MacPorts that use dscl create group records with password keys -- is this an error?

Tabitha McNerney tabithamc at
Fri Aug 15 00:07:40 PDT 2008

Hello all --

Recently I have been industrializing my company's use of MacPorts on Xserve,
and I noticed something interesting today, namely, that password record are
created by some MacPorts installations for Group record types. Do Groups
need passwords? I'm not so sure they do and this could be a bug.

As many here in the community already know, some MacPorts require daemons to
be run with local directory domain usernames and groups. For example, the
nagios and openldap ports.

In the case of nagios, a user named nagios is created in the local directory
domain when its port is installed. But also a *group* named nagios is
created in the local directory domain. Similarly, for openldap, both a user
named ldap and a *group* named ldap are created.

Let's take the *nagios* example. When I look at the *group* named nagios
which is most definitely created after a "port -v install nagios", I get

$ dscl . -read /Groups/nagios
AppleMetaNodeLocation: /Local/Default
GeneratedUID: AAAAAFFF-F094-4DB8-ADD3-C7DD66B5A5A1
*Password: **
PrimaryGroupID: 502
RealName: nagios
RecordName: nagios
RecordType: dsRecTypeStandard:Groups

I'm not sure that a Password key should exist at all (regardless of what the
value is for the key, in this case an asterisk I think means its a "crypt"
type of password). Interestingly enough, the user record also named nagios
also has a Password key and value which is the same as the nagio group

$ dscl . -read /Users/nagios
AppleMetaNodeLocation: /Local/Default
GeneratedUID: AAAAA715-6AB3-4E12-B608-BE91E78E46A6
NFSHomeDirectory: /dev/null
*Password: **
PrimaryGroupID: -1
RealName: nagios
RecordName: nagios
RecordType: dsRecTypeStandard:Users
UniqueID: 502
UserShell: /dev/null

The Password key and its value for the user record is understandable, but I
am not so sure about the Group. Is the inclusion of a Password key (with a
value such as "*") merely a way to impose a password type on all users that
become a member of that group? It could be a something as simple as that.
Then again, maybe a group does not need a Password key after all?


-------------- next part --------------
An HTML attachment was scrubbed...

More information about the macports-users mailing list