Re: Creating users that don't need a specific group

2005-09-26 Thread DJ Lucas
Randy McMurchy wrote:

 
 That said, what should we do for users that don't need group ID?
 I've always thought that it was good to dump these types of users
 into the users group, but thinking about it, perhaps not.
 
 I'd appreciate input from the group.
 

I really don't think that it matters a whole lot so long as the chosen
group does exist ;-) and is not given perms where they're not needed,
but I'll throw out a suggestion anyway.  The group 'nogroup' might work
well.  For me personally on my own systems, I will use a matching group
name to ease (or further complicate) administration, but I do this for
all users anyway and match gid and uid as well.  I know RH's useradd
defaults used to work this way, I'm not sure of their current practice.

-- DJ Lucas
-- 
http://linuxfromscratch.org/mailman/listinfo/blfs-dev
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page


Re: Creating users that don't need a specific group

2005-09-26 Thread Randy McMurchy
Archaic wrote these words on 09/26/05 00:56 CST:

 I've always preferred to segregate them in their own group. But if the
 group ID is truly never going to be used, and there is no security
 implication of allowing these types of programs to share a group, then
 perhaps the nogroup group?

That is a good idea. Let's see if others respond with any different
suggestions. If not, I'll go with nogroup and change the PostgreSQL
instructions as well.

-- 
Randy

rmlscsi: [GNU ld version 2.15.94.0.2 20041220] [gcc (GCC) 3.4.3]
[GNU C Library stable release version 2.3.4] [Linux 2.6.10 i686]
01:09:01 up 1 day, 9:33, 3 users, load average: 1.00, 0.85, 0.47


Re: Creating users that don't need a specific group

2005-09-26 Thread Archaic
On Mon, Sep 26, 2005 at 01:10:38AM -0500, Randy McMurchy wrote:
 
 That is a good idea. Let's see if others respond with any different
 suggestions. If not, I'll go with nogroup and change the PostgreSQL
 instructions as well.

Just to clarify, the first preference was for uid=gid. The latter was
definitely a distant secondary preference.

-- 
Archaic

Want control, education, and security from your operating system?
Hardened Linux From Scratch
http://www.linuxfromscratch.org/hlfs



Re: Creating users that don't need a specific group

2005-09-26 Thread Randy McMurchy
DJ Lucas wrote these words on 09/26/05 01:09 CST:

 I really don't think that it matters a whole lot so long as the chosen
 group does exist ;-) and is not given perms where they're not needed,
 but I'll throw out a suggestion anyway.  The group 'nogroup' might work
 well.  For me personally on my own systems, I will use a matching group
 name to ease (or further complicate) administration, but I do this for
 all users anyway and match gid and uid as well.  I know RH's useradd
 defaults used to work this way, I'm not sure of their current practice.

I'm starting to think that BLFS needs a short section on how to
create regular users of the system. Best I can recall, nowhere do
we identify how to set up a regular user of the system.

Though it seems trivial, some do it one way (create a users group)
and others do it another way (how you suggest, creating a matching
group name for each user name).

BLFS should probably have a paragraph in the About System Users
and Groups section in Chapter 3 that recommends one way or another.

Thoughts from the group would be appreciated...

-- 
Randy

rmlscsi: [GNU ld version 2.15.94.0.2 20041220] [gcc (GCC) 3.4.3]
[GNU C Library stable release version 2.3.4] [Linux 2.6.10 i686]
01:12:01 up 1 day, 9:36, 3 users, load average: 1.18, 1.00, 0.60


Re: Creating users that don't need a specific group

2005-09-26 Thread Archaic
On Mon, Sep 26, 2005 at 01:15:46AM -0500, Randy McMurchy wrote:
 
 Thoughts from the group would be appreciated...

A generic users group seems like it could be a security nightmare for a
sysadmin. People who do need to share files generally belong to a
descriptive group such as research, marketing, admin, etc... and they
are put in those groups deliberately and not because useradd said 'x'
gid was where they should go.

-- 
Archaic

Want control, education, and security from your operating system?
Hardened Linux From Scratch
http://www.linuxfromscratch.org/hlfs
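
An added example, not part of any post in this thread: a small audit that reads passwd(5)-format data and reports system accounts that share a primary group or break the uid=gid convention discussed here. The sample entries, the 1-999 system UID range and GID 100 for the shared group are assumptions made for illustration.

```shell
#!/bin/sh
# Audit passwd(5)-format data against the private-group convention
# (each system account in its own group, uid = gid).

# Constructed sample data; every entry and ID is illustrative except
# messagebus 19/19, which is the value mentioned in the thread.
sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
messagebus:x:19:19:D-BUS Message Daemon:/dev/null:/bin/false
postgres:x:41:100:PostgreSQL Server:/srv/pgsql/data:/bin/false
sendmail:x:26:100:Sendmail Daemon:/dev/null:/bin/false
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
}

# shared_primary_groups MIN MAX
# Reads passwd lines on stdin; prints "gid:user1,user2" for every primary
# GID used by two or more accounts whose UID lies in [MIN, MAX].
shared_primary_groups() {
    awk -F: -v min="$1" -v max="$2" '
        $3 + 0 >= min + 0 && $3 + 0 <= max + 0 {
            members[$4] = (count[$4]++ ? members[$4] "," $1 : $1)
        }
        END { for (g in count) if (count[g] > 1) print g ":" members[g] }
    ' | sort -n
}

# uid_gid_mismatch MIN MAX
# Reads passwd lines on stdin; prints "user uid gid" for every account in
# the UID range whose primary GID differs from its UID.
uid_gid_mismatch() {
    awk -F: -v min="$1" -v max="$2" '
        $3 + 0 >= min + 0 && $3 + 0 <= max + 0 && $3 != $4 { print $1, $3, $4 }
    '
}

# Demo on the constructed sample; pipe in /etc/passwd to audit a real host.
echo "Primary groups shared by system accounts:"
sample_passwd | shared_primary_groups 1 999
echo "System accounts with uid != gid:"
sample_passwd | uid_gid_mismatch 1 999
```
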



Re: Creating users that don't need a specific group

2005-09-26 Thread Matthew Burgess

Randy McMurchy wrote:


I'm creating instructions for the BLFS book to add the D-BUS package.
There is a user that needs to be created but this user has no
specific group that it needs to be added to.


In its short life, I believe tradition has this user set up as 
'messagebus' in group 'messagebus'.  I know it doesn't answer the full 
question, for that I'm in vehement agreement with archaic - just put 
users that don't specifically need group membership in their own group.


Regards,

Matt.


Re: Creating users that don't need a specific group

2005-09-26 Thread Randy McMurchy
Matthew Burgess wrote these words on 09/26/05 01:44 CST:

 In its short life, I believe tradition has this user set up as 
 'messagebus' in group 'messagebus'.  I know it doesn't answer the full 
 question, for that I'm in vehement agreement with archaic - just put 
 users that don't specifically need group membership in their own group.

Agreed on the messagebus user. However, no documentation I could
find shows anything about a gid.

Consensus from the group though, seems that gid=uid is the most
proper solution. Thanks to everyone for their input so far. I'm
hoping that Bruce throws his two cents in as well, as I noticed
when he created the groups/users table recently, the PostgreSQL
user does not have a gid assigned to it.

Perhaps this was because he was just going on what was in the book
and didn't want to make changes. I do notice that on Anduin,
gid=uid is the norm in almost all cases.

-- 
Randy

rmlscsi: [GNU ld version 2.15.94.0.2 20041220] [gcc (GCC) 3.4.3]
[GNU C Library stable release version 2.3.4] [Linux 2.6.10 i686]
01:47:01 up 1 day, 10:11, 3 users, load average: 0.00, 0.01, 0.14


Re: Creating users that don't need a specific group

2005-09-26 Thread Richard A Downing
Archaic wrote:
 On Mon, Sep 26, 2005 at 01:15:46AM -0500, Randy McMurchy wrote:
 
Thoughts from the group would be appreciated...
 
 
 A generic users group seems like it could be a security nightmare for a
 sysadmin. People who do need to share files generally belong to a
 descriptive group such as research, marketing, admin, etc... and they
 are put in those groups deliberately and not because useradd said 'x'
 gid was where they should go.
 

I think that means that Randy is right, and we need a short explanation.
 Your reasoning should go in it.  But in the end it's a sysadmin
decision and will depend on the situation, and that needs to be made clear.

There will always be a minority of BLFS readers who want a
'prescription', but we should tell them forcibly that they are going to
have to 'think' rather than 'cut&paste'.  I'd then change the package
instructions to take out the prescriptive groups and say 'Create a
unique group and unprivileged user...'.

R.



RE: Creating users that don't need a specific group

2005-09-26 Thread David Fix
 Consensus from the group though, seems that gid=uid is the most
 proper solution. Thanks to everyone for their input so far. I'm
 hoping that Bruce throws his two cents in as well, as I noticed
 when he created the groups/users table recently, the PostgreSQL
 user does not have a gid assigned to it.
 
 Perhaps this was because he was just going on what was in the book
 and didn't want to make changes. I do notice that on Anduin,
 gid=uid is the norm in almost all cases.

I like the uid=gid system too.  :)

Dave



Re: Creating users that don't need a specific group

2005-09-26 Thread Bruce Dubbs
Randy McMurchy wrote:
 Matthew Burgess wrote these words on 09/26/05 01:44 CST:
 
 
In its short life, I believe tradition has this user set up as 
'messagebus' in group 'messagebus'.  I know it doesn't answer the full 
question, for that I'm in vehement agreement with archaic - just put 
users that don't specifically need group membership in their own group.
 
 
 Agreed on the messagebus user. However, no documentation I could
 find shows anything about a gid.
 
 Consensus from the group though, seems that gid=uid is the most
 proper solution. Thanks to everyone for their input so far. I'm
 hoping that Bruce throws his two cents in as well, as I noticed
 when he created the groups/users table recently, the PostgreSQL
 user does not have a gid assigned to it.
 
 Perhaps this was because he was just going on what was in the book
 and didn't want to make changes. I do notice that on Anduin,
 gid=uid is the norm in almost all cases.

I too normally make uid==gid with the same names.  This creates
consistency.

When I added the section About System Users and Groups, I didn't
analyze each section, but basically grepped for useradd and groupadd
instructions and added those.  I didn't notice the users group in the
useradd instruction.  It certainly wouldn't be hard to add a postgres
group 41 and put a groupadd instruction into the postgresql
instructions.  That seems like the best alternative to me.

Do you want me to do it?

  -- Bruce


Re: Creating users that don't need a specific group

2005-09-26 Thread Randy McMurchy
Bruce Dubbs wrote these words on 09/26/05 10:39 CST:

 When I added the section About System Users and Groups, I didn't
 analyze each section, but basically grepped for useradd and groupadd
 instructions and added those.  I didn't notice the users group in the
 useradd instruction.  It certainly wouldn't be hard to add a postgres
 group 41 and put a groupadd instruction into the postgresql
 instructions.  That seems like the best alternative to me.
 
 Do you want me to do it?

Yes, please.

I added the messagebus user/group with uid/gid=19. Change this to
something else if you want. You may also want to grep for the creation
of the 'sendmail' user and see if there is any group associated with
this user. It is not from the Sendmail instructions, but I'm sure some
other Mail Server package.

-- 
Randy

rmlscsi: [GNU ld version 2.15.94.0.2 20041220] [gcc (GCC) 3.4.3]
[GNU C Library stable release version 2.3.4] [Linux 2.6.10 i686]
11:14:01 up 1 day, 19:38, 3 users, load average: 1.02, 0.97, 0.60


Re: Creating users that don't need a specific group

2005-09-26 Thread Tushar Teredesai
Instead of assigning a specific UID and GID, we could use the
following commands when creating the system users (FYI I use a similar
construct for my pkg-user pkg manager). This way we don't need to hard
code values for each user/group and it is guaranteed to not clash with
any existing UID/GID:
  groupadd -K GID_MIN=20 -K GID_MAX=100 GROUP_NAME
  useradd -K UID_MIN=20 -K UID_MAX=100 -g GROUP_NAME USER_NAME
--
Tushar Teredesai
   mailto:[EMAIL PROTECTED]
   http://www.linuxfromscratch.org/~tushar/


Re: Creating users that don't need a specific group

2005-09-26 Thread Bruce Dubbs
Tushar Teredesai wrote:
 Instead of assigning a specific UID and GID, we could use the
 following commands when creating the system users (FYI I use a similar
 construct for my pkg-user pkg manager). This way we don't need to hard
 code values for each user/group and it is guaranteed to not clash with
 any existing UID/GID:
   groupadd -K GID_MIN=20 -K GID_MAX=100 GROUP_NAME
   useradd -K UID_MIN=20 -K UID_MAX=100 -g GROUP_NAME USER_NAME
 --
 Tushar Teredesai
mailto:[EMAIL PROTECTED]
http://www.linuxfromscratch.org/~tushar/

I'd rather suggest hard coded ids as they are more consistent from
system to system.  The users are, of course, free to use anything they want.

  -- Bruce

P.S.  Glad to see all the Houstonites back on the job now.  :)


Re: Creating users that don't need a specific group

2005-09-26 Thread Randy McMurchy
Bruce Dubbs wrote these words on 09/26/05 12:15 CST:

 P.S.  Glad to see all the Houstonites back on the job now.  :)

That would be Houstonians. :-)

-- 
Randy

rmlscsi: [GNU ld version 2.15.94.0.2 20041220] [gcc (GCC) 3.4.3]
[GNU C Library stable release version 2.3.4] [Linux 2.6.10 i686]
12:47:00 up 1 day, 21:11, 3 users, load average: 0.25, 0.13, 0.18


Re: Creating users that don't need a specific group

2005-09-26 Thread Bruce Dubbs
Randy McMurchy wrote:
 Bruce Dubbs wrote these words on 09/26/05 12:13 CST:
 
 
sendmail uses the group mail.
 
 
 Indirectly, I suppose. I have Sendmail installations, with mailboxes,
 and there is not one file on my systems that have group ownership of
 'mail'. Anduin is the same way. I believe 'smmsp' is the main group
 used by the Sendmail package.

Yes, I agree.

 My earlier comments have to do with the sendmail *user*, which is
 created by some package other than Sendmail (though I cannot figure
 out which one).

OK.  I checked through the Bat book and I couldn't find where it is
necessary.  I'll put in a Bug to review the users/groups for sendmail.

  -- Bruce




Re: Creating users that don't need a specific group

2005-09-25 Thread Archaic
On Mon, Sep 26, 2005 at 12:45:29AM -0500, Randy McMurchy wrote:
 
 That said, what should we do for users that don't need group ID?
 I've always thought that it was good to dump these types of users
 into the users group, but thinking about it, perhaps not.

I've always preferred to segregate them in their own group. But if the
group ID is truly never going to be used, and there is no security
implication of allowing these types of programs to share a group, then
perhaps the nogroup group?

-- 
Archaic

Want control, education, and security from your operating system?
Hardened Linux From Scratch
http://www.linuxfromscratch.org/hlfs
