Questions and Answers
Before I get started, first a correction to the previous
Canadian company which sells UNIX tools for MS-DOS was
correct name is MKS, and the software is called the
MKS Toolkit. MKS
can be reached at:
Mortice Kern Systems, Inc. (MKS)
35 King Street North
Waterloo, Ontario N2J 2W9
Report from SANS
SANS 4 took place in Washington, DC in April. This conference
and is in its own right becoming a major event for UNIX
It differs from LISA, which is also aimed at the UNIX
community, in that it has a somewhat more commercial
are more welcome, and are better integrated into the
is not, however, a vendor-driven conference, as is the
case with so
many of the conferences that feature large vendor shows.
SANS is still
less than half the size of LISA, which makes it a pleasant,
experience. Two of my favorite papers from this year's
were "How To Find Good System Administrators in
Twelve Easy Questions"
and "Building a Security Infrastructure: What You
Want vs. What
You Need vs What You Can Afford," both by Michele
D. Crabb, a
security specialist from NASA Ames. Another very good
paper is "People
Skills for the System Administrator," by P. David
Parks. The best
ad-hoc tool was described in "The NetScanner Network
Tool," by Jack Stewart.
The conference proceedings contain the full text of
all papers, along
with the results of the 1994 System Administration Salary
(An overview of those results was published in the Jan/Feb
The conference proceedings, should you be interested,
can be purchased
from USENIX, a co-sponsor of the SANS conference:
USENIX Conference Office
22672 Lambert Street, Suite 613
El Toro, CA 92630 USA
(714) 588-8649; FAX: (714) 588-9706
Sun Microsystems Sunscreen
Sun finally unveiled its new firewall, cutely named
had been rumored for some time. It is essentially a
filter, apparently similar to screend, running under
on a Sparc 5 platform. The packet filter is managed
by a graphical
user interface, running on a separate Windows machine.
While the screening
mechanism was a disappointment, SunScreen has a number
details that are worth mentioning. It uses what the
folks call a unique "stealth" design -- ethernet
which implement only the lower part of TCP/IP protocol
stack and therefore
do not provide any means of getting access to the machine
The product also offers encrypted traffic across the
this is not as newsworthy, as almost all other firewall
offer it already, or are scrambling to provide it soon.
All in all, this is not an unattractive packet, although
as a basic system starts at $40,000, and according to
Sun, a more
realistic implementation would go for $100,000.
One More Word on SATAN
Ironically, SATAN, the much discussed security checking
to be a security risk in itself. If you are using SATAN,
you are advised
to use the latest version, currently version 1.1.1.
And now to this month's questions.
We have a number of servers which I would like our
to be able to access in a round-robin manner. Is this
It is not (yet) supported in the standard version of
BIND (Berkeley Internet Domain -- the UNIX implementation
nameserver). However, this feature has been discussed
for some time,
and there is at least one BIND code patch floating around
that implements it. However, if you are not a regular
you will have to be a bit patient, as modifying BIND
is not for the
weak of heart. The sooner Paul Vixie (the current main
gets around to including this feature, the better for
the rest of
We are about to install News on our site. As I never
have done this before, I have two questions: how difficult
is it to
do, and which News software should we use?
Another question where the answer is: It depends. There
are two main packages currently used as News transfer
one to choose depends on the local circumstances. C-News,
by Geoff Collyer and Henry Spencer, which is the older
of the two
(the name is chosen for historical reasons; C-News was
to the older B-News transfer agent), was originally
UUCP as the underlying transfer mechanism, although
it can use NNTP
when the separate nntp package is added (nntp is just
one implementation of the NNTP [Network News Transfer
This package is still a good choice for smaller News
sites -- that
is, sites which do not receive a full news feed -- whether
or NNTP is used as the underlying transfer mechanism.
sites will probably want to use the newer INN (Internet
written by Rich Salz. INN is a faster and more efficient
than C-News, at the cost of being a memory hog. However,
enables INN to keep up with the heavy traffic load in
For smaller sites, there is a third alternative to be
If you have a reasonable amount of network bandwidth,
but not many
users who read News, then you should consider reading
News from another
site. You can do this by providing your users with a
News reader which
uses NNTP to read News, rather than depending on local
files. If this
works for you, you do not need to install and maintain
a News agent.
Many Internet service providers can provide you with
or you may get permission to read News from a large
site in your area
(but choose somebody using the same provider; you get
I am relatively new to System V, and am trying to get
an overview of the RC files used by that system. The
makes it difficult for me to understand as well as I
The System V release 4 implementation of RC files is
a great example of a good idea taken far beyond a reasonable
Unfortunately, that seems to be typical for that flavor
of UNIX. These
files are an example of the linked files from Hell.
