Is having a separate admin and normal account actually helpful?

[willangley]

[based on a conversation we had in person some months ago, and then promptly forgot about]

Having separate admin and normal accounts is good advice on Windows, but Microsoft has invested a great deal of effort in this part of Windows and the Windows ecosystem has followed suit.

I've seen little evidence that making normal accounts work as a security boundary has the same priority for Apple or for Mac software vendors, and enough breakage that I suspect that they're mostly designed and tested to make it harder for kids to mess up a family computer:

• When I used a Mac that was configured with separate admin and normal accounts (through El Capitan in late 2015) many of my installed-from-the-Internet apps would not update properly. The level of frustration was pretty much steady between late 2009, when I started running with reduced privileges, and late 2015, when I retired that Mac. I would be surprised if this has gotten better.

  My instinct is that apps largely work fine if you have an admin user logging in regularly, less so in the case where the admin user never logs in interactively like this guide suggests.

• macOS has privilege escalation vulnerabilities discovered regularly and historically receives fixes for them more slowly than iOS does.

• The local intrusion prevention software in this guide, like BlockBlock, seem to mostly target actions that could only be performed by an attacker already running code as an admin user.

• I don't see anything else in this guide that will detect local privilege escalation that is not immediately exploited, either from a known or an unknown source. (The audit logs might, but I don't feel like I've learned how to see such an attack from reading this guide.)

Does anyone have thoughts? / data on the effectiveness of this advice on the Mac? / ideas on how to catch privilege escalations when the system doesn't?

[Eitot]

I am not sure I understand what you are saying. The fact of the matter is that running with an admin account exposes you to flaws in programs that you execute with elevated privileges, like sudo and Apple’s security framework (this is what allows you to change system settings in System Preferences without ever having to enter a password). There was a bug in this framework in Yosemite’s time that allowed an attacker to gain elevated privileges due to the mere fact that the user was already authorised as an admin. Until Sierra, sudo was also configured insecurely (it arguably still is) as it allowed any program to obtain root privileges during the timeout window. There are many little flaws like these that make this a worthwhile consideration, as it reduces potential attack vectors.

I am also not sure why you had so many bad experiences, because I have had none of those. OS X is still a multi-user system at its heart and correctly installed software works for each user in the same way. Applications bundles in /Applications and binary images in /bin, /sbin and so forth are accessible to all users. I have been running with two accounts for a while and never had to log in using the GUI login window at all. Everything is done with prompts and the command line and the interaction with the admin account is kept at a minimum this way.

[gripedthumbtacks]

Separate admin and user accounts are preferable. You can also set up brew under the admin account, so it cannot be directly run without being logged in as the other admin. Then you can also lock down the standard user account ever further. Or, you could even set up a completely separate user for brew alone and only allow brew tasks. Privilege segmentation is preferable, but it may impact usability for noobs.

[Eitot]

This is what MacPorts does as well. It has its own user account.

[marcus-cr]

Never had any of the issues you encountered while updating my apps from the internet, always had to authenticate as privileged user during the update process.

+1 to the prior comments on utilizing separate admin accounts. Never used an admin account for anything other than updating and/or making system changes, ever.

I don't consider macOS to be flawless with its security posture so I'm not surprised there were (and potentially still are) privilege escalation vulnerabilities...

It's all about minimizing risks, really.

Edit: And I'm highly dubious towards BlockBlock, or anything from Objective-See for that matter.

[kopischke]

And I'm highly dubious towards BlockBlock, or anything from Objective-See for that matter.

Out of genuine curiosity: would you care to elaborate on that, @marcus-cr?

[rawtaz]

Oh, don't get it started again :-)

[kopischke]

@rawtaz problem is I have no idea what I would start? I surmise from your comment there is some long standing quarrel? Having just recently been pointed towards the Objective-See apps and feeling a bit unsure what to think of them, I would be glad for pointers.

[Eitot]

@kopischke: #90

[TraderStf]

It's not fair to always bash objective-see apps.
All are very useful, if you doubt just check what's sent over internet.

Patrick Wardle is now involved in several projects to enhance privacy.
If I had to embrace similar career, I would also try to get my first job in 'official' rat-nest, to learn as much as possible.

If you are really paranoiac, check the oldest vpn...
If I was nssa, I would create a cheap, high level security vpn, so I can directly track all users.

I'm very far for most experts here, but I think all this should be divided in different goals: stay hidden few days for journalists/activists, stay away from all advertisers/insurances blood suckers, stay away of malware.

[marcus-cr]

Not bashin', just sayin'. I'm sure their apps are useful. @kopischke: the best intro would be Eitot's comment with #90

[kristovatlas]

Also relevant to this discussion: SIP

This provides some of the mitigation effect previously offered by non-administrative accounts.

[drduh]

Added a link to this discussion under caveats.