How good is the user isolation in macOS?

Recently I bought the MacBook Air M1. I have created two accounts. The laptop will be used by two different people. Both users have administrative permissions.

I have been wondering if that setup will provide privacy.

  1. Is it possible for one user to easily read the files of the other user?
  2. Does the user have access to iCloud files?
  3. What about bookmarks and tabs from Safari?

Is there a list of areas that are compromised by the use of root rights?


Solution 1:

The purpose of the administrator privilege is to allow full control of the Mac. And part of full control is to have access to very nearly everything.

Access to the other user's files may require a little more than browsing in Finder, as many folders (e.g. ~/Documents) have permissions which allow access only to the owner. But any user with basic knowledge of Terminal commands can overcome such simple obstacles.

Of your specific questions, iCloud is the only one with some protection. iCloud files which are not currently synchronised with the Mac will not be accessible.

If you are to have two administrators, they must trust each other not to go rummaging through each other's private files. And they will need some care and understanding to make sure that performing administrative tasks does not affect the other's use of the computer.

If there is not full trust, I would advise not keeping any personal files on the computer without some additional protection. As examples of protection:

  • Keep private files in a password protected disk image.
  • Keep private files in an encrypted external disk which is always removed when not in use.

But even then, a more skilled administrator would be able to install software to capture files when the other user is using them.

Solution 2:

No, that setup will not provide any privacy. In order to enforce any isolation between user accounts, they must not be given administrator privileges.

Any user that is an administrator can easily read the files from any other user. They have access to the "sudo" command, that gives "root" privileges in the underlying Unix system. They have the ability to change the login password of other users. This would enable them to log in as the other user, and see their Safari bookmarks or saved tabs, or any other file or information, provided it is not protected by encryption based on a password separate from the login password, such as an encrypted disk image.

If iCloud is already enabled and the computer is a "trusted device" for things like Contacts, Calendars, etc., or iCloud Drive for other apps like Pages or non-Apple apps, then by logging in to the computer as that user, another user could access those iCloud files. Furthermore, they might have access to the user's e-mail if they use Apple Mail or some other e-mail app on the computer that stores the e-mail password. In that case they may be able to log in directly to icloud.com or appleid.apple.com by changing the iCloud/Apple ID password.

Some of this information could be accessed without the other user noticing. In other cases, the user would notice their passwords being changed. It is not possible to find out what a user's login password is, only to change it.
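The two points both answers make, that admin accounts can reach root through sudo and that folder permissions only protect against non-admin users, can be checked on a Mac with a small audit script. This is an added example, not code from either answer; it uses the real `dscl` and `ls -ld` commands but falls back to constructed sample output so it also runs elsewhere.

```shell
#!/bin/sh
# Added audit helper, not part of the original answers. It reports which local
# accounts are in the macOS "admin" group (and so can reach root via sudo) and
# which folders under /Users are readable by other local accounts at all.
# Permission bits never stop root; they only matter for non-admin users.

# Print members of the admin group, one per line, from the output of
# `dscl . -read /Groups/admin GroupMembership`, skipping root itself.
admin_members() {
  printf '%s\n' "$1" | awk '/^GroupMembership:/ {
    for (i = 2; i <= NF; i++) if ($i != "root") print $i }'
}

# From `ls -ld` lines, print paths whose group or other read bit is set
# (e.g. drwxr-xr-x), i.e. readable by any local account, admin or not.
exposed_homes() {
  printf '%s\n' "$1" | awk '$1 ~ /^d/ &&
    (substr($1, 5, 1) == "r" || substr($1, 8, 1) == "r") { print $NF }'
}

# Constructed sample data standing in for what the commands print on a
# typical two-user Mac (home folders 755, ~/Documents 700).
SAMPLE_GROUP='GroupMembership: root alice bob'
SAMPLE_LS='drwxr-xr-x+ 14 alice staff 448 Mar  1 10:00 /Users/alice
drwx------+  5 alice staff 160 Mar  1 10:00 /Users/alice/Documents
drwxr-xr-x+ 14 bob   staff 448 Mar  1 10:00 /Users/bob
drwx------+  5 bob   staff 160 Mar  1 10:00 /Users/bob/Documents'

# On a Mac, query the live system; elsewhere fall back to the sample data.
if command -v dscl >/dev/null 2>&1; then
  GROUP_OUT=$(dscl . -read /Groups/admin GroupMembership)
  LS_OUT=$(ls -ld /Users/* /Users/*/Documents 2>/dev/null)
else
  GROUP_OUT=$SAMPLE_GROUP
  LS_OUT=$SAMPLE_LS
fi

echo "Accounts with administrator (sudo/root) rights:"
admin_members "$GROUP_OUT"
echo "Folders readable by every local account (group/other read bit set):"
exposed_homes "$LS_OUT"
```

On the sample data it lists alice and bob as administrators and flags both home folders, but not their Documents folders, as readable by other local accounts.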