Mac OS X El Capitan Installer Removes Custom Group ID and Membership
As always, after Apple releases their new operating system, my systems are upgraded. This time the upgrade was less of a surprise in terms of what it brings because I'd been beta testing the new release for the past couple of weeks; however, I was still caught off guard.
On OS X, by default all user accounts start at ID 501 and count up, so if you have two accounts, you will have user IDs 501 and 502 in use. Most people will likely never change this, and all is well. The default group for all new user accounts is staff, which has a group ID of 20. So if you have a single account named, for example, janedoe, her user ID would be 501 and her group ID would be 20 (staff).
I come from a FreeBSD world and run a lot of FreeBSD systems, where user accounts start at 1001 and count up. When you create a new user account on FreeBSD, by default that user is also added to a group with the same name as the username, with the same ID. So you end up with an account with ID 1001 and default group ID 1001. Using the same example, a user named janedoe would have a user ID of 1001, and a group ID of 1001 (janedoe).
When I first installed OS X, and almost every single new installation since, I have followed these steps to change my user ID and group ID to match those on my FreeBSD systems:
- This assumes you have a separate user account, other than the one you are about to modify, that has administrator privileges on the local Mac and that you can use temporarily; I create an "Administrator" account for that reason.
- System Preferences
- Users and Groups
- Click the + (You may need to click the lock in the bottom left first)
- Change the dropdown to group
- Enter Full Name: janedoe
- Create group
- Right click on group (janedoe)
- Advanced Options...
- Change the Group ID to 1001
- Okay
- Right click on user (janedoe)
- Advanced Options...
- Change User ID from 501 to 1001
- Change Group from staff to janedoe
- Okay
- Close System Preferences
- Open Terminal, become root user (sudo su)
- cd /Users/janedoe
- find . -uid 501 -print0 | xargs -0 chown 1001:1001
This allows me to have the same user ID and group ID on both my Mac OS X and on FreeBSD, thereby making it easier to use tools like rsync that keep ownership and permissions, as well as using NFS. Another way to do something similar is using LDAP/Kerberos with a shared directory service, but that is a little heavy handed for a home network.
This has worked for me without issues since OS X 10.8, even upgrading from 10.8 to 10.9 and then 10.10 did not change anything. However as soon as I did the upgrade to El Capitan (10.11) I noticed that all of my ls -lah output looked like this:

    drwxr-xr-x+ 13 xistence 1001 442B Oct 1 16:58 Desktop
    drwx------+ 28 xistence 1001 952B Aug 31 12:17 Documents
    drwx------+ 89 xistence 1001 3.0K Oct 1 15:56 Downloads
    drwx------@ 72 xistence 1001 2.4K Oct 2 00:16 Library

and id provided this valuable output:

    uid=1001(xistence) gid=20(xistence) groups=20(xistence),12(everyone),61(localaccounts),399(com.apple.access_ssh),402(com.apple.sharepoint.group.2),401(com.apple.sharepoint.group.1),100(_lpoperator)
Wait, what happened to the staff group that I am supposed to be a member of, and why is my xistence group ID now stating it is 20 and not 1001 as I was expecting?
I wondered if the upgrade had messed up my group somehow, and it was confirmed when I checked with dscl.

    $ dscl . -read /Groups/xistence
    [...]
    Password: *
    PrimaryGroupID: 20
    RealName: xistence
    RecordName: xistence
    RecordType: dsRecTypeStandard:Groups
Do note that the group xistence does not show up in System Preferences -> Users and Groups, so we'll have to do some command line magic.
Well, that's worrisome, why is this matching a built-in group's ID? Specifically let's check the staff group and make sure it still has the appropriate group ID.

    $ dscl . -read /Groups/staff
    [...]
    GroupMembership: root
    Password: *
    PrimaryGroupID: 20
    RealName: Staff
    RecordName: staff BUILTIN\Users
    RecordType: dsRecTypeStandard:Groups
Next I had to check to see what my user account was set to as the default group ID:

    $ dscl . -read /Users/xistence
    [...]
    NFSHomeDirectory: /Users/xistence
    Password: ********
    PrimaryGroupID: 20
    RealName: Bert JW Regeer
    RecordName: xistence bertjw@regeer.org com.apple.idms.appleid.prd.53696d524c62372b48344a53755864634e4f374b32513d3d
    RecordType: dsRecTypeStandard:Users
    UniqueID: 1001
    UserShell: /bin/bash
Well, that is not entirely what I was expecting either, at least it didn't touch my user ID. Time to fix things.
First let's change the xistence group's group ID to 1001, and then change the Primary Group ID for the user xistence to group ID 1001.

    # dscl . -change /Groups/xistence PrimaryGroupID 20 1001
    # dscl . -change /Users/xistence PrimaryGroupID 20 1001
After that id looked a little bit more sane:

    uid=1001(xistence) gid=1001(xistence) groups=1001(xistence),12(everyone),61(localaccounts),399(com.apple.access_ssh),402(com.apple.sharepoint.group.2),401(com.apple.sharepoint.group.1),100(_lpoperator)
However now the group staff is missing from the list of groups that the user xistence is a member of, which I don't think will hurt anything, but we still want to be able to read/write any folders that are designated as staff elsewhere in the OS, and any other privileges that entails. So let's add the user xistence to the staff group:

    # dscl . -append /Groups/staff GroupMembership xistence
Let's verify, and check id again:

    uid=1001(xistence) gid=1001(xistence) groups=1001(xistence),12(everyone),20(staff),61(localaccounts),399(com.apple.access_ssh),402(com.apple.sharepoint.group.2),401(com.apple.sharepoint.group.1),100(_lpoperator)
For this to fully take effect, log out and log back in. This will make sure that all new files have the correct user ID/group ID set.
After the change to the Group ID, the group still doesn't show up in System Preferences -> Users and Groups, which I find weird since it is not a built-in group.
Luckily everything is back to the way it was before the upgrade, and my backup scripts and NFS shares work again without issues.
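
The two symptoms above (a custom group record sharing the built-in staff GID, and an id line with the wrong primary group and no staff membership) can be checked mechanically after an upgrade. The following is an added example, not part of the original post: the function names find_gid_collisions and check_id are made up here, and the sample input is constructed from the values shown in the post.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are made up here.

# Read "name gid" lines (the layout `dscl . -list /Groups PrimaryGroupID`
# prints) on stdin; print each GID that more than one group record claims.
find_gid_collisions() {
    awk 'NF >= 2 {
             if ($2 in names) names[$2] = names[$2] "," $1
             else names[$2] = $1
             count[$2]++
         }
         END { for (g in count) if (count[g] > 1) print g ": " names[g] }' |
        sort -n
}

# check_id LINE UID GID GROUP...
# Check one line of `id` output for the expected uid, primary gid and
# supplementary group names. Prints each mismatch; returns 1 if any.
check_id() {
    line=$1 want_uid=$2 want_gid=$3
    shift 3
    rc=0
    case $line in
        "uid=$want_uid("*) ;;
        *) echo "uid is not $want_uid"; rc=1 ;;
    esac
    case $line in
        *" gid=$want_gid("*) ;;
        *) echo "primary gid is not $want_gid"; rc=1 ;;
    esac
    glist=",${line##* groups=},"
    for g in "$@"; do
        case $glist in
            *"($g),"*) ;;
            *) echo "not a member of $g"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample input, using the values shown in the post.
SAMPLE_GROUPS='everyone 12
staff 20
xistence 20'
SAMPLE_ID='uid=1001(xistence) gid=20(xistence) groups=20(xistence),12(everyone),61(localaccounts)'

printf '%s\n' "$SAMPLE_GROUPS" | find_gid_collisions
check_id "$SAMPLE_ID" 1001 1001 staff || echo "account needs repair"
```

On a real Mac the same functions take live input: dscl . -list /Groups PrimaryGroupID | find_gid_collisions, and check_id "$(id xistence)" 1001 1001 staff.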