How to recover file owner and permissions using a recovery archive

From Wiki-UX.info

Abstract

This article presents a method to extract the owner and file permission information from an Ignite-UX recovery tape or network recovery archive, and to use it to restore the permission settings on a system where a major unintended permission change was made, as in chmod <octal> /.

This is particularly useful when commands like chown or chmod have been run against an entire file system such as /usr or /opt, or against the entire root file system (/).

Keep in mind that only the data corresponding to the file systems included in the Ignite-UX recovery archive will be available for this procedure.

Extract the symbolic permissions from the network archive or tape

This operation may take a while to complete because the whole archive will be read and decompressed on-the-fly to obtain the information.

Network archive

1. Change to the directory that contains the archive. The default is /var/opt/ignite/recovery/archives/<hostname>

# cd /var/opt/ignite/recovery/archives/<hostname>

2. Identify which archive you will use to extract the permissions

# ls -l
total 102720
-rw-r-----   1 root       sys        42507544 Oct 13 18:21 2009-10-12,16:11
# file 2009-10-12,16:11
2009-10-12,16:11:       gzip compressed

3. Extract the owner and permissions information from the archive and write it to a temporary file

# gzcat "2009-10-12,16:11" | pax -v > /tmp/permissions.out
  • Note: Ignite-UX uses the pax command to write and create the recovery archives. The pax command will automatically recognize any of the supported archive formats: tar, cpio, or pax (pax format archives are not supported on 11.11 and on 11.23. They require patches and an enhancement bundle).

Recovery Tape

The following information refers to the hardware architecture of the system where the tape was created, not to the type of system where these commands are running.

In older versions of Ignite-UX (6.2 and earlier) only PA-RISC formatted tapes were created. If for some reason you cannot skip forward to file 23 using the mt command, try forwarding to file 2 using the PA-RISC commands to see if you can access the archive.

HP-9000 (PA-RISC):

# mt -f /dev/rmt/<#>mn rew
# mt -f /dev/rmt/<#>mn fsf 1
# pax -vf /dev/rmt/<#>mn > /tmp/permissions.out

Integrity (Itanium):

# mt -f /dev/rmt/<#>mn rew
# mt -f /dev/rmt/<#>mn fsf 22
# pax -vf /dev/rmt/<#>mn > /tmp/permissions.out

Review the output file:

The output generated by the pax command will be similar to this:

# head /tmp/permissions.out
dr-xr-xr-x  0 bin      bin               Oct 11 17:03 stand/
drwxr-xr-x  0 root     root              Oct 11 11:44 stand/lost+found/
-rw-r--r--  0 root     sys          4584 Oct 11 17:02 stand/ioconfig
-rw-rw-r--  0 root     sys          8280 Oct 11 17:02 stand/ext_ioconfig.lkg
-rw-r--r--  0 root     sys          8280 Oct 11 17:02 stand/ext_ioconfig
-rw-r--r--  0 root     sys            19 Oct 11 11:45 stand/bootconf
lrwxr-xr-x  0 root     root              Oct 11 17:02 stand/system -> nextboot/system
-rw-r--r--  0 root     sys             0 Oct 11 12:03 stand/.kc.lock
drwxr-xr-x  0 root     sys               Oct 11 17:04 stand/krs/
-rw-r--r--  0 root     root         4240 Oct 11 17:04 stand/krs/system.krs

Translate the symbolic permissions to octal values

1. Save the following sed script at /tmp/octalperm.sed to translate the symbolic permissions of the previous file to octal values

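cat > /tmp/octalperm.sed << 'EOF'
# Translate directory octal permission lists
# Based on the work of David Cornish (www.davidcornish.com)
#
# File types (b)lock, (c)haracter, (d)irectory, (l)ink, (p)ipe
s/^\([-bcdlp]\)/\1 /

# First value - normal (0), sticky (1), sgid (2), suid (4)
s/\(^. \)/\10/
s/\(^.\) .\(........\)t/\1 1\2x/
s/\(^.\) 0\(..\)s/\1 4\2x/
s/\(^.\) 1\(..\)s/\1 5\2x/
s/\(^.\) 0\(.....\)s/\1 2\2x/
s/\(^.\) 1\(.....\)s/\1 3\2x/
s/\(^.\) 4\(.....\)s/\1 6\2x/
s/\(^.\) 5\(.....\)s/\1 7\2x/

# Read (4)/write (2)/execute (1) permissions
# Anchored to the mode column and repeated once per triplet, so that
# file names containing "r-x", "---" and similar strings are not altered
:perm
s/^\(. [0-7]*\)rwx/\17/
t perm
s/^\(. [0-7]*\)rw-/\16/
t perm
s/^\(. [0-7]*\)r-x/\15/
t perm
s/^\(. [0-7]*\)r--/\14/
t perm
s/^\(. [0-7]*\)-wx/\13/
t perm
s/^\(. [0-7]*\)-w-/\12/
t perm
s/^\(. [0-7]*\)--x/\11/
t perm
s/^\(. [0-7]*\)---/\10/
t perm
EOF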

2. Process the pax output with the sed command. In very large reports, the whole process may take a while to complete

# sed -f /tmp/octalperm.sed /tmp/permissions.out > /tmp/permissions.octal

The output will be similar to this:

# head /tmp/permissions.octal
d 0555  0 bin      bin                   Oct 11 17:03 stand/
d 0755  0 root     root                  Oct 11 11:44 stand/lost+found/
- 0644  0 root     sys              4584 Oct 11 17:02 stand/ioconfig
- 0664  0 root     sys              8280 Oct 11 17:02 stand/ext_ioconfig.lkg
- 0644  0 root     sys              8280 Oct 11 17:02 stand/ext_ioconfig
- 0644  0 root     sys                19 Oct 11 11:45 stand/bootconf
l 0755  0 root     root                  Oct 11 17:02 stand/system -> nextboot/system
- 0644  0 root     sys                 0 Oct 11 12:03 stand/.kc.lock
d 0755  0 root     sys                   Oct 11 17:04 stand/krs/
- 0644  0 root     root             4240 Oct 11 17:04 stand/krs/system.krs

3. Create a batch job to set the file ownership and permissions

Using the awk command, create a list of the chown and chmod commands required to make the ownership and permissions of the files on the file system match the report. This list can be executed as a batch job.

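# cat /tmp/permissions.octal | awk '{
   filename = ""
   if ($1 == "d" || $1 == "l" || $1 == "p") filename = $9
   else if ($1 == "c" || $1 == "b") filename = $11
   else if ($1 == "-") filename = $10
   # Skip entries of any other type instead of reusing a previous name
   if (filename == "") next
   # For a symbolic link, change the link itself and leave its target alone
   if ($1 == "l") { printf "chown -h %s:%s %s\n", $4, $5, filename; next }
   printf "chown %s:%s %s\nchmod %s %s\n", $4, $5, filename, $2, filename
}' > /var/tmp/setpermissions.sh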

The output will look like this:

# tail /var/tmp/setpermissions.sh
chown root:root var/run/daemon/
chmod 0644 var/run/daemon/
chown root:root var/run/daemon/
chmod 0644 var/run/daemon/
chown root:root var/run/daemon/
chmod 0644 var/run/daemon/
chown root:root var/run/daemon/
chmod 0644 var/run/daemon/
chown root:root var/run/envd_diag
chmod 0600 var/run/envd_diag

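At this point, it is important to review at least one part of the script that has been produced to ensure that it has been created correctly and will set permissions and ownership the way you intended. The same path repeated on consecutive lines, or a directory being assigned a file mode such as 0644, indicates that the file name column was not read correctly for some entries.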
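The sed and awk steps above can also be done in a single pass that never lets archive content reach the shell unquoted. This is an added example, not part of the original article: gen_setperms is a hypothetical name, the field positions are assumed to match the pax -v listing shown earlier, and chown -h is assumed to be available. It goes beyond the steps on this page by handling S and T, keeping file names with spaces whole, and single-quoting every path so a name containing shell syntax cannot run as a command when the batch job is executed as root.

```shell
#!/bin/sh
# gen_setperms (hypothetical name): pax -v listing on stdin, chown/chmod commands on stdout.
gen_setperms() {
  awk '
  # Octal digit of one rwx triplet; s and t imply x, S and T do not.
  function tri(t,   v) {
    v = 0
    if (substr(t, 1, 1) == "r") v += 4
    if (substr(t, 2, 1) == "w") v += 2
    if (substr(t, 3, 1) ~ /[xst]/) v += 1
    return v
  }
  # Single-quote a path for sh; \047 is the single quote character.
  function shq(s,   n, p, i, out) {
    n = split(s, p, "\047")
    out = p[1]
    for (i = 2; i <= n; i++) out = out "\047\\\047\047" p[i]
    return "\047" out "\047"
  }
  {
    type = substr($1, 1, 1); m = substr($1, 2, 9)
    # Assumed field layout: the one in the sample listing on this page.
    if (type == "d" || type == "l" || type == "p") skip = 7
    else if (type == "-") skip = 8
    else if (type == "c" || type == "b") skip = 9
    else next
    if (NF <= skip || m !~ /^[-r][-w][-xsS][-r][-w][-xsS][-r][-w][-xtT]$/) next
    id = "^[A-Za-z0-9_][A-Za-z0-9._-]*$"          # owner and group go unquoted
    if ($3 !~ id || $4 !~ id) next
    special = 0
    if (substr(m, 3, 1) ~ /[sS]/) special += 4    # setuid
    if (substr(m, 6, 1) ~ /[sS]/) special += 2    # setgid
    if (substr(m, 9, 1) ~ /[tT]/) special += 1    # sticky
    octal = sprintf("%d%d%d%d", special, tri(substr(m, 1, 3)), tri(substr(m, 4, 3)), tri(substr(m, 7, 3)))
    # Drop the leading fields so a name containing spaces stays whole.
    name = $0
    for (i = 1; i <= skip; i++) sub(/^[ \t]*[^ \t]+[ \t]+/, "", name)
    if (type == "l") sub(/ -> .*$/, "", name)
    if (name !~ /^\//) name = "./" name           # guards names starting with "-"
    if (type == "l") { printf "chown -h %s:%s %s\n", $3, $4, shq(name); next }
    printf "chown %s:%s %s\nchmod %s %s\n", $3, $4, shq(name), octal, shq(name)
  }'
}

# Constructed sample line (not from a real archive); the file name carries shell syntax.
printf '%s\n' '-rwsr-xr-x  0 root  bin  4584 Oct 11 17:02 opt/a b; id' | gen_setperms
```

Run it as gen_setperms < /tmp/permissions.out > /var/tmp/setpermissions.sh; lines with an unrecognized type, mode string, owner or group are dropped rather than guessed at.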

Run the batch job

To set the ownership and permissions, run the script from the root (/) directory. This is necessary because the paths in the script are relative; if you run it from another directory, the commands will fail.

# cd /
# sh /var/tmp/setpermissions.sh

Using SD-UX to review the update

It is also important that you run the swverify command to ensure that permissions and ownership are set the way SD-UX expects. If you still have permission issues reported by swverify, you can determine which permissions and ownership SD-UX expects files to have by using the following command, which prints this information for all of the files SD-UX knows about:

# swlist -l file -a mode -a owner -a group
