Operating System - HP-UX
1748256 Members
3926 Online
108760 Solutions
New Discussion юеВ

Re: touch on /dev/vg00/lvol9

 
Simon Bradish
New Member

touch on /dev/vg00/lvol9

A customer ran the command
touch /dev/vg00/lvol9
Now instead of:
brw-r----- 1 root sys 64 0x000009 Jun 17 08:36 /dev/vg00/lvol9

We have:
-rw-rw-r-- 1 root sys 0 Aug 14 09:26 /dev/vg00/lvol9

Obviously the contents of the file are AWOL.
Anyone suggest a way to recover the file ... only option I can think of is to recreate the lvol and then restore from a backup?

TIA
Simon
9 REPLIES 9
Peter Godron
Honored Contributor

Re: touch on /dev/vg00/lvol9

Simon,
are you sure that is all that happened?
1. The file is still owned by root. So the user who did this had root access ?
2. I have just tried to recreate the problem and the touch command does not change the file format, only the date, as the file already exists.

So did the user delete the file first and then try to cover up with touch?
Simon Bradish
New Member

Re: touch on /dev/vg00/lvol9

It is quite possible that they did so, the customer (user) does indeed have root access as they own the machine and they have a history of messing about (... so to speak).

A colleague has suggested running mknod with the correct arguments but is at a loss as to the correct arguments. Our HP/UX guru is on honeymoon, so uncontactable!
melvyn burnard
Honored Contributor

Re: touch on /dev/vg00/lvol9

hmm, I dont think that using touch on an exisiting file would make those changes, this appears to be a case of the file was not actually there when the touch command was run!

To recreate the file:
rm /dev/vg00/lvol9
mknod /dev/vg00/lvol9 b 64 0x000009

(Make sure it is 5 0's followed by a 9)
then just make sure th eperms and ownership are ok.
My house is the bank's, my money the wife's, But my opinions belong to me, not HP!
Pete Randall
Outstanding Contributor

Re: touch on /dev/vg00/lvol9

make that

mknod /dev/vg09/group c 64 0x090000


Pete

Pete
melvyn burnard
Honored Contributor

Re: touch on /dev/vg00/lvol9

Uh, Pete?
It is not the group file that has been whacked, but the lvol9 device file
My house is the bank's, my money the wife's, But my opinions belong to me, not HP!
Tvs
Regular Advisor

Re: touch on /dev/vg00/lvol9

touch will update the time stamp only for a existing file.


To recreate the file:
delete the file
rm /dev/vg00/lvol9

create the block file

mknod /dev/vg00/lvol9 b 64 0x000009
Pete Randall
Outstanding Contributor

Re: touch on /dev/vg00/lvol9

Yeah, sorry Melvyn - lack of coffee.

;^)


Pete

Pete
rariasn
Honored Contributor

Re: touch on /dev/vg00/lvol9

Hi Simon,

melvyn burnard is goog solution.

Verify also /dev/vg00/rlvol9

Sample output "touch":

No "root" user,

$ touch /dev/vgxxxx/lvxxxx
touch: cannot change times on /dev/vgxxxx/lvxxxx

With "root" user,
#ll /dev/vgxxxx/lvxxxx
brw-r----- 1 root sys 64 0x190001 Aug 23 2004 /dev/vgxxxx/lvxxxx
#touch /dev/vgxxxx/lvxxxx
#ll /dev/vgxxxx/lvxxxx
brw-r----- 1 root sys 64 0x190001 Aug 14 14:16 /dev/vgxxxx/lvxxxx

#chmod 644 /dev/vgxxxx/lvxxxx
#ll /dev/vgxxxx/lvxxxx
brw-r--r-- 1 root sys 64 0x190001 Aug 14 14:16 /dev/vgxxxx/lvxxxx

#chmod 640 /dev/vgxxxx/lvxxxx
#ll /dev/vgxxxx/lvxxxx
brw-r----- 1 root sys 64 0x190001 Aug 14 14:16 /dev/vgxxxx/lvxxxx


rgs,

ran
Bill Hassell
Honored Contributor

Re: touch on /dev/vg00/lvol9

You will need to do a sanity check on all the device files in your volume groups and at the same time, print out a copy of root's .sh_history file. There may be a LOT more damage than this one device file. I would not reboot at this point as the system may not come back depending on what else is broken.

Once you fix the missing lvol9, run the vgdisplay command. It should not report any errors. Also try mount -a which should report that all mountpoints are already mounted. Then look over all the commands in .sh_history for anything that changes the system (touch rm mv chmod chown vi, etc)


Bill Hassell, sysadmin