Project 65. Manage User Accounts

"How do I create a new Unix user or group from the command line?"

This project focuses on Apple's Directory Services Command Line (dscl) tool. This general-purpose utility is used to view and change Directory Services, where information regarding Unix user accounts and groups is held. The project covers the commands dscl, nifind, and nireport. Project 7 explains users, groups, and user and group identification numbers (UIDs and GIDs).

DIY UIDs and GIDs

The tools Apple includes with OS X for managing user accounts are adequate for many tasks, but they lack flexibility. The Accounts pane in System Preferences lets you create a new user account but does not give you the tools to create a user account with a specific UID, create a new group, or add a user to a new group. Similarly, the NetInfo Manager utility lets you view and change local user information but offers no easy method for creating and maintaining accounts. For those tasks, you need the power of Unix.

Account details are held in a local NetInfo database unless you are part of a network with centrally maintained user accounts. The examples in this project assume that account information is held on the local machine, not on a central server.

To let you view and change account information from the command line, and perhaps write your own shell scripts to create new users and groups, Apple provides the dscl tool and a few other commands, such as nifind and nireport. It would take a chapter or two to cover dscl in detail, so this project aims only to present some ideas and tips to get you started. As usual, man pages for the utilities provide additional information.

First, let's take a look at how we might view account information.

View Account Information

Type the following command to discover what information is maintained by dscl.

$ dscl . list /
AFPUserAliases
Aliases
Groups
...
Users


The first argument to dscl is the Directory Services datasource, which we'll always specify as dot (.) to mean the default NetInfo directory on the local machine. The second, list, is a dscl command to list information; the path / says to start at the root, or top level, of the information hierarchy. The results reveal that information is maintained on, among others, groups and users. Specify the paths /Users and /Groups to list all users and groups. (Paths used by dscl refer to the NetInfo database and have nothing to do with Unix filename paths.)

$ dscl . list /Users
amavisd
appowner
saruman
...

$ dscl . list /Groups
accessibility
admin
...


If we try to list /Users/saruman, we'll find that it contains no further paths.

$ dscl . list /Users/saruman


What it does contain is information about the user account saruman in the form of property and value pairs. We view this with the read command of dscl. To view the information for user saruman, for example, type

$ dscl . read /Users/saruman
_shadow_passwd:
...
PrimaryGroupID: 501
RealName: Adrian Mayo
...


Similarly, to view comparable information for group admin, type

$ dscl . read /Groups/admin
...
PrimaryGroupID: 80
RealName: Administrators
RecordName: admin
...


This information, which corresponds to what you see in NetInfo Manager, is presented in the form

Property Name: Property Value


Report and Find

Two useful utilities, nireport and nifind, display account information.

The nireport command searches for specific properties across many paths. Display the UID, username, and shell for all users (path /users) by typing

$ nireport . /users uid name shell
-2      nobody  /usr/bin/false
0       root    /bin/sh
501     saruman /bin/bash
...


The nifind utility reports on whether a particular path exists. We test whether user saruman exists by checking the path /users/saruman.

$ nifind /users/saruman .
/users/saruman found in ., id = 92


When a path does not exist, nifind reports nothing.

$ nifind /users/xxx .
$


(Note that users must be in lowercase, and nifind requires the datasource, dot, to be the last argument, not the first.)

Note

Assign UID numbers of 500 or higher to new user accounts. Numbers below 500 are not recognized as user accounts by Apple's graphical interface and won't, for example, appear in the login window or the Accounts pane in System Preferences.


Here's how we might employ nireport and nifind in a script. Let's assume that we are writing a script to create a new account with username testuser and UID 511. Every user's primary-group name and short username should be identical, as should their UID and primary GID, so our script must first check that no user or group already has been assigned our intended name or ID number.

The script extract below assumes that the shell variable user is set to the user's intended short name/primary-group name and that the shell variable uid is set to the UID/GID. (Script lines beginning with the hash mark [#] are comments, provided for the benefit of human readers and ignored by Unix.)

...
# search NetInfo for the given user - it should not exist
str="$(nifind /users/$user .)"
if [ ! -z "$str" ]; then
  echo "Error: User $user already exists"; exit 1
fi
# search NetInfo for the given uid - it should not exist
str="$(nireport . /users uid | grep -w $uid)"
if [ ! -z "$str" ]; then
  echo "Error: User ID $uid already exists"; exit 1
fi
# search NetInfo for the given group - it should not exist
str="$(nifind /groups/$user .)"
if [ ! -z "$str" ]; then
  echo "Error: Group $user already exists"; exit 1
fi
# search NetInfo for the given gid - it should not exist
str="$(nireport . /groups gid | grep -w $uid)"
if [ ! -z "$str" ]; then
  echo "Error: Group ID $uid already exists"; exit 1
fi
...
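As an added example (not the book's script), the same checks rewritten as reusable shell functions that validate the username and UID before they are interpolated into NetInfo paths, and that also cover the home-directory check listed under "Create a New User". The pure checks take their input on stdin so they can be exercised without NetInfo; account_is_free wraps the real nifind and nireport calls and assumes the output formats shown above.

```shell
#!/bin/sh
# Added example, not the book's script: pre-flight checks for a new account.
# The pure checks (valid_name, valid_uid, id_taken_in) need no NetInfo;
# account_is_free calls nifind/nireport and assumes the output shown above.

# Short name: starts with a lowercase letter, then only [a-z0-9_].
# Rejects names that could escape the /users/ path or confuse grep -w.
valid_name() {
    case "$1" in
        ''|[!a-z]*|*[!a-z0-9_]*) return 1 ;;
    esac
    return 0
}

# UID/GID for a graphical login account: all digits and 500 or higher.
valid_uid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 500 ]
}

# Reads "nireport . /users uid" (or "/groups gid") output on stdin and
# succeeds if the id is already taken; -w avoids matching 50 inside 501.
id_taken_in() {
    grep -qw -- "$1"
}

# Returns 0 only if name, UID, GID and home directory are all unused.
account_is_free() {
    user=$1; uid=$2
    valid_name "$user" || { echo "Error: bad username '$user'" >&2; return 1; }
    valid_uid "$uid" || { echo "Error: UID must be numeric and >= 500" >&2; return 1; }
    [ -z "$(nifind "/users/$user" .)" ] ||
        { echo "Error: User $user already exists" >&2; return 1; }
    [ -z "$(nifind "/groups/$user" .)" ] ||
        { echo "Error: Group $user already exists" >&2; return 1; }
    if nireport . /users uid | id_taken_in "$uid"; then
        echo "Error: User ID $uid already exists" >&2; return 1
    fi
    if nireport . /groups gid | id_taken_in "$uid"; then
        echo "Error: Group ID $uid already exists" >&2; return 1
    fi
    [ ! -e "/Users/$user" ] ||
        { echo "Error: /Users/$user already exists" >&2; return 1; }
    return 0
}
```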


Learn More

Projects 9 and 10 introduce shell scripts, and the projects in Chapter 9 cover the subject in more detail.


Change Account Information

To add or modify account information, we use dscl and its create command. Run dscl as user root, either via the sudo command or from a root shell gained by typing sudo -s. (See "How to Become the Root User" in Project 2.) The hash prompt, shown in place of a dollar sign in the examples below, signifies a root shell.

To create a new path, type a command such as

# dscl . create /Path/name


To add properties and values to the new path, type a command such as

# dscl . create /Path/name property-name value


Check that what you've done has worked correctly: Invoke dscl with the list and read commands described earlier, or view the entry in NetInfo Manager.

We'll clarify this with some examples.

Create a New Group

Here's how we might create a new group called testgroup. First, we create the path /Groups/testgroup by typing (as root)

# dscl . create /Groups/testgroup


Then we add the necessary properties and their values. We've chosen a GID of 600.

# dscl . create /Groups/testgroup name testgroup
# dscl . create /groups/testgroup passwd "*"
# dscl . create /groups/testgroup gid 600


Naturally, we must first ensure that the group and its GID do not already exist. Check by hand or as part of a script, as in the examples given earlier.

Tip

Password fields contain a one-way hash encoding of the password (not the actual password, for obvious security reasons). A very short hash, like star (*), has no corresponding password and, therefore, can be assigned to "locked" accounts that should never be used as login accounts. A star hash is used for groups and for users such as www that exist only to run daemons.


Verify that our new group was created by typing

# dscl . read /Groups/testgroup
AppleMetaNodeLocation: /NetInfo/DefaultLocalNode
GeneratedUID: 3D5386BA-EBBA-4777-9211-A4842CE0BCEA
Password: *
PrimaryGroupID: 600
RecordName: testgroup
RecordType: dsRecTypeStandard:Groups


Learn More

Project 64 covers the groups command.


Add a User to a Group

To add information to an existing entry, we use the dscl command merge. To add a user to a group, for example, we merge the user's name into the users property of the group entry. If the users property does not already exist, it will be created; if it does exist, the new value will be added to the list of values already assigned to the property.

Tip

Add a user to the groups admin, appserveradm, and appserverusr to make that user an administrator.


Let's add the users saruman and loraine to our new group.

# dscl . merge /Groups/testgroup users saruman
# dscl . merge /Groups/testgroup users loraine


Now check the group membership (it may take a few seconds for the newly added information to register).

$ groups saruman
appserveradm testgroup appserverusr admin
$ groups loraine
loraine testgroup


Remove a User from a Group

To remove a user from a group, we delete the user's name from the users property. Select the delete command, and specify the path, property, and value to delete. To delete loraine from our new group, testgroup, type

# dscl . delete /Groups/testgroup users loraine
$ groups loraine
loraine


Change a User's Shell

To change information such as a user's shell, we use the dscl command change, and specify the path, property, and value to change. Because a path may contain a list of properties, it's necessary to specify the old value too. To change Loraine's shell from tcsh to bash, type

# dscl . change /Users/loraine shell /bin/tcsh /bin/bash


Create a New User

Creating a new user is more involved. We do the following:

  • Verify that none of the steps we are about to perform will overwrite an existing user, group, UID, GID, or home directory.

  • Create a new user by using dscl and its create command.

  • Create a primary group with the same name as the user.

  • If the new user is an administrator, add her to the groups admin, appserveradm, and appserverusr.

  • Create a new home directory from the template home directory.

  • Set a password for the new user.

Here's an example in which we create the user jan with a UID of 520.

$ sudo -s
Password:


First, we create the user.

# dscl . create /users/jan
# dscl . create /users/jan name jan
# dscl . create /users/jan passwd "*"
# dscl . create /users/jan uid 520
# dscl . create /users/jan gid 520
# dscl . create /users/jan home /Users/jan
# dscl . create /users/jan shell /bin/bash
# dscl . create /users/jan realname "Jan Forbes"


Then we create the group.

# dscl . create /groups/jan
# dscl . create /groups/jan name jan
# dscl . create /groups/jan passwd "*"
# dscl . create /groups/jan gid 520


Next, we create Jan's home directory by copying the English-language template home directory.

# mkdir /Users/jan
# ditto -rsrc /System/Library/User\ Template/English.lproj/ /Users/jan


We make the new directory owned by user jan and group jan.

# chown -R jan:jan /Users/jan


Finally, we set a password for the new account.

# passwd jan
Changing password for jan.
New password:
Retype new password:


If you examine entries for users created from System Preferences, you'll notice other (nonessential) properties that we haven't set here, such as picture and _shadow_passwd. They may be set in exactly the same manner.

You should be able to log in as the new user from the login window. It may take a while for the new user to appear in the Fast User Switching menu.

Delete a Group or User

To delete a user or group, we use the dscl command delete, just as we did when removing a user from a group. It's not necessary to specify a property and value, just the path to the user or group to be deleted. The following command deletes all information associated with the group testgroup.

# dscl . delete /Groups/testgroup





Mac OS X UNIX 101 Byte-Sized Projects
ISBN: 0321374118
Year: 2003
Pages: 153
Authors: Adrian Mayo
