*BSD News Article 92049


Return to BSD News archive

Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!news.mira.net.au!news.vbc.net!vbcnet-west!knews.uk0.vbc.net!vbcnet-gb!azure.xara.net!xara.net!netcom.net.uk!ix.netcom.com!cpk-news-hub1.bbnplanet.com!news.bbnplanet.com!news.sprintlink.net!news-peer.sprintlink.net!news-pull.sprintlink.net!news.sprintlink.net!news-dc-5.sprintlink.net!neonramp.com!cynjut.neonramp.com!cynjut.neonramp.com!not-for-mail
From: burgess@cynjut.neonramp.com (Dave Burgess)
Newsgroups: comp.unix.bsd.netbsd.announce,comp.unix.bsd.freebsd.announce,comp.answers,news.answers,comp.unix.openbsd.announce
Subject: [comp.unix.bsd] NetBSD, FreeBSD, and OpenBSD FAQ (Part 5 of 10)
Supersedes: <386bsd-faq-5-858240003@cynjut.neonramp.com>
Followup-To: comp.unix.bsd.netbsd.misc
Date: 27 Mar 1997 06:55:16 -0600
Organization: Dave's House in Omaha
Lines: 491
Approved: news-answers-request@MIT.Edu,cgd@sun-lamp.cs.berkeley.edu
Expires: 04/14/97 03:00:03 CDT
Message-ID: <386bsd-faq-5-859467259@cynjut.neonramp.com>
References: <386bsd-faq-1-859467259@cynjut.neonramp.com>
Reply-To: burgess@cynjut.neonramp.com (BSD FAQ Maintainer)
NNTP-Posting-Host: cynjut.neonramp.com
Keywords: FAQ 386bsd NetBSD FreeBSD !Linux
X-Posting-Frequency: Posted on/about the 13th and the 27th of every month.
Xref: euryale.cc.adfa.oz.au comp.unix.bsd.netbsd.announce:393 comp.unix.bsd.freebsd.announce:513 comp.answers:22986 news.answers:9556

Posted-By: auto-faq 3.1.1.2
Archive-name: 386bsd-faq/part5

Section 4.	(System Additions)

4.0	Introduction

	If you have written some addition to the kernel or some other 
	part of the system, or know of one that feel should be mentioned, 
	send mail to Dave Burgess (burgess@cynjut.neonramp.com) with all 
	the relevant information, and it will be added for the next 
	release.

4.1	Common Kernel-related problems

4.1.6	What about the termio, termios, and termcap stuff?

4.1.6.1	Sometimes I have trouble with my system resetting the terminal
	to seven bit mode.  Isn't BSD eight bit clean?

	The answer is "sort of".  The problem seems to come from the
	fact that the <sgtty.h> interface is not guaranteed to be eight
	bit clean.  The <termios.h> interface is better, and should be
	eight bit clean in all cases.  If you find an application that
	uses the <sgtty.h> interface, you should either contact the
	author and try and get them to use the termios interface or port
	the code yourself.


4.1.8	How do you implement quotas on Net/2 derived BSD systems?

	From: tinguely@plains.NoDak.edu (Mark Tinguely)

 	maybe you did not complete the setup, here is a step-by-step 
 	instructions to get them to work:

	1)  make a kernel with "options QUOTA" installed

	2)  edit /etc/fstab and include the kinds of quotas you want, 
	    below I used "userquota", you could also add "groupquota".

	/dev/wd0h		/usr		ufs	rw,userquota 1 2

	3)  for each filesystem that is in /etc/fstab that uses quota,
	    create the file "quota.user" (and "quota.group if appropriate).
	    Above I have user quotas in the /usr filesystem, so I would:

	    # touch /usr/quota.user

	4)  scan filesystem for files ownership (and/or group ownership).

	    # quotacheck -a

	5)  now you can add individual quota limits, if you want to add 
	    the same quotas to the many people, then make a template and 
	    replicate the template.  If they change for each user, then 
	    edit seperately.

