Creating Hidden Administrator Accounts


A hidden administrator account is a functional account that, similar to the root account, is not visible to normal users. It differs from the root account, however, in that privileges can be customized to suit multiple levels of administration. There are two main ways to accomplish this: by modifying an admin account and by manually adding a user to a BSD flat user file.

Tip

If you don't expect your users to require any administrator access, after you create your hidden administrator account, you can delete the original admin account that was configured when Mac OS X was installed. With this configuration, only Normal user accounts are visible in System Preferences.


Modifying an Admin Account

For the first method, use NetInfo Manager (/Applications/Utilities), an administration tool for configuring and managing NetInfo data, to edit the account. NetInfo is the central database for user accounts, groups, passwords, printers, computers, and other configuration information in Mac OS X.

Note

NetInfo Manager is an advanced and very powerful application that should be used with care. Do not make changes to the NetInfo data unless you have a specific task to accomplish and understand the changes you are making. Making changes in NetInfo Manager may damage the system and require reinstalling Mac OS X.


Create and configure a new admin user account using System Preferences. Then, in NetInfo Manager, change the User ID (uid) and Group ID (gid) to a free number just below 500. This will keep the account from appearing in System Preferences. Next, change the user's home folder to a location that is not visible to general users, for example /var/username, and then actually move that home folder to the new location:

 sudo mv /Users/username /var/ 


Warning

Verify that you are not giving the hidden account an ID that is already used. Because accounts with IDs below 500 are usually system accounts, the result of assigning identical IDs is potentially destructive to Mac OS X. Counting down from 499 is usually safe. You can use the id command from a Terminal prompt to check whether a uid is already in use. Example: id 499.


When you change a user's uid number, Mac OS X sees the user as a different user, and the account loses access to its home folder. To fix this, run the chown command in Terminal to change the owner and group of the recently moved home folder:

 sudo chown -R new_uid:new_uid /var/username 


Once the home folder information, uid, and gid are changed, you will modify com.apple.loginwindow.plist, the preference file for both the Login window and the Fast User Switching list, so that the account will not appear in either list. You will add the short name of the user account you want to hide to the HiddenUsersList key in that .plist file using the defaults command. For example,


sudo defaults write /Library/Preferences/com.apple.loginwindow.plist HiddenUsersList -array-add hadmin


In order for the hidden administrator account to log in, you must configure the Login window to prompt for a name and password. This is configured in the Login Options of the Accounts pane in System Preferences. Additionally, the user won't appear in the Remote Desktop user list in the Sharing pane of System Preferences. Therefore, if you would like to give this user Remote Desktop access, you must do so before changing the user's uid.

When the user is logged in, the account appears in System Preferences, where basic settings can be modified.

Creating a User Account in the BSD Files

The second method, adding a user to a BSD flat user file, requires manually editing the /etc/master.passwd file and enabling the BSD Open Directory plug-in in the Directory Access utility, located in the Utilities folder.

The /etc/master.passwd file contains one user per line, with each line containing ten colon-delimited attributes. For example:

 hadmin:*:499:499::0:0:Hidden Administrator:/var/hadmin:/bin/bash 


The first attribute is the short user name (hadmin). The second attribute is the encrypted account password (an asterisk indicates there is no password associated with that user). This value should only be changed on the command line with the passwd utility. The third and fourth attributes are the user and primary group IDs, also known as uid and gid, respectively (499). The next attribute after the group ID should be the account's general classification. This attribute is often left empty. The next two attributes are for the password change time and account expiration time, followed by the user's long name (Hidden Administrator). The next attribute is the path to the user's home folder (/var/hadmin). Be sure to create a folder here, and change the owner of it using chown. The final attribute is the default shell (/bin/bash).
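The script below is an added example, not code from the book: it audits a file in the ten-field master.passwd format just described for the conditions this page warns about, namely lines that do not carry exactly ten fields, an account below uid 500 that has a password set and an interactive shell (the profile of a hidden administrator, which System Preferences will not list), and two accounts sharing a uid. The input is a constructed sample, not a real /etc/master.passwd; the account names and hash value in it are made up.

```shell
#!/bin/sh
# Added example: audits a file in the ten-field /etc/master.passwd format
# (name:pw:uid:gid:class:change:expire:gecos:home:shell) for conditions the
# text above warns about. The input below is a constructed sample, not a
# real system file; pass /etc/master.passwd as the argument to audit a host.

SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed sample; a real file carries many more system accounts
root:*:0:0::0:0:System Administrator:/var/root:/bin/sh
daemon:*:1:1::0:0:System Services:/var/root:/usr/bin/false
unknown:*:99:99::0:0:Unknown User:/var/empty:/usr/bin/false
www:*:70:70::0:0:World Wide Web Server:/Library/WebServer:/usr/bin/false
hadmin:$1$salt$hash:499:499::0:0:Hidden Administrator:/var/hadmin:/bin/bash
shadow:*:70:80::0:0:Duplicate uid:/var/shadow:/bin/sh
broken:*:498:498::0:0:Too few fields:/var/broken
EOF

# Prints one "CODE:name" line per finding:
#   FIELDS  line does not have exactly ten colon-separated fields
#   LOWUID  uid below 500 with a password set and an interactive shell,
#           i.e. a login-capable account that System Preferences will not list
#   DUPUID  uid shared with another account (see the warning above)
audit_master_passwd() {
  awk -F: '
    /^#/ || NF == 0 { next }
    NF != 10 { print "FIELDS:" $1; next }
    {
      name = $1; pw = $2; uid = $3 + 0; shell = $10
      count[uid]++
      names[uid] = (uid in names) ? names[uid] " " name : name
      if (uid < 500 && pw != "*" && shell !~ /(false|nologin)$/)
        print "LOWUID:" name
    }
    END {
      for (uid in count)
        if (count[uid] > 1) {
          n = split(names[uid], list, " ")
          for (i = 1; i <= n; i++) print "DUPUID:" list[i]
        }
    }
  ' "$1"
}

audit_master_passwd "$SAMPLE"
```

On a real host, run the function as root against /etc/master.passwd; a LOWUID finding is expected only for accounts you deliberately created this way.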

To change the user's password, use the passwd command with the -i file parameter to specify that the crypt password should be stored in the BSD flat file:

 sudo passwd -i file hadmin 


To direct Mac OS X to allow user accounts in the BSD flat files to log in:

1. Launch Directory Access and select the Services tab.

2. Select BSD Flat Files and NIS, and click the Configure button.

3. In the dialog that appears, select "Use BSD local (/etc) files for authentication" and click OK.

4. In the Directory Access dialog, click the Authentication tab and choose "Custom path" from the Search pop-up menu.

5. Click Add, and then select /BSD/local from the list of available directories.

6. Click Add, and then click Apply.

Note

User accounts in BSD flat files are not listed in System Preferences because they don't exist in the local NetInfo database; the Accounts pane is not aware of them. If you were to create additional accounts in System Preferences, you could potentially create accounts that had conflicting user IDs or names. If you create user accounts using BSD flat files, use extra caution when managing all user accounts on the computer.


Managing Home Folders

Methods such as NetBoot start up your computer each time with a fresh copy of an image on the network. This fresh image also includes a clean version of the local home folders found under /Users. Any modifications that are made, either to settings or to saved documents, are lost with each restart. This is great news if you wish to present a clean volume for multiple users, but it can present a challenge if you wish to allow users to maintain customized individual experiences or permanently save documents in their home folders.

To allow user customization, you use Open Directory in Mac OS X Server to provide network user accounts and network mounts. This configuration lets users log in to any computer on your network and access their home folders located on a server. When you log in to a computer started up from a NetBoot volume using a network user account, the client computer retrieves the networked user's home folder location from a share point. As shown in the following figure, this share point typically resides on a server other than the one your computer is started up from.

Using Setup Assistant

When deploying images in single-user environments, you may find it useful to force Setup Assistant to run when the user first starts up the computer. This prompts users to create their own unique accounts.

To force Setup Assistant to run, delete the file .AppleSetupDone located in /var/db/ on the startup volume. Use the following command in Terminal for the current startup volume:

 sudo rm /var/db/.AppleSetupDone 


If the startup disk you wish to use is not your current startup volume, use the following command:

 sudo rm /Volumes/startup_disk_name/var/db/.AppleSetupDone 


You may also want to remove any accounts, along with their home folders, that you added during setup (for example, the admin account).

To delete an account, perform the following commands for the current startup disk:

 sudo nicl -raw /var/db/netinfo/local.nidb delete /users/account_name 
 sudo rm -rf /Users/account_name 


If the startup disk you wish to use is not your current startup disk, use the following command:

 sudo nicl -raw /Volumes/startup_disk_name/var/db/netinfo/local.nidb delete /users/account_name 
 sudo rm -rf /Volumes/startup_disk_name/Users/account_name 


Note

The /users/account_name at the end of the nicl command is case sensitive: the u in users is lowercase! This location refers to an entry in the NetInfo database, not a folder in the file system.


Warning

Deleting an account from the NetInfo database does not remove the user's local home folder, but the above command WILL remove ALL items in the user's home folder and those items will be completely unrecoverable.





Apple Training Series: Mac OS X v10.4 System Administration Reference, Volume 2
ISBN: 0321423151
Year: 2006
Pages: 128
