Cover V12, I10



Questions and Answers

Amy Rich

Q Does FreeBSD have support for 802.11g? I just purchased a new Apple Base Station Extreme, and I'd like to run everything as 802.11g so I'm pushing bits across the wire faster. Unfortunately, I have a number of FreeBSD laptops as well as the Apple laptops to worry about.

A The ath driver, which provides support for wireless adapters based on the Atheros AR5210, AR5211, and AR5212 chips, was committed to FreeBSD-current in June. The R5212-based devices support 802.11g, so that may be something to work with. FreeBSD-current may not be stable enough for your environment, though, so you may want to set up two separate networks -- one for your 802.11b users and one for your 802.11g users.

Q I'm trying to set up mailman on a Solaris 8 box running Apache 1.3.26. I've successfully done the mailman install, and I've added the following line to httpd.conf:

ScriptAlias     /mailman/       "/usr/local/mailman/cgi-bin/"
Running apachectl configtest shows that the syntax is good. However, when I try to go to, I get garbage. The first line has a bunch of empty boxes and the word ELF. Later it shows some HTML:

Content-type: text/html
<title>Mailman CGI error!!!</title>
<h1>Mailman CGI error!!!</h1>
The Mailman CGI wrapper encountered a fatal error.
This entry is being stored in your syslog:
Failure to find group name %s.  Try adding this group
to your system, or re-run configure, providing an
existing group name with the command line option %s.
Group mismatch error.  Mailman expected the %s
wrapper script to be executed as group "%s", but
the system's %s server executed the %s script as
group "%s".  Try tweaking the %s server to run the
script as group "%s", or re-run configure,
providing the command line option s=%s'.
Mailman cgi-wrapper (create)
Then there's a bunch of what looks like compiler output.

as: Sun WorkShop 6 99/08/18
@(#)SunOS 5.8 Generic February 2000
GCC: (GNU) 2.95.3 20010315 (release)
My apache is running with the username and group of www. I made sure to specify --with-cgi-gid=www when I ran configure before compiling mailman. This error seems to indicate that it can't find the www group. Is there someplace else I need to specify things?

A This doesn't look like a problem with mailman; this looks like a problem with your apache. It appears to be opening the create binary as a regular file. Your ScriptAlias line looks fine, but maybe you have it under a VirtualHost or Directory container that isn't applicable? Another possibility is that you're not loading mod_cgi. Make sure the following two lines exist in your httpd.conf:

LoadModule cgi_module          libexec/
AddModule mod_cgi.c
Q I'm running OS X 10.2.6, and I've installed fink to grab a bunch of GNU packages. Sometimes when I select packages within dselect, I get a bunch of garbage in my window. This makes it impossible to do anything, and I wind up having to kill dselect. Did I somehow misconfigure something, or is this a bug?

A There are known issues with dselect and the OS X termcap. You can work around this by changing your terminal type to xterm-xfree86:

setenv TERM xterm-xfree86
Q I'm trying to use logadm as supplied with Solaris 9. Most of the logs rotate ok, but for very large log files, I get this message:

logadm: Warning: /var/log/<logfile>: Value too large for defined data type
I take this to mean that logadm is not largefile capable, which seems rather counter-intuitive, since it's supposed to be handling "endlessly growing log files." Is there a patch out for this that I just can't track down?

A If you have a Sunsolve account, you can log in and search for logadm. The third hit is bugid 4763519 dated June 19th, 2003: "logadm fails to rotate > 2GB files." Apparently this is fixed in s10_37, so I would expect a backwards patch for Solaris 9 sometime in the future. If this is critical and you have a support contract, you can try to escalate and/or obtain a T patch.

Q I was attempting to upgrade the FreeBSD ports collection with portupgrade when it segfaulted and dumped core on me:

[Updating the pkgdb <format:bdb1_btree> in /var/db/pkg ... \
  - 239 packages found (-4 +7)
(...)/usr/local/lib/ruby/site_ruby/1.6/pkgdb.rb:454: [BUG] \
  Segmentation fault ruby 1.6.8 (2003-03-26)     [i386-freebsd4]
Abort trap (core dumped)
I tried running and compiling some other programs because I thought maybe it was a problem with my hardware or the compiler, or libraries, etc. Everything else checks out ok, though, so I'm stumped. Portupgrade was working just fine a few weeks ago, and it hasn't been touched in ages. What could have gone wrong between now and then?

