|
User and Group Names - UID/GID Numbers
On an AIX or Unix system, files are not stored by filename, they are
stored by "inode number". Each file has an inode and is identified by
an inode number, sometimes called an i-number in the file system where
it resides. Inodes provide important information on files
such as user and group ownership, access permissions and file type.
Each file on a Unix system is associated with exactly one user (owner)
and one group.
Similar to the filename/inode relationship, the file owner and group
membership is designated and stored by the UID/GID numbers. Each user
on a Unix system is assigned a UID number and each group a GID number.
These numbers are used by the inode to assign ownership and group
membership to files.
In Business Continuity Planning, it is important to recognize that
UID/GID numbers should be uniquely assigned to users and groups on an
enterprise wide basis.
If these UID/GID numbers are not enterprise wide unique, there will
be security issues as well as conflicts during high availability or
disaster recovery failovers. Security issues will also arise when a
backup is restored onto a machine where the UID/GID numbers do not match
those stored in the backup.
The following are recommended policies, standards, guidelines, and
procedures, as related to "User and Group Names - UID/GID Numbers":
Policies: User and Group Names - UID/GID Numbers
- Each user provided access to any system shall have an enterprise
wide unique username assigned to them. This username will be
implemented on each system to which this user requires access.
- Each user provided access to any system shall have an enterprise
wide unique UID number assigned to them. This UID number will be
implemented on all systems requiring a username/UID association.
- Each group name implemented on a Unix system shall have an
enterprise wide unique GID number assigned to it. This GID number will
be implemented on every system where this group name is implemented.
Guidelines: User and Group Names - UID/GID Numbers
- It is important to choose a format for user names that provides
enterprise wide flexibility for use with as many platforms as possible.
A user name format that appears to be supported on the widest range of
platforms (AIX, Linux, AS/400, MVS, VSE, MS Windows, Unix) is a seven
character username, the first three characters being lowercase letters,
the last four characters being digits from 0 - 9.
- In order to avoid the maintenance and support issues of keeping
a database of UID/GID values and their associated user and group names,
a reproducible algorithm should be used to calculate the UID/GID values.
This algorithm should be executable on any Unix system and provide the
same UID/GID number for a given user or group name. Since the UID/GID
numbers are reproducible on any Unix platform, the only values that must
be maintained are the enterprise wide unique user and group names.
Standards: User Names and UID Numbers
- In order to facilitate normal maintenance, disaster recovery and
business continuity, it is recommended that each enterprise wide unique
user and group name, also be assigned enterprise wide unique UID or GID
number.
- This will cause files whose owners/groups are not defined in the
/etc/password file to appear in a long listing with the enterprise wide
unique UID and GID numbers for the owner and group. This condition may
indicate which users need to be added to the system, or which files need
to be removed from the system. Regardless of the fix, file security
will remain intact and uncompromised.
- Instead of keeping a database of username/UID and group name/GID
associations, it is preferred to use an algorithm to generate the
UID/GID values based on the username/group name. This algorithm must
be reproducible across all systems that require a UID/GID number.
A typical algorithm for performing a UID/GID calculation is to
use the "sum" command with the "-r" option to generate the Berkeley
cksum value. The "-r" option is supported by AIX and appears to be
consistently implemented across a wide variety of other Unix platforms
as well. An example of using this technique (all commands shown in this
series of documents are expressed in Korn shell syntax):
$ print "abc1234" | sum -r
29247 1
A limitation of this technique is that it will only calculate
numbers between about 600 and 65,000 for the specified username format
of three lowercase letters followed by 4 digits. So the number of users
and groups, enterprise wide, is limited to less than 65,000, and the
possibility of duplicates does exist with this algorithm. These
limitations may be acceptable for some organizations; however most will
want to expand this concept of UID/GID calculation.
The recommended UID/GID calculation algorithm uses a base 26
numbering system to represent the first three characters of the
username, and then converts the calculated base 26 number to a base 10
(decimal) value. An example script implementing this technique is shown
below.
---- Cut Here ----
#!/usr/bin/ksh93
################################################################
function usagemsg_mkuid {
print "
Program: mkuid
This function generates a UID number for a username,
that username must consist of 3 letters followed by 4
digits, or 4 letters followed by 3 digits. The
username is assumed to be the first argument to the
function. The username must also be exactly 7
characters long.
