SGI Developer Toolbox 6.1

home *** CD-ROM | disk | FTP | other *** search

/ SGI Developer Toolbox 6.1 / SGI Developer Toolbox 6.1 - Disc 1.iso / toolbox / FAQs / SGIfaqs / SGI-Admin-faq < prev next >

Wrap

Text File | 1996-11-11 | 76.9 KB | 1,969 lines

From: sgi-faq@viz.tamu.edu (The SGI FAQ group) Newsgroups: comp.sys.sgi.misc,comp.answers,news.answers Subject: SGI admin Frequently Asked Questions (FAQ) Supersedes: <admin_786697207@viz.tamu.edu> Followup-To: comp.sys.sgi.misc Date: 20 Dec 1994 06:56:33 GMT Organization: Visualization Lab, Texas A&M University Lines: 1950 Approved: news-answers-request@mit.edu Expires: 17 Jan 1995 07:00:07 GMT Message-ID: <admin_787906807@viz.tamu.edu> Reply-To: sgi-faq@viz.tamu.edu (The SGI FAQ group) NNTP-Posting-Host: viz.tamu.edu Originator: sgi-faq@viz Archive-name: sgi/faq/admin Last-modified: Sat Dec 17 12:14:08 CST 1994 SGI admin Frequently Asked Questions (FAQ) This is one of the Silicon Graphics FAQ series, which consists of: SGI admin FAQ - IRIX system administration SGI apps FAQ - Applications and miscellaneous programming SGI audio FAQ - Audio applications and programming SGI graphics FAQ - Graphics and user environment customization SGI hardware FAQ - Hardware SGI impressario FAQ - IRIS Impressario SGI inventor FAQ - IRIS Inventor SGI misc FAQ - Introduction & miscellaneous information SGI movie FAQ - Movies SGI performer FAQ - IRIS Performer SGI pointer FAQ - Pointer to the other FAQs Read the misc FAQ for information about the FAQs themselves. Each FAQ is posted to comp.sys.sgi.misc and to the news.answers and comp.answers newsgroups (whose purpose is to store FAQs) twice per month. If you can't find one of the FAQs with your news program, you can get it by anonymous FTP from one of these sites: viz.tamu.edu:/pub/sgi/faq/ rtfm.mit.edu:/pub/usenet/news.answers/sgi/faq/ ftp.uu.net:/usenet/news.answers/sgi/faq/ Note that rtfm.mit.edu is home to many other FAQs and informational documents, and is a good place to look if you can't find an answer here. If you can't use FTP, send mail to mail-server@rtfm.mit.edu with the word 'help' on a line by itself in the text, and it will send you a document describing how to get files from rtfm.mit.edu by mail. Send the command 'send usenet/news.answers/sgi/faq/misc' to get the SGI misc FAQ, and similarly for the other FAQs. Finally, the FAQs are on the World Wide Web at http://www.cis.ohio-state.edu/hypertext/faq/usenet/sgi/top.html The SGI FAQs are freely distributable and we encourage wide circulation. You MUST keep the FAQs intact, including headers and this notice. The contents are accurate as far as we know, but the usual disclaimers apply. (In particular, copies of the SGI FAQs published on paper or CD-ROM are certain to be out of date!) Please send additions and changes to sgi-faq@viz.tamu.edu. Topics covered in this FAQ: --------------------------- -1- DIAGNOSTICS -2- How can I determine which release of IRIX I'm running? -3- How can I determine my SGI's Ethernet (and/or FDDI) address? -4- My SGI crashed and generated a file, /usr/adm/crash/vmcore.1. How can I examine this file to see what crashed my system? -5- DISKS -6- How big can a file be? -7- Why is /debug or /proc full of huge files? -8- How do I extend an existing filesystem onto a new disk? -9- How do I know if I need more memory and/or swap space? -10- How much swap space should I have per megabyte of memory? -11- How can I increase my swap space? -12- What are virtual and logical swap space? How do they work in IRIX 3.x, 4.0.x and 5.x? -13- BOOTING -14- How can I boot directly into single-user mode? -15- How can I boot from a non-default disk? -16- How can I boot my machine using a server on the other side of a router? -17- How do I make a bootable tape from an IRIX CD? -18- Why can't I boot one of the stand-alone programs on a tape or CD? -19- INSTALLING -20- Is it possible to remotely install IRIX over a network? -21- Which IRIX CD is the program 'foo' on? -22- How can I extract a single file from an 'inst' subsystem? -23- Why doesn't 'inst' work? -24- Why doesn't 'inst' work remotely? -25- I reinstalled an IRIX subsystem to restore a missing file or get rid of a corrupted file, but it didn't help. Why not? -26- How can I install IRIX onto a second disk which I can then move to another machine? -27- How can I copy my system disk onto a second disk which I can then move to another machine? -28- NETWORKING -29- Why isn't my network working? -30- How can I measure my network's reliability? -31- How do I add a static route? -32- How can I make the 'slip' command advertise the Ethernet address of the SLIP client? -33- I've just edited inetd.conf, and nothing changed. Why? -34- Why can't I 'rdist' files between Suns and SGIs? -35- Why isn't the objectserver working? -36- What is sending packets to the sgi-dog.mcast.net multicast address? -37- MAIL -38- How can I set up 'sendmail' to pass 8-bit characters? -39- Why are my mailbox files changing ownership in IRIX 4.0.x? -40- Why isn't a valid user getting their mail? -41- How can SGIs and Suns share a mail spool? -42- What's an "unknown mailer error"? -43- What's "mailbox: Error 0"? -44- Why can't I receive mail on an NFS-mounted mail spool under IRIX 5.2? -45- NFS -46- How can I tell what hostname to use in /etc/exports? -47- Why can't I export an NFS-mounted filesystem? -48- Why can't Ultrix automount SGI filesystems? -49- Why does 'tar' work strangely on a filesystem mounted from an SGI? -50- Is 'pcnfsd' available for the SGI? -51- Can I export a CD-ROM from my SGI to a non-SGI? -52- Why can't I export an ISO 9660 CD-ROM using NFS? -53- How can I read an IRIX (EFS) CD-ROM on a machine which doesn't use EFS? + -54- How can I get quotas to work on an NFS filesystem? -55- PRINTING -56- Why can't 'lp' read my file? -57- How can I use 'lpr' to print to my local printer? -58- How can I use 'lp' to print to an 'lpr'-controlled printer? -59- How can I tell 'lp' to turn banner printing or page reversal off or on? -60- SECURITY -61- Where can I learn about Unix and IRIX security? -62- How can I check my system for security problems? ! -63- How can I configure IRIX more securely? -64- How can I log more information about logins? -65- How can I make an anonymous or restricted FTP account? -66- How can I get X authorization to work? ! -67- What security-related bugs does IRIX have? -68- I think I've found a security hole in IRIX; whom do I notify at SGI? -69- BUGS -70- Why is my network license daemon ('netlsd') exiting? -71- What's this 'iotim' error in my syslog in IRIX 4.0.x? -72- Why do 'who', 'rusers', etc. show users who aren't really logged in in IRIX 4.0.x? -73- Why do some programs parse /etc/fstab incorrectly in IRIX 4.0.5? -74- Why is my Indigo's Ethernet performance dog-slow under IRIX 4.0.x? -75- Why is my Indigo getting SIGSEGVs and crashing under IRIX 4.0.5IOP? -76- Why is my Indigo2 panicking under IRIX 4.0.5? -77- What's wrong with ftpd in IRIX 5.2? -78- Why isn't /usr/adm/SYSLOG being updated? -79- I just edited /etc/inittab, and now I can't start up or shut down my SGI! What's wrong? -80- Why does timed say "bind: Cannot assign requested address"? -81- Why is famd hammering my NFS server? -82- MISCELLANEOUS -83- How do I set the number of processes allowed on my machine? -84- Where can I get a termcap file for 'iris-ansi-net' to install on my non-SGI system? + -85- How can I make my SGI understand strange terminal types from other Unix systems? -86- Can I change my full name or login shell without being superuser? -87- How can I administer my Iris without a graphics terminal? -88- How can I use the visual admin tools on a system with graphics to administer a system without graphics? -89- Can I put my own picture in the 'clogin' display? ---------------------------------------------------------------------- Subject: -1- DIAGNOSTICS Date: 15 May 94 00:00:01 EST These questions discuss how to find out things about your system. ------------------------------ Subject: -2- How can I determine which release of IRIX I'm running? Date: 07 Feb 94 00:00:01 CST 'uname -a' gives you all the kernel info; see the uname(1) manpage for other options. Of more general use, since kernels don't always reflect installed software, is the 'versions' command. 