Operating System - HP-UX
Re: I need to find any copies of /etc/passwd on a server

Luis Toro
Regular Advisor

I need to find any copies of /etc/passwd on a server

Anyone know of a good method/tool/script to find copies or portions of /etc/passwd on a server ? I've been able to list all *passwd* files, next I filter out the non-ascii files. I was going to check for "^root:" in the first line, but I came across a file with just portions of a passwd file. Of course, anything that does not have the 'passwd' string in the name will not be captured.
thanks
James Brand
Frequent Advisor

Re: I need to find any copies of /etc/passwd on a server

If you have shadow passwd enabled try something like this:

$ grep -l ":x:" /etc/*passwd*
/etc/passwd
/etc/passwd.090305
/etc/passwd.bak
/etc/passwd.orig

If not grep for a pattern like "/bin/sh"
Geoff Wild
Honored Contributor

Re: I need to find any copies of /etc/passwd on a server

From your question, "I need to find any copies of /etc/passwd on a server" - means that you may have to look at all files...

A user could do this:

cat /etc/passwd > myfile

Well, now there is a copy of the passwd file - but it is called my file....

So, you will need to do a find -type file, build a list, then grep for a pattern in those files to be really sure you have all the files that contain passwd info....

Rgds...Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
Paul Sperry
Honored Contributor

Re: I need to find any copies of /etc/passwd on a server

Let's say the most common shell on the server is ksh. Then I'd do this

# list the regular files whose contents mention the ksh login shell
find . -type f -print | xargs grep -l ':/usr/bin/ksh' > list

that would generate a file called list with all the files that "could" be a passwd file.
A. Clay Stephenson
Acclaimed Contributor
Solution

Re: I need to find any copies of /etc/passwd on a server

First of all, it's not safe on all flavors of UNIX to grep files of any type. Grepping a binary file on some UNIXes will dump core. You need to test with the file command and look for "text" in the output; then it's safe to grep for a passwd-like pattern.

Something like this should work.

#!/usr/bin/sh

# Walk every regular file below the current directory. Only files that
# file(1) classifies as text are grepped, since grep on a binary may
# dump core on some systems.
find . -type f | while read -r F
do
    file "${F}" | grep -q -i "text"
    STAT=${?}
    if [[ ${STAT} -eq 0 ]]
    then # is a text file
        # a login name (lowercase, digits, _ or -), any password field,
        # then numeric UID and GID fields where passwd(4) puts them
        grep -q -E -e '^[a-z_][a-z0-9_-]*:[^:]*:[0-9]+:[0-9]+:' "${F}"
        STAT=${?}
        if [[ ${STAT} -eq 0 ]]
        then
            echo "${F}"
        fi
    fi
done

cd to the desired starting directory and run it. The grep is looking for a string that begins with a valid login name format and then also verifies that numerics are found where the UID and GID fields are expected. If at least one line in the file qualifies, then the filename is echoed on stdout.
If it ain't broke, I can fix that.
Luis Toro
Regular Advisor

Re: I need to find any copies of /etc/passwd on a server

Thanks for the replies.
Geoff: your concern is a valid one, but for now, I'm containing my query to *passwd* named text files. I thought of Paul's and James' recommendation, but on some servers the login shells vary, and may even be customized. I think Clay's solution may fit the need.
Kent Ostby
Honored Contributor

Re: I need to find any copies of /etc/passwd on a server

Well, you could make your list more generic and find all files on the server and then get rid of the non-text files.

And then on the text file you could search for multiple ":" with something like:

# report FILE once if any line contains at least two ":" separators
# (FILE is passed as an argument, not redirected, so FILENAME is set)
awk '{ idx1 = index($0, ":"); if (idx1 > 0 && index(substr($0, idx1 + 1), ":") > 0) { print FILENAME; exit } }' FILE

Where FILE is the name of the file to check.

"Well, actually, she is a rocket scientist" -- Steve Martin in "Roxanne"
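The approach Clay and Kent describe (walk all regular files, drop the non-text ones, then test each remaining file for passwd-shaped lines) as one runnable script. This is an added example, not code posted in the thread. Instead of parsing file(1) output it treats a file as text when its first 4 KiB contain no NUL byte, and instead of a two-colon test it requires a full seven-field record with a numeric UID and GID and an absolute home directory, counting how many such records a file holds so a pasted fragment with a single record is still reported. The sample tree it builds is constructed here for a dry run; mktemp(1) and a POSIX sh with find, awk, dd and tr are assumed.

```shell
#!/bin/sh
# Added example, not code from the thread. Finds files anywhere under a
# directory that contain passwd(4)-shaped records, including partial copies
# with no "passwd" in the name. Binary files are skipped by checking for NUL
# bytes instead of parsing file(1) output. Assumes a POSIX sh plus mktemp(1).

# is_text FILE: succeed if the first 4 KiB contain no NUL byte.
is_text() {
    nuls=$(dd if="$1" bs=4096 count=1 2>/dev/null | tr -cd '\000' | wc -c)
    [ "$((nuls + 0))" -eq 0 ]
}

# passwd_hits FILE: print how many lines look like passwd records:
# exactly 7 colon-separated fields, a login name in field 1, numeric UID and
# GID in fields 3 and 4, and an absolute home directory in field 6.
passwd_hits() {
    awk -F: '
        NF == 7 && $1 ~ /^[a-z_][a-z0-9_-]*$/ &&
        $3 ~ /^[0-9]+$/ && $4 ~ /^[0-9]+$/ && $6 ~ /^\// { n++ }
        END { print n + 0 }
    ' "$1"
}

# find_passwd_copies DIR: print "<record count><TAB><path>" for every text
# file holding at least one record, most records first.
find_passwd_copies() {
    find "$1" -type f -print | while IFS= read -r f; do
        is_text "$f" || continue
        n=$(passwd_hits "$f")
        if [ "$n" -gt 0 ]; then
            printf '%s\t%s\n' "$n" "$f"
        fi
    done | sort -rn
}

# make_sample_tree: build a constructed directory tree for a dry run and
# print its path. Records use the placeholder "x" password field.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/home/luis"
    # a full backup copy
    printf '%s\n' 'root:x:0:3::/:/sbin/sh' \
                  'daemon:x:1:5::/:/sbin/sh' \
                  'luis:x:101:20:Luis Toro:/home/luis:/usr/bin/ksh' \
        > "$d/etc/passwd.bak"
    # a single record pasted into a note: no "passwd" in the name
    printf '%s\n' 'ticket 42: account to restore' \
                  'luis:x:101:20:Luis Toro:/home/luis:/usr/bin/ksh' \
        > "$d/home/luis/notes.txt"
    # colon-heavy text that must not be reported
    printf '%s\n' 'Mon:Tue:Wed:Thu:Fri:Sat:Sun' 'a:b:c:d:e:f:g' \
        > "$d/home/luis/readme"
    # binary data: must be skipped, not grepped
    printf 'root:x:0:3:\000\000\000binary\n' > "$d/home/luis/blob"
    printf '%s\n' "$d"
}

# Usage: sh find_passwd_copies.sh /   (or any starting directory)
if [ "$#" -gt 0 ]; then
    find_passwd_copies "$1"
fi
```

Run it against "/" to sweep a whole server; on the constructed tree it reports etc/passwd.bak with 3 records and home/luis/notes.txt with 1, and says nothing about readme (colons but no record shape) or blob (NUL bytes, never passed to awk). The seven-field test is stricter than the two-colon test, so a file listing only login shells, or a colon-separated schedule, is not flagged; loosen the field-6 check if the copies you are hunting may have had the home directory stripped.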
Luis Toro
Regular Advisor

Re: I need to find any copies of /etc/passwd on a server

closing thread
A. Clay Stephenson
Acclaimed Contributor

Re: I need to find any copies of /etc/passwd on a server

Ooops, I was so concerned about getting the regular expression right that I left out the filename to search.

grep -q -E -e '^[A-Z][a-z][A-Za-z0-9_]+:[^:]+:[0-9]+:[0-9]+:'

should be:

grep -q -E -e '^[A-Z][a-z][A-Za-z0-9_]+:[^:]+:[0-9]+:[0-9]+:' "${F}"

Note the "-q" quiet option. We aren't worried about outputting the matching strings but rather that any such strings are found. In that case, the exit status is set to 0 and that is what we are testing for. You could also copy the line and leave off the "-q" just below the 'echo "${F}"' line and it would output the matchings lines.

If it ain't broke, I can fix that.