[Felix]

Hi

I am practically the sole user of my computer. I have one admin-account.

Is there a reason that I sould set up another user-account for myself? I am not quite familiar with UNIX and wonder if it would give protection or whatsoever to work logged in as a user.

If yes, what would be the best way to make every data accessible both being a user and admin?

Kind regards,

Felix

[OreoCookie]

You should not work as an admin user every day. Apple has made it easy to have access to all System Prefs even when you are logged in as a non-admin user. The danger is that an admin user has access to all system files, so one your admin user has been cracked, he has effectively taken over your whole system.

If the same thing happens with a regular user, only that user's files are affected.

BTW, this has nothing to do with Unix, but applies to Windows as well.

[MacosNerd]

I don't know too many people in the OSX world or their home PC that isn't running as an admin. Oreo is right, but since you're the sole user and if you know your way around the computer the danger isn't that great.

Of course I'm a system administrator so I'm used to having administrator rights.

[Gee4orce]

This isn't entirely accurate, because even when running as an Admin user you will be asked for your password if an application wants to access or write to protected areas of the system (this usually happens when running an installer). In effect, the system is asking you to give the application temporary root access (sudo).

On the other hand, if you work as a non-admin most of the time it's likely that you'll run up against things that you flat-out can't do (especially in the system preferences). This is because non-admin's can't sudo. Personally, I'd find this a major pain in the butt !

So, I've run as admin since day #1 of using Mac OS X over 5 years ago, and never had a problem.

[JonoMarshall]

Everyone I know runs as an admin, ah well.

[Big Mac]

I stopped running as an admin when I realized the security implications. I don't mind logging into the admin account when I need to do something that requires it.

[Simon]

I need to be able to do sudo. So I run as admin. Never ever had a problem.

[Big Mac]

Well, if you're talking about sudo from the Terminal, you do know you can login to your admin from a non-admin and run sudo that way, right?

[OreoCookie]

Originally Posted by Simon 

I need to be able to do sudo. So I run as admin. Never ever had a problem.

su [admin]
Password: %%%%%%
sudo -s
Password: %%%%%%

That's how I've been doing it for years.

[wr11]

I'll put my 2¢ in here too.

Running as a normal user is the way to go — a normal Admin user. Limited accounts will cause more trouble than good. Sure, you can potentially delete all the files on your system, but it's only your personal files that really matter. Admin or not your own personal, user-level, files are always at risk.

You still have to enter passwords for privilege escalation when you are an Admin. If you always run as a limited user you still have to login as an Admin if you want to do anything that could still potentially be risky.

[Simon]

Of course first becoming an admin and then doing sudo will work. But I won't put up with the extra effort if I'm not gaining anything. As I said, I have never had any problems running OS X as admin. As long as you know what you're doing, what you're downloading, and what you're installing there should be no problem. Just my 2¢.

[jmiddel]

Have been running as admin since the days of 10.1 and never had any problem or regrets. I also am the sole user.

[AKcrab]

Lots of paranoia in here.

[Curiosity]

I do most of my activities from my standard account, and run as admin only when I absolutely have to. Where I have a choice, I install software in the standard account. If something running from there suddenly asks for admin login, it serves as a warning that something unusual is happening.

[analogika]

Originally Posted by Felix 

Hi

I am practically the sole user of my computer. I have one admin-account.

Is there a reason that I sould set up another user-account for myself? I am not quite familiar with UNIX and wonder if it would give protection or whatsoever to work logged in as a user.

So, in a nutshell:

Yes, if you're overly paranoid.

The way Apple sets up the default strikes a good balance between minimal annoyance and minimal risk, though, so if you need to ask, you should probably just stick to the standard set-up.

I do.

My 2¢ (Euro).

[Felix]

So, no one can not really report a situation which had him/her wish (s)he would have used a user account instead of admin?

In the bginning I set up two accounts. Being a first time Mac OS X user I felt then annoyed that I would have to configure access to the relevant private-folders if I wanted to be able to do the same being a admin or user. Further, I sort of had problems setting up an iPhoto library in the "all users"-folder in order to establish one shared library.

