Article

Questions and Answers

Bjorn Satdeva

First some loose ends from an earlier column. On the subject of sharing files between SunXX architectures, James Hutchinson writes:

Only a few files need to be saved to make this move; all you really need to do is backup everything from the sun4m system, and then pick up the /kernel and /usr/platform dirs from a sun4u system. Restore first the sun4m stuff first, then apply the sun4u stuff over the top, making sure you delete the dir trees for /kernel and /usr/platform. Also it's important to note that an Ultra I and an UltraII and Ultra5/10 use different drivers to boot from - actually, different hardware. Ultra1 uses the single-ended ESP driver, Ultra II uses the FAS fast wide driver, and I forget what Ultra5/10 uses. This requires copying the required driver into the /kernel/drv dir.

After finishing the above, delete the /dev and /devices dirs and then use drvconfig, devlinks, and disks (in that order) to rebuild the /dev and /devices trees.

On another topic, spam email is becoming an increasing problem; and spam filters are more and more common. However, unless they are implemented with great care, they can cause trouble. Last week, one site, for whatever reason, decided that sysadmin.com was a spam site. I don't know how they came to that conclusion, because we simply do not do any kind of spam. Normally, I would not have cared much, but in this specific case, the remote site is the home of the list maintainer of several very large mailing lists running on one of our servers. When the spam filter was put in place, any mail to the list maintainer was returned to the list, which in turn decided it was suspicious mail and forwarded it to the list maintainer for inspection. In other words, a mail loop was established, resulting in queues and log files filling up beyond their capacity. Unintentionally, the remote site had effectively created a denial of service attack on the mailing lists, and the list server had to be shut down until the whole mess was straightened out.

What really bothered me, though, was that the site started blocking all mail from us, without first contacting us or in any way notifying us of what they intended to do. To me, this seems like a serious procedural error.

Rather than blocking mail from anybody who might send spam mail, we could make reverse lookups on all incoming mail, and refuse to receive mail from nonexistent domains. If we also put on shields that prevent remailing, then it will take care of some of the problem. It will undoubtedly be necessary to block notorious spammers too, but that, I think, should be done with great care and according to well-thought out policies.

I'm an avid reader of your monthly column in Sys Admin. I find both the questions and answers to be both thoughtful and accurate. I also have a question. I am an administrator for several large-scale Sun Solaris servers and have been looking for a secure ftp (with both anonymous and UID login), which provides directory security and such similar to the shareware wftpd for Windows. I have seen a number of packages that accomplish this; however, I can't decide which is best for this environment. Do you have any ideas? I'd be willing to look at something shareware, but would prefer something I could buy with confidence.

When you talk about a secure ftp server, I am assuming that you want to establish the server in a manner that does not provide a way for an intruder to gain unauthorized access.

First of all, you will need to plug all the security holes in your operating system. Depending on the vendor and type of OS, that can be a major job. Personally, I prefer to use a BSD 4.4 system for this purpose, as I have the sources, and the kernel is a lot simpler than the SVR4 counterpart. It does not matter how much work you do to secure the anonymous ftp, if the underlying OS is easy to penetrate.

Setting up a secure ftp server is not too difficult. You will need to download the Firewall Toolkit from ftp.tis.com, which contains instructions for how to get to the hidden source.

The documentation shows you how to configure the Firewall Tool Kit ftp proxy as a front end to your ftp daemon. This is important because the tool kit can be configured to do a chroot. This command creates a small compartment where only the software inside the compartment can be accessed. This will ensure that even if an intruder is successful in penetrating ftp, they will not be able to get to the rest of the machine. You will also need to compile and static link the ftp daemon and the ls program so it can be used without access to the dynamically loaded libraries.

I know that some version of the ftp daemon is doing a chroot of their own. If your ftpd is capable of doing that, I suggest you use that facility, as well as use the ftp proxy from TIS. While the ftpsd chroot is not 100% reliable, it does add an extra layer that must be penetrated by the intruder.

