This book is a Guide to UNIX and Unix-like operating systems, such as GNU/Linux and *BSD. Other systems like Mac OS X, Solaris, and OSF/Tru64 also belong in the list. Because of this book's incomplete state, it might be hard to find the chapter that you want. Edit this paragraph Guide to UNIX is incomplete. At Wikibooks, you can edit this book now. (If you are reading a mirror, then you can go to the editable version of this book.) Here are some suggestions for improvements: improve modules, add detail add modules, follow naming policy enforce neutral point of view, reduce bias provide graphics, follow image policy fix bad info, spelling, grammar put questions and comments on talk pages Contents [hide] 1 Structure of this book 2 Conventions 2.1 Shell prompt 2.2 Commands and files 2.3 Audience 2.4 Command links

[edit] Structure of this book After this introduction, there are three main parts of this book. The Why Unix-like page introduces the Unix system-like platform. The various Platforms such as BSD then highlight particular Unix-like distributions. This book needs to add more platform pages other than BSD and Linux. The Explanations section contains a list of various topics which introduce and explain the use and administration of Unix-like systems. For example, Explanations/Shell Prompt introduces the shell prompt, and Explanations/Filesystems and Swap explains the use of storage devices. Many of the sections are incomplete or missing, but this section is being expanded. The current division into six parts might need to be changed later. The Quick References chapters list the Environment Variables, Files, Commands. There actually is not much here except for the Commands section. [edit] Conventions This book uses (or will use) the following conventions. [edit] Shell prompt The shell prompt looks like: $ A root shell prompt (see Explanations/Becoming Root) looks like: # When the user types commands or other text, it appears in bold. The following is an example. The user typed the "cat" command and then several lines which the computer echoed. $ cat This is an example.

This is an example. ^D $ Control characters are written like ^D. This means to hold the Control key and press D. Note that some control characters sometimes do not appear on the screen. For example, the user typed ^D but no "^D" actually appears on the screen. [edit] Commands and files This convention might need improvement. Currently, a good example is Explanations/Shell Prompt. A command name is introduced in bold, like uname. Later, it is mentioned as "uname". In the future, the bold version might be a link to the command in Commands. Filenames usually appear like /dev/null and /etc/ssh/sshd_config. Entire commands look like ls /dev/null /etc/sshd_config or echo a1 a2 a3. Mentioning again the parts or arguments of these commands looks like "a1" and "a2". When introducing a new part (like a new option) not mentioned before, that looks like -r or -o loop. Text from files is also quoted, for example "# comment". [edit] Audience This is a proposed convention, because it is mostly unimplemented in this book. The book targets multiple audiences. Unix or non-Unix users seeking background Unix system users (background and user instructions) Unix system administrators (background and administrator instructions) To handle this, there might be some templates. {{Guide to UNIX:u}} begin user instructions {{Guide to UNIX:eu}} end user instructions {{Guide to UNIX:i}} begin administrator instructions {{Guide to UNIX:ei}} end administrator instructions

The operating system installed on many servers and some workstations is Unix-like. But what does it mean to be like Unix? In this book, a Unix-like system is one that is similar to *BSD, GNU/Linux, Solaris, and the original Unix. Today, Mac OS X also qualifies as a Unix-like system. Contents [hide] 1 General Concepts 2 The shell 3 The C language 4 The kernel and userland 5 Neutral point of view

[edit] General Concepts As opposed to the (point and click) (graphical user interfaces) familiar to the general computer user, work usually gets done in unix in a text-based way, through what's known as the (command line shell). As opposed to a (single-user) operating system which permits computer usage only by one person at one particular time, unix is a multi-user) system, that allows access of multiple users to the computer simultaneously. Normally this is achieved by having the users access the system (remotely), through digital networks.

Whether accessing (remotely) or not, users need a (user account) before being granted access to the system; for the purposes of accounting, security, logging and resource management. Since each particular user account has varying degrees of control over the system and its resources, having the ability to verify the true identity of a given user is crucial, so a method exists that verifies each user account (username) against a corresponding (password); in a process known as (logging in). All Unix-like systems are similar. As with many operating systems for servers, the Unix-like systems can host multiple users and programs simultaneously. Some features are specific to Unix-like systems. The Unix-like systems provide a common command line interface called the shell. They also provide a common programming interface for the C language. The latter fact allows most Unix-like systems to run the same application software and desktop environments. Unix is popular with programmers for a variety of reasons. A primary reason for its popularity is the building-block approach, where a suite of simple tools can be streamed together to produce very sophisticated results. Another reason is the philosophy that 'everything is a file', which means that a standardized set of operations and functionality can be performed on different file types (directories vs. regular files), hardware devices, and even system processes. [edit] The shell Wikipedia has more about this subject: Unix shellThe shell is a program unique to Unix-like systems. It lets you type commands to launch other programs. When you login to the system through a text-only terminal, Unix gives you a login shell. If your system has a graphical user interface such as GNOME, KDE, or anything that uses X Window System, you can access the shell through a program called a console emulator or terminal emulator. This emulates the text-only terminal that the shell requires for running. Unfortunately, the shell and the commands are hard to learn. Further, many commands require "arguments" to work. For example, the rm command, which removes files, needs one or more "arguments" naming the files to delete. This book has a Explanations/Shell Prompt chapter which introduces the shell and its many features. One can automate tasks by saving shell commands in a text file called a shell script. For example, shell scripts are used to boot the system. The Unix shell is unique to Unix-like systems. Actually, there are multiple shells available for Unix. These shells extend their features in different ways. For the "Bourne-compatible" shells, there is a book in Wikibooks,Bourne Shell Scripting, to describe them. Most shell scripts are for Bourne-compatible shells. [edit] The C language Unix is the origin of the popular C language. Every program on the computer links to the C library which provides basic system features including access to the kernel. Even if an application is written in another language, like C++, it still links to the C library. An interpreted language like perl needs a perl interpreter linked to the C library. This dependence on C can be a disadvantage. Most Unix-like kernels are written entirely in C; most common programs use C, C++ or Objective-C. It is difficult to add code to these programs in another language such as Fortran. In contrast, some non-Unix systems allow different programming languages to interact more easily. This book does not describe how to program with C; that is the job of the book Programming:C. However, planned additions to this book will describe how to build and run Unix programs when you obtain their C source code.

[edit] The kernel and userland Wikipedia has more about this subject: kernel (computer science)Wikipedia has more about this subject: userlandEach Unix-like system has a kernel. This program controls the computer hardware. All other programs on the system are part of userland, which means outside the kernel. The kernel shares the system between all running userland programs. To use the keyboard, the network connection, or another part of the hardware, a userland program must contact the kernel using system calls. The kernel allows multiple programs to share the hardware safely. It also switches programs in and out of the processors; thus it is a "multitasking" kernel. For example, a web server like Apache, through the kernel, can simultaneously make multiple network connections to multiple web browsers. The same computer might also be running other server programs. As another example, a user on desktop system (with GNOME or KDE, for example) can simultaneously open multiple windows containing file managers, word processors, and games. While the file manager copies files and the word processor prints a document, the user can play a Tetris clone at the same time. However, though some non-Unix kernels do not provide these features, there are some to do. Both of the previous examples are possible with Windows in the place of Unix, Apache, GNOME, and KDE. Today, a very popular kernel is Linux. Linux qualifies as free and open source; even if Linux is running a server for millions of users, there is no licensing fee. Linux is combined with GNU to form the UNIX-like operating system, GNU/Linux (Although on very rare occasions it isn't combined with GNU). Thus, an easy way for a home user to obtain a Unix-like system is to install a GNU/Linux distribution that includes GNOME (pronounced "guh-nome", not "nome") or KDE (Although very old machines might not have the resources to run GNOME or KDE). When we want to configure the network connection, disks, or other parts of the hardware, we must often use special utility programs that configure the running kernel. Some of those programs are described in this book.

Linux® is an open source, Unix®-like kernel and operating system. The author of the kernel itself is Linus Torvalds, plus a loosely-knit team of programmers who enhance it in a collaborative effort over the Internet. This page provides a brief overview the main features of the Linux kernel and system, especially in comparison to other Unix-like systems. There are several other Wikibooks about Linux with more information. Contents [hide] 1 General 2 Kernel 3 Userland 4 Links to more information 4.1 Wikibooks for Linux 4.2 External Links 4.3 Distribution Related

[edit] General After Linus Torvalds suggested a penguin, Larry Ewing (lewing@isc.tamu.edu) used The GIMP to draw this popular image of Tux, the Linux mascot. Tux is now also the hero of some Linux games. In

A Neutral Look at Operating Systems has a comparison of Linux systems. such as device drivers and network protocol implementations. C library. [edit] Kernel Copyright license: The Linux kernel and its source code are released under the GNU General Public License. and even the Linux kernel configuration. X11. Both kernel and userland maintain extra compatibility so that one can update only the kernel. One can also inexpensively purchase a Linux distro as a retail package. However. and thus GNU encourages users to use Linux kernel. which makes them "GNU slash Linux" distributions. and unload when not used. the Linux distro vendors take care of making updates install correctly. is one of the many available Linux distributions. never worked well. the kernel is maintained at least with the basic set of utilities. Both the Linux kernel and some userland software. core commands. or requiring one to buy licenses. you can redistribute your modified version. C compiler and build tools for a Unix-like system. Some distributions have different target audiences: these might be home users. load on demand. Nearly every Linux distribution uses these programs. assembler.Guide to UNIX. Packages: A complete GNU/Linux operating system uses many free software (open source) packages from the BSD. Typically. /dev is often a dynamic filesystem where device nodes appear and disappear dynamically. which means you must provide source code. Many systems have multiple versions of Linux headers installed. which would include the shell.Mascot: The official mascot of Linux is Tux. free software supporters. in /usr/include/linux-version. . In fact. Most builds of Linux use modules aggressively (though use of modules is optional). Each distro decides which packages to provide. need these. when modules load or unload or when devices are connected or disconnected. In general. Special filesystems: Linux has some special filesystems which are not used for normal files. One can download them as a raw disk image in ISO format and burn it. and linker. hobbyists. their kernel. or only some userland package like the C library. the installation procedure. /usr/include/sys would sometimes have files used shared by the kernel and userland. and system boot scripts. Customizable kernel: Linux is probably the most customizable Unix-like kernel. *BSD and Mac OS X. like Linux. /sys holds other information about the running kernel. With most other Unix-like systems. and other projects. Live CDs or DVDs allow users to boot from a disk and run Linux using a RAM disk rather than a hard disk. but it is not as important as with Linux. Other Unix-like systems sometimes provide /proc. depend on the GNU C compiler. On non-Linux systems. However. to reside in separate files. such as the C library. But with the exception of the GNU C library and core commands. enterprise users. but you must use the same license. Modules allow pieces of the monolithic kernel. Many of the userland packages also use this license. or users of certain applications. Wikipedia has a list of Linux distributions. /proc holds information about running processes. "tux" has an account on the example machines. The GNU project always insists on providing their packages as free software. If you modify Linux or another package using this license. GNU. the preferred desktop environment. Every Linux vendor provides Linux source code. [edit] Userland GNU project: The GNU (GNU's Not Unix) project created the shell. many GNU tools and applications are also found on other Unix-like systems. Hurd. Linus Torvalds and his team can worry about the kernel (and userland programs which query and configure the kernel) and let other teams develop the userland system separately. A Linux distribution (or 'distro' for short) is a bundle of the Linux kernel and applications and a suite of programs for installing and maintaining a Linux system. distributions are in CD or DVD form. There are also non-free packages without source code. system configuration utilities. There are even several ways to edit the kernel configuration before building the kernel. Separate development: The Linux kernel is developed and maintained separately from userland. the Linux penguin. C compiler. Distributions: The Linux system that you actually obtain. Programs that use /proc often have trouble with ports to nonLinux systems. shell utilities. you can also just have /dev contain static device nodes like on other Unix-like systems. There is much variation between distributions concerning the available packages. and run. using licenses like the GNU General Public License. install.

Text editors: Most distros provide the traditional Unix editors "vi" and "emacs". This is in contrast to some Linux distros and most *BSD distros which drop you at a root shell prompt. but help the system administrator make customisations and optimisations.1 Root shell prompt 3 The basics of using the shell 3. it is a shell surrounding all other programs being run. such as Gentoo. /lib: The directory /lib exists on Linux and holds libraries needed by /bin and /sbin because /usr might not be mounted. These might be separate chapters under Guide to Unix/Explanations. but some install neither by default. PART 1: COMMAND LINE. UNIX/EXPLANATIONS/SHELL PROMPT The shell prompt (or command line) is where one types commands.1 Using the TTY device 1. When accessing the system through a graphical environment such as X11. TODO Find places to introduce pagers. Contents [hide] 1 Finding a shell prompt 1. both based on X11 window system) immediately after installation.2 Opening a terminal emulator 1.2 Editing Commands 3.3 The current/working directory .1 Arguments and Options 3. Both application packages and base system packages use this system. GNOME or KDE if you want it. emphasise building from source. or Portage. /usr: Stuff provided by your Linux distro often becomes installed in /usr instead of /usr/local. "rpm" (Red Hat Package Manager). Graphical user interface: Many of the popular Linux distros now boot the user straight into a desktop environment (GNOME or KDE.3 Using SSH to access a remote shell 2 Appearance of the prompt 2. redirects. Package management: Most distros provide a package management system such as "apt" (Advanced Package Tool). This chapter describes how to find a shell prompt and start using it. This frees /usr/local for packages which your Linux distro does not provide. The package manager is often the biggest difference between distros. Though every Linux distro with a compiler gives one the opportunity to rebuild the Linux kernel and other packages from source. pipes. and expect you to use the root shell prompt to install X11. it remains possible to open a terminal emulator and do useful work with the shell. these source distros provide scripts that not only automate the process. When accessing the system through a text-based terminal. Traditional Unix skills for text editing are not necessary when GNU "nano" is the installed non-X11 editor. the shell is the main way of accessing programs and doing work on the system. These automate the installation and upgrade of packages. Source distros: Some Linux distros.The GNU project also has a connection to the desktop environment called GNOME (GNU Network Object Model Environment). Even "ed" could be missing. and some basic file managing commands. In effect.

That is. but simply use TTY device. [edit] Using the TTY device Unix systems can use TTY devices for a shell. such as: . Most setups either start you with an xterm or two when you login. GNOME provides a terminal emulator somewhere in the Programs menu. try xterm. To get back to The X Window System. For example. The first line looks like login: Type your username at this prompt. then go to Enlightenment>Eterm. go to the Applications folder on your hard disk. or KDE) and a terminal emulator. or provide a menu from which you can start an xterm. This gives a shell. If you right click on an empty part of your icon panel. sometimes also use GUI and get to a TTY device with Ctrl+Alt+F[number] (most GNU/Linux systems allow 1-6 for [NUMBER]). It appears as a window in the graphical environment and allows access to the shell prompt. right click on the desktop. provide a menu bar to configure the terminal. and double-click the icon for the Terminal program. use /Applications/Utilities/Terminal. [edit] Appearance of the prompt The shell prompt normally ends in a $ sign. They do not use GUI. use Ctrl+Alt+F[number 1 higher than the number of TTY devices]. Using Enlightenment 17. [edit] Using SSH to access a remote shell The ssh program is a secure way to connect to a shell account on a remote server.4 Finding help for commands 5 Continue [edit] Finding a shell prompt People get shell prompts in different ways. like other graphical programs. You may want to keep the Terminal icon on your Dock. On Mac OS X. Most terminal emulators. some people prefer white text on a black background. See the chapter on Connecting to Remote Unix. such as: They use a graphical environment (such as Aqua. then type your password. GNOME. its menus can be found by holding the Control key and clicking with each of the three mouse buttons. xterm is more difficult to configure. [edit] Opening a terminal emulator A terminal emulator (or console emulator) is a program that emulates the terminal hardware that early users traditionally used to login to Unix. For simplicity. KDE provides a Terminal Program (Konsole). and to the Utilities folder inside it. you can Add an Application Button for the terminal. There are several ways to open a terminal emulator: With The X Window System. The server must be running the sshd servers software to accept the connection. the examples in this book use a shell prompt like this: $ Some older shell prompts end in % instead: % The C shell sometimes uses > instead: > Several shells have prompts that give more information. they allow you to change the font and colors. You can find it in the K Menu > System menu.

root shell prompts look like this: # [edit] The basics of using the shell [edit] Arguments and Options When you enter a command. the shell: searches through its builtin commands for the entered command. The "/var" in this case is an argument. we'll be using the command ls.2 root authpf 512 Mar 20 2005 authpf .. Arguments are separated by whitespace. It starts its search with the first directory listed in PATH. most systems change the shell prompt to end with #. Here is an example (read it as "el es dash one slash var"): $ ls -l /var drwxr-xr-x 2 root wheel 512 Mar 20 2005 account drwxrws--. use these special characters in the variables $PS[1-4]. In this book. but for many commands. drwxr-xr-x 2 root wheel 512 Jun 11 02:09 yp Note that these commands require that options come before other arguments. "ls". The root account is allowed to do anything (delete or change any file) so the # is a reminder of the power of the prompt.localhost:puffy {1} You can also customize your shell prompt. $PS1 is what you usually see and $PS2 is what you see when you are doing a multi-line command with a backslash ('\'). This command lists the contents of /var (which may differ on your computer): $ ls /var account backups db lib msgs run tmp audit crash empty log named rwho www authpf cron games mail quotas spool yp The first word.2 root wheel 512 Mar 20 2005 audit drwxrwx--. usually one space. it tells ls what to list. Each command decides what is an option. For bash. see the chapter on Becoming Root. Looks in the directories in enviornment variable PATH for the entered command. the shell does a few things in this order (if it succeeds. In this case. For more see the manual. the program /bin/ls is run. For example. the following does not work (unless you have a file or directory called -l): $ ls /var -l ls: -l: No such file or directory /var: account backups db lib msgs run tmp audit crash empty log named rwho www . Never copy/type the shell prompt used in this book.. For examples. There are some special arguments called options. is the name of the program or command built into the shell to run. If the command is not an absolute path. options with only one hyphen to start usually are short for a more descriptive option that starts with two hyphens and some that start with two hyphens don't have shorthands. Avoid using the # prompt when necessary. it executes the found command): The shell checks if the command is an absolute path (such as /bin/ls) and if that path is an executable file. [edit] Root shell prompt If you become root or login as root. which lists files and directories. The shell will always give you a prompt if it is ready to accept commands. then the second and so on.

Ctrl+N.. The most common pagers are less and more. which means "end of options".authpf cron games mail quotas spool yp Exception: on systems with the GNU C library (GNU and GNU/Linux). then use the right arrow to move the cursor to the right to delete the "-l". and Home keys are useful. $ ls -l /etc/passwd /etc/profile But how do we know what the "ls" command does? Most Unix-like systems provide online manual pages for each command. we press Return to run the command as normal. so ls /var -l is the same as ls -l /var. would take you up one level. cd ~ would take you to your home directory. These let the user type space bar to scroll down and 'q' to quit the pager. Although many shell prompts have the current directory's name or the end of the current directory's name right in the prompt (like '[user@localhost ~]$'). End. For example. This is nice for users who forget to type some option. many programs (not all of them) will automatically treat the options as if they were in the front. For example.-l -l [edit] Editing Commands If the shell has command-line editing. "/etc/passwd". After this. . cd . "ls" is the command name. $ cd /etc $ pwd $ ls passwd profile [edit] Finding help for commands The first word of the command is the name of the command. then the arrow. For example./etc/passwrd /etc/profile We can press the Home key to move the cursor to the beginning of the line." The syntax is cd followed by the pathname. and cd ~ followed by a username would take you to that user's home. What if there really is a file called "-l"? Then it must be specified that "-l" is not an option. and "-l". you can use the command pwd to Print the Working Directory. $ ls -. These previous lines are not run again unless the user presses Return. Ctrl+F. One does this using the "--" argument. If the arrow keys are broken. then the Control Emacs navigation keys (Ctrl+B. [edit] The current/working directory Use cd to change the directory you are "in. like this: $ ls -l /etc/passwd /etc/profile But we typed: $ ls l. (This will not work in many non-shell programs that lack command line editing!) Shells with history features allow using the up arrow to recall previous commands to the shell prompt. and "/etc/profile" are the arguments. Ctrl+E and Ctrl+A) also work in most shells. This is why it is inconvenient to have filenames start with hyphens. The left and right arrows allow the user to move the text cursor to edit the command and the Home and End keys allow the user to move the to the beginning or end of the line. cd /bin would take you to the /bin directory (located in the directory you are currently in). The down arrow returns down the list. we want to list some specific files. $ man ls This opens the manual page in a program called the pager. or you actually find some keyboard without arrows. in the following command. Ctrl+P.

2. the manual pages are often not useful for persons who know almost nothing about the commands.1 Single quotes 2.2 Paired quoting characters 2. or hash) $ (dollar sign) ` (tick) ~ (tilde) { and } (braces or curly brackets) ( and ) (parentheses) * (asterisk.1 * and ? 3. UNIX/EXPLANATIONS/QUOTING AND FILENAME EXPANSION Contents [hide] 1 Special characters and substitution 2 Quoting 2. The chapter on Commands will help.However.3 Curly brackets expansion [edit] Special characters and substitution The shell recognizes several special characters. This command simply echoes its arguments (including any changes made to the arguments by the shell). However. we need the echo command. All options except "-n" are ignored. pound sign. many Bourne and non-Bourne shells also make special the exclamation point. it does something more complex than simply running the command that you typed. The following are the special characters: \ (backslash) " (double quote) ' (single quote) # {number sign.2 When expansion fails 3. $ echo -lnQ arg1 arg2 arg3 . The section Guide to UNIX/Commands/Getting Help contains strategies for how to use man and the other help tools effectively.1 Backslash 2.2 Double quotes 3 Filename expansion 3. when parts of the command are replaced with other text. star or splat) ? (question mark) < (less than sign) > (greater than sign) & (ampersand) | (pipe) . To test substitution.2. which saves you work when typing longer filenames and lists of filenames. Some special characters trigger substitution. One common form of substitution is filename expansion. (semicolon) ! (exclamation point or bang) They are all special characters in the Bourne shell. When the shell sees special characters. except for the exclamation point.

