Unix group cleanup

On departmental Linux systems, many Unix groups have been added locally, to facilitate groups of users jointly editing files. Use the shell command “id” to see which groups you are a member of. To avoid malfunctions, we now need to clean up older groups with a gid value below 500. This requires your help.

There are two sources of groups:

  • the ones defined by the operating-system distribution in /etc/group
  • the ones added centrally via the departmental LDAP server.

Each group is identified by an integer (its gid); the group name is only looked up from that number when it is displayed. The problem: the integer ranges used by both sources overlap. There are many instances where an LDAP group uses the same number as an /etc/group entry, but with a completely different name. As a result, you may see the wrong group name displayed by “id” or “ls -l”, and, because the kernel checks permissions against the number alone, members of the /etc/group entry and members of the LDAP group with the same number get access to each other’s files.

The relevant standard, the Linux Standard Base (LSB), recommends that group identifiers below 500 are reserved for the operating-system distribution, whereas numbers of 500 and higher are available for local use. Therefore, we aim to ensure now that

  • our LDAP servers do not define group numbers below 500
  • our file server does not have files belonging to groups with identifiers below 500

This will ensure that Linux machines can use our LDAP servers and filer without risking collisions with groups defined in /etc/group.
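The collision described above can be checked for directly rather than waiting for a wrong name to show up in “ls -l”. The following is an added example (not part of the original post or the departmental tooling): it compares two group lists in /etc/group format and reports every gid that both define under different names, and separately lists the groups below a given limit that still need renumbering. The group names and numbers in the sample files are constructed for the demonstration. For a real check you would pass /etc/group as the first file and a raw dump of the LDAP groups as the second (with glibc, “getent -s ldap group” gives that, assuming an NSS source called ldap); a plain “getent group” is not enough, because NSS returns only the first source that answers for a number.

```sh
#!/bin/sh
# Added example, not part of the original post: spot numeric gid collisions
# between two group sources given as files in /etc/group format
# ("name:password:gid:member,member").

# gid_collisions LOCAL_FILE DIRECTORY_FILE
# Prints "gid local_name directory_name" for every gid that both sources
# define under different names. Same gid with the same name is not reported.
gid_collisions() {
    awk -F: '
        FNR == NR { local_name[$3] = $1; next }   # first file: names by gid
        ($3 in local_name) && local_name[$3] != $1 {
            printf "%s %s %s\n", $3, local_name[$3], $1
        }
    ' "$1" "$2" | sort -n
}

# low_gids GROUP_FILE LIMIT
# Prints "gid name" for groups whose gid is below LIMIT (the post uses 500),
# i.e. groups sitting in the range the distribution may also allocate.
low_gids() {
    awk -F: -v lim="$2" '$3 + 0 < lim { printf "%s %s\n", $3, $1 }' "$1" | sort -n
}

# write_sample_groups DIR
# Writes two constructed sample files. The names and numbers are made up for
# this example and are not the real /etc/group or LDAP contents.
write_sample_groups() {
    cat > "$1/local.group" <<'EOF'
root:x:0:
bin:x:1:
tape:x:19:
games:x:20:
staff:x:50:
EOF
    cat > "$1/ldap.group" <<'EOF'
private:*:19:
users:*:20:alice,bob
staff:*:50:
proj-foo:*:1234:alice
EOF
}

# Stand-alone demonstration on the constructed sample data.
demo=$(mktemp -d)
write_sample_groups "$demo"
echo "gid collisions (gid local-name ldap-name):"
gid_collisions "$demo/local.group" "$demo/ldap.group"
echo "LDAP groups below 500 that need renumbering:"
low_gids "$demo/ldap.group" 500
rm -rf "$demo"
```

On the sample data the collision report shows gids 19 and 20 (tape/private and games/users), while staff is skipped because both sources agree on the name. Running the same two functions against the real files before and after a renumbering is a cheap way to confirm that the aim stated above has actually been reached.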

If you are still a member of an LDAP-announced Unix group with an integer identifier below 500, you will soon be notified by email. If so, please consider first whether you still need these groups today.

If not, then please

  • identify your files on the filer that still belong to this group (see below)
  • chgrp all these files to a more appropriate group
  • check (after 10 minutes) the file /a/elmer-vol0/quota_report to see if there are more
  • notify sys-admin that the group can now be deleted

If you still need the group, please contact sys-admin to arrange for your group to be reassigned a number of 500 or higher, and for all files on the filer belonging to that group to be chgrp-ed accordingly.

Some useful shell commands:

Show all files under the current directory that belong to a group with a number below 500:

find . -name .snapshot -prune -o \( -gid -500 -print0 \) | xargs -0r ls -ld

Change all my files under the current directory with gid=20 to my personal group:

find . -name .snapshot -prune -o \( -user $USER -gid 20 -print0 \) | xargs -0r chgrp $USER

In addition to your $HOME, also check your research-group and project directories.
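The two one-liners above are all you need, but when you are about to chgrp a whole home directory it is worth seeing a summary first and doing a dry run. The script below is an added example, not part of the original post: it wraps the same find/chgrp approach in three functions (a per-gid count, a plain listing, and a regrouping step that only touches your own files and prints instead of acting when given --dry-run). It assumes GNU find, xargs and chgrp, and a NetApp-style .snapshot directory that must be pruned; the scratch tree it builds for the demonstration is constructed, not filer data.

```sh
#!/bin/sh
# Added example, not part of the original post: dry-run-first version of the
# find/chgrp procedure for files in groups with a gid below a limit.

# low_gid_summary DIR LIMIT
# One line per gid below LIMIT found under DIR: "<count> <gid> <name>", so you
# can see which old groups you still have files in before changing anything.
low_gid_summary() {
    find "$1" -name .snapshot -prune -o -gid "-$2" -printf '%G %g\n' \
        | sort -n | uniq -c
}

# list_low_gid_files DIR LIMIT
# Paths under DIR (outside .snapshot) whose gid is below LIMIT.
list_low_gid_files() {
    find "$1" -name .snapshot -prune -o -gid "-$2" -print
}

# regroup_my_files DIR OLDGID NEWGROUP [--dry-run]
# Only files owned by the caller with gid OLDGID are touched; other people's
# files in the same group are left alone. chgrp -h re-groups a matching
# symlink itself: find tested the link, and without -h chgrp would follow it
# and change whatever it points to. With --dry-run it only prints the paths.
regroup_my_files() {
    dir=$1 old=$2 new=$3
    if [ "${4:-}" = "--dry-run" ]; then
        find "$dir" -name .snapshot -prune -o \
            \( -user "$(id -un)" -gid "$old" -print \)
    else
        find "$dir" -name .snapshot -prune -o \
            \( -user "$(id -un)" -gid "$old" -print0 \) \
            | xargs -0r chgrp -h "$new"
    fi
}

# Stand-alone demonstration in a scratch tree. It uses the caller's own
# group as the "old" gid so that it runs unprivileged on any machine.
scratch=$(mktemp -d)
mkdir "$scratch/.snapshot"
echo data > "$scratch/report.txt"
echo old > "$scratch/.snapshot/report.txt"
ln -s report.txt "$scratch/link"
me=$(id -g)
echo "groups below $((me + 1)) under $scratch:"
low_gid_summary "$scratch" "$((me + 1))"
echo "dry run of regrouping gid $me:"
regroup_my_files "$scratch" "$me" "$me" --dry-run
rm -rf "$scratch"
```

Two caveats when running the real thing: chgrp only succeeds on files you own and into groups you are a member of, so run it as the file owner, and on Linux a chgrp by a non-root user clears the setuid and setgid bits of a regular file, so check any shared executables afterwards.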

Some historic generic group numbers that you may encounter in old files:

19=private: until recently, all filer files created from Windows (via CIFS) were in that group
20=users: until a few years ago, this was the primary group of every user

Please chgrp all your files in group 20 to your personal group (CRSId). You can do the same with files in group 19, unless you rely on the file to have a Windows-style access control list (which would be overwritten by the Linux chgrp commands).

(We will soon also need a similar campaign for users with uid below 1000.)

This entry was posted in Local IT systems.

2 Responses to Unix group cleanup

  1. mgk25 says:

    Many old groups were created for collaboration in projects that are no longer active. If shared write access to project files is no longer needed, and the files now just sit there as an archive readable to others, the simplest solution is to “chown pi123:pi123” such archival files to the user id and personal group of the principal investigator (e.g., pi123), or whoever else is today most emotionally attached to these files, and then ask sys-admin to retire the old group.

  2. mgk25 says:

    This Unix/LDAP group cleanup is now largely done. In particular, all Unix groups containing end users have now been reassigned to numeric GIDs > 500, so there should no longer be any incorrect group names displayed by the “id” or “ls -l” shell commands. Special thanks to Martyn Johnson for sorting this out!
