
2984839

Cancelled
Apr 19, 2014
2,114
2,239
Anyone with a modicum of sense knows that if you give someone else access to your Mac, all bets are off, even if you run a standard account. You're grasping at straws by adding scenarios that are not part of the discussion and don't apply to the topic.

If a process that you started as the admin account gets exploited and an attacker gets a shell on your machine (with the permissions of that process), it's not much different than if he's sitting there. That's why starting internet facing processes as a regular user provides an additional security benefit.
 

GGJstudios

macrumors Westmere
May 16, 2008
44,545
943
If a process that you started as the admin account gets exploited and an attacker gets a shell on your machine (with the permissions of that process), it's not much different than if he's sitting there. That's why starting internet facing processes as a regular user provides an additional security benefit.
Give an example, please.
 

bradl

macrumors 603
Jun 16, 2008
5,934
17,425
If a process that you started as the admin account gets exploited and an attacker gets a shell on your machine (with the permissions of that process), it's not much different than if he's sitting there. That's why starting internet facing processes as a regular user provides an additional security benefit.

Give an example, please.

SSH, prior to privilege separation. This is something that Apple implemented when it was discovered that the version of SSH being used by every unix-based OS at the time spawned its instances as a privileged user (an admin account) before returning back as the normal user who initiated the connection. That instance was able to be pre-empted, leaving the attacker with elevated privileges on the machine. All because the initial process was spawned by an admin account.

Such examples were noted here, here, with a 0-day exploit here.

All of these allow a user to have their privileges elevated to another user or one with higher privileges, which if you are running as an admin account, gets them more privileges and ability to run arbitrary code, as you, and with higher privileges, similar to root. That is a BAD thing.

Again, run as an admin account? Poor sysadmin skills, and even worse security skills.

Disclaimer: I've been a Linux sysadmin for 20 years. It is my job to look for and prevent issues like this; I know what I'm talking about.


BL.
 

GGJstudios

macrumors Westmere
May 16, 2008
44,545
943
Again, run as an admin account? Poor sysadmin skills, and even worse security skills.

Disclaimer: I've been a Linux sysadmin for 20 years. It is my job to look for and prevent issues like this; I know what I'm talking about.
As already stated in this thread, the presence of a vulnerability (all systems are vulnerable) does not indicate the presence of an exploit in the wild. As is the case with all software, vulnerabilities exist and are being discovered and patched, most of the time before those vulnerabilities are ever exploited in the real world, as is the case with all the ones you linked.

The real-world fact is an average Mac user running an admin account is no more vulnerable to real (vs hypothetical) threats in the wild than those running a standard user account. You can point to vulnerabilities that could theoretically be exploited and to hypothetical possibilities, but those have no effect on users unless they're actually implemented. If you take your argument further, you can make a case for everyone never using a computer at all, because even with a standard user account, there are vulnerabilities that hypothetically could be exploited.

For responsible, non-paranoid, intelligent computing, using an admin account on OS X is perfectly fine. If someone is paranoid and susceptible to the FUD spread by some, they should certainly use a standard account and probably consider never using a computer at all.
 

bradl

macrumors 603
Jun 16, 2008
5,934
17,425
As already stated in this thread, the presence of a vulnerability (all systems are vulnerable) does not indicate the presence of an exploit in the wild. As is the case with all software, vulnerabilities exist and are being discovered and patched, most of the time before those vulnerabilities are ever exploited in the real world, as is the case with all the ones you linked.

The real-world fact is an average Mac user running an admin account is no more vulnerable to real (vs hypothetical) threats in the wild than those running a standard user account. You can point to vulnerabilities that could theoretically be exploited and to hypothetical possibilities, but those have no effect on users unless they're actually implemented. If you take your argument further, you can make a case for everyone never using a computer at all, because even with a standard user account, there are vulnerabilities that hypothetically could be exploited.

For responsible, non-paranoid, intelligent computing, using an admin account on OS X is perfectly fine. If someone is paranoid and susceptible to the FUD spread by some, they should certainly use a standard account and probably consider never using a computer at all.

It is quite obvious that you have never had to deal with any kind of security on any unix-based operating system, as such issues and concepts are well and truly beyond your comprehension. As a systems administrator, it is your job to be paranoid, because you can not control what others do on your machine, nor what they could do when they get access to your machine. You simply don't trust anyone with it, which is why you give them the privileges they need, and that's it. If they need anything more, you elevate yourself to your admin account or root account to get them what they need, then you get out of it.

Why do you think that there are all of these exploits out in the wild, and I'm not just talking for OS X? I'm talking Windows, Solaris, Linux, you name it? Because people are not intelligent enough to execute those exploits or open their machine up to be exploited. That's the downfall of the masses who don't know what they are doing, and why there are still machines out there with the Code Red and Nimda worms on Windows XP. That's why privilege separation was implemented across all Unices, including OS X.

In short, you run the risk of shooting yourself in the foot for running everything under an admin account. It's the equivalent of logging in and doing everything directly as 'root' in Linux or any other Unix OS. You just don't do it. Log in as yourself, your non-privileged account, and elevate yourself to the superuser to do the work that requires the superuser, and get out.

You really don't know what you're talking about here, and it clearly shows. I'll take my 20 years professional experience in systems administration over your perceived "real world" any day.

BL.
 

Sko

macrumors 6502
Oct 17, 2009
285
59
Germany
I'm talking Windows, Solaris, Linux, you name it?...

It's the equivalent of logging in and doing everything directly as 'root' in Linux or any other Unix OS.

I wonder if this is the source of the misunderstanding: while the admin account has some more rights than a standard account, it is far from being root.

Every interaction that needs super user power (other than writing to /Application) prompts for the admin's password. The only difference is that on an admin account the 'name' field is filled, while on the standard account you have to know the name of an admin account.
 

GGJstudios

macrumors Westmere
May 16, 2008
44,545
943
As a systems administrator, it is your job to be paranoid,
Again, you're talking about procedures and practices for systems administrators, while this thread is about individual OS X users who are running standalone systems where they are the only user. The same rules do not apply.
You simply don't trust anyone with it, which is why you give them the privileges they need, and that's it.
Again, as a single-user on their own computer, if they can't trust themselves, they shouldn't be using a computer.
Why do you think that there are all of these exploits out in the wild, and I'm not just talking for OS X?
There certainly are exploits in the wild for other platforms, but to date there have been none for OS X that require running as a standard user to avoid.
It's the equivalent of logging in and doing everything directly as 'root' in Linux or any other Unix OS.
No, it is not the same as logging in as root. Clearly you're thinking too much about Linux or other Unix systems and not thinking about how OS X works. The root user in OS X is different than the admin user.
You really don't know what you're talking about here, and it clearly shows. I'll take my 20 years professional experience in systems administration over your perceived "real world" any day.
Again, another assumption about what I know or don't know. It's always amusing to me that these comments usually come from someone flaunting their years of experience without thinking that they may be talking to someone with far more experience, who just prefers not to brag about it.
I wonder if this is the source of the misunderstanding: while the admin account has some more rights than a standard account, it is far from being root.

Every interaction that needs super user power (other than writing to /Application) prompts for the admin's password. The only difference is that on an admin account the 'name' field is filled, while on the standard account you have to know the name of an admin account.
I think that certainly may be the case.
 

GGJstudios

macrumors Westmere
May 16, 2008
44,545
943
As already discussed in this thread, proof-of-concepts and unexploited vulnerabilities are irrelevant to this discussion. There are no exploits of that vulnerability in the wild, so there is still no real-world advantage in running a regular vs admin account. You're also still talking about hacking, which is quite different from malware. As also already stated, the chances of an average OS X user having their computer hacked are ridiculously remote.
 

LV426

macrumors 68000
Jan 22, 2013
1,836
2,266
As already discussed in this thread, proof-of-concepts and unexploited vulnerabilities are irrelevant to this discussion. There are no exploits of that vulnerability in the wild, so there is still no real-world advantage in running a regular vs admin account. You're also still talking about hacking, which is quite different from malware. As also already stated, the chances of an average OS X user having their computer hacked are ridiculously remote.

I say absolutely NOT irrelevant. You're in denial if you think your computer is not at risk. It's fortunate that Emil Kvarnhammar is an ethical security researcher and has given Apple the opportunity to fix the OS X flaw he's identified. If he – and others like him – chose to make use of that kind of vulnerability in, say, a drive-by attack, your defence would be the hope that the attack vector will only have a small distribution. That's beyond your control. The simple expedient of running as a non-admin account is not.
 

GGJstudios

macrumors Westmere
May 16, 2008
44,545
943
I say absolutely NOT irrelevant. You're in denial if you think your computer is not at risk. It's fortunate that Emil Kvarnhammar is an ethical security researcher and has given Apple the opportunity to fix the OS X flaw he's identified. If he – and others like him – chose to make use of that kind of vulnerability in, say, a drive-by attack, your defence would be the hope that the attack vector will only have a small distribution. That's beyond your control. The simple expedient of running as a non-admin account is not.
Of the roughly 75 million computers running OS X, name one, just one, that has been hacked or affected by this vulnerability in the wild. Like so many who have cried "wolf!" about malware, hacking and vulnerabilities, you play the "what if" game, theorizing about some non-existent future attack that never comes. Any zero day attack would be so well publicized that the vast majority of Mac users would be alerted long before they ever encountered a threat.

Based on 13+ years of historical evidence, the overwhelming majority of average Mac users will likely never encounter malware for as long as they own their Macs, and almost zero Mac users will ever be hacked. There is no need for any Mac user to run a non-admin account, unless they're extremely paranoid or uninformed or they simply choose to. There are no threats that will be avoided by running a non-admin account, as every example of such types of threats is not in the wild.
 

LV426

macrumors 68000
Jan 22, 2013
1,836
2,266
Of the roughly 75 million computers running OS X, name one, just one, that has been hacked or affected by this vulnerability in the wild. Like so many who have cried "wolf!" about malware, hacking and vulnerabilities, you play the "what if" game, theorizing about some non-existent future attack that never comes. Any zero day attack would be so well publicized that the vast majority of Mac users would be alerted long before they ever encountered a threat.

Based on 13+ years of historical evidence, the overwhelming majority of average Mac users will likely never encounter malware for as long as they own their Macs, and almost zero Mac users will ever be hacked. There is no need for any Mac user to run a non-admin account, unless they're extremely paranoid or uninformed or they simply choose to. There are no threats that will be avoided by running a non-admin account, as every example of such types of threats is not in the wild.

Are you being deliberately obtuse? You have zero evidence that 'future attacks' never come, and you do not know how many Macs have in fact been infected with malware (although it's at least in the many hundreds of thousands). The article I linked to demonstrates convincingly that an attack on non-admin accounts is quite possible. The author knows this; your typical Sys Admin knows this.

On the balance of probabilities, a lone researcher with a good heart figuring out how to make use of this OS X flaw is likely to be a small fish in the big pond of nation state hackers.

It's a straw man argument to ask me to provide you with a list of infected computers and how that was achieved. By its very nature malware writers are a secretive bunch.
 

GGJstudios

macrumors Westmere
May 16, 2008
44,545
943
It's a straw man argument to ask me to provide you with a list of infected computers and how that was achieved. By its very nature malware writers are a secretive bunch.
I didn't ask you to provide a list. I said to name just one computer that has been affected by that vulnerability in the wild.

You can talk all day about possible future threats and hypothetical scenarios, but that doesn't mean an average user needs to modify their behavior for fear of something that, based on historical evidence, is highly unlikely to ever occur. Could a vulnerability be exploited in the future that could affect admin users but not standard users? Of course, it's hypothetically possible. But nothing of the kind has ever existed in the wild to this present day, and there is nothing to suggest an even small possibility of that happening in the future. If that changes in the future, the vast majority of users would be made aware of it long before they would have a chance to encounter it. Your arguments may be sufficient for you to take such action, but they are certainly not compelling enough to prompt an informed, prudent Mac user to refrain from running an admin account on a regular basis.
 

LV426

macrumors 68000
Jan 22, 2013
1,836
2,266
Could a vulnerability be exploited in the future that could affect admin users but not standard users? Of course, it's hypothetically possible. But nothing of the kind has ever existed in the wild to this present day... Your arguments may be sufficient for you to take such action, but they are certainly not compelling enough to prompt an informed, prudent Mac user to refrain from running an admin account on a regular basis.

Prove it. Prove that there are no such exploits in the wild. Prove that the NSA isn't making use of this kind of exploit right now. Go on, prove it. You can't.

Rather than take your advice, I will listen to security experts. I will continue to run my daily operations as a non-admin user because it adds virtually zero inconvenience.
 

GGJstudios

macrumors Westmere
May 16, 2008
44,545
943
I didn't ask you to provide a list. I said to name just one computer that has been affected by that vulnerability in the wild.
I didn't think so.
Prove it. Prove that there are no such exploits in the wild. Prove that the NSA isn't making use of this kind of exploit right now. Go on, prove it. You can't.
You can disprove the absence of such exploits in the wild by providing evidence of just one exploited Mac in the wild. You have failed to do that, as expected.
I will continue to run my daily operations as a non-admin user because it adds virtually zero inconvenience.
Good for you!
 

mike.a

macrumors newbie
May 5, 2012
21
14
Melbourne, Australia
Wow, this is a super-ancient thread that I found while thinking about my - also ancient - practice of using a standard user for daily tasks. Thanks for everyone's very different and, I think, mostly well-argued viewpoints.

I found more recent contributions (with one answer edited as recently as yesterday) to this general discussion by folks again more experienced and knowledgeable than I in this specific apple.stackexchange thread.

In the top answer with community reputation of 50+, the main arguments that are FOR standard-user-for-daily-use are primarily around protecting users from themselves as the weakest link in the security chain.

It will not likely shift GGJstudios' and others' just-use-admin-if-you-like-if-you're-the-solo-user-of-your-Mac stance (I hope that's fair?) - and that's okay - but I do appreciate the additional protection against my accidentally doing stupid things. FWIW (maybe not much), I have been in IT / software dev for 20+ years. That doesn't prevent me from accidentally - or out of laziness - doing foolish things.
 

Spudlicious

macrumors 6502a
Nov 21, 2015
936
818
Bedfordshire, England
I too like to see an old thread clinging to life with gritty determination, especially when all the issues raised are still relevant. Here's my take. The hobbyist computer user with sole access to a machine should not restrict their access to it in any manner. So yes, use administrator login as a matter of routine.
 

throttlemeister

macrumors 6502a
Mar 31, 2009
550
63
Netherlands
Let's keep in mind there is no such thing as an admin user on unix and unix-like systems. There is only God (root) and plebs (regular users). If you are an admin user on OSX, it basically means you are part of the plebs but added to the sudoers group and are allowed to elevate to root. If you are not, and you have to provide a username/password for an admin user, you are basically using the su command to execute something with root privileges. It's a little more complicated due to the use of ACLs, but that is essentially what is happening in the background.
The difference between sudo and su being that for sudo you need to provide your own password to validate you are authorized to become root, whereas for su you have to provide the username and password of a different account with the appropriate privileges.

So no, in my opinion it doesn't matter much. That said, anything that adds another step is obviously more secure so in that regard using a regular user is good. However any system that allows privilege elevation through the use of tools is open to security vulnerabilities, regardless of what type of user is being used. So in that regard, it doesn't matter much but makes life a little more convenient.
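
Added example, not part of any post in this thread: a small audit of the distinction discussed above, reporting whether the daily-use account is a member of the macOS `admin` group (the group the default sudoers file grants `sudo` to) and how many other non-root admin accounts exist. It parses the output of `dscl . -read /Groups/admin GroupMembership`; the account names `alice` and `maint`, the function names and the verdict format are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify an account as admin or standard from the
# membership of the macOS "admin" group.

# Print the admin group's members, one per line, from dscl output of the
# form "GroupMembership: root alice" (assumed to be on a single line).
admin_members() {
    printf '%s\n' "$1" |
        awk '/^GroupMembership:/ { for (i = 2; i <= NF; i++) print $i }'
}

# Exit 0 if account $1 is in the newline-separated member list $2.
# -F -x: exact whole-line match, so "ali" never matches "alice".
is_admin() {
    printf '%s\n' "$2" | grep -Fxq -- "$1"
}

# Print a one-line verdict for daily-use account $1 given raw dscl output $2.
# other_admins counts admin accounts besides root and the account itself:
# the accounts whose name and password a standard user would type into an
# authorization prompt, or a spare admin account for recovery.
audit_account() {
    members=$(admin_members "$2")
    if is_admin "$1" "$members"; then
        role=admin
    else
        role=standard
    fi
    others=$(printf '%s\n' "$members" |
        awk -v u="$1" '$0 != "" && $0 != "root" && $0 != u { n++ }
                       END { print n + 0 }')
    printf 'daily=%s other_admins=%s\n' "$role" "$others"
}

if command -v dscl >/dev/null 2>&1; then
    # On a Mac: query the local directory for the real membership.
    raw=$(dscl . -read /Groups/admin GroupMembership 2>/dev/null || true)
    audit_account "$(id -un)" "$raw"
else
    # Elsewhere: constructed sample output with made-up account names.
    audit_account alice 'GroupMembership: root maint'
fi
```

A result of `daily=standard other_admins=0` means no account on the machine can authorize an elevation prompt, so create an admin account before demoting the one in daily use.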
 

Apple_Robert

Contributor
Sep 21, 2012
34,405
49,870
In the middle of several books.
I too like to see an old thread clinging to life with gritty determination, especially when all the issues raised are still relevant. Here's my take. The hobbyist computer user with sole access to a machine should not restrict their access to it in any manner. So yes, use administrator login as a matter of routine.
I disagree. Even though I am the sole user of my Mac in the house, that doesn't necessarily mean that someone else (unbeknownst to me) might not get access to said Mac and attempt some form of mischievous prank or worse.

In relation to the aforementioned, you never know when a newly installed update (or new M1 system) suddenly locks you out of your admin account for some unknown reason and your saving grace at that moment is having a second admin account for emergency use.

As if the first two scenarios (in great brevity) weren't enough risk, bad problems can arise just from traveling to and/or interacting with a website such as ransomware etc., not to mention vulnerabilities and exploits found and manipulated by bad actors.

In my opinion, it is better to not be logged in as admin in case something unforeseen happens. Having to switch user is a minor quibble if it helps mitigate any potential threat.

I also remove the account names from the login screen, to add another level of safety and security.
 