Advice User IDs 500 vs. 1000


Postby hankivy » Jul 8th, '15, 06:45

Mageia 5, and Linux systems generally seem to want normal user ids to start at 1000, now. I have four users on my current system with user ids from 500 to 503.

What are the pros and cons of leaving it that way, or moving the users to 1000 to 1003? :?:

I know how to do the move. (Been There, Done That; in the past)

What are the advantages and disadvantages? :?:
hankivy
 
Posts: 128
Joined: May 19th, '14, 20:36

Re: Advice User IDs 500 vs. 1000

Postby filip » Jul 8th, '15, 08:01

I did that several times but I'm not an expert.

    My view on advantages to not change UIDs:
  • Things stay as they are. Many sysadmins say "Don't fix if it's not broken".
  • Files on backup on any media are accessible to the user right away.

    And advantages to change UIDs:
  • Files are accessible to the distro-hopping user.
  • Files are accessible in a multiboot environment to the same users.

I might have missed some ;).
filip
 
Posts: 474
Joined: May 4th, '11, 22:10
Location: Kranj, Slovenia

Re: Advice User IDs 500 vs. 1000

Postby doktor5000 » Jul 8th, '15, 09:06

There have been some lengthy discussions on our mailing lists about this topic. Some links:

[dev] Why does Mageia still use uIDs starting from 500?
[dev] Changing min uid limit
[dev] [ANNOUNCE] UIDs now start at 1000+
Cauldron is not for the faint of heart!
Caution: Hot, bubbling magic inside. May explode or cook your kittens!
----
Disclaimer: Beware of allergic reactions in answer to unconstructive complaint-type posts
doktor5000
 
Posts: 17629
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany

Re: Advice User IDs 500 vs. 1000

Postby hankivy » Jul 10th, '15, 06:06

Status:
1. My existing normal user ids, for people, are assigned 500, and higher.
And system level users have ids that are 499 or lower.
2. The newer versions of Linux are assigning normal user ids starting at 1000.
And system level users have ids that are 999 or lower.
3. There are system level utilities coming that need more and more system level user ids.
How system users start running in the system, or own files, etc. are beyond the scope of this document.
4. A similar issue exists for the group ids.
5. Any online upgrade will try to preserve my normal user ids.

So: Today, I am NOT forced to move my user ids.
I could move now, wait until I choose to move ids, or wait until I am forced to move.

But I think I will try to move before I upgrade to MAGEIA 5.

----

For only a few users, I would do the process manually.
For a lot of users, or a lot of systems, I would write a script in a language like PERL.

----

DETAILED PLAN FOR A MOVE:

Warning: This plan assumes that all normal user names with ids 500-999, have unique names, and unique ids.
It assumes that all of the corresponding default groups also have unique names, and unique ids that need to be changed.
At this point, my college textbooks would say, "Extending the plan is left as an exercise for the reader."

1. Open a Terminal window, switch/login as the root user.
2. Backup the /etc/passwd, and /etc/group files.
# cd /etc
# cp passwd passwd.orig
# cp group group.orig
3. Create new users and groups (with ids >=1000) to later swap with the existing users, with ids < 1000.
-- Repeat the following two commands, substituting your user/group names for hank, and unused ids for 1000.
-- My user name is hank, user id is 500, default group id is 500.
-- The new user will not have a home directory, and has a disabled password,
-- and the default shell would echo a warning message prior to terminating, and a new group.
-- There is defense in depth here to make this user id useless.
-- More later on why and how to use it.
-- Because of the password state, neither a normal login, nor an ftp login, nor an ssh login with password will succeed.
-- Because of the lack of a home directory, an ssh login will fail public key authentication, i.e. fail login.
-- Since the default shell is a restricted shell, any successful login will echo an error message and terminate.
-- I hope MSEC will not mind.
# groupadd -g 1000 hank-old
# adduser --home /dev/null --gid hank-old --uid 1000 --no-log-init -M -N --shell /sbin/nologin hank-old
-- NOTE: By default the new user's password is disabled.
-- NOTE: By using two commands, I control the ids of the user and the group regardless of current system defaults.
4. Again backup the /etc/passwd, and /etc/group files.
# cp passwd passwd.new
# cp group group.new
5. Shut down the system.
6. Using a Mageia live DVD, boot the system on the DVD.
7. Mount the hard drive file systems. Backup the hard drive file systems.
8. Edit the group ids.
# vim /mnt/.../etc/group
[hank is otherwise correct but 500 should become 1000.
hank-old is otherwise correct but 1000 should become 500.]
-- Repeat as needed.
9. Edit the passwd file's user ids.
# vim /mnt/.../etc/passwd
[hank is otherwise correct but both 500 should become 1000.
hank-old is otherwise correct but both 1000 should become 500.]
-- Repeat as needed.
10. Again backup the /etc/passwd, and /etc/group files.
# cd /mnt/.../etc
# cp passwd passwd.final
# cp group group.final
11. Change the ownership and group ids in the file systems on the hard drives.
[The first command is for user id numbers, second for group ids.]
$ sudo find /mnt/.../home -uid 500 -exec sudo chown -h 1000 {} \;
$ sudo find /mnt/.../home -gid 500 -exec sudo chgrp -h 1000 {} \;
[The sudo's are not needed if it is being run by the root user.
Repeat both commands for the other file systems.
Repeat all of those for all of the other user ids and group ids as needed.]

[ASIDE: If I were the admin of a lot of systems, with a lot of user ids 500-999,
I would write three non-shell scripts to automate this.
The first, for steps 2-4, would analyse the group and passwd file,
then build a data file with the matching old and new groups/users,
then create all of the new groups/users.
It would validate the new ids, and names, and automate the creation.
The second would automate steps 8, 9, and 10.
The third, for step 11, would search the file systems, and change the uid/gid of the files itself.
It would scan each file system once, and only once; not twice for each changed user.
It would never fork, not twice for each file owned by a changed user.]

12. Shut down the live system, and reboot from the hard drives.

New Status -
Any backups, thumb drives, tar files, etc. that contain a file owned by 500 are owned by hank-old.
Administrators would know the person that had owned the file. Any files in a folder or thumb drive
could be dealt with individually, or all together by repeating step 11 above.

Whenever the *-old groups and user ids are no longer needed to support or explain backup files,
then they can be deleted.

-- There is only one way I know to run a shell with the user id for hank-old.
$ sudo su --preserve-environment hank-old
-- HOME, SHELL, USER and LOGNAME are as before the command.
-- The shell that is running will be the same as the shell when the sudo command was started.
-- This is useful to change permissions, ownership, read, or write files owned by hank-old.
hankivy
 
Posts: 128
Joined: May 19th, '14, 20:36
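
An added example, not part of hankivy's post: one way to write the third script from the ASIDE (step 11), walking a file system once and calling lchown directly instead of forking chown per file. The function name remap_tree and its parameters are hypothetical; staying on one file system and skipping extra hard-link names are assumptions of this sketch.

```python
import os
import stat

def remap_tree(root, uid_map, gid_map, apply=False, lchown=os.lchown):
    """Walk one file system under `root` once, remapping numeric owner/group ids.

    uid_map / gid_map are {old_id: new_id}. Returns a list of
    (path, old_uid, old_gid, new_uid, new_gid, had_setid) tuples.
    With apply=False (the default) nothing is changed: a dry run.
    """
    root_dev = os.lstat(root).st_dev
    seen = set()       # (dev, inode) of hard-linked files already handled
    changes = []

    def visit(path):
        st = os.lstat(path)                  # like chown -h: never follow symlinks
        if st.st_nlink > 1 and not stat.S_ISDIR(st.st_mode):
            key = (st.st_dev, st.st_ino)
            if key in seen:                  # second name of the same inode: a
                return                       # swap map would otherwise undo itself
            seen.add(key)
        new_uid = uid_map.get(st.st_uid, st.st_uid)
        new_gid = gid_map.get(st.st_gid, st.st_gid)
        if (new_uid, new_gid) == (st.st_uid, st.st_gid):
            return
        # chown can clear setuid/setgid bits on regular files; flag those
        # files so their modes can be reviewed afterwards.
        had_setid = stat.S_ISREG(st.st_mode) and bool(
            st.st_mode & (stat.S_ISUID | stat.S_ISGID))
        changes.append((path, st.st_uid, st.st_gid, new_uid, new_gid, had_setid))
        if apply:
            lchown(path, new_uid, new_gid)   # one syscall, no fork per file

    visit(root)
    for dirpath, dirnames, filenames in os.walk(root):
        # Assumption: stay on root's file system (like find -xdev).
        dirnames[:] = [d for d in dirnames
                       if os.lstat(os.path.join(dirpath, d)).st_dev == root_dev]
        for name in dirnames + filenames:
            visit(os.path.join(dirpath, name))
    return changes

if __name__ == "__main__":
    # Constructed mapping matching the plan's example ids (hank: 500 -> 1000).
    for change in remap_tree(".", {500: 1000}, {500: 1000}):
        print(change)
```

Because every file is looked up in the map exactly once, a swap such as {500: 1000, 1000: 500} is applied correctly, which two sequential find passes would not do.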

Done - Move User IDs 500 to 1000

Postby hankivy » Jul 14th, '15, 23:14

I executed my Detailed Plan above to move the user ids. (There was a defect in my plan, and it is corrected in my post. The current state of the post is good.)

After rebooting, both the old and new user ids were listed by the graphical login screen. To get the old user ids out of the list, I did the following:

  • Logged in as myself.
  • Launched "System Settings Configure Your Desktop".
  • On the "Systems Settings Window", in the "System Administration" group of icons, select "Login Screen" and type the Enter key.
  • On the "Login Screen - System Settings" window, select the "Users" tab.
  • Under the "System UIDs", change the "Below" field to 1000.
  • Click the "Apply" button, in the lower right hand corner.
  • Authenticate with the root user password.
:D
hankivy
 
Posts: 128
Joined: May 19th, '14, 20:36

Reply post issue on this topic

Postby hankivy » Dec 16th, '15, 22:59

I received an email stating there was a reply to my post by "lando", and to click on a link to see the reply.
The link informs me that "You are not authorised to read this forum." What is happening? :?:
Hello hankivy,

You are receiving this notification because you are watching the topic,
"Advice User IDs 500 vs. 1000" at "Mageia forum". This topic has received a
reply by lando since your last visit. You can use the following link to
view the replies made, no more notifications will be sent until you visit
the topic.

If you want to view the newest post made since your last visit, click the
following link:
viewtopic.php?f=8&t=10001&p=61178&e=61178
hankivy
 
Posts: 128
Joined: May 19th, '14, 20:36

Re: Reply post issue on this topic

Postby doktor5000 » Dec 16th, '15, 23:41

hankivy wrote: I received an email stating there was a reply to my post by "lando", and to click on a link to see the reply.
The link informs me that "You are not authorised to read this forum." What is happening? :?:


That's because the post is from a user who was banned for spamming.
His posts have been moved to an internal forum reserved for moderation purposes, where you don't have access.
The notification mail you quoted includes direct links to posts, that's why you saw that message.

Rest of your thread is untouched.
doktor5000
 
Posts: 17629
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany

Re: Advice User IDs 500 vs. 1000

Postby zeebra » Jan 10th, '18, 18:25

hankivy wrote: Mageia 5, and Linux systems generally seem to want normal user ids to start at 1000, now. I have four users on my current system with user ids from 500 to 503.

What are the pros and cons of leaving it that way, or moving the users to 1000 to 1003? :?:

I know how to do the move. (Been There, Done That; in the past)

What are the advantages and disadvantages? :?:


You can use whatever user ID you want. One advantage of using another user ID altogether is in the form of file permissions. If you set your file permissions to owner ID 8650 and group ID 6787, then only users with those IDs have the permitted file access to those files. Not even your own user name if you have another user ID and group ID will have access to those files. The owner will stand as 8650 and group 6787.

This is an obvious advantage of using something else than 500 or 1000.
zeebra
 
Posts: 125
Joined: Sep 7th, '13, 21:20

Re: Advice User IDs 500 vs. 1000

Postby doktor5000 » Jan 11th, '18, 09:40

@zeebra: Did you have a look at year/date of the last reply? Can you please stop arbitrarily replying to old threads?
Apart from that your answer doesn't really add anything helpful to the topic.
doktor5000
 
Posts: 17629
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany

Re: Advice User IDs 500 vs. 1000

Postby duncangareth » Oct 26th, '18, 20:42

Without wanting to annoy anyone by adding yet another posting to this old thread, I should like to make a general observation concerning user ids. In the old days of UNIX, the convention of setting the first ordinary user id to 500 was established. It was an arbitrary value, decided on perhaps because it was thought unlikely that there would ever be any likelihood of system accounts reaching that number. Things change, and with the proliferation of software over the years, it has become more usual in modern distributions to start at 1000. Bear in mind that this is also an arbitrary value. There is nothing of any deep mystical significance to user ids (except root perhaps), and it is perfectly possible to alter entries in the /etc/passwd and /etc/shadow files in order to change user ids. Once these files are changed, it is merely a matter of using chown to change the ownership of the relevant files and directories. It is not rocket science, and as long as one keeps one's mind on the task in an orderly and logical manner, no runtime problems result. I have to do this kind of thing often on various servers, especially when migrating clients' domains, etc.
duncangareth
 
Posts: 66
Joined: Oct 24th, '13, 21:05

