Do you give admin privileges to your day-to-day acct?

Discussion in 'Apple' started by RPS, May 21, 2007.

  1. RPS

    RPS Guest

    I realize it is supposed to be safer to not to give yourself admin
    privileges, but to create a separate account for that purpose? However,
    I am wondering how many people actually do that? Do you?
     
    RPS, May 21, 2007
    #1
    1. Advertisements

  2. RPS

    Jon Guest

    Yes. An extra account takes very little room, and the hassle is neglible
    compared to the nice, cuddly feeling of added security.

    I also have a guest account, as family members sometimes borrow my Mac.
     
    Jon, May 21, 2007
    #2
    1. Advertisements

  3. I do on my Mac, as it's very easy to deal with activities requiring Admin
    privileges kind of "on the fly" by providing the Admin user name and p/w.

    I don't on my PC because it's a pain to have to log in as the Admin to do
    those things. At least, I don't know of any other way to get around it on the
    PC. Ironically, the PC is where I *should not* be logging in as an admin user
    regularly.
     
    Joey DoWop Dee, May 21, 2007
    #3
  4. RPS

    TaliesinSoft Guest

    I have several user accounts which allow me to isolate projects from one
    another. I also have a single admin account which is signed on to only when
    absolutely necessary.
     
    TaliesinSoft, May 21, 2007
    #4
  5. RPS

    Scott Guest

    I only have a few Macs under my control (a Mac mini, a PowerBook G4,
    and a Core 2 Duo MacBook Pro, but all of them use a separate admin
    account. That account is used only when absolutely necessary.

    Regards,
    Scott
     
    Scott, May 21, 2007
    #5
  6. Yes I do, finally, after a couple of abortive tries. It is not that
    much more of a hassle once one is used to it.

    I created AdminUser and checked its "allow user to administer this
    computer", then unchecked "allow user to administer this computer"on
    the first and only account previously created on my Mac.

    I used AdminUser as long name to avoid confusion in my mind with other
    uses of "administrator", "admin" and the like.

    I used adm as short name. Three reasons;

    1, I have seen logs of dictionary attacks running for hours on my port
    22 trying different passwords for user "admin" and I do use ssh,

    2, when you try to set up an account with "admin" as the short name you
    get a dialog indicating "The user "admin" will be created as a
    administrator user and you cannot change this"

    3, adm only needs 3 keystrokes to enter in authorization dialog which
    now comes up more often without a default entry for user id.

    Miscellaneous notes...

    I now have to use Pseudo to read my system log with Console.

    I have become more familiar with the contents of man su and man sudo
    and use su more often.

    Cheers,

    Darrell
     
    Darrell Greenwood, May 21, 2007
    #6
  7. RPS

    Ajanta Guest

    How and where do you look up this log? I use ADSL which assigns new
    internet address all the time, but the computer is on a lot and I'd
    like to be able to check this.
     
    Ajanta, May 21, 2007
    #7
  8. Just checked using Console and the entries now turn up in secure.log
    under /var/log in 10.4.9. Not sure if they weren't in the system log in
    earlier OSX versions.

    e.g.,

    May 21 15:40:40 ibookg3 sshd[1373]: Failed password for darrell from
    10.17.145.2 port 58539 ssh2

    Cheers,

    Darrell
     
    Darrell Greenwood, May 22, 2007
    #8
  9. RPS

    Wes Groleau Guest

    I'm perhaps a bit more paranoid. If I on a single occasion
    saw such an attack, I would set a watch to block all IP traffic
    to or from any location that failed five attempts.

    I'm not likely to see such an attempt, because I only allow
    connections to be established from places that I think I might
    try from.

    --
    Wes Groleau

    Change is inevitable. We need to learn that "inevitable" is
    neither a synonym for "good" nor for "bad."
    -- WWG
     
    Wes Groleau, May 22, 2007
    #9
  10. I have two accounts. My day to day account, which as admin privileges,
    and an account named "test", which gets admin privileges or not,
    depending on what I'm using it for. I rarely use it, though, and it's
    normally not logged in.

    My day-to-day account is password protected, so whenever I log in to it
    or switch to it, I have to enter the password. This is because whenever
    I have a house guest to whom I give access to the computer, I set up a
    non-admin account for her or him.
     
    Michelle Steiner, May 22, 2007
    #10
  11. RPS

    Király Guest

    It's a good idea to remove admin privileges from your day-to-day
    account. Apple recommends it for security reasons. Nearly all admin and
    even root tasks can be done from a non-admin account by supplying the
    admin username/password when prompted. I only have one admin account on my
    Mac and I almost never use it.
     
    Király, May 24, 2007
    #11
  12. It's a good idea to remove admin privileges from your day-to-day
    account. Apple recommends it for security reasons. Nearly all admin
    and even root tasks can be done from a non-admin account by supplying
    the admin username/password when prompted. I only have one admin
    account on my Mac and I almost never use it.[/QUOTE]

    As I said, I have had admin privileges on my day-to-day account from day
    one, and have had absolutely no problems with it. I suspect that the
    overwhelming majority of Macintosh users do too. They get their
    computer, run the setup routine after they turn it on, get their one
    account (which has admin privileges by default), and never even think to
    create another account.
     
