PDA

View Full Version : Should I be using the admin account?



snark
24th April 2007, 06:39 PM
I've been following the recent news about OS X security vulnerabilities linked to Quicktime/Java, and it made me wonder what account I should be using for day to day use - eg. web browsing, iTunes, mail, some video editing, some photo work, etc. I don't take security for granted, but I'm less concerned about it on OS X than if I was on a Windows machine. This may be somewhat naive....

I'm currently logged is as an Admin - the account I created when I first powered up my mini two years ago. But presumably, if someone were to get control of my 'puter via a malicious web site, they would then get the same (admin) access, right?

So how would I go about downgrading my account to a normal user? Is it worth it, and what are risks or hassles in doing so? Would I be locked out of any of my documents or iPhoto libraries? Are there different types of "normal" user accounts to consider?

I await the collective wisdom of the MacTalkers....

decryption
24th April 2007, 06:41 PM
I use the admin account :p
I don't know if it's a "bad thing" or not, but I've been using a Mac for almost 4 years now and my Mac hasn't imploded yet! That said, I did the same thing on Windows for many years and didn't have any issues either.

hawker
24th April 2007, 06:50 PM
I'd be more worried if someone got access to your root account (if you set it up)... Using your admin access is fine, just watch who uses your computer though.

zbaron
24th April 2007, 06:57 PM
I use a non-admin account. If something that needs admin access, I just type the name of the admin account and password.

In the past, there have been cases of directories like /Library/StartupItems that have been created such that anyone in the admin group could write to it without prompting. This has now been fixed and was caused by installers not setting the correct umask when installing, but it could have been exploited to have something run with root privalages on next reboot.

feeze
24th April 2007, 06:59 PM
I myself use a standard account. I do it as I think it's an extra layer of security (which can never go astray).

Although that said, all the data *I* care the most about are all in my account anyway, so if someone hijacks my account, they can still do quite a lot of damage. Also standard users can still install apps within their own home folder (including malicious apps)

If you do decide to downgrade your account (but still keep the same username), I would recommend backing up all your data and doing an OS re-install and create the accounts at install. If you just go and create a new admin account and then downgrade your current account you will run into permission issues. :)

snark
24th April 2007, 07:34 PM
So installing apps is almost as easy when you're using a non-admin account, as it is if you're using an admin account? You just have to authenticate?

feeze - thanks for the feedback about downgrading. That is exactly the sort of problem I want to avoid, should I decide to proceed.

hawker - I don't think I set one up, but what would a root account look like?

decryption - just because you haven't had any problems yet doesn't mean you can't get owned by the next 0 day exploit...

jubilantjeremy
24th April 2007, 07:55 PM
When I started up with my mac, a (beardy) bloke I knew at the time told me to set up another admin account, and change my own to 'non admin' priveledges.. If you're a mac noob (like me) it also helped prevent doing stupid things - like accidentally dragging system folders around..

It makes no difference, except that you are constantly asked to authenticate when changing system prefs and installing apps. Did this for awhile but it got annoying, so now I just have my account (which is an administrator) and a guest account. Works fine for me.. I guess it depends on what kind of stuff you use your mac for (web, email, CS), and who has access to it (only my immedate family).

I think there's some terminal trick to enable the root user. I don't think you want to do that though. Hey, you can always create another admin account, then change your own to non-admin priveleges and see how it goes..

Oh, and a windows guest account is not the same as a mac guest account. On a guest account on mac, you're asked to authenticate with an admin account whenever you want to do something funky. On windows, you're just told you can't and that's it.

- Jeremy