This piece of advice is old but is coming back into fashion. I have seen it a lot recently, on a number of Mac websites or forums. "Your ‘everyday’ user account should not be an admin account. It should be a standard account created for this purpose, and you should log in to the admin account only to perform actual admin tasks."
This seems to be common advice in the Windows world, but for an up-to-date OS X system, I just cannot understand what kind of benefits it brings. Let’s dig into it:
- OS X admin accounts are not root accounts. Any app wanting to go root will ask for your password anyway, so I see no additional security layer here. Try to put /var into the Trash.
- Deep OS modification or code injection into most critical files has been prevented by SIP since El Capitan, whether you are admin, root or nobody. What’s more, in sensitive places where they are still allowed, such modifications would require a root password at the very least, even from an admin account, bringing us back to the first argument.
- For spyware, privacy concerns and this kind of stuff, using standard accounts provides little additional protection, if any. As far as I know, even when used from a standard account, apps have full access to the user’s personal files and have full network access (minus any firewall, etc.). If a bad app wants to send home your docs, it can perfectly do so from a standard account.
- Basic lines of defense (firewall, running trusted apps, and so on) are system wide.
- On the other hand, it is a pain to switch to your admin account, then switch back to your standard account, back and forth. This may actually end up with the user delaying updates or admin maintenance, just to save time and postpone dealing with the hassle.
So, why not use an admin account? I hope this won’t be marked as a duplicate; other questions related to this issue didn't address these arguments.
Edit: the question applies to a computer that you own and control.
Best Answer
There is only one root account on every OS X computer and it is disabled by default. It doesn't have a password and you can't login as root unless you specifically use Directory Utility and enable it. It's dangerous, because when logged in as root the system bypasses all authorization - it doesn't even ask for a password. In that aspect, an OS X computer is indeed rootless, which is A Good Thing™.
Admin accounts are simply standard accounts that also happen to be in the admin group. Any action in OS X performed by a logged-in user is checked against the authorization database (you can see its rules in /System/Library/Security/authorization.plist) to see whether no authentication is required, whether it is enough to be authenticated as the session owner (the standard user that is logged in), or whether you must be a member of the admin group. It gives very fine-grained control. So three possibilities might occur, for example in System Preferences when clicking the locked padlock. Upon clicking, it may simply unlock without authentication, it may offer an authentication dialog with the account name already filled in (which means "please confirm it's you"), or it may offer an authentication dialog with the account name and password fields blank (which means you are not an admin; please call an admin to type in his credentials).
A rule of thumb is that anything that can affect other users on the computer (a system-wide change) will require administrative authentication. But it's more complex than that. Standard users, for example, can install apps from the Mac App Store in the /Applications folder (which is a system-wide change) but cannot bypass Gatekeeper to run unsigned applications, even if only within their own data. Standard users cannot invoke sudo, which has the bad side effect of not requiring authentication in a 10-15 minute window after that. A cleverly designed script will ask you for an admin authentication for something you approve of, but after that it will do all sorts of wacky stuff you know nothing about.
Standard users can also be managed via parental controls or configuration profiles and can have password policies enforced. Admin users can do no such thing.
System Integrity Protection addresses the fact that people have been clicking through installer packages and providing passwords so easily that the users have become the weakest link. SIP just tries to keep the system afloat, nothing else (and sometimes fails in that, too).
You would not believe how many people I've seen that have only one user on the computer (which is also the admin account), and even without an account password, just to perceive a slight decrease in annoyance in the form of less login window activity.
I can't agree with your opinion that it is a pain to switch to an admin account when necessary. If you are in Terminal, you only need to su myadminacct before doing anything, including sudo or launching Finder as another user by executing /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder.
In the GUI, well, Mac App Store updates (including OS X updates) do not require admin authentication. Those installer packages that end up in the Downloads folder, including Adobe Flash updates: yes, you should be very careful before opening those, doing the extra work and making triple sure they come from the right place and are not full of nasties.
That's why I think using a Mac with a standard account is better and more secure than with an admin, because it protects me from my own mistakes and oversights. Even the majority of knowledgeable users don't inspect every downloaded script line-by-line to see if there is anything fishy going on.
I hope that the controls could get even stricter in the future, for example by introducing conditions or schedules for when an app (or script or any executable) can be run or have access to the network, or so that an executable may not even be started if I hadn't explicitly allowed it (via an authentication dialog) within the last month or so.
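The answer above explains that an admin account is just a standard account in the admin group, and that each privileged action is decided by the authorization database, which yields one of three padlock behaviours. The following Python script is an added example, not part of the answer or of Apple's code: it parses a constructed plist laid out like /System/Library/Security/authorization.plist, follows the class "rule" indirection that rights use to reference named rules, and reports which dialog a user with a given set of groups would see. The rule names authenticate-session-owner and is-admin are real OS X rule names, but the com.example.* right names, the exact rule bodies and the "every referenced rule must be satisfied" combination are assumptions made for this demonstration.

```python
import plistlib

# Constructed sample in the shape of /System/Library/Security/authorization.plist.
# The rule names (authenticate-session-owner, is-admin) are real OS X rule names;
# the com.example.* right names and the exact rule bodies are assumptions for this demo.
SAMPLE_AUTHORIZATION_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>rights</key>
  <dict>
    <key>com.example.prefs.unlock-free</key>
    <dict><key>class</key><string>allow</string></dict>
    <key>com.example.prefs.confirm-owner</key>
    <dict>
      <key>class</key><string>rule</string>
      <key>rule</key><array><string>authenticate-session-owner</string></array>
    </dict>
    <key>com.example.prefs.system-wide</key>
    <dict>
      <key>class</key><string>rule</string>
      <key>rule</key><array><string>is-admin</string></array>
    </dict>
    <key>com.example.prefs.locked-down</key>
    <dict><key>class</key><string>deny</string></dict>
  </dict>
  <key>rules</key>
  <dict>
    <key>authenticate-session-owner</key>
    <dict><key>class</key><string>user</string><key>session-owner</key><true/></dict>
    <key>is-admin</key>
    <dict>
      <key>class</key><string>user</string>
      <key>group</key><string>admin</string>
      <key>shared</key><true/>
      <key>timeout</key><integer>0</integer>
    </dict>
  </dict>
</dict>
</plist>
"""

# The outcomes, ordered from least to most restrictive. The first three are the
# padlock behaviours described in the answer.
NO_AUTH = "unlocks without authentication"
AUTH_SELF = "dialog with your own account name filled in (confirm it's you)"
AUTH_ADMIN = "dialog with blank fields (an admin must type their credentials)"
DENY = "always denied"
STRICTNESS = [NO_AUTH, AUTH_SELF, AUTH_ADMIN, DENY]


def load_db(data=SAMPLE_AUTHORIZATION_PLIST):
    """Parse a plist in the authorization-database layout into a dict."""
    db = plistlib.loads(data)
    for section in ("rights", "rules"):
        if section not in db:
            raise ValueError(f"missing '{section}' section")
    return db


def _evaluate(db, entry, user_groups, is_session_owner, depth):
    cls = entry.get("class")
    if cls == "allow":
        return NO_AUTH
    if cls == "deny":
        return DENY
    if cls == "rule":
        # A right may delegate to named rules; follow the indirection with a depth
        # limit so a cyclic database cannot recurse forever.
        if depth > 8:
            raise ValueError("rule indirection too deep (cycle?)")
        names = entry.get("rule", [])
        if isinstance(names, str):
            names = [names]
        if not names:
            raise ValueError("class 'rule' entry references no rules")
        results = [_evaluate(db, db["rules"][n], user_groups, is_session_owner, depth + 1)
                   for n in names]
        # Assumption for this demo: every referenced rule must be satisfied,
        # so the effective requirement is the strictest one.
        return max(results, key=STRICTNESS.index)
    if cls == "user":
        # The logged-in session owner may satisfy a session-owner rule as themselves.
        if entry.get("session-owner") and is_session_owner:
            return AUTH_SELF
        group = entry.get("group")
        if group is None:
            return AUTH_SELF
        # Group-restricted rule: you authenticate as yourself only if you are a
        # member; otherwise an admin has to type their credentials.
        return AUTH_SELF if group in user_groups else AUTH_ADMIN
    raise ValueError(f"unsupported rule class {cls!r}")


def evaluate_right(db, right_name, user_groups, is_session_owner=True):
    """Return which padlock behaviour a user with these groups sees for a right."""
    if right_name not in db["rights"]:
        raise KeyError(f"unknown right {right_name!r}")
    return _evaluate(db, db["rights"][right_name], set(user_groups), is_session_owner, 0)


if __name__ == "__main__":
    db = load_db()
    for groups in (["staff"], ["staff", "admin"]):
        print(f"user in groups {groups}:")
        for right in db["rights"]:
            print(f"  {right:36s} -> {evaluate_right(db, right, groups)}")
```

Running it prints, for a plain "staff" user and for an admin, which of the three dialogs each sample right produces: the admin sees a prefilled dialog where the standard user sees blank fields. On a real Mac, `security authorizationdb read <right>` dumps the live rule for a right (for example `system.preferences`), and you can compare it against what this simplified evaluator would decide.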