User Account Types in Mac OS X

By: switchtoamac at: 1:36 PM on June 27, 2006

Although Apple released the desktop version of Mac OS X (10.0) in March 2001, the underpinnings of the OS X operating system are over 30 years old.  In simplistic terms, Mac OS X is based on the BSD implementation of the UNIX operating system.  BSD in turn is a derivative of the original UNIX, which AT&T created in the 1960s and 1970s.  This article describes the user account types as they are implemented in Mac OS X.

Mac OS X is a multi-user operating system: it allows multiple users to use the same computer at the same time.  A multi-user operating system also associates every file and program with a specific user.  Although most Mac users will be the only user logged into the system at any given time, multiple users can actually be logged in at once.

Each user account in OS X has certain "privileges" and "permissions".  In other words, each user can only do certain things and is only allowed to access certain things/areas.  This multi-user model lets Mac OS X allow and, most importantly, restrict access to parts of the system.

The following user account types are available in Mac OS X:

  • Root
  • Administrator (admin)
  • User

Root, also termed the "super user", is the most powerful account in Mac OS X.  It's the do-all account; it can access, control, modify, delete, read, write, stop, start, or do anything it pleases.  While other users have "permissions" and "restrictions" on what they can access and do, root has access to everything on the operating system and can do whatever, no questions asked.  Apple has turned off the root user in default installations of OS X.  This lockdown has numerous advantages as it prevents:

  • a user and even the Administrator from accidentally doing something that could severely damage the operating system
  • unauthorized access from users
  • viruses, spyware, and malware from getting to the inner core of the operating system

As a result, Apple has significantly decreased the likelihood that an attack against OS X will succeed.  Disabling the root account secures OS X against accidental mistakes that can break the system.  It also protects OS X from harmful programs and from users whose goal is to compromise and damage the system.  This isolation is a key protection feature in OS X.  In most cases, users will never need to use the root account, but note that the root account can be enabled.  The process to enable root is beyond the scope of this article.  A warning: if root is enabled, you must guard access to it; this cannot be stressed enough.  Many UNIX attacks are based on the ability to access a system as root or to run a "process" that has root privileges.  This is a main reason for Apple locking down the root account.

To overcome the root lockdown, Mac OS X uses an Administrator (admin) account.  When you set up a new Mac or install OS X, you create the Administrator account.  The administrator is a less powerful user than root but a more powerful user than any individual user on the system.  Administrators can do things such as install system-wide software, create users, and alter system settings and preferences.  In simplistic terms, the administrator account can do most of the tasks that root can do, but with a few critical limitations.  The most important is that it cannot directly modify, add, or delete OS X system-level files, the core files that make up the operating system.  Although an administrator can access the directories and files of a normal user, the administrator still needs to authenticate with the administrator username and password.  The same holds true for some tasks such as making changes to the system.  The Administrator account should only be used to install software and to set up and configure your Mac.  You should use a "User" account for daily use, even if you are the only user on your Mac.

The User account should be configured for daily use of your Mac.  By default, this account type is the least privileged user in OS X.  I say default because a normal user does not have the ability to undertake administrative tasks.  They can however be assigned administrator privileges.  This is not a very common occurrence on most Macs, but it can be done, for example in situations where more than one Administrator is needed.  If you plan to have or currently have more than one user on your Mac, there's a good chance that all but one are User type accounts unless those users have been assigned administrator privileges.  Just make it a habit to use a User account for daily use.

By default, this type of account does not have the ability to alter system-wide settings or perform certain configuration changes.  What these users can do is make changes that only affect their own account and how OS X works for them, for example altering their desktop settings, their background picture, and screen saver behavior.  They can also change how an application behaves on an individual basis.  For example, a particular application can be configured to appear and function differently between user "switchtoamac" and user "getamac".

Further control can be imposed by Administrators on User accounts.  They can limit things such as the ability to alter a password, remove items from the Dock, or use certain applications.  If a standard user attempts to make a modification to a system-level setting or feature, he/she will be asked to enter the administrator username and password prior to continuing.  If entered incorrectly, no alteration will occur.  Thus, a User account type is a great way to prevent damage to OS X, as this type of user does not have the privileges to undertake actions that can damage the system.  This account type also protects OS X from the same type of harmful entities that can damage non-UNIX-based and OS X operating systems.
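
As an added example (not part of the original article), the shell script below checks the two recommendations made above: that the daily-use account is a standard User rather than an Administrator, and that root is still disabled. It assumes the output format of `dscl . -read /Groups/admin GroupMembership` and `dscl . -read /Users/root Password` on current macOS; the sample lines and the "setupadmin" account name are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example: classify accounts from dscl output.
# On a Mac, real input would come from:
#   dscl . -read /Groups/admin GroupMembership
#   dscl . -read /Users/root Password
# The two sample lines are constructed so the script runs offline.
SAMPLE_ADMIN_GROUP='GroupMembership: root setupadmin'
SAMPLE_ROOT_PASSWORD='Password: *'

# account_type USER ADMIN_GROUP_LINE -> prints root, admin or user
account_type() {
    if [ "$1" = "root" ]; then
        echo root
        return 0
    fi
    members=${2#GroupMembership:}
    # Pad with spaces so only whole account names match.
    case " $members " in
        *" $1 "*) echo admin ;;
        *)        echo user ;;
    esac
}

# root_enabled PASSWORD_LINE -> exit status 0 if root can log in.
# Assumption: a password field of "*" marks the disabled root account.
root_enabled() {
    [ "${1#Password: }" != "*" ]
}

# audit_daily_account USER ADMIN_GROUP_LINE ROOT_PASSWORD_LINE
# Returns 0 only if USER is a standard account and root is disabled.
audit_daily_account() {
    rc=0
    kind=$(account_type "$1" "$2")
    if [ "$kind" != "user" ]; then
        echo "WARN: $1 is a $kind account; use a User account for daily work"
        rc=1
    fi
    if root_enabled "$3"; then
        echo "WARN: root is enabled; guard access to it"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: $1 is a standard user and root is disabled"
    fi
    return "$rc"
}

audit_daily_account switchtoamac "$SAMPLE_ADMIN_GROUP" "$SAMPLE_ROOT_PASSWORD" || true
```

To audit a real machine, replace the two sample strings with the output of the `dscl` commands named in the comments.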
