Comments on: Duplicate UIDs On Linux

By: Josef

Josef — Wed, 05 Dec 2012 15:03:27 +0000

I use this to have a second user with bash for sftp-clients.
I use zsh as my shell and have it start in screen at login (so actually screen is my login shell) asd GUI sftp clients don’t work that way. With a second [username]-sftp user with same UID and GID I can transfer files and they have the correct rights.

By: draeath

draeath — Mon, 13 Jun 2011 14:56:44 +0000

I’ve run into a case where the clamd packages were expecting the user clamav, and yet other software was insisting (eg replacing the config change on update) on it being clam. The best solution I found to prevent maintenance headaches was to make sure the clamav and clam users/groups have the same ID numbers.

Since I did this, I have yet to have to go back and fix the thing after an update.

By: Marco Ceppi

Marco Ceppi — Mon, 28 Jun 2010 18:14:06 +0000

AlexP: I used a similar hack for Tomcat – someone needed to upload and modify Tomcat configuration files, and upload webapps, without using SSH (They used SFTP) So I created a user with the same UID/GID as tomcat, as files are modified and written by either the user or tomcat the UID stays the same and permissions can be more restrictive.

However this was, as I consider, a hack. I haven’t seen any negative impacts but with enough brainpower and time I’m sure a better compromise could have been hatched.

I don’t recommend this for production environments.

By: Aaron

Aaron — Tue, 13 Apr 2010 14:56:01 +0000

Not sure I follow. You want to create a folder that gives the apache user write access to it automatically? Probably best to use file ACLs. Check out the ‘setfacl -d’ command.

By: AlexP

AlexP — Thu, 08 Apr 2010 08:20:59 +0000

I realize this post is almost 2 years old, but hopefully someone jumps back on it?

By: AlexP

AlexP — Thu, 08 Apr 2010 08:20:16 +0000

So i ran into this “occasion” where i am trying to figure out the proper way to do it, and my “scrappy” brain decided why not duplicate the UID and GID?…

I am learning/setting up CentOS Server admin. I installed vsftpd and apache, and the problem was, if i made any changes or created a folder with the ftpsecure user via my ftp client then apache didnt have privileges to write to that folder unless i chmod 775 the folder opposed to keeping it at 755.

So if my apache UID and GID were 46, i just created another user “example” and then placed the example above apache so it was found on the first pass.

Now i can create folders via ftp and have apache(php) able to write to them.

Although this works, i get the hunch its not save or stable?

By: rnd

rnd — Fri, 01 Aug 2008 23:36:04 +0000

P.S. Sorry about posting from vista… I’m at work…

By: rnd

rnd — Fri, 01 Aug 2008 23:34:15 +0000

Actually I was thinking about utilizing this to create a second user with the same id as www-data/httpd/apache2 user so I could create a user who could log into a vsftpd chrooted session but be in the doc root with the correct user ID to automatically make files readable to the web server. Of course the real user running the Apache daemon would remain disabled for login. Does anybody foresee a major issue with this idea? Your feedback would be appreciated!

By: Alex

Alex — Sun, 27 Jul 2008 12:39:33 +0000

I once tried this with a regular user, in order to have two KDE stored sessions, depending on if I was online or not. It apparently worked, but then subtle errors which I no longer remember happened down the way. I guess that the ambiguous name given the UID do mattered somewhere. It seemed a good idea at the time, though.

By: Fergus Doyle

Fergus Doyle — Wed, 23 Jul 2008 22:34:21 +0000

One reason to use it is if you are using a certain software package and you want to have say a “menu” log in and “shell” and maybe a reports login. Now what happens is depending on your username you get access to different functionality according to your .profile. But we still need to be careful about permissions because if we are accessing shared memory or stopping / starting processes we need to have the correct permissions. Sure you can do most of this through group permissions rather than user perms ions but shared memory can be more _troublesome_ on some versions of Unix not sure where Linux stands on this one though.

By: grsjst

grsjst — Mon, 21 Jul 2008 08:23:51 +0000

I suppose duplicate uid’s may be helpful for nfs when the same user has differnt uid’s on different machines.

By: Tormod

Tormod — Fri, 18 Jul 2008 13:09:09 +0000

“Further, when testing the account against the /etc/passwd file for existence, upon first successful pass is the winning account. That is why ‘whoami’ shows the ‘test_root’ account rather than the ‘root’ account.”

So if you log in as root (as opposed to test_root in your example) “whoami” will return “test_root”? If whoami is meant to “print the user name associated with the current effective user ID” that’s a reasonable behaviour.

By: Jeff Schroeder

Jeff Schroeder — Fri, 18 Jul 2008 12:25:27 +0000

Editing /etc/passwd is pretty undesirable. If you mess it up, you pork your system. Don’t do that unless you *really* know what you are doing.

Use vipw as it won’t let you save an invalid passwd file, or something along the lines of:
usermod -o -u 0 hax0r

The “-o” allows you to use non-unique uids and doesn’t have a chance of hosing your system. Never try to be too clever, it will bite you in the end.

To answer your question, what if you need to do something that you would normally do with group permissions, but using a group is not really an option? Even if it sounds ugly, it will pop up on the rare occassion.

The solution is generally to use a duplicate UID even if it is discouraged.

@anonymous: Take a look at this simple lockdown script I wrote for Ubuntu, it is intelligent enough to remove the login shells from many users who don’t need it and works from Dapper+ :
http://www.digitalprognosis.com/opensource/scripts/lockdown-ubuntu.sh.txt

By: anonymous

anonymous — Fri, 18 Jul 2008 11:02:55 +0000

A third post certainly feels stupid, even though the aim is not to troll.

A. A typo in the above; “without\with\ the UID/GID-combination”.

B. Perhaps you could blog about the shells in default Ubuntu install. Why on earth there is a valid shell for, say, man-pages? This is one of those things that are not “sensible defaults” and gives a serious messy feeling about Ubuntu’s interiors.

By: anonymous

anonymous — Fri, 18 Jul 2008 10:58:02 +0000

Oh, yes and one more thing:

“Further, I’ve heard applications check for the username “root” rather than the UID “0″ like they should.”

You can not obtain any privileges with the UID/GID-combination. The names are just for convenience; I remember that the getuid() -man page was (once) decent on Linux.

Perhaps you should reread about the standard UNIX/Linux DAC model. For multiple superusers, you need MAC or similar solution (think e.g. SELinux), as you probably are well aware of.