UIDs for service users in Mac OS X
Posted
by
LaC
on Super User
See other posts from Super User
or by LaC
Published on 2011-01-11T22:42:46Z
Indexed on
2011/01/11
22:55 UTC
Read the original article
Hit count: 232
Some third-party servers should be run under a special user for security reasons (eg, PostgreSQL is typically run by "postgres"). Of course, these service users should not show up in the Mac OS X login windows. I know how to create hidden users using dscl
or dsimport
, but I'm wondering what the best policy is for assigning UIDs (and matching GIDs). Apple's documentation states that UIDs from 0 to 100 are reserved (pg. 69), but OS X comes with several special users and groups outside that range. I used to use ids from 401 onwards for services, but I noticed that OS X 10.6 has started using that range for groups created by the Sharing pane in System Preferences.
What is the recommended ID range to use for third-party services, then? Perhaps I should just use IDs in the 500 range, since all that is needed to hide a user in Snow Leopard is setting his password to "*"?
Also, most of Apple's services have names starting with an underscore, with an alias sans underscore; eg, _sandbox
and sandbox
. Is there any special significance to this? Should I do the same for my services?
© Super User or respective owner