UID/GID Assignment: Difference between revisions

Revision as of 02:04, 28 November 2007

UID/GID Ranges

  From     To  Scope   Authority  Source  Purpose

     0     99  global  Debian     both    system
   100    499  local   mixed      files   system
   500    999  global  CSC        both    system
  1000   9999  local   mixed      files   users
 10000  19999  global  CSC        ldap    misc
 20000  29999  global  CSC        ldap    members
 30000  39999  global  CSC        ldap    clubs

Scope:      global  - id is the same on all systems
            local   - id varies between systems

Authority:  Debian  - Debian does allocation
            mixed   - adduser does allocation
            CSC     - we do allocation

Source:     files   - kept in files only; the id makes no sense in LDAP
            ldap    - kept in LDAP only; the id makes no sense in files
            both    - kept in files; also added to LDAP if the group has members from LDAP

Purpose:    system  - root, daemons, devices, etc
            users   - local users
            misc    - csc administrivia e.g. sysadmin, office
            members - members of the CSC
            clubs   - other organizations

Puppet-managed UIDs/GIDs

501     nvram
502     tss
503     rdma
504     fuse
505     lpadmin
506     camera
507     scanner
508     kvm
509     keytab
510     rtorrent

Special UIDs/GIDs

10000   sysadmin
10001   syscom
10002   ceo
10003   office
10004   www
10005   csmirror    # used by CSCF to rsync our talks to mirror.cs
10006   certs       # manages CSC issued certificates
10007   cvsadmin
10008   restrict    # contains users allowed to ssh to restricted machines

Observations

  • We don't have any local user accounts in general, save perhaps one created by the installer.
  • Only root, local users, and members should have passwords. All other users should not be allowed to log in directly.
  • Some groups (e.g. audio) are needed during boot, but also need to have members. We keep them in both files and LDAP. Only the copy in LDAP will have any members.
  • A user and group should have the same ID if and only if they have the same name. So when creating a new user, don't pick the ID of an existing group, and vice versa.