Associated with each user name is a user identification (UID) number. The UID number identifies the user name to any system on which the user attempts to log in, and it is used by systems to identify the owners of files and directories. If you create user accounts for a single individual on a number of different systems, always use the same user name and user ID. In that way, the user can easily move files between systems without ownership problems.
UID numbers must be a whole number less than or equal to 2147483647, and they are required for both regular user accounts and special system accounts. Table 1-1 lists the UID numbers reserved for user accounts and system accounts.
Table 1-1 Reserved UID Numbers
User ID Numbers |
Login Accounts |
Reserved For ... |
---|---|---|
0 - 99 |
root, daemon, bin, sys, etc. |
System accounts |
100 - 2147483647 |
Regular users |
General purpose accounts |
60001 |
nobody |
Unauthenticated users |
60002 |
noaccess |
Compatibility with Solaris 2.0 and compatible versions and SVR4 releases |
Although UID numbers 0 through 99 are reserved, you can add a user with one of these numbers. However, do not use them for regular user accounts. By definition, root always has UID 0, daemon has UID 1, and pseudo-user bin has UID 2. In addition, you should give uucp logins and pseudo user logins, like who, tty, and ttytype, low UIDs so they fall at the beginning of the passwd file.
As with user (login) names, you should adopt a scheme to assign unique UIDs. Some companies assign unique employee numbers, and administrators add 1000 to the employee number to create a unique UID number for each employee.
To minimize security risks, you should avoid reusing the UIDs from deleted accounts. If you must reuse a UID, "wipe the slate clean" so the new user is not affected by attributes set for a former user. For example, a former user may have been denied access to a printer--by being included in a printer deny list--but that attribute may not be appropriate for the new user. If need be, you can use duplicate UIDs in an NIS+ domain if the supply of unique UIDs is exhausted.
Previous Solaris software releases used 32-bit data types to contain the user IDs (UIDs) and group IDs (GIDs), but UIDs and GIDs were constrained to a maximum useful value of 60000. Starting with the Solaris 2.5.1 release and compatible versions, the limit on UID and GID values has been raised to the maximum value of a signed integer, or 2147483647.
UIDs and GIDs over 60000 do not have full functionality and are incompatible with many Solaris features, so avoid using UIDs or GIDs over 60000. See Table 1-2 for a complete list of interoperability issues with Solaris products and commands.
Table 1-2 describes interoperability issues with previous Solaris and Solaris product releases.
Table 1-2 Interoperability Issues for UIDs/GIDs Over 60000
Category |
Product/Command |
Issues/Cautions |
---|---|---|
NFSTM Interoperability |
SunOS 4.0 NFS software and compatible versions |
NFS server and client code truncates large UIDs and GIDs to 16 bits. This can create security problems if SunOS 4.0 and compatible machines are used in an environment where large UIDs and GIDs are being used. SunOS 4.0 and compatible systems require a patch. |
Name Service Interoperability |
NIS name service File-based name service |
Users with UIDs above 60000 can log in or use the su command on systems running the Solaris 2.5 and compatible versions, but their UIDs and GIDs will be set to 60001 (nobody). |
|
NIS+ name service |
Users with UIDs above 60000 are denied access on systems running Solaris 2.5 and compatible versions and the NIS+ name service. |
Printed UIDs/GIDs |
OpenWindows File Manager |
Large UIDs and GIDs will not display correctly if the OpenWindowsTM File Manager is used with the extended file listing display option. |
Table 1-3 Large UID/GID Limitation Summary