Safe UID/GID for custom system user?


I’m currently sanding down some remaining rough edges with the Citrix Workspace client app. So far it works OK, but I’m dealing with some details now.

Installing the RPM package creates a new citrixlog user and group. It’s supposed to be a system user and group, but the packagers have done a bad job, so citrixlog gets a UID of 1001 (next available) and the corresponding group gets a GID of 1001. As a result, citrixlog shows up in SDDM. Meh.

I’m planning on changing that to something more sensible like 999 for the UID and the GID. But before doing that, I’d like to know: which UID/GID combination is safe to use, e.g. there’s no package/service/whatever that will create a system user/group with the same UID/GID combination?

Check the following files:

  • /usr/share/doc/setup/uidgid
  • /etc/login.defs

Some packages that do create a system account and group do not request a specific UID and GID but let the system give “next available”.

For example, ‘munge’ does so:

$ rpm -q --scripts munge
preinstall scriptlet (using /bin/sh):

# generated from munge.sysusers
getent group 'munge' >/dev/null || groupadd -r 'munge'
getent passwd 'munge' >/dev/null || \
    useradd -r -g 'munge' -d '/run/munge' -s '/sbin/nologin' -c 'Runs Uid 'N' Gid Emporium' 'munge'

The -r in the above commands selects from SYS_UID_MIN…SYS_UID_MAX and SYS_GID_MIN…SYS_GID_MAX (set in /etc/login.defs).

That is,

  • all in the 201–999 range might not be free
  • if you pick dynamically, then all systems may not get identical accounts/groups

And that is exactly what my question was about. How can I find out one UID/GID pair in the 201-999 range that is free?

For example, here’s the last 10 lines of /etc/group on my Rocky Linux 8 workstation:

[kikinovak@alphamule:~] $ tail /etc/group

Is there a way to know if the 999/999 (or 998/998 etc.) UID/GID pair will be taken up (or not) by some other preinstall script in some other package?

Back in the days when I used Slackware, the SlackBuilds team kept such a list for all third-party additions to the distribution. It’s still available (and maintained) here:

Is there something similar for Rocky Linux?

I’d guess that

is the list of predetermined IDs. They seem all to be under SYS_?ID_MIN.
That also implies that 201–999 is “free for all (services)”.

A trivial (but not necessarily practical) solution is to create your service accounts before installing any packages that also use the range.

I usually peek at accounts and groups with:

getent passwd | sort -t: -k3n
getent group | sort -t: -k3n

(One could obviously pipe those to awk -F: '{if (200 < $3 && $3 < 1000) print $0}')
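
The checks discussed in this thread, combined into one script (an added example, not part of the original posts): it reads the system range from /etc/login.defs and reports the lowest ID that is unused as both a UID and a GID. It searches upward from the bottom of the range because useradd -r and groupadd -r allocate from the top downward; the function names are hypothetical and the GID range is assumed to match the UID range.

```shell
#!/bin/sh
# Added example: find a UID/GID pair that is free right now in the system range.
# It cannot predict what a future package scriptlet will request.

# login_defs_value KEY DEFAULT [FILE]
# Prints the value of KEY from login.defs, or DEFAULT if unset or unreadable.
login_defs_value() {
    file=${3:-/etc/login.defs}
    [ -r "$file" ] || { echo "$2"; return; }
    awk -v key="$1" -v def="$2" '
        $1 == key { val = $2 }
        END { print (val != "" ? val : def) }' "$file"
}

# free_system_id MIN MAX PASSWD_DATA GROUP_DATA
# PASSWD_DATA / GROUP_DATA are in "getent passwd" / "getent group" format.
# Prints the lowest ID in MIN..MAX that is neither a UID, a GID, nor a
# primary GID referenced by a passwd entry. Returns 1 if the range is full.
free_system_id() {
    printf '%s\n%s\n' "$3" "$4" | awk -F: -v min="$1" -v max="$2" '
        NF >= 3 { used[$3] = 1 }   # UID (passwd line) or GID (group line)
        NF == 7 { used[$4] = 1 }   # primary GID of a passwd entry
        END {
            for (id = min; id <= max; id++)
                if (!(id in used)) { print id; exit 0 }
            exit 1
        }'
}

# Live check. Defaults 201 and 999 are the range quoted in this thread.
min=$(login_defs_value SYS_UID_MIN 201)
max=$(login_defs_value SYS_UID_MAX 999)
if id=$(free_system_id "$min" "$max" "$(getent passwd)" "$(getent group)"); then
    echo "Lowest free UID/GID pair in $min-$max: $id/$id"
else
    echo "No free UID/GID pair in $min-$max" >&2
fi
```

Using getent rather than reading /etc/passwd and /etc/group directly also catches IDs that come from other NSS sources such as LDAP or SSSD.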