Run as root or not?

Forkjulle

macrumors regular
Original poster
Aug 1, 2012
211
1
I read in another forum that after getting a Mac, one should create another login account (without admin privileges) so that one doesn't log in as root (for security reasons).

Is this necessary?
 

GGJstudios

macrumors Westmere
May 16, 2008
44,419
758
I read in another forum that after getting a Mac, one should create another login account (without admin privileges) so that one doesn't log in as root (for security reasons).

Is this necessary?
The default user account is not root, but an admin account, which is perfectly fine to use on a daily basis. It is not necessary to set up a different account than the one you started with, unless you're adding another user.
 
Nov 28, 2010
22,684
27
located
A normal Admin account is not running with root privileges. Running a normal Admin account is nothing to be feared of, as everything that wants access to system files or folders asks for a password anyway.
 

Forkjulle

macrumors regular
Original poster
Aug 1, 2012
211
1
So, admin and root are not the same? Okay. (I come from an Ubuntu background.)
 

lostngone

macrumors 65816
Aug 11, 2003
1,356
2,954
Anchorage
I read in another forum that after getting a Mac, one should create another login account (without admin privileges) so that one doesn't log in as root (for security reasons).

Is this necessary?
The Mac admin account and root are two different things. By default root is disabled.

Yes you can create a new non-admin user and run as that user.

In most cases root should stay disable and if you need elevated privileges just use "sudo -i"
 

killerrobot

macrumors 68020
Jun 7, 2007
2,218
0
127.0.0.1
What layer? There is no security advantage to setting up a separate non-admin account.
It asks you to type in the admin account name as well as the password, instead of just the password for any system changes.

Pretty useless I know, but it's an extra "step". Also, I think it all really depends on if you're the sole user of the computer or not. If you're sharing it with others, then it's best to use a standard at all times and keep the admin user/password combo to yourself if you're the admin.

Also, a simple google search shows not running even as admin even though it doesn't have root access if preferable security wise (if you want to believe them or not its up to you).
https://www.google.com/search?q=advantages+setup+non+admin+account+mac&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a
 
Last edited:

GGJstudios

macrumors Westmere
May 16, 2008
44,419
758
It asks you to type in the admin account name as well as the password, instead of just the password for any system changes.
A standard user can install some apps for that user without entering an admin password, so there is no extra step in many cases.
If you're sharing it with others, then it's best to use a standard at all times and keep the admin user/password combo to yourself if you're the admin.
If you're sharing with others, it's best to set up a separate account for each user, whether your account is standard or admin. Again, no advantage to running standard.

Also, a simple google search shows not running even as admin even though it doesn't have root access if preferable security wise (if you want to believe them or not its up to you).
Yes, I know many people claim it's preferable, but they're just repeating what they heard. I think many carry over this line of thought from Windows, where there is more of a security difference. They don't provide any proof that there is an advantage on Mac OS X.

There is no security benefit to running a standard vs an admin account.
 
Last edited:

killerrobot

macrumors 68020
Jun 7, 2007
2,218
0
127.0.0.1
A standard user can install apps for that user without entering an admin password, so there is no extra step in many cases.
A standard user is almost always asked to authenticate (enter admin username and password) when installing a new app while an admin is not. That's the extra step of protection. Unless they changed this in Mountain Lion, it has always been that way as far as I remember under OSX.

Is it worth the extra step of protection if you're the only user and you know what you're doing? Probably not. However with more and more malware available, it's an added step of security. Again, it's up to the user if they want it or not.

EDIT: I noticed you placed "some" in front of apps, which I agree with. However, it is not all, and that's an added step of security.
 

GGJstudios

macrumors Westmere
May 16, 2008
44,419
758
A standard user is almost always asked to authenticate (enter admin username and password) when installing a new app while an admin is not.
That's not true. Create a standard user account. Download, install and launch iStat Pro. Download and launch All2MP3. This is just 2 examples where no password is requested or required. Some apps will ask for a password; many don't.
 

killerrobot

macrumors 68020
Jun 7, 2007
2,218
0
127.0.0.1
That's not true. Create a standard user account. Download, install and launch iStat Pro. Download and launch All2MP3. This is just 2 examples where no password is requested or required. Some apps will ask for a password; many don't.
I edited my "always" to an "almost always" realizing this. Download Adium and it requests a password. I imagine it requests to authenticate if it has to write anything to the system library as opposed to just the user library.

So, I'll rewrite my original post.

No it's not necessary.
It CAN create an additional layer of security.
 

chown33

Moderator
Staff member
Aug 9, 2009
8,560
4,626
inter-prandial
Running as non-admin should add an authentication step when deleting standard installed-with-the-OS programs.

How many times have people come here and posted "I accidentally deleted my System Preferences? Where do I get a replacement?".
 

munkery

macrumors 68020
Dec 18, 2006
2,217
1
A standard user is almost always asked to authenticate (enter admin username and password) when installing a new app while an admin is not. That's the extra step of protection. Unless they changed this in Mountain Lion, it has always been that way as far as I remember under OSX.
Any app that installs without password authentication in an admin account can be installed in a standard account by adding an Applications folder in the user's home directory and then installing apps in that Application folder instead of the default Applications folder.

Is it worth the extra step of protection if you're the only user and you know what you're doing? Probably not. However with more and more malware available, it's an added step of security. Again, it's up to the user if they want it or not.
Sources referring to the admin accounts on Mac being dangerous always refer to files being modified by malware that require password authentication to modify. For example, files in the /System folder.

The logic being if a user can authenticate the change then it is a dangerous account type. So, if your the admin you don't want non-admins to have that capability.

But on a single user system where the user will know the admin password even if running as a standard user it makes no difference because the user can authenticate using the admin account credentials from the standard account.

Sources making admin accounts on Mac sound like a security risk seem to make it sound like the referred to modifications occur without password authentication, which is untrue.
 
Last edited:

munkery

macrumors 68020
Dec 18, 2006
2,217
1
Running as non-admin should add an authentication step when deleting standard installed-with-the-OS programs.

How many times have people come here and posted "I accidentally deleted my System Preferences? Where do I get a replacement?".
All default (installed-with-the-OS) apps can't be modified or deleted. The user isn't even asked to authenticate.

The apps can still be modified if you "Show package contents" of the application bundle and make changes to the files within the bundle. You will be prompted for password authentication to complete the changes.

I believe this started with Lion? In SL, these apps could be modified or deleted with password authentication.

Mac App Store apps require password authentication to modify and delete since the introduction of the Mac App Store.
 

Attachments

Last edited:

munkery

macrumors 68020
Dec 18, 2006
2,217
1
So, admin and root are not the same? Okay. (I come from an Ubuntu background.)
BTW, Ubuntu account types are the same as OS X.

Root is deactivated but can elevate privileges via sudo, which requires admin password.