Last week (and in our Panther Special Report) we covered the change in Panther that lets any administrative user move, or even delete, important system-level files by simply authenticating (providing their admin account password) when trying to perform the action.
What we didn't cover at the time is the fact that what is actually happening "behind the scenes" is that you are actually using the Unix sudo command -- a way to temporarily perform actions with root-level access -- to execute the desired action.
Why this is important is that the sudo command has a built-in timer: once you've authenticated, it provides you with that root-level access for five minutes (by default). So after you've first authenticated, subsequent actions -- even dangerous ones that could render OS X inoperable -- can be performed without requiring you to authenticate again. Obviously, this could result in a messy situation. However, at least you're aware that you've authenticated, so you know to be careful what you do for the next five minutes or so.
The real danger of this "feature" -- as pointed out to us by Chris Breen, Macworld Magazine's 911 columnist -- is that when an admin-level user logs in, the act of logging in itself constitutes an authentication. In other words, for the first five minutes after logging in, you have root-level access and you probably aren't even aware of it. You can move or delete system-level files without being warned and without being prompted to authenticate -- it just works. After those first five minutes are up, you resume your normal level of access. As Chris pointed out, these first five minutes can be quite risky:
"I've confirmed this by dragging my System folder to the Trash. And no, I couldn't get it out again without booting into Mac OS 9 and recovering it from the .Trashes file."
We would add that sometimes people accidentally delete files -- using the command+delete keyboard combination in Mac OS X's column view sometimes makes it easy to delete an enclosing folder rather than the sub-folder you actually wanted to delete. In fact, Chris makes another good point about the risks of this situation:
"Although some may argue that this is perfectly acceptable because you shouldn't be an Admin if you don't know what you're doing, bear in mind that any new Mac owner -- your aged Aunt who's upgrading from her trusty Performa -- is an Admin."
This new "feature" is for convenience, but in the long run I do not see what its purpose is. It does not safeguard people from deleting things they do not know are critical for the system to function. This was a bad choice, IMO, on Apple's part to include in Panther. The fact that you are blessed with root privs for 5 minutes after login is also unacceptable for the most part. I say for the most part because I myself know what root is. There is a small portion of the Mac OS X crowd who know and understand what root is, and how to (not) use it. Being able to delete a file that is being belligerent is a nice "feature," but I do not think it should have been included in Panther for the reason Chris Breen described above. I know why a file will not delete when I tell it to: it is because I do not have the access privs to delete it. There are usually reasons why I don't have privs to delete it. The only reason I like this feature is because I know and understand why I am being asked for my admin password when I try to delete a file and am prompted for this info. Most people do not.
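The five-minute window described above is sudo's credential cache, controlled by the `timestamp_timeout` option in the sudoers file. The script below is an added example, not from the original post or from MacFixIt; it audits a sudoers file for that setting and shows the hardened value (`Defaults timestamp_timeout=0`), using two constructed sample files in place of the real `/etc/sudoers`.

```shell
# Added example: audit sudoers for the credential-caching window. sudo keeps a
# successful authentication for timestamp_timeout minutes (compiled-in default 5);
# a value of 0 forces a password prompt for every privileged action.

# Constructed sample: no override, so sudo's default five-minute window applies.
SUDOERS_WEAK='# sudoers file (constructed sample)
Defaults env_reset
root  ALL=(ALL) ALL
%admin ALL=(ALL) ALL'

# Constructed sample: the hardened version, which disables credential caching.
SUDOERS_HARDENED='# sudoers file (constructed sample)
Defaults env_reset
Defaults timestamp_timeout=0
root  ALL=(ALL) ALL
%admin ALL=(ALL) ALL'

# Print the effective timestamp_timeout (minutes) for sudoers text on stdin.
# The last matching Defaults line wins, as in sudo itself; with none present,
# print the default of 5. A negative value means the cache never expires.
effective_timeout() {
    val=$(sed -n 's/^[[:space:]]*Defaults.*timestamp_timeout[[:space:]]*=[[:space:]]*\(-*[0-9.]*\).*/\1/p' | tail -n 1)
    if [ -z "$val" ]; then
        echo 5
    else
        echo "$val"
    fi
}

# Classify the window: 0 is the hardened setting; anything else leaves a period
# in which further root-level actions need no re-authentication.
classify() {
    case "$1" in
        0)   echo "ok: password required for every privileged action" ;;
        -*)  echo "risk: cached credentials never expire" ;;
        *)   echo "risk: cached credentials valid for $1 minutes" ;;
    esac
}

# Audit one sudoers file passed as a string.
audit() {
    t=$(printf '%s\n' "$1" | effective_timeout)
    classify "$t"
}

# Usage: on a live system feed `sudo cat /etc/sudoers` to effective_timeout instead.
audit "$SUDOERS_WEAK"
audit "$SUDOERS_HARDENED"
```

Edit the real file only through `visudo`, which syntax-checks it before saving; `sudo -k` discards an already cached credential immediately rather than waiting for the timer to run out.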
Also posted at BlogCritics.