SGI IRIX Post-Install Checklist
Here are all the steps I took to configure the new system (as root): | |
1. Secure the password file | |
cp /etc/passwd /etc/passwd.orig | |
# Set root's password | |
passwd | |
# Put * in the password field of all other accounts (an invalid hash, so | |
# no password can ever match and those accounts are locked) | |
vi /etc/passwd | |
2. New filesystems | |
# Create files for block devices (major and minor device numbers | |
# deduced from existing dks0d1s? files) | |
cd /dev/dsk | |
mknod dks0d1s3 b 22 35 | |
mknod dks0d1s4 b 22 36 | |
mknod dks0d1s5 b 22 37 | |
chmod go-r dks0d1s? | |
# Create files for character devices | |
cd /dev/rdsk | |
mknod dks0d1s3 c 22 35 | |
mknod dks0d1s4 c 22 36 | |
mknod dks0d1s5 c 22 37 | |
chmod go-r dks0d1s? | |
# Create filesystems | |
mkfs /dev/dsk/dks0d1s3 | |
mkfs /dev/dsk/dks0d1s4 | |
mkfs /dev/dsk/dks0d1s5 | |
# Add disks to fstab as /tmp, /usr/tmp, and /usr/local: | |
: /dev/dsk/dks0d1s3 /tmp efs rw,raw=/dev/rdsk/dks0d1s3 0 0 | |
: /dev/dsk/dks0d1s4 /usr/tmp efs rw,raw=/dev/rdsk/dks0d1s4 0 0 | |
: /dev/dsk/dks0d1s5 /usr/local efs rw,raw=/dev/rdsk/dks0d1s5 0 0 | |
vi /etc/fstab | |
# Create mount point for /usr/local | |
mkdir /usr/local | |
# Reboot single-user, clean out /tmp and /usr/tmp so there's no garbage | |
# hidden under the mount point, and reboot multi-user | |
3. Networking | |
# In vadmin, choose the networking tool and open the IRIS host. In the | |
# resulting dialog box, set the hostname, IP address, and hostname | |
# alias. Set TCP/IP to ON and click on Accept. | |
# | |
# Reopen the host (its icon should now have the name you just gave it), | |
# set the NIS domain name, and set Network Information Service | |
# to ON. Click on Accept to reboot the machine with NIS. | |
vadmin | |
cp /etc/hosts /etc/hosts.orig | |
# Remove the multicast group addresses from the hosts file and add an | |
# entry for the default gateway | |
vi /etc/hosts | |
cp /etc/config/netif.options /etc/config/netif.options.orig | |
# Remove the colon before if2name and use that line to set the first | |
# gateway interface to the host named above | |
vi /etc/config/netif.options | |
# Put the desired netmask and broadcast address in ifconfig-1.options | |
vi /etc/config/ifconfig-1.options | |
# List the desired hostresorder, nameservers, and domain in resolv.conf | |
# (see the man page for more details) | |
vi /usr/etc/resolv.conf | |
# Turn on NFS automounter | |
chkconfig automount on | |
# Use auto.direct map from NIS, and /net as mount point for hosts map: | |
: -v /net -hosts -intr,nosuid,nodev /- auto.direct | |
vi /etc/config/automount.options | |
# Turn off dynamic routing | |
chkconfig routed off | |
# Create a network.local script to set up a static default route: | |
: #!/bin/sh | |
: # | |
: # Site-dependent network configuration commands to add static | |
: # routes and publish ARP entries belong in this file, which is | |
: # the target of the K39network link in /etc/rc0.d and the | |
: # S31network link in /etc/rc2.d. | |
: # | |
: | |
: case "$1" in | |
: 'start') | |
: /usr/etc/route add net default #.#.#.# 1 | |
: ;; | |
: 'stop') | |
: /usr/etc/route delete net default #.#.#.# 1 | |
: ;; | |
: *) | |
: echo "Usage: $0 {start|stop}" | |
: ;; | |
: esac | |
vi /etc/init.d/network.local | |
chmod 755 /etc/init.d/network.local | |
ln -s /etc/init.d/network.local /etc/rc0.d/K39network | |
ln -s /etc/init.d/network.local /etc/rc2.d/S31network | |
# Reboot and confirm that routing is working properly: routed should | |
# not be running; netstat -r should show a default route; pinging hosts | |
# on the local and outside networks should work as expected | |
4. Aesthetics (optional) | |
# Report what it's doing during boot process | |
chkconfig verbose on | |
# Don't have xdm display icons for each user | |
chkconfig noiconlogin on | |
5. Security | |
# Record all login attempts, etc. (see login(1)): | |
: passwdreq | |
: lastlog | |
: syslog=all | |
vi /etc/config/login.options | |
