
Duplicate UIDs On Linux

This may be old hat for some, but I just discovered today that it is possible to have duplicate user IDs on the same Linux machine. The 'useradd' and 'adduser' commands will not allow it:

root@kratos:~# useradd -u 0 test_root
useradd: UID 0 is not unique

However, fear not. Hand-editing the /etc/passwd file is possible, and an account added that way can log in successfully. For example, here are the first 10 lines of my /etc/passwd:

root@kratos:~# head /etc/passwd
test_root:x:0:0:root:/root:/bin/bash
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
root@kratos:~# pwconv

I ran the 'pwconv' command to update the /etc/shadow file for the password aging information on the 'test_user'. Now, to test with a login shell:

root@kratos:~# passwd test_root
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully
root@kratos:~# ssh test_root@localhost
test_root@localhost's password: 
test_root@kratos:~# whoami
test_root

As you probably know, Linux doesn't care about the username itself nearly as much as it does about the UID behind it. Further, when an account is looked up in the /etc/passwd file, the first matching entry wins. That is why 'whoami' shows the 'test_root' account rather than the 'root' account.
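
An audit check for the situation shown above, as an added example rather than code from the original post: it reads passwd-format lines on standard input, reports every UID held by more than one account together with the name the first-match rule resolves it to, and lists accounts other than 'root' that hold UID 0. The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit passwd-format input for shared UIDs.

# find_dup_uids: reads passwd lines on stdin, prints one line per shared UID:
#   "<uid> resolves_to=<first name listed> also=<later names, comma separated>"
find_dup_uids() {
    awk -F: '
        /^#/ || NF != 7 { next }            # skip comments and malformed lines
        {
            uid = $3
            if (!(uid in first)) { first[uid] = $1; order[++n] = uid }
            else if (uid in others) others[uid] = others[uid] "," $1
            else others[uid] = $1
        }
        END {
            # report in file order, since the first entry is the one that wins
            for (i = 1; i <= n; i++) {
                uid = order[i]
                if (uid in others)
                    printf "%s resolves_to=%s also=%s\n", uid, first[uid], others[uid]
            }
        }
    '
}

# extra_uid0: reads passwd lines on stdin, prints names other than "root"
# that carry UID 0 (numeric compare, so "00" is caught as well).
extra_uid0() {
    awk -F: 'NF == 7 && $3 == 0 && $1 != "root" { print $1 }'
}

# Constructed sample input, modelled on the listing above.
SAMPLE='test_root:x:0:0:root:/root:/bin/bash
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh'

printf '%s\n' "$SAMPLE" | find_dup_uids
printf '%s\n' "$SAMPLE" | extra_uid0
```

On a live system, feed it `getent passwd` instead of the sample so that accounts from other NSS sources are included as well as those in /etc/passwd.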

Why would you do this? Doesn't this just seem silly? To be honest, the only solution I can see with multiple UIDs would be for the root account, as demonstrated above. This way, if you lock out the root account, say with PAM or otherwise, you have a "back door" root account that you can use. Unfortunately, this leads to bad overhead and sloppy administration. Further, I've heard applications check for the username "root" rather than the UID "0" like they should, thus generating broken apps when using the backdoor account. Definitely, a better solution to this scenario would be proper delegation of the 'sudo' command via the /etc/sudoers file.

I would be interested in further insight from those who have encountered this scenario before. Please comment.
