
Re: [SAGE] Looking for reuse: Script to change users UID, changegroup GID & re-permission files on large scale



It needs to be at least a two step process:

1. Get the uid and gid information for every file on the system.
2. Go back and apply the new uid/gid to every file.

You can't safely walk the filesystem changing uids and gids, unless you 
know *absolutely* that no mounts or links are going to get you into a 
loop. It's safer to take a complete inventory of files and then apply 
the necessary changes.

You can apply the changes to the authentication data before or after the 
filesystem changes, but it is important that nobody is signed on (except 
your job that is modifying the filesystem) during the changes. This 
isn't something that you can easily do in phases.

We've done this when bringing groups of servers into the company (yes, 
we do like our acquisitions :-). We don't have a comprehensive automatic 
tool to do it - but 'find' with a little Perl behind it will do most of 
the filesystem work. The authentication data (passwd & group files/maps) 
are a separate issue for us, as we never put the 'old' data into our 
systems at all - we build new authentication data (often including new 
usernames to prevent clashes with the existing accounts) and then only 
attach the 'new' filesystems once they have had their uids and gids 
converted. Note that if you have scripts that refer to explicit uids or 
gids, or if you are changing usernames as well, there will always be 
some manual work to do after the conversion.

- Richard


Allan West wrote:

> Steve Simmons wrote:
>
>> On Tue, Jan 18, 2005 at 01:33:01PM -0800, Carlson, Scott wrote:
>>
>>
>>> We've created an opportunity (!!) within my company here that I need to
>>> renumber (read UID and GID's) approximately 3000 UNIX accounts across 2000
>>> aix/solaris/redhat machines.
>>>
>>> Rather than spend time writing sets of scripts to do this, or worry if I got
>>> my find parameters right, I'm hoping that someone out there will have this
>>> exact thing sitting in their script repository.  Anyone care to share
>>> anything that has worked miracles for them when they've renumbered accounts
>>> in this manner?
>>
>>
>>
>> *Long* ago there was a wonderful little utility called 'uidswap' that did
>> just what you describe, fast and efficient.  I dunno where it went to, but
>> hey, google is your friend...
>
>
> Don't forget to check file ownerships. If you chown and chgrp files as 
> you update uids you're less likely to wind up with files owned by the 
> wrong user. This is especially important for root directory files 
> which allow the user to log in, but it's more difficult to keep track 
> of for files in shared spaces (web folders, mail spools, etc.) as you 
> change the uids.
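
The inventory-then-apply process described in the reply above, sketched in Python as an added example; it is not code from this thread or from any poster's tooling. The function names and the `{old_id: new_id}` map format are assumptions made for the illustration.

```python
import os
import stat

def inventory(root):
    """Step 1: record (path, uid, gid) for everything under root, changing nothing."""
    root_dev = os.lstat(root).st_dev
    records, stack = [], [root]
    while stack:
        path = stack.pop()
        st = os.lstat(path)              # lstat: describe a symlink, never its target
        if st.st_dev != root_dev:
            continue                     # another filesystem is mounted here: stay out
        records.append((path, st.st_uid, st.st_gid))
        if stat.S_ISDIR(st.st_mode):     # false for symlinks, so link loops cannot occur
            with os.scandir(path) as entries:
                stack.extend(entry.path for entry in entries)
    return records

def plan(records, uid_map, gid_map):
    """Compute new owners from the recorded ids; ids absent from the maps are kept."""
    changes = []
    for path, uid, gid in records:
        new_uid, new_gid = uid_map.get(uid, uid), gid_map.get(gid, gid)
        if (new_uid, new_gid) != (uid, gid):
            changes.append((path, uid, gid, new_uid, new_gid))
    return changes

def apply_plan(changes, chown=os.lchown):
    """Step 2: apply the plan; return paths skipped because they changed since step 1."""
    skipped = []
    for path, uid, gid, new_uid, new_gid in changes:
        try:
            st = os.lstat(path)
        except FileNotFoundError:
            skipped.append(path)
            continue
        if (st.st_uid, st.st_gid) != (uid, gid):
            skipped.append(path)         # owner differs from the inventory: review by hand
            continue
        chown(path, new_uid, new_gid)    # lchown changes the link itself, not its target
    return skipped
```

Because new owners are computed from the recorded ids rather than from whatever the file carries at the moment it is visited, overlapping maps (an old uid that is also some other account's new uid) are applied exactly once per file.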