So I leave it to the more convenient alternative of being a admin.

Thanks,

Felix

[MacosNerd]

As I mentioned, I never had a problem running as an administrator, and why make more work for me. Why should I create a user account, use that, and then if the need arises log off, then into the admin account do the task, log off, and log back in as the user account.

Even if I use fast user switching, its still a pain. Makes no sense, as others have stated, you will be prompted on installs so the true security risk isn't as large as people are making it out as.

[jmiddel]

A clarification from a user running as admin: not only am I sole user;

1) I never ever open any download from an email. Only from trusted sites, directly accessed from the browser such as versiontracker or the developer's site.
2) I am behind a router and OS X's firewall.
3) As others have said, when asked for a password, always look twice, just to make sure.

Maybe too much paranoia

[besson3c]

Felix:

I think people here are making the issue more complicated than it actually is. Since you are experienced with Unix, here is the basic gist...

Admin users are a part of the wheel group, which means they can sudo. That is it. There is nothing bad that is going to happen to your system as an admin without prompting you for your password. If you think about what you are doing all of the time, you'll be fine. If you are not confident, you probably shouldn't. With your Unix experience I'm sure you'll be fine.

[twoodcc]

well i've always logged in as Admin.

[pmenair]

***

[rhymer]

The consensus here seems to be that using a non-administrative account for your main work account is either pointless or unnecessarily paranoid.

Unfortunately, the "pointless" (see besson3c, above) position is simply wrong, and I say this as someone who used to subscribe to it. An admin account gives the user more than just membership in sudoers - it gives you privileges in places where a non-admin user does not. The consequence of this is that there are exploits that work from an admin account, without sudo, ie. *without needing your password*, that do not work from a non-admin account. Look at rixstep.com for more details.

That said, no one seems to be experiencing these exploits in the wild, so it arguably makes sense to balance the (minor) inconvenience of using a non-admin account against the (currently more or less non-existent) threat of your machine being compromised. Just understand that you are allowing a vulnerability to exist.

[rhymer]

To clarify above - by "privileges" I do not mean superuser privileges, I mean ordinary read/write/execute privileges.

[besson3c]

Originally Posted by rhymer 

Unfortunately, the "pointless" (see besson3c, above) position is simply wrong, and I say this as someone who used to subscribe to it. An admin account gives the user more than just membership in sudoers - it gives you privileges in places where a non-admin user does not. The consequence of this is that there are exploits that work from an admin account, without sudo, ie. *without needing your password*, that do not work from a non-admin account. Look at rixstep.com for more details.

I'm pretty sure you have misunderstood something.

An admin user gets added to the wheel group, which is required to use sudo. The OS X GUI password prompt is simply a GUI frontend to sudo. Every file on the system is assigned permissions. If you don't have access to read/write/execute these files, you need escalated privileges. OS X will attempt a sudo in some of these circumstances at the discretion of the developer of the tool you are using, and sudo does hold sessions open so that if you do another sudo command immediately following the last you don't have to reauthenticate.

However, if you do not have access to files, you do not have access to files. There is absolutely no way to get around that. As long as permissions are properly set across your system, you cannot read/write/execute files you don't have access to without becoming root, period.

[besson3c]

Speaking of which, here is another request for a future OS feature:

Apple, please set proper permissions on home directories. Move Public and Drop Box out of user home directories if you must, allow certain pseudo users required by various services in (e.g. "apache") but do *not* set the contents of home directories to be readable. How is OS X supposed to be used in a secure environment where you deal with sensitive files and share the machine with other users? This is just f-ing retarded.

[mdc]

My account is an admin account and has been since I started with OS X.
My wife's account is a standard user since I don't want her accidentally doing things that she shouldn't be.

[rhymer]

...I think that you are misunderstanding.

There are files that admin users can modify and non-admin users cannot. Without sudo. This allows exploits. See, e.g., The Hackers Handbook - Foreword — Developers Workshop.

