[I'm starting a new thread here as I know many of our colleagues out
there prefer that to happen when a current thread starts to veer a
little off the original topic.  So I've copy/pasted the last entry
under the old thread to this reply.]

Thanks Chris for the info on login.defs.  I did not realize that
file existed.  Other than the occasional rants on this list, I pretty
much learn something new every day, and I've been at this a long time.

It is humbling.

Further comments in-line below.

- Larry

> -------- Forwarded Message --------
> Subject: Re: Bizarre bug
> Date: Tue, 3 Mar 2015 17:00:31 -0600
> From: Ken Teh <[email protected]>
> Organization: Argonne National Laboratory
> To: Chris Schanzle <[email protected]>, [email protected] <[email protected]>
>
> I set mine at uid/gid=2000 and pray it's good till I retire :)

Years ago ('89 I think was my first foray into unix - SunOS), I
chose 666 for my UID and I've made it follow me everywhere since.
Devilishly clever, I thought.  :-)

There's more.  Scroll on down....

> On 03/03/2015 04:44 PM, Chris Schanzle wrote:
>> On 03/03/2015 03:33 PM, P. Larry Nelson wrote:
>> That used to happen in the old days before
>> system-config-users pretty much kept generated UIDs/GIDs well out
>> of the range that an installed piece of software might use.
>> I believe the rule is now that real people users get a UID > 500
>> and installed apps (like ntop, UID:103, GID:160) use UIDs < 500,
>> but I don't know if that's a hard and fast rule with apps or not.
>> I do the same thing with any local group I create - give it a
>> GID > 500.
>
> The authoritative source used by useradd (perhaps others) is /etc/login.defs:
>
> grep ^UID_MIN /etc/login.defs
> UID_MIN              500
>
> Historically it was UID >= 500 (note 500 was the first), in recent Fedoras and EL7, it's now 1000:
>
> grep ^UID_MIN /etc/login.defs
> UID_MIN                  1000
>
>
> Note new systems also have min/max values for system accounts in login.defs:
>
> # Min/max values for automatic uid selection in useradd
> #
> UID_MIN                  1000
> UID
> # System accounts
> SYS_UID
> SYS_UID_MAX               999
>

So, as I understand this, login.defs is only used by useradd (which
I assume system-config-users must invoke)?

What is to govern (other than perhaps some sort of gentleman's
agreement in the app world) what UID/GID an application decides
to grab upon install?

I used the ntop app as an example in a previous post under the
previous thread and noted that it grabbed UID:103, GID:160.
What's to prevent an app from grabbing a UID and GID > 500
(or 1000 in newer releases)?

BTW, as an aside, if you haven't discovered and installed ntop
(epel repo), I highly recommend it.  An amazing admin net tool
that's web based and I'm still learning what all it can do and
display.

- Larry

--
P. Larry Nelson (217-244-9855) | IT Administrator
461 Loomis Lab                 | High Energy Physics Group
1110 W. Green St., Urbana, IL  | Physics Dept., Univ. of Ill.
MailTo:[email protected]    | http://www.brf-llc.com/lnelson/
-------------------------------------------------------------------
 "Information without accountability is just noise."  - P.L. Nelson
