[Tip] Housekeeping Tasks Made Easy - User Home directories and Leftover Files

We regularly have questions about how to create users and user accounts. But regularly user accounts need to be deleted too. It is quite easy to delete the user account itself, but usually the HOME directory of the user remains.

It is good style to remove these directories, but simply deleting them can pose a problem: just because an account no longer exists doesn't mean all its files are useless. It therefore makes sense to back up these directories and keep the backups somewhere safe in case they are needed again.

Here is a little script that searches the /home directory for directories with no owner - these usually are the leftover home directories of deleted accounts - then creates a gzipped tar archive of each and finally deletes the directory itself.

Here it is:

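root@system # find /home/* -type d -prune -nouser | while read -r DIR ; do
                  cd "${DIR%/*}" || continue
                  # archive first; delete the directory only if the archive was written
                  tar cf "/home/${DIR##*/}.tar" "${DIR##*/}" &&
                  gzip -9 "/home/${DIR##*/}.tar" &&
                  rm -rf "${DIR}"
              done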

After running this, look for "*tar.gz" files in /home. These are the archives. Put them on long-term storage or whatever you want to do with them.

Another thing is files and directories with no owner. In principle such a thing should not exist, but updates (even from renowned manufacturers like IBM) regularly introduce these, because they forget to remove their developers' ownership when they create their packages for the rollout. In the last years I regularly found such files in freshly updated AIX systems.

Tarballs also regularly introduce such files because they restore their content with all the ownership information of the system the tarball was created on. Usually this is an intended effect, but if you download something from a foreign system (i.e. from somewhere on the internet) this poses a problem.

First, search for such files to get an impression of what the problem is:

find / -nouser -print > /tmp/found_files

You may want to exclude some directories - e.g. application directories - from this search because the application team is responsible for them and has to take care of these. You can exclude a directory like this:

find / -name dir_to_exclude -prune -o -nouser -print > /tmp/found_files

I suggest you carefully analyze the content of the file /tmp/found_files. It is always better to check first than to fix later. If you are satisfied and want all the files to be changed - usually to root:system, root:root or something similar, depending on your system - you can run:

find / -name dir_to_exclude -prune -o -nouser -exec chown root:system {} \;

If you want to give some of the files to other users/groups just do that (manually or by a variation of the above line) before running this command. Once they have a proper ownership they are ignored because of the -nouser clause.

I hope this helps.

bakunin

4 Likes
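An added example, not part of the original post: one way to do the "analyze first" step is to summarise the unowned entries per numeric UID:GID and pull out the ones that deserve a manual look (setuid/setgid, world-writable) before any blanket chown. The function names `summarize_unowned` and `sample_listing` are hypothetical, the input is assumed to be `ls -ldn` output for regular files and directories, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Real input could be produced with
#   find / -name dir_to_exclude -prune -o -nouser -exec ls -ldn {} +
# Assumption: one `ls -ldn` line per entry, no newlines in file names.
summarize_unowned() {
    awk '
    {
        perms = $1; uid = $3; gid = $4
        # Rebuild the path from field 9 onward so names with spaces survive.
        path = $9
        for (i = 10; i <= NF; i++) path = path " " $i
        count[uid ":" gid]++
        # setuid/setgid appear as s or S in the owner/group execute slot.
        if (substr(perms, 4, 1) ~ /[sS]/ || substr(perms, 7, 1) ~ /[sS]/)
            print "REVIEW setid " uid ":" gid " " path
        # World-writable: character 9 of the mode string is "w" (skip symlinks).
        else if (substr(perms, 1, 1) != "l" && substr(perms, 9, 1) == "w")
            print "REVIEW world-writable " uid ":" gid " " path
    }
    END {
        # One line per orphaned UID:GID pair with the number of entries.
        for (k in count) print "COUNT " k " " count[k]
    }' | LC_ALL=C sort
}

# Constructed sample listing (not real system output).
sample_listing() {
cat <<'EOF'
-rw-r--r-- 1 1042 205 1833 Jan  5  2021 /opt/pkg/README
-rwsr-xr-x 1 1042 205 48120 Jan  5  2021 /opt/pkg/bin/helper
drwxrwxrwx 2 1042 205 256 Jan  5  2021 /opt/pkg/spool dir
-rw-r----- 1 3007 1 512 Mar 12 09:14 /home/olduser/.profile
EOF
}

sample_listing | summarize_unowned
```

The COUNT lines show which vanished UIDs the files came from, which helps decide whether they belong to a deleted account or to a vendor package, and the REVIEW lines are the entries to look at by hand before changing their ownership.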

I once had two scripts for our customer:

  1. scanning "unowned" homedirs for recently accessed files. If nothing found, delete. If something found, display it and stop the search - and do not delete.
  2. scanning shared project directories in "deepest first fashion" (find -depth), and assign each "unowned" directory to the owner of its parent directory.
1 Like

I run a similar, but different, script like this to scan an entire web file system and check ownership and permissions of each file and directory in that part of the filesystem, as a security measure.

When filesystems are secure, it is difficult for malicious code from the web to write to the file system using flaws in the web code.

1 Like

Yes, that is another possible solution. A problem could be that users put things in their homedir crontab and so some files get regularly accessed even if the accounts are deleted. Whether this or my solution is better perhaps depends on the environment you work in, the policies in place and - last but not least - personal taste. The real point, though, is to take care of (removed users') data in some way in particular, and not to let data waste accumulate on the system in general.

This is a very good idea! I will update the above script eventually when I find time.

I hope this helps.

bakunin