MacPorts is hijacking account on MacOSXServer

David L Ballenger dlb at davidlballenger.com
Mon Jul 25 17:43:07 PDT 2011


The "." in the dscl command specifies the local directory domain. If you change that "." in the dscl command to "/Search" it will pick up the OD Users as well as the local users of the current system.

However, just doing that won't fix the problem since it can then still create a local account with a UID in the OD UID range. If you do this on the OD master, then WorkGroup Manager will see the UID in the local domain and not reuse it when creating an OD account. However, when you install macports on a client system you could have problems when you next create an account in the OD master, since WorkGroup Manager won't see the accounts in the local directories on the clients. For example:

 - Highest UID in OD master is 1039.
 - Install macports on OD master and macports is created as a local account with UID 1040.
 - Install macports on client A and macports is created as local account UID 1040. 
   All is still okay. The /Search still only turns up 1039 as the highest UID, since
   macports was created in the local directory of the OD master and the client doesn't
   see that.
 - Create a new OD account, it gets UID 1041.
 - Install macports on client B, macports created as local account on B with UID 1042.
 - Create another OD account, it gets UID 1042 since WorkGroup Manager can't see
   the local directory of client B. Now user with UID 1042 can't log in to client B.

There might be ways around this but it seems like it would be simpler to first try to look for free UIDs in the local domain that are below 1000. If there are none, then maybe create it but issue a warning that it might conflict with network accounts.

What I'll probably do is pick a UID below 1000 that is unused on any of my systems, then I'll have puppet use it to create a macports account on all my systems before upgrading to 2.0.



- David


On Jul 25, 2011, at 4:10 PM, Rainer Müller wrote:

> On 2011-07-26 00:53 , Daniel J. Luke wrote:
>> On Jul 25, 2011, at 6:26 PM, David L Ballenger wrote:
>>> On my laptop, which is connected to my Open Directory domain, my personal 
>>> account is set up as a mobile account, which means I have an account in the
>>> local domain with a UID of 1025 and macports got an ID of 1026.  That meant
>>> that the Open Directory user with that ID (my wife) could no longer log into
>>> her network account using my laptop.
>> 
>> So, there was already an OD account with ID 1026 (or did you try to set up your wife's account later, and that failed?)
>> 
>> I _think_ getpwuid() should pull in the information from OD (and maybe there's a lion change/bug that is causing the issue?). Certainly the manpage on 10.6 says "These functions obtain information from DirectoryService(8)"
> 
> The macports user itself is not being created there, but in the
> portmgr/dmg/postflight script.
> 
> The essential command is this one:
> 
> ${DSCL} -q . -create /Users/${RUNUSR} UniqueID $(($(${DSCL} . -list /Users UniqueID | /usr/bin/awk '{print $2}' | sort -ug | tail -1)+1))
> 
> So here we are looking for the greatest ID in use and take the next one.
> 
> Could it be that this kind of account is not recognized as we are
> querying "." (the local domain) only?
> 
> Rainer
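
The approach suggested in the message above (look for a free UID below 1000 first, and fall back to highest+1 only with a warning), written out as an added example; it is not the MacPorts postflight script or code from anyone in this thread. The function name `pick_uid`, the 500-999 search range and the sample listing are assumptions.

```shell
#!/bin/sh
# Added example (not MacPorts code).
# pick_uid reads "name uid" lines on stdin, the format printed by
#   dscl <node> -list /Users UniqueID
# and prints a UID for a new local service account.
# Usage on a real system (feeds both the local node and the search path):
#   { dscl . -list /Users UniqueID; dscl /Search -list /Users UniqueID; } | pick_uid
# Arguments: $1 = highest UID to try (assumed default 999),
#            $2 = lowest UID to try  (assumed default 500).
# Exit status 0: free UID found in range. Exit status 2: range exhausted,
# highest+1 printed instead and a warning written to stderr.

pick_uid() {
    ceiling=${1:-999}
    floor=${2:-500}
    awk -v hi="$ceiling" -v lo="$floor" '
        # Last field is the UID; negative values (e.g. nobody = -2) are valid.
        $NF ~ /^-?[0-9]+$/ {
            uid = $NF + 0
            used[uid] = 1
            if (uid > max) max = uid
        }
        END {
            # Search downward so the choice stays far from low system IDs.
            for (u = hi; u >= lo; u--)
                if (!(u in used)) { print u; exit 0 }
            next_uid = max + 1
            msg = "warning: no free UID in " lo "-" hi "; using " next_uid
            msg = msg ", which may conflict with network accounts"
            print msg > "/dev/stderr"
            print next_uid
            exit 2
        }'
}

# Constructed sample listing modelled on the laptop described in the thread:
# a mobile account at 1025 and the macports account that landed on 1026.
SAMPLE='root 0
nobody -2
_www 70
dlb 1025
macports 1026'

printf '%s\n' "$SAMPLE" | pick_uid   # picks from 500-999, not 1027
```

Because the listing is read from stdin, the same function can be fed the output gathered from several machines to find a UID that is unused on all of them.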


