Command to dump/restore user info OSR5 - SCO


  1. Command to dump/restore user info OSR5

    I am suffering from a bad case of CRS today, and don't remember
    the command on OpenServer that dumps all the user and group
    information from the tcb database. I seem to remember that it
    requires a -g option to get the proper group information, and -4
    to restore from a dump file, but don't remember the command name.

    Any help?

    Bill
    --
    INTERNET: bill@celestial.com Bill Campbell; Celestial Software LLC
    URL: http://www.celestial.com/ PO Box 820; 6641 E. Mercer Way
    FAX: (206) 232-9186 Mercer Island, WA 98040-0820; (206) 236-1676

    The trouble with fighting for human freedom is that one spends most of
    one's time defending scoundrels. For it is against scoundrels that
    oppressive laws are first aimed, and oppression must be stopped at the
    beginning if it is to be stopped at all. -- H. L. Mencken

  2. Re: Command to dump/restore user info OSR5

    On Sat, 22 Mar 2008, Bill Campbell wrote:
    > I am suffering from a bad case of CRS today, and don't remember
    > the command on OpenServer that dumps all the user and group
    > information from the tcb database. I seem to remember that it
    > requires a -g option to get the proper group information, and -4
    > to restore from a dump file, but don't remember the command name.
    >
    > Any help?


    ap

    --
    Boyd Gerber
    ZENEZ 1042 East Fort Union #135, Midvale Utah 84047

  3. Re: Command to dump/restore user info OSR5

    Bill Campbell wrote:
    > I am suffering from a bad case of CRS today, and don't remember
    > the command on OpenServer that dumps all the user and group
    > information from the tcb database. I seem to remember that it
    > requires a -g option to get the proper group information, and -4
    > to restore from a dump file, but don't remember the command name.
    >
    > Any help?


    "pa"?

  4. Re: Command to dump/restore user info OSR5

    Bill Campbell wrote:
    > I am suffering from a bad case of CRS today, and don't remember
    > the command on OpenServer that dumps all the user and group
    > information from the tcb database. I seem to remember that it
    > requires a -g option to get the proper group information, and -4
    > to restore from a dump file, but don't remember the command name.
    >
    > Any help?


    "pa"?

  5. Re: Command to dump/restore user info OSR5

    On Sat, Mar 22, 2008, Boyd Lynn Gerber wrote:
    >On Sat, 22 Mar 2008, Bill Campbell wrote:
    >> I am suffering from a bad case of CRS today, and don't remember
    >> the command on OpenServer that dumps all the user and group
    >> information from the tcb database. I seem to remember that it
    >> requires a -g option to get the proper group information, and -4
    >> to restore from a dump file, but don't remember the command name.
    >>
    >> Any help?

    >
    >ap


    /tcb/bin/ap -- thanks.

    Bill
    --
    INTERNET: bill@celestial.com Bill Campbell; Celestial Software LLC
    URL: http://www.celestial.com/ PO Box 820; 6641 E. Mercer Way
    FAX: (206) 232-9186 Mercer Island, WA 98040-0820; (206) 236-1676

    What's this script do?
    unzip ; touch ; finger ; mount ; gasp ; yes ; umount ; sleep
    Hint for the answer: not everything is computer-oriented. Sometimes you're
    in a sleeping bag, camping out.
    (Contributed by Frans van der Zande.)

  6. Re: Command to dump/restore user info OSR5

    Boyd Lynn Gerber typed (on Sat, Mar 22, 2008 at 05:08:59PM -0600):
    | On Sat, 22 Mar 2008, Bill Campbell wrote:
    | > I am suffering from a bad case of CRS today, and don't remember
    | > the command on OpenServer that dumps all the user and group
    | > information from the tcb database. I seem to remember that it
    | > requires a -g option to get the proper group information, and -4
    | > to restore from a dump file, but don't remember the command name.
    | >
    | > Any help?
    |
    | ap
    |
    | --
    | Boyd Gerber
    | ZENEZ 1042 East Fort Union #135, Midvale Utah 84047

    Boyd,

    Can 'ap' be used to determine if one's password has been changed?
    especially root's password? .... other than grepping '/etc/shadow'
    for a user and checking for a change?

    TIA,
    - Jeff H

  7. Re: Command to dump/restore user info OSR5

    On Mon, 24 Mar 2008, Jeff Hyman wrote:
    > Boyd Lynn Gerber typed (on Sat, Mar 22, 2008 at 05:08:59PM -0600):
    > | On Sat, 22 Mar 2008, Bill Campbell wrote:
    > | > I am suffering from a bad case of CRS today, and don't remember
    > | > the command on OpenServer that dumps all the user and group
    > | > information from the tcb database. I seem to remember that it
    > | > requires a -g option to get the proper group information, and -4
    > | > to restore from a dump file, but don't remember the command name.
    > | >
    > | > Any help?
    > | ap
    > |
    > Can 'ap' be used to determine if ones password has been changed?
    > especially root's password? .... other then grepping '/etc/shadow'
    > for a user and checking for a change?


    Yes, with the right options. What I have done is a nightly shell script
    that dumps everything and then does a diff on the saved known good and the
    new dump. This lets me know when someone makes changes. I am working on a
    port of rkhunter that would be better, as it checks for a lot of other
    things.

    --
    Boyd Gerber
    ZENEZ 1042 East Fort Union #135, Midvale Utah 84047

  8. Re: Command to dump/restore user info OSR5

    Jeff Hyman typed (on Mon, Mar 24, 2008 at 01:25:25PM -0400):
    |
    | Can 'ap' be used to determine if ones password has been changed?
    | especially root's password? .... other then grepping '/etc/shadow'
    | for a user and checking for a change?

    Not at all. 'ap' just takes a snapshot of current parameters.

    Just what would you grep for in /etc/shadow to tell you that a password
    had changed? The file's mtime would be more relevant, but that would
    just indicate some change somewhere in, and not *which* change.

    You might want to check the times recorded in /tcb/files/auth/r/root.

    --
    JP

  9. Re: Command to dump/restore user info OSR5

    Jean-Pierre Radley wrote:
    > Jeff Hyman typed (on Mon, Mar 24, 2008 at 01:25:25PM -0400):
    > |
    > | Can 'ap' be used to determine if ones password has been changed?
    > | especially root's password? .... other then grepping '/etc/shadow'
    > | for a user and checking for a change?
    >
    > Not at all. 'ap' just takes a snapshot of current parameters.
    >
    > Just what would you grep for in /etc/shadow to tell you that a password
    > had changed? The file's mtime would be more relevant, but that would
    > just indicate some change somewhere in, and not *which* change.
    >
    > You might want to check the times recorded in /tcb/files/auth/r/root.
    >


    You'd compare it to the previous night's /etc/shadow snapshot.

  10. Re: Command to dump/restore user info OSR5

    On Mon, Mar 24, 2008, Boyd Lynn Gerber wrote:
    >On Mon, 24 Mar 2008, Jeff Hyman wrote:
    >> Boyd Lynn Gerber typed (on Sat, Mar 22, 2008 at 05:08:59PM -0600):
    >> | On Sat, 22 Mar 2008, Bill Campbell wrote:
    >> | > I am suffering from a bad case of CRS today, and don't remember
    >> | > the command on OpenServer that dumps all the user and group
    >> | > information from the tcb database. I seem to remember that it
    >> | > requires a -g option to get the proper group information, and -4
    >> | > to restore from a dump file, but don't remember the command name.
    >> | >
    >> | > Any help?
    >> | ap
    >> |
    >> Can 'ap' be used to determine if ones password has been changed?
    >> especially root's password? .... other then grepping '/etc/shadow'
    >> for a user and checking for a change?

    >
    >yes with the right options. What I have done is a nightly shell script
    >that dumps everything and then does a diff on the saved know good and the
    >new dump. This lets me know when some makes changes. I am working on a
    >port of rkhunter that would be better, as it checks for a lot of other
    >things.


    One could use ap, but that's kinda like my father's old saying, ``anything
    is possible, even intercourse in a hammock standing up''.

    You're probably better off using software designed to maintain a
    database of system information, and look for changes in critical
    files. Aide and tripwire are often used for this.

    Bill
    --
    INTERNET: bill@celestial.com Bill Campbell; Celestial Software LLC
    URL: http://www.celestial.com/ PO Box 820; 6641 E. Mercer Way
    FAX: (206) 232-9186 Mercer Island, WA 98040-0820; (206) 236-1676

    Rights is a fictional abstraction. No one has ``Rights'', neither
    machines nor flesh-and-blood. Persons... have opportunities, not rights,
    which they use or do not use.
    -- Lazarus Long

  11. Re: Command to dump/restore user info OSR5

    In article <20080324172525.GA22411@lonestar.cactus.com>,
    Jeff Hyman wrote:
    > Can 'ap' be used to determine if ones password has been changed?
    >especially root's password? .... other then grepping '/etc/shadow'
    >for a user and checking for a change?


    To see when a user's password was last changed, do:

    passwd -s

    The third field printed is the date of the last password change.
    Of course, root is free to edit the information that this relies upon.

    John
    --
    John DuBois spcecdt@armory.com KC6QKZ/AE http://www.armory.com/~spcecdt/

  12. Re: Command to dump/restore user info OSR5

    ----- clipped -----
    | > Can 'ap' be used to determine if ones password has been changed?
    | > especially root's password? .... other then grepping '/etc/shadow'
    | > for a user and checking for a change?
    |
    | yes with the right options. What I have done is a nightly shell script
    | that dumps everything and then does a diff on the saved know good and the
    | new dump. This lets me know when some makes changes. I am working on a
    | port of rkhunter that would be better, as it checks for a lot of other
    | things.
    |
    Boyd,

    Till you wrap up 'rkhunter' can you share the 'ap' syntax to monitor
    one's password change?

    - Jeff H


  13. Re: Command to dump/restore user info OSR5


    ----- Original Message -----
    From: "Jeff Hyman"
    Newsgroups: comp.unix.sco.misc
    To:
    Sent: Monday, March 24, 2008 4:27 PM
    Subject: Re: Command to dump/restore user info OSR5


    > ----- clipped -----
    > | > Can 'ap' be used to determine if ones password has been changed?
    > | > especially root's password? .... other then grepping '/etc/shadow'
    > | > for a user and checking for a change?
    > |
    > | yes with the right options. What I have done is a nightly shell script
    > | that dumps everything and then does a diff on the saved know good and the
    > | new dump. This lets me know when some makes changes. I am working on a
    > | port of rkhunter that would be better, as it checks for a lot of other
    > | things.
    > |
    > Boyd,
    >
    > Till you wrap up 'rkhunter' can you share the 'ap' syntax to monitor
    > ones password change ?
    >
    > - Jeff H


    There is no such syntax.
    Write a script that does a dump and then compares (using whatever utility you like) the current dump against the previous such dump.
    Then run that script from cron every day or every hour or whatever schedule you like.

    A _crude_ starter script just to illustrate the base idea might look like this:

    -----top-----
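    #!/bin/sh
    # Monitor user database for changes daily.
    # Relies on the "ap" (account propagation) utility, and so, only works on SCO.
    # ap is /tcb/bin/ap; make sure that directory is in PATH when run from cron.
    umask 077    # the dumps contain password hashes (u_pwd)
    D=/u/apmon
    [ -d "$D" ] || mkdir -p "$D" || exit 1
    cd "$D" || exit 1
    # Rotate history: ap00 is the newest dump, ap03 the oldest.
    mv -f ap02 ap03 >/dev/null 2>&1
    mv -f ap01 ap02 >/dev/null 2>&1
    mv -f ap00 ap01 >/dev/null 2>&1
    # Take a fresh dump (with group information, -g) and mail the changed
    # u_name/u_pwd lines to root.
    ap -d -g > ap00
    diff -c ap01 ap00 |egrep "(u_name|u_pwd)" |mail -s "AP Monitor" root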
    -----end-----

    You don't have a diff unless you install the devsys or gnutools.
    And in the case of gnutools you'd want to add /usr/gnu/bin to PATH in /etc/default/cron and /etc/profile and /.profile.
    The -c option luckily just happens to be a valid option that exists in both the native and gnu diff, and does the same thing in both. It provides enough context lines around the actually changed lines such that when a password is changed, you can see the user it applied to. The egrep ignores lines you probably don't care about.

    Output looks like this:

    # diff -c ap01 ap00 |egrep "(u_name|u_pwd)"
    stewie:u_name=stewie:u_id#242:\
    ! :u_pwd=8OUrdPXqmkKT61x3ZmEHmuFc:\
    stewie:u_name=stewie:u_id#242:\
    ! :u_pwd=wdhsdhsjkkwjhfjwej:\

    So user stewie's password changed since the last time the script was run.
    The order of the filenames on the diff command line, and the way the script renumbers filenames, means that the first instance is the old password and the next instance is the new password.

    The sample script maintains a constant 3 day history, ap00 is always the last dump, ap01 is always the one before that, etc...

    Probably this is not useful enough yet either, since a simple diff of the two dumps I think will always find differences every day even if nothing you care about changed, because I think there are last login timestamps in there that will change every time someone logs in. So you'd want to add more filtering than that egrep in there to ignore some of the diff output.

    Or really, you really want to write an awk or perl script that parses the ap data and only looks at selective parts and compares that, instead of using diff at all. That was just a real quick & dirty way to start.

    Since it's not as simple as any magic single command, that's why things like rkhunter and other root kit & invasion detectors were written and are rather nontrivial apps, and why I too am interested that someone is porting one to OSR5.

    --
    Brian K. White brian@aljex.com http://www.myspace.com/KEYofR
    +++++[>+++[>+++++>+++++++<<-]<-]>>+.>.+++++.+++++++.-.[>+<---]>++.
    filePro BBx Linux SCO FreeBSD #callahans Satriani Filk!
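
The approach suggested at the end of the last post (parse the ap data and compare only selected fields instead of diffing whole dumps), as an added example that is not part of the original thread. The record layout is assumed from the two output lines quoted in that post; the function names, the `u_suclog` and `chkent` fields, and the accounts `brian` and `lois` are constructed for illustration.

```shell
# Added example: report accounts whose u_pwd differs between two ap dumps,
# ignoring all other fields. Assumes termcap-style records continued with "\".

# Print "TAG<TAB>user<TAB>hash" for each record in dump file $1.
ap_pwd_table() {
    awk -v tag="$2" '
    { sub(/^[ \t]+/, "") }
    /\\$/ { sub(/\\$/, ""); rec = rec $0; next }   # continued: keep joining
    {
        rec = rec $0; name = ""; pwd = ""
        n = split(rec, f, ":")
        for (i = 1; i <= n; i++) {
            if (f[i] ~ /^u_name=/) name = substr(f[i], 8)
            if (f[i] ~ /^u_pwd=/)  pwd  = substr(f[i], 7)
        }
        if (name != "") print tag "\t" name "\t" pwd
        rec = ""
    }' "$1"
}

# Compare old dump $1 with new dump $2. Hashes are compared, never printed.
ap_pwd_changes() {
    { ap_pwd_table "$1" O; ap_pwd_table "$2" N; } | awk -F '\t' '
    $1 == "O"    { old[$2] = $3; next }
    !($2 in old) { print "added " $2; next }
    { if (old[$2] != $3) print "changed " $2; delete old[$2] }
    END { for (u in old) print "removed " u }' | sort
}

# Constructed sample dumps: only stewie's lines come from the post.
ap_demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/ap01" <<'EOF'
stewie:u_name=stewie:u_id#242:\
    :u_pwd=8OUrdPXqmkKT61x3ZmEHmuFc:u_suclog#1206300000:chkent:
brian:u_name=brian:u_id#201:\
    :u_pwd=ConstructedHashAAAA:u_suclog#1206300000:chkent:
EOF
    cat > "$d/ap00" <<'EOF'
stewie:u_name=stewie:u_id#242:\
    :u_pwd=wdhsdhsjkkwjhfjwej:u_suclog#1206300000:chkent:
brian:u_name=brian:u_id#201:\
    :u_pwd=ConstructedHashAAAA:u_suclog#1206390000:chkent:
lois:u_name=lois:u_id#243:\
    :u_pwd=ConstructedHashBBBB:chkent:
EOF
    ap_pwd_changes "$d/ap01" "$d/ap00"; rm -rf "$d"
}
```

Calling `ap_demo` reports `added lois` and `changed stewie`; brian's changed login timestamp is ignored. Because the report carries account names only, no password hashes end up in root's mailbox.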

