Cover V07, I09

New Messages

Please send letters via email to saletter@mfi.com.

From: Ryan Roehrich (ryan@futureone.com)
Subject: "The Journal for UNIX Systems Administrators"..yeh right
Have you noticed lately what the little caption says under the title of your magazine? I think the key word here is "UNIX Administrators". How can you call your magazine that when you have a whole issue in July devoted to NT? This is a disgrace to the UNIX community. I for one am cancelling my subscription to your magazine. If I wanted to know about NT I'd go read something else, NOT a magazine about UNIX. Please think about this the next time you pull this crap and think about money first before your readers.

Ryan:
While you are obviously free to do as you wish, allow me to point out a couple of things, particularly in light of your complaint about an issue that hadn't come out yet when your letter was written.

Each issue has a theme, taken from topics that our readers have indicated are important to them. The articles related to the theme usually amount to about 50% of the feature articles, excluding regular columns. As a significant percentage of our UNIX system administrator readers have indicated that NT and the integration thereof into their UNIX environments is important to them, we cover those topics from a decidedly UNIX perspective. Few of our UNIX readers have the luxury of not having to deal with things Microsoft. We have preauthorized those who do have that luxury to skip over the few NT-related pages.

Precisely because we *are* driven by the desires of the majority of our UNIX system administrator readers, we plan to continue discussing NT matters from a UNIX perspective. We also plan to announce that in the Call for Papers section and in our editorial calendar. In that vein, I ask: would you quit your church because your pastor announced that he planned to talk about the devil?

Regards,
Ralph Barker

Dear Editor,
Much to my chagrin, an astute reader has pointed out a security hole in my man.sh shell script ("Web-Enabled man Pages", Sys Admin May 1998). The security hole allows anyone to execute system commands with the same privileges as the Web server. It's possible, for example, to display the contents of /etc/passwd. The patched version of man.sh has been posted to www.samag.com. It may also be obtained from me via email.

The problem is with eval and the parsing of QUERY_STRING. By embedding characters that have special meaning to the SHELL, for example backticks (`), it's possible to make the Web server run a program. The fix is simple. Strip out suspect characters before they get to eval; and for added safety, only allow the expected variables to be expanded.

gsub(/[^-_=+%a-zA-Z0-9]/, ".", x) # strip out any funny chars
if ( x ~ /^(man|srch)=/ ) print x # only accept man=, srch=

Nelson H. F. Beebe (beebe@math.utah.edu) mentioned two other approaches that may be of interest to readers: direct conversion of the output of man(1) to HTML, and of the input to man(1) to HTML.

ftp://ftp.cs.berkeley.edu/ucb/people/phelps/tcltk
http://www.math.utah.edu/pub/sgml/index.html#man2html
http://www.math.utah.edu/html-pretty.html

Paul E. Black (p.black@acm.org) explained the bug I thought I had found in several browsers. When using the keywords '&lt' and '&gt' for < and >, I was forced to add an HTML comment to make it always come out right: &lt<!-- -->. But really all that's required is the concluding semicolon: &lt; and &gt;.

http://www.w3.org/TR/REC-html40/charset.html#entities

Several readers pointed out my bad habit of using "continue" in awk programs when "next" is the correct keyword. Also I neglected to remove an obsolete call to the exit_script function. These problems have been fixed in the updated version.

And finally, thanks again to Bob Moniot (moniot@dsm.fordham.edu) for pointing out the security hole.

Sincerely,
Steve Isaacson
(steven.isaacson@enduracorp.com)
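
Added example (not part of the letter above and not the posted man.sh): a stand-alone shell filter built around the two awk lines quoted in the letter, showing what reaches eval once QUERY_STRING has been split, stripped and allowlisted. The function names sanitize_query and load_query and the sample query strings are constructed for illustration.

```shell
#!/bin/sh
# Constructed example: allowlist filter for a CGI QUERY_STRING.
# The gsub/if lines are the ones quoted in the letter; the rest is assumed.

# sanitize_query QUERY_STRING
# Prints one name=value line per accepted pair; all other pairs are dropped.
sanitize_query() {
    # LC_ALL=C keeps a-z / A-Z to plain ASCII whatever the server's locale is.
    printf '%s\n' "$1" | LC_ALL=C awk '
    {
        n = split($0, pair, "&")                # CGI pairs are joined by "&"
        for (i = 1; i <= n; i++) {
            x = pair[i]
            gsub(/[^-_=+%a-zA-Z0-9]/, ".", x)   # strip out any funny chars
            if (x ~ /^(man|srch)=/) print x     # only accept man=, srch=
        }
    }'
}

# load_query QUERY_STRING
# Sets $man and $srch from the filtered pairs only. The unquoted $(...) is
# safe here because the filter leaves no whitespace, quote or glob characters.
# Caveat: %XX escapes pass through untouched, so any URL-decoding must happen
# after eval and the decoded text must never be handed to eval again.
load_query() {
    man= srch=
    for kv in $(sanitize_query "$1"); do
        eval "$kv"
    done
}

# Constructed sample request: a backtick-wrapped command and an unexpected
# variable name arrive alongside a legitimate srch= parameter.
load_query 'man=ls`id`&PATH=/tmp&srch=tar'
printf 'man=%s srch=%s\n' "$man" "$srch"
```

The shell metacharacters come out as literal dots and the PATH= pair never reaches eval, so only the two expected variables can be set.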

From: Alan B. Stone (stoneab@zam0.attnet.or.jp)
Subject: FreeBSD is Unix

I've read several of the articles published by Sys Admin on the subject of FreeBSD. FreeBSD is UNIX. Linux is UNIX-like. There is a difference and I use both OS's. FreeBSD is just as much UNIX as Solaris is UNIX. FreeBSD is based on the 4.4BSD release, and whether they are allowed by copyright laws to call it UNIX or not is irrelevant. It is still UNIX. "A rose by any other name...." Thanks, I enjoy your publication.

Alan,
Thanks for your comments. I agree with the distinction you make between Linux and "real" UNIX (absent consideration for X/Open's obligatory legal position on such matters). Was there phrasing in one or more of the articles that was misleading?

Regards,
Ralph