9.2.2. UID and GID classes
The UID and GID numbers are divided into classes as follows:
0-99:
Globally allocated by the Debian project, the same on every Debian system. These ids will appear in the passwd
and group
files of all Debian systems, new ids in this range being added automatically as the base-passwd
package is updated.
Packages which need a single statically allocated uid or gid should use one of these; their maintainers should ask the base-passwd
maintainer for ids.
100-999:
Dynamically allocated system users and groups. Packages which need a user or group, but can have this user or group allocated dynamically and differently on each system, should use adduser --system
to create the group and/or user. adduser
will check for the existence of the user or group, and if necessary choose an unused id based on the ranges specified in adduser.conf
.
1000-59999:
Dynamically allocated user accounts. By default adduser
will choose UIDs and GIDs for user accounts in this range, though adduser.conf
may be used to modify this behavior.
60000-64999:
Globally allocated by the Debian project, but only created on demand. The ids are allocated centrally and statically, but the actual accounts are only created on users’ systems on demand.
These ids are for packages which are obscure or which require many statically-allocated ids. These packages should check for and create the accounts in /etc/passwd
or /etc/group
(using adduser
if it has this facility) if necessary. Packages which are likely to require further allocations should have a “hole” left after them in the allocation, to give them room to grow.
65000-65533:
Reserved.
65534:
User nobody
. The corresponding gid refers to the group nogroup
.
65535:
This value must not be used, because it was the error return sentinel value when uid_t
was 16 bits.
65536-4294967293:
Dynamically allocated user accounts. By default adduser
will not allocate UIDs and GIDs in this range, to ease compatibility with legacy systems where uid_t
is still 16 bits.
4294967294:
(uid_t)(-2) == (gid_t)(-2)
must not be used, because it is used as the anonymous, unauthenticated user by some NFS implementations.
4294967295:
(uid_t)(-1) == (gid_t)(-1)
must not be used, because it is the error return sentinel value.