard

    Joined:
    Oct 19, 2003
    Location:
    Vancouver
    #22
    I felt the same way until I tried it for a while

    funny, your typing looks so gender unspecific :p

    The motto is "be prepared" :)
     
  23. Counterfit macrumors G3

    Counterfit

    Joined:
    Aug 20, 2003
    Location:
    sitting on your shoulder
    #23
    I thought it was "exclude homosexuals" :p


    I kid I kid! :D
     

Share This Page