topic Re: Login "login incorrect" w/ no oppertunity for password in Operating System - HP-UX

Login "login incorrect" w/ no oppertunity for password

Toby Ragsdale — Thu, 12 May 2005 16:21:30 GMT

I recently purchased a A400 to match my production box as a test system. I was in the process of setting the test environment to match production, when I made what seems like a mistake. I did a "chmod 777 -R *" on /usr, and received several errors. Now, I can't login to the box with any id. I don't even get chance to enter a password before it replys with "login incorrect"

Starting over is a possiblity, but I would like to correct the problem without a rebuild.

Any thoughts suggestions?

Thanks
TBR

Re: Login "login incorrect" w/ no oppertunity for password

Toby Ragsdale — Thu, 12 May 2005 16:24:04 GMT

.
Sorry, should have added that I can get to a prompt in single user mode, I just dont know what to change back, fix, whatever I might have done to /usr

TBR

Re: Login "login incorrect" w/ no oppertunity for password

Uday_S_Ankolekar — Thu, 12 May 2005 16:55:15 GMT

If you have a backup of /usr from your production server ( may be a ignite tape??) just restore /usr

-USA..

Re: Login "login incorrect" w/ no oppertunity for password

Toby Ragsdale — Thu, 12 May 2005 17:00:17 GMT

Thanks for the reply.

I can get /usr from the production box. Could I just FTP it from procution-->test? I don't want to cause any problems on the production server.

Thoughts?

Re: Login "login incorrect" w/ no oppertunity for password

Uday_S_Ankolekar — Thu, 12 May 2005 17:05:53 GMT

Can you run rcp? That will be better choice for now.

rcp -p will preserve file permissions.

-USA..

Re: Login "login incorrect" w/ no oppertunity for password

Toby Ragsdale — Thu, 12 May 2005 18:29:11 GMT

Well... I cant login with FTP, I would bet same with rcp, so I will try from tape.

Let you all know the results.

Any ideas of why chmod would do this? Was it something else?

Re: Login "login incorrect" w/ no oppertunity for password

Steven E. Protter — Thu, 12 May 2005 21:27:22 GMT

If you have been doing make_tape_recovery backups, now would be a good time to boot off the tape and restore the system.

You could also risk removing all files in /usr and extracting the files off of a recent backup or the production system.

SEP

Re: Login "login incorrect" w/ no oppertunity for password

Bill Hassell — Thu, 12 May 2005 22:24:34 GMT

chmod -R is one of the 4 MOST DANGEROUS commands in Unix. The other 3 are: mv, cp -r, and rm -r. There are more than 4,000 files and 1,600, all of which now have bad permissions. You have to change *all* of them back and if you check your production server, you'll a wide variety of values--they are set that way for a reason.

As a rule, 777 should *NEVER* be used for anything!!! New sysadmins often see the permission denied message and (very poor) Unix books will recommend this permission. Here are some issues with 777:

1. Because there is 7 for all other users on the syetem, every file can be trashed by any user and any directory can have it's contents destroyed, accidently or on purpose.

2. There are several special bit settings (1000, 2000 and 4000) which are critical for certain programs to run, not the least of which is login and passwd. The 777 setting wiped out these bits which is why you can never login again.

Permission denied should be dealt with on a specific file or directory, but changed only when there is a good reason. If tghe change was to make other users into sysadmins, read carefully the HP-UX Security book and many similar posts here in the ITRC about 'helping' the HP settings on system files and directories.

As fas as getting things back to normal, if you've a couple of free days, you can change each file and directory one by one, using the production system as a guide. As mentioned, restorin /usr from another server may cause even more problems. That's because /usr/lib and many system-dependent files are present in /usr and it's likely there are different patches on each system. ftp and rcp won't work because they won't run or they won't authenticate.

If you regularly made an Ignite tape backup of the new system, you can indeed restore your system. Otherwise, re-install from scratch.

Re: Login "login incorrect" w/ no oppertunity for password

Toby Ragsdale — Tue, 17 May 2005 11:28:24 GMT

OK, no use with anything other than tape or cd. Can someone tell me how to restore /usr from the restore cd?

Thanks
TBR

Re: Login "login incorrect" w/ no oppertunity for password

Pete Randall — Tue, 17 May 2005 11:31:33 GMT

Toby,

I don't believe you can restore just /usr from the install CD. Your best bet at this point would be to re-install.

Pete

Re: Login "login incorrect" w/ no oppertunity for password

Bill Hassell — Tue, 17 May 2005 11:44:12 GMT

As mentioned, directories and file in /usr have customized data (from patches) and many executables and libraries depend on other files in other directories (like /opt or /etc or /var). So if you restore from a source that that does not have matching patches installed, you'll find strange problems starting to show up. You could be lucky but most likely you'll spend weeks troubleshooting problems.

Since this is a test box, you will save massive amounts of time by making an Ignite/UX backup of the production box and restoring it to the test box. Just change the hostname and IP address after installing the Ignite backup and you're 100% in sync (including patches and settings) with the production box.

Re: Login "login incorrect" w/ no oppertunity for password

Victor BERRIDGE — Tue, 17 May 2005 12:07:06 GMT

Hi
To start by doing a chmod 777 on /usr you have modified the permission of /usr/bin/login which should be
-r-sr-xr-x 1 root bin 53248 Sep 13 2002 /usr/bin/login
Noticed the SUID?...

Setting this correctly should solve the logging issue...

As for the rest, I would think of using ignite in order to have an identical box if the idea were to match the production
(seems the fastest way to go...)
My 2 cents

All the best
Victor

Re: Login "login incorrect" w/ no oppertunity for password

Bharat Katkar — Tue, 17 May 2005 15:13:10 GMT

Hi,
Now the best option would be to anaylse the entire /usr structure and keep changing persimission of all file. Thought it is painfull it is the only safest and reliable way to come out of this problem,
Regards,

Re: Login "login incorrect" w/ no oppertunity for password

Toby Ragsdale — Thu, 19 May 2005 12:41:59 GMT

All,

Thanks to everyone.

As this endeavor was a learning experience, as well as a practical addition to my network, I consider the outcome a success. I tried each of your suggestions, and through this have a much better grip on how to recover from trouble situations in the future while the pressure was off. To repair the problem, I did end up reinstalling from scratch, but the suggested solutions lead me through recovery paths I would not have started down otherwise.

The box is not working perfictlet in its roll as a test/backup server for my production server. I feel much better knowing its there.

TBR

Re: Login "login incorrect" w/ no oppertunity for password

Toby Ragsdale — Thu, 19 May 2005 12:43:09 GMT

"now", not "not" working. Sorry.