Issue #17 March 2006

Ask Shadowman

Shadowman is waiting for Fedora Core 5. And he knows he's not the only one. It's coming any day now. Yes, sir... any day now.

When it comes, you'll know it, you Linux freaks. It'll hit you like a bus full of kernel developers. It'll make you weep with joy. It'll whiten your teeth and shrink your waistline. It's just about everything that is beautiful and pure in the free and/or open source world.

You want a nice steaming cup of free Java? It's in there. You want some sweet new candy for your eyeballs? Have a look-see. You want a security blanket to protect you from the big scary world? Snuggle up. You want to run machines inside of machines inside of machines like those Russian nesting dolls? Play to your heart's content.

Yes sir... any day now. Isn't the waiting the best part? Nothing like a little tension to keep things all tingly and exciting. You know what Shadowman's saying.

Got a question that you'd like Shadowman to answer? Ask him.

Vishal asked:

Please help me configure qmail to replace sendmail for Red Hat ES4.

To which Shadowman replies:

Vishal, there are some things that Shadowman can't help you with. Sadly, qmail is one of those things.

Not that qmail isn't great, because it is. Some of Shadowman's best friends run their mail servers on qmail; it's lightweight and speedy and powerful. A great little mail transfer agent.

Unfortunately, it's not quite... exactly... free.

See, here's the thing: Shadowman takes his software licensing pretty seriously. Whether it's licensed GPL or BSD, "free" or "open source", all of Shadowman's favorite software projects share one thing in common: they grant broad rights to their users, allowing them to use, modify, and redistribute the bits freely.

It's on that last point -- redistribution -- that qmail takes a different stand. The license for qmail is very particular, and specifically prohibits repackaged binary versions of qmail. That includes RPMs, and Debian packages too, for that matter -- which certainly annoys some people in the Debian community.

One thing's for sure, though: be sure to blast every trace of sendmail, or any other mail transfer agent, if you expect to get qmail to work.

edraper asked:

What is the default firewall shipped with Red Hat Enterprise Linux AS v.4? what is the service name so that I can check if it's running?

To which Shadowman replies:

Time to learn about iptables, Ed. And rather than bore you and other readers with lots of arcana, Shadowman will give you two simple answers.

Answer 1: the link to the iptables documentation for RHEL4.

Answer 2: as root, "/sbin/service iptables status".

An astute reader asked:

How does an ordinary user manage to use finger?

ls -l /usr/bin/finger
-rwx--x--x  1 root root 23088 Mar  4  2005 /usr/bin/finger

To which Shadowman replies:

Hoisted on his own petard again, Shadowman is.

A wise man once told Shadowman, many years ago, never to set executables as execute-only files -- "avoid the 111 permission, young Shadowman, because it will cause you nothing but grief in the long term," this wise man said to Shadowman. And Shadowman, ever the trusting soul, believed the wise man's counsel.

Years passed, and this wise counsel took on the patina of well-established truth. This truth was reinforced by the permissions of just about every bin directory that Shadowman ever came across.

But an alert reader points out the anomalous case of finger:

[shadowman@localhost bin]$ ls -l /usr/bin | grep x--x--x
-rwx--x--x   1 root root      19120 Mar  4  2005 finger
[shadowman@localhost bin]$ finger shadowmn 
Login: shadowmn                        Name: (null)
Directory: /home/shadowmn              Shell: /bin/bash
On since Mon Mar 13 08:00 (EST) on :0 (messages off)
On since Mon Mar 13 08:01 (EST) on pts/1 from :0.0
No mail.
To figure out why it is, exactly, that finger is the only application 
in /usr/bin with -rwx--x--x permissions.

So finger runs perfectly well, even though Shadowman doesn't actually have read permissions on finger. Hmm.

Obviously, Shadowman has become enamored with an utterly false truth. Witness Shadowman's new experiments in fact:

[root@localhost bin]# ls -l ls
-rwxr-xr-x  1 root root 91012 May 25  2005 ls
[root@localhost bin]# chmod 111 ls
[root@localhost bin]# ls -l ls
---x--x--x  1 root root 91012 May 25  2005 ls
[root@localhost bin]# 

All great truths raise more questions than they answer, though, and Shadowman is stumped. So Shadowman asks various smart people, "why is the permission for finger set to 711 by default, when the vast majority of applications are set to 755?" And various smart people answer, "Huh. Dunno. It works, though. Why do you care?"

Shadowman cares because Shadowman's entire foundation has been shaken, and now Shadowman has no choice but to consult a higher power -- his readers.

Shadowman asks his readers:

Why is the permission for finger set to 711 by default, when the vast majority of applications are set to 755?