Editor's note -- Chris Stone has recently posted an update to this tutorial for readers using Mac OS X 10.1.5 or later. The update focuses on Sendmail. All other features in this article continue to work as originally discussed.
The series continues in Learning the Terminal in Mac OS X, Automating Mail from the Mac OS X Terminal, Configuring Email from the Mac OS X Terminal, Customizing the Mac OS X Terminal, and Synchronizing Drives with Cron and the Mac OS X Terminal.
However, none of the first three parts of the series will work in Mac OS X 10.2 (Jaguar) or newer. Jaguar brought several major changes to the OS that require significant changes to the procedure. I'll be posting Jaguar compatible updates to these articles shortly.
Now that you have the regular maintenance cron jobs running at more reasonable times and emailing you their reports, you would probably like to know what those jobs do, and what the reports tell you.
Today we'll first look at both of these things, and then finish up with a couple of “variations on the theme” -- additional procedures to make this process even easier (though with their own trade-offs and caveats).
To begin, let's have another look at the system crontab, specifically the command for the daily job:
sh /etc/daily 2>&1 | tee /var/log/daily.out
| mail -s "`hostname` daily output" root
As you might remember, cron uses the Bourne shell (sh) to run the script found in /etc/daily. The real meat of this cron job, then, exists in that file, which is rather long and complex and would require several articles like this to fully explain. However, the script does contain comments describing each general task, so having a good look at this is informative.
The /etc/daily file is too long to view with cat. Instead, you’ll need an application that can display the files one bite-sized one-screen chunk, or "page," at a time. Such applications are called pagers, and one of the most common pagers is more.
As you did with cat, enter "more" and the file’s pathname to view the first page of the file. To view the daily script, then, enter:
more /etc/daily
To move down to the next page, press the space bar. (To go back up, press B.) At the bottom of the more display, you’ll see the name of the file being viewed, as well as an indicator of the percentage of the file read so far. To exit more, type Q.
As you peruse the script, keep in mind that lines beginning with the #character are ignored as the shell runs through the script. Typically, such lines contain descriptive comments about the script, but they can also be actual command lines that for various reasons are turned off, or "commented out."
A look inside the more window with the percentage of the file read so far.
|
Also, the command lines beginning with echo provides some of the output
that ends up in the report. For example, these first two lines begin the
daily report with a blank line and the quoted line of text:
echo ""
echo "Removing scratch and junk files:"
Again, I can’t detail fully this script here, but what follows are the most pertinent highlights. The skipped parts of the script mostly relate to processes not applicable to a "stock" OS X system.
The first section of the script removes "scratch and junk files" from your system. Specifically, some of these items are:
/tmp that haven’t been accessed or changed in at least the last three days. The /tmp directory contains, among other things, the Temporary Items directory used by many GUI applications, so it’s often chock-full of good trash fodder. /var/tmp that haven’t been accessed in at least a week, or changed in at least the last three days. Some Unix processes leave junk here as well.
The daily script also performs one of the most important tasks of any in these scripts: backing up your NetInfo database. Should your NetInfo database ever need restoring, you can easily do so using NetInfo Manager (in Applications-> Utilities) and the backed-up database, called local.nibak.
The heading of the next section of the script is, as you can see in the cron report, "Checking subsystem status."
Checking subsystem status:
disks:
Filesystem 1K-blocks Used Avail Capacity Mounted on
/dev/disk0s5 40016844 33274772 6742072 83% /
fdesc 1 1 0 100% /dev
/dev/disk2s1s2 354552 354552 0 100% /Volumes/Q3TA
|
Related Reading 
Mac OS X: The Missing Manual |
This output is a result of the df -k -l command in the daily script, which reports the used and free space on all local disks. This example shows a 40-gigabyte system disk (which will always show as "mounted on" /, or "root") with about 6.7 gigabytes of free space.
You can ignore the fdesc line, which doesn’t refer to any actual disk, but part of the filesystem plumbing.
Any other local volumes you have mounted will also show up in this list. This example shows a disk (in fact, a CD-ROM) mounted on /Volumes/Q3TA. This attribute, known as the disk's "mount point," shows you the path you would take to reach that disk via the CLI. For example, to peek inside the Q3TA CD you would enter ls /Volumes/Q3TA.
You will find all local disks and most network volumes mounted within /Volumes.
The next relevant command simply checks sendmail’s queue for any
undeliverable messages. If the report doesn’t show this directory as empty
(and the procedure in this tutorial is your only use of sendmail) , then
it’s likely you have some sendmail issue.
The daily script then runs the netstat -i command, which outputs the network statistics to the report, a few lines of which look like this:
network:
Name Mtu Network Address Ipkts Ierrs Opkts Oerrs Coll
lo0 16384 <Link> 2015 0 2015 0 0
lo0 16384 127 localhost 2015 0 2015 0 0
en1 1500 <Link> 00.30.65.xx.xx.xx 0 0 0 0 0
en0 1500 <Link> 00.30.65.xx.xx.xx 646365 0 670550 0 0
en0 1500 192.168 192.168.0.40 646365 0 670550 0 0
The netstat -i command lists your network interfaces in rows, showing traffic statistics for each (since activation) in the columns. This example actually shows just two hardware interfaces: en1 is an inactive Airport card, and en0 is the active Ethernet port.
