Submit Hint Search The Forums LinksStatsPollsHeadlinesRSS
14,000 hints and counting!

10.4: A fix for users disappearing from the login window System 10.4
Tiger only hintSomewhere in the 10.4.1 or 10.4.2 update cycle, I noticed that all but two of the users on my computer disappeared from the Fast User Switching menu and the Login Window list. I think it was after I updated to 10.4.1, but I'm not sure (I didn't get around to trying to figure out the problem until today). Thinking that it was probably a permissions problem, I repaired permissions using Disk Utility, but that didn't fix it.

I finally discovered that the common characteristic between all of the accounts which had disappeared from the menus (but which were otherwise functional) was that I had set their shell to /usr/bin/false in NetInfo Manager. I tried changing one of the account's shell values back to /bin/bash, just to see what happened. Sure enough, when I went to the Login Window, that account had reappeared on the list. I subsequently changed the shell setting for the other accounts, and they reappeared as well.

So if anyone is tearing their hair out trying to figure out why a bunch of users have suddenly disappeared from the list of accounts, this might be your answer. I just hope this is a bug, because I liked the ability to set the shell to false for non-administrator accounts.
    •    
  • Currently 2.50 / 5
  You rated: 4 / 5 (6 votes cast)
 
[14,226 views]  

10.4: A fix for users disappearing from the login window | 15 comments | Create New Account
Click here to return to the '10.4: A fix for users disappearing from the login window' hint
The following comments are owned by whoever posted them. This site is not responsible for what they say.
10.4: A fix for users disappearing from the login window
Authored by: boredzo on Jul 29, '05 10:39:57AM
what happens if you use true instead of false?

[ Reply to This | # ]
10.4: A fix for users disappearing from the login window
Authored by: leenoble_uk on Jul 29, '05 10:51:45AM

Can you still log in as these missing users if you use option-(was it right arrow?) to get to the username/password box at the login screen?

I don't have Tiger yet and was frustrated when the ability to hide user accounts by changing the real_name attribute in Jaguar was disabled in Panther. This sounds like it would be a good solution for purposely hiding accounts at the login screen.

---
So, I said ... well, I can't actually remember exactly what I said. But it was one of the most enormously cruel and frighteningly witty put downs ever.



[ Reply to This | # ]
10.4: A fix for users disappearing from the login window
Authored by: magnamous on Jul 29, '05 05:57:30PM

Yes - if I set the login screen to username and password fields, I could log into the accounts just fine. The accounts appeared to be working fine, except that the didn't appear in the login window list or in the fast user switching list.



[ Reply to This | # ]
10.4: A fix for users disappearing from the login window
Authored by: mdzorn on Jul 29, '05 11:38:38AM
This is almost certainly the desired behavior: setting the shell to
/usr/bin/false
is the standard Unix way to prevent login from an account and is the shell set for users nobody, daemon, lp, postfix, www, and so forth. If you don't want to have people login into these accounts, you certainly don't want them to show up in FastUserSwitching.

My guess is that you made the change in NetInfo that might have been ignored in the past. With the recent upgrade some of that NetInfo behavior might have changed, causing the user names to disappear from your list.

[ Reply to This | # ]

10.4: A fix for users disappearing from the login window
Authored by: boredzo on Jul 29, '05 12:18:50PM

This is almost certainly the desired behavior: setting the shell to

/usr/bin/false

is the standard Unix way to prevent login from an account…

or /sbin/nologin. that one gives you a nice error message when you do console login.



[ Reply to This | # ]
10.4: A fix for users disappearing from the login window
Authored by: magnamous on Jul 29, '05 06:14:42PM
This is almost certainly the desired behavior: setting the shell to /usr/bin/false is the standard Unix way to prevent login from an account and is the shell set for users nobody, daemon, lp, postfix, www, and so forth. If you don't want to have people login into these accounts, you certainly don't want them to show up in FastUserSwitching.
My goal wasn't to disable these accounts completely - just their access to the shell environment. I took my cue from a comment in this hint (search for /usr/bin/false), which seems to suggest that you can do just that. I made that change to several accounts on my machine using NetInfo, and it worked as expected. I made the changes, logged into each account, and tried opening the Terminal. Each time it loaded the false shell.
My guess is that you made the change in NetInfo that might have been ignored in the past. With the recent upgrade some of that NetInfo behavior might have changed, causing the user names to disappear from your list.
I'm sorry - I don't quite understand what you're saying. Would you mind rephrasing it?

[ Reply to This | # ]
10.4: A fix for users disappearing from the login window
Authored by: Steff-X on Jul 30, '05 09:01:17AM

Why don't you simply restrict the use of unwanted applications in System Preferences ?

[ Reply to This | # ]

10.4: A fix for users disappearing from the login window
Authored by: silentaccord on Jul 30, '05 10:21:28AM

/sbin/nologin is the proper way to disable the shell in netinfo. If you only disable terminal in system prefs, the account can still be accessed via ssh.



[ Reply to This | # ]
10.4: A fix for users disappearing from the login window
Authored by: tbdavis on Jul 29, '05 01:09:25PM
I just hope this is a bug, because I liked the ability to set the shell to false for non-administrator accounts.

To restrict usage of Terminal.app you might try using *NIX file permissions (or even Access Control Lists in Tiger). Make sure the group is set to admin and remove any permissions for Others to No Access. Keep in mind that applications in OS X are directories, so the permissions of the contents should probably also be changed.

