Make sure you’re safe from this Mac security risk

Classic Mac OS, in contrast, had no concept of multiple users built-in to the system. Any person sitting down at a Mac and any process launched on that Mac could access and change anything on that system. Even though the concept of sharing your computer is now relegated to some classroom labs and supercomputer clusters, this model still is present in every macOS and iOS device today.

On iOS it is completly invisible to the user, unless a jailbreak is applied. On macOS, however, users and especially admins have to deal with it every day.

Before you can add a new user, you have to unlock the preference pane by clicking the lock icon in the lower left corner. Then the system will prompt for an username and password with adminstrative privileges. When the account you are logged in as has admin privileges, its name will be pre-filled. This sound simple, but membership in this group bestows many additional benefits.

Your Answer

In day-to-day use Administrator accounts and Standard accounts behave the same. However, there are many situations and workflows on macOS which require authenticating as an Administrator account. The first user created on an unmanaged Mac out of the box will always be an Adminstrator user. Most Mac users use an Administrator account.

Many of the workflows built-in to macOS assume an adminstrator account. One example is setting up a new printer. With an Administrator account you can install third party software.

How to Enable the Root User and Change the Root User Password in macOS High Sierra

You can also install malicious software. Often malicious software will trick users into installing by masquerading as or hiding in an installer for something useful. However, since you get prompted to authenticate even with an administrative account, the better advice is to take these prompts very seriously and consider what confirming this prompt will really do or install.

The only difference you get when using a standard account is that you need to enter a different username and password in an authentication box instead of just the password. If this helps you pause and consider what you are actually doing, then great! Then this is the proper workflow for you. However, I suspect that most users would be just as non-considerate of this dialog with a separate username and password as they would otherwise. The only difference between Adminstrator accounts and Standard accounts is the membership of the admins group.

You can check whether a given user is a member of the admin group with the dseditgroup tool:. The authorization database controls access privileges everywhere else. Mainly the root account can read, update, delete all local user accounts. It can control file and folder privileges and ownership. It can start system services running in the background and assign system network ports with a port number lower than Most of this is managed by a process called launchd which is the first process to run on macOS.

How to Enable the Root User on Your Mac

Many commands require to be run as root or with elevated root privileges. On macOS, however, there are limits to what the root account can do. System Integrity Protection is a mechanism which protects important parts of the OS from mnodification, even with root permissions. Only certain processes signed by Apple are allowed to modify these protected files and directories.

Mac OS X Recover Lost Root Password

Usually this means Apple signed installer pkgs for software and security updates. Apple lists a set of top-level directories that are protected. However, the list is a bit more detailed. Files and Folders marked with restricted are protected by SIP.

Log In As root

SIP provides more protection than just certain parts of the file system, it also protects changing the boot volume and some other aspects of the OS. While these limitations on even the root account can be annoying, they provide a level of security that parts of the OS have not been tampered with or changed by other software.

A terrible bug in early Click Open Directory Utility. Log in as the root user When the root user is enabled, you have the privileges of the root user only while logged in as the root user. If the login window is a list of users, click Other, then log in. Remember to disable the root user after completing your task.

How to activate root user account in Mac OS X Terminal

Yes No. Character limit: Maximum character limit is Start a Discussion in Apple Support Communities. Ask other users about this article.