Folks,

Many of you will probably have heard me talk about this before, but the single most important thing that you can do for your own security is to run as a standard user for day-to-day activities, not as an admin user. OK, but most of the time you just use the first user account that you set up on Mac OS X when you first booted up the machine -- but that is an admin account. How do you get from an admin account to a standard account without losing all of your preferences, your home directory access, etc.? These are the step by step instructions.

1. BACK UP YOUR COMPUTER. Everyone on this list has a current back no more than 24 hours old, so this step shouldn't even be necessary, right? ;-)
2. Create a new admin account. Go into the Accounts preference pane, unlock it, and click on the plus sign at the bottom. Create a new account with the long name "Local Administrator", short name "localadmin", and a good password. Make sure that the "Allow user to administer this computer" option is checked.
3. Log out of your personal account and log in to the newly created Local Administrator account. Go into the Accounts preference pane, unlock it, and select your personal account. Uncheck the "Allow user to administer this computer" option. Congratulations! Your personal account is no longer an admin user account. But that's not enough. (Cue ominous Halloween music...)
   

Why is this not enough? There are probably many files and folders in the /Applications and /Library folders that you copied in using the Finder when you were an administrator. You still own those files and folders -- which means that even as a non-admin user you can still make changes that will affect the entire system. You need to find any files and folders in those two trees that belong to your personal user account and change them so that they are owned by root. To make it more complicated, there are files and folders in the /Library folder that you *should* own, inside the /Library/Caches and /Library/Logs/Console folders.

There's an additional complication; when you drag-install an application and authenticate in the Finder, the application retains its ownership. If you mount a disk image with an application, you are the owner of the original application. If you drag install it, you are still the owner when it is sitting in /Applications. This is bad. I personally feel that it is a bug — the copy should change ownership to root regardless of where you are copying the file or folder into, not leave the ownership as it was before. Your intent was to copy a file into a restricted location — not provide unrestricted access to that file forever after.

The easiest way to do this is to use the command line.

4. Open up a terminal window and execute the following four commands:

sudo find /Applications -not -user root -exec chown root:admin '{}' ';'

sudo find /Library -not -user root -and -not '(' -path '*Caches*' -or -path '*Console*' ')' -exec chown root:admin '{}' ';'

sudo chown -R root:wheel /Library/StartupItems

sudo chown -R appserver:appserverusr /Library/WebObjects

The first command ensures that everything in /Applications is owned by root and is group admin. The second ensures that everything in /Library is owned by root and is group admin, *except* for files and folders inside /Library/Caches and /Library/Logs/Console. The third and fourth fix up specific paths within /Library.


5. Log out of the Local Admin account and log back in as yourself. Congratulations!

--Paul