'versions' with no arguments lists all the installed software subsystems. IRIX 5.2's System Manager ('chost') has the IRIX version number under "IRIX Version" and a listing of installed software under "Software" (the "Show Installed" button). ------------------------------ Subject: -3- How can I determine my SGI's Ethernet (and/or FDDI) address? Date: 07 Feb 94 00:00:01 CST Many thanks to Miguel Sanchez <miguel@oasis.csd.sgi.com> for providing the original version of the following discussion, and to Dave Olson <olson@sgi.com> for comments. Andrew Cherenson <arc@sgi.com> reminded us that all these methods except the first apply to FDDI as well, but we'll just say "Ethernet" below. Every system on an Ethernet network must have a unique Ethernet address for the network to operate properly. The physical Ethernet address of your system is the unique number assigned to the Ethernet hardware on your system. This unique number is assigned to the manufacturer of your Ethernet hardware by the IEEE (formerly by Xerox, one of the original developers of Ethernet). This is not to be confused with the IP address, which can be set arbitrarily. You may need to determine your system's Ethernet address if your network manager requires it before connecting your system to a network. How to do so depends on whether IRIX is running and what operating system version is loaded. Method 1 only provides the Ethernet address of the primary interface. If you have multiple Ethernet interfaces (boards) in a system, use method 2, 3, 4 or 5 to determine the address(es) of any other interface(s). METHOD 1: eaddr If IRIX is not running, and the system is a Personal IRIS (4D20, 25, 30, or 35), Indigo, Crimson, Onyx or Challenge, you can obtain the Ethernet address by typing 'eaddr' (older machines) or 'printenv eaddr' (newer) at the PROM monitor prompt. On some machines (4D30 or later) you can say 'nvram eaddr' while IRIX is running to get the same result. METHOD 2: netstat Under IRIX 4.0.1 or later, you can use the netstat command. For example, % /usr/etc/netstat -ia Name Mtu Network Address Ipkts Ierrs Opkts Oerrs Coll ec0 1500 siligrph luey7 7765678 21648 384477 0 30338 192.48.200.251 192.0.0.1 08:00:69:06:17:c2 lo0 32880 loopback localhost 41438 0 41438 0 0 192.0.0.1 As seen on the fourth address line, the address of the system luey7's primary Ethernet interface, "ec0", is 08:00:69:06:17:c2. METHOD 3: arp You can obtain the Ethernet address of a Silicon Graphics system by using another system on your network. 'ping' the system whose Ethernet address you want, then use 'arp'. For example, % /usr/etc/ping -c 1 luey6 PING luey6.sgi.com (192.48.200.250): 56 data bytes 64 bytes from 192.48.200.250: icmp_seq=0 ttl=255 time=0 ms ----luey6.sgi.com PING Statistics---- 3 packets transmitted, 3 packets received, 0% packet loss round-trip (ms) min/avg/max = 0/0/0 % /usr/etc/arp luey6 luey6 (192.48.200.250) at 8:0:69:6:c:40 % METHOD 4: NetVizualyzer/FDDIVizualyzer and the like SGI's NetVizualyzer/FDDIVizualyzer network monitoring software and at least one public domain equivalent ('netman', at ftp.cs.curtin.edu.au:/pub/netman/) allow you to find the Ethernet address corresponding to any IP address. Read the manual. METHOD 5: System Manager The Network Setup part ('cnet') of IRIX 5.2's System Manager tool ('chost') shows the Ethernet address of each interface. 4DDN: A Special Case DECnet uses a one-to-one relationship between the DECnet node ID and the Ethernet address. If the DECnet address is changed the Ethernet address is changed. DECnet Ethernet addresses always start with aa:, so you can identify systems running DECnet with 'arp -a'. 4DDN is Silicon Graphics' DECnet interconnection product. The Ethernet address of an IRIS running 4DDN will change when 4DDN is started. Method 1 will return the original Ethernet address for the system. Methods 2-5 will show the Ethernet address currently in use. sysinfo /etc/sysinfo is intended to return a unique identifier, which on some machines includes part or all of the Ethernet address. This is best regarded as an amusing coincidence, like HAL's name in "2001". Don't rely on it. ------------------------------ Subject: -4- My SGI crashed and generated a file, /usr/adm/crash/vmcore.1. How can I examine this file to see what crashed my system? Date: 12 Jul 94 00:00:01 EST For a start, you can use 'dbx' like so: dbx -k /var/adm/crash/{unix,vmcore}.# t &putbuf/1000s Some machines have a special 'dbx' for crash dumps, /usr/adm/crash/dbx. If it exists, use it instead of /usr/bin/dbx. The IRIX 5.x Electronic Services package includes a script, 'crpt', which does this and more automagically. A copy of the IRIX 5.2 version lives at viz.tamu.edu:/pub/sgi/software/crpt/. ------------------------------ Subject: -5- DISKS Date: 15 May 94 00:00:01 EST These questions deal with disks and swap space. ------------------------------ Subject: -6- How big can a file be? Date: 29 Oct 94 00:00:01 EST SGI EFS filesystems can be up to 8G in size, but a file on an EFS filesystem can only be 2GB in size. ------------------------------ Subject: -7- Why is /debug or /proc full of huge files? Date: 10 Dec 93 00:00:01 EST Those aren't disk files, they're interfaces to running processes. Read the debug(4) (IRIX 4.0.x) and/or proc(4) (IRIX 5.x) manpages. ------------------------------ Subject: -8- How do I extend an existing filesystem onto a new disk? Date: 24 Jan 94 00:00:01 EST Back up the existing filesystem (just in case) then run 'mklv' and 'growfs'. 'mklv' and 'growfs' are nondestructive, so you don't need to restore the backup unless you screw up. Don't use 'mkfs', which does destroy existing data. ------------------------------ Subject: -9- How do I know if I need more memory and/or swap space? Date: 20 Feb 94 00:00:01 EST If processes are killed due to lack of memory/swap, you need more memory and/or swap space. If your CPU is always waiting for swapping (run 'osview' and look at the "%Swap" entry under "Wait Ratio") you need more memory. ------------------------------ Subject: -10- How much swap space should I have per megabyte of memory? Date: 20 Feb 94 00:00:01 EST An oft-recommended ratio is X memory:2.5 X swap, but this may be too slow. Decide how much of your favorite program (plus IRIX) needs to be resident for good performance and how much doesn't, and make sure you have enough memory for the former and enough memory plus swap for the latter. Put "rmem" and "swp" in your ~/.grosview file, run 'gr_osview' and run your favorite program to see what it needs. ------------------------------ Subject: -11- How can I increase my swap space? Date: 26 Jul 94 00:00:01 EST The Jan/Feb 93 and May/Jun 94 Pipelines have detailed writeups on how to do this in IRIX 4.0.x and 5.x respectively. The Jul/Aug Pipeline has a correction to the latter article. If you like you can call the TAC and have them fax you the very latest version. ------------------------------ Subject: -12- What are virtual and logical swap space? How do they work in IRIX 3.x, 4.0.x and 5.x? Date: 05 Jul 94 00:00:01 EST Two terms whose meanings should already be clear: Physical swap space is an area on disk, either a partition or (in IRIX 5.x) a swap file. Virtual memory is the sum of physical memory and swap space. IRIX 3.x accepts a memory request only if enough virtual memory is free. Even if a process isn't using most of the memory it requested (which happens often, e.g. when a large process forks and execs a small process, or with Fortran 77 programs which allocate all storage statically), its memory is unavailable to other processes until it exits. IRIX 3.x has no virtual or logical swap space. In IRIX 4.0.x, IRIX accepts every memory request, and does not allocate virtual memory until a process actually tries to use it. This allows programs which request more memory than they use to run with much less memory than would otherwise be required. If too many processes actually use their memory requests so that virtual memory is in danger of filling up, IRIX kills one or more processes. IRIX usually kills the process which is using the most virtual memory, which may well not be the process which most recently requested virtual memory. IRIX 5.x works like IRIX 4.0.x, but one can set the amount of virtual memory which IRIX is allowed to overallocate. This amount is called "virtual swap space". "Logical swap space" is the sum of physical and virtual swap. There is no virtual swap space by default, so IRIX 5.x behaves like IRIX 3.x. One can set virtual swap to any amount of memory; if it is set sufficiently high, memory requests will always be granted, just like IRIX 4.0.x. Using jargon retroactively, IRIX 4.0.x has an infinite amount of virtual swap space. Large or infinite amounts of virtual swap space work well for many people, because most programs don't use all the virtual memory they request, at least not at once. If your programs do use all their virtual memory, they'll be killed and you'll see "Process killed due to insufficient memory/swap" messages in your SYSLOG. Under IRIX 4.0.x, you can only turn virtual swap off completely. Set the kernel variable availsmem_accounting to 1: edit /usr/sysgen/master.d/kernel, do 'autoconfig -f' and reboot. Doing so makes IRIX 4.0.x behave like IRIX 3.x, allocating memory only if it is actually available. Under IRIX 5.x, you can turn virtual swap on or off by doing 'chkconfig vswap off' or 'chkconfig vswap on', or change the size of virtual swap by editing /etc/config/vswap.options, and rebooting. You can also use 'swap -v' to do any of these things directly and without rebooting. Remember that IRIX 5.x comes with virtual swap turned off and set to zero. If you were happy with IRIX 4.0.x, you should turn virtual swap on and set its size to a very large number. If programs are killed, decrease the size of virtual swap or turn it off. See the swap(1M) and swapctl(2) manpages for details. ------------------------------ Subject: -13- BOOTING Date: 15 May 94 00:00:01 EST As the song says, "There must be fifty ways to boot your Iris." ------------------------------ Subject: -14- How can I boot directly into single-user mode? Date: 20 Feb 94 00:00:01 EST Use the PROM monitor's 