Gain Root access on Cisco Unified Communication Manager
Author: Abhijeet | Filed under: HOWTO's, Information Security, VMWare, Voice Over IP
My previous post covers the installation of Cisco Unified Communication Manager 7.0 under VMWare. Once you have installed UCM under VMWare, Cisco gives you 150 free license units from its demo licenses. As you keep adding phones and enabling various services, these license units get consumed. Once the license unit count reaches zero, you cannot add any more devices to the pool.
The license file given by Cisco is tied to the MAC address of the device it is assigned to. You cannot use the same license file on any other UCM machine unless you spoof the MAC address. Now you must be thinking that spoofing a MAC address is very simple and can be done in 2 shell commands. You are right, but one needs root privileges to change the MAC address, and UCM does not allow adding a new user or logging in as root.
So this post is all about gaining root-level privileges on a UCM box.
As we know, UCM 7.0 is a custom version of CentOS 5.x. To achieve our goal we will need CentOS installation disk no. 1. I have provided a direct link to the installation media at the end of the post.
Here we go,
- Boot the UCM machine from our CentOS installation disk. You might need to change the boot sequence in the BIOS.
- At the installation prompt, type – # linux rescue and hit Enter.
- There is no need to start networking services; just select the default options until you get the shell prompt.
- At the shell prompt, type – # chroot /mnt/sysimage to change the system root to the mounted system image.
- Now change the current directory to /etc by typing – # cd /etc
Now if we try to create a new user or group, we get access denied, with an error message on screen. The question arises: even though you are in rescue mode and have root privileges, why are we not able to add a user?
The answer lies in the “lsattr” command. lsattr stands for list attributes and shows the attributes of a file. Whenever we add or modify a user or group, the following files get modified.
- /etc/passwd
- /etc/shadow
- /etc/group
- /etc/gshadow
When we run the lsattr command on these files to view their attributes, we can see that the (i) immutable flag is set on them. The next question is: what is this (i) flag, and what does it do?
A file with the ‘i’ attribute cannot be modified: it cannot be deleted or renamed, no link can be created to this file and no data can be written to the file. Only the superuser or a process possessing the CAP_LINUX_IMMUTABLE capability can set or clear this attribute.
Now we know why we were not able to add a user. Just remove the immutable attribute from the above files and we are done. chattr is the command used to add or remove various attributes on files.
chattr -i /etc/passwd /etc/group /etc/shadow /etc/gshadow
Now let's create a new user and add it to the sudoers list using the following commands.
# useradd abhijeet
# passwd abhijeet
# vi /etc/sudoers and add the following line at the end of the file.
abhijeet ALL=(ALL) ALL
If you are not able to modify the sudoers file, change the file permission to 666 and try adding the above line at the end of the file.
Now just change the attributes and permissions of our modified files back to the original ones using the following commands.
# chattr +i /etc/passwd /etc/group /etc/shadow /etc/gshadow
# chmod 0444 /etc/sudoers
That's it! Now get out of rescue mode by rebooting the system, and boot into UCM. At the login prompt, try the newly created login details. They will work and you will have seamless access to UCM.
Now you can use any other license file on your UCM by changing the MAC address, modify UCM scripts, or use the system for any other purpose.
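Seen from the administrator's side, this procedure leaves traces that can be checked for: immutable flags that were cleared and not restored, a new entry in /etc/passwd, and a new line in /etc/sudoers. The script below is an added example, not part of the original post; the baseline passwd copy, the `newuser` account and the sample lsattr and sudoers lines are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): look for the traces the
# procedure above leaves behind. The four paths are the files named in the
# post; the baseline copy and all sample data below are constructed.

ACCOUNT_FILES="/etc/passwd /etc/shadow /etc/group /etc/gshadow"

# stdin: `lsattr` output. Prints each path whose attribute field lacks 'i'.
not_immutable() {
    awk '$1 ~ /^[-A-Za-z]+$/ && $1 !~ /i/ { print $2 }'
}

# Prints login names found in CURRENT passwd but absent from BASELINE.
new_accounts() {  # usage: new_accounts BASELINE CURRENT
    awk -F: 'FILENAME == ARGV[1] { seen[$1] = 1; next }
             !($1 in seen)       { print $1 }' "$1" "$2"
}

# stdin: sudoers text. Prints users/%groups granted ALL commands.
# Simplified matcher: ignores aliases, includes and line continuations.
sudo_all_grants() {
    awk '!/^[ \t]*(#|Defaults)/ && NF >= 3 && $2 ~ /=/ && $NF == "ALL" { print $1 }'
}

# Live check: run as root, with a passwd copy saved at install time (assumed).
audit_host() {  # usage: audit_host /path/to/baseline_passwd
    lsattr $ACCOUNT_FILES 2>/dev/null | not_immutable | sed 's/^/not immutable: /'
    new_accounts "$1" /etc/passwd | sed 's/^/new account: /'
    sudo_all_grants < /etc/sudoers | sed 's/^/sudo ALL: /'
}

# Constructed demo so the script runs anywhere without touching /etc.
demo() {
    d=$(mktemp -d) || return 1
    printf 'root:x:0:0::/root:/bin/bash\n' > "$d/base"
    printf 'root:x:0:0::/root:/bin/bash\nnewuser:x:500:500::/home/newuser:/bin/bash\n' > "$d/cur"
    printf '%s\n' '----i-------- /etc/passwd' '------------- /etc/shadow' | not_immutable
    new_accounts "$d/base" "$d/cur"
    printf '%s\n' 'root ALL=(ALL) ALL' 'newuser ALL=(ALL) ALL' | sudo_all_grants
    rm -rf "$d"
}
demo
```

Because the changes are made from rescue media, the baseline copy has to be kept off the host, otherwise it can be edited along with the live files.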
Happy hacking
Tags: CentOS, chattr, Cisco License Unit, Cisco UCM, CUCM, Linux Immutable flag

January 7th, 2010 at 9:51 am
Hey thanks for the post