# Fix known security holes | |
chmod u-s /usr/sbin/cdinstmgr /usr/bin/under | |
chmod g-s /usr/lib/expreserve | |
# Comment out /usr/bin/X11/xhost + | |
vi /usr/lib/X11/xdm/Xsession | |
# Change DisplayManager*authorize from "off" to "True" to enable | |
# MIT-MAGIC-COOKIE-1 authorization | |
vi /usr/lib/X11/xdm/xdm-config | |
# Change XLock.nolock resource from "true" to "false" | |
vi /usr/lib/X11/app-defaults/XLock | |
# Comment out exec (rexecd) and tftpd lines, and add logging options | |
# to applicable daemons: ftpd -lll, rshd -a -L, rlogind -a, fingerd -l, | |
# tftpd -l -s /usr/local/boot | |
vi /usr/etc/inetd.conf | |
killall -HUP inetd | |
# Create portmap.options file to enable logging: | |
: -v | |
vi /etc/config/portmap.options | |
# Create ftpusers file to deny ftp access to privileged accounts: | |
: root | |
: sysadm | |
: diag | |
: daemon | |
: bin | |
: uucp | |
: sys | |
: adm | |
: lp | |
: nuucp | |
: demos | |
: tutor | |
: tour | |
: guest | |
: 4Dgifts | |
: nobody | |
: oper | |
vi /etc/ftpusers | |
5. Mail system | |
cp /usr/lib/aliases /usr/lib/aliases.orig | |
# Uncomment +:+ line to incorporate aliases from NIS | |
vi /usr/lib/aliases | |
mv /usr/lib/sendmail.cf /usr/lib/sendmail.cf.orig | |
cp /usr/lib/sendmail.cf.auto /usr/lib/sendmail.cf | |
/etc/init.d/mail | |
# In response to prompts, supply forwarder and | |
# rootdomain | |
/usr/etc/configmail setup | |
# Notes: | |
# Still need to modify sendmail setup to hide local hostname. | |
# Arrange to mount shared mail spool once the MX record is in place, | |
# assuming this affects local as well as remote delivery--i.e., | |
# mail should be delivered only on the host where the mail spool | |
# resides locally. | |
6. Printing | |
/etc/init.d/bsdlpr stop | |
# Get printcap via ftp | |
# (get /usr/share/etc/printcaps/printcap /etc/printcap) | |
# so that the selection of printers will match | |
ftp | |
# Edit printcap to correct lwf spool directory; needs to be | |
# /usr/spool/lpd/lwf rather than /var/spool/lpd/lwf | |
vi /etc/printcap | |
# Make all the spool directories listed in printcap file | |
mkdir /usr/spool/lpd/{lwf,research,...} | |
/etc/init.d/bsdlpr start | |
# If necessary, add hostname to /etc/hosts.lpd on machines | |
# with printers | |
# (Note that this may not help until the host has been added to DNS) | |
7. Backups | |
# Remove the uucp and nuucp groups to avoid GID conflicts with other | |
# hosts; add the sysadmin group and a + to incorporate groups from | |
# NIS (including the operator group required for backups): | |
: sysadmin::14:root | |
: + | |
vi /etc/group | |
# Remove the adm, uucp, and nuucp users to avoid UID conflicts and add | |
# the oper account from NIS: | |
: +oper | |
# (Hopefully removing adm won't interfere with accounting, but this | |
# hasn't been tested) | |
vi /etc/passwd | |
# Change permissions and create the dumpdates file so that backups can | |
# be run from oper account | |
# | |
# Note that making dump setuid may allow anyone to read any file on | |
# the system, which would not be a great idea on a system using | |
# shadow passwords (or one with local home directories) | |
chgrp operator /dev/rdsk/dks0d1s? | |
chmod g+r /dev/rdsk/dks0d1s? | |
touch /etc/dumpdates | |
chgrp operator /etc/dumpdates | |
chmod g+w /etc/dumpdates | |
chmod u+s /usr/etc/dump | |
# Add important filesystems to full backup scripts | |
8. Miscellaneous | |
# Turn off timed so it won't conflict with NTP when it's installed | |
chkconfig timed off | |
# Change time zone; replace the default TZ line with: | |
: TZ=EST5EDT | |
vi /etc/TIMEZONE | |
# Create a hosts.equiv file granting password-less rsh/rlogin access to | |
# the other machines on our network (the all_systems netgroup): | |
: +@all_systems | |
vi /etc/hosts.equiv | |
# Have cdromd create an /etc/fsd.auto file specifying CD-ROM drives | |
# that should be automatically mounted | |
cdromd -o ro,nodev,nosuid -p /dev/scsi/sc0d4l0 /CDROM | |
# Create whatis database for man pages (for some reason the initial | |
# whatis database that comes with IRIX is messed up) | |
/usr/lib/makewhatis -M /usr/catman | |
