blob: caa6ac3ebd6dc1c6112838317278c5a9567dc976 [file] [log] [blame]
In accordance with http://www.gentoo.org/proj/en/glep/glep-0027.html,
Chromium OS has implemented a mechanism that allows users and groups
to be managed stably and centrally for a given build profile. Each
user and group is defined in a file underneath the appropriate
profiles/base/accounts/ subdirectory.
For example, the 'chronos' user is defined as follows in a file at
profiles/base/accounts/user/chronos:
user:chronos
password:*
uid:1000
gid:1000
gecos:system_user
home:/home/chronos/user
shell:/bin/bash
The 'cras' group is defined in a similarly constructed file at
profiles/base/accounts/group/cras:
group:cras
password:!
gid:220
users:chronos,power
Notice how the membership of the group is provided in the group
definition, even though traditionally this is done at user-creation
time.
The password field can be set to one of the following:
! - The account is locked and may not be logged into (This is the default).
* - No password yet, but the account has the ability to have one added,
so this should be used for accounts that people expect to have a password
set for, or want to otherwise login as remotely.
x - The password is shadowed but the account is for an internal feature;
people should not set a password themselves.
An encrypted password as per crypt(3).
---------
Choosing UIDs and GIDs
Every UID on CrOS has an associated GID with the same value. The
opposite does not hold true, however.
CrOS system daemon UIDs (and associated GIDs) range from 200-299. If
you're creating a new user, pick the first UID in this range that is
not currently used, and create both a user and a group with this ID.
FUSE-based filesystem daemons have UID/GIDs that range from 300-399.
If you're adding a daemon that will be talking to cros_disks and
managing some kind of volumes (archives mounted as volumes, external
disks, network-mounted storage, etc.) then you should create a user
and group with IDs in this range
Groups that have no associated user should be given GIDs in the 400 range.
The 'chronos' user, which all user-facing processes in CrOS run as, is
UID/GID 1000. There is also a special user/group that has access to
many resources owned by chronos, called 'chronos-access', which has
the UID/GID 1001.