Why is it you have to enter a password

Discussion in 'macOS' started by nec207, Apr 25, 2011.

  1. nec207 macrumors 6502

    Joined:
    Mar 21, 2011
    #1
    I'm not sure why you have to keep entering a password sometimes and other times not.

    Also, why is it that some stuff you install needs a password and other stuff not?

    What is with the password thingy that comes up all the time for a password to do some stuff and other stuff not?

    Why is it sometimes and other times not?
     
  2. Intell macrumors P6

    Intell

    Joined:
    Jan 24, 2010
    Location:
    Inside
    #2
    The password is similar to Windows Vista/7's User Account Control feature. It's designed to protect system files from malicious software and unintended file alterations. Some applications don't need to install system files to run. Thus, they don't ask for your password.
     
  3. Dalton63841 macrumors 65816

    Dalton63841

    Joined:
    Nov 27, 2010
    Location:
    SEMO, USA
    #3
    Welcome to Unix, buddy. The password is required for anything that needs administrative rights. It is not required for anything accomplished using your basic user rights.
     
  4. nec207 thread starter macrumors 6502

    Joined:
    Mar 21, 2011
    #4

    So why do some programs need it and other programs not?
     
  5. munkery macrumors 68020

    munkery

    Joined:
    Dec 18, 2006
    #5
    In Mac OS X, it is rare for apps to install in the system level of the OS. Apps that require elevated privileges to run but are installed in the user level of the system will require authentication at launch. This increases security and provides feedback to the user about how much the app can modify the system.

    In Windows, it is not typical that apps are installed in the user level of the system. The only exception to this I can think of is Chrome. Most apps in Windows are installed in the area of the system that requires elevated privileges to complete the installation. These apps may run with restricted privileges, so also prompt for authentication to modify the system level. Or the apps may run with elevated privileges by default, such as AV software, and do not ask for authentication to modify the system level of the OS.

    The user can not distinguish how the app will modify the system during installation in Windows because almost every app requires authentication to install.

    In Mac OS X, most apps will not ask for authentication to install if the app is installed in the appropriate location for the user account type. Apps that install without authentication or do not prompt for authentication at launch can not modify the system level. These apps are sandboxed from the security sensitive levels of the OS. The manner in which apps are installed in Mac OS X allows users to distinguish which apps are sandboxed from the system level.
     
  6. nec207 thread starter macrumors 6502

    Joined:
    Mar 21, 2011
    #6
    So let me explain if I understand your reply.

    OS X has a 3-layer system.


    1. User level (user level, no root user)
    2. System level (root user)
    3. Kernel (super root user)

    No one can access the kernel; it is locked down by Apple, only Apple can access it.

    All system files and drivers are in the System level. The System level is what keeps the OS running.

    In Windows you have a 2-layer system:
    1. System level (root user)
    2. Kernel (super root user)

    No one can access the kernel; it is locked down by Microsoft, only Microsoft can access it.


    And Windows uses account permissions for read and write access. But most programs run as root user in Windows.
     
  7. munkery macrumors 68020

    munkery

    Joined:
    Dec 18, 2006
    #7
    OSs have more than two layers in terms of how they function. But, in general, an OS has two layers in relation to privileges.

    Mac OS X has two layers in relation to privileges (unless using root account). User level with permissions defined by the user account type. System level which includes permissions to modify drivers and kernel. Apps in OS X are usually installed at the user level. This includes any app that is installed via drag and drop.

    Windows has two layers in relation to privileges (except for XP admin account and Vista/7 admin account with UAC disabled where everything has system level privileges). User level with permissions defined by the user account type. System level which includes permission to modify drivers and kernel. Apps in Windows are usually installed at the system level (UAC authentication required to install) even if they do not need to be installed at this level to function. Non-default install locations may be definable by the user.
     
  8. John T macrumors 68020

    John T

    Joined:
    Mar 18, 2006
    Location:
    UK.
    #8
    Is this user only available in the evenings? ;) Sorry! couldn't resist!
     
  9. nec207 thread starter macrumors 6502

    Joined:
    Mar 21, 2011
    #9
    So you are saying both Windows and OS X have a 3-layer system:

    1. User level (user level, no root user)
    2. System level (root user)
    3. Kernel (super root user)


    The only difference is OS X installs programs in User level and Windows installs programs in System level?
     
  10. munkery macrumors 68020

    munkery

    Joined:
    Dec 18, 2006
    #10
    As I stated in my previous post, there are two layers in relation to permissions. This is also a very simplistic description as it excludes layers created by mandatory access controls (MAC). System level includes being able to modify the kernel.

    Yes, basically.

    Authentication is required to modify the folders where apps are typically installed in Windows if the user is not using an account set up with elevated privileges by default.

    Drag and drop apps in Mac OS X typically do not require authentication to install because the installation process does not modify folders that require elevated privileges to write to. This is due to these apps being self-contained bundles.
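
Added example (not part of the thread): a shell sketch of the check behind the behaviour described in the post above, classifying an install target as user level or system level by whether the current account can write to its nearest existing parent folder. The function names and the `Example.*` paths are assumptions made for illustration, and only discretionary (POSIX) permissions are checked.

```shell
#!/bin/sh
# Added example: which install targets would need an administrator password?
# A write needs elevation when the current account lacks write permission on
# the nearest existing ancestor folder of the target.

# nearest_existing_dir PATH -> prints the closest ancestor of PATH that exists
nearest_existing_dir() {
    p=$1
    while [ ! -d "$p" ]; do
        parent=$(dirname "$p")
        # Stop if dirname no longer changes the path (reached "/" or ".")
        [ "$parent" = "$p" ] && break
        p=$parent
    done
    printf '%s\n' "$p"
}

# install_level TARGET -> prints "user" if the current account can create
# TARGET without elevation, "system" if it cannot.
# Note: root passes every check here, which is why running as root removes
# the prompts (and the protection) entirely.
install_level() {
    dir=$(nearest_existing_dir "$(dirname "$1")")
    if [ -w "$dir" ] && [ -x "$dir" ]; then
        echo user
    else
        echo system
    fi
}

# Illustrative macOS destinations (hypothetical names); the result depends on
# the account type of whoever runs the script.
for target in "$HOME/Applications/Example.app" \
              "/Applications/Example.app" \
              "/Library/LaunchDaemons/com.example.helper.plist" \
              "/System/Library/Extensions/Example.kext"; do
    printf '%-55s %s\n' "$target" "$(install_level "$target")"
done
```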
     
  11. nec207 thread starter macrumors 6502

    Joined:
    Mar 21, 2011
    #11
    There seems to be confusion of System level (root user) and Kernel (super root user).

    Are you saying this 1 layer uses mandatory access controls than needing 2 layers here?
     
  12. Hastings101 macrumors 68020

    Hastings101

    Joined:
    Jun 22, 2010
    Location:
    K
    #12
    If it asks for a password that means system files are being added or changed, so it protects you from allowing programs you don't trust editing/adding to systemy stuff.
     
  13. munkery, Apr 27, 2011
    Last edited: Apr 27, 2011

    munkery macrumors 68020

    munkery

    Joined:
    Dec 18, 2006
    #13
    In Mac OS X, root privileges refer to being able to modify the system level of the OS.

    In Windows, superuser privileges refer to being able to modify the system level of the OS.

    superuser = root, two ways to refer to the same thing. These terms are interchangeable.

    EDIT: In Windows, there is a user called "local system" that has special privileges to a limited set of functions related to networking but this separation has no consequences in relation to security. "local system" is not the system level user account. The account types that are superuser in Windows have been defined in one of my previous posts.

    Mandatory access controls are unrelated to these two layers. I was just trying to show that my description of privilege separation is being kept very basic.

    If you are trying to understand basic privilege separation in an OS, you only need to know the difference between system level privileges (also referred to as root or superuser) and user level privileges.
     
  14. munkery macrumors 68020

    munkery

    Joined:
    Dec 18, 2006
    #14
    In relation to security, it is better that the user modify the system level of the OS as little as possible given that this level of the OS represents a greater security risk if modified inappropriately.

    The more a user has to modify the system level then the more likely that level will be modified in a malicious way, such as rootkit install, due to human error.

    Windows creates more opportunities for human error to occur because it requires modification of the system level of the OS more often due to the way apps are typically installed in Windows.
     
  15. GFLPraxis macrumors 604

    GFLPraxis

    Joined:
    Mar 17, 2004
    #15
    Essentially, anything that has to add system-level files will prompt for a password.

    Most apps just have to add themselves to the Applications folder. However, some want to add hooks to other parts of the OS. Those will prompt for a password.
     
  16. nec207 thread starter macrumors 6502

    Joined:
    Mar 21, 2011
    #16
    Okay, I understand. That explains why sometimes it asks for a password and other times not.

    I think there are ways to limit the password pop-ups or turn them off.

    The relationship of System level and Kernel is hard to understand, and how this ties in.
     
  17. iThinkergoiMac macrumors 68030

    Joined:
    Jan 20, 2010
    Location:
    Terra
    #17
    You can't simply turn off the password prompts as then certain aspects of using the OS wouldn't function properly.
     
  18. munkery macrumors 68020

    munkery

    Joined:
    Dec 18, 2006
    #18
    You can turn off the prompts by using the root user account which is disabled by default. But, using the root user account is very dangerous as it turns off discretionary access controls which is the fundamental component of Mac OS X security. The password prompt is there for a reason.

    I think you are confusing functional separations in the structure of the OS with the separation of privileges in relation to modifying the OS.

    System level includes kernel, drivers, security sensitive APIs, and any folders that can only be written to with system level privileges.
     
  19. iThinkergoiMac macrumors 68030

    Joined:
    Jan 20, 2010
    Location:
    Terra
    #19
    DO NOT EVER CONSIDER DOING THIS!!!

    Running as root on your computer all the time is a really dangerous idea. You could just as easily screw up your system beyond repair as have nothing happen. It's a very bad idea, unless you really, REALLY know what you are doing.
     
