fast-switching users
 

Is there a way to get the root user on the fast-switching list?
The are loads of way to get users off the list but I can not find one post on how to get them on :)

I hope not.
It is not generally considered a good idea to enable the 'root' account in OS X. Everything can and should be done via the use of 'sudo' when issuing commands in Terminal.
Using the 'root' account with the GUI is a bad idea since GUI programs are more complicated and thus more likely to have security holes.

do you know how to then mate?

I would have thought that after reading what I said above that you would understand that I am trying to dissuade people from using the 'root' account. Thus I wouldn't tell you how to do it even if I knew. But I don't know how - and since I do practise what I preach (I don't have the 'root' account enabled on any of my systems), I'm unlikely to find out.

I believe WinSwitch (free) can add root to the list. It's so frickin' useful anyway, just install it.

though I do have to agree, why use root when you can use something like sudo. Running as root is like throwing out the security advantage of Mac over Windows.

Thanks Styrafome for the link. Hayne I am not being funny but if I asked about added root to my fast-switching list not about root access read here for more info about that. I am not going to go into why i have to add root to the fast-switching list but I do.

And saying things like is not nice & sounds derogatory mate. why post your not going to help on a help forum? I do know a lot about computers and there are something I don't know that why I was asking for help.

Do apart from that I think you sound like a nice guy mate so lets forget it ;)

I also use WinSwitch for this purpose. It works really well.

I represent that minority of OS X users who enables root on every machine I own (but uses it very sparingly). ;)

What I'd like to see is the ability to switch between accounts (already previously logged in) without having to enter the password. I use my notebook for presentations all the time and the ability to rapidly switch to another account already setup for a particular demo would be nice. Of course, I know I could do it by having no password on the account, but this would defeat the security of the system.

So would fast user switching without passwords. ;)

Chris

No it wouldn't. At least not completely. What Vegas is asking for makes a lot of sense.

Many of us have our Macs at home, and we don't need to keep family members out of our accounts, but we want to be able to require a password to login from another computer, just in case a hacker gets through from the internet. Having the ability to turn on truly fast user switching would be ideal for us.

Suppose little-Johnny downloads this cool enhancement program for his computer game and this program turns out to be a trojan-horse - i.e. some sort of malware.
Do you need to keep this trojan-horse out of your account?

its silly apple did not make it so admins can switch between accounts without passwords.
Because if someone is a admin then they can get to your files anyway

Not without giving their password.
I.e. what scenario are you thinking of where an admin can access another user's files? Isn't there a point in this scenario where they will be asked for their password?

AFAIK, root (uid 0) is the only user who can access anyone's files (assuming they're not encrypted).

I've seen both sides of the issue, and I tend to believe that the correct approach is to err on the side of security and require the passwords to switch users. Once you start making compromises in that area you fall down the same hole that Redmond is trying to crawl out of, because people will always keep asking for more compromises of security for temporary convenience.

No little-Johnny here. There are plenty of people who don't have kids or whose kids are grown.
;)

I'm not saying that this feature should be automatic. I think that each account should have the option of turning it on for that account. For example, why couldn't you have three open accounts, and only two allow you to switch without a password?

It sounds like you're asking for virtual desktops. Search MacUpdate for "virtual desktop" and you'll find a few.

Chris

The only way you are getting access to all user file on the Computer, short of Root-Access, is to enable target-disk mode and mount the machine to another. When Mounted as an external FW Drive, one can look through all visible folders with impunity.

That being said, for normal operation, I think the use of passwords is very necessary. If I allow someone to log into their account on my computer, I do not want them being able to get back into mine, just because they are an admin.

Note that you can prevent access via target-disk mode if you set an Open Firmware password:
http://docs.info.apple.com/article.html?artnum=106482

Just to make sure you understand the situation - any admin user can access your files if they desire. But they will need to supply their password (e.g. via 'sudo'). You shouldn't make someone an admin unless you want them to have full control over the computer.

It looks like a bit more than I'm asking for, but I'll try it! :)

What about if apple use the Keychain system to remember the fast switching password? That way it would not compromises the systems security more then it already is.

virtual desktops are a good idea if your looking for more desktop space.
but if you want to uses multiply finder's, X11, ect it is a lot more easy to use fast switching

That would be about the only feasible way to implement this, that I can see. But in that case, each user that you might want to switch to/from would have to have every other user(s) information that you might want to switch to/from stored in their Keychain. This could turn into a real maintenance nightmare pretty quickly with 3 or more users, and you'd be dealing with the dialog to update each Keychain after most system and security updates.

At that point you might just as well use no passwords at all.

Sorry for reopening an old thread, but I couldn't resist on commenting on this nonsensical statement.

Of cause, presenting some information in a window requires more effort from a programmer than a simple printf("whatever");
But commandline-apps are more complicated to use than gui-apps, that's especially true for most of those old unix tools with their switches and options and arguments and the constant danger of typos - the biggest security hole in every computing environment is always sitting in front of the console.
While commandline tools are really first class for automating repeating tasks with scripts, they suck in every day use, when I have to read the man-page once again to find the right switch, when a good gui had taken me fractions of the time to find the right radio-button.