Before you start
looking at the content of the files, you will need to
figure out which
files are linked together. As hard links are used, you
will need to
sort them out according to their inode numbers. The
files that have
the same inode numbers are really a single file which
appears to be
in more than one place. When you have done this, you
will end up with
many fewer files, and you only have to read one version
of each set
of linked files. It is still messy, but at least you
have a chance
to figure out what the system does at boot time.
Perl 5 has been out for some time now. Should I upgrade?
That would probably be a very good idea. Perl 5 appears
to be almost perfectly backwards compatible with perl
4. In addition,
the interpreter is faster, and there are a number of
to the language. I especially appreciate the better
facility for data
structures and pointers, which opens the language up
We are connected to the rest of the world by UUCP.
few weeks ago, we suddenly started having problems receiving
although we had made no changes to the UUCP configuration,
UUCP feed claims that they had not made any changes
either. What could
I think both of you should check your modems, and ensure
that modem flow control is enabled. If you are using
which almost everyone does these days, make sure that
you are using
hardware flow control, as software flow control might
not be fast
enough, particularly if the machine the modem is connected
to is slow
or heavily loaded.
If a UUCP file transfer starts up, runs for a while,
and then for
some mysterious reason stops or gets very slow, you
can almost always
place a safe bet that it is a modem problem. In fact,
I do not remember
ever having seen this problem not be caused by misconfigured
Where can I find the newest version of the UNIX Name
You can get it by anonymous ftp from ftp.vix.com/pub/bind/testing
(or in URL speak ftp://ftp.vix.com/pub/bind/testing).
version is semi-public and primarily intended for testing
however, it appears to be fairly stable.
The last version that has been officially fully released
from ftp.uu.net, in the directory /networking/ip/dns/bind.
I'm a subscriber to Sys Admin magazine, and I've
been downloading code listings via UUNET's 900 number.
UUNET has cancelled that service. The people at Sys
I email you and ask if the ftp site you're setting up
allow ftp via email (I have a uucp Internet connection
I have no immediate plans for adding ftp via
e-mail for the sysadmin ftp archive, as I want the archive
to become more complete before venturing out into other
In the meantime, you can ftp by mail, using the service
decwrl. Send email to email@example.com, with
the necessary ftp commands in the mail body.
I am having a problem uncompressing may95.tar.Z.
I downloaded the file from ftp.sysadmin.com to my PC,
used binary ftp to transfer it to our UNIX workstation.
When I do
an "uncompress" or "compress -d may95.tar,"
an error message "file not in compressed format."
When I look
at the file it sure looks compressed. Nothing is recognizable.
Most of the files on ftp.sysadmin.com are compressed
with the gzip program. You can recognize which compression
algorithm has been used by looking at the extension
of the file. A
".Z" extension used the older, and less efficient,
program, while files with a ".gz" extension
have been compressed
by the much more efficient gzip program. You can find
source for both programs in the compress directory.
I have changed the files with Sys Admin content to no
I work as a system administrator, supporting our IBM
RS/6000 line of workstations running AIX. Recently,
I was posed an
interesting and seemingly impossible question by one
of our clients.
The site where they are working has a large number of
on one machine. This site is a hospital, and when a
report or memo
is typed up and saved on this machine, at best it is
meant to be read
only by people in their group. To enforce this security,
has set up each department within the hospital in its
own group on
Unfortunately, this has led to a problem. From what
we can determine,
NIS will ignore anything past the 512th character in
the file /etc/groups.
This is not good since many of these groups have large
My question is this: Is there a third-party application
that we can
run that allows for more users in a group?
I don't like NIS, in part for basic design considerations,
but especially for reasons of security. I therefore
avoid using NIS
whenever I have the chance to do so, and it seems ironic
client is basing security on a piece of software that
can be broken
You might be able to solve your problem by not using
the NIS maps
for the /etc/group file. Instead, start distributing
information using rdist (get the new version from the
of Southern California). This will also remove one security
or less -- NIS will leave another open). However, because
not only using NIS, but also AIX, you might have a worse
because SMIT, the AIX system administration tool, makes
very difficult to work out in practice. You might also
check to see
if your vendor is planning to migrate to NIS+, which
fixes many of
the problems identified in NIS.
About the Author
Bjorn Satdeva is the president of /sys/admin, inc.,
firm which specializes in large installation system
Bjorn is also co-founder and former president of Bay-LISA,
a San Francisco
Bay Area user's group for system administrators of large
can be contacted at /sys/admin, inc., 2787 Moorpark
Ave., San Jose,
CA 95128; electronically at firstname.lastname@example.org; or by
at (408) 241-3111.