Submit Hint Search The Forums LinksStatsPollsHeadlinesRSS
14,000 hints and counting!


Click here to return to the 'Application user control?' hint
The following comments are owned by whoever posted them. This site is not responsible for what they say.
Application user control?
Authored by: babbage on Mar 10, '02 11:46:43PM
Is this a way to control which "virtual" users are displayed at login? In order to support some of the background processes I have going on my Mac -- special accounts for Apache, MySQL, PostgreSQL, etc -- and some of these are blocked from the login screen while others show up. I don't want anyone logging into my system as Postgres, but I can't figure out how to block that account from performing system logins. (I wouldn't mind keeping process based logins -- "su postgres -c command" -- but if this had to go I could live without it.)

I know that OSX doesn't use the same /etc based text system that a lot of older Unixes do, but rather that it has NetInfo working (and apparently requests for e.g. /etc/passwd end up getting channeled through the NetInfo databases), so I've been poking around there and only getting confused by what I've found. I can find all the user accounts, and each of them has a list of properties (from around half a dozen to maybe 20 or so), but I can't tell what properties are working in such a way that logins are blocked for some but allowed for others. Maybe this password trick will help -- I didn't want to mess around with that field blindly because I don't want to trigger any nasty side effects...

[ Reply to This | # ]

This would work for you
Authored by: Xeo on Mar 11, '02 01:07:07AM

This method would work for you as a way to disable the accounts. You could use the AppleScript I made to toggle these users on and off. When off, there is no way to login as these users. It's probably not what you need, though.

Most people just use NetInfo Manager to change the "passwd" property of the daemon users to "*" which disables them permanently (until you used sudo or something to regive it a password). That is probably the best way to go since there really isn't a good reason to log in as these users. You can use sudo if you need to run things as them by hand.

This method uses the same concept of changing the passwd to "*" but still keeps the old password around so it's easily "turned back on". You don't really need that functionality for a daemon user.



[ Reply to This | # ]
Don't display user accounts
Authored by: Jaharmi on Mar 11, '02 02:47:29PM

If you change the user account to have a UID of less than 500 (as I recall), then that user account should not be displayed in the picture-button version of the loginwindow. I haven't done this, so I'm not sure of the procedure ... of the top of my head, it would probably require work in NetInfo Manager and chown at the Terminal prompt.

However, if you really want that security, you might just want to switch to use the other version of loginwindow, which just displays blank username and password fields.



[ Reply to This | # ]
Don't display user accounts
Authored by: babbage on Mar 12, '02 11:41:20AM

Well, I'm not *really* worried about locking it down that badly -- it's a home computer, and 99% of the time my fiance & I are the only ones around the computer, nevermind using it. I just want it so that we have pushbutton login access for her, me, and the guest user accounts, and I want to disable login at that level for all the daemon accounts. Very rarely it's useful to be able to switch to one of those user accounts while logged in as myself (mainly for issuing commands as the postgres user), but for the most part I want to make them be dormant. Setting the password to '*' worked, though the UID<500 trick sounds like it's on the right track too (yes, this is easy to do in NetInfo Manager, thogh you could probably use the ni* commands too).



[ Reply to This | # ]