How to find out which package a user belongs to?

On Debian-based systems (including Ubuntu), packages create users using maintainer scripts, usually postinst. Therefore one way could be to grep through these scripts:

grep -R --include='*.postinst' -e useradd -e adduser /var/lib/dpkg/info/

This assumes, of course, that the postinst script hasn't been deleted (either manually or because you uninstalled the package in question).


Debian policy seems to favour postinst:

[Y]ou must arrange for your package to create the user or group if necessary using adduser in the preinst or postinst script (again, the latter is to be preferred if it is possible).

The package maintainer can use preinst as well, as long as adduser is a pre-dependency.

The policy also leads us to the other source of accounts: the base-passwd package, as it states in the preceding paragraph:

If you need a statically allocated id, you must ask for a user or group id from the base-passwd maintainer, and must not release the package until you have been allocated one. Once you have been allocated one you must either make the package depend on a version of the base-passwd package with the id present in /etc/passwd or /etc/group, or arrange for your package to create the user or group itself with the correct id (using adduser) in its preinst or postinst. (Doing it in the postinst is to be preferred if it is possible, otherwise a pre-dependency will be needed on the adduser package.)

The base-passwd documentation (/usr/share/doc/base-passwd/users-and-groups.txt.gz or /usr/share/doc/base-passwd/users-and-groups.html) says:

The Debian base-passwd package contains the master versions of /etc/passwd and
/etc/group. The update-passwd tool keeps the entries in these master files in
sync on all Debian systems. They comprise only "global static" ids: that is,
those which are reserved globally for the benefit of packages which need to
include files owned by those users or groups, or need the ids compiled into
binaries. 

The users/groups included are (grepped out from /usr/share/doc/base-passwd/users-and-groups.txt.gz):

Users (usually with corresponding groups)

root    man     majordom    irc         gdm
daemon  lp      postgres    gnats       saned
bin     mail    www-data    nobody      klog
sys     news    backup      messagebus  syslog
sync    uucp    operator    postfix
games   proxy   list        haldaemon

Groups (without corresponding users)

adm     fax     audio       staff       sshd
tty     voice   src         users       fetchmail
disk    cdrom   shadow      lpadmin     cupsys
kmem    floppy  utmp        sasl        nogroup
dialout tape    video       scanner
dip     sudo    plugdev     ssh

The package README (/usr/share/doc/base-passwd/README) also lists out some users with UIDs in the 60000-64999 range, and states that these are created by the respective packages.


AFAIK there is no native package manager function that creates (or removes) those functional /system users but that is done in a custom pre- or post-install script sections in RPM packages.

Typically the RPM package will create and claim ownership of the home directory of those users e.g. the httpd package creates the user apache and the home directory of the apache user is owned by the httpd package, allowing a round-about way of finding the package:

rpm -qf /var/www

You can verify if indeed the httpd package could have created the apache user with:

rpm -q --scripts httpd

I use Gentoo, So i would extract the 5th field of /etc/passwd to find the info:

cat /etc/passwd | grep cron | gawk -F: '{print $5}'

added by portage for cronbase

Portage is package management system for Gentoo. So cron account is created by portage for the package cronbase.