\ [edit] Backslash A backslash (\) simply stops the shell from thinking that certain characters are special. [edit] Paired quoting characters Paired characters affect whatever is between them. * matches 0 or more characters. In the example.-lnQ arg1 arg2 arg3 [edit] Quoting Quoting is used to preserve the literal meaning of special characters. For example. or backslash. even with a preceding backslash. The shell searches for existing files that match the patterns and does a subsitution. double quote. These characters are used for filename expansion: *?{} [edit] * and ? The shell globbing characters of * and ? are used to form patterns. /etc/ss* means all of the files inside the /etc directory which begin with the letters ss. single quotes were used to prevent the * from expanding. The results may differ on your system. as separate arguments. The echo command demonstrates the substitution. Now commands that want special shell characters for input will work. use two backslashes in a row. In the example. but don't preserve the literal meaning of $. [edit] Filename expansion The filename expansion is used in avoiding the typing of long lists of files. the files are separated by spaces. and `. \ when followed by a dollar sign. $ echo /etc/ss* . [edit] Single quotes Single quotes perserve the literal meaning of everything except single quotes. In the example above. which will be refered to in the rest of this section (there are many unnecessary things in this which you should find after reading this section. To print a backslash. it was used to print literally the doublequote character. \\ There is "a small possibility" that /etc/*tab are not text and a backslash will not be printed after this. but are used for the sake of example): $ echo There is \"a small possibility\" that '/etc/*tab' are " not " text and a backslash will not be printed after this. except / ? matches any 1 character except / When more than one file is matched. [edit] Double quotes Double quotes are like single quotes. Note single quotes can't be within single quotes. tick. double quotes were used to preserve the literal meaning of spaces. depending on what files you have. Here is an example of several types of quoting.

a} zyxwvutsrqponmlkjihgfedcba Unix/Explanations/Pipes and Job Control Pipes and Redirects We can connect standard input. Suppose that in the machine on the example above. The shell substituted those names for /etc/ss*. Here is an example of the ? character at work: $ ls /etc/ssh/ssh_host_???_key /etc/ssh/ssh_host_dsa_key /etc/ssh/ssh_host_rsa_key [edit] When expansion fails Sometimes.. In this case.cnf Notice how the * saved typing. Now here is something more useful. we make a mistake and typed /etc/sss* which matches nothing.cnf private x509v3. because * never matches /. the shell does not give an error. no files are found. but only one can be in the foreground. Then the shell would do no substitution: $ echo /etc/sss* /etc/sss* [edit] Curly brackets expansion The curly brackets help when typing several similar arguments. Though /etc/ssh/ssh_config exists on many systems. The filenames do not need to actually exist.pub sshd_config ssh_host_dsa_key.pub ssh_host_rsa_key /etc/ssl: lib openssl. The other commands can be in running at the background or suspended. $ ls /etc/ss* /etc/ssh: ssh_config ssh_host_key ssh_host_rsa_key.pub ssh_host_dsa_key ssh_host_key. and error of commands to other commands or to files. [edit] Job Control You can run multiple commands at once. . it simply does no substitution. it appeared not above. If we did ls /etc/s*.reboot} /bin/ls /bin/mv /bin/cp /sbin/halt /sbin/reboot You can also use them to print the alphabet (or numbers): $ echo {z.ssnakes} /etc/ssh /etc/ssl /etc/ssssnakes They are very useful for long lists of files in the same directories: $ echo /bin/{ls./etc/ssh /etc/ssl The echo command did this because it thinks that you ran echo /etc/ssh /etc/ssl.mv.l. we would probably save much typing. output.cp} /sbin/{halt. especially filenames. Example: $ echo /etc/ss{h. We will combine filename expansion with the ls command. when using * or ?. We will use substitution with a command other than "echo".

it has a builtin ftp client!) Though the Z shell is almost Bourne-compatible. you might benefit by using bash or ksh to get Bourne-compatibility and POSIX features. The Z shell boasts extra and unusual features that make it the prefered shell of many. which sometimes resembles slightly the C programming language. [edit] C shell BSD introduced the C shell. Some users still prefer the C shell. Many of the features were later added to the Bourne-compatible shells (except old copies of sh). this guide will describe the Bournecompatible shells. it is probably installed on Linux. though zsh is capable of masquerading as a Bourne shell when so instructed. ksh is one of the three: Public domain ksh (pdksh) is Bourne-compatible and mostly POSIX-compatible. the Z shell. When these features work differently in C shell and Bourne-compatible shells.4 Temporarily using a different shell 1. The shell tcsh is csh with more features. These are the Bourne-compatible shells: sh is the original Bourne shell. Mac OS X 10. this is an old shell without the POSIX features. One must pay a license fee to use it. [edit] zsh There are alternative shells such as zsh. On some systems though. but they have different features. mostly POSIX-compatible. [edit] Temporarily using a different shell . mksh is the MirBSD enhanced version of the Public Domain Korn shell (pdksh) dash is a POSIX compliant shell that is much smaller than bash. and can also be installed on non-Linux systems. bash is the GNU Bourne-again shell. If csh or tcsh is your default shell. (For example. On many non-Linux systems. It has all of the features of pdksh. If it is not the default. Thus bash and ksh (or even csh and tcsh) are better choices than sh.4 includes it. and you are not aware of the differences between shells. plus the ksh93 version has several interesting extensions. If you are beginning.2 C shell 1. POSIXcompatible shell such as bash or ksh. These shells are NOT Bourne-compatible.1 Bourne-compatible shells 1. different from bash. then you probably want to start with a Bourne-compatible. sh is really the same as bash or ksh. This shell is csh. It is Bourne-compatible. It is the default on most Linux systems.Unix/Explanations/Choice of Shell Contents [hide] 1 Choice of shell 1.3 zsh 1.5 Permanently changing the default shell 2 Advanced Bourne shell topics [edit] Choice of shell [edit] Bourne-compatible shells All Unix shells are similar. AT&T ksh is a commercial shell. and has other useful extensions. it differs in enough ways that its default behaivour is not Bournecompatible.

in which case other programs later started by that program also have a changed environment.. The environment of a program can change. With piping. [edit] Process limits Each process has limits on the following. Shells are normal programs. Using printenv with no arguments gives the entire environment: $ printenv . one can connect the standard input and output of commands to files. This is one of the main strengths of Unix. If you only read one chapter. but the default shell is always in "SHELL".org/wiki/Guide_to_Unix/Explanations/Choice_of_Shell" UNIX/EXPLANATIONS/ENVIRONMENT [edit] Environment Variables Every program inherits "environment variables" from the program that started it. The environment variable called SHELL contains the name of the default shell.. See Environment Variables to learn about specific variables. you might want to use a different shell such as ksh or bash. This guide does not describe them because the Wikibook for Bourne Shell Scripting already has several useful chapters: Bourne Shell Scripting/Redirection describes redirection and piping. and then start the program from that shell. SHELL=/bin/bash . The SHELL environment variable will still contain the default shell. Each shell provides a different way to set limits: Bourne shell uses the ulimit command while C shell uses limit. The normal way to set limits is to change the limits of some shell.) The "SHELL" environment variable is set during login and inherited by the shell. Bourne Shell Scripting/Loops has a useful section on "for loops" which allow the same commands to run repeatedly with different arguments each time.wikibooks. With redirection.. including "SHELL". Bourne Shell Scripting/Substitution shows how the special character $ allows one to embed the values of parameters or the results of commands into the arguments of commands. The exit command will return you to the first shell. and can be run easily. . When we started the "printenv" program. one can connect commands into useful chains. it inherited the entire environment. tcsh> printenv SHELL /bin/tcsh tcsh> bash bash$ printenv SHELL /bin/tcsh bash$ exit exit tcsh> [edit] Permanently changing the default shell $ chsh [edit] Advanced Bourne shell topics There are some important features in the Bourne-compatible shell. Retrieved from "http://en. Limits are inherited from the parent process. (You might be running some other shell. read this one. and showed "SHELL" to us..If you do not like the shell that you are using. This means that each program has the same environment variables as the program that started it.

Tux wants to connect to an account (username tux) on the computer "linux.example.example. For example. This command is often OpenSSH.) [edit] Using SSH from a Shell Prompt To connect to one Unix-like system from another.edu tux@linux.edu tux@linux. specify the name of the server and your username.edu's password: . The server must be running the sshd server software to accept your connection. Scenario: A program crashes with a message about "resource temporarily unavailable" or "too many open files". you can the ssh shell command. to allow 512 open files per process: Bourne shell $ ulimit -Sn 512 C shell $ limit openfiles 512 UNIX/EXPLANATIONS/CONNECTING TO REMOTE UNIX If the shell prompt is on a remote server. so specifying the port is not necessary. core dump size might be covered in a chapter on crashing. Explain what these limits do or refer to another chapter of this book. * cputime ("-t SECONDS") * filesize ("-f BLOCKS") * datasize ("-n KILOBYTES") * stacksize ("-s KILOBYTES") * coredumpsize ("-c BLOCKS") can also accept "unlimited" instead of BLOCKS * memoryuse ("-m KILOBYTES") * memorylocked ("-l KILOBYTES") * maxproc ("-p COUNT") * openfiles ("-n COUNT") TODO Explain how to use "limit" or "ulimit -S" to set limits.The following is the list of available limits. All that is required is that you trust the computer that you connect from and the server where your account is located. The SSH protocol encrypts your connecting to prevent spying and stealing of passwords. given with their C shell name ("Bourne shell option"). Raise the limits in the shell from which you start the program. ssh is the most common way to access it.example.edu": $ ssh tux@linux. (Be careful with ports 1024 and higher because these are controlled by users. For example. open your SSH client. than specifying the username is optional: $ whoami tux $ ssh linux.example. For example. To connect.edu's password: If Tux has the same username on the local computer.example. Most servers use the default port 22. not the system administrator. We need the name ("option") to show or change the limit in the C ("Bourne") shell. a popular SSH implementation from OpenBSD. Explain the danger of reducing hard limits.

it also checks /etc/crontab file for any modifications in time stamp of the file. You will be alerted if an attacker steals your connection.4)' can't be established. cron deamon will catch it and ultimately stop executing scheduled jobs in crontabs . Every time cron deamon wakes up to check crontab files. When you say 'yes'.example.example.edu" reach the same computer (or cluster). CRON description : When you start cron deamon.2. Are you sure you want to continue connecting (yes/no)? If you are reasonably sure that you connected to the correct computer (an attacker on the Internet might steal your connection to learn passwords) than you can answer 'yes' and add linux. you saw a message similar to the following: The authenticity of host 'linux. Thus. In order to have cron deamon continue running scheduled jobs.edu changed its key and you recognize the key.3.3. root. Information of schedules is contained within crontab file (which is different and individual for each user).example. RSA key fingerprint is a4:3d:fe:10:7e:45:2b:29:d0:fe:ed:ba:a3:21:66:a1. For root automated schedule (cron) login as root first. or individual users. which executes jobs (scripts) which are scheduled by system.edu to the list of known hosts.this is how to stop cron deamon.example. it searches for crontab files. When you simply 'touch' /etc/crontab file. crontab -l : Displays cron schedule of a user running this command from. which are user named account names in /var/cron/tabs directory. Cron deamon wakes up every minute and checks for any jobs scheduled to be executed in crontab files.wikibooks. . /usr/sbin/cron & : Starts users cron deamon.4' (RSA) to the list of known hosts. you get a message such as: Warning: Permanently added 'linux.org/wiki/Guide_to_Unix/Explanations/Connecting_to_Remote_Unix" PART 2: COMMON PROGRAMS UNIX/EXPLANATIONS/SCHEDULING JOBS CRON: Cron is an automated scheduler in UNIX/Linux Systems. ps -e |grep cron : Displays status of cron deamon if running.example.edu (1. which is executed by cron deamon).example. This means that your SSH client "knows" linux.1. if you know that linux. you need to restart it (bouce it). Retrieved from "http://en.edu.edu changes its key. but also if linux. It will verify that future connections to "linux. Some SSH clients also allow you to say 'yes' to one session only.edu.2.[edit] Accepting the Key Fingerprint The first time you connected. then add jobs to crontab file (crontab is per user specific configuration.example. then you can ignore the alert. which it keeps track and records.

Other readers will only know about word processors. GEdit from GNOME. A line in crontab file (below) removes all files in /home/me/tmp directory. The approach of this chapter is to introduce the earliest Unix text editors and progress to the Notepadstyle editors. each day at 6:30 PM. which are like text editors. TextEdit (in unstyled text mode) from Mac OS X. or KEdit or KWrite from KDE. The early editors lack many common features of editors. Text editors only deal with sequences of text characters. (Use of wildcard * allowed) 30 18 * * * rm /home/me/tmp/*</nowiki> UNIX/EXPLANATIONS/INTRODUCTION TO EDITORS The Introduction to Editors briefly introduces the reader to the common Unix text editors and provides links to more information. . Contents [hide] 1 The need for a text editor 2 ed 3 vi 4 vim 5 emacs 6 Word wrap [edit] The need for a text editor One who uses the command line. can still create text files using the cat tool and the shell redirection feature. promoting the common keyboard and preserving a more perfect docmument for all. $ cat > newfile We the people. Many readers will be familiar with text editors that have graphical user interfaces similar to Notepad from Windows. but have additional features for applying style and layout to the text. but knows not how to use a text editor. do ordain and establish three lines of text.[edit] CRONTAB file (Example): crontab -l : Enter this command to display user crontab file schedule for a logged in user. all in the same font.

$ ed newfile 139 . roughly translated. We type a command . opening files. If we forget "w". is that for every line in the file (". "w" to write the buffer back into newfile on disk. (Users of graphical user interfaces such as X11 have an advantage: they can use the mouse to copy and paste the text before "docmument". but that requires retyping the entire file. Observe what happens when one starts "ed". Here. $ ed newfile 139 A number (here "139") appears. promoting the common keyboard and preserving a more perfect docmument for all. we use a command 2s/docmument/document. For line "2". The "139" indicates that "ed" read in 139 characters that are now ready for editing. Then the program seems to stop. "s"ubstitute the first instance of "docmument" with "document". This is actually "ed" waiting for commands. Other text editors still follow this behavior. [edit] ed One of the first editors that did this was ed. We say that the file is open.p to do this. do ordain and establish three lines of text. The buffer. short for "edit". not the file is open.) An interesting possibility is if there is a way to delete the extra "m" from "docmument". $ ed newfile 139 . Notice that unlike many editors. "ed" has not yet shown the text of the file. and requiring the user to save to write the file back to disk. do ordain and establish three lines of text. "newfile" is the name of the text file to edit. This has many features of Windows Notepad. $ ed newfile 139 .p We the people. To be more correct from the perspective of a C programmer. 2s/docmument/document and preserving a more perfect document for all. "docmument" has an incorrect spelling. The command. the file was opened and copied into a buffer. then copy and paste the remainder of the text. "p"rint that line to standard output. On many computers.p We the people.Suppose there is a want to change this file. type the correction. "ed" actually lacks a prompt. Now to do some actual editing. One can replace it with cat > newfile again. it should be document. copying them into buffers. but that leaves the first lines unmodified. and to handle more complex tasks like inserting words and rearranging text. Here "ed" prints the changed line from the buffer. promoting the common keyboard and preserving a more perfect docmument for all. but no shell prompt appears. In this example."). and "q" to quit "ed". then our edit is lost. One can append to the file with cat >> newfile. Other wants could be revisions to this sentence and the addition of more sentences. but also lacks many. This means that the disk or storage device will not be bothered until we save the file.p . We run two more commands.

here it reads "newfile: unmodified: line 1" On many computers. ~ ~ ~ ~ newfile: unmodified: line 1 The screen might look different if you have a different version of "vi". not "vee" nor "six". by default never show at the screen whether the editor is in command or insert mode. this book has a chapter ed and sed (when someone writes that chapter). "ed" error messages are not useful when we mistype commands. do ordain and establish three lines of text. 2s/docmument/document and preserving a more perfect document for all. . do ordain and establish three lines of text. which in this case means to repeat the command fifteen times. Even worse. Here. which is short for "VIsual editor". all versions of "vi" have these two features: a "~" shows a nonexistant line (though you could type a line with only "~" to be confusing) there is a status line at the bottom.) So it is possible to move the cursor through the file. which was not possible with ed. with the cursor at "p" in "promoting". you can use the arrow keys to move the cursor. Observe what happens when one starts "vi". [j] moves down. Unix systems introduced video screens that allow Unix to draw anywhere on the screen. do ordain and establish three lines of text. But what if we want to type the letter "l" instead of moving the cursor? Press [i]. If that does not work. Then type something. w 138 q We made only one minor change. typed [i] and then "nominally " (including one space): We the people. Many Unix users never bother to learn "ed". the user. [edit] vi At some point. ell). However. [l] moves down For example. For those readers with interest. Your screen also probably has more than eight lines. Thus. [k] moves right. as a shortcut. one can press [l] for fifteen times to move the cursor from the "W" in "We" to the "p" in "promoting". you can use the standard "vi" keys: [h] moves left. the namers of this program intended one to call it "vee eye". nominally promoting the common keyboard and preserving a more perfect document for all. This gives the number "15" to the [l] command. ~ ~ ~ ~ Note that some copies of "vi". (In fact. which is a command to switch the vi editor from command mode to insert mode. such as this one. Someone decided that it would be good to create a "visual editor" that allows the user to move the cursor through the file (as it appears with "cat" or the ed "p" command) and make changes. The name of this program is vi. five. but this already required four commands. promoting the common keyboard and preserving a more perfect docmument for all. promoting the common keyboard and preserving a more perfect document for all. vi lets one press [1] [5] [l] (one.We the people. First you type the command: $ vi newfile Then the screen clears and becomes like this: We the people.

highlights. Each input line is divided into fields by a separator character (default is space) and patterns can be matched to these fields as they are referenced in the usual Unix style . A line that does not match is ignored.Aho. For addition. Any line that matches the given pattern has the action applied to it and this constitutes the output. there is unlimited precision. Learning the vi editor. $0 means the entire input line. The arbitrary-precision means that numbers can contain unlimited digits (limited by memory). type [:] [w] [q] [RETURN] which inputs "wq" to the colon prompt. Division stops after a . Therefore if you just want to print a subset of the input. It is a programming language which uses a pattern-action expression that transforms the input to the output. searching each line for the given pattern. and multiplication. including color coding screen. most other languages limit numbers to eight bytes at most. $2 being field 2 etc. Weinberger and Kernighan. To learn more about vi. Retrieved from "http://en. and spell check within the document. [edit] emacs [edit] Word wrap UNIX/EXPLANATIONS/AWK The name 'awk' is derived from the names of the three people who originally developed it . Awk will print the input as found. read the Wikibook. you can also specify which fields are to be output in the same way eg print $1. you just need to supply a pattern that will produce the desired results. press [ESC] escape. The list of commands are generally supplied in a separate file. any such records found will have the second and third fields printed. [edit] vim In new generation of Linux and Unix operating systems. However. the default action is to print the entire line. VIM incorporates almost all the features of VI and more. If no action is specified. and this can contain many lines for more complex problems. To save and quit the editor. It processes the input (usually a file of data).To exit insert mode.wikibooks. subtraction. If no pattern is specified then all input lines are selected.org/wiki/Guide_to_Unix/Explanations/awk" UNIX/EXPLANATIONS/BC bc is an arbitrary-precision calculator language. the more improved version of VI editor was released called vim (version 7 latest). A simple example: awk '$1 ~ /A/ { print $2 " " $3 }' /etc/passwd This will read the file /etc/passwd and check each record field 1 to contain "A".$1 being field 1.

variables and statements "for" loops . The function "integrate" approximates the definate integral from "a" to "b" using "n" parabola sections. The following example has long function and variable names and must be changed to work on these copies of "bc". (n = n . and integrate f from 0 to pi (pi is "4*a(1)". i. } return result.00000000067647189101 ^D [edit] Explain Now explain these features so users can understand the script.certain number of decimal places (usually 0 or 20). ". for(i = a. } Put this in a file. i + delta). This example integrates the sine function.) This is an example of a user starting bc. doing two calculations. ". "bc" is often called using the "-l" option. The following example was tested with OpenBSD bc and probably runs on GNU bc too. 4 times arctangent of 1) with 100 intervals: $ bc -l simpson integrate(0.1) + 1. i = i + delta) { /*print "calling simpson(".*/ result = result + simpson(i.n) { delta = (b . but different functions can be used by replacing f. Note that pressing ^D (control-D) also exits.40000000000000000000 quit $ [edit] Example script Some versions of "bc" limit function and variable names to one letter. 4*a(1). n. define f(x) { return s(x). which loads the standard library (which mostly contains trig functions) and sets the number of decimal places for division to 20. (Doing trig with the default precision of 0 decimal places is not so useful. } define integrate(a.b) { return ( (b-a)/6 ) * ( f(a) + 4*f((a+b)/2) + f(b) ). and exitting with "quit". 100) 2. Wikipedia has more about this subject: Simpson's ruleThis script implements Simpson's rule for integration. say "simpson". so "bc" is often bad with very small numbers (like 10e-44). } define simpson(a. "\n". load it. $ bc -l 3+4 7 2/5 . ") with n = ". The formula for "simpson" is taken from the Wikipedia article. i + delta.a) / n. result = 0.b.

see this. For example.functions ("define" and "return") standard library functions ("s" is sine) PART 3: ADMINISTRATION UNIX/EXPLANATIONS/BECOMING ROOT Most user accounts have only limited access to Unix. To install such software. but not into system directories like /usr. Some installation programs let you create the first user account during installation. using the root password. for example by uncommenting the "PermitRootLogin no" line in /etc/ssh/sshd_config on systems running OpenSSH. The superuser has a username of root. For security reasons. One should require using su or sudo instead.1 Configuring sudo 3.) In general. change permissions on system files. start servers on the reserved ports < 1024. (Some systems allow root to login through ssh because that is the only way in. root logins should be disabled on local consoles too.2 Useful defaults [edit] Login as Root The oldest way to access the superuser account is to login as root. it is common that users cannot delete files of other users or parts of system. NOTE: For Ubuntu and Kubuntu. . one must become the superuser. but the first user account can use sudo. and is allowed to do anything regardless of system permissions . A good system administrator would disable root logins when they are no longer necessary. it is bad to use root logins. One can a user (su USERNAME) but by default it switches you to root. You never get a root password or make a root login. Users can typically install new software in their home directories. After this. Contents [hide] 1 Login as Root 2 Use su 3 Use sudo 3. or do any other tasks from which normal users are banned. user ID of zero. before another user account is created and "su" or "sudo" are tested. and because many crackers on the net seem to know root's username. root logins are normally only permitted on local consoles. Ubuntu Linux and Mac OS X are both distros which do this. and thus have all of the powers of root: $ su Password: # The acronym "su" means switch user. The only good reason to use a root login is during the initial setup of a Unix system.restrictions on user activity never apply to root. so that a user must authenticate with a normal user account before becoming root. [edit] Use su The su command allows anyone who knows the root password to get a root shell.