Once ftp is set up as I have described above, you will need to supply all the configuration files used into the chroot'ed directory. That includes a version of the passwd file (with only user ftp) and group file, as well as the resolver file (/.etc/resolv.conf).

How do I enable users to mount and umount a cd-rom without root access?

Some operating systems allow you to do this under certain conditions. However, if you want a generalized situation where the users can do just that, the op program can be configured to do so. It is available at:

ftp://ftp.sysadmin.com/pub/admin/usenet/comp.sources.unix/ \
volume26/op

Can we assign multiple IP addresses to a single interface?

Yes, you can do this in most versions of UNIX by using an alias argument to ifconfig. Depending on the version of your OS you might only be able to add a single IP address, for others you can add several. Unfortunately, the syntax varies widely between different versions of UNIX. In many versions, you actually use the keyword "alias" in a second ifconfig line. Check the man page for ifconfig on the system where you want to do this.

On an HP-UX machine, how can you turn off the banner page from the command line when using lp?

I don't think this is possible. You will need to change the configuration of lp to achieve this. I must admit that I do not understand why you want to do this from the command line. The banner page is inserted to show where one print job stops and the next one starts, and is not intended to be something which under user control. If you are the only user of the printer, and do not want to use paper for the banner pages, then why not reconfigure lp?

I am using HP-UX. If I type ls, the machine starts to boot. What is the problem? Could you please help me out?

This one is new to me. The ls program should not be able to do this. Either your machine is severely brain damaged and should be reinstalled, or somebody has played a joke with you and is causing you to execute a different program. Try to do an ls using its complete path name, (i.e., /bin/ls), and see if you get the same result.

If not, check your search path and aliases to see if you are getting another program called ls. If /bin/ls is really the one who creates the behavior you describe, reinstall the original from your installation media (not from a backup tape). If this does not help, you will probably need to reinstall the machine.

I am a stupid newbie and need to solve this. I am trying to move files between two UNIX systems and keep all permissions. Someone said to use tar but I can't make it work.

First of all, I have to object to the implication that being a newbie means you are stupid. All of us started there, and we're all still learning.

As for getting tar to work here, you need to do a few things on the system where you are doing the restore. First of all, make sure you are root; if not, tar will restore the files as owned by the user who does the restore. There are some very good security reasons for this behavior. Second, make sure that your umask is set to 000, so all permissions are set as they are on the tape. Finally, make sure you use the -p option to tar (if it has it); this option tells tar to preserve the files User Id, Group Id, file mode, and access/modification times.

If you do the above, you should have covered all bases. However, depending on your version of tar, you might not need everything. Try to experiment with a small archive, and see what happens.

If one of the machines trusts the other, then the transfer can be performed easily over the network. Below is an example of how /usr/local/bin can be transferred in this manner.

rsh machine "cd /usr/local/bin; tar -cvf - ." | tar -xvpf -

Good luck. If you hang in there, you'll soon be one of the people who has the answers.

Following is the printcap (not shown), on my print server. The problem is: the printer prints the converted postscript file (converted to dj form) but does not print a simple text file that has more than one line of text.

You will need to put software in place that can recognize when the text is not postscript, and step in and make the conversion from plain ascii to postscript. There are a number of commercial packages available that can do this, and probably several freeware packages. The one I have used for years is called pfs, and can be found at:

ftp://ftp.sysadmin.com/pub/admin/usenet/comp.sources.misc/ \
  volume27/psf3

There are four patches for the above. The first two can be found at:

ftp://ftp.sysadmin.com/pub/admin/usenet/comp.sources.misc/ \
  volume28/psf3

The third can be found at:

ftp://ftp.sysadmin.com//pub/admin/usenet/comp.sources.misc/ \
  volume30/psf3

And, the fourth patch can be found at:

ftp://ftp.sysadmin.com/pub/admin/usenet/comp.sources.misc/ \
  volume35/psf3

How can I convince our company's MIS department to give me access to files that I need to improve the system for our users?

