unix command sanity check

john guardian
Super Advisor

unix command sanity check

Could someone please look at the attached text doc and execute the awk command I placed in the attachment and let me know what you get for screen output?

Greatly appreciated. Thanks.
21 REPLIES
R.K. #
Honored Contributor
Solution

Re: unix command sanity check

No attachment
Don't fix that what ain't broke
john guardian
Super Advisor

Re: unix command sanity check

Sorry. The attachment was there. Let's try this again.

Thx.
R.K. #
Honored Contributor

Re: unix command sanity check

I tried this command on a test server, below is the exact o/p I got:

root# cmd=`which java`
root# echo `/usr/bin/awk '/assemblyIdentity version=/ {print $2} $cmd`

awk: Field $() is not correct.
The input line number is 1.
The source line number is 1.
Don't fix that what ain't broke
john guardian
Super Advisor

Re: unix command sanity check

OK. So if that's an incorrect usage, what would be the correct form?
R.K. #
Honored Contributor

Re: unix command sanity check

Hi Again,

Looks like the command is meant to find the line containing "assemblyIdentity version=" from the output of "which java".

# which java > /tmp/a1
# awk '/assemblyIdentity version=/ {print $2}' /tmp/a1
# rm /tmp/a1

This should give the same results.
Don't fix that what ain't broke
Steven Schweda
Honored Contributor

Re: unix command sanity check

> [...] what would be the correct form?

What are you trying to do?
john guardian
Super Advisor

Re: unix command sanity check

I'm attempting to acquire the application major/minor version number w/o having to execute the java -version cmd.
john guardian
Super Advisor

Re: unix command sanity check

Note to RK:

Did you actually try to run the cmd you sent?

I'm getting nothing back from it?

If you did, can you send me the cmd used along with the screen output?
Steven Schweda
Honored Contributor

Re: unix command sanity check

> I'm attempting to acquire the application
> major/minor version number w/o having to
> execute the java -version cmd.

Huh? What is "the application"? Java
itself, or some Java program? If you want
the Java version, what's wrong with "java
-version"?

> What are you trying to do?

Still a mystery. What, exactly, are you
trying to do?
john guardian
Super Advisor

Re: unix command sanity check

Why not run the java cmd for the version?

That's a very good question. Long story short is that some cellar-dweller mushroom-head of a Solaris Admin in the Montgomery, AL area reported a potential security issue (root priv escalation) when running ANY command, not just JAVA with the -v, -V, -version or version arg options, etc. So management all over the company is jumping on this OMIGOD bandwagon and all the admins here need to find a reliable alternative to check apps, like java, for versioning across our entire enterprise. Not just HP-UX though. We also have other vendor 'Nix products as well.

I just happen to have responsibility for the JAVA app(s) that run across all computer systems.

Thx.
Steven Schweda
Honored Contributor

Re: unix command sanity check

Still rivaling mud in the clarity department.

So, you're trying to determine the versions
of some set of programs of some type or other
without actually running those programs?

Good luck.

This whole thing sounds like nonsense, by the
way. If you're worried about, say, a
non-root user running, say, "java -version",
and blowing up the world, then you may as
well just turn off all your computers.

man strings

(On the bright side, "strings" doesn't seem
to have a "-v"-like option, at least on
HP-UX.)


> [...] reported [...]

Sounds like an interesting report. Goofy,
but interesting.
john guardian
Super Advisor

Re: unix command sanity check

No. The worry isn't that a normal user would do this. Just that root would. The thought is that the binary might actually be a malicious root toolkit that root activates when running the cmd to interrogate it for the version.
john guardian
Super Advisor

Re: unix command sanity check

BTW: strings might work great for "some" of our systems. But others use backporting to update the executable, so strings wouldn't pick that up as most if not all vendors who use backporting don't bother to update the version, and thus the version string reported by the strings command.

That's why I'm looking for a single "best" approach to making the job easier and more generic.
Steven Schweda
Honored Contributor

Re: unix command sanity check

> [...] Just that root would. [...]

So, not really a "root priv escalation"
problem, more of a root priv exploitation
problem.

> [...] don't bother to update the version,
> and thus the version string reported by the
> strings command.

And if someone patches a program to insert
this greatly feared exploit, then you _would_
expect to find a changed version? Really?

It sounds to me as if your actual concern is
(or should be) the integrity of your files.
This can sometimes be verified using
checksums or direct comparison with
known-good files. I can't imagine how
extracting some kind of version string from
any executable will reveal anything of any
great value.

> That's why I'm looking for a single "best"
> approach to making the job easier and more
> generic.

Again, good luck. Unless I completely
misunderstand your goal, you would seem to be
doomed. (To either hard work, or meaningless
results. Probably both.)
john guardian
Super Advisor

Re: unix command sanity check

We have to check versions from time to time when upgrading OTHER apps.

Checksums are great, but that requires A LOT of manual labor locally on every machine.

Look, I can't go into detailed explanations here because there's a book's worth of info I'd have to tell you.

Rather than knocking or wondering why I'm trying to get this info w/o using the above described method, could you offer any other positive, tried and true means of doing so?

I'm looking for solutions, not discussions within an encounter group.

Thx
Steven Schweda
Honored Contributor

Re: unix command sanity check

> Checksums are great, but that requires A LOT
> of manual labor locally on every machine.

Why "manual" labor? Why not a shell script,
or some other automated scheme?

> Look, I can't go into detailed explanations
> here [...]

> [...] could you offer any other positive,
> tried and true means of doing so?

So, you want precise solutions, but you don't
want to provide a precise description of the
problem? My psychic powers are too weak to
be of much use in such a situation.

From your description so far, it's unclear to
me exactly what you want, partly because what
you seem to be looking for would seem to me
to have approximately no value.

> I'm looking for solutions, not discussions
> within an encounter group.

You may need what you're not seeking more
than what you are.
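
Added example, not part of the original thread: a sketch of the automated checksum comparison suggested above, which hashes binaries against a known-good manifest without ever executing them. The function names (hash_file, build_manifest, verify_manifest, demo) are hypothetical, the demo files are constructed stand-ins, and it assumes one of sha256sum, shasum or openssl is installed on the host.

```shell
#!/bin/sh
# Added example: integrity check of installed binaries without running them.

# hash_file FILE : print the SHA-256 of FILE using whichever tool this host has.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# build_manifest FILE... : print "<sha256>  <path>" lines (run on a trusted reference install).
build_manifest() {
    for f in "$@"; do
        printf '%s  %s\n' "$(hash_file "$f")" "$f"
    done
}

# verify_manifest MANIFEST : one status line per entry; non-zero if anything is missing or changed.
verify_manifest() {
    rc=0
    while read -r want path; do
        [ -n "$want" ] || continue          # skip blank lines
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"; rc=1
        elif [ "$(hash_file "$path")" = "$want" ]; then
            echo "OK       $path"
        else
            echo "CHANGED  $path"; rc=1
        fi
    done < "$1"
    return $rc
}

# Constructed demo: two stand-in "binaries"; one is altered after the baseline is taken.
demo() {
    d=$(mktemp -d) || return 2
    printf 'java-stub-v1\n' > "$d/java"
    printf 'perl-stub-v1\n' > "$d/perl"
    build_manifest "$d/java" "$d/perl" > "$d/manifest"
    printf 'extra bytes\n' >> "$d/java"     # simulate a modified file
    verify_manifest "$d/manifest"; status=$?
    rm -rf "$d"
    return $status
}
```

The manifest only has value if it is built from a trusted install and stored where the checked host cannot rewrite it.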
Dennis Handly
Acclaimed Contributor

Re: unix command sanity check

>If you did, can you send me the cmd used along with the screen output?

After fixing the missing single quote I get more awk errors:
awk '/assemblyIdentity version=/ {print $2}' $(whence java)
awk: Input line cannot be longer than 3,000 bytes.
The input line number is 61. The file is /opt/java1.4/jre/bin/java.
The source line number is 1.

strings -a doesn't find anything either.
john guardian
Super Advisor

Re: unix command sanity check

To Steven S: The company I'm doing this temp job for requires that I be as non-specific as I have been. It is NOT how I would like to present and talk about the issue. When working for someone else, I simply respect their wishes, even if it means it's that much harder to solve a problem. I asked a simple question, "please run a cmd and copy me with what your output looks like". Instead you answered my question with more questions. Not helpful, but thanks for the reply.

To Dennis H: Yes Dennis, I know there's a missing single quote. One of the hazards of typing too fast, but you've never done that, correct?

Your reply could have been much more helpful if you had attached whatever output you were getting from a screenshot or cut-and-paste, whether it was good, bad or otherwise. But thanks, as it was more helpful than some of the other replies in terms of actually trying the cmd to get some output.
john guardian
Super Advisor

Re: unix command sanity check

Many/most responses were helpful to some degree, however it's clear I'll have to look for the answer somewhere else due to time constraints.

Many thx to everyone who replied.
Dennis Handly
Acclaimed Contributor

Re: unix command sanity check

>Your reply could have been much more helpful if you had attached whatever output you were getting from a screenshot or cut-and-paste

I did. I got an awk error because awk doesn't work reliably on binaries, only text files. I then used strings and I didn't find the string you wanted.

If you wanted to check the version of java on HP-UX, you could use swlist(1M).
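
Added example, not part of the original thread: awk fails on raw binaries as described above, so this sketch first reduces the file to its printable text runs and only then applies the awk pattern, never executing the file. The function names are hypothetical and the sample file is a constructed byte string, not a real java binary.

```shell
#!/bin/sh
# Added example: pull a marker string out of a binary without executing it.

# printable_runs FILE : emit the file's printable text, one run per line.
printable_runs() {
    if command -v strings >/dev/null 2>&1; then
        strings -a "$1"
    else
        # Fallback when strings is absent: every non-printable byte becomes a newline.
        LC_ALL=C tr -c '[:print:]' '\n' < "$1"
    fi
}

# embedded_field FILE PATTERN N : print field N of each text run that matches PATTERN.
embedded_field() {
    printable_runs "$1" | awk -v pat="$2" -v n="$3" '$0 ~ pat { print $n }'
}

# Constructed sample: binary header bytes, an embedded manifest-style tag, trailing data.
demo_embedded() {
    f=$(mktemp) || return 2
    printf '\177ELF\000\001\002<assemblyIdentity version="1.6.0.0" name="x"/>\000tail' > "$f"
    embedded_field "$f" 'assemblyIdentity version=' 2
    rm -f "$f"
}
```

An empty result means the marker is simply not present in that file.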