SCIENTIFIC-LINUX-USERS Archives

March 2015

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

From: "P. Larry Nelson" <[log in to unmask]>
Date: Tue, 3 Mar 2015 17:50:16 -0600

[I'm starting a new thread here as I know many of our colleagues out
there prefer that to happen when a current thread starts to veer a
little off the original topic.  So I've copy/pasted the last entry
under the old thread to this reply.]

Thanks Chris for the info on login.defs.  I did not realize that
file existed.  Other than the occasional rants on this list, I pretty
much learn something new every day, and I've been at this a long time.

It is humbling.

Further comments in-line below.

- Larry

 > -------- Forwarded Message --------
 > Subject: Re: Bizarre bug
 > Date: Tue, 3 Mar 2015 17:00:31 -0600
 > From: Ken Teh <[log in to unmask]>
 > Organization: Argonne National Laboratory
 > To: Chris Schanzle <[log in to unmask]>, [log in to unmask] <[log in to unmask]>
 >
 > I set mine at uid/gid=2000 and pray it's good till I retire :)

Years ago ('89 I think was my first foray into unix - SunOS), I
chose 666 for my UID and I've made it follow me everywhere since.
Devilishly clever, I thought.  :-)

There's more.  Scroll on down....

 > On 03/03/2015 04:44 PM, Chris Schanzle wrote:
 >> On 03/03/2015 03:33 PM, P. Larry Nelson wrote:
 >> That used to happen in the old days before
 >> system-config-users pretty much kept generated UIDs/GIDs well out
 >> of the range that an installed piece of software might use.
 >> I believe the rule is now that real people users get a UID > 500
 >> and installed apps (like ntop, UID:103, GID:160) use UIDs < 500,
 >> but I don't know if that's a hard and fast rule with apps or not.
 >> I do the same thing with any local group I create - give it a
 >> GID > 500.
 >
 > The authoritative source used by useradd (perhaps others) is /etc/login.defs:
 >
 > grep ^UID_MIN /etc/login.defs
 > UID_MIN              500
 >
 > Historically it was UID >= 500 (note 500 was the first), in recent Fedoras and EL7, it's now 1000:
 >
 > grep ^UID_MIN /etc/login.defs
 > UID_MIN                  1000
 >
 >
 > Note new systems also have min/max values for system accounts in login.defs:
 >
 > # Min/max values for automatic uid selection in useradd
 > #
 > UID_MIN                  1000
 > UID
 > # System accounts
 > SYS_UID
 > SYS_UID_MAX               999
 >

So, as I understand this, login.defs is only used by useradd (which
I assume system-config-users must invoke)?

What is to govern (other than perhaps some sort of gentleman's
agreement in the app world) what UID/GID an application decides
to grab upon install?

I used the ntop app as an example in a previous post under the
previous thread and noted that it grabbed UID:103, GID:160.
What's to prevent an app from grabbing a UID and GID > 500
(or 1000 in newer releases)?

BTW, as an aside, if you haven't discovered and installed ntop
(epel repo), I highly recommend it.  An amazing admin net tool
that's web based and I'm still learning what all it can do and
display.

- Larry

-- 
P. Larry Nelson (217-244-9855) | IT Administrator
461 Loomis Lab                 | High Energy Physics Group
1110 W. Green St., Urbana, IL  | Physics Dept., Univ. of Ill.
MailTo:[log in to unmask]    | http://www.brf-llc.com/lnelson/
-------------------------------------------------------------------
  "Information without accountability is just noise."  - P.L. Nelson
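
Added example (not part of this message or the replies it quotes): a Python check that reads the UID_MIN boundary from login.defs text and flags passwd entries sitting on the wrong side of it, or sharing a UID. The sample inputs, every account name other than ntop, and the finding labels are constructed, and treating a nologin shell as the mark of a service account is an assumption.

```python
import re
from collections import Counter

# Assumption: these shells mark a non-interactive (service) account.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

# Constructed sample data, not taken from any real host.
SAMPLE_LOGIN_DEFS = "# System accounts\nSYS_UID_MAX   999\nUID_MIN   1000\n"
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
ntop:x:103:160:ntop:/var/lib/ntop:/sbin/nologin
alice:x:666:666:Alice:/home/alice:/bin/bash
bob:x:2000:2000:Bob:/home/bob:/bin/bash
appsvc:x:1001:1001:App daemon:/var/lib/appsvc:/sbin/nologin
carol:x:2000:2001:Carol:/home/carol:/bin/bash
"""

def parse_login_defs(text):
    """Return the numeric settings in login.defs text as {KEY: int}."""
    defs = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Z_]+)\s+(\d+)\s*$", line)  # skips comments, bare keys
        if m:
            defs[m.group(1)] = int(m.group(2))
    return defs

def audit_passwd(passwd_text, defs):
    """Return sorted (name, uid, finding) tuples for out-of-range or shared UIDs."""
    uid_min = defs["UID_MIN"]
    rows = []
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) == 7 and f[2].isdigit():
            rows.append((f[0], int(f[2]), f[6]))
    seen = Counter(uid for _, uid, _ in rows)
    findings = []
    for name, uid, shell in rows:
        service = shell in NOLOGIN_SHELLS
        if seen[uid] > 1:
            findings.append((name, uid, "duplicate UID"))
        if service and uid >= uid_min:
            findings.append((name, uid, "service account in user range"))
        if not service and 0 < uid < uid_min:  # uid 0 (root) is exempt
            findings.append((name, uid, "login account in system range"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD, parse_login_defs(SAMPLE_LOGIN_DEFS)):
        print(*finding, sep="\t")
```

On a real host, pass the contents of /etc/login.defs and /etc/passwd instead of the samples; a login UID of 666 is flagged with UID_MIN 1000 but not with the older UID_MIN 500.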
