10.4: Hide all low UID users from the login window
Authored by: tofergregg on May 22, '06 08:37:56AM

I had to do this the other day, but I went about it slightly differently: I opened /Applications/Utilities/Netinfo Manager, found the offending login item (postgres, as it turns out), created the property "passwd", and set its value to "*". Postgres does not show up on the login menu any more.

-Chris



10.4: Hide all low UID users from the login window
Authored by: cshuman on May 22, '06 10:37:49AM

Can you explain further what this actually does? It concerns me to add something called passwd with a value of "*" w/o knowing what it does/why the system ignores it in the login window.

Thanks,

Chris

---
Is there anybody out there? Just nod if you can hear me. Is there anyone home?



10.4: Hide all low UID users from the login window
Authored by: adrianm on May 22, '06 11:01:54AM
It's an olde worlde way of preventing a user from logging in. Bit of a hack IMO, but quite normal.

Another common method is to set the default login shell to /usr/bin/false

I think this is mostly from the days when users were defined in the /etc/passwd file.

The login window seems to respect this behaviour.

You can see OSX's /etc/passwd equivalent by typing this in a Terminal window.


nidump passwd /
The second column is the password field. These are all asterisks in this output, but the ones that do not allow login will have a single *.

10.4: Hide all low UID users from the login window
Authored by: rohanl on May 22, '06 09:58:25PM

The convention of having a '*' in the password entry to block logins started back in the days when the actual encrypted passwd was stored in /etc/passwd.

The encrypted passwd was a string like "hvlAlAxmCi1vc" obtained by using the DES crypt function. An encrypted passwd of "*" was invalid, as no matter what you entered as a passwd it wouldn't encrypt to that.

Nowadays the encrypted passwd is not stored in /etc/passwd to prevent someone from taking the file and working on cracking the passwords in bulk. It's stored elsewhere in a "shadow" file or some other place that is not publicly readable.

But the practice of "*" meaning login disallowed has lived on.



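As an added illustration of the two comments above (not code posted by anyone in the thread), the script below parses lines in the seven-field `/etc/passwd` layout that `nidump passwd /` prints and reports which accounts cannot log in, either because the password field is a lock marker such as `*` or because the shell is `/usr/bin/false`. It also shows why `*` can never be a match: a classic DES `crypt()` result is exactly 13 characters drawn from `[A-Za-z0-9./]`, so `*` falls outside the set of possible outputs. The sample lines are constructed, not real output from any machine, and the UID threshold of 500 for "low UID" is an assumption used only for the report.

```python
"""Audit /etc/passwd-style entries (e.g. `nidump passwd /`) for login-disabled accounts.

Added example for the thread; sample data below is constructed.
"""
import string

# Constructed sample in the seven-field layout: name:password:uid:gid:gecos:home:shell
SAMPLE_NIDUMP = """\
nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false
root:********:0:0:System Administrator:/var/root:/bin/sh
postgres:*:70:70:PostgreSQL Server:/var/empty:/bin/sh
chris:********:501:501:Chris:/Users/chris:/bin/bash
svc:********:502:502:Service Account:/var/empty:/usr/bin/false
"""

# Password-field values that no crypt() call can ever produce, so they block password login.
LOCKED_PASSWORD_FIELDS = {"*", "!", "!!"}
# Shells that exit immediately, so an "allowed" login never yields a session.
NOLOGIN_SHELLS = {"/usr/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}

# Alphabet of the classic 13-character DES crypt() output.
DES_CRYPT_ALPHABET = set(string.ascii_letters + string.digits + "./")


def looks_like_des_crypt(value):
    """True if value has the shape of a traditional DES crypt() hash (13 chars, crypt alphabet)."""
    return len(value) == 13 and all(ch in DES_CRYPT_ALPHABET for ch in value)


def parse_passwd(text):
    """Yield one dict per well-formed line; blank lines, comments and malformed lines are skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed: do not guess which field is missing
        name, password, uid, gid, gecos, home, shell = fields
        yield {
            "name": name, "password": password, "uid": int(uid), "gid": int(gid),
            "gecos": gecos, "home": home, "shell": shell,
        }


def login_status(entry):
    """Return the reasons an interactive password login is blocked (empty list means allowed)."""
    reasons = []
    if entry["password"] in LOCKED_PASSWORD_FIELDS:
        reasons.append("password field is a lock marker")
    if entry["shell"] in NOLOGIN_SHELLS:
        reasons.append("shell never yields an interactive session")
    return reasons


def audit(text):
    """Map each account name to its list of login-blocking reasons."""
    return {entry["name"]: login_status(entry) for entry in parse_passwd(text)}


def low_uid_accounts_still_loginable(text, threshold=500):
    """Accounts below the (assumed) low-UID threshold that nothing blocks from logging in."""
    return sorted(
        entry["name"] for entry in parse_passwd(text)
        if entry["uid"] < threshold and not login_status(entry)
    )


if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_NIDUMP).items():
        print(f"{name:10s} {'LOCKED: ' + '; '.join(reasons) if reasons else 'login allowed'}")
    print("low-UID accounts still able to log in:", low_uid_accounts_still_loginable(SAMPLE_NIDUMP))
```

The report treats the password field and the shell as independent controls: `postgres` in the sample is blocked only by `*`, `svc` only by its shell, and `nobody` by both. Note that a lock marker in the password field stops password authentication everywhere (login window, ssh, su), while a `false` shell only prevents an interactive session and does nothing against `su -s` or `sudo -u` from a privileged account.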
10.4: Hide all low UID users from the login window
Authored by: rohanl on May 22, '06 10:02:27PM

By disabling logins in this way, not only do you prevent someone from logging in via the login window, but they can't log in any other way (ssh, su, ...)

The only way to 'become' the user is to become root first and then su (root can do this without needing to enter a passwd)

This is a good thing for a user that is not meant to be interactive.



10.4: Hide all low UID users from the login window
Authored by: greed on May 24, '06 02:48:32PM

You can use 'sudo -u username' instead of gatewaying through root.

First, use visudo to edit the sudoers file.

Next, you want to add something like this:

dbauser ALL=(postgres) /usr/local/bin/psql, /usr/local/bin/pg_dump

Make dbauser a comma-separated list of all users you need. ALL means any machine; if you're sharing the sudoers file among several machines, then you can put a specific hostname here. The name in parens is the "sudo as" user; it can be a comma-separated list also if you like, (apache,mysql,postgres,mailman) for example. Then a list of allowed commands, or the magic word ALL to allow any command.

Users then can "sudo -u postgres /usr/local/bin/psql", and use their own password, to run as the database superuser.

This is, IMO (and IME), much better than having shared passwords on such accounts. There are several security benefits, AND your users have fewer passwords to remember, so it's easier to avoid writing them down in a bad place.



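To make the rule semantics described in the comment above concrete, here is an added evaluator (not code from the thread or from sudo itself) for sudoers lines of the exact shape shown there: `user_list host_list=(runas_list) command_list`. It answers "may this user, on this host, run this command as that target user?" and lets you check that a rule grants only what you meant, for instance that `dbauser` gets `psql` as `postgres` but not as root and not a shell. The sample rules, user names and host names are constructed; real sudoers syntax (aliases, `Defaults`, wildcards, `!` negation, command arguments, tags such as `NOPASSWD:`) is not modelled, and the parser rejects anything outside this shape rather than guessing.

```python
"""Evaluate simplified sudoers rules of the form: users hosts=(runas) commands

Added example; models only the rule shape discussed in the thread, not full sudoers.
"""
import re

# One rule per line: comma-separated user list, host list, parenthesised runas list, command list.
RULE_RE = re.compile(
    r"^(?P<users>\S+)\s+(?P<hosts>\S+?)\s*=\s*\((?P<runas>[^)]*)\)\s*(?P<cmds>.+)$"
)

# Constructed sample; names are hypothetical.
SAMPLE_SUDOERS = """\
# DBAs may run the two client tools as the postgres account, on any host
dbauser,chris ALL=(postgres) /usr/local/bin/psql, /usr/local/bin/pg_dump
# web admin may run anything as apache or mysql, but only on host www1
webadmin www1 = (apache,mysql) ALL
"""


def _split_list(text):
    """Split a comma-separated sudoers list, dropping surrounding whitespace and empties."""
    return [item.strip() for item in text.split(",") if item.strip()]


def parse_sudoers(text):
    """Parse rule lines into dicts; comments and blank lines are ignored, other syntax is rejected."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = RULE_RE.match(line)
        if not match:
            raise ValueError(f"unsupported sudoers line: {raw!r}")
        rules.append({
            "users": _split_list(match["users"]),
            "hosts": _split_list(match["hosts"]),
            # sudo defaults the runas user to root when the list is empty
            "runas": _split_list(match["runas"]) or ["root"],
            "cmds": _split_list(match["cmds"]),
        })
    return rules


def _matches(items, value):
    """ALL matches anything; otherwise the value must appear literally in the list."""
    return "ALL" in items or value in items


def may_run(rules, user, host, runas, command):
    """True if some rule lets `user` on `host` run `command` as `runas` (exact command match)."""
    return any(
        _matches(rule["users"], user)
        and _matches(rule["hosts"], host)
        and _matches(rule["runas"], runas)
        and _matches(rule["cmds"], command)
        for rule in rules
    )


def grants_for(rules, user, host):
    """List (runas, command) pairs a user is granted on a host, with ALL left symbolic."""
    return sorted(
        (target, cmd)
        for rule in rules
        if _matches(rule["users"], user) and _matches(rule["hosts"], host)
        for target in rule["runas"]
        for cmd in rule["cmds"]
    )


if __name__ == "__main__":
    rules = parse_sudoers(SAMPLE_SUDOERS)
    print("dbauser -> postgres psql:", may_run(rules, "dbauser", "db1", "postgres", "/usr/local/bin/psql"))
    print("dbauser -> root psql:    ", may_run(rules, "dbauser", "db1", "root", "/usr/local/bin/psql"))
    print("webadmin grants on www1: ", grants_for(rules, "webadmin", "www1"))
```

The `grants_for` listing is the review-oriented view: an `ALL` in the command column shows up verbatim, which is the case to look at twice, since "any command as apache" includes shells and editors. Because this evaluator matches commands as exact strings, it is stricter than sudo, which also compares arguments and honours aliases and wildcards; treat a `True` here as "the rule shape grants it" and confirm on the real system with `sudo -l`.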