Present Working Directory

Introduction to UNIX

William J. Buchanan BSc, CEng, PhD, in Software Development for Engineers, 1997

35.5 Changing directory

The pwd command can be used to determine the present working directory, and the cd command can be used to change the current working directory. When changing directory either the full pathname or the relative pathname is given. If a / precedes the directory name then it is a full pathname, else it is a relative path. Some special character sequences are used to represent other directories; for example, the directory above the current directory is specified by a double dot (..).

Thus to move to the directory above, the command cd .. can be used. If the cd command is used without any directory specifier then the directory will be changed to the user's home directory. Some example command sessions are given next.


URL:

https://www.sciencedirect.com/science/article/pii/B9780340700143500803

Networking

Philip Bourne, ... Joseph McMullen, in UNIX for OpenVMS Users (Third Edition), 2003

13.2.6.1 Trusted Host: rcp

The following examples show various uses of rcp and compare them to their OpenVMS DECnet proxy login counterparts.

In the first example, rcp cuhhmd:/usr/user1/junk myfile copies the file /usr/user1/junk from the trusted remote host cuhhmd to myfile in the present working directory on the local host. In the second example, rcp myfile cuhhmd:/usr/user1/junk copies myfile in the present working directory on the local host to the file junk in the directory /usr/user1 on the remote trusted host cuhhmd. For file transfer to occur, the same login name must own the remote directory /usr/user1 on cuhhmd, as well as the files on the local host, unless modified by a cuhhmd:~user1/.rhosts entry. Moreover, the directory /usr/user1 must already exist on cuhhmd; the command will not create it.

OpenVMS / UNIX
Form:
  OpenVMS: $ COPY [/QUALIFIER(S)] NODE::source_file target_file
  UNIX:    $ rcp hostname:source_file target_file
Example:
  OpenVMS: $ COPY CUHHMD::DUA0:[USER1]JUNK.DAT MYFILE.DAT
  UNIX:    $ rcp cuhhmd:/usr/user1/junk myfile
Form:
  OpenVMS: $ COPY [/QUALIFIER(S)] source_file NODE::target_file
  UNIX:    $ rcp source_file hostname:target_file
Example:
  OpenVMS: $ COPY MYFILE.DAT CUHHMD::DUA0:[USER1]JUNK.DAT
  UNIX:    $ rcp myfile cuhhmd:/usr/user1/junk
Form:
  UNIX:    $ rcp -r source_directory hostname:target_directory
Example:
  UNIX:    $ rcp -r ~fred/programs cuhhmd:/usr/fred/programs
Example:
  OpenVMS: $ COPY MYFILE CUHHMD::DUA2:[.PROGRAMS]JUNK
  UNIX:    $ rcp myfile cuhhmd:programs/junk
Example:
  OpenVMS: $ COPY MYFILE CUHHMD::DUA2:[.PROGRAMS]
  UNIX:    $ rcp myfile cuhhmd:programs

The third example, rcp -r ~fred/programs cuhhmd:/usr/fred/programs, illustrates copying a directory structure (-r option for recursive copying) across the network. In the UNIX example given here, the local directory programs, any subdirectories of programs, and all files therein are recreated on the remote host cuhhmd in the directory /user/fred/programs in the same way as the cp command copies directory structures on a single host (see Section 8.3.1).

In the fourth example, rcp myfile cuhhmd:programs/junk illustrates the use of a relative pathname to specify a file on the remote host. The command copies myfile to ~user/programs/junk on the remote host. Relative pathnames on a local host start from the present working directory; relative pathnames on a remote host start from the parent directory of the user. Note that if the directory ~user/programs on the remote host did not exist, it would not have been created. Rather, an error would have occurred.

The final example extends the concept of using a relative pathname. Because rcp myfile cuhhmd:programs does not include an output filename (programs is a directory), the file is copied with the same name to ~user/programs/myfile.
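As an added illustration (not code from UNIX for OpenVMS Users), the following Python models how rcp interprets its two arguments under the rules above: host:path is remote, a bare name is local, a local relative name starts at the present working directory, a remote relative name starts at the user's own directory on that host, a destination that is an existing remote directory keeps the source file's name, and a missing remote parent directory is an error rather than something rcp creates. The login directories, the set of existing remote directories and the function names are constructed for the example.

```python
import posixpath

# Constructed sample data: login directories on the local host and on the
# remote host "cuhhmd", plus the directories that already exist on cuhhmd.
LOCAL_HOMES = {"user1": "/home/user1", "fred": "/home/fred"}
REMOTE_HOMES = {"cuhhmd": {"user1": "/usr/user1", "fred": "/usr/fred"}}
REMOTE_DIRS = {"cuhhmd": {"/usr", "/usr/user1", "/usr/fred", "/usr/fred/programs"}}


def parse_rcp_arg(arg):
    """Split an rcp argument into (host, path); host is None for a local path."""
    if ":" in arg:
        host, path = arg.split(":", 1)
        return host, path
    return None, arg


def expand_tilde(path, homes, login):
    """Expand ~ and ~name using the login directories known for one host."""
    if not path.startswith("~"):
        return path
    name, _, rest = path[1:].partition("/")
    base = homes[name or login]
    return posixpath.join(base, rest) if rest else base


def resolve(arg, login, local_cwd):
    """Return (host, absolute path) for one rcp argument.

    A local relative name starts from the present working directory; a
    remote relative name starts from the login's own directory on that host.
    """
    host, path = parse_rcp_arg(arg)
    if host is None:
        path = expand_tilde(path, LOCAL_HOMES, login)
        return None, posixpath.normpath(posixpath.join(local_cwd, path))
    homes = REMOTE_HOMES[host]
    path = expand_tilde(path, homes, login)
    return host, posixpath.normpath(posixpath.join(homes[login], path))


def plan_copy(src, dst, login, local_cwd):
    """Work out where 'rcp src dst' would write on the destination host.

    If dst names an existing remote directory the file keeps its own name;
    if the remote parent directory is missing rcp fails instead of creating it.
    """
    _, src_path = resolve(src, login, local_cwd)
    dst_host, dst_path = resolve(dst, login, local_cwd)
    if dst_host is not None:
        existing = REMOTE_DIRS[dst_host]
        if dst_path in existing:
            dst_path = posixpath.join(dst_path, posixpath.basename(src_path))
        elif posixpath.dirname(dst_path) not in existing:
            raise FileNotFoundError(f"{dst_host}:{posixpath.dirname(dst_path)} does not exist")
    return dst_host, dst_path


if __name__ == "__main__":
    for src, dst, login in (("myfile", "cuhhmd:/usr/user1/junk", "user1"),
                            ("myfile", "cuhhmd:programs/junk", "fred"),
                            ("myfile", "cuhhmd:programs", "fred")):
        print(f"rcp {src} {dst} (as {login}) ->", plan_copy(src, dst, login, LOCAL_HOMES[login]))
```

The model deliberately has no notion of the host-based trust the chapter mentions: whether cuhhmd accepts the copy at all is decided by the remote .rhosts entry, not by anything in the path arithmetic above.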


URL:

https://www.sciencedirect.com/science/article/pii/B9781555582760500133

Malware Incident Response

James M. Aquilina, in Malware Forensics, 2008

Collecting Process Information

Distinguishing between malware and legitimate processes on a Linux system involves a methodical review of running processes. In some cases, malicious processes will exhibit characteristics that immediately raise a red flag, such as established network connections with an Internet Relay Chat (IRC) server, or the executable stored in a hidden directory. More subtle clues that a process is malicious include the files that it has open, a process running as root that was launched from a user account that is not authorized to have root access, and the amount of system resources it is consuming. The top command shows which processes are using the most system resources.

The ps command is useful for obtaining an overview of running processes on the subject system, with the options ps -auxeww for all processes, their associated terminal (tty), and their environment such as the command line options and present working directory ("pwd"). A simplified process listing without the environment data can be obtained by excluding the "e" option or using the ps -ealf or -ef options. The following case scenario demonstrates how characteristics of a process can expose malware and lead digital investigators into a cold, dark place of hidden information.

Case Scenario

Entering the Twilight Zone — An LKM Rootkit

The information security department in an organization observed a brute-force attack against an SSH server on a number of their systems. Subsequent network activities from one of those systems raised sufficient concern to capture and examine volatile data. The last two items in the process listing on the subject system revealed a process named "klogd -x," with "/dev/tyyec" as its present working directory, shown in bold below. The intruder evidently forgot to hide this process, because even a trusted version of the ps command will not display information that is concealed by an LKM rootkit.

# /mnt/trustedtools/ps -auxeww

USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.1 1336 476 ? S 16:20 0:04 init HOME=/ TERM=linux
root 2 0.0 0.0 0 0 ? SW 16:20 0:00 [keventd]
root 3 0.0 0.0 0 0 ? SW 16:20 0:00 [kapmd]
root 4 0.0 0.0 0 0 ? SWN 16:20 0:00 [ksoftirqd_CPU0]
root 5 0.0 0.0 0 0 ? SW 16:20 0:00 [kswapd]
root 6 0.0 0.0 0 0 ? SW 16:20 0:00 [bdflush]
root 7 0.0 0.0 0 0 ? SW 16:20 0:00 [kupdated]
root 8 0.0 0.0 0 0 ? SW 16:20 0:00 [mdrecoveryd]
root 16 0.0 0.0 0 0 ? SW 16:20 0:00 [kjournald]
<cut for brevity>
root 810 0.0 0.5 4144 1436 tty1 S 16:21 0:00 -bash HOME=/root PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin SHELL=/bin/bash TERM=linux MAIL=/var/mail/root LOGNAME=root
root 1885 0.0 0.7 6692 2028 ? S 16:24 0:00 /usr/sbin/sshd CONSOLE=/dev/console TERM=linux INIT_VERSION=sysvinit-2.84 PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin RUNLEVEL=3 runlevel=3 PWD=/ LANG=en_US.UTF-8 PREVLEVEL=N previous=N HOME=/ SHLVL=2 _=/sbin/initlog
eco 1887 0.0 0.8 6732 2240 ? S 16:24 0:00 /usr/sbin/sshd CONSOLE=/dev/console TERM=linux INIT_VERSION=sysvinit-2.84 PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin RUNLEVEL=3 runlevel=3 PWD=/ LANG=en_US.UTF-8 PREVLEVEL=N previous=N HOME=/ SHLVL=2 _=/sbin/initlog
eco 1888 0.0 0.5 4132 1408 pts/8 S 16:24 0:00 -bash USER=eco LOGNAME=eco HOME=/home/eco PATH=/usr/local/bin:/bin:/usr/bin MAIL=/var/mail/eco SHELL=/bin/bash SSH_CLIENT=172.16.215.131 48799 22 SSH_TTY=/dev/pts/8 TERM=xterm
root 5723 0.0 0.1 1364 448 pts/8 S 17:26 0:00 klogd -x PWD=/dev/tyyec SHLVL=1 _=./swapd OLDPWD=/dev/tyyec/ecmf
root 5787 0.0 0.1 1352 404 pts/8 S 17:34 0:00 klogd -x PWD=/dev/tyyec SHLVL=1 _=./swapd OLDPWD=/dev/tyyec/ecmf

The most obvious problem was that the "/dev/tyyec" directory did not appear in a directory listing, but could be accessed by blindly changing the directory to that location, as shown here.

# /mnt/cdrom/ls /dev/tyy*
ls: /dev/tyy*: No such file or directory
# cd /dev/tyyec
# /mnt/cdrom/ls
adore-ng.o ava cleaner.o log relink startadore symsed swapd zero.o

Another discrepancy to note is that the name of the process "klogd -x" does not bear any resemblance to the "swapd" executable that launched the process. In addition, this process was executed from its current directory ("./swapd"), which is uncommon for system processes and is generally associated with processes executed by a user. Furthermore, this process is running as root, but the controlling terminal (pts/8, shown in the line preceding those in bold above) is associated with the "eco" user account, which should not have root access according to the system administrators. These clues led digital investigators to conclude that the Adore LKM rootkit was running on the system. If it had not been for the intruder's misstep of not instructing the rootkit to hide one running process, the presence of malware might have gone undetected, unless the digital investigators had examined the memory dump from the subject system, as described in Chapter 3.
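The indicators the scenario relies on (a working directory under /dev, a process launched from its own directory, a process name that does not match the file that launched it, and a root process on a terminal used by an unprivileged account) can be applied mechanically to the environment that ps -auxeww exposes. The following Python is an added example, not code from Malware Forensics; the ps sample it parses is a constructed abbreviation of the listing above, the /dev listing is constructed, and the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample of 'ps -auxeww' output, abbreviated from the case
# scenario's listing (same users, PIDs, terminals and environment strings).
PS_OUTPUT = """\
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.1 1336 476 ? S 16:20 0:04 init HOME=/ TERM=linux
root 810 0.0 0.5 4144 1436 tty1 S 16:21 0:00 -bash HOME=/root PATH=/usr/local/sbin:/sbin:/bin SHELL=/bin/bash LOGNAME=root
root 1885 0.0 0.7 6692 2028 ? S 16:24 0:00 /usr/sbin/sshd PWD=/ HOME=/ SHLVL=2 _=/sbin/initlog
eco 1888 0.0 0.5 4132 1408 pts/8 S 16:24 0:00 -bash USER=eco LOGNAME=eco HOME=/home/eco SHELL=/bin/bash SSH_CLIENT=172.16.215.131 48799 22 SSH_TTY=/dev/pts/8 TERM=xterm
root 5723 0.0 0.1 1364 448 pts/8 S 17:26 0:00 klogd -x PWD=/dev/tyyec SHLVL=1 _=./swapd OLDPWD=/dev/tyyec/ecmf
"""

# Constructed 'ls /dev' result: the hidden directory is absent from it.
DEV_LISTING = ["console", "null", "pts", "tty1", "zero"]

ENV_TOKEN = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")


def parse_ps(text):
    """Split each 'ps -auxeww' row into its ten fixed columns, the command
    words, and the NAME=value environment that follows the command."""
    procs = []
    for line in text.strip().splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 11:
            continue
        user, pid, _cpu, _mem, _vsz, _rss, tty, _stat, _start, _time = fields[:10]
        cmd, env, last = [], {}, None
        for tok in fields[10:]:
            if cmd and ENV_TOKEN.match(tok):            # first NAME=value ends the command
                last, _, value = tok.partition("=")
                env[last] = value
            elif last is not None:                      # value containing blanks (SSH_CLIENT)
                env[last] += " " + tok
            else:
                cmd.append(tok)
        procs.append({"user": user, "pid": int(pid), "tty": tty, "cmd": cmd, "env": env})
    return procs


def triage(procs):
    """Apply the chapter's indicators; return {pid: [finding, ...]} for the
    processes that trip at least one of them."""
    tty_users = defaultdict(set)                        # terminal -> users seen on it
    for p in procs:
        if p["tty"] != "?":
            tty_users[p["tty"]].add(p["user"])
    findings = defaultdict(list)
    for p in procs:
        env, cmd, pid = p["env"], p["cmd"], p["pid"]
        cwd, launched = env.get("PWD", ""), env.get("_", "")
        if cwd.startswith("/dev/"):
            findings[pid].append(f"working directory {cwd} is under /dev")
        if launched.startswith("./"):
            findings[pid].append(f"executed from its own directory as {launched}")
        if launched and cmd:
            shown = cmd[0].lstrip("-").rsplit("/", 1)[-1]
            actual = launched.rsplit("/", 1)[-1]
            if shown != actual:
                findings[pid].append(f"name {shown!r} does not match launched file {launched}")
        others = tty_users[p["tty"]] - {"root"} if p["tty"] != "?" else set()
        if p["user"] == "root" and others:
            findings[pid].append(f"runs as root on {p['tty']}, a terminal used by {', '.join(sorted(others))}")
    return dict(findings)


def unlisted_dev_dirs(procs, dev_listing):
    """Names under /dev that processes reference through PWD or OLDPWD but
    that a directory listing of /dev does not show."""
    referenced = set()
    for p in procs:
        for var in ("PWD", "OLDPWD"):
            path = p["env"].get(var, "")
            if path.startswith("/dev/"):
                referenced.add(path.split("/")[2])
    return sorted(referenced - set(dev_listing))


if __name__ == "__main__":
    procs = parse_ps(PS_OUTPUT)
    for pid, notes in sorted(triage(procs).items()):
        print(pid, *notes, sep="\n    ")
    print("referenced but unlisted under /dev:", unlisted_dev_dirs(procs, DEV_LISTING))
```

Run on the sample, the klogd process trips all four indicators and tyyec is reported as referenced but unlisted. The sshd line also trips the name-mismatch indicator, because init scripts start daemons through /sbin/initlog; that is the kind of benign hit these heuristics produce, which is why they rank processes for a human to look at rather than decide anything on their own.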


URL:

https://www.sciencedirect.com/science/article/pii/B9781597492683000025

File Management Revisited

Philip Bourne, ... Joseph McMullen, in UNIX for OpenVMS Users (Third Edition), 2003

8.3.2 Directory Navigation

Both the C shell and the Korn shell offer extensions to the shell-independent command cd for changing the current directory. The C shell provides the shell variable cdpath and the directory stack, whereas the Korn shell includes CDPATH and OLDPWD. The Bourne-Again shell both recognizes CDPATH and OLDPWD and includes a directory stack. The variables cdpath and CDPATH permit you to move easily to a commonly used directory, irrespective of the current directory. In other words, you can move from the present working directory to a directory defined by cdpath or CDPATH without regard to the relative or absolute pathname required to get to that directory. The OpenVMS DEFINE command achieves a similar result, with one notable difference: DEFINE establishes a pointer to a specific directory, whereas cdpath and CDPATH establish a search list of potential parent directories of any subdirectory that is used frequently.

OpenVMS                                        UNIX (C shell)
Form:
$ DEFINE logical-name equivalence-name[,...]   % set cdpath = directory-spec
Example:
$ DEFINE TEST DUA2:[USER.TEST]                 % set cdpath = /user/test
$ SHOW DEFAULT                                 % pwd
DUA3:[PROGRAMS.NEW]                            /programs/new
$ SET DEFAULT TEST                             % cd temp
$ SHOW DEFAULT                                 % pwd
DUA2:[USER.TEST]                               /user/test/temp
Example:
$ DEFINE DOC DUA2:[USER.DOC]                   % set cdpath = (/user/doc /user/com)
$ DEFINE COM DUA2:[USER.COM]

In the first example, OpenVMS's DEFINE establishes a synonym, TEST, for the directory specification DUA2:[USER.TEST]. The UNIX command set cdpath = /user/test establishes a pointer to all subdirectories of /user/test. Hence, changing the directory to temp via a relative file definition makes /user/test/temp the present working directory irrespective of the current directory. The exception is the existence of /programs/new/temp, in which case that directory would have been preferentially made the present working directory. If you are working with the Korn or Bourne-Again shell, you would achieve the same results by defining CDPATH as /user/test. The last example, set cdpath = (/user/doc /user/com), illustrates giving multiple directory arguments to cdpath by enclosing them in parentheses and separating them with a blank. The Korn and Bourne-Again shells separate each directory with a colon (just as they do the directories in the PATH variable) and omit the enclosing parentheses.

A directory stack is a list of directory specifications retained by the C and Bourne-Again shells for the current terminal session only. Directory specifications can be made part of the stack and recalled as required. The present working directory is always at the top of the directory stack. The following scenario illustrates the use of a directory stack.

UNIX (bash and C shell)
Form:
% pushd dir
% pushd +n
Example:
% pwd                          # Push /user2/programs/new onto the
/user2/programs/new            # stack and make /usr the current
% pushd /usr                   # directory
/usr /user2/programs/new
Example:
% dirs                         # Display the directory stack
/usr /user2/programs/new
Example:
% pushd /etc                   # Push /usr onto the stack and move to
/etc /usr /user2/programs/new  # /etc
Example:
% pushd +1                     # Rotate the stack n times
/usr /user2/programs/new /etc
Example:
% popd                         # Discard /usr from directory stack,
/user2/programs/new /etc       # change to next on stack,
% pwd                          # /user2/programs/new
/user2/programs/new
Example:
% cd /tmp                      # Replace top entry on stack with /tmp and set working directory there
% dirs
/tmp /etc

The examples begin in the directory /user2/programs/new. The command pushd /usr places (pushes) the directory /usr onto the directory stack and makes it the present working directory. Note that the pushd command displays the directory stack; other commands that manipulate the stack also display it. Note also that pushd without arguments (not shown) switches the top two entries of the stack. The C shell command dirs interrogates the contents of the directory stack. Further use of the pushd command (pushd /etc) deepens the stack, and /etc becomes the present working directory. The command pushd +1 makes the first directory stack entry the last, and the last the first; that is, it rotates the stack +1 (one) time. The popd command discards the top of the directory stack (the present working directory) and makes the second entry in the stack the new present working directory. Note the use of cd /tmp, which changes the top entry in the stack to /tmp, but does not change other entries in the stack.

While the Korn shell has no such elaborate directory stack, it does keep a record of the most recent previous working directory in the OLDPWD variable. You can thus go back and forth between two directories simply by using the command cd $OLDPWD. The Korn and Bourne-Again shells use a directory sequence, ~-, as equivalent to the variable. Thus, the command cd ~- is the same as the command cd $OLDPWD. Similarly, the two shells interpret ~+ as a reserved variable for the current directory, PWD.
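The rules spread across Section 35.5 (absolute versus relative names, .., cd with no argument), the cdpath search order and the directory stack transcript above, and the OLDPWD shorthands of this paragraph can be stated precisely as one small model of a shell session's directory state. The Python below is an added example, not code from either book; it walks a constructed set of directory names instead of the real filesystem, and the class and method names are my own. Replaying the transcript above through it reproduces every stack shown there.

```python
import posixpath

# Constructed directory tree for the model; nothing touches the real disk.
EXISTING = {"/", "/usr", "/etc", "/tmp", "/programs", "/programs/new",
            "/user/test", "/user/test/temp", "/user/doc", "/user/com",
            "/user2/programs/new", "/home/me"}


class DirState:
    """Present working directory, OLDPWD, cdpath search list and the
    directory stack of one shell session (stack[0] is always the pwd)."""

    def __init__(self, home, cwd, cdpath=(), existing=EXISTING):
        self.home, self.cwd, self.cdpath = home, cwd, list(cdpath)
        self.oldpwd = None
        self.stack = [cwd]
        self.existing = existing

    def _enter(self, path):
        """Make path current after checking it exists; keep stack[0] in step."""
        path = posixpath.normpath(path)
        if path not in self.existing:
            raise FileNotFoundError(path)
        self.oldpwd, self.cwd = self.cwd, path
        self.stack[0] = path
        return self.cwd

    def cd(self, target=None):
        """No argument or ~ goes home; - and ~- go to OLDPWD; ~+ is PWD; a
        name starting with / is absolute; any other name is relative and is
        looked for in the present working directory first, then along cdpath."""
        if target is None or target == "~":
            return self._enter(self.home)
        if target in ("-", "~-"):
            if self.oldpwd is None:
                raise FileNotFoundError("OLDPWD not set")
            return self._enter(self.oldpwd)
        if target == "~+":
            return self._enter(self.cwd)
        if target.startswith("~/"):
            return self._enter(posixpath.join(self.home, target[2:]))
        if target.startswith("/"):
            return self._enter(target)
        for base in [self.cwd, *self.cdpath]:          # .. is resolved by normpath
            cand = posixpath.normpath(posixpath.join(base, target))
            if cand in self.existing:
                return self._enter(cand)
        raise FileNotFoundError(target)

    def pushd(self, arg=None):
        """pushd dir: push dir and go there; pushd +n: rotate the stack n
        entries; pushd alone: swap the top two entries."""
        if arg is None:
            if len(self.stack) < 2:
                raise IndexError("no other directory on the stack")
            self.stack[0], self.stack[1] = self.stack[1], self.stack[0]
        elif arg.startswith("+"):
            n = int(arg[1:]) % len(self.stack)
            self.stack = self.stack[n:] + self.stack[:n]
        else:
            path = posixpath.normpath(arg)
            if path not in self.existing:
                raise FileNotFoundError(path)
            self.stack.insert(0, path)
        self.oldpwd, self.cwd = self.cwd, self.stack[0]
        return self.dirs()

    def popd(self):
        """Discard the top entry and make the next one current."""
        if len(self.stack) < 2:
            raise IndexError("directory stack empty")
        del self.stack[0]
        self.oldpwd, self.cwd = self.cwd, self.stack[0]
        return self.dirs()

    def dirs(self):
        return list(self.stack)


if __name__ == "__main__":
    s = DirState(home="/home/me", cwd="/user2/programs/new")
    for step in ("pushd /usr", "dirs", "pushd /etc", "pushd +1", "popd", "cd /tmp", "dirs"):
        verb, _, arg = step.partition(" ")
        result = getattr(s, verb)(arg) if arg else getattr(s, verb)()
        print(f"% {step}\n{result if isinstance(result, str) else ' '.join(result)}")
```

The order of the search in cd is the point of the cdpath paragraph: the present working directory is consulted before any cdpath entry, which is why an existing /programs/new/temp wins over /user/test/temp.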


URL:

https://www.sciencedirect.com/science/article/pii/B978155558276050008X

File Transfer Protocol

Walter Goralski, in The Illustrated Network (Second Edition), 2017

FTP Data Transfers

At some point in the FTP conversation between the client and server port 21, the user will use a command that will trigger a file transfer. The transfer might not be of the actual file itself, as with get or put. Often, the user requests a file directory listing from the present working directory on the server with the dir command, usually to ensure that the desired file is there or to check the spelling after the first transfer attempt has failed. These actions require the server to set up an FTP data connection. (The control connection is only a Telnet remote access session and is inappropriate for bulk data transfer anyway.) The FTP model of command and data connections is shown in Figure 24.8.

Figure 24.8. FTP command and data connections, showing how both are used in an FTP application.

Consider what happens when a user at an FTP client types in the dir command to receive a list of the contents of the remote host's directory. This requires the establishment of a data connection on the part of the server. The server normally uses well-known TCP port 20 as the server end of the data connection. But how does the client know which ephemeral port to listen on for the data?

The server sends an FTP PORT command over the control connection to the client with this data. This tells the client which port should be used at the client end for the data connection. So that there is no misunderstanding, the server includes the client's IP address as well. Thus, the command really supplies socket information. The PORT command is sent over the control connection and is formatted as if it were data to appear on a Telnet terminal, including control characters such as \n (new line).

The port number is expressed as two independent numbers. The first is multiplied by 256 and added to the second (which must be in the range 0–255) to give the client's port number. So, if the PORT command ends with the numbers 14, 234 (excluding the control characters) the port number the client should use for the data connection is 3818 (14×256=3584; 3584+234=3818).

The client issues a passive open on port 3818, and the FTP server now sends a TCP SYN message to open the TCP session and transport the dir listing as requested. The server normally closes the data connection as soon as the transfer is complete.
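The six-number socket encoding carried by PORT (four address octets, then the two port numbers combined as p1×256+p2) is easy to get wrong in either direction, and whichever side receives the command has to decide whether to trust the socket it names. The Python below is an added example, not code from The Illustrated Network: it encodes and decodes the PORT argument and then validates a raw control-connection line, refusing a socket whose address is not the other end of the control connection or whose port is privileged. That address check is a hardening measure I have assumed, not something the chapter describes; 192.0.2.10 is a constructed documentation address and the function names are my own.

```python
import ipaddress


def encode_port_argument(host, port):
    """Build the PORT argument h1,h2,h3,h4,p1,p2 for an IPv4 socket."""
    if not 0 <= port <= 65535:
        raise ValueError("port out of range")
    octets = str(ipaddress.IPv4Address(host)).split(".")
    return ",".join(octets + [str(port // 256), str(port % 256)])


def decode_port_argument(arg):
    """Parse a PORT argument back into (host, port).

    Every field must be a decimal number in 0-255; the port is p1*256 + p2,
    exactly the arithmetic the text walks through for 14, 234 -> 3818."""
    fields = arg.strip().split(",")
    if len(fields) != 6:
        raise ValueError("PORT needs exactly six numbers")
    nums = []
    for field in fields:
        if not field.isdigit() or not 0 <= int(field) <= 255:
            raise ValueError(f"field {field!r} is not a number in 0-255")
        nums.append(int(field))
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return host, port


def check_port_command(line, control_peer):
    """Validate one raw control-connection line such as 'PORT 192,0,2,10,14,234\\r\\n'.

    Returns (host, port) only when the line is a well-formed Telnet-style
    PORT command, the address is the peer of the control connection, and the
    port is not a privileged one; anything else is rejected (assumed policy)."""
    if not line.endswith("\r\n"):
        raise ValueError("control-connection line must end in CRLF")
    verb, _, arg = line[:-2].partition(" ")
    if verb.upper() != "PORT":
        raise ValueError("not a PORT command")
    host, port = decode_port_argument(arg)
    if host != control_peer:
        raise ValueError(f"PORT address {host} is not the control peer {control_peer}")
    if port < 1024:
        raise ValueError(f"refusing privileged data port {port}")
    return host, port


if __name__ == "__main__":
    arg = encode_port_argument("192.0.2.10", 3818)         # constructed client socket
    print("PORT", arg, "->", decode_port_argument(arg))
    print(check_port_command(f"PORT {arg}\r\n", control_peer="192.0.2.10"))
```

Keeping the two port bytes separate in the wire format means a value like 14,300 is syntactically visible as malformed before any arithmetic is done, which is why the decoder range-checks each field rather than the computed port.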

The control connection process of obtaining a simple dir listing from a remote FTP server is shown in Figure 24.9. Note that the client issues FTP commands and the server replies with codes.

Figure 24.9. FTP control connection, showing how a directory listing proceeds.

The activity on the data connection is shown in Figure 24.10. Although in many cases the data connection uses well-known port 20 on the server, it does not have to.

Figure 24.10. FTP data connection. The connection does not have to use port 20 on the server.


URL:

https://www.sciencedirect.com/science/article/pii/B9780128110270000242