Why do UID values of system users matter?


Steffen Dettmer
Hi,

just for my curiosity I wonder why the numeric UID values matter at all, for example:

  update-passwd has found a difference between your system
  accounts and the current Debian defaults. It is advisable to
  allow update-passwd to change your system; without those
  changes some packages might not work correctly. For more
  documentation on the Debian account policies, please see
  /usr/share/doc/base-passwd/README.

  The proposed change is:

  Change the UID of user "man" from 13 to 6

(Apparently man used uid 13 in Debian 8 / Jessie but 6 in Debian 9 / Stretch). Normally I would assume that the numeric values would not be used anywhere at all, only the symbolic names.
If the numeric value matters, why are their values not kept across releases?

Steffen


Re: Why do UID values of system users matter?

Dan Hitt


On Fri, Aug 16, 2019 at 2:28 PM Steffen Dettmer <[hidden email]> wrote:
> Hi,
>
> just for my curiosity I wonder why the numeric UID values matter at all, for example:


I believe file ownership is tracked by numeric UID rather than user name.

So, for example, if you multi-boot, a file owned by user 500 in one system will be owned by user 500 on every other system, even if it does not correspond to the same user name.

That's been my experience anyway, and an occasional issue.

dan

Re: Why do UID values of system users matter?

Pascal Hambourg-2
In reply to this post by Steffen Dettmer
On 16/08/2019 at 23:27, Steffen Dettmer wrote:
>
> (Apparently man used uid 13 in Debian 8 / Jessie but 6 in Debian 9 /
> Stretch).

AFAICS, user "man" has had UID 6 since at least Debian 6/squeeze.


Re: Why do UID values of system users matter?

Steffen Dettmer
Hi,

thanks for your quick reply.

I see, multiboot with different /etc but shared /usr or /local could invite a lot of trouble if using different UIDs, indeed! Thanks for the quick explanation.

> (Apparently man used uid 13 in Debian 8 / Jessie but 6 in Debian 9 /
> Stretch).
>
> AFAICS, user "man" has had UID 6 since at least Debian 6/squeeze

Ohh, this is interesting, so I wonder why I had a different value then, maybe something else was wrong with my system then...

Steffen


Re: Why do UID values of system users matter?

Kenneth Parker-2


On Fri, Aug 16, 2019 at 10:18 PM Steffen Dettmer <[hidden email]> wrote:
> Hi,
>
> thanks for your quick reply.
>
> I see, multiboot with different /etc but shared /usr or /local could invite a lot of trouble if using different UIDs, indeed! Thanks for the quick explanation.
>
> > (Apparently man used uid 13 in Debian 8 / Jessie but 6 in Debian 9 /
> > Stretch).
> >
> > AFAICS, user "man" has had UID 6 since at least Debian 6/squeeze

From looking at an Ubuntu 16.04 System I administer, User "man" (uid 6) is, apparently the owner of /var/cache/man, which appears to be an area for translating man pages. Who creates this User?

> Ohh, this is interesting, so I wonder why I had a different value then, maybe something else was wrong with my system then...

Could there be multiple Packages that might attempt to Create that User (man)?

Best regards,

Kenneth Parker

Re: Why do UID values of system users matter?

David Wright-3
In reply to this post by Steffen Dettmer
On Fri 16 Aug 2019 at 23:27:27 (+0200), Steffen Dettmer wrote:

>
> just for my curiosity I wonder why the numeric UID values matter at all,
> for example:
>
>   update-passwd has found a difference between your system
>   accounts and the current Debian defaults. It is advisable to
>   allow update-passwd to change your system; without those
>   changes some packages might not work correctly. For more
>   documentation on the Debian account policies, please see
>   /usr/share/doc/base-passwd/README.
>
>   The proposed change is:
>
>   Change the UID of user "man" from 13 to 6
>
> (Apparently man used uid 13 in Debian 8 / Jessie but 6 in Debian 9 /
> Stretch).

Very odd. The master lists are in /usr/share/base-passwd/*master and
the jessie version (3.5.37) has man as 6 and 12. Going back to woody
(Debian 3.0 from 2002), the UID is still 6, though the GID at that
time was 100, the "users" group, shared by several system UIDs.

> Normally I would assume that the numeric values would not be used
> anywhere at all, only the symbolic names.

OSes and filesystems use numbers rather than names for efficiency:
even a modern 32-bit UID only uses the space of four ASCII characters,
whereas some of the UID/GID names are long, eg systemd-bus-proxy
and debian-security-support.

> If the numeric value matters, why are their values not kept across releases?

Because that presents too much administrative effort, which dynamic
allocation is designed to avoid. You just have to exercise care
if/when you copy files between different systems in "inappropriate"
ways, eg using cp when you have two installations in the same PC.

Cheers,
David.


Re: Why do UID values of system users matter?

David Wright-3
In reply to this post by Steffen Dettmer
On Sat 17 Aug 2019 at 04:18:00 (+0200), Steffen Dettmer wrote:
>
> I see, multiboot with different /etc but shared /usr or /local could invite
> a lot of trouble if using different UIDs, indeed! Thanks for the quick
> explanation.

Sure. Most system files can be copied between different /etc
partitions on the same host because they're owned by root.root
or by one of the invariant system users.

But there are a few that can catch you out. For example, it's
obvious that you might want to copy your mail submission passwords
between two systems to save typing them all in again, but
/etc/exim4/passwd.client is owned by root.Debian-exim, and that
GID is >100, so potentially different:

  $ ls -l /agogs/etc/exim4/passwd.client /etc/exim4/passwd.client
  -rw-r----- 1 root mlocate     663 May 30  2018 /agogs/etc/exim4/passwd.client
  -rw-r----- 1 root Debian-exim 663 May 30  2018 /etc/exim4/passwd.client
  $ ls -n /agogs/etc/exim4/passwd.client /etc/exim4/passwd.client
  -rw-r----- 1 0 118 663 May 30  2018 /agogs/etc/exim4/passwd.client
  -rw-r----- 1 0 120 663 May 30  2018 /etc/exim4/passwd.client
  $

> > (Apparently man used uid 13 in Debian 8 / Jessie but 6 in Debian 9 /
> > Stretch).
> >
> > AFAICS, user "man" has had UID 6 since at least Debian 6/squeeze
> >
>  Ohh, this is interesting, so I wonder why I had a different value then,
> maybe something else was wrong with my system then...

Difficult to say. My reaction would be to check the ownership of all
non-root-owned files. Because of the potential for trouble like the
above, I routinely keep a list on each system.

# find / -mount \( ! -group 0 -o ! -user 0 \) -ls | awk '{printf "%s %s %s\n", $5, $6, $11}' | sort -k 3 > /root/non-root-owned-files

Cheers,
David.
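
The GID mismatch in the `ls -n` listing above can be found before any file is copied by comparing the two installations' account databases. This is an added example, not part of the post: `id_mismatches` is a hypothetical helper, and the two group files are constructed samples in which only GIDs 118 and 120 come from the listing.

```shell
#!/bin/sh
# Added example (not from the thread). id_mismatches is a hypothetical helper.
# It compares two passwd- or group-format files (field 1 = name, field 3 =
# numeric ID) and prints, tab-separated, for every name present in both files
# with different numbers:
#   name, local ID, other ID, local name that the other ID resolves to
id_mismatches() {
    # $1 = this system's file, $2 = the other installation's file
    awk -F: '
        NR == FNR { id[$1] = $3; name[$3] = $1; next }   # pass 1: local maps
        ($1 in id) && id[$1] != $3 {                     # pass 2: compare
            shown = ($3 in name) ? name[$3] : "(unnamed)"
            printf "%s\t%s\t%s\t%s\n", $1, id[$1], $3, shown
        }
    ' "$1" "$2" | sort
}

# Constructed sample data. GIDs 118 and 120 mirror the ls -n listing above;
# the mlocate GID on the second installation (117) is made up.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/group.local" <<'EOF'
root:x:0:
man:x:12:
mlocate:x:118:
Debian-exim:x:120:
EOF
cat > "$demo_dir/group.agogs" <<'EOF'
root:x:0:
man:x:12:
mlocate:x:117:
Debian-exim:x:118:
EOF

id_mismatches "$demo_dir/group.local" "$demo_dir/group.agogs"
```

The last column of the Debian-exim row is the name the running system would display for a file copied over with the other installation's GID, which is how `mlocate` ends up in the `ls -l` output.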


Re: Why do UID values of system users matter?

tomas@tuxteam.de
In reply to this post by Steffen Dettmer
On Sat, Aug 17, 2019 at 04:18:00AM +0200, Steffen Dettmer wrote:
> Hi,
>
> thanks for your quick reply.
>
> I see, multiboot with different /etc but shared /usr or /local could invite
> a lot of trouble if using different UIDs, indeed! Thanks for the quick
> explanation.

Not only that. A system update changing the UID (without changing the
ownership of relevant files) would be at least as confusing.

Cheers
-- t


Re: Why do UID values of system users matter?

Greg Wooledge
In reply to this post by Kenneth Parker-2
On Fri, Aug 16, 2019 at 11:03:48PM -0400, Kenneth Parker wrote:
> From looking at an Ubuntu 16.04 System I administer, User "man" (uid 6) is,
> apparently the owner of /var/cache/man, which appears to be an area for
> translating man pages.  Who creates this User?

I don't know about Ubuntu, because this is debian-user.  In Debian,
the preinst script for the base-passwd package will create a bunch
of system users if /etc/passwd is not present, and groups if /etc/group
is not present.

See /var/lib/dpkg/info/base-passwd.preinst for details.

One might ponder under what conditions, exactly, this script would be
executed while these files are not yet present.  I don't know the inner
workings of the debian-installer, so I'm not sure whether this is just
a safety net, or an expected part of a normal system installation.


Re: Why do UID values of system users matter?

Greg Wooledge
In reply to this post by David Wright-3
On Fri, Aug 16, 2019 at 11:42:12PM -0500, David Wright wrote:
> Difficult to say. My reaction would be to check the ownership of all
> non-root-owned files. Because of the potential for trouble like the
> above, I routinely keep a list on each system.
>
> # find / -mount \( ! -group 0 -o ! -user 0 \) -ls | awk '{printf "%s %s %s\n", $5, $6, $11}' | sort -k 3 > /root/non-root-owned-files

The use of $11 here assumes the filename doesn't contain any whitespace.
It'll break if one does.  You'd be better off using GNU find's -printf
features, than parsing the output of -ls with awk.

Looks like you want the username, groupname, and filename.  So that would
be:

find / -mount \( ! group 0 -o ! -user 0 \) -printf '%u  %g  %p\n' |
    sort -k 3 > /root/non-root-owned-files


Re: Why do UID values of system users matter?

David Wright-3
On Mon 19 Aug 2019 at 09:24:59 (-0400), Greg Wooledge wrote:

> On Fri, Aug 16, 2019 at 11:42:12PM -0500, David Wright wrote:
> > Difficult to say. My reaction would be to check the ownership of all
> > non-root-owned files. Because of the potential for trouble like the
> > above, I routinely keep a list on each system.
> >
> > # find / -mount \( ! -group 0 -o ! -user 0 \) -ls | awk '{printf "%s %s %s\n", $5, $6, $11}' | sort -k 3 > /root/non-root-owned-files
>
> The use of $11 here assumes the filename doesn't contain any whitespace.
> It'll break if one does.  You'd be better off using GNU find's -printf
> features, than parsing the output of -ls with awk.

Yes, I expect the reason I haven't lost anything in my listing is that
whitespace is sensibly avoided in these system files.

> Looks like you want the username, groupname, and filename.  So that would
> be:
>
> find / -mount \( ! group 0 -o ! -user 0 \) -printf '%u  %g  %p\n' |
>     sort -k 3 > /root/non-root-owned-files

Much appreciated improvement. (The - in -group got lost in transcription.)
Using \t tidies up the columniation too:

# find / -mount \( ! -group 0 -o ! -user 0 \) -printf '%u\t%g\t%p\n' | …

Cheers,
David.
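
A saved listing in the tab-separated form above can be compared with a later one to catch ownership changes, for example after an account has been renumbered without its files being re-owned. This is an added example, not from the thread: `ownership_drift` is a hypothetical helper and both inventories are constructed samples. The bare `13` in the second one relies on GNU find's `%u` printing the numeric ID when no account has that UID.

```shell
#!/bin/sh
# Added example (not from the thread). ownership_drift is a hypothetical
# helper that compares two inventories in the "user<TAB>group<TAB>path" form
# and prints every path whose owner or group differs between them.
# File names containing newlines are still not handled by this line format.
ownership_drift() {
    # $1 = older inventory, $2 = newer inventory
    awk -F'\t' '
        {
            owner = $1 ":" $2
            path = $0
            sub(/^[^\t]*\t[^\t]*\t/, "", path)   # keep spaces/tabs in the path
        }
        NR == FNR { old[path] = owner; next }    # pass 1: remember old owners
        (path in old) && old[path] != owner {    # pass 2: report changes
            printf "%s\t%s -> %s\n", path, old[path], owner
        }
    ' "$1" "$2" | sort
}

# Constructed inventories: user "man" owned two paths in the first listing;
# in the second the same files show the bare number 13.
inv_dir=$(mktemp -d)
trap 'rm -rf "$inv_dir"' EXIT
{
    printf 'man\troot\t/var/cache/man\n'
    printf 'man\troot\t/var/cache/man/index (copy).db\n'
    printf 'root\tDebian-exim\t/etc/exim4/passwd.client\n'
} > "$inv_dir/before"
{
    printf '13\troot\t/var/cache/man\n'
    printf '13\troot\t/var/cache/man/index (copy).db\n'
    printf 'root\tDebian-exim\t/etc/exim4/passwd.client\n'
} > "$inv_dir/after"

ownership_drift "$inv_dir/before" "$inv_dir/after"
```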


Re: Why do UID values of system users matter?

David Wright-3
In reply to this post by Greg Wooledge
On Mon 19 Aug 2019 at 09:17:21 (-0400), Greg Wooledge wrote:

> On Fri, Aug 16, 2019 at 11:03:48PM -0400, Kenneth Parker wrote:
> > From looking at an Ubuntu 16.04 System I administer, User "man" (uid 6) is,
> > apparently the owner of /var/cache/man, which appears to be an area for
> > translating man pages.  Who creates this User?
>
> I don't know about Ubuntu, because this is debian-user.  In Debian,
> the preinst script for the base-passwd package will create a bunch
> of system users if /etc/passwd is not present, and groups if /etc/group
> is not present.
>
> See /var/lib/dpkg/info/base-passwd.preinst for details.
>
> One might ponder under what conditions, exactly, this script would be
> executed while these files are not yet present.  I don't know the inner
> workings of the debian-installer, so I'm not sure whether this is just
> a safety net, or an expected part of a normal system installation.

base-passwd is the first package installed at "Install the base system"
which follows "Partition disks", so it would normally expect to be
installed into an empty partition. I should add, though, that it gets
re-unpacked, re-installed and set up a few seconds later, when about
a score of other packages have been set up. I would assume a preinst
script would run on the first occurrence.

What's odd to me is that the base-passwd preinst file has two Here
documents which duplicate its /usr/share/base-passwd/*master files.
Perhaps ok for files that only change on a time-scale of decades, but
I wonder why the /etc versions are not just copied from the masters.

Cheers,
David.