| From | Jolly Roger <jollyroger@pobox.com> |
|---|---|
| Newsgroups | comp.sys.mac.system |
| Subject | Re: System error or Firefox error? |
| Date | 2016-10-05 03:18 +0000 |
| Organization | People for the Ethical Treatment of Pirates |
| Message-ID | <e5j9opF1qa7U2@mid.individual.net> |
| References | (6 earlier) <1mujj7q.15u0dlgya74fkN%dempson@actrix.gen.nz> <nssvba$16oe$1@gioia.aioe.org> <MsKdnZIMJL9oj2nKnZ2dnUU7-YXNnZ2d@earthlink.com> <e5iqvfFtbcsU1@mid.individual.net> <RtGdnSJHt_67yWnKnZ2dnUU7-N2dnZ2d@earthlink.com> |

On 2016-10-05, Paul Magnussen <magiconinc@earthlink.net> wrote:
> Jolly Roger wrote:
>
>> There's no reason for any of that nonsense. Have one admin account,
>> share the password between you and your wife, then whenever an
>> application asks for the admin user name and password, either of you can
>> provide it without having to log into any other account.
>
> So if the wife is to have my admin password, what's the advantage over
> simply giving her account admin privileges, as at present?

The initial user account Mac OS X creates during installation is an administrator account, because at the bare minimum you do need to have at least one administrative account on the machine.

A lot of Mac users probably don't realize it, but you can accomplish all administrative tasks from a non-administrative account in Mac OS X. Mac OS X prompts normal users for the user name and password of an administrator when you attempt to do something that requires escalated privileges. So while you do need to *have* an administrator account, there's really not much of a reason to log in as administrator for day-to-day use.

Why is it a good idea to avoid logging directly into your administrator account in Mac OS X? Well, besides the fact that you can do most any administrative task from a non-administrative account, there are security reasons having to do with a widely accepted principle of "least privilege" (<https://en.wikipedia.org/wiki/Principle_of_least_privilege>). It's always a good idea to run with as few escalated privileges as possible, because it reduces the chance of privilege escalation accidents while also reducing the impact of privilege escalation accidents should they occur.

While you certainly could use an administrative account daily without adverse effects, even for months or years without incident, it's the one time it matters that you may want to be concerned about.
For instance, I can't tell you how many times I've seen Mac users ask for help because they accidentally deleted some file on their system they might not have deleted so easily had they not been using escalated privileges at the time.

When you are logged in as administrator or root, everything you do and every program you run (directly or indirectly, purposefully or inadvertently) is executed with administrative or root privileges - meaning it automatically has access to more parts of the system than standard user accounts. This means if you make a mistake while changing, moving, or deleting system files, or running programs, or worse, if you unknowingly run a trojan / worm in your administrative account, you can damage and alter critical system files with little or no protection or acknowledgment from the system.

While the majority of the files in your home folder are owned by you, lots of files and folders in Mac OS X are owned by the "admin" group, of which every administrative account is a member. When you are logged in as a normal user, Mac OS X will not allow you to modify such parts of the system without first entering the user name and password of an administrative account. This is an additional layer of security you won't have if you are running as administrator. In contrast, when you are logged in as administrator, Mac OS X allows you to change, move, and delete such files and folders without question. And when you are logged in as root, you are given even more power since the system allows you to change *all* files on the entire system without question.

I think the reason Apple doesn't give this advice to all Mac users is probably because the long explanation needed to convey the reasons for it and how to do it would probably not be very well received. Most users don't know enough about security issues to understand, and frankly, most just don't want to be bothered.

Apple probably could automate the creation of an initial administrative account and a non-administrative account, but if users aren't properly educated about the issues involved, there's no guarantee they would actually use them properly. It's more involved than just offering a one-liner of advice in a user's guide. ; )

But if you need to hear it from a more credible source than some dude on the internet, here's what Apple themselves have to say about it (from page 61 of the Mac OS X Security Configuration Guide @ http://tinyurl.com/augt3w):

"Unless you need administrator access for specific system maintenance tasks that cannot be accomplished by authenticating with the administrator's account while logged in as a normal user, always log in as a non-administrator user. Log out of the administrator account when you are not using the computer as an administrator. Never browse the web or check email while logged in to an administrator's account."

So, a secure thing to do is to create an account just for administration, then remove administrator privileges from your day-to-day account. Here's how to do it:

First, open and unlock the System Preferences > Accounts panel.

1. Open System Preferences.
2. Click Users & Groups (or Accounts).
3. Click the lock icon to unlock the panel (if needed).

Next, create a new administrator account:

1. Click the [+] button. A new user account sheet appears.
2. If you are running Mac OS X 10.5 or later, from the New Account menu at the top, choose Administrator.
3. In the Name text box, enter a name, such as "Administrator" (without quotes). While I personally find "Administrator" to be handy, there is nothing special about this name. Just pick something you can remember.
4. In the Short Name text box, enter a short name, such as "admin" (without quotes). While I personally find "admin" to be handy, there is nothing special about this name. Just pick something you can remember.
5. In the Password text box, enter a secure password.
   If you need help creating a secure password, click the little key icon next to this text box and an assistant will help you come up with a secure password. Personally, I prefer to use an entire phrase (with appropriate spacing, capitalization, and punctuation) as my password. I try to pick phrases that contain one or two numbers or special characters. The goal is to pick a password phrase that you will easily remember, and easy to type, but will be difficult to guess.
6. In the Verify text box re-enter the secure password.
7. If you are running Mac OS X 10.4 or earlier, check the "Allow user to administer this computer" checkbox.
8. Click Create Account.

Next, remove administrator abilities from your normal user account:

1. Log out of your normal user account, and log into the new administrative account you just created.
2. Open System Preferences.
3. Click Accounts.
4. Click the lock icon to unlock the panel (if needed).
5. From the account list on the left side of the Accounts panel, highlight your normal user account name.
6. Clear the "Allow user to administer this computer" checkbox.
7. Log back into your normal user account.

That's it. Now whenever you are asked for an administrator account's credentials, you can enter the administrator user name and associated secure password.

-- 
E-mail sent to this address may be devoured by my ravenous SPAM filter.
I often ignore posts from Google. Use a real news client instead.

JR
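
Added example, not part of the original post: a shell check of "admin" group membership to run before and after the demotion steps above, so the only administrator account is never the one being demoted. The short names "admin" and "paul" and the sample line are constructed; on a Mac the line comes from dscl as shown in the comments.

```shell
#!/bin/sh
# Added example: inspect admin-group membership around the demotion procedure.
# On macOS the input line comes from:
#   dscl . -read /Groups/admin GroupMembership
# SAMPLE is a constructed line in that format, used when dscl is absent.
SAMPLE='GroupMembership: root admin paul'

# Print the admin group's members, one per line, from a dscl output line.
admin_members() {
    printf '%s\n' "$1" |
        sed -n 's/^GroupMembership:[[:space:]]*//p' |
        tr -s ' ' '\n' | sed '/^$/d'
}

# is_admin LINE USER: succeeds if USER is listed in the admin group.
is_admin() {
    admin_members "$1" | grep -Fqx -- "$2"
}

# other_admins LINE USER: count admin members other than USER and root.
other_admins() {
    admin_members "$1" | grep -vFx -e root -e "$2" | wc -l | tr -d ' '
}

# check_account LINE USER prints one of:
#   standard        USER is not an administrator (the desired end state)
#   safe-to-demote  USER is an admin and a separate admin account exists
#   last-admin      USER is the only non-root admin; create another first
check_account() {
    if ! is_admin "$1" "$2"; then
        echo standard
    elif [ "$(other_admins "$1" "$2")" -gt 0 ]; then
        echo safe-to-demote
    else
        echo last-admin
    fi
}

# Live check for the current login; falls back to SAMPLE off macOS.
if command -v dscl >/dev/null 2>&1; then
    line=$(dscl . -read /Groups/admin GroupMembership)
else
    line=$SAMPLE
fi
echo "$(id -un): $(check_account "$line" "$(id -un)")"
```

The script reads only direct members of the group; `dseditgroup -o checkmember -m <shortname> admin` gives the per-user answer with nested groups resolved.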