Most of the systems I look after are tightly locked down, and sit on the perimeter of a highly sensitive network. Various apps running on them include firewalls, proxy servers, and virus scanners. The apps are managed by a small group of security engineers, who for various reasons need root access. We are based in Australia.

A previous employee created a Jumpstart environment that, among other things, installed sudo and bash. When we switched to Solaris 8 a couple of years ago, I built a new Jumpstart environment, but essentially kept the user environments the same so as not to cause users too much pain. All user shells, and the default root shell, are set to bash. All kinds of weird things are set up through a byzantine maze of global initialization files. For instance, "rm, cp, and mv" are aliases and the umask for everyone is set to 0077 (no sharing). Some of these systems have managed to end up running in the en_AU locale, where apparently RE's and string matches are case insensitive.

As a consequence of these facts we end up with an environment that tends to break installation and patch scripts. Often it is not always obvious what has gone wrong, and why.

The latest thing to break was the installation script that comes with IWSS from TrendMicro. Here is how I fixed it:

1. I created an account called "install". Here is the configuration:

----snip--------snip--------snip--------snip--------snip----
# grep install /etc/passwd /etc/shadow
/etc/passwd:install:x:0:1::/opt/export_home/install:/usr/bin/sh
/etc/shadow:install:*LK*:::::365::
# cat /opt/export_home/install/.profile
LANG="C"
export LANG
umask 0022
#
----snip--------snip--------snip--------snip--------snip----

2. I ran "sudo su - install" to get a shell.

3. I then ran the Trend install script.

4. Voila! A flawless installation!

Notes:

In case you didn't notice, this is an alias for root. Because the password is locked, "su - install" won't work.

If you don't have, and don't want sudo (you should have it, and you do need it!) then you need to give the account a password. I suggest you do this immediately before you use it, and then immediately lock it when you have finished with it.

If you want a quiet and normal life (thanks Warren Zevon) then stick with the Bourne shell for this account. It's not going to suck in any weird aliases.

You should also use this environment when you are installing patches. The (relatively) permissive umask will kill those pesky "checkinstall" failures.

If I was doing this from scratch I just wouldn't touch the root environment at all and none of these problems would arise. However I have to run with the culture I inherited from my predecessor.

--
Russell Page.
Certified Solaris Network Administrator
Metaphors be with you.
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers

Received on Fri Jun 24 02:29:51 2005
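
The "install" account above is a second UID-0 entry whose safety depends on its shadow field staying locked. The following is an added example, not part of the original post: a Bourne-shell audit that lists every UID-0 account and flags any root alias that is not locked. The function names, the "toor" account and the hash placeholders are constructed for illustration.

```shell
# Added example: audit UID-0 accounts (root plus aliases such as "install")
# and report the state of each account's shadow password field.

# uid0_audit PASSWD SHADOW -> one "name:shell:state" line per UID-0 account
uid0_audit() {
    awk -F: '
        FILENAME == ARGV[1] { pw[$1] = $2; seen[$1] = 1; next }  # shadow file
        $3 == 0 {
            if (!($1 in seen))           state = "no-shadow-entry"
            else if (pw[$1] == "")       state = "empty-password"
            else if (pw[$1] ~ /^\*LK\*/) state = "locked"
            else                         state = "password-set"
            print $1 ":" $7 ":" state
        }
    ' "$2" "$1"
}

# unlocked_root_aliases PASSWD SHADOW -> prints UID-0 accounts other than
# "root" that are not locked; returns 1 if any exist, 0 otherwise.
unlocked_root_aliases() {
    found=$(uid0_audit "$1" "$2" |
        awk -F: '$1 != "root" && $3 != "locked" { print $1 }')
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# make_sample DIR: write constructed passwd/shadow files ("toor" and the
# hash placeholders are made up; the "install" lines mirror the post).
make_sample() {
    cat > "$1/passwd" <<'EOF'
root:x:0:1:Super-User:/:/usr/bin/bash
install:x:0:1::/opt/export_home/install:/usr/bin/sh
toor:x:0:1::/:/usr/bin/sh
daemon:x:1:1::/:
EOF
    cat > "$1/shadow" <<'EOF'
root:CONSTRUCTEDHASH:6445::::::
install:*LK*:::::365::
toor:CONSTRUCTEDHASH:6445::::::
daemon:NP:6445::::::
EOF
}

tmp=$(mktemp -d)
make_sample "$tmp"
uid0_audit "$tmp/passwd" "$tmp/shadow"
unlocked_root_aliases "$tmp/passwd" "$tmp/shadow" || echo "^ UID-0 alias not locked"
rm -rf "$tmp"
```

On a live system, call unlocked_root_aliases /etc/passwd /etc/shadow as root after any install session in which the account was given a temporary password; a non-zero exit means it was not re-locked.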