About Users and Groups

Because Unix is a multiuser system, it is quite normal to have many users (also called user accounts ) on your computer. You could even have hundreds if your computer is being used as a server that many people can access, perhaps to retrieve their e-mail.

To help manage system security, Unix uses groups to organize several users together so that you can grant file access to all of them. A user is always a member of at least one group and may be a member of many groups. Think of how employees in a company might be organizedeveryone has access to the e-mail system, but only certain people in the accounting department have access to financial information. Thus, the people in accounting are members of two different groups for security purposes: They are members of group "staff" and also group "finance."

Every single file and directory on a Unix machine is owned by one user and one group. When a file is created, its ownership and permissions are based on the user who created it.

A file starts its existence under the ownership of the user who created it and within one of the groups that user belongs to (usually the user's primary group for more on groups, see the following section, and the entries for 2775 and 2000 in Tables 8.3 and 8.4, respectively). The file also has a set of permissions assigned to it, based on the umask of the user; the umask defines which permissions are not granted (or are "masked out") for files you create (review "Changing your umask " in Chapter 7, "Configuring Your Environment with Unix").

Every user account on a Unix system has a name and a number. The name is what Mac OS X calls your short name . In the Unix world, this short name is variously referred to as your login name , your user name , and frequently simply user. The number is referred to as the user ID , or uid.

Every user account on a Unix system belongs to at least one group . Like users, groups have both names and ID numbers . A Unix group contains a list of users. As we mentioned, users are frequently members of more than one group. The group's ID number is often referred to as the gid . See Chapter 11, "Introduction to System Administration," to learn how to add users to a group.

In some Unix systems (including Mac OS X 10.4 Tiger) a new group is normally created when you create a new user account. The new group has the same name as the user's user name, and the gid number is the same as the new uid number. The new user will be the only member of this user private group . The group ownership on users' home directories will be their user private group. On other Unix systems (and Mac OS X before 10.3), new user accounts typically all belong to a single group and their home directories have that group ownership. On Mac OS X before 10.4 this would be the staff group.

Seeing all the users and groups on your system

Even if you created only one account when you installed Mac OS X, you still have more than a dozen "users" on your system. This is because Unix has a number of special user accounts that are never intended to be directly used by any human. These other "users" exist so that system files and processes may be owned and operated with differing sets of privileges. There are also a number of groups that exist for the same purpose.

To see a list of all the users on your system:

  • nidump passwd .

    The nidump command ( NetInfo dump ) is a Darwin-specific command (derived from the NeXT operating system) that displays information from a database called NetInfo ( Figure 8.1 ).

    Figure 8.1. Using nidump to see a list of all the user accounts on the system. Your list will differ .
     localhost:~ vanilla$  nidump passwd .  nobody:*:-2:-2::0:0:Unprivileged User:/var/empty:/usr/bin/false root:*:0:0::0:0:System Administrator:/var/root:/bin/sh daemon:*:1:1::0:0:System Services:/var/root:/usr/bin/false unknown:*:99:99::0:0:Unknown User:/var/empty:/usr/bin/false lp:*:26:26::0:0:Printing Services:/var/spool/cups:/usr/bin/false postfix:*:27:27::0:0:Postfix User:/var/spool/postfix:/usr/bin/false www:*:70:70::0:0:World Wide Web Server:/Library/WebServer:/usr/bin/false eppc:*:71:71::0:0:Apple Events User:/var/empty:/usr/bin/false mysql:*:74:74::0:0:MySQL Server:/var/empty:/usr/bin/false sshd:*:75:75::0:0:sshd Privilege separation:/var/empty:/usr/bin/false qtss:*:76:76::0:0:QuickTime Streaming Server:/var/empty:/usr/bin/false cyrusimap:*:77:6::0:0:Cyrus IMAP User:/var/imap:/usr/bin/false mailman:*:78:78::0:0:Mailman user:/var/empty:/usr/bin/false appserverusr:*:79:79::0:0:Application Server:/var/empty:/usr/bin/false clamav:*:82:82::0:0:Clamav User:/var/virusmails:/bin/tcsh amavisd:*:83:83::0:0:Amavisd User:/var/virusmails:/bin/tcsh jabber:*:84:84::0:0:Jabber User:/var/empty:/usr/bin/false xgridcontroller:*:85:85::0:0:Xgrid Controller:/var/xgrid/controller:/usr/bin/false xgridagent:*:86:86::0:0:Xgrid Agent:/var/xgrid/agent:/usr/bin/false appowner:*:87:87::0:0:Application Owner:/var/empty:/usr/bin/false windowserver:*:88:88::0:0:WindowServer:/var/empty:/usr/bin/false matisse:********:501:20::0:0:Matisse Enzer:/Users/matisse:/bin/bash vanilla:********:502:502::0:0:Sample User:/Users/vanilla:/bin/bash howard:********:503:503::0:0:Howard Baldwin:/Users/howard:/bin/bash jose:********:504:20::0:0:Jose Marquez:/Users/jose:/bin/bash whitney:********:505:20::0:0:Whitney Walker:/Users/whitney:/bin/bash securityagent:*:92:92::0:0:SecurityAgent:/var/empty:/usr/bin/false tokend:*:91:91::0:0:Token Daemon:/var/empty:/usr/bin/false remote:eq2myO/rZb/v2:503:503::0:0:Remote Desktop User:/Users/remote:/bin/bash appserver:*:79:79::0:0:Application Server:/var/empty:/usr/bin/false localhost:~ vanilla$ 

    Each line of output from nidump is a colon -separated series of entries for one user.

