-
All replies
-
Helpful answers
-
Feb 25, 2016 2:07 AM in response to Dan Vendelby chroot,Root isn't an account type but is an account. Unless you absolutely need root, you should not login as root.
-
by John Lockwood,Feb 25, 2016 3:09 AM in response to Dan Vendel
John Lockwood
Feb 25, 2016 3:09 AM
in response to Dan Vendel
Level 6 (9,349 points)
Servers EnterpriseWhat you are indirectly referring to is a security concept generally called UAC - User Access Control. This is designed to stop unauthorised users doing things they should not and equally to help prevent malware from doing the same.
I would argue that Microsoft who also have a form of UAC in Windows do this wrong. Microsoft also have two levels of user 'normal' and 'administrator' but if you are logged in as an administrator level account they do not force you to enter a password in order to perform administrator level functions, I would argue this is a huge potential security risk and it is why Windows experts would strongly advise not logging in directly to the computer as an administrator level user. If you are logged in as a normal user and need to do an admin function then you get asked for the name and password of an admin user which is the proper way to do things.
So for a business environment 'normal' Mac users should only login as 'user' level accounts and not administrator level accounts. I would say that all administrator functions should require a password to stop the possibility of malware simply running in an administrator session and not needing to ask for a password.
(I have seen instances in the early days of ordinary users who did have administrator level access deleting operating system folders in order to 'free up space' or because they did not know what they were for and considered them 'unimportant' and thereby completely breaking the computer.)
Now if this is a private home machine then it is your machine and you can chose to ignore good security practise because then if something goes wrong you only have yourself to blame. There are therefore some steps you can do.
- Open System Preferences
- Click on Security & Privacy
- If needed 'unlock' the padlock in the bottom left
- Now click on the 'Advanced' button in the bottom right
- Untick the option 'Require an administrator password to access system-wide preferences' (if it is ticked)
You can also use Keychain Access (in the Utilities folder) to give applications free access to certain passwords as stored in the Keychain so you don't get asked to give permission each time. You can also edit some security settings in /private/etc/pam.d but you need to know what your doing, and you can also use /usr/bin/security to alter some security settings, again if you know what your doing. As examples I have altered the permissions for managing printers and screen saver security.
You should also be aware that security is constantly being tightened by both Apple and Microsoft and others. Even root level access i.e. 'sudo' cannot as standard modify some stuff in El Capitan any more as Apple are now securing the main parts of the operating system with a new security feature called SIP (System Integrity Protection).
-
Feb 25, 2016 4:50 AM in response to Dan Vendelby Barney-15E,I can't tell if you have a problem or just don't like the way El Capitan works.
I Don't have to log in to use the keychain. Did you change your account password and not change the keychain password?
I only have to authenticate the System Prefs on security-related functions. Normal stuff doesn't require unlocking.
Finally, even if you logged in as root, El Capitan disables much of root's power.
-
Feb 25, 2016 11:22 PM in response to Barney-15Eby chroot,The System Integrity Protection feature of El Capitan protects the contents of specific folders and pre-installed OS X app such as Mail and Messages.
-
Feb 26, 2016 4:42 AM in response to chrootby Barney-15E,chroot wrote:
The System Integrity Protection feature of El Capitan protects the contents of specific folders and pre-installed OS X app such as Mail and Messages.
Yes, as I stated, it removes some of root's power by preventing all users, including root, from changing those files.
-
Feb 26, 2016 4:48 AM in response to Barney-15Eby chroot,Barney-15E wrote:
Yes, as I stated, it removes some of root's power by preventing all users, including root, from changing those files.
But remember; when all else fails, keep calm and change root.
$ chroot