Cover V04, I06 (nov95)


Questions and Answers

Bjorn Satdeva

The 1995 LISA System Administration Conference took place in Monterey, California, September 17 to 22. The technical quality of the presented papers continued the decline begun in recent years, but the conference still represents one of the best opportunities for UNIX system administrators to get together and learn from each other and from the many tutorials offered. In fact, now that fewer of the presentations are of the "bleeding edge technology" type, the conference will probably have greater appeal for newer UNIX system administrators. Also, as I have mentioned many times, the social value of the conference can easily outweigh the technical value: if in the year after the conference you are able to place a single phone call, or send a single e-mail, to a conference contact and get an answer to an urgent problem, the price of admission will have been paid off with interest.

Meanwhile, LISA continues to grow. More than 1,600 people preregistered this year, making this the largest LISA conference ever.

The most interesting paper on innovations was Roland J. Schemers' "lbnamed: A Load Balancing Name Server in Perl," which described a way to provide load balancing between servers; the most promising tool, described by Patrick Powell and Justin Mason in "LPRng: An Enhanced Printer Spooler System," was a completely redesigned version of the Berkeley line printer spooler; and the most interesting sharing of experiences was Arnold de Leon's "From Thinnet to 10base-T; From Sys Admin to Network Manager."

You can order LISA proceedings from the USENIX conference office:

USENIX Conference Office
22672 Lambert Street, Suite 613
El Toro, CA 92630 USA
(714) 588-8649; FAX: (714) 588-9706
Email: conference@usenix.org

Network Security Conference

Alan Paller, the founder of the System Administration, Networking and Security (SANS) conferences, is at work on a dedicated security conference, Network Security '95, in Washington D.C., November 13-18. He is co-chairing it with Michele Crabb and Matt Bishop, both of whom are well known and respected in the UNIX security community.

The Network Security '95 conference will be co-located in the Washington D.C. Convention Center with the Open Systems World Conference and the FedUNIX Exposition.

For more information, email: sans@clark.net, or call the Conference Office: 719-599-4303

FTP Archive

The FTP archive on ftp.sysadmin.com is now online. My goal is to provide a single FTP archive where all the good system administration software can be found. It already holds many of the most common utilities, as well as many useful but lesser-known utilities. It also includes the code listings released by Sys Admin magazine. If your favorite system administration program or utility is not in the archive, drop me an e-mail with the relevant information, and I will be happy to add it to the archive. The address of the archive is

ftp.sysadmin.com:/pub/admin

or in URL speak:

ftp://ftp.sysadmin.com/pub/admin

And now for this issue's questions.

 Q My site has recently decided to join the Internet, and to that end, we have installed a dial-up SLIP connection. The problem is that although I can set up the SLIP connection, I haven't been able to set up the mail system.

Thus messages not destined for local addresses do not get sent.

Can you help?

 A There are many possible explanations for your problem. From your very brief description, I gather that you have no firewall in place, in which case every system on your internal network is directly reachable from the Internet (a scary thought!). In that case, the problem is most likely missing routing configuration. In the simple case of a single network, you need to set the default route on all of your systems.

The default route is used in the kernel's routing tables to determine where to send packets when the local machine does not have a route. Presumably, the machine pointed to in this manner will know how to route the packets successfully. On your gateway host, you will also need to install a default route, but in this case it must point to the host at the other end of the SLIP link.

You can add new routes to the routing table with the route command (the syntax varies slightly among UNIX variants; check your local man pages):

route add default 123.123.123.123 1

where the add keyword tells route to add a new route, the default keyword tells route that it is adding the default route, 123.123.123.123 is the address of the next machine toward the Internet (substitute the address of your own next hop; the one shown here is only a placeholder), and 1 is the hop count (metric). Afterwards, netstat -rn should show the default entry pointing at that address.

If your gateway is actually configured with some kind of firewall functionality in place, the problem may be that internal hosts are unable to establish SMTP (e-mail) connections through that machine. In that case, you will need to change the sendmail configuration in sendmail.cf. This is not as difficult as it may sound. Most sendmail configuration files already support some kind of "smart relay host" to which all non-local mail is forwarded; the smart host is assumed to know how to get the mail delivered.

In sendmail 8.6 with the m4 configuration system, you simply define the SMART_HOST m4 macro; if you are editing sendmail.cf directly, look for comments referring to "smart" or "relay" to find the right place. In a sendmail 8.6 configuration file, the smart host is defined by a line like:

DSsmtp:your.smart.host

and in Sun sendmail, by

DRyour.smart.host

The actual method varies from vendor to vendor, because the macro is consumed by the address rewriting rules, and those rules are defined by the contents of sendmail.cf rather than by the sendmail program itself. Whichever form you use, remember that the firewall must in turn permit SMTP from the internal hosts to the smart host, or the mail will simply queue there instead.
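The two configuration forms above differ only in where the relay name is recorded, so a small check that reads either spelling back out of sendmail.cf is worth keeping beside the change. What follows is an added example, not code from the column or from the sendmail distribution: one function writes an m4 fragment declaring the smart host for the 8.6 m4 system, and another reports the relay found in an existing sendmail.cf, whether it is stored as the 8.x DS macro (with or without a mailer: prefix) or the Sun-style DR macro. The relay name mailhub.example.com, the OSTYPE value and the file names are assumptions.

```shell
#!/bin/sh
# smarthost.sh: declare a smart relay host for sendmail and read it back.
# Added example, not part of the column.  mailhub.example.com, the OSTYPE
# value and the file names are placeholders; substitute your own.

# Write an m4 fragment that hands all non-local mail to the relay.
# Build with:  m4 ../m4/cf.m4 smarthost.mc > sendmail.cf
# The "smtp:" prefix names the mailer; it turns into the DS line below.
write_smart_host_mc() {
    # $1: output .mc file   $2: relay host name
    printf '%s\n' \
        'divert(0)dnl' \
        'OSTYPE(sunos4.1)dnl' \
        "define(\`SMART_HOST', \`smtp:$2')dnl" \
        'MAILER(local)dnl' \
        'MAILER(smtp)dnl' > "$1"
}

# Print the relay configured in a sendmail.cf.  The 8.x "DS" macro wins
# when both are present (an 8.x cf also carries an empty "DR" line for
# unqualified names); otherwise the Sun "DR" macro is used.  Prints "none"
# when neither is set, so a startup script can refuse to continue.
smart_host_of() {
    # $1: path to sendmail.cf
    awk '
        /^DS./ { v = substr($0, 3); sub(/^[^:]*:/, "", v); ds = v }
        /^DR./ { dr = substr($0, 3) }
        END {
            if (ds != "") print ds
            else if (dr != "") print dr
            else print "none"
        }
    ' "$1"
}
```

After installing the new configuration file, `sendmail -bv someone@remote.host` should report the relay as the delivery host for a non-local address; if it still names the remote host directly, the macro did not take effect in the rewriting rules.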

 Q In the past it's been my practice to make a backup of any distribution tape received from our vendor. I did this via the dd command, which worked just fine. However, the new release of our OS came on a CD-ROM, and when I tried to use my script (with the appropriate changes), it just kept on writing to the first filemark and never went beyond that.

 A Using the dd command on a CD-ROM does not make sense, as you will not be able to use the created image very effectively.

A CD-ROM comes with its information stored in a file system, which is why it can be mounted with the mount command. The file system format is different from those you find on a hard disk: it is ISO 9660, usually with the Rock Ridge extensions, which add UNIX file names, permissions and symbolic links on top of the basic ISO 9660 layout.

To make a usable copy of a CD-ROM to tape, you will need to use an archive command which does not depend on the underlying file system structure. This eliminates dd as well as dump, but leaves tar as a possible method. You should be able to mount the CD-ROM somewhere in your file system (see the man page for mount or talk with your vendor; there are so many ways to do this that I cannot cover them here) and then make a tar tape, as you would for any other file system. Read the tape back with tar t before you rely on it, since a tape that was never verified is not a backup.

However, be aware that a backup tape will not do you much good if the CD-ROM is lost, as the installation tools your vendor provides will still assume that you are installing from a CD-ROM.

 Q We have installed the smap program from the Firewall Tool Kit. However, we have a problem with mail getting stuck in the spool queue on the firewall.

 A Let me explain the function of smap to those of you not familiar with this program. smap (and its companion program, smapd) provides an SMTP proxy which keeps sendmail on the firewall bastion host from ever talking to the network directly, so that attacks delivered over the SMTP connection reach only smap. smap receives the mail and drops it into a spool directory, where it runs chroot'ed and under an unprivileged user ID, and smapd picks the messages up and hands them to sendmail for further delivery. smap is a small and simple program, so it is easier to ensure that it works correctly, without the many problems associated with sendmail over the years. The problem you report is almost certainly caused by your not running sendmail as a daemon. While smap does replace sendmail as the program which listens to the Internet, sendmail must still run as a daemon in order to process mail which could not be delivered on the first attempt and has ended up in the spool queue. If you start sendmail from the rc file in this way:

sendmail -q30m

it will run in the background and process the queue every half hour. It will not, however, attempt to listen on the SMTP port (which is serviced by smap). If the mail is instead piling up in smap's own spool directory rather than in sendmail's queue, the missing piece is smapd, not the queue runner.
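Mail stuck on a bastion host is easy to miss until someone complains, so a check that distinguishes "queued and waiting" from "queued and nobody is running the queue" earns its keep. The following is an added example, not part of the column or of the Firewall Toolkit: it counts queued messages by their qf* control files, flags any older than the queue interval (30 minutes to match the -q30m above), and warns when no sendmail queue runner shows up in the process list. The spool path, the threshold and the ps invocation are assumptions for your system.

```shell
#!/bin/sh
# mqueue_check.sh: report mail stuck behind smap/smapd on a bastion host.
# Added example, not part of the column or of the Firewall Toolkit.  The
# spool directory and the 30-minute threshold are assumptions chosen to
# match "sendmail -q30m"; adjust them to your installation.

# Count queued messages: sendmail keeps one qf* control file per message.
queued_messages() {
    # $1: mail queue directory (e.g. /var/spool/mqueue)
    find "$1" -name 'qf*' -type f | wc -l | tr -d ' '
}

# Count messages older than $2 minutes.  Anything older than the queue
# interval has been skipped by at least one run, or no runner exists.
stale_messages() {
    find "$1" -name 'qf*' -type f -mmin +"$2" | wc -l | tr -d ' '
}

# Heuristic: is a sendmail queue runner (-q...) in the process table?
# ps output differs between System V and BSD, so both forms are tried.
queue_runner_present() {
    { ps -ef 2>/dev/null || ps aux 2>/dev/null; } | grep -q '[s]endmail.*-q'
}

# Summarise the queue; exit non-zero when stale mail exists so that the
# check can run from cron and page someone.
queue_report() {
    # $1: queue directory   $2: queue interval in minutes
    dir=$1
    interval=$2
    total=$(queued_messages "$dir")
    stale=$(stale_messages "$dir" "$interval")
    echo "$dir: $total queued, $stale older than ${interval}m"
    if ! queue_runner_present; then
        echo "warning: no sendmail queue runner found; start sendmail -q${interval}m"
    fi
    [ "$stale" -eq 0 ]
}
```

Run it as `queue_report /var/spool/mqueue 30` from cron; a non-zero exit with the warning line present is the symptom described in the question.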

 Q At our site we have decided that there are too many problems with sendmail, and we are looking for an alternative. Is there one that you would recommend?

 A Not really. sendmail certainly has its problems, but there is really no good substitute available. smail3 works well on small networks and for connections over UUCP, but in my opinion does not work well at an Internet-connected site. Also, work on smail3 stopped several years ago, which would leave you up the creek without a paddle if somebody managed to break it. Some people argue that smail3 is more secure because it has not been broken as often as sendmail. However, I think the reason for that is that it is not nearly as common. If given the same scrutiny as sendmail, smail3 would probably prove to be as vulnerable.

If your concern is firewall security, implementing an SMTP application-level proxy, e.g., with smap from the TIS Firewall Toolkit, will probably provide what you require. If the reduced configurability of smail3 is not a problem for you, you could use that, but as explained above, you should be prepared to deal with any security problems on your own.

 Q We want to put up a Web page for our company, but do not know which server to choose. Which do you recommend?

 A With respect to freeware, there is a growing number available. The ones I have used are the httpds from CERN and NCSA. Unfortunately, the latter proved to have a major security hole, which I am not sure has been fixed adequately (I had switched to the CERN server prior to the incident, and have not followed the story of the NCSA server too closely). The CERN server is nice, as it will work as an HTTP server, as a caching server, and as a proxy server. The server at www.sysadmin.com actually performs all three of those functions simultaneously. The use of a caching server, especially at a large site, can cut down on network traffic and response time, as the commonly used pages are likely to be readily available in the server's disk cache.

Whatever the security record of the CERN server, I would strongly advise you to run it under a changed root (chroot) so that, should someone manage to break into the server, he or she ends up in an environment without any useful tools: no shell, no compiler, no setuid programs, and a private passwd file containing only the accounts the server needs. Note that you will have to duplicate several of the system files (such as resolv.conf) in the chroot'ed area, since the program will no longer be able to reach the original locations of those files.

Several servers are available from the sysadmin FTP archive, as well as the chrootuid utility to handle the startup in a chroot'ed environment.
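The chroot advice is only as good as the tree you put the server into, so it is worth scripting both the construction and an audit of that tree. What follows is an added example, not code from the column, from chrootuid or from either server's own installer: one function populates a minimal jail (directories, the resolver files libc reads at run time, and a private passwd/group with placeholder IDs), and another audits it for setuid or setgid files, world-writable paths outside tmp, and stray shells or interpreters, returning non-zero so it can gate the startup. The jail path, the www account, the file list and the commented chrootuid command line are assumptions.

```shell
#!/bin/sh
# httpd_jail.sh: build and audit a minimal chroot tree for a web server.
# Added example, not from the column, chrootuid or any server's installer.
# The jail path, the www account and the copied file list are assumptions.

# Populate the tree.  Only what the server reads at run time goes in: no
# shells, no setuid binaries, and a private passwd instead of the real one.
build_jail() {
    # $1: jail root
    jail=$1
    mkdir -p "$jail/etc" "$jail/tmp" "$jail/htdocs" "$jail/logs" "$jail/conf"
    chmod 755 "$jail" "$jail/etc" "$jail/htdocs" "$jail/logs" "$jail/conf"
    chmod 1777 "$jail/tmp"
    # resolver and name-service files that libc consults inside the jail
    for f in resolv.conf hosts services protocols; do
        if [ -f "/etc/$f" ]; then
            cp "/etc/$f" "$jail/etc/$f"
            chmod 644 "$jail/etc/$f"
        fi
    done
    # private passwd/group: root plus the server account; uid/gid are placeholders
    printf 'root:*:0:0:root:/:/bin/false\nwww:*:60001:60001:httpd:/:/bin/false\n' \
        > "$jail/etc/passwd"
    printf 'root:*:0:\nwww:*:60001:\n' > "$jail/etc/group"
    chmod 644 "$jail/etc/passwd" "$jail/etc/group"
}

# Audit the tree.  Returns 0 when clean, 1 otherwise, and names each finding.
audit_jail() {
    # $1: jail root
    jail=$1
    bad=0
    n=$(find "$jail" -type f \( -perm -4000 -o -perm -2000 \) | wc -l | tr -d ' ')
    [ "$n" -eq 0 ] || { echo "setuid/setgid files in jail: $n"; bad=1; }
    n=$(find "$jail" -path "$jail/tmp" -prune -o -perm -002 -print | wc -l | tr -d ' ')
    [ "$n" -eq 0 ] || { echo "world-writable paths outside tmp: $n"; bad=1; }
    for tool in sh csh ksh perl; do
        if [ -n "$(find "$jail" -type f -name "$tool")" ]; then
            echo "$tool present in jail"
            bad=1
        fi
    done
    return $bad
}

# Startup, once the audit passes (paths and server flags are assumptions):
#   audit_jail /jail && chrootuid /jail www /httpd -r /conf/httpd.conf
```

Rerun audit_jail after every server upgrade; an installer that helpfully drops a shell or a setuid helper into the tree undoes the point of the chroot.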

About the Author

Bjorn Satdeva is the president of /sys/admin, inc., a consulting firm which specializes in large installation system administration. Bjorn is also co-founder and former president of Bay-LISA, a San Francisco Bay Area users' group for system administrators of large sites. Bjorn can be contacted at /sys/admin, inc., 2787 Moorpark Ave., San Jose, CA 95128; electronically at bjorn@sysadmin.com; or by phone at (408) 241-3111.