You will see some other lines for the IP interfaces, including the "local loop" interface (lo0). At this point, you’ll be fine to only focus on the lines showing "<link>" in the network column. The other pertinent columns are the actual packet-count columns:
Ipkts -- Incoming packets
Ierrs -- Incoming packet errors
Opkts -- Outgoing packets
Oerrs -- Outgoing packet errors
Coll -- Packet collisions
What you should be concerned with, of course, are any non-zero entries in the error and/or collision columns. I won’t go into troubleshooting your network here, but this page might be a good place to start if something does turn up: http://www.princeton.edu/~unix/Solaris/troubleshoot/netstat.html.
  Now that you're up to your knees in command lines, how's it going? | |
The next important job of the daily script is the "rotation" of the system log. This log file, system.log, records the status and error messages from the large number of processes that comprise the OS.
In the case where no backups of system.log yet exist, the script makes the first backup, compresses it using gzip, and numbers it 0. This results in a file called system.log.0.gz. By "rotating" this log file on subsequent days, the script will first rename system.log.0.gz to system.log.1.gz, and then create a new system.log.0.gz.
Each day, the script creates a new system.log.0.gz file after incrementing the other backup filenames by one. Once system.log.7.gz is created, however, there will be no ninth backup file. Instead, on the subsequent backup the system.log.6.gz file (renamed to system.log.7.gz) just overwrites the previous system.log.7.gz file.
This procedure, then, ensures that you’ll have over a week’s worth of logs to refer to in case problems arise, but not so many as to waste disk space, and likely none too large to not view easily.
Next, the script "cleans" the Web server log files by deleting any rotated files that have been around longer than a week.
|
The weekly script performs three important tasks, none of which provides any output to the report except a statement that the command was performed.
One of the most useful Unix CLI utilities is locate, a lightning-fast file finder. locate does its magic by searching through a database of filenames created by indexing every pathname on your system. Instead of scanning your disks to find a file, locate just whips through its pre-indexed database, and returns results almost immediately.
However, locate results are only as accurate as its database. Files added after the database has been built will not be "located." locate is not the tool for every search, but with weekly database rebuilding, it’s great for quickly finding that long-lost file you know is tucked away somewhere on your drive. The first task of the weekly script, then, is to rebuild the locate database.
If you are antsy to try locate for yourself, have a look at the short locate tutorial included in the article found here.
The weekly script updates another important database used by the whatis command. whatis is a nifty little memory jogger that quickly shows you the function of a given command, like this:
[localhost:~] chris% whatis netstat
netstat(1) - show network status
What whatis displays is, in fact, the first line of a command’s "man page". If you’re not already familiar with man pages, you should be. These comprise the massive collection of online Unix documentation included with Mac OS X. Look here for a great tutorial on using man pages.
The weekly script, then, creates a whatis database from all man pages it finds, allowing whatis to return an answer faster than you can say, "Duh!"
Finally, the weekly script also rotates several other log files, including those for ftp and netinfo.
There’s actually very little to the monthly script, but what it does provide can be pretty interesting, if you like to know where all your time goes. The monthly script’s first task is to run the "connect time accounting" utility ac. ("Connect" here means "logged in.")
When run from the monthly script, ac will report the cumulative time, in hours, each user account has been logged in since the last time the script ran, as well as the total for all users:
Doing login accounting:
total 714.22
chris 548.76
miho 101.77
andy 54.39
jonny 9.18
test1 0.06
ftp 0.06
ac calculates these totals by reading the current wtmp log file, which logs every login and logout. You can view this list anytime with the last command:
[localhost:/var/log] chris% last
chris ttyp2 Thu Feb 21 16:18 still logged in
chris ttyp1 Thu Feb 21 16:16 still logged in
chris console localhost Thu Feb 21 16:02 still logged in
reboot ~ Thu Feb 21 16:01
So how does ac know to restart the accounting each month? Well, right after ac reports its findings, the monthly script rotates the wtmp logs, creating a new empty wtmp file to start logging to. The next time the monthly script runs, then, ac will do its accounting based on this new file.
Now that you have a good idea of what the three cron jobs do, and what to look for in the reports, I want to take a final look back at the procedure we followed and give a couple of "variations on the theme."
Of course, not everyone uses Mail.app as their regular email client, and launching it just to read the cron reports is not very convenient. It’s not an entirely hopeless situation, given these two alternatives:
First, use the command line mail utility. Since by now, you probably always have Terminal open anyway :-), you can just type in mail to read any incoming reports. And as you may have noticed, you are alerted of any new mail to your Unix account whenever you open a new Terminal window. Here’s one tutorial on using mail: http://wss.berkeley.edu/unix/faq/mail.html.
Second, add your regular email address to the ~root/.forward file. If you’re lucky enough to have an email account that this works with, this is your best solution. The reasons it might not work are complicated, but the easiest way to test is to use the CLI mail utility to send yourself an email:
[localhost:~] chris% mail chris@oreilly.com
Subject: Test message
Hey, it worked!
