
Welcome to IWETHEY!

A Mac security question on Ashton’s behalf
Ashton may be offline for a few days as he sets up a unit to replace an iMac he believes to have been compromised—it is difficult for me to be certain from his somewhat free-associative recounting of the symptoms whether this is actually the case, but he’s quite persuaded of it—and which is at all events definitely superannuated. I’ve brokered him the purchase of a very recent model that should give him good service for years. In the course of a discussion today, he was floored and horrified, as I gave him pointers on configuration, at the notion of ever going online as an “Administrator”: it has been his custom, I gather, to use a “Standard” account for these things. I told him that he was being needlessly, even absurdly cautious here, and some cursory research appears to bear out this conclusion, but he asked me to put the question to the great and good minds of IWT. If anyone has useful thoughts on the matter, I’ll pass them on.

Been using an admin account for years
I've been running Macs basically full-time since, oh, 2008-ish. On all of my computers since, my user account has been marked as an Administrator. In fact, even on the corporate-locked-down laptop that I've received from $CLIENT, my user is an Administrator.


"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
- Benjamin Franklin, 1759 Historical Review of Pennsylvania
It's a bad idea
You should use a standard account on Windows or Mac, and then elevate privileges as required.

Ashton's approach is correct.
So let me try to understand this
You're helping Ash to set up a new box. This is a Mac. And in the Mac world, which is really a subset of the Unix world, you have to be a certain account. And this account has administrator privileges by default. Which is scary, and should be. My confusion is that whenever you need an administrator level privilege you need to, I guess super use, SU, this is how we deal with it on Linux, etc.

So this is basically an account that can step up its privileges. The question is are these privileges on by default or does there need to be an acknowledgment of it?

Or is this account zero? Which nobody, ever, should be logging into.
Mac administration
Every modern Mac has at least one admin account. It’s required in order for the user to adjust many of the machine settings. I need to enter my system password in order to change the fucking time zone, for example, or even whether I want the clock display in the menu bar to display the date. So far as I’m aware, most exploits aimed at Mac users from bad actors aim to trick the user into granting access—loading or launching dodgy code, for example—by tricking the victim into abusing his admin status and uttering “Open Sesame.” The OS will generally display a cautionary note in this event: “You sure you wanna do this, buddy?”

Of course, our naïve user has likely ventured already into some of the gamier precincts of the online world in search of smut or bootlegs, and if he is powerless to download what purports to be a torrent feed for a current blockbuster as a “standard” user, he can certainly log back in as an Übermensch. As many others have observed, it is difficult to make anything foolproof, since fools are so very resourceful and ingenious.

It will do Ashton no harm to continue going online with a standard account, as he has apparently been doing thus far. I was just surprised at how shocked he was that anyone might do otherwise. Anyway, I’ll report back on these opinions, and welcome further input.

root and admin are different.
You can't log in to root on OS X. It just doesn't work. I don't think you can even set the password. AFAIK, you _must_ use "sudo" to go root.

Admin is different. At its simplest, admin gives your user the right to ask to be some subset of root depending on the context. I hope I've explained this well enough.
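
An added example, not part of any post in this thread: a shell script that sorts an account into the three categories the thread distinguishes (root, Administrator, Standard) from the membership line of the macOS `admin` group. The account names and the sample line are constructed; on a machine without `dscl` the script falls back to that sample.

```shell
#!/bin/sh
# Constructed sample of what `dscl . -read /Groups/admin GroupMembership`
# prints on a Mac; the account names are made up for this example.
SAMPLE_ADMIN_LINE='GroupMembership: root ashton_admin'

# classify_account USER [MEMBERSHIP_LINE]
# Prints "root", "admin" or "standard" for USER.
classify_account() {
    user=$1
    line=${2-$SAMPLE_ADMIN_LINE}
    if [ "$user" = "root" ]; then
        echo root
        return 0
    fi
    # Drop the "GroupMembership:" key, then compare whole names so that
    # "ashton" does not match "ashton_admin".
    members=${line#GroupMembership:}
    for m in $members; do
        if [ "$m" = "$user" ]; then
            echo admin
            return 0
        fi
    done
    echo standard
}

# live_admin_line: read the real membership on macOS, else use the sample.
live_admin_line() {
    if command -v dscl >/dev/null 2>&1; then
        dscl . -read /Groups/admin GroupMembership 2>/dev/null
    else
        echo "$SAMPLE_ADMIN_LINE"
    fi
}

# Report on the account running the script.
me=$(id -un)
kind=$(classify_account "$me" "$(live_admin_line)")
echo "$me is a $kind account"
case $kind in
    admin) echo "in group admin: can approve system changes and use sudo after authenticating" ;;
    standard) echo "not in group admin: system changes need an admin's name and password" ;;
esac
```

The membership line lists direct members only; `dseditgroup -o checkmember -m USER admin` also resolves nested groups.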

     A Mac security question on Ashton’s behalf - (rcareaga) - (5)
         Been using an admin account for years - (mvitale) - (4)
             It's a bad idea - (pwhysall) - (3)
                 So let me try to understand this - (crazy) - (2)
                     Mac administration - (rcareaga)
                     root and admin are different. - (static)
