From: Digestifier To: Linux-Admin@senator-bedfellow.mit.edu Reply-To: Linux-Admin@senator-bedfellow.mit.edu Date: Sun, 26 Sep 93 16:19:08 EDT Subject: Linux-Admin Digest #77 Linux-Admin Digest #77, Volume #1 Sun, 26 Sep 93 16:19:08 EDT Contents: Re: Linux Administration books (G. Engels) Re: Linux Administration books (G. Engels) Creating /dev/hda9 (Carl Kumaradas) Re: security and Linux binaries (Craig Groeschel) Re: security and Linux binaries (Craig Groeschel) Re: Creating /dev/hda9 (Charles T Wilson -- Personal Account) Re: Creating /dev/hda9 (Carl Kumaradas) Linux Clusters anyone ? (Vince Taluskie) Re: SECURITY HOLE in SLS (anyone can shutdown!) [FIX] (Warner Losh) Re: SECURITY HOLE in SLS (anyone can shutdown!) [FIX] (Christopher Lau) Re: SMAIL: problems with MXed sites in SLS (Chris Royle) ---------------------------------------------------------------------------- From: engelsg@uni-duesseldorf.de (G. Engels) Subject: Re: Linux Administration books Date: 25 Sep 1993 20:59:25 GMT >>OK, I read quite a bit of Linux documentation, from old FAQ's to new >>HOWTO's and even ALPHA version of SAG, but I haven't found an answer >>to this question (which is why I'm posting it to this newsgroup): >>I'm going to install Linux on my machine within next two weeks. I'll >>be the sole user and administrator of it so I want to get a good >>sys admin book on this. I read a few bibliographies, and in Unix >>Review August 1992, Richard Morin writes "BSD (SunOS 4.x) administrators >>should get the classic _UNIX System Administrator's Handbook_. SVR4 >>(SunOS 5.x) administrators should buy UNIX System V Release 4 Admini- >>stration..." >>Well, here is the problem: which one of these is more applicable to >>Linux administration since it is neither/both BSD and SVR4?? Or maybe >>some of you have some other personal favorite that you could recommend to >>me? BTW, I've got the SAG ALPHA 1, and it is really ALPHA. I definitely >>need some other book in addition to it. >A Good book is: >"Unix System administration handbook" by Evi Nemeth, Garth Snyder and Scott >Seebass. Prentice Hall , Englewood Cliffs, 1989 >ISBN 0-13-933441-6 >Robert Stockmann Matt Welsh wrote in his ftp'able book ''Linux Installation and getting started'' that there is a manual called ''The Linux System Administrator's Guide'' in development as a part of the Linux documentation project. What's the status of this book? I can only check some german ftp-servers because down here at the university of duesseldorf they seemed to cut off every connection to others countries this weekend (I hate hate hate them) and I couldn't find it down here. Is there something available at sunsite or tsx? engelsg@uni-duesseldorf.de ------------------------------ From: engelsg@uni-duesseldorf.de (G. Engels) Subject: Re: Linux Administration books Date: 25 Sep 1993 21:01:20 GMT >Matt Welsh wrote in his ftp'able book ''Linux Installation and getting >started'' that there is a manual called ''The Linux System Administrator's >Guide'' in development as a part of the Linux documentation project. What's >the status of this book? I can only check some german ftp-servers because >down here at the university of duesseldorf they seemed to cut off every >connection to others countries this weekend (I hate hate hate them) and I >couldn't find it down here. Is there something available at sunsite or tsx? >engelsg@uni-duesseldorf.de Ups, forget this posting. I have to learn to decode abbreviations. ------------------------------ From: ckumarad@chip.oci.utoronto.ca (Carl Kumaradas) Subject: Creating /dev/hda9 Date: Sat, 25 Sep 1993 23:23:43 GMT I just got linux installed and working with X. The only problem I have is that I have too many logical partitions. I created one for the swap file, but there aren't enough drivers in /dev to access it. How do I create /dev/hda9 so that I may swap on that partition. Another problem I have is that I would like to boot linux using OS/2's boot manager. I have linux booting from the boot floppy now. How can I setup linux to boot off the hard drive using OS/2's boot manager? I hav looked at the Linux FAQ and other sources, but I cannot get answeres to these two questions. Carl. -- J. Carl Kumaradas Ontario Cancer Institute ckumarad@pip.oci.utoronto.ca