Groups | Search | Server Info | Login | Register
Groups > comp.os.linux.misc > #80179
| From | jayjwa <jayjwa@atr2.ath.cx.invalid> |
|---|---|
| Newsgroups | comp.os.linux.misc |
| Subject | Re: Cleaning up group identities |
| Date | 2025-12-31 13:20 -0500 |
| Organization | Atr2 RG 2025 |
| Message-ID | <87344qfr7j.fsf@atr2.ath.cx> (permalink) |
| References | <slrn10laggp.2v3in.lars@cleo.beagle-ears.com> |
Lars Poulsen <lars@beagle-ears.com> writes:
> I found that GID 51 and GID 486 were both in /etc/group as the
> group smmsp (sendmail sending profile?). And it turns out that
> there are a number of these:
> mailnull 47 and 487
> apache 48 and 489
> smmsp 51 and 486
> openvpn 994 and 982
> ...
After anything I install, I check that the passwd/group files have not
been molested. I don't want my passwd/group looking like a phone book
for New York City. There's alot of fluff that gets installed. You can
run 'grpck' and 'pwck' to keep things tidy. One group name should not
have multiple GIDs IMHO, but who knows how it's being done now? I also
hate multiple nobody/nogroups and names for every single thing. One name
for ftp is fine. Adding more entries gives hackers more users to try to
breach a system with and someday you will forgot to lock one that you
didn't even know was added and now it's relaying spam (happened to a guy
on LQ).
> The scripts to do this will be a pain to write, so I wonder
> - if others have had the same problems,
> - what you did about it,
> - and are there scripts to automate the process?
My users/groups go 1000:1000 and above on Linux. Some other Unix use
100:100. Prevention is the best remedy. Of course, that won't help you now.
> Part of the immediate cleanup will be moving old user-ids out of
> the 500-999 range. When doing that, it would be good to also align
> the UIDs and GIDs of the users. (Which means setting aside a range
> groups like "family", "friends", "coworkers" that do not have a
> unique user associated.)
You can stay with lower ranges as long as you make sure nothing you
install from your distro messes with them (it likely will).
> And by the way, is there a canonical list of "preferred" values
> for system service UID and GID?
This is probably distro-specific. After any install that touches passwd,
I delete any "toor", "operator", 'haldaemon", or "wheel" I find.
--
PGP Key ID: 781C A3E2 C6ED 70A6 B356 7AF5 B510 542E D460 5CAE
"The Internet should always be the Wild West!"
Back to comp.os.linux.misc | Previous | Next — Previous in thread | Next in thread | Find similar
Cleaning up group identities Lars Poulsen <lars@beagle-ears.com> - 2025-12-31 15:32 +0000
Re: Cleaning up group identities Richard Kettlewell <invalid@invalid.invalid> - 2025-12-31 16:56 +0000
Re: Cleaning up group identities jayjwa <jayjwa@atr2.ath.cx.invalid> - 2025-12-31 13:20 -0500
Re: Cleaning up group identities Lawrence D’Oliveiro <ldo@nz.invalid> - 2025-12-31 21:03 +0000
Re: Cleaning up group identities Rich <rich@example.invalid> - 2026-01-01 16:03 +0000
Re: Cleaning up group identities - SOLVED Lars Poulsen <lars@beagle-ears.com> - 2026-01-01 16:42 +0000
csiph-web