Creating a basic padded cell

Unix Insider –

As regular readers of Unix Insider probably know, Peter Galvin has abdicated as Unix Insider's security czar to start a new system administration column for this magazine. Following Peter's lead, this column will continue to provide practical, technical information about computer security based on real-world experiences.

I'm currently working as an independent security consultant in the New York financial market. This gives me the opportunity to design and implement solutions in different environments in parallel. Because every environment is unique, it's possible that something that worked out great for me will be totally wrong for you. There's no single solution or product that is optimal for all people at all times. My goal is to provide the gory technical details of problems encountered and solutions that have worked in most environments.

As has been discussed numerous times, most security problems are the result of human negligence. If more programmers followed the advice set forth in Peter's April 1998 column, there wouldn't be as much to write about here. I've worked with developers who refuse to even follow basic source code control such as SCCS. Unfortunately, system administrators often have no control over the development environment and are unable to impose proper development procedures.

What the administrator can do is to consider the application suspect and place it in a padded cell using chroot.

I cowrote with Peter the May and June 1998 Security columns, which described the installation of a Web server in a padded cell environment that my partner, Jonathan Klein, and I installed at a client site. I was rather surprised at all the feedback complaining that padded cells are too difficult to set up correctly. While it's true that there's a lot of technical detail involved in creating a padded cell, and while it certainly isn't a procedure for novices, it is worthwhile to learn since it's a proven procedure that has been used for years. To help make the learning process easier, this column includes scripts written by Jonathan to create a basic padded cell.

Creating a basic padded cell

A padded cell is a unique environment specifically tailored for an application. As such, these scripts probably won't work for your particular application -- you'll need to edit the sample list files. We've used these to configure the Netscape server, Sendmail, FTP, and list servers, and we edit the list files each time.

Sample padded cell scripts

The following shell scripts can be used (with modification) to create a basic padded cell:

The shell scripts use the following ASCII input files:

There's also a C program to create the proper device permissions:

You can click on the links above to see the scripts; I'll also provide quick explanations of them below.

make_cell

This is a top-level master script that calls and runs all the other scripts.

mkdir_cell

This script creates the directory structure needed to simulate a mini-Unix operating environment. It creates directories such as /etc, /usr, /lib, /usr/lib, and so on. The script decides which directories to create based on the input file, dirlist. The file provided here is an example only and needs to be edited for your particular application.

mksymdir_cell

This script makes all the required symbolic links for directories. For example, it will create the symbolic link from $root/bin to $root/usr/bin. The input file for this script is symdirlist.

mkdev_cell

This script creates the devices in the cell directory that will be required by the application. It also creates the symbolic links as required. The input file for this script is devlist. Be very careful to edit this file and include only the devices you will need. Remember, the devices listed are only a guide. This script also uses a C program, mkperm.c, to set the correct permissions for the devices.

cpfile_cell

This script copies into the cell the system files you will need to run the application. The input file is filelist.

Important note! Some of the files that are copied in must be modified to remove information you don't want public, such as the root password.

Files that must be modified include:

  • passwd and shadow: These files need to be in the cell so the application will work. However, they need to be stripped of all the user data that isn't needed in the cell. Although the root account should be in the cell's passwd and shadow files, the password data is meaningless and must not be valid. The real root account works outside the cell.
  • hosts and services: Again, just put in here what you need in the cell, although a cracker could easily find out what services you are running by running portscan.

Additional files, such as nsswitch.conf and inetd.conf,

may need to be modified.

mksymfile_cell

This script creates all the file symbolic links that are required such as the lib.so files. The input file is symfilelist.

Using the scripts

It is highly recommended that you run this on a test system first if you are unfamiliar with chroot. If you are installing a padded cell for production use, you should have it reside on a dedicated filesystem. For testing and/or learning purposes, you can just make a directory in a filesystem with sufficient space.

Copy the scripts into /usr/local/bin. In this directory, make a directory called lists and copy in the five list files (dirlist, symdirlist, devlist, filelist and symfilelist). Edit the list files accordingly. To find out which libraries the application needs, run ldd on the application. For example:

<font face="Courier">
# ldd /usr/lib/sendmail
        libresolv.so.2 =>        /usr/lib/libresolv.so.2
        libsocket.so.1 =>        /usr/lib/libsocket.so.1
        libnsl.so.1 =>   /usr/lib/libnsl.so.1
        libkstat.so.1 =>         /usr/lib/libkstat.so.1
        libc.so.1 =>     /usr/lib/libc.so.1
        libdl.so.1 =>    /usr/lib/libdl.so.1
        libdl.so.1 (SUNW_0.7) =>         (version not found)
        libdl.so.1 (SISCD_2.3) =>        (version not found)
        libintl.so.1 =>  /usr/lib/libintl.so.1
        libmp.so.1 =>    /usr/lib/libmp.so.1
        libdl.so.1 (SUNW_0.7) =>         (version not found)
        libdl.so.1 (SUNWprivate_1.1) =>  (version not found)
        libdl.so.1 (SISCD_2.3) =>        (version not found)
        libw.so.1 =>     /usr/lib/libw.so.1
#
</font>

If you're creating a production cell, make a filesystem just for the cell (e.g., /usr/local/cell) and mount it as /usr/local/cell (or whatever). If you're just using this for testing or learning purposes, it isn't necessary to make a separate filesystem. For test purposes, I'm using a directory, /tmp/cell_test as an example.

