> Yuri Volobuev wrote:
>
> [lots of stuff about SGI incompetence, especially with regards to security.]
>
> I've recently been playing with our O2 too. I spotted the webdist.cgi problem
> immediately (by luck, it was the first script I bothered to look at). The
> presence of symlinks makes everything worse. There are dozens of them, some
> going outside the /var/www area. These point to other places (eg /usr/demos)
> with yet more links. I couldn't obviously find any that pointed to something
> as daft as /, but I did verify from another host on our network that it's
> possible to download SoftWindows95 from the O2 web server!
And the last thing we want is for SoftWindoze95 to spread.
> My initial idea for this was to disable external WWW access for now, and
> complete removal later. (We'd like it available to localhost (bugs and all)
> for a while just to have some fun with the demos :-)) Then I realised that I
> can't figure out how to disable it.
See the chkconfig man page. The scripts in /etc/init.d are keyed off
config files in /etc/config. The chkconfig command lets you manipulate
some of the /etc/config files to make it simpler to enable or disable
certain features. (You can also edit the files directly if you want.)
I think 'chkconfig outbox off' will disable the httpds. You can always
mangle the scripts in /etc/init.d directly too.
> There's the ACL stuff in
> /usr/ns-home/httpacl which apparently claims that the default is the deny
> anyone and allow localhost. I don't understand the file format though so I'm
> unsure of why this isn't working. The SGI documentation on such things simply
> refers me to ns-admin.
The moment I spotted all those httpds running on our Indys after I
upgraded them to IRIX 6.2, I just turned them all off and left them
off, except the one running on the actual web server, which was ours, not
SGI's. I didn't even bother taking a close look at them.
> So, I started ns-admin and connected to localhost:81. What a pile of cack - it
> just doesn't work! I can't get anything out of it other than the message "this
> requires netscape version 2 or above". It's just as well really as it had a
> default account of admin with no password. So now we haven't only got to be
> wary of which passwordless accounts they create in /etc/passwd, but in other
> places too. As for the version mismatch - I was using SGIs own web browser
> supplied on the system, so I simply put that down to bug ridden code.
Netscape is not SGI's code, but I won't contest the bug-ridden part. :)
> The bugs continue from there. It's not only the WWW stuff. I have a problem
> mounting NFS disks. I did my usual 'edit /etc/fstab' and cut and pasted my
> standard lumps in there. "mount -vat nfs" verified that it worked. However
> this isn't done on bootup. I haven't had time to see why yet, but I decided to
> use the "official" way using the file system manager GUI. This simply told me
> "The NFS subsystem is not installed on this machine". AGGHGH! If I get one
> more stupid BUGGY error then it's going out the window.
Uhm, careful. You didn't state whether or not you actually purchased NFS
for this machine. Yes, that's right: I said purchased. SGI holds the
distinction of being the only major UNIX workstation/server vendor I know
of that doesn't include NFS and NIS with the main OS distribution. Don't
bother searching your IRIX CD(s) for it: it's not there. You need to buy
it seperately. So if you haven't purchased it, then the error message is
correct: you don't have it installed. If you have purchased it, then you
probably need to do 'chkconfig nfs on' on order to activate it.
-Bill
-- ============================================================================= -Bill Paul (212) 854-6020 | System Manager, Master of Unix-Fu Work: wpaul@ctr.columbia.edu | Center for Telecommunications Research Home: wpaul@skynet.ctr.columbia.edu | Columbia University, New York City ============================================================================= "Now, that's "Open" as used in the sentence "Open your wallet", right?" =============================================================================