Mirrors Primary (US) Issues May 2000gwdu111.gwdg.de/misc/dnews/dnews_0005.pdf · Mirrors Primary (US) Issues May 2000 May 2000 Search Submit Article Contact Us How to Help Merchandise

Mirrors Primary (US) IssuesMay 2000

May 2000 Search Submit Article Contact Us How to Help Merchandise

T H I S M O N T H ’ S F E A T U R E S

Get your fingers off my /proc/getpid()/*by Hubert Feyrer

Closing the procfs hole in NetBSD Read More

Spring Comdex 2000by Chris Coleman

What did you miss at the Linux Business Expo? Read More

Blueprints: RAIDFrame from Simulation to Practiceby Greg Oster

The RAIDFrame software RAID system Read More

R E G U L A R C O L U M N S

Adventures in BSD: My Adventures In OpenBSD 2.6by Alison

Another closet geek sees the light Read More

Hey! Mister Answer Manby Todd Whitesel

What’s in this months mailbag? Read More

Newbies’ Corner

From the Editor

Standardsby Brett TaylorCommon Unix binaryexecutable formats

Daily Daemon News

AbiWord 0.7.9 is out SecureBSD? A chance to flex the powerof this site BSD Counter given aproper home Native Java Port

Source Wars

Week 13

Miscellaneous

CreditsThe hard-workingcrew TarballDownload a tar.gzversion of this issue

Newbies’ Cornerby Chris Coleman

After you have BSD installed... what’s next? Read More

The Daemon’s Advocateby Wes Peters

Choices Read More

Search

Search

Advanced

or Search all DaemonNews

Copyright © 1998-2000 DæmonNews. All Rights Reserved.

May 2000 Search Submit Article Contact Us Join Us Merchandise

Standards?

by Brett Taylor [email protected]

Recently there has been a new push for the development, at least in the Linux world, forcommercial vendors to develop true ‘‘Linux’’ binaries and not those for specific distributions.Previously the 86Open Project was formed to try to determine a standard binary executable formatthat all Unix or Unix-like OSes would be able to run, thereby limiting the investment vendors hadto make for development, while potentially maximizing the market for their product.

The project eventually ‘‘defaulted’’ to the Linux ELF format. Clearly though that isn’t enough of adescription to actually give to vendors. Each of these OSes would need to contain a standard set oflibraries as well. There is a Linux Standards group attempting to define what common elementseach of the Linux distributions should have, but I am unsure as to if they are making any progress.

How does this affect BSD? Maybe not at all. I’m frankly slightly pessimistic that a standards effortby such diverse groups will ever be finished. If a standard had been in place initially, then I couldsee where others would follow along in that manner. One common example of this isWord-formatted documents - once Microsoft Word became the dominant word processor, othercompanies needed to be able to write and read that format as well. To maintain their market share,Microsoft changed the format with each revision, requiring other companies to again change theirown software just to keep up. The target was always moving.

Now that many of the Linux distributions have gone public, their first job is to make money fortheir stockholders. Again, one way to differentiate themselves is to have software that wasdeveloped specifically for them. If every distribution can run it, how can they keep or attract newusers? This is really the first test of the new Open Source mentality versus the old way of doingthings.

It’s obviously in all of the users’ best interests to have a standard format and it’s certainly in themajority of the Unix-like OSes’ best interests as well, but can we convince the stockholders that it’sin their best interests as well? I guess that remains to be seen.

This editorial is brought to you by the letter ‘‘T’’ - that stands for tired! Real world work hassignificantly intruded on my life this last month - thanks to the rest of the gang for helping me getstuff done for this month.

Author maintains all copyrights on this article.Images and layout Copyright © 1998-2000 Dæmon News. All Rights Reserved.


Closing the procfs hole in NetBSD

by Hubert Feyrer, [email protected]

Get your fingers off my /proc/getpid()/*

What is procfs?

In every Unix(like) system, there is a lot of information available about the system which you canquery. Information like what network connections are open, settings of kernel parameters,filesystem-specifics and information related to user processes.

All this information is stored inside the the kernel, and to access these data, one has to know inwhich "variables" the kernel stores the information, then dig into the kernel memory to get thevalues. This approach has several disadvantages: it’s not portable, as various operating systemsstore the information in different formats and with different names. Plus access to information can’tbe restricted that way - malicious processes can read/write any information in the kernel, not onlythe one they’re interested in. Access to the kernel memory is usually handled via /dev/kmem, onBSD based systems a user/process has to be a member of the group ‘‘kmem’’ to have access to thisdevice file. If such a process does something it shouldn’t, the system’s security can becompromised - this is often used by programs exploiting so-called ‘‘buffer overruns,’’ writing pastbuffer boundaries to write their own program code to the process, which then executes thismalicious code. The results range from harmless core dumps over Denial of Service attacks tomodifications of the system, usually installing backdoors to the system.

The problems of /dev/kmem-based programs to access kernel data structures has lead to the designof some alternatives. One of them being the ‘‘sysctl’’ facility, usually found on BSD based systems.With sysctl, one accesses information which is stored in a MIB structure like that of SNMP, e.g. toaccess some data of the IP stack, one would specify ‘‘net.inet.tcp.keepidle’’ to access (only) that bitof information. MIB entries are either read-only or read-write, so you cannot modify values like thekernel’s load average which are read-only.

A problem of sysctl is that to access the information, the MIB must be specified as a series ofnumbers instead of strings, and thus contradicts the traditional ‘‘everything is a file’’ approach.

Following this concept more closely are several filesystems, which make certain information fromthe kernel visible to user space via a filesystem interface:

fdesc: Provides access to process’ file descriptors

kernfs:

Provides various kernel related parameters like OS revision, load average, ... procfs:

Provides information related to processes, including a list of running processes (by PID), andfor each process information such as the process’ command line (argv), references to itsexecutable file and process memory, CPU status registers, a facility to send signals from e.g.debuggers, etc.

These three filesystems and the described contents are specific to BSD, other Unix-like operatingsystems provide different filesystems, contents and/or methods to access information stored there.

Background on the procfs Hole

Recently, a procfs related security exploit became available. We’ll tell you about the technicaldetails here, and how this was fixed in a general way in NetBSD. See also the NetBSD SecurityAdvisory SA#2000-001.

Basically the exploit does open /proc/<pid>/mem, seek to a stack address, and then use this filedescriptor as stderr. Then you fork and exec two suid programs, and make one of them write tostderr, which points to /proc/<pid>/mem@stack of the other setuid process. That way, you canmanipulate the second process in an arbitrary way, just like any buffer overflow exploit does.

Writing to the other process’ memory is possible because the procfs descriptor is left open after theparent process exec()s. A possible fix to this is to mark the descriptor as close-on-execautomatically from the kernel, but the process could unset this. A better fix is to invalidate thedescriptor when the process it points to calls exec(2).

Implementation of this invalidation can be done in the exec-module of the kernel, or in a moregeneral fashion, using a generic "process-exec hook", that can be used for other purposes, shouldthe need arise.

The Fix - Interview with Frank van der Linden

Frank van der Linden (<fvdl>) explained to me (<hubertf>) how NetBSD solves the procs securityhole. It boils down to the kernel doing a "get your fingers off my /proc/getpid()/anything" for theexec’ing process:

<hubertf> Frank, can you tell me about the exec-hook you added?

<fvdl> It’s a simple interface, the same as e.g. shutdown hooks.

<hubertf> I can imagine what shutdown hooks do, but exec hooks? Are they called before any exec?

<fvdl> Yes.

<hubertf> This sounds slow. What sort of hooks would one add there?

<fvdl> Why would it be?

<hubertf> Traversing a list of hooks, calling a function, checking the return value - sounds slow tome (but what do I know...)

<fvdl> In this case, there are is only one hook present, and only if a process is sugid, wasaccessed through procfs, and execs. The return value isn’t checked. If you look ateverything that’s going on during an exec(), it’s minor.

<hubertf> So what does that hook then do - check if stderr is on a procfs mem file, and bomb out ifso?

<fvdl> The hook revokes all vnodes that reference the process, through procfs, if it’s about toexec an suid binary.

<hubertf> Why revoke all vnodes, not only the ones for stdin/out/err, i.e. for file descriptors 0, 1and 2?

<fvdl> The kernel should not have knowledge about their special status. Any potentialproblems with their special status should be solved in userspace.

