General Leopard Installation Recommendations - with Admin? Postgres, Postgis...

Mon Mar 3 02:33:47 PST 2008

On 3/3/08, Stefan Schwarzer <stefan.schwarzer at grid.unep.ch> wrote:
> Hi there,
>
> I am using a Mac in the office for website development, database
> administration, design etc...
>
> Now, as I am not coming from an admin-, but more from a casual-user-side, I
> did run into some admin/su/etc.-problems or challenges when installing &
> compiling postgres, postgis, etc.
>
> So, I was wondering what you guys do recommend. In the moment, I am the only
> user and the only admin on the same time on the mac. But, from a
> admin/security perspective, there should be already a different account for
> me as a user and another one for the admin, no?

Only in certain specific situations would want to separate your user
and admin accounts in any UNIX system (and most of those situations
are for policy or legal reasons not operations safety). UNIX (and by
extension Linux, *BSD, and Mac OS X) systems can be setup to allow
privilege escalation via the "sudo" mechanism (certain more-tightly
locked down versions of UNIX (Trusted Solaris and SELinux among
others) also allow a user to change roles on the fly for specific
purposes. In all cases the privilege escalation or role change must be
authenticated.

All admin users in Mac OS X are allowed to use the "sudo" command to
perform administrative tasks and all sudo operations are logged.
Experienced administrators (and Mac OS X Server may provide some easy
way to do this) can make the sudo permissions structure far more
subtle than Mac OS X desktop supports in the System Preferences.

So, no, I do not see any reason to create multiple separate accounts
for performing different roles on your computer.

BTW, Windows up to XP did not support any mechanisms for privilege
escalation so separate accounts have to be created for everything, but
your IT folks quickly tire of constantly logging in/logging out and
simply begin working in their admin-rights enabled accounts (at a
former unit, per policy, every IT person had two accounts, one regular
and one admin and it was painful for automated systems to recognize
people who were using the "wrong" account to perform activities, but I
digress...).

> And on the next step, there should be another one for the postgres
> administration, no?

There should not be a separate account for this either. Now
maintaining separate accounts could lead to additional problems (I
speak from experience here) where an account is created for a specific
task and multiple people use it and suddenly you don't know who did
what when.

> Can you give me a recommendation how to "better" (more efficient, more
> correct, not necessarily more "safe") setup my computer?
>
> Thanks for any advice,
>
> Stef
>
> ____________________________________________________________________
>
>
>   Lean Back and Relax - Enjoy some Nature Photography
>   http://photoblog.la-famille-schwarzer.de
>
>   Appetite for Global Data? UNEP GEO Data Portal:
>   http://geodata.grid.unep.ch
>
> ____________________________________________________________________
>
>
>
>
>
>
> _______________________________________________
>  macports-users mailing list
>  macports-users at lists.macosforge.org
> http://lists.macosforge.org/mailman/listinfo.cgi/macports-users
>
>

-- 
Randall Wood
randall.h.wood at alexandriasoftware.com

"The rules are simple: The ball is round. The game lasts 90 minutes.
All the rest is just philosophy."