12-11-2009 06:29 AM
Re: unix command sanity check
That's a very good question. Long story short is that some cellar-dweller mushroom-head of a Solaris Admin in the Montgomery, AL area reported a potential security issue (root priv escalation) when running ANY command, not just JAVA with the -v, -V, -version or version arg options, etc. So management all over the company is jumping on this OMIGOD bandwagon and all the admins here need to find a reliable alternative to check apps, like java, for versioning across our entire enterprise. Not just HP-UX though. We also have other vendor 'Nix products as well.
I just happen to have responsibility for the JAVA app(s) that run across all computer systems.
Thx.
12-11-2009 06:44 AM
Re: unix command sanity check
So, you're trying to determine the versions
of some set of programs of some type or other
without actually running those programs?
Good luck.
This whole thing sounds like nonsense, by the
way. If you're worried about, say, a
non-root user running, say, "java -version",
and blowing up the world, then you may as
well just turn off all your computers.
man strings
(On the bright side, "strings" doesn't seem
to have a "-v"-like option, at least on
HP-UX.)
> [...] reported [...]
Sounds like an interesting report. Goofy,
but interesting.
12-11-2009 06:56 AM
Re: unix command sanity check
12-11-2009 06:59 AM
Re: unix command sanity check
That's why I'm looking for a single "best" approach to making the job easier and more generic.
12-11-2009 07:11 AM
Re: unix command sanity check
So, not really a "root priv escalation"
problem, more of a root priv exploitation
problem.
> [...] don't bother to update the version,
> and thus the version string reported by the
> strings command.
And if someone patches a program to insert
this greatly feared exploit, then you _would_
expect to find a changed version? Really?
It sounds to me as if your actual concern is
(or should be) the integrity of your files.
This can sometimes be verified using
checksums or direct comparison with
known-good files. I can't imagine how
extracting some kind of version string from
any executable will reveal anything of any
great value.
> That's why I'm looking for a single "best"
> approach to making the job easier and more
> generic.
Again, good luck. Unless I completely
misunderstand your goal, you would seem to be
doomed. (To either hard work, or meaningless
results. Probably both.)
12-11-2009 07:46 AM
Re: unix command sanity check
Checksums are great, but that requires A LOT of manual labor locally on every machine.
Look, I can't go into detailed explanations here because there's a book's worth of info I'd have to tell you.
Rather than knocking or wondering why I'm trying to get this info w/o using the above described method, could you offer any other positive, tried and true means of doing so?
I'm looking for solutions, not discussions within an encounter group.
Thx
12-11-2009 01:11 PM
Re: unix command sanity check
> of manual labor locally on every machine.
Why "manual" labor? Why not a shell script,
or some other automated scheme?
> Look, I can't go into detailed explanations
> here [...]
> [...] could you offer any other positive,
> tried and true means of doing so?
So, you want precise solutions, but you don't
want to provide a precise description of the
problem? My psychic powers are too weak to
be of much use in such a situation.
From your description so far, it's unclear to
me exactly what you want, partly because what
you seem to be looking for would seem to me
to have approximately no value.
> I'm looking for solutions, not discussions
> within an encounter group.
You may need what you're not seeking more
than what you are.
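
The checksum comparison against known-good files raised in this thread, automated as a shell script. This is an added example, not code posted by any participant; the function names are illustrative, and it assumes sha256sum or openssl, mktemp, and file paths without whitespace.

```shell
#!/bin/sh
# Added example: checksum baseline and verification for a set of binaries.
# Assumes sha256sum or openssl is installed and paths contain no whitespace.

# hash_file FILE: print the SHA-256 hex digest of FILE.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# make_manifest FILE...: print one "digest  path" line per file.
make_manifest() {
    for f in "$@"; do
        printf '%s  %s\n' "$(hash_file "$f")" "$f"
    done
}

# verify_manifest MANIFEST: report files that are missing or whose digest
# differs from the baseline; return 1 if anything was reported.
verify_manifest() {
    rc=0
    while read -r want target; do
        if [ ! -f "$target" ]; then
            echo "MISSING $target"; rc=1
        elif [ "$(hash_file "$target")" != "$want" ]; then
            echo "CHANGED $target"; rc=1
        fi
    done < "$1"
    return "$rc"
}

# Constructed demo: stand-in files in a scratch directory, not real binaries.
demo() {
    d=$(mktemp -d)
    printf 'stand-in for java\n' > "$d/java"
    printf 'stand-in for perl\n' > "$d/perl"
    make_manifest "$d/java" "$d/perl" > "$d/baseline"
    # Modify one file; nothing resembling a version string changes.
    printf 'appended bytes\n' >> "$d/java"
    verify_manifest "$d/baseline" || true
    rm -rf "$d"
}
demo
```

In practice the manifest is generated on a known-good reference system and kept where the hosts being checked cannot rewrite it.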
12-11-2009 10:46 PM
Re: unix command sanity check
After fixing the missing single quote I get more awk errors:
awk '/assemblyIdentity version=/ {print $2}' $(whence java)
awk: Input line cannot be longer than 3,000 bytes.
The input line number is 61. The file is /opt/java1.4/jre/bin/java.
The source line number is 1.
12-11-2009 10:49 PM
Re: unix command sanity check
After fixing the missing single quote I get more awk errors:
awk '/assemblyIdentity version=/ {print $2}' $(whence java)
awk: Input line cannot be longer than 3,000 bytes.
The input line number is 61. The file is /opt/java1.4/jre/bin/java.
The source line number is 1.
strings -a doesn't find anything either.
12-12-2009 04:24 AM
Re: unix command sanity check
To Dennis H: Yes Dennis, I know there's a missing single quote. One of the hazards of typing too fast, but you've never done that, correct?
Your reply could have been much more helpful if you had attached whatever output you were getting from a screenshot or cut-and-paste, whether it was good, bad or otherwise. But thanks, as it was more helpful than some of the other replies in terms of actually trying the cmd to get some output.