FOLLOWUP to SUMMARY: Lost access to Solaris 10 11/06 after renaming /usr/lib/

From: Doug Yatcilla <>
Date: Thu Jun 28 2007 - 11:03:21 EDT
For anybody who is interested, a clever reader described a 
way to solve this problem without a reboot (but I found out after I had already 
rebooted to fix the problem.)

> Even though, I had lost the ability to log in as root or any
> other user into the global zone, a few suggested renaming the file
> from a NFS client with root access to /usr/lib (but I was not sharing
> that filesystem) or getting root access via another program (such as
> modifying a script run by root's crontab.)  But, the lack of
> seemed to have also shut down cron (even though "svcs cron" reported it
> was still online and neither /var/svc/log/system-cron:default.log nor
> /var/adm/messages had errors.)

The broken server was already exporting several NFS filesystems (and
the "nosetuid" NFS option was NOT set).  I logged into one of the NFS
client systems as root and created either of these programs and chown
root + chmod 4755 (to make them setuid-root on execution):

In perl:

  $> = 0;
  $< = 0;

In C:

  main() {

Now, back on the broken system/NFS server, I just needed to execute
either program to get a root shell.  I duplicated my original problem
on a test system and was able to successfully gain root access.  

Amazing!  This tip is courtesy of "James W. Abendschan" <jwa#AT#jammed(DOT)com>
I hope I never need to do something like that again.  Thanks also for
a reminder to have a healthy respect for ways to work around system
security using NFS! 

Also, I had unkind words about system recovery:

> Even though I did not use the failsafe kernel, I dread having to use
> it.  Since I use Solaris Volume Manager to mirror the root filesystem,
> the failsafe kernel complains that it cannot mount it on /a.  So, what
> good is this for me?  If I cannot mount the root filesystem directly,
> I would need to do all of this:

Hidden in the Solaris documentation is a clear description of how to
mount a SVM mirrored filesystem on a Solaris 10 system:
(warning: outrageously slow site!)

You still need to know ahead of time a disk slice containing at least
one side of your root filesystem mirror (or use format to examine
disks and take a guess.)  But, using "update_drv" works better than
the procedure I described earlier.  It works for both x86 and SPARC
versions of Solaris.

If you are using x86 Solaris with GRUB boot menu and want to boot to
single-user mode and forgot to restart your system with "reboot --
-s", then you can wait until the GRUB menu appears and edit the entry
that boots the system.  Press the "e" key to edit, then modify the 
"kernel" line to add a "-s" to it, then select it to be booted and it
will boot to the single-user milestone.

Thanks also to:
Brad Morrison <brad.morrison*AT*gmail^DOT^com>
Dan Lorenzini <lorenzd$AT$gcm&DOT&com>
sunmanagers mailing list
Received on Thu Jun 28 11:03:39 2007
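
The recovery described in this message depended on setuid execution not being disabled on the filesystems involved. As an added example (not part of the original post), this shell function lists mount-table entries of the chosen filesystem types that carry neither "nosuid" nor "nosetuid"; the four-field layout (as in Solaris /etc/mnttab), the sample table and its host and path names are constructed assumptions, and export (share) options are not inspected.

```shell
#!/bin/sh
# Added example: report mounts where setuid execution is still permitted.
# Assumed input layout (Solaris /etc/mnttab, Linux /proc/mounts):
#   device  mount_point  fstype  comma-separated-options  ...

# Usage: suid_allowed_mounts [fstype,fstype,...] < mount_table
# Prints "mount_point fstype device" for each matching entry whose
# options contain neither "nosuid" nor "nosetuid".
suid_allowed_mounts() {
    awk -v types="${1:-nfs,nfs3,nfs4}" '
        BEGIN {
            n = split(types, t, ",")
            for (i = 1; i <= n; i++) want[t[i]] = 1
        }
        /^[ \t]*(#|$)/ { next }      # skip comments and blank lines
        NF < 4         { next }      # skip malformed entries
        !($3 in want)  { next }      # only the requested fstypes
        {
            blocked = 0
            m = split($4, opt, ",")
            # Compare whole option tokens, so an explicit "suid" or
            # "setuid" is never mistaken for its "no..." counterpart.
            for (i = 1; i <= m; i++)
                if (opt[i] == "nosuid" || opt[i] == "nosetuid")
                    blocked = 1
            if (!blocked) print $2, $3, $1
        }
    '
}

# Constructed sample table (not taken from any real system).
sample_mnttab() {
cat <<'EOF'
/dev/md/dsk/d0 / ufs rw,intr,largefiles,logging,xattr,dev=1540000 1182999000
filer:/export/home /home nfs rw,nosuid,xattr,dev=4700001 1182999100
filer:/export/tools /opt/tools nfs rw,xattr,dev=4700002 1182999101
filer:/export/scratch /scratch nfs rw,nosetuid,nodevices,dev=4700003 1182999102
filer:/export/src /src nfs ro,suid,dev=4700004 1182999103
EOF
}

# Demo on the constructed sample; on a live host redirect the real table in.
sample_mnttab | suid_allowed_mounts
```

Passing a different type list, for example `suid_allowed_mounts ufs < /etc/mnttab`, applies the same check to local filesystems that are exported to clients.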