# Modify root's crontab so SYSLOG file is rotated weekly; just remove | |
# the string `` && test "`wc -c SYSLOG`" -ge 10240'' from the line that | |
# moves SYSLOG to oSYSLOG | |
crontab -l > /usr/tmp/crontab | |
vi /usr/tmp/crontab | |
crontab /usr/tmp/crontab | |
rm /usr/tmp/crontab | |
# Make netlsd happy | |
chkconfig glb on | |
sync; sync; reboot | |
9. Accounts | |
# Add other accounts from NIS | |
vipw | |
10. Local software | |
cp /.cshrc /.cshrc.orig | |
# Add /usr/local/bin and /usr/local/etc to root's path, plus a few | |
# other additions: | |
: alias ls 'ls -CAF' | |
: | |
: # Remember last 100 commands | |
: set history = 100 | |
: | |
: set filec | |
: set path = (/usr/local/bin /usr/local/etc /usr/sbin /usr/bsd /usr/bin /bin /etc /usr/etc /usr/bin/X11) | |
vi /.cshrc | |
# Edit /usr/lib/X11/config/sgi.cf to use GNU install once it's installed | |
: #ifdef UseInstalled | |
: #define InstallCmd install | |
: #endif | |
vi /usr/lib/X11/config/sgi.cf | |
# Build and install important software: | |
# GNU install (BSD-style, required by many Makefiles) | |
# tcsh | |
# setchars | |
# vipw | |
# less | |
# xntp (add /etc/init.d/ntp file and /etc/rc2.d/S32ntp link) | |
# emacs | |
# groff (required if you want to use unformatted man pages!) | |
# arch | |
# perl | |
# fixutmp (run from cron to fix bugs in IRIX 4.0.5 utmp handling) | |
Security modifications to IRIX 4.0.5: | |
chmod -s /usr/sbin/cdinstmgr (a setuid shell script!) | |
comment out /usr/bin/X11/xhost + in /usr/lib/X11/xdm/Xsession and change | |
DisplayManager*authorize to True in /usr/lib/X11/xdm/xdm-config to enable | |
MIT-MAGIC-COOKIE-1 authorization | |
change XLock.nolock resource in /usr/lib/X11/app-defaults/XLock from true to | |
false so that xlock will actually lock the screen | |
add logging and security options to network daemons in /usr/etc/inetd.conf: | |
ftpd -lll, rshd -a -L, rlogind -a, fingerd -l, tftpd -l -s /usr/local/boot | |
add /etc/config/portmap.options file containing "-v" to enable logging | |
add /etc/config/login.options file containing passwdreq, lastlog, and | |
syslog=all | |
chmod g-s /usr/lib/expreserve | |
create /etc/ftpusers with all restricted accounts in it | |
inetd | |
The inetd(1M) server provided with IRIX 5.2 is just plain | |
broken. It seems to work reasonably well in its stock | |
configuration, but as soon as other services or TCP wrappers | |
are added to /etc/inetd.conf, inetd's behavior becomes | |
unpredictable. These problems have been discussed often on | |
Usenet (and Wietse Venema documents some of them in the | |
README.IRIX file that comes with version 7 of the TCP | |
wrappers distribution), so the problems aren't unique to our | |
site; but since they are very intermittent and difficult to | |
reproduce, I don't think SGI will be able to fix them any | |
time soon. | |
After trying several alternative versions of inetd, I | |
decided to use munetd(8) because it had a nice feature set, | |
including some decent logging capabilities. In keeping with | |
my local convention, the configuration file for munetd is | |
found in /local/adm/munetd/munetd.conf. | |
Unfortunately, that's not the end of the story. SGI | |
distributes an odd mountd(8) program that apparently | |
interacts with SGI's inetd in strange and undocumented ways. | |
I could not find any way to get mountd to work with munetd, | |
nor could I find an adequate replacement for SGI's mountd. | |
So I adopted the following (somewhat odd, but very practical) | |
solution: | |
All of the SGIs run munetd, with the mountd services | |
commented out in munetd.conf. Those machines that export file | |
systems (and therefore need to run mountd) run inetd in | |
addition to munetd, with all services in inetd.conf commented | |
out except for mountd. Thus each ``super-server'' daemon is | |
responsible for those services that it handles better than | |
the other. This is arguably a bad solution, but I wasn't | |
able to find a better one. | |