[SPARCbook] Hosed /etc/passwd file

Sunder sunder at sunder.net
Tue Jan 11 14:49:44 CST 2000


On 11-Jan-00 at 05:03, James D. Meacham (jmeacham at hume.jhuccp.org) wrote:
>
> So, I'm going against the Conventional Wisdom and editing /etc/passwd on
> my 3GX running 2.6 by hand.  Although I've been trying to teach my 22
> mo/old son proper computer values by giving him his own Intel machine (an
> old 486) to bang on while telling him at all times to respect the unix
> equipment, while I was editing the file, he jumped into my lap.  Now the
> shell section of the root line in /etc/passwd reads /bin/bashXY.  So now I
> can't login or su to root.  It won't even let me run commands as root
> 'cause there is no shell to handle them.  Even booting into single-user
> mode doesn't work; I just get a "no shell" message and it boots into
> multi-user.  Very frustrating, because I didn't notice it had happened at
> the time, and I've been using it in root mode doing systems suspends for
> the last few weeks.  Anyone have any suggestions, or am I going to have to
> boot from an external CD?  Jeez.

Found it:

I'm not sure if this will work for root as well, but I tried this on my own
box.  I created an account called "xray" to test this with and it worked.  The
xray account did have a messed up shell.  Precisely /usr/local/bin/bashXX. :)

As long as you still know the root password:

This worked:

su - xray -c "/bin/touch /tmp/xray-wuz-here"
(enter the password here)

When I did ls -Fla /tmp/xray*, the file showed up.  I can't guarantee that this
will work, but you could try something like this:

su - root -c "/bin/echo toor:x:0:1:Super-User:/:/sbin/sh >>/etc/passwd"

followed by

su - root -c "/bin/echo toor:::::::: >>/etc/shadow"

Be especially careful to have two >'s in the above commands or you'll blow away
your password or shadow file!  Check twice before hitting enter. :)

Also be careful with the number of :'s in the shadow entry.

This will add another account called 'toor' with the same uid as root, but with
a valid shell, and *NO PASSWORD*.

Immediately after you make this change, be sure to fix the entry for root and
then either set a password on toor or delete it. :)  Hell, to be safe, I'd boot
with my sparcbook off the net. :)

Good luck and let us know if you fix it.


Before I tried the above, this is what I was about to suggest:

Got ssh on the box?  You could for example scp a new copy of /etc/passwd if you
did.  

I'd also say, if you didn't disable ftp for user root, but that requires you to
edit /etc/shells to put in the shell that root has. :)  Which if you could do,
you'd be able to edit /etc/passwd...

Did you patch this box?  If not check bugtraq/rootshell/etc for root
exploits... Might be something to help you there...


-- 
---------------------------- Kaos Keraunos Kybernetos -------------------- 
 + ^ +  Sunder              "Only someone completely distrustful of   /|\ 
  \|/   sunder at sunder.net    all government would be opposed to what /\|/\ 
<--*--> -------------------- we are doing with surveillance cameras" \/|\/ 
  /|\   You're on the air.   -- NYC Police Commish H. Safir.          \|/ 
 + v +  Say 'Hi' to Echelon  "Privacy is an 'antisocial act'" - The FedZ.
---------------------------- http://www.sunder.net -----------------------
I love the smell of Malathion in the morning, it smells like brain cancer.
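
As an added example (not part of the original post): a small POSIX shell check for the account states discussed in this thread, namely a login shell that does not exist, a passwd line with the wrong number of fields, a second UID 0 account, and an empty shadow password. The function names, finding labels and sample files are constructed for illustration; the sample uses /bin/sh as the valid shell so that it exists on the host running the check.

```shell
#!/bin/sh
# audit_accounts PASSWD_FILE SHADOW_FILE -> prints one finding per line.
audit_accounts() {
    passwd_file=$1
    shadow_file=$2
    # passwd(4): name:passwd:uid:gid:gecos:home:shell (exactly 7 fields).
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        name=${line%%:*}
        nfields=$(printf '%s\n' "$line" | awk -F: '{ print NF }')
        if [ "$nfields" -ne 7 ]; then
            echo "BADFIELDS:$name:$nfields"
            continue
        fi
        uid=$(printf '%s\n' "$line" | cut -d: -f3)
        shell=${line##*:}
        # An empty shell field means the system default shell, so skip it.
        if [ -n "$shell" ] && [ ! -x "$shell" ]; then
            echo "NOSHELL:$name:$shell"
        fi
        # Any UID 0 account other than root is a second superuser.
        if [ "$uid" = 0 ] && [ "$name" != root ]; then
            echo "UID0:$name"
        fi
    done < "$passwd_file"
    # shadow(4): an empty second field means the account has no password.
    awk -F: '$1 != "" && $2 == "" { print "NOPASSWD:" $1 }' "$shadow_file"
}

# Constructed sample files modelled on the thread (not real system files).
sample_run() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/passwd" <<'EOF'
root:x:0:1:Super-User:/:/bin/bashXY
toor:x:0:1:Super-User:/:/bin/sh
extra:root:x:0:1:Super-User:/:/bin/sh
daemon:x:1:1::/:
EOF
    cat > "$dir/shadow" <<'EOF'
root:constructedhash:6445::::::
toor::::::::
daemon:NP:6445::::::
EOF
    audit_accounts "$dir/passwd" "$dir/shadow"
    rm -rf "$dir"
}
sample_run
```

Run it against copies of the edited files before logging out of the last working root session; any output line is a reason to re-open the file.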





