I checked out the /etc/passwd file and I'm surprised to see that there are 35 different accounts, even though I'm the only user on this computer. I see that the accounts have names like mail, news, www-data, irc, pulse, etc. Why do those each have their own accounts and how are they used?
Linux – Why Each Program Has Its Own Account in /etc/passwd
accounts, daemon, users
Related Solutions
You can use a configuration management system to do this. Personally, I use Puppet for this. I have a single /etc/passwd and /etc/shadow file and I have Puppet sync it across all my systems. There is an interesting learning curve with them, but there are definitely tutorials for doing exactly what you want on their website.
I would, however, definitely recommend using LDAP and Kerberos. I know the learning curve is steep, but the security is really good. I know kerbs can be a burden sometimes, but LDAP would probably be acceptable. I have been meaning to set one up.
Per-user groups
I too don't see a lot of utility in per-user groups. The main use case is if a user wanted to allow "friends" access to their files, they can have the friend user added to their group. Few systems I've encountered actually use it this way.
When USERGROUPS_ENAB in /etc/login.defs is set to "no", useradd adds all the created users to the group defined in /etc/default/useradd by the GROUP field. On most distributions, this is set to the GID 100, which usually corresponds to the users group.
This does allow you to have a more generic management of users. Then, if you need finer control, you can manually add these groups and add users to them where that makes sense.
Default created groups
Most of them came about for historic reasons, but many still have valid uses today:
- disk is the group that owns most disk drive devices
- lp owns parallel port (and sometimes is configured for admin rights on cups)
- uucp often owns serial ports (including USB serial ports)
- cdrom is required for mounting privileges on a cd drive
- Some systems use wheel for sudo rights; some not
- etc.
Other groups are used by background scripts. For example, man generates temp files and such when it's run; its process uses the man group for some of those files and generally cleans up after itself.
According to the Linux Standard Base Core Specification though, only 3 users, root, bin and daemon, are absolutely mandatory. The rationale behind the other groups is:
The purpose of specifying optional users and groups is to reduce the potential for name conflicts between applications and distributions.
So it looks like it is better to keep these groups in place. It's theoretically possible to remove them without breakage, although for some, "mysterious" things may start to not work right (e.g., some man pages not rendering if you kill that group, etc.). It doesn't do any harm to leave them there, and it's generally assumed that all Linux systems will have them.
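The answer above points at two things worth checking on a real system: whether users got a private primary group (USERGROUPS_ENAB) or share GID 100, and which accounts sit in the privileged default groups such as disk or wheel (disk membership gives raw access to block devices, which is effectively root). The script below is an added example, not code from the answer or from any distribution; it runs over constructed /etc/passwd and /etc/group excerpts embedded inline so it works offline, and resolves membership through both the supplementary-member list in /etc/group and the primary GID in /etc/passwd, which is the step people usually forget when auditing groups.

```shell
#!/bin/sh
# Added example: audit group membership against constructed passwd/group data.
# Replace the two SAMPLE_* variables with `cat /etc/passwd` / `cat /etc/group`
# to run it against a real system (read-only; it changes nothing).

# Constructed /etc/passwd excerpt (not from a real host).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:100:Bob:/home/bob:/bin/bash'

# Constructed /etc/group excerpt. bob has no private group (primary GID 100 = users),
# alice is in the privileged disk and wheel groups as a supplementary member.
SAMPLE_GROUP='root:x:0:
adm:x:4:bob
disk:x:6:alice
lp:x:7:
wheel:x:10:alice
users:x:100:
www-data:x:33:
alice:x:1000:'

# has_private_group USER -> prints yes if USER's primary group is named after the user
# (the USERGROUPS_ENAB=yes layout), otherwise no.
has_private_group() {
  gid=$(printf '%s\n' "$SAMPLE_PASSWD" | awk -F: -v u="$1" '$1==u{print $4}')
  gname=$(printf '%s\n' "$SAMPLE_GROUP" | awk -F: -v g="$gid" '$3==g{print $1}')
  if [ -n "$gid" ] && [ "$gname" = "$1" ]; then echo yes; else echo no; fi
}

# members_of GROUP -> space-separated, sorted, de-duplicated list of every user whose
# primary GID (passwd) or supplementary membership (group) puts them in GROUP.
members_of() {
  gid=$(printf '%s\n' "$SAMPLE_GROUP" | awk -F: -v g="$1" '$1==g{print $3}')
  [ -n "$gid" ] || return 0
  supp=$(printf '%s\n' "$SAMPLE_GROUP" | awk -F: -v g="$1" '$1==g{print $4}' | tr ',' '\n')
  prim=$(printf '%s\n' "$SAMPLE_PASSWD" | awk -F: -v gid="$gid" '$4==gid{print $1}')
  printf '%s\n%s\n' "$supp" "$prim" | sed '/^$/d' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Report: which humans lack a private group, and who sits in the groups that
# matter for privilege (disk = raw block devices, wheel/sudo = admin rights, adm = logs).
report() {
  for u in alice bob; do
    printf '%-8s private group: %s\n' "$u" "$(has_private_group "$u")"
  done
  for g in disk wheel adm users lp; do
    printf '%-8s members: %s\n' "$g" "$(members_of "$g")"
  done
}

report
```

The functions return values through stdout so the report can be diffed between runs; a new name appearing in the disk or wheel line is the kind of change worth a ticket.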
Best Answer
This is done for two reasons: security and auditing. From a security perspective each service is put into its own "silo" so that it can be given access to only the resources it needs on the system. These resources can be disk space, access to files, or allocations of RAM or CPU.
Additionally each service can be walled off from every other service so that only interactions that make sense are allowed.
From an auditing perspective this allows the administrator of the system to easily identify which processes are performing what activities on the system.
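Both points in this answer are easy to check from /etc/passwd alone: the silo only holds if the service account cannot be logged into, and the audit value only exists if a numeric UID seen in a log or in `ps` can be mapped back to a name. The script below is an added example, not code from the answer; it runs over a constructed /etc/passwd excerpt and a constructed /etc/login.defs excerpt embedded inline (the UID_MIN boundary between system and human accounts is the real login.defs key, the sample values are made up), and flags service accounts that still have an interactive shell.

```shell
#!/bin/sh
# Added example: classify accounts from constructed passwd/login.defs data and
# flag service accounts whose shell would allow a login. Read-only.

# Constructed /etc/login.defs excerpt. UID_MIN is the first UID useradd gives to a
# normal (human) user; anything below it is a system account.
SAMPLE_LOGIN_DEFS='# constructed excerpt
UID_MIN  1000
UID_MAX 60000
USERGROUPS_ENAB yes'

# Constructed /etc/passwd excerpt. irc deliberately has /bin/bash to show the finding.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/bin/bash
pulse:x:115:122:PulseAudio daemon:/run/pulse:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash'

uid_min() { printf '%s\n' "$SAMPLE_LOGIN_DEFS" | awk '$1=="UID_MIN"{print $2}'; }

# account_class USER -> system | human | unknown, decided purely by UID vs UID_MIN.
account_class() {
  uid=$(printf '%s\n' "$SAMPLE_PASSWD" | awk -F: -v u="$1" '$1==u{print $3}')
  [ -n "$uid" ] || { echo unknown; return 0; }
  if [ "$uid" -lt "$(uid_min)" ]; then echo system; else echo human; fi
}

# name_for_uid UID -> account name, the lookup an auditor does when a log line or
# `ps -o uid` only shows a number; prints nothing for an unknown UID.
name_for_uid() {
  printf '%s\n' "$SAMPLE_PASSWD" | awk -F: -v id="$1" '$3==id{print $1}'
}

# system_accounts_with_shell -> space-separated list of non-root system accounts whose
# login shell is something other than nologin/false. Such an account can be logged
# into the moment it gains a password or an SSH key, which undoes the silo.
system_accounts_with_shell() {
  printf '%s\n' "$SAMPLE_PASSWD" | awk -F: -v min="$(uid_min)" '
    $3 > 0 && $3 < min && $7 !~ /(nologin|false)$/ { print $1 }' \
    | tr '\n' ' ' | sed 's/ $//'
}

report() {
  printf '%s\n' "$SAMPLE_PASSWD" | awk -F: '{print $1}' | while read -r u; do
    printf '%-10s %s\n' "$u" "$(account_class "$u")"
  done
  printf 'service accounts with a login shell: %s\n' "$(system_accounts_with_shell)"
}

report
```

On a real host, feed the script the actual files and compare the last line against what the distribution ships; the expected answer for a package-installed daemon is an empty list.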