Re: ID Numbering in Group and Passwd

From: Robin Laing (Robin.Laing_at_drdc-rddc.gc.ca)
Date: 11/23/05

    Date: Wed, 23 Nov 2005 10:46:08 -0700
    To: For users of Fedora Core releases <fedora-list@redhat.com>
    
    

    Dave Brown wrote:
    > I've noticed a bit of an interesting thing with regards to the numbering
    > of new users and groups when using the useradd and groupadd (and
    > luseradd / lgroupadd) commands.
    >
    > Fresh system with no user accounts on it.
    > Create a group called "myfamily" using "groupadd myfamily" - the file
    > /etc/group now has the entry "myfamily:x:500".
    > Create the user "brother" using "useradd brother" - the file
    > /etc/passwd now has "brother:x:500:501::/home/brother:/bin/bash" and
    > /etc/group has "brother:x:501"
    >
    > As you can see the utilities have created the user brother with a userid
    > of 500 and a groupid of 501. All the system accounts (and if you created
    > any users before you created the group) will have the groupid equal to
    > the userid. The unequal userid / groupid combo doesn't cause a problem as
    > the home directory permissions created for the user are fine.
    >
    > I've done a fair bit of work with user accounts / groups stored in
    > OpenLDAP and have had to deal with referencing user accounts and
    > changing permissions etc by the userid/groupid and not by the name and
    > have found recently that the above behaviour has been causing me
    > problems as I have been (stupidly?) assuming that the user's groupid is
    > the same as their userid and inadvertently granting group rights to the
    > wrong user / group. Talk about creating myself a security problem!!!
    >
    > I'm interested to hear what other people think about this. I am just
    > being pedantic :o) Does anyone think that the behaviour of these tools
    > should be changed to utilise a user/group id that is unique within BOTH
    > the passwd and group files? Has anyone encountered other issues as a
    > result of this? If I'm encountering this problem should I just accept it
    > and change my login.defs file so all userids start at 500 and all groups
    > at 1000?
    >
    > By the way I'm using FC4 with all the latest patches, I can't
    > remember if this behaviour happened on earlier FCs or RHELs and I don't
    > have any machines with these OSs handy to give it a quick test.
    >
    > Cheers
    > Dave Brown
    >

    The issue is you have already used the group id that should have been
    given to user 500.

    I create custom groups outside the range of the number of users I
    expect on the system. At home I created custom groups that were in
    the 1000's.

    At work we use NIS and when I set up my computer to Linux, I had the
    wrong user and group IDs for the NIS server as I set up the box before
    I had NIS working. What a mess that caused for me.

    You are correct that it is a security issue as many items are
    controlled by id/group numbers. Recently moving from FC1 to FC4
    showed this again as I re-created all the account info. Of course I
    had the same problem you did as the groups and users were created out
    of order in the original install in their home directories.

    It took some time of moving groups around and doing chown chgrp on
    various directories to get permissions correct again. At least now I
    have room to add some more users without getting into the custom groups.

    Maybe the adduser tool should automatically create custom groups in a
    high range, such as 60,000 by default, if you just want to add a
    group and not a user.

    -- 
    fedora-list mailing list
    fedora-list@redhat.com
    To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
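
Added example, not part of either poster's message: a small audit that parses passwd and group data and lists every account whose primary GID differs from its UID, together with the group a script would actually touch if it used the UID as a GID. The sample data is constructed from the state described in the thread; the function and field names are hypothetical.

```python
"""Audit passwd/group data for the UID == GID assumption (added example)."""

# Constructed sample reproducing the state described in the thread.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
brother:x:500:501::/home/brother:/bin/bash
"""
SAMPLE_GROUP = """\
root:x:0:
myfamily:x:500:
brother:x:501:
"""


def parse_colon_file(text, min_fields):
    """Yield field lists from passwd/group style text, skipping junk lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= min_fields and fields[2].isdigit():
            yield fields


def audit_id_assumption(passwd_text, group_text):
    """Return one finding per user whose primary GID differs from the UID.

    Each finding names the group a script would really hit if it used the
    UID as a GID (None when no group has that number).
    """
    gid_to_name = {int(f[2]): f[0] for f in parse_colon_file(group_text, 3)}
    findings = []
    for f in parse_colon_file(passwd_text, 4):
        if not f[3].isdigit():
            continue
        user, uid, gid = f[0], int(f[2]), int(f[3])
        if uid != gid:
            findings.append({
                "user": user, "uid": uid, "primary_gid": gid,
                "primary_group": gid_to_name.get(gid),
                "group_with_gid_eq_uid": gid_to_name.get(uid),
            })
    return findings


if __name__ == "__main__":
    for finding in audit_id_assumption(SAMPLE_PASSWD, SAMPLE_GROUP):
        print(finding)
```

On a live system the same function can be fed the contents of /etc/passwd and /etc/group; accounts served from NIS or LDAP are not in those files and need their own export.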
    
