UID/GID Ranges
Scope Authority Source Purpose
0 99 global Debian both system
100 499 local mixed files system
500 999 global CSC both system
1000 9999 local mixed files users
10000 19999 global CSC ldap misc
20000 29999 global CSC ldap members
30000 39999 global CSC ldap clubs
Scope: global - id is the same on all systems
local - id varies between systems
Authority: Debian - Debian does allocation
mixed - adduser does allocation
CSC - we do allocation
Source: files - files, makes no sense in LDAP
ldap - LDAP, makes no sense in files
both - files, add to LDAP if it has members from LDAP
Purpose: system - root, daemons, devices, etc
users - local users
misc - csc administrivia e.g. sysadmin, office
members - members of the CSC
clubs - other organizations
Puppet-managed UID/GID's
501 nvram
502 tss
503 rdma
504 fuse
505 lpadmin
506 camera
507 scanner
508 kvm
509 keytab
510 rtorrent
511 pulse
512 libuuid
Special UID/GID's
10000 sysadmin
10001 syscom
10002 ceo
10003 office
10004 www
10005 csmirror # used by CSCF to rsync our talks to mirror.cs
10006 certs # manages CSC issued certificates
10007 cvsadmin
10008 restrict # contains users allowed to ssh to restricted machines
10009 contest # contest admin/management
10010 git
10011 svn
10012 music
10013 pulseaudio
10014 mirror
Observations
- We don't have any local user accounts in general, save perhaps one created by the installer.
- Only root, local users, and members should have passwords. All other users should not be allowed to log in directly.
- Some groups (e.g. audio) are needed during boot, but also need to have members. We keep them in both files and ldap. Only the copy in LDAP will have any members.
- A user and group should have the same ID if and only if they have the same name. So when creating a new user, don't pick the ID of an existing group, and vice versa.