02-16-2006 04:25 AM
thanks
02-16-2006 04:34 AM
Re: I need to find any copies of /etc/passwd on a server
$ grep -l ":x:" /etc/*passwd*
/etc/passwd
/etc/passwd.090305
/etc/passwd.bak
/etc/passwd.orig
If not, grep for a pattern like "/bin/sh"
02-16-2006 04:54 AM
Re: I need to find any copies of /etc/passwd on a server
A user could do this:
cat /etc/passwd > myfile
Well, now there is a copy of the passwd file - but it is called myfile....
So, you will need to do a find -type file, build a list, then grep for a pattern in those files to be really sure you have all the files that contain passwd info....
Rgds...Geoff
02-16-2006 05:02 AM
Re: I need to find any copies of /etc/passwd on a server
find . -type f -print | xargs grep -l ":/usr/bin/ksh" > list
That would generate a file called list with all the files that "could" be a passwd file.
02-16-2006 05:15 AM
Solution
Something like this should work.
#!/usr/bin/sh
find . -type f | while read F
do
    file "${F}" | grep -q -i "text"
    STAT=${?}
    if [[ ${STAT} -eq 0 ]]
    then # is a text file
        grep -q -E -e '^[A-Za-z][A-Za-z0-9_]+:[^:]+:[0-9]+:[0-9]+:'
        STAT=${?}
        if [[ ${STAT} -eq 0 ]]
        then
            echo "${F}"
        fi
    fi
done
cd to desired starting directory and run it. The grep is looking for a string that begins with a valid login name format and then also verifies that numerics are found where the UID and GID fields are expected. If at least one line in the file qualifies, then the filename is echo'ed on stdout.
02-16-2006 05:39 AM
Re: I need to find any copies of /etc/passwd on a server
Geoff: your concern is a valid one, but for now, I'm containing my query to *passwd* named text files. I thought of Paul's and James' recommendation, but on some servers the login shells vary, and may even be customized. I think Clay's solution may fit the need.
02-16-2006 06:02 AM
Re: I need to find any copies of /etc/passwd on a server
And then on the text file you could search for multiple ":" with something like:
awk '{ idx1 = index($0, ":"); if ((idx1 > 0) && (index(substr($0, idx1 + 1), ":") > 0)) { print FILENAME; exit } }' FILE
Where FILE is the name of the file to check.
02-16-2006 06:10 AM
Re: I need to find any copies of /etc/passwd on a server
02-16-2006 06:36 AM
Re: I need to find any copies of /etc/passwd on a server
grep -q -E -e '^[A-Za-z][A-Za-z0-9_]+:[^:]+:[0-9]+:[0-9]+:'
should be:
grep -q -E -e '^[A-Za-z][A-Za-z0-9_]+:[^:]+:[0-9]+:[0-9]+:' "${F}"
Note the "-q" quiet option. We aren't worried about outputting the matching strings but rather that any such strings are found. In that case, the exit status is set to 0 and that is what we are testing for. You could also copy the line and leave off the "-q" just below the 'echo "${F}"' line and it would output the matching lines.
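
An added example, not code from any poster in this thread: a POSIX sh version of the content-based scan that checks for all seven passwd(4) fields on a line, reads file names containing spaces, and, going a step beyond the thread, takes an optional minimum number of matching lines to cut false positives. The function names and the sample files written by make_sample are constructed for this illustration.

```shell
#!/bin/sh
# Added example. List regular files under a directory that contain
# passwd(4)-style records, whatever the files are named.

# is_passwd_like FILE MIN: succeed if FILE has at least MIN lines with
# exactly 7 colon-separated fields, a login-name-shaped first field,
# and numeric UID (field 3) and GID (field 4).
is_passwd_like() {
    awk -F: -v min="$2" '
        NF == 7 && $1 ~ /^[A-Za-z_][A-Za-z0-9_.-]*$/ &&
        $3 ~ /^[0-9]+$/ && $4 ~ /^[0-9]+$/ {
            if (++hits >= min) { found = 1; exit }
        }
        END { exit (found ? 0 : 1) }
    ' < "$1"
}

# passwd_like_files DIR [MIN]: print one matching path per line.
# File names containing newlines are not supported.
passwd_like_files() {
    find "$1" -type f -print | while IFS= read -r f; do
        # awk reads from "$f", so it cannot swallow the loop's file list.
        if is_passwd_like "$f" "${2:-1}"; then
            printf '%s\n' "$f"
        fi
    done
}

# make_sample DIR: constructed sample data for trying the functions out.
make_sample() {
    mkdir -p "$1/home/u1"
    # A renamed copy with two valid records (note the space in the name).
    printf 'root:x:0:3::/:/sbin/sh\nbob:x:101:20:Bob:/home/bob:/usr/bin/ksh\n' \
        > "$1/home/u1/my file"
    # Colon-heavy text that is not passwd data.
    printf 'PATH=/usr/bin:/sbin:/opt/bin\nnote: a:b:c\n' > "$1/home/u1/notes.txt"
    # One valid record plus a 7-field log line that fails the field checks.
    printf 'only:x:1:1:one:/:/bin/sh\n10:30:00 log entry: x:y:z:w\n' > "$1/one_hit"
}

# Usage: passwd_like_files /home      (any file with at least one record)
#        passwd_like_files /home 2    (require two or more records)
```

Run it as a user able to read every file under the starting directory; unreadable files produce a shell error on stderr and are not reported as matches.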