University of Toronto ------------------------------ From: craig@adikia.sccsi.com (Craig Groeschel) Subject: Re: security and Linux binaries Date: Sat, 25 Sep 1993 19:51:09 GMT In article <1993Sep24.121238.6625@black.ox.ac.uk> mbeattie@black.ox.ac.uk (Malcolm Beattie) writes: >In article bogstad@blaze.cs.jhu.edu (Bill Bogstad) writes: >> I agree with you in general; but binary distributions are not going >>to go away. One thing that might help (a little) is if people who put >>together packages would provide some kind of checksum of the package as a >>whole.... > >Even better would be for the author or otherwise trusted person >to make a list of checksums of the files in a package and then >sign that list with PGP. That way, provided the checksum method >is strong (and the checksums match :-) you can trust the package >as much as you trust the author (or whoever PGP-signed the list). If I am ftp'ing, say, the latest gem from the FSF, I'll often just grab it from a nearby site and check to see if the SIZE is the same as on prep.ai.mit.edu. Or I might even get the software from prep. Insecure, I know, but I am willing to accept that much risk, and I'll discount the possibility of someone spoofing the network connection. I thought it would be better to compare both size and checksum. But in the readme for the TAMU security package, the authors tell how crackers managed to alter files such that the sizes and checksums remained the same. [!!!] So I guess out of band strong crypto--excuse me, authentication--such as pgp is the way to go. That, and acquiring the data from a trusted source. -- Proud owner of a new Peugeot...pepper mill. Do not play this piece fast. It is never right to play Ragtime fast. --Joplin Ask me about the new & improved Bill of Rights. ------------------------------ From: craig@adikia.sccsi.com (Craig Groeschel) Subject: Re: security and Linux binaries Date: Sat, 25 Sep 1993 21:09:05 GMT I hope that it would be obvious, but let me say in advance that I'm not flaming the poster. In article <27q3rk$99l@osshe.edu> ritchiej@osshe.edu (John Ritchie) writes: >Recently I was reading some Unix System's administration book or other.... Reference, please. >The book, furthermore, stated that a sysadmin should carefully read through >any public-domain source code (or other source code of questionable, well, >source) before compiling it, and not compile it if there is anything that >isn't understood. A lot of my argument depends on how you define "questionable". Oh well, here goes: Flame on. I'm going to assume that the author(s) of the book meant "freely distributable" when he/she/they wrote "public domain". That's fine for code that is on the order of two pages (see the recent discussion on the firewalls list), but what about packages like gcc or GNU emacs--or Linux? Are you (you in general) going to "read and understand" the entire package? Would you have caught the setgid hole in emacs? If so, you've better things to do with your time. Where I used to work, the Internet was evil, all software on it was "public-domain", and it all had viruses, even the source code. You weren't allowed to ftp (or buy on tape) gcc and install it, but it would be ok if you read it first to be sure it was free of bugs. "Bugs or viruses?" I asked, and got a grudging "viruses" in reply. It would also be ok if you typed it in yourself. Some people were thinking of forming a committee to vote on whether a particular source distribution was virus-free. Gee, there's an objective evaluation. All of this while the "high-security" computers were running MIT X11R5 and GNU emacs binaries included by a vendor with their product. Flame off. Having the source gives me a warm fuzzy feeling, but I don't know how legitimate that feeling is. It may just be the opposite of FUD. What am I going to do? Grep for "exec" "system" "unlink" "open" "#define"? Getting source code from a reputable, uh, source--e.g., tsx-11 or prep--may also be a good idea. In the commercial world this is trusting your vendor. Having the whole Internet (hi everybody) as beta testers (guinea pigs? :-) 1/2 Hey, I'm one too.) is the biggest plus for me. (I remember one time someone posted some Mac program infected with the nVIRa virus. You should have