Admin or normal account

[Seppola]

Hi

I read on www.mactricksandtips.com that I should use a normal acc instead of an admin acc.
What do you think?

 

[t0mat0]

Day to day, it makes more security sense, right?

 

[angelwatt]

Depends how much security you want/need. There's been a couple of threads on this before. I use a standard account exclusively. Never need to login into my admin account. It's also necessary for where I work for my work machine. In the end, it's up to you. There's not a ton out there that can hurt a Mac.

 

[Seppola]

Thanks, but what are the differences exactly?

 

[angelwatt]

Thanks, but what are the differences exactly?

A standard account doesn't have as many permissions. Installing/copying files into the Applications folder will require you to enter your admin account info (which can be done while logged in as a standard user). Certain System Preferences will require you to enter your admin credentials (though some even require admin users). Things like that. Talking about everything would take too long and likely wouldn't be things that effect you.

 

[gusious]

I say admin account as long as you know what you're doing but as all the other said it's more safe to use normal account. I have an admin account.

 

[kasakka]

I use an admin account as well because I just can't be bothered to type my password every time I change some simple setting.

 

[J the Ninja]

Admins can:

Write to /Applications
Write to /Library
Read several log files normal users cannot
Change system prefs without authenticating (this one can be disabled)
Run sudo
Authenticate (technically, that is just running sudo, so this goes under the previous one)


There are some other things I missed, I'm sure, but those are the major ones. Really, I don't think running as admin day-to-day is a big deal. In fact, the admin account is MEANT to be a day-to-day account, that is the whole point. It's an account with some extra privileges you might need regularly, plus the authority to get the remaining privileges by proving it's you (via sudo)

 

[mslide]

I use an admin account. It's really more a personal preference thing. All running a standard account means, for the average Mac user, is that you'll have to type in a password a few more times than if you used an admin account. Running either one, on a day to day basis, is really not much better/worse than the other as long as you understand the implications. The other reason I like to use the admin account all the time is so I can run sudo, which I tend to do often.

Now, would I want my wife's account to be an admin account? No. She has no reason to install apps or do things that require elevated privileges.

 

[Steve-M]

The concept of using a standard, non administrator account, for your daily use is strictly from a security stand point. If you are doing your daily thing from an account that has system wide write permission, any virus, trojan, or spyware that you run into will also have system wide write permission. On the other hand, if your daily account is a standard user account, any malicious program you run into will not be able to write beyond the home folder of the account your logged into. Thus the malicious program will be at the very least handicapped, if not disabled.

That being said, Mac OS X does have some security precautions built in to help protect the system. For example, nothing gets installed with out your administrator password being entered. I prefer my daily account to be a standard account. The only real difference you will notice in OS X is that you will have to enter your administrator name and password, vs. just the password, and you can not sudo. There are ways around the later, the easiest would be to su into your administrator account before issuing sudo.

 

[MarkMS]

The other reason I like to use the admin account all the time is so I can run sudo, which I tend to do often.

Now, would I want my wife's account to be an admin account? No. She has no reason to install apps or do things that require elevated privileges.

This is why everyone who doesn't know what they are doing should use a Standard account for daily use. I've exclusively use Standard accounts only on all of my machines, even though I know the implications of using an Admin account. I even advise and help set this up for my family and friends. It takes a few seconds to enter your credentials into the dialogue box, but it's worth it.

OS X is become a bigger platform and hackers are slowly beginning to exploit the system. It's better to be prepared now than wait until later. "Socially-engineered" trojans are already on the prowl for OS X machines. Along with the "open safe files after downloading" setting in Safari, OS X can be overtaken by hacker if the user isn't careful. This can become even worse if there is an active exploit that Apple doesn't know about or decides to wait to patch it up.

Just the other day I was reading about someone looking for the Health club shooters blog and stumbled on a site which automatically downloaded a .dmg. He had the open Safe files setting in Safari turned on and it actually opened the .dmg and started the installer without asking him. Luckily, he caught on that it was some weird app and canceled the installer. Most computer illiterate people would have clicked through until the dialogue box was gone.

EDIT: +1 to what Steve-M said.