Defaults !insults. including root. Retrieved from "http://en. It might already be there. so sudo is good for administrators that prefer not to memorize a separate root password. running sudo prompts one for one's own user account password instead of a root password. group id zero. but commented out. the line provides that every user in group wheel can run any command as any user. one should exit the root shell. but someone who can use root can use all other accounts anyway. This requirement does not exist on some systems. When one finishes with the root shell created by su. The percent sign indicates that all users in group "wheel" can do this. so that it is not accidentally used later for normal user activity: # exit exit $ [edit] Use sudo There is a very configurable command called sudo which several Unix-like distros include. The last "ALL" indicates which commands are allowed. so we just say "(ALL)". The requirement is that your username be listed in /etc/group on the line for group "wheel". we try to view the log for email sent through a Unix-like system: $ less /var/log/maillog /var/log/maillog: Permission denied Because the permission was denied. It is intended for systems where the administrator grants (possibly limited) sudo access to many users.wikibooks.org/wiki/Guide_to_Unix/Explanations/Becoming_Root" . The first "ALL" means this is allowed on all computers. The syntax to run a COMMAND as root is: $ sudo COMMAND For example. In most cases. sudo must be configured before you can use it.) The "(ALL)" is the user for which the commands will have priveleges. %wheel ALL=(ALL) ALL What does it mean? The first word. then this option is not necessary. !lecture The "insults" feature would give a random insult to any user entering an incorrect password. Thus. "%wheel" is the user allowed to use sudo for something. The "lecture" gives a message to a user that uses "sudo" for the first time (after each boot of the system). [edit] Useful defaults This line in /etc/sudoers disables two options. if only administrators use sudo. We could say "(root)". especially if they rarely use root. not root's password. This is a useful configuration line to put in /etc/sudoers. The only requirement is that the user enter a password: their own password. This allows one to run individual commands as root.Some systems require that you join the wheel group to have access to su. we use sudo to run the command as root: $ sudo less /var/log/maillog [edit] Configuring sudo On some systems. (That is useful if you copy the same sudoers file to several different Unix-like systems.

or statically linked for a few popular kernels. In contrast. Linux For Newbies has instructions for using apt-get on Debian and rpm on Red Hat.pkgrm for Solaris [edit] Querying packages On rpm-based systems. they are usually only available for a few popular distros. and possibly for a different processor than what you run. is to get them from your Unixlike system vendor. If they are available as binaries. several packages for Unix-like systems are only available as sources. PART 4: HARDWARE UNIX/EXPLANATIONS/DETERMINING HARDWARE Here are some methods of Determining Hardware currently on the system: run dmesg (works well on *BSD) use KDE Info Center (K Menu -> System -> Info Center) TODO Describe how to determine video hardware while X11 is running (or create a page at Guide to X11 and link to it). pkg_info pkgadd. especially free software packages. to find out which package owns the command foo (where foo is a standalone executable). The best way to get many packages. Vendors port the packages to their distros and build binary packages. use the command: $ rpm -q -f foo To add a package on linux based system use $ rpm -i foo To remove package on linux based system user $ rpm -e foo rpm command has other options user man pages to find out more. . [edit] Handling packages rpm apt-get pkg_add.pkginfo.UNIX/EXPLANATIONS/INSTALLING PACKAGES The Microsoft Windows and Mac OS X platforms are so widespread that typically a Windows or Mac software vendor will provide a binary. pkg_delete.

.. However. OpenBSD 3. the answers are rounded down to integers. which matches the OpenBSD 3.. This line from the dmesg output indicates the presence of an audio device: audio0 at snapper0 We can go up the dmesg. $ dmesg | less . (Generally.) The real memory is 262144K.. which means that we have an audio device.. using bc or some other method: $ bc 262144 / 1024 256 230824 / 1024 225 quit This computer has 256 MB of memory. You can help Wikibooks by expanding it.. Revision 0x5 pci1 at mpcpcibr1 bus 0 . Because we used bc. This system has an OpenBSD 3. snapper0 at macobio0: irq 30... UNIX/EXPLANATIONS/FILESYSTEMS AND SWAP . audio0 at snapper0 .openbsd. amount of memory.8 operating system distribution.1. Divide by 1024 to convert to megabytes. but only 230824K is "avail".$_ The Determining Hardware module or this section of Wikibooks Guide to Unix Computing is a stub. and whether this computer has an audio device.8 (GENERIC) #425: Sat Sep 10 15:49:26 MDT 2005 deraadt@macppc. [edit] Examples Run dmesg on a *BSD system to determine the kernel version.2 .org:/usr/src/sys/arch/macppc/compile/GENERIC real mem = 268435456 (262144K) avail mem = 236363776 (230824K) using 1254 buffers containing 13418496 bytes of memory mainbus0 (root) . In contrast.. macobio0 at pci1 dev 23 function 0 "Apple Intrepid" rev 0x00 . the kernel on a *BSD matches some version of the system. there are many combinations of Linux kernels and systems.. learning that we have audio0 at snapper0 at macobio0 at pci1 at mpcpcibr1 at mainbus0. we are probably only interested in "audio0". which probably means available. On this computer. but only 225 MB are "avail".. mpcpcibr1 at mainbus0: uni-north. it should be possible to install programs that play sound and music.. and "snapper0" if we want to know the type of sound card providing this audio.8 kernel.

Filesystems themselves are represented as files in /dev such as /dev/cdrom and can be mounted to directories in the root filesystem such as /mnt/cdrom. including the UFS2 of FreeBSD. the directory containing all other directories.4 Creating Disk Images 5 Encrypted Filesystems 5. Contents [hide] 1 List of Filesystem Types 1.2 Encrypted Filesystems on Linux 6 References [edit] List of Filesystem Types The choice of Unix-like system influences the choice of filesystem.4 Mounts by Users 3. For example.2 Mounting Disk Images on FreeBSD 5 4. named pipes. This makes these filesystems good for mounting on /. directories. Sometimes. /tmp. Other filesystems are mounted on directories under / which make these filesystems look like directories in the root filesystem. a CD-ROM containing files might be mounted at /mnt/cdrom. and virtual devices can be accessed. Provide a scenario where we add an external disk drive to the file. Each disk or storage medium may contain one or more filesystems. Here files representing physical.A common feature in Unix-like filesystems is that all files appear in one file hierarchy.2 Mounting with fstab 3. There are several incompatible extensions to UFS. TODO Explain the /etc/fstab file. including normal files. Access to devices is supplied by another filesystem mounted at /dev. They also support the entire Unix user and group permission model. Though "swap" resides on a disk. and Mac OS X. and other such filesystems if those are separate partitions. and device nodes. is itself is called the root directory. while FFS is some kernel optimizations for UFS in *BSD.1 Simple mounting 3. it is not actually a filesystem. and only normal files and directories are allowed. Some disks are also used for swap. UFS is the on-disk layout. the permission on every file on the filesystems must be the same.1 Filesystems with full Unix support 1. [edit] Filesystems with full Unix support Unix File System (ufs/ffs) is the filesystem of *BSD and several commercial Unix variants.this is the standard way to encrypt disks under Linux now. TODO Add description of LUKS for Linux -. symbolic links. Therefore. each of which contains files which can contain data. when memory is full. The filesystem storing the base of the hierarchy is referred to as the root filesystem.5 Union Mounts 4 Disk Images 4. /. The Gentoo and Ubuntu wikis have good instructions for those specific distros.2 Foreign Filesystems 2 Disk Partitioning 3 Mounting Filesystems and Activating Swap 3.3 Mounting Disk Images on Linux 4. and also /home.1 Encrypted Filesystems on OpenBSD 5. Explain better how to use the mount and umount commands. /var. which supplies a temporary storage space for data in memory. NetBSD. Non-Unix filesystems were intended for non-Unix operating systems or to exchange files between different filesystems.3 Unmounting 3. In this example /mnt/cdrom is called a mountpoint. .1 Mounting Disk Images on NetBSD and OpenBSD 4. /usr. There are two kinds of filesystems: Filesystems with full Unix support can hold all types of Unix files.

Originally writen for SGI's Irix operating system this fs has been ported to Linux using a shim layer converting Linux VFS and locking semantics to Irix semantics. *BSD. nor Unix file permissions. compact disks (CDs) are called /dev/cd0c.. /dev/hda2. Reiserfs is a fast journaled filesystem written by Hans Reiser. [edit] Foreign Filesystems iso9660 is a common filesystem for CD-ROMs. *BSD has some extra rules: Partition 'c' (/dev/wd0c) must be the entire disk. /dev/sd1c. and Mac OS X) and DOS/Windows understand it. /dev/disk2. /dev/svnd1c. On *BSD... /dev/ad2c. In addition. /dev/svnd2c. HFS+ has binary trees. /dev/wd0b. UDF is a common filesystem for DVDs. IDE/ATA disks are called /dev/ad0c. jfs is a high performance journaled filesystem written by IBM originally for IBM AIX. The chapter Partitioning Disks describes the formats in more detail and how to edit the partition maps. Note that ext3 is really the same as ext2. and other systems that understand ext2. but not good for trading files between different Unix-like operating systems that implement UFS incompatibly. IDE/ATA disks are called /dev/hda. Because nearly every Unix-like system (including Linux. which make it faster than ffs and ext2 sometimes. and can be shared between different Linux systems.. HFS+ always has the same on-disk layout. Normally you can have normal files and directories. but not special files. Some newer Unix-like systems can read and write it. /dev/wd0d. /dev/hda3. On Linux.. /dev/sdc. ext2 always has the same on-disk layout. /dev/sd2c. On *BSD. then partition 'a' must be root (/) and 'b' must be swap. Most Unix-like systems can read it.. and can be used as the root filesystem. On Mac OS X. /dev/disk0s2. /dev/sdb. If a *BSD operating system boots on the disk... /dev/ad1c. /dev/disk1. [edit] Mounting Filesystems and Activating Swap The commands one uses are: mount to mount filesystems umount to unmount filesystems swapctl.. On *BSD. NetBSD/OpenBSD disk images are /dev/svnd0c. On Linux. /dev/hdc.. /dev/wd1c. SCSI disks are called /dev/sd0c. /dev/hdb. reiserfs is an alternative to ext2 on Linux. swapon. swapoff [edit] Simple mounting . but with journaling enabled... /dev/wd0c. disk0 is partitioned into /dev/disk0s1. HFS+ (hfsplus) is the main filesystem implementation for Mac OS X. Linux Second Extended Filesystem (ext2 or ext3) was inspired by ufs/ffs. msdos (FAT) is the filesystem from MS-DOS. and can be shared between different Mac systems. SCSI disks are called /dev/sda. disks are called /dev/disk0. /dev/cd1c. Unlike ufs/ffs. On FreeBSD. /dev/wd2c. Like ext2. Linux also provides other filesystems that you might use instead of ext2. ReactOS.UFS is good for the root filesystem.. and Microsoft Windows.. (If there is no OS on the disk. the msdos filesystem is often used to trade files between computers or on computers which boot multiple operating systems. On *BSD. symbolic links.. then 'a' can be used for any filesystem). and is similar.... IDE/ATA disks are called /dev/wd0c. or entirely as swap space. and then ported to Linux by the same. [edit] Disk Partitioning If the disk is not partitioned... FreeDOS. On Linux. /dev/hda4. ext2 is the main filesystem implementation for Linux. /dev/disk0s3. wd0 is partitioned into /dev/wd0a. it can be used for one filesystem.. and can be used as the root filesystem. Some Linux kernels can read them. Partioning the disk allows for multiple filesystems and swap spaces.. On Mac OS X. HFS+ supports both Unix and Mac file attributes. xfs is a high performance journaled filesystem written by SGI. ntfs is a newer filesystem from Microsoft Windows NT. hda is partitioned into /dev/hda1.

mount /dev/cdrom by a non-root user will mount /dev/cdrom using the mount point and options shows in /etc/fstab. If the directory was not empty. Such files are called disk images and they have several applications: Use dd to copy data from a device node to a normal file to preserve the content of a small disk. but only if "user" is listed as a mount option.usermount must be set to 1. [edit] Union Mounts Normally. its files are hidden until the filesystem is unmounted. Unfortunately. In OpenBSD. a non-partitioned SCSI disk sd0 will be mounted on /etc (which is not normally a mount point)... Each line with the mount option "user" describes a permitted mount. The user can pick any mount point which the user owns. The union mount allows these files to show through. One can also move such images to a computer with a CD burner. for example a floppy disk. and DragonflyBSD. For example. Any existing /etc files that we have that are not also on sd0 will still be available. not unmount.generic. or offer the image for download so others may burn it. filesystems are mounted on empty directories.) Here are some ways that root can permit user mounts: Linux allows the user to perform mounts permitted through the /etc/fstab file. Some operating systems provide a mount(8) option -o union for this. One might want to mount your disk image read-only to examine it before the burn. (An alternative is to configure "sudo" to allow users to become root when mounting and unmounting. All new files are made on the mounted filesystem. vfs. Each existing file from the directory only shows if there is no file in the same place on the mounted filesystem. a CD drive) and /mnt/cdrom is the place to mount. # mount -o union /dev/sd0c /etc [edit] Disk Images A filesystem can be stored on a file on another filesystem. In NetBSD. Create an /etc/fstab entry for /dev/hdb.usermount must be set to 1. kern.Suppose /dev/hdb is a device (for example. vfs. A sysctl value must be changed by the root user in order to do this on most of them. Some programs let you make iso9660 disk images before burning them to CD. [edit] Mounting with fstab The /etc/fstab file helps you mount. umount /dev/hdb [edit] Mounts by Users The user mounts are mounting and unmounting of filesystems by users other than the superuser. Note that union mounts are strange and might not work well on your system. In FreeBSD. Then the mount command is: mount /dev/hdb /mnt/cdrom There are more mount options so look for mount somewhere in Guide to UNIX/Commands. the different Unix variants have different approaches to this task. PcBSD. Run this command mount /dev/hdb [edit] Unmounting It is called umount. In this example. Many popular BSD-family operating systems allow the user to mount any device which the user can already read and write. .usermount must be set to 1.

(FIXME is this correct?) $ dd bs=1024 count=1440 if=/dev/zero of=example $ mkfs. Use the disk image.ext3 does no mounting. This guide only describes raw disk images. Note that mkfs. then you can create a disk image if you need a new filesystem. There are other formats (such as the Mac OS X NDIF format) but these must be converted or handled specially. empty disk image involves two steps before you mount it and start using it: Use dd(1) to make a new file of zeros with the correct size. we would instead mount partition 'c'. This particular disk image has a disklabel with a filesystem on partition 'a'.ext3(8) to create an unpartitioned ext3 filesystem. NetBSD and OpenBSD only allow mounting of filesystems stored on devices. Mount the svnd device. In this example.If you have no free space for new partitions on your disk. Format the disk image with partitions and filesystems.. we would also have made a disklabel. If we wanted to partition the disk image. If there was no disklabel. Thus five steps are involved: Associate the disk image with a svnd device.. Then we use mkfs. which we mount on /mnt. Sometimes this helps in the creation of encrypted filesystems. Association and dissociation are handled by the vnconfig(8) command. /dev/zero. /the/disk/image will be associated with /dev/svnd0c. # vnconfig -c /dev/svnd0c /the/disk/image # mount /dev/svnd0a /mnt . [edit] Creating Disk Images Creating a new. Unmount the svnd device. which is a compressed disk image. $ dd bs=1024 count=1440 if=/dev/zero of=example $ sudo vnconfig -c /dev/svnd0c example . # umount /mnt Some Linux kernels can mount a cloop (compressed loop). # mount -o loop /the/disk/image /mnt . Disassociate the disk image from the device..ext3 example The *BSD newfs(8) and newfs_msdos(8) utilities insist on formatting devices only. but some partition has free space. to create a 1440 kilobyte disk image (1440 blocks of 1024 bytes). One first prepares the image and then compresses it how? Then one mounts it how? The Knoppix livecd uses a cloop to fit more programs to the CD. We use dd and an unlimited supply of zeros. This is solved with vnconfig(8).. one uses mdconfig(8) with a vnode backed storage. # umount /dev/svnd0a # vnconfig -u /dev/svnd0c [edit] Mounting Disk Images on FreeBSD 5 In FreeBSD 5. Here is an example. One can ignore the imaginary disk geometry. so it cares not if it formats a device or a disk image. [edit] Mounting Disk Images on Linux The mount(8) option -o loop can be used to mount disk images instead of devices. which contain only the filesystem. Such an image must be mounted read-only. [edit] Mounting Disk Images on NetBSD and OpenBSD Normally.

. In this example. This is possible with the -k flag to vnconfig(8). $ dd bs=1024 count=1440 if=/dev/zero of=example $ sudo vnconfig -c /dev/svnd0c example $ sudo disklabel -E svnd0 Initial label editor (enter '?' for help at any prompt) >a partition: [a] offset: [0] size: [2880] FS type: [4.. $ sudo vnconfig -u /dev/svnd0c In fact. The mount will fail because the disklabel and filesystem header are not readable. we will mount the encrypted disk image called /secrets. you must vnconfig -u and 28* . especially if when creating an ffs filesystem. used with -c. OpenBSD only provides Blowfish encryption for disk images. vnconfig will still succeed.2BSD 2048 16384 32 # Cyl 0 c: 2880 0 unused 0 0 # Cyl 0 . so that the filesystem will be correctly listed in the label. on *BSD it is a good idea to always have a disklabel. and the letter will be different from 'c'..28* >q Write new label?: [y] $ sudo newfs /dev/rsvnd0a .2BSD] >p device: /dev/rsvnd0c type: SCSI disk: vnd device label: fictitious bytes/sector: 512 sectors/track: 100 tracks/cylinder: 1 sectors/cylinder: 100 cylinders: 28 total sectors: 2880 free sectors: 0 rpm: 3600 16 partitions: # size offset fstype [fsize bsize cpg] a: 2880 0 4. one would expect that there is a way to have an encrypted filesystem.$ sudo newfs /dev/rsvnd0c . # umount /dev/svnd0a # vnconfig -u /dev/svnd0c Note that if you entered the wrong encryption key. $ sudo vnconfig -u /dev/svnd0c [edit] Encrypted Filesystems [edit] Encrypted Filesystems on OpenBSD Because OpenBSD has integrated crypto... which contains a single partion letter 'a': # vnconfig -ck /dev/svnd0c /secrets Encryption key: # mount /dev/svnd0a .. In this case.

and home /home). On Macintoshes. For example. Each partition can be formatted separately. and possibly extra space for future partitions. then fill the partition with one large file to serve as the disk image. With fdisk: The master boot record (MBR) is not part of any partition. In that case. Windows.1 Partition Types 2. UNIX/EXPLANATIONS/PARTITIONING DISKS This chapter describes different types of partitioning maps and the programs used to adjust partitioning maps. Linux might be using 3 partitions (root /.then vnconfig -ck with the correct key. On i386 hardware. or swap. It is used by DOS. Root is on primary partion 3.1 Is there room for the disklabel? 3. fdisk partitioning is common. the Apple partition map allows the disk to contain one or more Macintosh (HFS+ or the older HFS) partitions. you must divide primary partion 4 into secondary partitions. The Unix-like system is often installed on the same disk as some other operating system. It is also used by Linux systems. create a normal unencrypted disk image. which hold computer files. The BIOS which boots the computer starts the Master Boot Record (MBR) on the disk. because the BIOS can find bootloader files on HFS+ and HFS partitions. The chapter for Filesystems and Swap described how Unix-like systems use partitions. The BIOS (Open Firmware) can boot the Macintosh without an MBR. and Linux. Windows might be installed on primary partitions 1 (drive C:) and 2 (drive D:). not of lose tup. Contents [hide] 1 fdisk partition maps 2 Apple partition maps 2. The fdisk partitioning is used by DOS and Windows. which is used as additional (but slower) memory by operating systems. but most configurations use a nonBSD partition map with a "slice" that contains a *BSD partition map and partitions.2 Example 3 BSD slices and partitions 3. The MBR understands the fdisk format. If you want more partitions. Make sure to use the correct key when initially formatting a new disk image. You are limited to four primary partititions. especially because Linux is often installed on the same disks as DOS and Windows.2 How does BSD read a non-BSD partition map? [edit] fdisk partition maps This section might need corrections. swap. mount it. [edit] Encrypted Filesystems on Linux Some Linux kernel configurations let you use losetup to encrypt disk images. Primary partition 4 contains the swap and home partitions. both the Unix-like kernel and the other system must understand the same kind of partioning map. Partitions are normally used for filesystems. The *BSD systems can use an MBR with a *BSD partition map. Think of lo(opback) setup. To have an entire encrypted disk partition. . A partition map divides the disk into partitions.

but most disks now lack them. Mac OS 9 and earlier would load a device driver for the disk from these partitions. A disk must have zero or one of these. It exists so that no other partition overlaps the partition map. These maps are created when Apple's Drive Setup program was used to format the disk. go to a shell prompt on Mac OS X or *BSD and use pdisk or diskutil. one can use the 128 MB as swap for OpenBSD. Mac OS classic drivers These tiny partitions would be after the partition map. but now both Linux and NetBSD are using this partition type. it is an A/UX partition for Apple's port of SVR2 to the 68k Mac. Using NetBSD's pdisk. For some reason. you can flag two Apple_UNIX_SVR2 partitions as root and swap partitions. There is usually one big "Apple_Free" partition. OpenBSD This is the OpenBSD slice. starting at 2. Mac OS X. Linux instead goes by its /etc/fstab file. Apple_Free Map editors like pdisk create this "partition" whenever partitions are deleted. Some operating systems are still stuck with "Apple_UNIX_SVR2" though. It is confusing if you have Linux and NetBSD on the same disk. the Linux bootloader. including Mac OS X. look for a program called FDISK. which are only used by Mac OS 9 and older.A primary partition might also be a *BSD slice. Some systems use the type to find their filesystems. To manipulate Apple partitions. The default MBR (the one from MS-DOS and FreeDOS) boots the active primary partition. and GNU/Linux as possible entries.EXE on DOS or fdisk on Linux. do not use them. [edit] Partition Types Actually. However. . Use HFS+ instead. That means that it contains a *BSD disklabel and several *BSD partitions. BSD uses the type to find its slice. Both Apple systems are obsolete. There is no Master Boot Record (MBR). These become "a" and "b" when you boot NetBSD. for example "OpenBSD". Apple_HFS This is an HFS+ or HFS partition. Apple_partition_map This partition contains the partition map. An "Apple_Free" partition is just unused space. However. Especially with newer versions of Mac OS X. partition types on Apple partition maps can be arbitrary strings. To manipulate fdisk partitions. This might also be an MS-DOS format partition. Drive Setup insists on creating 128 MB of unused Apple_Free space as partition 2. Apple_Bootstrap The BIOS (Open Firmware) can boot from this partition. but Mac OS will not mount it. Some older disks with Mac OS 9 drivers installed have several tiny partitions. You can create at least 17 partitions. Mac OS can also mount those. Most GNU/Linux systems now call that same program mac-fdisk for some reason. Apple_UNIX_SVR2 Nominally. This partition type is used by "ybin" to contain "yaboot". there is almost never a reason to use Apple_UFS. All other systems. and probably more. some MBRs like GRUB might give you a menu instead of booting the active partition. You can declare the type of each partition. but Linux ignores the types completely. It has its own Apple-format disklabel and separate boot partition (Apple_Boot? not Apple_Bootstrap) in case someone copies a bootable copy of Mac OS X to the partition. Trying to use Apple_UFS partitions with OpenBSD can corrupt data. Apple borrowed this partition type for their dualithic Linux for PowerPC Mac. One primary partition might be marked active. Apple_UFS This is a UFS partition mounted by Mac OS X. It can also contain an OS-menu with Mac OS 9. If careful. Drive Setup on Mac OS X also insists on wasting 128 MB on an Apple_Free partition between the Apple_partion_map and the first Apple_HFS. With these partition maps: Partition 1 contains the partition map. [edit] Apple partition maps Mac OS hard disks normally contain Apple partioning maps. Mac OS mounts all partitions of this type (unless the HFS do-not-mount flag is set).

