In This Chapter
Understanding how multiuser systems work
Configuring login settings
Changing the appearance of the login screen
Tightening security during login
Starting applications automatically when you log in
Whether you're setting up Mac OS X for use in a public library or simply allowing your 12-year-old to use your MacBook in your home office, configuring Snow Leopard for multiple users is a simple task. However, you must also consider the possible downsides of a mismanaged multiuser system: files and folders being shared that you didn't want in the public domain, users logging in as one another, and the very real possibility of accidental file deletion (and worse).
Therefore, in this chapter, I show you how to take those first steps before you open Pandora's Box — setting login options, configuring the personal account that you created when you first installed the operating system, and protecting your stuff. (Network administrators call this security check-up locking things down. Better start using the terminology now, even before you buy your suspenders and pocket protector.)
When you create multiple users in Mac OS X, each person who uses your MacBook — hence the term user — has a separate account (much like an account that you might open at a bank). Mac OS X creates a Home folder for each user and saves that user's preferences independently from those of other users. When you log in to Mac OS X, you provide a username and a password, which identifies you. The username/password combination tells Mac OS X which user has logged on — and, therefore, which preferences and Home folder to use.
Each account also carries a specific level, which determines how much control the user has over Mac OS X and the computer itself. Without an account with the proper access level, for example, a user might not be able to display many of the panes in System Preferences.
The three most common account levels are
Root: Also called System Administrator, this über-account can change anything within Mac OS X — and that's usually A Very Bad Thing, so it's actually disabled as a default. (This alone should tell you that the Root account shouldn't be toyed with.) For instance, the Root account can seriously screw up the UNIX subsystem within Mac OS X, or a Root user can delete files within the Mac OS X System Folder.
Administrator: (Or admin for short.) This is the account level that you're asigned when you install Mac OS X. The administrator account should not be confused with the System Administrator account!
Note
It's perfectly okay for you or anyone you assign to use an administrator account. An administrator can install applications anywhere on the system, create/edit/delete user accounts, and make changes to all the settings in System Preferences. However, an administrator can't move or delete items from any other user's Home folder within the Finder, and administrators are barred from modifying or deleting files in the Mac OS X System Folder.
A typical multiuser Mac OS X computer has only one administrator — like a teacher in a classroom — but technically, you can create as many administrator accounts as you like. If you do need to give someone else this access level, assign it only to a competent, experienced user whom you trust.
Standard: A standard user account is the default in Mac OS X. Standard users can install software and save documents only in their Home folders and the Shared folder (which resides in the Users folder), and they can change only certain settings in System Preferences. Thus, they can do little damage to the system as a whole. For example, each of the students in a classroom should be given a standard-level account for the Mac OS X system that they share.
If Parental Controls are applied to a standard account, it becomes a managed account, allowing you to fine-tune what a standard account user can do. (I discuss Parental Controls at length in Book III, Chapter 5.)
Chapter 5 of this minibook covers the entire process of creating and editing a user account.
Take a look at the changes you can make to the login process. First, Mac OS X provides two methods of displaying the login screen, as well as one automatic method that doesn't display the login screen at all:
Logging in with a list: To log in, click your account username in the list, and the login screen displays the password prompt. Type your password — Mac OS X displays bullet characters to ensure security — and press Return (or click the Log In button).
Logging in with username and password: Type your account username in the Name field and press Tab. Then type your password and press Return (or click the Log In button).
Automatic Login: With Automatic Login set, Mac OS X automatically logs in the specified account when you reboot. In effect, you never see the login screen unless you click Log Out from the Apple menu. (Naturally, this is an attractive option to use if your computer is in a secure location — such as your office — and you'll be the only one using your MacBook. However, if your laptop falls into The Wrong Hands, you're inviting trouble ...and identity theft.)
To specify which type of login screen you see — if you see one at all — head to System Preferences, click Accounts, and then click the Login Options button. (If the pane is locked, click the Lock icon and supply your admin password.)
To set Automatic Login, display the Login Options settings and click the Automatic Login pop-up menu. Choose the account that automatically logs in from the list. When Mac OS X displays the user Name and Password sheet that you see in Figure 4-1, type the corresponding password and then click OK.
