best practice: standard vs administrator

evolutionkid

Registered
I couldn't find a thread that addressed this topic already, so I'm throwing it out there for discussion...

Background: I'm a former Windows user (at home anyway, I still have to use it at work), I switched a little over a year ago. I've done tech support for a long time, and I'm a self-declared "power user" in Windows (comfortable editing the registry, using the MS-DOS shell, etc). I've never dealt with spyware or viruses on my own Windows machines, and have often helped others rid their Windows boxes of that stuff.

I still feel somewhat new to the Mac/OSX world, but I'm getting better. I'm slowly getting comfortable with Terminal.app and UNIX commands. I decided a long time ago that as a security "best practice" I would run my OSX user account as a standard user. I realize that there are currently no known viruses/malware for OSX, but I guess I just figured I'd play it safe in case something shows up in the wild one day. I created a separate administrator account and I only use it when absolutely necessary. So far that's been fine -- I can still install software etc., I just have to provide the admin credentials first. If I have to 'sudo' to do something, I just log into that admin account and do it from there. I've only run into a couple of problems with this, and they're minor. One example is that Software Update behaves weirdly when you're a standard user -- I figured out that it reads from and writes to a system-wide prefs file that I don't have write access to as a standard user. Also, sometimes it's annoying to have to switch user accounts just to run a simple 'sudo' command. Anyway, here's...

The Point: What do you long time OSX users think of running as standard vs. administrator? Am I just being paranoid about threats that don't exist? I've heard that even if I were running as administrator in OSX, I'd still have to provide credentials to touch anything system critical...is that true? Is it possible that I (or some yet-to-be-devised malicious software) could 'accidentally' touch system or kernel level files if I run as admin, or would I *always* have to provide 'sudo' credentials to do any real damage? What are your thoughts? Any articles on the web you can link to regarding this?

Thanks for chiming in, I'm curious as to what people think about this...
 
Hello!

I think it is important to not confuse "Admin Privileges" with a Linux ROOT account or a Windows "ADMINISTRATOR" account. The flag for admin privileges in OS X simply means that the user has the power to do things which could be damaging to the system. But, since you are not logged in as root, you will still have to provide your password credentials when you go to make changes to various settings, sudo commands for things via terminal, etc.

In the Linux world, you typically don't want your primary user account to be root. It would be best to either SU to root or use sudo to accomplish what it is you want to do.

OS X institutes this "Best Practice" by default. In fact, you can't even SU to root, unless you specifically set it up so you can do that. By having Admin privileges, it simply means, you have the power to sudo various commands, make changes to network configs, etc.
 
Best practice would be to create two users. The first one, automatically created at install time, would be the admin account. You then add another account which is _not_ an admin, but a "normal" user account. You'd use that one to do all of your work. When Mac OS X asks you for admin privileges, you'd enter the user name and password of the _admin_ user.
 
Best practice would be to create two users. The first one, automatically created at install time, would be the admin account. You then add another account which is _not_ an admin, but a "normal" user account. You'd use that one to do all of your work. When Mac OS X asks you for admin privileges, you'd enter the user name and password of the _admin_ user.

The only problem with this is you have to switch to your admin account in order to do any system maintenance. Kind of a hassle...but I do have two user accounts.
 
The all-powerful Root user is the only one who can do deep level system stuff, and it's not the easiest thing to do to get into the Root user. It's certainly not possible to do by accident, and it also should be used very carefully.

A standard admin account can do everything else: install stuff, etc.
 
As long as you play it safe, you should be fine as an Admin. You can create a limited account, but it will be a hassle to change things. I live on the edge, and use an administrative account. (I do have backups, though)
 
You don't have to switch to an admin user in order to do administrative tasks. It'll prompt you for an admin name and password, just like it would when using an admin user. The difference is that this time, you'll enter _another_ user's name (the admin's) and password. The important thing is that being logged in as a normal user, you can do less harm to the system. Even without authentication, an admin user can still wreak too much havoc if you want to be safe.

And hey: This is not about things _you_ might do as an admin, only. It's about scripts you might download from the 'net. It's about worms that might one day be created for Mac OS X etc. ...
 
First, I will say that I have precisely one user account on my machine, which is obviously an admin account. I do have backups, though and I've finally managed to do these routinely and to do these for my entire volume. (I acquired an external drive.) In particular, my system is backed up completely almost every day.

Apple's use of sudo is *not* consistent with the original purpose of this command. There are *no* limitations on the commands an admin user can run via sudo. Indeed, one can do "sudo su root" if one has enabled the root account and then forgotten the password. If the account is not already enabled, it can be enabled from the command line using a similar trick. This means that any programme which can get sudo access can get everything. Moreover, sudo has a timeout of 5 minutes. This means one only has to supply a password every five minutes. So, if one has sudoed something and not deauthenticated, there are five minutes during which any programme can sudo _anything_ without providing the admin password. It makes no difference, so far as I know, if one has changed to another account first. To deauthenticate, do "sudo -k". This will force the next sudo command to be reauthenticated via a password check.

Anytime you give your admin password to an installer, it can do anything it likes to your system. So, whoever you are logged in as, one key is to be very, very reluctant to give installers your admin password. I especially dislike doing this with packaged software I haven't compiled myself. If I can avoid doing so, I do and I almost always look through the package before installing so I have some idea what it is going to do. If it plans to put something in /usr/bin, say, it gets installed only if I am very confident it is safe and very sure I cannot (easily) avoid it. Even then, I immediately move whatever it is to /usr/local/bin if possible.

I do install software in /usr/local as root. This has disadvantages. I used to use a normal standard account for installing in /usr/local. That is, my normal account was an admin account, but I switched to the standard account for installs. This turned out to be rather complicated, though, and the system kept reverting my permissions back to what they "should be". In addition, some things needed to be installed as root for security reasons etc., so I gave this up in the end even though I'd recommend it if you can stand dealing with the complications. (I got this idea from a book.)

I do almost always install command line things by doing "make -n install..." before doing make install as root, but I'm not claiming this is adequate protection.

Another thing I do is ensure that none of my browsers open files but always download everything. Everything gets downloaded to a directory where it is scanned for viruses. If it is clean, it gets moved to another directory. If not, it gets left there for further investigation. When possible, I confirm checksums and signatures of software. This is apparently not very common. When Apple redid a security download without updating the checksum, I was evidently the first (only?) person to question this even though I did not install it immediately.

I use clamav (antivirus), rkhunter (a rootkit hunter), tripwire (which I would like to replace with something more manageable), snort (an IDS) and monit (to monitor processes and to try to restart them if possible). I use anacron to run rkhunter, tripwire, monit, freshclam and assorted other jobs, as well as the cron jobs, automatically. I also mostly use pine for email which, among other things, makes it a bit harder to catch an email virus. (This isn't why I use it, but it is a nice side-effect.) This proves, I think, that I am perfectly capable of paranoia in my own right.

I would say that if you are going to need to switch to the admin account extremely frequently, the additional security is likely not worth the hassle as it will be minimised by the frequency of switching anyway. On the other hand, if you don't need to switch that often, the extra safety might be worth the slight inconvenience. In addition, if you are not yet comfortable with the system and, especially, if you are using the command line but not very used to unix commands yet, the case for a standard user account is fairly strong. (A case of do what I say, not what I did.) I have rendered my computer unbootable. I have also used my knowledge to render an unbootable computer bootable (and not only when I rendered it unbootable in the first place). There are some things you might want to configure in unix to give yourself a bit more security from yourself. I have created an alias for myself which maps mv to mv with a no-overwrite option. This prevents me accidentally overwriting files.

The safest way to handle the root account is often thought to be to briefly enable it, set the password and then disable it. I take no notice of this, but I'm not convinced sudoing is any safer for the reasons given above. This appears to be a minority view, though, so take it with a good pinch of salt.

- cfr
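Three of the habits cfr describes above, written out as an added shell example (not code from the thread or from any project): checking and dropping the cached sudo ticket, the no-overwrite mv, and screening an installer's file list before handing it the admin password. The payload listing is constructed, and the `pkgutil` and sudoers details are assumptions about current macOS and sudo behaviour.

```shell
#!/bin/sh
# Added example, not from the thread: helpers for three habits cfr
# describes. Assumes a POSIX sh with sudo and mv on the PATH.

# 1. sudo caches an authentication ticket (the thread cites 5 minutes),
#    during which anything running as you can sudo without a password.
#    `sudo -n -v` refreshes the ticket non-interactively and fails when
#    none is cached, so it doubles as a check; `sudo -k` discards it.
#    To remove the grace period altogether, set in sudoers (via visudo):
#        Defaults timestamp_timeout=0
sudo_ticket_cached() { sudo -n -v 2>/dev/null; }
drop_sudo_ticket()   { sudo -k; }

# 2. The "mv with a no-overwrite option" habit. BSD and GNU mv accept -n
#    (never clobber an existing destination); this wrapper also fails
#    loudly instead of silently skipping. For daily use: alias mv='mv -n'
safe_mv() {
    if [ -e "$2" ]; then
        echo "safe_mv: refusing to overwrite $2" >&2
        return 1
    fi
    mv -n "$1" "$2"
}

# 3. Looking through a package before giving it the admin password.
#    On macOS, `pkgutil --payload-files foo.pkg` lists what an installer
#    will write. Feed that list here to print every path outside the
#    prefixes a user-level install should touch (/usr/local, /opt/local,
#    /Applications, home directories); a hit under /usr/bin or
#    /Library/LaunchDaemons deserves a closer look before installing.
flag_system_paths() {
    while IFS= read -r p; do
        case "${p#.}" in
            /usr/local/*|/opt/local/*|/Applications/*|/Users/*) ;;
            /*) printf '%s\n' "$p" ;;
        esac
    done
}

# Constructed sample listing (not from a real package) for demonstration:
SAMPLE_PAYLOAD='./usr/local/bin/tool
./usr/bin/tool
./Library/LaunchDaemons/com.example.agent.plist
./Applications/Tool.app/Contents/MacOS/Tool'

if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_PAYLOAD" | flag_system_paths
fi
```

Running the script with `demo` prints the two paths from the sample that fall outside the user-serviceable prefixes.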
 
Yes, a best practice would be to run daily as a non-admin user, and have one or more separate accounts that are administrators. It's a bit of a hassle, but then 'best practices' usually are...

I say that, even though I don't do this myself.
 