seen the hue and cry!) >Although I think that the above view is a bit on the paranoid side, it >does raise a hairy question for the Linux community. Most Linux users >are _extremely_ vulnerable to security attacks, especially since Linux >is becoming so popular among Unix neophytes who install binaries >packaged by a thousand different "vendors", without reading or >understanding the source code. I haven't read gcc, yet I don't consider myself a Unix neophyte. >I guess the point I want to make is three-fold: First, users, be aware >of the possibility that binaries you use may not be as secure as you >assume they are; Second, packagers (such as SLS or Slackware), many >users are trusting your packages to contain clean binaries so YOU >should be sure that they all are clean; and thirdly, this problem once >again points out the importance of the Copyleft policy of having >source-code freely available. If you can't find source code for >something to inspect and compile yourself, realize that you're taking >an increased risk by using that package. (Aside: The TAMU (Gig 'em Ags) distribution contains source.) It all boils down to this: You have to know the risks, and you have to decide which ones you're willing to accept. -- Proud owner of a new Peugeot...pepper mill. Do not play this piece fast. It is never right to play Ragtime fast. --Joplin Ask me about the new & improved Bill of Rights. ------------------------------ From: ctwilson@rock.concert.net (Charles T Wilson -- Personal Account) Subject: Re: Creating /dev/hda9 Date: 26 Sep 1993 02:41:00 GMT In article ckumarad@chip.oci.utoronto.ca (Carl Kumaradas) writes: >Another problem I have is that I would like to boot linux using >OS/2's boot manager. I have linux booting from the boot floppy now. >How can I setup linux to boot off the hard drive using OS/2's >boot manager? > You need to add the linux partition that you're going to install lilo on (your root partition usually) to the bootmanager menu. Then use linux's fdisk to change the partition id to 83 ( or 2 or 3, for that matter, but 83 is best). Install lilo to boot that partition. Don't use any linux app (like fdisk) to toggle the partition active; it's not needed, and you may hose your partition table (from OS/2's point of view, anyway. That's it.. -- /-----------------------------------------------------------------------\ | Tom Wilson | "I can't complain, but sometimes | | ctwilson@rock.concert.net | I still do." | | | -Joe Walsh | ------------------------------ From: ckumarad@chip.oci.utoronto.ca (Carl Kumaradas) Subject: Re: Creating /dev/hda9 Date: Sun, 26 Sep 1993 05:14:57 GMT In article <282vfs$6j9@inxs.concert.net> ctwilson@rock.concert.net (Charles T Wilson -- Personal Account) writes: >In article ckumarad@chip.oci.utoronto.ca (Carl Kumaradas) writes: >>Another problem I have is that I would like to boot linux using >>OS/2's boot manager. I have linux booting from the boot floppy now. >>How can I setup linux to boot off the hard drive using OS/2's >>boot manager? >> >You need to add the linux partition that you're going to install >lilo on (your root partition usually) to the bootmanager menu. Then >use linux's fdisk to change the partition id to 83 ( or 2 or 3, for >that matter, but 83 is best). Install lilo to boot that partition. >Don't use any linux app (like fdisk) to toggle the partition active; >it's not needed, and you may hose your partition table (from OS/2's >point of view, anyway. That's it.. > Thank you to everyone who helped. I've got both problems resolved and am enjoying Linux a LOT. Carl. -- J. Carl Kumaradas Ontario Cancer Institute ckumarad@pip.oci.utoronto.ca University of Toronto ------------------------------ From: taluskie@utpapa.ph.utexas.edu (Vince Taluskie) Subject: Linux Clusters anyone ? Date: 26 Sep 1993 08:36:24 GMT I'm guessing that most Linux machines are used primarily by a single person (the owner of the 386/486). I'm very interested in hearing comments from people who have setup Linux clusters as part of a cost-effective general facility. I'm aware that NIS is not currently available - is there any support for diskless clients or /usr clients ? Any projected release dates for NIS ? Is RPC available ? Have people tried using an application such