Usage: ${1##*/} username
Where:
username = XXX#### - 3 letters followed by 4 digits
Generates UID between 1,000,000 and 176,759,999
or
username = XXXX### - 4 letters followed by 3 digits
Generates UID between 176,760,000 and 633,735,000
Author: Dana French (dfrench@mtxia.com) Copyright 2004
\"AutoContent\" enabled
"
}
################################################################
####
#### Description:
####
#### This function generates a UID number for a username, that
#### username must consist of 3 letters followed by 4 digits,
#### or 4 letters followed by 3 digits. The username is assumed
#### to be the first argument to the function.
####
#### Assumptions:
####
#### This function assumes the username is constructed with
#### either 3 or 4 contiguous alphabetic characters followed
#### by 4 or 3 contiguous digits. The total number of
#### characters in the user name must be exactly 7.
####
#### Dependencies:
####
#### The "mkuid" function is dependent upon the external
#### function "mkascii" to produce an associative array
#### of ascii decimal values for the lower case letters.
####
#### Products:
####
#### Upon successful completion this function prints a single
#### decimal value to standard output.
####
#### For usernames consisting of 3 lower case letters
#### followed by 4 digits, the resulting UID values are
#### between 1,000,000 and 176,759,999.
####
#### For usernames consisting of 4 lower case letters
#### followed by 3 digits, the resulting UID values are
#### between 176,760,000 and 633,735,000.
####
#### Configured Usage:
####
#### The "mkuid" function can be called from the command
#### line, script, or another function.
####
#### Details:
####
################################################################
function mkuid
{
typeset -l LET
typeset NUMLET=0
[[ "${1}" == "-?" ]] && usagemsg_mkuid "${0}" && return 1
####
#### If the total number of characters in the username
#### command line argument is not equal to 7, display an
#### error message, followed by the usage message, and return
#### from the function with an unsuccessful return code.
####
if (( ${#1} != 7 ))
then
print -u 2 "ERROR: Number of characters in username ${1} is not equal to 7\n"
usagemsg_mkuid "${0}"
return -1
fi
####
#### Extract only the alphabetic characters from the
#### username command line argument and count the number
#### of characters extracted.
####
NUMLET="${1//([!a-zA-Z])/}"
NUMLET="${#NUMLET}"
####
#### If the number of alphabetic characters in the username
#### command line argument is not equal to 3 or 4, display an
#### error message, followed by the usage message, and return
#### from the function with an unsuccessful return code.
####
if (( NUMLET != 3 )) && (( NUMLET != 4 ))
then
print -u 2 "ERROR: Number of letters in username ${1} is not equal to 3 or 4\n"
usagemsg_mkuid "${0}"
return -1
fi
#### Determine the base 10 order of magnitude for the
#### numeric portion of the user name and store this value.
(( ORDMAG = 10 ** ( 7 - NUMLET ) ))
#### Initialize the decimal value of the lower limit for the
#### UID number to one million. The lowest value allowed for
#### a calculated UID number will be this value.
typeset LOWLIM=1000000
#### Initialize the decimal value of the UID number using a
#### base 26 calculation. The lower limit is added to this
#### value to insure the calculated UID number is greater
#### than the lower limit.
(( LOWUID = ( 26 ** ( NUMLET - 1 ) * LOWLIM / 100 ) + LOWLIM ))
(( NUMLET == 3 )) && (( LOWUID = LOWLIM ))
#### Initialize several variables containing values used
#### while iterating through each character of the username.
typeset BASE=26
typeset NVALUE=""
typeset LVALUE=0
typeset BASEORDMAG=0
typeset SUBTOT=0
typeset TOT=0
typeset MULT=0
####
#### Define an associative array to contain an ascii table of
#### values, the array index is the alphabetic character, the
#### value is the decimal number associated with the
#### character. Call the external function "mkascii" to
#### create this array.
####
typeset -A LETTERS
mkascii LETTERS
# print " ${LETTERS[@]}"
####
#### Divide the username into individual characters and store
#### each character in an array. Iterate thru this array one
#### element at a time to calculate the base 26 value of each
#### alphabetic character and the decimal value of each
#### number.
####
eval EACHLET="( ${1//(?)/ \1} )"
for LET in "${EACHLET[@]}"
do
####
#### If the current interation character is a lower case
#### letter, subtract the decimal value of 97 from the ascii
#### value for this character ( 97 is the ascii value of the
#### lowercase letter "a" ). This will cause the value of
#### "a" to be zero, "b" = 1, "c" = 2, etc. Assign a
#### variable to contain this decimal value for the letter.
####
if [[ "_${LET}" = _[a-z] ]]
then
LVALUE="$(( ${LETTERS[${LET}]} - 97 ))"
####
#### If the current iteration character is not a lower case
#### letter, then it is a number from 0 - 9. Set the letter
#### value to zero (indicating the iteration character is not
#### a letter) and append the number to the end of the
#### numeric value.
####
else
LVALUE="0"
NVALUE="${NVALUE}${LET}"
