Cover V07, I06


Questions and Answers

Bjorn Satdeva

 Q Is it possible to control print jobs between ATT UNIX SRV4 and Win95?

 A There are several ways to do it. If you are using Sun PCNFS, you can forward print jobs using that suite. Otherwise, you can use a publicly available package called Samba. Samba is distributed under the GNU license.

 Q To run sniffit in interactive mode, is it necessary to have ncurses installed? What is ncurses and how do I install it?

 A ncurses, or New Curses, is a re-implementation of the old curses package with many bug fixes. ncurses is a library that implements a number of function calls that a programmer can use to write terminal-independent screen I/O code. You will need to download ncurses from an archive somewhere on the Internet, compile it, and then recompile and re-link sniffit using the ncurses library.

 Q How do you configure tcp-wrappers to run? When I run it, the program generates a core file and doesn't do anything.

 A It sounds like you have a compile problem. Even if a C program compiles and produces an executable, that is no guarantee that it actually compiles correctly. Look for compile-time error messages and warnings when you build the program. It might also be helpful to use a debugger (e.g., gdb if you are using the GNU compiler suite) to get a stack trace.

tcp-wrappers has been around for a long time and has been ported to a large number of platforms. Unless you are trying to compile it on a new platform, your problem is most likely a misconfiguration somewhere.

 Q I just found out about an HP product called ignite that allows you to make a recovery tape in case your boot disk goes bad. It allows you to boot from the tape drive, and it recreates the disk information and reinstalls all of the software for you automatically. Do you know of any such product for SUN Solaris machines?

 A When I see announcements for such products, I am very suspicious. Often vendors are offering packages that are supposed to help the system administrator, but the implementation has been done by people without real-life system administration experience. The way you describe this product sounds exactly like such a situation. I would have a hard time trusting a software package claiming that it will reinstall all my software after a disk crash. I also wonder why I should rely on such a package and not my backup tapes. I will need my backup anyway for the users' data files, and I doubt that the program will be able to configure any software it installs to my specific needs, let alone installing publicly available software from the 'Net, something I am using heavily. Examples of the latter are bind (DNS) and sendmail, where the vendors are always behind the latest release.

So, for the reinstall part of what you describe, I suggest you stick with your backups. That is what they are there for and should do a much better job of bringing the system back. If you do not trust your backups, you have a serious problem, which this product will not address.

As for the other part of your question, a Solaris system can be booted directly from the CD-ROM. Do a boot cdrom from the monitor prompt, and the system should come up with the CD-ROM as the root disk. You can then do whatever repairs or restores are necessary.

 Q I would like to back up a Linux box from a tape drive attached to a FreeBSD server. Can I NFS mount the Linux box root file system from the BSD box by creating an exports file on the Linux box? Can I then back up via NFS?

 A Personally, I do not trust NFS-mounted file systems for backup purposes. There are simply too many things that can go wrong. I suggest that you use rdump to make your backup across the network, or even better, install Amanda as your backup management system.

The backup is your last line of defense, and should be treated with great care. You not only need to make sure that you have a good backup system, you also need to implement a good quality control system. Unfortunately, the latter is rarely done. The system administrators that I know who are doing quality control of backups are the ones who have been caught in a situation that required a restore and learned the hard way.

 Q We have a UNIX system with three system administrators in two different cities. We would like to create three ROOT access users that can be named to identify which system admin is logged on. And we'd also like to log root commands to a log file. What is the best way to achieve these objectives?

 A You have not stated the most important objective, which is why you want to do this. You are clearly interested in implementing a strategic solution to some problems you have experienced, which is a very good thing. However, before you start to implement such a solution, you must be very, very clear about what problem you are solving. Do you not trust your system administrators, and so need an extensive audit trail of their actions? Or are you simply looking for a good way to ensure that the system administrators are working together and are keeping each other informed about changes and modifications? Depending on what you really want to achieve, your actual solution can be very different for each type of problem. In either case, you have a human problem, and it should be addressed as such.

If you are looking for a foolproof audit trail, I think you are out of luck unless you go with the kind of system that is used by financial organizations and classified government systems (and which I don't know much about). In that case, you either need system administrators you can trust or a consultant who can help you install a foolproof audit system.

However, if you are simply looking for a method to help system administrators work together, there are many solutions that can help you. First of all, get the three system administrators together in the same room from time to time. The personal contact will in most cases prove to be very beneficial, as they now are people with faces rather than user IDs.

Second, train them to understand that it is okay to make mistakes, as long as they accept responsibility for them. We are all human, and we all make mistakes.

 Q How can I schedule my compilation job in order to finish quickly? There are several other compilation jobs in the queue; I have only one user license.

 A How about switching to a compiler that does not require licenses? The GNU compilers are some of the best around, and if you need commercial support, it can be purchased from Cygnus. If you have some requirements that do not allow you to use a different compiler, then maybe you should consider either purchasing enough licenses or building a batch queuing system for the compiler. However, while the latter may solve some of your problems, it might also drive everybody nuts. These days, nobody is accustomed to having to wait for a job to run.

 Q I administer a small server with 10 PC clients using Netmanage UNIX link97 software. I have enabled the pcnfsd daemon and password protection along with entries in the dfstab in order to enforce some level of security. But is there more that I can do?

 A Unfortunately, security and PCs is an oxymoron. But, in order to increase the level of security, you first need to determine exactly what assets you are trying to protect, and how important they are to your organization. Only then can you expect to build any kind of reasonable security. There is no such thing as "a secure network". Security increases by degrees, and if you build more security than you need, you are wasting money. It is also very likely that unless you plan your security carefully, it will be implemented unevenly, providing high security in some areas at the cost of convenience, with low security in other areas, eliminating the positive effect of the high security.

Any suggestions I could give you would be dependent on knowing your objective. When working on a security infrastructure, you should view it like building a wall around some asset you want to protect. That wall needs to be uniformly high everywhere. It will not matter if the wall is 12 feet tall in some places, if it is only a few feet high in others.

 Q We recently purchased two Sun systems. I assumed they would come bundled with a C compiler. They didn't. I've searched the Internet for compilers, and I am unable to find one that would be binary coded for the Sun running Solaris 2.5.1. Do you have any suggestions?

 A In the past, I have downloaded a precompiled GNU C compiler and used it to build the compiler I needed for my systems. A quick and dirty search on the Internet revealed that the sites I have used in the past no longer have precompiled GNU compilers online. If any of our readers know of a site where they may be available, please send me email, and I will create links to those sites from /sys/admin's Web server.

About the Author

Bjorn Satdeva is the president of /sys/admin, inc., a consulting firm which specializes in large installation system administration. Bjorn is also co-founder and former president of Bay-LISA, a San Francisco Bay Area user's group for system administrators of large sites. Bjorn can be contacted at /sys/admin, inc., 2787 Moorpark Ave., San Jose, CA 95128; electronically at; or by phone at (408) 241-3111.