<hubertf> OK. So getting back to the exploit, that evil binary will not get a malliciously setupstderr, even though it tried to do so?

<fvdl> It won’t get a bad stderr, because the vnode for it was nuked.

<hubertf> Like a closed stderr?

<fvdl> The process trying to write it will get EIO, see revoke(2) (a low-level, in-kernel versionof it of course)

<hubertf> Ok. So, this exec-hook basically says "get your fingers off my /proc/.../mem" ?

<fvdl> "get your fingers off my /proc/getpid()/anything"

<hubertf> Thank you for your time! :)

Further reading

For everyone interrested, the changes can be viewed via the NetBSD AnonCVS service using thefollowing commands:

setenv CVSROOT [email protected]:/cvsrootcvs rdiff -r1.106 -r1.107 syssrc/sys/kern/kern_exec.ccvs rdiff -r1.52 -r1.53 syssrc/sys/kern/kern_subr.ccvs rdiff -r1.100 -r1.101 syssrc/sys/sys/systm.hcvs rdiff -r1.27 -r1.28 syssrc/sys/miscfs/procfs/procfs.hcvs rdiff -r1.28 -r1.29 syssrc/sys/miscfs/procfs/procfs_subr.ccvs rdiff -r1.31 -r1.32 syssrc/sys/miscfs/procfs/procfs_vfsops.c

Thanks

This article was composed from facts and hints from Frank van der Linden, Jason Thorpe andCharles Hannum. Many thanks to them for explaining things!



Spring Comdex 2000

By Chris Coleman, [email protected]

Comdex was definitely more work than I had anticipated. The lines were long and the booth wasbusy, but we were glad to be there.

The BSD booth was nestled in the back corner of Comdex, in the midst of the Linux BusinessExpo. We were a stone’s throw from the NetBSD booth, who we visited with often, and wereadjacent to LinuxCare, LinuxMall, and TurboLinux.

BSDi sported a brand new glossy black 24 foot tall booth, with a bright red Daemon embossed onthe top and the letters BSD in bold print. It looked good. However, there were several others aboutthe same size that made it difficult to see from across the floor.

During the show, the booth was full of activity. We were giving away copies of FreeBSD 4.0 andtrial copies of BSD/OS 4.1. There were two lines, and both were constantly long.

There was a photo booth where people could get their picture taken with the BSD Daemon or theDaemonettes.

Susannah Coleman, creator of Source Wars, was invited to attend as part of the BSD boothsponsored by BSDI. She drew an 11 x 17 poster that featured Darcy Daem and a couple ofDaemons. The caption read "Daemons are a Girls best friend."

I was there to hand out the free posters to passers by. They could then have them signed bySusannah. It was surprisingly successful at attracting people. We brought 1500 posters and gavethem all out in the first two days. We had to have more shipped to us overnight. People would lineup to get their posters autographed and while they were waiting, we would tell them about BSD andDaemon News.

We also brought Daemon News t-shirts and Source Wars posters and had them for sale. The t-shirtfeaturing Dixie was a popular item.

The booth also featured a video presentation that did a good job of promoting BSD to people whohad never heard about it. It featured an animated Daemon and professional graphics.

But the real attraction seemed to be the felt Daemon horns we were handing out. People wouldcome from across the show floor in search of them. We ran out of them every day, and had moreshipped to us each night. We were nearly mugged at times for the pairs we were wearing.

The people working the BSD booth with us were a fun group. I got to meet several of the BSDI

developers and marketing staff, as well as many of the former Walnut Creek bunch.

Jordan Hubbard of FreeBSD and Louis Bertrand of OpenBSD showed up the day of the BoF (Birdsof Feather) meeting, as well as John Tucker from Apple, representing Darwin. Charles Hannum ofNetBSD and Doug Urner of BSDI were already present, since they had been manning their boothsduring the previous days. I also got to meet Jim Mock of the FreeBSDzine, a cool FreeBSDmagazine that we have been trying to support since its inception.

At the end of the show, all we could say was that we were exhausted and delighted to be goinghome. The show was fun, but smiling for three days straight made us very weary.

It was clear that the show was a success in terms of marketing, and evident that BSDi spent a greatdeal of money putting on a very good BSD event.

-Chris



RAIDframe: From Simulation to Practice

By Greg Oster, [email protected]

Years ago, when people spoke about RAID (Redundant Array of Inexpensive Disks) systems, theywere often speaking about large servers with many disks, and storage space that was quite out ofthe price range of the average person. Since having additional disks increased the odds that one ofthose disks would fail, redundancy was required for these critical systems to ensure that the entiresystem did not go down if a single disk failed. RAID storage is still quite popular today, but is nolonger limited to enterprise servers in big corporations. With software RAID available in FreeBSD,NetBSD, and OpenBSD, anyone with more than one disk can run some form of software RAID.

This article will discuss the merits and features of RAIDframe. RAIDframe is both a framework forrapid prototyping of RAID systems and the real-life software RAID implementation used inNetBSD and OpenBSD. This article will refer to RAIDframe as it is found in NetBSD, where itscurrent development takes place.

RAIDframe

RAIDframe was developed by the Parallel Data Laboratory at Carnegie Mellon University (CMU).The purpose of RAIDframe was to provide an environment where RAID experiments could easilybe performed, and where new RAID algorithms could easily be implemented and tested. Asdistributed by CMU, RAIDframe consisted of a RAID simulator, a user-land disk driver, and akernel-level device driver for (then) Digital Unix. RAIDframe, as found in NetBSD, is afully-integrated kernel-level device driver. While this driver supports many new features (such ashot spares, component labels, and root on RAID) the core algorithms in RAIDframe have remainedalmost entirely unchanged. The years of testing in the simulation and experimental environmentshave provided an extremely solid RAID foundation on which additional functionality can be built.

Terminology

A RAID set is made up of a number of ’components.’ While some implementations may require acomponent to be an entire disk, in RAIDframe these components are simply partitions on disks orpartitions on other RAID sets. There are no restrictions on the types of disks which can be used.While SCSI and IDE may be the most popular on desktop machines, other types (like HP-IB) havealso been used.

About the Driver

The RAIDframe driver is a pseudo-device which behaves as a normal block and character device.Upper-level drivers talk to it through the regular open(), close(), and strategy() routines, while theunderlying devices (be they other RAID devices, SCSI disks, or virtual devices) are communicated

to via their corresponding IO strategy() routines. These clean and well-defined interfaces make notonly interfacing with the RAID driver easy, but also make maintenance of the RAID driver easieras well. When RAIDframe was in initial testing on NetBSD, the ‘‘disks’’ used were VNDs (VnodeDisks) using files imported via NFS. After it became clear that things were working fairly well,IDE disks were used. Since then, almost all of the testing has been done using SCSI drives.

The devices available to the user are of the form /dev/{r,}raid[0-9][a-h]. These ‘‘disks’’ can bepartitioned, formatted (via ‘‘newfs’’ for FFS, or ‘‘newfs_lfs’’ for LFS) as though they were aregular disk. Swapping to partitions on RAID sets is also supported.

RAID levels supported

RAIDframe supports the ‘‘traditional’’ RAID levels 0, 1, 4, and 5, and includes partial support forother RAID levels such as RAID level 6 (P+Q) and parity logging.

Concatenated components are not supported under RAIDframe. The ccd(4) device works fine ifthat functionality is required. N-way mirroring is also not currently supported.

Component Labels

A key to a number of the new features of RAIDframe is the use of ‘‘component labels.’’ Eachcomponent in a RAID set has a component label. This label contains information such as:

1. the number of rows and columns in the RAID set. 2. the position of this component in the RAID set. 3. a serial number for the RAID set. 4. a ‘‘modification counter’’ 5. the component status 6. other configuration parameters needed to automatically configure the RAID set.

The information stored in the component labels completely describes a RAID set to the point whereonly the information in the component labels is needed to automatically configure the RAID set.Since information in the component labels is independent of the physical ‘‘disk’’ on which itresides, SCSI IDs (for example) can be switched around, and auto-configurable RAID sets will stillconfigure automatically and correctly.

