UNIX Hints & Hacks
Chapter 5: Account Management

Group IDs (GID) are mapped to the groups defined in the /etc/group file. These numbers should be managed from a central point within your environment as the UIDs are. Almost every environment already has a list of predefined groups in a master /etc/group file and a list of users belonging to each group. Although there is no naming standard, it is best to name the group of users after a project, department, or group within the department. Use something that associates all the users and files with one thing.
If you are fortunate enough to be building your list from scratch, or you are migrating from an old list because it was never managed from the start, select a high GID number such as 500 for the first group.
# vi /etc/group
root::0:root
bin::1:root,bin,daemon
daemon::2:root,bin,daemon
users::20:eric,bryan,scott,gary
finance::500:chris,lisa,bob
This way, as new groups of users are added under the newly formed GIDs, it is easy to pick out which accounts still need to be migrated or added. In many cases, preexisting admins and users will have taken the default group IDs 10 and 20, which are "users" or "staff" on most flavors.
# vi /etc/group
staff::10:
users::20:
Note - There is no way to lock this file so that two people cannot make changes to it at the same time. If an administrative tool is available on your flavor, use the tool rather than a simple editor. Only then can you know that one person at a time will make changes to the file.
If you are migrating existing users, plan out your strategy for the migration. Some might be easy and some might take an extensive amount of time. Work closely with your users on the location of all their data, and the data they need access to. It saves you a lot of time in the end.
If a user has files only in their home directory whose GID needs changing, a recursive chgrp is all that is needed.
# chgrp -R 520 /home/tom
Some flavors of UNIX enable you to pass the GID along with the UID at the same time with the chown command (check your man pages to see whether your chown supports this feature; most current versions write the owner and group as tom:500, and some still accept the older tom.500 form shown here):
# chown -R tom.500 /home/tom
If the user has a large collection of files spread throughout the system or across the network to other fileservers, you might want to perform a search for all their files. Approach the user and discuss what will and won't happen to the files. The user might be able to provide more insight into how his or her files are grouped and make the conversion process easier in the end.
# find /disk2 -user tom -print > /usr/tmp/files.txt
Redirect the list out to a file so you can discuss the user's directory tree and the settings of the files. Note that -user must come before -print; find evaluates its expression left to right, so a -print placed first would list every file on /disk2 regardless of owner. If the group for all the files that the user owns needs to be changed, execute a find command to search for all the user's files and run the chgrp command on them.
# find /disk2 -user tom -exec chgrp 500 {} \;
This particular find command searches /disk2 for any file owned by the user tom and changes the GID of each file to 500.
If GID assignments are not controlled in this way, an internal security risk to your users' files and your environment might exist.
Watch for system GID conflicts when different flavors of UNIX are cross-mounted. In the group file, the group with ID number 2 could be bin on one flavor of UNIX and daemon on another. This takes place when multiple flavors coexist on the same network; if you are running NIS/YP between multiple flavors, you are almost guaranteed to see it. Before you go into production, attempt to merge the system group IDs into one working table.
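The following script is an added example, not code from the book. It checks two flavors' group files against each other for the bin/daemon style GID conflicts just described, and it finds the next free GID at or above the starting point of 500 suggested earlier so a new group lands in the migrated range rather than on a reused number. The two sample group files, their group names and GIDs are constructed here so the script runs offline; swap in the real files from each flavor before you merge the tables.

```shell
#!/bin/sh
# Added example: pre-merge checks on two flavors' /etc/group tables.
# Sample group files are constructed below (not from any real system).
TMPDIR_EX=${TMPDIR:-/tmp}/gidcheck.$$
mkdir -p "$TMPDIR_EX"
trap 'rm -rf "$TMPDIR_EX"' EXIT

cat > "$TMPDIR_EX/group.flavorA" <<'EOF'
root::0:root
bin::1:root,bin,daemon
daemon::2:root,bin,daemon
staff::10:
users::20:eric,bryan,scott,gary
finance::500:chris,lisa,bob
EOF

cat > "$TMPDIR_EX/group.flavorB" <<'EOF'
root::0:root
daemon::1:root,daemon
bin::2:root,bin
sys::3:root
users::20:tom
finance::501:chris,lisa
EOF

# gid_conflicts FILE1 FILE2
# Prints one line for every GID that is bound to different group names in the
# two files, and one line for every group name bound to different GIDs.
# The first file's value is always listed first; output is sorted for stable
# comparison. Comment lines and blank lines are skipped.
gid_conflicts() {
    awk -F: '
        FNR == 1 { file++ }
        /^#/ || NF < 3 { next }
        file == 1 { name1[$3] = $1; gid1[$1] = $3 }
        file == 2 { name2[$3] = $1; gid2[$1] = $3 }
        END {
            for (g in name1)
                if ((g in name2) && name1[g] != name2[g])
                    printf "GID %s: %s vs %s\n", g, name1[g], name2[g]
            for (n in gid1)
                if ((n in gid2) && gid1[n] != gid2[n])
                    printf "group %s: GID %s vs %s\n", n, gid1[n], gid2[n]
        }' "$1" "$2" | LC_ALL=C sort
}

# next_free_gid FILE START
# Prints the lowest GID >= START that is not already used in FILE.
next_free_gid() {
    awk -F: -v start="$2" '
        /^#/ || NF < 3 { next }
        { used[$3 + 0] = 1 }
        END {
            g = start + 0
            while (g in used) g++
            print g
        }' "$1"
}

# Stand-alone run: report the conflicts and the next GID for each flavor.
echo "Conflicts between flavorA and flavorB:"
gid_conflicts "$TMPDIR_EX/group.flavorA" "$TMPDIR_EX/group.flavorB"
echo "Next free GID (flavorA, from 500): $(next_free_gid "$TMPDIR_EX/group.flavorA" 500)"
echo "Next free GID (flavorB, from 500): $(next_free_gid "$TMPDIR_EX/group.flavorB" 500)"
```

Every line gid_conflicts prints is a group whose files will show up with the wrong group name on one of the cross-mounted flavors, so resolve each one in the merged table before it goes into NIS/YP. The checker reads only the name and GID fields, so it is safe to run on copies of the files from a non-privileged account.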
Man pages:
chown, find, group
© Copyright Macmillan USA. All rights reserved.