UID/GID Assignment: Difference between revisions

From CSCWiki
Jump to navigation Jump to search
 
(6 intermediate revisions by 3 users not shown)
Line 28: Line 28:
clubs - other organizations
clubs - other organizations


= Puppet-managed UID/GID's =
= Global system UID/GID's =


501 nvram
501 nvram
Line 40: Line 40:
509 keytab
509 keytab
510 rtorrent
510 rtorrent
511 pulse
512 libuuid
513 cscbot

= Website UID/GID's =

These are used by [[Suexec]] to isolate certain websites in separate user accounts.

301 www-webmail
302 www-wiki


= Special UID/GID's =
= Special UID/GID's =
Line 53: Line 63:
10008 restrict # contains users allowed to ssh to restricted machines
10008 restrict # contains users allowed to ssh to restricted machines
10009 contest # contest admin/management
10009 contest # contest admin/management
10010 git
10011 svn
10012 music
10013 pulseaudio
10014 mirror


= Observations =
= Observations =
Line 60: Line 75:
* Some groups (e.g. audio) are needed during boot, but also need to have members. We keep them in both files and ldap. Only the copy in LDAP will have any members.
* Some groups (e.g. audio) are needed during boot, but also need to have members. We keep them in both files and ldap. Only the copy in LDAP will have any members.
* A user and group should have the same ID if and only if they have the same name. So when creating a new user, don't pick the ID of an existing group, and vice versa.
* A user and group should have the same ID if and only if they have the same name. So when creating a new user, don't pick the ID of an existing group, and vice versa.

[[Category:Systems]]

Latest revision as of 11:43, 30 January 2012

UID/GID Ranges

            Scope   Authority  Source  Purpose

    0    99 global  Debian     both    system
  100   499 local   mixed      files   system
  500   999 global  CSC        both    system
 1000  9999 local   mixed      files   users
10000 19999 global  CSC        ldap    misc
20000 29999 global  CSC        ldap    members
30000 39999 global  CSC        ldap    clubs

Scope:      global  - id is the same on all systems
            local   - id varies between systems

Authority:  Debian  - Debian does allocation
            mixed   - adduser does allocation
            CSC     - we do allocation

Source:     files   - files, makes no sense in LDAP
            ldap    - LDAP, makes no sense in files
            both    - files, add to LDAP if it has members from LDAP

Purpose:    system  - root, daemons, devices, etc
            users   - local users
            misc    - csc administrivia e.g. sysadmin, office
            members - members of the CSC
            clubs   - other organizations

Global system UID/GID's

501     nvram
502     tss
503     rdma
504     fuse
505     lpadmin
506     camera
507     scanner
508     kvm
509     keytab
510     rtorrent
511     pulse
512     libuuid
513     cscbot

Website UID/GID's

These are used by Suexec to isolate certain websites in separate user accounts.

301     www-webmail
302     www-wiki

Special UID/GID's

10000   sysadmin
10001   syscom
10002   ceo
10003   office
10004   www
10005   csmirror    # used by CSCF to rsync our talks to mirror.cs
10006   certs       # manages CSC issued certificates
10007   cvsadmin
10008   restrict    # contains users allowed to ssh to restricted machines
10009   contest     # contest admin/management
10010   git
10011   svn
10012   music
10013   pulseaudio
10014   mirror

Observations

  • We don't have any local user accounts in general, save perhaps one created by the installer.
  • Only root, local users, and members should have passwords. All other users should not be allowed to log in directly.
  • Some groups (e.g. audio) are needed during boot, but also need to have members. We keep them in both files and ldap. Only the copy in LDAP will have any members.
  • A user and group should have the same ID if and only if they have the same name. So when creating a new user, don't pick the ID of an existing group, and vice versa.