So, a friend of mine at a US .edu site drops me a line via IM: some clueless admin just did chmod -R 700 /etc in the name of ‘hardening’ it. Apparently the fact that anyone could read /etc/passwd upset him, and he thought that mode 700 on /etc was a good idea. This promptly broke the box, as quite a few things rely on being able to read /etc (the resolver, NSS, PAM, every service's config), and after all, /etc/passwd doesn’t actually hold password hashes any more on a modern Linux system; they live in /etc/shadow, which is already unreadable to ordinary users.

A quick bit of thought, and checking of my similar CentOS 4 box, and I was able to supply him with the basic commands to at least fix /etc itself, passwd, shadow and the whole init scripts area. This still left the fixing of the rest of /etc, and the first method I came up with was to execute ls -lR | awk '{ printf("%s %s\n", $1, $9); }' on a good box and on the bad box, and feed the two outputs to diff. This involves lots of human work though (ls -lR only prints the basename, so matching the differing lines back to full paths is manual), and that’s bad.

Punted it to a workmate, who suggested find -ls, which works, but prints out the file mode symbolically (-rw-r--r--), not in octal (and to be fair, the initial ls was like that too), so it can't be fed straight back to chmod. This prompted me to delve into the man page for the GNU variant of find, whose -printf has %m for the octal mode, and resulted in

# Skip symlinks: find reports them as 777, and chmod on a link changes the target.
# Read the two fields directly rather than word-splitting on whitespace.
find /etc ! -type l -printf "%m,%h/%f\n" | while IFS=, read -r P F ; do
  echo "chmod $P \"$F\"";
done

That could be run on the good box, piped to a file and copied to the bad box to recover the full set of permissions on /etc. It only restores mode bits, which is all chmod -R touched (ownership was never changed), and it assumes the two boxes carry the same packages: anything present only on the bad box stays at 700 and has to be handled by hand.
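The same idea as a reusable pair of functions, written as an added example rather than the post's one-liner: one function records the mode of every entry under a tree relative to its root (so the manifest applies to the same tree on another machine), the other replays it, skipping symlinks and entries missing on the target instead of aborting halfway. It needs GNU find and coreutils; every path and file name in demo() is made up for the demonstration.

```shell
#!/bin/sh
# Added example, not the original post's script: snapshot the permission
# bits of every entry under a tree on a known-good box and replay them on
# a box where someone ran "chmod -R 700" over the same tree.
# Needs GNU find (-printf) and GNU coreutils. All names in demo() are
# made up for the demonstration.

# Emit "mode path" lines relative to the tree root, so the same manifest
# can be applied to the same tree on a different machine.
# Symlinks are excluded: find reports them as 777 and chmod on a link
# would change the link's target instead.
make_manifest() {
    ( cd "$1" && find . ! -type l -printf '%m %p\n' | LC_ALL=C sort -k2 )
}

# Apply manifest file $1 under tree root $2. Entries that are missing on
# the target or have become symlinks are reported and skipped instead of
# aborting the whole run. Prints the number of entries whose mode was set.
# Paths containing newlines are not supported (that would need -print0).
apply_manifest() {
    manifest=$1 root=$2 applied=0
    while IFS=' ' read -r mode path; do
        [ -n "$mode" ] || continue
        target="$root/$path"
        if [ -L "$target" ]; then
            echo "skipping symlink: $path" >&2
        elif [ ! -e "$target" ]; then
            echo "missing on target: $path" >&2
        else
            chmod "$mode" "$target"
            applied=$((applied + 1))
        fi
    done < "$manifest"
    echo "$applied"
}

# Count manifest lines on which two trees disagree (0 means identical).
mode_mismatches() {
    make_manifest "$1" > "$1.modes"
    make_manifest "$2" > "$2.modes"
    diff "$1.modes" "$2.modes" | grep -c '^[<>]' || true
}

# Demo: build a good tree, clone it, wreck the clone the way the admin did,
# then repair the clone from the good tree's manifest.
# Prints "<entries applied> <mismatches after repair>"; expect "9 0".
demo() {
    work=$(mktemp -d)
    good="$work/good" bad="$work/bad"
    mkdir -p "$good/init.d" "$good/ssh" "$good/cron d"
    chmod 755 "$good" "$good/init.d" "$good/cron d"
    chmod 700 "$good/ssh"
    echo x > "$good/passwd";       chmod 644 "$good/passwd"
    echo x > "$good/shadow";       chmod 600 "$good/shadow"
    echo x > "$good/init.d/sshd";  chmod 755 "$good/init.d/sshd"
    echo x > "$good/cron d/job";   chmod 700 "$good/cron d/job"
    echo x > "$good/ssh/helper";   chmod 4755 "$good/ssh/helper"
    ln -s passwd "$good/passwd.link"   # excluded from the manifest

    cp -a "$good" "$bad"
    chmod -R 700 "$bad"                # the "hardening"
    make_manifest "$good" > "$work/etc.modes"
    echo '644 ./does-not-exist' >> "$work/etc.modes"   # exercise the missing-file branch
    applied=$(apply_manifest "$work/etc.modes" "$bad")
    echo "$applied $(mode_mismatches "$good" "$bad")"
    rm -rf "$work"
}
```

In real use you would run make_manifest /etc > etc.modes on the good box, copy the file over, and run apply_manifest etc.modes /etc as root on the bad box; the stderr lines tell you which entries exist only on one side and still need a look by hand. The setuid entry in the demo is there because %m carries the 4/2/1 high bits, so setuid helpers and setgid directories come back intact too.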

That clueless admin? He’s had his privileges revoked, and will probably get a right chewing out.