New Messages
From: Mike Davis <mdavis@gltg.com>
Subject: Building a Web Mail Server with SquirrelMail
The section on installing imap is missing make install,
and the section on OpenLDAP is missing make install.
The line just before "Install Apache" about configuring
openldap without BerkeleyDB just doesn't work. --with-ldb_api=ndbm
with ndbm not even being an option.
Under Adding the PHP Module, make su-install should be
make install-su.
Overall, the article was very useful, but the details weren't
accurate enough to get a successful install.
Mike
From: Brent Bice <bbice@persistence.com>
Subject: Re: Building a Web Mail Server with SquirrelMail
You're absolutely right.
It appears that the config line has changed a lot since the last
time I built slapd on Solaris. Try this configure line instead:
./configure --prefix=/usr/local/openldap2.0.15 --without-threads --disable-slapd
That disables the need for ANY back-end. I made the mistake of making
a shell script to extract and compile all the packages in order (for
final testing of my instructions on Solaris) and forgot to check that
the newer openldap libraries really got built. I missed the config
error and PHP got rebuilt successfully since I already had the older
libraries installed. Doh. That's what I get for doing all of
the writing in late nights and weekends, I guess. (sheepish grin)
Brent
From: Mike Zeis <mzeis@cisco.com>
Subject: Correction to June article on performance tuning
I'd like to provide a correction to Bob Larson's article
on performance tuning in the June issue. He mentions that as far
as anyone knows the Wait/IO statistic issue for MP systems has not
been fixed by any Unix vendor. While working at SGI in 1998 I fixed
the problem in Irix 6.5. We needed to support 128 CPU Origin server
systems and I worked to get the WIO problem addressed.
The solution I used was to factor in the number of threads waiting
for I/O to complete when assigning idle time to the cpus. For example,
an idle system with 100 CPUs and one thread waiting for I/O will
then correctly report 99% idle and 1% WIO to reflect the one cpu
that was idle because of the one thread waiting for I/O.
I had become very familiar with the WIO MP problem, having fixed
it earlier while at Cray Research working on their Unix OS called
UNICOS in 1994 and before that working at Control Data on their
MP version of the MIPS r6000 Unix OS called EP/IX way back in 1991.
Michael Zeis
Cisco Systems
From: Ben Bennett <fiji@ayup.limey.net>
Subject: SysAdmin Mag, July 2002 error in "Compiling Palm Apps on Linux"
On page 14 of the July 2002 issue, you say that the code needs
to be changed to accommodate lowercase tags. However, the function
in question (strcasecmp) does a case-insensitive comparison
of the strings so there is no need to change the tags.
Besides which, your proposed solution of adding an "or"
clause for "h1" only works because there is one character
in the string that is case sensitive. I frequently see tags with
capitalized leading characters (e.g., Table vs. TABLE) so adding
cases for all of those possibilities would be overly onerous.
Other than that, it was an interesting article.
Thanks,
Ben
From: Ave Wrigley <Ave.Wrigley@itn.co.uk>
Subject: "Using Email ..." in vol 11 no. 5 of Sys Admin
I have a few comments on Bob Dilworth's article in the current
issue. I have to say that the title of the article set security
alarm bells ringing in my head, but I thought it sounded interesting,
so I pressed on. I found the article well written and absorbing,
but slightly alarming. Here is why.
Security for the emctl.pl script is based in part on the From:
field in the mail header (not MIME header, incidentally). It is
incredibly easy to spoof mail headers - just telnet to port 25 on
the appropriate machine and type them in! However, even if you don't
know how to do this, the emctl.pl script grabs the From: field from
e-mail messages using a simple regex that is applied to the whole
message - header and body - so as long as you have a line matching
/^[F|f]rom:/ (which, bizarrely, also matches "|rom", but
there you are) and includes one of the valid e-mail addresses you
are OK! This does assume that there isn't an invalid e-mail
address in the mail header, but then a From: value that doesn't
have a "@" in it will be ignored anyway, so depending
on your mail client this is relatively easy to get around.
But, suppose you are careless enough not even to do this, surely
the users.dat restrictions prevent you from executing commands?
Apparently not! If a Command: line is found before a matching From:
line (in the header or the body), it is parsed and executed, and
the result is e-mailed to "noone". Since this will not
result in a failure of the open pipe to mailx in mr_mailman, this
failure is not detected (at least, unless you are reading no one's
mailbox!). OK, possible denial of service attack here; nothing more
serious, due to the emctl.dat restrictions. The combination of the
Parse::RecDescent grammar and the emctl.dat file mean that it is
only possible to execute pre-scripted commands, with options that
match the pattern in the grammar, which is fine.
Anyway, I think there is sufficient cause for concern here about
whether this is a sensible approach to remote systems administration.
Apologies if I have misunderstood the script - I am happy to concede
if any of the points I have made are in error, but think this issue
is worth raising nonetheless.
Ave Wrigley
New Media Technology Manager ITN
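Added example (not part of the letter above and not code from emctl.pl; written in Python rather than the script's Perl): the pattern quoted in the letter applied to a constructed message, beside a header-only lookup. The address, the ALLOWED set and both function names are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Pattern quoted in the letter; inside [...] the "|" is a literal character.
LOOSE_FROM = re.compile(r"^[F|f]rom:")
# What was presumably intended: only "F" or "f".
STRICT_FROM = re.compile(r"^[Ff]rom:")

ALLOWED = {"admin@example.org"}  # constructed stand-in for the users.dat entries


def sender_whole_message(raw):
    """Scan every line, header and body alike, as the letter describes."""
    for line in raw.splitlines():
        # A From: value without "@" is ignored, so the scan moves on.
        if LOOSE_FROM.match(line) and "@" in line:
            return parseaddr(line.split(":", 1)[1])[1].lower()
    return None


def sender_header_only(raw):
    """Read From: from the parsed header block; body lines are never seen."""
    msg = message_from_string(raw)
    return parseaddr(msg.get("From", ""))[1].lower() or None


# Constructed message: the header From: has no "@"; the body carries a line
# that the loose pattern accepts and that names an allowed address.
SAMPLE = (
    "From: nobody\n"
    "Subject: test\n"
    "\n"
    "|rom: admin@example.org\n"
    "Command: status\n"
)

if __name__ == "__main__":
    print("whole-message scan:", sender_whole_message(SAMPLE))
    print("header-only lookup:", sender_header_only(SAMPLE))
```

Header-only parsing removes the body-line match, but as the letter points out, the From: header is itself supplied by the sender, so it still is not authentication.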
From: Bob Dilworth <bdilworth@mco.edu>
Subject: Re: "Using Email ..." in vol 11 no. 5 of Sys Admin
Thanks for the email regarding my article in the May, 2002 Sys
Admin. I really do appreciate your comments regarding the flaws
in my script and the fact that you took the time to write me.
Unfortunately, I can't take the article back since it's
already "out there". I can, however, fix it up internally
here at MCO so that it's better behaved, which I will do.
Thanks again!
Bob Dilworth
Medical College of Ohio