Unix for Mac OS X 10.4 Tiger: Visual QuickPro Guide (2nd Edition)

The system administrator's job includes adding new users to the system and managing the ability of various groups to access different parts of the file system (review Chapter 8).

The easiest way to add a user in Mac OS X is with the Accounts pane in System Preferences (see the following task). This not only adds the user, but it also creates his or her home directory and several files that each user needs.

It is possible to add a user to your system using the command line, but the process is rather complex and is beyond the scope of this book. (If you really must know how, see the sidebar "Adding a User from the Command Line," later in this chapter.)

Adding and deleting users with System Preferences

The Mac OS X System Preferences is a GUI interface for many basic administrative tasks . You access System Preferences from the Apple menu or from the Dock.

To create a new user:

Tip

• Passwords are the backbone of system security. If a malicious person obtained a user's password, he or she could cause serious harm to that person's system: disabling it altogether, obtaining root privileges, or copying any information on the system. Be very careful about giving users the ability to "administer this computer," since that essentially gives them root access and the ability to take complete control of the machine.

Occasionally you'll need to remove a user, and you can use System Preferences to do that as well. It gives you a choice about whether or not to completely delete the user's home directory; the default behavior is to create a disk-image file (a .dmg file) of the user's home directory and place that file in the /Users/Deleted Users directory.

To remove a user:

Tip

• There may be files outside the user's home directory that were owned by that user. For example, if you are running a Web server, you may have allowed users to put HTML files in /Library/WebServer/Documents . You can create a list of all the files in a directory that are owned by unknown users with the -nouser option to the find command:

  sudo find /Library/WebServer/Documents -nouser > orphanlist.txt

  You can then look at the resulting list and decide which files to delete and which to change the ownership of (so that they are owned by a user still on the system).

Managing passwords

Perhaps the most common task for a system administrator is to help users who have forgotten their password. While there is no easy way to find a user's current password, it can be changed easily. You can use System Preferences, but you can also do this easily from the command line. Refer to Figure 11.10 throughout the following task.

To change a user's password:

Tips

• Use a secure method to tell the user his or her new passwordthat is, in person or on a phone line you trust. Never send an (unencrypted) password over e-mail or leave it on a voice-mail system.

• The Mac OS X keychain knows when you've changed your password and will prompt you to update your keychain the next time you use it.

Changing a user's login shell

Although it's not as common an activity as changing passwords, system administrators occasionally are asked (or decide) to change a user's login shell. For example, a user might want to use the tcsh shell as his or her login shell instead of the Mac OS X default (which is bash ).

The command-line tool for changing a user's shell in Darwin and Mac OS X is quite different from that used in other versions of Unix (in which you would probably use either usermod or chsh ). Darwin and thus Mac OS X use a different system than other flavors of Unix to store and access all the system-configuration information, such as users, groups, and mounted disks. See the sidebar "About lookupd , Open Directory, and Directory Service."

The main command-line tool for dealing with the Directory Services system is dscl ( Directory Service command line ), and that's what you'll use in the following task ( Figure 11.11 )

Figure 11.11. Using dscl to change a user's login shell from /bin/bash to /bin/tcsh .

localhost:~ vanilla$ sudo dscl . -change /users/name=puffball UserShell /bin/bash /bin/tcsh Password: localhost:~ vanilla$ dscl . -read /users/name=puffball UserShell UserShell: /bin/tcsh localhost:~ vanilla$

To change a user's login shell:

Tips

• The dscl utility provides man tools for reading and changing system-configuration settings. See man dscl for the complete story.

• An interesting feature of dscl is that it offers an interactive shell-like interface. If you run

  sudo dscl .

  you will get a prompt (just a > ) from which you can navigate around the data hierarchy using cd and ls , and issue all of the various dscl commands, such as read , change , search , and so on. Again, see man dscl for more. Using dscl in interactive mode to change a user's shell could look like this:

  localhost:~ vanilla$ sudo dscl . > change /users/puffball UserShell /bin/bash /bin/tcsh > read /users/puffball UserShell Usershell: /bin/tcsh > quit localhost:~ vanilla$

Tracking who uses the system

Every time a user logs in, entries are made in three log files. These files enable you to see who is currently using the system and a history of logins to the system.

