Best way to change master user acts & 1Password? Moving 1Password to include std account?

RunInCircles
Community Member
edited November 2014 in Mac

Question is in the header.

Latest recommendation is to avoid admin accounts as much as possible in Yosemite & earlier
while online as there is a newly discovered security vulnerability that has not been remedied. (Intego blog).

The quandary: How best to either move the admin act, or manage 1password between the admin account &
standard accounts after it was set up differently a long time ago.

In my case, many of the apps & the password is set for the admin account only. (Adobe apps don’t always play nice, for example).

I’m at a point where I can do without a cascade of complications if it goes awry to either try to make a new admin acct
(which I think may collide with external email accounts, the ISP and Apple), or slide items around.

Any suggestions?

Comments

  • RunInCircles
    Community Member

    Addendum: SHARING a vault seems like one option, though not sure it’s the best way to resolve this.

  • littlebobbytables
    1Password Alumni

    Hi @RunInCircles

    To be honest this has always been best practice anyway, ever since I moved to OS X that's how I've run all my machines. An admin account that I barely touch and then my normal user account.

    Can you not make a new admin account and then reduce your previous account to that of standard user? That way you wouldn't have to start moving massive amounts of stuff around.

  • RunInCircles
    Community Member
    edited November 2014

    Hi. Thanks, littlebobbytables:

    Your suggestion is one option & what seems to be the most direct & logical.
    It may be what I will resort to, but I don’t think it will be painless.

    Investigating this in the past - appears to have other complications.
    (The details escape me at this early hour. Actually I think some applications HAVE to be run from the ‘parent’ account, & it may impact iCloud accounts. I was hoping not to have to reconstruct that digression from scratch, as I don’t actually remember all the complications any longer).

    I was looking for “gotchas” in advance of jumping in with both feet. My first cut at research did not yield an answer, thus I thought I’d ask, in the hopes that someone would have fresher insights: It seemed smarter than discovering after-the-fact, that there was a better way to go about it.


    A little off-topic:
    I understand maintaining a pristine admin account is the best practice option - unfortunately, it must be seen as too complex for average users. You never see it well recommended on first set up.

    I have to cynically conclude that, because no one offers this as a valid initial set up, that it is because they are trying to make it all as simple as possible for the newest users.

    I have a novel’s worth of things to say there, and explanations why - but it’s off-topic.
    Suffice it to say that it may impact other family users on a machine.

  • RunInCircles
    Community Member

    OK, so once I get the user & admin accounts swapped:
    The next question is about changing the keychain.

    One default keychain predominantly, however it’s now in the std user log-in.
    This doesn’t seem like a wise place for all passwords. Best way to move the keychain to the new admin act selectively?

  • littlebobbytables
    1Password Alumni

    @RunInCircles

    Actually I'd leave the keychain well alone, it can be pretty sensitive to being prodded.

    I could be mistaken but the goal at the moment is to reduce the scope of damage because of a serious bug, and until they fix it the best practice is simply to not run as an administrator, is that correct? My user keychain holds almost all my stuff in it as it's the account I use. The admin account in setups like this is to restrict items from installing anywhere they please. Basically you're limiting write access to large parts of the filesystem or easy access to altering System Preferences etc without it being unlocked. All of these sorts of things will push up an authentication confirmation dialog requiring the username and password of an administrator. With terminal it gives an extra layer of security too. I can ssh into my machine under my user account but I can't ssh in as the administrator and so I can't escalate my privileges to root without first su'ing into the admin account (which isn't named admin).

    I'm happy to post based on my knowledge but you might find the apple discussion boards another good place to ask some of these questions. Apple staff don't tend to post but there is a pretty active user base there.

    You're right by the way, getting the typical user to think of security in these terms and be willing to go through the extra steps, well let's face it, it isn't likely. It's exactly what I've done with my mother's own machine though (Windows). I'm the administrator and nothing gets installed without me remotely connecting and doing it myself. She doesn't care and I know the machine stays safe. It still annoys my younger brother that at the tender age of 35 I still won't supply the password :stuck_out_tongue: The results speak volumes though, the only issue we've had was an update to the ethernet video card that came via Windows Update trashed the system forcing an unscheduled visit home to sort the whole mess out. Okay, I'm digressing now.

  • RunInCircles
    Community Member
    edited November 2014

    Hi littlebobbytables,

    _It’s been a while since I checked back in here:_

    _Sorry for the lack of a prompt response._

    Once a machine is set up less than ideally – it’s a nightmare to clean up & organize.

    Leaving the keychain alone at this point [converting former admin to standard & creating a new, more secure admin] per your recommendation is what I’ve already done.
    * It means that when I log in as admin – I don’t have access to the password vault, however.

    This gets messy when something doesn’t go right in an app install, my keychain is one place & the admin account in another. Some apps require installation from the MASTER - or admin account. User switching works, but not always well.

    It also makes the 1Password feature aggravating in conjunction with user switching. Which generates frustration that gets heaped, or misapplied to all the apps which confound a clean process!

    For example
    I have an app update that isn’t working as it previously did in the earlier version. A draw/3d app that requires materials installation.

    Tech support for that product decides I have a corrupt install (easy tech support “out”) & provides detailed instructions for a clean install.

    I suspect it’s just the lowest impact on tech support that is being addressed in the claim of corruption.

    One rarely gets a good accounting of how they store the files - (in this case, not entirely per Apple’s usual scheme) and this makes it wonderfully easy to lose things like predefined paper sizes and other customizations & macros, etc. Presumably SOME of these should be in a library preference folder, but I’m not betting on it!!!

    Re: FORUMS
    Yes, there are good things on the Apple Forums, but those get clogged after awhile - with inane & indecipherable headers.
    Headers I’ve seen on [other] forums are “I have this problem too.” Which is really [not] useful when it comes to finding specific similar issues - and if it turns out easier to pose the question & winds up being a duplicate topic post, people get all pissy.

    Further, you get cranky forum moms on the discussion boards that regale you with reminders that the Apple forums are really just for APPLE software
    & you should go elsewhere for 3rd party apps.

  • littlebobbytables
    1Password Alumni

    Hi @RunInCircles

    So there are a couple of bits in there.

    App installation. To be honest it's pretty rare for me to actually log into my administrative account to add software. Most mac software is simply drag and drop and OS X will bring up an authentication request dialog. Depending on how you feel about it you could reduce these requests by allowing your standard account write privileges to /Applications and subfolders - any naughty program still couldn't simply place files wherever it pleases.

    If a program requires an installer because it wants to spread its files about then as long as they're using a reasonable installer it should ask for admin privileges. That means for most programs you can install them whilst never leaving your standard user account. I'm sure there are a few that don't behave but it should be rare.

    If you find you do need to switch between the two accounts and access to your vault in both is required that is possible. If you already sync your vault with Dropbox or iCloud then that should be easy enough. The process for syncing with another computer should work for a second account. If you don't want a copy of your keychain leaving your computer that's fine too. There is a /Users/Shared folder. In your standard user account you could set up Folder Sync and use that folder as a location (sync is in 1Password's preferences in the Sync tab). I'd then recommend going to the folder and bringing up the inspector (with the keychain selected it's the keyboard shortcut ⌘i). In there you want to set both you and your admin account to read/write privileges on the keychain and its contents. Then from your admin account you should be able to sync with the keychain. That's actually the purpose of the Shared folder but you have to watch out for who can read/write as it's still part of the OS X file space and so privileges matter.

    If I've missed any points you raised let me know :smile:

  • littlebobbytables
    1Password Alumni

    Hi @RunInCircles

    In researching permissions and /Users/Shared I found a rather annoying issue regarding permissions. If you go down this route let me know as I've found two workarounds, I just haven't put anything down on paper (so to speak). If it's desirable though I will. Without one of these workarounds it would be best to only alter/add entries to the vault via your standard account and assume read only access to the vault in your admin account. If you don't mind that, the use of /Users/Shared/ works without any additional effort.
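
Added example, not part of the thread or of any participant's post: a shell check for the /Users/Shared sync-folder setup discussed in the two replies above, listing everything under the folder that accounts other than its owner and group can read, write or enter. The default folder name is a made-up placeholder; pass your own path.

```shell
#!/bin/sh
# Added example: audit a vault sync folder kept under /Users/Shared.
# Goal: only the accounts meant to share the vault should reach it, so no
# entry should grant anything to "other" (every remaining local account).

# Print "<other-bits> <path>" for each entry under DIR whose mode grants
# read, write or search/execute to "other". Only symbolic -perm tests are
# used, which BSD find (OS X) and GNU find both accept.
vault_exposed_entries() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    find "$dir" \( -perm -o+r -o -perm -o+w -o -perm -o+x \) -exec sh -c '
        for p do
            # Columns 8-10 of the ls mode string are the "other" triplet.
            bits=$(ls -ld "$p" | cut -c8-10)
            printf "%s %s\n" "$bits" "$p"
        done' sh {} +
}

# Summarise: 0 = nothing exposed, 1 = something exposed, 2 = bad path.
audit_vault_dir() {
    report=$(vault_exposed_entries "$1") || return 2
    if [ -n "$report" ]; then
        printf 'Reachable by every local account:\n%s\n' "$report"
        return 1
    fi
    echo "OK: nothing under $1 is accessible outside owner/group"
    return 0
}

# Constructed default path (assumption, not from the thread):
#   sh audit.sh "/Users/Shared/vault-sync"
if [ $# -gt 0 ]; then
    audit_vault_dir "$1"
fi
```

This looks at mode bits only; any ACL entries on the folder are shown separately by `ls -le` on OS X.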

This discussion has been closed.