UID/GID Assignment: Difference between revisions

From CSCWiki
(9 intermediate revisions by 4 users not shown)
Line 1: Line 1:
= Puppet-managed UID/GID's =

501 nvram
502 tss
503 rdma
504 fuse
505 lpadmin
506 camera
507 scanner
508 kvm
509 keytab
510 rtorrent

= UID/GID Ranges =
= UID/GID Ranges =


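Review bot: the removed "Puppet-managed UID/GID's" heading was the only place stating that the 501-510 IDs are deployed by Puppet; the section that replaces it in this revision is titled "Global system UID/GID's" and says nothing about how those IDs reach a host. Suggest keeping one sentence under the new heading, e.g. "These are pushed to every system by Puppet", so the allocation mechanism stays documented alongside the range table's "CSC - we do allocation".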
Line 40: Line 27:
members - members of the CSC
members - members of the CSC
clubs - other organizations
clubs - other organizations

= Global system UID/GID's =

501 nvram
502 tss
503 rdma
504 fuse
505 lpadmin
506 camera
507 scanner
508 kvm
509 keytab
510 rtorrent
511 pulse
512 libuuid
513 cscbot

= Website UID/GID's =

These are used by [[Suexec]] to isolate certain websites in separate user accounts.

301 www-webmail
302 www-wiki

= Special UID/GID's =

10000 sysadmin
10001 syscom
10002 ceo
10003 office
10004 www
10005 csmirror # used by CSCF to rsync our talks to mirror.cs
10006 certs # manages CSC issued certificates
10007 cvsadmin
10008 restrict # contains users allowed to ssh to restricted machines
10009 contest # contest admin/management
10010 git
10011 svn
10012 music
10013 pulseaudio
10014 mirror


= Observations =
= Observations =
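Review bot: 301 www-webmail and 302 www-wiki are CSC-chosen IDs but sit in 100-499, which the UID/GID Ranges table marks as local scope with adduser doing allocation from files; Suexec isolation only behaves consistently if these IDs are identical on every host serving the sites, so either move them into a CSC-allocated global range (500-999 or 10000-19999) or add a row or note to the table recording the exception. Same hunk: 511 pulse and 10013 pulseaudio are distinct IDs with near-identical names, and 10010-10014 carry no purpose comment unlike 10005-10009; a short comment on each (daemon user vs. access group) would keep someone from later collapsing them under the "same ID iff same name" rule.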
Line 45: Line 73:
* We don't have any local user accounts in general, save perhaps one created by the installer.
* We don't have any local user accounts in general, save perhaps one created by the installer.
* Only root, local users, and members should have passwords. All other users should not be allowed to log in directly.
* Only root, local users, and members should have passwords. All other users should not be allowed to log in directly.
* Some users/groups (e.g. audio) are needed during boot, but also need to have members. We keep them in both files and ldap. Only the copy in LDAP will have any members.
* Some groups (e.g. audio) are needed during boot, but also need to have members. We keep them in both files and ldap. Only the copy in LDAP will have any members.
* A user and group should have the same ID if and only if they have the same name. So when creating a new user, don't pick the ID of an existing group, and vice versa.
* A user and group should have the same ID if and only if they have the same name. So when creating a new user, don't pick the ID of an existing group, and vice versa.

[[Category:Systems]]

Latest revision as of 11:43, 30 January 2012

UID/GID Ranges

  Low  High Scope   Authority  Source  Purpose

    0    99 global  Debian     both    system
  100   499 local   mixed      files   system
  500   999 global  CSC        both    system
 1000  9999 local   mixed      files   users
10000 19999 global  CSC        ldap    misc
20000 29999 global  CSC        ldap    members
30000 39999 global  CSC        ldap    clubs

Scope:      global  - id is the same on all systems
            local   - id varies between systems

Authority:  Debian  - Debian does allocation
            mixed   - adduser does allocation
            CSC     - we do allocation

Source:     files   - files, makes no sense in LDAP
            ldap    - LDAP, makes no sense in files
            both    - files, add to LDAP if it has members from LDAP

Purpose:    system  - root, daemons, devices, etc
            users   - local users
            misc    - csc administrivia e.g. sysadmin, office
            members - members of the CSC
            clubs   - other organizations

Global system UID/GID's

501     nvram
502     tss
503     rdma
504     fuse
505     lpadmin
506     camera
507     scanner
508     kvm
509     keytab
510     rtorrent
511     pulse
512     libuuid
513     cscbot

Website UID/GID's

These are used by Suexec to isolate certain websites in separate user accounts.

301     www-webmail
302     www-wiki

Special UID/GID's

10000   sysadmin
10001   syscom
10002   ceo
10003   office
10004   www
10005   csmirror    # used by CSCF to rsync our talks to mirror.cs
10006   certs       # manages CSC issued certificates
10007   cvsadmin
10008   restrict    # contains users allowed to ssh to restricted machines
10009   contest     # contest admin/management
10010   git
10011   svn
10012   music
10013   pulseaudio
10014   mirror

Observations

  • We don't have any local user accounts in general, save perhaps one created by the installer.
  • Only root, local users, and members should have passwords. All other users should not be allowed to log in directly.
  • Some groups (e.g. audio) are needed during boot, but also need to have members. We keep them in both files and ldap. Only the copy in LDAP will have any members.
  • A user and group should have the same ID if and only if they have the same name. So when creating a new user, don't pick the ID of an existing group, and vice versa.
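As an added example (not from the CSCWiki page or any CSC tooling), the following Python audits passwd/group/shadow-style records against the range table and the three rules in Observations: every UID must fall in a documented range, a user and a group share an ID only when they share a name, and only root, local users and members may carry a password hash. The sample accounts, group memberships and hash strings are constructed for the demonstration.

```python
"""Audit passwd/group/shadow records against the CSC UID/GID ranges and Observations."""

# (low, high, purpose) rows of the UID/GID Ranges table; scope/source omitted here.
RANGES = [(0, 99, "system"), (100, 499, "system"), (500, 999, "system"),
          (1000, 9999, "users"), (10000, 19999, "misc"),
          (20000, 29999, "members"), (30000, 39999, "clubs")]
PASSWORD_OK = {"users", "members"}  # plus root; every other account is no-login

def classify(uid):
    """Purpose of the range holding uid, or None if uid is in no documented range."""
    return next((p for lo, hi, p in RANGES if lo <= uid <= hi), None)

def ids(text):
    """name -> numeric id from passwd- or group-style lines (third field)."""
    return {l.split(":")[0]: int(l.split(":")[2]) for l in text.splitlines() if l}

def audit(passwd, group, shadow):
    """Return (rule, name) pairs for accounts that violate the wiki's rules."""
    users, groups = ids(passwd), ids(group)
    hashes = {l.split(":")[0]: l.split(":")[1] for l in shadow.splitlines() if l}
    gid_owner = {gid: n for n, gid in groups.items()}
    problems = []
    for name, uid in users.items():
        purpose = classify(uid)
        if purpose is None:
            problems.append(("uid outside every documented range", name))
        # Rule: a user and group have the same ID if and only if they share a name.
        if gid_owner.get(uid, name) != name:
            problems.append(("uid reuses the GID of a different group", name))
        if name in groups and groups[name] != uid:
            problems.append(("user and group share a name but not an ID", name))
        # Rule: only root, local users and members should have passwords.
        h = hashes.get(name, "!")  # missing shadow entry is treated as locked
        if (h not in ("", "*") and not h.startswith("!")
                and name != "root" and purpose not in PASSWORD_OK):
            problems.append(("password on a no-login account", name))
    return problems

# Constructed sample records (hypothetical accounts, not from any CSC host).
PASSWD = ("root:x:0:0:root:/root:/bin/bash\nfuse:x:504:504::/:/usr/sbin/nologin\n"
          "alice:x:1001:1001::/home/alice:/bin/bash\nwww-wiki:x:302:302::/srv/wiki:/usr/sbin/nologin\n"
          "certs:x:10006:10006::/:/usr/sbin/nologin\nbuilder:x:10010:10010::/:/usr/sbin/nologin\n"
          "stray:x:45000:45000::/:/usr/sbin/nologin\n")
GROUP = "root:x:0:\nfuse:x:504:\nalice:x:1002:\nwww-wiki:x:302:\ncerts:x:10006:\ngit:x:10010:alice\n"
SHADOW = ("root:$6$c0nstructed:::\nfuse:*:::\nalice:$6$c0nstructed:::\n"
          "www-wiki:!:::\ncerts:$6$c0nstructed:::\nbuilder:!:::\nstray:!:::\n")
```

Running `audit(PASSWD, GROUP, SHADOW)` on the sample flags alice (name shared, IDs differ), certs (misc account with a hash), builder (UID 10010 taken by group git) and stray (UID 45000 unassigned); root and fuse pass.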