 

[Steve-M]

Just the other day I was reading about someone looking for the Health club shooters blog and stumbled on a site which automatically downloaded a .dmg. He had the open Safe files setting in Safari turned on and it actually opened the .dmg and started the installer without asking him. Luckily, he caught on that it was some weird app and canceled the installer. Most computer illiterate people would have clicked through until the dialogue box was gone.

Case in point, never surf the web as root.

 

[maflynn]

Personally, I've always logged in as the admin on my computers, be they windows, OSX or Linux (Ubuntu). I never log in as root, as the risk of messing something up is great but as for admin. It seems to make too much sense, at least for me.

 

[mslide]

Case in point, never surf the web as root.

I agree, however, there's a big difference between an OSX admin account and the root account.

 

[Steve-M]

I agree, however, there's a big difference between an OSX admin account and the root account.

This is true, but with the use of sudo, one can do anything from a admin account that root can do. I guess it just boils down to personal preference.

 

[J the Ninja]

This is true, but with the use of sudo, one can do anything from a admin account that root can do. I guess it just boils down to personal preference.

So disable the sudo timeout and use a good password. You can also change the commands that users from group admin can run away from the default of "ALL"

 

[Emmanuel]

If I remember correctly, administrative users are part of the "admin" group, I have also heard people call it the "wheel" group. Basically it allows those users to do some admin level tasks.

It's actually the same as in Ubuntu Linux on the technical side. The root account is disabled, and all administrators use "sudo" (or the graphical equivalent) to get higher privileges.

 

[Steve-M]

The concept of using a standard, non administrator account, for your daily use is strictly from a security stand point. If you are doing your daily thing from an account that has system wide write permission, any virus, trojan, or spyware that you run into will also have system wide write permission. On the other hand, if your daily account is a standard user account, any malicious program you run into will not be able to write beyond the home folder of the account your logged into. Thus the malicious program will be at the very least handicapped, if not disabled.

It is a very basic security precaution not to use a administrator account for your daily account. The above quote is one reason why.

 

[J the Ninja]

If I remember correctly, administrative users are part of the "admin" group, I have also heard people call it the "wheel" group. Basically it allows those users to do some admin level tasks.

It's actually the same as in Ubuntu Linux on the technical side. The root account is disabled, and all administrators use "sudo" (or the graphical equivalent) to get higher privileges.

admin and wheel are two different groups.

 

[Consultant]

If you are doing your daily thing from an account that has system wide write permission, any virus, trojan, or spyware that you run into will also have system wide write permission.

This part is completely false. In OSX, no matter what account type you are using, any operation that happens outside the user folder will have to be authenticated.

 

[dmmcintyre3]

I choose nether. I run as root all the time my computer is on. Never have to type my password at all except on login

 

[J the Ninja]

I choose nether. I run as root all the time my computer is on. Never have to type my password at all except on login

:O

 

[MisterMe]

I choose nether. I run as root all the time my computer is on. Never have to type my password at all except on login

I believe that this poster is beyond help. Lest anyone else be tempted, running as root is an incredibly bad idea. Having run MacOS X since it went online in 2001, I have never had the need to enable my root account. The minor inconvenience incurred in typing my password is a small price to pay for the insurance that I never need to worry about malware.

 

[Steve-M]

This part is completely false. In OSX, no matter what account type you are using, any operation that happens outside the user folder will have to be authenticated.

Please see below.

 

[Steve-M]

I wondered what apple had to say about using a administrator account for daily use. I'm going to quote apples leopard security guide below. You can download and read it for yourself here.

Creating Initial System Accounts

After completing the initial steps in Setup Assistant, you’re presented with the Create Your Account step. In this step, you create a system administrator account. Make this account as secure as possible. Important: The system administrator account should be used only when absolutely necessary to perform administrative tasks. Create additional accounts for nonadministrative use. For more information, see “Types of User Accounts” on page 61.

And from page 61

Unless you need administrator access for specific system maintenance tasks that cannot be accomplished by authenticating with the administrator’s account while logged in as a normal user, always log in as a nonadministrator user. Log out of the administrator account when you are not using the computer as an administrator. Never browse the web or check email while logged in to an administrator’s account. If you are logged in as an administrator, you are granted privileges and abilities that you might not need. For example, you can potentially modify system preferences without being required to authenticate. This authentication bypasses a security safeguard that prevents malicious or accidental modification of system preferences.