<font face="Courier">
# /usr/local/bin/make_cell  /usr/local/bin/lists  /tmp/cell_test
Make Directory Entries
Make Directory Symbolic Links
Make Device Entries
Copying Files
Make File Symbolic Links
Padded Cell creation complete
#

# ls -lR /tmp/cell_test 
</font>

(Click here if you want to see the output of

<font face="Courier">ls -l</font>
in the example above.)

Don't forget to clean up /etc/passwd and /etc/shadow! Also check all the other system files that were copied in. In this case, I copied in /bin/sh to use as an example. If you don't need it in the cell, remove it.

Here's a basic example of how the cell works:

<font face="Courier">
# pwd
/usr/local/bin
# /usr/sbin/chroot  /tmp/cell_test  /bin/sh
# pwd
/
# cd /usr/bin
# ./ls
./ls: not found
# /usr/bin/ls
/usr/bin/ls: not found
[control-D]
# pwd
/usr/local/bin
</font>

Because I didn't copy /usr/bin/ls into the cell, it isn't found when I run /bin/sh under chroot.

Copy the application binaries into the cell. For an application that needs to be built, run the build outside the cell because it will require system resources for the build that aren't necessary to run the application. When you copy the binaries in, remember that you are considering the directory /tmp/cell_test to be root (/). For example, Sendmail would be copied in to /tmp/cell_test/usr/lib/sendmail. Make sure the appropriate permissions are set.

<font face="Courier">
# cp -p /usr/lib/sendmail  tmp/cell_test/usr/lib
# ls -l  /tmp/cell_test/usr/lib/sendmail
r-sr-x--x   1 root     bin       378264 Dec  6 15:09 /tmp/cell_test/usr/lib/sendmail
</font>

Test to make sure the application works in the cell:

<font face="Courier">
# /usr/sbin/chroot  /tmp/cell_test  /usr/lib/sendmail  -bt
ld.so.1: /usr/lib/sendmail: fatal: libresolv.so.2: open failed: No such file or
directory
Killed
</font>

Sometimes the errors are pretty obvious, as in the example above. For the more obscure errors, use truss as follows:

<font face="Courier">
 mount /proc as a loopback filesystem for debugging purposes:
# mkdir /tmp/cell_test/proc
# mount -F lofs /proc  /tmp/cell_test/proc
# cp  /usr/bin/truss  /tmp/cell_test/usr/bin/truss
	# /usr/sbin/chroot  /tmp/cell_test /usr/bin/truss  /usr/lib/sendmail 2>& 1 | tee>/tmp/out
	# more  /tmp/out

execve("/usr/lib/sendmail", 0xEFFFFE28, 0xEFFFFE30)  argc = 1
open("/dev/zero", O_RDONLY)                     = 3
mmap(0x00000000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, 
MAP_PRIVATE, 3, 0) = 0xEF
7C0000
open("/usr/lib/libresolv.so.2", O_RDONLY)       Err#2 ENOENT
ld.so.1: /usr/lib/sendmail: fatal: libresolv.so.2: open failed: No such file or
directory
write(2, " l d . s o . 1 :   / u s".., 90)      = 90
getpid()                                        = 23561 [23559]
        *** process killed *** +
</font>

In this case, I'm missing libresolv.so.2. (Actually, I removed it to generate the error.) Using truss can be rather painful, but it's very helpful in identifying missing devices.

Once you get all the libraries and devices the application needs in the cell, test it again to see what else it may need:

<font face="Courier">
	# /usr/sbin/chroot /tmp/cell_test /usr/lib/sendmail -bt

/etc/sendmail.cf: line 59: fileclass: cannot open /etc/mail/sendmail.cw: No such
 file or directory
dbm map "Alias0": missing map file /etc/mail/aliases: No such file or directory
WARNING: cannot open alias database /etc/mail/aliases; reading text version
ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
Enter <ruleset> <address>
>[control-D]
</font>

The cell is missing some files that Sendmail needs, such as /etc/mail/aliases and /etc/sendmail.cw. (I previously copied in a basic /etc/sendmail.cf file.) As always, check any file you copy into the cell to make sure it's something you want public. After you have the required files for the application, try it again:

