standard user accounts - uucp, gopher, adm, nobody... - what are they, why are they there, when shall they be used?
An example /etc/passwd:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin

/etc/groups:
root:x:0:root
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
sys:x:3:root,bin,adm
adm:x:4:root,adm,daemon
tty:x:5:
disk:x:6:root
lp:x:7:daemon,lp
mem:x:8:
kmem:x:9:
wheel:x:10:root
mail:x:12:mail,postfix
news:x:13:news
uucp:x:14:uucp
man:x:15:
games:x:20:
gopher:x:30:
dip:x:40:
ftp:x:50:
lock:x:54:
nobody:x:99:
A more complete list is in the documentation, which lists them, but does not explain what they are:
Why do we need gopher and uucp accounts on every single RHEL instance?
Does anyone have a policy of assigning users to particular system groups?
I can start by saying that the wheel group is for users that should be able to become root through sudo. This would depend on the /etc/sudoers settings.
nobody is for users that should not be able to log in to the system. For example, cron jobs can be run as the nobody user.
Responses
Great discussion idea Sergey! I actually just had a customer I was working with that was asking about this. Their security department decided to change the uid/gid on several system accounts to comply with their Corporate Security Policy, and now the Ops team was having issues installing updates since the package expected certain accounts and values to be in place.
We worked off of this document:
Description and purpose of standard system user accounts
https://access.redhat.com/knowledge/solutions/225183
And this from the RHEL6 Migration Planning Guide:
Many of the accounts you reference are part of the Linux Standard Base (LSB), with some details to be found in that first link and then these from Linuxbase.org:
http://refspecs.linuxbase.org/LSB_4.1.0/LSB-Core-generic/LSB-Core-generic/book1.html
http://refspecs.linuxbase.org/LSB_4.1.0/LSB-Core-generic/LSB-Core-generic/usernames.html
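The drift described in the response above (uid/gid values changed on system accounts, after which package updates failed) can be checked for by comparing a host's passwd file against a known baseline. This is an added example, not part of the thread: the baseline is the listing from the original post, SAMPLE is constructed, and the function names are hypothetical.

```python
# Added example: baseline is the /etc/passwd listing from the original post.
BASELINE = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
"""
NOLOGIN = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

def parse_passwd(text):
    """Return {name: (uid, gid, shell)}; skip malformed or NIS (+/-) lines."""
    accounts = {}
    for line in text.splitlines():
        f = line.strip().split(":")
        if len(f) == 7 and f[2].isdigit() and f[3].isdigit():
            accounts[f[0]] = (int(f[2]), int(f[3]), f[6])
    return accounts

def audit(current_text, baseline_text=BASELINE):
    """List (account, finding) pairs where a host differs from the baseline."""
    base, cur = parse_passwd(baseline_text), parse_passwd(current_text)
    findings = []
    for name, (uid, gid, shell) in base.items():
        if name not in cur:
            findings.append((name, "missing"))
            continue
        cuid, cgid, cshell = cur[name]
        if (cuid, cgid) != (uid, gid):
            findings.append((name, f"uid/gid {cuid}:{cgid}, expected {uid}:{gid}"))
        if shell in NOLOGIN and cshell not in NOLOGIN:
            findings.append((name, f"login shell {cshell}"))
    return findings

# Constructed sample host: adm renumbered, games given a shell, gopher removed.
SAMPLE = (BASELINE.replace("adm:x:3:4:", "adm:x:503:504:")
          .replace("/usr/games:/sbin/nologin", "/usr/games:/bin/bash")
          .replace("gopher:x:13:30:gopher:/var/gopher:/sbin/nologin\n", ""))
print(audit(SAMPLE))
```

On a real host, pass the contents of /etc/passwd as `current_text` and use a baseline captured from a freshly installed system of the same release.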
God... So many of those accounts/groups are there for what amounts to decades-old habits. Frankly, most of these user accounts should only exist on a system if you're using the associated protocols/have the associated RPMs installed. That said: does anyone use UUCP any more; are there any active GOPHER servers any more?
I know some people who still use uucp for offline transfer of mail, and gopher is indeed quite unused (even if I have read an article less than 1 year ago about how gopher would be ideal for some mobile applications). I would be in favor of not creating these accounts by default.
A technical solution could be to have them added by the lsb rpm (like any system user is added if needed, for example the user for apache), so people installing it would be LSB compliant with the accounts, while the others who do not care would have more uids for system users. This would also permit deprecating them slowly in a clean way, by removing them from the lsb rpm as time goes by and the LSB changes.
Could someone file a bug report for that in Fedora or RHEL, so the issue is tracked by the developers, and discussed more widely?
Has anyone filed a bug report, as recommended by Michael above? We have filed a case asking if some of these LSB-spec'd users can be removed (like `adm'), for example, and will there be, if any, significant impact on the system.
I think this topic needs to get some more attention again.
Interestingly, most of the deprecated / legacy user names are 'optional' in the LSB 4.1 spec, so there is no need for them to be included to be LSB compliant.
Spec can be found here (Page 649):
http://refspecs.linuxfoundation.org/LSB_4.1.0/LSB-Core-generic/LSB-Core-generic.pdf
are there any active GOPHER servers any more?
There are some: (from the Wikipedia entry for Gopher Protocol):
As of 2012, there are approximately 160 gopher servers indexed by Veronica-2,[17] reflecting a slow growth from 2007 when there were fewer than 100,[18] although many are infrequently updated. Within these servers Veronica indexed approximately 2.5 million unique selectors.
and client support is available in RHEL6:
[ray@rhel6 ~]$ lynx -dump gopher://gopher.quux.org | head -n 10
Gopher Menu
Welcome to gopher at quux.org!
This server has a lot of information of historic interest,
funny, or just plain entertaining -- all presented in Gopher.
There are many mirrors here of rare or valuable files with the
aim to preserve them in case their host disappears. PLEASE READ
"About This Server" FOR IMPORTANT NOTES AND LEGAL INFORMATION.
(FILE) [1]About This Server