[edit] Example On the example system. The terms "slice" and "partition" are often defined as follows: A partition is an entry (filesystem or swap) in the BSD disklabel. so the command would be "mac-fdisk /dev/hda".9G) DeviceType=0x0.9G) 4: OpenBSD OpenBSD 25165824 @ 25165888 ( 12. One of the partitions is a BSD slice. The *BSD system will use the disklabel while other systems use the partition map. we use "pdisk" on OpenBSD to see the partition map. 'a' must be root and 'b' if it exists must be swap. In the following discussion. and the entire disk is reserved to *BSD. Most Linux distros now give the name "mac-fdisk" to "pdisk". The disk has only a disklabel. The BSD partition map is called a disklabel. The disk has a partition map but no disklabel.0G) 5: Apple_UNIX_SVR2 untitled 24064454 @ 50333666 ( 11. and letters of all partitions. Only *BSD can use this disk. types. OpenBSD/macppc only recognizes Apple_HFS partitions. so NetBSD/macppc installations do not need a disklabel. Because of these special traits. On Mac OS X the command would be "pdisk /dev/disk0". "partition map" refers to a non-BSD partition map which is not a disklabel. assigning letters to all recognized types of partitions. We run the "pdisk /dev/rwd0c" command on OpenBSD. The disklabel indicates the locations. DeviceId=0x0 Command (? for help): q # [edit] BSD slices and partitions Wikipedia has more about this subject: BSD disklabelThis section might need corrections. This leads to three situations when a disk is used with BSD: The disk has a partition map and a disklabel. possibly after the MBR. The disklabel is at the beginning of the disk. # pdisk /dev/rwd0c Edit /dev/rwd0c Command (? for help): p Partition map (with 512 byte blocks) on '/dev/rwd0c' #: type name length base ( size ) 1: Apple_partition_map Apple 63 @ 1 2: Apple_Bootstrap untitled 1954 @ 50331712 3: Apple_HFS Apple_HFS_Untitled_1 24903680 @ 262208 ( 11. Number of Blocks=117210240 (55. the BSD kernel generates a partition map. NetBSD/macppc recognizes both Apple_HFS and NetBSD (Apple_UNIX_SVR2) partitions. [edit] Is there room for the disklabel? . BSD partitioning is special because on a disk with *BSD installed. With Apple partition maps.5G) 6: Apple_Free Extra 262144 @ 64 (128. The disklabel is at the beginning of the BSD slice. The partition map is at the beginning of the disk (possibly after the MBR). A disk with OpenBSD/macppc installed uses this configuration.0M) 7: Apple_UNIX_SVR2 swap 1099416 @ 74398120 (536. We use the pdisk command "p" to print the partition map and then "q" to quit. If the disk is used with *BSD.9G) Device block size=512. BSD disklabels are confined to slices on any disks that are also used by non-BSD operating systems. A slice is the partition of the non-BSD partition map (like fdisk or Apple) which contains the BSD disklabel and partitions.8M) 8: Apple_Free Extra 41712704 @ 75497536 ( 19.

1 root operator 3. When creating a disklabel. they are at /dev/cd* and /dev/rcd*. 0 Nov 1 16:26 /dev/cd0a brw-r--'--. which is a form of secondary partitioning. If they look like this: $ ls -l /dev/cd* brw-r--'--. [edit] How does BSD read a non-BSD partition map? The *BSD distros have different approaches for using non-BSD partitions. Mac OS X will put an Apple-specific disklabel on all Apple_UFS partitions because those are not listed in a BSD disklabel. If no disklabel exists. If OpenBSD sees an Apple partitioning map.1 Granting permission to the user • 1. but then you would have to "chown" the file back to you. starting with letter 'i'. OpenBSD assigns letters to all "Apple_HFS" (HFS+) partitions. or having *BSD and a non*BSD operating system on the same disk.To make room for a disklabel. Use disklabel -E to edit the disklabel. it will search for a partition of type "OpenBSD". (You could become root to rip the CD. all UFS/FFS partitions leave the first bytes unused. UNIX/EXPLANATIONS/COMPACT DISCS Contents [hide] • 1 Ripping CD audio • 1. and use the disklabel on that partition. 2 Nov 1 16:26 /dev/cd0c . On *BSD. Thus you can put a root UFS/FFS partition directly at the beginning of the disk (except the MBR) and still have room for a disklabel. it will assign letters to all of the HFS+ partitions and NetBSD partitions.1 root operator 3. [edit] Granting permission to the user First you should have read-and-write permission to the CD device.) First look at your CD devices nodes. With some drives (one without analog connections to the sound card) this is the only way to correctly play a file. one starts with the HFS+ partitions already in the disklabel. If NetBSD sees an Apple partitioning map.2 Ripping tracks 2 Eject a disc 3 Burn a disk • • [edit] Ripping CD audio This copies the audio from a CD track to a file. All UFS/FFS partitions must be listed in a disklabel to be useful. Then one adds OpenBSD partitions by dividing the "OpenBSD" Apple partition into several disklabel partitions.

The user needs to have "sudo" access. $ sudo cdrecord -v -dummy dev=/dev/cd0c burn.iso. 16 Nov 1 16:26 /dev/cd1a brw-r--'--.1 root wheel 3. but not any special access to the CD device node. 0 Nov 1 16:26 /dev/cd0a brw-rw--'-.iso $ sudo mount -r -t cd9660 /dev/svnd0a /mnt $ diff /mnt backup $ echo $? 0 $ sudo umount /mnt $ sudo vnconfig -u /dev/svnd0c The filesystem is good though file is misleading: $ file burn.01 (--) Copyright (C) 1995-2004 Jörg Schilling TOC Type: 1 = CD-ROM scsidev: '/dev/cd0c' devname: '/dev/cd0c' .iso -r -hfs backup $ chmod a-w burn. (NetBSD/OpenBSD) $ sudo vnconfig /dev/svnd0c burn. $ eject cd0 [edit] Burn a disk Scenario: put the contents of a directory called backup to CD.1 root operator 3.wav [edit] Eject a disc Many systems provide an eject command. cdrecord: Continuing in 5 seconds. Here we do the actual burn (and eject) as root. Cdrecord-Clone 2.iso burn. 18 Nov 1 16:26 /dev/cd1c Here. 16 Nov 1 16:26 /dev/cd1a brw-rw--'-. We decide to add the users to group "wheel". root needs to grant read and write permission to the user.1 root wheel 3.iso: x86 boot sector. we change the group of the devices and grant read and write permission to the group: $ sudo chgrp wheel /dev/cd* /dev/rcd* $ sudo chmod g+gw /dev/cd* /dev/rcd* $ ls -l /dev/cd* brw-rw--'-. This is a test burn to demonstrate cdrecord -v. We will call it burn. With a CD in: $ cdparanoia 2 song37.wav. 2 Nov 1 16:26 /dev/cd0c brw-rw--'-. Our ". cdrecord: Future versions of cdrecord may have different drive dependent defaults.. 18 Nov 1 16:26 /dev/cd1c [edit] Ripping tracks We must insert a CD before ripping the track.brw-r--'--. Here. cdrecord: Asuming -tao mode. Create a disk image of the CD. • -R is ISO6990 Rock Ridge support • -r is Rock Ridge but with all files to root (usable on computers with different users) • -hfs indicates a hybrid ISO9660/HFS disk $ mkisofs -o burn.1 root wheel 3.iso Mount it to check for validity.iso cdrecord: No write mode specified. for example.wav" suffix is because that is the default format of cdparanoia. Once they are in.1 root operator 3. we rip track 2 and store it in song.1 root wheel 3. extended partition table Insert a blank disk..

Waiting for reader process to fill input buffer . Driver flags : MMC-2 SWABAUDIO BURNFREE Supported modes: TAO PACKET SAO SAO/R96P SAO/R96R RAW/R16 RAW/R96P RAW/R96R Drive buf size : 1731072 = 1690 KB FIFO size : 4194304 = 4096 KB Track 01: data 114 MB Total size: 130 MB (12:58. Fixating time: 34. index: 24 Manufacturer: SONY Corporation Blocks total: 359849 Blocks current: 359849 Blocks remaining: 301455 Starting to write CD/DVD at speed 24 in dummy TAO mode for single session.457s cdrecord: fifo had 1947 puts and 1947 gets.2x. starting dummy write 0 seconds. Min drive buffer fill was 98% Fixating. BURN-Free is ON.. Track 01: Total bytes read/written: 119586816/119586816 (58392 sectors). Last chance to quit. Operation starts. SCSI buffer size: 61440 atapi: 0 Device type : Removable CD-ROM Version : 0 Response Format: 2 Capabilities : Vendor_info : 'MATSHITA' Identifikation : 'CD-RW CW-8123 ' Revision : 'CA0T' Device seems to be: Generic mmc2 DVD-ROM. WARNING: Some drives don't like fixation in dummy mode. $ echo $? 0 .. min fill was 80%. Turning BURN-Free off Starting new track at sector: 0 Track 01: 114 of 114 MB written (fifo 100%) [buf 98%] 8.6x. Writing time: 102. cdrecord: fifo was 0 times empty and 1860 times full.. input buffer ready.58) = 58394 sectors Lout start: 131 MB (13:00/44) = 58394 sectors Current Secsize: 2048 ATIP info from disk: Indicated writing power: 5 Is not unrestricted Is not erasable Disk sub type: Medium Type B.275s Average write speed 7.scsibus: -2 target: -2 lun: -2 Using libscg version 'schily-0..8'. Current: 0x0009 Profile: 0x0010 Profile: 0x0008 Profile: 0x0009 (current) Profile: 0x000A Using generic SCSI-3/mmc CD-R/CD-RW driver (mmc_cdr). low Beta category (B-) (4) ATIP start of lead in: -11834 (97:24/16) ATIP start of lead out: 359849 (79:59/74) Disk type: Short strategy type (Phthalocyanine or similar) Manuf.

Unix/Explanations/Real Networking Interfaces . Operation starts. $ command1 | command2 command1 standard output is redirected as standard input to command2.8'. Track 01: Total bytes read/written: 119586816/119586816 (58392 sectors).. starting real write 0 seconds. Device type : Removable CD-ROM Version : 0 Response Format: 2 Capabilities : Vendor_info : 'MATSHITA' Identifikation : 'CD-RW CW-8123 ' Revision : 'CA0T' Device seems to be: Generic mmc2 DVD-ROM. $ sudo eject cd0 If we reinsert the disk then we can mount/unmount it: $ sudo mount /dev/cd0a /mnt $ sudo umount /mnt PART 5: NETWORKING UNIX/EXPLANATIONS/INTERPROCESS COMMUNICATION [edit] PIPEs One of the beauties of UNIX/Linux are pipes.01 (--) Copyright (C) 1995-2004 Jörg Schilling scsidev: '/dev/cd0c' devname: '/dev/cd0c' scsibus: -2 target: -2 lun: -2 Using libscg version 'schily-0. cdrecord: Future versions of cdrecord may have different drive dependent defaults. Driver flags : MMC-2 SWABAUDIO BURNFREE Supported modes: TAO PACKET SAO SAO/R96P SAO/R96R RAW/R16 RAW/R96P RAW/R96R Starting to write CD/DVD at speed 24 in real TAO mode for single session. cdrecord: Continuing in 5 seconds.An actual burn: $ sudo cdrecord dev=/dev/cd0c burn. Cdrecord-Clone 2. Last chance to quit. cdrecord: Asuming -tao mode. Pipes are used for redirecting STDOUT (standard out) to STDIN (standard in).. The OS or drive might not know that the disk now has a filesystem on it.iso Password: cdrecord: No write mode specified. $ echo $? 0 We should eject the finished disk now. Using generic SCSI-3/mmc CD-R/CD-RW driver (mmc_cdr).

052 ms $ ping6 -c3 ::1 PING6(56=40+8+8 bytes) ::1 --> ::1 16 bytes from ::1.0.1: icmp_seq=1 ttl=255 time=0.0.284 ms 16 bytes from ::1.132/0. $ ping -c3 127. It is also possible to route packets between interfaces.0. This requires configuring the interfaces correctly and making a routing table.1" as an attack target and proceeds to destroy their own computer. even if it has no connection to an actual IPv6 network.094/0. and also for any situation where the server and client are on the same computer. It probably looks something like: $ ifconfig lo lo0: flags=8049<UP.1): 56 data bytes 64 bytes from 127.1: icmp_seq=0 ttl=255 time=0. icmp_seq=1 hlim=64 time=0. icmp_seq=0 hlim=64 time=0.) Use the ifconfig command to check the status of the interface. This is in addition to any address that it has on an actual network.0. then your IPv6 loopback address is "::1". every computer calls itself "127. they use the loopback interface.0. We use "ping -c3" and "ping6 -c3" to ping 3 times.0. A firewall is a good idea.1 netmask 0xff000000 inet6 ::1 prefixlen 128 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5 The IPv4 address of your computer is "127. though some Unix variants have a different command. Use the ifconfig command as root. otherwise it would ping every second until you interrupted with ^C (CTRL+C).1 PING".0. You probably have no problem pinging the interface with ping or ping6.206 ms 64 bytes from 127. 3 packets received. For example.118 ms 16 bytes from ::1. (For example. some computer games have a one-player mode where server and client are on the same computer.1: icmp_seq=2 ttl=255 time=0. The computer should be able to use IPv6 to communicate with itself. UNIX/EXPLANATIONS/FAKE NETWORKING INTERFACES Loopback The system uses the loopback interface "lo0" to talk to itself.0. Talking-to-oneself is useful for testing servers.0.0. but because there is only one computer.0. If an interface is only a tunnel through another interface.Real Networking Interfaces are the actual physical network connections on a computer. there is somewhere in the Boot Process that configures network connections. These games use the "network". A common configuration is to do DHCP with dhclient or pump command. (Some jokes involve a person who is given "127.MULTICAST> mtu 33224 groups: lo inet 127.0.1 (127. so it is impossible to use this address to communicate between computers.RUNNING.0.1".0. an Ethernet wire or wireless card is a real networking interface.LOOPBACK. In fact. Normally. icmp_seq=2 hlim=64 time= ping statistics --3 packets transmitted.094 ms 64 bytes from 127.0% packet loss round-trip min/avg/max/std-dev = 0.116 ms . then it is a Guide to Unix/Explanations/Fake Networking Interface.) If your system is running an IPv6 stack. Most systems automatically configure it at boot.096 ms --.

org/cgi-bin/cvsweb. and OpenBSD. and which are not found in the GNU licenses. tun. FreeBSD. this page covers the free variants of *BSD. carp. gif. This is similar to OpenSolaris and OpenDarwin.173/0.netbsd.opendarwin.org/bsdweb. The Wikibook. 3 packets received. some other *BSD copyright holders still use the clause. gre. pppoe. While *BSD does use some copylefted GNU programs. . lo. Contents [hide] 1 General 2 Kernel 3 Userland 4 Ports [edit] General The *BSD systems are descendants of AT&T Unix (though non-free Unix code was removed) so they feel more like Unix than their rival system GNU/Linux.freebsd.0% packet loss round-trip min/avg/max/std-dev = 0. Some interfaces that you might be able to create: bridge. gives an overview of BSD in its Berkeley Software Distribution chapter. Unix-like kernels provide device drivers and networking support and allow multiple users and programs to share the system. ppp. some parts of *BSD have extra terms in the license that annoy some people. the *BSD projects honor their ancestry putting BSD at the end of their names. A Neutral Look at Operating Systems. The last BSD release from Berkeley had non-free code removed so more persons could use it. In particular. trunk.::1 ping6 statistics --3 packets transmitted. 0.cgi/ FreeBSD http://www. vlan.116/0.org/cgi-bin/cvsweb/ OpenSolaris http://cvs. Currently. especially in comparison to other Unix-like systems. There are also nonfree variants. which leaves everyone free to make non-free versions of *BSD and distribute binaries without source code. and the development trees of non-free Unix-like systems are normally not public. Compare: DragonFly BSD http://www.cgi/ The *BSD sources are stored in /usr/src/ and the kernel in /usr/src/sys/.cgi/ OpenBSD http://www. NetBSD. and so must be upgraded together.org/index. Today. Unix/BSD/Introduction This page summarizes the main features of the *BSD kernel and system.org/cgi/cvsweb. [edit] Kernel Recall that a kernel is the interface between programs and hardware. The *BSD kernel and system programs are heavily integrated.dragonflybsd.--. but GNU/Linux programs and kernels are in separate trees. The core system.org/source/ OpenDarwin http://cvs. The four big *BSD systems are free software and open source. including kernel and userland. is maintained in one CVS tree.284/0. most of *BSD is not copyleft. However.079 ms [edit] Create interfaces If you want to use a fake network interface. you often must create it with "ifconfig create".opensolaris. AT&T had cheaply licensed the code to universities including Berkeley where major enhancements such as TCP/IP was then developed.openbsd. especially DragonFly BSD.cgi/ NetBSD http://cvsweb. sl. there was enough dislike for the "advertising clause" (which requires marks on certain ads) that the Regents of the University of California removed it from their license.

the UltraSPARC processors by Sun Microsystems. . Support for the ARM and MIPS architectures is currently in development. This is the main way of installing stuff that is not part of the base system. This is because /usr/ might not be mounted. Static linking is when the each program is in one file. It runs on processors compatible with the Intel x86 family. The kernel contains a "securelevel" feature which attempts to permanently restrict what all users (including root. while mkLinux and the kernel of Mac OS X are modular. A consequence of this is that the BSD kernel has a similar structure to commercial Unix kernels also descended from AT&T Unix. A unique feature of the pkgsrc tree is that it also works on other operating systems. and ultimately the original vi. and Fortran 77. DragonFly BSD also uses pkgsrc. The kernel is actually the original AT&T Unix with all of its files replaced. Retrieved from "http://en. FreeBSD includes "ee". The BSD university project had added or replaced so much stuff (the VAX port. so many prefer to use a binary package instead of a "make install". as well as on the DEC Alpha.) that *BSD projects could take the free parts and produce completely free kernels without needing a Unix license. although nano is free software and pico isn't). on all Unix systems) are organized and shows where each device was detected. By default. OpenBSD also includes "mg". AMD64 and PowerPC processors. C++. type a "cd" command to the directory containing the port (for example. The mounting and examining of "/proc" and "/sys".. and building of software for *BSD. . an editor resembling Emacs 17 but without any free but copylefted GNU code. is a better strategy on Linux. [edit] Ports There is a ports tree or packages tree originally from FreeBSD. the networking features.org/wiki/Guide_to_Unix/BSD/Introduction" Unix/BSD/FreeBSD FreeBSD is a Unix-like free operating system descended from AT&T UNIX via the Berkeley Software Distribution (BSD) branch through the 386BSD and 4. DragonFly BSD is changing some of this. patching. nvi is a clone of the original vi. the superuser) can do after a certain point in the boot process.so cannot be used.4BSD operating systems. First. which means that it is one program in one memory-addressing space. /usr/ports/games/nethack/). the Itanium (IA-64). This consists of Makefiles that automate the downloading. Thus the kernel avoids forming and sending messages between parts of itself. On NetBSD this is called pkgsrc. It also runs on the PC-98 architecture. The clone was necessary to remove some non-free Unix code. The original AT&T Unix and Linux are also monolithic. the "easy editor" with some similarities to nano and pico (both of which are in the ports tree. it only looks at the base system.wikibooks. without the need for other files (shared libraries) containing code shared by programs. This is nvi included with BSD. Thus installing a program is often two easy steps. The programs in /bin/ and /sbin/ are statically linked. Then. Objective C. The base system can rebuild itself with gcc. The system compiler is the GNU Compiler Collection (GCC) with C. This section describes the userland included with the base system. gcc does not look in /usr/local/ for header files and libraries. Actually. or the use of tools like "lspci". the fast file system. so the shared library /usr/lib/libc. Building software takes a long time. type a "make install" command and wait for everything to finish. [edit] Userland Recall that userland consists of all the software above the kernel.. The kernel boot messages (also visible with dmesg. and is not some other vi implementation such as vim. In contrast. the Linux drivers seem to give any boot messages that they feel like. The library code is copied into the programs. extracting. The main text editor in the base system is "vi".The *BSD kernel (often installed at "/bsd/") is monolothic.

and the creation of the ports system that made downloading. Hotmail. where m and n are small positive integers. Initially. Other major changes include an m:n threading solution called KSE which is now the default threading (pthreads) library. FreeBSD 3. and Yahoo!. Perhaps FreeBSD 2. FreeBSD developers maintain (at least) two branches of simultaneous development. userland utilities and applications by others. A -STABLE branch of FreeBSD is created for each major version number. it is eventually backported ("MFC" . a similar but better-known operating system. and all are packaged together by other groups and published as Linux distributions. FreeBSD ended up re-engineering much of the system with the FreeBSD 2. such as the GNU project.Merge from CURRENT in the FreeBSD developer slang) to the -STABLE branch. from which releases are cut about once every 4-6 months. which was optimized for performance under high loads. The latest 4-STABLE release of FreeBSD is 4. implies that m userland threads correspond to n kernel threads. The kernel. FreeBSD's development model is described in an in-depth article by Niklas Saers [3]. releasing much of the kernel from the MP lock. -CURRENT. taking its sources from 386BSD. device drivers and all of the userland utilities. initial support for SMP systems and also added support for a new 64 bit platform: the Alpha.2. and was released in May 2006. Berkeley. A long uptime also indicates that no kernel updates have been deemed necessary. and of the operating systems that accurately report uptime remotely [1]. However. The BSD Daemon will remain as the FreeBSD Project mascot. The TrustedBSD project was formed by Robert Watson for the express purpose of adding trusted operating system functionality to the FreeBSD operating system. It is now possible for more than one process to execute in kernel mode at the same time.4BSD-Lite release from the University of California. If a feature is sufficiently stable and mature. is now 7. Many other new features are security related.0's most notable advance was the revamp of the original CMU's Mach Virtual Memory system. FreeBSD is generally regarded as quite reliable and robust.11. This is in contrast to Linux. The development branch. An extensible mandatory access control framework (the TrustedBSD MAC . At its time the 3. FreeBSD is the most common free operating system listed in Netcraft's list [2] of the 50 web servers with the longest uptime (uptime on some operating systems such as some versions of Linux can't be calculated). The terminology m:n. but it was a necessary step to develop what would become the very successful 4. The FreeBSD Handbook includes more historical information about the genesis of FreeBSD. such as the shell.1 were cut from -CURRENT).3 (the creation of the 5-STABLE branch). [edit] FreeBSD 5 development and changes The latest and final FreeBSD release from the 5-STABLE branch is 5. sometimes referred to as the Big Giant Lock. as installing a new kernel requires a reboot and resets the uptime counter of the system. due to concerns about the legality of all the sources used in 386BSD and a consequent lawsuit between Novell (then owner of the UNIX trademark) and Berkeley. building and installing third party software very easy.X branch. the competition finished and the design by Anton K.FreeBSD is developed as a complete operating system. in which the kernel is developed by one set of developers.5. are held in the same source code revision tracking tree (CVS).0. FreeBSD employed the BSD Daemon as its logo. but in 2005 a competition for a new logo was arranged. Gural was chosen as the new FreeBSD logo. The first 6-STABLE release was 6.0 brought many changes: it switched to the ELF binary format. starting with 5.0 release in January of 1995 using the 4.3 (5.com (a huge repository of software that broke several throughput records on the net). which contains aggressive new kernel and userspace features. The first 5-STABLE release was 5.X branch was severely critized as many changes were not evidently beneficial and affected performance.0 through 5. which is the last of the 4-STABLE branch releases. FreeBSD powered extremely successful sites like cdrom. On October 8. 2005. The big difference in FreeBSD 5 was a major change in the low-level kernel locking mechanisms to enable better symmetric multiprocessor (SMP) support. As an operating system. History and development Initial development of FreeBSD started in 1993.0-CURRENT.

