
Re: System user names, uids, and gids

Dan Purgert <dan@xxxxxxxx> writes:

> No, package management doesn't touch usernames.  They're kept as a
> reference so that when you look at a logfile (etc.) that's still owned
> by that UID, you'll get the username instead of just an ID number.

Well, the package management *does* create users and groups when
packages are installed so I would prefer at least an option to delete
them when the package is purged.

> Granted, if nothing is owned by debian-exim anymore, then deleting the
> entry will not cause any problems.

Of course I've already checked that.

> This gets messy, since the ID number is what matters to the system.
> Changing *that* information may very well break things.  It's completely
> fixable (i.e. change /etc/group and then find all the files group-owned
> by the old GID, and update the ownership).

Of course the file uids/gids have to be changed too, but that's easy
(in single user mode, when no daemons are running using these IDs).
The question is whether Debian expects certain users/groups to have a
fixed value or if I am allowed to change them.

My impression is that uids and gids below 100 are fixed and more are
created dynamically when packages are installed and that the next free
number above 100 is chosen.  When some packages only need a user or
only a group, then uids/gids are not incremented in sync.  If this
assumption is true it shouldn't matter which numeric IDs these users
and groups have and it shouldn't cause problems if I change them.  But
I'd like to be sure.

> If anything, this is the one thing I wouldn't touch on a system, unless
> I was building it from scratch (e.g. LFS) -- a better approach to the
> GID/UID mismatch would perhaps be talking to the package maintainers.

Hm, is this something the package maintainer has to deal with or is
this a function of the package management system?  I would imagine that
the package management system provides a function "please, find an
unused system uid and gid and create user foo and group foo".  Then
the package management system would need to be changed to give
matching IDs if a package wants a user and a group (probably of the
same name).
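
An added example, not part of the original message: POSIX shell helpers for the two checks discussed in this thread, confirming that nothing is still owned by a numeric ID before its passwd/group entry is deleted, and previewing the chown/chgrp calls when an ID is renumbered. The function names and the APPLY variable are assumptions introduced here.

```shell
#!/bin/sh
# Constructed helpers; names and the APPLY variable are assumptions of this example.

# Count paths under ROOT owned by a numeric uid or gid (symlinks are not followed).
# A result of 0 means no file on that filesystem still refers to the ID.
count_owned() {  # usage: count_owned uid|gid ID ROOT
    find "$3" -xdev "-$1" "$2" -exec printf . \; 2>/dev/null | wc -c | tr -d ' '
}

# List paths whose owner or group no longer resolves to a passwd/group entry.
# Such files would silently belong to whichever account is next given that number.
orphans() {  # usage: orphans ROOT
    find "$1" -xdev \( -nouser -o -nogroup \) -print 2>/dev/null
}

# Renumber ownership OLD -> NEW under ROOT. Prints the commands by default;
# set APPLY=1 (as root, with the affected daemons stopped) to run them.
# On Linux, chown/chgrp can clear setuid/setgid bits, so note file modes first.
remap_id() {  # usage: remap_id uid|gid OLD NEW ROOT
    case $1 in
        uid) tool=chown ;;
        gid) tool=chgrp ;;
        *) echo "kind must be uid or gid" >&2; return 2 ;;
    esac
    if [ "$(count_owned "$1" "$3" "$4")" != 0 ]; then
        echo "warning: $1 $3 already owns files under $4; a merge cannot be undone" >&2
    fi
    if [ "${APPLY:-0}" = 1 ]; then
        find "$4" -xdev "-$1" "$2" -exec "$tool" -h "$3" {} +
    else
        find "$4" -xdev "-$1" "$2" -exec printf "$tool -h %s %s\n" "$3" {} \;
    fi
}
```

Because of -xdev each call stays on one filesystem, so repeat it for every mount point that could hold files owned by the ID.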