0
I have a Mac and I'm the only user of it. I have admin privileges and I just want to know what some of the things that could go wrong are.
So here are my questions:
What can go wrong if I use an account with admin privileges all the time?
Should I create another account just for the admin and then downgrade my current account and only use it?
Jacob
Posted 2012-01-18T21:40:50.350
Reputation: 127
1
Your user account does not have permanently "active" administration privileges.
All actions that require elevated privileges require you to enter your password. If you weren't an administrator, you'd need to enter an administrator's user name and password instead.
These actions include:
root privileges somewhere along the line (e.g. for driver installation)Without entering your own account's password, you can do nothing that requires elevated privileges.
What appears to be "automatic privileges", such as the ability to write to /Applications, is realized using group memberships. Your admin account is a member of the wheel and admin groups, and /Applications is group-writeable for members of the admin group. Very few locations in the system have privileges like these. Here, it's simply a convenience feature.
The difference between having one admin account, or a primary, regular account and a secondary admin account are basically the permissions you lose by missing out on some group memberships, and slightly more hassle with granting administrator privileges both in the GUI and on the command-line (sudo doesn't work anymore, as you're not a member of wheel).
Daniel Beck
Posted 2012-01-18T21:40:50.350
Reputation: 98 421
Ok this makes sense. I think I will just keep my one and only account as it can't really do any harm unless I do something really stupid. – Jacob – 2012-01-18T22:36:17.140
@Jake It's possible to engineer a problem, e.g. planting an application in /Applications without you noticing, and then expect you to grant it admin privileges when you start it to see what it is. Other than that, there's little difference. – Daniel Beck – 2012-01-18T22:44:10.387
@DavidBeck: But he asked about advantage and disadvantage. My answer covers his complex question and it's include speed and password, too. I don't try to just make it looks like a technical thing!!!! – Gigamegs – 2012-01-18T22:44:19.463
@)ake: I don't deserve you change your opinion. This answer is fud. – Gigamegs – 2012-01-18T22:45:18.167
@DanielBeck: Mine isn't wrong because I don't use Mac but Linux and if you can read I wrote ROOT folder. It seems like you Mac doesn't have it although it's a Unix/Linux thing. So what do you recommend now what he should do? – Gigamegs – 2012-01-18T22:53:44.397
@David The problem is that you answered a completely different question. Administrator on Mac OS X is about the equivalent to a sudoer on Linux that needs to enter his own password every time. It presents itself similar to Administrator on Windows with UAC activated. root account exists, of course, but that's not an option available via the OS X GUI. – Daniel Beck – 2012-01-18T22:56:28.103
0
If you are the only user then there isn't an advantage to use the admin user all the time over not using the admin user at all. However it's not very recommended to use it because programs you install will install into the root folder and programs you run will have elevated privilege but your system won't become slower and the program you start with the gui wouldn't have admin privilege. If you have 2 accounts then you need to memorize 2 passwords. This can be hard to memorize, as such I don't think you need another account but you can make the user account without a password and use the admin account only when it's necessary.
Gigamegs
Posted 2012-01-18T21:40:50.350
Reputation: 1 784
Most installers require you to enter the password anyway, and as administrator you can install regular applications (app bundles) to ~/Applications without problems. – Daniel Beck – 2012-01-18T22:08:23.610
@DanielBeck: When I mean install then all configurations file is in root folder. – Gigamegs – 2012-01-18T22:11:26.273
@David I don't see much harm in continuing with using the admin account. – Jacob – 2012-01-18T22:13:34.210
@David That's just plain wrong. All your programs' preferences are stored in your user profile, unless the program specifically needs to write them globally, and then you either need to give it elevated permissions every time it runs, or approve it to set setuid or setgid permissions. This approval is basically the same for both Administrator and User accounts. – Daniel Beck – 2012-01-18T22:19:10.520
1Programs are (with very few exceptions) executed with the privileges of the user you started them. They don't automatically have elevated privileges, neither through the user who installed them, nor the user who launched them. – Daniel Beck – 2012-01-18T22:53:00.200
@DanielBeck: This is FUD answer because I wrote a solution to the OP anwser. He can configure his user account to not having a password!!!!! This would solve his problem of having 2 password and always need to log into an admin account. Then he has also an admin account. I think it helps a lot when you READ what I write. – Gigamegs – 2012-01-19T02:12:40.100
Look up the definition of FUD. Its pretty much the opposite of clearly stating the facts. You're answer is simply wrong and I point this out. // Nothing I wrote in these comments mentions the two separate passwords. That's probably the only part of your answer that isn't wrong. – Daniel Beck – 2012-01-19T09:43:28.480
@DanielBeck: It's your personal view of right or wrong but I presented a solution when you just make a comment. Your already didn't read ROOT folder although you claim to have big expertise and know the difference between Linux and Mac. I appreciate your help but I hate you get votes for this. – Gigamegs – 2012-01-19T09:51:43.143
@DanielBeck: O.K. I didn't meant to hurt you and Linux isn't Mac and you show great patience but what about just use autologon or disable the password for the user account? Then he has 2 accounts and he would benefit from this whole user management thing? – Gigamegs – 2012-01-19T10:23:44.400
Then he doesn't have the (very few) additional permissions the group memberships grant. Authorising commands is still more work, similar to using SU instead of sudo. And it would help that much, since even an administrator doesn't have root permissions, he just can grant them himself. Similar to being a sudoer. You wouldn't advice others to not use an account authorised to sudo either, would you? Except for this ability, there's very little difference between the account types. It's different from e.g. Logging in as root (which is rather insane) in Linux. – Daniel Beck – 2012-01-19T10:36:00.673
@DanielBeck: My answer has this error about starting the programs and also I wrote an all or nothing question at the beginning. But my conclusion at the end is similar to your conclusion and I think he and you get the MEANING of my answer. Plus I presented a solution to just not use a password for the user account. My other argument was speed. For someone who use a computer it's important. About why Mac administrator doesn't have root rights I don't know. BTW. I don't log into Linux with root but I use a terminal with root all the time. – Gigamegs – 2012-01-19T10:47:12.840
As I said, it's like sudo. You don't have the permissions all the time, but if you need them, you get prompted for it (kind of like "this program requires root privileges to run") and grant them. – Daniel Beck – 2012-01-19T10:52:59.100
@DanielBeck: Or you can make the 2 accounts use the same password if you are alone. But I think I will delete this answer. Doesn't make any sense. – Gigamegs – 2012-01-19T11:31:22.770
2Malware makers have finally waken up to the fact that Macs are popular enough to be valid targets. Don't make their job easier. – Mark Ransom – 2012-01-18T21:44:11.217
@MarkRansom Could you point me to any evidence of that (both actual malware, and how having an Administrator account on OS X enables them? And I don't mean fake DivX installers where you need to enter your admin password to "install". A nine year old can do that. – Daniel Beck – 2012-01-18T23:01:04.913
@DanielBeck, sorry I don't have any direct evidence, I'm not a Mac user. I do know that recent contests to take over a machine have been won by someone attacking OS X. And surely there wouldn't be admin privileges if they weren't protecting something important, would there? – Mark Ransom – 2012-01-18T23:11:43.913
@MarkRansom There are (or were) remote exploits, e.g. weaknesses in Webkit and/or the image libraries, but they just get you onto the system with the current user's privileges, which, by default, aren't endangering the system. Regarding admin/user accounts, see my answer. It's largely the difference between entering your own password, or another user's, when prompted. If you're the only person using the machine, it doesn't make a difference. – Daniel Beck – 2012-01-18T23:22:05.083