Archive-name: sgi/faq/admin
Last-modified: Tue Jul  5 20:54:49 CDT 1994

    SGI admin Frequently Asked Questions (FAQ)

This is one of the Silicon Graphics FAQ series, which consists of:

    SGI admin FAQ - IRIX system administration
    SGI apps FAQ - Applications and miscellaneous programming
    SGI graphics FAQ - Graphics and user environment customization
    SGI hardware FAQ - Hardware
    SGI Impressario FAQ - IRIS Impressario
    SGI Inventor FAQ - IRIS Inventor
    SGI misc FAQ - Introduction & miscellaneous information
    SGI movie FAQ - Movies
    SGI Performer FAQ - IRIS Performer
    SGI pointer FAQ - Pointer to the other FAQs

Read the misc FAQ for information about the FAQs themselves.  Each FAQ
is posted to comp.sys.sgi.misc and to the news.answers and comp.answers
newsgroups (whose purpose is to store FAQs) twice per month.  If you
can't find one of the FAQs with your news program, you can get it by
anonymous FTP from one of these sites:

    rtfm.mit.edu:/pub/usenet/comp.sys.sgi.misc/
    rtfm.mit.edu:/pub/usenet/news.answers/sgi/faq/
    rtfm.mit.edu:/pub/usenet/comp.answers/sgi/faq/
    viz.tamu.edu:/pub/sgi/faq/

Note that rtfm.mit.edu is home to many other FAQs and informational
documents, and is a good place to look if you can't find an answer
here. If you can't use FTP, send mail to mail-server@rtfm.mit.edu with
the command 'send usenet/news.answers/ftp-list/faq' on a line by itself
in the text, and it will send you a document describing how to FTP by
mail. You can also read a hypertext version of the FAQs at

    http://www.cis.ohio-state.edu/hypertext/faq/usenet/sgi/top.html

The SGI FAQs are freely distributable and we encourage wide circulation.
The contents are accurate as far as we know, but the usual disclaimers
apply. Please send additions and changes to sgi-faq@viz.tamu.edu.

Topics covered in this FAQ:
---------------------------
   -1- DIAGNOSTICS
   -2- How can I determine which release of IRIX I'm running?
   -3- How can I determine my SGI's Ethernet (and/or FDDI) address?
   -4- My SGI crashed and generated a file, /usr/adm/crash/vmcore.1. How
       can I examine this file to see what crashed my system?
   -5- DISKS
   -6- Why is /debug or /proc full of huge files?
   -7- How do I extend an existing filesystem onto a new disk?
   -8- How do I know if I need more memory and/or swap space?
   -9- How much swap space should I have per megabyte of memory?
! -10- How can I increase my swap space?
+ -11- What are virtual and logical swap space? How do they work in IRIX
       3.x, 4.0.x and 5.x?
  -12- BOOTING
  -13- How can I boot directly into single-user mode?
  -14- How can I boot from a non-default disk?
  -15- How can I boot my machine using a server on the other side of a
       router?
  -16- How do I make a bootable tape from an IRIX 4.0.X CD?
  -17- Why can't I boot one of the stand-alone programs on a tape or CD?
  -18- INSTALLING
  -19- Is it possible to remotely install IRIX over a network?
  -20- Which IRIX CD is the program 'foo' on?
  -21- How can I extract a single file from an 'inst' subsystem?
  -22- Why doesn't 'inst' work?
  -23- Why doesn't 'inst' work remotely?
  -24- I reinstalled an IRIX subsystem to restore a missing file or get
       rid of a corrupted file, but it didn't help. Why not?
  -25- How can I install IRIX onto a second disk which I can then move
       to another machine?
  -26- How can I copy my system disk onto a second disk which I can then
       move to another machine?
  -27- NETWORKING
  -28- How can I measure my network's reliability?
  -29- How do I add a static route?
  -30- How can I make the 'slip' command advertise the Ethernet address
       of the SLIP client?
  -31- I've just edited inetd.conf, and nothing changed. Why?
! -32- Why isn't the objectserver working?
  -33- What is sending packets to the sgi-dog.mcast.net multicast
       address?
  -34- MAIL
  -35- How can I set up 'sendmail' to pass 8-bit characters?
  -36- Why are my mailbox files changing ownership?
  -37- Why isn't a valid user getting their mail?
  -38- How can SGIs and Suns share a mail spool?
  -39- What's an "unknown mailer error"?
  -40- What's "mailbox: Error 0"?
  -41- NFS
  -42- How can I tell what hostname to use in /etc/exports?
  -43- Why can't I export an NFS-mounted filesystem?
  -44- Why can't Ultrix automount SGI filesystems?
  -45- Why does 'tar' work strangely on a filesystem mounted from an
       SGI?
  -46- Is 'pcnfsd' available for the SGI?
  -47- Can I export a CD-ROM from my SGI to a non-SGI?
  -48- Why can't I export an ISO 9660 CD-ROM using NFS?
  -49- How can I read an IRIX (EFS) CD-ROM on a machine which doesn't
       use EFS?
  -50- PRINTING
  -51- Why can't 'lp' read my file?
  -52- How can I use 'lpr' to print to my local printer?
  -53- How can I use 'lp' to print to an 'lpr'-controlled printer?
  -54- How can I tell 'lp' to turn banner printing or page reversal off
       or on?
  -55- SECURITY
  -56- Where can I learn about Unix and IRIX security?
! -57- How can I configure IRIX more securely?
  -58- How can I log more information about logins?
  -59- How can I make an anonymous or restricted FTP account?
  -60- How can I get X authorization to work?
! -61- What security-related bugs does IRIX have?
  -62- I think I've found a security hole in IRIX; whom do I notify at
       SGI?
  -63- BUGS
  -64- Why is my network license daemon ('netlsd') exiting?
! -65- Why isn't /usr/adm/SYSLOG being updated?
  -66- What's this 'iotim' error in my syslog?
  -67- Why do 'who', 'rusers', etc. show users who aren't really logged
       in?
! -68- What's wrong with ftpd in IRIX 5.2?
  -69- Why do some programs parse /etc/fstab incorrectly?
  -70- My Indigo's Ethernet performance is dog-slow. What gives?
  -71- My Indigo running 4.0.5IOP is getting SIGSEGVs and crashing. What
       gives?
  -72- Why is my Indigo2 panicking?
  -73- Why can't I 'rdist' files between Suns and SGIs?
! -74- I just edited /etc/inittab, and now I can't start up or shut down
       my SGI! What's wrong?
  -75- MISCELLANEOUS
  -76- How do I set the number of processes allowed on my machine?
  -77- Where can I get a termcap file for 'iris-ansi-net' to install on
       my non-SGI system?
  -78- Can I change my full name or login shell without being superuser?
  -79- How can I administer my Iris without a graphics terminal?
  -80- Can I use the visual admin tools on a system with graphics to
       administer a system without graphics?

----------------------------------------------------------------------

Subject:    -1- DIAGNOSTICS
Date: 15 May 94 00:00:01 EST

These questions discuss how to find out things about your system.

------------------------------

Subject:    -2- How can I determine which release of IRIX I'm running?
Date: 07 Feb 94 00:00:01 CST

'uname -a' gives you all the kernel info; see the uname(1) manpage for
other options.

Of more general use, since kernels don't always reflect installed
software, is the 'versions' command.  'versions' with no arguments
lists all the installed software subsystems.

IRIX 5.2's System Manager ('chost') has the IRIX version number under
"IRIX Version" and a listing of installed software under "Software"
(the "Show Installed" button).

------------------------------

Subject:    -3- How can I determine my SGI's Ethernet (and/or FDDI)
                address?
Date: 07 Feb 94 00:00:01 CST

Many thanks to Miguel Sanchez <miguel@oasis.csd.sgi.com> for providing
the original version of the following discussion, and to Dave Olson
<olson@sgi.com> for comments. Andrew Cherenson
<arc@sgi.com> reminded us that all these methods except
the first apply to FDDI as well, but we'll just say "Ethernet" below.

Every system on an Ethernet network must have a unique Ethernet address
for the network to operate properly. The physical Ethernet address of
your system is the unique number assigned to the Ethernet hardware on
your system. This unique number is assigned to the manufacturer of your
Ethernet hardware by the IEEE (formerly by Xerox, one of the original
developers of Ethernet). This is not to be confused with the IP
address, which can be set arbitrarily.

You may need to determine your system's Ethernet address if your
network manager requires it before connecting your system to a
network.  How to do so depends on whether IRIX is running and what
operating system version is loaded.  Method 1 only provides the
Ethernet address of the primary interface.  If you have multiple
Ethernet interfaces (boards) in a system, use method 2, 3, 4 or 5 to
determine the address(es) of any other interface(s).

METHOD 1: eaddr

    If IRIX is not running, and the system is a Personal IRIS (4D20,
    25, 30, or 35), Indigo, Crimson, Onyx or Challenge, you can obtain
    the Ethernet address by typing 'eaddr' (older machines) or
    'printenv eaddr' (newer) at the PROM monitor prompt.  On some
    machines (4D30 or later) you can say 'nvram eaddr' while IRIX is
    running to get the same result.

METHOD 2: netstat

    Under IRIX 4.0.1 or later, you can use the netstat command. For
    example,

    % /usr/etc/netstat -ia
    Name  Mtu    Network   Address            Ipkts   Ierrs   Opkts  Oerrs  Coll
    ec0   1500   siligrph  luey7              7765678 21648  384477     0  30338
			    192.48.200.251
			    192.0.0.1
			    08:00:69:06:17:c2
    lo0   32880  loopback localhost           41438       0   41438     0      0
			    192.0.0.1

    As seen on the fourth address line, the address of the system
    luey7's primary Ethernet interface, "ec0", is 08:00:69:06:17:c2.

METHOD 3: arp

    You can obtain the Ethernet address of a Silicon Graphics system by
    using another system on your network. 'ping' the system whose
    Ethernet address you want, then use 'arp'. For example,

    % /usr/etc/ping -c 1 luey6
    PING luey6.sgi.com (192.48.200.250): 56 data bytes
    64 bytes from 192.48.200.250: icmp_seq=0 ttl=255 time=0 ms
    ----luey6.sgi.com PING Statistics----
    3 packets transmitted, 3 packets received, 0% packet loss
    round-trip (ms)  min/avg/max = 0/0/0
    % /usr/etc/arp luey6
    luey6 (192.48.200.250) at 8:0:69:6:c:40
    %

METHOD 4: NetVisualyzer/FDDIVisualyzer and the like

    SGI's NetVisualyzer/FDDIVisualyzer network monitoring software and
    at least one public domain equivalent ('netman', at
    ftp.cs.curtin.edu.au:/pub/netman/) allow you to find the Ethernet
    address corresponding to any IP address. Read the manual.

METHOD 5: System Manager

    The Network Setup part ('cnet') of IRIX 5.2's System Manager tool
    ('chost') shows the Ethernet address of each interface.

4DDN: A Special Case

    DECnet uses a one-to-one relationship between the DECnet node ID
    and the Ethernet address. If the DECnet address is changed the
    Ethernet address is changed. DECnet Ethernet addresses always start
    with aa:, so you can identify systems running DECnet with 'arp -a'.

    4DDN is Silicon Graphics' DECnet interconnection product. The
    Ethernet address of an IRIS running 4DDN will change when 4DDN is
    started.  Method 1 will return the original Ethernet address for
    the system.  Methods 2-5 will show the Ethernet address currently
    in use.
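
Added example (not part of the original FAQ): 'arp' prints octets
without leading zeros (8:0:69:6:c:40) while 'netstat -ia' pads them
(08:00:69:06:17:c2), so an address from Method 1 cannot be compared
textually with one from Methods 2-5. This sketch normalizes both forms
and flags addresses with the aa: prefix described above; the function
names and the sample lines marked "constructed" are assumptions.

```shell
#!/bin/sh
# Added example, not from the FAQ.  Function names and the sample
# lines marked "constructed" are assumptions made for illustration.

# normalize_mac ADDR
# Print ADDR as six zero-padded, lower-case octets; fail (status 1)
# if ADDR is not a colon-separated Ethernet address.
normalize_mac() {
    printf '%s\n' "$1" | awk -F: '
        NF != 6 { exit 1 }
        {
            out = ""
            for (i = 1; i <= 6; i++) {
                o = tolower($i)
                if (o !~ /^[0-9a-f][0-9a-f]?$/) exit 1
                if (length(o) == 1) o = "0" o
                if (i > 1) out = out ":"
                out = out o
            }
            print out
        }'
}

# same_mac A B
# Status 0 if A and B are the same address once normalized, 1 if they
# differ, 2 if either one cannot be parsed.
same_mac() {
    a=$(normalize_mac "$1") || return 2
    b=$(normalize_mac "$2") || return 2
    [ "$a" = "$b" ]
}

# classify_arp
# Read lines of the form "host (ip) at mac" on stdin and print
# "host ip normalized-mac kind", where kind is "decnet" for addresses
# starting with aa: and "other" otherwise.  Lines without a usable
# address are skipped.
classify_arp() {
    while read -r host ip at mac rest; do
        [ "$at" = "at" ] || continue
        norm=$(normalize_mac "$mac") || continue
        ip=${ip#\(}
        ip=${ip%\)}
        case "$norm" in
            aa:*) kind=decnet ;;
            *)    kind=other ;;
        esac
        printf '%s %s %s %s\n' "$host" "$ip" "$norm" "$kind"
    done
}

# Sample input.  The luey6 line is the FAQ's own 'arp' output; the
# vaxhost and newbox lines are constructed.
sample_arp_output() {
    cat <<'EOF'
luey6 (192.48.200.250) at 8:0:69:6:c:40
vaxhost (192.48.200.9) at aa:0:4:0:1:4
newbox (192.48.200.77) at (incomplete)
EOF
}

sample_arp_output | classify_arp
```

On a live system, feed it the real table with '/usr/etc/arp -a |
classify_arp'.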

sysinfo

    /etc/sysinfo is intended to return a unique identifier, which on
    some machines includes part or all of the Ethernet address. This is
    best regarded as an amusing coincidence, like HAL's name in "2001".
    Don't rely on it.

------------------------------

Subject:    -4- My SGI crashed and generated a file,
                /usr/adm/crash/vmcore.1. How can I examine this file to
                see what crashed my system?
Date: 10 Dec 93 00:00:01 EST

For a start, you can use 'dbx' like so:

  dbx -k /usr/adm/crash/{unix,vmcore}.#
  t
  &putbuf/1000s

Some machines have a special 'dbx' for crash dumps,
/usr/adm/crash/dbx.  If it exists, use it instead of /usr/bin/dbx.

There is also a script, 'crpt', which does this and more
automagically.  One version lives at
viz.tamu.edu:/pub/sgi/software/crpt/, but ask the TAC when you call to
make sure you have the latest and greatest.

------------------------------

Subject:    -5- DISKS
Date: 15 May 94 00:00:01 EST

These questions deal with disks and swap space.

------------------------------

Subject:    -6- Why is /debug or /proc full of huge files?
Date: 10 Dec 93 00:00:01 EST

Those aren't disk files, they're interfaces to running processes.  Read
the debug(4) and/or proc(4) manpages.

------------------------------

Subject:    -7- How do I extend an existing filesystem onto a new disk?
Date: 24 Jan 94 00:00:01 EST

Back up the existing filesystem (just in case) then run 'mklv' and
'growfs'. 'mklv' and 'growfs' are nondestructive, so you don't need to
restore the backup unless you screw up. Don't use 'mkfs', which does
destroy existing data.

------------------------------

Subject:    -8- How do I know if I need more memory and/or swap space?
Date: 20 Feb 94 00:00:01 EST

If processes are killed due to lack of memory/swap, you need more
memory and/or swap space. If your CPU is always waiting for swapping
(run 'osview' and look at the "%Swap" entry under "Wait Ratio") you
need more memory.

------------------------------

Subject:    -9- How much swap space should I have per megabyte of
                memory?
Date: 20 Feb 94 00:00:01 EST

An oft-recommended ratio is X memory:2.5 X swap, but this may be too
slow. Decide how much of your favorite program (plus IRIX) needs to be
resident for good performance and how much doesn't, and make sure you
have enough memory for the former and enough memory plus swap for the
latter. Put "rmem" and "swp" in your ~/.grosview file, run 'gr_osview'
and run your favorite program to see what it needs.

------------------------------

Subject: ! -10- How can I increase my swap space?
Date: 23 Jun 94 00:00:01 EST

The Jan/Feb 93 and May/Jun 94 Pipelines have detailed writeups on how to
do this in IRIX 4.0.x and 5.x respectively. If you like you can call the
TAC and have them fax you the very latest version.

------------------------------

Subject: + -11- What are virtual and logical swap space? How do they
                work in IRIX 3.x, 4.0.x and 5.x?
Date: 05 Jul 94 00:00:01 EST

Two terms whose meanings should already be clear: Physical swap space
is an area on disk, either a partition or (in IRIX 5.x) a swap file.
Virtual memory is the sum of physical memory and swap space.

IRIX 3.x accepts a memory request only if enough virtual memory is
free. Even if a process isn't using most of the memory it requested
(which happens often, e.g. when a large process forks and execs a small
process, or with Fortran 77 programs which allocate all storage
statically), its memory is unavailable to other processes until it
exits. IRIX 3.x has no virtual or logical swap space.

In IRIX 4.0.x, IRIX accepts every memory request, and does not allocate
virtual memory until a process actually tries to use it. This allows
programs which request more memory than they use to run with much less
memory than would otherwise be required. If too many processes actually
use their memory requests so that virtual memory is in danger of filling
up, IRIX kills one or more processes. IRIX usually kills the process
which is using the most virtual memory, which may well not be the
process which most recently requested virtual memory.

IRIX 5.x works like IRIX 4.0.x, but one can set the amount of virtual
memory which IRIX is allowed to overallocate. This amount is called
"virtual swap space". "Logical swap space" is the sum of physical and
virtual swap. There is no virtual swap space by default, so IRIX 5.x
behaves like IRIX 3.x. One can set virtual swap to any amount of memory;
if it is set sufficiently high, memory requests will always be granted,
just like IRIX 4.0.x. Using jargon retroactively, IRIX 4.0.x has an
infinite amount of virtual swap space.

Large or infinite amounts of virtual swap space work well for many
people, because most programs don't use all the virtual memory they
request, at least not at once. If your programs do use all their virtual
memory, they'll be killed and you'll see "Process killed due to
insufficient memory/swap" messages in your SYSLOG.

Under IRIX 4.0.x, you can only turn virtual swap off completely. Set the
kernel variable availsmem_accounting to 1: edit
/usr/sysgen/master.d/kernel, do 'autoconfig -f' and reboot. Doing so
makes IRIX 4.0.x behave like IRIX 3.x, allocating memory only if it is
actually available.

Under IRIX 5.x, you can turn virtual swap on or off by doing 'chkconfig
vswap off' or 'chkconfig vswap on', or change the size of virtual swap
by editing /etc/config/vswap.options, and rebooting. You can also use
'swap -v' to do any of these things directly and without rebooting.

Remember that IRIX 5.x comes with virtual swap turned off and set to
zero.  If you were happy with IRIX 4.0.x, you should turn virtual swap
on and set its size to a very large number. If programs are killed,
decrease the size of virtual swap or turn it off.

See the swap(1M) and swapctl(2) manpages for details.

------------------------------

Subject:   -12- BOOTING
Date: 15 May 94 00:00:01 EST

As the song says, "There must be fifty ways to boot your Iris."

------------------------------

Subject:   -13- How can I boot directly into single-user mode?
Date: 20 Feb 94 00:00:01 EST

Use the PROM monitor's 'single' command.

For machines earlier than 4D35s, whose PROMs don't have that command,
say 'boot dksc(0,1,0)unix initstate=s'. Replace 'dksc(0,1,0)' with the
appropriate device and partition if your boot volume is something other
than a SCSI device partitioned in the standard manner; see the chapter
on the PROM monitor in the "Advanced Site and Server Administration
Guide".

------------------------------

Subject:   -14- How can I boot from a non-default disk?
Date: 20 Jan 94 00:00:01 CST

Says Justin Mason <jmason@iona.ie>: If your disk is SCSI ID 4, do

  boot -f dksc(0,4,8)sash dksc(0,4,0)unix root=dks0d4s0

or

  setenv bootfile dksc(0,4,8)sash
  setenv path dksc(0,4,8)
  setenv root dks0d4s0			# This is the tricky part 
  auto

from the PROM. The first method works once, so that subsequent reboots
use SCSI ID 1, and the second method sets the PROM to boot from ID 4
every time (until you reset the PROM variables).

------------------------------

Subject:   -15- How can I boot my machine using a server on the other
                side of a router?
Date: 24 Jan 94 00:00:01 EST

Tell the router to forward BOOTP packets. If it can't, NFS-mount the
remote volumes on another machine on the same subnet and use the nearby
machine for your boot server.

------------------------------

Subject:   -16- How do I make a bootable tape from an IRIX 4.0.X CD?
Date: 20 Feb 94 00:00:01 EST

See the Sep/Oct 93 Pipeline for a detailed description, or just follow
Dave Olson <olson@sgi.com>'s summary: Take a look at the distcp(1M)
manpage, and do something like

    tapehost# mount -o ro cdhost:/CDROM /mnt
    tapehost# distcp /mnt/dist /dev/nrtape

Note that 'fx', 'ide', and 'sash' for all machines are in the dist/sa
file.  'sa' is an image of the first part of the tape; use 'mkboottape
-f sa -l' to see the contents.

------------------------------

Subject:   -17- Why can't I boot one of the stand-alone programs on a
                tape or CD?
Date: 03 Apr 94 00:00:01 EST

One reason is that some CPU names are preceded by periods and some
aren't. Another is that the Indigo R4000 and later CPUs use the suffix
'ARCS', not 'IP20' or whatever as one might expect from 'hinv'. For
example, the correct command to boot fx directly from the PROM monitor
on an Indigo R4000 is 'boot -f dksc(ctlr,unit,8)sashARCS
dksc(ctlr,unit,7)stand/fx.ARCS'. Note the use of 'ARCS' instead of
'IP20' and the missing period in 'sashARCS'.

------------------------------

Subject:   -18- INSTALLING
Date: 15 May 94 00:00:01 EST

These questions discuss software installation.

------------------------------

Subject:   -19- Is it possible to remotely install IRIX over a network?
Date: 20 May 93 00:00:01 CST

Yes. You can install IRIX from a remote machine which has a CD-ROM, a
tape drive, or an IRIX distribution directory.  All of these scenarios
(and several others) are described in detail in the "IRIS Software
Installation Guide".  Examples are provided.

------------------------------

Subject:   -20- Which IRIX CD is the program 'foo' on?
Date: 25 May 94 00:00:01 EST

Mount the CD and try 'grep foo /CDROM/dist/*.idb'. If you don't get any
output, 'foo' isn't on that CD. If you do, it is, and one of the fields
is the subsystem in which 'foo' lives. Entries in *.idb files don't
have a leading slash so you must leave it out if you grep for a full
path, e.g. 'grep usr/bin/lp /CDROM/dist/*.idb', not 'grep /usr/bin/lp
/CDROM/dist/*.idb'.

------------------------------

Subject:   -21- How can I extract a single file from an 'inst'
                subsystem?
Date: 25 May 94 00:00:01 EST

'inst' guru Paul Jackson <pj@sgi.com> reveals all:

- Find the subsystem in which the file lives, as described in the
  previous question. For this example we'll extract /sbin/ed, which
  lives in eoe1.sw.unix.

- Follow the bouncing prompt:

  > su
  > cd /usr/tmp
  > mkdir -p tmproot/var/inst
  > inst -f /CDROM/dist/eoe1 -r /usr/tmp/tmproot
  > Inst> keep *
  > Inst> install eoe1.sw.unix
  > Inst> go
  > Inst> q
  > ls -l /usr/tmp/tmproot/sbin/ed
  -rwxr-xr-x    1 root     sys        75480 May 24 13:57 /usr/tmp/tmproot/sbin/ed

- Move your file somewhere else and 'rm -r /usr/tmp/tmproot'.

- That was under IRIX 5.x. Under IRIX 4.0.x or earlier, use
  '/usr/tmp/tmproot/usr/lib/inst' for a temporary inst directory
  instead of '/usr/tmp/tmproot/var/inst'.

------------------------------

Subject:   -22- Why doesn't 'inst' work?
Date: 16 Jan 94 00:00:01 EST

One possibility is that you're using an old 'inst' with new software.
Always use an 'inst' at least as new as what you're installing.

------------------------------

Subject:   -23- Why doesn't 'inst' work remotely?
Date: 05 May 94 00:00:01 EST

Usually because it can't log in to the machine with the distribution
media.  'inst' uses the guest account to do so, so make sure that
guest on the machine on which you want to install software can rlogin
to guest on the machine with the distribution media without a
password.

------------------------------

Subject:   -24- I reinstalled an IRIX subsystem to restore a missing
                file or get rid of a corrupted file, but it didn't help.
                Why not?
Date: 13 Apr 94 00:00:01 EST

'inst' doesn't bother to install a subsystem if the same or a newer
version is already installed. Tell it to install anyway by saying 'set
neweroverride' before you say 'go'. Removing the subsystem and
reinstalling it will do more or less the same thing.

------------------------------

Subject:   -25- How can I install IRIX onto a second disk which I can
                then move to another machine?
Date: 20 Jan 94 00:00:01 EST

With difficulty. Many parts of the installation process assume that
you're installing IRIX onto your system disk (SCSI ID 1). Just fiddle
with SCSI ID switches and/or move disks around to make the disk onto
which you want to install IRIX the system disk for the duration of the
installation.

Furthermore, IRIX has many hardware dependencies, so you should only
move system disks between absolutely identical machines. If you want to
make a system disk for a machine without a network connection, CD-ROM
or tape drive, the easiest and safest way is to borrow another CD-ROM
or tape drive.

If you want to try anyway, Justin Mason <jmason@iona.ie> reports that
the following works under IRIX 5.1.1:

Set up the disk, e.g. with SCSI id 4, fx a generic "[bo]otable"
partition setup onto it, and mkfs the partitions. Copy sash, etc. from
your system disk to the new disk with dvhtool. Boot up the miniroot
as usual, go into inst, choose "admin" from the menu and do the
following, replacing SCSI IDs and partition numbers as appropriate:

  umount /root
  umount /root/usr
  mount /dev/dsk/dks0d4s0 /root
  mount /dev/dsk/dks0d4s6 /root/usr
  mount					# Just to check
  return				# Go back to main inst menu

Then install as you like.

------------------------------

Subject:   -26- How can I copy my system disk onto a second disk which I
                can then move to another machine?
Date: 17 Jun 94 00:00:01 EST

See the article in the Jul/Aug 92 Pipeline and the addendum in the
Nov/Dec 92 Pipeline, and note that the warning about hardware
dependencies in the previous question applies here too. Steve
Kotsopoulos <steve@ecf.toronto.edu> has written a script which does
this automatically; you can FTP it from
viz.tamu.edu:/pub/sgi/software/clonedisk/clonedisk. Be sure to read
the comments before running it!

------------------------------

Subject:   -27- NETWORKING
Date: 15 May 94 00:00:01 EST

These questions discuss general networking.

------------------------------

Subject:   -28- How can I measure my network's reliability?
Date: 13 Feb 94 00:00:01 EST

Don't worry about collisions. They are part of normal operation on a
crowded Ethernet. You *should* worry about late collisions (which are
logged to the console) and lost packets (which you can easily measure
with the command 'ping -fs 3000 -c 1000 someotherhost'), which usually
mean network hardware problems or a misconfigured bridge or router.

------------------------------

Subject:   -29- How do I add a static route?
Date: 10 Mar 94 00:00:01 EST

Some sites handle IP routing by designating a routing machine and
having all other hosts define a static route to that machine. The way
to do this on SGIs is in the /etc/init.d/network.local script.

1) Read the paragraph just before the copyright at the top of
   /etc/init.d/network and make the links it specifies.

2) Put something like the following in /etc/init.d/network.local,
   replacing ROUTER'S.IP.ADDRESS.HERE with the address of your router.

  #! /bin/sh
  case "$1" in
  'start')
      /usr/etc/route add default ROUTER'S.IP.ADDRESS.HERE 1 ;;
  'stop')
      /usr/etc/route delete default ROUTER'S.IP.ADDRESS.HERE ;;
  *)
      echo "Usage: $0 {start|stop}" ;;
  esac

If you NFS-mount disks from the other side of the static route, they
will not be unmounted properly during shutdown. You can fix this by
making the links so that /etc/init.d/network.local runs before
/etc/init.d/network: 'ln -s /etc/init.d/network.local
/etc/rc0.d/K41network' instead of '/etc/rc0.d/K39network'.

------------------------------

Subject:   -30- How can I make the 'slip' command advertise the Ethernet
                address of the SLIP client?
Date: 10 Dec 93 00:00:01 EST

You can't. Just add something like

  /usr/etc/arp -s $USER `netstat -ia | grep :` pub

to the shell script in which you start the SLIP process. $USER is the
SLIP client. The 'netstat | grep' part gets the host's Ethernet
address, and 'arp' advertises the host as an ARP server for $USER. See
also the arp(1M) manpage.

------------------------------

Subject:   -31- I've just edited inetd.conf, and nothing changed. Why?
Date: 10 Dec 93 00:00:01 CST

You need to make 'inetd' reread the file. Do 'killall -HUP inetd' or
reboot.

------------------------------

Subject: ! -32- Why isn't the objectserver working?
Date: 30 Jun 94 00:00:01 EST

Check the files /etc/fstab, /etc/exports and /etc/inittab carefully
for format problems. One such problem might be that the last line
doesn't end with a linefeed.

If you've found and fixed a problem, or if the objectserver is just
confused, you should rebuild its databases like so:

    /etc/init.d/cadmin stop
    /etc/init.d/cadmin clean
    /etc/init.d/cadmin start

If this doesn't work, try this:

    /etc/init.d/cadmin stop
    rm -rf /var/Cadmin/data
    /usr/Cadmin/bin/parseclasses
    /etc/init.d/cadmin start

If you're running NIS with 1000s of users, you can remove the NIS object
definition files so that the objectserver will not create NIS objects,
rebuild the objectserver database (without the NIS objects) and restart
the objectserver as follows (thanks to Anne Eagle <annee@sgi.com>). You
will not be able to manipulate NIS users with Cadmin if you do this.

    killall fm
    mediad -k
    killall objectserver
    mv /var/Cadmin/data /var/Cadmin/data.orig
    cp -pr /usr/Cadmin/classes /usr/Cadmin/classes.orig
    rm /usr/Cadmin/classes/groupObject.op
    rm /usr/Cadmin/classes/nisAccountObject.op
    rm /usr/Cadmin/classes/peopleNISObject.op
    rm /usr/Cadmin/classes/peopleObject.op
    /usr/Cadmin/bin/parseclasses
    /usr/Cadmin/bin/objectserver
    ps -ef | grep obj
    
Wait until you see 2 objectserver processes running, then do:

    mediad
    fm -lrb &

------------------------------

Subject:   -33- What is sending packets to the sgi-dog.mcast.net
                multicast address?
Date: 15 Jun 94 00:00:01 EST

The objectserver.

------------------------------

Subject:   -34- MAIL
Date: 15 May 94 00:00:01 EST

These questions discuss mail configuration and problems.

------------------------------

Subject:   -35- How can I set up 'sendmail' to pass 8-bit characters?
Date: 12 Feb 94 00:00:01 EST

Dunno, offhand, but many experts say "don't try". RFC822 requires mail
transport agents to *clear* the eighth bit, and many hosts do. Some
which don't may crash when they get mail with the eighth bit set.
Instead, use a MIME-compatible mail program. MIME, described in
RFC1521, is a standard for enclosing non-RFC822 material in your
mail.  The apps FAQ discusses several mail programs which support it.

Nonetheless, if someone wants to tell us about putting SGI's 'sendmail'
into 8-bit mode we'll note it here.

------------------------------

Subject:   -36- Why are my mailbox files changing ownership?
Date: 17 Jan 94 00:00:01 CST

If your mail directory is mounted from another machine, your machine
does not have root access, and the other machine has BSD-style
"restricted chown" (either because it's not an SGI or because someone
turned restricted chown on), /bin/mail will change mail file ownership
when delivering local mail. Without unrestricted chown or root access,
/bin/mail is unable to give mail files back to their owners after
delivering mail. You can fix the problem by turning off restricted
chown on the other machine (if it's an SGI), exporting the mail
directory with root access for your machine, or waiting for IRIX 5.2,
in which the problem will be fixed.

------------------------------

Subject:   -37- Why isn't a valid user getting their mail?
Date: 24 Jan 94 00:00:01 EST

IRIX's mail system requires "valid users" to have both valid password
file entries (whether local or via NIS) and home directories. The
latter often trips one up when installing POP servers and whatnot,
where home directories aren't really necessary. Just make a fake one.

------------------------------

Subject:   -38- How can SGIs and Suns share a mail spool?
Date: 05 Feb 94 00:00:01 EST

Paul Riddle <paulr@umbc.edu> has written up how he did it. Read
ftp.umbc.edu:/pub/sgi/shared-spool.text.

------------------------------

Subject:   -39- What's an "unknown mailer error"?
Date: 20 Feb 94 00:00:01 EST

There's a list in viz.tamu.edu:/pub/sgi/software/mail/mail-errors.

------------------------------

Subject:   -40- What's "mailbox: Error 0"?
Date: 05 Mar 94 00:00:01 EST

It's a harmless bug; don't worry about it. It is present in IRIX 4.0.x
before 4.0.5H/4.0.5IOP and fixed in those and later versions.

------------------------------

Subject:   -41- NFS
Date: 15 May 94 00:00:01 EST

These questions discuss NFS.

------------------------------

Subject:   -42- How can I tell what hostname to use in /etc/exports?
Date: 07 Feb 94 00:00:01 EST

NFS servers may need a particular form of a client's name in
/etc/exports to allow the client access. This may not be obvious, for
example if the server is also a router. Log in from the client to the
server and say 'echo $REMOTEHOST' to see what the server thinks the
client is called, and put that in /etc/exports.

IRIX 5.2's System Manager ('chost') should be able to determine the
correct hostname for you.

------------------------------

Subject:   -43- Why can't I export an NFS-mounted filesystem?
Date: 10 Dec 93 00:00:01 CST

This is known as multi-hop NFS. It is not allowed or supported in
(Sun's) NFS because it is not in general possible to detect errors such
as infinite mount loops, on either the client or the server.

------------------------------

Subject:   -44- Why can't Ultrix automount SGI filesystems?
Date: 10 Dec 93 00:00:01 CST

Ultrix's automount uses an "untrusted" port for mount requests. Add
an '-n' to the mountd lines in /usr/etc/inetd.conf (/etc/inetd.conf
in IRIX 5.x), like so:

mountd/1    stream  rpc/tcp wait    root    /usr/etc/rpc.mountd     mountd -n
mountd/1    dgram   rpc/udp wait    root    /usr/etc/rpc.mountd     mountd -n

then 'killall mountd' and 'killall -HUP inetd' or reboot.

------------------------------

Subject:   -45- Why does 'tar' work strangely on a filesystem mounted
                from an SGI?
Date: 03 Apr 94 00:00:01 EST

When user A extracts a file owned by user B from a tar archive, 'tar'
makes the file owned by user A unless user A is the superuser.  Some
systems allow users to give files away (e.g. IRIX); some do not (e.g.
SunOS).  On some systems with the restricted behavior (SunOS among
them), 'tar' tries to give the file to user B whether or not user A is
the superuser, assuming that the chown system call will fail if user A
is not. This is not true if user A is using 'tar' on (e.g.) a Sun to
extract files onto a filesystem NFS-mounted from (e.g.) an SGI. 'tar'
may create zero-length files or give away directories and then be
unable to extract files into them.

Work around the problem by doing the 'tar' on the SGI or extracting
onto a Sun filesystem. It is possible that third-party versions of
'tar' (e.g. GNU tar) are smarter; let us know if so. Don't turn on the
restricted_chown kernel variable on the SGI; while this will fix the
problem at hand, it will break SGI programs which need to give files
away without running as root (notably /bin/mail).

------------------------------

Subject:   -46- Is 'pcnfsd' available for the SGI?
Date: 27 Feb 94 00:00:01 EST

For IRIX 4.0.x, look in ftp.sgi.com:/support/pcnfsd.sysV/. (Note that
although SGI makes this available, they do not support it.) For IRIX 5.x,
look in viz.tamu.edu:/pub/sgi/software/pcnfsd/.

------------------------------

Subject:   -47- Can I export a CD-ROM from my SGI to a non-SGI?
Date: 10 Dec 93 00:00:01 EST

Not in IRIX 4.0.x. You can in IRIX 5.x, as you would any other
filesystem.

------------------------------

Subject:   -48- Why can't I export an ISO 9660 CD-ROM using NFS?
Date: 20 Feb 94 00:00:01 EST

You can, but only to another SGI (see the previous question) and
there's a catch. Add the CD-ROM filesystem to /etc/exports and export
it with 'exportfs' *before* you mount the CD-ROM.  This chicanery is
not necessary in IRIX 5.x. For more detail, read
viz.tamu.edu:/pub/sgi/hardware/exporting-iso-9660-cdrom or the article
in the Jan/Feb 93 Pipeline, or for an up-to-date copy call the TAC and
ask for SGI's writeup on "Mounting an ISO 9660 CD Across NFS".

------------------------------

Subject:   -49- How can I read an IRIX (EFS) CD-ROM on a machine which
                doesn't use EFS?
Date: 09 Jan 94 00:00:01 EST

You want 'efslook', in viz.tamu.edu:/pub/sgi/software/efslook/.

------------------------------

Subject:   -50- PRINTING
Date: 15 May 94 00:00:01 EST

These questions discuss printing.

------------------------------

Subject:   -51- Why can't 'lp' read my file?
Date: 10 Dec 93 00:00:01 EST

'lp' is setuid, so it can only read world-readable files. You can say
'lp < file' if you don't want to make your file world-readable.

------------------------------

Subject:   -52- How can I use 'lpr' to print to my local printer?
Date: 10 Dec 93 00:00:01 EST

SGI provides 'lpr' for printing on remote printers, and does not
support it for local printing. One way to do it anyhow is to make an
/etc/printcap entry with an output filter which is just a wrapper
around 'lp'. If that isn't crystal-clear, call the TAC and ask for
their "faxable" on "Integrating The AT&T Spooler With The BSD LPR Print
Spooler". A not-guaranteed-to-be-up-to-date copy is at
viz.tamu.edu:/pub/sgi/software/lp-lpr/lpr-to-lp.

------------------------------

Subject:   -53- How can I use 'lp' to print to an 'lpr'-controlled
                printer?
Date: 19 Jun 94 00:00:01 EST

Two possible ways:

- Write an 'lp' interface script that calls 'lpr'. Impressario 1.1 or
  later can do this for you; see the Impressario FAQ. If you don't
  have Impressario you can do it yourself or call SGI and ask for
  their writeup, "LPTOLPR, A Model File for LP", which includes (in
  fact, consists of) just such an interface script. A
  not-guaranteed-to-be-up-to-date copy is at
  viz.tamu.edu:/pub/sgi/software/lp-lpr/lp-to-lpr.

- Write an 'lp' replacement script that calls 'lpr'. One such script
  is at viz.tamu.edu:/pub/sgi/software/lp-lpr/lp-wrapper-for-lpr.

------------------------------

Subject:   -54- How can I tell 'lp' to turn banner printing or page
                reversal off or on?
Date: 19 Jun 94 00:00:01 EST

'lp' controls printers via shell scripts, called 'models', which live
in /usr/spool/lp/model. When you install a printer, the appropriate
model script is copied to /usr/spool/lp/interface/<name-of-printer>.

To temporarily change a printer's behavior, look at the manpage for its
interface script (or, if there is none, the script itself) to see what
options it wants, and pass them to the script with 'lp's '-o' option.
For example, 'lp -o"-nobanner" file' tells a "Generic Postscript"
printer (described in the gpsinterface(1) manpage) to print 'file'
without a banner page.

To permanently change a printer's behavior, edit its interface script.
The following are true for "Generic Postscript" printers, but the idea
is the same for others:

- To turn banner printing off or on, change the line 'BANNER=1' to
  'BANNER=0' or vice versa.

- To turn page reversal off or on, change the line
  'send=/usr/lib/print/lptops' to 'send="/usr/lib/print/lptops -U"'
  (note the quotes) or vice versa.

In IRIX 5.x, you can change these settings in the printpanel. You can
also turn banner printing off on a per-user basis by doing 'echo
nobanner > /usr/spool/lp/settings/<printername>/<yourusername>'.

------------------------------

Subject:   -55- SECURITY
Date: 15 May 94 00:00:01 EST

These questions discuss security.

------------------------------

Subject:   -56- Where can I learn about Unix and IRIX security?
Date: 15 May 94 00:00:01 EST

Read rtfm.mit.edu:/pub/usenet/news.answers/security-faq and the books
and papers listed therein for general discussions of Unix security.
Look on ftp.cert.org:/ for CERT advisories, descriptions of what CERT
and CERT advisories are, and other security-related material. If you
have a lot of spare time, consider the comp.security.unix newsgroup.

------------------------------

Subject: ! -57- How can I configure IRIX more securely?
Date: 23 Jun 94 00:00:01 EST

Several aspects of SGI's default IRIX configuration were chosen for
convenience, not security. Unless your machine is not networked, you
may be more concerned about security than SGI assumed.  Note that these
items have been discussed on Usenet many times, and Usenet chatter is
not a good way to change SGI policy. If they bother you, complain to
your sales rep and then fix them yourself as follows:

- Several accounts come without passwords, including (but not limited
  to) guest, 4Dgifts, demos, tutor, tour and particularly lp. Examine
  /etc/passwd and lock all unnecessarily open accounts.  Note that 1)
  parts of IRIX (e.g. 'inst') use the open guest account by default,
  and 2) remote 'lp' clients need access to the lp account to print, so
  you'll need to make other arrangements.

- 'xdm' does 'xhost +' by default when you log in. This allows anyone to
  open windows on your display and even to record what you type at your
  keyboard. Close this hole by removing the 'xhost +' from
  /usr/lib/X11/xdm/Xsession, /usr/lib/X11/xdm/Xsession-remote and (in
  IRIX 5.x) /usr/lib/X11/xdm/Xsession.dt.  In IRIX 5.2 and later you can
  use X authority to control access to remote displays; see below. In
  IRIX 5.1.x and earlier X authority doesn't work, so you'll need to use
  'xhost' judiciously to get to remote displays: say 'xhost +localhost'
  to run DGL programs and 'xhost +otherhost' to display remote X
  programs.

- At least some of the possible default values of the PATH environment
  variable begin with the current directory. (The system interprets
  either a period or the empty string in any component of PATH as the
  current directory. PATH is colon-separated, so if it begins with a
  colon the first component is the empty string.) This exposes you to
  Trojan horse programs. Set PATH to a safe value (remove the current
  directory, or at least move it to the end) in /etc/cshrc and/or
  /etc/profile.

- Read the rest of the entries in this section and make the changes
  they describe if necessary.

Please note that this list is guaranteed to be incomplete. Keep your
eyes open.
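
The script below is an added example, not part of the original FAQ or
of IRIX. It audits the three items listed above: accounts with an empty
password field, an uncommented bare 'xhost +' in session files, and
PATH components that mean the current directory. The function names and
all sample data (accounts, UIDs, file contents) are constructed.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed.

# Login names whose password field is empty. NIS "+"/"-" lines are skipped.
open_accounts() {
    awk -F: '$1 !~ /^[-+#]/ && NF >= 2 && $2 == "" { print $1 }' "$1"
}

# "file:line" for every uncommented bare 'xhost +' (open to all hosts).
# 'xhost +somehost' and commented-out lines are not reported.
bare_xhost_plus() {
    awk '/^[^#]*xhost[ \t]+\+([ \t]|$)/ { print FILENAME ":" FNR }' "$@"
}

# 1-based positions of PATH components that mean "current directory":
# the empty string (leading, trailing or doubled colon) or a period.
path_cwd_positions() {
    awk -v p="$1" 'BEGIN {
        n = split(p, part, ":"); out = ""
        for (i = 1; i <= n; i++)
            if (part[i] == "" || part[i] == ".")
                out = out (out == "" ? "" : " ") i
        if (out != "") print out
    }'
}

# The same PATH value with those components removed.
path_without_cwd() {
    awk -v p="$1" 'BEGIN {
        n = split(p, part, ":"); out = ""; sep = ""
        for (i = 1; i <= n; i++)
            if (part[i] != "" && part[i] != ".") {
                out = out sep part[i]; sep = ":"
            }
        print out
    }'
}

# Write constructed sample files into directory $1.
make_samples() {
    cat > "$1/passwd" <<'EOF'
root:constructed-hash:0:0:Super-User:/:/bin/csh
lp::9:9:Print Spooler Owner:/var/spool/lp:/bin/sh
guest::998:998:Guest Account:/usr/people/guest:/bin/csh
4Dgifts::999:998:4Dgifts Account:/usr/people/4Dgifts:/bin/csh
alice:constructed-hash:1001:20:Alice:/usr/people/alice:/bin/csh
+::0:0:::
EOF
    printf '%s\n' '#!/bin/sh' '/usr/bin/X11/xhost +' \
        'echo session-start' > "$1/Xsession"
    printf '%s\n' '#!/bin/sh' '#/usr/bin/X11/xhost +' \
        '/usr/bin/X11/xhost +localhost' > "$1/Xsession-remote"
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
echo "accounts with no password:"
open_accounts "$demo_dir/passwd"
echo "bare 'xhost +' found at:"
bare_xhost_plus "$demo_dir/Xsession" "$demo_dir/Xsession-remote"
sample_path=':/usr/sbin:/usr/bsd:/bin:/usr/bin:.'
echo "current-directory components: $(path_cwd_positions "$sample_path")"
echo "cleaned PATH: $(path_without_cwd "$sample_path")"
rm -rf "$demo_dir"
```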

------------------------------

Subject:   -58- How can I log more information about logins?
Date: 22 Jan 94 00:00:01 EST

- 'last', 'who', etc. get remote login information from /etc/xutmp and
  /etc/xwtmp. That information is only logged into these files if they
  already exist. To create them, just say 'touch /etc/xutmp
  /etc/xwtmp'. In IRIX 5.x, 'touch /var/adm/utmpx /var/adm/wtmpx'.

- As described in the login(1) manpage, you can add the line
  'syslog=all' to /etc/config/login.options to log all login attempts,
  not just successful ones, in /usr/adm/SYSLOG.

- 'ftpd', 'rshd' and 'tftpd' all have options ('-l' or '-L') which
  cause them to log all accesses. See their manpages. 'ftpd' also has
  '-ll' and '-lll' options (undocumented before IRIX 5.x) which log
  individual file transfers and the sizes of those files respectively.
  Add the options to the last fields (not the second-to-last) of the
  appropriate lines of /usr/etc/inetd.conf (/etc/inetd.conf in IRIX
  5.x), then do 'killall -HUP inetd' or reboot.
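
The check below is an added example, not part of the original FAQ. It
reads an inetd.conf and reports 'ftpd', 'rshd' and 'tftpd' entries that
have no '-l'/'-L' style option, and entries where an option was added
after the server path instead of after the program name. The function
names and the sample file are constructed.

```shell
#!/bin/sh
# Added example; function names and the sample inetd.conf are constructed.

# Fields: service socket proto wait user server-path argv[0] [options...]
# Options belong after argv[0] (field 7), so they start at field 8.
inetd_logging_gaps() {
    awk '
    /^[ \t]*#/ || NF < 7 { next }
    {
        n = split($6, part, "/"); prog = part[n]
        if (prog != "ftpd" && prog != "rshd" && prog != "tftpd") next
        # An option in field 7 means it was appended to the server path.
        if ($7 ~ /^-/) { print $1 ": option placed before argv[0]"; next }
        logging = 0
        for (i = 8; i <= NF; i++)
            if ($i ~ /^-(l+|L)$/) logging = 1
        if (!logging) print $1 ": no logging option"
    }' "$1"
}

# Write a constructed, tab-separated sample to file $1.
make_inetd_sample() {
    printf 'ftp\tstream\ttcp\tnowait\troot\t/usr/etc/ftpd\tftpd -ll\n' > "$1"
    printf 'shell\tstream\ttcp\tnowait\troot\t/usr/etc/rshd\trshd\n' >> "$1"
    printf 'tftp\tdgram\tudp\twait\tguest\t/usr/etc/tftpd -l\ttftpd\n' >> "$1"
    printf '#login\tstream\ttcp\tnowait\troot\t/usr/etc/rlogind\trlogind\n' >> "$1"
}

demo_file=$(mktemp)
make_inetd_sample "$demo_file"
inetd_logging_gaps "$demo_file"
rm -f "$demo_file"
```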

------------------------------

Subject:   -59- How can I make an anonymous or restricted FTP account?
Date: 04 May 94 00:00:01 EST

Read the ftpd(1M) manpage and/or the article in the March/April 1994
Pipeline. However, both discussions have a serious error: the ftp
account's home directory (/usr/people/ftp) should be owned and
writable only by root, NOT ftp. You might also want to make the 'pub'
directory "sticky" with 'chmod +t' (like /tmp and /usr/tmp) so that
one user can't delete another's files. A script which sets up a secure
anonymous FTP account is at
viz.tamu.edu:/pub/sgi/software/ftp/make-anonftp.

------------------------------

Subject:   -60- How can I get X authorization to work?
Date: 27 Apr 94 00:00:01 EST

Under IRIX 5.1.x or earlier, don't try. The MIT-MAGIC-COOKIE-1 protocol
did not work, and DGL programs did not understand X authority.

Under IRIX 5.2 or later, heed the wise words of Mark Kilgard of SGI's
X Window Systems group <mjk@hoot.asd.sgi.com>:

The basic mechanism for the MIT-MAGIC-COOKIE-1 authorization protocol
is implemented by the X server, Xlib, and xdm, and does work in IRIX
5.x.  MIT-MAGIC-COOKIE-1 is the only supported protocol.

Two caveats before I describe how to enable X authorization:

1) Old remote IRIS GL programs probably will not be able to connect to
   the X server when X authority is enabled. (More on this below.)

2) Due to a problem with how the local hostname is handled, to use X
   authority in the IRIX 5.x releases, you will need to make sure your
   /etc/sys_id file has a simple hostname, i.e. hoot instead of a fully
   resolved hostname like hoot.asd.sgi.com.  This problem has already
   been fixed for the next general release of IRIX.

TO ENABLE X AUTHORIZATION, do the following to your IRIX 5.2 system:

    1)  Edit /var/X11/xdm/xdm-config as root and change the line saying

DisplayManager*authorize:               off

      to say

DisplayManager*authorize:               on

    2) Edit /var/X11/xdm/Xsession, /var/X11/xdm/Xsession-remote, and
       /var/X11/xdm/Xsession.dt as root and change the line saying

/usr/bin/X11/xhost +

       to say

#/usr/bin/X11/xhost +

       This disables the "xhost +" by commenting out the command.

    3) Make sure your /etc/sys_id file has no periods in it.  For
       example, change as root:

hoot.asd.sgi.com

       to say

hoot

    4) Reboot the machine OR restart a new xdm and X server.  This can
       be done as root with the following command:

(/usr/gfx/stopgfx; killall xdm; /usr/gfx/startgfx) &

    5) Log in.  X authorization should be enabled.

If you want to disable X authorization and return to the default system
state where X clients can connect to the X server from any machine,
reverse the changes in steps 1 and 2 and repeat step 4.

If you want more information on X authorization, see the manpages for
xdm(1), Xserver(1), Xsgi(1), Xsecurity(1), xauth(1) and xhost(1).

X AUTHORITY AND REMOTE IRIS GL PROGRAMS: One of the major reasons for
Silicon Graphics shipping its window system so that an X client from
any machine could connect to the X server was because IRIS GL programs
running remote using the DGL (distributed GL) protocol didn't
interoperate with the X authorization mechanism; the dgld daemon that
would run on the machine with graphics hardware had no way to get the
correct X authority information to connect to the X server.

This has been fixed for IRIX 5.2, but the fix only applies to IRIX 5
binaries running remotely on an IRIX 5.2 system connecting to an IRIX
5.2 X server.  In particular, remotely run IRIX 4 IRIS GL binaries will
continue to not interoperate with an IRIX 5.2 X server (or a pre-IRIX
5.2 X server).  If you recompile your old IRIS GL binaries on IRIX 5.2,
they then will work remotely connecting to IRIX 5.2 X servers running X
authority.

The bottom line is that if you want an IRIS GL program to run remotely
on an X server using X authorization, you need to make sure the program
is an IRIX 5 binary running on an IRIX 5.2 machine and the machine with
the X server is also an IRIX 5.2 machine.

To avoid a possible misconception: IRIS GL programs RUNNING LOCALLY
(i.e., not using DGL) WILL WORK FINE on an IRIX 5.2 system no matter if
they are IRIX 4 or IRIX 5 binaries.  The problem with X authority is
only for REMOTE IRIS GL programs.

Also note that for X authorization to work for remote hosts, the remote
program must have access to the correct X authorization magic cookie
(normally read from ~/.Xauthority).  If you don't have a shared NFS
mounted home directory, you'll probably need to use the xauth command
to transfer the X authorization magic cookie to the remote
~/.Xauthority file.

THE FUTURE:  Hopefully in the next general release of IRIX, a mechanism
to enable and disable X authorization using a chkconfig option will be
supported.  The problem with /etc/sys_id not having periods will
definitely be fixed in the next general release of IRIX.  The problem
with pre-IRIX 5.2 X servers and binaries not interoperating with X
authorization will likely not be fixed. Fixing the problem required a
DGL protocol extension which both the IRIS GL program and dgld must
know about; this can't be fixed in already shipped software.

------------------------------

Subject: ! -61- What security-related bugs does IRIX have?
Date: 01 Jul 94 00:00:01 EST

Some general comments before we start:

- IRIX is too complex for us to guarantee that this list is complete. We
  only discuss problems we know about. We don't discuss insecurely
  designed systems (like YP) or ways in which you might misconfigure
  your system, only bugs.  We don't discuss third-party software, free
  or not.

- Prudence and space permit us to describe only how to close holes, not
  to exploit them. Try comp.security.unix.

- Some of the fixes involve installing a new version of a setuid
  binary.  Be sure that you 1) make it executable, setuid and owned by
  the correct user and group (or it won't work), and 2) remove the old
  version so bad guys can't use it!

Now for the holes themselves:

- CERT advisory CA-92:08, which you can get from

    ftp.cert.org:/pub/cert_advisories/CA-92:08.SGI.lp.vulnerability

  describes problems with the permissions of 'lp'-related parts of IRIX
  which allow anyone who can log in as lp to get root access. They are
  fixed in IRIX 4.0.5.  Briefly, the fix is

    su root
    cd /usr/lib
    chmod a-s,go-w lpshut lpmove accept reject lpadmin
    chmod go-ws lpsched vadmin/serial_ports vadmin/users vadmin/disks
    cd /usr/bin
    chmod a-s,go-w disable enable
    chmod go-ws cancel lp lpstat

- CERT advisory CA-93:16, which you can get from

    ftp.cert.org:/pub/cert_advisories/CA-93:16.sendmail.vulnerability

  describes a hole in /usr/lib/sendmail which allows anyone root
  access, whether they can log in initially or not!  Fixed versions for
  IRIX 4.0.x and 5.x (before 5.3) are at

    ftp.sgi.com:/sgi/IRIX4.0/sendmail/
    ftp.sgi.com:/sgi/IRIX5.0/sendmail/

- CERT advisory CA-93:17, which you can get from

    ftp.cert.org:/pub/cert_advisories/CA-93:17.xterm.logging.vulnerability

  describes a hole in /usr/bin/X11/xterm which allows any user root
  access. It is fixed in IRIX 5.x.  A fixed version for IRIX 4.x is at

    ftp.sgi.com:/sgi/IRIX4.0/xterm/

  The 'fix', incidentally, is that logging is completely disabled.

- /usr/bsd/rdist has several holes which allow any user root access.
  Some are fixed in IRIX 4.0.5x, but some are still present in all
  versions of IRIX 4.0.x and 5.x, including the 4.0.5 version on
  ftp.sgi.com. Close the hole with 'chmod -s'. rdist will then work
  only when used by root.

  If your non-root users need 'rdist', there is a free version which
  claims to be free of all known holes in usc.edu:/pub/rdist/.  Make
  sure you get version 6.1 beta 3 or later.

  Note that CERT advisory CA-91:20
  (ftp.cert.org:/pub/cert_advisories/CA-91:20.rdist.vulnerability) is
  badly out of date.

- The 'lpr' subsystem in IRIX 4.0.x and 5.x has several holes which
  allow a non-root user to become root. Note that 'lp' is SGI's usual
  printing system; you only need 'lpr' if you need to deal with remote
  printers. If you don't need 'lpr', make sure it isn't installed. (It
  lives in the eoe2.sw.lpr subsystem.) If you do need 'lpr', there are
  fixed versions for IRIX 4.0.x and 5.x at

    ftp.sgi.com:/sgi/IRIX4.0/lpr/lpr.latest.Z
    ftp.sgi.com:/sgi/IRIX5.0/lpr/lpr.latest.Z

  The version dated 29 April works with NIS (YP).

- /usr/bin/under is an unused (!) part of 'rexd'. It is setuid root and
  may allow root access, so 'chmod -s' it just in case. Note that SGI
  ships IRIX with 'rexd' turned off because 'rexd' is itself a security
  problem.

- /usr/etc/arp is setgid sys in IRIX 5.x before 5.3, allowing anyone who
  can log into your machine to read files which should be readable only
  by group 'sys'.  Close the hole with 'chmod -s'. This prevents
  non-root users from using 'arp' at all, but they don't generally need
  it.

- /usr/sbin/cdinstmgr is setuid root in IRIX 4.0.5[A-F] and
  /etc/init.d/audio is setuid root in IRIX 5.2. They are scripts; setuid
  scripts are a well-known Unix security problem. IRIX ignores the
  setuid bit by default, but 'chmod -s' the scripts just in case.

- /usr/sbin/colorview is setuid root in IRIX 5.x before 5.3, allowing
  anyone to use it to read any file regardless of permissions. Close the
  hole with 'chmod -s /usr/sbin/colorview'.
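
The script below is an added example, not part of the original FAQ. It
lists setuid and setgid files under a directory, picks out the ones
that are scripts, and clears the bits the way the 'chmod -s' fixes
above do. The function names are constructed, and the sample files
'audio' and 'colorview' are constructed stand-ins, not the IRIX
programs.

```shell
#!/bin/sh
# Added example; function names and the sample tree are constructed.

# Regular files under directory $1 that carry the setuid or setgid bit.
setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# True when file $1 starts with "#!", i.e. it is an interpreter script.
is_script() {
    [ "$(dd if="$1" bs=2 count=1 2>/dev/null)" = '#!' ]
}

# Setuid/setgid files under directory $1 that are scripts.
setid_scripts() {
    setid_files "$1" | while IFS= read -r f; do
        if is_script "$f"; then printf '%s\n' "$f"; fi
    done
}

# Remove the setuid and setgid bits from the named files.
clear_setid() {
    chmod a-s "$@"
}

# Build a constructed sample tree in directory $1.
make_setid_sample() {
    printf '#!/bin/sh\necho constructed script\n' > "$1/audio"
    printf '\177ELF constructed stand-in for a binary\n' > "$1/colorview"
    printf 'ordinary file\n' > "$1/notes"
    chmod 4755 "$1/audio" "$1/colorview"
    chmod 644 "$1/notes"
}

demo_dir=$(mktemp -d)
make_setid_sample "$demo_dir"
echo "setuid/setgid files:"
setid_files "$demo_dir"
echo "of which scripts:"
setid_scripts "$demo_dir"
clear_setid "$demo_dir/audio" "$demo_dir/colorview"
echo "remaining after clearing the bits:"
setid_files "$demo_dir"
rm -rf "$demo_dir"
```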

------------------------------

Subject:   -62- I think I've found a security hole in IRIX; whom do I
                notify at SGI?
Date: 10 Dec 93 00:00:01 CST

In general, if you find a security problem (or think you have), you can
send it to postmaster@sgi.com. This address gets a lot of mail, so you
may want to CC your mail to one of the SGI employees who regularly post
to Usenet. (Several have indicated that they will be glad to know about
such things.)

You can also notify CERT <cert@cert.org>, who will contact the
appropriate people from their contact list. They may take some time.

------------------------------

Subject:   -63- BUGS
Date: 15 May 94 00:00:01 EST

These questions discuss miscellaneous bugs in IRIX.

------------------------------

Subject:   -64- Why is my network license daemon ('netlsd') exiting?
Date: 20 May 93 00:00:01 CST

For netlsd to run, you need to have 'llbd' and 'glbd' installed and
running.  A complete debugging procedure is in the netls release notes,
which can be read with 'relnotes netls_eoe 5'.

------------------------------

Subject: ! -65- Why isn't /usr/adm/SYSLOG being updated?
Date: 23 Jun 94 00:00:01 CST

Popular causes include:

- running out of disk space. Once syslogd is unable to write to
  /usr/adm/SYSLOG, it won't try again until you send it a hangup signal
  with 'killall -HUP syslogd'.

- installing IRIX 4.0.x and failing to heed the nagging from
  the system when it is rebooted to run 'versions changed' and combine
  new and old configuration files.  In this case, the trouble is in
  /usr/spool/cron/crontabs/root.

- separating fields in /etc/syslog.conf with spaces instead of tabs.
  If you use spaces, syslogd will silently segv when it reads that file.
  This should be fixed in IRIX 5.3.

------------------------------

Subject:   -66- What's this 'iotim' error in my syslog?
Date: 12 Feb 94 00:00:01 EST

It's a bug in 'rpc.rstatd' which affects several programs including
'ruptime' and 'sysmeter'. In IRIX 4.0.5H and later, 'rpc.rstatd'
ignores the problem (returning all but the SCSI disk stats which cause
the error) but still generates a message.  The problem is completely
fixed in IRIX 5.x.  The pre-4.0.5H 'rpc.rstatd' says

  rstatd[4840]: read: iotim: No such device or address

and the post-4.0.5H 'rpc.rstatd' says

  rstatd[4941]: read: bad iotim, no disk stats: No such device or address

If you see the former, get the patched 'rpc.rstatd' from
ftp.sgi.com:/support/rpc.rstatd or (for Indigos) upgrade to IRIX
4.0.5IOP. If you see the latter, relax and wait for IRIX 5.x.

------------------------------

Subject:   -67- Why do 'who', 'rusers', etc. show users who aren't
                really logged in?
Date: 30 Dec 93 00:00:01 EST

There is a well-known bug in IRIX 4.0.x wherein /etc/utmp is not
updated properly after a user logout. These programs are simply
reporting the non-updated contents of /etc/utmp.

Fixes have been provided by jer@blaise.cif.rochester.edu, David Hinds
<dhinds@allegro.stanford.edu> and Patrick M. Ryan <pat@gsfc.nasa.gov>.
They can be found in viz.tamu.edu:/pub/sgi/software/utmp/.

------------------------------

Subject: ! -68- What's wrong with ftpd in IRIX 5.2?
Date: 29 Jun 94 00:00:01 EST

It doesn't maintain utmp properly, so ftp logins will appear in the
output of 'who' and similar commands even after they've logged out, and
it dies during 'mget's. Get the ftpd binary from an IRIX 5.1.1.3 (or
thereabouts, but not 4.0.5x!) system or use the WUarchive ftpd.

------------------------------

Subject:   -69- Why do some programs parse /etc/fstab incorrectly?
Date: 10 Dec 94 00:00:01 EST

In IRIX 4.0.5, some programs (e.g. 'fsr') misinterpret lines in
/etc/fstab, so that, e.g.,

  /dev/usr /usr efs rw,raw=/dev/rusr,quota 0 0

would cause 'fsr' to think that the raw device pathname was
"/dev/rusr,quota" instead of "/dev/rusr". There is no such device, so
/dev/rusr would never be defragmented. You can work around this by
putting the "raw" option last:

  /dev/usr /usr efs rw,quota,raw=/dev/rusr 0 0

This is fixed in IRIX 5.x.
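
The two parsers below are an added example, not code from 'fsr' or
IRIX. The first is an assumed reconstruction of the misparse described
above (everything after "raw=" is taken as the device); the second
splits the option list on commas first, so the position of "raw=" no
longer matters. Function names are constructed; the fstab lines are the
two shown above.

```shell
#!/bin/sh
# Added example; function names are constructed, and raw_device_naive is
# an assumed reconstruction of the misparse, not code from 'fsr'.

# Misparse: take everything after "raw=" in the options field (field 4).
# Prints "mountpoint rawdevice".
raw_device_naive() {
    awk '!/^[ \t]*#/ && NF >= 4 {
        at = index($4, "raw=")
        if (at) print $2, substr($4, at + 4)
    }' "$1"
}

# Correct parse: split the options on commas, then match the "raw=" option.
raw_device() {
    awk '!/^[ \t]*#/ && NF >= 4 {
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++)
            if (substr(opt[i], 1, 4) == "raw=")
                print $2, substr(opt[i], 5)
    }' "$1"
}

# Write the two fstab lines from the text into directory $1.
make_fstab_samples() {
    echo '/dev/usr /usr efs rw,raw=/dev/rusr,quota 0 0' > "$1/fstab.rawfirst"
    echo '/dev/usr /usr efs rw,quota,raw=/dev/rusr 0 0' > "$1/fstab.rawlast"
}

demo_dir=$(mktemp -d)
make_fstab_samples "$demo_dir"
for f in "$demo_dir/fstab.rawfirst" "$demo_dir/fstab.rawlast"; do
    echo "naive:   $(raw_device_naive "$f")"
    echo "correct: $(raw_device "$f")"
done
rm -rf "$demo_dir"
```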

------------------------------

Subject:   -70- My Indigo's Ethernet performance is dog-slow. What
                gives?
Date: 10 Dec 93 00:00:01 EST

Call the TAC. You need the "E++" patch, or IRIX 4.0.5IOP ("Indigo Only
Patch"), which includes the E++ patch.

------------------------------

Subject:   -71- My Indigo running 4.0.5IOP is getting SIGSEGVs and
                crashing. What gives?
Date: 12 Jan 94 00:00:01 EST

Make sure you've installed the 4.0.5IOP NFS maintenance patch along
with the rest of 4.0.5IOP. If you're sure you have, call the TAC.
You may need the "IP20 ethernet patch".  This comes *after* 4.0.5IOP,
and is not to be confused with the older "E++ patch" (see the previous
question).

------------------------------

Subject:   -72- Why is my Indigo2 panicking?
Date: 10 Jan 94 00:00:01 EST

There are several keyboard-related bugs in IRIX 4.0.5H and 4.0.5IOP
which cause Indigo2s to crash or freeze. One sign that these particular
bugs are responsible is the message "PANIC: Timeout Table Overflow" or
"WARNING: Couldn't allocate streams buffer" in /usr/adm/SYSLOG.  They
will be fixed in IRIX 5.2, and in the meantime you can get the "Indigo2
keyboard patch" (aka "pckm patch") from SGI.

------------------------------

Subject:   -73- Why can't I 'rdist' files between Suns and SGIs?
Date: 10 Dec 93 00:00:01 EST

Sun's 'rdist' expects SGI's 'rdist' to live in /usr/ucb, but it's
actually in /usr/bsd. Make a symbolic link from /usr/ucb/rdist to
/usr/bsd/rdist and all will be well.

------------------------------

Subject: ! -74- I just edited /etc/inittab, and now I can't start up or
                shut down my SGI! What's wrong?
Date: 23 Jun 94 00:00:01 EST

If the last line of /etc/inittab is a comment, init will screw up
horribly.  If your machine is still running, remove the comment and
everything will be OK. If not, go to the miniroot, run the shell and
remove the comment from there. (Note that from the miniroot's point of
view, /etc/inittab is /root/etc/inittab.) The problem should be fixed in
IRIX 5.3.

------------------------------

Subject:   -75- MISCELLANEOUS
Date: 15 May 94 00:00:01 EST

Everything else.

------------------------------

Subject:   -76- How do I set the number of processes allowed on my
                machine?
Date: 23 Jan 94 00:00:01 CST

Change NPROC in /usr/sysgen/master.d/kernel, run '/etc/autoconfig -f'
and reboot. In IRIX 5.x, use 'systune'.

------------------------------

Subject:   -77- Where can I get a termcap file for 'iris-ansi-net' to
                install on my non-SGI system?
Date: 20 May 93 00:00:01 CST

SGIs use terminfo, so you need to translate the terminfo description to
termcap. 'infocmp -Cr iris-ansi-net' will produce an iris-ansi-net
termcap file. See infocmp(1) for more. Note that 'infocmp' is in the
eoe2.sw.terminf subsystem, which is not installed by default.

------------------------------

Subject:   -78- Can I change my full name or login shell without being
                superuser?
Date: 16 Mar 94 00:00:01 EST

Maybe. IRIX 4.x has no 'chfn' or 'chsh', so if you're a local user
you're stuck. However, if your account is on NIS (Yellow Pages) you can
use 'ypchpass'. You might also ask your superuser to install one of the
many free implementations of 'chfn' and/or 'chsh'; one is in volume 3 of
comp.sources.unix (ftp.uu.net:/usenet/comp.sources.unix/volume3/).

------------------------------

Subject:   -79- How can I administer my Iris without a graphics
                terminal?
Date: 13 Apr 94 00:00:01 EST

The visual admin tools in IRIX 4.0.x ('vadmin') need GL, and do not
work on X terminals or workstations without GL. You can use 'sysadm' on
text terminals for some tasks, but beware of bugs and inadequacies: SGI
judged 'sysadm' to be too buggy to be worth updating for IRIX 5.x.

The visual admin tools in IRIX 5.x (x > 2) should display on any X
display, *except* for the backup/restore tool which is an exact port
from IRIX 4.0.x and requires GL. Some images will be missing when GL is
unavailable, but the tools will function properly. As for text
terminals, you're out of luck: 'sysadm' does not exist in IRIX 5.x.

Of course, you can always use a text editor and write scripts, or see
the next question.

------------------------------

Subject:   -80- Can I use the visual admin tools on a system with
                graphics to administer a system without graphics?
Date: 12 Feb 94 00:00:01 CST

Yes: just rlogin to the graphics-less system and run 'vadmin' (IRIX
4.0.x) or 'chost' (IRIX 5.x).  Make sure that the DISPLAY environment
variable is set correctly and that both the vadmin/sysadmdesktop and
the shared library subsystems are installed on the graphics-less system
(which they are in the default installation).

Under IRIX 5.x, look at the READMEs in /var/sysadmdesktop/rsysmanapps
and /var/sysadmdesktop/sysmanapps to find out how to use 'chost' to run
commands on remote systems. Finally, in a future release of IRIX 5.x,
the sysadmdesktop tools will be able to manage remote systems *without*
doing an rlogin.

------------------------------

End of sgi/faq/admin Digest
******************************
-- 
The SGI FAQ group                                sgi-faq@viz.tamu.edu
Finger us for info on the SGI FAQs, or look in viz.tamu.edu:/pub/sgi.
