
SlCKB0Y

macrumors 68040
Feb 25, 2012
3,426
555
Sydney, Australia
EDIT: What's also important to note, that once again, we are talking about an action the user is actively involved with. It does not happen by itself.

Requiring user interaction does not mean it is not a security risk.

----------

Aside from theories, hypotheses, arranged hacking competitions and other things that the masses of OS X users would never be exposed to in normal use, name one instance of a vulnerability that was actually exploited that affected admin users that didn't also affect standard users. There simply are none and there have never been any since OS X was introduced.

That's not relevant. The mere fact that an admin user has greater access to the system increases risk and lessens security. By definition it has to.
 

GGJstudios

macrumors Westmere
May 16, 2008
44,545
943
That's not relevant. The mere fact that an admin user has greater access to the system increases risk and lessens security. By definition it has to.
It's quite relevant. Again, more arguments with no evidence of any real-world benefit of running a non-admin account.
 

laurihoefs

macrumors 6502a
Mar 1, 2013
792
23
Requiring user interaction does not mean it is not a security risk.

I didn't say it wasn't. You quoted me out of context. I claimed that user interaction is required for both admin and normal users, and in the scenario Alrescha described, the risk would be present for both types of accounts.
 

SlCKB0Y

macrumors 68040
Feb 25, 2012
3,426
555
Sydney, Australia
It's quite relevant. Again, more arguments with no evidence of any real-world benefit of running a non-admin account.

Pfftt. And with that I'll leave this thread alone, just like everyone else who seems to know anything about IT security.

You are really really good at uninstalling applications though, I'll give you that! :D
 

dyn

macrumors 68030
Aug 8, 2009
2,708
388
.nl
My logic is just fine. Among those arguing that everyone should be running a non-admin account as their regular account, not one single example has been given of a real-world threat that can affect an admin user that wouldn't also affect a standard user.
It's not your logic that is wrong, it is your lack of knowledge of the subject at hand. All those others who argue that running under a non-admin account have far more knowledge of the subject than you do. They make a certain risk assessment, they are actually *thinking* about what could happen and for that you need to know what an admin account is (what rights does it have, what can it access, etc.) and what a non-admin account is. What I see you do is nothing but shouting "you are wrong". You have not provided any information that shows running as an admin account is as safe as running as a non-admin account (which is what you are claiming).

FYI: if you've actually read people's posts you'd have seen real-world threats that will affect an admin user and won't affect a non-admin user. Apple's security website is full of such examples: https://support.apple.com/kb/HT1222

If you want to run a non-admin account, do it. There is nothing wrong with others (the vast majority of OS X users) to use an admin account as their usual account.
Now do what you request from others...prove this statement of yours. FYI, I agree with it but I'm not going to tell you why because then I'm giving the proof for you while it is you who should be giving it.

Now try again. This time use logic, reason, etc. Show us you have an actual technical understanding of it and can make a proper risk assessment. That goes for others as well btw. That's how we should discuss things like this. Not by yelling someone is wrong and demanding proof from them (if you say it is wrong then YOU provide the proof, not the other way around!).
 

GGJstudios

macrumors Westmere
May 16, 2008
44,545
943
It's not your logic that is wrong, it is your lack of knowledge of the subject at hand. All those others who argue that running under a non-admin account have far more knowledge of the subject than you do.
That is not only false, but it's an erroneous assumption made with zero facts. You have absolutely no idea what my knowledge level is on this topic.
They make a certain risk assessment, they are actually *thinking* about what could happen and for that you need to know what an admin account is (what rights does it have, what can it access, etc.) and what a non-admin account is. What I see you do is nothing but shouting "you are wrong". You have not provided any information that shows running as an admin account is as safe as running as a non-admin account (which is what you are claiming).
Again, your arguments are based on hypothetical threats that have never resulted in real-world exploitations. What could happen is vastly different from what has happened or what is likely to happen.

The evidence that it is just as safe for real-world usage is the fact that not one breach of OS X security has ever been reported that could be avoided by running a non-admin account. Remember, the existence of software updates to patch vulnerabilities does not indicate that any of those vulnerabilities was successfully exploited in the wild.

Further evidence is the fact that Apple makes admin accounts standard for all new OS X installations, without requiring the establishment of a standard account for daily use. By contrast, look at the way Apple responded to the real-world threats that existed in the wild regarding Java in Safari, providing updates to have Java disabled by default, and ultimately having it not installed by default. If a similar threat existed regarding admin accounts, common sense would suggest that Apple would respond in similar fashion. They haven't, because no such real-world threat exists.

if you've actually read people's posts you'd have seen real-world threats that will affect an admin user and won't affect a non-admin user. Apple's security website is full of such examples: https://support.apple.com/kb/HT1222
No, not one has been provided. As already stated, software updates do not imply a breach has occurred in the wild.

Now try again. This time use logic, reason, etc. Show us you have an actual technical understanding of it and can make a proper risk assessment. That goes for others as well btw. That's how we should discuss things like this. Not by yelling someone is wrong and demanding proof from them (if you say it is wrong then YOU provide the proof, not the other way around!).
I didn't yell. I didn't even demand proof. I stated facts and suggested that if people want to demonstrate my statements are false, they should provide proof. Not one has done so, including you. Neither I nor anyone else is obligated to conform to your idea of how this topic should be discussed.
 

dyn

macrumors 68030
Aug 8, 2009
2,708
388
.nl
That is not only false, but it's an erroneous assumption made with zero facts. You have absolutely no idea what my knowledge level is on this topic.
It is not about saying it is false, it is about proving it is false ;)

Again, your arguments are based on hypothetical threats that have never resulted in real-world exploitations. What could happen is vastly different from what has happened or what is likely to happen.
This is not proving my statement is false, this is proving you really have no idea what security is about. Security is about ALL threats both theoretical, hypothetical as well as those that actually exist and are actually used. That's how all those guys actually find security issues.

The evidence that it is just as safe for real-world usage is the fact that not one breach of OS X security has ever been reported that could be avoided by running a non-admin account.
https://support.apple.com/kb/HT1222 tells a different story.

Remember, the existence of software updates to patch vulnerabilities does not indicate that any of those vulnerabilities was successfully exploited in the wild.
That's why we have news sites like macrumors.com and say slashdot. They report on those issues.

Further evidence is the fact that Apple makes admin accounts standard for all new OS X installations, without requiring the establishment of a standard account for daily use.
Ah, you mean the same thing Microsoft does in Windows? We all know Windows' track record when it comes to exploits... The same thing you were saying for patches and updates applies here: the fact that Apple or Microsoft make the first user an admin account does not mean it is a good thing. They do so because they look at what the computer is used for. In real life people will complain and sue if they are not the owner of the machine and have full rights in the OS that it is running. That's why those installs have admin users. It is common practice to give out ordinary user accounts to users. If they want to do something more they need to contact the IT department. This is something that you can't do with the average consumer.

By contrast, look at the way Apple responded to the real-world threats that existed in the wild regarding Java in Safari, providing updates to have Java disabled by default, and ultimately having it not installed by default. If a similar threat existed regarding admin accounts, common sense would suggest that Apple would respond in similar fashion. They haven't, because no such real-world threat exists.
Apple responded to a certain Java exploit about 2 months later than Oracle did. Java developers have migrated back to Windows because Apple neglected Java in OS X. In the end this led to Oracle taking back the control. I hope Apple would NOT respond to admin account issues the same way they did with the Java exploits. That would be horrible, they waited too long.

No, not one has been provided. As already stated, software updates do not imply a breach has occurred in the wild.
As stated you haven't read those reports.

I didn't yell. I didn't even demand proof. I stated facts and suggested that if people want to demonstrate my statements are false, they should provide proof. Not one has done so, including you.
You also need to read the things you are writing. The first thing you say here is that you don't demand proof. The next sentence is you demanding proof again ;) Many here have provided proof but you keep denying and ignoring it completely.

To repeat myself again: you need to start practicing what you preach and for this discussion you really need to take a science approach to it. You are not really contributing to this discussion with those meaningless posts where you are only scolding others.

Neither I nor anyone else is obligated to conform to your idea of how this topic should be discussed.
You are obligated to conform to forums rules and regulations: https://macrumors.zendesk.com/hc/en-us/articles/201327723-MacRumors-Rules-for-Appropriate-Debate They tell you and everybody else how this topic should be discussed.
 

GGJstudios

macrumors Westmere
May 16, 2008
44,545
943
No, it doesn't. As already stated, the fact that an update or patch has been released does not prove that an actual exploitation of a vulnerability has occurred. That article does not point to any actual exploit in the wild that affects admin accounts and not standard accounts.
Apple responded to a certain Java exploit about 2 months later than Oracle did.
The timeliness of their response is irrelevant to my point; only the fact that they did respond, because there was an exploit in the wild that needed to be addressed. Such is not the case with admin accounts.
I hope Apple would NOT respond to admin account issues the same way they did with the Java exploits.
That assumes there will be actual exploits related to admin accounts. So far, there are none.
As stated you haven't read those reports.
I've read everything posted. Not one actual exploit in the wild that relates only to admin accounts has been posted.
You also need to read the things you are writing. The first thing you say here is that you don't demand proof. The next sentence is you demanding proof again
I'm not demanding anything. A suggestion is not a demand.
Many here have provided proof but you keep denying and ignoring it completely.
No, not one has provided proof of any exploit in the wild that affects admin accounts and doesn't affect standard accounts. Not one.
To repeat myself again: you need to start practicing what you preach and for this discussion you really need to take a science approach to it.
No, I don't need to take any particular approach. I choose to take a practical approach. There has never been an actual exploit in the wild that can affect normal users running OS X admin accounts but not standard accounts. That is the fundamental fact that no one has disproved.
you are only scolding others.
I'm not scolding anyone.
You are obligated to conform to forums rules and regulations: https://macrumors.zendesk.com/hc/en-us/articles/201327723-MacRumors-Rules-for-Appropriate-Debate They tell you and everybody else how this topic should be discussed.
I have abided by those rules. If you find otherwise, report my posts to the moderators. Those rules are completely different than your preconceived ideas about how people should present their arguments.
 

bradl

macrumors 603
Jun 16, 2008
5,934
17,425
I've read everything posted. Not one actual exploit in the wild that relates only to admin accounts has been posted.

No, not one has provided proof of any exploit in the wild that affects admin accounts and doesn't affect standard accounts. Not one.

No, I don't need to take any particular approach. I choose to take a practical approach. There has never been an actual exploit in the wild that can affect normal users running OS X admin accounts but not standard accounts. That is the fundamental fact that no one has disproved.

There is an actual exploit that affects not only Admin accounts but standard accounts as well. It is called PEBKAC.

While an experienced admin may know their way around a machine let alone at the filesystem level, they more than likely know their way around at the filesystem level, what to do/not do, and how to tread carefully with the power that they have on the machine.

Tell that to the inexperienced person in an admin account that for reasons unknown, does a 'rm -rf /' or a 'dd bs=8192 if=/dev/zero of=/' because they read somewhere that that is the quickest way to wipe their drive so they can run a clean install of the latest OS, then complain and ask for urgent 911 help because they want to get their files back after doing something they didn't know about.

It is silly idiotic things like that being done at the admin level that Apple's model is designed to prevent. You don't need to be root all of the time; in fact, it is a hell of a lot more secure to not be root up until you need to run commands as that privileged user, then get the hell out of the account.

The admin is a SuperUser, not a normal user. Treat it as such.

BL.
 

dyn

macrumors 68030
Aug 8, 2009
2,708
388
.nl
The timeliness of their response is irrelevant to my point; only the fact that they did respond, because there was an exploit in the wild that needed to be addressed. Such is not the case with admin accounts.
The response only came after many sites reported on it. Their "timeliness" wasn't good at all. I do agree that Apple is mostly doing a better job than some other software manufacturers do. Apple is not doing amazing when it comes to security though (take a look at the current iTunes issue discovered by Dutch-Moroccan hackers).

That assumes there will be actual exploits related to admin accounts. So far, there are none.
Xprotect has fixes for a few of those actual exploits related to admin accounts (normal user accounts were not affected by them). These issues have led to a more advanced Xprotect as well as the use of signed installers. Unfortunately Safari still has the option to open dmg files after download enabled by default (no other browser has it). All these issues have been posted in KB HT1222 and many websites have reported them.

Those rules are completely different than your preconceived ideas about how people should present their arguments.
Those rules are exactly the same.

Btw, there still are no traces of proof or examples in your post only "you're incorrect", "that's false", "not true".

There is an actual exploit that affects not only Admin accounts but standard accounts as well. It is called PEBKAC.
Also a good point but it has a bit of a hole in it in this case. Many here are talking about running under a normal user account for added security and using a separate admin account (or even the real root account). In that case they are using things like sudo. The pebkac issue still persists (sudo reboot on the wrong machine is not uncommon amongst sysadmins :D). The only way to solve that is to take away their access to any form of admin account (which is what many companies do as a best and common practice: users are users, not admins).
 

GGJstudios

macrumors Westmere
May 16, 2008
44,545
943
Xprotect has fixes for a few of those actual exploits related to admin accounts (normal user accounts were not affected by them).
I'm still waiting to see a link to an example of such an exploit that was actually experienced in the wild, as opposed to a vulnerability that was patched before anyone encountered a problem with it.
Unfortunately Safari still has the option to open dmg files after download enabled by default (no other browser has it).
I agree that option is not in the best interest of security, but it affects both admin and non-admin users.
Btw, there still are no traces of proof or examples in your post only "you're incorrect", "that's false", "not true".
That's because you can't prove the absence of in-the-wild exploits, but only prove otherwise by posting an example of one that does exist. So far, no one has done that, as it relates to admin accounts but not standard accounts.
 

2984839

Cancelled
Apr 19, 2014
2,114
2,239
No, it doesn't. As already stated, the fact that an update or patch has been released does not prove that an actual exploitation of a vulnerability has occurred. That article does not point to any actual exploit in the wild that affects admin accounts and not standard accounts.

The timeliness of their response is irrelevant to my point; only the fact that they did respond, because there was an exploit in the wild that needed to be addressed. Such is not the case with admin accounts.

That assumes there will be actual exploits related to admin accounts. So far, there are none.

I've read everything posted. Not one actual exploit in the wild that relates only to admin accounts has been posted.

I'm not demanding anything. A suggestion is not a demand.

No, not one has provided proof of any exploit in the wild that affects admin accounts and doesn't affect standard accounts. Not one.

No, I don't need to take any particular approach. I choose to take a practical approach. There has never been an actual exploit in the wild that can affect normal users running OS X admin accounts but not standard accounts. That is the fundamental fact that no one has disproved.

I'm not scolding anyone.

I have abided by those rules. If you find otherwise, report my posts to the moderators. Those rules are completely different than your preconceived ideas about how people should present their arguments.

Sudo bypass for admin users, does not affect regular users: http://www.exploit-db.com/exploits/27944/
 

GGJstudios

macrumors Westmere
May 16, 2008
44,545
943
Sudo bypass for admin users, does not affect regular users: http://www.exploit-db.com/exploits/27944/
The presence of any proof-of-concept exploit in a database does not mean it has been released into the wild where average users are likely to encounter it. Do you have any evidence of this exploit being encountered in the wild by average OS X users? There are proof-of-concept OS X viruses, but none has ever been found in the wild, so they pose no threat to the user community.
The Exploit Database is a repository for exploits and proof-of-concepts rather than advisories, making it a valuable resource for those who need actionable data right away.
 

dyn

macrumors 68030
Aug 8, 2009
2,708
388
.nl
Was about to post that one as it is probably the most known one (and sudo is still a problem since it is configured with a timeout greater than 0 by default; another side note: there are many discussions about whether sudo is actually safer to use). Flashback is another example (later versions of that malware did not require a password because it used an exploit in an old Java version, however, earlier versions did). You can find these in the Xprotect settings (as I said earlier). Note: there is a catch to this one, can you spot it?

There have also been infected iWorks installers (some people who hunted for an illegal version of that got hit by this one) which caused some damage when people used Safari to download it and didn't change the default to open dmg files (keep this in mind when reading the next paragraph).

Hint: use a search engine ;)

Let's not forget that when you are an admin user you get to go places where ordinary users can't go. Makes brute force attacking a bit more interesting (which is sometimes very easy if you look at what passwords people use). Also, when you get infected it will have another really cool effect: it will infect ALL users on that machine whereas a normal user will only be able to infect itself. Search for the word "admin" on the following page and you get this:
Next, the worm will extract an InputManager plugin from its main body, called "apphook". If the current user is an admin, it will copy this plugin into the "Library/InputManagers" folder. If the current user is not an admin, it will copy it to the user's "~/Library/InputManagers" folder. The difference between these two operations is that the InputManagers plugins from the root "/Library" folder will be loaded in applications run by all users while in the second case, it will only be loaded in the applications run by the current user.
This is something called OSX/Leap.A and was found here on MacRumors.

What some people do not realise is the power you have when using an admin account. By default it can read/write certain areas that a normal user can't. In such cases it won't trigger a username/password dialog. Since a normal user is very very limited to where it can read/write getting the username/password dialog serves as an additional warning ("why does it want me to enter my admin account?"). That's why the above malware has a more devastating effect under an admin user than under a normal user.

@GGJstudios: I've used the fact that nearly all sudo installs are set up (by default) to keep the user's password cached for 5 or 15 minutes numerous times. I only need to enter sudo -i after someone has used his/her password with sudo. This gives me a superuser shell where I don't have to enter the user's password any more. It saves me some typing. Most times they knew but sometimes they didn't.

Btw, metasploit is very well known for their pentesting software. They use these security bugs and create exploits for it. If you can find it in tools like that then there is an exploit in the wild.
 
Last edited:
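
Added example, not part of the original thread or any poster's code: a small audit of the sudo credential cache mentioned in the post above, which reads a sudoers-format file and reports the `timestamp_timeout` that applies to a user (0 means sudo prompts every time). The function names, the sample users and the constructed sample file are assumptions for illustration; only global and per-user `Defaults` entries are evaluated.

```shell
#!/bin/sh
# Added example (not from the thread): report the sudo credential-cache window
# that applies to a given user, from a sudoers-format file.
# Assumptions: only global "Defaults" and "Defaults:user[,user]" entries are
# evaluated; aliases, %groups, host/runas/command scopes and include files
# are ignored.

# Built-in default documented in sudoers(5) when the option is unset (minutes).
BUILTIN_TIMEOUT=5

# effective_timestamp_timeout SUDOERS_FILE USER
# Prints the timestamp_timeout in effect for USER; the last matching entry wins.
effective_timestamp_timeout() {
    awk -v user="$2" -v val="$BUILTIN_TIMEOUT" '
        /\\$/ { sub(/\\$/, ""); buf = buf $0; next }   # join continued lines
        {
            line = buf $0; buf = ""
            sub(/#.*/, "", line)                        # drop comments
            if (line !~ /^[ \t]*Defaults/) next
            sub(/^[ \t]*Defaults/, "", line)
            c = substr(line, 1, 1)
            if (c == ":") {                             # user-scoped entry
                sub(/^:[ \t]*/, "", line)
                n = match(line, /[ \t]/)
                if (n == 0) next
                users = substr(line, 1, n - 1)
                line = substr(line, n + 1)
                hit = 0
                m = split(users, u, ",")
                for (i = 1; i <= m; i++) if (u[i] == user) hit = 1
                if (!hit) next
            } else if (c != " " && c != "\t") {
                next                                    # other scopes: skipped
            }
            m = split(line, opt, ",")
            for (i = 1; i <= m; i++) {
                o = opt[i]; gsub(/[ \t]/, "", o)
                if (o ~ /^timestamp_timeout=/) {
                    sub(/^timestamp_timeout=/, "", o); val = o
                }
            }
        }
        END { print val }
    ' "$1"
}

# classify_timeout VALUE
# 0 = password required on every sudo call; negative = cached until reboot;
# anything else = cached for that many minutes after a successful sudo.
classify_timeout() {
    case "$1" in
        0|0.0) echo "prompt-always" ;;
        -*)    echo "never-expires" ;;
        *)     echo "cached" ;;
    esac
}

# Constructed sample policy (not taken from a real host).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# constructed sample sudoers content
Defaults env_reset
Defaults:alice timestamp_timeout=0
Defaults:bob,carol env_reset, \
    timestamp_timeout=15
%admin ALL=(ALL) ALL
EOF

for u in alice bob dave; do
    t=$(effective_timestamp_timeout "$SAMPLE" "$u")
    echo "$u: timestamp_timeout=$t ($(classify_timeout "$t"))"
done
```

A global `Defaults timestamp_timeout=0` line, added with `visudo`, makes every account report `prompt-always`.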

2984839

Cancelled
Apr 19, 2014
2,114
2,239
The presence of any proof-of-concept exploit in a database does not mean it has been released into the wild where average users are likely to encounter it. Do you have any evidence of this exploit being encountered in the wild by average OS X users?



The fact that the code for the exploit is on a publicly available website and packaged as a working Metasploit module proves it is "in the wild". If you run a version of OS X that includes this version of sudo, you are vulnerable to this exploit. Period.

If you want to keep your head in the sand and claim that it is not valid because you don't personally know someone who was hacked using this exploit, go ahead. You are also free to download the module and run the exploit against the versions of OS X it specifies as vulnerable.

The bottom line is there have been exploits that allow a machine to be rooted using the admin account. Using a regular user account would prevent this exploit from working. No amount of mental gymnastics can make this false.
 

GGJstudios

macrumors Westmere
May 16, 2008
44,545
943
The fact that the code for the exploit is on a publicly available website and packaged as a working Metasploit module proves it is "in the wild". If you run a version of OS X that includes this version of sudo, you are vulnerable to this exploit. Period.
That is not true. You misunderstand the concept of "in the wild".
According to noted computer virus expert Paul Ducklin, in order for a virus to be considered in the wild, "it must be spreading as a result of normal day-to-day operations on and between the computers of unsuspecting users."
The same holds true for any malware or security exploit.
If you want to keep your head in the sand and claim that it is not valid because you don't personally know someone who was hacked using this exploit, go ahead.
I don't need to personally know someone who was affected by an exploit. Can you show evidence that any average user was ever affected by this exploit?
The bottom line is there have been exploits that allow a machine to be rooted using the admin account. Using a regular user account would prevent this exploit from working. No amount of mental gymnastics can make this false.
Unless an exploit has been released into the wild where average users can encounter it, it poses no threat to the OS X user community. You have not demonstrated that any such threat exists or has ever existed in the wild.
 

dyn

macrumors 68030
Aug 8, 2009
2,708
388
.nl
Unless an exploit has been released into the wild where average users can encounter it, it poses no threat to the OS X user community. You have not demonstrated that any such threat exists or has ever existed in the wild.
That is not true, that is just being unbelievably naive and not understanding things at all. The fact that it is possible means that it actually does pose a threat. How high (or low) that risk is, is what you are (and should be) debating here.

Luckily that's how the fire brigade, police, pilots, etc. are being trained. They train for situations they may never ever encounter but when they do, they at least have some idea on how to react to it. That's what saves lives. That's why OS X has ordinary user accounts, admin user accounts and the root account as well as firewalls, ACLs, sandboxing, gatekeeper, and so on. These are measures to minimise security risks or even prevent them completely.

You should never ever wait for a disaster to happen in order to fix problems. You should fix problems in order to prevent disasters from happening. If disaster happened, you're too late. Since nobody can tell what is going to happen in the future accurately there is no way of knowing if something is ever going to be a real problem. We make educated guesses. Quite a lot of people here are just doing that. They are trying to prevent disaster from striking on their machines.

Since you are able to tell the future do enlighten us: what will the next OS X exploit be?
 

GGJstudios

macrumors Westmere
May 16, 2008
44,545
943
Since nobody can tell what is going to happen in the future accurately there is no way of knowing if something is ever going to be a real problem. We make educated guesses. Quite a lot of people here are just doing that. They are trying to prevent disaster from striking on their machines.

Since you are able to tell the future do enlighten us: what will the next OS X exploit be?
This is exactly the point I've been making. You have no way of knowing if there will ever be a threat in the future that can be avoided by running a standard vs admin account. You have no idea if the next exploit might attack all accounts, so running a standard account would have no benefit.

The fact is that in the real world where Mac users operate, in the 13 years since OS X was released and continuing to the present time, there has been no disadvantage in operating with an admin account, instead of a standard account. While anything is possible in the future, there is nothing that points to the likelihood that running a standard account will ever provide any protection over an admin account. If any user prefers running a standard account, that's their choice. If they prefer running an admin account, there is no evidence that they are at greater risk.
 

bradl

macrumors 603
Jun 16, 2008
5,934
17,425
This is exactly the point I've been making. You have no way of knowing if there will ever be a threat in the future that can be avoided by running a standard vs admin account. You have no idea if the next exploit might attack all accounts, so running a standard account would have no benefit.

The fact is that in the real world where Mac users operate, in the 13 years since OS X was released and continuing to the present time, there has been no disadvantage in operating with an admin account, instead of a standard account. While anything is possible in the future, there is nothing that points to the likelihood that running a standard account will ever provide any protection over an admin account. If any user prefers running a standard account, that's their choice. If they prefer running an admin account, there is no evidence that they are at greater risk.

The issue here is that you are not correlating the release of OS X to Unix, which there is such a disadvantage. With that, you also are not making the connection that you can run your Mac in a multi-user environment, where you could have it running as a server as well as your personal station. When you do that, do you really want every account that could log in have the rights of an admin or an admin account? If so, that is very piss poor system administration skills being utilized, and would effectively show.

As an admin, any given user could easily replace your Safari binary with a shell script that does a 'rm -rf /' and you'd be screwed. Or, someone from the CLI could go out and install XCode or pull down their own version of gcc, compile their own torrent daemon, and use your Mac to serve out pirated software, movies, and childpr0n, leading the mafiaaMPAA and LEOs to your door, because it is coming from your IP address.

You are not addressing the issue of malicious users on your Mac when set up in a multiuser environment, and them having admin access. That is why you restrict admin access to very few users if any at all, and only use it when required to. Otherwise, standard non-admin users.

Sysadmin 101 there.

BL.
 

crjackson2134

macrumors 601
Mar 6, 2013
4,823
1,948
Charlotte, NC
Apparently, Apple does not recommend using my administrator account on a daily basis. I understand that I don't need administrator privileges for some tasks. I would still like to know why I should create a separate user.

1) I am the only one who will use this computer.
2) Mac OS X requires that I type in my administrator password any time I want to do something like modify system files or settings.
3) I can see if an application is or contains malware by doing some research on the Internet.

I'm quoting your original post as it seems peeps are not even reading post #1.

I personally am in the same situation as you and I see no reason to run anything other than my admin account. I am the administrator and no one else has access to this machine (My personally owned machine). I guess some would have you protect yourself from yourself.
 
Last edited:

bradl

macrumors 603
Jun 16, 2008
5,934
17,425
Go back and read the very first post in this thread to understand the context of this discussion. None of what you describe applies to the OP's question.

It wasn't intended to apply to the OP or the entire discussion; my post is applicable to your assertion that there is no disadvantage to running everything via an admin account versus a non-admin account. That assertion is bogus.

You wouldn't run a Linux box that way, let alone any other Unix-based OS, just based on security alone. Macs are no different, as they are just as Unix-like as Linux.

BL.
 

GGJstudios

macrumors Westmere
May 16, 2008
44,545
943
It wasn't intended to apply to the OP or the entire discussion; my post is applicable to your assertion that there is no disadvantage to running everything via an admin account versus a non-admin account. That assertion is bogus.
The assertion is that a Mac user can run their own Mac as an admin, with no higher risk than running a standard account, which is entirely true. Your argument relates to network administration, which is not part of the assertion or this discussion. Everything being discussed here relates to average Mac users running their own Macs, not to network administrators. It helps if you stay on topic.
 

bradl

macrumors 603
Jun 16, 2008
5,934
17,425
The assertion is that a Mac user can run their own Mac as an admin, with no higher risk than running a standard account, which is entirely true. Your argument relates to network administration, which is not part of the assertion or this discussion. Everything being discussed here relates to average Mac users running their own Macs, not to network administrators. It helps if you stay on topic.

This has nothing to do with network administration, as this is relative to a single machine, not a network nor networked machines together. But let's take your single user scenario into consideration.

You assume the bold. As a Sysadmin, you can not assume this, because you do not know the level of knowledge any other user has. So let's say that as an admin account, you let someone else use your Mac, after logging in successfully. In the time that they are using your Mac, they could copy out important information (password keychain, quick copy of your password file, etc.), quickly edit your passwd file and shadow file to remove any password string, etc., change your password so you are effectively locked out of your Mac, so on and so on. You don't know the limit of their knowledge, so you shouldn't assume that you do.

You want to talk about systems and network administration being irrelevant to the discussion at hand? This has nothing to do with those, but more to do with systems administration and security, which has everything to do with any type of administration, whether it be for Unix, Linux, Mac, Windows, VMS, or otherwise.

You really are not understanding the ramifications of what power an admin account has and how it can be exploited in the wrong hands due to negligence of the user.

BL.
 

GGJstudios

macrumors Westmere
May 16, 2008
44,545
943
So let's say that as an admin account, you let someone else use your Mac, after logging in successfully.
Anyone with a modicum of sense knows that if you give someone else access to your Mac, all bets are off, even if you run a standard account. You're grasping at straws by adding scenarios that are not part of the discussion and don't apply to the topic.
 