File Permissions Problem

[bjverzal]

Hi *,

This past weekend, I believe someone did something to our system (I believe I know who, but since most E-mail is tracked, I'll not say here), but alas, I cannot confirm it. I have already change $HISTSIZE in hopes of tracking stuff like this in the past.

I have found that /etc, /usr and /dev all have 777 permissions. Who knows what else...I haven't found any more, but I haven't really looked either. This is a common repair this individual does. If something does not work, just do a chmod 777 *.

Anyway, now our print spooling system is hosed. It stops working after a while and if I do a stopsrc -g spooler, it does not shutdown. I end up doing kills on the processes.

So, this all said, does anyone know why the print spooler system might act like this ? Granted, this type of problem may have a billion (US) possible causes, but I am willing to chase them down.

Here is what I have done so far...

1. I wrote a script that lists files and their numeric permissions, colon delimited
2. Ran the script on a freshly installed system for each of the above directories
3. Wrote another script that reads the files and numeric permission and chmod's them on my quirky system

This seems to have fixed some of the problems we were having, but this print spooler one still exists.

Any thoughts ?

Thanks, Bill.

 

[gileb]

Hi,

Sorry for you because people with root pass on a sensible system can do a LOT of trouble. You maybe should have a look to the tcbcheck command (to use with care) which can help having the permissions setback.

To trace down who may have caused trouble, you should ermove root direct login in order to oblige user to make a su to root (each user should have a different login) then after that it's easier to know via sulog who did the su and at what time.

For your spooler pb i don't have a clue : could you stop every processes one by one to know which one causes troubles: it should be qdaemon... maybe it has child processes, which cannot stop (piojetd for example...)


Hope that helps !

 

[aixqueen]

Sudo may be a good thing to consider for your system to keep that person from root
and yes, I know what you need to do to fix your printing, However, if any of the other major fields are messed permission wise, the system notices there is an intrusion and will prohibit a whole bunch of things...I guess you are lucky you can log in.........
-----------------------------------------------------------------
File Permissions, Owners and Groups
(YOU may not have all of these, but check to be sure if you do)

Path is for that version first instead of the real version..........
which lp should produce /usr/bin/lp
which enq should also produce /usr/bin/enq

Sometimes an update to a third party software will change the permissions of
/ with the owner and group. Or put another shell program for lp. Look for it with
the which command. Also try printing with lp and enq and see if one works
and the other doesn't.

At minimum the following should be checked. This is especially true if only
root user (superuser) can print:


-r-sr-s--- 1 root printq 58989 Oct 26 1994 /usr/sbin/qdaemon
-r-sr-s--- 1 root printq 50099 Oct 26 1994 /usr/sbin/lpd
-r-sr-sr-x 1 root printq 59262 Oct 26 1994 /bin/enq
-r-xr-xr-x 1 bin bin 31493 Oct 26 1994 /bin/qprt
-r-xr-xr-x 1 bin bin 30397 Oct 26 1994 /bin/lp
-r-xr-xr-x 1 bin bin 31421 Oct 26 1994 /bin/lpr
-r-xr-xr-x 1 bin bin 30909 Oct 26 1994 /bin/lpstat
-r-xr-sr-x 1 bin printq 54633 Oct 13 1994 /usr/lib/lpd/piobe
-r-sr-x--- 1 root printq 38205 Oct 26 1994 /usr/lib/lpd/digest
-r-sr-x--- 1 root printq 52088 Oct 26 1994 /usr/lib/lpd/qstatus
-r-sr-xr-x 1 root printq 49626 Aug 14 1995 /usr/lib/lpd/pio/etc/pioout
crw-rw-rw- 1 root system 2, 2 Jul 09 08:56 /dev/null
-rw-rw-r-- 1 root printq 6198 Sep 27 10:55 /etc/qconfig

More to check but you may not have all of them, based on what you installed.

