On Wed, 2005-11-23 at 10:46 -0700, Robin Laing wrote:
> Dave Brown wrote:
> > I've noticed a bit of an interesting thing with regards to the numbering of new users and groups when using the useradd and groupadd (and luseradd / lgroupadd) commands.
> >
> > Fresh system with no user accounts on it.
> > Create a group called "myfamily" using "groupadd myfamily" - the file /etc/group now has the entry "myfamily:x:500".
> > Create the user "brother" using "useradd brother" - the file /etc/passwd now has "brother:x:500:501::/home/brother:/bin/bash" and /etc/group has "brother:x:501".
> >
> > As you can see the utilities have created the user brother with a userid of 500 and a groupid of 501. All the system accounts (and if you created any users before you created the group) will have the groupid equal to the userid. The unequal userid / groupid combo doesn't cause a problem as the home directory permissions created for the user are fine.
> >
> > I've done a fair bit of work with user accounts / groups stored in OpenLDAP and have had to deal with referencing user accounts and changing permissions etc. by the userid/groupid and not by the name, and have found recently that the above behaviour has been causing me problems as I have been (stupidly?) assuming that the user's groupid is the same as their userid and inadvertently granting group rights to the wrong user / group. Talk about creating myself a security problem!!!
> >
> > I'm interested to hear what other people think about this. Am I just being pedantic :o) Does anyone think that the behaviour of these tools should be changed to utilise a user/group id that is unique within BOTH the passwd and group files? Has anyone encountered other issues as a result of this? If I'm encountering this problem should I just accept it and change my login.defs file so all userids start at 500 and all groups at 1000?
> >
> > By the way I'm using FC4 with all the latest patches. I can't remember if this behaviour happened on earlier FCs or RHELs and I don't have any machines with these OSs handy to give it a quick test.
> >
> > Cheers
> > Dave Brown
>
> The issue is you have already used the group id that should have been given to user 500.
>
> I create custom groups outside the range of the number of users I expect on the system. At home I created custom groups that were in the 1000's.
>
> At work we use NIS and when I set up my computer to Linux, I had the wrong user and group id's for the NIS server as I set up the box before I had NIS working. What a mess that caused for me.
>
> You are correct that it is a security issue as many items are controlled by id/group numbers. Recently moving from FC1 to FC4 showed this again as I re-created all the account info. Of course I had the same problem you did as the groups and users were created out of order in the original install in their home directories.
>
> It took some time of moving groups around and doing chown / chgrp on various directories to get permissions correct again. At least now I have room to add some more users without getting into the custom groups.
>
> Maybe the adduser tool should automatically create custom groups in a high range, such as 60,000 by default, if you just want to add a group and not a user.

----

I think that you will find a number of these 'defaults' can be adjusted by editing:

/etc/default/useradd
/etc/login.defs

Craig
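As an added example that is not part of the thread above, the following POSIX shell script does two things the discussion calls for: it audits a passwd/group pair for accounts whose primary GID is not equal to their UID (the assumption Dave says bit him), and it computes the "next id unique in BOTH files" allocation he proposes. The sample passwd and group contents are constructed for the example (Dave's "myfamily"/"brother" entries plus an invented "sister" account); the function names check_uid_gid, next_free_id and make_sample_files are mine, not from any distribution tool.

```shell
#!/bin/sh
# Added example (not from the original thread): audit UID/GID mismatches
# and allocate an id that is free in both passwd and group.
# Requires only sh and awk. Run against a real system with:
#   check_uid_gid /etc/passwd /etc/group
#   next_free_id  /etc/passwd /etc/group 500

# Constructed sample data reproducing the situation described in the thread:
# the group "myfamily" took gid 500 first, so "brother" got uid 500 / gid 501,
# and a later "sister" account is offset the same way.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
brother:x:500:501::/home/brother:/bin/bash
sister:x:501:502::/home/sister:/bin/bash'

SAMPLE_GROUP='root:x:0:
myfamily:x:500:
brother:x:501:
sister:x:502:'

# Write the sample files into a fresh temp directory and print its path.
make_sample_files() {
    dir=$(mktemp -d)
    printf '%s\n' "$SAMPLE_PASSWD" > "$dir/passwd"
    printf '%s\n' "$SAMPLE_GROUP"  > "$dir/group"
    printf '%s\n' "$dir"
}

# Print one line per account whose primary GID differs from its UID, naming
# the group that actually owns that GID (the group a "uid == gid" assumption
# would silently grant rights to). Arguments: passwd file, group file.
check_uid_gid() {
    awk -F: '
        NR == FNR { gname[$3] = $1; next }          # group file: gid -> name
        $3 != $4 {                                   # passwd: uid != primary gid
            g = ($4 in gname) ? gname[$4] : "<none>"
            printf "%s uid=%s gid=%s (gid %s belongs to group %s)\n", $1, $3, $4, $4, g
        }
    ' "$2" "$1"
}

# Smallest id >= $3 that is used neither as a UID in passwd nor as a GID in
# group: the "unique within both files" allocation suggested in the thread.
next_free_id() {
    awk -F: -v min="$3" '
        { used[$3] = 1 }                             # field 3 is uid or gid in both files
        END { id = min + 0; while (id in used) id++; print id }
    ' "$1" "$2"
}

# Demonstration on the constructed sample.
dir=$(make_sample_files)
echo "Accounts whose primary GID is not their UID:"
check_uid_gid "$dir/passwd" "$dir/group"
echo "Next id free in both files, starting at 500: $(next_free_id "$dir/passwd" "$dir/group" 500)"
rm -rf "$dir"
```

On the sample this reports brother (uid 500, gid 501) and sister (uid 501, gid 502) and allocates 503 as the first id unused in both files. If you prefer Dave's alternative of keeping the ranges apart instead of allocating jointly, the UID_MIN and GID_MIN settings in /etc/login.defs are the knobs that useradd and groupadd read for their starting points; that only avoids future collisions, so the audit above is still worth running on existing accounts.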