Some third-party servers should be run under a special user for security reasons (eg, PostgreSQL is typically run by "postgres"). Of course, these service users should not show up in the Mac OS X login windows. I know how to create hidden users using dscl or dsimport, but I'm wondering what the best policy is for assigning UIDs (and matching GIDs). Apple's documentation states that UIDs from 0 to 100 are reserved (pg. 69), but OS X comes with several special users and groups outside that range. I used to use ids from 401 onwards for services, but I noticed that OS X 10.6 has started using that range for groups created by the Sharing pane in System Preferences.
What is the recommended ID range to use for third-party services, then? Perhaps I should just use IDs in the 500 range, since all that is needed to hide a user in Snow Leopard is setting his password to "*"?
Also, most of Apple's services have names starting with an underscore, with an alias sans underscore; eg, _sandbox and sandbox. Is there any special significance to this? Should I do the same for my services?
Edit: although I said "or dsimport", one should really use dscl to create hidden users. See this post for details!
Best Answer
Amusingly, I found this while trying to sort out some weird behavior we've been getting reports of during Big Sur updates, and then a few days later stumbled on a very recent, vaguely-canonical answer!
In Big Sur, the usage information for the sysadminctl command is updated with a new asterisk, and some new options for the -addUser action. I'll quote the relevant parts (with new options bolded), but here's the only public copy I could find of the full usage. If you try to use the -roleAccount option, it will indeed make you use a username with an underscore, and a UID in the 200-400 range.