Section 7.4. The Local Domain and NetInfo

The local domain is the default directory domain of the system. It consists of the following parts:

  • The local NetInfo database that is created when the operating system is first installed. It is located in the /var/db/netinfo directory.

  • The local Shadow Password database , created when the operating system is first installed, located in the /var/db/shadow directory.

  • Bonjour, SLP, and SMB for discovery of shared filesystems and other network services.

The Shadow Password database was a new feature in Panther. In prior versions of Mac OS X, the passwords were encrypted (using the crypt command-line tool) into a hash form and stored directly in the NetInfo database. However, because the information in the NetInfo database is available to anybody on the machine, the passwords were vulnerable to decryption attempts. All you had to do was dump out the NetInfo database (you'll see the commands to do that later in this chapter) to a flat file and then run any number of password-cracking utilities against the file. You could even do so on a separate machine once you had the flat file.

The Shadow Password database changes this, locking passwords into a directory where they can be accessed only by the root user of the system, thereby closing this security vulnerability. When the system needs to authenticate a user, Open Directory looks at the user's NetInfo record, sees that the password is in the Shadow Password database, and then compares the information given to it against the user's password. Unless you have root privileges on the machine, there's no way to get to the data that Open Directory uses to authenticate a user.

NetInfo Is Dead, Long Live NetInfo

Since the first release of Mac OS X, Apple has been slowly putting together all the pieces to move away from NetInfo and use LDAP for directory services. Panther marked the completion of the migration on the server side. When you install Mac OS X Server, the directory server in use is LDAP, and the only options in the Server Admin tools related to NetInfo are to migrate the data from a NetInfo database to LDAP.

However, on the client side, NetInfo is still the default local directory. So, the rumors of NetInfo's death are still premature.

The move to shadow passwords breaks some Unix-based tools that still expect to be able to find a crypt-based password. These tools need to be updated to use the PAM-based authentication libraries. The Unix tools that ship as part of the default Mac OS X installation use PAM. However, if you are compiling your own tools, you'll need to be sure they use PAM in order to avoid authentication problems.


To modify information about users and groups in the local domain, typically you use the Accounts preference panel. Whenever you create or modify a user, the user information is stored in the local NetInfo database. Whenever you modify a password, either with the Accounts preference panel or the passwd command-line tool, that password is updated in the local Shadow Password database. In addition to these easy-to-use GUI tools in the System Preferences, Mac OS X provides the GUI-based NetInfo Manager (/Applications/Utilities) and a set of command-line tools to manipulate NetInfo data.

7.4.1. Examining NetInfo Data with NetInfo Manager

When you first launch NetInfo Manager, you see an interface with two parts, as shown in Figure 7-2. The top part of the interface is a browser that allows you to navigate through the tree hierarchy of the NetInfo database. The leftmost column of the browser displays /, which is the root of the NetInfo database tree. The column to the right of / is the set of top-level directories (not to be confused with filesystem directories!) that are in the database. Unlike other Apple applications, NetInfo Manager doesn't have a help system (⌘-?). This is a sign that the tool isn't for beginners, and it has given NetInfo a reputation as a gnarly beast, when in fact it's rather easy to use once you get used to it.

Figure 7-2. NetInfo Manager

Each directory node in the database can, in addition to holding subdirectories, hold a set of properties. These properties are displayed in the bottom part of the NetInfo Manager interface. As shown in Figure 7-2, the users directory contains subdirectories for each user on the system as well as a single property, name, that contains the name of the directory.

Because the NetInfo database is inherited from NEXTSTEP and is designed to serve as both a local and distributed directory, it contains many entries that you won't typically use on a single local system. The top-level subdirectories of greatest use on a local system are:


groups

Contains a listing of the groups and the users that belong to each group. The information in this subdirectory is analogous to the information stored in the classic Unix /etc/group file.


users

Contains a listing of the users and the various properties associated with those users. This information serves the same purpose as the Unix /etc/passwd file.

By directly using NetInfo Manager to edit the local directory services domain, you could potentially create many problems and cause your system to start up incorrectly or not at all. Exercise great care before making changes.


7.4.1.1. Managing user information

When you create an account with the Accounts preference panel, all the properties about that user are stored in the local NetInfo database managed by Open Directory. By selecting the /users directory in NetInfo, you'll be able to see all the users on your system, and when you select your username, you should see something similar to Figure 7-3. Every setting that controls how a user behaves on the system is stored right here. These settings are (in the order that they typically appear for a user managed by the Accounts preference panel):


hint

This is the password hint that gets displayed in the login window when a user enters an incorrect password more than three times.


sharedDir

Name of the shared folder in the user's Home folder that can be shared with other users on the system or network. By default, this is the ~/Public folder.


_writers_passwd

Lists the users that are allowed to change the password for this user. Typically you'll see only the username of the user record this setting applies to. However, an admin user can always change a password for a user in the Accounts preference panel.


authentication_authority

Indicates the authentication resource against which to authenticate the user. By default in Tiger, this will be ;ShadowHash;, indicating that the system should authenticate the user against the Shadow Password database in /var/db/shadow. If you created an account with Jaguar or a previous release of Mac OS X and migrated it to Tiger, this setting might be basic.


name

The Unix username for the user. This is the same thing as the Short Name field in the Accounts preference panel.


home

The location on the filesystem of the user's Home folder.


passwd

By default, when the authentication_authority is set to ;ShadowHash;, the property contains a set of asterisks. If the authentication_authority is set to basic, this property contains the password for the user in a hashed form.


_writers_hint

Lists the users that are allowed to change the hint of the user's password. By default, this will only contain the name of the user's record.


_shadow_passwd

A legacy key left from older versions of Mac OS X and NEXTSTEP. Currently it's not used.

Figure 7-3. Examining a user subdirectory in NetInfo Manager


_writers_picture

Lists the users that can change the picture for this user.


realname

The long name of the user. This property corresponds to the Name field in the Accounts preference panel.


uid

The numeric user ID of the user.


shell

The default shell of the user; by default, this will be /bin/bash on Tiger.


generateduid

A string that serves as a unique identifier for the user, not only on the local system but anywhere in the world. This string is used inside the Shadow Password database as a key to find the information to validate passwords.


gid

The primary group ID of the user.


_writers_tim_password

A legacy key left from older versions of Mac OS X and NEXTSTEP. Currently it's not used.


picture

The user's picture.


_writers_realname

Lists the users that can change the real name for this user.
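The following Python audit is an added example, not code from the book or from Mac OS X. It models /users records as dicts of property name to list of values (NetInfo properties are multi-valued), runs over constructed sample records, and flags the conditions the property list above describes: a basic authentication_authority, which leaves a crypt hash in the world-readable NetInfo record; a passwd property that isn't all asterisks under ;ShadowHash;; a _writers_passwd list wider than the user's own record; and a duplicate uid.

```python
# Added example, not from the book: audit NetInfo /users records for the
# conditions described in this section. Each record is a dict of property
# name -> list of values, because NetInfo properties are multi-valued.

# Constructed sample records, shaped like the entries in Figure 7-3.
SAMPLE_USERS = [
    {"name": ["alisa"], "uid": ["501"], "gid": ["501"], "shell": ["/bin/bash"],
     "authentication_authority": [";ShadowHash;"], "passwd": ["********"],
     "_writers_passwd": ["alisa"], "generateduid": ["CONSTRUCTED-GUID-0001"]},
    # An account migrated from Jaguar: its crypt hash still sits in NetInfo.
    {"name": ["migrated"], "uid": ["502"], "gid": ["502"], "shell": ["/bin/tcsh"],
     "authentication_authority": ["basic"], "passwd": ["xxCONSTRUCTEDHASH"],
     "_writers_passwd": ["migrated"]},
    # A hand-made service account that reused a uid and widened _writers_passwd.
    {"name": ["svc_web"], "uid": ["502"], "gid": ["502"], "shell": ["/usr/bin/false"],
     "authentication_authority": [";ShadowHash;"], "passwd": ["********"],
     "_writers_passwd": ["svc_web", "alisa"]},
]

def first(rec, prop, default=""):
    """First value of a multi-valued property, or default if absent."""
    vals = rec.get(prop, [])
    return vals[0] if vals else default

def audit_users(records):
    """Return a list of (username, finding) tuples; an empty list means clean."""
    findings = []
    seen_uids = {}
    for rec in records:
        name, uid = first(rec, "name"), first(rec, "uid")
        auth = first(rec, "authentication_authority")
        passwd = first(rec, "passwd")
        # 1. 'basic' means the hash lives in the NetInfo record that any local
        #    user can dump, i.e. the pre-Panther exposure this section describes.
        if auth == "basic":
            findings.append((name, "authentication_authority is basic: hash exposed in NetInfo"))
        # 2. Under ;ShadowHash; the passwd property should be nothing but asterisks.
        elif auth == ";ShadowHash;" and passwd and set(passwd) != {"*"}:
            findings.append((name, "passwd property is not asterisks under ShadowHash"))
        # 3. By default only the user's own record may change its password.
        extra = [w for w in rec.get("_writers_passwd", []) if w != name]
        if extra:
            findings.append((name, "_writers_passwd also lists: " + ", ".join(extra)))
        # 4. NetInfo Manager permits duplicate uids; the system does not cope with them.
        if uid in seen_uids:
            findings.append((name, "uid %s already used by %s" % (uid, seen_uids[uid])))
        else:
            seen_uids[uid] = name
    return findings
```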

Given access to this information, it becomes very easy to make substantial changes to the user records on your system. For example, if you want to change the default shell for a user from /bin/bash to /bin/tcsh, you can edit the shell property as follows:

  1. First, make sure you are authenticated by clicking the padlock at the lower-left corner of NetInfo Manager's window. If the padlock is closed, you'll need to authenticate as an administrative user.

  2. Select the user that you want to modify.

  3. Find the shell property and double-click the name of the shell (/bin/bash by default), as shown in Figure 7-4.

  4. Change the value to /bin/tcsh.

  5. Click the padlock icon to prevent further changes from being made, or use Security → Deauthenticate.

  6. Save Changes (⌘-S).

7.4.1.2. Managing group information

The only way to affect the group settings for a user in the Accounts preferences panel is to grant the user administrator privileges. No other group manipulation is exposed. However, using NetInfo Manager, you can define new groups on the system and associate users with them. For example, to give the user alisa administrative privileges, follow this process:

  1. Navigate to the /groups/admin subdirectory using the browser window at the top of the NetInfo Manager interface.

  2. Select the users property, as shown in Figure 7-5.

  3. Use the Directory → New Value (Option-⌘-N) menu to create a new value in the users property.

  4. Change the new_value string that was inserted to alisa.

  5. Save the change with Domain → Save Changes (⌘-S).

When you check the "Allow user to administer this computer" checkbox in the Accounts preference panel, the system is simply adding the user to the admin group (just as was done here). Likewise, when you uncheck the administration checkbox in the Accounts preference panel, the system removes the user's name from the /groups/admin list in the NetInfo database.

Figure 7-4. Editing a user's shell in NetInfo Manager


7.4.1.3. Creating a nonhuman user

If you need to create a nonhuman user, meaning an account that is used to run some server program securely (not an account for a dog or a fish), it's best not to create that user with the Accounts preference panel, as a nonhuman user doesn't need to have a Home folder created. Instead, you can create an account by directly editing the NetInfo database. Usually, it's easiest to duplicate an existing user and then edit the various properties to give your new user the correct setup. Here's the step-by-step guide:

  1. Launch NetInfo Manager and authenticate as an admin user by clicking the padlock or using Security → Authenticate. When prompted, enter your password and hit Return.

  2. Click the duplicate button in the toolbar or use Edit → Duplicate (⌘-D). A duplicate of the unknown user will be created after you accept the dialog box challenge.

Figure 7-5. Editing the /groups/admin subdirectory in NetInfo Manager

  3. In the property-value editor at the bottom of the application window, change the uid (user ID) property to a number that isn't already assigned to some other user. By convention, you should use an ID between 100 and 500. IDs less than 100 are reserved for use by Mac OS X, and IDs greater than 500 appear in the login window. Be sure not to use an ID already in use. To be safe, check the various other user entries to make sure you aren't using their IDs before proceeding. Although NetInfo Manager is perfectly happy allowing you to create multiple user entries with the same user ID, the system itself won't be happy with this situation.

  4. Assign a group ID that is the same number as the user ID. You'll create the group for the user in a minute.

  5. If the user needs a Home directory (not likely for a nonhuman user, but the documentation for the software that you are creating the nonhuman user for may indicate that it is needed), set the home property to the filesystem location of the directory. If you do assign a Home directory, you are responsible for creating that directory. You can always add or change the home property later.

  6. If the user needs to use a shell (once again, not likely, but consult the documentation for the software that you are creating the nonhuman user for), set the shell property to the shell you'd like to use (for example, bash, tcsh, zsh). /usr/bin/false, a program that doesn't do anything but return a nonzero exit code, is a good choice when you want to make sure that the user can't use a shell.

  7. Set the realname property to something that makes sense.

  8. Move to the groups entry in the browser.

  9. Duplicate the unknown group.

  10. Change the name of the group to be the same as the name of the new user.

  11. Change the gid (group ID) number to match the user ID number.
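As an added example, not from the book, here is the same sequence of edits (steps 2 through 11 above, plus the /groups/admin change from Section 7.4.1.2) carried out in Python on an in-memory, constructed copy of the local domain, with each record modelled as a dict of property name to list of values; the account names and the values in the unknown templates are assumptions.

```python
# Added example, not from the book: the record edits of steps 1-11 above and the 7.4.1.2
# /groups/admin change, on an in-memory copy of the local domain (dicts of property -> [values]).
import copy
LOCAL_DB = {   # constructed starting state: unknown templates, one user, the admin group
    "users": [
        {"name": ["unknown"], "uid": ["99"], "gid": ["99"], "shell": ["/usr/bin/false"]},
        {"name": ["alisa"], "uid": ["501"], "gid": ["501"], "home": ["/Users/alisa"], "shell": ["/bin/bash"]},
    ],
    "groups": [
        {"name": ["unknown"], "gid": ["99"], "users": []},
        {"name": ["admin"], "gid": ["80"], "users": ["root"]},
    ],
}

def find(entries, name):
    return next((e for e in entries if e.get("name") == [name]), None)

def free_uid(db, low=100, high=500):
    """Step 3: a uid in 100..500 held by no user or group (step 11 reuses it as gid)."""
    taken = {u["uid"][0] for u in db["users"]} | {g["gid"][0] for g in db["groups"]}
    for uid in range(low, high + 1):
        if str(uid) not in taken:
            return uid
    raise RuntimeError("no free uid between %d and %d" % (low, high))

def create_service_user(db, name, realname, home=None, shell="/usr/bin/false"):
    """Steps 2-11: duplicate the unknown user and group, then edit the copies."""
    if find(db["users"], name) or find(db["groups"], name):
        raise ValueError("%s already exists" % name)
    uid = str(free_uid(db))
    user = copy.deepcopy(find(db["users"], "unknown"))
    user.update({"name": [name], "uid": [uid], "gid": [uid],
                 "realname": [realname], "shell": [shell]})
    if home:   # nonhuman users normally get no Home folder; if set, create it yourself
        user["home"] = [home]
    group = copy.deepcopy(find(db["groups"], "unknown"))
    group.update({"name": [name], "gid": [uid], "users": []})
    db["users"].append(user)
    db["groups"].append(group)
    return user, group

def set_admin(db, name, admin=True):
    """7.4.1.2: the Accounts checkbox just adds or removes the name in /groups/admin."""
    members = find(db["groups"], "admin")["users"]
    if admin and name not in members:
        members.append(name)
    elif not admin and name in members:
        members.remove(name)
    return list(members)
```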

Figure 7-6. Duplicating a user entry


Running Mac OS X Tiger: A No-Compromise Power Users Guide to the Mac (Animal Guide)
ISBN: 0596009135
Year: 2004
Pages: 166