PDA

View Full Version : Irix 6.2 efs filesystem on HD - access from other OS's?



paul
November 30th, 2009, 02:33 PM
I have the classic problem of how to delete the root password in /etc/passwd on my newly-acquired SGI Indy. It's my first SGI, running IRIX 6.2 with the efs filesystem. I don't have any IRIX media unfortunately. The machine runs perfectly otherwise and it's essential I don't damage the disk - at least before I can clone it.

From a Sun Ultra1 running OpenBSD 4.3 I can't mount the disk. The error is "the device is not configured." I'm not 100% sure there wasn't a SCSI hardware problem in this case as it eventually locked up in a loop trying to reset the scsi bus. I used the active termination on the disk.

From a PC running Ubuntu 9.04 (live) it can mount the disk but it's not happy. It will list the contents of the root directory but with errors - see below. I can't change to any other directories on the disk or access files. Used different scsi cabling from above and passive termination.

I sent an email in to the original (and only other) owner to see if he remembers the password, but I'm not holding my breath as it hasn't been used in a decade. I also have early 90's machines running NetBSD 1.6.1 and HPUX 10.40 for what's that's worth.

I have an identical Seagate drive to clone the disk, need to understand that process too, presumably best done under IRIX.



ls: cannot access stand: Input/output error
total 3510
lrwxr-xr-x 1 root root 7 1994-11-21 23:53 bin -> usr/bin
drwxr-xr-x 2 root root 512 1995-08-27 22:05 CDROM
lrwxr-xr-x 1 root root 4 1995-03-03 02:20 debug -> proc
?????????? ? ? ? ? ? dev
drwxr-xr-x 3 root root 512 1998-01-13 01:49 dumpster
?????????? ? ? ? ? ? etc
drwxr-xr-x 2 root root 512 1995-12-12 14:44 floppy
?????????? ? ? ? ? ? lib
drwxr-xr-x 2 root root 512 1996-11-21 17:06 lib32
?????????? ? ? ? ? ? lost+found
drwx------ 2 root root 512 1996-04-15 19:45 Mail
?????????? ? ? ? ? ? opt
drwxr-xr-x 2 root root 512 1995-03-03 02:20 proc
?????????? ? ? ? ? ? sbin
?????????? ? ? ? ? ? stand
drwxr-xr-x 2 root root 512 1995-08-27 22:14 swap
drwxrwxrwt 5 sync root 512 2009-12-01 05:17 tmp
-rwxr-xr-x 1 root root 3588108 1996-11-21 17:40 unix
?????????? ? ? ? ? ? usr
?????????? ? ? ? ? ? var
drwxr-xr-x 2 root root 512 1997-09-11 03:49 zip
root@ubuntu:/mnt#

Securix
November 30th, 2009, 02:43 PM
Are you sure it's EFS and not XFS? EFS was typical for pre 6.0 Irix but 6.2 likely used XFS.


I have the classic problem of how to delete the root password in /etc/passwd on my newly-acquired SGI Indy. It's my first SGI, running IRIX 6.2 with the efs filesystem. I don't have any IRIX media unfortunately. The machine runs perfectly otherwise and it's essential I don't damage the disk - at least before I can clone it.

From a Sun Ultra1 running OpenBSD 4.3 I can't mount the disk. The error is "the device is not configured." I'm not 100% sure there wasn't a SCSI hardware problem in this case as it eventually locked up in a loop trying to reset the scsi bus. I used the active termination on the disk.

From a PC running Ubuntu 9.04 (live) it can mount the disk but it's not happy. It will list the contents of the root directory but with errors - see below. I can't change to any other directories on the disk or access files. Used different scsi cabling from above and passive termination.

I sent an email in to the original (and only other) owner to see if he remembers the password, but I'm not holding my breath as it hasn't been used in a decade. I also have early 90's machines running NetBSD 1.6.1 and HPUX 10.40 for what's that's worth.

