Admin account security question

[ksgant]

There is an article at blog.cocoia.com about "hardening" the security for OS X. In it, it suggests having a separate account for your admin...which you don't log into....and setting up a "normal" account for you to use everyday.

I've been using my Mac with my account that I set up on day one...which is also the Admin account. Everything I do outside this account...like change system wide preferences....requires the admin password to do. Why would I need to make a separate Admin account and use a "normal" account for day-to-day functions. I mean, it's the same thing, if I wanted to change something system-wide on a normal account, it will still ask for a password.

I could see doing this if the Admin account = root, but it doesn't. But does anyone else out there just run in a Normal account and have a separate, rarely used Admin account?

 

[Chaszmyr]

You'll definitely find some people around here that don't run their admin account. Ideally, it shouldn't really matter, but every once in a while a vulnerability comes along that can only be executed when logged into the admin account.

 

[osirisX]

At first I ran my Mac like that. My account was the admin account. But then that account had some issues. By that time I had read somewhere that you should set up 2 accounts, 1 for yourself which is managed and 1 as an admin. So it set my Mac up like that. It is generally safer to run it like this. The only thing I find annoying is that the admin account's username isn't automatically filled out in the confirmation dialogues.

 

[rhoydotp]

i really don't think this is necessary. macosx, due to its unix root already has a "root" user that has all the authority to do unimaginable things to your machine. your "admin" account is an account that, while it really does not have full authority, can have authority via a "sudo" which gives it "admin" or root-like privileges. everytime it needs "admin" privileges, it will as ask you to type in the password. unless you allow some random code or virus to fool you into typing your password without you thinking about it, you should be fine.

let me know if this makes sense. englis is my secondary language, you know

 

[2ndPath]

i really don't think this is necessary. macosx, due to its unix root already has a "root" user that has all the authority to do unimaginable things to your machine. your "admin" account is an account that, while it really does not have full authority, can have authority via a "sudo" which gives it "admin" or root-like privileges. everytime it needs "admin" privileges, it will as ask you to type in the password. unless you allow some random code or virus to fool you into typing your password without you thinking about it, you should be fine.

let me know if this makes sense. englis is my secondary language, you know

Acutally there is more to the admin user than just the ability to use "sudo". An admin user is member of the unix group admin on Mac OS X. Members of this group have access to some system files and directories without needing to use sudo or the GUI equivalent. So there is additional security to be gained from using a separate account for daily use, which is not an admin account.

 

[rhoydotp]

Acutally there is more to the admin user than just the ability to use "sudo". An admin user is member of the unix group admin on Mac OS X. Members of this group have access to some system files and directories without needing to use sudo or the GUI equivalent. So there is additional security to be gained from using a separate account for daily use, which is not an admin account.

thanks for pointing that out. i guess my point is, don't be stupid, you'll be fine with the admin account.