:/usr/lib/lpd/pio/etc
r--r--r-- 1 root printq 741 Jul 27 1994 ascii.attach
-r-xr-xr-x 1 bin bin 557 Nov 11 1994 bull.head
-r-xr-xr-x 1 bin bin 1037 Nov 11 1994 bull.header
-r-xr-xr-x 1 bin bin 390 Nov 11 1994 bull.trail
-r-xr-xr-x 1 bin bin 732 Nov 11 1994 bull.trailer
-r-xr-xr-x 1 bin bin 1081 Nov 11 1994 bullps.header
-r-xr-xr-x 1 bin bin 938 Nov 11 1994 bullps.trailer
-rw-rw-r-- 1 root printq 18990 Jan 26 1994 codepage.txt
-r--r--r-- 1 root printq 736 Jul 27 1994 file.attach
-r--r--r-- 1 root printq 767 Feb 6 1997 hpJetDirect.attach
-r--r--r-- 1 root printq 779 Jul 27 1994 local.attach
-r--r--r-- 1 root printq 935 Sep 16 1994 mbcs.tbl
-r--r--r-- 1 root printq 3646 Aug 30 1994 nls.dir
-r--r--r-- 1 root printq 49288 Mar 20 1996 pioattr1.cat
-r--r--r-- 1 root printq 61196 Aug 27 1994 piobe.cat
-r-xr-xr-x 1 bin bin 15038 Jan 6 1996 pioburst
-r-xr-xr-x 1 bin bin 52286 Jan 6 1996 piocfapi
-r-xr-xr-x 1 bin bin 11800 Jan 6 1996 piochdfq
-r-xr-xr-x 1 bin bin 4062 Nov 11 1994 piochpq
-r-xr-x--- 1 root printq 9239 Nov 11 1994 piodmgr
-r-sr-sr-x 1 root printq 2890 Jan 6 1996 piodmgrsu
-r-xr-xr-x 1 bin bin 47778 Jan 6 1996 pioevattr
-r-xr-xr-x 1 bin bin 54492 Feb 26 1996 pioformat
-r-xr-xr-x 1 bin bin 1626 Jan 22 1995 piofquote
-r-xr-xr-x 1 root printq 22998 Jun 1 1996 piohpnpf
-r-xr-xr-x 1 bin bin 589 Nov 11 1994 pioinit
-r-xr-xr-x 1 root printq 618 Nov 11 1994 piojetd
-r-xr-xr-x 1 bin bin 5199 Nov 11 1994 piolpx
-r-xr-xr-x 1 bin bin 18164 Jan 6 1996 piolspt
-r-xr-xr-x 1 bin bin 40754 Jan 6 1996 piolsvp
-r-xr-xr-x 1 bin bin 13396 Jan 6 1996 piomgpdev
-r-xr-xr-x 1 bin bin 11757 Apr 30 1996 piomisc_ext
-r-xr-sr-x 1 root printq 39014 Jan 6 1996 piomkapqd
-r-xr-xr-x 1 root printq 4733 Mar 22 1995 piomkjetd
-r-sr-x--- 1 root printq 33736 Jan 6 1996 piomkpq
-r-xr-xr-x 1 bin bin 8774 Jan 6 1996 piomsg
-r-sr-xr-x 1 root printq 49570 May 30 1996 pioout
-r-xr-xr-x 1 bin bin 9654 Jan 26 1994 pioqms100
-r-xr-xr-x 1 bin bin 4288 Nov 11 1994 piorlfb
-r--r--r-- 1 root printq 1819 Aug 27 1994 piosplp.cat
-r--r--r-- 1 root printq 19153 Jul 27 1994 printers.inv
-r--r--r-- 1 root printq 684 Jul 27 1994 remote.attach
r-s r-s - - 1 root printq 58989 /usr/sbin/qdaemon
r-s r-s - - 1 root printq 50099 /usr/sbin/lpd
r-s r-s r-x 1 root printq /bin/enq
r-x r-x r-x 1 bin bin /bin/qprt
r-x r-x r-x 1 bin bin /bin/lp
r-x r-x- r-x 1 bin bin /bin/lpr
r-x r-x r-x 1 bin bin /bin/lpstat

/usr/lib/lpd
-r-xr-sr-x 1 bin printq 80036 Feb 26 1996 piobe
-r-xr-xr-x 1 bin bin 17254 Jun 25 1996 plotgbe
-r-xr-xr-x 1 root printq 14450 Apr 9 1995 plotlbe
-r-sr-x--- 1 root printq 53266 Jul 20 1996 qstatus
-r-sr-x--- 1 root printq 50280 Sep 10 1996 rembak
-r-sr-x--- 1 root printq 39178 Jun 13 1996 digest
lrwxrwxrwx 1 root printq 13 Oct 17 2025 lpd -> /usr/sbin/lpd
drwxrwxr-x 9 root printq 512 Feb 6 1997 pio
r-s r-x r-x 1 root printq /usr/lib/lpd/pio/etc/pioout
crw-rw-rw 1 root system /dev/null
rw- rw-r-- 1 root printq /etc/qconfig
rw rw - - 1 root printq /etc/qconfig.bin
drwxr-xr-x bin bin /
drwxrwxr-x bin bin /var
drwxrwxr-x bin bin /var/spool
drwxrwxr-x bin printq /var/spool/lpd
drwxrwxr-x root printq /var/spool/lpd/qdir
drwxrwxr-x root printq /var/spool/lpd/stat
drwxrwxr-x bin printq /var/spool/qdaemon
drwxr-xr-x bin bin /usr
drwxr-xr-x bin bin /usr/bin
drwxr-xr-x bin bin /usr/sbin
drwxrwxr-x root system /etc
-rw-rw-r-- root system /etc/hosts
drwxrwsrwt bin bin /tmp



