
User accounts
Principles
Users are either humans or non-human users for services.
All users of a project are configured (e.g. visible via getent) on all hosts of a project.
The following attributes are globally unique: username, UID, group name, GID.
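The bijections between username and UID and between group name and GID are globally unique: each username maps to exactly one UID and vice versa, and likewise for group names and GIDs.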
The presence of an account alone does not imply any permission assignments.
Human users
The primary group is users.
The home directory is located in /home/$USER.
Service users
The primary group is service.
The home directory is located in /srv/$USER.
No SSH login is allowed by default to support the general data protection guidelines. In exceptional cases SSH access may be granted.
Human users that have the sudo-srv permission in a project are allowed to change to the service user (sudo -u <service_user_name> -i) and execute commands as a service user (sudo -u <service_user_name> <command>).
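The principles and home directory conventions above can be checked mechanically. The following is an added example, not part of the original documentation: it parses `getent passwd` output collected from several hosts and reports accounts that break the username/UID bijection, use the wrong home directory, or are missing on a host. The GIDs of the users and service groups, the function names and the sample data are assumptions.

```python
from collections import defaultdict

def parse_passwd(text):
    """Parse `getent passwd` output into (name, uid, gid, home) tuples."""
    entries = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7:
            continue  # skip blank or malformed lines
        name, _pw, uid, gid, _gecos, home, _shell = fields
        entries.append((name, int(uid), int(gid), home))
    return entries

def audit(passwd_by_host, users_gid, service_gid):
    """Return sorted findings for accounts that violate the stated principles."""
    findings = set()
    uid_of, name_of = defaultdict(set), defaultdict(set)
    seen_on = defaultdict(set)
    home_root = {users_gid: "/home", service_gid: "/srv"}
    for host, text in passwd_by_host.items():
        for name, uid, gid, home in parse_passwd(text):
            uid_of[name].add(uid)
            name_of[uid].add(name)
            if gid in home_root:  # project account (human or service)
                seen_on[name].add(host)
                expected = f"{home_root[gid]}/{name}"
                if home != expected:
                    findings.add(f"{host}: {name} home {home}, expected {expected}")
    for name, uids in uid_of.items():
        if len(uids) > 1:  # one username, several UIDs across hosts
            findings.add(f"{name}: multiple UIDs {sorted(uids)}")
    for uid, names in name_of.items():
        if len(names) > 1:  # one UID, several usernames across hosts
            findings.add(f"UID {uid}: multiple usernames {sorted(names)}")
    for name, hosts in seen_on.items():
        for host in sorted(set(passwd_by_host) - hosts):
            findings.add(f"{host}: {name} missing")
    return sorted(findings)

# Constructed sample data (not from a real system); GIDs 100 and 900 are assumed.
SAMPLE = {
    "host-a": "alice:x:1001:100::/home/alice:/bin/bash\n"
              "webapp:x:2001:900::/srv/webapp:/bin/bash\n",
    "host-b": "alice:x:1002:100::/home/alice:/bin/bash\n"
              "bob:x:1001:100::/home/bob:/bin/bash\n"
              "webapp:x:2001:900::/home/webapp:/bin/bash\n",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE, users_gid=100, service_gid=900):
        print(finding)
```

On a real project, replace the assumed GIDs with the values reported by `getent group users` and `getent group service`.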
Permissions
Users own a separate set of permissions for every project they are a member of. Common permissions include:
- login: Perform interactive shell login on a machine (via SSH).
- manager: Add or remove other users from the project. Define permissions for users in the project.
- sudo-srv: Sudo into service users on a machine (password not necessary).
- stats: View system statistics (e.g., performance, availability, or web access statistics).
There are more permissions that are not considered critical for general operations. The full list is documented in /etc/local/permission.desc.