
Study Guide for

Linux System Administration II


Lab work for LPI 102 (RPM)

released under the GFDL by LinuxIT

Licence Agreement
__________________________________________________________________________

Copyright (c) 2003 LinuxIT. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with the Invariant Sections being History, Acknowledgements, with the Front-Cover Texts being "released under the GFDL by LinuxIT".

GNU Free Documentation License Version 1.2, November 2002


Copyright (C) 2000,2001,2002 Free Software Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.

0. PREAMBLE

The purpose of this License is to make a manual, textbook, or other functional and useful document "free" in the sense of freedom: to assure everyone the effective freedom to copy and redistribute it, with or without modifying it, either commercially or noncommercially. Secondarily, this License preserves for the author and publisher a way to get credit for their work, while not being considered responsible for modifications made by others.

This License is a kind of "copyleft", which means that derivative works of the document must themselves be free in the same sense. It complements the GNU General Public License, which is a copyleft license designed for free software.

We have designed this License in order to use it for manuals for free software, because free software needs free documentation: a free program should come with manuals providing the same freedoms that the software does. But this License is not limited to software manuals; it can be used for any textual work, regardless of subject matter or whether it is published as a printed book. We recommend this License principally for works whose purpose is instruction or reference.

1. APPLICABILITY AND DEFINITIONS

This License applies to any manual or other work, in any medium, that contains a notice placed by the copyright holder saying it can be distributed under the terms of this License. Such a notice grants a world-wide, royalty-free license, unlimited in duration, to use that work under the conditions stated herein. The "Document", below, refers to any such manual or work. Any member of the public is a licensee, and is addressed as "you". You accept the license if you copy, modify or distribute the work in a way requiring permission under copyright law.
A "Modified Version" of the Document means any work containing the Document or a portion of it, either copied verbatim, or with modifications and/or translated into another language.

A "Secondary Section" is a named appendix or a front-matter section of the Document that deals exclusively with the relationship of the publishers or authors of the Document to the Document's overall subject (or to related matters) and contains nothing that could fall directly within that overall subject. (Thus, if the Document is in part a textbook of mathematics, a Secondary Section may not explain any mathematics.) The relationship could be a matter of historical connection with the subject or with related matters, or of legal, commercial, philosophical, ethical or political position regarding them.

The "Invariant Sections" are certain Secondary Sections whose titles are designated, as being those of Invariant Sections, in the notice that says that the Document is released under this License. If a section does not fit the above definition of Secondary then it is not allowed to be designated as Invariant. The Document may contain zero Invariant Sections. If the Document does not identify any Invariant Sections then there are none.

The "Cover Texts" are certain short passages of text that are listed, as Front-Cover Texts or Back-Cover Texts, in the notice that says that the Document is released under this License. A Front-Cover Text may be at most 5 words, and a Back-Cover Text may be at most 25 words.

A "Transparent" copy of the Document means a machine-readable copy, represented in a format whose specification is available to the general public, that is suitable for revising the document straightforwardly with generic text editors or (for images composed of pixels) generic paint programs or (for drawings) some widely available drawing editor, and that is suitable for input to text formatters or for automatic translation to a variety of formats suitable for input to text formatters. A copy made in an otherwise Transparent file format whose markup, or absence of markup, has been arranged to thwart or discourage subsequent modification by readers is not Transparent. An image format is not Transparent if used for any substantial amount of text. A copy that is not "Transparent" is called "Opaque".

Examples of suitable formats for Transparent copies include plain ASCII without markup, Texinfo input format, LaTeX input format, SGML or XML using a publicly available DTD, and standard-conforming simple HTML, PostScript or PDF designed for human modification. Examples of transparent image formats include PNG, XCF and JPG. Opaque formats include proprietary formats that can be read and edited only by proprietary word processors, SGML or XML for which the DTD and/or processing tools are not generally available, and the machine-generated HTML, PostScript or PDF produced by some word processors for output purposes only.

The "Title Page" means, for a printed book, the title page itself, plus such following pages as are needed to hold, legibly, the material this License requires to appear in the title page. For works in formats which do not have any title page as such, "Title Page" means the text near the most prominent appearance of the work's title, preceding the beginning of the body of the text.
A section "Entitled XYZ" means a named subunit of the Document whose title either is precisely XYZ or contains XYZ in parentheses following text that translates XYZ in another language. (Here XYZ stands for a specific section name mentioned below, such as "Acknowledgements", "Dedications", "Endorsements", or "History".) To "Preserve the Title" of such a section when you modify the Document means that it remains a section "Entitled XYZ" according to this definition.

The Document may include Warranty Disclaimers next to the notice which states that this License applies to the Document. These Warranty Disclaimers are considered to be included by reference in this License, but only as regards disclaiming warranties: any other implication that these Warranty Disclaimers may have is void and has no effect on the meaning of this License.

2. VERBATIM COPYING

You may copy and distribute the Document in any medium, either commercially or noncommercially, provided that this License, the copyright notices, and the license notice saying this License applies to the Document are reproduced in all copies, and that you add no other conditions whatsoever to those of this License. You may not use technical measures to obstruct or control the reading or further copying of the copies you make or distribute. However, you may accept compensation in exchange for copies. If you distribute a large enough number of copies you must also follow the conditions in section 3.

You may also lend copies, under the same conditions stated above, and you may publicly display copies.

3. COPYING IN QUANTITY

If you publish printed copies (or copies in media that commonly have printed covers) of the Document, numbering more than 100, and the Document's license notice requires Cover Texts, you must enclose the copies in covers that carry, clearly and legibly, all these Cover Texts: Front-Cover Texts on the front cover, and Back-Cover Texts on the back cover. Both covers must also clearly and legibly identify you as the publisher of these copies. The front cover must present the full title with all words of the title equally prominent and visible. You may add other material on the covers in addition. Copying with changes limited to the covers, as long as they preserve the title of the Document and satisfy these conditions, can be treated as verbatim copying in other respects.

If the required texts for either cover are too voluminous to fit legibly, you should put the first ones listed (as many as fit reasonably) on the actual cover, and continue the rest onto adjacent pages.

If you publish or distribute Opaque copies of the Document numbering more than 100, you must either include a machine-readable Transparent copy along with each Opaque copy, or state in or with each Opaque copy a computer-network location from which the general network-using public has access to download using public-standard network protocols a complete Transparent copy of the Document, free of added material. If you use the latter option, you must take reasonably prudent steps, when you begin distribution of Opaque copies in quantity, to ensure that this Transparent copy will remain thus accessible at the stated location until at least one year after the last time you distribute an Opaque copy (directly or through your agents or retailers) of that edition to the public.

It is requested, but not required, that you contact the authors of the Document well before redistributing any large number of copies, to give them a chance to provide you with an updated version of the Document.

4. MODIFICATIONS

You may copy and distribute a Modified Version of the Document under the conditions of sections 2 and 3 above, provided that you release the Modified Version under precisely this License, with the Modified Version filling the role of the Document, thus licensing distribution and modification of the Modified Version to whoever possesses a copy of it. In addition, you must do these things in the Modified Version:

A. Use in the Title Page (and on the covers, if any) a title distinct from that of the Document, and from those of previous versions (which should, if there were any, be listed in the History section of the Document). You may use the same title as a previous version if the original publisher of that version gives permission.
B. List on the Title Page, as authors, one or more persons or entities responsible for authorship of the modifications in the Modified Version, together with at least five of the principal authors of the Document (all of its principal authors, if it has fewer than five), unless they release you from this requirement.
C. State on the Title page the name of the publisher of the Modified Version, as the publisher.
D. Preserve all the copyright notices of the Document.
E. Add an appropriate copyright notice for your modifications adjacent to the other copyright notices.
F. Include, immediately after the copyright notices, a license notice giving the public permission to use the Modified Version under the terms of this License, in the form shown in the Addendum below.
G. Preserve in that license notice the full lists of Invariant Sections and required Cover Texts given in the Document's license notice.
H. Include an unaltered copy of this License.
I. Preserve the section Entitled "History", Preserve its Title, and add to it an item stating at least the title, year, new authors, and publisher of the Modified Version as given on the Title Page. If there is no section Entitled "History" in the Document, create one stating the title, year, authors, and publisher of the Document as given on its Title Page, then add an item describing the Modified Version as stated in the previous sentence.
J. Preserve the network location, if any, given in the Document for public access to a Transparent copy of the Document, and likewise the network locations given in the Document for previous versions it was based on. These may be placed in the "History" section. You may omit a network location for a work that was published at least four years before the Document itself, or if the original publisher of the version it refers to gives permission.
K. For any section Entitled "Acknowledgements" or "Dedications", Preserve the Title of the section, and preserve in the section all the substance and tone of each of the contributor acknowledgements and/or dedications given therein.
L. Preserve all the Invariant Sections of the Document, unaltered in their text and in their titles. Section numbers or the equivalent are not considered part of the section titles.
M. Delete any section Entitled "Endorsements". Such a section may not be included in the Modified Version.
N. Do not retitle any existing section to be Entitled "Endorsements" or to conflict in title with any Invariant Section.
O. Preserve any Warranty Disclaimers.

If the Modified Version includes new front-matter sections or appendices that qualify as Secondary Sections and contain no material copied from the Document, you may at your option designate some or all of these sections as invariant. To do this, add their titles to the list of Invariant Sections in the Modified Version's license notice. These titles must be distinct from any other section titles. You may add a section Entitled "Endorsements", provided it contains nothing but endorsements of your Modified Version by various parties--for example, statements of peer review or that the text has been approved by an organization as the authoritative definition of a standard. You may add a passage of up to five words as a Front-Cover Text, and a passage of up to 25 words as a Back-Cover Text, to the end of the list of Cover Texts in the Modified Version. Only one passage of Front-Cover Text and one of Back-Cover Text may be added by (or through arrangements made by) any one entity. If the Document already includes a cover text for the same cover, previously added by you or by arrangement made by the same entity you are acting on behalf of, you may not add another; but you may replace the old one, on explicit permission from the previous publisher that added the old one.

The author(s) and publisher(s) of the Document do not by this License give permission to use their names for publicity for or to assert or imply endorsement of any Modified Version.

5. COMBINING DOCUMENTS

You may combine the Document with other documents released under this License, under the terms defined in section 4 above for modified versions, provided that you include in the combination all of the Invariant Sections of all of the original documents, unmodified, and list them all as Invariant Sections of your combined work in its license notice, and that you preserve all their Warranty Disclaimers.

The combined work need only contain one copy of this License, and multiple identical Invariant Sections may be replaced with a single copy. If there are multiple Invariant Sections with the same name but different contents, make the title of each such section unique by adding at the end of it, in parentheses, the name of the original author or publisher of that section if known, or else a unique number. Make the same adjustment to the section titles in the list of Invariant Sections in the license notice of the combined work.

In the combination, you must combine any sections Entitled "History" in the various original documents, forming one section Entitled "History"; likewise combine any sections Entitled "Acknowledgements", and any sections Entitled "Dedications". You must delete all sections Entitled "Endorsements."

6. COLLECTIONS OF DOCUMENTS

You may make a collection consisting of the Document and other documents released under this License, and replace the individual copies of this License in the various documents with a single copy that is included in the collection, provided that you follow the rules of this License for verbatim copying of each of the documents in all other respects.

You may extract a single document from such a collection, and distribute it individually under this License, provided you insert a copy of this License into the extracted document, and follow this License in all other respects regarding verbatim copying of that document.

7. AGGREGATION WITH INDEPENDENT WORKS

A compilation of the Document or its derivatives with other separate and independent documents or works, in or on a volume of a storage or distribution medium, is called an "aggregate" if the copyright resulting from the compilation is not used to limit the legal rights of the compilation's users beyond what the individual works permit. When the Document is included in an aggregate, this License does not apply to the other works in the aggregate which are not themselves derivative works of the Document.

If the Cover Text requirement of section 3 is applicable to these copies of the Document, then if the Document is less than one half of the entire aggregate, the Document's Cover Texts may be placed on covers that bracket the Document within the aggregate, or the electronic equivalent of covers if the Document is in electronic form. Otherwise they must appear on printed covers that bracket the whole aggregate.

8. TRANSLATION

Translation is considered a kind of modification, so you may distribute translations of the Document under the terms of section 4. Replacing Invariant Sections with translations requires special permission from their copyright holders, but you may include translations of some or all Invariant Sections in addition to the original versions of these Invariant Sections. You may include a translation of this License, and all the license notices in the Document, and any Warranty Disclaimers, provided that you also include the original English version of this License and the original versions of those notices and disclaimers. In case of a disagreement between the translation and the original version of this License or a notice or disclaimer, the original version will prevail.

If a section in the Document is Entitled "Acknowledgements", "Dedications", or "History", the requirement (section 4) to Preserve its Title (section 1) will typically require changing the actual title.

9. TERMINATION

You may not copy, modify, sublicense, or distribute the Document except as expressly provided for under this License. Any other attempt to copy, modify, sublicense or distribute the Document is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.

10. FUTURE REVISIONS OF THIS LICENSE

The Free Software Foundation may publish new, revised versions of the GNU Free Documentation License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. See http://www.gnu.org/copyleft/.

Each version of the License is given a distinguishing version number. If the Document specifies that a particular numbered version of this License "or any later version" applies to it, you have the option of following the terms and conditions either of that specified version or of any later version that has been published (not as a draft) by the Free Software Foundation. If the Document does not specify a version number of this License, you may choose any version ever published (not as a draft) by the Free Software Foundation.


LinuxIT Technical Education Centre Introduction


_______________________________________________________________________

Introduction: Acknowledgements
The original material was made available by LinuxIT's technical training centre www.linuxit.com. Many thanks to Andrew Meredith for suggesting the idea in the first place. A special thanks to all the students who have helped dilute the technical aspects of Linux administration through their many questions; this has led to the inclusion of more illustrations attempting to introduce concepts in a user-friendly way. Finally, many thanks to Paul McEnery for the technical advice and for starting off some of the most difficult chapters such as the ones covering the X server (101), modems (102), security (102) and the Linux kernel (102). The manual is available online at http://savannah.nongnu.org/projects/lpi-manuals/. Thank you to the Savannah Volunteers for assessing the project and providing us with the Web space.

History
First release (version 0.0) October 2003. Reviewed by Adrian Thomasset. Second release (revision 1) January 2003. Reviewed by Andrew Meredith.

Audience
This course is designed as a 3 to 4 day practical course preparing for the LPI 102 exam. It is recommended that candidates have at least one year's experience doing Linux administration professionally. However, for those who are ready for a challenge, the training is designed to provide as much insight and as many examples as possible to help non-specialists understand the basic concepts and command sets which form the core of Linux computing.

The LPI Certification Program


There are currently two LPI certification levels. The first level, LPIC-1, is granted after passing both exams LPI 101 and LPI 102. Similarly, passing the LPI 201 and LPI 202 exams will grant the second level certification, LPIC-2. There are no pre-requisites for LPI 101 and 102. However, the exams for LPIC-2 can only be attempted once LPIC-1 has been obtained.

No Guarantee
The manual comes with no guarantee at all.



Resources

www.lpi.org
www.linux-praxis.de
www.lpiforums.com
www.tldp.org
www.fsf.org
www.linuxit.com

Notations
Commands and filenames will appear in the text in bold. The <> symbols are used to indicate a non-optional argument. The [] symbols are used to indicate an optional argument. Commands that can be typed directly in the shell are highlighted as below

command

or

command



Table of Contents

Introduction
  Acknowledgements
  History
  Audience
  The LPI Certification Program
  No Guarantee
  Resources
  Notations

The Linux Kernel
  1. Kernel Concepts
  2. The Modular Kernel
  3. Routine Kernel Recompilation
  4. Exercises

Booting Linux
  1. Understanding Runlevels
  2. The Joys of inittab
  3. LILO the Linux boot Loader
  4. From boot to bash
  5. Exercises

Managing Groups and Users
  1. Creating new users
  2. Working with groups
  3. Configuration files
  4. Command options
  5. Modifying accounts and default settings
  6. Exercises

Network Configuration
  1. The Network Interface
  2. Host Information
  3. Stop and Start Networking
  4. Routing
  5. Common Network Tools
  6. Exercises

TCP/IP Networks
  1. Binary Numbers and the Dotted Quad
  2. Broadcast Address, Network Address and Netmask
  3. Network Classes
  4. Subnets
  5. The TCP/IP Suite
  6. TCP/IP Services and Ports
  7. Exercises

Network Services
  1. The inetd daemon (old)
  2. The xinetd Daemon
  3. TCP wrappers
  4. Setting up NFS
  5. SMB and NMB
  6. DNS services
  7. Sendmail main Configuration
  8. The Apache server
  9. Exercises

Bash Scripting
  1. The bash environment
  2. Scripting Essentials
  3. Logical evaluations
  4. Loops
  5. Expecting user input
  6. Working with Numbers
  7. Exercises

Basic Security
  1. Local Security
  2. Network Security
  3. The Secure Shell

_____________________________________________________________________ 10

LinuxIT Technical Education Centre

The Linux Kernel


1. Kernel Concepts
The two different types of Linux kernel are:

1) Monolithic
A monolithic kernel is one which has support for all hardware, network and filesystem drivers compiled into a single image file.

2) Modular
A modular kernel is one which has some drivers compiled as object files, which the kernel can load and remove on demand. Loadable modules are kept in /lib/modules.

The advantage of a modular kernel is that it does not always need to be recompiled when hardware is added or replaced on the system. Monolithic kernels boot slightly faster than modular kernels, but do not otherwise outperform a modular kernel.


2. The Modular Kernel

Many components of the Linux kernel may be compiled as modules which the kernel can dynamically load and remove as required. The modules for a particular kernel are stored in /lib/modules/<kernel-version>. The best components to modularise are ones not required at boot time, for example peripheral devices and supplementary file systems. Kernel modules are controlled by utilities supplied by the modutils package:

lsmod rmmod insmod modprobe modinfo

Many modules depend on the presence of other modules. A flat file database of module dependencies, /lib/modules/<kernel-version>/modules.dep, is generated by the depmod command. This command is run by the rc.sysinit script when booting the system. modprobe will load any module together with the dependent modules listed in modules.dep. /etc/modules.conf is consulted for module parameters (I/O ports and IRQs) but most often contains a list of aliases. These aliases allow applications to refer to a device using a common name. For example the first ethernet device is always referred to as eth0 and not by the name of the particular driver.

Fig1: Sample /etc/modules.conf file:

alias eth0 e100
alias usb-core usb-uhc
alias sound-slot-0 i810_audio
alias char-major-108 ppp_generic
alias ppp-compress-18 ppp_mppe

# 100Mbps full duplex
options eth0 e100_speed_duplex=4
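The dependency resolution that modprobe performs from modules.dep, as an added example that is not part of the LinuxIT guide. It builds a small constructed modules.dep (bare module names instead of the full paths a real file carries) and prints the order in which the modules have to be inserted, dependencies first; an unknown module or a dependency cycle is reported as an error instead of looping.

```shell
#!/bin/bash
# Added example (not taken from the LinuxIT guide): compute the order in which
# modprobe would insert modules from a modules.dep-style dependency file.
# Each line reads "module: dep1 dep2 ..."; real files carry full paths under
# /lib/modules/<kernel-version>, shortened to bare names here. The sample
# file is constructed.

make_modules_dep() {
    # Writes the constructed modules.dep to a temp file; prints its path.
    local f
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
usb-uhci: usbcore
usbcore:
e100: mii
mii:
ppp_mppe: ppp_generic
ppp_generic: slhc
slhc:
EOF
    printf '%s\n' "$f"
}

deps_of() {
    # deps_of DEPFILE MODULE -> direct dependencies of MODULE, space separated
    awk -v m="$2" '{ n = $1; sub(/:$/, "", n); if (n == m) { $1 = ""; print } }' "$1"
}

_visit() {
    # Depth-first walk: dependencies are appended to ORDER before the module
    # that needs them, so insmod-style loading in ORDER never hits an
    # unresolved symbol. VISITING catches a dependency cycle.
    local depfile=$1 mod=$2 d
    case " $ORDER " in *" $mod "*) return 0 ;; esac
    case " $VISITING " in *" $mod "*)
        printf 'error: dependency cycle at %s\n' "$mod" >&2; return 1 ;;
    esac
    grep -q "^$mod:" "$depfile" || {
        printf 'error: %s is not listed in %s\n' "$mod" "$depfile" >&2
        return 1
    }
    VISITING="$VISITING $mod"
    for d in $(deps_of "$depfile" "$mod"); do
        _visit "$depfile" "$d" || return 1
    done
    ORDER="$ORDER $mod"
}

load_order() {
    # load_order DEPFILE MODULE -> one module per line, in insertion order.
    ORDER="" VISITING=""
    _visit "$1" "$2" || return 1
    printf '%s\n' $ORDER   # unquoted on purpose: one word per line
}

# Demonstration with the constructed file.
depfile=$(make_modules_dep)
echo "modprobe ppp_mppe would insert, in order:"
load_order "$depfile" ppp_mppe
rm -f "$depfile"
```

Run against a real file, the same walk explains why insmod of a single object file fails with unresolved symbols while modprobe of the same name succeeds: the difference is only the dependency list consulted first.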


3. Routine Kernel Recompilation

3.1 Source extraction

The kernel source is stored in the /usr/src/linux directory tree, which is a symbolic link to the /usr/src/<kernel-version> directory. When extracting a new kernel source archive it is recommended to:

- remove the symbolic link to the old kernel source directory tree

  rm linux

  Kernel sources which have been packaged as an RPM often create a link called linux-2.4 instead.

- extract the new source archive (e.g. linux-2.4.20.tar.bz2)

  tar xjf linux-2.4.20.tar.bz2

  Note: The archived 2.2 series kernels create a directory called linux instead of linux-version. This is why the first step is important: otherwise you may overwrite an old source tree with the new one. Since kernel 2.4 the name of the directory is linux-version.

- create a symbolic link called linux to the newly created directory

  ln -s linux-2.4.20 linux

The kernel is almost ready to be configured now, but first we need to make sure that all old binary files are cleared out of the source tree. This is done with the make mrproper command.

Note: mrproper is a Scandinavian brand of cleaner that gets things "cleaner than clean"; it is one step beyond "make clean".
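The link-replacement step above, with the check the note asks for, as an added example (not the guide's own code). The function refuses to act when /usr/src/linux is a real directory rather than a symbolic link, which is the situation a 2.2-series archive creates and the one in which a blind rm -rf would destroy a source tree. SRCDIR stands in for /usr/src so the function can be tried in a scratch directory; the fixture it builds is constructed.

```shell
#!/bin/bash
# Added example, not from the LinuxIT guide: perform the "remove the old link,
# then link the new tree" steps of 3.1 with the check the note calls for.
# SRCDIR stands in for /usr/src so the function can be exercised in a scratch
# directory (the fixture below is constructed).

relink_kernel_source() {
    # relink_kernel_source SRCDIR VERSION
    # Points SRCDIR/linux at linux-VERSION. Refuses when "linux" is a real
    # directory rather than a symbolic link: that is the layout a 2.2-series
    # archive leaves behind, and removing it would destroy a source tree.
    local srcdir=$1 version=$2 link target
    link="$srcdir/linux"
    target="linux-$version"
    if [ -e "$link" ] && [ ! -L "$link" ]; then
        printf 'refusing: %s is a directory, not a symbolic link\n' "$link" >&2
        return 2
    fi
    if [ ! -d "$srcdir/$target" ]; then
        printf 'missing source tree %s/%s (extract the archive first)\n' \
            "$srcdir" "$target" >&2
        return 1
    fi
    rm -f "$link"                 # removes only the link, never the old tree
    ln -s "$target" "$link"       # relative target, as in: ln -s linux-2.4.20 linux
}

kernel_link_target() {
    # Prints where SRCDIR/linux points (empty if it is not a link).
    if [ -L "$1/linux" ]; then readlink "$1/linux"; fi
}

make_src_fixture() {
    # Constructed stand-in for /usr/src: an old 2.4.18 tree that "linux"
    # points to, plus a freshly extracted 2.4.20 tree. Prints the path.
    local d
    d=$(mktemp -d) || return 1
    mkdir -p "$d/linux-2.4.18/include" "$d/linux-2.4.20/include"
    ln -s linux-2.4.18 "$d/linux"
    printf '%s\n' "$d"
}

# Demonstration: switch the link, then show that a real directory is refused.
src=$(make_src_fixture)
relink_kernel_source "$src" 2.4.20 && echo "linux -> $(kernel_link_target "$src")"
rm -f "$src/linux" && mkdir "$src/linux"
relink_kernel_source "$src" 2.4.20 || echo "refused as expected (status $?)"
rm -rf "$src"
```

The same reasoning applies to tar itself: when linux is a symlink and a 2.2 archive is unpacked, tar follows the link and writes the new files into the old tree, which is why the link is removed before extraction rather than after.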

3.2 Kernel Configuration

First edit the Makefile and make sure that the "EXTRAVERSION" variable is different from the existing version:

VERSION = 2
PATCHLEVEL = 4
SUBLEVEL = 20
EXTRAVERSION = -test

The kernel is now ready to be configured. This essentially means creating a configuration file called .config. This is done from the kernel source tree directory /usr/src/linux with any of the following:

make menuconfig
make xconfig

make config

All these methods will save the configuration file as /usr/src/linux/.config

It is often easier to configure a new kernel using an older .config file with the make oldconfig command. This will prompt the user only for features that are new in the kernel source tree (if the kernel is newer or has been patched).

Notice: Some distributions such as RedHat have a configs subdirectory containing files to be used as .config files with predefined configurations.

To enable kernel features (with make menuconfig) you enter the top level category by moving with the arrow keys and pressing enter to access the desired category. Once in the particular category, pressing the space bar will change the kernel support for a feature or driver. Possible support types are:

supported (statically compiled)   [*]
modular (dynamically compiled)    [M]
not supported                     [ ]

The same choices are available with the other menu editors config and xconfig.

Fig 2: The make xconfig top level menu (screenshot not reproduced)

3.3 Kernel Compilation

make dep

Once the kernel configuration is complete, it is necessary to reflect these choices in all the subdirectories of the kernel source tree. This is done with the make dep command. Files called .depend containing paths to header files present in the kernel source tree (/usr/src/linux/include) are generated by the dep target.

make clean

The make command gets its instructions from the Makefile and will build what is needed. If some files are already present make will use them as they are, in particular files with the .o extension. To make sure that all the configuration options in .config are used to rebuild the files needed, one has to run make clean (this deletes *.o files).

Notice: you do not need to run "make clean" at this stage if you already prepared the source directory with "make mrproper".

The kernel itself is compiled with one of the commands:

make zImage
make bzImage

When the command exits without any errors, there will be a file in the /usr/src/linux/ directory called vmlinux. This is the uncompressed kernel. The two commands additionally write a file in /usr/src/linux/arch/i386/boot/ called zImage and bzImage respectively. These are compressed kernels using gzip and bzip2. See the next section, Installing the New Kernel, to find out how to proceed with these files.

make modules

The modules are compiled with make modules.

make modules_install

Once the modules are compiled they need to be copied to the corresponding subdirectory in /lib/modules. The make modules_install command will do that.

The sequence of commands is depicted in Fig 3.

Fig 3: kernel compilation commands:

make dep
make clean
make bzImage
make modules
make modules_install

3.4 Installing a New Kernel

The new kernel can be found in /usr/src/linux/arch/i386/boot/bzImage, depending on the architecture of your system. This file must be copied to the /boot directory and named vmlinuz-<full-kernel-version>:

cp /usr/src/linux/arch/i386/boot/bzImage /boot/vmlinuz-<full-kernel-version>

Next the /etc/lilo.conf or /boot/grub/grub.conf file needs to be edited to add our newly compiled kernel to the boot menu. Copy the "image" section from your existing kernel and add a new image section at the bottom of the file, as shown below:

Editing the /etc/lilo.conf file:

prompt
timeout=50
message=/boot/message

image=/boot/vmlinuz                           <- Existing section
        label=linux
        root=/dev/hda6
        read-only

image=/boot/vmlinuz-<full-kernel-version>     <- Added section
        label=linux-new
        root=/dev/hda6
        read-only
----------snip-------------------------------

The symbol table for the various kernel procedures can be copied to the /boot directory:

cp /usr/src/linux/System.map /boot/System.map-<full-kernel-version>

3.5 The full kernel version

On a system, the version of the running kernel can be printed out with

uname -r

This kernel version is also displayed on the virtual terminals if the \k option is present in /etc/issue.

3.6 Initial Ramdisks

If any dynamically compiled kernel modules are required at boot time (e.g. a SCSI driver, or the filesystem module for the root partition) they will be loaded using an initial ramdisk.

The initial ramdisk is created with the mkinitrd command, which takes only two parameters: the filename and the kernel version number. If you use an initial ramdisk you will also need to add an initrd= line to /etc/lilo.conf.
Example:

mkinitrd /boot/initrd-$(uname -r).img $(uname -r)

3.7 Optional
It is recommended to copy the /usr/src/linux/.config file to /boot/config-<full-kernel-version>, just to keep track of the capabilities of the different kernels that have been compiled.

3.8 Rerunning LILO

Finally lilo needs to be run in order to update the boot loader. First lilo can be run in test mode (lilo -t) to see if there are any errors in the configuration file.

NOTICE: The LILO bootloader needs to be updated by running lilo every time a change is made to /etc/lilo.conf.


4. Exercises
Before starting with the exercises make sure you don't have an existing kernel tree in /usr/src/. If you do, pay attention to the /usr/src/linux symbolic link.

1. Manually recompile the kernel following the compilation steps.
- Get the kernel-version.src.rpm package from rpmfind or a CD. Installing this package will also give you a list of dependencies, such as the gcc compiler or the binutils package, if they haven't yet been met.
- Install the package with rpm -i (this will put all the code in /usr/src/).
- Go into the /usr/src/linux-version directory and list the configs directory.
- Copy the kernel config file that matches your architecture into the current directory and call it .config.
- Run make oldconfig at the command line to take this new .config file into account.
- Edit the Makefile and make sure the version is not the same as your existing kernel. You can get information on your current kernel by running uname -a at the command line or by listing the /lib/modules directory.
- Run make menuconfig (or make config or make xconfig) and remove ISDN support from the kernel.
- When you exit the above program the .config file is altered but the changes have not yet been propagated to the rest of the source tree. You next need to run make dep.
- Finally, to force new object files (.o) to be compiled with these changes, delete all previously compiled code with make clean.
- You can now build the kernel and the modules and install the modules with: make bzImage modules modules_install
- The modules are now installed in the /lib/modules/version directory. The kernel is called bzImage and is in the following directory: /usr/src/linux/arch/i386/boot/ We need to manually install this kernel (2 steps):

(i) cp /usr/src/linux/arch/i386/boot/bzImage /boot/vmlinuz-<full-kernel-version>

(ii) That was easy! Now edit /etc/lilo.conf and add an 'image' paragraph that will tell LILO where to find this kernel and the root filesystem.
- Run /sbin/lilo and reboot.

2. Since we downloaded the kernel-version.src.rpm package we can now use this package to recompile a 'RedHat preconfigured' kernel. Notice that although no intervention is needed you won't be able to change the .config menu.
- First rebuild the compiled binary package with rpm --rebuild kernel-version.src.rpm (...wait!)
- This will eventually generate kernel-version.i386.rpm in /usr/src/redhat/RPMS/i386/.
- Next, upgrade your kernel with the RPM manager using the -U option.


Booting Linux

Overview
Taking a closer look at the booting process helps troubleshooting when dealing with both hardware and administrative tasks. We first focus on the role of the init program and its associated configuration file /etc/inittab. The role of LILO at boot time is investigated in greater depth. Finally we summarize the booting process. The document "From Power to Bash Prompt" written by Greg O'Keefe as well as the boot(7) manpage are both good references for this module.

1. Understanding Runlevels

Unlike most non-UNIX operating systems which only have 2 modes of functionality (on and off), UNIX operating systems, including Linux, have different runlevels such as a "maintenance" runlevel or a "multi-user" runlevel, etc. Runlevels are numbered from 0 to 6.

Listing 1: Linux runlevels
Runlevel 0 shuts down the machine safely, Runlevel 6 restarts the machine safely
Runlevel 1 is single user mode
Runlevel 2 is multi-user mode, but does not start NFS
Runlevel 3 is full multi-user mode
Runlevel 4 is not defined and generally unused
Runlevel 5 is like runlevel 3 but runs a Display Manager as well

Both init and telinit are used to switch from one runlevel to another. Remember that init is the first program launched after the kernel has been initialised at boot time. The PID of init is always 1.

Listing 2: The PID of init is always 1
[root@nasaspc /proc]# ps uax | grep init
USER       PID %CPU %MEM  VSZ  RSS TTY  STAT START TIME COMMAND
root         1  0.2  0.0 1368   52 ?    S    20:18 0:04 init [3]

At each runlevel the system will stop or start a set of specific services. These programs are kept in /etc/rc.d/init.d. This directory contains all the services that the system may run. Once these programs are launched they stay active until a new runlevel is called. These services are also called daemons.

Listing 3: List of typical services (or daemons) in /etc/rc.d/init.d:

ls /etc/rc.d/init.d
anacron    apmd       arpwatch   atd        autofs     crond      cups
dhcpd      functions  gpm        halt       httpd      identd     innd
ipchains   iptables   irda       isdn       kadmin     kdcrotate  keytable
killall    kprop      krb524     krb5kdc    kudzu      ldap       linuxconf
lpd        marsrv     mcserv     named      netfs      network    nfs
nfslock    nscd       ntpd       pcmcia     pgsql      portmap    pppoe
random     rawdevices rhnsd      rwhod      sendmail   single     smb
snmpd      squid      sshd       syslog     tux        xfs        xinetd

Note: It is possible to stop or start a given daemon in /etc/rc.d/init.d manually by giving the appropriate argument. For example if you want to restart the apache server you would type:

/etc/rc.d/init.d/httpd restart

When working with runlevels you instruct a specific predefined set of programs to run and another predefined set of programs to stop running. Say you want to be in runlevel 2, you would type

/sbin/init 2

This in turn forces init to read its configuration file /etc/inittab to find out what should happen at this runlevel. In particular (assuming we are switching to runlevel 2) the following line in inittab is executed:

l2:2:wait:/etc/rc.d/rc 2

If you look in /etc/inittab, the "/etc/rc.d/rc 2" command starts all services in /etc/rc.d/rc2.d whose names start with an S and stops the services whose names start with a K. These entries are symbolic links pointing to the rc-scripts in /etc/rc.d/init.d. If you don't want a process to run in a given runlevel N you can delete the corresponding symlink in /etc/rc.d/rcN.d beginning with a K.


2. The joys of inittab

As promised let's take a look at /etc/inittab. The file has the following structure:

id : runlevel : action : command

Figure 3: the /etc/inittab file:

id:3:initdefault:
# System initialization.
si::sysinit:/etc/rc.d/rc.sysinit
l0:0:wait:/etc/rc.d/rc 0
l1:1:wait:/etc/rc.d/rc 1
l2:2:wait:/etc/rc.d/rc 2
l3:3:wait:/etc/rc.d/rc 3
l4:4:wait:/etc/rc.d/rc 4
l5:5:wait:/etc/rc.d/rc 5
l6:6:wait:/etc/rc.d/rc 6
-----------------------snip--------------------------------
# Trap CTRL-ALT-DELETE
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
-----------------------snip--------------------------------
# Run gettys in standard runlevels
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
3:2345:respawn:/sbin/mingetty tty3
4:2345:respawn:/sbin/mingetty tty4
5:2345:respawn:/sbin/mingetty tty5
6:2345:respawn:/sbin/mingetty tty6
# Run xdm in runlevel 5
x:5:respawn:/etc/X11/prefdm -nodaemon

The id field can be anything. If a runlevel is specified then the command and the required action will be performed only at that specific runlevel. If no number is specified then the line is executed at any runlevel.

Recognisable features in the /etc/inittab file:

The default runlevel: this is set at the beginning of the file with the id id and the action initdefault. Notice that no command is given. This line simply tells init what the default runlevel is.

First program called by init: /etc/rc.d/rc.sysinit. This script sets system defaults such as the PATH variable, determines if networking is allowed, sets the hostname, etc.

Default runlevel services: If the default runlevel is 3 then only the line "l3" will be executed. The action is "wait": no other program is launched until all services in runlevel 3 are running.

The getty terminals: The lines with ids 1 to 6 launch the virtual terminals. This is where you can alter the number of virtual terminals.

1unle"el 0: The final line in initta! launches the Fwindow manager if runle,el 2 is reached. emarks> ". Lou can set a modem to listen for connections in initta! . If your modem is linked to :de,:tty5" then the following line will allow data connections <no fa*= after % rings> +(L(23M4Lrespa,nL sbin mgetty 1& 1x 2 de* tty+(

%. 4hen making changes to /etc/initta! you need to force init to reread this configuration file. This is most easily done using>

sbin init P
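The two questions this section and the previous one answer, read off the files by a script, as an added example that is not part of the guide: which inittab entries init acts on when it enters a runlevel (those naming the level in the second field plus those with an empty second field, such as sysinit and ctrlaltdel), and which services the /etc/rc.d/rc script stops and starts from an rcN.d directory (K links first, then S links). The inittab and the rc3.d directory it reads are constructed in temporary files; the real /etc/inittab is not touched.

```shell
#!/bin/bash
# Added example (not from the LinuxIT guide): read an inittab in the
# id:runlevels:action:process format and an rcN.d directory, and answer what
# init does when it enters a runlevel. Both the inittab and the rc3.d
# directory are constructed here; the real /etc/inittab is not touched.

make_inittab() {
    local f
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
id:3:initdefault:
# System initialization.
si::sysinit:/etc/rc.d/rc.sysinit
l0:0:wait:/etc/rc.d/rc 0
l3:3:wait:/etc/rc.d/rc 3
l5:5:wait:/etc/rc.d/rc 5
l6:6:wait:/etc/rc.d/rc 6
# Trap CTRL-ALT-DELETE
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
# Run gettys in standard runlevels
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
# Run xdm in runlevel 5
x:5:respawn:/etc/X11/prefdm -nodaemon
EOF
    printf '%s\n' "$f"
}

inittab_entries() {
    # Drops comment and blank lines; everything else is id:rl:action:process.
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$'
}

inittab_default_runlevel() {
    inittab_entries "$1" | awk -F: '$3 == "initdefault" { print $2; exit }'
}

inittab_active() {
    # inittab_active FILE RUNLEVEL -> ids of the entries init acts on at that
    # runlevel: those naming it in field 2, plus those with an empty field 2,
    # which apply at every runlevel (sysinit, ctrlaltdel ...).
    inittab_entries "$1" | awk -F: -v rl="$2" \
        '$3 != "initdefault" && ($2 == "" || index($2, rl) > 0) { print $1 }'
}

inittab_ctrlaltdel() {
    # Prints the command bound to Ctrl-Alt-Del, or nothing if it is not trapped.
    inittab_entries "$1" | awk -F: '$3 == "ctrlaltdel" {
        sub(/^[^:]*:[^:]*:[^:]*:/, ""); print; exit }'
}

make_rc_dir() {
    # Constructed /etc/rc.d look-alike with an rc3.d directory; prints rc3.d.
    local d s
    d=$(mktemp -d) || return 1
    mkdir -p "$d/init.d" "$d/rc3.d"
    for s in network sshd httpd isdn; do
        printf '#!/bin/sh\necho "%s $1"\n' "$s" > "$d/init.d/$s"
    done
    ln -s ../init.d/isdn    "$d/rc3.d/K10isdn"
    ln -s ../init.d/network "$d/rc3.d/S10network"
    ln -s ../init.d/sshd    "$d/rc3.d/S55sshd"
    ln -s ../init.d/httpd   "$d/rc3.d/S85httpd"
    printf '%s\n' "$d/rc3.d"
}

rc_plan() {
    # rc_plan RCDIR -> "stop NAME" then "start NAME" lines in the order
    # /etc/rc.d/rc handles them: every K link first (stop), then every S link
    # (start), each sorted by the two-digit number after the letter. Removing
    # an S link is therefore what keeps a service from starting at that level.
    local l
    for l in "$1"/K*; do
        [ -L "$l" ] && printf 'stop %s\n' "$(basename "$(readlink "$l")")"
    done
    for l in "$1"/S*; do
        [ -L "$l" ] && printf 'start %s\n' "$(basename "$(readlink "$l")")"
    done
    return 0
}

# Demonstration with the constructed files.
tab=$(make_inittab); rc=$(make_rc_dir)
echo "default runlevel: $(inittab_default_runlevel "$tab")"
echo "entries at runlevel 3: $(inittab_active "$tab" 3 | tr '\n' ' ')"
rc_plan "$rc"
rm -rf "$tab" "$(dirname "$rc")"
```

inittab_ctrlaltdel is the check to run after editing the file for exercise 2 of this module: an entry with an empty runlevels field applies at every level, so restricting the trap to runlevel 3 means putting a 3 in that field, and the function shows whether the trap is present at all.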

3. LILO the Linux boot Loader

Information needed by the loader is updated by /sbin/lilo (the bootloader installer) which in turn reads its configuration file /etc/lilo.conf. During bootup LILO needs to know essential information such as where the kernel is kept (usually in /boot) and where the filesystem root partition is. LILO has no understanding of filesystem layout or of where things are, only of offsets on the physical disks. If you are installing a second Linux distribution B that is not running while setting up lilo.conf, you will need to mount partitions such as the /boot partition of B. You must also keep track of where B's root partition is.

init parameters: Likewise, LILO can also pass runlevel parameters to init. Once the kernel is loaded, init takes over the booting process. If no parameters are given, init will launch the default runlevel specified in /etc/inittab.

Passing runlevel instructions to init at the LILO prompt:

boot: linux s

Passing Kernel parameters:

Parameters for the kernel can be passed at the LILO prompt or specified in /etc/lilo.conf with the append option.

Examples:

append="pci=biosirq"
append="ram=16M"
append="/dev/hdc=ide-scsi"      (for CD writers)

Parameters passed to the kernel at boot time are intended for drivers that have been compiled into the kernel, and often help in detecting hardware. During bootup all kernel messages are logged to /var/log/dmesg by default. This file can either be read, or the kernel ring buffer can be flushed to stdout with the /bin/dmesg utility.

4. From boot to bash

We can now attempt to go through the steps a Linux system goes through while booting. If an initial ram disk is specified it is loaded here. Modules are inserted from the initial ram disk. The kernel is loaded from the medium specified in LILO's configuration. As it loads it is decompressed. The kernel then mounts the root (/) filesystem in accordance with the configuration it receives from LILO (usually read-only). Hence essential programs in /bin and /sbin are made available. The kernel then loads init, the first 'userspace' process.

Init reads /etc/inittab and follows its instructions. In particular rc.sysinit is run. A filesystem integrity check (fsck) is done on the filesystems in accordance with the entries in /etc/fstab. Next init goes into the default runlevel, the gettys start and the boot process is over. The login prompt is now managed by the gettys on the ttys. After the user has typed in their username and pressed return, /bin/login is started. The user is prompted by /bin/login for the password. The user enters a password and presses return. The password the user entered is compared to the password in /etc/passwd or /etc/shadow.


5. Exercises
Take a look at the boot(7) manpage; it covers most of what we did in this module.

1. Change the system's default runlevel to 3 and then 5.
   - How do you know your current runlevel?
2. Enable Ctrl+Alt+Del in runlevel 3 only.
3. Add a new login prompt on tty7.
   - How can you force init to read its configuration file?
4. Use dmesg to read the chipset of your ethernet card.
5. Investigate the differences between shutdown, halt and reboot.
   - Which option to shutdown will force an fsck at the next boot?
6. Use the tools chkconfig or ntsysv to disable the sshd daemon in runlevels 2, 3, 4 and 5. Verify that the symbolic links in the rc2.d, rc3.d, rc4.d and rc5.d directories have changed.
7. Reboot the system. At the boot prompt give the appropriate init= parameter to skip /sbin/init and start a simple bash session.


Managing Groups and Users

1. Creating new users
Step 1: Create an account
The /usr/sbin/useradd command adds new users to the system, and the symbolic link adduser points to it.
Syntax: useradd [options] login-name

Example: add a user with login-name rufus

useradd rufus

Default values will be used when no options are specified. You can list these values with useradd -D.

Default options listed with useradd -D:

GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel

Notice that this information is also available in the file /etc/default/useradd.

Step 2: Activate the account with a new password
To allow a user to access his or her account the administrator must allocate a password to the user using the passwd tool.
Syntax: passwd login-name

These steps create a new user. They have also defined the user's environment, such as a home directory and a default shell. The user has also been assigned to a group, his primary group.


2. Working with groups

Every new user is assigned to an initial (or primary) group. Two conventions exist. Traditionally this primary group is the same for all users and is called users, with a group id (GID) of 100. Many Linux distributions adhere to this convention, such as Suse and Debian. The User Private Group scheme (UPG) was introduced by RedHat and changes this convention without changing the way in which UNIX groups work. With UPG each new user belongs to their own primary group. The group has the same name as the login-name (by default), and the GID is in the 500 to 60000 range (same as UIDs). As a consequence, when using the traditional scheme for groups the user's umask (see LPI 101) is set to 022, whereas in the UPG scheme the umask is set to 002.

Belonging to groups
A user can belong to any number of groups. However at any one time (when creating a file for example) only one group is the effective group. The list of all groups a user belongs to is obtained with either the groups or the id command.

Example for user root:

List all IDs:

id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),600(sales)

List all groups:

groups
root bin daemon sys adm disk wheel sales

Joining a group
Joining a group changes the user's effective group and starts a new session from which the user can then log out. This is done with the newgrp command.
Example: joining the sales group

newgrp sales

If the groups command is now issued, the first group on the list would no longer be root but sales.

Creating a new group
The groupadd tool is used to administer groups. This will add an entry in the /etc/group file.
Example: Create the group devel

groupadd devel

Adding a user to a group
Administration tasks can be carried out with the gpasswd tool. One can add (-a) or remove (-d) users from a group and assign an administrator (-A). The tool was originally designed to set a single password on a group, allowing members of the same group to log in with the same password. For security reasons this feature no longer works.
Example: Add rufus to the group devel

gpasswd -a rufus devel


3. Configuration files
The /etc/passwd and /etc/shadow files:
The names of all the users on the system are kept in /etc/passwd. This file has the following structure:

1. Login name
2. Password (or x if using a shadow file)
3. The UID
4. The GID
5. Text description for the user
6. The user's home directory
7. The user's shell

These 7 fields are separated by colons, as in the example below.

/etc/passwd entry with encrypted password:
george:$1$K05gMbOv$b7ryoKGTd2hDrW2sT.h:Dr G Micheal:/home/georges:/bin/bash

In order to hide the encrypted passwords from ordinary users you should use a shadow file. The /etc/shadow file then holds the user names and encrypted passwords and is readable only by root. If you don't have a shadow file in /etc then you should issue the following command:

/usr/sbin/pwconv        (passwd -> shadow)

This will leave an 'x' in the 2nd field of /etc/passwd and create the /etc/shadow file. If you don't wish to use shadow passwords you can revert with:

/usr/sbin/pwunconv      (shadow -> passwd)

Caution: When using a shadow password file the /etc/passwd file may be world readable (644) but the /etc/shadow file must be more restricted (600 or even 400). However, when using pwunconv make sure to change the permissions on /etc/passwd (600 or 400).

The /etc/group and gshadow files:
In the same way, information about groups is kept in /etc/group. This file has 4 fields separated by colons.

1. Group name
2. The group password (or x if a gshadow file exists)
3. The GID
4. A comma separated list of members

Example /etc/group entry:
java:x:550:jade,eric,rufus

As for users, there is a /etc/gshadow file that is created when using shadow group passwords. The utilities used to switch back and forth between shadow and non-shadow files are as follows:

/usr/sbin/grpconv       creates the /etc/gshadow file
/usr/sbin/grpunconv     deletes the gshadow file

The /etc/login.defs and /etc/skel/ files
The /etc/login.defs file contains the following information:

- the mail spool directory: MAIL_DIR
- password aging controls: PASS_MAX_DAYS, PASS_MIN_DAYS, PASS_MAX_LEN, PASS_WARN_AGE
- max/min values for automatic UID selection in useradd: UID_MIN, UID_MAX
- max/min values for automatic GID selection in groupadd: GID_MIN, GID_MAX
- automatically create a home directory with useradd: CREATE_HOME

The /etc/skel directory contains default files that will be copied to the home directory of newly created users: .bashrc, .bash_profile, ...

4. Command options
useradd (options)
-c    comment (Full Name)
-d    path to home directory
-g    initial group (GID). The GID must already exist
-G    comma separated list of supplementary groups
-u    user's UID
-s    user's default shell
-p    password (md5 encrypted, use quotes!)
-e    account expiry date
-k    the skel directory
-n    switch off the UPG group scheme

groupadd (options)
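How the id and groups output of section 2 is derived from the passwd and group files described here, as an added example that is not the guide's code. The functions read passwd- and group-format files directly (constructed copies in a temporary directory, never the real /etc files), rebuild the id(1) line for a user from the UID, primary GID and the member lists in the group file, and list the accounts whose passwd entry still carries a hash instead of an x, which is the condition pwconv exists to remove.

```shell
#!/bin/bash
# Added example (not the guide's code): reproduce what id(1) and groups(1)
# report by reading passwd- and group-format files directly, and list the
# accounts whose passwd entry still carries a hash instead of "x" (that is,
# pwconv has not been run or someone edited the file by hand). The two files
# are constructed and written to a temporary directory.

make_account_files() {
    # Prints "PASSWD_PATH GROUP_PATH".
    local d
    d=$(mktemp -d) || return 1
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
rufus:x:500:500:Rufus:/home/rufus:/bin/bash
george:$1$K05gMbOv$b7ryoKGTd2hDrW2sT.h:501:100:Dr G Micheal:/home/georges:/bin/bash
EOF
    cat > "$d/group" <<'EOF'
root:x:0:
bin:x:1:root
wheel:x:10:root,rufus
users:x:100:
rufus:x:500:
devel:x:550:rufus
sales:x:600:root,rufus
EOF
    printf '%s %s\n' "$d/passwd" "$d/group"
}

passwd_field() {
    # passwd_field PASSWD USER N -> field N (1-based) of USER's entry
    awk -F: -v u="$2" -v n="$3" '$1 == u { print $n; exit }' "$1"
}

group_name() {
    # group_name GROUP GID -> name of the group with that numeric id
    awk -F: -v g="$2" '$3 == g { print $1; exit }' "$1"
}

supplementary_groups() {
    # supplementary_groups GROUP USER GID -> "gid(name),..." for every group
    # whose member list (field 4) names USER, skipping the primary group.
    awk -F: -v u="$2" -v g="$3" '
        $3 == g { next }
        { n = split($4, m, ",")
          for (i = 1; i <= n; i++)
              if (m[i] == u) out = out (out == "" ? "" : ",") $3 "(" $1 ")" }
        END { print out }' "$1"
}

id_of() {
    # id_of PASSWD GROUP USER -> the line id(1) prints for USER
    local pw=$1 gr=$2 user=$3 uid gid primary extra
    uid=$(passwd_field "$pw" "$user" 3)
    [ -n "$uid" ] || { printf 'no such user: %s\n' "$user" >&2; return 1; }
    gid=$(passwd_field "$pw" "$user" 4)
    primary=$(group_name "$gr" "$gid")
    extra=$(supplementary_groups "$gr" "$user" "$gid")
    printf 'uid=%s(%s) gid=%s(%s) groups=%s(%s)%s\n' \
        "$uid" "$user" "$gid" "$primary" "$gid" "$primary" "${extra:+,$extra}"
}

unshadowed_users() {
    # Users whose password field in PASSWD is not "x": their hash sits in a
    # world-readable file, which is exactly what pwconv exists to prevent.
    awk -F: '$2 != "x" { print $1 }' "$1"
}

# Demonstration on the constructed files.
set -- $(make_account_files)
id_of "$1" "$2" rufus
echo "entries still holding a hash: $(unshadowed_users "$1" | tr '\n' ' ')"
rm -rf "$(dirname "$1")"
```

The member list in field 4 of the group file is where gpasswd -a writes, so after the groupadd and gpasswd examples above, supplementary_groups is the part of id that changes; the primary group comes only from field 4 of passwd.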

-g    assign a GID

5. Modifying accounts and default settings

All options available while creating a user or a group can be modified afterwards. The usermod utility has the following main options:

usermod (options)
-d    the user's home directory
-g    the user's initial GID
-l    the user's login name
-u    the user's UID
-s    the default shell

Notice that these options are the same as for useradd. Likewise, you can change details about a group with the groupmod utility. There are mainly two options:

groupmod (options)
-g    the GID
-n    the group name

Locking an account

A user's account can be locked by prefixing an exclamation mark to the user's password. This can also be done with the following command line tools:

Lock      passwd -l    usermod -L
Unlock    passwd -u    usermod -U

When using shadow passwords, replace the x with a *. A less useful option is to remove the password entirely with passwd -d. Finally, one can also assign /bin/false as the user's default shell in /etc/passwd.

Changing the password expiry dates:

By default a user's password is valid for 99999 days, that is 273.9 years (default PASS_MAX_DAYS). The user is warned for 7 days that his password will expire (default PASS_WARN_AGE) with the following message as he logs in:

Warning: your password will expire in 6 days

There is another password aging policy number called PASS_MIN_DAYS. This is the minimum number of days before a user can change his password; it is set to zero by default.

The chage tool allows an administrator to change all these options.
Usage: chage [ -l ] [ -m min_days ] [ -M max_days ] [ -W warn ] [ -I inactive ] [ -E expire ] [ -d last_day ] user

The first option, -l, lists the current policy values for a user. We will only discuss the -E option. This locks an account at a given date. The date is given either in UNIX days or in YYYY/MM/DD format. Notice that all these values are stored in the /etc/shadow file and can be edited directly.

Removing an account:
A user's account may be removed with the userdel command. To make sure that the user's home directory is also deleted use the -r option.

userdel -r jade
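The locking conventions of the previous subsection and the aging fields just described, read from a shadow-format file the way chage -l and login interpret them, as an added example that is not the guide's own code. Dates are days since 1970-01-01 as stored in the file, "today" is passed in as a number so results are reproducible, and the shadow file is constructed with placeholder strings in the hash field. The functions classify an entry as locked (leading !), without a password (empty field, the passwd -d case, where login succeeds with no password at all) or active, compute the days left before a password expires, reproduce the login warning, and check whether a chage -E expiry date has passed.

```shell
#!/bin/bash
# Added example (not the guide's own code): read the state and aging fields
# of a shadow-format file the way chage -l, login and passwd -S interpret
# them. Dates are days since 1970-01-01, as stored in the file; "today" is
# passed in so the results are reproducible. The file is constructed and the
# hashes in it are placeholders, not real password hashes.

make_shadow() {
    local f
    f=$(mktemp) || return 1
    # name:hash:lastchange:min:max:warn:inactive:expire:reserved
    cat > "$f" <<'EOF'
root:$1$fake$notarealhash0000000000:12000:0:99999:7:::
tux:$1$fake$notarealhash0000000000:12000:0:30:7:::
jade:!$1$fake$notarealhash0000000000:12000:0:30:7:::
guest::12000:0:99999:7:::
old:$1$fake$notarealhash0000000000:11900:0:90:7::12100:
EOF
    printf '%s\n' "$f"
}

shadow_field() {
    # shadow_field SHADOW USER N -> field N of USER's entry
    awk -F: -v u="$2" -v n="$3" '$1 == u { print $n; exit }' "$1"
}

account_state() {
    # account_state SHADOW USER -> locked | nopassword | active
    local hash
    hash=$(shadow_field "$1" "$2" 2)
    case "$hash" in
        '!'*|'*'*) echo locked ;;      # passwd -l / usermod -L put a "!" in front
        '')        echo nopassword ;;  # passwd -d: login succeeds with no password
        *)         echo active ;;
    esac
}

days_until_expiry() {
    # days_until_expiry SHADOW USER TODAY -> days left before the password
    # must be changed; negative means it has already expired; "never" when
    # PASS_MAX_DAYS is the 99999 default.
    local last max
    last=$(shadow_field "$1" "$2" 3)
    max=$(shadow_field "$1" "$2" 5)
    if [ -z "$max" ] || [ "$max" -ge 99999 ]; then echo never; return 0; fi
    echo $(( last + max - $3 ))
}

login_warning() {
    # login_warning SHADOW USER TODAY -> the message login prints during the
    # PASS_WARN_AGE window, nothing otherwise.
    local left warn
    left=$(days_until_expiry "$1" "$2" "$3")
    [ "$left" = never ] && return 0
    warn=$(shadow_field "$1" "$2" 6)
    if [ "$left" -ge 0 ] && [ "$left" -le "${warn:-7}" ]; then
        printf 'Warning: your password will expire in %s days\n' "$left"
    fi
    return 0
}

account_expired() {
    # account_expired SHADOW USER TODAY -> true if the chage -E date (field 8)
    # has passed; this locks the whole account, not just the password.
    local exp
    exp=$(shadow_field "$1" "$2" 8)
    [ -n "$exp" ] && [ "$exp" -lt "$3" ]
}

# Demonstration: day 12024 is the "today" used throughout.
shadow=$(make_shadow)
for u in root tux jade guest old; do
    printf '%-6s %-10s expires-in=%s\n' "$u" "$(account_state "$shadow" "$u")" \
        "$(days_until_expiry "$shadow" "$u" 12024)"
done
login_warning "$shadow" tux 12024
rm -f "$shadow"
```

Because the file is readable only by root, these checks have to run as root on a real system; the account_state output is the quick way to confirm that a lock applied with passwd -l or usermod -L actually landed in the file, and the nopassword case is the one to look for after any hand edit of /etc/shadow.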


6. Exercises

1. Creating users
   Use adduser to create a user called tux with user ID 600 and group ID 550.
   Use usermod to change this user's home directory. Does the new directory need to be created? Is the content of /etc/skel copied to the new directory? Can the contents of the old home directory still be accessed by user tux?
   Use usermod to add tux to the group wheel.

2. Working with groups
   Create a group called sales using groupadd. Add tux to this group using gpasswd. Login as tux and join the group sales using newgrp.

3. Configuration files
   Add a user to the system by editing /etc/passwd and /etc/group.
   Create a group called share and add user tux to this group by manually editing /etc/group.

4. Modifying an Account
   Change the expiry date for user tux's account using usermod.
   Lock the user's account (use tools or edit /etc/shadow ...).
   Prevent the user from logging in by changing the user's default shell to /bin/false.
   Change the PASS_MAX_DAYS for user tux to 1 in /etc/shadow.

5. Changing default settings
   Use useradd -D to change the system's default settings such that every new user will be assigned /bin/sh instead of /bin/bash. (Notice that this will change the file in /etc/defaults/.)
   Edit /etc/login.defs and change the default PASS_MAX_DAYS so that new users need to change their password every 5 days.


Network Configuration

1. The Network Interface

The network interface card (NIC) must be supported by the kernel. To determine which card you are using you can get information from dmesg, /proc/interrupts, /sbin/lsmod or /etc/modules.conf.

Example:

    dmesg
    Linux Tulip driver version 0.9.14 (February 20, 2001)
    PCI: Enabling device 00:0f.0 (0004 -> 0007)
    PCI: Found IRQ 10 for device 00:0f.0
    eth0: Lite-On 82c168 PNIC rev 32 at 0xf800, 00:A0:CC:D3:6E:0F, IRQ 10.
    eth0: MII transceiver #1 config 3000 status 7829 advertising 01e1.

    cat /proc/interrupts
      0:    8729602    XT-PIC  timer
      1:          4    XT-PIC  keyboard
      2:          0    XT-PIC  cascade
      7:          0    XT-PIC  parport0
      8:          1    XT-PIC  rtc
     10:     622417    XT-PIC  eth0
     11:          0    XT-PIC  usb-uhci
     14:     143040    XT-PIC  ide0
     15:        180    XT-PIC  ide1

    /sbin/lsmod
    Module    Size    Used by
    tulip     38360   1 (autoclean)

From the example above we see that the Ethernet card's chipset is Tulip, the i/o address is 0xf800 and the IRQ is 10. This information can be used either if the wrong module is being used or if the resources (i/o or IRQ) are not available.

This information can either be used to insert a module with a different i/o address (using the modprobe or insmod utilities) or can be saved in /etc/modules.conf (this will save the settings for the next bootup).

2. Host Information

The following files are used to store networking information.

/etc/resolv.conf contains a list of DNS servers:

    nameserver 192.168.1.108
    nameserver 192.168.1.1
    search linuxit.org

/etc/HOSTNAME is used to give a name to the PC. One can also associate a name to a network interface. This is done differently across distributions.

/etc/hosts contains your machine's IP number as well as a list of known hosts:

    # Do not remove the following line, or various programs
    # that require network functionality will fail.
    127.0.0.1       localhost localhost.localdomain
    # other hosts
    192.168.1.108   mesa mesa.domain.org
    192.168.1.119   pico

/etc/sysconfig/network defines if networking must be started (can also contain the HOSTNAME variable):

    NETWORKING=yes
    HOSTNAME=mesa.domain.org
    GATEWAY=192.168.1.1
    GATEWAYDEV=

/etc/sysconfig/network-scripts/ifcfg-eth0 holds the configuration parameters for eth0:

    DEVICE=eth0
    BOOTPROTO=none
    BROADCAST=192.168.1.255
    IPADDR=192.168.1.108
    NETWORK=192.168.1.0
    ONBOOT=yes
    USERCTL=no

3. Stop and Start Networking

From the command line

The main tool used to bring up the network interface is /sbin/ifconfig. Once initialised the kernel module aliased to eth0 in /etc/modules.conf (e.g. tulip.o) is loaded and assigned an IP and netmask value. As a result the interface can be switched on and off without losing this information as long as the kernel module is inserted.

Examples: Using ifconfig.

    /sbin/ifconfig eth0 192.168.10.1 netmask 255.255.128.0
    /sbin/ifconfig eth0 down
    /sbin/ifconfig eth0 up

Another tool is /sbin/ifup. This utility reads the system's configuration files in /etc/sysconfig/ and assigns the stored values for a given interface. The script for eth0 is called ifcfg-eth0 and has to be configured. If a boot protocol such as DHCP is defined then ifup will start the interface with that protocol.

Examples: Using ifup.

    /sbin/ifup eth0
    /sbin/ifup ppp0
    /sbin/ifdown eth0

Using the network script

At boot time the ethernet card is initialised with the /etc/rc.d/init.d/network script. All the relevant networking files are sourced in the /etc/sysconfig/ directory.

In addition the script also reads the sysctl options in /etc/sysctl.conf; this is where you can configure the system as a router (allow IP forwarding in the kernel). For example the line:

    net.ipv4.ip_forward = 1

will enable IP forwarding and the file /proc/sys/net/ipv4/ip_forward will contain a one.

The network script is started with the following command:

    /etc/rc.d/init.d/network restart

Renewing a DHCP lease

The following tools can query the DHCP server for a new IP: pump, dhcpclient. A client daemon exists called dhcpcd (do not confuse this with the DHCP server daemon dhcpd).

4. Routing

A noticeable difference when using ifup is the system's routing table. This is because either the /etc/sysconfig/network file is read, where a default gateway is stored, or the DHCP server has sent this information together with the IP number.

The routing tables are configured, checked and changed with the /sbin/route tool.

Routing examples:

Add a static route to the network 10.0.0.0 through the device eth1 and use 192.168.1.108 as the gateway for that network:

    /sbin/route add -net 10.0.0.0 gw 192.168.1.108 dev eth1

Add a default gateway:

    /sbin/route add default gw 192.168.1.1 eth0

Listing the kernel routing table:

    /sbin/route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Iface
    192.168.1.0     0.0.0.0         255.255.255.0   eth0
    10.1.8.0        192.168.1.108   255.0.0.0       eth1
    127.0.0.0       0.0.0.0         255.0.0.0       lo
    0.0.0.0         192.168.1.1     0.0.0.0         eth0
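To see which line of a table like the one above the kernel picks for a given destination, here is an added example (not from the LinuxIT guide) that re-implements the lookup in shell over a constructed copy of that routing table; the function names and the test destinations are ours.

```shell
#!/bin/sh
# Added example (not from the LinuxIT guide): the lookup the kernel performs
# on a routing table like the route -n listing above.  The table below is a
# constructed copy in the same column order: Destination Gateway Genmask Iface.
ROUTES='192.168.1.0 0.0.0.0 255.255.255.0 eth0
10.1.8.0 192.168.1.108 255.0.0.0 eth1
127.0.0.0 0.0.0.0 255.0.0.0 lo
0.0.0.0 192.168.1.1 0.0.0.0 eth0'

# ip2int 192.168.1.108 -> 3232235884 (one 32-bit integer per dotted quad)
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# route_lookup DEST -> "gateway iface" of the most specific matching route.
# A line matches when DEST AND Genmask equals Destination AND Genmask; among
# the matches the longest Genmask wins, so the 0.0.0.0 / 0.0.0.0 line (the
# default gateway, "anywhere") is used only when nothing more specific fits.
# A gateway of 0.0.0.0 means the destination is directly on that interface.
route_lookup() {
    dst=$(ip2int "$1"); best_len=-1; best=""
    while read -r net gw mask iface; do
        m=$(ip2int "$mask")
        [ $(( dst & m )) -eq $(( $(ip2int "$net") & m )) ] || continue
        # prefix length = number of 1 bits in the mask
        len=0; t=$m
        while [ "$t" -ne 0 ]; do len=$(( len + (t & 1) )); t=$(( t >> 1 )); done
        if [ "$len" -gt "$best_len" ]; then best_len=$len; best="$gw $iface"; fi
    done <<EOF
$ROUTES
EOF
    echo "$best"
}

for host in 192.168.1.50 10.1.8.5 127.0.0.1 8.8.8.8; do
    printf '%-14s via %s\n' "$host" "$(route_lookup "$host")"
done
```

The two 0.0.0.0 gateways in the table mean different things: in the 192.168.1.0 line it says "no gateway, send directly on eth0", while in the last line the 0.0.0.0 destination and genmask make 192.168.1.1 the default gateway for everything else.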

Default Gateway:

In the last listing, the Destination field is a list of networks. In particular, 0.0.0.0 means 'anywhere'. With this in mind, there are two IP's in the Gateway field. Which one is the default gateway?

To avoid having to enter static routes by hand special daemons gated or routed are run to dynamically update routing tables across a network.

If you belong to the 192.168.10.0 network and you add a route to the 192.168.1.0 network you may find that machines in the latter network are not responding. This is because no route has been set from the 192.168.1.0 network back to your host!! This problem is solved using dynamic routing.

Permanent Static Routes

If you have several networks with more than one gateway you can use the /etc/sysconfig/static-routes file (instead of routing daemons). These routes will be added at boot time by the network script.

A routing scenario (figure in the printed guide):


5. Common Network Tools

Here is a short list of tools helpful when troubleshooting network connections.

ping host: This tool sends an ICMP ECHO_REQUEST datagram to a host and expects an ICMP ECHO_RESPONSE.

Options for ping:
    -b      ping a broadcast address
    -c N    send N packets
    -q      quiet mode: display only start and end messages

netstat: You may get information on current network connections, the routing table or interface statistics depending on the options used.

Options for netstat:
    -r      same as /sbin/route
    -I      display list of interfaces
    -n      don't resolve IP addresses
    -p      returns the PID and names of programs (only for root)
    -v      verbose
    -c      continuous update

Example: Output of netstat --inet -n:

    Active Internet connections (w/o servers)
    Proto Recv-Q Send-Q Local Address          Foreign Address        State
    tcp        0      0 192.168.1.10:139       192.168.1.159:1992     ESTABLISHED
    tcp        0      0 192.168.1.10:22        192.168.1.138:1114     ESTABLISHED
    tcp        0      0 192.168.1.10:80        192.168.1.71:18858     TIME_WAIT

In the above listing you can see that the local host has established connections on ports 139, 22 and 80.

arp: Display the kernel address resolution cache. Example:

    arp
    Address          HWtype  HWaddress           Iface
    192.168.1.71     ether   00:04:C1:D7:CA:2D   eth0

traceroute: Displays the route taken from the local host to the destination host. Traceroute forces intermediate routers to send back error messages (ICMP TIME_EXCEEDED) by deliberately setting the ttl (time to live) value too low. After each TIME_EXCEEDED notification traceroute increments the ttl value, forcing the next packet to travel further, until it reaches its destination.

Example:

    /usr/sbin/traceroute -n www.redhat.com
    traceroute: Warning: www.redhat.com has multiple addresses; using 216.148.218.195
    traceroute to www.redhat.com (216.148.218.195), 30 hops max, 38 byte packets
     1  192.168.1.1  0.440 ms  0.347 ms  0.341 ms
    ---- snip ---
    14  12.122.2.145  112.116 ms  110.908 ms  112.002 ms
    15  12.122.2.74  156.629 ms  157.028 ms  156.857 ms
    16  12.122.255.222  156.867 ms  156.641 ms  156.623 ms
    17  216.148.209.66  159.982 ms  157.462 ms  158.537 ms
    18  216.148.218.195  157.395 ms  156.789 ms  156.080 ms

Options for traceroute:
    -f ttl    change the initial time to live value to ttl instead of 1
    -n        do not resolve IP numbers
    -v        verbose
    -w sec    set the timeout on returned packets to sec


6. Exercises

1. In the Routing Scenario section of this chapter give the routing table for the LAN's gateway.

2. Start your network interface manually:
       ifconfig eth0 192.168.0.x
   List the kernel modules. Make sure that the eth0 module is loaded (check /etc/modules.conf).

3. Stop the network interface with:
       (i)  ifconfig eth0 down
   Verify that you can bring the interface back up without entering new information:
       (ii) ifconfig eth0 up

4. Stop the interface and remove the kernel module (rmmod module). What happens if you repeat step 3(ii)?

5. Divide the class into two networks A (192.168.1.0) and B (10.0.0.0).
   Try accessing machines across networks.
   Choose an existing machine to be the gateway (on either network).
   On the gateway machine only, do the following:
   -- allow IP forwarding:
          echo 1 > /proc/sys/net/ipv4/ip_forward
   -- bring up an aliased interface (this will work as a second interface). If you are on the 192.168.1.0 network then do the following:
          ifup eth0:1 10.0.0.x
      (where x is an available IP).
   -- add a route to the new network forcing it to use the eth0:1 device
   -- add a route to the other network using the gateway machine (you will need to know either the eth0 or eth0:1 setting of this gw depending on which network you are on)


TCP/IP Networks

1. Binary Numbers and the Dotted Quad

Binary numbers:

    10  = 2^1
    100 = 2^2
    101 = 2^2 + 1
    111 = 100 + 010 + 001

This means that a binary number can easily be converted into a decimal by adding the weight of each bit that is set to 1:

    bit        1    1    0    0    0    0    0    0
    weight    2^7  2^6  2^5  2^4  2^3  2^2  2^1  2^0
    decimal   128   64   32   16    8    4    2    1

The Dotted Quad:

The familiar IP address assigned to an interface is called a dotted quad. In the case of an ipv4 address this is 4 bytes (4 times 8 bits) separated by dots.

    Decimal   192.168.1.1
    Binary    11000000.10101000.00000001.00000001

The first byte, 11000000, is 128 + 64 = 192 using the weights above.

2. Broadcast Address, Network Address and Netmask

An IP number contains information about both the host address (or interface) and network address.

The Netmask

A netmask is used to define which part of the IP address is used for the network; it is also called a subnet mask.

A 16-bit and a 17-bit netmask:

    255.255.0.0     16-bit    11111111.11111111.00000000.00000000
    255.255.128.0   17-bit    11111111.11111111.10000000.00000000

The broadcast is usually given in decimal.

Example: with a 16-bit netmask the following IPs are on the same network:

    (figure from the printed guide: two addresses written in binary, with a box drawn around their first 16 bits, which are identical)

This means that any bits that are changed inside the box (8+8=16 bits) will change the network address and the interfaces will need a gateway to connect to each other. In the same way, any bits that are changed outside the box will change the interface address without changing networks. For example with a 24-bit netmask the above two IPs would be on different networks:

    (figure from the printed guide: the same two addresses with the box widened to the first 24 bits, inside which they now differ)

The Network Address

Every network has a number which is needed when setting up routing. The network number is a portion of the dotted quad. The host address portion is replaced by zeros. Typical network address: 192.168.1.0

The Broadcast Address

A machine's broadcast address is a range of hosts/interfaces that can be accessed on the same network. For example a host with the broadcast address 10.1.255.255 will access any machine with an IP address of the form 10.1.x.x. Typical broadcast: 192.168.1.255

The dotted quad revisited

Simple logical operations can be applied to the broadcast, netmask and network numbers. To retrieve the network address from an IP number simply AND the IP with the netmask:

    Network Address = IP AND Netmask

Similarly the broadcast address is found with the network address OR 'not MASK':

    Broadcast Address = Network OR not[Netmask]

Here AND and OR are logical operations on the binary form of these addresses.

Example:

5imilarly the /roadcast address is found with the network address 0 6roadcast Address H Network

Here AN7 and 0

are logical o$erations on the /inary form of these addresses

)*am$le>

Take the IP 192.168.3.5 with a net mask 255.255.255.0. We can do the following operations:

Network address = IP AND MASK

    IP        (192.168.3.5)      11000000.10101000.00000011.00000101
    AND
    MASK      (255.255.255.0)    11111111.11111111.11111111.00000000
    _______________________________________________________________
    Network   (192.168.3.0)      11000000.10101000.00000011.00000000

Broadcast Address = IP OR NOT-MASK

    IP        (192.168.3.5)      11000000.10101000.00000011.00000101
    OR
    NOT-MASK  (0.0.0.255)        00000000.00000000.00000000.11111111
    _______________________________________________________________
    Broadcast (192.168.3.255)    11000000.10101000.00000011.11111111

It is clear from the above example that an IP number together with a netmask is enough to retrieve all the information relative to the network and the host.

3. Network Classes

Reserved IP addresses

For private networks a certain number of IP addresses are allocated which are never used on the Internet. These reserved IP's are typically used for LAN's. The following table displays the various private/reserved classes.

Table 1: Reserved addresses

    Networks   Class     Range
    1          Class A   10.x.x.x
    16         Class B   172.16.x.x -- 172.31.x.x
    255        Class C   192.168.x.x

IP classes

Class A: 8-bit network address and 24-bit host address

The first byte of the IP number is reserved for the network address. So the default subnet mask would be 255.0.0.0. The 3 remaining bytes are available to set host interfaces. Since 255.255.255 and 0.0.0 are invalid host numbers there are 2^24 - 2 = 16 777 214 possible hosts. IP numbers have the first byte ranging from 1 to 127. This corresponds to a binary range of 00000001 to 01111111. The first two bits of a class A address can be set to '00' or '01'.

Class B: 16-bit network address and 16-bit host address

The two first bytes of the IP number are reserved for the network address. The default subnet mask is 255.255.0.0. There are 2^16 - 2 = 65 534 possible hosts. The first byte ranges from 128 to 191. Notice that the binary range of the first byte is 10000000 to 10111111. That is, the first two bits of a class B address are always set to '10'.

Class C: 24-bit network address and 8-bit host address

The three first bytes are reserved for the network address. The default subnet mask is 255.255.255.0. There are 2^8 - 2 = 254 possible hosts. The first byte ranges from 192 to 223. This corresponds to a binary range from 11000000 to 11011111. From this we conclude that the first two bits of a class C address are always set to '11'.

4. Subnets

Subnetting occurs when bits reserved for hosts are used for the network. This is determined by the netmask and results in networks being split. For example a regular class A netmask 255.0.0.0 can be altered to allow the first bit of the second byte to be part of the network. This results in a 9-bit network address and a 23-bit host address IP. The binary netmask looks like 11111111.10000000.00000000.00000000 or 255.128.0.0.

Another way to indicate that a 9-bit network address is in use is to give the IP number 10.1.8.1 as 10.1.8.1/9.

We will take the example of a class C address 192.168.1.0. We investigate a 25-bit then a 26-bit network.

25-bit network

Netmask: 11111111.11111111.11111111.10000000 or 255.255.255.128

Since Network = IP AND Netmask, we see from the netmask that two network addresses can be formed depending on the hosts range:

1. Host addresses in the 192.168.1.0xxxxxxx range result in a 192.168.1.0 network. We say the network number is 0.
2. Host addresses in the 192.168.1.1xxxxxxx range result in a 192.168.1.128 network. We say the network number is 128.

Table 2: In both cases substitution of the x's by zeros or ones has a special meaning

    Network address        0                 128
    Substitute with 1's    Broadcast: 127    Broadcast: 255
    Substitute with 0's    Network: 0        Network: 128

We are left with the task of counting the number of hosts on each network. Since the host address is 7-bit long and we exclude 2 values (all 1's and all 0's) we have 2^7 - 2 = 126 hosts on each network or a total of 252 hosts. Notice that if the default subnet mask 255.255.255.0 is used we have 254 available host addresses. In the above example 192.168.1.127 and 192.168.1.128 have a special meaning and that is why only 252 host addresses can be used.

26-bit network

Netmask: 11111111.11111111.11111111.11000000 or 255.255.255.192

Here again depending on the host's address 4 different network addresses can be determined with the AND rule.

1. Host addresses in the 192.168.1.00xxxxxx range result in a 192.168.1.0 network.
2. Host addresses in the 192.168.1.01xxxxxx range result in a 192.168.1.64 network.
3. Host addresses in the 192.168.1.10xxxxxx range result in a 192.168.1.128 network.
4. Host addresses in the 192.168.1.11xxxxxx range result in a 192.168.1.192 network.

Substituting the x's with 1's in the numbers above gives us the corresponding broadcast addresses: 192.168.1.63, 192.168.1.127, 192.168.1.191, 192.168.1.255. Each subnet has 2^6 - 2 = 62 possible hosts or a total of 248.
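The dotted-quad conversion, the AND/OR rules of the previous section and the 25-bit and 26-bit splits worked above can all be checked with shell integer arithmetic. The script below is an added example, not part of the LinuxIT guide; the function names are ours, and the addresses it runs on are the ones from the text (192.168.3.5/24, 192.168.1.0 split into /25 and /26, 10.1.8.1/9).

```shell
#!/bin/sh
# Added example (not from the LinuxIT guide): the dotted-quad conversion, the
# Network = IP AND Netmask / Broadcast = Network OR NOT(Netmask) rules and
# the 25-bit / 26-bit split of 192.168.1.0, all done with shell integer
# arithmetic on the 32-bit value of an address.

ip2int() {           # 192.168.3.5 -> 3232236293
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

int2ip() {           # 3232236293 -> 192.168.3.5
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

prefix2mask() {      # 25 -> integer form of 255.255.255.128
    echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

netmask() { int2ip "$(prefix2mask "$1")"; }                # netmask 9 -> 255.128.0.0

network() {                                                # network ADDR PREFIX
    int2ip $(( $(ip2int "$1") & $(prefix2mask "$2") ))     # IP AND Netmask
}

broadcast() {                                              # broadcast ADDR PREFIX
    ip=$(ip2int "$1"); m=$(prefix2mask "$2")
    int2ip $(( (ip & m) | (~m & 0xFFFFFFFF) ))             # Network OR NOT(Netmask)
}

hosts() { echo $(( (1 << (32 - $1)) - 2 )); }              # all-0 and all-1 host parts excluded

# subnets PARENT PARENT_PREFIX PREFIX -> "network broadcast" for each subnet
# obtained by lengthening the netmask from PARENT_PREFIX to PREFIX.
subnets() {
    base=$(ip2int "$1"); count=$(( 1 << ($3 - $2) )); step=$(( 1 << (32 - $3) ))
    i=0
    while [ "$i" -lt "$count" ]; do
        echo "$(int2ip $(( base + i * step ))) $(int2ip $(( base + i * step + step - 1 )))"
        i=$(( i + 1 ))
    done
}

# Worked cases from the text: 192.168.3.5/24, a host in the upper /25, and
# the 10.1.8.1/9 notation from the subnet introduction.
for cidr in 192.168.3.5/24 192.168.1.200/25 10.1.8.1/9; do
    host_ip=${cidr%/*}; pfx=${cidr#*/}
    printf '%-17s netmask %-15s network %-15s broadcast %-15s hosts %s\n' \
        "$cidr" "$(netmask "$pfx")" "$(network "$host_ip" "$pfx")" \
        "$(broadcast "$host_ip" "$pfx")" "$(hosts "$pfx")"
done
echo "192.168.1.0/24 split into /26 subnets (network broadcast):"
subnets 192.168.1.0 24 26
```

The last exercise of this chapter (an address on an /27 network) is the same computation with PREFIX set to 27: `network`, `broadcast` and `hosts 27` give the answers, and `subnets` lists every /27 inside the enclosing /24.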

5. The TCP/IP Suite

TCP/IP is a suite of protocols used on the Internet. The name is meant to describe that several protocols are needed in order to carry data and programs across a network. The main two protocols are TCP, Transmission Control Protocol, and IP, Internet Protocol. To simplify, IP handles packets or datagrams only (destination address, size...) whereas TCP handles the connection between two hosts.

The idea is that protocols relay each other, each one doing its specialised task. In this context one speaks of the TCP/IP stack. The protocols intervene therefore at various layers of the networking process.

Table 1: The 4 layer TCP/IP model

    Application      application level (FTP, SMTP, SNMP)
    Transport        handles hosts (TCP, UDP)
    Internet         routing (IP, ICMP, IGMP, ARP)
    Network Access   network cards, e.g. Ethernet, token ring ...


Protocol Overview

IP    The Internet Protocol (IP) is the transport for TCP, UDP, and ICMP data. IP provides an unreliable connectionless service, allowing all integrity to be handled by one of the upper layer protocols, i.e. TCP, or some application-specific devices. There is no guarantee that a datagram will reach the host using IP alone. The IP protocol handles the addressing and the routing between networks. IP is the datagram delivery service.

TCP   Transmission Control Protocol (TCP) provides a reliable connection orientated service to applications that use it. TCP is connection orientated and checks on each host the order in which the packets are sent/received and also verifies that all the packets are transmitted. Applications such as telnet or ftp use the TCP protocol and don't need to handle issues over data loss etc ...

UDP   The User Datagram Protocol provides direct access to IP for application programs but unlike TCP, is connectionless and unreliable. This provides less overhead for applications concentrated on speed. If some form of packet accounting is needed this has to be provided by the application.

ICMP  The Internet Control Message Protocol is used by routers and hosts to report on the status of the network. It uses IP datagrams and is itself connectionless.

PPP   The Point to Point Protocol establishes a TCP/IP connection over phone lines. It can also be used inside encrypted connections such as pptp.

6. TCP/IP Services and Ports

The list of known services and their relative ports is generally found in /etc/services. The official list of services and associated ports is managed by the IANA (Internet Assigned Numbers Authority).

Since the port field is a 16-bit digit there are 65535 available numbers. Numbers from 1 to 1023 are privileged ports and are reserved for services run by root. Most known applications will listen on one of these ports.

We will look at the output of portscans. Beware that unauthorised portscanning is illegal although many people use them. Here is the output of a portscan:

    Port      State   Service
    21/tcp    open    ftp
    22/tcp    open    ssh
    23/tcp    open    telnet
    25/tcp    open    smtp
    70/tcp    open    gopher
    79/tcp    open    finger
    80/tcp    open    http

This shows open ports; these are ports being used by an application.

The /etc/services main ports:

    ftp-data     20/tcp
    ftp          21/tcp
    telnet       23/tcp
    smtp         25/tcp     mail
    domain       53/tcp
    domain       53/udp
    http         80/tcp     # www is used by some broken progs, http is more correct
    www          80/tcp
    pop-2        109/tcp    # PostOffice V.2
    pop-3        110/tcp    # PostOffice V.3
    sunrpc       111/tcp
    sftp         115/tcp
    uucp-path    117/tcp
    nntp         119/tcp    usenet    # Network News Transfer
    ntp          123/tcp    # Network Time Protocol
    netbios-ns   137/tcp    nbns
    netbios-ns   137/udp    nbns
    netbios-dgm  138/tcp    nbdgm
    netbios-dgm  138/udp    nbdgm
    netbios-ssn  139/tcp    nbssn
    imap         143/tcp    # imap network mail protocol
    NeWS         144/tcp    news      # Window System
    snmp         161/udp
    snmp-trap    162/udp

7. Exercises

Registering a service with xinetd

1. Write a bash script that echo's "Welcome" to stdout. Save it in /usr/sbin/hi.

2. In /etc/xinetd.d create a new file called fudge with the following:

       service fudge
       {
           socket_type = stream
           server      = /usr/sbin/hi
           user        = root
           wait        = no
           disable     = no
       }

3. Add a service called fudge in /etc/services that will use port 60000.

4. Restart xinetd and telnet to port 60000.

5. You have been assigned a range of IPs on the 83.10.11.0/27 network. How many networks have the same first 4 bytes as you? How many hosts are on your network? What is the broadcast address for this first network?


Network Services

Network services can either continuously run as standalone applications which listen for connections and handle clients directly or they can be called by the network daemon inetd (old) or xinetd.

1. The inetd daemon (old)

This daemon is started at boot time and listens for connections on specific ports. This allows the server to run a specific network daemon only when needed. For example, the telnet service has a daemon /usr/sbin/in.telnetd which handles telnet sessions. Instead of running this daemon all the time inetd is instructed to listen on port 23. These instructions are set in /etc/inetd.conf.

Fig1: The inetd daemon

The fields of /etc/inetd.conf contain the following:

    service-name   valid name from /etc/services
    socket type    stream for TCP and dgram for UDP
    protocol       valid protocol from /etc/protocols
    flag           nowait if multithreaded and wait if single-threaded
    user           run application as user or group
    program        usually tcpd
    argument       the name of the program to be run for this service

Example:

    pop-3 stream tcp nowait root /usr/sbin/tcpd ipop3d

Notice: The /etc/services file is used to make the correspondence between service names and socket port numbers. The fields in services are as follows:

    service-name port/protocol [aliases]

2. The xinetd Daemon

This is the most recent version of inetd. The tcpd daemon is no longer used; instead xinetd does everything. Configuration is done either through a single file /etc/xinetd.conf or by editing individual files in /etc/xinetd.d/ corresponding to the services being monitored by xinetd.

It is possible to migrate from the old inetd configuration file to the configuration files for the modern xinetd. Nothing else needs to be done.

Structure of a service file in xinetd.d:

    service-name
    {
        socket_type = stream for TCP and dgram for UDP
        protocol    = valid protocol from /etc/protocols
        wait        = [yes or no]
        user        = the user the application runs as
        group       = the group the application runs as
        server      = the name of the program to be run for this service
    }
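The migration from inetd.conf lines to xinetd.d stanzas mentioned above can be done mechanically, one line at a time. The converter below is an added example, not from the LinuxIT guide or from the xinetd project; it maps the inetd.conf fields to the stanza fields in the order of the structure just shown and assumes that a daemon launched through tcpd lives in /usr/sbin, tcpd's default search directory.

```shell
#!/bin/sh
# Added example (not from the LinuxIT guide): convert one /etc/inetd.conf line
# into the xinetd.d stanza layout described in the text.  Field mapping follows
# the two tables on the page: flag wait/nowait -> "wait = yes/no", the program
# field -> "server", the remaining words -> "server_args".  When the program is
# tcpd, the first argument names the real daemon; the assumption here is that
# it lives in /usr/sbin, which is tcpd's default search directory.

# inetd2xinetd "name type proto flag user[.group] program argv0 [args...]"
inetd2xinetd() {
    set -- $1                  # split the inetd.conf fields on whitespace
    name=$1; stype=$2; proto=$3; flag=$4; user=$5; prog=$6; shift 6
    group=""
    case $user in              # inetd allows user.group or user:group
        *.*) group=${user#*.}; user=${user%%.*} ;;
        *:*) group=${user#*:}; user=${user%%:*} ;;
    esac
    argv0=""
    if [ $# -gt 0 ]; then argv0=$1; shift; fi   # inetd's first argument is argv[0]
    case $prog in
        */tcpd|tcpd) prog=/usr/sbin/$argv0 ;;   # assumption: daemon found in /usr/sbin
    esac
    wait=no; [ "$flag" = wait ] && wait=yes
    printf 'service %s\n{\n' "$name"
    printf '\tsocket_type = %s\n\tprotocol = %s\n\twait = %s\n\tuser = %s\n' \
        "$stype" "$proto" "$wait" "$user"
    [ -n "$group" ] && printf '\tgroup = %s\n' "$group"
    printf '\tserver = %s\n' "$prog"
    [ $# -gt 0 ] && printf '\tserver_args = %s\n' "$*"
    printf '\tdisable = no\n}\n'
}

# Constructed inetd.conf lines: the page's pop-3 example and a tftp line
# that uses wait, a user.group pair and server arguments.
inetd2xinetd 'pop-3 stream tcp nowait root /usr/sbin/tcpd ipop3d'
inetd2xinetd 'tftp dgram udp wait root.nogroup /usr/sbin/in.tftpd in.tftpd -s /tftpboot'
```

To convert a whole file: `grep -v '^#' /etc/inetd.conf | while read -r l; do inetd2xinetd "$l" > /etc/xinetd.d/${l%% *}; done`. Note that the access control tcpd used to provide from hosts.allow and hosts.deny is applied by xinetd itself through libwrap, so nothing is lost by dropping the tcpd wrapper from the server line.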


3. TCP wrappers

If programs have been compiled with libwrap then they can be listed in /etc/hosts.allow and /etc/hosts.deny. The libwrap library will verify these files for matching hosts.

Default format for /etc/hosts.{allow,deny}:

    DAEMON : hosts [EXCEPT hosts] [: spawn command]

One can also use these files to log unauthorised services. This can help as an early warning system. Here are a few examples.

Getting information about a host:

    /etc/hosts.allow
    in.telnetd: LOCAL, .my.domain

    /etc/hosts.deny
    in.telnetd: ALL : spawn (/usr/sbin/safe_finger -l @%h | mail root) &

Redirect to a bogus service or "honey pot":

    /etc/hosts.allow
    in.telnetd: ALL : twist /dtk/Telnetd.pl

The last example comes from the dtk (Deception Tool Kit) that can be downloaded from http://all.net/dtk/download.html
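To reason about what a hosts.allow / hosts.deny pair will do before deploying it, the following added example (not from the LinuxIT guide, nor from tcp_wrappers itself) re-implements libwrap's allow-then-deny decision over constructed rule sets built from the entries above; the sshd rule and the client names are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not from the LinuxIT guide): a re-implementation of the
# decision libwrap takes from /etc/hosts.allow and /etc/hosts.deny, applied
# to constructed rule sets.  Only the client forms shown on the page are
# handled: ALL, LOCAL, a ".domain" suffix, a "net." prefix, an exact name or
# address, and an EXCEPT list.  Options after a second ":" (spawn, twist)
# are ignored for the match itself.
ALLOW='in.telnetd: LOCAL, .my.domain
sshd: 192.168.1. EXCEPT 192.168.1.200'
DENY='in.telnetd: ALL : spawn (/usr/sbin/safe_finger -l @%h | mail root) &
sshd: ALL'

# pattern_matches PATTERN CLIENT -> exit 0 when one pattern matches CLIENT
pattern_matches() {
    case $1 in
        ALL)   return 0 ;;
        LOCAL) case $2 in *.*) return 1 ;; *) return 0 ;; esac ;;   # no dot: local host
        .*)    case $2 in *"$1") return 0 ;; *) return 1 ;; esac ;; # domain suffix
        *.)    case $2 in "$1"*) return 0 ;; *) return 1 ;; esac ;; # network prefix
        *)     [ "$1" = "$2" ] ;;
    esac
}

# list_matches "p1, p2 EXCEPT p3" CLIENT -> 0 when a pattern before EXCEPT
# matches and none after it does
list_matches() {
    inc=${1%%EXCEPT*}; exc=""
    case $1 in *EXCEPT*) exc=${1#*EXCEPT} ;; esac
    hit=1
    for p in $(echo "$inc" | tr ',' ' '); do
        pattern_matches "$p" "$2" && hit=0
    done
    [ "$hit" -eq 0 ] || return 1
    for p in $(echo "$exc" | tr ',' ' '); do
        pattern_matches "$p" "$2" && return 1
    done
    return 0
}

# file_matches RULES DAEMON CLIENT -> 0 when some "daemon: clients" line applies
file_matches() {
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        daemons=$(echo "${line%%:*}" | tr -d ' ')
        clients=${line#*:}; clients=${clients%%:*}     # drop ": spawn ..." options
        case ",$daemons," in
            *",$2,"*|*",ALL,"*) list_matches "$clients" "$3" && return 0 ;;
        esac
    done <<EOF
$1
EOF
    return 1
}

# wrap_decision DAEMON CLIENT -> allow | deny, in libwrap's order:
#   1. a hosts.allow match grants access,
#   2. otherwise a hosts.deny match refuses it,
#   3. otherwise access is granted (so an "ALL: ALL" deny line is the usual safety net).
wrap_decision() {
    if   file_matches "$ALLOW" "$1" "$2"; then echo allow
    elif file_matches "$DENY"  "$1" "$2"; then echo deny
    else echo allow
    fi
}

for req in "in.telnetd mesa" "in.telnetd pico.my.domain" "in.telnetd host.example.org" \
           "sshd 192.168.1.5" "sshd 192.168.1.200" "in.ftpd 10.0.0.1"; do
    printf '%-30s %s\n' "$req" "$(wrap_decision $req)"
done
```

The in.ftpd case shows the point that matters in practice: a daemon with no line in either file is allowed, which is why hosts.deny usually ends with a catch-all deny line. On a live system the same check is available from the tcp_wrappers package as `tcpdmatch daemon client`.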

4. Setting up NFS

Client settings

For a Linux client to mount remote file systems:
1. the nfs file system must be supported by the kernel
2. the portmapper daemon must be running. The portmapper is started by the /etc/rc.d/init.d/portmap script.

The mount utility will mount the filesystem. A typical entry in /etc/fstab would be:

    nfs-server:/shared/dir  /mnt/nfs  nfs  defaults  0 0

Server settings

A NFS server needs portmap to be running before starting the nfs server. The nfs server should be started or stopped with the /etc/rc.d/init.d/nfs script.

The main configuration file is /etc/exports. Sample /etc/exports file:

    /usr/local/docs   *.local.org(rw,no_root_squash)   *(ro)

The /usr/local/docs directory is exported to all hosts as read-only, and read-write to all hosts in the .local.org domain. The default root_squash option, which prevents the root user (uid = 0) on the client from accessing the share on the server as root, can be changed with the no_root_squash option.

The /etc/exports file matches hosts such as *.machine.com whereas /etc/hosts.allow/deny match hosts such as .machine.com.

If the /etc/exports file has been changed then the exportfs utility should be run. If existing directories in /etc/exports are modified then it may be necessary to unmount all nfs shares before remounting them all. Individual directories can be mounted or unmounted with exportfs.

Unexporting and exporting all directories in /etc/exports:

    exportfs -ua
    exportfs -a
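The option rules for /etc/exports described above can be checked mechanically before running exportfs. The following added example (not from the LinuxIT guide) parses constructed exports lines in the page's format, the sample line above among them, and flags the two settings the text singles out: no_root_squash, and read-write exports to every host.

```shell
#!/bin/sh
# Added example (not from the LinuxIT guide): parse /etc/exports lines of the
# form used in the text ("/dir host(options) host(options)") and report the
# entries that grant more than the defaults: a share writable by every host
# ("*" with rw) and a share exported with no_root_squash.  The sample file is
# constructed; the first line is the page's example.
EXPORTS='/usr/local/docs *.local.org(rw,no_root_squash) *(ro)
/home 192.168.1.0/255.255.255.0(rw)
/tmp *(rw,no_root_squash)'

# exports_review -> one "<dir> <host> <finding>" line per risky host entry
exports_review() {
    set -f                      # "*" is an exports wildcard here, not a shell glob
    while read -r dir hosts; do
        for spec in $hosts; do
            host=${spec%%\(*}                   # text before "("
            opts=${spec#*\(}; opts=${opts%\)}   # text inside "( ... )"
            [ "$opts" = "$spec" ] && opts=""    # no options: ro,root_squash defaults apply
            case ",$opts," in
                *,no_root_squash,*) echo "$dir $host no_root_squash" ;;
            esac
            if [ "$host" = '*' ]; then
                case ",$opts," in *,rw,*) echo "$dir $host world-writable" ;; esac
            fi
        done
    done <<EOF
$EXPORTS
EOF
    set +f
}

exports_review
```

Point EXPORTS at the real file with `EXPORTS=$(grep -v '^#' /etc/exports)` to review a server. A host entry without parentheses is reported as safe because exportfs applies ro and root_squash when no options are given.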

5. SMB and NMB

Linux machines can access and provide Windows shared resources (directories and printers). The protocol used for this is the MS Windows Server Message Block, SMB. Samba is the most common Linux tool which provides client and server software.

From the Command Line

The smbclient utility is used to list shared resources. Remote directories are typically mounted with smbmount although 'mount -t smbfs' can also be used.

Examples:

Send a pop up message to the win98desk computer:

    smbclient -M win98desk

Mount the shared directory of the winserver computer:

    smbmount //winserver/shared /mnt/winserver/shared

The Samba server is configured with the /etc/smb.conf file (/etc/samba/smb.conf on newer distributions). The server is stopped and started with the /etc/rc.d/init.d/smb script. Notice that this script also starts nmbd, the NetBIOS name server, which provides NetBIOS name resolution and browse lists in the Windows realm; smbd serves the files and printers themselves.

Figure 1: Nautilus browsing SMB shares (screenshot not reproduced here).

Main entries in /etc/smb.conf:

    [global]
        workgroup = LINUXIT
        os level = 2
        kernel oplocks = No
        security = user
        encrypt passwords = Yes
        guest account = nobody
        map to guest = Bad User

    [homes]
        comment = Home Directories
        read only = No
        create mask = 0640
        directory mask = 0740
        browseable = No

    [printers]
        comment = All Printers
        path = /var/tmp
        create mask = 0600
        printable = Yes
        browseable = No

security = user means that every client must supply a valid username and password before it can see a share. map to guest = Bad User turns an unknown username into the guest account, so a mistyped username becomes an anonymous session rather than a failed login, which is worth knowing when you read the logs.

SWAT and Webmin GUI configuration

If you install the swat package then you can administer a Samba server via a web-based GUI on port 901. Note that SWAT sends the administrator password in clear text over HTTP unless it is tunnelled or bound to localhost only, and that it was removed from Samba in version 4.1. Another popular general administration tool is webmin, which can be downloaded at www.webmin.com.

NOTICE: The configuration file /etc/samba/smb.conf is a good source of documentation. All options are explained there and can be switched on by deleting the comment character (; or #) in front of them. Also read the smb.conf(5) manpage.

6. DNS services

The resolvers

When a program needs to resolve a host name it uses a mechanism called a resolver. The resolver first consults /etc/nsswitch.conf (on older systems /etc/host.conf) to determine which methods should be used to resolve host names, and in which order: local files, a name server, NIS or an LDAP server.

The /etc/host.conf (or /etc/nsswitch.conf) file

These files are scanned by the resolver. They indicate whether files, DNS servers, LDAP databases or NIS servers should be consulted.

Example (/etc/nsswitch.conf):

    hosts:      files dns nis
    networks:   files

The first line indicates that files (here /etc/hosts) should be queried first, then a DNS server if that fails, then NIS. The second line instructs the resolver to use the /etc/networks file for network names.

The /etc/hosts file

With a small number of networked computers it is possible to map IP addresses to names using the /etc/hosts file. The fields are as follows:

    IP-address  canonical-name  [aliases ...]

The first name after the address is the canonical name of the machine; the remaining names are aliases. Because /etc/hosts is normally consulted before DNS, anyone who can write to it can redirect any name on the machine, so it must be writable by root only.

Example /etc/hosts file:

    192.168.1.233    io          io.my.domain
    61.20.187.42     callisto    callisto.physics.edu

The /etc/resolv.conf file

If the resolver needs to use a domain name server (DNS) it consults the /etc/resolv.conf file for the list of servers to query (nameserver lines, up to three of them) and for the default search domains.

Hierarchical structure

Name servers have a hierarchical structure. Depending on its position in the fully qualified domain name (FQDN) a domain is called top-level, second-level or third-level.

Examples of top-level domains:

    com    Commercial organisations
    edu    US educational institutions
    gov    US government institutions
    mil    US military institutions
    net    Gateways and network providers
    org    Non-commercial sites
    uk     UK sites

Types of DNS servers

Domains can be further divided into subdomains. This limits the amount of information needed to administer a domain. Each zone has a master name server (previously called the primary DNS) and one or several slave name servers (previously called secondaries). Administration of a name server consists of updating the information about a particular zone on the master; slaves fetch a copy of the zone from the master by zone transfer. Both master and slave servers answer authoritatively for the zone; the master simply holds the copy that is edited.

DNS configuration files

In old versions of BIND (prior to BIND version 8) the configuration file was /etc/named.boot. With BIND version 8 the /etc/named.conf file is used instead. The named-bootconf.pl utility can be used to convert old configuration files.

The /etc/named.boot file:

    directory                        /var/named
    cache     .                      named.ca
    primary   myco.org               named.myco
    primary   0.0.127.in-addr.arpa   named.local
    primary   1.168.192.in-addr.arpa named.rev

The first line defines the base directory in which the zone files are kept. The named.ca file contains the root hints: the names and addresses of the root name servers that are queried to resolve names outside the zones this server holds. The third line is optional and contains the records for the local LAN. The last two entries are for reverse lookups (address to name) of the loopback network and of the 192.168.1.0/24 network.

In /etc/named.conf:

    cache      is replaced by   hint
    secondary  is replaced by   slave
    primary    is replaced by   master

Applying these changes to BIND 4 configuration files gives BIND 8 and BIND 9 files such as the following.

The /etc/named.conf file:

    options {
        directory "/var/named";
    };

    zone "." {
        type hint;
        file "named.ca";
    };

    zone "myco.org" {
        type master;
        file "named.myco";
    };

    zone "1.168.192.in-addr.arpa" {
        type master;
        file "named.rev";
    };

    zone "0.0.127.in-addr.arpa" {
        type master;
        file "named.local";
    };

DNS zone files

With only the hint zone and the loopback zones the server would be a caching-only server; the myco.org and 1.168.192.in-addr.arpa entries above also make it the master for those two zones. All the zone files contain resource records.

Sample named.local zone file:

    @   IN  SOA  localhost. root.localhost. (
                 2001022700  ; Serial
                 2880        ; Refresh
                 1440        ; Retry
                 3600000     ; Expire
                 86400 )     ; Minimum
        IN  NS   localhost.
    1   IN  PTR  localhost.

This is a very simple zone file but it gives us enough information to understand the basic mechanism of a name server. The @ sign resolves to the zone name declared for this file in /etc/named.conf. This allows any zone file to be used as a template for further zones (see the exercises).

Table 1: Common record types

    SOA     Start of authority: identifies the zone's primary name server and its timing parameters
    NS      A name server for the zone
    A       Associate an IP address with a hostname
    PTR     Reverse mapping of an IP address to a hostname
    MX      Mail exchange record: the host that receives mail for the domain
    CNAME   Associate an alias with the host's canonical name

Table 2: Zone parameters (the SOA record)

    @ IN SOA   Start Of Authority. Identifies the zone, followed by the parameters below enclosed in brackets.
    serial     Manually incremented whenever the zone data changes. Slave servers compare it with the master's serial number; if it has changed the entire zone is transferred. A serial that is not increased means the slaves silently keep serving stale data.
    refresh    Time in seconds after which a slave queries the master's SOA record to see whether the serial has changed. This should be at least a day.
    retry      Interval in seconds before a slave retries a zone transfer that failed.
    expire     Time after which a slave discards all zone data if it has not been able to contact the master. Should be at least a week.
    minimum    In BIND 8 the default TTL for cached data, one day (86400 seconds) by default but longer on stable LANs. In BIND 9 this field is the negative-caching TTL, and the default record TTL is set with a $TTL directive at the top of the zone file.
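Worked example, added here and not part of the LinuxIT guide: a shell helper for the serial field of Table 2. It keeps the serial in the YYYYMMDDnn form the guide's sample uses (2001022700) and rewrites the zone file's serial line, so that a zone edit can never forget the increment that makes the slaves transfer the new data. The function names are the example's own and the zone text is a copy of the guide's named.local.

```shell
#!/bin/sh
# Added example, not from the LinuxIT guide: maintain the SOA serial in the
# YYYYMMDDnn form, which is the usual convention (the guide's 2001022700 is
# one). Slaves only transfer the zone when the serial has grown, so the one
# rule is "never decrease it". Function names and the sample zone are this
# example's own; the zone text copies the guide's named.local.

# next_serial CURRENT TODAY: CURRENT is the serial now in the zone file,
# TODAY is YYYYMMDD (normally $(date -u +%Y%m%d)). Prints the new serial.
next_serial() {
    cur=$1
    base=$(($2 * 100))           # today's first serial, YYYYMMDD00
    if [ "$cur" -lt "$base" ]; then
        echo "$base"             # first change today (or a non-date serial)
    else
        echo $((cur + 1))        # same day, or serial already ahead of the
    fi                           # calendar: still strictly increase it
}

# bump_zone_serial TODAY: zone file on stdin, rewritten zone on stdout.
# Assumes the serial line is a number followed by a "; Serial" comment, as
# in the guide's example. Returns 1 (and copies the input) if none is found.
bump_zone_serial() {
    today=$1
    zone=$(cat)
    cur=$(printf '%s\n' "$zone" |
          sed -n 's/^[[:space:]]*\([0-9][0-9]*\)[[:space:]]*;[[:space:]]*[Ss]erial.*/\1/p' |
          head -n 1)
    if [ -z "$cur" ]; then
        printf '%s\n' "$zone"
        return 1
    fi
    new=$(next_serial "$cur" "$today")
    printf '%s\n' "$zone" |
        sed "s/^\([[:space:]]*\)$cur\([[:space:]]*;[[:space:]]*[Ss]erial\)/\1$new\2/"
}

SAMPLE_ZONE='@   IN  SOA  localhost. root.localhost. (
                 2001022700  ; Serial
                 2880        ; Refresh
                 1440        ; Retry
                 3600000     ; Expire
                 86400 )     ; Minimum
        IN  NS   localhost.
1       IN  PTR  localhost.'

printf '%s\n' "$SAMPLE_ZONE" | bump_zone_serial 20010227
```

Typical use is `bump_zone_serial "$(date -u +%Y%m%d)" < db.zone > db.zone.new` followed by a check with named-checkzone before the new file replaces the old one. The "never decrease" rule matters because slaves compare serials with 32-bit serial arithmetic: once a too-large serial has been published, the only way back is to step it forward through the wrap-around, not to lower it.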


7. Sendmail main configuration

Sendmail is the most popular mail transfer agent (MTA) on the Internet. It uses the Simple Mail Transfer Protocol (SMTP) and runs as a daemon listening for connections on port 25. The sendmail script which stops or starts the sendmail daemon is usually located in the /etc/rc.d/init.d/ directory.

The main configuration file is /etc/mail/sendmail.cf (or /etc/sendmail.cf). It is normally generated from the much more readable /etc/mail/sendmail.mc with m4 rather than edited directly. Here the name of the server is specified, and the names of the hosts from which and to which mail relaying is allowed (in current versions relay permissions are kept in the /etc/mail/access database and the hosts for which mail is accepted locally in /etc/mail/local-host-names). A server that relays for everyone is an open relay and will quickly be abused for spam and blacklisted, so relaying must be restricted to the local network.

The /etc/aliases file contains two fields as follows:

    alias: user

When changes to /etc/aliases have been made the newaliases command must be run to rebuild the database /etc/aliases.db.

When mail is accepted by the server it is appended to a single file named after the user. These files are stored in /var/spool/mail/. Depending on the mail user agent used, a user can either store these messages in his home directory or download them to another machine.

If the server is relaying, or if the network is slow and many messages are being sent, mail is stored in the mail queue /var/spool/mqueue. You can query the queue with the mailq utility or sendmail -bp. An administrator can flush the server's queue with sendmail -q.

Finally, in order to register a domain name as a valid e-mail destination an MX record needs to be added to the DNS zone. For example if mail.company.com is a mail server, then in order for it to accept mail such as joe@company.com you need the following configuration:

1. Add company.com to /etc/mail/local-host-names
2. Add "company.com. IN MX 10 mail.company.com." to the company.com zone file

8. The Apache server

Configuration files

The /etc/httpd/conf/httpd.conf file contains all the configuration settings. Older releases of Apache had two extra files, one called access.conf where restricted directories were declared, and another called srm.conf specifying the server's document root.

Configuration highlights:

    ServerType     standalone/inetd
    ServerRoot     /etc/httpd
    DocumentRoot   /var/www/html

    <Directory /var/www/cgi-bin>
        AllowOverride None
        Options ExecCGI
        Order allow,deny
        Allow from all
    </Directory>

    <VirtualHost 122.234.32.12>
        DocumentRoot /www/docs/server1
        ServerName virtual.mydomain.org
    </VirtualHost>

The directives above are Apache 1.3 syntax: ServerType disappeared in Apache 2.0, and in Apache 2.4 the Order/Allow access control lines are written "Require all granted". Options ExecCGI allows CGI scripts in that directory to be executed as the server user, so the directory must be writable by root only.

Running Apache

To stop and start the server one can use the /etc/rc.d/init.d/httpd script. On a busy server it is preferable to use apachectl, especially with the graceful option, which restarts the server only when current connections have been dealt with. The main log files are in /var/log/httpd/. It is useful for security reasons to regularly check the error_log and access_log files.


9. Exercises

Setting up a DNS master server

As an exercise we will install the BIND 9 rpm package and configure a domain called gogo.com.

1. Carry out the following alterations in /etc/named.conf. Copy and paste the following paragraphs and alter them as follows:

    zone "localhost" in {
        type master;
        file "localhost.zone";
    };

becomes

    zone "gogo.com" in {
        type master;
        file "gogo.zone";
    };

and

    zone "0.0.127.in-addr.arpa" in {
        type master;
        file "127.0.0.zone";
    };

becomes

    zone "2.168.192.in-addr.arpa" in {
        type master;
        file "192.168.2.zone";
    };

2. In /var/named:

    cp 127.0.0.zone 192.168.2.zone
    cp localhost.zone gogo.zone

3. Change the appropriate fields in the new zone files (the zone's own name, the SOA serial, the NS record and the address records). Add a host called harissa.

4. Add the line "nameserver 127.0.0.1" to /etc/resolv.conf.

5. Use host to resolve harissa.gogo.com.

Apache administration

Basic configurations in /etc/httpd/conf/httpd.conf:

1. Change the Port directive from 80 to 8080.

2. Check that Apache is responding with telnet localhost 8080. You should get:

    Trying 127.0.0.1...
    Connected to localhost.linuxit.org.
    Escape character is '^]'.

Next type 'GET /' to download the index file.

3. Set StartServers to 15 (default 8). Restart httpd and check that 15 processes are started (instead of the default 8).

IP based virtual server

Your ethernet card must be aliased to a new IP (say new-IP):

    ifconfig eth0:0 new-IP

Add the following paragraph to /etc/httpd/conf/httpd.conf:

    <VirtualHost new-IP>
        DocumentRoot /var/www/html/virtual
        ServerName www2
    </VirtualHost>

Setting up a shared SMB directory

In most cases you won't need to add smb users to the system to do this. Simply edit smb.conf and add the following:

    [public]
        comment = Example Shared Directory
        path = /home/samba
        guest ok = yes
        writeable = yes

A share with guest ok = yes and writeable = yes is an anonymous drop box: anyone who can reach port 139/445 can read and write it, so use it only on a trusted LAN.

Setting up a shared printer:

    [global]
    --- snip ---
    printcap name = /etc/printcap
    load printers = yes

    [printers]
        comment = All Printers
        path = /var/spool/samba
        browseable = no
        # Set public = yes to allow user 'guest account' to print
        guest ok = yes
        writable = no
        printable = yes


Bash Scripting

1. The bash environment

Variables

When you type a command at the prompt the bash shell uses the PATH variable to find which executable on the system you want to run. You can check the value of PATH using the echo command:

    echo $PATH
    /usr/bin:/bin:/usr/sbin:/usr/X11R6/bin:/usr/local/bin:/sbin:/usr/local/sbin

Never put "." or a world-writable directory in PATH, especially for root: a command name typed while in a directory an attacker can write to would run the attacker's file.

In fact many variables are needed by the shell to accommodate each user's environment. For example PWD, HOME, TERM and DISPLAY are such variables. To declare and initialise a variable the syntax is as follows:

    VARIABLE=VALUE

Remember not to put any spaces around the '=' sign. Once a variable is declared and initialised it can be referenced by putting a dollar sign in front of it, as here:

    echo $VARIABLE

When a shell session is started a number of configuration files are read and most of the variables are set. To free a variable from its current value use unset.

Configuration files

One can distinguish configuration files which are read at login time and configuration files which are read for each new bash session.

Login configuration files:

The files which are read at login are /etc/profile and ~/.bash_profile (bash will look for alternative files too, such as ~/.bash_login and ~/.profile, using the first one it finds). Next bash reads its runtime control files ~/.bashrc and (if it exists) /etc/bashrc.

The bashrc files:

These files are read each time a new interactive shell is launched (such as a new xterm). The files are /etc/bashrc and ~/.bashrc. Aliases and functions can be saved in ~/.bashrc.

Function syntax:

    function-name () {
        command1
        command2
    }

You can test which files are being read by adding an "echo Profile" line in /etc/profile, then type:

    bash            No profile is read, you shouldn't see anything
    bash --login    This forces bash to act as a login shell, the word Profile should show up

The following commands control the way bash starts:

    bash --norc
    bash --noprofile

Notice that a new bash session inherits only the variables its parent exported (with export VAR), such as those exported from /etc/profile and ~/.bash_profile; a plain VARIABLE=VALUE assignment stays in the shell where it was made.

2. Scripting Essentials

The script file

A shell script is a list of instructions saved in a flat file. Only two things are necessary:

1. The script's first line must be #!/bin/bash (for a bash script)
2. The file must be readable and executable (with 755 permissions, for example)

If these conditions are not met it is still possible to run the script by typing bash program-name.

Passing variables to the script

Arguments entered on the command line are referenced inside the script as $1 for the first argument, $2 for the second, and so on.

Example script, mycat:

    #!/bin/bash
    cat "$1"

This script expects one argument, a file, and displays the content of the file using cat. The double quotes keep a file name containing spaces as one argument. To run this script on the lilo.conf file, you would run:

    ./mycat /etc/lilo.conf

Another way of passing values to a script is to let the script prompt the user for input interactively. This is achieved using the read command. The default name of the read variable is REPLY. Here is the modified script:

    #!/bin/bash
    echo -n "Which file shall I display? "
    read
    cat "$REPLY"

or

    read -p "File to display: " FILENAME
    cat "$FILENAME"

Special variables

Special variables can only be referenced; they are set automatically by bash. These are the most common special variables you will encounter:

    $*    All the arguments entered on the command line, as one string
    $@    All the arguments, each kept as a separate word when written "$@"
    $#    Number of arguments entered on the command line
    $0    The name of the script
    $!    PID of the most recent background command
    $$    PID of the current shell
    $?    Exit code of the last command

For the positional parameters $1, $2, etc. there is a shift operator which renames each parameter as follows: $2 becomes $1, $3 becomes $2, and so on, and $# is decreased by one. This can be summarised as $(n+1) becomes $n.

3. Logical evaluations

Logical statements are evaluated with the test command or the brackets [ ]. In both cases the result is stored in the $? variable such that:

    if the statement is true then $? is 0
    if the statement is false then $? is not 0

Here are some examples to illustrate:

    using test                using [ ]                 meaning
    test -f /bin/bash         [ -f /bin/bash ]          test if /bin/bash is a regular file
    test -x /etc/passwd       [ -x /etc/passwd ]        test if /etc/passwd is executable

One can evaluate more than one statement at a time using the || (OR) and && (AND) logical operators on the command line. For example we could test if /bin/bash is executable and /etc/inittab exists:

    test -x /bin/bash && test -e /etc/inittab
    [ -e /bin/kbash ] || [ -f /etc/passwd ]

This is the same as using the flags -o and -a within the test operator, for example:

    test -x /bin/bash -a -f /etc/inittab
    [ -e /bin/kbash -o -f /etc/passwd ]

Note that -a and -o are marked obsolescent by POSIX and become ambiguous with more than a few operands; joining separate test commands with && and || is the portable form. Also quote variables inside test ([ -f "$file" ]): an empty or space-containing value would otherwise change the number of operands and produce a syntax error or a wrong result.
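Worked example, added here and not part of the LinuxIT guide, covering this section and the special variables of the previous one: the test operators, && and ||, $#, "$@", $? and shift used together in a small path checker. Unlike [ -w ], which only says whether we may write a file, the checker looks at the "other" write bit, which is what matters when deciding whether a script may trust a file. The temporary files are constructed here and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the LinuxIT guide: the special variables ($#, "$@",
# $?, shift) and the test/[ ] operators with && and || used together in a
# small path checker. The temporary files are constructed here; the
# function names are this example's own.

# is_world_writable PATH: the 9th character of the ls -l mode string is the
# "other" write bit, which [ -w ] cannot tell us (it tests our own access).
is_world_writable() {
    [ "$(ls -ld "$1" | cut -c9)" = w ]
}

# classify PATH: print a short description and return 0 only if PATH is
# safe for a script to rely on: a readable regular file or a directory,
# neither of them writable by everyone.
classify() {
    p=$1
    [ -e "$p" ] || { echo missing; return 1; }
    if [ -d "$p" ]; then
        is_world_writable "$p" && { echo dir:world-writable; return 1; }
        echo dir
        return 0
    fi
    [ -f "$p" ] || { echo special; return 1; }        # device, socket, ...
    [ -r "$p" ] || { echo file:unreadable; return 1; }
    is_world_writable "$p" && { echo file:world-writable; return 1; }
    if [ -x "$p" ]; then echo file:exec; else echo file; fi
    return 0
}

# check_paths PATH...: classify every argument, consuming them with shift,
# print "N of M ok" and return 0 only if all were safe.
check_paths() {
    total=$#
    ok=0
    while [ $# -gt 0 ]; do
        if classify "$1" >/dev/null; then ok=$((ok + 1)); fi
        shift                       # $2 becomes $1, $# drops by one
    done
    echo "$ok of $total ok"
    [ "$ok" -eq "$total" ]
}

# Constructed demo tree.
demo_dir=$(mktemp -d)
printf 'x\n' > "$demo_dir/ok.txt";       chmod 644 "$demo_dir/ok.txt"
printf 'x\n' > "$demo_dir/bad.txt";      chmod 666 "$demo_dir/bad.txt"
printf '#!/bin/sh\n' > "$demo_dir/tool"; chmod 755 "$demo_dir/tool"
mkdir "$demo_dir/sub";                   chmod 755 "$demo_dir/sub"

for f in ok.txt bad.txt tool sub none; do
    printf '%-8s %s\n' "$f" "$(classify "$demo_dir/$f")"
done
check_paths "$demo_dir/ok.txt" "$demo_dir/bad.txt" "$demo_dir/tool" "$demo_dir/sub" ||
    echo "check_paths failed: status $? (expected, bad.txt is world-writable)"
```

The while/shift loop is the classic way to walk through "$@" in a script that must work with any number of arguments; the alternative `for p in "$@"` is shorter but leaves the positional parameters in place.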

4. Conditionals and loops

if then

Strictly speaking if is a conditional, not a loop. Syntax:

    if CONDITION ; then
        command1
        command2
    fi

Example:

    #!/bin/bash
    if [ -x /bin/bash ] ; then
        echo "The file /bin/bash is executable"
    fi

if then else

Syntax:

    if CONDITION ; then
        command1
        command2
    else
        command3
    fi

while loop

Syntax:

    while CONDITION is true; do
        command
    done

Example: print 10 hashes (#) then exit

    #!/bin/bash
    COUNTER=0
    while [ $COUNTER -lt 10 ]; do
        echo -n "#"
        sleep 1
        let COUNTER=COUNTER+1
    done

until loop

Syntax:

    until CONDITION is true; do
        command
    done

The body runs as long as the condition is false. Example: similar to the above, notice the C-style decrement of COUNTER

    #!/bin/bash
    COUNTER=20
    until [ $COUNTER -lt 10 ]; do
        echo -n "#"
        sleep 1
        let COUNTER-=1
    done

for loop

Syntax:

    for VARIABLE in SET; do
        command
    done

Example: the set can be the words of a file. Note that the output of `cat` is split on whitespace, so a line containing spaces becomes several iterations; to loop over whole lines, feed the file to a while loop with read -r instead.

    #!/bin/bash
    for line in `cat /etc/lilo.conf`; do
        IMAGE=$(echo $line | grep image)
        if [ "$IMAGE" != "" ]; then
            echo Kernel configured to boot: $line
        fi
    done

5. Expecting user input

We assume that the script is waiting for user input; depending on the answer, the rest of the program will execute something accordingly. There are two common ways to achieve this: case and select.

Using case. Syntax:

    case $VARIABLE in
        CHOICE) command ;;
        CHOICE) command ;;
    esac

The choices are shell patterns matched in order; a final pattern of * catches anything that did not match, which is the place to reject unexpected input rather than let it fall through.

Using select. Syntax:

    select VARIABLE in SET; do
        if [ "$VARIABLE" = CHOICE ]; then
            command
        fi
        if [ "$VARIABLE" = CHOICE ]; then
            command
        fi
    done

select prints the items of SET as a numbered menu and sets VARIABLE to the chosen item, or to an empty string if the number typed is not on the menu (which is why the quotes around $VARIABLE matter); the loop repeats until break is called.

6. Working with numbers

While shell scripts handle character strings seamlessly, a little effort is needed to perform even basic arithmetic.

Binary operations

Adding or multiplying numbers together can be achieved using either expr or the $(( )) construct. Example:

    expr 7 + 3; expr 2 \* 10; expr 40 / 4; expr 30 - 11
    echo $((7+3)); echo $((2*10)); echo $((40/4)); echo $((30-11))

Both lines print 10, 20, 10 and 19. The * must be escaped for expr so that the shell does not expand it as a wildcard; inside $(( )) it needs no escaping, and the result is substituted into the command line, which is why it is echoed here. Shell arithmetic is integer only: 7/2 gives 3.

Comparing values

Test operators:

    Numbers    -lt  -gt  -le  -ge  -eq  -ne
    Strings    =    !=   -z   -n

-z tests for an empty string and -n for a non-empty one. Do not use the numeric operators on strings: [ abc -eq 0 ] is an error, and a value read from the user that is not a number will make such a test fail instead of compare.
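Worked example, added here and not part of the LinuxIT guide, serving the loop, case and arithmetic sections above: a while/read loop with $(( )) counters and a case on the login shell, applied to an /etc/passwd excerpt, plus a for loop over a set derived from the data. The passwd lines are constructed (the "toor" and "bob" entries are deliberately bad) and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the LinuxIT guide: a while loop with read, case and
# $(( )) arithmetic applied to an /etc/passwd excerpt, plus a for loop over a
# set derived from the data. The passwd lines are constructed (the "toor"
# and "bob" entries are deliberately bad); function names are the example's own.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob::1001:1001:Bob:/home/bob:/bin/bash
toor:x:0:0:backdoor:/root:/bin/sh
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin'

# account_report: passwd lines on stdin; prints one "finding:" line per
# suspicious interactive account and a final summary line
# "system=N regular=N findings=N".
account_report() {
    system=0; regular=0; findings=0
    while IFS=: read -r user pw uid gid gecos home shell; do
        [ -z "$user" ] && continue
        if [ "$uid" -lt 1000 ]; then
            system=$((system + 1))
        else
            regular=$((regular + 1))
        fi
        case $shell in                  # non-interactive shells need no checks
            */nologin|*/false) continue ;;
        esac
        if [ "$uid" -eq 0 ] && [ "$user" != root ]; then
            echo "finding: $user has uid 0"
            findings=$((findings + 1))
        fi
        if [ -z "$pw" ]; then
            echo "finding: $user has an empty password field"
            findings=$((findings + 1))
        fi
    done
    echo "system=$system regular=$regular findings=$findings"
}

# shell_histogram: passwd lines on stdin; one "count shell" line per distinct
# login shell, the for loop running over the set of shells seen.
shell_histogram() {
    data=$(cat)
    for s in $(printf '%s\n' "$data" | cut -d: -f7 | sort -u); do
        n=$(printf '%s\n' "$data" | cut -d: -f7 | grep -c -x -F "$s")
        echo "$n $s"
    done
}

# summary_field NAME: the value of NAME=... on the report's summary line
summary_field() {
    printf '%s\n' "$SAMPLE_PASSWD" | account_report |
        sed -n "s/.*$1=\([0-9]*\).*/\1/p"
}

printf '%s\n' "$SAMPLE_PASSWD" | account_report
printf '%s\n' "$SAMPLE_PASSWD" | shell_histogram
```

Run against the real file with `account_report < /etc/passwd`. Setting IFS=: only for the read command is what splits the colon-separated fields without affecting the rest of the script; the counters stay integers because $(( )) is used, and a second uid 0 account or an empty password field are exactly the two things worth checking in /etc/passwd after a suspected compromise.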

7. Exercises

1. On the command line export the variable TEST:

    export TEST=old

2. Write the script

    #!/bin/bash
    echo old variable: $TEST
    export TEST=new
    echo exported variable: $TEST

3. What is the value of $TEST once the script has run?

4. The following script called test_shell will print the PID of the shell that is interpreting it:

    #!/bin/bash
    if [ -n "$(echo "$0" | grep test)" ]; then
        echo The PID of the interpreter is: $$
    else
        echo The PID of the interpreter is: $$
    fi

5. Set the permissions to 755 and test the following commands:

    test_shell
    ./test_shell
    bash test_shell
    . test_shell
    source test_shell
    exec ./test_shell

Compare the PID printed with the PID of your interactive shell (echo $$) each time; the point of the exercise is to see which commands run the script in a child process and which run it in the current shell.


Basic Security

1. Local security

The BIOS

If anyone has access to a rescue disk or a Linux disk that boots from a floppy or a CD-ROM it is extremely easy to gain read access to any file on the system. To prevent this the BIOS should be set to boot only off the hard drive. Once this is done set a password on the BIOS. Keep in mind that this only raises the bar: someone with physical access can usually reset the BIOS password by clearing the CMOS, or remove the disk and read it elsewhere; only encryption protects the data in that case.

LILO

LILO can be given options at boot time. In particular some Linux distributions will not ask for a password when starting the system in single user mode or runlevel 1. There are two options that should be added to /etc/lilo.conf: the restricted option prompts the user for a password when parameters are given, and the password=... option sets the password string. Restricted means that LILO cannot be given any parameters without the password specified in lilo.conf.

    boot=/dev/hda
    install=/boot/boot.b
    prompt
    timeout=50
    password="password"
    restricted

Since the password is stored in clear text, /etc/lilo.conf must be readable by root only (chmod 600 /etc/lilo.conf), and lilo must be re-run for the change to take effect.

File permissions

To prevent attackers causing too much damage it is recommended to take the following steps.

1) Make vital system tools immutable, or log files append-only, with chattr (the + sets the attribute; -i and -a would remove it):

    chattr +i /bin/login
    chattr +i /bin/ps
    chattr +a /var/log/messages

An immutable file cannot be modified, deleted or renamed even by root until the attribute is removed with chattr -i; an append-only log can receive new lines but existing lines cannot be altered or truncated. Root can remove the attributes, so this protects against careless or automated tampering rather than against a determined attacker who already has root.

2) Mount /tmp and /home nosuid or noexec. Lines to be changed in /etc/fstab:

    /tmp     /tmp     ext2   nosuid   1 2
    /home    /home    ext2   noexec   1 2

(In a real fstab the first field is the device or label of the partition holding the filesystem.) nosuid ignores the setuid bit on files in that filesystem; noexec refuses to execute binaries from it, which stops the classic "download to /tmp and run" step, although a script can still be run by passing it to an interpreter.

3) Find all files on the system that don't belong to a user or a group, and all setuid files:

    find / -nouser -o -nogroup
    find / -perm -4000
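Worked example, added here and not part of the LinuxIT guide: the find(1) checks of step 3, wrapped in a function and run against a constructed directory tree so that the result can be verified, together with a check for world-writable files and directories without the sticky bit, which is what the nosuid/noexec mount options of step 2 are defending against. The function names and the demo tree are the example's own.

```shell
#!/bin/sh
# Added example, not from the LinuxIT guide: the find(1) checks from step 3
# above, wrapped in a function and run against a constructed directory tree
# so the result can be verified. Also lists world-writable files and
# directories lacking the sticky bit. Function names and the demo tree are
# this example's own.

# audit_tree DIR: print "kind path" lines. The leading "-" in -perm -4000
# means "these bits set, whatever the others are".
audit_tree() {
    dir=$1
    find "$dir" -type f \( -perm -4000 -o -perm -2000 \) -print |
        sed 's/^/setid /'
    find "$dir" \( -type f -o -type d \) -perm -0002 ! -perm -1000 -print |
        sed 's/^/world-writable /'
    find "$dir" \( -nouser -o -nogroup \) -print |
        sed 's/^/orphan /'
}

# count_kind DIR KIND: how many findings of one kind (setid, world-writable,
# orphan) the audit reports.
count_kind() {
    audit_tree "$1" | grep -c "^$2 "
}

# Constructed demo tree: two set-id binaries, a sticky tmp (fine), an open
# drop directory and a world-writable file (not fine).
demo=$(mktemp -d)
mkdir -p "$demo/bin" "$demo/tmp" "$demo/drop"
printf '#!/bin/sh\n' > "$demo/bin/su-copy";   chmod 4755 "$demo/bin/su-copy"
printf '#!/bin/sh\n' > "$demo/bin/sgid-tool"; chmod 2755 "$demo/bin/sgid-tool"
printf 'x\n' > "$demo/notes.txt";              chmod 666 "$demo/notes.txt"
printf 'x\n' > "$demo/ok.txt";                 chmod 644 "$demo/ok.txt"
chmod 1777 "$demo/tmp"
chmod 777  "$demo/drop"

audit_tree "$demo"
```

On a real system run `audit_tree /` (with -xdev added to each find if you want to stay on one filesystem), save the setid list, and diff it against the saved copy regularly: a new setuid binary in /tmp or a user's home is the classic trace of a local root exploit. Orphan files (-nouser/-nogroup) typically appear after a user is deleted and are a sign that a cleanup was incomplete.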

Log files

The main logs are:

    /var/log/messages    information logged by the syslogd daemon
    /var/log/secure      information on failed logins, added users, etc.

The last tool lists all successful logins and reboots; the information is read from the /var/log/wtmp file. The lastb tool does the same for failed logins, read from /var/log/btmp where that file exists. The who and w tools list all users currently logged onto the system using the /var/run/utmp file. Since an intruder's first action is often to edit these files, compare them with each other and with the log files, and consider sending syslog output to a separate host.

User limits

When the /etc/nologin file is present (it can be empty) it prevents all users from logging in to the system (except root). If the nologin file contains a message this is displayed after a successful authentication, before the login is refused.

In the /etc/security/ directory is a collection of files that allow administrators to limit user CPU time, maximum file size, maximum number of connections, etc. They are read by the corresponding PAM modules.

/etc/security/access.conf: disallow logins for groups and users from specific locations (pam_access).

/etc/security/limits.conf (pam_limits): the format of this file is

    <domain>  <type>  <item>  <value>

    domain    a user name, or a group name (with @group)
    type      hard or soft
    item      core       limits the core file size (KB)
              data       max data size (KB)
              fsize      maximum file size (KB)
              memlock    max locked-in-memory address space (KB)
              nofile     max number of open files
              cpu        max CPU time (MIN)
              nproc      max number of processes
              as         address space limit (KB)
              maxlogins  max number of simultaneous logins for this user
              priority   the priority to run user processes with
              locks      max number of file locks the user can hold

A soft limit is the value in force, which the user may raise with ulimit up to the hard limit; only root can raise a hard limit. A modest nproc limit for ordinary users is the usual defence against fork bombs.


2. Network security

Network security can be separated into two main categories:

Host based security

Access to resources can be granted based on the host requesting the service. This is handled by tcp_wrappers. The libwrap library, also known as tcp_wrappers, provides host based access control lists for a variety of network services. Many services, such as xinetd, sshd and portmap, are compiled against the libwrap library, thereby enabling tcp_wrapper support for these services.

When a client connects to a service with tcp_wrapper support, the /etc/hosts.allow and /etc/hosts.deny files are consulted to check the host requesting the service, in this order: if a matching line is found in hosts.allow the connection is granted; otherwise if a matching line is found in hosts.deny it is refused; otherwise it is granted. A host that appears in neither file is therefore allowed, so a restrictive setup ends hosts.deny with ALL: ALL.

The hosts_access files have 2, optionally 3, colon separated fields. The first field is the name of the daemon process, the second is a list of client patterns: a fully qualified host name, a domain name with a leading dot, an IP address, or a subnet with a trailing dot. The wildcards ALL and LOCAL (any host name without a dot) and the EXCEPT operator are also accepted. The syntax for the /etc/hosts.{allow|deny} files is as follows:

    service : hosts [EXCEPT hosts]

Example /etc/hosts.deny:

    ALL: ALL EXCEPT .example.com

/etc/hosts.allow:

    ALL: LOCAL 192.168.0.
    in.ftpd: ALL
    sshd: .example.com

Tcp_wrappers can run a command locally upon a host match in the hosts_access files. This is accomplished with the spawn option in the third field. With the % character, substitutions can be made for the client host name and address and the service name.

Example /etc/hosts.deny:

    ALL: ALL : spawn (/bin/echo `date` from %c for %d >> /var/log/tcpwrap.log) &

Since host names in these files come from reverse DNS, a client whose forward and reverse lookups disagree can be refused with the PARANOID wildcard; matching on addresses or subnets is more reliable than matching on names.

For more information on the use of % substitutions see the hosts_access(5) man page.

Port based security

With the packet filtering functionality built into the Linux kernel it is possible to limit access to resources by creating rule sets with utilities such as ipchains and iptables, which evaluate each packet entering any of the host's network interfaces and determine what happens to that packet.

There are three built-in chains in ipchains and iptables: input, forward and output for ipchains; INPUT, FORWARD and OUTPUT for iptables. When using ipchains all packets entering a network interface traverse the input chain. All packets not destined for this host traverse the forward chain. All packets generated from within the host and packets being forwarded traverse the output chain. With iptables the model is different: a packet for this host traverses INPUT only, a packet generated by this host traverses OUTPUT only, and a routed packet traverses FORWARD only, never INPUT or OUTPUT.

An ipchains or iptables rule can specify a source (-s), destination (-d), protocol (-p) and port.

Example: all packets from 192.168.0.244 will be denied

    ipchains -A input -s 192.168.0.244 -j DENY

Ipchains and iptables rules can be manipulated with the following options:

    -A    Append
    -D    Delete
    -P    Change the default policy for a chain
    -I    Insert
    -F    Flush the rule(s) in a chain
    -N    Create a user defined chain
    -X    Delete a user defined chain
    -L    List

Example: the default policy of the built-in iptables chains can be changed from ACCEPT to DROP as follows. A chain policy must be one of the built-in targets ACCEPT or DROP; REJECT is a target extension that may be used in rules but not as a policy.

    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT DROP

With the development of the 2.4 Linux kernel came the Netfilter project, which uses the iptables utility to manage firewall rules. The major difference between iptables and ipchains is that iptables can evaluate a packet based on its state in terms of the other packets that have passed through the kernel (connection tracking). It is this stateful packet evaluation that makes iptables far superior. Below is an example of how stateful firewalling can be used. It is in the form of a shell script as there are a number of commands to be typed in order to achieve the end result.

Example:

    #!/bin/sh
    # A basic script that will work well for the home user, or anyone who
    # does not require any connection from the Internet, but will still work
    # as a gateway for the local network and allow connections from the local
    # LAN to ALL services.
    # Note: the INPUT rule marked "www" below additionally allows connections
    # from the Internet to port 80 (http).

    # Variables
    IPTABLES="/sbin/iptables"
    LAN_IFACE="eth0"
    INET_IFACE="eth1"
    INET_IP="1.2.3.4"
    LOCALHOST_IP="127.0.0.1/32"
    LAN_IP="192.168.0.1/32"
    LAN_BCAST="192.168.0.0/24"

    # Setup IP masquerading
    echo "1" > /proc/sys/net/ipv4/ip_forward
    $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE

    # Specify the default policy for the built-in chains
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT DROP

    # Specify INPUT rules: anything not arriving from the Internet interface
    # (i.e. loopback and the LAN) is accepted
    $IPTABLES -A INPUT ! -i $INET_IFACE -j ACCEPT
    # www: new connections from the Internet to the local web server
    $IPTABLES -A INPUT -p TCP -i $INET_IFACE -m state --state NEW --dport http -j ACCEPT
    # replies to connections this host opened
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Specify FORWARD rules: the LAN may open anything, only replies come back
    $IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Specify OUTPUT rules: the host may send from any of its own addresses
    $IPTABLES -A OUTPUT -p ALL -s $LOCALHOST_IP -j ACCEPT
    $IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
    $IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT

The "! -i" negation is the current iptables syntax (older versions wrote "-i ! eth1"). The last OUTPUT rule is not in the original listing: without it the gateway's own packets to the Internet, which carry INET_IP as their source, are dropped by the OUTPUT policy, although LAN hosts are still masqueraded since forwarded packets never traverse OUTPUT. LAN_BCAST is defined but unused. The web server rule accepts NEW connections from any Internet address, so the server behind it must be kept patched. Finally, the script must be run at every boot (for example from an init script), because iptables rules and the ip_forward setting do not survive a reboot.


3. The Secure Shell

* Host authentication

With ssh both the host and the user authenticate. The host authentication is done with public keys. The host's public and private keys are usually kept in /etc/ssh if you are using OpenSSH. Depending on the protocol used the host key file is called ssh_host_key for protocol 1 and ssh_host_rsa_key or ssh_host_dsa_key for protocol 2 (newer releases add ssh_host_ecdsa_key and ssh_host_ed25519_key). Each of these keys has a corresponding public key, for example ssh_host_key.pub.

When an ssh client connects to a server, the server presents its host public key. At this stage the user is prompted with something like this:

    The authenticity of host 'neptune (110.0.0.8)' can't be established.
    RSA key fingerprint is 8f:29:c2:b8:b4:b2:e3:e7:ec:89:80:b3:db:42:07:f4.
    Are you sure you want to continue connecting (yes/no)?

If you accept to continue the connection the server's public key is added to the local $HOME/.ssh/known_hosts file. This is the only moment at which the user can be tricked into connecting to an impostor: the fingerprint should be compared with one obtained out of band (from the administrator, or by running ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub on the server console) before answering yes. On later connections the client checks the key against known_hosts and refuses to connect if it has changed.

* User authentication (using passwords)

Then the user is prompted for the password of his account on the remote server and logs in.

* User authentication (using keys)

The user authentication can also use keys. For this the user needs to generate a private/public key pair. For example:

    ssh-keygen -t dsa -b 1024

will generate a 1024-bit DSA key. By default these keys are saved in $HOME/.ssh and in this example are called id_dsa and id_dsa.pub. If we have an id_dsa.pub we can "plant" this key on a remote account and avoid typing passwords for further connections. To do this we copy the content of the file id_dsa.pub into the file authorized_keys (older documentation says authorized_keys2, a name OpenSSH has treated as deprecated since version 3.0) kept in the remote $HOME/.ssh directory; ssh-copy-id does this for you.

DSA keys of this size are no longer acceptable: OpenSSH disabled DSA by default in version 7.0 and removed it in 9.8, and protocol 1 was removed in 7.6. On a current system use ssh-keygen -t ed25519 (or -t rsa -b 4096) and protect the private key with a passphrase, so that a copied key file alone is not enough to log in.

WARNING: All private keys in /etc/ssh and ~/.ssh must have permission 600 (readable by their owner only). ssh refuses to use a private key file that other users can read, and with StrictModes (the default) sshd ignores an authorized_keys file, or a ~/.ssh directory, that is writable by anyone other than the owner.
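Worked example, added here and not part of the LinuxIT guide: a shell check for the permission rules the warning states (private keys 600) together with the related ones sshd enforces under StrictModes (~/.ssh and authorized_keys not writable by group or others). It runs against a constructed ~/.ssh and relies on GNU stat as found on Linux; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the LinuxIT guide: check the permission rules the
# warning above states (private keys 600) together with the related ones
# sshd enforces under StrictModes (~/.ssh and authorized_keys not writable by
# group or others). Runs against a constructed ~/.ssh; uses GNU stat (Linux).
# Function names are this example's own.

# mode_of PATH: permission bits as three octal digits, e.g. 600
mode_of() {
    m=$(stat -c %a "$1")
    printf '%s\n' "${m#"${m%???}"}"     # keep the last three digits only
}

# check_ssh_dir DIR: print one "problem:" line per violation
check_ssh_dir() {
    d=$1
    m=$(mode_of "$d")
    [ "$m" = 700 ] || echo "problem: $d is mode $m, want 700"
    for key in "$d"/id_* "$d"/identity; do
        [ -f "$key" ] || continue
        case $key in *.pub) continue ;; esac         # public halves may be 644
        m=$(mode_of "$key")
        case $m in
            600|400) ;;
            *) echo "problem: private key $key is mode $m, want 600" ;;
        esac
    done
    for f in "$d"/authorized_keys "$d"/authorized_keys2 "$d"/known_hosts; do
        [ -f "$f" ] || continue
        m=$(mode_of "$f")
        g=$(printf '%s' "$m" | cut -c2)               # group digit
        o=$(printf '%s' "$m" | cut -c3)               # other digit
        if [ $((g & 2)) -ne 0 ] || [ $((o & 2)) -ne 0 ]; then
            echo "problem: $f is mode $m, writable by group or others"
        fi
    done
}

# count_problems DIR: number of problem lines
count_problems() {
    check_ssh_dir "$1" | grep -c '^problem:'
}

# Constructed ~/.ssh with two deliberate mistakes.
home=$(mktemp -d)
sshdir=$home/.ssh
mkdir "$sshdir";                    chmod 700 "$sshdir"
: > "$sshdir/id_ed25519";           chmod 600 "$sshdir/id_ed25519"
: > "$sshdir/id_ed25519.pub";       chmod 644 "$sshdir/id_ed25519.pub"
: > "$sshdir/id_rsa";               chmod 644 "$sshdir/id_rsa"          # readable by all
: > "$sshdir/authorized_keys";      chmod 664 "$sshdir/authorized_keys" # group-writable
: > "$sshdir/known_hosts";          chmod 644 "$sshdir/known_hosts"

check_ssh_dir "$sshdir"
```

Run `check_ssh_dir ~/.ssh` on each account, or loop over /home/*/.ssh as root. A group-writable authorized_keys is the case to watch for: it lets any member of the group add their own key and log in as that user, which is why sshd silently ignores the file in that state and the user is left wondering why key login "stopped working".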

* sshd configuration file

Sample /etc/ssh/sshd_config file:

    #Port 22
    #Protocol 2,1
    #ListenAddress 0.0.0.0
    #ListenAddress ::

    # HostKey for protocol version 1
    #HostKey /etc/ssh/ssh_host_key
    # HostKeys for protocol version 2
    #HostKey /etc/ssh/ssh_host_rsa_key
    #HostKey /etc/ssh/ssh_host_dsa_key

The commented lines show the compiled-in defaults of the OpenSSH version the guide was written for. Two settings worth setting explicitly on a server of that era are Protocol 2 (never allow a fall back to protocol 1) and PermitRootLogin no, so that root can only be reached through an individual account and su or sudo.

* ssh configuration file

Sample /etc/ssh/ssh_config or $HOME/.ssh/config file:

    # Host *
    #   ForwardX11 no
    #   RhostsAuthentication no
    #   RhostsRSAAuthentication no
    #   RSAAuthentication yes
    #   PasswordAuthentication yes
    #   HostbasedAuthentication no
    #   CheckHostIP yes
    #   IdentityFile ~/.ssh/identity
    #   IdentityFile ~/.ssh/id_rsa
    #   IdentityFile ~/.ssh/id_dsa
    #   Port 22
    #   Protocol 2,1
    #   Cipher 3des

4. Time configuration

The system date

The system date can be changed with the date command. The syntax is:

    date MMDDhhmm[[CC]YY][.ss]

The hardware clock

The hardware clock can be read and changed directly with the hwclock utility. The main options are:

    -r or --show       prints the current hardware clock time
    -w or --systohc    sets the hardware clock to the current system time
    -s or --hctosys    sets the system time to the current hardware clock time


Using NTP
The Coordinated Universal Time (UTC) is a standard used to keep track of time based on the Earth's rotation about its axis. However, because of the slight irregularities of the rotation, leap seconds need to be inserted into the UTC scale using atomic clocks. Since computers are not equipped with atomic clocks the idea is to use a protocol to synchronize computer clocks across the Internet. NTP stands for Network Time Protocol and is one such protocol. Computers that are directly updated by an atomic clock are called primary time servers and are used to update a larger number of secondary time servers. This forms a tree structure similar to the DNS structure. The root servers are on the first level or stratum, the secondary servers on the second and so on.

Configuring a client to query an NTP server:
An NTP daemon called ntpd is used to regularly query a remote time server. All that is needed is a server entry in /etc/ntp.conf pointing to a public or corporate NTP server. Public NTP servers can be found online. The NTP protocol can also estimate the frequency errors of the hardware clock from a sequence of queries; this estimate is written to a file referred to with the driftfile tag.

Minimal /etc/ntp.conf file:

    server ntp2.somewhere.com
    driftfile /var/lib/ntp/drift

Once ntpd is started it will itself be an NTP server providing services on port 123 using UDP.

One off queries:
The ntp package also provides the ntpdate tool which can be used to set the time on the command line:

    ntpdate ntp2.somewhere.com

5. Kernel security
There are several security options available in the Linux kernel. These include mainly the syn_cookie mechanism. Stack overflow is handled by a security patch called openwall or OWL.

tcp_syncookies
To enable this option you simply do the following:

    [root@nasaspc /proc]# echo "1" > /proc/sys/net/ipv4/tcp_syncookies

This will instruct the kernel to send a cookie to the client in its SYN/ACK response. In this mode the server then closes the socket and waits for the client's ACK with the appropriate cookie. If the tcp_syncookies file is not present in the /proc directory then you need to recompile the kernel with syncookies support.
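Writing "1" into /proc only lasts until the next reboot, so a setting like this should be verified in two places: the running value and the file that restores it at boot. The function below is an added example, not code from the guide; it takes both paths as arguments so it can be exercised on constructed files, and on a real host it would be called as syncookies_status /proc/sys/net/ipv4/tcp_syncookies /etc/sysctl.conf. The four status words it prints are this example's own convention.

```shell
#!/bin/sh
# Added example (not from the LinuxIT guide): report whether SYN cookies are
# active now and whether /etc/sysctl.conf will re-enable them after a reboot.
# Assumptions: POSIX sh and grep -E; both paths are parameters so the check
# can run against constructed files instead of the live /proc and /etc.

# syncookies_status RUNTIME_FILE SYSCTL_CONF
# Prints one of: unsupported, disabled, enabled-volatile, enabled-persistent
syncookies_status() {
    runtime=$1; conf=$2
    # No /proc entry at all: the kernel was built without syncookies support.
    [ -r "$runtime" ] || { echo unsupported; return 0; }
    if [ "$(cat "$runtime")" != 1 ]; then
        echo disabled; return 0
    fi
    # Persistent only if an uncommented "net.ipv4.tcp_syncookies = 1" exists.
    if [ -f "$conf" ] && grep -Eq \
         '^[[:space:]]*net\.ipv4\.tcp_syncookies[[:space:]]*=[[:space:]]*1[[:space:]]*$' \
         "$conf"; then
        echo enabled-persistent
    else
        echo enabled-volatile
    fi
}

# Constructed demonstration files (a stand-in for /proc and /etc/sysctl.conf).
demo=$(mktemp -d)
echo 1 > "$demo/tcp_syncookies"
printf '# Kernel sysctl configuration\nnet.ipv4.tcp_syncookies = 1\n' > "$demo/sysctl.conf"
printf '#net.ipv4.tcp_syncookies = 1\n' > "$demo/sysctl.conf.commented"

syncookies_status "$demo/tcp_syncookies" "$demo/sysctl.conf"            # enabled-persistent
syncookies_status "$demo/tcp_syncookies" "$demo/sysctl.conf.commented"  # enabled-volatile
rm -rf "$demo"
```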


Notice: By default, even if syncookies are supported by the kernel, you need to activate the support by adding a "1" to /proc/sys/net/ipv4/tcp_syncookies. This is usually done in /etc/rc.d/rc.local. However a more efficient solution would be to add an entry to /etc/sysctl.conf.

The owl security patch (this section is not an LPI objective)
This patch takes care of most stack related issues and is beyond the scope of this course. It is however easy to test whether or not your system is vulnerable with binaries provided with the downloaded patch. Resources for the owl patch and the Linux kernel:

    http://www.openwall.com
    http://www.kernel.org/pub/linux/kernel/v2.2/

There is only support for kernel 2.2-19 so far. After downloading linux-2.2.19.tar.gz and linux-2.2.19-ow1.tar.gz in the /usr/src/ directory, make sure you delete the linux symbolic link.

    [root@nasaspc src]# pwd
    /usr/src/
    [root@nasaspc src]# rm -rf linux

You next unbundle the packages.

    [root@nasaspc src]# tar xvzf linux-2.2.19.tar.gz
    [root@nasaspc src]# tar xvzf linux-2.2.19-owl.tar.gz

To test your system go into the linux-2.2-19-owl directory. There is a directory called optional that contains a file called stacktest.c.

    [root@nasaspc optional]# pwd
    /usr/src/linux-2.2.19-ow1/optional
    [root@nasaspc optional]# gcc stacktest.c -o stacktest

If you run stacktest you will get a list of options. Run the overflow emulation. A successful buffer overflow attack:

    [root@nasaspc optional]# stacktest
    Usage: ./stacktest OPTION
    Non-executable user stack area tests
    -t   call a GCC trampoline
    -e   simulate a buffer overflow exploit
    -b   simulate an exploit after a trampoline call
    [root@nasaspc optional]# stacktest -e
    Attempting to simulate a buffer overflow exploit... Succeeded.

To apply the patch you need to go into the linux directory. Here are the commands.

Applying the openwall patch:

    [root@nasaspc linux]# pwd
    /usr/src/linux
    [root@nasaspc linux]# patch -p1 < /usr/src/linux-2.2-19-owl/linux-2.2.19-ow1.diff

Now if you do make menuconfig you should see a new entry called Security options. The default selections are fine. From here you proceed with the compilation and installation of the kernel as usual.

Linux System Administration


Overview
We will concentrate on the main tasks of system administration such as monitoring log files and scheduling jobs using at and cron. This also includes an overview of the documentation available (manpages and online resources) as well as some backup concepts.

1. Logfiles and configuration files


The /var/log/ directory
This is the directory where most logfiles are kept. Some applications generate their own log files (such as squid or samba). Most of the system logs are managed by the syslogd daemon. Common system files are:

    cron       keeps track of messages generated when cron executes
    mail       messages relating to mail
    messages   logs all messages except private authentication (authpriv), cron, mail and news
    secure     logs all failed authentications, users added/deleted etc

The most important log file is messages, where most activities are logged.

The /etc/syslog.conf file
When syslogd is started it reads the /etc/syslog.conf configuration file by default. One can also start syslogd with -f and the path to an alternative config file. This file must contain a list of items followed by a priority, followed by the path to the log-file:

    item1.priority1 ; item2.priority2      /path-to-log-file

Valid items are:

    auth and authpriv   user general and private authentication
    cron                cron daemon messages
    kern                kernel messages
    mail
    news
    user                user processes
    uucp

Valid priorities are (from highest to lowest):

    emerg  alert  crit  err  warning  notice  info  debug  *  none

Priorities are minimal! All higher priorities will be logged too. To force a priority to be info only you need to use an '=' sign as in:

    user.=info      /var/log/user_activity

Listing of /etc/syslog.conf:

    # Log all kernel messages to the console.
    # Logging much else clutters up the screen.
    #kern.*                                     /dev/console
    # Log anything (except mail) of level info or higher.
    # Don't log private authentication messages!
    *.info;mail.none;news.none;authpriv.none    /var/log/messages
    # The authpriv file has restricted access.
    authpriv.*                                  /var/log/secure
    # Log all the mail messages in one place.
    mail.*                                      /var/log/maillog
    # Log cron stuff
    cron.*                                      /var/log/c1ron
    # Everybody gets emergency messages, plus log them on another
    # machine.
    *.emerg                                     *
    *.emerg                                     @10.1.1.254
    # Save boot messages also to boot.log
    local7.*                                    /var/log/boot.log
    #
    news.=crit                                  /var/log/news/news.crit
    news.=err                                   /var/log/news/news.err
    news.notice                                 /var/log/news/news.notice


2. Log Utilities

The logger command
The first utility, logger, conveniently logs messages to the /var/log/messages file. If you type the following:

    logger program myscript ERR

The end of /var/log/messages should now have a message similar to this:

    Jul 17 19:31:00 localhost penguin: program myscript ERR

Local settings
The logger utility logs messages to /var/log/messages by default. There are local items defined that can help you create your own logfiles as follows. local0 to local7 are available items for administrators to use. The availability depends on the system (RedHat local7 logs boot-time information in /var/log/boot.log). Add the following line to /etc/syslog.conf:

    local4.*        /dev/tty9

Restart the syslogd:

    killall -HUP syslogd

The next command will be logged on the /dev/tty9:

    logger -p local4.notice "This script is writing to /dev/tty9"

An interesting device is /dev/speech; this is installed with the Festival tools.

logrotate
The log files are updated using logrotate. Usually logrotate is run daily as a cron job. The configuration file /etc/logrotate.conf contains commands to create or compress files.

Listing of logrotate.conf

    # rotate log files weekly
    weekly
    # keep 4 weeks worth of backlogs
    rotate 4
    # send errors to root
    errors root
    # create new (empty) log files after rotating old ones
    create
    # uncomment this if you want your log files compressed
    compress
    # RPM packages drop log rotation information into this directory
    include /etc/logrotate.d
    # no packages own lastlog or wtmp -- we'll rotate them here
    /var/log/wtmp {
        monthly
        create 0664 root utmp
        rotate 1
    }

3. Automatic Tasks

Using cron
The program responsible for running crons is called crond. Every minute crond will read specific files containing commands to be executed. These files are called crontabs. User crontabs are in /var/spool/cron/<username>. These files should not be edited directly by non-root users and need to be edited using the crontab tool (see below). The system crontab is /etc/crontab. This file will periodically execute all the scripts in /etc/cron.*; this includes any symbolic link pointing to scripts or binaries on the system. To manipulate cron entries one uses the crontab utility. Scheduled tasks are viewed with the -l option as seen below:

    crontab -l
    # DO NOT EDIT THIS FILE - edit the master and reinstall
    # (/tmp/crontab.1391 installed on Tue Jul 17 17:56:48 2001)
    # (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
    0 * * 07 2 /usr/bin/find /home/penguin -name core -exec rm {} \;

Does the user root have any crontabs? Similarly the -e option will open your default editor and let you enter a cron entry. User root can use -u to view and change any user's cron entries.

To delete your crontab file use crontab -r. This is the format for crontabs:

    Minutes(0-59)  Hours(0-23)  Day of Month(1-31)  Month(1-12)  Day of Week(0-6)  command

Permissions: By default any user can use crontab. However you can control the accessibility with /etc/cron.deny and /etc/cron.allow.

Scheduling with "at"
The at jobs are run by the atd daemon. At jobs are spooled in /var/spool/at/. The at command is used to schedule a one off task with the syntax:

    at time

Where time can be expressed as:

    now
    3am + 2days
    midnight
    10:15 Apr 12
    teatime

For a complete list of valid time formats see /usr/share/doc/at-xxx/timespec. You can list commands that are scheduled with atq or at -l. The at jobs are saved in /var/spool/at/:

    ls /var/spool/at/
    a00001008d244d    spool

When using atq you should have a list of jobs preceded by a number. You can use this number to dequeue it:

    atq
    1    2001-08-18 18:21 a root

From the atq listing we see that the job number is 1, so we can remove the job from the spool as follows:

    at -d 1

Permissions: By default at is restricted to the root user. To override this you must either have an empty /etc/at.deny or have a /etc/at.allow with the appropriate names.
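The cron and at permission rules above follow the same allow/deny pattern and differ only in what happens when neither file exists (cron: everyone may; at: root only). The function below is an added example, not code from the guide; it takes the file paths as parameters so that the decision can be exercised on constructed temporary files rather than the real /etc/cron.allow, /etc/cron.deny, /etc/at.allow and /etc/at.deny, and the DEFAULT argument ("all" or "root") is this example's own way of expressing that difference.

```shell
#!/bin/sh
# Added example (not from the LinuxIT guide): the allow/deny decision that
# crontab and at apply before a user may schedule a job.
# Assumptions: POSIX sh; ALLOW and DENY are paths (constructed files here);
# DEFAULT is "all" (cron: everyone when neither file exists) or "root"
# (at: root only when neither file exists).

# scheduler_allows USER ALLOW DENY DEFAULT -> exit 0 if USER may schedule jobs
scheduler_allows() {
    user=$1; allow=$2; deny=$3; default=$4
    if [ -f "$allow" ]; then
        grep -qx "$user" "$allow"        # allow file exists: must be listed in it
    elif [ -f "$deny" ]; then
        ! grep -qx "$user" "$deny"       # deny file exists: allowed unless listed
    else
        [ "$default" = all ] || [ "$user" = root ]
    fi
}

# Constructed demonstration: the "empty /etc/at.deny" case from the text,
# using temporary files instead of /etc.
d=$(mktemp -d)
: > "$d/at.deny"                          # empty deny file, no allow file
for u in root alice; do
    if scheduler_allows "$u" "$d/at.allow" "$d/at.deny" root; then
        echo "$u may use at"
    else
        echo "$u may not use at"
    fi
done
rm -rf "$d"
```

With the empty at.deny both users are allowed; remove that file and only root is, which is the default at behaviour described above.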


4. Backups and Compressions

Backup strategies
There are three main strategies to back up a system:

    Full: copy all files
    Incremental: The first incremental copies all files added or changed since the last full backup, and subsequently copies all the files added or changed since the last incremental backup
    Differential: Copies all files added or changed since the last full backup

Example: If you made a full backup and 3 differential backups before a crash, how many tapes would you need to restore?

Creating archives with tar
The main option to create an archive with tar is -c. You can also specify the name of the archive as the first argument if you use the -f flag.

    tar -cf home.tar /home/

If you don't specify the file as an argument, tar -c will simply output the archive as standard output:

    tar -c /home/ > home.tar

Extracting archives with tar
Extracting is straightforward. Replace the -c flag with an -x. This will cause the archive file to create directories if necessary and copy the archived files in your current directory. To redirect the output of the extracted archive into the directory /usr/share/doc, for example, you can do:

    tar xf backeddocs.tar -C /usr/share/doc

Compressions
All archives can be compressed using different compression utilities. These flags are available when creating, testing or extracting an archive:

    tar option    compression type
    Z             compress
    z             gzip
    j             bzip2

The cpio utility
The cpio utility is used to copy files to and from archives. The list of files must be given to cpio either through a pipe (as when used with find) or via a file redirection such as with:

- Extract an archive on a tape:

    cpio -i < /dev/tape

- Create an archive for the /etc directory:

    find /etc | cpio -o > etc.cpio
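The full and differential strategies described above can be built from exactly the find and tar pieces this section introduces. The script below is an added example, not code from the guide: a full backup of every regular file, a marker file whose modification time records when that full backup was taken, and a differential backup of whatever changed since the marker. It assumes GNU tar (for -T - to read the file list from stdin) and works on a constructed directory tree in a temporary location; the marker file and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the LinuxIT guide): full and differential backups
# built from find(1) and tar(1). Assumptions: GNU tar; ARCHIVE and MARKER are
# absolute paths; MARKER is an empty file whose mtime records the last full
# backup.

# backup_full SRC ARCHIVE MARKER: archive every regular file under SRC and
# record the time of this full backup in MARKER.
backup_full() {
    (cd "$1" && find . -type f | tar -cf "$2" -T -)
    touch "$3"
}

# backup_differential SRC ARCHIVE MARKER: archive only the files modified
# after MARKER. A differential always measures from the last full backup, so
# MARKER is left alone here; an incremental scheme would touch it each run.
backup_differential() {
    (cd "$1" && find . -type f -newer "$3" | tar -cf "$2" -T -)
}

# archive_count ARCHIVE: number of members in a tar archive.
archive_count() {
    tar -tf "$1" | wc -l | tr -d ' '
}

# demo_backup: constructed tree of three files, one full backup, then one
# changed file and one new file followed by a differential backup.
# Prints "full=3 diff=2".
demo_backup() {
    d=$(mktemp -d)
    mkdir "$d/home"
    for f in notes.txt todo.txt mail.txt; do
        printf 'constructed content\n' > "$d/home/$f"
    done
    backup_full "$d/home" "$d/full.tar" "$d/last_full"
    sleep 1                                       # mtime resolution is 1 s on some file systems
    printf 'appended line\n' >> "$d/home/todo.txt"  # changed since the full backup
    printf 'new file\n' > "$d/home/new.txt"          # added since the full backup
    backup_differential "$d/home" "$d/diff.tar" "$d/last_full"
    echo "full=$(archive_count "$d/full.tar") diff=$(archive_count "$d/diff.tar")"
    rm -rf "$d"
}

demo_backup
```

Restoring after a crash then means extracting full.tar followed by the most recent diff.tar only, since every differential is measured from the same full backup.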

5. Documentation

Manpages and the whatis database
The manpages are organised in sections:

    NAME          the name of the item followed by a short one line description
    SYNOPSIS      the syntax for the command
    DESCRIPTION   a longer description
    OPTIONS       a review of all possible options and their function
    FILES         files that are related to the current item (configuration files etc)
    SEE ALSO      other manpages related to the current topic

These are the main sections one would expect within a manpage. The whatis database stores the NAME section of all the manpages on the system. This is done through a daily cron. The whatis database has the following two entries:

    name(key)    one line description

The syntax for whatis is:

    whatis <string>

The output is the full NAME section of the manpages where string matched name(key). One can also use the man command to query the whatis database. The syntax is:

    man -k <string>

Unlike whatis this will query both the "name" and the "one line description" entries of the database. If the string matches a word in any of these fields the above query will return the full NAME section.

Example (the matching string has been highlighted):

    whatis lilo

    lilo                 (8)  - install boot loader
    lilo.conf [lilo]     (5)  - configuration file for lilo

    man -k lilo
    grubby               (8)  - command line tool for configuring grub, lilo, and elilo
    lilo                 (8)  - install boot loader
    lilo.conf [lilo]     (5)  - configuration file for lilo

The FHS recommends manpages to be kept in /usr/share/man.

Manpage Sections

    Section 1   Information on executables
    Section 2   System calls, e.g. mkdir(2)
    Section 3   Library calls, e.g. stdio(3)
    Section 4   Devices (files in /dev)
    Section 5   Configuration files and formats
    Section 6   Games
    Section 7   Macro packages
    Section 8   Administration commands
    Section 9   Kernel routines

To access a specific section N one has to enter:

    man N command

Examples:

    man mkdir
    man 2 mkdir
    man crontab
    man 5 crontab

Info pages

The FHS recommends info pages be kept in /usr/share/info. These pages are compressed files that can be read with the info tool. The original GNU tools used info pages rather than manpages. Since then most info pages have been rewritten as manpages. However information about GNU projects such as gcc or glibc is still more extensive in the info pages compared to the manpages.

Online documents
GNU projects include documents such as a FAQ, README, CHANGELOG and sometimes user/admin guides. The formats can either be ASCII text, HTML, LaTeX or postscript. These documents are kept in the /usr/share/doc/ directory.

HOWTOs and The Linux Documentation Project
The Linux Documentation Project provides many detailed documents on specific topics. These are structured guides explaining concepts and implementations. The website URL is www.tldp.org. The LDP documents are freely redistributable and can be contributed to using a GPL type licence.

Usenet News Groups
The main newsgroups for Linux are the comp.os.linux.* groups (e.g. comp.os.linux.networking, comp.os.linux.security ...). Once you have set up a news reader to connect to a news server (usually available through an ISP or a University campus) one downloads a list of all existing discussion groups and subscribes/unsubscribes to a given group. There are many experienced as well as new users who rely on the newsgroups to get information on specific tasks or projects. Take the time to answer some of these questions if you feel you have the relevant experience.

NOTICE: The man -k option queries both fields in the whatis database. This will find everything about a given item. There is a tool called apropos (meaning about) which will do the same thing as man -k.


6. Exercises

Logging

1. Change /etc/syslog.conf to output some of the logs to /dev/tty9 (make sure you restart syslogd and that the output is properly redirected).
2. Add a custom local5 item with critical priority to /etc/syslog.conf and direct the output to /dev/tty10. Restart syslogd and use logger to write information via local5.
3. Read the /etc/rc.d/init.d/syslog script and change /etc/sysconfig/syslog to allow remote hosts to send log outputs.

Scheduling

4. Create a cron entry which starts xclock every 2 minutes. Remember that cron is unaware of system variables such as PATH and DISPLAY.
5. Use at to start xclock in the next five minutes.

Archiving

6. Use find to list all files that have been modified during the past 24 hours. (hint: Redirect the output of find -mtime -1 to a file)
7. Use cpio to create an archive called Incremental.cpio. (ans: Use the file created above and do cat FILE | cpio -ov > Incremental.cpio)
8. Use xargs and tar to create an archive of all files last accessed or changed 5 mins ago.
9. Do the same using the -exec option to find. Note that the files listed by find can be referenced by the {} symbol.
10. Extract the archive you have just created.


Setting up PPP

1. Serial Modems
Linux assumes in general that serial modems are connected to a serial port (one of the /dev/ttySX devices). So you first need to find out which serial port the modem is connected to. The setserial -g command will query the serial ports. If the resource is not available then the UART value will be unknown. Sample output for setserial:

    setserial -g /dev/ttyS[0-3]
    /dev/ttyS0, UART: 16550A, Port: 0x03f8, IRQ: 4
    /dev/ttyS1, UART: 16550A, Port: 0x02f8, IRQ: 3
    /dev/ttyS2, UART: unknown, Port: 0x03e8, IRQ: 4
    /dev/ttyS3, UART: unknown, Port: 0x02e8, IRQ: 3

For non-serial modems it is possible to get information about available resources in /proc/pci. Here the i/o and IRQ settings can be transferred to a free /dev/ttySX device. This is achieved with the following 2 lines:

    setserial /dev/ttyS2 port 0x2000 irq 3
    setserial /dev/ttyS2 autoconfig

The last line simply deals with setting up the proper UART settings. These settings will be lost at the next boot and can be saved in /etc/rc.serial. This script is one of the last scripts executed by rc.sysinit at boot time. The rc.serial script:

    #!/bin/bash
    TTY=/dev/ttyS2
    PORT=0x2000
    IRQ=3
    echo "Setting up Serial Card ..."
    /bin/setserial $TTY port $PORT irq $IRQ 2> /dev/null
    /bin/setserial $TTY autoconfig 2> /dev/null


2. Dialup Configuration
Once the modem is known to be connected to a serial device it is possible to send modem specific instructions such as ATZ or ATDT. One tool that will act as a terminal interface is minicom.

[minicom screenshot]

Another common tool is wvdialconf. This tool will automatically scan for modems on the ttyS's and create a configuration file. This file is used to handle password authentication and initialise the pppd daemon once the connection is established.

3. pppd and chat

First of all the chat script is used to communicate with a remote host's modem. It is a series of expect/send strings. The format is:

    'expected query' 'answer'

Expected queries from the modem are:

    '' 'OK' 'CONNECT' 'login' 'password' 'TIMEOUT' '$'

The script is read sequentially and starts with the empty query '' which is matched with the command 'ATZ'. Once the modem is initialised it sends back the query 'OK'. To this the script will answer with an 'ATDT'

dialing command. This conversation goes on and on until the '$' prompt is reached, at which stage one can run pppd.

Sample chat script:

    "ABORT" "BUSY"
    "ABORT" "ERROR"
    "ABORT" "NO CARRIER"
    "ABORT" "NO DIALTONE"
    "ABORT" "Invalid Login"
    "ABORT" "Login incorrect"
    "" "ATZ"
    "OK" "ATDT01182341212"
    "CONNECT" ""
    "ogin:" "adrian"
    "ord:" "adrianpasswd"
    "TIMEOUT" "5"
    "$" pppd

Of course this is one way of doing things. One can also start pppd manually and then invoke the chat script as follows:

    pppd /dev/ttyS2 115200 \
         nodetach \
         lock \
         debug \
         crtscts \
         asyncmap 0000000 \
         connect "/usr/sbin/chat -f /etc/sysconfig/network-scripts/chat-ppp0"

The lines below the pppd command can be saved in /etc/ppp/options. This file contains most of the features which make the strength and flexibility of pppd. For example require-chap will use the /etc/ppp/chap-secrets for authentication.

4. PPPD peers
There is a directory called peers in /etc/ppp/. In this directory one can create a file that contains all the necessary command line options for pppd. In this way peer connections can be started by all users. Below is an example of a PPP peer file:

    # This optionfile was generated by pppconfig 2.0.10.
    hide-password
    noauth
    connect "/usr/sbin/chat -f /etc/sysconfig/network-scripts/chat-ppp0"
    /dev/ttyS0
    115200
    defaultroute
    noipdefault
    user uk2

The previous peer file (called uk2) would be used as follows:

    # pppd call uk2

This will dial the number specified in the "chat script" and authenticate as the user "uk2". Please note that this requires a corresponding entry in /etc/ppp/chap-secrets and /etc/ppp/pap-secrets. The format for pap and chap secrets is as follows:

    # Secrets for authentication using CHAP
    # client    server    secret    IP addresses
    uk2         *         "uk2"     *

This format allows different passwords to be used if you connect to different servers. It also allows you to specify an IP address. This is probably not going to work when connecting to an ISP, but when making private connections, you can specify IP addresses if there is a need. One example would be where you need to audit your network activity, and want to specify which users get a certain IP address.

5. Wvdial
This is the default method used by Red Hat to connect to a dial up network. To configure wvdial, it is easier to use one of the configuration tools provided with either Gnome or KDE. They configure the /etc/wvdial.conf file. Below is a sample wvdial.conf file:

    [Modem0]
    Modem = /dev/ttyS0
    Baud = 115200
    Dial Command = ATDT
    Init1 = ATZ
    FlowControl = Hardware (CRTSCTS)
    [Dialer uk2]
    Username = uk2
    Password = uk2
    Phone = <phone number>
    Inherits = Modem0

To use wvdial from the command line, you would execute it with the following syntax:

    # wvdial <dialer-name>

In the example configuration file the following command would dial the connection called "uk2":

    # wvdial uk2


Printing
The two objectives of this chapter are firstly to introduce the GNU printing tools available on Linux machines and secondly to understand the configuration files for a print server.

1. Filters and gs

For non-text formats Linux and UNIX systems generally use filters. These filters translate file formats such as troff into a postscript type format. This could directly be sent to a postscript printer, but since not all generic printers can handle postscript, an intermediate 'virtual postscript printer' is used called gs (ghostscript), finally translating the postscript into PCL. The commercial version of ghostscript is Aladdin Ghostscript and the GNU version is an older version. The gs utility has a database of printer drivers it can handle (this list is usually up to date, for example many USB printers are supported) and converts the postscript directly into PCL for these known models. The gs utility plays a central role in Linux printing.

2. Printers and print queues

As seen above simple ascii text printing is not handled in the same way as image or postscript files. If you only have one printer and you would like to print out your mail for example, it may not be necessary to use a filter. You may want to define a queue without filters, which would print mail faster. You could also define a queue on the same printer, which would only handle postscript files. All queues and printers are defined in /etc/printcap. Here is the full configuration of a remote printer 192.168.1.20 using the remote queue named 'lp':

    lp:\
        :sd=/var/spool/lpd/lp:\
        :mx#0:\
        :sh:\
        :rm=192.168.1.20:\
        :rp=lp:

The essential options here are rm the remote host, sd the spool directory and rp the name of the remote queue. Notice that no filters are specified (you would use if for input filter). All the filtering is done on the remote host.
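A printcap entry like the one above mixes three kinds of capability: name=value strings (sd, rm, rp), name#number numerics (mx) and bare boolean flags (sh), spread over continuation lines ending in a backslash. The function below is an added example, not code from the guide: it reads one capability out of a given printcap file so that a definition can be checked before lpd is restarted. It assumes POSIX sh and awk and takes the file as a parameter, so the demonstration works on a constructed copy of the entry rather than on /etc/printcap.

```shell
#!/bin/sh
# Added example (not from the LinuxIT guide): look up one capability of a
# printcap entry. Assumptions: POSIX sh and awk; the printcap file is a
# parameter so a constructed copy is used instead of /etc/printcap.

# printcap_get FILE PRINTER CAP
# Prints the value of CAP for PRINTER: "yes" for a boolean flag, the value for
# name=value or name#number entries, nothing if the capability is absent.
printcap_get() {
    awk -v printer="$2" -v cap="$3" '
        /\\$/ { sub(/\\$/, ""); buf = buf $0; next }    # join continued lines
        {
            line = buf $0; buf = ""
            if (line ~ /^[ \t]*(#|$)/) next                # comment or blank line
            n = split(line, f, ":")
            # field 1 holds the printer name(s), separated by "|"
            if (index("|" f[1] "|", "|" printer "|") == 0) next
            for (i = 2; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", f[i])
                if (f[i] == cap) { print "yes"; exit }    # boolean flag, e.g. sh
                if (index(f[i], cap "=") == 1 || index(f[i], cap "#") == 1) {
                    print substr(f[i], length(cap) + 2); exit
                }
            }
        }' "$1"
}

# Constructed printcap holding the remote printer entry from the text.
pc=$(mktemp)
cat > "$pc" <<'EOF'
# remote printer: all filtering is done on the remote host
lp|remote:\
    :sd=/var/spool/lpd/lp:\
    :mx#0:\
    :sh:\
    :rm=192.168.1.20:\
    :rp=lp:
EOF
echo "remote host:  $(printcap_get "$pc" lp rm)"
echo "remote queue: $(printcap_get "$pc" lp rp)"
echo "max size:     $(printcap_get "$pc" lp mx)"
filter=$(printcap_get "$pc" lp if)
echo "input filter: ${filter:-none}"
rm -f "$pc"
```

The demonstration prints 192.168.1.20, lp, 0 and "none", confirming that the entry points at the remote queue and defines no local input filter.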


3. Printing Tools

lpr
The lpr utility is used to submit jobs to a printer. This is a modern version of lp (line print). From a user's point of view it is helpful to understand that a printer can be associated with more than one queue. Here are two examples to print a file called LETTER.

Send job to default printer:

    lpr LETTER

Send job to the 'ljet' queue:

    lpr -Pljet LETTER

Table 1: Main options for lpr

    -#num    Print num copies
    -Ppq     Specify the print queue pq
    -s       Make a symbolic link in the spool directory rather than copy the file in

lpq
A user can monitor the status of print queues with the lpq utility. Here are a few examples.

Show jobs in default queue:

    lpq

Show jobs for all queues on the system:

    lpq -a

Show jobs in the 'remote' queue:

    lpq -Premote

lprm
Depending on the options in /etc/lpd.perms users may be allowed to delete queued jobs using lprm.

Remove last job submitted:

    lprm

Remove jobs submitted by user dhill:

    lprm dhill

Remove all submitted jobs:

    lprm -a    (or simply lprm -)

It is possible to remove a specific spooled job by referencing the job number; this number is given by lpq.

lpc
The Line Printer Control utility is used to control the print queues and the printers. The print queues can be disabled or enabled. Notice that lprm on the other hand can remove jobs from the queue but doesn't stop the queue. One can either use lpc interactively (lpc has its own prompt), or on the command line. Here is an output of lpc -help:

    CMD: /usr/sbin/lpc help
    Commands may be abbreviated.  Commands are:
    abort    clean    enable   exit     disable  help     down     quit
    restart  status   start    stop     topq     up

The enable/disable/topq/up options relate to queues. The start/stop/down options relate to printers.

4. The configuration files

/etc/printcap
As seen earlier in the chapter, this file defines all printers and queues that the system can use (remote and local). The default printer can be specified with either of the variables LPDEST or PRINTER:

    PRINTER=lp

If no environment variable is set the default printer is the first printer defined in /etc/printcap. The main definitions are:

    lp    device name, usually /dev/lp0 for the parallel port
    mx    maximum file size (zero = no limit)
    sd    spool directory (/var/spool/lpd/<queuename>)
    if    input filter
    rm    remote host address or IP
    rp    remote queue name

If this file is modified you will need to restart the lpd daemon.

/etc/lpd.conf
This is a very lengthy file and by default all options are commented out. This file is used if an administrator wishes to have more control (i.e. remote access authentication, user permissions ...) over the printing.

/etc/lpd.perms
This file controls permissions for the lpc, lpq and lprm utilities. In particular you can grant users the right to dequeue their current job (using the lprm tool) with the line:

    ACCEPT SERVICE=M SAMEHOST SAMEUSER

LPRng uses a system of keys to shorten the entries in lpd.perms. This is however not very easy to understand. For example the service 'M' corresponds to lprm in the above line.

Sample /etc/lpd.perms file:

    ## Permissions are checked by the use of 'keys' and matches.
    ## For each of the following LPR activities, the following keys have a value.
    ##
    ## Key           Match  Connect  Job    Job    LPQ   LPRM  LPC
    ##                               Spool  Print
    ## SERVICE       S      'X'      'R'    'P'    'Q'   'M'   'C'
    ## USER          S      -        JUSR   JUSR   JUSR  JUSR  JUSR
    ## HOST          S      RH       JH     JH     JH    JH    JH
    ## GROUP         S      -        JUSR   JUSR   JUSR  JUSR  JUSR
    ## IP            IP     RIP      JIP    JIP    RIP   JIP   JIP
    ## PORT          N      PORT     PORT   -      PORT  PORT  PORT
    ## REMOTEUSER    S      -        JUSR   JUSR   JUSR  CUSR  CUSR
    ## REMOTEHOST    S      RH       RH     JH     RH    RH    RH
    ## REMOTEGROUP   S      -        JUSR   JUSR   JUSR  CUSR  CUSR
    ## REMOTEIP      IP     RIP      RIP    JIP    RIP   RIP   RIP
    ## CONTROLLINE   S      -        CL     CL     CL    CL    CL
    ## PRINTER       S      -        PR     PR     PR    PR    PR
    ## FORWARD       V      -        SA     -      -     SA    SA
    ## SAMEHOST      V      -        SA     -      SA    SA    SA
    ## SAMEUSER      V      -        -      -      SU    SU    SU
    ## SERVER        V      -        SV     -      SV    SV    SV
    ## LPC           S      -        -      -      -     -     LPC
    ## AUTH          V      -        AU     AU     AU    AU    AU
    ## AUTHTYPE      S      -        AU     AU     AU    AU    AU
    ## AUTHUSER      S      -        AU     AU     AU    AU    AU
    ## AUTHFROM      S      -        AU     AU     AU    AU    AU
    ## AUTHSAMEUSER  S      -        AU     AU     AU    AU    AU
    ##
    ## KEY:
    ## JH = HOST            host in control file
    ## RH = REMOTEHOST      connecting host name
    ## JUSR = USER          user in control file
    ## AUTH                 will match (true) if authenticated transfer
    ## AUTHTYPE             will match authentication type
    ## AUTHUSER             will match client authentication type
    ## AUTHFROM             will match server authentication type and is NULL if not from server
    ## AUTHSAMEUSER         will match client authentication to save authentication in job
    ##
    ## Example Permissions
    ##
    ## # All operations allowed except those specifically forbidden
    ## DEFAULT ACCEPT
    ## #Reject connections from hosts not on subnet 130.191.0.0
    ## # or Engineering pc's
    ## REJECT SERVICE=X NOT REMOTEIP=130.191.0.0/255.255.0.0

_________________________________________________________________________
87

LinuxIT Technical Education Centre

Printing
____________________________________________________________________
DD F9a9CT +9F'IC9QN #JT F97JT9.J+TQengpcW DD DD D&o not a))o, anybody but root or papo,e)) on DD Dastart(.astart.com or the ser*er to use contro) DD D!aci)ities. DD /CC9PT +9F'IC9QC +9F'9F F97JT9$+9FQroot DD /CC9PT +9F'IC9QC F97JT9.J+TQastart(.astart.com F97JT9$+9FQpapo,e)) DD DD D/))o, root on ta)0er.astart.com to contro) printer hpXet DD /CC9PT +9F'IC9QC .J+TQta)0er.astart.com PFI#T9FQhpXet F97JT9$+9FQroot DD DFeXect a)) others DD F9a9CT +9F'IC9QC DD DD D&o not a))o, !or,arded Xobs or rePuests DD F9a9CT +9F'IC9QF,C,7 %JFS/F& DD D D a))o, root on ser*er to contro) Xobs /CC9PT +9F'IC9QC +9F'9F F97JT9$+9FQroot D a))o, anybody to get ser*er, status, and printcap /CC9PT +9F'IC9QC LPCQ)pd,status,printcap D reXect a)) others F9a9CT +9F'IC9QC D D a))o, same user on originating host to remo*e a Xob /CC9PT +9F'IC9Q7 +/79.J+T +/79$+9F D a))o, root on ser*er to remo*e a Xob /CC9PT +9F'IC9Q7 +9F'9F F97JT9$+9FQroot F9a9CT +9F'IC9Q7 D a)) other operations a))o,ed &9%/$LT /CC9PT
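To make the first-match evaluation of these rules concrete, here is an added Python model of how lpd checks a request against lpd.perms (example code, not the study guide's or LPRng's, and a simplification of the real daemon). The ruleset is a constructed subset of the sample file above, and the request dictionaries stand in for the values lpd derives from the connection and the job's control file.

```python
# Simplified evaluator for LPRng /etc/lpd.perms rules (an added example, not code from the
# study guide or from LPRng; SAMPLE_PERMS is a constructed ruleset modelled on the sample
# file above): rules are tried in order and the first whose keys all match decides; NOT
# inverts the key that follows; a DEFAULT line sets the fallback verdict.
import fnmatch
import ipaddress
SAMPLE_PERMS = """DEFAULT ACCEPT
# reject connections from hosts outside the 130.191.0.0 subnet
REJECT SERVICE=X NOT REMOTEIP=130.191.0.0/255.255.0.0
# only root on the server itself may use the lpc control facilities
ACCEPT SERVICE=C SERVER REMOTEUSER=root
REJECT SERVICE=C
# the same user on the originating host may remove a job, nobody else
ACCEPT SERVICE=M SAMEHOST SAMEUSER
REJECT SERVICE=M
"""
BOOLEAN_KEYS = {"SAMEHOST", "SAMEUSER", "SERVER", "FORWARD"}  # flag keys, no value

def parse_perms(text):
    """Return a list of (VERDICT, [(negated, KEY, values or None), ...])."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments and blank lines
        if not line:
            continue
        verdict, *tokens = line.split()
        tests, negate = [], False
        for tok in tokens:
            if tok.upper() == "NOT":
                negate = True
                continue
            key, _, val = tok.partition("=")            # comma-separated alternatives
            tests.append((negate, key.upper(), val.split(",") if val else None))
            negate = False
        rules.append((verdict.upper(), tests))
    return rules

def key_matches(key, values, request):  # request: the daemon's view of the job as a dict
    if key in BOOLEAN_KEYS:
        return bool(request.get(key))
    actual = request.get(key)
    if actual is None or values is None:
        return False
    if key in ("IP", "REMOTEIP"):                       # address[/netmask] network match
        return any(ipaddress.ip_address(actual) in ipaddress.ip_network(v, strict=False) for v in values)
    return any(fnmatch.fnmatchcase(actual.lower(), v.lower()) for v in values)  # glob match

def check(rules, request):  # walk the rules in order; the first fully matching ACCEPT/REJECT wins
    fallback = "ACCEPT"                                 # used when the file has no DEFAULT line
    for verdict, tests in rules:
        if verdict == "DEFAULT":
            fallback = tests[0][1]                      # the lone token is the default verdict
        elif all(key_matches(k, v, request) != neg for neg, k, v in tests):
            return verdict
    return fallback
```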

/etc/hosts.lpd and /etc/hosts.equiv

These files were used by the LPR printing suite and presented a security risk. When running a print server you needed to specify which hosts could access the printer in /etc/hosts.lpd. You also needed to add the hosts to /etc/hosts.equiv. These files are now replaced in LPRng by the /etc/lpd.perms file.


5. Exercises
1. Start printtool and create a new local queue called lp. Customise the device /dev/tty10 as the printer device (remember to do chmod 666 /dev/tty10 to allow printing on this device). You now have a virtual printer on your system!

2. Send jobs to the print queue using lpr and pr (pre-formatting tool).

3. With your system's print tool, define different remote queues:
   - a UNIX queue
   - a SMB queue
   If you are the server, make sure the appropriate rules are defined in /etc/lpd.perms.

4. In each case:
   - check the /etc/printcap file. Which filter is used? How is the remote host defined?
   - check the /var/spool/lpd/ directory.

5. Stop the various printer queues and printers with lpc.

6. Check the contents of each queue with lpq.

7. De-queue selected jobs with lprm.

Appendix

LPI 102 Objectives


1. Kernel

Manage/Query kernel and kernel modules at runtime
Manage a kernel and kernel loadable modules. Use command-line utilities to get information about the kernel modules and the running kernel. Load modules with correct parameters and unload them. Load modules using aliases.
Keywords: /lib/modules/kernel-version/modules.dep, /etc/modules.conf, /etc/conf.modules, depmod, insmod, lsmod, rmmod, modinfo, modprobe, uname

Reconfigure, build, and install a custom kernel and kernel modules
Customise, build, and install a kernel and kernel loadable modules from source. Customise the current kernel. Build a new kernel or new kernel modules as needed. Install the new kernel and reconfigure the boot loader.
Keywords: /usr/src/linux/*, /usr/src/linux/.config, /lib/modules/kernel-version/*, /boot/*, make, config, menuconfig, xconfig, oldconfig, modules, install, modules_install, depmod

2. Boot, Initialisation, Shutdown and Runlevels

Boot the system
Follow the system through the booting process. Parse parameters to the boot loader (runlevel and kernel options). Check events in the log files.
Keywords: dmesg, /var/log/messages, /etc/modules.conf, LILO, GRUB

Change runlevels and shutdown or reboot system
Manage the system's runlevels. The default runlevel. The single user mode. Shutdown and reboot. Alert users before switching runlevel.
Keywords: shutdown, init, /etc/inittab

3. Printing

Manage printers and print queues
Manage print queues and print jobs. Monitor print server and user print queues. Troubleshoot general printing problems.
Keywords: lpc, lpq, lprm, lpr, /etc/printcap

Print files
Manage print queues and manipulate print jobs. Add and remove jobs from printer queues. Convert text files to postscript for printing.
Keywords: lpr, lpq, mpage

Install and configure local and remote printers
Install a printer daemon. Install and configure a print filter (e.g.: apsfilter, magicfilter). Make local and remote printers accessible for a Linux system. SMB shared printers.
Keywords: lpd, /etc/printcap, /etc/apsfilter/*, /var/lib/apsfilter/*, /etc/magicfilter/*, /var/spool/lpd/*

_________________________________________________________________________
All original materials are ©2002 LinuxIT. All Rights Reserved. Bleesh Consultants Ltd t/a LinuxIT registered in England No: 05510521. Visit www.linuxit.com for more information.
4. Documentation

Use and manage local system documentation
Use and administer the manpages and the material in /usr/share/doc. Find relevant man pages. Search man page sections. Find a command and all the documentation related to it. Configure access to man sources and the man system.
Keywords: man, apropos, whatis, MANPATH

Find Linux documentation on the Internet
Find and use Linux documentation. Use Linux documentation from sources such as the Linux Documentation Project (LDP), vendors and third-party websites. Linux specific newsgroups. Newsgroup archives. Mailing lists.

Notify users on system-related issues
Notify users about current issues related to the system. Logon messages.
Keywords: /etc/issue, /etc/issue.net, /etc/motd

5. Shells, Scripting, Programming and Compiling

Customise and use the shell environment
Customise shell environments to meet users' needs. Set environment variables at login, or when spawning a new shell. Write bash functions for frequently used sequences of commands.
Keywords: ~/.bash_profile, ~/.bash_login, ~/.profile, ~/.bashrc, ~/.bash_logout, ~/.inputrc, function, export, env, set, unset

Customise or write simple scripts
Customise existing scripts. Write simple new shell scripts. Use standard sh syntax (loops, tests). Use command substitution. Test command return-values and file status. Conditionally mailing the superuser. The she-bang (#!) sign. Manage location, ownership, execution and suid rights of scripts.
Keywords: while, for, test, chmod

6. Administrative Tasks

Manage users and group accounts and related system files
Add, remove, suspend and change user accounts. Manage groups. Change user/group info in passwd/group databases. Create special purpose and limited accounts.
Keywords: chage, gpasswd, groupadd, groupdel, groupmod, grpconv, grpunconv, passwd, pwconv, pwunconv, useradd, userdel, usermod, /etc/passwd, /etc/shadow, /etc/group, /etc/gshadow

Tune the user environment and system environment variables
Modify global and user profiles. Set up environment variables. Maintain the skel directory. Set command search path.
Keywords: env, export, set, unset, /etc/profile, /etc/skel

Configure and use system log files to meet administrative and security needs
Configure system logs. Manage type and level of information logged. Manually scan log files for notable activity. Monitoring log files: automatic rotation and archiving. Track down problems noted in logs.
Keywords: logrotate, tail -f, /etc/syslog.conf, /var/log/*

Automate system administration tasks by scheduling jobs to run in the future
Use cron or anacron to run jobs at regular intervals. Use at to run jobs once. Manage cron and at jobs. Configure user access to cron and at services.
Keywords: at, atq, atrm, crontab, /etc/anacrontab, /etc/at.deny, /etc/at.allow, /etc/crontab, /etc/cron.allow, /etc/cron.deny, /var/spool/cron/*

Maintain an effective data backup strategy
Plan a backup strategy. Automatically backup filesystems to various media. Dump a raw device to a file and vice versa. Perform partial and manual backups. Verify the integrity of backup files. Partially or fully restore backups.
Keywords: cpio, dd, dump, restore, tar

Maintain system time
Maintain the system time and synchronize the clock over NTP. Set the system date and time. Set the BIOS clock to the correct time in UTC, configuring the correct timezone for the system and configuring the system to correct clock drift to match NTP clock.
Keywords: date, hwclock, ntpd, ntpdate, /usr/share/zoneinfo, /etc/timezone, /etc/localtime, /etc/ntp.conf, /etc/ntp.drift

7. Networking Fundamentals

Fundamentals of TCP/IP
Understand IP-addresses, network masks and broadcast address. Determine the network address, broadcast address and netmask when given an IP-address and the number of bits. Network classes and classless subnets (CIDR) and the reserved addresses for private network use. It includes the understanding of the function and application of a default route. It also includes the understanding of basic internet protocols (IP, ICMP, TCP, UDP) and the more common TCP and UDP ports (20, 21, 23, 25, 53, 80, 110, 119, 139, 143, 161).
Keywords: /etc/services, ftp, telnet, host, ping, dig, traceroute, whois

TCP/IP configuration and troubleshooting
View, change and verify configuration settings for various network interfaces. Manual and onboot configuration for interfaces and routing tables. Configure and correct routing tables. Configure Linux as a DHCP client.
Keywords: /etc/HOSTNAME or /etc/hostname, /etc/hosts, /etc/networks, /etc/host.conf, /etc/resolv.conf, /etc/nsswitch.conf, ifconfig, route, dhcpcd, dhcpclient, pump, host, hostname (domainname, dnsdomainname), netstat, ping, traceroute, tcpdump

Configure Linux as a PPP client

Understand the basics of the PPP protocol. Configure PPP for outbound connections. Define the chat sequence when connecting. Initialisation and termination of a PPP connection with a modem, ISDN or ADSL. Set up PPP to automatically reconnect if disconnected.
Keywords: /etc/ppp/options.*, /etc/ppp/peers/*, /etc/wvdial.conf, /etc/ppp/ip-up, /etc/ppp/ip-down, wvdial, pppd

8. Networking Services

Configure and manage inetd, xinetd, and related services
Configure services available through inetd. Use tcpwrappers. Start, stop, and restart internet services. Configure basic network services including telnet and ftp. Set a service to run as another user instead of the default in inetd.conf.
Keywords: /etc/inetd.conf, /etc/hosts.allow, /etc/hosts.deny, /etc/services, /etc/xinetd.conf, /etc/xinetd.log

Operate and perform basic configuration of sendmail
Modify simple parameters in sendmail configuration files. Create mail aliases. Manage the mail queue. Start and stop sendmail. Configure mail forwarding and perform basic troubleshooting of sendmail. The objective includes checking for and closing open relay on the mailserver. It does not include advanced custom configuration of Sendmail.
Keywords: /etc/sendmail.cf, /etc/aliases, /etc/mail/*, ~/.forward, mailq, sendmail, newaliases

Operate and perform basic configuration of Apache
Modify simple parameters in Apache configuration files. Start, stop, and restart httpd. Does not include advanced custom configuration of Apache.
Keywords: apachectl, httpd, httpd.conf

Properly manage the NFS, smb, and nmb daemons
Mount remote filesystems using NFS. Configure NFS for exporting local filesystems. Start, stop, and restart the NFS services. Install and configure Samba using GUI tools or direct edit of the /etc/smb.conf file. Sharing of home directories and printers, as well as correctly setting the nmbd as a WINS client.
Keywords: /etc/exports, /etc/fstab, /etc/smb.conf, mount, umount

Setup and configure basic DNS services
Configure hostname lookups and troubleshoot problems with local caching-only name server. Understand the domain registration and DNS translation process. Differences between bind 4 and bind 8 configuration files.
Keywords: /etc/hosts, /etc/resolv.conf, /etc/nsswitch.conf, /etc/named.boot (v.4) or /etc/named.conf (v.8), named

Set up secure shell (OpenSSH)
Obtain and configure OpenSSH. Basic OpenSSH installation and troubleshooting. Configure sshd to start at system boot.
Keywords: /etc/hosts.allow, /etc/hosts.deny, /etc/nologin, /etc/ssh/sshd_config, sshd, ssh-keygen, /etc/ssh_known_hosts, /etc/sshrc

9. Security

Perform security administration tasks
Ensure local security policies. Configure TCP wrappers. Find files with SUID/SGID bit set. Verify packages. Set or change user passwords and password aging information. Update binaries as recommended by CERT, BUGTRAQ or distribution's security alerts. Basic knowledge of ipchains and iptables.
Keywords: /proc/net/ip_fwchains, /proc/net/ip_fwnames, /proc/net/ip_masquerade, find, ipchains, passwd, socket, iptables

Setup host security
Set up a basic level of host security. Configure syslog, shadowed passwords. Set up a mail alias for root. Turn off unused network services.
Keywords: /etc/inetd.conf or /etc/inet.d/*, /etc/nologin, /etc/passwd, /etc/shadow, /etc/syslog.conf

Setup user level security
Configure user level security. Limits on user logins, processes, and memory usage.
Keywords: quota, usermod


Index
/etc/shadow 29
chage 32
cron 79, 81
date 93
depmod 12
gpasswd 28
groupadd 28, 30, 31
groups 27
id 27
init 19, 20, 21, 22
insmod 12
LILO 17, 22, 23
logrotate 81
lpd 94
lsmod 12
make bzImage 15
make clean 15
make config 13
make dep 14
make menuconfig 13
make modules 15
make modules_install 15
make oldconfig 14
make xconfig 13
make zImage 15
man 72
modinfo 12
modprobe 12
modules.conf 12
modules.dep 12
passwd 26
peers 91
rmmod 12, 41
route 37
sendmail 59
shutdown 21
socket 51
syslog.conf 79
tar 84
test 77
useradd 26, 30, 31
usermod 31
