Last week (and in our Panther Special Report) we covered the change in Panther that lets any administrative user move, or even delete, important system-level files by simply authenticating (providing their admin account password) when trying to perform the action.
What we didn't cover at the time is the fact that what is actually happening "behind the scenes" is something similar to what happens when you use the Unix sudo command -- a way to temporarily perform actions with root-level access -- in Terminal to execute the desired action. The sudo command has a built-in timer: once you've authenticated, it provides you with that root-level access for five minutes (by default). The Finder appears to have this same "timer." So after you've first authenticated, subsequent actions -- even dangerous ones that could render OS X inoperable -- can be performed without requiring you to authenticate again. Obviously, this could result in a messy situation. However, at least you're aware that you've authenticated, so you know to be careful what you do for the next five minutes or so.
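For readers who want to check how long their own sudo credential cache lasts, the following script is an added example (not from the original article or from Apple) that audits a sudoers file for the timestamp_timeout setting that controls this window. It assumes sudo's compiled-in default of five minutes when the option is absent, and the two sudoers fragments it inspects are constructed samples, not real system files.

```shell
#!/bin/sh
# Added example: audit a sudoers file for the credential-caching window.
# sudo's timestamp_timeout defaults to 5 minutes when unset; 0 means
# "ask for a password every time"; a negative value means the cache never expires.
# The sudoers fragments below are constructed sample input, not real files.

# effective_timeout <file>: print the timestamp_timeout in effect (minutes).
effective_timeout() {
    # Strip comments, then take the last matching Defaults line (last one wins).
    val=$(sed -e 's/#.*//' "$1" \
        | grep -E '^[[:space:]]*Defaults.*timestamp_timeout' \
        | sed -E 's/.*timestamp_timeout[[:space:]]*=[[:space:]]*(-?[0-9]+).*/\1/' \
        | tail -n 1)
    if [ -z "$val" ]; then
        echo 5          # sudo's compiled-in default when the option is absent
    else
        echo "$val"
    fi
}

# verdict <minutes>: classify the caching window for a report.
verdict() {
    if [ "$1" -lt 0 ]; then
        echo "never-expires"
    elif [ "$1" -eq 0 ]; then
        echo "prompt-every-time"
    else
        echo "cached-${1}m"
    fi
}

# Constructed sample sudoers fragments: the default (weak) one and a hardened one.
weak=$(mktemp); hardened=$(mktemp)
cat >"$weak" <<'EOF'
# no timestamp_timeout line: inherits the 5-minute default
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
EOF
cat >"$hardened" <<'EOF'
Defaults    timestamp_timeout=0   # re-authenticate for every sudo invocation
%admin  ALL=(ALL) ALL
EOF

echo "weak:     $(verdict "$(effective_timeout "$weak")")"
echo "hardened: $(verdict "$(effective_timeout "$hardened")")"
rm -f "$weak" "$hardened"
```

Run it against `/etc/sudoers` instead of the sample files to see your own setting; `sudo -k` clears an already-cached credential immediately.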
The real danger of this "feature" -- as pointed out to us by Chris Breen, Macworld Magazine's 911 columnist -- is that when an admin-level user logs in, the act of logging in itself constitutes an authentication. In other words, for the first five minutes after logging in, the Finder has root-level access and you probably aren't even aware of it. You can move or delete system-level files without being warned and without being prompted to authenticate -- it just works. After those first five minutes are up, you resume your normal level of access. As Chris pointed out, these first five minutes can be quite risky:
"I've confirmed this by dragging my System folder to the Trash. And no, I couldn't get it out again without booting into Mac OS 9 and recovering it from the .Trashes file."
We would add that sometimes people accidentally delete files -- using the Command-Delete keyboard combination in Mac OS X's column view sometimes makes it easy to delete an enclosing folder rather than the sub-folder you actually wanted to delete. In fact, Chris makes another good point about the risks of this situation:
"Although some may argue that this is perfectly acceptable because you shouldn't be an Admin if you don't know what you're doing, bear in mind that any new Mac owner -- your aged Aunt who's upgrading from her trusty Performa -- is an Admin."
UPDATE: We've reworded a few sentences in the article for technical accuracy.