Section 6.1. What Is a User Anyway?

6.1. What Is a User Anyway?

From the operating system's point of view, a user isn't necessarily a real person who taps away at the keyboard. A user is simply an entity that can own files and execute programs. A user is defined in terms of an account that has a set of properties including a numeric user ID, such as 501, and a username. Internally the system uses the user ID to keep track of the files and processes that belong to a user. The username is a more human-readable form that is used heavily throughout the system so that you don't have to think in terms of numbers.

Each user is also part of one or more groups. A group is a collection of users that the system can treat as a unit. Like a user, the system defines a group in terms of a numeric group ID and a more readable group name. Associating users with groups gives you the ability to control various resources of the system, and not just on a case-by-case basis. For example, the system uses the admin group to indicate users that can administer the computer. If your user ID is associated with the admin group, you have the ability to perform administrative tasks on the system.

To take a look at your user and group IDs, log into the command line and execute the id command, as shown in Example 6-1.

Example 6-1. Using the id command

 $ id uid=501(jldera) gid=501(jldera) groups=501(jldera), 80(admin)

The results of this example tell us that the currently logged-in user is named jldera, has a user ID of 501, and is a member of the jldera and admin groups. If you take a look at a non-administrative user, you will see something like the output shown in Example 6-2.

Example 6-2. Using the id command for a specific user

 $ id panic uid=502(panic) gid=502(panic) groups=502(panic)

This user isn't part of the admin group and therefore won't be allowed to administer the computer. Typical users have access to their Home folders and to the System Preferences panels that customize their user experience, but the rest of the system will be off limits (at least it will be if they don't know an administrator's username and password).

You'll notice in the examples above that the user IDs are 501 and 502. And if you are the only user on your machine, you'll notice that your user ID is also 501. This pattern is not coincidental; it follows the numbering scheme that Mac OS X uses to separate out users that should appear in the login window from those that should not. The rule is that users with an ID less than 500 won't appear. Those with an ID greater than 500 will appear.

6.1.1. Administrative Users

Administrative users represent a special class of users on the system. Here are just a few things that they are allowed to do that users without administrative privileges aren't:

• Install new programs in the /Applications folder

• Add items to the /Library folder such as startup items that take effect when the system is booted

• Change network settings using the Network preference panel

• Change the system time using the Date & Time preference panel

• Add users to or remove them from the system

• Set up or remove printers

Without administrative privileges, users are pretty much restricted to their Home folders and are only able to change the settings in System Preferences that relate to their desktops such as screen backgrounds and Finder preferences. The various System Preferences panels that require administrator access have a closed padlock on them, indicating that the user is not able to change the settings.

When you first install Mac OS X, the user that you create during the installation process automatically has administrative privileges. However, users created after that time will not have administrative privileges unless the person who creates their accounts (an administrator) grants the users admin privileges in the Accounts panel of System Preferences. You should consider your security needs and determine whether the user ID that you use for your normal work on the machine should have administrative privileges.