Re: ID Numbering in Group and Passwd


 



Dave Brown wrote:
I've noticed a bit of an interesting thing with regards to the numbering of new users and groups when using the useradd and groupadd (and luseradd / lgroupadd) commands.

Fresh system with no user accounts on it.
Create a group called "myfamily" using "groupadd myfamily" - the file /etc/group now has the entry "myfamily:x:500". Create the user "brother" using "useradd brother" - the file /etc/passwd now has "brother:x:500:501::/home/brother:/bin/bash" and /etc/group has "brother:x:501"

As you can see, the utilities have created the user brother with a userid of 500 and a groupid of 501. All the system accounts (and if you created any users before you created the group) will have the groupid equal to the userid. The unequal userid / groupid combo doesn't cause a problem as the home directory permissions created for the user are fine.

I've done a fair bit of work with user accounts / groups stored in OpenLDAP and have had to deal with referencing user accounts and changing permissions etc. by the userid/groupid and not by the name, and have found recently that the above behaviour has been causing me problems as I have been (stupidly?) assuming that the user's groupid is the same as their userid and inadvertently granting group rights to the wrong user / group. Talk about creating myself a security problem!!!

I'm interested to hear what other people think about this. I am just being pedantic :o) Does anyone think that the behaviour of these tools should be changed to utilise a user/group id that is unique within BOTH the passwd and group files? Has anyone encountered other issues as a result of this? If I'm encountering this problem, should I just accept it and change my login.defs file so all userids start at 500 and all groups at 1000?

By the way, I'm using FC4 with all the latest patches. I can't remember if this behaviour happened on earlier FCs or RHELs and I don't have any machines with these OSs handy to give it a quick test.

Cheers
Dave Brown


The issue is you have already used the group id that should have been given to user 500.

I create custom groups outside the range of the number of users I expect on the system. At home I created custom groups that were in the 1000's.

At work we use NIS, and when I set up my computer with Linux, I had the wrong user and group IDs for the NIS server as I set up the box before I had NIS working. What a mess that caused for me.

You are correct that it is a security issue as many items are controlled by id/group numbers. Recently moving from FC1 to FC4 showed this again as I re-created all the account info. Of course I had the same problem you did as the groups and users were created out of order in the original install in their home directories.

It took some time of moving groups around and doing chown chgrp on various directories to get permissions correct again. At least now I have room to add some more users without getting into the custom groups.

Maybe the adduser tool should automatically create custom groups in a high range, such as 60,000 by default, if you just want to add a group and not a user.
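
Added example, not part of the original thread: a small Python audit that lists every account whose primary GID differs from its UID, and names any group whose GID equals that UID (the group that would wrongly receive rights if a script assumed GID == UID). The sample passwd and group text is constructed from the entries quoted in the thread plus a root entry; the function names are illustrative.

```python
# Constructed sample data mirroring the thread: "myfamily" was created first
# and took GID 500, so user "brother" got UID 500 but primary GID 501.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
brother:x:500:501::/home/brother:/bin/bash
"""
SAMPLE_GROUP = """\
root:x:0:
myfamily:x:500:
brother:x:501:
"""

def _fields(text, minimum):
    """Yield colon-split fields for each non-empty, non-comment line."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = line.split(":")
            if len(parts) >= minimum:
                yield parts

def parse_passwd(text):
    """Return {username: (uid, primary_gid)} from passwd-format text."""
    return {f[0]: (int(f[2]), int(f[3])) for f in _fields(text, 4)}

def parse_group(text):
    """Return {gid: [group names]} from group-format text."""
    groups = {}
    for f in _fields(text, 3):
        groups.setdefault(int(f[2]), []).append(f[0])
    return groups

def audit(passwd_text, group_text):
    """List (user, uid, gid, groups_with_gid_equal_to_uid) where uid != gid."""
    groups = parse_group(group_text)
    findings = []
    for user, (uid, gid) in sorted(parse_passwd(passwd_text).items()):
        if uid != gid:
            # Any group here is what "chgrp <uid>" would actually target.
            findings.append((user, uid, gid, groups.get(uid, [])))
    return findings

if __name__ == "__main__":
    for user, uid, gid, wrong in audit(SAMPLE_PASSWD, SAMPLE_GROUP):
        print(f"{user}: uid={uid} primary gid={gid}; "
              f"gid {uid} belongs to: {', '.join(wrong) or '(no group)'}")
```

To check a real host, pass the contents of /etc/passwd and /etc/group (or `getent passwd` and `getent group` output when accounts live in LDAP or NIS) to `audit()` instead of the sample strings.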