as PVM to utilize the entire cluster in a computation ? What are the strategies for upgrading groups of machines (around 15-20) ? Looking forward to hearing the comments of Linux admins on these topics... Vince Taluskie -- Vince Taluskie | Welcome my son, welcome to the machine. UNIX Systems Administration | Where have you been ? UT Physics Computer Group | It's alright we know where you've been. taluskie@utpapa.ph.utexas.edu | You've been in the pipeline, filling in time... Voice: (512) 471-5821 | --Pink Floyd, "Welcome to the Machine" ------------------------------ From: imp@boulder.parcplace.com (Warner Losh) Subject: Re: SECURITY HOLE in SLS (anyone can shutdown!) [FIX] Date: Sun, 26 Sep 1993 18:20:54 GMT In article <2815qk$5tc@usenet.INS.CWRU.Edu> bf703@cleveland.Freenet.Edu (Patrick J. Volkerding) writes: >Anyway - source and a binary for an in.rshd that uses shadow passwords >(and thus avoids this problem) can be found in /pub/linux/binaries on >ftp.cdrom.com. I've merged it into the 1.0.4 disks I have here, so it >will be fixed in the next release. In the meantime, *especially if you >are on the net*, you should check the security of your in.rshd, and >replace it if you need to. If you need a "quick fix" you can put '*' in the password entry for root. That solved the problem for me, and should have been what the shadow routines should have done in the first place. Note that rshd becomes worthless at this point for all users with passwords in the shadow file. It does keep the wolves at bay until you can grab a new, improved version of rsh. I saw a note about the shadow stuff needed to be udpated to a newer version that has this failsafe in it. Maybe it is time to do so. Warner -- Warner Losh imp@boulder.parcplace.COM ParcPlace Boulder I've almost finished my brute force solution to subtlety. ------------------------------ From: clau@acs.ucalgary.ca (Christopher Lau) Subject: Re: SECURITY HOLE in SLS (anyone can shutdown!) [FIX] Date: Sun, 26 Sep 1993 19:31:10 GMT bf703@cleveland.Freenet.Edu (Patrick J. Volkerding) writes: > > In a previous article, gold@wpfx01.physik.uni-wuerzburg.de (Werner Gold) says: > > >If you want to shutdown any Linux machine based on SLS try: > > > >rsh -l root /etc/halt > > ^^^^^^^^ > > or anything else !!! > > > >Do that from any host you like. > > > > Ouch! This worked with Slackware, too. I don't know about other > distributions. > Hmm.. this is a bug in NET2 that doesn't exist in NET1 (or whatever the pre-pl12 networking utilities are known as..).. Another reason not to use NET2 for at least another revision or two.. > -- > Patrick Volkerding > volkerdi@mhd1.moorhead.msus.edu > bf703@cleveland.freenet.edu c4.. Still running .99pl9 and proud of it.. -- Christopher Lau | Dammit Jim, I'm a doctor, The University of Calgary | not an engineer! Dept. of Electrical & Computer Engg. | Well, you're an engineer now.. lau@enel.ucalgary.ca -OR- clau@acs.ucalgary.ca -OR- root@fusion.cuc.ab.ca ------------------------------ From: c@royle.org (Chris Royle) Subject: Re: SMAIL: problems with MXed sites in SLS Date: Sun, 26 Sep 1993 11:19:55 GMT In comp.os.linux.admin, Michael 'Moose' Dinn (dinn@ug.cs.dal.ca) wrote: :> smail doesn't seem to want to send mail to sites with only MX records and no :> "real" IP addresses. :> Anyone else find this problem, or have a fix? I found that when i had a SLIP connection to a certain UK Dialup IP provider that I wouldn't like to mention. I need a fix fairly soon too because the machine is about to be "internetted"... Chris. -- Chris Royle Cheap mail & news feeds over UUCP from UKP5/mo Managing Director Windows / X-Windows code, 386s from UKP540 Objectronix Limited Desktop publishing Leeds, UK Tel. +44 532 661536 ------------------------------ ** FOR YOUR REFERENCE ** The service address, to which questions about the list itself and requests to be added to or deleted from it should be directed, is: Internet: Linux-Admin-Request@NEWS-DIGESTS.MIT.EDU You can send mail to the entire list (and comp.os.linux.admin) via: Internet: Linux-Admin@NEWS-DIGESTS.MIT.EDU Linux may be obtained via one of these FTP sites: nic.funet.fi pub/OS/Linux tsx-11.mit.edu pub/linux sunsite.unc.edu pub/Linux End of Linux-Admin Digest ******************************