Gid choosen on site creation

akoopal · March 18, 2025, 12:56pm

I have just installed the trial version of checkmk. There it creates an account for the site. Per standards system users should be created with a UID < 1000. The same with the group and the GID < 1000

The user was indeed created with a UID of 983, but the GID was 10865

We have a central system to push accounts, that will ignore the system accounts < 1000, but the rest are overwritten, so the created group was removed again, resulting in a failure. While easily fixed (created group with a lower GID, set the group for the user to that and do chgrp for /omd/sites/, this seems to be a bug to me. Can this be looked at.

aeckstein · March 18, 2025, 3:56pm

Hi Andre,

you can force to create the omd site with a specific groupid with the -g flag:

omd create -u 6100 -g 180 mysite

akoopal · March 18, 2025, 4:06pm

Hi Andre, that is good to know and helpful if we decide to go with checkmk, but main reason for the post is that these choices are against the policy on uid/gid selection. That should have selected both a uid and a gid under 1000.

elheladero · April 29, 2025, 1:11pm

Hi Andre,
an internal bug ticket (CMK-23220) has been opened regarding this issue.
Best
Dennis

elheladero · June 16, 2025, 2:32pm

Hi Andre,
as omd uses ‘useradd --system …’ here:
What are the settings for UID_MIN, UID_MAX, GID_MIN and GID_MAX in /etc/login.defs ?
Best regards
Dennis

akoopal · June 16, 2025, 2:57pm

Hi Dennis,

The relevant parts of login.defs:

#
# Min/max values for automatic uid selection in useradd(8)
#
UID_MIN                  1000
UID_MAX                 60000
# System accounts
SYS_UID_MIN               201
SYS_UID_MAX               999
...
#
# Min/max values for automatic gid selection in groupadd(8)
#
GID_MIN                  1000
GID_MAX                 60000
# System accounts
SYS_GID_MIN               201
SYS_GID_MAX               999

which is as expected.

akoopal · June 23, 2025, 9:10am

Decided to do a more complete test:

ssmmon-test0# grep testsite /etc/passwd /etc/group
ssmmon-test0# useradd --system testsite
ssmmon-test0# grep testsite /etc/passwd /etc/group
/etc/passwd:testsite:x:981:980::/home/testsite:/bin/bash
/etc/group:testsite:x:980:
ssmmon-test0# userdel testsite
ssmmon-test0# grep testsite /etc/passwd /etc/group
ssmmon-test0# omd create testsite
...
ssmmon-test0# grep testsite /etc/passwd /etc/group
/etc/passwd:testsite:x:981:10865:OMD site testsite:/omd/sites/testsite:/bin/bash
/etc/group:omd:x:983:ssm_idn,testsite
/etc/group:testsite:x:10865:apache

So it seems there is more to it. Just useradd does it correctly so the scripts must do something more.

Regards,

Andre