Creating a basic padded cell
A tutorial with sample scripts
SunWorld's new security wizard, Carole Fennelly, steps you through padded cells this month. Carole provides scripts written by her partner, Jonathan Klein, as learning examples. These scripts were originally written to generate a basic mini-Unix cell and make Carole and Jonathan's job easier, so consider them an alpha release. They'll require modification to work in other environments or with other applications and they come with no warranties -- but that's all part of the learning experience. (3,800 words)
As regular readers of SunWorld probably know, Peter Galvin has abdicated as SunWorld's security czar to start a new system administration column for this magazine (see Pete's Super Systems in this issue). Following Peter's lead, this column will continue to provide practical, technical information about computer security based on real-world experiences.
I'm currently working as an independent security consultant in the New York financial market. This gives me the opportunity to design and implement solutions in different environments in parallel. Because every environment is unique, it's possible that something that worked out great for me will be totally wrong for you. There's no single solution or product that is optimal for all people at all times. My goal is to provide the gory technical details of problems encountered and solutions that have worked in most environments.
As has been discussed numerous times, most security problems are the result of human negligence. If more programmers followed the advice set forth in Peter's April 1998 column (see Resources below), there wouldn't be as much to write about here. I've worked with developers who refuse to even follow basic source code control such as SCCS (for more on this, see Hal Stern's July 1995 SysAdmin column, linked in Resources). Unfortunately, system administrators often have no control over the development environment and are unable to impose proper development procedures.
What the administrator can do is to consider the application suspect and place it in a padded cell using chroot.
I cowrote with Peter the May and June 1998 Security columns (again, see Resources below), which described the installation of a Web server in a padded cell environment that my partner, Jonathan Klein, and I installed at a client site. I was rather surprised at all the feedback complaining that padded cells are too difficult to set up correctly. While it's true that there's a lot of technical detail involved in creating a padded cell, and while it certainly isn't a procedure for novices, it is worthwhile to learn since it's a proven procedure that has been used for years. To help make the learning process easier, this column includes scripts written by Jonathan to create a basic padded cell.
Creating a basic padded cell
A padded cell is a unique environment specifically tailored for an
application. As such, these scripts probably won't work for your
particular application -- you'll need to edit the sample list
files. We've used these to configure the Netscape server, Sendmail,
FTP, and list servers, and we edit the list files each time.
Sample padded cell scripts
The following shell scripts can be used (with modification) to create a basic padded cell: make_cell, mkdir_cell, mksymdir_cell, mkdev_cell, cpfile_cell, and mksymfile_cell.
The shell scripts use the following ASCII input files: dirlist, symdirlist, devlist, filelist, and symfilelist.
There's also a C program, mkperm.c, to create the proper device permissions.
The scripts, list files, and mkperm.c are reproduced at the end of this article; quick explanations of each follow.
make_cell
This is a top-level master script that calls and runs all the other
scripts.
mkdir_cell
This script creates the directory structure needed to simulate a
mini-Unix operating environment. It creates directories such as
/etc, /usr, /lib, /usr/lib, and so on. The script decides which
directories to create based on the input file, dirlist. The file
provided here is an example only and needs to be edited for your
particular application.
mksymdir_cell
This script makes all the required symbolic links for directories.
For example, it will create the symbolic link from $root/bin to
$root/usr/bin. The input file for this script is symdirlist.
mkdev_cell
This script creates the devices in the cell directory that will be required by the application, along with the /dev symbolic links that point to them. The input file for this script is devlist. Be very careful when you edit this file: include only the devices you will need, and remember that the devices listed are only a guide. Keep in mind what the device list does and doesn't buy you. chroot restricts only the filesystem view; a process that runs as root inside the cell can still create new device nodes with mknod, so a short device list protects against the application being tricked into opening a device, not against an attacker who has already gained root inside the cell. This script also uses a C program, mkperm.c, to give each device the same ownership and permissions it has in the real /devices directory.
cpfile_cell
This script copies into the cell the system files you will need to run
the application. The input file is filelist.
Important note! Some of the files that are copied in must be modified to remove information you don't want public, such as the root password.
Files that must be modified include:
- passwd and shadow: These files need to be in the cell so the application will work. However, they need to be stripped of all the user data that isn't needed in the cell. Although the root account should be in the cell's passwd and shadow files, the password data is meaningless and must not be valid. The real root account works outside the cell.
- hosts and services: Again, put in here only what you need in the cell, although a cracker could easily find out what services you are running with a port scan.
Additional files, such as nsswitch.conf and inetd.conf, may need to be modified.
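The passwd and shadow cleanup described above is easy to get wrong by hand, so here is an added example (not one of Jonathan's scripts) that does it mechanically and then checks the result. It assumes POSIX sh and awk; the function names and the sample account data are mine, and the sample hashes are fabricated. The *LK* marker is what Solaris passwd -l writes into the password field, and since no crypt(3) output can ever equal it, it is a safe lock value on any Unix.

```shell
#!/bin/sh
# Added example, not part of Jonathan Klein's scripts: cut the copied
# passwd and shadow down to the accounts the cell needs and make sure no
# usable password is left inside. Assumes POSIX sh and awk. The *LK*
# marker is what Solaris "passwd -l" writes; since no crypt(3) output can
# equal it, it is a safe lock value on any Unix.

# strip_passwd KEEPLIST < passwd
# KEEPLIST is a comma-separated list of login names to retain (e.g.
# "root,smtp"); everything else is dropped from the cell's copy.
strip_passwd() {
    awk -F: -v keep="$1" '
        BEGIN { n = split(keep, k, ","); for (i = 1; i <= n; i++) want[k[i]] = 1 }
        ($1 in want) { print }
    '
}

# strip_shadow KEEPLIST < shadow
# Same account filter, and every password field becomes *LK*. The real
# accounts, with their real hashes, stay outside the cell.
strip_shadow() {
    awk -F: -v OFS=: -v keep="$1" '
        BEGIN { n = split(keep, k, ","); for (i = 1; i <= n; i++) want[k[i]] = 1 }
        ($1 in want) { $2 = "*LK*"; print }
    '
}

# shadow_unsafe < shadow
# True (exit 0) if any entry could still authenticate: an empty password
# field (no password needed at all) or anything that is not a lock marker.
shadow_unsafe() {
    awk -F: '
        NF >= 2 && ($2 == "" || ($2 !~ /^[*!]/ && $2 != "NP")) { bad = 1 }
        END { exit bad ? 0 : 1 }
    '
}

# Constructed sample data (fabricated hashes) standing in for the
# /etc/passwd and /etc/shadow copied off the host by cpfile_cell.
SAMPLE_PASSWD='root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
smtp:x:0:0:Mail Daemon User:/:
alice:x:1001:10:Alice Example:/export/home/alice:/bin/ksh'

SAMPLE_SHADOW='root:aB3dEfGh1JkLm:10297::::::
daemon:NP:6445::::::
smtp:NP:6445::::::
alice:nOpQrStUvWxYz:10297::::::'

# Real use, as root, after cpfile_cell has populated the cell:
#   strip_passwd root,smtp < /etc/passwd > /tmp/cell_test/etc/passwd
#   strip_shadow root,smtp < /etc/shadow > /tmp/cell_test/etc/shadow
#   shadow_unsafe < /tmp/cell_test/etc/shadow && echo "cell shadow still has a usable password"
```

Run shadow_unsafe against the host's shadow first and it will say "unsafe", which is the point: that is what must never be true of the copy inside the cell. The filter keeps root because the application may look it up, but root's locked entry in the cell is unrelated to the real root account outside it.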
mksymfile_cell
This script creates all the file symbolic links that are required such
as the lib.so files. The input file is symfilelist.
Using the scripts
It is highly recommended that you run this on a test system first if
you are unfamiliar with chroot. If you are installing a padded cell
for production use, you should have it reside on a dedicated
filesystem. For testing and/or learning purposes, you can just make a
directory in a filesystem with sufficient space.
Copy the scripts into /usr/local/bin. In this directory, make a directory called lists and copy in the five list files (dirlist, symdirlist, devlist, filelist and symfilelist). Edit the list files accordingly. To find out which libraries the application needs, run ldd on the application. Keep in mind that ldd shows only the libraries the binary is linked against; modules the C library loads at run time, such as the nss_files.so and nss_dns.so name-service backends selected by nsswitch.conf, don't appear in its output and have to be added to filelist by hand (the sample filelist includes them). For example:
    # ldd /usr/lib/sendmail
        libresolv.so.2 =>        /usr/lib/libresolv.so.2
        libsocket.so.1 =>        /usr/lib/libsocket.so.1
        libnsl.so.1 =>           /usr/lib/libnsl.so.1
        libkstat.so.1 =>         /usr/lib/libkstat.so.1
        libc.so.1 =>             /usr/lib/libc.so.1
        libdl.so.1 =>            /usr/lib/libdl.so.1
        libdl.so.1 (SUNW_0.7) =>         (version not found)
        libdl.so.1 (SISCD_2.3) =>        (version not found)
        libintl.so.1 =>          /usr/lib/libintl.so.1
        libmp.so.1 =>            /usr/lib/libmp.so.1
        libdl.so.1 (SUNW_0.7) =>         (version not found)
        libdl.so.1 (SUNWprivate_1.1) =>  (version not found)
        libdl.so.1 (SISCD_2.3) =>        (version not found)
        libw.so.1 =>             /usr/lib/libw.so.1
    #
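Reading ldd output by eye and typing the paths into filelist is where libraries get missed, so here is an added example (my code, not part of the article's scripts) that parses ldd output and copies the libraries into the cell. It goes a little beyond the Solaris output above: "(version not found)" lines are ignored because they are symbol-version notes rather than missing files, a bare "not found" is reported rather than dropped, and a line that is only an absolute path (how some ldd implementations print the runtime linker) is kept. It assumes POSIX sh, awk and cp -p; the function names are mine, and the sample below is the sendmail output above plus one fabricated "not found" line.

```shell
#!/bin/sh
# Added example, not part of the original scripts: turn ldd output into
# the list of library files a cell needs, then copy them in under the cell
# root with their directory structure intact. Assumes POSIX sh, awk, and
# cp -p; the function names are mine.

# ldd_paths < ldd-output
# Prints one absolute path per resolved "name => /path" line, sorted and
# de-duplicated. "(version not found)" lines are symbol-version notes
# from ld.so, not missing files, and are ignored; a bare "not found" is a
# real missing library and is reported on stderr so it is not silently
# dropped. A line that is only an absolute path (the runtime linker on
# some systems) is kept too.
ldd_paths() {
    awk '
        {
            target = ""
            for (i = 1; i <= NF; i++) if ($i == "=>") target = $(i + 1)
            if (target == "" && $1 ~ /^\//) target = $1
            if (target ~ /^\//) { print target; next }
            if ($0 ~ /not found/ && $0 !~ /version not found/)
                print "missing library: " $1 > "/dev/stderr"
        }
    ' | sort -u
}

# cell_copy_files ROOT < path-list
# Copies each file under ROOT, creating the parent directory inside the
# cell. cp -p keeps mode and (when run as root) ownership. A symlinked
# library such as libresolv.so -> libresolv.so.2 is copied as the file
# it points to; use mksymfile_cell if you want the link instead.
cell_copy_files() {
    root=${1%/}
    while read -r path; do
        if [ ! -f "$path" ]; then
            echo "skipping, not a regular file: $path" >&2
            continue
        fi
        mkdir -p "$root$(dirname "$path")" && cp -p "$path" "$root$path"
    done
}

# Constructed sample: part of the ldd output for sendmail shown above,
# plus one fabricated "not found" line to exercise the error path.
SAMPLE_LDD='libresolv.so.2 => /usr/lib/libresolv.so.2
libsocket.so.1 => /usr/lib/libsocket.so.1
libnsl.so.1 => /usr/lib/libnsl.so.1
libdl.so.1 (SUNW_0.7) => (version not found)
libmissing.so.1 => not found
libc.so.1 => /usr/lib/libc.so.1'

# Real use, as root:
#   ldd /usr/lib/sendmail | ldd_paths | cell_copy_files /tmp/cell_test
if [ $# -eq 2 ]; then
    ldd "$1" | ldd_paths | cell_copy_files "$2"
fi
```

This replaces only the library-hunting part of the procedure; the nss_*.so modules and the application's configuration files still have to be listed by hand, because ldd cannot see them.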
If you're creating a production cell, make a filesystem just for the cell (e.g., /usr/local/cell) and mount it as /usr/local/cell (or whatever). If you're just using this for testing or learning purposes, it isn't necessary to make a separate filesystem. For test purposes, I'm using a directory, /tmp/cell_test as an example.
    # /usr/local/bin/make_cell /usr/local/bin/lists /tmp/cell_test
    Make Directory Entries
    Make Directory Symbolic Links
    Make Device Entries
    Copying Files
    Make File Symbolic Links
    Padded Cell creation complete
    #
    # ls -lR /tmp/cell_test
(The full ls -lR output of the test cell is reproduced at the end of this article.)
Don't forget to clean up /etc/passwd and /etc/shadow! Also check all the other system files that were copied in. In this case, I copied in /bin/sh to use as an example. If you don't need it in the cell, remove it.
Here's a basic example of how the cell works:
    # pwd
    /usr/local/bin
    # /usr/sbin/chroot /tmp/cell_test /bin/sh
    # pwd
    /
    # cd /usr/bin
    # ./ls
    ./ls: not found
    # /usr/bin/ls
    /usr/bin/ls: not found
    [control-D]
    # pwd
    /usr/local/bin
Because I didn't copy /usr/bin/ls into the cell, it isn't found when I run /bin/sh under chroot.
Copy the application binaries into the cell. For an application that needs to be built, run the build outside the cell because it will require system resources for the build that aren't necessary to run the application. When you copy the binaries in, remember that you are considering the directory /tmp/cell_test to be root (/). For example, Sendmail would be copied in to /tmp/cell_test/usr/lib/sendmail. Make sure the appropriate permissions are set.
    # cp -p /usr/lib/sendmail /tmp/cell_test/usr/lib
    # ls -l /tmp/cell_test/usr/lib/sendmail
    -r-sr-x--x   1 root     bin       378264 Dec  6 15:09 /tmp/cell_test/usr/lib/sendmail
Test to make sure the application works in the cell:
    # /usr/sbin/chroot /tmp/cell_test /usr/lib/sendmail -bt
    ld.so.1: /usr/lib/sendmail: fatal: libresolv.so.2: open failed: No such file or directory
    Killed
Sometimes the errors are pretty obvious, as in the example above. For the more obscure errors, use truss as follows:
Mount /proc as a loopback filesystem for debugging purposes, copy truss into the cell, and run the application under it:

    # mkdir /tmp/cell_test/proc
    # mount -F lofs /proc /tmp/cell_test/proc
    # cp /usr/bin/truss /tmp/cell_test/usr/bin/truss
    # /usr/sbin/chroot /tmp/cell_test /usr/bin/truss /usr/lib/sendmail 2>&1 | tee /tmp/out
    # more /tmp/out
    execve("/usr/lib/sendmail", 0xEFFFFE28, 0xEFFFFE30)  argc = 1
    open("/dev/zero", O_RDONLY)                     = 3
    mmap(0x00000000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0xEF7C0000
    open("/usr/lib/libresolv.so.2", O_RDONLY)       Err#2 ENOENT
    ld.so.1: /usr/lib/sendmail: fatal: libresolv.so.2: open failed: No such file or directory
    write(2, " l d . s o . 1 :   / u s".., 90)      = 90
    getpid()                                        = 23561 [23559]
        *** process killed ***
In this case, I'm missing libresolv.so.2. (Actually, I removed it to generate the error.) Using truss can be rather painful, but it's very helpful in identifying missing files and devices. When you're done debugging, unmount the loopback /proc and remove truss from the cell; neither belongs in a production cell.
Once you get all the libraries and devices the application needs in the cell, test it again to see what else it may need:
    # /usr/sbin/chroot /tmp/cell_test /usr/lib/sendmail -bt
    /etc/sendmail.cf: line 59: fileclass: cannot open /etc/mail/sendmail.cw: No such file or directory
    dbm map "Alias0": missing map file /etc/mail/aliases: No such file or directory
    WARNING: cannot open alias database /etc/mail/aliases; reading text version
    ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
    Enter <ruleset> <address>
    > [control-D]
The cell is missing some files that Sendmail needs, such as /etc/mail/aliases and /etc/mail/sendmail.cw. (I previously copied in a basic /etc/sendmail.cf file.) As always, check any file you copy into the cell to make sure it's something you want public. After you have the required files for the application, try it again:
    # /usr/sbin/chroot /tmp/cell_test /usr/lib/sendmail -bt
    ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
    Enter <ruleset> <address>
    > 3,0,4 fennelly@wkeys.com
    rewrite: ruleset   3   input: fennelly @ wkeys . com
    rewrite: ruleset  96   input: fennelly < @ wkeys . com >
    rewrite: ruleset  96 returns: fennelly < @ wkeys . com . >
    rewrite: ruleset   3 returns: fennelly < @ wkeys . com . >
    rewrite: ruleset   0   input: fennelly < @ wkeys . com . >
    rewrite: ruleset 199   input: fennelly < @ wkeys . com . >
    rewrite: ruleset 199 returns: fennelly < @ wkeys . com . >
    rewrite: ruleset  98   input: fennelly < @ wkeys . com . >
    rewrite: ruleset  98 returns: $# local $: fennelly
    rewrite: ruleset   0 returns: $# local $: fennelly
    rewrite: ruleset   4   input: $# local $: fennelly
    rewrite: ruleset   4 returns: $# local $: fennelly
    > 3,0,4 user@sunworld.com
    rewrite: ruleset   3   input: user @ sunworld . com
    rewrite: ruleset  96   input: user < @ sunworld . com >
    rewrite: ruleset  96 returns: user < @ sunworld . com . >
    rewrite: ruleset   3 returns: user < @ sunworld . com . >
    rewrite: ruleset   0   input: user < @ sunworld . com . >
    rewrite: ruleset 199   input: user < @ sunworld . com . >
    rewrite: ruleset 199 returns: user < @ sunworld . com . >
    rewrite: ruleset  98   input: user < @ sunworld . com . >
    rewrite: ruleset  98 returns: $# smtp $@ firebox $: user < @ sunworld . com . >
    rewrite: ruleset   0 returns: $# smtp $@ firebox $: user < @ sunworld . com . >
    rewrite: ruleset   4   input: $# smtp $@ firebox $: user < @ sunworld . com . >
    rewrite: ruleset   4 returns: $# smtp $@ firebox $: user < @ sunworld . com . >
    >
At this point, it looks like my application is working and I can proceed with production testing. When the application is considered ready for production, the system startup files can be modified to start the application in the padded cell, as in a modified version of /etc/init.d/sendmail to start Sendmail in the padded cell. The modified startup of Sendmail could look something like this:
    PADDED_CELL=/usr/local/cell
    /usr/sbin/chroot ${PADDED_CELL} /usr/lib/sendmail -bd -q15m
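Before a startup script like the one above chroots a daemon into the cell, it is worth having it refuse to start if the cell has drifted from what you built: a stray setuid binary, a world-writable file, or a device node that should not be there. Here is an added example of such a pre-flight audit and a start wrapper (my code, not part of the article or of Jonathan's scripts). It assumes POSIX sh and find; the function names and the allow-list convention are mine.

```shell
#!/bin/sh
# Added example, not part of the original article: a pre-flight audit to
# run against a cell before a daemon is chroot'ed into it, and a start
# wrapper in the spirit of the modified /etc/init.d/sendmail above.
# Assumes POSIX sh and find; function names and the allow-list are mine.

# cell_audit ROOT [ALLOWED_SETUID_PATH ...]
# Prints anything in the cell that widens what a process inside it can
# do, and returns 1 if any of it is disqualifying:
#   - setuid/setgid files other than those on the allow-list (paths
#     relative to the cell root, e.g. /usr/lib/sendmail)
#   - world-writable files or directories (symlinks skipped; their mode
#     is meaningless)
#   - block devices: a raw disk inside the cell hands over the whole system
# Character devices are listed for the operator to confirm but do not
# fail the audit, since devlist deliberately puts some there.
cell_audit() {
    root=${1%/}; shift
    allowed=" $* "
    status=0
    oldifs=$IFS
    IFS='
'
    for f in $(find "$root" -type f \( -perm -4000 -o -perm -2000 \) -print); do
        rel=${f#"$root"}
        case "$allowed" in
            *" $rel "*) ;;
            *) echo "setuid/setgid file not on allow-list: $rel"; status=1 ;;
        esac
    done
    for f in $(find "$root" ! -type l -perm -0002 -print); do
        echo "world-writable: ${f#"$root"}"; status=1
    done
    for f in $(find "$root" -type b -print); do
        echo "block device in cell: ${f#"$root"}"; status=1
    done
    for f in $(find "$root" -type c -print); do
        echo "character device (confirm it is needed): ${f#"$root"}"
    done
    IFS=$oldifs
    return $status
}

# start_in_cell ROOT ALLOWED_SETUID_PATH COMMAND [ARGS...]
# Refuses to start if the audit fails; otherwise runs COMMAND inside the
# cell. chroot needs root, so this part only runs from a real startup script.
start_in_cell() {
    root=$1; app=$2; shift 2
    if ! cell_audit "$root" "$app"; then
        echo "refusing to start: fix the cell first" >&2
        return 1
    fi
    /usr/sbin/chroot "$root" "$@"
}

# How the Sendmail startup above would use it:
#   start_in_cell /usr/local/cell /usr/lib/sendmail /usr/lib/sendmail -bd -q15m
```

The audit is deliberately noisy about character devices rather than failing on them, because the whole point of devlist is that a few are needed; the operator's job is to recognise every one it prints. Anything it flags as disqualifying should be fixed in the list files and the cell rebuilt, not patched by hand.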
Conclusion
The downside of using chroot to create a padded cell is that it
requires some technical sophistication. In a society geared
towards point-and-click functionality, this is becoming rare. I'd like to
help change that for those interested in learning more.
Another criticism I've heard about using chroot involves vendor
implementations. Often in a vendor implementation, the application
is started with the full system resources. At a certain point, the
application invokes the chroot system call. However, the
application already has access to all the system resources, leaving you
dependent on the vendor to not make any programming mistakes. I'd
rather not make that assumption.
Additional notes
I hadn't fully appreciated (until now) all of Peter's efforts in producing
his past columns. Aside from the technical dish of the day, he also
commented on reported bugs, break-ins, conferences, and new books.
I'll do my best to maintain that standard. Meanwhile, I'll offer a couple
of links I've found to be useful
(which I don't recall Peter mentioning). I have no affiliation with
these sites and take no responsibility for content. Can you tell I
work in New York?
http://www.kumite.com/myths
This is an extremely useful site to point users to when they
report "viruses" or "Bill Gates wants to give the 13,000th e-mail
recipient $5,000!!!!!" e-mails. Many urban legends are also listed.
http://www.hackernews.com
This is a news site run by the hacker underground "to
deliver the real news from the computer underground for the computer
underground." The site is updated daily and is surprisingly
professional.
Next month
OK, I'll leave this one up to you: I'll either talk about audits from
hell or how to configure Sendmail 8.9.2 for a firewall. First e-mail from a reader
decides the vote!
Disclaimer: The information and software in this article are provided as-is and should be used with caution. Each environment is unique and the reader is cautioned to investigate with his or her company as to the feasibility of using the information and software in the article. No warranties, implied or actual, are granted for any use of the information and software in this article and neither author nor publisher is responsible for any damages, either consequential or incidental, with respect to use of the information and software contained herein.
Resources
About the author
Carole Fennelly is a partner in Wizard's Keys Corporation, a company
specializing in computer security consulting. She has been a Unix
system administrator for more than 15 years on various platforms and has
particularly focused on Sendmail configurations of late. Carole
provides security consultation to several financial institutions in
the New York City area.
Reach Carole at carole.fennelly@sunworld.com.
URL: http://www.sunworld.com/swol-01-1999/swol-01-security.html
make_cell

#!/bin/ksh
#
# Copyright 1998 - Jonathan Klein, Wizards Keys Corporation, All Rights
# Reserved.
#
# Top-level script to make a padded cell. The following scripts and lists
# are also required to build the padded cell. Please note: The lists that
# are included here were used on a Solaris 2.5.1 system running Netscape
# SuiteSpot and Sendmail 8.8.8. These lists are fluid and may change for
# other applications. You will have to play with the lists until you get
# what you are looking for in a padded cell.
#
# The following is a list of scripts and lists that are used:
#
# Script          List         Aux_Pgm   Description
# ------          ----         -------   -----------
# mkdir_cell      dirlist                Make the padded cell directory structure.
# mksymdir_cell   symdirlist             Create any directory symbolic links.
# mkdev_cell      devlist      mkperm    Create devices and dev directory. The script
#                                        will set the ownership and permission of
#                                        the devices to the exact same values as is
#                                        in the real devices and dev directories.
# cpfile_cell     filelist               Copy all necessary files into the padded cell.
# mksymfile_cell  symfilelist            Make any file symbolic links (e.g., .so files).
#
# Note: If you upgrade the system or load any patches, you may need to rebuild
# the padded cell so these files are updated to the new ones. I found
# that if I delete dev, devices, and lib, the padded cell remakes successfully.
# Good luck.
#
# DISCLAIMER: These scripts are provided AS IS. No warranty of merchantability
# or fitness for a particular purpose is granted. User uses these scripts at
# his or her own risk and author accepts no responsibility whatsoever for any
# damages, either consequential or incidental, for their use. User may freely
# distribute these scripts without restrictions as long as this disclaimer
# is not removed from the script.

# Make sure the root directory and directory containing lists are not empty
if [ "$1" = "" -o "$2" = "" ]
then
    echo "Usage: make_cell listdir root_dir"
    exit 1
fi

# Make top level root directory
if [ ! -d $2 ]
then
    /usr/bin/mkdir -p $2
    if [ $? -ne 0 ]
    then
        print "Could not make directory $2"
        exit 2
    fi
fi

# Make subdirectory entries
echo "Make Directory Entries"
/usr/local/bin/mkdir_cell $1/dirlist $2

# Make any directory symbolic links
echo "Make Directory Symbolic Links"
/usr/local/bin/mksymdir_cell $1/symdirlist $2

# Make the devices and dev directory
echo "Make Device Entries"
/usr/local/bin/mkdev_cell $1/devlist $2

# Copy the system files into the padded cell
echo "Copying Files"
/usr/local/bin/cpfile_cell $1/filelist $2

# Symbolically link any required files
echo "Make File Symbolic Links"
/usr/local/bin/mksymfile_cell $1/symfilelist $2

echo "Padded Cell creation complete"
mkdir_cell

#!/bin/ksh
#
# Copyright 1998 - Jonathan Klein, Wizards Keys Corporation, All Rights
# Reserved.
#
# mkdir_cell -- Make padded cell directory structure
#
# Parameters:
#   $1 - List of directory entries
#   $2 - Root directory of entries
#
# DISCLAIMER: These scripts are provided AS IS. No warranty of merchantability
# or fitness for a particular purpose is granted. User uses these scripts at
# his or her own risk and author accepts no responsibility whatsoever for any
# damages, either consequential or incidental, for their use. User may freely
# distribute these scripts without restrictions as long as this disclaimer
# is not removed from the script.

list=$1
root=$2

if [ "$list" = "" -o "$root" = "" ]
then
    print "$0: Directory and List variable must be populated"
    exit 1
fi
if [ ! -f $list ]
then
    print "Cannot open directory list"
    exit 2
fi
if [ ! -d $root -o ! -w $root ]
then
    print "Root Variable must be an existing directory and be writable"
    exit 3
fi

# Cycle through the list and create each sub directory
cat $list | while :
do
    x=`/usr/bin/line`           # Get a directory entry
    if [ "$x" = "" ]
    then
        break
    fi
    # Make the directory
    /usr/bin/mkdir -p $2/$x
done
mksymdir_cell

#!/bin/ksh
#
# Copyright 1998 - Jonathan Klein, Wizards Keys Corporation, All Rights
# Reserved.
#
# mksymdir_cell - Make padded cell directory symbolic links
#
# Parameters:
#   $1 - List of directory symbolic links (target, then link path)
#   $2 - Root directory of entries
#
# DISCLAIMER: These scripts are provided AS IS. No warranty of merchantability
# or fitness for a particular purpose is granted. User uses these scripts at
# his or her own risk and author accepts no responsibility whatsoever for any
# damages, either consequential or incidental, for their use. User may freely
# distribute these scripts without restrictions as long as this disclaimer
# is not removed from the script.

list=$1
root=$2

if [ "$list" = "" -o "$root" = "" ]
then
    print "$0: Arguments 1 and/or 2 are null"
    exit 3
fi
if [ ! -f $list ]
then
    print "$0: Cannot open directory symbolic link list"
    exit 1
fi
if [ ! -d $root -o ! -w $root ]
then
    print "$0: Root directory entry must be a writable directory"
    exit 2
fi

cat $list | while :
do
    x=`/usr/bin/line`
    if [ "$x" = "" ]
    then
        break
    fi

    # Pull out the linker and the linkee
    y=$(echo $x | cut -f1 -d" ")
    z=$(echo $x | cut -f2 -d" ")
    if [ "$y" = "" -o "$z" = "" ]
    then
        continue
    fi

    # The first argument (y) is the name of the directory the link points
    # to. The second argument (z) is the relative path/name from the top of
    # the padded cell root. The last component of z is going to be the
    # name of the symbolic link.
    ( cd `dirname $root/$z`; /usr/bin/ln -s $y `basename $z` )
done
mkdev_cell

#!/bin/ksh
#
# Copyright 1998 - Jonathan Klein, Wizards Keys Corporation, All Rights
# Reserved.
#
# mkdev_cell - Make padded cell dev and devices/pseudo directory
#
# Parameters:
#   $1 - List of devices entries
#   $2 - Root directory of dev and devices/pseudo
#
# DISCLAIMER: These scripts are provided AS IS. No warranty of merchantability
# or fitness for a particular purpose is granted. User uses these scripts at
# his or her own risk and author accepts no responsibility whatsoever for any
# damages, either consequential or incidental, for their use. User may freely
# distribute these scripts without restrictions as long as this disclaimer
# is not removed from the script.

root=$2
list=$1

if [ "$list" = "" -o "$root" = "" ]
then
    print "$0: Arguments 1 and/or 2 are null"
    exit 3
fi
if [ ! -f $list ]
then
    print "$0: Cannot open device name list"
    exit 1
fi
if [ ! -d $root -o ! -w $root ]
then
    print "$0: Root directory entry must be a writable directory"
    exit 2
fi

cat $list | while :
do
    # Get a devices entry
    x=`/usr/bin/line`
    if [ "$x" = "" ]
    then
        break
    fi

    # Get the real devices entry long list (permission, owner, group,
    # major and minor numbers)
    e=$(ls -l /devices/pseudo/$x)
    if [ $? -ne 0 ]
    then
        continue
    fi

    # Peel off permission string (e.g. crw-rw-rw-)
    perm=$(echo $e | cut -f1 -d" ")

    # Convert the string into an octal that chmod understands
    perm_num=$(/usr/local/bin/mkperm $perm)

    # Peel off device type (first letter of the permission string)
    dev_type=$(echo $perm | sed -e 's/\(.\).*/\1/')

    # If the entry is not a block special or character special file, skip it
    if [ $dev_type != "c" -a $dev_type != "b" ]
    then
        continue
    fi

    # Peel off owner, group, major and minor device number off the long list
    owner=$(echo $e | cut -f3 -d" ")
    group=$(echo $e | cut -f4 -d" ")
    major=$(echo $e | cut -f5 -d" " | sed -e 's/,.*//')
    minor=$(echo $e | cut -f5 -d" " | sed -e 's/.*,//')

    # ls -l prints "major, minor" with a space after the comma, so the
    # minor number normally lands in the next field
    if [ "$minor" = "" -o "$minor" = " " ]
    then
        minor=$(echo $e | cut -f6 -d" ")
    fi

    # Make the entry with the type, major and minor number and set the
    # ownership, group and permissions of the entry
    /usr/sbin/mknod $2/devices/pseudo/$x $dev_type $major $minor
    /usr/bin/chown $owner $2/devices/pseudo/$x
    /usr/bin/chgrp $group $2/devices/pseudo/$x
    /usr/bin/chmod $perm_num $2/devices/pseudo/$x

    # Strip off everything before the colon (e.g., mm@0:null to null)
    y=$(echo $x | sed -e "s/\(.*\):\(.*\)/\2/")

    # Link the entry into the dev directory
    (cd $2/dev; /usr/bin/ln -s ../devices/pseudo/$x $y)
done
cpfile_cell

#!/bin/ksh
#
# Copyright 1998 - Jonathan Klein, Wizards Keys Corporation, All Rights
# Reserved.
#
# cpfile_cell - Copy files into padded cell
#
# Parameters:
#   $1 - List of File entries to copy
#   $2 - Root directory of padded cell
#
# DISCLAIMER: These scripts are provided AS IS. No warranty of merchantability
# or fitness for a particular purpose is granted. User uses these scripts at
# his or her own risk and author accepts no responsibility whatsoever for any
# damages, either consequential or incidental, for their use. User may freely
# distribute these scripts without restrictions as long as this disclaimer
# is not removed from the script.

list=$1
root=$2

if [ "$list" = "" -o "$root" = "" ]
then
    print "$0: Arguments 1 and/or 2 are null"
    exit 3
fi
if [ ! -d $root -o ! -w $root ]
then
    print "$0: Padded cell root has to be a writable directory"
    exit 1
fi
if [ ! -f $list -o ! -r $list ]
then
    print "$0: Cannot open copy file list"
    exit 2
fi

# Copy each listed file to the same path under the cell root
cat $list | while :
do
    x=`/usr/bin/line`
    if [ "$x" = "" ]
    then
        break
    fi
    /usr/bin/cp $x $root/$x
done
mksymfile_cell

#!/bin/ksh
#
# Copyright 1998 - Jonathan Klein, Wizards Keys Corporation, All Rights
# Reserved.
#
# mksymfile_cell - Make padded cell symbolic file links
#
# Parameters:
#   $1 - List of file symbolic links (target, then link path)
#   $2 - Root directory of entries
#
# DISCLAIMER: These scripts are provided AS IS. No warranty of merchantability
# or fitness for a particular purpose is granted. User uses these scripts at
# his or her own risk and author accepts no responsibility whatsoever for any
# damages, either consequential or incidental, for their use. User may freely
# distribute these scripts without restrictions as long as this disclaimer
# is not removed from the script.

list=$1
root=$2

if [ "$list" = "" -o "$root" = "" ]
then
    print "$0: Arguments 1 and/or 2 are null"
    exit 3
fi
if [ ! -f $list ]
then
    print "$0: Cannot open file symbolic link list"
    exit 1
fi
if [ ! -d $root -o ! -w $root ]
then
    print "$0: Root directory entry must be a writable directory"
    exit 2
fi

cat $list | while :
do
    x=`/usr/bin/line`
    if [ "$x" = "" ]
    then
        break
    fi

    # Pull out the linker and the linkee
    y=$(echo $x | cut -f1 -d" ")
    z=$(echo $x | cut -f2 -d" ")

    # Skip if the entry is invalid
    if [ "$y" = "" -o "$z" = "" ]
    then
        continue
    fi

    # The first argument (y) is the name of the file the link points to.
    # The second argument (z) is the relative path/file name from the top
    # of the padded cell root. The last component of z is going to be the
    # name of the symbolic link.
    ( cd `dirname $root/$z`; /usr/bin/ln -s $y `basename $z` )
done
dirlist

dev
devices/pseudo
etc
etc/default
etc/inet
usr/lib
usr/share/lib/zoneinfo/US
usr/bin
usr/local/bin
usr/local/etc
var/spool/list
tmp
symdirlist

usr/lib lib
usr/bin bin
devlist

clone@0:ip
clone@0:tcp
clone@0:udp
clone@0:zsh
cn@0:console
cn@0:syscon
cn@0:systty
log@0:conslog
mm@0:null
mm@0:zero
sy@0:tty
tl@0:ticlts
tl@0:ticots
tl@0:ticotsord
filelist

/etc/passwd
/etc/shadow
/etc/group
/etc/resolv.conf
/etc/inet/hosts
/etc/inet/inetd.conf
/etc/inet/netmasks
/etc/inet/networks
/etc/inet/protocols
/etc/inet/services
/etc/nsswitch.conf
/etc/netconfig
/etc/ttysrch
/etc/syslog.pid
/etc/default/init
/usr/lib/ld.so
/usr/lib/ld.so.1
/usr/lib/libdl.so.1
/usr/lib/libelf.so.1
/usr/lib/libintl.so.1
/usr/lib/libnsl.so.1
/usr/lib/libresolv.so.1
/usr/lib/libsocket.so.1
/usr/lib/libw.so.1
/usr/lib/libc.so.1
/usr/lib/libkstat.so.1
/usr/lib/libmp.so.1
/usr/lib/libthread.so.1
/usr/lib/nss_dns.so.1
/usr/lib/nss_files.so.1
/usr/lib/libc2.so.1
/usr/lib/libc2stubs.so.1
/usr/lib/libresolv.so.2
/usr/lib/libthread_db.so.1
/usr/lib/libposix4.so.1
/usr/lib/libm.so.1
/usr/share/lib/zoneinfo/US/Eastern
/bin/sh
symfilelist

./inet/hosts etc/hosts
./inet/inetd.conf etc/inetd.conf
./inet/netmasks etc/netmasks
./inet/networks etc/networks
./inet/protocols etc/protocols
./inet/services etc/services
./default/init etc/TIMEZONE
libdl.so.1 usr/lib/libdl.so
libelf.so.1 usr/lib/libelf.so
libintl.so.1 usr/lib/libintl.so
libnsl.so.1 usr/lib/libnsl.so
libresolv.so.2 usr/lib/libresolv.so
libsocket.so.1 usr/lib/libsocket.so
libw.so.1 usr/lib/libw.so
libc.so.1 usr/lib/libc.so
libkstat.so.1 usr/lib/libkstat.so
libmp.so.1 usr/lib/libmp.so
libthread.so.1 usr/lib/libthread.so
nss_dns.so.1 usr/lib/nss_dns.so
nss_files.so.1 usr/lib/nss_files.so
libc2.so.1 usr/lib/libc2.so
libc2stubs.so.1 usr/lib/libc2stubs.so
libthread_db.so.1 usr/lib/libthread_db.so
libposix4.so.1 usr/lib/libposix4.so
libm.so.1 usr/lib/libm.so
mkperm.c

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * mkperm - convert an ls -l permission string (e.g. crw-rw-rw- or
 * -r-sr-xr-x) into the octal mode chmod expects, printed with no newline.
 * Character 0 is the file type; characters 1-9 are the permission bits.
 */

/* Bit shift for position i (1-9): owner bits 6, group bits 3, other 0 */
int shift(int i)
{
    return ((9 - i) / 3 * 3);
}

int main(int argc, char **argv)
{
    int i;
    int perm = 0;

    if (argc != 2 || strlen(argv[1]) < 10) {
        fprintf(stderr, "Usage: mkperm permstring\n");
        exit(1);
    }
    for (i = 1; i < 10; i++) {
        switch (argv[1][i]) {
        case 'r': perm += (04 << shift(i)); break;
        case 'w': perm += (02 << shift(i)); break;
        case 'x': perm += (01 << shift(i)); break;
        /* s: setuid (owner slot) or setgid (group slot), with execute */
        case 's': perm += (i == 3) ? 04100 : 02010; break;
        /* S: setuid or setgid without execute */
        case 'S': perm += (i == 3) ? 04000 : 02000; break;
        /* l: mandatory file locking (setgid without group execute) */
        case 'l': perm += (i == 3) ? 04000 : 02000; break;
        /* t, T: sticky bit with and without other execute */
        case 't': perm += 01001; break;
        case 'T': perm += 01000; break;
        case '-':
        default:
            break;
        }
    }
    printf("%o", perm);
    return 0;
}
Output of ls -lR /tmp/cell_test

/tmp/cell_test:
total 64
lrwxrwxrwx   1 root     other          7 Dec 28 12:28 bin -> usr/bin
drwxr-xr-x   2 root     other        600 Dec 28 12:28 dev
drwxr-xr-x   3 root     other        108 Dec 28 12:28 devices
drwxr-xr-x   4 root     other        764 Dec 28 12:28 etc
lrwxrwxrwx   1 root     other          7 Dec 28 12:28 lib -> usr/lib
drwxr-xr-x   2 root     other         69 Dec 28 12:28 tmp
drwxr-xr-x   6 root     other        217 Dec 28 12:28 usr
drwxr-xr-x   3 root     other        107 Dec 28 12:28 var

/tmp/cell_test/dev:
total 112
lrwxrwxrwx   1 root     other         31 Dec 28 12:28 conslog -> ../devices/pseudo/log@0:conslog
lrwxrwxrwx   1 root     other         30 Dec 28 12:28 console -> ../devices/pseudo/cn@0:console
lrwxrwxrwx   1 root     other         28 Dec 28 12:28 ip -> ../devices/pseudo/clone@0:ip
lrwxrwxrwx   1 root     other         27 Dec 28 12:28 null -> ../devices/pseudo/mm@0:null
lrwxrwxrwx   1 root     other         29 Dec 28 12:28 syscon -> ../devices/pseudo/cn@0:syscon
lrwxrwxrwx   1 root     other         29 Dec 28 12:28 systty -> ../devices/pseudo/cn@0:systty
lrwxrwxrwx   1 root     other         29 Dec 28 12:28 tcp -> ../devices/pseudo/clone@0:tcp
lrwxrwxrwx   1 root     other         29 Dec 28 12:28 ticlts -> ../devices/pseudo/tl@0:ticlts
lrwxrwxrwx   1 root     other         29 Dec 28 12:28 ticots -> ../devices/pseudo/tl@0:ticots
lrwxrwxrwx   1 root     other         32 Dec 28 12:28 ticotsord -> ../devices/pseudo/tl@0:ticotsord
lrwxrwxrwx   1 root     other         26 Dec 28 12:28 tty -> ../devices/pseudo/sy@0:tty
lrwxrwxrwx   1 root     other         29 Dec 28 12:28 udp -> ../devices/pseudo/clone@0:udp
lrwxrwxrwx   1 root     other         27 Dec 28 12:28 zero -> ../devices/pseudo/mm@0:zero
lrwxrwxrwx   1 root     other         29 Dec 28 12:28 zsh -> ../devices/pseudo/clone@0:zsh

/tmp/cell_test/devices:
total 8
drwxr-xr-x   2 root     other        683 Dec 28 12:28 pseudo

/tmp/cell_test/devices/pseudo:
total 0
crw-rw----   1 root     sys       11,  3 Dec 28 12:28 clone@0:ip
crw-rw-rw-   1 root     sys       11, 42 Dec 28 12:28 clone@0:tcp
crw-rw-rw-   1 root     sys       11, 41 Dec 28 12:28 clone@0:udp
crw-rw-rw-   1 root     sys       11, 71 Dec 28 12:28 clone@0:zsh
crw--w----   1 root     tty        0,  0 Dec 28 12:28 cn@0:console
crw--w----   1 root     tty        0,  0 Dec 28 12:28 cn@0:syscon
crw--w----   1 root     tty        0,  0 Dec 28 12:28 cn@0:systty
crw-rw-rw-   1 root     sys       21,  0 Dec 28 12:28 log@0:conslog
crw-rw-rw-   1 root     sys       13,  2 Dec 28 12:28 mm@0:null
crw-rw-rw-   1 root     sys       13, 12 Dec 28 12:28 mm@0:zero
crw-rw-rw-   1 root     tty       22,  0 Dec 28 12:28 sy@0:tty
crw-rw-rw-   1 root     sys      105,  2 Dec 28 12:28 tl@0:ticlts
crw-rw-rw-   1 root     sys      105,  0 Dec 28 12:28 tl@0:ticots
crw-rw-rw-   1 root     sys      105,  1 Dec 28 12:28 tl@0:ticotsord

/tmp/cell_test/etc:
total 136
lrwxrwxrwx   1 root     other         14 Dec 28 12:28 TIMEZONE -> ./default/init
drwxr-xr-x   2 root     other        106 Dec 28 12:28 default
-rw-r--r--   1 root     other        292 Dec 28 12:28 group
lrwxrwxrwx   1 root     other         12 Dec 28 12:28 hosts -> ./inet/hosts
drwxr-xr-x   2 root     other        315 Dec 28 12:28 inet
lrwxrwxrwx   1 root     other         17 Dec 28 12:28 inetd.conf -> ./inet/inetd.conf
-rw-r--r--   1 root     other       1064 Dec 28 12:28 netconfig
lrwxrwxrwx   1 root     other         15 Dec 28 12:28 netmasks -> ./inet/netmasks
lrwxrwxrwx   1 root     other         15 Dec 28 12:28 networks -> ./inet/networks
-rw-r--r--   1 root     other        690 Dec 28 12:28 nsswitch.conf
-r--r--r--   1 root     other        832 Dec 28 12:28 passwd
lrwxrwxrwx   1 root     other         16 Dec 28 12:28 protocols -> ./inet/protocols
-rw-r--r--   1 root     other         42 Dec 28 12:28 resolv.conf
lrwxrwxrwx   1 root     other         15 Dec 28 12:28 services -> ./inet/services
-r--------   1 root     other        474 Dec 28 12:28 shadow
-rw-r--r--   1 root     other          5 Dec 28 12:28 syslog.pid
-rw-r--r--   1 root     other       1408 Dec 28 12:28 ttysrch

/tmp/cell_test/etc/default:
total 8
-r-xr-xr-x   1 root     other        462 Dec 28 12:28 init

/tmp/cell_test/etc/inet:
total 56
-r--r--r--   1 root     other        162 Dec 28 12:28 hosts
-r--r--r--   1 root     other       4687 Dec 28 12:28 inetd.conf
-r--r--r--   1 root     other        567 Dec 28 12:28 netmasks
-r--r--r--   1 root     other        372 Dec 28 12:28 networks
-r--r--r--   1 root     other        499 Dec 28 12:28 protocols
-r--r--r--   1 root     other       2152 Dec 28 12:28 services

/tmp/cell_test/tmp:
total 0

/tmp/cell_test/usr:
total 32
drwxr-xr-x   2 root     other        104 Dec 28 12:28 bin
drwxr-xr-x   2 root     other       1782 Dec 28 12:28 lib
drwxr-xr-x   4 root     other        141 Dec 28 12:28 local
drwxr-xr-x   3 root     other        105 Dec 28 12:28 share

/tmp/cell_test/usr/bin:
total 176
-r-xr-xr-x   1 root     other      89564 Dec 28 12:28 sh

/tmp/cell_test/usr/lib:
total 4192
-rwxr-xr-x   1 root     other      24576 Dec 28 12:28 ld.so
-rwxr-xr-x   1 root     other     124720 Dec 28 12:28 ld.so.1
lrwxrwxrwx   1 root     other          9 Dec 28 12:28 libc.so -> libc.so.1
-rwxr-xr-x   1 root     other     665508 Dec 28 12:28 libc.so.1
lrwxrwxrwx   1 root     other         10 Dec 28 12:28 libc2.so -> libc2.so.1
-rwxr-xr-x   1 root     other      13768 Dec 28 12:28 libc2.so.1
lrwxrwxrwx   1 root     other         15 Dec 28 12:28 libc2stubs.so -> libc2stubs.so.1
-rwxr-xr-x   1 root     other      13768 Dec 28 12:28 libc2stubs.so.1
lrwxrwxrwx   1 root     other         10 Dec 28 12:28 libdl.so -> libdl.so.1
-rwxr-xr-x   1 root     other       3484 Dec 28 12:28 libdl.so.1
lrwxrwxrwx   1 root     other         11 Dec 28 12:28 libelf.so -> libelf.so.1
-rwxr-xr-x   1 root     other      75784 Dec 28 12:28 libelf.so.1
lrwxrwxrwx   1 root     other         12 Dec 28 12:28 libintl.so -> libintl.so.1
-rwxr-xr-x   1 root     other      15720 Dec 28 12:28 libintl.so.1
lrwxrwxrwx   1 root     other         13 Dec 28 12:28 libkstat.so -> libkstat.so.1
-rwxr-xr-x   1 root     other       6432 Dec 28 12:28 libkstat.so.1
lrwxrwxrwx   1 root     other          9 Dec 28 12:28 libm.so -> libm.so.1
-rwxr-xr-x   1 root     other     110820 Dec 28 12:28 libm.so.1
lrwxrwxrwx   1 root     other         10 Dec 28 12:28 libmp.so -> libmp.so.1
-rwxr-xr-x   1 root     other      15720 Dec 28 12:28 libmp.so.1
lrwxrwxrwx   1 root     other         11 Dec 28 12:28 libnsl.so -> libnsl.so.1
-rwxr-xr-x   1 root     other     573912 Dec 28 12:28 libnsl.so.1
lrwxrwxrwx   1 root     other         14 Dec 28 12:28 libposix4.so -> libposix4.so.1
-rwxr-xr-x   1 root     other      11456 Dec 28 12:28 libposix4.so.1
lrwxrwxrwx   1 root     other         14 Dec 28 12:28 libresolv.so -> libresolv.so.2
-rwxr-xr-x   1 root     other      35436 Dec 28 12:28 libresolv.so.1
-rwxr-xr-x   1 root     other      65580 Dec 28 12:28 libresolv.so.2
lrwxrwxrwx   1 root     other         14 Dec 28 12:28 libsocket.so -> libsocket.so.1
-rwxr-xr-x   1 root     other      68780 Dec 28 12:28 libsocket.so.1
lrwxrwxrwx   1 root     other         14 Dec 28 12:28 libthread.so -> libthread.so.1
-rwxr-xr-x   1 root     other     112568 Dec 28 12:28 libthread.so.1
lrwxrwxrwx   1 root     other         17 Dec 28 12:28 libthread_db.so -> libthread_db.so.0
-rwxr-xr-x   1 root     other      21700 Dec 28 12:28 libthread_db.so.1
lrwxrwxrwx   1 root     other          9 Dec 28 12:28 libw.so -> libw.so.1
-rwxr-xr-x   1 root     other      39932 Dec 28 12:28 libw.so.1
lrwxrwxrwx   1 root     other         12 Dec 28 12:28 nss_dns.so -> nss_dns.so.1
-rwxr-xr-x   1 root     other       9504 Dec 28 12:28 nss_dns.so.1
lrwxrwxrwx   1 root     other         14 Dec 28 12:28 nss_files.so -> nss_files.so.1
-rwxr-xr-x   1 root     other      21288 Dec 28 12:28 nss_files.so.1

/tmp/cell_test/usr/local:
total 16
drwxr-xr-x   2 root     other         69 Dec 28 12:28 bin
drwxr-xr-x   2 root     other         69 Dec 28 12:28 etc

/tmp/cell_test/usr/local/bin:
total 0

/tmp/cell_test/usr/local/etc:
total 0

/tmp/cell_test/usr/share:
total 8
drwxr-xr-x   3 root     other        110 Dec 28 12:28 lib

/tmp/cell_test/usr/share/lib:
total 8
drwxr-xr-x   3 root     other        104 Dec 28 12:28 zoneinfo

/tmp/cell_test/usr/share/lib/zoneinfo:
total 8
drwxr-xr-x   2 root     other        109 Dec 28 12:28 US

/tmp/cell_test/usr/share/lib/zoneinfo/US:
total 8
-rw-r--r--   1 root     other        817 Dec 28 12:28 Eastern

/tmp/cell_test/var:
total 8
drwxr-xr-x   3 root     other        106 Dec 28 12:28 spool

/tmp/cell_test/var/spool:
total 8
drwxr-xr-x   2 root     other         69 Dec 28 12:28 list

/tmp/cell_test/var/spool/list:
total 0