Scope Authority Source Purpose 0 99 global Debian both system 100 499 local mixed files system 500 999 global CSC both system 1000 9999 local mixed files users 10000 19999 global CSC ldap misc 20000 29999 global CSC ldap members 30000 39999 global CSC ldap clubs Scope: global - id is the same on all systems local - id varies between systems Authority: Debian - Debian does allocation mixed - adduser does allocation CSC - we do allocation Source: files - files, makes no sense in LDAP ldap - LDAP, makes no sense in files both - files, add to LDAP if it has members from LDAP Purpose: system - root, daemons, devices, etc users - local users misc - csc administrivia e.g. sysadmin, office members - members of the CSC clubs - other organizations
Global system UID/GID's
501 nvram 502 tss 503 rdma 504 fuse 505 lpadmin 506 camera 507 scanner 508 kvm 509 keytab 510 rtorrent 511 pulse 512 libuuid 513 cscbot
These are used by Suexec to isolate certain websites in separate user accounts.
301 www-webmail 302 www-wiki
10000 sysadmin 10001 syscom 10002 ceo 10003 office 10004 www 10005 csmirror # used by CSCF to rsync our talks to mirror.cs 10006 certs # manages CSC issued certificates 10007 cvsadmin 10008 restrict # contains users allowed to ssh to restricted machines 10009 contest # contest admin/management 10010 git 10011 svn 10012 music 10013 pulseaudio 10014 mirror
- We don't have any local user accounts in general, save perhaps one created by the installer.
- Only root, local users, and members should have passwords. All other users should not be allowed to log in directly.
- Some groups (e.g. audio) are needed during boot, but also need to have members. We keep them in both files and ldap. Only the copy in LDAP will have any members.
- A user and group should have the same ID if and only if they have the same name. So when creating a new user, don't pick the ID of an existing group, and vice versa.