'single' command. For machines earlier than 4D35s, whose PROMs don't have that command, say 'boot dksc(0,1,0)unix initstate=s'. Replace 'dksc(0,1,0)' with the appropriate device and partition if your boot volume is something other than a SCSI device partitioned in the standard manner; see the chapter on the PROM monitor in the "Advanced Site and Server Administration Guide". ------------------------------ Subject: -15- How can I boot from a non-default disk? Date: 20 Jan 94 00:00:01 CST Says Justin Mason <jmason@iona.ie>: If your disk is SCSI ID 4, do boot -f dksc(0,4,8)sash dksc(0,4,0)unix root=dks0d4s0 or setenv bootfile dksc(0,4,8)sash setenv path dksc(0,4,8) setenv root dks0d4s0 # This is the tricky part auto from the PROM. The first method works once, so that subsequent reboots use SCSI ID 1, and the second method sets the PROM to boot from ID 4 every time (until you reset the PROM variables). ------------------------------ Subject: -16- How can I boot my machine using a server on the other side of a router? Date: 24 Jan 94 00:00:01 EST Tell the router to forward BOOTP packets. If it can't, NFS-mount the remote volumes on another machine on the same subnet and use the nearby machine for your boot server. ------------------------------ Subject: -17- How do I make a bootable tape from an IRIX CD? Date: 22 Nov 94 00:00:01 EST See the Sep/Oct 93 Pipeline and/or viz.tamu.edu:/pub/sgi/software/distcp/making-bootable-tape for a detailed description, or just follow Dave Olson <olson@sgi.com>'s summary: Take a look at the distcp(1M) manpage, and do something like tapehost# mount -o ro cdhost:/CDROM /mnt tapehost# distcp /mnt/dist /dev/nrtape Note that 'fx', 'ide', and 'sash' for all machines are in the dist/sa file. 'sa' is an image of the first part of the tape; use 'mkbootape -f sa -l' to see the contents. ------------------------------ Subject: -18- Why can't I boot one of the stand-alone programs on a tape or CD? Date: 03 Apr 94 00:00:01 EST One reason is that some CPU names are preceded by periods and some aren't. Another is that the Indigo R4000 and later CPUs use the suffix 'ARCS', not 'IP20' or whatever as one might expect from 'hinv'. For example, the correct command to boot fx directly from the PROM monitor on an Indigo R4000 is 'boot -f dksc(ctlr,unit,8)sashARCS dksc(ctlr,unit,7)stand/fx.ARCS'. Note the use of 'ARCS' instead of 'IP20' and the missing period in 'sashARCS'. ------------------------------ Subject: -19- INSTALLING Date: 15 May 94 00:00:01 EST These questions discuss software installation. ------------------------------ Subject: -20- Is it possible to remotely install IRIX over a network? Date: 20 May 93 00:00:01 CST Yes. You can install IRIX from a remote machine which has a CD-ROM, a tape drive, or an IRIX distribution directory. All of these scenarios (and several others) are described in detail in the "IRIS Software Installation Guide". Examples are provided. ------------------------------ Subject: -21- Which IRIX CD is the program 'foo' on? Date: 25 May 94 00:00:01 EST Mount the CD and try 'grep foo /CDROM/dist/*.idb'. If you don't get any output, 'foo' isn't on that CD. If you do, it is, and one of the fields is the subsystem in which 'foo' lives. Entries in *.idb files don't have a leading slash so you must leave it out if you grep for a full path, e.g. 'grep usr/bin/lp /CDROM/dist/*.idb', not 'grep /usr/bin/lp /CDROM/dist/*.idb'. ------------------------------ Subject: -22- How can I extract a single file from an 'inst' subsystem? Date: 25 May 94 00:00:01 EST 'inst' guru Paul Jackson <pj@sgi.com> reveals all: - Find the subsystem in which the file lives, as described in the previous question. For this example we'll extract /sbin/ed, which lives in eoe1.sw.unix. - Follow the bouncing prompt: > su > cd /usr/tmp > mkdir -p tmproot/var/inst > inst -f /CDROM/dist/eoe1 -r /usr/tmp/tmproot > Inst> keep * > Inst> install eoe1.sw.unix > Inst> go > Inst> q > ls -l /usr/tmp/tmproot/sbin/ed -rwxr-xr-x 1 root sys 75480 May 24 13:57 /usr/tmp/tmproot/sbin/ed - Move your file somwhere else and 'rm -r /usr/tmp/tmproot'. - That was under IRIX 5.x. Under IRIX 4.0.x or earlier, use '/usr/tmp/tmproot/usr/lib/inst' for a temporary inst directory instead of '/usr/tmp/tmproot/var/inst'. ------------------------------ Subject: -23- Why doesn't 'inst' work? Date: 16 Jan 94 00:00:01 EST One possibility is that you're using an old 'inst' with new software. Always use an 'inst' at least as new as what you're installing. ------------------------------ Subject: -24- Why doesn't 'inst' work remotely? Date: 05 May 94 00:00:01 EST Usually because it can't log in to the machine with the distribution media. 'inst' uses the guest account to do so, so make sure that guest on the machine on which you want to install software can rlogin to guest on the machine with the distribution media without a password. ------------------------------ Subject: -25- I reinstalled an IRIX subsystem to restore a missing file or get rid of a corrupted file, but it didn't help. Why not? Date: 13 Apr 94 00:00:01 EST 'inst' doesn't bother to install a subsystem if the same or a newer version is already installed. Tell it to install anyway by saying 'set neweroverride' before you say 'go'. Removing the subsystem and reinstalling it will do more or less the same thing. ------------------------------ Subject: -26- How can I install IRIX onto a second disk which I can then move to another machine? Date: 20 Jan 94 00:00:01 EST With difficulty. Many parts of the installation process assume that you're installing IRIX onto your system disk (SCSI ID 1). Just fiddle with SCSI ID switches and/or move disks around to make the disk onto which you want to install IRIX the system disk for the duration of the installation. Furthermore, IRIX has many hardware dependencies, so you should only move system disks between absolutely identical machines. If you want to make a system disk for a machine without a network connection, CD-ROM or tape drive, the easiest and safest way is to borrow another CD-ROM or tape drive. If you want to try anyway, Justin Mason <jmason@iona.ie> reports that the following works under IRIX 5.1.1: Set up the disk, e.g. with SCSI id 4, fx a generic "[bo]otable" partition setup onto it, and mkfs the partitions. Copy sash, etc. from your system disk to the new disk with dvhtool. Boot up the miniroot as usual, go into inst, choose "admin" from the menu and do the following, replacing SCSI IDs and partition numbers as appropriate: umount /root umount /root/usr mount /dev/dsk/dks0d4s0 /root mount /dev/dsk/dks0d4s6 /root/usr mount # Just to check return # Go back to main inst menu Then install as you like. ------------------------------ Subject: -27- How can I copy my system disk onto a second disk which I can then move to another machine? Date: 17 Jun 94 00:00:01 EST See the article in the Jul/Aug 92 Pipeline and the addendum in the Nov/Dec 92 Pipeline, and note that the warning about hardware dependencies in the previous question applies here too. Steve Kotsopoulos <steve@ecf.toronto.edu> has written a script which does this automatically; you can FTP it from viz.tamu.edu:/pub/sgi/software/clonedisk/clonedisk. Be sure to read the comments before running it! ------------------------------ Subject: -28- NETWORKING Date: 15 May 94 00:00:01 EST These questions discuss general networking. ------------------------------ Subject: -29- Why isn't my network working? Date: 08 Oct 94 94 00:00:01 EST A list of good things to try is at viz.tamu.edu:/pub/sgi/lists/network-checklist. ------------------------------ Subject: -30- How can I measure my network's reliability? Date: 16 Oct 94 00:00:01 EST Don't worry about collisions. They are part of normal operation on a crowded Ethernet. You *should* worry about late collisions (which are logged to the console) and lost packets (which you can easily measure with the command 'ping -fs 3000 -c 1000 someotherhost'), which usually mean network hardware problems or a misconfigured bridge or router. See Chapter 18 of the "IRIX Advanced Site and Server Administration Guide" and the Sep/Oct 93 Pipeline for more. ------------------------------ Subject: -31- How do I add a static route? Date: 13 Nov 94 00:00:01 EST Some sites handle IP routing by designating a routing machine and having all other hosts define a static route to that machine. The way to do this on SGIs is in the /etc/init.d/network.local script. 1) Read the paragraph just before the copyright at the top of /etc/init.d/network and make the links it specifies. 