LPI-102 Junior Level Administration

Exam: 117-102

For internal circulation

Version 2.0

INDEX

Chapter 1 The Linux Documentation

Chapter 2 Managing Users

Chapter 3 Shells, Scripting, Programming and Compiling

Chapter 4 Boot, Initialization, Shutdown and Runlevels

Chapter 5 The Linux Kernel

Chapter 6 System Logging and Automation

Chapter 7 Maintain system

Chapter 8 Printing

Chapter 9 Networking Fundamentals

Chapter 10 Networking Services, Part 1

Chapter 11 Networking Services, Part 2

Chapter 12 Distributed File System

Chapter 13 Network Security

LPI 102 Linux Junior Level Administration

Chapter 1

The Linux Documentation

Last updated: 26 December 2003

2004, SaigonCTT All rights reserved


Objectives

• Use and manage local system documentation

• Find Linux documentation on the Internet

• Notify users on system-related issues


LPI Topics

1.108.1 Use and manage local system documentation

This objective includes finding relevant man pages, searching man page sections, finding commands and man pages related to them, and configuring access to man sources and the man system. It also includes using system documentation stored in /usr/share/doc/ and determining what documentation to keep in /usr/share/doc/.

1.108.2 Find Linux documentation on the Internet

This objective includes using Linux documentation at sources such as the Linux Documentation Project (LDP), vendor and third-party websites, newsgroups, newsgroup archives, and mailing lists.

1.108.5 Notify users on system-related issues

This objective includes automating the communication process, e.g. through logon messages.


Different sources of help

• man, xman

• info, xinfo

• /usr/share/doc/howto

• /usr/share/doc/packages


Linux Documentation Project which is responsible for:

–ManPages

–FAQs

–HOWTOs

–Tutorials


Man pages and the man command

• You can get information about most commands.

• Man pages contain:

– Object name

– Synopsis and description

– List and definition of all options

– Environment and parameters

• Related commands are listed at the end of the man page.

Man page structure:

1. NAME

2. SYNOPSIS

3. DESCRIPTION

4. OPTIONS

5. EXIT CODE

6. CONFORMING TO

7. FILES

8. BUGS

9. SEE ALSO

10. AUTHOR

Man pages and the man command

man [options] [section] command_name

– Used to look up certain commands and their use.

– Man pages are divided into 9 sections.

Man page sections

1 – Information on executables

2 – System calls

3 – Library calls, e.g. stdio

4 – Devices (files in /dev)

5 – Configuration files and formats

6 – Games

7 – Macro packages

8 – Administration commands

9 – Kernel routines

To view a particular section of the man pages, include the section number with the man command and the term you are looking for:

man <section> <term>

Note:

When no section is given, the sections are searched in the following order until a page is found:

1, 8, 2, 3, 4, 5, 6, 7, 9

Scrolling in man pages

• Spacebar – Move forward one screen

• Return – Move forward one line

• b – Move back one screen

• f – Move forward one screen

• q – Quit the man command

• /string – Find forward

• ?string – Find back

• n – Find the next occurrence of string

• h – More help

Example:

$ man 8 mount

– displays the mount administration command

$ man 2 mount

– displays the mount system call

$ man -a command

– Displays all the man pages for the command, one after the other; each one is terminated with 'q'.

Files, programs and variables

• /usr/bin/mandb

– Program to create or update the man page caches.

• MANPATH

– Contains the paths where mandb looks while indexing pages.

• /usr/bin/manpath

– Program to display the paths searched for man pages.

• /etc/manpath.config

– mandb configuration file.

• man can search multiple directories when the MANPATH variable is set:

MANPATH=/usr/man:/usr/X11R6/man:/usr/share/man

• If MANPATH is not set, man assumes /usr/man (Red Hat: /usr/share/man).

Files, programs and variables

• /usr/share/man/index.(bt|db|dir|pag)

– A traditional global 'whatis' index database cache.

• /var/cache/man/index.(bt|db|dir|pag)

– Alternate/FHS compliant global 'whatis' index database cache.

Locations of man pages

• /usr/man/*

– Old location of man pages

• /usr/share/man/*

– A global manual page hierarchy.

• /usr/local/man/*

– Extra man pages for user commands

• /usr/local/share/man/*

– Extra man pages for user commands

• /usr/X11R6/man/*

– X11 applications man pages

Locations of man pages

• /opt/gnome/man/*

– Gnome Desktop applications man pages

• /opt/kde3/man/*

– KDE Desktop applications man pages

• /usr/openwin/man/*

– OpenWindows Desktop applications man pages

• /var/cache/man/*

– catman page files and index of man pages

Note:

– Most man pages in these directories are classified in subdirectories by their respective type (section), as in .../man1/, .../man2/.

– The man pages are normally in compressed (.gz) GROFF source format. They are decompressed automatically before the page is displayed.

– The cat pages are preformatted text man pages including the formatting characters. They are normally saved in .../cat1, .../cat2, ... directories.

PAGER variable

• The man pages are displayed with less by default.

• Change the display program by changing the value of the PAGER environment variable.

• Example:

export PAGER=/usr/bin/less

– less mode

export PAGER=/usr/bin/more

– more mode

The apropos command

apropos topic

– Searches the short descriptions of the man pages for the keyword topic.

– Same result as:

man -k topic

• Example

$ apropos password
chage (1) - change user password expiry information
chpasswd (8) - update password file in batch
crypt (3) - password and data encryption
endpwent [getpwent] (3) - get password file entry

This command searches the whatis database for its results, so you must create the whatis database first:

# makewhatis

The whatis command

whatis command

– Searches the man page keywords and presents the first short description of the command.

– Same result as:

man -f command

• Example

$ whatis password
password: nothing appropriate
$ whatis passwd
passwd (1) - update a user's authentication tokens(s)
passwd (5) - password file
passwd [sslpasswd] (1ssl) - compute password hashes

The exact command name must be found, otherwise nothing is displayed. It displays the single-line description found in the man page. It first searches the man page index and then its own database if the man page index file is not found.

You must create the whatis database first:

# makewhatis

The info command

info [section] [command]

– Info pages are supposed to have more information than the man pages.

– Some individuals write a short description of their programs in the man pages and a longer one in the info pages.

• Example

$ info passwd

• Read the passwd command info.

$ info 5 passwd

• View the passwd file info.

Not all man pages are being maintained and are therefore out of date, so info often yields more current information.

Some topics treated in info are not discussed in man at all; info also uses hypertext links, so it is a more powerful utility.

Navigation through info pages:

• Page-Down key – move forward

• Page-Up key – move backward

• b – beginning of node

• e – end of node

• u – up node

• n – next node

• p – previous node

• d – directory

• s – search / find

• l – last text displayed

• h – help

Find Linux documentation on the Internet

• http://www.tldp.org

– The Linux Documentation Project web site. Contains handbooks, books, HOWTOs, FAQs and lots more.

• http://www.linux.org/docs/

– The official Linux web site, with more documentation and links to other Linux web sites.

• http://www.google.com/linux

– Google search engine for Linux

Find Linux documentation on the Internet

• Newsgroups

• Newsgroup archives

• Mailing lists

Newsgroups

comp.os.linux.advocacy – General discussion about the advantages of using Linux vs. other OS.

comp.os.linux.announce – Commented Linux news.

comp.os.linux.answers – Commented postings of Linux FAQs, HOWTOs and READMEs.

comp.os.linux.apps – General discussion about Linux applications.

comp.os.linux.development.apps – Discussion about programming and porting applications for Linux.

comp.os.linux.development.system – Discussions about the Linux kernel, device drivers and loadable modules.

comp.os.linux.hardware – General discussion regarding Linux hardware compatibility.

comp.os.linux.misc – Different themes about Linux which are not found in other newsgroups.

comp.os.linux.networking – General discussions regarding networking and communications.

comp.os.linux.setup – General discussions regarding Linux installation and system administration.

comp.os.linux.x – Discussions about the X Window System under Linux.

alt.os.linux – General discussion regarding Linux.

Newsgroup archives

http://www.dejanews.com – Archives of all newsgroups. Google has taken over this function.

Mailing lists

The following mailing lists run off a central Majordomo server. To subscribe to one of them, send an email to majordomo@vger.kernel.org with the following as the mail text body:

subscribe ListName

ListName is one of the mailing lists below. The text in the subject area is ignored.

linux-8086 linux-admin linux-alpha linux-apps linux-arm linux-bbs linux-c-programming linux-config linux-console linux-diald linux-doc linux-fido linux-fsf linux-ftp linux-gcc linux-gcc-digest linux-hams linux-hppa linux-ibcs2 linux-ipx linux-isdn linux-japanese linux-kernel linux-kernel linux-kernel-digest linux-kernel-patch linux-laptop linux-linuxss linux-lugnuts linux-mca linux-mips linux-msdos linux-msdos-digest linux-msdow-devel linux-net linux-new-lists linux-newbie linux-newbiew linux-nys linux-oasg linux-oi linux-opengl linux-pkg linux-ppp linux-pro linux-qag linux-raid linux-scsi linux-serial linux-seyon linux-smp linux-sound linux-standards linux-svgalib linux-tape linux-term linux-training@lists.iphil.net linux-userfs linux-word linux-x11 linux-x25 sparclinux ultralinux

Notify users on system-related issues

• /etc/issue

– pre-login message and identification file

• /etc/issue.net

– pre-login message and identification file, used for remote users.

• /etc/motd

– message of the day.

– The contents of /etc/motd are displayed after a successful login but just before the login shell is executed.

Login sequence

When the system boots up, right at the end of its default runlevel, init starts the program mingetty for each virtual console defined in /etc/inittab.

Here is the sequence of events:

– The mingetty (getty) process displays the contents of the file /etc/issue.

– Then it displays the "HostName login:" prompt and waits for the user to enter a username.

– When the username is entered and the user presses Enter, mingetty replaces itself with the program login; login gets the username from mingetty and waits for the password from the user. login's configuration file /etc/login.defs describes the behaviour of login.

– If the file /etc/nologin exists, login will allow access only to root. Other users will be shown the contents of this file and their logins will be refused.

– If authentication succeeds, the login process then starts a shell (usually bash).

– bash reads its configuration scripts (/etc/profile etc.) and displays the content of the file /etc/motd (message of the day), then displays its prompt.

Overall sequence:

mingetty ---------------> login -------------> bash

– mingetty shows /etc/issue and waits for the user name

– login waits for the password

– bash shows /etc/motd and the prompt

Escaped characters for /etc/issue:

\b – Baud rate of the terminal connection (only for serial terminal connections)

\d – Today's date

\s – Operating system name (e.g. 'Linux')

\l – Name of the current TTY

\m – System architecture (e.g. i386)

\n – Hostname

\o – Domain name

\r – Release number of the kernel

\t – Present time

\u – Elapsed time since last login for this user

\U – The word User(s) and the elapsed time since last login for this user

\v – Kernel version (build date)

Summary

• Use and manage local system documentation

• Find Linux documentation on the Internet

• Notify users on system-related issues

Key files, terms, and utilities include:

MANPATH

man

apropos

whatis

/etc/issue

/etc/issue.net

/etc/motd

LPI 102 Linux Junior Level Administration

Chapter 2

Managing Users

Objectives

• add, remove, suspend and change user accounts

• add and remove groups

• change user/group info in passwd/group databases

• modify global and user profiles

• set environment variables

• maintain skel directories


LPI-102 Topics:

1.111.1 Manage users and group accounts and related system files

Description: Candidate should be able to add, remove, suspend and change user accounts. Tasks include to add and remove groups, to change user/group info in passwd/group databases. The objective also includes creating special purpose and limited accounts.

1.111.2 Tune the user environment and system environment variables

Description: Candidate should be able to modify global and user profiles. This includes setting environment variables, maintaining skel directories for new user accounts and setting command search path with the proper directory.


Part 1

Manage Users

User Account

• /etc/passwd

– information on all users: login name, user ID, group ID, descriptive name, home directory, login shell

• /etc/shadow

– stores parameters that control account access: the user's password hash and password aging information

• /etc/group

– information about users' groups

• /etc/gshadow

– stores the group's password hash, …

/etc/passwd

• Each line in this file corresponds to a user:

name:password:UID:GID:comment:home directory:shell

1. Login name

2. Password (or x if using a shadow file)

3. The UID

4. The GID

5. Text description for the user

6. The user's home directory

7. The user's shell

1. Username, up to 8 characters. Case-sensitive, usually all lowercase.

2. The password field: x = reference to /etc/shadow, empty = no password, * or ! = no login possible.

3. Numeric user id. This is assigned by the ``adduser'' script. Unix uses this field, plus the following group field, to identify which files belong to the user.

4. Numeric group id. Red Hat uses group ids in a fairly unique manner for enhanced file security. Usually the group id will match the user id.

5. Full name of user. I'm not sure what the maximum length for this field is, but try to keep it reasonable (under 30 characters).

6. User's home directory. Usually /home/username (e.g. /home/smithj). All the user's personal files, web pages, mail forwarding, etc. will be stored here.

7. User's "shell account". Often set to "/bin/bash" to provide access to the bash shell (my personal favorite shell).

# cat /etc/passwd

/etc/passwd

Without shadow passwords:

# cat /etc/passwd | grep root
root:$1$K05gMbOv$b7ryoKGTd2hDrW2sT.h:0:0:Super User:/root:/bin/bash

With shadow passwords:

# cat /etc/passwd | grep root
root:x:0:0:Super User:/root:/bin/bash
# cat /etc/shadow | grep root
root:$1$K05gMbOv$b7ryoKGTd2hDrW2sT.h:::::::

Traditional Unix systems keep user account information, including one-way encrypted passwords, in a text file called "/etc/passwd". As this file is used by many tools (such as "ls") to display file ownership, etc., by matching user id numbers with user names, the file needs to be world-readable. Consequently, this can be somewhat of a security risk.

Another method of storing account information, one that I always use, is the shadow password format. As with the traditional method, this method stores account information in the /etc/passwd file in a compatible format. However, the password is stored as a single "x" character (i.e. not actually stored in this file). A second file, called "/etc/shadow", contains the encrypted password as well as other information such as account or password expiration values, etc. The /etc/shadow file is readable only by the root account and is therefore less of a security risk.

/etc/shadow

name:password:lastchange:min:max:warn:inactive:expire:flag

1. User login name, mapped to /etc/passwd

2. Encrypted password. empty = no password, * = no login possible

3. Number of days since 1 Jan 1970 when the password was last changed. Never empty

4. Minimum number of days between password changes (days until a change is allowed). 0 = always allowed to change

5. Maximum number of days the password is valid (days before a change is required). Normal is 10000 days

6. Number of days before expiration that the user will be warned. empty = no warning

7. Number of inactivity days allowed for this user before the account becomes inactive. empty = never inactive

8. Absolute date (days since 1 Jan 1970) beyond which the account will be disabled. empty = will never be disabled

9. A reserved field, for future use

Create / delete shadow

/usr/sbin/pwconv

– Convert passwd --> shadow

/usr/sbin/pwunconv

– Convert shadow --> passwd

• The pwconv command removes the passwords from /etc/passwd and stores them in /etc/shadow.

• The password field in /etc/passwd is replaced by an 'x'.

• The process can be reversed with the pwunconv command.

Make new user

useradd [options] new_user

– Create a new user

– Save user information to /etc/passwd and /etc/shadow

• Options

-u UID – Specify new user ID (default: next available number)

-g GID – Specify default (primary) group (default: other group)

-G GID – A list of supplementary groups which the user is also a member of. Each group is separated from the next by a comma, with no intervening white space.

-c comment – Description of user (default: blank)

-d directory – Specify home directory (default: /home/username)

-m – Make home directory if it does not exist

-k skel_dir – Skeleton directory (default: /etc/skel)

-s shell – Specify login shell (default: /bin/bash)

-D – List system defaults

• Several users are pre-configured and assigned UIDs less than 100: root, bin, daemon, sys, adm, lp, …

• Administration tools allocate UIDs automatically, in general greater than 100.

Make new user

• Example

# groupadd lpiusers
# useradd -g lpiusers -d /home/lpi102 -m -c "LPI's Member" lpi102
# grep lpi102 /etc/passwd
lpi102:x:504:556:LPI's Member:/home/lpi102:/bin/bash
#

Example: list system defaults

# useradd -D
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel

File: login.defs

/etc/login.defs

• MAIL_DIR

– the mail spool directory

• PASS_MAX_DAYS, PASS_MIN_DAYS, PASS_MAX_LEN, PASS_WARN_AGE

– password aging controls

• UID_MIN, UID_MAX

– min/max values for automatic UID selection in useradd

• GID_MIN, GID_MAX

– min/max values for automatic GID selection in groupadd

• CREATE_HOME

– automatically create a home directory with useradd

# cat /etc/login.defs
MAIL_DIR /var/spool/mail
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_MIN_LEN 5
PASS_WARN_AGE 7
UID_MIN 500
UID_MAX 60000
GID_MIN 500
GID_MAX 60000
CREATE_HOME yes
#

Directory: skel

/etc/skel/*

– Contains default files that will be copied to the home directory of newly created users:

• .bashrc

• .bash_profile

• ...

# ls -la /etc/skel/
total 20
drwxr-xr-x   2 root root 4096 Sep  6 18:41 .
drwxr-xr-x  33 root root 4096 Nov  3 10:47 ..
-rw-r--r--   1 root root   24 Feb 11  2003 .bash_logout
-rw-r--r--   1 root root  191 Feb 11  2003 .bash_profile
-rw-r--r--   1 root root  124 Feb 11  2003 .bashrc
#

Change password

passwd [-l] username

-l – Superuser option which locks the account password

• Example

# passwd blobby
New password:
Re-enter new password:
Password changed

Modify user

usermod [options] username

– Changing user attributes

• Options

-d – the user's home directory

-g – the user's initial GID

-l – the user's login name

-u – the user's UID

-s – the default shell

• Notice these options are the same as for useradd.

If you edit the files manually, you risk corrupting them, resulting in users not being able to log in at all. Instead, use the usermod utility.

Changing group membership

• Example

# usermod -g users -c "Henry Blake" henry
# usermod -u 321 -s /bin/ksh majorh
# usermod -e 2004-12-20 majorh

Each user belongs to a primary group:

usermod -g

A user can also belong to secondary groups:

usermod -G

# grep figo /etc/passwd
figo:x:416:400::/home/figo:/bin/bash
# groupadd -g 600 realmadrid
# usermod -g realmadrid figo
# grep realmadrid /etc/group
realmadrid:x:600:figo

Removing users

userdel [option] username

– Remove a user from the system

• Options

-r – This option also removes the home directory

When a user leaves, there are two main concerns:

– Protect the system from unauthorized access via his/her account

– Protect and manage his/her files and directories left on the system.

The userdel command takes care of removing a user account. userdel can remove the user's home directory but does not remove the user's mail, crontab table, atd queues, …

Managing Groups

• Group commands and files

– /etc/group

– /etc/gshadow

– groupadd

– groupmod

– groupdel

– gpasswd

– id

– groups

Groups not only allow for a second level of access control but also allow the members of a group to share files in a secured environment.

Every new user is assigned to an initial (or primary) group. Two conventions exist.

– Traditionally this primary group is the same for all users and is called users, with a group id (GID) of 100. Many Linux distributions adhere to this convention, such as SuSE and Debian.

– The User Private Group scheme (UPG) was introduced by Red Hat and changes this convention without changing the way in which UNIX groups work. With UPG each new user belongs to their own primary group. The group has the same name as the login name (default), and the GID is in the 500 to 60000 range (same as UIDs).

/etc/group

name:password:GID:MEMBERs

1. Group name

2. The group password (or x if a gshadow file exists)

3. The GID

4. A comma-separated list of members

– Contains a list of groups, each on a separate line.

• Example

daemon:x:2:root,bin,daemon

The /etc/group file is world-readable. Each line is a four-field, colon-delimited list including the following information:

Group name

– The name of the group. Used by various utility programs to identify the group.

Group password

– If set, this allows users who are not part of the group to join the group by using the newgrp command and typing the password stored here. If a lower-case x is in this field, then shadow group passwords are being used.

Group ID (GID)

– The numerical equivalent of the group name. It is used by the system and applications when determining access privileges.

Member list

– A comma-delimited list of users in the group.

# cat /etc/group
root:x:0:root
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
....

/etc/gshadow

name:password:GroupAdmins:MEMBERs

1. Group name

2. The group password

3. Group administrators

4. Group members

– Contains an encrypted password for each group.

• Example

general:!!:shelley:juan,bob

The /etc/gshadow file is readable only by the root user, and contains an encrypted password for each group, as well as group membership and administrator information. Just as in the /etc/group file, each group's information is on a separate line. Each of these lines is a four-field, colon-delimited list including the following information:

Group name

– The name of the group. Used by various utility programs to identify the group.

Encrypted password

– The encrypted password for the group. If set, non-members of the group can join the group by typing the password for that group using the newgrp command. If the value of this field is ! then no user is allowed to access the group using the newgrp command. A value of !! is treated the same as a value of !, only it indicates that a password has never been set before. If the value is null, only group members can log into the group.

Group administrators

– Group members listed here (in a comma-delimited list) can add or remove group members using the gpasswd command.

Group members

– Group members listed here (in a comma-delimited list) are regular, non-administrative members of the group.

Group commands

groupadd [option] groupname

– Add a group to the system.

• Option

-g gid – The numerical value of the group's ID. This value must be unique, unless the -o option is used. The value must be non-negative. The default is to use the smallest ID value greater than 500 and greater than every other group. Values between 0 and 499 are typically reserved for system accounts.

• Example

# groupadd -g 501 lpiusers
# cat /etc/group | grep -i lpiusers
lpiusers:x:501:

Group commands

groupmod [option] groupname

– Modify the parameters of a group

• Options

-n NewName – change the name of the group to NewName

-g gid – The numerical value of the group's ID.

• Example

# groupmod -g 505 lpiusers
# cat /etc/group | grep -i lpiusers
lpiusers:x:505:

Group commands

groupdel groupname

– Delete a group from the system.

• Example

# groupdel lpiusers
# cat /etc/group | grep -i lpiusers
#

Group commands

gpasswd groupname

– Change the group's password

• Example

# groupadd lpiusers
# gpasswd lpiusers
Changing the password for group lpiusers
New Password:
Re-enter new password:
#

Create/delete gshadow

/usr/sbin/grpconv

– creates the /etc/gshadow file

/usr/sbin/grpunconv

– deletes the gshadow file

• The grpconv command removes the passwords from /etc/group and stores them in /etc/gshadow.

• The password field in /etc/group is replaced by an 'x'.

• The process can be reversed with the grpunconv command.

Group commands

id

– List user and group IDs

groups

– List groups

• Example

# id
uid=0(root) gid=0(root) groups=0(root), 1(bin), 2(daemon), 3(sys), 4(adm), 10(wheel), 600(sales)
# groups
root bin daemon sys adm wheel sales

A user can belong to any number of groups. However, at any one time (when creating a file, for example) only one group is the effective group.

The list of all groups a user belongs to is obtained with either the groups or id command.

Account security

chage [options] username

– changes the number of days between password changes and the date of the last password change.

• Options

-m – Minimum days

-M – Maximum days

-d – Day last changed

-I – Inactive lock

-E – Expiration (YYYY-MM-DD or MM/DD/YY)

-W – Warning days

# chage -l blobby
Minimum: 0
Maximum: 99999
Warning: 7
Inactive: -1
Last Change: Feb 06, 2002
Password Expires: Never
Password Inactive: Never
Account Expires: Never

# chage -E 4/3/2002 blobby
# chage -l blobby
Minimum: 0
Maximum: 99999
Warning: 7
Inactive: -1
Last Change: Feb 06, 2002
Password Expires: Never
Password Inactive: Never
Account Expires: Apr 03, 2002
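The script below is an added example, not part of this course material: it reads the /etc/passwd and /etc/shadow layouts described earlier and flags the conditions the field descriptions and the chage output imply (a password field left in the world-readable passwd file, an empty shadow password, a second UID 0 account, and expired or soon-expiring passwords and accounts from shadow fields 3, 5, 6 and 8). All account names, hashes and the reference day number 12412 are constructed; on a real host you would read the two files as root instead of the embedded samples.

```shell
#!/bin/sh
# Audit of the /etc/passwd and /etc/shadow field layouts described above.
# Both files are embedded as constructed sample data (made-up accounts,
# placeholder hashes); on a real host read /etc/passwd and /etc/shadow as root.
# Day numbers are days since 1 Jan 1970, as in fields 3 and 8 of /etc/shadow.

PASSWD_SAMPLE='root:x:0:0:Super User:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
lpi102:x:504:556:LPI Member:/home/lpi102:/bin/bash
legacy:$1$EXAMPLE$hashleftinpasswd:510:510:Old account:/home/legacy:/bin/bash
root2:x:0:0:Second UID 0:/home/root2:/bin/bash
guest::520:520:Guest:/home/guest:/bin/bash
figo:x:416:400::/home/figo:/bin/bash
dbadmin:x:530:530:DB admin:/home/dbadmin:/bin/bash'

SHADOW_SAMPLE='root:$1$EXAMPLE$rootplaceholder:12000:0:99999:7:::
bin:*:12000:0:99999:7:::
lpi102:$1$EXAMPLE$lpiplaceholder:12300:0:90:7:::
legacy:!$1$EXAMPLE$lockedplaceholder:12000:0:99999:7:::
root2:$1$EXAMPLE$root2placeholder:12400:0:99999:7:::
guest::12000:0:99999:7:::
figo:$1$EXAMPLE$figoplaceholder:12000:0:99999:7::10592:
dbadmin:$1$EXAMPLE$dbadminplaceholder:12350:0:90:30:::'

# Field 2 of passwd should be the shadow marker x; * and ! mean "no login
# possible". Anything else is an empty field (login without a password) or
# a hash sitting in a world-readable file.
passwd_exposed() {
    printf '%s\n' "$PASSWD_SAMPLE" |
        awk -F: '$2 != "x" && $2 != "*" && $2 != "!" { print $1 }'
}

# Any account besides root with UID 0 is a second superuser.
uid_zero_accounts() {
    printf '%s\n' "$PASSWD_SAMPLE" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# An empty shadow password field lets the account log in with no password.
shadow_no_password() {
    printf '%s\n' "$SHADOW_SAMPLE" | awk -F: '$2 == "" { print $1 }'
}

# Password ageing: last change (field 3) + maximum days (field 5) is the day
# the password expires. Entries locked with ! or * are skipped.
shadow_expired() {
    printf '%s\n' "$SHADOW_SAMPLE" |
        awk -F: -v today="$1" '
            $2 ~ /^[!*]/ { next }
            $5 != "" && $3 + $5 < today { print $1 }'
}

# Passwords still valid but inside the warning window of field 6 (the
# "Warning" value shown by chage -l).
shadow_expiring_soon() {
    printf '%s\n' "$SHADOW_SAMPLE" |
        awk -F: -v today="$1" '
            $2 ~ /^[!*]/ || $5 == "" || $6 == "" { next }
            { left = $3 + $5 - today }
            left >= 0 && left <= $6 { print $1 }'
}

# Field 8 disables the whole account, whatever the password state
# (the "Account Expires" value of chage -l, set with chage -E).
account_expired() {
    printf '%s\n' "$SHADOW_SAMPLE" |
        awk -F: -v today="$1" '$8 != "" && $8 < today { print $1 }'
}

# One labelled report; 12412 is a constructed reference day (December 2003).
audit_report() {
    today="${1:-12412}"
    echo "passwd entries without the x shadow marker: $(passwd_exposed | tr '\n' ' ')"
    echo "extra UID 0 accounts:                       $(uid_zero_accounts | tr '\n' ' ')"
    echo "shadow entries with empty password:         $(shadow_no_password | tr '\n' ' ')"
    echo "expired passwords (day $today):             $(shadow_expired "$today" | tr '\n' ' ')"
    echo "passwords inside their warning window:      $(shadow_expiring_soon "$today" | tr '\n' ' ')"
    echo "expired accounts:                           $(account_expired "$today" | tr '\n' ' ')"
}

audit_report "$@"
```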


Solution with the chage command:

1. Lock the account password until you are ready to remove it:

# chage -E 1999-01-01 figo

2. Save all files owned by the user somewhere outside the home directory:

# find / -user henry -print | cpio -ov | gzip > /hold/henry
# find / -user henry -type f -exec rm -f {} \;
# find / -user henry -type d -depth -exec rmdir {} \;

3. Change the access permissions on the saved files to root only:

# chown root /home/figo ; chmod 700 /home/figo

4. Consider crontab and at jobs set up by the user.

5. Set up mail forwarding to send mail to a manager.

User and Group guidelines User and Group guidelines

• Use passwd command to change the password

# passwd current password : new password: retype new password: Choosing password:

• Not use proper words or names

• Use letters and digits

• Include symbols: !, @, #, $, %, …

• Do not allow guest account to login to your system.

Last updated: 26 December 2003

28

When creating a password, it is a good idea to follow these guidelines:

Do Not Do the Following:

1. Do Not Use Only Words or Numbers — You should never use only numbers or words in a password.

– Some examples include the following: 8675309, juan, hackme

2. Do Not Use Recognizable Words — Words such as proper names, dictionary words, or even terms from television shows or novels should be avoided, even if they are bookended with numbers.

– Some examples include the following: john1, DS-9, mentat123

3. Do Not Use Words in Foreign Languages — Password cracking programs often check against word lists that encompass dictionaries of many languages. Relying on foreign languages for secure passwords is of little use.

– Some examples include the following: cheguevara, bienvenido1, 1dumbKopf

4. Do Not Use Hacker Terminology — If you think you are elite because you use hacker terminology — also called l337 (LEET) speak — in your password, think again. Many word lists include LEET speak.

– Some examples include the following: H4X0R, 1337

5. Do Not Use Personal Information — Steer clear of personal information. If the attacker knows who you are, they will have an easier time figuring out your password if it includes information such as:

• Your name

• The names of pets

• The names of family members

• Any birth dates

• Your phone number or zip code

6. Do Not Invert Recognizable Words — Good password checkers always reverse common words, so inverting a bad password does not make it any more secure.

– Some examples include the following: R0X4H, nauj, 9-DS

7. Do Not Write Down Your Password — Never store your password on paper. It is much safer to memorize it.

8. Do Not Use the Same Password For All Machines — It is important that you make separate passwords for each machine. This way if one system is compromised, all of your machines will not be immediately at risk.

Do the Following:

1. Make the Password At Least Eight Characters Long — The longer the password is, the better. If you are using MD5 passwords, it should be 15 characters long or longer. With DES passwords, use the maximum length - eight characters.

2. Mix Upper and Lower Case Letters — Red Hat Linux is case sensitive, so mix cases to enhance the strength of the password.

3. Mix Letters and Numbers — Adding numbers to passwords, especially when added to the middle (not just at the beginning or the end), can enhance password strength.

4. Include Non-Alphanumeric Characters — Special characters such as &, $, and > can greatly improve the strength of a password.

5. Pick a Password You Can Remember — The best password in the world does you little good if you cannot remember it. So use acronyms or other mnemonic devices to aid in memorizing passwords.
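As an added example (not part of the course text), a shell checker that applies the guidelines above to a candidate password; WORDLIST is a small constructed stand-in for the dictionaries that cracking tools use.

```shell
#!/bin/sh
# Added example, not part of the course text: a checker that applies the
# "Do Not / Do" password guidelines above to a candidate password. WORDLIST
# is a small constructed stand-in for the dictionaries (including LEET terms)
# that cracking tools use; a real deployment would load a full word list.

WORDLIST='juan
hackme
john
mentat
cheguevara
bienvenido
dumbkopf
h4x0r'

# reverse_string TEXT: print TEXT backwards (guideline 6: inverted words are tried too)
reverse_string() {
    printf '%s' "$1" | awk '{ for (i = length($0); i > 0; i--) printf "%s", substr($0, i, 1) }'
}

# in_wordlist TEXT: succeed if TEXT, lower-cased and with digits stripped from
# both ends (guideline 2: "bookended with numbers"), is a listed word
in_wordlist() {
    w=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/^[0-9]*//; s/[0-9]*$//')
    [ -n "$w" ] || return 1
    printf '%s\n' "$WORDLIST" | grep -qxF -- "$w"
}

# has_class TEXT CLASS: succeed if TEXT contains a character of the POSIX class
has_class() {
    printf '%s' "$1" | grep -q "[[:$2:]]"
}

# check_password PASSWORD: print one line per violated guideline and return 0
# only when none is violated
check_password() {
    pw=$1
    rc=0
    if [ "${#pw}" -lt 8 ]; then
        echo "shorter than 8 characters"; rc=1
    fi
    if ! has_class "$pw" lower || ! has_class "$pw" upper; then
        echo "no mix of upper and lower case letters"; rc=1
    fi
    if ! has_class "$pw" alpha || ! has_class "$pw" digit; then
        echo "no mix of letters and numbers"; rc=1
    fi
    if ! printf '%s' "$pw" | grep -q '[^[:alnum:]]'; then
        echo "no non-alphanumeric character"; rc=1
    fi
    if in_wordlist "$pw" || in_wordlist "$(reverse_string "$pw")"; then
        echo "recognizable word, or its reverse, from the word list"; rc=1
    fi
    return $rc
}
```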

Part 2

User Environment

/etc/profile

$ cat /etc/profile
if [ `id -u` = 0 ]; then
    pathmunge /sbin
    pathmunge /usr/sbin
    pathmunge /usr/local/sbin
fi
# No core files by default
ulimit -S -c 0 > /dev/null 2>&1
USER="`id -un`"
LOGNAME=$USER
MAIL="/var/spool/mail/$USER"
HOSTNAME=`/bin/hostname`
HISTSIZE=1000
export PATH USER LOGNAME MAIL HOSTNAME HISTSIZE INPUTRC
<....>

/etc/profile

Files and commands to be executed at login or startup time by the Bourne or C shells. These allow the system administrator to set global defaults for all users.

/etc/profile.d

Shell scripts to be executed upon login to the Bourne or C shells. These scripts are normally called from the /etc/profile file.

Environment Files

SYSTEM WIDE: /etc/profile, /etc/bashrc

PER USER (USER 1, USER 2, USER 3, each in their own home directory): ~/.bash_profile, ~/.bash_login, ~/.profile, ~/.bashrc, ~/.bash_logout, ~/.inputrc

Environment Files

• login: /etc/profile is read first, then the first of these files that exists: ~/.bash_profile; if it is not found, ~/.bash_login; if that is not found, ~/.profile

• bash start (a new interactive shell): /etc/bashrc, then ~/.bashrc

• logout: ~/.bash_logout

Environment Variables commands

• set

– shows all variables (local and exported)

• env

– shows only exported variables

• unset

– used to remove variables

Environment Variables commands

• export

– shows exported variables

• export VAR=value

– marks VAR as an exported (global) variable

LOCAL: the parent sets VAR=value; the child sees VAR=?? (the variable is not inherited)

GLOBAL: the parent runs export VAR=value; the child sees VAR=value

When you define a new variable as a local variable (without export), child processes cannot use it.

A global variable (with export) can be used by child processes.

Summary

• Manage users and group accounts and related system files

• Tune the user environment and system environment variables

Key files, terms, and utilities include:

Files: /etc/passwd, /etc/shadow, /etc/group, /etc/gshadow, /etc/profile, /etc/skel

Commands: chage, gpasswd, groupadd, groupdel, groupmod, grpconv, grpunconv, passwd, pwconv, pwunconv, useradd, userdel, usermod, env, export, set, unset

LPI 102 Linux Junior Level Administration

Chapter 03

Shells, Scripting and Programming

Objectives

• Identify Linux shell environments

• Write and configure BASH scripts using variables, flow control, interactive input, functions, arithmetic and arrays

LPI Topics

1.109.1 Customize and use the shell environment

Candidates should be able to customize shell environments to meet users' needs. This objective includes setting environment variables (e.g. PATH) at login or when spawning a new shell. It also includes writing bash functions for frequently used sequences of commands.

Introduction

• The shell is an interface between the OS and the user. It provides:

– A facility for launching and managing commands and programs

– An operating environment

– A programming language

– ...

# cat test.sh
#!/bin/bash
cd /var/log
grep "Error" *.log

Shell script:

– a text file that contains a list of commands, variables, comments, flow control structures, loops, functions, …

– All comments begin with # except #!

Shell Configuration Files

• Types of configuration files:

– Global (system-wide): apply to all users.

– Local: apply to each user.

• bash configuration files:

– Global: /etc/profile

– Local:

• ~/.bash_profile

• ~/.bash_login

• ~/.profile

Types of shell:

– Bourne shell (sh)

– Bourne Again shell (bash)

– Korn shell (ksh)

– C shell (csh, tcsh)

– ...

A new shell is started when a program is started, and it has a separate environment: parameters, variables, functions, aliases ...

Shell Environment

• Environment: variables, functions, aliases, ...

• Types of variables: local (shell variable), global (environment variable)

• Commands

– set : define a new variable

– unset : undefine a variable

– export : make a local variable become a global variable

– set : list all local variables

– env : list all global variables

Default environment variables:

– PS1, PS2

– HOME, PATH, PWD

– LOGNAME

– SHELL

– PAGER, LPDEST, DISPLAY

– ...

Redirecting Input and Output

• Redirect input : use (<) or (0<)

# mailx admin@saigonctt.com < content

• Redirect output, overwrite : use (>) or (1>)

# ls -l > list_file

( Use set -o noclobber : prevents file overwriting )

Redirecting Input and Output

• Redirect output, append : use (>>)

# ls -l >> list_file

• Redirect error : use (2>)

# ls -l > list_file 2>&1

Pipe and Back ticks ` `

• Pipe ( | ) : command1 | command2

– Output of command1 becomes input of command2

# ls -l | grep samba

• Back ticks (` `) or "$()"

# which passwd
/usr/bin/passwd
# ls -l /usr/bin/passwd

# ls -l `which passwd`

Shell Script Variables

• Naming :

– must not begin with a digit, usually in upper case letters

• Assigning : no SPACES around "="

VAR=value : assign the string value to VAR

VAR=`cmd` : the same as VAR=$(cmd), assigns the output of cmd to VAR

# VAR1=`ls /var/log | wc -l`
# echo $VAR1
65

Shell Script Variables

• Variable declaration:

$ declare [options] VAR=value

• Options:

-i integer

-r read-only

-x export: variable retains its value outside the script

declare -i vcount=1

declare -r vwellcome='Hello World'

Shell Script Variables

• Single quotation ' '

– Ignores all special characters

• Double quotation " "

– Ignores all special characters, except $ ` ` \

# VAR="Hello World"
# echo "$VAR"
Hello World
# echo '$VAR'
$VAR

Variable Notation

• Use ${VAR}

# VAR1="This is a String" ; echo $VAR1
This is a String
# VAR2="$VAR1xyz" ; echo $VAR2

(nothing is printed: the shell expands the undefined variable VAR1xyz, so VAR2 is empty)

# VAR3="${VAR1}xyz" ; echo $VAR3
This is a Stringxyz
# VAR4='${VAR1}xyz' ; echo $VAR4
${VAR1}xyz

Passing Information to Scripts

• On the command line, information can be passed to a script through pre-set positional parameters

– $0 The name of the script

– $1-$9 Parameters being passed to the script

– $* List of all arguments entered on the command line

– $# Number of parameters

– $! PID of the most recent background command

– $$ PID of the current SHELL

The shift command moves the positional parameters one or more positions: the value of $2 moves into $1, the value of $3 into $2, and so on

Return codes/Exit status

• The variable $? contains the return code of the previously executed command or application.

– 0 Success

– ≠0 Failure

• The exit n command will cause the script to quit and assign the value n to the $? variable

Flow control

• Loop : do something more than one time

• Loop commands : for, while, until

The for Loop

• Syntax :

for VAR in LIST
do
    # list of commands to do
done

The for Loop Example

• This script will rename all .txt files in the current directory to .html

#!/bin/bash
for file in $(ls *.txt)
do
    newname="$(basename $file .txt).html"
    mv $file $newname
done

The while and until Loops

• Syntax :

while CONDITION
do
    # list of commands to do
done

until CONDITION
do
    # list of commands to do
done

The while loop Example

• Code:

count=0
while [ $count -lt 4 ]
do
    echo $count
    count=$((count+1))
done

• Output :

0
1
2
3

The until loop Example

• Code:

count=0
until [ $count -ge 4 ]
do
    echo $count
    count=$((count+1))
done

• Output :

0
1
2
3

Tests and Conditions

• Test command

test

• Options:

-d FILE : FILE exists and is a directory

-f FILE : FILE exists and is a regular file

-e FILE : FILE exists

-x FILE : FILE is executable

-r FILE : FILE is readable

-w FILE : FILE is writable

-O FILE : FILE is owned by your UID

Example: does bash exist and is it executable ?

test -x /bin/bash

Or

[ -x /bin/bash ]

Condition Operators

-lt : <

-gt : >

-le : <=

-ge : >=

-eq : =

-ne : !=

Ex:

$VAR1 -eq $VAR2 : VAR1 = VAR2

Tests and Conditions

• Test : use "[ ]" around the expression

• If-then-else structure:

if [ exp1 ]   # include SPACEs inside the brackets
then
    # commands to do if exp1 is true
elif [ exp2 ]
then
    # commands to do if exp2 is true
else
    # commands to do if neither exp1 nor exp2 is true
fi

Example: scriptx.sh

#!/bin/bash
declare name
declare cmd
echo -n "Enter name: " ; read name
cmd=$1
if [ "$1" = "Hello" ]
then
    echo "Hello $name"
elif [ "$cmd" = "Good-bye" ]
then
    echo "Bye $name"
else
    echo "Did not understand"
fi

Structure case

case expression in
    pattern1 )
        action ;;
    pattern2 )
        action ;;
    * )
        default action ;;
esac

Where:

text)    Condition Text

D|d)     Multiple values for conditions: | = or

*)       Default case

;;       End of condition (break)

case Test Example

#!/bin/bash
echo; echo "Hit a key, then hit return."
read Keypress
case "$Keypress" in
    [a-z] ) echo "Lowercase letter"
    ;;
    [A-Z] ) echo "Uppercase letter"
    ;;
    [0-9] ) echo "Digit"
    ;;
    * ) echo "Punctuation, whitespace, or other"
    ;;
esac

Command read

• We can input information into a script while executing the script

• Commands : read, select

• read allows reading values into variables

• Syntax :

– read VAR1 VAR2 …

• If there is more input than you are looking for, all the extras are put in the last variable.

Command read Example

#!/bin/bash
echo "Enter 2 numbers, I will add them"
read VAR1 VAR2
echo "$VAR1 + $VAR2 = $(($VAR1+$VAR2))"

Command select

• It is great for creating menus

• Syntax :

select VAR in LIST
do
    # commands
done

Command select

#!/bin/bash
echo
select vday in "MON" "WED" "FRI"
do
    echo
    echo "Select $vday."
    echo
    break    # if no 'break' here, keeps looping forever.
done

Functions

• Syntax :

function function_name () {
    # commands
}

Or

function_name () {
    # commands
}

– Functions can be called in the main script by the function's name.

– A function inherits ALL parameters of the main script

– We can change the return code of a function by using the return n command

Additional functions

• seq x y : the set of numbers " from x to y "

Ex:

for vitem in $(seq 1 10)
do
    # commands
done

• expr : evaluate an expression

Ex:

echo `expr 1 + 1`

Deploy

• Step 1 :

– create the script file (cat, vi, mc, ...) and enter the script code.

• Step 2 :

– add execute permission mode to the file ( chmod u+x file )

• Step 3 :

– run it (add the script directory to the PATH environment variable or use the absolute path)
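As an added example (not one of the course scripts), a log-scanning script in the spirit of test.sh from the Introduction, written with the constructs covered in this chapter: positional parameters and shift, test, if/elif/else, case, a while loop, functions with return codes and exit status. The sample log files it scans are constructed by make_sample_logs.

```shell
#!/bin/bash
# Added example, not part of the course slides: a log-scanning script in the
# spirit of test.sh above (grep "Error" *.log), built from the constructs this
# chapter covers: positional parameters and shift, test/[ ], if/elif/else,
# case, a while loop, functions with their own return codes, and $? / exit.
# The sample log files are constructed by make_sample_logs so it runs offline.

# count_errors FILE: print the number of lines containing "Error".
# Return 1 if FILE is missing or unreadable, 2 if it is not a regular file.
count_errors() {
    if [ ! -e "$1" ] || [ ! -r "$1" ]; then
        echo 0; return 1
    elif [ ! -f "$1" ]; then
        echo 0; return 2
    fi
    n=$(grep -c "Error" "$1") || true   # grep -c exits 1 when nothing matches
    echo "$n"
    return 0
}

# describe_file NAME: classify a file name by suffix, using case patterns
describe_file() {
    case "$1" in
        *.log)  echo "log file" ;;
        *.txt)  echo "text file" ;;
        *.html) echo "html file" ;;
        *)      echo "other" ;;
    esac
}

# scan_logs FILE...: sum the error counts of all arguments, consuming them
# with shift; print the total and return 0 only if every file was readable
scan_logs() {
    total=0
    bad=0
    while [ $# -gt 0 ]; do
        n=$(count_errors "$1") || bad=$((bad+1))
        total=$((total+n))
        shift
    done
    echo "$total"
    [ "$bad" -eq 0 ]
}

# make_sample_logs DIR: write constructed sample logs (not real system logs)
make_sample_logs() {
    mkdir -p "$1"
    printf '%s\n' 'Jan  1 10:00:00 host sshd: Accepted publickey for alice' \
                  'Jan  1 10:01:00 host kernel: Error on device hda' > "$1/messages.log"
    printf '%s\n' 'Error: disk full' 'Error: disk full' 'all clear' > "$1/app.log"
    : > "$1/empty.log"
}

# Usage: ./scanlogs.sh FILE...  (exit status 1 if any file could not be read)
if [ $# -gt 0 ]; then
    scan_logs "$@"
    exit $?
fi
```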

Summary

• Identify Linux shell environments

• Write and configure BASH scripts using variables

• Flow control

• Interactive input, functions

Key files, terms, and utilities include:

~/.bash_profile

~/.bash_login

~/.profile

~/.bashrc

~/.bash_logout

~/.inputrc

function (Bash built-in command)

export

env

set (Bash built-in command)

unset (Bash built-in command)

LPI 102 Linux Junior Level Administration

Chapter 4

Boot, Initialization, Shutdown and Runlevels

Objectives

• giving commands to the boot loader.

• giving options to the kernel at boot time.

• checking the events in the log files.

• changing to single user mode.

• shutting down or rebooting the system.

• alerting users before switching runlevel.

• setting the default runlevel.

LPI topics:

1.106.1 Boot the system

Candidates should be able to guide the system through the booting process. This includes giving commands to the boot loader and giving options to the kernel at boot time, and checking the events in the log files.

1.106.2 Change runlevels and shutdown or reboot system

Candidates should be able to manage the runlevel of the system. This objective includes changing to single user mode, shutdown or rebooting the system. Candidates should be able to alert users before switching runlevel, and properly terminate processes. This objective also includes setting the default runlevel.

Boot stages

1. BIOS Stage

– BIOS checks the system (POST - Power On Self Test)

2. Bootloader Stage

– The bootloader loads the second stage into memory

3. Kernel Stage

– The Kernel is loaded into memory

4. Init Stage

– init loads all services and user space tools and mounts everything listed in /etc/fstab

Stage 1:

– POST

• Check the system board

• Check memory

• Check system configuration

• Start the video operation

• ...

– Check the bootloader in the MBR (Master Boot Record)

Stage 2:

– Lilo

1. Firmware loads the LILO bootsector and executes it.

2. LILO loads its map file

3. The user selects which kernel to boot

4. LILO loads the kernel

5. LILO executes the kernel

– Grub

GRUB is a more advanced bootloader than LILO

1. Firmware loads the GRUB bootsector and executes it.

2. The code is loaded using the BIOS, with knowledge of the filesystem

3. GRUB puts up a menu of defined boot options

Stage 3:

– The RAM disk

• load the initial ramdisk

• load the kernel into memory

– nash

• is a very simple script interpreter - not a shell

• designed to run simple linuxrc scripts

– Kernel stages

• the kernel takes over from the bootloader

• the kernel and the initial RAM disk image are already in memory.

Stage 4:

– The final step of the boot process is handled by /sbin/init

– Runlevel Scripts

• init calls the rc script with an argument that tells it which is the target runlevel.

Giving kernel options to the bootloader

• The list of options supported by the current kernel can be found in /usr/src/linux/Documentation/kernel-parameters.txt

• The kernel options used are always readable from the file /proc/cmdline

• Example: options given to the LILO bootloader

LILO boot: linux aha152x=0x300,10,7

• Means that the Adaptec SCSI adapter is at address 0x300, IRQ 10 and SCSI-ID 7

Before the kernel loads it is normally possible to give kernel options on the boot loader command line. These can be SCSI adapter addresses, root partition, VGA terminal mode, default runlevel, etc.

Giving kernel options to the bootloader

• Kernel options that must always be used can be entered in the bootloader's configuration file.

• LILO

append="vga=791 hdc=ide-scsi splash=verbose acpi=off"

• GRUB

kernel (hd0,2)/boot/vmlinuz.2.4.20 root=/dev/hda3 vga=791 splash=verbose

Note: Options are separated with a space but are continuous within an option.

/etc/modules.conf (or /etc/conf.modules)

• Kernels can be of 2 types:

– Monolithic: All device drivers are compiled into the kernel.

– Modular: Some device drivers are compiled as loadable modules.

• Module configuration file:

– New name: /etc/modules.conf

– Old name: /etc/conf.modules

For modular kernels the modules can be loaded/unloaded manually or automatically. The file holds the parameters needed to define the addresses, irq, dma, etc. for a module, as well as their system alias names.

Boot Log files

• As the kernel boots it saves its log messages in an internal buffer which is readable with the command dmesg

• Most of the system messages, including kernel messages, are stored in

– /var/log/messages

• The command

– tail -f /var/log/messages

allows you to read the last 10 lines of the log file, refreshing it once a second.

LiLo configuration file

• This file is read by the LiLo boot loader.

$cat /etc/lilo.conf
prompt
timeout=50
default=linux
boot=/dev/sda
map=/boot/map
image=/boot/vmlinuz-2.4.20-8
    label=linux
    initrd=/boot/initrd-2.4.20-8.img
    read-only
    append="root=LABEL=/"

The /etc/lilo.conf file contains options and kernel image information. Popular LILO directives are:

boot The name of the hard disk partition that contains the boot sector.

image Refers to a specific kernel file.

install The file installed as the new boot sector.

label Provides a label, or name, for each image.

map Directory where the map file is located.

prompt Prompts the user for input (such as kernel parameters or runlevels) before booting.

read-only The root filesystem should initially be mounted read-only.

root Used following each image, this specifies the device that should be mounted as the / (root) directory.

timeout The amount of time, in tenths of a second, that the system waits for user input.

Grub configuration file

• This file is read by the Grub boot loader.

• Location:

– /boot/grub/grub.conf <= original file

– /etc/grub.conf <= soft link

– /boot/grub/menu.lst <= soft link

$ cat /etc/grub.conf
default=0
timeout=10
splashimage=(hd0,0)/grub/splash.xpm.gz
title Red Hat Linux (2.4.20-8)
    root (hd0,0)
    kernel /vmlinuz-2.4.20-8 ro root=LABEL=/
    initrd /initrd-2.4.20-8.img

Some explanations. default=0 and timeout=10 mean that unless I say otherwise, Grub will load the first operating system (again counting from zero) - Fedora Core 2.

splashimage=(hd0,0)/grub/splash.xpm.gz is the full name of the pretty splash image that is placed behind the Grub menu.

Runlevels

• The default runlevel is defined in /etc/inittab

id:5:initdefault:

– Will start the system in runlevel 5

Runlevel   Description

0          Shutdown

1          Single user mode

2          Multi-user mode (without Network)

3          Full multi-user mode

4          unused

5          Full multi-user and GUI mode (redhat)

6          Reboot

A runlevel is a software configuration of the system which starts a selected group of processes.

Runlevels are identified by: 0 1 2 3 4 5 6 S and s

S & s Scripts to run before entering runlevel 1 (single login).

The /etc/init.d directory

/etc/init.d

rc.sysinit The startup script launched by init at boot time.

rc.local A script for local startup customizations, started automatically after the system is running.

rc A script used to change runlevels.

rc[0-6].d Directories containing symlinks to scripts in /etc/init.d

Names of the links are in the format

[K|S][nn][init.d_name]

– K and S prefixes mean kill and start, respectively.

– The script names starting with S are run with the argument start, and the ones with K are run with the argument stop.

– Upon entering a new runlevel: K scripts are run if their equivalent S scripts had been started in the previous runlevel, S scripts are run if they had not already been started in the previous runlevel.

– Therefore on each change of runlevel, the rc script checks the scripts of the previous and new runlevels to determine which K or S scripts should be run.

– nn is a sequence number controlling startup or shutdown order.

– init.d_name is the name of the script being linked.

Displaying the current runlevel

runlevel

– Find the current and previous system runlevel.

• Example

# runlevel
N 3

• The command runlevel displays the previous ('N' if None) and the current runlevel

• The previous runlevel was None (after booting) and the present one is 3

Changing the runlevel

telinit

– Changes the current runlevel.

– /sbin/telinit is linked to /sbin/init.

• Example

• restart the system:

# init 6

• change to single user mode:

# init 1

The following arguments serve as directives to telinit:

0,1,2,3,4,5,6 switch to the specified run level.

a,b,c process only those /etc/inittab file entries having runlevel a,b or c.

Q or q re-examine the /etc/inittab file.

S or s switch to single user mode.

U or u re-execute itself (preserving the state). The /etc/inittab file is not re-examined. Run level should be one of Ss12345, otherwise the request will be silently ignored.

telinit (or init) can also tell the init process how long it should wait between sending processes the SIGTERM and SIGKILL signals when shutting down a runlevel service. The default is 5 seconds, but this can be changed with the -t sec option.

/etc/inittab file format

• Each line starting with '#' is a comment.

• Each entry uses one line.

• Each entry's syntax is as follows:

id:runlevels:action:process

id

A unique sequence of 1-4 characters which identifies an entry in inittab. Note: For gettys or other login processes, the id field should be the tty suffix of the corresponding tty, e.g. 1 for tty1. Otherwise, the login accounting might not work correctly.

runlevels

Lists the runlevels for which the specified action should be taken. The runlevels field may contain multiple characters for different runlevels. For example, 123 specifies that the process should be started in runlevels 1, 2, and 3.

action

Describes which action should be taken (see below).

process

Specifies the process (or command) to be executed.

Most common actions:

respawn

The process will be restarted whenever it terminates (e.g. getty).

wait

The process will be started once when the specified runlevel is entered and init will wait for its termination.

once

The process will be executed once when the specified runlevel is entered.

boot

The process will be executed during system boot. The runlevels field is ignored.

bootwait

The process will be executed during system boot, while init waits for its termination (e.g. /etc/rc). The runlevels field is ignored.

off

This does nothing.

initdefault

An initdefault entry specifies the default runlevel to use. If not specified, init will ask for a runlevel on the console. The process field is ignored.

ctrlaltdel

The process will be executed when init receives the SIGINT signal. This means that someone on the system console has pressed the CTRL-ALT-DEL key combination. Typically one wants to execute some sort of shutdown either to get into single-user level or to reboot the machine. Often used to reboot the machine in many distributions.

See man inittab for more info on other actions like: sysinit, powerwait, powerfail, powerokwait, powerfailnow, resume, kbrequest, ondemand.
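As an added example (not part of the course material), two small parsers for the formats described in this chapter: the id:runlevels:action:process entries of /etc/inittab, and the [K|S][nn][init.d_name] link names of the rc[0-6].d directories. SAMPLE_INITTAB is a constructed sample, not a real system file.

```shell
#!/bin/sh
# Added example, not part of the course slides: small parsers for the two
# formats described above, the id:runlevels:action:process entries of
# /etc/inittab and the [K|S][nn][init.d_name] link names of /etc/rc[0-6].d.
# SAMPLE_INITTAB is constructed for this example and is not a real file.

SAMPLE_INITTAB='# constructed sample inittab (not a real system file)
id:5:initdefault:
si::sysinit:/etc/rc.d/rc.sysinit
l0:0:wait:/etc/rc.d/rc 0
l6:6:wait:/etc/rc.d/rc 6
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
1:2345:respawn:/sbin/mingetty tty1
x:5:respawn:/etc/X11/prefdm -nodaemon'

# inittab_default_runlevel INITTAB_TEXT: print the runlevel of the initdefault
# entry (comment lines skipped); fail when there is none, which is the case
# where init would ask for a runlevel on the console
inittab_default_runlevel() {
    printf '%s\n' "$1" | grep -v '^#' |
        awk -F: '$3 == "initdefault" { print $2; found = 1 } END { exit !found }'
}

# inittab_entries_for RUNLEVEL INITTAB_TEXT: print "id action process" for each
# entry whose runlevels field contains RUNLEVEL (entries with an empty field,
# such as sysinit or ctrlaltdel, are not tied to a runlevel and are left out)
inittab_entries_for() {
    printf '%s\n' "$2" | grep -v '^#' |
        awk -F: -v rl="$1" 'index($2, rl) { print $1, $3, $4 }'
}

# rc_link_decode NAME: turn an rc[0-6].d link name such as S10network into
# "start 10 network" (K -> stop); fail on names outside the [K|S][nn][name] format
rc_link_decode() {
    case "$1" in
        S[0-9][0-9]?*) action=start ;;
        K[0-9][0-9]?*) action=stop ;;
        *)             return 1 ;;
    esac
    seq_no=$(printf '%s' "$1" | cut -c2-3)
    script=$(printf '%s' "$1" | cut -c4-)
    echo "$action $seq_no $script"
}

# rc_run_order LINK...: decode the links in the order the rc script handles
# them: all K links first, then all S links, each group by sequence number
rc_run_order() {
    {
        for n in "$@"; do case "$n" in K*) echo "$n" ;; esac; done | sort
        for n in "$@"; do case "$n" in S*) echo "$n" ;; esac; done | sort
    } | while read -r link; do rc_link_decode "$link"; done
}
```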

Shutting down the system properly

• Before the system is turned off, it needs to:

– shut down every current runlevel service properly;

– unmount all filesystems

• Shutdown

– init 0

– shutdown -h now

– halt

– poweroff

• Reboot

– init 6

– shutdown -r now

Reboot the system. If /etc/inittab is set accordingly, pressing CTRL-ALT-DEL will also reboot the system.

shutdown -c

– Cancels the already scheduled shutdown.

Note:

The reboot, poweroff and suspend commands are symbolic links to halt.

shutdown command

shutdown [options] time

– bring the system down.

• Options

-c            Cancels a shutdown

-f            Will not run fsck on the reboot

-F            This WILL run fsck on reboot

-h            Halts system after shutdown

-k            Sends warning / does not shutdown

-n            Shuts down without calling init

-r            Reboots, does not halt

-t {Seconds}  Delay time after killing process (before init)

Time format:

now       Well...NOW!

+2m       In 2 minutes

4         In 4 minutes

hh:mm     At the specified time

Command access rights:

The file /etc/shutdown.allow may contain user names (one per line) who have permission to run the shutdown command.

Summary

• giving commands to the boot loader.

• giving options to the kernel at boot time.

• checking the events in the log files.

• changing to single user mode.

• shutting down or rebooting the system.

• alerting users before switching runlevel.

• setting the default runlevel.

Key files, terms, and utilities include:

/var/log/messages

/etc/conf.modules or /etc/modules.conf

dmesg

LILO

GRUB

/etc/inittab

shutdown

init

LPI 102 Linux Junior Level Administration

Chapter 05

The Linux Kernel

Objectives

• managing a kernel and kernel loadable modules

• loading and unloading modules as appropriate

• customizing the current kernel

• configuring and building a new kernel

• building kernel modules as appropriate.

• installing the new kernel as well as any modules

LPI Topics:

1.105.1 Manage/Query kernel and kernel modules at runtime

Description: Candidates should be able to manage and/or query a kernel and kernel loadable modules. This objective includes using command-line utilities to get information about the currently running kernel and kernel modules. It also includes manually loading and unloading modules as appropriate. It also includes being able to determine when modules can be unloaded and what parameters a module accepts. Candidates should be able to configure the system to load modules by names other than their file name.

1.105.2 Reconfigure, build, and install a custom kernel and kernel modules

Description: Candidates should be able to customize, build, and install a kernel and kernel loadable modules from source. This objective includes customizing the current kernel configuration, building a new kernel, and building kernel modules as appropriate. It also includes installing the new kernel as well as any modules, and ensuring that the boot manager can locate the new kernel and associated files (generally located under /boot, see objective 1.102.2 for more details about boot manager configuration).

The Linux Kernel

• It's loaded at the initial bootup of a Linux system and manages activities: I/O, memory, processes, network interfaces, …

• A kernel can be built with 2 basic options:

– Device drivers can be built directly into the kernel binary itself

– Device drivers can be built as external modules to the kernel

Why would you want to build a new kernel? (newer hardware, faster, more stable, …)

Kernel Version Numbering

• Kernel version numbers:

1. The major number

2. The minor number

3. The micro number (patch number)

4. The patch level, applied by kernel maintainers

• Example

2.4.7-10

View the kernel version with the command: # uname -r

Kernel Version Numbering

• Kernel version numbering is very structured:

- The minor number is even = stable version

- The minor number is odd = development version

- A patch constitutes a more precise measurement of the kernel version.

• To find out what kernel you are running:

# uname -r

Notes: All patches to the kernel are cumulative. You simply have to obtain and apply the latest patch for the kernel to be sure you have the most up-to-date patched support.

There are many changes from 2.2 to 2.4

- Itanium and X86-64 AMD Hammer CPU support

- Improved PnP/hot swappable device recognition

- Journaling file systems: ext3, ReiserFS, JFS, ...

- …
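As an added example (not part of the course material), a shell function that splits a release string of the form major.minor.micro-patchlevel, as printed by uname -r, into its parts and classifies the series by the parity rule above; it assumes the 2.x numbering scheme this chapter describes.

```shell
#!/bin/sh
# Added example, not part of the course slides: split a release string of the
# form major.minor.micro-patchlevel (as printed by uname -r) into its parts and
# apply the rule above that an even minor number means a stable series and an
# odd one a development series (the 2.x numbering scheme this chapter uses).

# kernel_version_parts RELEASE: print "major minor micro patchlevel", with
# patchlevel shown as "-" when the distributor suffix is absent; fail on
# strings that do not start with three dot-separated numbers
kernel_version_parts() {
    printf '%s\n' "$1" | awk -F'[.-]' '
        NF < 3 || $1 !~ /^[0-9]+$/ || $2 !~ /^[0-9]+$/ || $3 !~ /^[0-9]+$/ { exit 1 }
        {
            # everything after "major.minor.micro-" is the maintainer patch level
            base = length($1) + length($2) + length($3) + 2
            patch = (length($0) > base) ? substr($0, base + 2) : "-"
            print $1, $2, $3, patch
        }'
}

# kernel_series_class RELEASE: print "stable" or "development" from the minor number
kernel_series_class() {
    parts=$(kernel_version_parts "$1") || return 1
    set -- $parts
    if [ $(($2 % 2)) -eq 0 ]; then
        echo stable
    else
        echo development
    fi
}
```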

uname command

uname [options]

– Get name and information about the current kernel

• Options

-a Combine all the system information.

-o Print the operating system name.

-r Print the release number of the kernel.

• Example

# uname -a
Linux lpilabs 2.4.20-8 #1 Thu Mar 13 17:54:28 EST 2003 i686 i686 i386 GNU/Linux

Some other options:

-i Print the system's hardware platform.

-m Print the name of the hardware the system is running on.

-n Print the machine's hostname.

-p Print the type of processor (not available on all versions).

-v Print build information about the kernel.

Example:

$ uname -n
lpilabs
$ uname -p
i686
$ uname -v
#1 Thu Mar 13 17:54:28 EST 2003
$ uname -o
GNU/Linux
$ uname -r
2.4.20-8
$ uname -i
i386
$ uname -m
i686

make command

make [targets]

– Determines which pieces of a large program need to be recompiled and compiles them.

– Executes commands in the Makefile to update programs or module components.

Ref: More about the make command and Makefile in the LPI-101 course.

command make

• [targets]

– config      Configure a new kernel line by line in text mode (one question per option)

– menuconfig  Configure a new kernel by text menu (ncurses-based colour menus, radiolists and dialogs)

– xconfig     Configure a new kernel by graphical menu (requires the X Window System)

==> All three methods save the configuration file as /usr/src/linux/.config

Interface menuconfig

[Screenshot: the make menuconfig interface]

Interface xconfig

[Screenshot: the make xconfig interface]

command make

• [targets]

– oldconfig  Configure a new kernel using an older .config file

– clean      Delete the *.o object files

– dep        Create the .depend file (2.4 and earlier kernels; not needed from 2.6 onward)

make oldconfig

– Defaults all questions to the contents of your existing ./.config file. It is often easier to configure a new kernel using an older .config file with make oldconfig: it prompts the user only for features that are new in the kernel source tree (if the kernel is newer or has been patched).

make clean

– The make command gets its instructions from the Makefile and builds what is needed. If some files are already present, in particular files with the *.o extension, make uses them as they are. To make sure that all the configuration options in .config are used to rebuild the files needed, run make clean first.

make dep

– Creates the .depend file, which records the header files (in /usr/src/linux/include) that each source file depends on.

/usr/src/linux/.config

• Verify: loadable module support is enabled

# grep -i module .config
# Loadable module support
CONFIG_MODULES=y

• Verify: ext3 support (here built as a module, =m)

# grep -i ext3 .config
CONFIG_EXT3_FS=m
CONFIG_EXT3_INDEX=y
CONFIG_EXT3_FS_XATTR=y
CONFIG_EXT3_FS_XATTR_SHARING=y
CONFIG_EXT3_FS_XATTR_USER=y
CONFIG_EXT3_FS_POSIX_ACL=y

Values are y (built into the kernel), m (built as a loadable module), a quoted string or number, or a commented "# CONFIG_... is not set" line for a disabled option.
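Checking options by hand with grep works for one or two settings. The following added example (not code from the course or from the kernel tree) parses a .config in the same key=value format, including the "# CONFIG_FOO is not set" form, and reports which required options are missing. The SAMPLE_CONFIG text is constructed for the demonstration; the option names are real 2.4 kernel options.

```python
"""Check a kernel .config for required options.

Added example, not from the course page: parses the key=value format
of /usr/src/linux/.config (including "# CONFIG_FOO is not set") and
reports whether a list of required options is satisfied.
SAMPLE_CONFIG below is constructed for this example.
"""
import re

SAMPLE_CONFIG = """\
#
# Automatically generated make config: don't edit
#
CONFIG_X86=y
# Loadable module support
CONFIG_MODULES=y
CONFIG_MODVERSIONS=y
# CONFIG_KMOD is not set
CONFIG_EXT3_FS=m
CONFIG_EXT3_FS_XATTR=y
CONFIG_EXT3_FS_POSIX_ACL=y
CONFIG_LOCALVERSION="-lab"
"""

_SET_RE = re.compile(r'^(CONFIG_\w+)=(.*)$')
_UNSET_RE = re.compile(r'^# (CONFIG_\w+) is not set$')


def parse_kconfig(text):
    """Return {option: value}; options marked "is not set" map to 'n'.

    Values are 'y' (built in), 'm' (module), 'n' (off) or the literal
    string/number of a string or int option (surrounding quotes removed).
    """
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        m = _SET_RE.match(line)
        if m:
            name, value = m.groups()
            opts[name] = value.strip('"')
            continue
        m = _UNSET_RE.match(line)
        if m:
            opts[m.group(1)] = 'n'
    return opts


def check_required(opts, required):
    """Compare parsed options against {option: set of acceptable values}.

    Returns a list of (option, actual_value) for every requirement not
    met; an empty list means the .config is acceptable. An option that
    does not appear in .config at all is treated as off ('n').
    """
    problems = []
    for name, acceptable in required.items():
        actual = opts.get(name, 'n')
        if actual not in acceptable:
            problems.append((name, actual))
    return problems


# What the slide verifies: module loading enabled, ext3 available
# either built in (y) or as a module (m).
REQUIRED = {
    'CONFIG_MODULES': {'y'},
    'CONFIG_EXT3_FS': {'y', 'm'},
}

if __name__ == '__main__':
    parsed = parse_kconfig(SAMPLE_CONFIG)
    problems = check_required(parsed, REQUIRED)
    for name, actual in problems:
        print('missing: %s (is %s)' % (name, actual))
    print('config ok' if not problems else 'config NOT ok')
```

Point parse_kconfig at the real file (open('/usr/src/linux/.config').read()) and extend REQUIRED with whatever your build must have; the function is deliberately strict about options that are absent, since a missing line means the option is off.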

command make

• [targets]

– zImage   Make a simple gzip-compressed kernel image; only suitable for small kernels (roughly 512 KB), since it must load into low memory.

– bzImage  Make a "big" compressed kernel image. It is also gzip-compressed (the b stands for big, not bzip2) but is not subject to the zImage size limit; this is the usual target.

– zlilo    Make a compressed vmlinuz image, install it and run LILO to update the boot map.

command make

• [targets]

– modules          Compile the components configured as modules (=m in .config).

– modules_install  Copy the module files to the /lib/modules/<kernel-version>/ directory and run depmod.

– install          Move the new kernel and its associated files into the correct directories (what the install target does beyond copying the image depends on the distribution's installkernel script).

The Source Tree

• Kernel source is released as a tarball file.

Example: linux-2.4.31.tar.bz2

# tar xjvf linux-2.4.31.tar.bz2 -C /usr/src/

This creates /usr/src/linux-2.4.31/.

• Should NEVER be extracted into /usr/src/linux/: that directory (or symlink) belongs to the distribution and its headers are what the C library and other packages were built against. Extract new sources into a version-named directory and work there.

The Source Tree

• Subdirectories in the source tree /usr/src/linux-2.4.31/:

Documentation  arch  drivers  fs  include  init  ipc  kernel  lib  mm  modules  net  scripts

• This is the structure that most kernel sources will follow.

The Modular Kernel

/lib/modules/kernel-version/

– Stores the modules for a particular kernel.

/lib/modules/kernel-version/modules.dep

– List of module dependencies

– Is generated by the depmod command

Many components of the Linux kernel may be compiled as modules which the kernel can dynamically load and remove as required.

The best components to modularize are ones not required at boot time, for example peripheral devices and supplementary file systems.

Kernel modules are controlled by utilities supplied by the modutils package:

– lsmod – rmmod – insmod – modprobe – modinfo

# ls /lib/modules/`uname -r`
build                   modules.ieee1394map  modules.pcimap
kernel                  modules.isapnpmap    modules.pnpbiosmap
modules.dep             modules.parportmap   modules.usbmap
modules.generic_string

The Modular Kernel

/etc/modules.conf or /etc/conf.modules

– Configuration file for loading kernel modules

– Often contains a list of aliases

• Example

alias char-major-10-181 toshiba
options toshiba tosh_fn=0x62

/etc/modules.conf is consulted for module parameters (IRQ and I/O ports) but most often contains a list of aliases. These aliases allow applications to refer to a device using a common name. For example the first ethernet device is always referred to as eth0 and not by the name of the particular driver.

# cat /etc/modules.conf
alias eth0 pcnet32
alias scsi_hostadapter BusLogic
alias sound-slot-0 es1371
post-install sound-slot-0 /bin/aumix-minimal -f /etc/.aumixrc -L >/dev/null 2>&1 || :
pre-remove sound-slot-0 /bin/aumix-minimal -f /etc/.aumixrc -S >/dev/null 2>&1 || :
alias usb-controller usb-uhci

The Modular Kernel

lsmod

– Shows information about all loaded modules

depmod [module]

– Handles dependency descriptions for loadable kernel modules

The depmod and modprobe utilities are intended to make a Linux modular kernel manageable for all users, administrators and distribution maintainers.

# lsmod
Module          Size    Used by    Not tainted
autofs          13268   0 (autoclean) (unused)
pcnet32         18240   1
mii             3976    0 [pcnet32]
ipt_REJECT      3928    6 (autoclean)
iptable_filter  2412    1 (autoclean)
ip_tables       15096   2 [ipt_REJECT iptable_filter]
keybdev         2944    0 (unused)
mousedev        5492    0 (unused)
hid             22148   0 (unused)
input           5856    0 [keybdev mousedev hid]
usb-uhci        26348   0 (unused)
usbcore         78784   1 [hid usb-uhci]
ext3            70784   2
jbd             51892   2 [ext3]
BusLogic        100796  3
sd_mod          13452   6
scsi_mod        107128  2 [BusLogic sd_mod]

The "Used by" column shows the use count and, in brackets, the modules that depend on this one; a module can only be removed when that count is zero.

The Modular Kernel

insmod [module]

– Installs a single loadable module in the running kernel (no dependency handling).

modprobe [module]

– Loads the module and any dependent modules listed in modules.dep, in dependency order.

Options for modprobe:

-a, --all

Load all matching modules instead of stopping after the first successful loading.

-c, --showconfig

Show the currently used configuration.

-C, --config config

Use the file config instead of (the optional) /etc/modules.conf to specify the configuration. The environment variable MODULECONF can also be used to select (and override) a different configuration file from the default /etc/modules.conf (or /etc/conf.modules (deprecated)).
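To see how modprobe turns modules.dep into a load order (and rmmod -r into an unload order), here is an added example in Python; it is not part of the course or of modutils. SAMPLE_DEP is a constructed fragment in the 2.4 modules.dep format (one entry per module, continuation lines ending in a backslash); nothing is loaded into a real kernel.

```python
"""Resolve kernel module load order from a modules.dep file.

Added example, not from the course page: modprobe reads
/lib/modules/<version>/modules.dep and inserts a module's dependencies
before the module itself; rmmod -r removes them in the reverse order.
SAMPLE_DEP is a constructed modules.dep fragment (the real file is
written by depmod).
"""
import os

SAMPLE_DEP = """\
/lib/modules/2.4.20-8/kernel/drivers/net/pcnet32.o: \\
    /lib/modules/2.4.20-8/kernel/drivers/net/mii.o

/lib/modules/2.4.20-8/kernel/drivers/net/mii.o:

/lib/modules/2.4.20-8/kernel/fs/ext3/ext3.o: \\
    /lib/modules/2.4.20-8/kernel/fs/jbd/jbd.o

/lib/modules/2.4.20-8/kernel/fs/jbd/jbd.o:

/lib/modules/2.4.20-8/kernel/net/ipv4/netfilter/ipt_REJECT.o: \\
    /lib/modules/2.4.20-8/kernel/net/ipv4/netfilter/ip_tables.o

/lib/modules/2.4.20-8/kernel/net/ipv4/netfilter/ip_tables.o:
"""


def _modname(path):
    """'/lib/modules/x/kernel/fs/jbd/jbd.o' -> 'jbd' (.o or .ko)."""
    base = os.path.basename(path)
    for ext in ('.o', '.ko'):
        if base.endswith(ext):
            return base[:-len(ext)]
    return base


def parse_modules_dep(text):
    """Return {module: [direct dependencies]} from modules.dep text.

    A physical line ending in a backslash continues the entry; the
    entry ends at the first line that does not.
    """
    deps = {}
    logical = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith('\\'):
            logical.append(line[:-1].strip())
            continue
        logical.append(line)
        entry = ' '.join(logical)
        logical = []
        target, _, rest = entry.partition(':')
        deps[_modname(target)] = [_modname(p) for p in rest.split()]
    return deps


def load_order(deps, module):
    """Modules to insert, dependencies first, as modprobe would.

    Raises KeyError for a module absent from modules.dep and
    ValueError if the dependency graph contains a cycle.
    """
    order, visiting = [], set()

    def visit(name):
        if name in order:
            return
        if name in visiting:
            raise ValueError('dependency cycle at ' + name)
        visiting.add(name)
        for dep in deps[name]:          # KeyError: not in modules.dep
            visit(dep)
        visiting.discard(name)
        order.append(name)

    visit(module)
    return order


def unload_order(deps, module):
    """Modules to remove for 'rmmod -r module': the module first,
    then the dependencies that nothing else needs any more."""
    return list(reversed(load_order(deps, module)))


if __name__ == '__main__':
    deps = parse_modules_dep(SAMPLE_DEP)
    print('modprobe pcnet32 ->', ' '.join(load_order(deps, 'pcnet32')))
    print('rmmod -r ext3    ->', ' '.join(unload_order(deps, 'ext3')))
```

On a real system replace SAMPLE_DEP with the contents of /lib/modules/`uname -r`/modules.dep; the parser handles both the .o names of 2.4 and the .ko names of later kernels.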

The Modular Kernel

modinfo [module]

– Display information about a kernel module

• Options

– a  Display the module's author.

– d  Display the module's description.

– n  Display the module's filename.

– p  Display the typed parameters that the module may support.

Example: get information from the network driver module.

$ modinfo pcnet32
filename:    /lib/modules/2.4.20-8/kernel/drivers/net/pcnet32.o
description: "Driver for PCnet32 and PCnetPCI based ethercards"
author:      "Thomas Bogendoerfer"
license:     "GPL"
parm:        debug int, description "pcnet32 debug level (0-6)"
parm:        max_interrupt_work int, description "pcnet32 maximum events handled per interrupt"
parm:        rx_copybreak int, description "pcnet32 copy breakpoint for copy-only-tiny-frames"
parm:        tx_start_pt int, description "pcnet32 transmit start point (0-3)"
parm:        pcnet32vlb int, description "pcnet32 Vesa local bus (VLB) support (0/1)"
parm:        options int array (min = 1, max = 8), description "pcnet32 initial option setting(s) (0-15)"
parm:        full_duplex int array (min = 1, max = 8), description "pcnet32 full duplex setting(s) (1)"

The Modular Kernel

rmmod [module]

– Unloads loadable modules from the running kernel (requires root; a module with a non-zero use count cannot be removed).

• Options

– a  Remove all unused modules

– e  Save persistent data, do not unload the module

– r  Remove a module stack, starting at the named module

– s  Use syslog for error messages

Example: unload the raid0 module.

# lsmod
Module    Size    Used by    Not tainted
raid0     3880    0 (unused)
autofs    13268   0 (autoclean) (unused)
pcnet32   18240   1
mii       3976    0 [pcnet32]
........
# rmmod raid0
#

General Procedure to build kernel

Step 1: Configure the kernel's parameters and build it

make config  or  make menuconfig  or  make xconfig

make clean; make dep; make bzImage

Step 2: Compile the modules

make modules

Step 3: Install the modules

make modules_install

Step 4: Copy the new kernel to /boot

cp arch/i386/boot/bzImage /boot/vmlinuz-2.4.19-16

Step 5: Copy System.map to /boot

cp System.map /boot/System.map-2.4.19-16

Step 6: Copy .config to /boot

cp .config /boot/config-2.4.19-16

Step 7: Make the initial ramdisk (needed when the driver for the root filesystem or its controller is built as a module)

mkinitrd /boot/initrd-2.4.19-16.img 2.4.19-16

Step 8a: Using lilo

• Add a new entry to /etc/lilo.conf, keeping the entry for the old kernel so you can still boot it if the new one fails:

image=/boot/vmlinuz-2.4.19-16
    label=linux
    initrd=/boot/initrd-2.4.19-16.img
    read-only
    append="hdc=ide-scsi root=LABEL=/"

• Execute, to test the configuration without writing the boot map:

/sbin/lilo -v -t

Notes: -t only tests. You must then run "lilo -v" (without -t) to actually update the LILO map file, otherwise the new entry will not appear at boot.

Step 8b: Using grub

• Add a new entry to /etc/grub.conf (GRUB reads the file at boot time, so no map update is needed):

title Red Hat Linux (2.4.19-16)
    root (hd0,0)
    kernel /vmlinuz-2.4.19-16 ro root=LABEL=/ hdc=ide-scsi
    initrd /initrd-2.4.19-16.img

Summary

• managing a kernel and kernel loadable modules

• loading and unloading modules as appropriate

• customizing the current kernel

• configuring and building a new kernel

• building kernel modules as appropriate

• installing the new kernel as well as any modules

Key files, terms, and utilities include:

/lib/modules/kernel-version/modules.dep
/etc/modules.conf and /etc/conf.modules
/usr/src/linux/*
/usr/src/linux/.config
/lib/modules/kernel-version/*
/boot/*
depmod insmod lsmod rmmod modinfo modprobe uname make

make targets: config menuconfig xconfig oldconfig modules install modules_install depmod

LPI 102 Linux Junior Level Administration

Chapter 06

System Logging and Automation

Objectives

• System logging

– syslogd

– klogd

• Automate tasks

– cron

– at

– anacron

LPI Topics:

1.111.3 Configure and use system log files to meet administrative and security needs

This objective includes managing the type and level of information logged, manually scanning log files for notable activity, monitoring log files, arranging for automatic rotation and archiving of logs and tracking down problems noted in logs.

1.111.4 Automate system administration tasks by scheduling jobs to run in the future

Candidates should be able to use cron or anacron to run jobs at regular intervals and to use at to run jobs at a specific time. Tasks include managing cron and at jobs and configuring user access to the cron and at services.

Introduction to System logging

• One integral part of any UNIX system is the logging facility.

• The majority of logging in Linux is provided by two main programs:

– syslogd: logging services for programs and applications.

– klogd: logging capability for the Linux kernel.

• klogd

– Reads kernel messages (from /proc/kmsg or the kernel ring buffer) and sends most of them on to syslogd.

– The kernel itself will on occasion print messages directly to the console (e.g. kernel panics), bypassing both daemons.

• syslogd

– Handles the task of processing most messages and sending them to the appropriate file or device.

– Configuration file: /etc/syslog.conf

By default most logging to files takes place in /var/log/

Rotating log files

• A common way to keep logging information for a fixed period is "rotation".

• Example: rotation policy

#!/bin/sh
# Daily rotation: keep three generations, the oldest one is dropped.
cd /var/log || exit 1
mv -f logfile.2 logfile.3
mv -f logfile.1 logfile.2
mv -f logfile logfile.1
umask 077
: > logfile            # new, empty log, created without group/other access
chmod 600 logfile      # in case it already existed with wider permissions
# syslogd still holds logfile.1 open; make it reopen "logfile":
kill -HUP `cat /var/run/syslogd.pid`

You keep backup files that are one day old, two days old, and so on. Each day a script or utility program renames the files to push older data toward the end of the chain.

One common problem is figuring out what to do with all of the log messages. If you do a lot of logging (particularly if everything is sent to a central server), you can fill up your filesystem faster than you think. The most obvious and direct solution is to remove them after a specific length of time or when they reach a particular size.

As its name implies, the goal of the logrotate program is to "rotate" log files. This could be as simple as moving a log file to a different name and replacing the original with an empty file.

In the example, every day the old logfile.3 is lost as logfile.2 is renamed over it. Note that renaming a file does not affect the daemon writing to it: syslogd keeps the renamed file open until it is told to reopen its logs (kill -HUP), which is why the script signals it after creating the new file.
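The shell script above is the simplest rotation policy. The following added example (not from the course) implements the same numbered rotation in Python, generalised to any number of kept generations; it creates the fresh log with mode 0600 from the start instead of chmod-ing it afterwards, and works on files in a temporary directory so it can be tried safely. Signalling the log daemon is left to the caller, since it depends on which daemon owns the file.

```python
"""Numbered log rotation (logfile -> logfile.1 -> ... -> logfile.N).

Added example, not from the course page: the policy of the shell
script on the slide, for any number of kept copies. The files it
rotates are created in a temporary directory by demo().
"""
import os
import stat
import tempfile


def rotate(logdir, name, keep=3):
    """Rotate logdir/name, keeping 'keep' old generations.

    Returns the sorted list of names now present in logdir so the
    caller can verify what happened.
    """
    path = os.path.join(logdir, name)
    oldest = '%s.%d' % (path, keep)
    if os.path.exists(oldest):
        os.remove(oldest)                    # the oldest generation is lost
    for n in range(keep - 1, 0, -1):         # logfile.(keep-1) ... logfile.1
        src = '%s.%d' % (path, n)
        if os.path.exists(src):
            os.rename(src, '%s.%d' % (path, n + 1))
    if os.path.exists(path):
        os.rename(path, path + '.1')
    # Create the new log already restricted to the owner: no window in
    # which a world-readable file exists, unlike ": > logfile; chmod 600".
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    os.close(fd)
    return sorted(os.listdir(logdir))


def demo(days=5, keep=3):
    """Simulate 'days' daily rotations of a log that receives one line a day.

    Returns (directory listing after the last rotation, contents of
    logfile.1, permission bits of the new logfile).
    """
    logdir = tempfile.mkdtemp(prefix='rotate-demo-')
    try:
        for day in range(1, days + 1):
            with open(os.path.join(logdir, 'logfile'), 'a') as f:
                f.write('day %d\n' % day)        # constructed log content
            listing = rotate(logdir, 'logfile', keep)
        with open(os.path.join(logdir, 'logfile.1')) as f:
            newest_old = f.read()
        mode = stat.S_IMODE(os.stat(os.path.join(logdir, 'logfile')).st_mode)
        return listing, newest_old, mode
    finally:
        for fn in os.listdir(logdir):
            os.remove(os.path.join(logdir, fn))
        os.rmdir(logdir)


if __name__ == '__main__':
    listing, newest_old, mode = demo()
    print(listing)
    print('logfile.1 contains:', newest_old.strip())
    print('logfile mode: %o' % mode)
```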

Logrotate: manage log files

A logrotate configuration file consists of a series of specifications for groups of log files to be managed. Global directives come first; each group is a pattern followed by a block in braces.

# Example log rotation policy
errors sa-book@admin.com
rotate 5
weekly

/var/log/messages {
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid`
    endscript
}

/var/log/samba/*.log {
    notifempty
    copytruncate
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid`
    endscript
}

The postrotate script runs after the file has been renamed, so that the daemon reopens its log. With copytruncate the original file is copied and then truncated in place, so the writing process keeps its file descriptor; sharedscripts runs the postrotate script once for the whole group rather than once per matching file.

Linux log files

/var/log/wtmp

– Contains a record of users' logins and logouts. Should be rotated.

/var/log/lastlog

– Records only the time of the last login for each user. No need to be rotated.

For the most part, Linux packages send their logging information to files in the /var/log directory. Some distributions also store logs in /var/adm.

Special log files:

/var/log/wtmp

Contains a record of users' logins and logouts, plus entries that indicate when the system was rebooted or shut down. It is a binary file; read it with last or with:

# who /var/log/wtmp

Should be rotated.

/var/log/lastlog

Records only the time of the last login for each user. It is a binary file, indexed by UID. No need to be rotated because its size stays constant unless new users log in. Read it with:

# lastlog

checksecurity utility (Debian)

Runs every day (from /etc/cron.daily/standard) to enumerate the system's complement of setuid programs and report changes (files setuid.changes, setuid.today, setuid.yesterday).

Download: http://packages.debian.org/unstable/admin/checksecurity

Configuring syslogd

• The configuration file is /etc/syslog.conf

• The basic format of each line is:

selector    action

• Example:

mail.info    /var/log/maillog

Within the selector:

– mail: the facility

– info: the level of priority

– /var/log/maillog: the action

Facilities

• Supported facilities in Linux:

Syslog facility   Associated subsystem

auth, authpriv    Login authentication (authpriv is meant for a file readable only by root)
cron              cron subsystem
daemon            System server processes
kern              Linux kernel
lpr               Spooling subsystem
mail              Mail subsystem
news              News subsystem
syslog            Messages generated internally by syslogd
user              Messages from user processes (the default facility)
uucp              UUCP subsystem
localN            Locally-defined syslog facilities; N runs from 0 to 7

Priorities

Level   Keyword   Description

0       emerg     Emergencies, system unusable
1       alert     Alerts, immediate action required
2       crit      Critical conditions
3       err       Error conditions
4       warning   Warning conditions
5       notice    Notifications, normal but significant conditions
6       info      Informational messages
7       debug     Debugging messages

Unlike facilities, which have no relationship to each other, priorities are hierarchical. Possible priorities in Linux are (in increasing order of urgency): debug, info, notice, warning, err, crit, alert and emerg. A selector names a priority and, by default, matches that priority and every more urgent one.

As with facilities, the wildcards * and none may be used.

A priority may be preceded by either or both of the modifiers = (this priority only) and ! (exclude).

Example

*.info;mail.none;authpriv.none;cron.none    /var/log/messages

– All messages of severity "info" and above are logged, but none from the mail, cron or authpriv facilities.

Selector                    Meaning

mail.info                   Select mail-related messages of info priority and higher
mail.=info                  Select only messages at info priority
mail.info;mail.!err         Select only priorities info, notice and warning
mail.debug;mail.!=warning   Select all priorities except warning

Selectors separated by ; are applied from left to right, so a later selector can narrow (with !) or cancel (with none) what an earlier one enabled.
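The selector rules are easy to misread, especially the ; and ! combinations. The added example below (not code from the course or from sysklogd) implements the sysklogd selector semantics and routes a (facility, priority) pair through a constructed syslog.conf, so each rule in the tables above can be checked mechanically.

```python
"""Match syslog messages against syslog.conf selectors.

Added example, not from the course page: implements the selector
semantics of the sysklogd syslog.conf format. Each selector in a
';'-separated list is applied in order to a per-facility priority set:
'fac.pri' adds pri and everything more urgent, 'fac.=pri' adds only
pri, a leading '!' removes instead of adds, 'none' clears the facility
and '*' means every facility or every priority.
SAMPLE_CONF is constructed for the demonstration.
"""

FACILITIES = ['kern', 'user', 'mail', 'daemon', 'auth', 'syslog', 'lpr',
              'news', 'uucp', 'cron', 'authpriv', 'ftp'] + \
             ['local%d' % n for n in range(8)]
PRIORITIES = ['emerg', 'alert', 'crit', 'err', 'warning', 'notice',
              'info', 'debug']                 # index 0 = most urgent


class SelectorError(ValueError):
    pass


def parse_selector(selector):
    """Return {facility: set of priority names} for one selector field."""
    mask = {f: set() for f in FACILITIES}
    for part in selector.split(';'):
        part = part.strip()
        if not part:
            continue
        facs, dot, pri = part.rpartition('.')
        if not dot:
            raise SelectorError('no priority in %r' % part)
        negate = pri.startswith('!')
        if negate:
            pri = pri[1:]
        single = pri.startswith('=')
        if single:
            pri = pri[1:]
        if pri == 'none':
            wanted = None
        elif pri == '*':
            wanted = set(PRIORITIES)
        elif pri in PRIORITIES:
            idx = PRIORITIES.index(pri)
            wanted = {pri} if single else set(PRIORITIES[:idx + 1])
        else:
            raise SelectorError('unknown priority %r' % pri)
        targets = FACILITIES if facs == '*' else [f.strip() for f in facs.split(',')]
        for fac in targets:
            if fac not in mask:
                raise SelectorError('unknown facility %r' % fac)
            if wanted is None:                 # 'none' clears the facility
                mask[fac] = set()
            elif negate:                       # '!' removes instead of adding
                mask[fac] -= wanted
            else:
                mask[fac] |= wanted
    return mask


def parse_config(text):
    """Parse syslog.conf text into a list of (selector mask, action)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split(None, 1)          # selector, then action
        if len(parts) != 2:
            raise SelectorError('no action in %r' % line)
        rules.append((parse_selector(parts[0]), parts[1]))
    return rules


def route(rules, facility, priority):
    """All actions that receive a message with this facility and priority."""
    return [action for mask, action in rules if priority in mask[facility]]


SAMPLE_CONF = """\
# emergencies: tell everyone who is logged on
*.emerg                                 *
# important messages
*.warning;daemon,auth.info;user.none    /var/log/messages
# mail below err; err and above go to a separate file
mail.info;mail.!err                     /var/log/maillog
mail.err                                /var/log/maillog-errors
# everything from authpriv, for root's eyes only
authpriv.*                              /var/log/secure
"""

if __name__ == '__main__':
    rules = parse_config(SAMPLE_CONF)
    for fac, pri in [('kern', 'emerg'), ('daemon', 'info'), ('user', 'crit'),
                     ('mail', 'notice'), ('mail', 'err')]:
        print('%s.%s -> %s' % (fac, pri, route(rules, fac, pri)))
```

Feed it the real /etc/syslog.conf to answer "where does mail.err actually go on this host?" without restarting syslogd; a facility or priority name it does not know raises SelectorError, which is also what happens with the typos in the config examples that follow.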

Action

• In practice, most log messages are written to files.

• You can send messages to other places too.

Action            Meaning

filename          Write the message to a file on the local machine (give the full path)
@hostname         Forward the message to syslogd on host hostname
@ipaddress        Forward the message to the host at IP address ipaddress
|fifoname         Write the message to the named pipe fifoname
user1,user2,...   Write the message to the listed users' screens
*                 Write the message to all users who are logged in

In practice, most log messages are written to files. If you list the full path to a filename as a line's action in syslog.conf, messages that match that line will be appended to that file. (If the file doesn't exist, syslog will create it.)

You can send messages to other places too. An action can be a file, a named pipe, a device file, a remote host or a user's screen. Forwarding with @ sends plain UDP datagrams to port 514 with no authentication or encryption, so it should only be used across a trusted network.

Config file examples

• Stand-alone machine on a small network:

# emergencies: tell everyone who is logged on
*.emerg                                 *
# important messages
*.warning;daemon,auth.info;user.none    /var/log/messages
# printer errors
lpr.debug                               /var/log/lpd-errs

The syslog config file can be customized for each host.

Choose a stable machine as your logging server, one that is well secured and does not have many logins.

Some very large sites may want to add more levels to the logging hierarchy. Unfortunately syslog retains the name of the originating host for only one hop. If a host "client" sends some log entries to host "server", which sends them on to host "master", master will see the data coming from server, not from client.

Config file examples

• A client machine on a larger network:

# emergencies: tell everyone who is logged on
*.emerg;user.none                       *
# forward important messages to the central logger
*.warning;lpr,local1.none               @netloghost
daemon,auth.info                        @netloghost
# cardd logs through facility local1 - send to boulder
local1.debug                            @boulder.colorado.edu
# keep printer errors local
lpr.debug                               /var/log/lpd-errs
# keep kernel messages local
kern.info                               /var/log/kern.log

Creating a central syslog server

In this example a Solaris server environment is configured to send its syslog information to a remote Red Hat Linux 8.0 server.

Changes needed on the syslog server (Red Hat Linux 8.0):

vi /etc/sysconfig/syslog

Change:  SYSLOGD_OPTIONS="-m 0"
To:      SYSLOGD_OPTIONS="-m 0 -r -x"

-r enables logging from remote machines (syslogd then listens on UDP port 514) and -x disables DNS lookups on incoming syslog messages. Restart syslogd for the change to take effect. Because the UDP transport carries no authentication or integrity protection, any host that can reach port 514 can inject or spoof log entries; restrict access to the log host with a packet filter and keep it on a trusted network.

Changes needed on the syslog clients (Sun Solaris):

1. vi /etc/syslog.conf

Add the following lines:

# Send a copy to remote loghost
*.info      @loghost
auth.*      @loghost

Note: make sure that you do not have extra whitespace in the Solaris syslog.conf file. Separate the facility and severity from the location with either a single space or with tabs.

2. vi /etc/hosts

Make the name "loghost" resolve to the central log server. By default Solaris configures each host to be its own loghost, so remove the loghost alias from the local entry and add it to the entry for the server.

3. Send the syslogd process a SIGHUP signal (kill -HUP pid_of_syslogd) so it rereads the configuration.
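What actually crosses the network between the clients and the log host is an RFC 3164 BSD syslog datagram. This added example (not code from the course, Red Hat or Solaris) builds the datagram a client would send and decodes the PRI field on the receiving side, which is what the server needs in order to apply its own syslog.conf rules; the message content is constructed and nothing is transmitted unless send_datagram() is called explicitly.

```python
"""Encode and decode the BSD syslog datagram used by '@host' forwarding.

Added example, not from the course page. On the wire a message is
'<PRI>TIMESTAMP HOST TAG: message' where PRI = facility * 8 + severity
(RFC 3164). The sample message below is constructed.
"""
import re
import socket

# Facility codes 0-23 as listed in RFC 3164 (12-15 are named there as
# NTP, log audit, log alert and clock daemon).
FACILITIES = ['kern', 'user', 'mail', 'daemon', 'auth', 'syslog', 'lpr',
              'news', 'uucp', 'cron', 'authpriv', 'ftp',
              'ntp', 'logaudit', 'logalert', 'clock'] + \
             ['local%d' % n for n in range(8)]
SEVERITIES = ['emerg', 'alert', 'crit', 'err', 'warning', 'notice',
              'info', 'debug']

_PRI_RE = re.compile(r'^<(\d{1,3})>(.*)$', re.S)
_HEADER_RE = re.compile(
    r'^([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$', re.S)


def encode_pri(facility, severity):
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)


def decode_pri(pri):
    if not 0 <= pri <= 191:
        raise ValueError('PRI out of range: %d' % pri)
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def build_datagram(facility, severity, timestamp, host, tag, msg):
    """Client side: the bytes syslogd puts on the wire for '@host'."""
    line = '<%d>%s %s %s: %s' % (encode_pri(facility, severity),
                                  timestamp, host, tag, msg)
    return line.encode('latin-1')


def parse_datagram(data):
    """Server side: split a received datagram into its fields.

    Returns a dict with facility, severity, timestamp, host, tag, msg.
    A datagram without a valid <PRI> is treated as user.notice, which
    is what RFC 3164 tells a receiver to assume.
    """
    text = data.decode('latin-1')
    m = _PRI_RE.match(text)
    if m and int(m.group(1)) <= 191:
        facility, severity = decode_pri(int(m.group(1)))
        rest = m.group(2)
    else:
        facility, severity, rest = 'user', 'notice', text
    h = _HEADER_RE.match(rest)
    if not h:                                 # no parsable header
        return {'facility': facility, 'severity': severity, 'timestamp': None,
                'host': None, 'tag': None, 'msg': rest}
    timestamp, host, content = h.groups()
    tag, sep, msg = content.partition(': ')
    if not sep:
        tag, msg = None, content
    return {'facility': facility, 'severity': severity, 'timestamp': timestamp,
            'host': host, 'tag': tag, 'msg': msg}


def send_datagram(data, server, port=514):
    """What the '@server' action does: one unauthenticated UDP datagram.
    Not called by the demo; shown so the transport is explicit."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.sendto(data, (server, port))
    finally:
        s.close()


if __name__ == '__main__':
    # Constructed sample: an sshd login record as a client would forward it.
    wire = build_datagram('auth', 'info', 'Oct 31 12:00:01', 'lpilabs',
                          'sshd[1234]',
                          'Accepted password for root from 10.0.0.5 port 1022 ssh2')
    print(wire)
    print(parse_datagram(wire))
```

Note what is absent from the format: nothing in the datagram proves which host sent it (the HOST field is whatever the sender wrote), which is why a log host must be firewalled to its clients rather than trusted on the strength of the message contents.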

Command at

at [options] time

– Execute commands at a specified time, or run them on a batch queue.

– Reads commands from stdin (or from a file with the -f option) and executes them using the user's login shell, in the environment captured when the job was submitted.

Example: run ~/myscript at 11:30

# at 11:30
at> ~/myscript
at> <EOT>
job 1 at 2005-11-04 11:30
#

The <EOT> is produced by pressing ^D (Ctrl+D): sending the end-of-file character terminates input to the at command.

Listing and Deleting at Jobs

at -l  (or atq)

– List all jobs.

at -d job_id  (or atrm job_id)

– Removes job_id

Example

# atq
14      2003-10-31 12:00 a root
# atrm 14
# atq
#

crontab

• crontab files are located in three places:

/var/spool/cron   – contains users' crontabs, one file named after each user

/etc/cron.d       – typically used by software installations

/etc/crontab      – the system crontab, maintained by the system administrator

cron's uses:

– Remove junk files from the system

– Reload mail aliases

– Reset / rotate log files

– Synchronize databases

– Check network resources

how cron works

• cron reads all its config files into memory, then sleeps.

• Every minute cron wakes up:

– checks for updates to its config files and reloads any that changed

– executes any tasks scheduled for that minute.

• Output of a cron job (standard output and standard error) is emailed to the owner of the crontab.

crontab fields

min hr day month wday [usr] cmd

– minute [0-59]

– hour [0-23]

– day of month [1-31]

– month [1-12]

– weekday [0-6] (0 = Sunday; 7 is also accepted for Sunday)

– usr: the user to run the command as. Present only in /etc/crontab and the files in /etc/cron.d, not in user crontabs.

$ cat /etc/crontab
# run-parts
01 * * * * root run-parts /etc/cron.hourly
02 4 * * * root run-parts /etc/cron.daily
22 4 * * 0 root run-parts /etc/cron.weekly
42 4 1 * * root run-parts /etc/cron.monthly

crontab format

• Comment lines start with #

• Fields are separated by whitespace

• The command should not be quoted

– whitespace is taken literally in the command field: everything after the fifth field, up to the end of the line, is the command

crontab format

Option   Explanation

*        Treated as a wildcard, meaning any possible value.

*/5      Every 5 minutes, hours, days or months, depending on the field it appears in. Replacing the 5 with another number changes the step.

2,4,6    Treated as an OR: placed in the hour field this means at 2, 4 or 6 o'clock.

9-17     Any value from 9 to 17 inclusive: in the day-of-month field this means days 9 through 17; in the hour field it means 9 a.m. to 5 p.m.

Example: each of the columns can be in one of the following formats (these examples are for the minute column):

30        Run the command at 30 minutes past the hour.

0-59/10   Run the command once every 10 minutes, for the entire hour.

15-30     Run the command once every minute, from 15 to 30 minutes past the hour.

0,10,50   Run the command at 0, 10 and 50 minutes past the hour.

*         Run the command once every minute.
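As an added example (not from the course or from cron itself), the following Python code parses the five time fields with all the forms from the table and decides whether an entry fires at a given minute. It follows Vixie cron, the cron shipped with the distributions of the period: weekday 7 is an alias for Sunday, a step is only valid after * or a range, and when both the day-of-month and the weekday fields are restricted the entry runs when either of them matches (crontab(5)).

```python
"""Evaluate crontab time fields against a given minute.

Added example, not from the course page: parses
'min hr day month wday' with the forms *, */5, 2,4,6, 9-17, 0-59/10
and decides whether an entry runs at a given date and time, with
Vixie cron's day-of-month / weekday rule.
"""
import datetime

FIELD_RANGES = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 7)]   # min hr day mon wday


def parse_field(spec, low, high):
    """Expand one crontab field into the set of integers it allows."""
    values = set()
    for item in spec.split(','):
        rng, slash, step = item.partition('/')
        step = int(step) if slash else 1
        if step < 1:
            raise ValueError('bad step in %r' % item)
        if rng == '*':
            start, end = low, high
        elif '-' in rng:
            a, b = rng.split('-', 1)
            start, end = int(a), int(b)
        elif slash:
            # Vixie cron rejects a step after a single value ("5/10").
            raise ValueError('step needs * or a range: %r' % item)
        else:
            start = end = int(rng)
        if start < low or end > high or start > end:
            raise ValueError('%r outside %d-%d' % (item, low, high))
        values.update(range(start, end + 1, step))
    return values


def parse_entry(line, system=False):
    """Parse one crontab line. With system=True the line is from
    /etc/crontab or /etc/cron.d, where a user name precedes the command."""
    parts = line.split(None, 5)
    if len(parts) < 6:
        raise ValueError('need five time fields and a command: %r' % line)
    specs, command = parts[:5], parts[5]
    minute, hour, day, month, wday = [
        parse_field(s, lo, hi) for s, (lo, hi) in zip(specs, FIELD_RANGES)]
    if 7 in wday:                            # 7 is an alias for Sunday (0)
        wday.add(0)
    entry = {'minute': minute, 'hour': hour, 'day': day, 'month': month,
             'wday': wday,
             # Vixie cron treats a field as unrestricted if it starts with '*'
             'day_restricted': not specs[2].startswith('*'),
             'wday_restricted': not specs[4].startswith('*'),
             'user': None, 'command': command}
    if system:
        user, rest = (command.split(None, 1) + [''])[:2]
        entry['user'], entry['command'] = user, rest
    return entry


def fires_at(entry, when):
    """True if the entry runs in the minute containing datetime 'when'."""
    if (when.minute not in entry['minute'] or when.hour not in entry['hour']
            or when.month not in entry['month']):
        return False
    wday = (when.weekday() + 1) % 7          # Python: Monday=0; cron: Sunday=0
    day_ok = when.day in entry['day']
    wday_ok = wday in entry['wday']
    if entry['day_restricted'] and entry['wday_restricted']:
        return day_ok or wday_ok             # crontab(5): either field matches
    return day_ok and wday_ok


def fires(line, year, month, day, hour, minute, system=False):
    """Convenience wrapper: does crontab 'line' run at the given minute?"""
    return fires_at(parse_entry(line, system),
                    datetime.datetime(year, month, day, hour, minute))


if __name__ == '__main__':
    entry = '15 6,18 1,15 * * myprogram'
    for stamp in [(2003, 10, 1, 6, 15), (2003, 10, 15, 18, 15), (2003, 10, 2, 6, 15)]:
        print(entry, stamp, fires(entry, *stamp))
```

The either/or rule is the one that surprises people: "0 0 13 * 5" runs on every Friday and on every 13th, not only on Friday the 13th.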

command crontab

• Maintain crontab files for individual users.

• Each user has a personal list of commands kept in a crontab file, stored in the /var/spool/cron/ directory.

• Options

– e: edit the current crontab (in the editor named by $EDITOR)

– l: list the contents of the user's crontab

– r: remove the user's crontab (no confirmation is asked)

– u user: operate on the named user's crontab (root only)

Examples

• To execute myprogram once per day at 6:15 a.m., use this crontab entry:

15 6 * * * myprogram

• To execute at 6:15 and 18:15 on the 1st and 15th of the month, use:

15 6,18 1,15 * * myprogram

Administering at and crontab

• Control and configuration files are kept in /etc

at.allow      Users allowed to use at
at.deny       Users denied use of at (only consulted if there is no at.allow)
cron.allow    Users allowed to use cron
cron.deny     Users denied use of cron (only consulted if there is no cron.allow)
crontab       System cron table

One user name per line. If an allow file exists it is authoritative and the deny file is ignored; if neither file exists, at permits only root, while cron's default depends on how it was built (on Red Hat, all users).
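The precedence between the allow and deny files is where mistakes happen: a stray cron.allow silently locks out everyone not listed in it. This added example (not code from the course, at or cron) encodes that rule and checks it against files created in a temporary directory. The default used when neither file exists is passed in by the caller, because it differs between at and cron builds.

```python
"""Decide who may use at or cron from the allow and deny files.

Added example, not from the course page. Rule for both services:
<name>.allow exists -> only users listed there (deny file ignored);
otherwise <name>.deny exists -> everyone not listed there;
otherwise a service-specific default (at: root only; cron: depends
on the build, commonly everyone). The files used by demo() are
created in a temporary directory.
"""
import os
import tempfile


def _read_users(path):
    """Set of user names in an allow/deny file, or None if absent."""
    if not os.path.exists(path):
        return None
    with open(path) as f:
        return {line.strip() for line in f
                if line.strip() and not line.startswith('#')}


def may_use(user, etc_dir, service, default_allow_all=False):
    """service is 'at' or 'cron'; etc_dir is normally '/etc'.
    Returns (allowed, reason)."""
    allow = _read_users(os.path.join(etc_dir, service + '.allow'))
    deny = _read_users(os.path.join(etc_dir, service + '.deny'))
    if allow is not None:
        return user in allow, service + '.allow exists: only listed users'
    if deny is not None:
        return user not in deny, service + '.deny exists: listed users refused'
    if default_allow_all:
        return True, 'no allow/deny file: everyone allowed'
    return user == 'root', 'no allow/deny file: only root allowed'


def demo():
    """Build a small /etc in a temporary directory and evaluate users.
    Returns {(service, user): allowed}."""
    etc = tempfile.mkdtemp(prefix='allowdeny-')
    try:
        with open(os.path.join(etc, 'cron.allow'), 'w') as f:
            f.write('root\nbackup\n')
        with open(os.path.join(etc, 'cron.deny'), 'w') as f:
            f.write('backup\n')            # ignored: cron.allow takes precedence
        with open(os.path.join(etc, 'at.deny'), 'w') as f:
            f.write('guest\n# comment line\n')
        results = {}
        for service, default in (('cron', True), ('at', False)):
            for user in ('root', 'backup', 'guest', 'alice'):
                results[(service, user)] = may_use(user, etc, service, default)[0]
        return results
    finally:
        for fn in os.listdir(etc):
            os.remove(os.path.join(etc, fn))
        os.rmdir(etc)


if __name__ == '__main__':
    for key, allowed in sorted(demo().items()):
        print('%-5s %-7s %s' % (key[0], key[1], 'allowed' if allowed else 'denied'))
```

The at implementation additionally exempts root from the file checks, which the function above does not model; for cron, root is treated like any other user, so a cron.allow that omits root locks root out of crontab too.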

Administering at and crontab

• /var/spool/cron

– All crontabs are stored in the cron spool directory, one file per user.

• /var/spool/at

– All at jobs are stored in the at spool directory.

• Do not edit the files in the spool directories.

– Use the at and crontab utilities to make changes.

• Use tail or tail -f on the log file (/var/log/cron on Red Hat, where the cron facility is directed) to follow what cron is doing.

command logrotate

logrotate [options] logrotate_config_file

– Rotates, compresses, and mails system logs.

– Uses /etc/logrotate.conf as its configuration file and is normally run daily from cron.

– Changes to logrotate.conf take effect at the next run. To rotate immediately, whether or not rotation is due, run: logrotate -f /etc/logrotate.conf

logrotate is designed to ease administration of systems that generate large numbers of log files. It allows automatic rotation, compression, removal, and mailing of log files. Each log file may be handled daily, weekly, monthly, or when it grows too large. Normally, logrotate is run as a daily cron job. It will not modify a log multiple times in one day unless the criterion for that log is based on the log's size and logrotate is being run multiple times each day, or unless the -f or --force option is used.

Sample contents of /etc/logrotate.conf:

# rotate log files weekly
#weekly

# rotate log files daily
daily

# keep 4 weeks worth of backlogs
#rotate 4

# create new (empty) log files after rotating old ones
create

With "rotate 4" commented out the default is rotate 0, so old logs are deleted rather than kept.

anacron

• anacron is a task scheduler similar to cron, except that it does not require the system to run continuously.

• It can be used to run the daily, weekly and monthly jobs usually run by cron, catching up on any job whose period elapsed while the machine was switched off.

• To use the anacron service, you must have:

– the anacron RPM package installed

– the anacron service running.

anacrontab format

• Anacron tasks are listed in the configuration file /etc/anacrontab:

period   delay   job-identifier   command

– period: frequency (in days) with which to execute the command

– delay: time in minutes to wait before executing the command

– job-identifier: description of the task; also used as the name of its timestamp file

– command: command to execute

How anacron works

• Anacron executes the command specified in the command field after waiting the number of minutes specified in the delay field.

• After the task is completed, Anacron records the date in a timestamp file in the /var/spool/anacron directory.

For each task, Anacron determines whether the task has been executed within the period specified in the period field of the configuration file. If it has not been executed within the given period, Anacron executes the command specified in the command field after waiting the number of minutes specified in the delay field.

After the task is completed, Anacron records the date in a timestamp file in the /var/spool/anacron directory. Only the date is used (not the time), and the value of the job-identifier is used as the filename for the timestamp file.

Environment variables such as SHELL and PATH can be defined at the top of /etc/anacrontab as with the cron configuration file.

Example anacrontab

$ cat /etc/anacrontab
# /etc/anacrontab: configuration file for anacron
# See anacron(8) and anacrontab(5) for details.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/bin

1    65   cron.daily     run-parts /etc/cron.daily
7    70   cron.weekly    run-parts /etc/cron.weekly
30   75   cron.monthly   run-parts /etc/cron.monthly
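To make the period check concrete, the following added example (not code from the course or from anacron) parses the anacrontab above, reads per-job timestamp files from a spool directory created for the demonstration, lists the jobs that are due together with the delay anacron would wait, then records a run and checks again.

```python
"""Determine which anacrontab jobs are due, the way anacron does.

Added example, not from the course page: parses anacrontab lines
(period delay job-identifier command), reads the timestamp files in
the spool directory (one file per job-identifier holding the last run
date as YYYYMMDD) and reports the jobs whose period has elapsed.
SAMPLE_ANACRONTAB and the spool contents are constructed.
"""
import datetime
import os
import tempfile

SAMPLE_ANACRONTAB = """\
# /etc/anacrontab: configuration file for anacron
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/bin

1   65  cron.daily    run-parts /etc/cron.daily
7   70  cron.weekly   run-parts /etc/cron.weekly
30  75  cron.monthly  run-parts /etc/cron.monthly
"""


def parse_anacrontab(text):
    """Return (environment dict, list of job dicts)."""
    env, jobs = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        if '=' in line and not line[0].isdigit():     # VAR=value
            key, _, value = line.partition('=')
            env[key.strip()] = value.strip()
            continue
        parts = line.split(None, 3)
        if len(parts) < 4:
            raise ValueError('bad anacrontab line: %r' % line)
        jobs.append({'period': int(parts[0]), 'delay': int(parts[1]),
                     'ident': parts[2], 'command': parts[3]})
    return env, jobs


def last_run(spool_dir, ident):
    """Date in the job's timestamp file, or None if it never ran."""
    path = os.path.join(spool_dir, ident)
    if not os.path.exists(path):
        return None
    with open(path) as f:
        stamp = f.read().strip()
    return datetime.datetime.strptime(stamp, '%Y%m%d').date()


def due_jobs(jobs, spool_dir, today):
    """Jobs not run within their period, as (ident, delay in minutes)."""
    due = []
    for job in jobs:
        last = last_run(spool_dir, job['ident'])
        if last is None or (today - last).days >= job['period']:
            due.append((job['ident'], job['delay']))
    return due


def record_run(spool_dir, ident, day):
    """What anacron writes after a job finishes: the date only."""
    with open(os.path.join(spool_dir, ident), 'w') as f:
        f.write(day.strftime('%Y%m%d') + '\n')


def demo(today='2003-12-26'):
    """One anacron run on 'today' against a constructed spool where
    cron.daily ran yesterday, cron.weekly five days ago and cron.monthly
    never. Returns (due before running, due after cron.daily has run)."""
    today = datetime.datetime.strptime(today, '%Y-%m-%d').date()
    spool = tempfile.mkdtemp(prefix='anacron-demo-')
    try:
        record_run(spool, 'cron.daily', today - datetime.timedelta(days=1))
        record_run(spool, 'cron.weekly', today - datetime.timedelta(days=5))
        _, jobs = parse_anacrontab(SAMPLE_ANACRONTAB)
        before = due_jobs(jobs, spool, today)
        record_run(spool, 'cron.daily', today)      # the daily job finished
        after = due_jobs(jobs, spool, today)
        return before, after
    finally:
        for fn in os.listdir(spool):
            os.remove(os.path.join(spool, fn))
        os.rmdir(spool)


if __name__ == '__main__':
    before, after = demo()
    print('due now:', before)
    print('due after cron.daily ran:', after)
```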

Summary

• syslogd can be configured for both local and remote logging.

• In the syslog.conf file, every rule consists of these two fields:

– selector field

– action field

• The three major process scheduling utilities:

– at: executes a process once at a specified time

– cron: executes a process repeatedly at specified intervals, assuming the system is running at those times

– anacron: like cron, but with periods measured in days; it runs jobs that were missed while the machine was switched off and cannot schedule anything more often than daily

Key files, terms, and utilities include:

/etc/syslog.conf
/var/log/*
/etc/anacrontab
/etc/at.deny
/etc/at.allow
/etc/crontab
/etc/cron.allow
/etc/cron.deny
/var/spool/cron/*
at
atq
atrm
crontab
logrotate
tail -f

LPI 102 Linux Junior Level Administration

Chapter 07

Maintain System

Objectives

• Setting the system date and time

• Setting the BIOS clock to the correct time in UTC

• Configuring the correct timezone for the system

• Configuring the system to correct clock drift to match an NTP clock

• Dumping a raw device to a file or vice versa

• Performing partial and manual backups

LPI Topics:

1.111.5 Maintain an effective data backup strategy

Tasks include dumping a raw device to a file or vice versa, performing partial and manual backups, verifying the integrity of backup files and partially or fully restoring backups.

1.111.6 Maintain system time

Tasks include setting the system date and time, setting the BIOS clock to the correct time in UTC, configuring the correct timezone for the system and configuring the system to correct clock drift to match an NTP clock.

Time clocks under Linux

• Linux uses two clocks:

– Hardware Clock: the RTC (Real Time Clock), also called the CMOS clock or BIOS clock.

– Software Clock: the System Clock, driven by the system timer interrupt.

Hardware Clock:

– Runs independently of the operating system and keeps running even when the computer is turned off, as long as the CMOS battery lasts.

Software Clock:

– Counts the number of seconds since 1 January 1970 (UTC). It is the main clock under Linux. At boot time the kernel reads the hardware clock once and the system clock runs on its own from there.

Clock control programs

• Under Linux two main programs are used to control the two clocks:

hwclock

– Controls the Hardware Clock

date

– Controls the System Clock

Time settings and zones

• There are two standard ways to set the clock:

– Local time: the time at this geographic location.

– UTC: Coordinated Universal Time. The normal way of setting the time, from which a time zone offset is applied to calculate the local time.

UTC is Coordinated Universal Time; GMT is Greenwich Mean Time, the time of the Greenwich meridian, which UTC replaced as the reference for civil time.

Greenwich (pronounced 'grenn-itch') is a town, now part of the south-eastern urban sprawl of London, on the south bank of the River Thames in the London Borough of Greenwich.

http://en.wikipedia.org/wiki/Greenwich

Setting the time in Linux

• The procedure is relatively simple:

1. Set the Hardware Clock to UTC via the BIOS setup.

2. Set the environment variable TZ to the proper time zone: tzselect

3. To tell Linux that the Hardware Clock is kept in UTC, and set the system clock from it, run:

hwclock --utc --hctosys

Alternative step 2: use the program tzconfig (Debian), which sets a symbolic link of the form:

ln -s /usr/share/zoneinfo/Europe/Berlin /etc/localtime

Note that tzselect only works out and prints the TZ value; to make it permanent you must export TZ in a profile or point /etc/localtime at the zone file as above.

$ tzselect
Please identify a location so that time zone rules can be set correctly.
Please select a continent or ocean.
1) Africa
<........>
5) Asia
<.........>
#? 5
Please select a country.
<.........>
15) Indonesia
32) Nepal
49) Vietnam
<.........>
#? 49

The following information has been given:

Vietnam

Therefore TZ='Asia/Saigon' will be used.
Local time is now:      Wed Sep 28 10:58:46 ICT 2005.
Universal Time is now:  Wed Sep 28 03:58:46 UTC 2005.
Is the above information OK?
1) Yes
2) No
#? 1

hwclock

hwclock [option]

– This program is used to display or set the Hardware Clock.

• Options

--show       Read the Hardware Clock and print the time to standard output. The time shown is always in local time, even if you keep your Hardware Clock in Coordinated Universal Time (UTC).

--set        Set the Hardware Clock to the time given by the --date option.

--systohc    Set the Hardware Clock to the current System Time.

--hctosys    Set the System Time from the Hardware Clock. Also sets the kernel's timezone value to the local timezone as indicated by the TZ environment variable and/or /usr/share/zoneinfo. This is a good option to use in one of the system startup scripts.

--adjust     Add or subtract time from the Hardware Clock to account for systematic drift since the last time the clock was set or adjusted.

--utc        Indicates that the Hardware Clock is kept in Coordinated Universal Time.

--localtime  Indicates that the Hardware Clock is kept in local time. It is your choice whether to keep your clock in UTC or local time, but nothing in the clock tells which you've chosen, so this option (or --utc) is how you give that information to hwclock.

date

date [options]

– This program is used to show or set the System time.

• Options:

– +text_and_metacodes

• Allows control of the display of the current time and/or date.

• Example:

# date "+It is now %H Hours and %M Minutes"
It is now 14 Hours and 33 Minutes

Interpreted sequences are:

%%   a literal %
%a   locale's abbreviated weekday name (Sun..Sat)
%A   locale's full weekday name, variable length (Sunday..Saturday)
%b   locale's abbreviated month name (Jan..Dec)
%B   locale's full month name, variable length (January..December)
%c   locale's date and time (Sat Nov 04 12:02:33 EST 1989)
%C   century (year divided by 100 and truncated to an integer) [00-99]
%d   day of month (01..31)
%D   date (mm/dd/yy)
%e   day of month, blank padded ( 1..31)
%F   same as %Y-%m-%d
%g   the 2-digit year corresponding to the %V week number
%G   the 4-digit year corresponding to the %V week number
%h   same as %b
%H   hour (00..23)
%I   hour (01..12)
%j   day of year (001..366)
%k   hour ( 0..23)
%l   hour ( 1..12)
%m   month (01..12)
%M   minute (00..59)
%n   a newline
%N   nanoseconds (000000000..999999999)
%p   locale's upper case AM or PM indicator (blank in many locales)
%P   locale's lower case am or pm indicator (blank in many locales)
%r   time, 12-hour (hh:mm:ss [AP]M)
%R   time, 24-hour (hh:mm)
%s   seconds since `00:00:00 1970-01-01 UTC' (a GNU extension)
%S   second (00..60), the 60 is necessary to accommodate a leap second
%t   a horizontal tab
%T   time, 24-hour (hh:mm:ss)
%u   day of week (1..7), 1 represents Monday
%U   week number of year with Sunday as first day of week (00..53)
%V   week number of year with Monday as first day of week (01..53)
%w   day of week (0..6), 0 represents Sunday
%W   week number of year with Monday as first day of week (00..53)
%x   locale's date representation (mm/dd/yy)
%X   locale's time representation (%H:%M:%S)
%y   last two digits of year (00..99)
%Y   year (1970...)
%z   RFC-822 style numeric timezone (-0500) (a nonstandard extension)
%Z   time zone (e.g., EDT), or nothing if no time zone is determinable

By default, date pads numeric fields with zeroes. GNU date recognizes the following modifiers between `%' and a numeric directive:

-   (hyphen) do not pad the field
_   (underscore) pad the field with spaces

Time Parameters

MMDDhhmm   Set the System time to a specific value.
MMDDhhmmYYYY.[ss]   Set the System time to a specific extended value.

Note: In the file /etc/adjtime the correction factor can be saved to keep the clock as accurate as possible.
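As an added example (not from the course slides), the shell script below takes the UTC instant printed by the tzselect session above, renders it as local time through TZ, and builds the MMDDhhmmYYYY.ss argument that date accepts for setting the clock, without changing any clock. It assumes GNU date (the -d "@epoch" form); the POSIX zone string ICT-7 and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the course slides: how the UTC value kept in the
# hardware clock becomes local time through TZ, and how the MMDDhhmmYYYY.ss
# argument for `date` is built. Nothing here touches the real clock.
# Assumes GNU date. LC_ALL=C keeps weekday and month names as on the slide.
export LC_ALL=C

# Constructed sample instant: the "Universal Time is now" line printed by
# tzselect on the slide, Wed Sep 28 03:58:46 UTC 2005, as epoch seconds.
SAMPLE_EPOCH=1127879926

# Render an epoch in a given zone. A POSIX TZ string such as ICT-7 (7 hours
# east of UTC) works even when /usr/share/zoneinfo is absent; Asia/Saigon is
# the zoneinfo name tzselect chose on the slide.
local_time() {
    # $1 = epoch seconds, $2 = TZ value
    TZ="$2" date -d "@$1" '+%a %b %d %H:%M:%S %Z %Y'
}

# Build the MMDDhhmmYYYY.ss form that `date` accepts for setting the system
# time, expressed in the chosen zone. Passed to `date` as root this would
# set the clock; here it is only printed.
date_set_arg() {
    # $1 = epoch seconds, $2 = TZ value
    TZ="$2" date -d "@$1" '+%m%d%H%M%Y.%S'
}

# Show the GNU padding modifiers on the hour field: %H is zero padded,
# %-H drops the padding, %_H pads with spaces.
hour_variants() {
    # $1 = epoch seconds, $2 = TZ value
    TZ="$2" date -d "@$1" '+%H|%-H|%_H'
}

main() {
    echo "UTC:   $(local_time "$SAMPLE_EPOCH" UTC0)"
    echo "Local: $(local_time "$SAMPLE_EPOCH" ICT-7)"
    echo "date argument for local time: $(date_set_arg "$SAMPLE_EPOCH" ICT-7)"
    echo "hour padding variants (UTC):  $(hour_variants "$SAMPLE_EPOCH" UTC0)"
}
main
```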

Network Time Service

• This service is used to set the client clocks to a very precise clock.

• The service compensates for the delay introduced by TCP.

• Protocol:

– NTP

• Daemon

– ntpd

Methods:

1. Cron job queries the time server using the ntpdate program.

2. Local daemon (ntpd or xntpd) runs on client and polls the time server. Note: This solution transforms the client to a Time Server.

ntpdate

ntpdate TimeServerName

– This program connects with a Time Server and sets the System time.

– Normally it is regularly called from a cron job.

• Example:

10 * * * * root /usr/sbin/ntpdate ntp3.fau.de

Note: A list of time servers on the Internet is located at:

http://www.eecis.udel.edu/~mills/ntp/clock1a.html

ntpd or xntpd

• These daemons poll one or more Time Server(s) every 5 minutes and set the system time.

• Configuration file:

/etc/ntp.conf

• Example contents:

server ntp3.fau.de
driftfile /etc/ntp.drift

This driftfile stores the local Hardware Clock drift and is used at boot time to set the local System Clock to a more accurate time until a connection to a Time Server is achieved.

Note 1: If the local time has drifted off by more than 1000 seconds then a syslog message is generated and the clock must be set manually.

Note 2: It is also possible to use both methods, ntpd and ntpdate, at the same time.

Types of backups

• Full Backup

– Backs up all files

• Differential Backup

• Incremental Backup

[Figure: diagram of a Full backup followed by Incremental backups and a Differential backup]

Backs up all files, regardless of whether they were previously backed up or not. This method uses the most media space. In this case it is recommended to use compression like gzip or other methods to reduce the media space needed.

Differential Backup

• Saves only files that have been modified or created since the last Full Backup.

• Advantages:

– Only the full backup and the last good differential backup are needed to restore the whole of the data.

• Disadvantages:

– Takes longer to make than incremental backups and needs larger media.

Notes: Normally a Full backup is made and then regular differential Backups are performed.

Incremental Backup

• Each backup is an increment since the most recent backup (Full, Differential or previous Incremental).

• Advantages:

– Shorter to make than the differential backups and needs smaller media size.

• Disadvantages:

– All of the incremental backups, up to the last known good one, and the full backup are needed for restoring.

– If one of the incremental backups has some media fault, the entire backup may be unreliable.

Restoring data

• With differential backups:

1. Read the full backup.

2. Read the last good differential backup.

• With incremental backups:

1. Read the full backup.

2. Read sequentially each incremental backup up to the last good one.

With differential backups:

– The Full backup and the last good differential backup are needed.

With incremental backups:

– The Full backup and ALL of the incremental backups are needed.

Backup media device files

/dev/st0   First SCSI Tape Drive
/dev/ft0   First floppy-controller tape drive
/dev/fd0   First floppy disk drive
/dev/hdx   May be an ATAPI Zip or other removable disk

To create backups, external media devices are needed. The slide shows some common ones used under Linux.

Basic backup programs

tar

– Recursively creates archives of files and directories including file properties.

• Basic Mode options

– c   Create a new archive.

– t   List the content of the archive.

– x   Extract files from the archive.

Basic mode options

f tarfile
Unless tar is using standard I/O, use the 'f' option with tar to specify the tarfile. This might be simply a regular file or it may be a device such as /dev/st0.

v
Verbose mode. By default, tar runs silently. When 'v' is specified, tar reports each file as it is transferred.

w
Interactive mode. In this mode, tar asks for confirmation before archiving or restoring files. This option is useful only for small archives.

z
Enable compression. When using 'z', data is filtered through the gzip compression program prior to being written to the tarfile, saving additional space. The savings can be substantial, at times better than an order of magnitude depending on the data being compressed.

An archive created using the 'z' option must also be listed and extracted with 'z'; tar will not recognize a compressed file as a valid archive without the 'z' option. Tarfiles created with this option will have the .tar.gz file extension.

j
BZ2 Compression. Similar to the 'z' compression except that its compression method is a bit more efficient on the media space used. The filename of the archive should then have the extension .tar.bz2

N date
Store only files newer than the date specified. This option can be used to construct an incremental or differential backup scheme.

V "label"
Adds a label to the .tar archive. Quotes are required to prevent the label from being interpreted as a filename. A label is handy if you find an unmarked tape or poorly named tarfile.
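Added example, not part of the course material: a full tar backup followed by a differential backup built with the N option described above, then a restore in the order given under "Restoring data" (full first, then the last good differential), all inside a throw-away directory instead of a tape. It assumes GNU tar (for -N with a file argument and -V) and gzip; the file and function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the course slides: full + differential backup with
# tar -N, restored in the documented order. Runs under /tmp, not on a tape.
# Assumes GNU tar and gzip.
set -e
export LC_ALL=C

# Build constructed sample data: two files under data/etc.
make_sample_tree() {
    work=$(mktemp -d)
    mkdir -p "$work/data/etc" "$work/bak"
    printf 'hosts v1\n'  > "$work/data/etc/hosts"
    printf 'passwd v1\n' > "$work/data/etc/passwd"
    echo "$work"
}

# Full backup (c, z, f, V): everything under data/, compressed and labelled.
# The stamp file records when the full backup was taken; -N needs that date.
full_backup() {
    # $1 = work directory
    tar -C "$1" -czf "$1/bak/full.tar.gz" -V "full backup" data
    touch "$1/bak/full.stamp"
}

# Differential backup: only files newer than the full backup's stamp.
# GNU tar treats an -N argument starting with "/" as a file whose
# modification time is the reference date.
differential_backup() {
    # $1 = work directory, $2 = archive name under bak/
    tar -C "$1" -czf "$1/bak/$2" -N "$1/bak/full.stamp" data
}

# yes/no: is the given member path listed (t) in the archive?
archive_has() {
    # $1 = archive, $2 = member path
    if tar -tzf "$1" | grep -qx "$2"; then echo yes; else echo no; fi
}

# Restore in the documented order into a fresh directory and report:
#   <hosts in diff> <passwd in diff> <restored hosts> <restored passwd>
run_demo() {
    work=$(make_sample_tree)
    full_backup "$work"
    sleep 1                                       # let the clock pass the stamp
    printf 'hosts v2\n' > "$work/data/etc/hosts"  # one file changes afterwards
    differential_backup "$work" diff1.tar.gz

    mkdir "$work/restore"
    tar -C "$work/restore" -xzf "$work/bak/full.tar.gz"   # 1. full backup
    tar -C "$work/restore" -xzf "$work/bak/diff1.tar.gz"  # 2. last differential

    echo "$(archive_has "$work/bak/diff1.tar.gz" data/etc/hosts)" \
         "$(archive_has "$work/bak/diff1.tar.gz" data/etc/passwd)" \
         "$(cat "$work/restore/data/etc/hosts")" \
         "$(cat "$work/restore/data/etc/passwd")"
    rm -rf "$work"
}

run_demo
```

The unchanged file is reported by tar on stderr as "file is unchanged; not dumped" and is absent from the differential archive, while the restore ends with the new hosts and the original passwd.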

Basic backup programs

dump [-level] [-ua] [-f BackupFile] Source

– dump searches through files and decides which ones should be written.

• Options:

– level   0 to 9

– u   Update. Uses the file /etc/dumpdates to know which update to do.

– a   Automatically asks for next medium change.

– f BackupFile   Name of destination filename.

– Source   Device or directory name to back up.

From the BSD UNIX world, dump allows you to back up a whole partition or a full directory. But Linux dump is unique and written specially for ext2. Now a version for ReiserFS is also available.

Output of dump: Hard Disk, or Tape or File (option -f)

Feature: spans files over multiple media (medium change).

Max. Backup Levels: 10 (0-9)

Level 0: Full backup

Level 1-9: Incremental backup relative to the lower level backup.

Basic backup programs

• The file /etc/dumpdates contains a list of backups already done. Format:

Source BackupLevel Date_Time

Ex:

/dev/sda5 0 Sat May 18 23:55:32 2003
/dev/sda5 1 Mon May 20 23:54:13 2003

• Shows that on Sat. May 18 a Full backup was made using the command:

dump -0ua -f /dev/tape /dev/hda5

• and an incremental backup relative to the Full backup using the command:

dump -1ua -f /dev/tape /dev/hda5

Basic backup programs

restore -C -f BackupDevice

– Will compare (-C) the content of the BackupDevice (e.g. /dev/st0) to the original and the differences will be shown.

restore -i -f BackupDevice

– Will start in interactive (-i) mode and wait for commands relating to the list of files to restore.

This program is the counterpart of the backup program dump. It is not only used for restoring but also to compare the backed-up data with the current original data.

The most important commands are:

cd Directory   Changes to another directory on the backed-up medium.
ls [Directory|file]   Lists the current directory (like bash's ls).
add Directory|File   Adds the Dir. or File to the list to restore.
delete Directory|File   Deletes the Dir. or File from the list to restore.
extract   Starts restoring the files listed.
quit   Exits the restore program.

Important:

When restore is activated, it restores the files into the current directory. Therefore if files backed up to /dev/st0 need to be restored to /dev/hda8, which is mounted on /mnt/data, you need to change the current directory to the mount point.

Example:

cd /mnt/data
restore -r -f /dev/st0

Here the full Backup located on /dev/st0 will be restored to the directory /mnt/data, which is the mount point of the /dev/hda8 partition.

Restoring single files:

restore -x -f BackupDevice File1 File2 File3 ....

Restores File1 File2 File3 etc. from the BackupDevice to the current directory.

Basic backup programs

cpio [options]

• Modes of operation:

– copy-out (-o)

• The output of the program is an archive: Backup

– copy-in (-i)

• Files are extracted from the archive: Restore

– copy-pass (-p)

• Simple copy of files from one location to another: Copy

This backup utility can handle different types of backup format including the TAR format. Its advantage over tar is that it takes the list of the files to back up from STDIN instead of from the command line. This way it facilitates the use of the find program to feed the list of files to back up.

Example:

cpio -iv < /dev/tape

The above command reads in files from a tape and displays them as it is operating.

find / -name 'mart*' | cpio -pdv /home/martin/backups

Copies all files from the whole system which start with mart to the home subdirectory of martin, creating all the needed subdirectories (-d), using the verbose mode (-v). The pattern is quoted so that the shell does not expand it before find sees it.

Basic backup programs

cpio [options]

• Options

-d   Create directories if needed.
-f   Specifies a filename
-t   Shows the contents of an archive.
-u   Overwrites existing files
-v   Runs in verbose mode

find . -name "*.old" | cpio -ocBv >/dev/st0

Backup (-o) all files with ext. .old, using the new (SVR4) portable format (-c) and the block size of 5120 Bytes (-B) to a tape drive (/dev/st0), using the verbose mode (-v).

cpio -icdv "*.c" < /dev/st0

Restore (-i) all the *.c files using the new (SVR4) portable format (-c), creating new subdirectories if needed (-d) from the tape drive (/dev/st0), using the verbose mode (-v).

find . -depth | cpio -pd /tmp/newdir

Copy (-p) recursively all files in current directory (.) to /tmp/newdir, creating all the needed subdirectories (-d).

Basic backup programs

dd

dd if=InputFile of=OutputFile bs=BlockSize count=NumberOfBlocks

– The default for bs is the original block size of if=InputFile.

– The default for count is the whole device or file.

• Extra options:

ibs=InputBlockSize
obs=OutputBlockSize

• Set the input block size and the output block size when they differ.

Basic backup programs

dd if=InputFile of=OutputFile bs=BlockSize count=NumberOfBlocks

• Example

• Copy a full partition to a file:

dd if=/dev/hda4 of=/tmp/hda4_Image.img

• Backup the current MBR to a file:

dd if=/dev/hda of=/var/backup/MBR.img bs=512 count=1

Example

– To create a CD image file from a CD-ROM:

dd if=/dev/cdrom of=/home/martin/images/cdrom2.img

– To create a backup of a partition to a Streaming Tape:

dd if=/dev/hda4 of=/dev/st0

– To restore the above backup:

dd if=/dev/st0 of=/dev/hda4
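The MBR backup above, as an added example (not from the course slides) run against a constructed disk image file instead of /dev/hda, so the bs=512 count=1 result can be checked byte for byte. It assumes GNU dd; because the target here is a regular file rather than a device, the write-back uses conv=notrunc, since a plain of=image would truncate the image to 512 bytes. The file and function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the course slides: back up and restore the first
# sector of a constructed image with the same dd parameters as the slide.
# Assumes GNU dd (conv=notrunc) and a writable /tmp.
set -e

# Build a constructed 64-sector (32 KiB) image with a recognisable first sector.
make_image() {
    # $1 = path of the image to create
    dd if=/dev/zero of="$1" bs=512 count=64 2>/dev/null
    printf 'CONSTRUCTED-BOOT-SECTOR' | dd of="$1" conv=notrunc 2>/dev/null
}

# Same command as the slide, parameterised: first 512-byte block only.
backup_mbr() {
    # $1 = source device or image, $2 = destination file
    dd if="$1" of="$2" bs=512 count=1 2>/dev/null
}

# Put the saved sector back. conv=notrunc keeps the rest of the target intact;
# without it a regular file would be cut down to the 512 bytes written.
restore_mbr() {
    # $1 = saved sector file, $2 = target device or image
    dd if="$1" of="$2" bs=512 count=1 conv=notrunc 2>/dev/null
}

# Report "<backup size> <image size> <match>", where match is yes when the
# image's first 512 bytes equal the backup file after the restore.
run_demo() {
    work=$(mktemp -d)
    img="$work/disk.img"; mbr="$work/MBR.img"
    make_image "$img"
    backup_mbr "$img" "$mbr"

    # Simulate a damaged first sector, then restore it from the backup.
    dd if=/dev/zero of="$img" bs=512 count=1 conv=notrunc 2>/dev/null
    restore_mbr "$mbr" "$img"

    if head -c 512 "$img" | cmp -s - "$mbr"; then match=yes; else match=no; fi
    echo "$(wc -c < "$mbr" | tr -d ' ') $(wc -c < "$img" | tr -d ' ') $match"
    rm -rf "$work"
}

run_demo
```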

Summary

• Maintain system time

– Setting the system date and time

– Setting the BIOS clock to the correct time in UTC

– Configuring the correct timezone for the system

– Configuring the system to correct clock drift to match NTP clock.

• Maintain an effective data backup strategy

– Dumping a raw device to a file or vice versa

– Performing partial and manual backups

Key files, terms, and utilities include:

/usr/share/zoneinfo /etc/timezone /etc/localtime /etc/ntp.conf /etc/ntp.drift date hwclock ntpd ntpdate

cpio dd dump restore tar

LPI 102 Linux Junior Level Administration

Chapter 8

Printing

Last updated: 26 December 2003

2004, SaigonCTT All rights reserved

Objectives

• Manage printers and print queues

• Make sure that you understand the functions of lpr and lpd.

– lpr sends print jobs to lpd.

– lpd sends the jobs to the printer.

• Also familiarize yourself with the options used with lpr.

• Install and configure local and remote printers

LPI topics

1.107.2 Manage printers and print queues

Candidates should be able to manage print queues and user print jobs. This objective includes monitoring print server and user print queues and troubleshooting general printing problems.

1.107.3 Print files

Candidates should be able to manage print queues and manipulate print jobs. This objective includes adding and removing jobs from configured printer queues and converting text files to postscript for printing.

1.107.4 Install and configure local and remote printers

Candidates should be able to install a printer daemon, and install and configure a print filter (e.g. apsfilter, magicfilter). This objective includes making local and remote printers accessible for a Linux system, including PostScript, non-PostScript, and Samba printers.

How lp printing works

1. At boot time, lpd is run.

2. A user submits a job.

3. When the printer becomes available, the main lpd spawns a child lpd to handle the print job.

4. The child lpd executes the appropriate filter(s) for this job and sends the resulting data on to the printer.

1. At boot time, lpd is run. It waits for connections and manages printer queues.

2. A user submits a job with the lpr command or, alternatively, with an lpr front-end like GPR, PDQ, etc. lpr contacts lpd over the network (localhost or remote) and submits both the user's data file (containing the print data) and a control file (containing user options).

3. When the printer becomes available, the main lpd spawns a child lpd to handle the print job.

4. The child lpd executes the appropriate filter(s) (as specified in the if attribute in /etc/printcap) for this job and sends the resulting data on to the printer.

5. The lp system was originally designed when most printers were line printers - that is, people mostly printed plain ASCII. By placing all sorts of magic in the if filter, modern printing needs can be met with lpd (well, more or less; many other systems like CUPS do a better job).

Print related commands

• lpc

– Printer control

• lpd

– Print daemon - should be started as a runlevel service.

• lpq

– Print spool control. Display the print jobs in the print queue

Print related commands

• lpr

– The print spooler. Sends print jobs to lpd

• lprm

– Print job removal. Erases print jobs from the print queue

• pac

– Print account report generation

Principle of print queues under Linux

• The spool is a directory where print jobs are saved, then erased when finished.

• For each print job there are 2 files:

– Control file

• Name starts with cf. Contains information about the print job.

– Data file

• Name starts with df. Contains the actual data to send to the printer.

This directory is watched by a print queue daemon and jobs are printed sequentially if the printer is available. If the printer is not available for a while, the spool files will remain there until the printer becomes available again and the jobs are printed.

Definition of print queues in /etc/printcap

• Each printer gets its own spool directory:

/var/spool/lpd/printername

• The permissions of this directory are:

drw---S---

• The printer also has a queue control lock file:

lpd.lock.printername.printer

lp|hplaser|PS;r=600x600;q=medium;c=gray;p=a4;m=auto:\
    :sd=/var/spool/lpd/lp:\
    :lf=/var/spool/lpd/log:\
    ................
    ................

Each recognized local or network printer queue has an entry in /etc/printcap. These entries are explained in more detail in section 1.107.4.

Note:

lp is the default printer queue. hplaser is the default name for the printer queue. The sd=/var/.... (spool directory) defines the print queue directory. The lf=/var/.... (log file) defines the printer log file.

Other files

• /etc/lpd.perm

– Permissions database. Affects the behavior of lpd, lpc and lpq. Controls access to local and remote print jobs.

• /etc/lpd.conf

– Extensive configuration file for the lpd daemon.

Controlling the print queues

lpc [command] [value]

– Controlling the print queues

• Example

# lpc
lpc> up lp
(result)
lp:
    printing enabled
    daemon started

lpc commands:

?         Prints help about a command
abort     Kill active print daemon
clean     Removes unprintable files
disable   Turn off printers queue
down      Turn off printers queue
enable    Turn on printers queue
help      Prints help about a command
restart   Shuts down current session - starts a new one
start     Turns printing ON
status    Gives a status of queue
stop      Shuts off the spooling daemon
topq      Moves jobs to top of queue
up        Turns ON printer queue

Displaying print jobs

lpq [options] [job] [user]

– Displaying print jobs

• Options

– -Pprintqueue

• Name of print queue (printqueue) jobs to list. The default is the default print queue (lp).

– -l

• Requests a more verbose (long) reporting format.

– -a

• Reports jobs on all printers

This command also shows the status and warnings of the print queue.

Ex:

$ lpq -P clerk
Rank     Owner   Job   Files              Total Size
active   root    203   filter             9443
1        root    205   (standard input)   6827
2        jdean   206   (standard input)   403
3        jdean   207   cert1.txt          4865

Deleting print jobs

lprm [options] job [user]

– Deleting print jobs

• Options

– -Pprintqueue

• Name of print queue (printqueue) jobs to delete. The default is the default print queue (lp).

– -

• Single dash (-) will remove all print jobs.

– user

• (Optional). Deletes all print jobs of a user, e.g. lprm - harry

Ex:

$ lprm -P clerk 207
Request 207 cancelled

Important points

• Make sure you are familiar with the following:

– lpq, lprm and lpc commands and options.

• The option -P is used in lpq, lpr and lpc to specify the printer's name.

• lpc can work off the command line or in interactive mode.

lpc's syntax:

– it needs the printer(s) to be specified: all or printer

• enable and disable control the incoming jobs to the printing queue.

• stop and start control the sending of printing jobs to the printer and lpd's child processes.

– up and down control all of the above.

Controlling print queues

lpr [options] FileToPrint

– submits files for printing

– For its printer destination, 2 environment variables may be used:

• LPDEST

• PRINTER

– lpr submits files for printing. Files named on the command line are sent to the named printer (or the system default destination if no destination is specified). If no files are listed on the command line, lpr reads the print file from the standard input. In fact lpr doesn't send the print job directly to the printer, it sends it to the lpd daemon.

Sending a print job:

-Pprintqueue   Name of print queue (printqueue) to use. The default is the default print queue (lp).
-#n   Number (n) of copies to print (from 1 to 100).
-Kn   Same as above -#n
-Q spoolqueue   Selects a different spool queue from default.
-R remoteaccnt   Identifies the remote account name when sending remote jobs.
-w width   Defines the width of the page in characters (default=72).
-h "header"   Defines the page header to print instead of the default.
-l lines   Defines the number of lines per page (default=66).
-C string   Replace system name on the burst page with string.
-J name   Replace the job name on the burst page with name. If omitted, uses the first file's name.
-T title   Use title as the title when using pr.
-i [cols]   Indent the output. Default is 8 columns. Specify number of columns to indent with the cols argument.
-d   Double the line spacing.
-m   Send mail to notify of completion.
-b   Does not print a banner or a header.
-F   Specifies one of the following print formats:
-Fb   File has binary content and should be processed anyway.
-Fd   Accept the file as being written by the tex editor.
-Fn   Accept output from troff.
-Ft   Same as -n.
-Fp   Use pr to format the file before printing.
-Fr   Deletes the file after spooling.
-Fv   Assume a raster image.

Ex:

$ lpr -P clerk /etc/hosts
Request id is clerk-167

lpd daemon Print engine

lpd [options] [port]

– This daemon process is normally started at boot time and watches the print queues for incoming printing jobs.

• Options

– -F   Run in foreground, log to STDERR

– -L logfile   Append log information to logfile

– -V   Show version info

– -D dbglvl   Sets debug level and flags

• Ex: -D10,remote=5

– sets debug level to 10, remote flag = 5

Special file types converters for printing

mpage

– Reads a text or Postscript file and prints multiple pages on one sheet.

– The difference from the above tools is that it reads PostScript as well, including graphics.

• Example

• Print 4 pages on one sheet of paper.

# mpage -4 /etc/passwd

Special file types converters for printing

a2ps

– Converts ASCII text files to Postscript format.

– Default options result in:

• Print 2 pages on one sheet of paper. Each page is framed incl. filename, username and print date.

• Options

– p printername   Sends the output to a printer

– o filename   Saves the output to a file.

– o -   Sends the output to STDOUT.

– E   Pretty-Printing for C code, Bash scripts, etc.

Other tools:

enscript

– Same functions as a2ps plus a few more including:

• Control of the output - Pretty Printing

• Can also output: HTML, ANSI and RTF

• Can output 1, 2, 4, or 8 pages per printed page.

Printer definitions file

/etc/printcap

– Contains the definitions of local and remote printers.

• Example

– The printer device is local (:lp=/dev/lp0:)

lp|hplaser:\
    :lp=/dev/lp0:\
    :sd=/var/spool/lp:\
    :mx#0:\
    :lf=/var/spool/lp/hp-log:

Entries in this file are in reality only one line per printer; the '\' at the end of each line continues the single line, like in bash scripts. Except for the name of the printer, each item starts and ends with a ':'.

Keywords:

lp|ljet4:   lp (default) or ljet4 are 2 alias names of the printer.
:af=Filename:   Account File for the printer
:if=FilterName:   Input Filter Name
:lp=PrinterDevice:   Local Printer device, such as /dev/lp0.
:lf=Log_File:   Error messages log file.
:mx=Max_Size:   Maximum size of a print job in blocks. 0 = no limit
:rm=RemMachineName:   Remote Machine. Printer server name if used remotely.
:rp=RemPrinter:   Remote Printer Name on the remote machine.
:sd=Spool_directory:   Spool Directory under /var/spool/lpd.
:sh:   Suppress Header pages for a single printer definition.

Printer definitions file

/etc/printcap

– Contains the definitions of local and remote printers.

• Example

– This example doesn't use the keyword lp=, instead it uses rm= for remote:

lp1|remote printer on marvin:\
    :sd=/var/spool/lp1:\
    :rm=marvin.mydomain.net:\
    :rp=lp:\
    :sh:mx#0:

Note:

Pay attention to the function of /etc/printcap and its syntax, including the variables' keywords.

Using Filters

• Filters are used to convert different document formats (txt, HTML, Postscript, graphics, etc.) into Postscript format (ps).

• It is then passed on to GhostScript which (if needed) converts it into a raster format (printer-specific data) and then sends it to the printer.

Filters look at the 'Magic Code' at the beginning of a document to determine the type of file. If it is already a PostScript document it will be sent to GhostScript without changes.

Two of the most popular filters used in Linux (that we need to know for the LPI-102) are Apsfilter and Magicfilter.

apsfilter

• Its configuration file:

– /etc/apsfilter/apsfilterrc

• Its configuration tool:

– apsfilterconfig

• Its location:

– /usr/lib/apsfilter/filter/*

This popular filter program accepts files in the PostScript, TeX DVI, ASCII, PCL, GIF, TIFF, Sun Raster files, FIG, PNM (pbmplus), HTML, and PDF formats. It sends its own output (in .ps format) to GhostScript. Here are some printcap configuration examples using apsfilter:

ascii|lp1|ljet3d-letter-ascii-mono|ljet3d ascii mono:\
    :lp=/dev/lp0:\
    :sd=/var/spool/lpd/ljet3d-letter-ascii-mono:\
    :lf=/var/spool/lpd/ljet3d-letter-ascii-mono/log:\
    :af=/var/spool/lpd/ljet3d-letter-ascii-mono/acct:\
    :if=/usr/lib/apsfilter/filter/aps-ljet3d-letter-ascii-mono:\
    :mx#0:\
    :sh:

lp|lp2|ljet3d-letter-auto-mono|ljet3d auto mono:\
    :lp=/dev/lp0:\
    :sd=/var/spool/lpd/ljet3d-letter-auto-mono:\
    :lf=/var/spool/lpd/ljet3d-letter-auto-mono/log:\
    :af=/var/spool/lpd/ljet3d-letter-auto-mono/acct:\
    :if=/usr/lib/apsfilter/filter/aps-ljet3d-letter-auto-mono:\
    :mx#0:\
    :sh:

raw|lp3|ljet3d-letter-raw|ljet3d auto raw:\
    :lp=/dev/lp0:\
    :sd=/var/spool/lpd/ljet3d-raw:\
    :lf=/var/spool/lpd/ljet3d-raw/log:\
    :af=/var/spool/lpd/ljet3d-raw/acct:\
    :if=/usr/lib/apsfilter/filter/aps-ljet3d-letter-raw:\
    :mx#0:\
    :sh:

As you can see, the installation creates three printer definitions, each with multiple aliases and each using the same output device. This allows some degree of control over the filter, because the selection of the queue implies specific print parameters. The first definition (ascii) is intended to allow the user to force the printing of plain text even if the data is a PostScript program. The second entry (lp, the default) is the standard magic APSfilter, which tries to identify the data type itself. The last definition allows users to force APSfilter to send raw data directly to the printer with no intervention. This can be useful, for example, if you wish to print a PostScript file's programming instructions.

Magicfilter

• The magicfilter is expandable and automatic.

• It loads the proper filter dynamically according to the Magic-Number located at the beginning of the data to print.

• The entry if= in /etc/printcap should point to one of the pre-configured scripts in:

– /etc/magicfilter/

• Each one of these scripts starts with the line:

– #!/usr/sbin/magicfilter

which will run (for setting magicfilter options) using the magicfilter script interpreter. The format of the scripts is:

FileOffset MagicNumber WhatToDo

0 GIF87a pipe /usr/bin/gif2pnm 2>/dev/null
0 GIF89a pipe /usr/bin/gif2pnm 2>/dev/null

which tells magicfilter that if the FileToPrint starts with the characters GIF87a or GIF89a then convert the file to PNM format before sending it to GhostScript. To facilitate the process of configuring these scripts, a configuration script called magicfilterconfig is provided with the magicfilter. Here is an example of an entry of the magicfilter in printcap:

lp|hplj4l|HP Laserjet 4L:\
    :lp=/dev/lp1:sd=/var/spool/lpd/hplj4l:\
    :sh:pw#80:pl#72:px#1440:mx#0:\
    :if=/etc/magicfilter/ljet4l-filter:\
    :af=/var/log/lp-acct:lf=/var/log/lp-errs:

The pw#, pl#, px# and mx# are settings of:

PageWidth (pw#) in characters: 80 chars
PageLength (pl#) in lines: 72 lines
PageWidth (px#) in pixels: 1440 pixels
Maximum File Size (mx#): unlimited file size (0)

Linking to a remote Windows print server

• It is possible to point the printing destination to a printer share installed on a remote Windows or Samba Print Server.

• Example

lp2|remote-smbprinter:\
    :lp=/dev/null:sh:\
    :sd=/var/spool/lp2:\
    :if=/usr/local/sbin/smbprint:

Since the InputFilter entry (if=) in printcap is used to start a particular program to handle the printing, a script using the smbclient program can be used to send the job to an SMB Print server. For this to work we need to install the package containing smbclient. Here we call the script smbprint.

This script (/usr/local/sbin/smbprint) must have the following entries:

– Host Name/IP of the print server

– Printername on the server

– Username and password on the printer server

Syntax:

/usr/bin/smbclient //Server/PrinterName Password -U UserName

Example:

/usr/bin/smbclient //prntsrv1/lpdj4 mot3tl6i -U barbara

The print daemon lpd

For the printing system to work a printing process must be started.

1. In this case the lpd daemon should be started, normally at boot time.

2. Once started it reads /etc/printcap and watches the print queues in /var/spool/lpd/printername/

3. Which hosts are allowed to use the printers is defined in /etc/hosts.lpd

Summary

• Manage printers and print queues

• Make sure that you understand the functions of lpr and lpd.

– lpr sends print jobs to lpd.

– lpd sends the jobs to the printer.

• Also familiarize yourself with the options used with lpr.

• Install and configure local and remote printers

Key files, terms, and utilities include:

/etc/printcap
/etc/apsfilter/*
/var/lib/apsfilter/*/
/etc/magicfilter/*/
/var/spool/lpd/*/
lpr
lpq
lprm
lpc
lp
lpd
mpage

LPI 102 Linux Junior Level Administration

Chapter 09

Networking Fundamentals

Objectives

• The IP-addresses, network masks

• The network classes and classless subnets (CIDR)

• The reserved addresses for private network use.

• The function and application of a default route.

• Basic internet protocols (IP, ICMP, TCP, UDP)

• The more common TCP and UDP ports

• Manual and automatic configuration of interfaces.

• Configure Linux as a DHCP client and a TCP/IP host

• The definition of the chat sequence to connect

• Initialization and termination of a PPP connection.


LPI Topics:

1.112.1 Fundamentals of TCP/IP

This objective includes the understanding of IP-addresses, network masks and what they mean (i.e. determine a network and broadcast address for a host based on its subnet mask in "dotted quad" or abbreviated notation or determine the network address, broadcast address and netmask when given an IP-address and number of bits). It also covers the understanding of the network classes and classless subnets (CIDR) and the reserved addresses for private network use. It includes the understanding of the function and application of a default route. It also includes the understanding of basic internet protocols (IP, ICMP, TCP, UDP) and the more common TCP and UDP ports (20, 21, 23, 25, 53, 80, 110, 119, 139, 143, 161).

1.112.3 TCP/IP configuration and troubleshooting

This objective includes manual and automatic configuration of interfaces and routing tables. This especially means to add, start, stop, restart, delete or reconfigure network interfaces. It also means to change, view or configure the routing table and to correct an improperly set default route manually. Candidates should be able to configure Linux as a DHCP client and a TCP/IP host and to debug problems associated with the network configuration.

1.112.4 Configure Linux as a PPP client

This objective includes the definition of the chat sequence to connect (given a login example) and the setup commands to be run automatically when a PPP connection is made. It also includes initialisation and termination of a PPP connection, with a modem, ISDN or ADSL and setting PPP to automatically reconnect if disconnected.


OSI and TCP/IP models

OSI Model                              TCP/IP Stack         Protocols
Application, Presentation, Session     Process              FTP, Telnet, SSH, HTTP, ...
Transport                              Host to Host         TCP, UDP
Network                                Internetwork         IP, ICMP, ARP, OSPF, EGP
Data Link, Physical                    Network Interface    Ethernet, FDDI, AAL5, PPP, PPPoE (Ethernet frame)

IP Address Classes

Class   Start Address    End Address        Netmask

Normal Internet addresses (unicast = single machine)
A       1.0.0.0          127.255.255.255    255.0.0.0
B       128.0.0.0        191.255.255.255    255.255.0.0
C       192.0.0.0        223.255.255.255    255.255.255.0

Reserved addresses (not routable on the Internet, reserved for intranet use) per RFC 1597
A       10.0.0.0         10.255.255.255     255.0.0.0
B       172.16.0.0       172.31.255.255     255.255.0.0
C       192.168.0.0      192.168.255.255    255.255.255.0

Special addresses (reserved)
D       224.0.0.0        239.255.255.255    (multicast groups)
        RIPv2  224.0.0.9  All RIPv2 routers
        OSPF   224.0.0.5  All OSPF routers
        OSPF   224.0.0.6  Some OSPF routers
E       240.0.0.0        255.255.255.255    (Internet administration)
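The objective above asks the candidate to derive the network address, broadcast address and netmask of a host from its address and mask (dotted quad or "/bits" notation) and to recognise the classful and RFC 1597 private ranges of the table. The following Python program is an added example, not part of the course material: it implements that arithmetic with the standard library ipaddress module and classifies the address against the table. The demo addresses at the bottom are constructed for illustration.

```python
"""IPv4 network, broadcast and netmask calculations (added example)."""
import ipaddress  # standard library; does the mask arithmetic for us

# RFC 1597 private ranges, exactly the three rows of the table above
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def address_class(addr):
    """Classful letter from the first octet, following the table above."""
    first = int(addr.split(".")[0])
    if 1 <= first <= 127:
        return "A"
    if 128 <= first <= 191:
        return "B"
    if 192 <= first <= 223:
        return "C"
    if 224 <= first <= 239:
        return "D"
    if first >= 240:
        return "E"
    return "unassigned"   # 0.x.x.x is outside every class in the table


def is_private(addr):
    """True when the address falls in one of the RFC 1597 ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_RANGES)


def subnet_info(host, mask=None):
    """host is "a.b.c.d/bits" or a bare address; mask is an optional dotted quad."""
    if mask is not None:
        host = "%s/%s" % (host, mask)
    addr = host.split("/")[0]
    # strict=False: we pass a host address, so host bits may be set
    net = ipaddress.ip_network(host, strict=False)
    return {
        "address": addr,
        "netmask": str(net.netmask),
        "prefix": net.prefixlen,
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "class": address_class(addr),
        "private": is_private(addr),
        "usable_hosts": max(net.num_addresses - 2, 0),
    }


if __name__ == "__main__":
    # constructed demo input: the host shown in the ifconfig output later in this chapter
    for key, value in subnet_info("192.168.20.74", "255.255.255.0").items():
        print("%-12s %s" % (key, value))
```

subnet_info accepts both forms the objective mentions: subnet_info("172.20.5.9/20") and subnet_info("192.168.20.74", "255.255.255.0") give the same kind of answer, so the same routine checks a hand-calculated exam answer either way.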

ICMP Messages

• Error messages

– 3   Destination unreachable
– 4   Source quench
– 5   Redirect
– 11  Time exceeded
– 12  Parameter problem

• Information messages

– 0   Echo reply
– 8   Echo request
– 13  Timestamp
– 14  Timestamp reply
– 15  Information request
– 16  Information reply
– 17  Address mask request
– 18  Address mask reply

TCP/IP Services

Protocol      Transport            Port   Description
FTP-Data      TCP                  20     Data channel of an FTP connection
FTP           TCP                  21     Control channel of an FTP connection
SSH           TCP or UDP           22     Secure Shell
TELNET        TCP                  23     Terminal emulation over the network
SMTP          TCP                  25     Simple Mail Transfer Protocol
DNS           TCP or mostly UDP    53     Domain Name Server
WWW/HTTP      mostly TCP or UDP    80     Hypertext Transfer Protocol
POP3          TCP or UDP           110    Post Office Protocol
NNTP          TCP                  119    Net News Transfer Protocol
NetBIOS-SSN   TCP or mostly UDP    139    Windows network session service
IMAP2         TCP or UDP           143    Interim Mail Access Protocol (Encrypted)
SNMP          UDP                  161    Simple Network Management Protocol

Networking configuration files

• /etc/HOSTNAME or /etc/hostname

– Contains the name (FQDN) of the present host

• /etc/hosts

– Contains a translation table of IPs and equivalent hostnames: a short and/or long name(s) per IP.

• /etc/networks

– Contains a translation table of network addresses and equivalent network name(s)

$ cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost.localdomain localhost
192.168.20.136 guardian_angel

Setting the Linux host name

• Checking your Linux host name

First, see if your host name is set correctly using the following commands:

uname -n
hostname
hostname -a
hostname -s
hostname -d
hostname -f

If the above commands return correctly with no errors then all may be well; however, you may want to read on to verify that all settings are correct.

• Configuring /etc/hosts

If you have a static IP address, then /etc/hosts is configured as follows:

127.0.0.1 localhost.localdomain localhost
192.168.0.10 mybox.mydomain.com mybox

• Setting the host name using "hostname"

After updating the /etc/hosts file correctly, the "hostname" command should be run as follows to set your hostname:

hostname mybox.mydomain.com

• Checking /etc/HOSTNAME (if present)

You may or may not have the file /etc/HOSTNAME; if present, it contains the host name:

mybox.mydomain.com

• Checking /etc/sysconfig/network

If you have a static IP address, then /etc/sysconfig/network is configured as follows:

NETWORKING=yes
HOSTNAME="mybox.mydomain.com"

• Checking /proc/sys/kernel/hostname

This is checked with the following command:

cat /proc/sys/kernel/hostname

If you need to set this file, you can either reboot or set it now with the following command:

echo mybox.mydomain.com > /proc/sys/kernel/hostname

• Dynamic DNS - updating the local DNS server with your host name and DHCP IP

For Red Hat Linux, if you receive your IP address from a DHCP server, you may update the local DNS server by adding the following line to the correct ifcfg file in /etc/sysconfig/network-scripts, such as ifcfg-eth0 or ifcfg-eth1:

DHCP_HOSTNAME="mybox.mydomain.com"
IPADDR='192.168.20.229'
NETMASK='255.255.255.0'
NETWORK='192.168.20.0'
GATEWAY='192.168.20.1'

or, if running Debian, edit /etc/network/interfaces as follows (adding the hostname line):

iface eth0 inet dhcp
    hostname mybox.mydomain.com

Networking configuration files

• /etc/host.conf

– Contains the sequence that the local resolver should follow for translating a name to an IP (resolving). Example:

– multi on

• Multiple names are allowed per host

– order hosts,bind

• First try to resolve using /etc/hosts, then use DNS queries

• /etc/nsswitch.conf

– Same purpose as /etc/host.conf, but with a more refined function.

• /etc/resolv.conf

– List of search domains for resolving short names and a list (max 3) of IPs of name servers.

$ cat /etc/host.conf

order hosts,bind

$ cat /etc/nsswitch.conf

passwd: files

shadow: files

group: files

hosts: files dns

bootparams: nisplus [NOTFOUND=return] files

ethers: files

netmasks: files

networks: files

protocols: files

<......>

$ cat /etc/resolv.conf

search linux.local

domain linux.local (deprecated)

nameserver 194.25.2.129

nameserver 192.76.144.66

nameserver 145.253.2.171


TCP/IP Network Tools

• ping

– Sends an ICMP packet (type 8) to verify the presence of a remote host. The remote host normally sends an ICMP packet (type 0) back.

• traceroute

– Displays the names/IPs of the routers encountered on the way to a remote destination.

• whois

– Asks a whois server (RFC 812) for the owner and administrator of a DNS domain.

• host, nslookup, nsquery, dig

– Ask a DNS (name server) to translate an FQDN to an IP or the reverse.

• Destination host unreachable

$ ping 192.168.20.136
PING 192.168.20.136 (192.168.20.136) 56(84) bytes of data.
From 192.168.20.74 icmp_seq=1 Destination Host Unreachable
From 192.168.20.74 icmp_seq=2 Destination Host Unreachable
<.....>

• Destination host available

$ ping 192.168.20.233
PING 192.168.20.233 (192.168.20.233) 56(84) bytes of data.
64 bytes from 192.168.20.233: icmp_seq=1 ttl=255 time=0.322 ms
64 bytes from 192.168.20.233: icmp_seq=2 ttl=255 time=0.492 ms
<.....>

Try the following commands:

$ traceroute www.google.com.vn
$ whois www.google.com
$ host www.google.com
$ nslookup www.google.com
$ dig www.google.com.vn

TCP/IP Network Tools

• dig . ns

– Displays the list of all root DNS servers (hint type servers).

• hostname

– Displays different parts or all of the local host FQDN.

• domainname

– Displays the local NIS domain name (different from the DNS name).

• dnsdomainname

– Displays the local DNS domain name.

$ hostname
lpi.lpilinux
$ dnsdomainname
lpilinux

TCP/IP Network Tools

• ifconfig

– Tool to configure or turn off the network interface.

• route

– Tool to display, set and erase entries in the routing table.

• netstat

– Tool to display a variety of network information including:

• Routing table
• UNIX and TCP/IP sockets
• Ports in listening mode
• Present TCP/UDP connection status

• View all interface information

# ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:0C:29:63:82:8F
          inet addr:192.168.20.74  Bcast:192.168.20.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4967 errors:0 dropped:0 overruns:0 frame:0
          TX packets:305 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:3527140 (3.3 Mb)  TX bytes:35058 (34.2 Kb)
          Interrupt:10 Base address:0x1080
<....>

• Add default gateway

# route add default gw 192.168.20.1

• Display a variety of network information

# netstat -na

TCP/IP Network Tools

• tcpdump

– A network sniffer program to display the content of network packets.

• dhcpcd

– DHCP client program (the one used by SuSE)

• pump

– DHCP client program (the one used by Red Hat)

• dhclient

– ISC DHCP client program, with extended functions compared to the above two DHCP clients.

Try tcpdump:

# tcpdump

Boot time scripts

• These scripts are part of the runlevel system and are run at boot time.

• They are normally located in:

– /etc/init.d/*

• Notes:

– These scripts often use configuration files located in /etc/ or subdirectories of /etc.

Example: /etc/sysconfig/network/*

Frontends for ifconfig and route (ifup and ifdown) are often used to configure the network interface; their usage is easier than on the command line.

Connection protocols

• Most TCP/IP connections use one of the following connection protocols:

– Ethernet with MAC address (ARP protocol)

– SLIP (Serial Line IP): older and hardly used any more

– PPP (Point to Point Protocol): mostly used.

PPP Protocol

• The PPP protocol comes in different versions:

PPP       for analog modems
syncPPP   for ISDN
PPPoE     for DSL

This protocol allows a connection from one host to another via a point-to-point link. It can also be used to connect to a host which is a gateway to the Internet. This is the way it is mostly used these days.

Sequence of PPP connection build-up

• 1 - Modem connection build-up

• 2 - PPP connection via login chat script

• 3 - PPP connection set-up

Modem connection build-up

The modem connection build-up is usually done by controlling the analog/ISDN/DSL modem in order to establish contact between the local and a remote modem. With analog modems this control is achieved via 'AT' (Hayes compatible) commands sent to the modem. After each command, if it is successful, the modem answers with an 'OK'.

Example:

ATZ          Reset the modem to user settings
AT&F         Reset the modem to factory settings
ATD0017853   Dial the number 0017853

Once the modems have synchronized, the local modem sends a message that contains the word CONNECT (e.g. CONNECT 28800) to the dialer. Once the modems have connected and synchronized, they become transparent and simulate a simple serial cable connection between the two hosts. The modem connection is then established.

PPP connection via login chat script

• Once the modem connection is completed, the remote getty program (on the PPP server) sends the message Login: and waits.

• At this point the pppd daemon needs to be started with its positional parameters, which set:

– The login program and its parameters

– The device connected to the modem

– The speed of the connection

Example:

pppd "chat -f /etc/ppp/provider" /dev/ttyS1 38400

Using the login script (/etc/ppp/provider) the local chat program will start answering the remote getty with the login name and its respective password. When the chat program finishes its script successfully, the PPP connection is established.

The authentication protocols supported by the login are: PAP, CHAP, MSCHAP

PPP connection set-up

– As soon as the login connection is established, pppd starts the shell script /etc/ppp/ip-up with the following list of positional parameters:

ip-up InterfaceName Device Speed Local_IP Remote_IP

• Example:

ip-up /dev/ttyS1 /dev/ppp0 38400 136.36.27.93 42.94.78.35

– This script will take care of some of the necessary preparations including:

• Writing the proper name server IPs in /etc/resolv.conf if needed
• Starting the firewall if needed
• Starting any other needed process if needed.

– The PPP connection is then established.

Note: After pppd has shut down the connection, it starts the /etc/ppp/ip-down script, which is a symbolic link to ip-up.

The dialer wvdial

This dialing program will take charge of:

• Dialing the modem with AT commands

• Answering the remote getty with name and password (the chat program is not needed)

• Starting the pppd daemon. The pppd daemon is responsible for starting the ip-up and ip-down scripts.

• Its configuration file: /etc/wvdial.conf

• Content of /etc/wvdial.conf:

[Dialer Defaults]

• Default dialing parameters for all connections.

[Dialer ProviderName]

• Dialing parameters for this provider connection.

Example:

[Dialer Defaults]
Modem = /dev/modem
Baud = 57600
Init1 = ATZ
Dial Command = ATDT
Idle Seconds = 360
Phone = 0192479264
Username = michel
Password = mypasswd

[Dialer provider1]
Phone = 0987654321
Username = hans
Password = hanspasswd

[Dialer provider2]
Phone = 0918273645
Login Prompt = mariette:
Username = imueller
Password = pw5Xvg$

pppd options

• The pppd daemon uses the general options file /etc/ppp/options.

• It also uses an individual options file per network interface device, /etc/ppp/options.DeviceName.

• Example:

– /etc/ppp/options.modem for the /dev/modem interface.

Shutting down a PPP connection

• To shut down a PPP connection, we only need to kill the pppd process.

• The most appropriate way to do this is to send the signal INT to pppd:

kill -INT $(cat /var/run/ppp0.pid)

• This kills the pppd process responsible for the ppp0 connection.

Summary

• The IP addresses, network masks

• The network classes and classless subnets (CIDR)

• The reserved addresses for private network use.

• The function and application of a default route.

• Basic internet protocols (IP, ICMP, TCP, UDP)

• The more common TCP and UDP ports

• Manual and automatic configuration of interfaces.

• Configure Linux as a DHCP client and a TCP/IP host

• The definition of the chat sequence to connect

• Initialization and termination of a PPP connection.

Key files, terms, and utilities include:

/etc/services
/etc/HOSTNAME or /etc/hostname
/etc/hosts
/etc/networks
/etc/host.conf
/etc/resolv.conf
/etc/nsswitch.conf
/etc/ppp/options.*
/etc/ppp/peers/*
/etc/wvdial.conf
/etc/ppp/ip-up
/etc/ppp/ip-down
the network scripts run during system initialization

ftp, telnet, host, ping, dig, traceroute, whois, ifconfig, route, dhcpcd, dhcpclient, pump, hostname (domainname, dnsdomainname), netstat, tcpdump, wvdial, pppd

LPI 102 Linux Junior Level Administration

Chapter 10

Networking Services, Part 1

Objectives

• Use tcpwrappers to allow or deny services on a host-by-host basis.

• Manually start, stop, and restart internet services

• Configure basic network services including telnet and ftp.

• Create mail aliases, start and stop sendmail.

• The domain registration and DNS translation process.

• Key differences in configuration files for bind 4 and bind 8.

LPI Topics:

1.113.1 Configure and manage inetd, xinetd, and related services

Candidates should be able to configure which services are available through inetd, use tcpwrappers to allow or deny services on a host-by-host basis, manually start, stop, and restart internet services, configure basic network services including telnet and ftp. Set a service to run as another user instead of the default in inetd.conf.

1.113.2 Operate and perform basic configuration of sendmail

Candidate should be able to modify simple parameters in sendmail configuration files (including the "Smart Host" parameter, if necessary), create mail aliases, manage the mail queue, start and stop sendmail, configure mail forwarding and perform basic troubleshooting of sendmail. The objective includes checking for and closing open relay on the mailserver. It does not include advanced custom configuration of Sendmail.

1.113.5 Setup and configure basic DNS services

Requires an understanding of the domain registration and DNS translation process. Requires understanding key differences in configuration files for bind 4 and bind 8.


inetd

• The inet daemon acts as a network super server providing several networking services, such as:

– auth, bootps, telnet, ftp, tftp, exec, rsh, rlogin, ...

This daemon uses the settings in its configuration file /etc/inetd.conf to determine which service ports will be watched and which service programs are associated with them. When a service port receives a request from a client, inetd can be configured to use a tcpwrapper which will check if the client host is allowed to use this service before the service program is started.

The configuration file inetd.conf

• Each port that needs to be watched gets one configuration line.

• The parameters are separated with spaces or TABs.

• Example:

service  socketType  protocol  wait    user  program         arguments
ftp      stream      tcp       nowait  root  /usr/sbin/tcpd  wuftpd
telnet   stream      tcp       nowait  root  /usr/sbin/tcpd  telnetd

service

– Name of the service referenced in the file /etc/services

socket

– Can be stream, dgram, raw, rdm or seqpacket:

stream      TCP
dgram       UDP
raw         raw format
rdm         Reliable Delivered Message
seqpacket   Sequenced Packet Socket

wait

– Can be wait or nowait. Tells inetd whether it should wait for the server to come back before accepting another client connection.

– nowait is used for multi-threaded services (most services)

– wait is used for single-threaded services (some UDP services), e.g. comsat, biff, talkd and tftpd

user

– Which local user will be the owner of the service process.

program

– Program to start to provide the service (normally the tcpd tcpwrapper)

arguments

– Either the service program as arguments for the tcpd tcp wrapper, or the service program itself without tcpwrapper, which is NOT recommended.
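The field layout described above is all an administrator needs to audit an inetd.conf for the two things the slides warn about: services started without the tcpd wrapper (so hosts.allow/hosts.deny are never consulted) and services whose process runs as root. The Python below is an added example, not from the course or the inetd project; it parses the seven positional fields and reports those findings. The sample configuration is constructed for illustration.

```python
"""Parse inetd.conf lines and flag services that bypass tcpd or run as root (added example)."""
from collections import namedtuple

# Constructed sample, not a real system's /etc/inetd.conf
SAMPLE_INETD_CONF = """\
# service  socket  proto  wait    user    program               arguments
ftp        stream  tcp    nowait  root    /usr/sbin/tcpd        wuftpd
telnet     stream  tcp    nowait  root    /usr/sbin/tcpd        telnetd
finger     stream  tcp    nowait  nobody  /usr/sbin/in.fingerd  in.fingerd
tftp       dgram   udp    wait    root    /usr/sbin/in.tftpd    in.tftpd /tftpboot
#shell     stream  tcp    nowait  root    /usr/sbin/tcpd        in.rshd
"""

# The seven positional fields of an inetd.conf line, in the order given above
Entry = namedtuple("Entry", "service socket proto wait user program args")


def parse_inetd_conf(text):
    """Return one Entry per active (non-comment) line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # commented-out services are not watched
        fields = line.split(None, 6)      # at most 7 fields; arguments may contain spaces
        if len(fields) < 6:
            continue                      # malformed line: inetd would reject it too
        fields += [""] * (7 - len(fields))
        entries.append(Entry(*fields))
    return entries


def audit(entries):
    """Return (service, finding) pairs for the risks named in the slide text."""
    findings = []
    for e in entries:
        program_name = e.program.rsplit("/", 1)[-1]
        if program_name != "tcpd":
            findings.append((e.service, "started without the tcpd wrapper"))
        if e.user == "root":
            findings.append((e.service, "service process runs as root"))
    return findings


if __name__ == "__main__":
    for service, finding in audit(parse_inetd_conf(SAMPLE_INETD_CONF)):
        print("%-8s %s" % (service, finding))
```

Running it against a real /etc/inetd.conf (read the file instead of SAMPLE_INETD_CONF) lists every service that should be switched to the tcpd form or to a dedicated unprivileged user, which is the change the "arguments" description above recommends.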

xinetd

• This more recent superdaemon allows for more flexibility and security.

• It uses one main configuration file, /etc/xinetd.conf, which can be extended to multiple service definition files via the parameter includedir:

– includedir /etc/xinetd.d

• All files in the /etc/xinetd.d/ directory are then read.

Advantages of xinetd over inetd

• xinetd uses the control files (hosts.allow and hosts.deny) directly without the need to use the tcpwrapper tcpd.

• Limits the connections either in general, per client or per service

• Certain clients can be given certain services vs. others

• Protection against Denial of Service attacks

• Produces its own log files independently from syslogd

• Possibility to redirect incoming requests to another server (e.g. in a DMZ)

• Full support of IPv6

• Interaction with the client: different messages for success vs. failure to connect.

Example of xinetd.conf:

defaults
{
    instances       = 15
    log_type        = FILE /var/log/xinetd.log
    #log_type       = SYSLOG daemon info
    log_on_success  = HOST PID USERID DURATION EXIT
    log_on_failure  = HOST USERID RECORD
    only_from       = 192.0.0.0/8
    disabled        = shell login exec comsat
    disabled        += telnet ftp
    disabled        += name uucp tftp
    disabled        += finger systat netstat
}

service ftp
{
    socket_type     = stream
    wait            = no
    user            = root
    server          = /usr/sbin/in.ftpd
    server_args     = -l
    instances       = 4
    access_times    = 7:00-12:30 13:30-21:00
    nice            = 10
    only_from       = 192.168.1.0/24
    disable         = yes
}

xinetd.conf

• To convert parameters from inetd format to xinetd format:

– xconv.pl

• It is delivered with the xinetd package.

• The xinetd.conf contains the default and per-service definitions.

• The default definitions are used for all of the services.

Deactivated parameters start the line with a '#'. The parameter meanings are somewhat similar to those of inetd.conf but allow for more flexibility. The service definition block starts with the word service followed by the service name, then all of the parameters for this service are enclosed within curly brackets '{....}'. The parameter disable = yes says that the service is disabled. It must be set to no to enable it.

= sets the value, += adds the value (to the default values), -= deletes the value (from the default values)
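The =, += and -= operators and the inheritance of the defaults block are where xinetd configurations are most often misread. The following Python is an added example, not code from the xinetd project: it models how a list attribute such as disabled is built up line by line, how a service block starts from a copy of the defaults and applies its own operators on top, and how a service ends up disabled either through the defaults' disabled list or through disable = yes in its own block. The configuration text is constructed for the example.

```python
"""Model xinetd's =, +=, -= operators and defaults inheritance (added example)."""
import re

# Constructed sample xinetd.conf, not a real system's configuration
SAMPLE_CONF = """\
defaults
{
    instances       = 15
    only_from       = 192.0.0.0/8
    disabled        = shell login exec comsat
    disabled        += telnet ftp
    disabled        -= ftp
}

service ftp
{
    socket_type     = stream
    wait            = no
    user            = root
    server          = /usr/sbin/in.ftpd
    only_from       += 192.168.1.0/24
    disable         = yes
}

service finger
{
    socket_type     = stream
    wait            = no
    user            = nobody
    server          = /usr/sbin/in.fingerd
}
"""

ATTR_RE = re.compile(r"^(\w+)\s*(\+=|-=|=)\s*(.*?)\s*$")


def apply_op(attrs, key, op, value):
    """Apply one 'key op value' line to a dict of attribute value lists."""
    values = value.split()
    if op == "=":
        attrs[key] = values                      # replace whatever was inherited
    elif op == "+=":
        current = attrs.setdefault(key, [])      # append to the inherited values
        for v in values:
            if v not in current:
                current.append(v)
    else:                                        # "-=": remove from the inherited values
        attrs[key] = [v for v in attrs.get(key, []) if v not in values]


def parse_xinetd(text):
    """Return {"defaults": {attr: [values]}, "services": {name: [(key, op, value), ...]}}."""
    conf = {"defaults": {}, "services": {}}
    target = None                                # container for the block being read
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line in ("{", "}"):
            continue                             # '#' deactivates a parameter
        if line == "defaults":
            target = conf["defaults"]
        elif line.startswith("service "):
            target = conf["services"].setdefault(line.split(None, 1)[1], [])
        else:
            m = ATTR_RE.match(line)
            if m is None or target is None:
                continue
            if isinstance(target, dict):
                apply_op(target, *m.groups())    # defaults: apply immediately
            else:
                target.append(m.groups())        # service: keep the ops for effective()
    return conf


def effective(conf, name):
    """Attributes of a service: a copy of the defaults with the service's own ops applied."""
    merged = {k: list(v) for k, v in conf["defaults"].items()}
    for key, op, value in conf["services"].get(name, []):
        apply_op(merged, key, op, value)
    return merged


def is_enabled(conf, name):
    """A service runs only if it has a block, is not in 'disabled', and has no 'disable = yes'."""
    if name not in conf["services"]:
        return False
    if name in conf["defaults"].get("disabled", []):
        return False
    return effective(conf, name).get("disable", ["no"]) != ["yes"]
```

In the sample, ftp is removed from the defaults' disabled list with -= but still does not run, because its own block says disable = yes; finger inherits instances = 15 and only_from from the defaults and is the only enabled service.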

tcpwrappers

• The tcpwrappers are programs that use configuration files to check if the client host is allowed to use the requested service.

• One commonly used tcpwrapper is tcpd.

• It uses the /etc/hosts.allow and /etc/hosts.deny files for this purpose.

• Format of hosts.allow and hosts.deny:

daemon: [client1].... [EXCEPT client2 [client3] ....]

They contain a listing of hosts allowed to use each service. Here is the logic:

– If neither file exists, then all hosts are allowed to use all watched services.

– The access control software consults two files. The search stops at the first match:

• Access will be granted when a (daemon, client) pair matches an entry in the /etc/hosts.allow file.
• Otherwise, access will be denied when a (daemon, client) pair matches an entry in the /etc/hosts.deny file.
• Otherwise, access will be granted.

The command tcpdchk will verify the syntax of the /etc/hosts.allow and /etc/hosts.deny files.

Examples:

ALL: LOCAL @some_netgroup
ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
in.fingerd: .mydomain.com EXCEPT hacker.mydomain.com
vsftpd: .mylocal.domains

Wildcards

• ALL

– The universal wildcard, always matches.

• LOCAL

– Matches any host whose name does not contain a dot character.

• UNKNOWN

– Matches any user whose name is unknown, and matches any host whose name or address is unknown. This pattern should be used with care: host names may be unavailable due to temporary name server problems. A network address will be unavailable when the software cannot figure out what type of network it is talking to.

• KNOWN

– Matches any user whose name is known, and matches any host whose name and address are known. This pattern should also be used with care, for the same reasons as for UNKNOWN.

• PARANOID

– Matches any host whose name does not match its address. When tcpd is built with -DPARANOID (default), it drops requests from such clients even before looking at the access control tables. Build without -DPARANOID when you want more control over such requests.
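The three-step decision described under tcpwrappers (allow match grants, deny match refuses, otherwise grant) together with the wildcards above is easy to get wrong when writing rules by hand. The Python below is an added example, not the tcp_wrappers source: it implements that decision over the example rules from the slide plus a constructed hosts.deny, supporting ALL, LOCAL, a leading-dot domain suffix, a trailing-dot network prefix, an exact host or address and EXCEPT. Netgroup (@name) membership is taken from an assumed in-memory table, since NIS is not available offline. Host names and addresses used in the checks are constructed.

```python
"""hosts.allow / hosts.deny decision logic of tcpd (added example)."""

# Constructed sample files; the four allow rules are the slide's examples
HOSTS_ALLOW = """\
ALL: LOCAL @some_netgroup
ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
in.fingerd: .mydomain.com EXCEPT hacker.mydomain.com
vsftpd: .mylocal.domains
"""
HOSTS_DENY = """\
# constructed: refuse everything the allow file did not grant
ALL: ALL
"""

# Assumed netgroup membership (would be looked up in NIS on a real system)
NETGROUPS = {"some_netgroup": {"ws1.foobar.edu", "ws2.foobar.edu"}}


def parse_rules(text):
    """Each rule is (daemon_list, client_list), both lists of tokens."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append((daemons.split(), clients.split()))
    return rules


def client_matches(pattern, host, addr):
    """One client pattern against the connecting host's name and address."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":
        return "." not in host                   # name without a dot
    if pattern.startswith("@"):
        return host in NETGROUPS.get(pattern[1:], set())
    if pattern.startswith("."):
        return host.endswith(pattern)            # domain suffix, e.g. .foobar.edu
    if pattern.endswith("."):
        return addr.startswith(pattern)          # network prefix, e.g. 192.168.
    return pattern in (host, addr)               # exact host name or address


def list_matches(patterns, matcher):
    """'list_1 EXCEPT list_2' matches when list_1 matches and list_2 does not."""
    if "EXCEPT" in patterns:
        i = patterns.index("EXCEPT")
        return list_matches(patterns[:i], matcher) and not list_matches(patterns[i + 1:], matcher)
    return any(matcher(p) for p in patterns)


def rule_matches(rule, daemon, host, addr):
    daemons, clients = rule
    return (list_matches(daemons, lambda p: p == "ALL" or p == daemon)
            and list_matches(clients, lambda p: client_matches(p, host, addr)))


def access_allowed(daemon, host, addr, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """tcpd's order: hosts.allow first, then hosts.deny, otherwise grant."""
    if any(rule_matches(r, daemon, host, addr) for r in parse_rules(allow_text)):
        return True
    if any(rule_matches(r, daemon, host, addr) for r in parse_rules(deny_text)):
        return False
    return True                                  # no rule in either file matched


if __name__ == "__main__":
    for d, h, a in [("in.telnetd", "pc7.foobar.edu", "10.1.1.7"),
                    ("in.telnetd", "terminalserver.foobar.edu", "10.1.1.9"),
                    ("in.fingerd", "hacker.mydomain.com", "10.2.2.3")]:
        print("%-11s %-28s %s" % (d, h, "granted" if access_allowed(d, h, a) else "denied"))
```

The last branch of access_allowed is the point the slide makes about missing files: with an empty or absent hosts.deny every unmatched request is granted, which is why a closing ALL: ALL line in hosts.deny is the usual companion of a hosts.allow whitelist.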

SMTP Principle

The principle of an SMTP server is that the SMTP daemon runs in the background and watches port 25. A requesting client initiates the contact and then sends the mails. The server will then either save the mails in the local mailboxes or relay them to their destinations by forwarding to the proper remote SMTP server. In the process of reception of mails, a series of checks as well as mail headers content changes can be performed. It all depends on the configuration of the mail server.


Mail system components

(1) John (John@JohnDomain.com) writes an email to Betty (Betty@BettyDomain.com) using Outlook (email client); it goes to the JohnDomain.com email server via SMTP (port 25)

(2) The email is sent to the BettyDomain.com email server via SMTP (port 25)

(3) Betty downloads the email via POP3 (port 110)

(4) Betty opens the email from John in the Kmail (Linux) email client, and sends a reply email back to John

(5) The reply from Betty goes to John's domain email server via SMTP (port 25)

(5) John downloads the email from the server via POP3 (port 110) when clicking on (Receive) in Outlook

sendmail configuration files

Sendmail uses three MAIN configuration files:

• sendmail.cw

– This file is used to store the names of hosts which will receive email.

• sendmail.cf

– This is a very complex configuration file for Sendmail.

• *.mc

– This is used to help the administrator configure sendmail, so hopefully you won't have to create your own sendmail.cf

/etc/sendmail.cf

– The main configuration file of sendmail

Because of its complexity, this file is normally not manually created or edited. Front ends exist that use a much simpler syntax and update sendmail.cf. Some minor changes can be done directly without complications.

sendmail mailboxes

There are 2 types of mailboxes for sendmail:

• Outgoing queue: /var/spool/mqueue or /var/mqueue

– Used by MUAs for sending mails. Its content is checked regularly and sent to the destinations. The program mailq (symlink to sendmail) is used to display the content of this mail queue.

• Incoming queue: /var/spool/mail/UserName

– Used by the MTA to store the incoming mails. The local MUA also looks in this directory (at the file belonging to the user running the MUA) and displays it. The POP and IMAP servers also look in this directory to pick up the mail and send it to the requesting client.

Starting sendmail

The main purpose of sendmail is to receive mail and save the mail in local mailboxes or send the mail to another mail server (relaying). As far as relaying is concerned, there are two possibilities: either the host is permanently connected to the Internet, where it has an FQDN and a fixed IP address, or it is temporarily connected to the Internet and used only to send mails.

• Permanent Internet connection

– In this case sendmail has 2 functions:

• Receiving mails via the SMTP protocol.

• Sending mails via the SMTP protocol.

For receiving mails, sendmail needs to be running as a daemon in the background and watching port 25 (SMTP). The incoming mails are always received immediately. Normally a command line option is given for sendmail to regularly check and process the mails in the outgoing mail queue (mqueue).

• Sendmail is started as a daemon (-bd) and checks the outgoing mail queue every 15 minutes (-q15):

sendmail -bd -q15

• Temporary Internet connection

– In this case sendmail is only used to send mails. It is normally called after the Internet connection has been established. The incoming mails are handled by fetchmail or other mail retrieving programs.

sendmail -q

– Sendmail is started and checks the mails in the outgoing queue, sends them if any are present and exits when finished. This command can also be regularly called by a cron job.

sendmail -bd

– Sendmail is started in daemon mode to receive incoming mails.

Mail Aliases

• Mail addressed to a non-existent user can be redirected to an existing local user. Such names are then called aliases of the real user.

• Example: mail for martin.hoofer@mybestmail.com is delivered to the local user martinh

• The aliases file: /etc/aliases or /etc/mail/aliases.

• aliases file syntax:

AliasName: RealUserName

• Example:

martin.hoofer: martinh
webmaster: root
abuse: root

Note1: Aliases are only applicable to incoming mail for local users.

Note2: When changes are made to this file, you need to issue the command newaliases, as well as restart the sendmail daemon if needed.

Piping mails to programs

• It is also possible to send incoming mail to a specific local program.

• This is done using the same file as above: /etc/aliases.

harry: "| /usr/bin/mail -s 'Forwarded mail' harry2@remoteserver.com"

– The mail is piped to the local mail program, which sends it on to its proper destination.
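The alias handling described on the last two slides, as an added example that is not part of the course notes: a small POSIX shell script that follows an alias chain in an /etc/aliases-style file to its final target and lists the aliases that pipe mail into a program. The aliases file path, the function names and the sample entries are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the course notes): resolve a local recipient through an
# /etc/aliases-style file, following alias chains, and list the aliases that pipe
# mail into a program. The aliases file is passed as an argument so the constructed
# sample below can be used instead of the real /etc/aliases.

# Constructed sample modelled on the slides' entries (not a real system file).
SAMPLE_ALIASES=$(mktemp)
trap 'rm -f "$SAMPLE_ALIASES"' EXIT
cat > "$SAMPLE_ALIASES" <<'EOF'
# constructed aliases sample
martin.hoofer: martinh
webmaster: root
abuse: root
root: martinh
harry: "| /usr/bin/mail -s 'Forwarded mail' harry2@remoteserver.com"
EOF

# alias_target FILE NAME: print the right-hand side of "NAME:" (empty if absent).
alias_target() {
    awk -v n="$2" '
        /^[[:space:]]*#/ { next }
        {
            i = index($0, ":")
            if (i == 0) next
            key = substr($0, 1, i - 1)
            gsub(/[[:space:]]/, "", key)
            if (key == n) {
                rhs = substr($0, i + 1)
                sub(/^[[:space:]]+/, "", rhs)
                sub(/[[:space:]]+$/, "", rhs)
                print rhs
                exit
            }
        }' "$1"
}

# resolve_alias FILE NAME: follow the chain until a real user, a program pipe,
# a file or an address list is reached. Prints "user:", "pipe:", "file:" or
# "list:" followed by the final target; "cycle:" and exit status 1 on a loop.
resolve_alias() {
    file=$1
    name=$2
    seen=""
    while :; do
        case " $seen " in
            *" $name "*) echo "cycle:$name"; return 1 ;;
        esac
        seen="$seen $name"
        target=$(alias_target "$file" "$name")
        if [ -z "$target" ]; then
            echo "user:$name"            # no alias entry: a real local user
            return 0
        fi
        case "$target" in
            '"|'*|'|'*) echo "pipe:$target"; return 0 ;;   # piped to a program
            /*)         echo "file:$target"; return 0 ;;   # appended to a file
            *,*)        echo "list:$target"; return 0 ;;   # several recipients
        esac
        name=$target
    done
}

# list_pipe_aliases FILE: the check to run after editing /etc/aliases, since
# every "|program" entry runs that program for each message delivered to it.
list_pipe_aliases() {
    awk '
        /^[[:space:]]*#/ { next }
        {
            i = index($0, ":")
            if (i == 0) next
            rhs = substr($0, i + 1)
            sub(/^[[:space:]]+/, "", rhs)
            if (rhs ~ /^["]?[|]/) {
                key = substr($0, 1, i - 1)
                gsub(/[[:space:]]/, "", key)
                print key
            }
        }' "$1"
}

# Usage on the sample: webmaster -> root -> martinh; harry -> program pipe.
resolve_alias "$SAMPLE_ALIASES" webmaster
resolve_alias "$SAMPLE_ALIASES" harry
list_pipe_aliases "$SAMPLE_ALIASES"
```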

DNS Services

[Figure: the DNS tree, from the root "." down through the top-level domains (.com, .edu, .biz, .net, .org, .ie, .cc, .vn) to the domain linuxusergroup and the host abhaile]

•DNS organizes hostnames in a domain hierarchy, with Top Level Domains and National Domains at the top of the tree.

•A domain is a collection of sites that are related in some sense: because they form a proper network, because they all belong to a certain organization, or because they are simply geographically close.

e.g. linuxusergroup.net

•Hosts have the domain name appended to their hostname, so abhaile would be known as abhaile.linuxusergroup.net

–This is called the fully qualified domain name (FQDN), which uniquely identifies this host worldwide.

DNS Services

• A number of means exist to determine an address:

– Static local file: /etc/hosts

– Network Information Service (NIS/NIS+)

– Domain Name Service (DNS)

•Domain Name Service is a network-based lookup mechanism which permits a client machine to request the IP address of a host in a domain, or vice versa.

•The DNS server runs a daemon called named, which handles requests by consulting its /etc/named.conf file and will either check the local zone file or query another DNS server in the DNS tree.

•The DNS client is implemented in various system libraries and is collectively known as the 'resolver'.

/etc/nsswitch.conf

• System Databases and Name Service Switch

$ cat /etc/nsswitch.conf
passwd: files
shadow: files
group: files
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files
publickey: nisplus
automount: files
aliases: files nisplus

The line hosts: files dns means that the /etc/hosts file is consulted first, then the DNS server configured in the resolver configuration file.

/etc/resolv.conf

• resolver configuration file

$ cat /etc/resolv.conf
domain linuxusergroup.net
nameserver 145.7.43.20
nameserver 145.7.43.25
nameserver 145.7.43.30

nslookup

Non Interactive

# nslookup linuxusergroup.net
Server: localhost
Address: 127.0.0.1

Name: linuxusergroup.net
Address: 134.76.5.30

Interactive

# nslookup
Default Server: localhost
Address: 127.0.0.1

> linuxusergroup.net
Server: localhost
Address: 127.0.0.1

Name: linuxusergroup.net
Address: 134.76.5.30

> exit

/etc/hosts file and host command

• /etc/hosts

– The static table lookup for host names

• host

– DNS lookup utility

$ host www.linuxusergroup.net
www.linuxusergroup.net has address 256.167.25.144

named v4.x and named v8.x

• BIND named v4.x configuration file

– /etc/named.boot

• BIND named v8.x configuration file

– /etc/named.conf

$ cat /etc/named.boot
directory /var/named
cache . root.hints
primary 0.0.127.IN-ADDR.ARPA 127.0.0.zone
primary localhost localhost.zone

• Example of BIND v8 named.conf file

// generated by named-bootconf.pl
options {
	directory "/var/named";
};
zone "." {
	type hint;
	file "root.hints";
};
zone "0.0.127.IN-ADDR.ARPA" {
	type master;
	file "127.0.0.zone";
};
zone "localhost" {
	type master;
	file "localhost.zone";
};

Converting BIND v4 to BIND v8 configuration

• To convert the BIND version 4 configuration file named.boot to named.conf, run the script:

– named-bootconf

• This script comes with the BIND distribution.

Summary

• Use tcpwrappers to allow or deny services on a host-by-host basis.

• Manually start, stop, and restart Internet services.

• Configure basic network services including telnet and ftp.

• Create mail aliases, start and stop sendmail.

• The domain registration and DNS translation process.

• Key differences in configuration files for BIND 4 and BIND 8.

Key files, terms, and utilities include:

/etc/inetd.conf, /etc/hosts.allow, /etc/hosts.deny, /etc/services, /etc/xinetd.conf, /etc/aliases or /etc/mail/aliases, /etc/mail/*, ~/.forward, mailq, sendmail, newaliases, /etc/hosts, /etc/resolv.conf, /etc/nsswitch.conf, /etc/named.boot (v.4) or /etc/named.conf (v.8), named

LPI 102 Linux Junior Level Administration

Chapter 11

Networking Services Part 2

Last updated: 26 December 2003

2004, SaigonCTT All rights reserved

Objectives

• Perform basic configuration of Apache

– Modify simple parameters in Apache configuration files

– Start, stop, and restart httpd

– Arrange for automatic restarting of httpd upon boot

• Set up secure shell (OpenSSH)

– Basic OpenSSH installation and troubleshooting

– Configure sshd to start at system boot

LPI Topics:

1.113.3 Operate and perform basic configuration of Apache

Candidates should be able to modify simple parameters in Apache configuration files; start, stop, and restart httpd; and arrange for automatic restarting of httpd upon boot. Does not include advanced custom configuration of Apache.

1.113.7 Set up secure shell (OpenSSH)

Candidates should be able to obtain and configure OpenSSH. This objective includes basic OpenSSH installation and troubleshooting, as well as configuring sshd to start at system boot.

Webserver Apache

• Apache is configured by placing ‘directives’ in plain text configuration files

• The main configuration file is usually called httpd.conf

– The location of this file is set at compile time, but may be overridden with the -f command line flag.

The Apache Project is a collaborative software development effort aimed at creating a robust, commercial-grade, featureful, and freely-available source code implementation of an HTTP (Web) server.

Apache HTTP Server 2.0

There are important differences between the Apache HTTP Server version 2.0 and version 1.3 (version 1.3 shipped with Red Hat Linux 7.3 and earlier). This section reviews some of the features of Apache HTTP Server 2.0 and outlines important changes:

–New Apache API: Modules utilize a new, more powerful set of Application Programming Interfaces (APIs).

–Filtering: Modules can act as content filters. Refer to Section 10.2.4 Modules and Apache HTTP Server 2.0 for more on how filtering works.

–IPv6 Support: The next generation IP addressing format is supported.

–Simplified Directives: A number of confusing directives have been removed while others have been simplified. See Section 10.5 Configuration Directives in httpd.conf for more information about specific directives.

–Multilingual Error Responses: When using Server Side Include (SSI) documents, customizable error response pages can be delivered in multiple languages.

–Multiprotocol Support: Multiple protocols are supported.

Webserver Apache

• In addition, other configuration files may be added using the ‘Include’ directive

• Any directive may be placed in any of these configuration files

• Changes to the main configuration files are only recognized by Apache when it is started or restarted.

Basic configuration files

httpd.conf

– Contains all server-processing related directives

srm.conf

– Contains server resource information

access.conf

– Security definition file controlling access to the server by client browsers

All of these files are found in

–/etc/httpd/apache/conf/ or –/etc/httpd/conf/

httpd.conf

• Extract from /etc/httpd/httpd.conf

ServerType standalone
ServerRoot "/etc/httpd"
DocumentRoot "/var/www/html"
AllowOverride None
Options ExecCGI
Order allow,deny
Allow from all
DocumentRoot "/www/docs/server1"
ServerName virtual.mydomain.org

ServerType

–ServerType standalone means that the server is started once and that server then handles all of the connections.

–By default, your Web server is set to ServerType standalone.

ServerRoot

–The ServerRoot is the top-level directory which contains the server's files. Both your secure and non-secure servers are set to use a ServerRoot of "/etc/httpd".

DocumentRoot

–The directory which contains most of the HTML files which will be served in response to requests.

VirtualHost

–<VirtualHost> and </VirtualHost> tags surround any configuration directives which are intended to apply to a virtual host. Most configuration directives can be used within virtual host tags, and then they only apply to that particular virtual host.

Running Apache

• Auto start at boot time

/etc/rc.d/init.d/httpd

• Manual start

apachectl [start | stop | restart]

• The main log files

/var/log/httpd/error_log
/var/log/httpd/access_log

OpenSSH

• Why do I need SSH?

– SSH provides strong authentication and encryption of the network data.

– SSH is a secure way to run tar or rsync on a backup client to extract the data.

As mentioned earlier, ssh is actually a suite of tools:

sshd

daemon that acts as a server to all other commands

ssh

primary end-user tool: remote shell, remote command, and port-forwarding sessions

scp

tool for automated file transfers

sftp

tool for interactive file transfers (commercial SSH only)

ssh-keygen

generates private-public key pairs for use in RSA and DSA authentication (including host keys)

ssh-agent

daemon used to automate the client's RSA/DSA authentications

ssh-add

loads private keys into the ssh-agent process

ssh-askpass

X interface for ssh-add

OpenSSH setup

• Key generation

ssh-keygen -t rsa

– This will save:

• The public key: ~/.ssh/id_rsa.pub

• The private key: ~/.ssh/id_rsa

Depending upon your OpenSSH installation, many of these steps can be replaced by running the scripts ssh-user-config and ssh-host-config included with OpenSSH. You still need to exchange the public keys manually.

Key generation:

–As root on the client machine, use ssh-keygen to generate a public/private key pair.

OpenSSH Configuration Files

• OpenSSH has two different sets of configuration files:

– for client programs (ssh, scp, and sftp)

– for the server daemon (sshd).

• System-wide SSH configuration information is stored in the /etc/ssh/ directory

OpenSSH Configuration Files

• For the server daemon (sshd)

– ssh_config

• The system-wide default SSH client configuration file. It is overridden if one is also present in the user's home directory (~/.ssh/config).

– sshd_config

• The configuration file for the sshd daemon.

– ssh_host_dsa_key

• The DSA private key used by the sshd daemon.

– ssh_host_dsa_key.pub

• The DSA public key used by the sshd daemon.

$ cat /etc/ssh/sshd_config
Port 22
ListenAddress 192.168.1.1
HostKey /etc/ssh/ssh_host_key
ServerKeyBits 1024
LoginGraceTime 600
KeyRegenerationInterval 3600
PermitRootLogin no
IgnoreRhosts yes
IgnoreUserKnownHosts yes
StrictModes yes
X11Forwarding no
PrintMotd yes
SyslogFacility AUTH
LogLevel INFO
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no
AllowUsers admin

Port 22

–The option Port specifies on which port number the ssh daemon listens for incoming connections. The default port is 22.

ListenAddress 192.168.1.1

–The option ListenAddress specifies the IP address of the network interface to which the ssh daemon's server socket is bound. The default is 0.0.0.0; to improve security you may specify only the required addresses to limit the possible ones.

HostKey /etc/ssh/ssh_host_key

–The option HostKey specifies the location of the file containing the private host key.

ServerKeyBits 1024

–The option ServerKeyBits specifies how many bits to use in the server key. These bits are used when the daemon starts to generate its RSA key.

LoginGraceTime 600

–The option LoginGraceTime specifies how long in seconds after a connection request the server will wait before disconnecting if the user has not successfully logged in.

KeyRegenerationInterval 3600

–The option KeyRegenerationInterval specifies how long in seconds the server should wait before automatically regenerating its key. This is a security feature to prevent decrypting captured sessions.

PermitRootLogin no

–The option PermitRootLogin specifies whether root can log in using ssh. Never say yes to this option.

IgnoreRhosts yes

–The option IgnoreRhosts specifies whether rhosts or shosts files should be ignored in authentication. For security reasons it is recommended not to use rhosts or shosts files for authentication.

IgnoreUserKnownHosts yes

–The option IgnoreUserKnownHosts specifies whether the ssh daemon should ignore the user's $HOME/.ssh/known_hosts during RhostsRSAAuthentication.

StrictModes yes

–The option StrictModes specifies whether ssh should check the user's permissions on their home directory and rhosts files before accepting a login. This option must always be set to yes because users sometimes accidentally leave their directory or files world-writable.

X11Forwarding no

–The option X11Forwarding specifies whether X11 forwarding should be enabled on this server. Since we set up a server without a GUI installed on it, we can safely turn this option off.

PrintMotd yes

–The option PrintMotd specifies whether the ssh daemon should print the contents of the /etc/motd file when a user logs in interactively. The /etc/motd file is also known as the message of the day.

SyslogFacility AUTH

–The option SyslogFacility specifies the facility code used when logging messages from sshd. The facility specifies the subsystem that produced the message, in our case AUTH.

LogLevel INFO

–The option LogLevel specifies the level that is used when logging messages from sshd. INFO is a good choice. See the man page for sshd for more information on other possibilities.

RhostsAuthentication no

–The option RhostsAuthentication specifies whether sshd can try to use rhosts-based authentication. Because rhosts authentication is insecure you shouldn't use this option.

RhostsRSAAuthentication no

–The option RhostsRSAAuthentication specifies whether to try rhosts authentication in concert with RSA host authentication.

RSAAuthentication yes

–The option RSAAuthentication specifies whether to try RSA authentication. This option must be set to yes for better security in your sessions. RSA uses public and private key pairs created with the ssh-keygen utility for authentication purposes.

PasswordAuthentication yes

–The option PasswordAuthentication specifies whether we should use password-based authentication. For strong security, this option must always be set to yes.

PermitEmptyPasswords no

–The option PermitEmptyPasswords specifies whether the server allows logging in to accounts with a null password. If you intend to use the scp utility to make automatic backups over the network, you must set this option to yes.

AllowUsers admin

–The option AllowUsers specifies and controls which users can access ssh services. Multiple users can be specified, separated by spaces.
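A way to check a sshd_config against the recommendations above, as an added example that is not part of the course notes: a POSIX shell script that reads the first value of each keyword (sshd keeps the first occurrence it reads and ignores later ones) and reports deviations and duplicated keywords. The function names and both sample configurations are constructed for this example; the first sample is the configuration shown on the slide.

```shell
#!/bin/sh
# Added example (not from the course notes): check an sshd_config against the
# settings the notes above recommend, and flag keywords that appear more than
# once, since sshd uses the first value it reads and silently ignores the rest.
# The file path is an argument so the constructed samples below can be used.

# Constructed sample 1: the configuration shown on the slide.
SAMPLE_SSHD_GOOD=$(mktemp)
SAMPLE_SSHD_BAD=$(mktemp)
trap 'rm -f "$SAMPLE_SSHD_GOOD" "$SAMPLE_SSHD_BAD"' EXIT
cat > "$SAMPLE_SSHD_GOOD" <<'EOF'
Port 22
ListenAddress 192.168.1.1
HostKey /etc/ssh/ssh_host_key
ServerKeyBits 1024
LoginGraceTime 600
KeyRegenerationInterval 3600
PermitRootLogin no
IgnoreRhosts yes
IgnoreUserKnownHosts yes
StrictModes yes
X11Forwarding no
PrintMotd yes
SyslogFacility AUTH
LogLevel INFO
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no
AllowUsers admin
EOF

# Constructed sample 2: root login allowed, PermitEmptyPasswords missing,
# and Port listed twice (only the first Port line takes effect).
cat > "$SAMPLE_SSHD_BAD" <<'EOF'
Port 22
# permitrootlogin yes   <- commented out, must be ignored
PermitRootLogin yes
IgnoreRhosts yes
StrictModes yes
RhostsAuthentication no
Port 2222
EOF

# sshd_value FILE KEYWORD: first value for KEYWORD (keywords are case-insensitive
# in sshd_config; only the "Keyword value" form is handled, not "Keyword=value").
sshd_value() {
    awk -v k="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# audit_sshd_config FILE: one line per finding, nothing when all checks pass.
audit_sshd_config() {
    cfg=$1
    for pair in PermitRootLogin=no PermitEmptyPasswords=no IgnoreRhosts=yes \
                StrictModes=yes RhostsAuthentication=no; do
        key=${pair%=*}
        want=${pair#*=}
        got=$(sshd_value "$cfg" "$key")
        if [ -z "$got" ]; then
            echo "$key: not set (compiled-in default applies)"
        elif [ "$got" != "$want" ]; then
            echo "$key: is '$got', expected '$want'"
        fi
    done
    # Duplicate keywords: report each once, under the spelling of its first use.
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            k = tolower($1)
            if (!(k in first)) { first[k] = $1; order[++n] = k }
            count[k]++
        }
        END {
            for (i = 1; i <= n; i++)
                if (count[order[i]] > 1)
                    printf "duplicate: %s (first occurrence wins)\n", first[order[i]]
        }' "$cfg"
}

audit_sshd_config "$SAMPLE_SSHD_GOOD"   # prints nothing: all checks pass
audit_sshd_config "$SAMPLE_SSHD_BAD"
```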

OpenSSH Configuration Files

• For the server daemon (sshd)

– ssh_host_key

• The RSA private key used by the sshd daemon (ssh version 1).

– ssh_host_key.pub

• The RSA public key used by the sshd daemon (ssh version 1).

– ssh_host_rsa_key

• The RSA private key used by the sshd daemon (ssh version 2).

– ssh_host_rsa_key.pub

• The RSA public key used by the sshd daemon (ssh version 2).

OpenSSH Configuration Files

• For client programs

– id_dsa

• Contains the DSA private key of the user.

– id_dsa.pub

• The DSA public key of the user.

– id_rsa

• The RSA private key used by ssh (ssh version 2).

– id_rsa.pub

• The RSA public key used by ssh (ssh version 2).

User-specific SSH configuration information is stored in the user's home directory, within the ~/.ssh/ directory.

OpenSSH Configuration Files

• For client programs

– authorized_keys

• This file holds a list of authorized public keys for servers. When the client connects to a server, the server authenticates the client by checking its signed public key stored within this file.

– identity

• The RSA private key used by ssh (ssh version 1).

– identity.pub

• The RSA public key used by ssh (ssh version 1).

– known_hosts

• This file contains the DSA host keys of SSH servers accessed by the user.

Important

If an SSH server's host key has changed, the client will notify the user that the connection cannot proceed until the server's host key is deleted from the known_hosts file using a text editor. Before doing this, however, contact the system administrator of the SSH server to verify that the server is not compromised.

Configure OpenSSH to use TCP Wrappers

1. Edit inetd.conf:

ssh stream tcp nowait root /usr/sbin/tcpd sshd -i

2. Make inetd re-read its inetd.conf file:

# killall -HUP inetd

3. Edit hosts.allow:

sshd: 192.168.1.4

– This means the client with IP 192.168.1.4 is allowed to ssh in to the server.

TCP Wrappers should be enabled to start and stop our OpenSSH server. Upon execution, inetd reads its configuration information from a configuration file which, by default, is /etc/inetd.conf. There must be an entry for each field of the configuration file, with entries for each field separated by a tab or a space.

Summary

• Perform basic configuration of Apache

• Set up secure shell (OpenSSH)

Key files, terms, and utilities include:

/etc/hosts.allow
/etc/hosts.deny
/etc/nologin
/etc/ssh/sshd_config
/etc/ssh_known
httpd.conf
apachectl
httpd

LPI 102 Linux Junior Level Administration

Chapter 12

Distributed File System

Last updated: 26 December 2003

2004, SaigonCTT All rights reserved

Objectives

• Mount remote filesystems using NFS

• Configure NFS for exporting local filesystems

• Start, stop, and restart the NFS server

• Install and configure Samba

• Simple shares with Samba

• Fundamentals of smb.conf

LPI Topics

1.113.4 Properly manage the NFS, smb, and nmb daemons

Candidates should know how to mount remote filesystems using NFS, configure NFS for exporting local filesystems, and start, stop, and restart the NFS server; and how to install and configure Samba using the included GUI tools or by directly editing the /etc/smb.conf file (Note: this deliberately excludes advanced NT domain issues but includes simple sharing of home directories and printers, as well as correctly setting up nmbd as a WINS client).

NFS -- Network File System

• NFS is a file system that allows directories on a remote host to be mounted locally.

• Once mounted, the remote directory is seen as a local directory by all applications.

• The difference is that it might take longer to read from and write to it.

• NFS is used almost exclusively between variants of Unix OSes.

Mounting an NFS remote directory

– Mounting an NFS directory is very similar to mounting a local device. The command used is also mount.

mount [-t nfs] RemoteHost:RemoteDir LocalMountPoint [-o MountOptions]

• Example:

mount -t nfs nfsserver:/public /mnt/public -o ro

• This command will mount the remote directory /public located on the remote host nfsserver to the local mount point /mnt/public with the option Read Only (ro).

Note:

NFS mounts can be specified in /etc/fstab:

nfsserver:/public /public nfs ro 0 0

To mount it, either of the following two commands can then be given:

mount nfsserver:/public

mount /public

Setting up the NFS server

• The server host needs to export the directory via an NFS server process.

• /etc/exports

– The configuration file of the NFS server

• This file provides the NFS server with the following information:

– Local directory (NFS share) to be exported

– Which remote hosts are allowed to mount it

– Mount options for the allowed hosts

• Example: in /etc/exports

/public 192.168.10.0/192.168.10.255(ro) 192.168.10.45(rw)

In the example above:

–All the hosts residing in the IP range 192.168.10.0-192.168.10.255 will be allowed to mount the server's NFS share with the option ReadOnly (ro), except the host having the IP 192.168.10.45, which will have ReadWrite (rw) mount privileges.

Setting up the NFS server

To implement the NFS service on a server host, 3 processes need to be running:

• RPC portmapper daemon portmap.

• Kernel knfsd or userspace rpc.nfsd daemon.

• Mount protocol daemon rpc.mountd

Some processes need to be constantly running as daemons on the NFS server host in order to offer NFS shares to clients. In newer kernels the kernel-based NFS daemon knfsd is normally used. This kernel process just needs to be started using the appropriate provided tools. Another, older method is to run a user-space daemon called rpc.nfsd. Since NFS is an RPC-type service, an extra daemon process also needs to be running: the portmapper daemon portmap.

Without going into the details of RPC-based services and the portmapper's functions, here is how it works:

When the NFS daemon starts, it registers its name and listening port number with the portmapper. When a client needs to connect to the NFS server daemon, it first connects to the portmapper on port 111 and asks for the port number the NFS server daemon listens on, and then connects to it; just like telephone directory assistance. Another daemon which also needs to be running in the background on the server host is rpc.mountd. This daemon works together with either the kernel knfsd or the user-space daemon rpc.nfsd to fully implement the network mount protocol of the NFS service.

Both the NFS and mount daemons use the configuration file /etc/exports to identify and control access to the server's NFS shares.

Here are some other examples of the possible share entries and their options:

/ *.berlin.de(rw,no_root_squash)
/cdrom *(ro) 192.168.10.100(rw)
/home 192.168.0.0/255.255.0.0(rw)
/public *(rw,sync) *.nebbo.com(ro,sync)
/transfer 192.168.0.0/24(ro,intr)

Note:

Make sure that there are no spaces between the IP addr/netmask and their corresponding mount options. A space in this area starts another host/options pair definition, like the definition of the /public share above.

If there is a space, then the IP addr/netmask hosts will be denied access and the access rights will be assigned to all other hosts. Example:

/public achow(rw) diamond (ro)

Means: the achow host will have read/write access, the diamond host is denied access and all other hosts are allowed access with only read permissions.
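The spacing mistake described in the note, turned into a check, as an added example that is not part of the course notes: a POSIX shell script that reads an /etc/exports-style file and prints, per share and host, which option list actually applies, flagging a host with no attached options, a dangling "(options)" token that applies to every host, exports that leave root unsquashed, and wildcard exports with rw. The function name and the sample file are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the course notes): read an /etc/exports-style file and
# print, per share and host, the options that will actually apply, flagging the
# "host (options)" mistake described in the note above as well as exports that
# leave root unsquashed or give the world write access. The file is an argument
# so the constructed sample below can be used instead of the real /etc/exports.

# Constructed sample: the slides' entries plus the faulty line from the note.
SAMPLE_EXPORTS=$(mktemp)
trap 'rm -f "$SAMPLE_EXPORTS"' EXIT
cat > "$SAMPLE_EXPORTS" <<'EOF'
# constructed /etc/exports sample
/public achow(rw) diamond (ro)
/cdrom *(ro) 192.168.10.100(rw)
/home 192.168.0.0/255.255.0.0(rw)
/transfer 192.168.0.0/24(ro,intr)
/ *.berlin.de(rw,no_root_squash)
EOF

# check_exports FILE: one output line per host/options pair.
check_exports() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            share = $1
            for (i = 2; i <= NF; i++) {
                tok = $i
                if (tok ~ /^\(.*\)$/) {
                    # "(options)" with no host in front: applies to every host
                    opts = substr(tok, 2, length(tok) - 2)
                    printf "%s: * -> %s  [WARNING: dangling options apply to all hosts]\n", share, opts
                } else if (index(tok, "(") == 0) {
                    # a host with no option list attached to it
                    printf "%s: %s -> (no option list attached)  [WARNING: space before the options]\n", share, tok
                } else {
                    p = index(tok, "(")
                    host = substr(tok, 1, p - 1)
                    opts = substr(tok, p + 1, length(tok) - p - 1)
                    o = "," opts ","      # padded so single options match exactly
                    flags = ""
                    if (index(o, ",no_root_squash,") > 0)
                        flags = flags "  [WARNING: root not squashed]"
                    if (host == "*" && index(o, ",rw,") > 0)
                        flags = flags "  [WARNING: world-writable export]"
                    printf "%s: %s -> %s%s\n", share, host, opts, flags
                }
            }
        }' "$1"
}

check_exports "$SAMPLE_EXPORTS"
```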

UID and GID in NFS mounted shares

• When a client writes a new file or directory into a remotely mounted share

– assuming it is mounted with the ReadWrite (rw) option

– the NFS server will assign the UID and GID of the file or directory being written to the UID and GID of the client user writing it.

It means that if the user Mary with UID=500 on the client host writes a file into a mounted share, this file will effectively be written into the server's share directory with that UID. On the server's host, that UID might belong to the user john.

Be careful with this. One solution is to make sure that each client user also has an account on the NFS server host, and that both the UID and GID of each user are the same on the client and on the server host.

Squashing UID and GID for ALL

• A 'squashing' function in the mount options of the /etc/exports file:

– all_squash

• All files and directories get nobody's UID and GID

– anonuid=1000

• Sets the NFS nobody UID to 1000

– anongid=2000

• Sets the NFS nobody GID to 2000

• Example:

/public *.dept1.com(rw,all_squash,anonuid=1000,anongid=2000)

This is another solution: use the same UID and GID for all files and directories written via NFS.

Selecting which UIDs and GIDs will be squashed

• It is also possible to select which UIDs or GIDs are "squashed".

– The mount options are squash_uids and squash_gids

• Example:

/public *(rw,squash_uids=0-499,squash_gids=0-100)

This makes sure that all the files and directories written into this share which originate from users having a UID from 0 to 500 will be written with the UID of the user nobody. The same is true for the GIDs from 0 to 100.

Mounting a share as the root user

• To control this option:

– not used (default): root is not allowed on the share as root

– no_root_squash: root is allowed on the share as root

• Example:

/public *.myfirma.com(rw) admin.myfirma.com(rw,no_root_squash)

A special issue concerning the NFS UID behaviour above is that if the root user on a client host writes files or directories into an NFS share, the effective file UID and GID will be those of the user nobody instead of the user root, for obvious security reasons.

In the example, this means that files or directories written by root on the client host admin.myfirma.com will have the UID and GID of the user root on the shares of the NFS server's host: root UID=0 and GID=0.

Note: After making any changes to the /etc/exports file, the NFS daemon needs to be told to re-read this file for the changes to take effect. This is done either by sending the HUP signal to the NFS daemon or by issuing the command:

exportfs -a

Simple shares with SAMBA

• File and printing services

• Local and Master Browser (provides the list of available shares)

• NT-PDC (Primary Domain Controller for NT networks)

• Windows 95/98 logon server

• Printer driver install services

SAMBA is a Linux program set that offers file and printing services to Microsoft Windows networks. These functions are already available from Windows systems, and Samba can easily replace them. When a Windows host uses these services as provided by Samba, it sees them as if a Windows host provided them.

Simple shares with SAMBA

• Windows clients:

– Win3.11, 95, 98, 2000, Me, XP

• Protocol used:

– SMB (Server Message Block) based on NetBIOS

• Programs involved:

– smbd

• port 139-TCP

• Shares and printers data transfer

– nmbd

• ports 137-UDP & 138-UDP

• WINS, WINS proxying, browsing, name server for NetBIOS host names

Service type:

–Triggered by inetd (xinetd) or run as daemon processes

Daemon start/stop scripts:

/etc/init.d/smb [start|stop|restart]

• for the smbd daemon

/etc/init.d/nmb [start|stop|restart]

• for the nmbd daemon

Structure of smb.conf

Main configuration file: smb.conf, located in /etc or in /etc/samba

• smb.conf is composed of sections and section parameters.

• Each line is either a section name, a parameter for the section, or a comment.

– Section names are enclosed in square brackets, e.g. [SectionName]

– A parameter line is composed of: keyword(s) = Value

– A comment line starts with the character '#'

• Parameters belonging to a section are listed after the section name.

• All parameters listed after a section are valid for that section until another section is declared.

• Parameter keywords and section names are not case sensitive.

Sections in smb.conf

• [global]

– Defines the parameters that control how the server operates

• [homes]

– Defines parameters for a special share that provides individual home directories for each logged-in user.

• [printers]

– Defines parameters for a special share that provides printer services

• [sharename]

– Defines parameters for a normal file share.

Parameters of section [global]

Note: Here, only the most used and important parameters are shown; many more are available.

workgroup = MYWGROUP

netbios name = SAMBA1

•NetBIOS name of the server

security = USER

•Possible values: USER, server, SHARE

server string = "Samba %v Server on %h"

•Text ID of the server

guest account = nobody

•local Linux ID of an unknown guest

encrypt passwords = yes

•transfer of passwords is encrypted

printing = BSD

•Type of printing system used on this host

Parameters of section [homes]

• comment = "Personal home directory"

• path = /home/%U

– Home directory for every user

• browseable = no

– do not show this share to other users

• writable = yes

– allow writing into this share

Parameters of section [printers]

This section allows Samba to poll the local printing system and display all the available printer shares. Its parameters control this behaviour.

comment = "All samba printers"

path = /tmp

•Directory where the print jobs will be queued

create mask = 0700

•maximum access rights of print job files written here

printable = yes

•IMPORTANT: needed to make this share a print share

browseable = no

•to only display this share as a print share and not a file share

guest ok = yes

•allow guests to print through this print share

Parameters of a section for a normal share

• [transfer]

– Name of the share

• comment = "Common transfer share"

• path = /var/shares/transfer

• force create mask = 0666

– Access rights of all files written into this share

• force directory mask = 0777

– Access rights of all directories created here

• public = yes

– Same as guest ok = yes, allowing guests to access (read) files from this share

• writable = yes

– Allow users to write files/dirs into this share. Same as read only = no

Parameters of a section for a single printer

[hplj6]
   comment = "HP laserjet-6 printer share"
   ; uses the local printer queue lp2
   printer name = lp2
   printable = yes
   path = /tmp
   create mask = 0700
   ; allow everybody to use that printer
   public = yes

Setting passwords for share access

• Passwords can be transferred in two modes: encrypted and non-encrypted.

• The Samba password file is called smbpasswd and is normally located in /etc or in /etc/samba.

• To set the password for a user in this file:

smbpasswd -a username

To transfer the passwords in non-encrypted format (clear text .... insecure!!!) the parameter encrypt passwords = no must be entered in the [global] section. This way Windows 95 (rev.1) hosts can be authenticated in Samba. In this case the normal Linux system password file can be used for authentication. To transfer the passwords in encrypted format (recommended and default), the parameter encrypt passwords = yes can be entered in the [global] section. This setting requires that a Samba password file be used for authentication, because the type of password encryption is not the same as the Linux password encryption.

Note:

The user must already exist as Linux system user before being able to set its samba password. The user doesn't need to have a valid system password.

Security types in Samba authentication

To set the security type, the parameter security = Value in the [global] section is used.

security = user

With this security type, users (hosts) are logged on once and identified as such for access to all shares. Most shares would then be accessible only to properly logged-on users. Guests would then only be allowed access to shares that are set with:

guest ok = yes or public = yes.

security = share

This security type is the lowest one. This means that all the shares are accessible by anybody, whether guest or known user, unless the share is limited to certain users or to all known users using the setting: valid users = username1 username2 ... or guest ok = no

within the share settings.

security = server

This security type uses an external password (SMB) server for user authentication. This server can also be a Samba server. The password server needs to be specified with the [global] setting:

password server = PWServerNetBIOSName

This password server must be running in security = user mode.

The user must have an account on the password server and in the local Samba.

Important: Never give the Samba server's own name as the password server name. This would result in an endless loop rendering the Samba server unusable.

security = domain

This security type uses an external PDC server for user authentication. The password server needs to be specified with the [global] setting:

password server = PDCServerNetBIOSName1, PDCServerNetBIOSName2,..

The user must have an account on the PDC server and in the local Samba.

The transfer of the password must also be set to 'encrypted' with the [global] setting:

encrypt passwords = yes

The workgroup setting must also be set to the domain name of the PDC server. The local Samba must also register itself as a participant of the domain by setting a special password using the command:

smbpasswd -j DomainName

The PDC must also create an account for the Samba server using the program Server Manager for Domains. The Samba server's NetBIOS name is given there.

Using WINS server for NetBIOS names conversion

• Normally a broadcast is sent to all local hosts to find out an IP for a particular name.

• If a WINS server is desired to prevent broadcasting such requests, include the following setting in [global]:

wins server = WINSServerIP

Using Samba as WINS server

To use the local samba as a WINS server then enter the following [global] setting:

wins support = yes

Note:

Never use the local Samba as WINS client (wins server = WINSServerIP) and as WINS server (wins support = yes) at the same time.

Typical Configuration of smb.conf

Note: The following configuration parameters are only examples and NOT all of them need to be learned for the LPI 102 exam. It is provided only for reference and understanding purposes.

Server Global Options

[global]
   workgroup = WORKGROUP
   kernel oplocks = false
   ; TCP protocol fine tuning parameters
   socket options = TCP_NODELAY
   ; Printing system. Other possibilities: bsd, sysv, plp, lprng, aix, hpux, qnx, cups
   printing = cups
   ; File listing printer queues and capabilities
   printcap name = cups
   ; All printer names will be presented as shares?
   load printers = yes
   ; Use encrypted samba passwords instead of linux passwd
   encrypt passwords = yes
   ; Allow users with empty passwords to access shares?
   null passwords = no
   ; security = user    : Users are logged on once
   ; security = share   : Users must log on for each share
   ; security = server  : Samba asks a password server to validate the user.
   ; security = domain  : Samba asks a PDC server to validate the user.
   ; Note: server and domain also need the setting:
   ;   password server = PWServerNetBIOSName
   security = user
   ; What username guests will use in Linux
   guest account = nobody
   ; map to guest = Bad Password : any wrong login is accepted as a guest user
   ; map to guest = Bad User     : good name and bad password is refused,
   ;                               bad name or password is accepted as guest
   map to guest = Bad Password
   ; WinforWorkgroups/Win95/Win98 = 1 ; NT-Desktop = 17 ; NT-Server = 33
   os level = 2
   ; Samba (nmbd) is the Local Master Browser?
   local master = yes
   ; Force election for master browser when samba starts?
   preferred master = yes
   ; Samba is a WINS server? (lmhosts contains data)
   wins support = no
   ; IP of WINS server if any exists in the network
   wins server = 192.168.1.1
   ; Interfaces or networks that samba will respond to
   interfaces = eth* eth0 192.168.2.10/24 192.168.3.10/255.255.255.0
   ; Log levels possible 1 to 7: 1 minimal, 3 normal, 7 a hell of a lot
   log level = 7

Standard Shares

; These share names are reserved only for these purposes

[homes]
   comment = Home directories
   ; Name of user share seen by other users?
   browseable = no
   ; Cannot write? (same as writable = yes)
   read only = no
   ; ANDed with 0766 (default) to set the file access rights
   create mode = 0750

[printers]
   comment = All Printers
   ; Seen as a directory share? (absolutely NO!)
   browseable = no
   ; We can save files there? (absolutely NO!)
   read only = yes
   ; We can send print jobs to it? (absolutely yes!)
   printable = yes
   ; Usable by all users including guests?
   public = yes
   ; Where print jobs will be saved before being printed
   directory = /tmp
   ; Allow only owners to modify saved print jobs
   create mode = 0700

Normal Shares

; Example of a typical share
[cdrom]
   comment = CD-ROM
   ; Path of the share
   path = /media/cdrom
   ; Prevent writes to CD-ROMs (same as read only = yes)
   writeable = no
   ; Prevent samba from locking accessed files while opened
   locking = no
   ; Usable by all users incl. guests? (same as guest ok = yes)
   public = yes

; Single printer share settings if load printers = no
[LaserJet]
   printable = yes
   printer = laserjet
   printing = cups
   ; Same as writeable = no
   read only = yes
   ; User paul is the only one allowed to use this printer.
   valid users = paul

List of extra useful share parameters

Global area:

   ; List of hosts & users allowed w/o passwords (Global)
   ; File format: ClientFQDNHostname UserName
   hosts equiv = /etc/hosts.equiv

Shares (services) area:
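The sections above spell out several smb.conf combinations to avoid: clear-text passwords, security = share, a password server that names the Samba host itself, and a host that is WINS client and WINS server at once. The following linter, an added example that is not part of the course material or of Samba, parses the [section] / "key = value" format (keys are matched without regard to case or embedded whitespace, as Samba does) and reports those combinations on a constructed sample file.

```python
import re
from typing import Dict, List

Config = Dict[str, Dict[str, str]]

# Constructed sample smb.conf that deliberately combines several of the
# settings the notes above warn about.
SAMPLE_SMB_CONF = """
[global]
   workgroup = MYWGROUP
   NetBIOS Name = SAMBA1
   security = server
   ; the password server points back at this very host
   password server = SAMBA1
   encrypt passwords = no
   wins server = 192.168.1.1
   wins support = yes
   guest account = nobody

[transfer]
   comment = "Common transfer share"
   path = /var/shares/transfer
   public = yes
   writable = yes
   force create mask = 0666

[hplj6]
   printer name = lp2
   printable = yes
   path = /tmp
   public = yes
"""


def normalize_key(key: str) -> str:
    # Samba ignores case and embedded whitespace when matching parameter names,
    # so "NetBIOS Name" and "netbiosname" are the same key.
    return re.sub(r"\s+", "", key).lower()


def parse_smb_conf(text: str) -> Config:
    """Return {section: {key: value}}; section names are lowercased."""
    config: Config = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue                        # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            config.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue                        # Samba ignores such lines too
        key, value = line.split("=", 1)
        config[section][normalize_key(key)] = value.strip().strip('"')
    return config


def _yes(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1")


def lint_smb_conf(config: Config) -> List[str]:
    """Return one finding per risky setting or inconsistent combination."""
    g = config.get("global", {})
    findings: List[str] = []
    security = g.get("security", "user").lower()
    encrypt = g.get("encryptpasswords", "yes").lower()

    if security == "share":
        findings.append("security = share: every share is open to anybody unless "
                        "restricted with 'valid users' or 'guest ok = no'")
    if encrypt == "no":
        findings.append("encrypt passwords = no: passwords cross the network in clear text")
    if security in ("server", "domain"):
        servers = [s.lower() for s in re.split(r"[,\s]+", g.get("passwordserver", "")) if s]
        if not servers:
            findings.append("security = %s needs 'password server = ...'" % security)
        if g.get("netbiosname", "").lower() in servers:
            findings.append("password server names this host: authentication would loop "
                            "and make the server unusable")
        if security == "domain" and encrypt != "yes":
            findings.append("security = domain requires encrypt passwords = yes")
    if "winsserver" in g and _yes(g.get("winssupport", "no")):
        findings.append("wins server and wins support = yes together: a host cannot be "
                        "WINS client and WINS server at the same time")

    for name, share in config.items():
        if name == "global":
            continue
        guest = _yes(share.get("guestok", "no")) or _yes(share.get("public", "no"))
        writable = (_yes(share.get("writable", share.get("writeable", "no")))
                    or share.get("readonly", "yes").lower() == "no")
        if guest and writable and not _yes(share.get("printable", "no")):
            findings.append("[%s]: guests can write to this file share" % name)
        mask = share.get("forcecreatemask") or share.get("createmask")
        if mask and mask.isdigit() and int(mask, 8) & 0o002:
            findings.append("[%s]: create mask %s makes new files world-writable" % (name, mask))
    return findings


if __name__ == "__main__":
    for finding in lint_smb_conf(parse_smb_conf(SAMPLE_SMB_CONF)):
        print("WARNING:", finding)
```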

Summary Summary

• Mount remote filesystems using NFS

• Configure NFS for exporting local filesystems

• Start, stop, and restart the NFS server.

• Install and configure Samba

• Simple shares with SAMBA

• Fundamentals of smb.conf

Key files, terms, and utilities include:

/etc/exports

/etc/fstab

/etc/smb.conf

mount

umount


Chapter 13

Network Security

Objectives

• Configure TCP wrappers, password aging information.

• Basic knowledge of ipchains and iptables.

• Syslog configuration, shadowed passwords.

• Limits on user logins, processes, and memory usage.


LPI Topics

1.114.1 Perform security administration tasks

Candidates should know how to review system configuration to ensure host security in accordance with local security policies. This objective includes how to configure TCP wrappers, find files with SUID/SGID bit set, verify packages, set or change user passwords and password aging information, update binaries as recommended by CERT, BUGTRAQ, and/or distribution's security alerts. Includes basic knowledge of ipchains and iptables.

1.114.2 Setup host security

Candidates should know how to set up a basic level of host security. Tasks include syslog configuration, shadowed passwords, setting up a mail alias for root's mail and turning off all network services not in use.

1.114.3 Setup user level security

Candidate should be able to configure user level security. Tasks include limits on user logins, processes, and memory usage.


About Security

Refer to security websites to keep your system up-to-date:

• THE BUGTRAQ MAILING LIST

– http://www.securityfocus.com

• CERT/CC ADVISORIES

– http://www.cert.org/advisories

Other links:

http://www.freshmeat.net

http://www.insecure.org/

http://www.sans.org/

http://www.debian.org/security/

TCP WRAPPERS

• The tcpd program provides three main services

– Responds to and verifies network requests

– Logs requests for internet services (via the authpriv facility code of syslog for connection requests)

– Provides an access control method for services, checking them against the /etc/hosts.allow and /etc/hosts.deny files (not /etc/inetd.conf)

TCP wrappers are a security layer "wrapped" around services (smtp, www, ssh, etc.) used to verify requests. The wrapper program, tcpd, is invoked by inetd in place of services such as ftpd and telnetd, and acts as an intermediary between inetd and the actual service.

tcpd provides a method of limiting access from external sources both by name and by address. After receiving a network request, tcpd first does its IP address and hostname checks. If those pass, tcpd then consults two control files, named hosts.allow and hosts.deny, for access control information. These are text files that contain rules (one per line) against which incoming network connections are tested:

/etc/hosts.allow

tcpd consults this file first. When an incoming network request matches one of these rules, tcpd immediately grants access by passing the network connection over to the server daemon. If none of the rules are matched, the next file is consulted.

/etc/hosts.deny

This file is consulted second. If a network request matches one of these rules, tcpd denies access to the service.

If no matches are made in either of the files, then the connection is allowed. This implies that missing hosts.allow and hosts.deny files mean that no access control is implemented.
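The evaluation order just described (hosts.allow first, hosts.deny second, allow when nothing matches) can be reproduced in a few lines. This is an added example, not code from the course or from TCP Wrappers: it implements a subset of the hosts_access(5) syntax (daemon_list : client_list, ALL, LOCAL, ".domain" suffixes, "net." prefixes, net/mask and EXCEPT) and runs it over two constructed control files, including the case where both files are missing.

```python
import ipaddress
from typing import Callable, List, Optional, Tuple

# Constructed sample control files. hosts.deny ends with a catch-all, so only
# clients that hosts.allow names explicitly get in; leave both files empty
# (or absent) and tcpd applies no access control at all.
HOSTS_ALLOW = """
# daemon_list : client_list
sshd    : 192.168.1.0/255.255.255.0, .example.com EXCEPT bad.example.com
in.ftpd : LOCAL
ALL     : 127.0.0.1
"""
HOSTS_DENY = """
ALL : ALL
"""

Rule = Tuple[str, str]   # (daemon_list, client_list) as written in the file


def parse_rules(text: str) -> List[Rule]:
    """One rule per non-comment line: 'daemon_list : client_list [: options]'."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        fields = [f.strip() for f in line.split(":")]
        rules.append((fields[0], fields[1]))   # options after the 2nd ':' are ignored here
    return rules


def _tokens(list_text: str) -> List[str]:
    return list_text.replace(",", " ").split()


def _match_list(list_text: str, matches: Callable[[str], bool]) -> bool:
    """'list_1 EXCEPT list_2' matches anything in list_1 that is not in list_2."""
    parts = list_text.split("EXCEPT")
    included = _tokens(parts[0])
    excluded = _tokens(parts[1]) if len(parts) > 1 else []
    return any(matches(p) for p in included) and not any(matches(p) for p in excluded)


def _client_matches(pattern: str, host: str, addr: str) -> bool:
    p = pattern.lower()
    if p == "all":
        return True
    if p == "local":                  # host name without a dot: same local domain
        return "." not in host
    if "/" in p:                      # net/mask form, e.g. 192.168.1.0/255.255.255.0
        try:
            return ipaddress.ip_address(addr) in ipaddress.ip_network(p, strict=False)
        except ValueError:
            return False
    if p.startswith("."):             # domain suffix, e.g. .example.com
        return host.lower().endswith(p)
    if p.endswith("."):               # network prefix, e.g. 192.168.
        return addr.startswith(p)
    return p in (host.lower(), addr)  # exact host name or address


def rule_matches(rule: Rule, daemon: str, host: str, addr: str) -> bool:
    daemons, clients = rule
    if not _match_list(daemons, lambda p: p.upper() == "ALL" or p == daemon):
        return False
    return _match_list(clients, lambda p: _client_matches(p, host, addr))


def tcpd_decision(daemon: str, host: str, addr: str,
                  hosts_allow: Optional[str], hosts_deny: Optional[str]) -> str:
    """Return 'allow' or 'deny' in tcpd's order: hosts.allow first, hosts.deny
    second, and allow when neither file (None = file missing) matches."""
    for rule in parse_rules(hosts_allow or ""):
        if rule_matches(rule, daemon, host, addr):
            return "allow"
    for rule in parse_rules(hosts_deny or ""):
        if rule_matches(rule, daemon, host, addr):
            return "deny"
    return "allow"


if __name__ == "__main__":
    for client in (("sshd", "ws1.example.com", "10.0.0.5"),
                   ("sshd", "bad.example.com", "10.0.0.6"),
                   ("in.telnetd", "ws1.example.com", "10.0.0.5")):
        print(client, "->", tcpd_decision(*client, HOSTS_ALLOW, HOSTS_DENY))
```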

Logging tcpd

• When tcpd is enabled, it logs to the authpriv facility in syslog

• Check your /etc/syslog.conf file to confirm

• Example:

– This /etc/syslog.conf configuration line puts all authpriv messages in /var/log/secure

authpriv.* /var/log/secure

Most system service daemons will do some logging on their own. For example, in.telnetd writes the following line to authpriv as the result of a Telnet connection:

Feb 8 17:50:04 smp login: LOGIN ON 0 BY jdean FROM 192.168.1.50

When tcpd is listening to the Telnet port in place of in.telnetd, it logs the request first, does its verifications, and then passes the connection on to in.telnetd, which then starts a login process as before. In this case, /var/log/secure looks like this:

Feb 8 17:53:03 smp in.telnetd[1400]: connect from 192.168.1.50

Feb 8 17:53:07 smp login: LOGIN ON 0 BY jdean FROM 192.168.1.50

The first line was logged by tcpd. It indicates that a connection was received from 192.168.1.50 bound for the in.telnetd daemon. As you can see, the tcpd report precedes the login report.

Finding Executable SUID Files

• The find command can perform searches for attributes such as SUID

• Example

# find / \
-path '/proc' -prune \
-or \
-perm -u+s \
-exec ls -l {} \; \
> /usr/local/etc/suid_list &

• The find command is constructed to search the entire filesystem for files that have the SUID bit set;

• It avoids the /proc filesystem to prevent permission problems.

Recall the set user ID (SUID) capability of the Linux ext2 filesystem. The SUID property was described as both a security enhancement and a security risk. It can be considered an enhancement because it allows administrators to grant superuser privileges to specific, trusted programs that may be executed by anyone on the system. The example given is lpr, which needs special access to manipulate the print spools. Without using the SUID property, everyone on the system would need administrative rights to use lpr, which is clearly undesirable. It is also mentioned that an SUID capability that is granted unwisely can be a security risk, and all applications of SUID must be considered carefully. The reason for this concern is that the potential exists for an attacker to exploit the superuser privilege on an SUID file. For example, if the attacker is able to somehow overwrite the contents of lpr, he could effectively gain superuser access to the system by running an lpr of his own design that changes passwords, adds new accounts, or something else shady and unrelated to printing.

# find . -type f -perm +6000 -xdev -exec ls -l {} \;
-rwsr-sr-x 1 root root 593972 11-09 12:47 ./bin/gpg
-r-xr-sr-x 1 root man 38460 01-27 22:13 ./bin/man
-rwsr-xr-x 1 root root 15576 09-29 22:51 ./bin/rcp
-rwsr-xr-x 1 root root 8256 09-29 22:51 ./bin/rsh
-rwsr-xr-x 1 root root 29520 01-17 19:42 ./bin/chfn
-rwsr-xr-x 1 root root 27500 01-17 19:42 ./bin/chsh
-rwsr-xr-x 1 lp root 8812 01-15 23:21 ./bin/lppasswd
-rwsr-x--- 1 root cron 10476 01-15 22:16 ./bin/crontab
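The find commands above produce a list such as /usr/local/etc/suid_list; the useful follow-up is to compare a fresh scan against that earlier list so that a new or loosened privileged file stands out. The following added example (not part of the course material) does what the find invocation does, skipping /proc, staying on one filesystem like -xdev and testing the SUID/SGID bits, and then diffs two scans; demo() builds a constructed tree in a temporary directory so it runs anywhere.

```python
import os
import shutil
import stat
import tempfile
from typing import Dict, List, Tuple

FileInfo = Tuple[int, int, int, int]        # (permission bits, uid, gid, size)
PRUNE = ("/proc", "/sys")                    # pseudo filesystems, like '-path /proc -prune'


def scan_suid(root: str, same_fs_only: bool = True) -> Dict[str, FileInfo]:
    """Return {path: (mode, uid, gid, size)} for regular files with the SUID or
    SGID bit set below root; same_fs_only mirrors find's -xdev."""
    found: Dict[str, FileInfo] = {}
    root_dev = os.lstat(root).st_dev
    for dirpath, dirnames, filenames in os.walk(root):
        kept = []
        for d in dirnames:
            full = os.path.join(dirpath, d)
            try:
                st = os.lstat(full)              # lstat: never follow symlinks
            except OSError:
                continue
            if full in PRUNE or stat.S_ISLNK(st.st_mode):
                continue
            if same_fs_only and st.st_dev != root_dev:
                continue
            kept.append(d)
        dirnames[:] = kept                       # os.walk honours in-place pruning
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found[full] = (stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, st.st_size)
    return found


def diff_baseline(baseline: Dict[str, FileInfo],
                  current: Dict[str, FileInfo]) -> Tuple[List[str], List[str], List[str]]:
    """Return (added, removed, changed) paths between an earlier and a new scan."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    changed = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return added, removed, changed


def demo() -> Tuple[List[str], List[str], List[str]]:
    """Build a constructed tree in a temporary directory, record a baseline, then
    add a new SUID file and loosen an existing one; return the diff with paths
    relative to the temporary root."""
    root = tempfile.mkdtemp(prefix="suid-demo-")

    def make(rel: str, mode: int) -> str:
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(full, mode)          # the owner may set SUID on his own file
        return full

    def rel(paths: List[str]) -> List[str]:
        return [os.path.relpath(p, root) for p in paths]

    try:
        make("bin/passwd", 0o4755)    # legitimately SUID
        make("bin/ls", 0o755)         # ordinary executable: must not be listed
        baseline = scan_suid(root)
        make("tmp/newtool", 0o4755)   # a SUID file that was not there before
        os.chmod(os.path.join(root, "bin/passwd"), 0o4777)   # now world-writable as well
        added, removed, changed = diff_baseline(baseline, scan_suid(root))
        return rel(added), rel(removed), rel(changed)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```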

Checking installed packages

• rpm -V

– Verifying a package compares information about the installed files with the information in the rpm database.

• Example

# rpm -V apache
S.5....T c /etc/httpd/conf/httpd.conf
.......T c /etc/httpd/conf/srm.conf
missing /home/httpd/html/index.html
missing /home/httpd/html/poweredby.gif

• In this example, rpm is reporting that four files do not match the original installed configuration.

• None is an executable file, and all are easy to explain, so no intruder is suspected here.

If an intruder were able to penetrate your system, it is likely that she would attempt to modify or replace executable files in order to grant herself special abilities. To check for such files, the verification option of the package manager can be used to check installed files.

If an executable file does turn up in the list, you may wish to investigate. For example:

# rpm -V XFree86-I128
S.5....T /usr/X11R6/bin/XF86_I128

This shows that the file XF86_I128 is not the same as the one originally installed. Unless you know why the file has changed, corrective action may be necessary to maintain security. In this case, the file in question is an X Server binary that was intentionally upgraded to a newer version than that supplied in the original package. Again, this is an expected result.

The output from rpm -V consists of an eight-character string, an optional c (indicating that the file is a configuration file), and the filename. Each column in the result string contains a dot when an attribute has not changed.

RPM Verification Codes

Code  Description
5     The MD5 checksum, a sort of "fingerprint" for the file, is different.
S     The file size has changed.
L     Symlink attributes have changed.
T     The file's modification time (or mtime) has changed.
D     Device file has changed.
U     The file's user/owner has changed.
G     The file's group has changed.
M     The file's mode (permissions and file type) has changed.
?     Unknown or unexpected result.

It can be helpful to monitor all of the packages on your system and track changes to the resulting list on a regular basis. To check all installed packages, use the -a verification option as follows:

# rpm -Va
S.5....T c /etc/exports
S.5....T c /etc/hosts.deny
S.5....T c /etc/printcap
S.5....T c /etc/services
.M...... /root
S.5....T c /usr/share/applnk/Multimedia/aktion.kdelnk
S.5....T c /etc/info-dir
..5....T c /etc/mime.types
S.5....T c /etc/httpd/conf/httpd.conf
.......T c /etc/httpd/conf/srm.conf
missing /home/httpd/html/index.html
missing /home/httpd/html/poweredby.gif
(... list continues ... )

This list will be large. As your system is configured, upgraded, and modified, you're likely to change many of the files from their original configurations. The important part is being able to explain changes that occur, particularly on executable files.
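Because rpm -Va output is large and mostly expected noise, it helps to decode the eight-column string mechanically and separate edited configuration files from changes that must be explained. The parser below is an added example, not part of the course material or of rpm; its sample input is constructed from the lines shown above.

```python
from dataclasses import dataclass, field
from typing import List

# Column meanings of the eight-character attribute string, in rpm's order.
CODES = {"S": "size", "M": "mode", "5": "md5", "D": "device",
         "L": "symlink", "U": "user", "G": "group", "T": "mtime"}

# Directories whose contents are executed; changes there deserve attention first.
EXEC_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/X11R6/bin/",
             "/usr/libexec/", "/lib/", "/usr/lib/")

# Constructed sample made from the lines shown in the notes above.
SAMPLE_OUTPUT = """
S.5....T c /etc/httpd/conf/httpd.conf
.......T c /etc/httpd/conf/srm.conf
missing   /home/httpd/html/index.html
missing   /home/httpd/html/poweredby.gif
.M...... /root
S.5....T /usr/X11R6/bin/XF86_I128
"""


@dataclass
class Verified:
    path: str
    changed: List[str] = field(default_factory=list)   # names from CODES
    is_config: bool = False                             # the optional 'c' flag
    missing: bool = False


def parse_rpm_verify(output: str) -> List[Verified]:
    """Parse 'rpm -V' / 'rpm -Va' lines into Verified records."""
    results: List[Verified] = []
    for raw in output.splitlines():
        parts = raw.split(None, 2)
        if not parts:
            continue
        if parts[0] == "missing":
            results.append(Verified(path=parts[-1], missing=True))
            continue
        attrs = parts[0]
        if len(attrs) != 8:
            continue                        # not a verification line
        has_flag = len(parts) == 3 and len(parts[1]) == 1   # c, d, g, l, r ...
        path = parts[2] if has_flag else " ".join(parts[1:])
        changed = [CODES[ch] for ch in attrs if ch in CODES]
        if "?" in attrs:
            changed.append("unknown")
        results.append(Verified(path=path, changed=changed,
                                is_config=has_flag and parts[1] == "c"))
    return results


def needs_review(items: List[Verified]) -> List[Verified]:
    """Drop the expected noise (edited configuration files) and keep what an
    administrator must be able to explain: missing files, anything under an
    executable directory, and content or ownership changes elsewhere."""
    out: List[Verified] = []
    for v in items:
        if v.is_config:
            continue
        if v.missing or v.path.startswith(EXEC_DIRS) or \
                any(a in v.changed for a in ("md5", "mode", "user", "group")):
            out.append(v)
    return out


def describe(v: Verified) -> str:
    if v.missing:
        return "%s: missing" % v.path
    return "%s: %s changed" % (v.path, ", ".join(v.changed) or "nothing")


if __name__ == "__main__":
    for v in needs_review(parse_rpm_verify(SAMPLE_OUTPUT)):
        print(describe(v))
```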

Password Management

• Linux offers you the ability to set expiration dates on passwords.

• This is done to limit their lifetime, which presumably enhances security by forcing password changes.

• If a password has been discovered or broken, the password change will eventually correct the security lapse.

• Minimum password age

– The minimum number of days between password changes.

• Maximum password age

– The maximum number of days between password changes. The user is forced to change his password before using the account after the number of days has elapsed without a password change.

• Last password change

– The date on which the password was last changed.

• Password expiration warning

– The number of days' warning that are issued in advance of a password expiration.

• Password inactive

– The number of days of inactivity the system allows before locking a password. This is an automated way of avoiding stale but valid user accounts.

• Account expiration date

– The date on which an account expires.

Password Management

• Lock|Unlock the user's password

usermod [-L|-U] username

or

passwd [-l|-u] username

• Force immediate password expiration

chage -d 0 username

Use usermod and passwd to lock the lpiuser user:

1. Change password

# passwd lpiuser

Changing password for user lpiuser.

New password:

BAD PASSWORD: it is based on a dictionary word

Retype new password:

passwd: all authentication tokens updated successfully.

# grep lpiuser /etc/shadow

lpiuser:$1$nRkFQDO7$c3OSmUCPNikLSE5pQeCQn1:13088:0:99999:7:::

2a. Lock the lpiuser account with the "usermod -L" command

# usermod -L lpiuser

# grep lpiuser /etc/shadow

lpiuser:!$1$nRkFQDO7$c3OSmUCPNikLSE5pQeCQn1:13088:0:99999:7:::

2b. Unlock the lpiuser

# usermod -U lpiuser

# grep lpiuser /etc/shadow

lpiuser:$1$nRkFQDO7$c3OSmUCPNikLSE5pQeCQn1:13088:0:99999:7:::


3a. Lock the lpiuser account with the "passwd -l" command

# passwd -l lpiuser

Locking password for user lpiuser.

passwd: Success

# grep lpiuser /etc/shadow

lpiuser:!!$1$nRkFQDO7$c3OSmUCPNikLSE5pQeCQn1:13088:0:99999:7:::

3b. Unlock the lpiuser account with the "passwd -u" command

# passwd -u lpiuser

Unlocking password for user lpiuser.

passwd: Success.

# grep lpiuser /etc/shadow

lpiuser:$1$nRkFQDO7$c3OSmUCPNikLSE5pQeCQn1:13088:0:99999:7:::

#

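The aging fields listed earlier and the lock markers seen in this transcript ("!" from usermod -L, "!!" from passwd -l) are all visible in the nine colon-separated fields of /etc/shadow. The following added example, which is not part of the course material, parses such lines and derives the state an administrator cares about; the first two sample lines are the ones from the transcript above, the other two are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

EPOCH = date(1970, 1, 1)
NO_MAX = 99999           # the conventional "never expires" maximum age


def day_to_date(days: int) -> date:
    """Shadow stores dates as days since 1970-01-01."""
    return EPOCH + timedelta(days=days)


@dataclass
class ShadowEntry:
    name: str
    hash: str
    last_change: Optional[int]   # days since epoch; None = aging off; 0 = must change now
    min_days: int
    max_days: Optional[int]
    warn_days: int
    inactive_days: Optional[int]
    expire_days: Optional[int]   # account expiry date, days since epoch

    @property
    def locked(self) -> bool:
        # usermod -L prefixes '!' and passwd -l prefixes '!!'; '*' can never match either
        return self.hash.startswith(("!", "*"))

    @property
    def must_change_now(self) -> bool:
        return self.last_change == 0          # exactly what 'chage -d 0' sets

    @property
    def last_change_date(self) -> Optional[date]:
        return None if not self.last_change else day_to_date(self.last_change)

    def password_expires_on(self) -> Optional[date]:
        if not self.last_change or self.max_days is None or self.max_days >= NO_MAX:
            return None
        return day_to_date(self.last_change + self.max_days)

    def status(self, today: date) -> str:
        """One word an administrator can act on."""
        if self.locked:
            return "locked"
        if self.expire_days is not None and today >= day_to_date(self.expire_days):
            return "account-expired"
        if self.must_change_now:
            return "must-change"
        due = self.password_expires_on()
        if due is None:
            return "ok"
        if today >= due:
            return "expired"
        if (due - today).days <= self.warn_days:
            return "expiring"
        return "ok"


def _int(field: str) -> Optional[int]:
    return int(field) if field.strip() else None


def parse_shadow_line(line: str) -> ShadowEntry:
    f = line.rstrip("\n").split(":")
    if len(f) != 9:
        raise ValueError("expected 9 colon-separated fields, got %d" % len(f))
    return ShadowEntry(name=f[0], hash=f[1], last_change=_int(f[2]),
                       min_days=_int(f[3]) or 0, max_days=_int(f[4]),
                       warn_days=_int(f[5]) or 0, inactive_days=_int(f[6]),
                       expire_days=_int(f[7]))


# Constructed sample: lines 1 and 2 are the ones shown in the transcript above,
# lines 3 and 4 are made up to show a 90-day maximum and a forced change.
SAMPLE_SHADOW = """\
lpiuser:$1$nRkFQDO7$c3OSmUCPNikLSE5pQeCQn1:13088:0:99999:7:::
lpiuser:!!$1$nRkFQDO7$c3OSmUCPNikLSE5pQeCQn1:13088:0:99999:7:::
alice:$1$constructed$hash:13088:0:90:7:::
bob:$1$constructed$hash:0:0:99999:7:::
"""


def report(text: str, today: date) -> List[Tuple[str, str]]:
    """Return [(name, status)] for every line of a shadow file."""
    entries = [parse_shadow_line(l) for l in text.splitlines() if l.strip()]
    return [(e.name, e.status(today)) for e in entries]


if __name__ == "__main__":
    for name, state in report(SAMPLE_SHADOW, date.today()):
        print(name, state)
```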

Turning off unused network services

• Some servers are not launched by inetd or xinetd

• This often includes servers such as atd, lpd, sshd, nfsd, ...

• Standalone servers are usually started by the init system (/etc/init.d/)

• To stop:

scriptname stop

Some servers are not launched by inetd or xinetd, but are instead running all the time as "standalone" servers. This often includes servers such as atd, lpd, sshd, nfsd, and others. In fact, inetd and xinetd are both standalone servers themselves, and if you have commented out all of the services in their respective config files, you may choose to turn them off completely.

Standalone servers are usually started by the init system when the system boots up or changes runlevels.

To stop the init system from starting a server, find the symlinks to its startup script in each runlevel directory, and delete them. The runlevel directories are usually named /etc/rc3.d or /etc/rc.d/rc3.d (for runlevel 3). You'll also want to check the other runlevels.

Once the runlevel symlinks for the service are removed, you will still need to shut down the currently running server. It is best to do this with the service's init script, usually found in /etc/init.d or /etc/rc.d/init.d. For example, to shut down sshd:

# /etc/init.d/sshd stop

* Stopping sshd... [ ok ]


Introducing iptables

• The packet filter rules can be set up to do both firewall and router activities.

• You can inspect your current rules with the -L option to iptables:

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

The iptables and ipchains commands are used to adjust and inspect the network packet filter rules in a running Linux kernel. The ipchains command was used for 2.2.x versions of the kernel, and although it can still be used with 2.4.x kernels, it has been superseded by iptables.

This is an example of a wide-open system, with no routing or firewalling enabled.

Configuration files:

/proc/net/ip_fwchains

/proc/net/ip_fwnames

/proc/net/ip_masquerade

Setting user limits with ulimit

• ulimit provides a method for limiting the usage of resources.

• The limit is inherited by all child processes

• To retrieve the current limits, use ulimit -a:

# ulimit -a
core file size        (blocks, -c) 0
data seg size         (kbytes, -d) unlimited
file size             (blocks, -f) unlimited
max locked memory     (kbytes, -l) unlimited
max memory size       (kbytes, -m) unlimited
open files                    (-n) 1024
pipe size          (512 bytes, -p) 8
stack size            (kbytes, -s) unlimited
cpu time             (seconds, -t) unlimited
max user processes            (-u) 3071
virtual memory        (kbytes, -v) unlimited

The ulimit command in bash provides a method for limiting the usage of resources by a given user. Once a limit is lowered, there is no way to raise the limit for the life of the process. Furthermore, the limit is inherited by all child processes. The effect is that you can call ulimit in /etc/profile, and the limits will irrevocably apply to all users (assuming they're running bash or another shell that runs /etc/profile on login).

It can be quite tricky to set these limits in a way that actually increases the security of your system without causing problems for legitimate users, so be careful when adjusting these settings.


Setting CPU time limits with ulimit

• Example:

– Try setting the CPU time for a process to 1 second

# time bash
# ulimit -t 1
# while true; do true; done
Killed

real 0m28.941s
user 0m1.990s
sys 0m0.017s

As an example of ulimit, let's try setting the CPU time for a process to 1 second, then make it time out with a busy loop. Make sure to start a new bash process (as we do above) in which to try it; otherwise you'll be logged out! In the example above, "user" time plus "sys" time equals the total CPU time used by the process. When the bash process reached the 2-second mark, Linux judged that it had exceeded the 1-second limit, so the process was killed. Cool, eh?

Note:

One second was just an example. Don't do this to your users! Even multiple hours is bad, since X can really rack up the time (my current session has used 69+ hours of CPU time). For a real implementation, you may want to ulimit something other than CPU time.

You may also want to limit things such as the number of simultaneous logins or disk usage. These aren't covered by ulimit; instead you should look into one of the following packages:

• Clobberd monitors user activity, and meters resources such as time and network activity.

• Idled can log out users that have been idle for too long or who have been logged on for too long. It can also prevent users from being logged in too many times, and refuse users from being logged in at all.

Logging and Superuser Mail

• syslog

– necessary to review security breaches and to trace possible perpetrators

• sendmail

– Some system responses to security problems can come in the form of email to user root.

The syslog system is a constant companion to the security-conscious system administrator. Its logs are necessary to review security breaches and to trace possible perpetrators.

You may wish to log in as root regularly to check its mail, but you can make such checking passive by instructing sendmail to forward root's mail to administrators. To do so, add a line like this to /etc/aliases:

root: jdoe, bsmith

Then execute the newaliases command to recompile the aliases database:

# newaliases

Now all email for root goes to both jdoe and bsmith (but not root), who will presumably act on important messages.

Other files and utilities

• socket command

– create an endpoint for communication.

– Return value: -1 is returned if an error occurs; otherwise the return value is a descriptor referencing the socket.

• /sbin/nologin

– politely refuse a login.

– Example:

# grep nobody /etc/passwd
nob​ody:x:99:99:Nobody:/:/sbin/nologin

• The nobody user cannot log in to the system directly.

# grep nologin /etc/passwd
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin

Summary

• Configure TCP wrappers, password aging information.

• Basic knowledge of ipchains and iptables.

• Syslog configuration, shadowed passwords.

• Limits on user logins, processes, and memory usage.


Key files, terms, and utilities include:

/etc/inetd.conf or /etc/inet.d/*

/etc/nologin

/etc/passwd

/etc/shadow

/etc/syslog.conf

/proc/net/ip_fwchains

/proc/net/ip_fwnames

/proc/net/ip_masquerade

find

ipchains

passwd

socket

iptables

quota

usermod


Appendix: Student notes

LinuxIT Technical Education Centre Contents _____________________________________________________________________

Table of Contents

The Linux Kernel.............................................................................................................................. 4 1. Kernel Concepts .................................................................................................................................... 4 2. The Modular Kernel................................................................................................................................ 5 3. Routine Kernel Recompilation.............................................................................................................. 7 4. Exercises............................................................................................................................................... 13

Booting Linux................................................................................................................................. 15 1. Understanding Runlevels.................................................................................................................... 15 2. The joys of inittab................................................................................................................................ 17 3. LILO the Linux boot Loader................................................................................................................ 18 4. From boot to bash................................................................................................................................ 19 5. Exercises............................................................................................................................................... 21

Managing Groups and Users........................................................................................................ 22 1. Creating new users.............................................................................................................................. 22 2. Working with groups........................................................................................................................... 23 3. Configuration files............................................................................................................................... 24 4. Command options................................................................................................................................ 26 5. Modifying accounts and default settings.......................................................................................... 27 6. Exercises............................................................................................................................................... 29

Network Configuration (p. 30)
  1. The Network Interface (p. 30)
  2. Host Information (p. 31)
  3. Stop and Start Networking (p. 32)
  4. Routing (p. 33)
  5. Common Network Tools (p. 35)
  6. Exercises (p. 37)

TCP/IP Networks (p. 38)
  1. Binary Numbers and the Dotted Quad (p. 38)
  2. Broadcast Address, Network Address and Netmask (p. 38)
  3. Network Classes (p. 40)
  4. Subnets (p. 41)
  5. The TCP/IP Suite (p. 42)
  6. TCP/IP Services and Ports (p. 44)
  7. Exercises (p. 45)

Network Services (p. 46)
  1. The inetd daemon (old) (p. 46)
  2. The xinetd Daemon (p. 47)
  3. TCP wrappers (p. 47)
  4. Setting up NFS (p. 48)
  5. SMB and NMB (p. 49)
  6. DNS services (p. 51)

_____________________________________________________________________

2

LinuxIT Technical Education Centre Contents _____________________________________________________________________

  7. Sendmail Main Configuration (p. 55)
  8. The Apache server (p. 55)
  9. Exercises (p. 57)

Bash Scripting (p. 59)
  1. The bash environment (p. 59)
  2. Scripting Essentials (p. 60)
  3. Logical evaluations (p. 61)
  4. Flow Control and Loops (p. 62)
  5. Expecting user input (p. 63)
  6. Working with Numbers (p. 64)
  7. Exercises (p. 65)

Basic Security (p. 66)
  1. Local Security (p. 66)
  2. Network Security (p. 67)
  3. The Secure Shell (p. 72)
  4. Time Configuration (p. 73)
  5. Kernel security (p. 74)

Linux System Administration (p. 76)
  1. Logfiles and configuration files (p. 76)
  2. Log Utilities (p. 77)
  3. Automatic Tasks (p. 79)
  4. Backups and Compressions (p. 80)
  5. Documentation (p. 82)
  6. Exercises (p. 85)

Setting up PPP (p. 86)
  1. Serial Modems (p. 86)
  2. Dialup Configuration (p. 87)
  3. pppd and chat (p. 87)
  4. PPPD peers (p. 88)
  5. Wvdial (p. 89)

Printing (p. 90)
  1. Filters and gs (p. 90)
  2. Printers and print queues (p. 90)
  3. Printing Tools (p. 91)
  4. The configuration files (p. 92)
  5. Exercises (p. 95)


The Linux Kernel

1. Kernel Concepts

The two different types of Linux kernel are:

A: Monolithic

A monolithic kernel is one which has support for all hardware, network and filesystem drivers compiled into a single image file.

B: Modular

A modular kernel is one which has some drivers compiled as object files, which the kernel can load and remove on demand. Loadable modules are kept in /lib/modules.

The advantage of a modular kernel is that it does not always need to be recompiled when hardware is added or replaced on the system. Monolithic kernels boot slightly faster than modular kernels, but do not otherwise outperform them.

2. The Modular Kernel

Many components of the Linux kernel may be compiled as modules which the kernel can dynamically load and remove as required.

The modules for a particular kernel are stored in /lib/modules/.

The best components to modularise are ones not required at boot time, for example peripheral devices and supplementary file systems.

Kernel modules are controlled by utilities supplied by the modutils package:

- lsmod
- rmmod
- insmod
- modprobe
- modinfo

Many modules are dependent on the presence of other modules. A flat file database of module dependencies, /lib/modules/kernel-version/modules.dep, is generated by the depmod command. This command is run by the rc.sysinit script when booting the system.

-- modprobe will load any module together with the dependent modules listed in modules.dep.

Search, for example, for the modules that will be loaded at the same time as tvaudio:

    grep tvaudio /lib/modules/kernel-version/modules.dep

    /lib/modules/kernel-version/kernel/drivers/media/video/tvaudio.o: \
        /lib/modules/kernel-version/kernel/drivers/i2c/i2c-core.o

This means that the module i2c-core.o will also be loaded when tvaudio is loaded with modprobe. This dependency is also apparent when listing the modules with lsmod:

    lsmod

    Module          Size   Used by    Not tainted
    tvaudio        16796   0  (unused)
    i2c-core       19236   0  [tvaudio]
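The dependency resolution that modprobe performs over modules.dep, written out as an added shell example (this is not code from the LinuxIT text or from modutils). It reads a constructed 2.4-style modules.dep, joins the backslash continuation lines, and prints the order in which modules would be inserted: every dependency before the module that needs it, each module once. The tvaudio and i2c-core entries mirror the listing above; the bttv and videodev entries and the 2.4.20 paths are made up for the example.

```shell
#!/bin/sh
# Added example: resolve the load order modprobe derives from modules.dep.
# modules.dep (2.4 style) has lines "target.o: dep1.o dep2.o ..." with
# backslash continuations; each dependency must be inserted before the
# module that needs it, and each module only once.

# Constructed sample modules.dep (tvaudio/i2c-core from the text, bttv and
# videodev entries invented for the example; nothing is read from /lib/modules).
MODDEP=$(mktemp)
DEPTABLE=$(mktemp)
trap 'rm -f "$MODDEP" "$DEPTABLE"' EXIT
cat > "$MODDEP" <<'EOF'
/lib/modules/2.4.20/kernel/drivers/media/video/tvaudio.o: \
    /lib/modules/2.4.20/kernel/drivers/i2c/i2c-core.o

/lib/modules/2.4.20/kernel/drivers/media/video/bttv.o: \
    /lib/modules/2.4.20/kernel/drivers/media/video/videodev.o \
    /lib/modules/2.4.20/kernel/drivers/i2c/i2c-core.o \
    /lib/modules/2.4.20/kernel/drivers/media/video/tvaudio.o
/lib/modules/2.4.20/kernel/drivers/i2c/i2c-core.o:
/lib/modules/2.4.20/kernel/drivers/media/video/videodev.o:
EOF

# normalize_moddep FILE: join continuation lines and reduce every entry to
# "module dep dep ..." using bare module names (path and .o/.ko stripped).
normalize_moddep() {
    awk '
    function base(p) { sub(/^.*\//, "", p); sub(/\.(o|ko)$/, "", p); return p }
    {
        line = line " " $0
        if (line ~ /\\[ \t]*$/) { sub(/\\[ \t]*$/, "", line); next }
        n = split(line, f, /[ \t]+/)
        out = ""
        for (i = 1; i <= n; i++) {
            if (f[i] == "" || f[i] == ":") continue
            if (out == "") { t = f[i]; sub(/:$/, "", t); out = base(t) }
            else out = out " " base(f[i])
        }
        if (out != "") print out
        line = ""
    }' "$1"
}
normalize_moddep "$MODDEP" > "$DEPTABLE"

# known_module NAME: true if modules.dep has an entry for NAME.
known_module() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' "$DEPTABLE"
}

# load_order NAME: print, on one line, the modules in the order modprobe
# would insert them (depth-first, dependencies first, no repeats).
load_order() {
    _seen=""
    _order=""
    known_module "$1" || echo "warning: $1 not in modules.dep" >&2
    _visit "$1"
    echo "${_order# }"
}

# _visit is recursive.  It relies on the for loop expanding its word list
# once, so the globals it overwrites do not disturb the caller's loop.
_visit() {
    case " $_seen " in *" $1 "*) return 0 ;; esac
    _seen="$_seen $1"
    for _d in $(awk -v m="$1" '$1 == m { for (i = 2; i <= NF; i++) print $i }' "$DEPTABLE"); do
        _visit "$_d"
    done
    _order="$_order $1"
}

echo "modprobe tvaudio loads: $(load_order tvaudio)"
echo "modprobe bttv loads:    $(load_order bttv)"
```

To run it against a real tree, point MODDEP at /lib/modules/$(uname -r)/modules.dep instead of the constructed file; the resolver itself does not change.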

-- /etc/modules.conf is consulted for module parameters (IRQ and IO ports) but most often contains a list of aliases. These aliases allow applications to refer to a device using a common name. For example the first ethernet device is always referred to as eth0 and not by the name of the particular driver.

Fig 1: Sample /etc/modules.conf file:

    alias eth0 e100
    alias usb-core usb-uhci
    alias sound-slot-0 i810_audio
    alias char-major-108 ppp_generic
    alias ppp-compress-18 ppp_mppe

    # 100Mbps full duplex
    options eth0 e100_speed_duplex=4

-- modinfo will give information about modules:

    modinfo tvaudio

    filename:    /lib/modules/kernel-version/kernel/drivers/media/video/tvaudio.o
    description: "device driver for various i2c TV sound decoder / audiomux chips"
    author:      "Eric Sandeen, Steve VanDeBogart, Greg Alexander, Gerd Knorr"
    license:     "GPL"
    parm:        debug int
    parm:        probe short array (min = 1, max = 48), description "List of adapter,address pairs to scan additionally"
    parm:        probe_range short array (min = 1, max = 48), description "List of adapter,start-addr,end-addr triples to scan additionally"
    parm:        ignore short array (min = 1, max = 48), description "List of adapter,address pairs not to scan"
    parm:        ignore_range short array (min = 1, max = 48), description "List of adapter,start-addr,end-addr triples not to scan"
    parm:        force short array (min = 1, max = 48), description "List of adapter,address pairs to boldly assume to be present"
    parm:        tda9874a_SIF int
    parm:        tda9874a_AMSEL int
    parm:        tda9874a_STD int
    parm:        tda8425 int
    parm:        tda9840 int

To get information only about the module parameters use modinfo -p; to get only the license use modinfo -l, etc.

-- kmod is the mechanism that allows the kernel to load modules automatically as they are needed (one seldom needs to insert modules manually). It is not a loadable module itself but a facility compiled statically into the kernel, so it must be enabled when the kernel is configured, before compiling. The user-space command the kernel invokes to load a module is defined in /proc/sys/kernel/modprobe (normally /sbin/modprobe). Because the kernel runs that program with full privileges whenever an unknown module is requested, the path must point only at a trusted, root-owned binary.

3. Routine Kernel Recompilation

3.1 Source extraction

The kernel source is stored in the /usr/src/linux directory tree, which is a symbolic link to the /usr/src/(kernel-version) directory. When extracting a new kernel source archive it is recommended to:

• remove the symbolic link to the old kernel source directory tree (from within /usr/src):

    rm linux

  Kernel sources which have been packaged as an RPM often create a link called linux-2.4 instead.

• extract the new source archive (e.g. linux-2.4.20.tar.bz2):

    tar xjf linux-2.4.20.tar.bz2

  Note: the archived 2.2 series kernels create a directory called linux instead of linux-version. This is why the first step is important, otherwise you may overwrite an old source tree with the new one. Since kernel 2.4 the name of the directory is linux-version.

• create a symbolic link called linux pointing to the newly created directory:

    ln -s linux-2.4.20 linux

• The kernel is almost ready to be configured now, but first we need to make sure that all old binary files are cleared out of the source tree, and this is done with the make mrproper command.

  Warning: this command will also delete the kernel configuration file .config discussed later.

    cd /usr/src/linux
    make mrproper

Note: mrproper refers to Mr. Proper, the European name of a Procter & Gamble household cleaner that gets things "cleaner than clean"; the target is one step beyond "make clean".

3.2 Kernel Configuration

First edit the Makefile and make sure that the "EXTRAVERSION" variable is different from the existing version, otherwise the new kernel's modules will later be installed over those of the running kernel in /lib/modules:

    VERSION = 2
    PATCHLEVEL = 4
    SUBLEVEL = 20
    EXTRAVERSION = -test

The kernel is now ready to be configured. This essentially means creating a configuration file called .config. This is done from the kernel source tree directory /usr/src/linux with any of the following:

    make menuconfig
    make xconfig
    make config

It is often easier to configure a new kernel using an older .config file by using the make oldconfig command. This will prompt the user only for new features in the kernel source tree (if the kernel is newer or has been patched).

Notice: Some distributions such as RedHat have a configs subdirectory containing files to be used as .config files with predefined configurations.

To enable kernel features (with make menuconfig) you will enter the top level category by moving with the arrow keys and pressing enter to access the desired category. Once in the particular category, pressing the space bar will change the kernel support for a feature or driver.

Possible support types are

• supported (statically compiled) [*]
• modular (dynamically compiled) [M]
• not supported [ ]

The same choices are available with the other menu editors config and xconfig.

Troubleshooting: The make menuconfig target needs the ncurses header files. These are provided by the ncurses-devel package and must be installed for this target to work.

Fig 2: The make xconfig top level menu (screenshot).

3.3 Kernel Compilation

make clean

The make command gets its instructions from the Makefile and will build what is needed. If some files are already present, in particular files with the *.o extension, make will use them as they are. To make sure that all the configuration options in .config are used to rebuild the files needed one has to run make clean (this deletes the *.o files).

Notice: you do not need to run "make clean" at this stage if you already prepared the source directory with "make mrproper".

make dep

Once the kernel configuration is complete, it is necessary to reflect these choices in all the subdirectories of the kernel source tree. This is done with the make dep command. Files called .depend, containing paths to header files present in the kernel source tree (/usr/src/linux/include), are generated by the dep target.

The kernel itself is compiled with one of the commands:

    make
    make zImage
    make bzImage

When the command exits without any errors, there will be a file in the /usr/src/linux/ directory called vmlinux. This is the uncompressed kernel.


The two other commands will write an additional file in /usr/src/linux/arch/i386/boot/ called zImage and bzImage respectively. These are compressed kernels using gzip and bzip2. See the next section Installing the New Kernel to find out how to proceed with these files.

make modules

The modules are compiled with make modules.

make modules_install

Once the modules are compiled they need to be copied to the corresponding subdirectory in /lib/modules. The make modules_install command will do that.

The sequence of commands is depicted in Fig 3.

Fig 3: kernel compilation commands:

    make dep
    make clean
    make bzImage
    make modules
    make modules_install

3.4 Installing a New Kernel

The new kernel can be found in /usr/src/linux/arch/i386/boot/bzImage (the arch subdirectory depends on the architecture of your system). This file must be copied to the /boot directory and named vmlinuz-<version>:

    cp /usr/src/linux/arch/i386/boot/bzImage /boot/vmlinuz-<version>

Next the /etc/lilo.conf or /boot/grub/grub.conf file needs to be edited to add our newly compiled kernel to the boot menu. Copy the "image" section from your existing kernel and add a new image section at the bottom of the file, as shown below:

Editing the /etc/lilo.conf file

    prompt
    timeout=50
    message=/boot/message
    ----------snip-------------------------------
    image=/boot/vmlinuz               Existing section
        label=linux
        root=/dev/hda6
        read-only

    image=/boot/vmlinuz-<version>     Added section
        label=linux-new
        root=/dev/hda6
        read-only

The symbol table for the various kernel procedures can be copied to the /boot directory:

    cp /usr/src/linux/System.map /boot/System.map-<version>

3.5 The full kernel version

On a running system, the version of the kernel can be printed out with

    uname -r

This kernel version is also displayed on the virtual terminals if the \r escape (OS release) is present in /etc/issue.

3.6 Initial Ramdisks

If any dynamically compiled kernel modules are required at boot time (e.g. a SCSI driver, or the filesystem module for the root partition) they will be loaded from an initial ramdisk.

The initial ramdisk is created with the mkinitrd command, which takes two arguments: the image filename and the full kernel version number (the name of the directory under /lib/modules):

    mkinitrd /boot/initrd-full-version.img full-version

If you use an initial ramdisk then you will need to add an initrd= line to the image section in your /etc/lilo.conf.

3.7 Optional

It is recommended to copy the /usr/src/linux/.config file to /boot/config-<version>, just to keep track of the capabilities of the different kernels that have been compiled.

3.8 Rerunning LILO

Finally lilo needs to be run in order to update the boot loader. First lilo can be run in test mode (lilo -t), which checks /etc/lilo.conf for errors without writing the boot sector; then run lilo on its own to install the new boot map.

NOTICE

The LILO boot loader needs to be updated by running lilo every time a change is made in /etc/lilo.conf; until then the boot sector still points at the old kernel image.
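A pre-flight check for the procedure above, added here as an example (it is not part of the LinuxIT text or of the kernel build system). It derives the release string a source tree will produce from VERSION, PATCHLEVEL, SUBLEVEL and EXTRAVERSION in the top-level Makefile, then refuses to proceed if that string equals the running kernel's release or if /lib/modules/<release> already exists, because make modules_install would then overwrite the modules of a kernel that is in use. The Makefile header, the "2.4.20-8" running release and the module directory are constructed for the example; in real use you would pass "$(uname -r)" and /lib/modules.

```shell
#!/bin/sh
# Added example: pre-flight check before "make modules_install" and
# copying the new kernel to /boot.  The release string of the tree being
# built is VERSION.PATCHLEVEL.SUBLEVEL followed by EXTRAVERSION from the
# top-level Makefile; if it equals the running kernel's "uname -r", the
# new modules land in the directory the running kernel is using.

# makefile_release MAKEFILE: print the release string the tree will produce.
makefile_release() {
    awk -F'=' '
    /^[ \t]*(VERSION|PATCHLEVEL|SUBLEVEL|EXTRAVERSION)[ \t]*=/ {
        key = $1; val = $2
        gsub(/[ \t]/, "", key)
        gsub(/^[ \t]+|[ \t]+$/, "", val)
        v[key] = val
    }
    END { printf "%s.%s.%s%s\n", v["VERSION"], v["PATCHLEVEL"], v["SUBLEVEL"], v["EXTRAVERSION"] }
    ' "$1"
}

# check_release RELEASE RUNNING MODULES_ROOT
#   returns 0: safe to install
#           1: RELEASE is the running kernel
#           2: MODULES_ROOT/RELEASE already exists (modules_install would overwrite it)
check_release() {
    if [ "$1" = "$2" ]; then
        echo "refusing: $1 is the running kernel; change EXTRAVERSION" >&2
        return 1
    fi
    if [ -d "$3/$1" ]; then
        echo "refusing: $3/$1 exists and would be overwritten by modules_install" >&2
        return 2
    fi
    return 0
}

# Constructed Makefile header and module tree (not a real system).
MK=$(mktemp)
MODROOT=$(mktemp -d)
trap 'rm -rf "$MK" "$MODROOT"' EXIT
cat > "$MK" <<'EOF'
VERSION = 2
PATCHLEVEL = 4
SUBLEVEL = 20
EXTRAVERSION = -test

KERNELRELEASE=$(VERSION).$(PATCHLEVEL).$(SUBLEVEL)$(EXTRAVERSION)
EOF
mkdir "$MODROOT/2.4.20-8"      # pretend the distribution kernel 2.4.20-8 is installed

rel=$(makefile_release "$MK")
echo "tree builds release: $rel"
if check_release "$rel" 2.4.20-8 "$MODROOT"; then
    echo "ok: $rel can be installed next to 2.4.20-8"
fi
```

On a real box the call is check_release "$(makefile_release /usr/src/linux/Makefile)" "$(uname -r)" /lib/modules, run before make modules_install; a non-zero return is the cue to edit EXTRAVERSION and rebuild.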


4. Exercises

Before starting with the exercises make sure you don’t have an existing kernel tree in /usr/src/. If you do, pay attention to the /usr/src/linux symbolic link.

1. Manually recompile the kernel following the compilation steps.

- Get the kernel-version.src.rpm package from rpmfind or a CD. Installing this package will also give you a list of dependencies, such as the gcc compiler or the binutils package, if they haven't yet been met.

- Install the package with rpm -i (this will put all the code in /usr/src/).

- Go into the /usr/src/linux-version directory and list the configs directory.

- Copy the kernel config file that matches your architecture into the current directory and call it .config.

- Run

    make oldconfig

  at the command line to take this new .config file into account.

- Edit the Makefile and make sure the version is not the same as your existing kernel. You can get information on your current kernel by running uname -a at the command line or by listing the /lib/modules directory.

- Run

    make menuconfig (or make config or make xconfig)

  and remove ISDN support from the kernel.

- When you exit the above program the .config file is altered but the changes have not yet been propagated to the rest of the source tree. You next need to run

    make dep

- Finally, to force new object files (.o) to be compiled with these changes, delete all previously compiled code with

    make clean

- You can now build the kernel and the modules, and install the modules, with:

    make bzImage modules modules_install

- The modules are now installed in the /lib/modules/version directory. The kernel is called bzImage and is in the directory /usr/src/linux/arch/i386/boot/. We need to manually install this kernel (2 steps):

  (i) cp /usr/src/linux/arch/i386/boot/bzImage /boot/vmlinuz-<version>

  (ii) That was easy! Now edit /etc/lilo.conf and add an 'image' paragraph that will tell LILO where to find this kernel and the root filesystem.

- Run /sbin/lilo and reboot.

2. Since we downloaded the kernel-version.src.rpm package we can now use it to recompile a 'RedHat preconfigured' kernel. Notice that although no intervention is needed, you won't be able to change the .config through the menus.

- First rebuild the compiled binary package with

    rpm --rebuild kernel-version.src.rpm (...wait!)

- This will eventually generate kernel-version.i386.rpm in /usr/src/redhat/RPMS/i386/.

- Next, upgrade your kernel with the RPM manager using the -U option.


Booting Linux

Overview

Taking a closer look at the booting process helps troubleshooting when dealing with both hardware and administrative tasks.

We first focus on the role of the init program and its associated configuration file /etc/inittab. The role of LILO at boot time is investigated in greater depth. Finally we summarise the booting process. The document "From Power to Bash Prompt" written by Greg O'Keefe as well as the boot(7) manpage are both good references for this module.

1. Understanding Runlevels

Unlike most non-UNIX operating systems which only have 2 modes of functionality (on and off), UNIX operating systems, including Linux, have different runlevels such as a "maintenance" runlevel or a "multi-user" runlevel, etc. Runlevels are numbered from 0 to 6.

Listing 1: Linux runlevels

    Runlevel 0 shuts down the machine safely
    Runlevel 1 is single user mode
    Runlevel 2 is multi-user mode, but does not start NFS
    Runlevel 3 is full multi-user mode
    Runlevel 4 is not defined and generally unused
    Runlevel 5 is like runlevel 3 but runs a Display Manager as well
    Runlevel 6 restarts the machine safely

Both init and telinit are used to switch from one runlevel to another. Remember that init is the first program launched after the kernel has been initialised at boot time. The PID for init is always 1.

Listing 2: The PID for init is always 1

    [root@nasaspc /proc]# ps uax | grep init
    USER       PID %CPU %MEM  VSZ  RSS TTY  STAT START  TIME COMMAND
    root         1  0.2  0.0 1368   52 ?    S    20:17  0:04 init [3]

At each runlevel the system will stop or start a set of specific services. These programs are kept in /etc/rc.d/init.d. This directory contains all the services that the system may run. Once these programs are launched they will stay active until a new runlevel is called. These services are also called daemons.

Listing 3: List of typical services (or daemons) in /etc/rc.d/init.d/

    ls /etc/rc.d/init.d/
    anacron    apmd       arpwatch   atd        autofs     crond      cups       dhcpd
    functions  gpm        halt       httpd      identd     innd       ipchains   iptables
    irda       isdn       kadmin     kdcrotate  keytable   killall    kprop      krb524
    krb5kdc    kudzu      ldap       linuxconf  lpd        marsrv     mcserv     named
    netfs      network    nfs        nfslock    nscd       ntpd       pcmcia     pgsql
    portmap    pppoe      random     rawdevices rhnsd      rwhod      sendmail   single
    smb        snmpd      squid      sshd       syslog     tux        xfs        xinetd

Note: It is possible to stop or start a given daemon manually by running its script in /etc/rc.d/init.d with the appropriate argument. For example, if you want to restart the apache server you would type:

    /etc/rc.d/init.d/httpd restart

When working with runlevels you instruct a specific predefined set of programs to run and another predefined set of programs to stop running. Say you want to be in runlevel 2, you would type

    /sbin/init 2

This in turn forces init to read its configuration file /etc/inittab to find out what should happen at this runlevel.

In particular (assuming we are switching to runlevel 2) the following line in inittab is executed:

    l2:2:wait:/etc/rc.d/rc 2

If you look in /etc/inittab, the "/etc/rc.d/rc N" command first runs every link in /etc/rc.d/rcN.d whose name starts with a K with the argument stop, then every link whose name starts with an S with the argument start, each group in alphabetical (and therefore numerical) order. These entries are symbolic links pointing to the rc scripts in /etc/rc.d/init.d.

If you don't want a service to run in a given runlevel N, remove the corresponding symlink beginning with an S from /etc/rc.d/rcN.d (or rename it so that it begins with a K, which stops the service explicitly when that runlevel is entered).
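What "/etc/rc.d/rc N" does with the links in rcN.d, reproduced over a constructed directory tree as an added example (not code from the LinuxIT text or from the Red Hat rc script). It lists the stop and start sequence the links imply, skips dangling links as rc does, and shows one way of disabling a service by turning its S link into a K link. The service names, priorities and the temporary directory layout are invented; the "100 minus start priority" rule for the new K link is an assumption made for the example, since chkconfig takes the stop priority from the script's "chkconfig:" header instead.

```shell
#!/bin/sh
# Added example: what "/etc/rc.d/rc N" does with the links in
# /etc/rc.d/rcN.d, reproduced over a constructed tree: every K* link is
# run with "stop" and then every S* link with "start", in sorted order,
# each resolved to the script it points to in init.d.  Dangling links
# are skipped, as rc skips links whose target is missing.

# Constructed layout under a temporary directory (not the real /etc/rc.d).
RCROOT=$(mktemp -d)
trap 'rm -rf "$RCROOT"' EXIT
mkdir -p "$RCROOT/init.d" "$RCROOT/rc3.d"
for svc in network sshd nfs ipchains; do
    printf '#!/bin/sh\necho "%s $1"\n' "$svc" > "$RCROOT/init.d/$svc"
    chmod +x "$RCROOT/init.d/$svc"
done
ln -s ../init.d/network  "$RCROOT/rc3.d/S10network"
ln -s ../init.d/sshd     "$RCROOT/rc3.d/S55sshd"
ln -s ../init.d/nfs      "$RCROOT/rc3.d/K20nfs"
ln -s ../init.d/ipchains "$RCROOT/rc3.d/K92ipchains"
ln -s ../init.d/gone     "$RCROOT/rc3.d/S99gone"     # dangling: script was removed

# rc_plan RCDIR: print "stop NAME" / "start NAME" in the order rc would
# run them.  readlink (coreutils) resolves the link to its init.d script.
rc_plan() {
    for link in "$1"/K*; do
        [ -e "$link" ] || continue          # no K links, or target missing
        echo "stop $(basename "$(readlink "$link")")"
    done
    for link in "$1"/S*; do
        [ -e "$link" ] || continue
        echo "start $(basename "$(readlink "$link")")"
    done
}

# rc_plan_line RCDIR: same, on one ';'-separated line (handy for checks).
rc_plan_line() {
    rc_plan "$1" | tr '\n' ';'
}

# disable_service RCDIR NAME: turn S<nn>NAME into K<100-nn>NAME so the
# service is stopped rather than started in this runlevel.  (chkconfig
# takes the stop priority from the script's "chkconfig:" header instead;
# 100 minus the start priority is an assumption used here for brevity.)
disable_service() {
    for link in "$1"/S??"$2"; do
        [ -L "$link" ] || continue
        name=${link##*/}                      # e.g. S55sshd
        prio=${name#S}; prio=${prio%"$2"}     # 55
        prio=${prio#0}                        # avoid octal in $(( ))
        new=$(printf 'K%02d%s' $((100 - prio)) "$2")
        mv "$link" "$1/$new"
        echo "$name -> $new"
    done
}

echo "runlevel 3 plan:"; rc_plan "$RCROOT/rc3.d"
disable_service "$RCROOT/rc3.d" sshd
echo "after disabling sshd:"; rc_plan "$RCROOT/rc3.d"
```

Pointing rc_plan at a real /etc/rc.d/rc3.d gives a quick audit of what a runlevel will start, which is worth comparing against chkconfig --list after every change.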

2. The joys of inittab

As promised let's take a look at /etc/inittab.

The file has the following structure:

    id : runlevel : action : command

Figure 3: the /etc/inittab file:

    id:3:initdefault:

    # System initialization.
    si::sysinit:/etc/rc.d/rc.sysinit

    l0:0:wait:/etc/rc.d/rc 0
    l1:1:wait:/etc/rc.d/rc 1
    l2:2:wait:/etc/rc.d/rc 2
    l3:3:wait:/etc/rc.d/rc 3
    l4:4:wait:/etc/rc.d/rc 4
    l5:5:wait:/etc/rc.d/rc 5
    l6:6:wait:/etc/rc.d/rc 6
    -----------------------snip----------------------------------
    # Trap CTRL-ALT-DELETE
    ca::ctrlaltdel:/sbin/shutdown -t3 -r now
    -----------------------snip----------------------------------
    # Run gettys in standard runlevels
    1:2345:respawn:/sbin/mingetty tty1
    2:2345:respawn:/sbin/mingetty tty2
    3:2345:respawn:/sbin/mingetty tty3
    4:2345:respawn:/sbin/mingetty tty4
    5:2345:respawn:/sbin/mingetty tty5
    6:2345:respawn:/sbin/mingetty tty6

    # Run xdm in runlevel 5
    x:5:respawn:/etc/X11/prefdm -nodaemon

The id field can be any short unique string. If a runlevel is specified then the command and the required action will be performed only at that specific runlevel. If no runlevel is specified then the line applies at any runlevel.

Recognisable features in the /etc/inittab file:

The default runlevel: this is set at the beginning of the file with the id "id" and the action initdefault. Notice that no command is given. This line simply tells init what the default runlevel is.

First program called by init: /etc/rc.d/rc.sysinit. This script sets system defaults such as the PATH variable, determines if networking is allowed, sets the hostname, etc.

Default runlevel services: if the default runlevel is 3 then only the line "l3" will be executed. The action is "wait": no other program is launched until all services in runlevel 3 are running.

The getty terminals: the lines with ids 1 to 6 launch the virtual terminals. This is where you can alter the number of virtual terminals.

Runlevel 5: the final line in inittab launches the X display manager if runlevel 5 is reached.

Remarks:

1. You can set a modem to listen for connections in inittab. If your modem is linked to /dev/ttyS1 then the following line will allow data connections (no fax) after 2 rings:

    S1:12345:respawn:/sbin/mgetty -D -n 2 /dev/ttyS1

2. When making changes to /etc/inittab you need to force init to reread this configuration file. This is most easily done using:

    /sbin/init q
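Reading /etc/inittab the way the text describes it, as an added shell example (not code from the LinuxIT text or from sysvinit). Given a runlevel it prints the id, action and command of every entry init would act on, applying the rule above that an empty runlevel field means every runlevel and that the initdefault line names the default rather than running anything. The inittab it parses is constructed after Figure 3 (trimmed, plus the mgetty line from the remarks); nothing is read from the live /etc/inittab.

```shell
#!/bin/sh
# Added example: read /etc/inittab the way the text describes it
# (id:runlevels:action:command) and list what init would act on in a
# given runlevel.  An empty runlevel field means "every runlevel"; the
# initdefault line carries no command and only names the default.

# Constructed inittab, modelled on Figure 3 (not read from a live system).
INITTAB=$(mktemp)
trap 'rm -f "$INITTAB"' EXIT
cat > "$INITTAB" <<'EOF'
id:3:initdefault:
# System initialization.
si::sysinit:/etc/rc.d/rc.sysinit
l0:0:wait:/etc/rc.d/rc 0
l3:3:wait:/etc/rc.d/rc 3
l5:5:wait:/etc/rc.d/rc 5
# Trap CTRL-ALT-DELETE
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
S1:12345:respawn:/sbin/mgetty -D -n 2 /dev/ttyS1
x:5:respawn:/etc/X11/prefdm -nodaemon
EOF

# default_runlevel FILE: the runlevel named by the initdefault entry.
default_runlevel() {
    awk -F':' '!/^[ \t]*#/ && $3 == "initdefault" { print $2; exit }' "$1"
}

# inittab_entries RUNLEVEL FILE: print "id action command" for each entry
# that applies in RUNLEVEL (field 2 contains the digit, or is empty).
# Fields beyond the third are re-joined so a command containing ':' survives.
inittab_entries() {
    awk -F':' -v rl="$1" '
    /^[ \t]*#/ || NF < 3 { next }
    $3 == "initdefault" { next }
    $2 == "" || index($2, rl) > 0 {
        cmd = $4
        for (i = 5; i <= NF; i++) cmd = cmd ":" $i
        print $1, $3, cmd
    }' "$2"
}

# count_entries RUNLEVEL FILE: number of entries that apply in RUNLEVEL.
count_entries() {
    inittab_entries "$1" "$2" | grep -c .
}

rl=$(default_runlevel "$INITTAB")
echo "default runlevel: $rl"
inittab_entries "$rl" "$INITTAB"
```

Running inittab_entries against the real /etc/inittab for the runlevel you are about to switch to (and after editing, before init q) shows exactly which respawn and wait entries will be live, which is the quickest way to catch a getty or ctrlaltdel line that applies more widely than intended.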

3. LILO the Linux boot loader

Information needed by the loader is updated by /sbin/lilo (the boot loader installer), which in turn reads its configuration file /etc/lilo.conf.

During bootup LILO needs to know essential information such as where the kernel is kept (usually in /boot) and where the filesystem root partition is. LILO has no understanding of filesystem layout or of where things are, only of offsets on the physical disks. If you are installing a second Linux distribution B that is not running while setting up lilo.conf, you will need to mount partitions such as the /boot partition of B. You must also keep track of where B's root partition is.

init parameters:

Likewise, LILO can also pass runlevel parameters to init. Once the kernel is loaded, init takes over the booting process. If no parameters are given, init will launch the default runlevel specified in /etc/inittab.

Passing runlevel instructions to init at the LILO prompt:

    Boot: linux s

Passing kernel parameters:

Parameters for the kernel can be passed at the LILO prompt or specified in /etc/lilo.conf with the append option.

Examples:

    append="pci=biosirq"
    append="mem=16M"
    append="hdc=ide-scsi"    (for CD writers)

Parameters passed to the kernel at boot time are intended for drivers that have been compiled into the kernel, and often help with detecting hardware.

Note that anyone who can type at the LILO prompt can pass parameters such as init=/bin/sh and obtain a root shell without logging in; the password= and restricted options in /etc/lilo.conf exist to prevent this and should be set on any machine whose console is not physically secured.

During bootup all kernel messages are logged to /var/log/dmesg by default. The kernel ring buffer can also be printed (or cleared) with the /bin/dmesg utility.

4. From boot to bash

We can now go through the steps a Linux system goes through while booting:

1. The kernel is loaded from the medium specified in LILO's configuration. As it loads it is decompressed.

2. If an initial ramdisk is specified it is loaded here. Modules are inserted from the initial ramdisk.

3. The kernel then mounts the root (/) filesystem in accordance with the configuration it receives from LILO (usually read-only). Hence essential programs in /bin and /sbin are made available.

4. The kernel then loads init, the first 'userspace' process.

5. init reads /etc/inittab and follows its instructions. In particular rc.sysinit is run. A filesystem integrity check (fsck) is done on the filesystems in accordance with entries in /etc/fstab.

6. Next init goes into the default runlevel, the gettys start and the boot process is over.

7. The prompt to login is now managed by the gettys on the ttys. After the user has typed in their username and pressed return, /bin/login is started.

8. The user is prompted by /bin/login for the password. The user enters a password and presses return.

9. The password the user typed is compared to the hashed password stored in /etc/passwd or /etc/shadow.


5. Exercises

Take a look at the boot(7) manpage, it covers most of what we did in this module.

1. Use init to change your current runlevel (e.g. switch between runlevel 3 and 5).

How do you know what your current runlevel is?

2. Enable the Ctrl+Alt+Del in runlevel 3 only.

How can you force init to re-read its configuration file?

3. Add a new login prompt on tty7.

4. Use dmesg to read the chipset of your ethernet card.

5. Investigate differences between shutdown, halt and reboot.

Which option to shutdown will force an fsck at the next boot?

6. Use the tools chkconfig or ntsysv to disable the sshd daemon in runlevel 2,3,4, and 5

Verify that the symbolic links in the rc2.d, rc3.d, rc4.d and rc5.d directories have changed.

7. Reboot the system. At the boot prompt give the appropriate init= parameter to skip /sbin/init and start a simple bash session.


LinuxIT Technical Education Centre Managing Groups and Users ______________________________________________________________________

Managing Groups and Users

1. Creating new users

Step 1: Create an account

The /usr/sbin/useradd command adds new users to the system and the symbolic link adduser points to it.

Syntax:

useradd [options] login-name

Example: add a user with login-name rufus

useradd rufus

Default values will be used when no options are specified. You can list these values with useradd -D.

Default options listed with useradd -D:

GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel

Notice that this information is also available in the file /etc/default/useradd.

Step 2: Activate the account with a new password

To allow a user to access his or her account the administrator must allocate a password to the user using the passwd tool.

Syntax:

passwd login-name

These two steps create a new user and define the user's environment, such as a home directory and a default shell. The user has also been assigned to a group, his primary group.

Every new user is assigned to an initial (or primary) group. Two conventions exist.

Traditionally this primary group is the same for all users and is called users with a group id (GID) of 100. Many Linux distributions adhere to this convention such as Suse and Debian.

The User Private Group scheme (UPG) was introduced by RedHat and changes this convention without changing the way in which UNIX groups work. With UPG each new user belongs to their own primary group. The group has the same name as the login-name (default), and the GID is in the 500 to 60000 range (same as UIDs).

As a consequence, when using the traditional scheme for groups the user's umask (see LPI 101) is set to 022, whereas in the UPG scheme the umask is set to 002.

2. Working with groups

Belonging to groups

A user can belong to any number of groups. However at any one time (when creating a file for example) only one group is the effective group.

The list of all groups a user belongs to is obtained with either the groups or id commands.

Example for user root:

List all IDs:

id
► uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),600(sales)

List all groups:

groups
► root bin daemon sys adm disk wheel sales

Joining a group


Joining a group changes the user’s effective group and starts a new session from which the user can then logout. This is done with the newgrp command.

Example: joining the sales group

newgrp sales

If the groups command is issued, the first group on the list would no longer be root but sales.

Creating a new group

The groupadd tool is used to administer groups. This will add an entry in the /etc/group file.

Example: Create the group devel

groupadd devel

Adding a user to a group

Administration tasks can be carried out with the gpasswd tool. One can add (-a) or remove (-d) users from a group and assign an administrator (-A). The tool was originally designed to set a single password on a group, allowing members of the same group to login with the same password. For security reasons this feature no longer works.

Example: Add rufus to the group devel

gpasswd -a rufus devel


3. Configuration files

The /etc/passwd and /etc/shadow files:

The names of all the users on the system are kept in /etc/passwd. This file has the following structure:

1. Login name
2. Password (or x if using a shadow file)
3. The UID
4. The GID
5. Text description for the user
6. The user's home directory
7. The user's shell

These 7 fields are separated by colons, as in the example below.

/etc/passwd entry with encrypted passwd:

george:$1$K05gMbOv$b7ryoKGTd2hDrW2sT.h:Dr G Micheal:/home/georges:/bin/bash


In order to hide the encrypted passwords from ordinary users you should use a shadow file. The /etc/shadow file then holds the user names and encrypted passwords and is readable only by root.

If you don't have a shadow file in /etc then you should issue the following command:

/usr/sbin/pwconv (passwd -> shadow)

This will leave an 'x' in the 2nd field of /etc/passwd and create the /etc/shadow file. If you don't wish to use shadow passwords you can revert with:

/usr/sbin/pwunconv (shadow -> passwd)

Caution: When using a shadow password file the /etc/passwd file may be world readable (644) and the /etc/shadow file must be more restricted (600 or even 400). However when using pwunconv make sure to change the permissions on /etc/passwd (600 or 400), since it then holds the encrypted passwords again.

The /etc/group and gshadow files:

In the same way, information about groups is kept in /etc/group. This file has 4 fields separated by colons.

1. Group name
2. The group password (or x if a gshadow file exists)
3. The GID
4. A comma separated list of members

Example /etc/group entry:

java:x:550:jade,eric,rufus

As for users there is a /etc/gshadow file that is created when using shadow group passwords. The utilities used to switch backwards and forwards from shadow to non-shadow files are as follows:

/usr/sbin/grpconv creates the /etc/gshadow file

/usr/sbin/grpunconv deletes the gshadow file

The /etc/login.defs and /etc/skel/ files

The /etc/login.defs file contains the following information:

• the mail spool directory: MAIL_DIR

• password aging controls: PASS_MAX_DAYS, PASS_MIN_DAYS, PASS_MAX_LEN, PASS_WARN_AGE

• max/min values for automatic UID selection in useradd: UID_MIN, UID_MAX

• max/min values for automatic GID selection in groupadd: GID_MIN, GID_MAX

• automatically create a home directory with useradd: CREATE_HOME

The /etc/skel directory contains default files that will be copied to the home directory of newly created users: .bashrc, .bash_profile, ...

4. Command options

useradd (options)

-c comment (Full Name)
-d path to home directory
-g initial group (GID). The GID must already exist
-G comma separated list of supplementary groups
-u user's UID
-s user's default shell
-p password (md5 encrypted, use quotes!)
-e account expiry date
-k the skel directory
-n switch off the UPG group scheme

groupadd (options)

-g assign a GID

5. Modifying accounts and default settings

All available options while creating a user or a group can be modified. The usermod utility has the following main options:

usermod (options)

-d the user's directory
-g the user's initial GID
-l the user's login name
-u the user's UID
-s the default shell

Notice these options are the same as for useradd.

Likewise, you can change details about a group with the groupmod utility. There are mainly two options:

groupmod (options)

-g the GID
-n the group name

Locking an account

• A user's account can be locked by prefixing an exclamation mark to the user's password. This can also be done with the following command line tools:

Lock: passwd -l or usermod -L
Unlock: passwd -u or usermod -U

• When using shadow passwords, replace the x with a *

• A less useful option is to remove the password entirely with passwd -d.

• Finally, one can also assign /bin/false to the user’s default shell in /etc/passwd.

Changing the password expiry dates:

By default a user's password is valid for 99999 days, that is 273.9 years (default PASS_MAX_DAYS). The user is warned for 7 days that his password will expire (default PASS_WARN_AGE) with the following message as he logs in:

Warning: your password will expire in 6 days

There is another password aging policy number that is called PASS_MIN_DAYS. This is the minimum number of days before a user can change his password; it is set to zero by default.

The chage tool allows an administrator to change all these options.

Usage: chage [ -l ] [ -m min_days ] [ -M max_days ] [ -W warn ] [ -I inactive ] [ -E expire ] [ -d last_day ] user

The first option -l lists the current policy values for a user. We will only discuss the -E option. This locks an account at a given date. The date is either in UNIX days or in YYYY/MM/DD format.

Notice that all these values are stored in the /etc/shadow file, and can be edited directly.
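The checks an administrator would run over these files, as an added example in Python (not part of the LinuxIT course text): it parses constructed /etc/passwd and /etc/shadow entries with the 7 and 9 colon-separated fields described above and reports unshadowed or empty passwords, extra UID 0 accounts, missing shadow entries and passwords that never expire, treating a '!' or '*' prefix as a locked password and /bin/false as a disabled login. The sample entries and their hashes are constructed placeholders.

```python
"""Audit /etc/passwd and /etc/shadow entries (added example, not course code).

Conventions applied, as described in the text:
- /etc/passwd has 7 colon-separated fields, with 'x' in field 2 when the
  password lives in /etc/shadow;
- /etc/shadow has 9 fields, including the PASS_MIN_DAYS / PASS_MAX_DAYS /
  PASS_WARN_AGE / inactive / expiry values that chage manipulates;
- a password prefixed with '!' (passwd -l, usermod -L) or set to '*' is locked;
- a shell of /bin/false prevents login regardless of the password.
"""

PASSWD_FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")
SHADOW_FIELDS = ("name", "passwd", "lastchg", "min", "max", "warn",
                 "inactive", "expire", "reserved")
DEFAULT_PASS_MAX_DAYS = 99999   # the PASS_MAX_DAYS default quoted in the text

# Constructed sample entries; the hashes are placeholders, not real ones.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
rufus:x:501:501:Rufus:/home/rufus:/bin/bash
jade:x:502:502:Jade:/home/jade:/bin/false
eric:x:503:503:Eric:/home/eric:/bin/bash
backup:$1$saltsalt$PLACEHOLDERHASH:504:504:Backup:/var/backup:/bin/sh
toor:x:0:0:second root:/root:/bin/bash
guest:x:505:100:Guest:/home/guest:/bin/bash
oldsvc::506:506:Old service:/var/oldsvc:/bin/sh
"""

SHADOW_SAMPLE = """\
root:$1$saltsalt$PLACEHOLDERHASH:12400:0:99999:7:::
rufus:$1$saltsalt$PLACEHOLDERHASH:12400:0:90:7:::
jade:!$1$saltsalt$PLACEHOLDERHASH:12400:0:99999:7:::
eric::12400:0:99999:7:::
toor:*:12400:0:99999:7:::
"""


def parse_entries(text, fields):
    """Split colon-separated lines into dicts; collect malformed lines."""
    rows, bad = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(fields):
            bad.append((lineno, line))
            continue
        rows.append(dict(zip(fields, parts)))
    return rows, bad


def lock_state(hash_field):
    """'empty', 'locked' ('!' or '*' prefix) or 'set'."""
    if hash_field == "":
        return "empty"
    if hash_field[0] in "!*":
        return "locked"
    return "set"


def audit(passwd_text, shadow_text):
    """Return (user, finding) tuples in /etc/passwd order."""
    findings = []
    users, bad_pw = parse_entries(passwd_text, PASSWD_FIELDS)
    shadow, bad_sh = parse_entries(shadow_text, SHADOW_FIELDS)
    for lineno, line in bad_pw + bad_sh:
        findings.append(("?", f"malformed entry on line {lineno}: {line!r}"))
    shadow_by_name = {s["name"]: s for s in shadow}

    for u in users:
        name, pw = u["name"], u["passwd"]
        if u["uid"] == "0" and name != "root":
            findings.append((name, "extra UID 0 account"))
        if pw == "":
            findings.append((name, "empty password field in /etc/passwd"))
            continue
        if pw != "x":
            # The hash sits in the world-readable file; pwconv moves it.
            findings.append((name, "hash kept in /etc/passwd (run pwconv)"))
            continue
        s = shadow_by_name.get(name)
        if s is None:
            findings.append((name, "no /etc/shadow entry"))
            continue
        state = lock_state(s["passwd"])
        if state == "empty":
            findings.append((name, "empty password in /etc/shadow"))
        elif state == "set" and u["shell"] != "/bin/false":
            max_days = int(s["max"]) if s["max"] else DEFAULT_PASS_MAX_DAYS
            if max_days >= DEFAULT_PASS_MAX_DAYS:
                findings.append((name, "password never expires (PASS_MAX_DAYS default)"))
    return findings


if __name__ == "__main__":
    for user, finding in audit(PASSWD_SAMPLE, SHADOW_SAMPLE):
        print(f"{user:10} {finding}")
```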

Removing an account:

A user's account may be removed with the userdel command. To make sure that the user's home directory is also deleted use the -r option.

userdel -r jade

6. Exercises

1. Creating users

Use adduser to create a user called tux with user ID 600 and group ID 550

Use usermod to change this user’s home directory. Does the new directory need to be created? Is the content of /etc/skel copied to the new directory? Can the contents of the old home directory still be accessed by user tux?

Use usermod to add tux to the group wheel.

2. Working with groups

Create a group called sales using groupadd.

Add tux to this group using gpasswd.

Login as tux and join the group sales using newgrp.

3. Configuration files

Add a user to the system by editing /etc/passwd and /etc/group.

Create a group called share and add user tux to this group by manually editing /etc/group.

4. Modifying an Account

Change the expiry date for user tux's account using usermod. Lock the user's account (use tools or edit /etc/shadow ...). Prevent the user from logging in by changing the user's default shell to /bin/false. Change the PASS_MAX_DAYS for user tux to 1 in /etc/shadow.

5. Changing default settings

Use useradd -D to change the system's default settings such that every new user will be assigned /bin/sh instead of /bin/bash. (Notice that this will change the file in /etc/default/.)

Edit /etc/login.defs and change the default PASS_MAX_DAYS so that new users need to change their password every 5 days


LinuxIT Technical Education Centre Network Configuration ______________________________________________________________________

Network Configuration

1. The Network Interface

The network interface card (NIC) must be supported by the kernel. To determine which card you are using you can get information from dmesg, /proc/interrupts, /sbin/lsmod or /etc/modules.conf.

Example:

dmesg

Linux Tulip driver version 0.9.14 (February 20, 2001)

PCI: Enabling device 00:0f.0 (0004 -> 0007)

PCI: Found IRQ 10 for device 00:0f.0

eth0: Lite-On 82c168 PNIC rev 32 at 0xf800, 00:A0:CC:D3:6E:0F, IRQ 10.

eth0: MII transceiver #1 config 3000 status 7829 advertising 01e1.

cat /proc/interrupts

0: 8729602 XT-PIC timer

1: 4 XT-PIC keyboard

2: 0 XT-PIC cascade

7: 0 XT-PIC parport0

8: 1 XT-PIC rtc

10: 622417 XT-PIC eth0

11: 0 XT-PIC usb-uhci

14: 143040 XT-PIC ide0

15: 180 XT-PIC ide1

/sbin/lsmod

Module Size Used by

tulip 37360 1 (autoclean)

From the example above we see that the Ethernet card’s chipset is Tulip, the i/o address is 0xf800 and the IRQ is 10. This information can be used either if the wrong module is being used or if the resources (i/o or IRQ) are not available.

This information can either be used to insert a module with a different i/o address (using the modprobe or insmod utilities) or can be saved in /etc/modules.conf (this will save the settings for the next bootup).

2. Host Information

The following files are used to store networking information.

/etc/resolv.conf contains a list of DNS servers

nameserver 192.168.1.108

nameserver 192.168.1.1

search linuxit.org

/etc/HOSTNAME is used to give a name to the PC

• One can also associate a name to a network interface. This is done differently across distributions.

/etc/hosts contains your machine's IP number as well as a list of known hosts

# Do not remove the following line, or various programs

# that require network functionality will fail.

127.0.0.1 localhost localhost.localdomain

# other hosts

192.168.1.108 mesa mesa.domain.org

192.168.1.119 pico

/etc/sysconfig/network defines if networking must be started. (can also contain the HOSTNAME variable)

NETWORKING=yes

HOSTNAME=mesa.domain.org

GATEWAY=192.168.1.1

GATEWAYDEV=

/etc/sysconfig/network-scripts/ifcfg-eth0 The configuration parameters for eth0

DEVICE=eth0

BOOTPROTO=none

BROADCAST=192.168.1.255

IPADDR=192.168.1.108

NETWORK=192.168.1.0


ONBOOT=yes

USERCTL=no


3. Stop and Start Networking

● From the command line

The main tool used to bring up the network interface is /sbin/ifconfig. Once initialised the kernel module aliased to eth0 in /etc/modules.conf (e.g tulip.o) is loaded and assigned an IP and netmask value.

As a result the interface can be switched on and off without losing this information as long as the kernel module is inserted.

Examples: Using ifconfig.

/sbin/ifconfig eth0 192.168.10.1 netmask 255.255.128.0

/sbin/ifconfig eth0 down

/sbin/ifconfig eth0 up

Another tool is /sbin/ifup. This utility reads the system’s configuration files in /etc/sysconfig/ and assigns the stored values for a given interface. The script for eth0 is called ifcfg-eth0 and has to be configured. If a boot protocol such as DHCP is defined then ifup will start the interface with that protocol.

Examples: Using ifup.

/sbin/ifup eth0

/sbin/ifup ppp0

/sbin/ifdown eth0

● Using the network script

At boot time the ethernet card is initialised with the /etc/rc.d/init.d/network script. All the relevant networking files are sourced in the /etc/sysconfig/ directory.

In addition the script also reads the sysctl options in /etc/sysctl.conf, this is where you can configure the system as a router (allow IP forwarding in the kernel). For example the line:

net.ipv4.ip_forward = 1

will enable ip forwarding and the file /proc/sys/net/ipv4/ip_forward will contain a one.

The network script is started with the following command

/etc/rc.d/init.d/network restart

● Renewing a DHCP lease

The following tools can query the DHCP server for a new IP:

pump
dhcpclient

A client daemon also exists called dhcpcd (do not confuse this with the DHCP server daemon dhcpd).

4. Routing

A noticeable difference when using ifup is the system’s routing table. This is because either the /etc/sysconfig/network file is read, where a default gateway is stored, or the DHCP server has sent this information together with the IP number. The routing tables are configured, checked and changed with the /sbin/route tool.

Routing examples:

Add a static route to the network 10.0.0.0 through the device eth1 and use 192.168.1.108 as the gateway for that network:

/sbin/route add -net 10.0.0.0 gw 192.168.1.108 dev eth1

Add a default gateway:

/sbin/route add default gw 192.168.1.1 eth0

Listing the kernel routing table: /sbin/route -n

► Kernel IP routing table
Destination     Gateway         Genmask         Iface
192.168.1.0     0.0.0.0         255.255.255.0   eth0
10.1.8.0        192.168.1.108   255.0.0.0       eth1
127.0.0.0       0.0.0.0         255.0.0.0       lo
0.0.0.0         192.168.1.1     0.0.0.0         eth0

Default Gateway: In the last listing, the Destination field is a list of networks. In particular, 0.0.0.0 means 'anywhere'. With this in mind, there are two IPs in the Gateway field. Which one is the default gateway?

To avoid having to enter static routes by hand, special daemons (gated or routed) are run to dynamically update routing tables across a network.

If you belong to the 192.168.10.0 network and you add a route to the 192.168.1.0 network you may find that machines in the latter network are not responding. This is because no route has been set from the 192.168.1.0 network back to your host!! This problem is solved using dynamic routing.

Permanent Static Routes

If you have several networks with more than one gateway you can use the /etc/sysconfig/static-routes file (instead of routing daemons). These routes will be added at boot time by the network script.

A routing scenario:


5. Common Network Tools

Here is a short list of tools helpful when troubleshooting network connections.

ping host:

This tool sends an ICMP ECHO_REQUEST datagram to a host and expects an ICMP ECHO_RESPONSE.

Options for ping:

-b ping a broadcast address
-c N send N packets
-q quiet mode: display only start and end messages

netstat:

You may get information on current network connections, the routing table or interface statistics depending on the options used.

Options for netstat:

-r same as /sbin/route
-I display list of interfaces
-n don't resolve IP addresses
-p returns the PID and names of programs (only for root)
-v verbose
-c continuous update

Example: Output of netstat --inet -n:

Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        State
tcp        0      0 192.168.1.10:139       192.168.1.153:1992     ESTABLISHED
tcp        0      0 192.168.1.10:22        192.168.1.138:1114     ESTABLISHED
tcp        0      0 192.168.1.10:80        192.168.1.71:18858     TIME_WAIT

In the above listing you can see that the local host has established connections on ports 139, 22 and 80.

arp:


Display the kernel address resolution cache.

Example:

arp

Address HWtype HWaddress Iface

192.168.1.71 ether 00:04:C1:D7:CA:2D eth0

traceroute:

Displays the route taken from the local host to the destination host. Traceroute forces intermediate routers to send back error messages (ICMP TIME_EXCEEDED) by deliberately setting the ttl (time to live) value too low. After each TIME_EXCEEDED notification traceroute increments the ttl value, forcing the next packet to travel further, until it reaches its destination.

Example:

/usr/sbin/traceroute -n www.redhat.com

► traceroute: Warning: www.redhat.com has multiple addresses; using 216.148.218.197
traceroute to www.redhat.com (216.148.218.197), 30 hops max, 38 byte packets
 1 192.168.1.1 0.440 ms 0.347 ms 0.341 ms
---- snip ---
14 12.122.2.145 112.116 ms 110.908 ms 112.002 ms
15 12.122.2.74 156.629 ms 157.028 ms 156.857 ms
16 12.122.255.222 156.867 ms 156.641 ms 156.623 ms
17 216.148.209.66 159.982 ms 157.462 ms 158.537 ms
18 216.148.218.197 157.395 ms 156.789 ms 156.080 ms

Options for traceroute:

-f ttl change the initial time to live value to ttl instead of 1
-n do not resolve IP numbers
-v verbose
-w sec set the timeout on returned packets to sec


6. Exercises

1. In the Routing Scenario section of this chapter give the routing table for the LAN’s gateway.

2. Start your network interface manually

ifconfig eth0 192.168.0.x

List the kernel modules. Make sure that the eth0 module is loaded (check /etc/modules.conf).

3. Stop the network interface with:

(i) ifconfig eth0 down

Verify that you can bring the interface back up without entering new information:

(ii) ifconfig eth0 up

4. Stop the interface and remove the kernel module (rmmod module). What happens if you repeat step 3(ii)?

5. Divide the class into two networks A (192.168.1.0) and B (10.0.0.0).

• Try accessing machines across networks
• Choose an existing machine to be the gateway (on either network)
• On the gateway machine only! do the following:

-- allow IP forwarding:

echo 1 > /proc/sys/net/ipv4/ip_forward

-- bring up an aliased interface (this will work as a second interface). If you are on the 192.168.1.0 network then do the following

ifup eth0:1 10.0.0.x (where x is an available IP). Add a route to the new network forcing it to use the eth0:1 device.

-- add a route to the other network using the gateway machine (you will need to know either the eth0

or eth0:1 setting of this gw depending on which network you are on)


LinuxIT Technical Education Centre TCP/IP Networks ______________________________________________________________________

TCP/IP Networks

1. Binary Numbers and the Dotted Quad

Binary numbers

10 = 2^1
100 = 2^2
101 = 2^2 + 1
111 = 100 + 010 + 001

This means that a binary number can easily be converted into a decimal as follows:

10000000 = 2^7 = 128
01000000 = 2^6 = 64
00100000 = 2^5 = 32
00010000 = 2^4 = 16
00001000 = 2^3 = 8
00000100 = 2^2 = 4
00000010 = 2^1 = 2
00000001 = 2^0 = 1

The Dotted Quad:

The familiar IP address assigned to an interface is called a dotted quad. In the case of an IPv4 address this is 4 bytes (4 times 8 bits) separated by dots.

Decimal 192.168.1.1

Binary 11000000.10101000.00000001.00000001

2. Broadcast Address, Network Address and Netmask

An IP number contains information about both the host address (or interface) and network address.

The Netmask

A netmask is used to define which part of the IP address is used for the network, it is also called a subnet mask.

A 16-bit and a 17-bit netmask:

16-bit: 255.255.0.0 = 11111111.11111111.00000000.00000000
17-bit: 255.255.128.0 = 11111111.11111111.10000000.00000000

The broadcast is usually given in decimal.


Example: with a 16-bit netmask the following IPs are on the same network (the first two bytes, to the left of the bar, form the network part):

10000000.00100000 | 00000000.00000011
10000000.00100000 | 00000001.00000001

This means that any bits that are changed to the left of the bar (8+8=16 bits) will change the network address and the interfaces will need a gateway to connect to each other.

In the same way, any bits that are changed to the right of the bar will change the interface address without changing networks.

For example with a 24-bit netmask the above two IPs would be on different networks:

10000000.00100000.00000000 | 00000011
10000000.00100000.00000001 | 00000001

The Network Address

Every network has a number which is needed when setting up routing. The network number is a portion of the dotted quad: the host address portion is replaced by zeros.

Typical network address: 192.168.1.0

The Broadcast Address

A machine’s broadcast address is a range of hosts/interfaces that can be accessed on the same network. For example a host with the broadcast address 10.1.255.255 will access any machine with an IP address of the form 10.1.x.x. Typical broadcast: 192.168.1.255

The dotted quad revisited

Simple logical operations can be applied to the broadcast, netmask and network numbers.

To retrieve the network address from an IP number simply AND the IP with the netmask.

Network Address = IP AND Netmask

Similarly the broadcast address is found with the network address OR 'not MASK'.

Broadcast Address = Network OR not[Netmask]

Here AND and OR are logical operations on the binary form of these addresses.

Example:

Take the IP 192.168.3.5 with a netmask 255.255.255.0. We can do the following operations:

Network address = IP AND MASK

    11000000.10101000.00000011.00000101   (192.168.3.5)
AND 11111111.11111111.11111111.00000000   (255.255.255.0)
    -----------------------------------
    11000000.10101000.00000011.00000000   (192.168.3.0)

Broadcast Address = IP OR NOT-MASK

    11000000.10101000.00000011.00000101   (192.168.3.5)
OR  00000000.00000000.00000000.11111111   (0.0.0.255)
    -----------------------------------
    11000000.10101000.00000011.11111111   (192.168.3.255)

It is clear from the above example that an IP number together with a netmask is enough to retrieve all the information relative to the network and the host.


3. Network Classes

● Reserved IP addresses

For private networks a certain number of IP addresses are allocated which are never used on the Internet. These reserved IP’s are typically used for LAN’s. The following table displays the various private/reserved classes.

Table 1: Reserved addresses

Class     Range                        Number of networks
Class A   10.x.x.x                     1
Class B   172.16.x.x -- 172.31.x.x     16
Class C   192.168.0.x                  255

● IP classes

Class A: 8-bit network address and 24-bit host address. The first byte of the IP number is reserved for the network address. So the default subnet mask would be 255.0.0.0. The 3 remaining bytes are available to set host interfaces. Since 255.255.255 and 0.0.0 are invalid host numbers there are 2^24 - 2 = 16 777 214 possible hosts. IP numbers have the first byte ranging from 1 to 127. This corresponds to a binary range of 00000001 to 01111111. The first two bits of a class A address can be set to "00" or "01".

Class B: 16-bit network address and 16-bit host address. The first two bytes of the IP number are reserved for the network address. The default subnet mask is 255.255.0.0. There are 2^16 - 2 = 65 534 possible hosts. The first byte ranges from 128 to 191. Notice that the binary range of the first byte is 10000000 to 10111111. That is, the first two bits of a class B address are always set to "10".

Class C: 24-bit network address and 8-bit host address. The first three bytes are reserved for the network address. The default subnet mask is 255.255.255.0. There are 2^8 - 2 = 254 possible hosts. The first byte ranges from 192 to 223. This corresponds to a binary range from 11000000 to 11011111. From this we conclude that the first two bits of a class C address are always set to "11".

4. Subnets

Subnetting occurs when bits reserved for hosts are used for the network. This is determined by the netmask and results in networks being split.

For example a regular class A netmask 255.0.0.0 can be altered to allow the first bit of the second byte to be part of the network. This results in a 9-bit network address and a 23-bit host address.

The binary netmask looks like

11111111.10000000.00000000.00000000 or 255.128.0.0

Another way to indicate that a 9-bit network address is in use is to give the IP number 10.1.8.1 as 10.1.8.1/9

We will take the example of a class C address 192.168.1.0. We investigate a 25-bit then a 26-bit network.

25-bit network

Netmask: 11111111.11111111.11111111.10000000 or 255.255.255.128

Since Network = IP AND Netmask, we see from the netmask that two network addresses can be formed depending on the hosts range:

1. Host addresses in the 192.168.1.0xxxxxxx range result in a 192.168.1.0 network. We say the network number is 0.
2. Host addresses in the 192.168.1.1xxxxxxx range result in a 192.168.1.128 network. We say the network number is 128.

Table 2: In both cases substituting the x's with zeros or ones has a special meaning

Network address        0                128
Substitute with 0's    Network: 0       Network: 128
Substitute with 1's    Broadcast: 127   Broadcast: 255

We are left with the task of counting the number of hosts on each network. Since the host address is 7 bits long and we exclude 2 values (all 1's and all 0's) we have 2^7 - 2 = 126 hosts on each network or a total of 252 hosts.

Notice that if the default subnet mask 255.255.255.0 is used we have 254 available host addresses. In the above example 192.168.1.127 and 192.168.1.128 have a special meaning and that is why only 252 host addresses can be used.

26-bit network

Netmask: 11111111.11111111.11111111.11000000 or 255.255.255.192

Here again depending on the host’s address 4 different network addresses can be determined with the AND rule.

1. Host addresses in the 192.168.1.00xxxxxx range result in a 192.168.1.0 network.
2. Host addresses in the 192.168.1.01xxxxxx range result in a 192.168.1.64 network.
3. Host addresses in the 192.168.1.10xxxxxx range result in a 192.168.1.128 network.
4. Host addresses in the 192.168.1.11xxxxxx range result in a 192.168.1.192 network.

Substituting the x's with 1's in the numbers above gives us the corresponding broadcast addresses: 192.168.1.63, 192.168.1.127, 192.168.1.191, 192.168.1.255. Each subnet has 2^6 - 2 = 62 possible hosts or a total of 248.
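As an added example (not part of the LinuxIT course text), a small Python implementation of the rules above: the AND/OR derivation of network and broadcast addresses, the class ranges of section 3, and the host counts of the 25-bit and 26-bit subnets. It also rejects a non-contiguous netmask, which the AND rule alone would silently accept. The sample addresses are the ones the text uses.

```python
"""Dotted-quad and netmask arithmetic (added example, not course code).

Implements the rules from this chapter on 32-bit integers:
    Network   = IP AND Netmask
    Broadcast = Network OR NOT Netmask
plus the class ranges of section 3 and the host count 2^(host bits) - 2.
"""


def quad_to_int(quad):
    """'192.168.3.5' -> 0xC0A80305; rejects anything that is not 4 octets."""
    parts = quad.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {quad!r}")
    value = 0
    for part in parts:
        if not part.isdigit() or int(part) > 255:
            raise ValueError(f"bad octet {part!r} in {quad!r}")
        value = (value << 8) | int(part)
    return value


def int_to_quad(value):
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def int_to_binary(value):
    """Binary form as written in the text, e.g. 11000000.10101000.00000011.00000101"""
    return ".".join(f"{(value >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))


def prefix_length(mask):
    """Number of leading 1 bits in a netmask (the /N notation).

    A mask with a 0 followed by a 1, such as 255.0.255.0, is rejected: the AND
    rule would still produce a 'network' from it, but no real netmask looks
    like that."""
    m = quad_to_int(mask)
    ones = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous netmask {mask}")
    return ones


def mask_from_prefix(bits):
    """/25 -> 255.255.255.128"""
    if not 0 <= bits <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return int_to_quad((0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF)


def ip_class(ip):
    """Class A/B/C from the first byte, using the ranges of section 3."""
    first = quad_to_int(ip) >> 24
    if 1 <= first <= 127:
        return "A"
    if 128 <= first <= 191:
        return "B"
    if 192 <= first <= 223:
        return "C"
    return "other"


def describe(ip, mask):
    """Network, broadcast and usable host count for an IP/netmask pair."""
    bits = prefix_length(mask)
    addr, m = quad_to_int(ip), quad_to_int(mask)
    network = addr & m                       # IP AND Netmask
    broadcast = network | (~m & 0xFFFFFFFF)  # Network OR NOT Netmask
    # The all-0s and all-1s host parts are the network and broadcast
    # addresses, so they are excluded from the usable hosts.
    hosts = max(2 ** (32 - bits) - 2, 0)
    return {
        "cidr": f"{int_to_quad(network)}/{bits}",
        "network": int_to_quad(network),
        "broadcast": int_to_quad(broadcast),
        "hosts": hosts,
        "class": ip_class(ip),
    }


def same_network(ip_a, ip_b, mask):
    """True when both addresses AND to the same network number."""
    m = quad_to_int(mask)
    return (quad_to_int(ip_a) & m) == (quad_to_int(ip_b) & m)


if __name__ == "__main__":
    for ip, mask in (("192.168.3.5", "255.255.255.0"),
                     ("192.168.1.130", "255.255.255.128"),
                     ("192.168.1.70", "255.255.255.192"),
                     ("10.1.8.1", "255.128.0.0")):
        info = describe(ip, mask)
        print(f"{ip}/{mask}: {int_to_binary(quad_to_int(ip))} -> {info}")
```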

5. The TCP/IP Suite

TCP/IP is a suite of protocols used on the Internet. The name is meant to describe that several protocols are needed in order to carry data and programs across a network. The main two protocols are TCP (Transmission Control Protocol) and IP (Internet Protocol).

To simplify, IP handles packets or datagrams only (destination address, size...) whereas TCP handles the connection between two hosts. The idea is that protocols relay each other, each one doing its specialised task. In this context one speaks of the TCP/IP stack.

The protocols intervene therefore at various layers of the networking process.

Table1:The 4 layer TCP/IP model:

Application Transport Internet

application level (FTP, SMTP, SNMP) handles hosts (TCP, UDP) routing (IP, ICMP, IGMP, ARP)

_____________________________________________________________________

42

Network Access

network cards, e.g Ethernet, token ring …


● Protocol Overview

IP    The Internet Protocol (IP) is the transport for TCP, UDP and ICMP data. IP provides an unreliable, connectionless service, leaving all integrity checking to one of the upper layer protocols, i.e. TCP, or to the application itself. There is no guarantee that a datagram will reach the host using IP alone. IP handles the addressing and the routing between networks: it is the datagram delivery service.

TCP   The Transmission Control Protocol (TCP) provides a reliable, connection-oriented service to the applications that use it. TCP checks on each host the order in which the segments are sent/received and also verifies that all of them are transmitted. Applications such as telnet or ftp use TCP and do not need to handle issues such as data loss themselves.

UDP   The User Datagram Protocol provides direct access to IP for application programs but, unlike TCP, is connectionless and unreliable. This means less overhead for applications that concentrate on speed. If some form of packet accounting is needed it has to be provided by the application.

ICMP  The Internet Control Message Protocol is used by routers and hosts to report on the status of the network. It uses IP datagrams and is itself connectionless.

PPP   The Point to Point Protocol establishes a TCP/IP connection over serial links such as phone lines. It can also be carried inside encrypted tunnels such as PPTP.


6. TCP/IP Services and Ports

The list of known services and their associated ports is generally found in /etc/services. The official list of services and associated ports is managed by the IANA (Internet Assigned Numbers Authority).

Since the port field is 16 bits wide, port numbers range from 0 to 65535 (port 0 is reserved). Numbers from 1 to 1023 are the privileged ports: only root can bind a listener to them, so they are used by services run by root. Most well-known applications listen on one of these ports.

We will look at the output of portscans. Beware that portscanning hosts you are not authorised to test may be illegal in many jurisdictions and will breach most acceptable-use policies, even though the tools are widely available.

Here is the output of a portscan:

Port      State   Service
21/tcp    open    ftp
22/tcp    open    ssh
23/tcp    open    telnet
25/tcp    open    smtp
70/tcp    open    gopher
79/tcp    open    finger
80/tcp    open    http

This shows open ports, i.e. ports on which an application is listening.

The /etc/services main ports:

ftp-data        20/tcp
ftp             21/tcp
telnet          23/tcp
smtp            25/tcp          mail
domain          53/tcp
domain          53/udp
http            80/tcp          # www is used by some broken
www             80/tcp          # progs, http is more correct
pop-2           109/tcp         # PostOffice V.2
pop-3           110/tcp         # PostOffice V.3
sunrpc          111/tcp
sftp            115/tcp
uucp-path       117/tcp
nntp            119/tcp         usenet  # Network News Transfer
ntp             123/tcp         # Network Time Protocol
netbios-ns      137/tcp         nbns
netbios-ns      137/udp         nbns
netbios-dgm     138/tcp         nbdgm
netbios-dgm     138/udp         nbdgm
netbios-ssn     139/tcp         nbssn
imap            143/tcp         # imap network mail protocol
NeWS            144/tcp         news    # Window System
snmp            161/udp
snmp-trap       162/udp

7. Exercises

Registering a service with xinetd

1. Write a bash script that echoes "Welcome" to stdout. Save it as /usr/sbin/hi:

#!/bin/bash
echo Welcome

Change the permissions on the script to make it executable.

2. In /etc/xinetd.d create a new file called fudge with the following:

service fudge
{
    socket_type = stream
    server      = /usr/sbin/hi
    user        = root
    wait        = no
    disable     = no
}

3. Add a service called fudge to /etc/services that will use port 60000.

4. Restart xinetd and telnet to port 60000.

5. You have been assigned a range of IPs on the 83.10.11.0/27 network. How many networks have the same first 3 bytes as yours? How many hosts are on your network? What is the broadcast address for this first network?

Note that, as written, the fudge service runs as root and accepts connections from anywhere. Once the exercise works, run it as an unprivileged user (user = nobody) and restrict it with only_from = 127.0.0.1; never leave an exercise service like this one enabled on a production machine.


LinuxIT Technical Education Centre Network Services _____________________________________________________________________

Network Services

Network services can either continuously run as standalone applications which listen for connections and handle clients directly or they can be called by the network daemon inetd (old) or xinetd.

1. The inetd daemon (old)

This daemon is started at boot time and listens for connections on specific ports. This allows the server to run a specific network daemon only when needed.

For example, the telnet service has a daemon /usr/sbin/in.telnetd which handles telnet sessions. Instead of running this daemon all the time inetd is instructed to listen on port 23. These instructions are set in /etc/inetd.conf.

Fig1: The inetd daemon


The fields of /etc/inetd.conf contain the following:

service-name    valid name from /etc/services
socket type     stream for TCP and dgram for UDP
protocol        valid protocol from /etc/protocols
flag            nowait (inetd forks a new server for every connection, the usual choice for stream services) or wait (a single server handles the socket until it exits, the usual choice for dgram services)
user/group      run the application as this user (and optionally group, written user.group)
program         usually tcpd, the tcp_wrappers daemon, which checks /etc/hosts.allow and /etc/hosts.deny before executing the real server
argument        the name of the program to be run for this service, followed by its arguments (the first word becomes argv[0])

Example:

pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d

Notice: The /etc/services file is used to make the correspondence between service names and socket port numbers. The fields in services are as follows:

service-name    port/protocol   [aliases]

2. The xinetd Daemon

This is the most recent version of inetd. The tcpd daemon is no longer needed: xinetd does its own access control (for example with the only_from and no_access attributes) and can additionally be built to consult the tcp_wrappers files. Configuration is done either through a single file /etc/xinetd.conf or by editing individual files in /etc/xinetd.d/ corresponding to the services being monitored by xinetd. The xconv.pl script distributed with xinetd can migrate an old inetd configuration file to the xinetd format.

Structure of a service file in xinetd.d:

service service-name
{
    disable     = yes/no
    socket_type = stream for TCP and dgram for UDP
    protocol    = valid protocol from /etc/protocols
    wait        = no for stream (TCP) services, yes for dgram (UDP) services
    user        = the user the application runs as
    group       = the group the application runs as
    server      = the name of the program to be run for this service
}
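The two formats described above carry the same information, so the translation from an inetd.conf line to an xinetd stanza can be mechanised. The script below is an added example, not part of the LinuxIT notes and not the xconv.pl script shipped with xinetd; it parses the seven inetd.conf fields, maps nowait/wait to xinetd's wait attribute, splits a user.group field, drops argv[0] from the argument list (xinetd's server_args must not repeat it) and, for services that inetd ran through tcpd, names the real daemon instead, assuming tcpd's daemon directory is /usr/sbin. Because the hosts.allow/hosts.deny rules do not carry over, every generated stanza starts with only_from = 127.0.0.1 and has to be widened on purpose. The sample inetd.conf lines are constructed for the demonstration.

```bash
#!/bin/bash
# Added example (not from the LinuxIT notes): translate /etc/inetd.conf lines
# into xinetd service stanzas, using the field meanings given above.  The sample
# inetd.conf lines below are constructed for the demonstration.

# inetd2xinetd: reads inetd.conf lines on stdin, writes xinetd stanzas on stdout
inetd2xinetd() {
    local svc stype proto flag usergrp prog args
    local wait user group server server_args argv0
    while read -r svc stype proto flag usergrp prog args; do
        case $svc in ''|\#*) continue ;; esac      # blank lines and comments
        wait=yes
        [ "$flag" = nowait ] && wait=no            # nowait: one server per connection
        user="${usergrp%%[.:]*}"                   # inetd writes user.group or user:group
        group="${usergrp#*[.:]}"
        [ "$group" = "$usergrp" ] && group=
        # In inetd.conf the argument field starts with argv[0]; xinetd's
        # server_args must not repeat it.
        set -- $args
        argv0="$1"
        [ $# -gt 0 ] && shift
        server_args="$*"
        case $prog in
            */tcpd|tcpd)
                # The service was wrapped by tcpd: argv[0] names the real daemon,
                # which tcpd looks up in its daemon directory when it is not an
                # absolute path (/usr/sbin assumed here).
                case $argv0 in /*) server="$argv0" ;; *) server="/usr/sbin/$argv0" ;; esac
                ;;
            *)  server="$prog" ;;
        esac
        printf 'service %s\n{\n' "$svc"
        printf '    socket_type = %s\n' "$stype"
        printf '    protocol    = %s\n' "$proto"
        printf '    wait        = %s\n' "$wait"
        printf '    user        = %s\n' "$user"
        [ -n "$group" ] && printf '    group       = %s\n' "$group"
        printf '    server      = %s\n' "$server"
        [ -n "$server_args" ] && printf '    server_args = %s\n' "$server_args"
        # tcpd rules in hosts.allow/hosts.deny are NOT carried over: start from
        # localhost only and widen deliberately.
        printf '    only_from   = 127.0.0.1\n'
        printf '    disable     = no\n}\n\n'
    done
}

# Constructed sample lines in /etc/inetd.conf format
SAMPLE_INETD='# service  socket  proto  flag    user            program               arguments
pop-3      stream  tcp    nowait  root            /usr/sbin/tcpd        ipop3d
finger     stream  tcp    nowait  nobody.nogroup  /usr/sbin/in.fingerd  in.fingerd -u
tftp       dgram   udp    wait    nobody          /usr/sbin/in.tftpd    in.tftpd /tftpboot'

convert_sample() {
    printf '%s\n' "$SAMPLE_INETD" | inetd2xinetd
}

convert_sample
```

To convert a real file, run inetd2xinetd < /etc/inetd.conf and split the output into /etc/xinetd.d/ files; review each only_from line before enabling the service.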

3. TCP wrappers

If programs have been compiled with libwrap (or are started through tcpd) then they can be listed in /etc/hosts.allow and /etc/hosts.deny. The libwrap library checks these files for a matching daemon and client. The order matters: /etc/hosts.allow is consulted first and a match grants access; then /etc/hosts.deny is consulted and a match refuses access; if neither file matches, access is granted. A default-deny policy is therefore obtained with ALL: ALL in /etc/hosts.deny and an explicit list in /etc/hosts.allow.

Default format for /etc/hosts.{allow,deny}:

DAEMON : hosts [EXCEPT hosts] [: spawn command]

One can also use these files to log unauthorised connection attempts. This can serve as an early warning system. Here are a few examples.

Getting information about a host:

/etc/hosts.allow

• in.telnetd: LOCAL, .my.domain

/etc/hosts.deny

• in.telnetd: ALL : spawn (/usr/sbin/safe_finger -l @%h | mail root) &

Redirect to a bogus service or "honey pot":

/etc/hosts.allow

• in.telnetd: ALL : twist /dtk/Telnetd.pl

The last example comes from the dtk (Deception Tool Kit) that can be downloaded from http://all.net/dtk/download.html
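Because hosts.allow is consulted before hosts.deny and an unmatched pair is granted, it is easy to write a rule set that does not do what was intended. The script below is an added example, not part of the LinuxIT notes and not the real libwrap code: it models the hosts_access(5) decision for the common client patterns (ALL, LOCAL, a leading-dot domain, a trailing-dot network prefix, exact names and EXCEPT) so that a pair of rule files can be checked before deployment. Options after the second colon (spawn, twist) are ignored, and the rule texts are constructed to mirror the examples above.

```bash
#!/bin/bash
# Added example (not from the LinuxIT notes): a model of the tcp_wrappers
# decision for the common patterns (ALL, LOCAL, .domain, net.prefix., exact
# names and EXCEPT) so that hosts.allow/hosts.deny rules can be checked
# before they are deployed.  Options such as spawn/twist are ignored here;
# the rule texts below are constructed for the demonstration.

# match_token PATTERN NAME: one wildcard or name against a client/daemon name
match_token() {
    local pat="$1" name="$2"
    case $pat in
        ALL)   return 0 ;;
        LOCAL) case $name in *.*) return 1 ;; *) return 0 ;; esac ;;   # no dot in the name
        .*)    case $name in *"$pat") return 0 ;; esac ;;              # .my.domain matches host.my.domain
        *.)    case $name in "$pat"*) return 0 ;; esac ;;              # 192.168. matches 192.168.1.5
        *)     [ "$pat" = "$name" ] && return 0 ;;
    esac
    return 1
}

# match_list "LIST [EXCEPT LIST]" NAME: lists are comma- or space-separated
match_list() {
    local list="$1" name="$2" inc exc t x
    case " $list " in
        *" EXCEPT "*) inc="${list%% EXCEPT *}"; exc="${list#* EXCEPT }" ;;
        *)            inc="$list"; exc= ;;
    esac
    for t in $(printf '%s' "$inc" | tr ',' ' '); do
        if match_token "$t" "$name"; then
            for x in $(printf '%s' "$exc" | tr ',' ' '); do
                match_token "$x" "$name" && return 1        # matched, but excepted
            done
            return 0
        fi
    done
    return 1
}

# rules_match RULES DAEMON CLIENT: does any "daemons : clients [: option]" line match?
rules_match() {
    local rules="$1" daemon="$2" client="$3" dlist clist rest
    while IFS=: read -r dlist clist rest; do
        set -- $dlist; dlist="$*"                 # trim and normalise whitespace
        set -- $clist; clist="$*"
        case $dlist in ''|\#*) continue ;; esac
        match_list "$dlist" "$daemon" && match_list "$clist" "$client" && return 0
    done <<EOF
$rules
EOF
    return 1
}

# hosts_access DAEMON CLIENT ALLOW_RULES DENY_RULES
# 0 = connection accepted, 1 = refused, following hosts_access(5):
# hosts.allow first (match grants), then hosts.deny (match refuses), else grant.
hosts_access() {
    local daemon="$1" client="$2" allow="$3" deny="$4"
    if rules_match "$allow" "$daemon" "$client"; then return 0; fi
    if rules_match "$deny" "$daemon" "$client"; then return 1; fi
    return 0
}

# Constructed rule sets, modelled on the examples in the text
ALLOW_RULES='# /etc/hosts.allow
in.telnetd: LOCAL, .my.domain
sshd: ALL EXCEPT 10.0.0.'
DENY_RULES='# /etc/hosts.deny
ALL: ALL'

for pair in in.telnetd:host1.my.domain in.telnetd:evil.example.com sshd:10.0.0.7 sshd:10.1.1.1 in.ftpd:localbox; do
    if hosts_access "${pair%%:*}" "${pair#*:}" "$ALLOW_RULES" "$DENY_RULES"; then
        echo "$pair: accepted"
    else
        echo "$pair: refused"
    fi
done
```

The last case in the demonstration is the one to remember: in.ftpd has no line in hosts.allow, so only the ALL: ALL in hosts.deny stands between it and any client. Remove that line and the same model (and the real library) grants the connection.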

4. Setting up NFS

• Client settings

For a Linux client to mount remote file systems:

1. the nfs file system must be supported by the kernel
2. the portmapper daemon must be running.

The portmapper is started by the /etc/rc.d/init.d/portmap script. The mount utility will mount the filesystem. A typical entry in /etc/fstab would be:

nfs-server:/shared/dir    /mnt/nfs    nfs    defaults    0 0

Server settings

An NFS server needs portmap to be running before the nfs server is started. The nfs server should be started or stopped with the /etc/rc.d/init.d/nfs script. The main configuration file is /etc/exports.

Sample /etc/exports file:

/usr/local/docs    *.local.org(rw,no_root_squash) *(ro)

The /usr/local/docs directory is exported to all hosts as read-only, and read-write to all hosts in the .local.org domain. The options must be written without spaces: a space after the comma would make exportfs read no_root_squash) as a separate, malformed client entry. The default root_squash option, which maps the root user (uid 0) of the client to an unprivileged user on the server, can be turned off with no_root_squash. Doing so means that root on any client matching *.local.org is root on the exported directory, so it should be reserved for trusted administrative hosts. Note that /etc/exports matches hosts with wildcards such as *.local.org, whereas /etc/hosts.allow and /etc/hosts.deny match them with a leading dot, such as .local.org.

If /etc/exports has been changed then the exportfs utility should be run. If the options of directories already listed in /etc/exports are modified then it may be necessary to unmount all nfs shares on the clients before remounting them. Individual directories can be exported or unexported with exportfs.

Unexporting and then re-exporting all directories in /etc/exports:

exportfs -ua ; exportfs -a

(exportfs -ra re-exports everything in one step, without the intermediate unexport.)
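The mistakes discussed above (a world read-write export, no_root_squash, and a space inside the option list) are easy to spot mechanically. The script below is an added example, not part of the LinuxIT notes or of nfs-utils: it reads lines in /etc/exports format, splits each client specification into host and options the way exportfs does, and prints one WARN line per finding. The sample exports file is constructed for the demonstration and includes the text's own example both written correctly and with the stray space.

```bash
#!/bin/bash
# Added example (not from the LinuxIT notes): scan /etc/exports lines for the
# two mistakes discussed above, world read-write exports and no_root_squash,
# plus the syntax slip of putting a space inside the option list.  Sample
# exports lines are constructed for the demonstration.

# audit_exports: reads /etc/exports lines on stdin, prints one WARN line per finding
audit_exports() {
    local dir specs spec host opts
    set -f                                     # "*" must not be expanded as a glob
    while read -r dir specs; do
        case $dir in ''|\#*) continue ;; esac
        if [ -z "$specs" ]; then
            echo "WARN $dir: no client list, so every host may mount it (read-only)"
            continue
        fi
        for spec in $specs; do
            case $spec in
                *\(*\))  host="${spec%%\(*}"; opts="${spec#*\(}"; opts="${opts%\)}" ;;
                *\)*|*\(*)
                    # "host(rw, no_root_squash)" splits into two tokens: the
                    # option list must not contain spaces
                    echo "WARN $dir: malformed client spec '$spec' (space inside the option list?)"
                    continue ;;
                *)       host="$spec"; opts= ;;
            esac
            [ -z "$host" ] && host='*'         # "(rw)" alone means everyone
            case ",$opts," in
                *,no_root_squash,*)
                    echo "WARN $dir: no_root_squash for $host (root on that client is root here)" ;;
            esac
            case $host in
                '*') case ",$opts," in
                         *,rw,*) echo "WARN $dir: read-write for every host" ;;
                     esac ;;
            esac
        done
    done
    set +f
}

# Constructed sample /etc/exports: the first line is the one from the text,
# written correctly; the last one repeats it with the stray space
SAMPLE_EXPORTS='/usr/local/docs  *.local.org(rw,no_root_squash) *(ro)
/srv/pub         *(rw)
/home            192.168.1.0/24(rw,root_squash)
/usr/local/docs  *.local.org(rw, no_root_squash)'

audit_sample() {
    printf '%s\n' "$SAMPLE_EXPORTS" | audit_exports
}

audit_sample
```

On a live server run audit_exports < /etc/exports; an empty result means none of these three patterns is present, not that the export list is safe.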


5. SMB and NMB

Linux machines can access and provide Windows shared resources (directories and printers). The protocol used for this is the MS Windows Server Message Block protocol, SMB. Samba is the most common Linux tool providing both client and server software.

From the Command Line

The smbclient utility is used to list and access shared resources. Remote directories are typically mounted with smbmount, although 'mount -t smbfs' can also be used.

Examples:

Send a pop-up message to the win98desk computer:

smbclient -M win98desk

Mount the shared directory of the winserver computer:

smbmount //winserver/shared /mnt/winserver/shared


Figure1: Nautilus Browsing SMB shares:

The Samba server is configured with the /etc/smb.conf file (/etc/samba/smb.conf on newer distributions). The server is stopped and started with the /etc/rc.d/init.d/smb script. Notice that smb also starts the NMB service (nmbd), which provides NetBIOS name resolution and browsing in the Windows realm.

/etc/smb.conf:

Main entries in [global]

[global]
    workgroup = LINUXIT
    os level = 2
    kernel oplocks = No
    security = user
    encrypt passwords = Yes
    guest account = nobody
    map to guest = Bad User

[homes]
    comment = Home Directories
    read only = No
    create mask = 0640
    directory mask = 0750
    browseable = No

[printers]
    comment = All Printers
    path = /var/tmp
    create mask = 0600
    printable = Yes
    browseable = No

SWAT and Webmin GUI Configuration

If you install the swat package then you can administer the Samba server via a web-based GUI on port 901. SWAT authenticates with the root password over plain HTTP, so it should only be reached from localhost or through an encrypted tunnel (for example ssh port forwarding), never across an untrusted network.

Another popular general administration tool is webmin. It can be downloaded from www.webmin.com

NOTICE

The configuration file /etc/samba/smb.conf is a good source of documentation. All options are explained and can be switched on by deleting the comment character ';'. Also read the smb.conf(5) manpage.

6. DNS services

The Resolvers

When a program needs to resolve a host name it uses a mechanism called a resolver. The resolver will first consult the /etc/nsswitch.conf file (previously /etc/host.conf) to determine which method should be used to resolve host names (local files, name server, NIS, or LDAP server).

The /etc/host.conf (or /etc/nsswitch.conf) file

These files are scanned by the resolver. They indicate whether local files, DNS servers, LDAP databases or NIS servers should be consulted, and in which order.

Example (/etc/nsswitch.conf):

hosts:      files dns nis
networks:   files

The first line indicates that files (here /etc/hosts) should be queried first, then a DNS server if this fails, then NIS. The second line instructs the resolver to use the /etc/networks file for network information.

The /etc/hosts file

With a small number of networked computers it is possible to convert decimal IP numbers into names using the /etc/hosts file. The fields are as follows:

IP    machine    machine.domain    alias

(The resolver treats the first name after the address as the canonical name, so list the fully qualified name first if programs need to see it as canonical.)

Example /etc/hosts file:

192.168.1.233    io          io.my.domain
61.20.187.42     callisto    callisto.physics.edu


The /etc/resolv.conf file

If the resolver needs to use a domain name server (DNS) then it will consult the /etc/resolv.conf file for the list of servers to query.

Hierarchical structure

Name servers have a hierarchical structure. Depending on its position in the fully qualified domain name (FQDN) a domain is called top-level, second-level or third-level.

Example top-level domains:

com    Commercial organisations
edu    US educational institutions
gov    US government institutions
mil    US military institutions
net    Gateways and network providers
org    Non-commercial sites
uk     UK sites

Types of DNS servers

Domains can be further divided into subdomains. This limits the amount of information needed to administer a domain. Zones have a master domain name server (previously called a primary DNS) and one or several slave domain name servers (previously called secondary). Administration of a name server consists of updating the information about a particular zone. Both master and slave servers give authoritative answers for the zone; the master is where the zone data is edited and from which the slaves transfer it.

DNS Configuration Files

In old versions of BIND (prior to BIND version 8) the configuration file was /etc/named.boot. With BIND version 8 the /etc/named.conf file is used instead. One can use the named-bootconf.pl utility to convert old configuration files.

The /etc/named.boot file:

directory   /var/named
cache       .                         named.ca
primary     myco.org                  named.myco
primary     0.0.127.in-addr.arpa      named.local
primary     1.168.192.in-addr.arpa    named.rev

The first line defines the base directory to be used. The named.ca file contains the list of root name servers (the "hints") used to resolve external addresses. The third line is optional and contains the records for the local LAN. The two next entries are for reverse lookups.

In /etc/named.conf:

cache        is replaced by    hint
secondary    is replaced by    slave
primary      is replaced by    master

Applying these changes to BIND4 configuration files will generate BIND8 and BIND9 files such as the following.

The /etc/named.conf file:

options {
    directory "/var/named";
};

zone "." {
    type hint;
    file "named.ca";
};

zone "myco.org" {
    type master;
    file "named.myco";
};

zone "1.168.192.in-addr.arpa" {
    type master;
    file "named.rev";
};

zone "0.0.127.in-addr.arpa" {
    type master;
    file "named.local";
};


DNS zone files

With only the hint zone and the 0.0.127.in-addr.arpa zone this server would be a caching-only server; the myco.org and 1.168.192.in-addr.arpa entries make it authoritative for those zones as well. All the zone files contain resource records. Sample named.local zone file:

@       IN  SOA     localhost. root.localhost. (
                    2001022700  ; Serial
                    28800       ; Refresh
                    14400       ; Retry
                    3600000     ; Expire
                    86400 )     ; Minimum
        IN  NS      localhost.
1       IN  PTR     localhost.

This is a very simple zone file but it gives us enough information to understand the basic mechanism of a name server.


The @ sign resolves to the zone name declared in /etc/named.conf. This allows any zone file to be used as a template for further zones (see the exercises).

Table1: Common Record Types

NS       Specify the zone's name servers
PTR      Reverse mapping of IP numbers to hostnames
MX       Mail exchange record
A        Associate an IP address with a hostname
CNAME    Associate an alias with the host's main (canonical) name

Table2: Zone parameters

@ IN SOA    Start Of Authority. Identifies the zone, followed by options enclosed in brackets.
serial      Is manually incremented when data is changed. Secondary servers query the master server's serial number. If it has changed, the entire zone file is downloaded; a change that is not accompanied by a serial increment is never propagated to the slaves.
refresh     Time in seconds before the secondary server should query the SOA record of the primary domain. This should be at least a day.
retry       Time interval in seconds before attempting a new zone transfer if the previous download failed.
expire      Time after which the secondary server discards all zone data if it cannot contact the primary server. Should be a week at least.
minimum     Originally the default TTL for the zone's cached records. Since RFC 2308 (BIND 8.2 and later) it is the TTL for negative answers, and the default record TTL is set with the $TTL directive instead. The default is one day (86400 seconds) but can be longer on stable LANs.
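Two chores recur every time a zone like the ones above is edited: building the in-addr.arpa owner names for the PTR records, and raising the SOA serial so that the slaves actually transfer the change. The script below is an added example, not part of the LinuxIT notes or of BIND: it derives reverse names and the reverse zone name for a /24 from dotted addresses, computes the next serial in the YYYYMMDDnn convention used by the sample zone file (always strictly greater than the old one), and turns lines in the /etc/hosts layout shown earlier into A, PTR and CNAME records, taking the first name containing a dot as the canonical name. The /etc/hosts-style input is constructed for the demonstration.

```bash
#!/bin/bash
# Added example (not from the LinuxIT notes): the two chores behind the zone
# files above, building reverse (in-addr.arpa) names and bumping the SOA serial
# so that slaves actually transfer the change.  The /etc/hosts-style input is
# constructed for the demonstration.

# reverse_name 192.168.1.233 -> 233.1.168.192.in-addr.arpa.  (PTR owner name)
reverse_name() {
    local IFS=.
    set -- $1
    echo "$4.$3.$2.$1.in-addr.arpa."
}

# reverse_zone 192.168.1 -> 1.168.192.in-addr.arpa  (zone name for a /24)
reverse_zone() {
    local IFS=.
    set -- $1
    echo "$3.$2.$1.in-addr.arpa"
}

# next_serial OLD YYYYMMDD -> a serial in YYYYMMDDnn form that is greater than OLD.
# Slaves only transfer the zone when the serial has grown, so an edit without a
# new serial is silently ignored by them.
next_serial() {
    local old="$1" candidate="${2}00"
    if [ "$candidate" -gt "$old" ]; then
        echo "$candidate"           # first change today
    else
        echo $(( old + 1 ))         # already changed today: nn+1
    fi
}

# hosts_to_records: reads "IP name name.domain [alias...]" lines (the /etc/hosts
# layout used in the text) and prints the A, PTR and CNAME records for them.
# The first name containing a dot is taken as the canonical name.
hosts_to_records() {
    local ip names fqdn n others
    while read -r ip names; do
        case $ip in ''|\#*) continue ;; esac
        fqdn=; others=
        for n in $names; do
            if [ -z "$fqdn" ]; then
                case $n in *.*) fqdn="$n"; continue ;; esac
            fi
            others="$others $n"
        done
        if [ -z "$fqdn" ]; then             # no dotted name: the first name is canonical
            set -- $others
            fqdn="$1"; [ $# -gt 0 ] && shift; others="$*"
        fi
        printf '%-30s IN A     %s\n' "$fqdn." "$ip"
        printf '%-30s IN PTR   %s\n' "$(reverse_name "$ip")" "$fqdn."
        for n in $others; do
            printf '%-30s IN CNAME %s\n' "$n." "$fqdn."
        done
    done
}

# Constructed sample in the /etc/hosts layout from the text
SAMPLE_HOSTS='192.168.1.233  io        io.my.domain
61.20.187.42   callisto  callisto.physics.edu  cal'

records_for_sample() {
    printf '%s\n' "$SAMPLE_HOSTS" | hosts_to_records
}

echo "reverse zone for 192.168.1.0/24: $(reverse_zone 192.168.1)"
echo "serial after 2001022700, edited again on 20010227: $(next_serial 2001022700 20010227)"
records_for_sample
```

The PTR lines belong in the reverse zone file (named.rev for 1.168.192.in-addr.arpa) and the A and CNAME lines in the forward zone file; both files need their SOA serial raised with next_serial before the slaves will notice.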


7. Sendmail main Configuration

Sendmail is the most popular mail transfer agent (MTA) on the Internet. It uses the Simple Mail Transfer Protocol (SMTP) and runs as a daemon listening for connections on port 25.

The sendmail script which stops or starts the sendmail daemon is usually located in the /etc/rc.d/init.d/ directory.

The main configuration file is /etc/mail/sendmail.cf (or /etc/sendmail.cf). Here you can specify the name of the server as well as the names of the hosts from which and to which mail relay is allowed. Keep the relay list to your own networks: a server that relays for anyone is an open relay and will be found and abused for spam within days.

The /etc/aliases file contains two fields as follows:

alias: user

When changes to /etc/aliases have been made the newaliases command must be run to rebuild the database /etc/aliases.db.

When mail is accepted by the server it is concatenated in a single file with the name of the user. These files are stored in /var/spool/mail/. Depending on the Mail User Agent used, a user can either store these messages in his home directory or download them on another machine.

If the server is relaying, or if the network is slow and many messages are being sent, mail is stored in the mail queue /var/spool/mqueue. You can query the queue with the mailq utility or sendmail –bp. An administrator can flush the server’s queue with sendmail –q.

Finally, in order for a domain name to be usable in email addresses, an MX record needs to be added to the DNS database.

For example if mail.company.com is a mail server, then in order for it to accept mail such as joe@company.com you should have the following configuration:

1. Add company.com to /etc/mail/local-host-names
2. In the DNS zone file for company.com add:

company.com.    IN    MX    10    mail.company.com.

8. The Apache server

Configuration Files

The /etc/httpd/conf/httpd.conf file contains all the configuration settings Older releases of apache had two extra files, one called access.conf where restricted directories were declared, and another file called srm.conf specifying the server’s root directory.


Configuration Highlights:

ServerType standalone/inetd
ServerRoot "/etc/httpd"
DocumentRoot "/var/www/html"

Access control for a directory (inside a Directory container):

    AllowOverride None
    Options ExecCGI
    Order allow,deny
    Allow from all

A virtual host (inside a VirtualHost container):

    DocumentRoot "/www/docs/server1"
    ServerName virtual.mydomain.org

Options ExecCGI combined with Allow from all means that every script under that directory can be executed by any client; enable it only on directories whose content you control. (Order, Allow and Deny are the Apache 1.3 and 2.2 syntax; Apache 2.4 replaced them with Require.)

Running Apache

To stop and start the server one can use the /etc/rc.d/init.d/httpd script. On a busy server it is preferable to use apachectl especially with the graceful option which will restart the server only when current connections have been dealt with.

The main log files are in /var/log/httpd/. It may be useful for security reasons to regularly check the error_log and access_log files.


9. Exercises

Setting up a DNS master server

As an exercise we will install the BIND9 rpm package bind9-9.1.3-252.i386.rpm and configure a domain called gogo.com.

1. Carry out the following alterations in /etc/named.conf. Copy/paste the following paragraphs and alter them as follows:

zone "localhost" in {                   becomes     zone "gogo.com" in {
    type master;                                        type master;
    file "localhost.zone";                              file "gogo.zone";
};                                                  };

zone "0.0.127.in-addr.arpa" in {        becomes     zone "2.168.192.in-addr.arpa" in {
    type master;                                        type master;
    file "127.0.0.zone";                                file "192.168.2.zone";
};                                                  };

2. In /var/named:

cp 127.0.0.zone 192.168.2.zone
cp localhost.zone gogo.zone

3. Change the appropriate fields in the new zone files (owner names, the A and PTR records, and the SOA serial). Add a host called harissa.

4. Add the line "nameserver 127.0.0.1" to /etc/resolv.conf.

5. Use host to resolve harissa.gogo.com

Apache administration

Basic configurations in /etc/httpd/conf/httpd.conf

1. Change the Port directive from 80 to 8080. (If you are using Apache 2, httpd2, change the Listen directive instead.)

2. Check that apache is responding with telnet localhost 8080. You should get:

Trying 127.0.0.1...
Connected to localhost.linuxit.org.
Escape character is '^]'.

Next type 'GET /' to download the index file.

3. Set StartServers to 15. Restart httpd and check that 15 processes are started (instead of the default 8).

IP based virtual server

Your ethernet card must be aliased to a new IP (say new-IP):

ifconfig eth0:0 new-IP

Add the following paragraph to /etc/httpd/conf/httpd.conf:

<VirtualHost new-IP>
    DocumentRoot /var/www/html/virtual
    ServerName www1
</VirtualHost>

Setting up a shared SMB directory

In most cases you won't need to add smbusers to the system to do this. Simply edit smb.conf and add the following:

[public]
    comment = Example Shared Directory
    path = /home/samba
    guest ok = yes
    writeable = yes

With guest ok = yes and writeable = yes anyone who can reach the server can read and write this directory without authenticating (files are created as the guest account); use it only for a genuinely public drop directory.

Setting up a shared printer:

[global]
    --- snip ---
    printcap name = /etc/printcap
    load printers = yes

[printers]
    comment = All Printers
    path = /var/spool/samba
    browseable = no
    # Set public = yes to allow user 'guest account' to print
    guest ok = yes
    writable = no
    printable = yes


LinuxIT Technical Education Centre Bash Scripting ____________________________________________________________________

Bash Scripting

1. The bash environment

Variables

When you type a command at the prompt the bash shell will use the PATH variable to find which executable on the system you want to run. You can check the value of PATH using the echo command:

echo $PATH
/usr/bin:/bin:/usr/sbin:/usr/X11R6/bin:/usr/local/bin:/sbin/:/usr/local/sbin/

In fact many variables are needed by the shell to accommodate for each user’s environment. For example PWD, HOME, TERM and DISPLAY are such variables.

To initialise and declare a variable the syntax is as follows:

VARIABLE=VALUE

Remember not to put any spaces around the ‘=’ sign. Once a variable is declared and initialised it can be referenced by using the dollar symbol in front as here:

echo $VARIABLE

When a shell session is started a number of configuration files are read and most of the variables are set.

To free a variable from its current value use unset.

Configuration files

One can distinguish configuration files which are read at login time and configuration files which are read for each new bash session.

Login configuration files:

The files which are read at login are /etc/profile and ~/.bash_profile (bash will look for alternative files too, such as ~/.profile). Next bash will read its runtime control files ~/.bashrc and (if it exists) /etc/bashrc.

The bashrc files:

These files are read each time a new interactive shell session is launched (such as a new xterm). The files are /etc/bashrc and ~/.bashrc. Aliases and functions can be saved in ~/.bashrc.

Function syntax:

function-name () { command1; command2; }

You can test which files are being read by adding an echo Profile line in /etc/profile, then type:

bash           No profile is read, you shouldn't see anything
bash -login    This forces bash to act as a login shell, the word Profile should show up

The following commands control the way bash starts:

bash -norc         do not read ~/.bashrc (the documented spelling is --norc)
bash -noprofile    do not read /etc/profile or ~/.bash_profile (--noprofile)

Notice that any new bash session will inherit the parent's exported variables defined in /etc/profile and ~/.bash_profile.

2. Scripting Essentials

The script file

A shell script is a list of instructions saved in a flat file. Only two things are necessary:

1. The script's first line must be #!/bin/bash (for a bash script)
2. The file must be readable and executable (with 755 permissions for example)

If the first line is missing or the file is not executable, it is still possible to run the script by typing

bash program-name

Passing variables to the script

Variables entered at the command line are referenced inside the script as $1 for the first argument, $2 for the second, etc …

Example script, mycat:

#!/bin/bash
cat "$1"


This script is expecting one argument, a file, and will display the content of the file using cat. To run this script on the lilo.conf file, you would run:

./mycat /etc/lilo.conf

Another way of passing values to a script is by letting the script prompt the user for input interactively. This is achieved using the read command. When read is given no variable name the input is stored in REPLY. Here is the modified script:

Interactively passing:

#!/bin/bash
echo -n "Which file shall I display? "
read
cat "$REPLY"

or

read -p "File to display: " FILENAME
cat "$FILENAME"


Special Variables

Special variables can only be referenced; they are set automatically by bash. These are the most common special variables you will encounter:

$*    All the positional parameters entered at the command line ("$@" keeps them as separate words)
$#    Number of arguments entered at the command line
$0    The name of the script
$!    PID of the most recent background command
$$    PID of the current shell
$?    Exit code of the last command

For the positional parameters $1, $2 etc. there is a shift operator which renames each parameter as follows: $2 becomes $1, $3 becomes $2, etc. This can be summarised as $(n+1) -> $n.

3. Logical evaluations

Logical statements are evaluated with the test command or the brackets [ ]. In both cases the result is stored in the $? variable such that:

if the statement is true then    $? is 0
if the statement is false then   $? is not 0

Here are some examples to illustrate:

using test               using [ ]               meaning
test -f /bin/bash        [ -f /bin/bash ]        test if /bin/bash is a regular file
test -x /etc/passwd      [ -x /etc/passwd ]      test if /etc/passwd is executable


One can evaluate more than one statement at a time using the || (OR) and && (AND) logical operators on the command line. For example we could test if /bin/bash is executable and /etc/inittab exists:

test -x /bin/bash && test -e /etc/inittab
[ -e /bin/kbash ] || [ -f /etc/passwd ]

This is similar to using the flags -a and -o within a single test, for example:

test -x /bin/bash -a -f /etc/inittab
[ -e /bin/kbash -o -f /etc/passwd ]

(-a and -o become ambiguous when an operand is empty or starts with a dash, so separate tests joined with && and || are preferred.)


4. Flow Control and Loops

if then

Syntax:

if CONDITION ; then
    command1
    command2
fi

#!/bin/bash
if [ -x /bin/bash ] ; then
    echo "The file /bin/bash is executable"
fi

while loop

Syntax:

while CONDITION is true; do
    command
done

Example: Print 10 hashes (#) then exit

#!/bin/bash
COUNTER=0
while [ $COUNTER -lt 10 ]; do
    echo -n "#"
    sleep 1
    let COUNTER=COUNTER+1
done

Until loop

Syntax:

until CONDITION; do        (the body runs as long as CONDITION is false)
    command
done

Example: Same as above; notice the C style compound assignment (here a decrement) for COUNTER

#!/bin/bash
COUNTER=10
until [ $COUNTER -eq 0 ]; do
    echo -n "#"
    sleep 1
    let COUNTER-=1
done

for loop

Syntax:

for VARIABLE in SET; do
    command
done

Example: the set SET can be the contents of a file. Note that $(cat file) is split on whitespace, so the loop normally sees words rather than lines; setting IFS to a newline first makes it iterate line by line:

#!/bin/bash
IFS=$'\n'
for line in $(cat /etc/lilo.conf); do
    IMAGE=$(echo "$line" | grep image)
    if [ "$IMAGE" != "" ]; then
        echo Kernel configured to boot: $line
    fi
done

5. Expecting user input

We assume that the script is waiting for user input; depending on the answer, the rest of the program will execute something accordingly. There are two possible ways to achieve this: select and case.

Using case

Syntax:

case $VARIABLE in
    CHOICE) command ;;
    CHOICE) command ;;
esac


Using select

Syntax:

select VARIABLE in SET; do
    if [ "$VARIABLE" = CHOICE ]; then
        command
    fi
    if [ "$VARIABLE" = CHOICE ]; then
        command
    fi
done
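The constructs of sections 2 to 5 are rarely used one at a time. The script below is an added example and not part of the LinuxIT notes: it is a small command that parses its options with case and shift, checks $# for a usage error, reads a LILO-style configuration line by line with a while/read loop (the for loop over $(cat file) splits on words, which is why the earlier example needed IFS changed), counts matches with $(( )), compares the count with -gt and makes that comparison the exit status so the function can sit in an if or behind && and ||. The lilo.conf content it reads is constructed for the demonstration and written to a temporary file.

```bash
#!/bin/bash
# Added example (not from the LinuxIT notes): one small script that uses the
# constructs above together: option parsing with case and shift, the
# positional parameters and $#, a line-by-line while/read loop (the for loop
# over $(cat file) sees words, not lines), arithmetic with $(( )), numeric
# tests and an exit status chosen for use in if/&&/||.  The lilo.conf content
# is constructed for the demonstration.

# list_images [-v] [-p PATTERN] FILE...
# Prints the boot images found in LILO-style config files.
# Exit status: 0 if at least one image was found, 1 if none, 2 on usage error.
list_images() {
    local verbose=0 pattern='^image=' found=0 file line n
    while [ $# -gt 0 ]; do                      # option parsing: case on $1, then shift
        case $1 in
            -v) verbose=1 ;;
            -p) pattern="$2"; shift ;;          # option with an argument: shift twice in all
            --) shift; break ;;
            -*) echo "list_images: unknown option $1" >&2; return 2 ;;
            *)  break ;;                        # first non-option: the file list starts here
        esac
        shift
    done
    if [ $# -eq 0 ]; then
        echo "usage: list_images [-v] [-p PATTERN] FILE..." >&2
        return 2
    fi
    for file in "$@"; do
        if [ ! -r "$file" ]; then
            echo "list_images: cannot read $file" >&2
            continue
        fi
        n=0
        while IFS= read -r line || [ -n "$line" ]; do   # whole lines, last one even without newline
            case $line in \#*) continue ;; esac         # skip comment lines
            if printf '%s\n' "$line" | grep -q "$pattern"; then
                n=$(( n + 1 ))
                echo "Kernel configured to boot: ${line#*=}"
            fi
        done < "$file"
        [ "$verbose" -eq 1 ] && echo "$file: $n image(s)" >&2
        found=$(( found + n ))
    done
    [ "$found" -gt 0 ]                          # the test's status becomes the function's status
}

# make_sample_lilo: writes a constructed lilo.conf to a temporary file and prints its name
make_sample_lilo() {
    local f
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
boot=/dev/hda
prompt
timeout=50
# image=/boot/vmlinuz-old   (commented out: must not be counted)
image=/boot/vmlinuz-2.4.20
    label=linux
    root=/dev/hda2
image=/boot/vmlinuz-2.4.18
    label=old
other=/dev/hda1
    label=dos
EOF
    echo "$f"
}

SAMPLE=$(make_sample_lilo)
if list_images -v "$SAMPLE"; then
    echo "at least one kernel is configured"
fi
list_images -p '^initrd=' "$SAMPLE" || echo "no 'initrd=' entry found"
rm -f "$SAMPLE"
```

Replace "$SAMPLE" with /etc/lilo.conf to use it on a real system; the -p option takes any grep pattern, so the same function can list other= entries or anything else the file contains.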

6. Working with Numbers

While shell scripts seamlessly handle character strings, a little effort is needed to perform very basic arithmetic operations.

Binary operations

Adding or multiplying numbers together can be achieved using either expr or the $(( )) construct.

Example:

expr 7 + 3; expr 2 \* 10; expr 40 / 4; expr 30 - 11
echo $((7+3)); echo $((2*10)); echo $((40/4)); echo $((30-11))

Comparing values

Test operators:

Numbers    -lt  -gt  -le  -ge  -eq  -ne
Strings    <    >    =    !=

Inside [ ] the < and > operators must be escaped (\< and \>) or the shell treats them as redirections. test has no <= or >= for strings; expr supports <, <=, >, >=, = and != for both numbers and strings.


7. Exercises

1. On the command line export the variable TEST

export TEST=old

2. Write the script

#!/bin/bash
echo old variable: $TEST
export TEST=new
echo exported variable: $TEST

3. What is the value of $TEST once the script has run?

4. The following script called test_shell will print the PID of the shell that is interpreting it

test_shell:

#!/bin/bash
if [ -n "$(echo "$0" | grep test)" ]; then
    echo The script was executed, the PID of the interpreter is: $$
else
    echo The script was sourced, the PID of the interpreter is: $$
fi

5. Set the permissions to 755 and test the following commands

test_shell
./test_shell
bash test_shell
. test_shell
source test_shell
exec ./test_shell

LinuxIT Technical Education Centre Basic Security _____________________________________________________________________

Basic Security

1. Local Security

The BIOS

If anyone has access to a rescue disk or a Linux disk that boots from a floppy or a CD-ROM it is extremely easy to gain read access to any file on the system. To prevent this the BIOS should be set to boot only from the hard drive. Once this is done set a password on the BIOS. Remember that this only stops attackers who cannot open the case: a disk moved to another machine is readable regardless of the BIOS settings.

LILO

LILO can be given options at boot time (for example init=/bin/sh or single). In particular some Linux distributions will not ask for a password when starting the system in single user mode or runlevel 1.

There are two options that should be added to /etc/lilo.conf: the restricted option, which makes LILO ask for a password only when parameters are given at the boot prompt, and the password="" option, which sets the password string. Restricted means that LILO cannot be given any parameters without the password specified in lilo.conf. Since the password is stored in clear text, /etc/lilo.conf must be readable by root only (chmod 600), and lilo must be re-run after editing it.

boot=/dev/hda
install=/boot/boot.b
prompt
timeout=50
password="password"
restricted

File permissions

To prevent attackers causing too much damage it is recommended to take the following steps.

1) Make vital system tools immutable, or logfiles append-only:

chattr +i /bin/login
chattr +i /bin/ps
chattr +a /var/log/messages

2) Make directories /tmp and /home nosuid or noexec:

Lines to be changed in /etc/fstab:

/tmp    /tmp    ext2    nosuid    1 2
/home   /home   ext2    noexec    1 2

3) Find all files on the system that don't belong to a user or a group:

find / -nouser -o -nogroup

Find all files with the setuid bit set:

find / -perm +4000

Log Files

The main logs are

/var/log/messages : contains information logged by the syslogd daemon

/var/log/secure : contains information on failed logins, added users, etc.

The last tool lists all successful logins and reboots. The information is read from the /var/log/wtmp file.

The who and w tools list all users currently logged onto the system using the /var/run/utmp file.

User Limits

When the /etc/nologin file is present (it can be empty) it will prevent all users from logging in to the system (except user root). If the nologin file contains a message this will be displayed after a successful authentication.

In the /etc/security/ directory are a collection of files that allow administrators to limit user CPU time, maximum file size, maximum number of connections, etc.

/etc/security/access.conf : disallow logins for groups and users from specific locations.

/etc/security/limits.conf

The format of this file is

domain type item

domain: a user name, or a group name (with @group)
type:   hard or soft
item:
  core      - limits the core file size (KB)
  data      - max data size (KB)
  fsize     - maximum filesize (KB)
  memlock   - max locked-in-memory address space (KB)
  nofile    - max number of open files
  cpu       - max CPU time (MIN)
  proc      - max number of processes
  as        - address space limit
  maxlogins - max number of simultaneous logins for this user
  priority  - the priority to run user processes with
  locks     - max number of file locks the user can hold

2. Network Security

Network security can be separated into two main categories:

Host Based Security


Access to resources can be granted based on the host requesting the service. This is handled by tcp_wrappers. The libwrap library also known as tcp_wrappers provides host based access control lists for a variety of network services. Many services, such as xinetd, sshd, and portmap, are compiled against the libwrap library thereby enabling tcp_wrapper support for these services.

When a client connects to a service with tcp_wrapper support, the /etc/hosts.allow and /etc/hosts.deny files are parsed to challenge the host requesting the service. Based on the outcome the service will either be granted or denied.

The hosts_access files have two, optionally three, colon-separated fields. The first field is the name of the process, the second is the fully qualified host name or a domain name with a leading dot, an IP address or a subnet with a trailing dot. Wildcards like ALL and EXCEPT are also accepted.

The syntax for the /etc/hosts.{allow | deny} file is as follows:

service : hosts [EXCEPT] hosts

Example:

/etc/hosts.deny
ALL: ALL EXCEPT .example.com

/etc/hosts.allow
ALL: LOCAL 192.168.0.
in.ftpd: ALL
sshd: .example.com

Tcp_wrappers can run a command locally upon a host match in the hosts_access files. This is accomplished with the spawn command. With the use of the % character, substitutions can be made for the host name and the service.

Example:

/etc/hosts.deny
ALL: ALL : spawn (/bin/echo `date` from %c for %d >> /var/log/tcpwrap.log)

For more information on the use of % substitutions see the hosts_access (5) man page.
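To see how the allow-then-deny order plays out, the following script is an added example written for these notes; it is a simplified model, not libwrap's own code, and it runs against constructed file contents modelled on the example above. Only the pattern forms the notes mention are supported (ALL, LOCAL, a leading-dot domain, a trailing-dot network, an exact name, and EXCEPT); the real matching rules are in hosts_access(5).

```shell
#!/bin/sh
# Added example (not from the course notes, and not libwrap's own code): a
# simplified model of the hosts.allow / hosts.deny decision described above,
# run against constructed file contents. Real decisions are made by the
# libwrap library; see hosts_access(5) for the full pattern syntax.
set -f   # patterns such as 192.168.0. are not filename globs

# Does one client pattern match host $2?  Supported: ALL, LOCAL (no dot in
# the name), ".domain" suffix, "1.2.3." prefix, or an exact name/address.
match_one() {
    pat=$1; host=$2
    case "$pat" in
        ALL)   return 0 ;;
        LOCAL) case "$host" in *.*) return 1 ;; *) return 0 ;; esac ;;
        .*)    case "$host" in *"$pat") return 0 ;; *) return 1 ;; esac ;;
        *.)    case "$host" in "$pat"*) return 0 ;; *) return 1 ;; esac ;;
        *)     [ "$pat" = "$host" ] ;;
    esac
}

# Does a list such as "ALL EXCEPT .example.com" or "LOCAL 192.168.0." match
# $2?  The part before EXCEPT must match and the part after it must not.
match_list() {
    list=$1; host=$2
    case "$list" in
        *" EXCEPT "*)
            set -- "${list%% EXCEPT *}" "${list#* EXCEPT }" "$host"
            match_list "$1" "$3" && ! match_list "$2" "$3" ;;
        *)
            for p in $(printf '%s' "$list" | tr ',' ' '); do
                match_one "$p" "$host" && return 0
            done
            return 1 ;;
    esac
}

# Constructed sample files modelled on the example above.
ALLOW='ALL: LOCAL 192.168.0.
in.ftpd: ALL
sshd: .example.com'
DENY='ALL: ALL EXCEPT .example.com'

# Does any "daemon_list : client_list [: option]" line in $1 match service
# $2 from host $3?  Blank lines and comments are skipped.
file_matches() {
    printf '%s\n' "$1" | {
        while IFS= read -r line; do
            case "$line" in ''|\#*) continue ;; esac
            daemons=$(printf '%s' "${line%%:*}" | tr -d ' ')
            rest=${line#*:}
            clients=${rest%%:*}
            if match_list "$daemons" "$2" && match_list "$clients" "$3"; then
                exit 0        # exits only the subshell reading the file
            fi
        done
        exit 1
    }
}

# Order of evaluation: a hosts.allow match grants, otherwise a hosts.deny
# match denies, and a client listed in neither file is granted access.
access_decision() {
    if file_matches "$ALLOW" "$1" "$2"; then echo granted
    elif file_matches "$DENY" "$1" "$2"; then echo denied
    else echo granted
    fi
}

for c in sshd:host.example.com sshd:10.1.1.5 sshd:192.168.0.7 in.ftpd:10.1.1.5 telnetd:laptop; do
    printf '%-24s %s\n' "$c" "$(access_decision "${c%%:*}" "${c#*:}")"
done
```

The last branch of access_decision is the one to remember: with no hosts.deny entry at all, every client is let through, which is why the notes' example ends hosts.deny with an ALL: ALL EXCEPT line. Note also that in.ftpd: ALL in hosts.allow wins before hosts.deny is ever consulted.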

Port Based Security

With packet filtering functionality built into the Linux kernel, it is possible to limit access to resources by creating rulesets with utilities such as ipchains and iptables, which are able to evaluate a packet entering any of its network interfaces. The rules determine what happens to each packet.

We will cover ipchains and iptables separately. However ipchains and iptables share the following options:

-A   Append a rule to a chain
-D   Delete a rule
-P   Change the default Policy for a chain
-I   Insert a rule
-F   Flush the rule(s) in a chain
-N   Create a user defined chain
-X   Delete a user defined chain
-L   List the rules in a chain

-- ipchains

There are three built in chains in ipchains:

input, forward and output

These chains are evaluated, respectively, when packets 1) enter the network interface, 2) transit to another interface or host, 3) exit the network interface, having been either generated by the local host or forwarded.

TARGETS:

The possible actions (or TARGETS) are ACCEPT, DENY, REJECT, MASQ, REDIRECT and RETURN, or can possibly point to another user defined chain. Targets are specified with the -j flag.

Example: All packets from 192.168.0.254 will be logged and denied

ipchains -A input -s 192.168.0.254 --log -j DENY

POLICY: If a packet has gone through all the rules in a specific chain unaltered then it will be dealt with by the default policy rule for that chain. Valid policy targets are DENY (silently drop the packets) or ACCEPT.

Example: Set the policy for all chains to DENY

ipchains -P input DENY

ipchains -P forward DENY

ipchains -P output DENY

-- iptables

One of the main differences with ipchains is that the filtering rules (decisions to allow or deny a packet, etc.) have been separated from packet alteration operations (network address translation (NAT), etc.). This has been achieved by introducing independent tables: each table is assigned a specific role and each table contains its own built-in chains.

Iptables has three tables, each containing the following built-in chains:

filter: this table is the default and deals with filtering rules using its built-in chains INPUT, OUTPUT and FORWARD

nat:    only network address translation (NAT) operations are defined in this table. The built-in chains are PREROUTING, POSTROUTING and INPUT

mangle: this table handles packet alterations other than NAT. There are two built-in chains, PREROUTING and OUTPUT.

NOTICE: the built-in chains are all in UPPERCASE!!

TARGETS: Different targets are valid depending on the table. Valid targets for the filter table are DROP, REJECT, ACCEPT or MIRROR. Valid targets for the nat table are REDIRECT (in the PREROUTING and OUTPUT chains), MASQUERADE (in the POSTROUTING chain), DNAT (in the PREROUTING and OUTPUT chains) and SNAT (in the POSTROUTING and OUTPUT chains).

Example: All packets from 192.168.0.254 will be logged and denied

iptables -A INPUT -s 192.168.0.254 -j LOG
iptables -A INPUT -s 192.168.0.254 -j DROP

POLICY: The chain policy can be set to either DROP or ACCEPT

Example: The default policy is set to drop all packets

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

-- more background

With the development of the 2.4 Linux kernel came the development of the Netfilter project, which uses the iptables utility to manage firewall rules. Another major difference between iptables and ipchains is that iptables has support for evaluating the packets based on their state in terms of other packets that have passed through the kernel. It is this stateful packet evaluation that makes iptables far superior.

1) Deny all packets on the INPUT chain:

Example: iptables -P INPUT DROP

2) Accept established connections that have been initiated by the host:

iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT

Example:

A Basic script that will work as a gateway. Here are the highlights:

- allow IP forwarding:

echo "1" > /proc/sys/net/ipv4/ip_forward

- masquerade:

$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE

- allow connections to port 80 ONLY:

$IPTABLES -A INPUT -p TCP -i $INET_IFACE -m state --state NEW --dport http -j ACCEPT

#!/bin/sh
# Variables
IPTABLES="/sbin/iptables"
LAN_IFACE="eth0"
INET_IFACE="eth1"
INET_IP="1.2.3.4"
LOCALHOST_IP="127.0.0.1/32"
LAN_IP="192.168.0.1/32"
LAN_BCAST="192.168.0.0/24"

# Setup IP Masquerading
echo "1" > /proc/sys/net/ipv4/ip_forward
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE

# Specify the default policy for the built in chains
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP

# Specify INPUT Rules
# accept anything that does not arrive on the Internet interface
$IPTABLES -A INPUT -i ! $INET_IFACE -j ACCEPT
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -m state --state NEW --dport http -j ACCEPT
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Specify FORWARD Rules
$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Specify OUTPUT RULES
$IPTABLES -A OUTPUT -p ALL -s $LOCALHOST_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT


3. The Secure Shell

● Host Authentication

With ssh both the host and the user authenticate. The host authentication is done by swapping keys. The host's public and private keys are usually kept in /etc/ssh if you are using OpenSSH. Depending on the protocol used the host key file will be called ssh_host_key for Protocol 1 and ssh_host_rsa_key or ssh_host_dsa_key for Protocol 2. Each of these keys has a corresponding public key, for example ssh_host_key.pub.

When an ssh client connects to a server, the server will give the host's public key. At this stage the user will be prompted with something like this:

The authenticity of host 'neptune (10.0.0.8)' can't be established.
RSA key fingerprint is 8f:29:c2:b8:b5:b2:e3:e7:ec:89:80:b3:db:42:07:f4.
Are you sure you want to continue connecting (yes/no)?

If you accept to continue the connection the server’s public key will be added to the local $HOME/.ssh/known_hosts file.

● User Authentication (using passwords)

Then the user is prompted for the password for his account on the remote server and logs in.

● User Authentication (using keys)

The user authentication can also involve swapping keys. For this the user will need to generate a pair of private/public keys. For example:

ssh-keygen -t dsa -b 1024

will generate a 1024 bit DSA key. By default these keys will be saved in $HOME/.ssh and in this example are called id_dsa and id_dsa.pub.

If we assume we have an id_dsa.pub we can 'plant' this key on a remote account and avoid typing passwords for further connections. To do this we need to copy the content of the file id_dsa.pub into a file called authorized_keys2 kept in the remote $HOME/.ssh directory.

WARNING

All private keys in /etc/ssh and ~/.ssh should have a permission of 600
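A quick way to check that warning on a real directory is the script below, an added example written for these notes rather than anything shipped with OpenSSH. Besides private keys that are not mode 600 it also reports a group- or world-writable directory or authorized_keys file, which sshd refuses to use under its default StrictModes setting. The demo directory and file names are constructed; point audit_ssh_dir at ~/.ssh or /etc/ssh to use it for real.

```shell
#!/bin/sh
# Added example (not from the course notes): audit an OpenSSH key directory
# for the permissions required above (private keys mode 600). It also flags
# a group- or world-writable directory or authorized_keys file, which sshd
# refuses to use under its default StrictModes setting. The directory below
# is constructed by the demo; run the function on ~/.ssh or /etc/ssh for real.

# Print one path per problem found under directory $1; prints nothing when
# the directory passes.
audit_ssh_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    {
        # the directory itself must not be writable by group or others
        find "$dir" -maxdepth 0 \( -perm -020 -o -perm -002 \) -print
        # the same applies to authorized_keys and authorized_keys2
        find "$dir" -maxdepth 1 -name 'authorized_keys*' \
            \( -perm -020 -o -perm -002 \) -print
        # private keys: id_* without .pub, *_key, and the protocol 1 identity file
        find "$dir" -maxdepth 1 -type f \
            \( -name 'id_*' -o -name '*_key' -o -name identity \) \
            ! -name '*.pub' ! -perm 600 -print
    } | sort
}

# Demo on a constructed directory with one bad key and one bad authorized_keys.
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/id_dsa";           chmod 644 "$d/id_dsa"            # too open
    : > "$d/id_dsa.pub";       chmod 644 "$d/id_dsa.pub"        # public key: fine
    : > "$d/authorized_keys2"; chmod 664 "$d/authorized_keys2"  # group-writable
    audit_ssh_dir "$d"
    rm -rf "$d"
}
demo
```

The check is deliberately exact (-perm 600) to follow the notes; a key at mode 400 is also safe from other users and you may want to accept it too. Fix findings with chmod 600 on the key, chmod 700 on the directory and chmod 644 (or 600) on authorized_keys.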

● sshd configuration file

Sample /etc/ssh/sshd_config file:

#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

● ssh configuration file

Sample /etc/ssh/ssh_config or $HOME/.ssh/config file:

# Host *
#   ForwardX11 no
#   RhostsAuthentication no
#   RhostsRSAAuthentication no
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
#   CheckHostIP yes
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   Port 22
#   Protocol 2,1
#   Cipher 3des

4. Time Configuration

The System date

The system date can be changed with the date command. The syntax is:

date MMDDhhmmCCYY[.ss]

The Hardware Clock

The hardware clock can be directly changed with the hwclock utility. The main options are:

-r or --show      prints the current time
-w or --systohc   set the hardware clock to the current system time
-s or --hctosys   set the system time to the current hardware clock time

Using NTP

The Coordinated Universal Time (UTC) is a standard used to keep track of time based on the Earth's rotation about its axis. However, because of the slight irregularities of the rotation, leap seconds need to be inserted into the UTC scale using atomic clocks.

Since computers are not equipped with atomic clocks the idea is to use a protocol to synchronize computer clocks across the Internet. NTP stands for Network Time Protocol and is one such protocol.

Computers that are directly updated by an atomic clock are called primary time servers and are used to update a larger number of secondary time servers. This forms a tree structure similar to the DNS structure. The root servers are on the first level or stratum, the secondary servers on the second and so on.

Configuring a client to query an NTP server:

An NTP daemon called ntpd is used to regularly query a remote time server. All that is needed is a server entry in /etc/ntp.conf pointing to a public or corporate NTP server. Public NTP servers can be found online.

The NTP protocol can also estimate the frequency errors of the hardware clock from a sequence of queries; this estimate is written to a file referred to with the driftfile tag.

Minimal /etc/ntp.conf file

server ntp2.somewhere.com
driftfile /var/lib/ntp/drift

Once ntpd is started it will itself be an NTP server providing services on port 123 using UDP.

One off queries:

The ntp package also provides the ntpdate tool which can be used to set the time on the command line:

ntpdate ntp2.somewhere.com

5. Kernel security

There are several security options available in the Linux kernel. These include mainly the syn_cookie mechanism. Stack overflow is handled by a security patch called openwall or OWL.

● tcp_syncookies

To enable this option you simply do the following:

[root@nasaspc /proc]#echo "1" > /proc/sys/net/ipv4/tcp_syncookies

This will instruct the kernel to send a cookie to the client in its SYN+ACK response. In this mode the server then closes the socket and waits for the client's ACK with the appropriate cookie.

If the tcp_syncookies file is not present in the /proc directory then you need to recompile the kernel with syncookies support.

Notice: By default, even if syncookies are supported by the kernel, you need to activate the support by adding a "1" to /proc/sys/net/ipv4/tcp_syncookies. This is usually done in /etc/rc.d/rc.local. However a more efficient solution would be to add an entry to /etc/sysctl.conf
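The sysctl.conf route is easy to script idempotently, which matters when a hardening step is re-run on many hosts. The following is an added example written for these notes (not from the course material): it sets or replaces a key in a sysctl.conf-style file in place, and reads it back. It takes the file path as an argument, so the demo works on a constructed temporary file; for the real thing pass /etc/sysctl.conf and follow with sysctl -p.

```shell
#!/bin/sh
# Added example (not from the course notes): make a kernel setting such as
# tcp_syncookies persistent by updating a sysctl.conf-style file in place,
# rather than echoing into /proc from rc.local. The functions take the file
# path as an argument so they can be tried on a constructed copy first.

# Set "key = value" in $1: replace the line if the key is present (dropping
# any duplicate later lines), otherwise append it. Comments are untouched.
set_sysctl_key() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v value="$value" '
        {
            k = $0
            sub(/[ \t]*=.*/, "", k)      # text before the first "="
            gsub(/[ \t]/, "", k)         # tolerate "key=1" and "key = 1"
            if (k == key) { if (!done) print key " = " value; done = 1; next }
            print
        }
        END { if (!done) print key " = " value }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps the file's owner and mode
    rm -f "$tmp"
}

# Print the value recorded for key $1 in file $2 (last occurrence wins,
# which is how sysctl -p applies the file); empty if absent.
get_sysctl_key() {
    awk -v key="$1" '
        index($0, "=") && $0 !~ /^[ \t]*[#;]/ {
            k = $0; sub(/[ \t]*=.*/, "", k); gsub(/[ \t]/, "", k)
            if (k == key) { v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v) }
        }
        END { print v }
    ' "$2"
}

# Demo on a constructed file standing in for /etc/sysctl.conf.
demo() {
    f=$(mktemp) || return 1
    printf '%s\n' '# constructed sample sysctl.conf' \
        'net.ipv4.ip_forward = 0' 'kernel.sysrq = 0' > "$f"
    set_sysctl_key "$f" net.ipv4.tcp_syncookies 1   # appended
    set_sysctl_key "$f" net.ipv4.ip_forward 1       # replaced in place
    cat "$f"
    rm -f "$f"
}
demo
```

Writing through cat rather than mv keeps /etc/sysctl.conf's inode, ownership and mode intact, and replacing an existing line instead of appending avoids the duplicate entries that accumulate when a script simply does echo >> on every run.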


● The owl security patch (this section is not an LPI objective)

This patch takes care of most stack related issues and is beyond the scope of this course. It is however easy to test whether or not your system is vulnerable with binaries provided with the downloaded patch.

Resources for the owl patch and the Linux kernel:

http://www.openwall.com
http://www.kernel.org/pub/linux/kernel/v2.2/

There is only support for kernel 2.2.19 so far. After downloading linux-2.2.19.tar.gz and linux-2.2.19-ow1.tar.gz in the /usr/src/ directory, make sure you delete the linux symbolic link.

[root@nasaspc src]#pwd
/usr/src/
[root@nasaspc src]#rm -rf linux

You next unbundle the packages.

[root@nasaspc src]#tar xvzf linux-2.2.19.tar.gz
[root@nasaspc src]#tar xvzf linux-2.2.19-ow1.tar.gz

To test your system go into the linux-2.2.19-ow1 directory. There is a directory called optional that contains a file called stacktest.c.

[root@nasaspc optional]#pwd
/usr/src/linux-2.2.19-ow1/optional
[root@nasaspc optional]#gcc stacktest.c -o stacktest

[root@nasaspc optional]#stacktest
Usage: ./stacktest OPTION
Non-executable user stack area tests

-t  call a GCC trampoline
-e  simulate a buffer overflow exploit
-b  simulate an exploit after a trampoline call

[root@nasaspc optional]#stacktest -e
Attempting to simulate a buffer overflow exploit... Succeeded.

To apply the patch you need to go into the linux directory. Here are the commands.

Applying the openwall patch:

[root@nasaspc linux]#pwd
/usr/src/linux
[root@nasaspc linux]#patch -p1 < /usr/src/linux-2.2.19-ow1/linux-2.2.19-ow1.diff

Now if you do make menuconfig you should see a new entry called Security options. The default selections are fine. From here you proceed with the compilation and installation of the kernel as usual.


LinuxIT Technical Education Centre Linux System Administration ____________________________________________________________________

Linux System Administration

Overview

We will concentrate on the main tasks of system administration such as monitoring log files, scheduling jobs using at and cron. This also includes an overview of the documentation available (manpages and online resources) as well as some backup concepts.

1. Logfiles and configuration files

The /var/log/ directory

This is the directory where most logfiles are kept. Some applications generate their own log files (such as squid or samba). Most of the system logs are managed by the syslogd daemon. Common system files are:

cron      keeps track of messages generated when cron executes
mail      messages relating to mail
messages  logs all messages except private authentication (authpriv), cron, mail and news
secure    logs all failed authentications, users added/deleted etc

The most important log file is messages where most activities are logged.

The /etc/syslog.conf file

When syslogd is started it reads the /etc/syslog.conf configuration file by default. One can also start syslogd with -f and the path to an alternative config file. This file must contain a list of items followed by a priority, followed by the path to the log-file:

item1.priority1 ; item2.priority2 /path-to-log-file

Valid items are:

auth and authpriv   general and private authentication
cron                cron daemon messages
kern                kernel messages
mail
news
user                user processes
uucp

Valid priorities are (from highest to lowest):

emerg alert crit err warning notice info debug * none

Priorities are minimal! All higher priorities will be logged too. To force a priority to be info only you need to use an '=' sign as in:

user.=info /var/log/user_activity

Listing of /etc/syslog.conf

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                  /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;news.none;authpriv.none /var/log/messages

# The authpriv file has restricted access.
authpriv.*                               /var/log/secure

# Log all the mail messages in one place.
mail.*                                   /var/log/maillog

# Log cron stuff
cron.*                                   /var/log/cron

# Everybody gets emergency messages, plus log them on another
# machine.
*.emerg                                  *
*.emerg                                  @10.1.1.254

# Save boot messages also to boot.log
local7.*                                 /var/log/boot.log

#
news.=crit                               /var/log/news/news.crit
news.=err                                /var/log/news/news.err
news.notice                              /var/log/news/news.notice
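Working out which lines of a syslog.conf catch a given message is the usual source of "why is this not in /var/log/messages?" questions. The script below is an added example written for these notes, not syslogd's own code: it applies the selector rules stated above (a priority is a minimum unless written as =prio, none switches a facility off, and later selectors on a line override earlier ones for the facilities they name) to a constructed configuration fragment modelled on the listing.

```shell
#!/bin/sh
# Added example (not from the course notes, and not syslogd's code): given a
# message's facility and priority, list the destinations in a syslog.conf
# that would receive it. It models the rules stated above: a priority is a
# minimum unless written as =prio, 'none' switches a facility off, and later
# selectors on the same line override earlier ones for the facilities they
# name. The configuration below is a constructed fragment.
set -f   # selectors contain '*'; they are not filename globs

PRIORITIES="debug info notice warning err crit alert emerg"   # lowest first

# Numeric rank of a priority name: debug=0 ... emerg=7 ('warn' = warning).
prio_rank() {
    [ "$1" = warn ] && set -- warning
    i=0
    for p in $PRIORITIES; do
        [ "$p" = "$1" ] && { echo "$i"; return 0; }
        i=$((i + 1))
    done
    echo -1; return 1
}

# Would the selector list $1 (e.g. "*.info;mail.none") accept a message from
# facility $2 at priority $3?  Exit 0 = yes.
selector_matches() {
    sel_list=$1; fac=$2; pri=$3
    verdict=1
    for item in $(printf '%s' "$sel_list" | tr ';' ' '); do
        f=${item%%.*}; p=${item#*.}
        for one in $(printf '%s' "$f" | tr ',' ' '); do
            [ "$one" = '*' ] || [ "$one" = "$fac" ] || continue
            case "$p" in
                none) verdict=1 ;;
                '*')  verdict=0 ;;
                =*)   if [ "$(prio_rank "${p#=}")" -eq "$(prio_rank "$pri")" ]; then verdict=0; else verdict=1; fi ;;
                *)    if [ "$(prio_rank "$pri")" -ge "$(prio_rank "$p")" ]; then verdict=0; else verdict=1; fi ;;
            esac
        done
    done
    return $verdict
}

# Constructed syslog.conf fragment modelled on the listing above.
CONF='*.info;mail.none;news.none;authpriv.none  /var/log/messages
authpriv.*                                      /var/log/secure
mail.*                                          /var/log/maillog
cron.*                                          /var/log/cron
*.emerg                                         *
user.=info                                      /var/log/user_activity'

# Print, space separated, every destination that accepts facility $1 at
# priority $2 (empty output means the message is not logged at all).
destinations() {
    printf '%s\n' "$CONF" | {
        out=
        while read -r sel dest; do
            [ -n "$sel" ] || continue
            selector_matches "$sel" "$1" "$2" && out="$out${out:+ }$dest"
        done
        printf '%s\n' "$out"
    }
}

echo "user.info       -> $(destinations user info)"
echo "mail.err        -> $(destinations mail err)"
echo "kern.emerg      -> $(destinations kern emerg)"
echo "authpriv.notice -> $(destinations authpriv notice)"
echo "user.debug      -> $(destinations user debug)"
```

Two results are worth noticing: mail.err reaches only /var/log/maillog because mail.none on the first line cancels the earlier *.info for that facility, and user.debug reaches nothing at all, since debug is below the info minimum and the =info line is exact. Remote destinations (@host) are just another dest string here; the real syslogd sends them over UDP port 514.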

2. Log Utilities

The logger command

The first utility, logger, conveniently logs messages to the /var/log/messages file. If you type the following:

logger program myscript ERR

The end of /var/log/messages should now have a message similar to this:

Jul 17 19:31:00 localhost penguin: program myscript ERR


local settings

The logger utility logs messages to /var/log/messages by default. There are local items defined that can help you create your own logfiles as follows. local0 to local7 are available items for administrators to use. The availability depends on the system (on RedHat, local7 logs boot-time information in /var/log/boot.log). Add the following line to /etc/syslog.conf:

local4.*        /dev/tty9

Restart the syslogd:

killall -HUP syslogd

The next command will be logged on /dev/tty9:

logger -p local4.notice "This script is writing to /dev/tty9"

An interesting device is /dev/speech, which is installed with the Festival tools.

logrotate

The log files are rotated using logrotate. Usually logrotate is run daily as a cron job. The configuration file /etc/logrotate.conf contains commands to create or compress files.

Listing of logrotate.conf

# rotate log files weekly
weekly

# keep 4 weeks worth of backlogs
rotate 4

# send errors to root
errors root

# create new (empty) log files after rotating old ones
create

# uncomment this if you want your log files compressed
compress

# RPM packages drop log rotation information into this directory
include /etc/logrotate.d

# no packages own lastlog or wtmp -- we'll rotate them here
/var/log/wtmp {
    monthly
    create 0664 root utmp
    rotate 1
}

3. Automatic Tasks

Using cron

The program responsible for running crons is called crond. Every minute crond will read specific files containing commands to be executed. These files are called crontabs.

User crontabs are in /var/spool/cron/. These files should not be edited directly by non-root users and need to be edited using the crontab tool (see below).

The system crontab is /etc/crontab. This file will periodically execute all the scripts in /etc/cron.*; this includes any symbolic link pointing to scripts or binaries on the system.

To manipulate cron entries one uses the crontab utility. Scheduled tasks are viewed with the -l option as seen below:

crontab -l

➔ # DO NOT EDIT THIS FILE - edit the master and reinstall

# (/tmp/crontab.1391 installed on Tue Jul 17 17:56:48 2001)

# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)

0 * * 07 2 /usr/bin/find /home/penguin -name core -exec rm {} \;

Does the user root have any crontabs?

Similarly the -e option will open your default editor and let you enter a cron entry. User root can use the -u option to view and change any user's cron entries. To delete your crontab file use crontab -r.

This is the format for crontabs :

Minutes(0-59) Hours(0-23) Day of Month(1-31) Month(1-12) Day of Week(0-6) command
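The five time fields accept more than single numbers (lists, ranges and steps), and reading an entry such as the one listed above takes some practice. The script below is an added example written for these notes, not the cron daemon's own code: it decides whether a crontab time specification fires at a given minute, implementing the Vixie cron matching rules including the special case that when both day fields are restricted the entry fires when either one matches. The function names are constructed.

```shell
#!/bin/sh
# Added example (not from the course notes, and not the cron daemon's code):
# does a crontab time specification fire at a given moment?  It implements
# the five-field matching rules used by Vixie cron: '*', single values,
# ranges (1-5), lists (1,15) and steps (*/2, 0-30/10).
set -f   # '*' fields must not be expanded as filename globs

# Strip leading zeros so that "07" is read as 7 (the shell would treat 07
# as octal in $(( )), and 08 would be an error).
dec() {
    v=$1
    while [ "${#v}" -gt 1 ] && [ "${v#0}" != "$v" ]; do v=${v#0}; done
    printf '%s' "$v"
}

# Does field $1 cover value $2?  $3-$4 is the field's natural range, used
# to expand '*' and as the upper bound of "N/step".
field_matches() {
    fspec=$1; val=$(dec "$2"); lo=$3; hi=$4
    for part in $(printf '%s' "$fspec" | tr ',' ' '); do
        step=1
        case "$part" in */*) step=$(dec "${part#*/}"); part=${part%%/*} ;; esac
        case "$part" in
            '*') a=$lo; b=$hi ;;
            *-*) a=$(dec "${part%-*}"); b=$(dec "${part#*-}") ;;
            *)   a=$(dec "$part"); if [ "$step" -eq 1 ]; then b=$a; else b=$hi; fi ;;
        esac
        if [ "$val" -ge "$a" ] && [ "$val" -le "$b" ] && [ $(( (val - a) % step )) -eq 0 ]; then
            return 0
        fi
    done
    return 1
}

# Does crontab line $1 ("min hour dom mon dow", without the command) fire at
# minute $2, hour $3, day-of-month $4, month $5, weekday $6 (0 = Sunday)?
# As in Vixie cron, when both day fields are restricted (do not start with
# '*') the entry fires when EITHER of them matches; otherwise both must.
cron_matches() {
    spec=$1; m=$2; h=$3; d=$4; mo=$5; w=$6
    set -- $spec
    [ $# -eq 5 ] || return 2
    field_matches "$1" "$m" 0 59 || return 1
    field_matches "$2" "$h" 0 23 || return 1
    field_matches "$4" "$mo" 1 12 || return 1
    if [ "${3#\*}" != "$3" ] || [ "${5#\*}" != "$5" ]; then
        field_matches "$3" "$d" 1 31 && field_matches "$5" "$w" 0 6
    else
        field_matches "$3" "$d" 1 31 || field_matches "$5" "$w" 0 6
    fi
}

# The entry listed above, "0 * * 07 2", fires at the start of every hour on
# Tuesdays in July (dom is '*', so only the weekday restricts the day).
if cron_matches "0 * * 07 2" 0 14 15 7 2; then echo "fires"; else echo "does not fire"; fi
if cron_matches "*/2 * * * *" 15 9 1 1 1; then echo "fires"; else echo "does not fire"; fi
```

The "either day field" rule surprises people: "0 1 15 * 1" runs on the 15th of every month AND every Monday, not only on Mondays that fall on the 15th. An entry that should run every two minutes, as in the exercises below, is "*/2 * * * *"; remember that cron supplies almost no environment, so give the command an explicit PATH and DISPLAY.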

Permissions:

By default any user can use crontab. However you can control the accessibility with /etc/cron.deny and /etc/cron.allow.

Scheduling with “at”

The at jobs are run by the atd daemon. At jobs are spooled in /var/spool/at/

The at command is used to schedule a one off task with the syntax

at [time]

Where time can be expressed as:

now 3am + 2days midnight 10:15 Apr 12 teatime

For a complete list of valid time formats see /usr/share/doc/at-xxx/timespec.

You can list commands that are scheduled with atq or at -l. The at jobs are saved in /var/spool/at/:

ls /var/spool/at/

➔ a0000100fd244d spool

When using atq you should have a list of jobs preceded by a number. You can use this number to dequeue it:

atq

➔ 1 2001-07-17 18:21 a root

From the atq listing we see that the job number is 1, so we can remove the job from the spool as follows:

at -d 1

Permissions:

By default at is restricted to the root user. To override this you must either have an empty /etc/at.deny or have a /etc/at.allow with the appropriate names.

4. Backups and Compressions

Backup strategies

There are three main strategies to back up a system:

Full: copy all files

Incremental: the first incremental copies all files added or changed since the last full backup, and subsequent ones copy all the files added or changed since the last incremental backup

Differential: copies all files added or changed since the last full backup

Example: If you made a full backup and 3 differential backups before a crash, how many tapes would you need to restore ?


Creating archives with tar

The main option to create an archive with tar is -c. You can also specify the name of the archive as the first argument if you use the -f flag.

tar -cf home.tar /home/

If you don't specify the file as an argument tar -c will simply output the archive as standard output:

tar -c /home/ > home.tar

Extracting archives with tar

Extracting is straightforward. Replace the -c flag with -x. This will cause the archive file to create directories if necessary and copy the archived files into your current directory. To redirect the output of the extracted archive into the directory /usr/share/doc, for example, you can do:

tar xf backeddocs.tar -C /usr/share/doc

Compressions

All archives can be compressed using different compression utilities. These flags are available when creating, testing or extracting an archive:

compression type   tar option
compress           Z
gzip               z
bzip2              j

The cpio utility

The cpio utility is used to copy files to and from archives. A list of files must be given to cpio either through a pipe (as when used with find) or via a file redirection, such as with:

- Extract an archive on a tape:

cpio -i < /dev/tape

- Create an archive for the /etc directory:

find /etc | cpio -o > etc.cpio

The dump and restore utilities

Finally, it is also possible to perform backups per device using dump. Remember that the field after the options in /etc/fstab is used to specify if a device should be backed up or not.

Information about the previous full or incremental backups is stored in /etc/dumpdates. Dump can automatically do up to 9 incremental backups.

By default dump will save the archive to /dev/st0.

What to backup

The following table extracted from the FHS document is used to determine how often specific directories need to be backed up:

            shareable     unshareable
static      /usr, /opt    /etc, /boot
variable    /var/mail     /var/run, /var/spool/mail

5. Documentation

Manpages and the whatis database

The manpages are organised in sections:

NAME         the name of the item followed by a short one line description
SYNOPSIS     the syntax for the command
DESCRIPTION  a longer description
OPTIONS      a review of all possible options and their function
FILES        files that are related to the current item (configuration files etc)
SEE ALSO     other manpages related to the current topic

These are the main sections one would expect within a manpage.

The whatis database stores the NAME section of all the manpages on the system. This is done through a daily cron. The whatis database has the following two entries:


name(key) - one line description

The syntax for whatis is: whatis string

The output is the full NAME section of the manpages where string matched name(key).

One can also use the man command to query the whatis database. The syntax is

man -k string

Unlike whatis this will query both the "name" and the "one line description" entries of the database. If the string matches a word in any of these fields the above query will return the full NAME section.

Example:

whatis lilo

lilo (8) - install boot loader

lilo.conf [lilo] (5) - configuration file for lilo

man -k lilo

grubby (8) - command line tool for configuring grub, lilo, and elilo

lilo (8) - install boot loader

lilo.conf [lilo] (5) - configuration file for lilo

The FHS recommends manpages to be kept in /usr/share/man

Manpage Sections

Section 1  Information on executables
Section 2  System calls, e.g. mkdir(2)
Section 3  Library calls, e.g. stdio(3)
Section 4  Devices (files in /dev)
Section 5  Configuration files and formats
Section 6  Games
Section 7  Macro packages
Section 8  Administration commands
Section 9  Kernel routines

To access a specific section N one has to enter:

man N command

Examples:

man mkdir
man 2 mkdir
man crontab
man 5 crontab

Info pages

The FHS recommends info pages be kept in /usr/share/info. These pages are compressed files that can be read with the info tool.

The original GNU tools used info pages rather than manpages. Since then most info pages have been rewritten as manpages. However information about GNU projects such as gcc or glibc is still more extensive in the info pages compared to the manpages.

Online documents

GNU projects include documents such as a FAQ, README, CHANGELOG and sometimes user/admin guides. The formats can be ASCII text, HTML, LaTeX or PostScript.

These documents are kept in the /usr/share/doc/ directory.

HOWTOs and The Linux Documentation Project

The Linux Documentation Project provides many detailed documents on specific topics. These are structured guides explaining concepts and implementations. The website URL is www.tldp.org. The LDP documents are freely redistributable and can be contributed to using a GPL type licence.

Usenet News Groups

The main newsgroups for Linux are the comp.os.linux.* groups (e.g. comp.os.linux.networking, comp.os.linux.security ...). Once you have set up a news reader to connect to a news server (usually available through an ISP or a university campus) one downloads a list of all existing discussion groups and subscribes/unsubscribes to a given group. There are many experienced as well as new users who rely on the newsgroups to get information on specific tasks or projects. Take the time to answer some of these questions if you feel you have the relevant experience.

NOTICE

The man -k option queries both fields in the whatis database. This will find everything about a given item. There is a tool called apropos (meaning about) which will do the same thing as man -k.


6. Exercises

Logging

1. Change /etc/syslog.conf to output some of the logs to /dev/tty9 (make sure you restart syslogd and that the output is properly redirected).

2. Add a custom local5 item with critical priority to /etc/syslog.conf and direct the output to /dev/tty10. Restart syslogd and use logger to write information via local5.

3. Read the /etc/rc.d/init.d/syslog script and change /etc/sysconfig/syslog to allow remote hosts to send log outputs.

Scheduling

4. Create a cron entry which starts xclock every 2 minutes. Remember that cron is unaware of system variables such as PATH and DISPLAY.

5. Use at to start xclock in the next five minutes.

Archiving

6. Use find to list all files that have been modified during the past 24 hours. (Hint: redirect the output of find -mtime -1 to a file.)

7. Use cpio to create an archive called Incremental.cpio. (Answer: use the file created above and do cat FILE | cpio -ov > Incremental.cpio)

8. Use tar to create an archive of all files last accessed or changed 5 minutes ago. (Hint: use find to create a list of files, then save the list to a file. The tar tool has a switch to take input from a file.)

9. Test the archive before extracting it.

10. Extract the archive you have just created.
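The archiving steps of exercises 6 to 9 carried through in one script, as an added example of mine rather than material from the course notes. It assumes GNU find and GNU tar (for -mmin, -print0 and --null -T -), passes the file list to tar as NUL-separated names instead of a newline-separated file so that names containing spaces survive, and lists the archive with tar -tf before anything is extracted. The sample directory and its files are constructed inside the script; the helper names are my own.

```shell
#!/bin/sh
# Added example (not from the LinuxIT course notes): archive the files that
# changed within the last N minutes, the way exercises 6-9 describe, but with
# a NUL-separated file list so odd file names cannot break it. Needs GNU find
# and GNU tar (hypothetical helper names, chosen for this illustration).

# archive_recent DIR MINUTES OUTFILE
# Writes a tar archive of the regular files under DIR modified within the
# last MINUTES minutes. find -print0 feeds tar --null -T -, which is the
# "switch to take input from a file" the exercise hints at, read from stdin.
archive_recent() {
    dir=$1; minutes=$2; out=$3
    find "$dir" -type f -mmin "-$minutes" -print0 \
        | tar --null -T - -cf "$out"
}

# archive_count OUTFILE: number of entries in the archive. tar -tf fails on
# an unreadable archive, so this doubles as exercise 9's test before extraction.
archive_count() {
    tar -tf "$1" | wc -l | tr -d ' '
}

# Constructed sample directory: two fresh files (one with a space in its
# name) and one whose modification time is pushed back to 26 Dec 2003.
demo_dir=$(mktemp -d)
printf 'new\n' > "$demo_dir/recent.txt"
printf 'new\n' > "$demo_dir/recent with space.txt"
printf 'old\n' > "$demo_dir/old.txt"
touch -t 200312260000 "$demo_dir/old.txt"

# 1440 minutes = the "past 24 hours" of exercise 6. The archive is written
# next to the directory, not inside it, so it cannot end up listing itself.
archive_recent "$demo_dir" 1440 "$demo_dir.tar"
echo "entries archived: $(archive_count "$demo_dir.tar")"
```

The same function with MINUTES set to 5 gives the list asked for in exercise 8; the exercise's newline-separated list file works until a file name contains a newline or leading space, which is why the example passes the names NUL-terminated instead.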


Setting up PPP

1. Serial Modems

Linux assumes in general that serial modems are connected to a serial port (one of the /dev/ttySN devices). So you first need to find out which serial port the modem is connected to.

The setserial -g command will query the serial ports. If the resource is not available then the UART value will be reported as unknown.

Sample output for setserial:

setserial -g /dev/ttyS[0-3]
/dev/ttyS0, UART: 16550A, Port: 0x03f8, IRQ: 4
/dev/ttyS1, UART: 16550A, Port: 0x02f8, IRQ: 3
/dev/ttyS2, UART: unknown, Port: 0x03e8, IRQ: 4
/dev/ttyS3, UART: unknown, Port: 0x02e8, IRQ: 3

For modems that are not on a standard serial port it is possible to get information about available resources in /proc/pci. The I/O port and IRQ settings found there can be transferred to a free /dev/ttyS? device. This is achieved with the following two lines:

setserial /dev/ttyS2 port 0x2000 irq 3
setserial /dev/ttyS2 autoconfig

The last line simply deals with setting up the proper UART settings.

These settings will be lost at the next boot and can be saved in /etc/rc.serial. This script is one of the last scripts executed by rc.sysinit at boot time.

The rc.serial script:

#!/bin/bash

TTY=/dev/ttyS2
PORT=0x2000
IRQ=3

echo "Setting up Serial Card ..."
/bin/setserial $TTY port $PORT irq $IRQ 2>/dev/null
/bin/setserial $TTY autoconfig 2>/dev/null

2. Dialup Configuration

Once the modem is known to be connected to a serial device it is possible to send modem-specific instructions such as ATZ or ATDT. One tool that acts as a terminal interface is minicom.

[minicom screenshot]

Another common tool is wvdialconf. This tool automatically scans the ttyS devices for modems and creates a configuration file. This file is used to handle password authentication and to initialise the pppd daemon once the connection is established.

3. pppd and chat

First of all the chat script is used to communicate with a remote host’s modem. It is a series of expect/send strings. The format is:

‘expected query’ ‘answer’

Expected queries from the modem are:

'' (the empty string)
'OK'
'CONNECT'
'login'
'password'
'TIMEOUT'
'>'

The script is read sequentially and starts with the empty query '' which is matched with the command 'ATZ'. Once the modem is initialised it sends back the query 'OK'. To this the script answers with an 'ATDT' dialing command. This conversation goes on until the '>' prompt is reached, at which stage one can run pppd.

Sample chat script:

'ABORT' 'BUSY'
'ABORT' 'ERROR'
'ABORT' 'NO CARRIER'
'ABORT' 'NO DIALTONE'
'ABORT' 'Invalid Login'
'ABORT' 'Login incorrect'
'' 'ATZ'
'OK' 'ATDT01172341212'
'CONNECT' ''
'ogin:' 'adrian'
'ord:' 'adrianpasswd'
'TIMEOUT' '5'
pppd '>'

Of course this is one way of doing things. One can also start pppd manually and then invoke the chat script as follows:

pppd /dev/ttyS2 115200 \
    nodetach \
    lock \
    debug \
    crtscts \
    asyncmap 0000000 \
    connect "/usr/sbin/chat -f /etc/sysconfig/network-scripts/chat-ppp0"

The lines below the pppd command can be saved in /etc/ppp/options. This file holds the options that give pppd most of its strength and flexibility. For example require-chap makes pppd use /etc/ppp/chap-secrets for authentication.

4. PPPD peers

There is a directory called peers in /etc/ppp/. In this directory one can create a file that contains all the necessary command line options for pppd. In this way peer connections can be started by all users.

Below is an example of a PPP peer file:

# This optionfile was generated by pppconfig 2.0.10.
hide-password
noauth
connect "/usr/sbin/chat -f /etc/sysconfig/network-scripts/chat-ppp0"
/dev/ttyS0
115200
defaultroute
noipdefault
user uk2


The previous peer file (called uk2) would be used as follows:

# pppd call uk2

This will dial the number specified in the "chat script" and authenticate as the user "uk2". Note that this requires a corresponding entry in /etc/ppp/chap-secrets and /etc/ppp/pap-secrets. The format for pap and chap secrets is as follows:

# Secrets for authentication using CHAP
# client    server    secret    IP addresses
uk2         *         "uk2"     *

This format allows different passwords to be used if you connect to different servers. It also allows you to specify an IP address. This is probably not going to work when connecting to an ISP, but when making private connections, you can specify IP addresses if there is a need. One example would be where you need to audit your network activity, and want to specify which users get a certain IP address.
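A reader for the four-column secrets format just described, added here as my own illustration; it is neither course material nor pppd's own lookup code. It assumes the layout shown above (client, server, secret, IP addresses; comments start with #; the secret may be double-quoted), prefers an entry naming the server over one whose server column is "*", and adds the check an administrator would want on a file that stores passwords in clear: that group and others have no access to it. The stat -c call is GNU coreutils; the sample file is constructed inside the script.

```shell
#!/bin/sh
# Added example (not from the course notes, not pppd's own code): look up a
# CHAP/PAP secret from a file in /etc/ppp/chap-secrets layout and check the
# file's permissions. Helper names are hypothetical.

# secret_for FILE CLIENT SERVER
# Prints the secret for CLIENT against SERVER. A line whose server column
# names SERVER wins over a line whose server column is "*"; comment lines
# and lines with fewer than three fields are ignored; surrounding double
# quotes are stripped. Exit status 1 when no entry matches.
secret_for() {
    awk -v client="$2" -v server="$3" '
        /^[[:space:]]*#/ || NF < 3 { next }
        $1 == client && $2 == server { exact = $3 }
        $1 == client && $2 == "*"    { if (wild == "") wild = $3 }
        END {
            s = (exact != "") ? exact : wild
            if (s == "") exit 1
            gsub(/^"|"$/, "", s)
            print s
        }
    ' "$1"
}

# secrets_private FILE: succeeds only when the group and other permission
# bits are all clear (mode 600 or 400), since the file holds passwords.
secrets_private() {
    mode=$(stat -c %a "$1" 2>/dev/null) || return 1
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Constructed sample: the entry from the text plus a server-specific one.
# Deliberately created world-readable so the permission check has
# something to flag.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# Secrets for authentication using CHAP
# client   server   secret        IP addresses
uk2        *        "uk2"         *
uk2        isp-b    "other-pw"    10.0.0.5
EOF
chmod 644 "$sample"

echo "secret for uk2 at isp-b: $(secret_for "$sample" uk2 isp-b)"
secrets_private "$sample" || echo "$sample is readable by other users"
```

The second entry shows the per-server password the text mentions: the same client name carries a different secret, and an optional address, for a different peer.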


5. Wvdial

This is the default method used by Red Hat to connect to a dial up network. To configure wvdial, it is easier to use one of the configuration tools provided with either Gnome or KDE. They configure the /etc/wvdial.conf file.

Below is a sample wvdial.conf file:

[Modem0]
Modem = /dev/ttyS0
Baud = 115200
Dial Command = ATDT
Init1 = ATZ
FlowControl = Hardware (CRTSCTS)

[Dialer UK2]
Username = uk2
Password = uk2
Phone = 08456091370
Inherits = Modem0

To use wvdial from the command line, you would execute it with the following syntax:

# wvdial

In the example configuration file the following command would dial the connection called "uk2":

# wvdial uk2
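The Inherits line in the sample wvdial.conf means that [Dialer UK2] picks up the modem settings of [Modem0]. The function below, an added example of mine and not part of wvdial or the course notes, resolves the effective value of a key for a dialer section by following that chain, with the section's own keys taking precedence. It assumes the INI-style layout shown above (section names in brackets, Key = Value lines) and exact, case-sensitive section names; the sample file is constructed inside the script.

```shell
#!/bin/sh
# Added example (not from the course notes, not wvdial's own code): resolve a
# wvdial.conf setting through "Inherits". Helper name is hypothetical.

# wvdial_setting FILE SECTION KEY
# Prints the value of KEY for SECTION, consulting the section named by
# Inherits (and its own Inherits, up to 10 levels, to stop loops) when the
# key is not set directly. Exit status 1 when the key cannot be resolved.
wvdial_setting() {
    awk -v want="$2" -v key="$3" '
        /^[[:space:]]*\[/ {                       # section header
            sec = $0
            sub(/^[[:space:]]*\[/, "", sec); sub(/][[:space:]]*$/, "", sec)
            next
        }
        /^[[:space:]]*(#|;|$)/ { next }          # comments and blank lines
        index($0, "=") {                          # Key = Value
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            conf[sec, k] = v
        }
        END {
            s = want
            for (depth = 0; depth < 10; depth++) {
                if ((s, key) in conf) { print conf[s, key]; exit 0 }
                if (!((s, "Inherits") in conf)) exit 1
                s = conf[s, "Inherits"]
            }
            exit 1
        }
    ' "$1"
}

# Constructed copy of the sample configuration from the text.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[Modem0]
Modem = /dev/ttyS0
Baud = 115200
Dial Command = ATDT
Init1 = ATZ
FlowControl = Hardware (CRTSCTS)

[Dialer UK2]
Username = uk2
Password = uk2
Phone = 08456091370
Inherits = Modem0
EOF

echo "Dialer UK2 uses modem $(wvdial_setting "$sample" 'Dialer UK2' Modem)"
```

Because the dialer section stores the account password in clear, the same permission consideration as for the pppd secrets files applies to /etc/wvdial.conf.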


Printing

The two objectives of this chapter are firstly to introduce the GNU printing tools available on Linux machines and secondly to understand the configuration files for a print server.

1. Filters and gs

For non-text formats Linux and UNIX systems generally use filters. These filters translate JPEG or troff file formats into a PostScript-type format. This could be sent directly to a PostScript printer, but since not all generic printers can handle PostScript, an intermediate 'virtual PostScript printer' called gs (Ghostscript) is used, which finally translates the PostScript into PCL.

The commercial version of Ghostscript is Aladdin Ghostscript; the GNU version is an older release of it.

The gs utility has a database of printer drivers it can handle (this list is usually up to date, for example many USB printers are supported) and converts the postscript directly into PCL for these known models. The gs utility plays a central role in Linux printing.

2. Printers and print queues

As seen above, simple ASCII text printing is not handled in the same way as image or PostScript files. If you only have one printer and you would like to print out your mail, for example, it may not be necessary to use a filter. You may want to define a queue without filters, which would print mail faster. You could also define a queue on the same printer which would only handle PostScript files.

All queues and printers are defined in /etc/printcap. Here is the full configuration of a remote printer 192.168.1.20 using the remote queue named ‘lp’:

lp:\
    :sd=/var/spool/lpd/lp:\
    :mx#0:\
    :sh:\
    :rm=192.168.1.20:\
    :rp=lp:

The essential options here are rm (the remote host), sd (the spool directory) and rp (the name of the remote queue). Notice that no filters are specified (the if option would name an input filter). All the filtering is done on the remote host.


3. Printing Tools

lpr:

The lpr utility is used to submit jobs to a printer. This is a modern version of lp (line print). From a user’s point of view it is helpful to understand that a printer can be associated with more than one queue. Here are two examples to print a file called LETTER.

Send job to default printer: lpr LETTER

Send job to the 'ljet' queue: lpr -Pljet LETTER

Table 1: Main Options for lpr

-#num    Print num copies
-Ppq     Specify the print queue pq
-s       Make a symbolic link in the spool directory rather than copying the file in

lpq:

A user can monitor the status of print queues with the lpq utility. Here are a few examples.

Show jobs in default queue: lpq

Show jobs for all queues on the system: lpq -a

Show jobs in the ‘remote’ queue: lpq -Premote

lprm:

Depending on the options in /etc/lpd.perms users may be allowed to delete queued jobs using lprm.

Remove last job submitted: lprm

Remove jobs submitted by user dhill: lprm dhill


Remove all submitted jobs: lprm -a (or simply lprm -)

It is possible to remove a specific spooled job by referencing the job number; this number is given by lpq.


lpc:

The Line Printer Control utility is used to control the print queues and the printers. The print queues can be disabled or enabled. Notice that lprm on the other hand can remove jobs from the queue but doesn’t stop the queue.

One can either use lpc interactively (lpc has its own prompt), or on the command line.

Here is the output of lpc help:

CMD: /usr/sbin/lpc help
Commands may be abbreviated. Commands are:
abort   enable  disable help    restart status  topq    ?
clean   exit    down    quit    start   stop    up

The enable/disable/topq/up options relate to queues.
The start/stop/down options relate to printers.

4. The configuration files

/etc/printcap

As seen earlier in the chapter, this file defines all printers and queues that the system can use (remote and local).

The default printer can be specified with either the LPDEST or the PRINTER variable:

PRINTER=lp

If no environment variable is set the default printer is the first printer defined in /etc/printcap.

The main definitions are:

lp    device name, usually /dev/lp0 for the parallel port
mx    maximum file size (zero = no limit)
sd    spool directory (/var/spool/lpd/<queue>/)
if    input filter
rm    remote host address or IP
rp    remote queue name

If this file is modified you will need to restart the lpd daemon.
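A small reader for the /etc/printcap format, covering both the remote-queue entry shown in section 2 and the field definitions just listed. It is an added example of mine, not part of the course notes or of any lpd implementation, and assumes the layout the chapter shows: one entry per queue, aliases separated by '|' before the first ':', fields separated by ':' in the forms name (boolean flag), name=value and name#number, and continuation lines ending in a backslash. The sample file and the filter path in it are constructed; the helper names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the course notes): read fields out of /etc/printcap
# entries, e.g. to answer "which filter is used, how is the remote host
# defined?" from a script. Helper names are hypothetical.

# printcap_join FILE: print each printcap entry on one line, dropping
# comments and blank lines and folding backslash continuations.
printcap_join() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            if (line ~ /\\$/) { sub(/\\$/, "", line); buf = buf line; next }
            print buf line
            buf = ""
        }
    ' "$1"
}

# printcap_field FILE QUEUE FIELD
# Prints FIELD for QUEUE: the value of a name=value field, the number of a
# name#number field, or "yes" for a bare boolean flag such as sh. QUEUE may
# be any of the entry's aliases. Exit status 1 if the queue or field is absent.
printcap_field() {
    printcap_join "$1" | awk -F: -v queue="$2" -v field="$3" '
        {
            n = split($1, names, "|")
            hit = 0
            for (i = 1; i <= n; i++) if (names[i] == queue) hit = 1
            if (!hit) next
            for (i = 2; i <= NF; i++) {
                f = $i
                if (f == field)               { print "yes"; found = 1; exit }
                if (index(f, field "=") == 1) { print substr(f, length(field) + 2); found = 1; exit }
                if (index(f, field "#") == 1) { print substr(f, length(field) + 2); found = 1; exit }
            }
        }
        END { exit found ? 0 : 1 }
    '
}

# Constructed printcap: the remote queue from the text plus a local queue
# with an input filter (the filter path is made up for the example).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# remote queue on the print server
lp:\
    :sd=/var/spool/lpd/lp:\
    :mx#0:\
    :sh:\
    :rm=192.168.1.20:\
    :rp=lp:

# local queue on the parallel port, with a filter
raw|parallel:\
    :lp=/dev/lp0:\
    :sd=/var/spool/lpd/raw:\
    :if=/usr/local/bin/ascii-filter:
EOF

echo "queue lp prints on host $(printcap_field "$sample" lp rm), remote queue $(printcap_field "$sample" lp rp)"
```

Run against the real /etc/printcap, printcap_field FILE QUEUE if shows at once whether a queue filters locally (a path is printed) or relies on the remote host (exit status 1, as for the lp entry above).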

/etc/lpd.conf

This is a very lengthy file and by default all options are commented out. This file is used if an administrator wishes to have more control over printing (e.g. remote access authentication, user permissions ...).

/etc/lpd.perms

This file controls permissions for the lpc, lpq and lprm utilities. In particular you can grant users the right to dequeue their current job (using the lprm tool) with the line:

ACCEPT SERVICE=M SAMEHOST SAMEUSER

LPRng uses a system of keys to shorten the entries in lpd.perms. This is however not very easy to understand. For example the service 'M' corresponds to lprm in the above line.

Sample /etc/lpd.perms file:

## Permissions are checked by the use of 'keys' and matches. For each of
## the following LPR activities, the following keys have a value.
##
## Key           Match  Connect  Job    Job    LPQ   LPRM  LPC
##                               Spool  Print
## SERVICE       S      'X'      'R'    'P'    'Q'   'M'   'C'
## USER          S      -        JUSR   JUSR   JUSR  JUSR  JUSR
## HOST          S      RH       JH     JH     JH    JH    JH
## GROUP         S      -        JUSR   JUSR   JUSR  JUSR  JUSR
## IP            IP     RIP      JIP    JIP    RIP   JIP   JIP
## PORT          N      PORT     PORT   -      PORT  PORT  PORT
## REMOTEUSER    S      -        JUSR   JUSR   JUSR  CUSR  CUSR
## REMOTEHOST    S      RH       RH     JH     RH    RH    RH
## REMOTEGROUP   S      -        JUSR   JUSR   JUSR  CUSR  CUSR
## REMOTEIP      IP     RIP      RIP    JIP    RIP   RIP   RIP
## CONTROLLINE   S      -        CL     CL     CL    CL    CL
## PRINTER       S      -        PR     PR     PR    PR    PR
## FORWARD       V      -        SA     -      -     SA    SA
## SAMEHOST      V      -        SA     -      SA    SA    SA
## SAMEUSER      V      -        -      -      SU    SU    SU
## SERVER        V      -        SV     -      SV    SV    SV
## LPC           S      -        -      -      -     -     LPC
## AUTH          V      -        AU     AU     AU    AU    AU
## AUTHTYPE      S      -        AU     AU     AU    AU    AU
## AUTHUSER      S      -        AU     AU     AU    AU    AU
## AUTHFROM      S      -        AU     AU     AU    AU    AU
## AUTHSAMEUSER  S      -        AU     AU     AU    AU    AU
##
## KEY:
## JH = HOST host in control file
## RH = REMOTEHOST connecting host name
## JUSR = USER user in control file
## AUTH will match (true) if authenticated transfer
## AUTHTYPE will match authentication type
## AUTHUSER will match client authentication type
## AUTHFROM will match server authentication type and is NULL if not from server
## AUTHSAMEUSER will match client authentication to save authentication in job
##
## Example Permissions
##
## # All operations allowed except those specifically forbidden
## DEFAULT ACCEPT
##
## #Reject connections from hosts not on subnet 130.191.0.0
## # or Engineering pc's
## REJECT SERVICE=X NOT REMOTEIP=130.191.0.0/255.255.0.0
## REJECT SERVICE=X NOT REMOTEHOST=engpc*
##
## #Do not allow anybody but root or papowell on
## #astart1.astart.com or the server to use control
## #facilities.
## ACCEPT SERVICE=C SERVER REMOTEUSER=root
## ACCEPT SERVICE=C REMOTEHOST=astart1.astart.com REMOTEUSER=papowell
##
## #Allow root on talker.astart.com to control printer hpjet
## ACCEPT SERVICE=C HOST=talker.astart.com PRINTER=hpjet REMOTEUSER=root
## #Reject all others
## REJECT SERVICE=C
##
## #Do not allow forwarded jobs or requests
## REJECT SERVICE=R,C,M FORWARD
##
#
# allow root on server to control jobs
ACCEPT SERVICE=C SERVER REMOTEUSER=root
# allow anybody to get server, status, and printcap
ACCEPT SERVICE=C LPC=lpd,status,printcap
# reject all others
REJECT SERVICE=C
#
# allow same user on originating host to remove a job
ACCEPT SERVICE=M SAMEHOST SAMEUSER
# allow root on server to remove a job
ACCEPT SERVICE=M SERVER REMOTEUSER=root
REJECT SERVICE=M
# all other operations allowed
DEFAULT ACCEPT
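To make the key system easier to follow, here is a tiny evaluator for the uncommented rules of the sample above, written by me as an added example; it is not LPRng's permission code and covers only a subset of its features. It assumes the rules are tried in order and the first ACCEPT or REJECT whose conditions all hold decides (the sample's "accept specific cases, then reject all others" layout relies on this), with DEFAULT as the fallback. A request is modelled as a list of KEY=value pairs (SERVICE=C, REMOTEUSER=root, LPC=status) and bare flags that are true for the request (SERVER, SAMEHOST, SAMEUSER). Conditions are KEY=v1,v2 (match if the request's value is in the list), a bare KEY (match if the flag is set) and NOT before either; values are compared exactly, so wildcards such as engpc* and IP/netmask matching are not handled. The sample file is constructed inside the script.

```shell
#!/bin/sh
# Added example (not from the course notes, not LPRng's own code): evaluate
# a request against a lpd.perms-style rule file, first match wins, DEFAULT
# as fallback. Helper name is hypothetical.

# lpdperms_decide FILE KEY=value|FLAG ...
# Prints "ACCEPT line N", "REJECT line N" or "<verdict> DEFAULT"; prints
# "no match" and exits 1 when nothing matches and no DEFAULT is given.
lpdperms_decide() {
    file=$1; shift
    awk -v req="$*" '
        BEGIN {                                  # parse the request into have[]
            n = split(req, parts, " ")
            for (i = 1; i <= n; i++) {
                eq = index(parts[i], "=")
                if (eq) have[substr(parts[i], 1, eq - 1)] = substr(parts[i], eq + 1)
                else    have[parts[i]] = "1"
            }
        }
        /^[[:space:]]*#/ || NF == 0 { next }     # comments and blank lines
        $1 == "DEFAULT" { dflt = $2; next }
        verdict == "" && ($1 == "ACCEPT" || $1 == "REJECT") {
            ok = 1
            for (i = 2; i <= NF && ok; i++) {
                neg = 0
                cond = $i
                if (cond == "NOT") { neg = 1; i++; cond = $i }
                eq = index(cond, "=")
                if (eq) {                        # KEY=v1,v2,...
                    key = substr(cond, 1, eq - 1)
                    m = split(substr(cond, eq + 1), vals, ",")
                    hit = 0
                    for (j = 1; j <= m; j++)
                        if ((key in have) && have[key] == vals[j]) hit = 1
                } else {                         # bare flag such as SERVER
                    hit = (cond in have)
                }
                if (neg) hit = !hit
                if (!hit) ok = 0
            }
            if (ok) { verdict = $1; where = "line " NR }
        }
        END {
            if (verdict == "" && dflt != "") { verdict = dflt; where = "DEFAULT" }
            if (verdict == "") { print "no match"; exit 1 }
            print verdict, where
        }
    ' "$file"
}

# Constructed rule file: the active (uncommented) rules of the sample.
rules=$(mktemp)
cat > "$rules" <<'EOF'
# allow root on server to control jobs
ACCEPT SERVICE=C SERVER REMOTEUSER=root
# allow anybody to get server, status, and printcap
ACCEPT SERVICE=C LPC=lpd,status,printcap
# reject all others
REJECT SERVICE=C
# allow same user on originating host to remove a job
ACCEPT SERVICE=M SAMEHOST SAMEUSER
# allow root on server to remove a job
ACCEPT SERVICE=M SERVER REMOTEUSER=root
REJECT SERVICE=M
# all other operations allowed
DEFAULT ACCEPT
EOF

echo "remote user stopping a printer: $(lpdperms_decide "$rules" SERVICE=C REMOTEUSER=alice LPC=stop)"
echo "user removing own job:          $(lpdperms_decide "$rules" SERVICE=M SAMEHOST SAMEUSER)"
```

The two printed cases show why the order matters: a remote user asking lpc to stop a printer falls through the two ACCEPT lines to "REJECT SERVICE=C", while lprm from the same user on the originating host is accepted before the "REJECT SERVICE=M" line is reached. Swapping a REJECT above its ACCEPT exceptions would silently lock everyone out.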

/etc/hosts.{lpd,equiv}

These files were used by the LPR printing suite and presented a security risk. When running a print server you needed to specify which hosts could access the printer in /etc/hosts.lpd. You also needed to add the hosts to /etc/hosts.equiv.

These files are now replaced in LPRng by the /etc/lpd.perms file.


5. Exercises

1. Start printtool and create a new local queue called lp.

2. Customise the device /dev/tty10 as the printer device (remember to do chmod 666 /dev/tty10 to allow printing on this device). You now have a virtual printer on your system!

3. Send jobs to the print queue using lpr and pr (pre-formatting tool).

4. With your system's print tool, define different remote queues:

   - a UNIX queue
   - a SMB queue

   If you are the server, make sure the appropriate rules are defined in /etc/lpd.perms.

   In each case:
   - check the /etc/printcap file. Which filter is used? How is the remote host defined?
   - check the /var/spool/lpd/ directory.

5. Stop the various printer queues and printers with lpc.

6. Check the contents of each queue with lpq.

7. De-queue selected jobs with lprm.
