Hide users from Mac OS X Snow Leopard logon screen

25

24

Somehow, I managed to set a passwd for my _postgres user on my OS instead of setting it on the postgres role I have as my superuser / root. Anyways since this, I've been struggling with that user showing up in the account section and login screen, which I really would like to avoid. I've read through some docs about this, and setting the password to * should be all that is needed to fix this. But after several attempts doing this with and without dscl to no avail, I've gotten to a point where I don't know what to do anymore.

I didn't think it would be even hard doing this, but clearly I'm missing something, so how do you do this?

googletorp

Posted 2009-11-13T16:52:52.267

Reputation: 528

Having a password for your _postgres user isn't a particularly bad idea at all. – Hasaan Chop – 2009-11-15T17:36:35.170

The postgres docs actually recommend the opposite, that way only system users can access postgres, and there is one less password to remember / security risk. – googletorp – 2009-11-16T11:20:18.137

Have you tried deleting and recreating the user? – Chealion – 2009-11-22T19:35:11.540

Yeah, I've tried that a few times actually. You need to somehow set the passwd to disabled as not having a passwd is not enough. This is the pain point I haven't been able to overcome. – googletorp – 2009-11-22T20:33:11.890

Answers

31

The easiest method for hiding system users (if their user ID is < 500) in the login window is to run the following command:

sudo defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool TRUE

Alternatively you can manually hide just the username by running

sudo defaults write /Library/Preferences/com.apple.loginwindow HiddenUsersList -array-add '_postgres'

To hide the 'Others...' item from the login window if need be:

sudo defaults write /Library/Preferences/com.apple.loginwindow SHOWOTHERUSERS_MANAGED -bool FALSE

Chealion

Posted 2009-11-13T16:52:52.267

Reputation: 22 932

Note that this will not hide the user on the initial boot screen if you have FileVault2 on. – James McMahon – 2015-11-19T15:03:13.117

This is an excellent answer, and precisely answered my question. But you're probably right that it isn't exactly the question you asked. – Bill Michell – 2010-10-07T11:34:17.943

Hide500Users flag doesn't seem to work under Lion anymore. Only the remaining two commands work for Lion. – Antony – 2011-11-15T02:51:01.680

This is a somewhat hacky solution and doesn't actually "solve" the problem, it just hides the symptoms. I have a lot of different system users for stuff like mysql and whatnot, and they don't show up because their password is marked as '*'. This is what I'm trying to accomplish for my postgres user. Your solution would be bad if I had other users I did want to hide, but be able to login with using others. I would really like to go to the root and actually fix this instead of hiding the problem. – googletorp – 2009-11-16T11:19:13.867

12

dscl . create /Users/test
dscl . create /Users/test UniqueID 420
dscl . create /Users/test PrimaryGroupID 420
dscl . create /Users/test UserShell /bin/bash
dscl . create /Users/test NFSHomeDirectory /tmp
dscl . create /Users/test RealName Test
dscl . create /Users/test Password test

This creates a user that's visible in sysprefs/Accounts.

dscl . create /Users/test Password "*"

This hides the user. Make sure you quote the "*" or it won't work.

EDIT: I accidentally managed to recreate googletorp's situation of not being able to hide a user by setting his password to "*", and I discovered how to fix it. This time, I had created a user using dsimport, like this:

dsimport /dev/fd/0 /Local/Default I --template StandardUser << EOF
test:*:520:520:Test user:/Users/test:/bin/bash
EOF

But in that command, the * is taken to represent a literal one-character password of *, and so dsimport creates an AuthenticationAuthority property for the user and sets the password property to the shadow hash of * (which shows up as ******** in dscl, as for all passwords). After that, attempting to set the password to "*" using dscl just keeps setting the password to a literal *, instead of disabling the password. The solution is to delete the unwanted property, and then disable the password:

sudo dscl . delete /Users/test AuthenticationAuthority
sudo dscl . create /Users/test Password "*"

This hides the user.

LaC

Posted 2009-11-13T16:52:52.267

Reputation: 2 263

Instead of the quotes, have you tried escaping the star?

dscl . -create /Users/test Password \* – Eric3 – 2011-05-31T04:19:52.963

As long as dscl sees a literal "*" after "Password", anything goes. – LaC – 2011-05-31T10:19:18.667
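A check for the account state described in LaC's answer, as an added example that is not part of the original answers: it classifies an account by whether an AuthenticationAuthority property exists and whether Password is a bare "*". The function names and the sample dscl outputs are constructed for illustration; the two audit functions need dscl and only run on a Mac.

```shell
#!/bin/sh
# Added example. Classifies a local account from the text printed by
#   dscl . -read /Users/<name> Password AuthenticationAuthority
# Verdicts:
#   shadow-hash  AuthenticationAuthority exists, so the account has a real
#                password (possibly a literal "*") and stays visible
#   disabled     no AuthenticationAuthority and Password is "*"
#   other        anything else (for example a legacy Password value)
classify_account() {
    awk '
        /^AuthenticationAuthority:/ { has_aa = 1 }
        /^Password:/                { pw = $2 }
        END {
            if (has_aa)         print "shadow-hash"
            else if (pw == "*") print "disabled"
            else                print "other"
        }'
}

# macOS only: classify one account from the local directory node.
audit_user() {
    dscl . -read "/Users/$1" Password AuthenticationAuthority 2>/dev/null |
        classify_account
}

# macOS only: list accounts with UniqueID below 500 that still have a password.
audit_system_users() {
    dscl . -list /Users UniqueID | while read -r name uid; do
        [ "$uid" -lt 500 ] 2>/dev/null || continue
        [ "$(audit_user "$name")" = "shadow-hash" ] && echo "$name ($uid)"
    done
    return 0
}

# Constructed sample outputs (not captured from a real machine).
SAMPLE_IMPORTED='AuthenticationAuthority: ;ShadowHash;
Password: ********'
SAMPLE_FIXED='No such key: AuthenticationAuthority
Password: *'

printf '%s\n' "$SAMPLE_IMPORTED" | classify_account
printf '%s\n' "$SAMPLE_FIXED"    | classify_account
```

On a Mac, audit_system_users run with sudo lists the service accounts that still carry a usable password.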

7

Just in case you haven't found a viable solution (or in case someone else finds this question from Google), setting the user's shell to /usr/bin/false prevents him from logging in and hides it from the login screen and from the system preferences. To do so, use the following command line:

sudo dscl . -change /Users/[username] UserShell /bin/bash /usr/bin/false

And to revert the change:

sudo dscl . -change /Users/[username] UserShell /usr/bin/false /bin/bash

Where [username] is the name of the user you want to hide (_postgres in your case I assume). I don't know why dscl wants the old value first, but that's what the manpage says, and it works quite well.

zneak

Posted 2009-11-13T16:52:52.267

Reputation: 989

This solution is very poor as it disables the shell for that user, the very thing that I want to use it for. If I would want to restart the database etc. – googletorp – 2010-03-29T15:00:22.670

@googletorp: You can still do sudo -s -u _postgres from an admin account to get a shell as _postgres; this will work even if his UserShell is set to /usr/bin/false. Besides, doesn't setting its password to "no password", as you tried to do, also disable the account? – zneak – 2010-03-29T23:40:28.730