fi
####
#### Calculate a base 26 multiplier for the current iteration
#### of the loop. Each loop iteration should increase this
#### multiplier by a base 26 order of magnitude.
####
(( MULT = BASE ** BASEORDMAG ))
####
#### Multiply the decimal letter value by the base 26
#### multiplier and add the product to a running total for
#### each iteration of the loop.
####
(( SUBTOT = SUBTOT + ( LVALUE * MULT ) ))
####
#### Add a value of 1 to the loop counter, which is used to
#### determine the base 26 order of magnitude.
####
(( BASEORDMAG = BASEORDMAG + 1 ))
done
####
#### Multiply the value calculated for the alphabetic
#### characters by the base 10 order of magnitude for the
#### numeric portion of the user name. Add the numeric
#### portion of the user name and the lower limit value to
#### arrive at a final value for the calculated UID number.
#### Print this value to standard output and return from this
#### function with a successful return code.
####
(( TOT = ( ( SUBTOT * ORDMAG ) + NVALUE ) + LOWUID ))
print ${TOT}
return 0
}
################################################################
function usagemsg_mkascii {
print "
Program: mkascii
This function accepts an associative array variable name
as the first command line argument, and builds an ASCII
table of characters in that array. The index of the
associative array is the ASCII character. The value
contained in each array element is the decimal, hex, or
octal number associated with the ASCII character array
index.
Usage: ${1##*/} ArrayName
Where:
ArrayName = Name of a predefined associative array
Author: Dana French (dfrench@mtxia.com) Copyright 2004
\"AutoContent\" enabled
"
}
################################################################
####
#### Description:
####
#### The "mkascii" function returns an ASCII table of
#### characters in an associative array. The index of the
#### associative array is the ASCII character. The value
#### contained in each array element is the decimal, hex, or
#### octal number associated with the ASCII character array
#### index.
####
#### The "mkascii" function will accept one or two command
#### line arguments. The first is the name of a predefined
#### associative array, the optional second command line
#### argument can be specified to designate the type of value
#### (decimal, octal, hexidecimal) to return in the
#### associative array. Decimal values are returned
#### default. If the value of the second command line
#### argument is "8", octal values are returned, if the value
#### of the second command line argument is "16", hexidecimal
#### values are returned.
####
#### Assumptions:
####
#### It is assumed the first command line argument is the
#### name of a predefined associative array. If the second
#### command line argument is not specified, it is assumed
#### the user is requesting decimal values be returned in the
#### array.
####
#### Dependencies:
####
#### The only valid values for the second command line
#### argument are "8" (octal) and "16" (hexidecimal).
#### Any other values for the second command line argument
#### will result in an error.
####
#### Products:
####
#### The product of the "mkascii" function is the completion
#### of a predefined associative array indexed by the ASCII
#### character whose value is the decimal, octal, or
#### hexidecimal number that represents the ASCII character.
####
#### Configured Usage:
####
#### The "mkascii" function can be called from the command
#### line, script, or another function.
####
#### Details:
####
################################################################
function mkascii
{
####
#### If the first command line argument is a literal "-?",
#### display the usage message and exit the function with an
#### unsuccessful return code.
####
[[ "${1}" == "-?" ]] && usagemsg_mkascii "${0}" && return 1
####
#### Establish a value variable to contain a decimal value associated
#### with each ASCII character. The variable containing the
#### decimal value is unevaluated because the evaluation will
#### take place later.
####
typeset VAL='${CNT}'
####
#### If the second command line argument is "8", change the
#### value variable to contain a statement that will be
#### evaluated later to octal values.
####
[[ "_${2}" != "_" && "_${2}" = "_8" ]] && VAL='$( printf "%o" 0x${i}${j} )'
####
#### If the second command line argument is "16", change the
#### value variable to contain a statement that will be
#### evaluated later to hexidecimal values.
####
[[ "_${2}" != "_" && "_${2}" = "_16" ]] && VAL='${i}${j}'
####
#### Using the first command line argument as the name of a predefined
#### associative array, create a name reference to that array.
####
nameref ASCII_TABLE="${1}"
####
#### Initialize a loop counter incremented by one each time
#### through the loop. This counter is used to represent the
#### decimal value of the ascii character.
####
typeset CNT=0
####
#### Loop through the double digit hexidecimal values for all
#### ASCII characters.
####
for i in 0 1 2 3 4 5 6 7 8 9 A B C D E F
do
for j in 0 1 2 3 4 5 6 7 8 9 A B C D E F
do
####
#### Evaluate the ASCII character from the double digit
#### hexidecimal value for the current iteration of the
#### loops. Also evaluate the decimal, octal or hexidecimal
#### value associated with the ASCII character. Assign
#### the resulting value to the associative array using the
#### "nameref" variable.
####
eval ASCII_TABLE[\\$(print -- $( printf "\\\0%o" 0x${i}${j} ) )]=\"${VAL}\" 2>/dev/null
####
#### Increment the loop counter by one (used to represent
#### decimal values of each ASCII character
####
(( CNT = CNT + 1 ))
####
#### Return to the beginning of the loop to evaluate the next
#### character in the ASCII sequence.
####
done
done
}
################################################################
####
#### Call the "mkuid" function with all command line arguments
mkuid "${@}"
---- Cut Here ----
In the "usage message" areas of the above script, the phrase
"AutoContent Enabled" appears. This refers to a technique of commenting
scripts in such a way that documentation can be automatically generated
from the script. This has the added benefit that whenever updates to
the script are made, the documentation is automatically updated also.
