[Dorset] Off Topic: SunOS Help needed

2010-02-23 Thread d-...@hadrian-way.co.uk
Hi,
 
We have a customer who is using SunOS on Sparc Workstations to run a test
station.  Some time ago, we developed a number of test programs for this system
and we are now in the business of supporting them.  These programs all run
inside their own environment and are written in a test specific language. 
However, we needed to do something special for one of these programs so we
produced a small utility in C to interrupt the testing from inside a loop.  At
the time, we knew little about Unix programming (because our coders are all
Windows folks), so this list gave me some pointers (especially Ralph).
 
This program has been in use regularly, but infrequently, ever since and has
been working fine.  However, the customer has recently gone through an upgrade
program and the utility no longer works.  They have new physical hardware, but
the old machine exhibits the same problem.  The change is the version of the OS
which has gone from 5.7 to 5.8.
 
We asked them to list the contents of the directory that contains the binary,
and they got:
 
merlin:admin:>ls -la
total 42
drwxrwxrwx   2 admin    mats         512 Feb 16 09:24 ./
drwxrwxrwx  13 root     root        1024 Feb 23 07:05 ../
-rwxrwxrwx   1 admin    mats        9373 Feb 16 09:24 checkforstop*
-rwxrwxrwx   1 admin    mats        8942 Feb 16 09:24 startloopstop*
 
The user admin is listed as the account for installing software and he gets a
csh to use.  I'm fairly unfamiliar with the csh, so I've had to feel my way
around using our reference machine (which is still running SunOS 5.7) to remind
myself what we did.  Here is what I've found:
 
1.  If I enter ./startloopstop, I get the small dialogue box which gives the
user control over the running program.  When this is pressed a small file is
written to the local directory, which is the signal, via checkforloopstop, to
the running test program to exit the loop.  This works fine for me.  When the
customer tries to do this, he gets 'Permission denied' when he types
./startloopstop.  What other things could prevent execution, bearing in mind the
file and directory permissions seem to allow anyone to do anything?
2.  If I open the passwd file, it tells me that the user called admin is a
member of the mats group with the following entry:
  admin:x:500:1208: Administration Account for Installing Software: /home/: /bin/csh
(the mats group has the ID 1208.)
2a. Does the x signify that the user has execute privilege or is that something
else?
2b. If I type group mats I get permission denied, even when logged in as root. 
Why is that?  I understood that this is a valid command.
2c. There is a file called profile in /etc, is that relevant?  It seems to be a
script.  At the bottom of this file is the single line umask 022.
3.  In a csh, how do I find where I am?
4.  In a csh, should apropos work?  I can do man apropos, but foobar anything
simply lists the paths that it has searched and failed to find man pages.
 
All help gratefully received.
-- 
Next meeting: Dorchester, Tue 2010-03-02 20:00
http://dorset.lug.org.uk/ http://www.linkedin.com/groups?gid=2645413
   Chat: http://www.mibbit.com/?server=irc.blitzed.org&channel=%23dorset
   List info: https://mailman.lug.org.uk/mailman/listinfo/dorset

Re: [Dorset] Off Topic: SunOS Help needed

2010-02-23 Thread John Cooper
On 23/02/10 14:47, d-...@hadrian-way.co.uk wrote:

>  
> The user admin is listed as the account for installing software and he gets a
> csh to use.  I'm fairly unfamiliar with the csh, so I've had to feel my way
> around using our reference machine (which is still running SunOS 5.7) to
> remind myself what we did.  Here is what I've found:
>  
> 1.  If I enter ./startloopstop, I get the small dialogue box which gives the
> user control over the running program.  When this is pressed a small file is
> written to the local directory, which is the signal, via checkforloopstop, to
> the running test program to exit the loop.  This works fine for me.  When the
> customer tries to do this, he gets 'Permission denied' when he types
> ./startloopstop.  What other things could prevent execution, bearing in mind
> the file and directory permissions seem to allow anyone to do anything?

Remember anyone can run the file but it doesn't mean the programme can
write to the directory, so this is most likely the problem. For
security, startloopstop should not have write access, so should be set
to either 755 or 555.

> 2.  If I open the passwd file, it tells me that the user called admin is a
> member of the mats group with the following entry:
>   admin:x:500:1208: Administration Account for Installing Software: /home/:
> /bin/csh
> (the mats group has the ID 1208.)
> 2a. Does the x signify that the user has execute privilege or is that
> something else?
The x signifies the password is kept in a separate file called
/etc/shadow (the original passwd format held the actual password in that
field but it was moved to a different file for security; only root has
access to /etc/shadow).
> 2b. If I type group mats I get permission denied, even when logged in as
> root.  Why is that?  I understood that this is a valid command.

On Linux and Solaris it is "groups matt"

> 2c. There is a file called profile in /etc, is that relevant?  It seems to be
> a script.  At the bottom of this file is the single line umask 022.

sequence of startup-files for

sh, ksh, bash: 1. /etc/profile, 2.$HOME/.profile

csh: 1. /etc/.login, 2. $HOME/.cshrc, 3. $HOME/.login


> 3.  In a csh, how do I find where I am?

In csh all commands are the same as bash or sh, but it uses .login and .cshrc
instead of .bashrc or .bash_profile when you log on or start a csh. Check
if both of these files exist. Path will be set using

set path = ($path $home/bin .)


> 4.  In a csh, should apropos work?  I can do man apropos, but foobar anything
> simply lists the paths that it has searched and failed to find man pages.
>  

Sounds like your path is not set up.

http://developers.sun.com/solaris/articles/man_pages.html#4

-- 
--
Discover Linux - Open Source Solutions to Business and Schools
http://discoverlinux.co.uk
--



Re: [Dorset] Off Topic: SunOS Help needed

2010-02-23 Thread Terry Coles
On Tuesday 23 Feb 2010, John Cooper wrote:
> On 23/02/10 14:47, d-...@hadrian-way.co.uk wrote:
> > 1.  If I enter ./startloopstop, I get the small dialogue box which gives
> > the user control over the running program.  When this is pressed a small
> > file is written to the local directory, which is the signal, via
> > checkforloopstop, to the running test program to exit the loop.  This
> > works fine for me.  When the customer tries to do this, he gets
> > 'Permission denied' when he types ./startloopstop.  What other things
> > could prevent execution, bearing in mind the file and directory
> > permissions seem to allow anyone to do anything?
> 
> Remember anyone can run the file but it doesn't mean the programme can
> write to the directory, so this is most likely the problem. For
> security, startloopstop should not have write access, so should be set
> to either 755 or 555.

That's the part I don't understand.  The directory listing shows 
read/write/execute permissions to everyone, eg, users, group, world.  The 
admin user can write to the directory, because he installed the software in 
the first place.  He is in the mats group and so is the program binary 
startloopstop, so why can't startloopstop write to the directory?

It has been able to in the past, so what could have changed?

> > 2.  If I open the passwd file, it tells me that the user called admin is
> > a member of the mats group with the following entry:
> >   admin:x:500:1208: Administration Account for Installing Software:
> > /home/: /bin/csh
> > (the mats group has the ID 1208.)
> > 2a. Does the x signify that the user has execute privilege or is that
> > something else?
> 
> The x signifies the password is kept in a separate file called
> /etc/shadow 

Thanks.

> > 2b. If I type group mats I get permission denied, even when logged in as
> > root. Why is that?  I understood that this is a valid command.
> 
> On Linux and Solaris it is "groups matt"

OK.  I'll try that when I get back to work tomorrow.  However, why did I get 
'permission denied' instead of 'command not found'?

> > 2c. There is a file called profile in /etc, is that relevant?  It seems
> > to be a script.  At the bottom of this file is the single line umask 022.
> 
> sequence of startup-files for
> 
> sh, ksh, bash: 1. /etc/profile, 2.$HOME/.profile
> 
> csh: 1. /etc/.login, 2. $HOME/.cshrc, 3. $HOME/.login

OK. Thanks.

> > 3.  In a csh, how do I find where I am?
> 
> csh all commands are the same as bash or sh, but uses .login and .cshrc
> instead of .bashrc or .bash_profile when you logon or start a csh. Check
> if both of these files exists. Path will be set using
> 
> set path = ($path $home/bin .)

It was the command 'pwd' I was trying to find.  I couldn't find it on the 
Sparc box because apropos didn't work.

I don't have access to a Linux box at work and the Sparc box isn't connected 
to a network.  On my Linux box, I never need to use pwd, because the bash 
prompt tells me where I am.

> > 4.  In a csh, should apropos work?  I can do man apropos, but foobar
> > anything simply lists the paths that it has searched and failed to find
> > man pages.
> 
> Sounds like your path is not set up.
> 
> http://developers.sun.com/solaris/articles/man_pages.html#4

I assumed that too, but why did 'man apropos' work?

-- 
Terry Coles
64 bit computing with Kubuntu Linux




Re: [Dorset] Off Topic: SunOS Help needed

2010-02-23 Thread Sean Gibbins
Terry Coles wrote:
> On Tuesday 23 Feb 2010, John Cooper wrote:
>   
>> On 23/02/10 14:47, d-...@hadrian-way.co.uk wrote:
>> 
>>> 1.  If I enter ./startloopstop, I get the small dialogue box which gives
>>> the user control over the running program.  When this is pressed a small
>>> file is written to the local directory, which is the signal, via
>>> checkforloopstop, to the running test program to exit the loop.  This
>>> works fine for me.  When the customer tries to do this, he gets
>>> 'Permission denied' when he types ./startloopstop.  What other things
>>> could prevent execution, bearing in mind the file and directory
>>> permissions seem to allow anyone to do anything?
>>>   
>> Remember anyone can run the file but it doesn't mean the programme can
>> write to the directory, so this is most likely the problem. For
>> security, startloopstop should not have write access, so should be set
>> to either 755 or 555.
>> 
>
> That's the part I don't understand.  The directory listing shows 
> read/write/execute permissions to everyone, eg, users, group, world.  The 
> admin user can write to the directory, because he installed the software in 
> the first place.  He is in the mats group and so is the program binary 
> startloopstop, so why can't startloopstop write to the directory?
>
> It has been able to in the past, so what could have changed?

Unlikely but plausible - additional security software has since been 
installed or switched into deny mode that overrides standard Unix 
permissions. eTrust/SeOS [1] used to be the bane of our lives in this 
regard, but obviously we knew what we were dealing with and were 
prepared for it when it reared its ugly head.

However, if memory serves, the errors you are getting aren't consistent 
with that product, but it might be worth ensuring that you are not 
butting up against something similar before you proceed. The SA should 
hopefully be able to tell you about any updates, installs or switching 
from warning to deny that might have triggered this behaviour.

Sean

[1] 
http://sunsite.uakom.sk/sunworldonline/swol-07-1996/swol-07-security.html

-- 
And I've made disapointment
My very best friend

  [Anton Newcombe - Straight Up And Down]




Re: [Dorset] Off Topic: SunOS Help needed

2010-02-23 Thread Terry Coles
On Tuesday 23 Feb 2010, Sean Gibbins wrote:
> Unlikely but plausible - additional security software has since been
> installed or switched into deny mode that overrides standard Unix
> permissions. eTrust/SeOS [1] used to be the bane of our lives in this
> regard, but obviously we knew what we were dealing with and were
> prepared for it when it reared its ugly head.

> [1]
> http://sunsite.uakom.sk/sunworldonline/swol-07-1996/swol-07-security.html

They might have done something like this, but I suspect not this product.  
From your link SeOS provides amongst other things:

'SuperUser ID Protection.
Root login is disallowed, and su's to root are allowed only for authorized 
users. All root operations are logged, with the user's real identity 
indicated. set-uid programs are protected by being "thumbprinted" -- if the 
thumbprint changes the program is no longer executable'

I was able to log in as root, and I didn't do it by su.  Of course, it's 
possible that the executable hasn't been thumbprinted, so that's worth 
checking.  If that's the problem, then I'll need to establish what security 
tool they have installed so I can find out how to add this to the list of 
trusted executables.

We are going to the customer's site on Thursday, so we can have a look at 
their machine and compare its behaviour to our reference set.  I'm trying to 
get as much insight into the possible cause before I go.

-- 
Terry Coles
64 bit computing with Kubuntu Linux




Re: [Dorset] Off Topic: SunOS Help needed

2010-02-23 Thread Ralph Corderoy

Hi Terry,

> We asked them to list the contents of the directory that contains the
> binary, and they got:  
>
> merlin:admin:>ls -la
> total 42
> drwxrwxrwx   2 admin    mats         512 Feb 16 09:24 ./
> drwxrwxrwx  13 root     root        1024 Feb 23 07:05 ../
> -rwxrwxrwx   1 admin    mats        9373 Feb 16 09:24 checkforstop*
> -rwxrwxrwx   1 admin    mats        8942 Feb 16 09:24 startloopstop*

(I'm surprised ls(1) is showing a * (for executable) against those two
files by default.  Perhaps they've got it aliased to `ls -F' or
something.)

What does

file ./checkforstop ./startloopstop

show?  Also, if you shipped those executables to them, can they confirm
they're still byte-for-byte OK, e.g. do

cksum ./checkforstop ./startloopstop

on your machine and theirs.  You should both have that, it's a
polynomial CRC so robust enough.  Compare the outputs.

> The user admin is listed as the account for installing software and he
> gets a csh to use.

OK.

> 1.  If I enter ./startloopstop, I get the small dialogue box which
> gives the user control over the running program.  When this is pressed
> a small file is written to the local directory, which is the signal,
> via checkforloopstop, to the running test program to exit the loop. 
> This works fine for me.  When the customer tries to do this, he gets
> 'Permission denied' when he types ./startloopstop.

If you're at all dubious about their ability to enter what they say
they're entering, have him type

ls ./startloopstop
!$

The first command should just ls(1) that one file, confirming the
filename, including the leading `./', is entered correctly.  The second
is a history substitution that's replaced by the last word of the last
command;  the thing we now know is entered correctly.  But I guess
they're used to do this pre-upgrade?

> What other things could prevent execution, bearing in mind the file
> and directory permissions seem to allow anyone to do anything?

Are they both C executables?  I forget their history.  Perhaps, after
the OS upgrade, the shared libraries they depend on aren't available or
are incompatible?

ldd(1), as on Linux, will get 5.8 to list the libraries needed by a
file.  It shows the system recognises it as a binary executable file
along the way.

ldd ./startloopstop

The user's PATH won't matter since they're being run with a `/' in their
name, so it's important they're run as ./startloopstop.  Does
./checkforstop work?  Have they a C compiler on that machine?  What if
they do

echo 'main() { puts("hello"); return 0; }' >hello.c
cc hello.c
./a.out

Does ./a.out run and print "hello"?

"Permission denied" is the normal text for the EACCES errno value.  If
we assume csh(1) is getting as far as running execve(2) to kick off
./startloopstop then the error, from execve(2), means:

EACCES

Search permission is denied for a directory listed in the new
process file's path prefix;  the new process file is not an ordinary
file;  or the new process file mode denies execute permission.

The file's path prefix is `./' and everyone has search permission ('x')
on `.' according to the ls(1) output above.  Perhaps the executable file
being in the old Solaris 7 format, or not having all the shared
libraries available maps onto "is not an ordinary file", but I doubt it.
And there's clearly execute permission for all ('x') on the file itself.

If they can compile C and run ./a.out, have them create run.c in that
directory containing

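#include <errno.h>
#include <stdio.h>
#include <unistd.h>

int main(void)
{
    int i, e;

    errno = 0;
    /* execl() only returns if the exec failed. */
    i = execl("./startloopstop", "startloopstop", (char *)0);
    e = errno;    /* save errno before printf() can change it */
    printf("%d %d\n", i, e);
    errno = e;
    perror("as text");
    return 0;
}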

They build ./run with

cc -o run run.c

and then do

./run

It's taking the place of csh kicking off startloopstop.  If it fails
then it'll print out execl(3)'s return value, i, which will be -1
(failure), the numeric value of errno, and what is the normal text
version of it, e.g. "Permission denied".  That may shed some light.

> 2c. There is a file called profile in /etc, is that relevant?  It
> seems to be a script.  At the bottom of this file is the single line
> umask 022.

umask, whatever it is, and wherever it's being set, just influences the
default permissions of newly created files.

> 3.  In a csh, how do I find where I am?

`pwd', print-working-directory.  It's a built-in in C shell, as in
(ba)?sh.

> 4.  In a csh, should apropos work?  I can do man apropos, but foobar
> anything simply lists the paths that it has searched and failed to
> find man pages.

Does `man man' work?  If so, try `man -k foo' instead of `apropos foo'.
apropos is normally just a short-cut for `man -k'.

If the system had strace(1) we could just go for a simple

strace csh -c ./startloopstop

and see exactly what the csh was trying to do and how far it got.  But
it hasn't.  :-)

Cheers,
Ral
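
The three EACCES conditions quoted from execve(2) in the message above can be checked one at a time. This is an added example, not part of the original thread: the names diagnose_exec and exec_check are hypothetical, and it covers only those three conditions.

```c
/* Added example (not from the thread): report which of the three EACCES
 * conditions quoted from execve(2) applies to a path. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum exec_check {
    EXEC_OK,           /* none of the three conditions applies */
    EXEC_NO_SEARCH,    /* a directory in the path prefix denies search */
    EXEC_NOT_REGULAR,  /* the target is not an ordinary file */
    EXEC_NO_XBIT,      /* the file mode denies execute permission */
    EXEC_OTHER         /* some other failure, e.g. ENOENT */
};

static const char *const exec_check_text[] = {
    "no EACCES condition found",
    "search permission denied on a path-prefix directory",
    "not an ordinary file",
    "file mode denies execute permission",
    "other error (path missing or too long)"
};

enum exec_check diagnose_exec(const char *path)
{
    char prefix[4096];
    struct stat st;
    size_t len = strlen(path), i;

    if (len == 0 || len >= sizeof prefix)
        return EXEC_OTHER;

    /* 1. Every directory in the prefix needs search ('x') permission.
     *    access(2) tests with the real uid/gid, i.e. the user who is
     *    typing the command at the shell prompt. */
    for (i = 1; i < len; i++) {
        if (path[i] != '/')
            continue;
        memcpy(prefix, path, i);
        prefix[i] = '\0';
        if (access(prefix, X_OK) != 0)
            return errno == EACCES ? EXEC_NO_SEARCH : EXEC_OTHER;
    }
    /* 2. The target must be an ordinary (regular) file. */
    if (stat(path, &st) != 0)
        return EXEC_OTHER;
    if (!S_ISREG(st.st_mode))
        return EXEC_NOT_REGULAR;
    /* 3. Its mode must grant execute permission to this user. */
    if (access(path, X_OK) != 0)
        return errno == EACCES ? EXEC_NO_XBIT : EXEC_OTHER;
    return EXEC_OK;
}

int main(int argc, char **argv)
{
    /* Default path is the binary discussed in the thread. */
    const char *path = argc > 1 ? argv[1] : "./startloopstop";
    printf("%s: %s\n", path, exec_check_text[diagnose_exec(path)]);
    return 0;
}
```

If this reports no condition found while the shell still says "Permission denied", the refusal comes from something outside the standard mode bits.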

[Dorset] Next Meeting. One Week Tonight

2010-02-23 Thread Terry Coles
The next pub meeting is in Dorchester, next Tuesday.

Tuesday 2010-03-02 20:00
http://dorset.lug.org.uk/wiki/doku.php?id=meetings:pub#the_royal_oak

I'll see you there.

-- 
Terry Coles
64 bit computing with Kubuntu Linux




Re: [Dorset] Off Topic: SunOS Help needed

2010-02-23 Thread Ralph Corderoy

Hi Terry,

> > > 4.  In a csh, should apropos work?  I can do man apropos, but
> > > foobar anything simply lists the paths that it has searched and
> > > failed to find man pages.
> > 
> > Sounds like your path is not set up.
> > 
> > http://developers.sun.com/solaris/articles/man_pages.html#4
> 
> I assumed that too, but why did 'man apropos' work?

If `man man' works, but `man -k man' doesn't list anything then the
database man's -k/apropos is searching hasn't been built.  Quite
possible on a newly-installed machine I suppose.  Does
/usr/share/man/windex exist?  The catman(1) command builds it.

Cheers,
Ralph.

