Level up your business security with free, on-demand training and certification. Explore 1Password Academy today →
Forum Discussion
Why the requirement for group id >= 1000?
In various places people have had to discover, and workaround the fact that the 1Password Browser-Helper and CLI not only require being in a specific group (fine), and have setgid set (also fine), but the gid of that group must by greater or equal to 1000 for the integration to work:
- Arch: Can not connect to desktop app | 1Password Community
- Gentoo: [SOLVED] Browser support error on Gentoo Linux | 1Password Community
- NixOS: https://github.com/NixOS/nixpkgs/commit/2a58907251af76c67c6d14c1e84e73f7eaeb95e8
I've been working on a distro package for a Linux distribution I'm building and also had to discover this. As per the previous implementation in the AUR, my package uses systemd-sysusers to automatically manage users and groups required by packages. By default these automatically assigned gids are less than 1000, which causes the browser integration to fail. I can work around by hard-coding a gid, but it would be better if it just worked with the automatically assigned one.
I'm wondering what's the reason for the >= 1000 requirement, and can the need for it be removed to make packaging simpler, cleaner, and consistent with other packages that need specific users and groups.
3 Replies
There is a de facto standard for Linux and some other unix platforms for the IDs for users and groups by which human users have UIDs and GIDs starting at 1000. Look for `UID_MIN` and `GID_MIN` in useradd(8) and groupadd(8).
Note that this is distinct from the reserved or built-in system UIDs and GIDs, which are traditionally below 101.After writing that, I see that systemd-sysusers(8) references Users, Groups, UIDs and GIDs on systemd Systems.
There is a de facto standard for Linux and some other unix platforms for the IDs for users and groups by which human users have UIDs and GIDs starting at 1000.
Yes I'm aware of that. I don't understand why the `onepassword` group, which is a group for software, not a human user requires the GID to be greater than 1000.
I'm aware of that.
I strongly suspected you would be, but since you didn't indicate so and for the audience, I thought it worth mentioning.
I don't understand why the `onepassword` group, which is a group for software, not a human user requires the GID to be greater than 1000.
Nor do I, but I suspect that the use of SETGID is a factor, since it means that users' processes will be running with this GID. That said, it seems wrong to tread on ground which should be exclusive to us meat machines.
From the ancient low number IDs to the countdown-from-999 assignments for "system" IDs, I don't even have an opinion on what right in this case (which is a rarity).I hope that someone better informed weighs in with a good explanation.
