UID/GID allocation

From Computer Laboratory System Administration
Revision as of 11:10, 10 September 2014 by mgk25 (talk | contribs) (first shot)

Departmental UID/GID allocation

This page is a draft policy for how in future the user and group IDs exported by the departmental Unix LDAP server (ldap-serv1.cl.cam.ac.uk, etc.) should be allocated.

The goal of this policy is to ensure that self-managed machines can make use of the /etc/passwd and /etc/group tables exported by the departmental LDAP servers without risk of collisions with entries defined by the operating system or created locally by the user.

Rules

  • The LDAP server should not export any numeric UID or GID with a value below 1005.
    • This helps to avoid collisions with locally created users (e.g., family members on a private laptop), which some operating systems allocate starting at 1000 upwards.
  • The LDAP server should also not export any numeric UID or GID of -2, -1, 32767, 65534, or 65535.
    • This helps to avoid collisions with the POSIX return value -1 of some related system calls, as well as with the entry "nobody" used on some systems.
  • UID and GID range 0 to 999: is reserved for use by either operating system distributions, or user entries created locally on client machines without any corresponding LDAP entry
  • UID and GID range 1000-1005: reserved for user entries created locally on client machines without any corresponding LDAP entry

UID range allocation

  • 0-999: not used by LDAP, reserved for OS-specific entries or host-specific user entries
  • 1000-1004: not used by LDAP, reserved for host-specific user entries
  • 1005-1099: historic departmental allocations, can stay, but should not be reused
  • 1100-4999: departmental users (real people)
  • 5000-5499: departmental pseudo users (role accounts, server accounts, etc.)
  • 5500-5999: not used by LDAP, to avoid collisions with departmental groups
  • 6000-8999: departmental users (real people)

GID range allocation

  • 0-999: not used by LDAP, reserved for OS-specific entries or host-specific user entries
  • 1005-5499: personal groups associated with the corresponding UID name and value
  • 5500-5999: departmental groups
  • 6000-8999: personal groups associated with the corresponding UID name and value
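As an added example (not part of this draft policy page), the following script audits /etc/passwd- and /etc/group-format lines, such as those an LDAP server exports, against the rules and ranges above; the sample entries it contains are constructed, and the "personal group must mirror its user" check is an interpretation of the GID allocation text.

```python
# Added example, not part of the wiki page: checks passwd/group entries (as the
# departmental LDAP server might export them) against the draft policy above.
FORBIDDEN = {-2, -1, 32767, 65534, 65535}   # "nobody" and the -1 error value
MIN_EXPORTED = 1005                         # nothing below this leaves LDAP
UID_RANGES = ((1005, 1099, "historic"), (1100, 4999, "user"),
              (5000, 5499, "pseudo-user"), (6000, 8999, "user"))
GID_RANGES = ((1005, 5499, "personal"), (5500, 5999, "departmental"),
              (6000, 8999, "personal"))

def classify(value, ranges):
    """Label of the range a UID/GID falls in, or None if LDAP may not export it."""
    for lo, hi, label in ranges:
        if lo <= value <= hi:
            return label
    return None

def check_id(value, ranges, what):
    """Findings for one numeric id under the Rules section (empty list if clean)."""
    if value in FORBIDDEN:
        return [f"{what} {value} is a reserved value (nobody / -1)"]
    if value < MIN_EXPORTED:
        return [f"{what} {value} is below {MIN_EXPORTED} (reserved for OS or local entries)"]
    if classify(value, ranges) is None:
        return [f"{what} {value} lies outside every range allocated to LDAP"]
    return []

def audit(passwd_lines, group_lines):
    """Check /etc/passwd- and /etc/group-format lines; return a list of findings."""
    findings, users = [], {}                  # users: uid -> login name
    for line in passwd_lines:
        name, _, uid = line.split(":")[:3]
        users[int(uid)] = name
        findings += check_id(int(uid), UID_RANGES, f"uid of {name}")
    for line in group_lines:
        name, _, gid = line.split(":")[:3]
        findings += check_id(int(gid), GID_RANGES, f"gid of {name}")
        # A personal group must mirror a user with the same name and number.
        if classify(int(gid), GID_RANGES) == "personal" and users.get(int(gid)) != name:
            findings.append(f"personal gid {gid} ({name}) has no matching uid/name")
    return findings

PASSWD = ["alice:x:1234:1234:Alice:/home/alice:/bin/bash",   # constructed samples
          "wwwrun:x:5010:5010:Web server:/srv/www:/usr/sbin/nologin",
          "bob:x:1003:1003:Bob:/home/bob:/bin/bash",
          "nobody:x:65534:65534:Nobody:/:/usr/sbin/nologin",
          "carol:x:5600:5600:Carol:/home/carol:/bin/bash",
          "dave:x:2000:2001:Dave:/home/dave:/bin/bash"]
GROUP = ["alice:x:1234:", "wwwrun:x:5010:", "research:x:5600:alice,dave",
         "dave:x:2001:", "staff:x:100:"]
if __name__ == "__main__":
    print("\n".join(audit(PASSWD, GROUP)))
```

On a real client the same functions can be fed the output of `getent passwd` and `getent group` after filtering out the locally defined entries.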

Background

  • Keeping the range 1000-1004 free of departmental allocations helps to avoid collisions with locally created users (e.g., family members on a private laptop), which some operating systems allocate starting at 1000 upwards.
  • Avoiding -2, -1, 32767, 65534, and 65535 helps to avoid collisions with the POSIX return value -1 of some related system calls, as well as

Operating system conventions

Linux

The Linux Standard Base Core Specification specifies that UID values in the range 0 to 99 should be statically allocated by the system, and shall not be created by applications, while UIDs from 100 to 499 should be reserved for dynamic allocation by system administrators and post install scripts. See also LSB 3.0, Section 9.3: UID Ranges.

In practice, Linux distributions start allocating local regular user IDs from either 500 (Red Hat) or 1000 (SUSE, Debian). On many Linux systems, these ranges are specified in /etc/login.defs, for useradd and similar tools.

Mac OS X

Mac OS X allocates locally created users from 500 upwards and uses the UIDs and GIDs 0-999 for the operating system.

FreeBSD

For both UIDs and GIDs, the range 0-49 is reserved for core OS allocations, and the range 50-999 can be allocated by package porters for use by specific software packages in the files ports/UIDs and ports/GIDs. See also FreeBSD Porter's Handbook, Section 6.26: Adding Users and Groups.

See also