sec_salvage_db(8sec)
Recovers a corrupted registry database
Synopsis
sec_salvage_db -print [-dbpath db_pathname] [-prtpath print_pathname] [print_options] [-verbose]
sec_salvage_db -reconstruct [-dbpath db_pathname] [-prtpath print_pathname] [reconstruct_options] [-verbose]
sec_salvage_db -check [-dbpath db_pathname] [db_options] [-verbose]
sec_salvage_db -fix [-dbpath db_pathname] [db_options] [-force] [-verbose]
Options
-check Checks the database elements specified by db_options for inconsistencies. This option sends a list to standard output of all bad list links, internal ID
references, and database keys and any detectable data inconsistencies. The -check option does not check fields for legal values.
db_options Specifies the database elements to be acted on by the -check or -fix options. If no db_options are specified, all are selected.
The db_options are:
-princ - Principals
-group - Groups
-org - Organizations
-acct - Accounts
-acl - ACLs
-policy - Policy
-state - Database State
-replicas - Replicas
Note The mkey.prt file and the princ.prt file contain unencrypted authentication keys. Ensure that only the privileged account can access these files and that
they are never transferred over a network for viewing or backup.
-fix Checks the database for inconsistencies and prompts for whether to fix each inconsistency. After all inconsistencies have been processed, the option prompts for whether to
save all fixes.
-force Checks the database for inconsistencies and fixes each one without prompting. After all inconsistencies have been processed, the option prompts for whether to save all
fixes. This option is valid only when used with the -fix option.
-print Creates files containing ASCII-formatted database records. These files are used by the -reconstruct option as a source for recreating the database. You can also
manually edit the files to change information or fix problems. A separate file is created for each of the print_options specified.
By default, the -print option stores the master key file in the current directory and the database files in the rgy_print directory in the current directory. The -prtpath
option lets you specify a different directory.
print_options Specify the database elements to be acted on by the -print option. If the files exist, they are overwritten. If no print_options are specified, all are
selected. The print_options and the files they create are:
· -princ Put principal records in the file princ.prt and master key information in the file .mkey.prt.
· -group Put group records in the file group.prt.
· -org Put organization records in the file org.prt.
· -policy Put policy records in the file policy.prt.
· -state Put information about the state of the database in the file rgy_state.prt.
· -replicas Put replica information in the file replicas.prt.
-reconstruct Reconstructs the registry database from the ASCII-formatted print files created by the -print option. The
reconstruct_options specify the print files to use.
reconstruct_options Specifies which elements of the registry database to reconstruct. If no reconstruct_options are specified, all are selected. The
reconstruct_options are:
· -pgo Use data in the princ.prt, group.prt, org.prt, and .mkey.prt files to reconstruct:
  - Principals, groups, organizations
  - Principals' accounts
  - ACLs on database objects
  - The master key file
· -policy Use data from the policy.prt file to reconstruct registry policies.
· -state Use data from the rgy_state.prt file to reconstruct information about the state of the database.
· -replicas Use data from the replicas.prt file to reconstruct the master replica list.
-dbpath db_pathname For the -print and -check options, -dbpath specifies the directory in which the registry database and the master key file
are located.
For the -reconstruct and -fix options, -dbpath specifies the directory in which to store the reconstructed or salvaged database.
The -print and -check options expect to find the master key file, .mkey, in the directory above the directory that holds the database files. For example, if
db_pathname is dcelocal/var/security/new_rgy, the options look for the master key file in dcelocal/var/security and the database files in
dcelocal/var/security/new_rgy.
If this option is not specified, the default path name is dcelocal/var/security/rgy_data.
db_pathname can be a global path name or a cell-relative name.
-prtpath print_pathname For the -print and -reconstruct options only, -prtpath specifies the directory in which to create (-print)
the print files, or find (-reconstruct) the print files from which to reconstruct the database.
By default, the -print option creates and the -reconstruct option looks for the master key file in the current directory and the database files in the rgy_print
subdirectory of the current directory. The -prtpath option lets you specify the directory that should be used instead of the current directory. For example, if you specify
print_pathname as dcelocal/var/security/registry, the master key print file will be created in that directory and the database print files in
dcelocal/var/security/registry/rgy_print.
If any or all of the print files exist in print_pathname or the default directory, their contents are overwritten.
print_pathname can be a global path name or a cell-relative name.
Description
The sec_salvage_db tool is an aid to database administration and troubleshooting. Although day-to-day administration is handled by the rgy_edit command, sec_salvage_db
can be useful for listing registry data, reconstructing databases, and salvaging corrupted databases.
The sec_salvage_db command supports two methods of operation: the check and fix method, and the print and reconstruct method. These methods can be used in tandem.
Check and Fix Method
Note that the -check and -fix options are not currently available.
The check and fix method recovers data from a corrupted database, fixing corrupted data links, data retrieval keys, and other internal references. You can use it on a database so corrupted that it
prevents the security server (secd) from running or registry clients from operating correctly. The check and fix method repairs the database structure so that secd can
run. (Note that data may be lost if corrupted pointers in the registry data files irreversibly sever the links between records.) The check and fix method uses the sec_salvage_db
-check, -fix, and -force options.
The -check option accesses each record in the database and reports all errors, but makes no fixes. You can run it to see the state of the database before you run the -fix
option, but doing so is not required.
The -fix option also accesses each record in the database and reports all errors, but as it finds each error, it prompts for whether or not to fix the error. When processing is complete,
sec_salvage_db prompts for whether or not to save the changes.
The -force option can only be used with the -fix option. If you use it, sec_salvage_db does not prompt for confirmation before it fixes each error it finds.
sec_salvage_db will still prompt for confirmation before it saves the changes.
The Print and Reconstruct Method
The print and reconstruct method allows you to reconstruct a database. It first creates ASCII files, called print files, that contain
all accessible data in the database. Then, it reads the data in these files to construct a new database. If you cannot start a security server on the database host machine, you cannot use the print
and reconstruct method, but must use the check and fix method. (Note that before you run sec_salvage_db with the -print and -reconstruct options, you must stop the
security server.)
In addition to reconstructing the database, the print and reconstruct method has other uses. You can use it to:
· Make changes to the database by manually editing the print files created by the -print option and then reconstructing the database from the changed print files. This can be
especially useful for changing many user passwords, which may be necessary if the master key file is corrupted, or for re-adding data missing from a corrupted database.
· Obtain a listing of database contents.
· Copy databases between different platforms.
To use the print and reconstruct method, run sec_salvage_db first with the -print option and then with the -reconstruct option.
The -print option creates the ASCII print files from the registry database files. These files can be reviewed and edited to correct faulty information, such as name-to-UNIX ID mismatches or
missing data, or to update existing data. The -reconstruct option recreates the registry database files from the print files.
Because the -print option creates files containing all data in the database and the -reconstruct option recreates the database based on these files, you can use this method to move
a database to another machine or even another cell. For example, if you run sec_salvage_db -print on an uncorrupted database, you can then run sec_salvage_db -reconstruct and
specify a path name on a different machine for where the database should be created.
Editing the Print Files
To edit the print files, your entries must be in the following format:
field_name optional_white_space=optional_white_space value
Although you can leave spaces between the field name, the equals sign, and the value, field names and values cannot contain white space.
A sample group.prt file follows:
Record_Number = 7
Object_Type = ADMIN
Name = group/admin
UUID = 0000001b9-7b61-21cf-bd01-0800097086cb
Unix_ID = 441
Is_Alias_Flag = false
Is_Required_Flag = false
Projlist_Ok_Flag = true
Num_Attr_List_Entries = 0
Fullname =
Member_Name = admin_1
Member_Name = admin_2
Member_Name = admin_3
Foreign_Member_Name = /
/engobe/person1
Cell_UUID = 964dc902-7b54-11cf-b1ff-08000919bba7
Princ_UUID = 0000006a-7b54-11cf-bb00-08000919bba7
Foreign_Member_Name = /
/engobe/person10
Cell_UUID = 964dc902-7b54-11cf-b1ff-08000919bba7
Princ_UUID = 0000006a-7b54-11cf-bb00-08000919bba7
Obj_Acl_Def_Cell_Name = /.../abc.com
Num_Acl_Entries = 6
Obj_Acl_Entry = any_other:r-t-----
Obj_Acl_Entry = group:acct-admin:rctDnfmM
Obj_Acl_Entry = group_obj:r-t-----
Obj_Acl_Entry = other_obj:r-t-----
Obj_Acl_Entry = unauthenticated:r-t-----
Obj_Acl_Entry = user:cell-admin:rctDnfmM
Updating Entries
To update existing entries, simply supply a new value. For example, to update a principal's full name, the entry in the princ.prt file is
Fullname = fullname
The fullname variable is the principal's full name. The princ.prt file contains the following entry that allows you to update a principal's password in plain text:
Plaintext_Passwd =
This field does not display the principal's password. To update the password, simply enter the new one in plain text after the equals sign. When the database is reconstructed, the password is
encrypted and any keys derived from that password are regenerated and used to overwrite any existing encryption key entries.
To specify a NULL value, delete the existing value. For example, to specify a NULL value for a fullname in the princ.prt file, the entry is
Fullname =
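The entry format and the secret-bearing fields described on this page lend themselves to an automated check before edited print files are handed to -reconstruct or left on disk. The following is an added example, not part of the original manual page or of DCE: it assumes one entry per line and that a record begins at Record_Number; the function names, the SECRET_FIELDS selection (taken from the field descriptions on this page) and the sample data are constructed for illustration.

```python
import os
import re
import stat

# Fields that, per the field descriptions on this page, hold passwords or keys.
SECRET_FIELDS = {"Plaintext_Passwd", "Unix_Key", "Auth_Key",
                 "Master_Key", "Old_Master_Key"}

# field_name optional_white_space = optional_white_space value
# Names and values cannot contain white space; an empty value means NULL.
ENTRY_RE = re.compile(r"^\s*([A-Za-z_]\w*)\s*=\s*(\S*)\s*$")

# Constructed sample in the style of princ.prt (not real registry data).
SAMPLE_PRINC = """\
Record_Number = 1
Object_Type = PRINC
Name = alice
Unix_ID = 1001
Fullname =
Plaintext_Passwd =
Record_Number = 2
Object_Type = PRINC
Name = bob
Unix_ID = 1002
Fullname = Bob Example
Plaintext_Passwd = Chang3me
Auth_Key = 0123456789abcdef
"""


def parse_print_file(text):
    """Return (records, errors).

    records: list of records, each a list of (field, value) pairs in file
             order (a list, not a dict, because starred fields repeat).
    errors:  list of (line_number, line) for entries that break the format.
    """
    records, current, errors = [], [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        match = ENTRY_RE.match(line)
        if match is None:
            errors.append((lineno, line))
            continue
        field, value = match.groups()
        if field == "Record_Number" and current:
            records.append(current)      # a new record starts here
            current = []
        current.append((field, value))
    if current:
        records.append(current)
    return records, errors


def populated_secrets(records):
    """List (object_name, field) for secret fields with a non-NULL value.

    The values themselves are never returned, so the report is safe to log.
    """
    hits = []
    for rec in records:
        name = dict(rec).get("Name", "?")
        hits.extend((name, f) for f, v in rec if f in SECRET_FIELDS and v)
    return hits


def exposed_print_files(directory):
    """Return sorted relative paths of .prt files that group or other can access."""
    exposed = []
    for root, _dirs, files in os.walk(directory):
        for fname in files:
            if fname.endswith(".prt"):
                path = os.path.join(root, fname)
                if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
                    exposed.append(os.path.relpath(path, directory))
    return sorted(exposed)


if __name__ == "__main__":
    recs, errs = parse_print_file(SAMPLE_PRINC)
    for lineno, line in errs:
        print(f"line {lineno}: malformed entry: {line!r}")
    for name, field in populated_secrets(recs):
        print(f"{name}: {field} is populated")
```

Run exposed_print_files on the -prtpath directory so that both .mkey.prt and the rgy_print subdirectory are covered.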
Print File Fields and Values
The following lists describe the fields in the princ.prt, group.prt, org.prt, .mkey.prt, policy.prt,
rgy_state.prt, and replicas.prt files. In the lists, an * (asterisk) indicates a segment or field that can appear multiple times in succession; a + (plus sign)
indicates that if a stored UUID does not map to a name required for the field, the UUID is displayed.
The princ.prt File
The fields in the princ.prt file follow:
For all records:
Record_Number The sequential number of the record in the database.
Object_Type An indication of the type of object: PRINC=principal, DIR=directory.
Name Name of the object.
UUID Unique Identifier of the object.
For principals:
Unix_ID The principal's UNIX ID.
Is_Alias_Flag An indication of whether or not the principal name is an alias or a primary name: true=alias, false=primary.
Is_Required_Flag An indication of whether or not the principal is reserved: true=principal is reserved and cannot be deleted, false=principal is not reserved.
Quota The principal's object creation quota: a non-negative integer or unlimited.
Fullname The principal's full name: a text string.
Member_Name* The names of the groups to which the principal belongs.
Obj_Acl_Def_Cell_Name The default cell name of this principal's object ACL.
Num_Acl_Entries The number of entries in the principal's object ACL.
Obj_Acl_Entry*+ The contents of the principal's object ACL.
Acct_Group_Name The account's group name.
Acct_Org_Name The account's organization name.
Acct_Creator_Name The name of the principal who created this account.
Acct_Creation_Time The date and time the account was created in yyyy/mm/dd.hh:mm format. The first two digits of the year, the hours, and the minutes are optional.
Acct_Changer_Name The name of the principal who last changed the account.
Acct_Change_Time The date and time the account was last changed in yyyy/mm/dd.hh:mm format. (The first two digits of the year, the hours and the minutes are optional.)
Acct_Expire_Time The date and time the account expires or none for no expiration date. The date and time are in yyyy/mm/dd.hh:mm format. (The first two digits of the year, the hours and the minutes are optional.)
Acct_Good_Since_Time The date and time the principal's account was last known to be in an uncompromised state in yyyy/mm/dd.hh:mm format, or no for current time and date. (The first two digits of the year, the hours and the minutes are optional.)
Acct_Valid_For_Login_Flag An indication of whether or not the account can be logged into: true=account is valid for login, false=account cannot be logged into.
Acct_Valid_As_Server_Flag Indicates whether or not the account is a server and can engage in authenticated communication: true=account is a server, false=account is not a server.
Acct_Valid_As_Client_Flag Indicates whether or not the account is a client and can log in, acquire tickets, and be authenticated: true=account is a client, false=account is not a client.
Acct_Post_Dated_Cert_Ok_Flag Indicates whether or not tickets with a start time some time in the future can be issued to the account's principal: true=postdated tickets can be issued, false=postdated tickets cannot be issued.
Acct_Forwardable_Cert_Ok_Flag Indicates whether or not a new ticket-granting ticket with a network address that differs from the present ticket-granting address can be issued to the account's principal: true=account can get forwardable certificates, false=account cannot.
Acct_TGT_Auth_Cert_Ok_Flag Indicates whether or not tickets issued to the account's principal can use the ticket-granting-ticket authentication mechanism: true=tickets can use the ticket-granting-ticket authentication mechanism, false=they cannot.
Acct_Renewable_Cert_Ok_Flag Indicates whether or not tickets issued to the account's principal can be renewed: true=tickets can be renewed, false=tickets cannot be renewed.
Acct_Proxiable_Cert_Ok_Flag Indicates whether or not a new ticket with a different network address than the present ticket can be issued to the account's principal: true=such a ticket can be issued, false=such a ticket cannot be issued.
Acct_Dup_Session_Key_Ok_Flag Indicates whether or not tickets issued to the account's principal can have duplicate keys: true=account can have duplicate session keys, false=account cannot.
Unix_Key The account principal's encrypted UNIX password: ASCII string.
Plaintext_Passwd Stores the principal's password in plain text. This field is provided to allow principals' passwords to be changed. When the princ.prt file is processed by the sec_salvage_db -reconstruct option, this password is encrypted using UNIX system encryption. This encrypted password is then stored as the principal's encrypted UNIX password in the Unix_Key field.
Home_Dir The account principal's home directory: text string.
Shell The account principal's login shell: text string.
Gecos The account's GECOS information: text string.
Passwd_Valid_Flag Indicates whether or not the account principal's password is valid: true=password is valid, false=password not valid.
Passwd_Change_Time The date and time the account principal's password was last changed in yyyy/mm/dd.hh:mm format or now for the current date and time. The first two digits of the year, the hours and the minutes are optional.
Max_Certificate_Lifetime The number of hours before the Authentication Service must renew the account principal's service certificates: an integer indicating the time in hours or default-policy to use the registry default.
Max_Renewable_Lifetime The number of hours before a session with the account principal's identity expires and the principal must log in again to reauthenticate: an integer indicating the time in hours or default-policy to use the registry default.
Master_Key_Version The version of the master key used to encrypt the account principal's key.
Num_Auth_Keys The number of the account principal's authentication keys.
Auth_Key_Version* A list of the version numbers of the account principal's authentication key. The first version number on the list represents the current authentication key.
Auth_Key_Pepper* The pepper algorithm used for the account principal's key: a text string or blank to use the default pepper algorithm.
Auth_Key_Len* The length in bytes of the account principal's authentication key.
Auth_Key* The account principal's authentication key: hexadecimal string.
Auth_Key_Expire_Time* The date and time the account principal's authentication key expires or none for no expiration. Date and time are in yyyy/mm/dd.hh:mm format. (The first two digits of the year, the hours and the minutes are optional.)
For directories:
Obj_Acl_Def_Cell_Name+ The default cell name of the directory's object ACL.
Num_Acl_Entries The number of entries in the directory's object ACL.
Obj_Acl_Entry*+ The contents of the directory's object ACL.
Init_Obj_Acl_Def_Cell_Name+ The default cell name of the directory's initial object ACL.
Num_Acl_Entries The number of entries in the directory's initial object ACL.
Init_Obj_Acl_Entry*+ The contents of the directory's initial object ACL.
Init_Cont_Acl_Def_Cell_Name+ The default cell name of the directory's initial container ACL.
Num_Acl_Entries The number of entries in the directory's initial container ACL.
Init_Cont_Acl_Entry*+ The contents of the directory's initial container ACL.
The group.prt File
The fields in the group.prt file follow:
For all records:
Record_Number The sequential number of the record in the database.
Object_Type An indication of the type of object: GROUP=group, DIR=directory.
Name Name of the object.
UUID Unique Identifier of the object.
For groups:
Unix_ID UNIX ID of the group.
Is_Alias_Flag An indication of whether or not the group name is an alias or a primary name: true=alias, false=primary.
Is_Required_Flag An indication of whether or not the group is reserved: true=group is reserved and cannot be deleted, false=group is not reserved.
Projlist_Ok_Flag An indication of whether or not the group can be included in project lists: true=group can be included on project lists, false=group cannot be
included.
Fullname The group's full name: a text string.
Member_Name* The names of the group's local members.
Foreign_Member_Name The names of the group's foreign members.
Cell_UUID The UUID of the cell for the principal identified in Foreign_Member_Name.
Princ_UUID The UUID of the principal identified in Foreign_Member_Name.
Obj_Acl_Def_Cell_Name+ The default cell name of this group's object ACL.
Num_Acl_Entries The number of entries in the group's object ACL.
Obj_Acl_Entry* The contents of the group's object ACL.
For directories:
Obj_Acl_Def_Cell_Name+ The default cell name of this directory's object ACL.
Num_Acl_Entries The number of entries in the directory's object ACL.
Obj_Acl_Entry* The contents of the directory's object ACL.
Init_Obj_Acl_Def_Cell_Name+ The default cell name of the directory's initial object ACL.
Num_Acl_Entries The number of entries in the directory's initial object ACL.
Init_Obj_Acl_Entry*+ The contents of the directory's initial object ACL.
Init_Cont_Acl_Def_Cell_Name+ The default cell name of the directory's initial container ACL.
Num_Acl_Entries The number of entries in the directory's initial container ACL.
Init_Cont_Acl_Entry*+ The contents of the directory's initial container ACL.
The org.prt File
The fields in the org.prt file follow:
For all records:
Record_Number The sequential number of the record in the database.
Object_Type An indication of the type of object: ORG=organization, DIR=directory.
Name Name of the object.
UUID Unique Identifier of the object.
For organizations:
Unix_ID UNIX ID of the organization.
Is_Alias_Flag An indication of whether or not the organization is an alias or a primary name: true=alias, false=primary.
Is_Required_Flag An indication of whether the organization is reserved: true=organization is reserved and cannot be deleted, false=organization is not reserved.
Fullname The organization's full name: a text string.
Member_Name* The names of the organization's members.
Obj_Acl_Def_Cell_Name The default cell name of this organization's object ACL.
Num_Acl_Entries The number of entries in the organization's object ACL.
Obj_Acl_Entry*+ The contents of the organization's object ACL.
For organizations with policy:
Acct_Lifetime The period during which accounts for the organization are valid: an integer number representing days or forever.
Passwd_Min_Len The minimum length of the organization's password: a non-negative integer.
Passwd_Lifetime The span in days of the lifetime of the organization's password: an integer or forever.
Passwd_Expire_Time The date and time the organization's password expires in yyyy/mm/dd.hh:mm format. (The first two digits of the year, the hours and the minutes are optional.)
Passwd_All_Spaces_Ok An indication of whether or not the organization's password can consist of all spaces: true=can consist of spaces, false=cannot.
Passwd_All_Alphanumeric_Ok An indication of whether or not the organization's password can consist of all alphanumeric characters: true=can be all alphanumeric, false=cannot.
For directories:
Obj_Acl_Def_Cell_Name+ The default cell name of the directory's object ACL.
Num_Acl_Entries The number of entries in the directory's object ACL.
Obj_Acl_Entry*+ The contents of the directory's object ACL.
Init_Obj_Acl_Def_Cell_Name+ The default cell name of the directory's initial object ACL.
Num_Acl_Entries The number of entries in the directory's initial object ACL.
Init_Obj_Acl_Entry*+ The contents of the directory's initial object ACL.
Init_Cont_Acl_Def_Cell_Name+ The default cell name of the directory's initial container ACL.
Num_Acl_Entries The number of entries in the directory's initial container ACL.
Init_Cont_Acl_Entry*+ The contents of the directory's initial container ACL.
The .mkey.prt File
The fields in the .mkey.prt file follow:
Master_Key_Version The integer version of the master key.
Master_Key_Keytype Always des.
Master_Key_Length The length of the master key in bytes.
Master_Key The master key in hexadecimal string format.
The policy.prt File
The fields in the policy.prt file follow:
Rgy_Policy_File_Version An integer representing the version of the policy information.
Prop_Read_Version A number indicating the property records read version.
Prop_Write_Version A number indicating the property records write version.
Min_Certificate_Lifetime The minimum amount of time before the principal's ticket must be renewed in weekswdaysdhourshminutesm format (a number of weeks followed by w, days followed by d, hours followed by h, and minutes followed by m).
Default_Certificate_Lifetime The default lifetime for tickets issued to principals in this cell's registry in weekswdaysdhourshminutesm format (a number of weeks followed by w, days followed by d, hours followed by h, and minutes followed by m).
Low_Unix_ID_Principal The starting point for principal UNIX IDs automatically generated by the Security Service when a principal is added: an integer, which must be less than Max_Unix_ID.
Low_Unix_ID_Group The starting point for UNIX IDs automatically generated by the Security Service when a group is added: an integer, which must be less than Max_Unix_ID.
Low_Unix_ID_Org The starting point for UNIX IDs automatically generated by the Security Service when an organization is added: an integer, which must be less than Max_Unix_ID.
Max_Unix_ID The highest number that can be supplied as a UNIX ID when principals are created: an integer.
Rgy_Readonly_Flag An indication of whether or not the registry is read-only: true=read only, false=updateable.
Auth_Certificate_Unbound_Flag An indication of whether or not certificates are generated for use on any machine: true=yes, false=no.
Shadow_Passwd_Flag Determines whether encrypted passwords are sent over the network: true=encrypted passwords are not sent over the network, false=encrypted
passwords are sent over the network.
Embedded_Unix_ID_Flag Determines if UNIX IDs are embedded in person, group, and organization UUIDs: true=UNIX IDs are embedded, false=UNIX IDs are not embedded.
Realm_Name The full global path name of the realm running secd.
Realm_UUID The UUID of the realm running secd.
Unauthenticated_Quota The quota of unauthenticated users: a number or unlimited.
Acct_Lifetime The period during which accounts are valid: an integer number representing days or forever.
Passwd_Min_Len The minimum length of passwords: a non-negative integer.
Passwd_Lifetime The span in days of the password lifetimes: an integer or forever.
Passwd_Expire_Time The date and time the passwords expire in yyyy/mm/dd.hh:mm format. (The first two digits of the year, the hours and the minutes are optional.)
Passwd_All_Spaces_Ok An indication of whether or not passwords can consist of all spaces: true=can consist of spaces, false=cannot.
Passwd_All_Alphanumeric_Ok An indication of whether or not passwords can consist of all alphanumeric characters: true=can be all alphanumeric, false=cannot.
Max_Certificate_Lifetime The number of hours before the Authentication Service must renew service certificates: an integer indicating the time in hours or
default-policy to use the registry default.
Max_Renewable_Lifetime The number of hours before sessions expire and the session principal must log in again to reauthenticate: an integer indicating the time in hours or
default-policy to use the registry default.
Princ_Cache_State The timestamp of the principal cache.
Group_Cache_State The timestamp of the group cache.
Org_Cache_State The timestamp of the organization cache.
My_Name The cell-relative name of the security server.
Master_Key_Version The integer version of current master key.
Master_Key_Keytype Always des.
Master_Key_Length The length of the master key in bytes.
Master_Key The master key in hexadecimal string format.
Old_Master_Key_Version The version of the previous master key.
Old_Master_Key_Keytype Always des.
Old_Master_Key_Length The length of the previous master key in bytes.
Old_Master_Key The previous master key in hexadecimal string format.
Obj_Acl_Def_Cell_Name The default cell name of the policy object ACL.
Num_Acl_Entries The number of entries in the policy object ACL.
Obj_Acl_Entry*+ The contents of the policy object ACL.
The rgy_state.prt File
The fields in the rgy_state.prt file follow:
Rgy_State_File_Version The integer version number of the format of the rgy_state file.
Replica_State The state of the master registry: unknown_to_master, uninitialized, in_service, in_maintenance, closed,
deleted, or initializing.
Cell_UUID The UUID of the cell in which secd resides.
Server_UUID The UUID of this secd.
Initialization_UUID The UUID of the last initialization event.
Master_File_Version The version number of the master replica.
Master_Known_Flag An indication of whether or not the master replica is known to this replica: true=known, false=not known. Only if this field is true do the other master fields contain valid information.
Master_UUID The UUID of the master replica.
Master_Seqno The two-digit sequence number of the event when the master became the master in n.n format.
The replicas.prt File
The fields in the replicas.prt file follow:
Record_Number The sequential number of the record in the database.
Replica_UUID The UUID listed for the replica in the replica list.
Replica_Name The name of the replica as known to the Cell Directory Service.
Num_Towers The number of towers.
Tower_Length* The length of the next tower (in bytes).
Tower* The tower used to communicate with the replica (a byte stream that can be broken on word boundaries).
Propagation_Type An indication of whether the replica is initialized, initializing, in the process of being updated, or in the process of being deleted.
Initialization_UUID UUID of the last initialization.
Error Conditions
You receive the following error message if the default rgy_data directory is being used and there is an advisory lock on the rgy_state data file:
Registry: Error - database is locked. Put secd into maintenance mode or clear advisory lock on rgy_state file in db_pathname
The existence of the advisory lock implies that secd is in service. Use the sec_admin command to put secd in maintenance mode. If secd is not running, the advisory lock
may be the result of an ungraceful shutdown of secd. To remove the advisory lock, use the mv command to rename the dcelocal/var/security/rgy_data/rgy_state file,
and then change it back to its original name. Then rerun the sec_salvage_db command.