Since it would be impossible for an ordinary user to move directories that are owned by root (or sys or bin) with the proper permissions (755 on all the main HP-UX directories), I would be VERY concerned that your system is seriously compromised. For instance, and system directory (and most especially /) that has 777 permissions means you might as well start over and cold install the system. Now if Billy was logged in as root, then permissions aren't going to help.
777 is a big red flag that untrained sysadmins sometimes use when things don't work right. 777 on a directory means that nothing in the directory at ANY level can be trusted. And unfortunately, your umask may never have been setup (an absolute requirement after an install). That means you probably have dozens, perhaps hundreds of files and directories that have wrong permissions, all created by root since the install occurred.
If this system is in production and downtime is a problem, Billy never gets the root password, period. If Billy is your assistant, then pick specific, low-risk tasks like adding users or cancelling print jobs and use either restricted sam (see the sam man page) or install sudo and setup Billy with a few commands. sudo can even restrict the parameters that are allowed for the commands (like mount and umount).
Since you mentioned .rhosts in conjunction with the / (root) directory, it saounds like you have not moved root's $HOME to a safe location. Root's $HOME should NEVER be in the / directory and the above situation is one example of the problem. One scenario that Billy may have used is to move dotfiles using the very dangerous command:
mv .* /someplace
The reason this is dangerous is that .* matches not only dotfiles like .rhosts, it also matches .. and that is the parent of the current working directory. So if Billy was root (never allow DBAs to have root passwords) and typedsomething like:
cd /opt/le
mv * .* /u01/app/billy
then not only would all the files in the current directory be moved, but /opt would be moved. Another guess is that some strange application was installed and it filled the root filesystem because it refused to ask the installer where it should be located (should be /opt). So Billy dutifully read the Unix for Newbies book and typed something like this:
cd /StrangeAppLocation
mv * .* /u01/app/billy
and away all the directories go...A very good technique is to put the word echo or print in front of dangerous commands like mv and rm to see what they will do. Example:
echo mv * .* /u01/app/billy
Now you'll see how the shell expanded (globbing) the filenames given to mv.
As soon as possible, change the root password, perform a cold install and reinstall all your apps. Set umask 022 in /etc/profile and /etc/csh.profile, create /root and move all ordinary files from / to /root (move the dotfiles using: mv /.[!.]* /root which moves all files except those with ..
And you may want to make root's versions of the dangerous commands always ask permission by adding this to .profile:
alias mv='/usr/bin/mv -i' # ask before overlaying
alias cp='/usr/bin/cp -i' # ask before overlaying
alias rm='/usr/bin/rm -i' # ask before removing
Finally, once your system is stable, download Ignite/UX from HP's website and run make_tape_recovery! This wil avoid another cold install in the future.
Bill Hassell, sysadmin
