Richard Kettlewell ([personal profile] ewx) wrote 2008-01-15 10:32 pm

Stupid Apple

You didn't want password changes to take effect immediately, did you?

At each password prompt I just hit return.

kakajou$ su test -c id;echo $?;date
Password:
uid=100(test) gid=4294967294(nobody) groups=4294967294(nobody),0(wheel)
0
Tue Jan 15 22:31:27 GMT 2008
kakajou$ sudo dscl / -create /Users/test Password \*;date
Tue Jan 15 22:31:31 GMT 2008
kakajou$ su test -c id;echo $?;date
Password:
uid=100(test) gid=4294967294(nobody) groups=4294967294(nobody),0(wheel)
0
Tue Jan 15 22:31:34 GMT 2008
kakajou$ su test -c id;echo $?;date
Password:
uid=100(test) gid=4294967294(nobody) groups=4294967294(nobody),0(wheel)
0
Tue Jan 15 22:31:46 GMT 2008
kakajou$ su test -c id;echo $?;date
Password:
su: Sorry
1
Tue Jan 15 22:31:49 GMT 2008
kakajou$ 

Having the default password be "" ain't exactly hot either.


(To summarize: if you want to mechanically create a user on a Mac then this week's tool is dscl. You have to fill out all the fields yourself rather than use a single tool which gets it all right for you and knows which API to use (like FreeBSD's pw for example or Linux's useradd). One of the fields you have to fill out is the password, and before you've done so the new user is wide open; moreover even when you do it takes some time to take effect. You can probably mitigate this by not setting a usable shell until the password is sorted, but sheesh.)

Updated July 2009: this bug doesn't exist in OS X 10.5.7. Good.
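The mitigation suggested in the summary above (no usable shell until the password is sorted), sketched as an added example; it is not code from the original post or from Apple. The function names, WAIT_SECS, the idea that `dscl -authonly` sees the same cached answer as su, and the idea that the first `-create` makes the record and sets UserShell together are all assumptions.

```sh
#!/bin/sh
# Added example, not from the original post. Dry run by default: the dscl
# commands are printed, not executed. Set DSCL="sudo dscl" on a Mac to apply.
DSCL=${DSCL:-echo dscl}
WAIT_SECS=${WAIT_SECS:-60}   # give up if the lock is not visible by then

# True while an empty password still authenticates. Assumption: -authonly
# sees the same (possibly cached) answer that su does.
empty_password_works() {
    dscl / -authonly "$1" "" </dev/null >/dev/null 2>&1
}

# Poll once a second until the empty password is rejected, or time out.
wait_until_locked() {
    waited=0
    while empty_password_works "$1"; do
        [ "$waited" -ge "$WAIT_SECS" ] && return 1
        sleep 1
        waited=$((waited + 1))
    done
    return 0
}

# provision_user NAME UID GID SHELL
provision_user() {
    rec="/Users/$1"
    # Assumed: the first -create makes the record and sets UserShell together,
    # so the account never exists with a usable shell and an empty password.
    $DSCL / -create "$rec" UserShell /usr/bin/false || return 1
    $DSCL / -create "$rec" Password '*'             || return 1
    $DSCL / -create "$rec" UniqueID "$2"            || return 1
    $DSCL / -create "$rec" PrimaryGroupID "$3"      || return 1
    # Do not hand out a real shell until the password change is visible.
    wait_until_locked "$1" || return 1
    $DSCL / -create "$rec" UserShell "$4"
}

# Constructed sample invocation: sh provision.sh test 100 100 /bin/bash
if [ "$#" -eq 4 ]; then
    provision_user "$@"
fi
```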


[personal profile] emperor 2008-01-15 10:59 pm (UTC)
...or you could use the GUI :-/

[identity profile] ewx.livejournal.com 2008-01-15 11:02 pm (UTC)
Oh, and you can't create system users using the GUI (i.e. ones that don't show up in the GUI).

[identity profile] baljemmett.livejournal.com 2008-01-15 11:08 pm (UTC)
Hmm, interesting -- I shall have to make a note of that, there are some rumblings that we might need to support OS X in our account management stuff soon...

[identity profile] ewx.livejournal.com 2008-01-16 08:57 am (UTC)
Unless I find better documentation than I have so far I'll write up a little web page on what I've discovered. Watch this space.

[identity profile] fluffymormegil.livejournal.com 2008-01-16 12:45 am (UTC)
Wow. That's... special.

[identity profile] ewx.livejournal.com 2008-01-16 08:56 am (UTC)
I assume that what's going on is that there is some kind of cache between su and the directory service (or netinfo if su is going direct). Caching, say, a (name, uid) relation would be perfectly sensible, but passwords really ought to be excluded.

[identity profile] aardvark179.livejournal.com 2008-01-16 11:01 am (UTC)
Try doing a quick
dscacheutil -flushcache
and see if that changes things.

[identity profile] ewx.livejournal.com 2008-01-16 11:04 am (UTC)
I'll give it a go this evening l-)

[identity profile] ewx.livejournal.com 2008-01-16 08:25 pm (UTC)
chymax$ dscacheutil -flushcache
-bash: dscacheutil: command not found

[identity profile] aardvark179.livejournal.com 2008-01-17 01:21 am (UTC)
Ah, you're still on 10.4? Bugger, I can't remember how that handled directory service caching.

[identity profile] drj11.livejournal.com 2008-01-18 03:56 pm (UTC)
I thought one was supposed to use nicl?

[identity profile] ewx.livejournal.com 2008-01-18 04:09 pm (UTC)
Apple say use dscl (http://developer.apple.com/documentation/Porting/Conceptual/PortingUnix/additionalfeatures/chapter_10_section_9.html). I hear that Netinfo is on the way out.

[identity profile] drj11.livejournal.com 2008-01-18 04:19 pm (UTC)
Right. I think an earlier version of that document had the dscl example but using nicl instead.

[identity profile] ewx.livejournal.com 2008-01-18 04:40 pm (UTC)
Mm. I wish they'd do a coherent useradd (etc) command like the free Unixes have had for years. They could still have their never-ending software upheaval but nobody else would have to care.