IRIX Setup 101


For newcomers to IRIX, setting up the system for the first time can be daunting. This guide aims to break the process down into selected, easy-to-follow sections for a freshly installed IRIX system.

Forenotes

Due to the specifics of various hardware and IRIX versions, this guide primarily assumes IRIX 6.5.21+ and that the user is interested in running Nekoware, optxeno, or another product offered on IRIXNet. It is advised to go into this with a clear understanding of what the user's goals are.

Per the Style Guide all root commands will be prefixed with #, all user-level commands will be prefixed with % (for the tcsh shell).

First Steps

Securing root

Either log in as root at the login screen, or connect over serial as root. Open a terminal window by clicking Desktop -> Open Unix Shell. This is a root shell, and for clarity's sake most commands will be performed in the terminal. Type # passwd and set a secure password for the root user. If doing this from the GUI (i.e. EZSetup; this guide covers most of the important settings found there), be warned that IRIX will not accept passwords greater than 8 characters in length. From the command line there is no such limitation.

Network Setup

A detailed article can be found at Network Setup.

Date and Time

Again, a detailed article can be found at Keeping Time.

Move $HOME for root

Now it is necessary to make a space for root. Due to IRIX's default install, root's home directory is effectively /, the root of the filesystem. This is bad. Do not skip this step.

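Home directories are defined in /etc/passwd. First, make the directory:

# mkdir /root; chmod go-wrx /root

Then update the root line so that its home directory and shell fields look like so:

root::0:0:Super-User:/root:/bin/tcsh

The second field holds the password; an empty value there, as in this sample line, means no password, so leave that field as it already is in the file and change only the last two. This can be automated with a perl, awk, or sed command, but be careful.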

Now clean up: # cd /; rm -rf Desktop dumpster .Sgiresources .cshrc .login .profile .varupdate .wshttymode .desktop-IRIS .desktophost

Log out and log back in again.
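One way to automate the /etc/passwd edit described above, as an added example rather than part of the original guide: it changes only root's home directory and shell and refuses any result that alters root's password field, root's UID, or another account's line. The function names and the sample entries (including the hash) are constructed, and an awk that accepts -v is assumed.

```shell
#!/bin/sh
# Added example: change only root's home directory and shell in a
# passwd-format file. Assumes an awk that accepts -v.

# make_sample FILE: write a constructed three-line passwd sample
make_sample() {
    cat > "$1" <<'EOF'
root:Xq3FakeHash00:0:0:Super-User:/:/bin/csh
lp:*:9:9:Print Spooler Owner:/var/spool/lp:/bin/sh
guest::998:998:Guest Account:/usr/people/guest:/bin/csh
EOF
}

# set_root_home FILE HOME SHELL: print FILE with fields 6 and 7 of the
# root entry replaced; every other field and line is left untouched
set_root_home() {
    awk -F: -v home="$2" -v shell="$3" '
        BEGIN { OFS = ":" }
        NF == 7 && $1 == "root" { $6 = home; $7 = shell }
        { print }
    ' "$1"
}

# root_field FILE N: print field N of the root entry
root_field() {
    awk -F: -v n="$2" '$1 == "root" { print $n; exit }' "$1"
}

# safe_change OLD NEW: succeed only if root keeps its password field and
# UID 0, and no other line differs between the two files
safe_change() {
    [ "$(root_field "$1" 2)" = "$(root_field "$2" 2)" ] || return 1
    [ "$(root_field "$2" 3)" = "0" ] || return 1
    [ "$(grep -v '^root:' "$1")" = "$(grep -v '^root:' "$2")" ]
}

# Demo on the constructed sample; on a real system work on a copy of
# /etc/passwd and install it only after safe_change succeeds
old=${TMPDIR:-/tmp}/passwd.sample.$$
make_sample "$old"
set_root_home "$old" /root /bin/tcsh > "$old.new"
if safe_change "$old" "$old.new"; then
    grep '^root:' "$old.new"
fi
rm -f "$old" "$old.new"
```

Keep a second root shell open while installing the edited file, so a mistake can be reverted before logging out.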

Securing IRIX

Lock unsafe accounts

IRIX by default is installed with several accounts without passwords. Checking this is easy: # passwd -as

Locking the accounts on a normal IRIX install is easy. In csh and tcsh, foreach and end must each be on their own line:

# foreach account (lp EZsetup nuucp demos guest OutOfBox sys adm sysadm cmwlogin auditor dbadmin sgiweb 4Dgifts)
    passwd -l $account
end

Creating a user account

Next, create a user account for normal usage, as running as root 24/7 is dangerous. It's easily and safely done using tools in the privbin: # /usr/sysadm/privbin/addUserAccount -l username -S `which tcsh` -H /usr/people/username -C -u 1034 -g 20

The above example will create a user called username with a default shell of tcsh, a home directory of /usr/people/username (/home is NOT a thing on IRIX), create the directory (-C flag) with a uid of 1034 and membership in the user group (ID 20). It may also be advisable to create a group with the same username created by the command above, however that requires manually adding a group to /etc/group and editing permissions on the home directory. This may be covered in a future installment.

Enable Shadow Passwords

By default IRIX stores crypt() hashes in /etc/passwd. This is now discouraged and insecure, so it is preferred to enable /etc/shadow. Run pwconv to enable it.

Edit system defaults

The file /etc/default/login controls primary login behavior. Edit the file's options to look something akin to this:

CONSOLE=/dev/console
PASSREQ=YES
ALTSHELL=YES
MANDPASS=YES
UMASK=027
TIMEOUT=60
DISABLETIME=300
MAXTRYS=3
LOGFAILURES=4
IDLEWEEKS=2
PATH=/usr/sbin:/usr/bsd:/sbin:/usr/bin:/bin:/usr/bin/X11:
SUPATH=/usr/sbin:/usr/bsd:/sbin:/usr/bin:/bin:/etc:/usr/etc:/usr/bin/X11:
SYSLOG=ALL
INITGROUPS=YES
LANG=C
SVR4_SIGNALS=NO
LOCKOUT=4
LOCKOUTEXEMPT=root

Note that it is a good opportunity to add extra pathnames that all users will have in PATH. Examples include /usr/nekoware/bin, /opt/xeno/bin, et cetera.

chmod the file to 444 next: # chmod 444 /etc/default/login

File Alteration Monitor

For security reasons, edit /etc/fam.conf to have local_only = true instead of local_only = false.

Disable Vulnerable Network Services

The following network services are wholly unnecessary for most installations and can be disabled with the following command string:

# chkconfig sgi_apache off; chkconfig webface_apache off; chkconfig appletalk off; \
chkconfig timed off; chkconfig timeslave off; chkconfig esp off; chkconfig ipaliases off; \
chkconfig ypmaster off; chkconfig yp off; chkconfig sendmail off; chkconfig sendmail_cf off; \
chkconfig webface off; chkconfig named off; chkconfig rsvpd off; chkconfig privileges off

Additionally, disabling the following services in /etc/inetd.conf is prudent. The exception is telnet: if an ssh server isn't installed yet and the system is a server, hold off on that one:

finger
bootp
tftp
echo
telnet
ftp
discard
chargen
daytime
time
rstatd
walld
rusersd
rquotad
sprayd
ttdbserverd
shell
exec
http
wn-http
ntalk
mountd
sgi_mountd
rexd
bootparam
ypupdated
sgi_videod
sgi_toolkitbus
sgi_snoopd
sgi_pcsd
sgi_pod
sgi_espd
sgi-esphttp
tcpmux/sgi_scanner

Some of the above can be re-enabled depending on what is necessary, but the esp ones should not be re-enabled.
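A sketch of how the inetd.conf edit above can be scripted, as an added example that is not part of the original guide: it comments out every listed service in a copy of the file, matches RPC-style names such as rstatd/1-3 by the part before the slash, and accepts services to keep (telnet, while no ssh server is installed). The function names and sample entries are constructed, and an awk that accepts -v is assumed.

```shell
#!/bin/sh
# Added example: comment out the services listed above in a copy of inetd.conf.
SERVICES="finger bootp tftp echo telnet ftp discard chargen daytime time"
SERVICES="$SERVICES rstatd walld rusersd rquotad sprayd ttdbserverd shell exec"
SERVICES="$SERVICES http wn-http ntalk mountd sgi_mountd rexd bootparam ypupdated"
SERVICES="$SERVICES sgi_videod sgi_toolkitbus sgi_snoopd sgi_pcsd sgi_pod sgi_espd"
SERVICES="$SERVICES sgi-esphttp tcpmux/sgi_scanner"

# disable_services FILE [KEEP...]: print FILE with listed services commented
# out, except any named in KEEP (for example telnet until sshd is working)
disable_services() {
    conf=$1; shift
    awk -v list="$SERVICES" -v keep="$*" '
        BEGIN {
            n = split(list, a, " "); for (i = 1; i <= n; i++) off[a[i]] = 1
            n = split(keep, k, " "); for (i = 1; i <= n; i++) delete off[k[i]]
        }
        /^[ \t]*#/ || NF == 0 { print; next }  # comments, blanks: unchanged
        {
            base = $1; sub(/\/.*/, "", base)   # "rstatd/1-3" -> "rstatd"
            if (($1 in off) || (base in off)) print "#" $0; else print
        }
    ' "$conf"
}

# count_enabled FILE: number of service lines still active
count_enabled() {
    awk '!/^[ \t]*#/ && NF > 0 { n++ } END { print n + 0 }' "$1"
}

# make_inetd_sample FILE: constructed entries, not a real IRIX inetd.conf
make_inetd_sample() {
    cat > "$1" <<'EOF'
# constructed sample
ftp     stream  tcp     nowait  root    /usr/etc/ftpd       ftpd -l
telnet  stream  tcp     nowait  root    /usr/etc/telnetd    telnetd
rstatd/1-3 dgram rpc/udp wait   root    /usr/etc/rpc.rstatd rstatd
tcpmux/sgi_scanner stream tcp nowait root /usr/etc/scannerd scannerd
tcpmux  stream  tcp     nowait  root    internal
#tftp   dgram   udp     wait    guest   /usr/etc/tftpd      tftpd
EOF
}

sample=${TMPDIR:-/tmp}/inetd.sample.$$
make_inetd_sample "$sample"
disable_services "$sample" telnet > "$sample.new"
echo "still enabled: $(count_enabled "$sample.new")"
rm -f "$sample" "$sample.new"
```

Compare the output against the original file before installing it; inetd has to re-read its configuration before the change takes effect.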

Secure the X server

Edit /var/X11/xdm/xdm-config and change the DisplayManager*authorize line to read: DisplayManager*authorize: on

Tune the kernel for security

Changing these if they are not in use is prudent:

# printf 'y' | systune ipforwarding 0
# printf 'y' | systune ip6forwarding 0
# printf 'y' | systune icmp_dropredirects 1
# printf 'y' | systune tcp_2msl 60
# printf 'y' | systune allow_brdaddr_srcaddr 0
# printf 'y' | systune tcpiss_md5 1
# printf 'y' | systune restricted_chown 1
# printf 'y' | systune ncargs 131072

Run # /etc/autoconfig -vf to rebuild the kernel, and then reboot for the changes to take full effect.

Install Patches

A collection of patches obtained from user backups of sgi.com's support centre is here: http://ftp.irixnet.org/sgi-irix/patches/

Install all patches for the IRIX version being run (inst will not install irrelevant patches on the system).

Customizing IRIX

Now that security is improved, the actual fun of customizing the IRIX experience can begin.

Setup flexlm

Place licenses for products in /var/flexlm/license.dat. Softwindows and a few others use different locations. There is a license file in the wiki as well. (search for it!)

Enable 24 bit X

Unless the graphics in the system are 8-bit (such as an Indy with an XL/8 card), enabling Truecolor will improve the user experience. Edit /var/X11/xdm/Xservers to be:

:0 secure /usr/bin/X11/X -bs -nobitscale -c -class TrueColor -depth 24 -solidroot sgilightblue -cursorFG red -cursorBG white

Enable scrollwheel

IRIX by default can't use a scroll wheel. This can be rectified in the kernel:

# systune pcmouse_mode 2

This sets the scroll wheel to work as on a PC. Mode 3 will set any additional buttons on the mouse to scroll. (it only detects 2 extra buttons)

Reduce gamma

Set gamma with the following command as root: gamma 1.2 or another value. This will lower the default to a more natural level.

Custom tcsh prompt

tcsh is a fast, simple UNIX shell that supports most of the same features as bash from an interactive standpoint, and is faster at startup.

Here is a configuration file for root:

# Only set up interactive shells; tcsh defines $prompt for those before reading this file
if ($?prompt) then
    # Prompt
    set red="%{\033[1;31m%}"
    set green="%{\033[0;32m%}"
    set yellow="%{\033[1;33m%}"
    set blue="%{\033[1;34m%}"
    set magenta="%{\033[1;35m%}"
    set cyan="%{\033[1;36m%}"
    set white="%{\033[0;37m%}"
    set end="%{\033[0m%}"
    set prompt="${red}%n${blue}@%m ${yellow}%~ ${red}%%${end} "
    # History
    set filec
    set history = 1000
    set savehist = (1000 merge)
    set autolist = ambiguous
    # Use history to aid expansion
    set autoexpand
    set autorehash
    set mail = (/var/mail/$USER)
    if ( $?tcsh ) then
        bindkey "^W" backward-delete-word
        bindkey -k up history-search-backward
        bindkey -k down history-search-forward
    endif

    # Fix some IRIXisms
    stty intr ^C
    setenv TERM xterm
endif



This sets a red prompt as a reminder. The colors can be changed in the prompt section to one's liking; just don't alter the color values themselves.

And here is a version that is used for normal users:

# Only set up interactive shells; tcsh defines $prompt for those before reading this file
if ($?prompt) then
    # Prompt
    set red="%{\033[1;31m%}"
    set green="%{\033[0;32m%}"
    set yellow="%{\033[1;33m%}"
    set blue="%{\033[1;34m%}"
    set magenta="%{\033[1;35m%}"
    set cyan="%{\033[1;36m%}"
    set white="%{\033[0;37m%}"
    set end="%{\033[0m%}"
    set prompt="${cyan}%n${blue}@%m ${yellow}%~ ${green}%%${end} "
    # History
    set filec
    set history = 1000
    set savehist = (1000 merge)
    set autolist = ambiguous
    # Use history to aid expansion
    set autoexpand
    set autorehash
    set mail = (/var/mail/$USER)
    if ( $?tcsh ) then
        bindkey "^W" backward-delete-word
        bindkey -k up history-search-backward
        bindkey -k down history-search-forward
    endif

    # Fix some IRIXisms
    stty intr ^C
    setenv TERM xterm
endif

PATH should be set using setenv PATH '/usr/sbin:/usr/bsd:/sbin:/usr/bin:/bin:/usr/bin/X11', with more paths added as a colon-delimited list in the rc file.

Setting Desktop parameters

Use "Desktop->Customize->Utilities" from the toolchest menu to specify default applications. Using the full path is necessary. "Desktop->Customize->Icons" from the toolchest menu will set the icon size and enable the global setting "Open in Place" which prevents the file manager from creating a new window when opening a new directory.

Xdefaults file

Here is a sample configuration that dates to the Nekochan.net era:

*clientDecoration: +resizeh +border +minimize +maximize +menu
*DesksOverview*clientDecoration: none
4Dwm*clock*clientDecoration: none

Overview.geometry: +10-10
Overview*viewWindowName: true
Overview*Frame.marginHeight: 1
Overview*Frame.marginWidth: 1

4Dwm*interactivePlacement: False
4DWm*clientAutoPlace: False
4Dwm*usePPosition: True
4Dwm*positionOnScreen: True
4Dwm*iconImageBackground: black
4Dwm*iconImageForeground: white
4Dwm*iconPlacement: left top tight
4Dwm*iconPlacementMargin: 1
4Dwm*resizeBorderWidth: 1
4Dwm*frameBorderWidth: 1
4Dwm*SG_frameOutline: false
4Dwm*SG_titleOutline: false
4Dwm*SG_titlePadding: 0
4Dwm*SG_useDecals: false
4Dwm*iconDecoration: label image

The desktop can be heavily customized as needed. To customize 4Dwm, read its manpage.

Setting up SSH

IRIX came with a very old OpenSSH version, and Nekoware has OpenSSH as well. However, these are no longer maintained. A better option is available at SSH Setup on IRIX 6.5.

Amend toolchest

A full explanation of toolchest is available on its manpage. toolchest reads the following files:

/usr/lib/X11/system.chestrc
~/.chestrc
~/.auxchestrc
/usr/lib/X11/nodesktop.chestrc
/usr/lib/X11/app-chests/*.chest
/usr/lib/X11/app-defaults/Toolchest
/usr/lib/X11/remote.chestrc

The first three are relevant to most users. To remove an entry, adding remove Itemname to ~/.auxchestrc is sufficient. Creating entries is easy as well:

menu ToolChest
{
    "My Favorite Things" f.menu mystuff
}
menu mystuff
{
    "dolphins" f.exec "/usr/demos/bin/atlantis"
    "Test Program" f.exec "source ~/.variables;~/testprog"
    "games" f.menu mygames
}
menu mygames
{
    "flight simulator" f.exec /usr/demos/bin/flight
    "arena" f.exec /usr/demos/bin/arena
}

The above is the example from the manpage.

Setting Backgrounds

An article on this is available at Setting Backgrounds

Wrapping up

This is the end of IRIX Setup 101. For practical reasons this covers the most common "first time" setup questions; it was patterned after the popular, though poorly-written, "IRIX Installation and Customization". Further guides will explore how to perform more advanced configurations.