What are 'com.apple.access_ssh' and 'com.apple.access_screensharing'; can I delete them?

When I examine the list of users and groups on my machine (OSX 10.9) with id I get:

uid=501(Rax)
gid=20(staff)
groups=20(staff)
       103(Rax),
       12(everyone),
       61(localaccounts),
       80(admin),
       98(_lpadmin),
       33(_appstore),
       100(_lpoperator),
       204(_developer),
       398(com.apple.access_screensharing),
       399(com.apple.access_ssh)

I don't (currently) have any sharing enabled. What are the last two groups and where did they come from? Can I delete them; if so how?


Using sudo dscl . -read /Groups/com.apple.access_ssh I get:

AppleMetaNodeLocation: /Local/Default
Comment:
 SSH Service ACL
GeneratedUID: XXX...
NestedGroups: XXX...
Password: *
PrimaryGroupID: 399
RealName:
 SSH Service ACL
RecordName: com.apple.access_ssh
RecordType: dsRecTypeStandard:Groups

And using sudo dscl . -read /Groups/com.apple.access_screensharing I get:

AppleMetaNodeLocation: /Local/Default
Comment:
 Screensharing Service ACL
GeneratedUID: XXX...
NestedGroups: XXX...
Password: *
PrimaryGroupID: 398
RealName:
 Screensharing Service ACL
RecordName: com.apple.access_screensharing
RecordType: dsRecTypeStandard:Groups

(Though I'm not sure what any of that means.)


Solution 1:

The main admin user on my 10.9 VM is also part of both those groups, so I guess it's normal.

Tests-Mac:~ test$ id
uid=501(test) gid=20(staff) groups=20(staff),12(everyone),61(localaccounts),79(_appserverusr),80(admin),81(_appserveradm),98(_lpadmin),401(com.apple.sharepoint.group.1),33(_appstore),100(_lpoperator),204(_developer),398(com.apple.access_screensharing),399(com.apple.access_ssh)

Membership in the com.apple.access_screensharing group seems to correspond to the user (or a group it's a member of) being included in this list:

When I created a new standard account, it was not a member of the com.apple.access_screensharing group by default, but after I added the account to the list above, it became a member of the group.

Similarly, membership in the com.apple.access_ssh group seems to correspond to the user being included in the list in the Remote Login section.
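
An added example (not part of the original answers): a small shell filter that picks the service ACL groups out of id output, which is a quick way to audit which remote-access lists an account is on, including membership inherited through another group. The function name, the service labels and the sample line are constructed for illustration.

```shell
#!/bin/sh
# Added example: list the service-ACL groups (com.apple.access_*) present in
# `id` output. Labels follow the Comment fields shown by dscl on this page.

# Constructed sample, modelled on the `id` line quoted in Solution 1.
SAMPLE_ID='uid=501(test) gid=20(staff) groups=20(staff),12(everyone),80(admin),398(com.apple.access_screensharing),399(com.apple.access_ssh)'

# sacl_groups: read `id` output on stdin and print "gid<TAB>group<TAB>service"
# for every com.apple.access_* group. Output wrapped across lines is accepted.
sacl_groups() {
    { tr -d ' \t\n'; echo; } |      # join wrapped lines, restore final newline
    sed -n 's/.*groups=//p' |       # keep only the group list
    tr ',' '\n' |                   # one "gid(name)" entry per line
    while IFS= read -r entry; do
        gid=${entry%%\(*}           # text before the first "("
        name=${entry#*\(}           # text after the first "("
        name=${name%\)}             # drop the closing ")"
        case $name in
            com.apple.access_ssh)           svc='Remote Login (SSH)' ;;
            com.apple.access_screensharing) svc='Screen Sharing' ;;
            com.apple.access_*)             svc='other service ACL' ;;
            *) continue ;;          # ordinary group, not a service ACL
        esac
        printf '%s\t%s\t%s\n' "$gid" "$name" "$svc"
    done
}

# Demo on the constructed sample. On a Mac: id "$USER" | sacl_groups
printf '%s\n' "$SAMPLE_ID" | sacl_groups
```

An account that prints nothing here is not on any of these service access lists.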

Solution 2:

I'll try to answer the 1st question correctly (and not wait for the delay I would need to write a correct answer to the 2nd question).

What are the groups:

   398(com.apple.access_screensharing),
   399(com.apple.access_ssh)

for?

These groups are created to separate privileges.

To be able to manage the access to the screen sharing setting, you just need to be in group 398. You don't need to be root, you don't need to be in the group wheel.

This is a good security policy. This privilege separation is a real security improvement.