Enterprise Unix Roundup — Linux Looks Beyond SCO – page 2

Security Roundup

• SGI Advanced Linux Environment 3 Security Update #1 covers a lot of bugs, including problems with OpenSSL, ipsec-tools, squid, ethereal, Apache, and elfutils.
• Popular mailing list software Mailman has been patched for a bug that could allow malicious users to retrieve mailing list member passwords from the server. So far, just Mandrake and Conectiva have released fixes.
• Apple released a fix for the bug we reported last week, but security firm Secunia says not so fast. A variant on the bug remains unpatched. Secunia's CTO had some harsh words for Apple, which remains in the habit of issuing fairly terse and uninformative announcements when it releases a security patch — unlike most of the rest of the Unix world.

Tips of the Trade

The ability to script and automate any Linux/Unix system administration chore is the great strength of the *nix world. But it's also one of the greatest vexations because of the differences between the various Unix, BSD, and Linux distros. This leaves us admins with a host of unattractive choices: Do we script for portability, thereby surrendering power and functionality, or script to take advantage of shell and language features, dooming ourselves to writing mounds of specialized scripts? Or do we become experts at conditional statements, and craft towering edifices of intricately nested 'if-then-else-oh crap' constructs?

Cfengine (configuration engine) to the rescue! Cfengine groups PCs and servers into classes, then rolls out changes to an entire class. It's almost as easy as administering a single system. Dissimilar platforms and types of hardware can belong to the same class. When a new system joins a class, it is quickly brought into the same state as the others.

One of its nicest features is file-permissions monitoring and fixing. For example, to maintain correct permissions on Web server files, add the following lines to your cfagent.conf:

 
file:
# Fix permissions on Web pages, we are tired of 404 errors 
# from incorrect file permissions
/var/www/ owner=root group=root mode=0644 action=fixall recurse=inf

This particular feature has all kinds of uses, such as foiling mischief on important system files:

/etc/passwd mode=644 owner=root group=root action=fixall
/etc/group mode=644 owner=root group=root action=fixall
/etc/shadow mode=600 owner=root group=root action=fixall

If you don't want to wait for Cfengine to push these changes out at its scheduled time, you can activate them right away with:

# cfagent

Want to learn more? Steve Rader's Terse Guide to Cfengine offers an excellent introductory how-to tutorial. Additional documentation is also available at Cfengine's home page.

Carla Schroder writes the Tips of the Trade section of Enterprise Unix Roundup. She also appears on Crossnodes every Wednesday, and is the author of the site's popular Scripting Clinic, which deals with Unix/Linux scripting issues.

>> To Main
>> To Other News