User Accounts
Revised: 2008-11-05 james
Class Notes from January 11th, 2008
"Enabling" the root user really means giving the root user a password. The root user is always there. It can't be removed if you expect the OS to still work.
/etc/passwd
/etc/master.passwd
Use Directory Access (10.4) or Directory Utility (10.5) to enable the BSD directory.
man 5 passwd
NetInfo and dslocal
dscl & NetInfo Manager
--------
What makes an "admin" user admin? The Admin group and these 3 things:
/etc/sudoers
/etc/authorization
General file permissions (80 is the admin group and /Library and /Applications are writable by the admin group)
--------
The default home folder comes from:
/System/Library/User Template/English.lproj
Modify it at will. Keep a backup copy though.
------
Passwords
OFPW
sudo nvram security-mode
sudo nvram security-password
To disable
sudo nvram security-mode=none
To enable (the valid modes are command and full)
sudo nvram security-mode=command
OFPW Utility (on the installer DVD)
PPC Open Firmware at boot up (hold down option-apple-o-f). Type:
setenv security-mode none
You will need to supply the password.
User passwords
/var/db/shadow/hash
The files are named after the UUID attribute for the user record.
Auto login password is at
/etc/kcpassword
The file that controls autologin is
/Library/Preferences/com.apple.loginwindow.plist
You can quickly change passwords with ARD (Apple Remote Desktop) and its Send Unix Command by replacing the contents of the files in /var/db/shadow/hash. You can change the autologin password by replacing the contents of /etc/kcpassword. You can quickly change the Open Firmware password by running the command nvram security-password=.....
How? Change the passwords on one machine. Open the file (or run nvram security-password), copy the contents, and run the ARD commands:
nvram security-password=paste encrypted password
echo -n paste encrypted password > /var/db/shadow/hash/the_file_you_want_to_change
The file you want to change above is the one named after the UUID that corresponds to the user you want to change.
10.5 has a guest user. The home folder is blown away at login. It requires no password to use. It is disabled by default.
The "Master Password" (not /etc/master.passwd) is a master key that unlocks encrypted home folders (FileVault). The password is stored at:
/Library/Keychains/FileVaultMaster.keychain
The pref for it is at /var/root/Library/Preferences/com.apple.security.plist
User Keychains. The one thing I want to say about this is that if a user doesn't know their keychain password, delete the user's keychain. A new one will be created at the next login. The keychain file is stored in ~/Library/Keychains. If the user actually used the keychain, you might want to just move it somewhere else rather than delete it.
------
Resetting Passwords
Yeah, the Installer DVD has the password reset utility.
Or you can boot to single user mode or a Firewire drive and run (after fsck -fy and mount -uw /):
rm /var/db/.AppleSetupDone
reboot
At startup, it will run the setup assistant and let you create an admin user.
You can also mess with /var/db/shadow/hash. For example, you can back up a file in there and replace the contents with a password you know. Log in. Do what you want. Log out. Replace the original file with the backup. You logged in as that user without needing to know their password.
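The files above are also what an administrator should check when auditing a machine. The script below is an added example, not part of the original class notes: it reports auto login, a missing .AppleSetupDone marker, loosely permissioned hash files and a disabled firmware password mode. The function names, the ROOT argument, the plist key autoLoginUser and the output layout of nvram security-mode are assumptions.

```sh
#!/bin/sh
# Added example: audit the account files named in the notes above.
# ROOT may be / or a mounted volume; the function names are hypothetical.

audit_accounts() {
    root=${1%/}    # "/" becomes "", so the paths below stay absolute
    findings=0
    report() { findings=$((findings + 1)); printf 'FINDING: %s\n' "$1"; }

    # Auto login keeps a password on disk and skips the login prompt.
    [ -e "$root/etc/kcpassword" ] && report "/etc/kcpassword exists (auto login password)"
    plist="$root/Library/Preferences/com.apple.loginwindow.plist"
    # Assumption: the plist names the auto login account under the key autoLoginUser.
    if [ -f "$plist" ] && grep -q 'autoLoginUser' "$plist"; then
        report "autoLoginUser is set in com.apple.loginwindow.plist"
    fi

    # Without this marker the setup assistant runs at next boot and creates an admin.
    [ -e "$root/var/db/.AppleSetupDone" ] || report "/var/db/.AppleSetupDone is missing"

    # Hash files (named by UUID, so no spaces) should be accessible to their owner only.
    hashdir="$root/var/db/shadow/hash"
    if [ -d "$hashdir" ]; then
        for f in $(find "$hashdir" -type f \( -perm -040 -o -perm -020 -o -perm -004 -o -perm -002 \)); do
            rel=${f#"$root"}
            report "hash file open to group/other: $rel"
        done
    fi

    printf '%s finding(s)\n' "$findings"
    [ "$findings" -eq 0 ]
}

# $1 is the text printed by `nvram security-mode`.
# Assumption: the mode is the last whitespace-separated field of that output.
firmware_mode_ok() {
    mode=$(printf '%s\n' "$1" | awk '{ print $NF }')
    [ "$mode" = "command" ] || [ "$mode" = "full" ]
}

# Usage: sudo sh audit.sh /    (does nothing when called without an argument)
if [ "$#" -gt 0 ]; then
    firmware_mode_ok "$(nvram security-mode 2>/dev/null)" ||
        echo "FINDING: firmware password mode is not command/full"
    audit_accounts "$1"
fi
```

Pass the mount point of another volume instead of / to audit a machine booted in target disk mode.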
------
Debugging
Try creating a new non-admin user and log in as that user. If it doesn't work, maybe the problem is permissions. So create a new admin user and log in as that user. If it still doesn't work, the problem is probably with the system.