More prosaically, while you are sudoing away in your admin account, there are trojans (again, as proof of concept only, not in the wild) that sit in your account and wait for you to sudo, at which point they piggyback on the default five minute sudo period to do malicious things. Limiting your use of an admin account limits your access to this type of exploit as well.

I used to think that admin users cannot do anything that makes your system vulnerable without entering a password to allow that specific thing. Conceptually, that's the way things are _supposed_ to work. Apparently, though, it isn't true.

[rhymer]

See also...

New MacOS X trojan/virus alert - Ambrosia Software Web Board

[rhymer]

...which depends on the admin user's ability (without sudo) to modify the contents of the /Applications folder.

[besson3c]

Originally Posted by rhymer 

...I think that you are misunderstanding.

There are files that admin users can modify and non-admin users cannot. Without sudo. This allows exploits. See, e.g., The Hackers Handbook - Foreword — Developers Workshop.

More prosaically, while you are sudoing away in your admin account, there are trojans (again, as proof of concept only, not in the wild) that sit in your account and wait for you to sudo, at which point they piggyback on the default five minute sudo period to do malicious things. Limiting your use of an admin account limits your access to this type of exploit as well.

I used to think that admin users cannot do anything that makes your system vulnerable without entering a password to allow that specific thing. Conceptually, that's the way things are _supposed_ to work. Apparently, though, it isn't true.

Where in your article does it say that there are files that admins can modify without sudo?

I never said that it was impossible to piggyback upon the five minute sudo period, but these trojans still can't get in without a sudo, no?

[besson3c]

Originally Posted by rhymer 

See also...

New MacOS X trojan/virus alert - Ambrosia Software Web Board

I don't see what the big deal is... Using this InputManager hook you can install a trojan that will run without you knowing about it without you having to be an admin... fine. So what? All it can do is affect the files in your home directory. How is this different than running a terminal script that does a rm -rf ~/ ? We've always been able to write all sorts of nasty programs that will blow up your user space.

The whole point is, if you want to affect files you don't have privileges to modify, you need root access, period.

From this article:

--It has thus effectively injected its code in the host application, but it can only do so for applications that the user has write access to--

[rhymer]

"The /Library/Receipts folder on OS X is marked root:admin 0775. That means that both the root account and the admin accounts can modify its contents. That means that anything in /Library/Receipts you don't like can be removed and replaced with something you do like.

The contents of /Library/Receipts is used by the Disk Utility backend diskutil to 'repair permissions'. DU runs its own SUID root agent DiskManagementTool to set them 'correctly'.

But the contents of /Library/Receipts can be modified by any admin user - or program running on behalf of an admin user. And most OS X users are admin users. And once /Library/Receipts is modified it's game over, lights out, and the last person to leave Cupertino please pull the plug."

That's rixstep's attack. The oompa loompa attack (the second article) depends on the more obvious fact that admin users can modify the files in the /Applications folder without enabling superuser privileges.

Re your point about sudo piggybacking, I think it makes a difference which user you are when you sudo, but I may be wrong about that.

[besson3c]

The bottom line is this: the person maintaining any given computer needs to be an admin, or else there are many things you won't be able to do (e.g. install various apps, change network settings, edit accounts, etc.). If you don't need to do any of those things and are afraid that you might accidentally authenticate to do something you shouldn't, don't set yourself as an admin. If you are comfortable using your computer, there is no need to be paranoid. You'll *always* get your password prompt, there is no way to affect files outside of your user space/home directory without elevated privileges.

[rhymer]

besson3c:

It infects applications, something that it could not do without admin privileges. *This does not require a password if you are admin*. This also takes you out of user space, when other users run the application.

The rixstep exploit can install a rootkit.

[besson3c]

Originally Posted by rhymer 

"The /Library/Receipts folder on OS X is marked root:admin 0775. That means that both the root account and the admin accounts can modify its contents. That means that anything in /Library/Receipts you don't like can be removed and replaced with something you do like.

