Run as Admin account everyday; Dangerous?

lieb39 · Feb 16, 2006

Hello everyone,

I'm just wondering about one thing. I'm not trying to be a paranoid person or anything, just looking for opinions on this as I've never thought about this.

In the Windows world I've always run as a Admin because it was way to hard not to with all my installation and removal of hardware, and generally didn't make a difference when I contracted a virus. However, on the mac system it doesn't seem like this.

I've been running as a admin on my mac from day one, but now I'm thinking that it's 'safer' for any future viruses and in general if I run as a limited user. If I do run as a limited user does that mean that everytime I want to do something that requires Admin rights I'll just be asked for a admin account? Because if it's that simple then I'll switch right now.

Other then security, are there any other advantages or even disadvantages of running as a limited user?

Cheers

lieb39

frankblundt · Feb 16, 2006

that simple, yes. see this thread (and many others...)

a slight pain switching to admin to install apps, updates etc. that's about it. I find it actually makes maintenance easier cos my admin account has all the utilities reqd in the dock.

For day to day management you don't generally need to go to the admin account, it'll just ask you for the admin name/password whenever you want to do anything outside the managed account's limitations.

thomasp · Feb 16, 2006

When you say "Install apps", does that mean dragging and dropping them from a DMG into the Applications Folder?

What about if they are dropped into another folder?

bankshot · Feb 16, 2006

No real disadvantages to running as a normal user, and plenty of security advantages as you already said. I think I've run into maybe one or two installers that required my to switch to my admin account (they were old ports of classic installers). Everything else has been smart enough to ask for the admin name/password when needed, without actually switching users. A few things (MS Office, I believe, and Quicken 2002) required running as admin the very first time, but everything has been fine thereafter running as my normal user.

I've been running as a normal user, with a completely separate admin user, since coming on board with OS X 10.1.2. My strong unix background simply wouldn't allow me to run day-to-day stuff with elevated privileges. And I've always said that Apple made a big mistake making the first account that's created (and usually the only one that's ever used) an admin. They should have made the installer create a normal account, but then ask for a separate, "administration" password. The installer would then create a special, hidden "admin" user behind the scenes, and novice users would never have to know it was technically a separate account. Then installers and other programs needing admin rights would just ask for the admin password, rather than an admin name/password pair. This would have been just as easy for the user, and far more secure.

Unfortunately there are millions of Macs out there running with elevated privileges every moment they're turned on. While it's not nearly as bad as running as root (which can silently modify anything, down to the lowest level of the OS; an admin needs explicit permission to modify much of the lower levels), it still gives trojans and viruses an easy way to inject malicious code into commonly used apps. Everything under /Applications is typically writable by admins, so a malicious program only needs to modify some of the commonly used ones like Safari, iChat, etc, to virtually guaratee they get run every time the computer boots. And it can do so silently, without needing to pretend to be a legitimate program asking for admin rights. Not good. Hopefully this doesn't bite Apple (and us!) in the butt when the first real virus comes along.

Why, oh why, doesn't Apple just listen to me more often?

atszyman · Feb 16, 2006

lieb39 said:
In the Windows world I've always run as a Admin because it was way to hard not to with all my installation and removal of hardware, and generally didn't make a difference when I contracted a virus. However, on the mac system it doesn't seem like this.

I've tried to setup Windows boxes to run with a limited user normally and an admin separate, and let me tell you that there is a world of difference in doing this on a Mac than Windows. I've been on a non-admin account on my PowerBook for over a year now and have had no problems with permissions or anything like that. It is so far ahead of Windows in this regard it is not even funny. I almost never log in as admin (except when doing my now weekly backup) and rarely get prompted for a password, when I do it is usually just entering a username and password to authenticate and then everything is hunky-dory. The Windows boxes I keep running at home require logging in as admin on a weekly basis just to make sure that the utilities run as scheduled. I would highly advise doing this on your Mac.

Thanks for reminding me though I need to lock down my account on Windows again since I have been recently rebuilding the box...

lieb39 · Feb 16, 2006

Thanks everyone, I'm now running a standard login with a separate admin user. No differences.. yet. Haha.

Cheers,

lieb39

Leeloo the 5th · Feb 19, 2006

Thanks for the insight Bankshot and others!
I've just changed my account to standard after creating a separate Admin account. I'll do the same on my dad's iBook soon.

Ahh, where would I be without you guys? Still on a pc I guess....

YS2003 · Feb 20, 2006

Creat new acct as Admi and make the current one a Normal

I have been using my Macs under one user (myself as administrator). If I create a new account and make it "Administrator" and make my current account (which is currently a sole account and is a sole administrator) to the normal user (ie. not administrator), does it cause any problem with my files/programs which were created, installed, or maintained prior to this change?

Since I have files/favorites created with my current account (which runs as administrator), I don't want to go through duplicating all of my personal preferences/files/set up with this new account. So, I though it would be easier to make a new account and make it an administrator and make my current account a normal user.

Is that a good way to do this? Or, does this cause some problem?

pjo · Feb 20, 2006

remember to chown

YS2003 said:
I have been using my Macs under one user (myself as administrator). If I create a new account and make it "Administrator" and make my current account (which is currently a sole account and is a sole administrator) to the normal user (ie. not administrator), does it cause any problem with my files/programs which were created, installed, or maintained prior to this change?

Since I have files/favorites created with my current account (which runs as administrator), I don't want to go through duplicating all of my personal preferences/files/set up with this new account. So, I though it would be easier to make a new account and make it an administrator and make my current account a normal user.

