
Koodauw

Nov 17, 2003
I was watching TechTV the other day and Leo recommended that if you are running OSX, you should set it up so when you log in for regular use you log in as a "user" and have a separate "Admin" account for when you need to access admin stuff. I think it was for security reasons, but I only caught part of it. My question is if your admin account is password protected, what is the benefit of this? Does anyone else do this? Thanks for any info.
 
I expect, generally speaking, that the advantage of not having your regular login being an admin user is that you won't accidentally mung something up while working. This is pretty good advice for most people, I'd say; I don't have any of the other household users set up as admins, and when I set up workplace computers I don't usually give admin privileges to the "working" account.

Although I do personally work in an admin account; being that I'm not likely to screw anything up (unintentionally) this seems ok, and since the account'd exist either way, it's not equivalent to turning on Root as a security risk.
 
i don't do this, but i always make sure to have an extra admin account on my computer just in case something goes wrong with the one i use on a daily basis because then i have a user just for troubleshooting
 
Absolutely. It helps with things like the Trojan issue that was discussed earlier. You should run with as little privilege as possible. I found that creating a separate admin account was not actually enough, and had to add one more step (as an admin account):

sudo chown -R root:admin /Applications
sudo chmod -R o-w /Applications

Then run fix permissions to fix anything you broke :D Those two steps ensure your default account cannot even write to the Applications directory.

In OSX it is really not inconvenient to have a separate administrator account. You'll notice two things:

1) When you have to do something with admin priv, you are now asked for a username and password; you don't need to use FUS or anything like that

2) When you try to use finder to do something in a system directory, you will be told you don't have permission, and do you want to authenticate, if you say yes you are again asked for a username / password.

So even with the changes above, you can still drag an app into /Applications, you'll just have to give a username and password to be allowed to do it.

On the plus side, the account is denied access to anything outside of /Users, so it really cuts the damage a virus, trojan, or worm can do to your system.
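
A read-only check of the result of the two commands in the post above, as an added example that is not part of the original thread: it lists anything under a tree that accounts outside the owner and group can still write to. The function names and the script name audit.sh are made up for illustration; the group name admin is the one used in the post.

```sh
#!/bin/sh
# Added example (not from the thread): read-only audit of a tree such as
# /Applications after the chown/chmod steps. Nothing is modified.

# List entries under $1 that "other" users can write. A standard
# (non-admin) account falls under "other" once the tree is root:admin.
# Symlinks are skipped: their own mode bits are not what access checks use.
other_writable() {
    find "$1" ! -type l -perm -0002 -print 2>/dev/null
}

# Number of such entries (0 is the state the chmod -R o-w step aims for).
count_other_writable() {
    other_writable "$1" | wc -l | tr -d ' '
}

# True when the invoking account is a member of the admin group.
in_admin_group() {
    id -Gn | tr ' ' '\n' | grep -qx admin
}

# Summarise the tree; succeeds only when nothing is other-writable.
audit() {
    dir=$1
    n=$(count_other_writable "$dir")
    if in_admin_group; then
        echo "note: running as an admin-group member; group write may still apply"
    fi
    if [ -w "$dir" ]; then
        echo "warning: this account can write to $dir directly"
    fi
    echo "$n entries under $dir are writable by non-admin accounts"
    [ "$n" -eq 0 ]
}

# Run only when a directory is given, e.g.: sh audit.sh /Applications
if [ $# -gt 0 ]; then
    audit "$1"
fi
```

Run it from the everyday account rather than the admin one, so the direct-write warning reflects what that account can actually do.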
 
Makosuke said:
I expect, generally speaking, that the advantage of not having your regular login being an admin user is that you won't accidentally mung something up while working.

It's more for the virus / trojan / worm issue. While you're right that it is not as bad as root, an admin account has write access into an awful lot of the system so these can do damage.
 
I'm an admin on three computers, my PB, my Beige G3, and my parents' iMac. My brother is also an admin on the iMac and my beige, and I have a backup admin account on my PB. I usually run as admin, and haven't yet had a problem due to user error. Well, nothing that screwed me up at least :D
 
I think this tip was for WinXP, to "simulate" OSX's root user. I use admin and all that can do is change things in the Users, Library, and Applications folder. As long as my system is alright it's fine. I personally recommend setting a separate pass for the Root account though. Keeps you from accidentally granting the wrong ownership (and I've found a few apps with typos in their pass/user when asking for the root password, but only needing the admin pass).
 
stcanard said:
It's more for the virus / trojan / worm issue.
what are you talking about? There is no OS X virus/virii yet, they're all proof of concept(s), nothing more.
Anyway, having an extra admin account is a VERY good idea. And root/su/sudo shouldn't be messed with unless you know what you are doing (sudo rm -rf / anyone? :p )
I personally like to be an admin because it's just a pain in the neck if you're not in OS X.
 
Koodauw said:
I was watching TechTV the other day and Leo recommended that if you are running OSX, you should set it up so when you log in for regular use you log in as a "user" and have a separate "Admin" account for when you need to access admin stuff. I think it was for security reasons, but I only caught part of it. My question is if your admin account is password protected, what is the benefit of this? Does anyone else do this? Thanks for any info.

I am admin for our Pre-press LAN, and after being out for a few days I found out my e-mail was being opened and a few of my personal documents and stuff accessed. So I set up a Generic User account with the "look and feel" of my account but set all kinds of restrictions on what could be accessed in the way of folders, applications (my mail account) and now I can go on vacation and feel a little safer (or private). Even though my boss (the owner of the company) owns the equipment I still feel it's MY computer. :mad:
 
I don't really see the problem with one's primary account being in the admin group, since you're generally prompted for your password before screwing things up royally system-wide. The main drawback, I suppose, is if you're worried you might do something that you'd regret later (such as the aforementioned 'sudo rm -Rf /' hehe). But since you can always su to an admin account, you're not bulletproof even if your account isn't privileged - basically if you are bound and determined to screw things up you always will have a way to do so.

It's not like a Windows admin account, which is analogous to 'root' on OS X rather than what we're talking about. In that case, once you're logged in you can do most anything without the smallest roadblock.

Of course if you just type your password in whenever prompted, without thinking "am I doing something that should require root privileges?" then yeah, you shouldn't have an admin account by default. :D
 
Westside guy said:
I don't really see the problem with one's primary account being in the admin group, since you're generally prompted for your password before screwing things up royally system-wide. The main drawback, I suppose, is if you're worried you might do something that you'd regret later (such as the aforementioned 'sudo rm -Rf /' hehe). But since you can always su to an admin account, you're not bulletproof even if your account isn't privileged - basically if you are bound and determined to screw things up you always will have a way to do so.

It depends on your level of paranoia. You're right it is _far_ more secure than a Windows Admin because of the use of sudo for any administration features.

At the same time, the admin group does have write access to some sensitive areas of the filesystem ("/" for instance), and using a separate account is really no more inconvenient than running as admin.

Remember: always run with the least privilege possible. Since there is no inconvenience to running as a non-admin account (try it and see what I mean), why take the risk?

There may be no viruses / trojans in the wild now, but would you really leave your car running in the driveway overnight just because nobody's stolen a car in your neighbourhood since you moved in?
 
übergeek said:
I personally like to be an admin because it's just a pain in the neck if you're not in OS X.

Are you on Jaguar still? I'll admit I've never used Jaguar to know how it behaves.

In Panther there is no pain...

If you need admin privilege it asks for an admin username / password

If you try to modify a file it asks you to authenticate, and you type in an admin username / password

If you want to administer from the command line, you either su to your admin account or (what I did) add yourself to the /etc/sudoers file.

I have never once had to FUS to my admin account to do something. But even if I did, it's only one FUS away...
 
Thanks for the input everyone. I guess I am not worried about me screwing my computer up by being the admin, I don't mess around with stuff that would really do damage. I guess I was wondering about it from a security standpoint. (I.E. others using my computer or it being stolen) Any benefits to not being the admin then?

Also, is there a way to de-authorize my admin account, and make it just a regular one, and authorize another account? That way I don't have to remake my dock, desktop, hot corners etc...
 
Koodauw said:
Also, is there a way to de-authorize my admin account, and make it just a regular one, and authorize another account? That way I don't have to remake my dock, desktop, hot corners etc...

Yup.

Create the new admin account, then switch to it. You can then just take the admin priv off your original account, in the users panel in system preferences.

That's the way I deauthorized mine.
 
stcanard said:
At the same time, the admin group does have write access to some sensitive areas of the filesystem ("/" for instance), and using a separate account is really no more inconvenient than running as admin.

Actually, this kinda bugs me (not your post, but the point you bring up). OS X differs substantially from Linux or BSD in this regard. In either of those, only root has write access to locations like /usr/bin (equivalent to /Applications) or /. To install an application into these locations you have to use sudo, which requires your password before allowing access.

Since Apple is already using this model for some things, why aren't they doing that more consistently? It'd make OS X more secure, at least on a multi-user system, and wouldn't really add any significant level of complexity (since there are already some applications that basically use this model on OS X).
 
Ok. New question. Is there any way I can set it up so I need to enter in a password when I boot up the computer?
 
i'm using panther, but i still find it sorta....meh...
i just feel more comfortable as an admin.

and btw i have no idea wtf the boy scout motto is...sorry i'm not a guy :p
 
übergeek said:
i'm using panther, but i still find it sorta....meh...
i just feel more comfortable as an admin.

I felt the same way until I tried it for a while

and btw i have no idea wtf the boy scout motto is...sorry i'm not a guy :p

funny, your typing looks so gender unspecific :p

The motto is "be prepared" :)
 