I was no great fan of Netinfo, and I think it's great that Apple has gone to XML driven Directory Services as a replacement. It turns out that modifying "niutil" scripts isn't too painful; Apple has a post about Converting Scripts for Leopard, but it doesn't give many examples.
Let's look at adding a user to a group. With "niutil", we would have done something like:
sudo niutil -readprop / /groups/uucp users | grep tom
to see if "tom" was already in "uucp", and
sudo niutil -mergeprop / /groups/uucp users tom
to add "tom" to "uucp". How would you do that with Leopard?
First, there are a number of "ds" commands. If you type "ds" in a Terminal window and then hit TAB twice, you'll see these:
dscacheutil dsconfigldap dserr dsmemberutil dscl dseditgroup dsexport dsperfmonitor dsconfigad dsenableroot dsimport dsymutil
Note the "dsenableroot" - if I want to give root a password so that I can actually login, I can do:
dsenableroot -u apl
("apl" is an account with admin privileges)
That will ask me for my password, and then a password for "root". We don't need this (or even "sudo") to add "tom" to "uucp", but I thought I'd mention it in passing.
After reading the various man pages, it looks like "dseditgroup" is the right tool to use, but first I need to check to see if "tom" is already a member, and "dsmemberutil" seems to be the easy way to do that:
$ dsmemberutil checkmembership -U tom -G uucp user is not a member of the group $ dsmemberutil checkmembership -U tom -G tom user is a member of the group
OK, good so far. Well, semi-good so far. Let's take a closer look:
$ dsmemberutil checkmembership -U tom -G uucp user is not a member of the group $ echo $? 0 $ dsmemberutil checkmembership -U tom -G tom user is a member of the group $ echo $? 0
Ugh. It would have been nicer for scripting if dsmemberutil returned 1 on failure. But actually, there's an even nastier problem here..
There is no "uucp" group.
You can verify that by asking dscl to list out the groups for you:
$ dscl . -list /Groups | grep uucp _uucp
No, it's not that all groups have been replaced with these underscored versions:
$ dscl . -read /Groups/uucp AppleMetaNodeLocation: /Local/Default GeneratedUID: ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000042 Password: * PrimaryGroupID: 66 RecordName: _uucp uucp RecordType: dsRecTypeStandard:Groups SMBSID: S-1-5-21-166
Notice the "RecordName: _uucp uucp"? It seems like groups can have multiple names? Indeed, that is true. If we had really used a nonexistent group name, we would have got an error:
dsmemberutil checkmembership -U tom -G foo The group foo cannot be found There was an unknown error. Group not found
Ok, here we are, we know "tom" is not a member of "uucp" (or "_uucp"), and we'd like to add that. The man pages seems pretty straightforward; "dseditgroup " seems like the easiest thing to use. The man page even has a very similar example:
dseditgroup -o edit -n /LDAPv3/ldap.company.com -u myusername -p -a username -t user extragroup The group extragroup from the node /LDAPv3/ldap.company.com will have the username added if the username is in a user record on the search policy and if the correct password is presented interactively for the user myusername which also need to have write access.
So, since I am already a member of the admin group, I would do this:
dseditgroup -n . -u apl -a tom -t user uucp $ dsmemberutil checkmembership -U tom -G uucp user is a member of the group
That will ask me for my password, and will add the record. I could do the same thing with "dscl":
$ dscl -u apl . -merge /Groups/uucp GroupMembership tom $ dsmemberutil checkmembership -U tom -G uucp user is a member of the group
Or, I could do:
sudo dscl . -append /Groups/uucp GroupMembership tom
Two changes there: I used "sudo" instead of "-u apl", and I also used -append instead of -merge.
Well, that's good.. at least I can do this. Unfortunately, without checking back with "checkmembership", you'd never know it: if you try to add a user to a group that doesn't exist, "dscl" makes no complaint and returns no error. The "dseditgroup" will complain (as it should).
I really suggest playing around with this stuff before you get too cocky. It's easy enough to create a test group to play with:
sudo dseditgroup -o create -n . foo
You can then practise adding and removing users:
$ dsmemberutil checkmembership -U dean -G foo user is not a member of the group $ dscl -u apl . -append /Groups/foo GroupMembership dean Password: $ dsmemberutil checkmembership -U dean -G foo user is a member of the group $ dscl -u apl . -delete /Groups/foo GroupMembership dean Password: $ dsmemberutil checkmembership -U dean -G foo user is not a member of the group
The actual files are in /var/db/dslocal/nodes/Default (you will need to have enabled root to poke around here). For example, here's the file "foo.plist" in /var/db/dslocal/nodes/Default/groups:
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DT Ds/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>generateduid</key> <array> <string>35E0E4DD-2660-44C6-87F8-043672BD386E</string> </array> <key>gid</key> <array> <string>500</string> </array> <key>name</key> <array> <string>foo</string> </array> <key>users</key> <array> <string>apl</string> </array> </dict> </plist>
As "dscl" really gives you everything you need to manipulate these files, you shouldn't need to look at them directly, but it's nice to know that you can, isn't it?
Got something to add? Send me email.
More Articles by Anthony Lawrence © 2012-07-07 Anthony Lawrence
Security is mostly a superstition. It does not exist in nature, nor do the children of men as a whole experience it. Avoiding danger is no safer in the long run than outright exposure. Life is either a daring adventure, or nothing. (Helen Keller)