2) Put something like the following in /etc/init.d/network.local, replacing ROUTER'S.IP.ADDRESS.HERE with the address of your router. #! /bin/sh IS_ON=/sbin/chkconfig case "$1" in 'start') if $IS_ON network; then # network must be chkconfig'ed on /usr/etc/route add default 130.132.25.1 1 fi ;; 'stop') /usr/etc/route delete default 130.132.25.1 ;; *) echo "Usage: $0 {start|stop}" ;; esac Check the script with 'sh -v /etc/init.d/network.local'. If you NFS-mount disks from the other side of the static route, they will not be unmounted properly during shutdown. You can fix this by making the links so that /etc/init.d/network.local runs before /etc/init.d/network: 'ln -s /etc/init.d/network.local /etc/rc0.d/K41network' instead of '/etc/rc0.d/K39network'. ------------------------------ Subject: -32- How can I make the 'slip' command advertise the Ethernet address of the SLIP client? Date: 10 Dec 93 00:00:01 EST You can't. Just add something like /usr/etc/arp -s $USER `netstat -ia | grep :` pub to the shell script in which you start the SLIP process. $USER is the SLIP client. The 'netstat | grep' part gets the host's Ethernet address, and 'arp' advertises the host as an ARP server for $USER. See also the arp(1M) manpage. ------------------------------ Subject: -33- I've just edited inetd.conf, and nothing changed. Why? Date: 10 Dec 93 00:00:01 CST You need to make 'inetd' reread the file. Do 'killall -HUP inetd' or reboot. ------------------------------ Subject: -34- Why can't I 'rdist' files between Suns and SGIs? Date: 10 Dec 93 00:00:01 EST Sun's 'rdist' expects SGI's 'rdist' to live in /usr/ucb, but it's actually in /usr/bsd. Make a symbolic link from /usr/ucb/rdist to /usr/bsd/rdist and all will be well. ------------------------------ Subject: -35- Why isn't the objectserver working? Date: 04 Nov 94 00:00:01 EST Anne Eagle <annee@sgi.com> posted most of the following: - Its database may be corrupt. If the objectserver appears to start OK but crashes later, this is probably the case. Rebuild it like so: /etc/init.d/cadmin stop /etc/init.d/cadmin clean /etc/init.d/cadmin start If the preceding doesn't work, try this /etc/init.d/cadmin stop mv /var/Cadmin/data /var/Cadmin/data.old /usr/Cadmin/bin/parseclasses /etc/init.d/cadmin start Note that either method destroys "Privileged User" and "Business Card" information. - One of your system configuration files (including but not limited to /etc/exports, /etc/fstab, /etc/inittab, /etc/mtab, /etc/passwd) may have minor format problems which don't bother IRIX proper but do bother the objectserver. Such problems include a last line which doesn't end with a linefeed, a backspace not preceded by a space in /etc/exports, or unprintable characters. One sign that you have such a problem is a core file in /var/Cadmin/data. If you find and fix a problem, rebuild the databases as above. If you can't find the problem, try the following: par -s -i -N open -l -SS /usr/Cadmin/bin/objectserver -d The last file objectserver opens is probably where the problem is. If you're really desperate, the TAC will give you an objectserver compiled with -g and help you run dbx on it. - You may be swamping the objectserver with NIS (YP) users. There are several ways around this: - Start a directoryserver on a machine on your local network. - Use netgroups or the "+user" form in /etc/passwd instead of just a "+" and rebuild the databases as above. - Most severely, remove the NIS object definition files so that the objectserver will not create NIS objects, rebuild the objectserver database (without the NIS objects) and restart the objectserver as follows. You will not be able to manipulate NIS users with Cadmin if you do this. killall fm mediad -k killall objectserver mv /var/Cadmin/data /var/Cadmin/data.orig cp -pr /usr/Cadmin/classes /usr/Cadmin/classes.orig rm /usr/Cadmin/classes/groupObject.op rm /usr/Cadmin/classes/nisAccountObject.op rm /usr/Cadmin/classes/peopleNISObject.op rm /usr/Cadmin/classes/peopleObject.op /usr/Cadmin/bin/parseclasses /usr/Cadmin/bin/objectserver ps -ef | grep obj Wait until you see 2 objectserver processes running, then do mediad fm -lrb & - Chris Riney <chris.riney@tandy.com> says: "We have just discovered here at our site that if you do not have a route defined for the SGI multicast subnet, then objectserver will gobble up memory. I established a route for 224.0.0.0, and objectserver has been up for over a week without consuming additional memory." This route is defined in the stock /etc/init.d/network. - Andreas Klingler <andreas.klingler@rrze.uni-erlangen.de> fixed his objectserver by removing /usr/Cadmin/classes/printerObject.op and then rebuilding /var/Cadmin/data as above. See also "Indigo Magic Tips and Tricks" in the Sep/Oct 94 Pipeline. ------------------------------ Subject: -36- What is sending packets to the sgi-dog.mcast.net multicast address? Date: 15 Jun 94 00:00:01 EST The objectserver. ------------------------------ Subject: -37- MAIL Date: 15 May 94 00:00:01 EST These questions discuss mail configuration and problems. ------------------------------ Subject: -38- How can I set up 'sendmail' to pass 8-bit characters? Date: 12 Feb 94 00:00:01 EST Dunno, offhand, but many experts say "don't try". RFC822 requires mail transport agents to *clear* the eighth bit, and many hosts do. Some which don't may crash when they get mail with the eighth bit set. Instead, use a MIME-compatible mail program. MIME, described in RFC1521, is a standard for enclosing non-RFC822 material in your mail. The apps FAQ discusses several mail programs which support it. Nonetheless, if someone wants to tell us about putting SGI's 'sendmail' into 8-bit mode we'll note it here. ------------------------------ Subject: -39- Why are my mailbox files changing ownership in IRIX 4.0.x? Date: 13 Nov 94 00:00:01 EST If your mail directory is mounted from another machine, your machine does not have root access, and the other machine has BSD-style "restricted chown" (either because it's not an SGI or because someone turned restricted chown on), /bin/mail will change mail file ownership when delivering local mail. Without unrestricted chown or root access, /bin/mail is unable to give mail files back to their owners after delivering mail. You can fix the problem by turning off restricted chown on the other machine (if it's an SGI), exporting the mail directory with root access for your machine, or upgrading to IRIX 5.2, in which the problem is fixed. ------------------------------ Subject: -40- Why isn't a valid user getting their mail? Date: 24 Jan 94 00:00:01 EST IRIX' mail system requires "valid users" to have both valid password file entries (whether local or via NIS) and home directories. The latter often trips one up when installing POP servers and whatnot, where home directories aren't really necessary. Just make a fake one. ------------------------------ Subject: -41- How can SGIs and Suns share a mail spool? Date: 05 Feb 94 00:00:01 EST Paul Riddle <paulr@umbc.edu> has written up how he did it. Read ftp.umbc.edu:/pub/sgi/shared-spool.text. ------------------------------ Subject: -42- What's an "unknown mailer error"? Date: 20 Feb 94 00:00:01 EST There's a list in viz.tamu.edu:/pub/sgi/software/mail/mail-errors. ------------------------------ Subject: -43- What's "mailbox: Error 0"? Date: 05 Mar 94 00:00:01 EST It's a harmless bug; don't worry about it. It is fixed in IRIX versions 4.0.5H/4.0.5IOP and later. ------------------------------ Subject: -44- Why can't I receive mail on an NFS-mounted mail spool under IRIX 5.2? Date: 29 Aug 94 00:00:01 EST IRIX 5.2 NFS has a bug which prevents writing to a zero-length file if the writing process has group write permission but not group read (or user write) permission. IRIX 5.2 /bin/mail likes to set the permissions of /var/mail/<user> to mode 620, exactly what is needed to exercise the NFS bug. There is no patch for the NFS bug (although it will be fixed in IRIX 5.3) but you can get a /bin/mail from the TAC which leaves mail files mode 660 and thus doesn't exercise the bug. ------------------------------ Subject: -45- NFS Date: 15 May 94 00:00:01 EST These questions discuss NFS. ------------------------------ Subject: -46- How can I tell what hostname to use in /etc/exports? Date: 07 Feb 94 00:00:01 EST NFS servers may need a particular form of a client's name in /etc/exports to allow the client access. This may not be obvious, for example if the server is also a router. Log in from the client to the server and say 'echo $REMOTEHOST' to see what the server thinks the client is called, and put that in /etc/exports. The System Manager ('chost') should be able to determine the correct hostname for you. ------------------------------ Subject: -47- Why can't I export an NFS-mounted filesystem? Date: 10 Dec 93 00:00:01 CST This is known as multi-hop NFS. It is not allowed or supported in (Sun's) NFS because it is not in general possible to detect errors such as infinite mount loops, on either the client or the server. ------------------------------ Subject: -48- Why can't Ultrix automount SGI filesystems? Date: 10 Dec 93 00:00:01 CST Ultrix's automount uses an "untrusted" port for mount requests. Add an '-n' to the mountd lines in /usr/etc/inetd.conf (/etc/inetd.conf in IRIX 5.x), like so: mountd/1 stream rpc/tcp wait root /usr/etc/rpc.mountd mountd -n mountd/1 dgram rpc/udp wait root /usr/etc/rpc.mountd mountd -n then 'killall mountd' and 'killall -HUP inetd' or reboot. ------------------------------ Subject: -49- Why does 'tar' work strangely on a filesystem mounted from an SGI? Date: 03 Apr 94 00:00:01 EST When user A extracts a file owned by user B from a tar archive, 'tar' makes the file owned by user A unless user A is the superuser. Some systems allow users to give files away (e.g. IRIX); some do not (e.g. SunOS). On some systems with the restricted behavior (SunOS among them), 'tar' tries to give the file to user B whether or not user A is the superuser, assuming that the chown system call will fail if user A is not. This is not true if user A is using 'tar' on (e.g.) a Sun to extract files onto a filesystem NFS-mounted from (e.g.) an SGI. 