faintember said:
So to continue in that vein, with my old admin account as a non-admin now, and the new Admin account with possession of both the /applications and the /library, the only difference that I should notice is when (if) I install an application I should not do it from my non-admin account, but rather do it from my Admin account, rather than just installing it in my non-admin account by using the Admin password, right?

Something like this should be a guide/sticky after this recent trojan happening.

:eek: HUH?? That didn't make sense to me....

Yes, definitely needs a sticky/guide.
 
I knew it was confusing, so here is another go at it...

My old Admin account was demoted to be a non-admin account.
I created a new Admin account, and assigned ownership of the /applications and /library to it.

So the only difference from my previous setup is that I have to install programs via the new Admin account in order to keep my non-Admin account "safe"?
 
Yes, do all your admin-type things -- especially installing software and running Software Update -- from the newly anointed admin account.
 
iMeowbot said:
Yes, do all your admin-type things -- especially installing software and running Software Update -- from the newly anointed admin account.

iMeowbot, I have a question... Rather than having to log in with the admin account each time I want to install software, wouldn't it be as easy to just use the standard account, and then after installing change ownership through command + I? Just a question as to what the difference between both methods is.
 
frenetic said:
iMeowbot, I have a question... Rather than having to log in with the admin account each time I want to install software, wouldn't it be as easy to just use the standard account, and then after installing change ownership through command + I? Just a question as to what the difference between both methods is.
You could do that, but there are drawbacks. Some installers like to scatter files all over the world, not always in the directories you may be expecting. By running installers from the dedicated account, you won't have to worry about missing anything.

I would NOT trust installers to do the right thing with permissions and ownership in other directories. If installers were working with security in mind, this wouldn't be an issue in the first place (there's no need for even the admin user to have write access to all those files!).
 
It's interesting. Whenever in the past I have mentioned to fellow Mac users that I have an antivirus application installed mainly because I don't want to unknowingly pass a virus to my PC-using friends and colleagues, the general response I get is "...... stuff the PC users. It's their responsibility to deal with viruses, not ours..." or "... hey if PC users aren't smart enough to use the proper precautions to avoid downloading viruses then why should we Mac users worry about it..."

Now this small event has taken place and suddenly I read people moaning and berating the person who posted it here. Whatever happened to self responsibility?
 
iMeowbot said:
You could do that, but there are drawbacks. Some installers like to scatter files all over the world, not always in the directories you may be expecting. By running installers from the dedicated account, you won't have to worry about missing anything.

I would NOT trust installers to do the right thing with permissions and ownership in other directories. If installers were working with security in mind, this wouldn't be an issue in the first place (there's no need for even the admin user to have write access to all those files!).

Ok, thanks, I hadn't thought about the fact that other files are installed (like in the library/application support). Thanks for the clear explanation...
 
iMeowbot said:
Yeah. Under OS X it's really easy to do that, just use the "Allow user to administer this computer" checkbox in the Accounts preference pane to toggle group membership.

You should follow this up by changing the owner of files in /Applications and probably also /Library away from your original username, either to the new admin account, or to root (if you change ownership through the Finder's Get Info, root will be listed as "system").


About changing ownership of /Library - which library folder does that mean? If it's the library when I'm logged in as admin I'm ok (it's already owned by system).

But if it's the library when I'm logged in as my every-day user, is it the Library under Ann, or the Library under Macintosh HD?

I should probably understand which account you're talking about, but my brain's on overload here, sorry.

I assume I can use a variant of the terminal command I learned yesterday to do this, cd /Library, but then sudo chown -R adminname:admin *.lib (or something like that???)


It's very weird, iMeowbot, but your Spock avatar really makes me take everything you say as gospel. I hear the words in your post in Spock's voice :eek: :D
 
annk said:
About changing ownership of /Library - which library folder does that mean? If it's the library when I'm logged in as admin I'm ok (it's already owned by system).

It's the Library folder directly under Macintosh HD (or whatever you call it).

There is another one called /System/Library that you may also want to glance at, but generally it is less of an issue because user programs rarely install things there.

I assume I can use a variant of the terminal command I learned yesterday to do this, cd /Library, but then sudo chown -R adminname:admin *.lib (or something like that???)
Yeah. I would just use sudo chown root * (and leave the group alone).
It's very weird, iMeowbot, but your Spock avatar really makes me take everything you say as gospel. I hear the words in your post in Spock's voice :eek: :D
That settles it, next week I'm switching to Tinky-Winky :D
 
AppleTalk Aust said:
It's interesting. Whenever in the past I have mentioned to fellow Mac users that I have an antivirus application installed mainly because I don't want to unknowingly pass a virus to my PC-using friends and colleagues, the general response I get is "...... stuff the PC users. It's their responsibility to deal with viruses, not ours..." or "... hey if PC users aren't smart enough to use the proper precautions to avoid downloading viruses then why should we Mac users worry about it..."

Now this small event has taken place and suddenly I read people moaning and berating the person who posted it here. Whatever happened to self responsibility?

That's a good point.

I admit I was early to judge and say those who did allow this to run were stupid. I was wrong. I didn't know that this thing could open without an Admin password.

You're right, but a lot of viruses and trojans and worms infect Windows without user interaction. This one has to be initiated by the user. So, as far as anti-virus goes? I still feel like I'm safe. I know I have to watch out for these things, but I don't worry about it.
 
howesey said:
I'm sure the webmasters on this site would be happy to give the IP address to the police. It's not hard, already known three malware creators and one scammer get arrested and charged off other forums for doing similar things.

It wasn't a well written script. Guessing it was made by a 13 year old scriptkiddie.

Read more here: http://securityresponse.symantec.com/avcenter/venc/data/osx.leap.a.html

1. Anyone who's even remotely intelligent wouldn't submit this to an IP they can be traced from. It's called Starbucks or a Cyber Cafe.
2. Script kiddies do not write their own code. Script kiddies USE scripts and apps OTHERS have written to do what they do.
3. The basics of understanding how they could use Spotlight to inflict the damage is a harder concept to understand than just some average 13 year old kid. Why do you think so few malicious scripts have been found for OS X?
 
It's the Library folder directly under Macintosh HD (or whatever you call it).

When I'm logged in as user, or as admin?


Yeah. I would just use sudo chown root * (and leave the group alone).

So that's a complete command? I just use:

sudo chown root * (after I type in the first command I mentioned)??? I know nothing about commands...



That settles it, next week I'm switching to Tinky-Winky :D

NOOOO!!! I LOVE Spock!
 
annk said:
When I'm logged in as user, or as admin?
You would have to be logged in as the admin or sudo won't work.

So that's a complete command? I just use:

sudo chown root *

Yup. And if you want to let it run down the subdirectories,

sudo chown -R root *

(that would be instead of the other chown command you mentioned earlier.)

NOOOO!!! I LOVE Spock!
But it's EVIL SPOCK! He's got a beard!
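
An added example, not part of any post in this thread: a read-only check that lists which entries are still not owned by root, useful before or after the chown commands discussed above and for catching files an installer scattered elsewhere. The function names and the sample tree are constructed for illustration; uid 0 is root.

```shell
#!/bin/sh
# Added example: read-only ownership audit. Nothing here changes any file.

# audit_owner DIR UID
# Lists entries under DIR that are NOT owned by numeric UID, plus any
# non-symlink entries that are world-writable.
audit_owner() {
    find "$1" \( ! -user "$2" -o \( ! -type l -perm -0002 \) \) -print 2>/dev/null
}

# count_findings DIR UID -> number of entries audit_owner would list
count_findings() {
    audit_owner "$1" "$2" | wc -l | tr -d ' '
}

# make_sample_tree -> path of a constructed stand-in for /Library,
# owned by whoever runs the script, with group/other write removed.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/Application Support/SomeApp" "$t/Preferences"
    : > "$t/Application Support/SomeApp/helper"
    : > "$t/Preferences/com.example.someapp.plist"
    chmod -R go-w "$t"
    echo "$t"
}

# Demo on the constructed tree (6 entries including the top directory).
tree=$(make_sample_tree)
me=$(id -u)
echo "expecting owner uid $me: $(count_findings "$tree" "$me") findings"
echo "expecting a different uid: $(count_findings "$tree" $((me + 1))) findings"
rm -rf "$tree"

# On the real system, from the admin account:
#   audit_owner /Applications 0
#   audit_owner /Library 0
```

Anything the audit prints for /Applications or /Library is an entry the chown did not cover or that a later installer created under another owner.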
 
annk said:
So that's a complete command? I just use:

sudo chown root * (after I type in the first command I mentioned)??? I know nothing about commands...

Right here is the reason things like this will always happen. You say you have no idea what this command does but you are prepared to listen to someone on a forum and just type exactly what they said. This is how this dumbware spreads in the first place. OS X is a UNIX-like OS; if you have no idea what a command does, check out its man page to make sure you aren't breaking your system.

So...

man sudo
man chown

then yeah feel free to do it, it won't hurt!

The problem with these kinds of malicious programs is they really can't do crap unless someone is dumb enough to run them in the first place. If you have no idea how a UNIX-like OS runs, how about you don't muck around with it, and don't use the command line, and don't download and run programs from people you don't know?
 
iMeowbot said:
You would have to be logged in as the admin or sudo won't work.



Yup. And if you want to let it run down the subdirectories,

sudo chown -R root *

(that would be instead of the other chown command you mentioned earlier.)

Got it, thanks.


But it's EVIL SPOCK! He's got a beard!

Oh, yeah, didn't think about that. Lose the beard next week :p


 
risc said:
Right here is the reason things like this will always happen. You say you have no idea what this command does but you are prepared to listen to someone on a forum and just type exactly what they said. This is how this dumbware spreads in the first place. OS X is a UNIX-like OS; if you have no idea what a command does, check out its man page to make sure you aren't breaking your system.

So...

man sudo
man chown

then yeah feel free to do it, it won't hurt!

The problem with these kinds of malicious programs is they really can't do crap unless someone is dumb enough to run them in the first place. If you have no idea how a UNIX-like OS runs, how about you don't muck around with it, and don't use the command line, and don't download and run programs from people you don't know?

Umm...point taken, but you have to account for the fact that someone who's been following the forum for a couple years (me), and sees who tends to post helpful advice (iMeowbot among others), can feel reasonably safe in following those peoples' instructions. It's by asking questions and getting information here (among other places) that I've learned and become a more intelligent computer user. I'm sure I'm not alone in feeling that way about MR.
 
risc said:
... if you have no idea what a command does check out its man page to make sure you aren't breaking your system.

So...

man sudo
man chown

Excellent point! Don't just type what someone says without understanding what's going on... hypothetically, what if he was really 'evil spock' and gave you the command to erase your HD!
 
annk said:
Umm...point taken, but you have to account for the fact that someone who's been following the forum for a couple years (me), and sees who tends to post helpful advice (iMeowbot among others), can feel reasonably safe in following those peoples' instructions.

I have no problem with you listening to iMeowbot, but this whole entire thread (and the rest of them) are caused by people downloading and running an app linked to by a NEWBIE. Alarm bells should have gone off right then. This is why I say above "people you don't know". If you trust iMeowbot, and I can't see why you wouldn't, go for it; take some responsibility though and consider learning how the OS actually works. Also don't take it the wrong way, I'm not picking you out of the crowd, I just think people need to wake up to how powerful any UNIX-like OS is.
 
I think there needs to be a little more of a setup if one wants to be safe.

It requires having 3 accounts.
1 admin account that everything is installed on and all admin stuff is done through.
1 user account that does not have admin access

and lastly

1 admin account that is never used. The last admin account is only used if something goes wrong with the computer, because it has never been messed with so it is still clean.


But even if you don't want to go through all that trouble, everyone should have 1 admin account set aside that is never messed with and is just a clean admin account.
 
Timepass said:
1 admin account that is never used. The last admin account is only used if something goes wrong with the computer, because it has never been messed with so it is still clean.
That one's already built into the system. There are both single user mode and install discs to recover from big problems.
 