Weird .sh_history behaviour

Gurus,
my employer is not in favor of using sudo (don't even ask). Currently, I added the following to root's .profile:
HISTFILE=${HOME}/.sh_history_`who am i|awk '{ print $1}'`
date >>$HISTFILE
export HISTFILE
HISTSIZE=50000
export HISTSIZE
In essence, when a user su's to root, it creates a .sh_history_userid file, where I can track what they typed while su'd to root.

I have one user, which sometimes creates the following .sh_history files:
ls -b .sh*
.sh_history_amueller
.sh_history_lreamy
.sh_history_mswirzin\012mswirzin
.sh_history_jrejent\012mswirzin

When doing an ll .sh*:
-rw------- 1 root sys 14198 Mar 19 00:00 .sh_history_cain
-rw------- 1 root sys 5846 Mar 19 00:00 .sh_history_jrejent
-rw------- 1 root sys 16 Feb 19 14:23 .sh_history_jrejent
mswirzin

The only way I can remove these files is by doing an rm -i .sh* and then answering y/n to the ones I want to remove / keep.
I checked mswirzin's .profile, root's .profile, etc. This will happen on multiple servers, and only to user mswirzin, his \012mswirzin extension will usually be added to his .sh_history file and another's (jrejent).
Our make_tape_recovery will fail, when these files exist (flist complains). We can not reproduce how this occurs. Anyone got any ideas?
Thanks, Andy
David Burgess
Esteemed Contributor

Re: Weird .sh_history behaviour

Not entirely sure, but according to the man page, who looks at utmp. So maybe have them log out, clear that down and have them log in again.

From the man page for who

The who command can list the user's name, terminal line, login time,
elapsed time since input activity occurred on the line, the user's
host name, and the process-ID of the command interpreter (shell) for
each current system user. It examines the /etc/utmp file to obtain
its information. If file is given, that file is examined. Usually,
file is /var/adm/wtmp, which contains a history of all of the logins
since the file was last created.

Regards,

Dave.
RAC_1
Honored Contributor

Re: Weird .sh_history behaviour

su to mswirzin and do who am i|awk '{ print $1}'. What you get is what is going in HISTFILE=${HOME}/.sh_history_`who am i|awk '{ print $1}'`

Need to modify your code. Just use whoami.

Anil
There is no substitute to HARDWORK
Mark Grant
Honored Contributor

Re: Weird .sh_history behaviour

Absolutely, your "who am i" is what is causing you the headache.

Personally, I'd use "id -u" instead. OK, it only gives you a user id but at least that is far more difficult to break.
Never precede any demonstration with anything more predictive than "watch this"
Steve Steel
Honored Contributor
Solution

Re: Weird .sh_history behaviour

Hi

Check /etc/passwd

grep swirzin /etc/passwd|od -c|cut -f1 -d":"

Check for a correct loginname

It takes the first 8 so a linefeed and more after will be the problem


Example
grep andref /etc/passwd|od -c|cut -f1 -d":"
0000000 a n d r e f


Steve Steel
If you want truly to understand something, try to change it. (Kurt Lewin)

Re: Weird .sh_history behaviour

I think Steve may have found the problem,

[casey:/home/root] grep swirzin /etc/passwd|od -c|cut -f1 -d":"
0000000 m s w i r z i n
0000020 0
0000040 r z i n
0000060 \n
0000061

There seems to be a line feed (\n).
Now, how do I fix that?
There also is a problem when I issue (as me) the who am i, it will show my userid and mswirzin.
RAC_1
Honored Contributor

Re: Weird .sh_history behaviour

Backup /etc/passwd.

vipw. Delete the user and add it again. Before you do that keep all information required with you.

Anil
There is no substitute to HARDWORK
Bill Hassell
Honored Contributor

Re: Weird .sh_history behaviour

who (and whoami and who am i) were really designed for interactive usage and are affected by utmp. Change who to $(id -un) as in:

export HISTFILE=${HOME}/.sh_history_$(id -un)

Also use pwck to see if the passwd file has errors.


Bill Hassell, sysadmin
John Kittel
Trusted Contributor

Re: Weird .sh_history behaviour

I'm doing the following. If anyone has comments on my method I am interested in hearing them.

Method: When someone su-s to root, the new (root) shell has the variable PPID, the pid of the process that started the new shell as root. Use ps command to get info on the parent process, cut the first 8 characters (username), remove any leading spaces or tabs. Use result as suffix for history file. Like this:

Suname=`ps -fp$PPID |grep $PPID |cut -c 1-8 |sed 's/^[ ]*//'`

export HISTFILE=.sh_$Suname

- John Kittel
Bill Hassell
Honored Contributor

Re: Weird .sh_history behaviour

ps will do all the work for you:

Suname=$(UNIX95= ps -p$PPID -o ruser | tail -1)

One of the most common errors in using ps is to grep something. If your PPID is 123 then you will get a match for 123 1234 21234 and even userID=user123. ps (with the XPG4 option) is an amazingly versatile command. ps and grep don't mix well because grep doesn't understand fields.


Bill Hassell, sysadmin
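
Added example (not part of any post in this thread): a POSIX shell illustration of the two points raised above, checking a name before it becomes part of HISTFILE so a stray linefeed cannot end up in a file name, and matching a PID as a whole field instead of with grep. The function names, the `unknown` fallback, the allowed character set, the 8-character limit and the ps listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example; constructed sample data and hypothetical function names.

# Constructed `ps -ef`-style listing: the string 123 appears in a user
# name, as a PID, as a PPID and inside two longer PIDs.
PS_SAMPLE='     UID   PID  PPID  C    STIME TTY       TIME COMMAND
 user123  4567  4001  0 09:10:01 pts/1     0:00 -sh
   alice   123  4002  0 09:11:15 pts/2     0:00 -sh
    root  1234   123  0 09:12:40 pts/2     0:00 su
     bob 21234     1  0 09:13:02 ?         0:00 /usr/sbin/daemon'

# Read ps-style text on stdin and print the owner of exactly one PID.
# The PID column is compared as a field, so 123 never matches 1234.
owner_of_pid() {
    awk -v pid="$1" '$2 == pid { print $1; exit }'
}

# Accept a candidate login name only if it is 1-8 characters drawn from
# A-Z a-z 0-9 _ - (assumed policy). A linefeed, space, slash or dot
# anywhere in the value rejects it. Prints the name on success.
safe_suffix() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 8 ] || return 1
    printf '%s\n' "$1"
}

# Build the history file path: $1 is the directory, $2 the candidate
# name. A name that fails validation is replaced by a fixed suffix, so
# the resulting file name can always be listed, backed up and removed.
hist_path() {
    suffix=$(safe_suffix "$2") || suffix=unknown
    printf '%s/.sh_history_%s\n' "$1" "$suffix"
}

# Demonstration on the constructed data.
printf 'grep 123 matches %s lines\n' \
    "$(printf '%s\n' "$PS_SAMPLE" | grep -c 123)"
printf 'field match for PID 123: %s\n' \
    "$(printf '%s\n' "$PS_SAMPLE" | owner_of_pid 123)"
hist_path /home/root mswirzin
hist_path /home/root "$(printf 'jrejent\nmswirzin')"
```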
John Kittel
Trusted Contributor

Re: Weird .sh_history behaviour

Thanks Bill. I always learn a great deal from your responses.

- John