UID/GID Assignment

From CSCWiki
Jump to navigation Jump to search

UID/GID Ranges

            Scope   Authority  Source  Purpose

    0    99 global  Debian     both    system
  100   499 local   mixed      files   system
  500   999 global  CSC        both    system
 1000  9999 local   mixed      files   users
10000 19999 global  CSC        ldap    misc
20000 29999 global  CSC        ldap    members
30000 39999 global  CSC        ldap    clubs

Scope:      global  - id is the same on all systems
            local   - id varies between systems

Authority:  Debian  - Debian does allocation
            mixed   - adduser does allocation
            CSC     - we do allocation

Source:     files   - files, makes no sense in LDAP
            ldap    - LDAP, makes no sense in files
            both    - files, add to LDAP if it has members from LDAP

Purpose:    system  - root, daemons, devices, etc
            users   - local users
            misc    - csc administrivia e.g. sysadmin, office
            members - members of the CSC
            clubs   - other organizations

Puppet-managed UID/GID's

501     nvram
502     tss
503     rdma
504     fuse
505     lpadmin
506     camera
507     scanner
508     kvm
509     keytab
510     rtorrent

Special UID/GID's

10000   sysadmin
10001   syscom
10002   ceo
10003   office
10004   www
10005   csmirror    # used by CSCF to rsync our talks to mirror.cs
10006   certs       # manages CSC issued certificates
10007   cvsadmin
10008   restrict    # contains users allowed to ssh to restricted machines
10009   contest     # contest admin/management

Observations

  • We don't have any local user accounts in general, save perhaps one created by the installer.
  • Only root, local users, and members should have passwords. All other users should not be allowed to log in directly.
  • Some groups (e.g. audio) are needed during boot, but also need to have members. We keep them in both files and ldap. Only the copy in LDAP will have any members.
  • A user and group should have the same ID if and only if they have the same name. So when creating a new user, don't pick the ID of an existing group, and vice versa.