The new mac_user resource has several critical flaws #9171

chilcote opened this issue Dec 17, 2019 · 0 comments

@chilcote chilcote commented Dec 17, 2019


15.6.16 fixed the crashing bug in the mac_user resource, but now that it's not crashing, it has exposed several other critical issues.

  • Setting a home directory with sysadminctl or dscl now requires SystemPolicySysAdminFiles whitelisting, which cannot be set indefinitely without an MDM server (i.e. it will prompt every time chef calls the resource, asking you to "allow" Terminal to manage your system.)
  • When creating a user, it does not respect system: true (i.e. all users are >500)
  • When creating a user, it does not set the GID to its numerical GID; it uses the group "name" (i.e. "admin" instead of 80)
    • this causes problems when doing things like "chown," or, more critically, using a dir resource to manage a home dir that's not under /Users.

I appreciate the work that went into fixing the crashing bug, and hopefully we can get these addressed as well.

Chef Version


Platform Version


Replication Case

It's as easy as trying to manage a user on macOS. For example, this resource fails all three of the points above.

# Chef user resource as posted in the report; the closing `end` was missing.
user 'fooadmin' do
  gid 'admin'                  # group given by name; reporter expects numeric GID 80 to be stored
  home '/Users/fooadmin'
  shell '/bin/bash'
  password 'this_is_a_terrible_password'
  iterations 40000
  manage_home true
  system true                  # reporter expects a UID below 500
  action :create
end

Client Output

The output looks correct, because the user is being created (and if the process is being called via launchd, then thankfully we don't see the user permission prompts). However, if you set system to true, you can verify that the UID is still >500, and you can inspect the user plist to verify that the UniqueGID is not being set correctly.
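The two checks the report describes (UID below 500 for a system account, and a numeric primary group ID rather than a group name) can be scripted against the user record that `dscl . -read /Users/<name>` prints. The Ruby below is an added example and is not code from the issue or from Chef; it parses dscl's "Key: value" record format and reports deviations. The records it runs on are constructed sample text, and it uses dscl's attribute names UniqueID and PrimaryGroupID (the latter is what the report calls the UniqueGID). The 500 threshold and the expected GID 80 for the admin group are taken from the report.

```ruby
# Added example, not part of the original issue or of Chef.
# Parses a dscl user record and checks the two properties the report says
# the mac_user resource gets wrong. Sample records below are constructed.

SYSTEM_UID_LIMIT = 500 # report: system accounts must be below this UID

# Parse dscl's "Key: value" output into a Hash of strings. A key line with
# no value followed by indented lines (dscl's multi-line form) is joined.
def parse_dscl_record(text)
  record = {}
  last_key = nil
  text.each_line do |raw|
    line = raw.chomp
    if line =~ /\A(\S+):\s*(.*)\z/
      last_key = Regexp.last_match(1)
      record[last_key] = Regexp.last_match(2)
    elsif last_key && line.start_with?(' ')
      record[last_key] = [record[last_key], line.strip].reject(&:empty?).join(' ')
    end
  end
  record
end

# Return a list of problems for a user declared with `system true` and a
# numeric expected GID. An empty array means the record looks correct.
def check_mac_user(record, expected_gid:, system: true)
  problems = []
  uid = record['UniqueID']
  gid = record['PrimaryGroupID']

  if uid.nil? || uid !~ /\A\d+\z/
    problems << "UniqueID missing or non-numeric: #{uid.inspect}"
  elsif system && uid.to_i >= SYSTEM_UID_LIMIT
    problems << "system user but UniqueID #{uid} >= #{SYSTEM_UID_LIMIT}"
  end

  # The report's second point: the group name ("admin") stored where the
  # numeric GID (80) belongs breaks chown and directory ownership.
  if gid.nil? || gid !~ /\A\d+\z/
    problems << "PrimaryGroupID is not numeric: #{gid.inspect}"
  elsif gid.to_i != expected_gid
    problems << "PrimaryGroupID #{gid} != expected #{expected_gid}"
  end

  problems
end

# Constructed sample: what a correctly created record would look like.
GOOD_RECORD = <<~DSCL
  NFSHomeDirectory: /Users/fooadmin
  PrimaryGroupID: 80
  RecordName: fooadmin
  UniqueID: 401
  UserShell: /bin/bash
DSCL

# Constructed sample reproducing both defects named in the report.
BAD_RECORD = <<~DSCL
  NFSHomeDirectory: /Users/fooadmin
  PrimaryGroupID: admin
  RecordName: fooadmin
  UniqueID: 502
  UserShell: /bin/bash
DSCL

if __FILE__ == $PROGRAM_NAME
  { 'good' => GOOD_RECORD, 'bad' => BAD_RECORD }.each do |label, rec|
    problems = check_mac_user(parse_dscl_record(rec), expected_gid: 80)
    puts "#{label}: #{problems.empty? ? 'OK' : problems.join('; ')}"
  end
end
```

On a real machine the record text would come from `dscl . -read /Users/fooadmin` run after the Chef run; the parser and checks are the same.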