'tar' may create zero-length files or give away directories and then be unable to extract files into them. Work around the problem by doing the 'tar' on the SGI or extracting onto a Sun filesystem. It is possible that third-party versions of 'tar' (e.g. GNU tar) are smarter; let us know if so. Don't turn the restricted_chown kernel variable on on the SGI; while this will fix the problem at hand, it will break SGI programs which need to give files away without running as root (notably /bin/mail). ------------------------------ Subject: -50- Is 'pcnfsd' available for the SGI? Date: 27 Feb 94 00:00:01 EST For IRIX 4.0.x, look in ftp.sgi.com:/support/pcnfsd.sysV/. (Note that although SGI makes this available, they do not support it.) For IRIX 5.x, look in viz.tamu.edu:/pub/sgi/software/pcnfsd/. ------------------------------ Subject: -51- Can I export a CD-ROM from my SGI to a non-SGI? Date: 10 Dec 93 00:00:01 EST Not in IRIX 4.0.x. You can in IRIX 5.x, as you would any other filesystem. ------------------------------ Subject: -52- Why can't I export an ISO 9660 CD-ROM using NFS? Date: 13 Nov 94 00:00:01 EST You're using IRIX 4.0.x. Under IRIX 5.x, it just works. Under IRIX 4.0.x you can, but only to another SGI (see the previous question) and there's a catch. Add the CD-ROM filesystem to /etc/exports and export it with 'exportfs' *before* you mount the CD-ROM. For more detail, read viz.tamu.edu:/pub/sgi/hardware/exporting-iso-9660-cdrom or the article in the Jan/Feb 93 Pipeline, or for an up-to-date copy call the TAC and ask for SGI's writeup on "Mounting an ISO 9660 CD Across NFS". ------------------------------ Subject: -53- How can I read an IRIX (EFS) CD-ROM on a machine which doesn't use EFS? Date: 09 Jan 94 00:00:01 EST You want 'efslook', in viz.tamu.edu:/pub/sgi/software/efslook/. ------------------------------ Subject: + -54- How can I get quotas to work on an NFS filesystem? Date: 16 Dec 94 00:00:01 EST + Mount the filesystem with the 'quotas' option, by adding it to + /etc/fstab or the automounter map as appropriate, and make sure the + nfs.sw.nis subsystem, which contains the NFS quota daemon + (/usr/etc/rpc.rquotad) is installed. That's nfs.sw.nis, not + nfs.sw.nfs! See fstab(4), rquotad(1M) and perhaps automount(1M) for + details. ------------------------------ Subject: -55- PRINTING Date: 15 May 94 00:00:01 EST These questions discuss printing. ------------------------------ Subject: -56- Why can't 'lp' read my file? Date: 10 Dec 93 00:00:01 EST 'lp' is setuid, so it can only read world-readable files. You can say 'lp < file' if you don't want to make your file world-readable. ------------------------------ Subject: -57- How can I use 'lpr' to print to my local printer? Date: 10 Dec 93 00:00:01 EST SGI provides 'lpr' for printing on remote printers, and does not support it for local printing. One way to do it anyhow is to make an /etc/printcap entry with an output filter which is just a wrapper around 'lp'. If that isn't crystal-clear, call the TAC and ask for their "faxable" on "Integrating The AT&T Spooler With The BSD LPR Print Spooler". A not-guaranteed-to-be-up-to-date copy is at viz.tamu.edu:/pub/sgi/software/lp-lpr/lpr-to-lp. ------------------------------ Subject: -58- How can I use 'lp' to print to an 'lpr'-controlled printer? Date: 19 Jun 94 00:00:01 EST Two possible ways: - Write an 'lp' interface script that calls 'lpr'. Impressario 1.1 or later can do this for you; see the Impressario FAQ. If you don't have Impressario you can do it yourself or call SGI and ask for their writeup, "LPTOLPR, A Model File for LP", which includes (in fact, consists of) just such an interface script. A not-guaranteed-to-be-up-to-date copy is at viz.tamu.edu:/pub/sgi/software/lp-lpr/lp-to-lpr. - Write an 'lp' replacement script that calls 'lpr'. One such script is at viz.tamu.edu:/pub/sgi/software/lp-lpr/lp-wrapper-for-lpr. ------------------------------ Subject: -59- How can I tell 'lp' to turn banner printing or page reversal off or on? Date: 13 Nov 94 00:00:01 EST 'lp' controls printers via shell scripts, called 'models', which live in /var/spool/lp/model. When you install a printer, the appropriate model script is copied to /var/spool/lp/interface/<name-of-printer>. To temporarily change a printer's behavior, look at the manpage for its interface script (or, if there is none, the script itself) to see what options it wants, and pass them to the script with 'lp's '-o' option. For example, 'lp -o"-nobanner" file' tells a "Generic Postscript" printer (described in the gpsinterface(1) manpage) to print 'file' without a banner page. To permanently change a printer's behavior, edit its interface script. The following are true for "Generic Postscript" printers, but the idea is the same for others: - To turn banner printing off or on, change the line 'BANNER=1' to 'BANNER=0' or vice versa. - To turn page reversal off or on, change the line 'send=/usr/lib/print/lptops' to 'send="/usr/lib/print/lptops -U"' (note the quotes) or vice versa. In IRIX 5.x, you can change these settings in the printpanel. You can also turn banner printing off on a per-user basis by doing 'echo nobanner >> /var/spool/lp/settings/<printername>/<yourusername>'. ------------------------------ Subject: -60- SECURITY Date: 15 May 94 00:00:01 EST These questions discuss security. ------------------------------ Subject: -61- Where can I learn about Unix and IRIX security? Date: 03 Dec 94 00:00:01 EST The Jul/Aug 94 Pipeline has an article discussing general Unix security with some IRIX-specific aspects. Read rtfm.mit.edu:/pub/usenet/news.answers/security-faq and the books and papers listed therein for general discussions of Unix security. Look in ftp.cert.org:/, ciac.llnl.gov:/pub/ciac/ and ftp.tansu.com.au:/pub/docs/security/8lgm/ for CERT, CIAC and 8lgm material (respectively) and general security information and tools. If you have a lot of spare time, consider the comp.security.unix newsgroup. ------------------------------ Subject: -62- How can I check my system for security problems? Date: 09 Oct 94 00:00:01 EST Get Nate Sammons' <nate@vis.colostate.edu> 'securscan' from ftp://ftp.vis.colostate.edu/pub/irix/security/. It checks for many common IRIX-specific security bugs and problems. You might also want to try a generic Unix security-checking tool such as COPS or tiger and/or a password checker such as Crack. The security FAQ referenced above gives their locations. ------------------------------ Subject: ! -63- How can I configure IRIX more securely? Date: 16 Dec 94 00:00:01 EST Several aspects of SGI's default IRIX configuration were chosen for convenience, not security. Unless your machine is not networked, you may be more concerned about security than SGI assumed. Note that these items have been discussed on Usenet many times, and Usenet chatter is not a good way to change SGI policy. If they bother you, complain to your sales rep and then fix them yourself as follows. + Many thanks to Paul "Shag" Walmsley <ccshag@showme.missouri.edu> for + several of the items here and elsewhere in the SECURITY section. Under any version of IRIX, - Several accounts come without passwords, including (but not limited to) guest, 4Dgifts, demos, tutor, tour and particularly lp. Examine /etc/passwd and lock all unnecessarily open accounts. Note that 1) parts of IRIX (e.g. 'inst') use the open guest account by default, and 2) remote 'lp' clients need access to the lp account to print, so you'll need to make other arrangements. - 'xdm' does 'xhost +' by default when you log in. This allows anyone to open windows on your display and even to record what you type at your keyboard. Close this hole by removing the 'xhost +' from /usr/lib/X11/xdm/Xsession, /usr/lib/X11/xdm/Xsession-remote and (in IRIX 5.x) /usr/lib/X11/xdm/Xsession.dt. In IRIX 5.2 and later you can use X authority to control access to remote displays; see below. In IRIX 5.1.x and earlier X authority doesn't work, so you'll need to use 'xhost' judiciously to get to remote displays: say 'xhost +localhost' to run DGL programs and 'xhost +otherhost' to display remote X programs. - At least some of the possible default values of the PATH environment variable begin with the current directory. (The system interprets either a period or the empty string in any component of PATH as the current directory. PATH is colon-separated, so if it begins with a colon the first component is the empty string.) This exposes you to Trojan horse programs. Set PATH to a safe value (remove the current directory, or at least move it to the end) in /etc/cshrc and/or /etc/profile for regular users and /.login for root. - By default, /etc/config/ypbind.options contains the -ypsetme option. This allows someone who can fake your IP address to change your YP binding. Remove the option to close the hole and add the -s option for a little extra protection. If your site runs ypbind with the -v (verbose) option, you may also want to add 'YPSET=true' to /etc/config/ypmaster.options