<font face="Courier">
# /usr/sbin/chroot /tmp/cell_test /usr/lib/sendmail -bt
ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
Enter <ruleset> <address>
> 3,0,4 fennelly@wkeys.com
rewrite: ruleset   3   input: fennelly @ wkeys . com
rewrite: ruleset  96   input: fennelly < @ wkeys . com >
rewrite: ruleset  96 returns: fennelly < @ wkeys . com . >
rewrite: ruleset   3 returns: fennelly < @ wkeys . com . >
rewrite: ruleset   0   input: fennelly < @ wkeys . com . >
rewrite: ruleset 199   input: fennelly < @ wkeys . com . >
rewrite: ruleset 199 returns: fennelly < @ wkeys . com . >
rewrite: ruleset  98   input: fennelly < @ wkeys . com . >
rewrite: ruleset  98 returns: $# local $: fennelly
rewrite: ruleset   0 returns: $# local $: fennelly
rewrite: ruleset   4   input: $# local $: fennelly
rewrite: ruleset   4 returns: $# local $: fennelly
> 3,0,4 user@unixinsider.com
rewrite: ruleset   3   input: user @ unixinsider . com
rewrite: ruleset  96   input: user < @ unixinsider . com >
rewrite: ruleset  96 returns: user < @ unixinsider . com . >
rewrite: ruleset   3 returns: user < @ unixinsider . com . >
rewrite: ruleset   0   input: user < @ unixinsider . com . >
rewrite: ruleset 199   input: user < @ unixinsider . com . >
rewrite: ruleset 199 returns: user < @ unixinsider . com . >
rewrite: ruleset  98   input: user < @ unixinsider . com . >
rewrite: ruleset  98 returns: $# smtp $@ firebox $: user < @ unixinsider . com . >
rewrite: ruleset   0 returns: $# smtp $@ firebox $: user < @ unixinsider . com . >
rewrite: ruleset   4   input: $# smtp $@ firebox $: user < @ unixinsider . com . >
rewrite: ruleset   4 returns: $# smtp $@ firebox $: user < @ unixinsider . com . >
>
</font>

At this point, it looks like my application is working and I can proceed with production testing. When the application is considered ready for production, the system startup files can be modified to start the application in the padded cell, as in a modified version of /etc/init.d/sendmail to start Sendmail in the padded cell. The modified startup of Sendmail could look something like this:

<font face="Courier">
	PADDED_CELL=/usr/local/cell
	/usr/sbin/chroot ${PADDED_CELL} /usr/lib/sendmail -bd -q15m
</font>

Conclusion

The downside of using chroot to create a padded cell is that it requires some technical sophistication. In a society geared towards point-and-click functionality, this is becoming rare. I'd like to help change that for those interested in learning more. Another criticism I've heard about using chroot involves vendor implementations. Often in a vendor implementation, the application is started with the full system resources. At a certain point, the application invokes the chroot system call. However, the application already has access to all the system resources, leaving you dependent on the vendor to not make any programming mistakes. I'd rather not make that assumption.

Next month

OK, I'll leave this one up to you: I'll either talk about audits from hell or how to configure Sendmail 8.9.2 for a firewall. First e-mail from a reader decides the vote!

Disclaimer: The information and software in this article are provided as-is and should be used with caution. Each environment is unique and the reader is cautioned to investigate with his or her company as to the feasibility of using the information and software in the article. No warranties, implied or actual, are granted for any use of the information and software in this article and neither author nor publisher is responsible for any damages, either consequential or incidental, with respect to use of the information and software contained herein.

 

make_cell script

<font face="Courier">
#!/bin/ksh
#
#  Copyright 1998 - Jonathan Klein, Wizards Keys Corporation, All Rights 
#  Reserved.
#
#  Top-level script to make a padded cell. The following scripts and lists
#  are also required to build the padded cell. Please note: The lists that
#  are included here were used on a Solaris 2.5.1 system running Netscape
#  suitespot and Sendmail 8.8.8. These lists are fluid and may change for 
#  other applications. You will have to play with the lists until you get
#  what you are looking for in a padded cell.
#
#  The following is a list of scripts and lists that are used:
#
#  Script        List    Aux_Pgm   Description
#  ------        ----    -------   -----------
#  mkdir_cell    dirlist           Make the padded cell directory structure.
#  mksymdir_cell symdirlist        Create any directory symbolic links.
#  mkdev_cell    devlist mkperm    Create devices and dev directory. The script
#                                  will set the ownership and permission of
#                                  the devices to the exact same values as is
#                                  in the real devices and dev directories
#  cpfile_cell   filelist          Copy in all necessary files into padded cell
#  mksymfile_cell symfilelist      Make any file symbolic links (e.g., .so files)
#
# Note: If you upgrade the system or load any patches, you may need to rebuild
# the padded cell so these files are updated to the new ones. I Found
# that if I delete dev, devices, and lib, the padded cell remakes successfully.
# Good luck.
#
# DISCLAIMER: These scripts are provided AS IS. No warranty of merchantibility
# or fitness for a particular purpose is granted. User uses these scripts at
# his or her own risk and author accepts no responsibility whatsoever for any
# damages, either consequential or incidental, for their use. User may freely
# distribute these scripts without restrictions as long as this disclaimer
# is not removed from the script.

# Make sure the root directory and directory containing lists are not empty

if [ "$1" = ""  -o "$2" = "" ]
then
	echo "Usage: make_cell listdir root_dir"
fi
# Make top level root directory

if [ ! -d $2 ]
then
	/usr/bin/mkdir -p $2
	if [ $? -ne 0 ]
	then
		print "Could make directory $2"
		exit 2
	fi
fi

# Make subdirectory entries

echo "Make Directory Entries"
/usr/local/bin/mkdir_cell $1/dirlist $2

# Make any directory symbolic links

echo "Make Directory Symbolic Links"
/usr/local/bin/mksymdir_cell $1/symdirlist $2

