01/29/96, 4FAX# 4253

Resetting File Permissions

SPECIAL NOTICES

Information in this document is correct to the best of our knowledge at the time of this writing. Please send feedback by fax to "AIXServ Information" at (512) 823-4009.

Please use this information with care. IBM will not be responsible for damages of any kind resulting from its use. The use of this information is the sole responsibility of the customer and depends on the customer's ability to evaluate and integrate this information into the customer's operational environment.

    +----------------------------------------------------------+
    |                                                          |
    | NOTE: The information in this document is NOT            |
    | applicable for AIX 4.1.                                  |
    |                                                          |
    +----------------------------------------------------------+

ABOUT THIS DOCUMENT

This document describes several possible mechanisms for restoring incorrect file permissions:

    o Manually determine correct permissions by examining a mksysb tape or another system, and manually set permissions.
    o Manually determine correct permissions by examining a mksysb or install tape, and manually set permissions.
    o Automatically determine and set permissions based on a mksysb or install tape.
    o Automatically determine and set permissions based on the sysck.cfg file.

The sections on the manual methods and the sysck.cfg method apply to all AIX 3.x versions but have not been verified with AIX 4.1 or later. The section on automatically setting permissions from a mksysb tape will not work with AIX 4.1 or later, as 4.1 mksysb uses Backup & Restore and the table of contents does not show permissions and owners.

NOTES:

  1. If you use ACLs (access control lists), using the chmod numerical parameters will erase the ACLs. The document "Backup and Restore Access Control Lists During mksysb" may be helpful. It is available in these locations:
       o Document number 2685 from 1-800-IBM-4FAX within the U.S. or from 415-855-4FAX outside the U.S.
         Outside the U.S., the number must be dialed from a fax machine phone.
       o World-wide web: http://aix.boulder.ibm.com (follow the menu choices for AIX/USA/Electronic Services).

  2. Before using the methods in this document, you may wish to save a record of your current permissions by redirecting the output of the following command to a file:

         ls -lR /

MANUALLY SETTING PERMISSIONS

Examining a mksysb Image or Install Tape

If you have a recent mksysb, you can examine the permissions of the backed-up files by skipping to the file storage portion of the tape and performing a tape listing. Assuming the archive device is /dev/rmt0, the following commands will produce a listing of all files on the tape. You can refer to InfoExplorer for documentation on the chown, chmod, tar, and tctl commands.

    tctl -f /dev/rmt0.1 fsf 3
    tar -tvf /dev/rmt0 > /tmp/mksysb.listing

The file /tmp/mksysb.listing will contain the tar listing of every file on the tape. You can use the grep command to locate the line in which you are interested and then use the chown and chmod commands to set the file ownership and permissions.

Examining Another System

If you have a similar system, you may examine the permissions of the file in question on the other system. Differences in file ownership or permissions can then be corrected with the chown and chmod commands.

AUTOMATICALLY SETTING PERMISSIONS

Setting Permissions With a mksysb or Install Tape

Symptom: All the permissions and/or ownerships on my files (or the whole system) are changed! How do I reset all permissions and ownership?

Answer: This solution depends upon having a mksysb tape. If you have a system backup that was not made by mksysb (using tar format), you will have to make modifications to the script. Note that when using an install tape, only the bos portion is in tar format and can be used by this process.

Steps

  1. In the following script, replace "rmtx" with the name of your tape drive, such as "rmt0".
  2. Insert the mksysb tape and run the following script, which will create another script called reset.perms.out.
  3. Carefully examine reset.perms.out and modify it if needed before running it on your system.
  4. Run reset.perms.out to change all ownership, group, and permissions to what they were at the time of the last mksysb backup.

The Script

NOTES:

  1. Please note that page headers and footers may appear in the following code. They should be removed before the code is used. Also, revision bars (vertical bars in the left margin which mark changes in the document) may appear to the left of the code and should be removed before the code is used.
  2. Be sure that the string "#!/bin/ksh" starts in the first column on the first line of the file containing the code.

Here is the script:

    #!/bin/ksh
    # Build reset.perms.out from the tar table of contents of a mksysb tape.
    # Replace rmtx with your tape drive (for example rmt0) in all three
    # places; keep the ".1" suffix on the fsf call, which selects the
    # no-rewind device so the tape stays positioned for tar.
    cd /tmp
    rm reset.perms.out 2>/dev/null
    tctl -f /dev/rmtx rewind
    tctl -f /dev/rmtx.1 fsf 3          # skip to the file storage portion
    tar -tvf /dev/rmtx | awk '{
        # A tar -tv line has nine fields: mode, owner, group, size, the
        # date and time fields, and the name. Lines with any other field
        # count (for example, names containing spaces) are skipped.
        if ( NF == 9 ) {
            printf ("chown %s.%s %s\n",$2,$3,$9)
            perms=0
            # user bits: "s" means execute plus setuid, "S" setuid only
            if(substr($1,2,1) == "r") perms = perms + 400
            if(substr($1,3,1) == "w") perms = perms + 200
            if(substr($1,4,1) == "x") perms = perms + 100
            if(substr($1,4,1) == "S") perms = perms + 4000
            if(substr($1,4,1) == "s") perms = perms + 4100
            # group bits: "s" means execute plus setgid, "S" setgid only
            if(substr($1,5,1) == "r") perms = perms + 40
            if(substr($1,6,1) == "w") perms = perms + 20
            if(substr($1,7,1) == "x") perms = perms + 10
            if(substr($1,7,1) == "S") perms = perms + 2000
            if(substr($1,7,1) == "s") perms = perms + 2010
            # other bits: "t" means execute plus sticky, "T" sticky only
            if(substr($1,8,1) == "r") perms = perms + 4
            if(substr($1,9,1) == "w") perms = perms + 2
            if(substr($1,10,1) == "x") perms = perms + 1
            if(substr($1,10,1) == "T") perms = perms + 1000
            if(substr($1,10,1) == "t") perms = perms + 1001
            # perms is printed as decimal digits, which chmod reads as octal
            printf("chmod %d %s # %s\n",perms,$9,$1)
        }
    }' >reset.perms.out
    chmod 755 reset.perms.out

AUTOMATICALLY SETTING PERMISSIONS USING SYSCK.CFG

sysck or tcbck Command

The sysck command was renamed to tcbck in AIX 3.2, but is referred to as sysck in this document for historical consistency.

The sysck command was designed to strictly enforce file ownership and permissions according to file descriptions in /etc/security/sysck.cfg. When file contents are found to disagree with file size and checksum information, sysck revokes access to the file by removing all permission attributes. For this reason, "sysck" may be unsuited to many environments.

    +--- WARNING -----------------------------------------------+
    |                                                          |
    | sysck can render a system unusable.                      |
    |                                                          |
    | If the "-y" option will be used, the system              |
    | administrator should verify that the sysck.cfg file has  |
    | the correct information. If the checksum and size for    |
    | any file are not correct in the sysck.cfg, that file     |
    | will be made inaccessible.                               |
    |                                                          |
    +----------------------------------------------------------+

To update a single file using sysck, enter the command

    sysck -t file

where file is the name of the file being changed. If you receive any messages indicating that the file size or checksum is incorrect, you must answer the prompt "no" to indicate that you do not wish the changes for that value made. If you wish for every file listed in sysck.cfg to be checked, replace file with the keyword "ALL".

fileck Script

    +--- WARNING -----------------------------------------------+
    |                                                          |
    | This script automatically applies the values in          |
    | /etc/security/sysck.cfg without concern for the actual   |
    | file contents (it does not check checksum and size).     |
    | The checksum and size information in sysck.cfg exists to |
    | prevent Trojan horses and other security violations from |
    | occurring. Using this script may prevent your system     |
    | from detecting certain types of security-related         |
    | problems.                                                |
    |                                                          |
    +----------------------------------------------------------+

The attached script should be copied to a local directory and named "fileck".
This script implements many of the rules used by sysck but does not perform file-size or checksum tests. Since these two tests in sysck can result in the disabling of a filesystem object, the potential for damage using "fileck" is much less than that of sysck. However, fileck may prevent the system from detecting certain security-related problems.

fileck operates in single-file or "ALL" mode, similar to sysck. The syntax is

    fileck { ALL | file ... }

Files must be specified with the full path as found in /etc/security/sysck.cfg. When called with one or more file names on the command line, fileck will examine sysck.cfg to determine the correct owner, group, permissions, hard links, and symbolic links. In "ALL" mode, fileck checks all files listed in sysck.cfg. fileck returns a message for each file that is processed and reports the names of any files specified on the command line that could not be found in sysck.cfg.

NOTES:

  1. Please note that page headers and footers may appear in the following code. They should be removed before the code is used. Also, revision bars (vertical bars in the left margin which mark changes in the document) may appear to the left of the code and should be removed before the code is used.
  2. Be sure that the string "#!/bin/ksh" starts in the first column on the first line of the file containing the code.
  3. You must be logged in as the root user to run this command.
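Before the fileck listing, an added example that is not IBM's code: POSIX sh helpers that print, without applying, the commands the two automatic methods above produce. sym2oct reproduces the mode mapping of the reset.perms awk script from the mode column of a tar -tv or ls -l listing, sysck_mode applies the sysck.cfg mode rules that fileck's fixmode implements (the keywords decide the setuid, setgid and sticky bits), and mode_drift compares a saved "<mode> <path>" listing (a constructed format, derived from the ls -lR record suggested in note 2) with the live system. The function names and the listing format are assumptions; chtcb exists only on AIX and is printed, never run.

```shell
#!/bin/sh
# Added example, not from the IBM document.  Three dry-run helpers that
# print commands for review and change nothing:
#   sym2oct     column 1 of "ls -l" / "tar -tv" -> octal (the mapping the
#               reset.perms awk script spells out bit by bit)
#   sysck_mode  a sysck.cfg "mode = ..." value -> the chmod/chtcb implied
#   mode_drift  compare a saved "<mode> <path>" listing with the live system
sym2oct() {                              # sym2oct -rwsr-xr-x  -> 4755
    printf '%s\n' "$1" | awk '{
        m = substr($0, 2, 9); p = 0      # skip the file-type character
        for (i = 0; i < 3; i++) {        # user, group, other triplets
            w = 8 ^ (2 - i)              # 64, 8, 1
            if (substr(m, 3*i+1, 1) == "r") p += 4 * w
            if (substr(m, 3*i+2, 1) == "w") p += 2 * w
            x = substr(m, 3*i+3, 1)
            if (x ~ /[xst]/)          p += w      # lower case: x bit set
            if (x ~ /[sS]/ && i == 0) p += 2048   # setuid 04000
            if (x ~ /[sS]/ && i == 1) p += 1024   # setgid 02000
            if (x ~ /[tT]/ && i == 2) p += 512    # sticky 01000
        }
        printf "%04o\n", p }'
}
sysck_mode() {                           # sysck_mode /usr/bin/su TCB,SUID,555
    file=$1 base=000 s=0 g=0 t=0 tcb=off
    for tok in $(printf '%s\n' "$2" | tr ',' ' '); do
        case $tok in
            TCB)    tcb=on ;;
            SUID)   s=4 ;;               # as in fileck, the keywords decide
            SGID)   g=2 ;;               # the special bits; the numeric or
            SVTX)   t=1 ;;               # symbolic token supplies only rwx
            [0-9]*) base=$tok ;;
            [-r]*)  base=$(sym2oct "-$tok") ;;    # prepend a type character
        esac
    done
    base=${base#"${base%???}"}           # keep the low three digits
    echo "chmod $((s + g + t))$base $file"
    echo "chtcb $tcb $file"              # chtcb exists on AIX only
}
mode_drift() {                           # mode_drift LISTING
    while read -r want path; do          # constructed listing: "<mode> <path>"
        [ -e "$path" ] || { echo "# missing: $path"; continue; }
        have=$(ls -ld "$path" | cut -c1-10)       # drop any ACL "+" marker
        [ "$(sym2oct "$have")" = "$(sym2oct "$want")" ] ||
            echo "chmod $(sym2oct "$want") $path   # currently $have"
    done < "$1"
}
```

Review the printed chmod lines exactly as step 3 of the mksysb procedure asks before running any of them.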
Here is the fileck script:

    #!/bin/ksh
    #
    # fileck -- perform sysck-like processing without the grief
    #
    # Apply the owner, group, mode, links and symlinks attributes recorded
    # in /etc/security/sysck.cfg. Size and checksum are deliberately ignored.

    # fixmode FILE MODE: MODE is the sysck.cfg value, a comma-separated list
    # of TCB, SUID, SGID, SVTX and either an octal number or an rwx string.
    # The keywords decide the setuid/setgid/sticky bits; a missing keyword
    # clears that bit.
    fixmode()
    {
        file=${1}
        modes=$(echo ${2} | tr ',' ' ')
        TCB=N
        SUID=u-s
        SGID=g-s
        SVTX=-t
        for mode in ${modes} ; do
            case ${mode} in
                TCB)    TCB=Y ;;
                [0-9]*) PERM=${mode} ;;
                [-r]*)  # symbolic rwxrwxrwx: split into the user, group
                        # and other triplets and drop the "-" placeholders
                        u=${mode%%??????}
                        r=${mode##???}
                        g=${r%%???}
                        o=${r##???}
                        PERM=$(echo u=${u},g=${g},o=${o} | tr -d '-') ;;
                SUID)   SUID=u+s ;;
                SGID)   SGID=g+s ;;
                SVTX)   SVTX=+t ;;
            esac
        done
        chmod ${PERM},${SUID},${SGID},${SVTX} ${file}
        if [ ${TCB} = Y ]; then
            chtcb on ${file}
        else
            chtcb off ${file}
        fi
    }

    # fixsymlinks FILE LINKS: recreate each existing symbolic link named in
    # LINKS so that it points at FILE.
    fixsymlinks()
    {
        file=${1}
        links=$(echo ${2} | tr ',' ' ')
        for link in ${links} ; do
            if [ -L ${link} ]; then
                rm -f ${link}
                ln -s ${file} ${link}
            fi
        done
    }

    # fixlinks FILE LINKS: make each name in LINKS a hard link to FILE
    # unless it already shares FILE's inode. (ksh runs the last stage of a
    # pipeline in the current shell, so "ls -i ... | read" sets inum here.)
    fixlinks()
    {
        file=${1}
        links=$(echo ${2} | tr ',' ' ')
        ls -i ${file} | read inum_a junk
        for link in ${links} ; do
            if [ -f ${link} ]; then
                ls -i ${link} | read inum_b junk
            else
                inum_b=0
            fi
            if [ ${inum_a} != ${inum_b} ]; then
                ln -f ${file} ${link}
            fi
        done
    }

    # fixall FILE: extract FILE's stanza from sysck.cfg (grep -p selects the
    # whole paragraph) and apply each "attribute = value" line in it.
    fixall()
    {
        scratch=/tmp/fixall$$
        file=${1}
        grep -p "^${file}:" /etc/security/sysck.cfg > ${scratch}
        if [ ! -s ${scratch} ]; then
            echo "no matches for ${file}" 1>&2
            /usr/bin/rm -f ${scratch}
            return
        fi
        read real_file junk < ${scratch}
        real_file=${real_file%%:}
        echo "checking ${file}"
        while read attr junk value ; do
            case ${attr} in
                owner)    chown ${value} ${file} ;;
                group)    chgrp ${value} ${file} ;;
                links)    fixlinks ${file} ${value} ;;
                symlinks) fixsymlinks ${file} ${value} ;;
                mode)     fixmode ${file} ${value} ;;
            esac
        done < ${scratch}
        /usr/bin/rm -f ${scratch}
    }

    if [ $# = 0 ] ; then
        echo "usage: fileck { ALL | file ... }"
        exit 1
    elif [ "${1}" = "ALL" ]; then
        # every stanza header in sysck.cfg is a full path followed by ":"
        list=/tmp/fileck$$
        grep '^/.*:$' /etc/security/sysck.cfg | sed -e 's/://' > ${list}
        while read FILE ; do
            fixall ${FILE}
        done < ${list}
        /usr/bin/rm -f ${list}
    else
        for FILE in "$@" ; do
            fixall ${FILE}
        done
    fi

READER'S COMMENTS

Please fax this form to (512) 823-4009, attention "AIXServ Information".
You may also e-mail comments to elizabet@austin.ibm.com. These comments should include the same customer information requested below.

Use this form to tell us what you think about this document. If you have found errors in it, or if you want to express your opinion about it (such as organization, subject matter, appearance) or make suggestions for improvement, this is the form to use.

If you need technical assistance, contact your local branch office, point of sale, or 1-800-CALL-AIX (for information about support offerings). These services may be billable. Faxes on a variety of subjects may be ordered free of charge from 1-800-IBM-4FAX. Outside the U.S., call 415-855-4329 using a fax machine phone.

When you send comments to IBM, you grant IBM a nonexclusive right to use or distribute your comments in any way it believes appropriate without incurring any obligation to you.

NOTE: If you have a problem report or item number, supplying that number may help us determine why a procedure did or did not work in your specific situation.
Problem Report or Item #:
Branch Office or Customer #:

Be sure to print your name and fax number below if you would like a reply:

Name:
Fax Number:

END OF DOCUMENT (reset.file.perms.cmd, 4FAX# 4253)