and comment out the 'ypset' line in /var/yp/ypmake. See the ypbind(1) and ypset(1) manpages for more. - If you use SLIP (see slip(1M)), be sure that SLIP accounts' home directories are not world-writable. SLIP accounts are uid 0, so it's bad if just anyone can mess with their .forward files and the like. /tmp, which is recommended in the "IRIX Advanced Site and Server Administration Guide", is necessarily world-writable and a bad choice. You may want to make an empty, root-owned, mode 755 directory to the effect of /usr/slip and use that. Any number of SLIP accounts can use a single home directory without conflict. - You *might* want to disallow .rhosts files, by adding the '-l' flag to the rlogind and rshd lines in /usr/etc/inetd.conf. However, this removes real functionality, and should not be done without reason. ! See the rlogind(1M) and rshd(1M) manpages. Note, however, that the ! rlogind flag does not work in IRIX 5.2. It does work in IRIX 5.3. - Read the rest of the entries in this section and make the changes they describe if necessary. Under IRIX 5.x only, - Turn on shadow passwords, which are not used by default. Run 'pwconv' to move your passwords to /etc/shadow, where only root can read them. Note that you'll have to update /etc/shadow by hand for NIS users. See the pwconv(1M) and shadow(4) manpages. - Limit the hosts from which portmap(1) will accept RPC requests by using the -a option in /etc/config/portmap.options. For example, if your machine is www.xxx.yyy.zzz and your subnet is www.xxx.yyy you can reject RPC requests from outside your subnet by putting '-a ! 255.255.255.0 www.xxx.yyy.0' in that file. This list is guaranteed to be incomplete. Keep your eyes open. ------------------------------ Subject: -64- How can I log more information about logins? Date: 22 Nov 94 00:00:01 EST - 'last', 'who', etc. get remote login information from /var/adm/xutmp and /var/adm/xwtmp. That information is only logged into these files if they already exist. To create them, just say 'touch /var/adm/xutmp /var/adm/xwtmp'. - As described in the login(1) manpage, you can add the line 'syslog=all' to /etc/config/login.options (IRIX 4.0.x) or change the line 'SYSLOG=FAIL' in /etc/default/login to 'SYSLOG=ALL' (IRIX 5.x) to log all login attempts, not just successful ones, in /var/adm/SYSLOG. - 'ftpd', 'rshd' and 'tftpd' all have options ('-l' or '-L') which cause them to log all accesses. See their manpages. 'ftpd' also has '-ll' and '-lll' options (undocumented before IRIX 5.x) which log individual file transfers and the sizes of those files respectively. Add the options to the last fields (not the second-to-last) of the appropriate lines of /etc/inetd.conf, then do 'killall -HUP inetd' or reboot. - Consider using TCP wrappers. These allow you to restrict connections to individual TCP daemons to particular hosts and prevent some forms of address spoofing. You can get source code from ftp://ftp.win.tue.nl/pub/security/. ------------------------------ Subject: -65- How can I make an anonymous or restricted FTP account? Date: 04 May 94 00:00:01 EST Read the ftpd(1M) manpage and/or the article in the March/April 1994 Pipeline. However, both discussions have a serious error: the ftp account's home directory (/usr/people/ftp) should be owned and writable only by root, NOT ftp. You might also want to make the 'pub' directory "sticky" with 'chmod +t' (like /tmp and /usr/tmp) so that one user can't delete another's files. A script which sets up a secure anonymous FTP account is at viz.tamu.edu:/pub/sgi/software/ftp/make-anonftp. ------------------------------ Subject: -66- How can I get X authorization to work? Date: 27 Apr 94 00:00:01 EST Under IRIX 5.1.x or earlier, don't try. The MIT-MAGIC-COOKIE-1 protocol did not work, and DGL programs did not understand X authority. Under IRIX 5.2 or later, heed the wise words of Mark Kilgard of SGI's X Window Systems group <mjk@hoot.asd.sgi.com>: The basic mechanism for the MIT-MAGIC-COOKIE-1 authorization protocol is implemented by the X server, Xlib, and xdm, and does work in IRIX 5.x. MIT-MAGIC-COOKIE-1 is the only supported protocol. Two caveats before I describe how to enable X authorization: 1) Old remote IRIS GL programs probably will not be able to connect to the X server when X authority is enabled. (More on this below.) 2) Due to a problem with how the local hostname is handled, to use X authority in the IRIX 5.x releases, you will need to make sure your /etc/sys_id file has a simple hostname, ie. hoot instead of a fully resolved hostname like hoot.asd.sgi.com This problem has already been fixed for the next general release of IRIX. TO ENABLE X AUTHORIZATION, do the following to your IRIX 5.2 system: 1) Edit /var/X11/xdm/xdm-config as root and change the line saying DisplayManager*authorize: off to say DisplayManager*authorize: on 2) Edit /var/X11/xdm/Xsession, /var/X11/xdm/Xsession-remote, and /var/X11/xdm/Xsession.dt as root and change the line saying /usr/bin/X11/xhost + to say #/usr/bin/X11/xhost + This disables the "xhost +" by commenting out the command. 3) Make sure your /etc/sys_id file has no periods in it. For example, change as root: hoot.asd.sgi.com to say hoot 4) Reboot the machine OR restart a new xdm and X server. This can be done as root with the following command: (/usr/gfx/stopgfx; killall xdm; /usr/gfx/startgfx) & 5) Log in. X authorization should be enabled. If you want to disable X authorization and return to the default system state where X clients can connect to the X server from any machine, reverse the changes in steps 1 and 2 and repeat step 4. If you want more information on X authorization, see the manpages for xdm(1), Xserver(1), Xsgi(1), Xsecurity(1), xauth(1) and xhost(1). X AUTHORITY AND REMOTE IRIS GL PROGRAMS: One of the major reaons for Silicon Graphics shipping its window system so that an X client from any machine could connect to the X server was because IRIS GL programs running remote using the DGL (distributed GL) protocol didn't interoperate with the X authorization mechanism; the dgld daemon that would run on the machine with graphics hardware had no way to get the correct X authority information to connect to the X server. This has been fixed for IRIX 5.2, but the fix only applies to IRIX 5 binaries running remotely on an IRIX 5.2 system connecting to an IRIX 5.2 X server. In particular, remotely run IRIX 4 IRIS GL binaries will continue to not interoperate with an IRIX 5.2 X server (or a pre-IRIX 5.2 X server). If you recompile your old IRIS GL binaries on IRIX 5.2, they then will work remotely connecting to IRIX 5.2 X servers running X authority. The bottom line is that if you want an IRIS GL program to run remotely on an X server using X authorization, you need to make sure the program is an IRIX 5 binary running on an IRIX 5.2 machine and the machine with the X server is also an IRIX 5.2 machine. To avoid a possible misconception: IRIS GL programs RUNNING LOCALLY (ie, not using DGL) WILL WORK FINE on an IRIX 5.2 system no matter if they are IRIX 4 or IRIX 5 binaries. The problem with X authority is only for REMOTE IRIS GL programs. Also note that for X authorization to work for remote hosts, the remote program must have access to the correct X authorization magic cookie (normally read from ~/.Xauthority). If you don't have a shared NFS mounted home directory, you'll probably need to use the xauth command to transfer the X authorization magic cookie to the remote ~/.Xauthority file. THE FUTURE: Hopefully in the next general release of IRIX, a mechanism to enable and disable X authorization using a chkconfig option will be supported. The problem with /etc/sys_id not having periods will definitely be fixed in the next general release of IRIX. The problem with pre-IRIX 5.2 X servers and binaries not interoperating with X authorization will likely not be fixed. Fixing the problem required a DGL protocol extension which both the IRIS GL program and dgld must know about; this can't be fixed in already shipped software. ------------------------------ Subject: ! -67- What security-related bugs does IRIX have? Date: 16 Dec 94 00:00:01 EST Some general comments before we start: - IRIX is too complex for us to guarantee that this list is complete. We only discuss problems we know about. We don't discuss insecurely designed systems (like YP) or ways in which you might misconfigure your system, only bugs. We don't discuss third-party software, free or not. - Prudence and space permit us to describe only how to close holes, not to exploit them. Try comp.security.unix. - Some of the fixes involve installing a new version of a setuid binary. Be sure that you 1) make it executable, setuid and owned by the correct user and group (or it won't work), and 2) remove the old version so bad guys can't use it! Now for the holes themselves: - CERT advisory CA-92:08, which you can get from ftp.cert.org:/pub/cert_advisories/CA-92:08.SGI.lp.vulnerability describes problems with the permissions of 'lp'-related parts of IRIX which allow anyone who can log in as lp to get root access. They are fixed in IRIX 4.0.5. Briefly, the fix is su root cd /usr/lib chmod a-s,go-w lpshut lpmove accept reject lpadmin chmod go-ws lpsched vadmin/serial_ports vadmin/users vadmin/disks cd /usr/bin chmod a-s,go-w disable enable chmod go-ws cancel lp lpstat - CIAC Bulletin F-01, which you can get from ciac.llnl.gov:/pub/ciac/bulletin/f-fy95/f-01.ciac-SGI-IRIX-serial-ports describes a race condition in IRIX 4.0.x's /usr/lib/vadmin/serial_ports which allows any user to become root in IRIX 4.0.x. 