Recovering lost RIM passwords using strace or truss

Have you ever lost a DB password? Perhaps the fascist DBA change the database password on you and you need the old password to change the RIM object. Up to now you have had no option but to delete and re create the RIM object. If your rim object runs on a Unix or Linux host you are in luck. With strace (Linux) and truss (Solaris/AIX) you can recover your passwords.

The truss and strace utilities trace system calls as a process runs, either from start to finish or by attaching to a currently running process. See the appropriate man page for a full explanation of the utility's usage and syntax.

Now, I lost the password to my TEC Oracle database user. Here is how I recover it.

First I need to identify the main RIM process for the TEC object.

# ps -ef | grep RIM
nobody 1259 1156 0 19:03 ? 00:00:00 RIM_Oracle_prog
nobody 1669 1259 0 19:41 ? 00:00:00 RIM_Oracle_Agent
nobody 1670 1669 0 19:41 ? 00:00:00 RIM_Oracle_Agent
nobody 1671 1670 0 19:41 ? 00:00:00 RIM_Oracle_Agent
nobody 1672 1670 0 19:41 ? 00:00:00 RIM_Oracle_Agent
nobody 1676 1259 0 19:41 ? 00:00:00 RIM_Oracle_Agent
nobody 1677 1676 0 19:41 ? 00:00:00 RIM_Oracle_Agent
nobody 1679 1677 0 19:41 ? 00:00:00 RIM_Oracle_Agent
nobody 1680 1677 0 19:41 ? 00:00:00 RIM_Oracle_Agent
root 1691 1413 0 19:41 pts/0 00:00:00 grep RIM

As you can see the main process is 1259, the Agent processes are active connections. We need to clear those out. So we stop the event server.

# wstopesvr

# ps -ef | grep RIM
nobody 1259 1156 0 19:03 ? 00:00:00 RIM_Oracle_prog
root 1695 1413 0 19:43 pts/0 00:00:00 grep RIM

Identifying the primary RIM daemon is easy if the system is only running one RIM object. If multiple RIMs run on a host you and identify the process using a command such as this:

# odstat -dv -o $TMR.1.348 | egrep `wlookup -r RIM tec | sed 's/\./\\\./g' | cut -d\# -f1`
1259 MO -1 1147945310.1.705 /linux-ix86/TAS/RIM /RIM_Oracle_prog

In this case we are looking for daemon methods running on the specified ManagedNode referenced by the given OID. The wlookup/sed/cut calls get the OID of the tec RIM object and format the results for use in egrep.

Now that there are no active connections, we use strace in another terminal to attach to the running RIM process.
# strace -o /tmp/strace.out -f -p 1259

The 'o sends the output to the file /tmp/strace.out, -f causes the program to trace the execution of forked processes, and 'p tells strace which process to attach to and trace.

Next we connect to the TEC database.
# wrimtest -l tec
Resource Type : RIM
Resource Label : tec
Host Name : familiar
User Name : tmetec
Vendor : Oracle
Database : TECDB
Database Home : /usr/oracle
Server ID : TECDB
Instance Home :
Instance Name :
Opening Regular Session...Session Opened
RIM : Enter Option >x
Releasing session

After the exit the wrimtest command, we click over to our running strace and control-c out.

Use your paging (more/less/cat) or editor of choice to review the strace output for the connection information:
1572 read(6, "\4\0\0\0", 4) = 4
1572 read(6, "TECDB", 5) = 5
1572 read(6, "\6\0\0\0", 4) = 4
1572 read(6, "tmetec", 6) = 6
1572 read(6, "\10\0\0\0", 4) = 4
1572 read(6, "pwd12345", 8) = 8
1572 read(6, "\v\0\0\0", 4) = 4
1572 read(6, "/usr/oracle", 11) = 11
1572 read(6, "\4\0\0\0", 4) = 4
1572 read(6, "TECDB", 5) = 5
1572 read(6, "\0\0\0\0", 4) = 4
1572 read(6, "\0\0\0\0", 4) = 4
1572 read(6, "7\0\0\0", 4) = 4

As you probably have guessed, the password is pwd12345. I hope you don't have to change the combination on your luggage now.

The truss program has similar options and capabilities as strace. This process has been tested on Linux/Oracle and AIX/DB2.