Re: auto-login multiple accounts
- From: Jolly Roger <jollyroger@xxxxxxxxx>
- Date: Sat, 29 Nov 2008 16:54:59 -0600
In article <1ir6bx0.8xnthcrr0mgsN%mikePOST@xxxxxxxxxxxxxxxxxxxxx>,
mikePOST@xxxxxxxxxxxxxxxxxxxxx (Mike Rosenberg) wrote:
> ZnU <znu@xxxxxxxxxxxx> wrote:
> > I don't see why not. That's the default configuration of the system. It
> > wouldn't be if Apple thought it was a bad idea.
> Here we go again! If you go out of your way to look on the Apple support
> site, you can find a document for system administrators, and in there
> Apple recommends having users use only non-admin accounts. JR has found
> and read said document and preaches it as gospel.
Well that's almost true. Actually, I advised this long before I ever
noticed Apple advised it to system administrators. The fact that Apple
advises it to system administrators just bolsters my opinion.
The initial user account Mac OS X creates during installation is indeed
an administrator account, because after all, you do need to have an
administrative account on the machine. A lot of Mac users probably don't
realize it, but you can accomplish all administrative tasks from a
non-administrative account in Mac OS X. Mac OS X prompts normal users
for the username and password of an administrator when you attempt to do
something that requires escalated privileges. So while you do need to
*have* an administrator account, there's really not much of a reason to
log in as administrator for day-to-day use.
Why is it a good idea to avoid logging directly into your administrator
account in Mac OS X? Well, besides the fact that you can do most any
administrative task from a non-administrative account, there are
security reasons. Anyone with significant experience administering a
Unix-like operating system will tell you it's always a good idea to run
with as few escalated privileges as possible, because (a) it reduces the
*chances* of privilege escalation accidents, and (b) it reduces the
*impact* of privilege escalation accidents that do occur.
Could you use an administrative account daily without adverse effects?
Sure - you might even do it for months or years without incident. It's
the one time it matters that I advise Mac users to be concerned about.
For instance, I can't tell you how many times I've seen Mac users ask
for help because they accidentally deleted some file on their system
they might not have deleted so easily had they not been logged into an
administrative account.
The thing to keep in mind is this: when you are logged in as
administrator, everything you do and every program you run (directly or
indirectly, purposefully or inadvertently) is executed with
administrative privileges - meaning it automatically has access to more
parts of the system than normal users. So if you make a mistake while
changing, moving, or deleting system files, or worse, if you unknowingly
run a trojan / worm in your administrative account, you can damage and
alter critical system files with little or no acknowledgment from the
system.
Remember that lots of files and folders in Mac OS X are owned by the
"admin" group, of which every administrative account is a member. The
"Applications" folder is one example of such a folder. When you are
logged in as a normal user, Mac OS X will not allow you to modify such
parts of the system without first entering the user name and password of
an administrative account. This is an additional layer of security you
won't have if you are running as administrator. In contrast, when you
are logged in as administrator, Mac OS X allows you to change, move, and
delete such files and folders without question.
IMO, the secure thing to do is to create an account just for
administration, then remove administrator privileges from your
day-to-day account.
BTW, I think the reason Apple doesn't give this advice to all Mac users
is probably because the long explanation needed to convey the reasons
for it and how to do it would probably not be very well received. Most
users don't know enough about security issues to understand, and
frankly, most just don't want to be bothered. Apple probably could
automate the creation of an initial administrative account and a
non-administrative account, but if users aren't properly educated about
the issues involved, there's no guarantee they would actually use them
properly. It's more involved than just offering a one-liner of advice in
a user's guide. ; )
--
Send responses to the relevant news group rather than email to me.
E-mail sent to this address may be devoured by my very hungry SPAM
filter. Due to Google's refusal to prevent spammers from posting
messages through their servers, I often ignore posts from Google
Groups. Use a real news client if you want me to see your posts.
JR
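The check the post describes, as an added example that is not part of the original post: it reports whether an account belongs to the "admin" group and which listed paths that membership lets it modify. The `ls -ld` lines and account names are constructed sample data, and the `--live` mode assumes it is run on the Mac OS X machine being audited.

```shell
#!/bin/sh
# Added example: what does "admin" group membership expose? Sample data is constructed.

# in_admin_group "GROUP LIST": succeed if the space-separated list
# (the format `id -Gn` prints) contains the group "admin".
in_admin_group() {
    for g in $1; do
        [ "$g" = "admin" ] && return 0
    done
    return 1
}

# admin_writable: read `ls -ld` lines on stdin; print each path whose group
# is "admin" and whose group-write bit (6th character of the mode) is set.
admin_writable() {
    awk '$4 == "admin" && substr($1, 6, 1) == "w" {
        p = $9; for (i = 10; i <= NF; i++) p = p " " $i   # keep spaces in names
        print p
    }'
}

# audit USER "GROUP LIST" < ls-lines: verdict line, then the exposed paths.
audit() {
    paths=$(admin_writable)
    if in_admin_group "$2"; then
        echo "$1: admin account; can modify these paths without being asked:"
        echo "$paths"
    else
        echo "$1: standard account; admin-owned paths need an administrator's password"
    fi
}

# Constructed `ls -ld` output for three top-level folders.
sample_ls() {
    cat <<'EOF'
drwxrwxr-x  42 root  admin  1428 Nov 29 16:00 /Applications
drwxr-xr-x  58 root  wheel  1972 Nov 29 16:00 /System
drwxr-xr-x   5 root  admin   170 Nov 29 16:00 /Users
EOF
}

if [ "${1:-}" = "--live" ]; then
    # On the Mac itself: audit the current account against /Applications.
    ls -ld /Applications | audit "$(id -un)" "$(id -Gn)"
else
    sample_ls | audit dailyuser "staff admin"
fi
```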