Operating System - HP-UX

some one changed file mode access in /var/

 
Rocktor
Occasional Advisor

Today is the first time I used "make_tape_recovery" on a system, but I got the following error, which is described in syslog.log.
Dec 5 17:01:52 jl-xz-db avrd[15481]: ioctl error on HP.C5683A.013 (device 0, /dev/rmt/c3t3d0BESTnb) thru tape driver, Ih18C&
Dec 5 17:05:06 jl-xz-db avrd[15481]: Cleaning media in drive HP.C5683A.013 (drive index 0)

I don't know why, but when I run "ll /var/", the access permissions of the files in /var are different from other systems:

# ll /var/
total 144
drwxr-xr-x 3 108 bin 96 Nov 23 00:00 X11
drwxr-xr-x 17 adm adm 8192 Dec 5 23:36 adm
drwxr-xr-x 4 108 sys 8192 Nov 29 05:07 dt
drwxr-xr-x 2 108 sys 96 Nov 23 00:10 empty
drwxrwxrwt 2 108 bin 96 Nov 22 22:03 home
drwxr-xr-x 4 108 sys 96 Nov 23 00:04 jail
drwxrwxr-x 2 108 mail 96 Dec 5 23:45 mail
drwxrwxrwt 2 108 108 96 Nov 22 23:50 news
dr-xr-xr-x 34 108 108 8192 Nov 23 00:09 opt
drwxrwxrwt 2 108 108 96 Nov 23 00:00 preserve
dr-xr-xr-x 2 108 108 8192 Dec 5 23:36 run
drwxrwxr-x 11 108 108 8192 Nov 29 04:35 sam
dr-xr-xr-x 12 108 108 8192 Nov 23 01:12 spool
drwxr-xr-x 4 108 108 96 Nov 23 01:12 statmon
drwxr-xr-x 6 108 other 96 Nov 23 00:02 stm
drwxrwxrwt 5 108 108 8192 Dec 6 08:51 tmp
drwxr-xr-x 2 108 108 8192 Dec 5 23:38 tombstones
dr-xr-xr-x 6 108 108 96 Nov 22 23:59 uucp
dr-xr-xr-x 5 108 108 96 Nov 23 01:13 vx
drwxr-xr-x 2 108 108 8192 Nov 22 23:51 yp

There is no user 108 and group 108 on my system. Obviously someone changed the file mode to a UID 108 user and deleted the user later. Can I find a way to find out when, who and how he/she did it?

BTW: Is this the problem that causes my make_tape_recovery to fail?

MarkSyder
Honored Contributor

Re: some one changed file mode access in /var/

I've just checked one of my systems and the directories which belong to 108 on yours belong to bin on mine, but bin's UID is 2. Have you checked for bin in your /etc/passwd? Has your passwd file changed recently?

Mark Syder (like the drink but spelt different)
The triumph of evil requires only that good men do nothing
Srikanth Arunachalam
Trusted Contributor

Re: some one changed file mode access in /var/

Hi Rocktor,

I don't see any dependency of the error on the permission problem on /var. There are ioctl errors on the tape device. I recommend you run a few mt commands manually to check whether the tape drive is readable and writable and that there is no problem with the tape driver.

Thanks,
Srikanth
Torsten.
Acclaimed Contributor

Re: some one changed file mode access in /var/

Why is the command failing?

See for yourself:

"Cleaning media in drive"

Try a tape for data ;-)

Hope this helps!
Regards
Torsten.

__________________________________________________
There are only 10 types of people in the world -
those who understand binary, and those who don't.

__________________________________________________
No support by private messages. Please ask the forum!

If you feel this was helpful please click the KUDOS! thumb below!   
F Verschuren
Esteemed Contributor

Re: some one changed file mode access in /var/

Who this was you can maybe still see in /.sh_history or in the sudo log; just grep for chmod.

This can cause a lot of problems and you need to fix it.
If the problem is only one layer you can fix it by running on a good system:
ll /var | awk 'NR > 1 { print "chown " $3 ":" $4 " /var/" $9 }' > chmod.sh
and running chmod.sh on the corrupted system;
this will fix most of the dirs.
After this please run
find /var -nouser
to see if there are still files that are not assigned correctly.
F Verschuren
Esteemed Contributor

Re: some one changed file mode access in /var/

PS: a possible cause is a lock file in /var/tmp; it cannot be thrown away if you are not the owner... because you have the file permissions on 1777.
Rocktor
Occasional Advisor

Re: some one changed file mode access in /var/

bin is OK in my passwd.
# more .sh_history
^A^Atelnet 10.136.47.111
clear
pwd
pwd
exit

If root didn't use ksh, can I still get the history of the command?
Rocktor
Occasional Advisor

Re: some one changed file mode access in /var/

Hi Verschuren,

Thanks for your reply. How can I fix this problem other than by recovering the OS?
Rocktor
Occasional Advisor

Re: some one changed file mode access in /var/

"PS: a possible cause is a lock file in /var/tmp; it cannot be thrown away if you are not the owner... because you have the file permissions on 1777"?

tmp is still there, and the files' permissions in tmp look OK (no 108 UID).
MarkSyder
Honored Contributor

Re: some one changed file mode access in /var/

Have you any backup copies of your passwd file? You could find out who UID 108 was:

cd /etc
grep 108 passwd*

Mark
The triumph of evil requires only that good men do nothing
Rocktor
Occasional Advisor

Re: some one changed file mode access in /var/

Thank you, Mark. I only have the original backup of the OS. As I mentioned in my question, I can't find any user info for 108 on my system, even in /etc/passwd. It looks like someone created it and deleted it later.
F Verschuren
Esteemed Contributor
Solution

Re: some one changed file mode access in /var/

You can just copy the ownership from another system... see my first reply. If the problem is deeper and the files in /var/tmp are also changed, you can use:
on a good system:

find /var -exec ll -d {} ";" |awk '{ print "chown " $3 ":" $4 " " $9 } ' > script.sh

Copy the script.sh to the bad system.
After the script has run you can check with the find that I posted whether there are still files that are not OK.

Run the script as root.
The script will look like:
chown bin:bin /var
chown root:root /var/lost+found
chown adm:adm /var/adm
chown root:root /var/adm/crash
chown root:sys /var/adm/crash/lost+found
chown root:sys /var/adm/crash/scc
chown root:sys /var/adm/crash/scc/data

PS: a full restore is the safest, but not all system managers can afford the downtime...
so this is a good workaround....
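
The one-liner in the accepted solution prints paths unquoted, so a name containing spaces or shell metacharacters (possible under world-writable /var/tmp) would be misparsed when script.sh runs as root. An added sketch, not part of any post in this thread, that quotes each path and does not follow symlinks; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: build chown commands from `ll -d` lines taken on a good host.

gen_chown() {
    # stdin: perms links owner group size month day time path [-> target]
    awk -v q="'" '
    NF < 9 || $1 ~ /^[bc]/ { next }   # skip "total N" and device nodes (extra field)
    {
        owner = $3; group = $4
        # Accept only plain account names or numeric IDs.
        if (owner !~ /^[A-Za-z0-9_.-]+$/ || group !~ /^[A-Za-z0-9_.-]+$/) next
        flag = (substr($1, 1, 1) == "l") ? "-h " : ""   # do not follow symlinks
        path = $0
        # Remove the first eight fields; spaces inside the path survive.
        for (i = 1; i <= 8; i++) sub(/^[ \t]*[^ \t]+[ \t]+/, "", path)
        if (flag != "") sub(/ -> .*$/, "", path)        # keep the link name only
        # Single-quote the path, rewriting each embedded quote as the
        # four characters quote, backslash, quote, quote.
        out = ""
        while ((p = index(path, q)) > 0) {
            out = out substr(path, 1, p - 1) q "\\" q q
            path = substr(path, p + 1)
        }
        print "chown " flag owner ":" group " " q out path q
    }'
}

sample_listing() {   # constructed lines, not taken from the thread
    cat <<'EOF'
total 144
drwxr-xr-x 17 adm adm 8192 Dec 5 23:36 /var/adm
-rw-r--r-- 1 root sys 10 Dec 5 23:36 /var/tmp/a b;c
-rw-r--r-- 1 root sys 10 Dec 5 23:36 /var/tmp/it's
lrwxr-xr-x 1 root sys 9 Dec 5 23:36 /var/lnk -> /tmp/x y
crw-rw-rw- 1 bin bin 3 0x000002 Dec 5 23:36 /var/dev0
EOF
}

sample_listing | gen_chown
```

On the good host the input would come from the find command in the post above piped into gen_chown; read the resulting script before running it as root, since names containing newlines cannot be recovered from a listing.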
Rocktor
Occasional Advisor

Re: some one changed file mode access in /var/

Hi Verschuren,

How do I find all files owned by UID 108 on my system? I want to confirm no more files are affected by the same problem.
F Verschuren
Esteemed Contributor

Re: some one changed file mode access in /var/

You can use find for this:
find / -nouser -exec ll -d {} ";" |grep 108

PS: probably there is a way to do it without the grep, but the line works; for more details, man find.

(I do not have a session at the moment so can't read the manpage myself....)

kind regards, Freek
Rocktor
Occasional Advisor

Re: some one changed file mode access in /var/

I will try to find a solution by copying another system's permissions to the system with the error.

For the tape issue, I need to change the tape tomorrow.
MarkSyder
Honored Contributor

Re: some one changed file mode access in /var/

According to the man page for find:

find / -user 108

should work.

Mark
The triumph of evil requires only that good men do nothing
Dennis Handly
Acclaimed Contributor

Re: some one changed file mode access in /var/

>when I "ll /var/",the access permissions of the files in /var are different with other system:

You can use swverify to check ownership:
# swverify \*

And add -F to fix them.