standard user accounts - uucp,gopher,adm, nobody... - what are they, why are they there, when shall they be used?

Latest response

 

An example /etc/passwd:

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin

/etc/groups
root:x:0:root
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
sys:x:3:root,bin,adm
adm:x:4:root,adm,daemon
tty:x:5:
disk:x:6:root
lp:x:7:daemon,lp
mem:x:8:
kmem:x:9:
wheel:x:10:root
mail:x:12:mail,postfix
news:x:13:news
uucp:x:14:uucp
man:x:15:
games:x:20:
gopher:x:30:
dip:x:40:
ftp:x:50:
lock:x:54:
nobody:x:99:
 

More complete list is in the documentation, which lists them, but does not explain what they are:

https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/s1-users-groups-standard-users.html

 

Why do we need gopher and uucp account on every single RHEL instance?

Does anyone have a policy of assigning users to particular system groups?

 

I can start by saying that wheel group is for users that should be able to become root through sudo. This would depend on the /etc/sudoers settings.

nobody is for users that should not be able to log in to the system. For example cron jobs can be run as nobody user.

Responses

Great discussion idea Sergey!  I actually just had a customer I was working with that was asking about this.  Their security department decided to change the uid/gid on several system accounts to comply with their Corporate Security Policy, and now the Ops team was having issues installing updates since the package expected certain accounts and values to be in place.

We worked off of this document:

 

   Description and purpose of standard system user accounts

     https://access.redhat.com/knowledge/solutions/225183 

And this from the RHEL6 Migration Planning Guide:

     https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6-Beta/html/Migration_Planning_Guide/sect-Migration_Guide-Security_Authentication-System_users.html

 

Many of the accounts you reference are part of the Linux Standard Base (LSB), with some details to be found in that first link and then these from Linuxbase.org:

     http://refspecs.linuxbase.org/LSB_4.1.0/LSB-Core-generic/LSB-Core-generic/book1.html

     http://refspecs.linuxbase.org/LSB_4.1.0/LSB-Core-generic/LSB-Core-generic/usernames.html

Thank you, Christopher.

It looks like most of these accounts are for LSB compatibility.

I am looking forward to people sharing stories of deleting these accounts or actually using them. Maybe for absolutely different purposes then what is in LSB :-) And of problems they faced doing this :-(

Sergey, I'm the one who wrote the Description and purpose of standard system user accounts article. If you have any specific questions that weren't addressed by it, please ask so I can make it better. :)

God... So many of those accounts/groups are there for what amounts to decades' old habits. Frankly, most of these user accounts should only exist on a system if you're using the associated protocols/have the associated RPMs installed. That said: does anyone use UUCP any more; are there any active GOPHER servers any more?.

I know some people who still use uucp for offline transfer of mail, and gopher is indeed quite unused ( even if i have read a article less than 1 year about how gopher would be ideal for some mobile application ). I would be in favor of not creating theses accounts by default.

A technical solution could be to have them added by the lsb rpm ( like any system user is added if needed, for example user for apache ), so people installing it would be lsb compliant with the account, while the others who do not care would have more uid for system users. This would also permit to slowly deprecate them in a clean way, by removing them from lsb rpm as time goes by and LSB change.

Could someone fill a bug report for that in Fedora or RHEL, so the issues is tracked by the developpers, and discussed more widely  ?

Has anyone filed a bug report, as recommended by Michael above? We have filed a case asking if some of these LSB-spec'd users can be removed (like `adm'), for example, and will there be, if any, significant impact on the system.

I think this topic needs to get some more attention again.

Interestingly, most of the deprecated / legacy user names are 'optional' in the LSB 4.1 spec, so there is no need for them to be included to be LSB compliant.

Spec can be found here (Page 649):
http://refspecs.linuxfoundation.org/LSB_4.1.0/LSB-Core-generic/LSB-Core-generic.pdf

 are there any active GOPHER servers any more?.

There are some: (from the Wikipedia entry for Gopher Protocol):

As of 2012, there are approximately 160 gopher servers indexed by Veronica-2,[17] reflecting a slow growth from 2007 when there were fewer than 100,[18] although many are infrequently updated. Within these servers Veronica indexed approximately 2.5 million unique selectors.

and client support is available in RHEL6:

[ray@rhel6 ~]$ lynx -dump gopher://gopher.quux.org | head -n 10
                                  Gopher Menu

       Welcome to gopher at quux.org!
       This server has a lot of information of historic interest,
       funny, or just plain entertaining -- all presented in Gopher.
       There are many mirrors here of rare or valuable files with the
       aim to preserve them in case their host disappears.  PLEASE READ
       "About This Server" FOR IMPORTANT NOTES AND LEGAL INFORMATION.

(FILE) [1]About This Server
 

Ryan,

thank you for writing the article https://access.redhat.com/knowledge/solutions/225183

I will quote you:

"Typically, the first dozen or so users in /etc/passwd are users that are specified in the Linux Standard Base. With the exception of "root" and "lp", they're virtually all unnecessary and rarely used on modern systems, but have been around for many many years. For example, in the past the "shutdown" user was used to make it easy for people to have rights to shutdown the system -- if one knew the password for the shutdown user, one could simply login and the system would start shutting down. (The "sync" and "halt" users were for the same sort of thing.) "

Can this paragraph be added to the Deployment guide?

 

And is there a similar KB article on standard groups?

Any ideas on improving the article itself we'll put as comments to the KB.

Hi guys,

I'm the maintainer of the Deployment Guides for RHEL 5 and 6 and I'd like to address this issue in the docs. Can we maybe cooperate on it somehow?

Thank you,

Bara