...making Linux just a little more fun!

Talkback:issue52/okopnik.html

[ In reference to "/okopnik.html" in LG#issue52 ]

Ben Okopnik [ben at linuxgazette.net]


Thu, 2 Aug 2007 11:34:49 -0400

Hi, Garrett -

[ cc'd to The Answer Gang ]

On Tue, Jul 31, 2007 at 08:37:39PM -0700, [email protected] wrote:

> (Also sent to ben-fuzzybear@yahoo, but I wasn't sure that address remained valid.)
> 
> Mr. Okopnik,
> 
> An article of yours from the April 2000 Linux Gazette may have just
> saved me from hours of beating my head against my desk. Granted, I'd
> already spent about 12 hours beating my head against my desk, so
> further damage (if possible) has been averted.

Heh. I've left the imprint of my forehead on at least a few brick walls, so - yes, that sounds like a positive effect.

> See, I was doing some basic security changes on several hundred
> systems. My Expect powers are not yet strong enough to automate this
> task, but that's an aside. I've spent the last several days running
> find commands with various -exec, and as it turns out, I managed to
> annihilate a RHEL4 Selinux system with the following:
> 
> find / -user root -perm -o+w -exec chmod 0600 '{}' \;
> # I forgot "-type f" eek!

('-type f' wouldn't have helped much, I'm afraid. It would have stopped you from messing up, say, the entries in '/dev' - but that's about it.)

Ouch! You've "discovered" (and I use that in the most sympathetic way possible) the power of the 'find' command. It's very similar to a Milwaukee "Hole Hawg" drill: it will drill any hole you want it to - whether it's through concrete, steel, or your leg...

(See this love paean to a Super Hawg: http://www99.epinions.com/content_246549155460)

Unix tools are kinda like that. Huge amounts of power - and the safety is assumed to come from experience and forethought. Experience, however, is what you get when you didn't have enough experience and forethought!

> For hours afterwards, nothing would execute even when I restored
> execute permissions (on binaries only) from a Rescue CD. Your article
> pointed out the need for +x on some (if not all) shared libs, and that
> allowed me to rescue the machine.
> 
> Thank you. Thank you. I owe you one, two, or ten beers.

[smile] Thanks, Garrett. I probably shouldn't say this - it's likely to lose me a beer or two - but if I was in your place, I'd actually reinstall the system from scratch; at the very least, I'd run a comparison of everything in '{,/usr}{/bin,/sbin,/lib}/' against a "normal" system. Given that you now have an uncertain set of permissions, all sorts of security vulnerabilities and possible future problems seem likely. The fact that your system works now gives you some breathing room time-wise - but I wouldn't call it a closed case.

-- 
* Ben Okopnik * Editor-in-Chief, Linux Gazette * http://LinuxGazette.NET *
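An added example, not from this thread: the same sweep done defensively in POSIX sh, with a dry-run listing, an o-w fix that leaves execute bits on binaries and shared libraries alone, and the permission manifest that can be diffed against a known-good host as suggested above. Assumes GNU find and stat (as on RHEL); the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread). Defensive helpers around the
# incident above. Assumes GNU find/stat as shipped on RHEL.

# list_world_writable DIR [OWNER]
# Dry run: list regular files under DIR owned by OWNER (default root)
# that are world-writable. -type f skips directories and device nodes;
# nothing is modified, so the list can be reviewed before any change.
list_world_writable() {
    find "$1" -type f -user "${2:-root}" -perm -o+w -print
}

# fix_world_writable DIR [OWNER]
# Clear only the "other write" bit. Unlike 'chmod 0600', o-w keeps the
# execute bits that binaries and shared libraries need in order to load.
fix_world_writable() {
    find "$1" -type f -user "${2:-root}" -perm -o+w -exec chmod o-w '{}' +
}

# perm_manifest DIR...
# Emit "mode owner group path" for everything under the given trees,
# sorted by path. Run it on a known-good host and on the damaged one,
# then diff the two files to see exactly which permissions drifted.
perm_manifest() {
    find "$@" -exec stat -c '%a %U %G %n' '{}' + | sort -k 4
}

# perm_diff GOOD_MANIFEST DIR...
# Compare the live trees against a saved manifest; prints only the
# entries that changed and returns diff's status (0 when nothing differs).
perm_diff() {
    good=$1; shift
    perm_manifest "$@" | diff "$good" -
}

# Usage on a damaged host, as root:
#   list_world_writable /                       # review the list first
#   fix_world_writable /                        # then fix, preserving +x
#   perm_manifest /bin /sbin /lib /usr/bin /usr/sbin /usr/lib > damaged.txt
#   diff good.txt damaged.txt                   # good.txt from a healthy host
```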



Ben Okopnik [ben at linuxgazette.net]


Mon, 6 Aug 2007 18:57:07 -0400

On Sat, Aug 04, 2007 at 07:10:26PM -0700, [email protected] wrote:

> 
> ---- Ben Okopnik <[email protected]> wrote: 
> > 
> > [smile] Thanks, Garrett. I probably shouldn't say this - it's likely to
> > lose me a beer or two - but if I was in your place, I'd actually
> > reinstall the system from scratch; at the very least, I'd run a
> > comparison of everything in '{,/usr}{/bin,/sbin,/lib}/' against a
> > "normal" system. Given that you now have an uncertain set of
> > permissions, all sorts of security vulnerabilities and possible future
> > problems seem likely. The fact that your system works now gives you some
> > breathing room time-wise - but I wouldn't call it a closed case.
> 
> You'll probably be very amused by this, then. Before seeing your
> reply, I arrived at the same conclusion. I managed to get the box
> booting again, and all necessary services were starting. Since the box
> needs to go into production, however, I suggested that the build team
> perform a restore on the host. They did this, but they unfortunately
> chose to restore over /lib while the machine was running, thus
> reducing libc to a 1 byte file and "paperweighting" the host once
> again. It has since been rebuilt from scratch. Oh the joys of this
> work, but I do enjoy learning new things.

Well... that's where experience comes from, ultimately. :) I've had a large number of episodes of this kind in the past - which is why I know enough to talk about them now. Welcome to the club.

> Cheers, and no beers were lost by your suggestion. ;)

These days, I seem to be doing a tour of the East Coast - Atlanta last week, Boston this week (hell of a drive, that was!), and New York in two weeks, with a break at home (northern Florida) in between. If you're anywhere along that route, I'll be happy to share some beers with you - I'll even buy a round or two myself. :)

-- 
* Ben Okopnik * Editor-in-Chief, Linux Gazette * http://LinuxGazette.NET *