If auto-detection of RAID components and auto-configuration of RAID sets is enabled, the kernelwill examine each disk partition of type ‘‘RAID’’ to see if it has a valid component label. Thecomponent matching algorithms group together related components, and if enough matchingcomponents are available the corresponding RAID set is configured. Because thisauto-configuration occurs before the root partition is mounted, a partition on a RAID set can beused for the root filesystem, further increasing the robustness of the system. (The author’s mainmachine has the root filesystem on a RAID 1 set.)

Since misconfiguration of a previously configured RAID set can destroy the data on the set, theconfiguration code takes great pains to attempt to ensure that the components being configuredreally belong together. Using the standard configuration techniques, the component labels are usedto ensure that the components are specified in the correct order in the configuration file. (Theordering of components in the configuration file will probably become irrelevant at some point,with component labels being used as the sole determinant of where a component belongs).

RAID sets can be layered. That is, a RAID 0 set consisting of three RAID 1 sets is perfectlyacceptable.

Dealing with component failures

The ability to deal gracefully with component failures is probably the most important feature of anyRAID system. The second most important feature is the ability to reconstruct the lost component(s)so that redundant operation can be resumed.

RAIDframe handles component failures quite gracefully. A number of different drives died duringstress-testing of the RAID subsystem, and the tests continued on without a hitch, albeit in degradedmode. The author’s main system suffered a disk failure on a RAID 5 set, and it was a week beforethe author even realized that a disk had failed! (Yes, the author is intending on improving theadministrator notification when a component fails :) ) More recently, one of two disks in theauthor’s RAID 1 set experienced a number of read errors, and again the system continued tofunction properly. The ailing disk has since been replaced (it was less than 3 days old when itstarted having problems) and the new disks have been functioning perfectly (36 days of uptime).

Hot-swappable drives

While there is nothing in RAIDframe that requires the use of hot-swappable drives, the availabilityof such drives further reduces the need to take a machine off-line in the event of a drive failure. Tosimulate a hot-swappable drive, the author uses an external drive with its own power switch, whichallows easy ‘‘failing’’ of a drive at the hardware level. A typical test procedure is often:

1. start doing heavy IO on a fully functioning RAID 5 set. 2. ‘‘fail’’ the external disk (say sd3) by turning it off. The system continues to run in

degraded mode. 3. turn the external disk back on. Since the disk is marked as ‘‘failed’’ by

RAIDframe, it will not be accessed. Turning the disk back on simulates thehot-adding of a new drive.

4. use:

scsictl scsibus0 scan any any

to tell NetBSD to look for ‘‘new’’ drives on the first SCSI bus. 5. at that point the ‘‘new’’ disk is ready for disklabelling, partitioning, etc. 6. do an in-place reconstruction of the failed drive:

raidctl -R /dev/sd3e raid0

(assuming sd3e is the component on the failed drive, on RAID set raid0 ). 7. once the reconstruct finishes, the RAID set is back in its former state, all without

having taken the machine down.

IO can be taking place on the RAID set during the entire operation, which means that withhot-swappable disks the machine should never need to go down due to disk failure.

Architectures

It was slow, and the kernel had to be gutted of other important things (like networking!) to make

enough room, but the Sun 3/50 *did* run RAID 5 over 3 SCSI disks. The HP380 with 5 SCSI diskson one RAID 5 set and 4 HP-IB disks on another RAID 5 set doesn’t exactly scream either, but itdoes work, and it does give a small (by today’s standards) amount of redundant storage for thatclass of machine:

Filesystem 1K-blocks Used Avail Capacity Mounted on/dev/sd1a 23663 19288 3191 85% //dev/sd1d 248430 99979 136029 42% /usr/dev/raid0d 2507757 483365 1899004 20% /mnt/dev/raid1d 1900526 242974 1562525 13% /mnt2

The i386 architecture has been used for most of the RAID testing. Everything from 486dx50’sthrough P133’s to AMD K6@233’s and K6-2@350’s have been used in testing. Pmax, sparc, andalpha architectures have also been tested.

Performance

An often-sited disk performance benchmark these days is Bonnie. Performance values for RAID 0,and 1 sets (2GB test size) are given in Table 1. The system (at time of print) is an AMD K6-2@350,with an AdvanSys ASB3940U2W-00 SCSI controller. The disks used in the tests are FujitsuMAE3182 18.2GB U2W drives. NetBSD-1.4.1 and NetBSD-current are the OSes used(performance under -current is slightly better).

Table 1

-------Sequential Output-------- ---Sequential Input-- --Random-- -Per Char- --Block--- -Rewrite-- -Per Char- --Block--- --Seeks--- K/sec %CPU K/sec %CPU K/sec %CPU K/sec %CPU K/sec %CPU /sec %CPURAID-0 11819 87.5 24502 55.0 4676 16.5 10697 94.9 30217 89.4 89.8 5.7RAID-1 10088 79.6 14948 32.7 4648 18.3 11051 95.3 19874 42.6 85.0 5.7

Note that the RAID-1 performance on reads is somewhat under-estimated by this benchmark, sinceRAIDframe will do load-balancing across the drives, and thus achieve closer to RAID-0 (on twodrives) performance when there are two or more reads taking place.

Table 2 shows the performance of various RAID/ccd configurations on the same machine, but withdifferent controllers (two ASUS SC875’s) and different drives (Seagate ST32155W Fast/Wide).RAID-0a shows the performance of 5 of these drives in a RAID-0 configuration. RAID-0b showsthe performance of 4 of these drives in a RAID-0 configuration. RAID-5 has the same storagecapacity as RAID-0b, but uses 5 disks instead of 4. The ccd entry reveals that for all the additionalcomplexity in the RAIDframe driver, the RAIDframe driver is still on par with the ccd driver whenit comes to simple striping.

Table 2

-------Sequential Output-------- ---Sequential Input-- --Random-- -Per Char- --Block--- -Rewrite-- -Per Char- --Block--- --Seeks--- K/sec %CPU K/sec %CPU K/sec %CPU K/sec %CPU K/sec %CPU /sec %CPURAID-0a 11534 95.0 20724 48.1 3571 9.7 9317 92.5 22349 56.4 33.8 2.0ccd 13035 96.2 17690 34.1 3130 6.7 10594 92.8 18880 43.9 33.5 1.3RAID-0b 11991 92.9 16924 36.9 3110 8.5 10025 92.0 18904 53.5 33.3 2.1RAID-5 3069 22.1 3039 5.4 2052 7.5 10234 88.7 16174 49.0 24.4 1.9

These drives are fairly slow by today’s standards, but as is seen here, even slow disks can be turned

into a reasonably fast RAID set.

Conclusions

RAID is no longer only an option for expensive and high-end servers. RAIDframe, which started asa simulation framework, is now available for general use on a wide variety of architectures inNetBSD and OpenBSD. RAIDframe, as a fully-integrated kernel device driver, provides a robustand reliable RAID system. Real-life device failures have provided the additional proof thatRAIDframe has moved well beyond the simulation stage -- it also works very well in practice.

Bibliography

1. RAIDframe pages at CMU 2. Author’s RAID pages



My Adventures In... OpenBSD 2.6

by Alison [email protected]

A UNIX system at home? The concept seems woefully geeky. For about six months I had beenavoiding the temptation in the (evidently false) belief that I was far too cool for that sort of thing. InFebruary 2000 the penny finally dropped: one can’t deny one’s inherently geeky nature. (And here Iwas hoping for a life of glamour and glitter, fashion and fame, damnit.) February 29 2000 saw meinstalling an OpenBSD 2.6 system on a second home computer.

The BSD Selection

Unfortunately I don’t really have any delightfully inflammatory reasons for choosing OpenBSDover any other flavor. My primary requirement was that it be cheap. Alas, that ruled out my favorite- Digital (sorry, I mean Compaq (can you say, like, total weird-out?)). NetBSD was my firstlow-cost choice - it doesn’t have the certified adherence to established standards that Digital does,but the platform portability ethic made up for it. I waited ten days for a reply from the Australiandistributor about its availability before giving up and going for NetBSD’s "ultra-secure" offspring -OpenBSD. (As an aside, I have still not heard anything from the Australian NetBSD distributor andam now liking OpenBSD too much to switch anyway - too bad guys.)

