How to create a daemon user in installer?
- Subject: How to create a daemon user in installer?
- From: Matt Arsenault <email@hidden>
- Date: Wed, 09 Jan 2013 16:41:11 -0500
Hi,
I'm trying to write an installer that adds a new launch daemon that runs as a separate user. The only other programs I've looked at all use the deprecated AuthorizationExecuteWithPrivileges to run dscl again and again with the necessary arguments. The alternative to this I've found very frustrating. First, dscl is miserable to work with, first because it requires you to figure out a UniqueID on your own, and then because it doesn't let you initialize the fields for a user in a single command.
I've been submitting this privileged task with:
SMJobSubmit(kSMDomainSystemLaunchd, ….)
with the RunAtLoad option set (and Debug), followed up immediately after with an SMJobRemove. This feels wrong. Does launchd really need to be involved here?
If I need to reinvoke a new launchd job for every single user (plus the group it should belong to) parameter that needs to be set for a daemon user (UserShell, NFSHomeDirectory, UniqueID, PrimaryGroupID, Password), it's a huge pain. Instead of doing this I'm right now trying to submit a single job with a bash script that does all of the user creation. I set the ProgramArguments array in my submitted plist as /bin/bash, -c, my script string.
As a test script:
    #define STRINGIFY(...) # __VA_ARGS__
    CFStringRef testScript = CFSTR(STRINGIFY(
        echo "Hello";
        output=$(dscl -q . -list /Users UniqueID);
        echo "Output ${output}";
    ));
If I check the file I set to StandardOutPath / StandardErrorPath, after running this the contents will be "Hello". It then just ends at the part where dscl runs. This works with just about every other command I've tried (ls, cat, …). Their output as expected is logged. My guess was that somehow dscl was special because it will use the network to talk to opendirectoryd. If I replace the dscl command with something else that uses the network (e.g. ping -c 3 www.google.com), it also just ends and says "Hello." I see nothing in the system logs about launchd killing my job or anything. Strangely, it works if I use dseditgroup -v which I would expect to do essentially the same thing as dscl, so now I don't know why dscl or ping are special. Is there something I need to do to launchd to allow these to run?
What's the correct way to automate adding a user? Why does this script silently end when dscl should run?
Darwin-dev mailing list (email@hidden)
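The single-script approach described in the post above, sketched as an added example that is not part of the original message: it picks an unused UniqueID from `dscl . -list /Users UniqueID` style output and prints the dscl commands that set each field for a daemon user and its group. The account name `_mydaemon`, the 200-400 ID range, the `/usr/bin/false` shell, the `/var/empty` home and the `'*'` password value are assumptions, and the listing is constructed sample data so the script runs without touching the directory.

```sh
#!/bin/sh
# Constructed sample of `dscl . -list /Users UniqueID` output (name, id).
SAMPLE_USERS='_www 70
_mysql 74
root 0
daemon 1
alice 501
_foo 300
_bar 301'

# next_free_id LISTING LOW HIGH
# Print the lowest id in [LOW, HIGH] that does not appear in the last
# column of LISTING. Returns non-zero if the whole range is taken.
next_free_id() {
    printf '%s\n' "$1" | awk -v lo="$2" -v hi="$3" '
        { used[$NF] = 1 }
        END {
            for (i = lo; i <= hi; i++)
                if (!(i in used)) { print i; exit 0 }
            exit 1
        }'
}

# daemon_user_cmds NAME UID GID
# Print (not run) the dscl commands for a login-less daemon account.
# NAME must start with "_" and use only [a-z0-9_]; ids must be numeric,
# so nothing unexpected ends up in a command executed as root.
daemon_user_cmds() {
    n=$1 u=$2 g=$3
    case $n in ''|[!_]*|*[!a-z0-9_]*) return 1 ;; esac
    case $u$g in ''|*[!0-9]*) return 1 ;; esac
    cat <<EOF
dscl . -create /Groups/$n
dscl . -create /Groups/$n PrimaryGroupID $g
dscl . -create /Groups/$n Password '*'
dscl . -create /Users/$n
dscl . -create /Users/$n UniqueID $u
dscl . -create /Users/$n PrimaryGroupID $g
dscl . -create /Users/$n UserShell /usr/bin/false
dscl . -create /Users/$n NFSHomeDirectory /var/empty
dscl . -create /Users/$n Password '*'
EOF
}

# Demo on the constructed listing; _mydaemon is a hypothetical name.
# On a real system the listing would come from: dscl . -list /Users UniqueID
id=$(next_free_id "$SAMPLE_USERS" 200 400) &&
    daemon_user_cmds _mydaemon "$id" "$id"
```

Reusing the same number for the group assumes that PrimaryGroupID is also free; the same `next_free_id` function can be run over `dscl . -list /Groups PrimaryGroupID` output to check.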