Re: [SC-L] how far we still need to go

Wed, 25 Jul 2007 19:21:39 -0700 

BB, well yes I did gloss over the OS X admin and Unix "root" diffs.

And I agree that the install does create the first user as admin. That's a
problematic scenario.

Furthermore, I probably know too much, because I knew I wanted to create an
ordinary user acc't in addition to admin on my personal machine. And I know
enough to add the ordinary user to the "sudoer" list, so I can get admin
privileges when I want. This is definitely way too much work for someone who
just wants to use the computer.

But I still expect developers to know the difference and build their apps so
that ordinary folk can install them. But, then ordinary folk need to know the
difference between admin and ordinary. ... Uh oh, I'm getting a headache.

Thanks for the clarification.

-Bill

Blue Boar wrote:
> William L. Anderson wrote:
>> I am flabbergasted. When I first encountered Unix in 1983 I was taught that 
>> you
>> always run as an ordinary user, and only use admin (root) privileges when
>> needed. If OS X developers are running as admin, and building and testing 
>> their
>> products as admin, well ... I'm still in shock. And I weep for the species.
> 
> Are you confusing the Mac specifics? "Admin" on OS X is not the same as
> root. Members of the Admin group can elevate privs to do things as the
> equivalent of root, and the Admin group can write to /Applications. The
> app in question could improve, of course, but the fact the Admin has so
> much power and that the first user you create is a member of that group
> is the fault of OS X.
> 
> (At least, that's the way it worked not too long ago, Apple does seem to
> occasionally fix these things over time.)
> 
>                                               BB
>

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________

Reply via email to