Cover V12, I10

oct2003.tar

Questions and Answers

Amy Rich

Q Does FreeBSD have support for 802.11g? I just purchased a new Apple Base Station Extreme, and I'd like to run everything as 802.11g so I'm pushing bits across the wire faster. Unfortunately, I have a number of FreeBSD laptops as well as the Apple laptops to worry about.

A The ath driver, which provides support for wireless adapters based on the Atheros AR5210, AR5211, and AR5212 chips, was committed to FreeBSD-current in June. The AR5212-based devices support 802.11g, so that may be something to work with. FreeBSD-current may not be stable enough for your environment, though, so you may want to set up two separate networks -- one for your 802.11b users and one for your 802.11g users.

Q I'm trying to set up mailman on a Solaris 8 box running Apache 1.3.26. I've successfully done the mailman install, and I've added the following line to httpd.conf:

ScriptAlias     /mailman/       "/usr/local/mailman/cgi-bin/"

Running apachectl configtest shows that the syntax is good. However, when I try to go to http://www.my.domain/mailman/create, I get garbage. The first line has a bunch of empty boxes and the word ELF. Later it shows some HTML:

Content-type: text/html
<head>
<title>Mailman CGI error!!!</title>
</head><body>
<h1>Mailman CGI error!!!</h1>
The Mailman CGI wrapper encountered a fatal error.
This entry is being stored in your syslog:
<pre>
</pre>
--with-cgi-gid
web
CGI
--with-mail-gid
mail
Failure to find group name %s.  Try adding this group
to your system, or re-run configure, providing an
existing group name with the command line option %s.
Group mismatch error.  Mailman expected the %s
wrapper script to be executed as group "%s", but
the system's %s server executed the %s script as
group "%s".  Try tweaking the %s server to run the
script as group "%s", or re-run configure,
providing the command line option s=%s'.
PATH=
PYTHONHOME=
PYTHONPATH=
Mailman cgi-wrapper (create)
create
www
driver

Then there's a bunch of what looks like compiler output.

as: Sun WorkShop 6 99/08/18
@(#)SunOS 5.8 Generic February 2000
GCC: (GNU) 2.95.3 20010315 (release)

My apache is running with the username and group of www. I made sure to specify --with-cgi-gid=www when I ran configure before compiling mailman. This error seems to indicate that it can't find the www group. Is there someplace else I need to specify things?

A This doesn't look like a problem with mailman; this looks like a problem with your apache. It appears to be opening the create binary as a regular file. Your ScriptAlias line looks fine, but maybe you have it under a VirtualHost or Directory container that isn't applicable? Another possibility is that you're not loading mod_cgi. Make sure the following two lines exist in your httpd.conf:

LoadModule cgi_module          libexec/mod_cgi.so
AddModule mod_cgi.c

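
The two checks implied by that diagnosis, written out as an added example (this is not code from the column, from Mailman or from Apache): one confirms that what the browser received really is the raw ELF binary of the CGI wrapper, by looking at the first four bytes of a saved response body, and the other confirms that both mod_cgi lines are present and uncommented in an httpd.conf. The response body and the httpd.conf fed to them below are constructed for the demonstration, and the paths are placeholders.

```sh
#!/bin/sh
# Added example: diagnose "Apache served the CGI as a file" without guessing.
# Assumed inputs: a saved response body and an httpd.conf; both are constructed below.

# Return 0 if the file starts with the ELF magic number (0x7f 'E' 'L' 'F').
# A CGI that ran would have produced a Content-type header, not a program image.
is_elf_body() {
  magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
  [ "$magic" = "7f454c46" ]
}

# Report which of the two Apache 1.3 mod_cgi directives is missing (commented-out
# lines do not count); return 0 only when both are present.
cgi_module_lines() {
  conf=$1 missing=0
  if ! grep -E '^[[:space:]]*LoadModule[[:space:]]+cgi_module[[:space:]]' "$conf" >/dev/null; then
    echo "missing: LoadModule cgi_module"
    missing=1
  fi
  if ! grep -E '^[[:space:]]*AddModule[[:space:]]+mod_cgi\.c' "$conf" >/dev/null; then
    echo "missing: AddModule mod_cgi.c"
    missing=1
  fi
  return $missing
}

# --- constructed sample inputs, standing in for a real response and a real httpd.conf ---
demo=$(mktemp -d)
printf '\177ELF\001\001\001garbage' > "$demo/body.bin"       # what the reader saw: boxes and "ELF"
printf 'Content-type: text/html\n\n<html>' > "$demo/body.ok"  # what a CGI that ran would return
cat > "$demo/httpd.conf" <<'EOF'
LoadModule cgi_module          libexec/mod_cgi.so
#AddModule mod_cgi.c
ScriptAlias     /mailman/       "/usr/local/mailman/cgi-bin/"
EOF

if is_elf_body "$demo/body.bin"; then
  echo "body.bin is a raw ELF binary: Apache handed the CGI out as a file"
fi
if ! is_elf_body "$demo/body.ok"; then
  echo "body.ok is not an ELF image: that CGI was executed"
fi
cgi_module_lines "$demo/httpd.conf" || echo "mod_cgi is not fully enabled in this httpd.conf"
rm -rf "$demo"
```

On the real server, save the page with a client that does not try to render it (for example curl with -o) and hand that file to is_elf_body; a hit means the ScriptAlias is not being applied to that request or mod_cgi is not loaded, exactly the two possibilities raised in the answer.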
Q I'm running OS X 10.2.6, and I've installed fink to grab a bunch of GNU packages. Sometimes when I select packages within dselect, I get a bunch of garbage in my window. This makes it impossible to do anything, and I wind up having to kill dselect. Did I somehow misconfigure something, or is this a bug?

A There are known issues with dselect and the OS X Terminal.app termcap. You can work around this by changing your terminal type to xterm-xfree86:

setenv TERM xterm-xfree86

Q I'm trying to use logadm as supplied with Solaris 9. Most of the logs rotate ok, but for very large log files, I get this message:

logadm: Warning: /var/log/<logfile>: Value too large for defined data type

I take this to mean that logadm is not largefile capable, which seems rather counter-intuitive, since it's supposed to be handling "endlessly growing log files." Is there a patch out for this that I just can't track down?

A If you have a Sunsolve account, you can log in and search for logadm. The third hit is bugid 4763519 dated June 19th, 2003: "logadm fails to rotate > 2GB files." Apparently this is fixed in s10_37, so I would expect a backwards patch for Solaris 9 sometime in the future. If this is critical and you have a support contract, you can try to escalate and/or obtain a T patch.

Q I was attempting to upgrade the FreeBSD ports collection with portupgrade when it segfaulted and dumped core on me:

[Updating the pkgdb <format:bdb1_btree> in /var/db/pkg ... - 239 packages found (-4 +7)
(...)/usr/local/lib/ruby/site_ruby/1.6/pkgdb.rb:454: [BUG] Segmentation fault ruby 1.6.8 (2003-03-26) [i386-freebsd4]
Abort trap (core dumped)

I tried running and compiling some other programs because I thought maybe it was a problem with my hardware or the compiler, or libraries, etc. Everything else checks out ok, though, so I'm stumped. Portupgrade was working just fine a few weeks ago, and it hasn't been touched in ages. What could have gone wrong between now and then?

A Most likely you have run into a known bug with portupgrade. Do you also encounter errors when running pkgdb? From the BUGS section in the portupgrade(1) man page:

Sometimes a database may get corrupt and the pkgtools commands start to abort due to segmentation fault. In such cases, run "pkgdb -fu" to rebuild the database, and the problems will go away.

Q I want to configure all of our internal machines to use an ntp server so that they're always in sync with each other. I have ntp installed, but I'm wondering who I should use as my ntp server?

A To begin, it's bad form to have all of your internal hosts hammer an external ntp server. You should set up a few of your own machines as internal ntp servers and have all of your other internal machines sync off them. You want more than one machine acting as an ntp server internally in case you have a hardware failure. Each of these internal servers should in turn sync off three to five public stratum 2 or stratum 3 servers. Your ISP may offer ntp servers, and/or you can use some from the list of public ntp servers at:

http://www.eecis.udel.edu/~mills/ntp/servers.html
The best configuration includes multiple ntp servers that are close to you (network-wise, not geographically) but on different networks for redundancy's sake.
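
The two roles the answer describes, written out as ntp.conf fragments; this is an added example, not configuration from the column. The host names, the 192.168.0.0/16 internal range, and the public server names are placeholders to be replaced with your ISP's servers or entries from the public list above, and the driftfile path differs from one OS to another. The restrict lines use ntpd 4.x keywords.

```conf
# --- /etc/ntp.conf on each internal NTP server (here: ntp-a and ntp-b) ---
driftfile /var/ntp/ntp.drift

# three to five public stratum 2/3 servers, close on the network but on different
# networks from each other; placeholder names, replace them with real ones
server stratum2-a.example.net
server stratum2-b.example.net
server stratum3-c.example.net

# the other internal server, so the two stay consistent and either can carry the load
peer ntp-b.internal

# outsiders get time answers only: no ntpq/ntpdc queries, no runtime changes, no traps
restrict default nomodify notrap noquery nopeer
restrict 127.0.0.1
# the internal network may query for troubleshooting but still cannot modify
restrict 192.168.0.0 mask 255.255.0.0 nomodify notrap

# --- /etc/ntp.conf on every other internal machine ---
driftfile /var/ntp/ntp.drift
server ntp-a.internal
server ntp-b.internal

# a client needs no inbound NTP at all except the replies from its own servers
restrict default ignore
restrict 127.0.0.1
restrict ntp-a.internal nomodify notrap noquery
restrict ntp-b.internal nomodify notrap noquery
```

With "restrict default ignore" on the clients, every server the client talks to needs its own restrict line, as shown; forget one and that server's replies are silently dropped, which shows up in ntpq -p as a peer that never reaches.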

Q I've configured sendmail 8.12.9 to authenticate clients with LOGIN and PLAIN via saslauthd. For security purposes, I'm running sendmail as a non-root user. Authentication is working, but I receive the following error message:

Sep 10 15:31:21 mailhost sendmail[3841]: OTP unavailable because can't read/write key database /etc/opiekeys: Permission denied

The error makes sense since /etc/opiekeys is owned by root, but I don't want opie enabled at all.

A You compiled SASL with opie, so it will attempt to use it unless you specify otherwise. You can recompile SASL specifying the --with-opie=no switch, or you can add a mech_list line to sendmail's SASL configuration file (usually /usr/lib/sasl/Sendmail.conf):

mech_list: LOGIN PLAIN

Q We have a lab with a lot of generic machines without interesting names. Each of them is called cslab-X where X is the last portion of the dotted quad IP. Instead of creating all of these entries by hand, I've heard there's a bind directive called GENERATE that will take a range of numbers and create A and PTR records for me. I'm having a bit of trouble with the syntax, though. Would it be possible for you to provide an example?

A If you want to automatically generate A records, you must be running BIND 9. BIND 8 will only generate PTR, NS, and CNAME records. Assuming you're running BIND 9, let's say that you have the class C-sized address 192.168.1.x and you want to have cslab-128.my.domain through cslab-253.my.domain. The entry for your PTR records would be:

$ORIGIN 1.168.192.IN-ADDR.ARPA
$GENERATE 128-253 $ PTR cslab-$.my.domain.

The $ORIGIN line provides a base for the LHS of the $GENERATE directive. If the LHS isn't fully qualified, the $ORIGIN will be tacked onto the end. If you didn't use an $ORIGIN statement, you would write your $GENERATE line as:

$GENERATE 128-253 $.1.168.192.IN-ADDR.ARPA PTR cslab-$.my.domain.

Similarly, your A records would be generated by:

$GENERATE 128-253 cslab-$ A 192.168.1.$

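
To see exactly which records those three directives produce before loading the zone, here is an added example (not code from the column or from BIND) that expands a $GENERATE line the way the answer describes: the range is walked, every $ in the LHS and RHS is replaced by the current number, and an owner name that does not end in a dot gets the $ORIGIN appended. It handles only the form used above (start-stop, a bare $ as the iterator, one record type); BIND's step and ${offset,width,base} modifiers are deliberately left out. The zone and host names are the answer's placeholders.

```sh
#!/bin/sh
# Added example: expand a $GENERATE directive into the records BIND would create.
# Assumes the simple form used in the answer; the zone names are placeholders.

# Replace every '$' in a template with the iterator value.
subst_dollar() {
  printf '%s' "$1" | sed "s/\\\$/$2/g"
}

# Append the origin unless the name is already fully qualified (ends in a dot).
qualify() {
  origin=${2%.}
  case $1 in
    *.) printf '%s\n' "$1" ;;
    *)  printf '%s.%s.\n' "$1" "$origin" ;;
  esac
}

# expand_generate ORIGIN START STOP LHS TYPE RHS
# prints one "owner TYPE rdata" line per value in START..STOP
expand_generate() {
  gen_origin=$1 i=$2 stop=$3 lhs=$4 rtype=$5 rhs=$6
  while [ "$i" -le "$stop" ]; do
    owner=$(qualify "$(subst_dollar "$lhs" "$i")" "$gen_origin")
    rdata=$(subst_dollar "$rhs" "$i")
    printf '%s %s %s\n' "$owner" "$rtype" "$rdata"
    i=$((i + 1))
  done
}

# The PTR directive under "$ORIGIN 1.168.192.IN-ADDR.ARPA" -- first and last record:
expand_generate 1.168.192.IN-ADDR.ARPA 128 253 '$' PTR 'cslab-$.my.domain.' | sed -n '1p;$p'
# The A directive in the forward zone (origin my.domain) -- first and last record:
expand_generate my.domain 128 253 'cslab-$' A '192.168.1.$' | sed -n '1p;$p'
```

The expansion is 126 records each way; pipe the output through wc -l to check that a range typo (128-235, say) has not silently shortened it, and remember that the RHS of the A record is an address, so qualification applies to the owner only.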
Q I'm trying to install UW-IMAP to use strong SSL encryption mechanisms. Following the SSL build/install instructions, I can get a binary that will accept any encryption mechanism, but I don't see a way to configure IMAP not to accept weak ciphers. Is there such a beast, or do I need to switch IMAP servers (which would be difficult)?

A There are no configuration settings to specify which ciphers you want UW-IMAP to accept, but there is a place in the code to change this before compilation. In the file src/osdep/unix/ssl_unix.c, define SSLCIPHERLIST to whatever you want. For example:

#define SSLCIPHERLIST "RC4-MD5:RC2-CBC-MD5:DES-CBC-MD5:DES-CBC3-MD5:RC4-64-MD5"

Q We're running OpenSSH 3.6.1p1 at our site. When we try to ssh with compression turned on (specifying -C on the command line), the connection is terminated prematurely, and we receive the error:

buffer_append_space: alloc 10506240 not supported

If we turn off compression, everything works just fine. This feels like a bug, but we have some machines with the exact same version of OpenSSH that work just fine. I'm rather stumped.

A I've heard of this bug cropping up when there were issues with the version of zlib that OpenSSH was linked against (the compression bits are done by libz). You can try upgrading your version of zlib or using the same version of zlib that's installed on the working machines.

Q Our company is considering setting up 802.11b networks in buildings we share with other companies. Our security officer is concerned about these other companies obtaining data from the wireless network and using it to piggyback our Internet connections. Is there a resource that explains 802.11b security and the like?

A There is a Wireless LAN Security FAQ available at:

http://www.iss.net/wireless/WLAN_FAQ.php
which should answer most of your questions. The short of it is that it's very hard to secure a wireless network if you're in close proximity to untrusted neighbors.

Q We run sendmail 8.12.9 on HP/UX machines, and we see a lot of spam that originates from sites without a valid reverse DNS entry. Is there a way to block these people entirely using sendmail alone? Maybe a milter or a ruleset or a database entry?

A Rejecting mail from sites that fail a reverse DNS test often leads to dropping valid email. Putting a block like this in place isn't highly recommended, especially for businesses that usually see mail from a variety of places, but it is possible. Neil Rickert wrote a ruleset called require_rdns that will do what you desire. It can be found at:

http://www.cs.niu.edu/~rickert/cf/hack/require_rdns.m4
Q I'm trying to mount a Linux NFS partition on an AIX machine, but I'm not having much luck. On the Linux box, /etc/exports contains the following simple entry:

/nfspart aix

When I try to do the mount as root on the AIX box, I get:

linux:/nfspart
vmount: Operation not permitted.

/var/log/messages on the Linux machine logs this, which looks like it might be relevant (where XXXXXXXX is the hostid):

Sep 12 10:07:21 linux rpc.mountd: authenticated mount request from aix:1248 for /nfspart (/nfspart)
Sep 12 10:07:22 linux kernel: nfsd: request from insecure port (XXXXXXXX:34375)!

A Your problem is that the AIX box is trying to talk to the Linux machine's nfsd on non-privileged ports, and the Linux machine will only accept connections from privileged ports. You can force the AIX box to send its requests on privileged ports by using the nfs_use_reserved_ports tuning parameter. You can add the following to /etc/rc.nfs on your AIX box to make changes persist through a reboot (adjust the path to nfso accordingly based on your OS version):

if [ -x /usr/sbin/nfso ]; then
  echo "Tuning nfso parameters to force nfs reserved ports"
  /usr/sbin/nfso -o nfs_use_reserved_ports=1
fi

For more information on this and other AIX tunable parameters, see:

http://publibn.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixbman/prftungd/2365a83.htm#IDX2758

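
When more than one client is involved, the Linux side's log is the quickest way to find every machine that still needs the nfso change. The following is an added example (not code from the column, AIX, or the Linux NFS tools) that pulls the "request from insecure port" complaints out of syslog lines, reports the source port, and turns the eight-character hostid into a dotted quad. It assumes the hostid is the client's IPv4 address written as eight hex digits, which is how that nfsd message printed it on kernels of the period; the log lines it runs on are constructed for the demonstration.

```sh
#!/bin/sh
# Added example: find NFS clients that talk from unreserved ports, from syslog.
# Assumption: the hostid in "(XXXXXXXX:port)" is the client IPv4 address in hex.

# c0a80105 -> 192.168.1.5
hexid_to_ip() {
  h=$1
  a=$(printf '%s' "$h" | cut -c1-2) b=$(printf '%s' "$h" | cut -c3-4)
  c=$(printf '%s' "$h" | cut -c5-6) d=$(printf '%s' "$h" | cut -c7-8)
  printf '%d.%d.%d.%d\n' "$((0x$a))" "$((0x$b))" "$((0x$c))" "$((0x$d))"
}

# Read syslog lines on stdin; print "client-ip source-port" for every complaint.
insecure_nfs_clients() {
  sed -n 's/.*nfsd: request from insecure port (\([0-9a-fA-F]\{8\}\):\([0-9]\{1,5\}\)).*/\1 \2/p' |
  while read -r hexid port; do
    printf '%s %s\n' "$(hexid_to_ip "$hexid")" "$port"
  done
}

# Same input; print each offending client once, i.e. the list of boxes to tune.
distinct_insecure_hosts() {
  insecure_nfs_clients | awk '{ print $1 }' | sort -u
}

# Constructed sample log (modelled on the reader's excerpt, with invented hostids).
sample_log='Sep 12 10:07:21 linux rpc.mountd: authenticated mount request from aix:1248 for /nfspart (/nfspart)
Sep 12 10:07:22 linux kernel: nfsd: request from insecure port (c0a80105:34375)!
Sep 12 10:07:40 linux kernel: nfsd: request from insecure port (c0a80105:34380)!
Sep 12 10:12:03 linux kernel: nfsd: request from insecure port (c0a80107:40001)!
Sep 12 10:15:11 linux sshd[2211]: Accepted publickey for admin from 192.168.1.9 port 51022'

echo "complaints (client port):"
printf '%s\n' "$sample_log" | insecure_nfs_clients
echo "clients that need nfs_use_reserved_ports=1:"
printf '%s\n' "$sample_log" | distinct_insecure_hosts
```

Run it as "insecure_nfs_clients < /var/log/messages" on the Linux server. The other half of the same fix, if you would rather relax the server than tune every client, is the insecure option on the export in /etc/exports, but that widens who can issue NFS requests, so the reserved-port tuning in the answer is the better default.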
Q I'm running Solaris 9 and have my shell set to ksh. My path is set as follows:

$ echo $PATH
/usr/ucb/sparcv9:/usr/local/bin:/usr/local/sbin:/usr/local/libexec:/usr/xpg4/bin:/usr/sfw/bin:/usr/sfw/sbin:/usr/bin:/usr/sbin::/sbin:/usr/openwin/bin:/usr/ccs/bin:/usr/ucb:/usr/local/etc:/usr/etc:/etc:/opt/RICHPse/bin:.

As you can see, I have . last in my path, which means that the current directory should always be the last thing searched. This seems not to be the case, though, because when I accidentally created a file called xterm in my current directory, it tried to run that instead of /usr/openwin/bin/xterm!

$ which xterm
/usr/openwin/bin/xterm
$ cd /tmp; touch ./xterm
$ which xterm
/tmp/xterm
$ cd ~
$ which xterm
/usr/openwin/bin/xterm

This seems like pretty broken and dangerous behavior to me, and I'm not sure why it's happening. Is there a bug in ksh that needs patching? I looked around Sunsolve but didn't turn up anything that looked appropriate.

A It took me a while to discover your problem, and I'll bet that your eye has just glossed over it, too. Between /usr/sbin and /sbin you have, not one, but two colons. A null entry in your PATH equates to the same thing as a dot. The ksh man page covers this case in a section called "Execution" about half way through:

The shell variable PATH defines the search path for the directory containing the command. Alternative directory names are separated by a colon (:). The default path is /bin:/usr/bin: (specifying /bin, /usr/bin, and the current directory in that order). The current directory can be specified by two or more adjacent colons, or by a colon at the beginning or end of the path list. If the command name contains a / then the search path is not used. Otherwise, each directory in the path is searched for an executable file. If the file has execute permission but is not a directory or an a.out file, it is assumed to be a file containing shell commands. A sub-shell is spawned to read it. All non-exported aliases, functions, and variables are removed in this case. A parenthesized command is executed in a sub-shell without removing non-exported quantities.
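
Because a null entry is so easy to miss by eye, here is an added example (not code from the column or from ksh) that audits a PATH string for every entry the shell treats as the current directory, a literal ".", an empty entry from "::", or a leading or trailing ":", and produces a copy with those entries removed. It also walks a PATH the way the man page describes, first match wins and a null entry is searched as ".", so the xterm surprise can be reproduced in a scratch directory. The PATH it runs on is the one from the question; the scratch directory and the fake xterm are constructed for the demonstration.

```sh
#!/bin/sh
# Added example: find and remove implicit current-directory entries in a PATH,
# and resolve a command the way ksh does so the effect can be reproduced.

# Print the 1-based position of every entry that means "current directory".
# awk -F: keeps empty fields, including one created by a trailing colon.
cwd_entries() {
  printf '%s\n' "$1" | awk -F: '{ for (i = 1; i <= NF; i++) if ($i == "" || $i == ".") print i }'
}

# Print PATH with every cwd entry dropped.
strip_cwd() {
  printf '%s\n' "$1" | awk -F: '{ out = ""
    for (i = 1; i <= NF; i++) if ($i != "" && $i != ".") out = out (out == "" ? "" : ":") $i
    print out }'
}

# lookup_cmd NAME PATHSTRING: first executable found wins; a null entry is ".".
lookup_cmd() {
  name=$1 rest=$2 more=1
  while [ "$more" -eq 1 ]; do
    case $rest in
      *:*) dir=${rest%%:*}; rest=${rest#*:} ;;
      *)   dir=$rest; more=0 ;;
    esac
    [ -z "$dir" ] && dir=.
    if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
      printf '%s\n' "$dir/$name"
      return 0
    fi
  done
  return 1
}

# The PATH from the question, on one line.
qpath='/usr/ucb/sparcv9:/usr/local/bin:/usr/local/sbin:/usr/local/libexec:/usr/xpg4/bin:/usr/sfw/bin:/usr/sfw/sbin:/usr/bin:/usr/sbin::/sbin:/usr/openwin/bin:/usr/ccs/bin:/usr/ucb:/usr/local/etc:/usr/etc:/etc:/opt/RICHPse/bin:.'
echo "cwd entries at positions: $(cwd_entries "$qpath" | tr '\n' ' ')"   # 10 (the "::") and 19 (the ".")
echo "cleaned PATH: $(strip_cwd "$qpath")"

# Reproduce the surprise: a stray executable "xterm" in the cwd beats the real one
# because the null entry sits before the directory that holds it.
scratch=$(mktemp -d)
mkdir "$scratch/bin"
printf '#!/bin/sh\necho real xterm\n' > "$scratch/bin/xterm"
chmod +x "$scratch/bin/xterm"
touch "$scratch/xterm"; chmod +x "$scratch/xterm"
( cd "$scratch" && echo "with '::' before bin: $(lookup_cmd xterm "/nonexistent::$scratch/bin")" )
( cd "$scratch" && echo "with the null entry removed: $(lookup_cmd xterm "$(strip_cwd "/nonexistent::$scratch/bin")")" )
rm -rf "$scratch"
```

Run cwd_entries against the PATH of every login and cron environment you care about; anything but an empty result means a writable directory you happen to be standing in is on the command search path, and the position tells you how many legitimate directories it beats.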

Amy Rich, president of the Boston-based Oceanwave Consulting, Inc. (http://www.oceanwave.com), has been a UNIX systems administrator for more than 10 years. She received a BSCS at Worcester Polytechnic Institute, and can be reached at: qna@oceanwave.com.