Subject: privileged user in RedHat
From: Marco Moock
Newsgroups: comp.os.linux.misc
Organization: A noiseless patient Spider
Date: Wed, 28 Aug 2024 06:21 UTC

Hello!

Is there any definition for the word "privileged user" in the Linux
(especially RedHat) environment?

I am currently learning RedHat OpenShift and the courses include a
question where the answer is that 2 containers run with UID 27 are
called privileged. (DO190 ch03s08 if you have access).

I am aware that it is common that normal (real people) users start with
1000 ongoing, server process users are below. Is there a difference on
the IDs or is that just tradition?

--
kind regards
Marco

Subject: Re: privileged user in RedHat
From: 186282@ud0s4.net
Newsgroups: comp.os.linux.misc
Organization: wokiesux
Date: Wed, 28 Aug 2024 07:53 UTC
References: 1

On 8/28/24 2:21 AM, Marco Moock wrote:
> Hello!
>
> Is there any definition for the word "privileged user" in the Linux
> (especially RedHat) environment?

User 'root' is the only, initially, "privileged user".

Open a terminal, type 'su', enter the password (which
should be DIFFERENT from that of any other user you
created during install). Root has access to EVERYTHING,
therefore the desire for the different password.

(note that 'sudo' kinda breaks this security measure, so
research and set it CAREFULLY). You do NOT have to use
'visudo' ... but then it's on YOU to get it 100% right.
Anything 'vi' I tend to REMOVE because I find line-editors
SO offensive these days.

When IBM-PCs, DOS 1.x, came out there was 'edlin' - a
"line editor". You were expected to use it when editing
text/config files. I despised the concept SO much I wrote
a 'nano'-like editor, in assembler lang, as a replacement.
I just REALLY hate line editors ...... the tech to do
much better existed from WAY back.

> I am currently learning RedHat OpenShift and the courses include a
> question where the answer is that 2 containers run with UID 27 are
> called privileged. (DO190 ch03s08 if you have access).
>
> I am aware that it is common that normal (real people) users start with
> 1000 ongoing, server process users are below. Is there a difference on
> the IDs or is that just tradition?

It is "tradition" now to set the first 'regular' user
to ID 1000, group 1000. Not all 'unix-like' systems
may obey the same traditions, but Linux distros kinda
all go that way.

The SYSTEM doesn't really care about the ID numbers.

While there are terminal-line utilities, you can also
edit /etc/groups and /etc/passwd using something like
'nano' and add/remove users from the privileges of
the root user. DO be CAREFUL ! Get it right. Plenty
of docs on the net.

Linux has a rep for security. To keep that intact
please do NOT run apps and such as "root" unless
absolutely necessary.

Yea, yea ... with Win you have to use the Administrator
privs kinda often or you can't do dick .......

As for 'sudo' ... there ARE ways to force it to
require the ROOT password instead of the regular
USER password. This is much more secure. DO
research it on the net. The /etc/sudoers file
is where you make the, careful, changes.

Oh, Raspberry Pi's ... 'sudo' often requires NO
password. NOT great.

Subject: Re: privileged user in RedHat
From: Marco Moock
Newsgroups: comp.os.linux.misc
Organization: A noiseless patient Spider
Date: Wed, 28 Aug 2024 10:01 UTC
References: 1 2

On Wed, 28 Aug 2024 03:53:18 -0400 "186282@ud0s4.net"
<186283@ud0s4.net> wrote:

> On 8/28/24 2:21 AM, Marco Moock wrote:
> > Hello!
> >
> > Is there any definition for the word "privileged user" in the Linux
> > (especially RedHat) environment?
>
> User 'root' is the only, initially, "privileged user".

Ok, but what does privileged then mean in the RHEL/ROCP environment?

I know that stuff like sudo exists, but I'm mostly asking about the
term.

> (note that 'sudo' kinda breaks this security measure, so
> research and set it CAREFULLY). You do NOT have to use
> 'visudo' ... but then it's on YOU to get it 100% right.
> Anything 'vi' I tend to REMOVE because I find line-editors
> SO offensive these days.

I love vim, but this is irrelevant here. :-)

> > I am currently learning RedHat OpenShift and the courses include a
> > question where the answer is that 2 containers run with UID 27 are
> > called privileged. (DO190 ch03s08 if you have access).
> >
> > I am aware that it is common that normal (real people) users start
> > with 1000 ongoing, server process users are below. Is there a
> > difference on the IDs or is that just tradition?
>
> It is "tradition" now to set the first 'regular' user
> to ID 1000, group 1000. Not all 'unix-like' systems
> may obey the same traditions, but Linux distros kinda
> all go that way.
>
> The SYSTEM doesn't really care about the ID numbers.

Aren't there some applications/scripts that check those IDs?
IIRC in Debian some bash environment/profile stuff checks the UID to
set environment variables different for root.

> Oh, Raspberry Pi's ... 'sudo' often requires NO
> password. NOT great.

IIRC this is related to the OS installed on it. I run them with Debian
and Debian asks the user PW when using sudo by default, but this can be
easily changed in sudoers.

Subject: Re: privileged user in RedHat
From: Lew Pitcher
Newsgroups: comp.os.linux.misc
Organization: A noiseless patient Spider
Date: Wed, 28 Aug 2024 13:22 UTC
References: 1

On Wed, 28 Aug 2024 08:21:01 +0200, Marco Moock wrote:

> Hello!
>
> Is there any definition for the word "privileged user" in the Linux
> (especially RedHat) environment?

That's a question with a complicated answer.

Linux has adopted the concept of "capabilities", which
a) subdivide privileges into categories, and
b) can be assigned (with limitations) to unprivileged UIDs

Processes run by the "root" user (UID 0), within the initial
"host" environment (i.e., not running in a container) have all
capabilities, until they drop one or more of those capabilities.
If/when a "privileged" process fork()s, the child process does
not receive full capabilities; instead, it inherits the retained
capability set of its parent process.

A common way to delegate UID 0 privileges is for the binary owned
by UID 0 to have the SETUID permission bit set. This permits the
binary, when run with the UID of an unprivileged user, to act as
UID 0, with all its permissions. Some general purpose utilities,
such as su(1) and sudo(8) work this way.

> I am currently learning RedHat OpenShift and the courses include a
> question where the answer is that 2 containers run with UID 27 are
> called privileged. (DO190 ch03s08 if you have access).

Containers have different restrictions. Containers initiated by
privileged processes retain the privileges of the process that started
them, and (subject to certain rules relating to the /type/ of container)
may even regain privileges /within the processes in the container/.

Containers initiated by unprivileged processes may gain new privileges,
again, /within the processes in the container/. However, there are
privileges that such processes cannot gain.

> I am aware that it is common that normal (real people) users start with
> 1000 ongoing, server process users are below. Is there a difference on
> the IDs or is that just tradition?

UID 0 is the only privileged UID. All the other UIDs start off "unprivileged".
The distinction between the UIDs below 1000 and those above is purely
artificial and administrative. There are other separations, other than
"privilege" that are applied by UID (and/or GID), and this numbering
convention permits the distribution to fit those distinctions in without
affecting the UID assignments that the sysadmin will also implement.

HTH
--
Lew Pitcher
"In Skills We Trust"
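
Added example, not part of the post above: the capability sets described there can be read from /proc/<pid>/status, which shows that privilege follows the effective capability set rather than the UID number. The four status snippets (including a UID 27 process) are constructed, and names such as assess() and can_gain_at_most are this example's own.

```python
#!/usr/bin/env python3
"""Added example: rate a process's privilege from /proc/<pid>/status fields."""
import sys

# Capability names indexed by bit number (linux/capability.h).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]
# All 41 capabilities listed above; an older kernel with fewer capabilities
# reports a smaller full set and would be rated "partial" here.
ALL_KNOWN = (1 << len(CAP_NAMES)) - 1


def decode_caps(mask):
    """Turn a capability bitmask into a list of names, lowest bit first."""
    names = []
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}")
        bit += 1
    return names


def parse_status(text):
    """Extract name, UIDs and capability sets from /proc/<pid>/status text."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    uids = [int(u) for u in fields["Uid"].split()]  # real, effective, saved, fs
    return {
        "name": fields.get("Name", "?"),
        "euid": uids[1],
        "effective": int(fields["CapEff"], 16),
        "bounding": int(fields["CapBnd"], 16),
        # Field is absent on older kernels; treat that as "not set".
        "no_new_privs": fields.get("NoNewPrivs", "0") == "1",
    }


def assess(text):
    """Rate a process by its effective capabilities, independent of its UID."""
    p = parse_status(text)
    eff = p["effective"]
    if eff & ALL_KNOWN == ALL_KNOWN:
        level = "full"
    elif eff:
        level = "partial"
    else:
        level = "none"
    # Upper bound on what an exec of a setuid-root or file-capability binary
    # could add: limited by the bounding set, and nothing if no_new_privs is set.
    ceiling = 0 if p["no_new_privs"] else p["bounding"] & ~eff
    return {"name": p["name"], "euid": p["euid"], "level": level,
            "effective": decode_caps(eff), "can_gain_at_most": decode_caps(ceiling)}


def _sample(name, uid, eff, bnd, nnp):
    """Build constructed /proc/<pid>/status text (not captured from a real host)."""
    return (f"Name:\t{name}\nUid:\t{uid}\t{uid}\t{uid}\t{uid}\n"
            f"CapInh:\t{0:016x}\nCapPrm:\t{eff:016x}\nCapEff:\t{eff:016x}\n"
            f"CapBnd:\t{bnd:016x}\nCapAmb:\t{0:016x}\nNoNewPrivs:\t{nnp}\n")


# Constructed samples: root on the host, root with a reduced set as container
# runtimes commonly hand out, a UID 27 service, and a non-root UID holding one capability.
SAMPLES = {
    "host_root": _sample("sshd", 0, ALL_KNOWN, ALL_KNOWN, 0),
    "container_root": _sample("nginx", 0, 0xA80425FB, 0xA80425FB, 0),
    "container_uid27": _sample("mysqld", 27, 0, 0xA80425FB, 1),
    "uid1000_one_cap": _sample("webapp", 1000, 0x400, ALL_KNOWN, 0),
}

if __name__ == "__main__":
    if len(sys.argv) > 1:  # live use: pass a PID as the first argument
        with open(f"/proc/{sys.argv[1]}/status") as fh:
            reports = [assess(fh.read())]
    else:
        reports = [assess(text) for text in SAMPLES.values()]
    for r in reports:
        print(f'{r["name"]:8} euid={r["euid"]:<5} level={r["level"]:8} '
              f'effective={len(r["effective"])} '
              f'can_gain_at_most={len(r["can_gain_at_most"])}')
```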

Subject: Re: privileged user in RedHat
From: Borax Man
Newsgroups: comp.os.linux.misc
Organization: A noiseless patient Spider
Date: Wed, 28 Aug 2024 13:24 UTC
References: 1 2 3

On 2024-08-28, Marco Moock <mm+usenet-es@dorfdsl.de> wrote:
> On Wed, 28 Aug 2024 03:53:18 -0400 "186282@ud0s4.net"
><186283@ud0s4.net> wrote:
>
>> On 8/28/24 2:21 AM, Marco Moock wrote:
>> > Hello!
>> >
>> > Is there any definition for the word "privileged user" in the Linux
>> > (especially RedHat) environment?
>>
>> User 'root' is the only, initially, "privileged user".
>
>
> Ok, but what does privileged then mean in the RHEL/ROCP environment?
>
> I know that stuff like sudo exists, but I'm mostly asking about the
> term.
>
>> (note that 'sudo' kinda breaks this security measure, so
>> research and set it CAREFULLY). You do NOT have to use
>> 'visudo' ... but then it's on YOU to get it 100% right.
>> Anything 'vi' I tend to REMOVE because I find line-editors
>> SO offensive these days.
>
> I love vim, but this is irrelevant here. :-)
>
>> > I am currently learning RedHat OpenShift and the courses include a
>> > question where the answer is that 2 containers run with UID 27 are
>> > called privileged. (DO190 ch03s08 if you have access).
>> >
>> > I am aware that it is common that normal (real people) users start
>> > with 1000 ongoing, server process users are below. Is there a
>> > difference on the IDs or is that just tradition?
>>
>> It is "tradition" now to set the first 'regular' user
>> to ID 1000, group 1000. Not all 'unix-like' systems
>> may obey the same traditions, but Linux distros kinda
>> all go that way.
>>
>> The SYSTEM doesn't really care about the ID numbers.
>
> Aren't there some applications/scripts that check those IDs?
> IIRC in Debian some bash environment/profile stuff checks the UID to
> set environment variables different for root.
>
>> Oh, Raspberry Pi's ... 'sudo' often requires NO
>> password. NOT great.
>
> IIRC this is related to the OS installed on it. I run them with Debian
> and Debian asks the user PW when using sudo by default, but this can be
> easily changed in sudoers.
>

There is nothing special about the different UID's, apart from the root user.

ID's start at 1000 so they don't overlap with ID's which may be used for
system processes and the like. When I started using Linux, they typically
started at 500.

What you are referring to is specifically a RedHat OpenShift thing,
presumably permissions and restrictions that the containerised
environment adds. In this case, this is RedHat specific, rather than
Linux per se. You'd need to research OpenShift specifically, because
from what you describe, this is OpenShift technology at work.

Subject: Re: privileged user in RedHat
From: David W. Hodgins
Newsgroups: comp.os.linux.misc
Organization: A noiseless patient Spider
Date: Wed, 28 Aug 2024 13:40 UTC
References: 1 2 3

On Wed, 28 Aug 2024 06:01:14 -0400, Marco Moock <mm+usenet-es@dorfdsl.de> wrote:
> On Wed, 28 Aug 2024 03:53:18 -0400 "186282@ud0s4.net"
> <186283@ud0s4.net> wrote:
>
>> On 8/28/24 2:21 AM, Marco Moock wrote:
>> > Hello!
>> >
>> > Is there any definition for the word "privileged user" in the Linux
>> > (especially RedHat) environment?
>>
>> User 'root' is the only, initially, "privileged user".
>
>
> Ok, but what does privileged then mean in the RHEL/ROCP environment?
>
> I know that stuff like sudo exists, but I'm mostly asking about the
> term.

There are "privileged users". Those with a uid in what is shown by
(as root) "grep SYS_UID /etc/login.defs".

The only benefit I'm aware of is the ability to increase the priority
for their own processes. See "man renice". There are probably other
benefits, but I don't recall any others off hand.

Regards, Dave Hodgins

Subject: Re: privileged user in RedHat
From: Joe Beanfish
Newsgroups: comp.os.linux.misc
Organization: A noiseless patient Spider
Date: Wed, 28 Aug 2024 15:23 UTC
References: 1 2 3 4 5 6

On Wed, 28 Aug 2024 12:01:14 +0200, Marco Moock wrote:

> On Wed, 28 Aug 2024 03:53:18 -0400 "186282@ud0s4.net"
> <186283@ud0s4.net> wrote:
>
>> On 8/28/24 2:21 AM, Marco Moock wrote:
>> > Hello!
>> >
>> > Is there any definition for the word "privileged user" in the Linux
>> > (especially RedHat) environment?
>> >
>> > I am currently learning RedHat OpenShift and the courses include a
>> > question where the answer is that 2 containers run with UID 27 are
>> > called privileged. (DO190 ch03s08 if you have access).
>> >
>> > I am aware that it is common that normal (real people) users start with
>> > 1000 ongoing, server process users are below. Is there a difference on
>> > the IDs or is that just tradition?
>>
>> User 'root' is the only, initially, "privileged user".
>
>
> Ok, but what does privileged then mean in the RHEL/ROCP environment?

Strictly speaking "privileged user" just means a user with sufficient
permissions to perform the task. That user is often root since root
can do anything. But it could be a regular user that has been placed into
the appropriate group (/etc/group) or configured via SELinux etc.

At the kernel level, there are no special UIDs except 0 for root.

For openshift, idk, but these might be helpful
https://www.redhat.com/en/blog/a-guide-to-openshift-and-uids
https://learn.redhat.com/t5/Containers-DevOps-OpenShift/Container-image-on-the-exam/td-p/35223

Subject: Re: privileged user in RedHat
From: Marco Moock
Newsgroups: comp.os.linux.misc
Organization: A noiseless patient Spider
Date: Wed, 28 Aug 2024 15:43 UTC
References: 1 2 3 4

On 28.08.2024 um 09:40 Uhr David W. Hodgins wrote:

> There are "privileged users". Those with a uid in what is shown by
> (as root) "grep SYS_UID /etc/login.defs".
>
> The only benefit I'm aware of is the ability to increase the priority
> for their own processes. See "man renice". There are probably other
> benefits, but I don't recall any others off hand.

Thanks. I will check that.

--
kind regards
Marco

Send spam to 1724830817muell@cartoonies.org

Subject: Re: privileged user in RedHat
From: Marc Haber
Newsgroups: comp.os.linux.misc
Organization: private site, see http://www.zugschlus.de/ for details
Date: Wed, 28 Aug 2024 18:16 UTC
References: 1 2 3 4

Borax Man <rotflol2@hotmail.com> wrote:
>ID's start at 1000 so they don't overlap with ID's which may be used for
>system processes and the like. When I started using Linux, they typically
>started at 500.

That is local configuration with defaults set by the distribution. See
/etc/login.defs.

Greetings
Marc
--
----------------------------------------------------------------------------
Marc Haber | " Questions are the | Mailadresse im Header
Rhein-Neckar, DE | Beginning of Wisdom " |
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 6224 1600402
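
Added example, not part of the posts above: the /etc/login.defs keys that David W. Hodgins and Marc Haber point to, parsed and applied to passwd entries. The login.defs and passwd text are constructed samples, the class labels and the flag name are this example's own, and the fallback values are the defaults documented in login.defs(5).

```python
#!/usr/bin/env python3
"""Added example: label passwd entries by the UID ranges set in login.defs."""

# Defaults from login.defs(5), used when a key is not set in the file.
# SYS_UID_MAX defaults to UID_MIN - 1 and is derived in parse_login_defs().
DEFAULTS = {"UID_MIN": 1000, "UID_MAX": 60000, "SYS_UID_MIN": 101, "SYS_UID_MAX": 999}


def parse_login_defs(text):
    """Return the four UID range keys from login.defs text."""
    cfg = dict(DEFAULTS)
    seen = set()
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(parts) >= 2 and parts[0] in DEFAULTS and parts[1].isdigit():
            cfg[parts[0]] = int(parts[1])
            seen.add(parts[0])
    if "SYS_UID_MAX" not in seen:
        cfg["SYS_UID_MAX"] = cfg["UID_MIN"] - 1
    return cfg


def classify(uid, cfg):
    """Map a UID to an administrative range.

    These ranges steer which IDs useradd hands out; the kernel does not
    consult them. Only UID 0 is treated specially by the kernel.
    """
    if uid == 0:
        return "root"
    if uid < cfg["SYS_UID_MIN"]:
        return "reserved"   # below the range useradd allocates system IDs from
    if uid <= cfg["SYS_UID_MAX"]:
        return "system"     # allocated by 'useradd -r'
    if cfg["UID_MIN"] <= uid <= cfg["UID_MAX"]:
        return "regular"
    return "outside"        # e.g. the overflow user 'nobody'


def audit_passwd(text, cfg):
    """Classify each passwd entry and flag extra accounts that share UID 0."""
    rows = []
    for line in text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) != 7 or not fields[2].isdigit():
            continue  # skip blanks, comments and malformed lines
        name, uid = fields[0], int(fields[2])
        flags = []
        if uid == 0 and name != "root":
            # A second name for UID 0 is a full superuser account.
            flags.append("extra-uid0-account")
        rows.append({"name": name, "uid": uid,
                     "class": classify(uid, cfg), "flags": flags})
    return rows


# Constructed sample in the style of a RHEL /etc/login.defs.
SAMPLE_LOGIN_DEFS = """
# Min/max values for automatic uid selection in useradd
UID_MIN                  1000
UID_MAX                 60000
# System accounts
SYS_UID_MIN               201
SYS_UID_MAX               999
"""

# Constructed passwd entries; 'toor' is a deliberately planted second UID 0 account.
SAMPLE_PASSWD = """
root:x:0:0:root:/root:/bin/bash
mysql:x:27:27:MySQL Server:/var/lib/mysql:/sbin/nologin
chrony:x:992:989::/var/lib/chrony:/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
toor:x:0:0::/root:/bin/bash
"""

if __name__ == "__main__":
    cfg = parse_login_defs(SAMPLE_LOGIN_DEFS)
    print(cfg)
    for row in audit_passwd(SAMPLE_PASSWD, cfg):
        print(f'{row["name"]:8} uid={row["uid"]:<6} {row["class"]:9} {row["flags"]}')
```

To check a real host, pass the contents of /etc/login.defs and /etc/passwd to the same two functions.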

Subject: Re: privileged user in RedHat
From: Bobbie Sellers
Newsgroups: comp.os.linux.misc
Organization: none at all
Date: Wed, 28 Aug 2024 18:33 UTC
References: 1 2 3

On 8/28/24 03:01, Marco Moock wrote:
> On Wed, 28 Aug 2024 03:53:18 -0400 "186282@ud0s4.net"
> <186283@ud0s4.net> wrote:
>
>> On 8/28/24 2:21 AM, Marco Moock wrote:
>>> Hello!
>>>
>>> Is there any definition for the word "privileged user" in the Linux
>>> (especially RedHat) environment?
>>
>> User 'root' is the only, initially, "privileged user".

But root can assign other users certain privileges.
For example I am root on my system but I have assigned myself
certain administrative privileges so that for example I
can do updates with my user password.
In multiple-user systems a user may be allowed the use
of certain tools to maintain their own accounts.

>
>
> Ok, but what does privileged then mean in the RHEL/ROCP environment?
>
> I know that stuff like sudo exists, but I'm mostly asking about the
> term.
>
>> (note that 'sudo' kinda breaks this security measure, so
>> research and set it CAREFULLY). You do NOT have to use
>> 'visudo' ... but then it's on YOU to get it 100% right.
>> Anything 'vi' I tend to REMOVE because I find line-editors
>> SO offensive these days.
>
> I love vim, but this is irrelevant here. :-)
>
>>> I am currently learning RedHat OpenShift and the courses include a
>>> question where the answer is that 2 containers run with UID 27 are
>>> called privileged. (DO190 ch03s08 if you have access).
>>>
>>> I am aware that it is common that normal (real people) users start
>>> with 1000 ongoing, server process users are below. Is there a
>>> difference on the IDs or is that just tradition?
>>
>> It is "tradition" now to set the first 'regular' user
>> to ID 1000, group 1000. Not all 'unix-like' systems
>> may obey the same traditions, but Linux distros kinda
>> all go that way.
>>
>> The SYSTEM doesn't really care about the ID numbers.
>
> Aren't there some applications/scripts that check those IDs?
> IIRC in Debian some bash environment/profile stuff checks the UID to
> set environment variables different for root.
>
>> Oh, Raspberry Pi's ... 'sudo' often requires NO
>> password. NOT great.
>
> IIRC this is related to the OS installed on it. I run them with Debian
> and Debian asks the user PW when using sudo by default, but this can be
> easily changed in sudoers.
>
bliss

--
b l i s s - S F 4 e v e r at D S L E x t r e m e dot com

Subject: Re: privileged user in RedHat
From: 186282@ud0s4.net
Newsgroups: comp.os.linux.misc
Organization: wokiesux
Date: Thu, 29 Aug 2024 04:57 UTC
References: 1 2 3 4

On 8/28/24 2:33 PM, Bobbie Sellers wrote:
> On 8/28/24 03:01, Marco Moock wrote:
>> On Wed, 28 Aug 2024 03:53:18 -0400 "186282@ud0s4.net"
>> <186283@ud0s4.net> wrote:
>>
>>> On 8/28/24 2:21 AM, Marco Moock wrote:
>>>> Hello!
>>>>
>>>> Is there any definition for the word "privileged user" in the Linux
>>>> (especially RedHat) environment?
>>>
>>>     User 'root' is the only, initially, "privileged user".
>
>     But root can assign other users certain privileges.

Ergo my word 'initially'.

Yes, you CAN assign a vast number of 'elevated' privs
for any user. My concern for newbies is that they may
go too far that way - compromising security.

You CAN make Linux as horribly insecure as Winders.

Subject: Re: privileged user in RedHat
From: Woozy Song
Newsgroups: comp.os.linux.misc
Organization: A noiseless patient Spider
Date: Thu, 29 Aug 2024 10:51 UTC

Marco Moock wrote:
> Hello!
>
> Is there any definition for the word "privileged user" in the Linux
> (especially RedHat) environment?
>
> I am currently learning RedHat OpenShift and the courses include a
> question where the answer is that 2 containers run with UID 27 are
> called privileged. (DO190 ch03s08 if you have access).
>
> I am aware that it is common that normal (real people) users start with
> 1000 ongoing, server process users are below. Is there a difference on
> the IDs or is that just tradition?
>

Would users in the "wheel" group be privileged? They can do anything
with sudo.

Subject: Re: privileged user in RedHat
From: Borax Man
Newsgroups: comp.os.linux.misc
Organization: A noiseless patient Spider
Date: Thu, 29 Aug 2024 10:59 UTC

On 2024-08-28, Marc Haber <mh+usenetspam1118@zugschl.us> wrote:
> Borax Man <rotflol2@hotmail.com> wrote:
>>ID's start at 1000 so they don't overlap with ID's which may be used for
>>system processes and the like. When I started using Linux, they typically
>>started at 500.
>
> That is local configuration with defaults set by the distribution. See
> /etc/login.defs.
>
> Greetings
> Marc

Yes, you can change it. Distros defaulted to 500, now it's typically
1000. I have my UID set at 500, because I've wanted to maintain the
same UID since I first started using Linux.

I'll change it one day, but all my backups will have to change too.

Subject: Re: privileged user in RedHat
From: The Natural Philosopher
Newsgroups: comp.os.linux.misc
Organization: A little, after lunch
Date: Thu, 29 Aug 2024 12:06 UTC

On 29/08/2024 11:59, Borax Man wrote:
> On 2024-08-28, Marc Haber <mh+usenetspam1118@zugschl.us> wrote:
>> Borax Man <rotflol2@hotmail.com> wrote:
>>> ID's start at 1000 so they don't overlap with ID's which may be used for
>>> system processes and the like. When I started using Linux, they typically
>>> started at 500.
>>
>> That is local configuration with defaults set by the distribution. See
>> /etc/login.defs.
>>
>> Greetings
>> Marc
>
> Yes, you can change it. Distros defaulted to 500, now it's typically
> 1000. I have my UID set at 500, because I've wanted to maintain the
> same UID since I first started using Linux.
>
> I'll change it one day, but all my backups will have to change too.

Wow. It was always 1000 on most systems I ever came in contact with.

--
In today's liberal progressive conflict-free education system, everyone
gets full Marx.

Subject: Re: privileged user in RedHat
From: Rich
Newsgroups: comp.os.linux.misc
Organization: A noiseless patient Spider
Date: Thu, 29 Aug 2024 14:00 UTC

Woozy Song <suzyw0ng@outlook.com> wrote:
> Marco Moock wrote:
>> Hello!
>>
>> Is there any definition for the word "privileged user" in the Linux
>> (especially RedHat) environment?
>>
>> I am currently learning RedHat OpenShift and the courses include a
>> question where the answer is that 2 containers run with UID 27 are
>> called privileged. (DO190 ch03s08 if you have access).
>>
>> I am aware that it is common that normal (real people) users start
>> with 1000 ongoing, server process users are below. Is there a
>> difference on the IDs or is that just tradition?
>>
>
> Would users in the "wheel" group be privileged? They can do anything
> with sudo.

For some definitions of "privileged" that would be a yes.

But as some other poster pointed out, Marco seems to be dealing with
OpenShift internals, so he likely needs to find OpenShift's definition
(wherever that might be).

Subject: Re: privileged user in RedHat
From: David De La Harpe Golden
Newsgroups: comp.os.linux.misc
Organization: A noiseless patient Spider
Date: Thu, 29 Aug 2024 15:19 UTC

On 29/08/2024 13:06, The Natural Philosopher wrote:
> Wow. It was always 1000 on most systems I ever came in contact with.

FWIW, didn't actually go to 1000 by default until RHEL7 in 2014 for
Redhat/Redhat-oids...

https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/7/html/migration_planning_guide/chap-red_hat_enterprise_linux-migration_planning_guide-major_changes_and_migration_considerations#sect-Red_Hat_Enterprise_Linux-Migration_Planning_Guide-System_Management-Changes-to-system-accounts

> This change might cause problems when migrating to Red Hat Enterprise
> Linux 7 with existing users having UIDs and GIDs between 500 and 999.
> The default ranges of UID and GID can be manually changed in the
> /etc/login.defs file.

I'm sure Debian/Debian-oids used 1000 far earlier. debian-policy 3.8.0
from 2008 is just the earliest I can find in its present-day git, and it
was already 1000 then.

https://salsa.debian.org/dbnpolicy/policy/-/blob/v3.8.0.0/policy.sgml#L5722

Subject: Re: privileged user in RedHat
From: Grant Taylor
Newsgroups: comp.os.linux.misc
Organization: TNet Consulting
Date: Fri, 30 Aug 2024 02:17 UTC

On 8/28/24 01:21, Marco Moock wrote:
> Hello!

Hi,

> Is there any definition for the word "privileged user" in the Linux
> (especially RedHat) environment?

IMHO "privileged" vs "unprivileged" is really a relative thing in that
the privileged user has more privileges than an unprivileged user.

Simply saying a user account is "privileged" doesn't convey what those
privileges are.

Often, those privileges are the ability to gain root access via some
means like su, sudo, doas, run0, capabilities, etc. How many of those
privileges are granted becomes difficult to say.

There is also the possibility for something like a DBA to log in with their
unprivileged individual account and gain the privileges of the user that
the database runs as. Similarly, it's possible for a backup & recovery
administrator to log in with their unprivileged individual account and
gain the privileges of the user the backup daemon runs as which isn't
always root.

> I am currently learning RedHat OpenShift and the courses include a
> question where the answer is that 2 containers run with UID 27 are
> called privileged. (DO190 ch03s08 if you have access).

Some systems have configurations where a UID or GID below a specific
value is considered privileged for some thing. But that's a subsystem /
daemon configuration.

> I am aware that it is common that normal (real people) users start with
> 1000 ongoing, server process users are below. Is there a difference
> on the IDs or is that just tradition?

I've seen 100, 250, 500, and 1000. The exact number is a convention and
more or less common depending on the time and the family of the distro
in question.

--
Grant. . . .
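
The distinctions drawn in this thread (UID 0, the UID_MIN boundary from /etc/login.defs, and membership of an administrative group such as wheel) can be checked mechanically. The following is an added example, not part of any poster's message; the account names and file contents are constructed, and the fallback values for UID_MIN and UID_MAX are assumptions used only when a key is absent.

```python
"""Classify local accounts by the criteria raised in the thread (added example)."""

# Constructed sample data. On a real host, read /etc/login.defs, /etc/passwd
# and /etc/group instead. Account names below are invented for illustration.
LOGIN_DEFS = """\
# constructed sample
UID_MIN    1000
UID_MAX   60000
"""

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second uid 0 entry:/root:/bin/sh
dbsvc:x:27:27:service account:/var/lib/dbsvc:/sbin/nologin
legacy:x:500:500:account created when UID_MIN was 500:/home/legacy:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
carol:x:1002:10::/home/carol:/bin/bash
"""

GROUP = """\
root:x:0:
wheel:x:10:alice
dbsvc:x:27:
"""


def parse_login_defs(text):
    """Return the numeric UID range settings found in login.defs text."""
    limits = {"UID_MIN": 1000, "UID_MAX": 60000}  # assumed fallback values
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 2 and fields[0] in limits and fields[1].isdigit():
            limits[fields[0]] = int(fields[1])
    return limits


def admin_members(group_text, admin_groups):
    """Map each admin group found to (gid, set of supplementary members)."""
    found = {}
    for line in group_text.splitlines():
        parts = line.split(":")
        if len(parts) == 4 and parts[0] in admin_groups and parts[2].isdigit():
            members = {m for m in parts[3].split(",") if m}
            found[parts[0]] = (int(parts[2]), members)
    return found


def classify(passwd_text, group_text, login_defs_text,
             admin_groups=("wheel", "sudo")):
    """Return {account: set of labels}.

    Labels: 'uid0', 'system-range' (0 < uid < UID_MIN), 'regular',
    'out-of-range', and 'admin-group:<name>'. Group membership only
    translates into privilege if sudoers or PAM grants that group
    something, so treat the last label as a pointer for further review.
    """
    limits = parse_login_defs(login_defs_text)
    admins = admin_members(group_text, admin_groups)
    report = {}
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) != 7 or not (parts[2].isdigit() and parts[3].isdigit()):
            continue  # skip comments and malformed entries
        name, uid, gid = parts[0], int(parts[2]), int(parts[3])
        labels = set()
        if uid == 0:
            labels.add("uid0")  # every uid 0 entry is root, whatever its name
        elif uid < limits["UID_MIN"]:
            labels.add("system-range")
        elif uid <= limits["UID_MAX"]:
            labels.add("regular")
        else:
            labels.add("out-of-range")
        for gname, (ggid, members) in admins.items():
            # The member list omits users whose *primary* group is gname,
            # so the passwd gid field has to be checked as well.
            if name in members or gid == ggid:
                labels.add("admin-group:" + gname)
        report[name] = labels
    return report


if __name__ == "__main__":
    for account, labels in classify(PASSWD, GROUP, LOGIN_DEFS).items():
        print(f"{account:8} {', '.join(sorted(labels))}")
```

The same account lands in a different class when UID_MIN changes, which is the migration issue with UIDs between 500 and 999 mentioned elsewhere in the thread.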

Subject: Re: privileged user in RedHat
From: Grant Taylor
Newsgroups: comp.os.linux.misc
Organization: TNet Consulting
Date: Fri, 30 Aug 2024 02:28 UTC

On 8/28/24 02:53, 186282@ud0s4.net wrote:
> Root has access to EVERYTHING

I question the veracity of that.

Especially when you consider different name spaces; mount, network, etc.

Root should always have the ability to gain access to something. But I
can think of various scenarios where root doesn't inherently have access
to things.

A simple example is an immutable file which root can't remove without
disabling the immutability first.

> (note that 'sudo' kinda breaks this security measure, so research and
> set it CAREFULLY). You do NOT have to use 'visudo' ... but then it's
> on YOU to get it 100% right.

> Anything 'vi' I tend to REMOVE because I find line-editors SO offensive
> these days.

So set EDITOR and / or VISUAL and / or FCEDIT to your preferred editor.
visudo will happily use them. Or live dangerously.

> The SYSTEM doesn't really care about the ID numbers.

There are some things that check to see if a UID and / or GID is below a
threshold for various reasons.

> While there are terminal-line utilities, you can also edit /etc/groups
> and /etc/passwd using something like 'nano' and add/remove users from
> the privileges of the root user. DO be CAREFUL ! Get it right. Plenty
> of docs on the net.

Don't forget to edit the shadow counterparts; /etc/gshadow and
/etc/shadow respectively. Lest some tools get cranky when files and
their shadows don't match.

ProTip: Use tools, like visudo -- configured to use your preferred
editor -- as they often sanity check file syntax and / or synchronize
other files and generally try to help you.

I've learned that the more you're fighting the system, the more likely
that you're doing something wrong or shouldn't be doing for some reason.

> As for 'sudo' ... there ARE ways to force it to require the ROOT
> password instead of the regular USER password. This is much more
> secure.

How is having multiple users knowing a shared password more secure than
each user only knowing their own password?

> Oh, Raspberry Pi's ... 'sudo' often requires NO password. NOT great.

Agreed. But that's a distribution configuration, not a software
requirement.

Upstream sudo will ask for the running user's password. The intention
is for the running user to authenticate themselves to sudo and then sudo
allows or disallows them to do what they've asked to do based on the
configuration of the sudoers file.

--
Grant. . . .

Subject: Re: privileged user in RedHat
From: Lawrence D'Oliveiro
Newsgroups: comp.os.linux.misc
Organization: A noiseless patient Spider
Date: Fri, 30 Aug 2024 03:05 UTC

On Wed, 28 Aug 2024 08:21:01 +0200, Marco Moock wrote:

> I am currently learning RedHat OpenShift and the courses include a
> question where the answer is that 2 containers run with UID 27 are
> called privileged. (DO190 ch03s08 if you have access).

What they might mean is that the containers have to be managed by a
privileged user. Because some container technologies allow nonprivileged
users to create and manage their own containers.

Subject: Re: privileged user in RedHat
From: The Natural Philosopher
Newsgroups: comp.os.linux.misc
Organization: A little, after lunch
Date: Fri, 30 Aug 2024 11:08 UTC

On 30/08/2024 03:17, Grant Taylor wrote:
> IMHO "privileged" vs "unprivileged" is really a relative thing in that
> the privileged user has more privileges than an unprivileged user.

STOP ROOT PRIVILEGE NOW!

--
In theory, there is no difference between theory and practice.
In practice, there is.
-- Yogi Berra

Subject: Re: privileged user in RedHat
From: Marco Moock
Newsgroups: comp.os.linux.misc
Organization: A noiseless patient Spider
Date: Fri, 30 Aug 2024 20:07 UTC

On 30.08.2024 um 03:05 Uhr Lawrence D'Oliveiro wrote:

> On Wed, 28 Aug 2024 08:21:01 +0200, Marco Moock wrote:
>
> > I am currently learning RedHat OpenShift and the courses include a
> > question where the answer is that 2 containers run with UID 27 are
> > called privileged. (DO190 ch03s08 if you have access).
>
> What they might mean is that the containers have to be managed by a
> privileged user. Because some container technologies allow
> nonprivileged users to create and manage their own containers.

If I understood it properly the true answers were containers where the
UID was 2x. Other processes ran under 1001 and those answers weren't
correct.

--
kind regards
Marco

Send spam to 1724979908muell@cartoonies.org

Subject: Re: privileged user in RedHat
From: Borax Man
Newsgroups: comp.os.linux.misc
Organization: A noiseless patient Spider
Date: Sat, 31 Aug 2024 02:26 UTC

On 2024-08-29, David De La Harpe Golden <david@harpegolden.net> wrote:
> On 29/08/2024 13:06, The Natural Philosopher wrote:
>> Wow. It was always 1000 on most systems I ever came in contact with.
>
>
> FWIW, didn't actually go to 1000 by default until RHEL7 in 2014 for
> Redhat/Redhat-oids...
>
> https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/7/html/migration_planning_guide/chap-red_hat_enterprise_linux-migration_planning_guide-major_changes_and_migration_considerations#sect-Red_Hat_Enterprise_Linux-Migration_Planning_Guide-System_Management-Changes-to-system-accounts
>
>
> > This change might cause problems when migrating to Red Hat Enterprise
> > Linux 7 with existing users having UIDs and GIDs between 500 and 999.
> > The default ranges of UID and GID can be manually changed in the
> > /etc/login.defs file.
>
>
> I'm sure Debian/Debian-oids used 1000 far earlier. debian-policy 3.8.0
> from 2008 is just the earliest I can find in its present-day git, and it
> was already 1000 then.
>
> https://salsa.debian.org/dbnpolicy/policy/-/blob/v3.8.0.0/policy.sgml#L5722

I first used Linux in 2000. I'm sure I didn't change any default, so
RedHat back then was configured to start at 500. That changed to 1000
sometime after, but because all my files, backups, external drives were
already tagged "uid 500" I just kept that uid for newer installs, rather
than change all my files on all my machines.

One day, I'll change the UID. Changing the ownership of files to match
the new UID isn't too hard. There's just a lot of drives and archives
that will be affected.

Subject: Re: privileged user in RedHat
From: Lawrence D'Oliveiro
Newsgroups: comp.os.linux.misc
Organization: A noiseless patient Spider
Date: Sun, 1 Sep 2024 07:29 UTC

On Thu, 29 Aug 2024 21:17:50 -0500, Grant Taylor wrote:

> On 8/28/24 01:21, Marco Moock wrote:
>>
>> I am aware that it is common that normal (real people) users start with
>> 1000 ongoing, server process users are below. Is there a difference on
>> the IDs or is that just tradition?
>
> I've seen 100, 250, 500, and 1000. The exact number is a convention and
> more or less common depending on the time and the family of the distro
> in question.

I can remember 10-20 years ago it was 500, these days it is typically
1000. That’s just a reflection of the greater variety of packages that
implement services that should be fenced off behind their own user ID,
that users might want to install. I think it’s configurable.

Subject: Re: privileged user in RedHat
From: Lawrence D'Oliveiro
Newsgroups: comp.os.linux.misc
Organization: A noiseless patient Spider
Date: Sun, 1 Sep 2024 07:30 UTC

On Wed, 28 Aug 2024 13:22:50 -0000 (UTC), Lew Pitcher wrote:

> UID 0 is the only privileged UID. All the other UIDs start off
> "unprivileged".

Note that Linux also has its “capability” mechanism, to allow you to
selectively assign particular privileges to particular executables and
processes, instead of the traditional *nix all-or-nothing approach.
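
The capability mechanism mentioned in this post is visible per process in /proc/<pid>/status as hexadecimal bitmasks. The following added example (not part of the original post) decodes them; the four status excerpts are constructed, and "all known capabilities" is judged against the name table in the code, which is an assumption about the running kernel.

```python
"""Decode the capability sets shown in /proc/<pid>/status (added example)."""

# Capability names by bit number, in the order used by capabilities(7).
CAP_NAMES = ("CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID "
             "SETUID SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST "
             "NET_ADMIN NET_RAW IPC_LOCK IPC_OWNER SYS_MODULE SYS_RAWIO "
             "SYS_CHROOT SYS_PTRACE SYS_PACCT SYS_ADMIN SYS_BOOT SYS_NICE "
             "SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD LEASE AUDIT_WRITE "
             "AUDIT_CONTROL SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG WAKE_ALARM "
             "BLOCK_SUSPEND AUDIT_READ PERFMON BPF CHECKPOINT_RESTORE").split()
CAP_NAMES = ["CAP_" + n for n in CAP_NAMES]
ALL_KNOWN = (1 << len(CAP_NAMES)) - 1

# Constructed excerpts of /proc/<pid>/status (Uid: real, effective, saved, fs).
HOST_ROOT = "Uid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\nCapBnd:\t000001ffffffffff\n"
CONTAINER_ROOT = "Uid:\t0\t0\t0\t0\nCapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\n"
SERVICE_27 = "Uid:\t27\t27\t27\t27\nCapEff:\t0000000000000400\nCapBnd:\t000001ffffffffff\n"
USER_1001 = "Uid:\t1001\t1001\t1001\t1001\nCapEff:\t0000000000000000\nCapBnd:\t000001ffffffffff\n"


def decode_caps(mask):
    """Turn a capability bitmask into a list of names, lowest bit first."""
    names = [n for bit, n in enumerate(CAP_NAMES) if (mask >> bit) & 1]
    bit, rest = len(CAP_NAMES), mask >> len(CAP_NAMES)
    while rest:  # bits newer than this table: report them rather than drop them
        if rest & 1:
            names.append("bit_%d" % bit)
        bit, rest = bit + 1, rest >> 1
    return names


def parse_status(text):
    """Extract the effective UID and the CapEff/CapBnd masks."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.split()
    return {
        "euid": int(fields["Uid"][1]),
        "effective": int(fields["CapEff"][0], 16),
        "bounding": int(fields["CapBnd"][0], 16),
    }


def summarize(text):
    """Describe how much privilege the process actually holds."""
    st = parse_status(text)
    effective = decode_caps(st["effective"])
    if st["euid"] == 0:
        full = st["effective"] & ALL_KNOWN == ALL_KNOWN
        verdict = ("uid 0, all known capabilities" if full
                   else "uid 0, reduced capability set")
    elif effective:
        verdict = "non-root with capabilities"
    else:
        verdict = "unprivileged"
    return {
        "euid": st["euid"],
        "verdict": verdict,
        "effective": effective,
        # Setting or clearing the immutable inode flag needs this capability,
        # so a uid 0 process without it cannot lift immutability at all.
        "can_change_immutable_flag": "CAP_LINUX_IMMUTABLE" in effective,
    }


if __name__ == "__main__":
    samples = [("host root", HOST_ROOT), ("container root", CONTAINER_ROOT),
               ("uid 27 service", SERVICE_27), ("uid 1001 user", USER_1001)]
    for label, sample in samples:
        info = summarize(sample)
        print(f"{label:16} {info['verdict']:32} {len(info['effective'])} caps, "
              f"immutable flag: {info['can_change_immutable_flag']}")
```

On a live system, feed `summarize()` the contents of `/proc/self/status` or another process's status file.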

Subject: Re: privileged user in RedHat
From: Lawrence D'Oliv
Newsgroups: comp.os.linux.misc
Organization: A noiseless patient Spider
Date: Sun, 1 Sep 2024 07:32 UTC

On Thu, 29 Aug 2024 21:28:12 -0500, Grant Taylor wrote:

> A simple example is an immutable file which root can't remove without
> disabling the immutability first.

So it takes the root user two steps to modify/delete that file, instead of
one.

A better example would be RBAC setups, where “root” becomes “just another
user”.
