In addition, and arguably the best precaution, have a separate account with administrator rights and use that only to install software. The account you use on a daily basis should NOT have administrator rights. That way, if some malware wants to install something you will get a prompt to provide the administrator password and you can, and should, cancel immediately and investigate.
Security is a layered approach. And yes, running software from an account with the minimum privileges necessary for it to run (meaning a non-administrator for most things) is a key layer.
Under normal circumstances, you should never have to actually log in to an administrator account. As long as it exists (and Apple’s GUI tools for user management won’t let you delete the last administrator), then that’s enough.
If you do anything that requires administrative privileges (e.g. install software or modify some system settings), you will be presented with an authentication dialog. Type in an administrator’s short user-name and password and you’re good to go.
The only downside here is that the sudo command (used from command-line shells to execute a single command as root) is only usable by users in the admin group (that is, administrators), using Apple’s default configuration:
But you can work around that by explicitly granting yourself sudo access via its configuration mechanism. For example, I created a file /etc/sudoers.d/011_david which grants me sudo access without being in the admin group:
You can do the same on your system. Just replace “david” with the short user name of the account you normally use.
Note that sudo will still ask you for a password the first time you use it in a given session (and after about 5 minutes of not using it), so it’s still pretty secure.
Or, if you don’t want to do that, you can use the su command to switch your terminal session to another user (e.g. your admin user). Do what you need from there and then exit back again. For example (if your administrator account is named administrator):
$ su administrator
Password:
Enter the administrator account’s password when prompted. You are now running as administrator (for that terminal session only). Do what you need from there, including use of the sudo command, as you require.
When you’re done, exit from the su session:
$ exit
And you’re back to your own account with its original permissions.
I have done this security practice - taken from old days of programming.
However I have found that Apple often wants the Administrator logon to be used instead of a user logon - something to do with Apple ID. Given Apple’s claims about security prowess, I find Apple’s inability to let users keep private their Administrator account details to be baffling. Moreover, Apple employees never explain to Mac purchasers the value of having a separate Administrator account.
In practice, with modern MacOS, I think having a separate account is a huge hassle with little security benefit. Yes, in theory, it’s “more secure.” But so much is locked away from user access these days, the admin accounts are easily secure enough that the difference is imperceptible. But if you use a non-admin account, you get lots of prompts to enter an admin username and password. As well as being a huge pain, I think this completely undermines the supposed extra security from running as a non-admin. You get conditioned to entering your admin username/password all the time, so this:
just seems normal and the average user is likely to simply enter the admin username/password.
I’ve yet to see a good argument for normal people to regularly run as a non-admin on modern MacOS. I think it’s really a holdover from Unix & Linux in the past (where it was a very good idea not to use an admin account as a matter of course!). And I’ve certainly not seen any data that shows a real (as opposed to theoretical) benefit. If it’s out there, I would be interested to see it, and am certainly open to being proved wrong.
I wonder what you are doing or what software you are running that is causing those “lots of prompts”?
I can use my Mac with my standard account for weeks on end without getting any admin prompt. I only get those when I actively choose to do something that indeed requires admin access and entering the credentials then is no hassle at all for me.
Really? I only get these prompts when installing/upgrading software. I can’t think of a time when I needed to provide these credentials for some other purpose.
I think the biggest reason is that admin users have read/write access to the /Applications folder. Which means they can install, remove and modify application software without any additional authentication.
If you’re not an admin user, then you need to authenticate as a part of accessing anything in that location.
Include me in the group that rarely sees the authentication prompts.
Also when clicking on the padlock in a System Preferences pane.
I too have used a non admin account since macOS moved to UNIX. There is one thing Apple could do to make it more smooth though. As we get the prompt, let us use the fingerprint of our admin account.
Inspired by this thread, I just sent Apple feedback via Feedback - macOS - Apple
I’m with @jzw. I have never used a non-admin account on any Mac I own and administer.
I have never had any malware scanner constantly run in the background. Yuck.
I run Malwarebytes in its free version perhaps once a week and it has never reported anything odd. I believe I do this just to make myself feel good, but I doubt there’s really good reason to run it. I keep up with Apple’s security updates. And I honestly don’t give two hoots about Win folks getting malware. They always end up getting something somewhere. Their choice.
I like what I’ve heard from Howard and friends about the new XProtect so far.
I am very cautious who I hand out my information to, usually minimize that, and I’m even more restrictive when it comes to accepting stuff from others, clicking on stuff, installing apps, etc. I rely heavily on malware and ad blockers when surfing.
I have never had any infection or malware issue on any Mac I own or administer. But sure, maybe it’s all just because I always got lucky.
But I don’t see the practical security benefits of this. Applications can be run from practically anywhere on MacOS, so this isn’t going to prevent malware from running.
And I should clarify that obviously I’m not getting prompts if I’m doing general work or basic activities (e.g. writing, browsing, etc). But my memory from when I’ve tried using a non-admin account (and it’s been a while now!) is that anytime I need to manage the system or do any development work, it gets irritating pretty quickly. It’s not an insurmountable problem, but I still don’t see what I’m gaining, so even marginal hassle makes it not worth it for me. And it would make remote support of others even harder, so I never recommend running from a non-admin account for family/friends.
As a long time sysadmin and computer security person…I would have to quote the knight from the Indiana Jones movie…he chose poorly. Nothing personal of course…and you’re completely free to operate as you wish…but a non admin daily driver seems like a no-brainer to almost all sysadmins.
Granted…macs are much less susceptible to those sorts of things…but running non admin daily driver costs you absolutely nothing and prevents potential bad things as well as oopsies. One can easily just provide the admin credentials when asked even logged in as non admin.
This is Apple’s take on this subject:
“Administrators can create, manage, and delete other users; install and remove software; and change settings. For these reasons, an administrator should create a standard user account to use when administrator privileges are not needed. If the security of a standard user is compromised, the potential harm is far more limited than if the user has administrator privileges. If multiple people use your Mac, limit the number of users with administrator privileges.”
Howard Oakley has recently set out the difference between normal and admin account, noting that there’s not really any extra security associated with normal accounts in modern MacOS.
(And @mjtsai has the same conclusion I did regarding non-admin accounts being more hassle than they’re worth. Michael Tsai - Blog - Standard Mac User Accounts)
While I agree with Howard and Michael’s conclusions for those of us who are tech-savvy, I do not agree with the conclusions for the less technically inclined that share a computer. Uncontrolled software installation from sources outside of the Mac App Store by those who would simply “click through” with admin privileges without any realization of what they’re doing is an exposure that I would like to mitigate for systems under my control. It’s one thing if it is done by the owner of the computer. It’s another thing if it’s a shared computer or a computer that needs to be secured by a company.
The phrase “A man’s got to know his limitations” comes to mind. And giving admin privileges to those that don’t know their limitations is a prescription for disaster.
there’s not really any extra security associated with normal accounts
Since you can authenticate with an admin account when needed…it just adds a second step to prevent any inadvertent stupidity from letting you be dumb. I’ve done it that way since the beginning of macOS X…but I do add my account to the sudoers file for terminal things…even though I need to keep redoing that after just about every update.
When it became evident my mother was suffering from dementia, I downgraded her to a regular user. She certainly can’t remember an administrator’s password and has forgotten anywhere to look for it. So in that limited case, the downgrade seems to have its intended benefit.
To avoid system updates from clobbering your changes, don’t edit /etc/sudoers. Instead, create a file in /etc/sudoers.d. The main sudoers file will include everything in there and Apple’s installers don’t wipe the contents.
In mine, I have a file that adds my and my wife’s non-admin accounts. Changing names to protect the innocent, it looks like:
$ cd /etc/sudoers.d
$ cat 011_wifeandme
# My wife and I can call sudo without being admins
david ALL=(ALL) ALL
davidswife ALL=(ALL) ALL
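A sanity check for a drop-in like the one in the post above, as an added example that is not from any poster in this thread. The function names are hypothetical; the checks rely on sudo's documented includedir behaviour (file names containing `.` or ending in `~` are skipped), on 0440 being sudo's default mode for sudoers files, and on `visudo -cf` for a syntax check that does not touch the live configuration.

```shell
#!/bin/sh
# Added example: audit a sudoers.d drop-in such as /etc/sudoers.d/011_david.
# Run it as root for installed files, which are normally readable only by root.

# sudo's includedir skips file names that contain '.' or end in '~'.
dropin_name_ok() {
    case "$(basename "$1")" in
        *.*|*~) return 1 ;;
        *)      return 0 ;;
    esac
}

# Print the octal permission bits (GNU stat first, then BSD/macOS stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Print the numeric uid of the file's owner.
file_uid() {
    stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"
}

# 0440 is the default mode sudo expects for sudoers files.
dropin_mode_ok() { [ "$(file_mode "$1")" = "440" ]; }

# Installed sudoers files must belong to root (uid 0).
dropin_owner_ok() { [ "$(file_uid "$1")" = "0" ]; }

# Syntax check of this one file only; the live configuration is not modified.
dropin_syntax_ok() { visudo -cf "$1" >/dev/null 2>&1; }

# Run every check, report each failure, return non-zero if any failed.
audit_dropin() {
    rc=0
    dropin_name_ok   "$1" || { echo "$1: name would be skipped by includedir"; rc=1; }
    dropin_mode_ok   "$1" || { echo "$1: mode is $(file_mode "$1"), expected 440"; rc=1; }
    dropin_owner_ok  "$1" || { echo "$1: not owned by root"; rc=1; }
    dropin_syntax_ok "$1" || { echo "$1: visudo reports a syntax error"; rc=1; }
    return $rc
}

# Usage: sh audit_dropin.sh /etc/sudoers.d/011_david
if [ $# -gt 0 ]; then
    audit_dropin "$1"
fi
```

A file that fails the name check is silently ignored by sudo, which looks the same from the user's side as the grant never having been added.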
Don’t edit sudoers
Thanks…did not know that so will add it and not worry about it anymore.