Installation

The first step of the installation was to transfer the CD-ROM drive from jem (my Windows 98 PC)to the as-yet unnamed Pentium 75 lying rather unceremoniously on the floor. This proved to bequite the battle, the machines inflicting heavy casualties on the human side: one chipped nail andone broken nail. Whoever invented those impossibly tight power supply plugs should be shot. Infact, the person who dreamt up the concept of hardware deserves a bullet too - as if getting thedamn stuff plugged in wasn’t hard enough, we then have those erratic and entirely unexplainable‘‘failures’’ to deal with. Thanks, Charles, for bringing us the most frustrating aspect of computingtoday.

With the CD-ROM drive transplanted and the floppy image written, it was crunch time. After theinfamous OpenBSD installation article on linux.com that sparked such lively discussion, I wasexpecting the worst - this was to be my first ever UNIX installation. I was, in fact, pleasantlysurprised. The install script was practical, simple and straightforward. Granted, it may have savedme some frustration if I had bothered to read the documentation a little more thoroughly than just tofind out which disk image to rawrite, but I’m sure it wouldn’t have been nearly as much fun. (Hey,partitioning disks by sectors instead of megabytes is fun, right? Okay, so I really need a life.)

Configuration

Once I saw that familiar little hash prompt, it was time to get kimber configured. Forgetafterboot(8), I wanted tcsh. INSTALL.I386 told me to install it using pkg_add. That was a mistake.No chance to edit the Makefile? No source? This reminded me way too much of Debian’s dselect or(dare I say it?) Microsoft’s Windows Update where files that you never remember installing end updotted all over the place. Needless to say, after experiencing pkg_add, my first priority changed togetting ppp working so I could install programs properly.

After a long sigh at the sight of the three ‘‘p’’s finally going uppercase, I downloaded the RSAencryption library, then proceeded to get another fundamental - lynx... only to find it had beeninstalled already. Some digging revealed that not only was lynx already there (configured totallydifferently from how I use it), but so were apache, perl and a few other conspicuously unnecessarybinaries. This was the so-called ‘‘base install?’’ It would have been nice to be able to selectprecisely which programs to install rather than the all-encompassing ‘‘base26.tar.gz.’’ (Actually, itwould have been real nice to be able to select install locations of each program too, so that theGPL-licensed programs could be separated from the rest of the operating system, but perhaps that’smore a philosophical issue than a practical one.)

Aftermath

The next week or two was spent with those small ‘‘moving into a new place’’ tasks such asinstalling smbclient, getting NAT up and running for jem, commenting out the annoying /tmpcleanup from /etc/rc and getting frustrated trying to get FreeBSD’s gnat-3.12p package working.(The latter has left me completely stumped - if anyone has any hints on how to get a native gnat tobuild from emulated binaries I would love to hear them!) Uptime after my unnecessary-but-lazyreboot to set up ipmon and named is now 11 days and looking very stable. Of course that will resetwith the inevitable monthly brownout Australia appears so adept at delivering, but at least for thetime being it feels impressive next to jem’s single-digit record.

As an interesting side-note, I have since this OpenBSD install had the (dis)pleasure of installingRed Hat 6.1 on a computer at my work. I couldn’t believe the completely non-intuitive andüber-gaudy interface or the total lack of control over what was happening. While admittedly suchthings are only to be expected of Linux distributions, the immense contrast between thatfaux-simple confusion and the genuinely-simple, streamlined, shell-escapable OpenBSD installscript really drove the point home for me. The minor reservations I had been having about goingwith OpenBSD instead of a (probably imaginary) slimmer operating system disappeared in just afew thousand presses of the tab button.

I know it’s been said before, but what the hell: when it all comes down to it, BSD users are reallygetting the best deal in the free operating system market. Contrary to popular opinion, however, Ithink it’s not just a matter of reliability, but also of clarity and simplicity - two very important andoft-overlooked characteristics of computer software.

My Continuing Adventures In...

In closing I would like to thank Theo de Raadt and the OpenBSD commit team for putting togetherthis operating system, the ubiquitous Regents of the University of California for laying the opensource groundstones and the unnamed sweetie who introduced me to BSD, helping me realize that‘‘the UNIX thing’’ really wasn’t as lame as Linux had made it out to be. My Microsoft Windows9x bubble is now officially and categorically burst. Well, perhaps not categorically enough to startme using the X Window System. Still, the possibility looms closer, and the biggest hurdle isprobably already behind me: accepting the guilty pleasure of being a geek. Okay, damn. UNIX

rules. Where’s my BSD polo shirt?



Hey! Mister Answer Man

by Todd Whitesel

When it rains, it pours...

Many of you wrote in to point out my gaffe on last time’s shutdown script question, as well as toflesh out other answers from last time and to answer a couple of the mailbag items. Also, we havesome intriguing essay questions this month.

And The land of weird hardware returns!

List of Topics

I’ve got an /etc/rc.shutdown script here that works great, but you said in your last column that noscripts were run during system shutdown. Mysterious cc1 coredumps have not gone away! any other ideas? Sharing disks with Windows: here’s another option. Mounting ISO9660 image files on FreeBSD, what’s the scoop? Printing to NT printers from BSD: any other ways? Would you please explain that bit from your last column about "charging down" machines? Can you point me to a "UNIX and Network Firewalls for Dummies" web site? Why does BSD report fragmentation on the disks even after a fresh install? I want to pretend I have another IP address, so I can use my work machines from home. I want to use amd which is already installed; how do I turn it on? How can I share a Linux tape drive with a FreeBSD machine? Why are BSD’s more sensitive to overclocking than Linux? Why is FreeBSD so awesome, I mean, why do I love it so much? What’s the latest news from the Land of Weird Hardware? This month’s mailbag has a cloud on one side, a flower on the other, and a cute embroideredrainbow running around one end to connect them.

Q:I’ve got an /etc/rc.shutdown script here that works great, but you said in your last column that noscripts were run during system shutdown.

A:Yeah, looks like I flat out goofed that one. I’ve never needed to customize this on my systems, so Ihadn’t ever looked before I saw that question. I recall checking some man pages, but must havemissed it somehow.

As I’ve now learned, the implementation varies quite a bit between the BSDs. Depending on yourdistribution, /etc/rc.shutdown will be run (if it exists) at some point in the shutdown/reboot/haltsequences, and you may have support for /etc/rc.shutdown.local too.

# grep -l rc.shutdown /etc/*

This is the simplest way to get started finding your way around, and it’s a generally usefultechnique. :)

Q:Mysterious cc1 coredumps have not gone away! any other ideas?

A reader writes in:

A:Another possible cause is that your L2 cache chip(s) are going bad. To test for this, try compilingproblem programs (e.g. eval.c from guile) both with and without external cache enabled in theBIOS.

Q:Sharing disks with Windows: here’s another option.

A reader writes in:

A:I have done this successfully with the NetBSD rumba package.

With this package installed, mounting Win95 disks is as easy as:

1. Make a Win95 disk shareable under a name, say "theotherdisk" 2. mount the disk using

rumba //theothercomputer/theotherdisk /mnt

This makes the entire tree of "theotherdisk" visible in /mnt.

Q:Mounting ISO9660 image files on FreeBSD - what’s the scoop?

Numerous readers wrote in:

A:FreeBSD vnconfig supplies a default geometry which is acceptable to the cd9660 filesystem code,so the following "just works":

# vnconfig -c /dev/vn0 /mnt/image.iso # mount -t cd9660 /dev/vn0 /disk/cdrom ... use files in /disk/cdrom ... # umount /disk/cdrom # vnconfig -u /dev/vn0

Q:Printing to NT printers from BSD - any other ways?

A:A reader writes in:

I saw your answer in Answer Man regarding printing on NT servers from BSD. I have actuallyfound that using NT’s built-in lpd service, it is really easy to share an NT printer without having toinstall any Samba stuff, and just use BSD’s native lpr commands.

Q:Would you please explain that bit from your last column about "charging down" machines?

I have never heard of that before...

A:It has to do with the actual construction of semiconductors, and the fact that designs are getting sohuge and complicated that nobody can really test them as completely as they probably need to betested. People have been accusing software of this for a long time, but it happens with hardwaretoo.

Certain types of design mistakes (or even aggressive design practices) in on-chip circuits can resultin the accidental creation of things that behave like memory even though they’re not supposed to.Like memory, these can get turned on in a stable way, either by software mistake or by running fora time while overclocked, or perhaps by plugging something into the back of the machine veryincorrectly.