A Most likely you have run into a known bug with portupgrade. Do you also encounter errors when running pkgdb? From the BUGS section in the portupgrade(1) man page:

Sometimes a database may get corrupt and the pkgtools commands start to abort due to segmentation fault. In such cases, run "pkgdb -fu" to rebuild the database, and the problems will go away.

Q I want to configure all of our internal machines to use an ntp server so that they're always in sync with each other. I have ntp installed, but I'm wondering who I should use as my ntp server?

A To begin, it's bad form to have all of your internal hosts hammer an external ntp server. You should set up a few of your own machines as internal ntp servers and have all of your other internal machines sync off them. You want more than one machine acting as an ntp server internally in case you have a hardware failure. Each of these internal servers should in turn sync off three to five public stratum 2 or stratum 3 servers. Your ISP may offer ntp servers, and/or you can use some from the list of public ntp servers at:
The best configuration includes multiple ntp servers that are close to you (network-wise, not geographically) but on different networks for redundancy's sake.

Q I've configured sendmail 8.12.9 to authenticate clients with LOGIN and PLAIN via saslauthd. For security purposes, I'm running sendmail as a non-root user. Authentication is working, but I receive the following error message:

Sep 10 15:31:21 mailhost sendmail[3841]: OTP unavailable because 
can't read/write key database /etc/opiekeys: Permission denied
The error makes sense since /etc/opiekeys is owned by root, but I don't want opie enabled at all.

A You compiled SASL with opie, so it will attempt to use it unless you specify otherwise. You can recompile SASL specifying the --with-opie=no switch, or you can add a mech_list line to sendmail's SASL configuration file (usually /usr/lib/sasl/Sendmail.conf):

mech_list: LOGIN PLAIN
Q We have a lab with a lot of generic machines without interesting names. Each of them is called cslab-X where X is the last portion of the dotted quad IP. Instead of creating all of these entries by hand, I've heard there's a bind directive called GENERATE that will take a range of numbers and create A and PTR records for me. I'm having a bit of trouble with the syntax, though. Would it be possible for you to provide an example?

A If you want to automatically generate A records, you must be running BIND 9. BIND 8 will only generate PTR, NS, and CNAME records. Assuming you're running BIND 9, let's say that you have the class C-sized address 192.168.1.x and you want to have through The entry for your PTR records would be:

$GENERATE 128-253 $ PTR cslab-$.my.domain.
The $ORIGIN line provides a base for the LHS of the $GENERATE directive. If the LHS isn't fully qualified, the $ORIGIN will be tacked onto the end. If you didn't use an $ORIGIN statement, you would write your $GENERATE line as:

$GENERATE 128-253 $.1.168.192.IN-ADDR.ARPA PTR cslab-$.my.domain.
Similarly, your A records would be generated by:

$GENERATE 128-253 cslab-$ A 192.168.1.$
Q I'm trying to install UW-IMAP to use strong SSL encryption mechanisms. Following the SSL build/install instructions, I can get a binary that will accept any encryption mechanism, but I don't see a way to configure IMAP not to accept weak ciphers. Is there such a beast, or do I need to switch IMAP servers (which would be difficult)?

A There are no configuration settings to specify which ciphers you want UW-IMAP to accept, but there is a place in the code to change this before compilation. In the file src/osdep/unix/ssl_unix.c, define SSLCIPHERLIST to whatever you want. For example:

Q We're running OpenSSH 3.6.1p1 at our site. When we try to ssh with compression turned on (specifying -C on the command line), the connection is terminated prematurely, and we receive the error:

buffer_append_space: alloc 10506240 not supported
If we turn off compression, everything works just fine. This feels like a bug, but we have some machines with the exact same version of OpenSSH that work just fine. I'm rather stumped.

A I've heard of this bug cropping up when there were issues with the version of zlib that OpenSSH was linked against (the compression bits are done by libz). You can try upgrading your version of zlib or using the same version of zlib that's installed on the working machines.

