user and group IDs

Starting point: new install, Tiger (10.4.2), adding new user accounts from the Accounts panel

Creating new users is really easy with this approach. However, what I find interesting is that every new user also ends up in a new group (id 502, 503, etc). Group permissions are then rather useless...

Why has this approach been chosen?

Can it be changed easily? (like offering a group in the setup somewhere)

Or would only Netinfo give me the full control on assigning users to designated groups?

Posted on Sep 25, 2005 6:07 AM

8 replies

Sep 25, 2005 6:17 AM in response to DocJoc

Hi DocJoc

You can create a new user in the Terminal, and assign them to whatever group you like, but the Account Preferences (or original setup) user creation is limited to fixing the group to the user. While the underlying Darwin system requires groups, they're not really useful to a large number of Mac users, so it's a pretty decent default.

OS X Server provides a much more flexible user/group management system, but in regular OS X you're limited to Netinfo.

Matt

Sep 25, 2005 11:13 AM in response to Matt Clifton

Hi Matt,

thanks for your swift answer - the link is about what I have been looking for, very good pointer, very much appreciated. Reminds me a bit of the good old "adduser" shell scripts.

I probably agree with you that groups are of little concern to the average Mac user but if you want to do some more specific things... 😉

OS X Server is a little overkill for me with a Mac Mini and a Powerbook (but then I did not specify the platform in the first place) and with the info above I am fine.

Thanks again
DocJoc

Sep 26, 2005 1:13 AM in response to DocJoc

DocJoc,

Obviously, you are concerned about this because you want to "Share" files among users in a common group. This is perfectly achievable in OS X, but not by default; you will have to do a little "tweaking."

It might be simpler for you to create users normally (using System Preferences>Accounts), then add users as needed to common groups that you will create for this purpose. While you could use the command line to do this, Netinfo Manager is a perfectly good GUI tool for doing so, and the one I would recommend.

If you are interested in this information, take a look at all of the instructions I give in this thread. I give instructions that will take you from start to finish, so make sure you read all of my posts in chronologic order. If you have further questions about the info there, just ask here.

Scott

Sep 26, 2005 6:28 AM in response to Scott Radloff

Hi Scott,

this looks pretty impressive, I must admit - lots of info to digest 🙂 I will read through this on the train home tonight, and let you know what I can use from it.

You are right that I want to make files accessible to several users (but with some other thoughts in mind than sharing iTunes MP3 files as what seems to be the case in the thread you are referring to).

Thanks
DocJoc

Sep 27, 2005 5:41 AM in response to Scott Radloff

Hi Scott,

having read and digested the thread you pointed out I must admit that I have more questions... I believe I understand what you are suggesting there to Shawn and Karl. I suspect that I get mixed up between my understanding of groups from the UNIX side (a bit rusty, I must admit), and the group definition in Open Directory (did not yet dig into that at all, so you may safely assume that besides general knowledge about Directory setups I do not know anything specific about Open Directory).

As stated in my initial post, I found that for every new user I create in MacOS 10.4 I also create a new group. For simplicity let's assume that the initial user created as part of the installation process is called "useradmin" and it will have admin rights. It will receive uid 501 and a group of the same name "useradmin" will be created with the gid being 501 as well.

Checking out NetInfo I find the group "admin" which has two users listed: "root", and "useradmin". This looks natural to me because both would have administrative rights.

I also find my user "useradmin" listed as only user under the two groups named "appserveradm" (App Server Admins) and "appserverusr" (Application Server). While I am not clear about the exact function of these two groups (any info available somewhere on this?) they at least sound natural to me, too.

With the above said, I also find the group "useradmin" in NetInfo, where I would have expected that it also lists "useradmin" as a user, but this group does not have a "users" entry, which gets me a bit confused now. The only link between user and group seems to be that name and id are the same. Running "ls -al" in a terminal I will still see owner and group designated both as "useradmin" for files at $HOME.

This leaves me a bit puzzled. Would you be able to shed some light here or point me to a resource for further reading?

I find a similar behaviour for other users. For simplicity let's assume that I create two new users named "Amy" and "Fred", neither of them with admin rights. I would then find

uid=gid=502 Amy Amy
uid=gid=503 Fred Fred

Again, all files in their respective $HOME directories show Amy and Fred as owner and group. I also find the corresponding groups, but again both groups do not have a "users" entry.

I am most likely missing a very basic point here and please accept my apologies for asking you to help me understand it.

Thanks
DocJoc

Sep 27, 2005 11:22 AM in response to DocJoc

DocJoc,

UNIX (and thus OS X) thinks of users in terms of their UID and GID numbers, but will display them, many times, by their short names. You can think of this as any incident of a particular UID or GID being mapped to a short name.

Now, starting with 10.3, OS X began creating users with unique "default" groups, these groups being created using the short name for the user. So, a user "fred" would have a default group of "fred," and would be the sole member of this group. Prior to 10.3, the standard UNIX practice of placing all users in group "staff" was used. In both of these cases, there is/was no necessity to actually include users in the "users" property of the designated group in Netinfo. Maybe you are being confused by the difference between a user having a designated "default" group listed as a property of that user, and a group having a list of included users in a "users" property. Users can be listed in, and belong to, any number of groups, but they will have only one "default" group.

You can safely ignore all of this, anyway, when you want to "Share" files. In order to "Share," you simply create a new group using Netinfo Manager, then include your desired users in this group's "users" property. I give instructions for doing so in that thread.

Next, you create a "Shared" directory. A good location for this is the "Shared" folder in the "Users" folder, but you can create it anywhere. You then set the group ownership of this created directory to your custom-created group.

When files are saved or copied to a directory, they will "inherit" the group ownership of that directory, as long as the user belongs to the group. If this user has changed their default umask, as I have instructed in the referenced thread, that new file will also be read/write for every member of that group. This will enable the "Sharing."

Scott

Oct 1, 2005 4:59 PM in response to Scott Radloff

Hi Scott,

having digested your write-up and played around on 10.4.2 I found that I could not entirely get your approach to work for me because of the setup I was planning - and which differs from sharing iTunes or whatever, incl. write access for several users.

I only got what I wanted after the following steps:
a) create new users with the GUI and thereby create a new group with every new user automatically; this is the standard process and no tampering has happened up to here 😉
b) using TinkerTool and umask to define corresponding rights for group and world of every user, similar to what you suggested. In particular I do not allow the general world read/execute access which seems to come as standard setting in 10.4.2 for standard users.
c) using netinfo to create a new group with a specific gid and the list of users which shall belong to the group; so far also not different from your suggestion
d) then again using netinfo to change the gid of those users to the specific group gid; this is new... and has the effect that all new files created for a user also get the corresponding common gid just as planned
e) chgrp -R for the desired group in the directory trees of those users; this is also new, and only with steps d and e combined was I able to really manage the access rights between group members via the group settings as I had intended, restricting group and world access in directories for each user which I do not wish to share - just as I was used to when I was working on UNIX systems years ago.

Well, in the end I got what I wanted and your compilation was a very good starter because it contained several important pieces of information for me as a newbie to OS X.

Thanks again for your support
DocJoc

Oct 1, 2005 5:50 PM in response to DocJoc

DocJoc,

OK, I see what you have done, and I see nothing wrong with your scheme. In almost all cases (yours being one exception), we would only want to "Share" particular files, not entire HOME folders. Any files we want to share would be saved by a common-group member in a specific "group shared" directory inside the "Shared" directory in "Users." This group shared directory would, of course, have a group ownership matching that common group, and any files saved to it by a group member would "inherit" that same group ownership; the member's GID need not be changed, as long as they are included as a member of the common group.

This simplifies any dealings with permissions, and the umask for users in the common group only needs to be changed from "022" to "002." Otherwise, OS X's default permissions can be left in place. Only the "group shared" directory, itself, need be chmod'd such that only group members have read and execute permission; all others will be "locked out." We need not worry about the permissions for the files that are saved within this directory, other than to ensure that all group members have write access.

In this scenario, HOME folders will be left untouched, and each user will retain exclusive access to the folders inside.

If you have specific need to share entire HOME folders, there is nothing wrong with your setup. If not, I suggest you consider what I have outlined as an alternative. It is your computer, and your environment, so only you can make this decision. I merely want to illustrate how this is typically streamlined.

Scott
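The shared-directory scheme Scott lays out above (a group-owned folder that only members can enter, with members running umask 002 so new files are group-writable) can be checked from the Terminal. The script below is an added example, not code from the thread; it assumes the common group (here the constructed name "share") has already been created in NetInfo Manager with the desired users, and that you run it as a member of that group. One caveat the thread does not mention: on OS X (and BSD generally) a new file takes the group of its directory, as Scott says, but on Linux it takes the creating user's primary group unless the directory has the setgid bit set, so the example uses mode 2770 to get the same behaviour on both.

```shell
#!/bin/sh
# Added example (not from the thread): build a group-shared directory and show
# what umask does to files saved into it. Assumes a group "share" (constructed
# name) exists with the right members; if it does not, chgrp is skipped.

# Return the 10-character mode string (e.g. -rw-rw-r--) of a path.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Create the shared directory: group-owned, setgid so new files inherit the
# directory's group even on Linux, and closed to everyone outside the group
# (mode 2770). Prints the resulting mode string.
make_shared_dir() {
    dir=$1
    group=$2
    mkdir -p "$dir" || return 1
    # chgrp only works if the caller is a member of the group (or root);
    # report and continue so the permission layout can still be inspected.
    if ! chgrp "$group" "$dir" 2>/dev/null; then
        echo "note: could not chgrp $dir to $group (missing group or not a member)" >&2
    fi
    chmod 2770 "$dir"
    mode_of "$dir"
}

# Create an empty file under the given umask and print its mode string.
# The subshell scopes the umask change so the caller's umask is untouched.
create_with_umask() {
    ( umask "$1" && : > "$2" ) && mode_of "$2"
}

# Walk through the scheme in a throwaway directory: with the OS X default
# umask 022 the group only gets read; with 002 every member can also write.
demo() {
    tmp=$(mktemp -d) || return 1
    echo "shared dir: $(make_shared_dir "$tmp/groupshare" share)"
    echo "umask 022:  $(create_with_umask 022 "$tmp/groupshare/default.txt")"
    echo "umask 002:  $(create_with_umask 002 "$tmp/groupshare/shared.txt")"
    rm -rf "$tmp"
}

demo
```

To make the 002 umask stick for the members, set it in their login shell profile (or with TinkerTool, as mentioned earlier in the thread); files written by GUI applications follow the same umask, so afterwards anything a member saves into the shared folder is readable and writable by the whole group while their own HOME folder keeps its default permissions.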
