# UIDs and GIDs on COS

In COS we identify a user by a value called a user identifier (UID) and a group by
a group identifier (GID). These are used to determine which system resources a
user or group can access. UIDs and GIDs take values in the range [0, 2^32).

In COS, some UIDs are inherited from the CrOS system and some UIDs are owned by
COS itself. We need to make sure that the UIDs and GIDs of users created by
different parts of the system don't conflict.

There are three general classes of users on a COS instance:

* Statically allocated users used by system daemons, reserved at build time
  * Includes ChromeOS owned user & group IDs (ex: chronos, chronos_access)
  * Includes COS owned user & group IDs (docker, systemd*)
  * Users reserved for special purposes, e.g., ‘nobody’
* Dynamically allocated users created by a user manager on the system. On COS,
  this includes cloud-init, the Google accounts daemon, and OS Login.
  Cloud-init today already uses the [2000, 4999] range for this purpose.
  Documented here.
* Explicitly allocated user/group IDs based on the allocation in the user's
  organization. For example, an organization might explicitly want to allocate
  UIDXXXX to its users when they log into a COS (or any GCE) instance.

| UID Range       | Purpose                                        |
| --------------- | ---------------------------------------------- |
| [0, 1998]       | To be used by daemons owned by ChromeOS or COS |
| 1999            | User added by COS on non-GCP boards            |
| [2000, 4999]    | Users added through cloud-init                 |
| [5000, 65533]   | To be used by daemons owned by ChromeOS or COS |
| 65534           | User nobody                                    |
| 65535           | Will not use                                   |
| [65536, 2^32-1] | Free to use                                    |

Apart from the ranges above, the Chromium OS guidelines for choosing UIDs for
system daemons also apply. CrOS system daemon UIDs (and associated GIDs) range
from 200-299 and from 20100-29999.

FUSE-based filesystem daemons have UID/GIDs that range from 300-399. If you're
adding a daemon that will be talking to cros-disks and managing some kind of
volumes (archives mounted as volumes, external disks, network-mounted storage,
etc.) then you should create a user and group with IDs in this range.

Groups that have no associated user should be given GIDs in the 400 range.

Groups and users that are shared with programs running in different user
namespaces should be in the 600-699 range.

The chronos user, which all user-facing processes in CrOS run as, is UID/GID
1000. There is also a special user/group that has access to many resources owned
by chronos, called chronos-access, which has the UID/GID 1001.

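As an added example (not code from the COS project), the band table above and the three classes of users can be encoded as a small allocation checker that flags IDs placed in the wrong band and IDs shared across allocators; the allocator names `build`, `cloud-init` and `org` and the sample entries are this example's own assumptions:

```python
from collections import Counter
from typing import List, Tuple

# Inclusive bands from the table above; 2**32 - 1 is the last valid ID in [0, 2^32).
BANDS: List[Tuple[int, int, str]] = [
    (0, 1998, "daemon"),          # daemons owned by ChromeOS or COS
    (1999, 1999, "cos-non-gcp"),  # user COS adds on non-GCP boards
    (2000, 4999, "cloud-init"),   # users added through cloud-init
    (5000, 65533, "daemon"),      # daemons owned by ChromeOS or COS
    (65534, 65534, "nobody"),
    (65535, 65535, "unused"),     # "Will not use"
    (65536, 2**32 - 1, "free"),   # free for explicit (organization) allocation
]

# Which band each allocator may draw from (allocator names are this example's own).
ALLOWED = {
    "build": {"daemon", "cos-non-gcp", "nobody"},  # static, reserved at build time
    "cloud-init": {"cloud-init"},                  # dynamic, created by a user manager
    "org": {"free"},                               # explicit organization allocation
}


def band_of(uid: int) -> str:
    """Return the band label for a UID or GID; reject values outside [0, 2^32)."""
    if not 0 <= uid < 2**32:
        raise ValueError(f"id {uid} is outside [0, 2^32)")
    for low, high, label in BANDS:
        if low <= uid <= high:
            return label
    raise AssertionError("BANDS must cover [0, 2^32)")  # unreachable by construction


def audit(entries: List[Tuple[str, int, str]]) -> List[str]:
    """Report misplaced allocations and ID collisions for (name, id, allocator) entries."""
    findings = []
    for name, uid, allocator in entries:
        band = band_of(uid)
        if band not in ALLOWED[allocator]:
            findings.append(f"{name}: id {uid} lies in the {band!r} band, not allowed for {allocator}")
    counts = Counter(uid for _, uid, _ in entries)
    for uid in sorted(u for u, n in counts.items() if n > 1):
        names = [name for name, u, _ in entries if u == uid]
        findings.append(f"id {uid} is shared by {', '.join(names)}")  # cross-allocator conflict
    return findings


# Constructed sample, not real COS accounts: one daemon placed in the cloud-init
# band, and one organization user colliding with a cloud-init user.
SAMPLE = [("svc-a", 250, "build"), ("alice", 2001, "cloud-init"),
          ("svc-b", 3000, "build"), ("bob", 2001, "org"), ("nobody", 65534, "build")]
```

Running `audit(SAMPLE)` yields three findings: `svc-b` in the cloud-init band, `bob` outside the free band, and id 2001 shared by `alice` and `bob`.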
## Resources

* http://go/uid-ranges-on-cos-design