	    # edquota tinguely

	 (an editor is kicked up and says something like:

	Quotas for user tinguely:
	  /usr: blocks in use: 11876, limits (soft = 0, hard = 0)
	        inodes in use: 891, limits (soft = 0, hard = 0)

	 a limit of 0 means "unlimited".  Change these to the appropriate 
	 number of blocks.  A soft limit generates a warning, and can be 
	 exceed for period of time (7 days?), after which time a soft limit 
	 is treated like a hard limit.  A hard limit denies new writes.

 	to replicate a template (for this example let us assume "tinguely" 
 	is the template):

	    # edquota -p tinguely user1 user2 user3 ... userN

	6)  turn quotas on (usually done in the /etc/rc file, but turn it 
	    on manually so you do not have to reboot right now:

	    # quotaon

	that should take care of setting up quotas.  You can look at the 
	status of use of files with repquota, the -a option lists all 
	filesystems with quotas.

4.1.9	What are the correct permissions for the /tmp, /usr/tmp, and
	/var/tmp directories?

	All of these directories should be owned by bin, group bin, mode
	1777.  This turns on the sticky bit, so that the only people who
	can remove a file from these directories are the owner and root.


4.2	Available kernel add-ons

4.2.7	Loadable Kernel Modules

	Several strides have been made in the past to reduce the amount
	of 'cruft' that gets into the default kernel.  One way is to
	make the kernel so hard to use that practically no one but a
	person with precisely the 'right' hardware would be able to use
	the system

	Another way is to implement something called 'LKM's or "Loadable
	Kernel Modules".  These are run-time extensions to the system
	that allow the distribution kernel to not include things that
	people might want, but not nxbeed until they get the system up
	and running.  While the security concerns of LKMs are valid,
	their implementation is such a win that the research to
	implement them is well worth it.

	It was really _very_ simple to make these, so this is nothing
	spectacular.  Just something to keep from having to recompile just to
	add msdosfs support to a machine.  ;)

	To try this:

		1)  get ftp://ftp.flame.org/pub/netbsd/lkm.tar.gz

		2)  untar it somewhere.  It will create a subdirectory 
		    called lkm and all extracted files will go in it. 
		    (I use /usr/src, but that may be a bad place)

		3)  follow the directions in lkm/README

	Please mail suggestions, and (especially) fixes and more 
	modules to Michael Graff <explorer@flame.org>.  Once it is 
	clean enough, I'll send it in as a send-pr and see what 
	happens.  :)

	One question which still needs to be resolved is where should 
	these *.o LKM's be installed?  The directory '/usr/lkm' would 
	be a good idea, with the output (modload's -o option) in 
	/var/run/lkm or something like that.


4.3	Other program building type problems.

4.3.1	I am building a program that requires access to the crypt library.  
	Either I have it and it isn't getting copied into the executable, 
	or I don't have it; why?

	This is actually two separate questions, but they are close enough
	to the same that I can answer them here.  The first problem that
	anyone building a 'crypt' aware program needs to remember is that
	the crypt library is a separate library and requires a '-lcrypt' 
	to be added at the end of the link line.  The other half of the 
	problem is the 'US Non Export' policy for DES encryption.  There 
	are several good sources (about one per country) for non-US
	crypt libraries.  IF you are outside the US and need one, look 
	around on some of the NetBSD/FreeBSD/OpenBSD FTP sites in the 
	'local area'.  By the way. I don't have any good URLs for Mars,
	so you might be out of luck.


4.3.2	I am having trouble with long file names in my libraries.  It
	seems like there is a 16 character limit in the library
	somewhere.

	There is a 16 character limit, sort of.  The most likely symptom
	for this is that the header for the file _after_ the long file
	name will be mangled.  It turns out that there is a "T" option
	that may not be documented very well that provides the correct
	functionality for long filename support in ar.

4.3.3	I'm getting annoyed with having this "conflicting types for 
	`sys_errlist'" problem show up nearly every time I build a 
	program.  What do I need to do?

