Root is (typically) the superuser.

Some unprivileged daemons that need to be able to write to some files on disk run as daemon.daemon (portmap, atd, jabberd, lambdamoo, mon, and others). Daemons that don't need to own any files sometimes run as nobody.nogroup instead; it is generally better practice to use a dedicated user, and more complex or security-conscious daemons certainly do this. The daemon user is also handy for locally installed daemons, probably.

LSB 1.3 lists daemon as legacy, and says: "The 'daemon' UID/GID was used as an unprivileged UID/GID for daemons to execute under in order to limit their access to the system. Generally daemons should now run under individual UID/GIDs in order to further partition daemons from one another."

HELP: No files on my system are owned by user or group bin. What good are they? Historically they were probably the owners of binaries in /bin? It is not mentioned in the FHS, Debian Policy, or the changelogs of base-passwd or base-files.

LSB 1.3 lists bin as legacy, and says: "The 'bin' UID/GID is included for compatibility with legacy applications. New applications should no longer use the 'bin' UID/GID."

HELP: As with bin, except I don't even know what it was good for historically.

I'm told that /var/spool/cups is owned by group sys, dunno why.

The shell of user sync is /bin/sync. Thus, if its password is set to something easy to guess (such as ""), anyone can sync the system at the console even if they have no account on the system.

Many games are sgid to games so they can write their high score files. This is explained in Debian Policy.

The man program (sometimes) runs as user man, so it can write cat pages to /var/cache/man and update its databases there.

The lp* devices are writable by this group so that users in it can access the parallel ports directly. Traditionally this job is taken by a printer daemon instead which will only need to run in this group.

The lpr system keeps its spool directories owned by lp/lp. Its daemon and frontend tools (through setuid) run as user root.

HELP: what do other print systems (rlpr, cupsys, lprng, ...) do?

Mailboxes in /var/mail are owned and writeable by group mail, as is explained in Debian Policy. The user and group is used for other purposes as well by various MTAs and MUAs.

Various news servers and other associated programs (such as suck) use user and group news in various ways. Files in the news spool are often owned by user and group news. Programs such as inews that can be used to post news are typically sgid news.

The uucp user and group is used by the UUCP subsystem. It owns spool and configuration files. Users in the uucp group may run uucico.

Like daemon, this user and group is used by some daemons (specifically, proxy daemons) that don't have dedicated user ids and that need to own files. For example, group proxy is used by pdnsd, and squid runs as user proxy.

Majordomo has a statically allocated uid on Debian systems for historical reasons. It is not installed on new systems.

Postgresql databases are owned by this user and group.

Some web servers run as www-data. Web content should not be owned by this user, or a compromised web server would be able to rewrite a web site. Data written out by web servers, including log files, will be owned by www-data.

Presumably so backup/restore responsibilities can be locally delegated to someone without full root permissions?

HELP: Is that right? Amanda reportedly uses this, details?

Operator is historically (and practically) the only "user" account that can login remotely, and doesn't depend on NIS/NFS.

In BSD, the operator user can read and write to tapes and read from disks, so that operators can perform backups. For some reason Linux seems to have lost this.

Mailing list archives and data are owned by this user and group. Some mailing list programs may run as this user as well.

Used by IRC daemons. A statically allocated user is needed only because of a bug in ircd: it setuid()s itself to a compiled-in user id on startup.

HELP: Evidently used by gnats. And it needs a static set why?

Daemons that need not own any files sometimes run as user nobody and group nogroup, although using a dedicated user is far preferable. Thus, no files on a system should be owned by this user or group.

(Technically speaking, it does no harm for a file to be owned by group nogroup as long as the ownership confers no additional privileges, that is if the group and other permission bits are equal. However, this is sloppy practice and should be avoided.)

If root-squashing is in use over NFS, root access from the client is performed as user nobody on the server.

Group adm is used for system monitoring tasks. Members of this group can read many log files in /var/log, and can use xconsole.

Historically, /var/log was /usr/adm (and later /var/adm), thus the name of the group.

HELP: Perhaps policy should state the purpose of this group so users may be safely added to it, in certainty that all they'll be able to do is read logs. Wouldn't hurt to rename it 'log' either ...

Tty devices and /dev/vcs* are owned by this group. This is used by write and wall to enable them to write to other people's ttys.

Raw access to disks. Mostly equivalent to root access.

HELP: Well, I have some disk devices in /dev owned by the group, but I can't see the point. On another system, I noticed that some of the files lilo puts in /boot are also owned by disk. I can imagine local uses for such a group, like if you want to give some users in the group direct access to some hard disk. But these uses I've found on my systems seem to preclude doing that easily; if I put a user in group disk here, they'd have write access to the root filesystem.

/dev/kmem and similar files are readable by this group. This is mostly a BSD relic, but any programs that need direct read access to the system's memory can thus be made setgid kmem.

Full and direct access to serial ports. Members of this group can reconfigure the modem, dial anywhere, etc.

The group's name stands for "Dialup IP". Being in group dip allows you to use a tool such as ppp or dip to dial up a connection.