Help, Guides, and News on making the Switch To Apple Macintosh Computers
Aside from an awesome user interface and a great underlying architecture, Apple built OS X with security in mind. As part of that central security theme, OS X has been designed using three key isolation features:
- System Isolation
- User Isolation
- Memory and Application Isolation
System isolation means that, by default, the inner core of the operating system is separate from users and other programs. Users and programs cannot access the inner workings of OS X without the computer's administration password. The administration password is assigned to the user who set up OS X on the machine, the so-called Administrator. When you purchase a new Mac, you are guided through a program called the "Setup Assistant" that creates an Administrator account and associated Administrator password. In daily computing activities, users of OS X should use what is referred to as a "Normal" account, a less privileged user in OS X. I will provide a write-up of the Setup Assistant in a future post.
An advantage of this System isolation design is that a Mac is inherently protected from malware, spyware, viruses, and potential intruders. In February 2006, news hit the wires that alluded to the first Mac virus. The media and those who didn't know better were quick to report that OS X was now vulnerable to the same problems that plague Windows. The program relied on “social engineering”, a process where something is not self-propagating and requires help from the computer user in order for it to work. The program required users to enter the Mac OS X administration password. This mere fact demonstrated that the OS X architecture is safe because the program wasn't able to do anything on its own. It's just common sense not to enter the administration password just because a program requests it. This protection is in stark contrast to the Windows platform where a simple visit to a website or download can compromise the system. In many cases, Windows users are unaware that a program has found its way into the computer without their consent. Check out this great read outlining the major problems with Microsoft's Internet Explorer browser.
Windows users find that over time, their computer doesn't seem to run as fast as it did when it was brand new. Why does this strange behavior occur? The problem has its root in bad design. The Windows System folder (directory) can become a dumping ground for junk left behind by programs and other things. The OS X System folder (directory) does not suffer from this problem because programs can't access the OS X system level directories by default. As a result, junk is not left behind by programs and other things. There is also a difference with software installations between Windows and OS X. With most Windows-based programs, a user has the option to install the program in whatever directory/folder he or she chooses. On a Mac, installed software ends up in the "Applications" directory (folder). This "one place for all" implementation keeps OS X more secure, stable (crash resistant), organized, and helps the system run optimally. If by chance an installed program needs to add system level support files in order to operate, those files do not go into the OS X System folder; instead they go into the "Library" folder.
There are actually three different locations of Library folders on OS X all under the Macintosh HD (hard drive):
- /System/Library
- /Library
- /Users/<short name of user>/Library
The /System/Library folder holds essential inner and restricted files that OS X needs to operate.
The /Library folder contains files available to ALL users and applications running on OS X. For example, fonts and printer settings. This folder can be modified by the Administrative user. This is the folder where third-party software and applications place the support files that they need to operate.
The /Users/<short name of user> directory is discussed in the next section, User Isolation. Note that unless you know what you're doing, do not alter the content in the Library folders.
Hence, system isolation is a key feature of Mac OS X that separates and protects the core of the operating system from applications and users.
User Isolation
Each user is separate from the other users in OS X as each user has a "Home" directory. For example, if a system had the users "switchtoamac" and "getamac", the following Users directories would be created:
As a result, the files created and stored by "switchtoamac" will be inaccessible to "getamac" and vice versa. A user's Home directory is only accessible by the user that is currently logged into OS X. Note, however, that in addition to accessing its own Home directory, the OS X Administrator can access the Home directory of each individual user on the system, although the Administrator will still have to type the password to get such access. The administrator is not the so-called "superuser", referred to as root. A future post will describe the root user. Each user's "Home" folder can store documents, files (including pictures, music, etc.), settings, and program caches such as cached pages and cookies in Safari. Some benefits of this implementation are easy backups, user experience, and customization. Backups are a breeze. If a user wants to back up their documents and settings, all they need to do is back up their Home folder. Mac users can customize their computing experience as they see fit. Each user's settings only apply to that specific user; other users will not be impacted. An additional benefit is that users, to some degree, can customize how software will work under their account.
Each user also has his or her own Library directory. The /Users/<short name of user>/Library is user specific. This Library folder holds files and settings specific to an individual's preferences, recent items, web site bookmarks, Address Book entries, keychain, and so on.
Just about every Mac OS X application can be customized via each application's preferences settings. Whenever a setting is altered, Mac OS X updates the application's preferences file. These files are identified with a .plist extension. When the application launches, OS X checks the preferences file to determine how to set the application for the user. OS X maintains a separate preferences file for each application and each user. For example, each user has his or her own plist file for Safari stored in the following area:
User isolation is a great feature that Mac OS X uses to separate users from other users.
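The separation between Home folders is enforced through UNIX file permission bits, so it can be checked rather than assumed. The following is an added example, not part of the original post: it audits each Home folder for entries that accounts other than the owner can read or traverse. The function names and the folder modes in the sample layout are constructed for illustration.

```python
import os
import stat
import tempfile

# Permission bits that let accounts other than the owner read or enter an item.
OTHERS_ACCESS = stat.S_IRGRP | stat.S_IXGRP | stat.S_IROTH | stat.S_IXOTH

def audit_home(home):
    """Return {entry: octal mode} for items in `home` open to other accounts."""
    exposed = {}
    for name in sorted(os.listdir(home)):
        mode = stat.S_IMODE(os.lstat(os.path.join(home, name)).st_mode)
        if mode & OTHERS_ACCESS:
            exposed[name] = oct(mode)
    return exposed

def audit_all(users_root):
    """Audit every Home folder found under a /Users-style directory."""
    return {user: audit_home(os.path.join(users_root, user))
            for user in sorted(os.listdir(users_root))}

def build_sample_users(root):
    """Constructed sample data: two Home folders under <root>/Users.
    'Public' is the folder meant for sharing; in this sample 'getamac'
    has loosened Documents, which is the finding the audit should report."""
    layout = {
        "switchtoamac": {"Documents": 0o700, "Library": 0o700, "Public": 0o755},
        "getamac":      {"Documents": 0o755, "Library": 0o700, "Public": 0o755},
    }
    for user, folders in layout.items():
        for folder, mode in folders.items():
            path = os.path.join(root, "Users", user, folder)
            os.makedirs(path)
            os.chmod(path, mode)   # set the exact mode regardless of umask
    return os.path.join(root, "Users")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        for user, findings in audit_all(build_sample_users(root)).items():
            print(user, findings)
```

On a real Mac, pass `/Users` to `audit_all` from an account allowed to list the Home folders.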
Memory and Application Isolation
Apple designed OS X to run applications in isolation. There are two major benefits of this feature, Memory Management and Application Isolation.
The UNIX underpinnings of OS X provide a clean, modern, and efficient memory management system. Mac OS X implements “Protected Memory”, a memory management feature that gives each running application its own unique space (chunk) in the computer's memory (RAM). The benefit of this implementation is that OS X prevents the sharing of memory between applications. In other words, a particular running application cannot use the memory used by another running application and, most importantly, an application cannot access the memory used by the operating system. This isolation provides an inherent crash-resistant safety feature to OS X because if an application becomes unstable, unresponsive, or it crashes, a Mac doesn't need to be restarted. All that needs to happen is that the application is shut down or terminated. The benefit is that the operating system and other running applications will not be affected. Windows users are accustomed to an application locking and having a domino effect on the entire system. In many cases, Windows will stop working, the system will crash, or a reboot will be required.
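Protected memory can be observed directly on any UNIX system, OS X included. The following is an added example, not part of the original post: it starts a second process that overwrites its own copy of a buffer and then reads an invalid address, and shows that the first process and its data are untouched. The function name is hypothetical.

```python
import ctypes
import os
import signal

def crash_in_child():
    """Fork a second process, let it overwrite its copy of a buffer and then
    read an unmapped address. Returns (parent_buffer, child_signal_name)."""
    buffer = bytearray(b"parent data")       # lives in this process's memory
    pid = os.fork()
    if pid == 0:
        # Child: runs in its own address space from here on.
        signal.signal(signal.SIGSEGV, signal.SIG_DFL)  # default action: terminate
        buffer[:] = b"overwritten"           # changes the child's copy only
        ctypes.string_at(0)                  # read address 0: invalid access
        os._exit(0)                          # not reached
    # Parent: wait for the child and record how it ended.
    _, status = os.waitpid(pid, 0)
    name = None
    if os.WIFSIGNALED(status):
        name = signal.Signals(os.WTERMSIG(status)).name
    return bytes(buffer), name

if __name__ == "__main__":
    data, sig = crash_in_child()
    print("child terminated by", sig)
    print("parent still running, buffer =", data)
```

The kernel stops only the process that made the invalid access; the parent keeps running with its original data and needs no restart.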
Apple designed OS X to allow applications to be provided to OS X users as an application bundle (packaged unit) or packaged with an installer. An application bundle contains all the essential files to allow the program to run. This makes a bundled application's installation and removal a breeze. All you do to install the program is drag the application's icon to the Applications directory (/Applications). Each application will get its own folder/directory in the /Applications directory allowing each application to be isolated from the other applications in the /Applications directory. To un-install the program, you grab the icon and drag it to the trash bin.
Some applications rely on an installer to install the program. For example, Apple's Final Cut Pro software uses an installer to install the application.
By having all applications in the /Applications directory, additional benefits can be realized. For example, you will be able to easily move your applications to a new Mac by using the OS X "Migration Assistant" or upgrade to a new version of OS X by using the "Archive and Install" option.
System Isolation, User Isolation, Memory and Application Isolation are key features that contribute to a more enjoyable experience for Mac OS X users. For those interested in using the most modern, secure, and stable operating system available on the market, use a Mac.
May 11, 2006:
- Clarified password requirement for Administration account
- Clarified information about Application installations
- Added information about the "root" user
- Corrected typos
- Added links to posts about Setup Assistant and Root account