[OS X TeX] Re: users and groups on Leopard
Bruno Voisin
bvoisin at mac.com
Tue Mar 11 09:32:46 CET 2008
On 11 Mar 08 at 02:56, Alan Litchfield wrote:
> I missed the original query from Bruno, but to view all the users on
> a unix system, type into a Terminal:
>
> > cat /etc/passwd
>
> You can use the `cut` command to only see one field from the
> password file.
>
> For example, to just see the Unix user names, use the command:
>
> > cat /etc/passwd | cut -d: -f1
>
> To find out more about cut read its man pages.
Hi Alan,
With Leopard the above doesn't seem to apply anymore. If you open /etc/passwd you'll see that it begins with
##
# User Database
#
# Note that this file is consulted directly only when the system is running
# in single-user mode. At other times this information is provided by
# Open Directory.
#
# This file will not be consulted for authentication unless the BSD local node
# is enabled via /Applications/Utilities/Directory Utility.app
#
# See the DirectoryService(8) man page for additional information about
# Open Directory.
##
So it seems the standard Unix permission mechanism has been superseded
by Directory Services, based on Access Control Lists. If I understood
correctly, the purpose is to allow authentication to be delegated to
LDAP or Active Directory servers, instead of being dealt with locally
based on Unix permissions.
Directory Utility (in /Applications/Utilities/) allows you to configure
access to such servers, though I imagine the new mechanism is
primarily designed for central administration by a system
administrator via Mac OS X Server. Directory Utility has also
inherited from NetInfo Manager the ability to activate the root user
and change its password.
For example, yesterday when I realized I could not write to my backup
hard drive any longer, I used Get Info in the Finder to set
permissions for the drive. I thought I was redefining standard
ownership (user, group, all) for this volume, redefining the user
(myself) and giving read and write permissions to it. But I realized
afterwards I had just added a new "user" having read and write
permissions for the volume: in Terminal, the permissions and ownership
for the volume hadn't changed (according to ls -l). Thus, some other
mechanism must have taken over.
It seems the dscl command-line tool allows you to perform most tasks
related to permissions, though its syntax feels a bit obscure. Thanks
to John Rawnsley, it appears the list of user ids can be gotten from
dscl localhost -list /Local/Default/Users UniqueID
and the list of group ids from
dscl localhost -list /Local/Default/Groups PrimaryGroupID
Apparently these commands can be abbreviated to
dscl . -list /Users UniqueID
dscl . -list /Groups PrimaryGroupID
though I'm not sure what the rules are for such "abbreviations".
Similarly for a given user or group you can use dscl to get detailed
info on this user or group. For example for the user bvoisin and group
admin you can use
dscl localhost -read /Local/Default/Users/bvoisin
dscl localhost -read /Local/Default/Groups/admin
And you can follow these commands by keys to get info on specific keys:
$ dscl . -read /Users/bvoisin RealName UserShell
RealName:
Bruno Voisin
UserShell: /bin/bash
$ dscl . -read /Groups/admin RealName GroupMembership
GroupMembership: root bvoisin
RealName: Administrators
There are still some dark areas though: yesterday I finally
reformatted my external hard drive and did a brand new Time Machine
backup on it. Oddly, the backup directory has owner root from group
bvoisin:
LaCie Disk bvoisin$ ls -al
[...]
drwxr-xr-x+ 3 root bvoisin 102 10 mar 16:57 Backups.backupdb
But there is no such root user in the group bvoisin (me, the first
user defined on my Mac):
$ dscl . -read /Groups/bvoisin GroupMembership
No such key: GroupMembership
To be sure:
$ id
uid=501(bvoisin) gid=501(bvoisin) groups=501(bvoisin),98(_lpadmin),80(admin)
$ sudo id
Password:
uid=0(root) gid=0(wheel) groups=0(wheel),1(daemon),8(procview),2(kmem),29(certusers),3(sys),9(procmod),4(tty),5(operator),80(admin),20(staff)
Clearly, in my case there's room for more study. Thanks to Denis for
his pointer to the book "Take control of permissions in Leopard", it
seems fairly helpful. It's in the sample pages that I saw mention of
the command "id", of which I was unaware.
Bruno
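As an added example, not part of Bruno's message or of Apple's tools: a small shell script that reads the "name   UniqueID" lines produced by `dscl . -list /Users UniqueID` (the command quoted above) and reports two things an administrator auditing a Leopard box would want to know, which accounts are root-equivalent (UniqueID 0) and which UIDs are shared by more than one account. The account list SAMPLE_DSCL_USERS is a constructed sample, used whenever dscl is not present on the machine.

```shell
#!/bin/sh
# Added example (not from the original post). Parses the output format of
#   dscl . -list /Users UniqueID
# i.e. one "name<whitespace>uid" pair per line, and audits it.

# Constructed sample in the dscl -list format (not real output from any Mac).
SAMPLE_DSCL_USERS='_amavisd     83
_appserver   79
bvoisin      501
root         0
admin2       0
nobody       -2
guest        201
shared       501'

# Print the name of every account whose UniqueID is 0 (root-equivalent).
# Anything other than "root" here deserves an explanation.
uid0_accounts() {
    printf '%s\n' "$1" | awk '$2 == 0 { print $1 }'
}

# Print "uid: name1 name2 ..." for every UID used by more than one account;
# two accounts with one UID are indistinguishable to the kernel and to ls -l.
duplicate_uids() {
    printf '%s\n' "$1" | awk '
        { names[$2] = names[$2] " " $1; count[$2]++ }
        END { for (u in count) if (count[u] > 1) print u ":" names[u] }' | sort -n
}

# Use live dscl output on Mac OS X, otherwise fall back to the sample.
if command -v dscl >/dev/null 2>&1; then
    USERS=$(dscl . -list /Users UniqueID)
else
    USERS=$SAMPLE_DSCL_USERS
fi

echo "UID 0 accounts:"
uid0_accounts "$USERS"
echo "Shared UIDs:"
duplicate_uids "$USERS"
```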