User and Group IDs


Each user and group in SLES is assigned a unique numeric value because the kernel identifies users and groups only by number; names exist for people and are resolved through the user database. The number associated with a user is called a user ID (UID) and the number assigned to a group is called a group ID (GID). By default, SUSE LINUX (all versions) assigns UIDs to regular (nonsystem) users starting at 1000 and makes the users group (GID 100) the primary group of new accounts.

The Linux convention reserves the UID range from 0 through 99 for the system itself, and the range 100 through 499 for special system users (such as services and applications). To allow room for future expansion, SUSE LINUX thus starts regular user ID values at 1000 (and, by default, ends them at 60000; 65535 is the historical 16-bit ceiling). Table 4.1 shows the SLES-created system users, their UIDs, and their primary GIDs.

Table 4.1. SLES Default System User Settings

USERNAME    UID    PRIMARY GID   DESCRIPTION
root        0      0             The root (super) user
bin         1      1             Used by system services, such as lpd
daemon      2      2             Background service
lp          4      7             Printing daemon
mail        8      12            Mailer daemon
news        9      13            News system
uucp        10     14            Unix-to-Unix CoPy system
games       12     100           Games account
man         13     62            Manual pages viewer
at          25     25            Batch jobs daemon
postgres    26     26            PostgreSQL server
mdom        28     28            Mailing list agent (Majordomo)
wwwrun      30     8             WWW daemon (Apache)
squid       31     65534         WWW proxy (Squid)
amanda      37     6             AMANDA (backup utility) admin
irc         39     65534         IRC (Internet Relay Chat) daemon
ftp         40     49            FTP account (FTP server daemon)
named       44     44            Name server (DNS) daemon
gdm         50     15            GNOME Display Manager daemon
postfix     51     51            Postfix daemon
mysql       60     2             MySQL database admin
vscan       65     102           Vscan account used by samba-vscan
pop         67     100           POP admin
sshd        71     65            SSH daemon
mailman     72     67            GNU mailing list manager
snort       73     68            Snort network monitor
ntp         74     65534         NTP (Network Time Protocol) daemon
ldap        76     70            User for OpenLDAP
hacluster   90     90            High-Availability cluster heartbeat processes
cyrus       96     12            User for cyrus-imapd
stunnel     100    65534         Daemon user for stunnel (universal SSL tunnel)
quagga      101    101           Quagga routing daemon
dhcpd       102    65534         DHCP server daemon
radiusd     103    103           RADIUS daemon
nobody      65534  65533         Special user for assigning NFS permissions


NOTE

Every Linux (and Unix) system has a special, privileged user called root. The root user always has a UID of 0 (zero). The kernel grants no comparable privilege to any group: GID 0 (the root group) is a convention only, and a group is exactly as powerful as the files and devices it is permitted to access (see the disk, shadow, and kmem entries in Table 4.2).


WARNING

Because the operating system identifies users by their UID, different usernames with the same UID are considered to be one and the same. Consequently, you can set up additional root users by assigning a UID of 0 to these users. By the same token, if you accidentally (or someone maliciously) made a user's UID equal to 0, you have granted that person unlimited privileges over the system. As a precaution, you should periodically audit /etc/passwd (and your LDAP/NIS databases, if you are using them for authentication; getent passwd consults every configured name service and is therefore the right source to check) to ensure that root is the only account with UID 0 and that every account with GID 0 is one you intended. Bastille, mentioned in Chapter 13, "System Security," can be used to automatically detect unauthorized duplicate root accounts.

If you need to set up multiple administrators, it is best to either assign these users to a special group (such as the root group) that has been granted the necessary rights or, preferably, use sudo (as discussed in Chapter 5, "User Environment Management and Security").
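The following script performs the audit described above. It is an added example, not part of the handbook or of Bastille, and works on any passwd-format file, so it can be pointed at /etc/passwd or at the output of getent passwd saved to a file. The sample file it builds, including the second UID-0 login "toor", is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit a passwd-format file for extra UID-0 accounts and for
# UIDs shared by several usernames. Each function takes an optional file
# argument and defaults to /etc/passwd.

# Every account whose UID is 0, printed as user:gid:shell
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 ":" $4 ":" $7 }' "${1:-/etc/passwd}"
}

# Every UID claimed by more than one username, printed as uid:name1,name2,...
duplicate_uids() {
    awk -F: '
        { count[$3]++; names[$3] = (names[$3] == "" ? $1 : names[$3] "," $1) }
        END { for (u in count) if (count[u] > 1) print u ":" names[u] }
    ' "${1:-/etc/passwd}" | sort -n
}

# Succeeds only if root is the sole UID-0 account in the file
root_is_unique() {
    [ "$(uid0_accounts "$1" | wc -l | tr -d ' ')" -eq 1 ] &&
    uid0_accounts "$1" | grep -q '^root:'
}

# Constructed sample file (not a real system's /etc/passwd); "toor" is the
# kind of extra UID-0 login an intruder leaves behind
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/bash
toor:x:0:0:Maintenance:/root:/bin/bash
alice:x:1000:100:Alice:/home/alice:/bin/bash
EOF
echo "UID 0 accounts:"; uid0_accounts "$SAMPLE"
echo "Shared UIDs:";    duplicate_uids "$SAMPLE"
root_is_unique "$SAMPLE" || echo "ALERT: additional UID-0 account(s) present"
rm -f "$SAMPLE"
```

To audit every name service at once, run getent passwd > /tmp/allusers and pass that file to the functions; a shared UID below 1000 that is not 0 is still worth a look, because two daemons sharing a UID can read each other's files.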


When you log in to Linux, your active, or current, GID is set to the primary (or default) GID specified in the user database (such as /etc/passwd), even though you may be a member of multiple groups. The kernel checks file access against your current GID and all of your supplementary groups, but the current GID alone determines the group owner of files and directories you create (unless the parent directory carries the set-group-ID bit, in which case new entries inherit its group). You can change your active GID to a new one by using the newgrp command, as follows:

 newgrp groupname 

NOTE

Although usually used to switch your UID to that of the root user, the su command may be used to switch your active UID to that of another user (su username). If you're currently root, no password is required; otherwise, you will need to supply the password of that user.


If groupname is not given, the GID is switched back to the primary GID. After you switch to a new group successfully (you must be a member of the group, or be root, to do so), all your actions from then on will use that group. For example, if you create a new file or directory, the group of the new file or directory will be groupname.

Upon executing the newgrp command, you remain logged in, the current directory is unchanged, and a new shell is created. Some implementations of newgrp always replace the current shell with a new shell, even if the command terminates with an error (such as when an unknown group was specified). Consider the confusion that may result: Are you in a new shell and need to use the exit command to return to your original shell, or are you still in your original shell where the exit command would terminate your current session? SUSE's implementation avoids this problem by not creating a new shell should the command fail.

To return to the previous GID and shell, use the exit command and not newgrp; otherwise, you start yet another shell. The following illustrates the effects of the newgrp command:

 Athena:/home/admin # #display my UID, GID, and groups I belong to
 Athena:/home/admin # id
 uid=0(root) gid=0(root) groups=0(root),64(pkcs11)
 Athena:/home/admin # #show my currently running processes
 Athena:/home/admin # ps
   PID TTY          TIME CMD
  7853 pts/1    00:00:00 bash
  7875 pts/1    00:00:00 ps
 Athena:/home/admin # #change group to wheel
 Athena:/home/admin # newgrp wheel
 Athena:/home/admin # #check my current settings:
 Athena:/home/admin # #wheel is now my current GID
 Athena:/home/admin # id
 uid=0(root) gid=10(wheel) groups=0(root),10(wheel),64(pkcs11)
 Athena:/home/admin # #and I have one extra bash shell running!
 Athena:/home/admin # ps
   PID TTY          TIME CMD
  7853 pts/1    00:00:00 bash
  7877 pts/1    00:00:00 bash
  7885 pts/1    00:00:00 ps
 Athena:/home/admin # #return to previous setting
 Athena:/home/admin # exit
 exit
 Athena:/home/admin # #and the extra bash shell is gone too
 Athena:/home/admin # id
 uid=0(root) gid=0(root) groups=0(root),64(pkcs11)
 Athena:/home/admin # ps
   PID TTY          TIME CMD
  7853 pts/1    00:00:00 bash
  7886 pts/1    00:00:00 ps

When you return to your original shell, its previous environment (such as shell variables and working directory) is preserved; you are returned to the exact state you were in just before you started the new shell.

NOTE

The user is prompted for a password if the group has a password and the user is not listed in /etc/group as a member of that group. A group password is set with the gpasswd command (on setups without gpasswd, the older method is to generate a hash with passwd and copy it from /etc/shadow into the password field of /etc/group); where /etc/gshadow is in use, gpasswd stores the hash there instead of in the world-readable /etc/group. Group passwords are antiquated and rarely used: they let anyone who knows the shared secret take on the identity of the group without appearing in its member list, so they leave no per-user accountability. Prefer explicit membership, and treat a non-empty password field in /etc/group or /etc/gshadow as something to review during an audit.


Linux reserves the low GID range for system groups (0 through 10 in the original Unix convention; in practice, as Table 4.2 shows, SLES places all of its own groups below 1000 apart from the nobody and nogroup entries). Similar to UIDs, by default, user-created groups start with a GID of 1000, and the GID value can be as high as 60000. Table 4.2 shows the SLES-created system groups and their GIDs.

Table 4.2. SLES Default System Groups and Their GIDs

GROUP NAME  GID    COMMENTS
root        0      The set of privileged users who are granted special powers in the system. By default, root is the only member of this group. On some Linux distributions, the wheel group is used instead.
bin         1      Exists for historical reasons, and some programs (such as shutdown) won't run without it. SUSE LINUX does not use this group.
daemon      2      Used by various services and applications, such as MySQL, that do not run with root privileges.
sys         3      Exists for historical reasons, and some programs won't run without it.
tty         5      The terminal devices with names beginning with /dev/tty are group accessible to the tty group. Programs such as write and wall need access to /dev/tty* and are installed set-group-ID (sgid) tty.
disk        6      The disk device nodes are group accessible to the disk group. Programs that need access to them run set-group-ID disk. Because a member can read and write raw block devices, and so every file system on them, membership is equivalent to root access.
lp          7      Jobs associated with the lp (printer) daemon (lpd) are group accessible to the lp group so that lpd can access them without being root.
www         8      Generally used to assign rights to folders containing HTML documents.
kmem        9      Mostly used by programs that need access to kernel memory through /dev/kmem; like disk, this grants root-equivalent access.
wheel       10     Some Linux distributions use the wheel group instead of the root group for users with system privileges.
mail        12     The mail spool directories are group accessible to the mail group. Programs that need access to them run set-group-ID mail.
news        13     The Usenet news spool directories are group accessible to the news group. Programs that need access to them run set-group-ID news.
uucp        14     Group members can initiate uucp jobs.
shadow      15     Group members can read the shadow password file, /etc/shadow, and therefore every account's password hash.
dialout     16     Group members are allowed to initiate dialout connections using ppp or ISDN device nodes.
audio       17     Members of this group have rights over the sound card/device.
floppy      19     Users in this group can use the floppy drive (generally /dev/fd0, the first drive).
cdrom       20     This group can use the CD-ROM drive.
console     21
utmp        22     Members of this group can access user login and logout records.
at          25     Used by at, a system task scheduling program.
postgres    26     Used by the PostgreSQL database daemon.
mdom        28     Used by the Majordomo mailing list daemon.
public      32     Used by the ProFTPD daemon to control file access when a client is logged in as anonymous.
video       33     Members of this group have rights over the video card/device.
games       40     Used by games that store user-independent high-score values in /var/lib/games.
xok         41     Members of this group may run X Window System applications.
trusted     42     Members of this group can execute the ncpfs binaries.
modem       43     This group can use the modem device.
named       44     Used by the DNS daemon.
ftp         49     Used by the FTP daemon.
postfix     51     Used by the Postfix mail daemon.
maildrop    59     Used by the Maildrop mail daemon.
man         62     Used by the manual page facility.
pkcs11      64     Members of this group can manage security certificates. The root user is the default member of this group.
sshd        65     Used by the SSH daemon.
mailman     67     Used by the GNU mailing list daemon.
snort       68     Used by the Snort network monitor.
ldap        70     Used by the OpenLDAP daemon.
ntadmin     71     Used by the Samba daemon.
haclient    90     Used by the High-Availability cluster daemon.
users       100    The default group that all users are added to (unless you change the setting in /etc/default/useradd). All the members of this group are provided basic privileges in the system as defined by the system administrator. You place files that all users should have access to in this group.
quagga      101    Used by the Quagga routing daemon.
vscan       102    Used by the vscan daemon.
radiusd     103    Used by the radius daemon.
nobody      65533  Used by NFS.
nogroup     65534  Used by NFS, and as the primary group of several unprivileged daemons listed in Table 4.1.
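Several groups in Table 4.2 (disk, shadow, kmem, and root or wheel where they are used for administration) confer root-equivalent or near-root access, so their membership deserves the same periodic audit as UID 0. The following script, an added example that is not part of the handbook, lists everyone who can act with a group's GID: it combines the explicit members in /etc/group with accounts whose primary GID in /etc/passwd is that group, since those accounts never appear in the group file's member list. The sample group and passwd files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: list every account that can act with a given group's GID.
# Usage: group_members GROUP [GROUPFILE] [PASSWDFILE]; the files default to
# /etc/group and /etc/passwd. Returns 1 if the group does not exist.
group_members() {
    grp=$1
    gfile=${2:-/etc/group}
    pfile=${3:-/etc/passwd}
    gid=$(awk -F: -v g="$grp" '$1 == g { print $3; exit }' "$gfile")
    [ -n "$gid" ] || return 1
    {
        # explicit supplementary members: field 4 of /etc/group, comma separated
        awk -F: -v g="$grp" '$1 == g && $4 != "" {
            n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$gfile"
        # accounts whose primary GID (field 4 of /etc/passwd) is this group
        awk -F: -v id="$gid" '$4 == id { print $1 }' "$pfile"
    } | sort -u
}

# Report the membership of the groups whose access is root-equivalent or close to it
audit_privileged_groups() {
    for g in root wheel disk shadow kmem; do
        printf '%s: %s\n' "$g" "$(group_members "$g" "$1" "$2" | tr '\n' ' ')"
    done
}

# Constructed sample files (not taken from a real system). Note that "backup"
# is in disk only through its primary GID and does not appear in the group file.
GF=$(mktemp); PF=$(mktemp)
cat > "$GF" <<'EOF'
root:x:0:
wheel:x:10:admin
disk:x:6:admin
shadow:x:15:
kmem:x:9:
users:x:100:
EOF
cat > "$PF" <<'EOF'
root:x:0:0:root:/root:/bin/bash
admin:x:1000:100:Admin:/home/admin:/bin/bash
backup:x:1001:6:Backup:/home/backup:/bin/bash
EOF
audit_privileged_groups "$GF" "$PF"
rm -f "$GF" "$PF"
```

Against a live system, run it with no file arguments, or save getent group and getent passwd to files first so that LDAP- or NIS-defined memberships are included. Any name in the disk, shadow, or kmem lines that is not a service account or an intended administrator should be removed with gpasswd -d or usermod.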




    SUSE LINUX Enterprise Server 9 Administrator's Handbook
    ISBN: 067232735X
    Year: 2003
    Pages: 134