username/uid restrictions

Robin Laing Robin.Laing at drdc-rddc.gc.ca
Fri Dec 2 15:52:08 UTC 2005


Ben Stringer wrote:
> On Fri, 2005-12-02 at 10:31 +0000, T. Horsnell wrote: 
> 
>>'morning all,
>>I see from my new RHEL4 sysadmin guide that uid's up to 500 are
>>reserved for system use. When I first began setting up my
>>Unix userbase some 15 years ago, I unfortunately chose to start
>>at uid 100, so I now have to change the uid's of some 400 users,
>>36 million files, on a hundred or so boxes. OK, this is do-able
>>and should be more-or-less 'transparent to the user'.
>>(Since I'm going to make a change, should I start at 1000 and change
>>the lot? How reliable is the 500?)
> 
> 
> Hi Terry,
> 
> I also ran into this problem recently, and it was easily fixed with a
> change to /etc/login.defs. Just claim UID 100 onwards as yours! 
> 
> If there are any clashes, change the system UID to something new, making
> sure to modify the shadow and group files, and chown any files of the
> old UID to the new UID.
> 
> 
> 
>>The thing that concerns me more, is the plethora of reserved
>>usernames. There seems to be no rule to distinguish a reserved
>>username (presumably the list in the RHEL sysadmin guide is
>>going to grow) and it's only a matter of time before some
>>newly allocated name collides with one which has been given to
>>a user. In fact, I can't find anywhere what the rules are for
>>usernames. Character-set? How many chars?
>>Pity that reserved names aren't systematic in some way (like
>>always starting with sys_ or somesuch).
>>
> 
> 
> As all "system" users are added by RPMs (possibly with the exception of
> root), you can query the RPM packages to find out if they create users.
> Unfortunately, this looks to require some "roll-your-own" scripting.
> 
> This is not a solution to your problem, just some "tools" to make
> dealing with it easier.
> 
> --- cut here ---
> # List every installed package whose RPM scriptlets call useradd
> rpm -qa | while read -r package
> do
>   USERADDED=$(rpm -q "$package" --scripts | grep useradd)
>   if [ -n "${USERADDED}" ]
>   then
>      echo "package $package added user using this line"
>      echo "${USERADDED}"
>      echo
>   fi
> done
> 
> --- cut here ---
> 
>>I'm not looking forward to the day when a new system-username
>>duplicates the username of one of the directors, which he has
>>had for the last 15 years, and which is also his email address 
>>held on mailing lists and institutions all over the place...
>>
>>Any advice out there? 
>>
> 
> 
> If you _really_ want to keep a username for a real user, just change the
> system name to something else. In most cases, there should be no issue,
> in some cases you may need to track down and modify other packages that
> depend on a given username.
> 
> Cheers, Ben
> 

I wouldn't change the start UID from 500; as old users are deleted, new 
users will be above 500, so this problem will slowly be corrected. 
Also, users can slowly be moved above 500 over time when we get those 
rare spare minutes. :)


Robin