Table 11.2 lists these files and the commands used to view them.

Table 11.2. Files Used to Track User Logins

Using the commands listed in Table 11.2, you can see a good deal of information about who was and is using your system.

To see a list of users logged in right now:

• users

  The users command simply lists the user name of anyone who is currently logged in. The output looks like this:

  vanilla matisse puffball

To see a list of users and where they logged in from:

• who

  The who command shows you one line for each login shell each user is running. So if you had three Terminal windows open and another user was logged in over the Internet, who would show five entries ( Figure 11.12 ).

  Figure 11.12. Annotated output from the who command.

  That's one entry for your Aqua login (the console entry), the three Terminal windows (the ttyp1 , ttyp3 , and ttyp4 entries), and an entry for a user logged in over the Internet. The entry for the remote user shows where he or she is logged in from (the host well.com).

  ttyp means teletypewriter, pseudo . In the old days, people used electromechanical teletypewriters (TTYs) to log in to computers; now those TTYs are emulated in software, hence the pseudo .

  Using the -H option adds a line of headings to the output.

  The -u option adds the idle time for each entry (in hours:minutes).

  Figure 11.13 shows the output with the -Hu options.

  Figure 11.13. Output from the who command with -Hu options.

  localhost:~ vanilla$ who -Hu NAME LINE TIME IDLE FROM vanilla console Jul 9 16:55 22:32 vanilla ttyp1 Jul 9 12:55 . (g5-imac.matisse.) matisse ttyp2 Jul 9 10:36 . (well.com) vanilla ttyp3 Jul 6 12:39 00:09 vanilla ttyp4 Jul 9 10:37 00:09 localhost:~ vanilla$

To see who is logged in and what they are doing:

• w

  The w command shows output similar to who -Hu but adds a line of information reporting system uptime and load (actually, it is the output from the uptime command; see "Monitoring System Usage," later in this chapter). It also tries to show the last command that each user executed. Figure 11.14 shows output from w on a Mac OS X system, and Figure 11.15 shows partial output from w on another Unix system (running Sun's Solaris 2.6 operating system). Notice that that system had 152 users logged in at the time the command was run. Also notice the customized shell prompt ( Love ya babe 34: ) at the top of the code listing.

  Figure 11.14. Output of w on Mac OS X.

  localhost:~ vanilla$ w 11:15AM up 3 days, 11:53, 5 users, load averages: 0.39, 0.48, 0.60 USER TTY FROM LOGIN@ IDLE WHAT vanilla co - Sat08AM 21:38 - vanilla p1 - 10:31AM - bash matisse p2 well.com 10:36AM - find vanilla p3 - Sat12PM - mail vanilla p4 - 10:37AM - w localhost:~ vanilla$

  Figure 11.15. Abbreviated output from w on a machine running Sun's Solaris 2.6 version of Unix.

  Love ya babe 34: w 11:20am up 20 day(s), 5:08, 152 users, load average: 5.98, 6.62, 6.74 User tty login@ idle JCPU PCPU what java pts/3 5:49am 41 22 16 -bash swede pts/8 10:49am 5 5 4 /usr/local/lib/mailwrapper/pine fluffer pts/15 11:04am 4 4 more maxie pts/35 6:14am 1:32 55 -picospan flute pts/58 11:06am 7 2 2 extract -g -f weblog -J -k web / bottle pts/44 10:36am 2 ped -t -z /home/b/o/bottle/.muse risc pts/19 11:11am 3 more artgrrl pts/41 8:35am 1 1 1 ssh -l artgrrl artgrrl.net omni23 pts/100 11:14am lynx villagevoice starboy pts/13 11:14am 2 -bash bunch pts/60 10:26am 39 8 5 -picospan bloomsb pts/162 10:07am 1:08 38 irc NihiAtWrk irc.wagill.com libre pts/134 10:48am 2 2 2 /usr/bin/vi /home/l/i/libre/cf.buf pwolf pts/90 9:53am 1:28 /usr/bin/ksh ....output abbreviated....

