Cover V13, i12



Questions and Answers

Amy Rich

Q We have a number of systems that need the same modification to root's crontab file (security software that's being added to every machine). What's the best way to go about doing this with minimal effort?

A The answer to this question depends on whether you will be doing multiple machine modifications on a regular basis and want minimal up front or long-term work, or whether you're just doing this as a one-off. If you're just doing it as a one-off, then you can whip up a shell script to iterate through the machine and scp the crontab file over and reload it, for example:

for i in host1 host2 host2 host4; do
  scp master.cron root@${i}:/location/to/crontab/file
  ssh root@${i} chmod 0400 /location/to/crontab/file; \
    chown root /location/to/crontab/file; \
    crontab /location/to/crontab/file; \
    crontab -l
The final crontab -l will verify that the correct crontab file is in place on the new machine. The syntax for various crontab commands may differ depending on your operating system. Also, your clients may not support scp'ing or ssh'ing in as root, so you'd have to change that or copy files over as a normal user and then later run a script as root to move them into place. Some operating systems also automatically recognize that the crontab has changed and do not require the reloading step.

If you're going to be making multi-machine changes on a regular basis, I suggest investing the time and effort up front to install software such as rsync if your needs are simplistic, or a configuration change management tool like cfengine if you want more fine-grained control.

Q I have a few Sun servers and a number of Linux desktop clients. I'm trying to set up rsh so that the users don't have to type in their passwords when connecting between machines. Right now I have it working between Sun machines, between Linux machines, and connecting from a Sun machine to a Linux machine. When people try to connect from a Linux machine to a Sun machine, it prompts them for a password. I'm at a loss as to why everything else works, but not this one scenario. Is there an rsh compatibility issue between Solaris and Linux?

A To start, let me strongly advocate using a secure connection method like ssh, instead of rsh, so that your users are not sending sensitive information over the wire in the clear. That said, the most likely problem is that your entries in the .rhosts or /etc/hosts.equiv file on the Sun machines do not include the information being transmitted by rsh on the Linux machines.

Try rsh'ing from the Linux box to the Sun box and giving it a valid password. When you're logged in, run the command "who am i". Note the address from which you appear to be connecting. It could be a bare hostname, FQDN, or even an IP address. The information listed is what needs to be in the .rhosts and/or /etc/hosts.equiv files. If that information matches, then I'd suggest checking any pertinent log files and running truss against inetd on the Sun machine to see what it turns up.

Q I've just noticed that our mail server, running FreeBSD 4.10 and sendmail 8.12.11, has a large number of files in /var/mail that start with the name BOGUS. I'm guessing that we've been hacked, but this would seem like a weird change to make. Here's an ls of one of the BOGUS files from /var/mail to show what I mean:

-r--------   1 nobody   nobody        1 Sep 19 21:34 BOGUS.root.E
The content of each BOGUS file appears to be normal mail messages and nothing suspicious. Is this part of a rootkit? Has sendmail been hacked or something else?

A The first thing that strikes me as odd is that the files are owned by nobody. Are you NFS mounting your mail spool and/or delivery area? That's generally considered a very bad idea because you run into issues with file locking and, as it appears in your case, permissions. This setup is probably why you're running into issues and getting BOGUS files, not a break-in. I suspect you're running procmail as your local delivery agent and that the BOGUS files are a result of procmail's not being able to write to the mail file. Check the procmail log files for an error like the following (from the procmail man page):

Renaming bogus "x" into "x"
The system mailbox of the recipient was found to be bogus, 
procmail performed evasive actions.
The reason for the BOGUS files is also explained in the procmail man page:

If /var/mail/$LOGNAME is a bogus mailbox (i.e., does not belong to 
the recipient, is unwritable, is a symbolic link or is a hard 
link), procmail will upon startup try to rename it into a file 
starting with 'BOGUS.$LOGNAME.' and ending in an inode-sequence-code. 
If this turns out to be impossible, ORGMAIL will have no initial 
value, and hence will inhibit delivery without a proper rcfile.
Q I've recently inherited a division of our company that's running AIX 5 on their servers instead of Solaris, which our division runs. I'm responsible for keeping these machines up to date with security patches, and I am wondering whether there is anything available from IBM similar to Sun's patch club notifications. Also any Solaris -> AIX command translators you could point me to would be great.

A If you want listings of IBM's patches, take a look at:
for the pSeries servers. If you have other hardware/software, look for something similar on one of the other support pages linked from:
For a general command translation reference, I'd suggest the UNIX Rosetta Stone at:
Also read the AIX Reference for Sun Solaris Administrators Redbook at:
Q I'm attempting to invoke a command from /etc/inittab on a Solaris 9 machine at boot time, but it doesn't seem to be working. Here's the /etc/inittab entry:

I followed the syntax for the rest of the entries in the file, so I don't think that's the issue. I can run the command interactively and from a script called /etc/rc2.d/logcheck and it works fine. Any clue what the problem might be?

