2010-09-03 02:09:44

Name

    grep – search a file for a pattern

Synopsis

    /usr/bin/grep [-bchilnsvw] limited-regular-expression 
         [filename]...
    /usr/xpg4/bin/grep [-E | -F] [-c | -l | -q] [-bhinsvwx] -e pattern_list... 
         [-f pattern_file]... [file]...
    /usr/xpg4/bin/grep [-E | -F] [-c | -l | -q] [-bhinsvwx] 
         [-e pattern_list]... -f pattern_file... [file]...
    /usr/xpg4/bin/grep [-E | -F] [-c | -l | -q] [-bhinsvwx] pattern 
         [file]...

Description

    The grep utility searches text files for a pattern and prints all lines that contain that pattern. It uses a compact non-deterministic algorithm.

    Be careful using the characters $, *, [, ^, |, (, ), and \ in the pattern_list because they are also meaningful to the shell. It is safest to enclose the entire pattern_list in single quotes '...'.

    If no files are specified, grep assumes standard input. Normally, each line found is copied to standard output. The file name is printed before each line found if there is more than one input file.

    /usr/bin/grep

      The /usr/bin/grep utility uses limited regular expressions like those described on the regexp(5) manual page to match the patterns.

    /usr/xpg4/bin/grep

      The options -E and -F affect the way /usr/xpg4/bin/grep interprets pattern_list. If -E is specified, /usr/xpg4/bin/grep interprets pattern_list as a full regular expression (see -E for description). If -F is specified, grep interprets pattern_list as a fixed string. If neither are specified, grep interprets pattern_list as a basic regular expression as described on regex(5) manual page.

Options

    The following options are supported for both /usr/bin/grep and /usr/xpg4/bin/grep:

    -b

    Precedes each line by the block number on which it was found. This can be useful in locating block numbers by context (first block is 0).

    -c

    Prints only a count of the lines that contain the pattern.

    -h

    Prevents the name of the file containing the matching line from being prepended to that line. Used when searching multiple files.

    -i

    Ignores upper/lower case distinction during comparisons.

    -l

    Prints only the names of files with matching lines, separated by NEWLINE characters. Does not repeat the names of files when the pattern is found more than once.

    -n

    Precedes each line by its line number in the file (first line is 1).

    -s

    Suppresses error messages about nonexistent or unreadable files.

    -v

    Prints all lines except those that contain the pattern.

    -w

    Searches for the expression as a word as if surrounded by \< and \>.

    /usr/xpg4/bin/grep

      The following options are supported for /usr/xpg4/bin/grep only:

      -e pattern_list

      Specifies one or more patterns to be used during the search for input. Patterns in pattern_list must be separated by a NEWLINE character. A null pattern can be specified by two adjacent newline characters in pattern_list. Unless the -E or -F option is also specified, each pattern is treated as a basic regular expression. Multiple -e and -f options are accepted by grep. All of the specified patterns are used when matching lines, but the order of evaluation is unspecified.

      -E

      Matches using full regular expressions. Treats each pattern specified as a full regular expression. If any entire full regular expression pattern matches an input line, the line is matched. A null full regular expression matches every line. Each pattern is interpreted as a full regular expression as described on the regex(5) manual page, except for \( and \), and including:

      1. A full regular expression followed by + that matches one or more occurrences of the full regular expression.

      2. A full regular expression followed by ? that matches 0 or 1 occurrences of the full regular expression.

      3. Full regular expressions separated by | or by a new-line that match strings that are matched by any of the expressions.

      4. A full regular expression that is enclosed in parentheses () for grouping.

      The order of precedence of operators is [ ], then * ? +, then concatenation, then | and new-line.

      -f pattern_file

      Reads one or more patterns from the file named by the path name pattern_file. Patterns in pattern_file are terminated by a NEWLINE character. A null pattern can be specified by an empty line in pattern_file. Unless the -E or -F option is also specified, each pattern is treated as a basic regular expression.

      -F

      Matches using fixed strings. Treats each pattern specified as a string instead of a regular expression. If an input line contains any of the patterns as a contiguous sequence of bytes, the line is matched. A null string matches every line. See fgrep(1) for more information.

      -q

      Quiet. Does not write anything to the standard output, regardless of matching lines. Exits with zero status if an input line is selected.

      -x

      Considers only input lines that use all characters in the line to match an entire fixed string or regular expression to be matching lines.

Operands

    The following operands are supported:

    file

    A path name of a file to be searched for the patterns. If no file operands are specified, the standard input is used.

    /usr/bin/grep

      pattern

      Specifies a pattern to be used during the search for input.

    /usr/xpg4/bin/grep

      pattern

      Specifies one or more patterns to be used during the search for input. This operand is treated as if it were specified as -e pattern_list.

Usage

    The -e pattern_list option has the same effect as the pattern_list operand, but is useful when pattern_list begins with the hyphen delimiter. It is also useful when it is more convenient to provide multiple patterns as separate arguments.

    Multiple -e and -f options are accepted and grep uses all of the patterns it is given while matching input text lines. Notice that the order of evaluation is not specified. If an implementation finds a null string as a pattern, it is allowed to use that pattern first, matching every line, and effectively ignore any other patterns.

    The -q option provides a means of easily determining whether or not a pattern (or string) exists in a group of files. When searching several files, it provides a performance improvement (because it can quit as soon as it finds the first match) and requires less care by the user in choosing the set of files to supply as arguments (because it exits zero if it finds a match even if grep detected an access or read error on earlier file operands).

    Large File Behavior

      See largefile(5) for the description of the behavior of grep when encountering files greater than or equal to 2 Gbyte (2^31 bytes).

Examples

    Example 1 Finding All Uses of a Word

    To find all uses of the word “Posix” (in any case) in the file text.mm, and write with line numbers:

    example% /usr/bin/grep -i -n posix text.mm

    Example 2 Finding All Empty Lines

    To find all empty lines in the standard input:

    example% /usr/bin/grep ^$

    or

    example% /usr/bin/grep -v .

    Example 3 Finding Lines Containing Strings

    All of the following commands print all lines containing strings abc or def or both:

    example% /usr/xpg4/bin/grep 'abc
    def'
    example% /usr/xpg4/bin/grep -e 'abc
    def'
    example% /usr/xpg4/bin/grep -e 'abc' -e 'def'
    example% /usr/xpg4/bin/grep -E 'abc|def'
    example% /usr/xpg4/bin/grep -E -e 'abc|def'
    example% /usr/xpg4/bin/grep -E -e 'abc' -e 'def'
    example% /usr/xpg4/bin/grep -E 'abc
    def'
    example% /usr/xpg4/bin/grep -E -e 'abc
    def'
    example% /usr/xpg4/bin/grep -F -e 'abc' -e 'def'
    example% /usr/xpg4/bin/grep -F 'abc
    def'
    example% /usr/xpg4/bin/grep -F -e 'abc
    def'

    Example 4 Finding Lines with Matching Strings

    Both of the following commands print all lines matching exactly abc or def (the two patterns are separated by a NEWLINE inside the quotes):

    example% /usr/xpg4/bin/grep -E '^abc$
    ^def$'
    example% /usr/xpg4/bin/grep -F -x 'abc
    def'

Environment Variables

    See environ(5) for descriptions of the following environment variables that affect the execution of grep: LANG, LC_ALL, LC_COLLATE, LC_CTYPE, LC_MESSAGES, and NLSPATH.

Exit Status

    The following exit values are returned:

    0

    One or more matches were found.

    1

    No matches were found.

    2

    Syntax errors or inaccessible files (even if matches were found).

Attributes

    See attributes(5) for descriptions of the following attributes:

    /usr/bin/grep

      ATTRIBUTE TYPE        ATTRIBUTE VALUE
      Availability          SUNWcsu
      CSI                   Not Enabled

    /usr/xpg4/bin/grep

      ATTRIBUTE TYPE        ATTRIBUTE VALUE
      Availability          SUNWxcu4
      CSI                   Enabled
      Interface Stability   Committed
      Standard              See standards(5).

See Also

Notes

    /usr/bin/grep

      Lines are limited only by the size of the available virtual memory. If there is a line with embedded nulls, grep only matches up to the first null. If the line matches, the entire line is printed.

    /usr/xpg4/bin/grep

      The results are unspecified if input files contain lines longer than LINE_MAX bytes or contain binary data. LINE_MAX is defined in /usr/include/limits.h.


2010-09-03 02:08:05

How Hackers Delete Linux Logs

Let us look at what hackers do once an intruder has obtained a shell, gained root privileges, and wants to hide their tracks.

Analyze the logging configuration in /etc/syslog.conf to find out where the logs go.
Erase their traces from /var/adm/messages.
Erase the record of their su commands from /var/adm/sulog.
Erase the list of commands they typed from /.history.
Erase their traces from /var/log/syslog.
Erase their traces from /var/log/authlog.
Erase their traces from /var/adm/utmp.
Erase their traces from /var/adm/wtmp.
Erase their traces from /tmp/.

The above is the usual way of quietly removing one's traces from the logs.
It is said that zap3 is used to hide oneself in utmp and wtmp and tamper with the logs.

Source: http://hackeracademy.tistory.com/


2010-09-03 02:06:53

How the ufsdump Command Works

The ufsdump command makes two passes when it backs up a file system. On the first pass, this command scans the raw device file for the file system and builds a table of directories and files in memory. Then, this command writes the table to the backup media. In the second pass, the ufsdump command goes through the inodes in numerical order, reading the file contents and writing the data to the backup media.

Determining Device Characteristics

The ufsdump command needs to know only an appropriate tape block size and how to detect the end of media.

Detecting the End of Media

The ufsdump command writes a sequence of fixed-size records. When the ufsdump command receives notification that a record was only partially written, it assumes that it has reached the physical end of the media. This method works for most devices. If a device is not able to notify the ufsdump command that only a partial record has been written, a media error occurs as the ufsdump command tries to write another record.


Note –

DAT devices and 8-mm tape devices detect end-of-media. Cartridge tape devices and 1/2-inch tape devices do not detect end-of-media.


The ufsdump command automatically detects the end-of-media for most devices. Therefore, you do not usually need to use the -c, -d, -s, and -t options to perform multivolume backups.

You need to use the end-of-media options when the ufsdump command does not understand the way the device detects the end-of-media.

To ensure compatibility with the restore command, the size option can still force the ufsdump command to go to the next tape or diskette before reaching the end of the current tape or diskette.

Copying Data With the ufsdump Command

The ufsdump command copies data only from the raw disk slice. If the file system is still active, any data in memory buffers is probably not copied. The backup done by the ufsdump command does not copy free blocks, nor does it make an image of the disk slice. If symbolic links point to files on other slices, the link itself is copied.

Purpose of the /etc/dumpdates File

The ufsdump command, when used with the -u option, maintains and updates the /etc/dumpdates file. Each line in the /etc/dumpdates file shows the following information:

  • The file system backed up

  • The dump level of the last backup

  • The day, date, and time of the backup

For example:


# cat /etc/dumpdates
/dev/rdsk/c0t0d0s0               0 Wed Jul 28 16:13:52 2004
/dev/rdsk/c0t0d0s7               0 Thu Jul 29 10:36:13 2004
/dev/rdsk/c0t0d0s7               9 Thu Jul 29 10:37:12 2004

When you do an incremental backup, the ufsdump command checks the /etc/dumpdates file to find the date of the most recent backup of the next lower dump level. Then, this command copies to the media all files that were modified since the date of that lower-level backup. After the backup is complete, a new information line, which describes the backup you just completed, replaces the information line for the previous backup at that level.

Use the /etc/dumpdates file to verify that backups are being done. This verification is particularly important if you are having equipment problems. If a backup cannot be completed because of equipment failure, the backup is not recorded in the /etc/dumpdates file.

If you need to restore an entire disk, check the /etc/dumpdates file for a list of the most recent dates and levels of backups so that you can determine which tapes you need to restore the entire file system.


Note –

The /etc/dumpdates file is a text file that can be edited. However, edit it only at your own risk. If you make changes to the file that do not match your archive tapes, you might be unable to find the tapes (or files) you need.
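
As an added example (not part of the Solaris documentation), the following POSIX sh script applies the dump-level rule described above to a constructed /etc/dumpdates to work out which dumps, in which order, a full restore of one file system needs. restore_chain, restore_levels and the sample entries beyond the page's three lines are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the Solaris documentation): given /etc/dumpdates
# contents, list the dumps needed, in order, to rebuild one file system.
# Rule applied: a level-N dump holds every file modified since the most
# recent dump of a lower level, so a later dump at level L makes every
# earlier dump at level >= L redundant. restore_chain and restore_levels
# are hypothetical names; SAMPLE_DUMPDATES is constructed from the page's
# three lines plus two later incrementals on s7.

SAMPLE_DUMPDATES='/dev/rdsk/c0t0d0s0               0 Wed Jul 28 16:13:52 2004
/dev/rdsk/c0t0d0s7               0 Thu Jul 29 10:36:13 2004
/dev/rdsk/c0t0d0s7               9 Thu Jul 29 10:37:12 2004
/dev/rdsk/c0t0d0s7               5 Mon Aug  2 10:30:00 2004
/dev/rdsk/c0t0d0s7               7 Wed Aug  4 10:30:00 2004'

# restore_chain FS   (dumpdates lines on standard input)
# Prints the entries for FS in the order they must be restored.
# Exit 1 if FS has no level 0 recorded: without a full dump as the base
# the incrementals cannot be applied.
restore_chain() {
    awk -v fs="$1" '
    BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        for (i = 1; i <= 12; i++) mon[m[i]] = i
    }
    $1 == fs {
        # Fields: device level weekday month day HH:MM:SS year
        split($6, t, ":")
        n++
        lvl[n]  = $2 + 0
        key[n]  = sprintf("%04d%02d%02d%02d%02d%02d", $7, mon[$4], $5, t[1], t[2], t[3])
        line[n] = $0
    }
    END {
        # Chronological order (n is tiny, so a selection sort will do).
        for (i = 1; i <= n; i++)
            for (j = i + 1; j <= n; j++)
                if (key[j] < key[i]) {
                    tk = key[i];  key[i]  = key[j];  key[j]  = tk
                    tl = lvl[i];  lvl[i]  = lvl[j];  lvl[j]  = tl
                    ts = line[i]; line[i] = line[j]; line[j] = ts
                }
        # Walk forward in time with a stack of still-needed dumps.
        top = 0
        for (i = 1; i <= n; i++) {
            while (top > 0 && lvl[chain[top]] >= lvl[i]) top--
            chain[++top] = i
        }
        if (top == 0 || lvl[chain[1]] != 0) {
            print "restore_chain: no level 0 dump recorded for " fs > "/dev/stderr"
            exit 1
        }
        for (i = 1; i <= top; i++) print line[chain[i]]
    }'
}

# restore_levels FS: the levels of the chain for FS in SAMPLE_DUMPDATES,
# space separated, e.g. "0 5 7".
restore_levels() {
    printf '%s\n' "$SAMPLE_DUMPDATES" | restore_chain "$1" |
        awk '{ printf "%s%s", (NR > 1 ? " " : ""), $2 } END { print "" }'
}

# The level 9 dump of 29 Jul is not listed: the level 5 dump of 2 Aug
# already contains everything changed since the level 0 of 29 Jul.
printf '%s\n' "$SAMPLE_DUMPDATES" | restore_chain /dev/rdsk/c0t0d0s7
```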


Backup Device (dump-file) Argument

The dump-file argument (to the -f option) specifies the destination of the backup. The destination can be one of the following:

  • Local tape drive

  • Local diskette drive

  • Remote tape drive

  • Remote diskette drive

  • Standard output

Use this argument when the destination is not the default local tape drive /dev/rmt/0. If you use the -f option, then you must specify a value for the dump-file argument.


Note –

The dump-file argument can also point to a file on a local disk or on a remote disk. If done by mistake, this usage can fill up a file system.


Local Tape or Diskette Drive

Typically, the dump-file argument specifies a raw device file for a tape device or diskette. When the ufsdump command writes to an output device, it creates a single backup file that might span multiple tapes or diskettes.

You specify a tape device or a diskette on your system by using a device abbreviation. The first device is always 0. For example, if you have a SCSI tape controller and one QIC-24 tape drive that uses medium-density formatting, use this device name:

/dev/rmt/0m

When you specify a tape device name, you can also type the letter “n” at the end of the name to indicate that the tape drive should not rewind after the backup is completed. For example:

/dev/rmt/0mn

Use the “no-rewind” option if you want to put more than one file onto the tape. If you run out of space during a backup, the tape does not rewind before the ufsdump command asks for a new tape. For a complete description of device-naming conventions, see Backup Device Names.

Remote Tape or Diskette Drive

You specify a remote tape device or a remote diskette by using the syntax host:device. The ufsdump command writes to the remote device when superuser on the local system has access to the remote system. If you usually run the ufsdump command as superuser, the name of the local system must be included in the /.rhosts file on the remote system. If you specify the device as user@host:device, the ufsdump command tries to access the device on the remote system as the specified user. In this case, the specified user must be included in the /.rhosts file on the remote system.

Use the naming convention for the device that matches the operating system for the system on which the device resides, not the system from which you run the ufsdump command. If the drive is on a system that is running a previous SunOS release (for example, 4.1.1), use the SunOS 4.1 device name (for example, /dev/rst0). If the system is running Solaris software, use the SunOS 5.9 convention (for example, /dev/rmt/0).

Using Standard Output With the ufsdump Command

When you specify a dash (-) as the dump-file argument, the ufsdump command writes to standard output.


Note –

The -v option (verify) does not work when the dump-file argument is standard output.


You can use the ufsdump and ufsrestore commands in a pipeline to copy a file system by writing to standard output with the ufsdump command and reading from standard input with the ufsrestore command. For example:


# ufsdump 0f - /dev/rdsk/c0t0d0s7 | (cd /home; ufsrestore xf -)

Specifying Files to Back Up

You must always include filenames as the last argument on the command line. This argument specifies the source or contents of the backup.

For a file system, specify the raw device file as follows:

/dev/rdsk/c0t0d0s7

You can specify the file system by its mount point directory (for example, /export/home), as long as an entry for it exists in the /etc/vfstab file.

For a complete description of device-naming conventions, see Backup Device Names.

For individual files or directories, type one or more names separated by spaces.


Note –

When you use the ufsdump command to back up one or more directories or files (rather than a complete file system), a level 0 backup is done. Incremental backups do not apply.


Specifying Tape Characteristics

If you do not specify any tape characteristics, the ufsdump command uses a set of defaults. You can specify the tape cartridge (c), density (d), size (s), and number of tracks (t). Note that you can specify the options in any order, as long as the arguments that follow match the order of the options.

Limitations of the ufsdump Command

The ufsdump command cannot do the following:

  • Automatically calculate the number of tapes or diskettes that are needed for backing up file systems. You can use the dry run mode (S option) to determine how much space is needed before actually backing up file systems.

  • Provide built-in error checking to minimize problems when it backs up an active file system.

  • Back up files that are remotely mounted from a server. Files on the server must be backed up on the server itself. Users are denied permission to run the ufsdump command on files they own that are located on a server.


2010-09-03 02:05:20

Name

    ftpusers – file listing users to be disallowed ftp login privileges

Synopsis

    /etc/ftpd/ftpusers
    

Description

    The ftpusers file lists users for whom ftp login privileges are disallowed. Each ftpuser entry is a single line of the form:

    name

    where name is the user's login name.

    The FTP Server, in.ftpd(1M), reads the ftpusers file. If the login name of the user matches one of the entries listed, it rejects the login attempt.

    The ftpusers file has the following default configuration entries:

    root
    daemon
    bin
    sys
    adm
    lp
    uucp
    nuucp
    smmsp
    listen
    nobody
    noaccess
    nobody4

    These entries match the default instantiated entries from passwd(4). The list of default entries typically contains the superuser root and other administrative and system application identities.

    The root entry is included in the ftpusers file as a security measure since the default policy is to disallow remote logins for this identity. This policy is also set in the default value of the CONSOLE entry in the /etc/default/login file. See login(1). If you allow root login privileges by deleting the root entry in ftpusers, you should also modify the security policy in /etc/default/login to reflect the site security policy for remote login access by root.

    Other default entries are administrative identities that are typically assumed by system applications but never used for local or remote login, for example sys and nobody. Since these entries do not have a valid password field instantiated in shadow(4), no login can be performed.

    If a site adds similar administrative or system application identities in passwd(4) and shadow(4), for example, majordomo, the site should consider including them in the ftpusers file for a consistent security policy.

    Lines that begin with # are treated as comment lines and are ignored.
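
The check below is an added example, not code from the grep(1) or ftpusers(4) pages: it audits a constructed ftpusers file for the default entries listed above, using grep -F -x -q from the grep page so that a name matches only as a whole line and the exit statuses 0, 1 and 2 stay distinct. ftp_denied, ftp_audit and FTPUSERS_DEFAULTS are names assumed here.

```shell
#!/bin/sh
# Added example, not from the grep(1) or ftpusers(4) pages: audit an
# ftpusers file for the default administrative entries. Matching uses
# grep -F -x -q so each name must equal a whole line (the entry "lp" is
# not satisfied by a line "lpadmin", nor "nobody" by "nobody4"), and the
# three exit statuses of grep are kept apart so an unreadable file is never
# reported as "entry absent". ftp_denied, ftp_audit, FTPUSERS_DEFAULTS and
# the sample file are hypothetical names / constructed content.

# Default entries as listed in ftpusers(4).
FTPUSERS_DEFAULTS='root daemon bin sys adm lp uucp nuucp smmsp listen nobody noaccess nobody4'

# ftp_denied NAME FILE
# Exit 0: NAME is an entry in FILE; 1: it is not; 2: FILE unreadable.
# -e carries the pattern so a name starting with "-" is not read as an
# option, -F treats it as a fixed string, -x requires the whole line to
# match, -q gives status only. A "#..." comment line can never equal a
# login name exactly, so comments need no special handling.
ftp_denied() {
    grep -F -x -q -e "$1" "$2"
}

# ftp_audit FILE
# Prints each default entry missing from FILE, one per line.
# Exit 0: all present; 1: some missing; 2: FILE unreadable.
ftp_audit() {
    status=0
    for name in $FTPUSERS_DEFAULTS; do
        ftp_denied "$name" "$1" && rc=0 || rc=$?
        case $rc in
            0) ;;
            1) echo "$name"; status=1 ;;
            *) echo "ftp_audit: cannot read $1" >&2; return 2 ;;
        esac
    done
    return $status
}

# Constructed sample: a site that dropped the root entry and has an
# "lpadmin" line where the default "lp" entry used to be.
SAMPLE_FTPUSERS=$(mktemp) || exit 1
trap 'rm -f "$SAMPLE_FTPUSERS"' EXIT
cat > "$SAMPLE_FTPUSERS" <<'EOF'
# /etc/ftpd/ftpusers: users denied ftp login (constructed sample)
daemon
bin
sys
adm
lpadmin
uucp
nuucp
smmsp
listen
nobody
noaccess
nobody4
EOF

# Prints "root" and "lp", the two defaults the sample file lacks.
if ftp_audit "$SAMPLE_FTPUSERS"; then
    echo "all default entries present"
else
    echo "audit exit status $?"   # 1: entries missing; 2: file unreadable
fi
```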

Files

    /etc/ftpd/ftpusers

    A file that lists users for whom ftp login privileges are disallowed.

    /etc/ftpusers

    See /etc/ftpd/ftpusers. This file is deprecated, although its use is still supported.

    /etc/default/login

    /etc/passwd

    password file

    /etc/shadow

    shadow password file

Attributes

    See attributes(5) for descriptions of the following attributes:

    ATTRIBUTE TYPE        ATTRIBUTE VALUE
    Availability          SUNWftpr
    Interface Stability   /etc/ftpd/ftpusers: External
                          /etc/ftpusers: Obsolete

See Also

2010-09-03 02:04:19

Synopsis

useradd [-c comment] [-d dir] [-e expire] [-f inactive]
[-g group] [-G group [, group...]] [-m [-k skel_dir]]
[-u uid [-o]] [-s shell] [-A authorization [,authorization...]]
[-P profile [,profile...]] [-R role [,role...]]
[-p projname] [-K key=value] login
useradd -D [-b base_dir] [-e expire] [-f inactive]
[-g group] [-A authorization [,authorization...]]
[-P profile [,profile...]] [-R role [,role...]]
[-p projname] [-K key=value]

 

Options

-A authorization
One or more comma separated authorizations defined in auth_attr(4). Only a user or role who has grant rights to the authorization can assign it to an account.

-b base_dir
The default base directory for the system if -d dir is not specified. base_dir is concatenated with the account name to define the home directory. If the -m option is not used, base_dir must exist.

-c comment
Any text string. It is generally a short description of the login, and is currently used as the field for the user's full name. This information is stored in the user's /etc/passwd entry.

-d dir
The home directory of the new user. It defaults to base_dir/account_name, where base_dir is the base directory for new login home directories and account_name is the new login name.

-D
Display the default values for group, base_dir, skel_dir, shell, inactive, expire, proj, projname and key=value pairs. When used with the -g, -b, -f, -e, -A, -P, -p, -R, or -K options, the -D option sets the default values for the specified fields. The default values are:

    group       other (GID of 1)
    base_dir    /home
    skel_dir    /etc/skel
    shell       /bin/sh
    inactive    0
    expire      null
    auths       null
    profiles    null
    proj        3
    projname    default
    key=value   (pairs defined in user_attr(4)) not present
    roles       null

-e expire
Specify the expiration date for a login. After this date, no user will be able to access this login. The expire option argument is a date entered using one of the date formats included in the template file /etc/datemsk. See getdate(3C). If the date format that you choose includes spaces, it must be quoted. For example, you can enter 10/6/90 or "October 6, 1990". A null value (" ") defeats the status of the expired date. This option is useful for creating temporary logins.

-f inactive
The maximum number of days allowed between uses of a login ID before that ID is declared invalid. Normal values are positive integers. A value of 0 defeats the status.

-g group
An existing group's integer ID or character-string name. Without the -D option, it defines the new user's primary group membership and defaults to the default group. You can reset this default value by invoking useradd -D -g group. GIDs 0-99 are reserved for allocation by the Solaris Operating System.

-G group
An existing group's integer ID or character-string name. It defines the new user's supplementary group membership. Duplicates between group with the -g and -G options are ignored. No more than NGROUPS_MAX groups can be specified. GIDs 0-99 are reserved for allocation by the Solaris Operating System.

-K key=value
A key=value pair to add to the user's attributes. Multiple -K options may be used to add multiple key=value pairs. The generic -K option with the appropriate key may be used instead of the specific implied key options (-A, -P, -R, -p). See user_attr(4) for a list of valid key=value pairs. The “type” key is not a valid key for this option. Keys may not be repeated.

-k skel_dir
A directory that contains skeleton information (such as .profile) that can be copied into a new user's home directory. This directory must already exist. The system provides the /etc/skel directory that can be used for this purpose.

-m
Create the new user's home directory if it does not already exist. If the directory already exists, it must have read, write, and execute permissions by group, where group is the user's primary group.

-o
This option allows a UID to be duplicated (non-unique).

-P profile
One or more comma-separated execution profiles defined in prof_attr(4).

-p projname
Name of the project with which the added user is associated. See the projname field as defined in project(4).

-R role
One or more comma-separated execution profiles defined in user_attr(4). Roles cannot be assigned to other roles.

-s shell
Full pathname of the program used as the user's shell on login. It defaults to an empty field causing the system to use /bin/sh as the default. The value of shell must be a valid executable file.

-u uid
The UID of the new user. This UID must be a non-negative decimal integer below MAXUID as defined in <sys/param.h>. The UID defaults to the next available (unique) number above the highest number currently assigned. For example, if UIDs 100, 105, and 200 are assigned, the next default UID number will be 201. UIDs 0-99 are reserved for allocation by the Solaris Operating System.