To see a history of logins for all users:

• last

  The last command shows a history of all sessions (login/logout pairs) for the current month ( Figure 11.16 ).

  Figure 11.16. Output from the last command showing all login sessions, reboots, shutdowns, and crashes for the current month.

  localhost:~ vanilla$ last vanillattyp4 Tue Jul 9 10:37 still logged in matissettyp2 well.com Tue Jul 9 10:36 - 11:20 (00:43) vanillattyp1 Tue Jul 9 10:31 still logged in vanillattyp2 Tue Jul 9 10:31 - 10:36 (00:05) vanillattyp3 Sat Jul 6 12:39 still logged in vanillattyp2 Sat Jul 6 10:29 - 10:31 (3+00:02) puffball ttyp2 Sat Jul 6 08:43 - 10:29 (01:45) vanillattyp1 Sat Jul 6 08:34 - 10:09 (01:35) matisseconsole user-112uhed.biz Sat Jul 6 08:32 still logged in root console Fri Jul 5 12:30 - 12:32 (00:01) vanillaconsole user-112uhed.biz Fri Jul 5 12:29 - 12:30 (00:00) puffball ttyp1 playroom.matisse Thu Jul 4 11:00 - 12:36 (1+01:35) vanillattyp2 Tue Jul 2 16:45 - 14:21 (2+21:36) vanillattyp1 Tue Jul 2 16:35 - 11:00 (1+18:24) vanillaconsole user-112uhed.biz Tue Jul 2 16:23 - 12:29 (2+20:05) reboot ~ Tue Jul 2 16:20 shutdown ~ Tue Jul 2 16:14 root console user-112uhed.biz Tue Jul 2 16:14 - 16:14 (00:00) vanillattyp2 Tue Jul 2 15:06 - shutdown (01:08) puffball ttyp1 Tue Jul 2 15:04 - shutdown (01:09) vanillattyp1 Tue Jul 2 15:04 - 15:04 (00:00) vanillattyp3 Tue Jul 2 11:53 - shutdown (04:20) matissettyp1 Tue Jul 2 10:10 - 15:04 (04:53) vanillattyp2 Mon Jul 1 21:43 - 15:06 (17:22) vanillattyp1 Mon Jul 1 21:42 - 10:10 (12:27) wtmp begins Mon Jul 1 09:18 localhost:~ vanilla$

  Besides showing user sessions, the last log also shows entries for shutdowns, reboots, and crashes.

  The information is taken from the /var/log/wtmp file, which is emptied out and started again each month by the /etc/month script. Last month's file is /var/log/wtmp.0.gz , the prior month is wtmp.1.gz , and so on up to wtmp.4.gz . You can uncompress the older files and supply the filename as an argument with the -f option to last to look at a previous month's data:

  cd /var/log sudo gunzip wtmp.2.gz last -f wtmp.2

To see a history of all logins for one user:

• last username

  If you supply a user name as an argument to last , it limits the output to the sessions for that user. For example,

  last puffball

  gives output like that in Figure 11.17 .

  Figure 11.17. Output from last showing only one user.

  localhost:~ vanilla$ last puffball puffball ttyp2 Sat Jul 6 08:43 - 10:29 (01:45) puffball ttyp1 playroom.matisse Thu Jul 4 11:00 - 12:36 (1+01:35) puffball ttyp1 Tue Jul 2 15:04 - shutdown (01:09) wtmp begins Mon Jul 1 09:18 localhost:~ vanilla$

Tip

• You can use last with the pseudouser names reboot, shutdown, and crash to see all the corresponding entries in the last log. For example,

  last reboot

  shows all the reboots this month.

