Wandering Thoughts archives

2005-11-24

Solaris 9's slow patch installs

Yesterday was my first time installing the Solaris 9 recommended patch set on a production machine; we rolled it onto a basically unpatched server. Because it was a server, I did it in single user mode (the patch set recommends this, as some patches in the patch set say explicitly to apply them in single-user mode).

I already knew that installing the patch set was achingly slow on my test machine, but my test machine is an Ultra 10 so I wasn't surprised. The machine from yesterday was a Sunfire V210, which has modern CPUs and more importantly modern amounts of memory and fast SCSI disks.

It still took an hour.

There are 134 patches in the patch set, so Solaris was only able to average a patch every 26 seconds. Considering how much work a modern machine can do in 26 seconds, I believe I can safely say that the Solaris patch install system is hideously inefficient.

(And, as previously noted, it spews incomprehensible and alarming messages on the screen.)

Fortunately it doesn't demand I answer any questions during its run, so next time around I'll know to just go back to my office for a while. Still, an hour is an irritatingly long time to have a production server down in single-user mode.

SlowPatchInstalls written at 22:54:58

2005-11-19

Solaris 9 sendmail irritations

Here's how to give a system administrator a heart attack: the default Solaris 9 sendmail configuration apparently allows other machines that your Solaris machine thinks are in your local domain to relay through you. I say 'apparently' because there's nothing in the sendmail.mc about this, and nothing clear in the generated /etc/mail/sendmail.cf either.

In other fun discoveries, the default sendmail configuration is also set up to relay all your mail through a machine called 'mailhost' in your domain. We don't have such a machine in our subdomain here, so god knows where any administrative mail my test machine may have been trying to send for the past month or so may have wound up.

Solaris 9 was shipped in 2002, and Sun actually started to care about security by that point; for example, it ships with tcpwrappers. In 2002, I would have thought that Sun would know that any open relaying is a bad idea.

In fact it turns out that Solaris sendmail's default configuration has other dubious features, even for 2002: for example, it will happily accept MAIL FROM addresses without domains or with unresolvable domains. None of this is set visibly and explicitly in their supplied .mc files; it is hiding away in the 'solaris-generic' set of settings that those use.

The light at the end of the tunnel is that Solaris 9 actually includes another set of settings, 'solaris-antispam'; changing from 'solaris-generic' to these will give you much stronger settings. (These are in fact the default Sendmail settings, so Solaris deliberately shipped with a less secure, more open to spam and abuse sendmail configuration.)
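As an added illustration of the change described above (this is a constructed sendmail.mc, not the file Sun ships or anything from the blog), the whole difference is one DOMAIN() line; the permissive behaviour lives in the domain file the line pulls in, which is why nothing in the .mc itself looks alarming. The file names under /usr/lib/mail/domain and the OSTYPE/MAILER lines are what I assume a Solaris 9 sendmail.mc looks like.

```m4
divert(-1)
dnl Constructed example of a Solaris 9 sendmail.mc (assumed layout, not Sun's file).
dnl The only line that differs between the weak and the stricter configuration
dnl is the DOMAIN() line; everything the post complains about comes from the
dnl file that line includes, /usr/lib/mail/domain/<name>.m4.
divert(0)dnl
VERSIONID(`constructed example sendmail.mc')dnl
OSTYPE(`solaris2')dnl
dnl
dnl BEFORE: the shipped default. Relaying for the local domain, relaying via
dnl 'mailhost', and MAIL FROM without a domain or with an unresolvable one are
dnl all switched on inside solaris-generic.m4, not visibly here.
dnl DOMAIN(`solaris-generic')dnl
dnl
dnl AFTER: the stricter settings Sun also ships in the same directory.
DOMAIN(`solaris-antispam')dnl
dnl
MAILER(`local')dnl
MAILER(`smtp')dnl
```

The behaviour the post describes corresponds to sendmail's own `relay_entire_domain`, `accept_unqualified_senders` and `accept_unresolvable_domains` FEATUREs; which FEATURE lines each of Sun's two domain files actually contains is worth reading off the .m4 files on your own machine rather than taking on trust. After editing, the usual rebuild is `cd /usr/lib/mail/cf; /usr/ccs/bin/m4 ../m4/cf.m4 sendmail.mc > /etc/mail/sendmail.cf` followed by a sendmail restart. To confirm the relay behaviour rather than infer it, run `sendmail -bt`, set a client address with `.D{client_addr}192.0.2.10` (a constructed address outside your network), and run `check_rcpt someone@example.org`; with the antispam settings the ruleset should return a relaying-denied result instead of accepting the recipient.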

SolarisRelayingSendmail written at 00:34:18
