Difference between admin and normal user

Hi Community,


How does user rights management work when an admin account is used? In Mac OS X an admin isn't really an admin account, because the user gets prompted for the (admin) user password again if he requires higher privileges. Since Windows Vista, Microsoft has implemented a similar technique: an administrator account works with a normal user token, and if higher privileges are needed, the user gets the UAC dialog to grant higher privileges. This is done by providing the user an admin token temporarily.


Is this the same way Mac OSX works or is this done by a different technique?


Thx & Bye Tom

Posted on May 1, 2013 4:17 AM


May 1, 2013 4:37 AM in response to prontosystems

An Admin user is added to an admin group. Members of the admin group are allowed to use the Unix 'sudo' command. The Unix sudo command allows the user to become the Unix 'root' account for the duration of one command/utility/program.


Apple wraps GUIs around the use of sudo, but it is the heart of any Unix system administration.


Google 'sudo' if you want more details.

May 1, 2013 4:53 AM in response to BobHarris

Hi Bob,


always on duty, hm?

BobHarris wrote:


An Admin user is added to an admin group. Members of the admin group are allowed to use the Unix 'sudo' command. The Unix sudo command allows the user to become the Unix 'root' account for the duration of one command/utility/program.

And that's all? The user is a member of the admin group and is allowed to use sudo? I asked this because I listened to another discussion in a German newsgroup where the risk of using an admin account is addressed. On my Mac I have no fear of using an admin account, but I was not aware that it is just that simple.


Thx & Bye Tom

May 1, 2013 5:41 AM in response to prontosystems

That's pretty much all, yes. Presuming no bypasses, the downside of running an admin user is largely you can potentially end up installing more than you bargained for. There are folks that deliberately choose not to run as Admin users, so that there's simply no way that they can install anything system-wide short of a security bypass.


For further reading and improving your knowledge of security beyond "root" and "sudo", there are Apple's security guides and the US NSA/CIA operating system security configuration guides. Both of these resources are a little dated, but the underpinnings of the operating system and its security have not changed significantly; what you learn will still be valid, though there can be some features of newer releases (such as the profile manager, the lack of installed Java) that might be useful.


Where is the discussion, please?

May 1, 2013 6:12 AM in response to BobHarris

And that's all? The user is member of the admin group and is allowed to use sudo?


'root' is the ONLY truly privileged account on a Unix system. Once you can be root, you can do anything. Permissions can be used to put safeties in front of some root actions, but root can undo them if it wants to.


If you want to verify, then create 2 accounts. Give one account "Admin" and leave the other as a non-Admin user.


Now from an Applications -> Utilities -> Terminal session enter the following commands:


id normal_user_short_name
id admin_user_short_name


Check the list of groups each user is associated with. The only difference should be that the Admin user has the 80(admin) group associated with it.


Then the /etc/sudoers file (which you will need sudo to read) has an entry that gives Admin users "ALL" privileges, just like root:


...
# User privilege specification
root    ALL=(ALL) ALL
%admin    ALL=(ALL) ALL
...
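An added example, not part of BobHarris's post or the thread: a POSIX shell script that performs the check he describes offline. It takes constructed `id` output (the user names tom and alice and their group lists are assumptions) and the sudoers entries quoted above as strings, and reports which sudoers principal, if any, grants the user `ALL=(ALL) ALL`.

```shell
#!/bin/sh
# Added example, not from the thread. Given the output of `id <user>` and the
# contents of a sudoers file (both passed in as strings, so this runs offline),
# report which sudoers principal, if any, grants the user "ALL=(ALL) ALL".

# Constructed `id` output for a standard user and an admin user; the only
# difference is the 80(admin) group the post above points at.
ID_STANDARD='uid=502(alice) gid=20(staff) groups=20(staff),12(everyone),61(localaccounts)'
ID_ADMIN='uid=501(tom) gid=20(staff) groups=20(staff),12(everyone),61(localaccounts),80(admin)'

# Constructed sudoers fragment mirroring the entries quoted in the post.
SUDOERS='# User privilege specification
root    ALL=(ALL) ALL
%admin    ALL=(ALL) ALL'

# user_name ID_OUTPUT -> the login name from the uid=N(name) field
user_name() {
    printf '%s\n' "$1" | sed -n 's/^uid=[0-9]*(\([^)]*\)).*/\1/p'
}

# user_groups ID_OUTPUT -> one group name per line, taken from groups=...
user_groups() {
    printf '%s\n' "$1" | sed -n 's/.*groups=//p' | tr ',' '\n' \
        | sed 's/^[0-9]*(\(.*\))$/\1/'
}

# grants_root ID_OUTPUT SUDOERS -> prints the matching principal (the user
# name or %group) and returns 0, or prints "none" and returns 1.
grants_root() {
    name=$(user_name "$1")
    # The user's own name is tried first, then every group as %group.
    for principal in "$name" $(user_groups "$1" | sed 's/^/%/'); do
        # Match "<principal>   ALL=(ALL) ALL", skipping comment lines.
        if printf '%s\n' "$2" | grep -v '^[[:space:]]*#' \
             | grep -Eq "^${principal}[[:space:]]+ALL=\(ALL\)[[:space:]]+ALL"; then
            printf '%s\n' "$principal"
            return 0
        fi
    done
    printf 'none\n'
    return 1
}

for user in "$ID_STANDARD" "$ID_ADMIN"; do
    printf '%s -> ' "$(user_name "$user")"
    grants_root "$user" "$SUDOERS" || true
done
```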

May 1, 2013 6:24 AM in response to prontosystems

There are some subtle differences between an admin account and a standard account. I believe an admin account can do things like copy files to the /Applications directory and maybe /Library. It is possible that feature has been removed in Mountain Lion. I'm not sure. I am sure that there is no real reason for your primary user account to be an admin account. I have admin accounts dedicated to that purpose. If I need to modify some system setting, instead of being prompted for my password, I must supply the username and password of the admin account. If I need to do something on the command line, I can just "su" into the admin account and run sudo from there.

May 2, 2013 1:12 AM in response to MrHoffman

Hi MrHoffman

MrHoffman wrote:


For further reading and improving your knowledge security beyond "root" and "sudo", there are Apple's security guides and the US NSA/CIA operating system security configuration guides. Both of these resources are a little dated, but the underpinnings of the operating system and its security have not changed significantly; what you learn will still be valid, though there can be some features of newer releases (such as the profile manager, the lack of installed Java) that might be useful.


Thanks a lot. The link to the Mac OS security configuration guide seems to be broken but I took a short look into the Linux guide and this is also very interesting, even if I'm not using Redhat but Debian.


MrHoffman wrote:


Where is the discussion, please?


In de.comp.sys.mac.misc, but only one posting is interesting:

Message-ID: <slrnknnu85.5mh.Thomas.Kaiser@phg-online.de>


And the only problem addressed there is the difference between a user's login shell and an interactive subshell, and how it could be used for privilege escalation by modifying the $PATH variable to execute malicious code with root privileges. I remember this from earlier days in Linux, when the current directory (.) was at the end of the $PATH variable. This could end in the same issue after all.


Thx & Bye Tom
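An added example, not from the thread, taking a defender's angle on the $PATH issue Tom raises: a POSIX shell audit that flags PATH entries resolving to the current directory ("." or an empty entry) and any other relative entry, so a stray file in the working directory cannot shadow a system command. The sample PATH values are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Audits a PATH value for entries that let
# a file in the current directory shadow a system command: "." itself, an empty
# entry (a leading, trailing or doubled ":" also means the current directory),
# and any other relative entry. The PATH string is passed as an argument so the
# check runs offline against constructed values.

# audit_path PATH_VALUE -> one line per unsafe entry; returns 0 only if clean
audit_path() {
    unsafe=0
    # Append ":" so a trailing empty entry is seen as an entry in its own right.
    rest="$1:"
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case "$entry" in
            '') printf 'empty entry (resolves to the current directory)\n'; unsafe=1 ;;
            .)  printf '"." entry (the current directory)\n'; unsafe=1 ;;
            /*) ;;  # absolute path: fine as far as this check goes
            *)  printf 'relative entry: %s\n' "$entry"; unsafe=1 ;;
        esac
    done
    return $unsafe
}

# count_unsafe PATH_VALUE -> number of unsafe entries, handy in scripted checks
count_unsafe() {
    audit_path "$1" | wc -l | tr -d ' '
}

# Constructed sample values: a clean PATH and the old "." at the end of PATH
# that the post above recalls.
SAFE_PATH='/usr/bin:/bin:/usr/sbin:/sbin'
DOT_PATH='/usr/bin:/bin:/usr/sbin:/sbin:.'

for p in "$SAFE_PATH" "$DOT_PATH"; do
    printf '%s: %s unsafe entries\n' "$p" "$(count_unsafe "$p")"
done
```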

May 2, 2013 5:00 AM in response to MrHoffman

MrHoffman wrote:


Odd. The link is not broken here; opens fine with Safari.


Hm, if I navigate to the link target[1] by myself, the document is loading. But if I'm using the link[2] from the NSA site, I receive the following error:


---snip---

An error occurred while processing your request.

Reference #97.767ffea5.1367494820.4b43e07e

---snap---


[1] http://images.apple.com/support/security/guides/docs/SnowLeopard_Security_Config_v10.6.pdf

[2] http://www.nsa.gov/applications/links/notices.cfm?address=http://images.apple.com/support/security/guides/docs/SnowLeopard_Security_Config_v10.6.pdf


Really odd but it's not our problem anyway. I knew this document already but at that time I didn't study it about that specific question. So I can take a closer look again, thanks.


Bye Tom

May 2, 2013 7:01 AM in response to prontosystems

prontosystems wrote:


I'm able to open the link under the Linux section for example or did you mean that ironically? ;-)

No irony intended. I am very familiar with .gov IT. The Linux link works because it is hosted on the NSA's site. One of the Mac links, and one of the Windows links, is a redirect to the vendor site that doesn't work. On the NSA site, you must also use the appropriate menu navigation to find any of those links. The search feature returns another one of those internal server errors. Government IT definitely prefers Linux. They can burn through taxpayer dollars faster with Linux than with any other OS.

May 4, 2013 4:00 PM in response to prontosystems

It's worth noting that no one uses the MS Windows user token technique outside of Windows; it was primarily put in place originally to try and shoehorn some pseudo-privilege separation into Windows around the same time that NTFS provided a filesystem capable of actually providing multi-user protections at the filesystem level.


It's both elegant and grotesque, in ways that can't really be appreciated until you see it being used in the context of Group Policy Objects being pushed by Active Directory in a full up Windows domain or forest.


And not really very secure at all.