0-CURRENT is under active development. been limited success in using it to run games on FreeBSD [4].Framework). these applications are in the minority. the Unreal Tournament series. three-clause BSD license. Generally. WordPerfect. The primary release accomplishments of this release include the removal of the Giant lock from VFS. There are also parts under the GPL. RealPlayer. such as mirroring (gmirror) and encryption (gbde). Applications used under the Linux compatibility layer include StarOffice. replacement of the libthr library with a better performing implementation of 1:1 threading. albeit one with a long gestation period due to the large feature set. however. LGPL. ccp. and 7. Skype. Oracle. Adobe Acrobat. which allows everyone to use and redistribute FreeBSD as they wish. and so on. contributed by Poul-Henning Kamp. License As with its sister operating systems. possibly because this compatibility layer only supports the system calls of Linux Kernel 2. A 2006 Summer of Code project to update the compatibility layer and implement missing system calls has been accepted [5]. Though there are many applications that run flawlessly under the compatibility layer.4. that are only distributed in binary form and thus cannot be ported to FreeBSD without the will of those who control the source code. Also available are binary blobs for particular functionality. Derivatives . a historic release. and the new UFS2 filesystem all came from TrustedBSD. FreeBSD 5 has also significantly changed the block I/O layer with the introduction of the GEOM modular disk I/O request transformation framework. often commercial. TransGaming's product to run Microsoft Windows games on Linux. SeaMonkey. Doom 3. Quake 4. as well as additional work in the area of advanced 802. and the addition of a BSM audit implementation. the code in FreeBSD is released under the terms of a variety of licenses. Mathematica and Matlab perform as expected.4 has confirmed the FreeBSD 5. applications such as nmrpipe. filesystem Access Control Lists (ACLs). Its usage is largely crippled at this time due to an incomplete compatibility layer. The recent release of FreeBSD 5. 2006. These versions continue the work on SMP and threading optimization. created by the TrustedBSD Project which is heavily based upon the BSM implementation found in Apple's Open Source Darwin which has been released under a BSD-style license. One example of this is Cedega. FreeBSD 6 and 7 FreeBSD 6. it allows FreeBSD users to run a majority of the applications that are only distributed as Linux binaries. For most scientific applications. called OpenBSM. There has. the Linux compatibility layer performs correctly.11 functionality. such as the Atheros HAL for wireless functionality and a binary only tool for Adaptec's AAC RAID. thus rendering some Linux binaries unusable on FreeBSD or limiting their functionality. including Linux. The reasoning behind this is generally attributed to being able to run applications developed for Linux.x branch as a highly stable and well-performing release. and four-clause BSD license. ISC.1 was released on May 8. GEOM enables the simple creation of many kinds of functionality. Linux compatibility FreeBSD provides binary compatibility with several other Unix-like operating systems. there seems to be no noticeable performance penalty when running Linux binaries as opposed to native FreeBSD ones. Some of the TrustedBSD functionality has been integrated into the NetBSD and OpenBSD operating systems as well. VMware.2. All of the kernel code and most newly created code is released under the terms of the twoclause BSD license. When compared to the vast number of native applications available for FreeBSD using the Ports Collection. In a nutshell. the Linux version of Netscape. it should be noted that the layer is not complete. and TrustedBSD security event auditing.

Apple continues to integrate new code from and contribute changes back to FreeBSD. the FreeSBIE and Frenzy live CD distributions. ~ refers to your home directory. Most programs use this shell variable to find your home. the m0n0wall and pfSense embedded firewalls. The names of environment variables are case-sensitive. A shell variable is like an environment variable. even if it differs from your home directory in /etc/passwd. This is an easy way for a user to get own username. you can start programs that put dotfiles or other files in a different directory than your usual home directory. These range from embedded devices. also includes substantial FreeBSD code. [edit] LOGNAME The name of the user. a notable fork from FreeBSD 4. and DragonFly BSD. including its virtual file system. programs must not trust this variable because it can be set to an arbitrary value. network stack and components of its userspace. You can use shells to set variables. In Bourne shell.org/wiki/Guide_to_Unix/BSD/FreeBSD" Unix/Environment Variables An environment variable is a setting normally inherited or declared when a shell is started. but normally you just write a shell initialisation script to set it in each shell. ~tux always refers to the home directory of user tux as specified in /etc/passwd. In most shells. Examples: EDITOR=vi EDITOR=emacs [edit] HOME The home directory of the user. originally derived from Apple's codebase but now a separate entity. vipw. such as Juniper routers and Nokia's firewall operating system. and other such programs when you tell them to edit a file. However. . Retrieved from "http://en. borrows heavily from FreeBSD.wikibooks. thus you can set this variable to override the setting in /etc/passwd for your home directory. there are a number of operating systems originally forked from or based on FreeBSD including PC-BSD and DesktopBSD. the core of Apple's Mac OS X.) [edit] EDITOR The editor program called by sudoedit. to portions of other operating systems including Linux and the RTOS VxWorks. Both LOGNAME and USER should be set to the username. except that it is not exported to new programs started from that shell. The open source OpenDarwin. by convention they are uppercase. (You could export it. the syntax varies but Bourne shells use: $ VARNAME=new value $ export VARNAME or $ export VARNAME=new value Each program started from that shell will have VARNAME set to new value. This way.A range of products are directly or indirectly based on FreeBSD. In addition. which include enhancements aimed at home users and workstations. while ~ (without a username after it) always refers to the value of HOME. Darwin.8 aiming for a different multiprocessor synchronization strategy than that chosen for FreeBSD 5 and development of some microkernel features.

The bash and public domain ksh shells use this as the prompt string. [edit] PS1 This is a shell variable. in which case the email reader uses the default setting. not normally exported as an environment variable. which is where many systems deliver mail.bash_profile. Some users do not have email at their local Unix box. \W (name of working directory w/o path). it is not run. The system boot scripts also set PATH. it uses this variable to find the inbox. but /bin/ls does). in which case the MAIL environment variable is irrelevant. Examples: PATH=/bin:/sbin:/usr/bin:/usr/sbin:/home/puffy/bin If this PATH is set and you type the shell command $ uname -r then the shell searches for the "uname" executable program. . then the shell stops searching and runs it. Examples: PAGER=less PAGER=more [edit] PATH A space or colon separated list of directories in which the shell searches for executables when a command is run without an absolute path. The default value for user "tux" would be /var/mail/tux. the first command to set the path would seem to be in /etc/rc.sysinit. such as /etc/profile for Bourne shells. because the search never reached that directory. If /home/puffy/bin/uname also is executable. which is one of the shell scripts invoked by the init process (inittab). then /usr/bin.d/rc. Many users do not have MAIL set. [edit] PAGER The pager called by man and other such programs when you tell them to view a file. \u (username). The frequency for which "bash" checks and alerts you for new local email.conf for OpenBSD systems. First it searches in /bin. \t (time). Some systems set PATH using the system shell initialistation files.Examples: LOGNAME=tux LOGNAME=puffy [edit] MAIL The location of incoming local email. Things that can be put in the prompt string include \h (hostname). not normally exported as an environment variable. Some systems set PATH before this as part of the login procedure. \d (date). for example in /etc/login. If /bin/uname is an executable (which it should be). \w (absolute pathname of working directory). For example. When mail or another local email reader inherits this environment variable. On some Linux boxes. then /sbin. [edit] MAILCHECK This is a shell variable. then add /usr/X11R6/bin to the path using /etc/profile. but instead use the Internet to access their mail server. a Linux box could set the PATH at login. then add /home/ambler/bin to the path using ~/. For example ls doesn't have an absolute path.

UNIX/FILES Contents [hide] 1 /etc/ 1. On some Slackware boxes. the command line prompt is set in /etc/profile. The xterm and rxvt prompts are different. and indicates how they are to be used or otherwise integrated into the overall system's file system. but it would be if you write a ~/.bashrc to do that.bashrc file runs /etc/bashrc.4 /etc/profile 1.bashrc. A Practical Guide to Linux. Prompts are shell variables set from shell initialisation scripts. not normally exported as an environment variable. by Mark G. The prompt is also set in /etc/profile.3 /etc/passwd 1. The bash and public domain ksh shells use this as a secondary prompt string. Sobell and published by Addison-Wesley (1998).6 /etc/sysctl. the primary prompt string is set in the /etc/bashrc file.1 /dev/cdrom 5.1 /etc/fstab 1. Because every instance of "bash" runs ~/. The fstab file typically lists all used disks and disk partitions.2 /etc/group 1. [edit] USER This variable should have the same setting and purpose as LOGNAME.conf 1. [edit] PS2 This is a shell variable. The prompt is not set for X sessions. .3 /dev/hd* 5. A ~/.4 /dev/null 6 Dot files 7 Directories [edit] /etc/ [edit] /etc/fstab The fstab (for file systems table) file is commonly found on Unix and Unix-like systems and is part of the system configuration.On some Red Hat boxes. They are not xterm settings set by X resources such as /usr/X11R6/lib/X11/app-defaults/XTerm. but the setting in bashrc seems to take precedence. the prompt also appears in X sessions started from a display manager such as "xdm".5 /etc/shadow 1.2 /dev/fd* 5.7 Files to be merged in to the list 2 /proc/ 3 /var/ 4 /boot/ 5 /dev/ 5. has more information on prompt strings at page 331. which sets the prompt.

However. The fourth column gives options.alice It has four sections which going from left to right are.alice) The list of users who are members of that group. Some unixs such as HP-UX reserve other groups numbers as well. the fstab was only read by programs.org. (0) The unique id assigned to the group.au/talks/fstab/fstab_structure. and not written to. The third column indicates the filesystem type. The file may have other names on a given Unix variant.kudzu 0 0 ntfs swap ro. including if the filesystem should be mounted at boot. or algorithm to use to interpret the filesystem. A value of zero in either of the last 2 columns disables the corresponding feature (http://www. A typical entry is: root::0:root. more modern system administration tools can automatically build and edit fstab. See also mtab [edit] /etc/group /etc/group stores the definitive list of the users groups and their members.html). (root) The group name. The second column indicates where the data is to be attached to the filesystem. To get more information about the fstab file you can read the man page about it.mode=620 0 0 /proc proc defaults 00 /dev/shm tmpfs defaults 00 udf.owner. The Kfstab graphical configuration utility is available for KDE for editing fstab. Example The following is an example of a fstab file on a Red Hat Linux system: # device name LABEL=/ none none none mount point fs-type options dump-freq pass-num / ext3 defaults 11 /dev/pts devpts gid=5. or act as graphical editors for it. It is the duty of the system administrator to properly create and maintain this file. Normally not used.Traditionally. Group ids below 10 are reserved for system use. [edit] /etc/passwd . The sixth column indicates the order in which the fsck utility will scan the partitions for errors when the computer powers on. (root. for example. it is /etc/vfstab on Solaris.humbug.iso9660 noauto. () The group password in a hashed form. The fifth column adjusts the archiving schedule for the partition (used by dump).kudzu.defaults defaults 00 00 00 # my removable media /dev/cdrom /mnt/cdrom /dev/fd0 /mnt/floppy # my NTFS Windows XP partition /dev/hda1 /mnt/WinXP /dev/hda6 swap # my files partition shared by windows and linux /dev/hda7 /mnt/shared vfat umask=000 ( kudzu is an option specific to Red Hat and Fedora Core ) The first column indicates the device name or other means of locating the partition or data source.ro 0 0 auto noauto.owner.

(alice) The username. [edit] Files to be merged in to the list /etc/aliases . it contains a list of users and their associated internal user id numbers.system-wide default functions and aliases for the bash shell /etc/conf. can be used for anything or left blank. (/home/alice/) The home directory of the user. (621) date of last password change. Changing the file has no effect before the next reboot. if left blank the account will remain indefinitely. An entry in this file is of the form: alice:*:134:20:Alice Monkey:/home/alice/:/bin/bash It has seven sections which going from left to right are. For example the user id 0 is used for the root user. (43SrweDe3F) The password in hashed form. do not. Some Bourne-compatible shells also use this file. (30) the maximum number of days before the user is forced to change their password. (*) The password in a hashed form. In modern systems a star indicates shadowing is in use and hence the password can be found in /etc/shadow/. (5) the mimimum number of days before the password may be changed. When these users login. (134) The unique id assigned to the user. (10) the number of days after which a user is advised to change their password./etc/passwd is the user authentication database. [edit] /etc/sysctl. alice:43SrweDe3F:621:5:30:10:100:900: The sections are: (alice) The username.aliases and options for configurable modules . the Bourne shell runs the commands in this file before giving the shell prompt to the user. however as this file needs to world readable (so all programs can use it to convert between username and user id) it is no longer considered secure to keep passwords in this file.file containing aliases used by sendmail and other MTAs (mail transport agents). the scripts read this file and use "sysctl" to set the parameters shown in the file. [edit] /etc/profile /etc/profile contains the system default settings for users who login using the Bourne shell. After updating this file. (100) the maximum number of days an account can be inactive for before it is suspeneded. During system boot. Most often used for the purpose of temporary accounts.conf /etc/sysctl. Some unique ids have special purposes.modules . Most of these commands are variable assignments which configure the behavior of the shell. [edit] /etc/shadow /etc/shadow contains the passwords for users in systems which use shadowing. Normally used for personal information abou the user such as full name. but other shells. /etc/bashrc . it is necessary to run the newaliases utility for the changes to be passed to sendmail.conf configures the behavior of the running Unix kernel. such as the C shell. Historically it also included passwords. "/bin/sh". (20) The group that the user is assigned to upon login. (Alice Monkey) The GCOS field. (900) the date the account will expire. (/bin/bash) The users default shell.

dir_colors file in the user's home directory. /proc/version .contains a list of the i/o addresses used by various devices connected to the computer /proc/kcore . etc.d./etc/crontab . /etc/hosts.local (Mandrake/Red Hat) on startup. /etc/termcap . For obvious security reasons.ASCII database defining the capabilities and characteristics of different consoles. For security reasons.contains information on partitions and filesystems used by system to mount different partitions and devices on the directory tree /etc/HOSTNAME . It's also possible to use the free command to get the same information (and more). /etc/mtab .conf .contains a list of domain name servers used by the local machine /etc/securetty . This is often overwitten by the /etc/rc.similar to /etc/passwd but for groups /etc/inetd. This is typically the program which is responsible for. Also sets up other system-wide environment variables.prints interrupts currently in use /proc/ioports .The command ls -l /proc/kcore will give the amount of RAM on the computer. setting up virtual login terminals.runs different programs and processes on startup. printed immediately after login.configures the inetd daemon to tell it what TCP/IP services to provide (which daemons to load at boot time).shows currently mounted devices and partitions and their status /etc/passwd .shell script to run different commands periodically (hourly. A corrupt /etc/passwd file can easily render a Linux box unusable.contains passwords and other information concerning users who are registered to use the system.conf . running the rc.sets system-wide defaults for bash shell. weekly. It can be modified by root directly.d.allow .S script (in Slackware) or by the /etc/rc. daily. monthly. but it is preferable to use a configuration utility such as passwd to make the changes.d/rc.contains a list of terminals on which root can login. /etc/fstab . The location in Slackware is /etc/XF86Config. and perhaps other rpm-based distributions).d/rc.hosts allowed (by the tcpd daemon) to access Internet services /etc/hosts. /etc/inittab .used by system to store information about last boot /var/log/wtmp . /etc/issue . Used in conjunction with the eval command (see below). This is often overwritten by /etc/rc.contains a list of host names and absolute IP addresses. and printers /etc/X11/XF86Config . /etc/lilo.used by syslog daemon to store kernel boot-time messages /var/log/lastlog .pre-login message.S (Slackware) or /etc/rc.message of the day file.specifies hosts to which file systems can be exported using NFS.X configuration file.cpu information /proc/filesystems . and running xdm for a graphical login prompt (only if the default runlevel is set for a graphical login).configuration file for lilo boot loader /etc/motd . terminals.) /etc/DIR_COLORS . It is this file in Slackware that sets up the DIR_COLORS environment variable for the color ls command. The dircolors command uses this file when there is not a .prints Linux version and other info [edit] /var/ /var/log/messages .prints filesystems currently in use /proc/interrupts . this should not include dialup terminals.local script (in Mandrake and Red Hat. among other things. Man exports contains information on how to set up this file for remote users.deny .d/rc.used to store colors for different file types when using ls command.stores the name of the host computer /etc/hosts . /etc/exports . See the remarks in connection with /etc/issue. The relevant lines should be commented out (or changed) in these scripts if a custom pre-login message is desired.d/rc.shows the setup of printers /etc/profile . setting the default runlevel.sysinit script contained in /etc/rc. bringing down the system in an orderly fashion in response to [Ctrl][Alt][Del]. A good start to securing a Linux box is to turn off these services unless they are necessary. [edit] /proc/ /proc/cpuinfo . running the rc script in /etc/rc.hosts forbidden (by the tcpd daemon) to access Internet services /etc/group .contains binary data indicating login times and duration for each user on system [edit] /boot/ . /etc/resolv. /etc/printcap .conf . this is readable only by root.

The second drive is either /dev/hdb or /dev/hdc. for example if the file does not exist: $ rm x rm: x: No such file or directory One can hide the error by redirecting it to a file. . Examples: Deleting file called "x" (command rm x) sometimes causes an error. but hdb on some). depending on the hardware configuration. the kernel is located at /vmlinuz. In the Slackware distribution. [edit] /dev/fd* At Linux. Generally. Many machines have one hard drive (hda) and one cdrom drive (hdc on many machines. [edit] /dev/null /dev/null is a do-nothing device to use when one wants to ignore or delete program output. simply "> y" will do the same thing. By using /dev/null as the file.. /dev/fd0 is the first floppy disk drive at the system. This file is useful when a program expects to save to a file. [edit] /dev/hd* At Linux. the "2>&1" redirects the standard error of "rm" (where the error appears) to standard output.7MB of space. Red Hat and Mandrake do not contain these device driver files by default. so the file "y" appears. but you want not to save anything. Some IDE hardware allows up to four drives. /dev/hda is the first IDE hard drive. /dev/cdrom is a symbolic link to the cdrom drive.5" diskette with up to 1. Bourne shell: $ rm x > /dev/null 2>&1 In the Bourne shell. /dev/fd1 is the second floppy disk drive. There is no actual hardware associated with the /dev/null device.the typical location and name of the Linux kernel. Likewise. but is also empty. One way to make an empty file called "y" is: $ cat /dev/null > y The "cat" command copies the file "/dev/null" to standard output. and the shell operator ">" redirects this output to "y". this is invoked when formatting a floppy drive for a particular density. The "/dev/null" file seems empty when read. Use /dev/fd0H1440 to operate the first floppy drive in high density mode. Partitions are numbered from 1./boot/vmlinuz . Often. [edit] /dev/ [edit] /dev/cdrom /dev/cdrom is not an actual device. /dev/hda2. then the ">" redirects the standard output to /dev/null.) . a Linux system with /dev/hdb for its floppy drive is likely to have a link /dev/cdrom which redirects to /dev/hdb. the error never saves to an actual file. For example. This file can also be used as input to a program to represent an empty file. (Note that in this case. including /dev/hdd. but on many systems it is a symbolic link to the actual CD device. like /dev/hda1.. Slackware comes with drivers that allow for formatting a 3.

/etc/X11 .fvwm2rc .files used during booting and possibly the kernel itself are stored here /dev .inet1 script to set up networking (in Slackwar). System-wide functions and aliases go in /etc/bashrc and default environment variables go in /etc/profile. There is also typically an rc. If a program doesn't find its configuration file in the user's home directory. If it doesn't find that. Can be used to activate applications. the look and behavior of emacs can be customized by usinng the .fvwmrc . along the lines of autoexec.d. Contains files for services to be started and stopped at that run level.initialization commands that are run automatically (like autoexec.cshrc .d .lessrc .profile.initialization command run when bash shell starts up as a non-login shell .bash_logout . run a given window manager.login .logout .xinitrc .configuration file for fvwm2 window manager .bat in DOS.xsession .typically contains key bindings for cursor movement with the less command . most with . Default versions of these files are often installed in users' home directories when the software packages that use them are installed.d .home directories of individual users /lib . /etc/skel .file executed by bash shell on logout .Xdefaults file. .d . etc.bash_login.configuration files for the X Window system /home . but also by adding the appropriate modifications to the . an rc. Bash looks first for a .contains device files for various devices on system /etc . The behavior of many different application programs can be changed by modifying this file.configuration file for the jed text editor .initialization file when user logs in .bashrc . Includes tables of disks to mount. not this book.bash_profile. . If it does not find .contains most of the initialization scripts themselves on an rpm-based system.[edit] Dot files TODO Move files for X11 from here to Guide to X11.jedrc .initialization file when running startx. these files are symbolic links to the initialization scripts themselves. /etc/rc. it looks for .emacs file.modular device driver files. /etc/profile.Xdefaults .configuration file for emacs editor .wm_style .commands run when user logs out . processes to run on startup.bat) when C shell is initiated . Should contain all binaries needed to boot the system or run it in single-user mode /boot . NFS. --Kernigh 00:29. /bin . /etc/rc. and modify the appearance of the root window.d . and mail.initialization of bash shell run only on login.where ``*'' is a number corresponding to the default run level. 22 December 2005 (UTC) There is some redundancy across these programs. On rpm-based systems.essential UNIX commands such as ls.contains a number of shell scripts that are run on bootup at different run levels.d/init. it looks for .d/init.standard shared library files /lib/modules . The source of this information is Transwiki:Useful unix command.gives choice of default window manager if one is not specified in startx . and an rc. despite attempts at standardization such as the the Linux Filesystem Hierarchy Standard (FHS) organization.emacs . etc.bash_profile .files used by subsystems such as networking. /etc/rc. For example.bash_profile file when started as a login shell or with the -login option.configuration file for xdm [edit] Directories Different distributions have different directory structures.directory containing several example or skeleton initialization shells. .sets up X resources for individual user. it will often fall back on a sytem-wide default configuration file installed in one of the subdirectories that the package lives in. which are in /etc/rc. Often contains subdirectories and files used to populate a new user's home directory. .d/rc*.configuration file for fvwm window manager .modules script to load modular device drivers.contains scripts that are run by /etc/profile upon login.local script that can be edited to run commands desired by the administrator.o extensions .

/usr . The same file can also be found at /var/adm/packages. November 2002 Copyright (C) 2000. Contains the kernel sources.yet another place to look for comon executables /usr/man . 51 Franklin St./mnt . APPLICABILITY AND DEFINITIONS 3 2. VERBATIM COPYING 4 3. etc.location of program documentation files under Mandrake and Red Hat /usr/src .directory specifically designed for programs and users to store temporary files. and monitoring /tmp . Source code for programs of all types are often unpacked in this directory. cd-rom readers.X Window system distribution /usr/local/bin .other commands used by superuser for system administration /usr/share . which contains executable binaries related to the X Window system /usr/doc . PREAMBLE 2 1.a. mail that has not yet been picked up. /proc . /usr/src/linux . The /bin directory is generally located on the same disk partition as /. /usr/bin/X11 .often a symbolic link to a subdirectory whose name corresponds to the exact version of the Linux kernel that is running.h /usr/info . documentation. MA 02110-1301 USA Everyone is permitted to copy and distribute verbatim copies of this license document. /var/log/scripts .2002 Free Software Foundation. used by various utilities /var/log/packages .temporary storage for files being printed.contains files. /var/spool . COMBINING DOCUMENTS 7 6. /var . and the main location of program documentation files under Slackware /usr/include . COPYING IN QUANTITY 5 4. MODIFICATIONS 6 5.standard location of include files used in C programs such as stdio.most often a symbolic link to /usr/X11R6/bin. each of which has detailed information on an installed package in Slackware. Other filesystems are only mounted at a later stage during startup. etc. etc.standard library files such as libc. but changing it is not allowed. Boston. libraries.directory containing a number of subdirectory with programs.administrative files such as log files. /usr/lib/X11 . so putting binaries essential for boot here is not a good idea. which is mounted in read-only mode during the boot process.contains most user commands. Should not contain binaries necessary for booting the system. setup and auxiliary files /usr/share/doc . Contents [hide] 1 0.virtual file system that provides a number of system statistics /root . Inc. Searched by the linker when programs are compiled. COLLECTIONS OF DOCUMENTS 8 7.contains subdirectories where many installed programs have configuration.location of miscellaneous documentation.location of binaries used for system administration. Each device is mounted on a subdirectory of /mnt. Fifth Floor. since the adm subdirectory is a symbolic link to log.primary location of the GNU info system files /usr/lib . which go in /bin. AGGREGATION WITH INDEPENDENT WORKS . /usr/bin . You can inspect these scripts to see what special features are included in individual packages. Each package file contains a short description plus a list of all installed files.location of manual page files /usr/sbin .package installation scripts in Slackware are stored here. configuration.typical mount point for many user-mountable devices such as floppy drives.2001.home directory for root /sbin .2. UNIX/GNU FREE DOCUMENTATION LICENSE Version 1.location of source programs used to build system.


