diff --git a/debian/changelog b/debian/changelog
index 4046c3bf..551053a4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+livecd-rootfs (2.274) UNRELEASED; urgency=low
+
+  * live-build/ubuntu-core/hooks/00-uid-gid-fix.chroot_early:
+    - port static uid/gid setup from ubuntu-touch
+
+ -- Michael Vogt <michael.vogt@ubuntu.com>  Wed, 07 Jan 2015 09:36:11 +0100
+
 livecd-rootfs (2.274) vivid; urgency=medium
 
   [ Michael Vogt ]
diff --git a/live-build/ubuntu-core/hooks/00-uid-gid-fix.chroot_early b/live-build/ubuntu-core/hooks/00-uid-gid-fix.chroot_early
new file mode 100755
index 00000000..bb8cab52
--- /dev/null
+++ b/live-build/ubuntu-core/hooks/00-uid-gid-fix.chroot_early
@@ -0,0 +1,206 @@
+#!/bin/sh -eu
+
+# Known good post-debootstrap values
+passwd_bootstrap="9738946debbc125bd6cf3f197582a8a5"
+shadow_bootstrap="4d299751999cae6de045390dd568812c"
+group_bootstrap="dd4a0ebdd3f5d170d5a46e6bade5c6c3"
+gshadow_bootstrap="42025e85925432105b429b7c801a50a4"
+
+# Current post-debootstrap values
+passwd_hash=$(set -- $(md5sum /etc/passwd) && echo $1)
+shadow_hash=$(set -- $(cat /etc/shadow | sed "s/:.*:0:99999:/:0:99999:/g" | md5sum) && echo $1)
+group_hash=$(set -- $(md5sum /etc/group) && echo $1)
+gshadow_hash=$(set -- $(md5sum /etc/gshadow) && echo $1)
+
+# /etc/passwd
+if [ "$passwd_bootstrap" = "$passwd_hash" ]; then
+    cat > /etc/passwd <<'EOF'
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
+gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+messagebus:x:100:103::/var/run/dbus:/bin/false
+clickpkg:x:101:104::/nonexistent:/bin/false
+sshd:x:102:65534::/var/run/sshd:/usr/sbin/nologin
+systemd-timesync:x:103:108:systemd Time Synchronization,,,:/run/systemd:/bin/false
+systemd-network:x:104:109:systemd Network Management,,,:/run/systemd/netif:/bin/false
+systemd-resolve:x:105:110:systemd Resolver,,,:/run/systemd/resolve:/bin/false
+systemd-bus-proxy:x:106:111:systemd Bus Proxy,,,:/run/systemd:/bin/false
+EOF
+else
+    echo "/etc/passwd post-debootstrap hash doesn't match record" >&2
+    exit 1
+fi
+
+# /etc/shadow
+if [ "$shadow_bootstrap" = "$shadow_hash" ]; then
+    cat > /etc/shadow <<'EOF'
+root:*:16329:0:99999:7:::
+daemon:*:16329:0:99999:7:::
+bin:*:16329:0:99999:7:::
+sys:*:16329:0:99999:7:::
+sync:*:16329:0:99999:7:::
+games:*:16329:0:99999:7:::
+man:*:16329:0:99999:7:::
+lp:*:16329:0:99999:7:::
+mail:*:16329:0:99999:7:::
+news:*:16329:0:99999:7:::
+uucp:*:16329:0:99999:7:::
+proxy:*:16329:0:99999:7:::
+www-data:*:16329:0:99999:7:::
+backup:*:16329:0:99999:7:::
+list:*:16329:0:99999:7:::
+irc:*:16329:0:99999:7:::
+gnats:*:16329:0:99999:7:::
+nobody:*:16329:0:99999:7:::
+messagebus:*:16413:0:99999:7:::
+clickpkg:*:16413:0:99999:7:::
+sshd:*:16413:0:99999:7:::
+systemd-timesync:*:16413:0:99999:7:::
+systemd-network:*:16413:0:99999:7:::
+systemd-resolve:*:16413:0:99999:7:::
+systemd-bus-proxy:*:16413:0:99999:7:::
+EOF
+else
+    echo "/etc/shadow post-debootstrap hash doesn't match record" >&2
+    exit 1
+fi
+
+# /etc/group
+if [ "$group_bootstrap" = "$group_hash" ]; then
+    cat > /etc/group <<'EOF'
+root:x:0:
+daemon:x:1:
+bin:x:2:
+sys:x:3:
+adm:x:4:syslog
+tty:x:5:
+disk:x:6:
+lp:x:7:
+mail:x:8:
+news:x:9:
+uucp:x:10:
+man:x:12:
+proxy:x:13:
+kmem:x:15:
+dialout:x:20:
+fax:x:21:
+voice:x:22:
+cdrom:x:24:
+floppy:x:25:
+tape:x:26:
+sudo:x:27:
+audio:x:1005:
+dip:x:30:
+www-data:x:33:
+backup:x:34:
+operator:x:37:
+list:x:38:
+irc:x:39:
+src:x:40:
+gnats:x:41:
+shadow:x:42:
+utmp:x:43:
+video:x:44:
+sasl:x:45:
+plugdev:x:46:
+staff:x:50:
+games:x:60:
+users:x:100:
+nogroup:x:65534:
+netdev:x:101:
+crontab:x:102:
+messagebus:x:103:
+clickpkg:x:104:
+ssh:x:105:
+systemd-journal:x:106:
+systemd-journal-remote:x:107:
+systemd-timesync:x:108:
+systemd-network:x:109:
+systemd-resolve:x:110:
+systemd-bus-proxy:x:111:
+EOF
+else
+    echo "/etc/group post-debootstrap hash doesn't match record" >&2
+    exit 1
+fi
+
+# /etc/gshadow
+if [ "$gshadow_bootstrap" = "$gshadow_hash" ]; then
+    cat > /etc/gshadow <<'EOF'
+root:*::
+daemon:*::
+bin:*::
+sys:*::
+adm:*::syslog
+tty:*::
+disk:*::
+lp:*::
+mail:*::
+news:*::
+uucp:*::
+man:*::
+proxy:*::
+kmem:*::
+dialout:*::
+fax:*::
+voice:*::
+cdrom:*::
+floppy:*::
+tape:*::
+sudo:*::
+audio:*::pulse
+dip:*::
+www-data:*::
+backup:*::
+operator:*::
+list:*::
+irc:*::
+src:*::
+gnats:*::
+shadow:*::
+utmp:*::
+video:*::
+sasl:*::
+plugdev:*::
+staff:*::
+games:*::
+users:*::
+nogroup:*::
+netdev:!::
+crontab:!::
+messagebus:!::
+clickpkg:!::
+ssh:!::
+systemd-journal:!::
+systemd-journal-remote:!::
+systemd-timesync:!::
+systemd-network:!::
+systemd-resolve:!::
+systemd-bus-proxy:!::
+EOF
+else
+    echo "/etc/gshadow post-debootstrap hash doesn't match record" >&2
+    exit 1
+fi
+
+
+# Record the current state for later comparison
+for file in /etc/passwd /etc/shadow /etc/group /etc/gshadow; do
+    rm -f ${file}-
+    cp ${file} ${file}.orig
+done