What is the right way to create a user on MacOS X, from the command line, which will be used only for running a server application? For example, there is already the '_www' user for Apache httpd, but for the new application I want it to be using its own account.
1 Answer
There is no "adduser" command. The Mac approach is to use the dscl command, which is the "Directory Service Command Line Utility". Directory Services is similar in notion to LDAP, but is a different solution.
The examples below will use 'mydaemon' as the intended account, though typically you would use a value matching the name of your daemon application.
All daemon users are prefixed with an underscore, such as _www.
To list the attributes on an existing entry:
```
sudo dscl . -read /Users/_www
```
Before creating a user, create a group choosing an unused group id (here we chose 300):
```
sudo dscl . -create /Groups/_mydaemon
sudo dscl . -create /Groups/_mydaemon PrimaryGroupID 300
```
Once done, we create a new user (we use the same id as we did for the group) that won't be using a shell:
```
sudo dscl . -create /Users/_mydaemon UniqueID 300
sudo dscl . -create /Users/_mydaemon PrimaryGroupID 300
sudo dscl . -create /Users/_mydaemon UserShell /usr/bin/false
```
The above is based on reading up on various information sources and verifying the process myself. One reference that I found useful is:
http://minecraft.gamepedia.com/Tutorials/Create_a_Mac_OS_X_startup_daemon
Note, there is also a GUI version of dscl (location based on MacOS X 10.10):
```
/System/Library/CoreServices/Applications/Directory\ Utility.app/
```

- The last used GID can be found with the command `dscacheutil -q group | grep gid | tail -n 1` – Sphinges Jan 18 '16 at 16:18
- The command suggested by [@sphinges](https://stackoverflow.com/users/1710017/sphinges) is wrong. The group ids are not necessarily listed in ascending order, so the last, but not necessarily the highest, is returned. `dscacheutil -q group | grep gid | awk '{print $2}' | sort -n | tail -n 1` should work better, although I much prefer to see the last 15 or so, since above 260 they tend to be pretty sparse: `dscacheutil -q group | grep gid | awk '{print $2}' | sort -n | tail -n 15` – Scott Oct 25 '17 at 20:39
- I found some duplicates coming out of the suggestion by @Scott. Also, I like to see the names that go with the ids. This produces a nice line with that info: `dscacheutil -q group | awk 'BEGIN { ORS="" } /name/ { print $2 " " } /gid/ { print $2 "\n" }' | sort -unk 2`. Pass to `tail` to clip to the last lines. – Hod Aug 09 '18 at 01:17
- Adding to @Hod's comment, if you’d like to see all the UIDs and their associated user account names, substitute `group` for `user` and substitute `/gid/` for `/uid/`, like so: `dscacheutil -q user | awk 'BEGIN { ORS="" } /name/ { print $2 " " } /uid/ { print $2 "\n" }' | sort -unk 2` – アリスター Nov 03 '22 at 14:23
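
The id lookup from the comments combined with the answer's `dscl` sequence, as an added example that is not part of the original thread: it picks the lowest id that is unused as both a uid and a gid (an id already held by another account would make the daemon share that account's file ownership) and prints the commands for review instead of running them. The function names, the 300..399 search range and the sample dumps are assumptions constructed for illustration.

```shell
#!/bin/sh
# used_ids KEY: from `dscacheutil -q user|group` text on stdin, print the
# values of the exact field KEY ("uid" or "gid"), de-duplicated.
used_ids() { awk -v key="$1:" '$1 == key { print $2 }' | sort -un; }

# first_free_id LO HI: read used ids on stdin, print the lowest unused id
# in LO..HI; exit status 1 if the whole range is taken.
first_free_id() {
    awk -v lo="$1" -v hi="$2" '{ used[$1] = 1 }
        END { for (i = lo + 0; i <= hi + 0; i++)
                  if (!(i in used)) { print i; exit 0 }
              exit 1 }'
}

# pick_id LO HI USER_DUMP GROUP_DUMP: lowest id free as both a uid and a
# gid, since the answer reuses one number for the user and its group.
pick_id() {
    { printf '%s\n' "$3" | used_ids uid
      printf '%s\n' "$4" | used_ids gid; } | first_free_id "$1" "$2"
}

# daemon_account_cmds NAME ID: print the answer's dscl sequence for _NAME.
daemon_account_cmds() {
    printf 'sudo dscl . -create /Groups/_%s\n' "$1"
    printf 'sudo dscl . -create /Groups/_%s PrimaryGroupID %s\n' "$1" "$2"
    printf 'sudo dscl . -create /Users/_%s UniqueID %s\n' "$1" "$2"
    printf 'sudo dscl . -create /Users/_%s PrimaryGroupID %s\n' "$1" "$2"
    printf 'sudo dscl . -create /Users/_%s UserShell /usr/bin/false\n' "$1"
}

# Constructed sample dumps, used when dscacheutil is not available.
SAMPLE_USERS='name: _svc_a
uid: 300
gid: 300'
SAMPLE_GROUPS='name: _svc_a
gid: 300

name: _grp_only
gid: 301'

if command -v dscacheutil >/dev/null 2>&1; then
    user_dump=$(dscacheutil -q user); group_dump=$(dscacheutil -q group)
else
    user_dump=$SAMPLE_USERS; group_dump=$SAMPLE_GROUPS
fi
# 300..399 is an assumed search range starting at the id the answer chose.
id=$(pick_id 300 399 "$user_dump" "$group_dump") &&
    daemon_account_cmds mydaemon "$id"
```

With the sample dumps, 301 is skipped even though no user holds it, because a group already does.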