# Make the devices and dev directory

echo "Make Device Entries"
/usr/local/bin/mkdev_cell $1/devlist $2

# Copy the system files into the padded cell

echo "Copying Files"
/usr/local/bin/cpfile_cell $1/filelist $2

# Symbolically link any required files

echo "Make File Symbolic Links"
/usr/local/bin/mksymfile_cell $1/symfilelist $2

echo "Padded Cell creation complete"
</font>

Return to script list

 

mkdir_cell script

<font face="Courier">
#!/bin/ksh
#
# Copyright 1998 - Jonathan Klein, Wizards Keys Corporation, All Rights 
# Reserved.
#
# mkdir_cell -- Make padded cell directory structure
#
# Parameters:
# $1 - List of directory entries
# $2 - Root directory of entries
#
# DISCLAIMER: These scripts are provided AS IS. No warranty of merchantibility
# or fitness for a particular purpose is granted. User uses these scripts at
# his or her own risk and author accepts no responsibility whatsoever for any
# damages, either consequential or incidental, for their use. User may freely
# distribute these scripts without restrictions as long as this disclaimer
# is not removed from the script.

list=$1
root=$2

if [ "$list" = "" -o "$root" = "" ]
then
	print "$0: Directory and List variable must be populated"
	exit 1
fi
if [ ! -f $list ]
then
	print "Cannot open directory list"
	exit 2
fi
if [ ! -d $root  -o ! -w $root ]
then
	print "Root Variable must be an existing directory and be writable"
	exit 3
fi

# Cycle through the list and create each sub directory

cat $list | while :
do
	x=`/usr/bin/line`

#	Get a directory entry

	if [ "$x" = "" ]
	then
		break
	fi

#	Make the directory

	/usr/bin/mkdir -p $2/$x
done
</font>

Return to script list

 

mksymdir_cell script

<font face="Courier">
#!/bin/ksh
#
# Copyright 1998 - Jonathan Klein, Wizards Keys Corporation, All Rights 
# Reserved.
#
# mkdir_cell - Make padded cell directory structure
#
# Parameters:
# $1 - List of directory entries
# $2 - Root directory of entries
#
# DISCLAIMER: These scripts are provided AS IS. No warranty of merchantibility
# or fitness for a particular purpose is granted. User uses these scripts at
# his or her own risk and author accepts no responsibility whatsoever for any
# damages, either consequential or incidental, for their use. User may freely
# distribute these scripts without restrictions as long as this disclaimer is not
#removed from the script.

list=$1
root=$2

if [ "$list" = "" -o "$root" = "" ]
then
	print "$0: Arguments 1 and/or 2 are null"
	exit 3
fi
if [ ! -f $list ]
then
	print "$0: Cannot open file symbolic link list"
	exit 1
fi
if [ ! -d $root -o ! -w $root ]
then
	print "$0: Root directory entry must be a writable directory"
	exit 2
fi
cat $list | while :
do
	x=`/usr/bin/line`
	if [ "$x" = "" ]
	then
		break
	fi
# Pull out the linker and the linkee
	y=$(echo $x | cut -f1 -d" ")
	z=$(echo $x | cut -f2 -d" ")
	if [ "$y" = "" -o "$z" = "" ]
	then
		continue
	fi
# The first argument (y) is the name of the file. The
# second argument (z) is the relative path/file name from the top of
# the padded cell root. The last component of the file is going to be
# the name of the symbolic link.
	( cd `dirname $root/$z`; /usr/bin/ln -s $y `basename $z` )
done
</font>

Return to script list

 

mkdev_cell script

<font face="Courier">
#!/bin/ksh
# Copyright 1998 - Jonathan Klein, Wizards Keys Corporation, All Rights 
# Reserved.
#
# mkdev_cell - Make padded cell dev and devices/pseudo directory
#
# Parameters:
# $1 - List of devices entries
# $2 - Root directory of dev and devices/pseudo
#
# DISCLAIMER: These scripts are provided AS IS. No warranty of merchantibility
# or fitness for a particular purpose is granted. User uses these scripts at
# his or her own risk and author accepts no responsibility whatsoever for any
# damages, either consequential or incidental, for their use. User may freely
# distribute these scripts without restrictions as long as this disclaimer
# is not removed from the script.

root=$2
list=$1

if [ "$list" = "" -o "$root" = "" ]
then
	exit
fi
if [ ! -f $list ]
then
	print "$0: Cannot open file device name list"
	exit 1
fi
if [ ! -d $root -o ! -w $root ]
then
	print "$0: Root directory entry must be a writable directory"
	exit 2
fi
cat $list | while :
do

#	Get a devices entry

	x=`/usr/bin/line`
	if [ "$x" = "" ]
	then
		break
	fi

# Get the real devices entry long list (get permission, owner group)

	e=$(ls -l /devices/pseudo/$x)
	if [ $? -ne 0 ]
	then
		continue
	fi
# Peel off permission string (e.g. crw-rw-rw)

	perm=$(echo $e | cut -f1 -d" ")

# Convert the string into an octal that chmod understands

	perm_num=$(/usr/local/bin/mkperm $perm)

# Peel off device type (first letter of permission

	dev_type=$(echo $perm | sed -e 's/\(.\).*/\1/')

# If the entry is not a block special or character special file, skip it

	if [ $dev_type != "c" -a $dev_type != "b" ]
	then
		continue;
	fi

# Peel off owner, group, major and minor device number off the long list

	owner=$(echo $e | cut -f3 -d" ")
	group=$(echo $e | cut -f4 -d" ")
	major=$(echo $e | cut -f5 -d" " | sed -e 's/,.*//')
	minor=$(echo $e | cut -f5 -d" " | sed -e 's/.*,//')