The problem with this solution is that there could be other terminal applications installed (X windows xterm for instance) and there are even widgets which can access the shell. On the other hand, if people can login to a desktop, there is nothing which can prevent them from running any executable for which they have permissions, even if there is no shell. And remember, there were shells for Macintosh OS 9 including macperl and MacX which would not use the *NIX account preferences in Net Info.

If you really want to lock down your machines and not just make it less obvious how to access a command line, you must put a bit more into it than restricting shell access. I always like to approach security in the way that the protagonist in Neil Stephenson's novel Zodiac approaches bicycle safety. He didn't trust drivers to avoid him because he was wearing bright colors, he chose to pretend that everyone was out to run him down, and so he bicycled accordingly.



[ Reply to This | # ]
10.4: A fix for users disappearing from the login window
Authored by: magnamous on Jul 29, '05 06:42:40PM
The problem with this solution is that there could be other terminal applications installed (X windows xterm for instance) and there are even widgets which can access the shell. On the other hand, if people can login to a desktop, there is nothing which can prevent them from running any executable for which they have permissions, even if there is no shell. And remember, there were shells for Macintosh OS 9 including macperl and MacX which would not use the *NIX account preferences in Net Info.
The possibility of other terminal programs is one of the reasons I liked the way I did it. Are you saying that if I were to install a widget that accesses the shell or another terminal-capable program (like PathFinder), it'd just use whatever shell it wants, regardless of what I've set the shell to in NetInfo? If that's the case, do you know any method of globally disallowing shell access for a particular user (by that I mean the sort of one-step method I tried with /usr/bin/false, which was intended to completely cut off the user's access to the shell environment)?

I liked your bicycle analogy, by the way, but I'm not doing anything mission-critical. The machine I'm using is an old Pismo PowerBook - I just want to secure it enough to make it un-worthwhile for the casual mischief-maker. I have a hardware firewall, a router, I use OS X's software firewall, I have ssh turned off, etc. From what I've been led to understand, if a determined hacker has physical access to the machine, it's almost impossible to completely secure the machine and prevent him from getting whatever it is he wants. I'm just trying not to make it easy.

[ Reply to This | # ]

10.4: A fix for users disappearing from the login window
Authored by: vonleigh on Jul 30, '05 02:25:38AM

Personally I think you're playing with fire. If you have everything in System Preferences > Sharing turned off, changing the shell of those accounts is not really making you any safer. If you want more security, put more interesting (longer, alpha-numeric, upper-lower case, symbol) passwords on those accounts.

-v



[ Reply to This | # ]
10.4: A fix for users disappearing from the login window
Authored by: jdurchen on Jul 29, '05 04:36:02PM

After upgrading to 10.4.2 I had an even worse situation. My login screen would no longer appear. I tried everything I could think of to get it to show up.

I finally shelled into the machine with my laptop. Nothing seemed frozen and nothing seemed to be taking up all the CPU so of course my first though was "bad .plist"

Sure enough, I moved the LoginWindow .plist to com.apple.LoginWindow.plist.bak and bam, almost instantly the login window re-appeared with the default layout of all users displayed in the list.

I wonder if the upgrade someone broke this configuration file as well. I am glad I had the skills to do this or I would have been pretty upset.

Hope this his helpful to others who may have run across this.



[ Reply to This | # ]
10.4: A fix for users disappearing from the login window
Authored by: kaih on Jul 30, '05 05:08:29AM

I haven't tested this again in Tiger, but in 10.3 and previous, any user account with UID of less than 500 also won't show up in the Login Window.
Not exactly a solution to your problem, but worth keeping in mind also if you want to hide user accounts

Rather than using /usr/bin/false, you can get scponly from a variety of sources - my personal favourite method is Darwin Ports - port install scponly.

This provides a shell that can be used as the login shell so a user can't log in interactively, however can scp/sftp files to/from their account...

Cheers,
Kai

---
k:.



[ Reply to This | # ]
10.4: A fix for users disappearing from the login window
Authored by: magnamous on Aug 01, '05 04:13:58AM
I've actually been playing with that method in NetInfo on 10.4 this evening, and it doesn't seem to work any more. I had one user's info set like this:

shell /bin/bash
uid 504

I changed it to:

shell /bin/bash
uid 400

But it didn't seem to produce the desired effect (that is, it was still visible in the Login Window). Then I changed it to this:

shell /usr/bin/false
uid 400

When I went to the login window, that user had disappeared from the list. And then I changed it to this:

shell /usr/bin/false
uid 504

Which also worked. However, when I changed it to this:

shell /sbin/nologin
uid 504

The user re-appeared in the Login Window list.

I would prefer to be able to use /sbin/nologin because of the error message it gives, but then the user is visible in the list. I wish there was a way to have my cake and eat it too: I want /sbin/nologin as the shell, but I want to be able to set whether the user is visible in the list or not independently from the shell variable. :P

[ Reply to This | # ]

10.4: A fix for users disappearing from the login window
Authored by: Will Graham on Aug 30, '05 12:26:30PM

I've had this problem with my Tiger upgrade, but the missing account's shell setting is fine. I've also tried jdurchen's suggestion with the loginwindow.plist file, and it's made no difference. Any other ideas?



[ Reply to This | # ]