Would you mind explaining what you did in order to create those accounts? It would be very helpful to me.
(EDIT: I'm a bit embarrassed! AFTER writing all this up I found out that even though I did create a separate daemon user account in this way, I've been running rsyslog as root this whole time.
The reason is that when I ran it as _rsyslogd, it didn't have permissions to write to /var/log (where I wanted the log file to go) nor to /var/run (where the default pid-file is written) nor could it bind to the default port 514, and thus rsyslog would fail. So I must have given up on running it as _rsyslogd. I've successfully run other services as special daemon accounts and I guess I got them mixed up in my memory.
I'll post this write-up anyway, since it still works as a way to create a daemon account and it has worked for two other services I've configured. Maybe the 'dscl' commands will still be helpful to someone.)
My notes are incomplete, but I think this covers everything...
Decide upon a daemon account name. I tried to make the rsyslog daemon account look like the various daemon accounts Apple creates by default; most of them seem to begin with an underscore. I decided on '_rsyslogd'.
Find a free User ID number (UID) and a free Group ID number (GID). Apple's seem to range from double-digits up to the high 200's. Normal user accounts use UIDs in the 500's. There didn't seem to be any existing usage of the 300's, so I chose UID=300 for my _rsyslogd account, and GID=300. (I don't know if you need a new separate Group for _rsyslogd, but I noticed that Apple had set up its various daemons with their own corresponding Groups, so I copied that convention.)
You can see what account names and UIDs are in use with
dscl . readall /Users UniqueID
You can see what group names and GIDs are in use with
dscl . readall /Groups PrimaryGroupID
-------------------------------------
First I created the group:
Code:
sudo dscl . -create /Groups/_rsyslogd
sudo dscl . -create /Groups/_rsyslogd PrimaryGroupID 300
You can see what the group entry looks like with
dscl . read /Groups/_rsyslogd
Mine looks like:
Code:
AppleMetaNodeLocation: /Local/Default
GeneratedUID: 26DCF65A-76A3-4D58-9B6F-28B39435E0D4
Password: *
PrimaryGroupID: 300
RealName: rsyslog Daemon
RecordName: _rsyslogd
RecordType: dsRecTypeStandard:Groups
I don't remember how I got the RealName in there... probably something like
sudo dscl . -create /Groups/_rsyslogd RealName "rsyslog Daemon"
--------------------------------------
Now, create a standard User account with no login ability and no home directory:
Code:
sudo dscl . -create /Users/_rsyslogd UniqueID 300
sudo dscl . -create /Users/_rsyslogd PrimaryGroupID 300
sudo dscl . -create /Users/_rsyslogd UserShell /usr/bin/false
You can see what your entry looks like with
dscl . -read /Users/_rsyslogd
Mine looks like this:
Code:
AppleMetaNodeLocation: /Local/Default
GeneratedUID: 9BA2AE22-ADAB-4E0C-9488-D19F5C7D3BFA
NFSHomeDirectory: /var/empty
Password: *
PrimaryGroupID: 300
RealName: _rsyslogd
RecordName: _rsyslogd
RecordType: dsRecTypeStandard:Users
UniqueID: 300
UserShell: /usr/bin/false
I think I compared that against other "standard" daemon accounts and it seemed right. Now in your /Library/LaunchDaemons/rsyslog.plist file you can put this key/value in order to run rsyslog as user _rsyslogd:
Code:
<key>UserName</key>
<string>_rsyslogd</string>
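The procedure above, collected into one script as an added example (this is not the poster's code, and nothing here comes from the rsyslog project). It assumes the same names the post uses (account `_rsyslogd`, UID/GID 300, RealName "rsyslog Daemon") and adds the two things a practitioner would want before typing the `dscl` commands by hand: an explicit check that the chosen ID is not already taken in either `/Users` or `/Groups` (the post does this by eye), and the `NFSHomeDirectory`, `Password '*'` and `RealName` attributes that appear in the posted records but not in the posted commands. The `GroupName` launchd key is an addition alongside the `UserName` key shown in the post. The ID helpers are pure text processing over `dscl -readall` output, so they are exercised here against a constructed listing; the record-creating function only runs on a Mac, as root, when the script is given its three arguments.

```shell
#!/bin/sh
# Added example, not from the original post. Creates a macOS daemon account
# with dscl after checking that the UID/GID is free, then prints the launchd
# keys that run a job as that account.
# Assumed usage:  sudo sh make_daemon.sh _rsyslogd 300 "rsyslog Daemon"
set -eu

# True (exit 0) if numeric ID $2 appears in $1, which is the output of
# "dscl . -readall /Users UniqueID" or "dscl . -readall /Groups PrimaryGroupID"
# (one "UniqueID: N" or "PrimaryGroupID: N" line per record).
id_in_use() {
    listing="$1"; wanted="$2"
    printf '%s\n' "$listing" | awk -v want="$wanted" '
        ($1 == "UniqueID:" || $1 == "PrimaryGroupID:") && $2 == want { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Print the lowest ID >= $2 that does not occur in listing $1.
first_free_id() {
    listing="$1"; candidate="$2"
    while id_in_use "$listing" "$candidate"; do
        candidate=$((candidate + 1))
    done
    printf '%s\n' "$candidate"
}

# Create the group and the matching user record. Needs root and dscl (macOS).
# Mirrors the posted records: no password, no shell, home at /var/empty.
create_daemon_account() {
    name="$1"; id="$2"; realname="$3"
    users=$(dscl . -readall /Users UniqueID)
    groups=$(dscl . -readall /Groups PrimaryGroupID)
    if id_in_use "$users" "$id" || id_in_use "$groups" "$id"; then
        echo "ID $id is already used by a user or group; try $(first_free_id "$users
$groups" "$id")" >&2
        return 1
    fi
    dscl . -create "/Groups/$name"
    dscl . -create "/Groups/$name" PrimaryGroupID "$id"
    dscl . -create "/Groups/$name" RealName "$realname"
    dscl . -create "/Groups/$name" Password '*'
    dscl . -create "/Users/$name"
    dscl . -create "/Users/$name" UniqueID "$id"
    dscl . -create "/Users/$name" PrimaryGroupID "$id"
    dscl . -create "/Users/$name" RealName "$realname"
    dscl . -create "/Users/$name" NFSHomeDirectory /var/empty
    dscl . -create "/Users/$name" UserShell /usr/bin/false
    dscl . -create "/Users/$name" Password '*'
}

# Emit the launchd job keys that make the job run as the new account.
launchd_user_keys() {
    printf '    <key>UserName</key>\n    <string>%s</string>\n' "$1"
    printf '    <key>GroupName</key>\n    <string>%s</string>\n' "$1"
}

# Only touch the directory when given all three arguments on a machine with dscl.
if [ "$#" -eq 3 ] && command -v dscl >/dev/null 2>&1; then
    create_daemon_account "$1" "$2" "$3"
    dscl . -read "/Users/$1"      # show the record, as the post does
    launchd_user_keys "$1"        # paste into /Library/LaunchDaemons/<job>.plist
fi
```

The ID check is the part worth keeping even if you prefer to type the `dscl` lines by hand: `-create` happily writes a duplicate UniqueID, and a daemon sharing a UID with another account inherits that account's file access.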