PC and Mac user accounts -- Admin privileged, or not?
Seeker of Clarity
r0gue
posted
I wonder, how many home users (i.e.: you and I) take the extra care to have an everyday user account that they themselves use, that is less privileged than Admin-level, for normal surfing and day to day tasks? What this means is that if you need to install software or perform other functions, you'd have to log-out, and log back in as a more privileged, or admin-level user to perform those tasks.

If you don't know the answer, you're likely at the Admin-level. Unless someone else set up your computer, and takes care of it for you.

Question:
Do you use an Admin level for everything, or do you deal with the inconvenience of multiple accounts? If you have both PC and Mac, vote your main go-to.

Choices:
PC: I use Admin privilege for all.
PC: I use a lesser level for normal surfing, and an Admin as necessary.
Mac: I use Admin privilege for all.
Mac: I use a lesser level for normal surfing, and an Admin as necessary.

 




 
Posts: 11379 | Registered: August 02, 2004
Baroque Bloke
Pipe Smoker
posted
I’ll mention that I edited my Mac’s /etc/sudoers file so that I can “sudo” in my user account. Very handy. By default “sudo” is usable only in an admin account.



Serious about crackers
 
Posts: 8944 | Location: San Diego | Registered: July 26, 2014
Seeker of Clarity
r0gue
posted
quote:
Originally posted by Pipe Smoker:
I’ll mention that I edited my Mac’s /etc/sudoers file so that I can “sudo” in my user account. Very handy. By default “sudo” is usable only in an admin account.


That's pretty much beyond my knowledge. I've had to go there once for something, with the help of Google and forums. But I'm not a command line guy anymore. And never learned Mac (Unix) to that level. It sounds like you use a non-privileged account and step up through CLI to Admin?




 
Posts: 11379 | Registered: August 02, 2004
W07VH5
mark123
posted
I normally run admin at all my computers except for the servers. However, I’ve recently begun rethinking this and any new installs get non-admin privileges.
 
Posts: 45373 | Location: Pennsyltucky | Registered: December 05, 2001
quarter MOA visionary
smschulz
posted
Just you and a single computer or multiple computers on a LAN with multiple users?
It boils down to who you trust in the network.
 
Posts: 22904 | Location: Houston, TX | Registered: June 11, 2006
W07VH5
mark123
posted
quote:
Originally posted by smschulz:
Just you and a single computer or multiple computers on a LAN with multiple users?
It boils down to who you trust in the network.

Good point. I run a VLAN for me, my wife and the app server, another for the NAS that is only accessible from our two computers, another for guests and finally one for IoT and my son’s devices. IoT includes cameras, TVs, garage openers, vehicles and phones that connect with TVs.
 
Posts: 45373 | Location: Pennsyltucky | Registered: December 05, 2001
Three Generations of Service
PHPaul
posted
Seeing as I'm the only one that uses this computer AND it's the only computer in the house connected to the innerwebz, I use the Admin account.

That way if I need to change something or download a new program, I don't have to change users.




Be careful when following the masses. Sometimes the M is silent.
 
Posts: 15224 | Location: Downeast Maine | Registered: March 10, 2010
Seeker of Clarity
r0gue
posted
To be clear -- My thinking is, if I run across some website that injects an attack on me in my current account, that any possible compromise would be thwarted (or far less likely) by my active account not having escalated privileges.




 
Posts: 11379 | Registered: August 02, 2004
quarter MOA visionary
smschulz
posted
quote:
Originally posted by mark123:
I normally run admin at all my computers except for the servers. However, I’ve recently begun rethinking this and any new installs get non-admin privileges.


All installs will have an admin account or it cannot be installed (MS).

I don't see an inherent advantage to using a daily computer logged in as a less than admin account unless you walk away unlocked and someone in your clan gets on to cause mischief.

For your kids or guests then that is another consideration.
Normally most are concerned with the content on their local computer and getting out to the Internet.

If multiple users are using the same computer then set up a different user which will have its own profile and content.
In those cases if those users are also admins they would have access to other profile info.

Note: talking home computers ~ business LANs are another story.
 
Posts: 22904 | Location: Houston, TX | Registered: June 11, 2006
Optimistic Cynic
architect
posted
Unix has long given a normal user the ability to "raise privilege" so as to accomplish otherwise disallowed administrative tasks. The user account "root" (userid "0") is traditionally the only "administrator account" that has superuser privileges. So one would use the "su" utility to shift user to root by entering the root password. You can also su to any other user if you need to operate as that user. Many other operating systems employ this paradigm as well.

The su utility was eventually supplemented by a utility called sudo which, instead of becoming superuser, privileges are granted to a single command following sudo on the command line, e.g. '% sudo lsof' will list files opened by all users rather than just the ones opened by the issuer. The user issuing the sudo command is prompted for their own password (rather than the root password) before the second command is executed. This allows more control over who can perform administrative tasks, and theoretically at least, limit the amount of damage they can do. Most implementations allow the sudoers file to apply policy to various aspects of the sudo command (e.g. restricting which users can run it, restricting what commands can be run with privilege, etc.). Of course, one could simply run a command shell under sudo if one wanted to operate as the superuser for an extended period.

Sudo has so taken over from su that I suspect there are many Unix administrators out there who have never worked extensively under a "#" shell command prompt. The Bourne, C, and most other command shells change the default prompt from "% " to "# " when operating as the superuser.

In Unix GUI-based user environments, including macOS, a user trying to perform an administrative action will get a pop-up authentication window which will prompt them to enter appropriate credentials. Under the hood of this pop-up is sudo, or a library using the same concepts.

So in modern Unix-based OS's whether fronted by a GUI or not, the concept of a user being a "regular user" or an "admin user" is not really accurate if one is inclined to strict definitions at least.
 
Posts: 6469 | Location: NoVA | Registered: July 22, 2009
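The sudoers policy controls described in the post above (which users may run sudo, and which commands), together with the earlier post about editing /etc/sudoers for a standard account, as an added example that is not part of any poster's message: a shell function that reads sudoers-style text and reports which rules amount to unrestricted root. The sample policy and the user names alice, bob and carol are constructed, and the parser assumes simple one-line user or %group entries only.

```shell
#!/bin/sh
# Added example: classify sudoers-style rules by how much privilege they grant.
# Simplified parser: handles one-line "who host=(runas) [NOPASSWD:] commands"
# entries only (no aliases, no line continuations, no include directives).

# Constructed sample policy (not taken from a real system).
SAMPLE_SUDOERS='# constructed sample
Defaults env_reset
root    ALL=(ALL) ALL
%admin  ALL = (ALL) ALL
alice   ALL=(ALL) NOPASSWD: ALL
bob     ALL=(root) /usr/sbin/lsof, /usr/sbin/softwareupdate
carol   ALL=(ALL) NOPASSWD: /usr/sbin/softwareupdate'

# audit_sudoers: reads sudoers text on stdin, prints "<level> <who>" per rule.
#   FULL              any command, password prompt still required
#   FULL-NOPASSWD     any command with no password prompt at all
#   LIMITED           only the listed commands, password required
#   LIMITED-NOPASSWD  only the listed commands, no password prompt
audit_sudoers() {
    awk '
        /^[ \t]*(#|$)/  { next }            # comments and blank lines
        $1 ~ /^Defaults/ { next }           # option lines, not grants
        {
            who = $1
            spec = $0
            sub(/^[^=]*=[ \t]*/, "", spec)          # drop "who host ="
            sub(/^\([^)]*\)[ \t]*/, "", spec)       # drop "(runas)"
            nopass = sub(/^NOPASSWD:[ \t]*/, "", spec)
            sub(/[ \t]+$/, "", spec)                # trailing whitespace
            level = (spec == "ALL") ? "FULL" : "LIMITED"
            if (nopass) level = level "-NOPASSWD"
            print level, who
        }'
}

# risky_grants: space-separated list of principals with unrestricted root.
risky_grants() {
    audit_sudoers | awk '$1 ~ /^FULL/ { print $2 }' | tr '\n' ' ' | sed 's/ $//'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_SUDOERS" | audit_sudoers
```

A FULL rule on a day-to-day account still requires that account's password at each elevation; a FULL-NOPASSWD rule removes even that prompt, so anything running as that user can become root silently.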
quarter MOA visionary
smschulz
posted
quote:
Originally posted by r0gue:
To be clear -- My thinking is, if I run across some website that injects an attack on me in my current account, that any possible compromise would be thwarted (or far less likely) by my active account not having escalated privileges.



Normally, it takes an elevated permission and you would be prompted to accept.
DON'T DO IT.

... and stay off those sites to begin with... :(


quote:
Originally posted by PHPaul:
Seeing as I'm the only one that uses this computer AND it's the only computer in the house connected to the innerwebz, I use the Admin account.

That way if I need to change something or download a new program, I don't have to change users.


Honestly, I don't see anything flawed with that.

I would add to most:
* Change the administrator account name (anything other than admin or administrator)
* Create a complex password that you can remember.
 
Posts: 22904 | Location: Houston, TX | Registered: June 11, 2006
Member
4MUL8R
posted
One way to protect your Mac or PC is to only use the admin account for machine set up and maintenance. If you log in as a user, without admin privileges, I am told that you cannot install software, etc. So, that machine is protected. I deal with this protection every day on my work laptop, where I can't even delete unnecessary shortcuts on my desktop without admin credentials.

When I replace the HDD with a SSD in this Mac mini next month, I'll probably create two users to invoke this form of protection.


-------
Trying to simplify my life...
 
Posts: 5053 | Location: Commonwealth of Virginia | Registered: January 15, 2007
Nullus Anxietas
ensigmatic
posted
quote:
Originally posted by smschulz:
All installs will have an admin account or it cannot be installed (MS).

Except MS-Windows, at least as of MS-Win7, disabled the Administrator account, by default. Non-Admin user accounts could be granted permissions to elevate to Admin rights, but they did not run full-time with Admin rights.

quote:
Originally posted by smschulz:
I don't see an inherent advantage to using a daily computer logged in as a less than admin account ...

I sincerely hope what we have here is confusion in terminology and you're not truly suggesting you see nothing wrong with end-users running with Admin rights full-time. Microsoft finally establishing some real controls wrt Admin rights was perhaps the single greatest improvement to MS-Windows ever.

quote:
Originally posted by smschulz:
Note: talking home computers ~ business LAN's are another story.

Disagree.

Why do you think personal computers became such a bane to the Internet? In addition to poorly-designed, poorly-coded software, end-user computers with users running with Admin rights full-time are, or were, a major factor.

In answer to the OP's question: Neither I, nor, when I was employed, did my end-users run with Admin rights on any system, MS-Win, Mac OS X, or Unix/Linux. Nor do I at home.

Administrators, Engineers, and road-warriors (laptop users) could elevate to Admin rights. (Laptop users because sometimes it became necessary while they were on the road. If they were found to be being lazy or irresponsible with the privilege, it would be revoked. That happened rarely. They feared the wrath of the BOFH [Bastard Operator From Hell].)

Safe computing practices are safe computing practices regardless of environment.



"America is at that awkward stage. It's too late to work within the system,,,, but too early to shoot the bastards." -- Claire Wolfe
"If we let things terrify us, life will not be worth living." -- Seneca the Younger, Roman Stoic philosopher
 
Posts: 26009 | Location: S.E. Michigan | Registered: January 06, 2008
quarter MOA visionary
smschulz
posted
quote:
Originally posted by 4MUL8R:
One way to protect your Mac or PC is to only use the admin account for machine set up and maintenance.
If you log in as a user, without admin privileges, I am told that you cannot install software, etc.
So, that machine is protected.
I deal with this protection every day on my work laptop, where I can't even delete unnecessary shortcuts on my desktop without admin credentials.

When I replace the HDD with a SSD in this Mac mini next month, I'll probably create two users to invoke this form of protection.


What are you "protected" from (except yourself)?
 
Posts: 22904 | Location: Houston, TX | Registered: June 11, 2006
quarter MOA visionary
smschulz
posted
quote:
Except MS-Windows, at least as of MS-Win7, disabled the Administrator account, by default. Non-Admin user accounts could be granted permissions to elevate to Admin rights, but they did not run full-time with Admin rights.


It just disabled the Administrator named account.
The install asks for a new user name which will be a member of the local administrators group aka an admin.

quote:
Safe computing practices are safe computing practices regardless of environment.


Sure but you have to weigh the risk and simply running a single computer as an administrator in your home is not inherently risky.
Even if you run the computer as a user ~ there still is an administrator account.
You don't have to be logged on to be vulnerable.
 
Posts: 22904 | Location: Houston, TX | Registered: June 11, 2006
Nullus Anxietas
ensigmatic
posted
quote:
Originally posted by smschulz:
Sure but you have to weigh the risk and simply running a single computer as an administrator in your home is not inherently risky.

The difference is: Viruses, worms, and trojans installed w/o Admin rights cannot infect the system. They can infect only the end-user's space. (Except where the system is b0rk3d and vulnerabilities allow elevation to Admin privs when not intended, which does happen--on all systems.)

Plus, if you're not running with Admin rights full-time, you're limited in what damage you can do to the system inadvertently.

Again: I'm not talking having the ability to temporarily elevate to Admin rights, as-necessary, but running with Admin rights full-time. It's a truly bad idea.

"Running as root is like driving without seatbelts." -- Peter Da Silva



"America is at that awkward stage. It's too late to work within the system,,,, but too early to shoot the bastards." -- Claire Wolfe
"If we let things terrify us, life will not be worth living." -- Seneca the Younger, Roman Stoic philosopher
 
Posts: 26009 | Location: S.E. Michigan | Registered: January 06, 2008
The success of a solution usually depends upon your point of view
posted
I have always set up my PC using an admin account and then created a user account we share for our daily use.

There is very little I need to do that requires elevated permissions so it is not really an inconvenience when I do need them.



“We truly live in a wondrous age of stupid.” - 83v45magna

"I think it's important that people understand free speech doesn't mean free from consequences societally or politically or culturally."
-Pranjit Kalita, founder and CIO of Birkoa Capital Management

 
Posts: 3849 | Location: Jacksonville, FL | Registered: September 10, 2010
quarter MOA visionary
smschulz
posted
quote:
Again: I'm not talking having the ability to temporarily elevate to Admin rights, as-necessary, but running with Admin rights full-time. It's a truly bad idea.


Don't forget to wear a mask while operating your computer. :P

However, the real risk is YOU (user) that makes stupid decisions and almost always "clicks" to allow whatever mischief they get into.
So yes, you are really protecting yourself from you ~ not a mysterious foreign enemy.
They need your assistance most of the time to complete your demise.
So as a local admin on a single computer network just browsing the Internet and email ~ the risk is minimal with "safe" practices.
Like don't click on shit you don't understand.
Not saying if you want to run as a user is wrong - it's not.
In fact most of the time it is just fine.
The more locks on your door only does so much.
Bottom line is use common sense browsing and you should be ok.
 
Posts: 22904 | Location: Houston, TX | Registered: June 11, 2006
Seeker of Clarity
r0gue
posted
quote:
Originally posted by smschulz:
quote:
Originally posted by 4MUL8R:
One way to protect your Mac or PC is to only use the admin account for machine set up and maintenance.
If you log in as a user, without admin privileges, I am told that you cannot install software, etc.
So, that machine is protected.
I deal with this protection every day on my work laptop, where I can't even delete unnecessary shortcuts on my desktop without admin credentials.

When I replace the HDD with a SSD in this Mac mini next month, I'll probably create two users to invoke this form of protection.


What are you "protected" from (except yourself)?


Respectfully -- I'm not sure you're following what I'm/we're talking about, which is remote execution from another bad actor, using our accounts. I.E. that vulnerabilities exist in all software from time to time, that allow shit to happen. And this can happen from anywhere, not just from certain sites that you can just "stay away from".

Any site can become a watering hole, through which exploits can be leveraged against vulnerabilities that we might have on our computers at any given time. But those exploits would only have the foothold within the account we're using when it happens. So the power that WE give it via our present account. It would be invisible to us. But if we have full admin over the account at that time, then the exploit does too. Behind the scenes they can bring down lots of bad tools and execute them to do bad things. Like watch us enter our banking information etc.

Well known best practice is not to use admin level privileges for normal day to day stuff. But I still do it,.. because I've never bothered to "grow up" so to speak, and stop doing it. Hehe. But I was about to do so, and thought I'd see if I was the last one to the party or not. :)




 
Posts: 11379 | Registered: August 02, 2004
quarter MOA visionary
smschulz
posted
quote:
Originally posted by r0gue:
And this can happen from anywhere, not just from certain sites that you can just "stay away from".

Any site can become a watering hole, through which exploits can be leveraged against vulnerabilities that we might have on our computers at any given time. But those exploits would only have the foothold within the account we're using when it happens. So the power that WE give it via our present account. It would be invisible to us. But if we have full admin over the account at that time, then the exploit does too. Behind the scenes they can bring down lots of bad tools and execute them to do bad things. Like watch us enter our banking information etc.

Well known best practice is not to use admin level privileges for normal day to day stuff. But I still do it,.. because I've never bothered to "grow up" so to speak, and stop doing it. Hehe. But I was about to do so, and thought I'd see if I was the last one to the party or not. :)


I am not trying to minimize running as a user vs admin but just want to clarify some misgivings.
Microsoft UAC is a feature that helps with the "mysterious behind the scene activity" that most think happens.
However, most all of the time the issues are initiated by us and accepted by us when prompted.
From THERE if we are an admin then it becomes a problem, and as a user it can be thwarted easier.
In general just browsing as an admin isn't unsafe - it's what we do and the aftermath decisions that as an admin allows it to happen.
Also lots of great AV software to assist in watching out as well.
Don't forget to back up.
 
Posts: 22904 | Location: Houston, TX | Registered: June 11, 2006
© SIGforum 2024