To see a summary of login times:

• ac

  Short for connect time accounting , this shows the total of all sessions since the start of this month (the data comes from /var/log/wtmp ).

  For example, the output could be

  total 197.15

  You can supply a list of one or more user names to get a total for the selected users only. For example,

  ac puffball

  shows a total (in hours:minutes) of all of puffball's sessions for the current month, and

  ac puffball vanilla

  shows the total for the two users.

  You may use the -p option to get a per-user breakdown of the time, or the -d option to get a daily subtotal , but not both.

  Figure 11.18 shows several different results for the ac command with different arguments and options.

  Figure 11.18. Output from using the ac command with a variety of arguments and options.

  localhost:~ vanilla$ ac total 197.22 localhost:~ vanilla$ ac -p vanilla 196.20 root 0.29 puffball 0.73 total 197.22 localhost:~ vanilla$ ac -d Jul 3 total 62.19 Jul 4 total 24.00 Jul 5 total 23.97 Jul 8 total 72.00 Jul 9 total 15.06 localhost:~ vanilla$ ac vanilla total 196.20 localhost:~ vanilla$ ac puffball vanilla total 196.94 localhost:~ vanilla$ ac -p puffball vanilla vanilla 196.21 puffball 0.73 total 196.94 localhost:~ vanilla$ ac -d vanilla Jul 1 total 14.35 Jul 3 total 47.84 Jul 4 total 24.00 Jul 5 total 23.69 Jul 8 total 72.00 Jul 9 total 14.34 localhost:~ vanilla$

Tip

• You can use the -w option for ac to have it read a different file from the default.

  For example,

  cd /var/log sudo gunzip wtmp.0.gz ac -w wtmp.0 -p

  shows a per-day summary for the month whose data is in the file.

Managing groups

In Chapter 8, you learned about how Unix uses groups to grant permission for various file operations (read, write, execute) to groups of users. And earlier in this chapter, you learned that Mac OS X allows any user in the admin group to use sudo to execute commands as root.

In this section we're going to show you how to change a user's group assignment, and how to add and remove groups. A common reason to create a new group is if you have several people using your computer and want to allow some of them to have write permission in a directory where the other users do not. You would create a new group and put each of the team members into that group. Users can be members of many groups.

You will be using a Darwin-only tool called dseditgroup to manage group information, as well as the Darwin-only nireport and dscl .

To see all the groups a user belongs to:

• groups username

  For example,

  groups puffball

  lists all the groups that puffball is a member offor example,

  puffball www

Tip

• Supposedly, the groups command is being made obsolete by the id command, which has several options and can show more information about a user. Unfortunately, the id command is quite different on different Unix systems. In Mac OS X,

  id -Gn username

  behaves the same as

  groups username

  See man id for more.

To see a list of all the groups:

• dscl . -list /groups PrimaryGroupID

  This shows a list of all the groups on your system. Each line has the group name and its group ID number as shown in Figure 11.19 . If you omit PrimaryGroupID , then the gid numbers are omitted from the output.

  Figure 11.19. Using dscl to see a list of all the groups. Your output will differ .

  localhost:~ vanilla$ localhost:~ vanilla$ dscl . -list /groups PrimaryGroupID accessibility 90 admin 80 amavisd 83 appowner 87 appserveradm 81 appserverusr 79 authedusers 50 bin 7 clamav 82 consoleusers 53 daemon 1 dancers 500 dialer 68 everyone 12 group 11 16 interactusers 51 jabber 84 kmem 2 lp 26 mail 6 mailman 78 matisse 501 mysql 74 netusers 52 network 69 nobody -2 nogroup -1 operator 5 owner 10 postdrop 28 postfix 27 qtss 76 remote 503 securityagent 92 smmsp 25 sshd 75 staff 20 sys 3 tokend 91 tty 4 unknown 99 utmp 45 uucp 66 vanilla 502 wheel 0 windowserver 88 www 70 xgridagent 86 xgridcontroller 85 localhost:~ vanilla$

To see all the attributes of one group:

• dscl . -read /groups/ groupname

  For example:

  Dscl . -read /groups/admin

  This produces a list of all the attributes for the admin group, as shown in Figure 11.20 .

