[OS X TeX] Re: users and groups on Leopard

Bruno Voisin bvoisin at mac.com
Tue Mar 11 09:32:46 CET 2008


On 11 Mar 08 at 02:56, Alan Litchfield wrote:

> I missed the original query from Bruno, but to view all the users on  
> a unix system, type into a Terminal:
>
> > cat /etc/passwd
>
> You can use the `cut` command to only see one field from the  
> password file.
>
> For example, to just see the Unix user names, use the command:
>
> > cat /etc/passwd | cut -d: -f1
>
> To find out more about cut read its man pages.

Hi Alan,

With Leopard the above doesn't seem to apply anymore. If you open
/etc/passwd you'll see that it begins with

##
# User Database
#
# Note that this file is consulted directly only when the system is running
# in single-user mode.  At other times this information is provided by
# Open Directory.
#
# This file will not be consulted for authentication unless the BSD local node
# is enabled via /Applications/Utilities/Directory Utility.app
#
# See the DirectoryService(8) man page for additional information about
# Open Directory.
##

So it seems the standard Unix permission mechanism has been superseded  
by Directory Services, based on Access Control Lists. If I understood  
correctly, the purpose is to allow authentication to be delegated to  
LDAP or ActiveDirectory servers, instead of being dealt with locally  
based on Unix permissions.

Directory Utility (in /Applications/Utilities/) allows you to configure  
access to such servers, though I imagine the new mechanism is  
primarily designed for central administration by a system  
administrator via Mac OS X Server. Directory Utility has also  
inherited from NetInfo Manager the ability to activate the root user  
and change its password.

For example, yesterday when I realized I could not write to my backup  
hard drive any longer, I used Get Info in the Finder to set  
permissions for the drive. I thought I was redefining standard  
ownership (user, group, all) for this volume, redefining the user  
(myself) and giving read and write permissions to it. But I realized  
afterwards I had just added a new "user" having read and write  
permissions for the volume: in Terminal, the permissions and ownership  
for the volume hadn't changed (according to ls -l). Thus, some other  
mechanism must have taken over.

It seems the dscl command-line tool allows you to perform most tasks  
related to permissions, though its syntax feels a bit obscure. Thanks  
to John Rawnsley, it appears the list of user ids can be gotten from

	dscl localhost -list /Local/Default/Users UniqueID

and the list of group ids from

	dscl localhost -list /Local/Default/Groups PrimaryGroupID

Apparently these commands can be abbreviated to

	dscl . -list /Users UniqueID
	dscl . -list /Groups PrimaryGroupID

though I'm not sure what the rules are for such "abbreviations".

Similarly, for a given user or group you can use dscl to get detailed  
info on this user or group. For example for the user bvoisin and group  
admin you can use

	dscl localhost -read /Local/Default/Users/bvoisin
	dscl localhost -read /Local/Default/Groups/admin

And you can follow these commands by keys to get info on specific keys:

$ dscl . -read /Users/bvoisin RealName UserShell
RealName:
  Bruno Voisin
UserShell: /bin/bash
$ dscl . -read /Groups/admin RealName GroupMembership
GroupMembership: root bvoisin
RealName: Administrators

There are still some dark areas though: yesterday I finally  
reformatted my external hard drive and did a brand new Time Machine  
backup on it. Oddly, the backup directory has owner root from group  
bvoisin:

LaCie Disk bvoisin$ ls -al
[...]
drwxr-xr-x+   3 root     bvoisin    102 10 mar 16:57 Backups.backupdb

But there is no such root user in the group bvoisin (me, the first  
user defined on my Mac):

$ dscl . -read /Groups/bvoisin GroupMembership
No such key: GroupMembership

To be sure:

$ id
uid=501(bvoisin) gid=501(bvoisin) groups=501(bvoisin),98(_lpadmin),80(admin)
$ sudo id
Password:
uid=0(root) gid=0(wheel) groups=0(wheel),1(daemon),8(procview),2(kmem),29(certusers),3(sys),9(procmod),4(tty),5(operator),80(admin),20(staff)

Clearly, in my case there's room for more study. Thanks to Denis for  
his pointer to the book "Take control of permissions in Leopard"; it  
seems fairly helpful. It's in the sample pages that I saw mention of  
the command "id", of which I was unaware.

Bruno
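As an added example (not part of Bruno's or Alan's posts), here is a small POSIX shell script that takes the two-column output of `dscl . -list /Users UniqueID` and the `GroupMembership` line of `dscl . -read /Groups/admin GroupMembership`, as shown in the thread, and runs the checks an administrator would typically make on a local account database: which records have UniqueID 0, which UniqueIDs are shared by more than one record, which records look like human accounts, and who sits in the admin group. Since dscl only exists on Mac OS X, the script embeds constructed sample output so it runs anywhere; apart from root, daemon, nobody and bvoisin, the record names are made up, the function names are mine, and the 500 threshold for "locally created accounts" is an assumption drawn from bvoisin being 501 above.

```sh
#!/bin/sh
# Added example, not from the original post. Audits a local account list in
# the format printed by `dscl . -list /Users UniqueID` (record name, UniqueID)
# and a group line in the format printed by `dscl . -read /Groups/admin
# GroupMembership`.

# Constructed sample of `dscl . -list /Users UniqueID` output. Only root,
# daemon, nobody and bvoisin come from the post; the other records are made
# up, including "secondroot", a second UniqueID-0 record planted so the
# check below has something to find.
SAMPLE_USERS='_www 70
bvoisin 501
daemon 1
nobody -2
root 0
secondroot 0
guest 502'

# Constructed sample of `dscl . -read /Groups/admin GroupMembership` output.
SAMPLE_ADMIN='GroupMembership: root bvoisin guest'

# Record names whose UniqueID is 0: every one of them is root-equivalent to
# the Unix permission checks, so anything other than "root" deserves a look.
uid_zero_accounts() {
    printf '%s\n' "$1" | awk '$2 == 0 { print $1 }'
}

# UniqueIDs shared by more than one record, printed as "uid: name name".
# Two records with the same UniqueID are indistinguishable to ls -l, chown
# and friends even though dscl shows two names.
duplicate_uids() {
    printf '%s\n' "$1" | awk '
        { count[$2]++; names[$2] = names[$2] " " $1 }
        END { for (u in count) if (count[u] > 1) print u ":" names[u] }'
}

# Records with UniqueID >= 500. Assumption: as with bvoisin (501) in the
# post, Leopard numbers accounts created through System Preferences from
# 501 upwards, so this is the list of human accounts to review.
local_user_accounts() {
    printf '%s\n' "$1" | awk '$2 >= 500 { print $1 }'
}

# Members of a group, taken from the GroupMembership line of dscl -read.
# A group with no members prints "No such key: GroupMembership" instead,
# which this deliberately ignores (empty output).
group_members() {
    printf '%s\n' "$1" | awk -F': ' '$1 == "GroupMembership" { print $2 }'
}

# Stand-alone run over the constructed samples.
main() {
    echo "UniqueID 0 records:";   uid_zero_accounts "$SAMPLE_USERS"
    echo "Duplicate UniqueIDs:";  duplicate_uids "$SAMPLE_USERS"
    echo "Local user accounts:";  local_user_accounts "$SAMPLE_USERS"
    echo "admin members:";        group_members "$SAMPLE_ADMIN"
}
main
```

On Leopard itself, replace the two constructed strings with the real output, for instance `USERS="$(dscl . -list /Users UniqueID)"` and `ADMIN="$(dscl . -read /Groups/admin GroupMembership)"`, and call the functions on those. A group that has no GroupMembership key, like /Groups/bvoisin in the post, makes dscl print the "No such key" line, and group_members then returns nothing rather than a bogus member.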


More information about the macostex-archives mailing list