# If for some reason, this device has none, skip it.

	if [ "$minor" = "" -o "$minor" = " " ]
	then
		minor=$(echo $e | cut -f6 -d" ")
	fi

# Make the entry with the type, major and minor number and set the ownership
# group and permissions of the entry

	/usr/sbin/mknod $2/devices/pseudo/$x $dev_type $major $minor
	/usr/bin/chown $owner $2/devices/pseudo/$x
	/usr/bin/chgrp $group $2/devices/pseudo/$x
	/usr/bin/chmod $perm_num $2/devices/pseudo/$x

# Strip off the everything before the colon (e.g., mm@0:null to null)

	y=$(echo $x | sed -e "s/\(.*\):\(.*\)/\2/")

# Link the entry to the dev directory
	(cd $2/dev; /usr/bin/ln -s ../devices/pseudo/$x $y)

done
</font>

Return to script list

 

cpfile_cell script

<font face="Courier">
#!/bin/ksh
#
# Copyright 1998 - Jonathan Klein, Wizards Keys Corporation, All Rights 
# Reserved.
#
# cpfile_cell - Copy files into padded cell
#
# Parameters:
# $1 - List of File entries to copy
# $2 - Root directory of padded cell
#
# DISCLAIMER: These scripts are provided AS IS. No warranty of merchantibility
# or fitness for a particular purpose is granted. User uses these scripts at
# his or her own risk and author accepts no responsibility whatsoever for any
# damages, either consequential or incidental, for their use. User may freely
# distribute these scripts without restrictions as long as this disclaimer
# is not removed from the script.

list=$1
root=$2

if [ "$list" = "" -o "$root" = "" ]
then
	print "$0: Arguments 1 and/or 2 are null"
	exit 3
fi
if [ ! -d $root -o ! -w $root ]
then
	print "$0: Padded cell root has to be a writable directory"
	exit 1
fi

if [ ! -f $list -o ! -r $list ]
then
	print "$0: Cannot open copy file list"
	exit 2
fi
cat $list | while :
do
	x=`/usr/bin/line`
	if [ "$x" = "" ]
	then
		break
	fi
	/usr/bin/cp $x $root/$x
done
</font>

Return to script list

 

mksymfile_cell script

<font face="Courier">
#!/bin/ksh
#
# Copyright 1998 - Jonathan Klein, Wizards Keys Corporation, All Rights 
# Reserved.
#
# mksymfile_cell - Make padded cell symbolic file list
#
# Parameters:
# $1 - List of file symbolic links
# $2 - Root directory of entries
#
# DISCLAIMER: These scripts are provided AS IS. No warranty of merchantibility
# or fitness for a particular purpose is granted. User uses these scripts at
# his or her own risk and author accepts no responsibility whatsoever for any
# damages, either consequential or incidental, for their use. User may freely
# distribute these scripts without restrictions as long as this disclaimer
#is not removed from the script.

list=$1
root=$2

if [ "$list" = "" -o "$root" = "" ]
then
	exit
fi
if [ ! -f $list ]
then
	print "$0: Cannot open file symbolic link list"
	exit 1
fi
if [ ! -d $root -o ! -w $root ]
then
	print "$0: Root directory entry must be a writable directory"
	exit 2
fi
cat $list | while :
do
	x=`/usr/bin/line`
	if [ "$x" = "" ]
	then
		break
	fi
# Pull out the linker and the linkee

	y=$(echo $x | cut -f1 -d" ")
	z=$(echo $x | cut -f2 -d" ")

# Skip if the entry is invalid

	if [ "$y" = "" -o "$z" = "" ]
	then
		continue
	fi
# The first argument (y) is the name of the file. The
# second argument (z) is the relative path/file name from the top of
# the padded cell root. The last component of the file is going to be
# the name of the symbolic link.
	( cd `dirname $root/$z`; /usr/bin/ln -s $y `basename $z` )
done
</font>

Return to script list

 

dirlist file

<font face="Courier">
dev
devices/pseudo
etc
etc/default
etc/inet
usr/lib
usr/share/lib/zoneinfo/US
usr/bin
usr/local/bin
usr/local/etc
var/spool/list
tmp
</font>

Return to script list

 

symdirlist file

<font face="Courier">
usr/lib lib
usr/bin bin
</font>

Return to script list

 

devlist file

<font face="Courier">
clone@0:ip
clone@0:tcp
clone@0:udp
clone@0:zsh
cn@0:console
cn@0:syscon
cn@0:systty
log@0:conslog
mm@0:null
mm@0:zero
sy@0:tty
tl@0:ticlts
tl@0:ticots
tl@0:ticotsord
</font>

