How to use Handbrake with Standard user account?

Discussion in 'Apple TV and Home Theater' started by bramhall, Jan 17, 2017.

  1. bramhall macrumors newbie

    Joined:
    Nov 25, 2014
    #1
    Hi, I want to install Handbrake to transcode for the AppleTV and would be grateful if Handbrake users could advise on installing this software.

    I have sole use of a Mac Mini but use a "Standard" account for day to day working (in case it is more secure than the "Admin" account) and all my files are in this "Standard" account.

    1. Is it best to install Handbrake in the "Admin" account or just in the "Standard" account, where my files are?
    2. If I install it in "Admin", will it be available and run OK in the "Standard" account, where my files are located, or do I have to run it in "Admin" with, presumably, elevated privileges?
    Sorry for the simple nature of the questions but I am new to Macs, having previously used Handbrake on PC's, and it's the first thing I want to install.

    Many thanks for any replies. :)
     
  2. T'hain Esh Kelch macrumors 601

    T'hain Esh Kelch

    Joined:
    Aug 5, 2001
    Location:
    Denmark
    #2
    A standard account is not more secure, unless you don't know the password to the admin user.

    1 or 2 doesn't matter.
     
  3. mallbritton macrumors 6502a

    Joined:
    Nov 26, 2006
    #3
    Install Handbrake into the Standard User Account. It ought to run fine.
     
  4. Longkeg macrumors regular

    Joined:
    Jul 18, 2014
    Location:
    S. Florida
    #4
    Just drag the app from the installation disk image to the Application folder. It will be available for use by all users from all accounts. Going forward just make sure the final output is going to a directory that your "standard" account has access to. Worst case: you may be prompted to enter the Admin password to continue the workflow.
     
  5. bramhall thread starter macrumors newbie

    Joined:
    Nov 25, 2014
    #5
    Hi, thanks for all the replies.

    With Handbrake being non-app store/unsigned I was wondering whether it was safer to just install and run it from a Standard account, if it would work from one.

    However, if as T'hain Esh Kelch, above, says "A standard account is not more secure" I will just install it from the Admin account and hopefully it will be available and run OK in the Standard account where my files are.
     
  6. Krevnik macrumors 68040

    Krevnik

    Joined:
    Sep 8, 2003
    #6
    It doesn't matter what account you "install" it with (since it doesn't actually install anything, it is just the app bundle). It takes on the permissions of the account it is run with. So if you run from the standard account, it has the standard account's permissions, even if it was "installed" by the admin user.

    And I disagree with the comment that the standard account isn't more secure. But if they mean that it doesn't matter which account installs it, then yes, absolutely correct.

    When running a malicious app, because it has your permissions, running it in a standard account will limit the damage it can do to things your account can do. So it shouldn't be able to modify apps installed by the admin, and it shouldn't be able to write to /Library. Not without asking for a password first, for the most part, which should be a red flag.

    But if it isn't sandboxed, then it can access the files in your account. But that's always true for any app not sandboxed running as your account. If handbrake were to sandbox itself, then it would have even less access. And because of things like sandboxing and system integrity protection, the difference between using an admin account and a standard account is getting smaller over time.
     
  7. Longkeg macrumors regular

    Joined:
    Jul 18, 2014
    Location:
    S. Florida
    #7
    BTW... Since HandBrake doesn't come from the Mac App store you may need to adjust the security settings to let it run. System Prefs-> Security & Privacy (hnlock padlock)-> General-> Allow apps downloaded from: App Store & identified developers
     
  8. bramhall thread starter macrumors newbie

    Joined:
    Nov 25, 2014
    #8
    Thanks for the reply Krevnik, I will run it from my Standard account, even if I install in the Admin account.

    Also, thanks to Longkeg.
     
  9. Rigby macrumors 601

    Joined:
    Aug 5, 2008
    Location:
    San Jose, CA
    #9
    This is not accurate. A user who is a member of the admin group has write access to a number of locations that a standard user doesn't. That includes for example the Applications directory, so a process (e.g. malware) that is inadvertantly started by an admin user could e.g. inject code into an application binary.
    True. If you install the app into the Application directory, the system will ask you for admin credentials before it can proceed. Once the app is installed, it normally starts under the currently logged in user (unless you explicitly tell the system otherwise), no matter which account you used to install it.
     
  10. Krevnik macrumors 68040

    Krevnik

    Joined:
    Sep 8, 2003
    #10
    Pro-tip:

    In this situation, right-click and select "Open" on the app. This will let you bypass the signing check for that app, and will whitelist that app by itself. No change of security settings needed.

    I use this mostly because it forces me to be aware of exactly which apps aren't signing their stuff.
     
  11. T'hain Esh Kelch macrumors 601

    T'hain Esh Kelch

    Joined:
    Aug 5, 2001
    Location:
    Denmark
    #11
    Hence why I wrote that as long as you know the admin password it doesn't matter. A malware installation from the Standard user account would also require the administrator password, and would be no different from the Administrator user as you give it the same access priviledges.
     
  12. Krevnik macrumors 68040

    Krevnik

    Joined:
    Sep 8, 2003
    #12
    That only applies when there is an installer that needs elevation. And Handbrake isn't one of the few that does.
     
  13. T'hain Esh Kelch macrumors 601

    T'hain Esh Kelch

    Joined:
    Aug 5, 2001
    Location:
    Denmark
    #13
    Your point being?
     
  14. Rigby, Jan 18, 2017
    Last edited: Jan 18, 2017

    Rigby macrumors 601

    Joined:
    Aug 5, 2008
    Location:
    San Jose, CA
    #14
    When running under an admin account, any (non-sandboxed) app you start can write into /Applications (and a number of other sensitive locations) without prompting.

    Try this: start a terminal under your admin account and type "touch /Applications/test123". You will get no prompt and a file has been created in /Applications. You could just as well have overwritten some application binary with a malicious version. Now try the same again under a standard user account. You'll get "permission denied".

    The same is true for any application you run. And if that application happens to have a vulnerability that e.g. allows remote code execution, it can be used to inject malware into your system. SIP ("rootless") protects a number of critical system directories, but there are still enough locations left that are not protected.

    A basic principle of computer security is to always run with the least privileges necessary.
     
  15. Krevnik macrumors 68040

    Krevnik

    Joined:
    Sep 8, 2003
    #15
    At what point does elevation matter when the app doesn't elevate to run or install?
     

Share This Page