Security vs. Convenience

36 Comments

My Powerbook’s hard drive died last summer, so when I rebuilt it I set up three users: one as the “Super Duper All Powerful” User, one for my day job (“mike-work”) and one for my personal stuff (“mike-home”). The Admin user is only used for system upgrades and installing software. I don’t have to worry about any kind of rogue software that I run doing bad things to the entire system, just the one user. I use Retrospect to keep things backed up to my iMac. This setup worked very well.

Well, I’m no longer working for the non-profit I used to work for. I’m now a stay-at-home contractor, and loving it. Which means I don’t need two separate work and home accounts. I’m wondering if I should re-install my computer with only one user, and run everything as the Super Duper All Powerful User, or if I should have the admin user, and one account that is for my day to day usage. While the security of using a non-admin user for daily tasks is important, the loss of convenience is a bit of hassle. I’d love to hear the thoughts of other Mac users and experts out there about the balance of security and convenience.

Paul

Vanni,

Still not clear how the “virgin” account works. Are you using the preferences pane to limit that account’s access to software?

The “wife account” is an approach that I take in reverse — my wife wants a limited universe of things that will distract/irritate her in her account, so I hide things from her. Your approach makes sense in your situation; however, from what I’ve heard, some applications are persnickety about not being installed in /Applications. This shouldn’t be an issue, but apparently sometimes is, so it may be something to at least keep in mind.

As far as sudo, I think that the warning that comes up the first time that you use it says it all…

…but I was using sudo to (try to) explain why admin accounts are different than root accounts. When you are authenticating an install by typing your password into the GUI, you are essentially authorizing super-user privileges for your process, just like when you use sudo. (You may be _literally_ doing that. I don’t know.) This is different, from a security standpoint, from just being logged in as root. Plus, as mentioned above, Mac has an extra level of protection in restricting some things to single-user console mode root access — even if you _are_ in a root shell, you cannot do some things in OS X.

vanni

@Paul:
> interesting approach, although I have heard reports of issues with some applications when they are installed in home folders. Is that what you are doing, or are you limiting access to applications in the /Applications folder through the accounts management tool?

I have my account with Full Admin Access Privs. I then allow my Wife’s account to “install” software into her account. I don’t want to have access to that software. But 90% of all Apps are installed by the Admin into the Applications folder for All to access. I also have a Guest account for, well, guests. No install allowed. And of course I have a Virgin Account. I have used this method since day one of Mac OS X. I have never used my ROOT access *except* with caution to perform some special installs and tinkering… say mySQL installs. There are very few times you need to use SUDO, and if you do … tread at your own risk.

Paul

rahrens:

Please explain or at least give me a cite to any source describing a potential security breach taking advantage of this scenario. I’m not saying that Mac OS is invulnerable, I’m saying that I don’t see how this specific usage scenario creates a vulnerability. All I am hearing from everyone is “maybe this will protect you from some potential threat, and it is not such a hassle, so why not do it?” Which is true, but also a slippery slope. It is not such a hassle to open an internet connection only when you need it, so why do most people have always up internet connections? Because people thought about it, and decided that the convenience was worth it.

rahrens

I have to agree with Christian Kaas, here.

Folks, there may not be any malicious exploits in the wild RIGHT NOW, but there will be. Security researchers are finding holes in the Mac OS on a fairly regular basis now, and some of them do allow at least current logged-in user access.

If you are running as admin, then you are screwed! They can mess with the whole banana, but as a user level account, they can only mess with that account.

That’s why the safety is with being user level most of the time.

Joey Livingston

I don’t think it’s that inconvenient to run as a non-admin. I learned this practice from some Macintosh security expert (whose name eludes me at the moment), who also told me that, although a password is usually required even from an admin to do critical operations, this is not always the case. There is a way for a potentially damaging process to run without asking for your password first, if you are an admin. But if you are a standard user, this can’t happen.

Running as a standard user is a minor inconvenience for me, but the trade-off is a little extra boost in my confidence in the security of my machine.

Steven Jobs

I use the admin account all the time. You can do stupid things like you used to do in Vista or XP, but if you have to be careful you will be prompted with a password box. This is the way I like it the most: all the rights, but you have to confirm it (not the way Vista does it!)

ps i still have to change this name but it won’t let me lol

Christian Kaas

Run your day to day work as a normal user.
Even if there ever is malicious software out there (I am pretty damn sure it will show up), it will only be able to infiltrate that account, as all other areas of your hard drive are protected.
Program updates with a non-admin account are no pain: you just identify yourself by typing in username and password.
Also there’s no need to install a new user.
I’m back from Windows to the Mac after a 12 year diaspora, and some rules used in the Windows world to prevent malicious software aren’t bad!
As a general rule always use the highest possible security configuration and you will stay safe and happy.
For example I have all my personal information in an encrypted disk image (which is located in the Documents folder) mounted on the desktop. I can save password files there with no hassle.
I ALWAYS lock my Mac when leaving – it locks itself after 5 minutes. Keep your data and machine safe!

Jordan

I use my admin account as my personal account. Why would I need separate accounts for everyday stuff and administration??

mdmunoz

There is no added risk in using an admin account unless your password is a matter of public record.

Just don’t use a root account day-to-day.

And yes, as has already been said, those are two different things.

Christian

Keep using a non-admin account; it’s a no-brainer security wise, whether it’s a precaution against local abuse or a possible future virus or hijack threat.

So you very infrequently have to stuff in the admin username and password. Big Deal – small price to pay for peace of mind.

And yes, you should be using SuperDuper and not Retrospect…..

Paul

Twist: Does that enable su root at the command line as well? Interesting. Although I absolutely cannot imagine why you would want to be in the GUI as root…

Sachin: What security? Yes, this is received wisdom, but I think that the reasoning behind the advice is to limit new users’ access to their own machines, as opposed to limiting access by potential malicious intruders.

Sachin

Though I only switched to a Mac in September, one thing I was quickly advised to do was to use a Standard account for my day-to-day usage, and only touch the Admin account when absolutely necessary. The only downside is having to type in the Admin password every time I copy an app into the Apps folder. But security comes at a small price.

Mike

I don’t even use Terminal all that much, so I don’t even think it matters – just have the one account for both. That’s what I have at home; I would get sick of changing accounts! I just wish separate copies of Mail could be configured to only receive mail from certain aliases, that’s all!

Steve

Let your normal user be an admin (as others have stated, this is not the same as root). It’s pretty hard to do stupid things in OS X that will trash the computer. It’s just not worth the hassle to have your day-to-day user not have admin privs. Some installers don’t give you the option of installing for all users or just the current user, and they install only for the current user, so then you have to login as each user and run it again. Running as a non-admin is overkill paranoia. I’d suggest using a non-admin user if you have little kids around who aren’t smart enough to stay off your Mac and you’ve manually set all passwords in your keychain to automatic (no confirmation).

Stephen Paul

I used to always log in as an admin, but then realized the absolute stupidity. I now have three accounts – One Admin, one normal user, and one Guest, which is restricted to only run Safari, Word, Rita (a drawing app), and a Game, so that I don’t have to worry about my little brother or anyone else messing with my settings. The Guest user is actually my most important user because I really, really hate it when any settings are off. Really. Like, to the point that I’m completely unproductive when my Safari window is a few pixels off of its normal place and size (almost full screen with just a small amount of room on the right so that I can comfortably access my dock).

Michael Clark

The only times this has been annoying is when I open an application, and it checks and finds an update. I don’t let it install the update, because I’m worried it may somehow screw up the application’s permissions. So what ends up happening is once a week or so I log out of my mike-home account into my Admin account, and do tons of updates.

Right now I’m leaning towards the two account system, one as the Admin account, and one as a do-everything-here account.

Twist

I have a couple of single user machines and I just login to a normal admin account on both of them. I have found in the past that Software Update can do some wonky things if you try to run it from a non-admin account (even when you authorize it with an admin username/password) and so do many application and driver installers. I have been running with my personal account as an admin account since 10.2 with no problems (and I ran 10.1 as a root user with no problems either). I agree with all the points that Margaret made, although I run as an admin on my laptop as well as my desktop. If you are worried about it getting stolen and someone having access to your account it would be better to set it up to logout on sleep than to use different accounts. And in the end if they have your hardware you are pretty much screwed anyway since your password can easily be reset with the Mac OS X install disc. If you are super paranoid use FileVault (or better yet don’t do stupid things like walk away from your laptop in a public place).

P.S. Yes, you can log in to the GUI as a root user. You first have to enable it in NetInfo Manager and, unless they have changed stuff, you have to set the login window to ask for the username and password instead of having it choose from a list. I really have no idea why you would bother with root access on a Mac though. I haven’t needed to access anything as a root user since 10.1.

Paul

Clair,

Yes, in this sense, the Mac “lets you be root.” It would have been more accurate to say that the Mac doesn’t let you log in as root, by default. However, there still are some heavy lifting “root only” things that you cannot do in that root shell unless you are in single-user console mode. Granted, I have had to do this exactly once.

Folks,

And I still do not see the harm in giving admin privileges to my working account. If this is a serious security problem, I genuinely would like to know _why_.

Margaret

I’ve always used an admin account as my main account because (1) it’s a desktop in a home office and only I have access to it; (2) I take good precautions to keep my network secure; (3) I’m a knowledgeable Mac user and know what boneheaded moves are likely to be dangerous; (4) I regularly install software; (5) I use lots of Adobe products; (6) I am totally sick of being asked for passwords; (7) no one’s been able to give me a single dangerous and PLAUSIBLE scenario when running admin; (8) Mac pundits seem to always say “don’t run admin” but then their main login accounts are admin accounts.

I may rethink this when I switch to a laptop as my main machine — but only if I start carrying it around regularly.

Clair

On the subject, you don’t need to enable the root account to get a root shell. I only do this when I absolutely have to (which is round about never)…

sudo -s

Harper

I created a separate admin account (not named admin) and removed admin privileges from my user account. When I do something that requires admin privileges I have to type the name of the admin account as well as the password rather than just typing the pwd. Some apps, like Adobe CS2, won’t let you check for updates unless you login as an admin.

Minor inconveniences but worth it for the extra peace of mind.

I also have Secure VM and FileVault turned on, and I have super-long and complex passphrases.

Paul

vanni – interesting approach, although I have heard reports of issues with some applications when they are installed in home folders. Is that what you are doing, or are you limiting access to applications in the /Applications folder through the accounts management tool?

Paul

Oh, yeah, one thing that I didn’t mention is that an admin account can change preferences through the GUI (including sharing preferences, account preferences, etc.) without having to retype the password. So if someone has physical access to your computer, and you leave it logged in to an admin account and unattended, they could do malicious things like add an account that they would have access to and change your firewall settings, without having to unlock preferences. I don’t see that being a problem in the scenario described above, but it would be something to consider in a work setting.
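Where that re-authentication rule actually lives, as an added example that is not part of the original thread: the behaviour Paul describes is governed by the `system.preferences` right in the authorization database, which `security authorizationdb read system.preferences` prints as an XML plist. Its `shared` flag lets one successful admin authentication be reused by other preference panes instead of asking again (the Security preference pane’s “require password to unlock each secure system preference” option flips the same switch). The Python below reads such a plist, reports whether an admin will be asked to authenticate afresh, and emits a hardened copy with `shared` turned off. The sample plist is constructed here to match that shape and is not copied from any particular OS X release; its comment string is invented.

```python
"""Inspect and harden the authorization right behind System Preferences.

Added example, not code from the original thread. It operates on the XML
plist that `security authorizationdb read system.preferences` prints. The
SAMPLE_RIGHT below is constructed by hand to have that shape; the comment
string inside it is invented.
"""
import plistlib
import sys

# Constructed sample: `shared` is true, so one successful admin
# authentication is reused by other panes instead of being asked for again.
SAMPLE_RIGHT = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>class</key>
    <string>user</string>
    <key>comment</key>
    <string>Constructed sample of the system.preferences right.</string>
    <key>group</key>
    <string>admin</string>
    <key>shared</key>
    <true/>
    <key>timeout</key>
    <integer>2147483647</integer>
</dict>
</plist>
"""


def right_settings(plist_bytes: bytes) -> dict:
    """Pull out the fields that decide who may unlock a pane and for how long."""
    right = plistlib.loads(plist_bytes)
    return {
        "class": right.get("class"),
        "group": right.get("group"),
        "shared": bool(right.get("shared", False)),
        "timeout": int(right.get("timeout", 0)),
    }


def requires_fresh_auth(plist_bytes: bytes) -> bool:
    """True when an admin is asked for the password for each locked pane."""
    return not right_settings(plist_bytes)["shared"]


def harden(plist_bytes: bytes) -> bytes:
    """Return a copy of the right with credential sharing switched off.

    Every other key (class, group, timeout, ...) is preserved so that writing
    the result back with `security authorizationdb write` changes nothing else.
    """
    right = plistlib.loads(plist_bytes)
    right["shared"] = False
    return plistlib.dumps(right)


def main() -> None:
    # Filter mode: read the right on stdin, write the hardened right on stdout.
    # With no piped input, fall back to the constructed sample.
    data = sys.stdin.buffer.read() if not sys.stdin.isatty() else SAMPLE_RIGHT
    print(f"fresh auth required before: {requires_fresh_auth(data)}", file=sys.stderr)
    out = harden(data)
    print(f"fresh auth required after:  {requires_fresh_auth(out)}", file=sys.stderr)
    sys.stdout.buffer.write(out)


if __name__ == "__main__":
    main()
```

To apply it on a real machine, pipe the right through the script and back: `sudo security authorizationdb read system.preferences | python3 harden_prefs.py | sudo security authorizationdb write system.preferences` (the `write` subcommand takes the plist on stdin when no rule name is given). Only `shared` is changed; the `timeout` value is left alone so the edit is easy to reason about and to revert.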

Honza

There’s no need to be root for any day to day usage.

Log in as yourself (normal guy) and when something needs admin/root access it will ASK for it.

I am a unix guy, and I know what I’m doing around the shell, and I don’t even use root unless what I need to do can’t be done as me. OK, I don’t use ‘sudo’ cos I enabled the root account, but generally you shouldn’t do this.

Paul

Um…

An administrative account is not a root account. You still get asked for a password nearly every time that you do anything that you would have to sudo as an ordinary user at the command line (the only exceptions that I can think of being read and write privileges in, e.g., the Applications folder). Mac doesn’t even let you be root. It just lets you grant or deny sudo power to an account. What’s the harm in having that account also be your work account?

It’s easy to go around calling people stupid, but it would be _helpful_ to give us ordinary, stupid people examples and explanations in response to their questions, right? Exactly what is the risk that you run by doing your work (email, word processing) in an account with sudo privileges? Are you afraid that you’ll accidentally open terminal.app and type sudo rm -r * and then your password?

The only problem with this approach that I can think of is if you enable ssh (off by default) and do something that will allow people to guess the name of your admin account, which would give them a target for a dictionary attack. Which will fail, unless you have a bad password.

What am I missing?
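The dictionary-attack scenario Paul raises above is easy to spot in the log, as an added example that is not part of the original thread: sshd logs every failed and accepted login with the account name and source address, so a burst of failures from one address, especially one that ends in an `Accepted` line for an admin account, is the signature to look for. The Python below parses such lines and reports which sources crossed a threshold, whether they aimed at an admin account, and whether they eventually got in. The log lines, host name, account names (`mike-admin` standing in for the admin account) and addresses are all constructed for the example.

```python
"""Spot password guessing against ssh from sshd's syslog lines.

Added example, not code from the original thread. SAMPLE_LOG is constructed
in the format sshd writes to the system log; host, users and addresses are
invented. ADMIN_ACCOUNTS stands in for whatever accounts are in the admin group.
"""
import re
from collections import defaultdict

ADMIN_ACCOUNTS = {"mike-admin"}  # assumed admin account name

# Constructed sample: a guessing run that succeeds against the admin account,
# one fat-fingered login by the owner, and a scan using non-existent users.
SAMPLE_LOG = """\
Mar  3 02:11:07 powerbook sshd[4412]: Failed password for mike-admin from 203.0.113.7 port 51342 ssh2
Mar  3 02:11:09 powerbook sshd[4412]: Failed password for mike-admin from 203.0.113.7 port 51342 ssh2
Mar  3 02:11:12 powerbook sshd[4415]: Failed password for mike-admin from 203.0.113.7 port 51350 ssh2
Mar  3 02:11:14 powerbook sshd[4415]: Failed password for mike-admin from 203.0.113.7 port 51350 ssh2
Mar  3 02:11:20 powerbook sshd[4419]: Accepted password for mike-admin from 203.0.113.7 port 51361 ssh2
Mar  3 08:02:41 powerbook sshd[4601]: Failed password for mike-home from 192.0.2.10 port 50122 ssh2
Mar  3 08:02:49 powerbook sshd[4601]: Accepted password for mike-home from 192.0.2.10 port 50122 ssh2
Mar  3 09:15:02 powerbook sshd[4702]: Failed password for invalid user admin from 198.51.100.9 port 40010 ssh2
Mar  3 09:15:03 powerbook sshd[4703]: Failed password for invalid user test from 198.51.100.9 port 40011 ssh2
Mar  3 09:15:04 powerbook sshd[4704]: Failed password for invalid user oracle from 198.51.100.9 port 40012 ssh2
"""

# One pattern covers both outcomes; "invalid user" appears when the account
# does not exist at all.
LINE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line: str):
    """Return (result, user, source) for a login line, or None for anything else."""
    m = LINE.search(line)
    if not m:
        return None
    return m.group("result"), m.group("user"), m.group("src")


def find_guessing(log_text: str, admin_accounts=ADMIN_ACCOUNTS, threshold: int = 3):
    """Group failures by source address and report the sources at or over threshold.

    A source is flagged with the accounts it tried, whether any of them is an
    admin account, and which accounts it logged in as after earlier failures
    (the case that means the guessing worked).
    """
    per_src = defaultdict(lambda: {"attempts": 0, "users": set(), "succeeded_as": set()})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        result, user, src = parsed
        rec = per_src[src]
        if result == "Failed":
            rec["attempts"] += 1
            rec["users"].add(user)
        elif rec["attempts"] > 0:
            # Success only counts as suspicious once failures preceded it.
            rec["succeeded_as"].add(user)

    findings = []
    for src, rec in sorted(per_src.items()):
        if rec["attempts"] < threshold:
            continue
        findings.append({
            "source": src,
            "attempts": rec["attempts"],
            "admin_targeted": bool(rec["users"] & admin_accounts),
            "succeeded_as": sorted(rec["succeeded_as"]),
        })
    return findings


if __name__ == "__main__":
    for f in find_guessing(SAMPLE_LOG):
        verdict = "COMPROMISED" if f["succeeded_as"] else "guessing"
        print(f"{f['source']}: {f['attempts']} failures, admin targeted={f['admin_targeted']}, "
              f"{verdict} {f['succeeded_as']}")
```

The owner’s single typo from 192.0.2.10 stays under the threshold, the scan from 198.51.100.9 is reported as guessing against accounts that don’t exist, and 203.0.113.7 is reported as a run against the admin account that ended in an accepted login. The cheap fix for the exposure Paul describes is in sshd_config rather than in account layout: `PasswordAuthentication no` removes dictionary attacks entirely, and `AllowUsers` limited to the non-admin account keeps the admin account off the network even if its name leaks.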

vanni

Always keep one user as a “virgin” account, pure as the day the computer was uncrated. Your regular account can also be the Admin account… i.e. the one that authorizes installation of programs. You can then choose to install “other” software only for this user. The “virgin” account only runs software that came with the machine. This way you can tell if the problems you may be having have to do with recently installed apps or utilities etc.

Adam Wolf

The Mac default of having your day-to-day user be an admin account has all the power of Unix, and all the stupidity of Windows.

Rich

There is no way you should ever use the root account (your super duper all powerful guy :) ) as your day to day login. It’s good practice to only use it when needed.
