Command-Line Administration Tools
There are a number of command-line tools that are of assistance in the configuration and maintenance of user accounts. Some of these have functionality duplicated in graphical tools and some do not. For truly sophisticated user management, we again suggest looking to Mac OS X Server because it provides tools that are considerably more powerful.
NetInfo Utilities
The nidump, niutil, and niload commands are particularly useful for user account creation and deletion. It's also a good idea to be familiar with the tar command for backing up NetInfo databases. The command documentation table for each of the NetInfo-specific commands is provided in the previous chapter. tar is documented in Chapter 12. We wouldn't be surprised if someone creates a graphical tool that scripts the sort of account maintenance that has been shown in this chapter, and makes it available on the Net. If we managed to pique your interest in shell programming in the earlier chapters, this would be an ideal problem to attack as a learning experience. Because NetInfo is so vital to the operation of the machine, we recommend that you verify, by using print statements, that the scripts you create output exactly what you want—before you turn them loose on the NetInfo database.
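One way to apply the print-first advice above, as an added example that is not from the book: every command goes through a run wrapper that only prints while DRY_RUN is 1, and the account name is validated before it is placed into a NetInfo path. The helper names, the sample values, and the /bin/tcsh shell are assumptions.

```sh
#!/bin/sh
# Added example: print-first wrapper for NetInfo account creation.
# With DRY_RUN=1 (the default) every command is printed instead of executed.
DRY_RUN=${DRY_RUN:-1}
LC_ALL=C; export LC_ALL        # make [a-z] below mean ASCII letters only

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '+ %s\n' "$*"
    else
        "$@"
    fi
}

# The name is interpolated into a NetInfo directory path and a home path, so
# accept only a lowercase letter followed by lowercase letters, digits, or _.
valid_name() {
    case $1 in
        ''|[!a-z]*|*[!a-z0-9_]*) return 1 ;;
    esac
}

valid_id() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
}

# create_user <name> <uid> <gid>   (hypothetical helper; values are examples)
create_user() {
    valid_name "$1" || { echo "rejected username: $1" >&2; return 1; }
    { valid_id "$2" && valid_id "$3"; } || { echo "rejected uid/gid" >&2; return 1; }
    rec=/users/$1
    run niutil -create . "$rec"
    run niutil -createprop . "$rec" uid "$2"
    run niutil -createprop . "$rec" gid "$3"
    run niutil -createprop . "$rec" shell /bin/tcsh      # assumed default shell
    run niutil -createprop . "$rec" home "/Users/$1"
    run niutil -createprop . "$rec" passwd '*'           # no usable password yet
    run chown -R -P "$1:$3" "/Users/$1"                  # home must already exist
    run passwd "$1"                                      # root sets the real password
}

# Stand-alone use: sh script.sh <name> <uid> <gid>
if [ "$#" -eq 3 ]; then create_user "$@"; fi
```

Review the printed lines, then rerun with DRY_RUN=0 as root to execute them.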
Common BSD Tools
In addition to the NetInfo commands for creating and modifying user accounts themselves, you have access to a number of standard BSD utilities. Primarily, these allow you to operate on the files in user accounts; but one, the passwd command, inserts crypted passwords into the NetInfo user record. (This is a little odd because Apple has circumvented most BSD tools of this nature, and incorporated their functionality into the NetInfo commands. It wouldn't be too surprising if Apple replaces or supersedes this command with another in the future.)
Changing File Ownership: chown
The chown command is used to change the ownership of files. Only the root user can execute the chown command. The simplest form, and the one you'll end up using most frequently, is chown <username> <filename>, which changes the ownership property of <filename> to belong to the user <username>. The command can optionally be given as chown <username>:<groupname> <filename> to change the user and group at the same time. Additionally, -R can be specified after the command to cause a recursive change in an entire directory, instead of to a single file. The command documentation table is shown in Table 24.1.
Table 24.1. The Command Documentation Table for chown
| chown | Changes file owner and group. |

    chown [-R [-H | -L | -P]] [-fh] <owner> <file1> <file2> ...
    chown [-R [-H | -L | -P]] [-fh] :<group> <file1> <file2> ...
    chown [-R [-H | -L | -P]] [-fh] <owner>:<group> <file1> <file2> ...

| Option | Description |
| --- | --- |
| -R | Recursively descends through directory arguments to change the user ID and/or group ID. |
| -H | If -R is specified, symbolic links on the command line are followed. Symbolic links encountered in tree traversal are not followed. |
| -L | If -R is specified, all symbolic links are followed. |
| -P | If -R is specified, no symbolic links are followed. |
| -f | Forces an attempt to change user ID and/or group ID without reporting any errors. |
| -h | If the file is a symbolic link, the user ID and/or group ID of the link is changed. |

The -H, -L, and -P options are ignored unless -R is specified. Because they also override each other, the last option specified determines the action that is taken. The -L option cannot be used with the -h option. It is not necessary to provide both <owner> and <group>; however, one must be specified. If group is specified, it must be preceded with a colon (:). The owner may be either a numeric user ID or a username. If a username exists for a numeric user ID, the associated username is used for the owner. Similarly, the group may be either a numeric group ID or a group name. If a group name exists for a group ID, the associated group name is used for the group. Unless invoked by the super user, chown clears set-user-id and set-group-id bits.
Changing File Group Ownership: chgrp
The chgrp command functions like the chown command, except that it changes only the group ownership of a file. This can be particularly useful when you want to give a user, or group of users, access to files owned by a number of different users. Instead of changing the ownership of each, or issuing a separate chown <userid>:<groupid> for each file, you can instead change the file's groups en masse to one that the intended user or group can read, while not affecting the actual ownership of the files.
The command documentation table for chgrp is shown in Table 24.2.
Table 24.2. The Command Documentation Table for chgrp
| chgrp | Changes group. |

    chgrp [-R [-H | -L | -P]] [-fh] <group> <file1> <file2> ...

| Option | Description |
| --- | --- |
| -R | Recursively descends through directory arguments to change the group ID. |
| -H | If -R is specified, symbolic links on the command line are followed. Symbolic links encountered in tree traversal are not followed. |
| -L | If -R is specified, all symbolic links are followed. |
| -P | If -R is specified, no symbolic links are followed. |
| -f | Forces an attempt to change group ID without reporting any errors. |
| -h | If the file is a symbolic link, the group ID of the link is changed. |

Unless -h, -H, or -L is specified, chgrp on symbolic links always succeeds and has no effect. The -H, -L, and -P options are ignored unless -R is specified. Because they also override each other, the last option specified determines the action that is taken. The group may be either a numeric group ID or a group name. If a group name exists for a group ID, the associated group name is used for the group. The user invoking chgrp must belong to the specified group and be the owner of the file, or be the super user. Unless invoked by the super user, chgrp clears set-user-id and set-group-id bits.
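The -H, -L, and -P rows in Tables 24.1 and 24.2 decide whether a recursive change reaches files outside the directory being handed over. The following added example (not from the book; all function names are hypothetical) is a read-only check to run before chown -R or chgrp -R: it lists symbolic links that resolve outside the tree, and files carrying the set-user-id or set-group-id bits that the tables say a non-root change clears.

```sh
#!/bin/sh
# Added example: read-only pre-flight before `chown -R` or `chgrp -R`.

# Print the physical path a symbolic link finally points to (empty if dangling).
physical_target() {
    p=$1
    n=0
    while [ -L "$p" ] && [ "$n" -lt 40 ]; do     # follow link chains, bounded
        t=$(readlink "$p")
        case $t in
            /*) p=$t ;;
            *)  p=$(dirname "$p")/$t ;;
        esac
        n=$((n + 1))
    done
    if [ -d "$p" ]; then
        (cd "$p" && pwd -P)
    elif [ -e "$p" ]; then
        d=$(cd "$(dirname "$p")" && pwd -P) && printf '%s/%s\n' "$d" "$(basename "$p")"
    fi
}

# List links under <dir> that -L would follow out of the tree, plus dangling ones.
escaping_links() {
    root=$(cd "$1" && pwd -P) || return 2
    find "$root" -type l | while IFS= read -r link; do
        real=$(physical_target "$link")
        case $real in
            "$root"|"$root"/*) ;;                         # stays inside the tree
            "") printf 'dangling %s\n' "$link" ;;
            *)  printf 'outside  %s -> %s\n' "$link" "$real" ;;
        esac
    done
}

# List files whose set-user-id or set-group-id bit is currently set.
setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \)
}

# Stand-alone use: sh script.sh <directory>
if [ "$#" -eq 1 ]; then escaping_links "$1"; setid_files "$1"; fi
```

Any "outside" line names a target that a -R -L run would also change; with -R -P the change stays within the tree.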
Setting a User's Password: passwd
The passwd command, somewhat unexpectedly, changes a user's password. If you look at the man page for passwd, you will see that there are a number of related password and account management commands that come from BSD Unix. With the exception of the passwd command, all the others appear to operate on the local files only, and do not seem to affect the NetInfo database information. Because the local authentication files (such as /etc/passwd and /etc/group) are used only in single-user mode, none of the other commands currently have any significant use in OS X. (We'd like to think that Apple is working on making more of them operate with the NetInfo database, but we've really got no idea whether the BSD utilities are coming or going.)
Simply issued as passwd, with no other options, the passwd command enables a user to change her password. The root user has the ability to issue passwd <username> to force the password for the user <username> to change. The command documentation table for passwd is shown in Table 24.3.
Table 24.3. The Command Documentation Table for passwd
| passwd | Modifies a user's password. |

    passwd [-l] [-k] [-y] [<user>]

passwd changes the user's local, Kerberos, or YP password. The user is first prompted for her old password. The user is next prompted for a new password, and then prompted again to retype the new password for verification.

The new password should be at least six characters in length. It should use a variety of lowercase letters, uppercase letters, numbers, and metacharacters.

| Option | Description |
| --- | --- |
| -l | Updates the user's local password. |
| -k | Updates the Kerberos database, even if the user has a local password. After the password has been verified, passwd transmits the information to the Kerberos authenticating host. |
| -y | Updates the YP passwd, even if the user has a local password. The rpc.yppasswdd(8) daemon should be running on the YP master server. |

If no flags are specified, the following occurs: If Kerberos is active, the user's Kerberos password is changed, even if the user has a local password. If the password is not in the local database, an attempt to update the YP password occurs. To change another user's Kerberos password, run kinit(1) followed by passwd. The super user is not required to supply the user's password if only the local password is being modified.