Cover V13, i12

Questions and Answers

Amy Rich

Q We have a number of systems that need the same modification to root's crontab file (security software that's being added to every machine). What's the best way to go about doing this with minimal effort?

A The answer to this question depends on whether you will be doing multiple machine modifications on a regular basis and want minimal up-front or long-term work, or whether you're just doing this as a one-off. If you're just doing it as a one-off, then you can whip up a shell script to iterate through the machines and scp the crontab file over and reload it, for example:

#!/bin/sh
# Push master.cron to each host, install it as root's crontab, and list
# the result. The remote commands are quoted as one string so that all
# of them run on the remote host rather than the last three running locally.
for i in host1 host2 host3 host4; do
  scp master.cron root@${i}:/location/to/crontab/file
  ssh root@${i} "chmod 0400 /location/to/crontab/file; \
    chown root /location/to/crontab/file; \
    crontab /location/to/crontab/file; \
    crontab -l"
done

The final crontab -l will verify that the correct crontab file is in place on the new machine. The syntax for various crontab commands may differ depending on your operating system. Also, your clients may not support scp'ing or ssh'ing in as root, so you'd have to change that or copy files over as a normal user and then later run a script as root to move them into place. Some operating systems also automatically recognize that the crontab has changed and do not require the reloading step.

If you're going to be making multi-machine changes on a regular basis, I suggest investing the time and effort up front to install software such as rsync if your needs are simplistic, or a configuration change management tool like cfengine if you want more fine-grained control.
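The scp-and-reload loop above assumes root logins and does nothing to stop a broken master file from being installed on every host at once. The following is an added example, not code from the column, that lints the master crontab before anything is pushed, stages it under a non-root login, installs it with sudo, and compares what crontab -l reports with the master. The "deploy" account, its passwordless sudo rule for crontab, and the host names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the column: lint a master crontab before it
# goes to every host, push it without logging in as root, and verify that
# crontab -l on each host reports the same entries as the master.
# Assumptions (this example's, not the column's): a "deploy" login on each
# host that may run "sudo crontab" without a password prompt; host names
# are placeholders.

# cron_lint FILE: return 0 if every entry looks like a crontab line
# (five numeric time fields and a command). Comments, blank lines and
# NAME=value lines are accepted; names such as "mon" and shortcuts such as
# "@daily" are rejected on purpose, because classic Solaris cron does not
# take them and a master file should work on every target.
cron_lint() {
  awk '
    BEGIN { bad = 0 }
    /^[ \t]*$/ || /^[ \t]*#/ { next }
    /^[ \t]*[A-Za-z_][A-Za-z0-9_]*=/ { next }
    {
      if (NF < 6) {
        printf "line %d: need 5 time fields and a command\n", NR; bad = 1; next
      }
      for (i = 1; i <= 5; i++)
        if ($i !~ "^[0-9*,/-]+$") {
          printf "line %d: bad time field %d: %s\n", NR, i, $i; bad = 1
        }
    }
    END { exit bad }
  ' "$1"
}

# cron_push MASTER HOST...: stage MASTER in the deploy user's home directory
# (not world-writable /tmp), install it as root's crontab via sudo, then
# compare what crontab -l reports with MASTER. Comment lines are dropped
# from both sides because some crontab implementations may prepend a
# header of their own.
cron_push() {
  master=$1; shift
  cron_lint "$master" || { echo "cron_push: $master fails lint; nothing pushed" >&2; return 1; }
  want=$(mktemp -t cronpush.XXXXXX) || return 1
  got=$(mktemp -t cronpush.XXXXXX) || return 1
  grep -v '^#' "$master" > "$want"
  rc=0
  for h in "$@"; do
    if ! scp -q "$master" "deploy@$h:root.cron.new"; then
      echo "$h: copy failed" >&2; rc=1; continue
    fi
    ssh "deploy@$h" 'sudo crontab root.cron.new && rm -f root.cron.new && sudo crontab -l' \
      > "$got.raw" || { echo "$h: install failed" >&2; rc=1; continue; }
    grep -v '^#' "$got.raw" > "$got"
    if cmp -s "$want" "$got"; then
      echo "$h: ok"
    else
      echo "$h: installed crontab differs from $master" >&2; rc=1
    fi
  done
  rm -f "$want" "$got" "$got.raw"
  return $rc
}
```

Run cron_lint on the master first; cron_push refuses to touch any host while it fails, which matters more than it sounds when the same mistake would otherwise land on every machine in the loop. The lint is deliberately strict about the time fields so that one master file works under both Vixie-style and classic Solaris cron.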

Q I have a few Sun servers and a number of Linux desktop clients. I'm trying to set up rsh so that the users don't have to type in their passwords when connecting between machines. Right now I have it working between Sun machines, between Linux machines, and connecting from a Sun machine to a Linux machine. When people try to connect from a Linux machine to a Sun machine, it prompts them for a password. I'm at a loss as to why everything else works, but not this one scenario. Is there an rsh compatibility issue between Solaris and Linux?

A To start, let me strongly advocate using a secure connection method like ssh, instead of rsh, so that your users are not sending sensitive information over the wire in the clear. That said, the most likely problem is that your entries in the .rhosts or /etc/hosts.equiv file on the Sun machines do not include the information being transmitted by rsh on the Linux machines.

Try rsh'ing from the Linux box to the Sun box and giving it a valid password. When you're logged in, run the command "who am i". Note the address from which you appear to be connecting. It could be a bare hostname, FQDN, or even an IP address. The information listed is what needs to be in the .rhosts and/or /etc/hosts.equiv files. If that information matches, then I'd suggest checking any pertinent log files and running truss against inetd on the Sun machine to see what it turns up.

Q I've just noticed that our mail server, running FreeBSD 4.10 and sendmail 8.12.11, has a large number of files in /var/mail that start with the name BOGUS. I'm guessing that we've been hacked, but this would seem like a weird change to make. Here's an ls of one of the BOGUS files from /var/mail to show what I mean:

-r--------   1 nobody   nobody        1 Sep 19 21:34 BOGUS.root.E
The content of each BOGUS file appears to be normal mail messages and nothing suspicious. Is this part of a rootkit? Has sendmail been hacked or something else?

A The first thing that strikes me as odd is that the files are owned by nobody. Are you NFS mounting your mail spool and/or delivery area? That's generally considered a very bad idea because you run into issues with file locking and, as it appears in your case, permissions. This setup is probably why you're running into issues and getting BOGUS files, not a break-in. I suspect you're running procmail as your local delivery agent and that the BOGUS files are a result of procmail's not being able to write to the mail file. Check the procmail log files for an error like the following (from the procmail man page):

Renaming bogus "x" into "x"
The system mailbox of the recipient was found to be bogus, 
procmail performed evasive actions.
The reason for the BOGUS files is also explained in the procmail man page:

If /var/mail/$LOGNAME is a bogus mailbox (i.e., does not belong to 
the recipient, is unwritable, is a symbolic link or is a hard 
link), procmail will upon startup try to rename it into a file 
starting with 'BOGUS.$LOGNAME.' and ending in an inode-sequence-code. 
If this turns out to be impossible, ORGMAIL will have no initial 
value, and hence will inhibit delivery without a proper rcfile.
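
The four conditions quoted from the procmail man page are easy to check directly. The following is an added example, not code from the column or from procmail, that applies those conditions to each mailbox in a spool directory so every BOGUS.* file can be explained by a concrete ownership or permission problem rather than by guessing at a break-in. It assumes, as on the questioner's FreeBSD system, that mailbox file names equal login names; a nobody-owned mailbox is consistent with NFS root squashing, which maps root's writes on an exported spool to nobody.

```shell
#!/bin/sh
# Added example, not code from the column or from procmail: apply procmail's
# own "bogus mailbox" rules (not owned by the recipient, unwritable, a
# symbolic link, or a hard link) to a spool directory.
# Assumption of this example: mailbox names equal login names.

# mailbox_bogus FILE USER: print why procmail would call FILE bogus for USER
# and return 1; print nothing and return 0 if it passes all four tests.
mailbox_bogus() {
  f=$1; u=$2
  if [ -L "$f" ]; then echo "$f: symbolic link"; return 1; fi
  if [ ! -f "$f" ]; then echo "$f: not a regular file"; return 1; fi
  # ls -ld fields: mode link-count owner group size ...; parsing ls is
  # portable across FreeBSD and Linux, where stat(1) flags differ.
  set -- $(ls -ld "$f")
  mode=$1; links=$2; owner=$3
  if [ "$owner" != "$u" ]; then echo "$f: owned by $owner, not $u"; return 1; fi
  if [ "$links" -gt 1 ]; then echo "$f: hard link (link count $links)"; return 1; fi
  case $mode in
    ??w*) ;;                                   # owner write bit is set
    *) echo "$f: not writable by owner (mode $mode)"; return 1 ;;
  esac
  return 0
}

# spool_audit DIR: run mailbox_bogus over every mailbox in DIR, skipping the
# BOGUS.* files procmail already renamed; return 1 if anything is wrong.
spool_audit() {
  rc=0
  for f in "$1"/*; do
    [ -e "$f" ] || [ -L "$f" ] || continue
    name=${f##*/}
    case $name in BOGUS.*) continue ;; esac
    mailbox_bogus "$f" "$name" || rc=1
  done
  return $rc
}

# Typical use on the questioner's system: spool_audit /var/mail
```

Run spool_audit against the spool on the server and, if it is NFS-mounted, against the same directory on the NFS server: if the report changes between the two views (ownership shown as nobody on the client, root on the server), the export's root mapping is the cause, and no rootkit is needed to explain the BOGUS files.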
Q I've recently inherited a division of our company that's running AIX 5 on their servers instead of Solaris, which our division runs. I'm responsible for keeping these machines up to date with security patches, and I am wondering whether there is anything available from IBM similar to Sun's patch club notifications. Also any Solaris -> AIX command translators you could point me to would be great.

A If you want listings of IBM's patches, take a look at:

https://techsupport.services.ibm.com/server/pseries.subscriptionSvcs
for the pSeries servers. If you have other hardware/software, look for something similar on one of the other support pages linked from:

http://www-1.ibm.com/servers/eserver/support/
For a general command translation reference, I'd suggest the UNIX Rosetta Stone at:

http://bhami.com/rosetta.html
Also read the AIX Reference for Sun Solaris Administrators Redbook at:

http://www.redbooks.ibm.com/abstracts/sg246584.html
Q I'm attempting to invoke a command from /etc/inittab on a Solaris 9 machine at boot time, but it doesn't seem to be working. Here's the /etc/inittab entry:

logc:2:once:/local/bin/logchart
I followed the syntax for the rest of the entries in the file, so I don't think that's the issue. I can run the command interactively and from a script called /etc/rc2.d/logcheck and it works fine. Any clue what the problem might be?

A It's difficult to tell whether your program is having issues due to the way it's run because you don't provide any further information. I suspect that your real problem is that you're not actually going to run level 2 in the first place. Unless you've specified booting to run level 2 or you've modified /etc/inittab to make the initdefault 2 instead of 3, then you're skipping over run level 2. Here's the default entry in the inittab:

is:3:initdefault:
Your program works when you execute it as a script from /etc/rc2.d because those scripts are also run as part of runlevel 3:

s2:23:wait:/sbin/rc2     >/dev/msglog 2<>/dev/msglog     </dev/console
If you want your program to behave similarly, then change your rstate to include runlevel 3 as well as runlevel 2:

logc:23:once:/local/bin/logchart
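
The same mistake is easy to repeat with the next entry, so it is worth checking the whole file rather than one line. As an added example, not code from the column, the following shell function reads an inittab-format file and reports every entry whose rstate field does not include the initdefault level, which is exactly how the original logc entry came to be skipped. It runs against any copy of the file, so it can be tried before touching /etc/inittab.

```shell
#!/bin/sh
# Added example, not code from the column: report inittab entries that will
# never run at the default run level because their rstate field excludes it.

# inittab_skipped FILE: print "id: rstate R excludes initdefault D" for each
# such entry; print nothing if every entry can run at the default level.
inittab_skipped() {
  awk -F: '
    /^[ \t]*#/ || NF < 4 { next }
    $3 == "initdefault" {
      # If several levels are listed, init uses the highest one.
      for (i = 1; i <= length($2); i++) { c = substr($2, i, 1); if (c > def) def = c }
      next
    }
    $3 == "sysinit" { next }     # sysinit entries run before initdefault is consulted
    $2 == "" { next }            # an empty rstate means every level
    { id[++n] = $1; rs[n] = $2 }
    END {
      if (def == "") { print "no initdefault entry in " FILENAME; exit 2 }
      for (i = 1; i <= n; i++)
        if (index(rs[i], def) == 0)
          print id[i] ": rstate " rs[i] " excludes initdefault " def
    }
  ' "$1"
}

# Typical use: inittab_skipped /etc/inittab
```

On a stock Solaris inittab the rc0, rc1, rc5, rc6 and rcS entries are reported as well, which is correct: they belong to other levels. The lines to act on are the ones you added yourself.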
Q I'm running OS X 10.3.5, and I have a bunch of jar files that came with the fink install of Mozilla. I'm trying to find one specific file in one of these jar files, but I don't want to have to unzip them all to find it. Is there a quick and easy way to get a listing of every file?

A Jar files are just zip files with a different extension. If you're looking for a specific file, then the easiest way would be to use find in conjunction with unzip in listing mode:

find /dir -name "*.jar" -exec unzip -qql {} "*filename" \; -print
For example, to find the file navigatorOverlay.xul to change key bindings, you'd execute the following:

find /sw/lib/mozilla -name "*.jar" -exec unzip -qql {} \
  "*navigatorOverlay.xul" \; -print
You want the * in front of the file name because you also want to match files in subdirectories. If you don't want to match files ending in navigatorOverlay.xul, then you could use two search terms instead of one, to catch both a top-level file and a file in a subdirectory:

find /sw/lib/mozilla -name "*.jar" -exec unzip -qql {} \
  "navigatorOverlay.xul" "*/navigatorOverlay.xul" \; -print

Q We run sendmail 8.12.11 in conjunction with cyrus-2.2.3 on our mail servers. The problem is that we're often hit by dictionary attacks, and sendmail doesn't know how to reject them because the users are not in the password file. Is there a way to have sendmail read the Cyrus user auth database instead of the password file when rejecting mail?

A Take a look at Andrzej Filip's page on real-time Cyrus integration at:

http://anfi.homeunix.net/sendmail/rtcyrus2.html
which uses a socket map or fstat map and FEATURE('mrs') to check the existence of Cyrus mail boxes. Since you're running sendmail 8.12 and not 8.13, you'll need the socket map patch:

http://www.sendmail.org/~ca/email/patches/sendmail-8.12.7-socketmap-v4.patch
if you choose to use the socket map method. There's also a patch to sendmail if you opt to use the fstat method:

http://anfi.homeunix.net/sendmail/fstat-8.12.11.patch.
Q I've just purchased a used Sun U60 and tried booting it. The machine booted ok, but during the boot, the screen remained black. I only got a video signal once the machine had finished booting and it was showing the CDE login screen. Since I don't have an account on the machine, I tried to boot off the CDROM. The machine powered on and I hit stop-a to halt the automatic boot. The monitor was still black, but I blind-typed boot -s cdrom. The machine accessed the CDROM drive, but I never got a display. At this point, I hooked up a serial console and rebooted off the CDROM, and it seemed to work just fine. Why would I get no video output on the monitor until the machine finished booting, but the serial console would report everything just fine? Is there a problem with my monitor, or the OBP code, or my framebuffer, or something else?

A I would guess that you have one of two problems. One problem could be that your console output is set to a device that you're not using, perhaps another framebuffer or one that got removed. While you have the serial terminal hooked up, run eeprom and check the output-device. The second issue could be that your monitor can't/won't sync to the resolution provided by the OBP. Again, check the output-device variable and modify it as needed.

Q We have a large number of identical FreeBSD 4.10 machines that we need to roll out. I don't really want to run them all through the network installation, especially since I'm concerned that things on the mirrors may change between the time we install the first server and subsequent ones. Is there a better way to get a large number of identical machines?

A If you still want to do the install, you could keep a local image and not make changes to it until you're ready, rather than using the images on the FreeBSD servers. Conversely, you can install one machine and then dump and restore the data to new boot disks for your other servers. You can also use something like ghost for UNIX, g4u, to create a disk image that you can pull from your new servers:

http://www.feyrer.de/g4u/
Q I'm writing a shell script to generate in-addr.arpa addresses from a list of A records. I've thought of doing this with rev, but that gives me a mirror reverse of the IP, not a reverse of the dotted quad. Any suggestions?

A The easiest way to do this is just change the IFS to . and echo the dotted quads back out in the reverse order:

#!/bin/sh
# revip.sh - reverse an IP (no error checking)

OLDIFS=${IFS}
IFS='.'

while read a b c d; do
  echo "${d}.${c}.${b}.${a}"
done

IFS=${OLDIFS}
Call this script with a file of IP addresses, one per line, as the input or echo a single IP and pipe it to the script:

./revip.sh < /path/to/ipfile
echo 192.168.0.1 | ./revip.sh
You would want to add some more error checking to this script to make sure that the input is actually one or more valid IPs.
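
The column leaves that validation to the reader. As an added example, not the column's code, here is a version that turns the reversal into a complete in-addr.arpa PTR owner name and rejects anything that is not a dotted quad: the wrong number of octets, non-digit characters, empty octets, values above 255, and octets with leading zeros (which some resolvers read as octal and which would produce a different label in the zone file).

```shell
#!/bin/sh
# Added example, not code from the column: reverse a dotted quad into its
# in-addr.arpa name, with the input checks the column's revip.sh omits.

# rev_ip ADDR: print the PTR owner name for ADDR, or print a diagnostic on
# stderr and return 1 if ADDR is not a valid IPv4 address in dotted-quad form.
rev_ip() {
  addr=$1
  # Only digits and dots; no leading, trailing or doubled dots.
  case $addr in
    *[!0-9.]*|.*|*.|*..*) echo "rev_ip: malformed address: $addr" >&2; return 1 ;;
  esac
  old_ifs=$IFS
  IFS=.
  set -- $addr
  IFS=$old_ifs
  [ $# -eq 4 ] || { echo "rev_ip: need four octets: $addr" >&2; return 1; }
  for o in "$@"; do
    # "0" is fine; "01" or "007" is rejected as ambiguous (octal in some
    # resolvers) and as a different label from "1" in a zone file.
    case $o in 0[0-9]*) echo "rev_ip: leading zero in octet '$o' of $addr" >&2; return 1 ;; esac
    [ "$o" -le 255 ] || { echo "rev_ip: octet $o > 255 in $addr" >&2; return 1; }
  done
  echo "$4.$3.$2.$1.in-addr.arpa"
}

# rev_ip_file FILE: one address per line. Bad lines are reported and
# skipped, and the exit status is 1 if any line was rejected, so a zone
# build driven by this output can stop instead of shipping a bad record.
rev_ip_file() {
  rc=0
  while IFS= read -r line || [ -n "$line" ]; do
    rev_ip "$line" || rc=1
  done < "$1"
  return $rc
}

# Typical use: rev_ip_file /path/to/ipfile   or   rev_ip 192.168.0.1
```

The IFS trick from revip.sh is kept, but only after the address has passed the pattern check, so field splitting can never be fed something other than four digit strings.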

Q Do you know of any encrypted filesystem implementations for Solaris 8? I know of things that run on BSD/OS X, but I can't seem to find anything similar for Solaris, and I really want to protect my data.

A I'm not aware of any OS-level support for encrypted filesystems, especially on something as old as Solaris 8. Some time ago, Matt Blaze wrote an encrypting filesystem add-on, CFS, that does work under Solaris 8, I believe. It's now unsupported, but it may fit the bill until something better comes along. Take a look at:

http://www.crypto.com/software/
for the software and his papers on the topic.

Amy Rich, president of the Boston-based Oceanwave Consulting, Inc. (http://www.oceanwave.com), has been a UNIX systems administrator for more than 10 years. She received a BSCS at Worcester Polytechnic Institute, and can be reached at: qna@oceanwave.com.