Linux files are set up so that access to them is controlled. There are three types of access:
1. read
2. write
3. execute
Each file belongs to a specific user and group. Access to the file is controlled for three
categories: user, group, and what is called other. The term "other" refers to someone who
is neither the user (owner) of the file nor a member of the group the file belongs to.
Setting a permission in the "other" category is commonly referred to as setting the world
read, write, or execute bit, since anyone in the world will be able to perform that
operation once the permission is set there.
File names and permission characters
File names can be up to 256 characters long with "-", "_", and "." characters along
with letters and numbers.
When a long file listing is done, there are 10 characters that are shown on the left
that indicate type and permissions of the file. File permissions are shown according to
the following syntax example: drwerwerwe
There are a total of 10 characters in this example, as in all Linux files. The first
character indicates the type of file, and the next three indicate read, write, and
execute permission for each of the three user types, user, group and other. Since there
are three types of permission for three users, there are a total of nine permission
bits. The table below shows the syntax:
Position   1      2     3      4        5     6      7        8     9      10
           File   User permissions      Group permissions     Other permissions
           type   Read  Write  Execute  Read  Write  Execute  Read  Write  Execute
Example    d      r     w      e        r     w      e        r     w      e
Character 1 is the type of file: - is ordinary, d is directory, l is link.
Characters 2-4 show owner permissions. Character 2 indicates read permission,
character 3 indicates write permission, and character 4 indicates execute
permission.
Characters 5-7 show group permissions. Character 5=read, 6=write, 7=execute
Characters 8-10 show permissions for all other users. Character 8=read, 9=write,
10=execute
There are 5 possible characters in the permission fields. They are:
r = read - This is only found in the read field.
w = write - This is only found in the write field.
x = execute - This is only found in the execute field.
s = setuid - This is only found in the execute field.
If there is a "-" in a particular location, there is no permission. This may be
found in any field whether read, write, or execute field.
Examples
Type "ls -l" and a listing like the following is displayed:
total 10
drwxrwxrwx 4 george team1 122 Dec 12 18:02 Projects
-rw-rw-rw- 1 george team1 1873 Aug 23 08:34 test
-rw-rw-rw- 1 george team1 1234 Sep 12 11:13 datafile
Which means the following:
Type and          Number    File's   File's   Size in   Date of last    Filename
permission field  of links  owner    group    bytes     modification
drwxrwxrwx        4         george   team1    122       Dec 12 18:02    Projects
The fields are as follows:
1. Type field: The first character in the field indicates a file type of one of the
following:
o d = directory
o l = symbolic link
o s = socket
o p = named pipe
o - = regular file
o c = character (unbuffered) device special file
o b = block (buffered) device special file
2. Permissions are explained above.
3. Links: The number of directory entries that refer to the file. In our example,
there are four.
4. The file's owner in our example is George.
5. The group the file belongs to. In our example, the group is team1.
6. The size of the file in bytes
7. The last modification date. If the file is recent, the date and time is shown.
If the file is not in the current year, the year is shown rather than time.
8. The name of the file.
Set User Identification Attribute
The file permissions bits include an execute permission bit for file owner, group and
other. When the execute bit for the owner is set to "s" the set user ID bit is set.
This causes any persons or processes that run the file to have access to system
resources as though they are the owner of the file. When the execute bit for the group
is set to "s", the set group ID bit is set and the user running the program is given
access based on access permission for the group the file belongs to. The following
command:
chmod +s myfile
sets the user ID bit on the file "myfile". The command:
chmod g+s myfile
sets the group ID bit on the file "myfile".
The listing below shows a listing of two files that have the group or user ID bit set.
-rws--x--x 1 root root 14024 Sep 9 1999 chfn
-rwxr-sr-x 1 root mail 12072 Aug 16 1999 lockfile
The files chfn and lockfile are located in the directory "/usr/bin". The "s" takes the
place of the normal location of the execute bit in the file listings above. This
special permission mode has no meaning unless the file has execute permission set for
either the group or other as well. This means that in the case of the lockfile, if the
other users (world execute) bit is not set with permission to execute, then the user ID
bit set would be meaningless since only that same group could run the program anyhow.
In both files, everyone can execute the binary. The first program, when run is executed
as though the program is the root user. The second program is run as though the group
"mail" is the user's group.
For system security reasons it is not a good idea to set the set user or group ID bit on
any more programs than necessary, since this can give an unauthorized user privileges in
sensitive system areas. If the program has a flaw that allows the user to break out of
the intended use of the program, then the system can be compromised.
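The following shell script is an added example, not part of the original text, that turns the permission field described above into the octal number chmod accepts and scans "ls -l" output for entries carrying the setuid, setgid or sticky bit, which is the quick way to review which programs on a system run with another user's or group's privileges. The function names and the sample listing are the example's own; the listing reuses the chfn and lockfile lines from the text.

```shell
#!/bin/sh
# Decode an "ls -l" permission field into the octal mode chmod accepts and
# pick out entries with the setuid, setgid or sticky bit set.

# bit <char> <value>: the octal weight of one permission character, 0 if "-"
bit() {
    case "$1" in
        -) echo 0 ;;
        *) echo "$2" ;;
    esac
}

# triad <r> <w> <x>: octal digit for one user class (user, group or other).
# A lower-case s or t means the special bit AND execute are set; upper-case
# S or T means the special bit is set but execute is not.
triad() {
    r=$(bit "$1" 4)
    w=$(bit "$2" 2)
    case "$3" in
        x|s|t) x=1 ;;
        *)     x=0 ;;
    esac
    echo $((r + w + x))
}

# mode_to_octal <10-char field>: e.g. "-rwsr-xr-x" -> 4755, "drwxrwxrwt" -> 1777
mode_to_octal() {
    m=$1
    [ ${#m} -eq 10 ] || { echo "not a permission field: $m" >&2; return 1; }
    c() { printf '%s' "$m" | cut -c"$1"; }   # character at 1-based position
    u=$(triad "$(c 2)" "$(c 3)" "$(c 4)")
    g=$(triad "$(c 5)" "$(c 6)" "$(c 7)")
    o=$(triad "$(c 8)" "$(c 9)" "$(c 10)")
    special=0
    case "$(c 4)"  in s|S) special=$((special + 4)) ;; esac   # setuid
    case "$(c 7)"  in s|S) special=$((special + 2)) ;; esac   # setgid
    case "$(c 10)" in t|T) special=$((special + 1)) ;; esac   # sticky
    echo "$special$u$g$o"
}

# flag_special_bits: read "ls -l" lines on stdin and print "<octal> <owner>:<group> <name>"
# for every entry whose setuid, setgid or sticky bit is on. Feed it "ls -l /usr/bin"
# to review which programs run with their owner's or group's privileges.
flag_special_bits() {
    while read -r mode links owner group size mon day tm name; do
        case "$mode" in
            ???[sS]??????|??????[sS]???|?????????[tT])
                echo "$(mode_to_octal "$mode") $owner:$group $name" ;;
        esac
    done
}

# Constructed sample listing: the chfn and lockfile lines from the text plus two others.
SAMPLE_LISTING='-rws--x--x 1 root root 14024 Sep 9 1999 chfn
-rw-r--r-- 1 root workgrp 14233 Apr 24 10:32 textfile.txt
-rwxr-sr-x 1 root mail 12072 Aug 16 1999 lockfile
drwxrwxrwt 13 root root 4096 Apr 15 08:05 tmp'

# Uncomment to run against the sample:
# printf '%s\n' "$SAMPLE_LISTING" | flag_special_bits
```

Run on the sample listing it reports chfn as 4711, lockfile as 2755 and tmp as 1777; the plain 644 text file is not reported. An upper-case S or T in the field (special bit set but execute missing) still counts, which matches the "meaningless unless execute is set" remark above: such entries are worth a second look precisely because they are usually mistakes.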
Directory Permissions
There are two special bits in the permissions field of directories. They are:
s - Set group ID
t - Save text attribute (sticky bit) - The user may delete or modify only those
files in the directory that they own or have write permission for.
Save text attribute
The /tmp directory is typically world-writable and looks like this in a listing:
drwxrwxrwt 13 root root 4096 Apr 15 08:05 tmp
Everyone can read, write, and access the directory. The "t" indicates that only the
user (and root, of course) that created a file in this directory can delete that file.
If the setgid bit on a directory is set, files created in that directory will have the
same group ownership as the directory, instead of the group of the user that created
the file.
This attribute is helpful when several users need access to certain files. If the users
work in a directory with the setgid attribute set then any files created in the
directory by any of the users will have the permission of the group. For example, the
administrator can create a group called spcprj and add the users Kathy and Mark to the
group spcprj. The directory spcprjdir can be created with the set GID bit set and Kathy
and Mark although in different primary groups can work in the directory and have full
access to all files in that directory, but still not be able to access files in each
other's primary group.
chmod 764 myfile      Gives user full access, group read and write access, and other read access.
chmod 751 myfile      Gives user full access, group read and execute permission, and other execute permission.
chmod +s myfile       Sets the setuid bit.
chmod go-rx myfile    Removes read and execute permissions for the group and other.
The permissions for newly created files are calculated by subtracting the umask value
from the default permission value for the file type being created. An example for a
text file is shown below with a umask value of 022:
666 Default Permission for text file
-022 Minus the umask value
-----
644 Allowed Permissions
Therefore the umask value is an expression of the permissions the user, group and world
will not have as a default with regard to reading, writing, or executing the file. The
umask value here means the group the file belongs to and users other than the owner
will not be able to write to the file. In this case, when a new text file is created it
will have a file permission value of 644, which means the owner can read and write the
file, but members of the group the file belongs to, and all others can only read the
file. A long directory listing of a file with these permissions set is shown below.
-rw-r--r-- 1 root workgrp 14233 Apr 24 10:32 textfile.txt
An example command to set the umask is:
umask 022
The most common umask setting is 022. The /etc/profile script is where the umask
command is usually set for all users.
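As an added example (not from the original text), the script below computes the mode a new file or directory receives under a umask. The kernel applies the umask as a bit mask rather than a decimal subtraction; the result agrees with the 666 - 022 = 644 worked above and stays correct for masks such as 027, where subtracting digit by digit would not. The function names are the example's own.

```shell
#!/bin/sh
# Work out the mode a new file or directory receives under a given umask.
# The kernel computes default & ~umask; for 022 this matches the subtraction
# shown in the text, and it also stays correct for values such as 027.

# apply_umask <default-octal> <umask-octal>: resulting mode as three octal digits
apply_umask() {
    base=$(( 0$1 ))      # leading 0 makes the shell parse the value as octal
    mask=$(( 0$2 ))
    printf '%03o\n' $(( base & ~mask & 0777 ))
}

# octal_to_symbolic <octal>: "644" -> "rw-r--r--" (the rwx part of an ls -l field)
octal_to_symbolic() {
    mode=$(( 0$1 & 0777 ))
    s=""
    for pos in 6 3 0; do                # user, group, other
        v=$(( (mode >> pos) & 7 ))
        if [ $(( v & 4 )) -ne 0 ]; then s="${s}r"; else s="${s}-"; fi
        if [ $(( v & 2 )) -ne 0 ]; then s="${s}w"; else s="${s}-"; fi
        if [ $(( v & 1 )) -ne 0 ]; then s="${s}x"; else s="${s}-"; fi
    done
    echo "$s"
}

# predict_new_mode <umask> file|dir: "<octal> <symbolic>" for a newly created
# file (default 666) or directory (default 777). A umask can only remove bits,
# so a new plain file never comes out executable whatever the mask.
predict_new_mode() {
    case "$2" in
        dir)  base=777 ;;
        file) base=666 ;;
        *) echo "usage: predict_new_mode <umask> file|dir" >&2; return 1 ;;
    esac
    oct=$(apply_umask "$base" "$1")
    echo "$oct $(octal_to_symbolic "$oct")"
}

# Compare with the real shell, e.g.: (umask 027; touch f; ls -l f)
# predict_new_mode 022 file    # 644 rw-r--r--
# predict_new_mode 027 dir     # 750 rwxr-x---
```

A umask of 077 is the setting to reach for when a user's new files should be private by default; 022, the common value named above, leaves every new file world-readable.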
Linux Directory Structure
Note: Files are grouped according to purpose. Ex: commands, data files, documentation.
Parts of a Unix directory tree. See the FSSTND standard (Filesystem standard)
/            Root
|---root       The home directory for the root user
|---home       Contains the users' home directories
|   |----ftp     Users include many services as listed here
|   |----httpd
|   |----samba
|   |----user1
|   |----user2
|---bin        Commands needed during bootup that might be needed by normal users
|---sbin       Like bin but commands are not intended for normal users. Commands run by LINUX.
|---proc       This filesystem is not on a disk. Exists in the kernel's imagination (virtual).
|              This directory holds information about kernel parameters and system configuration.
|   |----1       A directory with info about process number 1. Each process has a directory below proc.
|---usr        Contains all commands, libraries, man pages, games and static files for normal operation.
|   |----bin     Almost all user commands. Some commands are in /bin or /usr/local/bin.
|   |----sbin    System admin commands not needed on the root filesystem, e.g., most server programs.
|   |----include Header files for the C programming language. Should be below /usr/lib for consistency.
|   |----lib     Unchanging data files for programs and subsystems
|   |----local   The place for locally installed software and other files.
|   |----man     Manual pages
|   |----info    Info documents
|   |----doc     Documentation for various packages
|   |----tmp
|   |----X11R6   The X Window System files. There is a directory similar to usr below this directory.
|   |----X386    Like X11R6 but for X11 release 5
|---boot       Files used by the bootstrap loader, LILO. Kernel images are often kept here.
|---lib        Shared libraries needed by the programs on the root filesystem
|   |----modules Loadable kernel modules, especially those needed to boot the system after disasters.
|---dev        Device files for devices such as disk drives, serial ports, etc.
|---etc        Configuration files specific to the machine.
|   |----skel    When a home directory is created it is initialized with files from this directory
|   |----sysconfig Files that configure the Linux system for networking, keyboard, time, and more.
|---var        Contains files that change: mail, news, printer and log files, man pages, temp files
|   |----file
|   |----lib     Files that change while the system is running normally
|   |----local   Variable data for programs installed in /usr/local.
|   |----lock    Lock files. Used by a program to indicate it is using a particular device or file
|   |----log     Log files from programs such as login and syslog, which logs all logins,
|   |            logouts, and other system messages.
|   |----run     Files that contain information about the system that is valid until the
|   |            system is next booted
|   |----spool   Directories for mail, printer spools, news and other spooled work.
|   |----tmp     Temporary files that are large or need to exist for longer than they should in /tmp.
|   |----catman  A cache for man pages that are formatted on demand
|---mnt        Mount points for temporary mounts by the system administrator.
|---tmp        Temporary files. Programs running after bootup should use /var/tmp.
Finding Files in Linux
There are three good methods of finding files in linux:
1. The slocate database
2. The whereis command
3. The find command
The slocate database
To use the locate command, you will need to have a slocate database set up on your
system. On many systems it is updated periodically by the cron daemon. Try the slocate
command to see if it will work on your system:
locate whereis
Will list all files that contain the string "whereis". If that command did not work you
will need to run the command:
slocate -u
This command will build the slocate database which will allow you to use the locate
command. This command will take a few minutes to run.
The whereis command
This command will locate binary (or executable) programs and their respective man
pages. The command:
whereis linuxconf
will find all binaries and manpages with the name linuxconf.
The find command
The following are examples of the find command:
find /home -user mark          Will find every file under the directory /home owned by the user mark.
find /usr -name '*.spec'       Will find every file under the directory /usr ending in ".spec".
                               (The pattern is quoted so the shell does not expand it first.)
find /var/spool -mtime +40     Will find every file under the directory /var/spool that has
                               data older than 40 days.
Find is a very powerful program and very useful for finding files with various
characteristics. For more information, read the man page about find by typing "man
find".
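The find tests below are an added example, not from the original text, showing how find's -perm option locates the setuid and setgid programs, setgid directories and world-writable files discussed in the permissions sections above. Because running it against a real filesystem needs privileges and gives different results on every machine, the example builds its own throwaway sample tree (the file names echo the chfn, lockfile and spcprjdir examples from the text); the function names are the example's own.

```shell
#!/bin/sh
# Use find's -perm tests to review the special permission bits. "-perm -MODE"
# matches when ALL the bits in MODE are set, so -4000 means "setuid bit on".

# list_setuid_setgid <dir>: regular files under <dir> with the setuid or setgid bit set
list_setuid_setgid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | sort
}

# list_world_writable <dir>: files and directories anyone can write to, leaving out
# directories protected by the sticky bit the way /tmp is
list_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 ! \( -type d -perm -1000 \) | sort
}

# count_setgid_dirs <dir>: how many directories force group inheritance (setgid)
count_setgid_dirs() {
    find "$1" -type d -perm -2000 | wc -l | tr -d ' '
}

# make_fixture: create a constructed sample tree in a temp directory and print its path
make_fixture() {
    d=$(mktemp -d) || return 1
    mkdir "$d/spcprjdir" "$d/tmp"
    : > "$d/chfn";     chmod 4711 "$d/chfn"       # setuid, like /usr/bin/chfn in the listing
    : > "$d/lockfile"; chmod 2755 "$d/lockfile"   # setgid program
    : > "$d/datafile"; chmod 0666 "$d/datafile"   # world-writable plain file
    : > "$d/test";     chmod 0644 "$d/test"
    chmod 2775 "$d/spcprjdir"                     # setgid directory from the spcprj example
    chmod 1777 "$d/tmp"                           # world-writable but sticky, like /tmp
    echo "$d"
}

# Example run (uncomment):
# d=$(make_fixture); list_setuid_setgid "$d"; list_world_writable "$d"; rm -rf "$d"
```

On the sample tree list_setuid_setgid reports chfn and lockfile, list_world_writable reports only datafile (the sticky tmp directory is deliberately excluded), and count_setgid_dirs returns 1 for spcprjdir. Against a real system the same functions, pointed at / and run as root, give the list of programs worth reviewing under the "no more setuid programs than necessary" advice above.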
Locating man pages by subject
There is a keyword option in the man command that can be used to find man pages that
have specific words in their descriptions. An example is:
man -k process
to find all man pages that talk about processes. Use the command:
man -k process |grep kernel
to find information on kernel processes. An equivalent command is the apropos command
as follows:
apropos process
The which command
The which(1) program is a useful command for finding the full path of the executable
program that would be executed if the name of the executable program is entered on the
command line. The command:
which startx
Basic Linux Devices
The first partition on an IDE hard drive is called partition 1, and is called /dev/hda1
if the drive is the primary IDE master.
/dev/fd0       Floppy disk
/dev/hda1      IDE hard drive 1, partition 1
/dev/hdb3      IDE hard drive 2, partition 3
/dev/sda1      First SCSI interface (probably hard drive), device id 1
/dev/sdc3      First SCSI interface, device id 3
/dev/cdrom     CD-ROM drive
/dev/mouse     Mouse device, sometimes a pointer to another device such as /dev/psaux, a
               PS/2 mouse driver.
primary IDE master      /dev/hda
primary IDE slave       /dev/hdb
secondary IDE master    /dev/hdc
secondary IDE slave     /dev/hdd
Linux Tips
Multiple Virtual Terminal access
There are normally 6 virtual terminals in Linux, available by using Alt-F1 through
Alt-F6. Each one can be logged in as a different user. There are normally 6 terminals
available in X also, F7 through F12. The first X session will be on F7 (if on a local
terminal), the second on F8, and so forth. If an X session is started from F1 and you
also have an active session on F2, you can type Ctrl-Alt-F2 to go from the X session to
the virtual console on F2. To get back to your X session, you can type Ctrl-Alt-F7.
This example assumes that your terminals are set up in the standard manner with 6
virtual terminals that spawn the getty program. You can check your setup by
looking at your /etc/inittab file. You should have lines like the following in your file.
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
3:2345:respawn:/sbin/mingetty tty3
4:2345:respawn:/sbin/mingetty tty4
5:2345:respawn:/sbin/mingetty tty5
6:2345:respawn:/sbin/mingetty tty6
See the section on init for further information on this file.
Linux Command line shortcuts
If typing a command on the command line, you can press <TAB> before the command is
complete and if there are enough characters for it to be unique, the system will finish
the command for you. If it is not yet unique, and <TAB> is pressed twice, you will be
given choices.
Pasting text in files
There is a cut and paste mouse utility that works with virtual consoles called gpm
which runs as a daemon. To use it,
1. Move your mouse to the text you want to cut or paste
2. Hold the left mouse button down
3. Drag the mouse to the end of the selected text
4. Release the mouse button
5. If deleting text, just press the "DEL" key for your final step. If pasting
text, move the text cursor to the location you want to paste to by switching
terminals with function keys, using arrow keys, etc.
6. If pasting, press the right mouse button.
Viewing previously displayed text
Text that has scrolled off the top of the screen may be viewed again using the <SHIFT><PgUp>
key combination. The keys in the number section on the far right of the keyboard do not work for
this function, only the grey PgUp and PgDn keys just to the right of the <Enter> key. If you want
other keys to perform this function, it would be necessary to map them in the bash shell
keymapping. Pressing any key other than <SHIFT><PgUp> or <SHIFT><PgDn> will bring you
back to the normal screen location.
Linux System Setup
Linux Filesystem Access Types
For a list of programs used to work with filesystems, see the section "Making and
Managing Filesystems". To access other filesystems you must first create them or
determine what is currently on your computer. This example assumes you already have
filesystems on your computer, such as DOS, Windows, or other Linux partitions, that you
want to access.
1. Use one of two methods to determine what partitions are on each drive:
   1. Type "fdisk /dev/hda" for drive 1 or "fdisk /dev/hdb" for drive 2, then
      type p to see a list of each partition. Type q to exit.
   2. An alternate method for this step, assuming you can boot to the
      filesystem using LILO, is:
      1. Type "less /etc/lilo.conf"
      2. Look for the label used by lilo to select DOS, such as "dos", and
         use the associated device. The line on my system is
         "other=/dev/hda1" so I will use device "/dev/hda1". The
         disadvantage here is that this method will not allow
         determination of filesystems with no operating system, such as
         partitions that hold data.
2. Make directories for mount points for each of the other filesystems. For
   another Linux install such as Debian or Slackware, type "mkdir /debian" or
   "mkdir /slackw". For a foreign operating system partition such as DOS or
   Windows 98, type "mkdir /dos" or "mkdir /win98".
3. Type "mount -t msdos /dev/hda1 /dos" where /dev/hda1 is where the DOS partition
   is. Type "mount /dev/hda4 /win98" to mount the Windows filesystem, or
   "mount /dev/hda3 /slackw". Your filesystems may be on other partitions than those
   shown in the examples here.
4. You can unmount when done: "umount /dev/hda1"; however, the exit scripts
   unmount all filesystems when the system is shut down.
The following line in /etc/fstab will cause the system upon bootup to mount an msdos
partition on /dev/hda1 on the directory /dos:
/dev/hda1 /dos vfat defaults 0 0
This works because one of the startup script files, "/etc/rc.sysinit", includes the line
"mount -a -t nonfs,smbfs,ncpfs,proc". This command mounts all filesystems listed in the
file "/etc/fstab". You could set the filesystem type to msdos. Read the file
/usr/src/linux/fs/filesystems.c to find the list of filesystems supported by your
kernel. The files /etc/mtab and /proc/mounts each keep a record of the currently mounted
filesystems on your system. Read the mount man page for more information.
Another useful command is "hdparm -g /dev/hda" which is used to determine hard drive
geometry (sectors, heads, cylinders).
/dev/hda2 / ext2 defaults 1 1
/dev/hdb1 /data auto defaults 0 0
/dev/hda1 /dos vfat defaults 0 0
/dev/hda3 /slackw ext2 defaults 0 0
/dev/hda4 swap swap defaults 0 0
/dev/cdrom /mnt/cdrom iso9660 noauto,owner,ro 0 0
/dev/fd0 /mnt/floppy ext2 noauto,owner 0 0
none /proc proc defaults 0 0
none /dev/pts devpts gid=5,mode=620 0 0
These are the options:
defaults - Use the default options of rw, suid, dev,exec,auto, nouser, and
async.
auto - Auto detect the type of filesystem.
noauto - The -a option will not mount the filesystem.
owner
ro - Read only
rw - Read and write allowed
user - Users have permission to mount this filesystem
users - Allows a user to mount and another user to unmount the filesystem
The /proc directory is required for tracking processes in memory (RAM). The directories
/data, /dos, and /slackw in this example must exist or their mounts will fail. The
entries for the floppy and cdrom allow them to be automatically dismounted if they are
mounted during shutdown. The option, "noauto" in their entries, keeps these devices
from being mounted at startup.
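As an added example, not from the original text, the script below reads an fstab and reports which entries a "mount -a -t <types>" command such as the one in rc.sysinit would mount, applying the rules described above: a type list prefixed with "no" is an exclusion list, entries marked noauto are skipped, and swap lines are left to swapon. The fstab content is a constructed copy of the listing above and the function names are the example's own.

```shell
#!/bin/sh
# Work out which fstab entries "mount -a -t <types>" would act on.
# Rules applied: a "no"-prefixed type list excludes those types, any other list
# includes only those types, entries carrying the noauto option are skipped,
# and swap entries are skipped because swapon rather than mount handles them.

# Constructed copy of the fstab shown in the text
FSTAB_SAMPLE='/dev/hda2    /            ext2     defaults          1 1
/dev/hdb1    /data        auto     defaults          0 0
/dev/hda1    /dos         vfat     defaults          0 0
/dev/hda3    /slackw      ext2     defaults          0 0
/dev/hda4    swap         swap     defaults          0 0
/dev/cdrom   /mnt/cdrom   iso9660  noauto,owner,ro   0 0
/dev/fd0     /mnt/floppy  ext2     noauto,owner      0 0
none         /proc        proc     defaults          0 0
none         /dev/pts     devpts   gid=5,mode=620    0 0'

# mount_a_targets <types>: read fstab text on stdin and print the mount points that
# "mount -a -t <types>" would mount. <types> may be "" (all types), a list such as
# "ext2,vfat", or a negated list such as "nonfs,smbfs,ncpfs,proc".
mount_a_targets() {
    awk -v types="$1" '
        BEGIN {
            n = split(types, t, ",")
            negate = (n > 0 && t[1] ~ /^no/)
            if (negate) sub(/^no/, "", t[1])
            for (i = 1; i <= n; i++) listed[t[i]] = 1
        }
        /^[ \t]*(#|$)/ { next }          # comments and blank lines
        $3 == "swap"   { next }          # swapon, not mount, handles these
        {
            if (n > 0) {
                hit = ($3 in listed)
                if (negate ? hit : !hit) next
            }
            if ("," $4 "," ~ /,noauto,/) next
            print $2
        }'
}

# Example (uncomment): what the rc.sysinit command mounts at boot
# printf '%s\n' "$FSTAB_SAMPLE" | mount_a_targets nonfs,smbfs,ncpfs,proc
```

With the rc.sysinit type list the sample yields /, /data, /dos, /slackw and /dev/pts: /proc is excluded by the type list (the startup script mounts it earlier on its own), the CD-ROM and floppy are skipped because of noauto, and the swap line is ignored.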
Note:
If you install an OS that wipes LILO, you can use the fdisk utility to toggle the bootable flag
(change the boot partition). This can help, if the OS that wiped LILO can toggle this partition to a
Linux filesystem.
Accessing Removable Media
Making a Linux Filesystem on a Floppy
1. Use fdformat /dev/fd0H1440
2. To make a filesystem on the disk type "mkfs -t filesystem -c /dev/fd0H1440"
where filesystem is the type of filesystem, usually ext2 (linux native).
3. Mount the filesystem: "mount -t ext2 /dev/fd0 /mnt/floppy"
Mounting floppy and CD-ROM drives
mount /dev/fd0 /mnt/floppy                    To mount a floppy
umount /dev/fd0                               To unmount a floppy
mount /dev/cdrom /mnt/cdrom                   To mount a CD-ROM
mount -t iso9660 -r /dev/cdrom /mnt/cdrom     Another way to mount a CD-ROM, with the type specified
mount -t auto /dev/cdrom /mnt/cdrom           Or with the type detected automatically
Note the CDROM may be on the secondary controller as a master (/dev/hdc) or slave
(/dev/hdd). In fact, your /dev/cdrom is probably actually a softlink to one of these
two devices, if you have an IDE interface. If you use SCSI, you will probably use
something like /dev/sda1 or 2, etc.
Note: in all these examples, the mount points must exist, be empty, and not already
have a device mounted on them. Also you must unmount the device before removing it.
Setting up Removable and External Filesystems to Automatically mount when used
1. The program "autofs" must be set up to run as a daemon upon system startup. To do
   this with Redhat Linux, use the program "linuxconf" and select "Control",
   "Control panel", "Control Service activity". Activate "autofs" using the menu
   selections.
2. Edit the file "/etc/auto.master" to the following:
   /mnt /etc/auto.misc --timeout 20
   The above example sets the program to unmount the device after 20 seconds.
3. Edit the file "/etc/auto.misc" adding lines like:
   cd -fstype=iso9660,ro :/dev/cdrom
   fl -fstype=auto :/dev/fd0
   This will cause the CD-ROM to be mounted when you access the directory "/mnt/cd"
   and the floppy to be mounted when you access "/mnt/fl". The directories
   "/mnt/cd" and "/mnt/fl" must not exist in order for this to work.
4. To use automount, put a CD in the CD-ROM drive and type "ls /mnt/cd" or "cd /mnt/cd".
Making and Managing Linux Filesystems
Programs used to manage filesystems
badblocks(8) - Search a device for badblocks. The command "badblocks /dev/hda"
will search the first partition of the first IDE hard drive for badblocks.
cfdisk(8) - A partition table manipulator used to create or delete disk
partitions.
dosfsck(8) - Used to check a msdos filesystem.
dumpe2fs(8) - Lists the superblock and blocks group information on the device
listed. Use with a command like "dumpe2fs /dev/hda2". The filesystem on the
device must be a Linux filesystem for this to work.
fdformat(8) - Performs a low-level format on a floppy disk. Ex: "fdformat
/dev/fd0H1440".
fdisk(8) - Used to add or remove partitions on a disk device. It modifies the
partition table entries.
fsck(8) - Used to check and/or repair a Linux filesystem. This should only be
used on systems that are not mounted.
hdparm(8) - Used to get or set the hard disk parameters.
mkdosfs(8) - Used to create a msdos filesystem.
mke2fs(8) - Create a Linux native filesystem which is called a second extended
filesystem. This creates the current version of the Linux filesystem.
mkfs(8) - Used to make a Linux filesystem on a device. The command "mkfs
/dev/hdb1" will create a Linux filesystem on the first partition of the second
IDE drive.
mkswap(8) - Creates a Linux swap area on a device.
mount(8) - Used to mount a filesystem. It supports many types of filesystems.
stat(1u) - Used to print out inode information on a file. Usage: stat filename
swapoff(8) - Used to de-activate a swap partition.
swapon(8) - Used to activate a swap partition.
tune2fs(8) - Used to adjust tunable filesystem parameters on a Linux second
extended filesystem. The filesystem must not be mounted read-write when this
operation is performed. Can adjust the maximum mount count between filesystem
checks, the time between filesystem checks, the amount of reserved blocks, and
other parameters.
umount(8) - Unmount a filesystem.
Making a Filesystem
Making a swap partition
type "mkswap -c /dev/hda3 10336"
The -c has swap check for bad blocks. The 10336 is the size of the partition in blocks,
about 10M. The system enables swap partitions at boot time, but if installing a new
system you can type "swapon /dev/hda3" to enable it immediately.
Making an ext2 file system on a floppy
1. fdformat /dev/fd0H1440
2. mkfs -t ext2 -c /dev/fd0H1440
Other file systems:
A normal hard drive can have many types of filesystems on it. To create an ext2 file
system, type "mke2fs -c /dev/hda2 82080" to create an 82 meg filesystem. Note: mkfs is
a front end to many filesystem types including ext2, minix, and msdos.
Checking a Filesystem
fsck - Used to check and repair a filesystem.
fsck is a front end to a filesystem type specific fsck.ext2, fsck.minix, and
fsck.msdos.
Syntax: fsck -t type device
Ex: fsck -t ext2 /dev/hda3
Linux Emergency Filesystems and Procedures
There are several ways to make a boot floppy, but basically there are two types of
boot floppies that make sense. The first is a simple boot floppy with a copy of your
kernel that will mount your root device, which is usually on your hard drive. This will
give you another way to boot your system and allow you to repair some problems such
as a bad re-compile of a kernel or a LILO failure, but will not do much good if you
develop a serious problem with your root filesystem. The second is a more elaborate
boot floppy, including a boot and a root floppy, that will independently support some
tools that allow repair of a root filesystem, or at least help you rescue files.
Making a simple Emergency boot floppy
How to make a single boot floppy:
1. Find the kernel. It is usually /vmlinuz or /boot/vmlinuz. The file vmlinuz may
be a softlink to the actual kernel executable. Find the executable kernel.
2. Copy the kernel image to the floppy.
dd if=/vmlinuz of=/dev/fd0
3. Type the command "df" and examine its output to determine where your root
filesystem is. Your root is "/" and is mounted on something like "/dev/hda2".
4. Set the kernel image on the floppy to the location of your root system.
rdev /dev/fd0 /dev/hda2
Your root filesystem may be somewhere other than "/dev/hda2".
5. Test the floppy by rebooting your system and attempting to boot from it.
You can use the command "badblocks /dev/fd0H1440 1440" to check the floppy for
bad blocks.
Making a Boot Floppy with a Root Filesystem (not yet complete or accurate)
To make a Linux boot floppy with a root floppy will require two floppy disks. One will
be used for the kernel, and the other will hold the root filesystem.
Important functions needed by an emergency boot filesystem:
e2fsck, mount, tar, gzip, insmod, ftape module for kernel if using tape backups
Please note, that it is best to recompile your kernel to do this. This is because most
kernel images use modules for support that are stored on your root filesystem and if
your root filesystem is corrupt, it may not work properly. The good news is, however,
that you will only need a kernel with minimal support, since this is for emergency use
only, and you won't need networking support and some other features. The other option
is to use a kernel image already compiled that does not depend on modular support if
you can find one.
1. Compile the kernel:
Most options, you may answer no to with the following exceptions.
o Make processor type 386 to support all machines with 1Gb of memory.
o Enable PCI support with access mode=any and quirks=y.
o CONFIG_SYSVIPC=y
o CONFIG_BINFMT_ELF=Y
o CONFIG_PNP=Y
To compile the kernel make sure you provide floppy, CD-ROM and hard disk support
for your types of devices such as IDE or SCSI. In my compile, I support IDE
only. Set CONFIG_BLK_DEV_IDE=Y and all in the IDE category may be set to Y
except for "other IDE chipset support", CONFIG_IDE_CHIPSETS=N. Ramdisk support
(CONFIG_BLK_DEV_RAM=Y) with initial support. Virtual terminals (CONFIG_VT=Y).
CONFIG_VT_CONSOLE=Y, CONFIG_SERIAL=Y, CONFIG_MOUSE=Y, CONFIG_PS2MOUSE=Y. Under
filesystems I supported all but quota, kernel automounter support, and UMSDOS.
Include all under partition table support. Include VGA text console and Magic
SysRq key.
2. Copy the kernel image to the first floppy.
dd if=/vmlinuz of=/dev/fd0
3. Set the image on the floppy to boot to a root filesystem on your floppy device.
rdev /dev/fd0 /dev/fd0
4. Prepare the root floppy (the second floppy disk)
1. type "fdformat /dev/fd0H1440" to format the floppy
2. type "mkfs -t ext2 -c /dev/fd0H1440" to create a filesystem on the floppy
Linux LILO and Runlevels
There is a LILO mini howto located on Linux websites such as The Linux Documentation
Project and Metalab's Index of Linux publications. Also these howtos are likely to be
on your system in the /usr/doc/HOWTO directory.
LILO is a boot loader that resides on your hard disk that can boot several operating
systems. It runs when the system boots from the hard drive and boots the Linux kernel
image stored there. To select an operating system other than the default at bootup,
press <TAB> at the boot prompt and select from a list of operating systems that the
system knows about.
The file /etc/lilo.conf is used to set up the configuration for the boot loader program
that will be installed on the boot sector of a partition. When the command "lilo" is
issued, the contents of the configuration file are read and a binary boot loader
is installed on the boot record based on the contents of the configuration file.
Installing and Configuring LILO
To install LILO, edit the configuration file, /etc/lilo.conf. The command "/sbin/lilo"
rewrites the modified lilo.conf configuration to the boot sector of the hard disk, and
must be run every time you modify lilo.conf or your kernel.
boot = /dev/hda          # Device whose boot record LILO is installed on
install = /boot/boot.b   # The file containing the boot sector to use
compact                  # Have LILO perform some optimization.
map = /boot/map          # Specifies the map file LILO creates when installed
# Section for Linux root partition on /dev/hda2.
image = /vmlinuz         # Location of kernel
  label = linux          # Name of the OS that is displayed in the LILO boot menu
  root = /dev/hda2       # Location of root partition; if this isn't here the kernel
                         # image must have this set using the rdev command
  read-only              # Mount read only on startup. Can also be set by rdev
# Section for MSDOS partition on /dev/hda1.
other = /dev/hda1        # Location of partition
  table = /dev/hda       # Location of partition table for /dev/hda1
  label = msdos          # Name of OS (for boot menu)
The first operating system listed is normally the default operating system for LILO to
boot, unless the "default" option is used to change this. There's no need to use the
rdev program to set the root partition in the kernel image if you use the "root="
option as in this example.
The options used above are described in the lilo.conf man page, invoked by typing
"man lilo.conf". The option "boot = /dev/hda" is very important and defines what
partition boot record the LILO boot loader will be installed on. The table option in
the section "other" is optional, but if used, lilo must be reinstalled anytime your
drive partitions are changed. Other than that, the comments above explain the options
well.
If you install Windows 95 or 98, the LILO boot manager will be overwritten by Windows.
If you are going to do this after installing LILO, create a boot disk first. Boot Linux
with the boot disk and re-install LILO after the Windows installation is done. LILO is
re-installed by typing, as root, the command "lilo". Partitions with Windows 95 or 98
can be configured to boot with LILO using lilo.conf entries similar to those used to
boot DOS.
To run Linux in single user mode from lilo, at the boot prompt type "rhl single" where
rhl is the name of the linux selection under lilo that you want to boot. This mode will
not normally require a password for access. To prevent others from running the
operating system in single user mode without a password, add the following lines at the
end of the image section:
password="my_password"
restricted
Where "my_password" is the actual password to be entered when the user enters single
user mode. This makes lilo ask for a password any time a user boots to this image in
single user mode. If you do this you will want the "/etc/lilo.conf" file to be readable
only by root so normal users can't get the password.
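As an added example (not from the original guide), a POSIX shell function that audits a lilo.conf-style file for the protection just described: it checks that a password= line and the restricted keyword are present and that the file has no group or other permission bits, since the password is stored in clear text. The path is a parameter so it can be run against a copy; the real file should additionally be owned by root.

```shell
#!/bin/sh
# Added example, not part of the original guide: audit a lilo.conf-style file
# for the single-user-mode password protection described above.
# Usage: audit_lilo_conf /path/to/lilo.conf
# Returns 0 when all three checks pass, 1 otherwise, printing each finding.
audit_lilo_conf() {
    conf=$1
    status=0
    # 1. A password= line must be present (LILO accepts spaces around '=').
    if ! grep -Eq '^[[:space:]]*password[[:space:]]*=' "$conf"; then
        echo "FAIL: no password= line; single user mode needs no password"
        status=1
    fi
    # 2. 'restricted' limits the prompt to boots that pass extra kernel
    #    options such as "single"; without it every boot of the image asks.
    if ! grep -Eq '^[[:space:]]*restricted[[:space:]]*$' "$conf"; then
        echo "FAIL: no 'restricted' line; password will be demanded on every boot"
        status=1
    fi
    # 3. The password is stored in clear text, so group and other must have no
    #    permission bits. Columns 5-10 of 'ls -l' are the group/other bits.
    bits=$(ls -l "$conf" | cut -c5-10)
    if [ "$bits" != "------" ]; then
        echo "FAIL: group/other permissions '$bits'; use chmod 600 $conf"
        status=1
    fi
    if [ "$status" -eq 0 ]; then
        echo "OK: $conf protects single user mode"
    fi
    return $status
}
```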
NOTES:
DOS should always be installed before Linux due to differences in the DOS and Linux
LILO boot sectors.
To copy your MBR to a floppy using 512-byte blocks: "dd if=/dev/hda of=/fd/MBR
bs=512 count=1"
To restore the boot record: "dd if=/fd/MBR of=/dev/hda bs=446 count=1". Only the first
446 bytes (the boot code) are written back, so the partition table stored in the rest of
the sector is left untouched.
Setting parameters for Disk Drives
Some systems may have difficulty with hard disks that do not allow the disk parameters
(heads, sectors per track, and cylinders) to be read. If disk errors make the LILO
installation fail, the disk parameters may be the problem. This is especially true with
SCSI and large drives. It may be necessary to manually enter the disk parameters in the
"/etc/disktab" file to solve this problem. BIOS numbers your disks depending on the
type of device. Numbers are in hex. Some documentation I have read indicates the
numbers for various disks start as follows:
Floppy drives - 100.
The first hard disk - 301.
The second HD - 341.
SCSI - 801.
Second SCSI - 811.
Some documentation indicates these numbers, however I am not sure how accurate this is.
According to the LILO man page the BIOS numbers hard disks starting at 0x80. If you
have a problem in this area you may need to do some experimentation to get it to work.
Example file:
  disk=/dev/sda
    bios=0x80
  disk=/dev/hda
    bios=0x81
Other possible format (a SCSI drive with 2 partitions):
  # Dev. Num  BIOS code  Secs/track  Heads/cyl  Cyls  Part. Offset
  0x800       0x80       32          64         1714  0
  0x801       0x80       32          64         1714  1001
Removing LILO
To remove LILO from MS-DOS type "fdisk /MBR".
To remove LILO from Linux type "lilo -u /dev/hda", or "dd if=/boot/boot.0300
of=/dev/hda bs=446 count=1". Only 446 bytes should be copied to the MBR, so that the
partition table that follows them is preserved. If the hard drive is SCSI, the filename
is boot.0800. Make sure that this file is the copy of the MBR saved when LILO was
installed and not a bogus copy from a Linux distribution.
Changing Runlevels
A runlevel is a software configuration of the system that allows only a selected group
of processes to exist. Init can run the system in one of eight runlevels. The main
runlevels are 0-6. The system runs in only one of these runlevels at a time. Typically
these runlevels are used for different purposes. For Redhat Linux version 6, they are:
0 - halt
1 - Single user mode
2 - Multiuser, without NFS (The same as 3, if you don't have networking)
3 - Full multiuser mode
4 - unused
5 - X11
6 - Reboot
These runlevels can be configured by the administrator. The "/etc/inittab" file
instructs init which runlevel to start the system at and describes the processes to be
run at each runlevel. For a deeper explanation, read my article on "How Linux Works" or
"The Linux Startup Reference Manual"
A running system can be taken to single user mode by using the telinit command to
request run level 1 as follows:
telinit 1
It can be entered when the system boots by giving the word "single" or "emergency" on
the kernel command line. This can be done at the LILO prompt after pressing the <TAB>
key and entering your selection with the word "single" after it. The kernel sends the
command line to the init program and it doesn't use the default run level. The kernel
command line entry is dependent on how you boot the system.
Entering single user mode is necessary when a damaged filesystem needs to be repaired.
You can run the program fsck to check the filesystem while the damaged partition is not
mounted or in use.
LILO and the rdev program
You may have noticed that there are some parameters in LILO that can also be set by a
program called rdev. The rdev program is used to set the following:
  The root partition (root device). The command "rdev vmlinuz /dev/hda2" will set
  the root device to be /dev/hda2 on the kernel image vmlinuz (rdev with no option
  sets the root device; "-s" sets the swap device, described below). In LILO the
  option "root=/dev/hda2" will set the root device.
  The video mode. The command "rdev -v vmlinuz 1" will set the video mode as though
  the key 0 (the first selection) were pressed at the video mode prompt. In LILO the
  option "vga=ask" will cause the system to prompt for the video mode. You are
  better off using LILO to set the video mode.
The commands shown above are examples and the actual names and values used may be
different for your system. The program rdev is used to modify the kernel image file so
that it will know where such things as the root device are without LILO passing this
information to the kernel. Therefore if you set these parameters in your kernel image
file using rdev, you will not need to set them using LILO. Conversely, if you do not set
these parameters using rdev, you will need to set them in your /etc/lilo.conf file and
update LILO when you do a kernel recompile or make other changes affecting one or more
of these parameters.
One system parameter LILO can set that rdev cannot set is the amount of system memory,
with the line append="mem=128M". This sets the memory to 128M.
In addition, rdev provides the ability to set the following parameters that LILO can't
set:
  The swap partition (swap device). The command "rdev -s vmlinuz /dev/hda3" will
  set the swap device. There is no option in LILO to do this.
  The RAM disk size in kilobytes. The command "rdev -r vmlinuz 627" will set a
  RAM disk of 627K.
Some root flags
Linux Init Program
The init program is the first program run after your kernel begins running. It is
configured with the /etc/inittab file. By modifying your /etc/inittab file, you change
your system configuration in the following areas:
1. Start up system run level.
2. Specify processes to be executed during system boot.
3. Specify processes to be run when the specified runlevel is entered.
4. Specify processes to be run on certain runlevels with actions like respawn so
the process is restarted any time it terminates.
5. Specify certain actions or processes to be run if certain signals or user
actions are indicated.
The previous section on LILO explained what runlevels are.
Below is an example inittab file with line numbers added on the left side for
reference:
# inittab This file describes how the INIT process should set up
# the system in a certain run-level.
#
# Author: Miquel van Smoorenburg, <miquels@drinkel.nl.mugnet.org>
# Modified for RHS Linux by Marc Ewing and Donnie Barnes
#
# System initialization.
2) si::sysinit:/etc/rc.d/rc.sysinit
3) l0:0:wait:/etc/rc.d/rc 0
4) l1:1:wait:/etc/rc.d/rc 1
5) l2:2:wait:/etc/rc.d/rc 2
6) l3:3:wait:/etc/rc.d/rc 3
7) l4:4:wait:/etc/rc.d/rc 4
8) l5:5:wait:/etc/rc.d/rc 5
9) l6:6:wait:/etc/rc.d/rc 6
# Trap CTRL-ALT-DELETE
11) ca::ctrlaltdel:/sbin/shutdown -t3 -r now
# When our UPS tells us power has failed, assume we have a few minutes
# of power left. Schedule a shutdown for 2 minutes from now.
# This does, of course, assume you have powerd installed and your
# UPS connected and working correctly.
12) pf::powerfail:/sbin/shutdown -f -h +2 "Power Failure; System Shutting Down"
# If power was restored before the shutdown kicked in, cancel it.
13) pr:12345:powerokwait:/sbin/shutdown -c "Power Restored; Shutdown Cancelled"
"exit", then logout to exit.
Setting noclobber=1 - keeps files from being clobbered by the shell.
Shell Selection for users
The file "/etc/shells" lists the valid shells and shell paths on your system. An
example file is:
/bin/bash
/bin/sh
/bin/tcsh
/bin/csh
/bin/ash
/bin/bsh
/bin/bash2
/bin/ksh
/bin/zsh
The command "chsh" can be used by the user to set his preferred shell. Also the root
user can use this command to set any user's shell. This command with the -l option will
list the available shells. The -s option will allow the user to change their shell. For
example type the following to determine and modify the user's shell.
1. chsh -l
2. chsh -s /bin/sh
The first line will show available shells, and the second entry will change it. The
full path of the shell must be entered for the command to work.
Startup Scripts
The following scripts are run by bash if the --noprofile option is not used with the
shell:
/etc/profile          This script file is run first for all users during the login
                      process
$HOME/.bash_profile   This script file is run for the individual user's customized setup
$HOME/.bash_login     If the .bash_profile above does not exist, this file is run
$HOME/.profile        This script file is run if $HOME/.bash_profile and .bash_login
                      don't exist
If bash is invoked as "sh" it will run only "/etc/profile" and "$HOME/.profile", above.
The man page says that "$HOME/.bashrc" is run for non-login interactive shells. I'm not
sure if it also runs for login interactive shells, but believe it does. If it does, I'm
not sure whether it is run after the scripts above, but believe it is.
$HOME/.bash_logout    Run when the user logs off the system.
Key bindings:
If the shell variable "INPUTRC" is set, probably in "/etc/profile" the
keybindings are set by the file declared in the INPUTRC value. Usually this is
"/etc/inputrc". Otherwise the keybindings are set in the file "$HOME/.inputrc"
for each individual user.
$HOME/.inputrc - User's keybindings definition
/etc/inputrc - Global keybindings definition
Other scripts and files:
/etc/bashrc       On my Redhat system, this file is run by $HOME/.bashrc.
/etc/login.defs   Used with shadow passwords to set the initial PATH and other
                  parameters, including how often a user must change passwords and
                  what is acceptable as a password.
Put any new script files in /usr/bin or /usr/local/bin. If you put them in
/usr/local/bin, they will be easier to keep track of, but you may want to add
/usr/local/bin to your path environment to make them more accessible. You can put the
command "export PATH=$PATH:/usr/local/bin" in one of the above scripts or add it to the
path statement in /etc/profile.
Therefore to modify parameters for all users, edit:
/etc/profile For users' environment setup and other customized items.
/etc/inputrc For keybindings on some systems if INPUTRC is set to it.
$HOME/.bash_profile - User's environment settings and startup programs
$HOME/.bashrc - User aliases and functions
$HOME/.bash_logout - User actions to be done at logout
$HOME/.inputrc - Contains keybindings and other bits.
The tcsh shell operates as follows:
/etc/csh.login is run
$HOME/.tcshrc or .cshrc is run
$HOME/.login is run
Other files in the users home directory may be:
.emacs - For the emacs editor. Consists of LISP functions.
.exrc - For the vi editor
.fvwmrc - For the fvwm window manager
.twmrc - For the twm window manager
.newsrc - For newsreaders. Contains a list of newsgroups offered at this site.
.Xdefaults - For programs using the X window system
.xinitrc - Shell commands that run when the user logs into an X session.
Linux Kernel
The Kernel and its Modules
Most kernels are compiled with support for loadable modules; the main exceptions are
many of the kernels used on floppy boot disks.
The package modules.tar.gz contains all the programs needed to manage modules. This
should already be installed on most distributions. The kernel modules are usually in a
directory named after the kernel version under /lib/modules. Modules for kernel version
2.2.12-20 can be found in "/lib/modules/2.2.12-20". They are loadable object files
ending in ".o" that extend the kernel.
To load a module type "insmod module" where "module" is the name of the module to load.
Ex: insmod /lib/modules/2.2.12-20/misc/ftape.o
modprobe -l | more   Lists all the modules available for your kernel
rmmod module_name    Removes a module from the kernel
Finding the Kernel
Locate the kernel image on your hard disk. It should be in the file /vmlinuz, or
/vmlinux. In some installations, /vmlinuz is a soft link to the actual kernel, so you
may need to track down the kernel by following the links. On Redhat 6.1 it is in
"/boot/vmlinuz". To find the kernel being used look in "/etc/lilo.conf".
determine defaults while doing the "make config". Back this file up to keep your
original settings if you want.
5. Type "make config" and answer the hundreds of questions asked. On another
terminal, open the file "/usr/src/linux/Documentation/Configure.help" to
determine what each configuration is. Also you can type "make menuconfig" or
from an X session "make xconfig".
6. Type "make dep"
7. Type "make clean"
8. Type "make bzImage" or "make zImage" if the kernel is small.
9. Type "make modules"
10. Type "make modules_install"
11. Copy the file "/usr/src/linux/arch/i386/boot/bzImage" to "/boot/vmlinuz".
12. Copy the file "System.map" from "/usr/src/linux" to the "/boot" directory.
    Rename it "System.map-w.x.y" (w.x.y being the kernel version) and make sure there
    is a link file called "System.map" pointing to it. This step will keep you from
    getting warning messages when you boot. It seems to be a step they forgot to
    include in the kernel-howto.
    o cp /usr/src/linux/System.map /boot/System.map-2.2.14
    o cd /boot
    o rm System.map
    o ln -s System.map-2.2.14 System.map
13. Run rdev on the new kernel image to set the root filesystem device: "rdev
    /boot/vmlinuz /dev/hda2". This step is optional if you let the boot loader, lilo,
    point to the root device instead.
14. Make sure the /etc/lilo.conf file is correct (image=/boot/vmlinuz)
15. If your kernel has a feature supported by a module that is required to boot, you
will need to make a RAM disk boot image or your system won't boot.
o Type "lsmod" and look to see if the "loop" module is loaded. If it is
skip the next step.
o Type "insmod /lib/modules/2.2.14/block/loop.o"
    Use this command if the loopback module is not installed. This assumes
    you compiled the support into your kernel. In my example, I used kernel
    version 2.2.14, but your kernel version may have a different number.
    Substitute the appropriate values.
o Type "mkinitrd /boot/initrd-2.2.14.img 2.2.14"
Again, this example is for kernel version 2.2.14. This command will
create a RAM image module for your kernel to load into.
o Add an entry similar to "initrd=/boot/initrd-2.2.14.img" to the
"/etc/lilo.conf" file for the stanza that is used to boot this kernel.
An example of the stanza follows.
o image=/boot/vmlinuz
o label=rhl
o initrd=/boot/initrd-2.2.14.img
o read-only
o root=/dev/hda2
Read the section about LILO for more information or read the lilo and
lilo.conf man pages.
16. Run lilo by typing "lilo". If you didn't set the root device in step 13, you
    will need a line like "root=/dev/hda2" in /etc/lilo.conf in the group of
    commands for your kernel. This will tell the kernel where your root filesystem
    is.
This step may be necessary if you are using a kernel previous to the 2.2 series. In the
directory "/usr/include" there may be several link files such as "asm", "linux", and
"scsi". These are normally softlinks through "/usr/src/linux". If they are, you can
direct the softlink "/usr/src/linux" to your new kernel source directory, which may be
named in the form "linux-2.2.14". If you don't have the "linux" softlink and don't want
to create it, you will need to remove and redirect the softlink files in "/usr/include"
to the proper location of your new kernel source.
The sysctl tool
This tool is worth mentioning in this section since it is used to manipulate kernel parameters. If
you type "sysctl -a |more" you will see a long list of kernel parameters. You can use this sysctl
program to modify these parameters. However, I have been unable to add new parameters.
Linux Package Installation and Printing
Generally, a large part of Linux consists of the packages you load on your system.
These packages may be for various specific purposes such as adding shadow passwords,
adding a secure telnet client, adding some type of network service, or perhaps
upgrading the Apache web server. Whatever the reason, you will need to find the
appropriate package on the web, download it, compile it, and install it. The package
will come with instructions on how to do this. Some are easy to install, others may be
complicated. This section gives general instructions commonly found and required when
installing many packages. Please be aware, however, that there may be differences
between these instructions and those that come with your package. You should read the
instructions that come with your package.
Package installations
tar.gz source package general instructions
1. Read the install documentation associated with the installation
2. Put the packed file in the directory you want it to be installed under.
3. Examine the package with the command "tar tvzpf <packagename>.tar.gz" to see
   where it will install.
4. Unpack the tar.gz file in one step with "tar xvzpf <packagename>.tar.gz" or in
   two steps with "gunzip <packagename>.tar.gz" and "tar xpf <packagename>.tar". It
   will create a directory like "packagename-2.3.4" and place the extracted
   information there.
5. Typically the following outlines the rest of the steps but they will vary from
package to package. Go into the created subdirectory and type "./configure".
6. Type "make all" or "./make"
7. Type "make install" or "./make install"
Installing Redhat Packages
rpm --help                 To get help
rpm -q mypack              Queries the database of installed packages to see if this
                           package is installed and which version of it is installed.
rpm -ivh mypack-1.0-1.rpm  Installs mypack.
rpm -Uvh mypack-2.0-1.rpm  Upgrades mypack.
rpm -qip mypack-1.2.2.rpm  Queries the package file for details about the package.
rpm -qlp mypack-1.2.2.rpm  Gives a list of files this package installs.
rpm -e mypack-1.2.2        Removes the package mypack-1.2.2.
Typically RPM packages come with binary files ready for installation so all you need to
do is the install as in the line above. The compilation which is the last three steps
in the tar example in the first section above don't need to be done. If you get a
source file rather than a binary file, you will need to do a compile of code and an
installation. If you just do the binary installation, be sure you get the package from
a reliable source so you don't get lovely extras like trap doors, trojans, or viruses.
Setting Linux Print Spooling
Printing is supported by "lpd", the line printer spooler daemon, which you should
activate to support print services. Once print services are set up, type "lpr -s
-Pprinter filename" where "printer" is the name of your printer (the default is lp).
The '-s' option tells lpr to use symbolic links to print the file rather than copying
it to its own spool file. If the '-P' option is left out, the default printer name will
be assumed.
Print spooling can be set up easily in Redhat using the "printtool" configuration tool
with the following steps:
1. Type "startx" to enter an X Window session.
2. Open a terminal under X.
3. Type "printtool" in the terminal and press Enter.
4. Edit or add a printer. Note that lp is the default printer for the lpd daemon.
5. You can make the name of the printer anything you want. Note: lp is the default.
6. The spool directory should be "/var/spool/lpd/printername".
7. The printer server name should be the name of the server computer that the
   printer is attached to. Example: PRT_SRV1.
8. The print queue name is the name of the printer as the print server computer
   perceives it. Example: HP_LASER1.
9. Depending on the network and how the printer resource is shared you may or may
   not need a user name and password.
How it works:
1. Note the file "/etc/printcap" defines what filter script file will be used to
output the printfile. Type "man lpd" and "man printcap" for more information.
2. The filter script gets its input from standard input sometimes using such
commands as "cat -", see the cat man page. It also uses "file -" to get a
description of the input.
3. On netware print servers, you must be logged on before it will work. I use the
scripts from the section on "Network printing setup and use" to logon and type
"neton username".
Other useful commands for printing:
lpr - Prints a file to the default lp printer
lpq - Shows the files waiting in the print queue
lpc - Line printer control program. Type "lpc status" to see the status of all printers.
This command can enable or disable printing or queuing.
lprm - Removes a job from the print queue using the number reported by lpq. Ex: lprm 14
tunelp - A utility to tune the printer device. "tunelp /dev/lp -q" will display the IRQ
for the device
The directory /var/spool/lpd contains a directory for every printer. This is where the
print files are spooled.
To set up a printer on a parallel or serial port:
A printer on the first parallel port is probably /dev/lp0 or /dev/lp1.
To test the printer type "lptest > /dev/lp1" to send test output directly to the
printer. If the printer is a PostScript printer you need to send it a PostScript file
by typing "cat test.ps > /dev/lp1". The lptest program is a utility made to test a
printer.
If the printer is serial, output is directed to /dev/ttyS0 or /dev/ttyS1.
The /etc/printcap file:
In the printcap file a comment line begins with #.
Example:
ljet4|lp|ps|Postscript|600dpi 20MB memory|end of hall|local|LPT1:\
        :lp=/dev/lp0:rw:\
        :sd=/var/spool/lpd/ljet4:mx#0:mc#0:pl#72:pw#85:\
        :lf=/var/log/lpd-errs:if=/usr/local/cap/ljet4:
The entry is one logical line continued with backslashes. On its first line the names
(aliases) of the printer are listed, separated by '|'.
Capabilities include:
lp - the device name for output (local printer).
rw - specified if the printer can send data back to the host through the device
file. A network printer uses /dev/null.
mx - sets the maximum size of a print job.
pl - page length.
pw - page width.
sd - the spool directory the files are spooled in.
if - the input filter to use.
br - baud rate for a serial port.
sh - suppress header.
rp - remote printer.
rm - remote host that controls the remote printer.
rs - restrict access to local printers to users with an account.
rg - restricted group that can use the printer.
Configuration, Logging, and CRON
Linux System Configuration
In the subdirectory "/etc/sysconfig" are groups of files describing your system as
follows:
mouse - Describes the type of mouse and whether a three button mouse is emulated.
keyboard - Describes the keyboard table.
network - Describes if this machine supports networking, IP forwarding, sets
the host name, sets the gateway, and describes the network interface the
gateway will be found on.
hwconf - Describes the hardware devices on your system in terms of vendor ID
and device ID.
init - Defines many initialization items for the system.
static-routes - Defines the static routes if your machine is performing routing
tasks. See the Networking Guide section on routing.
Subdirectories:
o console - Defines your system keymapping. Normally contains the
default.kmap file which is loaded when the system starts.
o network-scripts - This directory contains files used to configure your
ethernet card. such as ifcfg-eth0, ifcfg-eth1, etc. In this file you set
your permanent device name, IP address, netmask and other parameters.
For more information on setting these files up and how they are formatted, read "How
Linux Works".
The /proc filesystem and the sysctl utility
The /proc filesystem is used to store many system configuration parameters. It is a
virtual filesystem that resides in the kernels memory. Some of the areas in this
filesystem cannot be written to by the root user including /proc/sys.
To see how much memory Linux is using type:
cat /proc/meminfo
or:
free
cat /proc/cpuinfo       To see information about your CPU
cat /proc/interrupts    List interrupts in use
cat /proc/version       List Linux version
cat /proc/filesystems   List the types of filesystems in use
lsmod                   Show the kernel modules currently loaded
The "sysctl" program will list kernel parameters. Type "sysctl -a |more" to see a list
of kernel parameters on your system.
For more in depth information on the proc filesystem, read "How Linux Works".
Linux System logging
The system daemon called syslogd is the program used to log system events such as
kernel messages, login or logout messages, general system messages, etc. The
/etc/syslog.conf file controls where logging information is recorded by syslogd, that
is, where your logfiles are kept. Typically these files are in the "/var/log"
directory.
My "/etc/syslog.conf" file:
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail, news and auth) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;news.none;authpriv.none /var/log/messages
#
# INN
#
news.=crit /var/log/news/news.crit
news.=err /var/log/news/news.err
news.notice /var/log/news/news.notice
The first field is a facility followed by a "." with the second field being the
priority, as in "uucp,news.crit" where the facilities are uucp and news and the
priority is crit. The last part of each line specifies the name of the log file where
that log will be kept. Do not separate the selector from the file name with spaces in
this file; use tabs.
Facilities are:
authpriv, auth (deprecated) - Security authorization messages
cron - The clock daemon (cron and at)
daemon - Other system daemons
kern - Kernel messages
lpr - Line printer subsystem
mail - Mail subsystem.
mark - For internal use
news - Usenet news subsystem.
security (deprecated, same as authpriv) - should not be used anymore.
syslog - Messages generated internally by syslogd.
user - Generic user level messages
uucp - UUCP (Unix-Unix copy) subsystem.
local0 through local7
The "authpriv" facility should be separated from other log data, including attempts
to switch users using /bin/su, login attempts, and other user accounting information.
Priority is one of the following with the least severity listed first:
debug - Debug level message
info - Informational message
notice - Normal but significant conditions
warning, warn (deprecated) - Warning conditions
err, error (deprecated) - Error conditions
crit - Critical conditions
alert - Action must be taken immediately
emerg, panic - System is unusable
An "*" stands for all facilities or all priorities. Many distributions default to only
logging the most basic information. You may want to customize system logging for your
environment.
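An added example, not from the guide, that applies the facility and priority rules above: a POSIX shell function that decides whether a selector such as the "*.info;mail.none;news.none;authpriv.none" line in the file shown earlier would match a message of a given facility and priority. It is useful for confirming that authpriv messages really go only where intended.

```shell
#!/bin/sh
# Added example, not part of the original guide: decide whether a syslog.conf
# selector such as "*.info;mail.none;news.none;authpriv.none" matches a
# message of a given facility and priority, following the rules above:
# a plain priority means "that level or higher", "=" means exactly that
# level, "none" excludes the facility, and "*" matches any facility/priority.
# Clauses separated by ';' are applied left to right, so a later "none" can
# exclude a facility that an earlier "*" included.

# Map a priority name to its rank (least severe first), -1 if unknown.
prio_rank() {
    case "$1" in
        debug) printf '0\n' ;;  info) printf '1\n' ;;  notice) printf '2\n' ;;
        warning|warn) printf '3\n' ;;  err|error) printf '4\n' ;;
        crit) printf '5\n' ;;  alert) printf '6\n' ;;  emerg|panic) printf '7\n' ;;
        *) printf -- '-1\n' ;;
    esac
}

# Usage: selector_matches SELECTOR FACILITY PRIORITY
# Prints "yes" or "no"; exit status 0 when the message would be logged.
selector_matches() {
    sel=$1; fac=$2; want=$(prio_rank "$3")
    result=no
    oldifs=$IFS
    set -f                       # no globbing: '*' is a syslog wildcard here
    IFS=';'; set -- $sel; IFS=$oldifs
    for clause in "$@"; do
        cfac=${clause%%.*}; cpri=${clause#*.}
        # A clause may name several facilities: "uucp,news.crit".
        fac_hit=no
        IFS=','
        for f in $cfac; do
            if [ "$f" = "*" ] || [ "$f" = "$fac" ]; then fac_hit=yes; fi
        done
        IFS=$oldifs
        [ "$fac_hit" = yes ] || continue
        case "$cpri" in
            none) result=no ;;
            '*')  result=yes ;;
            =*)   if [ "$(prio_rank "${cpri#=}")" -eq "$want" ]; then
                      result=yes; else result=no; fi ;;
            *)    if [ "$want" -ge "$(prio_rank "$cpri")" ]; then
                      result=yes; else result=no; fi ;;
        esac
    done
    set +f
    echo "$result"
    [ "$result" = yes ]
}
```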
Linux Logrotate
Going hand in hand with the system logging capability is the logrotate capability which
is used to manage logfiles. The logrotate program is used to rotate, compress, and/or
mail system log files. It is normally run from cron. It is configured with the file
"/etc/logrotate.conf", which is specified on the command line when logrotate is run.
The logrotate configuration file on my system is listed below:
# see "man logrotate" for details
# rotate log files weekly
weekly
rotate 4
/var/log/lastlog {
monthly
rotate 1
}
rotate - The number of times log files are rotated before being deleted or
mailed to an address specified in a mail directive.
include - Includes a file in this file as though it were in line. If the file is
a directory, the files under that directory are included. In my copy above,
there are several files under the directory "/etc/logrotate.d" which are used
for logging various daemons.
create - "create mode owner group". Creates the file with the specified mode,
owner and group ids.
copytruncate - truncate the original file after creating a copy so programs
appending data will not have a problem.
compress - Old versions of the log file are compressed with gzip.
nocompress - Old log files are not compressed.
errors - Any errors during logfile processing are mailed to the address "errors
address".
mail - When a log is rotated out of existence, it is mailed to the specified
address "mail address".
There are many other directives associated with the logrotate program. Type "man
logrotate" for more information.
Other system tracking files:
/var/log/wtmp - Binary info on users that have been logged on. The last command uses
this info.
/var/run/utmp - Binary info on users currently logged on. The commands who, w, and
finger use this info.
/var/log/lastlog - Used by finger to tell when a user was last logged in
Scheduling tasks with CRON
Cron runs commands in the /etc/crontab file, the /etc/cron.d directory, and
/var/spool/cron directory that has file names of authorized users in the /etc/passwd
file. Cron commands are scheduled in three locations:
The directory "/var/spool/cron" with files named after accounts in
"/etc/passwd". The format of files here is described in the crontab(1) manpage.
The directory "/etc/cron.d". The format of files here is described in the
crontab(5) manpage.
The file called "/etc/crontab". The syntax of each line in this file is:
minute, hour, day of month, Month, day of week, (user name), command
Months are specified using the numbers 1 through 12. The user name is included if the
file is a system crontab file. Some example entries are listed below:
/etc/cron.monthly
These files are directories. Therefore you can place any executable program in one of
these directories and it will be run as scheduled above.
There is a crontab program which can be used to install, deinstall, or list the tables
used to drive cron. It has the same name as the configuration file, but is a binary
program. You will see this if you type "whereis crontab".
Cron runs the following on my system:
cron.hourly
1. In the file "inn-cron-nntpsend" the command "/sbin/chkconfig innd && su
- news -c /usr/bin/nntpsend" is run to support internet news service.
cron.daily
1. In the file "inn-cron-expire" the command "/sbin/chkconfig innd && su -
news -c "/usr/bin/news.daily delayrm" " is run.
2. In the file "inn-cron-expire" the command "/sbin/chkconfig innd &&
/usr/bin/rnews -U" is run.
3. In the file "logrotate" the command "/usr/sbin/logrotate
/etc/logrotate.conf" is run.
4. In the file "makewhatis.cron" a file "/var/lock/makewhatis.lock" is
   created to keep the cron scripts from stepping on each other. Do a man
   on makewhatis for more info.
5. In the file "slocate.cron" the command "/usr/bin/slocate -u -f
   "nfs,smbfs,ncpfs,proc,devpts" -e "/tmp,/var/tmp,/usr/tmp,/afs,/net" " is
   run to update the file location database.
6. In the file "slrnpull-expire" the command. Do a "man slrnpull" for more
   info.
7. In the file "tetex.cron" TeX formats not used for 10 days are removed.
8. In the file "tmpwatch" ("man tmpwatch" for more info).
cron.weekly
1. In the file "makewhatis.cron" a file "/var/lock/makewhatis.lock" is
   created to keep the cron scripts from stepping on each other. The
   makewhatis command updates the apropos database which is the database
   used when the command "man -k" is used. For more information, type "man
   whatis" or "man apropos".
cron.monthly contains no files
The system administrator can schedule tasks by adding entries to the /etc/crontab (see
crontab(5)) file or, on Redhat Linux, by adding entries in one of the cron.hourly,
cron.daily, cron.weekly, or cron.monthly directories. Users may be able to schedule cron
jobs if the system is configured to allow it. If neither /etc/cron.allow nor
/etc/cron.deny exists, either all users will be able to run cron commands or no users
will be able to do it. If /etc/cron.allow exists, the user must be listed there in
order to use cron commands. If /etc/cron.deny exists, the user must not be listed there
or they will be unable to use cron.
One useful entry you can put in the /etc/cron.weekly directory in a file named
something like "cleanold.cron" is:
find /var/spool/myspools -mtime +33 -exec rm -f {} \;
This entry will remove all files in the /var/spool/myspools directory whose data was
changed more than 33 days ago.
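The two points above, the cron.allow/cron.deny rule and the weekly clean-up job, as an added example that is not part of the original guide. File paths are parameters so the functions can be tried on scratch files; on a live system you would pass /etc/cron.allow, /etc/cron.deny and the real spool directory. The "allowed when neither file exists" default is an assumption noted in the code; the guide says the real default depends on the system.

```shell
# Added example, not part of the original guide.

# cron_user_allowed USER ALLOWFILE DENYFILE
# Prints "allowed" or "denied" following the rule in the text: an allow file,
# if present, must list the user; otherwise a deny file, if present, must not.
# With neither file present the default is ASSUMED here to be "allowed"; the
# actual default in that case depends on how cron was built.
cron_user_allowed() {
    user=$1 allow=$2 deny=$3
    if [ -f "$allow" ]; then
        if grep -qxF "$user" "$allow"; then echo allowed; else echo denied; fi
    elif [ -f "$deny" ]; then
        if grep -qxF "$user" "$deny"; then echo denied; else echo allowed; fi
    else
        echo allowed
    fi
}

# clean_old_files DIR DAYS
# The guide's "find DIR -mtime +33 -exec rm -f {} \;" also matches directories
# and symbolic links under DIR. This version removes only regular files, stays
# on DIR's own filesystem (-xdev), and prints how many files it removed so the
# cron job leaves a trace in the mail cron sends. Usable from /etc/cron.weekly.
clean_old_files() {
    dir=$1 days=$2
    if [ ! -d "$dir" ]; then
        echo "clean_old_files: no such directory: $dir" >&2
        return 1
    fi
    # -print only runs after -exec succeeded, so each output line is one removed file
    find "$dir" -xdev -type f -mtime "+$days" -exec rm -f {} \; -print | wc -l | tr -d ' '
}

# Typical weekly job (the spool path is the guide's example):
#   clean_old_files /var/spool/myspools 33
```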
The user (if allowed) can schedule cron tasks by following the below procedure:
1. Make a crontab file called for example "mycron".
2. Use the crontab(1) command to submit the command(s) to cron by typing "crontab
mycron".
3. You can view what you have installed by typing "crontab -l".
crontab commands:
crontab -e   Starts a vi session by default to edit your crontab file. To use emacs as
             your editor, type "export VISUAL=emacs" before typing this command. When
             you exit the editor, the modified crontab is installed automatically.
crontab -r   Removes your crontab entry from the /var/spool/cron directory. Does not
             erase your original crontab file.
crontab -l   Lists all the user's cron tasks.
To use emacs, type "export VISUAL=emacs" before starting crontab.
Keys and Linux Terminal Configuration
To really understand and work with key mapping, you should read the "Support for text"
section in the "How Linux Works CTDP Guide". It explains how terminal types are set and
the different layers of keymapping along with how to map keys for various applications.
Linux keymapping is complex and this section will just give you a short explanation of
the various utility programs available, and how to do some specific keymapping. If you
must perform custom keymapping, the "How Linux Works CTDP Guide" is necessary.
Linux keymapping is performed on several levels and many programs such as the shell,
less, and emacs have their own support for keymapping. Other programs such as terminal
programs use the terminfo or termcap database for keymapping. The main system wide
keymapping the user may deal with is the keymap, which maps each keycode to the ASCII
characters that each keystroke will produce. A file is created which contains these
specific keymappings and it is loaded with the command "loadkeys". There is a man page
describing the structure of this file. It can be accessed by typing "man keymaps".
There are many symbols in this file that describe values for keys. You can see the
value of many of them by typing "dumpkeys --long-info" or "dumpkeys -l". Once the
keymap file is created, the easy way to permanently modify the key settings for the
system is to modify the file /etc/sysconfig/keyboard to a new default value such as
KEYTABLE="/etc/sysconfig/console/mykeymap".
Console key utilities and files
Kernel keyboard driver
o kbd_mode - Report or set the keyboard mode: -s (scancode mode, RAW), -k
(keycode mode, MEDIUMRAW), -a (ASCII mode, XLATE), -u (UTF-8 mode, UNICODE).
XLATE is the default.
o kbdrate - modify the keyboard repeat rate and delay time after keypress.
o kbdconf - Configures the /etc/sysconfig/keyboard file which specifies
the location of the keyboard map file.
For mapping system scancodes (make codes) to keycodes
o setkeycodes - used to set a translation between unusual scancodes and
keycodes. This utility is not usually needed.
o getkeycodes - Print the kernel scancode to keycode mapping table.
Mapping keycodes to keymaps
o dumpkeys - dump keyboard driver translation tables in the format
specified by keymaps. The output of this program will look similar to
the keytable file in "/usr/lib/kbd/keytables/*.map" and the output can
be saved to a file, and used to generate a new file to be used with the
"loadkeys" command.
o loadkeys - Load the keyboard translation table into the system from a
specified file. Type "loadkeys -d" or "loadkeys defkeymap" to load the
default keymap. Changes keys for all virtual consoles. The keyboard
translation table set in the kernel (compiled in) is in the file
"/usr/src/linux/drivers/char/defkeymap.map". To change the kernels
keymap without having to load a new table after booting, you must modify
the file, then re-compile the kernel. You would only need to do this to
modify keymaps for remote boot systems that don't have access to all
system programs.
o setmetamode - define the keyboard meta key handling. Controls whether
the keystroke <Alt-key>, would send the keycode M-key or the key
sequence ESC followed by key. You can have different setting in
different virtual consoles.
Debugging tools
o showkey - Examine the scancodes and keycodes sent by the keyboard.
Options are -s (show scancodes) -k (show keycodes, default) -m (show
keymap). This program outputs key values that the user presses on the
keyboard. The program terminates when no keys are pressed for 10
seconds.
Termcap and terminfo
o tic - Compiler for terminfo.
o infocmp - Used to examine terminfo files.
o /etc/termcap - The termcap database file.
o /usr/share/terminfo - The directory structures containing the terminfo
compiled database.
Other tools
o consolechars - Load console screen font (was called setfont). The
directory "/usr/lib/kbd/consolefonts/" is the default directory for
fonts. "/usr/lib/kbd/consoletrans" is the default directory for ACM's
and SFM's.
o psfaddtable - Add a Unicode character to a console font.
o psfgettable
o psfstriptable
For terminals and terminal key mapping
o mesg - Used to turn other users' ability to write messages to your terminal
on and off. "mesg on" turns it on.
o stty - Print or change the terminal line settings.
o setterm - Set terminal attributes.
o tput - Initialize a terminal or query terminfo database.
o setleds - Set or output the keyboard LED settings for caps lock, num
lock, and scroll lock.
o setfont - Never use unless you know what you are doing. There is no man
page for this command.
o chvt - Change virtual terminal. Usage: "chvt 3".
o deallocvt - Deallocate unused virtual terminals.
For X
o xmodmap - Used to modify keymaps and pointer button mappings in X. Map X
keycodes to keysyms. Usage "xmodmap mykeys.map".
o xkeycaps - A GUI front end to xmodmap.
o xev - Allows you to see key make and breaks generated on a window.
o showfont - font dumper for X font server
o xset - Set user preferences for the display.
o /etc/X11/xinit/Xmodmap or $HOME/.Xmodmap - File(s) that can be used to
set keycode mapping in X
o $HOME/.Xinitrc - A file run when X starts that is a script file. The
program "xmodmap" can be invoked in this file to set keymappings for X.
o $HOME/.Xresources - Another file where keymappings may be changed for X.
Bash
o /etc/inputrc or $HOME/.inputrc - Where Bash keymapping is done.
Less
o $HOME/.lessrc - Where keymapping is done for less.
Emacs
o $HOME/.emacs - Where keymapping is done for emacs.
tcsh
o bindkey - A builtin supplied by tcsh to allow for binding keymaps.
o $HOME/.cshrc
Setting Keystrokes
The stty command - Used to set up keystrokes on terminals
The command <stty erase "^H"> will bind the Backspace key(^H) to the erase function.
Characters that can be specified:
eof - End of file
eol - End of line
eol2 - Alternate character for ending a line
erase - Erase the last character typed
intr - The specified character will send an interrupt signal
kill - Erase the current line.
quit - Sends a quit signal.
start - Restart output after having stopped it.
stop - Stops the output.
susp - Sends a terminal stop signal
switch - Switch to a different shell layer
werase - erase the last word typed.
setterm -foreground white -background blue   Sets a white foreground and a blue background.
setterm -store                               Stores the present terminal values as the
                                             default.
Keys and terminal configuration
Special command line keys:
CTRL U - Delete the line
CTRL C - Abort command
CTRL Z - Suspend command, Type fg to put it back into the foreground
<TAB> - Auto complete command
<ALT>F1 through <ALT>F6 - Select a different virtual terminal
<CTRL><ALT>F7 - Toggle to the first X terminal, if one is running.
<CTRL><ALT>F1 - Toggle to the first text terminal from an X session.
CTRL D - End of file, exits the shell
CTRL W - Delete a word backwards
CTRL \ - Quit, weaker than CTRL C but does a core dump.
CTRL S - Stop scrolling, may use "scroll lock" for this function.
CTRL Q - Resume scrolling
Emacs keymapping
To modify the keymap in emacs so pressing the end key will move the cursor to the end
of a line rather than the end of file, add the following lines to your user's
$HOME/.emacs file:
(define-key function-key-map "\e[4~" [end])
(global-set-key [end] 'end-of-line)
Managing Linux Users
Linux Commands for managing users:
adduser(8) - Command used to add user accounts.
chage (1) - Used to change the time the user's password will expire.
chfn(1) - Change a user's finger information
chsh(1) - Change a user's shell.
chgrp (1) - Changes the group ownership of files.
chown (1) - Change the owner of file(s) to another user.
gpasswd (1) - Used to administer the /etc/group file.
groupadd (8) - Create a new group.
grpconv (8) - Creates /etc/gshadow from the file /etc/group which converts to
shadow passwords.
grpunconv (8)- Uses the files /etc/passwd and /etc/shadow to create
/etc/passwd, then deletes /etc/shadow which converts from shadow passwords.
groupdel (8) - Delete a group
groupmod (8) - Modify a group
groups (1) - print the groups a user is in
grpck (8) - Verify the integrity of group files.
id(1) - Print group or user ID numbers for the specified user.
newgrp(1) - Allows a user to log in to a new group.
newusers (8) - Update and create new users in batch form.
nologin (5) - Prevent non-root users from logging onto the system.
passwd (1) - Used to update a user's password. The command "passwd username"
will set the password for the given user.
pwconv (8) - Used to create the file /etc/shadow from the file /etc/passwd to
convert to shadow passwords.
pwunconv (8) - Uses the files /etc/passwd and /etc/shadow to create
/etc/passwd, then deletes /etc/shadow to convert from shadow passwords.
su (1) - run a shell with substitute user and group IDs
useradd (8) - Create a new user or update default new user information
userdel (8) - Delete a user account and their files from the system. The
command "userdel -r newuser" will remove the user and deletes their home
directory.
usermod (8) - Modify a user account.
Other useful commands/examples:
find / -user username -ls     Gives a list of all files owned by username.
chown -R myuser /home/myuser  Changes ownership of all files in myuser's home directory
                              to myuser.
chmod +s filename             Sets the set-user-ID and set-group-ID bits on the file.
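Because "chmod +s" makes a program run with its owner's (or group's) privileges instead of the caller's, an administrator should know every such file on the system. The following is an added example, not code from the original guide: it lists and counts set-user-ID and set-group-ID files under a directory tree, in the same spirit as the "find / -user username -ls" line above. The directory is a parameter so it can be exercised on a scratch directory; on a real system run it as root against "/".

```shell
# Added example, not part of the original guide.

# find_setid_files DIR
# Prints "mode owner group path" for every regular file under DIR that has the
# set-user-ID (-perm -4000) or set-group-ID (-perm -2000) bit set. Directories
# are skipped (setgid on a directory only controls group inheritance) and the
# search stays on DIR's filesystem (-xdev). Paths containing spaces appear
# truncated because awk prints only the last field of the ls output.
find_setid_files() {
    dir=$1
    find "$dir" -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \; \
        | awk '{ print $1, $3, $4, $NF }'
}

# count_setid_files DIR
# Number of such files; handy for a daily baseline comparison from cron.
count_setid_files() {
    find_setid_files "$1" | wc -l | tr -d ' '
}

# Typical use on a live system (needs root to read every directory):
#   find_setid_files / > /var/log/setid.baseline       # once
#   find_setid_files / | diff /var/log/setid.baseline - # later, from cron.daily
```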
Files
/etc/passwd - Where the user's name, and other pertinent information are stored.
This includes the password unless your system is using shadow passwords.
/etc/shadow - Where the user's password is stored if you are using shadow
passwords.
/etc/group - Where group names are stored.
/etc/aliases - Where the user's name is matched to a nickname for e-mail.
/etc/sudoers - A list of users with special privileges along with the commands
they can execute.
File Formats
Note group ID numbers start at 100 and user ID numbers start at 500. The file
/etc/group gives groups
Firstname,Lastname:username
Then update the database by typing "newaliases".
User Process Accounting
Process accounting is supported by new kernels. To use this feature, you'll need to get
the acct-1.3.73.tar.gz package or later. The package contains some programs used to
manage users. The following commands are useful for user accounting:
ac(1) - Print statistics about users' connect time.
accton (8) - Turn on accounting of processes. To turn it on type "accton
/var/log/pacct".
last(1) - Shows a list of users who have logged in.
lastb(1) - Shows failed login attempts. This command requires the file
/var/log/btmp to exist in order to work. Type "touch /var/log/btmp" to begin
logging to this file.
lastcomm (1) - Display information about previous commands in reverse order.
Works only if process accounting is on.
sa(8) - Generates a summary of information about users' processes that are
stored in the /var/log/pacct file.
utmpdump(1) - Used for debugging.
who(1) - Find out what users are logged onto the system.
Files that hold accounting information
/var/log/wtmp - Stores information about all logins and logouts.
/var/run/utmp - Stores information about who is currently on the system and is
used by the who command.
/var/log/btmp - Used to store information about failed logins.
The /var/log/wtmp file, contains the following information:
Type of Login
Process ID of login process
The device name of the tty used
The init ID or abbreviated ttyname
User Name
Hostname for remote login
Exit Status of a process
The session ID
The time entry was made
IP address of remote host
See the man page for wtmp(5) for more information.
User Quotas
The ability to set quotas limits a user's disk storage by setting:
1. The number of inodes the user or group may use.
2. The number of disk blocks a user or group may use.
This limits the user's ability to use up all system resources. It only works on ext2
filesystems. Quotas must be set for each filesystem that the user may use. The kernel
must have quota support compiled in.
Commands used to set quotas and limits are:
edquota(8) - Used to edit user or group quotas. This program uses the vi editor
to edit the quota.user and quota.group files. If the environment variable EDITOR
is set to emacs, the emacs editor will be used. Type "export EDITOR=emacs" to
set that variable.
quota(1) - Display users' limits and current disk usage.
quotaoff(8) - Turns system quotas off.
quotaon(8) - Turn system quotas on.
quotacheck(8) - Used to check a filesystem for usage, and update the quota.user
file.
repquota(8) - Lists a summary of quota information on filesystems.
ulimit - A bash builtin command for setting the processes a user can run. The
command "ulimit -n 9000" will set the limit on open files to 9000.
Files:
/etc/mtab
quota.user - Resides on the filesystem quotas are being set on.
quota.group
Read the Quota mini howto for more information. Here's roughly what is needed to enable
and set quotas:
1. In your startup scripts, you should use the quotacheck and quotaon commands to
start quota checking at system startup. Read the "How Linux Works" or the "Linux
Startup Manual" for more information on startup scripts. This is already set up
properly in most current versions of Linux.
2. In the /etc/fstab file, add the mount options "usrquota" and "grpquota". You
only need "grpquota" if you are going to set group quotas also. An example
entry:
   /dev/hda2 / ext2 defaults,usrquota,grpquota 1 1
3. Issue the following commands, where "fs" is the name of the filesystem where
quotas are to be set. The first two commands create the quota files, and the
second two commands keep users from accessing those files.
   touch /fs/quota.user
   touch /fs/quota.group
   chmod 600 /fs/quota.user
   chmod 600 /fs/quota.group
4. If you use emacs rather than vi to edit files, type "export EDITOR=emacs". You
may want to add this command to your shell startup script such as
$HOME/.bash_profile.
5. Type "edquota username" to edit the quota file. You get a screen like this:
   Quotas for user george:
   /dev/hda2: blocks in use: 10672, limits (soft = 0, hard = 0)
              inodes in use: 1856, limits (soft = 0, hard = 0)
   /dev/hda3: blocks in use: 0, limits (soft = 0, hard = 0)
              inodes in use: 0, limits (soft = 0, hard = 0)
Enter the limits you want to set and save the file. The soft limits are those
that may be exceeded for limited periods of time, and the hard limits may not be
exceeded.
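The fstab and quota-file steps of the procedure above, as an added example that is not part of the original guide. The fstab path, mount point and filesystem root are parameters, so it can be tried on a copy of fstab and a scratch directory; on a real system it would be run as root with /etc/fstab and the mount point, followed by the quotacheck/quotaon steps the guide describes.

```shell
# Added example, not part of the original guide.

# add_quota_options FSTAB MOUNTPOINT
# Prints FSTAB with "usrquota,grpquota" appended to the options of the entry
# whose mount point is MOUNTPOINT; an option already present is not added
# twice, so the function is safe to rerun. Comment lines are left alone and
# the input file is not modified (redirect the output and inspect it first).
# Note: awk rebuilds a changed line with single spaces between fields.
add_quota_options() {
    awk -v mp="$2" '
        # fstab columns: device mountpoint fstype options dump pass
        $1 !~ /^#/ && $2 == mp {
            if ($4 !~ /(^|,)usrquota(,|$)/) $4 = $4 ",usrquota"
            if ($4 !~ /(^|,)grpquota(,|$)/) $4 = $4 ",grpquota"
        }
        { print }' "$1"
}

# create_quota_files FSROOT
# Creates quota.user and quota.group at the root of the filesystem (the
# guide's "touch" step) and sets them to mode 600 (the "chmod" step) so that
# ordinary users can neither read usage data nor tamper with the limits.
create_quota_files() {
    root=$1
    for f in quota.user quota.group; do
        [ -e "$root/$f" ] || : > "$root/$f"
        chmod 600 "$root/$f"
    done
}

# Live use would look like:
#   add_quota_options /etc/fstab / > /etc/fstab.new && mv /etc/fstab.new /etc/fstab
#   create_quota_files /
```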
Linux Passwords
Most versions of Linux come with the shadow password suite of software already
installed. This suite of software is recommended to enhance security since all users
must be able to access the /etc/passwd file. With full access to this file, a "crack"
program can be used by any user to extract all passwords on the system. The shadow
password software places the actual encrypted passwords into the /etc/shadow file
making this file readable only by the root user. If your system has the file
/etc/shadow, you probably already have shadow passwords installed.
Linux Shadow Passwords
If your system did not come with shadow passwords and you are going to install it you
will want to read the Shadow-Password-HOWTO and roughly do the following.
1. Find the latest shadow password suite that will work on your system
2. Backup a copy of your files listed above that the shadow password suite will
replace.
3. Install the shadow password suite.
4. Remove old man pages that may interfere with you seeing the correct replacement
man pages that came with the shadow password suite.
5. run pwconv which creates /etc/npasswd and /etc/nshadow
6. Backup /etc/passwd and copy the files /etc/npasswd and /etc/nshadow to
/etc/passwd and /etc/shadow respectively.
7. Be sure the /etc/shadow and /etc/passwd owners and permissions are the same as
shown in listings in this manual.
8. Verify you can login
9. When you are sure the system runs OK, remove backup files such as the backed up
copy of /etc/passwd.
10. You may need to upgrade your xlock program to get X working. xlock is the screen
saver used to lock the screen.
11. xdm presents the login screen for X. You may need to upgrade xdm.
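Two checks that follow from the "Linux Passwords" text and from step 7 above (owners and permissions of /etc/passwd and /etc/shadow), as an added example that is not part of the original guide. File paths are parameters so the checks can be run on copies or constructed files; on a live system pass /etc/passwd and /etc/shadow. The sample passwd lines in the test are constructed.

```shell
# Added example, not part of the original guide.

# file_perms FILE: the ten-character permission string from "ls -l"
file_perms() { ls -ld "$1" | cut -c1-10; }

# shadow_perms_ok SHADOWFILE
# Succeeds when the file has no group-write bit and no permissions at all for
# "other", which is what keeps a "crack" program run by an ordinary user from
# reading the hashes. The guide's systems used -r-------- root:root;
# -rw-r----- root:shadow, used by some distributions, passes as well.
shadow_perms_ok() {
    perms=$(file_perms "$1")
    case $perms in
        ?????-?---) return 0 ;;   # group write clear, other rwx all clear
    esac
    echo "$1: mode $perms allows group write or world access" >&2
    return 1
}

# passwd_field_problems PASSWDFILE
# Reports, one per line as "account: reason":
#  - accounts whose password field is empty (login without any password),
#  - accounts whose password field still holds a hash rather than "x" (or a
#    "*" / "!" lock), i.e. the hash never moved to the shadow file,
#  - uid 0 accounts other than root (a second superuser account).
passwd_field_problems() {
    awk -F: 'NF >= 7 {
        if ($2 == "") { print $1 ": empty password field (no password needed to log in)" }
        else if ($2 != "x" && $2 != "*" && $2 != "!") { print $1 ": password hash stored in passwd instead of shadow" }
        if ($3 == "0" && $1 != "root") { print $1 ": uid 0 account other than root" }
    }' "$1"
}

# Live use:  shadow_perms_ok /etc/shadow && passwd_field_problems /etc/passwd
```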
Linux Process Control
Tools for working with processes
accton - Turns process accounting on and off. Uses the file /var/log/pacct. To
turn it on type "accton /var/log/pacct". Use the command with no arguments to
turn it off.
kill - Kill a process by number
killall - Send a signal to a process by name
lastcomm (1) - Display information about previous commands in reverse order.
Works only if process accounting is on.
nice - Set process priority of new processes.
ps(1) - Used to report the status of one or more processes.
pstree(1) - Display the tree of running processes.
renice(8) - Can be used to change the process priority of a currently running
process.
sa(8) - Generates a summary of information about users' processes that are
stored in the /var/log/pacct file.
skill - Report process status.
snice - Report process status.
top - Displays the processes that are using the most CPU resources.
Checking running processes
While logged in as root, type "ps -ax |more" or "ps -aux |more". You will get a list of
all processes running on your computer. You will see the process id (PID), process
status (STAT) various statistics, and the command name. You can kill a process by
typing "kill" and the PID number right afterwards similar to the line below.
kill 1721
You can also stop and restart processes by sending them various signals as in the below
examples:
kill -STOP 1721        Stops (suspends) process 1721 by sending the STOP signal to the
                       process. This process will still be on the task list. The
                       process can't catch or ignore the STOP signal.
kill -CONT 1721        Continues process 1721, causing it to resume. The CONT signal is
                       sent to the process.
kill -TERM 1721        Terminates process 1721 by sending the TERM signal to the
                       process. This process will no longer show up on the task list
                       if it is actually terminated. A terminated process cannot be
                       continued. The TERM signal can be caught, so TERM is not
                       guaranteed to kill the process.
kill -HUP 1721         Stops, then restarts process 1721. This is usually done when a
                       process is not working properly or the configuration files for
                       that process have been changed. This command sends the HUP
                       signal to the process, which means hangup. This signal can be
                       caught by the process.
killall -HUP myprint   Restarts any process with the name "myprint".
killall -TERM myprint  Terminates any process with the name "myprint".
Setting up and doing process control
The examples in this section use the "yes" command as an easy example of a program that
runs continually. The "yes" command outputs the string "y" until it is killed or
stopped. When the output is redirected to /dev/null (the null device or bit bucket),
the output is simply discarded. Therefore this command is harmless, but is a good
demonstration. To put the process in the background, append an "&" character to the
end of the command as shown below.
yes > /dev/null &
The system will respond with a job number and process ID or PID similar to:
[1] 10419
Either number can be used to refer to the job. The "jobs" command can be used to check
the job. When the command is entered the system will respond with a list of running
jobs similar to the following:
[1]+ Running yes >/dev/null &
The job can be killed using the process ID or the job number. Either
kill %1
or:
kill 10419
Stopping and restarting jobs
Another way to put a job into the background is to
1. Start the job normally like:
yes > /dev/null
The prompt does not come back.
2. Use the <Ctrl-Z> key to stop the job.
3. Use the command "bg" or "bg %1" where 1 is the job number to put the process in
the background. The system reports the job number when you stop the job.
Before the last step, the job was suspended. The "fg" command could have been
used to bring the job into the foreground rather than using the "bg" command to
put it in the background. If the job is running in the foreground, you can type
<Ctrl-C> to terminate the process.
Killing or Reconfiguring a Daemon without Restarting
killall -1 inetd     Restarts inetd by sending signal number 1, which is the hangup
                     signal.
killall -HUP inetd   Causes the daemon to reload its config file by sending the hangup
                     signal. The difference between this example and the previous one
                     is that the signal is called by name here rather than by number.
To make changes to inetd:
1. Reconfigure /etc/inetd.conf
2. Restart inetd by sending it the hangup signal
The easy way to reset a service that was started via the rc script files during system
startup:
1. Find the file for the service, you want to start. For example find the file for
the print daemon "lpd". These files should typically be in the directory
"/etc/rc.d/init.d". The file name in this case is "lpd". (Note this is a script
file, that starts the daemon, not the actual binary daemon file).
2. Go to that subdirectory "cd /etc/rc.d/init.d" and type "./lpd restart".
3. You should get output to the screen that indicates this service has been shut
down and then started.
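The signal behaviour described in the kill table and in the inetd example above, exercised on a throwaway background worker instead of a real daemon. This is an added example, not code from the original guide. The worker stands in for a daemon such as inetd: it writes a "tick" line once a second, re-reads its configuration file when it receives HUP, and records a clean shutdown when it receives TERM; STOP and CONT show up as the ticks pausing and resuming. Log and configuration file paths are parameters, and the whole run takes roughly ten seconds because of the sleeps.

```shell
# Added example, not part of the original guide.

# start_worker LOGFILE CONFFILE
# Starts the worker in the background and leaves its PID in WORKER_PID (a
# variable rather than command substitution, so the caller can still "wait").
start_worker() {
    log=$1 conf=$2
    (
        # HUP can be caught: re-read the configuration and keep running
        trap 'echo "reload:$(cat "$conf")" >> "$log"' HUP
        # TERM can be caught too: record the shutdown, then exit cleanly
        trap 'echo "exit" >> "$log"; exit 0' TERM
        # STOP cannot be trapped or ignored: the loop simply stops producing ticks
        echo "start:$(cat "$conf")" >> "$log"
        while :; do
            echo tick >> "$log"
            sleep 1
        done
    ) </dev/null >/dev/null &
    WORKER_PID=$!
}

# tick_count LOGFILE: number of ticks written so far
tick_count() { grep -c '^tick' "$1" || true; }

# run_signal_demo LOGFILE CONFFILE
# Runs the whole sequence and prints one line such as
# "stop:yes cont:yes hup:yes term:yes".
run_signal_demo() {
    log=$1 conf=$2
    : > "$log"
    echo "version1" > "$conf"
    start_worker "$log" "$conf"
    sleep 1

    kill -STOP "$WORKER_PID"; sleep 1          # like "kill -STOP 1721"
    before=$(tick_count "$log"); sleep 2
    after=$(tick_count "$log")                  # no ticks while stopped
    if [ "$before" = "$after" ]; then stop_ok=yes; else stop_ok=no; fi

    kill -CONT "$WORKER_PID"; sleep 2          # like "kill -CONT 1721"
    resumed=$(tick_count "$log")                # ticks again after CONT
    if [ "$resumed" -gt "$after" ]; then cont_ok=yes; else cont_ok=no; fi

    echo "version2" > "$conf"
    kill -HUP "$WORKER_PID"; sleep 2           # like "killall -HUP inetd"
    if grep -q '^reload:version2' "$log"; then hup_ok=yes; else hup_ok=no; fi

    kill -TERM "$WORKER_PID"                   # like "kill -TERM 1721"
    wait "$WORKER_PID"                         # TERM is caught, so this returns promptly
    if grep -q '^exit' "$log"; then term_ok=yes; else term_ok=no; fi

    echo "stop:$stop_ok cont:$cont_ok hup:$hup_ok term:$term_ok"
}
```

A process that did not trap TERM would die immediately instead of writing the "exit" line; a process that traps TERM and refuses to exit would keep "wait" blocked, which is the case the table has in mind when it says TERM is not guaranteed to kill a process.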
Setting process priority
In Linux, processes have a priority number between -20 and 19. The value of -20 is the
highest, and 19 is the lowest priority. Process priority can be set with the nice(1)
command and changed using the renice(8) command. To set a process to have the highest
priority find the process ID number using the ps command. If your process name is
"myprog" type:
ps -ax |grep myprog
You should get something like:
756 tty1 S 0:00 myprog
The first number on the line is your process ID. Enter the command:
renice -20 756
This will set your process (PID=756) to priority of -20. Modify the process ID number
for that of your program running on your system. You can use the nice command to
determine the default priority of new processes by typing "nice" on the command line.
If you want to start a process with a specific priority, use the nice(1) command when
you invoke the process.
Setting limits on the number of processes that can run
The command "ulimit" is used to limit the number of processes users can run along with
other available system resources. All processes started from the shell (bash in many
cases) will have the same resource limits. See the bash manual page for more information.
To set the limits for daemons which are started at boot time, add a ulimit command to the
boot scripts.
depmod - Creates a dependency file, "modules.dep" in the directory
"/lib/modules/x.x.x", later used by modprobe to automatically load the relevant
modules.
insmod - Installs a loadable kernel module into the running kernel.
rmmod - Unloads modules, Ex: rmmod ftape
modprobe - Used to load a module or set of modules. Loads all modules specified
in the file "modules.dep".
General Diagnostic
System resources
free - Show system memory availability and usage
df - Show the amount of disk free space on each mounted filesystem.
du - Show disk usage
lspci - List PCI devices
pnpdump - Lists ISA PNP device resource information.
vmstat - Reports virtual memory statistics.
Other:
env - List the current environment variables.
printenv - Print a copy of the environment.
set - Shows how the environment is set up. This command can be very useful when
debugging the environment.
runlevel - List the current and previous runlevel.
uname - Print system information. In my case, it prints "Linux".
dmesg - Show the last kernel messages printed during the last boot.
Linux Configuration
In this section, the configuration tool, "linuxconf" is discussed. This configuration
tool provides a means to configure much of the system. In this section, attempts are
made to describe the files where this configuration information is stored (unless
documented in other sections), however its accuracy cannot be guaranteed, and these
files will vary somewhat from one Linux system to another.
When fully expanded, the linuxconf menu includes the following:
Config
  o Networking
      Client tasks
        Basic host information
        Name server specification (DNS)
        Routing and Gateways
          Defaults
          other routes to networks
          other routes to hosts
          routes to alternate local nets
          the routed daemon
        Host name search path
        Network Information System (NIS)
        IPX interface setup
        PPP/SLIP/PLIP
      Server tasks
        Exported file systems (NFS)
        IP aliases for virtual hosts
        Apache Web server
          Defaults
          Virtual domains
          Sub-directory specs
          Files specs
          Modules
          Performance
          mod_ssl configuration
        Domain Name Server (DNS)
          Config
            domains
            IP reverse mappings
            secondaries
            forward zones
            forwarders
            features
            IP allocation space
          Add/Edit
            host information by domain (quick edit)
          Security
            Access control lists
            Access control
        Mail delivery system (sendmail)
          Basic
            Basic information
            special (domain) routing
            complex (user) routing
            masquerading rules
            mail to fax gateway
            virtual email domain
            the mail queue
            user aliases
            virtual domain user aliases
            /etc/sendmail.cf
          Anti-spam filters
            Rejected senders
            'Relay for' by IP
            'Relay for' by name
            Relay to hosts
        Samba file server
          Defaults
          Default setup for user's home
          Default setup for printers
          Netlogon setup
          Disk shares
        Ftp server (wu-ftpd)
          Basic configuration
          Virtual hosts
      Misc
        Information about other hosts
        Information about other networks
        Linuxconf network access
  o Users accounts
      Normal
        User accounts
        Group definitions
        Change root password
      Special accounts
        PPP accounts
        SLIP accounts via normal login
        UUCP accounts
        POP accounts (mail only)
        Virtual POP accounts (mail only)
      Email aliases
        user aliases
        virtual domain user aliases
      Policies
        Password & account policies
        Available user shells
        Available PPP shells
        Available SLIP shells
        Message of the day - Allows you to type a new message of the day to be
          displayed on the console when a user logs in. This file is stored in
          /etc/motd.
  o File systems
      Access local drive
      Access nfs volume
      Configure swap files and partitions
      Set quota defaults
      Check some file permissions
  o Miscellaneous services
      Initial system services
      Modem
  o boot mode
      Lilo
        LILO defaults (linux boot loader)
        LILO linux configurations
        LILO other OS configurations
        default boot configuration
        a new kernel
        a kernel you have compiled
      Mode
        default boot mode
Control
  o Control panel
      Activate configuration
      Shutdown/Reboot
      Control service activity
      Mount/Unmount file systems
        Control configured local drives
        Control configured nfs volumes
        Mount other NFS file systems
      Configure superuser scheduled tasks
      Archive configurations
      Switch system profile
      Control PPP/SLIP/PLIP links
  o Control files and systems
      Configure all configuration files
      Configure all commands and daemons
      Configure file permission and ownership
      Configure Linuxconf modules
      Configure system profiles
      Override Linuxconf addons
      Create Linuxconf addons - This section allows a newly installed
        package to be managed using linuxconf
  o logs
      Boot messages
      Linuxconf logs - Shows all configuration commands issued by linuxconf
  o date & time - Allows the time zone to be set and the time to be set as
      stored in GMT format or local time. It also lets the time and date be set.
  o Features - Defines special behavior of linuxconf including the keyboard map
      (/etc/sysconfig/keyboard), language selection, and html timeout.
Using Linux PAM
PAM stands for Pluggable Authentication Modules. PAM is a library, used to control the
function of various applications that have the capability to use the PAM libraries. PAM
is based on a series of library modules, some of which depend on configuration files.
Locations of PAM configuration files and library modules are:
All PAM applications are configured in the directory "/etc/pam.d" or in a file
"/etc/pam.conf".
The library modules are normally stored in the directory "/lib/security".
The configuration files are located in the directory "/etc/security".
To configure PAM, on systems already set up for it, you would need to edit the files
for the service you want to modify in the "/etc/pam.d" directory, and modify the
appropriate configuration file in the directory "/etc/security". This page will explain
how to set up the configuration files and how to configure the modules so applications
can use them.
The PAM configuration files
PAM is controlled by a main configuration file (/etc/pam.conf) or a control directory
(/etc/pam.d). Some PAM modules' behavior is controlled with configuration files (in
/etc/security) as listed below:
access.conf - Login access control. Used for the pam_access.so library.
group.conf - Group membership control. Used for the pam_group.so library.
limits.conf - Set system resource limits. Used for the pam_limits.so library.
pam_env - Control ability to change environment variables. Used for the
pam_env.so library.
time - Allows time restrictions to be applied to services and user privileges.
Used for the pam_time.so library.
The main pam.conf file or the /etc/pam.d files
The configuration for PAM is normally in the /etc/pam.d directory which has a file for
each PAM controlled application. This file or directory is used to control the behavior
of applications that use the PAM modules. Some examples of PAM controlled applications
are login, samba, and shutdown. PAM is controlled using the configuration file
/etc/pam.conf or the configuration directory, but not both. The directory structure
control has precedence. A general configuration line in one of the PAM application
configuration files has the following form:
module-type control-flag module-path arguments
If the /etc/pam.conf file is used to control PAM rather than the /etc/pam.d directory
structure, the pam.conf lines are the same except they have an additional parameter at
the start which is "service-name". The various parameters on each line are:
1. service-name (not in directory files) - The type of service such as rlogin or
ftp.
2. module-type - The type name of the PAM module used which are
1. auth - Authenticates the user to be sure they are who they claim to be,
usually by asking for a password and then checking it, and sets credentials
such as group memberships or Kerberos tickets.
2. account - Check to see if the authentication is allowed based on
available system resources such as the maximum number of users or the
location of the user. Access could be denied if the account has expired
or the user is not allowed to log in at this time of day.
3. password - Used to set passwords. Typically, there is one module for
each auth module-type.
4. session - Used to make it possible for a user to use their account once
they have been authenticated. This module does things that need to be
done for the user before or after they can be given service such as
logging of information concerning the opening or closing of some data
exchange with a user, or mounting directories. This module may make the
user's mailbox available.
3. control-flag
1. required - The success of the module is required for the module-type
facility to succeed. Failure of this module will not be apparent to the
user until all of the remaining modules (of the same module-type) have
been executed
2. requisite - If the module returns a failure, control is directly
returned to the application. The return value is that associated with
the first required or requisite module to fail. This flag can be used to
protect against the possibility of a user getting the opportunity to
enter a password over an unsafe medium.
3. sufficient - If this module succeeds and no previous required module has
failed, no more `stacked' modules of this type are invoked. This means
subsequent required modules are not invoked. A failure of this module is
not deemed as fatal to satisfying the application that this module-type
has succeeded.
4. optional - This module is not critical to the success or failure of the
user's application for service. In the absence of any definite successes
or failures of previous or subsequent stacked modules this module will
determine the nature of the response to the application.
74 | P a g e
4. module-path - The path and filename of the PAM library used to control the
function.
5. arguments - Arguments are optional and vary from module to module.
My "/etc/pam.d/rlogin" file looks like this:
#%PAM-1.0
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_pwdb.so shadow nullok
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_pwdb.so
password required /lib/security/pam_cracklib.so
password required /lib/security/pam_pwdb.so nullok use_authtok md5 shadow
session required /lib/security/pam_pwdb.so
session optional /lib/security/pam_console.so
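The control-flag rules above, applied to the auth and session stacks of this rlogin file, as an added example (not part of the original guide). The pam.d text is constructed from the file shown, and the per-module success/failure values are made-up inputs standing in for what each module would return.

```python
"""Simulate how PAM walks one module-type stack under the four control flags."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    module_type: str       # auth, account, password or session
    control: str           # required, requisite, sufficient or optional
    path: str              # module-path
    args: Tuple[str, ...]  # optional module arguments


def parse_pamd(text: str) -> List[Rule]:
    """Parse /etc/pam.d/<service> lines: module-type control-flag module-path [args]."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drops '#%PAM-1.0' and comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed pam.d line: {raw!r}")
        rules.append(Rule(fields[0], fields[1], fields[2], tuple(fields[3:])))
    return rules


def evaluate_stack(rules: List[Rule], module_type: str,
                   results: Dict[str, bool]) -> Tuple[str, List[str]]:
    """Walk one module-type stack; return (outcome, module-paths actually invoked).

    `results` maps module-path -> True/False, standing in for each module's return.
      required   - a failure is remembered, but the rest of the stack still runs
      requisite  - a failure returns to the application at once
      sufficient - success with no earlier required failure ends the stack early
      optional   - decides the result only if no other module did
    """
    invoked: List[str] = []
    required_failed = False
    decisive_success = False      # some required/requisite/sufficient module passed
    optional_result = None
    for rule in rules:
        if rule.module_type != module_type:
            continue
        ok = results.get(rule.path, False)   # an unknown module counts as failing
        invoked.append(rule.path)
        if rule.control == "required":
            required_failed |= not ok
            decisive_success |= ok
        elif rule.control == "requisite":
            if not ok:
                return "fail", invoked
            decisive_success = True
        elif rule.control == "sufficient":
            if ok and not required_failed:
                return "success", invoked
            decisive_success |= ok
        elif rule.control == "optional":
            optional_result = ok
        else:
            raise ValueError(f"unknown control-flag {rule.control!r}")
    if required_failed:
        return "fail", invoked
    if decisive_success:
        return "success", invoked
    if optional_result is not None:
        return ("success" if optional_result else "fail"), invoked
    return "fail", invoked        # an empty stack grants nothing


# Constructed copy of the /etc/pam.d/rlogin file shown above.
RLOGIN_PAMD = """\
#%PAM-1.0
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_pwdb.so shadow nullok
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_pwdb.so
password required /lib/security/pam_cracklib.so
password required /lib/security/pam_pwdb.so nullok use_authtok md5 shadow
session required /lib/security/pam_pwdb.so
session optional /lib/security/pam_console.so
"""

if __name__ == "__main__":
    rules = parse_pamd(RLOGIN_PAMD)
    # root logging in over an insecure tty: pam_securetty fails, yet pam_pwdb and
    # pam_nologin still run, so the user only learns of the failure at the end
    results = {"/lib/security/pam_securetty.so": False,
               "/lib/security/pam_pwdb.so": True,
               "/lib/security/pam_nologin.so": True}
    print(evaluate_stack(rules, "auth", results))
```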
netstat - Displays information about the system's network connections, including
port connections, routing tables, and more. The command "netstat -r" will
display the routing table.
traceroute - This command can be used to determine the network route from your
computer to some other computer on your network or the internet. To use it you
can type "traceroute IPaddress" with the address of the computer you want to see the
route to.
nslookup - Used to query DNS servers for information about hosts.
arp - This program lets the user read or modify their arp cache.
tcpdump - This program allows the user to see TCP traffic on their network.
dig(1) - Send domain name query packets to name servers for debugging or
testing.
Manual Configuration
You can use one of the above tools or configure the network the old-fashioned way as
follows:
1. First, to use networking on any permanent basis you should set up the file
   /etc/sysconfig/network similar to the example shown below.
2. Assign an IP address with "ifconfig eth0 192.168.1.100 netmask 255.255.255.0
   up".
3. Tell your machine that a hub is ready for information with the command "route
   add -net 192.168.0.0 netmask 255.255.255.0 eth0".
4. To contact hosts outside your network, if a machine with IP address 192.168.1.1
   is the gateway, use the command "route add default gw 192.168.1.1 eth0".
5. If using a dialup connection, use the command "route add default ppp0". The word
   default says that if the packet is not for a machine on your local network, send it
   to the default device.
These settings are not permanent but go away the next time you boot. They are normally
set up in the directory /etc/sysconfig/network-scripts. Add the network interface to
the file /etc/sysconfig/network-scripts/ifcfg-eth*. For example, the file ifcfg-eth0 is
for the first ethernet interface, ifcfg-eth1 for the second, and ifcfg-lo is for the local
loopback interface. An example file from my system is:
DEVICE="eth0"
IPADDR="192.168.1.100"
NETMASK="255.255.0.0"
ONBOOT="yes"
BOOTPROTO="none"
IPXNETNUM_802_2=""
IPXPRIMARY_802_2="no"
IPXACTIVE_802_2="no"
IPXNETNUM_802_3=""
IPXPRIMARY_802_3="no"
IPXACTIVE_802_3="no"
IPXNETNUM_ETHERII=""
IPXPRIMARY_ETHERII="no"
IPXACTIVE_ETHERII="no"
IPXNETNUM_SNAP=""
IPXPRIMARY_SNAP="no"
IPXACTIVE_SNAP="no"
Unless you know what you're doing it is best to use a network configuration tool. I
cannot guarantee the accuracy of how to set these files up on your system.
Configuring an interface for multiple IP addresses
If you want to configure your network card to act as more than one IP address, issue
the following command:
ifconfig dummy 192.168.1.102 netmask 255.255.255.0
This uses the dummy system interface capability supported in the kernel to set up
another virtual interface which operates at IP address 192.168.1.102. Substitute the IP
address that you want your virtual interface to have, with an appropriate netmask for your
network. To disable this, issue the following command:
ifconfig dummy down
Another way to use multiple IP addresses on one ethernet card is to set up a new file
in your /etc/sysconfig/network-scripts directory. Copy your ifcfg-eth0 file to
ifcfg-eth0:0. Edit that file and rename the device to "eth0:0" and the IP address to the
desired IP address. You may also want to modify BROADCAST, NETWORK, or NETMASK. You can
continue adding IP addresses by using :1, :2, etc. such as ifcfg-eth0:2.
To make it effective, you must reboot your system or issue the command
"/etc/rc.d/init.d/network restart" as root.
Dynamically allocated IP addresses
To get the IP address of a dynamically allocated network interface in a script file
enter the following:
dynip=`/sbin/ifconfig | grep -A 4 ppp0 | awk '/inet/ { print $2 } ' | sed -e s/addr://`
Substitute the interface on which you receive your dynamic IP address for ppp0 in
the example above. This script line gets your dynamic IP address for use in a
masquerade script. You can use the variable $dynip as in any other configuration. The
next time you make a new connection you will need to extract the dynip value again and
re-run the masquerade script.
Networking file formats, examples and considerations
Below is some more in-depth information about the networking files.
/etc/sysconfig/network
The /etc/inittab file contains the entry "si::sysinit:/etc/rc.d/rc.sysinit"
which causes the system at startup to run the rc.sysinit script. The rc.sysinit
file expects to find the file /etc/sysconfig/network if networking is to be
enabled.
The network file looks like this:
NETWORKING=yes
FORWARD_IPV4=false
HOSTNAME=mymachine.mycompany.com
DOMAINNAME=mycompany.com
GATEWAY=192.168.1.1
GATEWAYDEV=eth0
Where GATEWAYDEV is the network interface card that is attached to the network
the gateway machine is on. The GATEWAY is the actual IP address of the gateway
machine.
/etc/hosts - Defines local hosts.
127.0.0.1 localhost localhost.localdomain
192.168.1.100 mymachine.mycompany.com mymachine
/etc/services - Internet network services list. It associates port numbers with
names of services. The file contains three fields which are name, port/protocol,
and aliases with an optional comment.
/etc/protocols - Describes DARPA internet protocols available from the TCP/IP
subsystem. Maps protocol ID numbers to protocol names. It includes protocol
name, number, and aliases. The protocol file on my system:
# /etc/protocols:
# $Id: protocols,v 1.1 1995/02/24 01:09:41 imurdock Exp $
#
# Internet (IP) protocols
#
# from: @(#)protocols 5.1 (Berkeley) 4/17/89
#
# Updated for NetBSD based on RFC 1340, Assigned Numbers (July 1992).
ip 0 IP # internet protocol, pseudo protocol number
icmp 1 ICMP # internet control message protocol
igmp 2 IGMP # Internet Group Management
ggp 3 GGP # gateway-gateway protocol
ipencap 4 IP-ENCAP # IP encapsulated in IP (officially ``IP'')
st 5 ST # ST datagram mode
tcp 6 TCP # transmission control protocol
egp 8 EGP # exterior gateway protocol
pup 12 PUP # PARC universal packet protocol
udp 17 UDP # user datagram protocol
hmp 20 HMP # host monitoring protocol
xns-idp 22 XNS-IDP # Xerox NS IDP
rdp 27 RDP # "reliable datagram" protocol
iso-tp4 29 ISO-TP4 # ISO Transport Protocol class 4
xtp 36 XTP # Xpress Tranfer Protocol
ddp 37 DDP # Datagram Delivery Protocol
idpr-cmtp 39 IDPR-CMTP # IDPR Control Message Transport
rspf 73 RSPF #Radio Shortest Path First.
vmtp 81 VMTP # Versatile Message Transport
ospf 89 OSPFIGP # Open Shortest Path First IGP
ipip 94 IPIP # Yet Another IP encapsulation
encap 98 ENCAP # Yet Another IP encapsulation
/etc/named.conf - Used for domain name service to configure named. Other files
used are dependent on this file. This file is explained further in the DNS
section.
/etc/resolv.conf - Specifies the domain to be searched for host names to connect
to, the nameserver address, and the search order for the nameservers.
domain mycompany.com
search mycompany.com mynet.net
nameserver 192.168.1.100
nameserver 192.168.199.1
nameserver 192.168.1.10
The third line specifies that DNS should be tried on my machine first and then on
the normal nameserver on the fifth line. The fourth line specifies that my
machine is running name services on another network using the interface
192.168.199.1. This assumes the nameserver is set up on my machine, which is
explained in another section.
/etc/host.conf - Specifies the order name service looks to resolve names. An
example file:
order hosts, bind
multi on
nospoof on
The order specifies that when resolving names to first look in the /etc/hosts
file, then use BIND8 (DNS) to resolve the name. The line "multi on" specifies
that all valid addresses for a host found in the hosts file should be returned.
The line "nospoof on" makes the resolver check that a name obtained by reverse
lookup resolves back to the original address, rejecting mismatches.
The files in /etc/sysconfig/network-scripts control your network interfaces. The
network interface file is described above in the section "Manual Configuration". If you
want or need more in depth knowledge about how these files are used, you will need to
read the document "How Linux Works CTDP Guide" or "The CTDP Linux Startup Manual".
Otherwise you will need to analyze the system startup scripts which is no small task.
Older X windows configuration
In Xwindows a working configuration is set up as follows:
NAMES:
hostname: mymachine.mycompany.com
Domain: mycompany.com
Nameservers: 192.168.1.10
HOSTS:
IP - 192.168.1.100
Name - mymachine.mycompany.com
INTERFACES:
Interface - eth0
IP- 192.168.1.100
proto - none
atboot - yes
Netmask: 255.255.255.0
Network: 192.168.1.0
Broadcast: 192.168.1.255
ROUTING:
Default gateway: 192.168.1.1
Default gateway device: eth0
Interface - 192.168.1.100
Network Address - 192.168.1.0
Network gateway 192.168.1.1
Netmask - 255.255.255.0
Routing
Routing table information is used to route incoming and outgoing network datagrams to other
machines. On most simple configurations, there are three routes: one for sending packets to
your own machine, one for sending packets to other machines on your network, and one for
sending packets to other machines outside your network through the gateway. Two programs
(ifconfig and route) are used to configure these parameters. They are described in more detail in
the routing section.
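Longest-prefix lookup over that three-route table, as an added example (not from the guide): it parses constructed "route -n" output matching the Manual Configuration commands, picks the most specific route for a destination, and checks that the default gateway sits on a directly connected network, which is the thing to verify after adding a default route.

```python
"""Route selection over the loopback / local-network / default table."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]   # None means directly connected
    iface: str


def parse_route_table(text: str) -> List[Route]:
    """Parse 'route -n' / 'netstat -rn' output (format: Destination Gateway Genmask Flags ... Iface)."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        # skip the banner and header rows; data rows start with a dotted quad
        if len(fields) < 8 or not fields[0][0].isdigit():
            continue
        dest, gw, mask, flags, iface = fields[0], fields[1], fields[2], fields[3], fields[-1]
        network = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        gateway = ipaddress.ip_address(gw) if "G" in flags else None
        routes.append(Route(network, gateway, iface))
    return routes


def lookup(table: List[Route], dest: str) -> Route:
    """Return the most specific route containing dest, as the kernel does."""
    dst = ipaddress.ip_address(dest)
    candidates = [r for r in table if dst in r.network]
    if not candidates:
        raise LookupError(f"no route to {dest}")
    return max(candidates, key=lambda r: r.network.prefixlen)


def next_hop(table: List[Route], dest: str) -> Tuple[str, str]:
    """Return (interface, 'direct' or the gateway address the packet is handed to)."""
    r = lookup(table, dest)
    return r.iface, ("direct" if r.gateway is None else str(r.gateway))


def gateway_reachable(table: List[Route]) -> bool:
    """True if every gateway lies on a directly connected network.

    A gateway that is only reachable through another gateway route can never be
    used; this is the trap when the local-network route and the default
    gateway address do not agree."""
    for r in table:
        if r.gateway is None:
            continue
        if not any(d.gateway is None and r.gateway in d.network for d in table):
            return False
    return True


# Constructed 'route -n' output for the example network on this page.
ROUTE_N_OUTPUT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
"""

if __name__ == "__main__":
    table = parse_route_table(ROUTE_N_OUTPUT)
    for dest in ("127.0.0.1", "192.168.1.50", "10.5.6.7"):
        print(dest, "->", next_hop(table, dest))
    print("gateway reachable:", gateway_reachable(table))
```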
Linux Network Tools and Terms
Linux Networking Tools
arp - Address resolution protocol. Type "arp -a" to display entries in the arp
cache.
ifconfig - A command line tool used to configure a network interface. There is a man
page available for this program.
ifdown - Shuts down a network interface.
ifup - Starts a network interface such as eth0 or ppp0.
ipchains - A tool used to administer firewall rules.
netconf - The Redhat GUI network configuration tool.
netconfig - Another network configuration tool which is usually run when the system
is installed. Netconf is better.
netstat - Type "netstat -rn" to see the routing table. Type "netstat -in" to see the
interface info.
nslookup - Used to test DNS configuration by querying DNS servers.
ping - A network tool used to send ICMP test packets to other hosts to determine
if they can respond or are reachable.
ripquery - A tool to query some routers for their routing table.
route - Typing "route -n" will show the routing table.
tcpdump - A network sniffer tool used to dump headers of packets on a network
interface.
traceroute - Sends data to a remote host to a port that doesn't exist with a TTL field
at 1, 2, etc. to get the intermediate hosts to send back their addresses
reporting errors. The destination will report an unreachable port error,
sending its address.
Networking terms
ARP - Address resolution protocol. Used to translate hardware addresses
(ethernet ports) and IP addresses and vice versa. Uses broadcast messages for
resolution.
BOOTP - A protocol used to allow client computers to get their IP address from a
BOOTP server. DHCP supersedes, though does not replace, this protocol.
DHCP - Dynamic Host Configuration Protocol, allows clients to get their IP
addresses from a DHCP server. This system "leases" IP addresses to clients for
limited periods of time. If the client has not used their IP address within the
lease time, the IP address is free for re-assignment.
ICMP - Internet Control Message Protocol. Part of the IP layer. Communicates
error messages and other messages that require attention.
IGMP - Internet Group Management Protocol. Protocol used to manage multicasting
through routers.
IP - Three kinds of IP addresses are unicast, broadcast and multicast.
MBONE - Used to refer to a network that supports multicasting.
NIS - Network information service, is a name service created by Sun
Microsystems.
NFS - Network file sharing, allows two Unix style computers to mount and access
part or all of a file system on a remote computer.
OSPF - Open Shortest Path First dynamic routing protocol intended as a
replacement for RIP.
PPP - Point to point protocol is a serial protocol commonly used to connect
using a modem to the internet
RARP - Reverse ARP, used for clients to determine their IP addresses.
RIP - Routing Information Protocol, used by almost all TCP/IP implementations to
perform dynamic routing.
RPC - Remote procedure call is a set of function calls used by a client program
to call functions in a remote server program.
SLIP - Serial line internet protocol.
SMTP - Simple mail transport protocol, commonly used as the mail message
transport protocol.
SNMP - Simple network management protocol.
UDP - User Datagram Protocol, a transport layer protocol
UUCP - Unix to Unix copy is a protocol that allows Unix computers to exchange files.
Linux Novell Access and Printing
Novell Network Access
Use the package ncpfs. The function ncpmount can then be used to mount network drives.
1. Add the line "ipx_configure --auto_interface=on --auto_primary=on" to the end
of the file "/etc/rc.d/rc.local".
Note: Use "ps ax | more" if you want to see all processes including daemons.
2. Type "slist" for a list of available servers on the network (Note, you must log
onto the network using the "ncpmount" command before you can see a list of
available servers or printers.)
3. ncpmount - mount all the volumes on a specified Novell fileserver.
Ex: ncpmount -S main_serv1 -U george /mnt/network
4. Note: If you want all users to have this capability, you must install ncpmount
suid root. Do the following:
cd /usr/bin
chmod +s ncpmount
chmod +s ncpumount
5. When done use ncpumount to unmount the drive.
Misc notes:
Type "pqlist" for a list of print spoolers.
Type "slist" for list of servers on the network.
Network Printing setup and use
If you are using Novell:
1. After setting up ipx_configure in the above section, log onto the desired
   network server using ncpmount. I have written "neton" and "netoff" script
   files. To log on, type "neton" and your username on the same line. To log off,
   type "netoff". These script files are placed in "/usr/bin".
2. Find out what printers are available on the server you're logged in on by
   typing "pqlist -S servername". Ex: pqlist -S main_serv1
3. Type "nprint -S server -U username -P password -q queuename -d jobdescription
   file". Ex: nprint -S main_serv1 -q HP_lprinter
To set up the printers:
If you are running Redhat Linux you may want to use printtool to set up your printer.
To do this type "startx" to begin an X session. Then bring up a terminal program and
type "printtool". When the printtool screen appears, select "add" to add a printer. The
following is an example of a completed menu:
Names (name1|name2|…) lp
Spool Directory /var/spool/lpd/lp
File Limit in Kb (0 - no limit) 0
Printer Server Name main_serv1
Print Queue Name HP_lprinter
User george
Password ******
Input Filter *auto* - LaserJet4
Don't forget to enable LF to CRLF translation if you will be printing windows or DOS
files. The name is the name you want to call this printer. You could call it fred. The
spool directory is where the spool files and any other files for this printer will be
stored. Usually I call it "/var/spool/lpd/printername". The file limit limits the size
of the spool files. The print server name is the name of the server the printer is on.
For a Novell system, a list of servers can be found (after logging on) by typing
"slist". The print queue name is the name of the printer on the server. On a Novell
system it can be found by typing "pqlist -S servername" after logging on. The user and
password are the username and password you use to log on to the network. The input
filter is set up by printtool. There is no way, that I currently know of, to specify
your own custom filter using printtool directly. Below is an example "/etc/printcap"
file created by printtool:
# /etc/printcap
#
# Please don't edit this file directly unless you know what you are doing!
# Be warned that the control-panel printtool requires a very strict format!
# Look at the printcap(5) man page for more info.
#
# This file can be edited with the printtool in the control-panel.
undocumented program, apparently for rewinding standard input, probably written by
Redhat called "rewindstdin". This is used to allow the script file to look at the
printer file several times. A variable string is built called "bestpath". This string
will for most standard text files include "cat - |".
For other systems, use a program to format data to avoid the staircase effect like:
magicfilter
The Redhat printtool. Become root and run printtool. Be sure to "setenv DISPLAY :0.0"
and "xhost +" first ("xhost +" turns off X server access control for every host, so use
it only for the duration of the task and run "xhost -" afterwards).
Below is a list of files that apply to printing.
lpd - Print daemon to provide print services to linux
/etc/printcap - Printer capability data base
smbclient - Used to print through Samba.
nprint - Netware print client
pqlist - Netware list of printers
pserver - Netware print server (daemon)
To see a list of printers on Netware server "main_serv1", type "pqlist -S main_serv1"
A listing of the script file "neton":
main_serv1 $1
# The lines that set $usernetwork (the mount point) and $status come before
# this point in the script; they are not reproduced on this page, so the
# initial value of status is restored here and usernetwork is checked.
status=${status:-1}
: "${usernetwork:?usernetwork must be set before this point}"
if test -d "$usernetwork"
then
    echo "Mounting on $usernetwork"
else
    if mkdir "$usernetwork"
    then
        echo "$usernetwork directory created"
    else
        echo "Failure creating $usernetwork"
        status=0
    fi
fi
if [ "$status" -eq 1 ]
then
    # $1 is the Novell server, $2 the user name
    if ncpmount -S "$1" -U "$2" "$usernetwork"
    then
        echo "$1 server mounted for user $2 on $usernetwork"
    else
        echo "Failure mounting $1 server for user $2 on $usernetwork"
    fi
fi
Linux Inetd Network services
Services typically provided using inetd include:
auth or identd - This is a server that returns user information to a remote
host that a user is requesting a service from. It can be run as a stand alone
daemon from the startup scripts.
bootpd - A server that allows remote clients to get their IP addresses from a
bootp server using the bootp network protocol. This involves the server having
a /etc/bootptab file containing hardware addresses and associated IP addresses
for each computer to be serviced. It can be run as a stand alone daemon from
the startup scripts.
ftp - File transport protocol. Allows users to transport files between remote
sites.
tftp - Trivial file transport protocol. A way for users to transfer files
to/from remote machines without logging in. Normally this transfer is limited
to specific areas and is normally used for transporting files to clients which
are needed for remote booting.
telnet - A protocol used to open user sessions from remote sites.
exec - in.rexecd - Remote execution server allows remote users to execute
commands on the system provided they have proper authorization.
rlogin - An older method of opening remote sessions, being replaced by telnet.
rsh - Remote shell, Used to execute commands on a remote host.
talk - A communication program that allows two users to talk by copying lines
from one user's terminal to the other.
finger - Allows users to get information about users currently logged in on the
local system or remote systems.
comsat - A server that notifies users when they have received mail. The biff
program is used to turn comsat service on and off for each user.
pop-2 - ipop2d - Supports the POP2 remote mail access protocol.
pop-3 - ipop3d - Supports the POP3 remote mail access protocol.
imap - imapd - Supports the IMAP4rev1 remote mail access protocol which is more
powerful than POP3. See RFC 2060.
uucp - uucico - The daemon that processes Unix to Unix copy (UUCP) file
transfer requests that were queued by uucp or uux.
netstat - Displays network connections, routing tables, and other networking
information about a system. This works on the local system and over a network.
swat - A Samba web administration tool allowing the administrator to configure
the /etc/smb.conf file using a web browser.
These services can be controlled (added/removed) by adding or deleting (commenting out)
lines in the file "/etc/inetd.conf". If you make a change to this file, you will want
to restart the inetd daemon with the command:
killall -HUP inetd
Although you can use inetd to run services such as Samba and BOOTP, normally I
recommend using the startup script files, which can be configured using the program
"linuxconf" and selecting "Control service activity". If these services are used often,
you will want to run them directly through the startup scripts. To conserve system
resources, you may want to use inetd to control these services if they won't be used
very often, but you can't run them using the startup scripts and inetd at the
same time.
The inetd configuration file
The file /etc/inetd.conf is used to configure these networking services. Its format is:
service socket_type protocol flags user server_path server_arguments
It is explained in more detail in the "How Linux Works" document.
Limiting services to your machine to specific addresses
1. If your system is not set up for services to use the tcpd daemon rather than the
   usual daemon, substitute the following in the "/etc/inetd.conf" file. Change
   lines like this:
   finger stream tcp nowait nobody /usr/etc/in.fingerd in.fingerd
   to this:
   finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd
2. Change the hosts.deny file so the following lines are included with the
   comments:
   ALL: ALL
   ALL: PARANOID
3. Change the hosts.allow file to allow services to desired TCP/IP addresses. Ex:
   ALL: 10.1.0.153, 10.1.2.252
   fingerd: 10.1.1.3
4. Note: To see the address of your Windows box, select Run and run winipcfg.
5. Reset the inetd daemon by issuing the command "killall -HUP inetd".
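The access decision those two files produce, modelled in Python as an added example (not from the guide): hosts.allow is consulted first, then hosts.deny, and a client matching neither is admitted. The file contents are constructed from the lines above; tcpd compares the daemon field with the program name it executes, so the finger rule here is written as in.fingerd, the name the rewritten inetd.conf line passes, and only the patterns used here (ALL, PARANOID, exact addresses, trailing-dot network prefixes) are implemented.

```python
"""tcpd (TCP wrappers) access decision and the inetd.conf rewrite that enables it."""
import re
from typing import List, Tuple

Rule = Tuple[List[str], List[str]]   # (daemon patterns, client patterns)


def parse_access(text: str) -> List[Rule]:
    """Parse hosts.allow / hosts.deny lines of the form 'daemon_list : client_list'."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append((re.split(r"[,\s]+", daemons.strip()),
                      re.split(r"[,\s]+", clients.strip())))
    return rules


def _client_matches(pattern: str, ip: str, paranoid: bool) -> bool:
    if pattern == "ALL":
        return True
    if pattern == "PARANOID":        # client whose name and address do not agree
        return paranoid
    if pattern.endswith("."):        # '10.1.' matches every 10.1.x.x address
        return ip.startswith(pattern)
    return pattern == ip


def _daemon_matches(pattern: str, daemon: str) -> bool:
    return pattern == "ALL" or pattern == daemon


def _rule_matches(rule: Rule, daemon: str, ip: str, paranoid: bool) -> bool:
    daemons, clients = rule
    return (any(_daemon_matches(p, daemon) for p in daemons)
            and any(_client_matches(p, ip, paranoid) for p in clients))


def hosts_access(allow: List[Rule], deny: List[Rule], daemon: str, ip: str,
                 paranoid: bool = False) -> bool:
    """tcpd order: a hosts.allow match grants, else a hosts.deny match refuses, else grant.

    With 'ALL: ALL' in hosts.deny the default flips to deny, so only what
    hosts.allow names gets through."""
    if any(_rule_matches(r, daemon, ip, paranoid) for r in allow):
        return True
    if any(_rule_matches(r, daemon, ip, paranoid) for r in deny):
        return False
    return True


def wrap_with_tcpd(inetd_line: str, tcpd: str = "/usr/sbin/tcpd") -> str:
    """Route an inetd.conf service through tcpd: the server_path field becomes tcpd
    and the server name stays as the argument tcpd execs.  Idempotent; lines with
    fewer than seven fields (e.g. 'internal' services) are left alone."""
    fields = inetd_line.split()
    if len(fields) < 7 or fields[5] == tcpd:
        return inetd_line
    return " ".join(fields[:5] + [tcpd] + fields[6:])


# Constructed from the hosts.allow / hosts.deny lines shown above.
HOSTS_ALLOW = """\
# hosts.allow
ALL: 10.1.0.153, 10.1.2.252
in.fingerd: 10.1.1.3
"""
HOSTS_DENY = """\
ALL: ALL
ALL: PARANOID
"""

if __name__ == "__main__":
    allow, deny = parse_access(HOSTS_ALLOW), parse_access(HOSTS_DENY)
    for daemon, ip in (("in.fingerd", "10.1.1.3"), ("in.telnetd", "10.1.1.3"),
                       ("in.telnetd", "10.1.0.153")):
        print(daemon, ip, "allowed" if hosts_access(allow, deny, daemon, ip) else "denied")
    print(wrap_with_tcpd("finger stream tcp nowait nobody /usr/etc/in.fingerd in.fingerd"))
```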
To disable a network service completely
To disable remote services like finger, who, and w, you will want to modify your
/etc/inetd.conf file. To disable finger services for example, change the
/etc/inetd.conf file so the line that says "in.fingerd" at the end, is commented out.
Do the same for any other services you do not want to run. Then make the inetd daemon
reload its configuration file and restart with the command "killall -HUP inetd".
Linux Xinetd Network services
The service, xinetd, is a service designed to provide the same functionality as inetd,
but with better configuration options and better security. It provides the same
services as inetd, so you will not need to run inetd with this service and can
substitute it for inetd. This service is easy to install and run. It is meant
as a replacement for inetd, but can be run at the same time inetd is being run. If you
decide to run both inetd and xinetd, you should not run the same services, such as
telnet or ftp, on both at the same time. Xinetd will support the
hosts.allow and hosts.deny features using the tcp wrapper daemon, the same as inetd
does.
Obtaining xinetd
It is very easy to obtain, compile, and install xinetd. You may obtain FAQ information
from http://synack.net/xinetd/faq.html, and complete documentation with source and
binaries may be obtained from http://www.synack.net/xinetd/. Also there is a very good
xinetd tutorial which describes installation and configuration (yes, better than this
documentation) at http://www.macsecurity.org/resources/xinetd/tutorial.shtml. It is
written for users running Linux on a Macintosh, but it applies very well to xinetd and
Linux in general.
Compilation and installation
Download the code to a location like "/usr/local/xinetd" then enter the directory you
downloaded xinetd to. Use the following procedure to unpack a source tar file,
compile, and install the package:
1. Type "tar xvzf xinetd-2_1_8_9p3_tar.gz" to unpack the file.
2. Type "cd xinetd-2.1.8.8.p3" to enter the directory the files were unpacked to.
3. Read the README and INSTALL files with the commands "less README" and "less
   INSTALL".
4. Type "./configure --with-libwrap --with-loadavg". Some documentation recommends
   not using the --with-libwrap option since xinetd supports its own method of
   providing the same capabilities as hosts.allow and hosts.deny.
5. Type "make".
6. Type "make install". This will install the man pages xinetd.conf, xinetd.log,
   xinetd, and itox, which you can read by typing "man" followed by the
   name, such as "man xinetd". It will also install the binary programs
   xinetd, itox, and xconv.pl.
   1. At this point, you may not have ready access to these programs unless
      the directory /usr/local/sbin is in your system path. You can find out
      by issuing the command "env" and looking at the value of your PATH
      variable. If the directory is named in the PATH variable, you are set.
      If not, you will need to add it to your system path.
   2. If you are only going to require these commands while logged in as root
      (which is likely), you can edit the .bash_profile file in the root
      directory (/root/.bash_profile). This assumes you are using the bash
      shell; otherwise edit the appropriate file for the shell you are
      running. Add ":/usr/local/sbin" to the statement that begins with "PATH".
      If no statement starting with "PATH" exists, add the statement
      "PATH=$PATH:/usr/local/sbin".
   3. If you want this path added for all users, you may add the statements as
      described above to the /etc/profile file.
7. The xinetd documentation says to issue the command:
   xconv.pl < /etc/inetd.conf > /tmp/xinetd.conf
   But I recommend using the command:
   xconv.pl < /etc/inetd.conf > /etc/xinetd.conf
   This will create a configuration file for xinetd from your original inetd.conf
   file.
8. You now need to start the service. The easy way to do this is to modify the
/etc/rc.d/init.d/inet file and replace all occurrences of inetd by xinetd. Since
xinetd is installed to /usr/local/sbin rather than /usr/sbin, you will need to
account for this in your file modifications or copy xinetd to /usr/sbin.
9. If you have a problem getting the service to run right, consider the following
   pitfalls:
   o If you converted your inetd.conf file to xinetd.conf, and were running
     with tcp wrappers in inetd, and did not compile tcp wrapper support into
     xinetd with the option --with-libwrap, you will need to either compile
     the option in or modify your configuration file so tcp wrappers are no
     longer used. This can generally be done by moving the server arguments
     to the server value, and the server arguments will be set to what would
     have been on the server command line or the value -1. For instance the
     entry:
       server = /usr/sbin/tcpd
       server_args = in.ftpd -l -a
     becomes:
       server = /usr/sbin/in.ftpd
       server_args = -l -a
     The entry:
       server = /usr/sbin/tcpd
       server_args = in.telnetd
     becomes:
       server = /usr/sbin/in.telnetd
       server_args = -1
   o You may need to add the line "groups = yes" to each service. See the
     xinetd.conf man page.
Other Linux Network Services
Network services not normally controlled using the inetd daemon include but are not
limited to:
arpwatch - Keeps track of ethernet IP addresses that are resolved using the ARP
protocol. This allows system administrators to note new IP addresses being used.
It maintains a database in /var/arpwatch/arp.dat
bootparamd - Allows remote computers to boot from a Linux box using the BOOTP
network protocol. This allows the remote computer to get its IP address if the
server knows the hardware address of the remote machine. The DHCP protocol is an
upgrade to this protocol since it is more automated.
dhcpd - Provides DHCP services to "lease" out IP addresses to remote machines.
gated - Provides routing services for BGP and other protocols. Alternative to
routed. Supports IGP (Interior gateway protocol) and EGP (Exterior Gateway
Protocol).
httpd - The Apache hypertext transfer protocol Web server.
identd (auth) - Server implementing the TCP/IP proposed standard IDENT user
identification protocol in RFC 1413. It returns user information to a remote
host that a user is requesting a service from. Also called auth.
innd - The Usenet news server
ldap - Lightweight directory access protocol package which provides
client/server based directory database services which runs on UNIX platforms
over TCP/IP. RFC is 1777.
mars-nwe - Loads the MARS Netware compatible file and print server daemon called
nwserv. Allows a Linux machine to be used as a file and print server for Netware
based clients using IPX/SPX.
mcserv - Allows users on remote machines to use the Midnight Commander file manager to
work with files. It uses the PAM library for authentication.
named - Provides DNS services. It is a name server used to translate local IP
addresses to names and vice-versa.
nfs - Provides Network File System server services
nfslock - NFS file locking service. Starts the daemons rpc.lockd and rpc.statd.
The rpc.statd daemon implements the Network Status Monitor (NSM) RPC protocol,
which is a reboot notification service used to implement file lock recovery when
an NFS server crashes and reboots.
portmap - Provides Remote Procedure Call (RPC) support for other protocols like
NFS.
postgresql - Runs the postgres database and provides SQL services. It runs the
daemon postmaster.
pulse - Heartbeat daemon for monitoring the health of lvs (Redhat clustering
services) cluster nodes. This tool is used for clustering machines.
pxe - A preboot execution environment (PXE) server. Allows network boot of other
PXE machines. PXE is a standard developed by Intel for a means of booting
various operating systems on remote machines.
routed - Provides for automatic router table updates using the RIP dynamic
routing information protocol.
rstatd - The rstat protocol allows users on a network to get performance
information for any machine on the network. Runs the rpc.rstatd daemon which
provides performance statistics retrieved from the kernel usually by using the
"rup" command.
rusersd - Provides services that allow users to find one another over the
network.
rwalld - Provides users with an ability to use the rwall command to write
messages on remote terminals.
rwhod - The rwho protocol lets remote users get a list of all users logged onto
a machine by running the rwho daemon.
sendmail - The sendmail mail transport agent daemon used to move e-mail from one
machine to another.
smb - Provides SMB (Samba) client/server services which include file and print
services. It allows Linux computers to exchange file and printer services with
Microsoft Windows based systems.
snmpd - Provides Simple Network Management Protocol support to Linux.
squid - Runs the squid web proxy server.
xfs - X font file server
xntpd - Starts the Network Time Protocol NTPv3 daemon. NTP provides a means to
synchronize time and coordinate time distribution in a large, diverse internet
operating at all speeds. RFC 1305 describes this protocol.
ypbind - Binds YP/NIS clients to a yellow pages server. NIS is a name service
created by Sun.
yppasswdd - Allows users to change their passwords on systems running YP/NIS
ypserv - This daemon provides the YP/NIS (Network Information System) server
functions.
Linux Samba
For complete information on Samba see the SMB HOWTO. Also refer to the smb.conf(5),
smbd(8), smbclient(1), smbpasswd(5), smbpasswd(8), and testparm(1) man pages. You may
access the howtos from one of the weblinks listed in the Linux websites section. The
Linux Documentation Project or Metalab's Index of Linux publications will have copies
of these howtos.
You will want to perform the following steps according to the instructions below to set
up samba services on your computer.
1. Set up your Windows based computers for file and print sharing if you want to
access your windows computers from Linux.
2. Decide whether to run Samba through the inetd internet super daemon or through
the startup scripts. Running using the startup scripts is recommended for
better reliability.
3. Edit the /etc/services file to be sure the port services are enabled.
4. Edit the /etc/smb.conf file with encrypted passwords enabled to work with most
modern Windows versions.
5. Add any users as desired to the /etc/smbusers file
6. Optionally add hostnames to /etc/lmhosts.
7. Set up your samba users passwords with the "smbpasswd -a username" command.
8. Start or restart Samba services. When running Samba services through the
startup scripts it can be done in Redhat using the linuxconf program. On other
systems it may be done with one or more of the following commands:
o samba start - Starts samba.
o /etc/rc.d/init.d/smb start - Starts samba.
o samba restart - Restarts samba.
o /etc/rc.d/init.d/smb restart - Restarts samba.
If using inetd to run Samba services, restart/start samba with the command
"killall -HUP inetd".
Check your /usr/doc directory for a directory like "samba-2.0.5a". Enter this directory
with the command "cd /usr/doc/samba-2.0.5a". There is a docs and a samples directory at
this location. There is a sample smb.conf file in the samples directory called
smb.conf.default. Use this file to start your /etc/smb.conf file if you don't have one.
Modify it for your workgroup name, remove the comment from the line "encrypt passwords
= yes" and set up your share definitions as you need.
Configuring Windows
Configuring windows 95 for sharing: (If you want to be able to browse your windows
computer from Linux)
1. Right click on "network neighborhood" and click "properties"
2. Under configuration make sure you have "Client for Microsoft Networks", your
ethernet card driver and TCP/IP
3. Select "Client for Microsoft Networks"
4. Select "File and Print Sharing" and turn on file and printer access, enter a
password to use
5. Select Add?
Setting up the service method
There are two ways to run samba services. You can run them as a daemon, using the
system startup scripts, or use the internet super daemon, "inetd". You must choose one
way or the other; you cannot run the service both ways. I recommend using the startup
scripts since the service seems less reliable through inetd.
1. To run as a startup service, if you are using Redhat Linux, you may run
"linuxconf" and go to "Control", then "Control panel", then "Control service
activity", select "smb" and set it to enabled and running. You will also need to
be sure the "/etc/services" file is set up for the named ports below, along with
setting up the "/etc/smb.conf", "/etc/smbusers", and possibly the "/etc/lmhosts"
files below.
2. To run on request through inetd, put these lines in /etc/inetd.conf:
# Other services
netbios-ssn stream tcp nowait root /usr/sbin/tcpd /usr/sbin/smbd
netbios-ns dgram udp wait root /usr/sbin/tcpd /usr/sbin/nmbd -a
Setting up the services
Configure ports for NetBIOS name, datagram, and session services by being sure of
existence of (or adding) the following lines in the /etc/services file:
netbios-ns 137/tcp # NETBIOS Name Service
netbios-ns 137/udp
netbios-dgm 138/tcp # NETBIOS Datagram Service
netbios-dgm 138/udp
netbios-ssn 139/tcp # NETBIOS Session Service
netbios-ssn 139/udp
Setting up the Samba configuration file
Edit the Samba configuration file "/etc/smb.conf" to provide suitable services. You
should be able to get a file to start with from
/usr/doc/samba-x.x.x/examples/smb.conf.default; you can copy it to /etc/smb.conf and
use an editor to modify it.
This is the samba file I use: Note: you can use swat (described below) to configure
this file.
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options (perhaps too
# many!) most of which are not shown in this example
#
# Any line which starts with a ; (semi-colon) or a # (hash)
# is a comment and is ignored. In this example we will use a #
# for commentary and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command "testparm"
# to check that you have not made any basic syntactic errors.
#
#======================= Global Settings =====================================
[global]
printcap name = /etc/printcap
load printers = yes
# It should not be necessary to spell out the print system type unless
# yours is non-standard. Currently supported print systems include:
# bsd, sysv, plp, lprng, aix, hpux, qnx
; printing = bsd
# Uncomment this if you want a guest account, you must add this to /etc/passwd
# otherwise the user "nobody" is used
; guest account = pcguest
# this tells Samba to use a separate log file for each machine
# that connects
log file = /var/log/samba/log.%m
# Put a capping on the size of the log files (in Kb).
max log size = 50
# Security mode. Most people will want user level security. See
# security_level.txt for details.
security = user
# Use password server option only with security = server
; password server = <NT-Server-Name>
# Password Level allows matching of _n_ characters of the password for
# all combinations of upper and lower case.
; password level = 8
# You may wish to use password encryption. Please read
# ENCRYPTION.txt, Win95.txt and WinNT.txt in the Samba documentation.
# Do not enable this option unless you have read those documents
encrypt passwords = yes
smb passwd file = /etc/smbpasswd
# The following are needed to allow password changing from Windows to
# update the Linux system password also.
# NOTE: Use these with 'encrypt passwords' and 'smb passwd file' above.
# NOTE2: You do NOT need these to allow workstations to change only
# the encrypted SMB passwords. They allow the Unix password
# to be kept in sync with the SMB password.
unix password sync = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
# Unix users can map to different SMB User names
username map = /etc/smbusers
# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
; include = /etc/smb.conf.%m
# Most people will find that this option gives better performance.
# See speed.txt and the manual pages for details
socket options = TCP_NODELAY
# Configure Samba to use multiple interfaces
# If you have multiple network interfaces then you must list them
# here. See the man page for details.
interfaces = 192.168.199.1/24 10.1.0.100/16
# Configure remote browse list synchronisation here
# request announcement to, or browse list sync from:
# a specific host or from / to a whole subnet (see below)
; remote browse sync = 192.168.3.25 192.168.5.255
# Cause this host to announce itself to local subnets here
; remote announce = 10.1.255.255 192.168.199.2 192.168.2.44
# Browser Control Options:
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
; local master = no
# OS Level determines the precedence of this server in master browser
# elections. The default value should be reasonable
; os level = 33
# Domain Master specifies Samba to be the Domain Master Browser. This
# allows Samba to collate browse lists between subnets. Don't use this
# if you already have a Windows NT domain controller doing this job
; domain master = yes
# Preferred Master causes Samba to force a local browser election on startup
# and gives it a slightly higher chance of winning the election
; preferred master = yes
# Use only if you have an NT server on your network that has been
# configured at install time to be a primary domain controller.
; domain controller = <NT-Domain-Controller-SMBName>
# Enable this if you want Samba to be a domain logon server for
# Windows95 workstations.
; domain logons = yes
# if you enable domain logons then you may want a per-machine or
# per user logon script
# run a specific logon batch file per workstation (machine)
; logon script = %m.bat
# run a specific logon batch file per username
; logon script = %U.bat
# Where to store roving profiles (only for Win95 and WinNT)
# %L substitutes for this servers netbios name, %U is username
# You must uncomment the [Profiles] share below
; logon path = \\%L\Profiles\%U
# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable its WINS Server
wins support = yes
# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
; wins server = w.x.y.z
# WINS Proxy - Tells Samba to answer name resolution queries on
# behalf of a non WINS capable client, for this to work there must be
# at least one WINS Server on the network. The default is NO.
; wins proxy = yes
# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups. The built-in default for versions 1.9.17 is yes,
# this has been changed in version 1.9.18 to no.
dns proxy = no
# Case Preservation can be handy - system default is _no_
# NOTE: These can be set on a per share basis
; preserve case = no
; short preserve case = no
# Default case is normally upper case for all DOS files
; default case = lower
# Be very careful with case sensitivity - it can break things!
; case sensitive = no
admin users = root
dead time=15
hide dot files = yes
max connections = 10
share modes = yes
guest account = nobody
browseable = yes
; invalid users = root
#============================ Share Definitions ==============================
[homes]
comment = Home Directories
browseable = no
writeable = yes
path=/home/%S
public = no
# Un-comment the following and create the netlogon directory for Domain Logons
; [netlogon]
; comment = Network Logon Service
; path = /home/netlogon
; guest ok = yes
; writable = no
; share modes = no
[public]
comment = Public Stuff
path = /home/public
public = yes
writable = yes
printable = no
; write list = @staff
# Other examples.
#
# A private printer, usable only by fred. Spool data will be placed in fred's
# home directory. Note that fred must have write access to the spool directory,
# wherever it is.
;[fredsprn]
; comment = Fred's Printer
; valid users = fred
; path = /homes/fred
; printer = freds_printer
; public = no
; writable = no
; printable = yes
# A private directory, usable only by fred. Note that fred requires write
# access to the directory.
;[fredsdir]
; comment = Fred's Service
; path = /usr/somewhere/private
; valid users = fred
; public = no
; writable = yes
; printable = no
# a service which has a different directory for each machine that connects
# this allows you to tailor configurations to incoming machines. You could
# also use the %u option to tailor it by user name.
# The %m gets replaced with the machine name that is connecting.
;[pchome]
; comment = PC Directories
; path = /usr/pc/%m
; public = no
; writable = yes
# A publicly accessible directory, read/write to all users. Note that all files
# created in the directory by users will be owned by the default user, so
# any user with access can delete any other user's files. Obviously this
# directory must be writable by the default user. Another user could of course
# be specified, in which case all files would be owned by that user instead.
;[public]
; path = /usr/somewhere/else/public
; public = yes
; only guest = yes
; writable = yes
; printable = no
# The following two entries show how to share a directory so that two
# users can put files there that will be owned by specific users. In this
# setup, the directory should be writable by both users & have the sticky
# bit set on it to prevent abuse. Obviously this could be extended to
# as many users as required.
;[myshare]
; comment = Mary's and Fred's stuff
; path = /usr/somewhere/shared
; valid users = mary fred
; public = no
; writable = yes
; printable = no
; create mask = 0765
[cdrom]
comment = Samba server's CD-ROM
writable = no
locking = no
path = /mnt/cdrom
public = no
root preexec = /bin/mount /mnt/cdrom
root postexec = /bin/umount /mnt/cdrom
[etc]
comment = Linux setup files in /etc
public = no
writeable = yes
path = /etc
read only = yes
valid users = george mark
[floppy]
comment = Samba server's Floppy Drive
browseable = yes
writeable = yes
path = /mnt/floppy
public = no
root preexec = /bin/mount /dev/fd0 /mnt/floppy
root postexec = /bin/umount /mnt/floppy
Notes:
The section that allows unix passwords to be synced with samba passwords does
not seem to work. This may be because I use shadow passwords.
To customize samba setups from various machines use the "include =
/etc/smb.conf.%m" line.
To make passwords be sent over the network in encrypted form:
1. In the /etc/smb.conf file add or uncomment the lines:
encrypt passwords = yes
smb passwd file = /etc/smbpasswd
2. Type "smbpasswd -a user" then enter the desired passwords
Note: If you are not using shadow passwords, there is a way to convert to secure
passwords without users knowing it. The command "cat /etc/passwd |mksmbpasswd.sh
> /etc/smbpasswd" will create a smbpasswd file. However if you are using shadow
passwords (which you should be), the /etc/passwd file does not contain the
required information to setup the password file and you must still have each
user modify their passwords or do it from root with the "smbpasswd -a username"
command. Read the documentation in
/usr/doc/samba-x.x.x/docs/textdocs/ENCRYPTION.txt. Be sure your smbpasswd file is only
readable and writable by the root user.
Note: Be sure alias is off so hosts can't fool your machine by aliasing their
names.
To deny all hosts access except those you specify use the following example
under [global]:
hosts deny = ALL
hosts allow = 10.1.3.16 10.1.0.100
If you deny hosts, be sure you know what you are doing! The way Microsoft networking
works is that a master browser is picked based on an election process from all
computers that are running Windows networking. If you deny access to the master
browser, you may be unable to browse the network for your computer. Therefore, unless
you know what computer will be the master browser and backup browser that you will use
for browsing, it may be unwise to use this feature.
The smbusers file
Edit the /etc/smbusers file to map your machine names to unix users names:
The following file is an example I use:
# Unix_name = SMB_name1 SMB_name2 ...
root = windoze1 windoze2
nobody = guest pcguest smbguest
mark = windoze3
In this case anyone logging in from machines windoze1 or 2 will be mapped as user
"root".
The lmhosts file
You may want to edit the /etc/lmhosts file depending on how you are providing your
samba name services, Below is an example:
127.0.0.1 localhost
10.1.0.100 mymachine
10.1.3.16 george
This file may be used by the system to get IP addresses from host names. It may not be
necessary for you to configure this file. You may need it if you do not have a DNS
server available or your DNS server is not configured properly. If you get a message
like "Resource is unavailable" you should try creating this file.
Upon completion
You will need to issue the following commands to complete the setup of Samba services:
1. Enter the users' passwords with the command "smbpasswd -a user". This command is
used to enter passwords for your users and is required for each user if you are
using encrypted passwords which should be the case.
2. If running the startup daemons, use one of the following choices of "samba
restart", "samba start", "/etc/rc.d/init.d/smb restart", or
"/etc/rc.d/init.d/smb start". Don't forget to set your startup services in
Redhat's linuxconf program to run Samba services the next time you boot your
system.
3. If running Samba from inetd, start it with "killall -HUP inetd".
Examples of commands you may need or want to use
testparm |more - To see the results of your changes. May have to restart inetd (below).
smbpasswd -a user - To set samba passwords. See the smbpasswd(8) man page for more
information.
samba restart - To restart the Samba services when running through the startup
scripts. This allows changes to take effect. You can use the command start, stop, or
status to start, stop, or see the status of the service, respectively.
/etc/rc.d/init.d/smb restart - The same as the samba restart command, but this command
directly invokes the Samba startup script.
smbclient -L mymachine - To tell what services are running under samba.
smbmount - Used to mount volumes from windows machines.
killall -HUP inetd - To restart the inetd daemon and therefore allow new settings for
this daemon or any subdaemon to be implemented. You will use this command only if you
run Samba using the inetd daemon.
Common Pitfalls
Many times those setting up Samba services will either have trouble browsing for their
computer on the network or logging in. Below I have listed some possible reasons for
these problems and what you should check:
Unable to browse:
1. Check to be sure the name of your workgroup is correct in the
/etc/smb.conf file with the statement "workgroup = mygroup".
2. Check to be sure the line "browseable = yes" is included in the [global]
section of /etc/smb.conf.
3. You may need to set up the lmhosts file if you do not have a DNS server
or your DNS server is not configured with your samba server IP address
and name.
4. Type "ps -ax |grep smb" and you should see a line like "784 ? S 0:00
smbd -D". If you don't, your services are not running and you should
start them.
5. If you are attempting to run Samba services from inetd using the
inetd.conf file, run Samba as a startup service and see if that fixes
the problem.
Unable to login with the system producing a message saying the password is
incorrect.
1. Check the log files in the /var/log/samba directory. First look for a
file "log.machinename" where machinename is the name of the machine you
are logging in from. You can "cat log.machinename" or use less or more
to see the file.
2. Be sure your user mapping is correct.
1. Be sure the line "username map = /etc/smbusers" is included in
the /etc/smb.conf file. Also check the log.smb file
2. Be sure the /etc/smbusers file contains line(s) like
"unixuser = windozemachine1 windozemachine2 winuser1
winuser2 ...". The unix user is normally the name of the
equivalent user you want to log in as such as root. I always put
the machine name and all windows users names in the file to be
sure that if the login is by machine name or Windows user name,
it will be translated to a unix user name. Normally it is Windows
user name. You will find out by examining the file
"log.machinename".
3. Be sure you are logging in using encrypted passwords from both the Linux
and windows sides.
1. Be sure the lines "encrypt passwords = yes" and "smb passwd file
= /etc/smbpasswd" are in the /etc/smb.conf file and are not
commented out with a ';' or '#' character in front of the line.
2. Be sure you have added the users you are trying to log in as with
the "smbpasswd -a user" command where user is the name of the
Linux user you want to log in as. For instance the command is
"smbpasswd -a root" to set the password up for the root user.
3. Be sure Windows 95 is sending encrypted passwords. There is an
upgrade patch for Windows 95 from Microsoft to make this change.
This is only necessary for old versions of Windows 95. Windows
98, NT, 2K all send encrypted passwords by default. Therefore
unless you are using one of the first versions of Windows 95 that
came out, you should not have this problem.
Be sure you restart Samba every time you make a change to the /etc/smb.conf file to put
your changes into effect.
Mounting and getting windows files from Linux after samba is installed
There are two programs supporting file services from windows:
1. smbmount - Allows a shared directory on a windows machine to be mounted on the
Linux machine.
2. smbclient - Works similarly to an ftp client, enabling the user to transfer files.
smbmount //winhost/windows /mnt/name_windows -c mylinuxmachine
This command mounts the directory "windows" on the windows computer "winhost" on the
machine named "mylinuxmachine". The directory "windows" must have sharing enabled for
this to work. To unmount:
smbumount /mnt/name_windows
The smbclient program works with the following syntax:
smbclient //winmachine/dirsharename -s /etc/smb.conf
The winmachine is the NetBIOS name of the serving machine with the shared resource on
it.
The dirsharename is the share name of the directory
The "-s /etc/smb.conf" indicates the path of the samba configuration file.
After entering the above command you will get a password prompt. If no password is
required, press "return", otherwise enter the required password. Upon successful login
you can look at the directory with the "dir" command. Below are some available
commands:
dir - directory
get remotefile localfile
cd - Change directory
exit, q, or quit - To exit the program
help - for help information
mkdir - make directory
See the man page on smbclient for a full set of commands. Note: I've had trouble
getting this program to work with windozeNT.
Some notes on the smb.conf file format
Variables as found in the smb.conf file are as follows:
%a - The architecture of the client machine such as Samba, WfWg, WinNT, Win95
%d - The PID of the server process.
%g - The group ID of the service's username (The name the client got)
%G - The group ID of the session requested username
%h - The internet (DNS) samba server host name.
%H - The user's home directory.
%I - The client machine's IP address.
%L - The NetBIOS server name
%m - The NetBIOS client name
%M - The internet (DNS) client host name.
%n - .
%N - NIS home directory server name.
%p - The path of the service's home directory from NIS auto.map.
%P - The current services' root directory.
%R - The protocol level. CORE, COREPLUS, LANMAN1, LANMAN2, or NT1.
%S - The name of the current service.
%T - The current date and time.
%u - The client's username
%U - The username the client wanted.
%v - Samba version number.
There are many global and service parameters defined in the smb.conf file. Read the man
page on smb.conf for a complete list. Here is a list of a few global parameters:
auto services - Directories automatically visible to all users browsing the
network.
bind interfaces only - Limits the interfaces to serve samba requests.
deadtime - The timeout for inactive connections
debug level - The level of messages for logging.
default service - The service to be connected if the service requested cannot be
found. EX:
default service = docs
[docs] path= /%S
directory mask - Octal file settings used to convert DOS modes to UNIX modes
when creating directories.
directory security mask - Controls file permissions that can be modified by
windows clients.
dns proxy - Specifies that the nmbd daemon, if running as WINS server, should
treat unknown names as DNS names and do a DNS lookup.
lock directory - The path of the directory where lock files are stored.
message command - Samba's command to run in response to WinPopup messages.
name resolve order - The query order for resolution of name to IP addresses.
Values are bcast, hosts, wins and lmhosts.
netbios aliases - Other names the samba server is called and will answer to.
netbios name - The samba server's netbios name.
smb passwd file - The path for the encrypted Samba password file.
smbrun - The path of the smbrun program used to execute shell commands for the
samba daemon.
socket address - Controls the address on which Samba will listen for
connections.
syslog - Sets the threshold for sending messages to syslog
syslog only - Use syslog rather than samba log files
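The hosts allow/deny notes, the share definitions and the smb.conf format rules above all come down to how smbd reads the file: later lines override earlier ones, and writable/writeable/read only are one setting. The following is an added example, not the page's file or Samba's own code: a small Python audit that parses a constructed smb.conf in that format, reports silent overrides, and flags the settings a defender would review first. It assumes the Samba 2.x defaults the page describes (encrypt passwords off unless set, read only = yes, guest ok = no).

```python
import re

# Constructed sample in the smb.conf format described above; not the page's own file.
SAMPLE_SMB_CONF = """\
# Lines starting with # or ; are comments and must be ignored by the parser.
; encrypt passwords = no
[global]
   encrypt passwords = yes
   smb passwd file = /etc/smbpasswd
   admin users = root
   hosts deny = ALL
   hosts allow = 10.1.3.16 10.1.0.100
[etc]
   path = /etc
   writeable = yes
   read only = yes
[cdrom]
   path = mnt/cdrom
   writable = no
[public]
   path = /home/public
   public = yes
   writable = yes
"""

# Samba treats each pair as one setting; True marks a synonym whose yes/no value
# is the inverse of the canonical parameter (writable = yes  ==  read only = no).
SYNONYMS = {
    "writable": ("read only", True),
    "writeable": ("read only", True),
    "write ok": ("read only", True),
    "public": ("guest ok", False),
}
TRUE_VALUES = {"yes", "true", "1"}


def _canonical(key, value):
    """Map a synonym onto its canonical parameter, inverting yes/no when required."""
    if key not in SYNONYMS:
        return key, value
    canon, invert = SYNONYMS[key]
    if invert:
        value = "no" if value.lower() in TRUE_VALUES else "yes"
    return canon, value


def parse_smb_conf(text):
    """Parse smb.conf text into ({section: {param: value}}, conflicts).
    Later assignments override earlier ones, as in Samba itself; every override
    that changed an earlier value (after folding synonyms) is listed in conflicts."""
    sections, conflicts, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # comment or blank line
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue                      # parameter outside any section, or junk
        key, _, value = line.partition("=")
        key, value = _canonical(" ".join(key.split()).lower(), value.strip())
        old = sections[current].get(key)
        if old is not None and old.lower() != value.lower():
            conflicts.append(f"[{current}]: {key} changed from {old!r} to {value!r}")
        sections[current][key] = value
    return sections, conflicts


def audit_smb_conf(text):
    """Return the findings a defender would review before starting smbd.
    Assumed defaults (Samba 2.x): encrypt passwords off, read only = yes, guest ok = no."""
    sections, conflicts = parse_smb_conf(text)
    findings = list(conflicts)
    g = sections.get("global", {})
    if g.get("encrypt passwords", "no").lower() not in TRUE_VALUES:
        findings.append("[global]: encrypt passwords is not enabled")
    if "hosts allow" not in g:
        findings.append("[global]: no hosts allow restriction")
    if g.get("admin users"):
        findings.append(f"[global]: admin users gives root-level share access to {g['admin users']}")
    for name, share in sections.items():
        if name == "global":
            continue
        path = share.get("path")
        if path is not None and not path.startswith("/"):
            findings.append(f"[{name}]: path {path!r} is not absolute")
        guest = share.get("guest ok", "no").lower() in TRUE_VALUES
        writable = share.get("read only", "yes").lower() not in TRUE_VALUES
        if guest and writable:
            findings.append(f"[{name}]: guest-writable share")
    return findings
```

Run it on a real file with `audit_smb_conf(open("/etc/smb.conf").read())`; testparm still has the final word on syntax.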
SWAT configuration
SWAT allows an administrator to configure the smb.conf file using a web browser. To use
it you need to do the following:
1. Add the following line to your /etc/services file:
swat 901/tcp # Swat Samba configuration services
2. Add the following line to your /etc/inetd.conf file:
swat stream tcp nowait.400 root /usr/sbin/swat swat
3. Type "killall -HUP inetd" to reload the inetd.conf file.
4. On your local machine, address your web browser to http://localhost:901/
5. If you connect over the network through a remote machine you should know that
your password will be sent in the clear.
6. SWAT will rewrite your smb.conf file and remove comments. Back up your smb.conf
file before using SWAT.
For more information on NetBIOS, WINS, SMB, and NBNS (NetBIOS Name Server) read "The
CTDP Networking Guide".
Linux Identd (auth)
The identd daemon or service returns user information to a remote host that a user is
requesting a service from. This service is misunderstood by many who seem to think that
it is used for some kind of user authorization. It is a good idea to support this service
which uses port 113. Some remote systems could require it in order to receive requested
services. As a system administrator, it can help you identify users who are abusing
systems. The identd(1) and authuser(3) man pages give more information about the
subject.
Linux X Configuration
Installation
If installing X, install it in "/usr/X11R6/…".
Configuration Files
/etc/X11/XF86Config
This file has the following sections. They are Files, ServerFlags, Keyboard, Pointer,
Monitor, Device (may be more than 1), and Screen (may be more than 1).
Files, Keyboard and Pointer Sections:
The files section sets up the paths for X to use for files that specify screen
colors and fonts. If the directory specified here doesn't exist or is empty
XFree86 will crash or generate error messages. The "Keyboard" section specifies
the keyboard protocol, usually standard, and key repeat rates. The "Pointer"
section includes a Protocol and Device line. The device is the mouse device
such as /dev/mouse (This may be a softlink to another device). The Protocol is
one of BusMouse, Logitech, Microsoft, MMSeries, Mouseman, Mousesystems, PS/2,
or MMHitTab.
The monitor section:
In the monitor section the Identifier can be any unique identifier string to
identify that particular monitor. The VendorName and ModelName are for
reference. The HorizSync is in kHz and may be one number, multiple numbers
separated by commas, or a range. Ex: 30-54. Ex: 31.5, 35.2. VertRefresh is in Hz
and can be specified similar to HorizSync. VertRefresh and HorizSync specify
valid rates for your monitor. An example "Modeline" is shown below:
Modeline "1024X768" 65.00 1024 1032 1176 1344 768 771 777 806 -hsync -vsync
The name is "1024X768", an arbitrary string used to refer to the modeline in
the screen section.
The dot-clock is 65.00 which is the video card's driving clock frequency in MHz
for that resolution mode. It is the rate that the video card should send pixels
to the monitor for that screen mode.
The next four numbers 1024, 1032, 1176, and 1344 are the horizontal values and
the last four are the vertical values. These values specify when the monitor
should fire its electron gun and when the horizontal and vertical sync pulses
occur.
Read the file /usr/X11R6/lib/X11/doc/VideoModes.doc. It explains how to
configure this section. Also, the file, Monitors shows examples of modelines
for specific monitors.
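The rates a Modeline actually drives follow from the numbers explained above: the dot clock divided by the horizontal total gives the line rate, and that divided by the vertical total gives the frame rate, both of which must sit inside the monitor's HorizSync and VertRefresh ranges. The following is an added example, not code from the page or from XFree86: it parses a constructed Monitor section (the 1024X768 Modeline and the 30-54 HorizSync range are the page's; the 1280x1024 line and the VertRefresh range are added for contrast) and checks each mode against the declared ranges.

```python
# Constructed Monitor section in the XF86Config layout described above.
MONITOR_SECTION = """\
Section "Monitor"
    Identifier  "Generic Monitor"
    HorizSync   30-54
    VertRefresh 50-90
    Modeline "1024X768" 65.00 1024 1032 1176 1344 768 771 777 806 -hsync -vsync
    Modeline "1280x1024" 108.00 1280 1328 1440 1688 1024 1025 1028 1066 +hsync +vsync
EndSection
"""


def parse_modeline(line):
    """Split a Modeline into name, dot clock (MHz), four horizontal and four
    vertical timing values, and the trailing sync-polarity flags."""
    parts = line.split()
    if len(parts) < 11 or parts[0].lower() != "modeline":
        raise ValueError("not a Modeline: " + line)
    return {
        "name": parts[1].strip('"'),
        "clock_mhz": float(parts[2]),
        "h": tuple(int(x) for x in parts[3:7]),   # hdisp hsyncstart hsyncend htotal
        "v": tuple(int(x) for x in parts[7:11]),  # vdisp vsyncstart vsyncend vtotal
        "flags": parts[11:],
    }


def sync_rates(mode):
    """Derive the horizontal sync (kHz) and vertical refresh (Hz) a modeline drives.

    The dot clock counts pixels per second, one scan line is htotal pixels long and
    one frame is vtotal scan lines high, so:
        hsync_khz   = clock_mhz * 1000 / htotal
        vrefresh_hz = hsync_khz * 1000 / vtotal
    """
    htotal, vtotal = mode["h"][3], mode["v"][3]
    hsync_khz = mode["clock_mhz"] * 1000.0 / htotal
    return hsync_khz, hsync_khz * 1000.0 / vtotal


def parse_range(spec):
    """Turn a HorizSync/VertRefresh value ("30-54" or "31.5, 35.2") into [(lo, hi), ...]."""
    ranges = []
    for item in spec.split(","):
        lo, _, hi = item.strip().partition("-")
        ranges.append((float(lo), float(hi) if hi else float(lo)))
    return ranges


def in_ranges(value, ranges, tol=0.5):
    """True if value lies in any declared range, with a small rounding tolerance."""
    return any(lo - tol <= value <= hi + tol for lo, hi in ranges)


def check_monitor(section_text):
    """Return {mode name: (hsync_khz, vrefresh_hz, ok)} for every Modeline in a
    Monitor section; ok means both rates fall inside the declared HorizSync and
    VertRefresh ranges, which is what keeps a mode from overdriving the monitor."""
    hsync_ranges = vrefresh_ranges = None
    modes = []
    for raw in section_text.splitlines():
        line = raw.strip()
        if line.startswith("HorizSync"):
            hsync_ranges = parse_range(line.split(None, 1)[1])
        elif line.startswith("VertRefresh"):
            vrefresh_ranges = parse_range(line.split(None, 1)[1])
        elif line.lower().startswith("modeline"):
            modes.append(parse_modeline(line))
    results = {}
    for mode in modes:          # evaluated after the loop so line order does not matter
        h, v = sync_rates(mode)
        ok = (hsync_ranges is not None and vrefresh_ranges is not None
              and in_ranges(h, hsync_ranges) and in_ranges(v, vrefresh_ranges))
        results[mode["name"]] = (round(h, 2), round(v, 2), ok)
    return results
```

For the page's 1024X768 line this gives 48.36 kHz and 60.0 Hz, inside the 30-54 kHz range; the added 1280x1024 line needs 63.98 kHz and is rejected.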
The device section:
This section describes video cards. The Identifier, VendorName, BoardName and
optional Chipset are strings and are only used for identification. The VideoRam
specifies the amount of video memory in Kb. The data in Clocks should come from
the video board manual. The file Devices in the documentation section should
help with device setup. If your video card is found in the Devices file, that
section may be copied into the XF86Config file. Note: Sometimes the card may use
a programmable clock chip, in which case there may be a line specifying
"ClockChip" rather than "Clocks". Some cards may specify a "Ramdac" line. Some
video cards also require other special options using an "Option" line. These
options are described in the README file for the particular chipset.
The screen section:
The section, "screen" is where you can specify what XFree86 server runs with
your X server.
EX:
Section "Screen"
    Driver "accel"
    Device "Actix GE32+ 2MB"
    Monitor "Generic Monitor"
    SubSection "Display"
        Depth 8
        Modes "640x480"
        ViewPort 0 0
        Virtual 1280 1024
    EndSubSection
    SubSection "Display"
        Depth 16
        Weight 565
        Modes "640x480"
        ViewPort 0 0
        Virtual 1024 768
    EndSubSection
EndSection
The values for driver can be Accel, SVGA, VGA16, VGA2, or Mono. Accel supports XF86_S3,
XF86_Mach32, XF86_Mach8, XF86_8514, XF86_P9000, XF86_AGX, and XF86_W32 servers. SVGA
supports the XF86_SVGA server. The driver specifies the X server to use.
Depth sets the number of bits per pixel. Modes displays a list of the video mode names
defined in the ModeLine option in the Monitor section. The virtual option specifies the
virtual desktop size. Use this if you have enough RAM on the video card but a monitor
that won't support the greater resolution. ViewPort defines the coordinates of the
upper left corner of the virtual desktop when XFree86 starts. In the Screen section,
the driver name indicates the type of X server you are running. The X server is the
program that runs with your monitor, mouse, and keyboard, regardless of the platform or
location. It could be running on the same machine, or on another machine on a network
or on a serial port. For example if I am running a svga server program(XF86_SVGA), the
screen section that will apply would be the one labeled as follows in the screen
section:
Driver "svga"
I believe the X server program that runs is determined by the "xserverrc" file either
in the user's home directory or in the directory "/usr/X11/xinit/". I do not believe
this is used anymore since the Xwrapper program is set up to be the X server program on
current systems. If it is used, it is used to pass parameters to the Xwrapper program.
On my system the X server falls through to the default "X" file which is a link to the
Xwrapper program. See the "How Linux Works CTDP Guide" for more information.
You can use Ctrl-Alt-+ to change the resolution. X starts with the poorest one you
select (by default), you can change that manually by editing /etc/X11/XF86Config.
Configuration tools:
Programs to configure X are:
XF86Setup - A newer X configuration program with a GUI interface which modifies
the "/etc/X11/XF86Config" configuration file.
xf86config - An older X configuration program with a text based interface. It
also modifies the "/etc/X11/XF86Config" configuration file.
Xconfigurator - The Redhat tool used during system setup to configure X.
xvidtune - This program will test video modes on the fly without modification to
your X configuration. Read the /usr/X11R6/lib/X11/doc/VideoModes.doc file before
running this program.
SuperProbe - A program that probes the video card to determine its type for use
with setting up X.
The programs reside in "/usr/X11R6/bin" and "/usr/bin/X11". The programs XF86Setup,
xf86config, and Xconfigurator modify the "/etc/X11/XF86Config" configuration file.
XF86Setup is the newer configuration program with a GUI interface and xf86config is
older with a text based interface. I advise users to use XF86Setup when possible, but
use xf86config when they have problems with XF86Setup. To get it configured, you must
provide information about your keyboard, mouse, video card and monitor. You must also
select a screen resolution mode. Usually if you can't find a configuration for your
video card you can select a generic driver such as SVGA. Later to improve performance,
you may want to make manual modifications to your configuration with settings that more
closely match your video card. The main information about your video monitor includes
the maximum vertical and horizontal scan rates. You will want to refer to your
monitor's manual for this information. If you have problems with X and it won't work,
one thing to try is reducing your video mode from a higher to lower resolution. Ex:
Change from 1200X1024 to 800X600. Usually if you can't use higher resolution it is due
to monitor scan frequencies. Your video card memory determines a combination of your
maximum resolution and maximum colors. For example 1200X1024 with 65535 colors requires
1200 times 1024 times 2 bytes of video memory which is 2.4576 M of video memory. Your
video card needs 4M to run this mode.
A handy program for determining your video card type and video RAM is "SuperProbe".
This program could crash your system, but should do no harm, other than having to
reboot and clean the system. It is recommended that you backup your files prior to
running this program, however.
The program xvidtune will let you test video modes on the fly without modification to
your X configuration. Read the /usr/X11R6/lib/X11/doc/VideoModes.doc file before
running this program.
The instructions for configuring X are spread out over several text files. Check the
README, VideoModes.doc, README.Config, and README.Linux. Read the man pages for
Xconfig, XF86Config, XFree86, and Xfree86kbd. Many documentation files for various
packages are in "/usr/doc". Many of these files are too in depth for the average user
and describe many X Consortium standards.
Running in terminal mode in run level 5:
You can set the runlevel in the "/etc/inittab" program to run in runlevel 5, which
means you will have the X font server running. This way you can provide remote services
in X to other machines. If you want to boot into terminal mode, however, you must
modify the file "/etc/X11/xdm/Xservers". Comment out the line that shows:
:0 local /usr/X11R6/bin/X
To provide X services to a remote boot machine according to the Linux Terminal Server
Project (LTSP):
Modify the file /etc/rc.d/init.d/xfs. Modify two lines around 22 and 41:
Redhat 6.0
Change the lines that start with <daemon -check xfs su xfs -c \"xfs -port -1\" -s /bin/sh>
to <daemon -check xfs su xfs -c \"xfs -port 7100\" -s /bin/sh>
Redhat 6.1
Change the lines that start with "daemon xfs -droppriv -daemon -port -1" to
"daemon xfs -droppriv -daemon -port 7100"
Change the file /etc/X11/XF86Config:
Change the line <FontPath "unix/:-1"> to <FontPath "tcp/localhost:7100">
Change the file /etc/X11/xdm/Xaccess at line 40
# * #any host can get a login window
Remove the first # to enable remote workstation access.
Configuring the Xresources file
In the script file xinitrc explained in the section on "How X works" in the "How Linux
Works" manual is a line like:
userresources=$HOME/.Xresources
There is also a line like:
sysresources=/etc/X11/xinit/Xresources
These resource files are made available to the system with lines like:
xrdb -merge $sysresources
xrdb -merge $userresources
This section briefly explains the format of the Xresources file. Each X application
belongs to an application class. Applications use resources such as background,
foreground, font, and geometry. The X programs may have their own resources. The manual
page for each X program specifies which resources it uses. Resources are also arranged into
classes. A resource line in the Xresources file is in the form:
(ApplicationClass or ApplicationName)*(ResourceClass or ResourceName) : value
The xterm program belongs to the XTerm class.
A sample Xresources file follows:
! Defaults
XTerm*Foreground: white
XTerm*Background: blue
Clock*Geometry: 80x80+10+10
! Specifics
xterm-1*background: black
Linux Domain Name Service (DNS)
Please note: There is a new program version for DNS called BIND 8. The old version used
slightly different setup files such as "named.boot" rather than "named.conf" as in the
new version. This is why you may see confusing documentation in books and on the web. I
have tried to document BIND 8 here.
DNS and its structure is explained in more detail in the "networking" manual written
for this document series. This section explains setup of the name server.
File: /etc/named.conf - This file replaces named.boot in the old configuration. The
first two zones need to be defined for all servers and if they are the only ones
defined, the result would be a caching only nameserver. In each of the rest of the
zones your server can be designated as a master or a slave for that zone.
// generated by named-bootconf.pl
options {
directory "/var/named";
/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND 8.1 uses an unprivileged
* port by default.
*/
// query-source address * port 53;
};
zone "." {
type hint;
file "named.ca";
};
zone "0.0.127.in-addr.arpa" {
type master;
file "named.local";
};
zone "1.10.in-addr.arpa" {
type master;
file "db.10.1.hosts";
allow-transfer { 127.0.0.1; };
};
zone "mycompany.com" {
type master;
file "db.mycompany.com.hosts";
notify yes;
allow-transfer { 127.0.0.1; };
};
Commands:
acl - A named IP address control list for access control
include - Allows an additional file to be included in this configuration file.
key - Security key for authentication and authorization.
logging - Determines where DNS logging is stored and what events are logged.
options
o directory - Defines the directory all files are to be found in.
o forwarders - Forward first and forward only are the two choices. Forward
first is the default which causes the server to forward queries not in
its own cache to specific servers (forwarders) before querying any
external server. Forward only means the query is only sent to the
forwarders.
server - Gives characteristics of a remote server.
o bogus - yes or no (default). Mark it bogus if it is sending bad data.
o support-ixfr
o transfers - Not yet used but will limit number of concurrent in bound
zone transfers.
o transfer-format - one-answer or many-answers. Many answers works for
bind 8.1 and above and is more efficient.
o keys - Used to identify a key defined by the key statement
zone - Parts of the network (zones) which are to be serviced by the nameserver.
o allow-transfer - Specifies the hosts allowed to receive zone transfers
from the server. Any transfer specification in the zone statement will
override the allow-transfer statement.
o allow-update - Specifies hosts that are allowed to send DNS updates to
the server. No updates are allowed from any hosts as a default.
o also-notify - Allows nameservers not in the zone's database record to
receive a DNS NOTIFY message when zone information is updated.
o dialup - yes or no
o type - Defines the type of nameserver for this zone. Choices:
master
slave
hint - Specifies the initial set of nameservers for the root
zone.
forward - Directs all queries to other servers
stub - Replicates only the NS records of a master zone instead of
the entire zone but otherwise is like a slave.
o file - Defines the file name that will provide information for this
zone.
o masters - Defines the master server for the zone if this server for this
zone is a slave. Syntax: "masters {192.168.1.6; };"
o notify - Options are "notify no" or "notify yes" which determines if
slave servers will be notified immediately when the zone information is
updated. Notify yes is the default.
There are many more options associated with this file. For more information, read the
BIND configuration file guide for BIND version 8 or higher. The option "allow-
transfer", above, limits DNS zone transfers to the loopback address. If there were a
slave nameserver, its IP address should be here. With the allow-transfer option set,
other machines cannot obtain a copy of your zone data. This limits the effectiveness of
IP spoofers and spammers.
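The following Python script, added here as an example (not from this guide or from BIND), scans a named.conf for master zones that any host could transfer. The sample configuration is constructed from the one above with one deliberately open zone, "example.test", added; the script also honours an options-level allow-transfer, which the text says a zone statement overrides.

```python
"""Audit a BIND 8 named.conf for master zones that leave zone transfers open.

Added example; not part of the original guide or of BIND. It understands the
subset of the named.conf grammar used above: an options block and zone blocks
containing simple statements and brace-enclosed address lists.
"""
import re

# Constructed sample: the named.conf shown above plus a deliberately open
# "example.test" zone. A real run would read /etc/named.conf instead.
SAMPLE_NAMED_CONF = """
// generated by named-bootconf.pl
options {
    directory "/var/named";
    /* BIND 8.1 uses an unprivileged query port by default. */
    // query-source address * port 53;
};
zone "." {
    type hint;
    file "named.ca";
};
zone "0.0.127.in-addr.arpa" {
    type master;
    file "named.local";
};
zone "1.10.in-addr.arpa" {
    type master;
    file "db.10.1.hosts";
    allow-transfer { 127.0.0.1; };
};
zone "mycompany.com" {
    type master;
    file "db.mycompany.com.hosts";
    notify yes;
    allow-transfer { 127.0.0.1; };
};
zone "example.test" {
    type master;
    file "db.example.test";
    allow-transfer { any; };
};
"""

ZONE_HEAD = re.compile(r'\bzone\s+"([^"]+)"[^{]*\{')
OPTIONS_HEAD = re.compile(r"\boptions\s*\{")
ALLOW_TRANSFER = re.compile(r"\ballow-transfer\s*\{([^}]*)\}\s*;")


def strip_comments(text):
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", " ", text)


def _brace_body(text, open_index):
    """Return (body, index_after_close) for the brace that opens at open_index."""
    depth = 0
    for i in range(open_index, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_index + 1:i], i + 1
    raise ValueError("unbalanced braces in named.conf")


def zone_blocks(text):
    """Yield (zone_name, body) for every zone statement, in file order."""
    pos = 0
    while True:
        m = ZONE_HEAD.search(text, pos)
        if not m:
            return
        body, pos = _brace_body(text, m.end() - 1)
        yield m.group(1), body


def options_body(text):
    m = OPTIONS_HEAD.search(text)
    return _brace_body(text, m.end() - 1)[0] if m else ""


def zone_type(body):
    m = re.search(r"\btype\s+(\w+)\s*;", body)
    return m.group(1) if m else None


def allow_transfer(body):
    """Address list of an allow-transfer statement, or None when there is none."""
    m = ALLOW_TRANSFER.search(body)
    if not m:
        return None
    return [tok.strip() for tok in m.group(1).split(";") if tok.strip()]


def audit(conf_text):
    """Return [(zone, problem)] for master zones whose transfers are unrestricted."""
    text = strip_comments(conf_text)
    default_acl = allow_transfer(options_body(text))  # a zone statement overrides this
    findings = []
    for name, body in zone_blocks(text):
        if zone_type(body) != "master":
            continue  # only zones this server is authoritative for are worth protecting
        acl = allow_transfer(body)
        if acl is None:
            acl = default_acl
        if acl is None:
            findings.append((name, "no allow-transfer in zone or options: transfers are open"))
        elif "any" in acl:
            findings.append((name, "allow-transfer { any; }: transfers are open"))
    return findings


if __name__ == "__main__":
    for zone, problem in audit(SAMPLE_NAMED_CONF):
        print(f"{zone}: {problem}")
```

Note that the loopback reverse zone from the file above is reported too: it carries no allow-transfer of its own and there is none in options.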
File: /var/named/named.ca (if you have one, don't modify unless you have to). This
is the hints file that helps the name server locate root nameservers at startup.
Some documentation says to modify the line "A.ROOT-SERVERS.NET." to put your Linux box
address:
A.ROOT-SERVERS.NET. 3600000 A 10.1.0.100
but this is not correct. Some versions of the name server will generate error messages
to /var/log/messages if this is done.
I use:
; This file holds the information on root name servers needed to
; initialize cache of Internet domain name servers
; (e.g. reference this file in the "cache . <file>"
; configuration file of BIND domain name servers).
;
; This file is made available by InterNIC registration services
; under anonymous FTP as
; file /domain/named.root
; on server FTP.RS.INTERNIC.NET
; -OR- under Gopher at RS.INTERNIC.NET
; under menu InterNIC Registration Services (NSI)
; submenu InterNIC Registration Archives
; file named.root
;
; last update: Aug 22, 1997
; related version of root zone: 1997082200
;
;
; formerly NS.INTERNIC.NET
;
. 3600000 IN NS A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 3600000 A 201.12.27.33
;
; formerly NS1.ISI.EDU
;
. 3600000 NS B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET. 3600000 A 128.9.0.107
;
; formerly C.PSI.NET
;
. 3600000 NS C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
;
; formerly TERP.UMD.EDU
;
. 3600000 NS D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET. 3600000 A 128.8.10.90
;
; formerly NS.NASA.GOV
;
. 3600000 NS E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
;
; formerly NS.ISC.ORG
;
. 3600000 NS F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
;
; formerly NS.NIC.DDN.MIL
;
. 3600000 NS G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
;
; formerly AOS.ARL.ARMY.MIL
;
. 3600000 NS H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET. 3600000 A 128.63.2.53
;
; formerly NIC.NORDU.NET
;
. 3600000 NS I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
;
; temporarily housed at NSI (InterNIC)
;
. 3600000 NS J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET. 3600000 A 198.41.0.10
;
; housed in LINX, operated by RIPE NCC
;
. 3600000 NS K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
;
; temporarily housed at ISI (IANA)
;
. 3600000 NS L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET. 3600000 A 198.32.64.12
;
; housed in Japan, operated by WIDE
;
;. 3600000 NS M.ROOT-SERVERS.NET.
;M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
; End of File
The official root nameserver file is at ftp://rs.internic.net and is called
/domain/named.root.
File: /var/named/named.local (should not need to change). Leave it unchanged as:
@ IN SOA localhost. root.localhost. (
    1999112701 ; Serial number as date and two digit number YYYYMMDDXX
    28800      ; Refresh in seconds 28800=8H
    7200       ; Retry in seconds 7200=2H
    3600000    ; Expire in seconds (3600000 is about 41.7 days)
    86400 )    ; Minimum TTL 86400=24Hours
@ IN NS localhost.
1 IN PTR localhost.
Create File: /var/named/db.10.1.hosts: Note: The first 2 lines are to be on one
line!! The '\' means continue the line on the next line.
1.10.in-addr.arpa. IN SOA mymachine.mycompany.com.\
root.mymachine.mycompany.com. (
1999112701
10800
3600
604800
86400 ) ;Default TTL
1.10.in-addr.arpa. IN NS mymachine.mycompany.com.
100.0.1.10.in-addr.arpa. IN PTR mymachine.mycompany.com.
4.0.1.10.in-addr.arpa. IN PTR mailmachine.mycompany.com.
16.3.1.10.in-addr.arpa. IN PTR george.mycompany.com.
In the SOA section are five parameters as follows:
1. Serial number (1999112701) - If less than master's SN, the slave gets a new copy
of this file from the master.
2. Refresh (10800) - The time in seconds between when the slave compares this
file's SN with the master.
3. Retry (3600) - The time the server should wait before asking again if the master
fails to respond to a file update (SOA request).
4. Expire (604800)- Time in seconds the slave server can respond even though it
cannot get an updated zone file.
5. TTL (86400) - The time to live (TTL) in seconds that a resolver will use data
received from a nameserver before it will ask for the same data again.
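An added example (not from this guide or from BIND) that parses an SOA record in the parenthesised form shown above, checks the five values against each other, and applies the serial comparison a slave uses to decide whether to fetch the zone. The sample zone text is constructed from db.10.1.hosts above; the sanity checks are the example's own.

```python
"""Parse the SOA record of a zone file and check its timers and serial.

Added example; not code from the original guide or from BIND. It reads the
parenthesised multi-line SOA form used in db.10.1.hosts above and applies
the serial-number rule by which a slave decides to fetch a fresh copy.
"""
import re

# Constructed sample in the style of /var/named/db.10.1.hosts above.
SAMPLE_ZONE = """
1.10.in-addr.arpa. IN SOA mymachine.mycompany.com. root.mymachine.mycompany.com. (
        1999112701   ; serial, YYYYMMDDnn
        10800        ; refresh
        3600         ; retry
        604800       ; expire
        86400 )      ; minimum TTL
1.10.in-addr.arpa.       IN NS  mymachine.mycompany.com.
100.0.1.10.in-addr.arpa. IN PTR mymachine.mycompany.com.
"""

# owner [ttl] IN SOA mname rname ( serial refresh retry expire minimum )
SOA_RE = re.compile(
    r"(?P<owner>\S+)\s+(?:\d+\s+)?IN\s+SOA\s+(?P<mname>\S+)\s+(?P<rname>\S+)\s*"
    r"\(?\s*(?P<numbers>(?:\d+\s+){4}\d+)\s*\)?"
)


def parse_soa(zone_text):
    """Return the SOA fields as a dict; ';' comments are stripped first."""
    text = re.sub(r";[^\n]*", "", zone_text)
    m = SOA_RE.search(text)
    if not m:
        raise ValueError("no SOA record found")
    serial, refresh, retry, expire, minimum = (int(n) for n in m.group("numbers").split())
    return {
        "owner": m.group("owner"), "mname": m.group("mname"), "rname": m.group("rname"),
        "serial": serial, "refresh": refresh, "retry": retry,
        "expire": expire, "minimum": minimum,
    }


def serial_newer(a, b):
    """RFC 1982 serial arithmetic: True when 32-bit serial a is newer than b."""
    a, b = a % 2**32, b % 2**32
    if a == b:
        return False
    return (a > b and a - b < 2**31) or (a < b and b - a > 2**31)


def slave_needs_refresh(slave_serial, master_serial):
    """A slave pulls the zone when its own serial is older than the master's."""
    return serial_newer(master_serial, slave_serial)


def humanize(seconds):
    """Render a timer value as days/hours/minutes to make comments checkable."""
    days, rem = divmod(seconds, 86400)
    hours, rem = divmod(rem, 3600)
    return f"{days}d {hours}h {rem // 60}m"


def soa_issues(soa):
    """Sanity checks (this example's own, not BIND's) on the five SOA values."""
    issues = []
    if soa["retry"] >= soa["refresh"]:
        issues.append("retry should be shorter than refresh")
    if soa["expire"] <= soa["refresh"] + soa["retry"]:
        issues.append("expire must exceed refresh + retry or slaves drop the zone before retrying succeeds")
    if not re.fullmatch(r"(19|20)\d{8}", str(soa["serial"])):
        issues.append("serial is not in the YYYYMMDDnn form used in this guide")
    return issues


if __name__ == "__main__":
    soa = parse_soa(SAMPLE_ZONE)
    for key in ("refresh", "retry", "expire", "minimum"):
        print(f"{key:8} {soa[key]:>8} = {humanize(soa[key])}")
    print("issues:", soa_issues(soa) or "none")
```

Running humanize() on the expire value 3600000 from named.local above gives 41 days 16 hours, which is why that file's comment should not be read as one week.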
mailmachine.mycompany.com. IN A 10.1.0.4
george.mycompany.com. IN A 10.1.3.16
Database Record Description:
A - Ties a host name with an IP address.
CNAME - Stands for canonical name which is an alias for a host.
MX - Mail exchanger. The lower associated number for each given mail server
indicates a higher preference to use that server.
NS - Indicates a name server.
PTR - Gives the hostname for an IP address.
SOA - Start of authority shows where the zone's data starts.
/etc/nsswitch.conf - Several system administration database source files are defined here. This is
in support of the Network Information System (NIS) which can be used to control many
administrative functions on many systems from one location.
Linux DHCP and BOOTP
DHCP Server
There is currently a howto on configuring a DHCP server but it is three years old,
however the DHCP server version 2-0 or later from the Internet Software Consortium
comes with good documentation. There may be some quirks in the install depending on
your system and what you are trying to do. My installation is Redhat 6.1 and I will
mainly cover that, but will give alternatives that should cover most Linux versions.
Pre-installation and Kernel setup
Before you do an install, or configuration for DHCP you need the following kernel
options installed.
1. TCP/IP networking enabled
2. MULTICAST enabled - To check to see if MULTICAST is enabled, type "ifconfig
-a". You should see "MULTICAST" listed in your outputs for your ethernet
devices.
3. CONFIG_PACKET=y
4. CONFIG_FILTER=y
If you need to re-compile your kernel, follow the instructions on the section or the
howto on the kernel. If you make the CONFIG_PACKET and CONFIG_FILTER options modular,
you will need to add lines in your /etc/rc.d/rc.local file to load these two modules.
Installation
If you have a relatively modern Linux version, you should already have the dhcpd server
program installed on your system. To tell, type "whereis dhcpd" and if you get a dhcpd
program listed usually in /usr/sbin, you should be set for the configuration. If you
don't have a modern Linux version, kernel 2.1.x or later, go get one since support for
dhcp can be very hard to do and has bugs on older systems. Also there is better
networking support in many areas with newer Linux versions and kernels.
Steps to install:
1. Download the source file from the Internet Software Consortium at
http://www.isc.org.
2. Put the file on your system in /usr/local/src.
3. Enter the command "tar xvzf dhcp-2.0.tar.gz" (modify the command for your
filename/version). See the section on "Package Installation".
4. Type "cd dhcp-2.0" or the proper name of your directory created by tar.
5. Type "./configure".
6. Type "make". You may want to check the symbolic link "/usr/include/asm" to
be sure it is pointing to the correct location for the kernel asm headers. On
Redhat 6.1 that location is /usr/src/linux/include/asm. This should be seen in
a long listing as:
lrwxrwxrwx 1 root root 24 Dec 17 05:07 /usr/include/asm ->
../src/linux/include/asm
You may need to delete the link and recreate it with the "ln" command with the
following commands:
1. cd /usr/include
2. rm asm
3. ln -s ../src/linux/include/asm asm
7. Type "make install". This copies the man pages and binaries to their correct
locations.
Configuration
In my configuration, I used my second network interface (eth1) to provide DHCP services
to a subnet. You will most likely use eth0, but you will need to substitute your
correct network interface in the example.
1. To get the DHCP server to work for windows clients and possible other clients
you must add a route to your route table to enable the sending of packets to the
IP destination address 255.255.255.255. There are two ways to do this as
follows: (pick one)
1. Modify your /etc/sysconfig/static-routes file and add the following
line:
eth1 net 255.255.255.255 netmask 255.255.255.255
Notes:
With this entry in static-routes, it does not show up in the
Redhat "netconf" configuration tool. I think it is because there
is no gateway specified. You could set it up in netconf under
"Routing and gateways", "routes to alternate local nets" and set
the network to 255.255.255.255, the netmask to the same, with the
interface as eth1 (or eth0 or whatever device you are using). It
shows up in the static routes file as "any-net 255.255.255.255
netmask 255.255.255.255 gw eth1". However, I'm not sure setting
it this way with nettool will work.
To implement this change you will need to do one of the
following:
Reboot
Type "/etc/rc.d/init.d/network restart"
Type "route add -host 255.255.255.255 dev eth1"
2. Create a /etc/dhcpd.conf file similar to the following:
subnet 192.168.199.0 netmask 255.255.255.0 {
# --- default gateway
        option routers 192.168.199.1;
        option subnet-mask 255.255.255.0;

        option nis-domain "mynet.net";
        option domain-name "mynet.net";
        option domain-name-servers 192.168.199.1;

        option time-offset -5; # Eastern Standard Time
#       option ntp-servers 192.168.199.1;
#       option netbios-name-servers 192.168.199.1;
# --- Selects point-to-point node (default is hybrid). Don't change this unless
# -- you understand Netbios very well
#       option netbios-node-type 2;

        default-lease-time 1209600; # 2 weeks
        max-lease-time 1814400; # 3 weeks

        range 192.168.199.10 192.168.199.250;

        # we want the nameserver to appear at a fixed address
        host nameserver {
                next-server nameserver.mynet.net;
                hardware ethernet 00:10:4b:ca:db:b5;
                fixed-address 192.168.199.1;
        }
}
You can use this file or use the example file in /usr/doc/dhcp-2.0/dhcpd.conf.sample.
In my setup my network is 192.168.199.0 with a netmask of 255.255.255.255. My
nameserver and gateway is 192.168.199.1. My domain is called "mynet.net".
3. According to the documentation, if your DHCP packets must go through a firewall
you will need to allow packets from IP address 0.0.0.0 through 255.255.255.255
on UDP ports 67 and 68. I think this would be correct but you would need to
allow packets on IP addresses 0.0.0.0 and 255.255.255.255, along with any
packets that involve your network. For example if your network and subnets are
covered under the numbers 10.1.x.x, you would need to allow any packets on
10.1.x.x, 0.0.0.0, and 255.255.255.255 on ports 67 and 68.
4. You need to start the dhcp server in one of the following ways.
1. Use linuxconf in "control panel", "control service activity", select
dhcpd, select "start", then select the "enabled" box.
2. Type "/etc/rc.d/init.d/dhcpd start" to begin the service. You can add
this line to your /etc/rc.d/rc.local script but usually you want to add
a link to it from one of your runlevel startup directories such as
/etc/rc.d/rc3.d/S65dhcpd. You may also want to add a link in the file
/etc/rc.d/rc5.d to run on bootups to X. If you do this you'll also want
to add kill links to it in the shutdown runlevels such as K35dhcpd in
/etc/rc.d/rc0.d, rc1.d, rc2.d, and rc6.d.
5. If you get errors, one thing to check is to be sure you are not also running a
BOOTP server at the same time. Also check your /etc/dhcpd.conf file.
6. Why doesn't my DHCP server update my DNS entries? This function is not yet
implemented in version 2.0, but the ISC is working on implementing it in version
3.0. There is an issue from a security standpoint of who owns the DNS records.
Specifically the A record and to a certain extent the PTR record. According to
the ISC, it is likely the server will update the records initially whether it be
the "right thing to do" or not.
Configuration File Options
The configuration file is /etc/dhcpd.conf. Its options are:
option broadcast-address - Broadcast address in my case would be "option
broadcast-address 192.168.199.255;".
option dhcp-client-identifier - String rather than hardware address used to
identify DHCP clients.
option domain-name - The name of the domain the DHCP server is serving.
option domain-name-servers - The address(es) of the DNS servers on the domain.
Ex: "option domain-name-servers 192.168.199.1, 192.168.199.5;" The names are
separated by a comma and whitespace with a semicolon ending the line.
option host-name - The client's host name.
option lpr-servers - Lists print server addresses.
option nntp-server - Network News Transfer Protocol (NNTP) server address
option pop-server - Mail server address.
option routers - The default router address.
option smtp-server - The SMTP e-mail server address(es).
option subnet-mask - The subnet mask is not necessary since the subnet statement
(see example file) contains a netmask value.
option time-offset - The difference between your time zone and the Coordinated
Universal Time.
option netbios-name-servers - Define the address of the NBNS name server for
samba services.
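As an added check (example code, not ISC's), here is a Python function that validates a dhcpd.conf subnet declaration like the one above: the range and every fixed-address must lie inside the subnet, no fixed-address may sit inside the dynamic pool, hardware addresses must be well formed, and default-lease-time may not exceed max-lease-time. The sample is constructed from the file above plus a made-up "printer" host (with a made-up MAC) that deliberately fails.

```python
"""Sanity-check the subnet declaration of a /etc/dhcpd.conf like the one above.

Added example; not ISC dhcpd code. It verifies that the dynamic range and
every fixed-address lie inside the declared subnet, that no fixed-address
collides with the dynamic range, that hardware addresses are well formed,
and that default-lease-time does not exceed max-lease-time.
"""
import ipaddress
import re

# Constructed sample based on the dhcpd.conf above, plus a second host whose
# fixed-address (and MAC, also made up) deliberately falls inside the pool.
SAMPLE_DHCPD_CONF = """
subnet 192.168.199.0 netmask 255.255.255.0 {
    option routers 192.168.199.1;
    option subnet-mask 255.255.255.0;
    option domain-name "mynet.net";
    option domain-name-servers 192.168.199.1;
    default-lease-time 1209600;   # 2 weeks
    max-lease-time 1814400;       # 3 weeks
    range 192.168.199.10 192.168.199.250;
    # we want the nameserver to appear at a fixed address
    host nameserver {
        hardware ethernet 00:10:4b:ca:db:b5;
        fixed-address 192.168.199.1;
    }
    host printer {
        hardware ethernet 00:10:4b:ca:db:b6;
        fixed-address 192.168.199.42;
    }
}
"""

MAC_RE = re.compile(r"(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}")


def check_dhcpd_conf(conf_text):
    """Return a list of problem strings; an empty list means the checks passed."""
    text = re.sub(r"#[^\n]*", "", conf_text)  # drop comments first
    problems = []

    m = re.search(r"\bsubnet\s+(\S+)\s+netmask\s+(\S+)\s*\{", text)
    if not m:
        return ["no subnet declaration found"]
    try:
        # strict=True rejects a subnet address that has host bits set
        net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=True)
    except ValueError as exc:
        return [f"bad subnet declaration: {exc}"]

    lo = hi = None
    rm = re.search(r"\brange\s+(\S+)\s+(\S+)\s*;", text)
    if rm:
        lo, hi = ipaddress.ip_address(rm.group(1)), ipaddress.ip_address(rm.group(2))
        if lo not in net or hi not in net or lo > hi:
            problems.append(f"range {lo}-{hi} is not inside {net}")

    dl = re.search(r"\bdefault-lease-time\s+(\d+)\s*;", text)
    ml = re.search(r"\bmax-lease-time\s+(\d+)\s*;", text)
    if dl and ml and int(dl.group(1)) > int(ml.group(1)):
        problems.append("default-lease-time exceeds max-lease-time")

    # host blocks contain no nested braces, so a simple non-greedy body works
    for name, body in re.findall(r"\bhost\s+(\S+)\s*\{([^}]*)\}", text):
        hw = re.search(r"\bhardware\s+ethernet\s+(\S+)\s*;", body)
        if not hw or not MAC_RE.fullmatch(hw.group(1)):
            problems.append(f"host {name}: missing or malformed hardware ethernet address")
        fa = re.search(r"\bfixed-address\s+(\S+)\s*;", body)
        if fa:
            addr = ipaddress.ip_address(fa.group(1))
            if addr not in net:
                problems.append(f"host {name}: fixed-address {addr} is outside {net}")
            elif lo is not None and lo <= addr <= hi:
                problems.append(f"host {name}: fixed-address {addr} overlaps the dynamic range {lo}-{hi}")
    return problems


if __name__ == "__main__":
    for p in check_dhcpd_conf(SAMPLE_DHCPD_CONF) or ["no problems found"]:
        print(p)
```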
BOOTP Server
Installing BOOTP is a step back from installing DHCP but it can offer capabilities
independent of DHCP such as remote booting specific client computers.
BOOTP Installation
1. Get bootpd-2.4.tar.gz and put it in an appropriate directory such as
"/usr/local".
2. Type: "tar xvzf bootpd-2.4.tar.gz" which will make a directory "bootpd-2.4" full
of files.
3. Read the README and README-linux files then type "make install".
4. Copy the executables to the "/usr/sbin" directory.
5. Copy the man pages to their appropriate directories by typing "cp *.8
/usr/man/man8" and "cp *.5 /usr/man/man5".
6. Read the manual on bootp, and bootptab.
Configuration
1. You can invoke bootp services in redhat linux as an independent daemon by doing
(choice A) below or from the internet super daemon by doing (choice B). Choice
A:
1. Using linuxconf set the bootparamd service to active.
2. Modify the "bootparamd" file in the directory "/etc/rc.d/init.d" so that
everywhere "rpc.bootparamd" occurs, you substitute "bootpd -d".
3. Reboot your system or type "/etc/rc.d/init.d/bootparamd restart".
Choice B:
4. With bootparamd services off, add the following line in the file
"/etc/inetd.conf": bootps dgram udp wait root /usr/sbin/tcpd bootpd -d
5. Type "killall -HUP inetd".
2. Make the file "/etc/bootptab" as shown below:
global.prof:\
:sm=255.255.0.0:\
:ds=10.1.0.100:\
:gw=10.1.0.1:\
:ht=ethernet:\
:bf=dosimage:
dos1:td=/tftpboot:hd=/bootfiles:tc=global.prof:ha=006097baa5a2:ip=10.1.0.101
This makes the name of the machine "dos1" with an IP address of "10.1.0.101" and
the bootfile to load in "/tftpboot/bootfiles/dosimage".
3. Add the machine's name and address to the following files:
1. /etc/hosts
2. /var/named/db.mycompany.com.hosts
3. /var/named/db.10.1.hosts
Apache Web Server
Introduction
The apache web server is called "httpd". The configuration files for it for many
systems are in "/etc/httpd/conf". Their names are httpd.conf, srm.conf, access.conf,
mime.types, and magic. The file srm.conf specifies the directory location of the root
document with the "DocumentRoot" statement. The "DirectoryIndex" statement gives the
name of the starting file. The file access.conf, is used to control user access to
various html files. On my system, the initial startup file is
"/home/httpd/html/index.html". Documentation is in /home/httpd/html/manual.
Apache Installation
There are many options that can be selected when installing Apache. Among them are
selection of the modules to be compiled with the apache web server. This will be
commented on at the appropriate installation step. In my installation, I installed
Apache with PHP and mysql support. To get the Apache compile to work with mysql
support, it was necessary for mysql to be installed from the source. When mysql was
installed from binary, the apache compile failed. Here's the installation steps for
installing Apache from a tarred and zipped source file:
1. Copy the source file to "/usr/src" or "/usr/local/src". The source file is
called something like apache_1_3_19_tar.gz.
2. Type "cd /usr/src" or "cd /usr/local/src" depending on where you copied your
file.
3. Type "tar xvzf apache_1_3_19_tar.gz" to decompress the source file. The
directory, "apache_1.3.19" is created.
4. Type "ln -s apache_1.3.19 apache" to create a symbolic link to the apache
directory.
1. If installing PHP support with apache, copy the PHP source file "php-
4_0_4pl1.tar.gz" from php.org to "/usr/src" or "/usr/local/src".
2. Type "tar xvzf php-4_0_4pl1.tar.gz" to decompress the source file.
5. Type "cd apache".
6. Documentation at the apache.org web site indicates to enter the "src" directory
to perform the configuration and compile. However by reading the "INSTALL"
files in the apache and apache/src directories, it can be done from inside the
src directory or from the main apache directory. Either approach will work.
There are various advantages and disadvantages to each approach. Compiling from
inside the "src" directory allows easier module control by allowing the
changing of the "Configuration" file. If done from the main directory, modules
to be included or excluded from the default setting must be included on the
command line. I have chosen to do the install using the "configure" file in the
main directory since documentation indicates that some parameters may be
overridden here and I am making no changes to the default included modules. If
you want to install PHP support, there is a way to do it as documented in PHP
INSTALL file, but I have not outlined that procedure here and have assumed you
will be performing the install from the main directory if installing PHP. If
you want to change the default modules by compiling in the "src" directory,
follow the subset of instructions below.
1. Type "cd src".
2. Edit the file "Configuration" file.
3. Type "./Configure". I do not believe you can use the options "--
sysconfdir" and "--logfiledir" to specify configuration and logfile
locations as I have done below.
4. Skip the next step (Step 7).
7. Type "./configure --prefix=/usr/local/apache --sysconfdir=/etc/httpd/conf
--logfiledir=/var/log/httpd". I have added the "--sysconfdir" option to set the
location where the apache configuration files will be, and the "--logfiledir"
option to set the location of where logging information is written for apache.
If you are making changes to the default modules use the additional command
line parameters "--enable-module=NAME" and "--disable-module=NAME" where
"NAME" is the name of the module to be enabled or disabled. Read the "INSTALL"
file in the main directory for more information here and read the
"src/Configuration" file to see what the module names are. If installing PHP
support follow the subset of instructions below.
1. Type "cd .."
2. Type "cd php-4.0.4pl1"
3. Type "./configure --with-mysql=/usr/local/mysql --with-apache=../apache
--enable-track-vars". This assumes you've already installed mysql in the
"/usr/local/mysql" directory.
4. Type "make".
5. Type "make install".
6. Type "cd ../apache".
7. Type "./configure --prefix=/usr/local/apache
--sysconfdir=/etc/httpd/conf --logfiledir=/var/log/httpd --activate-
module=src/modules/php4/libphp4.a"
8. Type "make". Note: When I did my install, I got a compile error related to the
mysql installation. If you installed the binary version of mysql, you may need
to install it from the source version.
9. Type "make install". If installing PHP support follow the subset of
instructions below.
1. Type "cd ../php-4.0.4pl1".
2. Type "cp php.ini-dist /usr/local/lib/php.ini".
3. Edit "/etc/httpd/conf/httpd.conf" or "/etc/httpd/conf/srm.conf" and add
the following line:
AddType application/x-httpd-php .php
Configuration
At this point it is time to set up the apache configuration by modifying the apache
configuration files and setting apache to start automatically. The apache configuration
files are:
1. httpd.conf - This is the main configuration file. It is used to specify where
the document root for the web server is found, various server parameters,
directory permissions, where mime types for files are found, and addition of
application type definitions and the associated handler for each application.
2. srm.conf - This file is used to configure apache server directives. These
directives are now recommended to be put in the httpd.conf file.
3. access.conf - This file is used to control directory access and who can access
the directories. The directory access control is now recommended to be put in
the httpd.conf file.
Specific configuration parameters:
Specification of the document root where the HTML main web page, "index.html"
should be found. This line should look like:
DocumentRoot "/home/httpd/html"
Additional parameters including:
o ServerRoot - Specifies where the servers main directory is.
ServerRoot "/usr/local/apache"
o ErrorLog and LogLevel - Specifies where the web server will keep its
error log file and the level at which errors are kept. Loglevel options
are debug, info, notice, warn, error, crit, alert, and emerg.
ErrorLog /var/log/httpd/error_log
LogLevel warn
o KeepAlive - Specifies whether persistent connections are to be
supported.
KeepAlive On
o MaxKeepAliveRequests 100 - The maximum keep alive requests to be
supported.
o KeepAliveTimeout 15 - The number of seconds the connection is kept alive
if no additional requests are received from the client.
o The maximum and minimum number of servers that may be created to wait
for client requests and the number of servers to start when the web
server starts.
MinSpareServers 5
MaxSpareServers 10
StartServers 5
o MaxClients 150 - The maximum number of clients that may connect at one
time to the web server.
o Port 80
o The user and group the web server is run as.
User nobody
Group nobody
Directory permission entries are used to define various directory options and
permissions. These entries appear similar to the following which defines the
permissions for the document root directory:
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
Parameters include:
o AllowOverride
o AuthConfig
o FileInfo
o Limit
Options include:
o ExecCGI - Allows CGI programs in the directory to be executed.
o FollowSymLinks
o Includes
o Indexes
o MultiViews
o None - No options
o All - All options except MultiViews
Permissions - Are set with statements such as:
Order deny,allow
Deny from all
or:
Order allow,deny
Allow from all
<Limit> and </Limit> tag pairs along with <LimitExcept> and </LimitExcept> tags
are set with options such as:
o GET
o POST
o OPTIONS
o PROPFIND
<Files> and </Files> tag pairs can be set to limit access to specific file types
the same as is done with directory entries above.
CGI Directory definition, which defines what directory CGI application files are
kept in and allows those files to be run. Other directories can be specified
to allow the execution of CGI files if the ExecCGI option is specified in their
directory entries.
<Directory "/home/httpd/cgi-bin">
AllowOverride None
Options None
Order allow,deny
Allow from all
</Directory>
AddType and AddHandler statements. These statements associate file types with the
programs that handle them. You will likely need this set of entries to run PHP.
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
To run server parsed SHTML files you will need:
AddType text/html .shtml
AddHandler server-parsed .shtml
This is just a partial list of common apache web server options. For a more complete
guide, including setting up virtual hosts, refer to the Apache web server
documentation.
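The directive and <Directory> syntax above is simple enough to check mechanically, and the settings the guide singles out (AllowOverride, Options such as ExecCGI and Indexes, the User and Group the server runs as, and the Order/Allow/Deny permissions) are the ones a reviewer wants listed. The following is an added example, not code from the guide or from the Apache project: a small parser for that syntax plus an audit that reports those settings. The sample configuration is constructed for the demonstration, and the function names parse_conf and audit are this example's own.

```python
import re

# Constructed sample configuration (not from the guide) for the demonstration.
SAMPLE_CONF = """\
ServerRoot "/usr/local/apache"
DocumentRoot "/home/httpd/html"
User nobody
Group nobody
LogLevel warn
<Directory />
    Options FollowSymLinks Indexes
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>
<Directory "/home/httpd/cgi-bin">
    AllowOverride All
    Options ExecCGI
    Order allow,deny
    Allow from all
</Directory>
"""

# Matches <Directory /> and <Directory "/some/path">; the path may be quoted.
_OPEN = re.compile(r'^<Directory\s+"?([^"\s>]+)"?\s*>$', re.IGNORECASE)


def parse_conf(text):
    """Return (global_directives, {path: directives}).

    Each directives value maps a lower-cased directive name to its argument
    list, so "Options ExecCGI" becomes {"options": ["ExecCGI"]}."""
    glob, blocks, current, path = {}, {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _OPEN.match(line)
        if m:
            path, current = m.group(1), {}
            continue
        if line.lower() == "</directory>":
            blocks[path] = current
            current = None
            continue
        name, *args = line.split()
        (glob if current is None else current)[name.lower()] = args
    return glob, blocks


def audit(text):
    """Return a list of findings a reviewer would want to look at."""
    glob, blocks = parse_conf(text)
    findings = []
    for key in ("user", "group"):
        if (glob.get(key) or [""])[0] == "root":
            findings.append(f"{key.title()} root: server runs with full privileges")
    for path, d in blocks.items():
        opts = {o.lower() for o in d.get("options", [])}
        override = (d.get("allowoverride") or ["None"])[0].lower()
        if path == "/" and override != "none":
            findings.append("/: AllowOverride is not None, so .htaccess files are honoured everywhere")
        for risky in ("execcgi", "includes", "indexes", "all"):
            if risky in opts:
                findings.append(f"{path}: Options {risky} enabled")
        allow_all = [a.lower() for a in d.get("allow", [])] == ["from", "all"]
        if allow_all and "deny" not in d:
            findings.append(f"{path}: reachable by all clients (Allow from all)")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```

The parser only understands the flat directive and <Directory> forms shown in this section; nested containers, <Files>, <Limit> and Include lines would need extending it. Running it against a real httpd.conf is a quick way to see whether Indexes or ExecCGI have crept into the document root.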
Getting user-entered form data from the web
There are many types of programs that can be written to do this:
1. Perl CGI scripts
2. Shell CGI scripts
3. PHP scripts, which are run on the server side when the page is requested.
PHP code is embedded in the HTML page, but files are labeled with the .php
extension.
4. Java Servlets
5. Compiled programs based on any language.
The CGI Environment:
The Web server fills in a standard list of environment variables when it runs. It
writes to other environment variables when it is requested to. Since the Apache server
always runs, anything it puts in the environment is readable by other programs, such as
a Perl script program. This is possible as long as the other program knows the names of
the variables to be read.
Terms:
CGI - Common Gateway Interface. A set of rules (interface) for scripting and
exchanging data over the web.
SGML - Standard Generalized Markup Language. HTML is an application of this.
URL - Universal Resource Locator. Includes protocol (HTTP, FTP, FILE, GOPHER),
module name, path name of object.
IIS - Microsoft's Internet Information Server (A web server for NT)
IDC - Internet Database Connector
ISAPI - Microsoft web programming (Internet Server Application Programming Interface)
Linux Network File System (NFS)
Linux Server Setup
NFS requires RPC to operate. The following daemons are run when the linuxconf nfs
service is started:
1. rpc.rquotad - Enforces the set quotas for remote mounted NFS systems.
2. rpc.mountd - Performs the requested mounts.
3. rpc.nfsd - Handles the user interface to the kernel module that performs NFS.
Server Configuration
To set up the server side:
1. Edit the file "/etc/exports" as in one of the examples below.
2. Then type "exportfs -a".
3. Activate NFS services using linuxconf.
4. After making any changes, restart the nfs daemon either by using "linuxconf" or
typing "/etc/rc.d/init.d/nfs restart". Also, if you want changes to the
/etc/exports file to take effect immediately, install them with the "exportfs -r"
command. Doing this, you will not need to restart nfs for changes to be in effect.
This is an example of an exports file for general use:
/data/installs jimslinux(rw,no_root_squash)
/data/docs *.mycompany.com(ro,root_squash)
/data markslinux(rw,no_root_squash) tomscomputer(ro)
/tftpboot linux3(ro,no_root_squash)
/data tedslinux(ro,no_root_squash)
The third line allows markslinux to have full access even at the root level to all
files in /data, but tomscomputer has read only access, at the world (other) level.
This is an example of an exports file set up for diskless computers with remote
booting:
/tftpboot/lts/ltsroot 10.1.0.101/255.255.0.0(ro,no_root_squash)
/tftpboot/lts/ltsroot 10.1.200.1/255.255.0.0(ro,no_root_squash)
/tftpboot/lts/ltsroot 10.1.200.2/255.255.0.0(ro,no_root_squash)
/tftpboot/lts/linux3 10.1.200.2/255.255.0.0(rw,no_root_squash)
The format of the file is:
directoryname hostname(options)
The hostname can be the IP address followed by the netmask as shown above.
Options include:
no_root_squash - Allows root users on client computers to have root access on
the server. Mount requests from root are not mapped to the anonymous user.
This option is needed for diskless clients.
root_squash - Requests from root on clients are mapped to the nobody user and group
ID so they will only have the file privileges associated with other.
ro - read only access
rw - read write access
There are many more options documented in the exports(5) man page.
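Because no_root_squash hands client root the server's root privileges on that export, and a wildcard or whole-network host entry widens who can mount it, an exports file is worth checking before "exportfs -a". The following is an added example, not code from the guide or from the NFS utilities: it parses the "directoryname hostname(options)" format described above, allowing several host(options) groups per line, and lists the entries a reviewer should look at. The sample file is constructed from the entries in the text, and parse_exports and audit_exports are this example's own names.

```python
import re

# Constructed sample file (not from the guide) modelled on the entries above.
SAMPLE_EXPORTS = """\
# exports for the office
/data/installs jimslinux(rw,no_root_squash)
/data/docs *.mycompany.com(ro,root_squash)
/data markslinux(rw,no_root_squash) tomscomputer(ro)
/tftpboot/lts/ltsroot 10.1.0.101/255.255.0.0(ro,no_root_squash)
/exports/public *(rw)
"""

# One host group: "host(opt,opt)" or a bare host with no options at all.
_HOST = re.compile(r"([^\s(]+)\(([^)]*)\)|([^\s(]+)")


def parse_exports(text):
    """Return a list of (directory, host, options) with options as a set.

    Comments and blank lines are skipped; a line with a directory but no host
    exports nothing and is skipped as well."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) < 2:
            continue
        directory, rest = parts
        for m in _HOST.finditer(rest):
            if m.group(1):
                opts = {o.strip() for o in m.group(2).split(",") if o.strip()}
                entries.append((directory, m.group(1), opts))
            else:
                entries.append((directory, m.group(3), set()))
    return entries


def audit_exports(text):
    """Return (directory, host, reason) findings for the export file."""
    findings = []
    for directory, host, opts in parse_exports(text):
        # "*", "*.domain" and "address/netmask" all describe more than one host.
        whole_network = host.startswith("*") or "/" in host
        if "no_root_squash" in opts:
            findings.append((directory, host,
                             "no_root_squash: client root is root on the server"))
        if whole_network and "rw" in opts:
            findings.append((directory, host,
                             "read-write export to a wildcard or whole network"))
        if host == "*":
            findings.append((directory, host, "exported to every host"))
    return findings


if __name__ == "__main__":
    for directory, host, reason in audit_exports(SAMPLE_EXPORTS):
        print(f"{directory:24} {host:28} {reason}")
```

The diskless-client exports in the text necessarily carry no_root_squash, so they will always appear in the output; the point of the listing is to confirm that each such entry is read-only and limited to the boot clients' addresses.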
Performing the mount from the client
To do the mount on the remote machine:
1. On the remote boot machine, "linux3", after making a /tmp/mnt directory on the
remote machine "linux3", type "mount -n 10.1.0.100:/tftpboot/lts/linux3 /tmp/mnt
-t nfs".
2. The -n is only needed if the /etc directory on the remote boot machine is read
only.
3. The 10.1.0.100 address is the address of the NFS server machine with the
filesystem being mounted.
Client Setup
To set up the client side on a fully functional Linux machine, type "mount -o
rsize=1024,wsize=1024 mymachine:/data /mnt/mymachine/data".
Linux Point to Point Protocol (PPP)
Point to point protocol (PPP) is the latest way to set up networking services through a
modem or serial cable.
minicom is a configuration program to set up and use PPP services.
Linux Mail
This page is not complete yet!
Linux Sendmail
Sendmail is the most used mail daemon with Linux and is probably already installed on
your system. Its configuration file is "/etc/sendmail.cf". Also /etc/sendmail.hf,
/etc/aliases, /etc/aliases.db are useful files with sendmail. Sendmail provides full
SMTP support. Many server systems may use sendmail, however clients normally use POP or
IMAP protocols and the supporting software to get mail from the mailbox server.
Compiling Sendmail
The sendmail program can be found at http://www.Sendmail.org/ and the current version
is 8.10.1.
1. Download the sendmail_8_10_1.tar.gz file into the /usr/local directory.
2. Unpack it with the command "tar xvzf sendmail_8_10_1.tar.gz".
3. Change directories to sendmail-8.10.1
4. Read the INSTALL file for further installation instructions, which are something
like the following.
1. Type "sh Build"
2. Type "cd cf/cf".
3. cp generic-linux.mc config.mc
4. cd ..
5. less README
6. cd cf
7. emacs config.mc
8. sh Build config.cf
9. Back up your /etc/sendmail.cf file and current sendmail binary file.
10. Install config.cf as /etc/mail/sendmail.cf and copy the sendmail binary
to /usr/sbin. The compiled binary is in obj.Linux2.2.14.i686/sendmail/.
Sendmail configuration files
1. /etc/aliases
2. /etc/sendmail.cf or /etc/mail/sendmail.cf
The aliases file
This is where mail aliases are defined. There are two mandatory aliases that must be
present, listed below:
MAILER-DAEMON: postmaster
postmaster: root
There are 5 optional types:
1. Conversion of a mail name to a unix user name. EX: "george_jones: george"
2. Expansion of a name into a list of names. EX: "friendlybunch: tom, george, fred, mike"
or "staff: melissa, tom, george, mark"
3. Mailing list, where Sendmail reads a file and uses the names in the file as the
list of addressees. EX: "filebunch: :include: /usr/local/manyonteam"
4. Alias of a name to a file. EX: "nobody: /dev/null"
5. Replacement of a name by a program. EX: "myhelp: |/usr/local/bin/helpme"
Here is a typical alias file from Redhat 6.1:
# Well-known aliases.
manager: root
dumper: root
operator: root
# Person who should get root's mail
root: mark
#User aliases
mark.zehner: mark
george.jones: george
After modifying the alias file you can rebuild it with the command
newaliases
or
sendmail -bi
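Two of the five alias types above deliver to something other than a mailbox: a "|program" alias runs a command on the mail server for every message it receives, and a file alias writes to a file, so those are the entries to review whenever the file changes, and an alias chain that points back at itself is a mistake newaliases will not fix for you. The following is an added example, not code from the guide or from sendmail: it reads the "name: target, target" format shown above, follows mailbox aliases recursively with loop detection, and separates plain mailboxes from file, program and :include: targets. The sample file is constructed from the entries in the text, and parse_aliases, expand and review_list are this example's own names.

```python
# Constructed sample alias file (not from the guide), with a deliberate loop.
SAMPLE_ALIASES = """\
# Well-known aliases.
MAILER-DAEMON: postmaster
postmaster: root
manager: root
# Person who should get root's mail
root: mark
staff: melissa, tom, george, mark
filebunch: :include: /usr/local/manyonteam
nobody: /dev/null
myhelp: |/usr/local/bin/helpme
loop1: loop2
loop2: loop1
"""


def parse_aliases(text):
    """Return {alias: [targets]}; the split is on the first colon only, so an
    ":include: /path" target keeps its own colon."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, rhs = line.partition(":")
        table[name.strip()] = [t.strip() for t in rhs.split(",") if t.strip()]
    return table


def classify(target):
    """Kind of delivery a target stands for: mailbox, file, program or include."""
    if target.startswith("|"):
        return "program"
    if target.startswith(":include:"):
        return "include"
    if target.startswith("/"):
        return "file"
    return "mailbox"


def expand(table, name, path=()):
    """Return (final_targets, loops) for an alias.

    final_targets lists 'kind:target' strings after following mailbox aliases;
    loops lists names that were reached again from their own expansion."""
    if name in path:
        return [], [name]
    if name not in table:
        return [f"mailbox:{name}"], []
    finals, loops = [], []
    for target in table[name]:
        kind = classify(target)
        if kind == "mailbox":
            f, l = expand(table, target, path + (name,))
            finals += f
            loops += l
        else:
            finals.append(f"{kind}:{target}")
    return sorted(set(finals)), sorted(set(loops))


def review_list(table):
    """Aliases whose delivery is not a plain mailbox, or which loop; these are
    the entries to review before running newaliases."""
    out = {}
    for name in table:
        finals, loops = expand(table, name)
        flagged = [f for f in finals if not f.startswith("mailbox:")]
        if flagged or loops:
            out[name] = flagged + [f"loop:{l}" for l in loops]
    return out


if __name__ == "__main__":
    for alias, reasons in review_list(parse_aliases(SAMPLE_ALIASES)).items():
        print(alias, reasons)
```

Continuation lines (a following line starting with whitespace) and the hash-file form are not handled here; the intent is to show how the alias kinds differ in what they make the server do, not to replace newaliases.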
The /etc/sendmail.cf configuration file
Seven sections of this file:
1. Local information - Configuration for the local host.
2. Options - Sendmail environment options
3. Message Precedence - Specifies
4. Trusted Users - Specifies which users are allowed to change the sender addresses
when sending mail.
5. Header Format - Specifies the headers that are inserted into the mail.
6. Rule Rewriting - The commands that re-write e-mail addresses into a form that
can be read by the program that delivers the mail.
7. Mailer Definitions - Specifies the programs that deliver the mail.
Setting up a Linux Router
Setting up a static router
If you are unfamiliar with how network routing is done, you should read The CTDP
Networking Guide. Information about how routers and routing work is included in that
guide and is not repeated here. This section only explains how to set up routing and
routing tables.
In Linux, the "ifconfig" command is used to configure the NIC and the command "route"
is used to set up routing tables for that machine. Please note that in Redhat Linux,
the GUI interface programs "netconf" and "linuxconf" may be used to set this up also.
These GUI interface programs make the changes permanent by writing them to the files
that are used to configure network information. Changes made with "route" without
adding them to permanent files will no longer be valid when you reboot the machine.
The command "ifconfig eth0 192.168.2.2 netmask 255.255.255.0" will set the NIC card up
with its address and network number. You can type "netconfig", then select "basic host
information" and do the same thing. The command "route add -net default gw 192.168.2.1
dev eth0" will add the route required for this computer to reach its gateway. This can
be done using "netconf" by selecting "routing and gateways" and "defaults", then
setting the address of the default gateway, and enabling routing.
Please be aware that various versions of Linux have different means of storing and
retrieving network and routing information and you must use the tools that come with
your system or learn it well enough to determine what files to modify. On Redhat 6.1
the file "/etc/sysconfig/static-routes" can be modified to make your route changes
permanent, but this does not apply to your default route. Other files are
"/etc/sysconfig/routed" and "/etc/sysconfig/network". Other files include
"/etc/gateways", "/etc/networks", "/proc/net/route", "/proc/net/rt_cache", and
"/proc/net/ipv6_route". The file "/etc/sysconfig/network-scripts" is a script file that
controls the network setup when the system is booted.
If you type "route" for this machine, the routing table below will be displayed:
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.2.2 * 255.255.255.255 UH 0 0 0 eth0
192.168.2.0 * 255.255.255.0 U 0 0 0 eth0
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
default 192.168.2.1 0.0.0.0 UG 0 0 0 eth0
Here is a simple explanation of routing tables and their purpose. All computers that
are networked have a routing table in one form or another. A routing table is a simple
set of rules that tell what will be done with network packets. In programming language
it is easiest to think of it as a set of instructions, very similar to a case statement
which has a "default" at its end. It can also be thought of as a series of
if..then..elseif..then..else statements. If the lines above are labeled A through C and
a default (the last line), an appropriate case statement is: (Don't count the header
line)
switch(address){
case A: send to me;break;
case B: send to my network;break;
case C: send to my local interface;break;
default: send to gateway 192.168.2.1;
}
An appropriate if statement is:
if (address=me) then send to me;
elseif (address=my network) then send to my network;
elseif (address=my local) then send to my local interface;
else send to my gateway 192.168.2.1;
In everyday terms this is similar to a basic decision process. Imagine you are holding
a letter. If it is addressed to you, you keep it, if it is addressed to someone in your
town, you drop it in the local slot at the post office, but if it is addressed to
someone out of town, you would drop it in the out of town slot.
Note how the routing table is arranged. It is arranged from the most specific to the
least specific. Therefore as you go down the table, more possibilities are covered. You
will notice the first Genmask is 255.255.255.255 and the last is 0.0.0.0. There can be
no doubt that the last line is the default. The genmasks between the start and the end
have a decreasing number of least significant bits set.
The above default routing table may be added manually with the command:
route add -net default gw 192.168.2.1 dev eth0
The routing table for a machine acting as a gateway between the network 192.168.2.0
and the network 192.168.1.0 is as follows. The network card addresses are 192.168.2.1
and 192.168.1.2.
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.2.1 * 255.255.255.255 UH 0 0 0 eth0
192.168.1.2 * 255.255.255.255 UH 0 0 0 eth1
192.168.2.0 192.168.2.1 255.255.255.0 UG 0 0 0 eth0
192.168.2.0 * 255.255.255.0 U 0 0 0 eth0
192.168.1.0 192.168.1.2 255.255.255.0 UG 0 0 0 eth1
192.168.1.0 * 255.255.255.0 U 0 0 0 eth1
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
default 192.168.1.1 0.0.0.0 UG 0 0 0 eth0
The Iface specifies the card where packets for this route will be sent. The address of
eth1 is 192.168.1.2 and eth0 is 192.168.2.1. The NIC card addresses could have easily
been switched. Line 1 (above) provides for the eth0 address, while line 2 provides for
the address of eth1. Lines 3 and 4 are the rules for traffic going from network
192.168.1.0 to network 192.168.2.0 which will be sent out on NIC eth0. Lines 5 and 6
are the rules for traffic going from network 192.168.2.0 to network 192.168.1.0 which
will be sent out NIC eth1. This may seem confusing, but please note the first value on
lines 3 and 4 is 192.168.2.0 which the header indicates as the destination of the
packet. Don't think of it as source! The last line is the default line which specifies
that any packet not on one of the networks 192.168.1.0 or 192.168.2.0 will be sent to
the gateway 192.168.1.1. This is how internet access is obtained, though IP
masquerading will probably be used. The flags above mean the following:
U - Route is up
H - Target is a host
G - Use gateway
There are other flags, which you can look up by typing "man route". Also the metric
value above, indicating the distance to the target, is not used by current Linux
kernels but may be needed by some routing daemons. Please note that if route knows the
name of the gateway machine, it may list its name rather than the IP address. The same
is true for defined networks. Networks may be defined in the file "/etc/networks" as in
the example:
net1 192.168.1.0
net2 192.168.2.0
The routing table above can be set up with the following commands.
route add -net 192.168.2.0 netmask 255.255.255.0 gw 192.168.2.1 dev eth0
route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.2 dev eth1
Again be aware that you are specifying destination networks here and the ethernet
device and address the data is to be sent on.
In Redhat Linux this can be specified using "netconf" by selecting "routing and
gateways" and "other routes to networks" and entering the following:
Network Netmask Gateway
192.168.2.0 255.255.255.0 192.168.2.1
192.168.1.0 255.255.255.0 192.168.1.2
Alternatively in Redhat Linux, you can add the following two lines to the file
"/etc/sysconfig/static-routes":
eth0 net 192.168.2.0 netmask 255.255.255.0 gw 192.168.2.1
eth1 net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.2
The commands to delete the above routes with route are:
route del -net 192.168.2.0 netmask 255.255.255.0 gw 192.168.2.1 dev eth0
route del -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.2 dev eth1
Be aware, the program route is very particular about how the commands are entered. Even
though it may seem that you entered them as the man page specifies, it will not always
accept the commands. I don't know if this is a bug or not, but if you enter them as
described here with the network, netmask, gateway, and device specified, it should
work. The slightest misnomer in network name, netmask, gateway, device, or command
syntax and the effort will fail.
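The "case statement" reading of a routing table above is exactly a longest-prefix match: the row whose Genmask covers the destination with the most bits set wins, which is why the /32 host rows sit at the top and the 0.0.0.0 default at the bottom. The following is an added example, not code from the guide or from the route command, that carries both tables from this section through that lookup. The rows are copied from the two tables as printed; the names lookup, to_network and is_most_specific_first are this example's own, and "direct" is this example's rendering of the "*" gateway.

```python
from ipaddress import ip_address, ip_network

# Rows copied from the tables in the text: (destination, gateway, genmask, iface).
SINGLE_HOST = [
    ("192.168.2.2", "*", "255.255.255.255", "eth0"),
    ("192.168.2.0", "*", "255.255.255.0", "eth0"),
    ("127.0.0.0", "*", "255.0.0.0", "lo"),
    ("default", "192.168.2.1", "0.0.0.0", "eth0"),
]

GATEWAY = [
    ("192.168.2.1", "*", "255.255.255.255", "eth0"),
    ("192.168.1.2", "*", "255.255.255.255", "eth1"),
    ("192.168.2.0", "192.168.2.1", "255.255.255.0", "eth0"),
    ("192.168.2.0", "*", "255.255.255.0", "eth0"),
    ("192.168.1.0", "192.168.1.2", "255.255.255.0", "eth1"),
    ("192.168.1.0", "*", "255.255.255.0", "eth1"),
    ("127.0.0.0", "*", "255.0.0.0", "lo"),
    ("default", "192.168.1.1", "0.0.0.0", "eth0"),
]


def to_network(destination, genmask):
    """Turn a Destination/Genmask pair into a network; "default" is 0.0.0.0/0."""
    dest = "0.0.0.0" if destination == "default" else destination
    return ip_network(f"{dest}/{genmask}", strict=False)


def lookup(table, address):
    """Return (gateway, iface) for address.

    The matching row with the longest genmask wins; among matches of equal
    length the earlier row wins, which is the order route lists them in.
    "direct" means the "*" gateway, i.e. deliver on the interface itself."""
    addr = ip_address(address)
    best = None
    for dest, gw, mask, iface in table:
        net = to_network(dest, mask)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, gw, iface)
    if best is None:
        raise LookupError(f"no route to {address}")
    _, gw, iface = best
    return ("direct" if gw == "*" else gw), iface


def is_most_specific_first(table):
    """True when rows run from the longest genmask to the shortest, the
    arrangement the text points out (255.255.255.255 first, 0.0.0.0 last)."""
    lengths = [to_network(d, m).prefixlen for d, _, m, _ in table]
    return lengths == sorted(lengths, reverse=True)


if __name__ == "__main__":
    for probe in ("192.168.2.2", "192.168.2.7", "127.0.0.1", "10.0.0.1"):
        print("single host:", probe, "->", lookup(SINGLE_HOST, probe))
    for probe in ("192.168.1.50", "192.168.2.50", "198.51.100.9"):
        print("gateway:", probe, "->", lookup(GATEWAY, probe))
```

Note that on the gateway table a destination in 192.168.2.0/24 hits the row whose Gateway column reads 192.168.2.1 before the row with "*", because both have the same genmask and the first one listed wins; that is the "don't think of it as source" point the text makes about lines 3 and 4.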
Dynamic Routing
Routed
To run the routed daemon, all you need to do is to start routed. There is no
configuration file. Routed will listen for RIP updates on the network and use them to
build a routing table. RIP is not a good routing choice for very large networks but is
easy to administer and works well for small networks.
The /etc/gateways file allows static routes to be added to the routed daemon so that
routes associated with routers that can't provide updates to routing tables are
manually provided for. The format of the file is as follows:
startkeyword destinationaddress gateway gwaddress metric value active/passive
The startkeyword is one of:
1. net - A route to a network
2. host - A route to a host
The destination address tells where the packet is going. If the destination is
0.0.0.0, then that is the default route.
The gateway defines the external gateway used to reach the destination, with the
gwaddress specifying the IP address of the gateway.
Metric is a required keyword and the metric value is the cost (in hops) to the
destination.
The active/passive value indicates whether a router performs routing updates.
Active indicates it does.
An example follows:
net 0.0.0.0 gateway 10.11.199.1 metric 1 active
net 192.168.198.0 gateway 10.11.199.20 metric 1 active
Gated
Gated supports multiple routing protocols.
OSPF
Linux IP Masquerading
For complete information on the setup of IP masquerading, see the following Linux how-
tos:
IPCHAINS-HOWTO
Firewall-HOWTO
IP-Masquerade-HOWTO
Some of the information in this section is based on these how-tos. This section
summarizes and puts in simple steps some of the items you will be required to perform
to set up IP masquerading. It is not a replacement for the Linux how-to documents, but
a complement to them, giving an overview of what must be done. You may access the
how-tos from one of the web links listed in the Linux websites section. The Linux
Documentation Project or Metalab's Index of Linux publications will have copies of
these how-tos.
IP masquerading allows internal machines that don't have an officially assigned IP
address to communicate with other networks and especially the internet. It uses a form
of Network Address Translation (NAT) to accomplish this. In Linux, IP masquerading
support is provided by the kernel. To get it to work you must do the following:
1. Be sure the kernel has support for IP masquerading.
2. Enable IPv4 forwarding.
3. Be sure modules needed for support are loaded into the kernel.
4. Set up the firewall rules.
Checking for IP Masquerade kernel Support
To determine if IP masquerading is set up in your kernel type:
ls /proc/net
If one of the result files listed is "ip_masquerade", you will not need to recompile
your kernel.
If IP masquerading is not set up you must recompile your kernel with the following
options set (This is for a 2.2.x kernel or higher):
Prompt for development and/or incomplete code/drivers (CONFIG_EXPERIMENTAL) [Y/n/?] - YES
Enable loadable module support (CONFIG_MODULES) [Y/n/?] - YES
Networking support (CONFIG_NET) [Y/n/?] - YES
Packet socket (CONFIG_PACKET) [Y/m/n/?] - YES
Kernel/User netlink socket (CONFIG_NETLINK) [Y/n/?] - YES
Routing messages (CONFIG_RTNETLINK) [Y/n/?] - NO
Network firewalls (CONFIG_FIREWALL) [Y/n/?] - YES
TCP/IP networking (CONFIG_INET) - YES
IP: advanced router (CONFIG_IP_ADVANCED_ROUTER) [Y/n/?] - NO
IP: verbose route monitoring (CONFIG_IP_ROUTE_VERBOSE) [Y/n/?] - YES
IP: firewalling (CONFIG_IP_FIREWALL) [Y/n/?] - YES
IP: firewall packet netlink device (CONFIG_IP_FIREWALL_NETLINK) [Y/n/?] - YES
IP: always defragment (required for masquerading) (CONFIG_IP_ALWAYS_DEFRAG) [Y/n/?] - YES
IP: masquerading (CONFIG_IP_MASQUERADE) [Y/n/?] - YES
IP: ICMP masquerading (CONFIG_IP_MASQUERADE_ICMP) [Y/n/?] - YES
IP: masquerading special modules support (CONFIG_IP_MASQUERADE_MOD) [Y/n/?] - YES
IP: ipautofw masquerade support (EXPERIMENTAL) (CONFIG_IP_MASQUERADE_IPAUTOFW) [Y/n/?] - NO
IP: ipportfw masq support (EXPERIMENTAL) (CONFIG_IP_MASQUERADE_IPPORTFW) [Y/n/?] - YES
IP: ip fwmark masq-forwarding support (EXPERIMENTAL) (CONFIG_IP_MASQUERADE_MFW) [Y/m/n/?] - NO
IP: optimize as router not host (CONFIG_IP_ROUTER) [Y/n/?] - YES
IP: GRE tunnels over IP (CONFIG_NET_IPGRE) [N/y/m/?] - NO
IP: TCP syncookie support (not enabled per default) (CONFIG_SYN_COOKIES) [Y/n/?] - YES
Network device support (CONFIG_NETDEVICES) [Y/n/?] - YES
Dummy net driver support (CONFIG_DUMMY) [M/n/y/?] - YES
/proc filesystem support (CONFIG_PROC_FS) [Y/n/?] - YES
These are the kernel options you need for IP Masquerade. You will need to select other
options for your specific hardware and network setup. Read the IP masquerade and kernel
how-tos for more information. You may also want to read the section about how to
compile the Linux kernel in The CTDP Linux User's Guide in the Linux section of this
documentation.
Enable IPv4 Forwarding
1. Type "ls /proc/sys/net/ipv4" and look for a file "ip_forward" or
"ip_forwarding". Whichever you find, use its name in the following example. The
example will use "ip_forward".
2. Type "echo "1" > /proc/sys/net/ipv4/ip_forward". This will enable IP forwarding
until the next time you boot.
3. If running Redhat Linux, edit the "/etc/sysconfig/network" script. Look for the
line with "FORWARD_IPV4=" on it and make sure it says "FORWARD_IPV4="yes"". The
next time you boot, IPv4 forwarding will be enabled. There may be other ways to
set this up on other systems.
Setting up Firewall Rules and Enabling Kernel Modules
Create the following text and place it in a file "/etc/rc.d/rc.firewall". This will
load your needed modules into your kernel and set up your basic firewall rules. If you
copy the file from this page, be sure to remove carriage returns when you get it into
Linux or it may not work properly.
# rc.firewall - Initial SIMPLE IP Masquerade setup for 2.2.x kernels using ipchains
#
# Load all required IP MASQ modules
#
# NOTE: Only load the IP MASQ modules you need. Comment out the modprobe lines
# below for modules you do not use.
#
# Supports the proper masquerading of FTP file transfers using the PORT method
#
/sbin/modprobe ip_masq_ftp
#
# Supports the masquerading of IRC DCC file transfers
#
/sbin/modprobe ip_masq_irc
#
# Enable IP forwarding
#
echo "1" > /proc/sys/net/ipv4/ip_forward
#
# Dynamic IP users:
#
# If you get your Internet IP address dynamically from SLIP, PPP, or DHCP, enable
# the following option. This enables dynamic-ip address hacking in IP MASQ, making
# life with DialD, PPPd, and similar programs much easier.
#
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
#
# MASQ timeouts
#
# 2 hrs timeout for TCP session timeouts
# 10 sec timeout for traffic after the TCP/IP "FIN" packet is received
# 160 sec timeout for UDP traffic (Important for MASQ'ed ICQ users)
#
/sbin/ipchains -M -S 7200 10 160
#
# DHCP: For people who receive their external IP address from either DHCP or BOOTP,
# such as ADSL or Cablemodem users, it is necessary to use the following rule
# before the deny command. The interface name given after -i ("eth1" here) should
# be the name of the link that the DHCP/BOOTP server will put an address on to.
# Comment this line out if your external address is static.
#
/sbin/ipchains -A input -j ACCEPT -i eth1 -s 0/0 67 -d 0/0 68 -p udp
#
# NOTE: The following is an example for an internal LAN address in the 10.1.199.x
# network with a 255.255.255.0 or a "24" bit subnet mask.
#
# Please change this network number and subnet mask to match your internal LAN setup
#
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -s 10.1.199.0/24 -j MASQ
This file will load the modules you need and set your firewall rules with ipchains. The
last line in the file masquerades traffic from network 10.1.199.*. You will need to
modify this line for your network address. Your network consists of the machines that
you are running IP masquerading for. It should be connected to an ethernet card on your
IP masquerading machine. If your network is 192.168.1.*, you will want "/sbin/ipchains
-A forward -s 192.168.1.0/24 -j MASQ" on the line above. If it is 10.1.*.*, you will
want "/sbin/ipchains -A forward -s 10.1.0.0/16 -j MASQ" on the line above.
Add the following line to the "/etc/rc.d/rc.local" file:
/etc/rc.d/rc.firewall
Of course, the machines that you are configuring to be behind the machine that provides the
masquerading service should be configured to use that as their gateway.
Linux Proxy Servers
For complete information on the use of IP chains and setting up a firewall, see the
following Linux how-tos:
IPCHAINS-HOWTO
Firewall-HOWTO
IP-Masquerade-HOWTO
Some of the information in this section is based on these how-tos. This section
summarizes and puts in simple steps some of the items you will be required to perform
to set up a firewall. It is not meant as a replacement for the Linux how to documents,
but a complement to them, giving an overview of what must be done. You may access the
how-tos from one of the websites listed in the Linux websites section. The Linux
Documentation Project or Metalab's Index of Linux publications will have copies of
these how-tos. Also much of the information in this section is contained in the
firewalls section of The CTDP Networking Guide in the networking section. If you do not
know the various firewall types, you should read that section.
Packet Filtering Firewalls
In a packet filtering firewall, data is forwarded based on a set of firewall rules.
This firewall works at the network level. Packets are filtered by type, source address,
destination address, and port information. These rules are similar to the routing rules
explained in The CTDP Networking Guide and may be thought of as a set of instructions
similar to a case statement or if statement. This type of firewall is fast, but cannot
allow access to a particular user since there is no way to identify the user except by
using the IP address of the user's computer, which may be an unreliable method. Also
the user does not need to configure any software to use a packet filtering firewall
such as setting a web browser to use a proxy for access to the web. The user may be
unaware of the firewall. This means the firewall is transparent to the client. The
ipchains tool is commonly used to configure packet filtering or circuit level relay
firewalls.
Circuit Level Relay Firewall
A circuit level relay firewall is also transparent to the client. It listens on a port
such as port 80 for http requests and redirects the request to a proxy server running on
the machine. Basically, the redirect function is set up using ipchains, then the proxy
filters the packet at the port that received the redirect.
Configuring a Proxy Server
The following packages are available in Linux:
o ipchains - Packet filtering supported by the Linux kernel, soon to be replaced by
netfilter. It comes with Linux and is used to modify the kernel packet routing
tables.
o SOCKS - Circuit switching firewall. Normally doesn't come with Linux, but is free.
o Squid - A circuit switching proxy. Normally comes with Linux.
o Juniper Firewall Toolkit - A firewall toolkit product used to build a firewall.
It uses transparent filtering, and is circuit switching. It is available as open
source.
o The TIS Firewall Toolkit (FWTK) - A toolkit that comes with application level
proxies. The applications include telnet, rlogin, SMTP mail, ftp, http, and X
windows. It can also perform as a transparent proxy for other services.
This section does not explain how to set up and install these packages.
Deny Ping
An easy way to deny ping on your Linux computer:
ipchains -A input -p ICMP -j DENY
Warning: Those not familiar with the ICMP protocol and its uses should be aware that
this command will deny all ICMP message types including useful and important messages.
The ICMP protocol performs many functions and this command may cause network problems
depending on how the machine is used (especially if used for routing) on your network.
Ping is only one feature supported by ICMP. You should not use this command unless you
know what you are doing or you are using it on a system that is not important for
network operation. See the "Internet Control Message Protocol (ICMP)" section in the
The CTDP Networking Guide. Safer examples are shown below.
Deny Telnet Connections
This example will deny telnet functions to your machine.
ipchains -A input -p TCP -s 0/0 telnet -j DENY
Using this command to block telnet is worthwhile if you are interested in using a more
secure means of providing remote sessions. Secure shell is a good substitute for telnet
for those who require a secure environment.
Ipchains and Linux Packet filtering
The administration of data packet management is controlled by the kernel. Therefore to
provide support for things like IP masquerading, packet forwarding, and port redirects,
the support must be compiled into the kernel. The kernel contains a series of tables
that each contain 0 or more rules. Each table is called a chain. A chain is a sequence
of rules. Each rule contains two items.
1. Characteristics - Characteristics such as source address, destination address,
protocol type (UDP, TCP, ICMP), and port numbers.
2. Instructions - Instructions are carried out if the rule characteristics match
the data packet.
The kernel filters each data packet for a specific chain. For instance when a data
packet is received, the "input" chain rules are checked to determine the acceptance
policy for the data packet. The rules are checked starting with the first rule (rule
1). If the rule characteristics match the data packet, the associated rule instruction
is carried out. If they don't match, the next rule is checked. The rules are
sequentially checked, and if the end of the chain is reached, the default policy for
the chain is returned.
Rules and Programming Comparison
For those who are familiar with programming the ipchains rule set can be compared to a
sequence of if statements.
if (packet=characteristics1) then perform action1;
elseif (packet=characteristics2) then perform action2;
elseif (packet=characteristics3) then perform action3;
else perform default action4;
The comparisons are made depending on the type of packets, their source or destination
or a variety of characteristics entered using the ipchains command. If the packet
matches the established characteristics, the action specified by the ipchains command
is carried out.
Chain Specification
Chains are specified by name. There are three chains that are available and can't be
deleted. They are:
1. Input - Regulates acceptance of incoming data packets.
2. Forward - Defines permissions to forward packets that have another host as a
destination.
3. Output - Permissions for sending packets.
Each rule has a branch name or policy. Policies are listed below:
ACCEPT - Accept the data packet.
REJECT - Drop the packet but send an ICMP message indicating the packet was
refused.
DENY - Drop and ignore the packet.
REDIRECT - Redirect to a local socket with input rules only even if the packet
is for a remote host. This applies to TCP or UDP packets.
MASQ - Sets up IP masquerading. Works on TCP or UDP packets.
RETURN - The next rule in the previous calling chain is examined.
You can create more chains and then add rules to them. The commands used to modify
chains are as follows:
-N Create a new chain
-X Delete an empty chain
-L List the rules in the chain
-P Change the policy for a chain
-F Flush=Delete all the rules in a chain
-Z Zero the packet and byte counters in all chains
Commands to manipulate rules inside the chain are:
-A Append a new rule to a chain.
-I Insert a new rule at some position in a chain.
-R Replace a rule at some position in a chain.
-D Delete a rule at some position in a chain.
Options for masquerading:
o -M with -L to list the currently masqueraded connection.
o -M with -S to set the masquerading timeout values.
IPchains Options for setting rule specifications:
-s Source
-d Destination
-p Protocol=tcp, udp, icmp, all or a name from /etc/protocols
-j Jump target, Specifies the target of the rule. The target can be a user
defined chain, but not the one this rule is in.
-i Interface=Name of the interface the packet is received on or the interface
where the packet will be sent
-t Mask used to modify the type of service (TOS) field in the IP header. This
option is followed by two values, the first one is and'ed with the TOS field,
and the second is exclusive or'ed. The masks are eight bit hexadecimal values.
An example of use is "ipchains -A output -p tcp -d 0.0.0.0/0 telnet -t 0x01
0x10" These bits are used to set priority. See the section on IP message
formats.
-f Fragment
When making changes to firewall rules, it is a good idea to deny all packets before
making the changes, with the following three commands:
ipchains -I input 1 -j DENY
ipchains -I output 1 -j DENY
ipchains -I forward 1 -j DENY
These commands insert a rule at position 1 of each chain that denies all packets for
input, output and forwarding, so that no unauthorized packets get through while the
rule set is in an intermediate state. Note that this also cuts off any remote
administration session, so do it from the console. When your changes are complete,
remove the rules at position 1 with the following commands:
ipchains -D input 1
ipchains -D output 1
ipchains -D forward 1
Deleting by position is only correct if none of your changes inserted another rule at
position 1 of the same chain; if they did, delete the blocking rule by its
specification instead (-D with the same options that created it and no position
number).
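Written as an added example (not the page's own commands), the procedure above becomes a reusable wrapper that also covers two failure modes: a change that inserts its own rule at position 1 (so deleting by position would remove the wrong rule) and an edit that fails half way (the EXIT trap still lifts the lockout). The IPCHAINS and CHAINS variables, the function names, the hypothetical file name lockout.sh and the sample web_server_rules change set are assumptions of this example; /sbin/ipchains is the assumed path of the binary.

```shell
#!/bin/sh
# Added example, not from the original page: the "deny everything while
# editing" procedure as a reusable wrapper. Assumptions made here: the
# ipchains binary is at /sbin/ipchains (override with IPCHAINS, e.g.
# IPCHAINS=echo to preview), and the sample change set below is the
# corrected web-server rule pair from this section, added to the user
# chain "chainame" that was created with -N earlier.

IPCHAINS=${IPCHAINS:-/sbin/ipchains}
CHAINS="input output forward"

# lockout_on: insert a catch-all DENY at position 1 of every built-in chain,
# so nothing passes while the rule set is being edited.
lockout_on() {
  for c in $CHAINS; do "$IPCHAINS" -I "$c" 1 -j DENY || return 1; done
}

# lockout_off: delete the DENY rules by specification, not by position, so a
# change that inserted its own rule at position 1 cannot make us delete the
# wrong rule.
lockout_off() {
  for c in $CHAINS; do "$IPCHAINS" -D "$c" -j DENY; done
}

# with_lockout COMMAND [ARGS...]: run COMMAND between lockout_on and
# lockout_off and return COMMAND's exit status. The EXIT trap lifts the
# lockout even if the shell aborts part way through (set -e, a signal).
with_lockout() {
  lockout_on || return 1
  trap lockout_off EXIT
  "$@"; _rc=$?
  trap - EXIT
  lockout_off
  return "$_rc"
}

# Sample change set (constructed for this example): inbound web connections
# on the user chain hung off "input", and their replies on "output".
# -p tcp is given because port matches only make sense for TCP or UDP.
web_server_rules() {
  "$IPCHAINS" -A chainame -p tcp -s 0/0 1024: -d 10.1.1.36 www -j ACCEPT &&
  "$IPCHAINS" -A output -p tcp -s 10.1.1.36 www -d 0/0 1024: -j ACCEPT
}

# Only act when explicitly asked, so the file can also be sourced for its functions.
if [ "${1:-}" = apply ]; then
  with_lockout web_server_rules
fi
```

Run "IPCHAINS=echo sh lockout.sh apply" to print the commands in the order they would be issued, and "sh lockout.sh apply" as root to apply the sample change set for real.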
Examples of the use of ipchains to allow various services
Create a new chain:
ipchains -N chainame
The option "-N" creates the chain.
Add the chain to the input chain:
ipchains -A input -j chainame
Allow connections to outside http servers from inside our network:
ipchains -A chainame -p tcp -s 10.1.0.0/16 1024: -d 0.0.0.0/0 www -j ACCEPT
The "-A chainame" adds a rule to the chain called "chainame". The "-p tcp" restricts
the rule to TCP, which is needed for the port specifications that follow to make sense.
The "-s 10.1.0.0/16 1024:" specifies traffic from network 10.1.0.0 (netmask
255.255.0.0) at port 1024 or above. The "-d 0.0.0.0/0 www" specifies any destination
at the www service port (80, looked up in the /etc/services file) and the "-j ACCEPT"
sets the rule to accept the traffic.
Allow connections from the internet to connect with your http server:
ipchains -A chainame -p tcp -s 0/0 1024: -d 10.1.1.36 www -j ACCEPT
The "-A chainame" adds a rule to the chain called "chainame". The "-s 0/0 1024:"
specifies traffic from any source at an unprivileged port (1024 or above), which is
where clients connect from. The "-d 10.1.1.36 www" specifies the http server at IP
address 10.1.1.36 at the www port (80), and the "-j ACCEPT" sets the rule to accept the
traffic. The source and destination ports must not be swapped: a rule with source port
www and destination ports 1024: would match the server's replies, not the clients'
connection attempts.
Allow DNS answers to come back through the firewall:
ipchains -A chainame -p udp -s 0/0 domain -d 10.1.0.0/16 -j ACCEPT
The "-A chainame" adds a rule to the chain called "chainame". The "-p udp" specifies
the UDP protocol. The "-s 0/0 domain" specifies UDP traffic from any location with
source port domain (53, the name used in /etc/services), i.e. answers sent by DNS
servers. The "-d 10.1.0.0/16" specifies our network and the "-j ACCEPT" sets the rule
to accept the traffic. This allows replies to DNS queries made by computers inside our
network to be received. Because the rule does not restrict the destination port, any
UDP packet with source port 53 is accepted; a tighter rule would also require a
destination port of 1024 or above.
Allow e-mail to go from our internal mail server to mail servers outside the network:
ipchains -A chainame -p tcp -s 10.1.1.24 -d 0/0 smtp -j ACCEPT
The "-A chainame" adds a rule to the chain called "chainame". The "-p tcp" restricts
the rule to TCP. The "-s 10.1.1.24" specifies any traffic from the 10.1.1.24 IP
address. The "-d 0/0 smtp" specifies the smtp service (port 25) anywhere, and the
"-j ACCEPT" sets the rule to accept the traffic.
Allow e-mail to come from any location to our mail server:
ipchains -A chainame -p tcp -s 0/0 -d 10.1.1.24 smtp -j ACCEPT
The "-A chainame" adds a rule to the chain called "chainame". The "-s 0/0" specifies
traffic from anywhere; incoming SMTP connections come from unprivileged source ports,
not from port 25, so the source port is left unrestricted. The "-d 10.1.1.24 smtp"
specifies mail traffic going to port 25 on our mail server and the "-j ACCEPT" sets the
rule to accept the traffic.
Perform a HTTP port redirect for a transparent proxy server:
ipchains -A input -p tcp -s 10.1.0.0/16 -d 0/0 80 -j REDIRECT 8080
The "-A input" adds a rule to the input chain. The "-p tcp" specifies the protocol TCP.
The "-s 10.1.0.0/16" specifies the source as a network with netmask 255.255.0.0. The "-
d 0/0" specifies a destination of anywhere. The number 80 is the HTTP port number, and
the command "-j REDIRECT 8080" redirects the traffic to port 8080.
Give telnet transmissions a higher priority:
ipchains -A output -p tcp -d 0.0.0.0/0 telnet -t 0x01 0x10
The bits at the end of the line, specified in hexadecimal, set the priority (type of
service) of the IP message on the network. The first value is and'ed with the TOS field
in the IP header and the second value is exclusive or'ed with the result, so this
example clears all TOS bits except the low-order one and then sets the "minimize
delay" bit (0x10). See the section on IP message formats for more information.
Using ipchains-save and ipchains-restore to make rules permanent
When you are done setting your ipchains rules, use the following procedure while logged
on as root to make them permanent:
1. Type the command "ipchains-save > /etc/iprules.save".
2. Create the following script named "packetfw". The rules are restored before IP
forwarding is enabled, so there is no window in which the host forwards unfiltered
traffic:
#! /bin/sh
# Packet filtering firewall script used to turn the firewall on or off

if [ -f /etc/iprules.save ]
then
    case "$1" in
    start)
        echo -n "Turning on packet filtering firewall:"
        /sbin/ipchains-restore < /etc/iprules.save
        echo 1 > /proc/sys/net/ipv4/ip_forward
        echo "."
        ;;
    stop)
        echo -n "Turning off packet filtering:"
        echo 0 > /proc/sys/net/ipv4/ip_forward
        /sbin/ipchains -F      # flush all rules first; -X only removes chains that are empty
        /sbin/ipchains -X
        /sbin/ipchains -P input ACCEPT
        /sbin/ipchains -P output ACCEPT
        /sbin/ipchains -P forward ACCEPT
        echo "."
        ;;
    *)
        echo "Usage: /etc/init.d/packetfw {start|stop}"
        exit 1
        ;;
    esac
    exit 0
else
    echo "The /etc/iprules.save file does not exist."
    exit 1
fi
Note that "stop" sets all three policies to ACCEPT, which leaves the host completely
unfiltered; if that is not what you want, set the three policies to DENY instead.
3. Save the file in the /etc/rc.d/init.d directory and make it executable.
4. In the /etc/rc.d/rc3.d and the /etc/rc.d/rc5.d directories make a symbolic link
called S07packetfw to the /etc/rc.d/init.d/packetfw file with the command "ln -s
/etc/rc.d/init.d/packetfw /etc/rc.d/rc3.d/S07packetfw" (the existing file comes first,
then the name of the link). This applies to runlevel 3. Do the same for the runlevel 5
initialization directory. Note: You may need to use a different number than the "S07"
string to number your link file. Look in your /etc/rc.d/rc3.d and /etc/rc.d/rc5.d
directories to determine what number is available to give this file. Try to give it a
number just below your network start file, so the rules are in place before the
interfaces come up. On my system the S10network file is used to start my network.
Linux UUCP
This section is not yet complete!
UUCP which stands for Unix to Unix copy is primarily used for copying files between
Unix systems but can also perform other functions. It typically does not do the tasking
immediately, but executes tasking based on queued requests. Tasking is done based on a
specific schedule set up by the administrator. This form of intersystem tasking has
been used in the past to send information over telephone lines at times when rates were
low.
Much information on this page was developed from the Taylor UUCP Version 1.06
Documentation by Ian Lance Taylor. This document comes on Redhat Linux 6.1 systems in
the file /usr/doc/uucp-1.06.1/uucp.html. For complete information, you should read that
file. This page only attempts to give a few examples with explanations to get you up
and running more quickly.
UUCP Configuration files
Configuration files are located in "/etc/uucp" or "/usr/lib/uucp" on older Linux
versions.
16. Files may be uploaded by unknown hosts to the public directory (~), which is
/var/spool/uucp or the /var/spool/uucp/upload directory.
The command
unknown receive-request no
will not allow unknown hosts to receive files from this host.
Setting the public directory permits users on systems that call in to request a file by
prefixing it with "~/" to get a file from the public directory. To retrieve the file
"INDEX" from the public directory of the server "ourserver", a user on a remote host can
enter "uucp ourserver!~/INDEX ~"; the file would be sent to the user's local public
directory. When using csh or bash the ! and the second ~ must be quoted. This example
applies if the user's host is known to the server. If it is unknown, the user would get
the file from /var/spool/uucp/INDEX.
Linux Network Security
Linux Firewall management
Regardless of your firewall type (proxy, packet filtering, etc.), it is not a good idea
to have a firewall performing any more services than absolutely necessary. The services
are best limited to the minimum required to run the machine. I recommend that you do
not provide NFS, TFTP, BOOTP, DHCP, web services, mail services, Samba services, FTP,
or telnet on your firewall unless absolutely necessary. If you must provide these
services, be careful with wild cards in their configuration files that may allow blocks
of systems or users to have access to your machine. Also, if you are running these
services, you should monitor security postings on these services so you are aware of
any security holes associated with that particular service. If you must provide telnet
or FTP, be sure you configure your TCP wrapper in the inetd.conf file for these
services, and set the hosts.allow and hosts.deny files as restrictively as possible.
See the section on inetd services for information on how to do this. Policies for a
firewall:
1. Disable IP forwarding
2. Limit services
3. Monitor log files carefully including logfiles on any services running.
4. Limit write access to files and directories on the firewall.
5. Implement policies to prevent denial of service attacks along with IP spoofing
and IP fragmentation attacks. Enabling user quotas can help limit the damage from
denial of service attacks on disk space.
6. Limit access to services with the hosts.allow and hosts.deny files.
7. Set parameters in your TCP wrapper and any other services to protect against
anyone pretending to have another host's name or address. See the section on
inetd.
8. Be sure your /etc/securetty file will not allow root logins from unsecured
locations.
System monitoring
Check your system log files often. They are in the /var/log directory. Check the log
files /var/log/secure and /var/log/messages daily. Also carefully monitor the log files
of any extra services you are running on your firewall.
General network policies
Configure the identd protocol to allow for user name lookups from client to
server machines. This will make it easier to track down any user who abuses the
system.
Use network monitoring tool software to detect abnormal activity on your system
or an intrusion.
The Chroot environment
A chroot environment is an isolated directory tree that a process sees as its root file
system, separate from the real operating system. It contains its own copies of the
programs, libraries and modules required to run independently of the real operating
system. In this way it becomes more difficult to break into the real operating system
and damage it. A program that runs with root privileges can, however, still get out into
the real operating system; the chroot only makes it more work for an intruder, so the
service inside it should run as an unprivileged user. Some network services that can be
configured to run in a chroot environment include BIND and Apache. This arrangement is
designed to prevent someone who has exploited a security problem in a service from
getting access to the real system.
Linux Secure Shell
Much of this information is from the secure shell website and is intended as a
supplement for introductory purposes and an aid to enable users to get secure shell
running.
Why you should use secure shell
When a user logs on to a Linux system using the standard telnet or ftp services, the
password is sent over the network in the clear. Anyone with a network sniffer on the
path can intercept the password and then break into the system. Secure shell encrypts
the whole session, including the password exchange, and implements several other
important security measures (such as verifying the server's host key), which allows
users to log on to Linux systems remotely without exposing their credentials to the
network.
Getting secure shell
Refer to the weblinks section under "Sites for specific programs" to locate secure
shell documentation and downloadable copies of secure shell. Secure shell is a
commercial product for corporate use, but may be used by individuals and educational
institutions without charge. The secure shell website contains a FAQ section from which
you can link to mirror sites for documentation and downloading.
Installation on Linux
Place the secure shell downloaded package in /usr/local/source and issue the following
commands:
1. Unpack the file with "tar xvzf ssh-2_2_0_tar.gz". The directory "ssh-2.2.0"
will be created.
2. Enter the directory with the command "cd ssh-2.2.0"
3. Type "./configure" to configure the package for the build.
4. Type "make" to build the package.
5. Type "make install" to install the package.
6. Optionally type "make clean-up-old" to remove *.old files.
This assumes you are installing from a source tarred and zipped file.
Installation on a Windows platform
1. Double click on the SSHWin-2_2_0.EXE file that you downloaded. An install wizard
will begin.
2. Perform the install, reading and accepting the license agreement. The copy I
tested was a 30 day evaluation copy.
3. Click on "Start" -> "Programs" -> "SSH Secure Shell" -> "Secure Shell Client" to
start the secure shell program. This program has an excellent help menu that can
be activated by selecting "Help" -> "Contents".
4. Click on "Edit" -> "Settings" , select "Connection" and enter your hostname and
user name then click OK.
5. Click on "Edit" -> "Settings", select "User Keys" and click on the "Generate
New Key Pair" button to generate a set of keys. You will need to enter a
passphrase, which is later required for key authentication. This will take a few
minutes, so this is a good time to start services on the host side.
6. Start SSH on the host side. On Linux you can type "/usr/local/sbin/sshd2" on the
command line. The program is normally installed in the /usr/local/sbin
directory. To get the program to start at bootup, the above command may be
placed in the /etc/rc.d/rc.local file.
7. Logon from the Windows side by pressing ENTER or selecting "File" -> "Connect".
8. Enter your Linux user name and the user password for your Linux account.
9. Upload the public key file generated earlier to the users home directory ~/.ssh2
directory.
1. Click on "Edit" -> "Settings" , select "Host Settings", and click
"Browse" to locate the public key file generated earlier. It may be in
C:\Program Files\SSH Communications
Security\Users\computername\userkeys\user.pub.
2. Click on "Window" -> "NewFileTransfer"
3. Select "View" -> "Show Hidden Files"
4. Enter the /$HOME/.ssh2 directory.
5. Select "Operation -> "Upload"
10. Create a file called "authorization" in the user's $HOME/.ssh2 directory. You may
use an editor to enter the string "Key" followed by the name of the file you
uploaded, or type the following:
1. cd ~/.ssh2
2. echo "Key username.pub" > authorization
11. The next time you login, if you enter your password in the "Connect to remote
Host" dialog box, you are using password authentication and must enter your
Linux user's password. If you press ENTER when you see this box, you will be
able to enter your pass phrase to use the private key for authentication.
Congratulations, you are done, unless you are interested in setting your Linux computer
as a client. Also, if you are interested in using your Windows computer as a host, you
may need another program (if one exists) since the above program is a Windows SSH2
client program.
Configuring SSH for Linux
This section and the sections below are useful if you want to connect from one Linux
computer to another, or use Linux on the client side. The following steps are
documented in the README file and the SSH2.QUICKSTART file of the SSH package, but
there are additional comments here which may be of some use. It is recommended,
however, that you rely on the package documentation for correct documentation since
programs change and the procedures may change.
You will be generating key sets to allow secure communications in the following steps.
Keep in mind that on the server side, you will need a public key and an authorization
file, and on the client side, you will need a private key and an identification file.
The public key on the server and private key on the client must be a matching pair of
keys as generated by the ssh-keygen2 program. You should know that you can use either
host based authentication or user based authentication. If you use user based
authentication, the key files mentioned below must be set up in the user's home
directory. If host based authentication is used, the host that is being authenticated
must have the appropriate key files. The instructions below set up user authentication.
1. Be sure your computer has the device "/dev/random" which is used to generate
keys. If it does not, you will need to use the ssh-keygen2 utility to generate
security keys.
2. Set up the following files (Note: The ~ symbol indicates the user's home
directory):
o Files needed on the client host to login to a remote server host.
1. ~/.ssh2/id_dsa_1024_a and ~/.ssh2/id_dsa_1024_a.pub - The first
is a 1024 bit DSA private key and the second is a 1024 bit DSA
public key. The second key may be distributed to other computers
that you will want to log in on. The first key must be held only
by the user and kept readable by that user alone.
Create these files while logged in as the user you want to create
them for and type:
ssh-keygen2
You will need to enter a passphrase. It will create the two
files in the location shown above.
2. ~/.ssh2/identification - Lists the private keys to be used for
authentication. The contents of the file should be:
# identification
IdKey id_dsa_1024_a
This can be created using an editor or by running the ssh-pubkeymgr
script. The following commands will also create this file:
1. cd ~/.ssh2
2. echo "IdKey id_dsa_1024_a" > identification
o Files needed on the server host to enable users to login from a remote
client host.
1. Step 1, above, should be repeated on the server host to set up
the user's .ssh2 directory, optionally with a different
passphrase. Then the public key, id_dsa_1024_a.pub, must be copied
to this directory on the server host. Perform step 2, above, if
you want to use the remote machine to log on to other remote
machines.
2. Copy the public key file "~/.ssh2/id_dsa_1024_a.pub" from the
local host above to this remote host and call it
"serverhostname.pub", placing it in the ~/.ssh2 directory.
3. ~/.ssh2/authorization - Lists the public keys that may be used to
log in as this user. Anyone holding the private key matching one of
the listed public keys can log in as that user, so treat each listed
key as a credential. The contents of the file should be:
# authorization
Key serverhostname.pub
2. ssh-keygen2 -P /etc/hostkey
See the ssh2_config and sshd2_config man pages for more configuration file format
information.
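The same two files are created by hand in both procedures above (the Windows client steps and the Linux client steps). As an added example, not part of the original page or the SSH package, the following shell functions do that creation on either end: they create ~/.ssh2 if needed, refuse to list a key file that is not actually there, and never add a duplicate line on a second run. The file names and the IdKey/Key line formats are the ones the text describes; the permission modes (0700 for the directory, 0600 for the private key and the list files), the SSH2_DIR override and the function names are assumptions of this example, not something the page states.

```shell
#!/bin/sh
# Added example, not from the original page or the SSH package: helpers for
# the user key files described in the text. Assumptions: ~/.ssh2 holds the
# files (SSH2_DIR overrides the location), the list files use "IdKey <file>"
# and "Key <file>" lines, and modes 0700/0600 are the conventional choice
# for a directory and files holding authentication material.

SSH2_DIR=${SSH2_DIR:-$HOME/.ssh2}

# ensure_ssh2_dir: create the key directory readable by the user only.
ensure_ssh2_dir() {
  mkdir -p "$SSH2_DIR" && chmod 700 "$SSH2_DIR"
}

# add_line_once FILE LINE: append LINE to FILE unless it is already there, so
# running the setup twice does not produce duplicate entries.
add_line_once() {
  _f=$1 _line=$2
  [ -e "$_f" ] || : > "$_f"
  chmod 600 "$_f"
  if ! grep -qxF -- "$_line" "$_f"; then
    printf '%s\n' "$_line" >> "$_f"
  fi
}

# client_use_key KEYNAME: client side. List the private key KEYNAME in
# ~/.ssh2/identification; refuse if the key file does not exist, and make
# sure nobody but the user can read it.
client_use_key() {
  ensure_ssh2_dir || return 1
  _priv=$SSH2_DIR/$1
  if [ ! -f "$_priv" ]; then echo "no private key $_priv" >&2; return 1; fi
  chmod 600 "$_priv"
  add_line_once "$SSH2_DIR/identification" "IdKey $1"
}

# server_authorize_key PUBFILE: server side. List the public key PUBFILE in
# ~/.ssh2/authorization, which lets the holder of the matching private key
# log in as this user; refuse if the public key file is not present.
server_authorize_key() {
  ensure_ssh2_dir || return 1
  if [ ! -f "$SSH2_DIR/$1" ]; then echo "no public key $SSH2_DIR/$1" >&2; return 1; fi
  add_line_once "$SSH2_DIR/authorization" "Key $1"
}
```

On the client, after running ssh-keygen2, call "client_use_key id_dsa_1024_a"; on the server, after copying the public key into place, call "server_authorize_key serverhostname.pub". Both refuse to write a list entry for a file that is missing, which is the usual reason a key login silently falls back to a password prompt.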
About SSH2
The package now implements the SSH2 protocol, which has improved security over SSH1.
The binary programs include:
ssh2 - The secure shell client, which replaces rlogin and rsh.
sshd2 - The secure shell daemon.
sftp2 - The secure file transfer client; it transfers files over the SSH connection
and replaces FTP.
sftp-server2 - The file transfer server, which is executed by the sshd2 daemon.
scp2 - The secure copy client; it copies files between hosts over the SSH connection
and replaces rcp.
ssh-keygen2 - A utility for generating security keys.
ssh-add2 - Adds identities to the authentication agent.
ssh-agent2 - The authentication agent.
ssh-askpass2 - X utility for querying passwords.
ssh-signer2 - Signs host based authentication packets.
ssh-probe2 - Probes a network for ssh2 servers.
ssh-pubkeymgr - A script utility used to manage public keys.
ssh-chrootmgr - A utility that makes it easier to set up the chroot environment.
An additional man page is "ssh2_config".
Linux Text Processing
Groff
GNU's version of nroff and troff. Groff produces output both for printing and as plain
ASCII text. Macro packages are provided for different types of documents.
Macros:
mgs - The groff ms macros, for writing papers (groff also selects them with -ms)
man - For writing man pages
To make a man page from a created file (see the section on how to make a man page)
type:
groff -t -man -Tascii viewmod.txt > viewmod.1
Output device options:
-Tascii Produces ASCII text
-Tps Produces PostScript
-Tdvi Produces DVI (Device Independent) output, the format also produced by TeX
TEX and LaTeX
LaTeX is a set of macros on top of TeX that is concerned with the structure of a
document such as chapters, footnotes and sections.
LaTeX Commands:
\documentstyle{letter} - Choices: article, report, book, letter. They specify the
global macros.
\begin - Begin document
\end - End document
\\ - Line break
\ - Starts a command. A trailing backslash (backslash followed by a space) forces
a space.
~ - Forces a space between two words or characters without allowing a line break
{\em } - Text within the braces is emphasized
\bf - Boldfaced
\tt - Typewriter text
Example:
\documentstyle{letter}
\address{123 Desert Rd \\Unit 2B\\Wayside, AZ 08821}
\signature{John Smith}
\begin{document}
\begin{letter}{Mr.~George~Linuxuser\\
1100 N East Street \\
California, MD 20190}
\opening{Dear George,}
I would like to inform you that I have just discovered \LaTeX\ and it is the greatest
thing since sliced bread. You should use it for all your text processing needs.
\closing{Most Sincerely,}
\end{letter}
\end{document}
Save as tolinux.tex.
Type "latex tolinux". (\documentstyle is the LaTeX 2.09 form; current LaTeX accepts it
in compatibility mode, but new documents should use \documentclass{letter} instead.)
Results are output in tolinux.dvi.
Use "dvips" to make a PostScript file from the dvi file, e.g. dvips -o tolinux.ps
tolinux.dvi
To see the output, you can use "xdvi" from X windows.
The program "dvilj" will print dvi files on LaserJet printers.
The program "eps" will print dvi files on Epson printers.
@c %**start of header
@setfilename test.info
@settitle An example texinfo file
@c %**end of header
@titlepage
@sp 10
@comment This is to be in large font
@center @titlefont{This Test Title}
@end titlepage
@c Every menu entry must name an existing node, so the Top node and the two
@c nodes the menu refers to are declared below.
@node Top
@top An example texinfo file
@menu
* First Chapter:: The only chapter
* Concept Index:: Index of Concepts
@end menu
@node First Chapter
@chapter First Chapter
@c A numbered list
@enumerate
@item
The first one
@item
The second one
@end enumerate
@node Concept Index
@unnumbered Concept Index
@printindex cp
@contents
@bye
If the file is called test.texi, type "makeinfo test.texi" to make an info file called test.info.
Linux Shell Programming
This section on shell programming, is a brief introduction to shell programming, and
only talks about the bash shell. For more complete information, refer to "The CTDP
Linux Programmer's Guide".
Linux Variables
When variables are used they are referred to with the $ symbol in front of them. There
are several useful variables available in the shell program. Here are a few:
$$ = The PID number of the process executing the shell.
$? = Exit status variable.
$0 = The name of the command you used to call a program.
$1 = The first argument on the command line.
$2 = The second argument on the command line.
$n = The nth argument on the command line.
$* = All the arguments on the command line.
$# = The number of command line arguments.
The "shift" command can be used to shift command line arguments to the left, ie $1
becomes the value of $2, $3 shifts into $2, etc. The command, "shift 2" will shift 2
places meaning the new value of $1 will be the old value of $3 and so forth.
Iteration, control and if statements
if - Used to execute one or more statements on a condition. An example:
if [ ! -d /mnt ] # be sure the directory /mnt exists
then
mkdir /mnt
fi
case - Used to execute specific commands based on the value of a variable. An
example:
case "$NUM" in
1)
echo The number is 1
;;
2)
echo The number is 2
;;
*)
echo The number is not 1 or 2
;;
esac
for - Used to loop for all cases of a condition. In the example below, it is
used to copy all files found in /mnt/floppy to the /etc directory. The lines
were numbered for reference with descriptions:
1. The for loop iterates over every name matching /mnt/floppy/*, assigning each in
turn to the variable $i.
2. A test to be sure the file is a normal file and not a directory.
3. A comment line.
4. This line extracts the name of the file from its full path pointed to by
the variable $i and puts it in the variable $filename. The method used
here is called parameter expansion and is documented in the bash man
page. For more information on parameter expansion read the "Linux
Programmer's Guide".
5. This line sends a statement to the standard output, telling what file is
being copied.
6. This line performs the copy command using the -p option to preserve file
attributes. Note: Much ability to perform script programming is couched
in the ability to know and use the various commands, programs and tools
available in Linux rather than a strict understanding of syntax. This is
obvious to anyone who reads the system startup script files in /etc/rc.d
and associated directories.
7. This line ends the if statement.
8. This line ends the for statement.
1. for i in /mnt/floppy/*; do
2. if [ -f "$i" ]; then
3. # if the file is there
4. filename=${i#/mnt/floppy/}
5. echo copying "$i" to "/etc/$filename"
6. cp -p "$i" "/etc/$filename"
7. fi
8. done
until - Cycles through a loop until some condition is met. The syntax for the
command is shown below:
until [ expression ]
do
statements
done
while - Cycles through a loop while some condition is met. The below example
will cycle through a loop forever:
while [ 1 ]
do
statement(s)
done
Tests
Bash provides a builtin command called test which returns a true (zero) or false
(non-zero) exit status depending on the result of the tested expression. Its syntax is:
test expression
It can also be written as follows, where the closing bracket is required and spaces
must separate both brackets from the expression:
[ expression ]
The tests below are test conditions provided by the shell:
-b file = True if the file exists and is block special file.
-c file = True if the file exists and is character special file.
-d file = True if the file exists and is a directory.
-e file = True if the file exists.
-f file = True if the file exists and is a regular file
-g file = True if the file exists and the set-group-id bit is set.
-k file = True if the files' "sticky" bit is set.
-L file = True if the file exists and is a symbolic link.
-p file = True if the file exists and is a named pipe.
-r file = True if the file exists and is readable.
-s file = True if the file exists and its size is greater than zero.
-S file = True if the file exists and is a socket.
-t fd = True if the file descriptor is opened on a terminal.
-u file = True if the file exists and its set-user-id bit is set.
-w file = True if the file exists and is writable.
-x file = True if the file exists and is executable.
-O file = True if the file exists and is owned by the effective user id.
-G file = True if the file exists and is owned by the effective group id.
file1 -nt file2 = True if file1 is newer, by modification date, than file2.
file1 -ot file2 = True if file1 is older than file2.
file1 -ef file2 = True if file1 and file2 have the same device and inode numbers.
-z string = True if the length of the string is 0.
-n string = True if the length of the string is non-zero.
string1 = string2 = True if the strings are equal.
string1 != string2 = True if the strings are not equal.
!expr = True if the expr evaluates to false.
expr1 -a expr2 = True if both expr1 and expr2 are true.
expr1 -o expr2 = True if either expr1 or expr2 is true.
The syntax for the two-argument tests is:
arg1 OP arg2
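As an added example that is not in the original page, the script below uses the constructs from this section together: positional parameters and shift, a case statement for option parsing, a for loop over a glob, parameter expansion, and the file test operators. It generalizes the /mnt/floppy loop above to any source directory and destination, and copies only regular files, skipping directories and symbolic links; the hypothetical file name copyregular.sh, the -v and -d options and the function names are choices made for this example.

```shell
#!/bin/sh
# Added example, not from the original page: a script that combines the
# shell constructs described in this section. Usage:
#   copyregular.sh [-v] [-d destdir] srcdir...
# (copyregular.sh is a hypothetical file name; the -v and -d options and the
# function names are choices made for this example.)

DEST=/etc       # default destination, as in the /mnt/floppy example
VERBOSE=0

# classify_path PATH: print one word for what PATH is. -L is tested before
# -d and -f because a symbolic link to a directory or file satisfies those
# tests too, and links are to be treated separately.
classify_path() {
  if   [ -L "$1" ]; then echo symlink
  elif [ -d "$1" ]; then echo directory
  elif [ -f "$1" ] && [ -x "$1" ]; then echo executable
  elif [ -f "$1" ]; then echo regular
  elif [ -e "$1" ]; then echo special       # device, pipe, socket
  else                   echo missing
  fi
}

# parse_args "$@": handle leading options with case and shift. Sets DEST,
# VERBOSE and NOPTS, the number of arguments consumed, so the caller can
# "shift $NOPTS" and be left with the operands.
parse_args() {
  NOPTS=0
  while [ $# -gt 0 ]; do
    case "$1" in
      -v) VERBOSE=1 ;;
      -d) if [ $# -lt 2 ]; then echo "$0: -d needs a directory" >&2; return 1; fi
          DEST=$2; shift; NOPTS=$((NOPTS + 1)) ;;   # the option takes an argument
      --) NOPTS=$((NOPTS + 1)); break ;;            # end of options
      -*) echo "$0: unknown option $1" >&2; return 1 ;;
      *)  break ;;                                  # first operand
    esac
    shift; NOPTS=$((NOPTS + 1))
  done
}

# copy_regular SRCDIR: copy the regular files in SRCDIR to $DEST, preserving
# attributes with -p, and set COPIED to the number of files copied.
copy_regular() {
  COPIED=0
  for i in "$1"/*; do
    [ -e "$i" ] || continue               # empty directory: the glob stays literal
    case "$(classify_path "$i")" in
      regular|executable)
        filename=${i##*/}                 # strip everything up to the last slash
        if [ "$VERBOSE" -eq 1 ]; then echo "copying $i to $DEST/$filename"; fi
        cp -p "$i" "$DEST/$filename"
        COPIED=$((COPIED + 1)) ;;
    esac
  done
}

main() {
  parse_args "$@" || return 1
  shift "$NOPTS"
  if [ $# -eq 0 ]; then echo "usage: $0 [-v] [-d destdir] srcdir..." >&2; return 1; fi
  total=0
  for src in "$@"; do
    copy_regular "$src"
    total=$((total + COPIED))
  done
  echo "$total file(s) copied to $DEST"
}

# Run only when given arguments, so the file can also be sourced for its functions.
if [ $# -gt 0 ]; then main "$@"; fi
```

Every variable expansion is double-quoted, unlike the bare $i in the numbered example above; without the quotes a file name containing a space would be split into several words and the test and the copy would operate on the wrong names.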