Re: Apple recommending anti-virus software for Macs?



On 2008-12-07 17:27:06 -0600, Troubled Tony <nonexistent@xxxxxxxxxxx> said:

Lee Murphy <murman56@xxxxxxx> wrote:
Wes Groleau <groleau+news@xxxxxxxxxxxxx> said:

D.F. Manno wrote:
OK, I've seen or heard hundreds of times that it's a bad thing to run
as root, but I have yet to see anyone explain _why_. It seems to be
taken as self-evident.

I don't recall ever seeing that warning without seeing a rationale.
Usually in the same post, always in the same thread.

Wes is a bit of a know-it-all, don't let him bother ya.

I have read "twice" all of the above and I bet I am not the only one
that does not understand it all or even a part of it all.....
So call me dumb I am going to ask..

There are no 'dumb' questions. Almost, anyway.

1. how do I tell if I am "root"

We're really talking about running your daily login as an 'admin'
user, not a direct 'root' login. The reason the two are equated
is because when 'sudo' is used at the commandline (open a Terminal
in the Apps->Utils directory to get one), you are accessing the
root account. This is clearly shown with 'sudo id'.

You can tell whether you are an admin by pulling up SysPrefs->Accounts
and it will show there. Typing 'id' at a commandline will tell you too.
It will show a 'group' of 'admin' in the extended groups list.

2. do I need an anti virus program for my iMac (ver 10.5.5)

No, the Apple article was an attempt to say because people run
virtualizations with virus-prone windbloz OSes, get those
sandboxes the usual protections. It was just really vague
to not offend Microsoft by the particular person who wrote
it. But as the snarky comments on slashdot.org said: they
certainly didn't care about that in the ultra-cool Mac vs.
PeeCee ads. ;-)

3. sorry I have to ask but remember if there were none of us then there
would be no need for the smart one like.........y'all.

Mr. Jolly pointed out that Apple delivers their Darwin Unix (OS X)
with many important directory structures modifiable by any user
with group 'admin.' That's the 'run as root' discussion here.

To see that, pull up Finder, click on your boot drive, click on
the Applications directory (a directory that must be kept "secure").

Do a 'Get Info'. It shows that anyone with group 'admin' can
modify the directory.

Hmmm, it shows it in a cutesy manner. See at the bottom of the 'Get Info'
pane where there are icons of people's heads? One head represents the
main owner of the file. (In this case the file is also a directory.)

It calls the one head "system", but the real name is 'root'.

Two heads mean the group permission details. Any user with group 'admin'
may modify the file, in addition to the owner. Three heads means everyone
else's permission, AKA "world permissions."

The question of why one wants to delete the 'admin' group attribute
from your daily account splits into owner-users and company sysadmins,
both for "security purposes." As described above, an 'admin' account
can easily modify the system, and you don't want anyone getting into
your account or malware you somehow executed to so easily be able to
do its stuff simply by the permissions (group 'admin') of your daily
login account.

For sysadmins, we secure the users' desktops, because while the people
might be really smart at what they do, many will be "security hazards"
with their choices of downloads and executables. That's life.

For owner-desktop users, most of which are also "lusers", it will
help you protect you from yerself for the same reasons. For us
sysadmin owner-desktop admins, we would _never_ install malware
(hey! how did a haxie get on my box! o yeah, I...) and so we
do it in case somehow our Safari loses our "don't automatically
open 'safe' files after download" and we download a jpg that
triggers a rare file format virus, or generally speaking in
case it's through no fault of our own that something gets a
foot in the door. ;-)

Ask again if I only confused you further.

I think it was a poor decision by Apple to make so many system
files writable by group 'admin.'

I thank you. I am sure having to go over and over something for the slow one in the class gets to be a pill so when I say thank you I mean it......
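
Added example, not part of the original posts: the two checks described in the thread ('id' showing group 'admin', and 'Get Info' showing that group 'admin' may modify /Applications) combined into one command-line test. The function names, account names and the sample 'id' and 'ls -ld' lines are constructed for illustration.

```sh
#!/bin/sh
# Added example. Sample strings are constructed, not captured from a real Mac.

# in_group GROUP ID_OUTPUT: true if `id` output lists GROUP (exact name match,
# so '_lpadmin' does not count as 'admin').
in_group() {
    printf '%s\n' "$2" | sed -n 's/.*groups=\([^ ]*\).*/\1/p' | tr ',' '\n' \
        | sed 's/^[0-9]*(\(.*\))$/\1/' | grep -qxF "$1"
}

# group_can_modify GROUP LS_LINE: true if an `ls -ld` line shows the directory
# belongs to GROUP and has the group write bit set (6th character of the mode).
group_can_modify() {
    printf '%s\n' "$2" | awk -v g="$1" '{ exit !(substr($1,6,1)=="w" && $4==g) }'
}

# exposed GROUP ID_OUTPUT LS_LINE: true when the login is in GROUP *and* the
# directory is writable by GROUP, i.e. anything running as that login can
# change the directory's contents without asking for a password.
exposed() {
    in_group "$1" "$2" && group_can_modify "$1" "$3"
}

# Constructed samples: an admin login, a standard login, and two directories.
ID_ADMIN='uid=501(lee) gid=20(staff) groups=20(staff),98(_lpadmin),80(admin)'
ID_STD='uid=502(daily) gid=20(staff) groups=20(staff),98(_lpadmin)'
LS_APPS='drwxrwxr-x+ 40 root  admin  1360 Dec  7 17:00 /Applications'
LS_SYS='drwxr-xr-x   4 root  wheel   136 Dec  7 17:00 /System'

for who in "$ID_ADMIN" "$ID_STD"; do
    for dir in "$LS_APPS" "$LS_SYS"; do
        if exposed admin "$who" "$dir"; then verdict='writable'; else verdict='protected'; fi
        printf '%-14s %-14s %s\n' "${who%% *}" "${dir##* }" "$verdict"
    done
done

# On a real machine, feed it live data instead:
#   exposed admin "$(id)" "$(ls -ld /Applications)" && echo "login can modify /Applications"
```

Only the admin login paired with the group-writable directory reports 'writable'; the standard login is 'protected' against the same directory.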
