I need to manage multiple ssh users for different Heroku accounts, explained here. I've created different users and logging in to Heroku with those works fine. These are the users I have:
computer_owner (admin rights)
user1 (admin rights)
user2 (admin rights)
But I want user1 and user2 to share the same files and folders as computer_owner, i.e. all folders/files. Is this possible and if so, how do I do this?
OS X is a UNIX compliant operating system. If you set the rights on files and folders correctly, you can provide access to all of the users. There's a tutorial here on how to manage the access rights and many more around if you search for something like "Unix Permissions"
Ideally, create a separate group using dscl and add the required members. Next, set the files to be owned by that group and each will have access to those files
So, an example would be something like this: -
# create the group
sudo dscl . create /Groups/heroku_ssh
# add members
sudo dscl . append /Groups/heroku_ssh GroupMembership computer_owner
sudo dscl . append /Groups/heroku_ssh GroupMembership user1
sudo dscl . append /Groups/heroku_ssh GroupMembership user2
Assuming a directory called testDirectory: -
# set full permissions for the owner and group
# 770 is read, write and execute for owner and group
sudo chmod -R 770 testDirectory
# set ownership of a file
sudo chown -R computer_owner:heroku_ssh testDirectory
This sets the owner to be the user computer_owner and the group heroku_ssh, so the owner and any member in the group can access the files in testDirectory
Related
I have a deep directory called root,with a lot of folders,each folder is set with different permissions and there're several users registered in the system.In the subfolders of root these users have different privileges and i don't want to change them,but i need to give to the admin user rwx permissions on all files and subdirectories in root.I can do that manually by using the get info menu with the second mouse button on each file that is still not with rwx permission for the admin user but that would require too much time.So the question is,how can i give permissions on a folder recursively to a specific user without changing files and folders owners and permissions for other users?is there no way to do something like
chmod -R specific_user=rwx root_directory
?
On the Mac, login as Local Admin and at the Terminal, run:
sudo dseditgroup -o edit -a [username] -t user admin
Where [username] is the user you want to give admin permissions.
For example if the username was "User1", then the command would be:
sudo dseditgroup -o edit -a User1 -t user admin
http://community.centrify.com/t5/Centrify-Express/OSX-give-an-Ad-User-local-admin-permissions/td-p/8022
When I execute following code in terminal:
dscl . -list /Users UniqueID
The output shows two users with uid 0: one named root, the other named newuser.
But when I execute:
cat /etc/passwd
There is only one user with uid 0, i.e. root.
I want to know why the answers of above commands are different, and how I can delete the newuser.
I am using the newest version of Mac OS X.
I found this question when I failed to install parallels desktop trial edition. The error message is:
Cannot install Parallels Desktop because there is a non-root user account with the UID 0 in your system (http://kb.parallels.com/cn/122763)
I've already called apple support for help, but they had no solution.
Update:
It seems that newuser runs the processes which root should run. Furthermore, the ps command is also run by newuser, but my user name is xlnwel
What on earth is this newuser?
Update 2:
I have no idea what I have done yesterday (maybe just reboot the computer), but today these processes are run by root. but there are still two users with 0 when I run:
dscl . -list /Users UniqueID
Interesting.
There is no strict 1-1 mapping from user name to user id in most of *NIX systems, so technically it's all fine to have a few user names with same UID. The reason why you don't see it in /etc/passwd is that the file is used for legacy accounts, and directory services are expected to be the source of truth.
I guess you never created the newuser? You must understand that the user is effectively a root backdoor into your system, as anyone having the password can act as UID 0 and have full access to your machine.
I'd check for existence of "newuser" in Users & Groups preference pane. You surely should be able to just remove it with sudo /usr/bin/dscl . -delete "/Users/newuser". The important part is to figure how that user got into your machine in the first place.
Immediate solution: remove the user using the command above.
Actual fix: reinstall the machine clean and restore your data from backups.
I will answer your questions in turn:
1. "... why the answers of above commands are different?"
The reason the answers from the two commands are different is because they are looking at two different records sets.
The /etc/passwd file is only used by OSX in single user mode, as pointed out at the top of the file:
##
# User Database
#
# Note that this file is consulted directly only when the system is running
# in single-user mode. At other times this information is provided by
# Open Directory.
#
# See the opendirectoryd(8) man page for additional information about
# Open Directory.
##
As Directory Services is used for users and resources (printers, servers) you will most likely have more entries in a Directory Services listing than the number of entries in /etc/passwd file.
2. "... how I can delete the new user?"
To delete the user you can use dscl commands as pointed out by Farcaller above:
a) check the details for the user and group with:
dscacheutil -q user
And then:
dscacheutil -q group
I would also check to see what other users are in the same group that "newuser" is in, what files are in /Users/newuser, and then make decisions based on that information.
b) If all looks OK, delete the user with:
sudo dscl . delete /Users/newuser
This will delete everything under the specified directory. If you want to remove the user's home directory you will need to do this manually with:
rm -rf /Users/newuser
If the "newuser" was in its own group, I would also look at deleting the group with:
sudo dscl . delete /Groups/<<GROUP_NAME_OF_NEWUSER_FROM_A_ABOVE>>
Hope that helps.
