Using xfsdump On Linux With IRIX Version 1 FS?

Sean Elble elbles at sessys.com
Fri Jul 24 14:13:20 CDT 2009 

On 7/24/09 1:11 PM, "Matthias Schniedermeyer" <ms at citd.de> wrote:

> On 24.07.2009 11:36, Sean Elble wrote:
>> On 7/24/09 3:30 AM, "Matthias Schniedermeyer" <ms at citd.de> wrote:
>> 
>>> 
>>> I'd guess the disc isn't very big.
>>> 
>>> You just dd it completly (for backup).
>>> 
>>> Then search for the content of the shadow-file and blank out the entry
>>> with a hex-editor. Make sure that you don't change the filesize, pad
>>> the previous/following entry with any character you have to remove.
>> 
>> Right, the disk is only 2 GB.  Presumably, to back the disk up, all I'd have
>> to do would be something like:
>> 
>>     dd if=/dev/sda of=IRIXbackup
>> 
>> Correct?  No need to specify bs or count, I presume...
> 
> Exactly.
> 
>> Then, I could use hexedit in the following manner to edit the disk:
>> 
>>     hexedit -d -f /dev/sda
> 
> Don't know hexedit. Last time i used a hex editor it was "khexedit",
> worked good enough.
> 
>> I suppose I could search for the encrypted password string itself, but as
>> Chris Wedgwood suggested, I might be better off finding the offset of the
>> /etc/shadow file by doing something like the following:
>>     
>>     xfs_ncheck /dev/sda | grep /etc/shadow
>> 
>> I'm not sure if I can use the inode number directly as an offset or not, but
>> I *think* I could use it in conjunction with a xfs_db convert command to get
>> something usable as an offset.  Something like the following, perhaps?
>> 
>>     xfs_db -c convert inode <inode from xfs_ncheck command> daddr /dev/sda
> 
> 2GB is small enough to just use "brute force".
> 
> - Make a backup-copy of the image
> - Open the image in a/the hexeditor
> - Search for something that appears in the shadow file
>   it should be pretty obvious if the hit is inside the shadow file.
> - Make the changes, (Remember filesize has to stay the same!)
> - dd the image back to the HDD.
> 
> Not very complicated and it still shouldn't take too long. :-)
> 

Yeah, that's probably what I'll do then.  I figure the disk will thrash for
a while during the search for a string in /etc/shadow, but hopefully it'll
work.  Thanks for all the advice!

-Sean

-- 
+-------------------------------------------------
|  Sean Elble      
|  Virginia Tech, Class of 2009
|  E-Mail:   elbles at sessys.com
|  Web:      http://www.sessys.com/~elbles/
|  Cell:     860.946.9477
+-------------------------------------------------
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2139 bytes
Desc: not available
URL: <http://oss.sgi.com/pipermail/xfs/attachments/20090724/9c55f511/attachment.p7s>

More information about the xfs mailing list