Adventures in being a Sysadmin

BKEHOE%widener at pucc.princeton.edu
Tue Jul 17 00:40:24 AEST 1990


A while back I posted a list of questions about various problems I was
having getting our system set up..I received an amazing load of
information. This list probably has the best turn-around time on questions
I've ever seen!  What follows is a list of things I've discovered, in
combination with the replies I received to my questions. Included are a
few other things. I think that much of this will be of interest...as was
evidenced by the replies I got, I am far from being the only one to
experience them.

1. Yellow Pages.

I wanted to figure out how to set up a way to make a certain set of
accounts to be system-wide; I came up with this fix:

if [ -f /usr/etc/rpc.yppasswdd ]; then
        /usr/etc/rpc.yppasswdd /etc/yppasswd -m passwd;
        (echo -n ' yppasswdd')  >/dev/console
fi

The file /etc/yppasswd contains all of the 'network-wide' accounts. The
Makefile just has to have PASSFILE changed to PASSFILE=/etc/yppasswd.  One
problem occurred when I tried to make the system C2 secure (see below).

2. Idle users

Many suggestions came for how to handle the logging out of idle
users...they included:

 A) use 'untamo', available from j.cc.purdue.edu.
 B) use 'fido', available from any c.s.unix archive, Volume 16.

One snag came up though -- what if a person's in SunView? They can be on a
pseudo-terminal in a window ... what if they don't use a window for the
designated amount of time? Hmm ... anyway.

3. selection_svc

I couldn't understand why selection_svc was always there, owned by the
last person that used sunview (I hadn't read the entire Fantastic sunview
Manual). It's started up for keyboard & mouse activity, & kept up.  I'd
originally intended to just add this to /etc/rc.local:

if [ -f /usr/bin/selection_svc ]; then
        /usr/bin/selection_svc &
        (echo -n ' selection_svc') >/dev/console
fi

This will make root own it & it won't look like a garbage process.  Peter
Shipley's recent posting about the hole in selection_svc has made me
remove this entry (since, if it were owned by root, anyone with a decent
handle on rpc programming could read anything they wanted).

4. SunView dying on the diskless client.

Basically, I have a diskless client that screams and dies with a last gasp
of "Watchdog reset!" whenever I try to enter sunview on it.  It was the
consensus that there's probably a hardware problem of some sort with the
client, and that I should look into either getting a site license for
OpenLook, or send away a tape for X11R4.  After calling Sun, they concur
that it's most likely a motherboard that's on its last legs.

5. system-wide login file.

I needed a way to set up some things that every user would have in effect
(like limit coredumpsize 0).  Many people advised the same thing --
putting a call at the beginning of each user's .login to use something
like 'source /usr/local/lib/Login', which I've implemented (also the
.cshrc as /usr/local/lib/Cshrc to set up system-wide aliases).

6. Setting up the system using YP & NFS to allow a seemingly
   'network-wide' mailbox.

I have to thank Stephen Karamatos (steve at cs.uwindsor.ca) for his
invaluable help with this one.  What I tried to do was mount
/var/spool/mail from the server to diskless clients, so wherever anyone
logged in they'd be able to send & receive mail without any problems.
After some experimentation (and a good deal of cursing), I finally got it
working! Basically, what I had to do was:

 1. Add the following to /etc/fstab on the clients:
      server:/var/spool/mail /var/spool/mail nfs rw,bg,hard,intr,secure 0 0
 2. Add the following to /etc/exports on the server:
      /var/spool/mail -access=Clients,secure
 3. Add the clients to /etc/netgroup in the group Clients
 4. Add 'mailhosts' to the server's entry in /etc/hosts on the server.
 5. Now the tricky part that took forever to figure out..in the
    /etc/sendmail.cf on the client, comment OUT the OR line. Then edit
    the DR and CR lines to read:
      DRmailhost
      CRmailhost
    Finally (and this was the end of the rainbow), go through the
    sendmail.cf for the client and take out EVERY BLANK LINE. I hope
    someone can shed some light on why this has to be. Before I did
    this, sendmail's attempt from the client would die. I don't know
    why it worked exactly, but for the time being I'm happy. (This has
    been an ongoing problem for upwards of 4 months now.)
    With the OR line included, the client would flood the server with
    sendmail connections, til the process table was full. I'll be damned
    if I can find where the loop was created.

7. Hooking up an HP LaserJet II.

This has been quite a headache. My thanks to everybody that answered my
question on this one..if I still had the mail I'd gladly give you the
credit you well deserve.  This is the final printcap entry I came up with:

lp|hp|HP|laserjet|HP LaserJet II with Filter:\
 :lp=/dev/ttya:sd=/var/spool/printers/hp:br#9600:fs#06020:fc#0300:\
 :of=/usr/local/filters/offil:lf=/var/adm/printers/hp-errs:\
 :pw#80:ms=-parity,-cstopb,-clocal,-cread,crtscts,ixon,-opost:

The program /usr/local/filters/offil is something I picked up along the
way. There's an accompanying iffil. By doing echo "hi" | offil | hd I was
able to discover the characters that the filter sends to the printer..it
sends:

  <Esc>E<Esc>&k3G

then sends the text you request. I'll send Robert Greene the tar of iffil
& offil if there's an interest..but I think you should be able to work up
a program that just sends that sequence to stdout then copies stdin to
stdout.  Next, the wiring of it. If you've got a laserjet that's all
yours, just hook up a serial line -- it works like a dream. If you have
"I/O=Optional" set (the 3 or 4 modular-jack thing on the back of it that
spools requests), you have a little more work to do. It uses pins 2, 3, 5,
6, and 7. We had some modular to 25-pin connectors (one end the modular
jack, the other the rs232).  I just took the two contacts on the modular
jack that connected to pins 2 & 3 on the rs232 and reversed them (they
were in pins 1 and 3 on the modular jack, if I remember right), and
everything worked like a charm. (This is after 3 hours of doing
pin-switching between the modular's rs232 end and the cable coming from
the SS1 .. it took quite a while to realize that it needed those 5 lines
connected [I was working with a 4-pin connector between them]).

8. C2 security

I still don't have this set up...it created way too many problems. I grew
impatient with the C2 script and did the work by hand, and it still didn't
do everything.  First, on the server, it seemed to set up okay...the only
problem arose with the aforementioned /etc/yppasswd file. I moved it into
/etc/security, and ran a script with just these 4 lines in it, to create
the yppasswd.adjunct file:

#!/bin/sh
cp yppasswd yppasswd.bak
# yppasswd.adjunct: user:encrypted-password::::: (the hashes move here)
sed -e 's,^\([^:+]*\):\([^:]*\):\(.*\)$,\1:\2:::::,' yppasswd.bak > yppasswd.adjunct
# yppasswd: the password field becomes ##user, pointing at the adjunct entry.
# Read from the .bak copy: "sed ... yppasswd > yppasswd" truncates the input
# before sed reads it and leaves an empty yppasswd.
sed -e 's,^\([^:+]*\):\([^:]*\):\(.*\)$,\1:##\1:\3,' yppasswd.bak > yppasswd

 Next, I made yppasswd come up with:

/usr/etc/rpc.yppasswdd /etc/security/yppasswd /etc/security/yppasswd.adjunct \
        -m passwd

 Then edited the Makefile so PASSFILE=/etc/security/yppasswd.

I set the permissions on yppasswd and yppasswd.adjunct to 0400. But then I
logged in on one of the network accounts defined in /etc/yppasswd and
attempted to change my password...it worked fine! Then I went into
/etc/security, and lo and behold, the permissions on yppasswd.adjunct were
at 644! Nothing I did could get it to not give world-read on it. Any and
all insight into this would be gladly accepted.  Trying to set up C2 on
the client was a dismal failure...it would come up fine, but then when
auditing started, it would go into a deadly spiral..  for some reason,
whenever it tried to read the last accounting file it created, it would
fail and start up a new one (this I discovered with auditd -d)...and keep
this going ad infinitum, forcing me to audit -t all the time.  Needless to
say, this has been a real problem..any suggestions?
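The adjunct split from section 8, as an added example that is not the original post's script: a small sh script that performs the same split with the post's two sed patterns, reads from the .bak copy so the output redirection cannot truncate its own input, and then checks the one thing the 644 surprise above makes you want to check, that the adjunct holding the hashes is mode 0400 and that no hash is left in the public file. The file names are the post's; the scratch directory and the two accounts (with made-up password fields) are constructed sample data.

```shell
#!/bin/sh
# Added example, not the original post's script: split a passwd-style file into
# a public yppasswd (hash field replaced by ##name) and a yppasswd.adjunct that
# holds the hashes, then verify the adjunct's mode.  The two sed patterns are the
# post's; the scratch directory and the two accounts are constructed sample data.

# split_adjunct DIR: DIR/yppasswd is rewritten in place, DIR/yppasswd.adjunct
# is created, DIR/yppasswd.bak keeps the original (and its hashes).
split_adjunct() {
    dir=$1
    cp "$dir/yppasswd" "$dir/yppasswd.bak"
    # adjunct line: name:hash::::: (remaining C2 adjunct fields left empty)
    sed -e 's,^\([^:+]*\):\([^:]*\):\(.*\)$,\1:\2:::::,' \
        "$dir/yppasswd.bak" > "$dir/yppasswd.adjunct"
    # public line: name:##name:uid:gid:... ; read from the .bak copy so the
    # redirection cannot truncate the input before sed reads it
    sed -e 's,^\([^:+]*\):\([^:]*\):\(.*\)$,\1:##\1:\3,' \
        "$dir/yppasswd.bak" > "$dir/yppasswd"
    # only the files that still carry hashes need to be owner-read-only;
    # the public file no longer contains any
    chmod 0400 "$dir/yppasswd.adjunct" "$dir/yppasswd.bak"
}

# adjunct_mode_ok DIR: succeed only if the adjunct is readable by its owner alone
# (ls -l is used instead of stat because its first column is portable).
adjunct_mode_ok() {
    perms=$(ls -l "$1/yppasswd.adjunct" | cut -c1-10)
    [ "$perms" = "-r--------" ]
}

# public_file_clean DIR: succeed only if every ordinary line of the public file
# carries a ##name reference instead of a hash.  YP '+' lines are ignored,
# since the sed patterns deliberately leave them untouched.
public_file_clean() {
    ! grep -v '^+' "$1/yppasswd" | grep -v ':##[^:]*:' >/dev/null
}

# Constructed sample data (password fields are made-up strings, not crypt output).
DEMO_DIR=$(mktemp -d)
printf '%s\n' \
    'alice:AbCdEfGhIjKlM:1001:100:Alice:/home/alice:/bin/csh' \
    'bob:NoPqRsTuVwXyZ:1002:100:Bob:/home/bob:/bin/sh' \
    > "$DEMO_DIR/yppasswd"
split_adjunct "$DEMO_DIR"
echo "public file:";  cat "$DEMO_DIR/yppasswd"
echo "adjunct file:"; cat "$DEMO_DIR/yppasswd.adjunct"
if adjunct_mode_ok "$DEMO_DIR" && public_file_clean "$DEMO_DIR"; then
    echo "adjunct is 0400 and no hash remains in the public file"
else
    echo "WARNING: adjunct is world-readable or a hash leaked" >&2
fi
```

Running adjunct_mode_ok again after a password change is the check the post is missing: if something (such as the daemon rewriting the file) has put the adjunct back to 644, the function fails and the script prints the warning instead of silently carrying on.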

Whew! That was quite a mouthful..whelp, those have been my successes and
failures lately.  Thanks to everybody who answered my questions..your help
has been invaluable.

Brendan Kehoe (bkehoe at widener.bitnet) -- Sun Systems Manager

PS:

After just reading a recent post to the list, I remembered two things that
I omitted in the section about setting up /var/spool/mail .. sendmail is
disabled on the clients, and all users are aliased to user at server (thru
YP).



More information about the Comp.sys.sun mailing list