Comments on: Duplicate UIDs On Linux
https://pthree.org/2008/07/17/duplicate-uids-on-linux/
Linux. GNU. Freedom.
Sun, 13 May 2018 18:21:35 +0000

By: Josef https://pthree.org/2008/07/17/duplicate-uids-on-linux/#comment-119311 Wed, 05 Dec 2012 15:03:27 +0000
I use this to have a second user with bash for sftp-clients.
I use zsh as my shell and have it start in screen at login (so actually screen is my login shell) and GUI sftp clients don't work that way. With a second [username]-sftp user with same UID and GID I can transfer files and they have the correct rights.

By: draeath https://pthree.org/2008/07/17/duplicate-uids-on-linux/#comment-115808 Mon, 13 Jun 2011 14:56:44 +0000
I've run into a case where the clamd packages were expecting the user clamav, and yet other software was insisting (e.g. replacing the config change on update) on it being clam. The best solution I found to prevent maintenance headaches was to make sure the clamav and clam users/groups have the same ID numbers.

Since I did this, I have yet to have to go back and fix the thing after an update.

By: Marco Ceppi https://pthree.org/2008/07/17/duplicate-uids-on-linux/#comment-111014 Mon, 28 Jun 2010 18:14:06 +0000
AlexP: I used a similar hack for Tomcat - someone needed to upload and modify Tomcat configuration files, and upload webapps, without using SSH (they used SFTP). So I created a user with the same UID/GID as tomcat; as files are modified and written by either the user or tomcat, the UID stays the same and permissions can be more restrictive.

However this was, as I consider, a hack. I haven't seen any negative impacts but with enough brainpower and time I'm sure a better compromise could have been hatched.

I don't recommend this for production environments.

By: Aaron https://pthree.org/2008/07/17/duplicate-uids-on-linux/#comment-110805 Tue, 13 Apr 2010 14:56:01 +0000
Not sure I follow. You want to create a folder that gives the apache user write access to it automatically? Probably best to use file ACLs. Check out the 'setfacl -d' command.

By: AlexP https://pthree.org/2008/07/17/duplicate-uids-on-linux/#comment-110795 Thu, 08 Apr 2010 08:20:59 +0000
I realize this post is almost 2 years old, but hopefully someone jumps back on it?

By: AlexP https://pthree.org/2008/07/17/duplicate-uids-on-linux/#comment-110794 Thu, 08 Apr 2010 08:20:16 +0000
So I ran into this "occasion" where I am trying to figure out the proper way to do it, and my "scrappy" brain decided why not duplicate the UID and GID?...

I am learning/setting up CentOS Server admin. I installed vsftpd and apache, and the problem was, if I made any changes or created a folder with the ftpsecure user via my ftp client then apache didn't have privileges to write to that folder unless I chmod 775 the folder opposed to keeping it at 755.

So if my apache UID and GID were 46, I just created another user "example" and then placed the example above apache so it was found on the first pass.

Now I can create folders via ftp and have apache(php) able to write to them.

Although this works, I get the hunch it's not safe or stable?

By: rnd https://pthree.org/2008/07/17/duplicate-uids-on-linux/#comment-105647 Fri, 01 Aug 2008 23:36:04 +0000
P.S. Sorry about posting from vista... I'm at work...

By: rnd https://pthree.org/2008/07/17/duplicate-uids-on-linux/#comment-105646 Fri, 01 Aug 2008 23:34:15 +0000
Actually I was thinking about utilizing this to create a second user with the same id as www-data/httpd/apache2 user so I could create a user who could log into a vsftpd chrooted session but be in the doc root with the correct user ID to automatically make files readable to the web server. Of course the real user running the Apache daemon would remain disabled for login. Does anybody foresee a major issue with this idea? Your feedback would be appreciated!

By: Alex https://pthree.org/2008/07/17/duplicate-uids-on-linux/#comment-105166 Sun, 27 Jul 2008 12:39:33 +0000
I once tried this with a regular user, in order to have two KDE stored sessions, depending on if I was online or not. It apparently worked, but then subtle errors which I no longer remember happened down the way. I guess that the ambiguous name given the UID did matter somewhere. It seemed a good idea at the time, though.

By: Fergus Doyle https://pthree.org/2008/07/17/duplicate-uids-on-linux/#comment-104912 Wed, 23 Jul 2008 22:34:21 +0000
One reason to use it is if you are using a certain software package and you want to have say a "menu" log in and "shell" and maybe a reports login. Now what happens is depending on your username you get access to different functionality according to your .profile. But we still need to be careful about permissions because if we are accessing shared memory or stopping / starting processes we need to have the correct permissions. Sure you can do most of this through group permissions rather than user permissions but shared memory can be more _troublesome_ on some versions of Unix, not sure where Linux stands on this one though.

By: grsjst https://pthree.org/2008/07/17/duplicate-uids-on-linux/#comment-104680 Mon, 21 Jul 2008 08:23:51 +0000
I suppose duplicate uid's may be helpful for nfs when the same user has different uid's on different machines.

By: Tormod https://pthree.org/2008/07/17/duplicate-uids-on-linux/#comment-104466 Fri, 18 Jul 2008 13:09:09 +0000
"Further, when testing the account against the /etc/passwd file for existence, upon first successful pass is the winning account. That is why ‘whoami’ shows the ‘test_root’ account rather than the ‘root’ account."

So if you log in as root (as opposed to test_root in your example) "whoami" will return "test_root"? If whoami is meant to "print the user name associated with the current effective user ID" that's a reasonable behaviour.

By: Jeff Schroeder https://pthree.org/2008/07/17/duplicate-uids-on-linux/#comment-104465 Fri, 18 Jul 2008 12:25:27 +0000
Editing /etc/passwd is pretty undesirable. If you mess it up, you pork your system. Don't do that unless you *really* know what you are doing.

Use vipw as it won't let you save an invalid passwd file, or something along the lines of:
usermod -o -u 0 hax0r

The "-o" allows you to use non-unique uids and doesn't have a chance of hosing your system. Never try to be too clever, it will bite you in the end.

To answer your question, what if you need to do something that you would normally do with group permissions, but using a group is not really an option? Even if it sounds ugly, it will pop up on the rare occasion.

The solution is generally to use a duplicate UID even if it is discouraged.

@anonymous: Take a look at this simple lockdown script I wrote for Ubuntu, it is intelligent enough to remove the login shells from many users who don't need it and works from Dapper+ :
http://www.digitalprognosis.com/opensource/scripts/lockdown-ubuntu.sh.txt

By: anonymous https://pthree.org/2008/07/17/duplicate-uids-on-linux/#comment-104462 Fri, 18 Jul 2008 11:02:55 +0000
A third post certainly feels stupid, even though the aim is not to troll.

A. A typo in the above; "without\with\ the UID/GID-combination".

B. Perhaps you could blog about the shells in default Ubuntu install. Why on earth there is a valid shell for, say, man-pages? This is one of those things that are not "sensible defaults" and gives a serious messy feeling about Ubuntu's interiors.

By: anonymous https://pthree.org/2008/07/17/duplicate-uids-on-linux/#comment-104461 Fri, 18 Jul 2008 10:58:02 +0000
Oh, yes and one more thing:

"Further, I’ve heard applications check for the username “root” rather than the UID “0” like they should."

You can not obtain any privileges with the UID/GID-combination. The names are just for convenience; I remember that the getuid() -man page was (once) decent on Linux.

Perhaps you should reread about the standard UNIX/Linux DAC model. For multiple superusers, you need MAC or similar solution (think e.g. SELinux), as you probably are well aware of.

By: anonymous https://pthree.org/2008/07/17/duplicate-uids-on-linux/#comment-104460 Fri, 18 Jul 2008 10:53:39 +0000
@Another John:

Yeah, the so-called "toor-user" is in NetBSD too.

@Aaron:

This has nothing to do with “back door” root account, but instead it is typically due to different shells:

root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again superuser:/root:/bin/sh

Of course in Linux it is Bash all the way down, so there is no real reason for this odd feature.

By: T Steffen https://pthree.org/2008/07/17/duplicate-uids-on-linux/#comment-104459 Fri, 18 Jul 2008 10:43:26 +0000
I used to work in a place ages ago where everybody had the same user id. This was on HP, but I guess Linux is broadly similar.

For access restrictions, the UID is the only thing that matters. But you can still have separate home directories and profiles, because those are set based on the actual user name. Also the variable $USER can be used if necessary - as you have found out already.

By: Another John https://pthree.org/2008/07/17/duplicate-uids-on-linux/#comment-104458 Fri, 18 Jul 2008 10:41:49 +0000
On FreeBSD you have a special account called 'toor' that works in the way John Gill describes. See http://www.freebsd.org/doc/en_US.ISO8859-1/books/faq/security.html#TOOR-ACCOUNT

By: John Gill https://pthree.org/2008/07/17/duplicate-uids-on-linux/#comment-104448 Fri, 18 Jul 2008 07:18:31 +0000
Only use I can think of is to have a way to log on with different default shells for the same user.

By: John Myers https://pthree.org/2008/07/17/duplicate-uids-on-linux/#comment-104444 Fri, 18 Jul 2008 05:00:04 +0000
useradd does allow creating users with duplicate IDs with the -o option
