Question

This piece of advice is old but is coming back into fashion. I have seen it a lot recently, on a number of Mac websites or forums. "Your ‘everyday’ user account should not be an admin account. It should be a standard account created for this purpose, and you should log in to the admin account only to perform actual admin tasks."

This seems to be common advice in the Windows world, but for an up-to-date OS X system, I just cannot understand what kind of benefits it brings. Let’s dig into it:

  • OS X admin accounts are not root accounts. Any app wanting to go root will ask for your password anyway, so I see no additional security layer here. Try to put /var into the Trash.
  • Deep OS modification or code injection into most critical files has been prevented by SIP since El Capitan, whether you are admin, root or nobody. What’s more, in sensitive places where they are still allowed, such modifications would require a root password at the very least, even from an admin account, bringing us back to the first argument.
  • For spyware, privacy concerns and this kind of stuff, using standard accounts provides little additional protection, if any. As far as I know, even when used from a standard account, apps have full access to the user’s personal files and have full network access (minus any firewall, etc.). If a bad app wants to send home your docs, it can perfectly do so from a standard account.
  • Basic lines of defense (firewall, running trusted apps, and so on) are system wide.
  • On the other hand, it is a pain to switch to your admin account, then switch back to your standard account, back and forth. This may actually end up with the user delaying updates or admin maintenance, just to save time and postpone dealing with the hassle.

So, why not use an admin account? I hope this won’t be marked as duplicate, other questions related to this issue didn't address these arguments.

Edit: the question applies to a computer that you own and control.


Solution

There is only one root account on every OS X computer and it is disabled by default. It doesn't have a password and you can't login as root unless you specifically use Directory Utility and enable it. It's dangerous, because when logged in as root the system bypasses all authorization - it doesn't even ask for a password. In that aspect, an OS X computer is indeed rootless, which is A Good Thing™.

Admin accounts are simply standard accounts that also happen to be in the admin group. Any action in OS X performed by a logged-in user is checked against the authorization database (you can see its rules in /System/Library/Security/authorization.plist) to see whether no authentication is required, whether it is enough to be authenticated as the session owner (the standard user that is logged in), or whether you must be a member of the admin group. It gives very fine-grained control. So three possibilities might occur, for example in System Preferences when clicking the locked padlock. Upon clicking, it may simply unlock without authentication, it may offer an authentication dialog with the account name already filled in (which means "please confirm it's you"), or it may offer an authentication dialog with the account name and password fields blank (which means you are not an admin, please call an admin to type his credentials in).

A rule of thumb is that anything that can affect other users on the computer (a system-wide change) will require administrative authentication. But it's more complex than that. Standard users, for example, can install apps from the Mac App Store in the /Applications folder (which is a system-wide change) but cannot bypass GateKeeper to run unsigned applications, even if only within their own data. Standard users cannot invoke sudo, which has a bad side-effect of not requiring authentication in a 10-15 minute window after that. A cleverly designed script will ask you for an admin authentication for something you approve of, but after that it will do all sorts of wacky stuff you know nothing about.

Standard users can also be managed via parental controls or configuration profiles and can have password policies enforced. Admin users can do no such thing.

System Integrity Protection addresses the fact that people have been clicking through installer packages and providing passwords so easily that the users have become the weakest link. SIP just tries to keep the system afloat, nothing else (and sometimes fails in that, too).

You would not believe how many people I've seen that have only one user on the computer (which is also an admin account) and even without an account password, just to perceive a slight decrease in annoyance in the form of a login window activity.

I can't agree with your opinion that it is a pain to switch to an admin account when necessary. If you are in Terminal, you only need to su myadminacct before doing anything, including sudo or launching Finder as another user by executing /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder.

In the GUI, well, Mac App Store updates (including OS X updates) do not require admin authentication. Those installer packages that end up in the Downloads folder, including Adobe Flash updates: yes, you should be very careful before opening those, doing the extra work and making triple sure they come from the right place and are not full of nasties.

That's why I think using a Mac with a standard account is better and more secure than with an admin, because it protects me from my own mistakes and oversights. Even the majority of knowledgeable users don't inspect every downloaded script line-by-line to see if there is anything fishy going on.

I hope that the controls could get even stricter in the future, for example introducing conditions or schedules when an app (or script or any executable) can be run or have access to the network, or that an executable may not even be started if I didn't explicitly allow it (authentication dialog) within the last month or so.
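The three padlock outcomes described in this answer (unlock without authentication, "confirm it's you", or admin credentials required) are decided by the rule attached to each right in the authorization database. The script below is an added example, not code from the answer: on macOS it reads the live rule for a right with `security authorizationdb read <right>` (which prints an XML plist) and classifies it; elsewhere it uses constructed sample rules so it runs offline. The right names `system.preferences`, `authenticate-admin` and `authenticate-session-owner` exist in macOS, but the rule bodies in `SAMPLE_RULES` are constructed for illustration and may differ from a real system; `example.right.unlocked` is a constructed name. It also flags the `shared`/`timeout` keys, which let one authentication be reused by other rights for a while, the same follow-on problem the answer describes for sudo.

```python
"""Classify what a macOS authorization right does when a user hits it."""
import plistlib
import shutil
import subprocess
import sys


def _plist(body):
    # Wrap a dict body in the XML plist envelope the `security` tool prints.
    return ('<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0">'
            + body + "</plist>").encode()


# Constructed sample rules (the real ones on a given macOS version may differ).
SAMPLE_RULES = {
    # Many rights delegate to a named rule, as this constructed one does.
    "system.preferences": _plist(
        "<dict><key>class</key><string>rule</string>"
        "<key>rule</key><array><string>authenticate-admin</string></array></dict>"),
    # Padlock opens only for an admin group member; the credential is then shared
    # with other rights for `timeout` seconds.
    "authenticate-admin": _plist(
        "<dict><key>class</key><string>user</string>"
        "<key>group</key><string>admin</string>"
        "<key>shared</key><true/><key>timeout</key><integer>300</integer></dict>"),
    # "Please confirm it's you": the logged-in user re-enters their own password.
    "authenticate-session-owner": _plist(
        "<dict><key>class</key><string>user</string>"
        "<key>session-owner</key><true/><key>shared</key><false/></dict>"),
    # No authentication at all.
    "example.right.unlocked": _plist(
        "<dict><key>class</key><string>allow</string></dict>"),
}


def read_live_rule(right):
    """Read one right from the live authorization database (macOS only)."""
    out = subprocess.run(["security", "authorizationdb", "read", right],
                         capture_output=True, check=True)
    return out.stdout


def default_reader():
    """Live database on macOS, constructed samples everywhere else."""
    if sys.platform == "darwin" and shutil.which("security"):
        return read_live_rule
    return SAMPLE_RULES.__getitem__


def load_rule(right, reader=None):
    reader = reader or default_reader()
    return plistlib.loads(reader(right))


def classify(right, reader=None, _depth=0):
    """Return (outcome, shared, timeout) for a right, following `rule` delegation."""
    if _depth > 8:
        raise ValueError("rule delegation too deep: " + right)
    rule = load_rule(right, reader)
    cls = rule.get("class")
    shared = bool(rule.get("shared", False))
    timeout = rule.get("timeout")
    if cls == "allow":
        return "unlocks without authentication", shared, timeout
    if cls == "deny":
        return "always denied", shared, timeout
    if cls == "user":
        if rule.get("group") == "admin":
            return "admin group credentials required", shared, timeout
        if rule.get("session-owner"):
            return "session owner confirms with own password", shared, timeout
        return "any user authentication", shared, timeout
    if cls == "rule":
        subs = rule.get("rule", [])
        subs = [subs] if isinstance(subs, str) else list(subs)
        if len(subs) == 1:
            return classify(subs[0], reader, _depth + 1)
        # Multiple sub-rules use k-of-n semantics in the real database; for this
        # overview just list each sub-rule's outcome.
        outcomes = [classify(s, reader, _depth + 1)[0] for s in subs]
        return " / ".join(outcomes), shared, timeout
    raise ValueError(f"unknown rule class {cls!r} for {right}")


def report(rights, reader=None):
    """One human-readable line per right; shared credentials are flagged."""
    lines = []
    for right in rights:
        outcome, shared, timeout = classify(right, reader)
        note = f" [credential shared for {timeout}s]" if shared and timeout else ""
        lines.append(f"{right}: {outcome}{note}")
    return lines


if __name__ == "__main__":
    for line in report(list(SAMPLE_RULES), SAMPLE_RULES.__getitem__):
        print(line)
```

Run it on a Mac and replace the sample list with the rights you care about (for example `report(["system.preferences"])`) to see what the padlock will actually demand of a standard versus an admin user; the same `security authorizationdb` tool can also write rules, which is exactly why an admin account should not be the everyday one.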

OTHER TIPS

Security is best implemented as a Multi Layered, Multi Vectored Strategy.

The Principle of Least Privilege (POLP) is just another cog in the machine that keeps your computer secure.

Everything that you listed there is all good, but none of it will prevent someone from taking over your computer with an exploit such as the Dropped Drive Hack.

  • How does a firewall prevent a user from inserting a USB drive with a remote control exploit embedded on it?

  • How does SIP prevent a keylogger from capturing your keystrokes?

  • How does having SIP even matter when it can be easily disabled by the Admin?

  • How do you prevent unauthorized/illegally licensed software from being installed? A restricted user account will ensure that users who shouldn't be installing software aren't installing software.

Your last line of defence is using an account that is not an Admin account so that you can mitigate the threat by putting up another layer of security (user authentication) when a piece of malware tries to install itself.

I have been saying this for what seems eons now:

"Security" is not a product you buy or a switch you flip on; it's a practice, it's a mindset, to leverage all the tools you can to minimize your risk.

It is generally considered best practice to use an account that has no more privileges than are required. What this means generally is that you should use an account that has the lowest privilege level possible, and elevate your privileges when it is needed for a specific task that requires the higher privileges.

However, this gets annoying rather quickly. The reason for this is that what seems like a simple task to you or me ("I only wanted to turn on the WiFi") is seen as a privileged operation for the OS ("You want to enable a network device and allow the machine to be put onto some random network").

Striking a balance between convenience and security is much harder than it sounds, and my personal feeling is that OS X does a much better job of it than some other OSen out there such as Windows.

If you do run as an administrator all the time, you might accidentally click on an email that contains some link to a site containing crapware, and it automatically runs a script that does some reconfiguration without your knowledge. But if you are running as a non-privileged user, then as soon as that script is run the OS will pop up a dialog saying "this malicious script wants to do something to your computer. Please confirm by typing your password". This would usually cause alarm or surprise, if it is not something you would expect to see at that point.

Also - more importantly, you set up a computer for someone else. Someone not computer-literate in your family. It is an excellent idea to give them a non-privileged login, and keep the admin password for yourself, so next time they click on any old rubbish (as is their wont), they CAN NOT infest the computer with crapware. They sometimes complain when you do this, but you only have to remind them of that time they had 35 toolbars installed on IE 6, and every time they did a Google search they got pages of pornographic popups, before they will grudgingly agree that it might be a good idea. The downside is that they will be calling you more often to get you to unlock their computer when they want to update the Flash plugin.

As said before: security is an attitude, not a simple switch that you can flip.

Let me see how your reasons would work or not:

  1. Admin accounts are not root. While true, they may be able to call sudo and perhaps they may even have the password ready for input (or sudo was configured not to ask for password).

  2. SIP (System Integrity Protection): This is only one layer which is not enough for all attacks. Can be disabled? Even better!

  3. Spyware argument: Well, perhaps. Privileges are still not separate enough. But even so, it's still a limitation.

  4. Basic lines of defense are system wide: #1 says apps running on admin accounts can gain root.

  5. Switching? It's widely known that you can do admin related tasks from standard accounts as long as you enter the admin account password. No need to actually do a real switch of accounts.

If you have other family members who are not computer savvy, or you want to restrict their access (e.g. children), or you are an employer who wants to restrict access to employees who may use the machine, then absolutely yes; there are still reasons to have non-admin accounts in OS X for daily use.

If you own a computer and want to control it, use an administrative account.

If you don't want other users to be able to "administer" anything, then non-admin accounts are very helpful. Also you never know when you may need to lend the machine off the cuff given a moment when someone asks "hey could I just borrow your mac to do something really quickly?", it gives peace of mind to be able to log out and log them into what some may regard as a 'semi-guest' account you have created and tailored permissions for.

There are probably other reasons, but here's mine: it is not possible to place restrictions on the admin account. It is useful to have restrictions in place to prevent oneself from visiting undesirable or dangerous sites.

NOTE: This answer was "in progress" when this question was closed. I am posting it here instead.

Answer:

Your question may be asking for opinions, and it's also similar to this question. I've heard both sides of the argument, and both sides arguments are at least partially subjective. I've not heard a definitive, one-size-fits-all argument for or against it. My conclusion (and my answer) therefore is that it boils down to a matter of personal preference, and individual use case.

On one hand, some of our Macs are single-user machines, and separation of privileges may seem pointless. On the other hand, and speaking only for myself, I rather like the idea of the system "challenging" my decisions because it gives me a chance to think again.

Another aspect of this separation of privileges business arises in which part of macOS you are using: the "Unix part", or the "GUI part"? Things get blurrier here because there are tools and utilities in macOS that "overlap" - that is there are many settings that can be made through the CLI (command line interface, aka Terminal app) that can also be made through the GUI interface.

In the case of the "Unix part" of macOS, default permissions/privileges may be changed in the sudoers file to elevate privileges for a non-Admin user. In the case of the "GUI part" of macOS, permissions and privileges are controlled (in part) through the authorization database (all you want to know is in this Apple resource).

It's all a bit of a muddle methinks. IMHO, if your system is a single-user system, then you are also the Administrator - regardless of whether you choose to use one login, or two. Therefore, this question boils down to: "personal preference". If it's a multi-user system, that's a horse of a different color, but I would opine in most cases a second Admin account should be created. But once again, that depends upon your situation and your judgments.

Based on all of the above, I have opted to create an unprivileged (regular user) account for "normal" usage, and reserve my Admin account as a backstop for potentially careless decisions. I use the CLI quite a lot, so I've added my regular user account to the sudoers file to grant Admin/root privileges as an exception. This works for me.

P.S. Use a strong password for your Admin account.
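Two of the answers above touch the sudoers file: the accepted answer warns that sudo keeps a grace window after one successful authentication, during which a script can run further commands without a prompt, and this last answer adds the regular user account to sudoers as an exception. The script below is an added example, not code from either answer: a small parser for the subset of the sudoers grammar used by `Defaults` lines and user grants, an audit that reports the cached-credential window and any broad or passwordless grants, and a `harden` function that forces `timestamp_timeout=0` so every sudo prompts. The users `alice` and `bob` and the file content in `SAMPLE_SUDOERS` are constructed (the `%admin ALL=(ALL) ALL` line is the one macOS ships). On a real system point it at `/etc/sudoers` and `/etc/sudoers.d/*`, and make any change only through `visudo`.

```python
"""Audit a sudoers file: who can sudo, and how long an authentication is cached."""
import re

SAMPLE_SUDOERS = """\
# constructed sample sudoers
Defaults    env_reset
Defaults    timestamp_timeout=15
root        ALL = (ALL) ALL
%admin      ALL = (ALL) ALL
alice       ALL = (ALL) ALL
bob         ALL = (root) NOPASSWD: /usr/bin/softwareupdate
"""

# user/group  hosts = (runas) [TAG:] commands
_USER_SPEC = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")


def _logical_lines(text):
    """Yield logical lines: comments stripped, backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if buf:
            line = buf + " " + line.strip()
            buf = ""
        if line.endswith("\\"):
            buf = line[:-1]
            continue
        stripped = line.strip()
        # '#include'/'#includedir' are directives, every other '#' line is a comment
        if not stripped or (stripped.startswith("#") and not stripped.startswith("#include")):
            continue
        yield stripped
    if buf:
        yield buf.strip()


def parse_sudoers(text):
    """Return {'defaults': {name: value}, 'grants': [...], 'includes': [...]}.

    Aliases (User_Alias etc.) and Defaults values containing commas are outside
    the subset handled here; such lines are skipped rather than misparsed."""
    defaults, grants, includes = {}, [], []
    for line in _logical_lines(text):
        if line.startswith(("#include", "@include")):
            includes.append(line.split(None, 1)[1])
            continue
        if line.startswith("Defaults"):
            parts = line.split(None, 1)  # qualifiers like Defaults:alice are ignored
            body = parts[1] if len(parts) > 1 else ""
            for opt in body.split(","):
                opt = opt.strip()
                if opt:
                    name, has_value, value = opt.partition("=")
                    defaults[name.strip()] = value.strip() if has_value else True
            continue
        m = _USER_SPEC.match(line)
        if not m:
            continue
        cmds, tags = m.group("cmds").strip(), []
        while (t := re.match(r"^([A-Z]+):\s*", cmds)):  # NOPASSWD:, SETENV:, ...
            tags.append(t.group(1))
            cmds = cmds[t.end():]
        grants.append({"who": m.group("who"), "hosts": m.group("hosts"),
                       "runas": (m.group("runas") or "root").strip(),
                       "commands": cmds, "nopasswd": "NOPASSWD" in tags})
    return {"defaults": defaults, "grants": grants, "includes": includes}


def sudo_grace_window(parsed):
    """Minutes a cached sudo authentication stays valid (sudo's documented default is 5).
    A negative timestamp_timeout means it never expires."""
    raw = str(parsed["defaults"].get("timestamp_timeout", "5"))
    minutes = float(raw)
    return float("inf") if minutes < 0 else minutes


def audit(parsed):
    """Return a list of findings a defender would want to see."""
    findings = []
    window = sudo_grace_window(parsed)
    if window == float("inf"):
        findings.append("timestamp_timeout is negative: a cached sudo credential never expires")
    elif window > 0:
        findings.append(f"timestamp_timeout={window:g}: commands run without a password for "
                        f"{window:g} minutes after any sudo; set 0 to prompt every time")
    for g in parsed["grants"]:
        if g["nopasswd"]:
            findings.append(f"{g['who']} runs {g['commands']} as {g['runas']} with NOPASSWD")
        if g["commands"] == "ALL" and not g["who"].startswith(("root", "%")):
            findings.append(f"{g['who']}: individual user with unrestricted ALL; "
                            "prefer a narrow command list")
    return findings


def harden(text):
    """Return `text` with timestamp_timeout forced to 0 (append it if absent)."""
    pattern = re.compile(r"^(\s*Defaults\s+.*?)timestamp_timeout\s*=\s*-?[\d.]+", re.M)
    if pattern.search(text):
        return pattern.sub(r"\g<1>timestamp_timeout=0", text)
    return text.rstrip("\n") + "\nDefaults    timestamp_timeout=0\n"


if __name__ == "__main__":
    for finding in audit(parse_sudoers(SAMPLE_SUDOERS)):
        print("-", finding)
```

With `timestamp_timeout=0` the trade-off the accepted answer describes disappears: a script that gets you to authenticate once cannot ride that approval into a second, unrelated command, at the cost of typing the password for every sudo.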

Licensed under: CC-BY-SA with attribution
Not affiliated with apple.stackexchange