[edit] 0. PREAMBLE The purpose of this License is to make a manual, textbook, or other functional and useful document "free" in the sense of freedom: to assure everyone the effective freedom to copy and redistribute it, with or without modifying it, either commercially or noncommercially. Secondarily, this License preserves for the author and publisher a way to get credit for their work, while not being considered responsible for modifications made by others. This License is a kind of "copyleft", which means that derivative works of the document must themselves be free in the same sense. It complements the GNU General Public License, which is a copyleft license designed for free software. We have designed this License in order to use it for manuals for free software, because free software needs free documentation: a free program should come with manuals providing the same freedoms that the software does. But this License is not limited to software manuals; it can be used for any textual work, regardless of subject matter or whether it is published as a printed book. We recommend this License principally for works whose purpose is instruction or reference. [edit] 1. APPLICABILITY AND DEFINITIONS This License applies to any manual or other work, in any medium, that contains a notice placed by the copyright holder saying it can be distributed under the terms of this License. Such a notice grants a world-wide, royalty-free license, unlimited in duration, to use that work under the conditions stated herein. The "Document", below, refers to any such manual or work. Any member of the public is a licensee, and is addressed as "you". You accept the license if you copy, modify or distribute the work in a way requiring permission under copyright law. A "Modified Version" of the Document means any work containing the Document or a portion of it, either copied verbatim, or with modifications and/or translated into another language. A "Secondary Section" is a named appendix or a front-matter section of the Document that deals exclusively with the relationship of the publishers or authors of the Document to the Document's overall subject (or to related matters) and contains nothing that could fall directly within that overall subject. (Thus, if the Document is in part a textbook of mathematics, a Secondary Section may not explain any mathematics.) The relationship could be a matter of historical connection with the subject or with related matters, or of legal, commercial, philosophical, ethical or political position regarding them. The "Invariant Sections" are certain Secondary Sections whose titles are designated, as being those of Invariant Sections, in the notice that says that the Document is released under this License. If a section does not fit the above definition of Secondary then it is not allowed to be designated as Invariant. The Document may contain zero Invariant Sections. If the Document does not identify any Invariant Sections then there are none. The "Cover Texts" are certain short passages of text that are listed, as Front-Cover Texts or Back-Cover Texts, in the notice that says that the Document is released under this License. A Front-Cover Text may be at most 5 words, and a Back-Cover Text may be at most 25 words. A "Transparent" copy of the Document means a machine-readable copy, represented in a format whose specification is available to the general public, that is suitable for revising the document straightforwardly with generic text editors or (for images composed of pixels) generic paint programs or (for drawings) some widely available drawing editor, and that is suitable for input to text formatters or for automatic translation to a variety of formats suitable for input to text formatters. A copy made in an otherwise Transparent file format whose markup, or absence of markup, has been arranged to thwart or discourage subsequent modification by readers is not Transparent. An image format is not

Transparent if used for any substantial amount of text. A copy that is not "Transparent" is called "Opaque". Examples of suitable formats for Transparent copies include plain ASCII without markup, Texinfo input format, LaTeX input format, SGML or XML using a publicly available DTD, and standardconforming simple HTML, PostScript or PDF designed for human modification. Examples of transparent image formats include PNG, XCF and JPG. Opaque formats include proprietary formats that can be read and edited only by proprietary word processors, SGML or XML for which the DTD and/or processing tools are not generally available, and the machine-generated HTML, PostScript or PDF produced by some word processors for output purposes only. The "Title Page" means, for a printed book, the title page itself, plus such following pages as are needed to hold, legibly, the material this License requires to appear in the title page. For works in formats which do not have any title page as such, "Title Page" means the text near the most prominent appearance of the work's title, preceding the beginning of the body of the text. A section "Entitled XYZ" means a named subunit of the Document whose title either is precisely XYZ or contains XYZ in parentheses following text that translates XYZ in another language. (Here XYZ stands for a specific section name mentioned below, such as "Acknowledgements", "Dedications", "Endorsements", or "History".) To "Preserve the Title" of such a section when you modify the Document means that it remains a section "Entitled XYZ" according to this definition. The Document may include Warranty Disclaimers next to the notice which states that this License applies to the Document. These Warranty Disclaimers are considered to be included by reference in this License, but only as regards disclaiming warranties: any other implication that these Warranty Disclaimers may have is void and has no effect on the meaning of this License. [edit] 2. VERBATIM COPYING You may copy and distribute the Document in any medium, either commercially or noncommercially, provided that this License, the copyright notices, and the license notice saying this License applies to the Document are reproduced in all copies, and that you add no other conditions whatsoever to those of this License. You may not use technical measures to obstruct or control the reading or further copying of the copies you make or distribute. However, you may accept compensation in exchange for copies. If you distribute a large enough number of copies you must also follow the conditions in section 3. You may also lend copies, under the same conditions stated above, and you may publicly display copies. [edit] 3. COPYING IN QUANTITY If you publish printed copies (or copies in media that commonly have printed covers) of the Document, numbering more than 100, and the Document's license notice requires Cover Texts, you must enclose the copies in covers that carry, clearly and legibly, all these Cover Texts: Front-Cover Texts on the front cover, and Back-Cover Texts on the back cover. Both covers must also clearly and legibly identify you as the publisher of these copies. The front cover must present the full title with all words of the title equally prominent and visible. You may add other material on the covers in addition. Copying with changes limited to the covers, as long as they preserve the title of the Document and satisfy these conditions, can be treated as verbatim copying in other respects. If the required texts for either cover are too voluminous to fit legibly, you should put the first ones listed (as many as fit reasonably) on the actual cover, and continue the rest onto adjacent pages. If you publish or distribute Opaque copies of the Document numbering more than 100, you must either include a machine-readable Transparent copy along with each Opaque copy, or state in or with each Opaque copy a computer-network location from which the general network-using public has access to download using public-standard network protocols a complete Transparent copy of the Document, free of added material. If you use the latter option, you must take reasonably prudent steps, when you begin distribution of Opaque copies in quantity, to ensure that this Transparent copy will remain thus

accessible at the stated location until at least one year after the last time you distribute an Opaque copy (directly or through your agents or retailers) of that edition to the public. It is requested, but not required, that you contact the authors of the Document well before redistributing any large number of copies, to give them a chance to provide you with an updated version of the Document. [edit] 4. MODIFICATIONS You may copy and distribute a Modified Version of the Document under the conditions of sections 2 and 3 above, provided that you release the Modified Version under precisely this License, with the Modified Version filling the role of the Document, thus licensing distribution and modification of the Modified Version to whoever possesses a copy of it. In addition, you must do these things in the Modified Version: A. Use in the Title Page (and on the covers, if any) a title distinct from that of the Document, and from those of previous versions (which should, if there were any, be listed in the History section of the Document). You may use the same title as a previous version if the original publisher of that version gives permission. B. List on the Title Page, as authors, one or more persons or entities responsible for authorship of the modifications in the Modified Version, together with at least five of the principal authors of the Document (all of its principal authors, if it has fewer than five), unless they release you from this requirement. C. State on the Title page the name of the publisher of the Modified Version, as the publisher. D. Preserve all the copyright notices of the Document. E. Add an appropriate copyright notice for your modifications adjacent to the other copyright notices. F. Include, immediately after the copyright notices, a license notice giving the public permission to use the Modified Version under the terms of this License, in the form shown in the Addendum below. G. Preserve in that license notice the full lists of Invariant Sections and required Cover Texts given in the Document's license notice. H. Include an unaltered copy of this License. I. Preserve the section Entitled "History", Preserve its Title, and add to it an item stating at least the title, year, new authors, and publisher of the Modified Version as given on the Title Page. If there is no section Entitled "History" in the Document, create one stating the title, year, authors, and publisher of the Document as given on its Title Page, then add an item describing the Modified Version as stated in the previous sentence. J. Preserve the network location, if any, given in the Document for public access to a Transparent copy of the Document, and likewise the network locations given in the Document for previous versions it was based on. These may be placed in the "History" section. You may omit a network location for a work that was published at least four years before the Document itself, or if the original publisher of the version it refers to gives permission. K. For any section Entitled "Acknowledgements" or "Dedications", Preserve the Title of the section, and preserve in the section all the substance and tone of each of the contributor acknowledgements and/or dedications given therein. L. Preserve all the Invariant Sections of the Document, unaltered in their text and in their titles. Section numbers or the equivalent are not considered part of the section titles. M. Delete any section Entitled "Endorsements". Such a section may not be included in the Modified Version. N. Do not retitle any existing section to be Entitled "Endorsements" or to conflict in title with any Invariant Section. O. Preserve any Warranty Disclaimers. If the Modified Version includes new front-matter sections or appendices that qualify as Secondary Sections and contain no material copied from the Document, you may at your option designate some or all of these sections as invariant. To do this, add their titles to the list of Invariant Sections in the Modified Version's license notice. These titles must be distinct from any other section titles. You may add a section Entitled "Endorsements", provided it contains nothing but endorsements of your Modified Version by various parties--for example, statements of peer review or that the text has been approved by an organization as the authoritative definition of a standard.

You may add a passage of up to five words as a Front-Cover Text, and a passage of up to 25 words as a Back-Cover Text, to the end of the list of Cover Texts in the Modified Version. Only one passage of Front-Cover Text and one of Back-Cover Text may be added by (or through arrangements made by) any one entity. If the Document already includes a cover text for the same cover, previously added by you or by arrangement made by the same entity you are acting on behalf of, you may not add another; but you may replace the old one, on explicit permission from the previous publisher that added the old one. The author(s) and publisher(s) of the Document do not by this License give permission to use their names for publicity for or to assert or imply endorsement of any Modified Version. [edit] 5. COMBINING DOCUMENTS You may combine the Document with other documents released under this License, under the terms defined in section 4 above for modified versions, provided that you include in the combination all of the Invariant Sections of all of the original documents, unmodified, and list them all as Invariant Sections of your combined work in its license notice, and that you preserve all their Warranty Disclaimers. The combined work need only contain one copy of this License, and multiple identical Invariant Sections may be replaced with a single copy. If there are multiple Invariant Sections with the same name but different contents, make the title of each such section unique by adding at the end of it, in parentheses, the name of the original author or publisher of that section if known, or else a unique number. Make the same adjustment to the section titles in the list of Invariant Sections in the license notice of the combined work. In the combination, you must combine any sections Entitled "History" in the various original documents, forming one section Entitled "History"; likewise combine any sections Entitled "Acknowledgements", and any sections Entitled "Dedications". You must delete all sections Entitled "Endorsements." [edit] 6. COLLECTIONS OF DOCUMENTS You may make a collection consisting of the Document and other documents released under this License, and replace the individual copies of this License in the various documents with a single copy that is included in the collection, provided that you follow the rules of this License for verbatim copying of each of the documents in all other respects. You may extract a single document from such a collection, and distribute it individually under this License, provided you insert a copy of this License into the extracted document, and follow this License in all other respects regarding verbatim copying of that document. [edit] 7. AGGREGATION WITH INDEPENDENT WORKS A compilation of the Document or its derivatives with other separate and independent documents or works, in or on a volume of a storage or distribution medium, is called an "aggregate" if the copyright resulting from the compilation is not used to limit the legal rights of the compilation's users beyond what the individual works permit. When the Document is included in an aggregate, this License does not apply to the other works in the aggregate which are not themselves derivative works of the Document. If the Cover Text requirement of section 3 is applicable to these copies of the Document, then if the Document is less than one half of the entire aggregate, the Document's Cover Texts may be placed on covers that bracket the Document within the aggregate, or the electronic equivalent of covers if the Document is in electronic form. Otherwise they must appear on printed covers that bracket the whole aggregate. [edit] 8. TRANSLATION

However. The evolution of UNIX security features continues to this day. you may choose any version ever published (not as a draft) by the Free Software Foundation.org/copyleft/. or distribute the Document except as expressly provided for under this License. from you under this License will not have their licenses terminated so long as such parties remain in full compliance. sublicense or distribute the Document is void. you have the option of following the terms and conditions either of that specified version or of any later version that has been published (not as a draft) by the Free Software Foundation. UNIX COMPUTING SECURITY The only secure computer is one that's unplugged. The primary focus will be for the System Administrator of a UNIX system. If the Document specifies that a particular numbered version of this License "or any later version" applies to it. and will automatically terminate your rights under this License. In case of a disagreement between the translation and the original version of this License or a notice or disclaimer. controlling user access to the system. You may include a translation of this License. [edit] 9. Replacing Invariant Sections with translations requires special permission from their copyright holders. . That is the operator who is responsible for configuring and maintaining a functioning system. If a section in the Document is Entitled "Acknowledgements". and buried 20 feet under the ground in a secret location. UNIX computing systems have been made more widely available and have become an essential part of networking and internet infrastructure. TERMINATION You may not copy. This book is intended for an audience that has at least a basic familiarity with the UNIX operating system. modify. FUTURE REVISIONS OF THIS LICENSE The Free Software Foundation may publish new. FBI UNIX is a computer operating system that was first developed during the 1960s and 1970s at AT&T Bell Labs. See http://www. It was originally conceived as an academic operating system. or "History". If the Document does not specify a version number of this License. the directory structure.gnu. parties who have received copies. the original version will prevail. but you may include translations of some or all Invariant Sections in addition to the original versions of these Invariant Sections. particularly at the university level. Since then. "Dedications". revised versions of the GNU Free Documentation License from time to time. the requirement (section 4) to Preserve its Title (section 1) will typically require changing the actual title. including common shell commands. and any Warranty Disclaimers. however.. —Dennis Hughes. Such new versions will be similar in spirit to the present version. and hence security was not a top priority of the design. so you may distribute translations of the Document under the terms of section 4. with an increasingly urgent need for preventing inappropriate access to systems and their data.Translation is considered a kind of modification. modify. Each version of the License is given a distinguishing version number. as well as troubleshooting system failures.. Any other attempt to copy. sublicense. and so forth. or rights. [edit] 10. and file manipulation. but may differ in detail to address new problems or concerns. provided that you also include the original English version of this License and the original versions of those notices and disclaimers. and I'm not even too sure about that one. The increased level of access and the need for data security have driven improvements to UNIX security features. and all the license notices in the Document. locked in a safe.

as frequently as once per day if feasible. . However by continually applying a series of security measures to the systems.As there are multiple variations of the UNIX operating system made available by various computing vendors. a UNIX computing system can never be made fully secure. rather than as a result of curiosity. whether by confirming the identity of a person who performed an action. Finally. Even a greeting message presented prior to login can be used as a legal defense. In the event of a direct compromise through the hardware. Security is also used to manage privacy on a system. not to mention related operating systems such as Linux. In addition. This also includes the need to make periodic backup copies of files on the system on secure media. particularly in the circumstance where the system is serving as a component of a company business or when the loss of important information can have significant consequences. rather than just initiating monitoring in the particular circumstance. witnesses. copying. including viewing.1 Sarbanes-Oxley 2 System management 3 User education [edit] Legal issues A necessary element of system security is the legal system. To allow successful prosecution of unlawful activities against a computer system. and by allowing individuals to maintain control of private information. So logging and auditing need to be part of the standard security measures. It can be important during the prosecution to demonstrate that you were performing on-going active measures to prevent inappropriate access. and so forth. the net risk to the system can be brought to a minimum. costing a firm a significant source of income. The threat of prosecution is an important element in deterring an unlawful intrusion or activity. Providing security to a system is not a goal so much as it is an ongoing process. At least at present. UNIX COMPUTING SECURITY/PRINCIPLES AND POLICIES Computing security as it applies to UNIX is usually taken to mean protection of a UNIX-based computing system against unauthorized access to information or services on that system. But security can also apply to unauthorized attempts to deny appropriate individuals access to the stored information through loss of availability. A business service can be rendered inoperative for a period of time. a carefully-worded legal warning notice needs to be presented prior to login so that the potential intruder can not claim ignorance. forensic evidence must be available to demonstrate that a crime occured. This necessitates the use of logging to track activities and events on the system. and the protection of these logs against tampering. this book will cover topics common to most of the UNIX releases. including camera records. It is not even necessary for a system to be compromised in order to have business consequences. due diligence in securing your system can help demonstrate that an inappropriate intrusion was willful and dedicated. Features specific to a particular vendor's release will be noted accordingly. Contents [hide] 1 Legal issues 1. unmodified physical evidence may also be needed. modifying or destroying data.

Retrieved from "http://en. which can affect their stock value. So. New exploitations are constantly being discovered. and demonstrating useful tools that can enhance the security of their data. and in some cases muchneeded attention to computing security in many commercial companies. individual actions by users on a UNIX system can result in a net increase in the security risk. and decide whether the extra measures are worth the trade-off. and is likely to be met with resistance by the users. [edit] System management Applying security measures is a constant trade-off between maintaining the usefulness of a system and keeping it secure. Companies that are required to disclose that they have poor security practices could prove an uninviting investment. Events that resulted in the compromise of key computing systems can have a significant impact on the company business. some education of the users is needed. which must be reported to the SEC each year. Determining whether an individual is authorized to have access to the information is an essential component of UNIX system security. Although computing security was not a factor in the events that resulted in this act. This education includes raising security awareness. Each new security measure will further restrict activities on a system. additional changes to the system configuration. describe the measures used to protect the data. or simply an assessment of the risk and determining a means to manage it. secure methods of verifying identity. and requires access control policies. training users against certain types of harmful actions. attention to computing security has became an important factor. So the system operators must weigh the risks of data loss versus less utility. Due to these requirements. Section 409 — Real time disclosure of information. The law imposes accounting requirements and control practices on U. Requirements for accurate financial records have been strengthened. the legislation has had an indirect impact on security requirements. and the administrator will need to stay on top of remedies for newly discovered vulnerabilities.S. It requires careful examination of the system to control or eliminate these weaknesses.org/wiki/UNIX_Computing_Security/Principles_and_policies" . resulting in the need for control of all aspects of how financial information is processed. Three of the most relevant sections of Sarbanes-Oxley for computing security are: Section 302 — Certification of the completeness and accuracy of financial reports by the CEO and CFO. it will still require steady maintenance and monitoring to keep it that way. Once a system has been properly secured. Section 404 — Management assessment of internal controls.[edit] Sarbanes-Oxley The Sarbanes-Oxley Act of 2002 was a significant piece of legislation designed to help prevent corporate financial fraud. in addition to monitoring potentially harmful actions by users.wikibooks. and their ability to modify information on the system. companies. In many instances the operating system as shipped by a vendor is applied with a weak security configuration. Computing security became relevant due to a provision in Sarbanes-Oxley requiring disclosure of potential liabilities that might impact the bottom line. and methods of storing and transmitting credentials. The identity of the individual is used to determine the information they can access. and safeguard the information used to track the information security. The Administrator of a UNIX system has a significant ability to reduce security risks by properly configuring the operating system to enable security features. and neglecting to apply an appropriate restriction can leave a system vulnerable to exploitation. [edit] User education Unfortunately. Doing so may require periodic application of new patches. or at least those that are publically owned. The act requires companies to disclose when their financial information has been tampered with. This has brought an increased.

a user must have an account. such as delivering electronic mail. More on this later. Depending on the person or institution operating the systems. The root account has special capabilities that grant the user enhanced privileges. So these characters are usually prohibited on many UNIX systems.1 /etc/group 3 Identifiers 3.3 Unauthorized login attempts 2 Groups 2. or uucp. alphabetical characters. or share a common name across multiple systems. The username and password are normally sufficient to connect a user to the system. lp. if they are on the same system. The remainder of the login name can consist of numbers. —Clifford Stoll In order to connect to a UNIX-based system and perform activities. Each account can use a different name. . Contents [hide] 1 Login 1. and get a new one every six months. On UNIX systems it is a requirement that the first character of the username be an alphabetical character. bin. Typically an assigned name will be based on the person's actual name. which is string known to the user by which the account access is authenticated when accessing the system. or username. the individual users may be able to choose their account names. UNIX systems are typically delivered with a set of system accounts for performing special operations. or they may be assigned a name. Accounts with these special characters can cause problems with certain system functions. The case of the character matters: "Joe1234" is a different login name than "joe1234". and will be a unique identifier on the system.2 Selecting a password 1. In most cases the account begins with a lower case character by convention. sys. or accounts on different systems. which is associated with the account name. The account also has a password. which means that it is the name that the user types on the keyboard when prompted for a login.UNIX COMPUTINGSECURITY/ACCESS AUTHORIZATION Treat your password like your toothbrush.1 /etc/passwd 1. Thus an asterisk or colon character is invalid for a login name. These may include such accounts as root. Don't let anybody else use it. Users can have multiple accounts on the same system.1 Default accounts 4 Shadow password file 5 Account management [edit] Login The username is also the login name. This account must have a unique numerical identifier. and so precautions are usually enforced to prevent its acquisition by unauthorized individuals. or an underscore.

