Use the dos command to break the Unix administrator password

zhaozj  2021-02-08

Author: Kitty   Source: [Arrogant Eagle Network Security Shinkansen]

A radically new way to solve the problem of a forgotten UNIX system administrator password

Introduction

For most SCO UNIX system administrators, one of the most unforgivable mistakes is forgetting the administrator (superuser) password. Anyone with basic knowledge of UNIX knows how serious the consequences of this negligence are. Unfortunately, people still come to us with this problem today. They deserve the blame, but since the problem exists, we have to face it and try to solve it.

Many views have been published on the superuser-password problem over the years. Some hold that once the superuser password is forgotten the only remedy is to reinstall the operating system, so nothing can be done. Others firmly oppose "reinstallation" and have put forward solutions that have been used successfully, so that reinstallation is no longer necessary. Today we can say with certainty that a forgotten superuser password is a solvable problem.

But we must admit that the existing solutions have many limitations, and those limitations prevent them from becoming the most thorough and robust solution.

Limitations of the traditional solutions

As noted above, a number of solutions to the forgotten-superuser-password problem already exist; for convenience this article groups them together as the traditional solutions. They look different, but careful analysis shows that they share the following features.

There must be a set (two disks) of Emergency Boot Floppies. These floppies carry a file system, must be made on SCO UNIX, and an emergency boot set made on one type of machine cannot be used on another.

After booting from the emergency floppies, the hard disk's root file system is mounted on a directory (usually /mnt), the operator changes into that directory (that is, into the root of the hard disk file system) and modifies the directories and files that hold the superuser password information (this is where the various solutions differ). Finally the operator returns to the floppy's root directory, unmounts /dev/hd0root and reboots the machine.

These common features are in fact the limitations of the traditional solutions:

First, the operating platform: every step, from beginning to end, must be carried out on the SCO UNIX platform.

Second, the operating tools: the dependence on the emergency boot floppies is too great. If the floppies are damaged, you must find a machine of the same type to make a new set; this is the "special-purpose" limitation.

Third, the operating object: the solutions depend on the support of the hard disk file system. The operator is separated from the object (the information related to the superuser password) by the file system and cannot modify the object directly, only through the services the file system provides. This is an instance of the layering principle advocated in information science, and under normal circumstances it is a good thing; but everything has two sides, and in unusual cases, such as a forgotten superuser password, it can cause trouble.

These three limitations show the fragility and narrowness of the traditional solutions, and they are the inherent weakness of any high-level approach that sits above the file system. Breaking through these limitations and exploring a new solution has therefore become a new topic for all UNIX researchers.

A new topic

The new topic is to find a solution that breaks through the limitations of the traditional ones. Where to begin? Let us look again at the three limitations.

The operating-platform limitation does not look easy to break, because no other operating system recognises the UNIX file system format.

The operating-tool limitation looks even harder: the emergency boot floppies must be made on UNIX and can only be used on UNIX, so as long as the platform limitation stands, this one cannot be broken either.

Finally, the operating-object limitation. The objects are managed entirely by the file system, and the operator must reach them through the file system. If the file system crashes, then even if the files underneath are intact the operator can only conclude that they are lost, because the file system can no longer access them (for example, it cannot be mounted). Yet there is still a way to reach those files: access the physical hard disk directly. The reason is simple: in essence, a file system is nothing more than a logical organisation built on top of the physical disk. Normally we reach the disk through that organisation; once the organisation is broken and no longer serves us, we have to fend for ourselves. Direct access to the physical disk not only recovers "lost" files, it has another important meaning: it breaks through the operating-object limitation.

Once that limitation is broken, we find to our surprise that the other two fall with it. Although other operating systems do not understand the UNIX file system format, physical disk access is possible on any operating system, and any software that can access the physical disk can serve as our operating tool.

All that remains is to find the software everyone is most familiar with that can access the physical disk. The operating system everyone knows best is undoubtedly DOS. Many programs can access the physical disk, but the easiest to find is debug.exe. It is the easiest to find because DEBUG is an external command of DOS itself, so it can be found on any machine with DOS installed. Someone who knows a little about DEBUG may object that the command offers no option for accessing the physical disk; but do not forget that DEBUG is the assembly-language debugger DOS provides its users, and we can use it to write, debug and run a small assembly program that accesses the physical disk. That should not be difficult for anyone who has become a system administrator.

In summary, running DEBUG under DOS to break the UNIX administrator password is the new solution to the forgotten SCO UNIX superuser password.

Applying the new solution

The new solution has been proposed; let us see how it is applied in practice.

First, because of limits on the length and nature of this article, it cannot introduce all the knowledge involved in carrying out the new solution as an "introductory lecture". Before reading this section the reader should therefore have the following background: familiarity with the layout of the hard disk master boot sector, UNIX partitions and UNIX file systems (not a problem for a UNIX system administrator), an understanding of the INT 13h entry parameters, and the ability to use the debug command.

The example machine is a Compaq DeskPro XL/466 server with an onboard PCI SCSI-2 controller and one Rusdom hard disk. The main disk parameters are 1041 cylinders, 64 heads and 32 sectors per track. The disk is loaded with SCO UNIX System V/386 Release 3.2 Operating System Version 4.2. We now assume that its superuser password has been forgotten.

First, find a computer with DOS installed, make a DOS system disk and copy the file debug.exe onto it.

C:\DOS> format /s a:
C:\DOS> copy debug.exe a:

Then put the floppy into the Compaq server's A drive, boot DOS and run the debug command.

A:\> debug

Now we write a small assembly-language program (hereafter "the APP") to read the sector at cylinder 0, head 0, sector 1 of the hard disk. That sector holds the master boot record, and we read it to determine where the SCO UNIX partition starts. The APP is built on interrupt 13h. We will use it repeatedly, changing only the entry parameters that select the physical address of the sector to read or write.

-a
2039:0100 mov ax,0201
2039:0103 mov bx,1000
2039:0106 mov cx,0001
2039:0109 mov dx,0080
2039:010C int 13
2039:010E int 20
2039:0110
-g
Program terminated normally

(In the INT 13h call, AH=02h reads sectors and AL=01h reads one sector; ES:BX=1000h is the memory buffer; CH is the cylinder number and CL the sector number; DH is the head number and DL=80h selects the first hard disk.)

Now use the d (dump) command to view the sector that was read into memory. The partition table starts at offset 11BEh; the entry whose type byte is 63h is the SCO UNIX partition. It starts at cylinder 1, head 0, sector 1.

Next, read the first sector of the i-node table of the UNIX root file system to determine the physical location of the root directory. Given the partition start, the root file system begins at cylinder 2, head 0, sector 1. Sector 1 of cylinder 2, head 0 is the boot block, sector 2 is the superblock, and sectors 3 and 4 are a gap, so the i-node table must start at sector 5.

Read it with the APP (change the CX assignment to 0205). Then use the d command to view the 64 bytes at offsets 1040h to 107Fh: this is i-node 2, the i-node of the root directory.

Now let us calculate the physical address of the root directory from its i-node. Reading from offset 1040h:

ED41h indicates the file type and permissions, "drwxr-xr-x";
1000h indicates a link count of 16;
0000h indicates the owner ID 0;
0200h indicates the group ID 2;
80020000h indicates a file size of 640 bytes;
DA0500h is the address of the first data block.

Since the other twelve data-block addresses are 0, the root directory occupies only one data block on the disk. From DA0500h we must now work out which cylinder, head and sector of the disk hold that block. The formulas are:

C  = trunc(P / (H * S))
C1 = C0 + C
H1 = trunc((P - C * H * S) / S)
S1 = P - C * H * S - H1 * S + 1

where C1, H1 and S1 are the cylinder, head and sector numbers of the data block; P is the data block address converted to decimal and multiplied by 2 (a 1024-byte block spans two 512-byte sectors); H is the number of heads; S is the number of sectors per track; C0 is the cylinder where the root file system starts; and C is just an intermediate value.

Substituting DA0500h, with H = 64, S = 32 and C0 = 2 as above, gives C1 = 3, H1 = 29, S1 = 21. The physical address of the root directory is therefore cylinder 3, head 29, sector 21. Read it with the APP (change the CX and DX assignments to 0315 and 1D80).
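The i-node decoding and the cylinder/head/sector arithmetic above, as an added Python example (not code from the original article) so the numbers can be checked: it parses a constructed copy of the root i-node the article dumps at 1040h and of the /etc directory entry at 1050h, locates an i-node in the i-node table, and converts a block address to CHS and to the INT 13h CX/DX values, which is the same arithmetic a forensic examiner uses to find a file's data in a raw disk image. The disk geometry (64 heads, 32 sectors per track, root file system at cylinder 2) and 1 KB blocks are assumptions taken from the example machine; the same call covers the /etc data block 2D0700h used in the next step.

```python
import struct

# Geometry and layout of the article's example machine (assumptions from the text):
HEADS = 64              # H: heads on the disk
SECTORS = 32            # S: sectors per track
ROOT_FS_CYL = 2         # C0: cylinder where the root file system starts
SECTORS_PER_BLOCK = 2   # a 1 KB block spans two 512-byte sectors
INODE_TABLE_SECTOR = 5  # i-node table starts after boot block, superblock and gap

# Constructed 64-byte i-node for "/" as the article reads it at offset 1040h: mode ED41,
# nlink 1000, uid 0000, gid 0200, size 80020000, first block DA0500, 12 zero blocks, etc.
ROOT_INODE = bytes.fromhex("ED41" "1000" "0000" "0200" "80020000" "DA0500"
                           + "000000" * 12 + "00" + "00000000" * 3)
# Constructed 16-byte directory entry for /etc as dumped at offset 1050h.
ETC_DIRENT = b"\x22\x00" + b"etc".ljust(14, b"\0")

def parse_inode(raw):
    """Fields of a 64-byte System V i-node (little-endian, 3-byte block addresses)."""
    if len(raw) != 64:
        raise ValueError("a SysV i-node is exactly 64 bytes")
    mode, nlink, uid, gid, size = struct.unpack_from("<HHHHI", raw, 0)
    addrs = [int.from_bytes(raw[12 + 3 * i:15 + 3 * i], "little") for i in range(13)]
    return {"mode": mode, "nlink": nlink, "uid": uid, "gid": gid, "size": size, "addrs": addrs}

def parse_dirent(raw):
    """A SysV directory entry: 2-byte i-node number, 14-byte NUL-padded name."""
    name = raw[2:16].split(b"\0", 1)[0].decode("ascii")
    return int.from_bytes(raw[0:2], "little"), name

def inode_location(ino):
    """Sector (cylinder C0, head 0) and 512-byte buffer offset of i-node `ino`;
    eight 64-byte i-nodes per sector, numbered from 1."""
    slot = ino - 1
    return INODE_TABLE_SECTOR + slot // 8, (slot % 8) * 64

def block_to_chs(block):
    """The article's formula: P = 2*block, C = P div (H*S), C1 = C0 + C, ..."""
    p = block * SECTORS_PER_BLOCK
    c = p // (HEADS * SECTORS)
    rem = p - c * HEADS * SECTORS
    h1 = rem // SECTORS
    return ROOT_FS_CYL + c, h1, rem - h1 * SECTORS + 1   # sectors count from 1

def int13_regs(chs, drive=0x80):
    """CX/DX for INT 13h: CH = cylinder, CL = sector (cylinder bits 8-9 in CL bits 6-7),
    DH = head, DL = drive."""
    cyl, head, sec = chs
    return ((cyl & 0xFF) << 8) | ((cyl >> 8) << 6) | sec, (head << 8) | drive

if __name__ == "__main__":
    chs = block_to_chs(parse_inode(ROOT_INODE)["addrs"][0])
    print("/ data block at CHS %r -> INT 13h CX/DX %04X/%04X" % ((chs,) + int13_regs(chs)))
```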

After reading it, use the d command to view offsets 1050h to 105Fh: this is the directory entry (i-node number and file name) of the /etc directory, and its i-node number is 22h, i.e. 34 decimal. Since each sector holds 8 i-nodes, i-node 34 lies in sector 9 of cylinder 2, head 0. Read it with the APP (change the CX and DX assignments to 0209 and 0080).

Use the d command to view offsets 1040h to 107Fh: this is the i-node of /etc. We read its data block in the same way. First calculate the physical address of its first data block: substituting 2D0700h into the formula gives cylinder 3, head 50, sector 27 as the physical address of the first data block of /etc. Read it with the APP (change the CX and DX assignments to 031B and 3280).

Use the d command to view offsets 11A0h to 11AFh: this is the entry for the passwd file in the /etc directory. Change the name to zls with the e (enter) command, then run the APP again with the AX assignment changed to 0301 (write one sector).

Now quit the debug command, remove the floppy, restart the machine and boot the UNIX operating system.

During boot, after displaying the hardware configuration, UNIX would normally ask for the superuser password, but it suddenly finds that the /etc/passwd file is missing! (It has in fact only been renamed to zls, but UNIX knows nothing of that.) With no passwd file UNIX cannot ask for the superuser password, so it prints the following messages and lets the user straight into system maintenance mode as the system administrator:

su: Unknown id: root
/etc/tcbck: file /etc/passwd is missing or zero length
/etc/tcbck: either slash (/) is missing from /etc/auth/system/files or there are malformed entries in /etc/passwd or /etc/group
/etc/smmck: restore missing files from backup or distribution.
init: SINGLE USER MODE
**** password file missing! ****
Entering system maintenance mode
#

Once in maintenance mode you can of course do as you please, but it is best to set a new superuser password. To do that, first restore the passwd file name:

# mv /etc/zls /etc/passwd

then set the new superuser password with the /bin/passwd command.

Conclusion

As this article ends, a brief summary. The traditional solutions have platform, tool and object limitations; the new solution breaks through all three.

First, the new solution breaks through the platform limitation. The traditional solutions require UNIX; the new one uses DOS. DOS is far more widespread than UNIX, and most computer users in China are unfamiliar with UNIX but know DOS well and feel at home with it.

Second, the new solution breaks through the tool limitation. The traditional solutions need two emergency boot floppies; the new one needs only a DOS system disk with a single debug.exe copied onto it. Emergency boot floppies are machine-specific, but a DOS system disk is not: a system disk made by DOS on any machine can be used to solve the forgotten superuser password problem on any machine. And the software used to access the physical disk need not be debug; any software that supports physical disk access will do.

Please credit the original URL when reposting: https://www.9cbs.com/read-1577.html