Return to script list

 

filelist file

<font face="Courier">
/etc/passwd
/etc/shadow
/etc/group
/etc/resolv.conf
/etc/inet/hosts
/etc/inet/inetd.conf
/etc/inet/netmasks
/etc/inet/networks
/etc/inet/protocols
/etc/inet/services
/etc/nsswitch.conf
/etc/netconfig
/etc/ttysrch
/etc/syslog.pid
/etc/default/init
/usr/lib/ld.so
/usr/lib/ld.so.1
/usr/lib/libdl.so.1
/usr/lib/libelf.so.1
/usr/lib/libintl.so.1
/usr/lib/libnsl.so.1
/usr/lib/libresolv.so.1
/usr/lib/libsocket.so.1
/usr/lib/libw.so.1
/usr/lib/libc.so.1
/usr/lib/libkstat.so.1
/usr/lib/libmp.so.1
/usr/lib/libthread.so.1
/usr/lib/nss_dns.so.1
/usr/lib/nss_files.so.1
/usr/lib/libc2.so.1
/usr/lib/libc2stubs.so.1
/usr/lib/libresolv.so.2
/usr/lib/libthread_db.so.1
/usr/lib/libposix4.so.1
/usr/lib/libm.so.1
/usr/lib/libmp.so.1
/usr/share/lib/zoneinfo/US/Eastern
/bin/sh
</font>

Return to script list

 

symfilelist file

<font face="Courier">
./inet/hosts etc/hosts
./inet/inetd.conf etc/inetd.conf
./inet/netmasks etc/netmasks
./inet/networks etc/networks
./inet/protocols etc/protocols
./inet/services etc/services
./default/init etc/TIMEZONE
libdl.so.1 usr/lib/libdl.so
libelf.so.1 usr/lib/libelf.so
libintl.so.1 usr/lib/libintl.so
libnsl.so.1 usr/lib/libnsl.so
libresolv.so.2 usr/lib/libresolv.so
libsocket.so.1 usr/lib/libsocket.so
libw.so.1 usr/lib/libw.so
libc.so.1 usr/lib/libc.so
libkstat.so.1 usr/lib/libkstat.so
libmp.so.1 usr/lib/libmp.so
libthread.so.1 usr/lib/libthread.so
nss_dns.so.1 usr/lib/nss_dns.so
nss_files.so.1 usr/lib/nss_files.so
libc2.so.1 usr/lib/libc2.so
libc2stubs.so.1 usr/lib/libc2stubs.so 
libthread_db.so.0 usr/lib/libthread_db.so 
libposix4.so.1 usr/lib/libposix4.so
libm.so.1 usr/lib/libm.so
</font>

Return to script list

 

mkperm.c program

<font face="Courier">
#include <stdio.h>
main(argc,argv)
int argc;
char **argv;
{
	int i;
	int perm = 0;
	if (argc !=2 ) {
		fprintf(stderr,"Usage: mkperm permstring\n");
		exit(1);
	}
	for (i = 1; i < 10; i++) {
		switch(argv[1][i]) {
			case 'r':
				perm += (04 << shift(i));
				break;
			case 'w':
				perm += (02 << shift(i));
				break;
			case 'x':
				perm += (01 << shift(i));
				break;
			case 's':
				perm += (i == 3) ? 04100 : 02010;
				break;
			case 'l':
				perm += (i == 3) ? 04000 : 02000;
				break;
			case 't':
				perm += 01001;
				break;
			case '-':
			default:
		}
	}
	printf("%o",perm);
}
shift(i)
{
	return((9 - i)/3*3);
}
</font>

Return to script list

 

Output of # ls -lR/tmp/cell_test

<font face="Courier">
/tmp/cell_test:
total 64
lrwxrwxrwx   1 root     other          7 Dec 28 12:28 bin -> usr/bin
drwxr-xr-x   2 root     other        600 Dec 28 12:28 dev
drwxr-xr-x   3 root     other        108 Dec 28 12:28 devices
drwxr-xr-x   4 root     other        764 Dec 28 12:28 etc
lrwxrwxrwx   1 root     other          7 Dec 28 12:28 lib -> usr/lib
drwxr-xr-x   2 root     other         69 Dec 28 12:28 tmp
drwxr-xr-x   6 root     other        217 Dec 28 12:28 usr
drwxr-xr-x   3 root     other        107 Dec 28 12:28 var
/tmp/cell_test/dev:
total 112
lrwxrwxrwx   1 root     other         31 Dec 28 12:28 conslog -> ../devices/pseu
do/log@0:conslog
lrwxrwxrwx   1 root     other         30 Dec 28 12:28 console -> ../devices/pseu
do/cn@0:console
lrwxrwxrwx   1 root     other         28 Dec 28 12:28 ip -> ../devices/pseudo/cl
one@0:ip
lrwxrwxrwx   1 root     other         27 Dec 28 12:28 null -> ../devices/pseudo/
mm@0:null
lrwxrwxrwx   1 root     other         29 Dec 28 12:28 syscon -> ../devices/pseud
o/cn@0:syscon
lrwxrwxrwx   1 root     other         29 Dec 28 12:28 systty -> ../devices/pseud
o/cn@0:systty
lrwxrwxrwx   1 root     other         29 Dec 28 12:28 tcp -> ../devices/pseudo/c
lone@0:tcp
lrwxrwxrwx   1 root     other         29 Dec 28 12:28 ticlts -> ../devices/pseud
o/tl@0:ticlts
lrwxrwxrwx   1 root     other         29 Dec 28 12:28 ticots -> ../devices/pseud
o/tl@0:ticots
lrwxrwxrwx   1 root     other         32 Dec 28 12:28 ticotsord -> ../devices/ps
eudo/tl@0:ticotsord	
lrwxrwxrwx   1 root     other         26 Dec 28 12:28 tty -> ../devices/pseudo/s
y@0:tty
lrwxrwxrwx   1 root     other         29 Dec 28 12:28 udp -> ../devices/pseudo/c
lone@0:udp
lrwxrwxrwx   1 root     other         27 Dec 28 12:28 zero -> ../devices/pseudo/
mm@0:zero
lrwxrwxrwx   1 root     other         29 Dec 28 12:28 zsh -> ../devices/pseudo/c
lone@0:zsh