Figure 8.2 shows the meanings of the most important entries. Notice the primary group ID entry. Every user is a member of at least one group, called his or her primary group .

Figure 8.2. Diagram showing the important parts of each line in the output from nidump passwd .


  • nidump reads from a database that contains a variety of system information. The database is a series of files in /var/db/netinfo . If you are experienced with other Unix systems, then nidump is one big difference with Mac OS X/Darwin. The output from nidump looks like the /etc/passwd file that other Unix systems use. See also the sidebar "Creating Users and Groups."

To see a list of all the groups on your system:

  • nidump group .

    Figure 8.3 shows the output of this command, and Figure 8.4 is a diagram showing what the parts of each line mean. Note that several users shown in Figure 8.1 have group 20 as their primary group. In Figure 8.3 we see that group 20 is called "staff."

    Figure 8.3. Using nidump to get a list of all the groups on the system. Your results will differ.
     localhost:~ vanilla$  nidump group .  nobody:*:-2: nogroup:*:-1: wheel:*:0:root daemon:*:1:root kmem:*:2:root sys:*:3:root tty:*:4:root operator:*:5:root mail:*:6: bin:*:7: staff:*:20:root lp:*:26: postfix:*:27: postdrop:*:28: utmp:*:45: uucp:*:66: dialer:*:68: network:*:69: www:*:70: mysql:*:74: sshd:*:75: qtss:*:76: mailman:*:78: appserverusr:*:79:matisse,vanilla,remote admin:*:80:root,matisse,vanilla,remote appserveradm:*:81:matisse,vanilla,remote clamav:*:82: amavisd:*:83: jabber:*:84: xgridcontroller:*:85: xgridagent:*:86: appowner:*:87: windowserver:*:88: accessibility:*:90: unknown:*:99: everyone::12: authedusers::50: interactusers::51: netusers::52: consoleusers::53: owner::10: group::11: smmsp::25: matisse:*:501: vanilla:*:502: howard:*:503 jose:*:504 whitney:*:505 securityagent:*:92: tokend:*:91: remote:*:503: peachpit:*:1000:matisse,whitney localhost:~ vanilla$ 

    Figure 8.4. Diagram showing the important parts of each entry in the list of groups.


  • Even though only the root user is listed in the entry for group staff, there are still users who are members of itthey are those users who have group 20 listed as their primary group in Figure 8.1. So to see all the users who are a member of a group, you have to look in two places: the output of both

    nidump passwd .


    nidump group .

It is very easy to see which groups a particular user belongs to.

To see which groups you belong to:

  • groups

    The groups command displays a list of all the groups you are a member of ( Figure 8.5 ).

    Figure 8.5. Using the groups command to see which groups you belong to. Your results will differ.
     localhost:~ vanilla$  groups  vanilla appserveradm appserverusr admin localhost:~ vanilla$ 

To see which groups another user belongs to:

  • groups username

    You use the same groups command to see which groups a user other than yourself belongs to. For example, to see which groups the user vanilla belongs to, type

    groups vanilla

    Figure 8.6 shows sample results using users and groups from Figures 8.1 and 8.3.

    Figure 8.6. Using the groups command to see the groups another user belongs to. Again, your results will differ.
     localhost:~ vanilla$  groups matisse  matisse appserveradm appserverusr admin peachpit localhost:~ vanilla$ 


  • Membership in groups is not secret information. Any user on the system can see which groups other users are members of.

Creating Users and Groups

The Darwin methods for adding, modifying, and deleting users and groups are different from those used by all other Unix systems. The current (Mac OS X 10.4) approach uses something called Directory Service and is an evolved version of software developed by NeXT.

Using the Mac OS X graphical interface, users may be added or deleted, and their passwords may be changed, from the Accounts pane in System Preferences. See Chapter 11 for more and the man pages for DirectoryService , dscl , and dseditgroup .

Why Mac OS X Uses sudo Instead of a Root Login

By emphasizing the use of the sudo command, Apple made it slightly less convenient for users to perform commands as root. Its goal: discouraging average Mac OS X users from working as root because of the danger that they could irreparably damage their systems, requiring a reinstall of the operating system. Apple probably thought it was making this more inconvenient than it actually did. Its intent, thoughthat naive users be protected from accidentally messing up their systemswas a good idea.

Unix for Mac OS X 10. 4 Tiger. Visual QuickPro Guide
Unix for Mac OS X 10.4 Tiger: Visual QuickPro Guide (2nd Edition)
ISBN: 0321246683
EAN: 2147483647
Year: 2004
Pages: 161
Authors: Matisse Enzer

Similar book on Amazon

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net