What's the difference between a normal user and a system user?

Some documentation I’m going through has a boolean switch on whether or not a user is a ‘system’ user or a ‘normal’ user (defaulting to ‘normal’).

What is the difference between these two modes of user-ship? I don’t need to learn what a user is or why you need them (even ‘fake’ ones), but this particular distinction isn’t intuitive to me.

Asked By: Sean Allred


That is not a technical difference but an organizational decision. E.g. it makes sense to show normal users in a login dialog (so that you can click them instead of having to type the user name) but it wouldn’t make sense to show system accounts (the UIDs under which daemons and other automatic processes run) there.

Thus a border is defined or rather two ranges for the UIDs for the two groups. In openSUSE the file /etc/login.defs contains these lines:

# Min/max values for automatic uid selection in useradd
#
# SYS_UID_MIN to SYS_UID_MAX inclusive is the range for
# UIDs for dynamically allocated administrative and system accounts.
# UID_MIN to UID_MAX inclusive is the range of UIDs of dynamically
# allocated user accounts.
#
UID_MIN                  1000
UID_MAX                 60000
# System accounts
SYS_UID_MIN               100
SYS_UID_MAX               499

and

# Min/max values for automatic gid selection in groupadd
#
# SYS_GID_MIN to SYS_GID_MAX inclusive is the range for
# GIDs for dynamically allocated administrative and system groups.
# GID_MIN to GID_MAX inclusive is the range of GIDs of dynamically
# allocated groups.
#
GID_MIN                  1000
GID_MAX                 60000
# System accounts
SYS_GID_MIN               100
SYS_GID_MAX               499

Answered By: Hauke Laging

The main difference is the purpose of the account, so it’s primarily a useful distinction for administrators and auditors. There are a few technical differences — from the adduser documentation:

System users will be created with no aging information in /etc/shadow, and their numeric identifiers are chosen in the SYS_UID_MIN-SYS_UID_MAX range, defined in /etc/login.defs, instead of UID_MIN-UID_MAX (and their GID counterparts for the creation of groups).

As far as I can tell (I don’t know Puppet), the difference from Puppet’s perspective is whether it passes the -r option to adduser.

For a broader perspective, see Is it possible to "hide" an account from /etc/passwd?

The distinction is in how the accounts' UID values are allocated and in how the accounts are used.

Further description at Wikipedia: User identifier:

The Linux Standard Base Core Specification specifies that UID values in the range 0 to 99 should be statically allocated by the system, and shall not be created by applications, while UIDs from 100 to 499 should be reserved for dynamic allocation by system administrators and post install scripts.[4]

End-users conventionally have a UID outside of these ranges, commonly starting at 1000.

Answered By: Brent Bradburn
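
An added example, not part of any answer above or of any distribution's tooling: it reads the UID limits from /etc/login.defs text and sorts /etc/passwd entries into the system and normal ranges the answers describe, reporting UIDs that fall in neither range. The passwd lines are constructed, the range values are the openSUSE ones quoted in the first answer, and the "review" notes are this example's own assumption about what an administrator or auditor would want to look at.

```python
import re

# Constructed sample inputs: the range values are the openSUSE ones quoted in the
# first answer; the accounts are hypothetical.
LOGIN_DEFS = """\
# System accounts (comment lines are skipped)
UID_MIN                  1000
UID_MAX                 60000
SYS_UID_MIN               100
SYS_UID_MAX               499
"""
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:Daemon:/sbin:/usr/sbin/nologin
chrony:x:473:475:Chrony Daemon:/var/lib/chrony:/usr/sbin/nologin
backup:x:480:480:Backup job:/var/backup:/bin/bash
legacy:x:501:100:Old account:/home/legacy:/bin/bash
alice:x:1000:100:Alice:/home/alice:/bin/bash
"""
NOLOGIN = ("nologin", "false")  # shells that refuse an interactive login

def parse_login_defs(text):
    """Return the UID_*/SYS_UID_* limits as ints, ignoring comments and GID keys."""
    pat = re.compile(r"\s*((?:SYS_)?UID_(?:MIN|MAX))\s+(\d+)\s*$")
    return {m[1]: int(m[2]) for m in map(pat.match, text.splitlines()) if m}

def classify(uid, lim):
    """Place a UID in the login.defs ranges; UIDs in neither range get their own label."""
    if lim["SYS_UID_MIN"] <= uid <= lim["SYS_UID_MAX"]:
        return "system"
    if lim["UID_MIN"] <= uid <= lim["UID_MAX"]:
        return "normal"
    return "static" if uid < lim["SYS_UID_MIN"] else "outside"

def audit(passwd_text, lim):
    """Return (name, uid, kind, note) for every well-formed passwd entry."""
    rows = []
    for f in (line.split(":") for line in passwd_text.splitlines()):
        if len(f) != 7 or not f[2].isdigit():
            continue  # malformed entry, not classified
        kind = classify(int(f[2]), lim)
        note = "review: outside both ranges" if kind == "outside" else ""
        if kind == "system" and not f[6].endswith(NOLOGIN):
            note = "review: login shell"
        rows.append((f[0], int(f[2]), kind, note))
    return rows

if __name__ == "__main__":
    print(*audit(PASSWD, parse_login_defs(LOGIN_DEFS)), sep="\n")
```

To run it against a real host, pass the contents of /etc/login.defs and /etc/passwd in place of the two constructed strings.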