
Keep UID above 501 for login window account display System

This hint is for those of you who need to change the UID of an account for some reason (such as to co-exist easily with an NFS file system). Before you attempt to change your UID, make sure you read this hint and are aware of what procedure to follow so you don't hose your account. I used the find method mentioned in one of the comments (old UNIX habit), as opposed to using the Perl script in the hint itself, but you can choose whichever you like.

If you change your UID to something below 501, you will no longer show up in the user list on the login window. The account is not locked out or anything -- you can still log in by typing your username manually (via the "Other..." option, or by disabling the graphical user list in System Preferences -> Accounts). But your icon and name will disappear from the list.

Apparently, Apple hides the system accounts from the user list by blindly filtering out all UIDs below 501. Your UID doesn't need to be in sequence with the other users' or anything like that -- I tried several large values. Just stay above 501 (and not the same as another user, obviously) and you should be fine. Who knows, maybe this feature can be of other use, such as hiding certain accounts from the user list on purpose for some reason...

Keep UID above 501 for login window account display
Authored by: Cap'n Hector on Aug 29, '03 11:06:02AM
This is a feature...it's used on some education computers to hide an administrator account...

Keep UID above 501 for login window account display
Authored by: wgscott on Aug 29, '03 11:21:37AM

Pick something larger, random and with more digits. The problem with 501 is that it is everyone's default uid and it therefore presents a security hole when used with NFS.

After you change to another uid number, you will lose access to your directory unless you do this:

sudo chown -R yourname /Users/yourname

This resets the uid on all your files, restoring your permissions.

All of this works much better if you are doing it while logged in as root, or at least as a different admin user.



Keep UID above 501 for login window account display
Authored by: kcamera on Aug 29, '03 03:59:38PM

I didn't mean to imply that the UID *should* be 501, only that numbers less than 501 are filtered out. I agree that you should be careful using any values in the low 500's, but all you have to do is dump the user database from NetInfo and make sure you're not using an existing value. I did NOT try seeing if the OS checks for collisions when creating new accounts -- for example, if you use 503 and then create a third user account using System Preferences, I don't know if OSX will skip that value or cause a problem...

As far as permissions, those issues are covered in the link I included with the hint. Be aware that the user directory is by far the most critical, as you mention in your comment. But there are also some files in /Library, /Applications, and /usr which may be owned by your old UID. Those should be changed as well using a careful script or find command (see the link for an example).
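The two approaches in this exchange differ in scope: `chown -R` on the home directory re-owns everything under it, while a `find` on the old numeric UID touches only files that UID owned, wherever they live. A sketch of the `find` approach, added here as an example and not taken from the hint or its link; the function names are hypothetical and the UIDs and directories are supplied by the caller:

```sh
# Added example. Arguments: old numeric UID, (new numeric UID,) then the
# directory trees to scan, e.g. the home directory, /Library, /Applications.

# Dry run: list everything still owned by the old UID without changing it.
# -xdev keeps find on the starting volume, so NFS mounts are not walked.
list_owned_by() {
    old=$1; shift
    find "$@" -xdev -user "$old" -print
}

# Re-own only the files the old UID owned. chown -h changes a symlink itself;
# without -h, chown on a symlink changes the file the link points to.
reown() {
    old=$1; new=$2; shift 2
    for id in "$old" "$new"; do
        case $id in
            ''|*[!0-9]*) echo "UIDs must be numeric: '$id'" >&2; return 2 ;;
        esac
    done
    find "$@" -xdev -user "$old" -exec chown -h "$new" {} +
}

# Typical order (run as root or another admin, as the comment above advises):
#   list_owned_by 501 /Users/yourname /Library /Applications   # review first
#   reown 501 <new-uid> /Users/yourname /Library /Applications
```

Reviewing the dry-run listing first shows exactly which paths outside the home directory would change.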



Keep UID above 501 for login window account display
Authored by: kcamera on Aug 29, '03 03:52:45PM

I'm well aware it's a feature to hide administrative accounts from the user list. No one wants to see root, daemon, sshd, ftp, etc. in the list...

My only reason for the slightly sarcastic quotes was the *way* in which they did it, by filtering all UIDs under 501. I would have expected something more robust, like marking an account as hidden in the NetInfo key for the user. Or having an internal list of hidden accounts, much like how the root of the filesystem hides the UNIX/kernel files but not new ones you create.

Sorry for overacting... didn't mean any offense.



Keep UID above 501 for login window account display
Authored by: sharumpe on Aug 29, '03 11:20:38AM

I have a number of accounts that I need for projects I'm working on that I would love to "hide" from the Login screen -- they're not for people logging in, they're for limiting the ability of a program to cause havoc on my system.

So thanks for the hint, though you are using it the other way 'round. :)

Mr. Sharumpe



Keep UID above 501 for login window account display
Authored by: pfig on Aug 29, '03 11:36:35AM

Another way to do this is to clear the 'realname' attribute in the NetInfo database, as I did until now :) The UID approach is much cleaner, IMHO.



Keep UID above 501 for login window account display
Authored by: enigmamf on Aug 29, '03 12:15:29PM

Every UNIX system I have ever seen has had UIDs organized such that administrators have lower UIDs than hoi polloi. It is also useful if you are writing a program that must only be run by administrators, e.g. a root-owned program with the SetUID bit turned on: Rather than having a list of users that can run it, it can just check if the Real UID is <= 500.



Keep UID above 501 for login window account display
Authored by: kcamera on Aug 29, '03 04:04:36PM

I agree... I've always seen Joe User's UID kept above 500. But for some reason a company I work for has UIDs scattered much lower (I think they offset from 100 or something). Mine was 209 -- I have no idea why :(

But as others have mentioned, maybe this hint can at least be helpful to *hide* additional special accounts from the preference panes and login window, even on a correctly run network where no one would need a UID less than 500.



Not safe
Authored by: SeanAhern on Sep 01, '03 12:09:28AM

Just assuming that a "normal" user's UID can't be <= 500 isn't a very safe way of doing things. Keeping a list of users in the program is also onerous. Better is to have that list be a UNIX group (see /etc/group on a normal system, the group database in netinfo). Say, "staff". That way, any program can quickly check the group list to see if a given user should be authorized for a particular purpose. And it's easy to maintain.

Just my two cents.

---
-Sean



How to find users below 501?
Authored by: Han Solo on Aug 29, '03 01:19:14PM

So the Accounts control panel will not show user accounts below 501. Seems a simple way for savvy unauthorized users to hide from the less-sophisticated the very knowledge of the former's account. (Especially if they set flags to make their account invisible in the Finder.) Is there a basic Unix command that lists all accounts (UID?) on a system -- preferably with information about what their level of system access is? TIA.



NetInfo Manager
Authored by: hayne on Aug 29, '03 01:37:11PM

On OS X, the user info is held in a database called netinfo. The application "Netinfo Manager" (in Applications/Utilities) can be used to look at the user info.



How to find users below 501?
Authored by: enigmamf on Aug 29, '03 01:37:45PM

OS-X will consult the entries in the NetInfo database, which you can look at using the NetInfo utility in /Applications/Utilities/NetInfo . Click on "Users", and you will get a list of users; click on any user to see various information, such as UID, home directory, default shell. Any user (such as automatic users generated to run a particular task, e.g. the 'www' pseudo-user) who should not be able to log in should have "/dev/null" for a shell.



How to find users below 501?
Authored by: matsur on Aug 29, '03 05:37:04PM

Actually, I was told that setting a shell as /dev/null may pose security risks, so the correct way to do it is to set it to /usr/bin/false or /sbin/nologin. IANAUSA (I Am Not A Unix Systems Administrator), so take it with a grain of salt.



How to find users below 501?
Authored by: SeanAhern on Sep 01, '03 12:12:40AM

Others have pointed you at using NetInfo to get this information. Here's the "basic UNIX command" that you were looking for that does the same thing:

nidump passwd .

This will dump what /etc/passwd would look like on a "normal" UNIX system.

(Warning: I hear rumors that the behavior of nidump may change in 10.3.)

---
-Sean
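The dump can be narrowed to the accounts that matter for the question in this sub-thread: ones the login window hides but that can still start a session. The following is an added example, not part of the original posts; the function names, the list of non-login shells, the reading of `*` as a disabled password and the constructed `SAMPLE` data are assumptions. It also covers the collision check kcamera describes earlier (dump the user database and confirm the new UID is unused).

```sh
# Added example, not from the original thread. Input is passwd-format text:
# the 10-field layout `nidump passwd .` prints, or a 7-field /etc/passwd.
# Field 3 is the UID and the last field is the login shell in both layouts.

HIDE_BELOW=501   # threshold from the hint: lower UIDs are left off the login window

# Constructed sample data (not real accounts or hashes).
SAMPLE='root:*:0:0::0:0:System Administrator:/var/root:/bin/sh
daemon:*:1:1::0:0:System Services:/var/root:/dev/null
www:*:70:70::0:0:World Wide Web Server:/Library/WebServer:/dev/null
backup:CONSTRUCTEDHASH:499:20::0:0:Backup Admin:/Users/backup:/bin/tcsh
alice:CONSTRUCTEDHASH:501:20::0:0:Alice:/Users/alice:/bin/tcsh'

# Print "name uid shell password-state" for each hidden account that still
# has a usable login shell.
hidden_login_accounts() {
    awk -F: -v limit="$HIDE_BELOW" '
        /^#/ || NF < 7 || $3 !~ /^[0-9]+$/ { next }   # comments, malformed lines
        $3 + 0 >= limit { next }                       # listed in the login window
        {
            shell = $NF
            # Assumption: these shells refuse a session (the three named in
            # the thread plus two common variants).
            if (shell == "/dev/null" || shell == "/usr/bin/false" ||
                shell == "/sbin/nologin" || shell == "/bin/false" ||
                shell == "/usr/sbin/nologin") next
            if (shell == "") shell = "(default)"   # empty field: default shell
            # Assumption: "*" marks a password that can never match.
            pw = "pw-set"
            if ($2 == "*") pw = "pw-disabled"
            if ($2 == "") pw = "pw-empty"
            print $1, $3, shell, pw
        }'
}

# Exit status 0 if the UID in $1 already belongs to an account on stdin.
uid_in_use() {
    awk -F: -v want="$1" '$3 == want { found = 1 } END { exit !found }'
}

# Usage on a NetInfo-era system:  nidump passwd . | hidden_login_accounts
# Try it on the sample:           printf '%s\n' "$SAMPLE" | hidden_login_accounts
```

On the constructed sample this reports `root` (password disabled) and `backup` (password set, UID 499); the second kind of line is the one worth investigating.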



Keep UID above 501 for login window account display
Authored by: schuz on Aug 30, '03 08:59:37AM

For Mac OS X Server 10.2.x the magic UID number is 100. Accounts numbered below 100 are invisible to Workgroup Manager.



Keep UID above 501 for login window account display
Authored by: daveinthesky on Apr 16, '04 04:05:51AM

I changed my uid to 500 using a similar 'find' approach on 10.2 and have had no problems logging in/whatever. And my user still appears on the login page.

I did have to tweak a couple of files, though:

in /Library/Caches I had to rename a couple of files that were named *****.501 to *****.500

I actually don't know if that affected anything, but this is where the login photos are stored by the system.


---

it's dave in the sky, with diamonds...



Keep UID above 501 for login window account display
Authored by: Henry Yuan on Jan 05, '05 08:19:29PM

Hi, guys, I am trying to create a mysql user in Mac OS X 10.1.5, and I found this trick or feature does not work.

By either NetInfo Manager or shell script, whenever the uid was set to a certain value, no matter whether it was above 500 or below 501, the invisible user still shows in the login window. Yes, it did not show in the Users panel in System Prefs, but it shows in the login window. I have tried logging out and shutting down.

Did I miss something? Is it a bug in Mac OS X 10.1.5? I have not tried other earlier Mac OS 10.1.x versions...

Thanks.
Henry


