What's the difference between a normal user and a system user?
Some documentation I’m going through has a boolean switch on whether or not a user is a ‘system’ user or a ‘normal’ user (defaulting to ‘normal’).
What is the difference between these two modes of user-ship? I don’t need to learn what a user is or why you need them (even ‘fake’ ones), but this particular distinction isn’t intuitive to me.
That is not a technical difference but an organizational decision. E.g. it makes sense to show normal users in a login dialog (so that you can click them instead of having to type the user name) but it wouldn’t make sense to show system accounts (the UIDs under which daemons and other automatic processes run) there.
Thus a border is defined or rather two ranges for the UIDs for the two groups. In openSUSE the file /etc/login.defs contains these lines:

    # Min/max values for automatic uid selection in useradd
    #
    # SYS_UID_MIN to SYS_UID_MAX inclusive is the range for
    # UIDs for dynamically allocated administrative and system accounts.
    # UID_MIN to UID_MAX inclusive is the range of UIDs of dynamically
    # allocated user accounts.
    #
    UID_MIN 1000
    UID_MAX 60000
    # System accounts
    SYS_UID_MIN 100
    SYS_UID_MAX 499

    # Min/max values for automatic gid selection in groupadd
    #
    # SYS_GID_MIN to SYS_GID_MAX inclusive is the range for
    # GIDs for dynamically allocated administrative and system groups.
    # GID_MIN to GID_MAX inclusive is the range of GIDs of dynamically
    # allocated groups.
    #
    GID_MIN 1000
    GID_MAX 60000
    # System accounts
    SYS_GID_MIN 100
    SYS_GID_MAX 499
The main difference is the purpose of the account, so it’s primarily a useful distinction for administrators and auditors. There are a few technical differences — from the
System users will be created with no aging information in /etc/shadow, and their numeric identifiers are chosen in the SYS_UID_MAX range, defined in /etc/login.defs, instead of UID_MAX (and their GID counterparts for the creation of groups).
As far as I can tell (I don’t know Puppet), the difference from Puppet’s perspective is whether it passes the -r option to
For a broader perspective, see Is it possible to "hide" an account from /etc/passwd?
The distinction is in how the accounts’ UID values are allocated and in how the accounts are used.
Further description at Wikipedia: User identifier:
The Linux Standard Base Core Specification specifies that UID values in the range 0 to 99 should be statically allocated by the system, and shall not be created by applications, while UIDs from 100 to 499 should be reserved for dynamic allocation by system administrators and post install scripts.
End-users conventionally have a UID outside of these ranges, commonly starting at 1000.
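
An added example, not part of any answer above: a small Python audit that reads the UID ranges from login.defs content, classifies passwd entries against them, and lists extra UID 0 accounts and accounts below the normal-user range that keep a login shell. The sample file contents, the NOLOGIN set and the function names are constructed for illustration, and login.defs values are assumed to be decimal.

```python
import re

# Constructed sample inputs (not from a real host); ranges match the excerpt above.
LOGIN_DEFS = "# System accounts\nSYS_UID_MIN 100\nSYS_UID_MAX 499\nUID_MIN 1000\nUID_MAX 60000\n"
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:Daemon:/sbin:/usr/sbin/nologin
svc-backup:x:480:480:Backup agent:/var/lib/backup:/bin/bash
alice:x:1000:100:Alice:/home/alice:/bin/bash
toor:x:0:0:second root:/root:/bin/sh
nobody:x:65534:65534:nobody:/var/lib/nobody:/bin/bash
"""
# Shells treated as "cannot log in" (assumption; extend for your distribution).
NOLOGIN = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"}

def parse_login_defs(text):
    """Return integer 'KEY VALUE' settings; comment and blank lines are skipped."""
    defs = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Z_]+)\s+(\d+)\s*$", line)
        if m:
            defs[m.group(1)] = int(m.group(2))
    return defs

def classify(uid, defs):
    """Map a UID onto the ranges configured in login.defs."""
    if uid < defs["SYS_UID_MIN"]:
        return "static"      # below the dynamically allocated system range
    if uid <= defs["SYS_UID_MAX"]:
        return "system"
    if defs["UID_MIN"] <= uid <= defs["UID_MAX"]:
        return "normal"
    return "unassigned"      # falls in neither configured range

def audit(passwd_text, defs):
    """Flag extra UID 0 accounts and non-human accounts that keep a login shell."""
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue         # malformed, blank or NIS compat entry
        name, uid, shell = fields[0], int(fields[2]), fields[6]
        kind = classify(uid, defs)
        if uid == 0 and name != "root":
            findings.append((name, uid, kind, "extra UID 0 account"))
        elif kind in ("static", "system") and name != "root" and shell not in NOLOGIN:
            findings.append((name, uid, kind, "login shell on non-human account"))
    return findings
```

The findings are a review list rather than a verdict: some packages create system accounts with a real shell on purpose, so each hit needs to be checked against what the account is for.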