Are UIDs/GIDs lower than 100 considered a vulnerability problem or not?

This document (7003591) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Desktop 10 Service Pack 1
SUSE Linux Enterprise Desktop 10 Service Pack 2
SUSE Linux Enterprise Desktop 11
SUSE Linux Enterprise Server 11
SUSE Linux Enterprise Server 10 Service Pack 1
SUSE Linux Enterprise Server 10 Service Pack 2
SUSE Linux Enterprise Server 9 Service Pack 4
SUSE Linux Enterprise Server 9 Service Pack 3
SUSE Linux Enterprise Server 9 Service Pack 2
SUSE Linux Enterprise Server 9 Service Pack 1

Situation

The customer is worried that user and group IDs lower than 100 are a vulnerability problem.

Resolution

The numeric value has no special meaning at all (except for root and nobody in some cases). It doesn't matter at all whether e.g. the 'at' user has uid 25, 666 or 4711. Also, 100 is no magic value. It is just a legacy from former times when system users were not created dynamically. Nowadays the uids for system users are allocated dynamically in the range defined in /etc/login.defs.

Customers should not perform such invasive changes to the system. In the best case it doesn't help anything, in the worst case it causes trouble due to broken permissions.

The concern regarding group membership IDs is not quite correct either. It is of course correct that system users like 'at' or 'haldaemon' are members of special groups. Normal users, however, should not be members of system groups on SUSE. Device permissions on SUSE Linux Enterprise 10 are handled by resmgr (resource manager client), so there is no need to be a member of e.g. 'audio' or 'cdrom'. The exception here is 'video': you need to be a member of that group if you use proprietary video drivers. Being a member of the 'dialout' group is needed for users who should be able to control dial-up connections via smpppd (SuSE Meta PPP Daemon).

100 is no magic value either (/etc/login.defs); in fact, 100 is the gid of the 'users' group, of which every (non-system) user created by useradd is a member by default.

Check the /etc/login.defs file for details about the minimum and maximum values for UID/GID.
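
An audit of the ID properties that do carry meaning according to the text above (UID 0, and normal users in system groups), rather than "UID below 100". This is an added example, not SUSE code; the sample file contents are constructed, and treating every group with a GID below GID_MIN as a "system group" is an assumption.

```python
# Added example: audit the ID properties that carry meaning, not "UID < 100".
# All sample data below is constructed; on a live host read /etc/login.defs,
# /etc/passwd and /etc/group instead.
LOGIN_DEFS = "# constructed sample\nUID_MIN 1000\nUID_MAX 60000\nGID_MIN 1000\n"
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
at:x:25:25:Batch jobs daemon:/var/spool/atjobs:/bin/bash
toor:x:0:0:constructed second UID 0 account:/root:/bin/bash
alice:x:1000:100:Alice:/home/alice:/bin/bash
bob:x:1001:100:Bob:/home/bob:/bin/bash
"""
GROUP = """\
root:x:0:
disk:x:6:bob
at:x:25:
video:x:33:alice
users:x:100:
"""
# Groups the article says normal users may legitimately belong to.
ALLOWED_GROUPS = {"users", "video", "dialout"}


def parse_login_defs(text):
    """Return the numeric KEY VALUE settings from login.defs content."""
    values = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 2 and fields[1].isdigit():
            values[fields[0]] = int(fields[1])
    return values


def audit(login_defs, passwd, group):
    """Return (non-root accounts with UID 0, [(normal user, system group)])."""
    defs = parse_login_defs(login_defs)
    uids = {f[0]: int(f[2]) for f in (l.split(":") for l in passwd.splitlines()) if len(f) >= 7}
    extra_root = sorted(n for n, u in uids.items() if u == 0 and n != "root")
    normal = {n for n, u in uids.items() if defs["UID_MIN"] <= u <= defs["UID_MAX"]}
    findings = []
    for f in (l.split(":") for l in group.splitlines()):
        # Assumption: "system group" means a GID below GID_MIN.
        if len(f) != 4 or int(f[2]) >= defs["GID_MIN"] or f[0] in ALLOWED_GROUPS:
            continue
        findings += [(m, f[0]) for m in f[3].split(",") if m in normal]
    return extra_root, sorted(findings)


if __name__ == "__main__":
    print(audit(LOGIN_DEFS, PASSWD, GROUP))
```

The 'at' account with uid 25 produces no finding, while the second UID 0 account and the normal user in 'disk' do.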

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 7003591
  • Creation Date: 19-Jun-2009
  • Modified Date: 03-Mar-2020
    • SUSE Linux Enterprise Desktop
    • SUSE Linux Enterprise Server
