CentOS 7 UIDs
-
In reading a book on CentOS 7, it is discussing user creation and UID. It specifies that, when creating the user, you can set the UID, but suggests that you should never use a UID less than 500. You should use only everything 500 and above.
My question is, why is this significant? Is this range from 0 (I am assuming to start at 0) to 499 reserved for root or system processes or something else?
Part of the Adventures into Learning CentOS 7 series
-
Convention. You can use numbers however you like, but convention has always been that under 500 is reserved for system services and over 500 is open for normal "log in" users. It's so you don't have to go looking through random IDs to find accounts. But at the end of the day, it is purely a convention and not something intrinsic to any part of the platform.
-
An important value of this convention is that you can be confident that installing Apache, for example, on one server is not going to randomly grab a UID above 500 that you might want to have used as a user standard across your environment.
-
@NerdyDad You've got it.
Root is almost always zero, with system accounts being assigned numbers starting with 1. A quick example from my jumpbox:
tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
chrony:x:997:995::/var/lib/chrony:/sbin/nologin
That's on a CentOS 7 install where user accounts start at 1000. Different distributions start user accounts at different places with 500 and 1000 being the most common.
-
I look at it the same way standard ports are used. You can usually use whatever you want, but kind of the same reasons you shouldn't.
-
@Tim_G said in CentOS 7 UIDs:
I look at it the same way standard ports are used. You can usually use whatever you want, but kind of the same reasons you shouldn't.
I like that.
-
@Tim_G said in CentOS 7 UIDs:
I look at it the same way standard ports are used. You can usually use whatever you want, but kind of the same reasons you shouldn't.
Ah, but I do not change ports. The bots will try the SSH protocol on all of them anyway. Once it finds the one that answers, it will be added to some hacker's database of known working IP/port combos and go up for sale.
Yeah, it can clean up the log a bit just because of the sheer amount of bots that hit 22. But still you have to mitigate the same way, with things like fail2ban, SSH keys, and IP restrictions.
-
Picture from my passwd file.
Normally I wouldn't do this, but since this is isolated from the rest of the world for now...
-
All of the RHEL/CentOS 7 stuff I've used has started at 1000. Identity Management sets users in a random range around 1,000,000,000.