On Sun, Sep 01, 2002 at 10:04:08AM +0300, Muli Ben-Yehuda wrote:
> On Sun, Sep 01, 2002 at 09:58:08AM +0300, Yedidyah Bar-David wrote:
>
> > I did grep *some* sources. I didn't think about useradd.
> > This is indeed the "shadow" package (useradd, vipw, ...).
> >
> > Thanks for anyone who replied!
>
> Ok, here's a way to figure out which package uses a file.
>
> 1. get syscalltrack
> 2. upload a rule to log any acess to said file (or any open with
> O_RDWR|O_WRONLY, or any write to the file, etc. Something that will
> narrow down the options). This rule would look like this (untested):
>
> rule {
> syscall_name = open
> rule_name = open_etc_passwd
> when = before
> filter_expression { PARAMS[1] == "/etc/passwd-" }
> action {
> type = LOG
> log_format { "process %pid(%comm) called %sname(%params) on /etc/passwd-"
>}
> }
> }
>
> 3. see which binaries access said file
This is the catch, at least for me. I do not use adduser, useradd, or
vipw. When I add a user (every few years), I simply use vi (at home -
at work we use NIS, which is updated from an external DB, hopefully
soon moving to LDAP).
> 4. figure out which package they belong to (dpkg --search on debian,
> rpm -qf on redhat).
> 5. get the source for the package in question and peruse at will.
>
> > However, even though still off-topic, I am still interested in ideas
> > about the second problem, of how to find such things, and I think
> > others are too. I do hope to get more answers then "ask your favourite
> > ML" (which did work!). "grep the entire sources of the packages you
> > have installed" is also not what I expect, although having the option
> > is great.
>
> See above. This is not the fastest way to do it, but it will
> definitely give you the answer eventually.
Yes, but "eventually" might be a few years ahead. Not good enough :-)
>
> As for you original question, of how to use google with special chars,
> write their customer support and ask them. I'd be interested in the
> answer as well.
>
I think I will, but don't hold your breath. I sent them a question
a month ago and haven't got a reply yet. And I do not blame them -
this is simply something that smart algorithms can't solve. I guess
they get tons of questions, many of them very boring :-( .
>
>
Didi
=================================================================
To unsubscribe, send mail to [EMAIL PROTECTED] with
the word "unsubscribe" in the message body, e.g., run the command
echo unsubscribe | mail [EMAIL PROTECTED]
