Letters to the Editor

Various

Issue #38, June 1997

Readers sound off.

Where is the E-mail Address?

Just got my comp copies today of the 3/97 issue. Thanks very much. It's always a thrill getting those first copies of a published work.

I am very disappointed on one count, though. My e-mail address was removed from the short bio at the end (page 72). All my esteemed fellow authors included their e-mail addresses, so I assume it was an unconscious mistake on some editor's part. (Not to excuse it; careless mistakes are the most preventable and least forgivable variety in my book.)

Funny thing is, I'm decidedly unimpressed with authors who avoid interaction with their readers. They abdicate the stewardship of knowledge their work otherwise earned them. Now I'm involuntarily guilty of this very sin. The main reason I write articles is to try to make contact with forms of intelligent and enlightened life out there. I missed my chance this time. I guess my lesson for the next time is to insist on a review copy.

In all other respects, it's been a real pleasure working with you folks. Mary Webber, by the way, is wonderful. —Bob Stein bobstein@earthlink.net

Polygon Code

Much to my surprise, I found that in the article “A Point About Polygons” by Bob Stein in the March 1997 issue of Linux Journal, the code in Listing 2 (TESTPOLY.C) was specifically written for Turbo C and the DOS environment. As it was apparently coded back in 1995, one may assume that Stein has since discovered a more mature development platform, but I do hope this is not to be taken as a subtle shift of focus on the part of the editors of LJ. —Robert V. Schipper rvs@gol.com

Author Responds

Thanks for writing, Robert.

You're quite right, TESTPOLY.C was for the Borland/DOS environment. At Galacticomm we've been using Borland's command line development environment for some time, and we continue to do so for both the DOS and NT versions of Worldgroup. So at the time, it was convenient, taking me only an hour or two to use.

If you're hoping I've seen the light and started using Linux I'm afraid I'll disappoint you. Lately I've been using Microsoft's Visual C++ and Sun's Java for graphics programming. I assume my article was accepted for its Websmithing theme [Yes, that's why—Ed.]. —Bob Stein bobstein@earthlink.net

No Dialtone on Modem

I was reading the article titled “Setting Up UUCP” in issue 35, and noticed the author was wondering why his modem dials when there is no dial tone. I have discovered over the years that some modems return:

NO DIALTONE

while others return:

NO DIAL TONE

So, including a line:

chat-fail NO\sDIAL\sTONE

would probably solve his problem. —Scott Barker scott@mostlylinux.ab.ca

MostlyLinux

I am very disappointed that after twice sending information to you guys about my company (the second time was actually about a dozen copies of the same e-mail, sent every week or so until I finally got a reply), you still got it wrong. My company is MostlyLinux, but my entry in the Linux Journal 1997 Buyer's Guide lists me as “Calgary UNIX Users Group”, with my phone numbers, but with their snail-mail address instead of mine, and my e-mail address through them rather than through my own company.

This is going to cause confusion both for myself and the Group (with whom I volunteer, and on whose behalf I have dealt with SSC, which may have caused confusion on your part). I remain a loyal reader of Linux Journal (which I find very useful), but am very unhappy that I am going to have to deal with the problems this creates. For future reference, if you intend to publish another Buyer's Guide, please note that I am: —Scott Barker MostlyLinux, Inc. Voice Mail: 403-209-9406 Fax: 403-285-1399 E-mail: info@mostlylinux.ab.ca URL: http://www.mostlylinux.ab.ca

Craftwork Solutions

We just received our copy of the Linux Journal 1997 Buyer's Guide. I feel this type of effort is very good for the industry. Craftwork Solutions is focused on making Linux an accepted commercial solution for businesses. We are glad to see SSC make the effort to explain to the general public the benefits of using Linux.

What did trouble me came at the end of the issue. Craftwork Solutions announced back in Sept/Oct '96 our 2.2 release for both the Intel and Alpha architectures. We were across the aisle from SSC at Comdex in November '96, showing our 2.2 releases. Unfortunately, your table included only the out-of-date information on our 2.0 product.

You made room for both the 3.0 and 4.0 releases of Red Hat. I would have expected that at least our 2.2 information would have been used! Craftwork Solutions has advertised with LJ since 1995. I would very much like to understand how this oversight occurred.

Your publishing of our old data makes us look like a company that is not concerned about the direction of the industry and not interested in providing the best product and support to its customers. I personally take that very hard. My staff worked long weeks during the summer to have the new releases ready for Comdex.

I realize the information we filled out for you back in May '96 reflected the 2.0 product. What confuses me is that the Red Hat 4.0 wasn't available back in May '96 either. Please explain to me how this mixup occurred, and how we can prevent it from occurring in the future. —Lee Morse, Chief Technology Officer lmorse@craftwork.com Craftwork Solutions, Inc.

Data is Our Life

This was our first buyer's guide and we made some mistakes, but we learned from them and plan to have an even better issue next time. One of the things we are most concerned about is data gathering methods. For this issue, other than the sunsite listings, we printed only what was sent to us. If you did not send in updated information, we would not have updated it for you. Red Hat obviously did send in updated information. If you did send in updated information, then I apologize for the table not getting updated. Actually, in either case, I apologize. Next time, we'll include a check for the latest distributions in our procedure. We do know what the current distributions are.

File Locking Services

Mr. Kraft's comments in the March 1997 issue of Linux Journal, regarding Linux's lack of network file locking services, are dead on the mark; however, I would now like to make it publicly known that there is an ongoing development effort to provide a lockd and statd for Linux.

This effort is currently combined with an effort, led by Olaf Kirch, to revise major portions of the Linux NFS implementation. A kernel-space lockd, written by Olaf, and a user-space statd, initially written by me and then significantly modified by Olaf, are currently part of Olaf's NFS development distribution “snapshots”.

A developers' mailing list exists for people who wish to contribute to, or participate in the alpha/beta testing of, this development effort. The list address is lockd-statd@linux.nrao.edu, and the list's subscription address is majordomo@linux.nrao.edu. Current snapshots of the linux-nfs development code can be retrieved from the following anonymous FTP directories:

ftp.mathematik.th-darmstadt.de:/pub/linux/okir/dontuse/
linux.nrao.edu:/pub/people/linux/okir/dontuse/

There are currently plans to publish an introduction to network file locking, together with a description of the Linux implementation, in an upcoming issue of Linux Journal. In addition, I will be giving a short presentation on this subject at the April 1997 Linux Expo in Raleigh, North Carolina. —Jeff Uphoff juphoff@nrao.edu

Security Issues

If you are going to do a security article, get it right. People get cgi and suid programs wrong on their own without your printing an article that contains serious errors. A good article on cgi security would have been just what is needed. Unfortunately this wasn't it.

Let's take this:

exit(system("/home/foo/www/bin/counter.sh"));

If I run this handy provided example by doing:

cd HACKDIR
cp /bin/hash ./home
ln -s suidxi—program ./foo
IFS='/'
export IFS
./foo

I get a shell as the person it is setuid to.

Why? Because the system runs the command through the shell, and the shell uses IFS as its “white space” definition.

This is basic setuid security stuff.

The procmail-based example at least does use a magic cookie to stop fake mails. It has other bugs; notably, it forgets sendmail may deliver multiple mails in parallel using data, but then I guess it makes it plain it's just trying to show the trick, not do it right. —Alan Cox alan@cymru.net
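A hardened counterpart to the system() call criticized in the letter above, as an added example that is not part of the letter or of the article it discusses: the helper is started with execve() and a fixed environment, so no "sh -c" command line is parsed and the caller's IFS and PATH never reach the child. The function name run_clean and the environment values are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed environment for the child (assumed values). Nothing set by the
 * caller, such as IFS, PATH or LD_*, is inherited. */
static char *const clean_env[] = {
    "PATH=/usr/bin:/bin",
    "IFS= \t\n",
    NULL
};

/* Execute the program at absolute `path` with `argv`, without going
 * through system()/"sh -c". Returns the exit status, or -1 on failure. */
int run_clean(const char *path, char *const argv[])
{
    int status;
    pid_t pid;

    if (path == NULL || path[0] != '/')
        return -1;                      /* refuse relative paths */

    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(path, argv, clean_env);  /* only returns on error */
        _exit(127);
    }
    while (waitpid(pid, &status, 0) < 0) {
        if (errno != EINTR)             /* retry only if interrupted */
            return -1;
    }
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Path taken from the letter's example; the script must exist. */
    char *const argv[] = { "counter.sh", NULL };
    return run_clean("/home/foo/www/bin/counter.sh", argv) == 0 ? 0 : 1;
}
```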

On-Line Linux Users Group

Hi. I have been a longtime reader of LJ and it has been a great help to me, and I am sure that applies to many in the Linux Community! Now, my friends on the Net and I have also done something as a contribution to Linux which I thought would be interesting to you and helpful to your readers. We have created an On-Line Linux Users Group for people interested in learning more about Linux, providing help to other Linuxers, and promoting Linux:

http://www.linuxware.com/ —Peter Lazecky peter@linuxware.com