20091124

Solaris ksh variations

Today I read, and in parallel discovered, that Solaris has three ksh variants.
Two of them are ksh88 and one is ksh93.

$ grep -i ver /usr/bin/ksh /usr/xpg4/bin/sh /usr/dt/bin/dtksh
/usr/bin/ksh:@(#)Version M-11/16/88i
/usr/xpg4/bin/sh:@(#)Version M-11/16/88i
/usr/dt/bin/dtksh:@(#)Version M-12/28/93d
/usr/dt/bin/dtksh:@(#)Version M-12/28/93
/usr/dt/bin/dtksh:@(#)Version 12/28/93

The standard one is /usr/bin/ksh, and /usr/xpg4/bin/sh is a POSIX-compliant variant of ksh88.
Both of them are components of the SUNWcsu (Core Solaris (Usr)) package.
dtksh comes from SUNWdtbas.

$ ls -li /usr/bin/ksh /usr/xpg4/bin/sh /usr/dt/bin/dtksh
489 -r-xr-xr-x 3 root bin 171412 Aug 7 13:27 /usr/bin/ksh
26709 -r-xr-xr-x 1 root bin 620144 Jan 23 2005 /usr/dt/bin/dtksh
1536 -r-xr-xr-x 1 root bin 171412 Aug 7 13:27 /usr/xpg4/bin/sh
$ file /usr/bin/ksh /usr/xpg4/bin/sh /usr/dt/bin/dtksh
/usr/bin/ksh: ELF 32-bit LSB executable 80386 Version 1, dynamically linked, stripped
/usr/xpg4/bin/sh: ELF 32-bit LSB executable 80386 Version 1, dynamically linked, stripped
/usr/dt/bin/dtksh: ELF 32-bit LSB executable 80386 Version 1, dynamically linked, not stripped, no debugging information available

As you can already see (in the ls -li listing), there are also three brothers-in-inode:

# ls -li /usr/bin/*ksh
489 -r-xr-xr-x 3 root bin 171412 Aug 7 13:27 /usr/bin/ksh
489 -r-xr-xr-x 3 root bin 171412 Aug 7 13:27 /usr/bin/pfksh
489 -r-xr-xr-x 3 root bin 171412 Aug 7 13:27 /usr/bin/rksh

That's the highest link count (file names bound to one inode) of all the Solaris shells (10u8, SUNWCall); second place goes to csh, with only two file names bound to its inode.

Fascinating.
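To find such brothers-in-inode without reading the ls -li columns by eye, here is a small helper added to this post (it is not from the original entry). It groups the given paths by inode using only ls -di and awk, so it runs under Solaris /bin/sh as well as on Linux; the demo builds a constructed directory with one file under three names, standing in for ksh, pfksh and rksh.

```shell
# inode_groups PATH...
# Prints, one line per inode, the given names that share that inode, so the
# "brothers-in-inode" of a binary are visible at a glance. Uses only ls -di and
# awk; names containing spaces are not handled. Added example, not from the post.
inode_groups() {
    ls -di "$@" | awk '
        { names[$1] = names[$1] " " $2; count[$1]++ }
        END { for (i in names) if (count[i] > 1) print i ":" names[i] }
    ' | sort -n
}

# demo_inode_groups: constructed sample input, one file under three names plus
# one unrelated file, in a scratch directory that is removed afterwards.
demo_inode_groups() {
    tmp=$(mktemp -d) || return 1
    (
        cd "$tmp" || exit 1
        touch a d          # two distinct inodes
        ln a b && ln a c   # b and c are hard links to a's inode
        inode_groups a b c d
    )
    rm -rf "$tmp"
}

demo_inode_groups
# prints one line ending in ": a b c" (the inode number varies);
# d has a single name and is not listed
```

Run it against the real thing with `inode_groups /usr/bin/ksh /usr/bin/pfksh /usr/bin/rksh /usr/xpg4/bin/sh /usr/dt/bin/dtksh` to reproduce the listing above; rksh and pfksh behave differently only because the shared binary looks at its argv[0], which is why the link count is worth knowing.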

20091122

Make yourself a package

In a world where Good Security Practices become Science Fiction, there was an Admin who wanted to train himself in Solaris Packaging.
He wrote a script which made his Lord a Legend ;-)
Now, let's shed some light on it.

The script takes the .ssh folder files of a specified user on a template machine and turns them into the root user's .ssh folder on the target host. It also changes the configuration in the /etc/default/login and /etc/ssh/sshd_config files.
Do not try this at (production) home!

# ./rootbox.sh
Generating package files
prototype
pkginfo
checkinstall
postinstall
postremove
login.sed
sshd_config.sed
Making package MMWrootbox.1.0.i386.pkg [/tmp]
success
Translating package format to a datastream
success
# cd /tmp
# pkgadd -d MMWrootbox.1.0.i386.pkg

The following packages are available:
1 MMWrootbox Root box
(i386) 1.0

Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,??,q]:

Processing package instance from

Root box(i386) 1.0
Marcin Marian Wisnios
## Executing checkinstall script.
## Processing package information.
## Processing system information.
## Verifying disk space requirements.
## Checking for conflicts with packages already installed.
## Checking for setuid/setgid programs.

This package contains scripts which will be executed with super-user
permission during the process of installing this package.

Do you want to continue with the installation of [y,n,?] y

Installing Root box as

## Installing part 1 of 1.
/root/.ssh/authorized_keys
[ verifying class ]
Modifying /etc/default/login
Modifying /etc/ssh/sshd_config
[ verifying class ]
## Executing postinstall script.

Installation of was successful.
# date;svcs -x ssh| grep -i state
Sun Nov 22 08:50:57 CET 2009
State: online since Sun Nov 22 08:50:42 2009
# diff /etc/ssh/sshd_config /tmp/rootbox.bak/sshd_config
128c128
< PermitRootLogin without-password
---
> PermitRootLogin no
# diff /etc/default/login /tmp/rootbox.bak/login
18c18
< #CONSOLE=/dev/console
---
> CONSOLE=/dev/console
# pkginfo MMWrootbox
system MMWrootbox Root box
# pkginfo -l MMWrootbox
PKGINST: MMWrootbox
NAME: Root box
CATEGORY: system
ARCH: i386
VERSION: 1.0
BASEDIR: /
VENDOR: Marcin Marian Wisnios
DESC: Methods and keys to allow remote root user access
PSTAMP: 20091122085002
INSTDATE: Nov 22 2009 08:50
EMAIL: wisnios@gmail.com
STATUS: completely installed
FILES: 4 installed pathnames
2 shared pathnames
1 directories
3 blocks used (approx)

# pkgrm MMWrootbox

The following package is currently installed:
MMWrootbox Root box
(i386) 1.0

Do you want to remove this package? [y,n,?,q] y

## Removing installed package instance

This package contains scripts which will be executed with super-user
permission during the process of removing this package.

Do you want to continue with the removal of this package [y,n,?,q] y
## Verifying package dependencies in global zone
## Processing package information.
## Removing pathnames in class
Modifying /etc/ssh/sshd_config
Modifying /etc/default/login
## Removing pathnames in class
/root/.ssh/authorized_keys
/root/.ssh
## Executing postremove script.
## Updating system information.

Removal of was successful.
# svcs -x ssh|grep -i state; date
State: online since Sun Nov 22 08:52:33 2009
Sun Nov 22 08:52:50 CET 2009
# diff /etc/ssh/sshd_config /tmp/rootbox.bak/sshd_config
# diff /etc/default/login /tmp/rootbox.bak/login
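The two diffs above are the whole footprint of the package on the configuration: PermitRootLogin goes from no to without-password, and the CONSOLE= line in /etc/default/login gets commented out. The following check is an added example (not part of rootbox.sh or the post) that reports exactly those two settings, so a box that has had the package installed, or anything like it, stands out in an audit. The sample files it builds are constructed to mirror the before/after states shown in the diffs.

```shell
# audit_root_access SSHD_CONFIG LOGIN_DEFAULTS
# Checks the two settings the rootbox package flips: PermitRootLogin in
# sshd_config (the first uncommented occurrence is the one sshd honours) and
# the CONSOLE= line in /etc/default/login, which, when set, restricts root
# logins to that device. Returns 0 when both still block remote root access,
# 1 when either has been relaxed. Added example, not part of the post's package.
audit_root_access() {
    sshd_conf=$1
    login_def=$2
    rc=0

    prl=$(awk 'tolower($1) == "permitrootlogin" && !seen { v = $2; seen = 1 }
               END { print (seen ? v : "absent") }' "$sshd_conf")
    case $prl in
        no) echo "sshd_config: PermitRootLogin no (ok)" ;;
        *)  echo "sshd_config: PermitRootLogin $prl (not explicitly disabled)"
            rc=1 ;;
    esac

    if grep '^CONSOLE=.' "$login_def" >/dev/null; then
        echo "login: CONSOLE restriction active (ok)"
    else
        echo "login: CONSOLE restriction disabled (root may log in from any terminal)"
        rc=1
    fi
    return $rc
}

# make_samples DIR: writes constructed before/after copies of the two files,
# mirroring the diffs from the pkgadd/pkgrm session above.
make_samples() {
    printf 'Protocol 2\nPermitRootLogin no\nPasswordAuthentication yes\n' > "$1/sshd_config.before"
    printf 'Protocol 2\nPermitRootLogin without-password\nPasswordAuthentication yes\n' > "$1/sshd_config.after"
    printf '# login defaults (constructed)\nCONSOLE=/dev/console\nPASSREQ=YES\n' > "$1/login.before"
    printf '# login defaults (constructed)\n#CONSOLE=/dev/console\nPASSREQ=YES\n' > "$1/login.after"
}

demo_audit() {
    d=$(mktemp -d) || return 1
    make_samples "$d"
    echo "== before pkgadd =="
    audit_root_access "$d/sshd_config.before" "$d/login.before" && echo "-> no findings"
    echo "== after pkgadd =="
    audit_root_access "$d/sshd_config.after" "$d/login.after" || echo "-> findings present"
    rm -rf "$d"
}

demo_audit
```

On a live system run `audit_root_access /etc/ssh/sshd_config /etc/default/login`; `pkginfo | grep -i root` alongside it shows whether the change arrived as a package, as it does here, or was made by hand.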


http://cs-tools.googlecode.com/files/rootbox.sh

Enjoy.

20091028

Paranoid

So, have you ever seen the Solaris 10 boot process, line by line?
I'm not talking about the kernel's -m verbose mode, which only shows the particular SMF identifiers.
Have you ever wondered why the boot process hung, and what the cause was?

The Wisnios way is as follows.
I've decided to replace the master restarter binary with a shell script.

# mv /lib/svc/bin/svc.startd /lib/svc/bin/svc.startdd
# vi /lib/svc/bin/svc.startd

#!/bin/sh
truss -fa -t exec /lib/svc/bin/svc.startdd

# chmod 555 /lib/svc/bin/svc.startd
# chgrp sys /lib/svc/bin/svc.startd

You could also choose a more verbose mode by adding the -e switch to the truss command.
The truss -f option follows all fork/vfork children, -a shows the argument strings within the exec() calls, and -e shows the environment variables (for example SMF_FMRI).

Other traces are limited only by your imagination.
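The wrapper above swallows any arguments the real svc.startd was started with and sends the trace to the console. The helper below is an added example (not the post's script) that generalises the trick: it renames the program, installs a /bin/sh wrapper that passes the arguments through with "$@", and can undo itself. The ".real" suffix and the use of env as a stand-in tracer in the demo are this example's choices; on Solaris you would pass truss and its options, including -o so the trace goes to a file. Note that pkgchk -p on the wrapped path will report the file as modified, which is also how you would notice someone else having done this to a system binary.

```shell
# trace_wrap PROGRAM TRACER [TRACER_ARGS...]
# Moves PROGRAM to PROGRAM.real and installs a /bin/sh wrapper in its place
# that execs the real binary under TRACER, passing the caller's arguments
# through with "$@". trace_unwrap PROGRAM puts the original back.
# Added example generalising the post's svc.startd trick; ".real" is this
# example's suffix. Solaris usage would be:
#   trace_wrap /lib/svc/bin/svc.startd truss -fa -t exec -o /var/tmp/startd.truss
#   chgrp sys /lib/svc/bin/svc.startd     # as the post does
trace_wrap() {
    prog=$1; shift
    [ -f "$prog.real" ] && { echo "trace_wrap: $prog already wrapped" >&2; return 1; }
    mv "$prog" "$prog.real" || return 1
    cat > "$prog" <<EOF
#!/bin/sh
# tracing wrapper installed by trace_wrap; trace_unwrap restores the original
exec $* "$prog.real" "\$@"
EOF
    chmod 555 "$prog"
}

trace_unwrap() {
    [ -f "$1.real" ] || { echo "trace_unwrap: $1 is not wrapped" >&2; return 1; }
    mv -f "$1.real" "$1"
}

# demo_trace_wrap: wraps a constructed stand-in program using env as a
# do-nothing "tracer", shows that arguments pass through, then restores it.
demo_trace_wrap() {
    d=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho "real:$*"\n' > "$d/prog"
    chmod 755 "$d/prog"
    trace_wrap "$d/prog" env
    "$d/prog" one two          # prints real:one two, via the wrapper
    trace_unwrap "$d/prog"
    "$d/prog" three            # prints real:three, original restored
    rm -rf "$d"
}

demo_trace_wrap
```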

20090924

rmdom.pl

I've just started a Google Code project called cs-tools (Commandline Support Tools).
It will be a container for my set of scripts supporting the administration of Sun Java Communications Suite components.
Project Home: http://code.google.com/p/cs-tools/

There's also the first Perl program, rmdom.pl, which you can use to simplify the deletion and purge of a hosted domain.

Sample session:

# perl rmdom.pl
fe : frontend.localdomain
be : backend.localdomain
ldap: ldap.localdomain:389
%%%%%%%%%%%%%%%%%%%%%%%%%%
bind dn: cn=dirmgr
bind passwd:
domain: rmdom.pl
mail domain ok
cal domain ok
active users: 2
active groups: 1
are you sure (yes to confirm)? yes
domain deleted
domain purged

Enjoy.

20090922

DateTime set: Object cannot be written

Very recently (about fifteen minutes ago) I had to fix the time from the ELOM level of a Sun Fire X2200.
It couldn't be done there, because:

/SP/AgentInfo -> show

/SP/AgentInfo
Targets:
PEF
PET
SEL
console
mail
SNMP

Properties:
[...]
DateTime = 01/03/1970-02:56:23
[...]

/SP/AgentInfo -> set DateTime="09/22/2009-00:22:00"
set: Object cannot be written

So, this is where ipmitool can be used.
ipmitool needs three kernel modules to be loaded:
* ipmi_si
* ipmi_devintf
* ipmi_msghandler

The time can be adjusted with the time set argument of ipmitool's sel (System Event Log) subcommand.
Sample Linux command line session:

# ipmitool sel time get
Could not open device at /dev/ipmi0 or /dev/ipmi/0: No such file or directory
Get SEL Time command failed
# lsmod | grep ipmi
# modprobe ipmi_devintf
# modprobe ipmi_si
# lsmod | grep ipmi
ipmi_si 57164 0
ipmi_devintf 20624 0
ipmi_msghandler 50680 2 ipmi_si,ipmi_devintf
# ipmitool sel time get
01/01/1970 22:07:22

# ipmitool sel time set "09/22/2009 00:22:00"

# ipmitool sel time get
09/22/2009 00:22:03

20090703

Arming Messaging Server

Today I've got three recipes to restrain unwanted malicious user activity.
All of them are related to mappings file rules.

First, I want to prohibit all unauthenticated users from sending email.
It can be achieved with the following line in the FROM_ACCESS table:

TCP|*|25|*|*|SMTP*|*|tcp_local|*@*|* $C$}$6,_canonical_name_{$N$ -$ Authentication$ required$ when$ sending$ with$ this$ envelope$ sender$ domain$E


The second step is to block attempts to fake the From header after successful authentication
(for example, using a stolen password, or using a personal account in a negative manner).
I've prepared the suitable lines, also in the FROM_ACCESS table:

*|SMTP*|*|tcp_auth|*@*|*@$4* $Y
*|SMTP*|*|tcp_auth|*@*|*@* $N$_Sender$ address$ rejected$ for$ $4

They reject use of the tcp_auth channel when the domain of the authenticated account differs from the one used within the From header.

The third method takes advantage of the check_metermaid.so library (included in the Messaging Server installation).
MeterMaid can be used to throttle aggressive usage of the mail server.
I've used two rules (to block them all ;-) ).
The first one restricts the number of connections (15) per unit of time (60 s).
It's assigned under the PORT_ACCESS table:

*|*|*|*|* $C$:A$[/opt/sun/comms/messaging64/lib/check_metermaid.so,throttle,ext_throttle,$3]$N421$ Connection$ declined$ at$ this$ time$E

Related thresholds are defined with the configutil command or by editing msg.conf:

metermaid.config.secret = [your shared secret to authenticate incoming connections]
metermaid.config.serverhost = [host name or ip address of your metermaid server]
metermaid.table.ext_throttle.data_type = string
metermaid.table.ext_throttle.options = nocase
metermaid.table.ext_throttle.quota = 15
metermaid.table.ext_throttle.quota_time = 60

Ex.

# configutil -o metermaid.config.serverhost -v somehost.somedomain
# configutil -o metermaid.config.secret -v somesecret
and so on...

ext_throttle is your throttling table name; it must be the same in the mappings and msg.conf files.

The second rule restricts the total number of recipients a user may send to (I've used the same limit values, but you could add another throttle table with the required thresholds).
It should be added within the ORIG_SEND_ACCESS mapping table:

tcp_auth|*|*|* $C$[/opt/sun/comms/messaging64/lib/check_metermaid.so,throttle,ext_throttle,$0]$NExcessive$ email$ sent$ -$ Please$ try$ again$ later$E

So, run imsimta cnbuild && imsimta restart and...

[...]
235 2.7.0 LOGIN authentication successful.
250 2.5.0 Address Ok.
250 2.1.5 marcin.wisnios@somedomain OK.
354 Enter mail, end with a single ".".
250 2.5.0 Ok.
250 2.5.0 Address Ok.
250 2.1.5 marcin.wisnios@somedomain OK.
354 Enter mail, end with a single ".".
250 2.5.0 Ok.
250 2.5.0 Address Ok.
250 2.1.5 marcin.wisnios@somedomain OK.
354 Enter mail, end with a single ".".
250 2.5.0 Ok.
[...]
250 2.5.0 Address Ok.
250 2.1.5 marcin.wisnios@somedomain OK.
354 Enter mail, end with a single ".".
250 2.5.0 Ok.
250 2.5.0 Address Ok.
550 5.7.1 Excessive email sent - Please try again later: marcin.wisnios@somedomain
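To make the quota = 15 / quota_time = 60 thresholds concrete, here is an added example (not from the post, and not MeterMaid's code) that models a throttle table in awk: it reads constructed event lines of the form "EPOCH KEY", where KEY is the client address the PORT_ACCESS rule passes as $3 or the sender the ORIG_SEND_ACCESS rule passes as $0, and prints allow or deny per event using a sliding window of quota_time seconds per key. MeterMaid's own accounting lives inside check_metermaid.so and may differ in detail (for example fixed rather than sliding windows); the point is to see where the 16th hit inside 60 seconds turns into the 421 or 550 above.

```shell
# throttle_check QUOTA QUOTA_TIME < events
# Reads time-ordered lines "EPOCH KEY" and prints "EPOCH KEY allow|deny".
# A key gets at most QUOTA allowed hits in any QUOTA_TIME-second window;
# denied hits are not counted, so a blocked client does not extend its own
# penalty. Added example modelling the MeterMaid throttle thresholds; the
# real accounting in check_metermaid.so may differ.
throttle_check() {
    awk -v quota="$1" -v window="$2" '
    {
        t = $1; k = $2
        # keep only this key'"'"'s hits that are still inside the window
        n = 0
        for (i = 1; i <= cnt[k]; i++)
            if (hits[k, i] > t - window) hits[k, ++n] = hits[k, i]
        cnt[k] = n
        if (cnt[k] >= quota) { print t, k, "deny" }
        else { hits[k, ++cnt[k]] = t; print t, k, "allow" }
    }'
}

# demo_throttle: constructed events for one client (10.0.0.5) connecting 16
# times in 16 seconds, an unrelated client (192.0.2.9), and a late retry 70 s
# after the burst started, checked against the post'"'"'s 15-per-60-s limits.
demo_throttle() {
    {
        echo "1000 192.0.2.9"                      # other client, counted separately
        i=0
        while [ $i -le 15 ]; do
            echo "$((1000 + i)) 10.0.0.5"          # 16 connections, 1000..1015
            i=$((i + 1))
        done
        echo "1070 10.0.0.5"                       # enough early hits have expired
    } | throttle_check 15 60
}

demo_throttle
# 1000..1014 allow, 1015 deny, 1070 allow for 10.0.0.5; 192.0.2.9 allow
```

Feed it real data with something like `awk '{print epoch, ip}'` over your connection log to see which clients the PORT_ACCESS rule would have declined before you enable it.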

Enjoy.

20090623

Disable IPv6 in OpenSolaris 2009.06

I always want the system to work the way I like it. That means running only the things I really need.
I do not want the IPv6 protocol stack when it's useless.

Here is a short recipe for how it can be achieved.

First, remove IPv6 from the network auto-magic interface configuration.
Add the following entry to the /etc/nwam/llp file:

e1000g0 noipv6 dhcp

Now, you can permanently disable ndp with:

svcadm disable ndp

It isn't persistent across reboots without the modification of /etc/nwam/llp.

The second step is not so obvious. Some people on the OpenSolaris team want it / like it / need it. I don't care.
I want it disabled.
The loopback inet6 interface is plumbed from inside the /lib/svc/method/net-loopback method of the SMF service svc:/network/loopback:default.
I replaced the original call with an if condition that checks for an IPv6 entry in /etc/inet/hosts:

# IPv6 loopback: plumb lo0 inet6 only if /etc/inet/hosts carries a ::1 entry
if egrep "^::1" /etc/inet/hosts >/dev/null 2>&1; then
    /sbin/ifconfig lo0 inet6 plumb ::1 up
fi
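The egrep "^::1" test matches any line starting with ::1, including a commented-out entry or an address such as ::10. As an added example (not part of the post or of the net-loopback method), here is a stricter version of the condition that compares the first whitespace-separated field and skips comment lines; the hosts files in the demo are constructed.

```shell
# hosts_has_ipv6_loopback HOSTS_FILE
# Returns 0 when HOSTS_FILE has an active (uncommented) entry whose address
# field is exactly ::1, the condition the patched net-loopback method keys on.
# Unlike egrep "^::1" it ignores comment lines and does not match other
# addresses that merely begin with ::1 (for example ::10).
# Added example; not part of the post.
hosts_has_ipv6_loopback() {
    awk '
        $1 ~ /^#/   { next }                 # comment line
        $1 == "::1" { found = 1; exit }      # exact address field match
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# In the net-loopback method it would replace the egrep test:
#   if hosts_has_ipv6_loopback /etc/inet/hosts; then
#       /sbin/ifconfig lo0 inet6 plumb ::1 up
#   fi

# demo_hosts_check: two constructed hosts files, one with an active ::1 entry
# and one with only a commented ::1 and an unrelated ::10 address.
demo_hosts_check() {
    d=$(mktemp -d) || return 1
    printf '127.0.0.1 localhost\n::1 localhost loghost\n' > "$d/hosts.v6"
    printf '127.0.0.1 localhost\n# ::1 localhost\n::10 v6-box\n' > "$d/hosts.v4"
    for f in hosts.v6 hosts.v4; do
        if hosts_has_ipv6_loopback "$d/$f"; then
            echo "$f: active ::1 entry, lo0 inet6 would be plumbed"
        else
            echo "$f: no active ::1 entry, lo0 inet6 stays unplumbed"
        fi
    done
    rm -rf "$d"
}

demo_hosts_check
```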

To polish the final result we should disable the sendmail IPv6 interface binding.
I commented out the relevant line of the /etc/mail/sendmail.cf file:

O DaemonPortOptions=Name=MTA-v4, Family=inet
#O DaemonPortOptions=Name=MTA-v6, Family=inet6

Enjoy.