Thanks to its Unix heritage, Mac OS X is a multiuser operating system through and through. This simple fact means there can be more than one user of your system. You can have accounts for every member of a household on one machine, and everyone’s stuff will remain independent and safe. Even better, with Fast User Switching , multiple users can be logged into the same machine at the same time. While only one user at a time can use the screen, with a quick click of a menu, you can switch effortlessly between user sessions.
What isn’t obvious at first glance is that the concept of users runs quite deep in Mac OS X. Not only are human users treated as separate entities by the system, but many nonhuman users exist on the system as well. This means different tasks can be performed safely and in isolation from other tasks. Users can also be associated with groups , allowing the system to treat many users the same way.
From the operating system’s point of view, a user isn’t necessarily a real person who taps away at the keyboard. A user is simply an entity that can own files and execute programs. A user is defined in terms of an account that has a set of properties including a numeric user ID, such as 501, and a username. Internally the system uses the user ID to keep track of the files and processes that belong to a user. The username is a more human-readable form that is used heavily throughout the system so that you don’t have to think in terms of numbers.
Each user is also part of one or more groups. A group is a collection of users that the system can treat as a unit. Like a user, the system defines a group in terms of a numeric group ID and a more readable group name. Associating users with groups gives you the ability to control various resources of the system, and not just on a case-by-case basis. For example, the system uses the admin group to indicate users that can administer the computer. If your user ID is associated with the admin group, you have the ability to perform administrative tasks on the system.
To take a look at your user and group IDs, log into the command line and execute the id
command, as shown in Example 6-1.
The results of this example tell us that the currently logged-in user is named jldera, has a user ID of 501, and is a member of the jldera and admin groups. If you take a look at a non-administrative user, you will see something like the output shown in Example 6-2.
Example 6-2. Using the id command for a specific user
$ id panic
uid=502(panic) gid=502(panic) groups=502(panic)This user isn’t part of the admin group and therefore won’t be allowed to administer the computer. Typical users have access to their Home folders and to the System Preferences panels that customize their user experience, but the rest of the system will be off limits (at least it will be if they don’t know an administrator’s username and password).
You’ll notice in the examples above that the user IDs are 501 and 502. And if you are the only user on your machine, you’ll notice that your user ID is also 501. This pattern is not coincidental; it follows the numbering scheme
that Mac OS X uses to separate out users that should appear in the login window from those that should not. The rule is that users with an ID less than 500 won’t appear. Those with an ID greater than 500 will appear.
Administrative users represent a special class of users on the system. Here are just a few things that they are allowed to do that users without administrative privileges aren’t:
Install new programs in the
/ApplicationsfolderAdd items to the
/Libraryfolder such as startup items that take effect when the system is bootedChange network settings using the Network preference panel
Change the system time using the Date & Time preference panel
Add users to or remove them from the system
Set up or remove printers
Without administrative privileges, users are pretty much restricted to their Home folders and are only able to change the settings in System Preferences that relate to their desktops such as screen backgrounds and Finder preferences. The various System Preferences panels that require administrator access have a closed padlock on them, indicating that the user is not able to change the settings.
When you first install Mac OS X, the user that you create during the installation process automatically has administrative privileges. However, users created after that time will not have administrative privileges unless the person who creates their accounts (an administrator) grants the users admin privileges in the Accounts panel of System Preferences. You should consider your security needs and determine whether the user ID that you use for your normal work on the machine should have administrative privileges.