UIDs and GIDs on COS

In COS we identify a user by a value called a user identifier (UID) and a group by a group identifier (GID). These are used to determine which system resources a user or group can access. UIDs and GIDs range over [0, 2^32).

In COS, some UIDs are inherited from the CrOS system and some are owned by COS itself. We need to make sure that the UIDs and GIDs of users created by different parts of the system don't conflict.

There are three general classes of users on a COS instance:

  • Statically allocated users used by system daemons reserved at build time
    • Includes ChromeOS owned user & group IDs (ex: chronos, chronos_access)
    • Includes COS owned user & group IDs (docker, systemd*)
    • Users reserved for special purposes, e.g., ‘nobody’
  • Dynamically allocated users created by a user manager on the system. On COS, this includes cloud-init, the Google accounts daemon, and OS Login. Cloud-init today already uses the [2000, 4999] range for this purpose (documented here).
  • Explicitly allocated user/group IDs based on the allocation in the user's organization. For example, an organization might explicitly want to allocate UID XXXX to its users when they log into a COS (or any GCE) instance.
UID range          Purpose
[0, 1998]          To be used by daemons owned by ChromeOS or COS
1999               User COS added to the non-GCP boards
[2000, 4999]       Users added through cloud-init
[5000, 65533]      To be used by daemons owned by ChromeOS or COS
65534              User nobody
65535              Will not use
[65536, 2^32-1)    Free to use

Apart from the ranges above, the following Chromium OS guidelines apply when choosing UIDs for system daemons. CrOS system daemon UIDs (and associated GIDs) range from 200-299 and from 20100-29999.

FUSE-based filesystem daemons have UID/GIDs that range from 300-399. If you're adding a daemon that will be talking to cros-disks and managing some kind of volumes (archives mounted as volumes, external disks, network-mounted storage, etc.) then you should create a user and group with IDs in this range.

Groups that have no associated user should be given GIDs in the 400 range.

Groups and users that are shared with programs running in different user namespaces should be in the 600-699 range.

The chronos user, which all user-facing processes in CrOS run as, is UID/GID 1000. There is also a special user/group that has access to many resources owned by chronos, called chronos-access, which has the UID/GID 1001.
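The allocation table above and the CrOS daemon sub-ranges are easy to violate silently when several components (cloud-init, OS Login, an organization's own provisioning) create accounts independently. The following added example, which is not part of COS or Chromium OS tooling, encodes both the COS range table and the CrOS guideline ranges as data, classifies a UID against them, and audits passwd-format entries for the conflicts the text warns about: a UID in the reserved 65535 slot, a cloud-init-created user outside [2000, 4999], a misplaced nobody, and two accounts sharing one UID. The passwd lines are constructed sample input, and the set of cloud-init-created user names is an assumption supplied by the caller, since passwd itself does not record which component created an account.

```python
"""Classify UIDs against the COS allocation table and audit passwd entries.

Added example; not part of COS or Chromium OS. The range tables are taken
from the text above; the passwd lines below are constructed sample input.
"""

# COS UID allocation table, as (low, high inclusive, purpose).
COS_RANGES = [
    (0, 1998, "daemons owned by ChromeOS or COS"),
    (1999, 1999, "user COS added to non-GCP boards"),
    (2000, 4999, "users added through cloud-init"),
    (5000, 65533, "daemons owned by ChromeOS or COS"),
    (65534, 65534, "user nobody"),
    (65535, 65535, "will not use"),
    (65536, 2**32 - 1, "free to use"),
]

# Chromium OS guideline sub-ranges for daemons and special accounts.
CROS_RANGES = [
    (200, 299, "CrOS system daemon"),
    (300, 399, "FUSE-based filesystem daemon (cros-disks)"),
    (400, 499, "group with no associated user"),
    (600, 699, "shared across user namespaces"),
    (1000, 1000, "chronos"),
    (1001, 1001, "chronos-access"),
    (20100, 29999, "CrOS system daemon"),
]


def classify_uid(uid):
    """Return (cos_purpose, cros_note); cros_note is None outside the CrOS
    sub-ranges. Raises ValueError for values outside [0, 2^32)."""
    if not 0 <= uid < 2**32:
        raise ValueError(f"UID {uid} outside [0, 2^32)")
    purpose = next(p for lo, hi, p in COS_RANGES if lo <= uid <= hi)
    cros = next((p for lo, hi, p in CROS_RANGES if lo <= uid <= hi), None)
    return purpose, cros


def parse_passwd(text):
    """Yield (name, uid, gid) from passwd-format lines; skip blanks/comments."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, _, uid, gid, _, _, _ = fields
        yield name, int(uid), int(gid)


def audit_passwd(text, cloud_init_users=()):
    """Return a list of human-readable findings for entries that violate
    the allocation table. cloud_init_users names accounts the caller knows
    cloud-init created (an assumption of this example)."""
    findings = []
    seen = {}  # uid -> first account name using it
    for name, uid, _gid in parse_passwd(text):
        classify_uid(uid)  # raises on out-of-range values
        if uid == 65535:
            findings.append(f"{name}: UID 65535 is reserved and must not be used")
        if name in cloud_init_users and not 2000 <= uid <= 4999:
            findings.append(f"{name}: cloud-init user UID {uid} outside [2000, 4999]")
        if name == "nobody" and uid != 65534:
            findings.append(f"nobody: expected UID 65534, found {uid}")
        if uid in seen:
            findings.append(f"{name}: UID {uid} also used by {seen[uid]}")
        else:
            seen[uid] = name
    return findings


# Constructed sample, not a real COS passwd file.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
chronos:x:1000:1000::/home/chronos:/bin/bash
chronos-access:x:1001:1001::/dev/null:/bin/false
cos:x:1999:1999::/home/cos:/bin/bash
alice:x:2001:2001::/home/alice:/bin/bash
bob:x:5001:5001::/home/bob:/bin/bash
nobody:x:65534:65534::/nonexistent:/bin/false
stale:x:65535:65535::/nonexistent:/bin/false
ghost:x:2001:2002::/home/ghost:/bin/bash
"""


def sample_findings():
    """Audit the constructed sample, assuming alice and bob came from cloud-init."""
    return audit_passwd(SAMPLE_PASSWD, cloud_init_users={"alice", "bob"})


if __name__ == "__main__":
    for uid in (350, 1000, 3000, 65534, 70000):
        print(uid, classify_uid(uid))
    for finding in sample_findings():
        print("FINDING:", finding)
```

On a live instance the same audit can be run over the contents of /etc/passwd; the only per-site input is the list of accounts known to have been created by cloud-init, which an operator would take from the cloud-init configuration rather than from passwd.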

Resources