Hack 77. Clean Up NIS After Users Depart

Don't let your NIS maps go stale! The NIS password map obviously needs maintenance, but don't forget to remove departed users from the groups they belonged to as well.

Many sites use NIS, in part because it's been there for many years and is an extremely reliable, acceptably fast, and relatively low-overhead way to run a centralized authentication directory. Over the years, tons of systems software has been written to take advantage of information supplied by NIS servers for the purposes of providing information or security to the client systems.

Though there are tools available to take care of most user-management tasks when the users reside on the local system, many of these tools don't have full support for NIS, and NIS-specific versions of these tools have yet to appear. As a result, certain portions of your NIS directory can become stale.

The NIS group map is a perfect example of this occurrence. The standard userdel command doesn't support NIS, and the groupmod command doesn't support removing a user from a group at all (gpasswd -d can, but only for groups in the local /etc/group, not in an NIS map). Most of the NIS-specific commands are either for searching the maps (e.g., ypmatch and ypcat), getting information about your client system (e.g., ypwhich and ypdomainname), or getting information about the NIS server (e.g., yppoll). No tools are available for grooming the NIS maps without opening an editor and removing entries by hand.

Therefore, if you haven't been vigilant about maintaining the maps to ensure that they're always consistent with reality, you can build up lots of stale accounts. Many sites are very vigilant about removing users from the password map, but even that is often a manual process involving opening the map in an editor and deleting the line corresponding to the departed user. What I've found, though, is that the group map is often forgotten, so you may wind up with 40 or 50 users who are assigned to groups, but whose accounts no longer exist. This makes the data in that map less usable, and depending on how the data is used, it could cause problems over time.

Take, for example, a mail server that uses the group map to create mail aliases corresponding to group names. A stale group map will place a bunch of nonexistent users in your mail aliases, which will cause your mail logs to grow out of control logging errors about nonexistent users, not to mention that mail to a "stale" alias will cause end users to receive bounce errors from the mail server.

I've written a Perl script to take care of cleaning up after user accounts that no longer exist. It sifts through the group map, and for each user, it checks for the existence of that user's account in the password map. Any users that aren't listed in the password map are neatly removed from the group map. I call the script cleangroup.

8.10.1. The Code

    #!/usr/bin/perl
    ## looks up all members of each group via 'ypmatch $user passwd' and
    ## deletes any users from a given group file which aren't found.
    ## Output goes to STDOUT!
    use strict;
    use warnings;

    if ($#ARGV < 0) {
        die "Must specify group file.\n";
    }
    my $grpfile = $ARGV[0];
    open(GRPFILE, "<", $grpfile) || die "can't read $grpfile: $!\n";

    my %seen;    # cache of ypmatch results, so each name is looked up once

    while (<GRPFILE>) {
        chomp;
        my ($group, $pwd, $id, $members) = split(/:/);
        $members = "" unless defined $members;    # group with no members
        my @unames = split(/,/, $members);
        my @keep;                                 # members that still exist
        foreach my $i (@unames) {
            next if $i eq "";                     # stray empty field
            if ($i eq "root") {
                push @keep, $i;                   # never drop root
                next;
            }
            if (!exists $seen{$i}) {
                # quotemeta keeps odd characters in a user name from being
                # interpreted by the shell that runs ypmatch
                my $q = quotemeta($i);
                $seen{$i} = (`ypmatch $q passwd 2>/dev/null` ne "") ? 1 : 0;
            }
            push @keep, $i if $seen{$i};
        }
        # rebuild the member list from the kept names instead of editing the
        # original string with s///, which mishandled adjacent removals
        # (",,") and names that are a prefix of another name
        print "$group:$pwd:$id:" . join(",", @keep) . "\n";
    }
    close(GRPFILE);

8.10.2. Running the Code

I run cleangroup in the directory containing the NIS maps. For safety's sake, I have the script output to stdout instead of changing the map in-place. I redirect the output to a file, run a quick diff to see what was changed, and then copy the new map over the old one. On a typical NIS master the file you edit is the source for the map, so after the copy the dbm map still has to be rebuilt and pushed to the slaves (normally by running make in /var/yp). Here are the commands I use:

    # ./cleangroup groupmap > newgroupmap
    # diff groupmap newgroupmap

This should output lines similar to the following:

    104c104
    < stuff:*:20205:ken,maria,mike,tier,matt,jonesy,russ,allen
    ---
    > stuff:*:20205:ken,maria,mike,tier,matt,russ,allen
    252c252
    < things:*:140:dan,chase,chandler,christian,chance,steph,jonesy
    ---
    > things:*:140:dan,chase,chandler,christian,chance,steph

You'll notice that in each case the account jonesy was removed, once from the middle of the list and once from the end. I've yet to have any problems with this script, so I hope you find it as useful as I have!
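As an added example that is not part of the book's hack, the same clean-up written in Python. It differs from cleangroup in two ways a practitioner may prefer: it reads the password map once (the output of ypcat passwd) instead of running ypmatch for every member of every group, and it compares whole user names rather than editing the member string with a regex, so adjacent stale members and names that are a prefix of another name are handled correctly. Lines it does not recognise as group entries pass through unchanged. The ypcat and group-map text below is constructed for illustration; the function names are this example's own.

```python
"""Added example, not the book's cleangroup script: prune members that are
no longer in the NIS password map from a group-map source file."""
import subprocess
import sys

# Constructed `ypcat passwd` output: four live accounts, no "jonesy".
SAMPLE_PASSWD = """\
ken:x:1001:100:Ken:/home/ken:/bin/bash
maria:x:1002:100:Maria:/home/maria:/bin/bash
mike:x:1003:100:Mike:/home/mike:/bin/bash
russ:x:1004:100:Russ:/home/russ:/bin/bash
"""

# Constructed group-map source: a stale member in the middle of a list, at
# the end of a list, and two adjacent stale members in one list.
SAMPLE_GROUP = """\
stuff:*:20205:ken,maria,jonesy,mike,russ
things:*:140:ken,mike,jonesy
wheel:*:10:root,ken
empty:*:999:
odd:*:1000:ken,jonesy,oldbob,russ
"""


def passwd_users(passwd_text):
    """Return the set of login names in a passwd-format map dump."""
    users = set()
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        users.add(line.split(":", 1)[0])
    return users


def clean_group_line(line, valid_users, keep=("root",)):
    """Drop members of one group line that are not in valid_users.

    Blank lines, comments and lines with fewer than four fields are
    returned unchanged rather than guessed at.  Names in `keep` (root by
    default, as in cleangroup) are never removed.
    """
    if not line or line.startswith("#"):
        return line
    fields = line.split(":")
    if len(fields) < 4:
        return line
    members = [m for m in fields[3].split(",") if m]   # drop empty fields
    fields[3] = ",".join(m for m in members if m in valid_users or m in keep)
    return ":".join(fields)


def clean_group_map(group_text, valid_users):
    """Clean every line; return (new_text, removed) where removed is a list
    of (group, user) pairs to show alongside the diff before installing."""
    out_lines = []
    removed = []
    for line in group_text.splitlines():
        new = clean_group_line(line, valid_users)
        if new != line:
            before = set(line.split(":")[3].split(","))
            after = set(new.split(":")[3].split(","))
            for user in sorted(before - after):
                removed.append((line.split(":")[0], user))
        out_lines.append(new)
    return "\n".join(out_lines) + "\n", removed


def main(argv):
    """Usage: cleangroup.py GROUPFILE > newgroupfile  (then diff, then copy)."""
    if len(argv) != 2:
        sys.exit("usage: cleangroup.py groupfile > newgroupfile")
    # one round trip to the NIS server instead of one per group member
    dump = subprocess.run(["ypcat", "passwd"], check=True,
                          capture_output=True, text=True).stdout
    users = passwd_users(dump)
    with open(argv[1]) as f:
        new_text, removed = clean_group_map(f.read(), users)
    sys.stdout.write(new_text)
    for group, user in removed:      # summary on stderr, map on stdout
        print(f"removed {user} from {group}", file=sys.stderr)


if __name__ == "__main__":
    main(sys.argv)
```

The map still goes to stdout so the diff-and-copy review step from above is unchanged; the removal summary goes to stderr so it never ends up in the new map file.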



Linux Server Hacks (Vol. 2)