Most important............check first then look at the ones above:
Appendix B: File permissions, owners and groups

At minimum, the following should be checked. This is especially true if only the root user (superuser) can print.

-r-sr-s--- 1 root printq 58989 Oct 26 1994 /usr/sbin/qdaemon
-r-sr-s--- 1 root printq 50099 Oct 26 1994 /usr/sbin/lpd
-r-sr-sr-x 1 root printq 59262 Oct 26 1994 /bin/enq
-r-xr-xr-x 1 bin bin 31493 Oct 26 1994 /bin/qprt
-r-xr-xr-x 1 bin bin 30397 Oct 26 1994 /bin/lp
-r-xr-xr-x 1 bin bin 31421 Oct 26 1994 /bin/lpr
-r-xr-xr-x 1 bin bin 30909 Oct 26 1994 /bin/lpstat
-r-xr-sr-x 1 bin printq 54633 Oct 13 1994 /usr/lib/lpd/piobe
-r-sr-x--- 1 root printq 38205 Oct 26 1994 /usr/lib/lpd/digest
-r-sr-x--- 1 root printq 52088 Oct 26 1994 /usr/lib/lpd/qstatus
-r-sr-xr-x 1 root printq 49626 Aug 14 1995 /usr/lib/lpd/pio
/etc/pioout
crw-rw-rw- 1 root system 2, 2 Jul 09 08:56 /dev/null
-rw-rw-r-- 1 root printq 6198 Sep 27 10:55 /etc/qconfig
-rw-rw---- 1 root printq 26876 Sep 27 10:55 /etc/qconfig.bin
drwxr-xr-x 33 bin bin 2048 Sep 17 00:39 /
drwxr-xr-x 12 bin bin 512 Jul 10 14:45 /var
drwxrwxr-x 12 bin bin 512 Sep 13 18:53 /var/spool
drwxrwxr-x 5 bin printq 14336 Sep 14 11:51 /var/spool/lpd
drwxrwxr-x 2 root printq 42496 Sep 15 17:19 /var/spool/lpd/qdir
drwxrwxr-x 2 root printq 2048 Sep 15 17:18 /var/spool/lpd/stat
drwxrwxr-x 2 bin printq 6656 Sep 15 15:23 /var/spool/qdaemon
drwxr-xr-x 21 bin bin 512 Jan 17 1995 /usr
drwxr-xr-x 3 bin bin 11776 Sep 16 23:31 /usr/bin
drwxr-xr-x 4 bin bin 9216 Sep 16 23:32 /usr/sbin
drwxrwxr-x 15 root system 8192 Sep 27 10:55 /etc
drwxrwsrwt 16 bin bin 4608 Nov 27 14:32 /tmp

To check directories, enter:

ls -ld <path/directory>

For example, ls -ld / would return information for root directory, and ls -ld /etc would return information for the
etc directory.

http://techsupport.services.ibm.com...mode=9&documents=090605208614738&database=aix

 

[vantandem]

We have had similar issues with users and root access, though fortunately for us we have not ran into this issue. What I can suggest is a product called Power Broker. PowerBroker will help to reduce security administration, risks, and audit difficulties inherent on Unix systems and will increase accountability. One key feature of PowerBroker is the keystroke logging, this feature will log every keystroke from any one user. If a user decided to rsh or telnet to another server PowerBroker has the ability to follow them and will log them. This product is very robust.

vantandem

 

[bjverzal]

Everyone - thanks for the responses. I've also received good responses from the AIX-L list.

Just one note...I believe the offender is my manager...

BV

 

[MikeLacey]

Hmmmm <wry smile> I used to have a manager who managed to do a 'rm -fr /' on a live system. Twice... Bless him. Mike
michael.j.lacey@ntlworld.com
Email welcome if you're in a hurry or something -- but post in tek-tips as well please, and I will post my reply here as well.

 

[Guest_imported]

Your print spooler problem may indicate the queue file is corrupt. what you need to do is use the file checker utility for the print spool file and then ask your mummy