I have an identical Seagate drive to clone the disk, need to understand that process too, presumably best done under IRIX.

paul
November 30th, 2009, 03:03 PM
Yes, it's EFS - IRIX tells me that under the guest login. I would assume the OS was upgraded to 6.2 from pre 6.0 without the FS change. I don't have any success at all if I try mounting as XFS.

barythrin
November 30th, 2009, 03:37 PM
I beleive you can clone the disk just with dd in any nix. Just dd if=/dev/whateversourcedrive of=/dev/yourdestinationdrive.

That should work even with it not knowing how to read the filesystem since it's just a binary dump. You could then test the duplicated drive in the SGI system to see if it did the copy correctly.

I had that problem too and I ended up having to get copies of the Irix CDs from someone as it wasn't as simple as modifying the drive contents. Upon reflection I MAY have been able to overwrite the hash with a known hash with a drive editor but I think my problem was getting a controller up that recognized the drive period.

paul
November 30th, 2009, 07:50 PM
OK, thanks for that info. The dd worked perfectly under Ubuntu and now I have a backup drive - one less thing to worry about.

barythrin
December 1st, 2009, 01:07 AM
So what you might be able to do since you can read the drive contents fine is the replace the hash trick. Assuming it's using the standard md5 or similar password hashing you can open the device in a hex editor, search for "root:" and replace that encrypted password with your linux password or a known password hash from a similar nix system.

I would note how many times you find the text before modfying the file but as long as it's the same bytes in length you should be able to replace it and log in afterwords.

NeXT
December 1st, 2009, 06:40 AM
I had a similar problem once where I used ubuntu and ddrescue to dump the hard drive to the ubuntu disk under the name "blargh.iso". While ubuntu has very little and very poor support for EFS disk mounting it WILL mount an EFS image. Don't know if it would work but use ddrescue to make two images (one in case you mess up and need somwething to restore to, the other for editing), mount and edit /etc/passwd, save and then use ddrescue to dump the edited image back to the disk (and if that bunks you can just dump the other image you made and keep using that).
An Indy will run with 6.5 (albeit you better have the ram maxed) you know.

tingo
December 2nd, 2009, 01:08 PM
If the password file is readable from the guest account (ie. it doesn't use shadow password files) you can try this:
- copy the passwd file (only the line for 'root' is required) to another machine
- run a password cracker (like crack (http://www.crypticide.com/alecm/security/c50-faq.html)) on that file
- few minutes later you will have the root password.

That was how I found the root password for an Indy I bought.

paul
December 2nd, 2009, 02:07 PM
Ha, what timing! After trying several known unix/irix "exploits" without success this morning I just ran a program under windows called "john the ripper" on the passwd file - copied to a floppy off the guest account.

It found it in two minutes!! Password was "lp250"

Thanks to all who posted suggestions!!

digger
December 5th, 2009, 02:04 PM
So you could just copy the password file to external media using the guest account, after which a cracking tool on a separate machine was able to decipher it within minutes?

Talk about lousy security... :???:

Oh well, at least it worked for you. ;)

paul
December 5th, 2009, 02:29 PM
Well, it kept me out for 3 or 4 days! A lousy password is as much at fault. I would imagine a strong password may not have been as easily been found using a computer of similar vintage. The 1.6 GHz PC still hadn't found the user account password after a half hour, but clearly I didn't need that one.

digger
December 5th, 2009, 04:05 PM
Even if the password was weak, the password file should not have been readable by the guest account.

I think most newer UNIX and Linux systems have been configured not to allow access to that file from non-root accounts. Or am I mistaken?

paul
December 5th, 2009, 09:31 PM
Well, they were back then, and that includes Linux distributions of the time. I don't know how the shadow password file works so I'll defer to others:

http://en.wikipedia.org/wiki/Shadow_password (http://en.wikipedia.org/wiki/Passwd_%28file%29)