4

On macOS Sonoma, when I use any non-admin user, I am able to do a full OS update, or to run commands like softwareupdate --install-rosetta.

Why is this allowed?

I researched a little and came to this documentation saying:

authorising software updates is allowed by standard users and only requires volume ownership

When I run diskutil apfs listUsers / to list volume owners (as mentioned in the same document) my non-admin user does appear in the list.

So it appears that any local user is a volume owner and all volume owners are allowed to do OS updates.

How is this secure?

Is it even possible to prevent that and to allow only admin users to do updates?

Ivan
  • 1
    How is that not secure? What risks are you imagining? So, you have a non-admin user who is the normal user for the device. A security update is released. Do you want to force a delay in updating until an admin can gain access to the device and apply the update? Or would you rather allow the user to install a signed update from an authorised source to mitigate the risks the update is designed to address? – schroeder Jan 11 '24 at 09:02
  • Either the software update is a genuine update coming from Apple, then it’s safe and users can apply it. Or it was created by a hacker who managed to get around Apple’s and your Mac’s defences (which should not be possible), then requiring an admin to do the update won’t help. – gnasher729 Jan 11 '24 at 20:25
  • 1
    It is not only security updates but any updates, as well as optional OS features (as the above-mentioned Rosetta, or for example Xcode Command Line Tools). If I create an account for a child to use my laptop, I don't want them to download and apply multi-gigabyte optional OS features. Even if you want to apply an update, you want to do it in a controlled way. In any (multiuser) OS I ever used, only admin users could do such operations. – Ivan Jan 12 '24 at 01:39
  • 1
    That problem is solved by being a parent. And if you are afraid of gigabyte downloads, you better block videos, audiobooks etc. War and Peace on LibriVox is over a gigabyte alone, and they have about 20,000 free audiobooks. – gnasher729 Jan 12 '24 at 13:05

0 Answers