User and group IDs
There are two classes of user IDs: system IDs and normal user IDs. System IDs are reserved for ownership of protected subsystems and special system administration functions. Normal user IDs are assigned to individuals who use the system interactively.
- System user ID: 0 to 127
- Normal user ID: 128 to MAXUID
- Normal group ID: 0 to MAXUID-1
Care should be taken when assigning user ID values for new users. If a normal user is inadvertently assigned a user ID value less than 128, the user will not be able to log on to the system.
User ID values should not be reused. When a user is deleted, it is recommended that the entries remain in the /etc/passwd and /etc/security/passwd files and the account be locked. You can do this with the smit command. This prevents a user from logging in and the ID from being reused. Not reusing the ID prevents a new user from accessing files that belong to the previous user and that may not have been removed. This also allows the audit trail to be reconstructed with no ambiguity.
The /etc/passwd, /etc/security/passwd, and /etc/group files can be managed with the mkuser, chuser, rmuser, pwdadm, and passwd commands. These commands enforce all of the above precautions as well as all other system security considerations. The mkuser command can only add normal users to the system.
- Never reassign a previously used user ID to a new user
- Never assign duplicate user IDs
- Never assign a system ID to a normal user
- Never assign MAXUID as a user ID or group ID
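The following shell audit checks a passwd-format file against the four rules above. It is an added example, not part of the original documentation: the MAXUID value is a placeholder assumption, the list of accounts allowed to hold system IDs (0 to 127) is assumed, and the sample files are constructed rather than taken from a real system.

```shell
#!/bin/sh
# Added example: audit a passwd-format file against the ID rules above.
# Assumptions (not from the page): MAXUID is a placeholder value, and the
# listed names are the accounts that legitimately hold system IDs (0-127).
MAXUID=${MAXUID:-4294967295}
SYSACCTS="root daemon bin sys adm"
SAMPLE_DIR=${TMPDIR:-/tmp}

# Constructed sample files, not a real system's /etc/passwd. The retired
# file lists UIDs of deleted (locked) accounts that must never be reused.
make_sample() {
    cat > "$SAMPLE_DIR/sample_passwd" <<'EOF'
root:!:0:0::/:/usr/bin/ksh
daemon:!:1:1::/etc:
bin:!:2:2::/bin:
alice:!:201:1::/home/alice:/usr/bin/ksh
bob:!:205:1::/home/bob:/usr/bin/ksh
carol:!:100:1::/home/carol:/usr/bin/ksh
dave:!:201:1::/home/dave:/usr/bin/ksh
erin:!:4294967295:1::/home/erin:/usr/bin/ksh
EOF
    printf '205\n' > "$SAMPLE_DIR/sample_retired"
}

# audit_passwd PASSWD_FILE RETIRED_FILE
# Prints one line per violation; the exit status is the violation count.
audit_passwd() {
    awk -F: -v maxuid="$MAXUID" -v retired="$2" -v sysaccts="$SYSACCTS" '
    BEGIN {
        while ((getline line < retired) > 0) retired_ids[line] = 1
        close(retired)
        n = split(sysaccts, s, " ")
        for (i = 1; i <= n; i++) sysacct[s[i]] = 1
        v = 0
    }
    {
        user = $1; uid = $3 + 0; gid = $4 + 0
        if (uid in seen) { print "duplicate UID " uid ": " user " and " seen[uid]; v++ }
        else seen[uid] = user
        if (uid < 128 && !(user in sysacct)) { print "system ID " uid " assigned to normal user " user; v++ }
        if (uid in retired_ids) { print "retired UID " uid " reused by " user; v++ }
        if (uid == maxuid || gid == maxuid) { print "MAXUID assigned to " user; v++ }
    }
    END { exit v }' "$1"
}

make_sample
audit_passwd "$SAMPLE_DIR/sample_passwd" "$SAMPLE_DIR/sample_retired" || echo "$? violation(s) found"
```

Run against the constructed sample it reports four violations: carol holds a system ID, dave duplicates alice's UID, bob reuses the retired UID 205, and erin was given MAXUID.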