# UIDs and GIDs on COS
In COS we identify a user by a value called a user identifier (UID) and a group by
a group identifier (GID). These are used to determine which system resources a
user or group can access. Both UIDs and GIDs lie in the range [0, 2^32).

In COS, some UIDs are inherited from the CrOS system and some are owned by COS
itself. We need to make sure that UIDs and GIDs created by different parts of the
system do not conflict.
There are three general classes of users on a COS instance:

* Statically allocated users used by system daemons, reserved at build time
  * Includes ChromeOS-owned user & group IDs (e.g., chronos, chronos_access)
  * Includes COS-owned user & group IDs (docker, systemd*)
  * Users reserved for special purposes, e.g., `nobody`
* Dynamically allocated users created by a user manager on the system. On COS,
  this includes cloud-init, the Google accounts daemon, and OS Login.
  Cloud-init today already uses the [2000, 4999] range for this purpose.
  Documented here.
* Explicitly allocated user/group IDs based on the allocation in the user's
  organization. For example, an organization might explicitly want to allocate
  UIDXXXX to its users when they log into a COS (or any GCE) instance.

UID Range | Purpose
--------------- | ----------------------------------------------
[0, 1998] | To be used by daemons owned by ChromeOS or COS
1999 | User added by COS to the non-GCP boards
[2000, 4999] | Users added through cloud-init
[5000, 65533] | To be used by daemons owned by ChromeOS or COS
65534 | User `nobody`
65535 | Not used
[65536, 2^32-1) | Free to use
In addition to the ranges above, COS follows the Chromium OS guidelines when
choosing UIDs for system daemons. CrOS system daemon UIDs (and associated GIDs)
range from 200-299 and from 20100-29999.
FUSE-based filesystem daemons have UID/GIDs that range from 300-399. If you're
adding a daemon that will be talking to cros-disks and managing some kind of
volumes (archives mounted as volumes, external disks, network-mounted storage,
etc.) then you should create a user and group with IDs in this range.
Groups that have no associated user should be given GIDs in the 400 range.
Groups and users that are shared with programs running in different user
namespaces should be in the 600-699 range.
The chronos user, which all user-facing processes in CrOS run as, is UID/GID
1000. There is also a special user/group that has access to many resources owned
by chronos, called chronos-access, which has the UID/GID 1001.
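As an added example (not part of the COS documentation or tooling), the following script classifies `/etc/passwd` entries against the range table above and flags the two conditions the text warns about: a UID shared by accounts from different allocators, and use of the reserved UID 65535. The `COS_RANGES` table is transcribed from this page; the passwd lines are constructed sample data.

```python
# Added example: audit passwd entries against the COS UID range table.
from collections import defaultdict

# (low, high, purpose) from the COS range table; high is inclusive.
COS_RANGES = [
    (0, 1998, "ChromeOS/COS daemons"),
    (1999, 1999, "COS user on non-GCP boards"),
    (2000, 4999, "cloud-init users"),
    (5000, 65533, "ChromeOS/COS daemons"),
    (65534, 65534, "nobody"),
    (65535, 65535, "reserved, not used"),
    (65536, 2**32 - 1, "free"),
]

def classify_uid(uid):
    """Return the purpose of a UID according to the COS range table."""
    for low, high, purpose in COS_RANGES:
        if low <= uid <= high:
            return purpose
    raise ValueError(f"UID {uid} is outside [0, 2^32)")

def audit_passwd(text):
    """Parse passwd-format lines; return ({name: purpose}, [findings])."""
    by_uid = defaultdict(list)
    classes = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, uid, *_ = line.split(":")   # name:passwd:uid:gid:...
        uid = int(uid)
        by_uid[uid].append(name)
        classes[name] = classify_uid(uid)
    findings = []
    for uid, names in sorted(by_uid.items()):
        if len(names) > 1:                    # two allocators collided
            findings.append(f"UID {uid} shared by {', '.join(names)}")
        if uid == 65535:                      # COS says this UID is not used
            findings.append(f"UID 65535 is reserved but used by {names[0]}")
    return classes, findings

# Constructed sample passwd entries (not from a real COS image).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
chronos:x:1000:1000::/home/chronos:/bin/bash
backupd:x:2000:2000::/:/bin/false
alice:x:2000:2000::/home/alice:/bin/bash
nobody:x:65534:65534::/nonexistent:/bin/false
stale:x:65535:65535::/:/bin/false
"""

if __name__ == "__main__":
    classes, findings = audit_passwd(SAMPLE_PASSWD)
    for name, purpose in classes.items():
        print(f"{name:8} -> {purpose}")
    for finding in findings:
        print("WARNING:", finding)
```

On a live system, read `/etc/passwd` (and `/etc/group` for GIDs) instead of `SAMPLE_PASSWD`; the `backupd`/`alice` collision shows a daemon placed in the cloud-init range, which is exactly the conflict the allocation table is meant to prevent.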
## Resources
* http://go/uid-ranges-on-cos-design