Enterprise Unix Roundup: The Value of Lean Years
"We're moving from a server company to an IT infrastructure company," said Sun Senior Vice President Larry Singer early this week, confirming the obvious and putting the company's impressive quarterly rollout in perspective as a reflection of a company that suffered and learned a few lessons some of its rivals somehow missed. We sum up Sun's bevy of announcements and ponder how high its chips will go once restacked. SCO litigation mania returned this week, and Free Software Foundation General Counsel Eben Moglen offers clear-headed and useful commentary for those still trying to make sense of it all. Admins seeking a simple tool to root out careless permissions will want to check out modefix.pl.
What was new with Sun's announcements this week? In a nutshell:
- The first of its Opteron-based Sun Fire servers, originally announced last November, are ready.
- It released updates for its UltraSPARC IV-based E servers for more high-end customers.
- Its original "Employee No. 1," co-founder Andy Bechtolsheim, was in effect rehired through the acquisition of Bechtolsheim's Kealia. The acquisition (which should be final within six months) will net Sun a company with competencies in Opteron-based servers that run Windows and Linux as well as Sun's own Solaris.
(The Kealia acquisition hints that Sun's desperate years did the company some long-term good. Injecting Windows expertise and some attendant diversity into its lineup positions Sun better than clinging only to Solaris would have.)
- Application support for the Java Enterprise System will continue to be expanded, while a reasonable "$100/user" licensing scheme is maintained.
Sun's hardware moves hit a nerve with rival HP, which, to date, doesn't have an Opteron strategy. Back in November, we wondered if HP might be second-guessing its heavy Itanium emphasis, and now we have an answer: "[...] it's too early to announce anything," said HP's director of portfolio marketing for enterprise servers and storage.
Read that as you will, but we read it as an admission that although much of the industry survived the dotcom bust by the skin of its collective teeth, some corners of it didn't learn a whole lot along the way.
Itanium was spawned during a go-go era premised on a limitless sky. Regardless of how you read the financial pages, though, discarding your old application base and hardware in favor of a new architecture during a bust that may or may not end in the next year is just silly. x86-64 might not be a top performer, but it's a good pick for cautious, guardedly optimistic times. Numbers are showing that, and projections for the platform's potential are strong.
Regardless of how its numerous shifts and course corrections of the past year play out, Sun deserves some recognition for suffering through a brutal downturn that made it briefly look like the Job of the tech industry, surviving, and seeming to learn something along the way.
In Other News
- SCO litigation mania ran high this week, with Novell moving to dismiss SCO's slander of title suit against it, and Free Software Foundation General Counsel Eben Moglen penning a devastating takedown of SCO's claim to exclusive ownership of UNIX. Moglen's bottom line is that SCO is in the unfortunate position of having to prove its ownership at all, making litigation over Linux licenses (some of which is due to be announced "Real Soon Now") a tough prospect in front of any judge aware that floating questions remain in other courts.
Moglen notes one of the more entertaining aspects of SCO's foundering legal ship:
"Many of the large, sophisticated enterprises who are the targets of SCO's efforts responded to their claims last summer by taking copies of the Linux program, under GPL, from SCO's own FTP server, where the code remained publicly available. They therefore have an auditable license from SCO to use, copy, modify and redistribute the code about which SCO continues to threaten legal action."
We're happy to certify Professor Moglen as a clear and useful voice for anyone trying to parse the SCO flap. The horse he has in this particular race is obvious, but his lucid rundowns of the issues are worth any 10 paranoid screeds claiming SCO is writing worms targeting its own servers to get sympathy.
- Dell launched a Linux-at-Dell Web log, complete with an RSS crawl for people who just can't subscribe to enough news feeds. Much of the material is fairly dry reading, but there are useful pointers to recent kernel patches that affect enterprise Dell and Linux users and links to assorted "Linux on Dell gear" fora.
- IBM made a lot of noise about a POWER4+-based supercomputer it built for a team of 12 engineers at the University of California at Irvine who will use it to predict climate changes 300 years out. The "Earth System Modeling Facility" will contain a cluster of seven IBM eServer p655 servers, each equipped with eight POWER4+ CPUs, as well as an IBM eServer p690. Two IBM xSeries 335 servers running Red Hat Linux and Sistina's Global File System will provide storage. The system will crank out 528 billion floating-point operations per second.
- OpenBSD is vulnerable to a remote denial-of-service attack when configured to process IPv6 traffic. FreeBSD isn't affected; no word yet on NetBSD.
- SGI released an update to its Advanced Linux Environment that fixes bugs found in its Red Hat base, such as recent issues with slocate, gaim, and mailman.
- Speaking of mailman, the mailing list software has been patched by a collection of other vendors, including Red Hat and Debian.
- Sun released an update to the bundled version of Apache found in Solaris 8 and 9. A buffer overflow in the Apache modules "mod_alias" and "mod_rewrite" could allow a local or remote unprivileged user to execute arbitrary code with the privileges of the Apache HTTP process.
Tips of the Trade
In recent weeks, with MyDoom and its sequels scorching a path across the Web and Microsoft releasing yet another "must download now" patch, talk has turned to Windows security problems. Microsoft, in fairness, knows the problems with its software and security: Every user is effectively and unwittingly a system administrator for his or her own machine. That's pretty problematic when the user isn't attuned to just what that job entails, and we don't envy the task in front of Microsoft.
In Unix-land, where the multiuser paradigm has been entrenched for much longer, and where multiuser setups are more common anyhow, the division between root and unprivileged users is more strictly maintained. SUSE Linux even goes so far as to make the root user's desktop wallpaper bright red with a picture of an exploding bomb. If you have any doubt about whether you should be logged in as the administrative user just to check your mail and do light housekeeping, the wallpaper is a pretty obvious tipoff.
This is not to say the users on a Unix system can't make life hard on themselves and the sys admin. One area ripe for potential trouble is the uncertainty end users have about how to best use the Unix groups/users/permissions security model.
More than once, we've seen users confronted with the desire to share a file with a friend over a Web server, or to work around nagging permissions issues, simply remove all protection from a file or directory with a quick chmod 777 * or similar.
In a perfect world, end users or junior admins on a system would read the fine man pages for chmod and chown, and draw conclusions such as "Maybe it's best if I limit access from outsiders to 'read only,'" or "Maybe I shouldn't make everything in my mail directory world-readable if I just need to share one attachment."
It also can't hurt to have a simple tool for rooting out careless permissions, and we came across modefix.pl. Modefix automates the process of finding files with questionable permissions and setting them to something safer.
There are ways to string together commands to do this, but modefix does a nice job of wrapping it all up into one handy package. In particular, check out the -v and -r switches, which provide a useful amount of feedback in terms of what files the script finds with improper permissions and a small report of what it changed as it ran on a given set of files.
If you've got a Unix server with users who are permitted access to the file structure for whatever reason (e.g., a Web development team or less-experienced junior admins), modefix won't provide a silver bullet, but it will allow you to look in periodically and make sure nothing's been left out where a malicious user can get at it.
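The kind of periodic check modefix automates, written out as an added shell example (this is not modefix.pl and not code from the column): it walks a directory tree for files and directories whose world-writable bit is set, the usual residue of a careless chmod 777 *, and on request clears just that bit and reports each change, much like the -v/-r feedback praised above. The starting directory, the helper names, the --fix flag and the sample tree built in the test are assumptions of this example; it uses only POSIX find and chmod.

```shell
#!/bin/sh
# Added example, not modefix.pl: audit a directory tree for world-writable
# entries and tighten them. The tree is assumed to be a user area such as a
# Web development directory, not the whole filesystem (the sticky /tmp would
# otherwise show up as a hit).

# List every file or directory under $1 whose "other" write bit is set.
# -xdev keeps the scan on one filesystem so it does not wander into NFS mounts.
report_world_writable() {
    find "$1" -xdev \( -type f -o -type d \) -perm -o+w -print
}

# Number of hits; a caller can use this to decide whether anything needs doing.
count_world_writable() {
    report_world_writable "$1" | wc -l | tr -d ' '
}

# Tighten: drop only the other-write bit, leaving owner and group permissions
# alone so a shared group workflow keeps working. Each path that was changed
# is printed, one per line, prefixed with "fixed: ".
fix_world_writable() {
    find "$1" -xdev \( -type f -o -type d \) -perm -o+w \
        -exec chmod o-w {} \; -print | sed 's/^/fixed: /'
}

# Usage (assumed command-line shape): perm-audit.sh DIR        report only
#                                     perm-audit.sh DIR --fix  report and tighten
main() {
    dir=$1
    if [ "${2:-report}" = "--fix" ]; then
        fix_world_writable "$dir"
    else
        report_world_writable "$dir"
    fi
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it in report mode first and read the list; a world-writable directory is a bigger problem than a world-writable file, since anyone on the box can then create or replace entries in it. Only after the list looks as expected should the --fix pass be run, and the "fixed:" lines kept as the record of what changed.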