Conventional Unix wisdom has been that the great majority of users operate in normal user mode, not as administrators. When Mac OS X first came into use, we used to teach the same: let the system make you that first obligatory admin account, then create a normal user account and work from that.
I always suspected that there was an element of ‘do as I say, not as I do’ in that, as I didn’t know anyone who actually followed that recommendation. Almost every non-corporate Mac user has been content ever since to run their Macs daily from that first admin account. With that, there has been a battle of escalating privileges and rights: from a conventional hierarchy of root/admin/normal, we have now got to super-root/root/admin/normal, with the addition of guests and special managed accounts for children and the like.
This leaves most non-corporate Macs run by admin users, giving the great majority privileges which they shy away from actually using.
Apple has not helped this, and its recent move to prevent normal user accounts from accessing Sierra’s log is a step which makes that normal account even less attractive an option. Anyone running Time Machine for backups wants to be able to know that those backups are being performed correctly and without error. For many, the only reliable way of doing this is to check the log for the last few backups. If a normal user cannot do that, then their best option is to log in as an admin user.
I’m sure that there are other limitations to normal user mode which make it a highly unattractive proposition unless your Mac is part of a well-managed network. One bizarre phenomenon which drove me scatty the last time that I configured a second user account on this iMac was the number of apps which couldn’t tell that they were running from the same /Applications folder on the same Mac, and wanted to be authorised for use.
In practice, the most pernickety will only validate a single user licence for one user account. You are then forced to decide whether to license them for your admin or normal account, which again makes any second account a major disadvantage.
Does any of this matter, though? Why shouldn’t we all be admin users?
To answer that, you have to consider not just the privileges and rights granted to each user mode, but how they can be escalated. Although malware can be a problem to someone logged in as a normal user, the fact that the user cannot run as root, using sudo, is a significant benefit to their security. If malware tricks you into authenticating with a normal user password, the damage which that can achieve is considerably limited when compared with that achievable from an admin account. If Macs were overwhelmingly used in normal user mode, malware authors should find them a significantly tougher proposition.
I suspect that the great majority of non-corporate Mac users would be quite content with a user mode intermediate between admin and normal, which allowed them to carry out their daily tasks without repeatedly prompting to authenticate, but did not lock them down to the point where they had to log into an admin account to see whether the last few Time Machine backups completed without error.
There is ample scope for Apple to allow that user mode to be customised from the admin account, in much the same way that Parental Controls are configured. For example, I cannot recall the last time that I used either the built-in camera or microphone in this iMac, and would be quite happy to disable both for day-to-day use of my normal account.
Instead we are offered two quite inflexible user modes: the all of admin accounts, or the near-nothing of the standard account. You can’t blame users for making the obvious choice.