    Michelle Steiner, May 24, 2007
    #12
  13. RPS

    Király Guest

    Well, that's good. I wouldn't *expect* you to have any problem with
    it. The issue is not running into problems, it is with security. One
    can run as root all the time too for years and also never have any
    problem. But it cannot be denied that running unnecessarily as root
    exposes oneself to greater security risk. Running unnecessarily as
    admin is no different. It makes one more vulnerable through exploits
    (e.g. trojans) and to simple user error (e.g. "I accidentally dragged
    my /Library folder to the desktop and now my Mac won't boot") that
    could be prevented by simply following Apple's guidelines and only
    using an admin account when it is needed. In fact it is rarely
    required to switch to the admin account, because most admin and root
    tasks can be done from a non-admin account by authenticating when
    prompted. So there is no good reason at all to run all the time as
    admin instead of non-admin. And since the security risk is higher
    when running as admin, why do it?
    This is something that Apple should fix.
     
    Király, May 24, 2007
    #13
  14. Well, that's good. I wouldn't *expect* you to have any problem with
    it. The issue is not running into problems, it is with security.[/QUOTE]

    "No problems" includes no security problems.
    Did you ever try to drag your library folder to the desktop? Mac OS X
    is smart enough to copy it instead of move it.
    On page 40-something of an obscure manual.

    I see no compelling reason to change.
     
    Michelle Steiner, May 25, 2007
    #14
  15. RPS

    Tim Murray Guest

    My regular working account is non-admin. There are so few differences, mostly
    insofar as authentication dialogues ask for name + password instead of
    password only, that it's no big deal.
     
    Tim Murray, May 25, 2007
    #15
  16. RPS

    Király Guest

    You mean in the past. Well, that's good, and even expected. I would
    even have expected the same if somebody had been running as root for
    the last six years and never had any security problem. But it cannot
    be denied that you are more vulnerable to *future* exploits by running
    as root or admin vs. running as non admin. I don't see why, all else
    being more or less equal, one would choose less secure over more
    secure. But, as Jolly Roger said earlier: Do what you want, and have
    fun.
    Do you have a compelling reason for keeping it the same, other than
    forever losing the 15 seconds of time you'll have to spend changing
    it?
     
    Király, May 25, 2007
    #16
  17. You mean in the past. Well, that's good, and even expected. I would
    even have expected the same if somebody had been running as root for
    the last six years and never had any security problem. But it cannot
    be denied that you are more vulnerable to *future* exploits by
    running as root or admin vs. running as non admin.[/QUOTE]

    I have the software firewall running, and I have a hardware firewall in
    my router. Additionally, I have turned off external images in my email
    program, and use a spam filter. Finally, I know not to open unasked for
    enclosures and attachments, etc.
    Not that I need your or his permission. But you and he can do what you
    want, and have fun too, so far as I'm concerned.
    My compelling reason for keeping it the same is the lack of a compelling
    reason to change it.
     
    Michelle Steiner, May 25, 2007
    #17
  18. I have the software firewall running, and I have a hardware firewall in
    my router. Additionally, I have turned off external images in my email
    program, and use a spam filter. Finally, I know not to open unasked for
    enclosures and attachments, etc.
    Not that I need your or his permission. But you and he can do what you
    want, and have fun too, so far as I'm concerned.
    My compelling reason for keeping it the same is the lack of a compelling
    reason to change it.[/QUOTE]

    I begin to realize this is really a religious issue rather than one
    based on technical merits, sort of like asking which is the "best" text
    editor or "boxers or briefs". The Apple document doesn't give
    sufficient reasons other than "for safety" to not run as an admin user.
    The only difference I can see between a regular user and an admin user
    is that the admin user is a member of the admin UNIX group and has
    extended permissions on various directories.

    True, adding another account and using that for the non-admin user is
    trivial _most of time_. That is until I added a non-admin user to my
    machine for the sole purpose of having 2 web sites for testing. It was
    a pain "sudo-ing" back and forth between them. But I was also testing
    my security setup, so I had to do it to make sure I got it right. Now
    that's over and that user and the files are gone.

    I don't see any need to go back. I make daily backups, do all the stuff
    that Michelle does, and am the only user of my machine. I haven't had
    any problems. I actually still have all my toes after 10+ years as a
    sysadmin.

    If I were working in a company where they followed the Apple guidelines,
    that's a different matter. I'm a firm believer in following the
    company's established culture unless it's braindead. Bottom line, it
    works for me and I haven't seen a technical reason to change it.
     
    Michael Vilain, May 25, 2007
    #18
  19. I don't see it as a religious issue at all. I'm not trying to persuade
    anyone to use an admin account for their day-to-day stuff. I'm just
    saying that I see no reason for me not to. It doesn't affect me at all
    if someone does or doesn't run in admin mode, and it doesn't affect them
    if I do.
     
    Michelle Steiner, May 25, 2007
    #19
  20. RPS

    Wes Groleau Guest

    Which means that when not an admin, if I (by mistake or accident)
    drag something into one of those folders, the OS demands authentication.
    If I am admin, the system "assumes" I wanted to do that and I may not
    even realize what happened.

    In the shell, what if I am not in the directory I thought I was in?
    Not being admin, I can only screw up my own account.

    --
    Wes Groleau

    "In the field of language teaching, Method A is the logical
    contradiction of Method B: if the assumptions from which
    A claims to be derived are correct, then B cannot work,
    and vice versa. Yet one colleague is getting excellent
    results with A and another is getting comparable results
    with B. How is this possible?"
    -- Earl W. Stevick
     
    Wes Groleau, May 25, 2007
    #20
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.