Associated with each user name is a user identification (UID) number. The user UID identifies the user name to any system on which the user attempts to log in. And, the user UID is used by systems to identify the owners of files and directories. If you create user accounts for a single individual on a number of different systems, always use the same user name and user ID. In that way, the user can easily move files between systems without ownership problems.
UID numbers must be a whole number less than or equal to 2147483647. UID numbers are required for both regular user accounts and special system accounts. The following table lists the UID numbers reserved for user accounts and system accounts.
Table 4–1 Reserved UID Numbers
User ID Numbers |
Use or Login Accounts |
Description |
---|---|---|
0 - 99 |
root, daemon, bin, sys, and so on. |
System accounts |
100 - 2147483647 |
Regular users |
General purpose accounts |
60001 and 65534 |
nobody and nobody4 |
Anonymous users |
60002 |
noaccess |
Non-trusted users |
Although UID numbers 0 through 99 are reserved, you can add a user with one of these numbers. However, do not use 0 through 99 for regular user accounts. By definition, root always has UID 0, daemon has UID 1, and pseudo-user bin has UID 2. In addition, you should give uucp logins and pseudo user logins, like who, tty, and ttytype, low UIDs so they fall at the beginning of the passwd file.
As with user (login) names, you should adopt a scheme to assign unique UIDs. Some companies assign unique employee numbers, and administrators add a number to the employee number to create a unique UID number for each employee.
To minimize security risks, you should avoid reusing the UIDs from deleted accounts. If you must reuse a UID, “wipe the slate clean” so the new user is not affected by attributes set for a former user. For example, a former user might have been denied access to a printer by being included in a printer deny list, but that attribute might not be appropriate for the new user.
UIDs and GIDs can be assigned up to the maximum value of a signed integer, or 2147483647.
However, UIDs and GIDs over 60000 do not have full functionality and are incompatible with many Solaris features, so avoid using UIDs or GIDs over 60000.
The following table describes interoperability issues with Solaris products and previous Solaris releases.
Table 4–2 Interoperability Issues for UIDs or GIDs Over 60000
Category |
Product or Command |
Issues or Cautions |
---|---|---|
NFSTM Interoperability |
SunOSTM 4.0 NFS software and compatible releases |
NFS server and client code truncates large UIDs and GIDs to 16 bits. This situation can create security problems if systems running SunOS 4.0 and compatible releases are used in an environment where large UIDs and GIDs are being used. Systems running SunOS 4.0 and compatible releases require a patch to avoid this problem. |
Name Service Interoperability |
NIS name service and file-based name service |
Users with UIDs greater than 60000 can log in or use the su command on systems running the Solaris 2.5 and compatible releases, but their UIDs and GIDs will be set to 60001 (nobody). |
|
NIS+ name service |
Users with UIDs greater than 60000 are denied access on systems running Solaris 2.5 and compatible releases and the NIS+ name service. |
Table 4–3 Large UID or GID Limitation Summary