This is a tough one. This is a policy problem; and without knowing a lot about the corporate environment of your site, it is nearly impossible to give any general advice.

However, in situation such as this, your best chance is to show the cost benefit of the changes. That is, how much money will your organization save over a period of time, such as one or five years, if your proposed changes are put in place.

It is important to understand that most MIS departments are based in the old mainframe culture, and their idea of modern computing is often based on Microsoft or Novell. They often do not understand UNIX, and are not willing to spend any time to learn about it. Microsoft's strong point is marketing, and they have managed to obtain a major market share with what, in my opinion, is inferior software and systems. Still, it may be difficult to show an MIS department that better and more reliable solutions are available. Perhaps in their experience, UNIX is unreliable, because they have tried to run UNIX systems with people who do not have the appropriate background.

The exact scenario in your environment may be different, but unless you understand where the MIS people are coming from, and try to address their concerns and fears, it will be nearly impossible for you to do anything at all.

I know I haven't been in this business quite as long as you (only eight-plus years), but it seems to me that nslint and dnswalk, although useful DNS debugging tools, both have one critical flaw - they require you to be able to do zone transfers. If you've secured your nameservers so that only your known secondaries can pull zone transfers from them, it is impossible to debug DNS problems from anywhere but your primary and secondary nameservers.

The only DNS debugging tool I know of that doesn't have this problem is "doc - Domain Obscenity Control". Of course, I am somewhat biased towards it, since I took over maintenance of this tool from Steve Hotz and Paul Mockapetris. Nevertheless, when it comes to debugging DNS structure problems, I find it to be a very valuable tool, although not a replacement for dnswalk or nslint, since the latter can both do things as a result of looking at the entire contents of the zone.

However, if nslint is considering the existence of multiple IP addresses for a name to be an "error", then I think it needs a significant rewrite. In this day and age of multi-homed and virtual hosts, such silliness is less than useless because it amounts to crying wolf. There's no sense in having this default to be an error or even a warning - maybe a notice or info, but nothing more serious.

One of the very nice things about UNIX is that it allows us to do the same thing in many different ways. If doc works for you, there is no reason to switch to another checker.

I like nslint because it is a single program, which performs the checks quickly and efficiently. More important though, is the fact that doc requires access to the root servers. I run behind a firewall that uses forwarders and proxies without any direct Internet access, which means that I cannot use doc. This does not make doc a bad tool, it just makes it inappropriate to use here.

I do, however, want to address your point of the need for zone transfers. I use nslint for domains that I am responsible for, thus, I can always set it up so that is not an issue. If somebody else wants to use either tool on my nameservers, they will not be able to, because I use a split nameserver approach. No tool will therefore be able to get to the bulk of my nameserver configuration from the outside.

I'm rather a new user/Solaris x86 admin. but I'm running into a problem. Solaris x86 comes in a raw state, and I would like to know if there is a standard where to install applications, such as compilers, shells, email client, and browers. The executables are no problem (just throw them in a bin directory), but what about the configuration and source files?

I would like to recommend to you, as strongly as possible, NOT to drop any binaries into the standard bin directories. Sooner or later, you will need to upgrade your OS, and during that process you are likely to lose your local additions. A common way of installing local additions is to create a /usr/local, and below that create necessary directories, such as bin, etc, libs, and man.

I will also recommend that you make /usr/local a mountable directory, which again will come in handy when you upgrade, as you can protect your local directory by simply having it unmounted during the upgrade. You will still need to have a good backup of everything on your system.

The exception to the above is for pre-existing packages, which are expected to live in specific places. For example, sendmail and configuration files should go into /etc with the standard configurations files. Whatever you do, /etc will always need some special loving care when you upgrade a system. As always, it is important to think ahead, and choose solutions that will work best over time. I know that as a new system administrator that can be very difficult. But regardless of the amount of experience you have, learn from your mistakes and attempt to make it better next time around.

How do I ask the cron job, which does weekly backup, to send mail to a particular ID after successful completion of the backup. I am using dump level 0 for weekly backups?