The contents of /Library/Receipts is used by the Disk Utility backend diskutil to 'repair permissions'. DU runs its own SUID root agent DiskManagementTool to set them 'correctly'.

But the contents of /Library/Receipts can be modified by any admin user - or program running on behalf of an admin user. And most OS X users are admin users. And once /Library/Receipts is modified it's game over, lights out, and the last person to leave Cupertino please pull the plug."

That's rixstep's attack. The oompa loompa attack (the second article) depends on the more obvious fact that admin users can modify the files in the /Applications folder without enabling superuser privileges.

Re your point about sudo piggybacking, I think it makes a difference which user you are when you sudo, but I may be wrong about that.

This does not state that non-admin users can edit /Library/Receipts, but simply that admin users can edit this directory without needing root. The files in /Library are user space files, but for all users on the computer. Admin users need to be able to modify things for all users on the computer. If admin users can write to /System/Library without root, this would be a problem.

[besson3c]

Originally Posted by rhymer 

besson3c:

It infects applications, something that it could not do without admin privileges. *This does not require a password if you are admin*. This also takes you out of user space, when other users run the application.

The rixstep exploit can install a rootkit.

The vulnerability can only affect files the person running the application has access to. A non-admin can only install applications to their own home directory anyway. The fact that other users can read and run stuff out of your home directory is exactly the Apple bug I was alluding to earlier in this post, but this requires that the app be installed in the user's home directory (and not in a subfolder such as "Desktop", "Movies", etc.), and this requires other users making a conscious decision to rummage around home directories that don't belong to them.

Like I said before, you don't need a vulnerability such as this to destroy files that belong to you. The only reason this vulnerability is a big deal is because it makes it easy to conceal the fact that this thing is running malicious code that will affect your personal files.

Whether you are downloading a file, opening an email, whatever, there is *always* ways to trick people into destroying their personal files. Whether you are an admin or non-admin doesn't change this.

[rhymer]

besson3c:

Yes, and the /Library/Receipts contents are used to repair permissions using disk utility, so modifying them enables you to change permissions in other places. He claims to be able to install a rootkit as a consequence. Do you have some reason to doubt him?

The bottom line is that you're wrong. Using an admin account as your primary account creates vulnerabilities, and there is no reason why you "need" to do this, other than convenience.

[rhymer]

Again, oompa loompa changes things in the /Applications folder, which can then affect other users.

[besson3c]

Originally Posted by rhymer 

besson3c:

Yes, and the /Library/Receipts contents are used to repair permissions using disk utility, so modifying them enables you to change permissions in other places. He claims to be able to install a rootkit as a consequence. Do you have some reason to doubt him?

No, this much is true, but the repair permissions script can only be executed by an admin, and takes a conscious effort to run. If you were concerned about this exploit, wouldn't a better solution be to not run this script?

The bottom line is that you're wrong. Using an admin account as your primary account creates vulnerabilities, and there is no reason why you "need" to do this, other than convenience.

Of course it does, but these vulnerabilities are not set into motion without your consent (in this case, making the decision to run an administrative task as an administrator). In theory, while it would certainly be understandable for somebody to run the repair permissions script without thinking twice about the risk, in theory you should always know what an administrative script you are running can do to your system. It is a shame that many Mac users do these sorts of tasks (prior to repairing permissions it was zapping the PRAM) to solve problems that repairing permissions will not affect in the slightest (e.g. "my computer is running slow", "my screensaver is not coming on", etc.

Being an administrator does require responsibilities, yes, there are always risks, ways to be tricked into entering your password thinking you are doing one thing when you actually aren't (you could just as easily mess up your system by entering your password as prompted by an application installer). However, admin access is required for full operation of your computer. If you want absolute protection, you might as well not use a computer at all.

[besson3c]

Regarding the receipts exploit, why doesn't Apple just get its application installer (which , I'm assuming, is the only installer to create receipts) to do a chown or chmod of their receipts after installation? This would prevent the receipts from being altered without root.

