Cover V05, I07


Questions and Answers

Bjorn Satdeva

In the May column, I wrote about the security risk with Postscript. I mentioned that it was based on the programming language Forth, which caused a frustrated reader to write to me stating "I know Forth, and Postscript is certainly not Forth!" I cannot claim that I know Forth; I worked with it very briefly more than 10 years ago when a co-worker tried to convince me that it was the best invention since sliced bread. However, it did not appeal to me, and I have not used it ever since. On the other hand, the statement that Postscript is based on Forth has been made by numerous people in the security community over the years, so I decided to get to the bottom of this.

Postscript is a graphical page description language invented by Chuck Getsche and John Warnock (the President and CEO of Adobe). Its syntax looks a little bit like Forth, because it is derived from Forth; however, Postscript's internal implementation has nothing to do with Forth. Postscript was written from scratch. So, now we all know the correct story. Nevertheless, it does not change my previous statement about the security risks of Postscript. Postscript allows embedded commands, such as removing a file, to be executed, so you still need to be aware of these risks.

Some other comments to the May article were in regard to the question about wanting xlock to log occurrences of failed access. One suggestion was not to log password information. This is certainly always true.

Another reader provided reference to an implementation that will syslog failed attempts. This modified xlock program, xlockmore-3.8, is available at:

To enable the syslog functionality, it is necessary to enable -DSYSLOG in the Imakefile before running xmkmf.

In the June issue, I mentioned the need for system administrators to keep track of their time. Since then, I have found a neat tool that can help with this, and I have been using it with great results.

It is a small gadget slightly bigger than a pager that is manufactured by the Stratos company. It is called "The Time Machine." This is probably a valid name, but I cannot help associating "Time Machine" with H. G. Wells' novel about traveling back in time. This gadget will not allow you travel back to yesterday to do the backup you need to restore that disk today (although that would certainly be useful). It will, however, allow you to keep track of how you spend your time.

The product actually consists of two parts, one is the abovementioned gadget, and the other is some software that runs under MS-Windows. Using the supplied cable, you can load information about the tasks you want to track. When starting a new activity, you just select the category, then push a bottom to start an internal timer, and push the same bottom when the task is complete (or interrupted). Later, you can download the collected data into your PC and generate reports showing how much time is spent on various activities.

Although this tool probably is mainly aimed at consultants, lawyers, and other people who charge for their time, I think it could be a very valuable tool for all people who need to keep track of how they are spending time, if only to make themselves more effective.

If you manage a group of people, you can supposedly combine them into a single database and generate a single report showing how the time has been spent for the entire department. I have not yet tested this, but I would think it should be able to generate highly valuable data for those who need to justify the budget for the system administration group, for example.

I am by no means overwhelmed by the quality of the current implementation of the concept. Both the hardware and software could use improvements, and the very flimsy user's manual needs to be completely redone. In spite of its shortcomings, I still consider this tool one of the best productivity enhancement tools I have seen in a long time.

If you are interested in checking out the Time Machine, you can order it from "Hello Direct" ( Customers have 30 days to return the product if they do not like it, so a trial run is relatively risk free. The purchase price is just under $300.

One noteworthy event that took place during the past month was the security seminar put on by Sun Microsystem and conducted by Dan Farmer and Wietse Venema. They are probably best known for their collaboration on the SATAN security scanner, but they have done other work independently, such as Dan Farmer's COPS and Wietse Venema's TCP Wrappers. The seminar was a one-time event and was mainly held as part of the collaboration on a new project writing a book on security and security audits. Dan Farmer hinted that the slides would be put up on his ftp server,, for anonymous retrieval. If and when that happens, I will publish the URL in this column.

Tool of the Month

For the tool this month, I have zeroed in on top. top is a ps alternative, written by William LeFever. Although ps will give you a single output listing all the active processes; top will limit itself to show only the top 15 active processes, and will update this information every 5 seconds. In addition, top will show other useful information, such as the number of active processes, the number of inactive ones, and the current load average of the system.

top provides a very nice tool for continually monitoring which processes are running on the system, and what kind of load they are placing on it. If you are running top regularly on your important systems, it will provide you with a good feel for what is "normal" for those systems. This could make it easier to determine the cause of problems when things start acting abnormally.

top is ported to a large number of BSD-based systems. It is ported to at least some System V-based systems, but depending on the flavor, it might not be available for all of your platforms.

top is available from the system administration ftp archives at:

 Q I have a medical system, and I need to run an automated routine. What I'm trying to accomplish is this: Enter application, make selection through multiple screens, print report to file. Is there a utility that can record these functions and have it saved to a filename? Any input would be appreciated.

 A Depending on the nature of your application, you might be able to use the script command to capture whatever you type. script was designed to work with plain ascii terminals. If your application uses menus displayed on a basic terminal, it might be usable, but will need editing, as it also saves the output printed to the terminal. If the application uses a X11-based solution, you are out of luck.

 Q I want a utility, or set of, that will help me watch packets between nodes, their types, and throughput in a graphical format. I need something that will help me determine what type of traffic I'm getting and how much bandwidth I'm using both overall and between nodes.

 A It sounds to me, as if you are looking for a full-blown network analyzer. There are several commercial products that can do what you are asking for, but they do not come cheap. There are also some MS-Windows-based packages that do at least some of these tasks, but with a much lower price tag. However, I have never used any of those, and do not know how well they compare to a "real" network analyzer.

You can get some of this information by running tcpdump, and recording the output. It is, also relatively trivial to write a Perl script that will count the various packets, thus, you will get an idea of the type of traffic you have and will be able to get some understanding of what is using up your bandwidth. This will not, however, take into account the size of the packets. These tools, together with the netstat -s command, will help you get some feel for what is going on in your network.

If you are finding that you have lots of NFS traffic, nfswatch and nfstrace can be of value, too. Both of those, and tcpdump as well, are available from the system administration ftp archive on

 Q I tried to ftp to an anonymous ftp server, but I don't know the User ID and Password.

 A The convention used for anonymous ftp is that you log in as user ftp or anonymous and give your email address as password. If this does not work, then the server is either not configured correctly, or much more likely, does not support anonymous ftp. If you want a description on how to configure an anonymous ftp server, see my column in the April issue.

 Q In the February 1996 column, you listed a utility called op that is available from your ftp server. I downloaded the op-1.1.tar.gz file but have been unable to extract its contents. I've tried uncompress, winzip, and some others but none seem to recognize the contents. How can I extract the contents of this file?

 A All the files on that server are compressed with the GNU compress program, called gzip. Most ftp sites are using either gzip or compress to compress the archives to save disk space and network bandwidth. The common convention is that files that are compressed with gzip have a .gz extension, and files compressed with compress have a .Z extension. gzip is the newer of the two programs, and will usually do a much better job of compressing the files. The two programs use different compression algorithms and do not understand each other's formats. The compression programs from the PC world, such as unzip do not work with either format, so you really need to get one of these programs before you can get much usage out of the Internet ftp archives.

You will find the uncompressed sources to both programs in the system administration ftp archives:

 Q Are you aware of an X GUI-based software package released in the last 2 years that provides a front end to configure

 A I am afraid I'm not. If any of our readers know of such a package, I would be very interested to hear about it.

About the Author

Bjorn Satdeva is the president of /sys/admin, inc., a consulting firm which specializes in large installation system administration. Bjorn is also co-founder and former president of Bay-LISA, a San Francisco Bay Area user's group for system administrators of large sites. Bjorn can be contacted at /sys/admin, inc., 2787 Moorpark Ave., San Jose, CA 95128; electronically at; or by phone at (408) 241-3111.