How to find out which package a user belongs to?
On Debian-based systems (including Ubuntu), packages create users using maintainer scripts, usually postinst. Therefore one way could be to grep through these scripts:
grep -R --include='*.postinst' -e useradd -e adduser /var/lib/dpkg/info/
This assumes, of course, that the postinst script hasn't been deleted (either manually or because you uninstalled the package in question).
Debian policy seems to favour postinst:
[Y]ou must arrange for your package to create the user or group if necessary using
adduserin thepreinstorpostinstscript (again, the latter is to be preferred if it is possible).
The package maintainer can use preinst as well, as long as adduser is a pre-dependency.
The policy also leads us to the other source of accounts: the base-passwd package, as it states in the preceding paragraph:
If you need a statically allocated id, you must ask for a user or group id from the
base-passwdmaintainer, and must not release the package until you have been allocated one. Once you have been allocated one you must either make the package depend on a version of thebase-passwdpackage with the id present in/etc/passwdor/etc/group, or arrange for your package to create the user or group itself with the correct id (usingadduser) in itspreinstorpostinst. (Doing it in thepostinstis to be preferred if it is possible, otherwise a pre-dependency will be needed on the adduser package.)
The base-passwd documentation (/usr/share/doc/base-passwd/users-and-groups.txt.gz or /usr/share/doc/base-passwd/users-and-groups.html) says:
The Debian base-passwd package contains the master versions of /etc/passwd and
/etc/group. The update-passwd tool keeps the entries in these master files in
sync on all Debian systems. They comprise only "global static" ids: that is,
those which are reserved globally for the benefit of packages which need to
include files owned by those users or groups, or need the ids compiled into
binaries.
The users/groups included are (grepped out from /usr/share/doc/base-passwd/users-and-groups.txt.gz):
Users (usually with corresponding groups)
root man majordom irc gdm
daemon lp postgres gnats saned
bin mail www-data nobody klog
sys news backup messagebus syslog
sync uucp operator postfix
games proxy list haldaemon
Groups (without corresponding users)
adm fax audio staff sshd
tty voice src users fetchmail
disk cdrom shadow lpadmin cupsys
kmem floppy utmp sasl nogroup
dialout tape video scanner
dip sudo plugdev ssh
The package README (/usr/share/doc/base-passwd/README) also lists out some users with UIDs in the 60000-64999 range, and states that these are created by the respective packages.
AFAIK there is no native package manager function that creates (or removes) those functional /system users but that is done in a custom pre- or post-install script sections in RPM packages.
Typically the RPM package will create and claim ownership of the home directory of those users e.g. the httpd package creates the user apache and the home directory of the apache user is owned by the httpd package, allowing a round-about way of finding the package:
rpm -qf /var/www
You can verify if indeed the httpd package could have created the apache user with:
rpm -q --scripts httpd
I use Gentoo, So i would extract the 5th field of /etc/passwd to find the info:
cat /etc/passwd | grep cron | gawk -F: '{print $5}'
added by portage for cronbase
Portage is package management system for Gentoo. So cron account is created by portage for the package cronbase.