Help

How do you detect a user account beginning with a .?

sdagley
Esteemed Contributor II

Posted on ‎04-04-2019 01:31 PM

Ran into a new, and at the same time old, question today. You can create a hidden account in macOS by using a . as the leading character of the account name similar to creating a hidden file/directory. Running dscl . list /Users UniqueID does not show that account. What would be the recommended way to list users which would handle account names bingeing with a period? Just checking /Users wouldn't be sufficient since the home directory won't necessarily be there.

0 Kudos
Reply
5 REPLIES 5

mickgrant
Contributor III

Posted on ‎04-04-2019 03:12 PM

i cant take credit for this script but i found this handy explainer and script on - This website
i highly recommend you give it a read as it will explain what the script does and why.

if you have any hidden user accounts this should display them

#! /bin/bash
# script by Phil Stokes, applehelpwriter.com

lw="/Library/Preferences/com.apple.loginwindow"
# dlu="/Library/Preferences/com.apple.preferences.accounts"

printf "Current users:
%s `w`"

declare -a arr=("daemon" "nobody" "root" "Guest")
printf " User	ID
"
for i in `dscl . -list /Users | grep -v '^_'`;
do

        if [[ ! "${arr[@]}" =~ "$i" ]]; then
            k=`id -u $i`
            printf "	%s		%s
 $i $k"
        fi
done
printf "

Loginwindow: %s `defaults read "$lw"`"
# printf "

Deleted Users: %s `defaults read "$dlu"`"
0 Kudos
Reply

sdagley
Esteemed Contributor II

Posted on ‎04-04-2019 06:47 PM

@mickgrant Thanks for the reference, but that script fails for the reason mentioned in my original post. Calling dscl . -list /Users does not report accounts that have a name beginning with a period.

0 Kudos
Reply

mickgrant
Contributor III

Posted on ‎04-04-2019 08:13 PM

ok so i found this page - https://unix.stackexchange.com/questions/123917/display-only-files-starting-with-hidden
after reading and testing i found that 

ls -a |grep -E  "^."

will display the hidden users in the /users folder that start with a . but you wanted the ability to look in places other than just /users thats gunna kinda suck for you 

find . -type f | grep  "^./."

will find all hidden files for you but then your going to have to search it to find what your looking for

good luck

0 Kudos
Reply

sdagley
Esteemed Contributor II

Posted on ‎04-05-2019 05:58 AM

@mickgrant Yeah, I don't think it's a simple one. Thanks for the commiseration and research.

0 Kudos
Reply

sdagley
Esteemed Contributor II

Posted on ‎04-05-2019 06:26 AM

An associate discovered /private/var/db/dslocal/nodes/Default/users which appears to contain a .plist for each account on a Mac no matter what its home directory. Enumerating that is an option if a cleaner approach isn't possible.

0 Kudos
Reply