Questions and Answers
Amy Rich
Readers,
I'm just writing to let everyone know that I have transitioned
all Q&A responsibilities to Amy Rich. With my current job, I
am no longer in front of a UNIX system every day and have become
too far removed from the technology to contribute the quality of
material you're used to. Please give Amy the same support you
gave me (it's actually a pretty tough job writing a monthly
column!). I've really enjoyed writing for all of you, and I
invite you to continue to contact me. Thanks -- Jim McKinstry
Q I have a number of POP
users that receive huge email attachments and then can't download
their mail in any reasonable amount of time. Is there some way I
can set the maximum message size that sendmail will accept,
so that my users don't get these huge pieces of mail in the
first place?
A You can probably increase the
timeout value on your POP server or switch your users over to IMAP
to make the downloading of huge messages easier. You can also set the
maximum message size in sendmail itself: change the
confMAX_MESSAGE_SIZE m4 variable and rebuild your cf file. Check the
following docs for more information:
http://www.sendmail.org/m4/readme.html
http://www.sendmail.org/m4/tweakingoptions.html
Q What's the difference between
A/UX, OS X, and Darwin? I've heard that OS X will run on Intel
hardware. Is this true, and, if so, where can I get the Intel distribution?
A Darwin is the core of Mac OS
X. It's a UNIX-like OS based on FreeBSD, using a Mach 3.0-based
kernel. Darwin runs on PowerPC-based Macintosh computers, and a
version is also available for x86-compatible computers. You can
pick up source code and other information about Darwin on Apple's
Web site: http://www.opensource.apple.com/projects/darwin/.
OS X is essentially the GUI front-end to Darwin. It includes components
like the Cocoa and Carbon toolkits. These bits are not available
for x86 hardware, only for the Mac family. Darwin can run without
OS X, but OS X cannot run without Darwin.
A/UX was Apple's first implementation of UNIX (Apple's
UniX) for earlier Macintosh computers, merging UNIX and the Macintosh
Finder OS. A/UX was based on SysV 2.2 with extensions such as networking,
the fast file system, job control, lpr, NFS and NIS, and sendmail
from SysV 3, SysV 4, and BSD 4.2/4.3. Apple incorporated System
7 for the Mac with A/UX versions 3.x.x, so that many Mac applications
could be run under A/UX. For more information on A/UX, you can take
a look at the A/UX FAQ: http://www.cs.uu.nl/wais/html/na-dir/aux-faq/.html.
A/UX hasn't been supported in quite some time, though, so,
unless you have a very old Mac, Darwin/OS X is your best bet.
Q We're looking at getting
a high-speed line at our office. One of the options is DSL, and
the other is to get a fractional or full T1. In the price quote
for the T1 is a CSU/DSU. What is a CSU/DSU, and what does it do?
Is this the router?
A The CSU/DSU (Channel Service
Unit/Data Service Unit) isolates your network from your ISP's
network, handling the timing and the low-level framing information.
In the case of a T1, the CSU/DSU also recombines the channels of
the multiplexed signal into one or more data streams. The CSU/DSU
then sends the synchronous data stream into the serial port of your
router, which interprets the WAN protocol sent on the wire (PPP,
HDLC, frame relay, etc). The router then has one or more connections
to your LAN segments.
The router is an extra piece, and if it's not in your quote,
the ISP probably expects you to provide it. If you don't know
how to configure the router, you may want to ask your ISP to handle
that piece for you as well.
Q I have a file that is zero length
and has no filename. How do I remove it? An ls shows it as:
-rw-rw----   1 user     group          0 Mar 11 01:12
A First, it does have a name (all files
must have names). Depending on the version of UNIX you're running,
there are different flags to ls to make it show an octal dump.
If you have GNU ls installed, for example, try:
ls -lab
It will probably show the entry as:
-rw-rw----   1 user     group          0 Mar 11 01:12 \ 
This indicates that the file name is a space (" ").
You can remove this file by doing:
rm " "
Also, depending on the contents of the file, this may be an indication
that you've been cracked. Crackers often try to hide files and
directory names by using spaces or spaces and dots so that you're
less likely to notice these new entries. If you have some sort of
security software in place (md5 checksumming, for example), make sure
that nothing changed without your knowing about it.
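As an added example (not code from the column), here is a small shell script that finds directory entries whose names contain whitespace, the hiding trick described above, and shows them so the whitespace is actually visible. The scratch directory and the file names it creates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the column: find directory entries whose
# names contain whitespace (the hiding trick the answer describes) and
# report them in a form where the whitespace is visible. The demo
# directory and its file names are constructed for the demonstration.

# Print each name in DIR containing a space, tab or other whitespace,
# wrapped in double quotes so that a name like " " is actually visible.
# Whole lines are read from ls, so names are never word-split.
show_whitespace_names() {
    ls -A "$1" | grep '[[:space:]]' | sed 's/^/"/; s/$/"/'
}

# Count such names. grep -c prints 0 (but exits 1) when nothing matches,
# so "|| true" keeps the function's exit status clean.
count_whitespace_names() {
    ls -A "$1" | grep -c '[[:space:]]' || true
}

# Build a scratch directory with one normal file plus two entries whose
# names are a lone space and a dot followed by a space.
make_demo_dir() {
    d=$(mktemp -d) || return 1
    : > "$d/normal.txt"
    : > "$d/ "     # the single-space name from the question
    : > "$d/. "    # dot-space, easy to mistake for "."
    printf '%s\n' "$d"
}

# Once found, such a file is removed by quoting its exact name, as the
# answer shows (rm " "); "ls -lib" adds inode numbers if two look alike.
demo() {
    d=$(make_demo_dir) || exit 1
    echo "Entries with whitespace in their names under $d:"
    show_whitespace_names "$d"
    echo "Count: $(count_whitespace_names "$d")"
    rm -rf "$d"
}

case "${1:-}" in
    demo) demo ;;
esac
```

Run it as `sh script.sh demo` to see the constructed directory scanned; point count_whitespace_names at a real directory such as /tmp to use it for checking.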
Q How do I send mail through our
firewall on a port other than 25?
A This depends on whether you're
trying to send mail out to a port other than 25 or whether you're
trying to receive mail on a port other than 25. If you're trying
to listen on a port other than 25, you can change the DAEMON_OPTIONS
m4 setting to the following (assuming your alternate port is 1080):
DAEMON_OPTIONS(`Port=1080, Name=MTA')
If you mean that the machine in question should be sending mail to
an alternate port, you probably want to change RELAY_MAILER_ARGS:
define(`RELAY_MAILER_ARGS', `TCP $h 1080')
This will apply to any mail sent via the "relay" mailer,
which is the one used for things like smarthost. RELAY_MAILER_ARGS
is also the default for other relay definitions, like mailertable
entries, so you need to check that you don't mistakenly misdirect
mail.
Q I want to automatically post news
from a script that I'm writing, but the only news programs
that I know of are interactive ones (Netscape, trn, slrn,
tin, etc.). Is there a way to send stuff directly from the
command line like mailx does for mail?
A Yes, there's a program called
inews that comes with INN and trn that will
take a file (or standard input) as input and speak NNTP to the news
server. inews adds a few headers and does some rudimentary
error checking as well. If the news server cannot be reached, inews
will spool the article, so you'll probably want to run rnews
-U (similar to running sendmail -q for mail) periodically
to make sure that spooled articles actually make it out to the server.
Q I have an ISP account and a work
account. I want to keep a copy of all mail sent to my work account
at my ISP. I have the following line in my .forward at my
work account:
\username,username@isp.net
This all works fine except when my ISP is unreachable for some reason.
If this happens, then the people who sent mail to my work account
get an error message saying that the mail has not been delivered and
will be tried again in four hours (this is the standard sendmail
unreachable error). I want to eliminate this message from going back
to these people when the ISP is unreachable. Is there any way to do
this?
A Check with your company to make
sure that forwarding your mail offsite is allowed by company policy.
Some companies frown upon that and have forbidden it in the employee
contract.
To ensure that people don't get error messages from trying
to deliver to username@isp.net, though, you can change your
.forward to the following:
\username,"|/usr/sbin/sendmail '-f<>' username@isp.net"
The -f switch to sendmail sets the envelope sender of
the forwarded messages. The angle brackets denote the null address
that gets used for bounces (most often seen as MAILER-DAEMON). You
will now receive all error messages for the mail forwarded to username@isp.net
via this .forward. Be sure to use the right path to the sendmail
binary on your system, and take a look at the sendmail man
page and RFC 821 for more information on using -f and <>.
Q I want to give a certain user
the ability to shut down a Solaris machine on our network but give
him no other root privileges and as little access to the system
as possible. Is a chrooted sudo or something the best way to do
this?
A The easiest solution to your
problem is to create a special user called "shutdown".
Give this account a real password and a shell of /usr/sbin/shutdown
(with whatever flags are appropriate). When this person needs to
shut down the machine, he can just log in as the shutdown user.
This was a common trick back in the days of SunOS.
Q We're attempting to determine
the backup/retention cycle for our UNIX servers at work. Are there
any rules of thumb or guidelines that would help us determine what
our cycle should be?
A The backup cycle and retention
times for data are something that must really be considered on a
case-by-case basis. Sometimes even different machines within the
same organization will have different cycles. When determining how
often to back up and how long to retain backups, there are a few
things you want to take into consideration.
1. How important is the data? If you're backing up corporate
financials or legal information and the company would suffer severely
if things were lost, you want to back up the data often. If you're
running an in-house news server and there's no critical company
information in the spool, you may not want to back it up at all.
2. How often does your data change? If your data only changes
once a month, then there's really no reason to back it up more
than once a month or so. If your data changes continuously, then
you may want to back it up one or more times a day.
3. How long does it take to back up the data? If you have huge
amounts of data that take half a day to do a full backup, you're
probably better off backing them up incrementally for the most part
and only doing full backups every once in a while.
4. How long does it take to restore the data, and how quickly
can it be regenerated by other methods? If you have gigs and gigs
of source code builds that take five hours to back up and six hours
to restore, but can be rebuilt from the source in three hours, don't
bother to back up the object files.
5. How far in the future will you need this data? This is similar
to how important the data is but adds a slightly different dimension.
You may have data that is only moderately important now but that
may become more important for legacy reasons (i.e., documentation
on how the 15-year-old voicemail system was set up). If you may
need to restore data from far in the past, you'll want to keep
regular offsite archive dumps.
6. Will you have the hardware to restore archives X years down
the road? If you wind up with nine-track tapes and no nine-track
tape drive, it may be expensive or impossible to find such a drive
to do a restore. If you're on the cusp of phasing out a media
type, you may want to restore certain old datasets and rearchive
them onto the new media type (i.e., restore some or all of your
nine-track tapes and burn them to CD).
Having said all of that, a very common backup scheme is to keep five
weeks of full dumps taken on Sundays and incrementals on Monday through
Saturday, then do a permanent archive backup once a month or
quarter.
Always be sure to verify that your data is good, too. It's
a gut-wrenching feeling to experience a catastrophic failure and
realize that you've had no good backups for three months.
Q I'm getting the following
weird error when I try to su on my Solaris box:
$ su - root
Password:
su: No default project!
What is a default project, and how do I fix this? Have I been cracked
or something?
A You don't say what version
of Solaris you're running, but I'm going to guess that
it's Solaris 8 06/00 or later. The "default project"
that su is looking for is /etc/project, which should
look something like the following:
system:0::::
user.root:1::::
noproject:2::::
default:3::::
group.staff:10::::
Project accounting was introduced in the 06/00 release. See the man
pages for project, projadd, and projdel for more
information. As to why it's missing, perhaps you deleted it not
knowing it was important. There is always some chance that you've
been cracked, too, but it was more than likely an oversight on the
part of the sysadmin (perhaps as part of security measures).
Q I just upgraded to FreeBSD 4.3-STABLE
from 4.1.1, and now sshd no longer works properly. I had
built my own from the ports collection, but I notice that it's
now part of the default distribution. I get the following error
message in /var/log/messages:
sshd[8962]: no modules loaded for 'sshd' service
sshd[8962]: fatal: PAM session setup failed[6]: Permission denied
Obviously something broke in the change from my OpenSSH compile to
the system default with a make world. How do I fix this? I
tried a quick Web search but found nothing with either of those strings.
A If you read /usr/src/UPDATING,
you'll note that they've added OpenSSH things to
PAM, and it includes the new lines that you'll need to add
to make it work.
20010112:
Important new FreeBSD-version stuff: PAM support has been
worked in, partially from the "UNIX" OpenSSH version. This
requires adding the following in pam.conf:
sshd    auth      sufficient  pam_skey.so
sshd    auth      required    pam_unix.so    try_first_pass
sshd    session   required    pam_permit.so
You may also want to take a look at the mergemaster program to help
you merge your config files after an upgrade.
Q I have a bunch of ndd lines
that I want to add to the startup sequence of my Ultra 5 running
Solaris 8. Where should I put the ndd lines? Into /etc/init.d/rootuser,
maybe? Is there a better place?
A As a rule of thumb, you should
not change stock Solaris boot scripts because there's always
the chance that they will be overwritten during a patching session
or an upgrade. Your best bet is to create your own boot script that's
run at the appropriate time. For example, you could create the following
/etc/init.d/tunedriver script:
#!/sbin/sh
#
# /etc/init.d/tunedriver: site-local IP tuning done with ndd at boot.
# Link it into the rc directory (for example /etc/rc2.d/S69tunedriver)
# so that rc runs it with the "start" argument.

case "$1" in
'start')
        /usr/sbin/ndd -set /dev/ip ip_forwarding 0
        /usr/sbin/ndd -set /dev/ip ip6_forwarding 0
        /usr/sbin/ndd -set /dev/ip ip_respond_to_echo_broadcast 0
        /usr/sbin/ndd -set /dev/ip ip_forward_directed_broadcasts 0
        ;;
'stop')
        # nothing to undo; the settings only matter while the system is up
        ;;
*)
        echo "Usage: $0 { start | stop }"
        exit 1
        ;;
esac
Q How do I print the contents of a file
in reverse order (e.g., line 1 will be the last line printed, and
the last line will be printed as the first)? Is it easier to do this
with a shell script, a C program, or some sort of editor macro?
A Probably the easiest way to do
this is a one-liner in perl:
perl -e 'print reverse <>' < your_file
You can, of course, incorporate the print reverse into a larger perl
script if there's other processing you want to do.
Q What's the difference between
NAS and SAN?
A NAS stands for Network Attached
Storage, storage devices attached directly to a computer via fiber/SCSI.
SAN stands for Storage Area Network, usually self-contained devices
that are attached directly to the LAN via Ethernet, FDDI, or ATM.
Many people currently prefer NAS over SAN because SCSI is currently
faster than LAN speeds. With recent technology improvements in LAN
connections, though, this may change in the near future. If you're
looking for some specific products on either end of the spectrum,
two of the most popular are Network Appliance (http://www.netapp.com/)
for SAN, and EMC (http://www.emc.com/) for NAS. For more
information on SAN and NAS, you may want to take a look at the NAS/SAN
site:
http://www.nas-san.com/
or look at vendor Web sites.
Q I need to run a script every 10
seconds to gather statistics on my HP/UX. Under normal circumstances,
I'd use cron to do this, but the granularity on cron
isn't fine enough. Is there some way to make the granularity
on cron finer, or what's the best way to do this?
A If you need to run something
as often as every 10 seconds, you may still be able to use cron
or at, but you may want to look into writing something that
runs at boot time and never exits instead. If you're going
to do a cron job, you may want something like the following:
#!/bin/sh
# Started by cron once a minute: six runs, 10 seconds apart
i=5
while [ $i -ge 0 ]; do
        run command          # replace with the command to run
        i=`expr $i - 1`
        sleep 10
done
However, I'd suggest running a continuous process from boot time.
You can then trim it down to:
#!/bin/sh
# Started once at boot and never exits
while :; do
        run command          # replace with the command to run
        sleep 10
done
If you're doing this to collect system information, you're
probably writing things out to a file. Be sure that 10 seconds is
enough time to actually collect the data and write it out, or you're
going to run into issues with the multiple processes running at the
same time and possible file-locking issues.
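As an added example (not code from the column), this is the boot-time loop with the overlap check the paragraph above calls for: a run that is still writing when the next interval comes around is detected and the new run is skipped instead of colliding with it. The lock directory, output file, interval variable and the sample measurement are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the column: a collector loop that runs
# every 10 seconds from boot and refuses to start a new collection while
# the previous one is still writing, the overlap problem the answer warns
# about. The lock is a directory because mkdir either creates it or fails
# atomically, so two runs can never both believe they hold it. The paths,
# the interval variable and the sample measurement are assumptions.

LOCKDIR=${LOCKDIR:-/tmp/stats-collector.lock}
OUTFILE=${OUTFILE:-/tmp/stats.log}
INTERVAL=${INTERVAL:-10}

acquire_lock() { mkdir "$LOCKDIR" 2>/dev/null; }   # fails if already held
release_lock() { rmdir "$LOCKDIR" 2>/dev/null; }

# The measurement itself: a timestamp plus the load average (or "n/a"
# where /proc/loadavg does not exist), appended to OUTFILE.
collect_once() {
    printf '%s %s\n' "$(date +%s)" \
        "$(cat /proc/loadavg 2>/dev/null || echo n/a)" >> "$OUTFILE"
}

# Run one collection only if no other run is in progress.
# Returns 0 when it ran, 1 when it was skipped because the lock was held.
run_guarded() {
    if acquire_lock; then
        collect_once
        release_lock
        return 0
    fi
    echo "$(date +%s): previous collection still running, skipped" >&2
    return 1
}

# Started once from an rc script and never exits: the continuous process
# the answer recommends instead of a cron entry, with the overlap check.
collector_loop() {
    trap 'release_lock; exit 0' INT TERM
    while :; do
        run_guarded
        sleep "$INTERVAL"
    done
}

case "${1:-}" in
    loop) collector_loop ;;
esac
```

Start it with `sh collector.sh loop` from a boot script; a skipped run shows up on stderr, which is the signal that 10 seconds is not enough for whatever collect_once does.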
Q I need to see modification times
of files down to seconds, but ls only appears to have minutes
as its finest granularity. Is there something else out there that
will work, or will I have to resort to writing my own code?
A If you install GNU ls,
part of fileutils, you can use the --full-time flag.
If you want to write your own C code, though, it's not overly
difficult. (Note that some function calls and required header files
may vary depending on your OS):
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <sys/types.h>
#include <sys/stat.h>

int main(int argc, char **argv) {
    struct stat filestat;

    (void)argc;
    /* walk the file names given on the command line */
    while (argv[1] != NULL) {
        /* lstat() so a symlink reports its own mtime, not its target's */
        if (lstat(argv[1], &filestat) != 0) {
            perror(argv[1]);
            exit(EXIT_FAILURE);
        }
        /* ctime() formats the time down to the second and ends with '\n' */
        printf("%s: %s", argv[1], ctime(&filestat.st_mtime));
        argv++;
    }
    return 0;
}
If you compile and run this program with one or more files as arguments,
it should print out the file name, a colon, and then the mtime
of the file for each file in argv. You can, of course, print
out more information by accessing other parts of the stat structure.
Amy Rich, president of the Boston-based Oceanwave Consulting,
Inc. (http://www.oceanwave.com), has been a UNIX systems
administrator for more than five years. She received a BSCS at Worcester
Polytechnic Institute, and can be reached at: arr@oceanwave.com.