[6206] in Release_7.7_team


Re: Low UIDs and GIDs

daemon@ATHENA.MIT.EDU (Jonathan Reed)
Wed Feb 11 12:07:32 2009

Cc: release-team@mit.edu
Message-Id: <E830C2C0-2C1E-4443-AB82-285D7C28B339@mit.edu>
From: Jonathan Reed <jdreed@MIT.EDU>
To: "Michael R. Gettes" <gettes@mit.edu>
In-Reply-To: <118D8A13-B13C-4A0F-BCBE-C38972856470@mit.edu>
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v919.2)
Date: Wed, 11 Feb 2009 12:06:54 -0500
X-Spam-Flag: NO
X-Spam-Score: 0.00

> ok, so a proper response to this analysis (from me) would be "oh crap".

Yup.

> This is quite a significant problem from a user support perspective.
> Do we think there is some "easy-ish" mechanism we could put in place
> to migrate users to different UIDs and hopefully deal with the problems
> as they come thru such a mechanism?  Maybe a web page to "heal my UID"
> and it does all the right magic behind the scenes if the user is logged
> out of all unix instances?  Maybe same thing for the GIDs?

I believe the answer is "No, not really", since while we can easily  
change the UID, and mostly easily fix permissions in the user's  
locker, we can't easily crawl AFS and find every instance of a  
directory with that PTS ID on it and fix it, as well as fixing the  
owner/group of the files themselves.  Nor do I think we can leave it
to the users to fix it every time they encounter something in AFS they
used to be able to access but no longer can.

It may be that the majority of these users don't have much in AFS  
outside their homedir, but we can't know that until we crawl AFS, for  
which we currently lack a tool (ops' "janitor" can, in theory, be  
modified).

-Jon

