mac_user: fixing gid and system properties, and adding hidden property #9275
Goals:
- `mac_user` provider will now use the numeric GID when creating a user, instead of passing what was literally in the resource (e.g. it will use 80 instead of "admin")
- `system true` from the old `dscl` provider.
- `hidden` which will set the `IsHidden` value in the user plist.

Description
The GID will fix issues where the system does not recognize the user (for `chown` operations, or `id`, etc)

The `system: true` works, but there are still macOS quirks. For instance, if you run chef manually in terminal, you'll be prompted to give Terminal.app privacy protection rights to be able to set the UID. When run via launchd, which is how most orgs would use chef, macOS just ignores the UID you pass and pulls its own (usually starting at 502 and going up to the next available one). This seems to be a limitation in the `sysadminctl` tool itself, in conjunction with the added privacy protections around updating a UID for a user. The fix for this behavior would involve signing chef (or chef's ruby) and whitelisting it for `SystemPolicySysAdminFiles` via MDM.

Since what most of us are interested in is not specifically assigning a UID under 500 (which Apple doesn't even support), I'm also adding in support to this resource for the `IsHidden` dscl attribute. Setting this to `1` (which, in Apple terms, means "true"), the account will not show up in System Prefs or at the Login Window.

Related Issue
#9171
Types of changes
Checklist:
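
An added example, not code from this pull request or from Chef: one way to normalise a resource-style gid (80, "80" or "admin") to the numeric value before it is written, and to map a hidden flag onto `IsHidden`. The names `resolve_gid`, `user_attributes` and `CONSTRUCTED_GROUPS` are hypothetical, the group table is constructed sample data, and writing "0" for a non-hidden account is an assumption.

```ruby
require "etc"

# Constructed sample data standing in for the local group database.
CONSTRUCTED_GROUPS = { "admin" => 80, "staff" => 20 }.freeze

# Default lookup asks the operating system; returns nil for unknown groups.
SYSTEM_GROUP_LOOKUP = lambda do |name|
  Etc.getgrnam(name).gid
rescue ArgumentError
  nil
end

# Turn a resource-style gid into an Integer GID.
# Accepts an Integer, a numeric string, or a group name.
def resolve_gid(gid, lookup: SYSTEM_GROUP_LOOKUP)
  return gid if gid.is_a?(Integer) && gid >= 0

  text = gid.to_s.strip
  return text.to_i if text.match?(/\A\d+\z/)

  resolved = lookup.call(text) unless text.empty?
  # Fail loudly rather than store a name where a number is expected,
  # which is the case the description says breaks chown and id.
  raise ArgumentError, "cannot resolve group #{gid.inspect} to a numeric GID" if resolved.nil?

  resolved
end

# Directory-service attribute values for a user record, as strings.
def user_attributes(gid:, hidden: false, lookup: SYSTEM_GROUP_LOOKUP)
  {
    "PrimaryGroupID" => resolve_gid(gid, lookup: lookup).to_s,
    # The description states that 1 means true; "0" for false is assumed.
    "IsHidden" => hidden ? "1" : "0",
  }
end

if __FILE__ == $PROGRAM_NAME
  stub = ->(name) { CONSTRUCTED_GROUPS[name] }
  p user_attributes(gid: "admin", hidden: true, lookup: stub)
end
```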