serinde: (I see stupid people)
serinde wrote 2008-02-05 04:11 pm

"I do not think that word means what you think it does"

A vanilla install of OS X Server gives you an admin user (who is not root). This user's vanilla primary group is GID 20, which is group "staff", which is named "Users". You cannot change that group's name(s) without causing some glorious breakage (or else knowing a lot more than I do at present).

o_O

Now maybe (or even probably) I'm just an artifact of But We Always Did Things *This* Way, and I know I'm weaker than I ought to be on sysadmin theory; but it seems to my undereducated brane that 1) you would differentiate between a group that is "staff", i.e. people who are of some degree of elevated privilege, and "all users"; and 2) you would not want your very very privileged user's native group to be the most hoi polloi-ish of your extant options.

There is logic and reason here, it just isn't what I'm used to, and it will probably cost me some time and effort to wrap my head around it. (I found sweh's comparison to djbware very en pointe--though in that case I understood it, and just didn't LIKE it. Also I find DJB much more irritating than Apple.)

fivetonsflax.livejournal.com 2008-02-05 09:59 pm (UTC)
I don't get it. Group "staff" is named "Users"? Isn't it named ... "staff"?

syringavulgaris.livejournal.com 2008-02-05 10:06 pm (UTC)
Its "Short Name" (and what appears in /etc/group) is "staff".
Its "Name" is "Users".

This seems to be analogous to the "short name" and "name" of a regular user account. I have not yet meditated sufficiently on the manual (nor poked around enough) to see the practical functionality of this differentiation, other than that you can make the "Name" to be whatever stupidity you like whereas the "Short Name" is presumably limited by the usual Unixisms.

spride.livejournal.com 2008-02-06 12:06 am (UTC)
see below

spride.livejournal.com 2008-02-06 12:06 am (UTC)
It's because the only local users of the server will be sysadmins, i.e. IT staff, hence unix-group 'staff'. Ordinary lusers don't get local accounts on the server-local directory - only in Open Directory, where they can be contained and controlled. See?

syringavulgaris.livejournal.com 2008-02-06 02:02 am (UTC)
Ah! Okay--and that's even consonant with my own purpose.

But--what if that isn't what I was doing? I could see wanting a server that had users who just had accounts for going about their business, who were nevertheless not sysadmins on THAT host.

spride.livejournal.com 2008-02-06 03:05 am (UTC)
Well, what would such a server be for in the Apple world? OS X "client" is already a multiuser UNIX that runs ordinary stuff. The rationale behind having a server version of OS X is for the value of the apps it runs: OD, and the server apps like iChat, blog, wiki as well as the management things like Workgroup Manager, DHCP and so on. A big meaty-disked machine running vanilla OS X is a bit pointless, really.