Run as Admin account everyday; Dangerous?

Discussion in 'macOS' started by lieb39, Feb 16, 2006.

  1. lieb39 macrumors 6502


    Joined:
    Mar 17, 2005
    Location:
    Melbourne, Australia
    #1
    Hello everyone,

    I'm just wondering about one thing. I'm not trying to be a paranoid person or anything, just looking for opinions on this as I've never thought about this.

    In the Windows world I've always run as an Admin because it was way too hard not to with all my installation and removal of hardware, and generally didn't make a difference when I contracted a virus. However, on the mac system it doesn't seem like this.

    I've been running as an admin on my mac from day one, but now I'm thinking that it's 'safer' for any future viruses and in general if I run as a limited user. If I do run as a limited user does that mean that every time I want to do something that requires Admin rights I'll just be asked for an admin account? Because if it's that simple then I'll switch right now.

    Other than security, are there any other advantages or even disadvantages of running as a limited user?

    Cheers

    lieb39
     
  2. frankblundt macrumors 65816


    Joined:
    Sep 19, 2005
    Location:
    South of the border
    #2
    that simple, yes. see this thread (and many others...)

    a slight pain switching to admin to install apps, updates etc. that's about it. I find it actually makes maintenance easier cos my admin account has all the utilities reqd in the dock.

    For day to day management you don't generally need to go to the admin account, it'll just ask you for the admin name/password whenever you want to do anything outside the managed account's limitations.
     
  3. thomasp macrumors 6502a

    Joined:
    Sep 18, 2004
    Location:
    UK
    #3
    When you say "Install apps", does that mean dragging and dropping them from a DMG into the Applications Folder?

    What about if they are dropped into another folder?
     
  4. bankshot macrumors 65816


    Joined:
    Jan 23, 2003
    Location:
    Southern California
    #4
    No real disadvantages to running as a normal user, and plenty of security advantages as you already said. I think I've run into maybe one or two installers that required me to switch to my admin account (they were old ports of classic installers). Everything else has been smart enough to ask for the admin name/password when needed, without actually switching users. A few things (MS Office, I believe, and Quicken 2002) required running as admin the very first time, but everything has been fine thereafter running as my normal user.

    I've been running as a normal user, with a completely separate admin user, since coming on board with OS X 10.1.2. My strong unix background simply wouldn't allow me to run day-to-day stuff with elevated privileges. And I've always said that Apple made a big mistake making the first account that's created (and usually the only one that's ever used) an admin. They should have made the installer create a normal account, but then ask for a separate, "administration" password. The installer would then create a special, hidden "admin" user behind the scenes, and novice users would never have to know it was technically a separate account. Then installers and other programs needing admin rights would just ask for the admin password, rather than an admin name/password pair. This would have been just as easy for the user, and far more secure.

    Unfortunately there are millions of Macs out there running with elevated privileges every moment they're turned on. While it's not nearly as bad as running as root (which can silently modify anything, down to the lowest level of the OS; an admin needs explicit permission to modify much of the lower levels), it still gives trojans and viruses an easy way to inject malicious code into commonly used apps. Everything under /Applications is typically writable by admins, so a malicious program only needs to modify some of the commonly used ones like Safari, iChat, etc, to virtually guarantee they get run every time the computer boots. And it can do so silently, without needing to pretend to be a legitimate program asking for admin rights. Not good. Hopefully this doesn't bite Apple (and us!) in the butt when the first real virus comes along.

    Why, oh why, doesn't Apple just listen to me more often? :rolleyes:
     
  5. atszyman macrumors 68020


    Joined:
    Sep 16, 2003
    Location:
    The Dallas 'burbs
    #5
    I've tried to set up Windows boxes to run with a limited user normally and an admin separate, and let me tell you that there is a world of difference in doing this on a Mac than Windows. I've been on a non-admin account on my PowerBook for over a year now and have had no problems with permissions or anything like that. It is so far ahead of Windows in this regard it is not even funny. I almost never log in as admin (except when doing my now weekly backup) and rarely get prompted for a password, when I do it is usually just entering a username and password to authenticate and then everything is hunky-dory. The Windows boxes I keep running at home require logging in as admin on a weekly basis just to make sure that the utilities run as scheduled. I would highly advise doing this on your Mac.

    Thanks for reminding me though I need to lock down my account on Windows again since I have been recently rebuilding the box...
     
  6. lieb39 thread starter macrumors 6502


    Joined:
    Mar 17, 2005
    Location:
    Melbourne, Australia
    #6
    Thanks everyone, I'm now running a standard login with a separate admin user. No differences.. yet. Haha.

    Cheers,

    lieb39
     
  7. Leeloo the 5th macrumors member


    Joined:
    Apr 17, 2005
    Location:
    Belgium
    #7
    Thanks for the insight Bankshot and others!
    I've just changed my account to standard after creating a separate Admin account. I'll do the same on my dad's iBook soon.

    Ahh, where would I be without you guys? Still on a pc I guess....
     
  8. YS2003 macrumors 68020


    Joined:
    Dec 24, 2004
    Location:
    Finally I have arrived.....
    #8
    Create new acct as Admi and make the current one a Normal

    I have been using my Macs under one user (myself as administrator). If I create a new account and make it "Administrator" and make my current account (which is currently a sole account and is a sole administrator) to the normal user (ie. not administrator), does it cause any problem with my files/programs which were created, installed, or maintained prior to this change?

    Since I have files/favorites created with my current account (which runs as administrator), I don't want to go through duplicating all of my personal preferences/files/set up with this new account. So, I thought it would be easier to make a new account and make it an administrator and make my current account a normal user.

    Is that a good way to do this? Or, does this cause some problem?
     
  9. pjo macrumors regular

    Joined:
    Feb 20, 2006
    #9
    remember to chown

    That should be fine, just remember to check the permissions of the files/folders under the Applications folder. You may need to change some of them to the new "admin" - depending on what you have installed.

    Also it would be nice to create the new admin, check/change permissions in Applications folder, and after you know it's working then demote your current user to an ordinary one.
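
Added example, not part of any post in this thread: a read-only shell audit for the two permission points raised above, bankshot's note in #4 that items under /Applications are typically writable by admins and pjo's advice in #9 to check ownership before demoting an account. The function names and the script name `audit_apps.sh` are hypothetical; `admin` is the macOS administrators group, and the directory, user and group are passed in by the caller.

```shell
#!/bin/sh
# Added example, not from the thread. Read-only audit of an applications
# folder before or after demoting an account. DIR, USER and GROUP are
# supplied by the caller; on the Macs discussed here that would be
# /Applications, the demoted account's short name, and the admin group.

# Entries directly under DIR still owned by USER (name or numeric uid).
# The owner can modify these without any admin prompt.
owned_by() {
    find "$1" -mindepth 1 -maxdepth 1 -user "$2" -print | sort
}

# Entries directly under DIR that belong to GROUP and carry the group-write
# bit: any process running as a member of GROUP can alter them silently.
# Symlinks are skipped because their own mode bits are not meaningful.
writable_by_group() {
    find "$1" -mindepth 1 -maxdepth 1 ! -type l -group "$2" -perm -020 -print | sort
}

# Entries writable by every account, which no admin/standard split protects.
writable_by_all() {
    find "$1" -mindepth 1 -maxdepth 1 ! -type l -perm -002 -print | sort
}

# Print the three lists with full ownership details for review.
report() {
    dir=$1 user=$2 group=$3
    echo "== owned by $user"
    owned_by "$dir" "$user" | while IFS= read -r p; do ls -ld "$p"; done
    echo "== group-writable by $group"
    writable_by_group "$dir" "$group" | while IFS= read -r p; do ls -ld "$p"; done
    echo "== world-writable"
    writable_by_all "$dir" | while IFS= read -r p; do ls -ld "$p"; done
}

# Usage (hypothetical script name): sh audit_apps.sh /Applications <short-name> admin
if [ "$#" -eq 3 ]; then
    report "$1" "$2" "$3"
fi
```

Run it once while the day-to-day account is still an admin and again after demotion; anything still listed under "owned by" is what pjo's ownership change would apply to.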
     
  10. YS2003 macrumors 68020


    Joined:
    Dec 24, 2004
    Location:
    Finally I have arrived.....
    #10
    Thanks for posting your comment on this. I have set up a new Admi account and demoted my sole account (which was Admi) to the standard user. So far, everything works. I recall some software asked me to make that software available for only one user or all users; luckily, I told the installer to make it available for all users on the Mac.

    When I run repair permission from Disk Utility, Mac prompts me to enter Admi name/password before proceeding with the repair permission process. This extra layer of security is a good one to have now that Mac is somewhat getting popular and gaining some market share one iota after iota.

    I am planning to do the same set up for my other 2 Macs (12" Al PB and 15" Al PB), after testing out thoroughly with my 15" Ti and 12" iBook.
     
  11. dogbone macrumors 68020


    Joined:
    Sep 16, 2005
    Location:
    S33.687308617200465 E150.31341791152954
    #11
    I already had a spare trouble shooting admin so all I needed to do was demote my current admin. But funnily enough I still felt a resentment at being 'demoted' to a proletariat standard user.
     
  12. YS2003 macrumors 68020


    Joined:
    Dec 24, 2004
    Location:
    Finally I have arrived.....
    #12
    Now that we are talking about changing the original Admini account to standard user, I had to go through some headache with my Windows XP Tablet. Because I have been using the default Admini account from the get-go on this Fujitsu Tablet, I only had one Admini user account which is named after my name.

    So, I decided to add a new admini so that I can demote my original admini to standard user (so that I can keep the desktop short cuts and all of my personal preferences). Boy, was I wrong. As soon as I created a new admini account, my original admini disappeared! I know it is in the hard drive (as I can see some of the software and files under C drive). But, I had to re-build my personal settings (short cuts on the desktop, downloading some plug in for Gecko tip for Firefox, setting up Outlook, and etc). Then, I created another admini (which is the 2nd new user I just opened) so that I can make this first new admini a standard account.

    So, I found it is easier to work on multiple user accounts with different privileges under Mac than Windose.
     
  13. Dalriada macrumors 6502

    Joined:
    Aug 26, 2004
    Location:
    Moorlough Shore
    #13
    Sorry very silly question (maybe a nomination for next year's Demi Awards ?) I have created a new Admin account and I was planning after changing permissions to demote my daily user account to a Standard user... but I can't log into the new Admin account... (meaning I can only see my daily user account prompt when I boot up ?!?)
     
  14. Kernow macrumors 65816


    Joined:
    Sep 30, 2005
    Location:
    Kingston-Upon-Thames
    #14
    ^^ I have exactly the same issue. You can log in if you go to System Preferences>Users>Login Options and select name and password fields in the login window, but the new administrator does not appear in either the login window when shown as a list of users or the fast user switching menu.

    It hasn't bothered me so much yet, and I haven't had time to get round to troubleshooting this, but if anyone can provide an easy answer, that would be great.
     
  15. YS2003 macrumors 68020


    Joined:
    Dec 24, 2004
    Location:
    Finally I have arrived.....
    #15
    Dalriada, have you tried "log in options" in "Accounts" in System Preferences? There is an option to let Mac show all the user names at the start up so that you can pick the user to log in.

    So far, my Macs are all showing my normal standard user and admini user.

    What I did is make a new admini, do repair permission, log in as new admini to test it out, log out, log in as my original admini and demote it to standard, repair permission, log out, and log in as either this new admini or new standard. So far, everything is working well for me.
     
  16. Kernow macrumors 65816


    Joined:
    Sep 30, 2005
    Location:
    Kingston-Upon-Thames
    #16
    ^^ That's pretty much exactly what I did. The problem is that the new admin user is not appearing in the list of users to log in. The account exists and works fine, as you can log in through the name and password option on the login window, but to get to this, you have to go through system preferences, enter an admin password to make changes etc.

    I am not the only user on my Mac, so it is far more convenient to have the list option, but it is irritating that the Admin user does not appear in this list.
     
  17. Dalriada macrumors 6502

    Joined:
    Aug 26, 2004
    Location:
    Moorlough Shore
    #17
    YS2003 Thanks yours - looks I can log into the new Admin accnt when selecting show name&password but not, as Kernow also says, when selecting show list of users.... I'd like just to use the fast switch with a password rather than having to type each time the full user name.... :confused: :confused:
     
  18. YS2003 macrumors 68020


    Joined:
    Dec 24, 2004
    Location:
    Finally I have arrived.....
    #18
    You have pointed out an interesting issue. When you install programs (either through installer or DMG file) while running as an Admini, do those installed programs tend to be available for all the users who would be using the same computer?

    I am assuming all of the software I installed under my original Admini account would be available for standard users. I recall I only saw a few programs who asked me if I wanted to make that particular software available for that particular user account only; but, naturally, I chose make it available for all the user accounts on my Mac.

    The exception to this was Adobe CS2. When I tried to run Adobe Updater for my CS2, I was not able to run it while I was logged in as Standard. So, I logged out and logged in as Admini to run the updater.
     
