
RfD: documentation for statically assigned uid and gid

As far as I know, there is no "official" document that describes what
the statically allocated users and groups on a Debian system do, gives
rationales for their existence and suggests what to do with them. I'd
like to see such a document (maybe as part of the policy?) and have
written a description as I understand the users and groups. The
description might be wrong, so I'd like to see that discussed. Harald
Weidner did a description of the groups and I translated it since our
original discussion was in German.

Users
=====
root:x:0:0:root:/root:/bin/bash
no description needed

daemon:x:1:1:daemon:/usr/sbin:/bin/sh
uid to run various non-root daemons (for example the portmapper).

bin:x:2:2:bin:/bin:/bin/sh
(didn't find any processes or files belonging to that uid on my test
system).

sys:x:3:3:sys:/dev:/bin/sh
(didn't find any processes or files belonging to that uid on my test
system).

sync:x:4:100:sync:/bin:/bin/sync
login shell /bin/sync allows a user without an account on that system to
sync disks from the console.

games:x:5:100:games:/usr/games:/bin/sh
(didn't find any processes or files belonging to that uid on my test
system).

man:x:6:100:man:/var/cache/man:/bin/sh
uid used by man-db for file access control.

lp:x:7:7:lp:/var/spool/lpd:/bin/sh
uid for the line printer daemon

mail:x:8:8:mail:/var/spool/mail:/bin/sh
uid for the MTA for file access control.

news:x:9:9:news:/var/spool/news:/bin/sh
uid for the news server for file access control. Is this used by other
packages than INN and CNEWS?

uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
uid for UUCP for file access control.

proxy:x:13:13:proxy:/bin:/bin/sh
(didn't find any processes or files belonging to that uid on my test
system). Used by web proxies?

majordom:*:30:31:Majordomo:/usr/lib/majordomo:/bin/sh
uid for majordomo.

postgres:x:31:32:postgres:/var/lib/postgres:/bin/sh
uid for postgres.

www-data:x:33:33:www-data:/var/www:/bin/sh
uid for web server software.

backup:x:34:34:backup:/var/backups:/bin/sh
(didn't find any processes or files belonging to that uid on my test
system).

msql:x:36:36:Mini SQL Database Manager:/var/lib/msql:/bin/sh
uid for msql.

operator:x:37:37:Operator:/var:/bin/sh
(didn't find any processes or files belonging to that uid on my test
system).

list:x:38:38:SmartList:/var/list:/bin/sh
(didn't find any processes or files belonging to that uid on my test
system).

irc:x:39:39:ircd:/var:/bin/sh
user for ircd.

gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats/gnats-db:/bin/sh
(didn't find any processes or files belonging to that uid on my test
system).

alias:x:70:65534:qmail alias:/var/qmail/alias:/bin/sh
qmaild:x:71:65534:qmail daemon:/var/qmail:/bin/sh
qmails:x:72:70:qmail send:/var/qmail:/bin/sh
qmailr:x:73:70:qmail remote:/var/qmail:/bin/sh
qmailq:x:74:70:qmail queue:/var/qmail:/bin/sh
qmaill:x:75:65534:qmail log:/var/qmail:/bin/sh
qmailp:x:76:65534:qmail pw:/var/qmail:/bin/sh
uids for qmail

Groups
======
root:x:0:
root's primary group

daemon:x:1:
group for non-root daemons

bin:x:2:
sys:x:3:
existing for historical reasons, some programs won't run without these

adm:x:4:
log files are group readable to adm. Include people who should be able
to read log files.

tty:x:5:
/dev/tty are group accessible to tty. Programs that need access to tty
(write, wall) are sgid tty.

disk:x:6:
disk device nodes are group accessible to disk. Programs that need
access to them are sgid disk.

lp:x:7:lp
lpd jobs are group accessible to lp so that lpd can access them
without being root.

mail:x:8:
mailbox spool directories belong to group mail, MUA software runs
setgid mail. This makes dot locking possible. Also, mailboxes must be
writeable by group mail (Policy Manual, 3.1.1.1, 5.6).

news:x:9:
standard group for user news. Why does news have its own group, and
many of the other daemon uids don't?

uucp:x:10:
uucp jobs are group accessible to uucp.

proxy:x:13:
web cache files are group accessible to proxy.

kmem:x:15:
/proc/kmem is group accessible to kmem. Programs that need access are
sgid kmem.

dialout:x:20:
PPP and ISDN device nodes are group accessible to dialout. Include
users allowed to initiate dialout in this group.

fax:x:21:
fax jobs are group accessible to fax.

voice:x:22:
voice messages are group accessible to voice (vgetty)

cdrom:x:24:
floppy:x:25:
tape:x:26:
for device nodes. Include users allowed to access these in the
appropriate groups.

sudo:x:27:
historical reasons?

audio:x:29:
for device nodes. Include users allowed to access sound in this group

dip:x:30:
majordom:*:31:majordom
postgres:x:32:
For daemons running under their own uid/gid. Why are these static?

www-data:x:33:
This has been discussed in the past, and the discussion is not finally
finished. Today, www data files belong to this group and the web
servers run with that group, thus being able to write the files.
This has been considered a security hole, but was not yet changed.

backup:x:34:
(Don't have an explanation yet)

msql:x:36:
For daemons running under their own uid/gid. Why are these static?

operator:x:37:
historical reasons?

list:x:38:
irc:x:39:
For daemons running under their own uid/gid. Why are these static?

src:x:40:
Include people who should be able to write /usr/src in this group.
What is its intended use?

gnats:x:41:
For daemons running under their own uid/gid. Why are these static?

shadow:x:42:
Programs that should be able to access the shadow passwords are sgid
shadow.

utmp:*:43:
Programs that should be able to access utmp are sgid utmp.

video:*:44:
for device nodes?

staff:x:50:
Include users who should be able to write to /usr/local and /var/local

games:x:60:
games that store user independent high score values in /var/lib/games
are sgid games

qmail:x:70:
used for qmail

users:x:100:
for files that all users should be able to access.

I'd like to see whether we can reach consensus about the users/groups
and have this information added to the official docs.

Greetings
Marc

-- 
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber          |   " Questions are the         | Mailadresse im Header
Karlsruhe, Germany  |     Beginning of Wisdom "     | Fon: *49 721 966 32 15
Nordisch by Nature  | Lt. Worf, TNG "Rightful Heir" | Fax: *49 721 966 31 29
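
A list like the one above is only useful if a system can be checked against it. The following is an added example for this thread, not code from Marc's mail or from Debian: it parses passwd- and group-style text, compares the names and numeric ids against the static table as listed in the mail, and reports the things a reviewer would look for in a static range (a second name carrying uid 0, a static name that drifted to another id, a static id sitting under an unexpected name, a password hash or an empty password field in passwd rather than shadow, and a primary gid with no group entry). The table values are taken from the listing above; the sample passwd/group content at the bottom is constructed for the demonstration and plants a few faults on purpose.

```python
"""Audit passwd/group text against the static uid/gid table described above.

Added example for this thread, not code from Marc's mail or from Debian.  The
expected ids come from the listing in the mail; the sample passwd/group text
at the bottom is constructed for the demonstration.
"""

# Static user and group ids as listed in the mail (name -> id).
STATIC_UIDS = {
    "root": 0, "daemon": 1, "bin": 2, "sys": 3, "sync": 4, "games": 5, "man": 6,
    "lp": 7, "mail": 8, "news": 9, "uucp": 10, "proxy": 13, "majordom": 30,
    "postgres": 31, "www-data": 33, "backup": 34, "msql": 36, "operator": 37,
    "list": 38, "irc": 39, "gnats": 41,
}
STATIC_GIDS = {
    "root": 0, "daemon": 1, "bin": 2, "sys": 3, "adm": 4, "tty": 5, "disk": 6,
    "lp": 7, "mail": 8, "news": 9, "uucp": 10, "proxy": 13, "kmem": 15,
    "dialout": 20, "fax": 21, "voice": 22, "cdrom": 24, "floppy": 25, "tape": 26,
    "sudo": 27, "audio": 29, "dip": 30, "majordom": 31, "postgres": 32,
    "www-data": 33, "backup": 34, "msql": 36, "operator": 37, "list": 38,
    "irc": 39, "src": 40, "gnats": 41, "shadow": 42, "utmp": 43, "video": 44,
    "staff": 50, "games": 60, "qmail": 70, "users": 100,
}
# Password fields that carry no hash: shadow in use ("x") or account locked.
NO_HASH = {"x", "*", "!"}


def parse_colon_file(text, nfields):
    """Split a passwd- or group-style file into field lists, skipping blank lines."""
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != nfields:
            raise ValueError(f"line {lineno}: expected {nfields} fields, got {len(fields)}")
        rows.append(fields)
    return rows


def audit(passwd_text, group_text):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    users = [dict(name=f[0], pw=f[1], uid=int(f[2]), gid=int(f[3]), shell=f[6])
             for f in parse_colon_file(passwd_text, 7)]
    groups = [dict(name=f[0], gid=int(f[2])) for f in parse_colon_file(group_text, 4)]
    known_gids = {g["gid"] for g in groups}

    # Two names sharing one uid: the classic "second root account" pattern.
    by_uid = {}
    for u in users:
        by_uid.setdefault(u["uid"], []).append(u["name"])
    for uid, names in sorted(by_uid.items()):
        if len(names) > 1:
            findings.append(f"uid {uid} shared by {', '.join(names)}")

    # Static names must carry the static id, and static ids must carry the name.
    for table, rows, kind in ((STATIC_UIDS, users, "uid"), (STATIC_GIDS, groups, "gid")):
        expected_name = {v: k for k, v in table.items()}
        for r in rows:
            want = table.get(r["name"])
            if want is not None and r[kind] != want:
                findings.append(f"{r['name']} has {kind} {r[kind]}, expected {want}")
            elif want is None and r[kind] in expected_name:
                findings.append(f"{kind} {r[kind]} belongs to {expected_name[r[kind]]}, "
                                f"found under name {r['name']}")

    # Password material belongs in shadow; an empty field means login without
    # any password at all.
    for u in users:
        if u["pw"] == "":
            findings.append(f"{u['name']} has an empty password field")
        elif u["pw"] not in NO_HASH:
            findings.append(f"{u['name']} carries a password hash in passwd")

    # Every primary gid must name a real group.
    for u in users:
        if u["gid"] not in known_gids:
            findings.append(f"{u['name']} has primary gid {u['gid']} with no group entry")
    return findings


# Constructed sample: a few entries from the mail plus planted faults
# (a second uid 0, backup on the wrong uid, a hash in passwd, an orphan gid).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
toor:x:0:0:second root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:35:34:backup:/var/backups:/bin/sh
alice:$1$abcdefgh$0123456789abcdefghijkl:1000:1000:Alice:/home/alice:/bin/bash
"""
SAMPLE_GROUP = """\
root:x:0:
daemon:x:1:
www-data:x:33:
backup:x:34:
users:x:100:
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_PASSWD, SAMPLE_GROUP):
        print(finding)
```

On a real system the two strings would be read from /etc/passwd and /etc/group (or from a package's postinst test environment); the static tables are the only part that is specific to this thread and would need to follow whatever the policy finally settles on.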