2007/02/22

Solaris rescue CD to change a forgotten root password

1) Boot off the Device Configuration Assistant with the install CD in the drive.

2) When the install process gets to "choose type of installation":
1) Interactive
2) Jump Start
3) Web Start

type: boot cdrom -s

(Or, if all you can do is get to the PROM with Stop-A or Ctrl-Break, type boot cdrom -s there.)

3) When you get the root prompt you are in single user mode, running from the CD; the disk's root slice is not mounted yet.

4) Create a mount point: # mkdir /mnt

5) Mount the root slice: # mount /dev/dsk/c0d0s0 /mnt
(or whatever the device is called).
5b) If the filesystem is corrupted, you may need to fsck /dev/rdsk/c0d0s0... before you can mount it.
(/dev/dsk/* for mount, /dev/rdsk/* for fsck. /etc/vfstab will tell you which device name to use.)
6) Set the TERM variable so vi works: # TERM=AT386; export TERM
(AT386 is the Solaris x86 console type; on a serial console use vt100 or whatever your terminal emulates.)

7) Edit the shadow file on the mounted root slice (not the rescue environment's own /etc/shadow) and clear the password field for root:
# vi /mnt/etc/shadow
e.g. root:sdfgsdSDGS3832:6445:::::: becomes root::6445:::::: (remove everything between the first two colons and leave the other fields alone).

8) # sync;umount /mnt; sync;reboot

9) When the system comes back up you should be able to log in as root on the console without a
password.

10) Immediately set a new one with # passwd

Note that this works for anyone with physical access and bootable media, which is the whole lesson: the only real protection is controlling who can boot the box (an OpenBoot PROM password via security-mode on SPARC, a BIOS password on x86, and a locked rack).
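
Step 7 done without an interactive editor, as an added example that is not part of the original note: the function below blanks the password field of one account in a shadow-format file and leaves the other eight fields untouched. It assumes the root slice is mounted on /mnt as in step 5 (so the real target is /mnt/etc/shadow) and, on Solaris, that AWK points at nawk or /usr/xpg4/bin/awk, since the old /usr/bin/awk has no -v option. The shadow lines it is shown on are constructed, with a made-up hash.

```shell
#!/bin/sh
# Added example (not from the original note): step 7 done without vi.
# Clears the password field of one account in a shadow(4)-format file and
# leaves the other eight fields alone. Assumes the root slice is mounted on
# /mnt as in step 5, so the real target would be /mnt/etc/shadow; the sample
# file below is constructed, with a fake hash.
# On Solaris set AWK=nawk (or /usr/xpg4/bin/awk): /usr/bin/awk lacks -v.

clear_shadow_password() {
    # $1 = shadow file, $2 = account (default root)
    file=$1
    user=${2:-root}
    tmp="$file.tmp.$$"
    # rebuild each record with ":" as the output separator so the field
    # count stays at nine; only the named account's second field changes
    ${AWK:-awk} -F: -v OFS=: -v u="$user" '$1 == u { $2 = "" } { print }' "$file" > "$tmp" &&
        chmod 400 "$tmp" &&
        mv "$tmp" "$file"
}

# Password field of one account, for checking the result (empty = no password).
password_field() {
    ${AWK:-awk} -F: -v u="$2" '$1 == u { print $2 }' "$1"
}

# Constructed sample shadow file (fake hashes); prints its path.
make_sample_shadow() {
    dir=$(mktemp -d)
    printf '%s\n' \
        'root:sdfgsdSDGS3832:6445::::::' \
        'daemon:NP:6445::::::' \
        'jake:$1$abcdefgh$ijklmnopqrstuvwxyz012:13500:7:91:7:::' > "$dir/shadow"
    chmod 400 "$dir/shadow"
    echo "$dir/shadow"
}
```

The file is rewritten to a temporary copy next to it and then moved over the original, so on a real system check with ls -l /mnt/etc/shadow that owner and mode are what they were before you reboot.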

2007/02/16

sudo: sudoers examples

Sudo can be used to allow users to execute certain commands as other users (including root) on certain machines, with logging.

Edit the sudoers file with visudo, which locks the file and checks the syntax before installing it. Note that to execute many system commands, your PATH will need to include /sbin:/usr/sbin

See what access is allowed with "sudo -l".

The best example file I found was at http://www.gratisoft.us/sudo/sample.sudoers , except that it uses "!" to exclude commands, which is pointless: a user who may run ALL except /bin/su can copy su to another name and run that instead (the sudoers manual itself warns against subtracting commands from ALL).

## Sample sudoers file ##
# *** Host_Alias specifications ***
# Host_Alias seems not to be useful, unless you have a
# global sudoers file that is replicated across multiple hosts.

# make LOCAL mean localhost (probably a bad idea, as this will allow it to run on any machine that has the sudoers file)
Host_Alias LOCAL = 127.0.0.1
# Anywhere that "LAN" is specified, these hosts apply:
Host_Alias LAN = ahost.mycompany.com, anotherhost.mycompany.com

# *** User_Alias specifications ***
# User_Alias allows you to group users. (better to use AD/NIS groups, for global/central management?)
# MAILADMINS user alias refers to users dick and jane
User_Alias MAILADMINS = dick, jane

# *** Runas_Alias specifications ***
# This specifies an alias or grouping of whom a command can be run as.
Runas_Alias SOMEONE = larry, tom

# *** Cmnd_Alias specifications ***
# alias or group commands (full paths are required) to make the privilege specs easier to read.
Cmnd_Alias SU = /bin/su

Cmnd_Alias SMTP = /sbin/service postfix stop, /sbin/service postfix start, /sbin/service postfix status
Cmnd_Alias REBOOT = /usr/bin/reboot, /sbin/shutdown -r now

# *** Defaults specification ***
# let user john.doe run his allowed commands without entering a password
# (there is no "nopasswd" option: the per-user flag is !authenticate, and the
# per-command tag is NOPASSWD: as in the jake,jim line further down)
Defaults:john.doe !authenticate
# user kate's authentication never times out, the GOO variable is kept in the
# command's environment, commands run as linda unless -u says otherwise, and
# she must always give root's password rather than her own
Defaults:kate timestamp_timeout=-1, env_keep+="GOO", runas_default=linda, rootpw
# user jim must enter a password every time (no timestamp), gets one attempt, and
# the password asked for is that of the runas_default user (root unless changed);
# use targetpw instead to ask for the password of whatever user was given with -u
Defaults:jim timestamp_timeout=0, runaspw, passwd_tries=1
# global defaults: log to a specific file, with the year in the timestamps.
Defaults logfile=/var/log/sudo.log, log_year

# *** User Privilege specification ***
# This is where we actually say who, where and as whom can do what:
#
# user or %group hostname = (runas_user) command
#
# by default, root can do all commands as all users

root ALL=(ALL) ALL

# users jake and jim, on localhost, can execute crond without entering a password. (probably a bad idea)

jake,jim LOCAL = NOPASSWD: /sbin/service crond restart

# allow MAILADMINS on the LAN hosts to run the SMTP commands as root, and the REBOOT
# commands as one of SOMEONE (larry or tom, chosen with -u). A (runas) list applies
# to the commands that follow it, not to the whole line.

MAILADMINS LAN = (root) SMTP, (SOMEONE) REBOOT

# members of the group "wheel" can run, on all hosts, all commands as all users

%wheel ALL=(ALL) ALL
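
Before copying a file like this into place it is worth a mechanical check for the mistakes that are easy to make in it: a "Default:" typo for "Defaults" (sudo refuses to run on a sudoers parse error), a "!" exclusion of the kind criticised above, and NOPASSWD: ALL. The script below is an added example, not from this page or from the sudo project; it is a line-by-line smell test rather than a parser, the sample file it checks is constructed, and visudo -c -f FILE remains the authoritative syntax check.

```shell
#!/bin/sh
# Added example (not from the original page): a pre-flight check for a sudoers
# file that flags the policy mistakes discussed above. It is a line-by-line
# smell test, not a parser; run "visudo -c -f FILE" for the real syntax check.
# Assumes one directive per line (no backslash continuations).

# Prints one finding per line; returns 1 if anything was flagged, 0 if clean.
audit_sudoers() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blank lines
        { sub(/[ \t]+#.*$/, "") }                 # trailing comments
        # "Default:" and "Default " are not keywords; sudo only knows "Defaults"
        /^Default[ \t:@>!]/ {
            printf "line %d: \"Default\" is not a keyword, use \"Defaults\"\n", NR; found = 1
        }
        # a "!" in a user specification excludes a host, user or command; for
        # commands this is bypassable, since the user can copy the binary
        !/^Defaults/ && (/![ \t]*[A-Z]/ || /![ \t]*\//) {
            printf "line %d: \"!\" exclusion is bypassable by copying the binary elsewhere\n", NR; found = 1
        }
        # NOPASSWD on ALL is unauthenticated root for that user or group
        /NOPASSWD:[ \t]*ALL/ {
            printf "line %d: NOPASSWD with ALL grants unauthenticated full access\n", NR; found = 1
        }
        END { exit found ? 1 : 0 }
    ' "$1"
}

# Constructed sample: the shape of the file above, plus deliberate mistakes
# on lines 3 and 8. Prints the path of the temporary file.
write_sample_sudoers() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample sudoers, not a real system file
Cmnd_Alias SU = /bin/su
Default:john.doe nopasswd
Defaults:kate timestamp_timeout=-1, !authenticate
Defaults logfile=/var/log/sudo.log, log_year
root ALL=(ALL) ALL
%wheel ALL=(ALL) ALL
jim ALL=(ALL) NOPASSWD: ALL, !SU
EOF
    echo "$f"
}
```

On the sample the audit reports the "Default:" line and, twice, the jim line (once for NOPASSWD: ALL, once for !SU), while "!authenticate" in a Defaults line is correctly left alone. Because it works on raw lines it will also flag a "!" host or user negation; those are not bypassable in the same way, but they are rare enough that looking at them is no hardship.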

Silver Bullet for booting Linux on legacy hardware

My friend Jake (aka the |-,@[V](V)3|2) gave me this tip for booting newer Linux kernels on older hardware:

Enter this at the boot prompt instead of just pressing Enter to boot:

linux acpi=off noapic nolapic

(acpi=off disables ACPI, noapic the I/O APIC and nolapic the local APIC, all of which old boards and BIOSes often implement badly.)

2007/02/14

SELinux tips

Here are some really good SELinux resources:

http://www.linuxsecurity.com/content/view/120567/49/
http://www.linuxsecurity.com/content/view/120622/49/
http://www.linuxsecurity.com/content/view/120700/49/
http://www.linuxsecurity.com/content/view/120837/169/
http://www.it-observer.com/articles.php?id=1013

Touch up a folder for Apache to access (change the file context labels recursively):
chcon -R -t httpd_sys_content_t /path/to/folder

Touch up a folder for Samba to access (change the file context labels recursively):
chcon -R -t samba_share_t /backups

Note that chcon only rewrites the labels on the inodes; the next restorecon or boot-time relabel (below) puts the policy defaults back, so a label that has to stay also needs an entry in the file-context database.


To reset the labels on all mounted filesystems:
restorecon -Rv /

If you need the filesystems to be relabeled on bootup, do this and then reboot:
touch /.autorelabel
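
The chcon commands above change only the on-disk labels, so a relabel (restorecon -Rv / or /.autorelabel, as just described) will undo them. The persistent form is to record the type in the file-context database and then let restorecon apply it. The helper below is an added example, not from this page or from the SELinux tools: semanage fcontext, restorecon, matchpathcon, selinuxenabled and stat are real commands (policycoreutils and coreutils), the shell functions around them are ours, and /backups and samba_share_t are just the page's example path and type.

```shell
#!/bin/sh
# Added example (not from the original page). chcon alone is undone by the next
# relabel; semanage fcontext records the type for a path pattern so that
# restorecon (and /.autorelabel) will apply it from then on.
# Real commands: semanage, restorecon, matchpathcon, selinuxenabled, stat.
# The functions and the /backups example are ours.

# Print the two commands that make TYPE the persistent label for DIR and its
# contents. "(/.*)?" after the directory is the usual file_contexts pattern
# covering the directory itself and everything under it.
label_cmds() {
    dir=$1
    type=$2
    case $dir in
        /*) ;;
        *)  echo "label_cmds: $dir is not an absolute path" >&2; return 2 ;;
    esac
    dir=${dir%/}          # a trailing slash would break the pattern
    if [ -z "$dir" ]; then
        echo "label_cmds: refusing to relabel /" >&2
        return 2
    fi
    printf '%s\n' \
        "semanage fcontext -a -t $type \"$dir(/.*)?\"" \
        "restorecon -Rv $dir"
}

# Run those commands where SELinux is enabled; elsewhere just show them.
persist_label() {
    cmds=$(label_cmds "$1" "$2") || return $?
    if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled; then
        printf '%s\n' "$cmds" | sh -e
    else
        printf '%s\n' "$cmds"
    fi
}

# Does the type currently on PATH match what policy now says it should be?
# (the type is the third field of user:role:type:level)
label_ok() {
    want=$(matchpathcon -n "$1" | cut -d: -f3)
    have=$(stat -c %C "$1" | cut -d: -f3)
    [ -n "$want" ] && [ "$want" = "$have" ]
}
```

On a machine without SELinux, persist_label prints the two commands instead of running them, which is also a convenient way to review them before touching a production box. label_ok compares the type policy expects (matchpathcon) with the one actually on the file (stat -c %C) and is only meaningful where SELinux is enabled.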

To boot once in permissive mode (policy loaded, denials logged but not blocked), add enforcing=0 to the kernel boot line; selinux=0 turns SELinux off completely for that boot.

To get the kernel's enforcement status:
getenforce

To change the kernel's enforcement status to "permissive" (aka log-only):
setenforce 0
To change the kernel's enforcement status to "enforcing" (aka block access):
setenforce 1
(setenforce only lasts until the next boot; edit the SELINUX= line in /etc/selinux/config to make the change persistent.)