UID/GID Assignment: Difference between revisions
Jump to navigation
Jump to search
Content deleted Content added
| (6 intermediate revisions by 3 users not shown) | |||
| Line 28: | Line 28: | ||
clubs - other organizations |
clubs - other organizations |
||
= |
= Global system UID/GID's = |
||
501 nvram |
501 nvram |
||
| Line 40: | Line 40: | ||
509 keytab |
509 keytab |
||
510 rtorrent |
510 rtorrent |
||
511 pulse |
|||
512 libuuid |
|||
513 cscbot |
|||
= Website UID/GID's = |
|||
These are used by [[Suexec]] to isolate certain websites in separate user accounts. |
|||
301 www-webmail |
|||
302 www-wiki |
|||
= Special UID/GID's = |
= Special UID/GID's = |
||
| Line 53: | Line 63: | ||
10008 restrict # contains users allowed to ssh to restricted machines |
10008 restrict # contains users allowed to ssh to restricted machines |
||
10009 contest # contest admin/management |
10009 contest # contest admin/management |
||
10010 git |
|||
10011 svn |
|||
10012 music |
|||
10013 pulseaudio |
|||
10014 mirror |
|||
= Observations = |
= Observations = |
||
| Line 60: | Line 75: | ||
* Some groups (e.g. audio) are needed during boot, but also need to have members. We keep them in both files and ldap. Only the copy in LDAP will have any members. |
* Some groups (e.g. audio) are needed during boot, but also need to have members. We keep them in both files and ldap. Only the copy in LDAP will have any members. |
||
* A user and group should have the same ID if and only if they have the same name. So when creating a new user, don't pick the ID of an existing group, and vice versa. |
* A user and group should have the same ID if and only if they have the same name. So when creating a new user, don't pick the ID of an existing group, and vice versa. |
||
[[Category:Systems]] |
|||
Latest revision as of 11:43, 30 January 2012
UID/GID Ranges
Scope Authority Source Purpose
0 99 global Debian both system
100 499 local mixed files system
500 999 global CSC both system
1000 9999 local mixed files users
10000 19999 global CSC ldap misc
20000 29999 global CSC ldap members
30000 39999 global CSC ldap clubs
Scope: global - id is the same on all systems
local - id varies between systems
Authority: Debian - Debian does allocation
mixed - adduser does allocation
CSC - we do allocation
Source: files - files, makes no sense in LDAP
ldap - LDAP, makes no sense in files
both - files, add to LDAP if it has members from LDAP
Purpose: system - root, daemons, devices, etc
users - local users
misc - csc administrivia e.g. sysadmin, office
members - members of the CSC
clubs - other organizations
Global system UID/GID's
501 nvram 502 tss 503 rdma 504 fuse 505 lpadmin 506 camera 507 scanner 508 kvm 509 keytab 510 rtorrent 511 pulse 512 libuuid 513 cscbot
Website UID/GID's
These are used by Suexec to isolate certain websites in separate user accounts.
301 www-webmail 302 www-wiki
Special UID/GID's
10000 sysadmin 10001 syscom 10002 ceo 10003 office 10004 www 10005 csmirror # used by CSCF to rsync our talks to mirror.cs 10006 certs # manages CSC issued certificates 10007 cvsadmin 10008 restrict # contains users allowed to ssh to restricted machines 10009 contest # contest admin/management 10010 git 10011 svn 10012 music 10013 pulseaudio 10014 mirror
Observations
- We don't have any local user accounts in general, save perhaps one created by the installer.
- Only root, local users, and members should have passwords. All other users should not be allowed to log in directly.
- Some groups (e.g. audio) are needed during boot, but also need to have members. We keep them in both files and ldap. Only the copy in LDAP will have any members.
- A user and group should have the same ID if and only if they have the same name. So when creating a new user, don't pick the ID of an existing group, and vice versa.