Run as root or not?

The default user account is not root, but an admin account, which is perfectly fine to use on a daily basis. It is not necessary to set up a different account than the one you started with, unless you're adding another user.

 

A normal Admin account is not running with root privileges. Running a normal Admin account is nothing to be feared of, as everything that wants access to system files or folders asks for a password anyway.

 

No, it's not necessary.
Yes, it does add an extra layer of security.

 

What layer? There is no security advantage to setting up a separate non-admin account.

 

The Mac admin account and root are two different things. By default root is disabled.

Yes you can create a new non-admin user and run as that user.

In most cases root should stay disable and if you need elevated privileges just use "sudo -i"

 

It asks you to type in the admin account name as well as the password, instead of just the password for any system changes.

Pretty useless I know, but it's an extra "step". Also, I think it all really depends on if you're the sole user of the computer or not. If you're sharing it with others, then it's best to use a standard at all times and keep the admin user/password combo to yourself if you're the admin.

Also, a simple google search shows not running even as admin even though it doesn't have root access if preferable security wise (if you want to believe them or not its up to you).
https://www.google.com/search?q=adv...s=org.mozilla:en-US:official&client=firefox-a

 

A standard user can install some apps for that user without entering an admin password, so there is no extra step in many cases.

If you're sharing with others, it's best to set up a separate account for each user, whether your account is standard or admin. Again, no advantage to running standard.

Yes, I know many people claim it's preferable, but they're just repeating what they heard. I think many carry over this line of thought from Windows, where there is more of a security difference. They don't provide any proof that there is an advantage on Mac OS X.

There is no security benefit to running a standard vs an admin account.

 

A standard user is almost always asked to authenticate (enter admin username and password) when installing a new app while an admin is not. That's the extra step of protection. Unless they changed this in Mountain Lion, it has always been that way as far as I remember under OSX.

Is it worth the extra step of protection if you're the only user and you know what you're doing? Probably not. However with more and more malware available, it's an added step of security. Again, it's up to the user if they want it or not.

EDIT: I noticed you placed "some" in front of apps, which I agree with. However, it is not all, and that's an added step of security.

 

That's not true. Create a standard user account. Download, install and launch iStat Pro. Download and launch All2MP3. This is just 2 examples where no password is requested or required. Some apps will ask for a password; many don't.

 

I edited my "always" to an "almost always" realizing this. Download Adium and it requests a password. I imagine it requests to authenticate if it has to write anything to the system library as opposed to just the user library.

So, I'll rewrite my original post.

 

Running as non-admin should add an authentication step when deleting standard installed-with-the-OS programs.

How many times have people come here and posted "I accidentally deleted my System Preferences? Where do I get a replacement?".

 

Any app that installs without password authentication in an admin account can be installed in a standard account by adding an Applications folder in the user's home directory and then installing apps in that Application folder instead of the default Applications folder.

Sources referring to the admin accounts on Mac being dangerous always refer to files being modified by malware that require password authentication to modify. For example, files in the /System folder.

The logic being if a user can authenticate the change then it is a dangerous account type. So, if your the admin you don't want non-admins to have that capability.

But on a single user system where the user will know the admin password even if running as a standard user it makes no difference because the user can authenticate using the admin account credentials from the standard account.

Sources making admin accounts on Mac sound like a security risk seem to make it sound like the referred to modifications occur without password authentication, which is untrue.

 

All default (installed-with-the-OS) apps can't be modified or deleted. The user isn't even asked to authenticate.

The apps can still be modified if you "Show package contents" of the application bundle and make changes to the files within the bundle. You will be prompted for password authentication to complete the changes.

I believe this started with Lion? In SL, these apps could be modified or deleted with password authentication.

Mac App Store apps require password authentication to modify and delete since the introduction of the Mac App Store.

 

BTW, Ubuntu account types are the same as OS X.

Root is deactivated but can elevate privileges via sudo, which requires admin password.