Since these unintended memory cells are not supposed to be there in the first place, there is nothingin the design to see that they get cleared on a reset, and if the conditions that set them are rareenough, normal product testing will never reveal their existence. They can even be caused by amarginal manufacturing run, in which case only a small group of units are actually vulnerable, andthe chance of early discovery is even lower.

A simple example is two large wires that run over each other. These create a small capacitor,because that’s what physics has found to be true of any conductors in close proximity to each other.Usually its capacitance is so small that the other circuits connected to it will swamp it out, and itwon’t have any effect. But if those circuits are marginal, or noise sensitive, then a good charge onthat accidental capacitor will have an effect, which can snowball through the design until somethingobservable happens.

When one of these things gets wedged, the hardware mysteriously begins to behave differently. Ihave personally observed a PC parallel port that didn’t want to transmit data for days (windows

gave some obscure error), and a VME single-board computer (since discontinued) that refused torun downloaded test programs for hours, and my weird file server freezing problem that plagued mefor a month, all of which required a "charge down" to ultimately fix them. In all of these cases,regular flip-flip power cycles were insufficient, but the hardware recovered immediately after along "charge down" procedure.

Why are these things so tenacious? Depending on their proximity to outside power sources, wedgedmemory cells may be able to maintain themselves as long as outside power reaches them, also dueto how modern semiconductors work. Nearly all silicon-based integrated circuits are in some waysjust a huge beach of electrical tidal pools that are all connected to the main silicon crystal (a bigresistor) by diodes. Fortunately these diodes all point in the same direction, so if outside power isapplied, every single diode becomes reverse-biased and won’t let any current through. This keepsthe individual circuits on the chip electrically isolated while something is running.

By unplugging everything from the PC that has its own power source (AC line cord, monitor,network, etc.) you remove all possible routes for fresh power to enter the machine and keep the"tidal pools" isolated from each other. This allows the power in the ’wedged’ things to drain away,and eventually they will un-wedge themselves. When I suspect this kind of wedging, I check for itby powering off and waiting at least a minute; when I’m really paranoid, I leave something off forten minutes or even overnight.

But what about clock chips that have their own internal battery? This is in principle a seriousproblem, but in practice it’s not. Most clock chips are good at keeping their backup power fromleaking out into the motherboard, to help them last in long-term storage. You’re far more likely tohave problems with stored settings getting corrupted than with the clock battery poweringsomething on the motherboard and enabling it to stay wedged.

Q:Can you point me to a "UNIX and Network Firewalls for Dummies" web site?

I am a university student (Computer Science, even!) Windows user, who is trying to learn themysterious art of UNIX. (At the moment I’m trying to set up an OpenBSD Firewall and Proxyserver.)

My question is broad: Where do I start!? Please don’t tell me to read man pages. Knowing the 100command line options for every single program on the system is nice but it doesn’t tell me whichfile to edit or which command to run first.

Is there anywhere on the Internet that explains all one needs to know about UNIX and Networkingin a step by step for dummies manner?

A:It’s being worked on. We’d all like to have better documentation sooner, but relatively few peoplestep up to the plate to actually write it.

A NetBSD/mac68k user posted some tips in late March. A quick AltaVista search turned up a website dedicated to FreeBSD tutorials, one of which covers firewalls.

I’m sure there are more; search engines are your friends.

Q:Why does BSD report fragmentation on the disks even after a fresh install?

A:Because fragmentation doesn’t mean the same thing on BSD as it does on DOS.

BSD filesystems don’t worry about making every file completely contiguous. Instead, they requirethat large files be allocated into medium sized (usually 16 or 8 sector) contiguous runs (aligned ontheir size) and try to keep them reasonably close to each other on the disk. These medium sized runsare the "block size" reported by disklabel and other filesystem commands.

Data for small files, and the last few sectors from the ends of large files, are combined together sothat they fill up these contiguous runs also. When files grow, sectors will be moved around to allowmore contiguous runs to be filled. This algorithm effectively self-defragments the filesystem duringnormal operation. It operates very well over a wide range of activity loads and is generally onlyfoiled when the disk becomes almost totally full.

Depending on the exact mixture of file sizes on the disk, it won’t always be possible to completelypack everything. And on disks that are not very full, space is typically pre-reserved for large files togrow into, rather than actually using it to store small files. (These pre-reservations get revokedwhen the disk starts to really fill up, of course.)

Because of all this, it is typical for a BSD filesystem to contain contiguous runs that are only partlyfull, and some portion of the free disk space is going to be located inside these. Fragmentation onBSD simply means this portion of the free disk space.

If your disks report fragmentation of 10% or less, ignore it.

Q:I want to pretend I have another IP address, so I can use my work machines from home.

I can connect to a server from work and cannot from home. The server checks the originating IPaddress and won’t let me on. I know what IP address it wants. How can I make the server think I’mconnecting from another IP address?

A:Sorry, but the ways you might try to do this won’t actually work.

Nearly all home-to-work setups use proper IP routing, and the routers know who is on each side ofthe connection by looking at the IP address. Even if you did pretend to be another IP address (andyou can), the return packets would go wherever the router thinks that machine is, and not to you.

In the case where your home machine is "transparently" on the office network, using the IP addressof another live machine is dangerous because it can seriously confuse some programs and OSes,and cause other trouble that will make you regret trying.

At my day job we regularly work on borrowed pre-release hardware that needs to be added to the

network. Whenever someone misprograms an IP address to cause a conflict, we see all kinds ofweird behavior, and people send around emails asking for whoever is using IP address x.x.x.x toplease stop it.

My personal take on IP spoofing is that it is only useful to criminals. For legitimate purposes, ittends to cause more problems than it solves.

Q:I want to use amd which is already installed; how do I turn it on?

A:Edit /etc/rc.conf . Find the line that starts with:

amd=NO

Change the NO to a YES. The next time you boot, amd will be started automatically.

You also need to create an /etc/amd.conf file. Your system should have at least one of/usr/share/examples/amd and /etc/amd.map, which you can look in for sample configurations.

Q:How can I share a Linux tape drive with a FreeBSD machine?

I’ve got two boxes at home, one P233 running Linux which now has a tape drive, and one P100running FreeBSD 3.4 (but with much more disk). They are connected by a crossover 10baseTEthernet cable. I’d like to start backing up the FreeBSD machine to the Linux machine’s tape.

Also, what are the best command-line options for FreeBSD’s tar? (I just recently found out aboutpreserving permissions under Linux.)

A:Check out GNU cpio and rmt.

As for tar options, it’s the same GNU tar you’re used to on Linux. I generally use

# tar czf tarfile directory

to back things up, and

# tar xzpf tarfile directory

to restore. (Also use the B flag if you’re piping into tar from somewhere.)

Q:

Why are BSDs more sensitive to overclocking than Linux?

As a somewhat long-term user of Linux I am intrigued by ’REAL’ UNIXes and in talking with ouroffice FreeBSD guru (you can tell he is, he hates the title), it seems that BSDs don’t sufferoverclocking well. Aside from the much over-publicized religious fight, why is UNIX so intolerantof CPU and motherboard timings? I solved my personal overclocking issue by getting aninexpensive ABIT BP-6 dual 500 Mhz Celeron system (not the fastest, but far more interesting).

A:The short answer is that (for better or for worse) UNIX expects people to fix hardware when it isn’tworking right. UNIX was originally designed and run on expensive high-quality hardware, whereasPC operating systems were all born into a universe of hardware chaos.

The only time overclocking is safe is when the CPU was deliberately sold at a lower speed ratingthan the one for which it was manufactured and tested. Otherwise, overclocking runs the CPU atspeeds that either were never tested, or were tested and failed.

Since the CPU failed a test (or might have failed it had the test been run), some operation orcombination of operations on the chip is going to screw up. The stuff that fails first is often themost complicated, and thus happens less frequently. As you crank the speed up, simpler andsimpler operations become unreliable, until finally the chip can’t do anything without crashingitself.

But in the huge gray zone between the rated speed and the red line, your CPU is silently flippingbits a few times a minute. Sooner or later one or more of those flipped bits will cause trouble.

It might be a spurious SEGV in cc1. It might be an Illegal Instruction in the shell. Or it could simply get written out to disk, to cause terror at some later date.

Depending on how often you wipe and reinstall your machines, you may never directly notice thecorruption from overclocking, or you may simply blame it on bugs in pre-release software you’rerunning.

