[darrick]

does switching from running as an admin user to a plain vanilla user screw up the permissions of one's files? i've been running as an admin and i want to switch to running as a plain vanilla user (for security, etc), but i'm afraid my files (i'm thinking of my wordperfect docs and pdf files) will then have permissions that block me from doing what i want to them.

is this just an ignorant fear? even if permissions end up restricting me, i could use BatChmod to fix it, right? what will happen to the permissions on my files when i switch?

i'm trying to prepare for my tiger installation. i expect to have two admin accounts (one as a spare) and two user accounts (one as a spare, one for daily use).

[Geobunny]

This sounds a wee bit over-cautious to me, I fail to see how it will increase security for you. Against that, I don't know your circumstances and you never asked us to comment on that anyway. Besides, this subject has been discussed over and over and I have no desire to rehash it.

As long as you're not creating a new account for yourself, you should still be able to access all your files. In order to do this though, you would need to log in to a second admin account, open the Accounts pane in Sys Prefs, choose your regular user, click the "security" tab and then deselect the box "allow user to administer this computer".

If you do end up having problems, then yes, BatCHmod will be able to help as long as you still keep at least one admin user on the computer.

[Millennium]

Originally posted by darrick:
does switching from running as an admin user to a plain vanilla user screw up the permissions of one's files? i've been running as an admin and i want to switch to running as a plain vanilla user (for security, etc), but i'm afraid my files (i'm thinking of my wordperfect docs and pdf files) will then have permissions that block me from doing what i want to them.

I recently did this myself, and I haven't had any issues. As long as you keep the same user ID, there shouldn't be any trouble. Apple's method of going between normal and Administrator-class users doesn't change your user ID, so that's fine.

what will happen to the permissions on my files when i switch?

Nothing. All that changing from an admin user to a normal user does is change the groups that you're in. It doesn't change the permissions on any files.

This means that if you didn't directly had permissions on a file, but a group that you were in did and you're not in that group anymore, then you won't be able to work with that file anymore. This isn't a common situation on most machines, but it does pop up in the case of two folders: /Applications and /Library. You won't be able to add or delete files in these directories anymore, though the "permission denied" dialog box will give you a chance to enter in an Admin name/password. If you do, then it will add or delete the file normally. Other than that, you're not likely to see much disruption in the way you work.

i'm trying to prepare for my tiger installation. i expect to have two admin accounts (one as a spare) and two user accounts (one as a spare, one for daily use).

You likely won't need the spare accounts, especially not the spare admin account. I would recommend doing without these.

[darrick]

thanks for the responses. really appreciate it.

i am surprised that the spare accounts are not encouraged. i have been seeing advice dictating their use in many places -- for troubleshooting, salvaging a fraked user or system.

again, thanks for the thoughtful responses.

[Will V.]

In the Linux and UNIX world, regular user accounts are virtually mandatory, and you would only switch to a root account when you need to do something only a root can do. This prevents one from running code that would do damage to the system- accidentally or otherwise.

Also, consider this... "rm -rf /" will destroy a system, when run as a root account, but not when run as a regular user.

[CharlesS]

Originally posted by Geobunny:
This sounds a wee bit over-cautious to me, I fail to see how it will increase security for you.

Oh, there are a few reasons.

Originally posted by Will V.:
Also, consider this... "rm -rf /" will destroy a system, when run as a root account, but not when run as a regular user.

When run as a regular user, that command will not destroy the whole system, but it will still destroy all your files that you have write access to...

[eyadams]

i am surprised that the spare accounts are not encouraged. i have been seeing advice dictating their use in many places -- for troubleshooting, salvaging a fraked user or system.

Generally the advice is to create such accounts, if things get screwed up and you need to test whether the problem is the machine, OS, or user. On my rig we have one Admin account, which is only used to install software and updates. The four people who use my machine regularly each have a personal, non-admin account. And there's a severely restricted "guest" account, for when my brother in law comes over.

[Will V.]

Originally posted by CharlesS:

When run as a regular user, that command will not destroy the whole system, but it will still destroy all your files that you have write access to...

Absolutely, which is why that command is not really one that should ever be run. And, it's all the more reason to actually use the computer as a regular user, not a root user.

[CharlesS]

Originally posted by eyadams:
Generally the advice is to create such accounts, if things get screwed up and you need to test whether the problem is the machine, OS, or user. On my rig we have one Admin account, which is only used to install software and updates. The four people who use my machine regularly each have a personal, non-admin account. And there's a severely restricted "guest" account, for when my brother in law comes over.

In such cases, it's easy enough just to create a new user at the time you need it.

Unless you're running as root and modding the user template in /System, I don't really see the need for spare regular users.

[Millennium]

Oh; I almost forgot. There is one more impact that dropping to a regular user may have on you, if you're in the habit of using the Terminal: you can't use sudo from a regular account. This said, it's easy enough to su to the Administrator account and then use sudo from there. It means typing in the Administrator password twice, but it gets the job done.

[m.brown]

Originally posted by Millennium:
[B]I recently did this myself, and I haven't had any issues. As long as you keep the same user ID, there shouldn't be any trouble. Apple's method of going between normal and Administrator-class users doesn't change your user ID, so that's fine.

Nothing. All that changing from an admin user to a normal user does is change the groups that you're in. It doesn't change the permissions on any files.

<snip>

How do you change an Admin account to a "standard" account?

[Geobunny]

Originally posted by m.brown:
How do you change an Admin account to a "standard" account?

The second paragraph of the second response in this thread describes the process.

[m.brown]

Originally posted by Geobunny:
The second paragraph of the second response in this thread describes the process.

Doh! Thanks