# What is GROUP 1000?



## IT_Architect (Jul 28, 2018)

What is GROUP 1000?  I have multiple files that show:

```
server# ls -l passwd
-rw-r--r--  1 root  1000  2181 Jan 30  2013 passwd
```

If I show properties of passwd in WinSCP it shows:
root [0]
1000 [1000]

There is no 1000 in the group file.

Thanks!


----------



## ralphbsz (Jul 28, 2018)

I think some OSes (perhaps some Linux distributions, or AIX or HP-UX) use UIDs starting at 1001, 1002, ... (or 501, 502, ...) for users, and then use GID 1000 or 500 for "staff".  I've seen that at some place I've worked.

But a much bigger concern is this: Is the file you are talking about /etc/passwd?  That makes very little sense, as it is supposed to be owned by UID=0 and GID=0 (meaning "root wheel" in FreeBSD default setups).  If that's true, then I wonder how you managed to get the file group ownership changed.  You should probably check the content of the file too, this might be a little bit suspicious.

You know the meme with Alex Jones (with lots of hair) saying at the top "I'm not saying it's aliens...", and at the bottom "... but it's aliens"?  You might want to look for hackers around your system, if that file changed.


----------



## rigoletto@ (Jul 28, 2018)

Just confirming user UIDs start at 1000 on FreeBSD but GIDs (UID for groups) IDK, but the group name is what should appear on `ls` and not its GID number, unless you (or someone) deleted the group.


----------



## ShelLuser (Jul 28, 2018)

IT_Architect said:


> What is GROUP 1000?  I have multiple files that show:
> 
> server# ls -l passwd
> -rw-r--r--  1 root  1000  2181 Jan 30  2013 passwd


That is bad news(tm) because anything above GID 1000 is user defined, just like with UIDs. It's simple really: normally user and group names get 'translated' with the information found in /etc/passwd and /etc/group respectively. But despite the names being present the system always works with the numeric values first and foremost.

So what you're seeing here is a misconfigured GID. The GID was set to 1000 without any matching entry in /etc/group.

It's something which can happen when you share a filesystem with another server (using NFS for example) and on the other host someone creates a file while the host's user information doesn't match the one on the main host.

But for it to show up on system files is pretty bizarre and, as I mentioned, bad news.

Is this server connected to the Internet by any chance?


----------



## SirDice (Jul 30, 2018)

lebarondemerde said:


> Just confirming user UIDs start at 1000 on FreeBSD but GIDs (UID for groups) IDK


First user account starts at 1001. First group is typically the same as the first user and has the same ID.


----------



## SirDice (Jul 30, 2018)

IT_Architect said:


> What is GROUP 1000? I have multiple files that show:
> 
> server# ls -l passwd
> -rw-r--r-- 1 root 1000 2181 Jan 30 2013 passwd


Got Pwned? Only root is able to change the group ownership of /etc/passwd.


----------



## phoenix (Jul 30, 2018)

At some point, someone created a new group and gave it GID 1000. Then they changed the group of a bunch of files to that group, thus setting the GID of those files to 1000. When doing an "ls -l", you'd see the group name as the shell translated from the GID to the name (as listed in /etc/group).

Later, that group was removed from the system, but the GID of the files was left alone. Now, when you do an "ls -l", it just shows you the GID as there's no group name to translate to.

If you don't remember creating a group with GID 1000, and there's no one else with root access to your system, then you've probably been compromised.


----------
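The stale-GID situation discussed in this thread can be checked for directly. The following is an added example, not part of any poster's reply: a Python script that lists entries under a directory whose numeric owner or group has no entry in the passwd and group files. It assumes accounts come from local files only (no NIS or LDAP), and the function names `load_ids` and `find_orphans` are this example's own.

```python
import os
import stat
import sys

def load_ids(db_path):
    """Return the numeric IDs (third colon-separated field) of a passwd(5)- or group(5)-format file."""
    ids = set()
    with open(db_path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            fields = line.strip().split(":")
            if not line.startswith("#") and len(fields) >= 3 and fields[2].isdigit():
                ids.add(int(fields[2]))
    return ids

def find_orphans(root, known_uids, known_gids):
    """Walk root and report entries whose numeric owner or group has no database entry."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: report a symlink itself, do not follow it
            except OSError:
                continue  # entry vanished or is unreadable
            reasons = []
            if st.st_uid not in known_uids:
                reasons.append("orphan-uid")
            if st.st_gid not in known_gids:
                reasons.append("orphan-gid")
                # Any group later created with this GID inherits the group bits.
                if st.st_mode & stat.S_IWGRP and not stat.S_ISLNK(st.st_mode):
                    reasons.append("group-writable")
            if reasons:
                findings.append({"path": path, "uid": st.st_uid, "gid": st.st_gid,
                                 "mtime": int(st.st_mtime), "reasons": reasons})
    return findings

if __name__ == "__main__":
    # Usage: script.py [directory] [passwd file] [group file]
    root = sys.argv[1] if len(sys.argv) > 1 else "/etc"
    uids = load_ids(sys.argv[2] if len(sys.argv) > 2 else "/etc/passwd")
    gids = load_ids(sys.argv[3] if len(sys.argv) > 3 else "/etc/group")
    for f in find_orphans(root, uids, gids):
        print(f"{f['path']}\tuid={f['uid']}\tgid={f['gid']}\t{','.join(f['reasons'])}")
```

The reported `mtime` is the content modification time; a group change alters the inode change time instead, so compare findings against backups rather than relying on the timestamp alone.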

