

AIX Linux Permissions Problems and Solution of CHMOD 0

Nuking the permissions on a server is typically just as bad as wiping out the server.  Before you start comparing permissions against what they are on a similar host, take a backup of the already misconfigured host.  Yes, your system is already messed up, but at least you can get back to square one if something goes haywire:

mksysb -ip /backup/folder/$(hostname).mksysb;  # AIX

The steps here were forwarded to me by a good colleague of mine and show how he went about solving this one:

First things first, get the list of files with no permissions.  Here's the list of files with 000 (no) permissions on the problem server, acquired with this command:

find / -ls | grep -e "----------" | grep -v save | grep -v "/proc" >/tmp/noperm.out

Here are some example files with the permission problem:

/tmp/noperm.out
95113   25 ----------  1 root      system       24670 Jan 22  2008 /usr/sbin/dnssec-signkey
95114   64 ----------  1 root      system       65442 Mar  9  2012 /usr/sbin/dnssec-signzone
94626   65 ----------  1 root      system       66335 Nov 15  2011 /usr/sbin/dpid2
94684    6 ----------  1 root      system        5532 Mar 30  2009 /usr/sbin/fingerd
95111 2388 ----------  1 root      system     2445108 Mar  9  2012 /usr/sbin/gated
94986   42 ----------  1 root      system       42216 Mar  9  2012 /usr/sbin/gdc
94845    7 ----------  1 root      system        6754 Aug  4  2011 /usr/sbin/gettable
Next, copy /tmp/noperm.out to another server that still has the correct permissions and use this loop there to record them:
 
for FILE in $(awk '{print $11}' /tmp/noperm.out); do
ls -l "$FILE" >>/tmp/goodperm.out;
done
The resulting file will contain:
 
/tmp/goodperm.out
-r-xr-xr--    1 root     system        24670 Jan 22 2008  /usr/sbin/dnssec-signkey
-r-xr-xr--    1 root     system        65442 Mar  9 2012  /usr/sbin/dnssec-signzone
-rwxr-x---    1 root     system        66335 Nov 15 2011  /usr/sbin/dpid2
-r-xr-xr-x    1 root     system         5532 Mar 30 2009  /usr/sbin/fingerd
-r-xr-xr--    1 root     system      2445108 Mar  9 2012  /usr/sbin/gated
-r-xr-xr--    1 root     system        42216 Mar  9 2012  /usr/sbin/gdc
-rwxr-xr-x    1 root     system         6754 Aug  4 2011  /usr/sbin/gettable
 
Run this script against the file (goodperm.out above) with the proper permissions in it:
 
#!/bin/ksh
# Build /tmp/perm-chmod.out: one chmod command per line of /tmp/goodperm.out.
if [[ -a /tmp/perm-chmod.out ]]
then
rm /tmp/perm-chmod.out # Delete existing target file for chmods if it exists.
fi

cat /tmp/goodperm.out|
awk '{
        # Only plain 9-field "ls -l" lines (file names without spaces).
        if ( NF == 9 )
        {
                perms=0
                # Owner bits: characters 2-4 of the mode string.
                if(substr($1,2,1) == "r")
                        perms = perms + 400
                if(substr($1,3,1) == "w")
                        perms = perms + 200
                if(substr($1,4,1) == "x")
                        perms = perms + 100
                if(substr($1,4,1) == "S")       # setuid without execute
                        perms = perms + 4000
                if(substr($1,4,1) == "s")       # setuid with execute
                        perms = perms + 4100
                # Group bits: characters 5-7.
                if(substr($1,5,1) == "r")
                        perms = perms + 40
                if(substr($1,6,1) == "w")
                        perms = perms + 20
                if(substr($1,7,1) == "x")
                        perms = perms + 10
                if(substr($1,7,1) == "S")       # setgid without execute
                        perms = perms + 2000
                if(substr($1,7,1) == "s")       # setgid with execute
                        perms = perms + 2010
                # Other bits: characters 8-10.
                if(substr($1,8,1) == "r")
                        perms = perms + 4
                if(substr($1,9,1) == "w")
                        perms = perms + 2
                if(substr($1,10,1) == "x")
                        perms = perms + 1
                if(substr($1,10,1) == "T")      # sticky without execute
                        perms = perms + 1000
                if(substr($1,10,1) == "t")      # sticky with execute
                        perms = perms + 1001
                # Emit the command; the original mode string goes in a trailing comment.
                printf("chmod %d %s     # %s\n",perms,$9,$1)
        }
}' >/tmp/perm-chmod.out
chmod 755 /tmp/perm-chmod.out
That file should look like this (note the comments on the right to ensure that the result is what’s expected.):
 
/tmp/perm-chmod.out
chmod 554 /usr/sbin/dnssec-keygen          # -r-xr-xr--
chmod 554 /usr/sbin/dnssec-makekeyset      # -r-xr-xr--
chmod 554 /usr/sbin/dnssec-signkey         # -r-xr-xr--
chmod 554 /usr/sbin/dnssec-signzone        # -r-xr-xr--
chmod 750 /usr/sbin/dpid2                  # -rwxr-x---
chmod 555 /usr/sbin/fingerd                # -r-xr-xr-x
chmod 554 /usr/sbin/gated                  # -r-xr-xr--
chmod 554 /usr/sbin/gdc                    # -r-xr-xr--
chmod 755 /usr/sbin/gettable               # -rwxr-xr-x
 
Hopefully all the permissions match up.  Run this perm-chmod.out to set the permissions (Note we only generate the file so it can be checked against what's needed):
 
ksh -x /tmp/perm-chmod.out
Naturally, there might be problems with this.  This is where the mksysb you took earlier will help so you can at least get back to square one.  :)
 
Just like with any toys for big boys, clean up after it's all done:
rm /tmp/perm-chmod.out
Another way to do the above would be to combine this with the comparison logic we did earlier in the AWK For Human Beings post, by loading [PERM]_[FILENAME] elements into an associative array and then comparing that against the affected host.
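
One way to do that comparison, as an added example that is not from the original post or its author: load the reference host's listing into associative arrays keyed by file name, then emit a chmod only when the affected host's copy has the same size and owner, and hold back anything with setuid, setgid or sticky bits for manual review. The function names, the sample listings and /usr/bin/example-suid are constructed for illustration; mktemp -d is assumed to be available.

```shell
#!/bin/sh
# Added example, not the original author's script.
# $1 = goodperm.out ("ls -l", reference host); $2 = noperm.out ("find -ls", affected host)
plan_chmods() {
    awk '
    function octal(m,    i, p, c, d, sp) {        # "-r-xr-xr--" -> "0554"
        d[0] = d[1] = d[2] = sp = 0
        for (i = 2; i <= 10; i++) {
            p = i - 2; c = substr(m, i, 1)
            if (c ~ /[rwxst]/) d[int(p / 3)] += 4 / (2 ^ (p % 3))
            if (c ~ /[sStT]/)  sp += 4 / (2 ^ int(p / 3))
        }
        return sprintf("%d%d%d%d", sp, d[0], d[1], d[2])
    }
    FNR == NR {                                   # first file: reference host
        if (NF == 9) { mode[$9] = $1; own[$9] = $3 ":" $4; size[$9] = $5 }
        next
    }
    NF == 11 {                                    # second file: affected host
        f = $11
        if (!(f in mode))
            print "# REVIEW " f ": not in reference listing"
        else if (size[f] != $7 || own[f] != ($5 ":" $6))
            print "# REVIEW " f ": size or owner differs from reference"
        else if (mode[f] ~ /[sStT]/)
            print "# REVIEW chmod " octal(mode[f]) " " f ": special bit in " mode[f]
        else
            print "chmod " octal(mode[f]) " " f "     # " mode[f]
    }' "$1" "$2"
}
# Constructed sample listings (not taken from a real host).
write_sample() {
    cat > "$1/goodperm.out" <<'EOF'
-r-xr-xr--    1 root     system        24670 Jan 22 2008  /usr/sbin/dnssec-signkey
-rwxr-x---    1 root     system        66335 Nov 15 2011  /usr/sbin/dpid2
-r-sr-xr-x    1 root     security      12345 Mar  9 2012  /usr/bin/example-suid
-r-xr-xr-x    1 root     system         5000 Mar 30 2009  /usr/sbin/fingerd
EOF
    cat > "$1/noperm.out" <<'EOF'
95113   25 ----------  1 root      system       24670 Jan 22  2008 /usr/sbin/dnssec-signkey
94626   65 ----------  1 root      system       66335 Nov 15  2011 /usr/sbin/dpid2
90001   13 ----------  1 root      security     12345 Mar  9  2012 /usr/bin/example-suid
94684    6 ----------  1 root      system        5532 Mar 30  2009 /usr/sbin/fingerd
94845    7 ----------  1 root      system        6754 Aug  4  2011 /usr/sbin/gettable
EOF
}
tmp=$(mktemp -d) && write_sample "$tmp"
plan_chmods "$tmp/goodperm.out" "$tmp/noperm.out"
rm -rf "$tmp"
```

A size or owner mismatch usually means the two hosts are at different patch levels for that file, so the reference mode is only a hint there; the REVIEW lines are comments and do nothing if the output is run as a script.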
 
Enjoy!  Leave a comment letting us know your recovery success story.
 
Cheers,
TK
  

 


 


     
  Copyright © 2003 - 2013 Tom Kacperski (microdevsys.com). All rights reserved.

Creative Commons License
This work is licensed under a Creative Commons Attribution 3.0 Unported License