MTU System Administration Council                              J. Myles
MTU Request For Comments: 0005       Michigan Technological University
Category: Standard                                        February 2006


                  Michigan Technological University
      Unix Group ID Standardization, Allocation, and Management

Status of this Memo

   This document specifies a Technical Standard for the Michigan
   Technological University community, as provided for by the
   Constitution of the MTU System Administration Council.
   Distribution of this memo is unlimited.

Abstract

   This Unix Group ID (GID) normalization standard describes an opt-in
   method for ensuring that GIDs are standardized between Departments
   or Divisions that share information using GID-based authorization
   methods (such as the Network File System).

Conventions used in this document

   Terms such as Department, Division, and Voting Member are defined
   in the Constitution of the MTU System Administration Council.

Table of Contents

   1. Introduction
   2. Group ID Ranges
      2.1 Unrestricted Ranges
      2.2 Restricted Ranges
   3. Assigned Group ID Ranges
   4. Requesting a Restricted Group ID Range
   5. Security Considerations
   6. References
   7. Acknowledgments

1. Introduction

   Group IDs, in Unix and Unix-like operating systems, can be used to
   control access to resources such as file shares. Identifying a
   Department or Division responsible for ranges of GIDs will aid in
   preventing unauthorized access to shared resources. Consistency of
   GIDs will also prevent re-numbering of GIDs for projects that span
   Departments or Divisions.

   This standard may also lay the foundation for a group naming
   standard, should one become necessary.

2. Group ID Ranges

   GID ranges are divided into two classes, Unrestricted and
   Restricted.

2.1 Unrestricted Ranges

   GIDs below 1000 and above 59999 are Unrestricted. Groups may exist
   which use GIDs in these ranges, but membership in these groups
   cannot be restricted. Any system administrator may place a user in
   a group that uses an Unrestricted GID. GIDs below 1000 and above
   59999 should be used for authorization purposes only after
   considering potential security risks.

2.2 Restricted Ranges

   GIDs between 1000 and 59999, inclusive, are considered to be
   Restricted. Restricted ranges are allocated to Departments and
   Divisions. Only the assignee may allocate GIDs within an assigned
   range. Users may only be placed in groups using Restricted GIDs by
   prior arrangement or agreement with the Department or Division to
   which the corresponding range is assigned.

3. Assigned Restricted Group ID Ranges

   The following is a complete list of assigned Restricted Group ID
   ranges, and the Department or Division to which each range is
   assigned. Gaps in these ranges are available for assignment as
   Restricted Group ID ranges.

       1000 -  1499   Auxiliary Services
       1500 -  1999   Center for Experimental Computation
       2000 -  2499   Computer Science
       2500 -  2999   Mathematical Sciences
       3000 -  3499   Physics
       3500 -  3599   Humanities
       4000 -  4499   West Engineering Computing Network
       5000 -  5499   Electrical and Computer Engineering
       5500 -  5999   School of Technology
       6000 -  6999   West Engineering Computing Network
       7000 -  7499   Geological and Mining Engineering and Sciences,
                      Remote Sensing Institute
       7500 -  7999   Biological Sciences, Social Sciences, Psychology,
                      Exercise Physiology, Seaman Mineral Museum
       8000 -  8999   East Engineering Computing Network
       9000 -  9499   School of Business & Economics
      10000 - 10099   MTU System Administration Council
      11000 - 11999   School of Technology
      12000 - 12999   System Administration Services
      13000 - 13499   Distributed Computing Services
      13500 - 13999   Student Organizations
      14000 - 14499   School of Forest Resources and Environmental
                      Science
      15000 - 15499   J. R Van Pelt Library

4. Requesting a Restricted Group ID Range

   New Restricted GID ranges may be requested by any Department or
   Division. A GID range will be issued in a quantity of 100, 500, or
   1000 GIDs, as space allows. Requests for new Restricted GID ranges
   must be brought to the MTU System Administration Council by a
   Voting Member. Requested ranges shall be issued unless there is
   reasonable objection.

5. Security Considerations

   Authorization restrictions may be bypassed if a GID standard is not
   followed. For example, a system administrator who grants rights to
   a Unix group may find that he unintentionally grants rights to
   users in another Department or Division that does not follow the
   same GID standard.

6. References

   [Constitution of the MTU System Administration Council]
   Adopted 10 Dec 2002.

7. Acknowledgments

   This document is the result of the work of the ad-hoc Group ID
   Standardization Committee of the MTU System Administration
   Council, composed of Robert Landsparger, Pat Krogel, James Bialas,
   and Joshua Myles. A draft of this standard, written by Robert
   Landsparger on 22 Jul 2004, is the basis for this document.
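
Added example (not part of MTURFC 0005 or of any MTU tooling): one way a Department could check its own group file for the collision described in Section 5, by classifying each GID against Sections 2 and 3. The table holds only a subset of the Section 3 rows, so GIDs in omitted rows report as unassigned; the function names, the sample group entries, and the choice of "Computer Science" as the local Department are assumptions.

```python
import bisect

# Subset of the Section 3 table (extend before use): (first, last, assignee).
ASSIGNED = [
    (2000, 2499, "Computer Science"),
    (2500, 2999, "Mathematical Sciences"),
    (3000, 3499, "Physics"),
    (9000, 9499, "School of Business & Economics"),
]
STARTS = [lo for lo, _, _ in ASSIGNED]


def classify(gid):
    """Return (class, assignee) for a GID under Sections 2 and 3."""
    if not 1000 <= gid <= 59999:  # Section 2.1: outside the Restricted span
        return "unrestricted", None
    i = bisect.bisect_right(STARTS, gid) - 1
    if i >= 0 and gid <= ASSIGNED[i][1]:
        return "assigned", ASSIGNED[i][2]
    return "unassigned", None  # a gap in the Restricted space


def audit(group_text, own_dept):
    """Return (group, gid, finding) for entries not in own_dept's range."""
    findings = []
    for line in group_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 4 or not fields[2].isdigit():
            continue  # blank, comment, or malformed line
        name, gid = fields[0], int(fields[2])
        kind, owner = classify(gid)
        if kind == "assigned" and owner != own_dept:
            findings.append((name, gid, "range assigned to " + owner))
        elif kind != "assigned":
            findings.append((name, gid, kind))
    return findings


# Constructed sample in group(5) format; names and members are invented.
SAMPLE = """\
wheel:x:0:root
cs-faculty:x:2010:alice,bob
scratch:x:3100:carol
proj-x:x:9700:dave
legacy:x:70000:erin
"""

if __name__ == "__main__":
    print(*audit(SAMPLE, "Computer Science"), sep="\n")
```

A "range assigned to" finding is the Section 5 case: the local group shares a GID space with another Department, so rights granted to it on a shared file system may reach that Department's users.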