  Figure 11.20. Using dscl to see all the attributes for one group (the admin group in this example).

  localhost:~ vanilla$ dscl . -read /groups/admin AppleMetaNodeLocation: /NetInfo/DefaultLocalNode GeneratedUID: FFFFEEEE-DDDD-CCCC-BBBB-AAAA00000050 ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000050 GroupMembership: root matisse vanilla remote Password: * PrimaryGroupID: 80 RealName: Administrators RecordName: admin RecordType: dsRecTypeNative:groups SMBSID: S-1-5-32-544 localhost:~ vanilla$

To see all the users who belong to a group:

• There isn't any easy way to do this. Yes, we know it seems strange , but it's true.

  One partial solution is with

  dscl . -read /groups/ group name GroupMembership

  That command reads the Directory Service data and shows the users who have been directly added to the group. If there are no users associated with that group, the message "No such key:GroupMembership" will appear. The problem is that there is more than one place where a user can be included in a group. One is in Directory Service data for groups, in which each group has a list of users that belong to it. The command line above will read that for you. But when a user is created, he or she is assigned one group as his or her "primary" group, and that information is stored in the record for the user , not for the group.

  In Mac OS X 10.4, new users have a private group as their primary groupa group with the same name as the user name. Prior to 10.4, a user's primary group was set to "staff." In either case their user names do not appear in the Directory Service database record for the group itself, so the dscl . -read command shown above won't find it.

  In order to really find out who all the members of a group are, you would have to examine every user on the system, as well as the group entry in Directory Services. You could write a script to do this, but there's no single command to do it. Sorry.

To create a new group:

Tips

• Instead of using sudo , you can use the -p option and you will be prompted for your password:

  dseditgroup -p -o create groupname

  Or if you are not logged in as an admin user, you may use the -p and -u options to supply an admin user name:

  dseditgroup -u user name -p -o create groupname

  You'll still need the password, of course.

• There are several more options for creating a group with dseditgroup for example, you can add a comment with the -c option. See man dseditgroup for the complete list.

To add a user to an existing group:

• sudo dseditgroup -o edit -a username

  -t user groupname

  This adds the user username to the group groupname . For example, to add user "fireboy" to group "dancers":

  sudo dseditgroup -o edit -a fireboy -t user dancers

  The change takes effect the next time fireboy logs in.

  Be sure to check your addition with

  dscl . read /groups/dancers GroupMembership

  to ensure that the user fireboy is added, since dseditgroups provides little feedback on failure or success

Starting in Mac OS X 10.4, you can have groups be members of other groups. Any user who is a member of a subgroup is automatically a member of the higher-level group(s). You may only add groups to groups that were created using the new 10.4 tools, such as dseditgroup , described above. (That is, you will get an error if you try to add a group to a "legacy-style" group.)

To display information about a group:

• dseditgroup group name

  This will display all the known attributes of the group. Figure 11.21 shows an annotated example.

  Figure 11.21. Annotated output from dseditgroup group name .

To add a group to another group:

• sudo dseditgroup -o edit -a subgroup

  -t group parentgroup

  This adds the group subgroup to parent group . All users who are in the subgroup are now also members of the parent group. Note that while you can remove subgroups (see below), there is currently no easy way to see a list of subgroups for a particular group.

To remove a user from a group:

• sudo dseditgroup -o edit -d username

  -t group groupname

  This removes the user username from group groupname .

To remove a subgroup from a group:

• sudo dseditgroup -o edit -d subgroup

  -t group groupname

  This removes the subgroup subgroup from group groupname .

To remove a group: