13

I understand* the primary admin user is given a user ID of 501 and subsequent users get incremental numbers (502, 503, …). But why 501? What’s special about 50x, what’s the historical/technical reason for this choice?

* I started looking into this when I got curious as to why my external hard drive had all its trashed files inside .Trashes/501. My search led me to the conclusion 501 is the user ID for the primary admin in *nix systems (I am on macOS), but not why.

user137369

2 Answers

24

Many Unix systems start handing out UIDs to users at some particular number. Solaris will give the first general purpose user UID 100, on OpenBSD it's 1000, and on macOS it appears it's UID 501 that will be the UID for the first created interactive user, which is also likely a macOS admin user (which is not the same as the root user).

The accounts with lower numbers are system user accounts for daemons etc. This makes it easier to distinguish interactive "human" accounts from system services accounts. This may also make user management, authentication etc. easier in various software. YP/NIS, a slightly outdated system for keeping user accounts (and other information) on a central server without having to create local users on multiple client machines, for example, has a MINUID and MAXUID setting for the range of user accounts that it should handle.

On some Unices, a range of the system service accounts may be allocated to third-party software, such as UIDs 50 to 999 on FreeBSD or 500 to 999 on OpenBSD.

All of these ranges are chosen by the makers and maintainers of the individual Unices according to the expected needs of their operating system. The POSIX standard does not say anything about these things. The lowest and highest allocatable UID (and GID) is often configurable by a local admin (see your adduser manual).

Most Unices reserve UID 0 for root, the super-user, and assign the highest possible UID (or at least some high value) to the user nobody (Solaris uses UID 60001, OpenBSD uses 32768, but UIDs may be much larger than that).

(See comments about UID 0 always being root (or not), which is a slight digression from this topic)


Update: The OpenBSD project recently rejected the idea of randomizing UID/GID allocation.

Kusalananda
  • Note also that these are merely CONVENTIONS. In Unix and Unix-like systems, there's nothing inherently magical about a UID. Root could arbitrarily be given a UID of 65535 and the first interactive user could be assigned as UID 0. – Deacon Apr 15 '17 at 11:51
  • @DougR. Possibly, but it would quite likely break a number of existing pieces of software. POSIX tends to say a _process_ needs "appropriate privileges", not a _user_. See also the definition of "appropriate privileges" (which mentions UID 0 as "superuser" on some systems): http://pubs.opengroup.org/onlinepubs/9699919799/xrat/V4_xbd_chap03.html – Kusalananda Apr 15 '17 at 12:20
  • Privilege over user was the point of my comment, even if I didn't state it as clearly as you just did. The only software that should break is software that relies on its UID being in a specific range. Not certain what, if anything, does that. – Deacon Apr 15 '17 at 12:42
  • @DougR. Related: https://superuser.com/questions/626843/does-the-root-account-always-have-uid-gid-0 – Kusalananda Apr 15 '17 at 12:47
8

For distributions which follow the LSB, they allocate UIDs and GIDs 0-99 statically. UIDs 100-499 are allocated dynamically, but these also are for the system, and not for login accounts.

For example, printing daemons like cups tend to be allocated their own user account. So if a vulnerability in the daemon is exploited, the daemon is not running as root with full power over the system. (Nor does it necessarily have the power to interfere with other daemons).

On more recent Linux distributions, the system range is extended up to 999.

This would leave UIDs 500 upwards (or 1000 upwards) for login accounts.

Debian additionally has a static allocation for UID/GID 100, although I can't imagine that deviation causing any particular problem.

It's easy to imagine another system with an off-by-one deviation, which additionally reserves UID 500. (I assume this would still be compliant; I can't imagine all the Linux'es have been violating the LSB for this long, without it being updated).

The first login account doesn't have to be either an admin account or the primary admin account. Systems don't necessarily use sudo (particularly if they pre-date it :). You might say the "primary admin account" is root in that case. Other than that, *nix and general-purpose Linux distributions don't recognise a specific "primary admin account".

sourcejedi
  • Not sure why you are talking about Linux, when OP specifically asks about Mac OS X. – user Apr 14 '17 at 18:31
  • > edited 7 hours ago > in *nix systems – sourcejedi Apr 14 '17 at 19:25
  • `On more recent Linux distributions, the system range is extended up to 999.` - I always had user IDs from 1000 upwards and I started using Linux in 2005. I wouldn't call it "recent". – Mirek Długosz Apr 14 '17 at 22:11
  • What makes you think 100 is static on Debian? Looking at a couple of my systems it looks dynamic to me (on one it was systemd-timesync, on another it was sshd). – plugwash Apr 14 '17 at 23:46
  • When the question was edited 12:22 UTC the OP added the [osx] tag along with the mention of OS X in the question body. Your answer was posted ten minutes later and appears to not take this into account at all. – user Apr 15 '17 at 06:32
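
An added example (not from either answer or from any project): a small Python audit of passwd(5)-format text against the UID conventions described in the two answers above. The thresholds are the figures quoted there; the shell list, the finding names and the sample entries are constructed assumptions.

```python
from collections import defaultdict

# First UID given to an interactive account, as quoted in the answers above.
FIRST_LOGIN_UID = {"solaris": 100, "macos": 501, "linux-lsb": 500,
                   "linux-recent": 1000, "openbsd": 1000}
# Shells that refuse interactive logins (assumed list; adjust per system).
NOLOGIN = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"}

def parse_passwd(text):
    """Yield (name, uid, shell); blank, comment and malformed lines are skipped."""
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 7 and fields[2].isdecimal():
            yield fields[0], int(fields[2]), fields[6]

def classify(uid, platform):
    """Label a UID according to the platform's allocation convention."""
    if uid == 0:
        return "superuser"
    return "login" if uid >= FIRST_LOGIN_UID[platform] else "system"

def audit(text, platform):
    """Return sorted (finding, name, uid) tuples for entries that break convention."""
    findings, by_uid = [], defaultdict(list)
    for name, uid, shell in parse_passwd(text):
        by_uid[uid].append(name)
        kind = classify(uid, platform)
        if kind == "superuser" and name != "root":
            findings.append(("extra-uid0", name, uid))
        elif kind == "system" and shell not in NOLOGIN:
            findings.append(("system-uid-with-shell", name, uid))
    for uid, names in by_uid.items():
        for name in names[1:]:  # every account after the first one sharing a UID
            findings.append(("duplicate-uid", name, uid))
    return sorted(findings)

# Constructed sample, not taken from a real host.
SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second superuser:/root:/bin/sh
cups:x:110:7:CUPS daemon:/var/spool/cups:/usr/sbin/nologin
backupsvc:x:450:450:backup job:/var/backup:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1000:1001:Bob:/home/bob:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""

if __name__ == "__main__":
    print(audit(SAMPLE, "linux-recent"))
```

The same entry can be a finding on one platform and not on another: UID 450 with a login shell is inside the system range under the `linux-recent` threshold but counts as an ordinary login account under the `solaris` one.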