Mac OS X 10.5 fast system deployment practices-making core system images (2) V1


Quick system deployment practices for Mac OS X 10.5

Note:
The previous article is here: Mac OS X 10.5 fast system deployment practices-making core system images (2) V1


Local administrator

In an enterprise, each user is given the permissions needed for their own work, which keeps user management simple. To manage each computer, the administrator must have sufficient rights over the computer system, so a local administrator account with high privileges is essential.

As is well known, Mac OS X is a BSD-derived UNIX-like system whose core is Darwin, which Apple launched as early as 1989. It evolved mainly from FreeBSD, NeXTSTEP and other systems, conforms to the SUSv3 and POSIX UNIX specifications, and was fully upgraded to 64-bit from version 10.6. On the Mac, a system administrator generally does not need the root user to manage the system: an account with administrator permissions can complete the vast majority of system management work. Therefore, the first step is to create an administrator account.

In fact, when you install Mac OS X from the installation disc, the installer prompts you to create the first user account, and this account is an administrator account; you can use it as the local enterprise administrator account. If you do so, skip this section and read the next section carefully.

The easiest way to create an administrator account is through the graphical interface. Only one screen is shown below.

 

Use shell commands

You can also create the administrator account with shell commands:

sudo -s    # become root; the commands below run in the root shell
echo "creating system admin account ..."
dscl . -create /Users/SysAdmin
dscl . -create /Users/SysAdmin UserShell /bin/bash
dscl . -create /Users/SysAdmin RealName "system admin"
dscl . -create /Users/SysAdmin UniqueID 501
dscl . -create /Users/SysAdmin PrimaryGroupID 80
dscl . -create /Users/SysAdmin NFSHomeDirectory /Users/SysAdmin
dscl . -passwd /Users/SysAdmin "sadigowre4t0au4"    # replace with your own password before use
dscl . -append /Groups/admin GroupMembership SysAdmin    # admin group membership grants administrator rights
cp -R "/System/Library/User Template/English.lproj" /Users/SysAdmin    # seed the home directory from the template
chown -R SysAdmin /Users/SysAdmin

In the bash script above, the real name is "system admin", the UNIX user name is SysAdmin, the unique UNIX ID is 501, and the account is given administrator permission by adding it to the admin group. You can compare the differences between a common user account and an administrator account.

The root user is special in the UNIX world: it is the god of the computer and can do anything. Because a user with administrator identity can obtain root's capabilities in various ways, root is generally not used, and the root account is disabled on the Mac by default. You can enable it if required. Different versions of Mac OS X use different graphical tools for this; for detailed operations, see Apple's official documentation: Enabling and using the root user in Mac OS X.
From the command line:
sudo passwd root
Enter the root user's password and confirm it once.

Of course, the root user can also be enabled or disabled with the following command (tested on the 10.5 Leopard system; earlier systems have not been tested):

# enable the root user account
/usr/sbin/dsenableroot -u adminusername -p adminuserpassword -r rootpassword

Here adminusername after -u is an account with administrator identity, adminuserpassword after -p is that account's password, and rootpassword after -r is the new root password (dsenableroot -d disables the root account again). Note that some special characters in passwords must be escaped on the command line.

Administrator Account Security and hiding

To protect the administrator account, it should use a password of appropriate strength, which goes without saying; only those who need it for their work should know it, and employees should be trained to protect accounts and passwords, to use them correctly and to manage how passwords are stored, so that this password remains effective over the long term.

 

To make the system safer, it is recommended that the administrator account be hidden from common users. Common users have no need to know about such an account, and hiding it also puts an obstacle in the way of anyone trying to crack the system.

 

Several aspects need to be considered. First, the administrator's home directory should be hidden; second, the administrator account name should not appear in System Preferences or in the login window's user list. To start, find a free UID smaller than 500. On Mac OS X, all accounts created by users receive UIDs above 500 by default; UIDs below 500 are reserved for the system itself, which needs some accounts in order to run (for example the web service account _www, root, and so on). Accounts with UIDs below 500 are not shown in the graphical interface by default. You can look up the UIDs of different users in the graphical interface (the user ID field), or list the UIDs occupied by all current users with the following command:

dscl . -list /Users UniqueID
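As an added example, not from the original article: a POSIX shell script that parses the "name uid" lines produced by dscl . -list /Users UniqueID and picks the highest unused UID below 500 for the hidden administrator account, re-checking the candidate before printing the dscl command. The sample dscl output is constructed, and the search range 400-499 and the function names are assumptions.

```shell
#!/bin/sh
# Added example: choose a free UID below 500 for a hidden local admin.
# Constructed sample of "dscl . -list /Users UniqueID" output; on a real
# 10.5 client feed the command's real output into the functions instead.
SAMPLE_DSCL_OUTPUT='_www         70
_mysql       74
daemon       1
nobody       -2
root         0
zhangsan     501
SysAdmin     499
lisi         502'

# free_uid_below <max> <min>: print the highest UID in [min, max] that no
# user owns; fail when the whole range is taken. Reads dscl lines on stdin.
free_uid_below() {
    max=${1:-499}
    min=${2:-400}    # assumed floor, keeps clear of low system UIDs
    awk -v max="$max" -v min="$min" '
        NF >= 2 && $2 ~ /^-?[0-9]+$/ { used[$2] = 1 }
        END {
            for (u = max; u >= min; u--) if (!(u in used)) { print u; exit 0 }
            exit 1
        }'
}

# uid_in_use <uid>: succeed if some user already owns that UID.
uid_in_use() {
    awk -v want="$1" 'NF >= 2 && $2 == want { found = 1 } END { exit !found }'
}

main() {
    uid=$(printf '%s\n' "$SAMPLE_DSCL_OUTPUT" | free_uid_below 499 400) || {
        echo "no free UID below 500 in the search range" >&2; return 1; }
    # Defensive re-check right before the account would be created.
    if printf '%s\n' "$SAMPLE_DSCL_OUTPUT" | uid_in_use "$uid"; then
        echo "UID $uid is already taken" >&2; return 1
    fi
    echo "candidate hidden admin UID: $uid"
    echo "dscl . -create /Users/SysAdmin UniqueID $uid"
}

main
```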

Second, you can change the path of the administrator account's home directory in the graphical interface. The home directory setting is the user's home folder; if you change it, the new location is used from the next login onward.

Or, use the following command (the last argument is the home directory path to set):

dscl . -create /Users/SysAdmin NFSHomeDirectory /Users/SysAdmin

Alternatively, you can hide the directory itself by setting its extended attributes with a command such as SetFile, so that the Finder does not show it. This method is acceptable, but I think moving the home directory is better concealed than merely hiding it.

sudo SetFile -a V /Users/SysAdmin

The command above hides the home directory of the SysAdmin administrator account in the Finder. Next, set loginwindow not to display this account. This can be done with third-party software, but more easily through the command line. For example, the Cocktail software can hide the administrator account in the login window, as shown in the figure.

The following command line hides SysAdmin:

sudo defaults write /Library/Preferences/com.apple.loginwindow HiddenUsersList -array-add SysAdmin

 

Finally, test. Testing is required: one method alone may not solve the problem, and another method or a combination of several may be needed.
There is one more way to hide the account, but it is a bit complicated. The principle is that UNIX-like systems use plug-ins to support the modern concept of authentication domains, so that authentication can be extended; this feature can be used to add a local authentication domain to the user authentication system. The method has its own advantages, but I will not go into it here.

 


Remote management

To facilitate remote management, the necessary management services usually need to be enabled on the client, and the remote administrator account/group must be authorized with sufficient permissions in those services; generally all permissions are granted, although some can be "read-only" permissions to manage by classification or hierarchy.
In System Preferences -> Sharing, select the options X and X, and add users to grant sufficient permissions.

For remote management you also need to set the specific administrator permissions. I have selected all permissions here; for different enterprises the choice is likely to differ.


Generally, you need to enable Remote Login and Remote Management: the administrator can then manage the client from the SSH command line, or graphically with Apple Remote Desktop. Both methods are provided to the administrator for remote management. Of course, you must observe the enterprise's internal security management regulations; in some cases this setting is not suitable for everyone.

You can also use the command line to add an administrator to, and authorize, the remote management service.

Master password

The master password (the FileVault master password) can be used in many places. For example, it can reset a user's password without logging in, and it is used in FileVault: when a user forgets his or her FileVault password, the administrator can use the master password to recover the user's FileVault data. This password is therefore very important; it should be unified across the enterprise and across versions, and a complete change history should be kept if it ever has to change. Even if the enterprise does not plan to use this function, we recommend setting the master password. There is currently no Chinese description on the official website; the English description is: Creating a master password.
It is in fact very easy: open the Security pane of System Preferences, click Set Master Password and enter the password (if the pane is locked, unlock it first). If you forget or cannot find the master password, you can delete the master password files and set a new one. However, if FileVault is in use, only the original master password can decrypt the data; the new master password takes effect only after the user data has been decrypted. The files related to the master password are stored in the keychain files /Library/Keychains/FileVaultMaster.keychain and /Library/Keychains/FileVaultMaster.cer; deleting them resets the master password. To ensure security, check the permission attributes of these two files.

Login window background

This is a small trick unrelated to functionality, mentioned here only as a reminder: change the default loginwindow background to an image carrying company branding or a brief description of company rules.

First, make a company background image in JPG format, of any size, stored anywhere, but preferably readable by everyone, for example saved as /System/Library/CoreServices/companylogin.jpg

Then use the following command to change the background:

sudo defaults write /Library/Preferences/com.apple.loginwindow DesktopPicture /System/Library/CoreServices/companylogin.jpg

Log out and check whether it works. Otherwise, check the properties of the image file.

Common Tools

There are many system management tools, too many to cover here, but some of the most commonly used are listed. If anyone has a good suggestion, feedback is welcome.

Cocktail
Onyx


Continued in: Mac OS X 10.5 fast system deployment practices - making core system images (3) V1


Tony Liu

2009 Calgary
