On Mar 27, 2013, at 7:05 PM, Wayne Stewart <[email protected]> wrote:
> I wasn't talking about giving anyone read + write access to the entire file
> tree except the administrator. Jane said she was the sole person and the
> administrator on that computer. Giving herself access shouldn't be a security
> issue.

You're giving the logged-on user access to things they shouldn't have; because Jane is logged on as a member of the Administrator's group does not mean she is 'root'. It means she can ask to do things as 'root' (via sudo or the GUI authorization systems) which also means that processes running under her login cannot automatically do things to large swaths of the OS.

This mechanism is defined by the permissions system on files and folders. If you just grant read&write access to the entire filesystem by a logged-in user *any* process running under that user's id can read and write to the entire filesystem.

This is the precise reason 'root' does NOT have a login shell in OS X. You can only accomplish things as root by invoking sudo (or explicitly enabling the root as a login account, but this is not recommended.) Many Linux distributions have started going this way as well, precisely because it is a safer way to operate.

This is analogous to the bad old days of Windows XP and local admin users. Any process, even a rogue one started via malware in a web page or email can do anything it wants to the system *without asking*.

This mechanism of permissions and rights is what has kept OS X safe from malware, for the most part, for well over a decade (and Unix for many decades prior). Numerous Linux distributions have gone to this model as well.

--
Bruce Johnson
University of Arizona
College of Pharmacy
Information Technology Group

Institutions do not have opinions, merely customs

--
You received this message because you are a member of G-Group, a group for those using G3, G4, and G5 desktop Macs - with a particular focus on Power Macs.
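An added example, not part of the original message: a small shell audit for the condition the reply describes, listing entries under a system tree that a process could modify without going through sudo or an authorization prompt. The function names `audit_tree` and `count_findings` are hypothetical, and the script assumes path names without embedded newlines.

```shell
#!/bin/sh
# Added example (not from the original message): find entries in a system
# tree that an unprivileged process could change without asking.

# audit_tree ROOT [OWNER_UID]
#   ROOT       directory to scan, e.g. /Library or /usr
#   OWNER_UID  uid expected to own everything there (default 0, i.e. root)
# Prints one finding per line as "<reason>: <path>".
audit_tree() {
    root=$1
    owner=${2:-0}

    # Not owned by the expected account: the actual owner's processes can
    # chmod or rewrite the entry with no authorization step.
    find "$root" ! -type l ! -user "$owner" -print 2>/dev/null |
        sed 's/^/wrong-owner: /'

    # Writable by "everyone". Sticky directories (mode 1777, like /tmp) are
    # skipped because the sticky bit restricts deletion to each file's owner.
    find "$root" ! -type l -perm -0002 \
        ! \( -type d -perm -1000 \) -print 2>/dev/null |
        sed 's/^/world-writable: /'
}

# count_findings ROOT [OWNER_UID]
# Prints the number of findings; 0 means the tree matches expectations.
count_findings() {
    audit_tree "$@" | wc -l | tr -d ' '
}
```

Run as `audit_tree /Library` and review the output against a known-good machine, since some entries are legitimately owned by other system accounts.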