Is that a good way to do this? Or, does this cause some problem?

That should be fine, just remember to check the permissions of the files/folders under the Applications folder. You may need to change some of them to the new "admin" - depending on what you have installed.

Also it would be nice to create the new admin, check/change permissions in Applications folder, and after you know it's working then demote your current user to an ordinary one.

YS2003 · Feb 20, 2006

pjo said:
That should be fine, just remember to check the permissions of the files/folders under the Applications folder. You may need to change some of them to the new "admin" - depending on what you have installed.

Also it would be nice to create the new admin, check/change permissions in Applications folder, and after you know it's working then demote your current user to an ordinary one.

Thanks for posting your comment on this. I have set up a new Admi account and demoted my sole account (which was Admi) to the standard user. So far, everything works. I recall some software asked me to make that software available for only one user or all users; luckily, I told the installer to make it available for all users on the Mac.

When I run repair permission from Disk Utility, Mac prompts me to enter Admi name/password before proceeding with the repair permission process. This extra layer of security is good one to have now that Mac is somewhat getting popular and gaining some market share one iota after iota.

I am planning to do the same set up for my other 2 Macs (12" Al PB and 15" Al PB), after testing out throughly with my 15" Ti and 12" iBook.

dogbone · Feb 20, 2006

I already had a spare trouble shooting admin so all I needed to do was demote my current admin. But funnily enough I still felt a resentment at being 'demoted' to a proletariat standard user.

YS2003 · Feb 20, 2006

Now that we are talking about changing the original Admini account to standard user, I had to go through some headache with my Windows XP Tablet. Because I have been using the default Admini account from the get-go on this Fujitsu Tablet, I only had one Admini user account which is named after my name.

So, I decided to add a new admini so that I can demote my original admini to standard user (so that I can keep the desktop short cuts and all of my personal preferences). Boy, was I wrong. As soon as I created a new admini account, my original admini disappeared! I know it is in the hard drive (as I can see some of the software and files under C drive). But, I had to re-build my personal settings (short cuts on the desktop, downloading some plug in for Gecko tip for Firefox, setting up Outlook, and etc). Then, I created another admini (which is the 2nd new user I just opened) so that I can make this first new admini a standard account.

So, I found it is easier to work on multiple user accounts with different privileges under Mac than Windose.

Dalriada · Feb 22, 2006

Sorry very silly question (maybe a nomination for next year's Demi Awards ?) I have created a new Admin account and I was planning after changing permissions to demote my daily user account to a Standard user... but I can't log into the new Admin account... (meaning I can only see my daily user account prompt when I boot up ?!?)

Kernow · Feb 22, 2006

^^ I have exactly the same issue. You can log in if you go to System Preferences>Users>Login Options and select name and password fields in the login window, but the new administrator does not appear in either the login window when shown as a list of users or the fast user switching menu.

It hasn't bothered me so much yet, and I haven't had time to get round to troubleshooting this, but if anyone can provide an easy answer, that would be great.

YS2003 · Feb 22, 2006

Dalriada, have you tried "log in options" in "Accounts" in System Preferences? There is an option to let Mac show all the user names at the start up so that you can pick the user to log in.

So far, my Macs are all showing my normal standard user and admini user.

What I did is make a new admini, do repair permission, log in as new admini to test it out, log out, log in as my original admini and demote it to standard, repair permission, log out, and log in as either this new admini or new standard. So far, everything is working well for me.

Kernow · Feb 22, 2006

^^ That's pretty much exactly what I did. The problem is that the new admin user is not appearing in the list of users to log in. The account exists and works fine, as you can log in through the name and password option on the login window, but to get to this, you have to go through system preferences, enter an admin password to make changes etc.

I am not the only user on my Mac, so it is far more convenient to have the list option, but it is irritating that the Admin user does not appear in this list.

Dalriada · Feb 22, 2006

YS2003 Thanks yours - looks I can log into the new Admin accnt when selecting show name&password but not, as Kernow also says, when selecting show list of users.... I'd like just to use the fast switch with a password rather than having to type each time the full user name....

YS2003 · Feb 22, 2006

pjo said:
That should be fine, just remember to check the permissions of the files/folders under the Applications folder. You may need to change some of them to the new "admin" - depending on what you have installed.

Also it would be nice to create the new admin, check/change permissions in Applications folder, and after you know it's working then demote your current user to an ordinary one.

You have pointed out an interesting issue. When you install programs (either through installer or DMG file) while running as an Admini, do those installed programs tend to be available for all the users who would be using the same computer?

I am assuming all of the software I installed under my original Admini account would be available for standard users. I recall I only saw a few programs who asked me if I wanted to make that particular software available for that particular user account only; but, natually, I chose make it available for all the user accounts on my Mac.

The exception to this was Adobe CS2. When I tried to run Adobe Updater for my CS2, I was not able to run it while I was logged in as Standard. So, I logged out and logged in as Admini to run the updater.

Search

Search

Run as Admin account everyday; Dangerous?

lieb39

macrumors 6502

frankblundt

macrumors 65816

thomasp

macrumors 6502a

bankshot

macrumors 65816

atszyman

macrumors 68020

lieb39

macrumors 6502

Leeloo the 5th

macrumors member

YS2003

macrumors 68020

pjo

macrumors regular

YS2003

macrumors 68020

dogbone

macrumors 68020

YS2003

macrumors 68020

Dalriada

macrumors 6502

Kernow

macrumors 65816

YS2003

macrumors 68020

Kernow

macrumors 65816

Dalriada

macrumors 6502

YS2003

macrumors 68020

Our Staff