[rhymer]

besson3c:

You are wrong. Both of these linked articles describe exploits that (a) depend on the malicious code being run by an admin user, (b) do not require that user to authenticate or otherwise gain superuser privileges, and (c) affect users other than just the admin user. You aren't seeing this for some reason, and I can't make you see it, so I give up. Feel free to declare victory.

[besson3c]

Another way around this bug is to add a command to your cron.daily jobs to alter the permissions on /Library/Receipts/* (but not the parent folder) to prevent admins from altering files currently in this folder...

[besson3c]

Originally Posted by rhymer 

besson3c:

You are wrong. Both of these linked articles describe exploits that (a) depend on the malicious code being run by an admin user, (b) do not require that user to authenticate or otherwise gain superuser privileges, and (c) affect users other than just the admin user. You aren't seeing this for some reason, and I can't make you see it, so I give up. Feel free to declare victory.

I'd be happy to award you with a semantic victory if the object here is to "win". I don't really care who the victor is.

What I was saying (or meant to say, if I wasn't clear) was that you cannot read/write/execute files you don't have access to on a Unix system. This vulnerability doesn't disprove this fact.

What it does address is the idea that running as an admin user is without risk. Then again, running as any user carries a risk, obviously there is no such thing as absolute security. I tried to explain why I feel that the risk outlined here does not justify avoiding admin access, since admin access is required for full administrative computer operation. This exploit cannot be spread outside of your home directory automatically, it requires an administrator to be tricked into doing something.

Generally speaking, I think it's better to learn about your own system and securing it rather than sheltering yourself at all costs, even if this means crippling your own usage. Some layers of protection are a good thing, but this is sort of like avoiding taking your car on the highway.

[Chuckit]

Originally Posted by besson3c 

I tried to explain why I feel that the risk outlined here does not justify avoiding admin access, since admin access is required for full administrative computer operation.

There's a difference between avoiding admin access and only acquiring admin privileges when they're needed.

[0157988944]

Log in as Admin. Never had anything happen.

[besson3c]

Originally Posted by Chuckit 

There's a difference between avoiding admin access and only acquiring admin privileges when they're needed.

So what are you proposing people do? Switch to an admin user whenever they access? Run apps via a: sudo open /path/to/Application in the terminal?

[Chuckit]

In general, tasks requiring admin rights will request admin rights when you try to do them. What problems are you running into?

[Big Mac]

Originally Posted by besson3c 

Generally speaking, I think it's better to learn about your own system and securing it rather than sheltering yourself at all costs, even if this means crippling your own usage. Some layers of protection are a good thing, but this is sort of like avoiding taking your car on the highway.

I stopped being admin sometime during Panther due to security issues Apple corrected with Tiger. I realized that it really doesn't make sense to be admin all the time. Sure, the risk is small because OS X is very secure (and getting even more secure with Leopard), but why increase the risk unnecessarily for very little reward? I rarely have to login to my admin account to do things I can't otherwise do with my regular user. Sometimes a crappy installer refuses to run without being run from an admin account, but those cases are very rare. I realize it's an embellishment, but what you're advocating sounds a bit like the rationale given by people who always run as root.

[Simon]

Originally Posted by Big Mac 

...but what you're advocating sounds a bit like the rationale given by people who always run as root.

I think that's unfair. Always running as root implies you can make all the changes you want to every location on your local FS and you're never warned/prompted/etc. Running from an admin account doesn't equate to that. You still have to give your consent to writes to protected areas. You are still warned when the installer suddenly wants to do a sudo. Always running as root is definitely not the same thing as running from an admin account.

The bottom line is that you can run as admin w/o any problems. You can also chose to run as non-admin in order to stay clear of a theoretical scenario (again, no exploits in the wild!) in which you could assist in compromising your machine. In the end it's a tradeoff between absolute comfort and absolute safety. Since I don't believe in the latter, I'll gladly take the former. My 2¢.

[besson3c]

Originally Posted by Chuckit 

In general, tasks requiring admin rights will request admin rights when you try to do them. What problems are you running into?

I don't understand where this question is coming from. Have you been reading this thread?