You can use a pipe to mail in the command line part of the cron table. This will email you the output of the command. If you want the mail to be dependent on the execution status information of the job, you are better off writing a small Perl or shell script that does what you want. But please be careful. Over the years, I have seen a lot of homegrown backup scripts, and a common mistake was that they did not do exception handling correctly, resulting in situations where backup failures went undetected by the system administrators for months.

I recommend that you consider a backup management package such as Amanda. Amanda is not perfect, but it does a much better job than most people can do with shell or Perl scripts in a few weeks.

Will sendmail security problems be solved soon? Who is working on it?

The short answer is probably never. Computer security and security fixes are in an arms race with the system intruder community. sendmail is solving a very complex set of problems, many of which require root access in order to be performed. Some people solve the problem by replacing sendmail with a different mail agent. In my opinion, this is security through obscurity. Any other mail agent, which will get the same kind of usage sendmail has today, will be placed under intense scrutiny by intruders looking for weaknesses in design or implementation, resulting in security flaws being found and utilized.

Older versions of sendmail have many such security flaws. A few years back, Eric Allman, the author of the original sendmail package took a renewed interest in sendmail and has made many redesigns, improvements, and security enhancements. It is now much more difficult to break into a system or get root access to the local system if a current version of sendmail is installed (currently version 8.8.8). If you need additional security, such as on a firewall or a very large mail server, I recommend that you install smap from the TIS firewall tool kit. This will implement a wrapper around sendmail, which makes it extremely difficult for an intruder to gain access through that avenue.

We have two HP9000 units. What are the best tools for monitoring the load of the units, and is there a tool that will notify the sys admin of a runaway process?

The main tool is ps. Run it on a regular basis and get to know what is normal for each machine. Over time you will gain a familiarity with each machine that an automated tool will be unlikely to provide. Also, the uptime or w command will give you a number called the load average. Either of these two commands will display the current time, the length of time the system has been up, the number of users, and the load average of the system over the last 1, 5, and 15 minutes. The load average is a more or less arbitrary number, which gives the number of jobs in the run queue averaged over 1, 5, and 15 minutes, and the value is not comparable between systems. However, when you know what the normal load average is for your system, you will be able to spot and fix anomalies, such as runaway jobs.

Also, all modern versions of UNIX have per process limits that prevent a single process from hogging all the machine resources. If you still have to troubleshoot a machine that has become unbearably slow due to high load, you can, as a superuser, increase your job priority with the nice program. By default, a job is running with a priority of 10. A higher number means lower priority. Likewise, the superuser can get higher priority by using a lower number. Therefore, a nice 0 will give you higher priority than the other running processes, and thus a bigger piece of the pie in terms of CPU time.

What is the major difference between sed and awk?

sed is a streaming editor, which provides a way of editing files in batch more. It was originally developed for editing large files in an early version of UNIX, probably version five or six.

awk is a pattern scanning and processing language named for its three authors Aho, Weinberger, and Kernighan. Like sed, it is a very old tool and has lost much of its use for new implementation of new tools.

Today, both sed and awk have been superseded by Perl, which contains nearly all of the functionality of both awk and sed, in addition to being a complete programming language. Unless you have a special situation that requires you to use or learn awk and sed, you will be much better off learning and using Perl. Besides better overall functionality, Perl allows you to write better, clearer code. It is often difficult, even for skilled awk programmers, to understand old awk and sed scripts. n

Additional Questions and Answers, moderated by Jim McKinstry of Sprint Paranet, can be found on our Web site: www.samag.com.

About the Author

Bjorn Satdeva is the president of /sys/admin, inc., a consulting firm which specializes in large installation system administration. Bjorn is also co-founder and former president of Bay-LISA, a San Francisco Bay Area user's group for system administrators of large sites. Bjorn can be contacted at /sys/admin, inc., 2787 Moorpark Ave., San Jose, CA 95128; electronically at bjorn@sysadmin.com; or by phone at (408) 241-3111.