11Oca
Why is non-admin user allowed to do macOS update?
On macOS Sonoma, when I use any non-admin user, I am able to do a full OS update, or to run commands like softwareupdate --install-rosetta
.
Why is this allowed?
I researched a little and came to this documentation saying:
authorising software updates is allowed by standard users and only requires volume ownership
When I run diskutil apfs listUsers /
to list volume owners (as mentioned is the same document) my non-admin user does appear in the list.
So it appears that any local user is a volume owner and all volume owners are allowed to do OS updates.
How is this secure?
It is even possible to prevent that and to allow only admin users to do updates?