Apple Pro Training Series: OS X Support Essentials 10.10: Supporting and Troubleshooting OS X Yosemite: User Account Essentials
Reference 5.1 User Account Essentials
With the exception of the rarely used OS X Recovery system or single-user modes, you must log in with a user account to perform any task on a Mac. Even when the computer has just been started up and is showing the login window, and you haven’t yet authenticated, the system is still using a handful of system user accounts to maintain background services. Every single file and folder on a Mac computer’s hard disk, every item and process, belongs to some type of user account. Consequently, you need a thorough understanding of user accounts to effectively administer and troubleshoot OS X.
User Account Types
The majority of home Mac users are only aware of, and therefore only use, the account created when their computer was initially set up with Setup Assistant. OS X is engineered to mimic a single-user operating system by default. However, OS X supports multiple simultaneous user accounts. The system also supports several types of user accounts to facilitate different levels of access. Essentially, you choose a specific account type to grant the defined level of access that best meets the user’s requirements.
User accounts are categorized into five types: standard accounts, administrative accounts, the guest account, sharing-only accounts, and the root account. Apple has made these different account types available to provide greater flexibility for managing user access. Because each account type is designed to allow different levels of access, you should also be aware of each account type’s potential security risk.
Standard accounts strike the best balance between usability and security; they are also commonly used when multiple people share a computer. This account type is very secure, assuming an appropriate password is set. Standard accounts have read access to most items, preferences, and applications.
Standard user accounts are allowed to use nearly all the resources and features of the Mac, but they generally can’t change anything that might affect other users on the system. The lone exception to this rule is that standard account users can install application and system updates from the Mac App Store. This ability includes applying system updates, which obviously have systemwide effects. If your organization restricts this type of activity for standard account users, then an administrator can disable automatic software updates from App Store preferences in the System Preferences application.
Even though standard accounts are allowed full access to the Mac App Store, they are not allowed to manually modify the /Applications folder or use other traditional installation methods. This means that standard account users are not allowed to install most software distributed outside the Mac App Store. This may seem unfair for developers that don’t distribute via the Mac App Store. However, Apple has instituted tight controls over Mac App Store distribution that provide assurance that the content remains safe for standard account users to install.
Administrative accounts aren’t much different from standard accounts, with one important distinction: Administrative accounts are part of the admin group and are allowed full access to almost all applications and preferences, and most system files. By default, administrative account users do not have access to protected system files or other users’ items outside of shared items like the Public folders. Despite this, administrative account users can bypass these restrictions both in the graphical environment and using Terminal, if needed. For example, administrative account users are allowed to install and run any software as long as they successfully authenticate when the installer application asks for authorization.
Because an administrative account is the initial account type created when the Mac is configured for the first time using Setup Assistant, many use this as their primary account type. This is advantageous because it lets the user change literally anything on the computer, as is required for system management. The downside is that this user is allowed to make changes or install software that can render the system insecure or unstable.
Additional administrative accounts can be used for daily tasks, but this isn’t always the best idea, because, again, all administrative accounts are created equal. In other words, all administrative accounts have the ability to make changes to anything on the system, including deleting or changing the passwords to other administrative user accounts. Administrative users can also change the administrative rights for any other user account, either disabling current administrators or changing standard users into administrators. Further, opening poorly written or intentionally malicious software as an administrative user could seriously harm the system software.
Most significantly, though, any administrative user can enable the root account or change an existing root account password using the Directory Utility application located in the /System/Library/CoreServices/Applications folder. For these reasons, you should seriously consider limiting the number of administrative user accounts on your Mac systems. Additional standard accounts can be created for more secure daily use, but managing OS X requires access to at least one administrative account.
Because enabling the guest account may be considered a security risk, it is disabled by default on OS X. Once enabled, the default guest account is similar to a nonadministrative user, but without a password. Anyone with physical access to the computer can use it to log in.
However, when the guest user logs out, the guest account’s home folder is deleted, including any home folder items that would be normally saved, like preference files or web browser history. The next time someone logs in as a guest, a brand-new home folder is created for that user.
Even though the guest home folder is deleted every time a guest logs out, the obvious security risk here is that literally anyone has access equivalent to that of a standard user account, including access to the /Users/Shared folder and users’ Public folders. Unlike the guest user’s home folder, the contents of these other folders remain after the guest logs out. This means a guest user could execute some potentially nasty applications or fill your disk with unwanted files. Guest users can also restart or shut down your Mac, potentially allowing them to compromise the system during startup.
Fortunately, parental controls enable you to restrict the guest account from running unapproved applications or restarting the Mac. Giving the guest account only limited access, as covered in “Reference 5.3 Parental Controls”, can provide a safe mechanism for temporary user access. Additionally, you can change the access permissions on shared folders so the guest account is not allowed to copy any items to your disk. Changing file and folder permissions is covered in Lesson 11 “Permissions and Sharing”.
OS X allows special user accounts to be created that have access only to shared files and folders. Sharing-only accounts have no home folder and cannot log in to the Mac computer’s user interface or Terminal. Sharing-only user accounts are, by default, allowed file sharing access to users’ Public and Drop Box folders, so, like the guest user, these users could potentially fill the disk with unwanted files.
On the other hand, sharing-only user accounts cannot log in to the Mac otherwise, and can be required to use a password, so designating sharing accounts is generally much safer than using the guest account for file sharing. You can further control sharing-only account users’ access to your files by adjusting file and folder permissions.
The root account, also known as the System Administrator, is turned off by default on OS X clients, and for good reason: The root account has unlimited access to everything on the Mac, and a user logged in as root could do anything at all with the system. The root account can read, write, and delete any file; modify any setting; and install any software. Since many system processes run as the root account, it needs to exist on the system; otherwise, OS X wouldn’t be able to start up.
The potential for nefarious activity is literally unlimited with root account access. To help prevent abuse of this account, the default OS X configuration does not have a password set for the root account; therefore, you cannot log in with the account.
However, as covered previously, any administrative user can choose to enable the root account or change an existing root account password using the Directory Utility application. Again, because it only takes an administrative account to initially access the root account, strictly limiting administrative usage is the key to safeguarding the root account.
Local Group Accounts
Essentially, a group account is nothing more than a list of user accounts. Groups are primarily used to allow greater control over file and folder access. OS X uses several dozen built-in groups to facilitate secure system processes and sharing. For instance, all user accounts are members of the staff group; administrative user accounts are also members of the admin group; and the root account has its own group, known as wheel. Using groups to manage sharing is discussed in Lesson 11 “Permissions and Sharing”.
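The account types described in this reference (standard, administrative, sharing-only and root) and the admin group membership described just above can be audited from Terminal. The script below is an added example, not material from the book or from Apple: it reads the same Directory Services records that System Preferences manages, using dscl, and reports how many administrators exist and whether root has been enabled. The dscl commands are real OS X commands; the markers used to recognize a sharing-only account (no home folder, recorded as NFSHomeDirectory /dev/null and UserShell /usr/bin/false) and the ShadowHash test for an enabled root account are assumptions drawn from how OS X stores these records, not statements from the page. The sample records are constructed so the parsing logic runs on any system, with or without dscl.

```bash
#!/bin/bash
# Added example (not from the book): audit local account types using dscl.
# The parsing functions take dscl output as text so they can be exercised on
# the constructed sample records below; the live section at the bottom only
# runs when dscl exists (i.e. on OS X).

# List admin group members other than root.
# Input: the line printed by   dscl . -read /Groups/admin GroupMembership
# which has the form "GroupMembership: root alice bob".
admin_members() {
    printf '%s\n' "$1" |
        awk '/^GroupMembership:/ { for (i = 2; i <= NF; i++) if ($i != "root") print $i }'
}

# Root is usable only once an administrator has set a password for it.
# A disabled root has no ShadowHash authority; dscl then reports the key as
# missing (assumption: enabled root carries ";ShadowHash;" in the attribute).
# Input: output of   dscl . -read /Users/root AuthenticationAuthority
root_enabled() {
    case "$1" in
        *ShadowHash*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Classify one user record as sharing-only, administrator or standard.
# $1: output of  dscl . -read /Users/NAME NFSHomeDirectory UserShell
# $2: newline-separated admin list from admin_members
# $3: the user name being classified
classify_user() {
    local home shell
    home=$(printf '%s\n' "$1" | sed -n 's/^NFSHomeDirectory: *//p')
    shell=$(printf '%s\n' "$1" | sed -n 's/^UserShell: *//p')
    # Sharing-only accounts have no home folder and cannot log in (assumed
    # markers: /dev/null home and /usr/bin/false shell).
    if [ "$home" = "/dev/null" ] && [ "$shell" = "/usr/bin/false" ]; then
        echo sharing-only
    elif printf '%s\n' "$2" | grep -qx -- "$3"; then
        echo administrator
    else
        echo standard
    fi
}

# Count administrators (excluding root) from a GroupMembership line.
admin_count() {
    admin_members "$1" | awk 'NF { c++ } END { print c + 0 }'
}

# Print a short summary; flags more than one administrator, since the book
# recommends keeping administrative accounts to a minimum.
audit_summary() {
    local n
    n=$(admin_count "$1")
    echo "administrators (excluding root): $n"
    if root_enabled "$2"; then echo "root: ENABLED"; else echo "root: disabled"; fi
    [ "$n" -gt 1 ] && echo "note: more than one administrative account is present"
    return 0
}

# Constructed sample records (not captured from a real system).
SAMPLE_ADMIN_GROUP='GroupMembership: root alice bob'
SAMPLE_ROOT_DISABLED='No such key: AuthenticationAuthority'
SAMPLE_ROOT_ENABLED='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'
SAMPLE_ALICE='NFSHomeDirectory: /Users/alice
UserShell: /bin/bash'
SAMPLE_DAVE='NFSHomeDirectory: /Users/dave
UserShell: /bin/bash'
SAMPLE_CAROL='NFSHomeDirectory: /dev/null
UserShell: /usr/bin/false'

if command -v dscl >/dev/null 2>&1; then
    # Live audit on an OS X system.
    audit_summary "$(dscl . -read /Groups/admin GroupMembership)" \
                  "$(dscl . -read /Users/root AuthenticationAuthority 2>&1)"
else
    echo "dscl not available; auditing constructed sample records"
    audit_summary "$SAMPLE_ADMIN_GROUP" "$SAMPLE_ROOT_DISABLED"
    for name in alice dave carol; do
        eval "record=\$SAMPLE_$(printf '%s' "$name" | tr a-z A-Z)"
        echo "$name: $(classify_user "$record" "$(admin_members "$SAMPLE_ADMIN_GROUP")" "$name")"
    done
fi
```

Run it as an administrator from Terminal; reading Directory Services records does not require root. A result of more than one administrator, or an enabled root account on a machine where nobody intended to enable it, is exactly the condition the reference warns about, and the fix is the one the text gives: demote extra administrators to standard accounts and leave root disabled.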