Re: Running as Administrator (was Re: Need help w/BootX icon)

In article <110520081009406204%its@xxxxxxx>, Bleuler <its@xxxxxxx>
wrote:

I'm not sure what you mean by "running as administrator" or why
that would be bad idea. Who else could be administrator? I'm the only
one who uses this computer.

The initial user account Mac OS X creates during installation is an
administrator account. But running with higher privileges than needed is
never a good idea. When you are logged in as administrator, everything
you do, every program you run (directly or indirectly, purposefully or
inadvertently) is executed with administrative privileges with access to
more parts of the system than normal users. So if you make a mistake, or
worse, if you unknowingly run a trojan / worm in that account, you can
damage and alter critical system files with little or no acknowledgment
from the system. Remember that some files in Mac OS X are owned by the
"admin" group, of which the administrator account is a member. The
Applications folder is just one example of such a folder. When you are
logged in as administrator, Mac OS X allows you to modify these files at
will.

Mac OS X is designed such that you can accomplish all administrative
tasks from a non-administrative account simply by entering the username
and password of an administrator when prompted. So while you do need to
*have* an administrator account, there's really not much of a reason to
run as administrator for day-to-day use.

The secure thing to do is to create an account just for administration,
then remove administrator privileges from your day-to-day account.
Here's how to do it:

First, open and unlock the System Preferences > Accounts panel.

1. Open System Preferences.
2. Click Accounts.
3. Click the lock icon to unlock the panel (if needed).

Next, create a new administrator account:

1. Click the [+] button. A new user account *** appears.
2. If you are running Mac OS X 10.5 or later, from the New Account menu
at the top, choose Administrator.
3. In the Name text box, enter a name, such as "Administrator" (without
quotes). There is nothing special about this name. Just pick something
you can remember.
4. In the Short Name text box, enter a short name, such as "admin"
(without quotes). There is nothing special about this name. Just pick
something you can remember.
5. In the Password text box, enter a secure password. If you need help
creating a secure password, click the little key icon to the right of
this text box, and an assistant will help you come up with a secure
password. Personally, I prefer to use a phrase as my password. I try to
pick phrases that contain one or two numbers or special characters, and
use spaces and punctuation. The goal is to pick a password phrase that
you will easily remember, and easy to type, but will be difficult to
guess.
6. In the Verify text box re-enter the secure password.
7. If you are running Mac OS X 10.4 or earlier, check the "Allow user to
administer this computer" checkbox.
8. Click Create Account.

Next, remove administrator abilities from your normal user account:

1. Open System Preferences.
2. Click Accounts.
3. Click the lock icon to unlock the panel (if needed).
4. From the account list on the left side of the Accounts panel,
highlight your normal user account name.
5. Clear the "Allow user to administer this computer" checkbox.
6. Log out for the changes to take effect.

That's it. Now whenever you are asked for an administrator account's
credentials, you can enter the administrator user name and associated
secure password.

--
Please send all responses to the relevant news group. E-mail sent to
this address may be devoured by my very hungry SPAM filter. I do not
read posts from Google Groups. Use a real news reader if you want me to
see your posts.

JR
.