Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

How to use Handbrake with Standard user account?

B

bramhall

macrumors newbie
Original poster
Nov 25, 2014
22
2
Hi, I want to install Handbrake to transcode for the AppleTV and would be grateful if Handbrake users could advise on installing this software.

I have sole use of a Mac Mini but use a "Standard" account for day to day working (in case it is more secure than the "Admin" account) and all my files are in this "Standard" account.

  1. Is it best to install Handbrake in the "Admin" account or just in the "Standard" account, where my files are?
  2. If I install it in "Admin", will it be available and run OK in the "Standard" account, where my files are located, or do I have to run it in "Admin" with, presumably, elevated privileges?
Sorry for the simple nature of the questions but I am new to Macs, having previously used Handbrake on PC's, and it's the first thing I want to install.

Many thanks for any replies. :)
 
Just drag the app from the installation disk image to the Application folder. It will be available for use by all users from all accounts. Going forward just make sure the final output is going to a directory that your "standard" account has access to. Worst case: you may be prompted to enter the Admin password to continue the workflow.
 
Hi, thanks for all the replies.

With Handbrake being non-app store/unsigned I was wondering whether it was safer to just install and run it from a Standard account, if it would work from one.

However, if as T'hain Esh Kelch, above, says "A standard account is not more secure" I will just install it from the Admin account and hopefully it will be available and run OK in the Standard account where my files are.
 
It doesn't matter what account you "install" it with (since it doesn't actually install anything, it is just the app bundle). It takes on the permissions of the account it is run with. So if you run from the standard account, it has the standard account's permissions, even if it was "installed" by the admin user.

And I disagree with the comment that the standard account isn't more secure. But if they mean that it doesn't matter which account installs it, then yes, absolutely correct.

When running a malicious app, because it has your permissions, running it in a standard account will limit the damage it can do to things your account can do. So it shouldn't be able to modify apps installed by the admin, and it shouldn't be able to write to /Library. Not without asking for a password first, for the most part, which should be a red flag.

But if it isn't sandboxed, then it can access the files in your account. But that's always true for any app not sandboxed running as your account. If handbrake were to sandbox itself, then it would have even less access. And because of things like sandboxing and system integrity protection, the difference between using an admin account and a standard account is getting smaller over time.
 
  • Like
Reactions: 26139
BTW... Since HandBrake doesn't come from the Mac App store you may need to adjust the security settings to let it run. System Prefs-> Security & Privacy (hnlock padlock)-> General-> Allow apps downloaded from: App Store & identified developers
 
Thanks for the reply Krevnik, I will run it from my Standard account, even if I install in the Admin account.

Also, thanks to Longkeg.
 
T'hain Esh Kelch said:
A standard account is not more secure, unless you don't know the password to the admin user.
Click to expand...
This is not accurate. A user who is a member of the admin group has write access to a number of locations that a standard user doesn't. That includes for example the Applications directory, so a process (e.g. malware) that is inadvertantly started by an admin user could e.g. inject code into an application binary.
1 or 2 doesn't matter.
Click to expand...
True. If you install the app into the Application directory, the system will ask you for admin credentials before it can proceed. Once the app is installed, it normally starts under the currently logged in user (unless you explicitly tell the system otherwise), no matter which account you used to install it.
 
Longkeg said:
BTW... Since HandBrake doesn't come from the Mac App store you may need to adjust the security settings to let it run. System Prefs-> Security & Privacy (hnlock padlock)-> General-> Allow apps downloaded from: App Store & identified developers
Click to expand...

Pro-tip:

In this situation, right-click and select "Open" on the app. This will let you bypass the signing check for that app, and will whitelist that app by itself. No change of security settings needed.

I use this mostly because it forces me to be aware of exactly which apps aren't signing their stuff.
 
Rigby said:
This is not accurate. A user who is a member of the admin group has write access to a number of locations that a standard user doesn't. That includes for example the Applications directory, so a process (e.g. malware) that is inadvertantly started by an admin user could e.g. inject code into an application binary.
Click to expand...
Hence why I wrote that as long as you know the admin password it doesn't matter. A malware installation from the Standard user account would also require the administrator password, and would be no different from the Administrator user as you give it the same access priviledges.
 
T'hain Esh Kelch said:
Hence why I wrote that as long as you know the admin password it doesn't matter. A malware installation from the Standard user account would also require the administrator password, and would be no different from the Administrator user as you give it the same access priviledges.
Click to expand...

That only applies when there is an installer that needs elevation. And Handbrake isn't one of the few that does.
 
T'hain Esh Kelch said:
Hence why I wrote that as long as you know the admin password it doesn't matter. A malware installation from the Standard user account would also require the administrator password, and would be no different from the Administrator user as you give it the same access priviledges.
Click to expand...
When running under an admin account, any (non-sandboxed) app you start can write into /Applications (and a number of other sensitive locations) without prompting.

Try this: start a terminal under your admin account and type "touch /Applications/test123". You will get no prompt and a file has been created in /Applications. You could just as well have overwritten some application binary with a malicious version. Now try the same again under a standard user account. You'll get "permission denied".

The same is true for any application you run. And if that application happens to have a vulnerability that e.g. allows remote code execution, it can be used to inject malware into your system. SIP ("rootless") protects a number of critical system directories, but there are still enough locations left that are not protected.

A basic principle of computer security is to always run with the least privileges necessary.
 
Last edited:
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back