[edit] Selecting a password Once a user is logged on to a system. and each line is subdivided into fields that are separated by colons. If there is a format error in the /etc/passwd file.) The system stores the password in the /etc/passwd file in an encrypted form. Here are some exmples of typical passwords that can make it relatively easy to guess: . this could be the reason why. It is a good idea to run this from time to time to make sure potential problems haven't been introduced.) UNIX systems can include a command called pwck that can be run to check for format problems with the passwd file. the encrypted password field will be updated in the user's account entry in the /etc/passwd file. so accidently forgetting to turn off the caps-lock key may result in access denial. followed by a prompt for the password. the user will be allowed access to the system. their input password is encrypted and compared to the encryption in the /etc/passwd file. (Simultaneous edits can result in changes from one operator overwriting changes from another operator. the vipw command uses a locking mechanism to prevent another administrator from editing the same file at the same time. while others will not show anything. the system commands are unable to read entries further down in the file. This means that the password is encrypted using a technique that that does not have a known decryption method.[edit] /etc/passwd The information for UNIX accounts is stored in a text file located at /etc/passwd. If the two match then the user is allowed access. (Each connection allows multiple attempts in case the user accidently types the login name or password incorrectly. (They may be prompted to immediately change their password to something only they know. When they connect to the system they will be prompted for the login name. If a user is unable to log on to a system.) After the new password is accepted. then they will be prompted twice for the new password selection. That is. there is no efficient means to determine the password based on the encryption string. (This is why it is important for the root account to always be the first entry. If the system is configured correctly. they can change their password by means of the passwd command. For this reason it is vital that the password be selected so that it is difficult to guess.) If the password is valid.) It is a good habit for all System Administrators to use the vipw command. and there exist programs that can attempt to gain access to a system through trial and error of commonly selected passwords.) Note that the password is also case sensitive. This file contains information for one account per line. (Some systems will print an asterisk for each password character. they are provided with a default password so that they can login. UNIX uses an encryption technique called a one-way hash. The user will then be prompted for their current password. When editing the /etc/passwd file. The meaning of the fields is as follows: login name Text name of the account password The one-way hash encrypted password user ID A unique numerical identifier for the account group ID The default group identifier for the account GECOS ID A comma-separated list of user information home directory The users' initial working directory shell The program to use for a shell interface When a user gains an account. so that the System Administrator can log in and correct issues with the passwd file. Simple. the user can then enter their provided password and it will not appear on the display when it is typed. If the two do not match then access is refuse and the user is prompted again to login. assuming they are versed in the use of vi. (The redundant prompt is to make sure that the user didn't accidently mistype the new password the first time. The password is a key element of the system's security that is used to verify a user's identity. easily-guessable passwords have frequently been the cause of unauthorized access. Each time the user logs on. an unfortunate situation where file locking is not available on multi-user systems.

such as observing them at the keyboard during login. the failed login attempts can be recorded in log files. Wherever possible the System Administrator should require the use of a group for providing access to shared resources. such as btmp. however. The second is that it is much more difficult to terminate access by a specific individual to a shared account. The log files can be periodically checked by the System Administrator to check for unusual failed login activities (such as hundreds of attempts in a day). #. it may still be possible to guess the password. As long as the group exists and your account belongs to the group. They may resort to surreptitious means to obtain the proper login from a user. except by educating the user and discouraging the use of passwords on multiple systems. . Normally the login is printed on the screen during access. The newgrp command is used to switch your group without changing your account. and an account can belong to one or more groups. you will be changed to the selected group name. they may be able to gain unauthorized access to the other systems as well. The first is that it is nearly impossible to track or audit the activities of an individual who is a member of a shared account. Wherever possible it is advisable to implement such features to ensure the selection of strong passwords. &c. and this information is stored in the /etc/passwd file. UNIX can qualify access to system resources on the basis of group membership. Another limit is to restrict the number of login attempts before disconnecting the session. and a special character (such as *. $. [edit] Groups In addition to the account identifiers. However the password should be kept concealed on the screen. %. [edit] Unauthorized login attempts Unfortunately there are individuals who may attempt to gain unauthorized access to a system by trying to use another individual's account. Unfortunately this means that if the password on one system is determined by another person. To make the task of guessing a password difficult. using social engineering to trick an operator or user into giving them access. If a weak password has been selected by the user. so that it takes much longer to attempt each guess. The first limit puts a time delay in between each failed login attempt. When a user has an account on multiple systems. The group is used to manage information or resources that are shared by multiple people. It is normally used to obviate the need for shared accounts. In addition. Each group can contain multiple accounts. There are two reasons for this. or by setting up a spoofing program that mimics normal login. You would now have access privileges appropriate for that group. they may choose to use the same password on each of the systems in order to make it easier to remember. Another method used to obtain unauthorized access is to attempt to guess the login and password.) These measures can make a password much more difficult to determine. and avoid the use of a shared account. which is considered bad security practice. This possibility is difficult for the System Administrator to guard against. so the individual may already know the account name. most UNIX systems have limits built into the login system.The person's name The name of their child A birthday Simple words such as "guess" or "password" A place name The person's phone number Common keyboard patterns such as "qwerty" The name of the computer A word spelled backwards The same as one of the above followed by a single digit Modern UNIX systems have security configurations that provide some measure of strength checking when a password is set or changed. and include one or more upper-case and lower-case letters. such as users. a password may be required to be at least eight characters in length. An account will have a default group to which they belong. a number. For example.

These accounts are generally used for system administration and maintenance. and each line is subdivided into fields that are separated by colons. Note that if a group has a password. an account must be added to the appropriate members list. The value of the uid can typically range from 0 up to one less than the maximum integer supported on the system. It is good practice to use this command to check that format errors have not been introduced. the accounts billy_bob. This identifier is used internally by the system to determine ownership of potentially sensitive data and processes. bin. A new account created subsequently may be assigned the previous uid. It is often referred to as the superuser account. such as root. (Negative identifiers. is an identifier that corresponds to a user's account on a UNIX system. making that new user the owner of the files created by the previous account. When an account is deleted for some reason. most of these accounts have their passwords disabled. or uid. and each new account is added by assigning a previously unused identifier. When the system needs to list the owner of a data file or process.frederick Each line in the file describes a group. sys. The root account in particular. In this example. and much of the security-related configuration of a UNIX system is intended to prevent this eventuality. the System Administrator needs to perform periodic maintenance to locate files that lack a valid account. it normally maps the identifier back to the account name in the /etc/passwd file before presenting the information. [edit] Identifiers UNIX uses integer values to track and store access information. However this may result in files created by that account having an unassigned uid. This file contains information for one group per line. particularly -2. Here is a brief example of an /etc/group file: root::0:root other::1:root bin::2:bin users::20: secrets::30:billy_bob. In many instances. the account entry is removed from the /etc/passwd file. a user can use the password to change to that group even if he or she is not a member. there is usually a grpck command available that can be used to check the format of the /etc/group file. daemon. . sally_sue. and the uid is used for system files or processes.[edit] /etc/group The information for UNIX groups is stored in a text file located at /etc/group. As with the pwck command for the /etc/passwd file. By convention the user identifiers 0 through 99 are nearly always reserved for these accounts. which has a uid of zero (0). is a special account that has higher privileges than any user. and so forth. The meaning of the fields is as follows: group name Text name of the group password The one-way hash encrypted password group ID The default group identifier for the account members A comma-separated list of group names To belong to additional groups beyond the default. Special precautions need to be taken to prevent inappropriate individuals from gaining access to this account. In order to prevent this eventuality.sally_sue. and frederick are all members of the group secrets. the vendor media can load selected default accounts.) User identifiers are usually assigned beginning with 100. are for special purpose use only. even though their default group is users. The user identifier. [edit] Default accounts During the initial installation of a system.

The drawback to this. such as two words separated by a number. (An example of such a program is called crack. [edit] Shadow password file While a user's password is stored as an encrypted string on UNIX systems. the task becomes slightly more difficult. The first is to configure a system so that the root account can not be accessed directly. which can be used by the System Administrator to periodically check their user's passwords for guessable values. The program can also use a dictionary of words and encrypt each one and compare them in turn to each encrypted password on a system. and then the superuser account. With the encrypted password "shadowed" in this manner. (An example of this would be a trusted user account that is allowed to make revisions to a server's printer configuration.) There are a number of tools available. anybody who can read the encrypted value may be able to use a program to test various commonly-used passwords and see if they match. of course. A more sophisticated approach to limiting the superuser account access requirement is through the use of role-based access control. When the password is formed using a rule. However a wily individual may have considerable computing resources at his or her disposal. Instead a user account must first be compromised. commonly known as the shadow password file. The implementation of this feature will vary depending on the UNIX vendor. both in open source and from vendors. The shadow password is located at /etc/shadow on Sun systems and under /tcb on HP-UX systems. This allows designated user accounts to perform a limited set of actions that are normally restricted to the root account. and the password field of the /etc/passwd file is replaced by an asterisk. [edit] Account management Under construction. the program can try a series of guesses and encrypt them to see if they match the value in the user's password field. This can provide an audit trail of when the superuser account was accessed and by whom. It also helps to insulate the system from attempts to break into the superuser account directly. This random salt value will most likely result in a different encryption string value even when the passwords for two accounts match.. although it can never be reduced to zero.. is that becomes more difficult to maintain a secure system when multiple people have superuser access. two-character "salt". so guessing a weak password may just be a matter of time. Instead the operator must log on using their user account. This topic will be covered in more detail in later chapters. that can be used to provide role-based access control capabilities. the encrypted password includes a random. It can also make it more difficult to perform a root-cause analysis when something on a system breaks.) In order to forestall this technique. To make this task somewhat more difficult for a password guessing program. As a result the program must recompute the encryption string for each guess and for every account. the encrypted passwords can be stored in a separate file. Paperwork & records Modifying passwords Password aging Disabling accounts . There are several methods to help reduce the risk of a shared superuser access. That is. the task of guessing a password is rendered much more difficult.In certain environments it may be necessary for certain administrative capabilities to be shared among more than one operator. making a brute-force attack quite feasible on a system where a password consists of a simple word. Nonetheless a modern UNIX system can still crunch through a large number of guesses in a relatively short amount of time. The contents of the shadow password file can only be read by the root account. then su (switch-user) to the superuser account.

In UNIX. In UNIX the filesystem contains the following information available for each file: Unique inode number The length of the file in bytes The identifier of the device that contains the file File type A set of permissions bits.2 Directory permissions 2. or attached as part of a Storage Area Network. such as a disk drive.4 Searching for file permissions 2. as on many other modern operating systems. or gid File creation date and time File last access date and time File last modification date and time The total number of hard links to the inode The typical UNIX file types are as follows: Block file Raw file Regular file Directory Named pipe Symbolic link Socket A hard link is a type of file that references another file on the same device and file system by means of its inode number. which are an essential means of managing information on a computer system. [edit] File permissions .UNIX COMPUTING SECURITY/UNIX FILESYSTEM Most of the data used by a computer is stored on disk drives. It includes information that the operating system can use to find specific data content and who is allowed to access that data. is laid out.1 Set ID on execute 2. Some sites may also employ removeable disk media that can be loaded by an operator or a robotic device. allowing the data to be organized and access managed. The location of a file on a directory tree is called its path. These are physical devices with a relative high access latency. All of this data is organized into a series of files. compared to.3 Setting file permissions 2. but large storage capacity. or mode Identifier of the file's owner. A directory is a special type of file that can reference zero or more other files and directories. physical memory. files are stored in a tree structure with the branch nodes being called directories. an adjacent expansion cabinet. Contents [hide] 1 Filesystem and files 2 File permissions 2. The data in a file is organized in a format that applications can understand. Directory trees are contained in one or more filesystems. or uid Identifier of the file's group. say.5 umask [edit] Filesystem and files The filesystem is the method by which data on a device. A symbolic link is a type of file that contains the path information to another file. On a server system a disk drive can be located inside the same cabinet as the CPU. attached to the network as an appliance.

) These permissions are indicated by an r. followed by the file size in bytes. the user bill is able to run it. Now suppose the myjob file is given owner root. respectively. w and x. however. Normally when a job is run. where the s indicates that the set user ID on execution flag has been set. The resulting file permission bits may now appear as r-xr-s---. Next are the names of the file owner and group. write. Each of these groups describe a set of file permissions that determine whether a file can be read. Here is an example: $ ls -l /usr/bin/vi -r-xr-xr-t 6 bin bin 604880 Sep 3 2003 /usr/bin/vi The left-most field of the ls output displays the mode of a file.and is run by the file owner. The first (left-most) character shows the type of the file. This is an integer field that is normally 2 bytes (16 bits) in length. when the file was executed it would have access to any file that can be accessed by the group sys. if a file is a program or a script. and the set permissions bit for the user are activated by the System Administrator. When the job is run now. More on that in a moment. Each bit within the mode is a binary flag that represents a type of security access setting. so members of the group would not necessarily be able to modify the file. it uses the user and group of the account that executes the file. modify. The number to the right of the mode shows the total number of hard links to the file. The resulting file has permission bits r-sr-x---. So this case the command has five other hard links. or run the file as a program (or script). (They can also cover certain special execution modes. The middle set are the permission settings for the file group. The common types are as follows: . . and executed as a program. That is. the first set of three characters indicates the permission settings for the owner of the file. it has access to any file that can be accessed by root (which is usually any file on the system. When this file is executed.) [edit] Set ID on execute The mode can also contain special flags that set the permissions of a file when it is executed. From left to right. if the group identifier were set to sys. That is. Thus an rwx in the group set indicates that any member of the file group can read.Information about a file's statistics can be viewed by means of the ls command in combination with the -l "long listing" option. including the original file. suppose a command myjob has permissions r-xr-x--. and the file name or path. and the last set to the right are the permissions for every body else (usually referred to as "world". For example. This controls the type of access that the job gains. Because the file still belongs to group research. the set permissions bits will determine the owner or group under which it will run. The process that executes the myjob command is given the owner bill and group research. The r-x above is missing the write flag. The job can access any file that can also be accessed from the account bill.— Ordinary file b — Block special file c — Character special file d — Directory D — Door (Solaris) l — Symbolic link n — Network special file (HP-UX) p — Named pipe s — Socket The remaining nine characters consist of three groups of three characters each. the date or time of the last modification. the job runs as though the user belonged to the same group as the file's group identifier. The ls displays the mode information as a field of ten characters. user bill in group research.) A similar effect occurs when the set group ID on execution flag has been set.

[edit] Directory permissions The permissions on a directory have a somewhat different meaning than they do for files. particularly when they can be modified by a user.. not the file permissions. then it can be exploited to elevate that user's privileges. A file that is owned by root that has the set user ID flag has the same access privileges as the System Administrator. say. or size. with no arguments to list the contents of that directory. If a directory allows you execute but not read permissions. it may still contain vulnerabilities that can be exploited to gain unauthorized privileges. Finally chmod can set the file mode. you could do a "long list" of that file. You can also do a "long list" of the directory using the ls -l command. when a shell script is executed.. [edit] Setting file permissions The permissions for a file can be set using the chown.1 myacct mygrp 0 Dec 9 12:00 test. Note: On Linux. You also can not change directory with the cd command to a directory where you only have read permissions.txt -rw-r----. set user ID or set group ID permissions sticky bit. . or perform other unauthorized activities. nor read the content of files in that directory.txt $ cd test $ ls . or execute permissions. Even if the file can not be modified by a user. the chown can be used to set both the owner and group of a file. under construction. The chown is given a valid account name or numerical identifier. you get an error if you tried to use ls to list the directory. all setuid and setgid permissions are ignored intentionally by system.txt See the appropriate manual pages for further information on these commands. If a directory allows you x. (On some operating systems. Selected system commands require these mode settings in order to function properly. Likewise chgrp can be used to set the group for a file. The read permissions on a directory allow the ls command.txt $ chmod 100 test $ chmod 640 test/test. if you knew that a particular file existed in that directory and if that file allowed you read privileges. can represent an unacceptible level of risk to a system. However the read mode only allows the file name to be read. Batch jobs can be run at regular intervals to search for the existence of these files and to bring them to the attention of the System Administrator. unreadable total 0 $ ls -l test. For this reason the existance of files with set user ID or set group ID permissions should be carefully monitored by the System Administrator. However. and is used to set the owner of a file or set of files. and chmod commands. you can cd to that directory and read the contents of any files in that directory for which you have read privileges.It is important to point out at this point that the set ID feature can potentially compromise the security of a system. If this file can also be modified by any user. owner. chgrp. However any other files with these settings. As a simple example: $ id uid=234(myacct) gid=100(mygrp) $ mkdir test $ touch test/test.

This option is typically activated with the -R.o=r /usr/local/bin/bigjob Here the u. $ /usr/bin/find /usr/bin -type f -perm -002 -exec ls -l {} \. deleting. and = modify the permissions by adding. Any combination of these modes can be set by adding up the appropriate values. directories. say. or x (execute) mode bits. as well as certain file owners and groups. symbolic links. and a 0 for the world permissions. In this case the two in the third digit matches the world write bit. and o represent the user. respectively. This allows a more refined approach to modifying the mode of a file. device files. [edit] Searching for file permissions The find can be a powerful tool for searching the file systems for files or directories with particular permission settings. A symbolic operation determines who it affects. w (write). -. Finally the fancy -exec ls -al {} \. as discussed above. group. The chown. the type of operation. When combined with the symbolic operations of the chmod command. chgrp and chmod commands normally have a recursive option that acts upon a directory and all files under that directory tree. For example: $ chmod 550 /usr/local/bin/bigjob has a 5 for the user permissions. and other (world) permissions. and the affected permissions. The example below shows a search of the /home directory tree for any files with an owner that is not in the password database.g-w. and so forth. g. a two (2) sets the write mode. The +. but see the manual pages for your particular operating system. This example gives the user execute permissions. The world gets no privileges for this file.Here is an example of a combined chown command that sets the file owner to root and the group to sys: $ chown root:sys /usr/local/bin/bigjob Permission Value Execute (x) 1 Write (w) 2 Read (r) 4 The original format for the chmod command allows the entire mode to be set for a file or set of files. or any files or directories under that directory tree. or setting the bits specified by the r (red). The arguements -type f restricts the search to files. The -perm -002 sets the type of permissions to find. For example: $ chmod -R o-w /usr/bin will recursively remove any world permission bits on the /usr/bin directory. The parameters passed to the find command form an expression that determines what the command is seeking in the directory tree /usr/bin. instead of. and a four (4) sets the read mode. . This is done by passing the command a three or four digit number that defines the mode settings. (The odd \. this can provide a powerful tool for managing permissions on a directory. In the example below (which was written for HP-UX) the find command is being used to search the /usr/bin directory tree for any files that allow world write permissions. removed write permissions for the file's group. More recently the chmod command has been enhanced to allow a comma-separated list of symbolic operations.. so this is enabling the read (4) and execute (1) flags for both the user and group. clause at the end is a terminator of the command. A one (1) enables the execute mode. the minus before the number means to only match on the values that are set in the number. Each of the last three digits in the number represents one of the sets of permission flags. a 5 for the group permissions. causes the command ls -l to be executed on any file that met the prior conditions. and limits other (world) to read operations only. For example: $ chmod u+x. A 5 is equal to a 1 plus 4.) Some variant of find has the -ls option which can replace -exec ls -al {} \.

$ /usr/bin/find /home -nouser -exec ls -l {} \.txt -rw------. write. so members of the group will only be able to read or execute the file.wikibooks. [edit] umask Each UNIX session has a file mode creation mask that defines the initial value of the permission bits when a new file is created. The command umask can be used to display the mask for the current session. The user will then need to manually modify the permissions on a file or directory in order to make it available to others. That is. regardless of the setting of the umask. If any accounts have been removed from the password database. it can be considerate of the users to run the find at a lower priority using the nice command.1 bilbo users 0 Jan 18 07:41 testfile. except that the values are used in the negative sense.org/wiki/UNIX_Computing_Security/UNIX_filesystem" Category: UNIX UNIX COMPUTING SECURITY/SECURING ACCOUNTS . a umask setting of 000 results in the weakest security setting.txt In this example. This mask consists of a series of bit flags that determine whether a particular permissions setting will be turned on or off.txt A umask setting of 077 is recommended for optimal security. Also some care needs to be exercised to avoid searches of network-mounted directory trees as this can significantly slow the search time. Note that whenever the System Administrator is performing a lengthy search of the file system. so the file owner can have read. A zero means that all of the permission bits will be set. Finally the seven in the last digit will turn off all permissions for world. the umask command can be executed with the new mask passed as a parameter.txt $ ls -al testfile. this can be achieved with the help of -xdev option which limits find to search local file system only. To change the mask for the session. the system creates a file with the execute permissions turned off.1 bilbo users 0 Jan 18 07:47 testfile. the first zero affects the owner's permissions on the file. as anybody on the system can have access to the file unless the user remembers to restrict the permissions.txt -rw-r----. Otherwise the job may impact disc access performance. when a value is set in the mask the corresponding permission bit will be turned off when a file is created. and execute permissions on that file. (Note that in the example above. A '2' will turn off the write permission bit. Retrieved from "http://en.) The middle number two affects the permissions for the file group. This value is similar to the number that is passed to the chmod command. In order to apply a base umask setting.txt $ ls -al testfile2. the System Administrator can include a umask command in the shell startup files such as /etc/profile. a command such as this can be used to search for orphaned files. $ umask 077 $ umask 077 $ touch testfile2. $ umask 027 $ touch testfile. Conversely.

2 PATH 3 Dot files 3.1 Missing home directories 2 Shell environment 2.profile. the environments in which programs will be run. Once an account is in use.) The home directory should be protected in such a manner that the user owns it and the group identifier of the directory matches the account's default group. it is normally given a separate home directory. Some versions of Unix provide a means of disabling user logins whenever their home directory is not found.1 Session timeout 2. Contents [hide] 1 Home directory 1. Unused or unneeded accounts need to be disabled so that they are not employed for inappropriate purposes.cshrc. the home directory for the root account can be located under its own directory tree.1 . Once a private root home directory is implemented. and it is often indicative of a problem with the system.rhosts [edit] Home directory When an account is first created. . Such configuration can be applied to the default user security settings. usually under the /home or possibly the /user directory tree where the user can store their data files and where custom startup and configuration files are located. Normally this directory should be placed on the same file system as slash so that the directory is always present when the system is booted. These can provide.2 .1 ForwardPath 3. Many System Administrators provide a default set of startup. or even coopted by an inappropriate person. for example.forward 3. As a remedy for this case. the System Administrator will still need to employ a certain level of vigilence to make certain the access is not abused. . Having a private directory for root also provides a somewhat more secure location for any tools and scripts the System Administrator might want to run. the System Administrator can then modify the "dot" files under the slash directory and use them to provide a default set of startup files for their users. Note that having a user log in using a home directory of slash is generally not a good idea. So this can potentially lead to permissions problems with the startup configuration files. This is also the default directory for the root (super-user) account. or slash (/) directory. (For example. [edit] Missing home directories In cases where the home directory does not exist for a particular user account. useful aliases and site-specific operations. the default action on many Unix systems is to start the login session at the top-level. Permission modes of 750 or 700 are common. In addition the home directory is normally given permissions that restrict access by other users. /root). and other unexpected behavior.The users of a Unix system are most likely not nearly as knowledgeable about the security aspects of their system as are the System Administrators. (These can include . and so forth.login. This is a directory. So it is important to use the configuration capabilities of the system to configure these accounts so that they are reasonably secure. However these default files need to be properly secured or else they may be tampered with and any new accounts quickly compromised.netrc 3.1. . Passwords need to be checked for strength and periodically updated. or "dot" files that are copied into the new home directory.3 . There may also be special restrictions needed for certain accounts depending on access and data security requirements on the server. and so forth.