A It's difficult to tell whether your program is having issues due to the way it's run because you don't provide any further information. I suspect that your real problem is that you're not actually going to run level 2 in the first place. Unless you've specified booting to run level 2 or you've modified /etc/inittab to make the initdefault 2 instead of 3, then you're skipping over run level 2. Here's the default entry in the inittab:

Your program works when you execute it as a script from /etc/rc2.d because those scripts are also run as part of runlevel 3:

s2:23:wait:/sbin/rc2     >/dev/msglog 2<>/dev/msglog     </dev/console
If you want your program to behave similarly, then change your rstate to include runlevel 3 as well as runlevel 2:

Q I'm running OS X 10.3.5, and I have a bunch of jar files that came with the fink install of Mozilla. I'm trying to find one specific file in one of these jar files, but I don't want to have to unzip them all to find it. Is there a quick and easy way to get a listing of every file?

A Jar files are just zip files with a different extension. If you're looking for a specific file, then the easiest way would be to use find in conjunction with unzip in listing mode:

find /dir -name "*.jar" -exec unzip -qql {} "*filename" \; -print
For example, to find the file navigatorOverlay.xul to change key bindings, you'd execute the following:

find /sw/lib/mozilla . -name "*.jar" -exec unzip -qql {} \
  "*navigatorOverlay.xul" \; -print
You want the * in front of the file name because you also want to match files in subdirectories. If you don't want to match files ending in navigatorOverlay.xul, then you could use two search terms instead of one, to catch both a top-level file and a file in a subdirectory:

find /sw/lib/mozilla . -name "*.jar" -exec unzip -qql {} \
  "navigatorOverlay.xul" "*/navigatorOverlay.xul" \; -print
Q We run sendmail 8.12.11 in conjunction with cyrus-2.2.3 on our mail servers. The problem is that we're often hit by dictionary attacks, and sendmail doesn't know how to reject them because the users are not in the password file. Is there a way to have sendmail read the Cyrus user auth database instead of the password file when rejecting mail?

A Take a look at Andrzej Filip's page on real-time Cyrus integration at:
which uses a socket map or fstat map and FEATURE('mrs') to check the existence of Cyrus mail boxes. Since you're running sendmail 8.12 and not 8.13, you'll need the socket map patch: \
if you choose to use the socket map method. There's also a patch to sendmail if you opt to use the fstat method:
Q I've just purchased a used Sun U60 and tried booting it. The machine booted ok, but during the boot, the screen remained black. I only got a video signal once the machine had finished booting and it was showing the CDE login screen. Since I don't have an account on the machine, I tried to boot off the CDROM. The machine powered on and I hit stop-a to halt the automatic boot. The monitor was still black, but I blind-typed boot -s cdrom. The machine accessed the CDROM drive, but I never got a display. At this point, I hooked up a serial console and rebooted off the CDROM, and it seemed to work just fine. Why would I get no video output on the monitor until the machine finished booting, but the serial console would report everything just fine? Is there a problem with my monitor, or the OBP code, or my framebuffer, or something else?

A I would guess that you have one of two problems. One problem could be that your console output is set to a device that you're not using, perhaps another framebuffer or one that got removed. While you have the serial terminal hooked up, run eeprom and check the output-device. The second issue could be that your monitor can't/won't sync to the resolution provided by the OBP. Again, check the output-device variable and modify it as needed.

Q We have a large number of identical FreeBSD 4.10 machines that we need to roll out. I don't really want to run them all through the network installation, especially since I'm concerned that things on the mirrors may change between the time we install the first server and subsequent ones. Is there a better way to get a large number of identical machines?

A If you still want to do the install, you could keep a local image and not make changes to it until you're ready, rather than using the images on the FreeBSD servers. Conversely, you can install one machine and then dump and restore the data to new boot disks for your other servers. You can also use something like ghost for UNIX, g4u, to create a disk image that you can pull from your new servers:
Q I'm writing a shell script to generate addresses from a list of A records. I've thought of doing this with rev, but that gives me a mirror reverse of the IP, not a reverse of the dotted quad. Any suggestions?

A The easiest way to do this is just change the IFS to . and echo the dotted quads back out in the reverse order:

# - reverse an IP (no error checking)


while read a b c d; do
  echo "${d}.${c}.${b}.${a}"

Call this script with a file of IP addresses, one per line, as the input or echo a single IP and pipe it to the script:

./ < /path/to/ipfile
echo | ./
You would want to add some more error checking to this script to make sure that the input is actually one or more valid IPs.

Q Do you know of any encrypted filesystem implementations for Solaris 8? I know of things that run on BSD/OS X, but I can't seem to find anything similar for Solaris, and I really want to protect my data.

A I'm not aware of any OS-level support for encrypted filesystems, especially on something as old as Solaris 8. Some time ago, Matt Blaze wrote an encrypting filesystem add-on, CFS, that does work under Solaris 8, I believe. It's now unsupported, but it may fit the bill until something better comes along. Take a look at:
for the software and his papers on the topic.

Amy Rich, president of the Boston-based Oceanwave Consulting, Inc. (, has been a UNIX systems administrator for more than 10 years. She received a BSCS at Worcester Polytechnic Institute, and can be reached at: