So now I'm a bit annoyed that googling 'access hidden administrator accounts Mac' returns only how to create hidden accounts, not how to access them. How do I uncover the hidden Administrator accounts and folders that are on my system?
iMac
Your concern is much ado about nothing.
Millions of people use OS X every day; yet any system that's been compromised has been via a social engineering trick.
Unless you've been messing around with permissions and enabled the root account, you're perfectly safe.
You're overthinking the whole thing.
Now, if this thread was about that 'other' operating system, you might have something to be concerned about.
There are quite a few users (I've got 78 on my system), and these "users" also include processes that may be running such as authentication, network, printing, screensaver, www, etc, in addition to any human users. These other users follow the same permissions as everything else, so you would need to look at the specific user to see what group they belong to, but most don't run with any elevated privileges such as root.
You can get a list of the users and their uid/gid, their home directory (if there is one), and what they are by copy/pasting the following into the Terminal:
dscacheutil -q userYou can get a list of the groups by using the same command, just replace the word user with group.
[This post is in replacement for the post submitted inadvertantly earlier today.]
Greetings Folks: I read this thread with keen interest because of the unique experience I had in the last year of my six years in support of and then on the team with the system developers of the Terrorist Screening Development Center. [SEE useful info AT THE END OF MY DIATRIBE:-)ElLucero]
In 2009 I watched in growing alarm as the Mac Pro I had managed successfully for the two previous years as the only Mac/Unix system on that volatile classified (i.e., "closed") network came under the control of some anonymous third party that, given the nature of the TSC mission, I would guess were/are terrorists of the suited engineering type.
I've owned/worked on dozens of Macs since '84, and used OS X professionally and privately since it came out. Since I had cut my technical publishing teeth at CACI (1988-93) finding the most efficient ways to document the simulation and modeling products developed there on Sun, SGI, and HP Unix workstations — using the Macs/PCs of the era — I was well aware of the power/danger of superuser (root), the panoply of daemons, permissions, processes etc., and the various Unix commands for navigating, changing permissions, listing processes, editing files and so on.
The TSDC Mac Pro did not have an Airport (wireless) card by rule, and every door to the space had a large "Turn Off All Wireless and Bluetooth Devices" sign above the access code-input keypad.
That Mac Pro was the only machine on that classified network that was explicitly not supported or understood by the TSDC (D=Development) IT staff. They thought that, with no wireless network card and with Bluetooth turned off (via System Prefs) that the machine was secure in that closed environment.
If IT had known the following facts, they would not have cleared that Mac for TSDC use without first removing the Bluetooth hardware:
Why am I including these allegations in the context of your thread? Because it was Apple's failure to document these and other security holes related to its "convenience-ware" that led to my failure to convince the TSDC IT staff and security officer of the reality of the smoking gun I had found after months of research and Apple support calls: a fully configured MobileMe, clandestinely installed and operating under my logon. You cannot (that is, could not) accidentally configure a MobileMe account. It required a valid credit card with the owner's name on it, even for the trial version — and that name was displayed in the configured MobileMe system preference panel. (I found the MobileMe when I accidentally clicked on an iDisk icon in the Finder sidebar pane and, instead of being presented with the unconfigured MobileMe preference pane, I was presented with a sync prompt (Allow Once, Always Allow, Deny …). I launched System Preferences: MobileMe and found the clandestine MM configuration. I failed to educate the TSDC IT and mgmt. staff regarding the nature of the incursion because:
It took me months (after being whistle-blown out of the TSDC) to find an Apple tech who admitted that BDUN cannot be shut off, and a year more to identify the mechanism on the TSDC Mac Pro to connect it to the MobileMe Appleshare server in the sky: the scripted use of the tty.Bluetooth-Modem and tty.Bluetooth-PDA-Sync files located in the /dev directory.Here is the useful info I promised above. This info should be made available to all Apple customers:
The manual is a gold mine and is every bit as applicable to non-server users as it is to server users.
Good luck,
ElLucero
I'm afraid that we really don't have much choice but to take your story with a grain of salt. You've provided no real concrete details or evidence that can be verified by someone else. I mean no offense to you, but I've seen many people here who were absolutely convinced they had malware or had discovered a security flaw when that was definitely not the case. As is often said around here, extraordinary claims require extraordinary evidence.
I could certainly understand if you didn't want to post that evidence here, where someone may find it and make malicious use of it. However, if there's actually something to your story, and you know exactly what is causing the problem, those details need to be shared with the security community, and with Apple themselves. To contact Apple regarding this:
Well I found the user accounts cache in Terminal. There are 51 users. Does that mean they all have administrator access, or root access?
Is there any way to get a more detailed list of why each user is there, and what they are able to do on my system?
How many users are on a system after installing the OS, Final Cut Studio, and Xcode on a new Mac? (Did all these users get added through the two small apps I downloaded, and the internet?)
Obviously, I want a better way to know who the users are, what they can do, and how to get rid of them if I don't want them on the system. Is that too much to ask?
Do all these users look like they should be there? Do they all have root privileges? Where do I go to find out more about what each one does?
AMaVis Daemon:
Application Owner:
Application Server:
Apple Remote Desktop:
ATS Server, Calendar:
Card DAV Service:
ClamAV Daemon:
CVMS Root:
CVS Server:
Cyrus Administrator:
Developer Documentation:
Dovecot Administrator:
DP Audio:
Apple Events User:
Installer:
Jabber XMPP Server:
Local Delivery Agent:
Location Daemon:
Printing Services:
Mailman List Server:
MCX AppLaunch:
mDNSResponder:
MySQL Server:
Podcast Producer Agent:
Podcast Producer Server:
Postfix Mail Server:
QuickTime Streaming Server:
Seatbelt:
Screensaver:
SecurityAgent:
Serial Number Daemon:
Software Update Service:
sshd Privilege separation:
SVN Server:
TeamServer:
AutoTimeZoneDaemon:
Token Daemon:
Trust Evaluation Agent:
Unknown User:
Update Sharing:
iPhone OS Device Helper:
Unix to Unix Copy Protocol:
WindowServer:
World Wide Web Server:
Xgrid Controller:
System Services:
Unprivileged User:
As mentioned in one of my replies in passing, the base command for getting the groups is the same. The group doesn't show in the Activities Monitor, but the user does, and you can also see what processes are being run by the sytem. Typically each user also has a group with the same name, but some are members of other groups such as:
group gid everyone 12 nobody -2 nogroup -1 staff 20 wheel 0 mail 6Any given process has the privileges of whatever is running them - a user process has the privileges of that user, and various system proceses may run with elevated privileges depending on what it needs to do.
So the good news is that since I've taken a more active role as 'an' administrator on my own computer, the processes have gone from around 46 to around 8. The performance has also improved.
So it looks like the next step, in managing groups that have access to the computer while I'm connected to the internet is to become the server administrator instead of a passive client to the internet? I'm not sure how many ways there are to do that, but it's starting to look like paying AT&T for networking instead of making a server of your own computer is like paying cable for TV when there is so much programming available over the net?
There are a few processes under other users such as _spotlight and _windowserver, but most are either your user or the system (root). There is a lot that can be running in the background, so it depends on what you have installed.
Apparently there was 6 times more running in the background before I checked the root access, set up other accounts for browsing, and changed passwords.
So the groups that are listed now are user groups that access my computer regularly, whenever I'm connected to the internet? And right now, I'm acting as a passive internet client for these groups? I'm not sure what I have to do to gain positive control over preventing people from accessing my computer, if all these groups have access, and I have no way of knowing who they are or why or how they have access to my computer, and to what parts they have access. Is that simply something that can't be controlled once you connect to the internet?
Does 'public' internet access come with the implied consent that the public (or anyone who knows a group that is connected) can access your computer?
Don't get me wrong, I'd love to set up a project, and this current project in particular, over the internet. But without positive control over who has access, or at least knowing who is accessing my computer, that simply isn't an option.
OF course I'm over thinking everything. There's no other way to reach the limits of something about which one is known to be ignorant.
At the end of the day, an operating system is a vastly complicated network, built on long histories of mutual cooperation, confidence and trust, facilitating the sharing of intelligence and information and knowledge by all.
A 'different' system simply cannot be built...it is the current system that must be accepted, learned, and improved in any way possible.
And when it comes to working with this system or the other system, that puts this whole thread in a ridiculous perspective. Something like comparing the sun to the moon.
The various background applications and daemons can spawn their own user processes, just as you running an application will spawn a process under your user. These processes only have the access needed to do their thing (for example, a file application will need to access files), and any random application can't just go into your account. The processes you see in the Activity Monitor are those running on your machine, and aren't neccessarily related to the internet, although a few obviously are such as your web browser, email, time server, etc.
You are totally in control of who accesses your computer and to what extent through use of the Sharing Control Panel. You should probably also check the Security CP Firewall settings to make sure it's on and in "Stelth Mode".
Purchase Little Snitch to control what goes out over the Internet and to monitor what applications are sending and receiving data over your network connection in real-time.
One could also stick one's head in the gas oven ... or the Lion's mouth ... given your inclination. Lion is a giant step backward in the OS X GUI evolution ... actually sideways ... jumping the tracks towards another increasingly confusing windowed GUI (and it ain't the ancient Motif). Assuming it will fix such fundamental problems, especially problems Apple glosses over by taking advantage of its long-standing thin docs and its long-since obsolete reputation for "virus" security, uses the word "assume" as the english god (et al) designed it to be used.
HiddenAccountsandFolders