	Remove the sys_errlist reference in the source you're compiling.
	You can either delete it (there are advantages to just deleting
	it) or you can wrap a "#ifdef __NetBSD__/#endif" pair around it.
	There are religious issues regarding the use of sys_errlist that
	involve either system security (most declaration allow the error
	list to be written to) or system internals (there's already a
	well-defined library call that performs the sys_errlist lookup).
	An anonymous example is included below:

	Most stupid packages such as GCC expects extern 
	(char*)sys_errlist[] whereas 4.4Lite based systems have more 
	secure extern const (char*) const sys_errlist[] declaration.  
	Just kick that "cccp.c" in the butt and modify the suspicious 
	line.  Hard to believe GCC still doesn't do that.  You're going 
	to have to do lots of this modification as you encounter more of 
	such programs.


4.4	System Administration Questions
4.4.1	Where can I get good books about NetBSD or FreeBSD?

	There is a set of books produced by O'Reilly and associates that
	describe in some detail the 4.4 BSD system.  The six volume set
	includes a book on system administration which directly pertains
	to the operation and management of NetBSD and FreeBSD.  Also see
	the Section 1 for a good list of the books that folks use for
	the system.  There is also a good list of books (specifically
	about writing device drivers) in the 'pcvt' distributions in
	NetBSD, FreeBSD, and OpenBSD.  It is in a file called
	'Bibliography' and contains the pcvt author's list of device
	driver books.


4.4.2	I am concerned about system security.  What should I do to
	protect my system from net attacks?

	With the release of the System Administrators Tool for Analyzing
	Networks (SATAN), network security has suddenly become a serious
	issue.  There are a few things you can do.

	--  Get, read, and understand the CERT advisories
	--  Get SATAN and run it against your own system or network.
	Fix whatever it finds as holes
	--  Get courtney, a program that was written to recognize a
	SATAN attack pattern and notify you whenever someone tries to
	probe your system
	--  Log all failed login attempts (see below)


4.4.3	How can I log failed login attempts?
	
	Failed logins are logged (without the attempted login name) at
	LOG_NOTICE priority.  Failed logins are logged _with_ the 
	attempted login name at LOG_NOTICE priority, and with the 
	LOG_AUTHPRIV facility.

	If you set up some lines in syslog.conf like:

	# The authpriv log file should be restricted access;
	# these messages shouldn't go to terminals or publically-readable files.
	authpriv.*                                      /var/log/secure

	Make absolutely sure, though, that it's really what you want:  
	logging actual supplied logins is often a great way to offer 
	cleartext passwords to an adversary...

	Which is why you have 
	    authpriv.*			/var/log/secure
	...,authpriv.none,...		/var/log/messages

	So none of the authpriv messages (those that actually display 
	the failed login) goto /var/log/messages, but they do go to
	/var/log/secure (which you have with 600 perms.)  Bear in mind
	that this still does not prevent someone that has hacked into
	your system with root privs from reading them.  See 4.4.2 for
	more information.


4.4.4	Can I use a Concatenated Filesystem with NetBSD?

	The "ccd" device (in -current) provides the capability to span a
	file system across multiple hard drive partitions.  Jason Thorpe
	<thorpej@nas.nasa.gov> has been working on it; if you try it and 
	have problems, here are the debug instructions:


4.4.4.1	Why, when I type "ccdconfig ccd0 16 none /dev/wd0a > /dev/wd1a", do
	I get back "ccdconfig: ioctl (CCDIOCSET): /dev/ccd0d: Device not
	configured"?

	Considering that the error comes froom the ioctl (rather than the 
	open) I'm tempted to say it comes from either the vn_open() or 
	subsequent VOP_*() operations on the components.  If you compile 
	your kernel with `options CCDDEBUG' and set the ccddebug variable 
	(near the top of ccd.c or with the ddb) to 0x03, you should be able 
	to see where it fails.  If you could send me that information, 
	that would be most helpful.

	Might be the same problem I had; it turns out that the partitions 
	that you build your concatenated disk device from must not be 
	marked "unused" in their native disks' labels.  This "device not 
	configured" is the way ccdconfig informs you of this condition...  :-)

	Actually, I guess this indicates a need for a special "ccd 
	component" type entry for disklabel?  Or should the partition 
	simply be marked as a "raw" partition, sharing this type with 
	database log partitions etc?

