Scripts to create users and groups from the Terminal UNIX
Creating users in 10.3+ from the command line has been covered here before, but I just wanted to share some tools I've been working on and using for creating and deleting users and groups. We're starting to get a fair number of Macs around here, and I wanted a useradd-like command for managing accounts. So I did what every good Unix user does and wrote my own set of tools.

You can grab them from my personal software page if you're interested in using them yourself. Please let me know about bugs, etc. that you find. Like I said, I've been using them here a bit, but I'm sure there are cases I haven't found where they might break.

Scripts to create users and groups from the Terminal | 4 comments | Create New Account
Scripts to create users and groups from the Terminal
Authored by: lolopb on Dec 19, '05 07:51:23AM

Nice, but in order to function properly in Tiger, groups should be manipulated with the "dseditgroup" command only.

As for user creation, you should have a look at the "dscl" command (and of course its manpage); it's much more powerful and Mac OS X compliant than what you do, in fact. In your script, for example, you don't create any GeneratedUID for users, which can be useful for the system.



Security Flaw in User Addition Script
Authored by: thrig on Dec 19, '05 10:02:16AM
echo "${newuser}:********:${uid}:${pgid}::0:0:${comment}:${newhome}:${shell:-/bin/bash}" > ${tmpfile}

Contains a /tmp security flaw. Any user can create a symbolic link from /tmp/niuser-$(date +%s) to a critical file, and the next time the above code runs, the critical file will be clobbered. Instead, use the mktemp utility to create a temporary file, if needed.



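The fix thrig describes, as an added example that is not the hint's own script: the record line is written through a file created by mktemp(1) rather than a predictable /tmp/niuser-<timestamp> path. The argument order (newuser uid pgid comment newhome [shell]) and the function names are assumptions for this example.

```shell
#!/bin/sh
set -eu

# Build the colon-separated record line the hint's script writes.
# Assumed argument order: newuser uid pgid comment newhome [shell].
build_user_record() {
  newuser=$1; uid=$2; pgid=$3; comment=$4; newhome=$5; shell=${6:-/bin/bash}
  printf '%s:********:%s:%s::0:0:%s:%s:%s\n' \
    "$newuser" "$uid" "$pgid" "$comment" "$newhome" "$shell"
}

# Write the record to a temporary file created by mktemp(1). mktemp creates
# a fresh regular file with a random name (mode 0600, O_EXCL), so a symlink
# planted in advance at a guessable name cannot redirect the write.
# Prints the path of the created file on stdout.
write_record_safely() {
  tmpdir=${TMPDIR:-/tmp}
  tmpfile=$(mktemp "$tmpdir/niuser.XXXXXX") || return 1
  # '>' would follow a symlink, but mktemp already created a regular file
  # here and, in a sticky /tmp, no other user can replace it.
  build_user_record "$@" > "$tmpfile"
  printf '%s\n' "$tmpfile"
}

# Sanity check a caller can run before handing the file to niload:
# accept only a regular file that is not reached through a symlink.
check_tmpfile() {
  [ -f "$1" ] && [ ! -L "$1" ]
}
```

The caller is responsible for removing the file afterwards (for example with `trap 'rm -f "$tmpfile"' EXIT` in the calling script).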
Check existing records
Authored by: ssevenup on Dec 20, '05 10:38:30AM

My general advice for this whole process is to evaluate what either Workgroup Manager or the Preference Panel Accounts GUI produce in the way of a user record and attempt to duplicate it. I have been writing scripts for adding users for the past couple of years and it gets very involved. My current production tools for adding users to Panther (and recently Tiger) are shell scripts wrapped with Platypus and Pashua. I plan to migrate my Tiger scripts to dscl and we have recently added pwpolicy elements. I am also using a hybrid account type with hand-rolled mcxrecord properties to achieve some degree of control over the accounts without needing Server. Our users need certain capabilities, but pwpolicy is only honored for non-Admin level accounts (like I said... complicated).

---
Mark Moorcroft
ELORET Corp. - NASA/Ames RC
Sys. Admin.



dscl mcx question
Authored by: ssevenup on Dec 20, '05 11:46:26PM
I spent the day upgrading my adduser tool to use ds* instead of ni* tools. I have one remaining issue (sorry for the giant code segment). Unless I use niload raw I'm not sure how to manipulate mcx records in the user record. Does anyone know about getting the ds* tools to accomplish this? I have begun to look at dsimport. It looks like this may offer the capability?

nidb_power()
{
# Load a raw NetInfo record for the user from the here-document below.
# Requires the ni* tools; $uname, $shell, $home, $gid, $irl, $uid and $UUID
# are set by the caller before this function runs.
niload -r /users/$uname . <<EOF
{
  "name" = ( "$uname" );
  "_writers_picture" = ( "$uname" );
  "shell" = ( "$shell" );
  "_writers_hint" = ( "$uname" );
  "sharedDir" = ( "" );
  "home" = ( "$home" );
  "gid" = ( "$gid" );
  "authentication_authority" = ( ";ShadowHash;" );
  "_writers_realname" = ( "$uname" );
  "picture" = ( "/Library/User Pictures/Nature/Zen.tif" );
  "passwd" = ( "********" );
  "realname" = ( "$irl" );
  "hint" = ( "" );
  "_shadow_passwd" = ( "" );
  "uid" = ( "$uid" );
  "generateduid" = ( "$UUID" );
  "passwordpolicyoptions" = ( "<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>canModifyPasswordforSelf</key>
	<integer>1</integer>
	<key>expirationDateGMT</key>
	<date>1969-12-31T23:59:59Z</date>
	<key>hardExpireDateGMT</key>
	<date>1969-12-31T23:59:59Z</date>
	<key>isSessionKeyAgent</key>
	<integer>0</integer>
	<key>maxChars</key>
	<integer>0</integer>
	<key>maxFailedLoginAttempts</key>
	<integer>0</integer>
	<key>maxMinutesOfNonUse</key>
	<integer>0</integer>
	<key>maxMinutesUntilChangePassword</key>
	<integer>0</integer>
	<key>maxMinutesUntilDisabled</key>
	<integer>0</integer>
	<key>minChars</key>
	<integer>8</integer>
	<key>passwordCannotBeName</key>
	<integer>1</integer>
	<key>requiresAlpha</key>
	<integer>1</integer>
	<key>requiresNumeric</key>
	<integer>1</integer>
	<key>usingExpirationDate</key>
	<integer>0</integer>
	<key>usingHardExpirationDate</key>
	<integer>0</integer>
	<key>usingHistory</key>
	<integer>0</integer>
</dict>
</plist>
" );
  "mcx_settings" = ( "<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>mcx_application_data</key>
	<dict>
		<key>com.apple.Classic</key>
		<dict>
			<key>Forced</key>
			<array>
				<dict>
					<key>mcx_data_timestamp</key>
					<date>2005-03-18T18:30:35Z</date>
					<key>mcx_preference_settings</key>
					<dict>
						<key>ClassicRedirectUserFolders</key>
						<true/>
					</dict>
				</dict>
			</array>
		</dict>
		<key>com.apple.systempreferences</key>
		<dict>
			<key>Forced</key>
			<array>
				<dict>
					<key>mcx_data_timestamp</key>
					<date>2005-03-18T18:30:35Z</date>
					<key>mcx_preference_settings</key>
					<dict>
						<key>EnabledPreferencePanes</key>
						<array>
							<string>com.apple.preference.desktoppictures</string>
							<string>com.apple.preference.dock</string>
							<string>com.apple.preference.general</string>
							<string>com.apple.Localization</string>
							<string>com.apple.preference.screensaver</string>
							<string>com.apple.preference.universalaccess</string>
							<string>com.apple.preference.keyboard</string>
							<string>com.apple.preference.sound</string>
							<string>com.apple.preference.classic</string>
							<string>com.apple.preference.quicktime</string>
							<string>com.apple.preference.displays</string>
							<string>com.apple.preference.energysaver</string>
							<string>com.apple.preference.digihub.discs</string>
							<string>com.apple.preferences.Bluetooth</string>
							<string>com.apple.preference.datetime</string>
							<string>com.apple.preference.internet</string>
							<string>com.apple.preferences.sharing</string>
							<string>com.apple.preferences.users</string>
							<string>com.apple.preference.expose</string>
							<string>com.apple.preference.network</string>
							<string>com.apple.preference.security</string>
							<string>com.apple.preference.desktopscreeneffect</string>
							<string>com.apple.preference.printfax</string>
						</array>
					</dict>
				</dict>
			</array>
		</dict>
	</dict>
</dict>
</plist>
" );
}
EOF
}

---
Mark Moorcroft
ELORET Corp. - NASA/Ames RC
Sys. Admin.
