Yesterday my system administrator told me that administrator privileges were going to be taken away from my account on my university laptop. As a computer science professor who does a lot of software development, I crumpled at this news. Let me share a few reasons why revoking administrator privileges is a bad idea:
- Yesterday, my computer was a car in which I could go where I pleased when I pleased. Tomorrow, this car turns into a bus. It will still look like a car, but I will be able to travel only on predefined routes and at the mercy of my system administrator. Certainly I can request new routes and they will probably be granted, but what took an instant yesterday will take days in the future. In respectable industrial settings, developers have administrator privileges on their personal machines. These companies are aware that locking machines down too much ruins employees’ productivity. There’s no way I can possibly anticipate what software I might need before I need it.
- My research on a programming language for 3D models requires a webserver. I run one locally on my laptop for testing. It is not shared outside this computer. The most recent versions of the Macintosh OS expect the served files to live in a system directory. Altering these files and configuring this server requires administrator privileges. Crippling my permissions will make it annoying and difficult to develop this project further.
- My job is to know technologies and teach others how use them. I am not a user of a computer. I am a developer. If a large part of the machine on which I work is inaccessible, my ability to educate is impaired. I often have to advise students how to install or configure software on their personal machines. If I do not have first-hand experience with this, I can be of little help to them.
- I use multiple accounts on my machine: my primary account and an account for grading students’ work. The grader account is needed to protect myself against malicious student code. (The malice is usually not intended.) Without administrator privileges, I must install and configure some of the software I use twice, once for each account.
- The reason administrator privileges are being revoked is because my account represents a threat to my university’s technology infrastructure. If my machine falls into the wrong hands, my elevated privileges can do some major damage. The problem here is that I don’t want or need privileges beyond this machine. I do not use shared drives. I rarely print anything. I am happy to update and configure my own software. I do not have any automated backups. I only want to be able to treat my computer as a computer and not as a pre-programmed kiosk.
Every discipline has its tools. When you lock down microscopes, you limit what the biologists and geologists can do. When you lock down burets and fume hoods, you limit what the chemists can do. When you lock down french horns, you limit what the musicians can do. When you lock down computers, you limit what the computer scientists can do. The computer is my tool, and emasculating it so that I can’t even do reasonable things on it—like my job—is the wrong response.