/tmp/cell_test/devices:
total 8
drwxr-xr-x   2 root     other        683 Dec 28 12:28 pseudo

/tmp/cell_test/devices/pseudo:
total 0
crw-rw----   1 root     sys       11,  3 Dec 28 12:28 clone@0:ip
crw-rw-rw-   1 root     sys       11, 42 Dec 28 12:28 clone@0:tcp
crw-rw-rw-   1 root     sys       11, 41 Dec 28 12:28 clone@0:udp
crw-rw-rw-   1 root     sys       11, 71 Dec 28 12:28 clone@0:zsh
crw--w----   1 root     tty        0,  0 Dec 28 12:28 cn@0:console
crw--w----   1 root     tty        0,  0 Dec 28 12:28 cn@0:syscon
crw--w----   1 root     tty        0,  0 Dec 28 12:28 cn@0:systty
crw-rw-rw-   1 root     sys       21,  0 Dec 28 12:28 log@0:conslog
crw-rw-rw-   1 root     sys       13,  2 Dec 28 12:28 mm@0:null
crw-rw-rw-   1 root     sys       13, 12 Dec 28 12:28 mm@0:zero
crw-rw-rw-   1 root     tty       22,  0 Dec 28 12:28 sy@0:tty
crw-rw-rw-   1 root     sys      105,  2 Dec 28 12:28 tl@0:ticlts
crw-rw-rw-   1 root     sys      105,  0 Dec 28 12:28 tl@0:ticots
crw-rw-rw-   1 root     sys      105,  1 Dec 28 12:28 tl@0:ticotsord
/tmp/cell_test/etc:
total 136
lrwxrwxrwx   1 root     other         14 Dec 28 12:28 TIMEZONE -> ./default/init
drwxr-xr-x   2 root     other        106 Dec 28 12:28 default
-rw-r--r--   1 root     other        292 Dec 28 12:28 group
lrwxrwxrwx   1 root     other         12 Dec 28 12:28 hosts -> ./inet/hosts
drwxr-xr-x   2 root     other        315 Dec 28 12:28 inet
lrwxrwxrwx   1 root     other         17 Dec 28 12:28 inetd.conf -> ./inet/inetd
.conf
-rw-r--r--   1 root     other       1064 Dec 28 12:28 netconfig
lrwxrwxrwx   1 root     other         15 Dec 28 12:28 netmasks -> ./inet/netmask
s
lrwxrwxrwx   1 root     other         15 Dec 28 12:28 networks -> ./inet/network
s
-rw-r--r--   1 root     other        690 Dec 28 12:28 nsswitch.conf
-r--r--r--   1 root     other        832 Dec 28 12:28 passwd
lrwxrwxrwx   1 root     other         16 Dec 28 12:28 protocols -> ./inet/protoc
ols
-rw-r--r--   1 root     other         42 Dec 28 12:28 resolv.conf
lrwxrwxrwx   1 root     other         15 Dec 28 12:28 services -> ./inet/service
s
-r--------   1 root     other        474 Dec 28 12:28 shadow
-rw-r--r--   1 root     other          5 Dec 28 12:28 syslog.pid
-rw-r--r--   1 root     other       1408 Dec 28 12:28 ttysrch

/tmp/cell_test/etc/default:
total 8
-r-xr-xr-x   1 root     other        462 Dec 28 12:28 init
/tmp/cell_test/etc/inet:
total 56
-r--r--r--   1 root     other        162 Dec 28 12:28 hosts
-r--r--r--   1 root     other       4687 Dec 28 12:28 inetd.conf
-r--r--r--   1 root     other        567 Dec 28 12:28 netmasks
-r--r--r--   1 root     other        372 Dec 28 12:28 networks
-r--r--r--   1 root     other        499 Dec 28 12:28 protocols
-r--r--r--   1 root     other       2152 Dec 28 12:28 services
/tmp/cell_test/tmp:
total 0

/tmp/cell_test/usr:
total 32
drwxr-xr-x   2 root     other        104 Dec 28 12:28 bin
drwxr-xr-x   2 root     other       1782 Dec 28 12:28 lib
drwxr-xr-x   4 root     other        141 Dec 28 12:28 local
drwxr-xr-x   3 root     other        105 Dec 28 12:28 share

/tmp/cell_test/usr/bin:
total 176
-r-xr-xr-x   1 root     other      89564 Dec 28 12:28 sh

