

****************************************************************************
TAKE NOTE: THIS DOCUMENT IS FOR USERS OF SOLARIS 10 OR HIGHER
Users with Solaris 8 or Solaris 9 must refer to an older document. Please follow this link for those instructions.
****************************************************************************


    Step 0 - Be Patched Up To Date

  I cannot stress this enough. You cannot expect your operating system to be at peak performance and stability if you do not perform regular software maintenance. You will need to apply the Solaris 10 Recommended patch set as a minimum. After that is complete you may then proceed.



    Step 1 - Install pkg-get

  To do much of anything you will need pkg-get on your system. Thanks to a few new features in the pkgadd command you can do this directly from the Blastwave.org site with no need for fancy footwork. Simply do the following :

# pkgadd -d http://www.blastwave.org/pkg_get.pkg
## Downloading...
..............25%..............50%..............75%..............100%
## Download Complete

The following packages are available:
  1  CSWpkgget     pkg_get - CSW version of automated package download tool
                   (all) 3.8.4

Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,??,q]:

Processing package instance <CSWpkgget> from <http://www.blastwave.org/pkg_get.pkg>

pkg_get - CSW version of automated package download tool(all) 3.8.4
You may use and copy this software without charge, as you see fit.
The software is copyright (C) Philip Brown, Nov 2000-2007

Dont forget to update /opt/csw/etc/pkg-get.conf with your nearest archive site.
 (or /etc/opt/csw/pkg-get.conf)
The default site ibiblio.org may or may not be slow for you!

The selected base directory </opt/csw> must exist before
installation is attempted.

Do you want this directory created now [y,n,?,q] y
Using </opt/csw> as the package base directory.
## Processing package information.
## Processing system information.
WARNING: setting mode of </opt/csw/bin> to default mode (755)
WARNING: setting mode of </opt/csw/etc> to default mode (755)
WARNING: setting mode of </opt/csw/share> to default mode (755)
WARNING: setting mode of </opt/csw/share/man> to default mode (755)
WARNING: setting mode of </opt/csw/share/man/man1m> to default mode (755)
   1 package pathname is already properly installed.
## Verifying disk space requirements.
## Checking for conflicts with packages already installed.
## Checking for setuid/setgid programs.

This package contains scripts which will be executed with super-user
permission during the process of installing this package.

Do you want to continue with the installation of <CSWpkgget> [y,n,?] y

Installing pkg_get - CSW version of automated package download tool as <CSWpkgget>

## Installing part 1 of 1.
/opt/csw/bin/pkg-get
/opt/csw/etc/pkg-get.conf.csw
/opt/csw/share/man/man1m/pkg-get.1m
/var/pkg-get/admin-fullauto
[ verifying class <none> ]
## Executing postinstall script.
Installing /opt/csw/etc/pkg-get.conf.csw to pkg-get.conf

**** IMPORTANT ****
A default configuration file for pkg-get has been created in
/opt/csw/etc/pkg-get.conf
You should edit it to change the 'site' configuration, to point to the
most appropriate mirror for you, from the list at
http://www.blastwave.org/mirrors

Installation of <CSWpkgget> was successful.
#

  Those of you who are very security conscious may choose to fetch the package manually and check its MD5 checksum before handing it to pkgadd. Here then is the link that you will need, and the value to compare against :

$ digest -v -a md5 pkg_get.pkg
md5 (pkg_get.pkg) = 4121665c56b38967124d618a379c45a2


    So download pkg-get software from here. n.b.: md5sum = 4121665c56b38967124d618a379c45a2


    Step 2 - Edit the pkg-get configuration file

  You may be located in Germany or the United States or Kalamazoo. In each of these cases you should edit the pkg-get configuration file so that software packages are fetched from a nearby source.

# vi /opt/csw/etc/pkg-get.conf

# Configuration file for "pkg-get"
# man pkg-get for details on the program
# This config file has been pre-customized for use with CSW packages.
# The latest set of CSW mirrors is always available at
#    http://www.blastwave.org/mirrors.html

# default site, in USA:
url=http://ibiblio.org/pub/packages/solaris/csw/unstable

  The other option is to use a Blastwave Mirror server near you and to ensure that the url in the /opt/csw/etc/pkg-get.conf reflects your choice.


    Step 3 - Install the complete wget package

  We will now use pkg-get to install the complete wget package along with all its dependencies.

Simply type the following :

# /opt/csw/bin/pkg-get -i wget

N O T E : do not be alarmed if you see a large amount of text streaming across your screen.
This is just pkg-get doing its job for you.

A complete log of what you can expect to see is here.


  You may now install GNOME and KDE and Mozilla and XFCE or SeaMonkey or anything else that you want.

  • To install GNOME :

    # pkg-get -i gnome

  • To install KDE :

    # pkg-get -i kde_gcc

  • To install Mozilla :

    # pkg-get -i mozilla

  • To install SeaMonkey :

    # pkg-get -i seamonkey



Note : By default you may be asked confirmation questions many many many times. This is very annoying when you are installing large suites of software like GNOME or KDE. Something that you should do is look at the man page for pkg-get (installed under /opt/csw/share/man) with the following command :

# man -M /opt/csw/share/man pkg-get

  If you actually read that man page you will find a section titled "MORE AUTOMATION" in which you will learn that you can configure pkgadd (the software package maintenance utility) to NOT ASK YOU these questions.

Simply do the following (you must be root for this) :

# cp -p /var/pkg-get/admin-fullauto /var/pkg-get/admin

Now you will be able to run a “pkg-get install foobar” and not get any questions about any of the dependencies of foobar. This makes life very easy. To install a massive package like GNOME you can type “# pkg-get -i gnome” and then walk away for a coffee. Everything will be done for you!



    Step 4 - Best Practices

  What I have to say here will be “Motherhood” statements at best. Really just a bit of advice if you are making the leap from Linux and wonder where to set the PATH for your users and things like that.

Firstly we need to talk about the root user.

Don't mess with the root user account!

That was less than clear so I guess I had better elaborate.

It seems to be common practice to change the root user's default shell.

Don't do that unless you have Solaris 10.

What I do recommend is that you change the root user's home directory location to /root and nothing more fancy than that. You can edit the /etc/passwd file and change the entry for the root user thus :

root:x:0:1:Super-User:/root:/sbin/sh

Be very diligent about creating the root user's home directory right away and ensure that it is only readable by the root user :

# mkdir /root
# chmod 700 /root
# chown root:root /root


Also, you may be wondering why you should not change the root user's default shell to bash. Simply put, any shell other than /sbin/sh will be a dynamically linked executable with dependencies. If you were to check /sbin/sh you would find that it is a standalone program :

$ ldd /sbin/sh
ldd: /sbin/sh: file is not a dynamic executable or shared object

That means that your machine can suffer some horrible disaster and still be able to function in single user mode, provided you can boot the kernel and get to a running shell as the root user. That is because the root user only needs /sbin/sh to have a fully functional shell. If you were to use bash or any other shell then you would need a stack of dependencies. Those dependencies may not exist if they are on some other file system or on a damaged file system.

Solaris 10 is different. Solaris 10 has a default Bourne Shell /sbin/sh that is not statically linked anymore. This was done intentionally when the single/multi threaded process model was unified and the statically linked libc was removed. Solaris 10 commands in /sbin should only link with things in /lib. There are symlinks in /usr/lib to /lib for some libraries for backwards compatibility reasons. In fact, Solaris 10 is so smart that both su and login will fall back to /sbin/sh if the shell you specify in /etc/passwd for root can not be executed for some reason. What I am saying here is that you can change root's shell in Solaris 10 and still sleep well at night.

Next item is the default PATH for the root user and regular users. You can set this in the files /etc/default/login and /etc/default/su. Please feel free to be pedantic and set PATH and SUPATH in both of those files to something useful thus :

PATH=/opt/csw/bin:/usr/sbin:/usr/bin:/usr/dt/bin:/usr/openwin/bin:/usr/ccs/bin

Really you can leave /opt/csw/bin out of there entirely if you want. The software from Blastwave is isolated in /opt/csw and will not interfere with your other software. You can use GNOME from somewhere else if you want. Your users can have their own .profile files that determine that they run JDS if they want.

On the other hand your users may place /opt/csw/bin first in their PATH and then will be running with the desktop software and applications from Blastwave. Again, this will be isolated. Don't be surprised if you have problems switching back and forth from different distributions of GNOME however. There are a lot of configuration files that get created in the users home directory and you can really only depend on them to work consistently when you stay on one edition of KDE or GNOME.



    Last Word - Security Concerns !

The software repository at Blastwave is built in such a fashion that each and every software package has a digital signature applied to it. That signature ensures that you are actually getting the software that we packaged and checked for you. If the signature does not match then you know that something has been tampered with. It's that simple.

Now how do you take advantage of these security precautions that we have put in place for you?

Let me take you through that step by step !


Install gnupg and md5(gmd5sum)

As the root user you need to use pkg-get to install gnupg and an md5 program.
[Solaris 10 comes with /usr/bin/digest which can do md5 checksums, but otherwise you will need to install the textutils package as well]


bash-3.00# /opt/csw/bin/pkg-get -i gnupg textutils
WARNING: gpg not found
NOTE: To have checksums compared, you must install one of: md5 or gmd5sum
      (gmd5sum is available with GNU textutils)
      try 'pkg-get install textutils'
.
{ Here you will see the license displayed as well as every action taken. }
.
.
.
{ You will now see a large number of dependencies installed. }
[ verifying class <none> ] Installation of <CSWtextutils> was successful.

At this point it is worthwhile to have a look in your /var/sadm/pkg directory to see the number of CSW packages that have been installed. If you see a list similar to this then you are doing well :

# ls -ladt /var/sadm/pkg/CSW*
drwxr-xr-x   4 root     root         512 May 10 19:55 /var/sadm/pkg/CSWtextutils
drwxr-xr-x   4 root     root         512 May 10 19:55 /var/sadm/pkg/CSWgnupg
drwxr-xr-x   4 root     root         512 May 10 19:54 /var/sadm/pkg/CSWperl
drwxr-xr-x   4 root     root         512 May 10 19:54 /var/sadm/pkg/CSWgdbm
drwxr-xr-x   4 root     root         512 May 10 19:53 /var/sadm/pkg/CSWbdb44
drwxr-xr-x   4 root     root         512 May 10 19:52 /var/sadm/pkg/CSWcurlrt
drwxr-xr-x   4 root     root         512 May 10 19:52 /var/sadm/pkg/CSWlibidn
drwxr-xr-x   4 root     root         512 May 10 19:51 /var/sadm/pkg/CSWtexinfo
drwxr-xr-x   4 root     root         512 May 10 19:51 /var/sadm/pkg/CSWgsed
drwxr-xr-x   4 root     root         512 May 10 19:51 /var/sadm/pkg/CSWncurses
drwxr-xr-x   4 root     root         512 May 10 19:49 /var/sadm/pkg/CSWreadline
drwxr-xr-x   4 root     root         512 May 10 19:49 /var/sadm/pkg/CSWbzip2
drwxr-xr-x   4 root     root         512 May 10 19:49 /var/sadm/pkg/CSWzlib
drwxr-xr-x   4 root     root         512 May 10 19:49 /var/sadm/pkg/CSWoldaprt
drwxr-xr-x   4 root     root         512 May 10 19:48 /var/sadm/pkg/CSWsasl
drwxr-xr-x   4 root     root         512 May 10 19:48 /var/sadm/pkg/CSWbdb4
drwxr-xr-x   4 root     root         512 May 10 19:47 /var/sadm/pkg/CSWlibnet
drwxr-xr-x   4 root     root         512 May 10 19:46 /var/sadm/pkg/CSWggettext
drwxr-xr-x   4 root     root         512 May 10 19:46 /var/sadm/pkg/CSWexpat
drwxr-xr-x   4 root     root         512 May 10 19:46 /var/sadm/pkg/CSWiconv
drwxr-xr-x   4 root     root         512 May 10 19:30 /var/sadm/pkg/CSWwget
drwxr-xr-x   4 root     root         512 May 10 19:30 /var/sadm/pkg/CSWossl
drwxr-xr-x   4 root     root         512 May 10 19:29 /var/sadm/pkg/CSWcommon
drwxr-xr-x   4 root     root         512 May 10 18:28 /var/sadm/pkg/CSWpkgget

You may have more CSW packages than those listed above as the CSWcommon package and a few others would have preceded CSWiconv. The short list above is a time ordered list of CSWgnupg and its dependencies. Here are a few details on what they are :

# ls -1 /var/sadm/pkg/ | grep CSW | xargs pkginfo
application CSWbdb4       berkeleydb4 - Embedded database libraries and utilities
application CSWbdb44      berkeleydb44 - embedded database libraries and utilities
application CSWbzip2      bzip2 - a high-quality block-sorting file compressor
system      CSWcommon     common - common files and dirs for CSW packages
application CSWcurlrt     curlrt - Library for common Internet protocols Runtime
application CSWexpat      expat - XML Parser Toolkit
system      CSWgdbm       gdbm - GNU dbm
system      CSWggettext   ggettext - GNU gettext
application CSWgnupg      gnupg - RFC 2440 compliant tool for secure communication and data storage. (gpg binary)
application CSWgsed       gsed - The GNU non-interactive text Stream-oriented EDitor (sed)
system      CSWiconv      libiconv - GNU iconv library
application CSWlibidn     libidn - Implementation of the Stringprep, Punycode and IDNA
system      CSWlibnet     libnet - the libnet packet construction library
application CSWncurses    ncurses - ncurses library and utilities
application CSWoldaprt    openldap_rt - OpenLDAP runtime libraries (oldaprt)
application CSWossl       openssl - The Open Source toolkit for SSL and TLS.
application CSWperl       perl - A high-level, general-purpose programming language.
system      CSWpkgget     pkg_get - CSW version of automated package download tool
system      CSWreadline   readline - library to enable interactive line editing
application CSWsasl       sasl - Simple Authentication and Security Layer
application CSWtexinfo    texinfo - The GNU Documentation System
system      CSWtextutils  textutils - GNU text file processing utilities
application CSWwget       wget - A network utility to retrieve files from the Web
application CSWzlib       zlib - Zlib Data Compression Library

Import the PGP public key

You need to carefully copy the PGP keyblock from the mirrors webpage and you need to ensure that you include everything from the BEGIN line to the END line. If your system has a connection to the internet then you can simply use wget to fetch the page with the command :

# /opt/csw/bin/wget --output-document=pgp.key http://www.blastwave.org/mirrors.html
--10:39:55--  http://www.blastwave.org/mirrors.html
           => `pgp.key'
Resolving www.blastwave.org... 131.188.30.245
Connecting to www.blastwave.org[131.188.30.245]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16,060 [text/html]

100%[====================================>] 16,060        52.41K/s

10:39:56 (52.33 KB/s) - `pgp.key' saved [16060/16060]

You should then have a file called pgp.key that contains the PGP public key.
Use the following command to import the PGP key :

# gpg --import pgp.key
gpg: /root/.gnupg: directory created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key E2F07E92: public key "Distribution Manager <dm@blastwave.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1

The end result of these actions will be a greater degree of software package security for your system.

WARNING : You will only get the added benefit of digital signature checking if your pkg-get.conf file is correctly configured. The following two lines must remain commented out (keep the leading #) in your /opt/csw/etc/pkg-get.conf file; uncommenting either one switches that check off :

#use_gpg=false
#use_md5=false


Proof - How do we know that this works ?

We at Blastwave are quite serious about security and quality and thus this digital signature process must be tested and demonstrated. In order to verify functionality we simply corrupt a package on our own internal mirror and then test thus :

First we record the checksum of the a2ps package :

# gmd5sum ./unstable/sparc/5.8/a2ps-4.13b-SunOS5.8-sparc-CSW.pkg.gz
a43455a32f2229a9ace1b111ef69df8a  ./unstable/sparc/5.8/a2ps-4.13b-SunOS5.8-sparc-CSW.pkg.gz

Then we add some garbage data to that package file :

# echo "barfoo-foobar" >> ./unstable/sparc/5.8/a2ps-4.13b-SunOS5.8-sparc-CSW.pkg.gz
# gmd5sum ./unstable/sparc/5.8/a2ps-4.13b-SunOS5.8-sparc-CSW.pkg.gz
1e111f60f994952dd1a3ad0cd0502383  ./unstable/sparc/5.8/a2ps-4.13b-SunOS5.8-sparc-CSW.pkg.gz

Lastly we try to install that package with another machine from our now corrupted mirror server :

# pkg-get -i a2ps
No existing install of CSWa2ps found. Installing...
Trying http://tester.blastwave.org/rsync/unstable/sparc/5.8/a2ps-4.13b-SunOS5.8-sparc-CSW.pkg.gz
a2ps-4.13b-SunOS5.8-sparc-CSW.pkg.gz-*: No such file or directory
--13:06:59--  http://tester.blastwave.org/rsync/unstable/sparc/5.8/a2ps-4.13b-SunOS5.8-sparc-CSW.pkg.gz
           => `a2ps-4.13b-SunOS5.8-sparc-CSW.pkg.gz'
Resolving tester.blastwave.org... 192.168.35.20
Connecting to tester.blastwave.org[192.168.35.20]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1,366,593 [text/plain]

100%[====================================>] 1,366,593    --.--K/s

13:06:59 (10.45 MB/s) - `a2ps-4.13b-SunOS5.8-sparc-CSW.pkg.gz' saved [1366593/1366593]

ERROR: checksum a2ps-4.13b-SunOS5.8-sparc-CSW.pkg.gz does not match remote checksum
(perhaps you need to pkg-get -U ?)

Thus you see that the package install stops right away, before anything is unpacked, and alerts you to the fact that the checksum is wrong.
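As an added example (not code from this page or from Blastwave), here is a small script that repeats the two checks this section depends on: it rejects a package whose MD5 does not match the catalog value, exactly as pkg-get does in the transcript above, and it warns when use_gpg=false or use_md5=false has been uncommented in pkg-get.conf. The function names, the constructed package body and the use of bash (or /usr/xpg4/bin/sh) are my assumptions; it picks /usr/bin/digest, gmd5sum or md5sum depending on the host.

```shell
#!/bin/bash
# Added example, not Blastwave's or the page's code. Run it with bash or
# /usr/xpg4/bin/sh: the legacy /sbin/sh has no $(...). Solaris 10 ships bash.

md5_of() {
    # Bare hex MD5 of $1 via digest (Solaris 10), gmd5sum (CSWtextutils) or md5sum.
    if [ "$(uname -s)" = SunOS ] && [ -x /usr/bin/digest ]; then
        /usr/bin/digest -a md5 "$1"
    elif command -v gmd5sum >/dev/null 2>&1; then
        gmd5sum "$1" | cut -d' ' -f1
    elif command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        echo "no MD5 tool found; pkg-get -i textutils" >&2
        return 2
    fi
}

verify_pkg_md5() {
    # $1 = downloaded package, $2 = checksum published in the catalog.
    # Succeeds only on a match, which is the check pkg-get fails above.
    actual=$(md5_of "$1") || return 2
    if [ "$actual" != "$2" ]; then
        echo "ERROR: checksum $1 does not match remote checksum" >&2
        return 1
    fi
}

pkg_get_checks_enabled() {
    # $1 = pkg-get.conf. Fails if use_gpg=false or use_md5=false is
    # active, i.e. present without the leading '#'.
    for key in use_gpg use_md5; do
        if grep "^ *${key} *= *false" "$1" >/dev/null 2>&1; then
            echo "WARNING: ${key}=false is uncommented in $1" >&2
            return 1
        fi
    done
}

demo_tamper() {
    # The page's experiment on a constructed file: record its checksum,
    # append the same garbage, and confirm verification now fails.
    pkg=$(mktemp) || return 2
    printf 'constructed package body\n' > "$pkg"
    good=$(md5_of "$pkg") || { rm -f "$pkg"; return 2; }
    verify_pkg_md5 "$pkg" "$good" || { rm -f "$pkg"; return 1; }
    echo "barfoo-foobar" >> "$pkg"
    if verify_pkg_md5 "$pkg" "$good" 2>/dev/null; then
        rm -f "$pkg"; return 1      # tampering went unnoticed
    fi
    rm -f "$pkg"
}

demo_tamper && echo "tampered package rejected, as pkg-get would"
```

Point pkg_get_checks_enabled at /opt/csw/etc/pkg-get.conf to audit a real host; the MD5 check only covers the package against the catalog, so keep use_gpg enabled for the catalog itself.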

Corollary - Software Package Security

If you carefully followed these steps then you should now be able to install or download a package with the digital signature being verified for you.

Each and every package will be checked for a valid signature and thus your software package integrity can be trusted.


Written by Dennis Clarke

This page was updated Wed Sep 19 13:26:06 EDT 2007

  ©2002-2007 blastwave.org
questions to info@blastwave.org
