Resetting File Permissions


Contents

About this document
Manually setting permissions
Automatically setting permissions
Automatically setting permissions using sysck.cfg

About this document

This document describes several possible mechanisms for restoring incorrect file permissions: setting them manually from a tape listing or a similar system, generating a reset script from a mksysb or install tape, or applying the file descriptions in /etc/security/sysck.cfg.

The sections on the manual methods and the sysck.cfg method apply to all AIX 3.x Versions but have not been verified for AIX Versions 4.1 or later. The section on automatically setting permissions from a mksysb tape will not work with AIX Versions 4.1 or later because a version 4.1 mksysb uses Backup & Restore and the table of contents does not show permissions and owners.

NOTES:

  1. If you use access control lists (ACLs), using the chmod numerical parameters will erase the ACLs.

  2. Before using the methods in this document, you may wish to save a record of your current permissions by redirecting the output of the following to a file:
       ls -lR / 
    

Manually setting permissions

Examining a mksysb image or install tape

If you have a recent mksysb, you can examine the permissions of the backed up files by skipping to the file storage portion of the tape and performing a tape listing. Assuming the archive device is /dev/rmt0, the following commands will produce a listing of all files on the tape. For AIX Versions 4.2 and earlier, refer to InfoExplorer for documentation on the chown, chmod, tar, and tctl commands.

   tctl -f /dev/rmt0.1 fsf 3 
   tar -tvf /dev/rmt0 > /tmp/mksysb.listing 

The file /tmp/mksysb.listing will contain the tar listing of every file on the tape. You can use the grep command to locate the line in which you are interested and then use the chown and chmod commands to set the file ownership and permissions.

Examining another system

If you have a similar system, you can examine the permissions of the file in question on the other system. Differences in file ownership or permissions can then be corrected with the chown and chmod commands.


Automatically setting permissions

Setting permissions with a mksysb or install tape

Situation: All the permissions or ownerships on my files (or the whole system) are changed! How do I reset all permissions and ownership?

Redress: This solution depends upon having a mksysb tape. If you have a system backup that was not made by mksysb (using tar format), you will have to make modifications to the script.

NOTE: When you are using an install tape, only the bos portion is in tar format and can be used by this process.

Procedure

  1. In the following script, replace rmtx with the name for your tape drive, such as rmt0.
  2. Insert the mksysb tape and run the following script, which will create another script called reset.perms.out.
  3. Carefully examine reset.perms.out and modify it if needed before running it on your system.
  4. Run reset.perms.out to change all ownership, group, and permissions to what they were at the time of the last mksysb backup.

The script

NOTES:
  1. Page headers and footers may appear in the following code. They should be removed before the code is used. Also, revision bars (vertical bars in the left margin which mark changes in the document) may appear to the left of the code and should be removed before the code is used.
  2. Be sure that the string #!/bin/ksh starts in the first column on the first line of the file containing the code.

Here is the script:

#!/bin/ksh 
# Build /tmp/reset.perms.out from the table of contents of the mksysb tape. 
cd /tmp 
rm reset.perms.out 2>/dev/null 
tctl -f /dev/rmtx rewind 
tctl -f /dev/rmtx.1 fsf 3 
tar -tvf /dev/rmtx | 
awk '{ 
        # A tar -tv entry has nine fields: mode uid gid size month day time year name. 
        if ( NF == 9 ) 
        { 
                printf ("chown %s.%s %s\n",$2,$3,$9) 
                # Build the octal mode from the mode string in field 1. 
                # Upper-case S or T means the special bit is set without execute; 
                # lower-case s or t means the special bit and execute are both set. 
                perms=0 
                if(substr($1,2,1) == "r") 
                        perms = perms + 400 
                if(substr($1,3,1) == "w") 
                        perms = perms + 200 
                if(substr($1,4,1) == "x") 
                        perms = perms + 100 
                if(substr($1,4,1) == "S") 
                        perms = perms + 4000 
                if(substr($1,4,1) == "s") 
                        perms = perms + 4100 
                if(substr($1,5,1) == "r") 
                        perms = perms + 40 
                if(substr($1,6,1) == "w") 
                        perms = perms + 20 
                if(substr($1,7,1) == "x") 
                        perms = perms + 10 
                if(substr($1,7,1) == "S") 
                        perms = perms + 2000 
                if(substr($1,7,1) == "s") 
                        perms = perms + 2010 
                if(substr($1,8,1) == "r") 
                        perms = perms + 4 
                if(substr($1,9,1) == "w") 
                        perms = perms + 2 
                if(substr($1,10,1) == "x") 
                        perms = perms + 1 
                if(substr($1,10,1) == "T") 
                        perms = perms + 1000 
                if(substr($1,10,1) == "t") 
                        perms = perms + 1001 
                printf("chmod %d %s     # %s\n",perms,$9,$1) 
        } 
}' >reset.perms.out 
chmod 755 reset.perms.out 
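
The awk program above does the mode-string arithmetic inside the tape pipeline, which makes it awkward to check before it is run against a live tape. The following is an added example, not part of the IBM document, that performs the same conversion as POSIX sh functions: mode_to_octal turns one ls or tar mode field into a four-digit octal mode, and listing_to_commands turns a listing into the chown and chmod lines reset.perms.out would contain. The sample listing is constructed in the nine-field layout the awk script expects (the paths, sizes and ids are not from any real tape), and the chown form uid:gid is the POSIX spelling of the uid.gid form used above.

```shell
#!/bin/sh
# Added example (not from the IBM document): the mode-string-to-octal
# conversion done by the awk script, as POSIX sh functions that can be
# checked on a sample listing before anything is applied.

# mode_to_octal MODESTRING: convert the 10-character mode field of an
# ls -l or tar -tv line (e.g. -rwsr-xr-x) into a four-digit octal mode
# (e.g. 4755). Lower-case s/t mean the execute bit is set as well;
# upper-case S/T mean the special bit is set without execute.
mode_to_octal() {
    rest=${1#?}              # drop the file-type character (-, d, l, ...)
    special=0
    digits=""
    for weight in 4 2 1; do  # setuid, setgid, sticky weight, one per triad
        triad=${rest%"${rest#???}"}   # first three characters of $rest
        rest=${rest#???}
        v=0
        case $triad in r??) v=$((v + 4)) ;; esac
        case $triad in ?w?) v=$((v + 2)) ;; esac
        case $triad in
            ??x)     v=$((v + 1)) ;;
            ??s|??t) v=$((v + 1)); special=$((special + weight)) ;;
            ??S|??T) special=$((special + weight)) ;;
        esac
        digits="$digits$v"
    done
    printf '%d%s\n' "$special" "$digits"
}

# Constructed sample in the nine-field layout the awk script expects
# (mode uid gid size month day time year name); not a real tape listing.
SAMPLE_LISTING='-rwsr-xr-x 0 0 35168 Feb 11 12:00 2000 ./usr/bin/passwd
drwxr-xr-x 0 0 0 Feb 11 12:00 2000 ./etc
-rw-r--r-- 2 2 512 Feb 11 12:00 2000 ./etc/motd
-rwxr-sr-x 0 7 4096 Feb 11 12:00 2000 ./usr/bin/example'

# listing_to_commands: read listing lines on stdin and print the chown and
# chmod commands that would restore each entry. Lines with fewer than nine
# fields (headers, blank lines) are skipped, as the awk NF == 9 test does.
listing_to_commands() {
    while read -r mode uid gid size mon day tm year name; do
        [ -n "$year" ] && [ -n "$name" ] || continue
        printf 'chown %s:%s %s\n' "$uid" "$gid" "$name"
        printf 'chmod %s %s     # %s\n' "$(mode_to_octal "$mode")" "$name" "$mode"
    done
}

# Stand-alone run: show the commands for the sample listing.
printf '%s\n' "$SAMPLE_LISTING" | listing_to_commands
```

Because the listing is read from standard input, a saved listing can be fed in with listing_to_commands < /tmp/mksysb.listing and the output reviewed before any line is executed; when the tar entries carry a leading ./, the generated commands only make sense when run from /.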

Automatically setting permissions using sysck.cfg

Using the sysck or tcbck command

The sysck command was renamed to tcbck in AIX 3.2 but is referred to as sysck in this document for historical consistency.

The sysck command was designed to strictly enforce file ownership and permissions according to file descriptions in /etc/security/sysck.cfg. When file contents are found to disagree with file size and checksum information, sysck revokes access to the file by removing all permission attributes. For this reason, sysck may be unsuited for many environments.

WARNING: sysck can render a system unusable. If the -y option is used, the system administrator should verify that the sysck.cfg file has the correct information. If the checksum and size for any file are not correct in the sysck.cfg, that file will be made inaccessible.

To update a single file using sysck, enter the command

   sysck -t [file] 

file is the name of the file being changed. If you receive any messages indicating that the file size or checksum is incorrect, you must answer the prompt no to indicate that you do not wish the changes for that value made.

If you wish for every file listed in sysck.cfg to be checked, replace file with the keyword ALL.

fileck script

WARNING: This script automatically applies the values in /etc/security/sysck.cfg without concern for the actual file contents (it does not check checksum and size). The checksum and size information in sysck.cfg exists to prevent Trojan horses and other security violations from occurring. Using this script may prevent your system from detecting certain types of security-related problems.

The following script should be copied to a local directory and named fileck.

This script implements many of the rules used by sysck but does not perform file size or checksum tests. Since these two tests in sysck can result in the disabling of a file system object, the potential for damage using fileck is much less than that of sysck. However, fileck may prevent the system from detecting certain security-related problems.

Like sysck, fileck operates in single file or ALL mode. The syntax is

   fileck { ALL | [files] } 

files must be specified with the full path as found in /etc/security/sysck.cfg.

When called with one or more file names on the command line, fileck examines the sysck.cfg to determine the correct owner, group, permissions, hard links, and symbolic links. In ALL mode, fileck checks all files listed in sysck.cfg. fileck returns a message for each file that is processed and reports the names of any files specified on the command line that could not be found in sysck.cfg.

NOTES:

  1. Page headers and footers may appear in the following code. They should be removed before the code is used. Also, revision bars (vertical bars in the left margin which mark changes in the document) may appear to the left of the code and should be removed before the code is used.
  2. Be sure that the string #!/bin/ksh starts in the first column on the first line of the file containing the code.
  3. You must be logged in as the root user to run this command.

Here is the fileck script:

#!/bin/ksh 
# 
#   fileck -- perform sysck-like processing without the grief 
# 
fixmode() 
{ 
   file=${1} 
   modes=$(echo ${2} | tr ',' ' ') 
   # Defaults: TCB flag off and every special bit cleared unless the 
   # mode attribute names TCB, SUID, SGID or SVTX. 
   TCB=N 
   SUID=u-s 
   SGID=g-s 
   SVTX=-t 
   PERM= 
   for mode in ${modes} ; do 
      case ${mode} in 
         TCB) TCB=Y ;; 
         [0-9]*) PERM=${mode} ;;             # octal mode, e.g. 555 
         [-r]*)  u=${mode%%??????}           # symbolic mode, e.g. rwxr-xr-x 
                 r=${mode##???} 
                 g=${r%%???} 
                 o=${r##???} 
                 PERM=$(echo u=${u},g=${g},o=${o} | tr -d '-') 
                 ;; 
         SUID)   SUID=u+s ;; 
         SGID)   SGID=g+s ;; 
         SVTX)   SVTX=+t ;; 
      esac 
   done 
   # An octal mode and symbolic clauses cannot share one chmod argument, so 
   # apply the base permissions first and the special bits in a second call. 
   if [ -n "${PERM}" ]; then 
      chmod ${PERM} ${file} 
   fi 
   chmod ${SUID},${SGID},${SVTX} ${file} 
   if [ ${TCB} = Y ]; then 
      chtcb on ${file} 
   else 
      chtcb off ${file} 
   fi 
} 
fixsymlinks() 
{ 
   file=${1} 
   links=$(echo ${2} | tr ',' ' ') 
   for link in ${links} ; do 
      if [ -L ${link} ]; then 
         rm -f ${link} 
         ln -s ${file} ${link} 
      fi 
   done 
} 
fixlinks() 
{ 
   file=${1} 
   links=$(echo ${2} | tr ',' ' ') 
   ls -i ${file} | read inum_a junk 
   for link in ${links} ; do 
      if [ -f ${link} ]; then 
         ls -i ${link} | read inum_b junk 
      else 
         inum_b=0 
      fi 
      if [ ${inum_a} != ${inum_b} ]; then 
         ln -f ${file} ${link} 
      fi 
   done 
} 
fixall() 
{ 
   scratch=/tmp/fixall$$ 
   file=${1} 
   # grep -p (AIX) extracts the whole blank-line-separated stanza for the file 
   grep -p "^${file}:" /etc/security/sysck.cfg > ${scratch} 
   if [ ! -s ${scratch} ]; then 
      echo "no matches for ${file}" 1>&2 
      /usr/bin/rm -f ${scratch} 
      return 
   fi 
   echo "checking ${file}" 
   # attribute lines look like "owner = root"; the value is the third word 
   while read attr junk value ; do 
      case ${attr} in 
         owner)          chown ${value} ${file} ;; 
         group)          chgrp ${value} ${file} ;; 
         links)       fixlinks ${file}  ${value} ;; 
         symlinks) fixsymlinks ${file}  ${value} ;; 
         mode)         fixmode ${file}  ${value} ;; 
      esac 
   done < ${scratch} 
   /usr/bin/rm -f ${scratch} 
} 
if [ $# = 0 ] ; then 
   echo "usage: fileck { ALL | file ... }" 
   exit 1 
elif [ "${1}" = "ALL" ]; then 
   list=/tmp/fileck$$ 
   grep '^/.*:$' /etc/security/sysck.cfg | sed -e 's/://' > ${list} 
   while read FILE ; do 
      fixall ${FILE} 
   done < ${list} 
   /usr/bin/rm -f ${list} 
else 
   for FILE in $* ; do 
      fixall ${FILE} 
   done 
fi 
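
fileck applies the stanza values to the file system as it reads them. As an added example, not part of the IBM document or of fileck itself, the following POSIX sh script parses the same stanza layout from an inline, constructed sysck.cfg fragment and only prints the chown, chgrp, chmod and chtcb commands fileck would run, so the planned changes can be reviewed before anything is applied. The stanza contents (the two paths, the owner and group names, the mode TCB,SUID,555) are sample data rather than entries from a real system, and the stanza is located with awk instead of AIX's grep -p so the script also runs on non-AIX shells.

```shell
#!/bin/sh
# Added example, not part of the IBM document or of the fileck script:
# a dry-run planner that reads sysck.cfg-style stanzas and prints the
# commands fileck would run, without executing any of them.

# Constructed sample in the stanza layout fileck expects (not a real sysck.cfg).
SAMPLE_SYSCK_CFG='/usr/bin/passwd:
        owner = root
        group = security
        mode = TCB,SUID,555
        type = FILE

/etc/motd:
        owner = root
        group = system
        mode = rw-r--r--
        type = FILE
'

# stanza_attr CFG_TEXT PATH ATTR: print the value of ATTR in the stanza
# headed "PATH:", or nothing if the stanza or the attribute is absent.
# A stanza runs from its header to the next header (a lone word ending in ':').
stanza_attr() {
    printf '%s\n' "$1" | awk -v name="$2:" -v attr="$3" '
        NF == 1 && $1 == name             { inside = 1; next }
        inside && NF == 1 && $1 ~ /:$/    { inside = 0 }
        inside && $1 == attr && $2 == "=" { print $3; exit }
    '
}

# symbolic_to_clause rwxr-xr-x -> u=rwx,g=rx,o=rx (the same split fileck uses)
symbolic_to_clause() {
    m=$1
    u=${m%??????}            # first triad
    rest=${m#???}
    g=${rest%???}            # second triad
    o=${rest#???}            # third triad
    printf 'u=%s,g=%s,o=%s\n' "$u" "$g" "$o" | tr -d '-'
}

# plan_from_sysck CFG_TEXT PATH: print the commands that would bring PATH
# in line with its stanza. Returns 1 when PATH has no stanza.
plan_from_sysck() {
    cfg=$1
    file=$2
    owner=$(stanza_attr "$cfg" "$file" owner)
    group=$(stanza_attr "$cfg" "$file" group)
    mode=$(stanza_attr "$cfg" "$file" mode)
    if [ -z "$owner$group$mode" ]; then
        echo "no stanza for $file" >&2
        return 1
    fi
    if [ -n "$owner" ]; then printf 'chown %s %s\n' "$owner" "$file"; fi
    if [ -n "$group" ]; then printf 'chgrp %s %s\n' "$group" "$file"; fi
    if [ -n "$mode" ]; then
        # Defaults: every special bit cleared and the TCB flag off unless the
        # mode attribute names it, exactly as fileck's fixmode does.
        perm=""; suid=u-s; sgid=g-s; svtx=-t; tcb=off
        for m in $(printf '%s' "$mode" | tr ',' ' '); do
            case $m in
                TCB)    tcb=on ;;
                SUID)   suid=u+s ;;
                SGID)   sgid=g+s ;;
                SVTX)   svtx=+t ;;
                [0-7]*) perm=$m ;;
                [-r]*)  perm=$(symbolic_to_clause "$m") ;;
            esac
        done
        if [ -n "$perm" ]; then
            # base permissions and special bits are separate chmod calls, since
            # an octal mode and symbolic clauses cannot share one argument
            printf 'chmod %s %s\n' "$perm" "$file"
            printf 'chmod %s,%s,%s %s\n' "$suid" "$sgid" "$svtx" "$file"
        fi
        printf 'chtcb %s %s\n' "$tcb" "$file"
    fi
}

# Stand-alone run: show the plan for each stanza in the sample.
for f in /usr/bin/passwd /etc/motd; do
    plan_from_sysck "$SAMPLE_SYSCK_CFG" "$f"
done
```

To plan against a real configuration, pass the file contents instead of the sample, for example plan_from_sysck "$(cat /etc/security/sysck.cfg)" /usr/bin/passwd; nothing is changed until the printed lines are executed deliberately.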

[ Doc Ref: 90605219314822     Publish Date: Feb. 11, 2000     4FAX Ref: 4253 ]