I have a solution that helped me
Check list of IDs
dscl . -list /Users UniqueID
change the UID to a not used number with the phrase:
sudo dscl . -change /Users/newuser UniqueID 0 599
where 599 is unique ID and "newuser" is a second user with 0
What is the right way to create a user on MacOS X, from the command line, which will be used only for running a sever application? For example, there is already the '_www' user for Apache httpd, but for the new application I want it to be using its own account.
There is no "adduser" command. The Mac approach is to use the dscl command, which is the "Directory Service Command Line Utility". Directory Services is similar in notion to LDAP, but is a different solution.
The examples below will use 'mydaemon' as the intended account, though typically you would use a value matching the name of your daemon application.
All daemon users are prefixed with an underscore, such as _www.
To list the attributes on an existing entry:
sudo dscl . -read /Users/_www
Before creating a user, create a group choosing an unused group id (here we chose 300):
sudo dscl . -create /Groups/_mydaemon
sudo dscl . -create /Groups/_mydaemon PrimaryGroupID 300
Once done, we create a new user (we use the same id as we did for the group, that won't be using a shell:
sudo dscl . -create /Users/_mydaemon UniqueID 300
sudo dscl . -create /Users/_mydaemon PrimaryGroupID 300
sudo dscl . -create /Users/_mydaemon UserShell /usr/bin/false
The above is based on reading up on various information sources and verifying the process myself. One reference, that I found useful is:
http://minecraft.gamepedia.com/Tutorials/Create_a_Mac_OS_X_startup_daemon
Note, there is also GUI version of dscl (location based on MacOS X 10.10):
/System/Library/CoreServices/Applications/Directory\ Utility.app/
I need to create a new user account on a system drive (10.10.1) because I am unable to log in to the only existing one. I can however get into the OSX setup from a prepared USB flash drive, and launch Terminal there.
I guess it would be possible to add the user account "testuser" with the following method:
dscl . create /Users/testuser
dscl . create /Users/testuser UserShell /bin/bash
dscl . create /Users/testuser RealName "Test User"
dscl . create /Users/testuser UniqueID 503
dscl . create /Users/testuser PrimaryGroupID 1000
dscl . create /Users/testuser NFSHomeDirectory /Local/Users/testuser
dscl . passwd /Users/testuser PASSWORD
dscl . append /Groups/admin GroupMembership testuser
Now entering
-bash-3.2# dscl . create /Users/testuser
what I get from Terminal is this:
-bash: dscl: command not found
I am not the most experienced with command line tools, and am clueless on how to get it to work.
Any help is greatly appreciated.
I'm not sure how you prepared the USB drive, but it looks like it doesn't include dscl. You can use the copy of dscl from the regular startup volume, but it'd still be trying to create a user on the USB disk. To fix that, you'd need to use dscl's -f option to point it to the user database you actually wanted to edit (see here for something similar).
"/Volumes/Macintosh HD/usr/bin/dscl" -f "/Volumes/Macintosh HD/var/db/dslocal/nodes/Default" localonly -create /Local/Target/Users/testuser
...etc. But even then, I'm not sure it'll handle setting the user's password correctly (there used to be a bug relating to that, but I think it got fixed).
There's a much easier way. Just delete the file /var/db/.AppleSetupDone from your regular volume (not the USB disk):
rm "/Volumes/Macintosh HD/var/db/.AppleSetupDone"
... then reboot normally and it'll run through the Setup Assistant, including letting you create a new admin account (note that existing accounts will be preserved). You can use the new admin to clean up whatever needs to be fixed (reset PW on old admin account?), then delete it when everything is back to normal.
I'm attempting to configure a OSX Mavericks server running Apache and Lasso. For security and convenience I only want users belonging to a specific "web" group to be able to access the web root. I have succeeded in letting both permitted regular users and Apache (_www) access the files, but I cannot for my life manage to set the correct permissions for Lasso. I'm hoping someone here can point me in the right direction.
Basically, what I have done is the following:
sudo dseditgroup -o create web
sudo dseditgroup -o edit -a _www -t user web
sudo dseditgroup -o edit -a _lasso -t user web
sudo chgrp -R web webroot
sudo chmod -R 770 webroot
This apparently works for Apache, but any lasso files merely output a Lasso permission error:
An unhandled failure during a web request
Error Code: 13
Error Msg: Permission denied - While opening //Library/Server/Web/Data/Sites/...
I have also tried adding the _www and _lasso groups to the web group, as well as creating a new Lasso instance in the instance manager with the effective group set to "web".
Strangely, setting permissions to the _lasso user or group directly on the files (i.e. not through the web group) seems to work which makes me believe there's something wrong with how I'm creating my ACLs.
A little more info:
ls -l#e example.lasso
-rwxrwx---+ 1 danielpervan web 0 Feb 19 15:20 example.lasso
0: user:_spotlight inherited allow read,execute
I've encountered problems similar to this when I have ACLs above and beyond the standard Unix permissions. From your post, it looks like there are some ACLs on the example.lasso file. I would run the following script on your web root to remove all ACLs from every folder / file:
sudo chmod -R -N /path/to/webroot/
If that doesn't work, verify that the _lasso user is part of the web group:
dscl . -read /groups/web | grep GroupMembership