As you know, every file in your Unix OS belongs to some user and some group. It is very easy to confirm the ownership of any file because the user ID and group ID which own the file are always stored with the file. However, sometimes you can’t tell which user owns the file, and today I’m going to explain why. It’s a rather lengthy post and a complicated matter, so please leave questions or comments to help me polish this article off.
If you look at any file using the ls command, you will see an output like the one shown below – it reveals the file access permissions, the user and group ID of the owner, the modification timestamp and the file name itself:
In this example, the /tmp/myfile file belongs to me, hence the username is greys. It also belongs to my default (primary) Unix group – admin.
Similarly, ownership of any file or any directory can be confirmed for every object in the available filesystems. Here are just a few more examples; these are standard system files belonging to root:
Sometimes though, you will look at a file and instead of the username you will see a numeric ID:
The reason a numeric ID (1006 in the example above) is shown instead of a username is that your system doesn’t recognize this ID – it can’t be associated with any username known to your Unix OS.
There are a few possible scenarios for this to happen, but most likely the user has been removed since the file was created. Naturally, deleting a user doesn’t automatically mean removing every single file belonging to that user, which is why the files stay but can no longer be associated with an existing user. All they have to show is the user ID which once owned the file.
Unfortunately, there are no easy ways to recover the username (or any other user-specific information) based on a mysterious user ID some of your files might have. There are a few things you can try though.
It can be the case that the Unix account was a local one automatically created by your system administrators. There’s still a chance the same uid exists on other systems. Log into a few of them and verify if they have a user with the same user ID (read this post for more information: How to Find Out user id):
The same tip applies in the case of more mature environments where Unix systems don’t have local users, but instead rely on NIS or LDAP for accessing user account information.
If your system for whatever reason can’t access the centralized storage for users, you will experience the same symptoms – most files belonging to users will appear to have numeric IDs instead of usernames. Most likely though, you’ll have more important problems in this case – like not being able to log in as anything else but root (which is an administrative account always created locally on each system).
When a new user is added to a Unix system, it usually gets a home directory assigned to it. Creating a home directory is not a default behaviour at times, but it’s a good practice and so there’s a very high probability that the user you’re looking for had a home directory. Removing home directories isn’t usually done at the same time as a user is removed, so there’s also a good chance that even though the user isn’t found anymore, the home directory is still there.
What you should be looking for is a home directory which belongs to the same user id which some of the unidentified files of yours belong to.
Simply run the ls command on the /home directory and see if any of the directories there appear to have numeric IDs instead of usernames:
As you can see, sometimes you might get lucky – the directory is there, and since most home directories usually have the same name as the username which owns them, you can deduce that the username of the user ID 1006 was “mike”. You can now recreate Mike’s account and it will be immediately reflected for all the files owned by user ID 1006:
Sometimes users are created in batches, and you can guess who the user was by looking at which users were created before and after. All you have to do is to use the same getent passwd approach for user IDs which are smaller or larger than the one you want to identify.
Another way to use other users’ information to your advantage is to verify which groups they belong to and to then query the groups to see if they have any members not currently known to your system. This will only work for NIS/LDAP groups, not local ones. What could happen is that even though a user was removed, the username is still listed in a few NIS groups.
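The home-directory and neighbouring-ID checks described above can be scripted. The following is an added example, not code from the original post; the function names are hypothetical and it assumes home directories live under /home:

```python
import pwd
from pathlib import Path


def uid_is_known(uid):
    """True if the user database (local files, NIS or LDAP via NSS) resolves uid."""
    try:
        pwd.getpwuid(uid)
        return True
    except KeyError:
        return False


def orphaned_home_candidates(home_root="/home", is_known=uid_is_known):
    """Map each unresolvable UID that owns a directory under home_root to the
    names of those directories. Each name is only a guess at the old username."""
    candidates = {}
    for entry in sorted(Path(home_root).iterdir()):
        # Skip plain files and symlinks: only real directories count as homes.
        if entry.is_symlink() or not entry.is_dir():
            continue
        uid = entry.lstat().st_uid
        if not is_known(uid):
            candidates.setdefault(uid, []).append(entry.name)
    return candidates


def neighbouring_accounts(uid, span=3):
    """Existing accounts whose UIDs are within span of uid (batch-creation hint)."""
    found = []
    for other in range(max(uid - span, 0), uid + span + 1):
        if other == uid:
            continue
        try:
            found.append((other, pwd.getpwuid(other).pw_name))
        except KeyError:
            pass  # this neighbouring UID is not assigned either
    return found


if __name__ == "__main__":
    for uid, names in orphaned_home_candidates().items():
        print(f"uid {uid}: candidate username(s): {', '.join(names)}")
        for other, name in neighbouring_accounts(uid):
            print(f"    nearby account: {other} {name}")
```

Treat the directory name as a hint and confirm it before recreating an account with that ID, because the new account immediately owns every file that carries it.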
That’s it for today. Hope this post helps you in your investigations, and stay tuned for more!