/tmp/cell_test/usr/lib:
total 4192
-rwxr-xr-x   1 root     other      24576 Dec 28 12:28 ld.so
-rwxr-xr-x   1 root     other     124720 Dec 28 12:28 ld.so.1
lrwxrwxrwx   1 root     other          9 Dec 28 12:28 libc.so -> libc.so.1
-rwxr-xr-x   1 root     other     665508 Dec 28 12:28 libc.so.1
lrwxrwxrwx   1 root     other         10 Dec 28 12:28 libc2.so -> libc2.so.1
-rwxr-xr-x   1 root     other      13768 Dec 28 12:28 libc2.so.1
lrwxrwxrwx   1 root     other         15 Dec 28 12:28 libc2stubs.so -> libc2stub
s.so.1
-rwxr-xr-x   1 root     other      13768 Dec 28 12:28 libc2stubs.so.1
lrwxrwxrwx   1 root     other         10 Dec 28 12:28 libdl.so -> libdl.so.1
-rwxr-xr-x   1 root     other       3484 Dec 28 12:28 libdl.so.1
lrwxrwxrwx   1 root     other         11 Dec 28 12:28 libelf.so -> libelf.so.1
-rwxr-xr-x   1 root     other      75784 Dec 28 12:28 libelf.so.1
lrwxrwxrwx   1 root     other         12 Dec 28 12:28 libintl.so -> libintl.so.1
-rwxr-xr-x   1 root     other      15720 Dec 28 12:28 libintl.so.1
lrwxrwxrwx   1 root     other         13 Dec 28 12:28 libkstat.so -> libkstat.so
.1
-rwxr-xr-x   1 root     other       6432 Dec 28 12:28 libkstat.so.1
lrwxrwxrwx   1 root     other          9 Dec 28 12:28 libm.so -> libm.so.1
-rwxr-xr-x   1 root     other     110820 Dec 28 12:28 libm.so.1
lrwxrwxrwx   1 root     other         10 Dec 28 12:28 libmp.so -> libmp.so.1
-rwxr-xr-x   1 root     other      15720 Dec 28 12:28 libmp.so.1
lrwxrwxrwx   1 root     other         11 Dec 28 12:28 libnsl.so -> libnsl.so.1
-rwxr-xr-x   1 root     other     573912 Dec 28 12:28 libnsl.so.1
lrwxrwxrwx   1 root     other         14 Dec 28 12:28 libposix4.so -> libposix4.
so.1
-rwxr-xr-x   1 root     other      11456 Dec 28 12:28 libposix4.so.1
lrwxrwxrwx   1 root     other         14 Dec 28 12:28 libresolv.so -> libresolv.
so.2
-rwxr-xr-x   1 root     other      35436 Dec 28 12:28 libresolv.so.1
-rwxr-xr-x   1 root     other      65580 Dec 28 12:28 libresolv.so.2
lrwxrwxrwx   1 root     other         14 Dec 28 12:28 libsocket.so -> libsocket.
so.1
-rwxr-xr-x   1 root     other      68780 Dec 28 12:28 libsocket.so.1
lrwxrwxrwx   1 root     other         14 Dec 28 12:28 libthread.so -> libthread.
so.1
-rwxr-xr-x   1 root     other     112568 Dec 28 12:28 libthread.so.1
lrwxrwxrwx   1 root     other         17 Dec 28 12:28 libthread_db.so -> libthre
ad_db.so.0
-rwxr-xr-x   1 root     other      21700 Dec 28 12:28 libthread_db.so.1
lrwxrwxrwx   1 root     other          9 Dec 28 12:28 libw.so -> libw.so.1
-rwxr-xr-x   1 root     other      39932 Dec 28 12:28 libw.so.1
lrwxrwxrwx   1 root     other         12 Dec 28 12:28 nss_dns.so -> nss_dns.so.1
-rwxr-xr-x   1 root     other       9504 Dec 28 12:28 nss_dns.so.1
lrwxrwxrwx   1 root     other         14 Dec 28 12:28 nss_files.so -> nss_files.
so.1
-rwxr-xr-x   1 root     other      21288 Dec 28 12:28 nss_files.so.1
/tmp/cell_test/usr/local:
total 16
drwxr-xr-x   2 root     other         69 Dec 28 12:28 bin
drwxr-xr-x   2 root     other         69 Dec 28 12:28 etc

/tmp/cell_test/usr/local/bin:
total 0

/tmp/cell_test/usr/local/etc:
total 0

/tmp/cell_test/usr/share:
total 8
drwxr-xr-x   3 root     other        110 Dec 28 12:28 lib

/tmp/cell_test/usr/share/lib:
total 8
drwxr-xr-x   3 root     other        104 Dec 28 12:28 zoneinfo

/tmp/cell_test/usr/share/lib/zoneinfo:
total 8
drwxr-xr-x   2 root     other        109 Dec 28 12:28 US
/tmp/cell_test/usr/share/lib/zoneinfo/US:
total 8
-rw-r--r--   1 root     other        817 Dec 28 12:28 Eastern
/tmp/cell_test/var:
total 8
drwxr-xr-x   3 root     other        106 Dec 28 12:28 spool

/tmp/cell_test/var/spool:
total 8
drwxr-xr-x   2 root     other         69 Dec 28 12:28 list

/tmp/cell_test/var/spool/list:
total 0
</font>
 

What’s wrong? The new clean desk test
Join the discussion
Be the first to comment on this article. Our Commenting Policies