	'Der Mouse' (mouse@collatz.mcrcim.mcgill.edu) adds:

	Personally, I think ccd has no business looking at those 
	partition types.  But I definitely think a special ccd-component 
	partition type is _not_ the way to go; if nothing else, it makes 
	life hard for people running ports using non-NetBSD disk 
	partitions.  For example, under NetBSD/sparc on a disk with 
	a SunOS label, there are no partition types in the label, so 
	it would be impossible to use a ccd that insisted on a special 
	partition type on such a disk.


4.4.5	I am really new to Unix System Administration.  I need some real
	basic help.

4.4.5.1	What is the System Administrator's user name?
4.4.5.2	I can't log in as 'su'.  What does that message mean when I log
	in as root.

	Both of these indicate a newness to Unix System Administration
	that many of the core team members don't even remember.  The
	sysadmin user-id is "root", although you typically don't want to 
	log in directly as root.  A better solution is to log in as root 
	once, create a user-id and password for yourself.  Once you are 
	done with that, you need to modify the /etc/groups file.  This
	identifies the users that are allowed to be part of particular
	groups.  Add your UID to the "wheel" group and log off.  With a
	real UID and password and your UID identified as a "wheel"
	member. you will be able to use the 'su' command to log in as
	yourself and then "switch users" to root.  That, by the way, is
	also what that cryptic message "Don't log in as 'root', use 'su'
	instead." means.

4.4.5.3	Are there any books I can 'bootstrap' myself with?

	Yes.  Here are a couple:


	(1) Nemeth, Snyder, and Seebass, "Unix System Administration i
		Handbook"

	(2) Horspool, "The Berkeley Unix Environment"


4.4.5.4	How about some code examples?


	ftp://ftp.sterling.com:/usenet/alt.sources/        
	ftp://ftp.sterling.com:/usenet/comp.sources/misc
	ftp://ftp.sterling.com:/usenet/comp.sources.unix

	ftp://wuarchive.wustl.edu:/usenet/alt.sources/articles/
 	                          /usenet/comp.sources.misc/
 	                          /usenet/comp.sources.unix/

	ftp://src.doc.ic.ac.uk:/usenet/alt.sources/articles/
 	                       /usenet/comp.sources.misc/
 	                       /usenet/comp.sources.unix/



4.5	Daemon questions
4.5.1	I'd like to use amd to mount a file system (/dev/sd0f aka 
	/usr/local) on another machine as "/usr/local".  What's the 
	magic?

	There are several ways to achieve 'amd nirvana'.  Each of these
	elements below is an important consideration for getting amd to
	work correctly.

	The "-" means use these as defaults, so you need an entry without 
	a "-".  Also, I think one "-..." overrides the previous one 
	completely.

	As a start, you can use the following in your amd.project file:

	usr/local	opts:=rw;type:=nfs;rhost:=hostname;rfs:=/usr/local

	Then run "amd /usr/local /your/map/name -type:=direct".

	One word of warning, however.  In NetBSD 1.0, I couldn't get direct
	mount points to work for some reason.  I don't know if this has been
	fixed or not.

	If you are using a NetBSD 1.0 (or earlier) system, make /usr/local 
	a real symbolic link into an automount filesystem.

	Another instance of the amd.project file might look like this:
	/defaults type:=nfs;opts:=rw,soft,intr,grpid
	local	\
		host==hostname;type:=link;fs=/usr/local ||\
		host!=hostname;rhost:=hostname;rfs:=/usr/local
	
	You amd.master file might look like this:
	/project amd.project

	Here's another example which auto-mounts /usr/src from another 
	machine:

	grizu% ls -lad /usr/src
	lrwxr-xr-x  1 root  wheel  29 Dec 30 15:33 \ (split by ed.)
		/usr/src -> /tmp_mnt/mounts/src10/usr/src

	grizu% cat /etc/amd/master
	/net            /etc/amd/net
	/tmp_mnt/mounts /etc/amd/src
	
	grizu% cat /etc/amd/net
	/defaults       type:=host;fs:=${autodir}/${rhost};rhost:=${key}
	*               opts:=ro,soft,intr

	grizu% cat /etc/amd/src
	/defaults       type:=host;fs:=${autodir}/${rhost};
	src10           opts:=rw,soft,intr;rhost:=rfhu1001

