SCIENTIFIC-LINUX-USERS Archives

March 2015

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From:
Reply To:
Date: Wed, 4 Mar 2015 05:22:53 -0500

On Tue, Mar 3, 2015 at 6:50 PM, P. Larry Nelson <[log in to unmask]> wrote:
>
> Thanks Chris for the info on login.defs.  I did not realize that
> file existed.  Other than the occasional rants on this list, I pretty
> much learn something new every day, and I've been at this a long time.
>>
>> On 03/03/2015 04:44 PM, Chris Schanzle wrote:
>>> On 03/03/2015 03:33 PM, P. Larry Nelson wrote:
>>> That used to happen in the old days before
>>> system-config-users pretty much kept generated UIDs/GIDs well out
>>> of the range that an installed piece of software might use.
>>> I believe the rule is now that real people users get a UID > 500
>>> and installed apps (like ntop, UID:103, GID:160) use UIDs < 500,
>>> but I don't know if that's a hard and fast rule with apps or not.
>>> I do the same thing with any local group I create - give it a
>>> GID > 500.
>>
>> The authoritative source used by useradd (perhaps others) is
>> /etc/login.defs:
>>
>> grep ^UID_MIN /etc/login.defs
>> UID_MIN              500
>>
>> Historically it was UID >= 500 (note 500 was the first), in recent
>> Fedora's and EL7, it's now 1000:
>>
>> grep ^UID_MIN /etc/login.defs
>> UID_MIN                  1000
>>
>>
>> Note new systems also have min/max values for system accounts in
>> login.defs:
>>
>> # Min/max values for automatic uid selection in useradd
>> #
>> UID_MIN                  1000
>> UID
>> # System accounts
>> SYS_UID
>> SYS_UID_MAX               999
>
> So, as I understand this, login.defs is only used by useradd (which
> I assume system-config-users must invoke)?
>
> What is to govern (other than perhaps some sort of gentleman's
> agreement in the app world) what UID/GID an application decides
> to grab upon install?
>
> I used the ntop app as an example in a previous post under the
> previous thread and noted that it grabbed UID:103, GID:160.
> What's to prevent an app from grabbing a UID and GID > 500
> (or 1000 in newer releases)?

UIDs between 0-200 are allocated statically:

/usr/share/doc/setup-*/uidgid

UIDs between 201-999 are allocated dynamically; from "/etc/login.defs":

#
# Min/max values for automatic uid selection in useradd
#
UID_MIN                  1000
UID_MAX                 60000
# System accounts
SYS_UID_MIN               201
SYS_UID_MAX               999

#
# Min/max values for automatic gid selection in groupadd
#
GID_MIN                  1000
GID_MAX                 60000
# System accounts
SYS_GID_MIN               201
SYS_GID_MAX               999
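
An added example, not part of the original message: a Python audit that reads the login.defs ranges quoted above and flags passwd entries whose shell does not match the range their UID falls in. The sample passwd lines, the nologin-shell heuristic and the function names are assumptions made for illustration.

```python
import re

# Constructed sample inputs; the login.defs values are the ones quoted above.
SAMPLE_LOGIN_DEFS = """\
UID_MIN                  1000
UID_MAX                 60000
# System accounts
SYS_UID_MIN               201
SYS_UID_MAX               999
"""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
ntop:x:103:160:ntop:/var/lib/ntop:/sbin/nologin
chrony:x:998:996::/var/lib/chrony:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
appsvc:x:1001:1001:Vendor daemon:/opt/appsvc:/sbin/nologin
deploy:x:450:450:Deploy:/home/deploy:/bin/bash
"""
NOLOGIN = ("/sbin/nologin", "/usr/sbin/nologin", "/bin/false")  # assumed heuristic

def parse_login_defs(text):
    """Return the numeric *_MIN/*_MAX settings from login.defs text."""
    pattern = r"^[ \t]*((?:SYS_)?[UG]ID_(?:MIN|MAX))[ \t]+(\d+)[ \t]*$"
    return {key: int(value) for key, value in re.findall(pattern, text, re.M)}

def classify_uid(uid, defs):
    """Map a UID to the range it falls in, per the parsed login.defs."""
    if uid < defs["SYS_UID_MIN"]:
        return "static"
    if uid <= defs["SYS_UID_MAX"]:
        return "system"
    if defs["UID_MIN"] <= uid <= defs["UID_MAX"]:
        return "user"
    return "unallocated"

def audit_passwd(passwd_text, defs):
    """List (name, uid, reason) for accounts whose shell contradicts their range."""
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue  # skip comments, malformed lines and NIS "+" entries
        name, uid, shell = fields[0], int(fields[2]), fields[6]
        zone = classify_uid(uid, defs)
        if zone == "user" and shell in NOLOGIN:
            findings.append((name, uid, "service account in user range"))
        elif zone == "system" and shell not in NOLOGIN:
            findings.append((name, uid, "login shell in system range"))
    return findings
```

On a real host, pass the contents of /etc/login.defs and /etc/passwd instead of the sample strings.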