'chmod 700' it to close the hole; it will still work fine. /usr/lib/vadmin/serial_ports is part of IRIX 4.0.x and should not exist on IRIX 5.x systems, but some users have reported problems with upgrading from 4.0.x to 5.x which leave old binaries behind. If the file exists on your 5.x system, remove it. (5.x's equivalent, /usr/Cadmin/bin/cports, does not have the problem.) - CERT advisory CA-93:16, which you can get from ftp.cert.org:/pub/cert_advisories/CA-93:16.sendmail.vulnerability describes a hole or holes in /usr/lib/sendmail which allow anyone root access, whether they can log in initially or not! At least some of these are present in every version if IRIX up to and including 5.2. Fixed versions are in ftp.sgi.com:/sgi/IRIX4.0/sendmail/ ftp.sgi.com:/sgi/IRIX5.0/sendmail/ - CERT advisory CA-93:17, which you can get from ftp.cert.org:/pub/cert_advisories/CA-93:17.xterm.logging.vulnerability describes a hole in /usr/bin/X11/xterm which allows any user root access. It is fixed in IRIX 5.x. A fixed version for IRIX 4.x is at ftp.sgi.com:/sgi/IRIX4.0/xterm/ The 'fix', incidentally, is that logging is completely disabled. - /usr/bin/under is an unused (!) part of 'rexd'. It is setuid root and may allow root access, so 'chmod -s' it just in case. Note that SGI ships IRIX with 'rexd' turned off because 'rexd' is itself a security problem. It is not shipped in IRIX 5.x. - /usr/bsd/rdist has several holes which allow any user root access in all versions of IRIX up to and including 5.2, including the 4.0.5 and 5.x binaries on ftp.sgi.com. Under IRIX 5.2, you can install patch 130 to close all known holes. Under IRIX 4.0.x, you must close the hole with 'chmod -s'. rdist will then work only when used by root. If your non-root users need 'rdist', there is a free version which claims to be free of all known holes in usc.edu:/pub/rdist/. Make sure you get version 6.1 beta 3 or later. As for advisories, CERT advisory CA-91:20, at ftp.cert.org:/pub/cert_advisories/CA-91:20.rdist.vulnerability is badly out of date. 8lgm advisory 1, at ftp.tansu.com.au:/pub/docs/security/8lgm/8lgm-Advisory-1.UNIX.rdist.23-Apr-1991 describes only one of the several holes. - The 'lpr' subsystem in IRIX 4.0.x and 5.x, up to and including 5.2, has several holes which allow a non-root user to become root. Note that 'lp' is SGI's usual printing system; you only need 'lpr' if you need to deal with remote printers. If you don't need 'lpr', make sure it isn't installed. (It lives in the eoe2.sw.lpr subsystem.) If you do need 'lpr', there are fixed versions at ftp.sgi.com:/sgi/IRIX4.0/lpr/lpr.latest.Z ftp.sgi.com:/sgi/IRIX5.0/lpr/lpr.latest.Z The versions dated 29 and 26 April, respectively, work with NIS (YP). The IRIX 5.x version is also available from the TAC as patch 131. - /usr/etc/arp is setgid sys in IRIX up to and including 5.2, allowing anyone who can log into your machine to read files which should be readable only by group 'sys'. Close the hole with 'chmod -s'. This prevents non-root users from using 'arp' at all, but they don't generally need it. - /usr/sbin/cdinstmgr is setuid root in IRIX 4.0.5[A-F] and /etc/init.d/audio is setuid root in IRIX 5.2. They are scripts; setuid scripts are a well-known Unix security problem. IRIX ignores the setuid bit by default, but 'chmod -s' the scripts just in case. - /usr/sbin/colorview is setuid root in IRIX 5.x up to and including 5.2, allowing anyone to use it to read any file regardless of permissions. Close the hole with 'chmod -s /usr/sbin/colorview'. - /usr/bin/newgrp is group-writable in IRIX 5.2. It doesn't need to ! be, and it might be a problem depending on your use of group sys ! and/or the presence of the 'sadc' bug (described elsewhere in this ! list) on your system. 'chmod g-w' it. - /usr/sbin/printers has a bug in IRIX 5.2 (and possibly earlier 5.x versions) which allows any user to become root. Call the TAC and request patch 5. You might want to 'chmod -s' it while you're waiting. - /usr/sbin/sgihelp has a bug in IRIX 5.2 (and possibly earlier 5.x versions) which allows any user to become root. This is so bad that the patch (#65, along with the prerequisite patch 34) is FTPable from ftp.sgi.com:/security/, and SGI is preparing a CD containing only that patch. Call the TAC if you can't FTP. You should 'chmod -x /usr/sbin/sgihelp' while you're waiting. - The version of inst which comes with patch 34, which is required for installation of all other patches (even those with lower numbers) saves old versions of binaries in /var/inst/patchbase. It does not remove execution or setuid permissions! 'chmod 700' that directory so evil users can't get to the old binaries. - /usr/bsd/newaliases (which is just a symlink to /usr/lib/sendmail) creates /etc/aliases.{dir,pag} with mode 666. Any user can thus add aliases which can run programs or steal mail. This is true up to and including IRIX 5.2. Close the hole by running newaliases (if you haven't already) and doing 'chmod go-w /etc/aliases.dir /etc/aliases.pag'. Once those files exist and have proper permissions, you're OK. - 8lgm advisory 11, which you can get from ftp.tansu.com.au:/pub/docs/security/8lgm/8lgm-Advisory-11.UNIX.sadc.07-Jan-1992 describes a bug in the System V accounting program /usr/lib/sa/sadc ! which allows any user to write files in directories owned by sys. ! The manifestation of this bug in IRIX 5.2 (and probably earlier ! versions) is relatively harmless: it only allows users to create ! garbage files in sys-writable directories or blow away files that ! are writable by group sys, such as the group-writable ! /usr/bin/newgrp described elsewhere in this list. If you don't use ! the accounting subsystem you might want to 'versions remove' it just ! to be safe. - 8lgm advisory 12, which you can get from ftp.tansu.com.au:/pub/docs/security/8lgm/8lgm-Advisory-12.UNIX.suid_exec.27-Jul-1991 describes a bug in /etc/suid_exec (part of ksh) which allows any user to become root. It is not known whether this bug is present in any version of IRIX, but if you don't use setuid ksh scripts you might want to 'chmod -s /etc/suid_exec' just to be safe. + - /usr/etc/mount_dos, IRIX's DOS-filesystem floppy mounter, has a + serious bug in IRIX 5.2 (and probably earlier releases of 5.x as + well) which allows anyone with an account on and physical access to + a machine with a floppy drive root access. This bug can be fixed + with patch 167 from the TAC and is reportedly fixed in IRIX 5.3. + Perhaps the easiest interim "fix" (which essentially disables all + removable media drives) is to disable mediad: "mediad -k" kills the + current instance of mediad, and "chkconfig mediad off" prevents + mediad from starting during the next reboot. + - /usr/etc/rpc.ypupdated may have a security hole in all versions of + IRIX. It is completely unnecessary in most networks; the only + instance that we could think of that might require this daemon would + be NIS networks that include Sun diskless clients. You should + probably comment it out of /etc/inetd.conf, or just not install the + nfs.sw.nis subsystem, of which it is a part. It is commented out by + default in IRIX 5.3. ------------------------------ Subject: -68- I think I've found a security hole in IRIX; whom do I notify at SGI? Date: 10 Dec 93 00:00:01 CST In general, if you find a security problem (or think you have), you can send it to postmaster@sgi.com. This address gets a lot of mail, so you may want to CC your mail to one of the SGI employees who regularly post to Usenet. (Several have indicated that they will be glad to know about such things.) You can also notify CERT <cert@cert.org>, who will contact the appropriate people from their contact list. They may take some time. ------------------------------ Subject: -69- BUGS Date: 15 May 94 00:00:01 EST These questions discuss miscellaneous bugs in IRIX. ------------------------------ Subject: -70- Why is my network license daemon ('netlsd') exiting? Date: 20 May 93 00:00:01 CST For netlsd to run, you need to have 'llbd' and 'glbd' installed and running. A complete debugging procedure is in the netls release notes, which can be read with 'relnotes netls_eoe 5'. Please let us know if this problem went away in recent IRIXes. ------------------------------ Subject: -71- What's this 'iotim' error in my syslog in IRIX 4.0.x? Date: 13 Nov 94 00:00:01 EST It's a bug in 'rpc.rstatd' which affects several programs including 'ruptime' and 'sysmeter'. Before IRIX 4.0.5H, 'rpc.rstatd' says rstatd[4840]: read: iotim: No such device or address If you see this, upgrade to a newer IRIX or get the patched 'rpc.rstatd' from ftp.sgi.com:/support/rpc.rstatd. In 4.0.5H and IOP 'rpc.rstatd' ignores the problem (returning all but the SCSI disk stats which cause the error) but still generates the following message: rstatd[4941]: read: bad iotim, no disk stats: No such device or address This may be ignored. In IRIX 5.x, the problem is completely fixed. ------------------------------ Subject: -72- Why do 'who', 'rusers', etc. show users who aren't really logged in in IRIX 4.0.x? Date: 30 Dec 93 00:00:01 EST There is a well-known bug in IRIX 4.0.x wherein /etc/utmp is not updated properly after a user logout. These programs are simply reporting the non-updated contents of /etc/utmp. Fixes have been provided by jer@blaise.cif.rochester.edu, David Hinds <dhinds@allegro.stanford.edu> and Patrick M. Ryan <pat@gsfc.nasa.gov>. They can be found in viz.tamu.edu:/pub/sgi/software/utmp/. ------------------------------ Subject: -73- Why do some programs parse /etc/fstab incorrectly in IRIX 4.0.5? Date: 10 Dec 94 00:00:01 EST In IRIX 4.0.5, some programs (e.g. 