Notice that all comments in the script begin with 4 hash marks (#)
followed by a space, this pattern is used to designate text used as
documentation. This automated documentation technique, referred to here
as "AutoContent", will be discussed in a later document.
The "mkuid" script shown above is composed of shell functions so
that, if desired, the script can be separated into individual components
and called from a shell function library. Otherwise, it can be executed
as-is from the command line.
Standards: Group Names and GID Numbers
- Since the group names will likely not conform to the same
standard selected for the usernames, a different mechanism is required
to provide the group name/GID number associations. Software vendors,
suppliers, and internal operations will specify group names that must be
implemented as-is. For instance the Informix database will require the
group name "informix" be implemented on each system running the
database.
- The recommended UID calculation method which implements a base
26 conversion of the username to a decimal value cannot be used in this
instance, because it will generate decimal values greater than that
supported by AIX and/or HACMP. Therefore and alternate method is needed
for GID calculations. The previously mentioned Berkeley "sum -r" method
will likely suffice for this purpose. The limitation of 65,536 names
does not cause a problem in reference to defining group names, because
it is extremely unlikely that this limitation would ever be reached.
So the recommended algorithm to use for defining the group name/GID
number associations is the Berkeley "sum -r" method:
$ print "informix" | sum -r
21883 1
Whatever unique UID/GID calculation algorithm is selected, chosen,
or written, it is important that it be implemented enterprise wide to
eliminate security issues and failover conflicts during high
availability or disaster recovery events. This technique also provides
added security during normal maintenance activities by insuring files
are not accidentally assigned to a user or group that does not own the
file.
Procedures: User and Group Names - UID/GID Numbers
- As part of the standard build for each AIX system, copy the
"mkuid" script to each system, the recommended location is:
/usr/local/sh/mkuid
- When implementing a new user on an AIX system thru the "SMIT"
interface, the UID number should first be calculated. An example is
shown for a username "abc1234":
/usr/local/sh/mkuid abc1234
- The resulting number should be used as the "User ID" value when
adding the user "abc1234" on an AIX system thru the "SMIT"
interface.
- When implementing a new user thru a script, the resulting number
from the "mkuid" calculation should be captured into a variable and used
as the UID number.
- When implementing a new group on an AIX system thru the "SMIT"
interface, the GID number should first be calculated using the Berkeley
"sum -r" method. An example is shown for a group name "informix":
$ print "informix" | sum -r | awk '{ print $1 }'
21883
- The value "21883" should be used as the Group ID number when
adding the group "informix" on an AIX system thru the "SMIT" interface.
- When implementing a new group thru a script, the resulting
number from the "sum -r" calculation should be captured into a variable
and used as the GID number.
Conclusion:
The result of standardizing user names, group names, UID numbers,
and GID numbers includes the following:
- Individual login names for each user
- Capable of centralized user/group management
- Increased security
- Improved auditing capabilities
- Avoidance of user name conflicts
- Avoidance of group name conflicts
- Avoidance of UID conflicts
- Avoidance of GID conflicts
- Avoidance of Security holes during and after DR
Conflict avoidance is important during a disaster recovery effort
because conflicts tend to consume large amounts of time. The last place
you want to redesign and implement new user/group standards are when you
are at your disaster recovery site attempting to recover your production
systems. For most organizations, their disaster recovery provisions are
not an exact duplicate of their production systems. In a disaster
recovery implementation, multiple systems may be consolidated onto a
single platform. This consolidation will expose conflicts such as
user/group names and ID numbers, and will require these conflicts be
resolved before the production systems can be recovered.
For those organizations where the disaster recovery provisions are
an exact duplicate of their production systems, standardization of
user/group names and ID numbers using this technique, is also highly
desirable for the purpose of simplifying user/group support, maintenance
and security. Again, file security on AIX is enforced by UID/GID
numbers, not user/group names; therefore the production and disaster
recovery systems must be synchronized on this aspect.
The best way to avoid conflicts during disaster recovery is to
implement and enforce policies, guidelines, standards, and procedures to
eliminate conflicts as part of your enterprise wide business continuity
planning.
The next document in this series will discuss naming structures for
machines, hosts, adapters, resource groups, and aliases for use in a
business continuity environment.
|
|