The system administrator's job includes adding new users to the system and managing the ability of various groups to access different parts of the file system (review Chapter 8).
The easiest way to add a user in Mac OS X is with the Accounts pane in System Preferences (see the following task). This not only adds the user, but it also creates his or her home directory and several files that each user needs.
It is possible to add a user to your system using the command line, but the process is rather complex and is beyond the scope of this book. (If you really must know how, see the sidebar "Adding a User from the Command Line," later in this chapter.)
The Mac OS X System Preferences is a GUI interface for many basic administrative tasks. You access System Preferences from the Apple menu or from the Dock.
To create a new user:
1. Choose System Preferences from the Apple menu or click its icon in the Dock. The main System Preferences window opens (Figure 11.3).
Figure 11.3. The System Preferences window.
2. Click the Accounts icon. The Accounts pane opens showing the list of users on the left (Figure 11.4). All the current regular users are shown (not shown are special system accounts, including the root account).
Figure 11.4. The Accounts pane of System Preferences, showing users.
3. Click the lock icon. You will get a dialog asking for your user name and password (Figure 11.5). This is basically the Aqua version of using sudo: you are about to assume root privileges for this task, so only an admin user's name and password will be accepted. Fill in the dialog and click OK.
Figure 11.5. The Authenticate dialog, asking for your user name and password.
4. Back in the Accounts pane, click the plus (+) button, just above the lock icon. A dialog slides down with fields for the new user's information (Figure 11.6).
Figure 11.6. The dialog that appears when you click the plus button on the Accounts pane.
5. Fill in the Name and Short Name fields for the new user. The Name field is just the everyday name, typically including both first and last name. Mac OS X uses the term short name for what all Unix systems call the user name or login name. On many Unix systems the short name must be eight characters or less and should consist only of lowercase letters and numbers, so you may want to stick with that to be consistent with other Unix systems. In Mac OS X since 10.2, however, you can use up to 255 bytes for the short user name. (Note that bytes does not mean characters, because there are multibyte characters, for example, in Japanese.)
6. Fill in the user's new password. You type the password twice, and it is displayed as a series of bullets (so someone looking over your shoulder won't see it).
7. If you click the key icon next to the Password field (see Figure 11.6), you get the Password Assistant dialog (Figure 11.7), which will help you create a good password.
Figure 11.7. The Password Assistant dialog.
You may fill in a "password hint" for the user. This will show up in the Aqua Login window if he or she fails three login attempts in a row. (The hint option must also be set in the Login Options pane of the Accounts preferences pane.) Remember that the hint is shown to anyone standing at the login window, so it must not give the password away; the safest hint is none at all.
8. If you want the new user to have root access on the machine, check the box next to "Allow user to administer this computer." This puts the user in the admin group, whose members can run any command as root with sudo and can authenticate in dialogs like the one in step 3. Figure 11.8 shows an example of the new-user dialog filled in and ready to save.
Figure 11.8. The new user dialog all filled in and ready to save.
9. Click Create Account. At this point the new user has been added to the system, and that person can log in. The new-user dialog slides away and the Accounts pane shows the new user's name in the list (Figure 11.9). The new user's home directory has been created, along with various subdirectories such as his or her Documents folder. Also, a configuration file for the Apache Web server is created for the new user in /etc/httpd/users/. Add more users if you like.
Figure 11.9. The Accounts pane, showing the new user added to the list.
10. Quit System Preferences.
Tip
Passwords are the backbone of system security. If a malicious person obtained a user's password, he or she could cause serious harm to that person's system: disabling it altogether, obtaining root privileges, or copying any information on the system. Be very careful about giving users the ability to "administer this computer," since that essentially gives them root access and the ability to take complete control of the machine.
Occasionally you'll need to remove a user, and you can use System Preferences to do that as well. It gives you a choice about whether or not to completely delete the user's home directory; the default behavior is to create a disk-image file (a .dmg file) of the user's home directory and place that file in the /Users/Deleted Users directory.
To remove a user:
1. Open System Preferences.
2. Click the Accounts icon.
3. Select the user from the list.
4. Click the minus (-) button at the bottom of the list of users (see Figure 11.9). You will get a dialog asking if you want to delete the user's home directory immediately or allow a disk image to be placed in /Users/Deleted Users.
5. Choose either OK or Delete Immediately. If you allow the disk image to be created, you can always remove it later. Note that the image preserves everything in the home directory, including any private keys or saved passwords the user kept there, so treat /Users/Deleted Users as sensitive and remove the image once you are sure nothing in it is needed.
6. Quit System Preferences.
Choosing a Safer Password
Good passwords always have a combination of letters, numbers, punctuation marks, and symbols (!@#$%^&*_+-=":;'><,.?/\), and never contain a dictionary word. For example, secret23 would be a terrible password, far too easy for a computerized guessing program to figure out. One way to make a good password is to use the first letter from each word in a song lyric or poem, and change some of the characters to numbers and punctuation. For example, the lyric "Sporting 50-dollar sneakers and all the money's spent" (from Grandmaster Flash's "All Wrapped Up") might become the password S50$s&atm. (Now that it has appeared in print, that particular string belongs on every guessing program's word list; use the method, not the example.) In addition to the root password, all user passwords, especially those for admin users, must also be excellent in order for your system to have good security. In Mac OS X, having an admin user's password is equivalent to having the root password, because admin users can run any command as root with sudo. (We'll go into more about choosing good passwords in Chapter 12, "Security.")
Tip
There may be files outside the user's home directory that were owned by that user. For example, if you are running a Web server, you may have allowed users to put HTML files in /Library/WebServer/Documents. Unix stores file ownership as a numeric user ID, not a name, so once the account is gone those files belong to a number that no longer maps to anyone, and the next account you create may be assigned that same number and silently inherit them. You can create a list of all the files in a directory that are owned by unknown users with the -nouser option to the find command:
sudo find /Library/WebServer/Documents -nouser > orphanlist.txt
You can then look at the resulting list and decide which files to delete and which to change the ownership of (so that they are owned by a user still on the system). Do this before you add the next user. The -nogroup option does the same for files whose group no longer exists.
Adding a User from the Command Line
OK, you want to be a hotshot Unix sysadmin. At the end of this sidebar we provide a list of things you have to do to add a user from the command line. Each of these steps has several substeps.
Before trying this, download the Apple documentation for Mac OS X Server Command-Line Administration, http://images.apple.com/server/pdfs/Command_Line_v10.4.pdf, and please, experiment on a noncritical machine.
The documentation in that PDF refers to some command-line tools (serversetup, dsimport, createhomedir, and so on). One of them, serversetup, is not installed in the non-Server version of Mac OS X. So unless you are working on the Server version, you will not be able to create new admin users from the command line or perform some of the tests that the documentation describes. The tools are installed in different places on the Server and non-Server versions of Mac OS X. In the non-Server version these commands are installed in /usr/bin and /usr/sbin, so they are already in your PATH. (See Chapter 7 for more about your PATH.) Here is the basic process:
Note: There is a command-line tool called dsidentity that can be used to create a limited type of user account at the command line. The dsidentity tool is intended for creating accounts that are used only for remote file sharing and similar purposes. See man dsidentity for more.
Perhaps the most common task for a system administrator is to help users who have forgotten their password. There is no way to recover a user's current password (the system stores only a hash of it, not the password itself), but it can be changed easily. You can use System Preferences, but you can also do this easily from the command line. Refer to Figure 11.10 throughout the following task.
To change a user's password:
1. sudo passwd username
The username argument is the same as the short name that was entered when the user's account was created. For example,
sudo passwd sarafina
If you haven't used sudo in the last 5 minutes, you are prompted for your password, with just
Password:
After you enter your password, or if you have recently used sudo, you will see a prompt from the passwd command.
2. Enter the user's new password.
3. Reenter the new password. Because the passwords are not displayed, you have to enter them twice to make sure you have it right. If the entries don't match, you'll be prompted to enter them again.
Tips
Use a secure method to tell the user his or her new password, that is, in person or on a phone line you trust. Never send an (unencrypted) password over e-mail or leave it on a voice-mail system. Better still, treat the password you set as temporary and have the user change it right away with passwd, so that you no longer know it.
The Mac OS X keychain knows when you've changed your password and will prompt you to update your keychain the next time you use it.
Although it's not as common an activity as changing passwords, system administrators occasionally are asked (or decide) to change a user's login shell. For example, a user might want to use the tcsh shell as his or her login shell instead of the Mac OS X default (which is bash ).
The command-line tool for changing a user's shell in Darwin and Mac OS X is quite different from that used in other versions of Unix (in which you would probably use either usermod or chsh ). Darwin and thus Mac OS X use a different system than other flavors of Unix to store and access all the system-configuration information, such as users, groups, and mounted disks. See the sidebar "About lookupd , Open Directory, and Directory Service."
The main command-line tool for dealing with the Directory Services system is dscl (Directory Service command line), and that's what you'll use in the following task (Figure 11.11).
localhost:~ vanilla$ sudo dscl . -change /users/name=puffball UserShell /bin/bash /bin/tcsh
Password:
localhost:~ vanilla$ dscl . -read /users/name=puffball UserShell
UserShell: /bin/tcsh
localhost:~ vanilla$
About lookupd, Open Directory, and Directory Service
All Unix systems need a way to store and retrieve system-configuration information about users, groups, networks, and disks. On many other Unix systems, this data is stored (primarily) in text files in the /etc directory. For example, /etc/passwd usually has all the user accounts, and /etc/group has the list of groups.
While Mac OS X/Darwin is able to use the traditional /etc files (which it calls BSD Flat Files) to manage system-configuration information, at a more fundamental level it uses a system called Open Directory, which uses the DirectoryService and lookupd daemons. Apple has rewritten the low-level software libraries (the getpw* functions such as getpwnam and getpwuid, for you C hackers) so that they use lookupd. The lookupd daemon can use a variety of data sources, including BSD Flat Files, Apple's legacy NetInfo database (see the sidebar "Deeper into NetInfo"), an LDAP server, and more. For more on lookupd, see man lookupd. For more on Directory Services, see man DirectoryService and http://developer.apple.com/darwin/projects/opendirectory/.
To change a user's login shell:
1. sudo dscl . -change /users/username UserShell oldshell newshell
For example, to change the shell for user puffball from /bin/bash to /bin/tcsh the command line is
sudo dscl . -change /users/puffball UserShell /bin/bash /bin/tcsh
If sudo prompts you for your password, enter it. The -change operation needs the old value as well as the new one: if the record does not currently hold the value you named, dscl reports an error and changes nothing, which protects you from blindly overwriting a shell someone else already changed. Now you can check that the change took place:
2. dscl . -read /users/username UserShell
For example:
dscl . -read /users/puffball UserShell
Tips
The dscl utility provides many tools for reading and changing system-configuration settings. See man dscl for the complete story.
An interesting feature of dscl is that it offers an interactive shell-like interface. If you run
sudo dscl .
you will get a prompt (just a > ) from which you can navigate around the data hierarchy using cd and ls , and issue all of the various dscl commands, such as read , change , search , and so on. Again, see man dscl for more. Using dscl in interactive mode to change a user's shell could look like this:
localhost:~ vanilla$ sudo dscl .
 > change /users/puffball UserShell /bin/bash /bin/tcsh
 > read /users/puffball UserShell
UserShell: /bin/tcsh
 > quit
localhost:~ vanilla$
Every time a user logs in, entries are made in three log files. These files enable you to see who is currently using the system and a history of logins to the system.
Table 11.2 lists these files and the commands used to view them.
FILE | PURPOSE AND COMMANDS
---|---
/var/run/utmp | Shows who is logged in right now (tmp stands for temporary). Used by the users, w, and who commands.
/var/log/wtmp | Records each login and logout. A binary file, not human-readable. Used by the last and ac commands. This file is "rolled over" every month by the script /etc/monthly. See "Running Regularly Scheduled Commands," later in this chapter.
/var/log/lastlog | Records the date and time of each user's last login. The date of the last login is displayed when logging in via a command-line interface (for example, when you open a new Terminal window).
Using the commands listed in Table 11.2, you can see a good deal of information about who was and is using your system. Bear in mind that these records are only as trustworthy as root: anyone who gains root can edit or truncate wtmp, so an unexplained gap in the history is itself something to notice.
To see a list of users logged in right now:
To see a list of users and where they logged in from:
localhost:~ vanilla$ who -Hu
NAME     LINE     TIME          IDLE   FROM
vanilla  console  Jul  9 16:55  22:32
vanilla  ttyp1    Jul  9 12:55  .      (g5-imac.matisse.)
matisse  ttyp2    Jul  9 10:36  .      (well.com)
vanilla  ttyp3    Jul  6 12:39  00:09
vanilla  ttyp4    Jul  9 10:37  00:09
localhost:~ vanilla$
Deeper into NetInfo
The NetInfo system is being phased out of Mac OS X/Darwin but is still in use as of Mac OS X 10.4 and probably will be for a while. NetInfo was originally a hierarchical directory service system like LDAP or Active Directory, but it is now used solely for storing local configuration information. The data stored in NetInfo is mostly data that is stored on other Unix systems in plain-text files: The file /etc/passwd has the list of all users, their home directories, and their login shells. In Darwin, /etc/passwd is used only when the machine is in single-user mode, but on most Unix systems, /etc/passwd is the only database of users.
The official Apple overview of the NetInfo system is available as a PDF document at www.apple.com/server/pdfs/UnderstandingUsingNetInfo.pdf.
To see who is logged in and what they are doing:
localhost:~ vanilla$ w
11:15AM  up 3 days, 11:53, 5 users, load averages: 0.39, 0.48, 0.60
USER     TTY  FROM      LOGIN@   IDLE   WHAT
vanilla  co   -         Sat08AM  21:38  -
vanilla  p1   -         10:31AM  -      bash
matisse  p2   well.com  10:36AM  -      find
vanilla  p3   -         Sat12PM  -      mail
vanilla  p4   -         10:37AM  -      w
localhost:~ vanilla$
For comparison, here is w on a busy multiuser Unix system with 152 users logged in (the prompt, Love ya babe 34:, is that system's own):
Love ya babe 34: w
11:20am  up 20 day(s), 5:08, 152 users, load average: 5.98, 6.62, 6.74
User      tty      login@   idle  JCPU  PCPU  what
java      pts/3    5:49am   41    22    16    -bash
swede     pts/8    10:49am  5     5     4     /usr/local/lib/mailwrapper/pine
fluffer   pts/15   11:04am  4     4     more
maxie     pts/35   6:14am   1:32  55    -picospan
flute     pts/58   11:06am  7     2     2     extract -g -f weblog -J -k web /
bottle    pts/44   10:36am  2     ped -t -z /home/b/o/bottle/.muse
risc      pts/19   11:11am  3     more
artgrrl   pts/41   8:35am   1     1     1     ssh -l artgrrl artgrrl.net
omni23    pts/100  11:14am  lynx villagevoice
starboy   pts/13   11:14am  2     -bash
bunch     pts/60   10:26am  39    8     5     -picospan
bloomsb   pts/162  10:07am  1:08  38    irc NihiAtWrk irc.wagill.com
libre     pts/134  10:48am  2     2     2     /usr/bin/vi /home/l/i/libre/cf.buf
pwolf     pts/90   9:53am   1:28  /usr/bin/ksh
....output abbreviated....
To see a history of logins for all users:
localhost:~ vanilla$ last
vanilla   ttyp4                      Tue Jul  9 10:37   still logged in
matisse   ttyp2    well.com          Tue Jul  9 10:36 - 11:20  (00:43)
vanilla   ttyp1                      Tue Jul  9 10:31   still logged in
vanilla   ttyp2                      Tue Jul  9 10:31 - 10:36  (00:05)
vanilla   ttyp3                      Sat Jul  6 12:39   still logged in
vanilla   ttyp2                      Sat Jul  6 10:29 - 10:31  (3+00:02)
puffball  ttyp2                      Sat Jul  6 08:43 - 10:29  (01:45)
vanilla   ttyp1                      Sat Jul  6 08:34 - 10:09  (01:35)
matisse   console  user-112uhed.biz  Sat Jul  6 08:32   still logged in
root      console                    Fri Jul  5 12:30 - 12:32  (00:01)
vanilla   console  user-112uhed.biz  Fri Jul  5 12:29 - 12:30  (00:00)
puffball  ttyp1    playroom.matisse  Thu Jul  4 11:00 - 12:36  (1+01:35)
vanilla   ttyp2                      Tue Jul  2 16:45 - 14:21  (2+21:36)
vanilla   ttyp1                      Tue Jul  2 16:35 - 11:00  (1+18:24)
vanilla   console  user-112uhed.biz  Tue Jul  2 16:23 - 12:29  (2+20:05)
reboot    ~                          Tue Jul  2 16:20
shutdown  ~                          Tue Jul  2 16:14
root      console  user-112uhed.biz  Tue Jul  2 16:14 - 16:14  (00:00)
vanilla   ttyp2                      Tue Jul  2 15:06 - shutdown  (01:08)
puffball  ttyp1                      Tue Jul  2 15:04 - shutdown  (01:09)
vanilla   ttyp1                      Tue Jul  2 15:04 - 15:04  (00:00)
vanilla   ttyp3                      Tue Jul  2 11:53 - shutdown  (04:20)
matisse   ttyp1                      Tue Jul  2 10:10 - 15:04  (04:53)
vanilla   ttyp2                      Mon Jul  1 21:43 - 15:06  (17:22)
vanilla   ttyp1                      Mon Jul  1 21:42 - 10:10  (12:27)

wtmp begins Mon Jul  1 09:18
localhost:~ vanilla$
By default last reads only the current /var/log/wtmp. To look at an earlier month, decompress the rotated copy and point last at it with -f:
cd /var/log
sudo gunzip wtmp.2.gz
last -f wtmp.2
To see a history of all logins for one user:
localhost:~ vanilla$ last puffball
puffball  ttyp2                      Sat Jul  6 08:43 - 10:29  (01:45)
puffball  ttyp1    playroom.matisse  Thu Jul  4 11:00 - 12:36  (1+01:35)
puffball  ttyp1                      Tue Jul  2 15:04 - shutdown  (01:09)

wtmp begins Mon Jul  1 09:18
localhost:~ vanilla$
Tip
You can use last with the pseudouser names reboot, shutdown, and crash to see all the corresponding entries in the last log. For example,
last reboot
shows all the reboots this month.
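Reading last output by eye works for the few dozen lines above; a month of wtmp on a shared machine is another matter. The script below is an added example, not from the book. The lines in SAMPLE_LAST are constructed to match the column layout of the last output shown earlier (user, tty, an optional remote host, then the weekday and date); in real use you would pipe in last or last -f wtmp.0 instead. It counts login records per user, lists the sessions that arrived from a remote host, and pulls out every direct login as root. On a stock Mac OS X system the root account is disabled, so any such entry needs an explanation, and a remote one needs an urgent one.

```shell
#!/bin/sh
# Added example (not from the book): triage "last" output from wtmp.
# SAMPLE_LAST is constructed to match the column layout shown in the
# text; in real use feed the functions the output of "last" or
# "last -f /var/log/wtmp.0" instead.
SAMPLE_LAST='vanilla   ttyp4                     Tue Jul  9 10:37   still logged in
matisse   ttyp2    well.com         Tue Jul  9 10:36 - 11:20  (00:43)
root      console                   Fri Jul  5 12:30 - 12:32  (00:01)
puffball  ttyp1    playroom.matisse Thu Jul  4 11:00 - 12:36  (1+01:35)
reboot    ~                         Tue Jul  2 16:20
root      ttyp2    198.51.100.7     Tue Jul  2 15:40 - 15:41  (00:01)
shutdown  ~                         Tue Jul  2 16:14

wtmp begins Mon Jul  1 09:18'

# Awk rules shared by the three reports: skip blank lines, the
# pseudo-users reboot/shutdown/crash, and the trailing "wtmp begins" line.
SKIP='NF == 0 { next }
$1 == "reboot" || $1 == "shutdown" || $1 == "crash" { next }
$1 == "wtmp" && $2 == "begins" { next }'

# When the third field is a weekday there was no remote host, so the
# session started at the console or in a local Terminal window.
IS_LOCAL='$3 ~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/'

# count_logins: one "user N" line per real user, sorted by name.
count_logins() {
    awk "$SKIP
{ n[\$1]++ }
END { for (u in n) print u, n[u] }" | sort
}

# remote_logins: "user tty host" for every session that came in over the
# network rather than from the console.
remote_logins() {
    awk "$SKIP
!($IS_LOCAL) { print \$1, \$2, \$3 }"
}

# root_logins: every direct login as root, with "local" in place of the
# host for console sessions.
root_logins() {
    awk "$SKIP
\$1 != \"root\" { next }
{ host = ($IS_LOCAL) ? \"local\" : \$3; print \$1, \$2, host }"
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LAST" | count_logins
printf '%s\n' "$SAMPLE_LAST" | remote_logins
printf '%s\n' "$SAMPLE_LAST" | root_logins
```

The awk prelude is kept in a shell variable so all three reports apply the same exclusions; if your last prints an extra column (some versions add the session's duration in a different place), adjust IS_LOCAL, since everything else keys off fields 1 to 3 only.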
To see a summary of login times:
localhost:~ vanilla$ ac
        total   197.22
localhost:~ vanilla$ ac -p
        vanilla   196.20
        root        0.29
        puffball    0.73
        total     197.22
localhost:~ vanilla$ ac -d
Jul  3  total   62.19
Jul  4  total   24.00
Jul  5  total   23.97
Jul  8  total   72.00
Jul  9  total   15.06
localhost:~ vanilla$ ac vanilla
        total   196.20
localhost:~ vanilla$ ac puffball vanilla
        total   196.94
localhost:~ vanilla$ ac -p puffball vanilla
        vanilla   196.21
        puffball    0.73
        total     196.94
localhost:~ vanilla$ ac -d vanilla
Jul  1  total   14.35
Jul  3  total   47.84
Jul  4  total   24.00
Jul  5  total   23.69
Jul  8  total   72.00
Jul  9  total   14.34
localhost:~ vanilla$
Tip
You can use the -w option for ac to have it read a different file from the default.
For example,
cd /var/log
sudo gunzip wtmp.0.gz
ac -w wtmp.0 -p
shows a per-user summary for the month whose data is in the file (use -d instead of -p for a per-day summary).
In Chapter 8, you learned about how Unix uses groups to grant permission for various file operations (read, write, execute) to groups of users. And earlier in this chapter, you learned that Mac OS X allows any user in the admin group to use sudo to execute commands as root.
In this section we're going to show you how to change a user's group assignment, and how to add and remove groups. A common reason to create a new group is if you have several people using your computer and want to allow some of them to have write permission in a directory where the other users do not. You would create a new group and put each of the team members into that group. Users can be members of many groups.
You will be using a Darwin-only tool called dseditgroup to manage group information, as well as the Darwin-only nireport and dscl .
To see all the groups a user belongs to:
groups username
For example, groups puffball lists every group puffball is a member of, primary group first.
Tip
Supposedly, the groups command is being made obsolete by the id command, which has several options and can show more information about a user. Unfortunately, the id command is quite different on different Unix systems. In Mac OS X,
id -Gn username
behaves the same as
groups username
See man id for more.
To see a list of all the groups:
localhost:~ vanilla$ dscl . -list /groups PrimaryGroupID
accessibility     90
admin             80
amavisd           83
appowner          87
appserveradm      81
appserverusr      79
authedusers       50
bin                7
clamav            82
consoleusers      53
daemon             1
dancers          500
dialer            68
everyone          12
group             11
                  16
interactusers     51
jabber            84
kmem               2
lp                26
mail               6
mailman           78
matisse          501
mysql             74
netusers          52
network           69
nobody            -2
nogroup           -1
operator           5
owner             10
postdrop          28
postfix           27
qtss              76
remote           503
securityagent     92
smmsp             25
sshd              75
staff             20
sys                3
tokend            91
tty                4
unknown           99
utmp              45
uucp              66
vanilla          502
wheel              0
windowserver      88
www               70
xgridagent        86
xgridcontroller   85
localhost:~ vanilla$
To see all the attributes of one group:
localhost:~ vanilla$ dscl . -read /groups/admin
AppleMetaNodeLocation: /NetInfo/DefaultLocalNode
GeneratedUID: FFFFEEEE-DDDD-CCCC-BBBB-AAAA00000050 ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000050
GroupMembership: root matisse vanilla remote
Password: *
PrimaryGroupID: 80
RealName: Administrators
RecordName: admin
RecordType: dsRecTypeNative:groups
SMBSID: S-1-5-32-544
localhost:~ vanilla$
For the admin group, GroupMembership is the line to audit: every name on it can become root with sudo, so any name you do not recognize is a problem.
To see all the users who belong to a group:
dscl . -read /groups/groupname GroupMembership
Compare with Aqua: NetInfo Manager
You can use the GUI application NetInfo Manager to see who is a member of a group, as well as to add and remove groups. Even though NetInfo Manager is a GUI application, it is far less easy to use than most Mac applications. This is one case where the command-line tools are probably easier than the GUI equivalent.
To create a new group:
1. First get the list of all groups as described in the task "To see a list of all the groups":
dscl . -list /groups PrimaryGroupID
2. Make up a group name that is not in use. Group names should be all lowercase and should contain only letters and numbers.
3. sudo dseditgroup -o create groupname
You must be root to modify the data sources used by Directory Service, hence the use of sudo. For example, to create a group called "dancers":
sudo dseditgroup -o create dancers
Enter your password if sudo prompts you for it. If a group already exists with the name you chose, you will be asked if you want to overwrite the existing record. Answer n unless you really mean to replace it, since it is the existing record, membership list included, that gets overwritten.
Tips
Instead of using sudo , you can use the -p option and you will be prompted for your password:
dseditgroup -p -o create groupname
Or if you are not logged in as an admin user, you may use the -p and -u options to supply an admin user name:
dseditgroup -u username -p -o create groupname
You'll still need the password, of course.
There are several more options for creating a group with dseditgroup for example, you can add a comment with the -c option. See man dseditgroup for the complete list.
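Steps 1 and 2 above say to pick a name that is not in use. When you let dseditgroup pick the GID that is all you need to check, but if you assign GIDs yourself, or inherit a machine where someone did, you also want to know that the number is free and that no two groups already share one (two groups with one GID are a single group as far as file permissions are concerned). The script below is an added example, not from the book. SAMPLE_GROUPS is a constructed, shortened copy of a dscl . -list /groups PrimaryGroupID listing, with one deliberate duplicate (tango sharing GID 502 with vanilla) so the check has something to find; the assumption that locally created groups start at 500 follows the numbering in the listing shown earlier.

```shell
#!/bin/sh
# Added example (not from the book): sanity-check a proposed group name
# and find a free GID, reading a "dscl . -list /groups PrimaryGroupID"
# style listing from standard input. SAMPLE_GROUPS is constructed; in
# real use pipe in the dscl output itself.
SAMPLE_GROUPS='admin 80
dancers 500
everyone 12
matisse 501
nobody -2
nogroup -1
remote 503
staff 20
vanilla 502
tango 502
wheel 0
www 70'

# valid_group_name NAME: the book's rule, lowercase letters and digits only.
valid_group_name() {
    printf '%s\n' "$1" | grep -Eq '^[a-z0-9]+$'
}

# group_exists NAME: exit status 0 if NAME already appears in the listing.
group_exists() {
    awk -v g="$1" '$1 == g { found = 1 } END { exit found ? 0 : 1 }'
}

# next_free_gid [START]: lowest GID >= START (default 500, where locally
# created users and groups are numbered on this system) not in the listing.
next_free_gid() {
    awk -v start="${1:-500}" '{ used[$2] = 1 }
END { g = start + 0; while (g in used) g++; print g }'
}

# duplicate_gids: GIDs shared by more than one group name, as "GID: names".
duplicate_gids() {
    awk '{ n[$2]++; names[$2] = names[$2] " " $1 }
END { for (g in n) if (n[g] > 1) print g ":" names[g] }' | sort -n
}

# check_new_group NAME: prints "invalid NAME", "exists NAME", or
# "ok NAME GID", where GID is a free number you could pass to dseditgroup.
check_new_group() {
    listing=$(cat)
    if ! valid_group_name "$1"; then
        echo "invalid $1"
    elif printf '%s\n' "$listing" | group_exists "$1"; then
        echo "exists $1"
    else
        echo "ok $1 $(printf '%s\n' "$listing" | next_free_gid)"
    fi
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_GROUPS" | check_new_group dancers   # exists dancers
printf '%s\n' "$SAMPLE_GROUPS" | check_new_group Tango     # invalid Tango
printf '%s\n' "$SAMPLE_GROUPS" | check_new_group foxtrot   # ok foxtrot 504
printf '%s\n' "$SAMPLE_GROUPS" | duplicate_gids            # 502: vanilla tango
```

On a real machine, run dscl . -list /groups PrimaryGroupID | duplicate_gids once before you start handing out GIDs by hand; the system groups in the listing above all have distinct numbers, so anything this reports was put there by an administrator.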
To add a user to an existing group:
sudo dseditgroup -o edit -a fireboy -t user dancers
This adds the user fireboy to the group dancers; the -t user option says that the record being added is a user rather than a group (see "To add a group to another group," below). Check the result with
dscl . -read /groups/dancers GroupMembership
Starting in Mac OS X 10.4, you can have groups be members of other groups. Any user who is a member of a subgroup is automatically a member of the higher-level group(s). You may only add groups to groups that were created using the new 10.4 tools, such as dseditgroup , described above. (That is, you will get an error if you try to add a group to a "legacy-style" group.)
To display information about a group:
dseditgroup -o read groupname
This prints the group's attributes, including its membership, much as dscl . -read /groups/groupname does.
To add a group to another group:
sudo dseditgroup -o edit -a subgroup -t group groupname
For example, to make every member of tango also a member of dancers:
sudo dseditgroup -o edit -a tango -t group dancers
To remove a user from a group:
sudo dseditgroup -o edit -d username -t user groupname
To remove a subgroup from a group:
sudo dseditgroup -o edit -d subgroup -t group groupname
In each case -a adds and -d deletes, and -t tells dseditgroup whether the name it is given is a user or a group.
To remove a group:
1. sudo dseditgroup -o delete groupname
For example, to delete a group called "tango":
sudo dseditgroup -o delete tango
You will get a prompt telling you the group already exists and asking if you really want to delete it:
Delete called on existing record - do you really want to delete, y or n :
2. y
Typing y confirms the request to delete the group. It's gone as soon as you press Return. Files that had the group as their group owner keep its numeric GID, so use find with -nogroup (the group counterpart of the -nouser check described earlier in this chapter) to locate them before a new group is created with the same number.