On May 3, 2013, at 3:21 PM, Anne Keller-Smith <[email protected]> wrote:

> Okay, I have an iMac running Snow Leopard, and way back in the stone age 
> (2009) after I turned it on I set up an account with a username and password, 
> then forgot about it except when installing software, where it asked for my 
> username and password. Ditto with my son's machine, very close model (2008) 
> which I recently bequeathed to my parents after said kid wanted to build a 
> Windows PC to play games (!)
> 
> We wiped the drive, did a fresh install of Snow Leopard, and I gave parents 
> their own username and password, but is this an Admin account? Is this wrong? 
> Should they be using a plain User account and should I be giving them a new 
> username password for that? (Don't want to confuse the old birds) Should I be 
> doing the same on my machine as well? I'm looking now and I'm logged in a 
> Administrator, I think I've been logged in this way since 2008.

Conventional wisdom (based on Unix and Linux) says that you should always run 
as a plain user not an Admin account. My experience managing Macs under OSX for 
years and years is 'Meh, conventional wisdom is quite over-rated.' 

OSX's basic security structure (programs or processes can only ever *ask* to 
run with administrator rights) has proven to be quite robust. It simplifies 
matters enormously when users are not required to remember multiple passwords 
*for their own machines*. Adding an additional account/username required to do 
things is a meaningless step when it's the *same* person doing these things all 
the time.

> 
> Guess I thought Root and Administrator were the same thing (not at all!) and 
> on Googling, find out really we have three layers of user types. Also I see 
> Apple suggests disabling Root and not using an Admin account for daily work, 
> instead creating a plain User for that.
> 

root and Administrator are two different things.

root is a real user in OS X and is the 'I can do anything I want!' user in 
unix. Root is not allowed a login, so you can't run as a user who won't trigger 
those 'Authenticate to do this' dialogs. Administrative users are members of a 
group allowed to assume root privileges for a single process, or a short time.

Even modern Linux distros have adopted OSX's scheme, as it significantly 
strengthens the OS. 

> Ow! My head hurts. Is that what you all do? Have three different sets of 
> Usernames/Passwords for three levels?

All security in Unix is based on the concept of users and groups.

A user has specific privileges (they can read and write items in their home 
directory, and execute programs they 'own'), but most of the functionality of 
the system comes from membership in groups. Read/Write/Execute permissions on 
files, directories and programs are also granted to groups. This is how the 
distinction between Administrators and Users is made. All accounts are users, 
but only some accounts are in groups that give them certain rights (these are 
the Administrators)

They're members of groups (if I'm a member of the 'admin' group, I'm an 
administrator, for example.)

The only real difference between an admin user and a plain user is that when 
asked to authenticate, a plain user's login and password won't work and an 
admin's will. There are NO elevated runtime privileges awarded to Admin users. 
Nothing can just install itself, even in an Admin user's account, it always 
takes action by the user, even if it is just dragging a program from a disk 
image to the Applications folder. 

> 
> On any of our machines there's only one user, so I guess we've been running 
> them in Admin all this time.
> 

Correct. The first account created under OSX HAS to be an administrator, 
otherwise you couldn't install anything.

> I'm afraid to disable Root, and have no clue if I assigned it a 
> Username/Password, I thought I did but maybe that is Admin …

Root is disabled by default in OS X, so if you haven't taken steps to enable 
it, you're ok.

The only time you make these choices is when you add additional users, like 
'teenager' on your main system…definitely NOT admin! 8-)

But I run my systems pretty much like 99.999% of the OS X users out there, as a 
single Administrative user. It works, it's simple, it's actually as safe as 
doing it the conventional wisdom way.


-- 
Bruce Johnson
University of Arizona
College of Pharmacy
Information Technology Group

Institutions do not have opinions, merely customs
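
Added example, not part of the original message: a small shell audit of the point above that an Administrator is simply an account listed in the 'admin' group. It classifies login accounts from the output of two `dscl` queries; the account names and sample output are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Classify local OS X accounts as admin or standard from `dscl` output.
# Sample data below is constructed, not taken from a real machine.

# Constructed sample of: dscl . -read /Groups/admin GroupMembership
SAMPLE_ADMIN='GroupMembership: root anne'

# Constructed sample of: dscl . -list /Users UniqueID
SAMPLE_USERS='_www      70
daemon    1
root      0
anne      501
teenager  502'

# is_admin USER MEMBERSHIP_LINE -> exit 0 if USER is listed in the admin group
is_admin() {
    # Strip the "GroupMembership:" label, then compare each member name.
    for member in ${2#GroupMembership:}; do
        [ "$member" = "$1" ] && return 0
    done
    return 1
}

# classify_accounts USERS MEMBERSHIP_LINE -> one "name:role" line per login account.
# Accounts created for people start at UID 501; lower UIDs are system accounts.
classify_accounts() {
    printf '%s\n' "$1" | while read -r name uid; do
        # Skip system accounts and any line without a numeric UID.
        [ "$uid" -ge 501 ] 2>/dev/null || continue
        if is_admin "$name" "$2"; then
            echo "$name:admin"
        else
            echo "$name:standard"
        fi
    done
}

# On a real Mac, feed live data instead of the samples:
#   classify_accounts "$(dscl . -list /Users UniqueID)" \
#                     "$(dscl . -read /Groups/admin GroupMembership)"
classify_accounts "$SAMPLE_USERS" "$SAMPLE_ADMIN"
```

Any account reported as admin is one whose password will satisfy an 'Authenticate to do this' dialog, so the list is worth a look after adding users to a shared machine.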

