sudo loses environment variables

HPUX, linux, Solaris, UNIX

Tricky. When a user uses sudo to “su” to another user, certain environment variables will not remain.

From the man page:

Variables that control how dynamic loading and binding is done can be used to subvert the program that sudo runs. To combat this the LD_*, _RLD_*, SHLIB_PATH (HP-UX only), and LIBPATH (AIX only) environment variables are removed from the environment passed on to all commands executed. sudo will also remove the IFS, ENV, BASH_ENV, KRB_CONF, KRBCONFDIR, KRBTKFILE, KRB5_CONFIG, LOCALDOMAIN, RES_OPTIONS, HOSTALIASES, NLSPATH, PATH_LOCALE, TERMINFO, TERMINFO_DIRS and TERMPATH variables as they too can pose a threat. If the TERMCAP variable is set and is a pathname, it too is ignored. Additionally, if the LC_* or LANGUAGE variables contain the / or % characters, they are ignored. If sudo has been compiled with SecurID support, the VAR_ACE, USR_ACE and DLC_ACE variables are cleared as well. The list of environment variables that sudo clears is contained in the output of sudo -V when run as root.
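To see which variables in a shell would be affected before running a command under sudo, here is an added Python model of the rules quoted above. It is not sudo's own code and not part of the original post: the names and patterns are transcribed from the man page excerpt, the sample environment is constructed, and on a real host the authoritative list is whatever `sudo -V` prints when run as root.

```python
import os

# Rules transcribed from the sudo man page excerpt quoted above. This is an
# added model for prediction only, not sudo's own implementation.
REMOVED_PREFIXES = ("LD_", "_RLD_")
REMOVED_NAMES = {
    "SHLIB_PATH", "LIBPATH",                      # HP-UX / AIX only in real sudo
    "IFS", "ENV", "BASH_ENV",
    "KRB_CONF", "KRBCONFDIR", "KRBTKFILE", "KRB5_CONFIG",
    "LOCALDOMAIN", "RES_OPTIONS", "HOSTALIASES",
    "NLSPATH", "PATH_LOCALE",
    "TERMINFO", "TERMINFO_DIRS", "TERMPATH",
    "VAR_ACE", "USR_ACE", "DLC_ACE",              # only when built with SecurID
}


def strip_reason(name, value):
    """Return why sudo would drop this variable, or None if it is passed on."""
    if name.startswith(REMOVED_PREFIXES):
        return "controls dynamic loading/binding"
    if name in REMOVED_NAMES:
        return "named in sudo's removal list"
    if name == "TERMCAP" and value.startswith("/"):
        return "TERMCAP is a pathname"            # a capability string survives
    if (name.startswith("LC_") or name == "LANGUAGE") and ("/" in value or "%" in value):
        return "locale variable contains / or %"
    return None


def filter_environment(env):
    """Split a mapping into (kept, dropped); dropped maps name -> reason."""
    kept, dropped = {}, {}
    for name, value in env.items():
        reason = strip_reason(name, value)
        if reason is None:
            kept[name] = value
        else:
            dropped[name] = reason
    return kept, dropped


# Constructed sample environment (not captured from a real host).
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",
    "HOME": "/home/alice",
    "LD_PRELOAD": "/tmp/lib.so",
    "IFS": " ",
    "TERMCAP": "/etc/termcap",
    "LC_ALL": "en_US.UTF-8",
    "LANGUAGE": "en_US%",
}

if __name__ == "__main__":
    kept, dropped = filter_environment(SAMPLE_ENV)
    for name, reason in sorted(dropped.items()):
        print(f"dropped {name}: {reason}")
    print("survives:", ", ".join(sorted(kept)))
    # Same check against the live environment of this process:
    _, live = filter_environment(os.environ)
    print(f"{len(live)} variable(s) in this shell would not survive sudo")
```

Running it against `os.environ` is a quick way to explain why a script that works as the user breaks under `sudo` (for example because it relied on `LD_LIBRARY_PATH` or a `TERMINFO` setting); the fix is to pass such settings to the command explicitly rather than to relax the filtering.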


Solaris 10 mount point permissions are important

Solaris

rm: cannot determine if this is an ancestor of the current working directory

This is caused by an underlying mount point permission that is too strict (700). You can change the permissions on the mount point without unmounting the volume by using lofs creatively:

# create a temp directory to use as the lofs mount point

server1> mkdir -m 755 /fix-mnt 

# mount the directory which contains the mount point (its parent), not the mount point itself

server1> mount -F lofs -o nosub /users/zones/server1-z3/root/users/  /fix-mnt
server1> ls -ld /fix-mnt/mountpoint        # confirms the permissions are not 775
server1> chmod 775 /fix-mnt/mountpoint
server1> umount /fix-mnt
server1> rmdir /fix-mnt


Speed up metasync

Solaris

It’s amazing how slowly a resync happens with Solaris Volume Manager (SVM). You can dramatically reduce the time it takes to sync up your mirrors with SVM by adding a setting to /etc/system and rebooting.

set md_mirror:md_resync_bufsz = 1024

I’ve tried 2048 (the max) as well, but not as big a gain in speed, so I stick with 1024.

Harmless on “modern” Sun machines. Just don’t try this on your SPARC 20 or it may lock up on you. As long as you have >1GB of RAM you’ll probably be ok.


Increasing socket buffer size in Linux

linux

Got error message:
2008-02-25 16:53:21.944 Tangosol Coherence AE 3.2.2/371 (thread=Main Thread, member=n/a): UnicastUdpSocket failed to set receive buffer size to 1428 packets (2096304 bytes); actual size is 89 packets (131071 bytes). Consult your OS documentation regarding increasing the maximum socket buffer size. Proceeding with the actual value may cause sub-optimal performance.

Add this to /etc/sysctl.conf and reload with “sysctl -p”:

# increase the max socket buffer size settable using setsockopt()
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216

Check current values with “sysctl net.core.wmem_max”

RHEL 3
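The Coherence message comes from the application asking for a buffer with setsockopt() and reading back what the kernel actually granted. The following added Python script (not part of the original post, and not Coherence's code) repeats that probe so you can confirm whether the sysctl change took effect; the 2096304-byte request is taken from the log line above, and the halving on Linux is an assumption about how that kernel reports SO_RCVBUF.

```python
import socket
import sys

# The size Coherence asked for in the log line above: 1428 packets, 2096304 bytes.
COHERENCE_REQUEST = 2096304


def probe_receive_buffer(requested_bytes):
    """Request a UDP receive buffer of requested_bytes and return the size the
    kernel actually granted: the same setsockopt/getsockopt pair Coherence used."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, requested_bytes)
        return sock.getsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF)
    finally:
        sock.close()


def effective_bytes(granted_bytes):
    """Linux stores double the requested value (half is bookkeeping overhead)
    and getsockopt reports the doubled figure, so halve it there before
    comparing with the request; other Unixes report the number as set."""
    return granted_bytes // 2 if sys.platform.startswith("linux") else granted_bytes


def was_clamped(requested_bytes, granted_bytes):
    """True when the kernel ceiling (net.core.rmem_max on Linux) cut the request."""
    return effective_bytes(granted_bytes) < requested_bytes


def kernel_rmem_max():
    """Current net.core.rmem_max read from /proc (Linux only); None elsewhere."""
    try:
        with open("/proc/sys/net/core/rmem_max") as fh:
            return int(fh.read().strip())
    except OSError:
        return None


if __name__ == "__main__":
    granted = probe_receive_buffer(COHERENCE_REQUEST)
    print(f"requested {COHERENCE_REQUEST} bytes, kernel reports {granted}")
    print("clamped by the kernel ceiling:", was_clamped(COHERENCE_REQUEST, granted))
    ceiling = kernel_rmem_max()
    if ceiling is not None:
        verdict = "raise it" if ceiling < COHERENCE_REQUEST else "already sufficient"
        print(f"net.core.rmem_max = {ceiling} ({verdict})")
```

Run it once before and once after `sysctl -p`: with the default ceiling the script reports the request as clamped, and after raising `net.core.rmem_max` the granted size matches the request. Note that `rmem_max` governs receive buffers, which is the one this particular message complains about; `wmem_max` is the matching ceiling for send buffers.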


Port redirection using iptables

firewall, linux

A user did not have root access, but wanted his web server to appear to be listening on port 80. Came up with a nice way to redirect port 80 requests to another port, where he ran his web server.

iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8070
 

Creating a firedrill service group for Veritas Cluster

vcs

fdsetup-srdf2

We use SRDF replication here, and the fd-srdf script provided with the SRDF agent only copies over a small percentage of the resources in our service groups (no zones, no IPs, no Oracle resources, etc). I modified it to grab all of these things and copy them over. The special thing about this script is that it changes all the disk groups and mounts to diskgroup_fd resources for the names and mount points of a firedrill service group. Helps if you have >50 mount points like me.
