Securing Local Accounts


There are four basic categories of accounts available on a Mac OS X computer:

  • Normal users: In the Mac OS X security model, normal (nonadministrator) users are more or less restricted to their own worlds within their accounts. They have full Finder access to the contents of their own home directories, and are permitted only read-only access to other users' Public folders and write-only access to others' Drop Boxes. They are also permitted read/write access only to items they own that are placed in the /Users/Shared directory and the /tmp directory. In general, normal users are fully subject to the limitations that the operating system and administrators choose to place on them.

  • Administrator users: Administrator users have the power to control and configure the operating system. Administrator users are still subject to things like file permissions, but they have a variety of override mechanisms that allow them to get around these limitations. Directly or indirectly, administrators have complete control over the computer; as a result, administrative access should be given only to highly trusted users.

  • Root (also known as System Administrator, System, or the superuser): Quite simply, the root user (there is only one) is not constrained by many of the normal limitations of the Mac OS X security model. For example, root ignores normal file permissions. Because of this, root is extremely dangerous to the computer's integrity. An administrator user can go beyond the normal system constraints, but must go through overrides that help make it clear that something unusual and potentially dangerous is being done. With the root account there are very few warnings (especially on the command line), and deleting something critical takes no more than one typo.

    Because it is so dangerous, the root account is disabled by default on Mac OS X. It exists but does not have a password, and thus cannot be logged into directly.

  • System accounts: These are identities used to keep track of and control various parts of the operating system (like www, used as the identity of the Apache Web server, and sshd, used for the remote login server). They are not full accounts in the sense that they do not have home folders or login passwords. They are used by programs, not by human users.

    These system accounts are automatically configured as needed for the software included with Mac OS X. For most purposes, you can safely ignore them.

Many traditional UNIX administrators are used to logging into the root account to perform administrative duties; in Mac OS X this is strongly discouraged. The vast majority of administrative tasks can be performed from a standard administrator user account (or even a nonadministrator account) by using the padlock icon and its analogs to authenticate as an administrator for just the specific actions that require administrator access. If you have enabled the root account and decide later that you want to disable it, open NetInfo Manager and choose Security > Disable root.

Never log in as an administrator user for routine tasks such as checking mail and creating documents. Not only might you forget to log out when you leave your desk or otherwise allow an intruder easy access to your computer, but viruses run as an administrative user are potentially much more destructive than those run as a normal user. If administrators have two accounts (one with administrator rights and one without), they can perform all necessary administrative functions but not accidentally invoke or give away that access when they're logged into their nonadministrator account.

For example, an administrator without special authentication can write to some parts of the file structure (like the Applications directory). If an administrator is tricked into running a malicious program (or one is launched through a security hole in a Web browser), that program will run as the administrative user and can modify or delete those administrator-accessible files. If the user were logged into a normal account instead, the damage would be limited to that one account.
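To see which local accounts fall into each of the four categories above, and which ones should stay out of daily use, the following added example (not from the book) sorts accounts by UID and admin group membership. It assumes the output formats of `dscl . -list /Users UniqueID` and `dscl . -read /Groups/admin GroupMembership`, the Mac OS X convention that system accounts have UIDs below 500, and constructed sample data; the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample in the format printed by: dscl . -list /Users UniqueID
SAMPLE_USERS='nobody -2
root 0
www 70
sshd 75
alice 501
bob 502
alice_admin 503'
# Constructed sample in the format printed by:
#   dscl . -read /Groups/admin GroupMembership
SAMPLE_ADMIN='GroupMembership: root alice_admin'

# classify_accounts USERS ADMIN_LINE
# Prints "name category" per account, using the page's four categories.
# Assumption: UID 0 is root, other UIDs below 500 are system accounts.
# Limitation: only direct membership of the admin group is considered.
classify_accounts() {
    # Pad with spaces so "alice" cannot match inside "alice_admin".
    admins=" $(printf '%s\n' "$2" | sed 's/^GroupMembership://') "
    printf '%s\n' "$1" | while read -r name uid; do
        [ -n "$name" ] || continue
        if [ "$uid" -eq 0 ]; then
            echo "$name root"
        elif [ "$uid" -lt 500 ]; then
            echo "$name system"
        else
            case "$admins" in
                *" $name "*) echo "$name administrator" ;;
                *)           echo "$name normal" ;;
            esac
        fi
    done
}

# privileged_accounts USERS ADMIN_LINE
# Lists the accounts that should not be used for routine work.
privileged_accounts() {
    classify_accounts "$1" "$2" |
        awk '$2 == "root" || $2 == "administrator" { print $1 }'
}

# On a Mac, feed in live data instead of the samples:
#   classify_accounts "$(dscl . -list /Users UniqueID)" \
#       "$(dscl . -read /Groups/admin GroupMembership)"
classify_accounts "$SAMPLE_USERS" "$SAMPLE_ADMIN"
```

In the sample, alice keeps a normal account for daily work and a separate alice_admin account for administration, which is the two-account arrangement recommended above.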




Apple Training Series. Mac OS X System Administration Reference, Volume 1
ISBN: 032136984X
EAN: 2147483647
Year: 2005
Pages: 258
Authors: Schoun Regan