Getting back to your original question: UNIX is more sensitive to hardware errors because it freelyuses sophisticated algorithms that trust the hardware to remember a lot of data correctly. Thisincludes common performance boosters like managing smart hardware (like network and diskDMA engines) to offload tasks from the main CPU as much as possible.

When the hardware misbehaves, kernel assertions attempt to detect and diagnose the problemwithout causing undue drags on system performance. When corruption is found, the system isusually panic’d on the assumption that things will only go downhill from there. Severe corruption isfar harder to debug than a clean crash.

IMHO overclocking is great for systems that don’t need to be backed up. A dedicated gamemachine, for example. Otherwise, overclocking is a daily lottery of instability which is not worththe long-term headache.

Q:

Why is FreeBSD so awesome, I mean, why do I love it so much? I love it more than a mustang athigh speed! I LOVE FreeBSD! Am I crazy? (Dunno, what’s your doctor say? -toddpw)

A:BSDs are awesome because they work. And when they don’t do what you expect, they always dosomething reasonable, or at the very least something comprehensible.

BSDs try hard to prevent and eliminate internal conflicts in the design of the system. Such conflictsare responsible for most of the frustrating unpredictable behavior of many software systems.

BSDs don’t waste resources in a futile effort to read the minds of countless individual users.Instead, they support teachable methods for getting things done, knowing they can rely on usereducation to close the gap between the crock of ‘‘intuitively obvious’’ and the practicality ofknowing one’s way around a toolbox (as opposed to puzzling through a swiss army knife of featurebloat).

BSDs don’t try to be all things to all users. They make considered judgements about what the O/Sshould do, and then they focus on doing it well, leaving everything else to 3rd party software.

BSDs don’t have chips on their shoulders. They don’t rush code out the door just to say they’ve gotsomething too. It’s much better for things to really work the first time you release them.

BSDs aren’t paranoid. With a license that explicitly allows people to totally desecrate their code,new BSD developers either get used to the meritocracy or they get out. Not unlike Adam Smith’sinvisible hand of capitalism, this is an incredibly powerful filter that keeps everyone developingsensibly.

BSDs prefer to learn from history, and shun the alternative. Their only ulterior motive is to makethe most complicated things reasonable, even if that means doing something non-obvious, and itoften does.

So while BSDs don’t always want to work the way you thought they might, they always want towork.

Q:What’s the latest news from the Land of Weird Hardware?

A:We return to the Land of Weird Hardware for a look at the newest member of the family: the IBMWorkPad z50.

Apparently this was IBM’s first Windows CE (oops, Pocket PC) device, and probably their last,since at a list price of $999 it was creamed in the marketplace by both the lack of insanely greatsoftware support and competition from fully-functional Celeron mini-laptops costing not muchmore, such as IBM’s own ThinkPad 240 which even uses the same basic case design.

In mid-February web stores began dumping the WorkPad z50 at bargain prices and in March IBMquietly discontinued it. After a few canceled orders from other web stores, I managed to get onefrom outpost.com for $369. I eventually settled on Mobile Planet for my accessories:

1. beefy double-size Li-Ion battery 2. 32 MB memory upgrade 3. low power compact flash ethernet card

Initially I used an old 160 MB Type III PCMCIA hard drive as the boot disk, but in mid-April theprices on SanDisk 192 MB CompactFlash finally went commodity (meaning, about $2 a megabyte)so I snagged one from buy.com and managed to get it for just under $400 (after tax, even).

The WorkPad z50 with 48 megs of ram and 183.5 megs of disk (192,000,000 bytes -- shoulda seenthat coming, grr) is a pretty spiffy machine. You can pack an entire distribution ofNetBSD/hpcmips from mid-March on it and still have some room left over. It’s totally quiet (nomoving parts) and weighs only a few pounds. The two batteries easily last for more than 5 and 10hours of full use at normal LCD brightness.

Not all the hardware is supported yet; in particular the X server and the power management stuff isstill in progress as I write this. But it’s already useful enough that I’m taking it to meetings, and I’vesuccessfully used it to track my comic book collection (while I’m at the store!) so I can avoidbuying the same back issue twice (argh...). And it’s also nice to have the entire BSD gamescollection available any time I need a pleasant diversion. :)

Q.This month’s mailbag has a cloud on one side, a flower on the other, and a cute embroideredrainbow running around one end to connect them.

1. I’m trying to install OpenBSD 2.6 on a Compaq 1850. Using the internal ncr53C8XX SCSIcontroller and 1 drive for now... It says there are errors with port 1, which is fine because I’musing port 0. It formats fine, and installs fine, but when I reboot there is a message

Using Drive : 0 Partition 3

and that’s it... It hangs there. I have tried this on 3 different Compaq 1850’s, all with the sameresult. Also, I can take the same CD and install OpenBSD on a desktop machine with IDE?

2. I have an ASUS AGP-6600 video card with NVidia GeForce 256 and when I use startx I getFailure VGA(0) driver can’t support depth 24. It says there are Screens found, but nonehave a usable configuration. How do I get X windows working? Newbie-level answersplease!

3. I have a ’turbocomm’ serial card by Pacific Commware. I have been trying to get thisworking with FreeBSD since early 3.x. The card has a TI 16750 UART, and I attach myexternal ISDN TA to it. I find that it is superior to the NS16550 comm ports on themotherboard, but FreeBSD seems unable to use it at any baud rate higher than 2400!!

4. Can someone provide a list of SoundBlaster PCI cards supported by FreeBSD? 5. I’m trying to install FreeBSD 3.x/4.x on an IBM 486 DX Valuepoint with a Pentium

Overdrive in it; the 2.2.7 release worked fine on this machine. When I try to boot the newlyinstalled systems, I always get this:

not ufs not ufs No /boot/loader

I tried both of the following:

0:ad(0,a)/kernel 0:ad(0,a)/boot/loader

The error returned is:

not ufs no /kernel

Using the boot floppies I can verify that all these files do exist on the disk.

By the way, this Valuepoint (6384 N50) is also using Ontrack’s latest disk manager, version9.47. Even with the latest BIOS, the machine needs Ontrack. Still, the FreeBSD root partitionends well below cylinder 1,024. (Win 95 and NT 4.0 are on 2 other fdisk partitions whichprecede the FreeBSD slice. They boot up fine using the Boot manager that comes withFreeBSD and the NT Loader boot manager.)

Do you have questions for the BSD Answer Man? Send them to [email protected] email sent to this address is assumed intended for publication and will become the propertyof Dæmonnews. That’s all for this month, folks. Until next time, remember: there’s no shame in asking RTFMquestions any more, because these days, there is just too much FM to R.

About the Author

Todd Whitesel has been grokking computers for fun since his first grade school Apple II in 1980,and doing it for a living since 1992, when he escaped from Caltech with a B.S. degree. He helpspromote Japanese Animation in America by running Registration for Anime Expo, and helpspromote NetBSD by way of his NetBSD Architecture Farm.

[home| mail]



What to do AFTER you have BSD installed

by Chris Coleman, [email protected]

The first time you install BSD, you may face a huge learning curve. Unless you come from a UNIXenvironment, it’s a totally new way of thinking. There are several things that people assume youknow and therefore leave out of the documentation, or they have arranged the documentation insuch a way that you have to know about it to find it. This happens a lot in the UNIX world. Theman(1) pages (commands found in the manual are often tagged with their manual section inparenthesis like this; the ’man’ command is found in section 1 of the manual. Try typing ’man man’for more information on the ’man’ command.), which are the primary source of UNIX onlinedocumentation, assume that you already know what command you are trying to learn about andhow it is spelled. If you don’t already know the command you are trying to learn, the man pageswon’t help much. Another place people seem to cut short on documentation is immediately afterinstallation.

The install process on BSD is getting easier and easier, therefore more people with fewer UNIXskills are getting through the install process. Because of this, there seems to be a growing numberof people that get BSD installed, and have no clue what to do when presented with the first loginprompt.

Darwin/BSD (localhost) (console)

login:

Because BSD is a highly secure operating system, unless the new user knows the default loginname and password, the newly installed BSD system is useless to them. The command lineinterface is also foreign to most new generation users.

The Default Login

On all BSD systems, the initial default user name is ’root’. It is the only user on the system that isallowed to login initially and generally, root is not allowed to login remotely.

