Cover V12, i12

Questions and Answers

Amy Rich

Q I'm on a Solaris machine running 5.8, and I'm trying to capture some information with ps. Something keeps going awry with a job in the middle of the night, and I want to verify which arguments were passed to the command. I've been using ps -ef, but that seems to truncate the output.

A /usr/bin/ps shows the command line the kernel recorded at exec time (the psargs field of /proc/<pid>/psinfo), which holds at most 80 characters; anything past that is simply cut off. The other caveat is that the arguments in that field are separated by single spaces, so an argument that itself contains spaces cannot be told apart from two arguments.

If you've installed SUNWscpu (plus SUNWscpux on a 64-bit kernel), try /usr/ucb/ps. Its w flags are cumulative, and /usr/ucb/ps auwww prints the full argument list. It reads the argument vector out of the process's own address space through /proc, so what you get is the argv the process currently holds; programs like sendmail overwrite their argv to display status, so this may not be exactly what was passed, either.

Solaris 9 adds pargs (in SUNWesu, plus SUNWesux for 64-bit), which examines a process or core file and prints its arguments (pargs pid) or its environment (pargs -e pid). It, too, reads the process image, so the caveat about rewritten arguments still applies. If the job is started from cron or a script, the most dependable record is a wrapper that logs "$@" to a file before exec'ing the real command; that preserves the quoting that every variant of ps loses.

Q I'm running BIND 9.2.2, and I'm trying to lock down security on my zones via the named.conf configuration file. I want to ensure that transfers are only allowed from hosts that match a certain IP and that have a matching TSIG key. I can easily do one or the other, but I can't seem to AND them together. Here's a snippet of my config file:

include "keys.txt";

acl slaves {
  10.2.1.1;
};

acl notslaves { ! slaves; };

options {
  directory "/etc/named";
  listen-on { 10.1.1.1; };
  allow-transfer { ! notslaves; key tsigkey; };
};
So, based on this, zone transfers should happen only if the request comes from 10.2.1.1 and has the correct TSIG key. What I see is that 10.2.1.1 can transfer without a TSIG key. If I reverse the order to:

allow-transfer {  key tsigkey; ! notslaves; };
then anyone with the key can initiate a transfer. How do I AND them so that BOTH are required?

A BIND evaluates the elements of an address match list in order and stops at the first one that matches. A plain element that matches allows the request, a negated element that matches denies it, and a nested acl that matches only negatively counts as no match for the element that references it (so "!" applied to a nested acl cannot turn into a surprise positive through double negation). In your original config, notslaves never matches positively for anyone, so "! notslaves" never denies anyone and every holder of the key gets through. If you rewrite notslaves so that it matches every address except 10.2.1.1 positively, "! notslaves" rejects everyone else outright, while 10.2.1.1 falls through to the key check:

include "keys.txt";

acl slaves {
  10.2.1.1;
};

acl notslaves { ! slaves; any; };

options {
  directory "/etc/named";
  listen-on { 10.1.1.1; };
  allow-transfer { ! notslaves; key tsigkey; };
};
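To see why the reordered acl does the AND and the original one does not, here is a small model of the evaluation rules described above. It is an added example, not BIND's code and not part of the column; it assumes exactly the rules stated in the answer (first match wins, a negated match denies, a nested acl that matches negatively counts as no match), and the addresses and key name are the ones from the question.

```python
"""Model of how BIND 9 evaluates an address match list.

Assumed rules (an illustration of the semantics, not BIND's own code):
  * elements are tried in order and the first one that matches decides;
  * a plain element that matches gives a positive match (allow);
  * a negated element that matches gives a negative match (deny);
  * a nested acl that itself returns a negative match is treated as
    "no match" by the element referencing it.
"""
import ipaddress

MATCH, NOMATCH, NEGMATCH = 1, 0, -1


def element_matches(elem, addr, key, acls):
    """True if a single (un-negated) element matches the request."""
    kind = elem[0]
    if kind == "any":
        return True
    if kind == "net":                       # "10.2.1.1" or "10.0.0.0/8"
        return addr in ipaddress.ip_network(elem[1], strict=False)
    if kind == "key":                       # "key tsigkey;"
        return key == elem[1]
    if kind == "acl":                       # reference to a named acl
        # only a positive match of the nested list counts
        return match_list(acls[elem[1]], addr, key, acls) == MATCH
    raise ValueError("unknown element %r" % (elem,))


def match_list(elements, addr, key, acls):
    """Evaluate an address match list: MATCH, NEGMATCH or NOMATCH."""
    for negated, elem in elements:
        if element_matches(elem, addr, key, acls):
            return NEGMATCH if negated else MATCH
    return NOMATCH


def transfer_allowed(acls, allow_transfer, addr, key=None):
    """The decision named.conf would make for allow-transfer."""
    return match_list(allow_transfer, ipaddress.ip_address(addr), key, acls) == MATCH


# Elements are (negated, element) pairs.  Reader's original config:
#   acl slaves { 10.2.1.1; };  acl notslaves { ! slaves; };
ORIGINAL_ACLS = {
    "slaves": [(False, ("net", "10.2.1.1"))],
    "notslaves": [(True, ("acl", "slaves"))],
}
# Corrected config:  acl notslaves { ! slaves; any; };
FIXED_ACLS = {
    "slaves": [(False, ("net", "10.2.1.1"))],
    "notslaves": [(True, ("acl", "slaves")), (False, ("any",))],
}
# allow-transfer { ! notslaves; key tsigkey; };   (same in both)
ALLOW_TRANSFER = [(True, ("acl", "notslaves")), (False, ("key", "tsigkey"))]


def decisions(acls):
    """Decisions for the four interesting requests, keyed by (addr, key)."""
    cases = [("10.2.1.1", "tsigkey"), ("10.2.1.1", None),
             ("10.9.9.9", "tsigkey"), ("10.9.9.9", None)]
    return {c: transfer_allowed(acls, ALLOW_TRANSFER, *c) for c in cases}


if __name__ == "__main__":
    for name, acls in (("original", ORIGINAL_ACLS), ("fixed", FIXED_ACLS)):
        print(name)
        for (addr, key), ok in decisions(acls).items():
            print("  %-10s key=%-8s -> %s" % (addr, key, "ALLOW" if ok else "deny"))
```

With the original acls the model allows a transfer from 10.9.9.9 as long as it carries the key; with the corrected acls only 10.2.1.1 with the key is allowed. The same corrected list can be written inline, without a named acl, as allow-transfer { !{ !slaves; any; }; key tsigkey; };.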
Q I'm running sendmail 8.12.9 on Solaris 9. I've been adding some anti-spam measures to my mc file, but I'm having issues getting this one to work as expected.

FEATURE(`dnsbl', `proxies.blackholes.easynet.nl', `"550 5.7.1 Open Proxy Server "$&(client_name)" DENIED by easynet DNSBL see http://proxies.blackholes.easynet.nl/errors.html"', `')dnl
The mail is rejected as expected, but I'm getting an error in my log file:

Oct 23 17:03:12 mailhub.my.domain sendmail[3102]: [ID 374821 mail.crit] \
h82IJEeM023344: SYSERR(root): rewrite: map client_name not found
Oct 23 17:03:12 mailhub.my.domain sendmail[3102]: [ID 374821 \
mail.notice] h82IJEeM023344: ruleset=check_relay, \
arg1=cpe-066-056-232-106.ec.rr.com, arg2=66.56.232.106, \
relay=cpe-066-056-232-106.ec.rr.com [66.56.232.106], reject=550 \
5.7.1 Open Proxy Server)DENIED by easynet DNSBL see \
http://proxies.blackholes.easynet.nl/errors.html
I double-checked the documentation, and client_name should be a valid variable from which I can extract information. Why is sendmail refusing to give me the name/address of the offending host?

A Your problem is that you used parentheses instead of braces around client_name. A one-character macro name can follow $& directly, but a multi-character name such as client_name must be wrapped in braces; $( is sendmail's map-lookup operator, which is why the log complains about a map named client_name rather than about a macro. You want "$&{client_name}", not "$&(client_name)". The same applies anywhere else you reference ${client_name}, ${client_addr}, or the other long-named macros.

Q I've just acquired a Sun Blade 100 that I'm setting up as a headless box in the machine room. Sun's default serial baud rate is 9600, but I know it can go up to 38400. I've tried changing this in /etc/ttydefs, but it doesn't seem to work properly. I know it's not the other end (a console server), because I can get other machines to connect to the exact same port at the higher speed, and I can get the Sun to connect to the port at 9600.

A To begin, I recommend against setting the console speed to something non-standard unless you're documenting it well. You don't actually list what errors or incorrect behavior you experienced, but there are multiple places where the console speed must be changed so that the serial port speed is consistent throughout all of the states the machine could be in.

You said you've changed /etc/ttydefs, which should now have:

console:38400 hupcl opost onlcr:38400::console
instead of:

console:9600 hupcl opost onlcr:9600::console
This modifies the port speed after the machine is done booting and init spawns ttymon. At any point before this, you're still going to be at the wrong speed.

You must also change the OpenBoot ttya-mode setting so that the serial port speed is correct before the kernel loads (while you're at the OBP, for example). From a running system:

eeprom ttya-mode=38400,8,n,1,-
You can also drop to the OBP and set it there with:

setenv ttya-mode 38400,8,n,1,-
Additionally, /kernel/drv/options.conf and /etc/ioctl.syscon hold the console settings in stty -g format. The former applies after the kernel is loaded, the latter after init starts but before ttymon is spawned. The easiest way to change these two files is to modify /etc/ttydefs and the eeprom data first and then reboot. Next, log in as root on the console, making sure that root has no stty settings in any of its login resource files, and save the current settings by running:

/usr/bin/stty -g > /tmp/stty
Create backup copies of /kernel/drv/options.conf and /etc/ioctl.syscon. In /kernel/drv/options.conf, replace the string between the quotes on the ttymodes line with the contents of /tmp/stty. The stock line looks like this; note that its third field (the cflag) is bd, which still encodes 9600 baud, so the string you captured after the reboot should differ there:

ttymodes="2502:1805:bd:8a3b:3:1c:7f:15:4:0:0:0:11:13:1a:19:12:f:17:16";
You can then just mv /tmp/stty over the old /etc/ioctl.syscon. To make sure that everything was modified correctly, power off the machine with init 5 and then watch the boot sequence after the machine is powered back on; the console should stay readable through the OBP banner, the kernel messages, and the login prompt.
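Because the speed has to agree in four places, it is worth checking them before the reboot rather than discovering a mismatch as garbage on the console. The following decoder is an added example, not part of the column or of Solaris; it assumes that Solaris stty -g emits iflag:oflag:cflag:lflag:cc... in hex and that the termios cflag keeps the speed in its low four bits (CBAUD) indexed B0..B38400, with an assumed CBAUDEXT bit of 0x200000 marking faster speeds that it refuses to decode. The sample lines it checks are constructed from the values in the answer.

```python
"""Decode and cross-check the console speed recorded in /etc/ttydefs,
eeprom ttya-mode, /kernel/drv/options.conf and /etc/ioctl.syscon.
Assumed Solaris termios encoding: cflag & 0xf indexes the table below;
CBAUDEXT (assumed 0x200000) marks extended speeds, not handled here."""
import re

SPEEDS = [0, 50, 75, 110, 134, 150, 200, 300, 600,
          1200, 1800, 2400, 4800, 9600, 19200, 38400]
CBAUD = 0x0f
CBAUDEXT = 0x200000


def stty_g_speed(stty_g):
    """Baud rate encoded in an 'stty -g' string (iflag:oflag:cflag:lflag:...)."""
    fields = stty_g.strip().split(":")
    if len(fields) < 4:
        raise ValueError("not an stty -g string: %r" % stty_g)
    cflag = int(fields[2], 16)
    if cflag & CBAUDEXT:
        raise ValueError("extended speed (CBAUDEXT set), not decoded here")
    return SPEEDS[cflag & CBAUD]


def stty_g_with_speed(stty_g, speed):
    """Same stty -g string with only the speed bits of the cflag replaced."""
    fields = stty_g.strip().split(":")
    cflag = (int(fields[2], 16) & ~CBAUD) | SPEEDS.index(speed)
    fields[2] = "%x" % cflag
    return ":".join(fields)


def ttydefs_speeds(line):
    """Both speeds on a /etc/ttydefs entry such as
    'console:38400 hupcl opost onlcr:38400::console'."""
    f = line.split(":")
    return int(f[1].split()[0]), int(f[2].split()[0])


def options_conf_stty(line):
    """The quoted string on the ttymodes= line of /kernel/drv/options.conf."""
    m = re.search(r'ttymodes\s*=\s*"([^"]*)"', line)
    if m is None:
        raise ValueError("no ttymodes= line found")
    return m.group(1)


def eeprom_speed(line):
    """Speed from 'eeprom ttya-mode' output: 'ttya-mode=38400,8,n,1,-'."""
    return int(line.split("=", 1)[1].split(",")[0])


def console_speed_mismatches(speed, eeprom_line, ttydefs_line,
                             options_line, ioctl_syscon):
    """Names of the places whose recorded speed disagrees with `speed`."""
    bad = []
    if eeprom_speed(eeprom_line) != speed:
        bad.append("eeprom ttya-mode")
    if ttydefs_speeds(ttydefs_line) != (speed, speed):
        bad.append("/etc/ttydefs")
    if stty_g_speed(options_conf_stty(options_line)) != speed:
        bad.append("/kernel/drv/options.conf")
    if stty_g_speed(ioctl_syscon) != speed:
        bad.append("/etc/ioctl.syscon")
    return bad


# Constructed samples: the stock ttymodes string from the answer, and the
# same string rewritten for 38400 baud.
STOCK_TTYMODES = "2502:1805:bd:8a3b:3:1c:7f:15:4:0:0:0:11:13:1a:19:12:f:17:16"
FAST_TTYMODES = stty_g_with_speed(STOCK_TTYMODES, 38400)

if __name__ == "__main__":
    print("stock string encodes", stty_g_speed(STOCK_TTYMODES), "baud")
    print("38400 version:", FAST_TTYMODES)
    print("mismatches with stock options.conf:", console_speed_mismatches(
        38400, "ttya-mode=38400,8,n,1,-",
        "console:38400 hupcl opost onlcr:38400::console",
        'ttymodes="%s";' % STOCK_TTYMODES, FAST_TTYMODES))
```

On a real box, feed it the output of eeprom ttya-mode, the console line of /etc/ttydefs, the ttymodes line of /kernel/drv/options.conf and the contents of /etc/ioctl.syscon; an empty list means all four agree.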

Q I'm running FreeBSD 4.8-STABLE, and I want to build something from the ports directory using different configuration options. I tried editing the makefiles in the src directory, but they seem to get overwritten every time I try the build. I suppose I could just make the package from scratch, but I'd rather have it listed in the package database so it's easy to update/remove/reinstall later.

A Generally, the best way to modify the configuration options is to set them on the make command line or in its environment when you build the port, and the two are not equivalent. Under BSD make, a variable assigned on the command line overrides every assignment in the Makefiles, including the += lines by which the port's Makefile and bsd.port.mk add their own arguments (such as --prefix), so

make CONFIGURE_ARGS="--opt1=arg --opt2" install
replaces the port's configure arguments outright. A variable set in the environment, by contrast, is only the starting value, and the Makefiles' += lines append to it, so (assuming a Bourne-like shell)

CONFIGURE_ARGS="--opt1=arg --opt2" make install
adds your options to the port's own. The second form is usually the one you want; check the result with make -V CONFIGURE_ARGS before building. You can also edit the port's Makefile directly (e.g., /usr/ports/lang/perl5.8/Makefile) before you run make, but be aware that your modified Makefile will likely be overwritten by your next cvsup.

Q I have a couple of Netra T1 105s running Solaris 8 that are both attached to the same external disk pack. I'm using SDS to set up a JBOD RAID on this disk pack. I want to set up a poor man's failover and mount the disk pack on the second machine if the first one should fail. I know I could purchase software from Sun, but I need to do this on the cheap. I'm just not sure where to start...

A What you want to accomplish is possible, but it's not supported by Sun. You want to create (using the metaset command) a diskset, an SDS object that can be shared exclusively and non-concurrently by two hosts. To get started, take a look at the SDS 4.2.1 User's Guide:

http://docs.sun.com/db/doc/806-3205
If you want a Sun-supported configuration, you need to use Sun Cluster as well.

Q I get a bunch of spam that has no To: address, so I thought I'd whip up a sendmail ruleset to reject such mail. I thought it would be pretty trivial, since there already appears to be a mechanism to check the To: header, but it doesn't seem to be working. I'm running 8.12.9, and here's the important part of my mc:

HTo:                  $>CheckTo
SCheckTo
R$@     $#error $@ 5.7.1 $: "554 ERROR: No user specified."
The mail comes through with a blank To: header every time I try to test, so I'm guessing that I wrote my ruleset wrong. Could you point out where my mistake is?

A There is no mistake in your rule per se, but you've run into a known limitation of sendmail, described in the KNOWNBUGS file in the sendmail source tree:

Header checks are not called if header value is too long or empty.

If the value of a header is longer than 1250 (MAXNAME + MAXATOM - 6) characters or it contains a single word longer than 256 (MAXNAME) characters then no header check is done even if one is configured for the header.

Until that is fixed, your best bet is a milter or, if you'd rather keep it out of sendmail entirely, procmail. The procmail recipe below sends messages whose To: header is empty or contains only spaces to /dev/null (it does not catch a header padded with tabs):

:0
* ^To:( )*$
/dev/null
Q I've been administering DNS for quite a few years now, but I recently came across a term I had never heard before, and I was wondering whether you could provide a definition/example. The term was "in bailiwick," and it seemed to have something to do with nameservers.

A The reason you haven't heard this term before is probably because the only place it's generally used is in reference to djbdns and DJB's arguments against DNAME and A6. If you've mainly used BIND (or something else), it's unlikely you would have come across it. As far as I know, there is no formal definition. My interpretation is that your bailiwick is the realm of things (a domain, for example) over which you have authority. The common usage is along the lines of "keeping at least one nameserver for a domain in bailiwick," meaning that the nameserver for my.domain should itself be contained within my.domain (e.g., ns1.my.domain), so that my.domain, and not some other zone, is authoritative for the server's own address.

There are two main reasons for keeping a nameserver in bailiwick: security and speed. If the nameserver for my.domain is located in this.otherdomain, trust is spread out: whoever controls this.otherdomain's DNS can change where my.domain's nameserver resolves to, so more points of exposure are added to the equation. Every out-of-bailiwick reference also creates an opportunity for a loop, with my.domain's server named in this.otherdomain and this.otherdomain's server named in my.domain. As for speed, each out-of-bailiwick reference means more queries per lookup and more opportunities for delay, and caches must limit the number of queries and the amount of memory they spend per lookup, so those limits can be exceeded before the lookup completes.

Q A user with a Sun Blade 1000 as his desktop wants to attach some USB devices. I know that not everything is supported by Sun, but is there a canonical hardware compatibility list somewhere?

A Sun maintains a list of tested/verified USB products at:

http://www.sun.com/io_technologies/USB.html
If you're running Solaris 9, the following documentation might also be useful:

http://docs.sun.com/db/doc/817-0798/6mgisnq8g?a=view
Q I'm running FreeBSD 4.7-STABLE as a PDC. I need to add users that end in $, but the adduser script keeps telling me that this is not a valid username. I've seen this done before, so I know it's possible, but I'm not sure whether there's some additional argument I need to pass to adduser or what.

A You can add users that end in $ by using vipw instead of adduser, or you can modify /etc/adduser.conf to let adduser know that the username you're trying to enter is valid. /etc/adduser.conf contains a regular expression, usernameregexp, that usernames are checked against. The default is:

usernameregexp = '^[a-z0-9_][a-z0-9_-]*$'
To allow users with dollar signs at the end, change this line to:

usernameregexp = '^[a-z0-9_][a-z0-9_-]*\$*$'
Q I have both gcc and the Sun compiler installed on my machine. I've been trying to build some software, but I have a feeling I'm running into incompatibilities between the two compilers. My suspicion is that some of the libraries I'm trying to link with were compiled with one compiler and some were compiled with the other.

A There are a few places in an ELF object or library where the compiler leaves its mark. The most reliable is the .comment section, which both the Sun compilers and GCC stamp with their version string; print it with:

/usr/ccs/bin/mcs -p /path/to/file
Since GCC's stamp begins with "GCC:", this also works for objects GCC built:

/usr/bin/strings - /path/to/file | grep GCC
The symbol table and string table may also help in tracking down which library is the odd one out:

/usr/ccs/bin/nm /path/to/file
/usr/ccs/bin/dump -c /path/to/file
Amy Rich, president of the Boston-based Oceanwave Consulting, Inc. (http://www.oceanwave.com), has been a UNIX systems administrator for more than 10 years. She received a BSCS at Worcester Polytechnic Institute, and can be reached at: qna@oceanwave.com.