[SUMMARY] Recovering file ownership/permissions after recursive chown/chmod

From: foster@bial1.ucsd.edu
Date: Tue May 18 1999 - 13:22:36 CDT


Problem:

  User did "chown -R novice-user root"...can I recover file attributes
  without having to re-install OS?

  Note: I should have mentioned that there were *no* backups available.

Answer: Yes!

  1) Boot single-user from cdrom: ok boot cdrom -s

  2) Mount affected file systems at /a, for example

        mount /dev/dsk/c0t0d0s0 /a
        mount /dev/dsk/c0t0d0s1 /a/var
        etc...

  3) pkgchk -R /a -f

Since the user had ctrl-c'd out fairly quickly, damage was limited to /usr,
which is a good thing in terms of using pkgchk to correct it. Turns out,
only a handful of left-over files remained that had to be chown'd by hand.

This machine is urgently needed for getting ready for grand deadlines,
so this is my solution for now. If anything turns up broken I will do
a re-install of the OS.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Some other interesting solutions included (1) writing a script to use the
permissions in /var/sadm/install/contents to create a script of chown
commands for all or affected files; or (2) using find on a "clean" system with
the same OS (and hopefully same patches) to generate a script of
chown commands for the files, and running this on the broken system.

Andrew Watkins provided a script to do (1) for files owned by a specified user:

   # cat fixit.sh
   find /MountPointOfRoot -user novice-user -exec grep {} /var/sadm/install/contents \; | \
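   nawk ' {
        # device entries (b, c) list major/minor first, so the owner is field 7
        if ( $2 == "b" || $2 == "c" ) {
                print "chown "$7, $1
        }
        # link entries (s, l) record no owner; other types have it in field 5
        else if ( $2 != "s" && $2 != "l" ) {
                print "chown "$5, $1
        }

   }'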

Another approach to do (1) was provided by Dave Mitchell (assuming root
disk mounted on /a):

   #!/bin/sh
   grep -v '^#' /a/var/sadm/install/contents | \
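   awk '{
        # block and character devices: owner is field 7
        if ($2 ~ /^[bc]$/)
                print "chown "$7" /a"$1
        # directories, files and pipes: owner is field 5
        if ($2 ~ /^[defvxp]$/)
                print "chown "$5" /a"$1
        }' | sh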

Jochen Bern provided a handy command to do (2):

find / ! -fstype ufs -prune -o -ls | awk '{ printf "chown %s %s\n",$5,$11 }' > /some/file

Some suggested doing a "chown -R root /" and then changing ownership on
user directories and such, but others (including myself) caution
against this, as many files are not owned by root, and this would
break things and create security holes.

One person suggested using rdist:

   On goodhost, mount / as a loopback fs to avoid crossing mount points:
   mkdir /root
   mount -F lofs / /root
   rdist -cv /root badhost:/

   This form of rdist will NOT change anything on badhost, but will report
   which files are different. When you remove -v from rdist, it will copy
   files from goodhost to badhost when they are different.

I wasn't feeling this adventuresome.

Some said that a re-install of the OS was the best/only solution to
ensure that the file attributes are correct.

One person suggested the "aset" command. While this command can restore
file attributes, it is intended to check for security holes, and therefore
only checks certain files for attribute problems.

Quote of The Day:

   "You won't find this situation in any book, because in the real world
   novice users don't get the root password." -Colin Melville

   A-freakin-men!!

Best Advice: (Gerhard den Hollander)

   Your safest bet is to
   1) Shoot the machine owner
   2) Shoot the novice user
   3) Hide the bodies
   4) reinstall the OS

A HUGE thanks to the following (I was overwhelmed by the number of people
who took their time to help):

aravind.mallipudi@us.socgen.com
Marco Greene <cmgreene@netcom.ca>
Jonathan.Loh@BankAmerica.com
Ken Brush <kn-brush@uchicago.edu>
stephen.w.mclaughlin@bellatlantic.COM
Michael Steeves (msteeves@applix.com)
Mark Lundy <mlundy@atd.sprintcorp.com>
Alex Lattanzi <alattanzi@impsat1.com>
"Kruse, Jason K." <jason.kruse@teldta.com>
Michael Kriss <kriss@fnal.gov>
Sanjaya Srivastava <sanjaya.srivastava@eng.sun.com>
Jochen Bern <bern@penthesilea.uni-trier.de>
Colin_Melville@mastercard.com
Forrest Black/"Peter L. Wargo" <plw@ncgr.org>
Todd Boss <boss@netcom.com>
Richard Smith <rc.smith@ibm.net>
Marcos Padilla <mpadilla@cientec.cl>
"Deepak Wilson" <dwilson@imsn.net>
Fischer Jens <fischjns@kat.ina.de>
"David Evans" <DJEVANS@au.oracle.com>
Casper Dik <casper@holland.sun.com>
"Goldthorp, Jonathan" <GoldthJJ@BankofBermuda.com>
Cliff Skolnick <cliff@steam.com>
Gerhard den Hollander <gerhard@james.jason.nl>
Anthony Worrall <adw@isg.cs.reading.ac.uk>
Andrew Watkins <andrew@dcs.bbk.ac.uk>
"Hemming, Oliver" <HemmingO@nasd.com>
davem@fdgroup.co.uk (David Mitchell)
"Petersen, Dwight" <dpeters@nswc.navy.mil>
Daniel Ellis <dellis@frycomm.com>

Original Question:

> I have an urgent problem on a system whose owner gave out the root
> passwords to its users, and one rather novice user promptly did:
>
> chown -R novice-user /
>
> He realized what he did and ctrl-c'd out, but the damage has been done,
> we cannot login from the console (or remotely of course).
>
> So once I login from CDROM and mount the drives, is there a way to restore
> default permissions for system files? Is a re-install of the OS necessary?
> The system is Solaris 2.6 with Recommended patches.
>
> I've checked the FAQ and several sys-admin books, but didn't find anything.
> I'll continue searching but need to come up with something fast, and I'd
> really appreciate any help.
>
> Thanks and I'll summarize.
>
> Dave Foster
>

  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    David S. Foster Univ. of California, San Diego
     Programmer/Analyst Brain Image Analysis Laboratory
     foster@bial1.ucsd.edu Department of Psychiatry
     (619) 622-5892 8950 Via La Jolla Drive, Suite 2240
                            La Jolla, CA 92037
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
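
Solution (1) from the summary above, as an added example that is not part of the original post: it turns contents-file lines into chown/chgrp/chmod commands that are printed for review rather than piped straight to sh. The function name gen_fix_cmds, the sample lines (constructed) and the field layout (assumed from pkgmap(4)) are not from the post.

```shell
#!/bin/sh
# Field layout assumed from pkgmap(4) / the contents file:
#   f,e,v,d,x,p : path type class mode owner group ...
#   b,c         : path type class major minor mode owner group ...
#   s,l         : path=target type class pkg ...   (no owner recorded)

gen_fix_cmds() {    # usage: gen_fix_cmds ALTROOT < contents
    awk -v root="$1" '
    BEGIN { safe = "^[A-Za-z0-9_.+,:@%/-]+$"; name = "^[A-Za-z0-9_.-]+$" }
    /^#/ || NF < 4 { next }                 # header comments, short lines
    {
        if ($2 ~ /^[fevdxp]$/)  { mode = $4; own = $5; grp = $6 }
        else if ($2 ~ /^[bc]$/) { mode = $6; own = $7; grp = $8 }
        else next                           # s, l, i: nothing to restore
        path = root $1
        # The output will be run as root, so refuse anything that is not a
        # plain path, a plain user/group name and an octal mode ("?" included).
        if (path !~ safe || own !~ name || grp !~ name || mode !~ /^[0-7]+$/) {
            print "# skipped contents line " NR ": unexpected characters"
            next
        }
        print "chown " own " " path
        print "chgrp " grp " " path
        print "chmod " mode " " path
    }'
}

# Constructed sample lines in the contents layout (not from a real system).
SAMPLE='# constructed sample
/usr/bin/ls f none 0555 bin bin 18120 5745 872038080 SUNWcsu
/usr/bin/su f none 4555 root sys 17976 45345 872038105 SUNWcsu
/usr/lib d none 0775 root bin SUNWcsu
/dev/null=../devices/pseudo/mm@0:null s none SUNWcsd
/devices/pseudo/mm@0:null c none 13 2 0666 root sys SUNWcsd
/usr/bin/$(id) f none 0555 bin bin 1 1 1 BADPKG'

# Generate commands for a root disk mounted on /a, as in the post.
printf '%s\n' "$SAMPLE" | gen_fix_cmds /a
```

Redirect the output to a file and read it before running it; on a real system the input would be /a/var/sadm/install/contents.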
   


