Re: System user names, uids, and gids
- Date: Tue, 23 Oct 2018 10:11:41 -0500
- From: David Wright <deblis@xxxxxxxxxxxxxxxxx>
- Subject: Re: System user names, uids, and gids
On Tue 23 Oct 2018 at 15:09:05 (+0200), Steve Keller wrote:
> Dan Purgert <dan@xxxxxxxx> writes:
> > No, package management doesn't touch usernames. They're kept as a
> > reference so that when you look at a logfile (etc.) that's still owned
> > by that UID, you'll get the username instead of just an ID number.
> Well, the package management *does* create users and groups when
> packages are installed so I would prefer at least an option to delete
> them when the package is purged.
> > Granted, if nothing is owned by debian-exim anymore, then deleting the
> > entry will not cause any problems.
> Of course I've already checked that.
> > This gets messy, since the ID number is what matters to the system.
> > Changing *that* information may very well break things. It's completely
> > fixable (i.e. change /etc/group and then find all the files group-owned
> > by the old GID, and update the ownership).
> Of course the file uids/gids have to be changed too, but that's easy
> (in single user mode, when no daemons are running using these IDs).
> The question is whether Debian expects certain users/groups to have a
> fixed value or if I am allowed to change them.
> My impression is that uids and gids below 100 are fixed and more are
> created dynamically when packages are installed and that the next free
> number above 100 is chosen. When some packages only need a user or
> only a group, then uids/gids are not incremented in sync. If this
> assumption is true it shouldn't matter which numeric IDs these users
> and groups have and it shouldn't cause problems if I change them. But
> I'd like to be sure.
> > If anything, this is the one thing I wouldn't touch on a system, unless
> > I was building it from scratch (e.g. LFS) -- a better approach to the
> > GID/UID mismatch would perhaps be talking to the package maintainers.
> Hm, is this something the package maintainer has to deal with or is
> this a function of the package management system? I would imagine that
> the package management system provides a function "please, find an
> unused system uid and gid and create user foo and group foo". Then
> the package management system would need to be changed to give
> matching IDs if a package wants a user and a group (probably of the
> same name).
And if your wishes are granted, you end up with systems where *you*
can assume that UID=GID. Except that now you've built a false
assumption, because the system's fixed UIDs and GIDs don't obey it,
and you *can't* change their numbers.

A similar argument applies to names. Here we have an assumption that
the names chosen by Debian can be used as such for lookups on passwd
and group. If you change messagebus to msgbus, that assumption (which
is a legitimate one unlike yours) breaks down. Debian policy can force
constraints on Debian systems: you don't have that clout.

So it seems to me that you're making your system more fragile just to
make it look "tidier".
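
The ownership check mentioned in the quoted text (is anything still owned by the account's IDs before its entry is deleted?), as an added shell example that is not part of the original message. Files left behind under a deleted UID or GID are picked up by whichever account is next given that number. The function names and the PASSWD_FILE/GROUP_FILE overrides are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread). File paths can be overridden for testing.
PASSWD_FILE=${PASSWD_FILE:-/etc/passwd}
GROUP_FILE=${GROUP_FILE:-/etc/group}

# Print field 3 (the numeric ID) for NAME in a passwd- or group-format file.
# Exit status is non-zero when NAME has no entry.
id_of() {  # id_of FILE NAME
    awk -F: -v n="$2" '$1 == n { print $3; found = 1; exit }
                       END { exit !found }' "$1"
}

# List everything under ROOT owned by UID, or group-owned by GID when given.
# A numeric argument to -user/-group is matched as an ID when no account has
# that literal name, so this works even after the passwd entry is gone.
refs() {  # refs ROOT UID [GID]
    if [ -n "${3:-}" ]; then
        find "$1" -xdev \( -user "$2" -o -group "$3" \) 2>/dev/null
    else
        find "$1" -xdev -user "$2" 2>/dev/null
    fi
}

# Return 0 only if no file under ROOT still refers to NAME's UID or to the GID
# of the same-named group. Return 2 if NAME is not a user at all.
check_removable() {  # check_removable NAME ROOT
    uid=$(id_of "$PASSWD_FILE" "$1") || { echo "$1: no such user" >&2; return 2; }
    gid=$(id_of "$GROUP_FILE" "$1") || gid=
    # The two numbers are looked up separately by name: nothing guarantees
    # uid == gid, which is the assumption the reply warns against.
    [ -z "$gid" ] || [ "$uid" = "$gid" ] || echo "note: $1 has uid=$uid, gid=$gid"
    n=$(refs "$2" "$uid" "$gid" | wc -l | tr -d ' ')
    echo "$1: $n path(s) still owned by uid $uid${gid:+ or gid $gid}"
    [ "$n" -eq 0 ]
}

# Usage: check_removable debian-exim /
```

Run it as root so that find can descend into every directory; paths it cannot read are silently skipped.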