Each user and group in SLES is assigned a unique numeric value, because it is much easier for the operating system to deal with numbers than with text strings. The number associated with a user is called a user ID (UID), and the number assigned to a group is called a group ID (GID). By default, SUSE LINUX (all versions) assigns UIDs to regular (nonsystem) users starting at 1000, and gives a regular user a primary GID of 100 (the users group). The Linux standard reserves the UID range from 0 through 99 for the system itself, and the range 100 through 499 for special system users (such as services and applications). To allow room for future expansion, SUSE LINUX thus starts regular user ID values at 1000 and, by default, stops handing them out at 60000; both bounds are the UID_MIN and UID_MAX settings in /etc/login.defs. The figure of 65535 that is often quoted as an absolute maximum dates from 16-bit UIDs; the 2.4 and later kernels store UIDs in 32 bits, so in practice the login.defs setting, not the kernel, is what caps automatic assignment. Table 4.1 shows the SLES-created system users, their UIDs, and their primary GIDs.
NOTE
Every Linux (and Unix) system has a special, privileged user called root. The root user always has a UID of 0 (zero). There is no group equivalent of root: a group with GID 0 (the root group) confers only the group permissions on the files it owns, not superuser privilege, and no group name is special to the kernel.

WARNING
Because the operating system identifies users by their UID, different usernames with the same UID are considered to be one and the same. Consequently, you can set up additional root users by assigning a UID of 0 to these users. By the same token, if you accidentally (or someone maliciously) make a user's UID equal to 0, you have granted that person unlimited privileges over the system. As a precaution, periodically audit /etc/passwd (and your LDAP/NIS databases, if you use them for authentication) to ensure that only root, and any accounts you have deliberately designated, have a UID of 0; while you are at it, check which accounts have a primary GID of 0. Bastille, mentioned in Chapter 13, "System Security," can detect unauthorized duplicate root accounts automatically. If you need to set up multiple administrators, it is best either to assign these users to a special group (such as the root group) that has been granted the necessary rights or, preferably, to use sudo (as discussed in Chapter 5, "User Environment Management and Security").

When you log in to Linux, your active, or current, GID is set to the primary (or default) GID specified in the user database (such as /etc/passwd), even though you may be a member of multiple groups. Permission checks take all of your group memberships into account; what the current GID determines is the group assigned to the files and directories you create (unless the parent directory's setgid bit directs otherwise). You can change your active GID to a new one by using the newgrp command, as follows:

    newgrp groupname

If groupname is not given, the GID is switched back to the primary GID.

NOTE
Although usually used to switch your UID to that of the root user, the su command may be used to switch your active UID to that of another user (su username). If you are currently root, no password is required; otherwise, you must supply that user's password.
After you switch to a new group successfully (you must be a member of the group, or be root, to do so), your actions from then on are evaluated with that group as your current GID; your other group memberships remain in effect, as the id output below shows. For example, if you create a new file or directory, the group of the new file or directory will be groupname. Upon executing the newgrp command, you remain logged in, the current directory is unchanged, and a new shell is created. Some implementations of newgrp always replace the current shell with a new shell, even if the command terminates with an error (such as when an unknown group is specified). Consider the confusion that may result: are you in a new shell and need to use the exit command to return to your original shell, or are you still in your original shell, where the exit command would terminate your current session? SUSE's implementation avoids this problem by not creating a new shell if the command fails. To return to the previous GID and shell, use the exit command and not newgrp; otherwise, you start yet another shell. The following illustrates the effects of the newgrp command:

    Athena:/home/admin # #display my UID, GID, and groups I belong to
    Athena:/home/admin # id
    uid=0(root) gid=0(root) groups=0(root),64(pkcs11)
    Athena:/home/admin # #show my currently running processes
    Athena:/home/admin # ps
      PID TTY          TIME CMD
     7853 pts/1    00:00:00 bash
     7875 pts/1    00:00:00 ps
    Athena:/home/admin # #change group to wheel
    Athena:/home/admin # newgrp wheel
    Athena:/home/admin # #check my current settings:
    Athena:/home/admin # #wheel is now my current GID
    Athena:/home/admin # id
    uid=0(root) gid=10(wheel) groups=0(root),10(wheel),64(pkcs11)
    Athena:/home/admin # #and I have one extra bash shell running!
    Athena:/home/admin # ps
      PID TTY          TIME CMD
     7853 pts/1    00:00:00 bash
     7877 pts/1    00:00:00 bash
     7885 pts/1    00:00:00 ps
    Athena:/home/admin # #return to previous setting
    Athena:/home/admin # exit
    exit
    Athena:/home/admin # #and the extra bash shell is gone too
    Athena:/home/admin # id
    uid=0(root) gid=0(root) groups=0(root),64(pkcs11)
    Athena:/home/admin # ps
      PID TTY          TIME CMD
     7853 pts/1    00:00:00 bash
     7886 pts/1    00:00:00 ps

When you return to your original shell, its previous environment (such as shell variables and working directory) is preserved; you are returned to the exact state you were in just before you started the new shell.

NOTE
The user is prompted for a password if the group has a password and the user is not a member of that group, that is, not listed in the group's member field in /etc/group and not assigned the group as primary GID in /etc/passwd. The supported way to set a group password is gpasswd groupname, which stores the hash in /etc/gshadow and leaves an x placeholder in /etc/group, just as passwd does for users with /etc/shadow. Group passwords are antiquated and not often used, but they provide a means for a user who is not listed as a member to take on the identity of that group. Because such a password is a shared secret that cannot be tied to an individual in any audit trail, adding the user to the group's member list (or granting the specific right through sudo) is the better choice.

Linux reserves the GID range from 0 through 10 for system groups. Similar to UIDs, by default, user-created groups start with a GID of 1000, and the GID value can be as high as 60000. Table 4.2 shows the SLES-created system groups and their GIDs.
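The following script is an added example and is not code from the book; it implements two of the checks discussed above in plain POSIX shell and awk: the periodic audit for extra UID 0 accounts that the WARNING recommends, and the membership test that newgrp applies (primary GID, then the member list, then the group password) before it switches a user's active GID. Both parts read passwd- and group-format files by path, so they can be pointed at /etc/passwd and /etc/group or, as here, at constructed sample files. The account names, the sample files, and the function names are assumptions made for the example; the treatment of an x in the group password field as "password required" is a simplification, because the script does not read /etc/gshadow.

```shell
#!/bin/sh
# Added example, not the book's code. Part 1: UID 0 audit of a passwd file.
# Part 2: the membership decision newgrp makes. Only sh, awk, grep and sort
# are used. All sample data below is constructed for the demonstration.

# All usernames with UID 0, one per line. Anything but root is an extra
# superuser account, whatever the name suggests.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# UIDs that appear more than once: two names sharing a UID are one user
# to the kernel.
duplicate_uids() {
    awk -F: '{ n[$3]++ } END { for (u in n) if (n[u] > 1) print u }' "$1" | sort -n
}

# Return 0 if root is the only UID 0 account, 1 otherwise (offenders printed).
audit_passwd() {
    status=0
    for u in $(uid0_accounts "$1"); do
        if [ "$u" != root ]; then
            echo "WARNING: extra UID 0 account: $u"
            status=1
        fi
    done
    return $status
}

# Field lookups: primary GID of a user (passwd field 4), GID of a group
# (group field 3), and the group's password field (group field 2).
primary_gid() { awk -F: -v u="$2" '$1 == u { print $4 }' "$1"; }
group_gid()   { awk -F: -v g="$2" '$1 == g { print $3 }' "$1"; }
group_pw()    { awk -F: -v g="$2" '$1 == g { print $2 }' "$1"; }

# Supplementary members of a group (group field 4, comma separated).
group_members() {
    awk -F: -v g="$2" '$1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$1"
}

# Is user a member of group, via primary GID or the member list?
# Returns 0 = member, 1 = not a member, 2 = no such group.
# usage: is_member PASSWDFILE GROUPFILE user group
is_member() {
    gid=$(group_gid "$2" "$4")
    if [ -z "$gid" ]; then return 2; fi
    if [ "$(primary_gid "$1" "$3")" = "$gid" ]; then return 0; fi
    if group_members "$2" "$4" | grep -qx "$3"; then return 0; else return 1; fi
}

# Mirror newgrp's decision for user switching to group. Prints one of:
#   allow          root, or a member of the group (no password asked)
#   prompt         not a member, but a group password exists ("x" means the
#                  hash is in /etc/gshadow, which this example does not read)
#   deny           not a member and the password field is empty, "!" or "*"
#   unknown group  no such group in the group file
newgrp_decision() {
    if [ "$3" = root ]; then echo allow; return 0; fi
    rc=0
    is_member "$1" "$2" "$3" "$4" || rc=$?
    case $rc in
        0) echo allow ;;
        2) echo "unknown group" ;;
        *) case $(group_pw "$2" "$4") in
               ''|'!'|'*') echo deny ;;
               *)          echo prompt ;;
           esac ;;
    esac
}

# Constructed sample files (not taken from any real system). "toor" is the
# kind of duplicate root account the audit is meant to catch.
PW=$(mktemp); GR=$(mktemp)
trap 'rm -f "$PW" "$GR"' EXIT
cat > "$PW" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/bash
admin:x:1000:100:Administrator:/home/admin:/bin/bash
bob:x:1001:100:Bob:/home/bob:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
EOF
cat > "$GR" <<'EOF'
root:x:0:
wheel:x:10:admin
users:x:100:
ops:!:1001:bob
vault:x:1002:
EOF

audit_passwd "$PW" || echo "audit of $PW failed"
echo "duplicate UIDs: $(duplicate_uids "$PW")"
while read -r user group; do
    echo "$user -> $group: $(newgrp_decision "$PW" "$GR" "$user" "$group")"
done <<'EOF'
admin wheel
bob users
bob ops
admin ops
bob vault
EOF
```

To run the audit against the live system, call audit_passwd /etc/passwd (and feed it an LDAP or NIS dump in passwd format the same way); the newgrp half takes /etc/passwd and /etc/group as its first two arguments. The script deliberately reports GID 0 only through the group functions, so a primary GID of 0 is not mistaken for a root account.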