Is having a separate admin and normal account actually helpful? #167
[based on a conversation we had in person some months ago, and then promptly forgot about]
Having separate admin and normal accounts is good advice on Windows, but Microsoft has invested a great deal of effort in this part of Windows and the Windows ecosystem has followed suit.
I've seen little evidence that making normal accounts work as a security boundary has the same priority for Apple or for Mac software vendors, and enough breakage that I suspect that they're mostly designed and tested to make it harder for kids to mess up a family computer:
Does anyone have thoughts? / data on the effectiveness of this advice on the Mac? / ideas on how to catch privilege escalations when the system doesn't?
I am not sure I understand what you are saying. The fact of the matter is that running with an admin account exposes you to flaws in programs that you execute with elevated privileges, like sudo and Apple’s security framework (this is what allows you to change system settings in System Preferences without ever having to enter a password). There was a bug in this framework in Yosemite’s time that allowed an attacker to gain elevated privileges due to the mere fact that the user was already authorised as an admin. Until Sierra, sudo was also configured insecurely (it arguably still is) as it allowed any program to obtain root privileges during the timeout window. There are many little flaws like these that make this a worthwhile consideration, as it reduces potential attack vectors.
I am also not sure why you had so many bad experiences, because I have had none of those. OS X is still a multi-user system at its heart and correctly installed software works for each user in the same way. Application bundles in /Applications and binary images in /bin, /sbin and so forth are accessible to all users. I have been running with two accounts for a while and never had to log in using the GUI login window at all. Everything is done with prompts and the command line and the interaction with the admin account is kept at a minimum this way.
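The reply above argues that the risk of running as an admin comes from the sudo credential cache and from admin-only prompts that no longer need a password. The following POSIX shell script is an added example, not code from the thread or from any project: it audits the two conditions on a Mac. The group-membership and sudoers parsing are pure text functions fed with constructed sample input, so they can be exercised anywhere; the live checks (`dscl`, `/etc/sudoers`) only run on Darwin and assume the standard `dscl . -read /Groups/admin GroupMembership` output format and sudo's stock default `timestamp_timeout` of 5 minutes.

```shell
#!/bin/sh
# Added example (not from the issue thread): audit whether the current user is an
# admin and whether sudo caches credentials, the two risks discussed above.

# user_in_group USER LINE
# LINE is the output of `dscl . -read /Groups/admin GroupMembership`,
# e.g. "GroupMembership: root alice". Returns 0 if USER is listed.
user_in_group() {
    user="$1"
    members="${2#GroupMembership:}"
    for m in $members; do
        [ "$m" = "$user" ] && return 0
    done
    return 1
}

# sudo_timeout SUDOERS_TEXT
# Prints the effective timestamp_timeout (minutes). Only uncommented "Defaults"
# lines count; the last one wins, as in sudoers. Unset means sudo's default of 5.
sudo_timeout() {
    v=$(printf '%s\n' "$1" \
        | grep -E '^[[:space:]]*Defaults' \
        | sed -n 's/.*timestamp_timeout[[:space:]]*=[[:space:]]*\(-\{0,1\}[0-9.]*\).*/\1/p' \
        | tail -n 1)
    if [ -z "$v" ]; then echo 5; else echo "$v"; fi
}

# sudo_verdict SUDOERS_TEXT
# Explains what the timeout means: 0 asks every time, a negative value never
# expires the cache, anything else leaves a window in which any process running
# as this user can call sudo without a password.
sudo_verdict() {
    t=$(sudo_timeout "$1")
    case "$t" in
        0)  echo "ok: sudo asks for a password on every use" ;;
        -*) echo "weak: cached sudo credentials never expire" ;;
        *)  echo "weak: any process run as this user can use sudo for $t minutes after you authenticate (set 'Defaults timestamp_timeout=0')" ;;
    esac
}

# Constructed sample sudoers fragment (not a real file): the commented-out
# hardening line must be ignored and the later active line must win.
SAMPLE_SUDOERS='# constructed sample, not a real sudoers file
Defaults env_reset
#Defaults timestamp_timeout=0
Defaults timestamp_timeout=15
%admin ALL=(ALL) ALL'

# Live audit; only meaningful on macOS. /etc/sudoers is root-readable, so run
# the script via sudo once to see the real timeout.
audit_live() {
    me=$(id -un)
    if user_in_group "$me" "$(dscl . -read /Groups/admin GroupMembership 2>/dev/null)"; then
        echo "$me is an admin: privileged prompts will accept this account's password"
    else
        echo "$me is a standard user"
    fi
    if [ -r /etc/sudoers ]; then
        sudo_verdict "$(cat /etc/sudoers; cat /etc/sudoers.d/* 2>/dev/null)"
    else
        echo "cannot read /etc/sudoers (re-run with sudo to audit the timeout)"
    fi
}

if [ "$(uname -s)" = Darwin ]; then
    audit_live
else
    echo "not macOS; showing the verdict for the constructed sample instead:"
    sudo_verdict "$SAMPLE_SUDOERS"
fi
```

The verdict text deliberately ties the number back to the reply's point: a non-zero timeout is exactly the window in which any program running under the admin account can reuse the cached authorisation.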
Separate admin and user accounts are preferable. You can also set up brew under the admin account, so it cannot be directly run without being logged in as the other admin. Then you can also lock down the standard user account even further. Or, you could even set up a completely separate user for brew alone and only allow brew tasks. Privilege segmentation is preferable, but it may impact usability for noobs.
Never had any of the issues you encountered while updating my apps from the internet, always had to authenticate as privileged user during the update process.
+1 to the prior comments on utilizing separate admin accounts. Never used an admin account for anything other than updating and/or making system changes, ever.
I don't consider macOS to be flawless with its security posture so I'm not surprised there were (and potentially still are) privilege escalation vulnerabilities...
It's all about minimizing risks, really.
Edit: And I'm highly dubious towards BlockBlock, or anything from Objective-See for that matter.
It's not fair to always bash objective-see apps.
Patrick Wardle is now involved in several projects to enhance privacy.
If you are really paranoiac, check the oldest vpn...
I'm very far from most experts here, but I think all this should be divided into different goals: stay hidden for a few days for journalists/activists, stay away from all advertiser/insurance blood suckers, stay away from malware.