
unable to logon to the server for all users

 
SOLVED
aleemuddin
Occasional Advisor

unable to logon to the server for all users

hi guys

i am getting the following error

fare login :open_module: module /usr/lib/security/hpux32/libpam_hpsec.so .1 writable by group


---------

all i did was chmod -R 777 /usr

and i think this has caused the whole problem

-----

for the solution
i tried logging on in single user mode
using

HPUX> boot -lm vmunix
and i was successful in getting the # prompt

i changed the permission back to 555 for usr directory

chmod -R 555 usr

and i restarted the server in multiuser mode and i get the same error as mentioned above.


i thought of changing the permission of the file libpam_hpsec.so but when i changed directory to usr i could not see any other sub directories or files.

i need a solution ASAP
28 REPLIES 28
F Verschuren
Esteemed Contributor

Re: unable to logon to the server for all users

The problem is that in /usr some files have to have setUID

example:
-r-sr-xr-x for /usr/bin/vgdisplay.
-r-xr-sr-x for war

the best way is to restore the data (or copy the permissions from another server)

make sure that /usr/bin/login shows:
-r-sr-xr-x
and logins:
-r-xr-xr-x

then maybe you are able to login again to start a restore....

kind regards,

Freek

Ganesan R
Honored Contributor
Solution

Re: unable to logon to the server for all users

Hi,

chmod -R 777 /usr

This command would have changed the permissions of all subdirectories and files. That is what did all the damage.

I came across the same situation once and ultimately we reinstalled the OS, because we could not go and change all the file and directory permissions back to the old ones.

So I would recommend you restore the OS from a recent Ignite backup.

>>>i thought of changing the permission of the file libpam_hpsec.so but when i changed directory to usr i could not see any other sub directories or files.<<<

You need to mount the /usr since /usr will not be mounted on single user mode. Run the following commands to mount /usr

#fsck -F full /dev/vg00/rlvolx --> x is the lvol number of /usr mount point.

#mount /usr

Now you can access the /usr filesystem
Best wishes,

Ganesh.
aleemuddin
Occasional Advisor

Re: unable to logon to the server for all users

hi

this is the only server we have .
i would like to know if we start the server
using this command
HPUX> boot -lm vmunix
can we see the contents of /usr

i could see the contents of /dev
but not usr

please bear with me as i am very new to unix.

thanks
Suraj K Sankari
Honored Contributor

Re: unable to logon to the server for all users

Hi,

That means your /usr is not having any file or directory.
In this case I suggest restore your OS with ignite backup.

Suraj
aleemuddin
Occasional Advisor

Re: unable to logon to the server for all users

hi ganesh

after logging on to the server
and when i do a listing ls i get the list of all the files which includes dev,usr,........

but i cannot see the contents of usr when i change directory to usr

thanks
Ganesan R
Honored Contributor

Re: unable to logon to the server for all users

Hi Aleemudin,

I clearly mentioned in my previous reply that /usr will not be mounted in single user mode or maintenance mode. You need to mount it manually as per the steps I have given.

#fsck -F full /dev/vg00/lvol6
#mount /usr

You are just seeing the directory /usr which is in root filesystem. There is no logical volume mounted on /usr as such.

And the /dev directory is also in the root filesystem. It is not a separate mount point like /usr.

Hope this helps..
Best wishes,

Ganesh.
Dennis Handly
Acclaimed Contributor

Re: unable to logon to the server for all users

>all I did was chmod -R 777 /usr

Why in the world would you want to do that? Besides messing up any setuid bits, it creates a security hole big enough for a Mac truck!

As Ganesan says, you are hosed.

If you have hours and hours of time, you could change files one by one. If you could get swverify working, you could use "swverify -F \*" to fix the permissions.

>i cannot see the contents of usr when i change directory to usr

As Ganesan mentioned, get out of that directory and mount /usr.
Pete Randall
Outstanding Contributor

Re: unable to logon to the server for all users

Your "boot -lm vmunix" will boot you into LVM maintenance mode. I would think you would rather be in single user mode "boot -is vmunix".

In any case, you can't see /usr because it's not mounted. Do a "mount -a" to mount all the file systems. If you get any errors during the mount you might need to run fsck against them. Once you get things mounted, then you can look at /usr and see what you may need to do to fix things.

I would suggest that you take away from this experience one very valuable lesson: the as-installed permissions on your root file systems are the way they are for a reason. Do NOT play with them.


Pete
aleemuddin
Occasional Advisor

Re: unable to logon to the server for all users

hi ganesh

how can i know lvol number of /usr mount point

thanks
Ganesan R
Honored Contributor

Re: unable to logon to the server for all users

Hi Aleemudin,

After booting the system into single user mode run the below command.

#/sbin/cat /etc/fstab

or

#/sbin/cat /etc/fstab |grep /usr

The above commands will give you the logical volume details. Usually lvol6 will be the logical volume of /usr
Best wishes,

Ganesh.
Dennis Handly
Acclaimed Contributor

Re: unable to logon to the server for all users

>how can i know lvol number of /usr mount point

You could always do: /sbin/mountall
F Verschuren
Esteemed Contributor

Re: unable to logon to the server for all users

Can you post the unix flavor (11.00, 11.11, 11.23, etc?)
If you post this it is possible that I (or someone else) can post all the permissions of all files. After booting up in single user mode you can change all the files "manually".

When you are in single user mode first do a mount -a to see the contents of /usr.
At first you can use the following list.. if you can add your unix type I can mail/paste you a ls -al of all files in /usr...

chmod 2555 /usr/sbin/wall
chmod 2555 /usr/sbin/lanscan
chmod 4555 /usr/sbin/vg*
chmod 4555 /usr/sbin/lv*
chmod 744 /usr/sbin/lvmmigrate
chmod 4555 /usr/sbin/swpackage
chmod 4555 /usr/sbin/swlist
chmod 4555 /usr/sbin/rlpstat
chmod 4555 /usr/sbin/rlpdaemon
chmod 4555 /usr/sbin/rcancel
chmod 4555 /usr/sbin/ping
chmod 4555 /usr/sbin/lvchange.run
chmod 4555 /usr/sbin/lpshut
chmod 4555 /usr/sbin/lpsched
chmod 4555 /usr/sbin/lpmove
chmod 4555 /usr/sbin/lpfence
chmod 4555 /usr/sbin/lpadmin
chmod 4555 /usr/sbin/keyenvoy
chmod 4555 /usr/sbin/arp
chmod 4555 /usr/sbin/accept

chmod 4555 /usr/bin/at
chmod 4555 /usr/bin/passwd
chmod 4555 /usr/bin/rexec
chmod 4555 /usr/bin/rlogin
chmod 4555 /usr/bin/login
chmod 4555 /usr/bin/cancel
chmod 4555 /usr/bin/df
chmod 4555 /usr/bin/rexec
F Verschuren
Esteemed Contributor

Re: unable to logon to the server for all users

ps restore is the quickest solution (if you have a backup)
Dennis Handly
Acclaimed Contributor

Re: unable to logon to the server for all users

>F Verschuren: I can mail/paste you a ls -al of all files in /usr ...
>chmod 2555 /usr/sbin/wall

I have a script on the ITRC that will generate those chmods. (Another for chown.) See my Mar 22, 06:54:46 reply in:
http://forums.itrc.hp.com/service/forums/questionanswer.do?threadId=1215123
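
The approach discussed above (a known-good listing turned into chmod commands), as an added example; it is not the ITRC script or any poster's code. It assumes a reference file of `ls -l` style lines with absolute, space-free paths taken from a healthy system of the same release; `sym2oct` and `gen_chmods` are hypothetical names, and the demo data is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: reference lines start
# with the symbolic mode and end with an absolute path containing no spaces.

# sym2oct MODE: convert an ls mode string such as "-r-sr-xr-x" to "4555".
sym2oct() {
    m=$1 special=0 out=""
    for i in 0 1 2; do
        # triplet i is characters 2-4, 5-7 or 8-10 of the mode string
        t=$(printf '%s' "$m" | cut -c$((2 + i * 3))-$((4 + i * 3)))
        d=0
        case $t in r??) d=$((d + 4)) ;; esac
        case $t in ?w?) d=$((d + 2)) ;; esac
        case $t in ??[xst]) d=$((d + 1)) ;; esac   # lower-case s/t imply x
        # s/S in user = setuid (4), in group = setgid (2); t/T = sticky (1)
        case $t in ??[sStT]) special=$((special + (4 >> i))) ;; esac
        out=$out$d
    done
    printf '%s%s\n' "$special" "$out"
}

# gen_chmods LISTING: print (not run) the chmod needed for each path whose
# current mode differs from the reference, so the list can be reviewed first.
gen_chmods() {
    while read -r mode rest; do
        path=${rest##* }                        # last field of the line
        case $mode in l*|"") continue ;; esac   # chmod would follow symlinks
        [ -e "$path" ] || continue              # also skips "total N" lines
        want=$(sym2oct "$mode")
        have=$(sym2oct "$(ls -ld "$path" | cut -c1-10)")
        [ "$want" = "$have" ] || printf 'chmod %s %s\n' "$want" "$path"
    done < "$1"
}

# Constructed demo: a file left at 777, with a reference line saying it
# should be setuid like /usr/bin/su.
demo=${TMPDIR:-/tmp}/permfix.$$
mkdir "$demo" && : > "$demo/su" && chmod 777 "$demo/su"
echo "-r-sr-xr-x 1 root bin 80104 Feb 16 2007 $demo/su" > "$demo/ref.txt"
gen_chmods "$demo/ref.txt"
rm -rf "$demo"
```

Because the output is only a list of commands, it can be compared with the package database or a backup before anything is applied; ownership is not covered and would need a matching chown pass.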
aleemuddin
Occasional Advisor

Re: unable to logon to the server for all users

thanks heaps to all the guys involved in helping me out .

i mounted /usr and changed the permissions to 555

i am now able to log on to the server in multiuser mode .


these are the files in /usr with their permissions.

lrwxr-xr-x 1 root sys 8 Aug 10 04:34 adm -> /var/adm
dr-xr-xr-x 6 bin bin 16384 Aug 14 10:08 bin
dr-xr-xr-x 6 bin bin 96 Aug 10 02:42 ccs
dr-xr-xr-x 6 bin bin 96 Aug 10 02:12 conf
dr-xr-xr-x 15 bin bin 8192 Aug 10 03:24 contrib
dr-xr-xr-x 4 bin bin 96 Aug 10 03:03 dt
dr-xr-xr-x 3 bin bin 8192 Aug 10 04:35 etc
dr-xr-xr-x 7 bin bin 96 Aug 10 03:50 examples
dr-xr-xr-x 24 bin bin 8192 Aug 10 18:50 include
lrwxr-xr-x 1 bin bin 14 Aug 10 03:25 keysh -> /usr/lib/keysh
dr-xr-xr-x 9 bin bin 8192 Aug 10 13:56 lbin
dr-xr-xr-x 35 bin bin 8192 Aug 11 21:10 lib
dr-xr-xr-x 8 bin bin 8192 Aug 10 02:14 local
dr-xr-xr-x 2 root root 96 Aug 10 01:55 lost+found
lrwxr-xr-x 1 bin bin 14 Aug 10 02:12 man -> /usr/share/man
dr-xr-xr-x 9 bin bin 8192 Aug 10 03:47 newconfig
lrwxr-xr-x 1 root sys 9 Aug 10 04:34 news -> /var/news
dr-xr-xr-x 4 bin bin 96 Aug 10 01:57 obam
dr-xr-xr-x 3 bin bin 96 Aug 10 02:13 old
lrwxr-xr-x 1 root sys 13 Aug 10 04:44 preserve -> /var/preserve
lrwxr-xr-x 1 bin bin 18 Aug 10 02:14 pub -> /usr/share/lib/pub
dr-xr-xr-x 8 bin bin 8192 Aug 10 03:27 sam
dr-xr-xr-x 7 bin bin 16384 Aug 14 11:39 sbin
dr-xr-xr-x 8 bin bin 8192 Aug 10 03:48 share
lrwxr-xr-x 1 bin bin 10 Aug 10 02:14 spool -> /var/spool
lrwxr-xr-x 1 root root 8 Aug 10 02:14 tmp -> /var/tmp
dr-xr-xr-x 8 bin bin 8192 Aug 10 03:50 tsm
dr-xr-xr-x 4 bin bin 96 Aug 10 02:56 vue


can anyone mail me the exact permissions for the files in /usr .

Thanks Aleem
OldSchool
Honored Contributor

Re: unable to logon to the server for all users

you might try reading what Dennis posted...you know...where he told you he had a script and gave you the link
Dennis Handly
Acclaimed Contributor

Re: unable to logon to the server for all users

>OldSchool: where he told you he had a script and gave you the link

Aleem may be asking for volunteers to run the first half of the script since he only has the one system?
Johnson Punniyalingam
Honored Contributor

Re: unable to logon to the server for all users

Hi Aleem,

>>>>can anyone mail me the exact permissions for the files in /usr <<<<

As requested have posted permissions for the files in /usr

# ll -d /usr
dr-xr-xr-x 23 bin bin 1024 Jun 24 2005 /usr
# cd /usr
# ll
total 82
lrwxr-xr-t 1 root sys 8 Jun 23 2005 adm -> /var/adm
dr-xr-xr-x 6 bin bin 10240 Nov 24 16:23 bin
dr-xr-xr-x 5 bin bin 96 Jun 23 2005 ccs
dr-xr-xr-x 24 bin bin 1024 Jun 24 2005 conf
dr-xr-xr-x 13 bin bin 1024 Mar 14 2007 contrib
dr-xr-xr-x 9 bin bin 1024 Jun 23 2005 dt
dr-xr-xr-x 4 bin bin 1024 Jun 23 2005 etc
dr-xr-xr-x 5 bin bin 96 Jun 23 2005 examples
dr-xr-xr-x 2 bin bin 96 Jun 23 2005 hpC2400
dr-xr-xr-x 18 bin bin 5120 Jul 18 2005 include
lr-xr-xr-t 1 root sys 14 Jun 23 2005 keysh -> /usr/lib/keysh
dr-xr-xr-x 10 bin bin 2048 Mar 14 2007 lbin
dr-xr-xr-x 34 bin bin 9216 Dec 19 12:03 lib
drwxrwxr-x 8 bin bin 1024 Feb 22 2007 local
drwxr-xr-x 2 root root 96 Jun 23 2005 lost+found
lrwxrwxrwt 1 root sys 9 Jun 23 2005 mail -> /var/mail
lr-xr-xr-t 1 root sys 14 Jun 23 2005 man -> /usr/share/man
lrwxrwxrwt 1 root sys 13 Jun 23 2005 netls -> /var/opt/ifor
dr-xr-xr-x 7 bin bin 1024 Jun 23 2005 newconfig
lrwxrwxrwt 1 root sys 9 Jun 23 2005 news -> /var/news
dr-xr-xr-x 4 bin bin 96 Jun 23 2005 obam
dr-xr-xr-x 6 bin bin 1024 Jun 23 2005 old
lrwxrwxrwt 1 root sys 13 Jun 23 2005 preserve -> /var/preserve
lr-xr-xr-t 1 root sys 18 Jun 23 2005 pub -> /usr/share/lib/pub
dr-xr-xr-x 6 bin bin 96 Jun 23 2005 sam
dr-xr-xr-x 8 bin bin 7168 Mar 14 2007 sbin
dr-xr-xr-x 7 bin bin 96 Jun 23 2005 share
lrwxr-xr-t 1 root sys 10 Jun 23 2005 spool -> /var/spool
lrwxrwxrwt 1 root sys 8 Jun 23 2005 tmp -> /var/tmp
dr-xr-xr-x 8 bin bin 1024 Jun 23 2005 tsm
dr-xr-xr-x 4 bin bin 96 Jun 23 2005 vue

Thx,
Johnson
Problems are common to all, but attitude makes the difference
aleemuddin
Occasional Advisor

Re: unable to logon to the server for all users

hi

Thanks guys i shall check all the permissions of /usr now .

there is one thing i have observed, i.e. when i log on to the server as the root user or any application user and try to change to another user from the same session it gives me "su: Unknown id: oravis". if anyone can share the solution for this it would be good.

thanks




Dennis Handly
Acclaimed Contributor

Re: unable to logon to the server for all users

>gives me "su: Unknown id: oravis".

What are the permissions of /usr/bin/su? As F Verschuren mentioned in the first reply, su probably lost its setuid bit.

>Johnson: As requested have posted permissions for the files in /usr

Actually Aleem needs the permissions of the whole directory tree.
aleemuddin
Occasional Advisor

Re: unable to logon to the server for all users

hi
these are the permissions of /usr/bin/su

-r-xr-xr-x 1 root bin 80104 Feb 16 2007 su


thanks

Aleem
Dennis Handly
Acclaimed Contributor

Re: unable to logon to the server for all users

>these are the permissions of /usr/bin/su
>-r-xr-xr-x 1 root bin 80104 Feb 16 2007 su

It must be setuid. Is the system working well enough for you to do:
swverify -F \*
aleemuddin
Occasional Advisor

Re: unable to logon to the server for all users

hi dennis

i am not a unix admin guy and i am not sure if i can run swif... and the impact on the server. i work as an oracle apps dba and have always worked with a unix admin alongside, and in my current project there is no unix admin and the comp is in the process of hiring one, so till then it's better that i wait.
if changing some permission for the /usr/bin/su would solve my issue i would do it else the server with oracle application is running absolutely fine.

thanks
Dennis Handly
Acclaimed Contributor

Re: unable to logon to the server for all users

>I am not sure if I can run swverify

That's why you try it, without the -F if you want.

>the impact on the server.

It will fix some of the bad permissions. That's its major purpose.

>if changing some permission for the /usr/bin/su would solve my issue I would do it

It will solve the current issue but not all future issues.

>the server with oracle application is running absolutely fine.

This is just an illusion. :-)
You need to get those permissions corrected, find out why that chmod -R was done and get an ignite backup.