including the Korn Shell. it is easy to see why this may pose a security problem. such as 300 (or 5 minutes). Note that if the value of the PATH variable begins or ends with a period. that will limit the period of vulnerability. either TMOUT or TIMEOUT. the system will treat this just like a period. For this reason it is important that the root account in particular never have a period in its PATH variable. it only takes a few moments for an unscrupulous individual to take advantage of the situation to increase their own access privileges. As the user's current working directory may be anywhere on the system where the account has access permissions. So.[edit] Shell environment Many of the shells available for use on Unix systems allow environmental variables to be configured. the directory path to recently executed commands can get stored in a cache. The System Administrator might never even be aware of the inappropriate activity. the system will then attempt to execute the file. For example.) This variable can be used to expire shells when a user or system administrator is drawn away from active login session for a period of time.login. and the user decides to execute a command. and some vendor versions of the Bourne Shell. Suppose an account contains just such a period in its PATH variable. If it is found. When this variable is set it gives the number of seconds of no activity before the shell expires. the root PATH variable should never begin or end with a colon. Certain shell types. Typically this variable would be set to some value. It is normally set in a global shell startup file such as /etc/profile or /etc/csh. This potential vulnerability is particularly true for the root account. Some of these variables can have security implications. the system will then try to execute it. the system searches through each of the directories in the PATH looking for a program with a matching name. Suppose root has a period at the start of their PATH variable. When a command is typed at the shell prompt. (A value of zero means no timeout. This variable is set to a colonseparated list of valid directories on the system. then a user calls up to report a problem in their home directory. . in addition. suppose that a System Administrator has walked away from their desk for a minute and a person types in a few commands at the shell prompt: root$ touch /tmp/rubbish root$ chmod 4777 /tmp/rubbish root$ exit This creates a world-editable file that can be modified to run commands that can grant root privileges to anybody executing it.) $ echo $PATH /usr/bin:/usr/bin/X11:/usr/contrib/bin:/usr/local/bin:. It is for situations like this that it is important for unattended sessions to either be locked down or disconnected. This file could easily be a shell script that exploits the permissions of the root account to grant the user enhanced permissions. Bash. will support a time out variable. then simply replicates the actions of the ls call. That individual now owns the system. the system will then check the user's current working directory for a matching file. When a match is found the search ceases and the program is executed. [edit] Session timeout When a Unix session is left unattended for a period of time.) or an empty entry (::) is used to represent the current working directory. If the command was not located in one of the directories listed prior to the period. and a few can be configured to enhance the system security. In Unix a single period within the path name (. However if the user has placed a file called ls in their home directory. It would be normal for the System Administrator to change directory to the user's home location and perform a directory listing using the ls command. (For reasons of efficiency. [edit] PATH Unix shell sessions use an environment variable called PATH to determine the location of commands and other programs that can be executed from the shell command line.

forward:$z/. [edit] .forward The sendmail program includes support for this file that is intended to forward e-mail messages to a new address (after a user has relocated their account. However if the user has configured their . This could. or in the /etc/PATH file on some vendor releases.) If the file is not found.com. such as /etc/profile. it is forwarded to the addresses in the . Setting the PATH in the shell startup script. Whenever a new user account is created. can help the System Administrator manage the use of the PATH variable for most user accounts.forward file for the user account named bob. is that an address can also be a system command. For example: sample_address@no. Another concern with the PATH variable is whether any of the directories in the PATH allow user's to modify the contents. it should be placed at the very end of the PATH. In addition to improper settings added by users.) After the user has established that they are sufficiently well-trained with UNIX to properly configure their own . The contents of this file can contain a comma-separated list of addresses. for example. The ForwardPath option is set in the sendmail configuration by means of the OJ line (or "O ForwardPath="). [edit] ForwardPath Beginning with version 8 of the sendmail program. Periodic checks of the permissions on these directories and files is necessary to help maintain a secure system. however.forward file.forward file in the controlled directory. The problem with regard to security.forward file in the user's home directory.forward This will cause sendmail to first check for a file under a /var/forward directory with the name of the user's account followed by a . Otherwise an unscrupulous user can modify one or more of the commands.forward file. It is also passed as standard input to the program listed in strings. (This can be automated as part of the account creation tools. the files may be modified by an intruder so that they can regain access at some future date. they can still perform actions on the system. and all files within those directories should not allow write permissions. It may be common practice to initially disable a user account by disabling the password. be a script written by the user to execute commands contained within the mail message. the System Administrator can then create a account.forward file. then sendmail will check for a . For example: OJ/var/forward/$u.or have two colons next to each other with no directory in between. In any event it is often preferable for the System Administrator to type in the full command path rather than relying on the system.such. This will cause the system to check all of the standard directories containing executables before trying the current working directory. These are of interest to the System Administrator because in certain cases they can introduce weaknesses into the security of a Unix system. . The permissions on the directories in the PATH should all restrict write permissions. An alert System Administrator will regularly search their system for the presence of these files. and expect other users and even root to execute their modified file. for example). the account. "|/var/tmp/give_me_access" When an e-mail message arrives.forward. then check the permissions and contents for potential security issues. [edit] Dot files These files are normally located in the home directory of an account and contain various startup and configuration settings and procedures. If it is necessary for a user's PATH variable to include a period.forward would be interpreted as the . An unscrupulous individual may exploit this access for inappropriate activities. (Thus bob.forward file can be removed.forward file to execute a command. the ForwardPath option can be used to define alternate locations for the .

netrc file can also obtain the user's login password.rhosts for an account to connect between A—B and B—C. [edit] Init The parent of all processes. One of the most known is init. Retrieved from "http://en. However this is only a partial solution. As you'd expect. This serves to force the owner to restrict the permissions on this file. The file can be set up to allow access from any host. In order to automate this process. [edit] .netrc can be read by anybody except the owner. somebody who manages to obtain inappropriate access to C can use the .wikibooks. batch downloads of files from a remote site.rhosts capability where possible. it is usually better to disable the . Once this is done. say. Another issue with the . Anybody who has read access to the . A preferable approach for most purposes would be to use the host authentication method of the sftp command instead.) This bypasses the normal login process and immediately connects the user with the system. thus: . Suppose that three systems are set up so that A has a trust relationship with B. Process ID is almost always 1. Unfortunately. or it could be deliberately established on a compromised system to allow inappropriate access.rhosts file can provide an autologin capability for a user when running the remote login command (usually rlogin. For example: + joebob will allow the account joebob to connect from any host without entering a password.netrc file stores the password in plain text. init will take ownership of orphaned processes.[edit] . can provide a back door for an individual to get from C to A. the automatic login process will fail. [edit] Viewing processes For example. That is. a scheduled batch task. even though C is not trusted by A (and may even have network access blocked). this capability can introduce a number of potential vulnerabilities to a system. The ftp process has a built-in restriction that partially alleviates this problem. but A does not necessarily trust C. the account may belong to an entirely different person on another system. Due to the security dangers inherant in its use. they can configure a . Unfortunately the format of the .rhosts file to obtain access to A. If the user's .rhosts file is the method used to enter the allowed account access.netrc file to provide access without the need to input a password. say. a script can be run to transfer files using.org/wiki/UNIX_Computing_Security/Securing_accounts" UNIX COMPUTING SECURITY/SYSTEM PROCESSES System processes of UNIX consist of those processes that are not user services or user processes.rhosts The .netrc Users may want to use the ftp command for. The establishment of . a user may list the status of his or her processes using the ps command.

This banner can be useful for presenting a carefully-worded warning to anybody accessing the system. then the password string will appear in the packets in a readable form. . The Kerberos client will support secure authentication. That user can send signals to those two processes using the kill command. and communicate with it using the TELNET protocol. the login password is sent across the network in clear-text form. unless of course it is kept physically isolated. This reduces the risk of back-door access methods of the later commands.$ ps -f UID PID PPID C STIME TTY TIME CMD john_doe 15265 15254 0 11:18:13 pts/5 00:00 -sh john_doe 11407 15265 1 13:52:09 pts/5 00:00 ps -f The user with the account name john_doe is the owner of the two processes with process identifiers 15265 and 11407. and help maintain the secrecy of the password string.wikibooks. from a security perspective.org/wiki/UNIX_Computing_Security/System_processes" UNIX COMPUTING SECURITY/REMOTE ACCESS -------------------------------------------------------------------------------Contents [hide] 1 Telnet 1. the default configuration of telnet should only be employed on network segments that you are highly confident are secure. if the network packets between the two hosts are being read by some intermediary. however. If somebody is presented this warning prior to login. The telnet service can normally be configured to display a text banner prior to the presentation of the login prompt. So in this sense it is like a "Do Not Trespass" sign on a piece of property. Likewise any data sent through during the session will also appear in readable form. including any other secure information sent to the remote hosts. if you want to maintain the security of your communications. Establishing such a network is becoming increasingly difficult.) A method of securing the password using telnet is to configure it to run as a Kerberos client. Retrieved from "http://en. However the system can prevent that user from using the kill command on processes he does not own. so data transmission subsequent to the login will remain vulnerable to interception. then they can not claim ignorance of what they were trying to access. However this will not provide an encrypted session. That is to say.1 /etc/securetty 2 ftp 3 Sendmail [edit] Telnet This command is used to establish a connection with another host that can be accessed via the network. such as rlogin. (Even then it is never possible to be 100% certain. For the default configuration. Typically telnet is used to connect to a user login via the standard TELNET port. when this functionality is available. Normally. The presence and consistent use of a login banner can be useful in the event that a prosecution of an individual for unauthorized access becomes necessary. Something that can be said in favor of telnet. is that it typically lacks the means to bypass the login sequence that is available to the Berkeley remote login commands.

then entering any string as a password. However. When the file exists. The ftp daemon can be configured to allow a form of access that is known as "anonymous ftp". It has two network ports. (Port 20 is employed for data transfer. Many vendors have adopted the wu-ftpd flavor of the File Transfer Protocol.. The instructions for how to properly configure an anonymous ftp account are usually given in the manual pages for the ftp daemon.to become root. many of which can be used to enhance the security of a system. anybody using a packet sniffer to intercept the session packets will be able to read the password. [edit] Sendmail The sendmail program is used to send.. Unfortunately it has had a spotted history with respect to security vulnerabilities . In addition. So if an unauthorized person is able to gain read access to the . relay. and receive electronic mail using SMTP (Simple Mail Transfer Protocol). any data files are also sent in unencrypted form. the root account is only allowed to login via the listed devices in the file.netrc files and then either remove them or check their contents. To prevent direct remote connection via the root account.. one per line. If this service is required. The first of these is the use of the .[edit] /etc/securetty The /etc/securetty file is used to enable login security. and uses tcp for reliable packet transfer. Thus an owner and group of root:sys and a file mode of 640 would effectively secure this file. When the /etc/securetty file is created it should be properly restricted to prevent modification from any accounts except root. the Secure Shell software can be used. To prevent this situation. However unless a secure authentication system such as kerberos has been enabled. but this is a courtesy only. However. (See anonymous ftp below. Note that this does not prevent a System Administrator from connecting to the system via their user account and then executing an su . usually 20 and 21. This incorporates additional features in the ftp configuration. the sftp command equivalent does not have as rich a set of supported commands as does the standard version of ftp. or in cases where security is not an issue. This uprotected version of ftp should only be used across a secure network.netrc are in an unencrypted form. In fact this is a recommended method as it allows usage of the root account to be logged. while port 21 is used for session control. There are several other features of ftp that can present a security issue for the System Administrator. This file can be configured to allow automatic connection to a remote site without the need to provide an account name or password. This allows any individual from a remote site to connect by typing "anonymous" at the login prompt.) For encrypted login and file transmission. That is. More to come. the ~ftp/etc/passwd file should not include encrypted password information. at least at present. any passwords stored in .netrc file in a user's home directory. great care should be taken to follow the documented instructions. many System Administrators will regularly search their systems for . and only the ls command should be in the ~ftp/usr/bin/ directory and have 111 permissions. More here. (By convention the password is usually entered in the form of an email address.netrc file (such as by compromising the system) they may also be able to gain access to other remote systems.) Connecting to a remote system via ftp requires a login at the destination. the password will be transmitted across the network in the clear. a recommended practice is to only include the single entry console within this file. In particular. [edit] ftp The File Transfer Protocol is intended to allow the reliable transmission of files between two systems on the network.) An improperly configured anonymous ftp capability can present a host of weaknesses that can be exploited by an intruder..

it can be good practice to periodically rotate the logs. It is expeced that an unauthorized intruder into a computing system will attempt to remove any trace of their activities from the system log files. and if it does not securely process the data a suitably-formatted e-mail could potentially be used to compromise the system.1 && mv -f mylog. thus keeping the log file trimmed.and exploits. such as a distribution list of e-mail addresses. (The log files should be backed up to media at some point. Log files can be very useful resources for security incident investigations.sh command and passes the mail message to the script as standard input. The UNIX releases are preconfigured to record certain information in log files. The prog mailer is configured in the sendmail. The System Administrator can restrict the commands that can be run in the script to a small set of "safe" commands. A script can be used to run this periodically.1 mylog.cf configuration file using the Mprog option. For these reasons log files should be periodically backed up to separate media. thus avoiding a denial of service event due to a full file system. On each system where it is loaded.debug_log When an e-mail message is sent to the save_debug_message address on this server. When the sendmail process is configured to use smrsh as the prog mailer. . users on the system can modify it for their own purposes.sh". this capability can readily introduce security vulnerabilities into the system. and precautions need to be taken to prevent tampering with the log files.2 && mv -f mylog. but configuration settings are available to increase the amount of information recorded. UNIX COMPUTING SECURITY/LOG FILES AND AUDITING Log files are generated by system processes to record activities for subsequent analysis. sendmail reads a file that is used to store a list of mail aliases. For this reason it is important to take advantage of any security features that have been added to sendmail. Likewise if the script is not securely protected.) Rotating the log files helps minimizes the disk space usage. rename the current log file to a name in a sequence.log && cp -p mylog mylog.3 $ test -f mylog. its sendmail daemon executes the /usr/local/bin/record_bug. Here is an example of rotating a log file called mylog: $ cd /var/adm $ test -f mylog. That is to say. For log files that tend to grow significantly in size over the course of time. Messages with arbitrary content can be sent to this address. Here is an example of just such an entry: save_debug_message : "|/usr/local/bin/record_bug. it limits the capabilities of the script being executed. A user with a terminated account might even be able to regain access by this means. A capability that was introduced to try and limit the amount of damage that an aliased command could introduced was the use of the smrsh shell. One of the built-in features of the alias list is the ability to execute a shell command using a prog mailer. and to apply the latest security patches to this product as they become available.1 $ :>mylog The effect of this is to rotate the log through three copies before it is finally overwritten.2 $ test -f mylog. These aliases are e-mail addresses that the sendmail program translates into another form. They can also be essential for prosecution of criminal activity. They can be useful tools for troubleshooting system problems and also to check for inappropriate activity.2 mylog. As you might expect. and start a new log.

This log file can be written to from a shell or script by means of the logger command. [edit] Auditing Auditing is normally a built-in capability that can be activated on a UNIX system. and so forth. hardware errors. mail debug messages can be added to a mail. rather than waiting for a page to fill. These can be configured by means of the /etc/syslog. which is often configured to save mail-related messages to a dedicated log file.conf). The print jobs are recorded in a log file. For this reason it is often a good idea to disable this network logging capability in the syslogd startup. including panic conditions. The audit system must be activated in order to begin collecting data. However it is possible to flood this socket with invalid messages. A printer can be dedicated to recording log messages on hard copy. If the server is compromised. The System Administrator should also be wary of misleading log messages. which on some systems can be configured to provide additional logging information. It is a requirement for C-2 trusted system security. usually giving the printer name. For example. read-many operations. This could potentially be useful in tracking access attempts. as well as warnings and tracking information. the account running the print job. the messages will still be stored safely on the remote host. Among the types of information that can be logged is remote user login attempts and successes. In some circumstances this can be useful for helping tracing the origin of an inappropriate or erroneous connection. This data acquisition does come at a cost. including the client host from where the user is connecting. which processes them according to a configuration defined by a special file (such as /etc/syslog. or ignored altogether. The line printer daemon (lpd) is normally used to dispatch an output job to a printer. It can be used to troubleshoot e-mail issues as well as to look for unusual mail activity. Messages are sent to the syslogd daemon. Some versions of syslogd can be configured to read log messages broadcast over the network. There are several options for maintaining a system log that is difficult if not impossible for an intruder to clean up.conf file. This can either print to a locally attached device. [edit] Other logs There are other log files that can sometimes be useful in tracking accesses and activities. The log messages are sent to the system via the syslogd. Certain services or daemons can be configured to log information to the syslogd file.log file and e-mailed to the System Administrator. and this can be employed as a prank or nuisance factor. Combinations of facilities and log levels can be processed in different manners. Users can add log entries using the logger command. The daemon can be configured to log information about e-mail messages sent. all error messages can be copied to the syslog. This log file can collect a variety of useful information. or forward the print jobs to a remote printer on a different server. as it can consume as much as 10% of the system CPU time. alerts can be printed to the console. The log messages can be copied to a device that is configured for write-once. data corruption. thus leading to a rapid growth of the log file and a potential denial of service. received.[edit] Syslog The system log is a log file that is maintained by the syslogd daemon. Events passed to the syslog are defined by a set of facilities and log levels.log file. The old line printers were especially useful for this purpose as the messages could be viewed immediately. which can then be analyzed using the available audit system commands. This could be a CD-ROM recording or a specially-configured tape drive. and the date and time. The daemon can forward messages to a secure system on the network. These can include the inetd file. . The sendmail daemon can be used to send and receive electronic mail between UNIX systems using SMTP (Simple Mail Transfer Protocol). The data is stored in a file. and relayed.

Unauthorized individuals gaining access to a server room can intercept network transmissions. media storage and network connections. such as ceiling-mounted camera domes. [edit] Reboot When an intruder has physical access to a server. system calls. When the system is rebooted normally.The audit subsystem can collect data on events. The interior can be monitored using surveillance systems. and user activities. such as CD-ROM. It is also a simple matter to obtain valuable data. Removalable media devices. Companies that value their server computing resources will typically place the systems in isolated rooms with carefully managed environments and protections against power outages. &c. or perform malicious destruction of your systems and data. which is a good place to start. Access to server rooms is limited by means of locks that can require combination codes. usually on a daily basis. management of the file is necessary. In addition. or placed after the primary boot device. The audit capability typically has a threshold setting that will cause the auditing to switch to an alternate log file under certain conditions. cause servers to reboot from inserted media. Usually this can be achieved by means of a cron job that summarizes the log entries and looks for inappropriate events. . This audit file is often placed on a different file system in case the threshold switch is triggered by the original file system reaching a disk usage limit. Perimeter defense is provided by building access mechanisms and security personnel. Data can be removed or stolen by the theft of a laptop or disk drive. The audit logs should be regularly monitored to check for activity that needs to be tracked. or biometric devices. floppy disk. Usually there is an audit man page. As the audit file can potentially grow without bounds. special digital cards. Access to the network and internal servers can be acquired by accessing an office terminal or workstation. With the system up. However not all the computing infrastructure can be protected to this degree. they may have inserted changes that allow unauthorized privileges. so it is best for the System Administrator to review the manual pages on the subject. The physical security of your computing infrastructure is at least as important as the measures that are applied at the software level. The particulars of the auditing configuration can vary depending on the particular flavor of the UNIX OS.org/wiki/UNIX_Computing_Security/Log_files_and_auditing" UNIX COMPUTING SECURITY/PHYSICAL SECURITY Suggested topics: server room. magnetic tape or USB disks (including USB pen drives) should be removed from the list of bootable devices. then to copy it onto media for easy removal. which can then be examined for information about the system calls being run.wikibooks. the users calling the system commands. and the modifications made. they may be able to reboot the system from alternate media. they may be able to mount up the file systems on the server and make whatever changes they would like. Retrieved from "http://en. This can be done by rotating the log files and backing up the logs to separate media. regularly storing the audit event logs on separate media can be useful for the purposes of investigation of unauthorized access. Auditing can collect a significant amount of data.

UNIX COMPUTING SECURITY/DATA SECURITY Suggested topics: backups to media. If this level has not been protected by a login prompt. you could take in consideration selecting a filing system that supports usefull features. disk backup tools and data backup tools (database dumps for example) UNIX systems provide many tools that help in backing up files. most commonly known is the tar command which allows creating archives and preserver ownership/time-date/permessions on the files being archived.1 disaster recovery tool 3 external links [edit] backup tools backup tools can be devided according to what they backup. those tar archives can also easily be compressed. there are some questions you need to answer: What do i want to backup? How often do i want to backup? Where to save the backup? How long do i need the backup? How long does it take to get the backup replace a damaged system after a desaster? Whats the format i want to my backup to be in? How to backup ? How to minimize backup time when doing frequent backups? if you are desinging your system in a way to make it easy to backup. Backup is very essential in an environment where your data is precious. and that to a subset of data for almost any computer user. and ufs2 for (free?)bsd supports it. the system can still be booted into single-user mode. recovery. which dumps entire filing systems and treats it as a collection of disk blocks. Boot authentication can take the form of a BIOS supported poweron password or a specialized program. such as the Linux sulogin command which requires a password before granting access in Single-user mode. so it inherents a lot from the ar command (archive). can be configured in /etc/fstab cpio tar: tar puts multiple files and directories in one archive. note that tar actually stands for Tape Archive. another tool to backup is "dump" and "restore". when planning for a backup system. tar can compress archives too. file/directory backup tools.If a removable media device is not present. XFS supports it. such as snapshots. encryption and disaster recovery. the system can be modified with privileges equivalent to root. some of the options that can be passed to tar are: c : create archive x : extract archive t : list . using gzip for example. Contents [hide] 1 backup tools 1. Vendors will typically implement a Boot Authentication feature only allows authorized users to boot a system to Single-user mode.1 remote backup 2 backup systems 2.

IPTables. OpenSSH. Check for insecure entries in the /etc/passwd file. The last update to this package was version 1. tripwire. and implement more secure procedures. Check the format of the /etc/group file. nfsbug. [edit] COPS This venerable package consists of a series of scripts and binaries that can be used to check some basic security configurations on a UNIX system. v : operate verbosily (print out what files were progressed) f file: to specify the file name you are dealing with. Check specific system files for world-write permissions. Linux Virtualization. md5. and may require some fine tuning to operate on a modern version of UNIX.04. (There is also a perl version included in the package. Check specific startup and configuration files in the user home directories. Depending on the security requirements.) The following groups of checks are performed by the COPS utility: Check selected system directories for world-write permissions.z : work with gz compression to create compressed archives or extract compressed archives or list the content. [edit] remote backup rsync tar to remote machine: tar czf uwe@remotehost:/path/remote localpath tar over ssh tunneling example tar czf . The output will vary according to the UNIX vendor and OS version. and for a root entry in the /etc/ftpuser. released in 1991. Use the U-Kuang rules-based expert system to check for potential security exploits. Check all files on the system for setuid status and note changes. umask. TIGER. [edit] Check sum utilities . look for indications of an attack or a compromised system. but was based on a much older version of perl and is known to have some bugs. Check for world-writeable files in /usr/lib/crontab. hence this tool is starting to show its age. a number of these utilities can be employed on a regular basis to strength-check their system security. IDS/IPS. sudo. Check the root account PATH. SNORT. Check for world-writeable files in /etc/rc*. -------------------------------------------------------------------------------There are a number of commercial and free software tools available that are designed to help the System Administrator strengthen the security of their system.someDir | ssh user@domain tar -C somDirToExtractTo xzf [edit] backup systems amanda [edit] disaster recovery tool mondo UNIX COMPUTING SECURITY/USEFUL TOOLS Suggested topics: COPS.

it is important that the check sum of the file be compared with the value at a secure source. as this will make it vastly more difficult for an attacker to produce a tampered file that has the same check sum. Some integrity-checking utilities such as tripwire use multiple check sum programs to search for file modifications. or check sums. This will help to protect the system from illicit tampering. a stronger utility such as md5 should be used instead of cksum.pdf) = 46df33cb1473394c32a8910d162eb913 Whenever a System Administrator downloads a program or patch that will be executed on a UNIX system. Many vendors will provide check sum values for the downloadable files that they make available. [edit] OpenSSH . For example. The value of the resulting string will change whenever the contents of a file is changed. The string can also be used to check whether a file was corrupted during the download process. When possible. Check sums can also be used to validate the binary commands on a system. so this utility can be used to check whether a downloaded file has been tampered with inappropriately.pdf MD5 (important_data. as an output.There are UNIX utilities such as cksum and md5 that can be used to read the contents of a file and produce a one-way hashed values. $ mdf important_data.

Sign up to vote on this title
UsefulNot useful