Last Week on My Mac: No normal user

Conventional Unix wisdom has been that the great majority of users operate in normal user mode, not as administrators. When Mac OS X first came into use, we used to teach the same: let the system make you that first obligatory admin account, then create a normal user account and work from that.

I always suspected that there was an element of ‘do as I say, not as I do’ in that, as I didn’t know anyone who actually followed that recommendation. Almost every non-corporate Mac user has been content ever since to run their Macs daily from that first admin account. With that, there has been a battle of escalating privileges and rights: from a conventional hierarchy of root/admin/normal, we have now got to super-root/root/admin/normal, with the addition of guests and special managed accounts for children and the like.

This leaves most non-corporate Macs run by admin users, giving the great majority privileges which they shy away from actually using.

Apple has not helped this, and its recent move to prevent normal user accounts from accessing Sierra’s log is a step which makes that normal account even less attractive an option. Anyone running Time Machine for backups wants to be able to know that those backups are being performed correctly and without error. For many, the only reliable way of doing this is to check the log for the last few backups. If a normal user cannot do that, then their best option is to log in as an admin user.

I’m sure that there are other limitations to normal user mode which make it a highly unattractive proposition unless your Mac is part of a well-managed network. One bizarre phenomenon which drove me scatty the last time that I configured a second user account on this iMac, was the number of apps which couldn’t tell that they were running from the same /Applications folder on the same Mac, and wanted to be authorised for use.

In practice, the most pernickety will only validate a single user licence for one user account. You are then forced to decide whether to license them for your admin or normal account, which again makes any second account a major disadvantage.

Does any of this matter, though? Why shouldn’t we all be admin users?

To answer that, you have to consider not just the privileges and rights granted to each user mode, but how they can be escalated. Although malware can be a problem to someone logged in as a normal user, the fact that the user cannot run as root, using sudo, is a significant benefit to their security. If malware tricks you into authenticating with a normal user password, the damage which that can achieve is considerably limited when compared with that achievable from an admin account. If Macs were overwhelmingly used in normal user mode, malware authors should find them a significantly tougher proposition.

I suspect that the great majority of non-corporate Mac users would be quite content with a user mode intermediate between admin and normal, which allowed them to carry out their daily tasks without repeatedly prompting to authenticate, but did not lock them down to the point where they had to log into an admin account to see whether the last few Time Machine backups completed without error.

There is ample scope for Apple to allow that user mode to be customised from the admin account, in much the same way that Parental Controls are configured. For example, I cannot recall the last time that I used either the built-in camera or microphone in this iMac, and would be quite happy to disable both for day-to-day use of my normal account.

Instead we are offered two quite inflexible user modes: the all of admin accounts, or the near-nothing of the standard account. You can’t blame users for making the obvious choice.