Re: creating all users with one primary group?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Sat, Dec 31, 2011 at 9:29 PM, Frantisek Hanzlik <franta@xxxxxxxxxxx> wrote:
> Has anyone experience with situation, when all users on Fedora
> distro have same primary group (i.e. is not created extra group
> for every user?

It's common in some distributions.

(Mac OS X, 10.0 - 10.2 had a common "staff" group into which all login
users went. From 10.3, I think, they went with making a primary group
per user. Of course, that's BSD, no Linux.)

> Namely I'm asking when all programs will be working without problems.
> I want use for all users predefined group "users" (GID=100), which
> seems be intended for that situation; in "/etc/default/useradd" is
> this group defined.

I think that group has been used both ways, actually -- primary or
secondary group for login users. Diferent requirements do different
things there.

> I'm little confused from two things too:
>
> - according to useradd man page, USERGROUPS_ENAB variable in
> "/etc/login.defs" controls, when by default will be for users created
> their own primary group or not. Thus set "USERGROUPS_ENAB no" should
> disable this "feature". But in this file on Fedora distros
> (F14-F16) is weird comment
> "This enables userdel to remove user groups if no members exist"

According to some admin techniques, which are not universal. The
"user" series of user admin tools are by no means the only ways to
manage users.

> - "/etc/login.defs" defines variable "GID_MIN  500". In F16 are min
> UID/GID raised to 1000 and arrives two new variables
> SYS_UID_MIN     201
> SYS_UID_MAX     999

Which seems both sensible and weird to me.

Sensible because it's nice to have lots of headroom for inventing
system users, and weird because it wasn't so long since they added
GID_MIN and set it at 500, and made the associated move from masking
users out of the login dialog by their login shell to masking them out
by lack of password -- which looks to me like a vulnerability just
waiting to happen.

> Poses this that what GID=100 are still "normal user" GID and may be
> used as primary (and only) user group ID?

Probably something they forgot to change. On the other hand, if you
have a default user group, whether assigned primary or secondary, you
don't want to ever assign a login user the same uid number.

> Thanks, Franta

--
Joel Rees
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [EPEL Devel]     [Fedora Magazine]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Desktop]     [Fedora Fonts]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Fedora Sparc]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux