As I go back and forth between Vista and OS X, I’ve been trying to map out the similarities and differences of their respective security models.
On both systems you can be either the administrator or a standard user, but you are never the fully-privileged root, or superuser.
When you want to change a secure setting (like the firewall), or install an application, you have to temporarily elevate your privileges.
On a default OS X system, the administrator can write a secure file or alter a secure setting without being prompted. A standard user who tries to do these things is prompted for an administrator’s name and password.
On my OS X system, as administrator, I’m prompted for name/password even to change a secure system setting, because I’ve checked the Require password to unlock each secure system preference option. Because I’d forgetten that I’d done that, the Apple ads dinging Vista for its chatty security prompts initially made no sense. From my perspective OS X was chattier than Vista.
On a default Vista system, the administrator and standard users are both prompted, but in different ways. For the administrator it’s a click-through dialog, for the standard user it requires (as on OS X) an admin’s name and password.
On my Vista system I’d prefer to mimic the OS X behavior and require a full name/password challenge. I believe that’s possible using the Local Security Policy editor but in my case, since my system is part of a managed domain, I might not be able to make that change myself.
Another thing that initially made no sense to me was that the account on my freshly-installed Vista system came up as an administrator, not as a standard user. That’s because I’d made a faulty conceptual mapping between XP and Vista. On XP, you can try to implement the old Unix best practice of creating and mostly running as a standard user, reserving the root account for occasional privilege elevation. That strategy rarely works, though, and I had initially thought that Vista’s User Account Control (UAC) system was a way to remove the obstacles that prevent it from working.
In fact Vista’s model is less like Unix or XP, where root and administrator mean basically the same thing, and more like OS X where they mean different things.
It would be extremely helpful to me, and I’m sure to many others, to see a comparative chart of exactly what those meanings are. If someone can point to one, that’d be great, because there’s been some confusing semantic drift. That word ‘administrator’: I do not think it means what you think it means.
Despite the separation of root and administrator, the old best practice of relinquishing the administrative account remains available on both OS X and Vista. Given that it’s not the default on either system this is mostly an academic question, but does anyone think that it should still be a best practice? If so, why?
On interesting data point comes from a recent interview in which Charles Torre speaks with UAC gurus Jon Schwartz and Chris Corio. (If, like me, you don’t have 65 minutes of viewing time but do have 65 minutes of listening time, you can find just the audio here.) Towards the end of the interview Jon Schwartz mentions that he considered, and rejected, the idea of setting up his parents’ machine so they’d only be able to log in to user accounts.
Because I’ve lived through the evolution of all this stuff, I still feel a twinge of guilt for running as administrator on both OS X and Vista. But most people never knew why that might be a problem, and now it’s water under the bridge — with one huge exception. There are hordes of people on XP today who will be there for years to come. So while it’s difficult to use standard accounts routinely on XP, anything that can be done to make that strategy more viable will be a huge benefit to everyone.
March 8, 2007 at 1:09 pm
The Bitfrost page on the OLPC site serves as a good reminder to programmers (myself included) that what once made sense (in terms of security), most certainly does not make sense in the end-user market.
March 8, 2007 at 1:17 pm
I wish everyone would at least try their installers in non-Admin mode. Here at work, I’m a “Power User” and able to install software — but only for my account. You’d be surprised how many installers balk at that – they only run as Admin.
March 8, 2007 at 9:25 pm
I have to agree with Corporate user. It makes thing a bit easier.
Bob Hasko
http://www.TeesMyBody.com T-Shirts
March 9, 2007 at 8:35 am
Interesting, particularly the point about semantic drift of the word administrator.
On OS X, it seems to me that my role is a regular user, not an administrator. I am only promopted for my password when I install software, change networking settings, and other things of similar impact. Thus I’m only occassionally asked for credentials and it makes perfect sense at those times.
If I remember correctly, this works like (or uses) the UNIX sudo program, which grants a temporary higher-level privelege to a regular user for a specific command. If this is so, I am running as a regular user, except when I install something, which runs the brief installation command as an administrator after I authorize it via password.
I can’t remember whether this is the default behavior for OS X, or I changed something since installing, but it seems like a pretty good way of doing things. Maybe someone running Linux can comment on whether they do things in a similar way.
March 9, 2007 at 10:11 am
I run Ubuntu, a popular Linux distribution, and it uses sudo exactly as John describes. Most of the time I run as a normal user with no privileges whatsoever. Only when I try to install programs or modify system files does it ask me for my password (just my normal login password) so to momentarily elevate my privileges. I like the Linux security model and find it fairly painless to use.
March 9, 2007 at 5:36 pm
“On OS X, it seems to me that my role is a regular user, not an administrator.”
“I run Ubuntu, a popular Linux distribution, and it uses sudo exactly as John describes.”
Right. This is relatively new though. Historically on Unix systems — and also on XP — you wound up by default as root. Demoting yourself to a regular user was a best practice, though one much less easily implemented on XP which lacks a sudo-like mechanism.
Then OS X made a distinction between superuser and administrator. Now we see that same distinction being made in Ubuntu and Vista. It’s all good, I’m just noticing that there are some different meanings of administrator in play now.
March 19, 2007 at 4:34 pm
“On XP, you can try to implement the old Unix best practice of creating and mostly running as a standard user, reserving the root account for occasional privilege elevation. That strategy rarely works, though”
Wow. What kind of problems did you encounter? I’ve been developing on XP for at least 4 years as a standard user and there are only a handful of tasks that require elevation. I was hoping for smoother behavior in Vista, but have resorted to my XP coping mechanisms (run cmd prompt as admin) because Vista is too chatty for the standard account (two prompts per elevation?).
March 21, 2007 at 3:04 am
“there are only a handful of tasks that require elevation”
I guess installing apps is the big one for me. I try a lot of stuff.
August 7, 2009 at 11:34 am
[...] already riffed on that classic bit in the titles of two other items. Now I’m compelled to do it again because when I talk about events, vis-a-vis the [...]