	grizu% grep ^amd /etc/netstart
	amd=YES
	amd_dir=/tmp_mnt                # AMD's mount directory
	amd_master=/etc/amd/master      # AMD 'master' map
	
	grizu% ls -la /tmp_mnt
	total 9
	drwxr-xr-x   5 root  wheel   512 Jan  3 12:09 .
	drwxr-xr-x  26 root  wheel  1024 Jan  3 12:09 ..
	dr-xr-xr-x   3 root  wheel   512 Nov 20 19:29 ftp.uni-regensburg.de
	dr-xr-xr-x   2 root  wheel   512 Jan  4 10:43 mounts
	dr-xr-xr-x   4 root  wheel   512 Dec 11 08:18 rfhu1001
	
	grizu% ls -la /tmp_mnt/mounts
	total 3
	dr-xr-xr-x  2 root  wheel  512 Jan  4 10:43 .
	drwxr-xr-x  5 root  wheel  512 Jan  3 12:09 ..

	I guess that's all. rfhu1001 is the NFS server, grizu the client.
	

4.5.2	I am having trouble with my nameserver refusing to accept
	'nslookup's from my SunOS machine after I installed the resolver
	fix.  The exact error message is "*** Can't find server name for 
	address 194.100.46.2: Query refused". Can you help?

  	From the README file in the BIND distribution:

	    Versions of NSLOOKUP up through BIND 4.8.3's used IQUERY to 
	    ask the local server for information about the server's own 
	    name.  I assume that this was done in a "what the heck, 
	    nothing uses these, how can we contrive a need?" sort of 
	    spirit.  I removed this code as of BIND 4.9's NSLOOKUP and 
	    had it use the standard gethostbyaddr() mechanisms (which 
	    depend on normal queries of PTR data).  Disabling INVQ and 
	    putting "options fake-iquery" in the boot file will cause 
	    IQUERY to be answered bogusly but in a way that old nslookup 
	    programs won't trip on.  INVQ is disabled by default in 
	    conf/options.h.

	So, your options are:

	    -   Add "options fake-iquery" to named.boot and restart the 
		server

	    -   Replace your old, broken nslookup with the one in the 
	        4.9.3 BIND distribution.

	    --  Enable INVQ in conf/options.h, then rebuild and re-install 
		named.  This latter option isn't guaranteed to work.  If 
		you point an old version of nslookup at a server, and the 
		server either is not authoritative for a zone containing 
		the A RR matching the address you are sending the query to, 
		or if this A RR is not in it's cache, then nslookup will 
		still fail even if the server has the INVQ option turned on.


4.5.3	Are there any alternatives to 'NIS' available for NetBSD, et al.?

	Yes, there is 'hesiod' which provides (according to Ted Lemon 
	<mellon@fugue.com>i)another way of distributing databases like
	/etc/passwd, /etc/services, /etc/groups, and so on.  It uses
	DNS, which is (IMHO) slightly more robust and less easily
	subverted than NIS, and doesn't claim to provide authentication
	(authentication is Kerberos's job), so as part of a complete
	system, I think it's a much better solution.  It certainly has 
	a smaller installed base than NIS, though.

	There is also Kerberos IV, which provides similar functionality.
	NetBSD (1.0 or -current) now has a new set of changes to the 
	kerberosIV tree in

	ftp://ftp.unit.no/pub/NetBSD/ports/kerberosIV.diffs-0.1-0.2

	The author of the patches has also renamed the other Kerberos 
	files in the same directory to adhere to this private version
	number scheme, to allow for changes that will come later.


4.6	Adding new users.
4.6.1	Where can I FTP the 'adduser' program?

	There is one you can FTP (see the URL below).  You will need to
	be able to use 'vipw' to make it work, but that shouldn't be a
	big problem for most people.

	    ftp://ftp.quick.com.au/pub/unix/adduser.sh

	The man page is there too..

	    ftp://ftp.quick.com.au/pub/unix/adduser.8



-- 
Dave Burgess  (The man of a thousand E-Mail addresses)
*bsd FAQ Maintainer / SysAdmin for the NetBSD system in my spare bedroom
"Just because something is stupid doesn't mean there isn't someone that 
doesn't want to do it...."