'fsr') misinterpret lines in /etc/fstab, so that, e.g., /dev/usr /usr efs rw,raw=/dev/rusr,quota 0 0 would cause 'fsr' to think that the raw device pathname was "/dev/rusr,quota" instead of "/dev/rusr". There is no such device, so /dev/rusr would never be defragmented. You can work around this by putting the "raw" option last: /dev/usr /usr efs rw,quota,raw=/dev/rusr 0 0 This is fixed in IRIX 5.x. ------------------------------ Subject: -74- Why is my Indigo's Ethernet performance dog-slow under IRIX 4.0.x? Date: 13 Nov 94 00:00:01 EST You need the "E++" patch to IRIX 4.0.5, IRIX 4.0.5IOP ("Indigo Only Patch"), which includes the E++ patch, or IRIX 5.x. ------------------------------ Subject: -75- Why is my Indigo getting SIGSEGVs and crashing under IRIX 4.0.5IOP? Date: 13 Nov 94 00:00:01 EST Make sure you've installed the 4.0.5IOP NFS maintenance patch along with the rest of 4.0.5IOP. If you're sure you have, call the TAC. You may need the "IP20 ethernet patch". This comes *after* 4.0.5IOP, and is not to be confused with the older "E++ patch" (see the previous question). ------------------------------ Subject: -76- Why is my Indigo2 panicking under IRIX 4.0.5? Date: 13 Nov 94 00:00:01 EST There are several keyboard-related bugs in IRIX 4.0.5H and 4.0.5IOP which cause Indigo2s to crash or freeze. One sign that these particular bugs are responsible is the message "PANIC: Timeout Table Overflow" or "WARNING: Couldn't allocate streams buffer" in /usr/adm/SYSLOG. Get the "Indigo2 keyboard patch" (aka "pckm patch") from SGI or upgrade to IRIX 5.2. ------------------------------ Subject: -77- What's wrong with ftpd in IRIX 5.2? Date: 08 Nov 94 00:00:01 EST It doesn't maintain utmp properly, so ftp logins will appear in the output of 'who' and similar commands even after they've logged out, and it dies during 'mget's. Get patch 41, 142 or 162 from the TAC. (These are all essentially the same patch, but some people have reported that patch 142 does not work.) ------------------------------ Subject: -78- Why isn't /usr/adm/SYSLOG being updated? Date: 23 Jun 94 00:00:01 CST Popular causes include: - running out of disk space. Once syslogd is unable to write to /usr/adm/SYSLOG, it won't try again until it is `killall -HUP syslogd`ed. - installing IRIX 4.0.x and failing to heed the nagging from the system when it is rebooted to run 'versions changed' and combine new and old configuration files. In this case, the trouble is in /usr/spool/cron/crontabs/root. - Separating fields in /etc/syslog.conf with spaces instead of tabs. If you use tabs, syslogd will silently segv when it reads that file. This should be fixed in IRIX 5.3. ------------------------------ Subject: -79- I just edited /etc/inittab, and now I can't start up or shut down my SGI! What's wrong? Date: 03 Dec 94 00:00:01 EST If the last line of /etc/inittab is a comment, init will screw up horribly. If your machine is still running, remove the comment and everything will be OK. If not, go to the miniroot, run the shell and remove the comment from there. The following sequence of commands is one possible way to do this: cd /root/etc cat inittab # Decide how many lines to remove (say three) wc inittab # See how many lines inittab has (say 120) head -117 inittab > inittab.new # Keep the first 120 - 3 lines mv inittab inittab.old mv inittab.new inittab cat inittab # Just making sure and reboot. Don't forget the 'cd'; from the miniroot's point of view, /etc/inittab is /root/etc/inittab. The problem should be fixed in IRIX 5.3. ------------------------------ Subject: -80- Why does timed say "bind: Cannot assign requested address"? Date: 29 Oct 94 00:00:01 EST timed is incompatible with the rld which comes with patchSG0000023, which is needed for DeltaCC. There are two solutions to this problem (thanks to Alan Davis <davis@masig.fsu.edu>): - Get a new timed from SGI. - Replace the following line in /etc/init.d/network.options (line 664 in an unmodified IRIX 5.2 file) /usr/etc/timed -M `cat $CONFIG/timed.options 2> /dev/null` & with env _RLD_ARGS="-clearstack" /usr/etc/timed `cat $CONFIG/timed.options 2> /dev/null` & ------------------------------ Subject: -81- Why is famd hammering my NFS server? Date: 22 Nov 94 00:00:01 EST It's partly a bug. Get patch 165 for IRIX 5.2 and patch 166 for IRIX 5.3. It's partly just famd's nature; you can try to calm it down by changing its polling interval (6 seconds by default, specified by the '-t 6' flag) in /etc/inetd.conf. ------------------------------ Subject: -82- MISCELLANEOUS Date: 15 May 94 00:00:01 EST Everything else. ------------------------------ Subject: -83- How do I set the number of processes allowed on my machine? Date: 13 Nov 94 00:00:01 EST Use systune(1M) to change 'nproc' (in the 'numproc' group of parameters) and reboot. ------------------------------ Subject: -84- Where can I get a termcap file for 'iris-ansi-net' to install on my non-SGI system? Date: 20 May 93 00:00:01 CST SGIs use terminfo, so you need to translate the terminfo description to termcap. 'infocmp -Cr iris-ansi-net' will produce an iris-ansi-net termcap file. See infocmp(1) for more. Note that 'infocmp' is in the eoe2.sw.terminf subsystem, which is not installed by default. ------------------------------ Subject: + -85- How can I make my SGI understand strange terminal types from other Unix systems? Date: 16 Dec 94 00:00:01 EST + If the other system uses terminfo, use 'infocmp -I whatever > file' to + extract the terminfo entry for the terminal. Transfer the file to your + SGI and do 'tic file' (as root) to put the entry into the terminfo + database. + If the other system uses termcap, snip the termcap entry out of + /etc/termcap (or wherever) with an editor, transfer it to your SGI + and (as root) do 'captoinfo file > newfile' and 'tic newfile'. + See also the infocmp(1), captoinfo(1), tic(1) and terminfo(4) + manpages, and make sure you've installed eoe2.sw.terminf, which + contains all of the programs. ------------------------------ Subject: -86- Can I change my full name or login shell without being superuser? Date: 16 Mar 94 00:00:01 EST Maybe. IRIX has no 'chfn' or 'chsh', so if you're a local user you're stuck. However, if your account is on NIS (Yellow Pages) you can use 'ypchpass'. You might also ask your superuser to install one of the many free implementations of 'chfn' and/or 'chsh'; one is in volume 3 of comp.sources.unix (ftp.uu.net:/usenet/comp.sources.unix/volume3/). ------------------------------ Subject: -87- How can I administer my Iris without a graphics terminal? Date: 13 Apr 94 00:00:01 EST The visual admin tools in IRIX 4.0.x ('vadmin') need GL, and do not work on X terminals or workstations without GL. You can use 'sysadm' on text terminals for some tasks, but beware of bugs and inadequacies: SGI judged 'sysadm' to be too buggy to be worth updating for IRIX 5.x. The visual admin tools in IRIX 5.2 and later should display on any X display, *except* for the backup/restore tool which is an exact port from IRIX 4.0.x and requires GL. Some images will be missing when GL is unavailable, but the tools will function properly. As for text terminals, you're out of luck: 'sysadm' does not exist in IRIX 5.x. Of course, you can always use a text editor and write scripts, or see the next question. ------------------------------ Subject: -88- How can I use the visual admin tools on a system with graphics to administer a system without graphics? Date: 12 Feb 94 00:00:01 EST rlogin to the graphics-less system and run 'vadmin' (IRIX 4.0.x) or 'chost' (IRIX 5.x). Make sure that the DISPLAY environment variable is set correctly and that both the vadmin/sysadmdesktop and the shared library subsystems are installed on the graphics-less system (which they are in the default installation). Under IRIX 5.x, look at the READMEs in /var/sysadmdesktop/rsysmanapps and /var/sysadmdesktop/sysmanapps to find out how to use 'chost' to run commands on remote systems. Finally, in a future release of IRIX 5.x, the sysadmdesktop tools will be able to manage remote systems *without* doing an rlogin. ------------------------------ Subject: -89- Can I put my own picture in the 'clogin' display? Date: 20 Aug 94 00:00:01 EST Not in IRIX 5.0-5.2. You could in IRIX 4.0.x and earlier, and you will be able to again in IRIX 5.3. ------------------------------ End of sgi/faq/admin Digest ****************************** -- The SGI FAQ group sgi-faq@viz.tamu.edu Finger us for info on the SGI FAQs, or look in viz.tamu.edu:/pub/sgi.