Warning
Never set the Automatic Login feature to an admin-level account unless you're sure to be the only one using your MacBook. If the computer is rebooted, you're opening the door for anyone to simply sashay in and wreak havoc!
To determine whether Mac OS X uses a list login screen, you must again visit the Login Options settings pane (see Figure 4-2). Select the List of Users radio button for a list login screen or select the Name and Password radio button for a simple login screen where you must type your username and password.
Tip
To change settings specific to your account — no matter what your access level — log in with your account, open System Preferences, and click Accounts. From here, you can change your account password and picture, the card marked as yours within the Address Book, and the Login Items launched automatically when you log in. (Peruse more information on the Address Book in Book I, Chapter 6.)
To log out of Mac OS X without restarting or shutting down the computer, choose the Apple menu and then choose Log Out or just press
You can also enable Fast User Switching from the Login Options pane. This feature allows another user to sit down and log in while the previous user's applications are still running in the background. When you enable switching, Snow Leopard displays the currently active user's full name or account icon at the right side of the Finder menu bar. Click the name, and a menu appears; click Login Window, and another user can then log in as usual. (From the Login Options pane, you can also choose to display the current user by the account's short name or the account icon.)
Even though you're playing musical chairs, the Big X remembers what's running and the state of your Desktop when you last left it. (When you decide to switch back, Snow Leopard prompts you for that account's login password for security ...just in case, you understand.)
If security is a potential problem and you still need to share a Mac between multiple users, lock things down. To protect Mac OS X from unauthorized use, take care of these potential security holes immediately:
Disable the Sleep, Restart, and Shut Down buttons. Any computer can be hacked when it's restarted or turned on, so disable the Restart and Shut Down buttons on the login screen. (After a user has successfully logged in, Mac OS X can be shut down normally by using the menu item or the keyboard shortcuts that I cover earlier.) Open the Accounts pane in System Preferences, click the Login Options button, and deselect the Show the Sleep, Restart, and Shut Down Buttons check box. Press
Disable list logins. With a list login, any potential hacker already knows half the information necessary to gain entry to your system — and often the password is easy to guess. Therefore, set Mac OS X to ask for the username and password on the Login screen, as I describe earlier. This way, someone has to guess both the username and the password, which is a much harder proposition.
Disable Automatic Login. A true no-brainer. As I mention earlier in the chapter, Automatic Login is indeed very convenient. However, all someone has to do is reboot your MacBook, and the machine automatically logs in one lucky user! To disable Automatic Login, display the Accounts pane in System Preferences and click the Login Options button; then click the Automatic Login pop-up menu and click the Off entry.
Disable the password hint. By default, Mac OS X obligingly displays the password hint for an account after three unsuccessful attempts at entering a password. Where security is an issue, this is like serving a hacker a piece of apple pie. Therefore, head to System Preferences, display the Accounts settings, click the Login Options button, and make sure that the Show Password Hints check box is empty.
Select passwords intelligently. Although using your mother's maiden name for a password might seem like a great idea, the best method of selecting a password is to use a completely random group of mixed letters and numbers. If you find a random password too hard to remember, at least add a number after your password, like dietcoke1 — and no, that isn't one of my passwords. (Nice try.) My editor suggests a favorite location spelled backwards, with a number mixed in — easier to remember than a completely random sequence of characters!
Tip
For even greater security, make at least one password character uppercase, and use a number at the beginning and ending of the password. Or, do the "c001" thing and replace characters with numbers, like the zero that you insert in dietc0ke.
Here's one other advantage to logins: Each account can have its own selection of applications that run automatically when that user logs in. These applications are Login Items, and they appear as a list in the Accounts pane (shown in Figure 4-4). A caveat or two:
The user setting his or her Login Items must be logged in. Only the user can modify his or her own Login Items.
Users must have access to System Preferences. If the person is using a standard-level account, it must allow access to System Preferences.
Including an application in your Login Items list is easy: Click the button with the plus sign to navigate to the desired application, select it, and then click Add. (Alternatively, you can just drag items from a Finder window and drop them directly into the list.) Note that items in the list are launched in order — if something needs to run before something else, you can drag the item entries into any sequence.
To launch the application in hidden mode — which might or might not display it in the Dock, depending on the application itself — click the list entry for the desired item and select its Hide check box.