AIX Linux Permissions Problems and Solution of CHMOD 0

Nuking your permissions problems on a server is typically just as bad as wiping out the server. Before you start trying to compare permissions server to server based on what they were elsewhere on a similar host, take a backup of the already misconfigured host. Yeah your system is already messed up but at least you can get back to square one if something goes haywire:

mksysb -ip /backup/folder/$(hostname).mksysb; # AIX

The steps here were forwarded to me from a good colleague of mine and how he went about solving this one:

First things first, get the list of files with no permissions. Here's the source with 000 or no permissions on the problem server, acquired with this command:

find / -ls |grep "\———-" |grep -v save |grep -v "\/proc" >/tmp/noperm.out

Here are some example files with the permission problem:

/tmp/noperm.out;

95113   25 ———- 1 root      system       24670 Jan 22 2008 /usr/sbin/dnssec-signkey

95114   64 ———- 1 root      system       65442 Mar 9 2012 /usr/sbin/dnssec-signzone

94626   65 ———- 1 root      system       66335 Nov 15 2011 /usr/sbin/dpid2

94684    6 ———- 1 root      system        5532 Mar 30 2009 /usr/sbin/fingerd

95111 2388 ———- 1 root      system     2445108 Mar 9 2012 /usr/sbin/gated

94986   42 ———- 1 root      system       42216 Mar 9 2012 /usr/sbin/gdc

94845    7 ———- 1 root      system        6754 Aug 4 2011 /usr/sbin/gettable

After using this command to get the permissions on another server like:

for FILE in $(cat /tmp/noperm.out |awk '{print $11}'); do

ls -l $FILE >>/tmp/goodperm.out;

done

The obvious content of the file will be:

/tmp/goodperm.out

-r-xr-xr–    1 root     system        24670 Jan 22 2008 /usr/sbin/dnssec-signkey

-r-xr-xr–    1 root     system        65442 Mar 9 2012 /usr/sbin/dnssec-signzone

-rwxr-x—    1 root     system        66335 Nov 15 2011 /usr/sbin/dpid2

-r-xr-xr-x    1 root     system         5532 Mar 30 2009 /usr/sbin/fingerd

-r-xr-xr–    1 root     system      2445108 Mar 9 2012 /usr/sbin/gated

-r-xr-xr–    1 root     system        42216 Mar 9 2012 /usr/sbin/gdc

-rwxr-xr-x    1 root     system         6754 Aug 4 2011 /usr/sbin/gettable

Run this script against the file (goodperm.out above) with the proper permissions in it:

#!/bin/ksh

if [[ -a /tmp/perm-chmod.out ]]

then

rm /tmp/perm-chmod.out # Delete existing target File for chmods if it exists.

fi

cat /tmp/goodperm.out|

awk '{

        if ( NF == "9" )

        {

                {

                perms=0

                if(substr($1,2,1) == "r")

                        perms = perms + 400

                if(substr($1,3,1) == "w")

                        perms = perms + 200

                if(substr($1,4,1) == "x")

                        perms = perms + 100

                if(substr($1,4,1) == "S")

                        perms = perms + 4000

                if(substr($1,4,1) == "s")

                        perms = perms + 4100

                if(substr($1,5,1) == "r")

                        perms = perms + 40

                if(substr($1,6,1) == "w")

                        perms = perms + 20

                if(substr($1,7,1) == "x")

                        perms = perms + 10

                if(substr($1,7,1) == "S")

                        perms = perms + 2000

                if(substr($1,7,1) == "s")

                        perms = perms + 2010

                if(substr($1,8,1) == "r")

                        perms = perms + 4

                if(substr($1,9,1) == "w")

                        perms = perms + 2

                if(substr($1,10,1) == "x")

                        perms = perms + 1

                if(substr($1,10,1) == "T")

                      perms = perms + 1000

                if(substr($1,10,1) == "t")

                        perms = perms + 1001

                printf("\nchmod %d %s     # %s ",perms,$9,$1)

                }

        }

}' >/tmp/perm-chmod.out

chmod 755 /tmp/perm-chmod.out

That file should look like this (note the comments on the right to ensure that the result is what’s expected.):

/tmp/perm-chmod.out

chmod 554 /usr/sbin/dnssec-keygen # -r-xr-xr–

chmod 554 /usr/sbin/dnssec-makekeyset # -r-xr-xr–

chmod 554 /usr/sbin/dnssec-signkey # -r-xr-xr–

chmod 554 /usr/sbin/dnssec-signzone # -r-xr-xr–

chmod 750 /usr/sbin/dpid2 # -rwxr-x—

chmod 555 /usr/sbin/fingerd # -r-xr-xr-x

chmod 554 /usr/sbin/gated # -r-xr-xr–

chmod 554 /usr/sbin/gdc # -r-xr-xr–

chmod 755 /usr/sbin/gettable # -rwxr-xr-x

Hopefully all the permissions match up. Run this perm-chmod.out to set the permissions (Note we only generate the file so it can be checked against what's needed):

set -x /tmp/perm-chmod.out

Naturally, there might be problems with this. This is where the mksysb you took earlier will help so you can at least get back to square one. 🙂

Just like with any toys for big boys, clean up after it's all done:

rm /tmp/perm-chmod.out

Another way to do the above would be to combine this with the comparison logic we did earlier in the AWK For Human Beings post. By loading the an array with [PERM]_[FILENAME] elements into the associative array then comparing that against the affected host.

Enjoy! Leave a comment letting us know your recovery success story.

Cheers,
TK

This entry was posted on Tuesday, July 30th, 2013 at 10:06 pm and is filed under NIX Posts. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

You must be logged in to post a comment.

Thoughts and Scribbles | MicroDevSys.com