ID Numbering in Group and Passwd

Dave Brown daveb21 at gmail.com
Wed Nov 23 17:25:21 UTC 2005


I've noticed a bit of an interesting thing with regards to the numbering of
new users and groups when using the useradd and groupadd (and luseradd /
lgroupadd) commands.

Fresh system with no user accounts on it.
Create a group called "myfamily" using "groupadd myfamily" - the file
/etc/group now has the entry "myfamily:x:500".
Create the user "brother" using "useradd brother"  - the file /etc/passwd
now has "brother:x:500:501::/home/brother:/bin/bash" and /etc/group has
"brother:x:501"

As you can see the utilities have created the user brother with a userid of
500 and a groupid of 501. All the system accounts (and if you created any
users before you created the group) will have the groupid equal to the
userid. The unequal userid / groupid combo doesn't cause a problem as the
home directory permissions created for the user are fine.

I've done a fair bit of work with user accounts / groups stored in OpenLDAP
and have had to deal with referencing user accounts and changing permissions
etc by the userid/groupid and not by the name and have found recently that
the above behaviour has been causing me problems as I have been (stupidly?)
assuming that the user's groupid is the same as their userid and
inadvertently granting group rights to the wrong user / group. Talk about
creating myself a security problem!!!

I'm interested to hear what other people think about this. I am just being
pedantic :o) Does anyone think that the behaviour of these tools should be
changed to utilise a user/group id that is unique within BOTH the passwd and
group files? Has anyone encountered other issues as a result of this? If I'm
encountering this problem should I just accept it and change my
login.defs file so all userids start at 500 and all groups at 1000?

By the way I'm using FC4 with all the latest patches, I can't remember if
this behaviour happened on earlier FCs or RHELs and I don't have any machines
with these OSs handy to give it a quick test.

Cheers
Dave Brown