Allowing root to login remotely would be a bad security policy, because root is also the superuser.The superuser has full administrative access to the system, and can cause the most harm throughmistake or misuse.

For those who come from single user systems, such as Windows 95/98, DOS, or Macintosh, theconcept of having to log in to your own machine can be quite strange. BSD is inherently multi-user,even on a desktop machine that only one person is using. When you aren’t there, there could be 5different automated users can be performing scheduled functions. Things such as e-mail, logging,

task scheduling, and volume indexing are performed by various internal users with different levelsof security authorization.

Generally, root doesn’t have a initial password by default. However, you may have been promptedto set the root password during the installation. If the root password is unset, it is important to set it.

Setting the root password

The command ’passwd’ will change a password. If you type ’passwd’ by itself, it will change yourpassword. If you are the root user, you can use it to change other people’s passwords. To changeanother person’s password, type ’passwd username’, substituting the actual user’s login name for’username’.

# passwd Changing local password for root New Password: Retype New Password:

When you type the new password, it will not be displayed on the screen; however, it will berecorded. It will make you retype the password to confirm that you really typed what you wantedto. If you do not enter a password of at least 6 characters, or the password only contains lowercaseletters, it will make you start over and choose a more secure password.

Creating another user

BSD has a script, called adduser, that makes it easy to create a new user. All you have to know tocreate a new user is the name of the person, and what you want the login account to be - the scriptcan take care of the rest. It does, however, allow you the option of overriding the default valueswith your own. For now, the defaults should be sufficient.

# adduser -silent Use option ‘‘-verbose’’ if you want to see more warnings and questions or try to repair bugs.

I used the -silent flag to tell it I didn’t want the extra information and options that are available.You only have to use the -silent flag once and it will remember it until you use the -verbose flag toswitch it back.

Enter username [a-z0-9_-]: chrisc Enter full name []: Chris Coleman Enter shell csh date no sh [sh]: sh

The shell is your command line interpreter. It reads in the commands you type and tries to decipherthem. There are several different shells to choose from. Most people use either bash or tcsh as theirshell, however only csh and sh are installed by default. If you want to use a different shell, and youdon’t have it installed now, you can change your shell later using the ’chpass’ command.

Enter home directory (full path) [/home/chrisc]: Uid [1002]:

The uid is the User ID number that the system uses to keep track of people. These should be uniqueon the system and the default number here should be sufficient.

Enter login class: default []:

The login class is a new feature in some versions of BSD. It allows you to set up resource limits forgroups of users.

Login group chrisc [chrisc]: Login group is ‘‘chrisc’’. Invite chrisc into other groups: guest no [no]: wheel

The login group tells UNIX what security group you belong to. The group ’wheel’ is an importantgroup that classes you with the superuser. If you aren’t in the group ’wheel,’ you can’t gain rootaccess remotely. You can invite special users into the group ’wheel,’ or create a separate securitygroup for people who need to work together.

Enter password []: Enter password again []:

You will be asked for the user’s password twice and it will not be displayed. Afterwards, it willdisplay all of the user’s information and ask if it is correct.

Name: chrisc Password: **** Fullname: Chris Coleman Uid: 1002 Gid: 1002 (chrisc) Class: Groups: chrisc wheel HOME: /home/chrisc Shell: /bin/sh OK? (y/n) [y]:

If you make a mistake, you can start over, or its possible to correct most of this information usingthe ’chpass’ command.

Editing User Information.

The command ’chpass’ allows you to edit user information. Typed by itself, chpass will edit yourpersonal information. As root, you can use it to modify anyone’s information.

chpass uses your default editor to make changes to the user. If you haven’t changed it, it is often setto use ’vi’. Vi is a powerful text editor, but it is often very difficult for a new user to understand. Ifyou get started using ’vi’, you can easily get stuck and not be able to get out of it.

You can change the default editor using ’setenv EDITOR vi’ on some shells, and using ’setEDITOR=vi ; export EDITOR’ on others. (Change ’vi’ to the editor you feel most comfortableusing, be careful of word wrap though!)

# chpass chrisc

This will bring up information about the user ’chrisc’ in the ’vi’ editor. The password line isencrypted, so dont change it, unless you are trying to disable the user. Then just add a ’#’ in front ofthe password string, so you can easily remove it later when you want to re-activate the user.

#Changing user database information for chrisc. Login: chrisc Password: $1$cFQcwB4t$/rMNdZRE0N./06hHYHJft0 Uid [#]: 1000

Gid [# or name]: 1000 Change [month day year]: Expire [month day year]: Class: Home directory: /home/chris Shell: /bin/sh Full Name: Chris Office Location: Office Phone: Home Phone: Other information: ~ ~ ~ ~ ~ ~ ~ ~ /etc/pw.yw5377: unmodified: line 1

(The little ’~’ characters are a give away that this is vi. It indicates an empty section in the document.)

Quick and Dirty Vi Commands

Vi has two modes, a command mode and text entry mode. There are more things it can do besidesthose two modes, but we will save that for later. In command mode, you can use the letters ’j’ and’k’ to move up and down lines. The letters ’h’ and ’l’ move the cursor left and right.

To change the shell for this user, use the ’j’ key to move the cursor down to the correct line, thenuse the ’l’ key to move the cursor to the left until it meets the first ’/’. At this point, press ’C’ and viwill enter text entry mode and modify everything from the cursor to the end of the line. Type in thelocation of the new shell. Something like ’/usr/local/bin/tcsh’, or ’/usr/local/bin/bash’. When youare done typing in the path, press the ’ESC’ key. This will return you to command mode.

When your change is complete, and you are back in command mode, press ’:wq’ to save and exit. Ifyou make a mistake, return to command mode and press ’u’. It will undo one change. If you reallyscrew things up and don’t want to save your changes so you can start over, press ’:q!’ fromcommand mode and it will force it to exit without saving.

That should be all you need to know to get in and make the necessary change. Please consult acomplete vi tutorial to learn how to make it work for you. The man pages for vi are also helpful.

Mere Mortal Users

Now that you have created another user account, you should log out as root and log in as the newuser. It’s much safer to learn the new system as a ’mere mortal’. You run a much lower risk ofscrewing up the system beyond repair. While you are a mere-mortal, you can switch to root usingthe ’su’ command. If you type ’su’ by itself, it assumes that you want to become the superuser,however, you can use it to become any other user provided you know their password. The root userdoesn’t need to know any passwords to become other users.

There is a catch though, you can’t switch to the root user if you are not included in the securitygroup wheel. All group member lists are kept in the /etc/group file. If the login name is not listed in

the /etc/group file as a member of the ’wheel’ group, they can’t ’su’ to root.

To add a user to the wheel group, edit the /etc/group file and add the user name. The list of loginnames is delimited by commas.

# vi /etc/group wheel:*:0:root,chrisc daemon:*:1:daemon kmem:*:2:root sys:*:3:root tty:*:4:root operator:*:5:root chris:*:1000: ftp:*:1001: nogroup:*:65533: nobody:*:65534: ~ /etc/group: unmodified: line 1

In vi, the cursor should already be on the correct line. Just press ’A’ to start appending to the end ofthe line and type a ’, username’. The ’,’ separates the usernames. Then press ’ESC’ to get back intocommand mode and type ’:wq’ to save and quit.

You can now ’su’ to root using the user you just added to the wheel group in /etc/group.

# su Password:

Very little exciting happens when you successfully ’su’ to root. Your prompt will change to a ’#’ ifit isn’t one already. However, if you fail in your attempt to ’su’ to root, it gets logged in the systemlogs.

Now if you need to log in remotely, you can log in as the normal user and use ’su’ to switch to root.If you plan on using root remotely, it is advised that you install ssh to provide encryption duringyour connection.

At this point, you should be able to:

Log in as the root user. Change passwords. Choose a shell. Create a user. Add a user to the ’wheel’ group. Switch to the root user from a normal user. Get out into and out of vi safely.

Now you need to look around the system.

Learning about commands on your own

The BSD system comes with online documentation for all of its commands. This documentation isaccessed throught the ’man’ command and information about commands are referred to as ’manpages’. The BSD system keeps most of the commands that you need to learn in a few directories.

