I've made a few daemon accounts with 'dscl', but unfortunately I didn't take good notes on what commands I issued. I had found decent instructions on creating a minecraft server on macOS which was really useful but now I can't seem to find it. :(

You can see what's "necessary" by examining one of the built-in daemons. For example,

dscl . read /Users/_sshd

Shows me:
AppleMetaNodeLocation: /Local/Default
GeneratedUID: FFFFEEEE-DDDD-CCCC-BBBB-AAAA0000004B
NFSHomeDirectory: /var/empty
Password: *
PrimaryGroupID: 75
RealName: sshd Privilege separation
RecordName: _sshd sshd
RecordType: dsRecTypeStandard:Users
UniqueID: 75
UserShell: /usr/bin/false

You'll need to figure out an appropriate UniqueID that isn't being used on your system. IIRC numbers starting at 300 were unused, so that's where I made mine.

This will show you all the UniqueIDs on your system:
dscl . readall /Users UniqueID

Oh yeah, the existing Apple daemons also belong to their own unique group -- I doubt that's necessary and you could just assign yours to group 'staff' (i.e., 20). Otherwise you'd have to create the group records, too.


Oh, found one of the sources I used:

https://minecraft.fandom.com/wiki/T...startup_daemon#The_hard_.28and_correct.29_way

Hope that helps some.
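
The steps described in the post above (find an unused UniqueID, then copy the no-login attributes of the `_sshd` record, with a dedicated group), as an added example that is not part of the original thread. The account name `_pgdaemon` and the sample listing are constructed for illustration; the script only prints `dscl` commands for review and changes nothing.

```shell
#!/bin/sh
# Added example: plan a no-login daemon account. It prints dscl commands
# for review and does not modify the directory itself.

# first_free_id MIN: read "name id" lines on stdin (the output format of
# `dscl . list /Users UniqueID`) and print the lowest unused id >= MIN.
first_free_id() {
    awk -v min="$1" '
        NF  { used[$NF] = 1 }
        END { id = min + 0; while (id in used) id++; print id }'
}

# emit_daemon_cmds NAME ID: print commands that create a group and a user
# with the same no-login settings as the _sshd record shown above.
emit_daemon_cmds() {
    name=$1 id=$2
    # Reject anything that is not a plain identifier or a plain number,
    # so the printed commands cannot carry shell metacharacters.
    case $name in ''|*[!A-Za-z0-9_]*) echo "bad name" >&2; return 1 ;; esac
    case $id   in ''|*[!0-9]*)        echo "bad id"   >&2; return 1 ;; esac
    # '*' stays quoted so the shell does not expand it to file names.
    cat <<EOF
sudo dscl . -create /Groups/$name
sudo dscl . -create /Groups/$name PrimaryGroupID $id
sudo dscl . -create /Groups/$name Password '*'
sudo dscl . -create /Users/$name
sudo dscl . -create /Users/$name UniqueID $id
sudo dscl . -create /Users/$name PrimaryGroupID $id
sudo dscl . -create /Users/$name RealName '$name daemon'
sudo dscl . -create /Users/$name NFSHomeDirectory /var/empty
sudo dscl . -create /Users/$name UserShell /usr/bin/false
sudo dscl . -create /Users/$name Password '*'
EOF
}

# Constructed sample listing. On a real Mac, pipe in both listings so the
# id is free as a UniqueID and as a PrimaryGroupID:
#   { dscl . list /Users UniqueID; dscl . list /Groups PrimaryGroupID; }
SAMPLE_IDS='_sshd 75
staff 20
alice 501
_svc_a 300
_svc_b 301'

# _pgdaemon is a hypothetical account name.
free_id=$(printf '%s\n' "$SAMPLE_IDS" | first_free_id 300)
emit_daemon_cmds _pgdaemon "$free_id"
```

The same name then goes into the plist's `UserName` key, and files the daemon must write to need to be owned by that account.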
 
What exactly are you trying to accomplish? Creating a new user might be unnecessary.
See https://developer.apple.com/library...stemStartup/Chapters/CreatingLaunchdJobs.html
https://www.launchd.info
I need to set up two servers. For security reasons, as you probably know, it's recommended to start the server with a unique user, created specifically for that purpose. So I'm trying to set up my daemon to start as that specific user.
I created everything running under my username but now I'm trying to set things up properly with specific respective users.
I've seen those two sites, they don't talk about user creation.
Yep, I've seen the Minecraft tutorial. As per that tutorial, I'm not sure whether having a log in is a good idea or even necessary.

As for referring to .plist files provided by default, not sure how much I will learn from things that I don't know the purpose of. For example the _sshd daemon has a password of *. In my time playing around with creating users, I have been unable to set a * password to my user, no idea how to do that.
 
Standard account
Code:
sudo sysadminctl -addUser u_service_1 -fullName "User for Service 1" -password "anyPass"

in the daemon plist
Code:
<key>UserName</key>
    <string>u_service_1</string>
 
Thanks, I cobbled together a user finally. No idea how right or wrong it is to be honest. I'll go with it for now. I used dscl but I'll bear sysadminctl in mind for the future.
 
I inserted:

Code:
<key>UserName</key>
<string>MyUser</string>

into my plist, however, the daemon loads as root for some reason. Any clues as to why this might be the case?
 
That key and string look right. Did you insert your lines within the <dict> tag? That is, between the <dict> and </dict> lines.
 
This is just a guess, maybe it needs to be loaded with
launchctl bootstrap user/503/
where 503 is the UniqueID of the user MyUser
You can find that with
dscl . list /Users UniqueID | grep MyUser
 
Check the ownership of the plist file, too.

I think it needs to be owned by the given UserName. Or I could be misremembering.
 
This is just a guess, maybe it needs to be loaded with
launchctl bootstrap user/503/
where 503 is the UniqueID of the user MyUser
You can find that with
dscl . list /Users UniqueID | grep MyUser
I don't think so. According to:


It says "the name of the user/group, not the id"

Check the ownership of the plist file, too.

I think it needs to be owned by the given UserName. Or I could be misremembering.
According to documentation, it needs to be set to root and wheel which is what I've got it set as. It doesn't start if it's set wrong.
 
I only have one launch daemon that uses the UserName key, it’s from Stubby Manager 0.2.6 and it runs with UserName root.
https://dnsprivacy.org/dns_privacy_daemon_-_stubby/installation/stubby_gui_for_macos/
The content of the file /Library/LaunchDaemons/org.getdns.stubby.plist

Code:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>Label</key>
    <string>org.getdns.stubby</string>
    <key>KeepAlive</key>
    <true/>
    <key>RunAtLoad</key>
    <true/>
    <key>ProgramArguments</key>
    <array>
      <string>/Applications/StubbyManager.app/Contents/MacOS/stubby</string>
      <string>-l</string>
      <string>-C</string>
      <string>/Applications/StubbyManager.app/Contents/MacOS/stubby.yml</string>
    </array>
    <key>UserName</key>
    <string>root</string>
    <key>StandardErrorPath</key>
    <string>/var/log/stubby.log</string>
    <key>StandardOutPath</key>
    <string>/var/log/stubby.log</string>
  </dict>
</plist>

I’ve tried to make it run under my admin account in Big Sur, but it fails to start.
There may be additional restrictions regarding the ownership of the paths of the executable run or the log files.

As there is no recent official documentation from Apple, maybe it’s not possible anymore to run launch daemons under a different user. Possibly related to some security vulnerabilities. ("Environmental Disaster: A LaunchServices Tale" - Ron Waisberg)

Anyway, is a launch daemon really necessary?
You could just start it with
su MyUser -c /Path/To/UNIX/Executable
 
I figured it out, it was an issue with the program I was trying to run.
 
Could you post what the program was, and the issue that was identified, so anyone else who comes across this thread in the future can read the result? Thanks.

Just as a matter of curiosity, and because I haven't played with launchd plists in years, I'm wondering what the actual problem was. My more recent adventures in this area involve a Raspberry Pi and systemd files, which is quite a different kettle of fish (or bag of hurt) than launchd plists.
 
The program was PostgreSQL. The problem was permissions for the data folder were set to <user> upon installation and you need to change them to be your daemon's owner. The only problem is I've run into another issue. Every time I load the service, it knocks out every 5th service. Well, every 5th or so service suddenly has a status of -9 but the computer doesn't appear to be crashing or anything of the sort. Everything seems to be working fine. I can't find any info on the -9 error code.

launchctl error -9

produces

4294967287: (null)

so that's no help. Google is of no help either. Totally clueless about how to solve this one seemingly final step.

Aaaand fixed the -9 issue by setting the group to daemon's group as well.
 
There are some options for KeepAlive, like Crashed

<key>KeepAlive</key>
<dict>
<key>Crashed</key>
<true/>
</dict>
 