How to efficiently change gid and uid?
| I posted this message on comp.unix.shell. Sorry for reposting here.
Need Quick help please ...
Hi all,
I have a Unix box: a group called "testgrp", gid=321
dozens of users belonging to this group, e.g. tuser01 (uid=241),
tuser02 (uid=257), ... not sequential...
Now I have to rearrange gid and uids to keep them consistent
with other systems, i.e. testgrp's gid will be changed to 7000,
tuser01's uid=7001, tuser02's uid=7002, etc...
All files owned by the group and users also need to be updated
accordingly.
The way I have currently implemented it is
update gid first
1) find /!(tmp|var|proc) -group testgrp -o -group 321 -print > filelist1
2) groupmod -g 7000 testgrp
3) cat filelist1 | xargs chgrp testgrp
update uid
4) find /!(tmp|var|proc) -user tuser01 -o -user 241 -print > filelist2
5) usermod -u 7001 -g testgrp tuser01
6) cat filelist2 | xargs chown tuser01:testgrp
7) repeat 4)-6) for each user
Now the problems are
a) machine is a little busy and the hard drive is 300G, so each "find"
takes about 30 minutes.
b) we have a dozen such groups and over 200 users to be updated
in the above way.
I wondered if some redundancies could be removed from the above
process, or there is any faster way to do it.
Many thanks,
James
| |
| Horst Scheuermann 2006-08-15, 7:29 am |
| "James" <jzheng22@gmail.com> writes:
> I posted this message on comp.unix.shell. Sorry for reposting here.
> Need Quick help please ...
> Hi all,
> I have a Unix box: a group called "testgrp", gid=321
> dozens of users belonging to this group, e.g. tuser01 (uid=241),
> tuser02 (uid=257), ... not sequential...
> Now I have to rearrange gid and uids to keep them consistent
> with other systems, i.e. testgrp's gid will be changed to 7000,
> tuser01's uid=7001, tuser02's uid=7002, etc...
> All files owned by the group and users also need to be updated
> accordingly.
> The way I have currently implemented it is
> update gid first
> 1) find /!(tmp|var|proc) -group testgrp -o -group 321 -print > filelist1
why not /var think of crontabs ....
> 2) groupmod -g 7000 testgrp
> 3) cat filelist1 | xargs chgrp testgrp
chgrp -h
> update uid
> 4) find /!(tmp|var|proc) -user tuser01 -o -user 241 -print > filelist2
> 5) usermod -u 7001 -g testgrp tuser01
> 6) cat filelist2 | xargs chown tuser01:testgrp
chown -h
> 7) repeat 4)-6) for each user
> Now the problems are
> a) machine is a little busy and the hard drive is 300G, so each "find"
> takes about 30 minutes.
> b) we have a dozen such groups and over 200 users to be updated
> in the above way.
> I wondered if some redundancies could be removed from the above
> process, or there is any faster way to do it.
> Many thanks,
> James
| |
| Doug Freyburger 2006-08-16, 1:24 am |
| James wrote:
>
> I have a Unix box: a group called "testgrp", gid=321
> dozens of users belonging to this group, e.g. tuser01 (uid=241),
> tuser02 (uid=257), ... not sequential...
>
> Now I have to rearrange gid and uids to keep them consistent
> with other systems, i.e. testgrp's gid will be changed to 7000,
> tuser01's uid=7001, tuser02's uid=7002, etc...
> All files owned by the group and users also need to be updated
> accordingly.
>
> The way I have currently implemented it is
> update gid first
> 1) find /!(tmp|var|proc) -group testgrp -o -group 321 -print > filelist1
Because you have a list getting mapped to a list, you can do it in
N passes using this sort of shell scripting, or you can do it in one
pass with a bit of Perl. This is exactly the sort of problem PERL was
designed to handle. Before PERL came along I would have written
a small C program to do it to avoid so many passes.
On the other hand, do it once and you're done. Run it over night
and it will be finished in the morning. Not a wrong answer really.
| |
| Michael Paoli 2006-08-27, 7:25 am |
| James wrote:
> I have a Unix box: a group called "testgrp", gid=321
> dozens of users belonging to this group, e.g. tuser01 (uid=241),
> tuser02 (uid=257), ... not sequential...
> Now I have to rearrange gid and uids to keep them consistent
> with other systems, i.e. testgrp's gid will be changed to 7000,
> tuser01's uid=7001, tuser02's uid=7002, etc...
> All files owned by the group and users also need to be updated
> accordingly.
> The way I have currently implemented it is
> update gid first
> 1) find /!(tmp|var|proc) -group testgrp -o -group 321 -print > filelist1
> 2) groupmod -g 7000 testgrp
> 3) cat filelist1 | xargs chgrp testgrp
> update uid
> 4) find /!(tmp|var|proc) -user tuser01 -o -user 241 -print > filelist2
> 5) usermod -u 7001 -g testgrp tuser01
> 6) cat filelist2 | xargs chown tuser01:testgrp
> 7) repeat 4)-6) for each user
> Now the problems are
> a) machine is a little busy and the hard drive is 300G, so each "find"
> takes about 30 minutes.
> b) we have a dozen such groups and over 200 users to be updated
> in the above way.
> I wondered if some redundancies could be removed from the above
> process, or there is any faster way to do it.
Among other potential problems, the approach above also has race
condition vulnerabilities (no mention was made of locking out all the
applicable UIDs/GIDs and terminating their PIDs from before the data
for the changes is gathered through completion of making the
applicable UID/GID changes), and issues with security of file
pathnames and xargs (what happens when the pathname contains one or
more newlines?).
Doug Freyburger also wrote in
<news:1155688139.817609.30630@m79g2000cwm.googlegroups.com>:
> Because you have a list getting mapped to a list, you can do it in
> N passes using this sort of shell scripting, or you can do it in one
> pass with a bit of Perl. This is exactly the sort of problem PERL was
> designed to handle. Before PERL came along I would have written
> a small C program to do it to avoid so many passes.
This is actually a type of problem I've largely used PERL to deal with
- at least for much of the "heavy lifting" portions of doing much of
the work. That and a bunch of comparatively minor scripts (shell and
Perl) to gather, analyze, and prepare the relevant data, and to handle
stuff like passing data to usermod to make relevant changes, etc.
Have a look at:
http://www.rawbw.com/~mp/perl/
most notably there you'll find:
multichown
to handle the heavy duty UID/GID changes on files, and also
disable_users
not only handy for disabling user accounts in a quite secure manner,
but also quite handy for temporarily disabling accounts before doing
UID/GID changes on files, and reversing most of the disabling effects
after the UID/GID changes on files and other changes are done.
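
Added example (not part of the thread, and not Michael Paoli's multichown): a single-pass re-owning walk in Python, standing in for the Perl the posters mention, that applies every old-to-new UID and GID mapping in one traversal, never follows symlinks, and never passes pathnames through a text pipe. The name remap_tree and its injectable chown parameter are assumptions made here; it also assumes the affected accounts are already locked with their processes stopped, and that the passwd and group entries are changed separately with usermod and groupmod.

```python
import os


def remap_tree(root, uid_map, gid_map, chown=os.chown):
    """Walk `root` once and re-own every entry whose uid or gid is mapped.

    uid_map and gid_map are {old_id: new_id} dicts, so all users and groups
    are handled in the same traversal instead of one `find` per account.
    Returns a list of (path, new_uid, new_gid); -1 means "left unchanged".
    `chown` is injectable so the plan can be checked without root.
    """
    changed = []
    root_dev = os.lstat(root).st_dev

    def visit(name, dirfd, shown):
        # stat relative to the open directory, without following symlinks
        st = os.stat(name, dir_fd=dirfd, follow_symlinks=False)
        if st.st_dev != root_dev:
            return False  # other filesystem (e.g. /proc, NFS): skip it
        new_uid = uid_map.get(st.st_uid, -1)
        new_gid = gid_map.get(st.st_gid, -1)
        if (new_uid, new_gid) != (-1, -1):
            # same effect as `chown -h`: a symlink itself is re-owned,
            # never the file it points to
            chown(name, new_uid, new_gid, dir_fd=dirfd, follow_symlinks=False)
            changed.append((shown, new_uid, new_gid))
        return True

    # os.fwalk hands out a descriptor for each directory, so entries are
    # addressed by (dirfd, name) rather than by a re-resolved full path.
    for dirpath, dirnames, filenames, dirfd in os.fwalk(root):
        if dirpath == root:
            visit(".", dirfd, root)  # the top directory itself
        # pruning dirnames in place stops descent into other filesystems
        dirnames[:] = [d for d in dirnames
                       if visit(d, dirfd, os.path.join(dirpath, d))]
        for f in filenames:
            visit(f, dirfd, os.path.join(dirpath, f))
    return changed


# Mapping taken from the question (run as root):
#   remap_tree("/", {241: 7001, 257: 7002}, {321: 7000})
```

Pathnames are only ever handled as Python strings, so a name containing a newline cannot split into two arguments the way it can in a filelist fed to xargs.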