Q Our company is considering setting up 802.11b networks in buildings we share with other companies. Our security officer is concerned about these other companies obtaining data from the wireless network and using it to piggyback our Internet connections. Is there a resource that explains 802.11b security and the like?

A There is a Wireless LAN Security FAQ available at:
which should answer most of your questions. The short of it is that it's very hard to secure a wireless network if you're in close proximity to untrusted neighbors.

Q We run sendmail 8.12.9 on HP/UX machines, and we see a lot of spam that originates from sites without a valid reverse DNS entry. Is there a way to block these people entirely using sendmail alone? Maybe a milter or a ruleset or a database entry?

A Rejecting mail from sites that fail a reverse DNS test often leads to dropping valid email. Putting a block like this in place isn't highly recommended, especially for businesses that usually see mail from a variety of places, but it is possible. Neil Rickert wrote a ruleset called require_rdns that will do what you desire. It can be found at:
Q I'm trying to mount a Linux NFS partition on an AIX machine, but I'm not having much luck. On the Linux box, /etc/exports contains the following simple entry:

/nfspart aix
When I try to do the mount as root on the AIX box, I get:

vmount: Operation not permitted.
/var/log/messages on the Linux machine logs that looks like it might be relevant (where XXXXXXXX is the hostid):

Sep 12 10:07:21 linux rpc.mountd: authenticated mount request 
from aix:1248 for /nfspart (/nfspart)
Sep 12 10:07:22 linux kernel: nfsd: request from insecure port 
A Your problem is that the AIX box is trying to talk to the Linux machine's nfsd on non-privileged ports, and the Linux machine will only accept connections from privileged ports. You can force the AIX box to send its requests on privileged ports by using the nfs_use_reserved_ports tuning parameter. You can add the following to /etc/rc.nfs on your AIX box to make changes persist through a reboot (adjust the path to nfso accordingly based on your OS version):

if [ -x /usr/sbin/nfso ]; then
  echo "Tuning nfso paramters to force nfs reserved ports"
  /usr/sbin/nfso -o nfs_use_reserved_ports=1
For more information on this and other AIX tunable parameters, see:
Q I'm running Solaris 9 and have my shell set to ksh. My path is set as follows:

echo $PATH
       /usr/ucb/sparcv9:/usr/local/bin:/usr/local/sbin:/usr/ \
         local/libexec:/usr/xpg4/bin:/usr/sfw/bin:/usr/sfw/sbin:/ \
         usr/bin:/usr/sbin::/sbin:/usr/openwin/bin:/usr/ccs/bin:/ \
As you can see, I have . last in my path, which means that the current directory should always be the last thing searched. This seems not to be the case, though, because when I accidentally created a file called xterm in my current directory, it tried to run that instead of /usr/openwin/bin/xterm!

$ which xterm
$ cd /tmp; touch ./xterm
$ which xterm
$ cd ~
$ which xterm
This seems like pretty broken and dangerous behavior to me, and I'm not sure why it's happening. Is there a bug in ksh that needs patching? I looked around Sunsolve but didn't turn up anything that looked appropriate.

A It took me a while to discover your problem, and I'll bet that your eye has just glossed over it, too. Between /usr/sbin and /sbin you have, not one, but two colons. A null entry in your PATH equates to the same thing as a dot. The ksh man page covers this case in a section called "Execution" about half way through:

The shell variable PATH defines the search path for the directory containing the command. Alternative directory names are separated by a colon (:). The default path is /bin:/usr/bin: (specifying /bin, /usr/bin, and the current directory in that order). The current directory can be specified by two or more adjacent colons, or by a colon at the beginning or end of the path list. If the command name contains a / then the search path is not used. Otherwise, each directory in the path is searched for an executable file. If the file has execute permission but is not a directory or an a.out file, it is assumed to be a file containing shell commands. A sub-shell is spawned to read it. All non-exported aliases, functions, and variables are removed in this case. A parenthesized command is executed in a sub-shell without removing non-exported quantities.

Amy Rich, president of the Boston-based Oceanwave Consulting, Inc. (, has been a UNIX systems administrator for more than 10 years. She received a BSCS at Worcester Polytechnic Institute, and can be reached at: