Cover V08, I02


Questions and Answers

Bjorn Satdeva

 Q How can I install a network laser printer?

 A Most network printers (all the ones I am aware of) support the common printing protocols. You should therefore be able to treat the printer as if it is a remote print server using, for example, the Berkeley lpd protocol.

 Q How can I take incremental backup of databases from the operating system, not from the database?

 A The short answer is that you can't. The reason is that the UNIX backup utilities do not understand the database internals. What UNIX sees is either one or more large files, or in the case of a database residing on a raw filesystem, a disk partition without a filesystem. You will need to use whatever means your database vendor has provided for you to make your backup of the database.

 Q In SCO UNIX, I can configure devices, etc. by using mkdev. Is there any equivalent command in Sun and HP UNIX systems?

 A The command for creating a single device file is called mknod. In SunOS, you can create groups of device files using the MAKEDEV script (located in the /dev directory). For Solaris, all necessary device files are created at boot time, if you do a boot -r.

 Q How can I hide a .profile file from users so that no user can delete it even though every user runs it when logging into the system?

 A There is no good way to do this. If you change the file to be read-only, and it is owned by root, your users will not be able to modify the file. But unless you take away their write permissions to their home directory, they will still be able to remove it (and potentially re-create it with different content). However, taking away write permissions would also mean they could no longer create any files in their home directory.

 Q I have one DLT drive and one DAT drive. When using the utility mt, the default device is DLT. I would like to change the default drive to DAT. How do I make this modification?

 A Usually, the default device is hard coded in the mt command. If you try to execute the following command (with an appropriate path to the mt command), you should be able to see from the output whether this information is configurable:

strings -a /bin/mt | grep '^/' | sort -u

This command will give you a list of all fully qualified filenames in the executable image for the command. If you want to modify the default value, it will be necessary to recompile the program with the desired value. However, since you most likely do not have the sources, there are two other possibilities you can consider (besides living with your current default).

First, you could try to switch the device files for the two drives. You might be able to do this by switching the SCSI ID for the two devices (if they are on the same controller), or by renaming the two devices, so they switch places. However, either of these solutions will also affect other programs that access these two devices and probably cause unintended side effects.

Second, you could use a binary editor (or any program capable of modifying a binary file). You can then substitute the default string with the desired one, as long as the new string is no longer than the old one. If the new string is shorter, you must explicitly terminate the string with a null value to make this work. If you attempt the second method, make sure that you make the modification on a copy of the program. Do not install it in place of the official version of mt until you know it works.
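The string substitution described above, written out as an added example (not code from the column): it refuses a replacement longer than the original and null-terminates a shorter one. The device names and the in-memory "image" are constructed; on a real system the buffer would hold a copy of the mt binary.

```c
/* Added example: overwrite a NUL-terminated string inside a binary image
 * held in memory. The device names and sample image are constructed. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Find old_s, including its terminating NUL, in buf[0..len).
 * Returns the offset of the first match, or -1 if it is absent. */
long find_cstring(const unsigned char *buf, size_t len, const char *old_s)
{
    size_t n = strlen(old_s) + 1;            /* compare the NUL as well */
    for (size_t i = 0; n <= len && i <= len - n; i++)
        if (memcmp(buf + i, old_s, n) == 0)
            return (long)i;
    return -1;
}

/* Replace old_s with new_s in place without changing the image size.
 * Returns 0 on success, -1 if new_s is too long, -2 if old_s is absent. */
int patch_cstring(unsigned char *buf, size_t len,
                  const char *old_s, const char *new_s)
{
    size_t old_n = strlen(old_s), new_n = strlen(new_s);
    long off;

    if (new_n > old_n)
        return -1;           /* would overwrite whatever follows the string */
    if ((off = find_cstring(buf, len, old_s)) < 0)
        return -2;
    memcpy(buf + off, new_s, new_n);
    /* Explicit terminator, then NUL padding up to the old string's end. */
    memset(buf + off + new_n, 0, old_n - new_n + 1);
    return 0;
}

int main(void)
{
    /* Constructed stand-in for a binary image; not a real mt executable. */
    unsigned char img[] = "HDR\0/dev/tape_dlt\0usage: mt\0";
    int rc = patch_cstring(img, sizeof img, "/dev/tape_dlt", "/dev/dat");

    printf("rc=%d default=%s\n", rc, (char *)img + 4);
    return rc != 0;
}
```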

 Q What is the command to find the version of our SUN ULTRA1?

 A To my knowledge, there is no way to get this information from the operating system. You can get the processor type, however, by typing the command uname -a.

 Q I'm an IS Manager with background in mainframe and Novell networks. Recent migrations have replaced the mainframe with RS6000's and AIX. We have employed regimented daily backup procedures over the years that have caused me some concerns in the AIX world. My preference is to have our night shift computer operators take the daily backups at a quiet time in the system. However, we're using backup and mksysb to complete the tasks, and the operators must be logged in as root to successfully complete the jobs. Can you recommend a procedure where the operators can log in as themselves and run complete system backups without needing superuser authority? I'd appreciate any assistance you can provide.

 A One way to avoid giving the operators root permission is to write a "wrapper" program for each application they must run as root, which does a setuid to root. If you are careful, you can write such wrappers in either C or Perl. Make sure that your program verifies the argument list and that no shell metacharacters are allowed. Do not just take the arguments provided by the operator and pass them unchecked to your program, because a clever user could then use them to get root permission at any time.
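A wrapper of the kind described above, as an added example rather than code from the column: it accepts exactly one argument, checks it against a character allowlist and a fixed device list, and executes the backup directly with a fixed environment so no shell ever sees operator input. It assumes the compiled binary is installed setuid root; the command path, the -i flag, the device names and the opbackup name are assumptions to adapt to the site.

```c
/* Added example: setuid-root wrapper that starts one fixed backup command.
 * BACKUP_CMD, its "-i" flag and the device list are assumptions. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define BACKUP_CMD "/usr/bin/mksysb"            /* assumed absolute path */

static const char *const ALLOWED_DEVICES[] = {  /* assumed tape devices */
    "/dev/rmt0", "/dev/rmt1", NULL
};

/* Return 1 if s uses only allowlisted characters, so no shell
 * metacharacter, whitespace or control character gets through. */
int arg_is_clean(const char *s)
{
    static const char ok[] = "abcdefghijklmnopqrstuvwxyz"
                             "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789/_.";
    if (s == NULL || *s == '\0' || strlen(s) > 64)
        return 0;
    return s[strspn(s, ok)] == '\0';
}

/* Return 1 only for exactly one argument that names an allowed device. */
int args_are_valid(int argc, char *const argv[])
{
    if (argc != 2 || !arg_is_clean(argv[1]))
        return 0;
    for (int i = 0; ALLOWED_DEVICES[i] != NULL; i++)
        if (strcmp(argv[1], ALLOWED_DEVICES[i]) == 0)
            return 1;
    return 0;
}

int main(int argc, char *argv[])
{
    /* Fixed environment: nothing is inherited from the operator's shell. */
    char *const envp[] = { "PATH=/usr/bin:/usr/sbin", NULL };

    if (!args_are_valid(argc, argv)) {
        fputs("usage: opbackup <tape-device>\n", stderr);
        return 2;
    }
    char *const cmd[] = { "mksysb", "-i", argv[1], NULL };
    execve(BACKUP_CMD, cmd, envp);   /* direct exec, no shell involved */
    perror("execve");                /* reached only if the exec failed */
    return 1;
}
```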

 Q We provide CSH login for our users. I want to save the history command of IDLE logins before I kill them to study the commands executed by users.

 A First of all, you will need to be careful, because doing this might be seen as a breach of the users' privacy. With that said, there are a number of possibilities that may or may not work for you. You can use the script command from the users' .login file. This will create a sub-shell and keep a history of all commands in a file. Or you can set the csh variable savehist, which will cause the csh to save the specified number of lines from the history list to the file ~/.history when the user logs out. Neither of these methods is really suited to your purpose, but short of modifying the csh command itself, they are your only options.

 Q Management has mandated a need for performance monitoring on our servers/hosts. Aside from the various "stat" tools, are there any packages that monitor the performance/usage of hosts? Our environment is Sun/Solaris.

 A The only option available that does not require third party software is to turn on "sar" (system activity reporter). It does not provide the details that vmstat, iostat and netstat do, but it is recorded automatically (when set up correctly from cron). The Sun System Administration Guide will give you the necessary information on how to use this set of utilities to generate daily system activity reports.

 Q I use SunOS version 5.5.1, and I want to change the IP address of my workstation. I used command ifconfig, but did not succeed. Please tell me how to do this.

 A If you do a manual reconfiguration of the interface, you must shut down that interface first. For example, if your interface is hme0, use the command:

ifconfig hme0 down

This will allow you to reconfigure that interface with a new IP address. This change will of course only be effective until the next time the machine is rebooted. At that time, it will revert to its old IP address.

If you wish to change the IP address for an interface permanently, use /usr/sbin/sys-unconfig to unconfigure the machine, and then reconfigure it when it comes up after the next reboot (sys-unconfig will shut down the machine). The IP addresses are kept in a number of places in the machine, and the probability that you get it all right the first time is relatively small.

 Q I have a Sun machine running Solaris 2.6. I would like the user accounts in the machine to be locked or disabled if any user attempts to login consecutively for five times with a wrong password. If I configure the /etc/nologin for the same, will it not affect all the users? What should I do to disable accounts of individual users who made five unsuccessful logins?

 A As far as I know, Solaris does not support automatic disabling of accounts after a number of incorrect passwords. There is a very good reason for this. While it sounds like an attractive solution, it has been used in the past by intruders to lock out people who can spot their activities (such as the system administrator). Thus, a system administrator may find herself locked out from her machine.

Solaris instead will (after five incorrect logins) log all login attempts in the file /var/adm/loginlog (if the file exists) and then drop the line. It will also pause for five seconds after a wrong password, making it a very time-consuming process to try to gain access by brute force password guessing.

About the Author

Bjorn Satdeva is the president of /sys/admin, inc., a consulting firm which specializes in large installation system administration. Bjorn is also co-founder and former president of Bay-LISA, a San Francisco Bay Area user's group for system administrators of large sites. Bjorn can be reached at