
10.4: Hide all low UID users from the login window System 10.4
Tiger only hint

In the days before 10.4, a user with a user ID lower than 500 would be hidden from the login window. This was especially practical when creating server administration users like postgres. For some reason, 10.4 didn't preserve this behaviour. This hint explains one method of hiding such users by defining each of them in a list. Here's a solution that will simply hide all the users with IDs below 500, as previous OS X releases did by default.

Open Terminal, and type this command:
sudo defaults write /Library/Preferences/com.apple.loginwindow \
Hide500Users -boolean true
This takes care of the login window, as well as the Fast User Switching menu. It also does not add the "Other..." option to the login window.

10.4: Hide all low UID users from the login window
Authored by: tofergregg on May 22, '06 08:37:56AM

I had to do this the other day, but I went about it slightly differently: I opened /Applications/Utilities/Netinfo Manager, found the offending login item (postgres, as it turns out), created the property "passwd", and set its value to "*". Postgres does not show up on the login menu any more.

-Chris



[ Reply to This | # ]
10.4: Hide all low UID users from the login window
Authored by: cshuman on May 22, '06 10:37:49AM

Can you explain further what this actually does? It concerns me to add something called passwd with a value of "*" w/o knowing what it does/why the system ignores it in the login window.

Thanks,

Chris

---
Is there anybody out there? Just nod if you can hear me. Is there anyone home?



[ Reply to This | # ]
10.4: Hide all low UID users from the login window
Authored by: adrianm on May 22, '06 11:01:54AM
It's an olde worlde way of preventing a user from logging in. Bit of a hack IMO, but quite normal.

Another common method is to set the default login shell to /usr/bin/false

I think this is mostly from the days when users were defined in the /etc/passwd file.

The login window seems to respect this behaviour.

You can see OSX's /etc/passwd equivalent by typing this in a Terminal window.


nidump passwd /
The second column is the password field. These are all asterisks in this output, but the ones that do not allow login will have a single *.

[ Reply to This | # ]
10.4: Hide all low UID users from the login window
Authored by: rohanl on May 22, '06 09:58:25PM

The convention of having a '*' in the password entry to block logins started back in the days when the actual encrypted passwd was stored in /etc/passwd.

The encrypted passwd was a string like "hvlAlAxmCi1vc" obtained by using the DES crypt function. An encrypted passwd of "*" was invalid, as no matter what you entered as a passwd it wouldn't encrypt to that.

Nowadays the encrypted passwd is not stored in /etc/passwd to prevent someone from taking the file and working on cracking the passwords in bulk. It's stored elsewhere in a "shadow" file or some other place that is not publicly readable.

But the practice of "*" meaning login disallowed has lived on.



[ Reply to This | # ]
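
The thread above separates two things: hiding an account from the login window (UID below 500 with Hide500Users set) and blocking its login (a lone "*" in the password field, or /usr/bin/false as the shell). The following is an added example, not part of the hint or of any comment: it classifies passwd-format lines such as "nidump passwd /" prints and names the accounts that are hidden yet can still authenticate. The sample accounts are constructed, the function names are hypothetical, and it assumes the password is field 2, the UID field 3 and the shell the last field.

```shell
#!/bin/sh
# Added example. Sample data is constructed, not taken from a real system.
# A run of asterisks stands for "a password exists"; a single * means none can match.
sample_accounts() {
cat <<'EOF'
root:*:0:0::0:0:System Administrator:/var/root:/bin/sh
www:********:70:70::0:0:World Wide Web Server:/Library/WebServer:/usr/bin/false
postgres:********:401:401::0:0:PostgreSQL Server:/usr/local/pgsql:/bin/sh
mysql:*:402:402::0:0:MySQL Server:/var/empty:/usr/bin/false
alice:********:501:501::0:0:Alice Example:/Users/alice:/bin/bash
EOF
}

# audit_accounts: stdin = passwd-format lines, stdout = "name uid window login"
#   window: hidden | listed   (what the login window does with Hide500Users = true)
#   login:  blocked-passwd | blocked-shell | possible
audit_accounts() {
  awk -F: '
    /^#/ || NF < 7 { next }                 # skip comments and malformed lines
    {
      window = ($3 + 0 < 500) ? "hidden" : "listed"
      if ($2 == "*")                    login = "blocked-passwd"
      else if ($NF == "/usr/bin/false") login = "blocked-shell"
      else                              login = "possible"
      print $1, $3, window, login
    }'
}

# hidden_but_usable: accounts the login window hides but that still have
# a usable password and a real shell, so hiding alone has not disabled them.
hidden_but_usable() {
  audit_accounts | awk '$3 == "hidden" && $4 == "possible" { print $1 }'
}

# Demo on the constructed sample.
sample_accounts | audit_accounts
```

On a 10.4 machine the same functions can read live data with "nidump passwd / | hidden_but_usable"; any name it prints is a low-UID account that is out of sight but not locked.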
10.4: Hide all low UID users from the login window
Authored by: rohanl on May 22, '06 10:02:27PM

By disabling logins in this way, not only do you prevent someone from logging in via the login window, but they can't log in any other way (ssh, su, ...)

The only way to 'become' the user is to become root first and then su (root can do this without needing to enter a passwd)

This is a good thing for a user that is not meant to be interactive.



[ Reply to This | # ]
10.4: Hide all low UID users from the login window
Authored by: greed on May 24, '06 02:48:32PM

You can use 'sudo -u username' instead of gatewaying through root.

First, use visudo to edit the sudoers file.

Next, you want to add something like this:

dbauser ALL=(postgres) /usr/local/bin/psql, /usr/local/bin/pg_dump

Make dbauser a comma-separated list of all users you need. ALL means any machine; if you're sharing the sudoers file among several machines, then you can put a specific hostname here. The name in parens is the "sudo as" user, it can be a comma-separated list also if you like. (apache,mysql,postgres,mailman) for example. Then a list of allowed commands, or the magic word ALL to allow any command.

Users then can "sudo -u postgres /usr/local/bin/psql", and use their own password, to run as the database superuser.

This is, IMO (and IME), much better than having shared passwords on such accounts. There's several security benefits, AND your users have fewer passwords to remember, so easier to avoid writing them down in a bad place.



[ Reply to This | # ]
10.4: Hide all low UID users from the login window
Authored by: cshuman on May 22, '06 11:07:03AM

Thanks for your help. I have struggled with this in the past. Does it still allow you to login via "Other" at the login window? Are there other downfalls to using this method? It seems like the easiest one out there but I had not heard it today.

Is there a way to do this via CL ssh?

Thanks,

Chris

---
Is there anybody out there? Just nod if you can hear me. Is there anyone home?



[ Reply to This | # ]
10.4: Hide all low UID users from the login window
Authored by: adrianm on May 22, '06 12:49:14PM
I don't think that setting pwd to * will affect the "Other" feature.

I'm not sure what you mean about ssh, but if you wanted to ssh to your Mac as a user with * as the password, it won't work.

However, you could login as you via ssh (or locally) and then


sudo -s -u otherusername
and type *your* pwd (assuming you are an admin) and you will become the otherusername.

There are other ways, like su otherusername but there are issues too numerous to discuss here.

I think that what you actually wanted was simply a way to stop a user from appearing in the loginwindow, but not prevent logins via ssh.

I can't think of anything offhand for this.

[ Reply to This | # ]

10.4: Hide all low UID users from the login window
Authored by: mATTsT on May 22, '06 09:03:12PM

Is there a way to use this to hide but not disable the user, or is that something else entirely?

What I would like to be able to do is have the regular users able to click on their name but still be able to click on other to login to my Admin acct.

thanks in advance
mattst



[ Reply to This | # ]
10.4: Hide all low UID users from the login window
Authored by: dragonir on May 23, '06 04:01:24AM
Does the command
sudo defaults write /Library/Preferences/com.apple.loginwindow \
Hide1000Users -boolean true
work too?

[ Reply to This | # ]