fuser functionality seems to have changed in AIX 6.1 TL8 and AIX 7.1

steven_nospam at Yahoo! Canada

Jul 10, 2013, 5:25:23 PM
Hi AIX Gurus,

Our company has some scripts that are used to check if users are logged into a specific directory or file system, and the script uses the fuser command.

What we do is look at the PIDs listed in "fuser ${pathname}" to determine which users are accessing what files. This is done so we can do maintenance at times. We make sure all users are out of the directory, have a method to keep them out, then do our backups or maintenance or whatever.

The problem we are encountering is with AIX 6.1 TL8 and above. It seems that IBM may have made a change so that a non-root user can only see their own PIDs when running fuser, and not all of the PIDs associated with that path.

Example from AIX 5.1, 5.3, and early 6.1 systems:

# whoami
office1

# oslevel -s
6100-06-01-1043

# fuser -u /qc/sample
/qc/sample: 2490476c(postgres) 5767176c(postgres) 6094882c(postgres) 6750434c(postgres) 6815922c(postgres) 7143588c(postgres) 7471358c(postgres) 7799036c(postgres) 8913140c(postgres) 11600120c(postgres) 11731066c(1008) 12976256c(postgres) 13303960c(postgres) 13500622c(postgres) 13566180c(postgres) 13893696c(postgres) 15138826c(postgres) 15466614c(postgres) 16842792c(postgres) 18153666c(1009) 18612404c(postgres) 18743530c(postgres) 19071062c(1010) 19202252c(postgres) 19267626c(postgres) 19595344c(postgres) 20709580c(postgres) 20840526c(postgres) 23658578c(postgres) 23986214c(postgres) 25100526c(postgres) 25493664c(postgres) 25952288c(postgres) 26148996c(1004) 26542084c(postgres) 26935550c(postgres)


And here is the behavior from AIX 6.1 TL8 and AIX 7.1:

# whoami
steven

# oslevel -s
7100-00-03-1115

# fuser -u /qc/sample
/qc/sample: 18153580c(steven)

---(switching to root login)---

# whoami
root

# fuser -u /liv/spl
/qc/sample: 11665606c(informix) 14417932c(root) 18153580c(steven) 18284670c(informix)


The result of this change means that our scripts are not seeing all the users that they are supposed to. At least it still works as long as the user running the script is root, but we don't want our operators all logging on as root to do their maintenance.

My question therefore is this: Is there an alternative to fuser that we can use to get a list of PIDs or usernames that are accessing a specific directory? I know that lsof is supposed to do something similar, but not sure how to get it to list the PIDs so I can track this back to a specific user.

Here is the logic that exists in the script, in case it helps to clarify what we are trying to accomplish:

DIRPIDS="$(fuser ${W_DIR} 2>/dev/null)"
WHOPIDS="$(ps -eo pid="",tty="",comm=""|egrep -v " \- |getty|defunct"|awk '{print $1}')"
QBPIDS="$(cat /var/spool/lpd/stat/p.queue?.str* 2>/dev/null)"
USRCNT=0
TLIST=""
for PLOOP in ${WHOPIDS}
do
    ###################################################################
    # Get the PID number and see if it is in our list of directory pids
    # If it is, then add the tty or pts to our list
    ###################################################################
    PNUM=$(echo ${DIRPIDS} | tr -s ' ' '\n' | grep "^${PLOOP}$")
    if test ! "${PNUM}" = ""
    then
        ################################################################
        # If it is a tty, it only shows up as a number                 #
        # eg. 4 instead of tty4                                        #
        # To correct that, we have to check and add "tty" if not a pts #
        ################################################################
        TNUM="$(ps -o tty="" -p ${PNUM} | awk '{print $1}')"
        if test "$(echo ${TNUM}|cut -c1)" = "p"
        then
            TLIST="${TLIST} ${TNUM}"
        else
            TLIST="${TLIST} tty${TNUM}"
        fi
    fi
done

When all is said and done, the $TLIST variable contains a list of tty or pts of the logged on users in the directory. What I need is some way to achieve that same list with a different command if the fuser has changed. Either that or I explore a compiled program with S-bit turned on.

Any suggestions? My next stop is to ask IBM why they changed the fuser, since I did not see details of this new requirement in the man pages or the differences guide.

Thx.

SteveN

Ed Ravin

Jul 10, 2013, 10:46:33 PM
From somewhere in cyberspace, "steven_nospam at Yahoo! Canada" <steven...@yahoo.ca> said:
...
>The problem we are encountering is with AIX 6.1 TL8 and above. It seems
>that IBM may have made a change so that a non-root user can only see
>their own PIDs when running fuser, and not all of the PIDs associated
>with that path.

Have you checked the man pages of fuser to see if they have any
configuration options for showing files of other users? Also,
have you compared the permissions of fuser on the working systems
with the new ones?

The most straightforward and manageable solution is to install sudo
and set it up so that the desired user(s) can run fuser as root
without a password.

lsof will also work, you can install it setuid or run it out of
sudo, but since you're used to fuser you should probably stick with
that, as lsof may require separate maintenance after OS upgrades.

-- Ed

--
Ed Ravin | Warning - this email may contain rhetorical
| devices, metaphors, analogies, typographical
eravin@ | errors, or just plain snarkiness. A sense of
panix.com | humor may be required for proper interpretation.

Thomas Braunbeck

Jul 11, 2013, 5:31:52 AM
Am 10.07.2013 23:25, schrieb steven_nospam at Yahoo! Canada:
> The problem we are encountering is with AIX 6.1 TL8 and
> above. It seems that IBM may have made a change so that
> a non-root user can only see their own PIDs when running
> fuser, and not all of the PIDs associated with that path.

Call IBM support and open a service request and refer to
APAR IV45190 (so level 1 support does not waste too much
time).

steven_nospam at Yahoo! Canada

Jul 12, 2013, 11:09:24 AM
> Have you checked the man pages of fuser to see if they have any
> configuration options for showing files of other users? Also,
> have you compared the permissions of fuser on the working systems
> with the new ones?

Hi Ed,

Yes, I checked man to see if they added any new flags or mentioned any new restrictions for fuser. Nothing. And the permissions are the same:

AIX 5.3
-r-sr-xr-x 1 root system 19084 Mar 20 2009 /usr/sbin/fuser
AIX 7.1
-r-sr-xr-x 1 root system 38380 Dec 17 2012 /usr/sbin/fuser

We don't have sudo installed. I have pushed for that, but those higher up want to use software products that are available on the supplied AIX media. I believe lsof is actually included in the AIX Expansion Pack.

steven_nospam at Yahoo! Canada

Jul 12, 2013, 11:11:33 AM
> Call IBM support and open a service request and refer to
> APAR IV45190 (so level 1 support does not waste too much
> time).

I see the APAR on Fix Central. Thanks for pointing me in that direction. So looks like others have reported it, but no fix available yet. Guess I call and report it too.

My other option at this point is to setuid on our scripts and make them run as root. Or Sudo as Ed pointed out earlier.

Thanks guys.

Tony

Jul 12, 2013, 11:49:30 AM
In comp.unix.aix, "steven_nospam at Yahoo! Canada" <steven...@yahoo.ca>
wrote:

>My other option at this point is to setuid on our scripts

You can use setuid on scripts. Binaries only.
--
Tony Evans
Seeking archives for uk.* from 1998 and older. Especially interested
in uk.net.news.* and any groups which preceded uk.net.news.* for
hierarchy management (uk.misc? uk.net?).

Ted Linnell

Jul 12, 2013, 10:38:44 PM
"steven_nospam at Yahoo! Canada" <steven...@yahoo.ca> wrote:

Sudo is far more secure than setuid, and from memory AIX does not
allow setuid on scripts.

Ted.
==============================================================
| Ted Linnell <edli...@acslink.net.au> |
| |
| Nunawading, Victoria , Australia |
==============================================================

Thomas Braunbeck

Jul 13, 2013, 1:06:54 AM
Am 12.07.2013 17:11, schrieb steven_nospam at Yahoo! Canada:
> Guess I call and report it too.

Request an ifix from IBM. The code change should be in fuser
only - so this ifix can be installed without the need to reboot.
As a quick work around you may use an fuser from a lower AIX TL/SP,
one without the fix for IV29289 (read this APAR, it is a security
issue, users can kill processes of other users). Use the TL8 SP1
fuser.
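
The sudo route suggested earlier in the thread, narrowed so that operators get one fixed query as root rather than the whole fuser command. This is an added example, not code from the thread or from IBM: the script name `dirusers`, the account `operator`, the sudoers rule and the directory list are assumptions, and the parser reads the `fuser -u` listing format shown in the first post.

```shell
#!/bin/sh
# Added example, not from the thread. Meant to be the only command an operator
# may run as root, e.g. with an assumed sudoers rule such as
#   operator ALL=(root) NOPASSWD: /usr/local/sbin/dirusers
# ("operator" and the script path are hypothetical).
PATH=/usr/bin:/bin:/usr/sbin; export PATH   # fixed PATH for a root-run script

# Directories operators may query (assumed list, taken from the thread's examples).
ALLOWED_DIRS="/qc/sample /liv/spl"

# Succeeds only on an exact allow-list match, so no option and no other
# path ever reaches the root-run fuser.
allowed_dir() {
    for d in $ALLOWED_DIRS; do
        [ "$1" = "$d" ] && return 0
    done
    return 1
}

# Reduce a `fuser -u` listing to "pid user" lines.
# Tokens look like 18153580c(steven); the leading "path:" token is dropped.
parse_fuser_u() {
    tr -s ' \t' '\n\n' |
        sed -n 's/^\([0-9][0-9]*\)[a-z]*(\([^)]*\))$/\1 \2/p'
}

# From "pid user" lines, list each user other than $1 once.
other_users() {
    awk -v me="$1" '$2 != me && !seen[$2]++ { print $2 }'
}

# Constructed sample in the format shown in the thread.
SAMPLE='/qc/sample: 11665606c(informix) 14417932c(root) 18153580c(steven) 18284670c(informix)'

main() {
    allowed_dir "$1" || { echo "usage: dirusers <allowed directory>" >&2; return 2; }
    # Output passes through unchanged: PIDs on stdout, as the original script expects.
    exec /usr/sbin/fuser -u "$1"
}

# Installed as "dirusers" it runs the gated query; under any other name it
# only demonstrates the parser on the constructed sample.
case "${0##*/}" in
    dirusers) main "$@" ;;
    *) printf '%s\n' "$SAMPLE" | parse_fuser_u | other_users steven ;;
esac
```

With this in place the existing script would call the wrapper through sudo instead of calling fuser directly, and the sudoers entry names only the wrapper.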