Painless installations: (Was SUMMARY: Weird behaviour ...)

From: Russell Page <russellpage_at_hotmail.com>
Date: Fri Jun 24 2005 - 02:29:23 EDT

Most of the systems I look after are tightly locked down, and sit on the 
perimeter of a highly sensitive network. Various apps running on them 
include firewalls, proxy servers, and virus scanners. The apps are managed 
by a small group of security engineers, who for various reasons need root 
access. We are based in Australia.

A previous employee created a Jumpstart environment, that among other things 
installed sudo and bash.

When we switched to Solaris 8 a couple of years ago, I built a new Jumpstart 
environment, but essentially kept the user environments the same so as not 
to cause users too much pain.

All user shells, and the default root shell are set to bash. All kinds of 
weird things are set up through a byzantine maze of global initialization 
files. For instance, "rm, cp, and mv" are aliases and the umask for everyone 
is set to 0077 (no sharing). Some of these systems have managed to end up 
running in the en_AU locale, where apparently RE's and string matches are 
case insensitive.

As a consequence of these facts we end up with an environment that tends to 
break installation and patch scripts. Often it is not always obvious what 
has gone wrong, and why. The latest thing to break was the installation 
script that comes with IWSS from TrendMicro.

Here is how I fixed it:
1. I created an account called "install". Here is the configuration:
----snip--------snip--------snip--------snip--------snip----
# grep install /etc/passwd /etc/shadow
/etc/passwd:install:x:0:1::/opt/export_home/install:/usr/bin/sh
/etc/shadow:install:*LK*:::::365::
# cat /opt/export_home/install/.profile
LANG="C" export LANG
umask 0022
#
----snip--------snip--------snip--------snip--------snip----
2. I ran "sudo su - install" to get a shell.
3. I then ran the Trend install script.
4. Voila! a flawless installation!

Notes:

In case you didn't notice, this is an alias for root.

Because the password is locked, "su - install" won't work. If you don't 
have, and don't want sudo (you should have it, and you do need it!) then you 
need to give the account a password. I suggest you do this immediately 
before you use it, and then immediately lock it when you have finished with 
it.

If you want a quiet and normal life (thanks Warren Zevon) then stick with 
the Bourne shell for this account. It's not going to suck in any weird 
aliases.

You should also use this environment when you are installing patches. The 
(relatively) permissive umask will kill those pesky "checkinstall" failures.

If I was doing this from scratch I just wouldn't touch the root environment 
at all and none of these problems would arise. However I have to run with 
the culture I inherited from my predecessor.

-- Russell Page.

Certified Solaris Network Administrator
Metaphors be with you.
Received on Fri Jun 24 02:29:51 2005
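
The settings described in the post above, as an added example that is not part of the original message: `env_findings` reports the umask, locale and alias conditions the post blames for broken installers, and `clean_run` starts a command with the same `LANG` and umask as the `install` account's `.profile`. The function names and the `PATH` value are assumptions, and neither function changes privileges, so an installer would still be started from a root shell obtained as in step 2.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and the PATH
# value are assumptions.

# Print one line for each setting the post blames for broken installers:
# a umask other than 022, a non-C locale, aliases on rm, cp or mv.
env_findings() {
    case $(umask) in
        022|0022) ;;
        *) echo "umask is $(umask), expected 022" ;;
    esac
    # LC_ALL overrides LANG when it is set and non-empty.
    loc=${LC_ALL:-${LANG:-C}}
    case $loc in
        C|POSIX) ;;
        *) echo "locale is $loc, expected C" ;;
    esac
    for c in rm cp mv; do
        if alias "$c" >/dev/null 2>&1; then
            echo "$c is aliased"
        fi
    done
}

# Run a command with the settings from the install account's .profile
# (LANG=C, umask 022). env -i drops the caller's other variables, the
# subshell keeps the umask change away from the calling shell, and
# aliases are not inherited by the child process.
clean_run() {
    (
        umask 022
        exec env -i LANG=C PATH=/usr/sbin:/usr/bin:/sbin:/bin "$@"
    )
}
```

Source the file, call `env_findings` to see what the current shell would hand to an installer, then pass the installer's path to `clean_run`.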