Dave Brown wrote:
I've noticed a bit of an interesting thing with regards to the numbering
of new users and groups when using the useradd and groupadd (and
luseradd / lgroupadd) commands.
Fresh system with no user accounts on it.
Create a group called "myfamily" using "groupadd myfamily" - the file
/etc/group now has the entry "myfamily:x:500".
Create the user "brother" using "useradd brother" - the file
/etc/passwd now has "brother:x:500:501::/home/brother:/bin/bash" and
/etc/group has "brother:x:501"
As you can see the utilities have created the user brother with a userid
of 500 and a groupid of 501. All the system accounts (and any users you
created before you created the group) will have the groupid equal to
the userid. The unequal userid / groupid combo doesn't cause a problem as
the home directory permissions created for the user are fine.
I've done a fair bit of work with user accounts / groups stored in
OpenLDAP and have had to deal with referencing user accounts and
changing permissions etc. by the userid/groupid and not by the name, and
have found recently that the above behaviour has been causing me
problems as I have been (stupidly?) assuming that the user's groupid is
the same as their userid and inadvertently granting group rights to the
wrong user / group. Talk about creating myself a security problem!!!
I'm interested to hear what other people think about this. Am I just
being pedantic? :o) Does anyone think that the behaviour of these tools
should be changed to utilise a user/group id that is unique within BOTH
the passwd and group files? Has anyone encountered other issues as a
result of this? If I'm encountering this problem should I just accept it
and change my login.defs file so all userids start at 500 and all groups
at 1000?
By the way I'm using FC4 with all the latest patches, I can't
remember if this behaviour happened on earlier FCs or RHELs and I don't
have any machines with these OSs handy to give it a quick test.
Cheers
Dave Brown
The issue is you have already used the group id that should have been
given to user 500.
I create custom groups outside the range of the number of users I
expect on the system. At home I created custom groups that were in
the 1000's.
At work we use NIS and when I set up my computer with Linux, I had the
wrong user and group ids for the NIS server as I set up the box before
I had NIS working. What a mess that caused for me.
You are correct that it is a security issue as many items are
controlled by id/group numbers. Recently moving from FC1 to FC4
showed this again as I re-created all the account info. Of course I
had the same problem you did as the groups and users were created out
of order in the original install in their home directories.
It took some time of moving groups around and doing chown chgrp on
various directories to get permissions correct again. At least now I
have room to add some more users without getting into the custom groups.
Maybe the adduser tool should automatically create custom groups in a
high range, such as 60,000 by default, if you just want to add a
group and not a user.
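Both posts above describe the same trap: once a group has taken a number in the 500 range, the next useradd hands out a UID and a primary GID that no longer match, and any permission set "by number" on the assumption that uid == gid lands on the wrong group. The script below is an added example for auditing that condition and for picking the next id that is free in BOTH files, as Dave proposes; it is not code from either poster, nor from shadow-utils. The passwd and group contents are constructed to reproduce the thread's scenario (group "myfamily" took 500, user "brother" got 500/501, plus a "guest" account deliberately attached to the "myfamily" group), and the 500 lower bound mirrors the FC4 UID_MIN the posters are working with.

```shell
#!/bin/sh
# Added example (not from the thread): find accounts whose UID and primary
# GID diverge, or whose primary group is not the user-private group of the
# same name, and compute the next id unused in both passwd and group.

# Write constructed sample files mirroring the scenario in the thread.
# Sets SAMPLE_PASSWD and SAMPLE_GROUP to the temp file paths.
write_samples() {
  SAMPLE_PASSWD=$(mktemp)
  SAMPLE_GROUP=$(mktemp)
  cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
brother:x:500:501::/home/brother:/bin/bash
sister:x:501:502::/home/sister:/bin/bash
guest:x:503:500::/home/guest:/bin/bash
EOF
  cat > "$SAMPLE_GROUP" <<'EOF'
root:x:0:
myfamily:x:500:
brother:x:501:
sister:x:502:
EOF
}

# uid_gid_mismatches PASSWD_FILE GROUP_FILE [MIN_ID]
# Prints one line per non-system account that violates the uid == gid
# assumption or whose primary group is not named after the user:
#   user uid gid primary_group_name flags
uid_gid_mismatches() {
  awk -F: -v min="${3:-500}" '
    # First file is the group file: remember which name owns each GID.
    FNR == NR { gname[$3] = $1; next }
    # Second file is passwd: check every account at or above MIN_ID.
    $3 >= min {
      g = ($4 in gname) ? gname[$4] : "(no such group)"
      flags = ""
      if ($3 != $4) flags = "uid!=gid"
      if (g != $1) flags = flags (flags != "" ? "," : "") "name!=group"
      if (flags != "") print $1, $3, $4, g, flags
    }' "$2" "$1"
}

# next_shared_free_id PASSWD_FILE GROUP_FILE [MIN_ID]
# Smallest id >= MIN_ID that is neither a UID in passwd nor a GID in group,
# so a user created with it can get the same number for its private group.
next_shared_free_id() {
  awk -F: -v min="${3:-500}" '
    FNR == NR { used[$3] = 1; next }   # GIDs from the group file
    { used[$3] = 1 }                   # UIDs from the passwd file
    END { id = min; while (id in used) id++; print id }' "$2" "$1"
}

# Stand-alone run: audit the constructed files and clean them up afterwards.
write_samples
trap 'rm -f "$SAMPLE_PASSWD" "$SAMPLE_GROUP"' EXIT
echo "accounts breaking the uid == gid / private-group assumption:"
uid_gid_mismatches "$SAMPLE_PASSWD" "$SAMPLE_GROUP"
echo "next id free in both files: $(next_shared_free_id "$SAMPLE_PASSWD" "$SAMPLE_GROUP")"
```

On a real host the two functions can be pointed at /etc/passwd and /etc/group directly (or at getent output when accounts live in LDAP or NIS); any line flagged name!=group is a candidate for the misdirected group rights both posters ran into, and the next-free-id helper is the manual equivalent of the "unique within BOTH files" behaviour Dave asks the tools to adopt. Note that plain "highest UID + 1" would return 502 here, which the group file has already taken.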