Opened 13 years ago
Closed 8 years ago
#30168 closed defect (fixed)
adduser results in macports users appearing as interactive users
Reported by: | michal.vanco@… | Owned by: | macports-tickets@… |
---|---|---|---|
Priority: | Normal | Milestone: | MacPorts 2.0.1 |
Component: | base | Version: | 1.9.99 |
Keywords: | adduser lion | Cc: | jeremyhu (Jeremy Huddleston Sequoia), cooljeanius (Eric Gallager) |
Port: |
Description
After installing 1.9.99 (on Lion GM) from svn, the created macports user started to show up in the System Preferences->Sharing->File Sharing list. I think this is a bug, because macports is a "non-interactive" user and should not be displayed in lists like this.
Change History (33)
comment:1 Changed 13 years ago by jmroot (Joshua Root)
Milestone: | MacPorts 2.0.0 |
---|
comment:2 Changed 13 years ago by jeremyhu (Jeremy Huddleston Sequoia)
Keywords: | adduser lion added |
---|
comment:3 follow-up: 7 Changed 13 years ago by jeremyhu (Jeremy Huddleston Sequoia)
I don't see this for the "macports" user, but I do for other users created by MP (avahi, gdm, message bus, and policykituser). I just did an erase install and used svn trunk as of 2 days ago.
comment:4 Changed 13 years ago by jeremyhu (Jeremy Huddleston Sequoia)
Summary: | macports user shows in SMB sharing user list → adduser results in macports users appearing as interactive users |
---|
comment:5 follow-up: 6 Changed 13 years ago by jeremyhu (Jeremy Huddleston Sequoia)
Cc: | jeremyhu@… added |
---|
What is the output of running this command?
dscl localhost -read /Local/Default/Users/macports
comment:6 follow-up: 17 Changed 13 years ago by michal.vanco@…
Replying to jeremyhu@…:
What is the output of running this command?
dscl localhost -read /Local/Default/Users/macports
```
mv@Prime:~$ dscl . read /Users/macports
AppleMetaNodeLocation: /Local/Default
AuthenticationAuthority: ;Kerberosv5;;macports@LKDC:SHA1.CB88406D0041F4846FAB8B94FBFC501452925A5B;LKDC:SHA1.CB88406D0041F4846FAB8B94FBFC501452925A5B ;ShadowHash;HASHLIST:<SALTED-SHA512>
GeneratedUID: 955C8DED-B627-4EF8-BCA9-DA2AC02040C4
NFSHomeDirectory: /var/empty
Password: *
PasswordPolicyOptions:
 <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>failedLoginCount</key>
    <integer>0</integer>
    <key>failedLoginTimestamp</key>
    <date>2001-01-01T00:00:00Z</date>
    <key>lastLoginTimestamp</key>
    <date>2001-01-01T00:00:00Z</date>
    <key>passwordTimestamp</key>
    <date>2011-07-13T10:25:27Z</date>
</dict>
</plist>
PrimaryGroupID: 502
RecordName: macports
RecordType: dsRecTypeStandard:Users
UniqueID: 504
UserShell: /usr/bin/false
```
comment:7 follow-ups: 10 16 Changed 13 years ago by michal.vanco@…
Replying to jeremyhu@…:
I don't see this for the "macports" user, but I do for other users created by MP (avahi, gdm, message bus, and policykituser). I just did an erase install and used svn trunk as of 2 days ago.
The only users I see on my install are (here I filtered out all usernames beginning with an underscore, which are probably users created by OS X itself):
```
mv@Prime:~$ dscl . list /Users | grep -E -v ^_
daemon
macports
mv
nobody
pa
root
```
Here, mv and pa are interactive users using this system. The only user created by MP is "macports" (right?). Running MP 1.9.99 with the following ports installed:
```
mv@Prime:~$ sudo port list installed
apr @1.4.5 devel/apr
apr-util @1.3.12 devel/apr-util
autoconf @2.68 devel/autoconf
automake @1.11.1 devel/automake
bash-completion @1.3 sysutils/bash-completion
bzip2 @1.0.6 archivers/bzip2
curl @7.21.7 net/curl
curl-ca-bundle @7.21.7 net/curl-ca-bundle
cyrus-sasl2 @2.1.23 security/cyrus-sasl2
db46 @4.6.21 databases/db46
expat @2.0.1 textproc/expat
gdbm @1.8.3 databases/gdbm
gettext @0.18.1.1 devel/gettext
git-core @1.7.6 devel/git-core
glib2 @2.28.8 devel/glib2
gperf @3.0.4 devel/gperf
help2man @1.39.3 textproc/help2man
ifstat @1.1 sysutils/ifstat
iftop @0.17 net/iftop
libiconv @1.13.1 textproc/libiconv
libidn @1.22 mail/libidn
libpcap @1.1.1 net/libpcap
libtool @2.4 devel/libtool
m4 @1.4.16 devel/m4
mp4v2 @1.9.1 multimedia/mp4v2
mtr @0.80 net/mtr
ncurses @5.9 devel/ncurses
ncursesw @5.8 devel/ncursesw
neon @0.29.6 www/neon
openssl @1.0.0d devel/openssl
p5-encode-locale @1.02 perl/p5-encode-locale
p5-error @0.17016 perl/p5-error
p5-file-listing @6.02 perl/p5-file-listing
p5-html-form @6.00 perl/p5-html-form
p5-html-parser @3.68 perl/p5-html-parser
p5-html-tagset @3.20 perl/p5-html-tagset
p5-http-cookies @6.00 perl/p5-http-cookies
p5-http-daemon @6.00 perl/p5-http-daemon
p5-http-date @6.00 perl/p5-http-date
p5-http-message @6.02 perl/p5-http-message
p5-http-negotiate @6.00 perl/p5-http-negotiate
p5-io-socket-ssl @1.44 perl/p5-io-socket-ssl
p5-libwww-perl @6.02 perl/p5-libwww-perl
p5-locale-gettext @1.05 perl/p5-locale-gettext
p5-lwp-mediatypes @6.01 perl/p5-lwp-mediatypes
p5-lwp-protocol-https @6.02 perl/p5-lwp-protocol-https
p5-mime-base64 @3.13 perl/p5-mime-base64
p5-mozilla-ca @20110409 perl/p5-mozilla-ca
p5-net-http @6.01 perl/p5-net-http
p5-net-libidn @0.12 perl/p5-net-libidn
p5-net-ssleay @1.36 perl/p5-net-ssleay
p5-svn-simple @0.28 perl/p5-svn-simple
p5-term-readkey @2.30 perl/p5-term-readkey
p5-uri @1.58 perl/p5-uri
p5-www-robotrules @6.01 perl/p5-www-robotrules
perl5 @5.12.3 lang/perl5
perl5.12 @5.12.3 lang/perl5.12
pkgconfig @0.26 devel/pkgconfig
popt @1.16 devel/popt
python27 @2.7.2 lang/python27
python_select @0.3 sysutils/python_select
readline @6.2.000 devel/readline
rsync @3.0.8 net/rsync
serf @0.7.2 www/serf
serf0 @0.7.2 www/serf0
sqlite3 @3.7.7.1 databases/sqlite3
subversion @1.6.17 devel/subversion
subversion @1.6.17 devel/subversion
subversion-perlbindings @1.6.17 devel/subversion-perlbindings
subversion-perlbindings @1.6.17 devel/subversion-perlbindings
zlib @1.2.5 archivers/zlib
```
comment:9 follow-up: 11 Changed 13 years ago by jeremyhu (Jeremy Huddleston Sequoia)
Does your install of base have r80335 ? You said "from svn", but I'm not sure if you meant trunk or a particular tag.
comment:10 follow-ups: 12 13 Changed 13 years ago by jmroot (Joshua Root)
Replying to michal.vanco@…:
The only user created by MP is "macports" (right?).
That's the only one created by macports base, but some ports will also create a user when you install them.
comment:11 Changed 13 years ago by michal.vanco@…
Replying to jeremyhu@…:
Does your install of base have r80335 ? You said "from svn", but I'm not sure if you meant trunk or a particular tag.
```
mv@Prime:base$ svn info
Path: .
URL: http://svn.macports.org/repository/macports/trunk/base
Repository Root: http://svn.macports.org/repository/macports
Repository UUID: d073be05-634f-4543-b044-5fe20cf6d1d6
Revision: 80445
Node Kind: directory
Schedule: normal
Last Changed Author: jmr@macports.org
Last Changed Rev: 80443
Last Changed Date: 2011-07-13 11:56:58 +0200 (st , 13 júl 2011)
```
comment:12 Changed 13 years ago by michal.vanco@…
Replying to jmr@…:
Replying to michal.vanco@…:
The only user created by MP is "macports" (right?).
That's the only one created by macports base, but some ports will also create a user when you install them.
Exactly. This is why I attached the list of all my installed ports (to see that there is none which creates its own user). So in my case, there is only one user ("macports" user) created together by MP base and all installed ports.
comment:13 Changed 13 years ago by jeremyhu (Jeremy Huddleston Sequoia)
Replying to jmr@…:
Replying to michal.vanco@…:
The only user created by MP is "macports" (right?).
That's the only one created by macports base, but some ports will also create a user when you install them.
Yeah, my issue with adduser should be taken care of with r80800, and based on his dscl output, I'd expect his user to not be listed either ... so I'm perplexed. I'm done stabbing at the dark and am gonna have to do some more research.
comment:14 Changed 13 years ago by blargh.macfag@…
Using a UniqueID between 100 and 500 for the macports user should fix that. The realname for the user is missing btw.; it could be set to something more explanatory like "MacPorts Runtime User".
```sh
# Take the highest UniqueID already in use between 100 and 500 and add 1.
# DSCL and RUNUSR are expected to be set by the surrounding script.
${DSCL} -q . -create /Users/${RUNUSR} UniqueID $(($(${DSCL} . -list /Users UniqueID | /usr/bin/awk '{print $2}' | awk '$1 > 100' | awk '$1 < 500' | sort -ug | tail -1)+1))
${DSCL} -q . -create /Users/${RUNUSR} RealName "MacPorts Runtime User"
```
comment:15 follow-ups: 21 23 Changed 13 years ago by jmroot (Joshua Root)
UIDs < 500 are reserved. Not setting RealName is precisely how you stopped an account from showing up in the GUI in past OS X versions BTW. We need an answer from someone at Apple about whether (a) this is working as intended in 10.7 (users don't show up in 10.6 after all), and if so, (b) what the preferred way to hide them is now.
comment:16 Changed 13 years ago by jeremyhu (Jeremy Huddleston Sequoia)
loginwindow UI will consider a user as one that can't be logged in if the following occur
the shell is /usr/bin/false
or
the AuthAuthority has ;disableduser; in it.
or
the AuthAuthority doesn't exist or contains ;basic; and the password is missing or is a single asterisk.
or
the record name is missing or blank
or
the uid is missing
The loginwindow UI doesn't care about the UID number.
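The loginwindow rules listed in comment:16, applied to the text of a `dscl . -read` record and reporting the first rule that matches. This is an added example, not part of the ticket or of MacPorts base; the function name, the verdict strings and the `exampled` account (a made-up record with a real shell but no AuthenticationAuthority) are invented here, and the grouping of the third rule is an assumption.

```shell
# Added example: apply the loginwindow rules from comment:16 to one record.
# stdin: `dscl . -read /Users/<name>` output; stdout: first matching rule.
loginwindow_verdict() {
  awk '
    /^[A-Za-z]/ && index($0, ":") {        # "Key: value" starts in column 1
      key = substr($0, 1, index($0, ":") - 1)
      val = substr($0, index($0, ":") + 1)
      sub(/^[ \t]+/, "", val); rec[key] = val; next
    }
    key != "" {                             # indented continuation of a value
      line = $0; sub(/^[ \t]+/, "", line)
      rec[key] = (rec[key] == "" ? line : rec[key] " " line)
    }
    END {
      has_aa  = ("AuthenticationAuthority" in rec)
      has_uid = (("UniqueID" in rec) && rec["UniqueID"] != "")
      aa = rec["AuthenticationAuthority"]; pw = rec["Password"]
      # Rule 3 grouping assumed: (no AuthAuthority OR ;basic;) AND (no password OR "*")
      nopw = (pw == "" || pw == "*")
      if (rec["UserShell"] == "/usr/bin/false")             print "shell-false"
      else if (index(aa, ";disableduser;"))                 print "disableduser"
      else if ((!has_aa || index(aa, ";basic;")) && nopw)   print "no-usable-password"
      else if (rec["RecordName"] == "")                     print "no-record-name"
      else if (!has_uid)                                    print "no-uid"
      else                                                  print "login-capable"
    }'
}
# Constructed samples; macports_record is abridged from the record in comment:6.
macports_record() {
cat <<'EOF'
AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512>
Password: *
PasswordPolicyOptions:
 <?xml version="1.0" encoding="UTF-8"?>
RecordName: macports
UniqueID: 504
UserShell: /usr/bin/false
EOF
}
svc_record() {
cat <<'EOF'
Password: *
RecordName: exampled
UniqueID: 505
UserShell: /bin/sh
EOF
}
echo "macports: $(macports_record | loginwindow_verdict)"
echo "exampled: $(svc_record | loginwindow_verdict)"
```

On a Mac, live data can be checked with `dscl . -read /Users/macports | loginwindow_verdict`.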
comment:17 Changed 13 years ago by jeremyhu (Jeremy Huddleston Sequoia)
Replying to michal.vanco@…:
Replying to jeremyhu@…:
What is the output of running this command?
dscl localhost -read /Local/Default/Users/macports
```
mv@Prime:~$ dscl . read /Users/macports
AppleMetaNodeLocation: /Local/Default
AuthenticationAuthority: ;Kerberosv5;;macports@LKDC:SHA1.CB88406D0041F4846FAB8B94FBFC501452925A5B;LKDC:SHA1.CB88406D0041F4846FAB8B94FBFC501452925A5B ;ShadowHash;HASHLIST:<SALTED-SHA512>
GeneratedUID: 955C8DED-B627-4EF8-BCA9-DA2AC02040C4
NFSHomeDirectory: /var/empty
Password: *
PasswordPolicyOptions:
 <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>failedLoginCount</key>
    <integer>0</integer>
    <key>failedLoginTimestamp</key>
    <date>2001-01-01T00:00:00Z</date>
    <key>lastLoginTimestamp</key>
    <date>2001-01-01T00:00:00Z</date>
    <key>passwordTimestamp</key>
    <date>2011-07-13T10:25:27Z</date>
</dict>
</plist>
PrimaryGroupID: 502
RecordName: macports
RecordType: dsRecTypeStandard:Users
UniqueID: 504
UserShell: /usr/bin/false
```
This doesn't match with my experience nor what I've found out "from the horse's mouth" (above) ... are you absolutely positive that this record corresponds to a user that you are seeing listed? Can you reboot just to make sure everything is clean?
comment:18 Changed 13 years ago by jmroot (Joshua Root)
The above is correct for loginwindow and the Users & Groups prefpane. The "Options..." button for File Sharing in the Sharing prefpane behaves differently though, as does the + button in the same prefpane for adding permissions on a shared folder.
comment:20 Changed 13 years ago by jeremyhu (Jeremy Huddleston Sequoia)
Try deleting AuthAuthority (and making sure the password is missing, blank, or *) ... that's a stab in the dark btw...
comment:21 follow-up: 22 Changed 13 years ago by blargh.macfag@…
Replying to jmr@…:
UIDs < 500 are reserved.
reserved for what? how does that stop anyone from using these UIDs? BTW, system-users have realnames and they are hidden.
comment:22 follow-up: 28 Changed 13 years ago by danielluke (Daniel J. Luke)
Replying to blargh.macfag@…:
reserved for what? how does that stop anyone from using these UIDs?
Reserved by Apple, for Apple's use.
If we use them, we run the risk of having problems later (when Apple decides to use the one we were using), so it's not something that we're going to do.
comment:23 Changed 13 years ago by 200309@…
Replying to jmr@…:
UIDs < 500 are reserved. Not setting RealName is precisely how you stopped an account from showing up in the GUI in past OS X versions BTW. We need an answer from someone at Apple about whether (a) this is working as intended in 10.7 (users don't show up in 10.6 after all), and if so, (b) what the preferred way to hide them is now.
If RealName is blank, Tiger 10.4.11 > System Preferences > Accounts Preference Panel will NOT open.
comment:24 Changed 13 years ago by jeremyhu (Jeremy Huddleston Sequoia)
Milestone: | → MacPorts 2.0.1 |
---|---|
Resolution: | → fixed |
Status: | new → closed |
r81558 fixed in trunk
comment:25 follow-up: 26 Changed 13 years ago by blargh.macfag@…
Macports still appears in the System Preferences > Sharing > File Sharing | Screen Sharing | etc. > Add User dialog.
comment:26 Changed 13 years ago by michal.vanco@…
Replying to blargh.macfag@…:
Macports still appears in the System Preferences > Sharing > File Sharing | Screen Sharing | etc. > Add User dialog.
Just to confirm this. Upgraded to 2.0.1 by port selfupdate and macports still appears as an interactive user.
comment:27 Changed 13 years ago by jeremyhu (Jeremy Huddleston Sequoia)
Yes, the problem is only fixed for newly created users. You'll need to manually change the record for the old user.
comment:28 Changed 13 years ago by rich@…
Resolution: | fixed |
---|---|
Status: | closed → reopened |
Replying to dluke@…:
Replying to blargh.macfag@…:
reserved for what? how does that stop anyone from using these UIDs?
Reserved by Apple, for Apple's use.
If we use them, we run the risk of having problems later (when Apple decides to use the one we were using), so it's not something that we're going to do.
I'd be interested to see where Apple have stated that UIDs < 500 are reserved by Apple - I've had a good search through Apple documentation and can't seem to find anything stating this, would it maybe be an option to get feedback from Apple on this?
I've reopened this bug because I noticed that Workgroup Manager (bundled with Apple's Server Tools) for one seems to consider UIDs and GIDs > 500 as local users/groups and displays them as such within the "Accounts" section of the application.
I realise that this is far less of an issue than the previously reported bug, but nevertheless this is something that is worth looking into?
comment:29 Changed 13 years ago by jeremyhu (Jeremy Huddleston Sequoia)
Resolution: | → fixed |
---|---|
Status: | reopened → closed |
Rich, you can consider my words, "from Apple"
What is your radar number for WGM? Are you *sure* it is unbiasedly showing users >= id 500? It should be showing all users which fit the rules I listed above.
I highly recommend not using ids < 500 for the reasons stated above.
comment:31 Changed 10 years ago by papp.gergely@…
This might be connected - macports user has a folder created under /private/var/folders. Most notably, it has a ~1GB com.apple.Iconservices folder. I believe this is unnecessary. Same for macports-created users with UUID > 500 (e.g. polkituser). There must be a setting which disables the generation of the iconcache; this should be the default for the macports user (and related users). Unfortunately I haven't been able to find the said setting myself.
comment:32 Changed 10 years ago by papp.gergely@…
Resolution: | fixed |
---|---|
Status: | closed → reopened |
comment:33 Changed 8 years ago by jmroot (Joshua Root)
Resolution: | → fixed |
---|---|
Status: | reopened → closed |
As per the ticket guidelines, please don't set the Milestone field.