Command-Line Administration Tools

   

There are a number of command-line tools that are of assistance in the configuration and maintenance of user accounts. Some of these have functionality duplicated in graphical tools and some do not. For truly sophisticated user management, we again suggest looking to Mac OS X Server because it provides tools that are considerably more powerful.

NetInfo Utilities

The nidump, niutil, and niload commands are particularly useful for user account creation and deletion. It's also a good idea to be familiar with the tar command for backing up NetInfo databases. We wouldn't be surprised if someone creates a graphical tool that scripts the sort of account maintenance that has been shown in this chapter and makes it available on the Net. If we managed to pique your interest in shell programming in the earlier chapters, this would be an ideal problem to attack as a learning experience. Because NetInfo is so vital to the operation of the machine, we recommend that you verify, by using print statements, that the scripts you create output exactly what you want before you turn them loose on the NetInfo database.
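The pattern recommended above, as an added example that is not code from the book: generate the niutil commands first, read them, and only then let them run. The function names next_uid and add_user, the DRY_RUN switch, the uid allocation from a nidump listing and the locked "*" password are our own additions; `nidump passwd .`, `niutil -create` and `niutil -createprop` are the NetInfo commands of the Mac OS X releases this chapter covers (NetInfo was removed from later releases, so this runs only on a NetInfo system). The listing in SAMPLE_PASSWD is constructed for the example.

```shell
#!/bin/sh
# Added example: dry-run creation of a local NetInfo user record.
# next_uid, add_user, DRY_RUN and SAMPLE_PASSWD are our own names.

# Constructed sample in the format `nidump passwd .` prints; not from a real system.
SAMPLE_PASSWD='root:*:0:0:System Administrator:/var/root:/bin/sh
nobody:*:-2:-2:Unprivileged User:/dev/null:/dev/null
alice:Ab12Cd34Ef56G:501:20:Alice:/Users/alice:/bin/tcsh
bob:Ab12Cd34Ef56G:502:20:Bob:/Users/bob:/bin/tcsh
dave:*:504:20:Dave:/Users/dave:/bin/tcsh'

# next_uid MIN: read passwd-format lines on stdin and print the lowest
# uid >= MIN that no existing record uses.
next_uid() {
    cut -d: -f3 | sort -n | awk -v want="$1" '
        $1 < want  { next }           # below the range we allocate from
        $1 == want { want++; next }   # taken: try the next one
                   { exit }           # first gap found; END still runs
        END        { print want }'
}

# add_user NAME UID GID HOME SHELL: print (DRY_RUN=1, the default) or run
# (DRY_RUN=0) the niutil commands for a new record under /users. The passwd
# property is set to "*" so nobody can log in until an administrator runs
# passwd for the account; an absent or empty field would permit login with
# no password at all.
add_user() {
    name=$1 uid=$2 gid=$3 home=$4 shell=$5
    rec="/users/$name"
    run() {
        if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
    }
    run niutil -create . "$rec"
    run niutil -createprop . "$rec" uid "$uid"
    run niutil -createprop . "$rec" gid "$gid"
    run niutil -createprop . "$rec" home "$home"
    run niutil -createprop . "$rec" shell "$shell"
    run niutil -createprop . "$rec" realname "$name"
    run niutil -createprop . "$rec" passwd '*'
}

# Usage on a NetInfo system (a dry run until DRY_RUN=0 is exported):
#   uid=$(nidump passwd . | next_uid 501)
#   add_user carol "$uid" 20 /Users/carol /bin/tcsh
# Against the constructed sample, next_uid 501 answers 503 (501 and 502
# are taken, 504 is not yet) and add_user prints seven niutil lines.
```

Read the printed lines before exporting DRY_RUN=0: niutil writes straight into the database, and a typo in the record path creates a stray directory rather than an error.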

Common BSD Tools

In addition to the NetInfo commands for creating and modifying user accounts themselves, you have access to a number of standard BSD utilities. Primarily, these allow you to operate on the files in user accounts; but one, the passwd command, inserts crypt(3)-hashed passwords into the NetInfo user record. (This is a little odd because Apple has circumvented most BSD tools of this nature and incorporated their functionality into the NetInfo commands. It wouldn't be too surprising if Apple replaces or supersedes this command with another in the future.)

Changing File Ownership: chown

The chown command is used to change the ownership of files. Only the root user can change a file's owner; an ordinary user can run chown only on files she owns, and then only to change the group (to one she is a member of), which is the job chgrp does. The simplest form, and the one you'll end up using most frequently, is chown <username> <filename>, which changes the ownership property of <filename> to belong to the user <username>. The command can optionally be given as chown <username>:<groupname> <filename> to change the user and group at the same time. Additionally, -R can be specified after the command to cause a recursive change throughout an entire directory tree, rather than to a single file. The command documentation table is shown in Table 10.1.

Table 10.1. The Command Documentation Table for chown

Option    Description

chown     Changes file owner and group.

          chown [-R [-H | -L | -P]] [-fh] <owner> <file1> <file2> ...
          chown [-R [-H | -L | -P]] [-fh] :<group> <file1> <file2> ...
          chown [-R [-H | -L | -P]] [-fh] <owner>:<group> <file1> <file2> ...

-R        Recursively descends through directory arguments to change the user ID and/or group ID.

-H        If -R is specified, symbolic links on the command line are followed. Symbolic links encountered in tree traversal are not followed.

-L        If -R is specified, all symbolic links are followed.

-P        If -R is specified, no symbolic links are followed.

-f        Forces an attempt to change user ID and/or group ID without reporting any errors.

-h        If the file is a symbolic link, the user ID and/or group ID of the link itself is changed, rather than that of the file it points to.

The -H , -L , and -P options are ignored unless -R is specified. Because they also override each other, the last option specified determines the action that is taken.

The -L option cannot be used with the -h option.

It is not necessary to provide both <owner> and <group> ; however, one must be specified. If group is specified, it must be preceded with a colon ( : ).

The owner may be either a numeric user ID or a username. If a username exists for a numeric user ID, the associated username is used for the owner. Similarly, the group may be either a numeric group ID or a group name. If a group name exists for a group ID, the associated group name is used for the group.

Unless invoked by the superuser, chown clears set-user-id and set-group-id bits.

Changing File Group Ownership: chgrp

The chgrp command functions like the chown command, except that it changes only the group ownership of a file. This can be particularly useful when you want to give a user, or group of users, access to files owned by a number of different users. Instead of changing the ownership of each, or issuing a separate chown <userid>:<groupid> for each file, you can instead change the files' group en masse to one that the intended user or group can read, while not affecting the actual ownership of the files.

The command documentation table for chgrp is shown in Table 10.2.

Table 10.2. The Command Documentation Table for chgrp

Option    Description

chgrp     Changes group.

          chgrp [-R [-H | -L | -P]] [-fh] <group> <file1> <file2> ...

-R        Recursively descends through directory arguments to change the group ID.

-H        If -R is specified, symbolic links on the command line are followed. Symbolic links encountered in tree traversal are not followed.

-L        If -R is specified, all symbolic links are followed.

-P        If -R is specified, no symbolic links are followed.

-f        Forces an attempt to change group ID without reporting any errors.

-h        If the file is a symbolic link, the group ID of the link itself is changed, rather than that of the file it points to.

Unless -h , -H , or -L is specified, chgrp on symbolic links always succeeds and has no effect.

The -H, -L, and -P options are ignored unless -R is specified. Because they also override each other, the last option specified determines the action that is taken.

The group may be either a numeric group ID or a group name. If a group name exists for a group ID, the associated group name is used for the group.

The user invoking chgrp must belong to the specified group and be the owner of the file, or be the superuser.

Unless invoked by the superuser, chgrp clears set-user-id and set-group-id bits.
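The -H and -L options in Tables 10.1 and 10.2 carry a risk worth checking for before a recursive change on a tree its owner can write to, such as a home directory: a symbolic link planted inside the tree can point at a file elsewhere on the system, and chown -R -L (or chgrp -R -L) will change the owner or group of that target as well. This shell script is an added example, not code from the book; the names escaping_links, chown_tree and DRY_RUN are ours, and joe:staff in the usage comment is a made-up owner. It serves both the chown and chgrp sections, since both commands take the same symlink options.

```shell
#!/bin/sh
# Added example: find symlinks that leave a directory tree before running a
# link-following recursive chown/chgrp. escaping_links, chown_tree and
# DRY_RUN are our own names.

# escaping_links DIR: print every symlink under DIR whose target resolves
# outside DIR. Dangling links are reported too, because they can be
# repointed at anything before the chown runs.
escaping_links() {
    top=$(cd "$1" && pwd -P) || return 1
    find "$top" -type l | while IFS= read -r link; do
        target=$(readlink "$link")
        case "$target" in
            /*) abs=$target ;;
            *)  abs=$(dirname "$link")/$target ;;
        esac
        if [ -d "$abs" ]; then
            resolved=$(cd "$abs" && pwd -P)          # directory target: resolve fully
        elif tdir=$(cd "$(dirname "$abs")" 2>/dev/null && pwd -P); then
            resolved=$tdir/$(basename "$abs")         # file target: resolve its directory
        else
            printf '%s -> %s (dangling)\n' "$link" "$target"
            continue
        fi
        case "$resolved" in
            "$top"/*) ;;                              # stays inside the tree
            *) printf '%s -> %s\n' "$link" "$resolved" ;;
        esac
    done
}

# chown_tree OWNER[:GROUP] DIR: refuse a link-following recursive chown while
# any link leaves DIR; with DRY_RUN=1 print the command instead of running it.
chown_tree() {
    owner=$1 dir=$2
    bad=$(escaping_links "$dir") || return 1
    if [ -n "$bad" ]; then
        printf 'refusing: chown -R -L %s %s would follow links out of the tree:\n%s\n' \
            "$owner" "$dir" "$bad" >&2
        return 2
    fi
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'chown -R -L %s %s\n' "$owner" "$dir"
    else
        chown -R -L "$owner" "$dir"
    fi
}

# Usage (owner and path are made up):
#   escaping_links /Users/joe            # list links pointing outside
#   DRY_RUN=1 chown_tree joe:staff /Users/joe
```

When -R is given without -H or -L, both the BSD and GNU implementations behave as -P and never touch a link's target, so the check matters only when you deliberately follow links; for a tree a user controls, -P (or -h, to relabel the links themselves) is the safer default.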

Setting a User's Password: passwd

The passwd command, somewhat unexpectedly, changes a user's password. If you look at the man page for passwd , you will see that there are a number of related password and account management commands that come from BSD Unix. With the exception of the passwd command, all the others appear to operate on the local files only, and do not seem to affect the NetInfo database information. Because the local authentication files (such as /etc/passwd and /etc/group ) are used only in single-user mode, none of the other commands currently have any significant use in OS X. (We'd like to think that Apple is working on making more of them operate with the NetInfo database, but we really have no idea whether the BSD utilities are coming or going.)

Simply issued as passwd , with no other options, the passwd command enables a user to change her password. The root user can issue passwd <username> to force the password for the user <username> to change. The command documentation table for passwd is shown in Table 10.3.

Table 10.3. The Command Documentation Table for passwd

Option    Description

passwd    Modifies a user's password.

          passwd [-l] [-k] [-y] [<user>]

          passwd changes the user's local, Kerberos, or YP password. The user is first prompted for her old password. The user is next prompted for a new password, and then prompted again to retype the new password for verification.

          The new password should be at least six characters in length. It should use a variety of lowercase letters, uppercase letters, numbers, and metacharacters.

-l        Updates the user's local password.

-k        Updates the Kerberos database, even if the user has a local password. After the password has been verified, passwd transmits the information to the Kerberos authenticating host.

-y        Updates the YP password, even if the user has a local password. The rpc.yppasswdd(8) daemon should be running on the YP master server.

If no flags are specified, the following occurs:

  • If Kerberos is active, the user's Kerberos password is changed, even if the user has a local password.

  • If the password is not in the local database, an attempt to update the YP password occurs.

To change another user's Kerberos password, run kinit(1) followed by passwd. The superuser is not required to supply the user's password if only the local password is being modified.
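Because passwd is the one BSD tool here that writes into the NetInfo user record, the check a practitioner wants after account work is an audit of the records it produces: an empty password field means login with no password, a second uid 0 is a second root, and a field that is neither the "*" lock marker nor a 13-character crypt(3) hash is not something passwd wrote. This shell script is an added example and not code from the book; the function names are ours, and SAMPLE_RECORDS is constructed, not taken from any system. Feed it `nidump passwd .` on a NetInfo system, or /etc/passwd for the file used in single-user mode.

```shell
#!/bin/sh
# Added example: audit passwd-format account records. Function names and the
# sample data are our own.

# Constructed sample in `nidump passwd .` format (not from a real system):
# guest has an empty password field, toor is a second uid 0, and bob's
# field is not a crypt(3) hash.
SAMPLE_RECORDS='root:Ab12Cd34Ef56G:0:0:System Administrator:/var/root:/bin/sh
toor:*:0:0:Second root:/var/root:/bin/sh
guest::501:20:Guest:/Users/guest:/bin/tcsh
alice:Ab12Cd34Ef56G:502:20:Alice:/Users/alice:/bin/tcsh
bob:hunter2:503:20:Bob:/Users/bob:/bin/tcsh
dave:*:504:20:Dave:/Users/dave:/bin/tcsh'

# no_password: names whose password field is empty (login needs no password).
no_password() {
    awk -F: '$2 == "" { print $1 }'
}

# extra_root: names other than root whose uid is 0.
extra_root() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# odd_hash: names whose password field is neither "*" (locked) nor a
# 13-character crypt(3) hash, e.g. plaintext loaded by mistake with niload.
odd_hash() {
    awk -F: '$2 != "" && $2 != "*" && length($2) != 13 { print $1 }'
}

# audit_passwd: run all three checks on stdin, print findings, return 1 if any.
audit_passwd() {
    input=$(cat)
    bad=0
    for n in $(printf '%s\n' "$input" | no_password); do
        printf 'no password: %s\n' "$n"; bad=1
    done
    for n in $(printf '%s\n' "$input" | extra_root); do
        printf 'uid 0 alias: %s\n' "$n"; bad=1
    done
    for n in $(printf '%s\n' "$input" | odd_hash); do
        printf 'unexpected password field: %s\n' "$n"; bad=1
    done
    return $bad
}

# Usage on a NetInfo system:
#   nidump passwd . | audit_passwd
# Against SAMPLE_RECORDS the audit reports guest, toor and bob.
```

Run it as root when the listing comes from nidump, and treat any hit other than an account you locked yourself as an incident to explain before the next passwd run papers over it.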


   
Maximum Mac OS X Security
ISBN: 0672323818
Year: 2003
Pages: 158