UID/GID Assignment: Difference between revisions
Jump to navigation
Jump to search
(6 intermediate revisions by 3 users not shown) | |||
Line 28: | Line 28: | ||
clubs - other organizations |
clubs - other organizations |
||
= |
= Global system UID/GID's = |
||
501 nvram |
501 nvram |
||
Line 40: | Line 40: | ||
509 keytab |
509 keytab |
||
510 rtorrent |
510 rtorrent |
||
511 pulse |
|||
512 libuuid |
|||
513 cscbot |
|||
= Website UID/GID's = |
|||
These are used by [[Suexec]] to isolate certain websites in separate user accounts. |
|||
301 www-webmail |
|||
302 www-wiki |
|||
= Special UID/GID's = |
= Special UID/GID's = |
||
Line 53: | Line 63: | ||
10008 restrict # contains users allowed to ssh to restricted machines |
10008 restrict # contains users allowed to ssh to restricted machines |
||
10009 contest # contest admin/management |
10009 contest # contest admin/management |
||
10010 git |
|||
10011 svn |
|||
10012 music |
|||
10013 pulseaudio |
|||
10014 mirror |
|||
= Observations = |
= Observations = |
||
Line 60: | Line 75: | ||
* Some groups (e.g. audio) are needed during boot, but also need to have members. We keep them in both files and ldap. Only the copy in LDAP will have any members. |
* Some groups (e.g. audio) are needed during boot, but also need to have members. We keep them in both files and ldap. Only the copy in LDAP will have any members. |
||
* A user and group should have the same ID if and only if they have the same name. So when creating a new user, don't pick the ID of an existing group, and vice versa. |
* A user and group should have the same ID if and only if they have the same name. So when creating a new user, don't pick the ID of an existing group, and vice versa. |
||
[[Category:Systems]] |
Latest revision as of 11:43, 30 January 2012
UID/GID Ranges
Scope Authority Source Purpose 0 99 global Debian both system 100 499 local mixed files system 500 999 global CSC both system 1000 9999 local mixed files users 10000 19999 global CSC ldap misc 20000 29999 global CSC ldap members 30000 39999 global CSC ldap clubs Scope: global - id is the same on all systems local - id varies between systems Authority: Debian - Debian does allocation mixed - adduser does allocation CSC - we do allocation Source: files - files, makes no sense in LDAP ldap - LDAP, makes no sense in files both - files, add to LDAP if it has members from LDAP Purpose: system - root, daemons, devices, etc users - local users misc - csc administrivia e.g. sysadmin, office members - members of the CSC clubs - other organizations
Global system UID/GID's
501 nvram 502 tss 503 rdma 504 fuse 505 lpadmin 506 camera 507 scanner 508 kvm 509 keytab 510 rtorrent 511 pulse 512 libuuid 513 cscbot
Website UID/GID's
These are used by Suexec to isolate certain websites in separate user accounts.
301 www-webmail 302 www-wiki
Special UID/GID's
10000 sysadmin 10001 syscom 10002 ceo 10003 office 10004 www 10005 csmirror # used by CSCF to rsync our talks to mirror.cs 10006 certs # manages CSC issued certificates 10007 cvsadmin 10008 restrict # contains users allowed to ssh to restricted machines 10009 contest # contest admin/management 10010 git 10011 svn 10012 music 10013 pulseaudio 10014 mirror
Observations
- We don't have any local user accounts in general, save perhaps one created by the installer.
- Only root, local users, and members should have passwords. All other users should not be allowed to log in directly.
- Some groups (e.g. audio) are needed during boot, but also need to have members. We keep them in both files and ldap. Only the copy in LDAP will have any members.
- A user and group should have the same ID if and only if they have the same name. So when creating a new user, don't pick the ID of an existing group, and vice versa.