
Sysadmin FAQ

February 29, 2012

My own personal Solaris/Sysadmin FAQ 

Generic Sysadmin Tips
Hardware Hacks
Shell questions/Programming
Sysadmin Theory/Documentation

Generic Sysadmin Tips

Q: How do I tell the last time a machine was shutdown?
A: last reboot (or search for "shutdown" in /var/adm/messages)
Q: how do I show all the remote mounts by directory?
A: showmount -a 
Q: how do I get a message to appear before the login prompt?
A: - edit /etc/issue.  If this doesn't exist, the system pops the output
of uname -sr (which prints out what version of Solaris you're running)
by default.  If you don't want any text to appear, edit /etc/default/telnetd
and put a line BANNER="" in it. 
Q: how do I alter the priority of a process?
A: priocntl: nice in Solaris 2.x...or try /usr/ucb/renice (all three exist)
Q: What does sync do at the OK prompt/prom level?
A: causes core dump; savecore can be enabled after machine dumps....
will write core file to location specified.  You can also issue "boot -d"
to force a kernel panic and crash dump. 
Q: Why does ps and top's process sizes differ?
A: Top shows memory usage in Kilobytes, ps in page units (usually 4k pages) 
Q: How do I identify high CPU usage processes w/o top?
- Use the "old" Berkeley style ps: /usr/ucb/ps -auxgwwwr | head -15
- ps -efo pcpu,pid,args | sort -nr | head  
Q: How do i delete files after X number of days?
- find /tmp -mtime +X -exec rm {} \;   (+X = last modified more than X days ago)
- find . -mtime +6 | xargs rm

(using GNU find; allows more precision than mtime days)
- /usr/local/bin/find /export/home/grant -type d -mmin +360 -exec rm -rf {} \;

- You can also use a temp file touched to the cutoff time:
touch -acm MMDDhhmm foo
find . -type f ! -newer foo ! -name foo -exec rm {} \;
Q: How do you remove filenames with control characters?
A: easiest way is to do a rm -i * in a directory (interactive rm). 
Q: How do I tell how much space is left on my tape?
A: /usr/sbin/nsr/mminfo -m (but this is Legato Networker software) 
Q: how do i find files that are actually hard links to other files?
- find /directory ! -type d -links +1 -ls | sort -n
- alternatively, the link count is the 2nd column of ls -l; a link count of
anything more than 1 indicates a hardlink.  Files can only be hardlinked to
each other if they're on the same file system.  Doing the same find command
with "-type l" would find SOFT links, which are normally much easier to
find since a) they have an "l" filetype and b) they have the location in ls -l
Q: How do i tell if there are other files hardlinked to a specific file?
- find the inode number associated with the file (ls -li), then
- find the mount point of the disk (df .), then run
- find /mount-point -xdev -inum NNNNN -ls  
Q: How do i detect bad soft links?  (links to files which no longer exist?)
A: Some OSes (Linux) have a program called symlinks.  Otherwise, run:
find / -type l -printf '%p\t%l\n'.  This will print all links and their
targets...audit the output and detect bad links.  (though it didn't work on
my Solaris box...perhaps you have to put it in a perl script?) 
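
Added example, not part of the original FAQ: the hard-link lookup from the previous answer and a dangling-symlink scan that uses only POSIX find options instead of GNU's -printf. The function names and the optional search-root argument are assumptions made for this illustration, and the scratch tree in demo_links is constructed.

```shell
#!/bin/sh
# Added example: hard-link lookup (ls -i, df, find -inum) and a scan for
# symlinks whose target no longer exists, without GNU find's -printf.

# hardlink_peers FILE [SEARCH_ROOT]
# Print every path that shares FILE's inode. SEARCH_ROOT defaults to the
# mount point reported by df, since hard links cannot cross filesystems.
hardlink_peers() {
    file=$1
    [ -f "$file" ] || { echo "not a regular file: $file" >&2; return 1; }
    inode=$(ls -i -- "$file" | awk '{ print $1 }')
    root=${2:-$(df -P "$file" | awk 'NR == 2 { print $NF }')}
    find "$root" -xdev -inum "$inode" -print 2>/dev/null | sort
}

# dangling_links DIR
# Print symlinks under DIR whose target does not exist. "test -e" follows
# the link, so it fails exactly when the target is missing.
dangling_links() {
    find "$1" -xdev -type l ! -exec test -e {} \; -print 2>/dev/null | sort
}

# Demo on a constructed scratch tree: a and b are hard links to each other,
# "good" points at a, "bad" points at a file that was never created.
demo_links() {
    d=$(mktemp -d) || return 1
    echo data > "$d/a"; ln "$d/a" "$d/b"; echo other > "$d/c"
    ln -s "$d/a" "$d/good"; ln -s "$d/missing" "$d/bad"
    hardlink_peers "$d/a" "$d"
    dangling_links "$d"
    rm -rf "$d"
}
demo_links
```

Without a SEARCH_ROOT the lookup walks the whole filesystem, so expect it to take a while on a large disk.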
Q: How do I "clean" a system and prepare it for re-configuration?
A: sys-unconfig (note; Solaris 8's sys-unconfig has bugs apparently). 
Q: What files do I modify to change hostname, ip, subnet mask, DNS?
A: (in later versions, files moved from /etc->/etc/inet)
- hostname: /etc/hosts , /etc/hostname, /etc/hostname.hme0 or le0,
/etc/nodename, /etc/net/ticots/hosts, /etc/net/ticlts/hosts,
/etc/net/ticotsord/hosts (these are loopback config files)
- ip addr: ifconfig, /etc/inet/hosts, run ifconfig le0 ip_addr
- subnet; /etc/netmasks and /etc/defaultrouter
- DNS: /etc/nsswitch.conf, /etc/resolv.conf 
Q: How do i get changes made to the default route to become active w/o booting?
A: vi /etc/defaultrouter, make changes
then route add default `cat /etc/defaultrouter`
Q: How do i get a Sun box to recognize changes made to the configuration?
A: boot -r or touch /.reconfigure (or is it /reconfigure or /etc/reconfigure?)
Not needed for some dynamic changes (mods to /etc/system) but definitely
needed if you add devices.  
Q: How do I configure xntp to work correctly?
A: find an atomic server, edit these files in /etc/inet/:
ntp.conf, ntp.client, and ntp.server 
Q: What are some good ways to view snoop output?
- snoop -V hostname | grep ETHER
- snoop -o test -v
- snoop -i test -x 0 
Q: How can i use large files in Solaris 2.x?
A: mount -o largefiles /file_system; this enables the use of files > 2gb
in size.  This is only an option in Solaris 2.6 and up.  In Solaris 2.7+
the mount option largefiles is default. 
Q: how do i map sdXX disks (as outputted in sar -d e.g.) to their actual
disk names (c?d?t?s?)
A: ls -l /dev/sd*, or look at the /etc/path_to_inst file.  Note: iostat -xn
shows i/o activity in "controller" names (c0t0d0). 
Q: how do i change the HostID of a Sun box (reason; Disaster recovery of
license hosts?)
A: HID package,  
Q: How do I tell how many semaphores (semmns)  my system is using?
- ipcs -s:  shows how many active
- sysdef -i:  shows how many defined (in /etc/system)
- sar -m 10 5: shows how many used per second 
Q: How do I add more ptys to my system?
A: vi /etc/system, add line "set pt_cnt = XXX", boot -r
Solaris 2.x supports 3000+ but the default value in the kernel is 48 
Q: How can I Find defunct/zombie processes?
A: ps -ef |grep defunct
Q: How do i exclude particular directories while doing a tar?
A: -X option; though i have never gotten it to work.
tar -cvf filename.tar /target/dir -X exclude.file
tar -cvf filename.tar -I include.file: works well; uses relative pathnames. 
Q: How do i get core files to have unique names when they get created?
A: coreadm -p core.%f.%p $$
note: in Solaris 2.8+ you can get coreadm to produce files that
look like core.. 
Q: how do i tell who a user is if we're using NIS+
- ypcat passwd | grep id
- finger id
Q: Whats the best way to move lots of files from one location to another?
A: 2 good methods
- cd source; cpio: find . -depth -print | cpio -cpdvmu target
- cd target; ufsdump 0f - /source | ufsrestore rfv -
- (3rd party): use rsync: 
Q: How do i print out yesterday's date?
- use gnu's version of date; more flexible than built in unix date
- scripting solution: perl -le 'print scalar localtime time-60*60*24' 
Q: Whats a good way to confirm the validity of raw partitions (since there's no command akin to fsck)?
A: Use dd: dd if=/dev/rdsk/whatever bs=1024k of=/dev/null and watch
both the dd output and console for errors.
Q: How do i get a sum total report of disk space free in all mounted filesystems?
A: df -k | grep dev | awk '{total += $4} END {print "Total: ", total, "KFree"}'
(to make this work on HP, use bdf | ... not df -k) 
Q: How does one use a standard unix mail package to send a mail with an attachment?
A: Thanks to Gary Kuever (4/13/01) who bounced me this:
/usr/bin/uuencode dest.txt src.txt  | mailx -s "Subject"
cat aa.txt | uuencode aa1.txt | mailx -s 'Subject' 
note...this did NOT work for HP have to add "-m" to the mailx
command...idiosyncrasy w/ HP/UX. 
Q: how do you do reverse DNS lookup?  (i.e., lookup an IP address and get its hostname?)
A: getent hosts  
Q: How do you log into a system without having your startup scripts run?
A: ?? (i know there's a way, i can't remember...a switch after the username?)
Q: how do you find a string in a file that is somewhere in a filesystem?
- find /filesystem -print -exec grep "string" {} \; (this prints out
every file name; you should be able to figure out a way to pipe non-matching
output files elsewhere.)
- grep "string" */* (works in Cygwin, not sure about Solaris)
Q: What are some quick commands one can run to find large files?
A: as posted in a summary to Sun Managers 6/28/01 
- du -sk /directory/* | sort -rn | head (10 largest files/subdirs)
- find /directory -size +2000 -exec ls -l {} \; 2> /dev/null (all files > 1mb)
- find /directory -size +2000 -exec du -sk {} \; | sort -rn | head (10 largest) 
Q: How do i list all files and sort by size?
A: du -k | sort -n 
Q: How do i setup a user so that he/she only has ftp access?
A: Create the account in /etc/passwd as normal, but put /etc/false as the
shell.  Then, add /etc/false to /etc/shells so that the user can ftp in. 
Q: I can't find the file XXX in my path.  How do i find it on my system?
A: First,
- grep XXX /var/sadm/install/contents: this will get any file that was
added via pkgadd on a SVR4 box
- cd /; find . -name "XXX" -print: this is brute method and will work,
but will take a long time and take up resources. 
Q: How do I disable the GUI login from appearing on my console?
A: Remove or rename /etc/rc2.d/S99dtlogin and reboot
dtconfig -d (as root) 
Q: How do you touch a file and reset its date/time stamp?
A: touch -acm MMDDhhmm foo 
Q: Why does the "size" of a directory vary?  When doing an 'ls -l' on a
directory, the size varies (512 bytes on creation, increasing to 1024, etc?)
A: the "size" of a directory is the number of inodes it is configured
to hold.  There's a default value for new directories, but as files get
added the kernel automatically adds more as needed.  Lost&Found directories
are created with a massive number of inodes for recovery purposes, and
thus have a size of 8192 by default. 

Hardware Hacks 

Q: how do I issue an "L1-A" or "Stop-A" without a Sun Keyboard connected as the terminal?
A: Several answers, depending on connection method:
- Newer Sun Keyboards: Stop-A == L1A
- Wyse vt100 terminals: ctrl-break
- Conmon: ~%b == ctrl break (L-1a)
- Terminal server: ctrl-], "send break" if telnetted into console
- PC Style Sun keyboard: shift-pause-A 
Q: How do I disable L1-A on Sun boxes?
A: Several methods  [this is in the FAQ]:
- Solaris 2.5+: Turn key to "Secure" position on actual hardware: this
overrides any software settings below
- Solaris 2.6+: edit /etc/default/kbd, set KEYBOARD_ABORT=disable
- Solaris 2.6+: kbd -a disable command
- Solaris 2.4 and below: edit /etc/system, set abort_enable = 0 
Q: How do I tell what position the Key is in from the system?
A: prtdiag, or run this:
/usr/platform/`uname -i`/sbin/prtdiag -v | grep Keyswitch | awk '{ print $5 }'
as root (doesn't seem to work when run as normal user). 
Q: How do I reconfigure devices realtime?
A: disks, drvconfig  
Q: How do I enable/disable individual CPUs?
A: psrxxx commands...control processors; psradm can enable/disable
individual CPUs.  psrinfo for info, psrset to bind processes to CPUs.
Q: how do I disable the suspend key?
- vi /usr/openwin/lib/
- comment the lines "SunPowerSwitch" and "SunPowerSwitchShift"
- logout, log back in.  
Q: How do I tell what the speed is of my network interfaces?
A: leX are 10-base-T, hmeX are 100-base-T. (on suns) 
Q: How can i tell if I'm running at 32-bit or 64-bit?
A: isainfo -b 
Q: How can i emulate the OK> probe-scsi-all command in OS?
A: No true emulation, but you can try:
- shareware scsiinfo
- iostat -E 
Q: How do I display the MAC address of a machine?
A: (from Sunnet managers email list 2/5/02)
ifconfig -a  (as root)
or arp -a | grep 'hostname'

Shell questions/Programming 

Q: how do I set file completion for csh/tcsh/bash?
A: set filec 
Q: How do I do my own poor mans Dos2Unix?  (how do I strip Ctrl-M ^M from the end of all my lines?) 
A: You can match like this:
– sh:
cr=$( print "\015" )
grep "[$cr]" *
– perl:
– vi or sed
:1,$ s/^M$//g (create the ^M by hitting ctrl-V then ctrl-M)
– command line (\015 is CR, i.e. ^M; \012 is LF)
tr -d '\012' < inputfile > outputfile
tr -d '\015' < inputfile > outputfile
dos2unix is a Solaris binary that can be invoked from the command line to perform this task.
dos2unix abc.txt abc.txt
Q: What are the config files read in by each popular shell, and what is the order by which they are called?
- Bourne/Korn shell
/etc/profile, $home/.profile
- Csh
Solaris: /etc/.login, $home/.login, $home/.cshrc
SunOS/Linux: /etc/csh.cshrc, $home/.login, $home/.cshrc
- tcsh
Solaris: /etc/.login, /etc/.cshrc, $home/.login, $home/.tcshrc, $home/.cshrc
Linux: /etc/csh.cshrc, $home/.login, $home/.tcshrc, $home/.cshrc
at logout: /etc/.logout, $home/.logout
but apparently tcsh can be compiled to use any location??
- bash
Linux: /etc/bashrc?, $home/.bash_profile (some people just put hacks in to have
.bash_profile execute .bashrc in the home directory; but its not needed)
Cygwin: $home/.bashrc 
Q: I need a quick way to convert files with all uppercase names to lowercase (as if I had copied a number of files from a PC/NT box to a Unix box)?
A: a quick shell script w/ a tr function. 
for name in `ls capitalized files`
do
  newname=`echo $name | tr "[A-Z]" "[a-z]"`
  mv "$name" "$newname"
done
Q: How can i replace a string in a file without editing it?
A: perl -pi.bak -e 's#STRING#REPLACE#g;'  filename.txt
(a backup of the file will remain in filename.txt.bak)
Q: How do I setup an automatic ftp job?
A: Can be done in perl or expect, but this works fine in shell.   You can also
populate .ftprc with "machine  login  password " and automate
the ftp line, but this isn't terribly secure. 
echo "open remote-host
user username password-for-username
type binary
put local-file remote-file
quit"  | ftp -in > /tmp/ftp.logfile.$$ 2>&1 
# sample automatic ftp script to dump a file
ftp -v -n $host << EOF
user $login_name  $password
cd $dir
put $file
quit
EOF
Q: Someone chmod 777 * on my Server (or someone chown xxx * or chgrp yyy *).
How do i get the correct permissions/owner/group back?
A: You can write a quick little shell script that scrolls through the
/var/sadm/install/contents file (which contains the original ownership,
group and permissions of every file installed on a box through pkgadd)
and changes them back.  This will NOT fix any files added outside of pkgadd
(ie tar files, user files, ftp'd files).  Tripwire will automate this job
very easily. 
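
Added example, not the author's script: one way to turn contents-file entries into a reviewable list of chown/chgrp/chmod commands. It assumes the field layout documented in contents(4) (mode, owner and group follow the class for f/e/v/d/x entries, and follow major/minor for c/b entries); the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: print (do not run) the commands that put pkgadd-installed
# files back to the owner, group and mode recorded in a contents-format file.
# Reads the named file, or stdin if none is given.
contents_fix_cmds() {
    awk '
    /^#/ || NF < 4 { next }                  # header comments, short lines
    {
        path = $1; ftype = $2
        if (ftype ~ /^[fevdx]$/) {           # files and directories
            mode = $4; owner = $5; group = $6
        } else if (ftype ~ /^[cb]$/) {       # devices: major minor come first
            mode = $6; owner = $7; group = $8
        } else {
            next                             # s and l entries carry no mode
        }
        # Entries recorded as "?" (unknown) fail these patterns and are skipped.
        if (mode !~ /^[0-7]+$/) next
        if (owner !~ /^[A-Za-z0-9_.-]+$/ || group !~ /^[A-Za-z0-9_.-]+$/) next
        # The output is meant for a root shell: refuse any path that would
        # need more than plain single quotes.
        if (path !~ "^/[A-Za-z0-9_./+,:@-]*$") {
            print "# skipped unsafe path: " path | "cat 1>&2"
            next
        }
        # Ownership first, mode last: chown can clear setuid/setgid bits.
        printf "chown %s \047%s\047\n", owner, path
        printf "chgrp %s \047%s\047\n", group, path
        printf "chmod %s \047%s\047\n", mode, path
    }' "$@"
}

# Constructed sample in contents(4) layout (not from a real system).
sample_contents() { cat <<'EOF'
/etc/passwd e passwd 0644 root sys 414 34239 1013456789 SUNWcsr
/usr/bin d none 0755 root bin SUNWcsu
/usr/bin/su f none 4555 root sys 22292 63153 946000000 SUNWcsu
/dev/null=../devices/pseudo/mm@0:null s none SUNWcsd
/devices/pseudo/mm@0:null c none 13 2 0666 root sys SUNWcsd
/opt/x/odd$name f none 0644 root bin 10 20 30 EXAMPLEpkg
/opt/x/unknown f none ? ? ? 10 20 30 EXAMPLEpkg
EOF
}

sample_contents | contents_fix_cmds
```

On a real box, run contents_fix_cmds /var/sadm/install/contents > fix.sh, read fix.sh, and only then run it as root.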
Q: how do i write a quick script to kill off particular processes?
for pid in `ps -aef | grep qmail | grep -v grep | awk '{ print $2 }'`
do
   kill -9 $pid
done

Sysadmin Theory/Documentation

Q: Where do I find Solaris’s EOL information?
A: /usr/share/release_info/Solaris_2.6/C/eof, or search online

Q: What version of SunOS refers to what version of Solaris?
A: (this is in the FAQ)
SunOS 4.1.x    ->   Solaris 1.x
SunOS 5.1 ->   Solaris 2.1

(SunOS 5.5.1    ->   Solaris 2.5.1)
SunOS 5.6 ->   Solaris 2.6
SunOS 5.7 ->   Solaris 7
SunOS 5.8 ->   Solaris 8

Q: Whats the largest amount of Shared Memory configurable in Solaris?
A: Depends:
– 4gb (2^32 bytes): Any 32 bit Solaris (2.6, 32 bit Solaris 7)
– Somewhere north of 18,446 Terabytes (2^64 bytes): almost unlimited in
64-bit solaris. 
Recommended: no larger than 75% of your physical memory.

Q: How do I Analyze core dump files?
– Book: “Panic! UNIX System Crash Dump Analysis”
– file core: to find out what program dumped it
– adb core
– crash, strings commands
– Search sunsolve: several white papers available.
– Solaris script available; iscda

Q: What information should be obtained when a Sun box mysteriously drops
to the OK prompt?
A: type and record the output of these commands:
– .registers
– .locals
– .psr
– ctrace
– wd-dump (on Sparc 1000,2000 only).
– go/resume will tell the machine to resume processing.  sync will force a
core file to be created and reboot.

Q: What is lost+found directory, why is it 8192 filesize, and how do you
work with files found within?
A: lost+found is where fsck sticks file fragments it finds and can’t reallocate
in the case of errors.  The directories are created with large numbers of
inodes in preparation of large numbers of files being put there, so do not
just arbitrarily rm the directory.  If you remove the directory, you cannot just
mkdir it again to replace it; you must write a quick script to make a large
number of files and delete them.  IF files are placed in the directory by fsck,
there is no automated tool to replace the files; it must be done by hand.

Q: What are good places to look/do when the root directory (/) is full?
(if /var isn’t its own separate filesystem…)
– Directories: /tmp, /var/tmp, /var/cron/log, /var/spool, /var/log. 
– Files: /var/adm/wtmp, /var/adm/messages and associated.
– Look in /dev; sometimes a failed dump command can cause a huge file to
be located in /dev.  (eg; if you try to dump something to /dev/rmt/0 but
type in /dev/rmt/O (capital O instead of 0) you’ll have a huge file called
“O” in /dev/rmt).
– Look at your print spooling and mail spooling configuration.  Run lpshut
and lpsched and examine space freed.
– from top line directory, do a du -s * | more and look for directories
NOT mounted themselves.  This should show your culprit directory.
– fsck /, looking for misallocated files.

Q: What are good places to look/do when /var is full?
– Directories:
/var/tmp: empty
/var/crash: empty
/var/mail: check for large incoming mail files
/var/spool/mqueue: check for large outgoing mail jobs
/var/spool/lp: look for large stuck print jobs
– Files:
/var/adm/*tmp* (e.g. /var/adm/wtmp): can be zeroed (cat /dev/null > file)
find /var -name core -exec rm {} \; : delete all core files
– Do NOT remove things out of /var/sadm: these are crucial system files

Q: How do I troubleshoot Network slowdowns on my Sun box?
– use snoop to check packets – snoop -d hme0
– Ensure the switch and the NIC match speed and duplex
– Turn off autonegotiate on the sun boxes and force to a particular speed
– LSF might be misconfigured and cause headaches

Q: How do i tell what distribution version of Solaris i’m using?
A: /etc/release

Q: What is the difference between different levels of SCSI?
A: True explanation depends on a serious Electrical Engineering discussion…
– (orig) SE: Single ended; voltage referenced to ground signal.  One wire
for each signal that needs to be carried.  8-bit bus.
– LVD: Low Voltage differential: immune to external noise
– HVD: High voltage differential:
– Differential: allows for longer cables.  Two wires for each signal, each
wire carries the logical inversion of the other’s signal; the receiver
takes the difference of the pair’s signals (hence the name) and interprets
the signal.  This allows for less noise susceptibility and thus greater
cable length.
– Fast SCSI, Fast Wide SCSI, Ultra Wide SCSI; all work w/ original SE
SCSI specs, just faster.

Q: What is better: one filesystem or many?
A: Pros and cons to both
One large filesystem:
Pro: no issues ever again w/ mis-sized partitions (/ and /usr are mostly
static except when adding s/w and can fill up easily with extra man pages)
Con: rogue processes typically limited to /var or user programs out of control
in /home can affect the entire system
Many file systems:
Pro: /var, /home limited in space they can occupy.  Static file systems
such as /usr and / can be capped.  This is especially important with
some types of Database Systems (Oracle and MS Sql Server in particular)
which have “auto-grow” features on them.  If you don’t cap the available
space to these engines, a run-away process can fill its log to max disk
Con: inflexible partitioning can render the multiple-file system model
useless if not done correctly at install (this is avoided by using Veritas
Volume Manager on Solaris or if you’re in HP/UX or AIX, where file systems
can be “grown” easily). 

Q: What are the repercussions of changing root’s shell in /etc/passwd?
A: Solaris is a dynamic library OS.  Changing the root user’s shell from
the default /sbin/sh to *any* shell not in /sbin has the following consequences:
if you crash your system and somehow can only mount / (and not /usr where
all the libraries are located) you will not be able to log into the root
user (you’ll get an invalid shell error).
A Better solution would be to create a second uid=0 account and modify this
second user’s shell to be your desired working shell (call the user rootc
and give it a shell of /bin/csh e.g.).  This way, you’ll still have superuser
capabilities but won’t jeopardize future disaster recovery concerns.

Q: Can i remove obsoleted patches?
A: Yes, but in some cases patchrm won’t be able to because of file dependencies.
If you’re looking to save space you can remove the undo.Z files for the
obsolete patches in /var/sadm/pkg/SUNW/save//
Generally speaking, its best to leave patches alone, even if obsoleted.



Q: How do i allow root to telnet into a machine
A: vi /etc/default/login, comment out the “CONSOLE=/dev/console” line

Q: What are some things I can check if I believe i’ve been hacked?
A: (from a posting by Serge Maandag to Linux-Admin, 12/19/00)
– is there an entry in your /etc/passwd file that shouldn’t be there?
– is there a daemon enabled in /etc/inetd.conf that shouldn’t be? (these
only show up in your process list when someone is logged in)
– are there processes running that you haven’t started?  (e.g., flood pings
like ping -f -s 65000 )
– check /var/log/messages for messages like “Accepted password for …”,
is there any logon by someone other than you? They may be logging in as
root or as lp (lineprinter), in which case you won’t even find an
unusual entry in your passwordlist
– Do a find / -name … as root. replace … by known hacking tools like
synk4 or powerdrop or synscan or nmap. see sites like for more.
– Use netstat to see all your connections and see if there is a
conspicuous one.
– run fuser on strange ports, see who owns them (port 666 commonly hacked)
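
Added example, not part of the quoted posting: three of the checks above (unexpected passwd entries, service accounts such as lp that are able to log in, and "Accepted password for" lines from unexpected users) written as filters. The function names, the list of service-account names, the lock markers recognised in the shadow field and the sshd-style log layout are assumptions; all sample data is constructed.

```shell
#!/bin/sh
# Added example: checks from the list above as filters over passwd, shadow
# and an sshd-style auth log. Each reads the named file, or stdin if none.

# Extra UID 0 accounts and empty password fields in passwd format.
check_passwd() {
    awk -F: 'NF >= 7 {
        if ($3 == 0 && $1 != "root") print "uid0-account " $1
        if ($2 == "")                print "empty-password " $1
    }' "$@"
}

# Service accounts (lp, bin, ...) whose shadow entry is not locked: these
# can log in without any new line appearing in the password list.
check_shadow() {
    awk -F: '$1 ~ /^(lp|bin|daemon|sys|adm|uucp|nobody)$/ &&
             $2 !~ /^(\*.*|!.*|NP|x)$/ { print "service-password " $1 }' "$@"
}

# Successful password logins by anyone outside the expected-user list ($1),
# printed as "unexpected-login user source count".
check_logins() {
    ok=" $1 "; shift
    awk -v ok="$ok" '{
        for (i = 1; i + 4 < NF; i++)
            if ($i == "Accepted" && $(i+1) == "password" && $(i+2) == "for") {
                if (index(ok, " " $(i+3) " ") == 0) n[$(i+3) " " $(i+5)]++
                break
            }
    }
    END { for (k in n) print "unexpected-login " k " " n[k] }' "$@" | sort
}

# Constructed sample data (not from a real host).
sample_passwd() { cat <<'EOF'
root:x:0:0:root:/root:/bin/sh
lp:x:4:7:lp:/var/spool/lpd:/bin/sh
toor:x:0:0::/tmp:/bin/sh
guest::1002:100::/home/guest:/bin/sh
EOF
}
sample_shadow() { cat <<'EOF'
root:CONSTRUCTED-HASH:11310::::::
lp:CONSTRUCTED-HASH:11310::::::
bin:*:11000::::::
daemon:*LK*:11000::::::
EOF
}
sample_authlog() { cat <<'EOF'
Dec 19 03:12:44 host sshd[812]: Accepted password for lp from 192.0.2.44 port 1022 ssh2
Dec 19 03:15:02 host sshd[840]: Accepted password for lp from 192.0.2.44 port 1031 ssh2
Dec 19 08:01:10 host sshd[901]: Accepted password for alice from 198.51.100.7 port 2200 ssh2
Dec 19 08:05:33 host sshd[915]: Failed password for root from 192.0.2.44 port 1040 ssh2
Dec 19 09:00:00 host sshd[950]: Accepted password for root from 192.0.2.44 port 1051 ssh2
EOF
}

sample_passwd  | check_passwd
sample_shadow  | check_shadow
sample_authlog | check_logins "alice"
```

A second UID 0 account, such as the rootc account suggested earlier on this page, is reported by check_passwd like any other; keep a note of the ones you created yourself.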

Q: how can i generate random passwords?
A: no tool, but you can do it in perl:
@chars = ( "A" .. "Z", "a" .. "z", 0 .. 9, qw(! @ $ % ^ & *) );
$password = join("", @chars[ map { rand @chars } ( 1 .. 8 ) ]);
Another solution would be to select a random word out of /usr/dict/words.

Q: how do I reset the supposedly unresettable eeprom password?
– actually reset the eeprom chip on the motherboard
– as root, “eeprom security-mode=” will prompt for a new pwd. 
– strings /dev/eeprom |head : might be able to see it.

Q: How do I trace the source of an email message, analyzing normal headers?
A: It used to be very straightforward to trace email by analyzing headers.
However, nowadays spam artists are adept at stripping the headers out
of email messages, spoofing sendmail servers and generally making it
impossible to trace mail back to the source.  Here’s a couple of good
sites none the less:


Q: how do I unlock a locked Framemaker file?
A: Control-R, capital F, lk

Q: How do I make vi use an area different from /tmp (or /var/tmp?)  (Useful
when /tmp is full and you can’t find an admin!)
A: Several options:
– .exrc file (vi startup config) add a line "se directory={new-tmp-directory}"
(or add the "directory=(new-tmp-dir)" part to the end of a multiple se
options setting line)
– set the shell variable EXINIT="se directory={new-tmp-directory}"
– from within vi: :se dir={new-tmp-directory}

Q: How do i map arrow keys to be functional in vi?
A: in your ~/.exrc file: (note that  ^[ is the ESCAPE character, which in
vi can be inserted when pressing CONTROL-V and then the ESC key)
map  ^[OA k
map  ^[OB j
map  ^[OD h
map  ^[OC l
map! ^[OA ^[k
map! ^[OB ^[j
map! ^[OD ^[
map! ^[OC ^[ll
The first four lines work in command mode, the other 4 in insert/replace mode.
