MacPorts is hijacking account on MacOSXServer
Rodolfo Aramayo
raramayo at gmail.com
Mon Jul 25 19:16:11 PDT 2011
On Mon, Jul 25, 2011 at 20:50, David L Ballenger
<dlb at davidlballenger.com> wrote:
>
> On Jul 25, 2011, at 5:50 PM, Scott Webster wrote:
>
>> On Mon, Jul 25, 2011 at 5:43 PM, David L Ballenger
>> <dlb at davidlballenger.com> wrote:
>>> - Install macports on client B, macports created as local account on B with UID 1042.
>>> - Create another OD account, it gets UID 1042 since WorkGroup Manager can't see
>>> the local directory of client B. Now user with UID 1042 can't log in to client B.
>>>
>>
>> Wouldn't this be a problem with any account being created on client B?
>> If you choose to use UID 1042 for whatever reason, then the server
>> won't know about it. I guess if you are using this OD system then you
>> are just not supposed to create UIDs on client machines in a possible
>> OD range?
>>
>> Scott
>
> It potentially could be a problem.
>
> However, it seems that if you're using System Preferences to create local accounts it seems to work it's way up from 501, with 501 being your first user account. It does seem to skip holes. For example, on my laptop I currently have the following local user account UIDs, not counting those "systems accounts below 500:
>
> - 501 - the local administrator account
> - 503 - messagebus from some install of dbus that probably got
> pulled in as some dependency. Note that this must have been
> before I bound my laptop to the OD domain on my OS X Server.
> - 999 - macports, or rather what I changed macports to after I saw
> Rodolfo's original message in this trhead and realized
> it was conflicting with my OD accounts.
> - 1025 - my personal account, a mobile account on my laptop (in the
> local domain, and paired to my account in the OD domain).
> Before binding my laptop to my OD domain, my personal account
> had UID 502, which is why there is a hole in the sequence.
> It also involved much shuffling of files, yada, yada, yada.
>
> - When I created the local test account with this setup the resulting UID was 504
>
> I don't know if the system is explicitly keeping track of account deletions, but it's not just simply going with 1+ the highest UID of the local accounts.
>
> WorkGroup Manager with OS X Server creates Open Directory accounts starting with UID 1025. If for some reason you have a local account on the Open Directory master that has a UID ≥ 1025, WorkGroup Manager won't reuse that.
>
> So if you go through the standard GUI's you're probably not going to encounter this unless you've got a lot (500+) local accounts.
>
> If the account creation process in macports followed a similar process to what System Preferences uses to find a free UID it seems like we would have a better chance of avoiding the problem.
>
> - David
David is right. This is a hard issue and believe me I have burn many,
many candles during Holidays and weekends trying to solve userIDs
conflicts in MacOSServers.
It looks to me that MacPorts installer has these options:
1. Look if the machine is a server
2. If NOT a server then:
3. Either just create the 'user:macports group:macports' account picking:
a. the next available UUID account number (somewhere in the 500s)
b. using a pre-determined UUID and GUID, say 600...
c. giving the user the option to select which one or what
=>I assume that if the machine is not a server but IS listening to a
server through OD it does not matter, as long as there are UUIDs in
the 500s available
4. If the machine is a server then:
5. Check if the server is listening to an OD and if yes then either
quit and request a user 'macports' and a group 'macports' be created
on the master OD or proceed to create the user 'macports' and a group
'macports' on the master OD.
6. If however the server is running a 'local directory' then test if
all 500 numbers are taken and of they are proceed to create a user
'macports' and a group 'macports' in the 1000s. Because the server is
running a local directory this should be OK, because all the users in
the 1000s should be accounted for.
The problem is when you pick a user 'macports' and a group 'macports'
without testing the server/non-server/local/master OD configuration
Am I missing something?
--Rodolfo
More information about the macports-users
mailing list