One of the reasons we looked forward to upgrading our Mac labs to OS X was the increased control we’d have over the systems in our multimedia lab. We carefully set up the lab machines with specific user-level capabilities — users can run this but not that, open this preference panel but not that one, and so on.
And then we installed Digidesign Pro Tools 6.0. Guess what? It wouldn’t run under the normal user account that every other piece of software on the machine ran under. A dialog (a DigiDesign dialog, not Apple) appears, reading the equivalent of: “You must have administrative access to run Pro Tools.”
A closer read of the documentation confirmed that this is true. Requiring admin access to install software is one thing, but requiring it to run software is totally unacceptable. For one thing, Apple (and Unix history) have carefully created a system that would allow administrators to lock things down, so that users can run applications without danger of causing system-level harm. For this system to function requires a basic level of conformance to the platform’s application model, to the understanding that users should be able to run the applications the administrators say they can run. And can do so without causing damage. Standards matter.
When an app vendor requires admin access to run a program, the sysadmin has a few choices:
- Not allow the program on the computer at all (not an option here)
- Give the user account admin access, thus subverting all the careful work the sysadmin has done to secure the system
- Create a separate account with admin privileges but minimal capabilities.
At first blush, option #3 seems like the ideal solution. But as we discovered, when you give an acct admin access, the “Edit Capabilities” button is grayed out. In other words, admin privs are an all or nothing affair. So it looks like #2 is where we’re going to land - giving god-like privileges to all our unprivileged users just so they can run ProTools (an activity which consumes about 3% of the attention of the entire Multimedia Skills program).
And why exactly is it so damned important that Pro Tools be run with admin access? There’s not a single other Mac OS X app I know of that requires this. Why is Digi special in this regard? I found this in Digi’s knowledge base:
Yes. Pro Tools is capable of creating and deleting huge files on a system, and if a user with no Administrator privileges isn’t normally allowed to delete these files then Pro Tools shouldn’t let him/her delete them either.
I’m shaking my head here. Final Cut Pro is creating files just as huge or huger, and it doesn’t require admin access. And what exactly is it about deleting large files that is supposedly admin-specific? Since when can’t normal users delete huge files? The simple truth is, no other user-level app on the platform requires admin access. This is just Digi making up their own rules, and getting away with it because of their position in the industry.
Security-wise, we’re right back where we were with OS 9. Thanks for being such excellent platform citizens, Digi.
Am I missing something? Is there another way to deal with this problem, or is Digi being as obnoxious as I think they are?