Lab work for LPI 102 released under the GFDL by LinuxIT. Copyright (c) 2005 LinuxIT.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with the Invariant Sections being History, Acknowledgements, with the Front-Cover Texts being "released under the GFDL by LinuxIT". See the full GFDL license agreement later in the manual.

LinuxIT Technical Education Centre

Introduction

Acknowledgements

The original material was made available by LinuxIT's technical training centre www.linuxit.com. Many thanks to Andrew Meredith for suggesting the idea in the first place. A special thanks to all the students who have helped dilute the technical aspects of Linux administration through their many questions; this has led to the inclusion of more illustrations attempting to introduce concepts in a user-friendly way. Finally, many thanks to Paul McEnery for the technical advice and for starting off some of the most difficult chapters such as the ones covering the X server (101), modems (102), security (102) and the Linux kernel (102).

The manual is available online at http://savannah.nongnu.org/projects/lpi-manuals/. Thank you to the Savannah Volunteers for assessing the project and providing us with the Web space.

History

First release (version 0.0) October 2003. Reviewed by Adrian Thomasset.
Second release (revision 1) January 2003. Reviewed by Andrew Meredith.
Release (version 1.1.test) March 2004. Reviewed by Adrian Thomasset.
Reviewed in January-June 2005 by Adrian Thomasset.

Audience

This course is designed as a 3 to 4 day practical course preparing for the LPI 102 exam. It is recommended that candidates have at least one year's experience doing Linux administration professionally. However, for those who are ready for a challenge, the training is designed to provide as much insight and as many examples as possible to help non-specialists understand the basic concepts and command sets which form the core of Linux computing.

The LPI Certification Program

There are currently two LPI certification levels. The first level, LPIC-1, is granted after passing both exams LPI 101 and LPI 102. Similarly, passing the LPI 201 and LPI 202 exams will grant the second level certification, LPIC-2. There are no prerequisites for LPI 101 and 102. However, the exams for LPIC-2 can only be attempted once LPIC-1 has been obtained.
Exam Registration

In order to register for an LPI exam you first need to get a unique LPI ID at www.lpi.org. You will also need to register with one of the testing organisations such as www.vue.com or www.prometric.com.

No Guarantee

The manual comes with no guarantee at all.

Resources

www.lpi.org
www.linux-praxis.de
www.lpiforums.com
www.tldp.org
www.fsf.org
www.linuxit.com

Notations

Commands and filenames will appear in the text in bold. The < > symbols are used to indicate a non-optional argument. The [ ] symbols are used to indicate an optional argument. Commands that can be typed directly in the shell are highlighted as below:

    command

Contents

The Linux Kernel
  1. Kernel Concepts
  2. The Modular Kernel
  3. Routine Kernel Recompilation
  4. Exercises and Summary

Booting Linux
  1. Understanding Runlevels
  2. Services and Runtime Control Scripts
  3. The joys of inittab
  4. LILO and GRUB
  5. From boot to bash
  6. Exercises and Summary

Managing Groups and Users
  1. Creating new users
  2. Working with groups
  3. Configuration files
  4. Command options
  5. Modifying accounts and default settings
  6. Exercises and Summary

Network Configuration
  1. The Network Interface
  2. Host Information
  3. Stop and Start Networking
  4. Routing
  5. Common Network Tools
  6. Exercises and Summary

TCP/IP Networks
  1. Binary Numbers and the Dotted Quad
  2. Broadcast Address, Network Address and Netmask
  3. Network Classes
  4. Classless Subnets
  5. The TCP/IP Suite
  6. TCP/IP Services and Ports
  7. Exercises and Summary

Network Services
  1. The inetd daemon (old)
  2. The xinetd Daemon
  3. Telnet and FTP
  4. TCP wrappers
  5. Setting up NFS
  6. SMB and NMB
  7. DNS services
  8. Sendmail main Configuration
  9. The Apache server
  10. Exercises and Summary

Bash Scripting
  1. The bash environment
  2. Scripting Essentials
  3. Logical evaluations
  4. Flow Control and Loops
  5. Expecting user input
  6. Working with Numbers
  7. Exercises and Summary

Basic Security
  1. Local Security
  2. Network Security
  3. The Secure Shell
  4. Time Configuration
  5. Exercises and Summary

Linux System Administration
  1. Logfiles and configuration files
  2. Log Utilities
  3. Automatic Tasks
  4. Backups and Compressions
  5. Documentation
  6. Exercises and Summary
The Linux Kernel

Prerequisites
- Understand shell tools and commands (see LPI 101)
- Experience compiling and installing software from source (see LPI 101)

Goals
- Manage Linux kernel modules
- Configure the kernel source
- Compile and install a kernel

Contents
1. Kernel Concepts
2. The Modular Kernel
3. Routine Kernel Recompilation
   3.1 Source extraction
   3.2 Kernel Configuration
   3.3 Kernel Compilation
   3.4 Installing a New Kernel
   3.5 The full kernel version
   3.6 Initial Ramdisks
   3.7 Optional
   3.8 Re-installing LILO
4. Exercises and Summary

1. Kernel Concepts

The two different types of Linux kernel are:

A) Monolithic

A monolithic kernel is one which has support for all hardware, network and filesystem drivers compiled into a single image file.

B) Modular

A modular kernel is one which has some drivers compiled as object files, which the kernel can load and remove on demand. Loadable modules are kept in /lib/modules.

The advantage of a modular kernel is that it doesn't always need to be recompiled when hardware is added or replaced on the system. Monolithic kernels boot slightly faster than modular kernels, but do not outperform the modular kernel.

Note that a module runs with the same privilege as the rest of the kernel: loading one is a root-only operation, and a kernel built without module support (CONFIG_MODULES unset) cannot have code inserted at run time at all, which is why some hardened systems deliberately use a monolithic kernel.

2. The Modular Kernel

Many components of the Linux kernel may be compiled as modules which the kernel can dynamically load and remove as required. The modules for a particular kernel are stored in /lib/modules/<kernel-version>. The best components to modularise are ones not required at boot time, for example peripheral devices and supplementary file systems.
Kernel modules are controlled by utilities supplied by the modutils package:

    lsmod     list currently loaded modules
    rmmod     remove a single module
    insmod    insert a single module
    modprobe  insert a module together with the dependencies listed in modules.dep
    modinfo   list information about the author, license type and module parameters

Many modules are dependent on the presence of other modules. A flat file database of module dependencies, /lib/modules/<kernel-version>/modules.dep, is generated by the depmod command. This command is run at boot time (for example by the rc.sysinit script).

modprobe will load a module and the dependent modules listed in modules.dep; it also consults /etc/modules.conf (formerly /etc/conf.modules) for aliases and module options. Search for example for modules that will be loaded at the same time as tvaudio:

    grep tvaudio /lib/modules/kernel-version/modules.dep
    /lib/modules/kernel-version/kernel/drivers/media/video/tvaudio.o: \
        /lib/modules/kernel-version/kernel/drivers/i2c/i2c-core.o

This means that the module i2c-core.o will also be loaded when using modprobe. This dependency is also apparent when listing the module with lsmod:

    lsmod
    Module      Size   Used by    Not tainted
    tvaudio     16796  0 (unused)
    i2c-core    19236  0 [tvaudio]
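As an added example (not part of the LinuxIT manual), the script below reproduces what modprobe does with modules.dep: it joins the backslash-continued records, looks up a module by name and prints the modules in the order they would be inserted, dependencies first and each only once. The modules.dep content is constructed inline for the demonstration; the 2.4.20 paths and the bttv/videodev entries are assumptions, not copied from a real system.

```shell
#!/bin/sh
# Added example: resolve the insertion order modprobe derives from a
# 2.4-style modules.dep. The dependency file is CONSTRUCTED here; the
# paths and the bttv/videodev records are assumptions for the demo.

DEPFILE=$(mktemp)
trap 'rm -f "$DEPFILE"' EXIT
cat > "$DEPFILE" <<'EOF'
/lib/modules/2.4.20/kernel/drivers/media/video/tvaudio.o: \
    /lib/modules/2.4.20/kernel/drivers/i2c/i2c-core.o
/lib/modules/2.4.20/kernel/drivers/i2c/i2c-core.o:
/lib/modules/2.4.20/kernel/drivers/net/e100.o:
/lib/modules/2.4.20/kernel/drivers/media/video/bttv.o: \
    /lib/modules/2.4.20/kernel/drivers/media/video/videodev.o \
    /lib/modules/2.4.20/kernel/drivers/i2c/i2c-core.o
/lib/modules/2.4.20/kernel/drivers/media/video/videodev.o:
EOF

# modules.dep wraps long records with backslash-newline; join them so that
# every record is "<module path>: <dependency path>..." on a single line.
records() {
    awk '{ line = line $0
           if (sub(/\\$/, "", line)) next      # record continues on next line
           print line; line = "" }
         END { if (line != "") print line }' "$DEPFILE"
}

# Full path of the module whose basename is "<name>.o" (what modprobe
# resolves a bare module name to).
path_of() {
    records | awk -v want="$1.o" '{ p = $1; sub(/:$/, "", p)
                                     n = split(p, parts, "/")
                                     if (parts[n] == want) { print p; exit } }'
}

# Direct dependencies (paths) of the module at path $1.
deps_of() {
    records | awk -v p="$1" '{ k = $1; sub(/:$/, "", k)
                               if (k == p) { for (i = 2; i <= NF; i++) print $i; exit } }'
}

# Depth-first walk, dependencies first, each module visited once: the
# order in which modprobe inserts the stack.
_visit() {
    case " $_seen " in *" $1 "*) return 0 ;; esac
    _seen="$_seen $1"
    for dep in $(deps_of "$1"); do _visit "$dep"; done
    printf '%s\n' "$1"
}

load_order() {
    _seen=""
    p=$(path_of "$1")
    [ -n "$p" ] || { echo "no module named $1 in $DEPFILE" >&2; return 1; }
    _visit "$p"
}

load_order "${1:-tvaudio}"
```

Run it as `sh moddeps.sh bttv` to see that videodev and i2c-core come out before bttv. The same mechanism is why depmod has to be re-run after modules are added or replaced, and why modules.dep and the module files themselves must stay writable only by root: modprobe inserts whatever the file names, with kernel privilege.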
/etc/modules.conf is consulted for module parameters (IRQ and I/O ports) but most often contains a list of aliases. These aliases allow applications to refer to a device using a common name. For example the first ethernet device is always referred to as eth0 and not by the name of the particular driver.

Sample /etc/modules.conf file:

    alias eth0 e100
    alias usb-core usb-uhci
    alias sound-slot-0 i810_audio
    alias char-major-108 ppp_generic
    alias ppp-compress-18 ppp_mppe
    # 100Mbps full duplex
    options eth0 e100_speed_duplex=4

modinfo will give information about modules:

    modinfo tvaudio
    filename:    /lib/modules/kernel-version/kernel/drivers/media/video/tvaudio.o
    description: "device driver for various i2c TV sound decoder / audiomux chips"
    author:      "Eric Sandeen, Steve VanDeBogart, Greg Alexander, Gerd Knorr"
    license:     "GPL"
    parm:        debug int
    parm:        probe short array (min = 1, max = 48), description "List of adapter,address pairs to scan additionally"
    parm:        probe_range short array (min = 1, max = 48), description "List of adapter,start-addr,end-addr triples to scan additionally"
    parm:        ignore short array (min = 1, max = 48), description "List of adapter,address pairs not to scan"
    parm:        ignore_range short array (min = 1, max = 48), description "List of adapter,start-addr,end-addr triples not to scan"
    parm:        force short array (min = 1, max = 48), description "List of adapter,address pairs to boldly assume to be present"
    parm:        tda9874a_SIF int
    parm:        tda9874a_AMSEL int
    parm:        tda9874a_STD int
    parm:        tda8425 int
    parm:        tda9840 int

To get information only about the parameter options use modinfo -p; to get information about the license type use modinfo -l, etc.

kmod is a mechanism that allows the kernel to automatically load modules as needed (one seldom needs to insert modules manually). This is in fact a statically compiled (resident) part of the kernel that needs to be enabled before compiling the kernel. The command used by the kernel to load the modules is defined in /proc/sys/kernel/modprobe. Because the kernel executes that helper with full privileges whenever a module is requested, both the path stored there and the program it points to must be writable only by root.
3. Routine Kernel Recompilation

3.1 Source extraction

The kernel source is stored in the /usr/src/linux directory tree, which is a symbolic link to the /usr/src/<kernel-version> directory. When extracting a new kernel source archive it is recommended to:

- remove the symbolic link to the old kernel source directory tree:

    rm linux

  Kernel sources which have been packaged as an RPM often create a link called linux-2.4.

- extract the new source archive (e.g. linux-2.4.20.tar.bz2):

    tar xjf linux-2.4.20.tar.bz2

  Before unpacking an archive downloaded from a mirror, check it against the detached GPG signature (.sign file) that kernel.org publishes next to each archive; a tampered source tree becomes a tampered kernel.

  Note: The archived 2.2 series kernels create a directory called linux instead of linux-<version>. This is why the first step is important, otherwise you may overwrite an old source tree with the new one. Since kernel 2.4 the name of the directory is linux-<version>.

- create a symbolic link called linux to the newly created directory:

    ln -s linux-2.4.20 linux

The kernel is almost ready to be configured now, but first we need to make sure that all old binary files are cleared out of the source tree, and this is done with the make mrproper command.

Warning: this command will also delete the kernel configuration file .config discussed later.

    cd /usr/src/linux
    make mrproper

Note: mrproper is a Scandinavian brand of cleaner that gets things "cleaner than clean"; it is one step beyond "make clean".

3.2 Kernel Configuration

First edit the Makefile and make sure that the "EXTRAVERSION" variable is different from the existing version:

    VERSION = 2
    PATCHLEVEL = 4
    SUBLEVEL = 20
    EXTRAVERSION = -test

The kernel is now ready to be configured. This essentially means creating a configuration file called .config. This is done from the kernel source tree directory /usr/src/linux with any of the following:

    make menuconfig
    make xconfig
    make config

All these methods will save the configuration file as /usr/src/linux/.config.
It is often easier to configure a new kernel using an older .config file by using the make oldconfig command. This will prompt the user only for new features in the kernel source tree (if the kernel is newer or has been patched).

Notice: Some distributions such as RedHat have a configs subdirectory containing files to be used as .config files with predefined configurations.

To enable kernel features (with make menuconfig) you enter the top level category by moving with the arrow keys and pressing Enter to access the desired category. Once in the particular category, pressing the space bar will change the kernel support for a feature or driver. Possible support types are:

    supported (statically compiled)   [*]
    modular (dynamically compiled)    [M]
    not supported                     [ ]

The same choices are available with the other menu editors config and xconfig.

Troubleshooting: The make menuconfig target needs the ncurses header files. These are provided by the ncurses-devel package and must be installed for this target to work.

Fig 2: The make xconfig top level menu

3.3 Kernel Compilation

make clean

The make command gets instructions from the Makefile and will build what is needed. If some files are already present, make will use them as they are, in particular files with the .o extension. To make sure that all the configuration options in .config are used to rebuild the files needed, one has to run make clean (this deletes the *.o files).

Notice: you do not need to do "make clean" at this stage if you already prepared the source directory with "make mrproper".

make dep

Once the kernel configuration is complete, it is necessary to reflect these choices in all the subdirectories of the kernel source tree. This is done with the make dep command. The files named .depend containing paths to header files present in the kernel source tree (/usr/src/linux/include) are generated this way.

The kernel itself is compiled with one of the commands:
    make zImage
    make bzImage

When the command exits without any errors, there will be a file in the /usr/src/linux/ directory called vmlinux. This is the uncompressed kernel.

The two commands also write a compressed, bootable image in /usr/src/linux/arch/i386/boot/ called zImage and bzImage respectively. Both are gzip-compressed: the "b" in bzImage stands for "big" (the image is loaded above the 1 MB boundary and so is not subject to the size limit of zImage) and has nothing to do with bzip2. See the next section, Installing a New Kernel, to find out how to proceed with these files.

make modules

The modules are compiled with make modules.

make modules_install

Once the modules are compiled they need to be copied to the corresponding subdirectory in /lib/modules. The make modules_install command will do that.

The sequence of commands is depicted in Fig 3.

Fig 3: Kernel compilation commands

    make dep
    make clean
    make bzImage
    make modules
    make modules_install

3.4 Installing a New Kernel

The new kernel can be found in /usr/src/linux/arch/i386/boot/bzImage (the exact path depends on the architecture of your system). This file must be copied to the /boot directory and named vmlinuz-<full-kernel-version>:

    cp /usr/src/linux/arch/i386/boot/bzImage /boot/vmlinuz-<full-kernel-version>

Next the /etc/lilo.conf or /boot/grub/grub.conf file needs to be edited to add our newly compiled kernel to the boot menu. Copy the "image" section from your existing kernel and add a new image section at the bottom of the file, as shown below:

Editing the /etc/lilo.conf file

    prompt
    timeout=50
    message=/boot/message

    image=/boot/vmlinuz                          <- existing section
        label=linux
        root=/dev/hda6
        read-only

    image=/boot/vmlinuz-<full-kernel-version>    <- added section
        label=linux-new
        root=/dev/hda6
        read-only
    ..........snip...............................

Keep the existing section untouched: it is what you boot if the new kernel fails.

The symbol table for the various kernel procedures can be copied to the /boot directory:

    cp /usr/src/linux/System.map /boot/System.map-<full-kernel-version>

3.5 The full kernel version

On a system, the version of the running kernel can be printed out with

    uname -r

This kernel version is also displayed on the virtual terminals if the \r escape is present in /etc/issue (mingetty and agetty expand \r to the kernel release).

3.6 Initial Ramdisks

If any dynamically compiled kernel modules are required at boot time (e.g. a SCSI driver, or the filesystem module for the root partition) they will be loaded using an initial ramdisk. The initial ramdisk is created with the mkinitrd command, which only takes two parameters: the filename and the kernel version number. If you use an initial ramdisk then you will need to add an initrd= line to the image section in your /etc/lilo.conf.

    mkinitrd /boot/initrd-<full-version>.img <full-version>

3.7 Optional

It is recommended to copy the /usr/src/linux/.config file to /boot/config-<full-kernel-version>, just to keep track of the capabilities of the different kernels that have been compiled.

3.8 Re-installing LILO

Finally lilo needs to be run in order to update the boot loader. First lilo can be run in test mode to see if there are any errors in the configuration file:

    lilo -t

and then for real:

    lilo

NOTICE: The LILO bootloader needs to be updated by running lilo every time a change is made in /etc/lilo.conf. Unlike GRUB, LILO records the disk blocks of each kernel image in its map file, so lilo must also be re-run whenever a kernel file referenced from lilo.conf is replaced or moved.
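The steps of section 3 collected into one script, added here as an example (it is not the manual's own material). It reads the full kernel version from the Makefile exactly as the kernel does, refuses to build if that version is the running kernel or is already installed in /boot or /lib/modules, runs the make sequence, copies bzImage, System.map and .config into /boot, builds the initrd, appends a LILO stanza and runs lilo -t before lilo. It assumes an i386 tree, a Red Hat style mkinitrd taking the image name and the version, LILO as the boot loader and the root device /dev/hda6 from the lilo.conf listing above; the Makefile header it parses for its self-check is constructed inline.

```shell
#!/bin/sh
# Added example: the section 3 build-and-install sequence as one script,
# with the checks that are easy to forget by hand. Destructive steps run
# only when invoked as:  sh build-kernel.sh --run [/usr/src/linux] [/dev/hda6]
# The Makefile fragment below is CONSTRUCTED for the demo; the i386 path,
# the /boot naming and the label "linux-new" follow the manual.

# Value of a top-level Makefile variable (VERSION, EXTRAVERSION, ...).
mk_var() {   # $1 = Makefile, $2 = variable name
    awk -F= -v name="$2" '$1 ~ ("^" name "[ \t]*$") {
        v = $2; gsub(/[ \t]/, "", v); print v; exit }' "$1"
}

# The "full kernel version": what uname -r prints once this build runs.
kernel_release() {   # $1 = Makefile
    printf '%s.%s.%s%s\n' "$(mk_var "$1" VERSION)" "$(mk_var "$1" PATCHLEVEL)" \
                           "$(mk_var "$1" SUBLEVEL)" "$(mk_var "$1" EXTRAVERSION)"
}

# Refuse to clobber the running kernel or an installed one: the reason
# the manual tells you to change EXTRAVERSION before configuring.
release_is_free() {   # $1 = release
    [ "$1" != "$(uname -r)" ] || return 1
    [ ! -e "/boot/vmlinuz-$1" ] || return 1
    [ ! -d "/lib/modules/$1" ] || return 1
    return 0
}

# LILO image section for the new kernel; the old section stays as fallback.
lilo_stanza() {   # $1 = release, $2 = root device
    printf 'image=/boot/vmlinuz-%s\n\tlabel=linux-new\n\troot=%s\n\tinitrd=/boot/initrd-%s.img\n\tread-only\n' \
        "$1" "$2" "$1"
}

build_and_install() {   # $1 = source tree, $2 = root device
    rel=$(kernel_release "$1/Makefile")
    release_is_free "$rel" || { echo "$rel already present: change EXTRAVERSION first" >&2; return 1; }
    [ -f "$1/.config" ] || { echo "no .config: run make menuconfig first" >&2; return 1; }
    (cd "$1" && make dep && make clean && make bzImage && make modules && make modules_install) || return 1
    cp "$1/arch/i386/boot/bzImage" "/boot/vmlinuz-$rel"
    cp "$1/System.map" "/boot/System.map-$rel"
    cp "$1/.config" "/boot/config-$rel"
    mkinitrd "/boot/initrd-$rel.img" "$rel"
    cp /etc/lilo.conf "/etc/lilo.conf.bak-$rel"
    lilo_stanza "$rel" "$2" >> /etc/lilo.conf
    lilo -t && lilo            # check the map first, then really write it
}

# Constructed Makefile header in the 2.4 layout shown in section 3.2.
SAMPLE_MAKEFILE=$(mktemp)
trap 'rm -f "$SAMPLE_MAKEFILE"' EXIT
cat > "$SAMPLE_MAKEFILE" <<'EOF'
VERSION = 2
PATCHLEVEL = 4
SUBLEVEL = 20
EXTRAVERSION = -test

KERNELRELEASE=$(VERSION).$(PATCHLEVEL).$(SUBLEVEL)$(EXTRAVERSION)
EOF

if [ "${1:-}" = "--run" ]; then
    build_and_install "${2:-/usr/src/linux}" "${3:-/dev/hda6}"
else
    echo "would install kernel release: $(kernel_release "$SAMPLE_MAKEFILE")"
fi
```

Without --run the script only prints the release it would install, so it can be read and tried safely; with --run it must be executed as root. The version check is the important part: a build whose release equals the running kernel would let make modules_install overwrite the modules of the kernel you are currently booted from.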
4. Exercises and Summary

Files

    /etc/modules.conf                          used by modprobe before inserting a module
    /lib/modules/<kernel-version>/             directory where the modules for a given kernel version are stored
    /lib/modules/<kernel-version>/modules.dep  list of module dependencies created by depmod

Commands

depmod
    depmod(8) - kernel modules can provide services (called "symbols") for other modules to use (using EXPORT_SYMBOL in the code). If a second module uses this symbol, that second module clearly depends on the first module. depmod creates a list of module dependencies by reading each module under /lib/modules/<version> and determining what symbols it exports and what symbols it needs. By default this list is written to modules.dep in the same directory.

insmod
    insmod(8) - a trivial program to insert a module into the kernel: if the filename is a hyphen, the module is taken from standard input. Most users will want to use modprobe(8) instead, which is cleverer.

make clean
    delete all object files in the source tree

make config
    configure the Linux kernel

make dep
    creates a list of extra headers in files called .depend needed to satisfy module dependencies

make menuconfig
    configure the Linux kernel using a menu

make modules
    compile all the external/dynamic modules for this kernel

make modules_install
    install the compiled modules in /lib/modules/<kernel-version>

make oldconfig
    create a default .config if it doesn't exist. If a .config file already exists the chosen configuration is unchanged. If the source tree has changed, for example after a patch (see LPI 201), or the .config file corresponds to an older kernel, then extra configuration options must be supplied.

make xconfig
    configure a Linux kernel using a menu

lsmod
    list all dynamically loaded modules

modinfo
    print information about a kernel module such as the author (-a), the description (-d), the license (-l) or parameters (-p)

modprobe
    modprobe(8) - will automatically load all base modules needed in a module stack, as described by the dependency file modules.dep. If the loading of one of these modules fails, the whole current stack of modules loaded in the current session will be unloaded automatically.

rmmod
    rmmod(8) - tries to unload a set of modules from the kernel, with the restriction that they are not in use and that they are not referred to by other modules.

Before starting with the exercises make sure you don't have an existing kernel tree in /usr/src/. If you do, pay attention to the /usr/src/linux symbolic link.

1. Manually recompile the kernel following the compilation steps.

- Get the kernel-<version>.src.rpm package from an FTP mirror site or a CD. Installing this package will also give you a list of dependencies, such as the gcc compiler or the binutils package, if they haven't yet been met.
- Install the package with rpm -i (this will put all the code in /usr/src/).
- Go into the /usr/src/linux-<version> directory and list the configs directory.
- Copy the kernel config file that matches your architecture into the current directory and call it .config.
- Run make oldconfig at the command line to take into account this new .config file.
- Edit the Makefile and make sure the version is not the same as your existing kernel. You can get information on your current kernel by running uname -a at the command line or by listing the /lib/modules directory.
- Run make menuconfig (or make config or make xconfig) and remove ISDN support from the kernel.
. 1hen you exit the above program the .con!ig file is altered but the changes have not yet taken place in the rest of the source tree. :ou next need to run ma0e dep . "inally to force new ob-ect files &.o) to be compiled with these changes you delete all previously compiled code with ma0e c)ean . :ou can now build the kernel the modules and install the modules with+ ma0e b8Image modu)es modu)es9insta)) . The modules are now installed in the /lib/modules/version directory. The kernel is called b=Ima"e and is in the following directory+ _____________________________________________________________________ '* LinuxI e!hni!al 'du!ation (entre he Linux ,ernel ___________________________________________________________ /usr/src/linux/arch/i386/boot/ 1e need to manually install this kernel &* steps)+ ?i@ cp usrsrc)inuxarchi:;<bootb8Image boot*m)inu814full-kernel-version5 ?ii@ That was easyQ 1e next edit the bootloader configuration file+ if you are using LIL2! edit /etc/lilo.conf and add an RimageF paragraph that will tell LIL2 where to find this kernel and the root filesystem. 4un /sbin/lilo and reboot if your are using ?4<@! edit /boot/grub/grub.conf or /boot/grub/menu.lst 2$ /ince we downloaded the 0erne)1version.src.rpm package we can now use this package to recompile a R4ed8at preconfiguredF kernel. Cotice that although no intervention is needed you wonFt be able to change the .con!ig menu. . "irst rebuild the compiled binary package with rpm 11rebui)d 0erne)1version.src.rpm &...waitQ) . This will eventually generate the kernel-version.i368.rpm in /usr/src/redhat/RPM/i386/. . Cext! upgrade you kernel with the 4#M manager using the B0 option. _____________________________________________________________________ '3 LinuxI e!hni!al 'du!ation (entre -ootin" Linux ____________________________________________________________________________ 5ootin& Linux Prere6uisites Cone Goals Manage services &e.g mail! webserver! 
  etc) using runlevels
- Understand the role of the init process and its configuration file /etc/inittab
- Recognise the three phases of the booting process: Bootloader, Kernel and Init

Contents
  Booting Linux                              14
  1. Understanding Runlevels                 15
  2. Services and Runtime Control Scripts    16
  3. The Joys of inittab                     18
  4. LILO and GRUB                           19
  5. From boot to bash                       23
  6. Exercises and Summary                   24

Overview

Taking a closer look at the booting process helps troubleshooting when dealing with both hardware and software problems. We first focus on the role of the init program and its associated configuration file /etc/inittab. The role of LILO or GRUB is investigated in greater depth. Finally we summarise the booting process.

The document "From Power to Bash Prompt" written by Greg O'Keefe as well as the boot(7) manpage are both good references for this module.

1. Understanding Runlevels

Unlike most non-UNIX operating systems which only have 2 modes of functionality (on and off), UNIX operating systems, including Linux, have different runlevels such as a "maintenance" runlevel or a "multi-user" runlevel, etc. Runlevels are numbered from 0 to 6 and will vary from one Linux distribution to another. The description of each runlevel's functionality is sometimes documented in /etc/inittab.

Example Linux runlevels
  Runlevel 0   shuts down the machine safely; the operating system will also attempt to power off the system if possible
  Runlevel 1   is single user mode; only one terminal is available for the (single) user root; all other users are logged out
  Runlevel 2   is multi-user mode, but does not start NFS; most network services like email or web services are also stopped
  Runlevel 3   is full multi-user mode; selected network services are all on
  Runlevel 4   is not defined and generally unused
  Runlevel 5   is like runlevel 3 but runs a Display Manager as well
  Runlevel 6   restarts the machine safely

Highlighted runlevels 0, 1 and 6 offer the same functionalities for all Linux flavours.

INIT Controls Runlevels

Both init and telinit are used to switch from one runlevel to another. Remember that init is the first program launched after the kernel has accessed the root device. At boot time init is instructed which runlevel to reach in /etc/inittab with the line:

    id:5:initdefault:

When the system is started it is possible to change runlevels by invoking init (or telinit, which is a symbolic link pointing at init).

For example we switch to runlevel 4 with either of the next commands:

    init 4
    telinit 4

The PID for init is always 1. It is possible to find out which runlevel the system is currently in with the command runlevel:

    runlevel
    N 5

The first number is the previous runlevel (or N if not applicable) and the second number is the current runlevel.

2. Services and Runtime Control Scripts

Each runlevel is characterised by a set of services that are either started or stopped. The services are controlled by runtime control scripts kept in /etc/rc.d/init.d or /etc/init.d. Each rc-script will control the daemon associated with the service using an argument.

Example: restarting the apache server:

    /etc/rc.d/init.d/httpd restart

Expected arguments
  restart   do stop then start
  stop      stop the daemon associated with the service
  start     start the service
  status    return the status of the service (running or stopped)

Typical services in /etc/rc.d/init.d/:

    ls /etc/rc.d/init.d
    anacron   cups       identd    kadmin     krb5kdc    mcserv   nscd     random      smb     xfs
    apmd      dhcpd      innd      kdcrotate  kudzu      named    ntpd     rawdevices  snmpd   xinetd
    arpwatch  functions  ipchains  keytable   ldap       netfs    pcmcia   rhnsd       suid
    atd       gpm        iptables  killall    linuxconf  network  portmap  rwhod       sshd
    autofs    halt       irda      kprop      lpd        nfs      pgsql    sendmail    syslog
    crond     httpd      isdn      krb524     marsrv     nfslock  pppoe    single      tux

Once a service is started it will run until a new runlevel is started.

Selecting Services per Runlevel

We will follow what happens when we switch from one runlevel to another. Say you want to be in runlevel 2, you would type:

    /sbin/init 2

This in turn forces init to read its configuration file /etc/inittab. We will look at this file in detail in the next section. For now we are concerned with the single line in /etc/inittab that will start all the services:

    l2:2:wait:/etc/rc.d/rc 2

The "/etc/rc.d/rc 2" command will start scripts in /etc/rc.d/rc2.d starting with an S and will stop services starting with a K. The next sample listing shows that the httpd daemon will be stopped, while the syslogd daemon will be started:

    ls /etc/rc.d/rc2.d -l | egrep "httpd|syslog"
    lrwxrwxrwx 1 root root 15 Mar 23 21:01 /etc/rc.d/rc2.d/K15httpd -> ../init.d/httpd
    lrwxrwxrwx 1 root root 16 Mar 20 20:03 /etc/rc.d/rc2.d/S12syslog -> ../init.d/syslog

One can also see that the scripts are symbolic links pointing to the rc-scripts in /etc/rc.d/init.d. Therefore, if you don't want a process to run in a given runlevel N you can delete the corresponding symlink in /etc/rc.d/rcN.d beginning with an S and add one beginning with a K.

Runtime Editors (not an LPI objective)

A runtime editor will automatically manage these symbolic links allowing a system administrator to switch a service on or off per runlevel as needed. Once again different distributions use different tools. Since the LPI certification is vendor independent none of these tools are examinable.
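As an added example, not from the LinuxIT manual, the following POSIX shell script emulates what "/etc/rc.d/rc N" does with the K and S links of an rcN.d directory, lists which services a runlevel leaves running, and performs the S-to-K swap described above by hand. It builds a constructed init.d/rc2.d tree under mktemp (the service names are sample data) and never touches the real /etc.

```shell
#!/bin/sh
# Added example (not from the LinuxIT manual). It emulates what the
# "/etc/rc.d/rc N" command does with the K* and S* symlinks of an rcN.d
# directory and lets you audit or change which services a runlevel starts.
# Everything works on a constructed tree under mktemp, never on the real /etc.

# make_sample_rc2: build a constructed init.d/rc2.d pair (sample data) and
# print its top directory. The link names mirror the listing above.
make_sample_rc2() {
    top=$(mktemp -d) || return 1
    mkdir -p "$top/init.d" "$top/rc2.d"
    for svc in httpd syslog network sshd xinetd; do
        # Each stand-in rc-script only reports the argument it was given.
        printf '#!/bin/sh\necho "%s $1"\n' "$svc" > "$top/init.d/$svc"
    done
    # Relative targets, exactly like "../init.d/httpd" in the ls output above.
    ln -s ../init.d/httpd   "$top/rc2.d/K15httpd"
    ln -s ../init.d/xinetd  "$top/rc2.d/K50xinetd"
    ln -s ../init.d/network "$top/rc2.d/S10network"
    ln -s ../init.d/syslog  "$top/rc2.d/S12syslog"
    ln -s ../init.d/sshd    "$top/rc2.d/S55sshd"
    printf '%s\n' "$top"
}

# rc_plan RCDIR: print the calls rc would make, in order: every K link with
# the "stop" argument (ascending number), then every S link with "start".
rc_plan() {
    for link in "$1"/K*; do
        [ -L "$link" ] || continue
        name=$(basename "$link")
        echo "stop ${name#K[0-9][0-9]}"
    done
    for link in "$1"/S*; do
        [ -L "$link" ] || continue
        name=$(basename "$link")
        echo "start ${name#S[0-9][0-9]}"
    done
}

# rc_run RCDIR: execute the plan. The real rc script runs each link directly;
# "sh link" is used here so the sample also works on a noexec /tmp.
rc_run() {
    for link in "$1"/K*; do
        [ -L "$link" ] || continue
        sh "$link" stop
    done
    for link in "$1"/S*; do
        [ -L "$link" ] || continue
        sh "$link" start
    done
}

# enabled_services RCDIR: the services this runlevel starts, in start order.
# This is the list to review when deciding what a host should expose.
enabled_services() {
    rc_plan "$1" | awk '$1 == "start" { print $2 }'
}

# disable_service RCDIR SVC: do by hand what a runtime editor does, as the
# text describes: remove the S link and add a K link to the same rc-script.
# The two-digit number is kept; chkconfig takes the stop priority from the
# script's header instead. Returns 1 if SVC has no S link in RCDIR.
disable_service() {
    for link in "$1"/S[0-9][0-9]"$2"; do
        [ -L "$link" ] || return 1
        num=$(basename "$link" | cut -c2-3)
        target=$(readlink "$link")
        rm "$link" && ln -s "$target" "$1/K$num$2"
    done
}
```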
3. The Joys of inittab

As promised we next take a closer look at /etc/inittab. The file has the following structure:

    id : runlevel : action : command

The /etc/inittab file:

    id:3:initdefault:
    # System initialization.
    si::sysinit:/etc/rc.d/rc.sysinit
    l0:0:wait:/etc/rc.d/rc 0
    l1:1:wait:/etc/rc.d/rc 1
    l2:2:wait:/etc/rc.d/rc 2
    l3:3:wait:/etc/rc.d/rc 3
    l4:4:wait:/etc/rc.d/rc 4
    l5:5:wait:/etc/rc.d/rc 5
    l6:6:wait:/etc/rc.d/rc 6
    -----------------------snip-----------------------
    # Trap CTRL-ALT-DELETE
    ca::ctrlaltdel:/sbin/shutdown -t3 -r now
    -----------------------snip-----------------------
    # Run gettys in standard runlevels
    1:2345:respawn:/sbin/mingetty tty1
    2:2345:respawn:/sbin/mingetty tty2
    3:2345:respawn:/sbin/mingetty tty3
    4:2345:respawn:/sbin/mingetty tty4
    5:2345:respawn:/sbin/mingetty tty5
    6:2345:respawn:/sbin/mingetty tty6
    # Run xdm in runlevel 5
    x:5:respawn:/etc/X11/prefdm -nodaemon

The id field can be anything. If a runlevel is specified then the command and the required action will be performed only at that specific runlevel. If no number is specified then the line is executed at any runlevel.

Recognisable features in the /etc/inittab file:

The default runlevel: this is set at the beginning of the file with the id "id" and the action initdefault. Notice that no command is given. This line simply tells init what the default runlevel is.

First program called by init: /etc/rc.d/rc.sysinit. This script sets system defaults such as the PATH variable, determines if networking is allowed, the hostname, etc ...

Default runlevel services: If the default runlevel is 3 then only the line "l3" will be executed. The action is "wait": no other program is launched until all services in runlevel 3 are running.

The getty terminals: The lines with id's 1 to 6 launch the virtual terminals. This is where you can alter the number of virtual terminals.

Runlevel 5: The final line in inittab launches the X window manager if runlevel 5 is reached.

Remarks:

1. You can set a modem to listen for connections in inittab. If your modem is linked to /dev/ttyS1 then the following line will allow data connections (no fax) after 2 rings:

    S1:12345:respawn:/sbin/mgetty -D -x 2 /dev/ttyS1

2. When making changes to /etc/inittab you need to force init to reread this configuration file. This is most easily done using:

    /sbin/init q

4. LILO and GRUB

During boot-up, boot loaders need to know where the kernel is (usually in /boot) and which device is the root device.

    BOOTLOADER ----> KERNEL ----> / ----> /sbin/init

Alternatively, a boot loader can load a RAM disk into memory containing scripts and kernel modules needed to access the root device. This will be the case when the root device is handled by non-resident (also called dynamic) modules.

    BOOTLOADER ----> INITRD ----> KERNEL ----> / ----> /sbin/init

Common dynamic modules
  ext3    Third extended filesystem type
  lvm     Logical volume support
  raidx   software raid level x support
  scsi    SCSI support
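As an added example, not from the LinuxIT manual, here is an awk-based reader for the id:runlevels:action:command format from "The Joys of inittab" above: it lists which entries init acts on for a given runlevel and sanity-checks a hand-edited file before it is handed to "init q". It runs on a constructed copy of the inittab excerpt, never on the live /etc/inittab.

```shell
#!/bin/sh
# Added example (not from the LinuxIT manual): an awk-based reader for the
# id:runlevels:action:command format of /etc/inittab. It works on the
# constructed copy below, never on the live /etc/inittab, and reports what
# init would do for a given runlevel.

# Constructed sample, a cut-down copy of the inittab excerpt in the text.
SAMPLE_INITTAB='id:3:initdefault:
# System initialization.
si::sysinit:/etc/rc.d/rc.sysinit
l0:0:wait:/etc/rc.d/rc 0
l3:3:wait:/etc/rc.d/rc 3
l5:5:wait:/etc/rc.d/rc 5
l6:6:wait:/etc/rc.d/rc 6

# Trap CTRL-ALT-DELETE
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
x:5:respawn:/etc/X11/prefdm -nodaemon'

# inittab_default INITTAB: print the runlevel named by the initdefault line.
inittab_default() {
    printf '%s\n' "$1" | awk -F: '$3 == "initdefault" { print $2; exit }'
}

# inittab_active INITTAB RUNLEVEL: print "id action command" for every entry
# init acts on in RUNLEVEL. An empty runlevels field means every runlevel;
# otherwise the field must contain the runlevel character. The initdefault
# line is skipped because it carries no command.
inittab_active() {
    printf '%s\n' "$1" | awk -F: -v rl="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
        $3 == "initdefault"      { next }
        $2 == "" || index($2, rl) > 0 {
            cmd = $4
            for (i = 5; i <= NF; i++) cmd = cmd ":" $i   # command may contain ":"
            print $1, $3, cmd
        }'
}

# inittab_check INITTAB: the checks worth running on a hand-edited file
# before telling init to reread it with "init q". One problem per line,
# nothing printed when the file looks sane:
#   - every entry has at least the four fields id:runlevels:action:command
#   - ids are unique
#   - exactly one initdefault line, and it is not 0 or 6 (such a default
#     would halt or reboot the machine at the end of every boot)
inittab_check() {
    printf '%s\n' "$1" | awk -F: '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        NF < 4 { print "line " NR ": only " NF " fields"; next }
        seen[$1]++ { print "duplicate id " $1 }
        $3 == "initdefault" {
            defaults++
            if ($2 == "0" || $2 == "6")
                print "initdefault " $2 " would halt or reboot at boot"
        }
        END { if (defaults != 1) print "expected one initdefault line, found " defaults + 0 }'
}
```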
Installing LILO

The bootloader LILO is installed by /sbin/lilo (the bootloader mapper or installer) which in turn reads configuration options from the file /etc/lilo.conf.

LILO cannot read filesystems, only offsets on the physical disks. Therefore the mapper will read information from the /etc/lilo.conf file (e.g. which second stage bootloader to use, which kernel or which initial ram disk) and will translate this information using a system of maps for LILO to read at boot time.

The main options in /etc/lilo.conf are specified here:
  boot=         where LILO should be installed (/dev/hda is the MBR)
  install       which second stage to install (boot.b is the default)
  prompt        give the user a chance to choose an OS to boot
  default       name of the image that will be booted by default
  timeout       used with prompt, causes LILO to pause (units are 1/10 of a sec)
  image=        path to the kernel to boot (one can use 'other' to chain load)
  label=        name of the image. This is the name a user can type at the boot prompt
  root=         the name of the disk device which contains the root filesystem /
  read-only=    mount the root filesystem read-only for fsck to work properly
  append        give kernel parameters for modules that are statically compiled
  linear/lba32  these options are mutually exclusive. Both ask LILO to read the disk using Linear Block Addressing. linear is typically used for very large disks. lba32 is used to allow boot time access to data beyond the first 1024 cylinders

Installing GRUB

The GRUB boot loader is installed with the command grub-install. Configuration options are stored in the file /boot/grub/menu.lst or /boot/grub/grub.conf.

Unlike LILO, GRUB is a small shell that can read certain filesystems. This allows GRUB to read information in the grub.conf or menu.lst files.

Main sections in /boot/grub/grub.conf or menu.lst:

1. General/Global
  default   image that will boot by default (the first entry is 0)
  timeout   prompt timeout in seconds

2. Image
  title     name of the image
  root      where the 2nd stage bootloader and kernel are, e.g. (hd0,0) is /dev/hda
  kernel    path for the kernel starting from the previous root, e.g. /vmlinuz
  ro        read-only
  root      the filesystem root
  initrd    path to the initial root disk

Bootloader Options

It is possible to give parameters at boot time to both LILO and GRUB. Both loaders have a limited interface which can read user input.

Passing parameters at the LILO prompt:

    boot: linux s

Passing parameters at the GRUB prompt:

Once the GRUB boot loader has successfully started you will see the main menu screen with a list of menu titles. Do the following:

1. press 'e' to edit a given menu title
2. scroll down to the line containing 'kernel' and press 'e' again
3. you can add any options here
4. to boot with the current options type 'b'. Otherwise just press return to get the unaltered line back

Notice that pressing the ESC key will bring you back to a previous stage. You can navigate back to the main menu this way. Alternatively the boot loader configuration files (lilo.conf or grub.conf) can be used to save these options.

Passing init parameters:

Boot loaders can pass the runlevel parameter to init. Once the kernel is loaded, it will start /sbin/init by default which then takes over the booting process. Common runlevels are s, single, S, 1, 2, 3, 4, 5. If no parameters are given, init will launch the default runlevel specified in /etc/inittab.

Passing kernel parameters:

Kernel options are of the form item=value.

Common kernel parameters
  acpi=   enable/disable ACPI
  init=   tell the kernel which program to start from the root device
  mem=    specify the amount of RAM to use
  root=   specify the root device

Warning! The boot loader kernel parameters are passed to the resident kernel modules only.

In /etc/lilo.conf kernel parameters are declared with the append option. Examples:

    append="pci=biosirq"
    append="ram=16M"
    append="/dev/hdc=ide-scsi"    (for CD writers)

During bootup all kernel messages are logged to /var/log/dmesg by default. This file can either be read or flushed to stdout with the /bin/dmesg utility.

5. From boot to bash

We can now attempt to go through each stage of the booting process.

1. Boot Loader stage:
- If the bootloader is successful it will start its second stage, which displays a prompt or a splash image with a list of operating systems or kernels to boot.
- If an initial ram disk is specified it is loaded here.
- The kernel is loaded into memory.

2. Kernel stage:
- The kernel is loaded from the medium specified in the lilo.conf/grub.conf configuration file. As it loads it is decompressed.
- If an initial ramdisk is loaded, extra modules are loaded here.
- The kernel will scan the hardware in the system: CPU, RAM, PCI bus, etc.
- The kernel then mounts the root device as read-only. From here on programs in /bin and /sbin are made available.
- The kernel then loads /sbin/init, the first 'userspace' process.

3. The INIT stage:
- Init reads /etc/inittab and follows the instructions.
- The default runlevel is read.
- The rc.sysinit script is run:
  . all local filesystems are mounted or, if needed, an integrity check (fsck) is performed in accordance with entries in /etc/fstab
  . quotas are started, etc ...
- Next init goes into the default runlevel N by running /etc/rc.d/rc N.
- The gettys start and the boot process is over.

The prompt to login is now managed by the gettys on the ttys. After the user has typed in their username and pressed return, /bin/login is started. The user is prompted by /bin/login for the password. The user enters a password and presses return. The password the user entered is compared to the password in /etc/passwd or /etc/shadow.
6. Exercises and Summary

Files
  /etc/init.d    directory containing all the scripts used to stop and start services at boot time
  /etc/inittab   inittab(5): the inittab file describes which processes are started at boot-up and during normal operation. init distinguishes multiple runlevels, each of which can have its own set of processes that are started

Commands
  init       init(8): is the parent of all processes. Its primary role is to create processes from a script stored in the file /etc/inittab
  shutdown   shutdown(8): brings the system down in a secure way. All logged-in users are notified that the system is going down, and login(1) is blocked. It is possible to shut the system down immediately or after a specified delay. All processes are first notified that the system is going down by the signal SIGTERM. This gives programs like vi(1) the time to save the file being edited, mail and news processing programs a chance to exit cleanly, etc. shutdown does its job by signalling the init process, asking it to change the runlevel

References
Take a look at the boot(7) manpage, it covers most of what we did in this module.

Exercises

1. Use init to change your current runlevel (e.g. switch between runlevel 3 and 5). How do you know what your current runlevel is?
2. Enable the Ctrl+Alt+Del in runlevel 3 only. How can you force init to read its configuration file?
3. Add a new login prompt on tty7.
4. Use dmesg to read the chipset of your ethernet card.
5. Investigate differences between shutdown, halt and reboot. Which option to shutdown will force an fsck at the next boot?
6. Use the tools chkconfig or ntsysv to disable the sshd daemon in runlevels 2, 3, 4 and 5. Verify that the symbolic links in the rc2.d, rc3.d, rc4.d and rc5.d directories have changed.
7. Reboot the system. At the boot prompt give the appropriate init= parameter to skip /sbin/init and start a simple bash session.


Managing Groups and Users

Prerequisites: None

Goals:
- Manage user accounts
- Manage group accounts
- Modify account settings

Contents
  Managing Groups and Users                     26
  1. Creating new users                         27
  2. Working with groups                        28
  3. Configuration files                        30
  4. Command options                            32
  5. Modifying accounts and default settings    32
  6. Exercises and Summary                      34

1. Creating new users

Step 1: Create an account

The /usr/sbin/useradd command adds new users to the system and the symbolic link adduser points to it.

Syntax:

    useradd [options] login-name

Example: add a user with login-name rufus

    useradd rufus

Default values will be used when no options are specified. You can list these values with useradd -D.

Default options listed with useradd -D:

    GROUP=100
    HOME=/home
    INACTIVE=-1
    EXPIRE=
    SHELL=/bin/bash
    SKEL=/etc/skel

Notice that this information is also available in the file /etc/default/useradd.

Step 2: Activate the account with a new password

To allow a user to access his or her account the administrator must allocate a password to the user using the passwd tool.

Syntax:

    passwd login-name

These steps create a new user. This has also defined the user's environment such as a home directory and a default shell. The user has also been assigned to a group, his primary group.

2. Working with groups

Every new user is assigned to an initial (or primary) group. Two conventions exist.

Traditionally this primary group is the same for all users and is called users, with a group id (GID) of 100. Many Linux distributions adhere to this convention, such as Suse and Debian.

The User Private Group scheme (UPG) was introduced by RedHat and changes this convention without changing the way in which UNIX groups work. With UPG each new user belongs to their own primary group. The group has the same name as the login-name (default), and the GID is in the 500 to 60000 range (same as UIDs).

As a consequence,
when using the traditional scheme for groups the user's umask (see LPI 101) is set to 022, whereas in the UPG scheme the umask is set to 002.

Belonging to groups

A user can belong to any number of groups. However at any one time (when creating a file for example) only one group is the effective group.

The list of all groups a user belongs to is obtained with either the groups or id commands.

Example for user root:

List all IDs:

    # id
    uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),600(sales)

List all groups:

    # groups
    root bin daemon sys adm disk wheel sales

Joining a group

Joining a group changes the user's effective group and starts a new session from which the user can then logout. This is done with the newgrp command.

Example: joining the sales group

    newgrp sales

If the groups command is issued, the first group on the list would no longer be root but sales.

Creating and deleting groups

The groupadd tool is used to add new groups. It will add an entry in the /etc/group file.

Example: Create the group devel

    groupadd devel

The groupdel tool is used to delete groups. This will remove the relevant entries in the /etc/group file.

Example: Delete the group devel

    groupdel devel

Adding a user to a group

Administration tasks can be carried out with the gpasswd tool. One can add (-a) or remove (-d) users from a group and assign an administrator (-A). The tool was originally designed to set a single password on a group, allowing members of the same group to login with the same password. For security reasons this feature no longer works.

Example: Add rufus to the group devel

    gpasswd -a rufus devel

3. Configuration files

The /etc/passwd and /etc/shadow files:

The names of all the users on the system are kept in /etc/passwd. This file has the following structure:

1. Login name
2. Password (or x if using a shadow file)
3. The UID
4. The GID
5. Text description for the user
6. The user's home directory
7. The user's shell

These 7 fields are separated by colons, as in the example below.

/etc/passwd entry with encrypted passwd:

    george:$1$K05gMbOv$b7ryoKGTd2hDrW2sT.h:Dr G Micheal:/home/georges:/bin/bash

In order to hide the encrypted passwords from ordinary users you should use a shadow file. The /etc/shadow file then holds the user names and encrypted passwords and is readable only by root. If you don't have a shadow file in /etc then you should issue the following command:

    /usr/sbin/pwconv      (passwd -> shadow)

This will leave an 'x' in the 2nd field of /etc/passwd and create the /etc/shadow file.

If you don't wish to use shadow passwords you can go back using:

    /usr/sbin/pwunconv    (shadow -> passwd)

Caution: When using a shadow password file the /etc/passwd file may be world readable (644) and the /etc/shadow file must be more restricted (600 or even 400). However when using pwunconv make sure to change the permissions on /etc/passwd (600 or 400).
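As an added example, not from the LinuxIT manual, the following awk-based audit parses constructed /etc/passwd and /etc/shadow records (the hash strings are made up) and reports the problems an administrator checks for after editing these files by hand: wrong field counts, empty password fields, hashes left in the world-readable passwd file, extra UID 0 accounts and duplicate UIDs. It goes a little beyond the passage by also reading the shadow(5) lock marker and aging fields.

```shell
#!/bin/sh
# Added example (not from the LinuxIT manual): an awk audit of the
# /etc/passwd and /etc/shadow layouts described above. It runs only on the
# constructed records below (the hash strings are made up), never on the
# live files, and reports what an administrator checks after hand-editing.

# Constructed /etc/passwd sample: 7 colon-separated fields per line.
# Several entries are deliberately wrong so the audit has something to find.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
rufus:x:500:500:Rufus:/home/rufus:/bin/bash
george:x:501:100:Dr G Micheal:/home/georges:/bin/bash
nobody:x:99:99:Nobody:/:/bin/false
backup:x:0:0:second uid 0:/root:/bin/bash
guest::502:100:no password at all:/home/guest:/bin/bash
dbuser:$1$sampleHash$notARealHash3333333333:503:100:hash in passwd:/home/dbuser:/bin/bash
sally:x:500:100:duplicate uid:/home/sally:/bin/sh
short:x:504:100:missing shell:/home/short'

# Constructed /etc/shadow sample, shadow(5) layout:
# name:hash:lastchange:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW='root:$1$sampleHash$notARealHash0000000000:13000:0:99999:7:::
rufus:$1$sampleHash$notARealHash1111111111:13000:0:90:7:::
george:!$1$sampleHash$notARealHash2222222222:13000:0:99999:7:::
backup:*:13000:0:99999:7:::
guest::13000:0:99999:7:::'

# passwd_audit PASSWD_CONTENT: one finding per line, in file order.
passwd_audit() {
    printf '%s\n' "$1" | awk -F: '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        NF != 7 { print "line " NR ": " NF " fields instead of 7 (" $1 ")"; next }
        $2 == ""                { print $1 ": empty password field, login needs no password" }
        $2 != "x" && $2 != ""   { print $1 ": hash kept in world-readable passwd, run pwconv" }
        $3 == 0 && $1 != "root" { print $1 ": UID 0 account other than root" }
        seen[$3]++ && $3 != 0   { print $1 ": duplicate UID " $3 }'
}

# shadow_audit SHADOW_CONTENT: lock state and aging per account.
#   field 2 empty               no password is set
#   field 2 starts with ! or *  the account is locked (passwd -l, usermod -L)
#   field 5                     PASS_MAX_DAYS for this user; 99999 never expires
shadow_audit() {
    printf '%s\n' "$1" | awk -F: '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        NF != 9      { print "line " NR ": " NF " fields instead of 9 (" $1 ")"; next }
        $2 == ""     { print $1 ": no password set"; next }
        $2 ~ /^[!*]/ { print $1 ": locked"; next }
        $5 == 99999  { print $1 ": password never expires (max days 99999)" }'
}

# shadow_missing PASSWD_CONTENT SHADOW_CONTENT: accounts whose passwd entry
# says "x" but that have no shadow line; pwconv would create those lines.
shadow_missing() {
    names=$(mktemp) || return 1
    printf '%s\n' "$2" | cut -d: -f1 | sort > "$names"
    printf '%s\n' "$1" | awk -F: '$2 == "x" { print $1 }' | sort | comm -23 - "$names"
    rm -f "$names"
}
```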
The /etc/&roup and &shado) files+ _____________________________________________________________________ 30 LinuxI e!hni!al 'du!ation (entre /ana"in" Grou#s and 0sers __________________________________________________________ In the same way! information about groups is kept in 2et!2"rou#. This file has 6 fields separated by colons. '. ?roup name *. The group password &or x if gshadow file exists) 3. The ?ID 6. A comma separated list of members $xample 2et!2"rou# entry+ java:x:550:jade, eric, rufus As for users there is a 2et!2"shadow file that is created when using shadow group passwords. The utilities used to switch backwards and forward from shadow to non.shadow files are as follow /usr/sbin/grpconv creates the ,etc,gshadow file /usr/sbin/grpunconv deletes the gshadow file The /etc/lo&in.defs and /etc/skel/ files The ,etc,login.defs file contains the following information+ the mail spool directory+ MAILPDI4 password aging controls+ #A//PMA%PDA:/! #A//PMICPDA:/! #A//PMA%PL$C! #A//P1A4CPA?$ max,min values for automatic <ID selection in useradd+ <IDPMIC! <IDPMA% max,min values for automatic ?ID selection in "rou#add+ ?IDPMIC! ?IDPMA% automatically create a home directory with useradd+ 94$AT$P82M$ The ,etc,skel directory contains default files that will be copied to the home directory of newly created users+ $bashr!! $bashG#rofiles! ... .$ (ommand o#tions useradd ?o#tions@ _____________________________________________________________________ 31 LinuxI e!hni!al 'du!ation (entre /ana"in" Grou#s and 0sers __________________________________________________________ 8! comment &"ull Came) 8d path to home directory 8" initial group &?ID). The ?ID must already exist 8G comma separated list of supplementary groups 8u userFs <ID 8s userFs default shell 8# password &md7 encrypted! use uotesQ) 8e account expiry date 8k the skel directory 8n switch off the <#? 
group scheme "rou#add ?o#tions@ 8" assign a ?ID 5$ /odifyin" a!!ounts and default settin"s All available options while creating a user or a group can be modified. The usermod utility has the following main options+ usermod ?o#tions@ 8d the users directory 8" the users initial ?ID 8l the user's login name 8u the user's <ID 8s the default shell. Cotice these options are the same as for useradd. Likewise! you can change details about a group with the "rou#mod utility. There are mainly two options+ "rou#mod ?o#tions@ 8" the ?ID 8n the group name. Locking an account A userFs account can be locked by prefixing an exclamation mark to the userFs password. This can also be done with the following command line tools+ Lo!k 0nlo!k #asswd 8l #asswd 8u _____________________________________________________________________ 32 LinuxI e!hni!al 'du!ation (entre /ana"in" Grou#s and 0sers __________________________________________________________ usermod 8L usermod 80 1hen using shadow passwords! replace the x with a ; A less useful option is to remove the password entirely with #asswd 8d. "inally! one can also assign 2bin2false to the userFs default shell in 2et!2#asswd. 9hanging the password expiry dates+ @y default a userFs password is valid for AAAAA days! that is *B3!A years &default #A//PMA%PDA:/). The user is warned for B days that his password will expire &default #A//P1A4CPA?$) with the following message as he logs in+ Karning= your pass,ord ,i)) expire in < days There is another password aging policy number that is called #A//PMICPDA:/. This is the minimum number of days before a user can change his passwordS it is set to Mero by default. The !ha"e tool allows an administrator to change all these options. <sage+ chage 6 1) 7 6 1m min9days 7 6 1A max9days 7 6 1K ,arn 7 6 1I inacti*e 7 6 1D expire 7 6 1d )ast9day 7 user The first option Bl lists the current policy values for a user. 1e will only discuss the B' option. This locks an account at a given date. 
The date is either in <CI% days or in ::::,MM,DD format. Cotice that all these values are stored in the 2et!2shadow file! and can be edited directly. 4emoving an account+ A userFs account may be removed with the userdel command line. To make sure that the userFs home directory is also deleted use the .r option. userdel -r jade _____________________________________________________________________ 33 LinuxI e!hni!al 'du!ation (entre /ana"in" Grou#s and 0sers __________________________________________________________ 1$ 'xer!ises and Summary Files "ile Description ,etc,group contains the names of all the groups on the system ,etc,gshadow contains &optionally) passwords associated to a group ,etc,login.defs contains predefined values needed when adding a new user such as the minimum and maximum <ID and ?ID! the minimum password length! etc ,etc,passwd #asswd?5@ N text file that contains a list of the systemFs accounts! giving for each account some useful information like user ID! group ID! home directory! shell! etc. 2ften! it also contains the encryptedpasswords for each account. It should have general read permission &many utilities! like ls&') use it to map user IDs to user names)! but write access only for the superuser ,etc,shadow shadow?5@ N contains the encrypted password information for userFs accounts and optional the password aging information ,etc,skel, directory containing files and directories to be copied into the home directory of every newly created user
Commands

    Command     Description
    chage       chage(1) - changes a user's password expiry information
    gpasswd     gpasswd(1) - administer the /etc/group file
    groupadd    add a new group to the system
    groupmod    modify an existing group
    groups      print out all the groups a user belongs to
    id          print out the UID as well as the GIDs of all the groups a user belongs to
    passwd      change the password for an account
    useradd     add a new user to the system
    usermod     modify an existing user account

1. Creating users

Use adduser to create a user called tux with user ID 600 and group ID 550.
Use usermod to change this user's home directory.
    Does the new directory need to be created? (Hint: check the effect of the -m flag)
    Is the content of /etc/skel copied to the new directory?
Use usermod to add tux to the group wheel.

2. Working with groups

Create a group called sales using groupadd.
Add tux to this group using gpasswd.
Login as tux and join the group sales using newgrp.

3. Configuration files

Add a user to the system by editing /etc/passwd and /etc/group.
Create a group called share and add user tux to this group by manually editing /etc/group.

4. Modifying an Account

Change the expiry date for user tux's account using usermod.
Lock the user's account. (Use tools or edit /etc/shadow ...)
Prevent the user from logging in by changing the user's default shell to /bin/false.
Change the PASS_MAX_DAYS for user tux to 1 in /etc/shadow.

5. Changing default settings

Use useradd -D to change the system's default settings such that every new user will be assigned /bin/sh instead of /bin/bash.
(Notice that this will change the file in /etc/defaults/)
Edit /etc/login.defs and change the default PASS_MAX_DAYS so that new users need to change their password every 5 days.

Network Configuration

Prerequisites
    Hardware configuration (see LPI 101)

Goals
    Configure a Linux system for networking
    Understand routing
    Use network troubleshooting tools

Contents
    Network Configuration ......... 36
    1. The Network Interface ...... 37
    2. Host Information ........... 38
    3. Stop and Start Networking .. 39
    4. Routing .................... 40
    5. Common Network Tools ....... 42
    6. Exercises and Summary ...... 45

1. The Network Interface

The network interface card (NIC) must be supported by the kernel. To determine which card you are using you can get information from dmesg, /proc/interrupts, /sbin/lsmod
or /etc/modules.conf

Example:

    dmesg
    Linux Tulip driver version 0.9.14 (February 20, 2001)
    PCI: Enabling device 00:0f.0 (0004 -> 0007)
    PCI: Found IRQ 10 for device 00:0f.0
    eth0: Lite-On 82c168 PNIC rev 32 at 0xf800, 00:A0:CC:D3:6E:0F, IRQ 10.
    eth0: MII transceiver #1 config 3000 status 7829 advertising 01e1.

    cat /proc/interrupts
      0:    8729602    XT-PIC  timer
      1:          4    XT-PIC  keyboard
      2:          0    XT-PIC  cascade
      7:          0    XT-PIC  parport0
      8:          1    XT-PIC  rtc
     10:     622417    XT-PIC  eth0
     11:          0    XT-PIC  usb-uhci
     14:     143040    XT-PIC  ide0
     15:        180    XT-PIC  ide1

    /sbin/lsmod
    Module      Size    Used by
    tulip       37360   1 (autoclean)

From the example above we see that the Ethernet card's chipset is Tulip, the i/o address is 0xf800 and the IRQ is 10. This information can be used either if the wrong module is being used or if the resources (i/o or IRQ) are not available.

This information can either be used to insert a module with a different i/o address (using the modprobe or insmod utilities) or can be saved in /etc/modules.conf (this will save the settings for the next system boot).

2. Host Information

The following files are used to store networking information.

/etc/resolv.conf contains a list of DNS servers

    nameserver 192.168.1.108
    nameserver 192.168.1.1
    search linuxit.org
/etc/HOSTNAME or /etc/hostname is used to give a name to the PC. One can also associate a name to a network interface. This is done differently across distributions.

/etc/hosts contains your machine's IP number as well as a list of known hosts
    # Do not remove the following line, or various programs
    # that require network functionality will fail.
    127.0.0.1        localhost localhost.localdomain

    # other hosts
    192.168.1.108    mesa mesa.domain.org
    192.168.1.119    pico

/etc/sysconfig/network defines if networking must be started (can also contain the HOSTNAME variable)

    NETWORKING=yes
    HOSTNAME=mesa.domain.org
    GATEWAY=192.168.1.1
    GATEWAYDEV=

/etc/sysconfig/network-scripts/ifcfg-eth0 contains the configuration parameters for eth0

    DEVICE=eth0
    BOOTPROTO=none
    BROADCAST=192.168.1.255
    IPADDR=192.168.1.108
    NETWORK=192.168.1.0
    ONBOOT=yes
    USERCTL=no

3. Stop and Start Networking

• From the command line

The main tool used to bring up the network interface is /sbin/ifconfig. Once initialised the kernel module aliased to eth0 in /etc/modules.conf (e.g. tulip.o) is loaded and assigned an IP and netmask value. As a result the interface can be switched on and off without losing this information as long as the kernel module is inserted.

Examples: Using ifconfig.

    /sbin/ifconfig eth0 192.168.10.1 netmask 255.255.128.0
    /sbin/ifconfig eth0 down
    /sbin/ifconfig eth0 up

Another tool is /sbin/ifup. This utility reads the system's configuration files in /etc/sysconfig/ and assigns the stored values for a given interface. The script for eth0 is called ifcfg-eth0 and has to be configured. If a boot protocol such as DHCP is defined then ifup will start the interface with that protocol.

Examples: Using ifup.

    /sbin/ifup eth0
    /sbin/ifup ppp0
    /sbin/ifdown eth0

• Using the network script

At boot time the ethernet card is initialised with the /etc/rc.d/init.d/network script. All the relevant networking files are sourced in the /etc/sysconfig/ directory. In addition the script also reads the sysctl options in /etc/sysctl.conf,
this is where you can configure the system as a router (allow IP forwarding in the kernel). For example the line:

    net.ipv4.ip_forward = 1

will enable ip forwarding and the file /proc/sys/net/ipv4/ip_forward will contain a one.

The network script is started with the following command

    /etc/rc.d/init.d/network restart

• Renewing a DHCP lease

The following tools can query the DHCP server for a new IP:

    pump
    dhcpclient

A client daemon exists called dhcpcd (do not confuse this with the DHCP server daemon dhcpd).

4. Routing

A noticeable difference when using a system script such as ifup rather than ifconfig on its own, is that the system's routing tables are set in one case and not in the other. This is because either the /etc/sysconfig/network file is read, where a default gateway is stored, or the DHCP server has sent this information together with the IP number.

The routing tables are configured, checked and changed with the /sbin/route tool.

Routing examples:

Add a static route to the network 10.0.0.0 through the device eth1 and use 192.168.1.108 as the gateway for that network:

    /sbin/route add -net 10.0.0.0 gw 192.168.1.108 dev eth1

Add a default gateway:

    /sbin/route add default gw 192.168.1.1 eth0

Listing the kernel routing table:
    /sbin/route -n
    Kernel IP routing table
    Destination     Gateway          Genmask          Iface
    192.168.1.0     0.0.0.0          255.255.255.0    eth0
    10.1.8.0        192.168.1.108    255.0.0.0        eth1
    127.0.0.0       0.0.0.0          255.0.0.0        lo
    0.0.0.0         192.168.1.1      0.0.0.0          eth0

Default Gateway:

In the last listing, the Destination field is a list of networks. In particular, 0.0.0.0 means 'anywhere'. With this in mind, there are two IPs in the Gateway field. Which one is the default gateway?

To avoid having to enter static routes by hand special daemons gated or routed are run to dynamically update routing tables across a network.

If you belong to the 192.168.10.0 network and you add a route to the 192.168.1.0 network you may find that machines in the latter network are not responding. This is because no route has been set from the 192.168.1.0 network back to your host!! This problem is solved using dynamic routing.

Permanent Static Routes

If you have several networks with more than one gateway you can use the /etc/sysconfig/static-routes file (instead of routing daemons). These routes will be added at boot time by the network script.

Naming Networks

Using the /etc/networks file it is possible to assign names to network numbers (for network numbers see TCP/IP Networks on p. 48).

/etc/networks format

    network-name    network-number    aliases

For example, the network number 10.0.0.0 can be called office.org, following the above format. It is then possible to use network names with tools like route as below:

    route add -net office.org netmask 255.0.0.0

A routing scenario: (diagram)

5. Common Network Tools

Here is a short list of tools helpful when troubleshooting network connections.
ping: This tool sends an ICMP ECHO_REQUEST datagram to a host and expects an ICMP ECHO_RESPONSE.

Options for ping
    -b        ping a broadcast address
    -c N      send N packets
    -q        quiet mode: display only start and end messages

tcpdump: This is a tool used to analyse network traffic by capturing network packets. The following commands illustrate some options:

Let tcpdump autodetect the network interface
    tcpdump

Specify a network interface to capture packets from
    tcpdump -i wlan0

Give an expression to match
    tcpdump host 192.168.10.1 and port 80

Notice that in a switched environment the switch may be configured to send packets to a given network interface only if those packets were addressed to that interface. In that case it is not possible to monitor the whole network.

netstat: You may get information on current network connections, the routing table or interface statistics depending on the options used.

Options for netstat:
    -r    same as /sbin/route
    -I    display list of interfaces
    -n    don't resolve IP addresses
    -p    returns the PID and names of programs (only for root)
    -v    verbose
    -c    continuous update

Example: Output of netstat --inet -n :

    Active Internet connections (w/o servers)
    Proto Recv-Q Send-Q Local Address         Foreign Address        State
    tcp        0      0 192.168.1.10:139      192.168.1.153:1992     ESTABLISHED
    tcp        0      0 192.168.1.10:22       192.168.1.138:1114     ESTABLISHED
    tcp        0      0 192.168.1.10:80       192.168.1.71:18858     TIME_WAIT

In the above listing you can see that the local host has established connections on ports 139, 22 and 80.

arp: Display the kernel address resolution cache.
Example:

    arp
    Address         HWtype    HWaddress            Iface
    192.168.1.71    ether     00:04:C1:D7:CA:2D    eth0

traceroute: Displays the route taken from the local host to the destination host. Traceroute forces intermediate routers to send back error messages (ICMP TIME_EXCEEDED) by deliberately setting the ttl (time to live) value too low. After each TIME_EXCEEDED notification traceroute increments the ttl value, forcing the next packet to travel further, until it reaches its destination.

Options for traceroute:
    -f ttl    change the initial time to live value to ttl instead of 1
    -n        do not resolve IP numbers
    -v        verbose
    -w sec    set the timeout on returned packets to sec

6. Exercises and Summary

Files

    File                            Description
    /etc/resolv.conf                file containing a list of DNS servers used to resolve computer host names
    /etc/sysctl.conf                configuration file for the sysctl tool used to customise kernel settings in /proc/sys/
    /proc/sys/net/ipv4/ip_forward   file containing information about the kernel forwarding status. The kernel will either forward or not packets that are addressed to a different host depending on whether the file contains a 1 or a 0

Commands

    Command      Description
    arp          print the kernel ARP cache
    dhcpcd       a DHCP client daemon
    dhcpclient   a DHCP client daemon
    ifconfig     ifconfig(8) - is used to configure the kernel-resident network interfaces. It is used at boot time to set up interfaces as necessary
    netstat      netstat(8) - print information about network connections, routing tables, interface statistics, etc
    ping         ping(8) - uses the ICMP protocol's mandatory ECHO_REQUEST datagram to elicit an ICMP ECHO_RESPONSE from a host or gateway.
                 ECHO_REQUEST datagrams (``pings'') have an IP and ICMP header, followed by a struct timeval and then an arbitrary number of ``pad'' bytes used to fill out the packet
    pump         pump(8) - is a daemon that manages network interfaces that are controlled by either the DHCP or BOOTP protocol. While pump may be started manually, it is normally started automatically by the /sbin/ifup script for devices configured via BOOTP or DHCP
    route        route(8) - manipulates the kernel's IP routing tables. Its primary use is to set up static routes to specific hosts or networks via an interface after it has been configured with the ifconfig(8) program. When the add or del options are used, route modifies the routing tables. Without these options, route displays the current contents of the routing tables
    sysctl       sysctl(8) - is used to modify kernel parameters at runtime. The parameters available are those listed under /proc/sys/
    traceroute   traceroute(8) - utilizes the IP protocol 'time to live' field and attempts to elicit an ICMP TIME_EXCEEDED response from each gateway along the path to some host

1. In the Routing Scenario section of this chapter give the routing table for the LAN's gateway.

2. Start your network interface manually

    ifconfig eth0 192.168.0.x

List the kernel modules. Make sure that the eth0 module is loaded (check /etc/modules.conf).

3. Stop the network interface with:

    (i) ifconfig eth0 down

Verify that you can bring the interface back up without entering new information:

    (ii) ifconfig eth0 up

4. Stop the interface and remove the kernel module (rmmod module). What happens if you repeat step 3(ii)?

5. Divide the class into two networks A (192.168.1.0) and B (10.0.0.0).
First Scenario - at least 3 hosts

Try accessing machines across networks (this shouldn't work!)

Choose an existing machine to be the gateway (on either network)

If you choose the router to be on the existing 192.168.1.0 network then do the following on that router:

- create an aliased interface on the 10.0.0.0 network (x is any available number)

    ifup eth0:1 10.0.0.x

- allow IP forwarding

    echo 1 > /proc/sys/net/ipv4/ip_forward
- add a route to the other network using the gateway machine (you will need to know either the eth0 or eth0:1 setting of the gateway depending on which network you are on).

Second scenario - at least 4 hosts

Make sure the routers force routing through the aliased interface. For example on router A:

    route add -net 192.168.1.0/24 gw 172.16.0.10 dev eth0:0

TCP/IP Networks

Prerequisites
    Network configuration (p. 36)

Goals
    Understand formal TCP/IP network concepts
    Manage subnets
    Understand the four layer TCP/IP model
    Introduce service port numbers

Contents
    TCP/IP Networks ..................................... 48
    1. Binary Numbers and the Dotted Quad ............... 49
    2. Broadcast Address, Network Address and Netmask ... 49
    3. Network Classes .................................. 51
    4. Classless Subnets ................................ 52
    5. The TCP/IP Suite ................................. 53
    6. TCP/IP Services and Ports ........................ 55
    7. Exercises and Summary ............................
1. Binary Numbers and the Dotted Quad

Binary numbers

    10  = 2^1
    100 = 2^2
    101 = 2^2 + 1
    111 = 100 + 010 + 001

This means that a binary number can easily be converted into a decimal as follows:

    10000000 = 2^7 = 128
    01000000 = 2^6 = 64
    00100000 = 2^5 = 32
    00010000 = 2^4 = 16
    00001000 = 2^3 = 8
    00000100 = 2^2 = 4
    00000010 = 2^1 = 2
    00000001 = 2^0 = 1

The Dotted Quad:

The familiar IP address assigned to an interface is called a dotted quad. In the case of an ipv4 address this is 4 bytes (4 times 8 bits) separated by dots.

    Decimal        Binary
    192.168.1.1    11000000.10101000.00000001.00000001
2. Broadcast Address, Network Address and Netmask

An IP number contains information about both the host address (or interface) and network address.

The Netmask

A netmask is used to define which part of the IP address is used for the network; it is also called a subnet mask.

A 16 bit and 17 bit netmask:

    255.255.0.0      16-bit    11111111.11111111.00000000.00000000
    255.255.128.0    17-bit    11111111.11111111.10000000.00000000

The netmask is usually given in decimal. Example: with a 16-bit netmask the following IPs are on the same network:
    [00100000.10000000].00000001.00000001
    [00100000.10000000].00000000.00000011

This means that any bits that are changed inside the box (8+8=16 bits) will change the network address and the interfaces will need a gateway to connect to each other. In the same way, any bits that are changed outside the box will change the interface address without changing networks.

For example with a 24-bit netmask the above two IPs would be on different networks:

    [00100000.10000000.00000001].00000001
    [00100000.10000000.00000000].00000011
The Network Address

Every network has a number which is needed when setting up routing. The network number is a portion of the dotted quad. The host address portion is replaced by zeros.

Typical network address: 192.168.1.0

The Broadcast Address

A machine's broadcast address is a range of hosts/interfaces that can be accessed on the same network. For example a host with the broadcast address 10.1.255.255 will access any machine with an IP address of the form 10.1.x.x.

Typical broadcast: 192.168.1.255

The dotted quad revisited

Simple logical operations can be applied to the broadcast, netmask and network numbers.

To retrieve the network address from an IP number simply AND the IP with the netmask.

    Network Address = IP AND Netmask

Similarly the broadcast address is found with the network address OR 'not MASK'.

    Broadcast Address = Network OR not(Netmask)

Here AND and OR are logical operations on the binary form of these addresses.

Example: Take the IP 192.168.3.5 with a net mask 255.255.255.0. We can do the following operations:

Network address = IP AND MASK

         11000000.10101000.00000011.00000101    (192.168.3.5)
    AND  11111111.11111111.11111111.00000000    (255.255.255.000)
         -----------------------------------
         11000000.10101000.00000011.00000000    (192.168.3.0)

Broadcast Address = IP OR NOT-MASK

         11000000.10101000.00000011.00000101    (192.168.3.5)
    OR   00000000.00000000.00000000.11111111    (000.000.000.255)
         -----------------------------------
         11000000.10101000.00000011.11111111    (192.168.3.255)

It is clear from the above example that an IP number together with a netmask is enough to retrieve all the information relative to the network and the host.
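The AND / OR rule above carried out in shell arithmetic, as an added example that is not part of the manual. It generalises the worked 192.168.3.5/24 case to any prefix length (the /25 and /26 splits of the Classless Subnets section are produced by split_subnets) and applies the same masking to the route -n table from the Routing section to show how the kernel picks the most specific route; the routing table is a constructed copy of that listing, and 64-bit shell arithmetic (dash, bash, ksh) is assumed.

```shell
#!/bin/sh
# Added example (not part of the LinuxIT manual): the AND / OR rule of the
# section above, done in POSIX sh arithmetic for any prefix length, plus the
# longest-match lookup the kernel performs on a routing table.
# Assumption: 64-bit shell arithm
etic; 4294967295 is the 32-bit all-ones value
# used to keep every result inside 32 bits.

# ip2int 192.168.3.5 -> 3232236293  (dotted quad to one 32-bit integer)
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int2ip 3232236293 -> 192.168.3.5
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# int2bin 3232236293 -> 11000000.10101000.00000011.00000101  (the manual's notation)
int2bin() {
    n=$1; out=''; i=0
    while [ $i -lt 32 ]; do
        if [ $i -gt 0 ] && [ $((i % 8)) -eq 0 ]; then out="$out."; fi
        out="$out$(( (n >> (31 - i)) & 1 ))"
        i=$((i + 1))
    done
    echo "$out"
}

# prefix2mask 24 -> 4294967040  (255.255.255.0 as an integer)
prefix2mask() {
    if [ "$1" -eq 0 ]; then echo 0; else echo $(( (4294967295 << (32 - $1)) & 4294967295 )); fi
}

# mask2prefix 255.255.255.128 -> 25  (count the leading 1 bits of a netmask)
mask2prefix() {
    m=$(ip2int "$1"); p=0
    while [ $p -lt 32 ] && [ $(( (m >> (31 - p)) & 1 )) -eq 1 ]; do p=$((p + 1)); done
    echo $p
}

# subnet_info IP PREFIX -> "network broadcast usable_hosts"
#   network   = IP AND netmask
#   broadcast = network OR NOT netmask   (NOT netmask == 4294967295 - netmask)
#   hosts     = 2^(32-prefix) - 2, the all-zeros and all-ones host parts excluded
subnet_info() {
    ip=$(ip2int "$1"); mask=$(prefix2mask "$2")
    net=$(( ip & mask ))
    bcast=$(( net | (4294967295 - mask) ))
    if [ "$2" -ge 31 ]; then hosts=0; else hosts=$(( (1 << (32 - $2)) - 2 )); fi
    echo "$(int2ip $net) $(int2ip $bcast) $hosts"
}

# split_subnets BASE_IP BASE_PREFIX NEW_PREFIX -> one "network broadcast hosts"
# line per subnet obtained by borrowing host bits (the 25/26-bit splits of a /24)
split_subnets() {
    base=$(( $(ip2int "$1") & $(prefix2mask "$2") ))
    step=$(( 1 << (32 - $3) )); count=$(( 1 << ($3 - $2) )); k=0
    while [ $k -lt $count ]; do
        subnet_info "$(int2ip $(( base + k * step )))" "$3"
        k=$((k + 1))
    done
}

# Constructed copy of the "route -n" table from the Routing section:
# Destination Gateway Genmask Iface, one route per line.
ROUTES='192.168.1.0 0.0.0.0 255.255.255.0 eth0
10.1.8.0 192.168.1.108 255.0.0.0 eth1
127.0.0.0 0.0.0.0 255.0.0.0 lo
0.0.0.0 192.168.1.1 0.0.0.0 eth0'

# route_lookup DEST_IP -> "gateway iface" of the most specific matching route.
# An entry matches when (dest AND genmask) equals (destination AND genmask);
# masking both sides also tolerates an entry whose host bits are not zero.
# Among the matches the longest genmask wins; 0.0.0.0/0 (the default gateway)
# matches everything and therefore only wins when nothing else does.
route_lookup() {
    d=$(ip2int "$1"); best=-1; answer=''
    while read -r dst gw genmask iface; do
        m=$(ip2int "$genmask"); p=$(mask2prefix "$genmask")
        if [ $(( d & m )) -eq $(( $(ip2int "$dst") & m )) ] && [ "$p" -gt "$best" ]; then
            best=$p; answer="$gw $iface"
        fi
    done <<EOF
$ROUTES
EOF
    echo "$answer"
}

echo "192.168.3.5 = $(int2bin "$(ip2int 192.168.3.5)")"
echo "192.168.3.5/24 -> $(subnet_info 192.168.3.5 24)"   # 192.168.3.0 192.168.3.255 254
split_subnets 192.168.1.0 24 26                           # the four /26 subnets of 192.168.1.0
echo "10.1.8.7 via $(route_lookup 10.1.8.7)"              # 192.168.1.108 eth1
```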
3. Network Classes

• Reserved IP addresses

For private networks a certain number of IP addresses are allocated which are never used on the Internet. These reserved IPs are typically used for LANs. The following table displays the various private/reserved classes.

Table 1: Reserved addresses

    Class A    10.x.x.x
    Class B    172.16.x.x - 172.31.x.x
    Class C    192.168.x.x

• IP classes

Class A: 8-bit network address and 24-bit host address

The first byte of the IP number is reserved for the network address. So the default subnet mask would be 255.0.0.0. The 3 remaining bytes are available to set host interfaces. Since 255.255.255 and 0.0.0 are invalid host numbers there are 2^24 - 2 = 16 777 214 possible hosts.

IP numbers have the first byte ranging from 1 to 127. This corresponds to a binary range of 00000001 to 01111111. The first two bits of a class A address can be set to "00" or "01".

Class B: 16-bit network address and 16-bit host address

The two first bytes of the IP number are reserved for the network address. The default subnet mask is 255.255.0.0. There are 2^16 - 2 = 65 534 possible hosts. The first byte ranges from 128 to 191. Notice that the binary range of the first byte is 10000000 to 10111111. That is, the first two bits of a class B address are always set to "10".

Class C: 24-bit network address and 8-bit host address

The three first bytes are reserved for the network address. The default subnet mask is 255.255.255.0. There are 2^8 - 2 = 254 possible hosts. The first byte ranges from 192 to 223. This corresponds to a binary range from 11000000 to 11011111. From this we conclude that the first two bits of a class C address are always set to "11".

4. Classless Subnets

Subnetting occurs when bits reserved for hosts are used for the network.
This is determined by the netmask and results in networks being split. For example a regular class A netmask 255.0.0.0 can be altered to allow the first bit of the second byte to be part of the network. This results in a 9-bit network address and a 23-bit host address. The binary netmask looks like

    11111111.10000000.00000000.00000000 or 255.128.0.0

Slash Notation

A network can be described using a slash notation. The following notations are equivalent:

    10.0.0.0/9
    network 10.0.0.0, netmask 255.128.0.0

We will take the example of a class C address 192.168.1.0. We investigate a 25-bit then a 26-bit network.

25-bit network

Netmask: 11111111.11111111.11111111.10000000 or 255.255.255.128

Since Network = IP AND Netmask, we see from the netmask that two network addresses can be formed depending on the host range:

1. Host addresses in the 192.168.1.0xxxxxxx range result in a 192.168.1.0 network. We say the network number is 0.
2. Host addresses in the 192.168.1.1xxxxxxx range result in a 192.168.1.128 network. We say the network number is 128.

In both cases substitution of the x's by zeros or ones has a special meaning:
    Network address    Substitute with 0's    Substitute with 1's
    0                  Network: 0             Broadcast: 127
    128                Network: 128           Broadcast: 255

We are left with the task of counting the number of hosts on each network. Since the host address is 7-bit long and we exclude 2 values (all 1's and all 0's) we have 2^7 - 2 = 126 hosts on each network or a total of 252 hosts.

Notice that if the default subnet mask 255.255.255.0 is used we have 254 available host addresses. In the above example 192.168.1.127 and 192.168.1.128 are taken for the first broadcast and second network respectively; this is why only 252 host addresses can be used.

26-bit network

Netmask: 11111111.11111111.11111111.11000000 or 255.255.255.192

Here again depending on the host's address 4 different network addresses can be determined with the AND rule.

1. Host addresses in the 192.168.1.00xxxxxx range result in a 192.168.1.0 network.
2. Host addresses in the 192.168.1.01xxxxxx range result in a 192.168.1.64 network.
3. Host addresses in the 192.168.1.10xxxxxx range result in a 192.168.1.128 network.
4. Host addresses in the 192.168.1.11xxxxxx range result in a 192.168.1.192 network.

Substituting the x's with 1's in the numbers above gives us the corresponding broadcast addresses:

    192.168.1.63, 192.168.1.127, 192.168.1.191, 192.168.1.255

Each subnet has 2^6 - 2 = 62 possible hosts, or a total of 248.

5. The TCP/IP Suite

TCP/IP is a suite of protocols used on the Internet. The name is meant to describe that several protocols are needed in order to carry data and programs across a network. The main two protocols are TCP (Transmission Control Protocol) and IP (Internet Protocol). To simplify, IP handles packets or datagrams only (destination address, size...) whereas TCP handles the connection between two hosts. The idea is that protocols relay each other,
each one doing its specialised task. In this context one speaks of the TCP/IP stack. The protocols intervene therefore at various layers of the networking process.

The 4 layer TCP/IP model:

    Application       application level (FTP, SMTP, SNMP)
    Transport         handles hosts (TCP, UDP)
    Internet          routing (IP, ICMP, IGMP, ARP)
    Network Access    network cards, e.g. Ethernet, token ring ...
• Protocol Overview

IP: The Internet Protocol (IP) is the transport for TCP, UDP, and ICMP data. IP provides an unreliable connectionless service, allowing all integrity to be handled by one of the upper layer protocols, i.e. TCP, or some application-specific devices. There is no guarantee that a datagram will reach the host using IP alone. The IP protocol handles the addressing and the routing between networks. IP is the datagram delivery service.

TCP: Transmission Control Protocol (TCP) provides a reliable connection orientated service to applications that use it. TCP is connection orientated and checks on each host the order in which the packets are sent/received and also verifies that all the packets are transmitted. Applications such as telnet or ftp use the TCP protocol and don't need to handle issues over data loss etc ...

UDP: The User Datagram Protocol provides direct access to IP for application programs but unlike TCP, is connectionless and unreliable. This provides less overhead for applications concentrated on speed. If some form of packet accounting is needed this has to be provided by the application.

ICMP: The Internet Control Message Protocol is used by routers and hosts to report on the status of the network. It uses IP datagrams and is itself connectionless.

PPP: The Point to Point Protocol establishes a TCP/IP connection over phone lines. It can also be used inside encrypted connections such as pptp.
6. TCP/IP Services and Ports

The list of known services and their relative ports is generally found in /etc/services. The official list of services and associated ports is managed by the IANA (Internet Assigned Numbers Authority).

Since the port field is a 16-bit digit there are 65535 available numbers. Numbers from 1 to 1023 are privileged ports and are reserved for services run by root. Most known applications will listen on one of these ports.

We will look at the output of portscans. Beware that unauthorised portscanning is illegal although many people use them.
Here is the output of a portscan:

    Port      State    Service
    21/tcp    open     ftp
    22/tcp    open     ssh
    23/tcp    open     telnet
    25/tcp    open     smtp
    70/tcp    open     gopher
    79/tcp    open     finger
    80/tcp    open     http

This shows open ports; these are ports being used by an application.

The /etc/services main ports:

    ftp-data        20/tcp
    ftp             21/tcp
    ssh             22/udp
    ssh             22/tcp
    telnet          23/tcp
    smtp            25/tcp      mail
    domain          53/tcp
    domain          53/udp
    http            80/tcp      # www is used by some broken
    pop-3           110/tcp     # PostOffice V.3
    sunrpc          111/tcp
    sftp            115/tcp
    uucp-path       117/tcp
    nntp            119/tcp     usenet    # Network News Transfer
    ntp             123/tcp     # Network Time Protocol
    netbios-ns      137/tcp     nbns
    netbios-ns      137/udp     nbns
    netbios-dgm     138/tcp     nbdgm
    netbios-dgm     138/udp     nbdgm
    netbios-ssn     139/tcp     nbssn
    imap            143/tcp     # imap network mail protocol
    NeWS            144/tcp     news      # Window System
    snmp            161/udp
    snmp-trap       162/udp

7. Exercises and Summary

Registering a service with xinetd

1. Write a bash script that echoes "Welcome" to stdout. Save it in /usr/sbin/hi

    #!/bin/bash
    echo Welcome

Change the permission on the script to make it executable.

2. In /etc/xinetd.d create a new file called fudge with the following:

    service fudge
    {
        socket_type = stream
        server      = /usr/sbin/hi
        user        = root
        wait        = no
        disable     = no
    }

3. Add a service called fudge in /etc/services that will use port 60000.

4. Restart xinetd and telnet to port 60000.

5. You have been assigned a range of IPs on the 83.10.11.0/27 network. How many networks have the same first 3 bytes as yours? How many hosts are on your network? What is the broadcast address for this first network?
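The portscan listing and the /etc/services table of this section turned into a check, as an added example that is not part of the manual: every open port is resolved through an /etc/services-style table, classified as privileged or not (the 1 to 1023 rule above), and reported when it is not in the set of ports you intended to expose. Both the services fragment and the scan output are constructed from the page (the fudge entry is the one registered in the exercise); a real run would read /etc/services and a saved scan of your own host.

```shell
#!/bin/sh
# Added example (not part of the LinuxIT manual): compare a portscan listing
# with the ports you intended to expose, resolving names through an
# /etc/services-style table. All inputs are constructed from the page.

# /etc/services fragment (name port/proto); a real run would read /etc/services
SERVICES='ftp 21/tcp
ssh 22/tcp
telnet 23/tcp
smtp 25/tcp
http 80/tcp
fudge 60000/tcp'

# Portscan output in the "Port State Service" shape shown above
SCAN='21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
70/tcp open gopher
79/tcp open finger
80/tcp open http
60000/tcp open unknown'

# service_name 22/tcp -> ssh, or "unknown" when the table has no entry
service_name() {
    printf '%s\n' "$SERVICES" |
        awk -v p="$1" '$2 == p { print $1; found = 1; exit } END { if (!found) print "unknown" }'
}

# port_class 22/tcp -> privileged (1-1023, only root may bind) or unprivileged
port_class() {
    n=${1%%/*}
    if [ "$n" -ge 1 ] && [ "$n" -le 1023 ]; then echo privileged; else echo unprivileged; fi
}

# unexpected_ports EXPECTED... -> one "port name class" line for every open
# port of the scan that is not in the expected list
unexpected_ports() {
    printf '%s\n' "$SCAN" | while read -r port state rest; do
        [ "$state" = open ] || continue
        case " $* " in *" $port "*) continue ;; esac
        echo "$port $(service_name "$port") $(port_class "$port")"
    done
}

echo "Open ports not in the expected set (22/tcp 25/tcp 80/tcp):"
unexpected_ports 22/tcp 25/tcp 80/tcp
```

Anything the scan shows that neither /etc/services nor the expected list explains (here 70/tcp, 79/tcp and 60000/tcp) is what a follow-up with netstat -p on the host should account for.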
Network Services

Prerequisite
  Booting Linux (p.14)
  Network Configuration (p.36)

Goals
  Understand the difference between inetd and xinetd
  Use the libwrap or "TCP wrapper" mechanism to secure services
  Configure NFS and SMB shares
  Configure network services: DNS (BIND), Sendmail and Apache

Contents
  1. The inetd daemon (old)
  2. The xinetd daemon
  3. Telnet and FTP
  4. TCP wrappers
  5. Setting up NFS
  6. SMB and NMB
  7. DNS services
  8. Sendmail main configuration
  9. The Apache server
  10. Exercises and Summary

Network services can either run continuously as standalone daemons which listen for connections and handle clients directly, or they can be started on demand by the network "super-server" inetd (old) or xinetd.

1. The inetd daemon (old)

This daemon is started at boot time and listens for connections on specific ports. This allows the server to run a specific network daemon only when needed. For example, the telnet service has a daemon /usr/sbin/in.telnetd which handles telnet sessions. Instead of running this daemon all the time, inetd is instructed to listen on port 23 and to start in.telnetd when a connection arrives. These instructions are set in /etc/inetd.conf.

The fields of /etc/inetd.conf are the following:

    service-name   a valid name from /etc/services
    socket type    stream for TCP and dgram for UDP
    protocol       a valid protocol from /etc/protocols
    flag           nowait if inetd keeps listening and starts a new server process for every connection; wait if the server is single-threaded and inetd must wait for it to exit before listening again
    user[.group]   run the application as this user (and group)
    program        usually tcpd, the TCP wrapper, which checks /etc/hosts.allow and /etc/hosts.deny and then executes the real daemon
    argument       the name of the program to be run for this service, followed by its arguments

Example:

    pop-3   stream  tcp  nowait  root  /usr/sbin/tcpd  ipop3d

Notice: The /etc/services file is used to make the correspondence between service names and socket port numbers. The fields in /etc/services are as follows:

    service-name   port/protocol   [aliases]
2. The xinetd daemon

xinetd (the "extended internet services daemon") replaces inetd. The separate tcpd wrapper is no longer needed because xinetd is linked with libwrap itself and additionally applies its own per-service access lists (only_from, no_access), connection rate limits and logging. Configuration is done either through a single file /etc/xinetd.conf or by editing individual files in /etc/xinetd.d/, one per service managed by xinetd. An existing /etc/inetd.conf can be migrated to the xinetd format (xinetd ships the xconv.pl script for this); after that xinetd needs nothing more than a restart.

Structure of a service file in /etc/xinetd.d:

    service-name
    {
        disable     = yes/no
        socket_type = stream for TCP and dgram for UDP
        protocol    = a valid protocol from /etc/protocols
        wait        = yes or no
        user        = the user the application runs as
        group       = the group the application runs as
        server      = the name of the program to be run for this service
    }

3. Telnet and FTP

Telnet and ftp are common examples of services using the inetd/xinetd mechanism to listen for incoming connections.

TELNET is the name of the application layer protocol used to establish a "bi-directional communication facility" (RFC 854). "Its primary goal is to allow a standard method of interfacing terminal devices and terminal-oriented processes to each other". The server runs a telnet daemon (usually in.telnetd) and communications are initiated from the client using a telnet client (also called telnet). For RPM based machines the server package is called telnet-server and the client package is called telnet. Keep in mind that telnet sends the login name, the password and the whole session in clear text; on anything but an isolated lab network it should be replaced by ssh.

Once the telnet-server package is installed, the configuration file /etc/inetd.conf or /etc/xinetd.conf needs the following entry:

/etc/inetd.conf (for the inetd daemon):

    telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd

/etc/xinetd.conf (for the xinetd daemon):

    service telnet
    {
        disable        = no
        flags          = REUSE
        socket_type    = stream
        wait           = no
        user           = root
        server         = /usr/sbin/in.telnetd
        log_on_failure += USERID
    }

The next command attempts to connect to the host 192.168.10.23. Notice that the content of /etc/issue.net is also displayed; a banner that announces the exact distribution and kernel version to anyone who connects is a gift to an attacker, so keep it generic on exposed hosts:

    telnet 192.168.10.23
    Trying 192.168.10.23...
    Connected to ws001 (192.168.10.23).
    Escape character is '^]'.
    Fedora Core release 3 (Heidelberg)
    Kernel 2.6.11-1.10_FC3 on an i686
    login:

FTP is the "file transfer protocol". The objectives of this application layer protocol stated in RFC 959 are "1) to promote sharing of files (computer programs and/or data), 2) to encourage indirect or implicit (via programs) use of remote computers, 3) to shield a user from variations in file storage systems among hosts, and 4) to transfer data reliably and efficiently".

There are several ftp servers available for Linux. In these notes we choose to configure vsftpd (the "very secure FTP daemon"), which is available as a package of the same name. There are many FTP clients, provided by the packages ftp, ncftp, lftp or gftp (graphical). Like telnet, plain FTP transmits credentials in clear text.
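The telnet entries above show the same service written for inetd and for xinetd. As an added example (not from the manual, and not xinetd's own xconv.pl), the following sh function turns one line of /etc/inetd.conf into an xinetd stanza, which makes the mapping between the fields of section 1 and the keys of section 2 explicit. It drops tcpd because xinetd applies libwrap itself, and it assumes that a bare daemon name handed to tcpd lives in /usr/sbin.

```sh
#!/bin/sh
# Added example, not part of the LinuxIT manual or of xinetd (which ships its
# own converter, xconv.pl): rewrite one /etc/inetd.conf line as an xinetd
# service stanza, making the mapping of the seven inetd fields explicit.
# Assumption made here: a bare program name given to tcpd lives in /usr/sbin.

# inetd_to_xinetd 'name socket proto flag user[.group] program [args...]'
inetd_to_xinetd() (
    set -f                                    # the line holds no shell globs
    set -- $1
    [ $# -ge 6 ] || { echo "error: an inetd.conf line has at least 6 fields" >&2; exit 1; }
    name=$1 socket=$2 proto=$3 flag=$4 user=$5 prog=$6
    shift 6                                   # $@ is now the argument list
    case $user in                             # inetd: user.group, xinetd: two keys
        *.*) group=${user#*.}; user=${user%%.*} ;;
        *)   group= ;;
    esac
    case $flag in                             # nowait[.max] -> wait = no
        nowait*) wait=no ;;
        wait*)   wait=yes ;;
        *) echo "error: unknown flag '$flag'" >&2; exit 1 ;;
    esac
    case $prog in
        tcpd|*/tcpd)                          # xinetd has libwrap built in: drop tcpd,
            prog=$1; shift                    # the real daemon is the first argument
            case $prog in /*) ;; *) prog=/usr/sbin/$prog ;; esac ;;
        internal) prog= ;;                    # inetd built-in services (echo, chargen ...)
    esac
    printf 'service %s\n{\n' "$name"
    printf '\tsocket_type = %s\n\tprotocol    = %s\n\twait        = %s\n' "$socket" "$proto" "$wait"
    printf '\tuser        = %s\n' "$user"
    if [ -n "$group" ]; then printf '\tgroup       = %s\n' "$group"; fi
    if [ -n "$prog" ]; then
        printf '\tserver      = %s\n' "$prog"
        if [ $# -gt 0 ]; then printf '\tserver_args = %s\n' "$*"; fi
    else
        printf '\ttype        = INTERNAL\n'
    fi
    printf '\tdisable     = no\n}\n'
)

# The telnet line from this section, converted:
inetd_to_xinetd 'telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd'
```

The stanza it produces for the telnet line lacks flags = REUSE and log_on_failure += USERID: those are xinetd-only settings with no inetd.conf counterpart and have to be added by hand, as in the stanza shown above.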
vsftpd can be started as a standalone server (recommended) but can also use inetd or xinetd to handle incoming connections, with the following options:

/etc/vsftpd/vsftpd.conf:

    listen=NO

/etc/inetd.conf:

    ftp  stream  tcp  nowait  root  /usr/sbin/tcpd  /usr/sbin/vsftpd

/etc/xinetd.conf:

    service ftp
    {
        socket_type = stream
        wait        = no
        user        = root
        server      = /usr/sbin/vsftpd
        nice        = 10
        disable     = yes
    }

As shipped, the xinetd entry has disable = yes; set it to no to activate the service. It is possible to log onto an FTP server either as an anonymous user or as a regular system user (e.g. a user with an entry in /etc/passwd). Anonymous FTP allows a user to log in with the username-password pair anonymous and email-address. A regular user will initially have access to his or her home directory, whereas anonymous users can only browse the contents of /var/ftp/.

    ftp 192.168.10.23
    Connected to 192.168.10.23.
    220 (vsFTPd 2.0.1)
    530 Please login with USER and PASS.
    KERBEROS_V4 rejected as an authentication type
    Name (192.168.10.23:tux):

4. TCP wrappers

If programs have been compiled with the libwrap library then they can be listed in the files /etc/hosts.allow and /etc/hosts.deny. The libwrap library checks these files for a matching host before the service is started: /etc/hosts.allow is consulted first and the first matching rule grants access; otherwise /etc/hosts.deny is consulted and the first matching rule refuses it; if neither file matches, access is granted. Because of that last step a host with no rule at all is let in, so a restrictive setup normally ends /etc/hosts.deny with ALL: ALL.

Default format for /etc/hosts.{allow,deny}:

    DAEMON : hosts [EXCEPT hosts] [: spawn command]

One can also use these files to log unauthorised connection attempts. This can also help as an early warning system. Here are a few examples.

Getting information about a host:

    /etc/hosts.allow
    in.telnetd: LOCAL, .my.domain

    /etc/hosts.deny
    in.telnetd: ALL : spawn (/usr/sbin/safe_finger -l @%h | mail root)

Redirect to a bogus service or "honey pot":

    /etc/hosts.allow
    in.telnetd: ALL : twist /dtk/Telnetd.pl

The last example comes from the dtk (Deception Tool Kit), which can be downloaded from http://all.net/dtk/download.html

The inetd and xinetd daemons, as well as some standalone servers such as sshd and vsftpd, have been dynamically linked with libwrap. Check with ldd, since a server that is not linked against libwrap silently ignores the two files:

    ldd /usr/sbin/xinetd | grep libwrap
            libwrap.so.0 => /usr/lib/libwrap.so.0 (0x003da000)
    ldd /usr/sbin/vsftpd | grep libwrap
            libwrap.so.0 => /usr/lib/libwrap.so.0 (0x00204000)

5. Setting up NFS

Client settings

For a Linux client to mount remote file systems:

1. the nfs file system must be supported by the kernel
2. the portmap daemon must be running. The portmapper is started by the /etc/rc.d/init.d/portmap script.

The mount utility will mount the filesystem. For example we can create a new directory called /mnt/nfs and mount a shared directory from the server nfs-server called /shared/dir. This can be done by adding the following line to /etc/fstab:

    /etc/fstab
    nfs-server:/shared/dir   /mnt/nfs   nfs   defaults   0 0

If no entry is set in /etc/fstab then the complete command would be:

    mount -t nfs nfs-server:/shared/dir /mnt/nfs

Server settings

An NFS server needs portmap to be running before starting the nfs server. The nfs server should be started or stopped with the /etc/rc.d/init.d/nfs script. The main configuration file is /etc/exports.

Sample /etc/exports file:

    /usr/local/docs   *.local.org(rw,no_root_squash) *(ro)

The /usr/local/docs directory is exported to all hosts as read-only, and read-write to all hosts in the .local.org domain. Note that a client specification and its option list must be written without spaces: "host (rw)" with a space is parsed as two entries, host with the default options and "(rw)" for every host in the world.
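To make the lookup order of the wrapper rules concrete, here is an added example that is not part of the manual and not libwrap's code: a reduced model of the hosts.allow / hosts.deny decision in sh. It evaluates the daemon list, the patterns ALL, LOCAL, ".domain" suffix and "n.n.n." network prefix, and the three-step order (allow file, then deny file, then permit). EXCEPT lists, netmasks and the spawn/twist actions are not modelled. Both rule sets are constructed sample data in the style of the examples above.

```sh
#!/bin/sh
# Added example, not part of the LinuxIT manual or of libwrap: a reduced
# model of the hosts.allow / hosts.deny decision, written to show the lookup
# order (allow file, then deny file, then permit) and the client patterns
# ALL, LOCAL, ".domain" suffix and "n.n.n." network prefix. EXCEPT lists,
# netmasks and the spawn/twist options are not evaluated here. Both rule
# sets below are constructed sample data.

set -f                                   # rule patterns are not shell globs

ALLOW_RULES='in.telnetd : LOCAL, .my.domain
sshd : 192.168.10.
ALL : localhost'

DENY_RULES='in.telnetd : ALL : spawn (/usr/sbin/safe_finger -l @%h | mail root)
sshd : ALL'

# pattern_matches PATTERN HOSTNAME IP
pattern_matches() {
    case $1 in
        ALL)   return 0 ;;
        LOCAL) case $2 in *.*) return 1 ;; *) return 0 ;; esac ;;   # no dot: same domain
        .*)    case $2 in *"$1") return 0 ;; esac ;;                # domain suffix
        *.)    case $3 in "$1"*) return 0 ;; esac ;;                # network prefix
        *)     if [ "$1" = "$2" ] || [ "$1" = "$3" ]; then return 0; fi ;;
    esac
    return 1
}

# daemon_matches 'LIST' DAEMON  /  client_matches 'LIST' HOSTNAME IP
daemon_matches() {
    for item in $(printf '%s' "$1" | tr ',' ' '); do
        if [ "$item" = ALL ] || [ "$item" = "$2" ]; then return 0; fi
    done
    return 1
}
client_matches() {
    for item in $(printf '%s' "$1" | tr ',' ' '); do
        if pattern_matches "$item" "$2" "$3"; then return 0; fi
    done
    return 1
}

# rules_match 'RULES' DAEMON HOSTNAME IP: true if any rule line matches
rules_match() {
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        daemons=${line%%:*}
        rest=${line#*:}
        clients=${rest%%:*}                  # drop ": spawn ..." and ": twist ..."
        if daemon_matches "$daemons" "$2" && client_matches "$clients" "$3" "$4"; then
            return 0
        fi
    done <<EOF
$1
EOF
    return 1
}

# wrap_access DAEMON HOSTNAME IP -> allow | deny
wrap_access() {
    if rules_match "$ALLOW_RULES" "$1" "$2" "$3"; then echo allow
    elif rules_match "$DENY_RULES" "$1" "$2" "$3"; then echo deny
    else echo allow                           # no rule anywhere: libwrap lets it in
    fi
}

wrap_access in.telnetd ws001 192.168.10.23          # LOCAL -> allow
wrap_access in.telnetd evil.example.org 10.0.0.5    # deny (and the spawn would fire)
wrap_access in.ftpd evil.example.org 10.0.0.5       # allow: no rule at all
```

The last call is the point of the exercise: a daemon that appears in neither file is admitted from anywhere, so the only safe default is an explicit ALL: ALL at the end of /etc/hosts.deny. Real libwrap also honours EXCEPT, netmasks, KNOWN/UNKNOWN and the spawn and twist actions, none of which are modelled here.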
The default root_squash option maps requests from uid 0 on the client to the anonymous user (nobody) on the server, so that a client's root cannot act as root on the exported tree; no_root_squash switches this off. Use no_root_squash only when the client is as trusted as the server itself, because it turns root on any listed client into root over the whole export.

The /etc/exports file matches hosts such as *.machine.com whereas /etc/hosts.allow and /etc/hosts.deny match hosts such as .machine.com. If the /etc/exports file has been changed then the exportfs utility should be run. If existing directories in /etc/exports are modified then it may be necessary to unmount all nfs shares before remounting them all. Individual directories are made available for mounting with exportfs.

Unexporting and re-exporting all directories in /etc/exports:

    exportfs -ua
    exportfs -a
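As an added example (not the manual's text and not nfs-utils code), the following sh function runs a lint pass over /etc/exports text and reports the three mistakes discussed above: no_root_squash, read/write for every host, and the "host (opts)" spelling with a space that exports(5) reads as two separate entries. The input is a constructed sample; the checks follow exports(5).

```sh
#!/bin/sh
# Added example, not part of the LinuxIT manual or of nfs-utils: a lint pass
# over /etc/exports text that reports the mistakes which most often turn an
# export into a world-readable or world-writable share. The input is a
# constructed sample; the checks follow exports(5).

SAMPLE_EXPORTS='# constructed /etc/exports for the example
/usr/local/docs   *.local.org(rw,no_root_squash) *(ro)
/home             192.168.10.0/24(rw,sync)
/srv/backup       backup.local.org (rw)
/tmp/scratch      (rw,no_root_squash)
/srv/www          *(rw)'

# audit_exports "TEXT": prints one finding per line as "PATH: message"
audit_exports() (
    set -f                                   # "*" in exports is not a shell glob
    while read -r path clients; do
        case $path in ''|'#'*) continue ;; esac
        if [ -z "$clients" ]; then
            echo "$path: no client list"
            continue
        fi
        for spec in $clients; do
            case $spec in
                *'('*) host=${spec%%\(*}; opts=${spec#*\(}; opts=${opts%\)} ;;
                *)     host=$spec; opts= ;;
            esac
            if [ -z "$host" ]; then
                # "host (opts)" with a space: exports(5) reads this as two entries,
                # the host with default options and "(opts)" for EVERY host.
                echo "$path: options ($opts) are not attached to a host and apply to every host"
                host='<every host>'
            fi
            case ",$opts," in
                *,no_root_squash,*) echo "$path: $host has no_root_squash (client root is root on the export)" ;;
            esac
            case $host in
                '*'|'<every host>')
                    case ",$opts," in
                        *,rw,*) echo "$path: read/write for every host" ;;
                    esac ;;
            esac
        done
    done <<EOF
$1
EOF
)

audit_exports "$SAMPLE_EXPORTS"
```

On a real server run it as audit_exports "$(cat /etc/exports)". The /srv/backup line is the case to remember: the administrator meant to give one host read/write access and instead gave it to the world.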
6. SMB and NMB

Linux machines can access and provide Windows shared resources (directories and printers). The protocol used for this is the MS Windows Server Message Block, SMB. Samba is the most common Linux tool which provides client and server software.

From the command line

The smbclient utility is used to list shared resources. Remote directories are typically mounted with smbmount, although 'mount -t smbfs' can also be used.

Examples:

Send a pop-up message to the win98desk computer:

    smbclient -M win98desk

Mount the shared directory of the winserv computer:

    smbmount //winserv/shared /mnt/winserv/shared

The Samba server is configured with the /etc/smb.conf file (/etc/samba/smb.conf on more recent distributions). The server is stopped and started with the /etc/rc.d/init.d/smb script. Notice that smb also starts the NMB service, nmbd, the NetBIOS name server which provides name resolution and browsing in the Windows realm.

Figure 1: Nautilus browsing SMB shares (screenshot not reproduced here).

Main entries in /etc/smb.conf:

    [global]
        workgroup = LINUXIT
        os level = 2
        kernel oplocks = No
        security = user
        encrypt passwords = Yes
        guest account = nobody
        map to guest = Bad User

    [homes]
        comment = Home Directories
        read only = No
        create mask = 0640
        directory mask = 0750
        browseable = No

    [printers]
        comment = All Printers
        path = /var/tmp
        create mask = 0600
        printable = Yes
        browseable = No

security = user (every client authenticates as a user against Samba's password database) and encrypt passwords = Yes are the settings to keep; the old security = share mode and clear-text passwords should not be used.

SWAT and Webmin GUI configuration

If you install the swat package then you can administer a samba server via a web-based GUI on port 901. Another popular general administration tool is webmin. It can be downloaded at www.webmin.com. SWAT authenticates with the root password over plain HTTP, so restrict it to localhost or reach it through an ssh tunnel; webmin should be configured to use SSL.

NOTICE: The configuration file /etc/samba/smb.conf is a good source of documentation. All options are explained and can be switched on by deleting the comment character (';' or '#'). Also read the smb.conf(5) manpage.
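The following added example (not from the manual, and not Samba code) is a small lint pass over smb.conf text. It flags the two [global] settings that weaken authentication (security = share and encrypt passwords = No) and every share that is both guest-accessible and writable, the combination used deliberately by the [public] share in the exercises at the end of this chapter. The configuration it reads is a constructed sample.

```sh
#!/bin/sh
# Added example, not part of the LinuxIT manual or of Samba: a small lint
# pass over smb.conf text. It flags the two [global] settings that weaken
# authentication (security = share, encrypt passwords = No) and every share
# that is both guest-accessible and writable. The configuration below is a
# constructed sample.

SAMPLE_SMB_CONF='[global]
   workgroup = LINUXIT
   security = share
   encrypt passwords = No
   guest account = nobody

[homes]
   comment = Home Directories
   read only = No
   browseable = No

[public]
   comment = Example Shared Directory
   path = /home/samba
   guest ok = yes
   writeable = yes

[docs]
   path = /srv/docs
   guest ok = yes
   read only = yes'

# smb_audit "TEXT": one finding per line
smb_audit() (
    section= guest= write= security= encrypt=
    # report: evaluate the section just finished
    report() {
        [ -n "$section" ] || return 0
        if [ "$section" = global ]; then
            if [ "$security" = share ]; then
                echo "[global]: security = share, clients are not authenticated as users"
            fi
            if [ "$encrypt" = no ]; then
                echo "[global]: encrypt passwords = no, passwords cross the wire in clear text"
            fi
        elif [ "$guest" = yes ] && [ "$write" = yes ]; then
            echo "[$section]: guest ok and writable, anyone on the network can write here"
        fi
        return 0
    }
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//')
        case $line in
            ''|';'*|'#'*) continue ;;
            '['*']')                          # new section: judge the previous one
                report
                section=${line#\[}; section=${section%\]}
                guest= write= ;;
            *=*)                              # "key = value", normalised to lower case
                key=$(printf '%s' "${line%%=*}" | tr 'A-Z' 'a-z' | tr -d ' \t')
                val=$(printf '%s' "${line#*=}"  | tr 'A-Z' 'a-z' | tr -d ' \t')
                case $val in yes|true|1) val=yes ;; no|false|0) val=no ;; esac
                case $key in
                    guestok|public)        guest=$val ;;
                    writeable|writable)    write=$val ;;
                    readonly)              if [ "$val" = no ]; then write=yes; else write=no; fi ;;
                    security)              security=$val ;;
                    encryptpasswords)      encrypt=$val ;;
                esac ;;
        esac
    done <<EOF
$1
EOF
    report
)

smb_audit "$SAMPLE_SMB_CONF"
```

Samba accepts several spellings for the same idea (writeable, writable, read only = No, public as a synonym of guest ok), which is why the function normalises keys and values before comparing; an audit that only looks for one spelling misses shares.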
7. DNS services

Finding a name with /etc/nsswitch.conf

The file /etc/nsswitch.conf (previously /etc/host.conf) holds all the information needed by an application to find a name. The types of names are designated by a keyword.

Common names:

    keyword    description
    passwd     user names
    group      group names
    hosts      host names
    networks   network names

Names are searched in a number of "databases". Each database is accessed through a specialised library. For example there are libraries called libnss_files, libnss_nis and libnss_dns to deal with each of the databases listed below.

Common databases:

    keyword    description
    files      flat files, generally in /etc
    nis        a map from a NIS server
    dns        a DNS server

Figure: the name lookup path (diagram not reproduced). The application calls the C library, which reads /etc/nsswitch.conf; for each database listed there it loads the matching module (files -> libnss_files, nis -> libnss_nis, dns -> libnss_dns); libnss_dns in turn uses libresolv, which reads /etc/resolv.conf to obtain the list of DNS servers.

Sample /etc/nsswitch.conf:

    hosts:      files dns
    networks:   files nis ldap

The first line indicates that files (here /etc/hosts) should be queried first and then a DNS server if this fails. The second line instructs the library to use the /etc/networks file for network information, then NIS, then LDAP.

The resolver

When a program needs to resolve a host name using a DNS server it uses a library called the resolver. The resolver consults the /etc/resolv.conf file for the list of name servers to query and for the domains to search.

Sample /etc/resolv.conf:

    search example.com
    nameserver 192.168.123.1

The /etc/hosts file

With a small number of networked computers it is possible to convert decimal IP numbers into names using the /etc/hosts file. The fields are as follows:

    IP   machine   machine.domain   alias

Example /etc/hosts file:

    192.168.1.233    io          io.my.domain
    61.20.187.42     callisto    callisto.physics.edu

Hierarchical structure

Name servers have a hierarchical structure. Depending on the location in the fully qualified domain name (FQDN) a domain is called top-level, second-level or third-level.

Example top-level domains:

    com    Commercial organisations
    edu    US educational institutions
    gov    US government institutions
    mil    US military institutions
    net    Gateways and network providers
    org    Non commercial sites
    uk     UK sites

Types of DNS servers

Domains can be further divided into sub-domains. This limits the amount of information needed to administer a domain. Zones have a master domain name server (previously called a primary DNS) and one or several slave domain name servers (previously called secondary). Administration of a name server consists of updating the information about a particular zone on the master; the slaves copy it by zone transfer. Both master and slave servers are authoritative for the zone, unlike a caching server, which only relays answers obtained from authoritative servers.
DNS configuration files

In old versions of BIND (prior to BIND version 8) the configuration file was /etc/named.boot. With BIND version 8 the /etc/named.conf file is used instead. One can use the named-bootconf.pl utility to convert old configuration files.

The /etc/named.boot file:

    directory   /var/named
    cache       .                        named.ca
    primary     myco.org                 named.myco
    primary     0.0.127.in-addr.arpa     named.local
    primary     1.168.192.in-addr.arpa   named.rev

The first line defines the base directory to be used. The named.ca file contains the "root hints", the names and IP addresses of the root name servers from which the server starts resolving external names. The third line is optional and contains the records for the local LAN. The two next entries are for reverse lookups.

In /etc/named.conf:

    cache       is replaced by   hint
    secondary   is replaced by   slave
    primary     is replaced by   master

Applying these changes to BIND 4 configuration files will generate BIND 8 and BIND 9 files such as the following.

The /etc/named.conf file:

    options {
        directory "/var/named";
    };
    zone "." {
        type hint;
        file "named.ca";
    };
    zone "myco.org" {
        type master;
        file "named.myco";
    };
    zone "1.168.192.in-addr.arpa" {
        type master;
        file "named.rev";
    };
    zone "0.0.127.in-addr.arpa" {
        type master;
        file "named.local";
    };

DNS zone files

In this example the server is authoritative (master) for myco.org and for the two reverse zones, and acts as a caching server for every other name, which it resolves starting from the root hints. A caching-only server would carry just the hint zone and the localhost zones. All the zone files contain resource records.

Sample named.local zone file:

    @   IN  SOA  localhost. root.localhost. (
                 2001022800  ; Serial
                 28800       ; Refresh
                 14400       ; Retry
                 3600000     ; Expire
                 86400 )     ; Minimum
        IN  NS   localhost.
    1   IN  PTR  localhost.

This is a very simple zone file but it gives us enough information to understand the basic mechanism of a name server.

The @ sign stands for the origin of the zone, i.e. the zone name declared for this file in /etc/named.conf. This allows any zone file to be used as a template for further zones (see the exercises).

Table 1: Common record types

    NS      The authoritative name servers of the zone
    PTR     Reverse mapping of IP numbers to hostnames
    MX      Mail exchange record
    A       Associate an IP address with a hostname
    CNAME   Associate an alias with the host's main name

Table 2: Zone parameters

    @ IN SOA   Start Of Authority. Identifies the zone, followed by the parameters enclosed in brackets.
    serial     Is manually incremented when data is changed. Secondary servers query the master server's serial number. If it has changed, the entire zone file is downloaded. The usual convention is YYYYMMDDnn (date plus revision), which stays monotonic as long as you never edit a zone without bumping it.
    refresh    Time in seconds before the secondary server should query the SOA record of the primary domain. A few hours to a day is usual.
    retry      Time interval in seconds before attempting a new zone transfer if the previous download failed. It must be shorter than refresh.
    expire     Time after which the secondary server discards all zone data if it cannot contact the primary server. Should be a week at least, and always longer than refresh plus retry.
    minimum    In BIND 8 and later this field is the negative caching TTL (how long "no such name" answers may be cached); the default TTL of the records themselves is set by a $TTL directive at the top of the file, which BIND 9 zone files should always carry. A TTL of one day (86400 seconds) is typical and can be longer on stable LANs.
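The relationships in Table 2 are easy to state and easy to get wrong in a real file. The following added example (not part of the manual, not BIND code) reads the SOA timers out of zone-file text, checks them against the rules given in the table, and computes the next serial number for a date-based scheme. Both zone texts are constructed; the first reproduces the named.local sample above.

```sh
#!/bin/sh
# Added example, not part of the LinuxIT manual or of BIND: read the SOA
# timers out of zone-file text and check them against the rules given in
# Table 2 (retry shorter than refresh, expire longer than refresh plus retry
# and at least a week, serial in YYYYMMDDnn form), then compute the next
# serial the way a date-based scheme requires. Both zone texts are constructed.

SAMPLE_ZONE='@   IN  SOA  localhost. root.localhost. (
                 2001022800  ; Serial
                 28800       ; Refresh
                 14400       ; Retry
                 3600000     ; Expire
                 86400 )     ; Minimum
    IN  NS   localhost.
1   IN  PTR  localhost.'

BAD_ZONE='@   IN  SOA  ns1.example.com. hostmaster.example.com. (
                 1       ; serial never bumped
                 3600    ; refresh
                 7200    ; retry longer than refresh
                 7200    ; expire far too short
                 3600 )  ; minimum'

# soa_fields "ZONETEXT" -> "serial refresh retry expire minimum"
soa_fields() (
    set -f
    set -- $(printf '%s\n' "$1" | sed 's/;.*//' | tr -d '()' | tr '\n' ' ')   # strip comments, join lines
    while [ $# -gt 0 ] && [ "$1" != SOA ]; do shift; done
    [ $# -ge 8 ] || exit 1                   # SOA mname rname + five numbers
    echo "$4 $5 $6 $7 $8"
)

# check_soa "ZONETEXT": prints one line per problem, returns 1 if any
check_soa() {
    fields=$(soa_fields "$1") || { echo "no SOA record found"; return 2; }
    set -- $fields
    serial=$1 refresh=$2 retry=$3 expire=$4
    bad=0
    if [ "$retry" -ge "$refresh" ]; then
        echo "retry ($retry) should be shorter than refresh ($refresh)"; bad=1
    fi
    if [ "$expire" -le $(( refresh + retry )) ]; then
        echo "expire ($expire) must exceed refresh + retry ($(( refresh + retry )))"; bad=1
    fi
    if [ "$expire" -lt 604800 ]; then
        echo "expire ($expire) is below one week"; bad=1
    fi
    case $serial in
        [12][0-9][0-9][0-9][01][0-9][0-3][0-9][0-9][0-9]) ;;
        *) echo "serial $serial is not in YYYYMMDDnn form"; bad=1 ;;
    esac
    return $bad
}

# next_serial CURRENT YYYYMMDD: today's date with revision 00, or current+1
# if the zone was already edited today (or carries a future date).
next_serial() {
    today=${2}00
    if [ "$1" -lt "$today" ]; then echo "$today"; else echo $(( $1 + 1 )); fi
}

check_soa "$SAMPLE_ZONE" && echo "named.local SOA looks sane"
check_soa "$BAD_ZONE"
next_serial 2001022800 20050614
```

named-checkzone(8) from BIND 9 performs a stricter version of these checks; the script is here to make the relationships between the five timers concrete, and next_serial shows why a date-based serial must be compared against the current value rather than simply regenerated.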
Testing

Here we only check the records of type MX. Other types are ANY, A or NS.

Check the local domain: dig and host do the same thing, except that dig prints results in a form that can be pasted into a zone file:

    dig @127.0.0.1 gogo.com MX
    host -t mx gogo.com 127.0.0.1

Use the local caching server to query any domain: replace the domain gogo.com in the commands above with any other domain you wish to query.

8. Sendmail main configuration

Sendmail is the most popular mail transfer agent (MTA) on the Internet. It uses the Simple Mail Transfer Protocol (SMTP) and runs as a daemon listening for connections on port 25. The sendmail script which stops or starts the sendmail daemon is usually located in the /etc/rc.d/init.d/ directory.

Configuration features

The main configuration file is /etc/mail/sendmail.cf (or /etc/sendmail.cf). Here you can specify the name of the server as well as the hosts from which and to which mail relay is allowed.

WARNING: You do not need to know how to write sendmail.cf rules. In fact all the rules can be generated from the sendmail.mc (or sendmail.m4) macro file to produce a sendmail.cf file by running the following:

    m4 sendmail.mc > sendmail.cf

This process is not part of the LPI objectives.

sendmail.cf options:

    Cw   the mailer hostname. Can also contain a list of hostnames or domain names the mailer will accept mail for, but it is better to use Fw for this
    Fw   path to the file containing the domain names sendmail will receive mail for
    DS   address of the "smart host", a mailer that will relay our outgoing mail

Files in /etc/mail:

    access              list of hosts authorised to use the server to relay mail. Keep this list tight: a server that relays for arbitrary clients is an open relay and will be used for spam
    local-host-names    list of domain names this server accepts mail for

Aliases and mail forwarding

The /etc/aliases file contains two fields as follows:

    alias: user

For example if the mail server has a regular UNIX account for user foo then mail addressed to mr.foo will reach this user only if the following line is included in /etc/aliases:

    mr.foo: foo

Or if you want to forward all mail to an external address:

    mr.foo: foo@someisp.net

For other options see the manpage aliases(5). When changes to the /etc/aliases file are made the newaliases command must be run to rebuild the database /etc/aliases.db.

When mail is addressed to a local user (say foo) then this user can choose to forward this mail to a list of other users using a local file ~/.forward (one address per line). In LPI 202 we will see that mail can also be forwarded to a file, a pipe or an include file.
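An alias right-hand side may itself name another alias, so delivery follows a chain. The following added example (not from the manual, and not sendmail's code) expands an alias recursively until only local users and external addresses remain, and stops when an alias refers back to one that is already being expanded. The aliases text is a constructed sample; files, "|commands" and :include: entries, which real sendmail also accepts, are simply passed through unchanged.

```sh
#!/bin/sh
# Added example, not part of the LinuxIT manual or of sendmail: expand an
# alias the way the aliases database resolves it, recursively, until only
# local users and external addresses remain, and stop on alias loops. The
# aliases text is a constructed sample (real sendmail also accepts files,
# "|commands" and :include: on the right-hand side; they are passed through
# unchanged here).

set -f                                   # addresses are not shell globs

SAMPLE_ALIASES='# constructed /etc/aliases
postmaster: root
root: foo
mr.foo: foo
webmaster: mr.foo, bar@someisp.net
ops: foo, bar, ops-extern
ops-extern: ops
loopy: loopy'

# lookup_alias NAME: right-hand side of the alias, or nothing
lookup_alias() {
    esc=$(printf '%s' "$1" | sed 's/[.]/\\./g')            # "." is literal in the name
    printf '%s\n' "$SAMPLE_ALIASES" | sed -n "s/^$esc:[[:space:]]*//p"
}

# expand_alias NAME [SEEN]: prints final recipients, one per line.
# SEEN is the comma-separated chain of aliases already being expanded.
# Exits 1 if a loop was detected somewhere below NAME.
expand_alias() (
    name=$1 seen=${2:-}
    case ",$seen," in
        *",$name,"*) echo "alias loop: ${seen#,} -> $name" >&2; exit 1 ;;
    esac
    rhs=$(lookup_alias "$name")
    if [ -z "$rhs" ]; then
        echo "$name"                          # a local user or an external address
        exit 0
    fi
    status=0
    for addr in $(printf '%s' "$rhs" | tr ',' ' '); do
        expand_alias "$addr" "$seen,$name" || status=1
    done
    exit $status
)

# recipients NAME: deduplicated, sorted final recipient list
recipients() {
    expand_alias "$1" 2>/dev/null | sort -u
}

recipients webmaster       # bar@someisp.net and foo
expand_alias ops           # foo, bar, then a loop report on stderr
```

The subshell body of expand_alias gives every level of the recursion its own name, seen and rhs variables, which plain sh functions would otherwise share; the loop check is the same idea sendmail applies when it refuses "aliasing/forwarding loop broken" deliveries.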
The mail queues

When mail is accepted by the server it is appended to a single mailbox file named after the user. These files are stored in /var/spool/mail/. Depending on the Mail User Agent used (mutt, pine, elm ...), a user can either store these messages in his home directory or download them to another machine.

All outgoing mail is spooled in /var/spool/mqueue. If the network is down or very slow, or if many messages are being sent, then mail accumulates in this queue. You can query the queue with the mailq utility or sendmail -bp. An administrator can flush the server's queue with sendmail -q.

Registering a mailer for a domain

Finally, in order to use a domain name as a valid email address an MX record needs to be added on an authoritative name server for your domain (usually at your ISP). For example if mail.company.com is a mail server, then in order for it to receive mail such as joe@company.com you should have the following configuration:

1. Add company.com to /etc/mail/local-host-names
2. Add the following record to the company.com zone file:

    company.com.   IN   MX   10   mail.company.com.

9. The Apache server

Configuration files

The /etc/httpd/conf/httpd.conf file contains all the configuration settings. Older releases of Apache had two extra files, one called access.conf where restricted directories were declared, and another called srm.conf specifying the server's document root.

Configuration highlights:

    ServerType standalone/inetd
    ServerRoot /etc/httpd
    DocumentRoot /var/www/html

    <Directory /var/www/cgi-bin>
        AllowOverride None
        Options ExecCGI
        Order allow,deny
        Allow from all
    </Directory>

    <VirtualHost 122.234.32.12>
        DocumentRoot /www/docs/server1
        ServerName virtual.mydomain.org
    </VirtualHost>

ServerType only exists in Apache 1.3; Apache 2 always runs standalone and rejects the directive. Options ExecCGI should be granted only to the CGI directory, as here, never to DocumentRoot as a whole, otherwise any file a user can upload under the document tree can be executed by the server.

Running Apache

To stop and start the server one can use the /etc/rc.d/init.d/httpd script. On a busy server it is preferable to use apachectl, especially with the graceful option, which re-reads the configuration and lets the running children finish their current requests before replacing them. Run apachectl configtest first, so that a syntax error does not leave you with a stopped server.

The main log files are in /var/log/httpd/. It may be useful for security reasons to regularly check the error_log and access_log files.

10. Exercises and Summary
Files

    /etc/hosts.allow, /etc/hosts.deny   files used by the libwrap library to determine access to a service from a given host, network or domain
    /etc/aliases                 aliases(5) - describes user ID aliases used by sendmail. Each line is of the form name: addr_1, addr_2, ... where name is a local username to alias and addr_n can be another alias, a local username, a local file name, a command, an include file, or an external address
    /etc/exports                 exports(5) - serves as the access control list for file systems which may be exported to NFS clients. It is used by exportfs(8) to give information to mountd(8) and to the kernel based NFS file server daemon nfsd(8)
    /etc/host.conf               old main configuration file for the resolver (superseded by /etc/nsswitch.conf)
    /etc/hosts                   database of host IPs and names
    /etc/inetd.conf              configuration file for the inetd daemon
    /etc/mail/*                  directory containing all the sendmail configuration files
    /etc/named.boot              configuration file of the BIND 4 version of named
    /etc/named.conf              configuration file of the BIND 8 and 9 versions of named
    /etc/nsswitch.conf           nsswitch.conf(5) - System Databases and Name Service Switch configuration file
    /etc/resolv.conf             list of DNS servers used by the resolver to determine host names
    /etc/sendmail.cf             the main configuration file for sendmail
    Cw                           option within sendmail.cf that specifies the name of the server (may be a domain name)
    DS                           option to specify a smart host in sendmail.cf
    Fw                           option setting the name of the file that contains all the names of the mail server
    /etc/smb.conf                main configuration file for the samba server smbd
    /etc/xinetd.conf             configuration file for the xinetd daemon
    /var/spool/mail/             directory containing received mail for local users
    /var/spool/mqueue            spool directory for outgoing mail
    ~/.forward                   file containing a list of addresses to which mail for a local account is forwarded
    /etc/httpd/conf/access.conf  configuration file containing web directories that need extra identification mechanisms such as htaccess (old)
    /etc/httpd/conf/httpd.conf   main configuration file for the web server daemon httpd
    /etc/httpd/conf/srm.conf     configuration file defining the document root of the web server (old)

Commands

    apachectl   apachectl(8) - Apache HTTP server control interface. On the command line the script will simply pass all the given arguments to the httpd server
    dig         dig(1) - (domain information groper) is a flexible tool for interrogating DNS name servers. It performs DNS lookups and displays the answers that are returned from the name server(s) that were queried
    host        host(1) - a simple utility for performing DNS lookups. It is normally used to convert names to IP addresses and vice versa
    exportfs    exportfs(8) - maintains the current table of exported file systems for NFS. This list is kept in a separate file named /var/lib/nfs/xtab which is read by mountd when a remote host requests access to mount a file tree, and the parts of the list which are active are kept in the kernel's export table
    inetd       see xinetd
    mailq       mailq(1) - prints a summary of the mail messages queued for future delivery
    portmap     portmap(8) - a server that converts RPC program numbers into DARPA protocol port numbers. It must be running in order to make RPC calls. When an RPC server is started, it will tell portmap what port number it is listening to, and what RPC program numbers it is prepared to serve. When a client wishes to make an RPC call to a given program number, it will first contact portmap on the server machine to determine the port number where RPC packets should be sent. portmap must be started before any RPC servers are invoked
    smbclient   smbclient(1) - a client that can "talk" to an SMB/CIFS server. It offers an interface similar to that of the ftp program (see ftp(1)). Operations include things like getting files from the server to the local machine, putting files from the local machine to the server, retrieving directory information from the server and so on
    smbmount    smbmount(8) - mounts a Linux SMB filesystem. It is usually invoked as mount.smbfs by the mount(8) command when using the "-t smbfs" option. This command only works in Linux, and the kernel must support the smbfs filesystem
    sendmail    sendmail(8) - sends a message to one or more recipients, routing the message over whatever networks are necessary. Sendmail does internetwork forwarding as necessary to deliver the message to the correct place
    xinetd      xinetd(8) - performs the same function as inetd: it starts programs that provide Internet services. Instead of having such servers started at system initialization time, and be dormant until a connection request arrives, xinetd is the only daemon process started and it listens on all service ports for the services listed in its configuration file. When a request comes in, xinetd starts the appropriate server. Because of the way it operates, xinetd (as well as inetd) is also referred to as a super-server

Setting up a DNS master server

As an exercise we will install the BIND 9 rpm package (the exact file name depends on your distribution's version) and configure a domain called gogo.com.
1$ 9arry out the following alterations in 2et!2named$!onf+ 9opy,#aste the following paragraphs and alter as follows+ _____________________________________________________________________ 75 LinuxI e!hni!al 'du!ation (entre +etwork Ser4i!es __________________________________________________________ Mone OlocalhostO in [ &ecomes type masterS file Oa2C$"IL$.for.localhostOS \ Mone Ogogo.comO in [ type masterS file Ogogo.MoneOS \ Mone O(.(.'*B.in.addr.arpaO in [ &ecomes type masterS file Oa2C$"IL$.for.'*B.(.(OS \S Mone O*.'=>.'A*.in.addr.arpaO in [ type masterS file O'A*.'=>.*.MoneOS \S 2$ In 24ar2named7 cp WH#D%ILD1!or1(2M.0.0 (L2.(<;.2.8one cp WH#D%ILD1!or1)oca)host gogo.8one %$ 9hange the appropriate fields in the new Mone files. Add a host called harissa. .$ Add the line Inameserver '*B.(.(.'J to 2et!2resol4$!onf. 5$ <se host to resolve harissa.gogo.com
<pache administration @asic configurations in ,etc,httpd,conf,httpd.conf '. 9hange the port directive Port from 30 to 3030. &If you are using http* then change the Listen directive). *. 9heck that apache is responding with telnet lo!alhost 3030. :ou should get+ Trying (2M.0.0.(... Connected to )oca)host.)inuxit.org. Dscape character is XY7X. Cext type RG' 2F to download the index file. 3. /et IStartSer4erQ to '7. 4estart the htt#d and check that '7 processes are started &instead of the default >) I# based virtual server
:our ethernet card must be aliased to a new I# &say ne#--0) i!con!ig eth0=0 ne&-I(
Add the following paragraph to 2et!2htt#d2!onf2htt#d$!onf+ _____________________________________________________________________ 76 LinuxI e!hni!al 'du!ation (entre +etwork Ser4i!es __________________________________________________________ 4'irtua).ost ne&-I(5 &ocumentCoot *ar,,,htm)*irtua) +er*er#ame )))$ 4'irtua).ost5 Settin& up a shared S85 directory In most cases you wonFt need to add smbusers to the system to do this. /imply edit smb$!onf and add the following+ 6pub)ic7 comment I Dxamp)e +hared &irectory path I homesamba guest o0 I yes ,riteab)e I yes /etting up a shared printer+ 6g)oba)7 111 snip 111 printcap name I etcprintcap )oad printers I yes 6printers7 comment I /)) Printers path I *arspoo)samba bro,seab)e I no B +et pub)ic I yes to a))o, user Xguest accountX to print guest o0 I yes ,ritab)e I no printab)e I yes _____________________________________________________________________ 77 LinuxI e!hni!al 'du!ation (entre -ash S!ri#tin" __________________________________________________________ 5ash Scriptin& Prere6uisite Cone Goals 4eview the main configuration files associated with the bash shell 1rite and execute shell scripts /yntax for logical evaluations! flow controls and loops Miscellaneous features &Cot part of the L#I '(* ob-ectives) (ontents -ash S!ri#tin"$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ &3 '. The bash environment............................................................................................................................ BA *. /cripting $ssentials................................................................................................................................ >' 3. Logical evaluations................................................................................................................................. >* 6. 
4. Flow Control and Loops ... 83
5. Expecting user input ... 85
6. Working with Numbers ... 85
7. Exercises and Summary ... 86

1. The bash environment

Variables

When you type a command at the prompt the bash shell will use the PATH variable to find which executable on the system you want to run. You can check the value of PATH using the echo command:

    echo $PATH
    /usr/bin:/bin:/usr/sbin:/usr/X11R6/bin:/usr/local/bin:/sbin:/usr/local/sbin

In fact many variables are needed by the shell to accommodate each user's environment. For example PWD, HOME, TERM and DISPLAY are such variables. To initialise and declare a variable the syntax is as follows:

    VARIABLE=VALUE

Remember not to put any spaces around the '=' sign. Once a variable is declared and initialised it can be referenced by using the dollar symbol in front, as here:

    echo $VARIABLE

This declares a local variable (only available for the current process) that can be listed with set. It is possible to get an exported variable (available to all child processes spawned after the variable has been defined) using export. Exported variables are listed with the env command. When a shell session is started a number of configuration files are read and most of the variables are set. To free a variable from its current value use unset.
Configuration files

One can distinguish configuration files which are read at login time and configuration files which are read for each new bash session.

The profiles

The first file to be read at login is /etc/profile; after that the shell will search for the files ~/.bash_profile, ~/.bash_login and ~/.profile and execute the commands from the first available one. For every new shell (for example if an xterm emulator is started) these profiles are not read again.

Contents: the profiles are used to define exported variables (e.g. PATH) that will be available for every subsequent program.

The bashrc files

The runtime control files ~/.bashrc and /etc/bashrc are sourced every time a shell is started.

Contents: the runtime control files will store aliases and functions. Notice that non-interactive shells read neither of these files. Instead a BASH_ENV variable pointing to the file to be sourced is declared in the script.

Function syntax

    function-name () {
        command1;
        command2;
    }

You can test which files are being read by adding an echo Profile line in /etc/profile, then type:

    bash

No profile is read, you shouldn't see anything.

    bash -login

This forces bash to act as a login bash; the word Profile should show up.

The following commands control the way bash starts:

    bash -norc
    bash -noprofile

Notice that any new bash session will inherit the parent's global variables defined in /etc/profile and ~/.bash_profile.

Controlling readline

The GNU library readline is used by programs that expect user input. It also offers extensive vi and emacs style editing functionality. Example: the readline default editor setting for bash is emacs. One can for example use ^E to go to the end of a line. What happens when we next start, as below, a shell without editing support?

    bash --noediting

The files /etc/inputrc or ~/.inputrc are used to control the readline library. One can for example link a keyboard combination to an action.

Example options for inputrc:

    set editing-mode vi       change the initial editor style (default is emacs)
    Control-o: "> output"     bind the sequence Ctrl+o to print the string "> output"
    TAB: complete             automatically complete commands and file names (is set by default)
    set bell-style none       input errors are not audible (other option is audible)

Finally, when a user logs out, the shell will read commands from ~/.bash_logout if it exists. This file usually contains the clear command which clears the screen once the shell exits.
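As an added example (not part of the LinuxIT manual), the following script makes the difference between a plain shell variable and an exported one observable by asking a child shell what it can see, and shows that a child's own export never reaches the parent. The variable names LOCAL_ONLY, SHARED and TEST are constructed for the demonstration.

```shell
#!/bin/bash
# Added example, not from the LinuxIT manual: what a child process sees of
# the parent's variables. LOCAL_ONLY, SHARED and TEST are constructed names.

# child_sees NAME: start a child shell and print the value it sees for NAME,
# or "unset" if the variable is not in the child's environment.
child_sees() {
    sh -c "printf '%s' \"\${$1-unset}\""
}

# in_env NAME: "yes" if env(1) lists NAME, i.e. the variable is exported.
in_env() {
    if env | grep -q "^$1="; then echo yes; else echo no; fi
}

# parent_keeps_value: a child may export and change TEST as it likes, but
# the parent's copy is untouched (exports flow down to children, never up).
parent_keeps_value() {
    export TEST=old
    sh -c 'export TEST=new; printf "child: %s\n" "$TEST"' >/dev/null
    printf '%s' "$TEST"
}

demo() {
    LOCAL_ONLY=secret          # shell variable: shown by set, not by env
    export SHARED=visible      # exported: copied into every child's environment

    echo "in env?  LOCAL_ONLY=$(in_env LOCAL_ONLY) SHARED=$(in_env SHARED)"
    echo "child sees LOCAL_ONLY=$(child_sees LOCAL_ONLY)"
    echo "child sees SHARED=$(child_sees SHARED)"

    unset SHARED               # unset removes it from the environment as well
    echo "after unset, child sees SHARED=$(child_sees SHARED)"
    echo "parent TEST after the child exported a new value: $(parent_keeps_value)"
}
demo
```

Run it once with bash and once with sh: the results are the same, because the rule is a property of processes (each child gets a copy of the environment) rather than of bash.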
2. Scripting Essentials

The script file

A shell script is a list of instructions saved in a flat file. Only two things are necessary.

1. The script's first line must be #!/bin/bash (for a bash script)
2. The file must be readable and executable (with 755 permission for example)

Assuming the script is in your current directory it can be started with

    ./script-name

NOTICE: The interpreter specified after the #! sign (pronounced "she-bang"!) is used to read the commands in the script. If no interpreter is specified then the shell will attempt to interpret the commands itself.

Alternative methods

    bash script-name      start a new interactive bash which will run the script then exit
    source script-name    force your current shell to run the script
    . script-name         same as source
    exec ./script-name    same as ./script-name except that the current shell will exit once the script has run

Passing variables to the script

Variables entered at the command line are referenced inside the script as $1 for the first argument, $2 for the second, etc.

Example script, mycat:

    #!/bin/bash
    cat $1

This script is expecting one argument, a file, and will display the content of the file using cat. To run this script on the lilo.conf file, you would run:

    ./mycat /etc/lilo.conf

Another way of passing variables to a script is by letting the script prompt the user for input interactively. This is achieved using the read command. The default name of the read variable is REPLY. Here is the modified script:

Interactively passing:

    #!/bin/bash
    echo -n "Which file shall I display ? "
    read
    cat $REPLY

or

    read -p "File to display: " FILENAME
    cat $FILENAME

Special Variables

Special variables can only be referenced and are automatically set by bash. These are the most common special variables you will encounter:

    $*    List of all variables entered at the command line
    $#    Number of arguments entered at the command line
    $0    The name of the script
    $!    PID of the most recent background command
    $$    PID of the current shell
    $?    Exit code of the last command

For the positional parameters $1, $2 etc. there is a shift operator which renames each parameter in a cyclic way as follows.

    $2 becomes $1
    $3 becomes $2
    ... etc

This can be summarised as $(n+1) -> $n

3. Logical evaluations

Logical statements are evaluated with the test command or the brackets [ ].
In both cases the result is stored in the $? variable such that:

    if the statement is true then $? is 0
    if the statement is false then $? is not 0

Here are some examples to illustrate:

    using test             using [ ]               meaning
    test -f /bin/bash      [ -f /bin/bash ]        test if /bin/bash is a file
    test -x /etc/passwd    [ -x /etc/passwd ]      test if /etc/passwd is executable

One can evaluate more than one statement at a time using the || (OR) and && (AND) logical operators on the command line. For example we could test if /bin/bash is executable and if /etc/inittab exists:

    test -x /bin/bash && test -f /etc/inittab
    [ -e /bin/kbash ] || [ -f /etc/passwd ]

This is the same as using the flags -o and -a within the test operator, for example

    test -x /bin/bash -a -f /etc/inittab
    [ -e /bin/kbash -o -f /etc/passwd ]

4. Flow Control and Loops

if then

Syntax:

    if CONDITION ; then
        command1
        command2
    fi

    #!/bin/bash
    if [ -x /bin/bash ] ; then
        echo The file /bin/bash is executable
    fi

while loop

Syntax:

    while CONDITION is true; do
        command
    done

Example: print 10 hashes (#) then exit

    #!/bin/bash
    COUNTER=0
    while [ $COUNTER -lt 10 ]; do
        echo -n "#"
        sleep 1
        let COUNTER=COUNTER+1
    done

Until loop

Syntax:

    until CONDITION is false; do
        command
    done

Example: Same as above, notice the C style operator used on COUNTER

    #!/bin/bash
    COUNTER=20
    until [ $COUNTER -lt 10 ]; do
        echo -n "#"
        sleep 1
        let COUNTER-=1
    done

for loop

Syntax

    for VARIABLE in SET; do
        command
    done

Example: the set 'SET' can be the lines of a file

    #!/bin/bash
    for line in `cat /etc/lilo.conf`; do
        IMAGE=$(echo $line | grep image)
        if [ "$IMAGE" != "" ]; then
            echo Kernel configured to boot: $line
        fi
    done

5. Expecting user input

We assume that the script is waiting for user input; depending on the answer, the rest of the program will execute something accordingly. There are two possible ways to achieve this: select and case.

Using case

Syntax:

    case $VARIABLE in
        CHOICE1) command1 ;;
        CHOICE2) command2 ;;
    esac

Using select

Syntax:

    select VARIABLE in SET; do
        if [ $VARIABLE = CHOICE ]; then
            command
        fi
        if [ $VARIABLE = CHOICE ]; then
            command
        fi
    done

6. Working with Numbers

While shell scripts seamlessly handle character strings, a little effort is needed to perform very basic arithmetic operations.

Binary operations

Adding or multiplying numbers together can be achieved using either expr or the $(( )) construct.

Example:

    expr 7 + 3; expr 2 \* 10; expr 40 / 4; expr 30 % 11
    echo $((7+3)); echo $((2*10)); echo $((40/4)); echo $((30-11))
Comparing values

Test operators:

    Numbers    Strings
    -lt        <  (sort strings lexicographically)
    -gt        >  (sort strings lexicographically)
    -le        N/A
    -ge        N/A
    -eq        ==
    -ne        !=

7. Exercises and Summary

Files

    Files              Description
    /etc/bashrc        a system wide startup file for interactive bash sessions (used for setting up the PS1 prompt)
    /etc/inputrc       startup file for the readline library used by the shell to read and edit user input. This file combines keyboard combinations with editing commands but can also be used to associate keyboard combinations to any command (macro)
    /etc/profile       system wide configuration file for bash. It contains exported variables such as the PATH and is always read at login
    ~/.bash_profile    the user's customised configuration file for bash. It contains exported variables and is always read at login
    ~/.bashrc          the user's customised startup file for bash. It is read every time a new interactive shell is started unless the --norc option is given
    ~/.inputrc         the user's customised startup file for the readline library

Scripting items

    Item          Description
    $(( ))        operator used to substitute the result of a numerical evaluation in a command line
    expr          perform a numerical evaluation
    for loop      see p.72
    if then       see p.71
    until loop    see p.72
    while loop    see p.71

Commands

    Command    Description
    test       test(1) - check file types and compare values
    unset      (bash built-in) command that removes a variable value or a function
    env        print all exported (global) variables defined in the current shell
    export     (bash built-in) command that makes a variable part of the environment of subsequent processes
    set        (bash built-in) command that when started with no arguments prints the value of all shell variables defined
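The constructs of sections 2 to 6 rarely appear one at a time in real scripts. As an added example (not from the LinuxIT manual), the script below combines positional parameters and $#, test operators, the while/for loops, case and $(( )) arithmetic in one small program that lists the kernels a lilo.conf-style file would boot. The file content is constructed inline; the function names (boot_images, count_images, classify, confirm) are the example's own.

```shell
#!/bin/bash
# Added example, not from the LinuxIT manual: one script that uses the
# constructs of sections 2 to 6 together. The lilo.conf content below is
# constructed for the demonstration; it is not a real system file.

# boot_images FILE: print the path of every "image=" entry, one per line.
# Reading line by line with `read` keeps each line whole, whereas
# `for line in $(cat FILE)` (as in the for loop example above) splits on
# every space and tab, so a line such as append="root=/dev/hda2 ro"
# would arrive in pieces.
boot_images() {
    [ -r "$1" ] || { echo "boot_images: cannot read $1" >&2; return 1; }
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            image=*) echo "${line#image=}" ;;    # strip the key, keep the path
        esac
    done < "$1"
}

# count_images FILE: number of boot images, counted with $(( )) arithmetic.
count_images() {
    n=0
    for img in $(boot_images "$1"); do       # img is only counted, not used
        n=$((n + 1))
    done
    echo "$n"
}

# classify N: map a count to a word with the numeric test operators.
classify() {
    if [ "$1" -eq 0 ]; then
        echo none
    elif [ "$1" -lt 3 ]; then
        echo few
    else
        echo many
    fi
}

# confirm: read one answer from standard input and decide with case,
# the non-interactive cousin of the read/case examples above.
confirm() {
    printf 'Continue? [y/N] ' >&2
    read -r REPLY
    case "$REPLY" in
        [Yy]|[Yy][Ee][Ss]) return 0 ;;
        *)                 return 1 ;;
    esac
}

# write_sample_lilo: constructed sample lilo.conf (not a real system file);
# sets SAMPLE to its path.
write_sample_lilo() {
    SAMPLE=$(mktemp)
    cat > "$SAMPLE" <<'EOF'
boot=/dev/hda
prompt
timeout=50
image=/boot/vmlinuz-2.4.21
    label=linux
    root=/dev/hda2
image=/boot/vmlinuz-2.6.9
    label=test
    root=/dev/hda2
other=/dev/hda1
    label=dos
EOF
}

# main [FILE]: $# and $0 as in the Special Variables table; a missing
# argument falls back to the constructed sample.
main() {
    if [ $# -eq 0 ]; then
        write_sample_lilo
        set -- "$SAMPLE"          # set the positional parameters by hand
    fi
    echo "$0: scanning $1 ($# argument(s))"
    boot_images "$1"
    n=$(count_images "$1")
    echo "$n image(s) configured: $(classify "$n")"
    printf 'y\n' | confirm && echo "answer accepted"
    if [ -n "$SAMPLE" ]; then rm -f "$SAMPLE"; fi
}
main "$@"
```

Run it with no argument to use the built-in sample, or pass the path of a real lilo.conf as $1. The `[ -r "$1" ] || { ...; return 1; }` guard in boot_images is the shell idiom for the "exit code of the last command" rule in section 3: a failed test short-circuits into the error branch.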
1. On the command line export the variable TEST

    export TEST=old

2. Write the script

    #!/bin/bash
    echo old variable: $TEST
    export TEST=new
    echo exported variable: $TEST

3. What is the value of $TEST once the script has run?

4. The following script called test_shell will print the PID of the shell that is interpreting it

test_shell:

    #!/bin/bash
    if [ -n "$(echo $0 | grep test)" ]; then
        echo The PID of the script is: $$
    else
        echo The PID of the interpreter is: $$
    fi

5) Set the permissions to 755 and test the following commands

    test_shell
    ./test_shell
    bash test_shell
    . test_shell
    source test_shell
    exec ./test_shell

Basic Security

Prerequisites
None

Goals
Overview of local and network security issues
Understand the secure shell
Configure a NTP server

Contents
Basic Security ... 88
1. Local Security ... 89
2. Network Security ... 91
3. The Secure Shell ... 95
4. Time Configuration ... 97
5. Exercises and Summary ... 99
1. Local Security

The BIOS

If anyone has access to a rescue disk or a linux disk that boots from a floppy or a CDROM it is extremely easy to gain read access to any files on the system. To prevent this the BIOS should be set to boot only off the hard drive. Once this is done set a password on the BIOS.

LILO

LILO can be given options at boot time. In particular some Linux distributions will not ask for a password when starting the system in single user mode or runlevel 1. There are two options that should be added to /etc/lilo.conf:

    the restricted option prompts the user for a password
    the password="" option sets the password string

Restricted means that LILO cannot be given any parameters without the "password" specified in lilo.conf.

    boot=/dev/hda
    install=/boot/boot.b
    prompt
    timeout=50
    password="password"
    restricted

File permissions

To prevent attackers causing too much damage it is recommended to take the following steps.

1) Make vital system tools immutable, or logfiles append-only:

    chattr +i /bin/login
    chattr +i /bin/ps
    chattr +a /var/log/messages

2) Make directories /tmp and /home nosuid or noexec:

Lines to be changed in /etc/fstab

    /tmp    /tmp     ext2    nosuid    1 2
    /home   /home    ext2    noexec    1 2
3) Find all files on the system that don't belong to a user or a group, and all files with the SUID bit set:

    find / -nouser -o -nogroup
    find / -perm -4000

Log Files

The main logs are

    /var/log/messages : contains information logged by the syslogd daemon
    /var/log/secure   : contains information on failed logins, added users, etc.

The last tool lists all successful logins and reboots. The information is read from the /var/log/wtmp file.

The who and w tools list all users currently logged onto the system using the /var/run/utmp file.

User Limits

When the /etc/nologin file is present (can be empty) it will prevent all users from logging in to the system (except user root). If the nologin file contains a message this will be displayed after a successful authentication.

In the /etc/security/ directory are a collection of files that allow administrators to limit user CPU time, maximum file size, maximum number of connections, etc.

/etc/security/access.conf : disallow logins for groups and users from specific locations.

/etc/security/limits.conf

The format of this file is

    <domain> <type> <item> <value>

    domain    a user name, a group name (with @group)
    type      hard or soft
    item      core - limits the core file size (KB)
              data - max data size (KB)
              fsize - maximum filesize (KB)
              memlock - max locked-in-memory address space (KB)
              nofile - max number of open files
              cpu - max CPU time (MIN)
              proc - max number of processes
              as - address space limit
              maxlogins - max number of simultaneous logins for this user
              priority - the priority to run user process with
              locks - max number of file locks the user can hold
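The find(1) checks in the File permissions steps above are easy to get wrong (for instance -perm 4000 and -perm -4000 mean different things). As an added example (not from the LinuxIT manual), the script below runs those checks against a directory tree it constructs itself, so the output can be verified without root; the function names suid_sgid_files, world_writable_files and make_tree are the example's own.

```shell
#!/bin/bash
# Added example, not from the LinuxIT manual: the find(1) permission checks
# of the "File permissions" steps, run against a directory tree constructed
# here so the result can be verified without root. -nouser/-nogroup need
# orphaned files and are therefore not simulated.

# suid_sgid_files DIR: regular files with the SUID (4000) or SGID (2000) bit.
# "-perm -MODE" means "all of these bits set", so 4755 and 4111 both match,
# whereas "-perm 4000" would only match a file whose mode is exactly 4000.
suid_sgid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# world_writable_files DIR: regular files any user may modify (-perm -0002).
world_writable_files() {
    find "$1" -type f -perm -0002 -print | sort
}

# make_tree: constructed tree with one plain, one SUID, one SGID and one
# world-writable file. Sets TREE to the temporary directory.
make_tree() {
    TREE=$(mktemp -d)
    mkdir -p "$TREE/bin" "$TREE/tmp"
    : > "$TREE/bin/normal";  chmod 755  "$TREE/bin/normal"
    : > "$TREE/bin/setuid";  chmod 4755 "$TREE/bin/setuid"
    : > "$TREE/bin/setgid";  chmod 2755 "$TREE/bin/setgid"
    : > "$TREE/tmp/shared";  chmod 666  "$TREE/tmp/shared"
}

make_tree
echo "SUID/SGID files under $TREE:"
suid_sgid_files "$TREE"
echo "world-writable files under $TREE:"
world_writable_files "$TREE"
rm -rf "$TREE"
```

Replace "$TREE" with / (or /usr/, as in the exercise at the end of the chapter) to audit a real system; on a large filesystem add -xdev so that find stays on one device.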
2. Network Security

In this section we break down network security into host based security and port based security.

Host Based Security

Access to resources can be granted based on the host requesting the service. This is handled by tcp_wrappers. The libwrap library, also known as tcp_wrappers, provides host based access control lists for a variety of network services. Many services, such as xinetd, sshd, and portmap, are compiled against the libwrap library thereby enabling tcp_wrapper support for these services.

When a client connects to a service with tcp_wrapper support, the /etc/hosts.allow and /etc/hosts.deny files are parsed to challenge the host requesting the service. Based on the outcome the service will either be granted or denied.

The hosts_access files have 2, optionally 3, colon separated fields. The first field is the name of the process, the second is the fully qualified host name or domain name with a "leading dot", IP address or subnet with a "trailing dot". Wildcards like ALL and EXCEPT are also accepted.

The syntax for the /etc/hosts.{allow | deny} file is as follows:

    service : hosts [EXCEPT hosts]

Example:

    /etc/hosts.deny
    ALL: ALL EXCEPT .example.com

    /etc/hosts.allow
    ALL: LOCAL 192.168.0.
    in.ftpd: ALL
    sshd: .example.com

Tcp_wrappers can run a command locally upon a host match in the hosts_access files. This is accomplished with the spawn command. With the use of the % character, substitutions can be made for the host name and the service.

Example:

    /etc/hosts.deny
    ALL: ALL : spawn (/bin/echo `date` from %c for %d >> /var/log/tcpwrap.log)

For more information on the use of % substitutions see the hosts_access(5) man page.
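Because hosts.allow is consulted before hosts.deny and the first match wins, a rule set like the one above is easy to misread. As an added example (not from the LinuxIT manual and not libwrap's own code), the script below models that search order for "daemons : clients [EXCEPT clients]" lines with the ALL and LOCAL wildcards, ".domain" suffixes and "a.b.c." prefixes, and evaluates the manual's rules for a few constructed clients. The optional third field (spawn and friends) is parsed past and ignored, no other hosts_access(5) extension is modelled, and the function names are the example's own.

```shell
#!/bin/bash
# Added example, not from the LinuxIT manual and not libwrap's own code: a
# simplified model of the hosts_access(5) search order, so a rule set can be
# checked before it is deployed. Supported: "daemons : clients [EXCEPT
# clients]", the wildcards ALL and LOCAL, ".domain" suffixes and "a.b.c."
# network prefixes. The third field (spawn etc.) is ignored.

# match_pattern PATTERN HOST IP: 0 if the client matches one pattern.
match_pattern() {
    case "$1" in
        ALL)   return 0 ;;
        LOCAL) case "$2" in *.*) return 1 ;; *) return 0 ;; esac ;;  # no dot in name
        .*)    case "$2" in *"$1") return 0 ;; esac ;;   # leading dot: domain suffix
        *.)    case "$3" in "$1"*) return 0 ;; esac ;;   # trailing dot: network prefix
        *)     [ "$1" = "$2" ] || [ "$1" = "$3" ] && return 0 ;;
    esac
    return 1
}

# match_list LIST HOST IP: 0 if the client matches the list. "A EXCEPT B"
# matches when A matches and B does not (B may itself contain EXCEPT).
match_list() {
    local list="$1" host="$2" ip="$3" head tail pat
    case "$list" in
        *" EXCEPT "*)
            head=${list%% EXCEPT *}
            tail=${list#* EXCEPT }
            match_list "$head" "$host" "$ip" || return 1
            if match_list "$tail" "$host" "$ip"; then return 1; fi
            return 0 ;;
    esac
    for pat in $list; do
        match_pattern "$pat" "$host" "$ip" && return 0
    done
    return 1
}

# rule_matches DAEMON HOST IP FILE: 0 when some "daemons : clients" line
# of FILE matches; comments and blank lines are skipped.
rule_matches() {
    local daemon="$1" host="$2" ip="$3" file="$4" line daemons clients
    [ -r "$file" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        daemons=${line%%:*}
        clients=${line#*:}
        clients=${clients%%:*}        # drop the optional third field
        if match_list "$daemons" "$daemon" "$daemon" \
           && match_list "$clients" "$host" "$ip"; then
            return 0
        fi
    done < "$file"
    return 1
}

# access_decision DAEMON HOST IP ALLOW_FILE DENY_FILE: prints allow or deny.
# Order as documented in hosts_access(5): a match in hosts.allow grants,
# otherwise a match in hosts.deny refuses, otherwise access is granted.
access_decision() {
    if rule_matches "$1" "$2" "$3" "$4"; then
        echo allow
    elif rule_matches "$1" "$2" "$3" "$5"; then
        echo deny
    else
        echo allow
    fi
}

# write_samples: constructed copies of the manual's example files (not the
# system's /etc/hosts.allow and /etc/hosts.deny). Sets ALLOW_FILE/DENY_FILE.
write_samples() {
    ALLOW_FILE=$(mktemp); DENY_FILE=$(mktemp)
    cat > "$ALLOW_FILE" <<'EOF'
ALL: LOCAL 192.168.0.
in.ftpd: ALL
sshd: .example.com
EOF
    cat > "$DENY_FILE" <<'EOF'
# everything not granted above is refused unless it comes from example.com
ALL: ALL EXCEPT .example.com : spawn (/bin/echo %d from %c >> /var/log/tcpwrap.log)
EOF
}

show() {
    printf '%-10s %-18s %-14s -> %s\n' "$1" "$2" "$3" \
        "$(access_decision "$1" "$2" "$3" "$ALLOW_FILE" "$DENY_FILE")"
}

write_samples
show sshd       gw                10.0.0.1        # LOCAL (no dot): allow
show sshd       host.example.com  10.1.1.5        # sshd: .example.com: allow
show sshd       box.other.net     192.168.0.50    # 192.168.0. prefix: allow
show sshd       mail.other.net    203.0.113.9     # no allow line, hosts.deny: deny
show in.ftpd    mail.other.net    203.0.113.9     # in.ftpd: ALL: allow
show in.telnetd h.example.com     10.2.2.2        # deny line's EXCEPT: allow
rm -f "$ALLOW_FILE" "$DENY_FILE"
```

The last line of the table is the one worth noticing: with nothing in hosts.allow for in.telnetd, an example.com client is still let in, because the EXCEPT in hosts.deny keeps the deny line from matching and the default is to grant. The real library additionally resolves and double-checks host names; the model takes HOST and IP as given.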
Port Based Security

With packet filtering functionality built into the Linux kernel, it is possible to limit access to resources by creating rulesets with utilities such as ipchains and iptables, which are able to evaluate a packet entering any of its network interfaces. The rules determine what happens to each packet.

We will cover ipchains and iptables separately. However ipchains and iptables share the following options:

    -A    Append rule to a chain
    -D    Delete a rule
    -P    Change the default Policy for a chain
    -I    Insert
    -F    Flush the rule(s) in a chain
    -N    Create a user defined chain
    -X    Delete a user defined chain
    -L    List

ipchains

There are three built in chains in ipchains: input, forward and output. These chains, respectively, are evaluated when the packets

1) enter the network interface
2) transit to another interface or host
3) exit the network interface and have been either generated by the local host or forwarded

TARGETS: The possible actions (or TARGETS) are ACCEPT, DENY, REJECT, MASQ, REDIRECT and RETURN, or can possibly point to another user defined chain. Targets are specified with the -j flag.

Example: All packets from 192.168.0.254 will be logged and denied

    ipchains -A input -s 192.168.0.254 --log -j DENY

POLICY: If a packet has gone through all the rules in a specific chain unaltered then it will be dealt with by the default policy rule for that chain. Valid policy targets are DENY (silently drop the packets) or ACCEPT.

Example: Set the policy for all chains to DENY

    ipchains -P input DENY
    ipchains -P forward DENY
    ipchains -P output DENY

iptables
One of the main differences with ipchains is that the filtering rules (decisions to allow or deny a packet, etc.) have been separated from packet alteration operations (network address translation (NAT), etc.). This has been achieved by introducing independent tables; each table is assigned a specific role and each table contains its own built-in chains.

Figure: The Netfilter kernel framework for iptables (figure not reproduced)

Iptables has three tables each containing the following built-in chains:

    filter:  this table is the default and deals with filtering rules using its built-in chains INPUT, OUTPUT and FORWARD
    nat:     only network address translation (NAT) operations are defined in this table. The built-in chains are PREROUTING, POSTROUTING and INPUT
    mangle:  this table handles packet alterations other than natting. There are two built-in chains PREROUTING and OUTPUT.

NOTICE: the built-in chains for iptables are all in UPPERCASE!!

TARGETS: Different targets are valid depending on the table. Valid targets for the filter table are DROP, REJECT, ACCEPT or MIRROR. Valid targets for the nat table are REDIRECT (in the PREROUTING and OUTPUT chains), MASQUERADE (in the POSTROUTING chain), DNAT (in the PREROUTING and OUTPUT chains) and SNAT (in the POSTROUTING and OUTPUT chains).

Example: All packets from 192.168.0.254 will be logged and denied

    iptables -A INPUT -s 192.168.0.254 -j LOG
    iptables -A INPUT -s 192.168.0.254 -j DROP

POLICY: The iptables chain policy can be set to either DROP, ACCEPT or MIRROR
Example: The default policy is set to drop all packets

    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT DROP

More background

With the development of the 2.4 Linux kernel came the development of the Netfilter project, which uses the iptables utility to manage firewall rules. Another major difference between iptables and ipchains is that iptables has support for evaluating the packets based on their state in terms of other packets that have passed through the kernel. It is this stateful packet evaluation that makes iptables far superior.

Example:

1) Deny all packets on the INPUT chain:

    iptables -P INPUT DROP

2) Accept established connections that have been initiated by the host:

    iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT

Example: A basic script that will work as a gateway. Here are the highlights:

- allow IP forwarding:
    echo "1" > /proc/sys/net/ipv4/ip_forward
- masquerade:
    $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE
- allow connections to port 80 ONLY:
    $IPTABLES -A INPUT -p TCP -i $INET_IFACE -m state --state NEW --dport http -j ACCEPT

    #!/bin/sh
    # Variables
    IPTABLES="/sbin/iptables"
    LAN_IFACE="eth0"
    INET_IFACE="eth1"
    INET_IP="1.2.3.4"
    LOCALHOST_IP="127.0.0.1/32"
    LAN_IP="192.168.0.1/32"
    LAN_BCAST="192.168.0.0/24"

    # Setup IP Masquerading
    echo "1" > /proc/sys/net/ipv4/ip_forward
    $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE

    # Specify the default policy for the built in chains
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT DROP

    # Specify INPUT Rules
    $IPTABLES -A INPUT -i ! $INET_IFACE -j ACCEPT
    $IPTABLES -A INPUT -p TCP -i $INET_IFACE -m state --state NEW --dport http -j ACCEPT
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Specify FORWARD Rules
    $IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Specify OUTPUT Rules
    $IPTABLES -A OUTPUT -p ALL -s $LOCALHOST_IP -j ACCEPT
    $IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT

3. The Secure Shell
The secure shell is a secure replacement for telnet and remote tools like rlogin, rsh and rcp. The daemon sshd is started on the server using the rc-script /etc/init.d/sshd. The ssh service uses port 22 and clients connect using the ssh tool.

* Host Authentication

With ssh both the host and the user authenticate. The host authentication is done by swapping keys. The host's public and private keys are usually kept in /etc/ssh if you are using OpenSSH. Depending on the protocol used the host key file will be called ssh_host_key for Protocol 1 and ssh_host_rsa_key or ssh_host_dsa_key for Protocol 2. Each of these keys has its corresponding public key, for example ssh_host_key.pub. When an ssh client connects to a server, the server will give the host's public key. At this stage the user will be prompted with something like this:

    The authenticity of host 'neptune (10.0.0.8)' can't be established.
    RSA key fingerprint is 8f:29:c2:b8:b5:b2:e3:e7:ec:89:80:b3:db:42:07:f4.
    Are you sure you want to continue connecting (yes/no)?

If you accept to continue the connection the server's public key will be added to the local $HOME/.ssh/known_hosts file.

* User Authentication (using passwords)

Then the user is prompted for the password for his account on the remote server and logs in.

* User Authentication (using keys)

The user authentication can also involve swapping keys. For this the user will need to generate a pair of private/public keys. For example:

    ssh-keygen -t dsa -b 1024

will generate a 1024 bit DSA key. By default these keys will be saved in $HOME/.ssh and in this example are called id_dsa and id_dsa.pub. If we assume we have an id_dsa.pub key we can 'plant' this key on a remote account and avoid typing passwords for further connections.

To do this we need to copy the content of the file id_dsa.pub into a file called authorized_keys2 kept in the remote $HOME/.ssh directory.

WARNING: All private keys in /etc/ssh/* and ~/.ssh/* should have a permission of 600

* sshd configuration file
Sample /etc/ssh/sshd_config file:

    #Port 22
    #Protocol 2,1
    #ListenAddress 0.0.0.0
    #ListenAddress ::
    # HostKey for protocol version 1
    #HostKey /etc/ssh/ssh_host_key
    # HostKeys for protocol version 2
    #HostKey /etc/ssh/ssh_host_rsa_key
    #HostKey /etc/ssh/ssh_host_dsa_key

* ssh configuration file

Sample /etc/ssh/ssh_config or $HOME/.ssh/config file:

    # Host *
    #   ForwardX11 no
    #   RhostsAuthentication no
    #   RhostsRSAAuthentication no
    #   RSAAuthentication yes
    #   PasswordAuthentication yes
    #   HostbasedAuthentication no
    #   CheckHostIP yes
    #   IdentityFile ~/.ssh/identity
    #   IdentityFile ~/.ssh/id_rsa
    #   IdentityFile ~/.ssh/id_dsa
    #   Port 22
    #   Protocol 2,1
    #   Cipher 3des

NOTICE: The sshd daemon has been compiled with libwrap. We can see this with the following:

    ldd /usr/sbin/sshd | grep wrap
    libwrap.so.0 => /usr/lib/libwrap.so.0 (0x0075f000)

This means that sshd is a valid entry for /etc/hosts.allow or /etc/hosts.deny.

4. Time Configuration

The System date
The system date can be changed with the date command. The syntax is:

    date MMDDhhmmCCYY[.ss]

The Hardware Clock

The hardware clock can be directly changed with the hwclock utility. The main options are:

    -r or --show       prints the current time
    -w or --systohc    set the hardware clock to the current system time
    -s or --hctosys    set the system time to the current hardware clock time

Time Zones

In addition to UTC time some countries apply "day light saving" policies which add or remove an hour at a given date every year. These policies are available on a linux system in /usr/share/zoneinfo/. By copying the appropriate zone file to /etc/localtime one can enforce a particular zone policy. For example if we copy /usr/share/zoneinfo/Hongkong to /etc/localtime the next time we run date this will give us the time in Hongkong. This is because date will read /etc/localtime each time it is run.

Using NTP

The Coordinated Universal Time (UTC) is a standard used to keep track of time based on the Earth's rotation about its axis. However because of the slight irregularities of the rotation, leap seconds need to be inserted into the UTC scale using atomic clocks. Since computers are not equipped with atomic clocks the idea is to use a protocol to synchronize computer clocks across the Internet. NTP stands for Network Time Protocol and is one such protocol.

Computers that are directly updated by an atomic clock are called primary time servers and are used to update a larger number of secondary time servers. This forms a tree structure similar to the DNS structure. The root servers are on the first level or stratum, the secondary servers on the second and so on.

Configuring a client to query an NTP server:

An NTP daemon called ntpd is used to regularly query a remote time server. All that is needed is a server entry in /etc/ntp.conf pointing to a public or corporate NTP server. Public NTP servers can be found online. The NTP protocol can also estimate the frequency errors of the hardware clock from a sequence of queries; this estimate is written to a file referred to by the driftfile tag.

Minimal /etc/ntp.conf file

    server ntp2.somewhere.com
    driftfile /var/lib/ntp/drift

NOTICE: on some systems the driftfile tag is pointing to /etc/ntp.drift or /etc/ntp/drift.

Once ntpd is started it will itself be an NTP server providing services on port 123 using UDP.

One off queries:

The ntp package also provides the ntpdate tool which can be used to set the time from the command line:

    ntpdate ntp2.somewhere.com
Files "iles Description ,etc,fstab noexec N mount option which prevents any executables to execute from the device nosuid N mount option which prevents the /<ID and /?ID bits to take effect &see L#I'(') ,etc,localtime contains the time Mone policy used to determine the system time &with date) ,etc,ntp.conf configuration file for the CT# daemon nt#d ,etc,ntp.drift or ,etc,ntp,drift file used by nt#d to keep track of the hardware clock drift ,etc,security,access.conf file used to grant or deny access based on the user's name and the origin &local tty or remote host). 2ne can also specify a CI/ group using Igroup notation ,etc,security,limits.conf file used to impose resource limits on login &see the file itself for details) ,etc,ssh directory containing configuration files for both the ssh client and the sshd server ,usr,share,Moneinfo, collection of time Mone files. Depending on the user's location one of these files is copied to 2et!2lo!altime ,var,log,messages the main system log file ,var,log,secure log file containing information about failed logins or user accounts ,var,log,wtmp the wtmp file records all logins and logouts. ,var,run,utmp utm#?5@ N the utmp file allows one to discover information about who is currently using the system. There may be more users currently using the user's private key used during the user authentication process of an ssh sessionhe system! because not all programs use utmp logging c82M$,.ssh directory containing knownhosts! authori=edGkeys2! 
idGdsa and idGdsa$#ub authoriMedPkeys* contains a list a public id keys from remote users that are authorised to use this account &via ssh) idPdsa the user's private key used during the user authentication process of an ssh session idPdsa.pub the user's public key used during the user authentication process of an ssh session N this key must be present in the authoriMedPkeys* file of the account one is attempting to ssh to knownPhosts list of server public keys used for host authentication sshPconfig configuration file for ssh sshdPconfig configuration file for sshd (ommands ________________________________________________________________________________
Command - Description

chattr - change file attributes on an ext2/3 filesystem (see chattr(1) for details)
date - print or set the system time
hwclock - query or set the hardware clock
ipchains, iptables - iptables(8): administration tool for IPv4 packet filtering and NAT (ipchains is the equivalent tool for 2.2 kernels)
last - last(1): searches back through the file /var/log/wtmp and displays a list of all users logged in (and out) since that file was created. The pseudo user reboot logs in each time the system is rebooted. Thus last reboot will show a log of all reboots since the log file was created
ntpd - the NTP daemon
ntpdate - ntpdate(1): sets the local date and time by polling the Network Time Protocol (NTP) server(s) given as the server arguments to determine the correct time. It must be run as root on the local host
ssh - ssh(1): program for logging into a remote machine and for executing commands on a remote machine. It is intended to replace rlogin and rsh, and provide secure encrypted communications between two untrusted hosts over an insecure network. X11 connections and arbitrary TCP/IP ports can also be forwarded over the secure channel
ssh-keygen - ssh-keygen(1): generates, manages and converts authentication keys for ssh(1). ssh-keygen can create RSA keys for use by SSH protocol version 1 and RSA or DSA keys for use by SSH protocol version 2
sshd - sshd(8): daemon program that listens for ssh connections from clients. It is normally started at boot from /etc/rc. It forks a new daemon for each incoming connection. The forked daemons handle key exchange, encryption, authentication, command execution, and data exchange
who - who(1): show who is logged on

Exercises

1. Use /etc/hosts.deny to disable the sshd service from everywhere
2. Find all files in /usr/ that have the SUID bit set
3. Log onto a remote host using ssh and authenticate using a pair of public/private keys
4. Use ipchains (resp. iptables) to deny access for all incoming, outgoing and forward traffic by default
5. Configure ntpd
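Exercise 2 asks for the SUID files under /usr. In practice the one-off listing is less useful than a comparison against a known-good list, so that a setuid or setgid binary that appears after a package install or a compromise stands out. The following POSIX shell script is an added example and not part of the original manual; it generalises the exercise to SGID files and to a baseline comparison. The directory layout and the baseline file location are assumptions for the example, and the -xdev option ties in with the nosuid mount option from the files table: a filesystem mounted nosuid need not be scanned.

```shell
#!/bin/sh
# Added example: list setuid/setgid files below a directory and compare the
# result with a saved baseline so that newly privileged binaries stand out.

# find_setid DIR: print setuid/setgid regular files under DIR, sorted.
# -xdev stays on one filesystem, -perm -4000 matches SUID, -perm -2000 SGID.
find_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# check_against_baseline DIR BASELINE: report setid files present now but
# absent from BASELINE (a file produced earlier by find_setid, so it is
# already sorted, which comm requires). Returns 0 when nothing new was
# found, 1 when there are new entries, 2 on error.
check_against_baseline() {
    dir=$1; baseline=$2
    [ -f "$baseline" ] || { echo "baseline $baseline missing" >&2; return 2; }
    tmp=$(mktemp) || return 2
    find_setid "$dir" > "$tmp"
    new=$(comm -13 "$baseline" "$tmp")
    rm -f "$tmp"
    if [ -n "$new" ]; then
        printf 'New setuid/setgid files under %s:\n%s\n' "$dir" "$new"
        return 1
    fi
    return 0
}

# Typical use (paths assumed for the example):
#   find_setid /usr > /var/lib/setid.baseline      # once, on a trusted system
#   check_against_baseline /usr /var/lib/setid.baseline   # from cron thereafter
```

Store the baseline somewhere that an attacker who gained a shell cannot rewrite, for instance on a read-only medium or a remote host; a baseline kept next to the binaries it describes can be edited along with them.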
Linux System Administration

Prerequisites: None

Goals:
- Customise system logging
- Configure cron and at
- Understand backup tools and strategies
- Finding documentation

Contents:
1. Logfiles and configuration files
2. Log Utilities
3. Automatic Tasks
4. Backups and Compressions
5. Documentation
6. Exercises and Summary

Overview
We will concentrate on the main tasks of system administration such as monitoring log files and scheduling jobs using at and cron. This also includes an overview of the documentation available (manpages and online resources) as well as some backup concepts.

1. Logfiles and configuration files

The /var/log/ directory
This is the directory where most logfiles are kept. Some applications generate their own log files (such as squid or samba).
Most of the system logs are managed by the syslogd daemon. Common system files are:

cron      keeps track of messages generated when cron executes
mail      messages relating to mail
messages  logs all messages except private authentication (authpriv), cron, mail and news
secure    logs all failed authentications, users added/deleted etc

The most important log file is messages, where most activities are logged.

The /etc/syslog.conf file
When syslogd is started it reads the /etc/syslog.conf configuration file by default. One can also start syslogd with -f and the path to an alternative config file.
This file must contain a list of items, each followed by a priority, followed by the path to the log file:

    item1.priority1;item2.priority2    /path-to-log-file
Valid items (called facilities in syslog.conf(5)) are:

auth and authpriv   user general and private authentication
cron                cron daemon messages
kern                kernel messages
mail                mail messages
news                news messages
user                user processes
uucp                uucp messages
Valid priorities are (from highest to lowest):

    emerg
    alert
    crit
    err
    warning
    notice
    info
    debug

plus the special value none, which switches logging off for that item.
A priority in a selector is a minimum: all higher priorities will be logged too. To force a selector to match the info priority only you need to use an '=' sign, as in:

    user.=info    /var/log/user_activity

Listing of /etc/syslog.conf:

    # Log all kernel messages to the console.
    # Logging much else clutters up the screen.
    #kern.*    /dev/console

    # Log anything (except mail) of level info or higher.
    # Don't log private authentication messages!
    *.info;mail.none;news.none;authpriv.none    /var/log/messages

    # The authpriv file has restricted access.
    authpriv.*    /var/log/secure

    # Log all the mail messages in one place.
    mail.*    /var/log/maillog

    # Log cron stuff
    cron.*    /var/log/cron

    # Everybody gets emergency messages, plus log them on another
    # machine.
    *.emerg    *
    *.emerg    @10.1.1.254

    # Save boot messages also to boot.log
    local7.*    /var/log/boot.log

    #news.=crit    /var/log/news/news.crit
    news.=err      /var/log/news/news.err
    news.notice    /var/log/news/news.notice

2. Log Utilities

The logger command
The first utility, logger, conveniently logs messages to the /var/log/messages file. If you type the following:

    logger program myscript ERR

the end of /var/log/messages should now have a message similar to this:

    Jul 17 19:31:00 localhost penguin: program myscript ERR

local settings
The logger utility logs messages to /var/log/messages by default. There are local items defined that can help you create your own logfiles as follows. local0 to local7 are available items for administrators to use. The availability depends on the system (RedHat uses local7 to log boot-time information in /var/log/boot.log).
Add the following line to /etc/syslog.conf:

    local4.*    /dev/tty9

Restart syslogd or force it to re-read its configuration file as follows:

    killall -HUP syslogd

The next command will be logged on /dev/tty9:

    logger -p local4.notice "This script is writing to /dev/tty9"

An interesting device is /dev/speech; this is installed with the Festival tools.

logrotate
The log files are rotated using logrotate. Usually logrotate is run daily as a cron job. The configuration file /etc/logrotate.conf contains commands to create or compress files.
Listing of /etc/logrotate.conf:

    # rotate log files weekly
    weekly
    # keep 4 weeks worth of backlogs
    rotate 4
    # send errors to root
    errors root
    # create new (empty) log files after rotating old ones
    create
    # uncomment this if you want your log files compressed
    compress
    # RPM packages drop log rotation information into this directory
    include /etc/logrotate.d
    # no packages own lastlog or wtmp -- we'll rotate them here
    /var/log/wtmp {
        monthly
        create 0664 root utmp
        rotate 1
    }

3. Automatic Tasks

Using cron
The program responsible for running cron jobs is called crond. Every minute crond reads specific files containing commands to be executed. These files are called crontabs. User crontabs are in /var/spool/cron/<username>. These files should not be edited directly by non-root users and need to be edited using the crontab tool (see below).
The system crontab is /etc/crontab. This file periodically executes all the scripts in /etc/cron.*; this includes any symbolic link pointing to scripts or binaries on the system.
To manipulate cron entries one uses the crontab utility. Scheduled tasks are viewed with the -l option as seen below:

    crontab -l
    # DO NOT EDIT THIS FILE - edit the master and reinstall
    # (/tmp/crontab.1391 installed on Tue Jul 17 17:56:48 2001)
    # (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
    0 * * 07 2 /usr/bin/find /home/penguin -name core -exec rm {} \;

Does the user root have any crontabs?
Similarly the -e option will open your default editor and let you enter a cron entry. User root can use the -u option to view and change any user's cron entries.
To delete your crontab file use crontab -r.
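Who may create a crontab at all is governed by /etc/cron.allow and /etc/cron.deny, and for at by /etc/at.allow and /etc/at.deny, as described under Permissions further down and in the crontab(1) and at.allow(5) entries of the summary table. The POSIX shell function below is an added example, not part of the original manual: it reproduces that decision so the effect of an allow or deny file can be checked against test copies before the real files are touched. The rules it encodes are the ones stated in this chapter; note that some distributions build cron so that the "neither file exists" case admits every user rather than only root, so check crontab(1) on the system in question.

```shell
#!/bin/sh
# Added example: the access decision crontab(1) and at(1) make before
# accepting a job.
#   1. root may always submit jobs;
#   2. if the allow file exists, only the users listed in it may;
#   3. otherwise, if the deny file exists, everyone not listed in it may
#      (so an empty deny file opens the service to all users);
#   4. if neither file exists, only root may.
# The file paths are parameters so the function can be pointed at copies.

# user_listed USER FILE: exact whole-line match, one username per line
user_listed() {
    grep -qx "$1" "$2" 2>/dev/null
}

# may_schedule USER ALLOW_FILE DENY_FILE: 0 if USER may use cron/at, 1 if not
may_schedule() {
    user=$1; allow=$2; deny=$3
    [ "$user" = root ] && return 0
    if [ -f "$allow" ]; then
        if user_listed "$user" "$allow"; then return 0; else return 1; fi
    fi
    if [ -f "$deny" ]; then
        if user_listed "$user" "$deny"; then return 1; else return 0; fi
    fi
    return 1
}

# Wrappers with the real paths used by cron and at on Linux
cron_may_schedule() { may_schedule "$1" /etc/cron.allow /etc/cron.deny; }
at_may_schedule()   { may_schedule "$1" /etc/at.allow /etc/at.deny; }
```

The practical consequence of rule 3 is worth remembering when hardening a host: deleting cron.allow because "nobody is listed in it anyway" does not lock users out, it hands the decision to cron.deny, and a missing or empty cron.deny then lets every account schedule jobs.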
This is the format for crontabs:

    Minutes(0-59)  Hours(0-23)  Day of Month(1-31)  Month(1-12)  Day of Week(0-7, 0 or 7 = Sunday)  command

Permissions:
By default only the root user can use crontab. The files /etc/cron.deny and /etc/cron.allow are available to allow or disallow the creation of crontabs for users listed in /etc/passwd.

Scheduling with "at"
The at jobs are run by the atd daemon. At jobs are spooled in /var/spool/at/.
The at command is used to schedule a one-off task with the syntax:

    at [time]

where time can be expressed as:

    now
    3am + 2days
    midnight
    10:15 Apr 12
    teatime

For a complete list of valid time formats see /usr/share/doc/at-xxx/timespec.
You can list commands that are scheduled with atq or at -l. The at jobs are saved in /var/spool/at/:

    ls /var/spool/at/
    a0000100fd244d  spool

When using atq you should get a list of jobs, each preceded by a number. You can use this number to dequeue it:

    atq
    1    2001-10-10 18:21 a root

From the atq listing we see that the job number is 1, so we can remove the job from the spool as follows:

    atrm 1

Permissions:
By default at is restricted to the root user. To override this you must either have an empty /etc/at.deny or have an /etc/at.allow with the appropriate names.

4. Backups and Compressions

Backup strategies
There are three main strategies to back up a system:

Full: copy all files
Incremental: The first incremental copies all files added or changed since the last full backup,
and subsequently copies all the files added or changed since the last incremental backup
Differential: Copies all files added or changed since the last full backup

Example: If you made a full backup and 3 differential backups before a crash, how many tapes would you need to restore?

Creating archives with tar
The main option to create an archive with tar is -c. You can also specify the name of the archive as the first argument if you use the -f flag.

    tar -cf home.tar /home/

If you don't specify the file as an argument, tar -c will simply write the archive to standard output:

    tar -c /home/ > home.tar

Extracting archives with tar
Extracting is straightforward. Replace the -c flag with -x. This will cause tar to create directories if necessary and copy the archived files into your current directory. To redirect the output of the extracted archive into the directory /usr/share/doc, for example, you can do:

    tar xf backeddocs.tar -C /usr/share/doc

Compressions
All archives can be compressed using different compression utilities. These flags are available when creating, testing or extracting an archive:

    tar option    compression type
    Z             compress
    z             gzip
    j             bzip2

The cpio utility
The cpio utility is used to copy files to and from archives. A list of files must be given to cpio either through a pipe (as when used with find) or via a file redirection such as with <.
Extract an archive from a tape:

    cpio -i < /dev/tape

Create an archive for the /etc directory:

    find /etc | cpio -o > etc.cpio

The dump and restore utilities
Finally, it is also possible to perform backups using dump. Remember that the field after the options in /etc/fstab is used to specify whether a device should be backed up or not using dump. An entire device can be backed up this way. However dump can also back up directories. When backing up an entire device (not a directory), information about the previous full or incremental backups is stored in /etc/dumpdates. Dump can automatically do up to 9 incremental levels. By default dump will save the archive to /dev/st0. Backups are recovered with the restore utility.

    dump -0 -f /tmp/etc.dump /etc
You can test this archive with:

    restore -t -a -f /tmp/etc.dump

Extract all the files with:

    restore -x -a -f /tmp/etc.dump

or you can interactively extract a list of files (that gets interactively created too):

    restore -i -a -f /tmp/etc.dump
    restore > add etc/passwd etc/group
    restore > extract
    restoring ./etc/group
    restoring ./etc/passwd
    set owner/mode for '.'? [yn] y
    restore > ^D

Backing up with dd
Remember from LPI 101 that the dd tool can make an image of a device preserving everything, including:
- the underlying filesystem
- the boot sector (first 512 bytes)
The image can be saved to a file or a device. The same is true when retrieving the image.
Syntax:

    dd if=FILE|DEVICE of=FILE|DEVICE

What to back up
The following table, extracted from the FHS document, is used to determine how often specific directories need to be backed up:

                shareable      unshareable
    static      /usr, /opt     /etc, /boot
    variable    /var/mail      /var/run, /var/spool/mail

5. Documentation

Manpages and the whatis database
The manpages are organised in sections:

NAME         the name of the item followed by a short one line description
SYNOPSIS     the syntax for the command
DESCRIPTION  a longer description
OPTIONS      a review of all possible options and their function
FILES        files that are related to the current item (configuration files etc)
SEE ALSO     other manpages related to the current topic

These are the main sections one can expect to find in a manpage.
The whatis database stores the NAME section of all the manpages on the system. This is done through a daily cron job.
The whatis database has the following two entries:

    name(key)    one line description

The syntax for whatis is:

    whatis <string>

The output is the full NAME section of the manpages where string matched name(key).
One can also use the man command to query the whatis database. The syntax is:

    man -k <string>

This command is similar to apropos. Unlike whatis this will query both the "name" and the "one line description" entries of the database. If the string matches a word in any of these fields the above query will return the full NAME section.
Example:

    whatis lilo
    lilo (8)               - install boot loader
    lilo.conf [lilo] (5)   - configuration file for lilo

    man -k lilo
    grubby (8)             - command line tool for configuring grub, lilo, and elilo
    lilo (8)               - install boot loader
    lilo.conf [lilo] (5)   - configuration file for lilo

The FHS recommends manpages be kept in /usr/share/man. However additional locations can be searched using the MANPATH environment variable set in /etc/man.config. Each directory is further divided into subdirectories corresponding to manpage sections.

Manpage Sections

Section 1    Information on executables
Section 2    System calls, e.g. mkdir(2)
Section 3    Library calls, e.g. stdio(3)
Section 4    Devices (files in /dev)
Section 5    Configuration files and formats
Section 6    Games
Section 7    Macro packages
Section 8    Administration commands

To access a specific section N one has to enter:

    man N command

Examples:

    man mkdir
    man 2 mkdir
    man crontab
    man 5 crontab

Info pages
The FHS recommends info pages be kept in /usr/share/info. These pages are compressed files that can be read with the info tool. The original GNU tools used info pages rather than manpages. Since then most info pages have been rewritten as manpages.
However information about GNU projects such as gcc or glibc is still more extensive in the info pages compared to the manpages.

Installed documents
GNU projects include documents such as a FAQ, README, CHANGELOG and sometimes user/admin guides. The formats can either be ASCII text, HTML, LaTeX or postscript. These documents are kept in the /usr/share/doc/ directory.

HOWTOs and The Linux Documentation Project
The Linux Documentation Project provides many detailed documents on specific topics. These are structured guides explaining concepts and implementations. The website URL is www.tldp.org. The LDP documents are freely redistributable and can be contributed to using a GPL type licence.

Usenet News Groups
The main newsgroups for Linux are the comp.os.linux.* groups (e.g. comp.os.linux.networking, comp.os.linux.security ...). Once you have set up a news reader to connect to a news server (usually available through an ISP or a university campus) one downloads a list of all existing discussion groups and subscribes/unsubscribes to a given group.
There are many experienced as well as new users who rely on the newsgroups to get information on specific tasks or projects. Take the time to answer some of these questions if you feel you have the relevant experience.

Notifying Users about the System
It is possible to print information for users logging onto the system, such as the sysadmin's contact details or the state of the system, using either /etc/issue (/etc/issue.net for telnet users) or /etc/motd.
The issue file is printed on the login terminals (ttys) by mingetty and can be used to publish the company's warning regarding the usage of the computer equipment, contact details or even some ASCII art. The same information can be made available through a display manager (see LPI 101).
The issue.net file is visible at a telnet login prompt, before any authentication; it should generally not contain information about the system (OS type, kernel version, etc.), since that would be handed to anyone who connects.
The filename motd stands for "message of the day" and is only visible after a successful login.

6. Exercises and Summary
Files

File - Description

/etc/at.allow, /etc/at.deny - at.allow(5): determine which users can submit commands for later execution via at(1) or batch(1). The format of the files is a list of usernames, one on each line. Whitespace is not permitted. The superuser may always use at. If the file /etc/at.allow exists, only usernames mentioned in it are allowed to use at. If /etc/at.allow does not exist, /etc/at.deny is checked
/etc/cron.allow, /etc/cron.deny - crontab(1): If the cron.allow file exists, then you must be listed therein in order to be allowed to use this command. If the cron.allow file does not exist but the cron.deny file does exist, then you must not be listed in the cron.deny file in order to use this command. If neither of these files exists, only the superuser will be allowed to use this command
/etc/crontab - system crontab file, re-read by the crond daemon whenever its modification time changes
/etc/dumpdates - stores information about the last full or incremental dumps
/etc/issue - message printed by the mingetty program at the login prompt on a tty
/etc/issue.net - message printed by the telnet daemon at the login prompt
/etc/logrotate.conf - configuration file for logrotate
/etc/motd - message displayed by login after a successful login
/etc/syslog.conf - configuration file for syslogd
/usr/share/info - directory where info pages are stored
/usr/share/man - directory where the various sections of the manpages are stored
/var/spool/at/ - directory containing spooled at and batch jobs
/var/spool/cron/ - directory containing user defined crontabs. The crontab file has the name of the user that created it and can only be edited with the crontab -e command

Commands

Command - Description

apropos - apropos(1): searches a set of database files containing short descriptions of system commands for keywords and displays the result on the standard output
at - at(1): read commands from standard input or a specified file which are to be executed at a later time
atd - atd(8): run jobs queued by at for later execution
atq - at(1): lists the user's pending jobs, unless the user is the superuser; in that case, everybody's jobs are listed. The format of the output lines (one for each job) is: job number, date, hour, job class
atrm - deletes jobs, identified by their job number
cron or crond - cron(8): cron searches /var/spool/cron for crontab files which are named after accounts in /etc/passwd; crontabs found are loaded into memory. Cron also searches for /etc/crontab and the files in the /etc/cron.d directory, which are in a different format
crontab - file loaded by crond. It is also the name of the program used to edit crontabs created by users in /var/spool/cron
dd - copy files and devices with optional modifications such as block size (see info coreutils dd)
dump - dump(8): examines files on an ext2/3 filesystem and determines which files need to be backed up
info - read info documentation stored in /usr/share/info
logger - allows shell scripts to log messages with syslogd
logrotate - logrotate(8): is designed to ease administration of systems that generate large numbers of log files. It allows automatic rotation, compression, removal, and mailing of log files. Each log file may be handled daily, weekly, monthly, or when it grows too large
man -k - same as apropos
restore - restore files or file systems from backups made with dump
syslogd - the system logger. Programs can send messages to syslogd which include information such as the date and the host name. The configuration file /etc/syslog.conf is used to customise where messages are logged (e.g. file, device or remote logger)
tar - tar(1): an archiving program designed to store and extract files from an archive file known as a tarfile. A tarfile may be made on a tape drive; however, it is also common to write a tarfile to a normal file
whatis - whatis(1): search the whatis database for complete words

Exercises

Logging
1. Change /etc/syslog.conf to output some of the logs to /dev/tty9 (make sure you restart syslogd and that the output is properly redirected).
2. Add a custom local5 item with critical priority to /etc/syslog.conf and direct the output to /dev/tty10. Restart syslogd and use logger to write information via local5.
3. Read the /etc/rc.d/init.d/syslog script and change /etc/sysconfig/syslog to allow remote hosts to send log output.

Scheduling
4. Create a cron entry which starts xclock every 2 minutes. Remember that cron is unaware of environment variables such as PATH and DISPLAY.
5. Use at to start xclock in the next five minutes.

Archiving
6. Use find to list all files that have been modified during the past 24 hours. (hint: redirect the output of find / -mtime -1 to a file)
7. Use cpio to create an archive called Incremental.cpio. (ans: use the file created above and do cat FILE | cpio -ov > Incremental.cpio)
8. Use tar to create an archive of all files last accessed or changed 5 mins ago. (HINT: use find to create a list of files, then save the list to a file. The tar tool has a switch to take input from a file.)
9. Test the archive before extracting it.
10. Extract the archive you have just created.

Setting up PPP

Prerequisites: Hardware Configuration (see LPI 101)

Goals:
- Configure a modem for dial up
- Understand the roles of the pppd daemon and the chat script
- Configure options in /etc/ppp/options such as hardware flow control or persistent connections

Contents:
1. Detecting Modems
2. Dialup Configuration
3. pppd and chat
4. PPPD peers
5. Wvdial
6. Exercises and Summary

1. Detecting Modems
Linux assumes in general that serial modems are connected to a serial port (one of the /dev/ttySN devices). So you first need to find out which serial port the modem is connected to.
The setserial -g command will query the serial ports. If the resource is not available then the UART value will be unknown. Sample output for setserial:

    setserial -g /dev/ttyS[0-3]
    /dev/ttyS0, UART: 16550A, Port: 0x03f8, IRQ: 4
    /dev/ttyS1, UART: 16550A, Port: 0x02f8, IRQ: 3
    /dev/ttyS2, UART: unknown, Port: 0x03e8, IRQ: 4
    /dev/ttyS3, UART: unknown, Port: 0x02e8, IRQ: 3

For non-serial modems it is possible to get information about available resources in /proc/pci. Here the I/O and IRQ settings can be transferred to a free /dev/ttySN device. This is achieved with the following 2 lines:

    setserial /dev/ttyS2 port 0x2000 irq 3
    setserial /dev/ttyS2 autoconfig

The last line simply deals with setting up the proper UART settings. These settings will be lost at the next boot and can be saved in /etc/rc.serial. This script is one of the last scripts executed by rc.sysinit at boot time.

The rc.serial script:

    #!/bin/bash
    # Re-apply the serial card settings at boot (run from rc.sysinit)
    TTY=/dev/ttyS2
    PORT=0x2000
    IRQ=3
    echo "Setting up Serial Card ..."
    /bin/setserial "$TTY" port "$PORT" irq "$IRQ" 2>/dev/null
    /bin/setserial "$TTY" autoconfig 2>/dev/null
2. Dialup Configuration
Once the modem is known to be connected to a serial device it is possible to send modem specific instructions such as ATZ or ATD. One tool that will act as a terminal interface is minicom.

[minicom screenshot]

Another common tool is wvdialconf. This tool will automatically scan for modems on the ttySN devices and create a configuration file called /etc/wvdial.conf. The next command will create or update the configuration file:

    wvdialconf /etc/wvdial.conf

This file is used to handle password authentication and to initialise the pppd daemon once the connection is established. If a dialer called MYISP is defined in wvdial.conf then the connection is started using:

    wvdial MYISP

3. pppd and chat
First of all, the chat script is used to communicate with a remote host's modem. It is a series of expect/send strings. The format is:

    <expected string> <answer>

Strings typically expected from the modem or the remote host are the empty string '' (match anything), 'OK', 'CONNECT', 'login', 'password' and finally the '$' shell prompt.
The script is read sequentially and starts with the empty expect string '', which is paired with the command 'ATZ'. Once the modem is initialised it sends back 'OK'. To this the script answers with an 'ATDT' dialing command. This conversation goes on until the '$' prompt is reached, at which stage one can run pppd.

Sample chat script:

    ABORT   "BUSY"
    ABORT   "ERROR"
    ABORT   "NO CARRIER"
    ABORT   "NO DIALTONE"
    ABORT   "Invalid Login"
    ABORT   "Login incorrect"
    ""      "ATZ"
    "OK"    "ATDT011-2341212"
    "CONNECT" ""
    "ogin:" "adrian"
    "ord:"  "adrianpasswd"
    "TIMEOUT" "5"

The ABORT lines list modem or server responses that end the conversation immediately. Because the script contains the account password in clear text, it should be readable by root only (mode 0600). Of course this is one way of doing things.
One can also start pppd manually and then invoke the chat script as follows:

    pppd /dev/ttyS2 115200 \
        nodetach \
        lock \
        debug \
        crtscts \
        asyncmap 0000000 \
        connect "/usr/sbin/chat -f /etc/sysconfig/network-scripts/chat-ppp0"

The lines below the pppd command can be saved in /etc/ppp/options. This file contains most of the features which make up the strength and flexibility of pppd. The main options for /etc/ppp/options are listed in the next table.

Option - Description

crtscts - use hardware flow control using the RTS and CTS signals
noauth - do not require the peer to authenticate itself
persist - do not exit after a connection is terminated but try to reconnect
require-chap - require the peer to authenticate with CHAP, using /etc/ppp/chap-secrets

Once a serial connection is established the pppd daemon will start the PPP protocol. At this point a network interface called pppN is created and an IP address is negotiated for it; pppd then runs the script /etc/ppp/ip-up (for example to set up routing). When a connection is terminated the pppd daemon releases the IP address and runs the /etc/ppp/ip-down script.

4. PPPD peers
There is a directory called peers in /etc/ppp/. In this directory one can create a file that contains all the necessary command line options for pppd. In this way peer connections can be started by all users. Below is an example of a PPP peer file:

    # This optionfile was generated by pppconfig 2.0.10.
    hide-password
    noauth
    connect "/usr/sbin/chat -f /etc/sysconfig/network-scripts/chat-ppp0"
    /dev/ttyS0
    115200
    defaultroute
    noipdefault
    user uk2

The previous peer file (called uk2) would be used as follows:

    # pppd call uk2

This will dial the number specified in the chat script and authenticate as the user "uk2". Please note that this requires a corresponding entry in /etc/ppp/chap-secrets and /etc/ppp/pap-secrets.
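Both secrets files use the format shown in the next paragraph (client, server, secret, optional IP addresses). Since pppd reads them as root, nothing but root needs read access to them, and an entry whose server field is the wildcard '*' will present the same secret to any peer that asks for it. The POSIX shell function below is an added example and not part of the original manual; it parses a file in that format and reports those two findings. The sample file in the test is constructed for the example; the real files live in /etc/ppp/.

```shell
#!/bin/sh
# Added example: sanity-check a pap-secrets / chap-secrets style file.
# Entry format:  client  server  secret  [IP addresses]
# Lines starting with # are comments; fields are whitespace separated.
# Findings reported:
#   * file readable by group or others (pppd runs as root, so 0600 suffices);
#   * an entry with server '*', which hands the secret to any peer;
#   * an entry with no secret field at all.
# Returns 0 when nothing was found, 1 on findings, 2 if the file is missing.

check_secrets_file() {
    f=$1; rc=0
    [ -f "$f" ] || { echo "$f: missing"; return 2; }

    # Permission check via ls -l: characters 5-10 are group/other bits.
    perms=$(ls -ld "$f" | cut -c1-10)
    case $perms in
        ????------) ;;
        *) echo "$f: mode $perms, expected group/other bits cleared (0600)"; rc=1 ;;
    esac

    n=0
    while read -r client server secret addrs; do
        case $client in ''|\#*) continue ;; esac
        n=$((n + 1))
        if [ -z "$secret" ]; then
            echo "$f: entry for '$client' has no secret field"; rc=1
        fi
        if [ "$server" = '*' ]; then
            echo "$f: entry for '$client' is valid for any server (server='*')"; rc=1
        fi
    done < "$f"
    [ "$n" -gt 0 ] || { echo "$f: no entries"; rc=1; }
    return $rc
}

# Typical use on a live system:
#   check_secrets_file /etc/ppp/chap-secrets && check_secrets_file /etc/ppp/pap-secrets
```

For a single ISP account the wildcard server is the normal configuration, and the finding is a reminder rather than an error; for the private point-to-point links described under the secrets format, naming the server is what makes the per-peer secrets and the optional IP address column meaningful.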
The format for pap and chap secrets is as follows:

    # Secrets for authentication using CHAP
    # client    server    secret    IP addresses
    uk2         *         "uk2"     *

This format allows different passwords to be used if you connect to different servers. It also allows you to specify an IP address. This is probably not going to work when connecting to an ISP, but when making private connections, you can specify IP addresses if there is a need. One example would be where you need to audit your network activity, and want to specify which users get a certain IP address.

5. Wvdial

This is the default method used by Red Hat to connect to a dial up network. To configure wvdial, it is easier to use one of the configuration tools provided with either Gnome or KDE. They configure the /etc/wvdial.conf file. Below is a sample wvdial.conf file:

    [Modem0]
    Modem = /dev/ttyS0
    Baud = 115200
    Dial Command = ATDT
    Init1 = ATZ
    FlowControl = Hardware (CRTSCTS)

    [Dialer UK2]
    Username = uk2
    Password = uk2
    Phone = 08456091370
    Inherits = Modem0

To use wvdial from the command line, you would execute it with the following syntax:

    $ wvdial <dialer-name>

In the example configuration file the following command would dial the connection called "uk2":

    $ wvdial uk2

6. Exercises and Summary

Files

    File                    Description
    /etc/ppp/options        options used by the pppd daemon (additional options can be passed on the command line)
    /etc/ppp/chap-secrets   contains login information available when using the challenge handshake authentication protocol (CHAP)
    /etc/ppp/pap-secrets    contains login information available when using the password authentication protocol (PAP)
    /etc/ppp/peers/         contains files with connection information (user name, chat script) as well as pppd options
    /etc/wvdial.conf        configuration file used by wvdial

Commands

    Command    Description
    chat       chat(8) - The chat program defines a conversational exchange between the computer and the modem. Its primary purpose is to establish the connection between the Point-to-Point Protocol Daemon (pppd) and the remote pppd process.
    minicom    program used to communicate over a serial connection. Can be given a phone number, user name and password. Once the connection is established minicom acts as a terminal.
    pppd       pppd(8) - PPP is the protocol used for establishing internet links over dial-up modems, DSL connections, and many other types of point-to-point links. The pppd daemon works together with the kernel PPP driver to establish and maintain a PPP link with another system (called the peer) and to negotiate Internet Protocol (IP) addresses for each end of the link. Pppd can also authenticate the peer and/or supply authentication information to the peer.
    wvdial     wvdial(1) - wvdial is an intelligent PPP dialer, which means that it dials a modem and starts PPP in order to connect to the Internet. It is something like the chat(8) program, except that it uses heuristics to guess how to dial and log into your server rather than forcing you to write a login script.

Printing

Prerequisite: None

Goals:
    Understand the GNU printing tools used to submit and administrate print jobs
    Configure a LPRng print spooler

Contents:
    Printing ............................... 123
    1.
"ilters and gs........................................................................................................................................ '*6 *. #rinters and print ueues..................................................................................................................... '*6 3. #rinting Tools....................................................................................................................................... '*7 6. The configuration files.......................................................................................................................... '*= 7. $xercises and /ummary...................................................................................................................... '*A _________________________________________________________________________ +25 LinuxI e!hni!al 'du!ation (entre Printin" __________________________________________________________ 1$ Filters and "s "or non.text formats Linux and <CI% systems generally use filters. These filters translate `PD" or tro!! file formats into a postscript type format. This could directly be sent to a postscript printer! but since not all generic printers can handle postscript! an intermediate 'virtual postscript printer' is used called ghostscript or "s which translates the postscript into printer compatible language 	L) or something that the printer understands.
The commercial version of ghostscript is Aladdin Ghostscript and the GNU version is derived from this. The gs utility has a database of printer drivers it can handle (this list is usually up to date, for example many USB printers are supported) and converts the postscript directly into PCL for these known models. The gs utility plays a central role in Linux printing.

2. Printers and print queues

As seen above simple ascii text printing is not handled in the same way as image or postscript files. If you only have one printer and you would like to print out your mail for example, it may not be necessary to use a filter. You may want to define a queue without filters, which would print mail faster. You could also define a queue on the same printer, which would only handle postscript files.

All queues and printers are defined in /etc/printcap. Here is the full configuration of a remote printer 192.168.1.20 using the remote queue named 'lp':

    lp:\
        :sd=/var/spool/lpd/lp:\
        :mx#0:\
        :sh:\
        :rm=192.168.1.20:\
        :rp=lp:

The essential options here are rm the remote host, sd the spool directory and rp the name of the remote queue. Notice that no filters are specified (you would use if for input filter). All the filtering is done on the remote host.

3. Printing Tools

lpr:

The lpr utility is used to submit jobs to a printer. This is a modern version of lp (line print). From a user's point of view it is helpful to understand that a printer can be associated with more than one queue. Here are two examples to print a file called LETTER.
    Send job to default printer:       lpr LETTER
    Send job to the 'ljet' queue:      lpr -Pljet LETTER

Table: Main Options for lpr

    -#num    Print num copies
    -Ppq     Specify the print queue pq
    -s       Make a symbolic link in the spool directory rather than copy the file in

lpq:

A user can monitor the status of print queues with the lpq utility. Here are a few examples.

    Show jobs in default queue:                lpq
    Show jobs for all queues on the system:    lpq -a
    Show jobs in the 'remote' queue:           lpq -Premote

lprm:

Depending on the options in /etc/lpd.perms users may be allowed to delete queued jobs using lprm.

    Remove last job submitted:                 lprm
    Remove jobs submitted by user dhill:       lprm dhill
    Remove all submitted jobs:                 lprm -a (or simply lprm -)

It is possible to remove a specific spooled job by referencing the job number; this number is given by lpq.

lpc:

The Line Printer Control utility is used to control the print queues and the printers. The print queues can be disabled or enabled. Notice that lprm on the other hand can remove jobs from the queue but doesn't stop the queue. One can either use lpc interactively (lpc has its own prompt), or on the command line. Here is the output of lpc help:

    CMD: /usr/sbin/lpc help
    Commands may be abbreviated.  Commands are:

    abort   enable  disable help    restart status  topq    ?
    clean   exit    down    quit    start   stop    up

The enable/disable/topq/up/down options relate to queues. The start/stop options relate to printers.

mpage:

This tool will format a document to print a fixed number of pages per sheet. The default is four pages per sheet. This is useful to get a quick overview of a document.

4. The configuration files

/etc/printcap

As seen earlier in the chapter, this file defines all printers and queues that the system can use (remote and local).
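The printcap format used by these entries (a name field with `|` aliases, colon-separated capabilities, backslash line continuations, `name=string`, `name#number` and bare boolean flags) parsed in Python as an added example that is not lpd's own parser and not code from the manual. The input is constructed from the remote-printer entry above plus a hypothetical local queue named `local`, and `describe` sorts each entry into the remote (rm/rp) or local (lp) case so the spool directory and filter in use can be listed per queue.

```python
"""Parse /etc/printcap entries into dicts (added example, not lpd's parser).

Handles comment lines, backslash continuation, '|' name aliases, ':'-separated
capabilities, name=string, name#number and boolean flags. The input below is
constructed: the remote-printer example from the text plus a local queue.
"""

PRINTCAP = r"""
# constructed sample printcap
lp:\
    :sd=/var/spool/lpd/lp:\
    :mx#0:\
    :sh:\
    :rm=192.168.1.20:\
    :rp=lp:
local|ljet|HP LaserJet:\
    :lp=/dev/lp0:\
    :sd=/var/spool/lpd/ljet:\
    :if=/usr/lib/lpd/filter:\
    :mx#0:
"""


def _logical_lines(text):
    """Join backslash-continued lines; drop comments and blank lines."""
    buf, out = "", []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):          # continuation: keep collecting
            buf += line[:-1]
            continue
        out.append(buf + line)
        buf = ""
    if buf:                              # entry whose last line ended with a backslash
        out.append(buf)
    return out


def parse_printcap(text):
    """Return {primary_name: {'names': [all names], 'caps': {cap: value}}}."""
    queues = {}
    for entry in _logical_lines(text):
        fields = [f for f in entry.split(":") if f]   # '::' between lines gives empties
        names = [n.strip() for n in fields[0].split("|")]
        caps = {}
        for cap in fields[1:]:
            cap = cap.strip()
            if "=" in cap:                # string capability, e.g. sd=/var/spool/lpd/lp
                key, value = cap.split("=", 1)
                caps[key] = value
            elif "#" in cap:              # numeric capability, e.g. mx#0
                key, value = cap.split("#", 1)
                caps[key] = int(value)
            else:                         # boolean flag, e.g. sh
                caps[cap] = True
        queues[names[0]] = {"names": names, "caps": caps}
    return queues


def describe(queue):
    """Classify one parsed entry as remote or local and pull out the fields that matter."""
    caps = queue["caps"]
    if "rm" in caps:
        return {"kind": "remote", "host": caps["rm"], "remote_queue": caps.get("rp"),
                "spool": caps.get("sd"), "filter": caps.get("if")}
    return {"kind": "local", "device": caps.get("lp"),
            "spool": caps.get("sd"), "filter": caps.get("if")}


if __name__ == "__main__":
    for name, q in parse_printcap(PRINTCAP).items():
        print(name, describe(q))
```

For the remote entry `describe` reports no filter at all, which matches the remark above that filtering for a remote queue happens on the remote host.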
The default printer can be specified with either of the variables LPDEST or PRINTER:

    PRINTER=lp

If no environment variable is set the default printer is the first printer defined in /etc/printcap. The main definitions are:

    lp    device name, usually /dev/lp0 for the parallel port
    mx    maximum file size (zero=nolimit)
    sd    spool directory (/var/spool/lpd/<queuename>)
    if    input filter
    rm    remote host address or IP
    rp    remote queue name

If this file is modified you will need to restart the lpd daemon.

/etc/lpd.conf

This is a very lengthy file and by default all options are commented out. This file is used if an administrator wishes to have more control (i.e. remote access authentication, user permissions ...) over the printing.

/etc/lpd.perms

This file controls permissions for the lpc, lpq and lprm utilities. In particular you can grant users the right to dequeue their current job (using the lprm tool) with the line:

    ACCEPT SERVICE=M SAMEHOST SAMEUSER

LPRng uses a system of keys to shorten the entries in lpd.perms. This is however not very easy to understand. For example the service 'M' corresponds to lprm in the above line.

Sample /etc/lpd.perms file:

    ## Permissions are checked by the use of 'keys' and matches. For each of
    ## the following LPR activities, the following keys have a value.
    ##
    ## Key         Match   Connect Job     Job     LPQ     LPRM    LPC
    ##                             Spool   Print
    ## SERVICE     S       'X'     'R'     'P'     'Q'     'M'     'C'
    ## USER        S       -       JUSR    JUSR    JUSR    JUSR    JUSR
    ## HOST        S       RH      JH      JH      JH      JH      JH
    ## GROUP       S       -       JUSR    JUSR    JUSR    JUSR    JUSR
    ## IP          IP      RIP     JIP     JIP     RIP     JIP     JIP
    ## PORT        N       PORT    PORT    -       PORT    PORT    PORT
    ## REMOTEUSER  S       -       JUSR    JUSR    JUSR    CUSR    CUSR
    ## REMOTEHOST  S       RH      RH      JH      RH      RH      RH
    ## REMOTEGROUP S       -       JUSR    JUSR    JUSR    CUSR    CUSR
    ## REMOTEIP    IP      RIP     RIP     JIP     RIP     RIP     RIP
    ## CONTROLLINE S       -       CL      CL      CL      CL      CL
    ## PRINTER     S       -       PR      PR      PR      PR      PR
    ## FORWARD     V       -       SA      -       -       SA      SA
    ## SAMEHOST    V       -       SA      -       SA      SA      SA
    ## SAMEUSER    V       -       -       -       SU      SU      SU
    ## SERVER      V       -       SV      -       SV      SV      SV
    ## LPC         S       -       -       -       -       -       LPC
    ## AUTH        V       -       AU      AU      AU      AU      AU
    ## AUTHTYPE    S       -       AU      AU      AU      AU      AU
    ## AUTHUSER    S       -       AU      AU      AU      AU      AU
    ## AUTHFROM    S       -       AU      AU      AU      AU      AU
    ## AUTHSAMEUSER S      -       AU      AU      AU      AU      AU
    ##
    ## KEY:
    ## JH = HOST host in control file
    ## RH = REMOTEHOST connecting host name
    ## JUSR = USER user in control file
    ## AUTH will match (true) if authenticated transfer
    ## AUTHTYPE will match authentication type
    ## AUTHUSER will match client authentication type
    ## AUTHFROM will match server authentication type and is NULL if not from server
    ## AUTHSAMEUSER will match client authentication to save authentication in job
    ##
    ## Example Permissions
    ##
    ## # All operations allowed except those specifically forbidden
    ## DEFAULT ACCEPT
    ##
    ## #Reject connections from hosts not on subnet 130.191.0.0
    ## # or Engineering pc's
    ## REJECT SERVICE=X NOT REMOTEIP=130.191.0.0/255.255.0.0
    ## REJECT SERVICE=X NOT REMOTEHOST=engpc*
    ##
    ## #Do not allow anybody but root or papowell on
    ## #astart1.astart.com or the server to use control
    ## #facilities.
    ## ACCEPT SERVICE=C SERVER REMOTEUSER=root
    ## ACCEPT SERVICE=C REMOTEHOST=astart1.astart.com REMOTEUSER=papowell
    ##
    ## #Allow root on talker.astart.com to control printer hpjet
    ## ACCEPT SERVICE=C HOST=talker.astart.com PRINTER=hpjet REMOTEUSER=root
    ## #Reject all others
    ## REJECT SERVICE=C
    ##
    ## #Do not allow forwarded jobs or requests
    ## REJECT SERVICE=R,C,M FORWARD
    #
    # allow root on server to control jobs
    ACCEPT SERVICE=C SERVER REMOTEUSER=root
    # allow anybody to get server, status, and printcap
    ACCEPT SERVICE=C LPC=lpd,status,printcap
    # reject all others
    REJECT SERVICE=C
    #
    # allow same user on originating host to remove a job
    ACCEPT SERVICE=M SAMEHOST SAMEUSER
    # allow root on server to remove a job
    ACCEPT SERVICE=M SERVER REMOTEUSER=root
    REJECT SERVICE=M
    # all other operations allowed
    DEFAULT ACCEPT

/etc/hosts.{lpd,equiv}

These files were used by the LPR printing suite and presented a security risk. When running a print server you needed to specify which hosts could access the printer in /etc/hosts.lpd. You also needed to add the hosts to /etc/hosts.equiv. These files are now replaced in LPRng by the /etc/lpd.perms file.

5. Exercises and Summary

    Term      Definition
    Filter    Scripts used to prepare a document before printing
    Device    Type of connection used to access the printer (e.g. parallel,
USB or network)
    Driver    Translates raw or postscript type formats into printer specific instructions such as PCL

Files

    File              Description
    /etc/printcap     Read by the lpd daemon at start up and contains a list of configured printers
    /etc/lpd.perms    Contains permissions applied to the lpd daemon such as remote access

Commands

    Command    Description
    lpc        line printer control program
    lpd        line printer daemon
    lpq        print printer queue status
    lpr        submit files for printing
    lprm       remove a queued print job
    mpage      print multiple pages of a document on one page

1. Start printtool and create a new local queue called lp.
2. Customise the device /dev/tty10 as the printer device (remember to do chmod 666 /dev/tty10 to allow printing on this device). You now have a virtual printer on your system!
3. Send jobs to the print queue using lpr and pr (pre-formatting tool).
4. With your system's print tool, define different remote queues:
   - a UNIX queue
   - a SMB queue
   If you are the server, make sure the appropriate rules are defined in /etc/lpd.perms.
   In each case:
   - check the /etc/printcap file. Which filter is used? How is the remote host defined?
   - check the /var/spool/lpd/ directory.
5. Stop the various printer queues and printers with lpc.
6. Check the contents of each queue with lpq.
7. De-queue selected jobs with lprm.

Appendix

LPI 102 Objectives

1. Kernel

Manage/Query kernel and kernel modules at runtime
Manage a kernel and kernel loadable modules. Use command-line utilities to get information about the kernel modules and the running kernel. Load modules with correct parameters and unload them.
Load modules using aliases.
Keywords: /lib/modules/kernel-version/modules.dep, /etc/modules.conf or /etc/conf.modules, depmod, insmod, lsmod, rmmod, modinfo, modprobe, uname

Reconfigure, build, and install a custom kernel and kernel modules
Customise, build, and install a kernel and kernel loadable modules from source. Customise the current kernel. Build a new kernel or new kernel modules as needed. Install the new kernel and reconfigure the boot loader.
Keywords: /usr/src/linux/*, /usr/src/linux/.config, /lib/modules/kernel-version/*, /boot/*, make, config, menuconfig, xconfig, oldconfig, modules, install, modules_install, depmod

2. Boot, Initialisation, Shutdown and Runlevels

Boot the system
Follow the system through the booting process. Pass parameters to the boot loader (runlevel and kernel options). Check events in the log files.
Keywords: dmesg, /var/log/messages, /etc/modules.conf, LILO, GRUB

Change runlevels and shutdown or reboot system
Manage the system's runlevels. The default runlevel. The single user mode. Shutdown and reboot. Alert users before switching runlevel.
Keywords: shutdown, init, /etc/inittab

3. Printing

Manage printers and print queues
Manage print queues and print jobs. Monitor print server and user print queues. Troubleshoot general printing problems.
Keywords: lpc, lpq, lprm, lpr, /etc/printcap

Print files
Manage print queues and manipulate print jobs. Add and remove jobs from printer queues. Convert text files to postscript for printing.
Keywords: lpr, lpq, mpage

Install and configure local and remote printers
Install a printer daemon. Install and configure a print filter (e.g.: apsfilter, magicfilter). Make local and remote printers accessible for a Linux system. SMB shared printers.
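On an LPRng server, making queues accessible to remote hosts while still controlling who may stop a queue or remove someone else's job comes down to the /etc/lpd.perms rules shown in the printing chapter. The following is an added example, not LPRng's own permission code and not part of the manual: it evaluates the sample file's active rules (and, in the usage shown in the test, the commented subnet rules) against constructed requests, using LPRng's first-matching-line semantics with all terms on a line required to match. Only the keys that appear in the sample are supported (SERVICE, REMOTEUSER, REMOTEHOST, HOST, USER, PRINTER, LPC, REMOTEIP with a netmask, SERVER, SAMEHOST, SAMEUSER, NOT, DEFAULT); the REJECT fallback used when no DEFAULT line exists is this example's own choice.

```python
"""Evaluate a subset of LPRng /etc/lpd.perms against a request.

Added example, not LPRng's permission checker. Rule lines are ACCEPT or
REJECT followed by terms that must all match; the first matching line wins;
DEFAULT gives the action when nothing matches. String keys accept comma
lists and glob patterns, REMOTEIP accepts address/netmask. If no DEFAULT line
is present this example falls back to REJECT (an assumption of the example).
"""
import fnmatch
import ipaddress

# Constructed: the active (uncommented) rules from the sample lpd.perms.
PERMS = """
ACCEPT SERVICE=C SERVER REMOTEUSER=root
ACCEPT SERVICE=C LPC=lpd,status,printcap
REJECT SERVICE=C
ACCEPT SERVICE=M SAMEHOST SAMEUSER
ACCEPT SERVICE=M SERVER REMOTEUSER=root
REJECT SERVICE=M
DEFAULT ACCEPT
"""


def parse_perms(text):
    """Return ([(action, [term, ...]), ...], default_action)."""
    rules, default = [], "REJECT"        # REJECT fallback: this example's assumption
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = line.split()
        if words[0].upper() == "DEFAULT":
            default = words[1].upper()
        else:
            rules.append((words[0].upper(), words[1:]))
    return rules, default


def _term_matches(term, req):
    """One rule term against a request dict whose keys are lower-case key names."""
    if "=" in term:
        key, values = term.split("=", 1)
        key, values = key.upper(), values.split(",")
        if key == "REMOTEIP":             # address/netmask or address/prefix
            if "remoteip" not in req:
                return False
            addr = ipaddress.ip_address(req["remoteip"])
            return any(addr in ipaddress.ip_network(v, strict=False) for v in values)
        actual = req.get(key.lower())     # string keys: comma list, glob patterns
        return actual is not None and any(fnmatch.fnmatchcase(str(actual), v) for v in values)
    flag = term.upper()
    if flag == "SERVER":                  # request made on the print server itself
        return bool(req.get("server"))
    if flag == "SAMEHOST":                # requesting host is the job's originating host
        return req.get("remotehost") == req.get("host")
    if flag == "SAMEUSER":                # requesting user is the job's owner
        return req.get("remoteuser") == req.get("user")
    raise ValueError("unsupported key: " + term)


def check(perms_text, req):
    """Return 'ACCEPT' or 'REJECT' for req."""
    rules, default = parse_perms(perms_text)
    for action, terms in rules:
        negate, matched = False, True
        for term in terms:
            if term.upper() == "NOT":
                negate = True
                continue
            hit = _term_matches(term, req) != negate   # apply a pending NOT
            negate = False
            if not hit:
                matched = False
                break
        if matched:
            return action
    return default


if __name__ == "__main__":
    # lprm by the job owner from the originating host vs. by someone else
    print(check(PERMS, {"service": "M", "remoteuser": "bob", "user": "bob",
                        "remotehost": "pc1", "host": "pc1"}))
    print(check(PERMS, {"service": "M", "remoteuser": "mallory", "user": "bob",
                        "remotehost": "pc1", "host": "pc1"}))
```

With the sample's active rules, `lpc status` from any host is accepted by the LPC=lpd,status,printcap line while `lpc stop` from a non-root remote user falls through to REJECT SERVICE=C, and an lprm for another user's job is refused by REJECT SERVICE=M even though lpq (service Q) is accepted by DEFAULT ACCEPT.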
Keywords: lpd, /etc/printcap, /etc/apsfilter/*, /var/lib/apsfilter/*, /etc/magicfilter/*, /var/spool/lpd/*

4. Documentation

Use and manage local system documentation
Use and administer the manpages and the material in /usr/share/doc. Find relevant man pages. Search man page sections. Find a command and all the documentation related to it. Configure access to man sources and the man system.
Keywords: man, apropos, whatis, MANPATH

Find Linux documentation on the Internet
Find and use Linux documentation. Use Linux documentation from sources such as the Linux Documentation Project (LDP), vendors and third-party websites. Linux specific newsgroups. Newsgroup archives. Mailing lists.
Notify users on system-related issues
Notify users about current issues related to the system. Logon messages.
Keywords: /etc/issue, /etc/issue.net, /etc/motd

5. Shells, Scripting, Programming and Compiling

Customise and use the shell environment
Customise shell environments to meet users' needs. Set environment variables at login, or when spawning a new shell. Write bash functions for frequently used sequences of commands.
Keywords: ~/.bash_profile, ~/.bash_login, ~/.profile, ~/.bashrc, ~/.bash_logout, ~/.inputrc, function, export, env, set, unset

Customise or write simple scripts
Customise existing scripts. Write simple new shell scripts. Use standard sh syntax (loops, tests). Use command substitution. Test command return-values and file status. Conditionally mailing the superuser. The she-bang (#!) sign. Manage location, ownership, execution and suid rights of scripts.
Keywords: while, for, test, chmod (and file permissions in LPI 101)

6. Administrative Tasks

Manage users and group accounts and related system files
Add, remove, suspend and change user accounts. Manage groups. Change user/group info in passwd/group databases. Create special purpose and limited accounts.
Keywords: chage, gpasswd, groupadd, groupdel, groupmod, grpconv, grpunconv, passwd, pwconv, pwunconv, useradd, userdel, usermod, /etc/passwd, /etc/shadow, /etc/group, /etc/gshadow

Tune the user environment and system environment variables
Modify global and user profiles. Set up environment variables. Maintain the skel directory. Set command search path.
Keywords: env, export, set, unset, /etc/profile, /etc/skel
Configure and use system log files to meet administrative and security needs
Configure system logs. Manage type and level of information logged. Manually scan log files for notable activity. Monitoring log files: automatic rotation and archiving. Track down problems noted in logs.
Keywords: logrotate, tail -f, /etc/syslog.conf, /var/log/*

Automate system administration tasks by scheduling jobs to run in the future
Use cron or anacron to run jobs at regular intervals. Use at to run jobs once. Manage cron and at jobs. Configure user access to cron and at services.
Keywords: at, atq, atrm, crontab, /etc/anacrontab, /etc/at.deny, /etc/at.allow, /etc/crontab, /etc/cron.allow, /etc/cron.deny, /var/spool/cron/*

Maintain an effective data backup strategy
Plan a backup strategy. Automatically backup filesystems to various media. Dump a raw device to a file and vice versa. Perform partial and manual backups. Verify the integrity of backup files. Partially or fully restore backups.
Keywords: cpio, dd, dump, restore, tar

Maintain system time
Maintain the system time and synchronize the clock over NTP. Set the system date and time. Set the BIOS clock to the correct time in UTC, configuring the correct time zone for the system and configuring the system to correct clock drift to match the NTP clock.
Keywords: date, hwclock, ntpd, ntpdate, /usr/share/zoneinfo, /etc/timezone, /etc/localtime, /etc/ntp.conf, /etc/ntp.drift

7. Networking Fundamentals

Fundamentals of TCP/IP
Understand IP-addresses, network masks and broadcast address. Determine the network address, broadcast address and netmask when given an IP-address and the number of bits.
Network classes and classless subnets (CIDR) and the reserved addresses for private network use. It includes the understanding of the function and application of a default route. It also includes the understanding of basic Internet protocols (IP, ICMP, TCP, UDP) and the more common TCP and UDP ports (20, 21, 23, 25, 53, 80, 110, 119, 139, 143, 161).
Keywords: /etc/services, ftp, telnet, host, ping, dig, traceroute, whois

TCP/IP configuration and troubleshooting
View, change and verify configuration settings for various network interfaces. Manual and onboot configuration for interfaces and routing tables. Configure and correct routing tables. Configure Linux as a DHCP client.
Keywords: /etc/HOSTNAME or /etc/hostname, /etc/hosts, /etc/networks, /etc/host.conf (see DNS section), /etc/resolv.conf, /etc/nsswitch.conf (see DNS section), ifconfig, route, dhcpcd, dhcpclient, pump, host, hostname (domainname, dnsdomainname), netstat, ping, traceroute, tcpdump
Configure Linux as a PPP client
Understand the basics of the PPP protocol. Configure PPP for outbound connections. Define the chat sequence when connecting. Initialisation and termination of a PPP connection with a modem, ISDN or ADSL. Set up PPP to automatically reconnect if disconnected.
Keywords: /etc/ppp/options.*, /etc/ppp/peers/*, /etc/wvdial.conf, /etc/ppp/ip-up, /etc/ppp/ip-down, wvdial, pppd
8. Networking Services

Configure and manage inetd, xinetd, and related services
Configure services available through inetd. Use tcpwrappers. Start, stop, and restart internet services. Configure basic network services including telnet and ftp. Set a service to run as another user instead of the default in inetd.conf.
Keywords: /etc/inetd.conf, /etc/hosts.allow, /etc/hosts.deny, /etc/services, /etc/xinetd.conf, /etc/xinetd.log

Operate and perform basic configuration of sendmail
Modify simple parameters in sendmail configuration files. Create mail aliases. Manage the mail queue. Start and stop sendmail. Configure mail forwarding and perform basic troubleshooting of sendmail. The objective includes checking for and closing open relay on the mailserver. It does not include advanced custom configuration of Sendmail.
Keywords: /etc/sendmail.cf, /etc/aliases, /etc/mail/*, ~/.forward, mailq, sendmail, newaliases

Operate and perform basic configuration of Apache
Modify simple parameters in Apache configuration files. Start, stop, and restart httpd. Does not include advanced custom configuration of Apache.
Keywords: apachectl, httpd, httpd.conf

Properly manage the NFS, smb, and nmb daemons
Mount remote filesystems using NFS. Configure NFS for exporting local filesystems. Start, stop, and restart the NFS services. Install and configure Samba using GUI tools or direct edit of the /etc/smb.conf file. Sharing of home directories and printers, as well as correctly setting the nmbd as a WINS client.
Keywords: /etc/exports, /etc/fstab, /etc/smb.conf, mount, umount

Setup and configure basic DNS services
Configure hostname lookups and troubleshoot problems with local caching-only name server. Understand the domain registration and DNS translation process. Differences between bind 4 and bind 8 configuration files.
Keywords: /etc/hosts, /etc/resolv.conf, /etc/nsswitch.conf,
/etc/named.boot (v.4) or /etc/named.conf (v.8), named

Set up secure shell (OpenSSH)
Obtain and configure OpenSSH. Basic OpenSSH installation and troubleshooting. Configure sshd to start at system boot.
Keywords: /etc/hosts.allow, /etc/hosts.deny, /etc/nologin, /etc/ssh/sshd_config, /etc/ssh_known_hosts, /etc/sshrc, sshd, ssh-keygen

9. Security

Perform security administration tasks
Ensure local security policies. Configure TCP wrappers. Find files with SUID/SGID bit set. Verify packages. Set or change user passwords and password ageing information. Update binaries as recommended by CERT, BUGTRAQ or distribution's security alerts. Basic knowledge of ipchains and iptables.
Keywords: /proc/net/ip_fwchains, /proc/net/ip_fwnames, /proc/net/ip_masquerade, find, ipchains, passwd, socket, iptables

Setup host security
Set up a basic level of host security. Configure syslog, shadowed passwords. Set up a mail alias for root. Turn off unused network services.
Keywords: /etc/inetd.conf or /etc/inet.d/*, /etc/nologin, /etc/passwd, /etc/shadow, /etc/syslog.conf

Setup user level security
Configure user level security. Limits on user logins, processes, and memory usage.
Keywords: quota, usermod (see LPI 101)
Copyright (c) 2005 LinuxIT. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with the Invariant Sections being History, Acknowledgements, with the Front-Cover Texts being "released under the GFDL by LinuxIT".

GNU Free Documentation License
Version 1.2, November 2002

Copyright (C) 2000,2001,2002 Free Software Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.

0. PREAMBLE The purpose of this License is to make a manual, textbook, or other functional and useful document "free" in the sense of freedom: to assure everyone the effective freedom to copy and redistribute it, with or without modifying it, either commercially or noncommercially. Secondarily, this License preserves for the author and publisher a way to get credit for their work, while not being considered responsible for modifications made by others. This License is a kind of "copyleft", which means that derivative works of the document must themselves be free in the same sense. It complements the GNU General Public License, which is a copyleft license designed for free software. We have designed this License in order to use it for manuals for free software, because free software needs free documentation: a free program should come with manuals providing the same freedoms that the software does. But this License is not limited to software manuals; it can be used for any textual work, regardless of subject matter or whether it is published as a printed book. We recommend this License principally for works whose purpose is instruction or reference. 1.
APPLICABILITY AND DEFINITIONS This License applies to any manual or other work, in any medium, that contains a notice placed by the copyright holder saying it can be distributed under the terms of this License. Such a notice grants a world-wide, royalty-free license, unlimited in duration, to use that work under the conditions stated herein. The "Document", below, refers to any such manual or work. Any member of the public is a licensee, and is addressed as "you". You accept the license if you copy, modify or distribute the work in a way requiring permission under copyright law. A "Modified Version" of the Document means any work containing the Document or a portion of it, either copied verbatim, or with modifications and/or translated into another language. A "Secondary Section" is a named appendix or a front-matter section of the Document that deals exclusively with the relationship of the publishers or authors of the Document to the Document's overall subject (or to related matters) and contains nothing that could fall directly within that overall subject. (Thus, if the Document is in part a textbook of mathematics, a Secondary Section may not explain any mathematics.) The relationship could be a matter of historical connection with the subject or with related matters, or of legal, commercial, philosophical, ethical or political position regarding them. The "Invariant Sections" are certain Secondary Sections whose titles are designated, as being those of Invariant Sections, in the notice that says that the Document is released under this License. If a section does not fit the above definition of Secondary then it is not allowed to be designated as Invariant. The Document may contain zero Invariant Sections. If the Document does not identify any Invariant Sections then there are none. 
The "Cover Texts" are certain short passages of text that are listed, as Front-Cover Texts or Back-Cover Texts, in the notice that says that the Document is released under this License. A Front-Cover Text may be at most 5 words, and a Back-Cover Text may be at most 25 words. A "Transparent" copy of the Document means a machine-readable copy, represented in a format whose specification is available to the general public, that is suitable for revising the document straightforwardly with generic text editors or (for images composed of pixels) generic paint programs or (for drawings) some widely available drawing editor, and that is suitable for input to text formatters or for automatic translation to a variety of formats suitable for input to text formatters. A copy made in an otherwise Transparent file format whose markup, or absence of markup, has been arranged to thwart or discourage subsequent modification by readers is not Transparent. An image format is not Transparent if used for any substantial amount of text. A copy that is not "Transparent" is called "Opaque". Examples of suitable formats for Transparent copies include plain ASCII without markup, Texinfo input format, LaTeX input format, SGML or XML using a publicly available DTD, and standard-conforming simple HTML, PostScript or PDF designed for human modification. Examples of transparent image formats include PNG, XCF and JPG. Opaque formats include proprietary formats that can be read and edited only by proprietary word processors, SGML or XML for which the DTD and/or processing tools are not generally available, and the machine-generated HTML, PostScript or PDF produced by some word processors for output purposes only.
The "Title Page" means, for a printed book, the title page itself, plus such following pages as are needed to hold, legibly, the material this License requires to appear in the title page. For works in formats which do not have any title page as such, "Title Page" means the text near the most prominent appearance of the work's title, preceding the beginning of the body of the text.

A section "Entitled XYZ" means a named subunit of the Document whose title either is precisely XYZ or contains XYZ in parentheses following text that translates XYZ in another language. (Here XYZ stands for a specific section name mentioned below, such as "Acknowledgements", "Dedications", "Endorsements", or "History".) To "Preserve the Title" of such a section when you modify the Document means that it remains a section "Entitled XYZ" according to this definition.

The Document may include Warranty Disclaimers next to the notice which states that this License applies to the Document. These Warranty Disclaimers are considered to be included by reference in this License, but only as regards disclaiming warranties: any other implication that these Warranty Disclaimers may have is void and has no effect on the meaning of this License.

2. VERBATIM COPYING

You may copy and distribute the Document in any medium, either commercially or noncommercially, provided that this License, the copyright notices, and the license notice saying this License applies to the Document are reproduced in all copies, and that you add no other conditions whatsoever to those of this License. You may not use technical measures to obstruct or control the reading or further copying of the copies you make or distribute. However, you may accept compensation in exchange for copies. If you distribute a large enough number of copies you must also follow the conditions in section 3.

You may also lend copies, under the same conditions stated above, and you may publicly display copies.

3. COPYING IN QUANTITY

If you publish printed copies (or copies in media that commonly have printed covers) of the Document, numbering more than 100, and the Document's license notice requires Cover Texts, you must enclose the copies in covers that carry, clearly and legibly, all these Cover Texts: Front-Cover Texts on the front cover, and Back-Cover Texts on the back cover. Both covers must also clearly and legibly identify you as the publisher of these copies. The front cover must present the full title with all words of the title equally prominent and visible. You may add other material on the covers in addition. Copying with changes limited to the covers, as long as they preserve the title of the Document and satisfy these conditions, can be treated as verbatim copying in other respects.

If the required texts for either cover are too voluminous to fit legibly, you should put the first ones listed (as many as fit reasonably) on the actual cover, and continue the rest onto adjacent pages.

If you publish or distribute Opaque copies of the Document numbering more than 100, you must either include a machine-readable Transparent copy along with each Opaque copy, or state in or with each Opaque copy a computer-network location from which the general network-using public has access to download using public-standard network protocols a complete Transparent copy of the Document, free of added material. If you use the latter option, you must take reasonably prudent steps, when you begin distribution of Opaque copies in quantity, to ensure that this Transparent copy will remain thus accessible at the stated location until at least one year after the last time you distribute an Opaque copy (directly or through your agents or retailers) of that edition to the public.
It is requested, but not required, that you contact the authors of the Document well before redistributing any large number of copies, to give them a chance to provide you with an updated version of the Document.

4. MODIFICATIONS

You may copy and distribute a Modified Version of the Document under the conditions of sections 2 and 3 above, provided that you release the Modified Version under precisely this License, with the Modified Version filling the role of the Document, thus licensing distribution and modification of the Modified Version to whoever possesses a copy of it. In addition, you must do these things in the Modified Version:

A. Use in the Title Page (and on the covers, if any) a title distinct from that of the Document, and from those of previous versions (which should, if there were any, be listed in the History section of the Document). You may use the same title as a previous version if the original publisher of that version gives permission.
B. List on the Title Page, as authors, one or more persons or entities responsible for authorship of the modifications in the Modified Version, together with at least five of the principal authors of the Document (all of its principal authors, if it has fewer than five), unless they release you from this requirement.
C. State on the Title page the name of the publisher of the Modified Version, as the publisher.
D. Preserve all the copyright notices of the Document.
E. Add an appropriate copyright notice for your modifications adjacent to the other copyright notices.
F. Include, immediately after the copyright notices, a license notice giving the public permission to use the Modified Version under the terms of this License, in the form shown in the Addendum below.
G. Preserve in that license notice the full lists of Invariant Sections and required Cover Texts given in the Document's license notice.
H. Include an unaltered copy of this License.
I. Preserve the section Entitled "History", Preserve its Title, and add to it an item stating at least the title, year, new authors, and publisher of the Modified Version as given on the Title Page. If there is no section Entitled "History" in the Document, create one stating the title, year, authors, and publisher of the Document as given on its Title Page, then add an item describing the Modified Version as stated in the previous sentence.
J. Preserve the network location, if any, given in the Document for public access to a Transparent copy of the Document, and likewise the network locations given in the Document for previous versions it was based on. These may be placed in the "History" section. You may omit a network location for a work that was published at least four years before the Document itself, or if the original publisher of the version it refers to gives permission.
K. For any section Entitled "Acknowledgements" or "Dedications", Preserve the Title of the section, and preserve in the section all the substance and tone of each of the contributor acknowledgements and/or dedications given therein.
L. Preserve all the Invariant Sections of the Document, unaltered in their text and in their titles. Section numbers or the equivalent are not considered part of the section titles.
M. Delete any section Entitled "Endorsements". Such a section may not be included in the Modified Version.
N. Do not retitle any existing section to be Entitled "Endorsements" or to conflict in title with any Invariant Section.
O. Preserve any Warranty Disclaimers.

If the Modified Version includes new front-matter sections or appendices that qualify as Secondary Sections and contain no material copied from the Document, you may at your option designate some or all of these sections as invariant. To do this, add their titles to the list of Invariant Sections in the Modified Version's license notice. These titles must be distinct from any other section titles.
You may add a section Entitled "Endorsements", provided it contains nothing but endorsements of your Modified Version by various parties--for example, statements of peer review or that the text has been approved by an organization as the authoritative definition of a standard.

You may add a passage of up to five words as a Front-Cover Text, and a passage of up to 25 words as a Back-Cover Text, to the end of the list of Cover Texts in the Modified Version. Only one passage of Front-Cover Text and one of Back-Cover Text may be added by (or through arrangements made by) any one entity. If the Document already includes a cover text for the same cover, previously added by you or by arrangement made by the same entity you are acting on behalf of, you may not add another; but you may replace the old one, on explicit permission from the previous publisher that added the old one.

The author(s) and publisher(s) of the Document do not by this License give permission to use their names for publicity for or to assert or imply endorsement of any Modified Version.

5. COMBINING DOCUMENTS

You may combine the Document with other documents released under this License, under the terms defined in section 4 above for modified versions, provided that you include in the combination all of the Invariant Sections of all of the original documents, unmodified, and list them all as Invariant Sections of your combined work in its license notice, and that you preserve all their Warranty Disclaimers.

The combined work need only contain one copy of this License, and multiple identical Invariant Sections may be replaced with a single copy.
If there are multiple Invariant Sections with the same name but different contents, make the title of each such section unique by adding at the end of it, in parentheses, the name of the original author or publisher of that section if known, or else a unique number. Make the same adjustment to the section titles in the list of Invariant Sections in the license notice of the combined work.

In the combination, you must combine any sections Entitled "History" in the various original documents, forming one section Entitled "History"; likewise combine any sections Entitled "Acknowledgements", and any sections Entitled "Dedications". You must delete all sections Entitled "Endorsements."

6. COLLECTIONS OF DOCUMENTS

You may make a collection consisting of the Document and other documents released under this License, and replace the individual copies of this License in the various documents with a single copy that is included in the collection, provided that you follow the rules of this License for verbatim copying of each of the documents in all other respects.

You may extract a single document from such a collection, and distribute it individually under this License, provided you insert a copy of this License into the extracted document, and follow this License in all other respects regarding verbatim copying of that document.

7. AGGREGATION WITH INDEPENDENT WORKS

A compilation of the Document or its derivatives with other separate and independent documents or works, in or on a volume of a storage or distribution medium, is called an "aggregate" if the copyright resulting from the compilation is not used to limit the legal rights of the compilation's users beyond what the individual works permit. When the Document is included in an aggregate, this License does not apply to the other works in the aggregate which are not themselves derivative works of the Document.
If the Cover Text requirement of section 3 is applicable to these copies of the Document, then if the Document is less than one half of the entire aggregate, the Document's Cover Texts may be placed on covers that bracket the Document within the aggregate, or the electronic equivalent of covers if the Document is in electronic form. Otherwise they must appear on printed covers that bracket the whole aggregate.

8. TRANSLATION

Translation is considered a kind of modification, so you may distribute translations of the Document under the terms of section 4. Replacing Invariant Sections with translations requires special permission from their copyright holders, but you may include translations of some or all Invariant Sections in addition to the original versions of these Invariant Sections. You may include a translation of this License, and all the license notices in the Document, and any Warranty Disclaimers, provided that you also include the original English version of this License and the original versions of those notices and disclaimers. In case of a disagreement between the translation and the original version of this License or a notice or disclaimer, the original version will prevail.

If a section in the Document is Entitled "Acknowledgements", "Dedications", or "History", the requirement (section 4) to Preserve its Title (section 1) will typically require changing the actual title.

9. TERMINATION

You may not copy, modify, sublicense, or distribute the Document except as expressly provided for under this License. Any other attempt to copy, modify, sublicense or distribute the Document is void, and will automatically terminate your rights under this License.
However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.

10. FUTURE REVISIONS OF THIS LICENSE

The Free Software Foundation may publish new, revised versions of the GNU Free Documentation License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. See http://www.gnu.org/copyleft/.

Each version of the License is given a distinguishing version number. If the Document specifies that a particular numbered version of this License "or any later version" applies to it, you have the option of following the terms and conditions either of that specified version or of any later version that has been published (not as a draft) by the Free Software Foundation. If the Document does not specify a version number of this License, you may choose any version ever published (not as a draft) by the Free Software Foundation.

Index
A
apachectl 63
apropos 111
arp 43
at 106
atd 106
atrm 106

B
backup strategies 108
bootloaders
  1024 cylinders 20

C
chage 33
chattr 89
classless subnets 52
cron 103
crond 107
crontab 107

D
date 96
dd 110
depmod 3
dhcpcd 40
dhcpclient 40
dig 60
DNS
  /etc/named.boot 78
  /etc/named.conf 79
  dig 60
  DNS Configuration Files 78
  DNS zone files 79
  Hierarchical structure 78
  host 60
  Types of DNS servers 78
Dotted Quad 49
driftfile 98
dump 109

E
env 69
export 69
exportfs 73

F
Files
  /etc/hosts.allow 72
  /etc/aliases 62
  /etc/at.allow 108
  /etc/at.deny 108
  /etc/bashrc 80
  /etc/cron.allow 106
  /etc/cron.deny 106
  /etc/crontab 107
  /etc/dumpdates 109
  /etc/exports 73
  /etc/host.conf 77
  /etc/hosts 76
  /etc/hosts.deny 72
  /etc/inetd.conf 58
  /etc/inputrc 80
  /etc/issue 113
  /etc/issue.net 113
  /etc/localtime 98
  /etc/logrotate.conf 105
  /etc/mail/ 61
  /etc/motd 113
  /etc/named.boot 78
  /etc/named.conf 79
  /etc/networks 41
  /etc/nsswitch.conf 77
  /etc/ntp.conf 98
  /etc/ntp.drift 99
  /etc/ntp/drift 99
  /etc/ppp/ip-down 121
  /etc/ppp/ip-up 121
  /etc/printcap 125, 126
  /etc/profile 69
  /etc/resolv 76
  /etc/resolv.conf 38, 76
  /etc/security/access.conf 90
  /etc/security/limits.conf 90
  /etc/sendmail.cf 61
  /etc/services 55
  /etc/shadow 30
  /etc/smb.conf 75
  /etc/ssh 97
  /etc/sysctl.conf 39
  /etc/syslog.conf 103p.
  /etc/wvdial.conf 121
  /etc/xinetd.conf 59
  /lib/modules/ 2p.
  /proc/sys/net/ipv4/ip_forward 39
  /usr/share/man 111
  /usr/share/zoneinfo/ 98
  /var/log/httpd 63
  /var/log/messages 90
  /var/log/secure 90
  /var/log/wtmp 90
  /var/run/utmp 90
  /var/spool/at/ 106
  /var/spool/cron/<username> 107
  /var/spool/mail/ 62
  /var/spool/mqueue 62
  ~/.bash_profile 69
  ~/.bashrc 80
  ~/.forward 62
  ~/.inputrc 80
  $HOME/.ssh 97
  access.conf 63
  authorized_keys2 97
  httpd.conf 63
  id_dsa 97
  id_dsa.pub 97
  known_hosts 97
  modutils (package) 3
  srm.conf 63
  ssh_config 96
  sshd_config 96
find 90
ftp 71

G
gpasswd 29
groupadd 29, 32
groups 28

H
host 60
HOWTOs 112
hwclock 98

I
ICMP 54
id 28
ifconfig 39
inetd 58
info 112
init 17
init (boot parameters) 21
init.d 16
insmod 3
IP 54
ipchains 92
iptables 92

K
kernel build
  LILO 10
  make clean 6
  make config 7
  make dep 6
  make menuconfig 7
  make modules 8
  make modules_install 8
  make oldconfig 7
  make xconfig 7

L
last 90
libwrap 91
LILO 20p.
logger 105
logrotate 105
lpc 126
lpd 127
lp 127
lpr 127
lprm 127
lsmod 3

M
mail 62
man -k 111
Manpages 110
MANPATH 111
modinfo 3
modprobe 3
modules.conf 3
modules.dep 3
mpage 126

N
netmask 49
netstat 43
network address 50
News Groups 112
NFS 72
noexec 89
nosuid 89
NTP - network time protocol 98
ntpd 98
ntpdate 99

P
passwd 26
ping 42
portmap 73
PPP 54
pppd
  /etc/wvdial.conf 121
  chap-secrets 121
  chat 120
  minicom 119
  pap-secrets 121
  peers 121
  wvdial 119
pump 40

R
restore 109
rmmod 3
route 41

S
Samba
  smbclient 74
  smbmount 74
scripting
  $(( )) 85
  expr 85
  for loop 84
  if then 83
  until loop 84
  while loop 83
sendmail 62
sendmail.cf
  Cw 61
  Ds 61
  Fw 61
shutdown 18
socket 59
ssh 97
ssh-keygen 97
sshd 97
subnetting 52
subnets 52
sysctl 39
syslog.conf 103
syslogd 103

T
tar 108
TCP 54
TCP wrappers 71
tcp_wrapper 91
TCP/IP model (4 layer) 53
TCP/IP Suite 53
tcpdump 42
telnet 70
test 82
The Linux Documentation Project 112
traceroute 44

U
UDP 54
unset 69
useradd 26, 32
usermod 32

W
whatis 111
who 90

X
xinetd 59