Questions and Answers
Amy Rich
Q I'm running Solaris 8 on an E420R.
Looking through process listings, I note that sometimes ps runs
as root, and sometimes it runs as a normal user. My own ps process
is always run by me, so I'm wondering if these other users have
somehow cracked root or something. I took a look at both /usr/bin/ps
and /usr/ucb/ps just to make sure that one of them was not SUID
root, and neither is:
-r-xr-xr-x 39 root bin 5256 Jan 5 2000 /usr/bin/ps
-r-xr-xr-x 39 root bin 5256 Jan 5 2000 /usr/ucb/ps
I also looked at the checksums on both ps binaries to make sure that
they match what came off the install media (to verify that neither
was trojaned). Everything checks out ok, so I'm wondering if there's
another copy of ps floating around somewhere or something more insidious.
A If you're running Solaris 8,
/usr/ucb/ps is just a wrapper that calls the appropriate version
of ps based on the version of SPARC hardware. If you look at /usr/ucb/sparcv7
and/or /usr/ucb/sparcv9, you'll see that the ps binary contained
within is SUID root. This is not to say that you haven't been cracked,
but if this is your only indication, then most likely you don't
have anything to worry about.
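The check described in that answer, as an added shell example (not part of the column): follow the Solaris isaexec layout from a wrapper such as /usr/ucb/ps to the sparcv7/sparcv9 copies it dispatches to, and report which of them carry the set-uid bit. The WRAPPER argument and the temporary layout in any test are assumptions; on a real Solaris 8 host you would point it at /usr/ucb/ps.

```sh
#!/bin/sh
# Added example, not from the column: walk the isaexec layout the answer
# describes. Given a wrapper path, look for the ISA-specific binaries
# behind it and say whether each one is set-uid. One line per candidate:
#   <path> setuid | not-setuid | missing
# Usage: isa_setuid_report /usr/ucb/ps   (path is the caller's choice)

isa_setuid_report() {
    wrapper=$1
    dir=$(dirname "$wrapper")
    name=$(basename "$wrapper")
    for isa in sparcv7 sparcv9; do
        candidate="$dir/$isa/$name"
        if [ ! -e "$candidate" ]; then
            echo "$candidate missing"
        elif [ -u "$candidate" ]; then        # -u: set-uid bit is on
            echo "$candidate setuid"
        else
            echo "$candidate not-setuid"
        fi
    done
}

# How many of the ISA-specific copies behind a wrapper are set-uid.
# (grep -c exits 1 when the count is 0; the "|| true" keeps that from
# tripping a caller running under set -e.)
isa_setuid_count() {
    isa_setuid_report "$1" | grep -c ' setuid$' || true
}

if [ $# -gt 0 ]; then
    isa_setuid_report "$1"
    echo "set-uid copies: $(isa_setuid_count "$1")"
fi
```

Run it against every wrapper you are suspicious of; a set-uid copy under sparcv7 or sparcv9 explains a process that shows up as root even though the wrapper itself is mode 555.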
Q Since Verisign has put in wildcard
records for .com and .net, a bunch of our spam filtering has broken.
How can I fix things and ignore their bogus wildcard entry?
A Various DNS software developers
have put out patches to their software to ignore the wildcard redirect.
If you're running BIND, you can install 9.2.2-P3 and use delegation-only
for .com and .net:
zone "com" { type delegation-only; };
zone "net" { type delegation-only; };
You can also install BIND 9.2.3rc4 and use the option root-delegation-only.
It takes an exclude argument so you can specify domains that are trusted
to give undelegated responses:
options {
root-delegation-only exclude { "de"; "lv"; "museum"; "us"; };
};
If you're running DJB's dnscache, there's a patch at:
http://tinydns.org/djbdns-1.05-ignoreip2.patch
After patching, recompiling, and installing the new dnscache, configure
it to ignore Verisign's redirector by listing the IP in the file /service/dnscache/env/IGNOREIP:
echo 64.94.110.11 >/service/dnscache/env/IGNOREIP
svc -t /service/dnscache
The page containing the patch also shows how to ignore various other
TLDs who use wildcards.
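After applying any of the fixes above, the thing to verify is that the resolver now answers "no such name" for a nonexistent .com or .net host. The following is an added shell example (not part of the column or of any of the packages it mentions) that does that with dig(1); the Site Finder address is the one given in the answer, while the resolver address you pass in and the availability of dig are assumptions.

```sh
#!/bin/sh
# Added example, not from the column: query a random, certainly
# nonexistent label under a TLD and classify the resolver's answer.
# A correct resolver returns no address; a wildcarded TLD returns one.
# The random label defeats caching, so the check can be repeated.

SITEFINDER_IP=64.94.110.11      # from the answer above

# A label that will not exist: pid plus a random number. (date +%s is
# avoided on purpose; Solaris 8 date does not support it.)
random_label() {
    echo "nx-$$-$(awk 'BEGIN { srand(); print int(rand() * 1000000) }')"
}

# wildcard_check <resolver-ip> <tld>
# Prints: clean | sitefinder | wildcard:<address> | error
# Returns 0 only for "clean", so it can be used in scripts and cron.
wildcard_check() {
    resolver=$1; tld=$2
    name="$(random_label).$tld"
    if ! raw=$(dig +short +time=3 "@$resolver" "$name" A 2>/dev/null); then
        echo error; return 2                 # resolver unreachable / timeout
    fi
    answer=$(printf '%s\n' "$raw" | grep -v '^;' | head -n 1)
    if [ -z "$answer" ]; then
        echo clean; return 0
    elif [ "$answer" = "$SITEFINDER_IP" ]; then
        echo sitefinder; return 1
    else
        echo "wildcard:$answer"; return 1     # some other synthesized answer
    fi
}

# Check both affected TLDs against the resolver given on the command line.
if [ $# -gt 0 ]; then
    for tld in com net; do
        printf '%s %s: ' "$1" "$tld"; wildcard_check "$1" "$tld"
    done
fi
```

Run it once before the change (expect sitefinder) and once after (expect clean); a wildcard:<address> result means some other synthesized answer is still reaching you, which is the case the exclude list in root-delegation-only exists for.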
Q I'd like to use a USB scanner
on FreeBSD 4.8-STABLE, but I'm not having much success finding out
what may or may not be supported. Is there a reference anywhere?
A USB scanners are handled via
SANE http://www.sane-project.org/ with the uscanner(4) driver.
SANE, standing for "Scanner Access Now Easy," is an API that provides
standardized access to any raster image scanner hardware. The SANE
API http://sane-project.org/html/doc009.html is public domain,
and the current source code is under the GPL. The FreeBSD 4-STABLE
release notes specifically mention the Perfection 636U, and the
HP ScanJet 4100C, 5200C, and 6300C as supported devices.
Q I'm trying to download an appropriate
version of IOS for a piece of Cisco gear that I have, and I'm baffled
by what all of the letters mean. Is there some definitive guide
somewhere?
A To learn what each letter or
letter/number combination stands for (assuming you have a TAC account),
take a look at:
http://www.cisco.com/warp/customer/620/5.shtml#identifiers
You might also find Cisco's Software Advisor useful in helping you
select the proper boot image:
http://www.cisco.com/cgi-bin/Support/CompNav/Index.pl
Q I've just compiled and installed the
latest version of OpenSSH on a Solaris 8 machine. I compiled with
TCP wrapper support (extended syntax), so I could limit connections
from /etc/hosts.deny. Here's how I configured OpenSSH:
./configure --with-random=/dev/urandom --with-tcp-wrappers \
  --with-ssl-dir=/usr/local/lib \
  --with-default-path=/usr/bin:/usr/ucb:/usr/local/bin:/usr/local/sbin:/usr/local/libexec:/bin:/sbin:/usr/sbin:/usr/ccs/bin:/usr/bin/X11:/usr/openwin/bin
Here's my /etc/hosts.deny:
# sshd : LOCAL 192.168.1. : ALLOW
imapd : LOCAL 192.168.1. : ALLOW
imapd : ALL : banners /usr/local/etc/banners : DENY
ALL : ALL : banners /usr/local/etc/banners : DENY
I started up sshd with the debug flag and tried to ssh in from localhost
and got the following on the server side:
sshd -d -d -d
debug2: read_server_config: filename /usr/local/etc/sshd_config
debug1: sshd version OpenSSH_3.7.1p2
debug1: private host key: #0 type 0 RSA1
debug3: Not a RSA1 key file /usr/local/etc/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug3: Not a RSA1 key file /usr/local/etc/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #2 type 1 RSA
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
On the client side I got:
# ssh -v localhost
OpenSSH_3.7.1p2, SSH protocols 1.5/2.0, OpenSSL 0.9.7c 30 Sep 2003
debug1: Reading configuration data /usr/local/etc/ssh_config
debug1: Connecting to localhost [::1] port 22.
debug1: connect to address ::1 port 22: Network is unreachable
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /users/foo/.ssh/identity type -1
debug1: identity file /users/foo/.ssh/id_rsa type -1
debug1: identity file /users/foo/.ssh/id_dsa type -1
debug1: ssh_exchange_identification: No access
ssh_exchange_identification: Connection closed by remote host
debug1: Calling cleanup 0x2cda4(0x0)
Now, if I change my /etc/hosts.deny to allow any access for sshd,
it works:
sshd : ALL : ALLOW
But when I use tcpdmatch to make sure that TCP wrappers is functioning
properly, my initial /etc/hosts.deny looks like it should work just
fine:
tcpdmatch sshd localhost
warning: sshd: no such process name in /etc/inet/inetd.conf
client: hostname localhost
client: address 127.0.0.1
server: process sshd
matched: /etc/hosts.deny line 1
option: ALLOW
access: granted
I tried running truss on sshd, too, but that just showed it opening
/etc/hosts.deny and then pitching back to my banner message. I'm rather
at a loss here, and am not sure what to try next. Have I configured
ssh wrong for my platform? Is TCP wrappers the culprit? Have I found
a bug?
A The key to identifying your problem
lies in your sshd debug statements. When you start up sshd, it claims
that it's binding to ::, an IPv6 address, but it never says anything
about starting a service on 127.0.0.1, an IPv4 address. On the other
hand, your hosts.deny file explicitly names IPv4 addresses. I would
guess that your sshd_config file contains the line:
ListenAddress ::
I would also guess that it does NOT contain the following line, or
else it's commented out:
ListenAddress 0.0.0.0
If you want to use IPv4 access restrictions, you must have an IPv4
statement (or comment out both statements to use the default of running
both) in sshd_config.
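A quick way to confirm the diagnosis above is to read the ListenAddress lines out of sshd_config and see which address family sshd will bind. The following is an added shell example (not part of the column or of OpenSSH); the config path you pass is an assumption, and it deliberately looks only at ListenAddress, not at Port or AddressFamily.

```sh
#!/bin/sh
# Added example, not from the column: classify how sshd will bind from
# its sshd_config, which decides whether IPv4 patterns in hosts.allow or
# hosts.deny can ever match. Comment lines are skipped and the keyword is
# matched case-insensitively, as sshd does. Prints one of:
#   default    no ListenAddress at all: sshd binds both families
#   ipv6-only  only "::" or other IPv6 literals: IPv4 rules never match
#   ipv4-only  only IPv4 literals
#   both       explicit IPv4 and IPv6 entries
#   hostname   only DNS names given: the resolver decides
# Usage: listen_family_report /usr/local/etc/sshd_config   (path assumed)

listen_family_report() {
    awk '
        tolower($1) == "listenaddress" {
            addr = $2
            if (addr ~ /^\[/) {                      # [v6addr]:port form
                sub(/^\[/, "", addr); sub(/\].*$/, "", addr)
            } else if (addr ~ /^[0-9.]+:[0-9]+$/) {  # v4addr:port form
                sub(/:[0-9]+$/, "", addr)
            }
            if (addr ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) v4++
            else if (addr ~ /:/) v6++
            else host++
        }
        END {
            if (v4 + v6 + host == 0) print "default"
            else if (v4 && v6) print "both"
            else if (v4) print "ipv4-only"
            else if (v6) print "ipv6-only"
            else print "hostname"
        }
    ' "$1"
}

if [ $# -gt 0 ]; then listen_family_report "$1"; fi
```

An ipv6-only result with IPv4-only patterns in hosts.deny is exactly the mismatch the answer describes; either add the IPv4 ListenAddress or remove both so sshd falls back to its default of listening on both families.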
Q I have an APC UPS in which the
batteries died. I replaced the batteries, charged them up for a
day, and then tested them by hitting the test button and unplugging
the wall power. Instead of keeping steady power, it turned off and
back on a couple times! I powercycled it and the UPS seemed very
unhappy. Unfortunately, I don't have a spare UPS of this type to
test things in, so I can't be sure it's a bad battery or a bad UPS.
Can you tell from my description what the problem might be?
A Your description is pretty vague,
but if you've just replaced the batteries in your UPS, there's a
good chance that you'll need to readjust the microprocessor that
controls the batteries by performing a runtime calibration. Once
you've charged the batteries, attach a non-critical load of at least
30% to the UPS. Be sure the load is non-critical, because the power
to the device(s) will be shut off when the batteries are drained.
Once you have the 30+% load attached, unplug the wall power from
the UPS. Allow the battery to drain until it shuts off completely.
Then plug the UPS back into the wall, turn it off, and let it recharge
fully. While APC only discusses going through this process once,
I've heard from several people that it may take several iterations
of charge/discharge to get a reasonably accurate calibration of
remaining battery life.
Q With the recent flood of worms
and viruses, our mail server is consuming a lot of space/bandwidth
sending back big bounced messages. The worst is when the return
address is invalid, and the bounce message just sits in our queue
until it expires. Is there a way to tell sendmail (8.12.10) to bounce
only the headers and an explanation and not to include the entire
message body?
A You can make sendmail include
only headers of the original message in the bounce by adding nobodyreturn
to the PrivacyOptions setting. In your mc file, add the following
line:
define(`confPRIVACY_FLAGS', `nobodyreturn')dnl
If you already have confPRIVACY_FLAGS defined, you can add nobodyreturn
to the existing options, separated by a comma:
define(`confPRIVACY_FLAGS', `nobodyreturn,authwarnings,noexpn,novrfy')dnl
Rebuild sendmail.cf and HUP sendmail so that you read the new configuration
file.
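The edit described in that answer, as an added shell example (not part of the column or of the sendmail distribution): it adds a flag to confPRIVACY_FLAGS whether the mc file has no such define yet, already has one to extend, or already lists the flag, and writes the result to stdout so you can inspect it before replacing the file. The rebuild commands in the trailing comment assume the Solaris 8 cf tree and pid file locations.

```sh
#!/bin/sh
# Added example, not from the column: add a PrivacyOptions flag to an mc
# file idempotently. Three states are handled: no confPRIVACY_FLAGS
# define yet (one is appended), an existing define (its list is extended),
# or the flag already present (the line is left untouched).
# Usage: add_privacy_flag file.mc [flag]      (flag defaults to nobodyreturn)

add_privacy_flag() {
    prog=$(cat <<'AWK'
/^define\(`confPRIVACY_FLAGS'/ {
    found = 1; present = 0
    p = index($0, "', `")                   # end of the name quote
    if (p == 0) { print "cannot parse: " $0 > "/dev/stderr"; print; next }
    head  = substr($0, 1, p + 3)            # up to and including the opening `
    rest  = substr($0, p + 4)               # value')dnl
    q     = index(rest, "'")
    value = substr(rest, 1, q - 1)
    tail  = substr(rest, q)
    n = split(value, flags, /[ \t]*,[ \t]*/)
    for (i = 1; i <= n; i++) if (flags[i] == flag) present = 1
    if (value == "")   value = flag
    else if (!present) value = value "," flag
    print head value tail
    next
}
{ print }
END { if (!found) print "define(`confPRIVACY_FLAGS', `" flag "')dnl" }
AWK
)
    awk -v flag="${2:-nobodyreturn}" "$prog" "$1"
}

# After installing the new mc file, regenerate sendmail.cf and make the
# running daemon re-read it. Paths are assumptions for Solaris 8:
#   cd /usr/lib/mail/cf && m4 ../m4/cf.m4 sendmail.mc > /etc/mail/sendmail.cf
#   kill -HUP "$(head -n 1 /etc/mail/sendmail.pid)"

if [ $# -gt 0 ]; then add_privacy_flag "$@"; fi
```

Note the m4 quoting: the opening quote is a backtick and the closing quote is an apostrophe; straight single quotes on both ends are not m4 quotes and the define will not take effect.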
Q I have a SunFire V880, which I've
halted. Normally at the ok prompt, I see:
{2} ok
This time, when I halted the machine, it said:
{3} ok
I'm wondering what the significance of the number is and whether it
has anything to do with performance problems we've been having with
the machine recently.
A The number to the left of the
ok prompt is the CPU that the machine's OpenBoot process is currently
executing on. This allows you to run/debug code on a specific CPU.
You can switch the current CPU by using the switch-cpu command.
The following would change the current CPU to 2:
2 switch-cpu
Q I'd like to do some I/O benchmarking
on one of our FreeBSD development boxes. I suspect that the JBOD RAID
we have attached to the machine is performing poorly. Do you have
any software suggestions to help me out?
A You might look at the Bonnie
(written in C by Tim Bray) or Bonnie++ (written in C++ by Russell
Coker) benchmark suites. If you're using the FreeBSD ports collection,
these two programs can be found in /usr/ports/benchmarks/bonnie
and /usr/ports/benchmarks/bonnie++, respectively. The Web sites
for each are as follows:
http://www.textuality.com/bonnie/
http://www.coker.com.au/bonnie++/
Q I have various files with embedded
URLs that I'd like to extract. Is there a program or a simple regexp
I can use to grep these files and output just the data I want?
A URLs are difficult to identify
because there are various types and syntaxes to deal with. For a
good discussion on Perl regular expressions that match URLs, take
a look at:
http://www.foad.org/~abigail/Perl/url2.html
the resulting regular expression at:
http://www.foad.org/~abigail/Perl/url3.regex
and the program at:
http://www.foad.org/~abigail/Perl/url3.pl
If your definition of URL incorrectly includes things like www.my.domain/foo.html,
then it's going to be next to impossible to come up with a foolproof
method of extracting that data.
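For the common case where only scheme-anchored URLs are wanted, a grep pipeline is enough. The following is an added shell example (not part of the column and far less thorough than the Perl program linked above); it intentionally does not match bare host names such as www.my.domain/foo.html, for the reason the answer gives, and the sample input in any test is constructed.

```sh
#!/bin/sh
# Added example, not from the column: extract scheme-anchored URLs from
# files (or stdin) with grep -E, then strip trailing punctuation that is
# sentence syntax rather than part of the URL. Output is de-duplicated.
# Usage: extract_urls file...      or      some_command | extract_urls

extract_urls() {
    # Match http, https, ftp or file URLs up to the first whitespace,
    # angle bracket or quote character.
    grep -Eoh '(https?|ftp|file)://[^[:space:]<>"'"'"']+' "$@" \
    | sed -e 's/[].,;:!?)'"'"'"]*$//' \
    | sort -u
}

if [ $# -gt 0 ]; then extract_urls "$@"; fi
```

The sed step matters more than it looks: a URL inside parentheses or at the end of a sentence otherwise comes out with ")" or "." glued on, which breaks anything that later tries to fetch it.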
Q I'm trying to do some log rotation
via root's crontab entry:
0 5 * * * /usr/bin/mv /var/log/testlog /var/log/testlog-`/usr/bin/date +%Y%m%d.%H%M`
Every time this runs via cron, I wind up with /var/log/testlog- and
there's no date appended. If I run the same command from an interactive
shell, things seem to go just fine. I'm guessing that there's some
weird interaction here (maybe because there's no controlling tty?
Can you spot something wrong with that command?
A Cron uses the percent (%) character
as a separator between code executed by the shell and command arguments.
Here's an excerpt from the Solaris man page for crontab:
Only the first line (up to a % or end of line) of the command
field is executed by the shell. Other lines are made available to
the command as standard input.
You can escape the percent symbols with backslashes (\) to have
your command run correctly, or you can put your command into a shell
script that is called from cron as a workaround.
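To see the split the man page describes without waiting for the job to fire, the command field can be processed the way cron does. The following is an added shell example (not part of the column or of any cron implementation): it shows what the shell would receive, what would arrive on standard input, and produces an escaped line that survives intact. The crontab line used in any test is the one from the question.

```sh
#!/bin/sh
# Added example, not from the column: emulate cron's handling of the
# command field. Text up to the first unescaped % goes to the shell; the
# remainder becomes the command's standard input with each further
# unescaped % turned into a newline; "\%" passes through as a literal %.

# cron_command <field>  -> the text the shell will actually execute
cron_command() {
    printf '%s\n' "$1" | awk '{
        out = ""
        for (i = 1; i <= length($0); i++) {
            c = substr($0, i, 1)
            if (c == "\\" && substr($0, i + 1, 1) == "%") { out = out "%"; i++ }
            else if (c == "%") break
            else out = out c
        }
        print out
    }'
}

# cron_stdin <field>  -> what the command will read on standard input
cron_stdin() {
    printf '%s\n' "$1" | awk '{
        out = ""; started = 0
        for (i = 1; i <= length($0); i++) {
            c = substr($0, i, 1)
            if (c == "\\" && substr($0, i + 1, 1) == "%") { if (started) out = out "%"; i++ }
            else if (c == "%") { if (started) out = out "\n"; started = 1 }
            else if (started) out = out c
        }
        if (started) print out
    }'
}

# cron_escape <field>  -> the same field with every unescaped % escaped
cron_escape() {
    printf '%s\n' "$1" | awk '{
        out = ""
        for (i = 1; i <= length($0); i++) {
            c = substr($0, i, 1)
            if (c == "\\") { out = out c substr($0, i + 1, 1); i++ }   # keep \x untouched
            else if (c == "%") out = out "\\%"
            else out = out c
        }
        print out
    }'
}

if [ $# -gt 0 ]; then
    echo "shell gets : $(cron_command "$1")"
    echo "stdin gets : $(cron_stdin "$1")"
    echo "escaped    : $(cron_escape "$1")"
fi
```

Fed the line from the question, cron_command stops at "date +": the format string and the closing backtick never reach the shell, which is why the date is missing from the file name. Fed the output of cron_escape, cron_command returns the full original line and cron_stdin is empty.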
Q I'm running OS X 10.2.8 and I
spend most of my time in X. I come from a FreeBSD background, and
I'm really missing ctwm and the ability to have root window menus.
Has anyone created a window manager that's got virtual screens and
can do root window menus?
A Annoyingly, OS X is designed
not to have such a thing as a root window (if you click on the root
window, you just get the finder). What I use as a decent compromise
is blackbox-rootless (built and installed via fink). It has virtual
windows and a pop-up bar (like the dock) from which you can invoke
menus and switch virtual screens. It's not as good as having root
menus, but it's the best I've found so far at simulating that functionality.
Amy Rich, president of the Boston-based Oceanwave Consulting,
Inc. (http://www.oceanwave.com), has been a UNIX systems
administrator for more than 10 years. She received a BSCS at Worcester
Polytechnic Institute, and can be reached at: qna@oceanwave.com.