Re: ID Numbering in Group and Passwd

On Wed, 2005-11-23 at 10:46 -0700, Robin Laing wrote:
> Dave Brown wrote:
> > I've noticed a bit of an interesting thing with regards to the numbering 
> > of new users and groups when using the useradd and groupadd (and 
> > luseradd / lgroupadd) commands.
> > 
> > Fresh system with no user accounts on it.
> > Create a group called "myfamily" using "groupadd myfamily" - the file 
> > /etc/group now has the entry "myfamily:x:500".
> > Create the user "brother" using "useradd brother"  - the file 
> > /etc/passwd now has "brother:x:500:501::/home/brother:/bin/bash" and 
> > /etc/group has "brother:x:501"
> > 
> > As you can see the utilities have created the user brother with a userid 
> > of 500 and a groupid of 501. All the system accounts (and if you created 
> > any users before you created the group) will have the groupid equal to 
> > the userid. The unequal userid / groupid combo doesn't cause a problem as 
> > the home directory permissions created for the user are fine.
> > 
> > I've done a fair bit of work with user accounts / groups stored in 
> > OpenLDAP and have had to deal with referencing user accounts and 
> > changing permissions etc by the userid/groupid and not by the name and 
> > have found recently that the above behaviour has been causing me 
> > problems as I have been (stupidly?) assuming that the user's groupid is 
> > the same as their userid and inadvertently granting group rights to the 
> > wrong user / group. Talk about creating myself a security problem!!!
> > 
> > I'm interested to hear what other people think about this. I am just 
> > being pedantic :o) Does anyone think that the behaviour of these tools 
> > should be changed to utilise a user/group id that is unique within BOTH 
> > the passwd and group files? Has anyone encountered other issues as a 
> > result of this? If I'm encountering this problem should I just accept it 
> > and change my login.defs file so all userids start at 500 and all groups 
> > at 1000?
> > 
> > By the way I'm using FC4 with all the latest patches, I can't 
> > remember if this behaviour happened on earlier FCs or RHELs and I don't 
> > have any machines with these OSs handy to give it a quick test.
> > 
> > Cheers
> > Dave Brown
> > 
> 
> The issue is you have already used the group id that should have been 
> given to user 500.
> 
> I create custom groups outside the range of the number of users I 
> expect on the system.  At home I created custom groups that were in 
> the 1000's.
> 
> At work we use NIS and when I set up my computer to Linux, I had the 
> wrong user and group IDs for the NIS server as I set up the box before 
> I had NIS working.  What a mess that caused for me.
> 
> You are correct that it is a security issue as many items are 
> controlled by id/group numbers.  Recently moving from FC1 to FC4 
> showed this again as I re-created all the account info.  Of course I 
> had the same problem you did as the groups and users were created out 
> of order in the original install in their home directories.
> 
> It took some time of moving groups around and doing chown chgrp on 
> various directories to get permissions correct again.  At least now I 
> have room to add some more users without getting into the custom groups.
> 
> Maybe the adduser tool should automatically create custom groups in a 
> high range, such as 60,000 by default.  If you just want to add a 
> group and not user.
----
I think that you will find a number of these 'defaults' can be adjusted by
editing:

/etc/default/useradd
/etc/login.defs

Craig
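
Added example, not part of the original messages: a POSIX shell function that reads a passwd file and a group file and reports every account whose primary GID differs from its UID, along with the group that actually owns the number equal to the UID (the group a "gid == uid" assumption would touch). The function names, the default floor of 500 (taken from the UIDs quoted in the thread) and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# audit_id_mismatch PASSWD_FILE GROUP_FILE [MIN_UID]
# Prints one line per account with uid != gid:
#   user uid=N gid=M primary_group=NAME gid_equal_to_uid=NAME
# primary_group is MISSING if the GID has no group entry;
# gid_equal_to_uid is "-" if no group uses the UID's number.
audit_id_mismatch() {
    awk -F: -v min="${3:-500}" '
        # First operand (group file): remember which name owns each GID.
        FILENAME == ARGV[1] { if ($3 != "") gname[$3] = $1; next }
        # Second operand (passwd): name:pw:uid:gid:gecos:home:shell
        $3 + 0 >= min && $3 != $4 {
            primary = ($4 in gname) ? gname[$4] : "MISSING"
            other   = ($3 in gname) ? gname[$3] : "-"
            printf "%s uid=%s gid=%s primary_group=%s gid_equal_to_uid=%s\n",
                   $1, $3, $4, primary, other
        }
    ' "$2" "$1"
}

# Constructed sample files reproducing the sequence described in the thread:
# "groupadd myfamily" takes GID 500, then "useradd brother" gets UID 500
# with a private group at GID 501.
demo_thread_case() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
                  'brother:x:500:501::/home/brother:/bin/bash' > "$dir/passwd"
    printf '%s\n' 'root:x:0:' 'myfamily:x:500:' 'brother:x:501:' > "$dir/group"
    audit_id_mismatch "$dir/passwd" "$dir/group"
    rm -rf "$dir"
}

demo_thread_case
```

On a live system the same function can be pointed at `/etc/passwd` and `/etc/group`, or at files exported from a directory service.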