And if you're going to find a severe security hole in the software, it will most likely not be in any gui-app, but in those background service tasks, that are started from the system and are running in root-context.

Now imagine a non-GUI version of netinfo-manager (you probably wouldn't want us to use it either...)

hayne's statement makes perfect sense.

Remember the last couple of bad security problems (Safari-Help.app for example). Apple starts to get the hang of rolling out patches for bugs which get fixed in *.BSD, yet they manage to be a lot sloppier with their own, not-open-source stuff.

There are right now pretty bad, published problems with OS X unfixed for months.

While it is easy to write sloppy code for both CLI and GUI and stupid users are definitely a big danger to any computer, limiting priviledges also on GUI-programs still is a good idea.

Tu verras en viellissant, mon jeune ami, tu verras...

Amen. I think of the commandline as an unfinished project, and while it's nice to have it available, I often wonder if it isn't a giant step backwards. It being available certainly doesn't encourage people to write software with a better user interface.

You mean like /usr/bin/niutil & /usr/bin/nicl?

I think one becomes accustomed to what they use. I use both GUI and command line every day and feel quite conformable in both. I don't think either one has more or less security holes due to their nature of being GUIfied or not, nor does radio buttons and args/switchs have a whole lot of baring on 'security'. Remember that many of the utilities that you use are simply GUIfied front-ends for existing CLI binaries.

I believe the thrust of hayne's argument is that you really don't need root enabled. 99.999999% of the things you need to do as root can be done using sudo or your admin account. Why add an extra layer of potential exploit by enabling root? How often do you log in as root? Would you immediately know if root's password was compromised? Why risk it unless you need it?

Personally, I need it for various reasons. But 75% of Mac users out there do not. At least 50% of those never venture into the CLI and don't need it. 14% of Mac sysadmins know that. :)

It takes me a lot longer to connect to a remote Mac with Timbuktu, kick the user off, log in as myself, run Software Update, press buttons, enter passwords, click more buttons and wait...

Then it does for me to passwordless ssh into the same box, sudo run a shell script I wrote to do that same, enter my password, and be done with it.

The same goes for supporting a Mac OS X box versus an OS 9 box. I have SO many more tools at my fingertips for troubleshooting/fixing a Mac OS X box then I ever did on an OS 9 box.

And I, for one, welcome our new CLI Overlords. I'd like to remind them that as a trusted forum personality I could be helpful in rounding up other GUI-users to toil in their underground sugar caves.

There will always be things that one is good at and the other isn't. My worry is that many of the things that should be done in a gui won't be, simply because it's possible to do it from the cli, although not easily, efficiently, or even securely.

I wouldn't worry too much about that.. I'm pretty sure most developers for Mac OS X write GUI apps. I cannot think of a single (non-apple) group that is writing (NOT porting existing binaries!) stuff strictly for the CLI. Doesn't mean they don't exist however..

A lot of the recent discussion has been merely presenting the argument that GUI apps are easier to use than CLI apps and thus the user will be less likely to make a mistake.
I'm not arguing with that.

But the whole thread is about logging in as root, not merely using one special utility with root privileges.
When you log in as root, you will have the whole windowing environment running as root. And all apps that you run will be running as root. E.g. you want to look at some instructions for the procedure you are doing, so you open up a web browser and go to some web page - all of which is done with root privileges. That means that any exploit in one of those apps will automatically have root privileges and thus have full control of your machine.

I see nothing wrong with judicious use of trusted GUI apps with root privileges. But you should start these up one at a time with something like "Pseudo" - or preferably, these utilities should ask you to authenticate so they can obtain root privileges as required. The idea is to minimize the time that you are without a safety net.

And I note that when people talk about security issues, they aren't talking about users making mistakes and destroying their system. When you make a mistake like that you usually notice it. There is a fate worse than (system) death - it is having your system taken over by a mal-doer and you not even being aware of it.

I realize I'm a bit off topic, but here I go anyway:

What I'm worried about is subtler than developers writing GUI software or not. It's that there are functions that depend on the CLI simply because nobody has written a GUI and nobody is likely to.

Even if some one does, it may be only to give a function a GUI appearance, and that would likely mean forgetting about ease of use. Just look at the best apps for the PC. Most were originally written for the Mac. And many of the worst on the Mac are direct ports from the PC. My scanner software: Canoscan for example, is a GUI, but poorly done, and a PC port.

The long term effect will be to water down one of the Macs best attributes. I'd hate to wake up one day to hear people saying that Macs are fine as long as they're "properly configured" like some other systems. We all know that's just code for "they're trouble."

Have there been any updates to this idea that any of you know of? My wife and I just started sharing my new G5, and we're already getting kind of sick of typing in our passwords whenever we use FUS. We're both admins (though I'm primarily in charge of all maintenance, etc), but like FUS so we each have our own desktops, bookmarks, mail, etc. There's no 'little kids' running around to download malicious things, so in that sense security is of no concern.

Ideally OS X would still authenticate on application installs, etc... just not FUS.