Friday, October 07, 2005

Permissions messed in /devices - easy fix?

Subject: [SUMMARY] Permissions messed in /devices - easy fix?

-----
Original Post:
Due to an errant command during a security-tightening process, I have
a Solaris 8 box that has had all of the Other Write bits turned off
on the special files in /devices.

Is there a reasonably easy method to get Solaris to regenerate
/devices from scratch?

I've tried "touch /reconfigure and reboot" - no dice - doesn't seem
to regenerate something that's needed that's already there.

Suggestion: how about nuking /devices and /dev from a script as the
last thing the OS does on the way down then boot -r?

-----

IMHO the best responses came from Casper Dik and David Foster to use

    pkgchk -f SUNWcsd

to force the reinstallation (and presumably permissions) of the
devices.

Unfortunately, this advice came too late. What I did was

    touch /reconfigure
    rm -rf /dev /devices

from single user mode, then

    init 0

at which point the system locked.

From this point on the system would lock sometime shortly after
reading /etc/system. I made many efforts to restore /devices to no
avail after that point. Attempts included:
*) disabled SVM - I could, after all, only really change one side of
the mirror when booting from CD.
*) boot from CD, copy /devices and /dev from the running image to the
boot drive.
*) boot from CD, use the suggested devfsadm -r /tmp/a method to
rebuild the hierarchy.
*) Last message I was getting looked like the system had loaded the
RDAC driver for my SAN disks, so I disabled it.

Basically got the same lock every boot attempt.

Interestingly enough, on all these boot attempts where the 880
locked, it would not even respond to BREAK on the ttya line (what I'm
using for console). In all attempts I had to power cycle the box.

The box is now back in production with a fresh new Solaris 9 load. It
is something we probably should have started at Tuesday noon instead
of Wednesday afternoon, but hindsight is always 20/20.

Thanks for all replies.

-----
This would generally be my experience, from Grant:
I would be careful about the /devices directory. I had to restore a
system from backup, using NetBackup and the system wouldn't boot.
After I rebuilt the system from a full backup, the system wouldn't
boot. I even tried rebooting with -r and even touch /reconfigure.
It turned out the /devices tree wasn't restored (NetBackup doesn't
back up the /devices directory). The system would hang right after
reading the system file. I finally had to boot from cdrom, run
devfsadm on the mounted /a filesystem, and then rebooted. Then it
booted. Hope this helps.
-----
From Tim:
Possibly a red herring, but wouldn't a
    sudo find /dev -name '*' -exec chmod o+w {} \;
do the trick?
Response: Yes, but Yes. Not everything should have write permission.
-----
Remove everything *except* for your boot device, rename
/etc/path_to_inst then 'reboot -- -ra'. It'll ask you if you want to
rebuild the path_to_inst
Response: might have worked, but I didn't need path_to_inst rebuilt
as far as I knew. As stated earlier, keeping the path to the boot
device would have been useful.
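
-----
An added example, not part of the original post or its replies: one way to record which entries under a tree carry the other-write bit before a hardening pass, so that an errant chmod can be reverted on exactly those entries instead of setting o+w everywhere. It assumes a POSIX shell (on Solaris, /usr/xpg4/bin/sh or ksh rather than the old /bin/sh); the function names and the baseline file are hypothetical, and the demo runs on constructed ordinary files in a temporary directory, not real device nodes.

```shell
#!/bin/sh
# Baseline and targeted restore of the other-write bit (added sketch).

# Record every non-symlink entry under $1 that has other-write set, into $2.
snapshot_ow() {
    find "$1" ! -type l -perm -0002 -print | sort > "$2"
}

# Print entries from baseline $1 that still exist but have lost other-write.
lost_ow() {
    while IFS= read -r path; do
        [ -e "$path" ] || continue
        # -prune keeps find from descending if the entry is a directory
        if [ -z "$(find "$path" -prune -perm -0002 -print)" ]; then
            printf '%s\n' "$path"
        fi
    done < "$1"
}

# Put other-write back only on the entries the baseline says had it.
restore_ow() {
    lost_ow "$1" | while IFS= read -r path; do
        chmod o+w "$path"
    done
}

# Constructed demo: two plain files stand in for device nodes.
demo_ow() {
    d=$(mktemp -d) || return 1
    touch "$d/rw_node" "$d/ro_node"
    chmod 666 "$d/rw_node"
    chmod 644 "$d/ro_node"
    snapshot_ow "$d" "$d.baseline"     # taken before the hardening pass
    chmod -R o-w "$d"                  # the errant command
    lost_ow "$d.baseline" | sed 's|.*/||'
    restore_ow "$d.baseline"           # ro_node stays without o+w
    rm -rf "$d" "$d.baseline"
}
```

Keep the baseline file outside the tree being changed, and take it before the hardening command runs; it cannot be reconstructed afterwards.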