.
EOT
[localhost:~] chris%
If you do get the message, then you can simply add the address to the .forward file, or, if you’ll never be checking your Unix mail, replace the one that’s there using pico. Here’s the easy command to get right into it:
[localhost:~] chris% sudo pico ~root/.forward
To add an address, follow the previous one with a comma and a space before entering the next address:
chris, chris@oreilly.com
Mail forwarded to your regular account, then, will show up in whatever email client you use. Using Eudora or Entourage, for example, you could also create a rule to route the cron reports into their own folder.
|
As your remember, we needed to change the permissions for the root directory to get sendmail to work. While in most cases this does work, it’s really just a workaround that comes with a few of its own trade-offs. For one, some Apple updaters will revert the permissions, so you’ll need to chmod again to get sendmail back on track.
Secondly, and more importantly, there's a reason why Apple wants the root directory to be group-writable. Many Classic installer applications (and even some native ones) are programmed to place items in the root directory, and unless you’ve given these applications admin privileges to do this, they just might choke during an installation. Apple’s workaround for this possibility, then, is to keep the root directory group-writable.
Of course, that causes problems for sendmail, which requires these permissions for security reasons. At this point, then, you might feel stuck between a rock and a hard place. But wouldn’t it be great if you could just tell sendmail (as Ben Franklin might), "Hey, I’m willing to give up a little security if you just give me the liberty to keep my permissions!"
|
Previously in the Series Learning the Terminal in Jaguar, Part 3 Learning the Terminal in Jaguar, Part 2 |
In fact, sendmail allows you to set just that option by adding a single line to its configuration file. This is from the sendmail documentation:
"You may have to tweak your environment to make it safer for sendmail to run. If you find that some of the safeties in sendmail are too restrictive for your environment, they can be turned off by setting the option DontBlameSendmail. The option is appropriately named as sendmail is not to be blamed for problems resulting from unsafe permissions on directories and files."
As long as you’re using sendmail as described in the tutorial and are the primary user of the machine, the security risk is small in setting this option. If, however, you aren’t able to control access to your machine either physically or remotely, and you are compromised, please don’t blame me either ;-)
So if you’re ready to go, the file you need to edit is /etc/mail/sendmail.cf. You’ll first want to make a backup. Since the /etc/mail directory is only root-writable, you’ll need sudo:
sudo cp -p sendmail.cf sendmail.cf.bak
Note the use of the -p option flag in this command line, which preserves the permissions settings of the original in the copy of the file. This will make things a little easier, should you need to quickly restore the file.
You can then edit this file using pico, as you have with others. Since sendmail.cf is only writable by root, you’ll need to use sudo here as well.
sudo pico /etc/mail/sendmail.cf
This file is over 1,200 lines long and might be intimidating, but since you’ll just be adding a single line near the top and then getting the heck out, you should have nothing to worry about.
The line you’re looking for is a commented-out "DonBlameSendmail" line about 70 lines down from the top. The quickest way to get there in pico is by pressing Contol + W, entering "DontBlame", and pressing Return. You should then see these lines:
# level 9 config file format
V9/Berkeley
# override file safeties - setting this option compromises system security,
# addressing the actual file configuration problem is preferred
# need to set this before any file actions are encountered in the cf file
#O DontBlameSendmail=safe
# default LDAP map specification
Next, add a new line after the found line and enter (or paste in) this line:
O DontBlameSendmail=GroupWritableDirPathSafe
When you’re done, the lines should look like this:
# override file safeties - setting this option compromises system security,
# addressing the actual file configuration problem is preferred
# need to set this before any file actions are encountered in the cf file
#O DontBlameSendmail=safe
O DontBlameSendmail=GroupWritableDirPathSafe
# default LDAP map specification
As usual, press Control + O to save the file, Return to confirm the name, and Control + X to exit pico. You can now reset the root directory’s permissions to the factory default with this command:
[localhost:/etc/mail] chris% sudo chmod g+w /
If everything went well, sendmail will in fact send its mail the next time it’s beckoned, even with a group-writable root directory.
If you’re still having problems with anything, make sure to look at the TalkBack sections for all parts of this tutorial, where readers and I have covered most of the common problems and made some corrections.
Also, if you would like to learn lots more about cron, here’s another tutorial for you.
Now that your feet (or even your knees) are wet working with Terminal and Unix, you have an entire ocean left to explore. I hope this tutorial has given you the confidence to dive in. There are other articles here on the Mac DevCenter you should now be ready for, as well as plenty more around the Internet.
I also plan to have some more of my own articles in the near future, so feel free to make any requests in the TalkBacks. See you there!
Special thanks to Fred Coffman for his help with this article.
Chris Stone is a Senior Macintosh Systems Administrator for O'Reilly, coauthor of Mac OS X in a Nutshell and contributing author to Mac OS X: The Missing Manual, which provides over 40 pages about the Mac OS X Terminal.
Return to the Mac DevCenter.
Copyright © 2009 O'Reilly Media, Inc.