Serious bug in administrative authorisation for software update in Ventura?

Trying to update to 13.1 from a nonadministrative account, software update did not accept my administrative credentials for this upgrade.


Trying a few things I then entered the nonadministrative account credentials from which I usually use that Mac and it worked, software update accepted the nonadministrative account for the software upgrade and it is now downloading.


I do not recall, but it may be that I originally set up the Mac with this currently nonadministrative account, then set up another administrative account, removed administrative privileges from the first account to use it as a nonadministrative account (I have been setting up my Macs like this for a long time). In that case software update is remembering only the original administrative account, not the current one.


Not sure how serious this is, but I never encountered this problem before Ventura. Software update done from the nonadministrative account would usually accept the administrative account login and password info on request. This now is completely different in Ventura.


Is this deliberate? Does this open the possibility that other software can be loaded onto the Mac from the nonadministrative account and w/o special privileges? If so, this might be a critical vulnerability that may need to be fixed ASAP by Apple.

Posted on Dec 16, 2022 2:51 PM

Question marked as Top-ranking reply

Posted on Dec 17, 2022 10:21 AM

Well 99% of Mac users have one account, the first account and never create a secondary account.


But now you know there are potential gotchas to worry about when you set up a multiple-user Mac or attempt to move accounts around or remove accounts.

5 replies

Dec 17, 2022 9:23 AM in response to tutlek

It is deliberate. The system part of macOS is read-only and a bootable APFS snapshot is created then signed and sealed. Apple updates are also signed by Apple and trusted. Apple Silicon hardware is strict about that chain of trust so it's impossible to boot from an external drive if the internal SSD is blank or damaged. You must use a working Mac with Apple Configurator 2 that obtains macOS online and delivers it to a Mac in DFU mode. This is to preserve that chain of trust. Apple Silicon Macs add the Erase all Settings and Content feature from iOS / iPadOS so you can factory reset an Apple Silicon Mac. No need to wipe and install via external flash drive which will no longer work and Internet Recovery is not available on Apple Silicon M1 / M2 Macs.


3rd party software cannot install without admin rights but Apple updates coming through the chain of trust will install without admin rights going forward.


Apple has adopted the newer mobile software update (MSU) process for macOS 12.6.1 Monterey and in macOS Ventura, from its origins on iOS. That allows for major and minor updates to be smaller, depending on the origin OS and the target OS.


  • Delta updates do not require admin rights to install
  • Delta updates are substantially smaller 
  • Delta updates install substantially faster


Because Apple can verify the chain of trust from the hardware to the OS they can install delta reduced size updates without administrative rights.


Best practice is not to mess around with the initial admin account created when installing macOS. It has special properties and is more trusted than all subsequent accounts. It would be better to create additional accounts but leave the first account alone. Flip-flopping your initial account admin rights with a newly created user account is quite risky.


Dec 17, 2022 10:27 AM in response to James Brickley

Well, when I got my first Mac in 2007, the standard advice at the time was to have a separate administrative account and not to use that account for daily work with the Mac. So I have been practicing this since that time.


Next time I get a new Mac I will take your advice and set up the device differently. "Unfortunately", I now have 3 devices with Apple silicon, so I am years away from this. Hopefully will not forget what you told me today.


Thanks.

Dec 17, 2022 1:19 PM in response to tutlek

tutlek wrote:

the standard advice at the time was to have a separate administrative account and not to use that account for daily work with the Mac. So I have been practicing this since that time.

There is nothing wrong with that. I think you just had a funky way of doing it. I agree that there could be some risk to that due to group ownership of files and directories. If you want to use a standard account, it is better to just continue as before and set up an initial admin account. But only use that admin account to create a new standard account. Then use that standard account for all day-to-day use. In most cases, it won't be a problem. If you are prompted for administrator credentials, then you will have to supply both the administrator user account and password.


For most end-users, I would recommend the default. When you create a new account, it gets created as an administrator account. Then you just use that account. No worries. If you want to make a separate, backup account with administrator privileges to use in case something goes wrong with your primary account, go for it. No harm there.


Sometimes there are bugs in 3rd party and Apple software when using a standard account. If you are prepared to deal with them, then you shouldn't have a standard account. The only people who really need to use a standard account are macOS developers and enterprise setups with their funky enterprise things. For example, I normally use a standard account so I know when my own app behaves differently with more restricted permissions. But I'm a developer, don't do what I do. For any non-developer activities, I always stick with defaults unless I have a very good reason not to.
