Developers Documentation


Developer - UIDs, GIDs, and RIDs

The ClearOS Directory needs to handle the following IDs in a sane way:

  • User IDs
  • Group IDs
  • Relative IDs (part of the Windows Networking Security Identifier/SID)

To start, let's take a look at Linux user IDs (UIDs) and group IDs (GIDs). Not too long ago, the maximum recommended UID/GID on a Linux system was 65,535. Most modern Linux distributions can certainly handle more of course. Though ClearOS 5.x can handle UIDs/GIDs up to 2,147,483,647, the traditional limit of 65,535 is still in use in version 5.x.

Before we can design our ID ranges, it is important to look at the Windows Networking world. The SID (Security Identifier) in Windows is a unique name used on Windows networks. Every user, group and computer is assigned a SID using the following format:

S-1-5-domain-relative ID (RID)

Here, domain is an identifier for the Windows domain, and the relative ID (RID) is a unique identifier within that domain. Here's an example:

S-1-5-21-7623811015-3361044348-030300820-1013

You can also view SIDs by running pdbedit -L -v on a live ClearOS system. Detailed information on SIDs can be found on Wikipedia and elsewhere. For our purposes, the following rules must be followed.

  • RIDs below 1000 are reserved for special users/groups (e.g. the RID for Domain Admins is 512)
  • RIDs must be unique

Account Types

Now that we have laid out the basic rules around UIDs/GIDs/RIDs, we can now move on to account types. In most Linux distributions, you can find the following account types:

| Account Type | Description | Examples |
|---|---|---|
| System Users | User accounts used by the underlying operating system | root, apache, mysql |
| System Groups | Group accounts used by the underlying operating system | lp, users |
| Normal Users | User accounts representing real people | dave, mike, ben, corinne |
| Normal Groups | Group accounts representing real groups of people | staff, students |

These account types are just a common convention used in most Linux distributions. With the exception of the root account (UID/GID of 0), a Linux system does not really distinguish amongst the account types!

In Windows, there are a number of different account types. For this discussion, all we need to know is that a relative ID (RID) between 0 and 1000 is for these special accounts.

Local Linux Server Only

Before we dive into the specifics of LDAP, let's examine the range of IDs used only by the local Linux system. In other words, you won't find these accounts in LDAP or floating around as SIDs on a Windows network. In ClearOS, the following ID ranges are used:

| Account Type | UID/GID | RID | Purpose | Examples |
|---|---|---|---|---|
| System Users | 0-499 | n/a | System user accounts | root, apache, mysql |
| System Groups | 0-499 | n/a | System group accounts | lp |
| Normal Users | 500-999 | n/a | User accounts outside of LDAP | devel |

System Users – When you install a software daemon like the Apache web server, the software will typically run under its own account – apache in this case.

System Groups – System groups can be used for those cases where sharing permissions is a necessity. For example, the ClamAV antivirus engine needs to share file permissions with the Amavis mail scanner. On a ClearOS system, you will find the clamav user is in the amavis group.

Normal Users – In some circumstances, you may need to add a normal user account outside of LDAP. A range of UIDs has been set aside for this purpose, and you can follow this howto.

Global LDAP Directory

In Linux, UIDs and GIDs are independent. In other words, a user account mike with UID 1011 has no special ties or permissions to a GID with the same value of 1011. Since the Windows world uses a unique number across users, groups, and computers, the ClearOS directory will do the same.

The UID, GID and RID ranges are summarized in the following tables.

| User | UID | RID | Purpose | Examples |
|---|---|---|---|---|
| System Users | 0-499 | n/a | Linux system users | root, apache |
| Built-in Users | 300-399 | | ClearOS built-in users | flexshare, guest |
| Normal Users | 1,000-59,999 | 1,000-59,999 | Normal user accounts | dave, mike, ben |
| Windows - Samba Server | 10,000,000-19,999,999 | auto | Winbind IDMap | |
| Windows - Active Directory | 20,000,000-29,999,999 | auto | Winbind IDMap | |

Note: the 500-999 range is reserved for creating non-LDAP user accounts. This is mainly to support sloppy 3rd party packaging that automatically creates normal user accounts when system accounts would be more appropriate.

| Group | GID | RID | Purpose | Examples |
|---|---|---|---|---|
| System Groups | 0-499 | n/a | Linux system groups | clamav |
| Built-in Groups | 63,000-63,999 | 63,000-63,999 | ClearOS built-in groups | allusers |
| Normal Groups | 60,000-62,999 | 60,000-62,999 | Normal group accounts | staff, students |
| Plugin Groups | 900,000-999,999 | | Plugin groups | plugin-proxy, plugin-openvpn |
| Windows Groups | 1,000,000-1,001,000 | 0-1000 | Special RID range | Domain Admins |
| Windows - Samba Server | 10,000,000-19,999,999 | auto | Winbind IDMap | |
| Windows - Active Directory | 20,000,000-29,999,999 | auto | Winbind IDMap | |

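As an added example (not code from the ClearOS project), the following Python puts the SID rules from the first section and the UID/GID tables above into one checker: it extracts the RID from a SID string like the one shown earlier, flags reserved RIDs below 1000, and classifies a UID or GID against the documented ranges. The function names and the GID = 1,000,000 + RID formula for the Windows Groups row are my assumptions; the page gives only the ranges.

```python
"""Classify ClearOS UIDs/GIDs and Windows RIDs against the documented ranges.
Ranges are copied from the tables on this page; names here are the author's own."""

# (low, high, account type). Built-in Users (300-399) sits inside the System
# Users range (0-499), so the more specific entry is listed first.
UID_RANGES = [
    (300, 399, "Built-in Users"),
    (0, 499, "System Users"),
    (500, 999, "Normal Users (outside LDAP)"),
    (1_000, 59_999, "Normal Users"),
    (10_000_000, 19_999_999, "Windows - Samba Server"),
    (20_000_000, 29_999_999, "Windows - Active Directory"),
]
GID_RANGES = [
    (0, 499, "System Groups"),
    (60_000, 62_999, "Normal Groups"),
    (63_000, 63_999, "Built-in Groups"),
    (900_000, 999_999, "Plugin Groups"),
    (1_000_000, 1_001_000, "Windows Groups"),
    (10_000_000, 19_999_999, "Windows - Samba Server"),
    (20_000_000, 29_999_999, "Windows - Active Directory"),
]

def _classify(value, ranges):
    """Return the account type for value, or 'unassigned' if no range covers it."""
    for low, high, name in ranges:
        if low <= value <= high:
            return name
    return "unassigned"

def classify_uid(uid):
    return _classify(uid, UID_RANGES)

def classify_gid(gid):
    return _classify(gid, GID_RANGES)

def rid_from_sid(sid):
    """Return the RID (last sub-authority) of an S-1-5-<domain>-<RID> SID, else None."""
    parts = sid.split("-")
    if len(parts) < 5 or parts[:3] != ["S", "1", "5"]:
        return None
    if not all(p.isdigit() for p in parts[3:]):
        return None
    return int(parts[-1])

def rid_is_reserved(rid):
    """RIDs below 1000 are reserved for special accounts (Domain Admins is 512)."""
    return rid < 1000

def gid_for_windows_group_rid(rid):
    """Assumed mapping of the special RID range 0-1000 onto GIDs 1,000,000-1,001,000."""
    if not 0 <= rid <= 1000:
        raise ValueError("only the special RID range 0-1000 is mapped to Windows Groups")
    return 1_000_000 + rid
```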
content/en_us/dev_architecture_directory_uids_gids_and_rids.txt · Last modified: 2015/08/14 09:05 (external edit)
