On 3/3/08, Stefan Schwarzer <stefan.schwarzer@grid.unep.ch> wrote:

Hi there,

I am using a Mac in the office for website development, database administration, design etc...

Now, as I am not coming from an admin-, but more from a casual-user-side, I did run into some admin/su/etc.-problems or challenges when installing & compiling postgres, postgis, etc.

So, I was wondering what you guys do recommend. In the moment, I am the only user and the only admin on the same time on the mac. But, from a admin/security perspective, there should be already a different account for me as a user and another one for the admin, no?

Only in certain specific situations would want to separate your user and admin accounts in any UNIX system (and most of those situations are for policy or legal reasons not operations safety). UNIX (and by extension Linux, *BSD, and Mac OS X) systems can be setup to allow privilege escalation via the "sudo" mechanism (certain more-tightly locked down versions of UNIX (Trusted Solaris and SELinux among others) also allow a user to change roles on the fly for specific purposes. In all cases the privilege escalation or role change must be authenticated. All admin users in Mac OS X are allowed to use the "sudo" command to perform administrative tasks and all sudo operations are logged. Experienced administrators (and Mac OS X Server may provide some easy way to do this) can make the sudo permissions structure far more subtle than Mac OS X desktop supports in the System Preferences. So, no, I do not see any reason to create multiple separate accounts for performing different roles on your computer. BTW, Windows up to XP did not support any mechanisms for privilege escalation so separate accounts have to be created for everything, but your IT folks quickly tire of constantly logging in/logging out and simply begin working in their admin-rights enabled accounts (at a former unit, per policy, every IT person had two accounts, one regular and one admin and it was painful for automated systems to recognize people who were using the "wrong" account to perform activities, but I digress...).

And on the next step, there should be another one for the postgres administration, no?

There should not be a separate account for this either. Now maintaining separate accounts could lead to additional problems (I speak from experience here) where an account is created for a specific task and multiple people use it and suddenly you don't know who did what when.

Can you give me a recommendation how to "better" (more efficient, more correct, not necessarily more "safe") setup my computer?

Thanks for any advice,

Stef

____________________________________________________________________

Lean Back and Relax - Enjoy some Nature Photography http://photoblog.la-famille-schwarzer.de

Appetite for Global Data? UNEP GEO Data Portal: http://geodata.grid.unep.ch

____________________________________________________________________

_______________________________________________ macports-users mailing list macports-users@lists.macosforge.org http://lists.macosforge.org/mailman/listinfo.cgi/macports-users

-- Randall Wood randall.h.wood@alexandriasoftware.com "The rules are simple: The ball is round. The game lasts 90 minutes. All the rest is just philosophy."