Mac OS X 10.3: Administrator authentication allows root privileges in Finder for 5 minutes

If you authenticate with an administrator account to allow a restricted task in the Mac OS X 10.3 Finder, the logged-in account will have root privileges for 5 minutes. Also, each time you log in with an administrator account, you have root access for 5 minutes.

Note: This document applies to Mac OS X 10.3 through 10.3.9. This document also applies to Mac OS X Server 10.3 through 10.3.2.

This behavior changes in Mac OS X 10.3.3 and later, which require an administrator to authenticate each Finder action that needs authentication, such as installing software.

When a user authenticates and is granted root privileges in the Finder, she can edit or delete system files, among other things.

Example: You can log in with an administrator account and perform a root-level task in the Finder within the first 5 minutes, including dragging the System directory to the Trash. There is no warning when you do this. After 5 or more minutes of logging in, Finder asks you to authenticate to before performing the same task.

Example: A user who does not have administrator privileges tries to copy a .kext file to the /System/Library/Extensions/ directory. An authentication dialog appears. A person with an administrator account authenticates and Finder copies the .kext file. For the next 5 minutes, the user who does not have administrator privileges can perform any action in the Finder that usually requires administrator authentication.

This is the expected behavior for Mac OS X 10.3 through 10.3.2. Download and install Mac OS X 10.3.3 Update or later if you wish to avoid this.

	Related documents
	25591	Mac OS X 10.3: Terminal Commands That Require Authentication Unlock Other Applications