User commands are kept in /bin, /usr/bin and /usr/local/bin, while commands typically used foraltering system status (reconfiguring a network interface, rebooting the system, mounting a newfilesystem, etc.) are kept in /sbin, /usr/sbin, and /usr/local/sbin.

#cd /bin #ls [ dd kill ps sh cat df link pwd sleep chio domainname ln rcp stty chmod echo ls red sync cp ed mkdir rm test csh expr mv rmail unlink date hostname pax rmdir

The command ’cd’ will change directories to the directory you want to look in, and ’ls’ will giveyou a listing of the files in there. Each file in those directories is a command that you can learnmore about. Type ’man’ followed by the command that you want to learn about and it will bring upthe documentation.

#man ls

LS(1) FreeBSD General Commands Manual LS(1)

NAME ls - list directory contents

SYNOPSIS ls [-ABCFHLPRTWabcdfgikloqrstu1] [file ...]

DESCRIPTION For each operand that names a file of a type other than directory, ls displays its name as well as any requested, associated information. For each operand that names a file of type directory, ls displays the names of files contained within that directory, as well as any requested, associated information.

Pressing the SPACE bar will advance you a page and pressing ’q’ will quit the man page. The waythe man page is displayed is controlled by your pager, usually ’more’. You can learn more abouthow to make the man page scroll up and down by reading up on ’more’.

#man more

MORE(1) FreeBSD General Commands Manual MORE(1)

NAME more - file perusal filter for crt viewing

SYNOPSIS more [-ceinsu] [-t tag] [-x tabs] [-/ pattern] [file ...]

DESCRIPTION More is a filter for paging through text one screenful at a time. It uses termcap(3) so it can run on a variety of terminals. There is even limited support for hardcopy terminals. (On a hardcopy terminal, lines which should be printed at the top of the screen are prefixed with an up- arrow.) File may be a single dash (‘‘-’’), implying stdin.

This should be enough to get you started using the BSD system and learning about generalcommands. Take some time to look through all the directories listed above and try out thecommands after you have read the man pages for them.


What is BSD? Get BSD Contact Us Join Us Search FAQ

FreeBSDzineFreeBSD RocksOpenBSD ExplainedBSD Driver DatabaseBSD Applications

By Susannah Coleman, <[email protected]>and Seth Claybrook, <[email protected]>

Previous Posters Next

First Episode T-Shirts High Res

Previous Posters Next

First Episode T-Shirts High Res


The Daemon’s Advocate

by Wes Peters, [email protected]

BSD Anywhere

Dateline: Goblin Valley, Utah, USA. As I write this, I am sitting at a picnic table overlooking thisfascinating geological aberration, writing on my laptop computer running BSD. Looking at the spanof BSD systems, in terms of time and equipment, I am once again amazed. The scope of thissystem, ranging from the early PDP-11 systems to modern wonders like this laptop, and the amountof sheer human ingenuity represented never fails to impress.

This laptop is quite mundane by modern standards; a Mobile Pentium II processor at 300 MHz, 64MB SDRAM [1], and a 4 GB hard drive. Compared to the PDP-11 and VAX systems BSD wasoriginally developed on, though, it is a supercomputer. In fact, it probably outperforms the firstcomputers given that label by a wide margin.

One of the recurring threads on the various BSD developer mailing lists goes something like‘‘microkernels are so much better than monolithic kernels, why don’t we make BSD more likename your favorite microkernel OS here?’’.

Oddly enough, I cannot think of a single microkernel operating system I would prefer to be using atthis moment, even for such an ordinary task as writing prose. I have had quite a bit of experiencewith microkernel embedded systems in the past few years, and I am glad to be leaving them behind.I can think of no advantages a microkernel offers over the standard BSD monolithic kernel forrunning a system like my laptop. If you find one, let me know, I’ll be glad to try it out. Keep inmind my definition of an operating system: low-level code that allows me to run Emacs. And, sinceI’m a cheapskate, it has to be free.

A battle lost, a war won.

In my March column I said ‘‘Free, open source, gratis software projects produce better softwarethan commercial projects because the people wo work on open projects do so because they wantto.’’ In fact, I made quite a bit of the point, and some readers were not so impressed with myviewpoint.

They countered with an opinion I’ve heard a number of times before but don’t share: that for-profitsoftware is better because the profit motive drives people to excel. In point of fact this is rarely true,for a variety of reasons. Not the least of these is that those who create commercial software rarelyshare in the financial success of their employer to any great extent. In the United States at least, thesocietal norms dictate that executives are rewarded first, and quite handsomely, the primary

investors second, the sales staff a distant third, and those who actually produce the products fourthif at all.

Some of these readers also asked me from what pinnacle of experience I based myrecommendations on. Given that I have so ardently preached the inclusion of BSD in embeddedsystems in this column and in other fora a number of times, they reasonably asked for theembedded BSD experience in my resume.

Here’s the embarrassing little secret: I have none. My employers, and even a few I have consultedfor, have not yet made the leap of faith to base an important product on a free operating system,despite the protestations of suitability from myself and other members of the technical staff. Untilnow.

Taking the plunge

Dateline: Kodachrome Basin, Utah, USA. Yes, I’m still computing on the road. I have what may bethe most mobile BSD system ever invented: a laptop, a power inverter, and a Land Cruiser.[2]

Unfortunately, I did not manage to convince management to scrap their plans based on yet anotherunder-powered, over priced RTOS for their new embedded product. In fact, they decided to buy alicense upgrade, obliterating years of work improving the 7 year old version of the inadequateRTOS in favor of the new, improved version of the same inadequate RTOS. I’m certain the vendorhas availed themselves of the opportunity to introduce hundreds, perhaps thousands of new bugs, orperhaps features, in the updated version. Worse yet, they would not even negotiate for a sourcelicense this time around, eliminating any possibility of fixing new or old bugs in their system.Another battle lost.

Then a funny thing happened after work one night. I went to give a presentation about BSD to thelocal Linux Users’ Group. It was quite a fun presentation, and drew a respectable crowd. We pulledabout 50% more attendees than average, talked about the healthy competition in the BSD arena,gave out a box of FreeBSD CD-ROMs, and generally did well with a very educated butLinux-centric crowd. Then, at the end of the meeting, an energetic young man joined us toannounce his start up company had just received their first round of venture capital and needed tohire a few software engineers.

I was muttering to myself ‘‘Oh, great, another clueless company jumping on the Linuxbandwagon’’ as he was talking about the interesting security features the product is to offer, whenhe astonished me, saying they had chosen OpenBSD for the system. My wife, sitting in theaudience, said she actually saw my ears perk up. I muttered a bit louder as the young man walkedby ‘‘we need to talk.’’

And talk we did. I spoke with the principals in this company two days later, and walked awayknowing this was a once in a lifetime opportunity. It was as if somebody looked at the last 10 yearsof my career, picked out all the important elements, including especially my interest in and variouscontributions to the BSD community, and designed a job around them. Just to clinch the deal, theythrew in a customer base that I care for deeply, and conveniently located themselves a few milesfrom my home.

So, like many others in the BSD world of late, I have taken the plunge and located a full-time BSDjob. What the future holds, we cannot see, but I am certain it will be a fascinating ride. One of thenegotiating points never under dispute in this new job was my contributions to the BSD

community, both through Dæmon’s Advocate and coding, that is a given. We will also contributeback to the community any bug fixes or feature additions we make that do not contain code under aNon-Disclosure Agreement. We fully intend to be participants in the BSD community.

You will certainly read more about my new company, my job, and our products in future columns.As I am writing this, I have not started work on this project; this vacation with my family willprobably be the last for awhile. Remember my comments about time to market last column? Theyhave come back to haunt me; like all start-ups this one will be very driven by time to market for thefirst stretch.

Unlike many, this one is clever enough to realize the fastest path to greatness is to stand on theshoulders of giants.

[1] Now that I’ve loaded Star Office (just to view a .ppt file) I’ve found 64 MB is no longeradequate, so I may have to upgrade. Sigh. return

[2] Yes, I know articles aren’t supposed to have more than one dateline, but bear with me. Thisarticle is covering nearly as much territory as the author. return


Documents

Mirrors Primary (US) Issues May 2000gwdu111.gwdg.de/misc/dnews/dnews_0005.pdf · Mirrors Primary (US) Issues May 2000 May 2000 Search Submit Article Contact Us How to Help Merchandise