What's the difference between the Admin and Root accounts in Mac OS X?

Does anyone know what the difference is between the Admin account and Root user option on Snow Leopard?


I've read on Network Security forums that I should have two accounts on my Macs (I'm the owner and only user), 1 for Admin controls / access and another for general use. I was under the impression that I only needed one account, and even though it was specified as an "Admin" account I didn't really need to worry about it as I would still need to go into Directory Utility and "Enable Root User" to really allow a program to gain access / control of my Mac.


Can somebody please clear this up for me?


Thanks in advance

L Rembrandt

'10 MacBook Pro & '11 MacPro, Mac OS X (10.6.7), Logic 9, ProTools 9, Sibelius 6

Posted on Jun 19, 2011 7:35 PM

Question marked as Top-ranking reply

Posted on Jun 29, 2011 9:14 AM

  • Root can do anything, without further authentication. There is only one root account and it is disabled by default.
  • An admin user can do many things without further authentication, but can become root by authenticating with his own password. There can be any number of admin users.
  • A standard (non-admin) user can only modify the contents of his own home folder, but can become and do admin and even root tasks by authenticating with an administrator's username and password, if he knows it.


Most security professionals recommend running with the fewest privileges necessary, elevating to the higher privilege only when needed, and returning to the lower privilege when the higher one is no longer needed.


Apple recommends running as a non-admin user all the time. It is the best for security, and is convenient too, since nearly all admin and root tasks can be done from a non-admin account, simply by authenticating with an admin username/password when prompted. I do admin and root tasks from my non-admin account all the time this way. My admin account almost never gets used; it has been months since I actually logged in to it.


If you are not already using a non-admin account, it's easy to switch: Just create a new account with admin privileges, and then remove admin privileges from your own account.
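
The order of the two steps in the reply above matters: a second admin account has to exist before your own account loses admin rights. The following is an added example, not part of the original replies, that checks this from the admin group membership; the account names `lrembrandt` and `macadmin` are constructed, and it assumes `dscl` prints the members on a single `GroupMembership:` line.

```shell
#!/bin/sh
# Added example (not from the thread). Checks the order of the two steps:
# a second admin account must exist before your own account is demoted.

# Strip the "GroupMembership:" label from a line as printed by
#   dscl . -read /Groups/admin GroupMembership
admin_members() {
    printf '%s\n' "$1" | sed 's/^GroupMembership:[[:space:]]*//'
}

# is_admin USER "MEMBER LIST" -> exit 0 if USER is in the list.
is_admin() {
    for m in $2; do
        if [ "$m" = "$1" ]; then return 0; fi
    done
    return 1
}

# demote_check USER "MEMBER LIST" -> prints a verdict.
# root does not count as the remaining admin: it is disabled by default.
demote_check() {
    user=$1; others=0
    if ! is_admin "$user" "$2"; then echo "already-standard"; return 0; fi
    for m in $2; do
        if [ "$m" != "$user" ] && [ "$m" != root ]; then others=$((others + 1)); fi
    done
    if [ "$others" -gt 0 ]; then echo "safe-to-demote"; else echo "create-admin-first"; fi
}

# Constructed sample line; on a Mac the live dscl output is used instead.
SAMPLE='GroupMembership: root lrembrandt'
if command -v dscl >/dev/null 2>&1; then
    line=$(dscl . -read /Groups/admin GroupMembership 2>/dev/null) || line=$SAMPLE
    me=$(id -un)
else
    line=$SAMPLE
    me=lrembrandt
fi
verdict=$(demote_check "$me" "$(admin_members "$line")")
echo "$me: $verdict"
# When the verdict is safe-to-demote, an admin can remove the membership with:
#   sudo dseditgroup -o edit -d "$me" -t user admin
```
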

Jun 29, 2011 9:14 AM in response to LRembrandt

The root user in a Unix system has the power to do anything at will.

A user that can administer a Mac OS X computer has the ability to ask for privilege escalation in order to perform tasks that only root can do.

Running as an Admin user currently is only a danger to yourself accidentally messing things up. As hackers get better, there may be a possibility that they could exploit that power the admin user has to take over your computer.

Running as a standard user might prevent that threat since the standard user shouldn't be able to elevate their privileges.

Jun 29, 2011 9:15 AM in response to K T

If you follow K T's advice, be aware that you will not be following Apple's own security configurations guidelines. Apple says to use admin accounts only for tasks that really need to be run from them, and to keep admin accounts logged out at all other times. They even go so far as to say to "never check e-mail or browse the web while logged in to an administrator account".


Your choice.
