“Demonstrated Damage
To demonstrate this, I created an installer package set to require only Administrator access that echoed its user ID to a temporary file in both the pre- and post-flight scripts, replaced the /etc/sudoers file with a version that requires no password for any existing admin to become root…”

Now, all the problems come IF you modify/replace your sudoers file with one that doesn’t require a password! Definately a bomb ready to go off here. For all you folks not familiar with sudo, do a Google search for man sudo () and read up on the documentation. It’s a pretty secure package.

Your default sudoers file on a Mac OS X contains the following config line for Admin accounts:
%admin| ALL=(ALL) ALL

You’d need to change the above line to the following to have the problem mentioned at MacGeekery:
%admin| ALL=(ALL) NOPASSWD:ALL

Still laughing…

My opinion: go ahead and use your Admin rights account for day-to-day operation, there’s not a whole lot of harm in it.

Thanks for the example. Yes, that is a concern (as opposed to recitation of received wisdom). It _shouldn’t be_, but it is.

On the other hand, the article you cite also advises people to examine installer packages before they run, something that the folks on this thread are unlikely to do. Again, it’s a balance between security and convenience (as suggested by the article title).

http://www.macgeekery.com/tips/security/how_a_malformed_installer_package_can_crack_mac_os_x

Still not clear how the “virgin” account works. Are you using the preferences pane to limit that account’s access to software?

The “wife account” is an approach that I take in reverse — my wife wants a limited universe of things that will distract/irritate her in her account, so I hide things from her. Your approach makes sense in your situation, however, from what I’ve heard, some applications are persnickity about not being installed in /Applications. This shouldn’t be an issue, but but apparently sometimes is, so it may be something to at least keep in mind.

As far as sudo, I think that the warning that comes up the first time that you use it says it all…

…but I was using sudo to (try to) explain why admin accounts are different than root accounts. When you are authenticating an install by typing your password into the GUI, you are essentially authorizing super-user privileges for your process, just like when you use sudo. (You may be _literally_ doing that. I don’t know.) This is different, from a security standpoint, from just being logged in as root. Plus, as mentioned above, Mac has an extra level of protection in restricting some things to single-user console mode root access — even if you _are_ in a root shell, you cannot do some things in OS X.

I have my account with Full Admin Access Privs. I then allow my Wife’s account to “install” software into her account. I don’t want to have access to that software. But 90% of all Apps are installed by the Admin into the Applications folder for All to access. I also have a Guest account for well guest. no install allowed. And of course i have a Virgin Account. I have used this method since day one of Mac OS X. I have never used my ROOT access *except* with caution to perform some special installs and tinkering… say mySQL installs. There is very few times you need to use SUDO, and if you do … trend at your own risk.

Please explain or at least give me a cite to any source describing a potential security breach taking advantage of this scenario. I’m not saying that Mac OS is invulnerable, I’m saying that I don’t see how this specific usage scenario creates a vulnerability. All I am hearing from everyone is “maybe this will protect you from some potential threat, and it is not such a hassle, so why not do it?” Which is true, but also a slippery slope. It is not such a hassle to open an internet connection only when you need it, so why do most people have always up internet connections? Because people thought about it, and decided that the convenience was worth it.

Folks, there may not be any malicious exploits in the wild RIGHT NOW, but there will be. Security researchers are finding holes in the Mac OS on a fairly regular basis now, and some of them do allow at least current logged-in user access.

If you are running as admin, then you are screwed! They can mess with the whole bannana, but as a user level account, they can only mess with that account.

That’s why the safety is with being user level most of the time.