Basic Linux Commands
Command Example Description
cat Sends file contents to standard output. This is a way to list the contents of short files to the screen. It works well with piping.
cat .bashrc Sends the contents of the ".bashrc" file to the screen.
cd Change directory
cd /home Change the current working directory to /home. The '/' indicates relative to root, and no matter what directory you are in when you execute this command, the directory will be changed to "/home".
cd httpd Change the current working directory to httpd, relative to the current location which is "/home". The full path of the new working directory is "/home/httpd".
cd .. Move to the parent directory of the current directory. This command will make the current working directory "/home".
cd ~ Move to the user's home directory, which is "/home/username". The '~' indicates the user's home directory.
cp Copy files
cp myfile yourfile Copy the files "myfile" to the file "yourfile" in the current working directory. This command will create the file "yourfile" if it doesn't exist. It will normally overwrite it without warning if it exists.
cp -i myfile yourfile With the "-i" option, if the file "yourfile" exists, you will be prompted before it is overwritten.
cp -i /data/myfile . Copy the file "/data/myfile" to the current working directory and name it "myfile". Prompt before overwriting the file.
cp -dpr srcdir destdir Copy all files from the directory "srcdir" to the directory "destdir" preserving links (-d option) and file attributes (-p option), and copy recursively (-r option). With these options, a directory and all its contents can be copied to another directory.
dd dd if=/dev/hdb1 of=/backup/ Disk duplicate. The man page says this command is to "Convert and copy a file"; although mostly used by more advanced users, it can be a very handy command. The "if" means input file, "of" means output file.
df Show the amount of disk space used on each mounted filesystem.
less less textfile Similar to the more command, but the user can page up and down through the file. The example displays the contents of textfile.
ln Creates a symbolic link to a file.
ln -s test symlink Creates a symbolic link named symlink that points to the file test. Typing "ls -i test symlink" will show the two files are different with different inodes. Typing "ls -l test symlink" will show that symlink points to the file test.
locate A fast database driven file locator.
slocate -u This command builds the slocate database. It will take several minutes to complete this command. This command must be used before searching for files, however cron runs this command periodically on most systems.
locate whereis Lists all files whose names contain the string "whereis".
logout Logs the current user off the system.
ls List files
ls List files in the current working directory except those starting with . and only show the file name.
ls -al List all files in the current working directory in long listing format showing permissions, ownership, size, and time and date stamp
more Allows file contents or piped output to be sent to the screen one page at a time.
more /etc/profile Lists the contents of the "/etc/profile" file to the screen one page at a time.
ls -al |more Performs a directory listing of all files and pipes the output of the listing through more. If the directory listing is longer than a page, it will be listed one page at a time.
mv Move or rename files
mv -i myfile yourfile Move the file from "myfile" to "yourfile". This effectively changes the name of "myfile" to "yourfile".
mv -i /data/myfile . Move the file "myfile" from the directory "/data" to the current working directory.
pwd Show the name of the current working directory
shutdown Shuts the system down.
shutdown -h now Shuts the system down to halt immediately.
shutdown -r now Shuts the system down immediately and the system reboots.
whereis Show where the binary, source and manual page files are for a command
whereis ls Locates binaries and manual pages for the ls command.
Editors: emacs, vi, pico, jed, vim
mkdir - make directories
Usage
mkdir [OPTION] DIRECTORY
Options
Create the DIRECTORY(ies), if they do not already exist.
Mandatory arguments to long options are mandatory for short options too.
-m, --mode=MODE set permission mode (as in chmod), not rwxrwxrwx - umask
-p, --parents no error if existing, make parent directories as needed
-v, --verbose print a message for each created directory
--help display this help and exit
--version output version information and exit
cd - change directories
Use cd to change directories. Type cd followed by the name of a directory to access that directory. Keep in mind that you are always in a directory and can navigate to directories hierarchically above or below.
mv - change the name of a directory
Type mv followed by the current name of a directory and the new name of the directory.
Ex: mv testdir newnamedir
pwd - print working directory
Shows the full path to the directory you are currently in. This is very handy to use, especially when performing some of the other commands on this page.
rmdir - Remove an existing directory
rm -r
Removes directories and files within the directories recursively.
chown - change file owner and group
Usage
chown [OPTION] OWNER[:[GROUP]] FILE
chown [OPTION] :GROUP FILE
chown [OPTION] --reference=RFILE FILE
Options
Change the owner and/or group of each FILE to OWNER and/or GROUP. With --reference, change the owner and group of each FILE to those of RFILE.
-c, --changes like verbose but report only when a change is made
--dereference affect the referent of each symbolic link, rather than the symbolic link itself
-h, --no-dereference affect each symbolic link instead of any referenced file (useful only on systems that can change the ownership of a symlink)
--from=CURRENT_OWNER:CURRENT_GROUP
change the owner and/or group of each file only if its current owner and/or group match those specified here. Either may be omitted, in which case a match is not required for the omitted attribute.
--no-preserve-root do not treat `/' specially (the default)
--preserve-root fail to operate recursively on `/'
-f, --silent, --quiet suppress most error messages
--reference=RFILE use RFILE's owner and group rather than specifying OWNER:GROUP values
-R, --recursive operate on files and directories recursively
-v, --verbose output a diagnostic for every file processed
The following options modify how a hierarchy is traversed when the -R option is also specified. If more than one is specified, only the final one takes effect.
-H if a command line argument is a symbolic link to a directory, traverse it
-L traverse every symbolic link to a directory encountered
-P do not traverse any symbolic links (default)
chmod - change file access permissions
Usage
chmod [-R] permissions filenames
-R Change the permissions on files in the subdirectories of the directory that you are currently in.
permissions Specifies the rights that are being granted. Below are the different rights that you can grant in alphabetic form.
filenames File or directory that you are associating the rights with.
Permissions
u - User who owns the file.
g - Group that owns the file.
o - Other.
a - All.
r - Read the file.
w - Write or edit the file.
x - Execute or run the file as a program.
Numeric Permissions:
chmod can also be given the permissions in numeric form:
400 read by owner
040 read by group
004 read by anybody (other)
200 write by owner
020 write by group
002 write by anybody
100 execute by owner
010 execute by group
001 execute by anybody
ls - Short listing of directory contents
-a list hidden files
-d list the name of the current directory
-F show directories with a trailing '/' and executable files with a trailing '*'
-g show group ownership of file in long listing
-i print the inode number of each file
-l long listing giving details about files and directories
-R list all subdirectories encountered
-t sort by time modified instead of name
cp - Copy files
ln - Creates a symbolic link to a file.
locate - A fast database driven file locator.
more - Allows file contents or piped output to be sent to the screen one page at a time
less - Opposite of the more command
cat - Sends file contents to standard output. This is a way to list the contents of short files to the screen. It works well with piping.
whereis - Report all known instances of a command
wc - Print byte, word, and line counts
bg
bg jobs Places the current job (or, by using the alternative form, the specified jobs) in the background, suspending its execution so that a new user prompt appears immediately. Use the jobs command to discover the identities of background jobs.
cal month year - Prints a calendar for the specified month of the specified year.
cat files - Prints the contents of the specified files.
clear - Clears the terminal screen.
cmp file1 file2 - Compares two files, reporting all discrepancies. Similar to the diff command, though the output format differs.
diff file1 file2 - Compares two files, reporting all discrepancies. Similar to the cmp command, though the output format differs.
dmesg - Prints the messages resulting from the most recent system boot.
fg
fg jobs - Brings the current job (or the specified jobs) to the foreground.
file files - Determines and prints a description of the type of each specified file.
find path -name pattern -print
Searches the specified path for files with names matching the specified pattern (usually enclosed in single quotes) and prints their names. The find command has many other arguments and functions; see the online documentation.
finger users - Prints descriptions of the specified users.
free - Displays the amount of used and free system memory.
ftp hostname
Opens an FTP connection to the specified host, allowing files to be transferred. The FTP program provides subcommands for accomplishing file transfers; see the online documentation.
head files - Prints the first several lines of each specified file.
ispell files - Checks the spelling of the contents of the specified files.
kill process_ids
kill -signal process_ids
kill -l
Kills the specified processes, sends the specified processes the specified signal (given as a number or name), or prints a list of available signals.
killall program
killall -signal program
Kills all processes that are instances of the specified program or sends the specified signal to all processes that are instances of the specified program.
mail - Launches a simple mail client that permits sending and receiving email messages.
man title
man section title - Prints the specified man page.
ping host - Sends an echo request via TCP/IP to the specified host. A response confirms that the host is operational.
reboot - Reboots the system (requires root privileges).
shutdown minutes
shutdown -r minutes
Shuts down the system after the specified number of minutes elapses (requires root privileges). The -r option causes the system to be rebooted once it has shut down.
sleep time - Causes the command interpreter to pause for the specified number of seconds.
sort files - Sorts the specified files. The command has many useful arguments; see the online documentation.
split file - Splits a file into several smaller files. The command has many arguments; see the online documentation
sync - Completes all pending input/output operations (requires root privileges).
telnet host - Opens a login session on the specified host.
top - Prints a display of system processes that's continually updated until the user presses the q key.
traceroute host - Uses echo requests to determine and print a network path to the host.
uptime - Prints the system uptime.
w - Prints the current system users.
wall - Prints a message to each user except those who've disabled message reception. Type Ctrl-D to end the message.
TIP 1:
All of these commands should work from your command prompt (regardless of which shell you're using). Just in case some folks were not aware, you MUST press enter to invoke the command.
TIP 2:
For this summary, please note that the EX: stands for example and is not part of the command. Commands are denoted in courier type font.
TIP 3:
If you need help understanding what the options are, or how to use a command, try adding this to the end of your command: --help
For example, for better understanding of the df command's options, type:
df --help
Command Summary
Use cd to change directories
Type cd followed by the name of a directory to access that directory.
Keep in mind that you are always in a directory and allowed access to any directories hierarchically above or below. Ex:
cd games
If the directory games is not located hierarchically below the current directory, then the complete path must be written out. Ex:
cd /usr/games
To move up one directory, use the shortcut command. Ex:
cd ..
Use clear to clear the command prompt
Type clear to clean up your command prompt window.
This is especially helpful when you are typing lots of commands and need a clean window to help you focus. Ex:
clear
This is also useful when you are getting ready to type a rather long command and do not wish to become confused by other details on the screen.
Use date to set your server's date and time
Type date followed by the two-digit month, the two-digit day, the two-digit hour, and two-digit minutes. The syntax is easy enough and resembles this: MMDDhhmm
This command is helpful but must be used as superuser or logged in as root. Otherwise you will get an "Operation not permitted" reply. As root user you can use the command such as:
date 11081300
The above command will set the server date and time to the 11th month (November), the 8th day, at 1:00pm.
Use df to check disk space
Typing df provides a very quick check of your file system disk space.
Type df -h to get a more easily readable version of the output. Notice that this command will include all applicable storage such as your hard disk/s (hda, hdb etc.) and your server SWAP file (shm). To list disk space including filesystem type:
df -h -T
Use finger to see who's on the system
Typing finger allows you to see who else is on the system or get detailed information about a person who has access to the system.
Type finger followed by the name of a user's account to get information about that user. Or, type finger and press enter to see who's on the system and what they are doing. Ex:
finger johndoe
Use logout to quit using the system
Yep, you guessed it, typing logout will log your account out of the system.
Type logout at the prompt to disconnect from your Linux machine or to log out a particular user session from the system. Keep in mind that although rudimentary, leaving your critical account logged on may be a security concern. We always recommend promptly using logout when you are finished using your root account! Ex:
logout
Use ls to list files and directories
Type ls to see a list of the files and directories located in the current directory. If you're in the directory named games and you type ls, a list will appear that contains files in the games directory and sub-directories in the games directory. Examples:
ls Mail
ls /usr/bin
Type ls -alt to see a list of all files (including .rc files) and all directories located in the current directory. The listing will include detailed, often useful information. Examples:
ls -alt
ls -alt /usr/bin
If the screen flies by and you miss seeing a number of files, try adding |more at the end, like:
ls -alt |more
In bash (the usual Linux shell) the abbreviated command l is often available as an alias. To get a verbose listing of files and directories you could therefore simply type: l
Use man to pull up information about a Linux command
Type man followed by a command to get detailed information about how to use the command. Ex:
man ls
Type man -k followed by a word to list all of the commands and descriptions that contain the word you specified. Ex:
man -k finger
Use more to read the contents of a file
Type more followed by the name of a text file to read the file's contents. Why do we emphasize using this on a "text" file? Because most other types of files will look like garbage! Ex:
more testfile.txt
Use nano to start a text editor
Typing nano will start a basic text editor on most Linux systems.
Type nano followed by the filename you wish to edit. This basic editor is quick and easy to use for beginners. However, it is very important that you also learn about other text editors available on Linux and UNIX systems, such as emacs, vi, and pico. Ex:
nano /etc/security/access.conf
Use passwd to change your current password
Type passwd and press enter. You'll see the message Changing password for yourname.
At the Old password: prompt, type in your old password.
Then, at the Enter new password: prompt, type in your new password.
The system double checks your new password. Beside the Verify: prompt, type the new password and press enter again.
Create a secure password that combines parts of words and numbers. For instance, your dog's name may be Rufus. He may have been born in 1980. Create a password that uses parts of both the name and date of birth, such as 80rufuS. Note the use of at least one capital letter. This is a fairly secure password and easy to remember.
Use pwd to list the name of your current directory
Type pwd and hit enter. You'll see the full name of the directory you are currently in. This is your directory path and is very handy, especially when you forget which directory you've changed to and are trying to run other commands.
Linux Files and File Permission
Linux files are set up so that access to them is controlled. There are three types of access:
1. read
2. write
3. execute
Each file belongs to a specific user and group. Access to the files is controlled by user, group, and what is called other. The term, other, is used to refer to someone who is not the user (owner) of the file, nor is the person a member of the group the file belongs to. When talking about setting permissions for "other" users to use, it is commonly referred to as setting the world execute, read, or write bit since anyone in the world will be able to perform the operation if the permission is set in the other category.
File names and permission characters
File names can be up to 256 characters long with "-", "_", and "." characters along with letters and numbers.
When a long file listing is done, there are 10 characters that are shown on the left that indicate type and permissions of the file. File permissions are shown according to the following syntax example: drwerwerwe
There are a total of 10 characters in this example, as in all Linux files. The first character indicates the type of file, and the next three indicate read, write, and execute permission for each of the three user types, user, group and other. Since there are three types of permission for three users, there are a total of nine permission bits. The table below shows the syntax:
Character   1      2     3     4        5     6     7        8     9     10
            File   User permissions    Group permissions    Other permissions
            type   Read  Write Execute  Read  Write Execute  Read  Write Execute
Example     d      r     w     e        r     w     e        r     w     e
• Character 1 is the type of file: - is ordinary, d is directory, l is link.
• Characters 2-4 show owner permissions. Character 2 indicates read permission, character 3 indicates write permission, and character 4 indicates execute permission.
• Characters 5-7 show group permissions. Character 5=read, 6=write, 7=execute
• Characters 8-10 show permissions for all other users. Character 8=read, 9=write, 10=execute
There are 5 possible characters in the permission fields. They are:
• r = read - This is only found in the read field.
• w = write - This is only found in the write field.
• x = execute - This is only found in the execute field.
• s = setuid - This is only found in the execute field.
• If there is a "-" in a particular location, there is no permission. This may be found in any field whether read, write, or execute field.
Examples
Type "ls -l" and a listing like the following is displayed:
total 10
drwxrwxrwx 4 george team1 122 Dec 12 18:02 Projects
-rw-rw-rw- 1 george team1 1873 Aug 23 08:34 test
-rw-rw-rw- 1 george team1 1234 Sep 12 11:13 datafile
Which means the following:
Type and     # of    File's   File's   Size in   Date of last    Filename
permissions  links   owner    group    bytes     modification
drwxrwxrwx   4       george   team1    122       Dec 12 18:02    Projects
The fields are as follows:
1. Type field: The first character in the field indicates a file type of one of the following:
o d = directory
o l = symbolic link
o s = socket
o p = named pipe
o - = regular file
o c = character (unbuffered) device special file
o b = block (buffered) device special file
2. Permissions are explained above.
3. Links: The number of directory entries that refer to the file. In our example, there are four.
4. The file's owner; in our example it is george.
5. The group the file belongs to. In our example, the group is team1.
6. The size of the file in bytes
7. The last modification date. If the file is recent, the date and time is shown. If the file is not in the current year, the year is shown rather than time.
8. The name of the file.
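The permission field and the rest of an ls -l line can be decoded mechanically. The shell functions below are an added example, not code from the original page: perm_to_octal turns the 10-character type-and-permission field into the four-digit octal mode (a lowercase s or t in an execute slot counts as the special bit plus execute, an uppercase S or T as the special bit without execute), and describe_ls_line splits a whole ls -l line into the numbered fields listed above. The sample lines fed to it at the end are taken from the listings on this page; nothing is read from a live system.

```sh
#!/bin/sh
# Added example: decode the "ls -l" permission field and line format described above.

# perm_to_octal FIELD: convert a 10-character field such as "-rwsr-xr-x" into a
# four-digit octal mode such as 4755 (first digit: setuid 4, setgid 2, sticky 1).
perm_to_octal() {
    p=$1
    [ "${#p}" -eq 10 ] || { echo "bad permission field: $p" >&2; return 1; }
    special=0
    digits=
    pos=2                       # character 1 is the file type; permissions start at 2
    for sbit in 4 2 1; do       # user, group, other: the special bit each execute slot can carry
        val=0
        r=$(printf '%s' "$p" | cut -c "$pos")
        w=$(printf '%s' "$p" | cut -c "$((pos + 1))")
        x=$(printf '%s' "$p" | cut -c "$((pos + 2))")
        [ "$r" = r ] && val=$((val + 4))
        [ "$w" = w ] && val=$((val + 2))
        case $x in
            x)   val=$((val + 1)) ;;
            s|t) val=$((val + 1)); special=$((special + sbit)) ;;   # special bit plus execute
            S|T) special=$((special + sbit)) ;;                      # special bit, no execute
            -)   ;;
            *)   echo "unexpected character '$x' in $p" >&2; return 1 ;;
        esac
        digits="$digits$val"
        pos=$((pos + 3))
    done
    printf '%d%s\n' "$special" "$digits"
}

# describe_ls_line LINE: split one "ls -l" line into the fields numbered above
# (type, links, owner, group, size, name) and report the mode in octal.
describe_ls_line() {
    set -f                      # no globbing while we word-split the line
    set -- $1
    set +f
    [ $# -ge 9 ] || { echo "not an ls -l line" >&2; return 1; }
    perm=$1 links=$2 owner=$3 group=$4 size=$5
    shift 8                     # skip the three date/time words as well
    name=$*
    case $perm in
        -*) type="regular file" ;;  d*) type=directory ;;   l*) type="symbolic link" ;;
        s*) type=socket ;;          p*) type="named pipe" ;; c*) type="character device" ;;
        b*) type="block device" ;;  *)  type=unknown ;;
    esac
    mode=$(perm_to_octal "$perm") || return 1
    printf '%s %s owner=%s group=%s links=%s size=%s name=%s\n' \
        "$type" "$mode" "$owner" "$group" "$links" "$size" "$name"
}

# Sample lines from the listings on this page (constructed input, not a live system):
describe_ls_line "drwxrwxrwx 4 george team1 122 Dec 12 18:02 Projects"
describe_ls_line "-rws--x--x 1 root root 14024 Sep 9 1999 chfn"
describe_ls_line "drwxrwxrwt 13 root root 4096 Apr 15 08:05 tmp"
```

The decoder is pure shell (only cut is used) so it runs the same on any Unix; it does not handle file names containing several spaces in a row, which word splitting collapses.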
Set User Identification Attribute
The file permission bits include an execute permission bit for file owner, group and other. When the execute bit for the owner is set to "s", the set user ID bit is set. This causes any person or process that runs the file to have access to system resources as though they were the owner of the file. When the execute bit for the group is set to "s", the set group ID bit is set and the user running the program is given access based on the access permissions of the group the file belongs to. The following command:
chmod +s myfile
sets the user ID bit on the file "myfile". The command:
chmod g+s myfile
sets the group ID bit on the file "myfile".
The listing below shows a listing of two files that have the group or user ID bit set.
-rws--x--x 1 root root 14024 Sep 9 1999 chfn
-rwxr-sr-x 1 root mail 12072 Aug 16 1999 lockfile
The files chfn and lockfile are located in the directory "/usr/bin". The "s" takes the place of the normal location of the execute bit in the file listings above. This special permission mode has no meaning unless the file has execute permission set for either the group or other as well. This means that in the case of lockfile, if the other users (world execute) bit were not set, the special bit would be meaningless since only members of that same group could run the program anyhow. In both files, everyone can execute the binary. The first program, when run, is executed as though the program were the root user. The second program is run as though the group "mail" were the user's group.
For system security reasons it is not a good idea to set programs' set user or group ID bits any more than necessary, since this can give an unauthorized user privileges in sensitive system areas. If the program has a flaw that allows the user to break out of its intended use, then the system can be compromised.
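Keeping the number of such programs small starts with knowing which files carry these bits and noticing when a new one appears. The shell functions below are an added example, not part of the original page: list_special_bits uses find -perm to report every regular file under a directory with setuid or setgid set, and new_special_bits compares the current inventory against a saved baseline. They assume GNU coreutils stat for printing the mode; the file names in the usage comments are placeholders.

```sh
#!/bin/sh
# Added example: inventory setuid/setgid files and compare against a baseline.
# Assumes GNU coreutils stat (stat -c '%a %n' prints "mode path").

# list_special_bits DIR: print "MODE PATH" for every regular file under DIR that
# has the setuid (4000) or setgid (2000) bit set, sorted so runs can be compared.
list_special_bits() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec stat -c '%a %n' {} + \
        | LC_ALL=C sort
}

# count_special_bits DIR: how many such files exist under DIR.
count_special_bits() {
    list_special_bits "$1" | wc -l | tr -d ' '
}

# save_baseline DIR FILE: record the current inventory for later comparison.
save_baseline() {
    list_special_bits "$1" > "$2"
}

# new_special_bits DIR BASELINE: print entries present now but absent from the
# saved baseline, i.e. files that gained setuid/setgid (or changed mode) since then.
new_special_bits() {
    list_special_bits "$1" | grep -vxF -f "$2" || [ $? -eq 1 ]   # grep status 1 just means "nothing new"
}

# Usage on a live system (output depends on the host; paths are placeholders):
#   list_special_bits /usr/bin
#   save_baseline / /var/lib/special-bits.baseline
#   new_special_bits / /var/lib/special-bits.baseline     # run from cron, alert on any output
```

Because the inventory line includes the mode, a binary that changes from setuid to plain (or the reverse) also shows up as a difference, not only a newly added file.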
Directory Permissions
There are two special bits in the permissions field of directories. They are:
• s - Set group ID
• t - Save text attribute (sticky bit) - The user may delete or modify only those files in the directory that they own or have write permission for.
Save text attribute
The /tmp directory is typically world-writable and looks like this in a listing:
drwxrwxrwt 13 root root 4096 Apr 15 08:05 tmp
Everyone can read, write, and access the directory. The "t" indicates that only the user (and root, of course) that created a file in this directory can delete that file.
To set the sticky bit in a directory, do the following:
chmod +t data
This option should be used carefully. A possible alternative to this is:
1. Create a directory in the user's home directory to which he or she can write temporary files.
2. Set the TMPDIR environment variable using each user's login script.
3. Programs using the tempnam(3) function will look for the TMPDIR variable and use it, instead of writing to the /tmp directory.
Directory Set Group ID
If the setgid bit on a directory entry is set, files in that directory will have the same group ownership as the directory, instead of the group of the user that created the file.
This attribute is helpful when several users need access to certain files. If the users work in a directory with the setgid attribute set, then any files created in the directory by any of the users will have the permissions of the group. For example, the administrator can create a group called spcprj and add the users Kathy and Mark to the group spcprj. The directory spcprjdir can be created with the set GID bit set, and Kathy and Mark, although in different primary groups, can work in the directory and have full access to all files in that directory, but still not be able to access files in each other's primary group.
The following command will set the GID bit on a directory:
chmod g+s spcprjdir
The directory listing of the directory "spcprjdir":
drwxrwsr-x 2 kathy spcprj 1674 Sep 17 1999 spcprjdir
The "s" in place of the execute bit in the group permissions causes all files written to the directory "spcprjdir" to belong to the group "spcprj".
Examples
Below are examples of making changes to permissions:
chmod u+x myfile Gives the user execute permission on myfile.
chmod +x myfile Gives everyone execute permission on myfile.
chmod ugo+x myfile Same as the above command, but specifically specifies user, group and other.
chmod 400 myfile Gives the user read permission, and removes all other permissions. These permissions are specified in octal: the first digit is for the user, the second for the group and the third is for other. The high bit (4) is for read access, the middle bit (2) is for write access, and the low bit (1) is for execute access.
chmod 764 myfile Gives user full access, group read and write access, and other read access.
chmod 751 myfile Gives user full access, group read and execute permission, and other, execute permission.
chmod +s myfile Set the setuid bit.
chmod go=rx myfile Remove read and execute permissions for the group and other.
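To see what each form above actually does, the following added example (not code from the original page) applies chmod operations to a scratch file in a temporary directory and reads the mode back with stat -c %a, the GNU coreutils form of stat, which prints the octal mode with the setuid/setgid/sticky digit in front when one is set. Every run starts from mode 600 under umask 022 so that forms without a who letter, such as +x, behave predictably. It also covers the chmod +t case from the directory section above. Note what the run shows for go=rx: it assigns group and other exactly r-x, so write is removed while read and execute are present afterwards.

```sh
#!/bin/sh
# Added example: apply the chmod forms listed above to a scratch file and read back
# the resulting mode. Assumes GNU coreutils stat (stat -c '%a' prints the octal mode).

mode_of() { stat -c '%a' "$1"; }

# final_mode OP...: create a fresh file at mode 600 (umask 022 so that who-less
# forms like "+x" are deterministic), apply each chmod OP in order, print the result.
final_mode() {
    (
        umask 022
        dir=$(mktemp -d) || exit 1
        f=$dir/myfile
        : > "$f" && chmod 600 "$f" || { rm -rf "$dir"; exit 1; }
        for op in "$@"; do
            chmod "$op" "$f" || { rm -rf "$dir"; exit 1; }
        done
        mode_of "$f"
        rm -rf "$dir"
    )
}

# sticky_dir_mode: the "chmod +t data" case from above, on a scratch directory at 755.
sticky_dir_mode() {
    (
        dir=$(mktemp -d) || exit 1
        mkdir "$dir/data" && chmod 755 "$dir/data" && chmod +t "$dir/data" || exit 1
        mode_of "$dir/data"
        rm -rf "$dir"
    )
}

# Walk through the page's examples; each line prints "<ops> -> <mode>".
for ops in "u+x" "+x" "ugo+x" "400" "764" "751" "755 u+s" "764 go=rx"; do
    printf '%-10s -> %s\n' "$ops" "$(final_mode $ops)"
done
printf '%-10s -> %s\n' "dir +t" "$(sticky_dir_mode)"
```

The work happens in a subshell so the umask change never leaks into the calling shell, and the scratch directory is removed on every path.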
Below are examples of making changes to owner and group:
chown mark test1 Changes the owner of the file test1 to the user Mark.
chgrp mark test1 Changes the file test1 to belong to the group "mark".
Note: Linux files were displayed with a default tab value of 8 in older Linux versions. That means that file names longer than 8 may not be displayed fully if you are using an old Linux distribution. There is an option associated with the ls command that solves this problem. It is "-T". Ex: "ls -al -T 30" to make the tab length 30.
Umask Settings
The umask command is used to set and determine the default file creation permissions on the system. It is the octal complement of the desired file mode for the specific file type. Default permissions are:
• 777 - Executable files
• 666 - Text files
These defaults are set to allow all users to execute an executable file and not to execute a text file. The defaults allow all users to read and write the file.
The permission for the creation of new executable files is calculated by subtracting the umask value from the default permission value for the file type being created. An example for a text file is shown below with a umask value of 022:
666 Default Permission for text file
-022 Minus the umask value
-----
644 Allowed Permissions
Therefore the umask value is an expression of the permissions the user, group and world will not have as a default with regard to reading, writing, or executing the file. The umask value here means the group the file belongs to and users other than the owner will not be able to write to the file. In this case, when a new text file is created it will have a file permission value of 644, which means the owner can read and write the file, but members of the group the file belongs to, and all others can only read the file. A long directory listing of a file with these permissions set is shown below.
-rw-r--r-- 1 root workgrp 14233 Apr 24 10:32 textfile.txt
An example command to set the umask is:
umask 022
The most common umask setting is 022. The /etc/profile script is where the umask command is usually set for all users.
Red Hat Linux has a user and group ID creation scheme where there is a group for each user and only that user belongs to that group. If you use this scheme consistently you only need to use 002 for your umask value with normal users.
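The subtraction above gives the right answer for 022 because 022 has no bit that 666 lacks; in general the kernel clears each bit of the umask rather than subtracting, so 666 with umask 027 gives 640, not 637. The added example below, which is not part of the original page, computes the effective mode that way and then creates real files and directories under different umasks in a scratch directory to confirm it. It also covers mkdir -m from the mkdir options earlier on the page, which sets the directory mode explicitly and is therefore not reduced by the umask. It assumes GNU coreutils stat (stat -c '%a').

```sh
#!/bin/sh
# Added example: umask as a bitwise mask, confirmed by creating real files.
# Assumes GNU coreutils stat (stat -c '%a' prints the octal mode).

# effective_mode BASE UMASK: BASE with every bit of UMASK cleared. Both are
# octal strings as typed at the shell (666, 777, 022, 027, ...).
effective_mode() {
    printf '%03o\n' "$(( 0$1 & ~0$2 ))"
}

# created_mode file|dir UMASK [MKDIR_MODE]: in a subshell, set the umask, create
# one new file or directory in a scratch directory, and print the mode it got.
# A third argument is passed to "mkdir -m", which applies that mode explicitly.
created_mode() {
    (
        umask "$2" || exit 1
        dir=$(mktemp -d) || exit 1
        case $1 in
            file) : > "$dir/new" ;;
            dir)  if [ -n "${3-}" ]; then mkdir -m "$3" "$dir/new"; else mkdir "$dir/new"; fi ;;
            *)    echo "first argument must be file or dir" >&2; rm -rf "$dir"; exit 1 ;;
        esac || { rm -rf "$dir"; exit 1; }
        stat -c '%a' "$dir/new"
        rm -rf "$dir"
    )
}

# Calculated versus observed modes for the common umask values.
for u in 022 027 077 002; do
    printf 'umask %s: text file %s (calc %s)  directory %s (calc %s)  mkdir -m 700 -> %s\n' \
        "$u" "$(created_mode file "$u")" "$(effective_mode 666 "$u")" \
        "$(created_mode dir "$u")" "$(effective_mode 777 "$u")" \
        "$(created_mode dir "$u" 700)"
done
```

The 027 row is the one where subtraction and masking differ; 077 is the value to use when new files should be private to their owner by default.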
Accessing Removable Media
Making a Linux Filesystem on a Floppy
1. Use fdformat /dev/fd0H1440
2. To make a filesystem on the disk type "mkfs -t filesystem -c /dev/fd0H1440" where filesystem is the type of filesystem, usually ext2 (Linux native).
3. Mount the filesystem: "mount -t ext2 /dev/fd0 /mnt/floppy"
Mounting floppy and CD-ROM drives
mount /dev/fd0 /mnt/floppy To mount a floppy
umount /dev/fd0 To unmount a floppy
mount /dev/cdrom /mnt/cdrom To mount a cdrom or
mount -t iso9660 -r /dev/cdrom /mnt/cdrom Another way to mount a CD-ROM with type specified or mount -t auto /dev/cdrom /mnt/cdrom
Note the CDROM may be on the secondary controller as a master (/dev/hdc) or slave (/dev/hdd). In fact, your /dev/cdrom is probably actually a softlink to one of these two devices, if you have an IDE interface. If you use SCSI, you will probably use something like /dev/sda1 or 2, etc.
Mounting a parallel port zip drive:
mount -t vfat /dev/sda4 /mnt/zipdrive
Note: in all these examples, the mount points must exist, be empty, and not already have a device mounted on them. Also you must unmount the device before removing it.
Setting up Removable and External Filesystems to Automatically mount when used
1. The program "autofs" must be set up to run as a daemon upon system startup. To do this with Redhat Linux, use the program "linuxconf" and select "Control", "Control panel", "Control Service activity". Activate "autofs" using the menu selections.
2. Edit the file "/etc/auto.master" to the following:
/mnt /etc/auto.misc --timeout 20
The above example sets the program to unmount the device after 20 seconds.
3. Edit the file "/etc/auto.misc" adding lines like:
cd -fstype=iso9660,ro :/dev/cdrom
fl -fstype=auto :/dev/fd0
This will cause the CD-ROM to be mounted when you access the directory "/mnt/cd" and the floppy to be mounted when you access "/mnt/fl". The directories "/mnt/cd" and "/mnt/fl" must not exist in order for this to work.
4. To use automount, put a CD in the CD-ROM drive and type "ls /mnt/cd" or "cd /mnt/cd".
Linux Package Installation and Printing
Generally, a large part of Linux consists of the packages you load on your system. These packages may be for various specific purposes such as adding shadow passwords, adding a secure telnet client, adding some type of network service, or perhaps upgrading the Apache web server. Whatever the reason, you will need to find the appropriate package on the web, download it, compile it, and install it. The package will come with instructions on how to do this. Some are easy to install, others may be complicated. This section gives general instructions commonly found and required when installing many packages. Please be aware, however, that there may be differences between these instructions and those that come with your package. You should read the instructions that come with your package.
Package installations
tar.gz source package general instructions
1. Read the install documentation that comes with the package (usually files named README and INSTALL).
2. Put the packed file in the directory you want the source tree to be unpacked under.
3. Examine the package with the command "tar tvzpf packagename.tar.gz" to see where it will unpack and what files it contains. Refuse an archive whose members have absolute paths or ".." components: they would be written outside the directory you are unpacking into.
4. Unpack the tar.gz file in one step with "tar xvzpf packagename.tar.gz", or in two steps with "gunzip packagename.tar.gz" followed by "tar xvpf packagename.tar". It will create a directory like "packagename-2.3.4" and place the extracted files there.
5. Typically the following outlines the rest of the steps, but they will vary from package to package. Go into the created subdirectory and type "./configure".
6. Type "make" (or "make all").
7. Type "make install" as root. Only this last step needs root; do the configure and build steps as an ordinary user.
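Step 3 above can be done mechanically. The script below is an added example for this guide, not part of any package's instructions: it lists the archive with "tar tzf", refuses member names that are absolute or contain "..", and warns when the members do not all live under one top-level directory (an archive that would scatter files into the current directory). Those three rules, and the function names, are assumptions of the example.

```shell
#!/bin/sh
# inspect_tarball.sh: do step 3 above mechanically before step 4.
# Added example for this guide, not part of any package's instructions.
# The checks are my own (assumption): a member name must not be absolute,
# must not contain "..", and all members should live under one top-level
# directory so the archive cannot scatter files into the current directory.

# check_tar_listing
# Reads member names on stdin, one per line (the output of "tar tzf").
# Prints every problem found and returns 0 if the listing is safe, 1 if not.
check_tar_listing() {
    status=0
    top=""
    while IFS= read -r member; do
        [ -n "$member" ] || continue
        case "$member" in
            /*)  echo "absolute path: $member"; status=1 ;;
            ..|../*|*/..|*/../*)
                 echo "parent directory reference: $member"; status=1 ;;
        esac
        first=${member%%/*}            # first path component
        if [ -z "$top" ]; then
            top=$first
        elif [ "$first" != "$top" ]; then
            echo "not under one directory: $member (expected $top/)"; status=1
        fi
    done
    return $status
}

# inspect_tarball FILE.tar.gz: list the archive and run the checks on it.
inspect_tarball() {
    tar tzf "$1" | check_tar_listing
}

# extract_tarball FILE.tar.gz: unpack only if the inspection passed.
extract_tarball() {
    if inspect_tarball "$1"; then
        tar xzpf "$1"
    else
        echo "refusing to unpack $1" >&2
        return 1
    fi
}

# Usage: sh inspect_tarball.sh packagename.tar.gz ...
for f in "$@"; do
    inspect_tarball "$f" && echo "$f: ok"
done
```

Recent versions of GNU tar strip a leading "/" or "../" from member names and warn; the tar shipped with older distributions extracts them as given, which is why the listing step matters.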
Installing Redhat Packages
rpm --help To get help
rpm -q mypack Queries the database of installed packages to see if mypack is installed and which version.
rpm -ivh mypack-1.0-1.rpm Installs mypack.
rpm -Uvh mypack-2.0-1.rpm Upgrades mypack (note the capital U; it installs the package if it is not already present).
rpm -qip mypack-1.2.2.rpm To query with details about the package file before installing it.
rpm -qlp mypack-1.2.2.rpm Gives a list of files this package installs.
rpm -K mypack-1.2.2.rpm Checks the package's signature and checksums (same as "rpm --checksig"). Do this before installing a package obtained from the web.
rpm -e mypack-1.2.2 Removes the installed package mypack-1.2.2 (a bare package name such as "rpm -e mypack" also works; the .rpm file name is not used here).
Typically RPM packages come with binary files ready for installation, so all you need to do is the install as in the line above. The compilation, which is the last three steps in the tar example in the first section above, does not need to be done. If you get a source package (a .src.rpm) rather than a binary package, you will need to compile the code and then install it. If you just do the binary installation, be sure you get the package from a reliable source and verify its signature with "rpm -K", so you don't get lovely extras like trap doors, trojans, or viruses: a package's install scripts run as root.
Setting Linux Print Spooling
Printing is supported by "lpd", the line printer spooler daemon, which you should activate to support print services. Once print services are set up, type "lpr -s -Pprinter filename" where "printer" is the name of your printer (the default is lp). The '-s' option tells lpr to use a symbolic link to the file rather than copying it into the spool directory, so the file must not be changed or removed until it has printed. If the '-P' option is left out, the default printer name will be assumed.
Print spooling can be set up easily in Redhat using the "printtool" configuration tool by following these steps:
1. Type "startx" to enter an x windows session.
2. Open a terminal under x windows
3. Type "printtool" in the terminal and press Enter.
4. Edit or add a printer. Note that lp is the default printer for the lpd daemon.
5. You can make the name of the printer anything you want. Note: lp is default.
6. The spool directory should be "/var/spool/lpd/printername".
7. The printer server name should be the name of the server computer that the printer is attached to. Example PRT_SRV1
8. The print queue name is the name of the printer as the printer server computer perceives it. Example: HP_LASER1.
9. Depending on the network and how the printer resource is shared you may or may not need a user name and password.
How it works:
1. Note the file "/etc/printcap" defines what filter script file will be used to output the printfile. Type "man lpd" and "man printcap" for more information.
2. The filter script gets its input from standard input sometimes using such commands as "cat -", see the cat man page. It also uses "file -" to get a description of the input.
3. On netware print servers, you must be logged on before it will work. I use the scripts from the section on "Network printing setup and use" to logon and type "neton username".
Other useful commands for printing:
lpr - Prints a file to default lp printer
lpq - Shows the jobs waiting in the print queue.
lpc - Line printer control program. Type "lpc status" to see status on all printers. This command can enable or disable printing or queuing.
lprm - Remove a job from the print queue using number reported by lpq. Ex: lprm 14
tunelp - A utility to tune the printer port. "tunelp /dev/lp0 -q on" displays the IRQ for the device.
The directory /var/spool/lpd contains a directory for every printer. This is where the print files are spooled.
To set up a printer on a parallel or serial port:
A printer on the first parallel port is probably /dev/lp0 or /dev/lp1.
To test the printer type "lptest > /dev/lp1" to send test output directly to the printer. If the printer is a postscript printer you need to send it a postscript file by typing "cat test.ps > /dev/lp1". The lptest program is a utility made to test a printer.
If the printer is serial, output is directed to /dev/ttyS0 or /dev/ttyS1.
The /etc/printcap file:
The printcap file begins a comment line with #
Example:
ljet4|lp|ps|Postscript|600dpi 20MB memory|end of hall|local|LPT1:\
:lp=/dev/lp0:rw:\
:sd=/var/spool/lpd/ljet4:mx#0:mc#0:pl#72:pw#85:\
:lf=/var/log/lpd-errs:if=/usr/local/cap/ljet4:
On the first (logical) line, which the backslashes continue across several physical lines, the printer's names are shown with each name separated by '|'. Any of these names can be given to lpr with -P.
Capabilities include:
• The lp line is the device name for output (local printer).
• rw is specified if the printer can send data back to the host through the device file. A network printer uses /dev/null.
• mx - Sets the maximum size of a print job.
• pl - page length.
• pw - page width.
• The sd line is the subdirectory the files are spooled in
• The if line is the input filter to use.
• br-baud rate for a serial port
• sh-suppress header
• rp-remote printer
• rm-remote host that controls remote printer
• rs- restrict access to local printers to users with an account
• rg-restricted group that can use the printer
Configuration, Logging, and CRON
Linux System Configuration
In the subdirectory "/etc/sysconfig" are groups of files describing your system as follows:
• mouse - Describes the type of mouse and whether a three button mouse is emulated.
• keyboard - Describes the keyboard table.
• network - Describes if this machine supports networking, IP forwarding, sets the host name, sets the gateway, and describes the network interface the gateway will be found on.
• hwconf - Describes the hardware devices on your system in terms of vendor ID and device ID.
• init - Defines many initialization items for the system.
• static-routes - Defines the static routes if your machine is performing routing tasks. See the Networking Guide section on routing.
• Subdirectories:
o console - Defines your system keymapping. Normally contains the default.kmap file which is loaded when the system starts.
o network-scripts - This directory contains files used to configure your ethernet card. such as ifcfg-eth0, ifcfg-eth1, etc. In this file you set your permanent device name, IP address, netmask and other parameters.
For more information on setting these files up and how they are formatted, read "How Linux Works".
The /proc filesystem and the sysctl utility
The /proc filesystem is used to present many system configuration parameters. It is a virtual filesystem that resides in the kernel's memory; its files take no disk space. Most of it is read-only, even for root. The exception is /proc/sys, which root can write to in order to change kernel parameters while the system runs (for example, "echo 1 > /proc/sys/net/ipv4/ip_forward" turns on IP forwarding); this is the tree that the sysctl utility reads and writes.
To see how much memory linux is using type:
cat /proc/meminfo
or:
free
cat /proc/cpuinfo To see information about your cpu
cat /proc/interrupts List interrupts in use
cat /proc/version List Linux version
cat /proc/filesystems List the types of filesystems in use
lsmod Show the kernel modules currently loaded
The "sysctl" program will list and set kernel parameters. Type "sysctl -a | more" to see a list of kernel parameters on your system, and "sysctl -w name=value" to change one; the name is the path under /proc/sys with dots in place of slashes. Settings listed in "/etc/sysctl.conf" are applied at boot.
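As an added example for this guide (not from the original text), the script below reads a handful of security-relevant parameters straight out of /proc/sys and compares them with a baseline for a host that is not a router. The parameter list and the wanted values are my own baseline and are an assumption; the function names are also assumptions. The root directory is a parameter so the same functions can be run against a copy of the tree.

```shell
#!/bin/sh
# audit_sysctl.sh: compare a few security-relevant kernel parameters against
# a baseline by reading them straight from /proc/sys.
# Added example for this guide.  The parameter list and expected values are
# my own hardening baseline (assumption), not settings from the original text.

# read_param ROOT NAME: print the value of ROOT/NAME, or "missing" when the
# running kernel does not expose that parameter (feature compiled out).
read_param() {
    if [ -r "$1/$2" ]; then
        cat "$1/$2"
    else
        echo missing
    fi
}

# audit_sysctl [ROOT]
# Prints one line per parameter and returns the number of mismatches,
# so 0 means the system matches the baseline.
audit_sysctl() {
    root=${1:-/proc/sys}
    bad=0
    # Baseline: path under /proc/sys, then the value wanted on a host that
    # is not a router.
    set -- \
        net/ipv4/ip_forward                   0 \
        net/ipv4/conf/all/accept_source_route 0 \
        net/ipv4/conf/all/accept_redirects    0 \
        net/ipv4/conf/all/rp_filter           1 \
        net/ipv4/icmp_echo_ignore_broadcasts  1 \
        net/ipv4/tcp_syncookies               1
    while [ $# -ge 2 ]; do
        name=$1; want=$2; shift 2
        have=$(read_param "$root" "$name")
        if [ "$have" = "$want" ]; then
            echo "ok        $name = $have"
        else
            # sysctl(8) names use dots where /proc/sys uses slashes.
            dotted=$(echo "$name" | tr / .)
            echo "MISMATCH  $name = $have (want $want; fix: sysctl -w $dotted=$want)"
            bad=$((bad + 1))
        fi
    done
    return $bad
}

# Usage: sh audit_sysctl.sh /proc/sys
if [ $# -ge 1 ]; then
    audit_sysctl "$1"
fi
```

A parameter reported as "missing" counts as a mismatch on purpose: a kernel without, say, syncookie support cannot be in the wanted state, and the line tells you why.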
For more in depth information on the proc filesystem, read "How Linux Works".
Linux System logging
The system daemon called syslogd is the program used to log system events such as kernel messages, login or logout messages, general system messages, etc. The /etc/syslog.conf file controls where syslogd records logging information, that is, where your log files are kept. Typically these files are in the "/var/log" directory.
My "/etc/syslog.conf" file:
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail, news and auth) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;news.none;authpriv.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* /var/log/maillog
# Everybody gets emergency messages, plus log them on another
# machine.
*.emerg *
# Save mail and news errors of level err and higher in a
# special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
#
# INN
#
news.=crit /var/log/news/news.crit
news.=err /var/log/news/news.err
news.notice /var/log/news/news.notice
The first field is a selector: a facility, followed by a ".", followed by a priority, such as "uucp,news.crit" above, where the facilities are uucp and news and the priority is crit. A selector matches messages of that priority and higher; "=crit" matches only crit, and "none" excludes the facility. Several selectors can be joined with ";" on one line, as in the "/var/log/messages" line above. The last part of each line specifies the name of the log file where that log will be kept; an action of "@loghost" forwards the messages to the syslogd on another machine instead, which is what the comment above the "*.emerg" line refers to. syslogd expects tabs, not spaces, between the selector and the action.
Facilities are:
• authpriv, auth (deprecated) - Security/authorization messages
• cron - The clock daemon (cron and at)
• daemon - Other system daemons
• kern - Kernel messages
• lpr - Line printer subsystem
• mail - Mail subsystem.
• mark - For internal use
• news - Usenet news subsystem.
• security (deprecated, same as auth) - should not be used anymore.
• syslog - Messages generated internally by syslogd.
• user - Generic user level messages
• uucp - UUCP (Unix-Unix copy) subsystem.
• local0 through local7
The ``authpriv'' facility should be separated from other log data, including attempts to switch users using /bin/su, login attempts, and other user accounting information.
Priority is one of the following with the least severity listed first:
• debug - Debug level message
• info - Informational message
• notice - Normal but significant conditions
• warning, warn (deprecated) - Warning conditions
• err, error (deprecated) - Error conditions
• crit - Critical conditions
• alert - Action must be taken immediately
• emerg, panic - System is unusable
An "*" stands for all facilities or all priorities. Many distributions default to only logging the most basic information. You may want to customize system logging for your environment.
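To see exactly where a message ends up under these rules, here is an added example (not from the original page) that resolves a facility and priority against a syslog.conf read on standard input. It follows sysklogd's rules: each selector adds the priorities it names for its facilities, "=prio" adds exactly one priority, "none" clears the facility, and a message goes to the action when its priority is in the resulting set. The configuration listed above is embedded as the sample input, with its comments removed. The "!" negations and the "-" unbuffered-file prefix that newer syslogd versions accept are not handled (assumption: this file does not use them).

```shell
#!/bin/sh
# syslog_route.sh: which actions in a syslog.conf receive a given message?
# Added example for this guide; SAMPLE_CONF is the /etc/syslog.conf listed
# above, and the routing logic follows sysklogd's rules (see text).

# syslog_route FACILITY PRIORITY < syslog.conf
# Prints the action (file, "@host", "*", ...) of every rule that matches.
syslog_route() {
    awk -v fac="$1" -v pri="$2" '
    BEGIN {
        n = split("debug info notice warning err crit alert emerg", names, " ")
        for (i = 1; i <= n; i++) level[names[i]] = i
        level["warn"] = 4; level["error"] = 5; level["panic"] = 8   # deprecated spellings
        if (!(pri in level)) { print "unknown priority: " pri > "/dev/stderr"; exit 2 }
    }
    /^[ \t]*(#|$)/ { next }                      # comments and blank lines
    NF >= 2 {
        for (l = 1; l <= 8; l++) allowed[l] = 0   # priority set for our facility
        ns = split($1, sels, ";")
        for (i = 1; i <= ns; i++) {
            if (split(sels[i], fp, "\\.") != 2) continue
            nf = split(fp[1], facs, ",")
            hit = 0
            for (j = 1; j <= nf; j++) if (facs[j] == "*" || facs[j] == fac) hit = 1
            if (!hit) continue
            want = fp[2]
            if (want == "none")                 for (l = 1; l <= 8; l++) allowed[l] = 0
            else if (want == "*")               for (l = 1; l <= 8; l++) allowed[l] = 1
            else if (substr(want, 1, 1) == "=") allowed[level[substr(want, 2)]] = 1
            else if (want in level)             for (l = level[want]; l <= 8; l++) allowed[l] = 1
        }
        if (allowed[level[pri]]) print $2
    }'
}

# The syslog.conf from the text, comments stripped (tabs or spaces between
# the two fields make no difference to this script).
SAMPLE_CONF='
*.info;mail.none;news.none;authpriv.none   /var/log/messages
authpriv.*                                 /var/log/secure
mail.*                                     /var/log/maillog
*.emerg                                    *
uucp,news.crit                             /var/log/spooler
local7.*                                   /var/log/boot.log
news.=crit                                 /var/log/news/news.crit
news.=err                                  /var/log/news/news.err
news.notice                                /var/log/news/news.notice
'

# Usage: sh syslog_route.sh authpriv info < /etc/syslog.conf
#   or:  sh syslog_route.sh authpriv info      (no redirect: uses SAMPLE_CONF)
if [ $# -eq 2 ]; then
    if [ -t 0 ]; then
        printf '%s\n' "$SAMPLE_CONF" | syslog_route "$1" "$2"
    else
        syslog_route "$1" "$2"
    fi
fi
```

Running it for "authpriv info" against the sample prints only /var/log/secure, which confirms that the "authpriv.none" on the messages line keeps su and login records out of the world-readable /var/log/messages.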
Linux Logrotate
Going hand in hand with the system logging capability is logrotate, which is used to manage log files. The logrotate program rotates, compresses, and/or mails system log files. It is normally run daily from cron. It is configured with the file "/etc/logrotate.conf", which is given on the command line when logrotate is run. The logrotate configuration file on my system is listed below:
# see "man logrotate" for details
# rotate log files weekly
weekly
# keep 4 weeks worth of backlogs
rotate 4
# send errors to root
errors root
# create new (empty) log files after rotating old ones
create
# uncomment this if you want your log files compressed
#compress
# RPM packages drop log rotation information into this directory
include /etc/logrotate.d
# no packages own lastlog or wtmp -- we'll rotate them here
/var/log/wtmp {
monthly
create 0664 root utmp
rotate 1
}
/var/log/lastlog {
monthly
rotate 1
}
# system-specific logs may be configured here
Some of the logrotate configuration directives include:
• daily - log files are rotated every day
• weekly - log files are rotated once a week.
• monthly - log files are rotated once a month
• rotate - The number of rotated copies of a log file to keep; once that count is exceeded the oldest copy is deleted or mailed to the address given by a mail directive. "rotate 0" keeps none.
• include - Includes a file in this file as though it were in line. If the file is a directory, the files under that directory are included. In my copy above, there are several files under the directory "/etc/logrotate.d" which are used for logging various daemons.
• create - "create mode owner group". Creates the file with the specified mode, owner and group ids.
• copytruncate - truncate the original file after creating a copy so programs appending data will not have a problem.
• compress - Old versions of the log file are compressed with gzip.
• nocompress - Old log files are not compressed.
• errors - Any errors during logfile processing are mailed to the address "errors address".
• mail - When a log is rotated out of existence, it is mailed to the specified address "mail address".
There are many other directives associated with the logrotate program. Type "man logrotate" for more information.
Other system tracking files:
/var/log/wtmp - Binary info on users that have been logged on. The last command uses this info.
/var/run/utmp - Binary info on users currently logged on. The commands who, w, and finger use this info.
/var/log/lastlog - Records the last login time of each user. Used by finger and the lastlog command.
Scheduling tasks with CRON
Cron runs commands from the /etc/crontab file, the /etc/cron.d directory, and the /var/spool/cron directory, whose files are named after the users (from /etc/passwd) who installed them. Cron commands are scheduled in three locations:
• The directory "/var/spool/cron" with files named after accounts in "/etc/passwd". The format of files here is described in the crontab(1) manpage.
• The directory "/etc/cron.d". The format of files here is described in the crontab(5) manpage.
• The file called "/etc/crontab". The syntax of each line in this file is:
minute, hour, day of month, month, day of week, user name, command
Months are specified using the numbers 1 through 12, and days of the week 0 through 7 (0 and 7 are both Sunday). The user name field is present only in the system crontab files (/etc/crontab and /etc/cron.d); in a user's own crontab the command follows the five time fields directly. Some example entries are listed below:
*/10 * * * * root /sbin/rmmod -as Every 10 minutes all unused kernel modules are unloaded (a system crontab entry, so it carries the user field).
0 1 * * * find /tmp -atime +3 -exec ls -l {} \; Lists files in /tmp that were last accessed more than 3 days ago. Runs at 1:00 AM (a user crontab entry, so no user field).
0 12 * * 1-5 ls -al Lists files at noon on weekdays. Three-letter day names (mon,tue,wed,thu,fri) are also accepted.
Redhat comes with the following entries:
01 * * * * root run-parts /etc/cron.hourly Hourly task list, runs at 1 minute after the hour
02 4 * * * root run-parts /etc/cron.daily Daily task list, runs at 4:00AM, 2 minutes after the hour
22 4 * * 0 root run-parts /etc/cron.weekly Weekly task list, runs at 4:00AM, Sunday 22 minutes after the hour
42 4 1 * * root run-parts /etc/cron.monthly Monthly task list, runs at 4:00AM, On the first of the month, 42 minutes after the hour
Note that the minutes after the hour are staggered between the daily, weekly and monthly tasks so the system does not try to do all jobs at once. Each of these entries uses run-parts to run every executable found in the corresponding directory:
• /etc/cron.hourly
• /etc/cron.daily
• /etc/cron.weekly
• /etc/cron.monthly
These entries name directories, so you can place any executable program in one of them and it will be run as scheduled above. Because run-parts runs these scripts as root, the directories and the scripts in them must not be writable by anyone else.
There is a crontab program which can be used to install, uninstall, or list the tables used to drive cron. It has the same name as the configuration file, but is a binary program. You will see this if you type "whereis crontab".
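An added example for this guide (not from the original text) that checks for the mistake the previous paragraph warns about: a job that root runs from /etc/crontab, or a script in one of the cron.* directories, that group or other users can modify. The function names and the check itself are my own; the crontab in the usage example is constructed, not a file from the original.

```shell
#!/bin/sh
# audit_cron.sh: find cron jobs that root runs from files other users can edit.
# Added example for this guide; the function names and the check (group- or
# world-writable scripts and directories) are my own, and the crontab used in
# the usage example is constructed, not a file from the original text.

# writable_by_others PATH: 0 if the group or other write bit is set on PATH.
writable_by_others() {
    [ -n "$(find "$1" -prune \( -perm -g+w -o -perm -o+w \) 2>/dev/null)" ]
}

# audit_cron_dir DIR
# Lists every file or directory under DIR (e.g. /etc/cron.daily) that group
# or others can write.  Returns the number of findings.
audit_cron_dir() {
    findings=$(find "$1" \( -perm -g+w -o -perm -o+w \) 2>/dev/null)
    [ -n "$findings" ] || return 0
    echo "$findings" | sed 's/^/writable by group\/others: /'
    return $(echo "$findings" | wc -l)
}

# audit_crontab FILE
# For each job in a system crontab (minute hour dom month dow user command),
# checks that a command given as an absolute path is not writable by
# group/others.  Prints each finding and returns the number of findings.
audit_crontab() {
    file=$1
    n=0
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;                 # blank or comment
        esac
        set -f                                  # no globbing of "*" fields
        set -- $line
        set +f
        case "$1" in
            @*)           [ $# -ge 3 ] || continue; user=$2; cmd=$3 ;;  # @daily root cmd
            [0-9]*|'*'*)  [ $# -ge 7 ] || continue; user=$6; cmd=$7 ;;
            *)            continue ;;           # VAR=value lines
        esac
        case "$cmd" in
            /*) ;;                               # absolute path: check it
            *)  continue ;;                      # resolved through PATH: skip
        esac
        [ -e "$cmd" ] || continue
        if writable_by_others "$cmd"; then
            echo "$user runs $cmd, which is writable by group/others"
            n=$((n + 1))
        fi
    done < "$file"
    return $n
}

# Usage: sh audit_cron.sh /etc/crontab /etc/cron.hourly /etc/cron.daily ...
if [ $# -ge 1 ]; then
    audit_crontab "$1"; shift
    for d in "$@"; do audit_cron_dir "$d"; done
fi
```

Ownership matters too: a script owned by a non-root user is just as editable by that user as a world-writable one, so on a real system add "! -user root" to the find expression once you know which account should own the files.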
Cron runs the following on my system:
• cron.hourly
1. In the file "inn-cron-nntpsend" the command "/sbin/chkconfig innd && su - news -c /usr/bin/nntpsend" is run to support internet news service.
• cron.daily
1. In the file "inn-cron-expire" the command "/sbin/chkconfig innd && su - news -c "/usr/bin/news.daily delayrm" " is run.
2. In the file "inn-cron-expire" the command "/sbin/chkconfig innd && /usr/bin/rnews -U" is run.
3. In the file "logrotate" the command "/usr/sbin/logrotate /etc/logrotate.conf" is run.
4. In the file "makewhatis.cron" a file "/var/lock/makewhatis.lock" is created to keep the cron scripts from stepping on each other. Do a man on makewhatis for more info.
5. In the file "slocate.cron" the command "/usr/bin/slocate -u -f "nfs,smbfs,ncpfs,proc,devpts" -e "/tmp,/var/tmp,/usr/tmp,/afs,/net" " is run to update the file location database.
6. In the file "lsrnpull-expire" the command. Do a "man slrnpull" for more info.
7. In the file "tetex.cron" TeX formats not used for 10 days are removed. "man tmpwatch"
8. In the file "tmpwatch"
• cron.weekly
1. In the file "makewhatis.cron" a file "/var/lock/makewhatis.lock" is created to keep the cron scripts from stepping on each other. The makewhatis command updates the apropos database which is the database used when the command "man -k" is used. For more information, type "man whatis" or "man apropos".
• cron.monthly contains no files
The system administrator can schedule tasks by adding entries to the /etc/crontab (see crontab(5)) file or on Redhat Linux, by adding entries in one of the cron.hourly, cron.daily, cron.weekly, or cron.monthly files. Users may be able to schedule cron jobs if the system is configured to allow it. If neither of the /etc/cron.allow nor the /etc/cron.deny files exist, either all users will be able to run cron commands or no users will be able to do it. If /etc/cron.allow exists, the user must be listed there in order to use cron commands. If /etc/cron.deny exists, the user must not be listed here or they will be unable to use cron.
One useful entry you can put in the /etc/cron.weekly directory in a file named something like "cleanold.cron" is:
find /var/spool/myspools -mtime +33 -exec rm -f {} \;
This entry removes all files in the /var/spool/myspools directory whose contents were last modified more than 33 days ago.
The user (if allowed) can schedule cron tasks by following the below procedure:
1. Make a crontab file called for example "mycron".
2. Use the crontab(1) command to submit the command(s) to cron by typing "crontab mycron".
3. You can view what you have installed by typing "crontab -l".
crontab commands:
crontab -e Starts vi session by default to edit your crontab file. To use emacs as your editor, type "export VISUAL=emacs" before typing this command. When you exit the editor, the modified crontab is installed automatically.
crontab -r Removes your crontab entry from the /var/spool/cron directory. Does not erase your original crontab file.
crontab -l Lists all the user's cron tasks.
Keys and Linux Terminal Configuration
To really understand and work with key mapping, you should read the "Support for text" section in the "How Linux Works CTDP Guide". It explains how terminal types are set and the different layers of keymapping along with how to map keys for various applications. Linux keymapping is complex and this section will just give you a short explanation of the various utility programs available, and how to do some specific keymapping. If you must perform custom keymapping, the "How Linux Works CTDP Guide" is necessary.
Linux keymapping is performed on several levels, and many programs such as the shell, less, and emacs have their own support for keymapping. Other programs, such as terminal programs, use the terminfo or termcap database. The main system-wide keymapping the user may deal with is the keymap, which maps each keycode to the ASCII characters (or actions) the keystroke will produce. A file is created which contains these keymappings and it is loaded with the command "loadkeys". The man page describing the structure of this file can be read by typing "man keymaps". There are many symbols in this file that describe values for keys; you can see the values of many of them by typing "dumpkeys --long-info" or "dumpkeys -l". Once the keymap file is created, the easy way to permanently change the key settings for the system is to point the file /etc/sysconfig/keyboard at it, for example KEYTABLE="/etc/sysconfig/console/mykeymap".
Console key utilities and files
• Kernel keyboard driver
o kbd_mode - Report or set the keyboard mode: -s (scancode mode, RAW), -k (keycode mode, MEDIUMRAW), -a (ASCII mode, XLATE), -u (UTF-8 mode, UNICODE). XLATE is the default.
o kbdrate - modify the keyboard repeat rate and delay time after keypress.
o kbdconf - Configures the /etc/sysconfig/keyboard file which specifies the location of the keyboard map file.
• For system key mapping make codes to keycodes
o setkeycodes - used to set a translation between unusual scancodes and keycodes. This utility is not usually needed.
o getkeycodes - Print the kernel scancode to keycode mapping table.
• Mapping keycodes to keymaps
o dumpkeys - dump keyboard driver translation tables in the format specified by keymaps. The output of this program will look similar to the keytable file in "/usr/lib/kbd/keytables/*.map" and the output can be saved to a file, and used to generate a new file to be used with the "loadkeys" command.
o loadkeys - Load the keyboard translation table into the system from a specified file. Type "loadkeys -d" or "loadkeys defkeymap" to load the default keymap. Changes keys for all virtual consoles. The keyboard translation table set in the kernel (compiled in) is in the file "/usr/src/linux/drivers/char/defkeymap.map". To change the kernels keymap without having to load a new table after booting, you must modify the file, then re-compile the kernel. You would only need to do this to modify keymaps for remote boot systems that don't have access to all system programs.
o setmetamode - define the keyboard meta key handling. Controls whether the keystroke, would send the keycode M-key or the key sequence ESC followed by key. You can have different setting in different virtual consoles.
• Debugging tools
o showkey - Examine the scancodes and keycodes sent by the keyboard. Options are -s (show scancodes) -k (show keycodes, default) -m (show keymap). This program outputs key values that the user presses on the keyboard. The program terminates when no keys are pressed for 10 seconds.
• Termcap and terminfo
o tic - Compiler for terminfo.
o infocmp - Used to examine terminfo files.
o /etc/termcap - The termcap database file.
o /usr/share/terminfo - The directory structures containing the terminfo compiled database.
• Other tools
o consolechars - Load console screen font (was called setfont). The directory "/usr/lib/kbd/consolefonts/" is the default directory for fonts. "/usr/lib/kbd/consoletrans" is the default directory for ACM's and SFM's.
o psfaddtable - Add a Unicode character to a console font.
o psfgettable
o psfstriptable
• For terminals and terminal key mapping
o mesg - Turn other users' ability to write messages to your terminal on or off: "mesg y" allows it, "mesg n" refuses it.
o stty - Print or change the terminal line settings.
o setterm - Set terminal attributes.
o tput - Initialize a terminal or query terminfo database.
o setleds - Set or output the keyboard LED settings for caps lock, num lock, and scroll lock.
o setfont - Never use unless you know what you are doing. There is no man page for this command.
o chvt - Change virtual terminal. Usage: chvt 3.
o deallocvt - De allocate unused virtual terminals
• For X
o xmodmap - Used to modify keymaps and pointer button mappings in X. Map X keycodes to keysyms. Usage "xmodmap mykeys.map".
o xkeycaps - A GUI front end to xmodmap.
o xev - Allows you to see key make and breaks generated on a window.
o showfont - font dumper for X font server
o xset - Set user preferences for the display.
o /etc/X11/xinit/Xmodmap or $HOME/.Xmodmap - File(s) that can be used to set keycode mapping in X
o $HOME/.Xinitrc - A file run when X starts that is a script file. The program "xmodmap" can be invoked in this file to set keymappings for X.
o $HOME/.Xresources - Another file where keymappings may be changed for X.
• Bash
o /etc/inputrc or $HOME/.inputrc - Where Bash keymapping is done.
• Less
o $HOME/.lesskey - Where keymapping is done for less; the file is compiled with the "lesskey" command into $HOME/.less, which less reads.
• Emacs
o $HOME/.emacs - Where keymapping is done for emacs.
• tcsh
o bindkey - A built-in command of tcsh for binding keys.
o $HOME/.cshrc
Setting Keystrokes
The stty command is used to set up keystrokes on terminals. For example, "stty erase ^H" binds the Backspace key (^H) to the erase function.
Characters that are specified:
• eof - End of file
• eol - End of line
• eol2 - Alternate character for ending a line
• erase - Erase the last character typed
• intr - The specified character will send an interrupt signal
• kill - Erase the current line.
• quit - Sends a quit signal.
• start - Restart output after having stopped it.
• stop - Stops the output.
• susp - Sends a terminal stop signal
• switch - Switch to a different shell layer
• werase - erase the last word typed.
setterm -foreground white -background blue Sets white foreground, and blue background
setterm -store Stores the present terminal values as default
Keys and terminal configuration
Special command line keys:
• CTRL U - Delete the line
• CTRL C - Abort command
• CTRL Z - Suspend command, Type fg to put it back into the foreground
• TAB - Auto complete a command or file name
• ALT-F1 through ALT-F6 - Select a different virtual terminal
• ALT-F7 - Toggle to the first X terminal, if one is running.
• CTRL-ALT-F1 - Toggle to the first text terminal from an X session.
• CTRL D - End of file, exits the shell
• CTRL W - Delete a word backwards
• CTRL \ - Quit (SIGQUIT). Like CTRL C it terminates the command, but the process also dumps core if core dumps are enabled.
• CTRL S - Stop scrolling, may use "scroll lock" for this function.
• CTRL Q - Resume scrolling
Emacs keymapping
To modify the keymap in emacs so pressing the end key will move the cursor to the end of a line rather than the end of file, add the following lines to your user's $HOME/.emacs file:
(define-key function-key-map "\e[4~" [end])
(global-set-key [end] 'end-of-line)
Choosing a Backup Tool
Linux has several tools for backing up and restoring files
dump / restore : Old tools that work with filesystems, rather than files, and can back up unmounted devices. Although you can easily control what is backed up with dump by editing a single column in the /etc/fstab file, for some reason these utilities have fallen into disuse. Today, many distributions of Linux, including Debian, do not even include them by default. If you want to use dump and restore, you must install them yourself.
tar : A standard backup tool, and by far the easiest to use. It is especially useful for backing up over multiple removable devices using the -M option.
cpio : A very flexible command, but one that is hard to use because of the unusual way in which the command must be entered.
Linux LILO and Runlevels
There is a LILO mini howto located on Linux websites such as The Linux Documentation Project and Metalab's Index of Linux publications. Also these howtos are likely to be on your system in the /usr/doc/HOWTO directory.
LILO is a boot loader that resides on your hard disk and can boot several operating systems. It runs when the system boots from the hard drive and loads the Linux kernel image stored there. To select an operating system other than the default at boot time, hold Shift (or Ctrl or Alt) while LILO starts if the "LILO boot:" prompt does not appear on its own, press Tab to list the operating systems the system knows about, and type the label of the one you want.
The file /etc/lilo.conf holds the configuration for the boot loader program that will be installed on the boot sector of a disk or partition. When the command "lilo" is issued, the configuration file is read and a boot loader built from it is written to the boot record.
Installing and Configuring LILO
To install LILO, edit the configuration file, /etc/lilo.conf. The command "/sbin/lilo" rewrites the modified lilo.conf configuration to the boot sector of the hard disk, and must be run every time you modify lilo.conf or your kernel.
Some options you may want are:
• vga=ask
LILO will prompt the user for a video mode at boot time. Normal is standard 80X25 display, extended is 80x50. To select a mode, run with the option "vga=ask", then select one of the listed modes, then set "vga=mode" where "mode" is one of the numeric values listed. On my system I have the following modes listed.
o 0 - 80x25
o 1 - 80x50
o 2 - 80x43
o 3 - 80x28
o 4 - 80x30
o 5 - 80x34
o 6 - 80x60
o 7 - 132x25
o 8 - 132x43
To select 132x43 I will set the mode "vga=8".
• initrd=/boot/initrd-2.2.14.img
This command allows the kernel to boot from a RAM disk image. This is necessary if the kernel requires a device supported by a module in order to boot. The kernel version in this example is 2.2.14, but your version may be different. The image file can be created using the "mkinitrd" command. Read the section about compiling the kernel for more information.
• append="mem=128M"
Used for some cases when a system has more than 64M of memory (128M in the example) in the case of older systems (kernels) that need this option to use more than 64M of memory. If you have a multiple boot Linux system, you will need to run LILO on each system to get this option to work on each system. See if enough memory is available to your system by using the "free" command to tell if you need this option.
• linear
The option "linear" may be needed if you have a partition with more than 1024 cylinders or a SCSI drive. This option generates linear sector addresses rather than sector, head, cylinder addresses. This is useful for large drives but should not affect a system that works properly.
The LILO configuration file contains a section for each operating system that you can boot. The best way to demonstrate this is with an example. The lilo.conf file below is for a system which has a Linux root partition on /dev/hda2 and a MS-DOS partition on /dev/hda1.
boot = /dev/hda # Tell LILO to install the boot loader on the /dev/hda disk boot record
vga = normal # Set a normal video mode
delay = 60 # Tenths of a second LILO waits for the user to press Shift (or Ctrl or Alt) to get the LILO prompt
# Equivalent would be "prompt" on one line, and "timeout=60" on
# another line.
default=msdos # Sets the default boot to DOS, Without this line, the default is the first stanza
install = /boot/boot.b # The file containing the boot sector to use
compact # Have LILO perform some optimization.
map = /boot/map #Specifies the map file LILO creates when installed
# Section for Linux root partition on /dev/hda2.
image = /vmlinuz # Location of kernel
label = linux # Name of the OS that is displayed in the LILO boot menu
root = /dev/hda2 # Location of root partition, if this isn't here the kernel image must have
# this set using the rdev command
read-only # Mount read only on startup, Can also be set by rdev
# Section for MSDOS partition on /dev/hda1.
other = /dev/hda1 # Location of partition
table = /dev/hda # Location of partition table for /dev/hda1
label = msdos # Name of OS (for boot menu)
The first operating system is normally the default operating system for LILO to boot, but the default command was used to change this. There's no need to use the rdev program to set the root partition in the kernel image if you use the "root=" command as in this example.
The options used above are described in the lilo.conf man page, invoked by typing "man lilo.conf". The option "boot = /dev/hda" is very important and defines which disk or partition boot record the LILO boot loader will be installed on. The table option in the section "other" is optional, but if used, lilo must be reinstalled any time your drive partitions are changed. Other than that, the comments above explain the options well.
If you install Windows 95 or 98, the LILO boot manager will be overwritten by Windows. If you are going to do this after installing LILO, create a boot disk first. Boot Linux with the boot disk and re-install LILO after the Windows installation is done. LILO is re-installed by typing, as root, the command "lilo". Partitions with Windows 95 or 98 can be configured to boot with LILO using lilo.conf entries similar to those used to boot DOS.
To run Linux in single user mode from LILO, at the boot prompt type "rhl single", where rhl is the name of the Linux selection under LILO that you want to boot. This mode will not normally require a password for access. To prevent others from running the operating system in single user mode without a password, add the following lines at the end of the image section:
password="my_password"
restricted
where "my_password" is the actual password to be entered when the user enters single user mode. This makes LILO ask for a password any time a user boots this image in single user mode. If you do this, you will want the "/etc/lilo.conf" file to be readable only by root so normal users can't get the password.
NOTES:
DOS should always be installed before Linux due to differences in the DOS and Linux LILO boot sectors.
To copy your MBR to a floppy using 512-byte blocks: "dd if=/dev/hda of=/fd/MBR bs=512 count=1"
To restore the boot record: "dd if=/fd/MBR of=/dev/hda bs=446 count=1". Only the first 446 bytes (the boot code) are written back, so the partition table that follows them in the sector is left as it is.
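The following script is an added example, not from the original manual: it rehearses the two dd commands above on a 1 MiB image file with a made-up boot code and partition table, so nothing is written to a real drive. Only the offsets are real: bytes 0 to 445 hold the boot code, 446 to 509 the partition table and 510 to 511 the 0x55AA signature, which is why the backup copies 512 bytes and the restore only 446. It also shows what the wrong restore (512 bytes) does after a partition change. One difference from a real device: writing into an image file with dd needs conv=notrunc, or the file is cut down to the bytes written.

```bash
#!/usr/bin/env bash
# Added example, not from the original manual: rehearse the MBR backup and
# restore on a constructed disk image. The boot code ('B' bytes), partition
# table ('P' bytes) and sizes are made up; the offsets are the real MBR layout.

# make_fake_disk PATH -> 1 MiB zero-filled image with a recognisable MBR
make_fake_disk() {
    img=$1
    dd if=/dev/zero of="$img" bs=512 count=2048 2>/dev/null
    # 446 bytes of "boot code" at offset 0.
    dd if=/dev/zero bs=446 count=1 2>/dev/null | tr '\0' 'B' \
        | dd of="$img" bs=1 conv=notrunc 2>/dev/null
    # 64 bytes of "partition table" at offset 446.
    dd if=/dev/zero bs=64 count=1 2>/dev/null | tr '\0' 'P' \
        | dd of="$img" bs=1 seek=446 conv=notrunc 2>/dev/null
    # Boot signature 0x55 0xAA at offset 510.
    printf '\125\252' | dd of="$img" bs=1 seek=510 conv=notrunc 2>/dev/null
}

# backup_mbr DISK OUT -> the whole first sector, as in the note above
backup_mbr() {
    dd if="$1" of="$2" bs=512 count=1 2>/dev/null
}

# restore_boot_code BACKUP DISK -> put back only the 446 boot-code bytes;
# the partition table and signature on the disk are not touched.
restore_boot_code() {
    dd if="$1" of="$2" bs=446 count=1 conv=notrunc 2>/dev/null
}

# restore_whole_sector BACKUP DISK -> the wrong restore: 512 bytes, which
# also writes the old partition table back over the current one.
restore_whole_sector() {
    dd if="$1" of="$2" bs=512 count=1 conv=notrunc 2>/dev/null
}

# clobber_boot_code DISK -> simulate another installer overwriting the boot code
clobber_boot_code() {
    dd if=/dev/zero bs=446 count=1 2>/dev/null | tr '\0' 'X' \
        | dd of="$1" bs=1 conv=notrunc 2>/dev/null
}

# repartition_fake_disk DISK -> overwrite the 64 table bytes with 'Q', standing
# in for a partition change made after the backup was taken
repartition_fake_disk() {
    dd if=/dev/zero bs=64 count=1 2>/dev/null | tr '\0' 'Q' \
        | dd of="$1" bs=1 seek=446 conv=notrunc 2>/dev/null
}

# slice_hex FILE OFFSET LEN -> LEN bytes at OFFSET as a lowercase hex string
slice_hex() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# file_size FILE -> size in bytes
file_size() {
    wc -c < "$1" | tr -d ' '
}

# mbr_signature_ok DISK -> true if the 0x55AA signature is in place
mbr_signature_ok() {
    [ "$(slice_hex "$1" 510 2)" = "55aa" ]
}

# Demonstration: back up, lose the boot code, restore it.
work=$(mktemp -d)
make_fake_disk "$work/disk.img"
backup_mbr "$work/disk.img" "$work/MBR"
clobber_boot_code "$work/disk.img"
restore_boot_code "$work/MBR" "$work/disk.img"
echo "boot code starts $(slice_hex "$work/disk.img" 0 4), table starts $(slice_hex "$work/disk.img" 446 4), signature $(slice_hex "$work/disk.img" 510 2)"
rm -rf "$work"
```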
Setting parameters for Disk Drives
Some systems may have difficulty with hard disks that do not allow the disk parameters (heads, sectors per track, and cylinders) to be read. If disk errors make the LILO installation fail, the disk parameters may be the problem. This is especially true with SCSI and large drives. It may be necessary to manually enter the disk parameters in the "/etc/disktab" file to solve this problem. BIOS numbers your disks depending on the type of device. Numbers are in hex. Some documentation I have read indicates the numbers for various disks start as follows:
Floppy drives - 100.
The first hard disk - 301.
The second HD - 341.
SCSI - 801.
Second SCSI - 811.
Some documentation indicates these numbers, however I am not sure how accurate this is. According to the LILO man page the BIOS numbers hard disks starting at 0x80. If you have a problem in this area you may need to do some experimentation to get it to work.
Example file:
disk=/dev/sda
bios=0x80
disk=/dev/hda
bios=0x81
Other possible format (A SCSI drive with 2 partitions):
# Dev. Num  BIOS code  Secs/track  Heads/cyl  Cyls  Part. Offset
0x800      0x80       32          64         1714  0
0x801      0x80       32          64         1714  1001
Removing LILO
To remove LILO from MS-DOS type "fdisk /MBR".
To remove LILO from Linux, type "lilo -u /dev/hda", or "dd if=/boot/boot.0300 of=/dev/hda bs=446 count=1". Only 446 bytes should be copied to the MBR. If the hard drive is SCSI, the filename is boot.0800. Make sure this is the correct copy of the MBR that was saved when LILO was installed, and not a bogus copy from a Linux distribution.
Changing Runlevels
A runlevel is a software configuration of the system that allows only a selected group of processes to exist. Init can run the system in one of eight runlevels. The main runlevels are 0-6. The system runs in only one of these runlevels at a time. Typically these runlevels are used for different purposes. For Redhat Linux version 6, they are:
0 - halt
1 - Single user mode
2 - Multiuser, without NFS (The same as 3, if you don't have networking)
3 - Full multiuser mode
4 - unused
5 - X11
6 - Reboot
These runlevels can be configured by the administrator. The "/etc/inittab" file instructs init which runlevel to start the system at and describes the processes to be run at each runlevel. For a deeper explanation, read my article on "How Linux Works" or "The Linux Startup Reference Manual".
A running system can be taken to single user mode by using the telinit command to request run level 1 as follows:
telinit 1
It can be entered when the system boots by giving the word "single" or "emergency" on the kernel command line. This can be done at the LILO prompt after pressing the key and entering your selection with the word "single" after it. The kernel sends the command line to the init program and it doesn't use the default run level. The kernel command line entry is dependent on how you boot the system.
Entering single user mode is necessary when a damaged filesystem needs to be repaired. You can run the program fsck to check the filesystem when the damaged partition is not mounted or in use.
LILO and the rdev program
You may have noticed that there are some parameters in LILO that can also be set by a program called rdev. The rdev program is a program that is used to set the following:
• The root partition (root device). The command "rdev -s vmlinuz /dev/hda2" will set the root device to be /dev/hda2 on the kernel image vmlinuz. In LILO the command "root=/dev/hda2" will set the root device.
• The video mode. The command "rdev -v vmlinuz 1" will set the video mode as though the key 0 (the first selection) were pressed at the video mode prompt. In LILO the command "vga=ask" will cause the system to prompt for the video mode. You are better off using LILO to set the video mode.
The commands shown above are examples, and the actual names and values used may be different for your system. The program rdev is used to modify the kernel image file so that it will know where such things as the root device are without LILO passing this information to the kernel. Therefore if you set these parameters in your kernel image file using rdev, you will not need to set them using LILO. Conversely, if you do not set them using rdev, you will need to set them in your /etc/lilo.conf file and update LILO when you recompile the kernel or make other changes affecting one or more of these parameters.
One system parameter LILO can set that rdev cannot set is the amount of system memory with the command, append="mem=128M". This command sets the memory to 128M.
In addition, rdev provides the ability to set the following parameters that LILO can't set:
• The swap partition (swap device). The command "rdev -s vmlinuz /dev/hda3" will set the swap device. There is no command in LILO to do this.
• Set the RAMDISK size in kilobytes. The command "rdev -r vmlinuz 627" will set a RAM disk of 627K.
• Some root flags
Managing Linux Users
Linux Commands for managing users:
• adduser(8) - Command used to add user accounts.
• chage(1) - Used to change the time the user's password will expire.
• chfn(1) - Change a user's finger information.
• chsh(1) - Change a user's shell.
• chgrp(1) - Changes the group ownership of files.
• chown(1) - Change the owner of file(s) to another user.
• gpasswd(1) - Used to administer the /etc/group file.
• groupadd(8) - Create a new group.
• grpconv(8) - Creates /etc/gshadow from the file /etc/group, which converts to shadow passwords.
• grpunconv(8) - Uses the files /etc/passwd and /etc/shadow to create /etc/passwd, then deletes /etc/shadow, which converts from shadow passwords.
• groupdel(8) - Delete a group.
• groupmod(8) - Modify a group.
• groups(1) - Print the groups a user is in.
• grpck(8) - Verify the integrity of group files.
• id(1) - Print group or user ID numbers for the specified user.
• newgrp(1) - Allows a user to log in to a new group.
• newusers(8) - Update and create new users in batch form.
• nologin(5) - Prevent non-root users from logging onto the system.
• passwd(1) - Used to update a user's password. The command "passwd username" will set the password for the given user.
• pwconv(8) - Used to create the file /etc/shadow from the file /etc/passwd to convert to shadow passwords.
• pwunconv(8) - Uses the files /etc/passwd and /etc/shadow to create /etc/passwd, then deletes /etc/shadow to convert from shadow passwords.
• su(1) - Run a shell with substitute user and group IDs.
• useradd(8) - Create a new user or update default new user information.
• userdel(8) - Delete a user account and their files from the system. The command "userdel -r newuser" will remove the user and delete their home directory.
• usermod(8) - Modify a user account.
Other useful commands/examples:
find / -user username -ls   Gives a list of all files owned by username.
chown -R myuser /home/myuser   Changes ownership of all files in myuser's home directory to myuser.
chmod +s filename   Sets the set-user-ID and set-group-ID bits on filename.
Files
• /etc/passwd - Where the user's name, and other pertinent information are stored. This includes the password unless your system is using shadow passwords.
• /etc/shadow - Where the user's password is stored if you are using shadow passwords.
• /etc/group - Where group names are stored.
• /etc/aliases - Where the user's name is matched to a nickname for e-mail.
• /etc/sudoers - A list of users with special privileges along with the commands they can execute.
File Formats
Note group ID numbers start at 100 and user ID numbers start at 500. The file /etc/group gives groups
The /etc/passwd file:
username:password:uid:gid:gecos:homedir:shell
Gecos contains information about the user, including the real name. Shell is the name and path of the user's default shell program.
The /etc/group file:
groupname:password:gid:members
If the entry "bigclown:*: mark,george" is in the group file, the users mark and george are members of the bigclown group.
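The script below is an added example (not the manual's own) that works on constructed copies of /etc/passwd, /etc/shadow and /etc/group in a temporary directory, never the live files. It lists the members of a group from both sources (the member list in the four-field /etc/group entry and the users whose primary gid in /etc/passwd is that group), and it flags the entries an administrator looks for: a second UID 0 account, an empty password field, a hash kept in the world-readable /etc/passwd rather than in /etc/shadow, and a /etc/shadow that is readable by anyone but its owner. The accounts and hashes are made up.

```bash
#!/usr/bin/env bash
# Added example, not from the original manual: audit constructed copies of
# /etc/passwd, /etc/shadow and /etc/group. Assumes the 7-field passwd and
# 4-field group layouts given above; the accounts and hashes are made up.

# write_sample_files DIR -> DIR/passwd, DIR/shadow, DIR/group
write_sample_files() {
    dir=$1
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
mark:x:500:100:Mark Zehner:/home/mark:/bin/bash
george:x:501:100:George Jones:/home/george:/bin/bash
toor:x:0:0:second superuser:/root:/bin/bash
guest::502:100:Guest account:/home/guest:/bin/bash
legacy:$1$notreal$hashkeptinpasswd:503:100:Old style:/home/legacy:/bin/sh
EOF
    # "$1$constructed$..." stands in for an MD5-crypt hash; not a real one.
    cat > "$dir/shadow" <<'EOF'
root:$1$constructed$notarealhash:11000:0:99999:7:::
mark:$1$constructed$notarealhash:11000:0:99999:7:::
george:$1$constructed$notarealhash:11000:0:99999:7:::
toor:$1$constructed$notarealhash:11000:0:99999:7:::
guest::11000:0:99999:7:::
legacy:!:11000:0:99999:7:::
EOF
    cat > "$dir/group" <<'EOF'
root:x:0:
users:x:100:
bigclown:x:101:mark,george
EOF
    chmod 644 "$dir/passwd" "$dir/group"
    chmod 600 "$dir/shadow"
}

# users_in_group PASSWD GROUP NAME -> space-separated, sorted user names:
# explicit members from the group entry plus users whose primary gid in
# passwd is that group's gid.
users_in_group() {
    awk -F: -v g="$3" '
        NR == FNR { if ($1 == g) { gid = $3; found = 1; n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }; next }
        found && $4 == gid { print $1 }
    ' "$2" "$1" | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# passwd_audit PASSWD SHADOW -> one line per finding; returns 1 if any
passwd_audit() {
    pw=$1; shd=$2; rc=0
    awk -F: '
        NF != 7 { print FILENAME ": line " FNR ": expected 7 fields, got " NF; bad++; next }
        $3 == 0 && $1 != "root" { print $1 ": has UID 0 (a second superuser account)"; bad++ }
        $2 == "" { print $1 ": empty password field in passwd (logs in without a password)"; bad++ }
        $2 != "" && $2 != "x" && $2 != "*" { print $1 ": password hash kept in world-readable passwd instead of shadow"; bad++ }
        END { exit (bad > 0) }
    ' "$pw" || rc=1
    awk -F: '
        $2 == "" { print $1 ": empty password field in shadow"; bad++ }
        END { exit (bad > 0) }
    ' "$shd" || rc=1
    # Group/other permission characters from "ls -l"; shadow must show "------".
    perms=$(ls -ld "$shd" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "$shd: readable by group or others ('$perms'); should be mode 600 or 400"
        rc=1
    fi
    return $rc
}

# Demonstration in a temporary directory.
work=$(mktemp -d)
write_sample_files "$work"
echo "bigclown: $(users_in_group "$work/passwd" "$work/group" bigclown)"
echo "users:    $(users_in_group "$work/passwd" "$work/group" users)"
passwd_audit "$work/passwd" "$work/shadow" || true
rm -rf "$work"
```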
Examples
To add a user, while logged in as root, type "adduser username".
To set a user password, while logged in as root or as the user whose password is to be changed, type "passwd username". If "passwd" is typed alone, the password will be changed for the user you are logged in as.
To remove a user, while logged in as root, type "userdel -r username". This will also remove the user's home directory. You can delete the user without the "-r" option and delete the user's home directory manually. If the group the user was in is no longer needed, you may delete it by editing the "/etc/group" file.
The file "/etc/aliases" is where the user's real name is matched to their user name for e-mail accounts. Add users to this file in the form:
Firstname,Lastname:username
Then update the database by typing "newaliases".
User Process Accounting
Process accounting is supported by new kernels. To use this feature, you'll need to get the acct-1.3.73.tar.gz package or later. The package contains some programs used to manage users. The following commands are useful for user accounting:
• ac(1) - Print statistics about users' connect time.
• accton (8) - Turn on accounting of processes. To turn it on type "accton /var/log/pacct".
• last(1) - Shows a list of users who have logged in.
• lastb(1) - Shows failed login attempts. This command requires the file /var/log/btmp to exist in order to work. Type "touch /var/log/btmp" to begin logging to this file.
• lastcomm (1) - Display information about previous commands in reverse order. Works only if process accounting is on.
• sa(8) - Generates a summary of information about users' processes that are stored in the /var/log/pacct file.
• utmpdump(1) - Dumps the utmp and wtmp files in a readable form; used for debugging.
• who(1) - Find out what users are logged onto the system.
Files that hold accounting information
• /var/log/wtmp - Stores information about all logins and logouts.
• /var/run/utmp - Stores information about who is currently on the system and is used by the who command.
• /var/log/btmp - Used to store information about failed logins.
The /var/log/wtmp file contains the following information:
• Type of Login
• Process ID of login process
• The device name of the tty used
• The init ID or abbreviated ttyname
• User Name
• Hostname for remote login
• Exit Status of a process
• The session ID
• The time entry was made
• IP address of remote host
See the man page for wtmp(5) for more information.
User Quotas
The ability to set quotas limits a user's disk storage by setting:
1. The number of inodes the user or group may use.
2. The number of disk blocks a user or group may use.
This limits the user's ability to use up all system resources. It only works on ext2 filesystems. Quotas must be set for each filesystem that the user may use. The kernel must have quota support compiled in.
Commands used to set quotas and limits are:
• edquota(8) - Used to edit user or group quotas. This program uses the vi editor to edit the quota.user and quota.group files. If the environment variable EDITOR is set to emacs, the emacs editor will be used. Type "export EDITOR=emacs" to set that variable.
• quota(1) - Display users' limits and current disk usage.
• quotaoff(8) - Turns system quotas off.
• quotaon(8) - Turn system quotas on.
• quotacheck(8) - Used to check a filesystem for usage, and update the quota.user file.
• repquota(8) - Lists a summary of quota information on filesystems.
• ulimit - A bash builtin command for setting resource limits on the shell and the processes it starts. The command "ulimit -n 9000" will set the limit on open files to 9000.
Files:
• /etc/mtab
• quota.user - Resides on the filesystem quotas are being set on.
• quota.group
Read the Quota mini howto for more information. Here's roughly what is needed to enable and set quotas:
1. In your startup scripts, you should use the quotacheck and quotaon commands to start quota checking at system startup. Read the "How Linux Works" or the "Linux Startup Manual" for more information on startup scripts. This is already set up properly in most current versions of Linux.
2. In the /etc/fstab file, add the mount options "usrquota" and "grpquota". You only need "grpquota" if you are going to set group quotas also. An example entry:
   /dev/hda2 / ext2 defaults,usrquota,grpquota 1 1
3. Issue the following commands, where "fs" is the name of the filesystem where quotas are to be set. The first two commands create the quota files, and the second two keep users from accessing those files.
   touch /fs/quota.user
   touch /fs/quota.group
   chmod 600 /fs/quota.user
   chmod 600 /fs/quota.group
4. If you use emacs rather than vi to edit files, type "export EDITOR=emacs". You may want to add this command to your shell startup script such as $HOME/.bash_profile.
5. Type "edquota username" to edit the quota file. You get a screen like this:
   Quotas for user george:
   /dev/hda2: blocks in use: 10672, limits (soft = 0, hard = 0)
              inodes in use: 1856, limits (soft = 0, hard = 0)
   /dev/hda3: blocks in use: 0, limits (soft = 0, hard = 0)
              inodes in use: 0, limits (soft = 0, hard = 0)
Linux Passwords
Most versions of Linux come with the shadow password suite of software already installed. This suite of software is recommended to enhance security since all users must be able to access the /etc/passwd file. With full access to this file, a "crack" program can be used by any user to extract all passwords on the system. The shadow password software places the actual encrypted passwords into the /etc/shadow file making this file readable only by the root user. If your system has the file /etc/shadow, you probably already have shadow passwords installed.
Linux Shadow Passwords
If your system did not come with shadow passwords and you are going to install it you will want to read the Shadow-Password-HOWTO and roughly do the following.
1. Find the latest shadow password suite that will work on your system
2. Backup a copy of your files listed above that the shadow password suite will replace.
3. Install the shadow password suite.
4. Remove old man pages that may interfere with you seeing the correct replacement man pages that came with the shadow password suite.
5. Run pwconv, which creates /etc/npasswd and /etc/nshadow.
6. Backup /etc/passwd and copy the files /etc/npasswd and /etc/nshadow to /etc/passwd and /etc/shadow respectively.
7. Be sure the /etc/shadow and /etc/passwd owners and permissions are the same as shown in listings in this manual.
8. Verify that you can log in.
9. When you are sure the system runs OK, remove backup files such as the backed up copy of /etc/passwd.
10. You may need to upgrade your xlock program to get X working. xlock is the screen saver used to lock the screen.
11. xdm presents the login screen for X. You may need to upgrade xdm.
Linux Configuration and Diagnostic Tools
System and Network Configuration
• linuxconf - A GUI interactive interface available on Redhat 6.0 or later which includes netconf configuration.
• netconf - A GUI interactive interface available on Redhat 6.0 and later.
• kbdconf - A Redhat Linux tool which configures the /etc/sysconfig/keyboard file which specifies the location of the keyboard map file. This is a GUI based tool.
• mouseconfig - A Redhat Linux tool used to configure the /etc/sysconfig/mouse file. This is a GUI tool.
• timeconfig - A Redhat Linux tool used to configure the /etc/sysconfig/clock file. This is a GUI tool used to set timezone and whether or not the clock is set to GMT time.
• kernelcfg - A Redhat kernel configuration utility to be started from X.
• stty - Used to configure and print the console devices.
• setterm - Set terminal attributes.
• vmstat - Report statistics on virtual memory.
X Configuration
• XF86Setup - A newer X configuration program with a GUI interface which modifies the "/etc/X11/XF86Config" configuration file.
• xf86config - An older X configuration program with a text based interface. It also modifies the "/etc/X11/XF86Config" configuration file.
• Xconfigurator - The Redhat tool used during system setup to configure X.
• SuperProbe - A program that probes the video card to determine its type for use with setting up X.
• xvidtune - This program will test video modes on the fly without modification to your X configuration. Read the /usr/X11R6/lib/X11/doc/VideoModes.doc file before running this program.
Library and Kernel Dependency Management
Library management:
• ldd - Used to determine shared libraries used by binary files. Type "ldd /bin/ls" to see the shared libraries used by the "ls" command.
• ldconfig - Used to update links and cache for system use of the most recent runtime shared libraries.
Kernel Management:
• lsmod - List currently installed kernel modules.
• depmod - Creates a dependency file, "modules.dep" in the directory "/lib/modules/x.x.x", later used by modprobe to automatically load the relevant modules.
• insmod - Installs a loadable kernel module into the running kernel.
• rmmod - Unloads a module. Ex: rmmod ftape
• modprobe - Used to load a module or set of modules, together with the modules they depend on as listed in the file "modules.dep".
General Diagnostic
System resources
• free - Show system memory availability and usage
• df - Show the amount of disk free space on each mounted filesystem.
• du - Show disk usage
• lspci - List PCI devices
• pnpdump - Lists ISA PNP device resource information.
• vmstat - Reports virtual memory statistics.
Other:
• env - List the current environment variables.
• printenv - Print a copy of the environment.
• set - Shows how the environment is set up. This command can be very useful when debugging the environment.
• runlevel - List the current and previous runlevel.
• uname - Print system information. In my case, it prints "Linux".
• dmesg - Show the kernel messages printed since the last boot.
Linux Mail
This page is not complete yet!
Linux Sendmail
Sendmail is the most used mail daemon with Linux and is probably already installed on your system. Its configuration file is "/etc/sendmail.cf". Also /etc/sendmail.hf, /etc/aliases, /etc/aliases.db are useful files with sendmail. Sendmail provides full SMTP support. Many server systems may use sendmail, however clients normally use POP or IMAP protocols and the supporting software to get mail from the mailbox server.
Compiling Sendmail
The sendmail program can be found at http://www.Sendmail.org/ and the current version is 8.10.1.
1. Download the sendmail_8_10_1.tar.gz file into the /usr/local directory.
2. Unpack it with the command "tar xvzf sendmail_8_10_1.tar.gz".
3. Change directories to sendmail-8.10.1
4. Read the INSTALL file for further installation instructions, which are something like the following:
1. Type "sh Build"
2. Type "cd cf/cf".
3. cp generic-linux.mc config.mc
4. cd ..
5. less README
6. cd cf
7. emacs config.mc
8. sh Build config.cf
9. Back up your /etc/sendmail.cf file and current sendmail binary file.
10. Install config.cf as /etc/mail/sendmail.cf and copy the sendmail binary to /usr/sbin. The compiled binary is in obj.Linux2.2.14.i686/sendmail/.
Sendmail configuration files
1. /etc/aliases
2. /etc/sendmail.cf or /etc/mail/sendmail.cf
The aliases file
This is where mail aliases are defined. Two aliases are mandatory and must be present:
MAILER-DAEMON: postmaster
postmaster: root
There are five optional types:
• Conversion of a mail name to a Unix user name. EX: "george_jones: george"
• Expansion of a name into a list of names. EX: "friendlybunch: tom, george, fred, mike" or "staff: melissa, tom, george, mark"
• Mailing list: sendmail will read a file and use the names in the file as the list of addressees. EX: "filebunch: :include: /usr/local/manyonteam"
• Alias a name to a file. EX: "nobody: /dev/null"
• Replace a name by a program. EX: "myhelp: |/usr/local/bin/helpme"
Here is a typical alias file from Redhat 6.1:
# @(#)aliases 8.2 (Berkeley) 3/5/94
#
# Aliases in this file will NOT be expanded in the header from
# Mail, but WILL be visible over networks or from /bin/mail.
#
# ********** The program "newaliases" must be run after
# ** NOTE ** this file is updated for any changes to
# ********** show through to sendmail.
#
# Basic system aliases -- these MUST be present.
MAILER-DAEMON: postmaster
postmaster: root
# General redirections for pseudo accounts.
bin: root
daemon: root
games: root
ingres: root
nobody: root
system: root
toor: root
uucp: root
# Well-known aliases.
manager: root
dumper: root
operator: root
# trap decode to catch security attacks
decode: root
# Person who should get root's mail
root: mark
#User aliases
mark.zehner: mark
george.jones: george
After modifying the alias file you can rebuild it with the command
newaliases
or
sendmail -bi
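The script below is an added example, not from the manual or from sendmail: a small awk resolver for the alias file format described above. It follows alias chains (MAILER-DAEMON to postmaster to root to mark in the file above), stops on loops, and reports which aliases end up delivering to a program or a file, since a "|program" alias runs that program for every message sent to it and a file alias appends every message to that file; those entries deserve a look whenever the file is reviewed. The sample alias file is constructed and mirrors the five alias types listed earlier; continuation lines (lines starting with whitespace) are not handled.

```bash
#!/usr/bin/env bash
# Added example, not from the manual or from sendmail: resolve entries of an
# aliases file with awk. Assumes the "name: target, target" line format
# described above; continuation lines are not handled. Sample data is
# constructed.

# write_sample_aliases PATH -> constructed alias file covering all five types
write_sample_aliases() {
    cat > "$1" <<'EOF'
# constructed sample, not a real system's aliases file
MAILER-DAEMON: postmaster
postmaster: root
root: mark
george_jones: george
staff: melissa, tom, george, mark
filebunch: :include:/usr/local/manyonteam
nobody: /dev/null
myhelp: |/usr/local/bin/helpme
support: myhelp, mark
loopa: loopb
loopb: loopa
EOF
}

# alias_targets FILE NAME -> final destinations of NAME, one per line, tagged
# user:, prog:, file: or include:. Each name is expanded once, so a loop
# (loopa <-> loopb) ends quietly instead of recursing forever.
alias_targets() {
    awk -F: -v start="$2" '
        function expand(n,    i, k, parts, t) {
            if (n in seen) return
            seen[n] = 1
            if (!(n in alias)) { print "user:" n; return }
            k = split(alias[n], parts, ",")
            for (i = 1; i <= k; i++) {
                t = parts[i]
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", t)
                if (t == "") continue
                if (t ~ /^\|/) { t = substr(t, 2); gsub(/^[[:space:]]+/, "", t); print "prog:" t }
                else if (t ~ /^:include:/) print "include:" substr(t, 10)
                else if (t ~ /^\//) print "file:" t
                else expand(t)
            }
        }
        /^[[:space:]]*(#|$)/ { next }
        {
            lhs = $1; gsub(/[[:space:]]/, "", lhs)
            # Everything after the first colon is the target list; it may
            # itself contain colons (":include:").
            alias[lhs] = substr($0, length($1) + 2)
        }
        END { expand(start) }
    ' "$1"
}

# risky_aliases FILE -> "name -> prog:..." / "name -> file:..." for every
# alias that, directly or through other aliases, hands mail to a program
# or a file.
risky_aliases() {
    for name in $(awk -F: '/^[[:space:]]*(#|$)/ { next } { gsub(/[[:space:]]/, "", $1); print $1 }' "$1"); do
        alias_targets "$1" "$name" | grep -E '^(prog|file):' | sed "s|^|$name -> |"
    done
}

# Demonstration on the constructed file.
work=$(mktemp -d)
write_sample_aliases "$work/aliases"
echo "MAILER-DAEMON resolves to: $(alias_targets "$work/aliases" MAILER-DAEMON)"
risky_aliases "$work/aliases"
rm -rf "$work"
```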
The /etc/sendmail.cf configuration file
Seven sections of this file:
1. Local information - Configuration for the local host.
2. Options - Sendmail environment options
3. Message Precedence - Specifies
4. Trusted Users - Specifies which users are allowed to change the sender addresses when sending mail.
5. Header Format - Specifies the headers that are inserted into the mail.
6. Rule Rewriting - The commands that re-write e-mail addresses into a form that can be read by the program that delivers the mail.
7. Mailer Definitions - Specifies the programs that deliver the mail.
Linux Logging in, Logging Out, and Shutting down
Logging in
Once you have completed your system install and booted your system, you should see a login prompt on your monitor. When you did your Linux install you should have set a root password. You may have also created a user with a password. Therefore to log in, you will want to type the name of a user or "root" for the login name and enter the appropriate password. If you logged in as a normal user and know the root password and want to use administration commands, you may use the command "su" to become a "super user". Some systems also support the "sudo" command, which allows administrative privileges on a command by command basis.
Linux Shell levels and the su command
The command "su" will allow a normal user to enter a new shell level as the root user, or as another user if they know the root user's or that user's password respectively. To become the root user, type "su"; you will then be prompted for the root password. To become another user, type "su username". You must enter that user's password to become that user. Every time you use the su command you enter a new shell level, which means you have invoked a new running copy of the shell program, such as bash. You can see this change by typing the command "env" and looking at the value of the environment variable "SHLVL". This value increments when you use the su command and decrements when you use the "exit" command to exit that shell environment. You can also see the shell level value by typing "printenv SHLVL".
Logging out
Use the command "logout" to exit a given session. If you have logged in, then typed "su" to become a superuser or another user, you may need to type "exit" until your SHLVL environment value is 1. Then you can type "logout" to exit your session. The "exit" command will take you back to previous shell levels.
Shutting Linux Down
The system is intended to be shut down by the system administrator using the shutdown command in one of the forms shown below. Many systems are set up to capture the Ctrl-Alt-Del keystroke combination and issue the shutdown command through the init program. This will work on most systems if the root user is logged in. Examples of using the shutdown command are shown below.
shutdown -h now
shutdown -r +10 "Rebooting in 10 minutes"
shutdown -r 13:00
The first command will shutdown and halt the system immediately. The second will reboot the system in 10 minutes and send the message to all users. The third command will shut the system down and do a reboot at 1:00 in the afternoon.
Making and Managing Linux Filesystems
Programs used to manage filesystems
• badblocks(8) - Search a device for badblocks. The command "badblocks /dev/hda" will search the first partition of the first IDE hard drive for badblocks.
• cfdisk(8) - A partition table manipulator used to create or delete disk partitions.
• dosfsck(8) - Used to check a msdos filesystem.
• dumpe2fs(8) - Lists the superblock and blocks group information on the device listed. Use with a command like "dumpe2fs /dev/hda2". The filesystem on the device must be a Linux filesystem for this to work.
• fdformat(8) - Performs a low-level format on a floppy disk. Ex: "fdformat /dev/fd0H1440".
• fdisk(8) - Used to add or remove partitions on a disk device. It modifies the partition table entries.
• fsck(8) - Used to check and/or repair a Linux filesystem. This should only be used on filesystems that are not mounted.
• hdparm(8) - Used to get or set the hard disk parameters.
• mkdosfs(8) - Used to create a msdos filesystem.
• mke2fs(8) - Create a Linux native filesystem which is called a second extended filesystem. This creates the current version of the Linux filesystem.
• mkfs(8) - Used to make a Linux filesystem on a device. The command "mkfs /dev/hdb1" will create a Linux filesystem on the first partition of the second IDE drive.
• mkswap(8) - Creates a Linux swap area on a device.
• mount(8) - Used to mount a filesystem. It supports many types of filesystems.
• stat(1u) - Used to print out inode information on a file. Usage: stat filename
• swapoff(8) - Used to de-activate a swap partition.
• swapon(8) - Used to activate a swap partition.
• tune2fs(8) - Used to adjust the tunable parameters of a Linux second extended filesystem. The filesystem must not be mounted read-write when this operation is performed. Can adjust the maximum number of mounts between filesystem checks, the time between filesystem checks, the number of reserved blocks, and other parameters.
• umount(8) - Unmount a filesystem.
Making a Filesystem
Making a swap partition
Type "mkswap -c /dev/hda3 10336"
The -c option has mkswap check for bad blocks. The 10336 is the size of the partition in blocks, about 10M. The system enables swap partitions at boot time, but if installing a new system you can type "swapon /dev/hda3" to enable it immediately.
Making an ext2 file system on a floppy
1. fdformat /dev/fd0H1440
2. mkfs -t ext2 -c /dev/fd0H1440
Other file systems:
A normal hard drive can have many types of filesystems on it. To create an ext2 file system, type "mke2fs -c /dev/hda2 82080" to create an 82 meg filesystem. Note: mkfs is a front end to many file system types including ext2, minix, and msdos.
Checking a Filesystem
fsck - Used to check and repair a filesystem.
fsck is a front end to a filesystem type specific fsck.ext2, fsck.minix, and fsck.msdos.
Syntax: fsck -t type device
Ex: fsck -t ext2 /dev/hda3
Linux Configuration
In this section, the configuration tool, "linuxconf" is discussed. This configuration tool provides a means to configure much of the system. In this section, attempts are made to describe the files where this configuration information is stored (unless documented in other sections), however its accuracy cannot be guaranteed, and these files will vary somewhat from one Linux system to another.
When fully expanded, the linuxconf menu includes the following:
• Config
o Networking
Client tasks
Basic host information
Name server specification (DNS)
Routing and Gateways
Defaults
other routes to networks
other routes to hosts
routes to alternate local nets
the routed daemon
Host name search path
Network Information System (NIS)
IPX interface setup
PPP/SLIP/PLIP
Server tasks
Exported file systems (NFS)
IP aliases for virtual hosts
Apache Web server
Defaults
Virtual domains
Sub-directory specs
Files specs
Modules
Performance
mod_ssl configuration
Domain Name Server (DNS)
Config
domains
IP reverse mappings
secondaries
forward zones
forwarders
features
IP allocation space
Add/Edit
host information by domain
(quick edit)
Security
Access control lists
Access control
Mail delivery system (sendmail)
Basic
Basic information
special (domain) routing
complex (user) routing
masquerading rules
mail to fax gateway
virtual email domain
the mail queue
user aliases
virtual domain user aliases
/etc/sendmail.cf
Anti-spam filters
Rejected senders
'Relay for' by IP
'Relay for' by name
Relay to hosts
Samba file server
Defaults
Default setup for user's home
Default setup for printers
Netlogon setup
Disk shares
Ftp server (wu-ftpd)
Basic configuration
Virtual hosts
Misc
Information about other hosts
Information about other networks
Linuxconf network access
o Users accounts
Normal
User accounts
Group definitions
Change root password
Special accounts
PPP accounts
SLIP accounts via normal login
UUCP accounts
POP accounts (mail only)
Virtual POP accounts (mail only)
Email aliases
user aliases
virtual domain user aliases
Policies
Password & account policies
Available user shells
Available PPP shells
Available SLIP shells
Message of the day - Allows you to type a new message of the day to be displayed on the console when a user logs in. This file is stored in /etc/motd.
o File systems
Access local drive
Access nfs volume
Configure swap files and partitions
Set quota defaults
Check some file permissions
o Miscellaneous services
Initial system services
Modem
o boot mode
Lilo
LILO defaults (linux boot loader)
LILO linux configurations
LILO other OS configurations
default boot configuration
a new kernel
a kernel you have compiled
Mode
default boot mode
• Control
o Control panel
Activate configuration
Shutdown/Reboot
Control service activity
Mount/Unmount file systems
Control configured local drives
Control configured nfs volumes
Mount other NFS file systems
Configure superuser scheduled tasks
Archive configurations
Switch system profile
Control PPP/SLIP/PLIP links
o Control files and systems
Configure all configuration files
Configure all commands and daemons
Configure file permission and ownership
Configure Linuxconf modules
Configure system profiles
Override Linuxconf addons
Create Linuxconf addons - This section allows a newly installed package to be managed using linuxconf
o logs
Boot messages
Linuxconf logs - Shows all configuration commands issued by linuxconf
o date & time - Allows the time zone to be set and the time to be set as stored in GMT format or local time. It also lets the time and date to be set.
o Features - Defines special behavior of linuxconf including the keyboard map (/etc/sysconfig/keyboard), language selection, and html timeout.
Linux Init Program
The init program is the first program run after your kernel begins running. It is configured with the /etc/inittab file. By modifying your /etc/inittab file, you change your system configuration in the following areas:
1. Start up system run level.
2. Specify processes to be executed during system boot.
3. Specify processes to be run when the specified runlevel is entered.
4. Specify processes to be run on certain runlevels with actions like respawn so the process is restarted any time it terminates.
5. Specify certain actions or processes to be run if certain signals or user actions are indicated.
The previous section on LILO explained what runlevels are.
Below is an example inittab file with line numbers added on the left side for reference:
# inittab This file describes how the INIT process should set up
# the system in a certain run-level.
#
# Author: Miquel van Smoorenburg,
# Modified for RHS Linux by Marc Ewing and Donnie Barnes
#
# Default runlevel. The runlevels used by RHS are:
# 0 - halt (Do NOT set initdefault to this)
# 1 - Single user mode
# 2 - Multiuser, without NFS (The same as 3, if you do not have networking)
# 3 - Full multiuser mode
# 4 - unused
# 5 - X11
# 6 - reboot (Do NOT set initdefault to this)
#
1) id:3:initdefault:
# System initialization.
2) si::sysinit:/etc/rc.d/rc.sysinit
3) l0:0:wait:/etc/rc.d/rc 0
4) l1:1:wait:/etc/rc.d/rc 1
5) l2:2:wait:/etc/rc.d/rc 2
6) l3:3:wait:/etc/rc.d/rc 3
7) l4:4:wait:/etc/rc.d/rc 4
8) l5:5:wait:/etc/rc.d/rc 5
9) l6:6:wait:/etc/rc.d/rc 6
# Things to run in every runlevel.
10) ud::once:/sbin/update
# Trap CTRL-ALT-DELETE
11) ca::ctrlaltdel:/sbin/shutdown -t3 -r now
# When our UPS tells us power has failed, assume we have a few minutes
# of power left. Schedule a shutdown for 2 minutes from now.
# This does, of course, assume you have powerd installed and your
# UPS connected and working correctly.
12) pf::powerfail:/sbin/shutdown -f -h +2 "Power Failure; System Shutting Down"
# If power was restored before the shutdown kicked in, cancel it.
13) pr:12345:powerokwait:/sbin/shutdown -c "Power Restored; Shutdown Cancelled"
# Run gettys in standard runlevels
14) 1:2345:respawn:/sbin/mingetty tty1
15) 2:2345:respawn:/sbin/mingetty tty2
16) 3:2345:respawn:/sbin/mingetty tty3
17) 4:2345:respawn:/sbin/mingetty tty4
18) 5:2345:respawn:/sbin/mingetty tty5
19) 6:2345:respawn:/sbin/mingetty tty6
# Run xdm in runlevel 5
# xdm is now a separate service
20) x:5:respawn:/etc/X11/prefdm -nodaemon
Line number 1 sets the runlevel to 3. Line numbers 3 through 9 will run the startup script /etc/rc.d/rc for the appropriate run level as selected on line 1. Line numbers 14 through 19 spawn login getty programs on 6 virtual terminals. Other lines perform such things as power management and trapping the CTRL-ALT-DEL keystrokes for shutdown. Please see the "How Linux Works CTDP Guide" for further information on the format of the inittab file and what the init program does.
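As an added example (not part of the original guide), a small POSIX sh/awk audit of an inittab in the format shown above: it reads the default runlevel, refuses an initdefault of 0 or 6 (the file's own comments warn against both), reports what init runs on CTRL-ALT-DEL, and counts the respawn entries active in a given runlevel. The two inittab texts are constructed excerpts, not a real system's file.

```shell
#!/bin/sh
# Added example: audit an inittab (id:runlevels:action:process) with POSIX sh and awk.
# SAMPLE_INITTAB is a constructed excerpt in the same shape as the file shown above.
SAMPLE_INITTAB='# constructed sample inittab
id:3:initdefault:
si::sysinit:/etc/rc.d/rc.sysinit
l0:0:wait:/etc/rc.d/rc 0
l3:3:wait:/etc/rc.d/rc 3
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
x:5:respawn:/etc/X11/prefdm -nodaemon'

# A second constructed excerpt whose initdefault is 6: the comments in the inittab
# above say never to do this, since the system would reboot as soon as it came up.
BAD_INITTAB='id:6:initdefault:
si::sysinit:/etc/rc.d/rc.sysinit'

# default_runlevel INITTAB_TEXT: print the runlevels field of the initdefault entry.
default_runlevel() {
  printf '%s\n' "$1" | awk -F: '$3 == "initdefault" { print $2; exit }'
}

# initdefault_ok INITTAB_TEXT: print "ok" unless initdefault is missing, 0 (halt) or 6 (reboot).
initdefault_ok() {
  case "$(default_runlevel "$1")" in
    ""|0|6) echo unsafe ;;
    *)      echo ok ;;
  esac
}

# ctrlaltdel_handler INITTAB_TEXT: print the command init runs on CTRL-ALT-DEL, or "none".
# The process field is everything after the third colon, so it may itself contain colons.
ctrlaltdel_handler() {
  printf '%s\n' "$1" | awk -F: '
    $3 == "ctrlaltdel" { p = $0; sub(/^[^:]*:[^:]*:[^:]*:/, "", p); print p; found = 1; exit }
    END { if (!found) print "none" }'
}

# count_respawn RUNLEVEL INITTAB_TEXT: number of respawn entries active in RUNLEVEL.
# An empty runlevels field means "every runlevel", as on the sysinit and ctrlaltdel lines.
count_respawn() {
  printf '%s\n' "$2" | awk -F: -v rl="$1" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }                       # skip comments and blank lines
    NF < 4 { next }                                         # not a well-formed entry
    $3 == "respawn" && ($2 == "" || index($2, rl)) { n++ }
    END { print n + 0 }'
}

# Stand-alone report on the constructed sample.
echo "default runlevel: $(default_runlevel "$SAMPLE_INITTAB") ($(initdefault_ok "$SAMPLE_INITTAB"))"
echo "CTRL-ALT-DEL runs: $(ctrlaltdel_handler "$SAMPLE_INITTAB")"
for rl in 1 3 5; do
  echo "runlevel $rl: $(count_respawn "$rl" "$SAMPLE_INITTAB") respawn entries"
done
```

Run against a real file with `default_runlevel "$(cat /etc/inittab)"`; the ctrlaltdel line is worth knowing about because anyone with physical access to the console can trigger it.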
Linux Environment Settings, Shell Selection and Startup Scripts
Linux Environment Variables and Settings
There are many environment variables, some of which are listed below. The command used to add or modify environment variables is the export builtin provided by the bash shell. See the bash(1) man page for more information on this builtin command.
PS1="[\u@\h \w]\\$ " Sets the command line prompt to show the user, the machine and the name of the directory the user is in. In Redhat, to effectively change this value, it must be changed in the file "/etc/bashrc" and in "/etc/profile".
export PATH=$PATH:/usr/sbin Adds /usr/sbin to the path in the system environment
MANPATH Sets the path for man pages
Other environment variables include:
1. USERNAME
2. HOSTNAME
3. LOGNAME
4. MAIL
5. EDITOR - Specifies the editor to be used by default for some commands such as edquota. Usually it is set to vi or emacs with a command like "export EDITOR=emacs".
6. TERM - The type of terminal being used.
7. PATH - The path the system looks in to find commands that the user has entered.
8. HOME - The current user's home directory
9. SHELL - The current shell program that is being executed
10. USER - The name of the current user.
11. TMPDIR - Allows programs that use the tempnam(3) function call to use the directory specified by this variable rather than the /tmp directory.
12. SHLVL - Shows how many shells the user has invoked.
You can type "env" to see a listing of all current environment variables.
SHLVL indicates how many shells deep the user is. If the level is 2, you must type "exit", then logout to exit.
Setting noclobber=1 - keeps existing files from being clobbered (overwritten) by shell output redirection.
Shell Selection for users
The file "/etc/shells" lists the valid shells and shell paths on your system. An example file is:
/bin/bash
/bin/sh
/bin/tcsh
/bin/csh
/bin/ash
/bin/bsh
/bin/bash2
/bin/ksh
/bin/zsh
The command "chsh" can be used by the user to set his preferred shell. Also the root user can use this command to set any user's shell. This command with the -l option will list the available shells. The -s option will allow the user to change their shell. For example type the following to determine and modify the user's shell.
1. chsh -l
2. chsh -s /bin/sh
The first line will show available shells, and the second entry will change it. The full path of the shell must be entered for the command to work.
Startup Scripts
The following scripts are run by bash if the --noprofile option is not used with the shell:
/etc/profile This script file is run first for all users during the login process
$HOME/.bash_profile This script file is run for individual user's customized setup
$HOME/.bash_login If the .bash_profile above does not exist, this file is run
$HOME/.profile This script file is run if $HOME/.bash_profile and .bash_login don't exist
If bash is invoked as "sh" it will run only "/etc/profile" and "$HOME/.profile", above.
The man page says that "$HOME/.bashrc" is run for non-login interactive shells. I'm not sure if it also runs for login interactive shells, but believe it does. If it does, I'm not sure whether it is run after the scripts above, but believe it is.
$HOME/.bash_logout Run when the user logs off the system.
Key bindings:
If the shell variable "INPUTRC" is set, probably in "/etc/profile", the keybindings are set by the file named in the INPUTRC value. Usually this is "/etc/inputrc". Otherwise the keybindings are set in the file "$HOME/.inputrc" for each individual user.
$HOME/.inputrc - User's keybindings definition
/etc/inputrc - Global keybindings definition
Other scripts and files:
/etc/bashrc On my Redhat system, this file is run by $HOME/.bashrc.
/etc/login.defs Used with shadow passwords to set the initial PATH and other parameters, including how often a user must change passwords and what is acceptable as a password.
Put any new script files in /usr/bin or /usr/local/bin. If you put them in /usr/local/bin, they will be easier to keep track of, but you may want to add /usr/local/bin to your path environment to make them more accessible. You can put the command "export PATH=$PATH:/usr/local/bin" in one of the above scripts or add it to the path statement in /etc/profile.
Therefore to modify parameters for all users, edit:
/etc/profile For users environment setup and other customized items.
/etc/inputrc For keybindings on some systems if INPUTRC is set to it.
To customize an individual user's setup, edit the following files in the user's home directory (/home/username):
$HOME/.bash_profile - User's environment settings and startup programs
$HOME/.bashrc - user aliases and functions
$HOME/.bash_logout - User actions to be done at logout
$HOME/.inputrc - Contains keybindings and other bits.
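The PATH handling described above (appending a directory from a startup script) is easy to get wrong in two ways: the plain "export PATH=$PATH:/usr/local/bin" grows PATH every time the script is re-read, and an empty or relative entry or a world-writable directory lets someone other than root decide which program a command name runs. The helpers below are an added example, not code from the guide; the directories they check are constructed in a scratch directory.

```shell
#!/bin/sh
# Added example: PATH hygiene helpers for the bash startup scripts described above.

# append_path_dir PATH_VALUE DIR: print PATH_VALUE with DIR appended exactly once.
# Wrapping both sides in colons makes the match exact (":/bin:" does not match "/usr/bin").
append_path_dir() {
  case ":$1:" in
    *":$2:"*) printf '%s\n' "$1" ;;             # already present, unchanged
    *)        printf '%s\n' "${1:+$1:}$2" ;;    # append; no leading colon if PATH was empty
  esac
}

# check_path PATH_VALUE: print one line per risky entry, nothing for a clean PATH.
# Empty and relative entries are searched relative to the current directory, so a
# command by that name in any directory the administrator happens to cd into would run;
# a world-writable directory lets any local user replace a command stored in it.
check_path() {
  printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r dir; do
    case "$dir" in
      "")  echo "empty entry (searched as the current directory)" ;;
      /*)
        if [ -d "$dir" ] && [ -n "$(find "$dir" -maxdepth 0 -perm -0002 2>/dev/null)" ]; then
          echo "world-writable directory: $dir"
        fi ;;
      *)   echo "relative entry: $dir" ;;
    esac
  done
}

# path_warning_count PATH_VALUE: number of lines check_path reports (0 for a clean PATH).
path_warning_count() {
  check_path "$1" | awk 'END { print NR }'
}

# Stand-alone demo on constructed directories in a scratch area, removed afterwards.
demo_path_check() {
  scratch=$(mktemp -d) || return 1
  mkdir "$scratch/safe" "$scratch/open"
  chmod 755 "$scratch/safe"
  chmod 777 "$scratch/open"                                # deliberately world-writable
  p=$(append_path_dir "$scratch/safe" "$scratch/open")
  p=$(append_path_dir "$p" "$scratch/open")                # second append is a no-op
  p="$p:.:"                                                # add a relative and an empty entry
  check_path "$p"
  rm -rf "$scratch"
}
demo_path_check
```

On a live system, `check_path "$PATH"` after logging in as root shows whether any of the startup scripts listed above has introduced one of these entries.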
The tcsh shell operates as follows:
/etc/csh.login is run
$HOME/.tcshrc or .cshrc is run
$HOME/.login is run
Other files in the users home directory may be:
.emacs - For the emacs editor. Consists of LISP functions.
.exrc - For the vi editor
.fvwmrc - For the fvwm window manager
.twmrc - For the twm window manager
.newsrc - For newsreaders. Contains a list of newsgroups offered at this site.
.Xdefaults - For programs using the X window system
.xinitrc - Shell commands that run when the user logs into an X session.
Linux Kernel
The Kernel and its Modules
Most kernels are compiled with support for loadable modules; exceptions include many kernels used on floppy boot disks.
The package modules.tar.gz contains all the programs needed to manage modules. This should already be installed on most distributions. The kernel modules are usually in a directory named for the kernel version under /lib/modules; for kernel version 2.2.12-20 they are in "/lib/modules/2.2.12-20". They are loadable object files ending in ".o" that extend the kernel.
To load a module type "insmod module" where "module" is the name of the module to load. Ex: insmod /lib/modules/2.2.12-20/misc/ftape.o
Programs used to manage modules are:
• lsmod - Lists all the currently loaded kernel modules
• rmmod - Unloads modules, Ex: rmmod ftape
• depmod - Creates a dependency file, "modules.dep", later used by modprobe to automatically load the relevant modules.
• modprobe - Used to load a module or set of modules. It uses the dependency information in "modules.dep" to load the requested module together with the modules it depends on.
Modules are loaded from startup script files using "modprobe" to handle loadable modules automatically.
modprobe -l |more Lists all the modules available for your kernel
rmmod module_name Remove a module from the kernel
Finding the Kernel
Locate the kernel image on your hard disk. It should be in the file /vmlinuz, or /vmlinux. In some installations, /vmlinuz is a soft link to the actual kernel, so you may need to track down the kernel by following the links. On Redhat 6.1 it is in "/boot/vmlinuz". To find the kernel being used look in "/etc/lilo.conf".
Type "uname -a" to see the kernel version.
Compiling the Kernel
1. Backup the present kernel which is in "/boot" for most systems. You can tell where it is by looking at "/etc/lilo.conf". Sometimes lilo.conf will point to a link file. Trace the link file and back up the file being pointed to.
2. Have an alternate way to boot such as another linux system on your computer or an emergency boot disk that you can access your filesystem from in case your new kernel crashes.
3. Back up your kernel modules in the directory "/modules". There is probably a directory full of modules so you should be able to back it up using "cp -dpr dir1 dir2" where dir1 is the name of the directory where your modules are and dir2 is where you want to put them.
4. Go to "/usr/src/linux". There is a "/usr/src/linux/.config" file used to do the compile. It is modified by typing "make config" and the values in it are used to determine defaults while doing the "make config". Back this file up to keep your original settings if you want.
5. Type "make config" and answer the hundreds of questions asked. On another terminal, open the file "/usr/src/linux/Documentation/Configure.help" to determine what each configuration is. Also you can type "make menuconfig" or from an X session "make xconfig".
6. Type "make dep"
7. Type "make clean"
8. Type "make bzImage" or "make zImage" if the kernel is small.
9. Type "make modules"
10. Type "make modules_install"
11. Copy the file "/usr/src/linux/arch/i386/boot/bzImage" to "/boot/vmlinuz".
12. Copy the file "System.map" from "/usr/src/linux" to the "/boot" directory. Rename it "System.map-w.x.y" (where w.x.y is the kernel version) and make sure there is a link file called "System.map" pointing to it. This step will keep you from getting warning messages when you boot. It seems to be a step they forgot to include in the kernel-howto.
o cp /usr/src/linux/System.map /boot/System.map-2.2.14
o cd /boot
o rm System.map
o ln -s System.map-2.2.14 System.map
13. Run rdev on the new kernel image to verify the root filesystem device. "rdev /boot/vmlinuz /dev/hda2". Please note that this step may be optionally dependent on whether you want to use the boot loader, lilo, to point to the root device.
14. Make sure the /etc/lilo.conf file is correct (image=/boot/vmlinuz)
15. If your kernel has a feature supported by a module that is required to boot, you will need to make a RAM disk boot image or your system won't boot.
o Type "lsmod" and look to see if the "loop" module is loaded. If it is skip the next step.
o Type "insmod /lib/modules/2.2.14/block/loop.o"
Use this command if the loopback module is not installed. This assumes you compiled the support into your kernel. In my example, I used kernel version 2.2.14, but your kernel version may have a different number. Substitute the appropriate values.
o Type "mkinitrd /boot/initrd-2.2.14.img 2.2.14"
Again, this example is for kernel version 2.2.14. This command will create a RAM image module for your kernel to load into.
o Add an entry similar to "initrd=/boot/initrd-2.2.14.img" to the "/etc/lilo.conf" file for the stanza that is used to boot this kernel. An example of the stanza follows.
o image=/boot/vmlinuz
o label=rhl
o initrd=/boot/initrd-2.2.14.img
o read-only
o root=/dev/hda2
Read the section about LILO for more information or read the lilo and lilo.conf man pages.
16. Run lilo by typing "lilo". If you didn't set the root device in step 12, you will need a line like "root=/dev/hda2" in /etc/lilo.conf in the group of commands for your kernel. This will tell the kernel where your root filesystem is.
This step may be necessary if you are using a kernel previous to the 2.2 series. In the directory "/usr/include" there may be several link files such as "asm", "linux", and "scsi". These are normally softlinks through "/usr/src/linux". If they are, you can point the softlink "/usr/src/linux" at your new kernel source directory, which may be named in the form "linux-2.2.14". If you don't have the "linux" softlink and don't want to create it, you will need to remove and redirect the softlink files in "/usr/include" to the proper location of your new kernel source.
The sysctl tool
This tool is worth mentioning in this section since it is used to manipulate kernel parameters. If you type "sysctl -a |more" you will see a long list of kernel parameters. You can use this sysctl program to modify these parameters. However, I have been unable to add new parameters.
Linux Directory Structure
Note: Files are grouped according to purpose. Ex: commands, data files, documentation.
Parts of a Unix directory tree. See the FSSTND standard (Filesystem standard)
/ Root
|---root The home directory for the root user
|---home Contains the users' home directories
| |----ftp Users include many services as listed here
| |----httpd
| |----samba
| |----user1
| |----user2
|---bin Commands needed during bootup that might be needed by normal users
|---sbin Like bin but commands are not intended for normal users. Commands run by LINUX.
|---proc This filesystem is not on a disk. Exists in the kernel's imagination (virtual). This directory
| | Holds information about kernel parameters and system configuration.
| |----1 A directory with info about process number 1. Each process
| has a directory below proc.
|---usr Contains all commands, libraries, man pages, games and static files for normal
| | operation.
| |----bin Almost all user commands. some commands are in /bin or /usr/local/bin.
| |----sbin System admin commands not needed on the root filesystem. e.g., most server
| | programs.
| |----include Header files for the C programming language. Should be below /usr/lib for
| | consistency.
| |----lib Unchanging data files for programs and subsystems
| |----local The place for locally installed software and other files.
| |----man Manual pages
| |----info Info documents
| |----doc Documentation for various packages
| |----tmp
| |----X11R6 The X windows system files. There is a directory similar to usr below this
| | directory.
| |----X386 Like X11R6 but for X11 release 5
|---boot Files used by the bootstrap loader, LILO. Kernel images are often kept here.
|---lib Shared libraries needed by the programs on the root filesystem
| |----modules Loadable kernel modules, especially those needed to boot the system after
| disasters.
|---dev Device files for devices such as disk drives, serial ports, etc.
|---etc Configuration files specific to the machine.
| |----skel When a home directory is created it is initialized with files from this directory
| |----sysconfig Files that configure the linux system for networking, keyboard, time, and more.
|---var Contains files that change for mail, news, printers log files, man pages, temp files
| |----file
| |----lib Files that change while the system is running normally
| |----local Variable data for programs installed in /usr/local.
| |----lock Lock files. Used by a program to indicate it is using a particular device or file
| |----log Log files from programs such as login and syslog which logs all logins,
| | logouts, and other system messages.
| |----run Files that contain information about the system that is valid until the system is
| | next booted
| |----spool Directories for mail, printer spools, news and other spooled work.
| |----tmp Temporary files that are large or need to exist for longer than they should in
| | /tmp.
| |----catman A cache for man pages that are formatted on demand
|---mnt Mount points for temporary mounts by the system administrator.
|---tmp Temporary files. Programs running after bootup should use /var/tmp.
Finding Files in Linux
There are three good methods of finding files in linux:
1. The slocate database
2. The whereis command
3. The find command
The slocate database
To use the locate command, you will need to have a slocate database set up on your system. On many systems it is updated periodically by the cron daemon. Try the slocate command to see if it will work on your system:
locate whereis
Will list all files that contain the string "whereis". If that command did not work you will need to run the command:
slocate -u
This command will build the slocate database which will allow you to use the locate command. This command will take a few minutes to run.
The whereis command
This command will locate binary (or executable) programs and their respective man pages. The command:
whereis linuxconf
will find all binaries and manpages with the name linuxconf.
The find command
The following are examples of the find command:
find /home -user mark Will find every file under the directory /home owned by the user mark.
find /usr -name "*spec" Will find every file under the directory /usr ending in ".spec". The pattern is quoted so that the shell does not expand it against the current directory before find sees it.
find /var/spool -mtime +40 Will find every file under the directory /var/spool that has data older than 40 days.
Find is a very powerful program and very useful for finding files with various characteristics. For more information, read the man page about find by typing "man find".
Locating man pages by subject
There is a keyword option in the man command that can be used to find man pages that have specific words in their descriptions. An example is:
man -k process
to find all man pages that talk about processes. Use the command:
man -k process |grep kernel
to find information on kernel processes. An equivalent command is the apropos command as follows:
apropos process
The which command
The which(1) program is a useful command for finding the full path of the executable program that would be executed if the name of the executable program is entered on the command line. The command:
which startx
Will show the full path of the startx command that will be run if "startx" is entered on the command line when an X session is started.
Linux Help
Sources of help include:
1. Man pages - Stands for manual pages and are available on your system by invoking the word "man" followed by the subject you need help for. An example is "man inetd" for information about the inetd internet super daemon program.
2. Info - Info pages are meant as a replacement for man pages but are harder to use which is why man pages are still popular.
3. Howtos - Howtos are written about various functional areas and Linux programs. They are likely to be available on your system in the /usr/doc/HOWTO directory. They are also available at various websites which can be accessed from the CTDP Linux Weblinks section.
4. GNU manuals - Accessible through the GNU website which you can find in the CTDP Linux Weblinks Documentation section.
5. Package documentation - Documentation that comes with individual packages, usually found with the package or in the /usr/doc or /usr/local directory.
6. Other LDP documents - There are many excellent Linux documents written in book form provided by The Linux Documentation Project which are available at their website. Their website may be accessed from the CTDP Linux Weblinks section. Many of these documents include subjects about Linux system administration, the Linux kernel, security and more.
7. Independent documents and resources - There are many excellent independently written documents. Watch the Linux Weblinks section for information on these types of resources. These resources are added as they are located or suggested by CTDP members or the public.
Man Pages
Man pages are generally written to describe programs, configuration files, functions and other areas of the system. They are organized into numbered sections covering various subject areas as follows:
1. User commands that may be started by everyone.
2. System calls, functions provided by the kernel.
3. Subroutines, which are library functions.
4. Devices, which are special files in the /dev directory needed to access items like com ports and disk drives, among many other things.
5. File format descriptions, such as configuration files and files like /etc/passwd.
6. Games.
7. Miscellaneous, such as macro packages, standard methods.
8. System administration tools for the root user.
9. More kernel routine documentation specifically for linux.
There may be other non numbered sections:
• n - New documentation, that may be moved to a more appropriate section.
• o - Old documentation, that may be kept for a grace period.
• l - Local documentation referring to this particular system.
When referenced in documentation, man pages are many times referred to by section. For example see the man page on inetd(8). You normally don't need to do anything special to see the page in section 8 except type "man inetd". The syntax for using man pages is "man command", where "command" is the name of the command or item you want help for. Sometimes a given name is in more than one section. For instance the name crontab is a configuration file and a utility used to perform configuration. There is a man page for this in sections 1 and 5. If "man crontab" is typed the file in section one will be shown. In this case you will need to type the section number as follows:
man 5 crontab
Once you are in a man page, type [space] to see the next page, and type "Q" at any time to quit.
Searching pages:
You can use a keyword function in man. To find commands that deal with DNS, type "man -k dns". A list of all commands, system calls and other items that have the word "dns" in their name or short description is given. Entering "man -k dns | grep domain" will narrow the list to entries that mention both "dns" and "domain". Another command equivalent to "man -k" is the apropos command. To search on a particular subject in the man page library type "apropos subject". A list of all man pages with the associated subject in their description will be displayed. This information is kept in the apropos database which is updated weekly by cron. See the section on cron or type "man apropos" or "man whatis" for more information.
To print a man page type "man name | lpr -P printer", where "printer" is the name of your printer. You must have your printer set up for this to work.
Info Pages
Much documentation is included as info pages. Many times the same documentation is included in man pages, but sometimes information is included in info pages that is not in man pages. I don't like info pages since you need to remember many different key commands to navigate through them. There is a tutorial in the info pages that you can use to learn the commands. I recommend that before using info pages, you do at least a quick tour by taking the tutorial. Take notes and keep them handy when using the info pages. You may use the info pages by typing "info command" where command is the name of the command you need information about. To begin the tutorial, type "info", and look for the help section. Some of the basic info commands are listed below.
h Take the help tutorial
To move down (see more text) on a screen
or Backspace To page up the screen
b To move to the top of a screen
n To move to the next node (text on a particular topic)
p To move to the previous node
d To move to the main directory node
l To move to the last node you were at. Retraces where you were.
L Refresh the screen
m Show a menu of nodes you can move to
g Cancel menu selection
name Type node name or Ctrl-g to cancel after typing "m" for menu
u To move back to the menu you were at. Use this command after making a menu selection to get back to the last menu from which you made a selection.
? Show available commands.
Howto Documents and GNU manuals
Along with the man pages there is much Linux documentation contained in the various howto files and GNU documents written by the Linux community. There are many links on the web to help you find these sources of documentation. The easiest way to find these documents is to link to the websites that have them in the Linux, Weblinks, Documentation section of this website. Most of the howto documents should be on your system in the directory /usr/doc/HOWTO. They are in text format and can be read by the program "less" or any text editor.
Package Documentation
Linux is generally made up of many packages. Each package deals with certain functionality of Linux, but may have several commands. For instance, the etherboot package has a purpose of allowing users to set up remote machines for booting using a Linux server. This package has several binary programs used to perform this function. Most packages contain various text files or html or dvi files that contain further documentation about the package and their various commands. Most package documentation is in the directory "/usr/doc" or "/usr/local" under the specific package name. There are also various important manuals which may have come with your distribution. These manuals may be in postscript format. From an X session if you locate these files, you can double click on them to read them in postscript. The names of some of these manuals are:
1. Bash Reference Manual
2. LILO User's Guide
3. LILO Technical Overview
4. Name Server Operations Guide for BIND
5. IP Command Reference
6. IPv6 Flow Labels in Linux-2.2
7. Tunnels over IP in Linux-2.2
8. IP Chains Quick Reference
9. Sendmail Installation and Operations Guide
10. Sendmail - An Internetwork Mail Router
11. mgetty+sendfax
12. Automated System Monitoring and Notification with SWATCH
13. SGML-Tools User's Guide
Setting Linux Time
Programs for working with time and date are:
• clock - This is a soft link to hwclock.
• date(1) - Print or set the system date and time.
• hwclock(8) - Sets the hardware clock based on values entered on the command line.
• setclock(8) - Sets the BIOS hardware clock based on the time and setup of the system clock.
• timeconfig(8) - A program used to configure the system configuration file "/etc/sysconfig/clock" which includes the type of clock and timezone.
An Example:
While logged in as root do the following:
1. Type "date".
2. You should see some variation of:
"Wed Nov 24, 9:29:17 EST 1999"
3. To change the time type (as an example):
date -s 10:10
4. The system response will be:
"Wed Nov 24, 10:10:02 EST 1999"
5. Then if you want to set the hardware (BIOS) clock so the system will keep the time when it reboots type:
clock -w
or
setclock
The program setclock will set your hardware clock based on your system configuration parameters including whether or not your clock is set to universal time.
The "clock -w" command assumes your hardware clock is set to local time. If it is set for universal time you will want to type "clock -wu" rather than the "clock -w" in the line above. If you use the wrong option the time will be set incorrectly and you will need to do it again.
On a Redhat system, you can use the program "linuxconf" as root and page down to the next to the last line in the menu, which is "date & time". Select it and see if the box named "universal format (GMT)", next to "Store date in CMOS", is checked. If it is not, you may save your time by typing "clock -w". If it is checked, use "clock -wu".
Note: There is a man page for date that you can use to learn more. Type "man date". You do not want to make any more changes to time and especially to the date than necessary, especially while the system is running, since this can trigger the "cron" daemon to perform various time related system tasks.
An alternate method to set the time is:
hwclock --set --date "2/24/2000" If you are using local time
hwclock --set --date "2/24/2000" --utc If you are using universal time
In the rc.sysinit startup script, this program is used with the options --adjust and --hctosys to adjust the hardware clock for drift and to set the system time from the hardware clock at boot.
On Redhat systems, there is a configuration program called "timeconfig" which can be used to configure the system configuration file /etc/sysconfig/clock and /etc/localtime. This program will use a graphical interface to let the user set the timezone and whether UTC time is used.
Basic Linux Devices
The first partition on an IDE hard drive is called partition 1, and is called /dev/hda1 if the drive is the primary IDE master.
/dev/fd0 Floppy disk
/dev/hda1 IDE Hard drive 1, partition 1
/dev/hdb3 IDE Hard drive 2, partition 3
/dev/sda1 First SCSI interface (probably hard drive), device id 1
/dev/sdc3 First SCSI interface, device id 3
/dev/cdrom CD ROM drive
/dev/mouse Mouse device, sometimes a pointer to another device such as /dev/psaux, a ps/2 mouse driver.
primary IDE master /dev/hda
primary IDE slave /dev/hdb
secondary IDE master /dev/hdc
secondary IDE slave /dev/hdd
Linux Tips
Multiple Virtual Terminal access
There are normally 6 virtual terminals in Linux, available by using Alt-F1 through Alt-F6. Each one can be logged in as a different user. There are normally 6 terminals available in X also, F7 through F12. The first X session will be on F7 (if on a local terminal), the second on F8, and so forth. If an X session is started from F1 and you also have an active session on F2, you can type Ctrl-Alt-F2 to go from the X session to the virtual console on F2. Also to get back to your X session, you can type Ctrl-Alt-F7. This example assumes that your terminals are setup in the standard manner with 6 virtual terminals that spawn the getty program available. You can check your setup by checking your /etc/inittab file. You should have lines like the following in your file.
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
3:2345:respawn:/sbin/mingetty tty3
4:2345:respawn:/sbin/mingetty tty4
5:2345:respawn:/sbin/mingetty tty5
6:2345:respawn:/sbin/mingetty tty6
See the section on init for further information on this file.
Linux Command line shortcuts
If typing a command on the command line, you can press before the command is complete and if there are enough characters for it to be unique, the system will finish the command for you. If it is not yet unique, and is pressed twice, you will be given choices.
Pasting text in files
There is a cut and paste mouse utility that works with virtual consoles called gpm which runs as a daemon. To use it,
1. Move your mouse to the text you want to cut or paste
2. Hold the left mouse button down
3. Drag the mouse to the end of the selected text
4. Release the mouse button
5. If deleting text, just press the "DEL" key for your final step. If pasting text, move the text cursor to the location you want to paste to by switching terminals with function keys, using arrow keys, etc.
6. If pasting, press the right mouse button.
Viewing previously displayed text
Text that has scrolled off the top of the screen may be viewed again using the Shift-PgUp key combination. The keys in the number pad on the far right of the keyboard do not work for this function, only the grey PgUp and PgDn keys to the right of the main keyboard. If you want other keys to perform this function, you would need to map them in the bash shell keymapping. Pressing any key other than PgUp or PgDn will bring you back to the normal screen location.
Linux System Setup
Linux Filesystem Access Types
For a list of programs used to work with filesystems, see the section "Making and Managing Filesystems". To access other filesystems you must first create them or determine what is currently on your computer. This example assumes you already have filesystems on your computer, such as DOS, Windows, or other Linux partitions, that you want to access.
1. Use one of two methods to determine what partitions are on each drive
1. Type "fdisk /dev/hda" for drive 1 or "fdisk /dev/hdb" for drive 2, then type p to see a list of each partition. Type q to exit.
2. An alternate method for this step, assuming you can boot to the filesystem using LILO, is:
1. Type "less /etc/lilo.conf"
2. Look for the label used by lilo to select DOS, such as "dos", and use the associated device. The line on my system is "other=/dev/hda1", so I will use device "/dev/hda1". The disadvantage here is that this method will not allow determination of filesystems with no operating system, such as partitions that hold data.
2. Make directories for mount points for each of the other filesystems. For another Linux install such as Debian or Slackware, type "mkdir /debian" or "mkdir /slackw". For a foreign operating system partition such as DOS or Windows 98, type "mkdir /dos" or "mkdir /win98".
3. Type "mount -t msdos /dev/hda1 /dos" where /dev/hda1 is where the DOS partition is. Type "mount /dev/hda4 /win98" to mount the Windows filesystem, or "mount /dev/hda3 /slackw". Your filesystems may be on other partitions than those shown in the examples here.
4. You can unmount when done: "umount /dev/hda1". However, the shutdown scripts unmount all filesystems when the system is shut down.
The following line in /etc/fstab will cause the system upon bootup to mount an msdos partition on /dev/hda1 on the directory /dos:
/dev/hda1 /dos vfat defaults 0 0
This works because one of the startup script files, "/etc/rc.sysinit", includes the line "mount -a -t nonfs,smbfs,ncpfs,proc". This command mounts all filesystems listed in the file "/etc/fstab". You could set the filesystem type to msdos. Read the file /usr/src/linux/fs/filesystems.c to find a list of the filesystems supported by your kernel. The files /etc/mtab and /proc/mounts each keep a record of the filesystems currently mounted on your system. Read the mount man page for more information.
Another useful command is "hdparm -g /dev/hda" which is used to determine hard drive geometry (sectors, heads, cylinders).
Mounting other partitions or operating systems at startup
To mount other partitions at startup modify the "/etc/fstab" file. Each line in the file refers to a different filesystem. Fields are separated by whitespace. The primary filesystems must be mounted first, so they must be in correct order. Your native partition for the system you are running should be listed first. The fields are as follows:
1. The name of the device such as "/dev/hda1"
2. The mount point. Use "/" for root. Other typical mount points are "/dos" for DOS, "swap" or "none" for the swap partition, and "/mnt/floppy" for "/dev/fd0" (the floppy drive).
3. The type of filesystem. They are: mini, ext, ext2(linux native), xiafs, msdos, hpfs, ntfs, fat32, iso9660(CD-ROM), nfs, swap (for swap space).
4. The mount options for use with the filesystem. Each filesystem type has different mount options. Read the mount man page to see possible options. ro = read only; user = allows normal users to mount the device.
5. The frequency the filesystem needs to be dumped (backed up) by the dump command. For ext2, normally make it 1, for others make it 0. 0 or nothing means it is not dumped. If 1, it is backed up during a system backup.
6. A number telling the order in which the filesystems should be checked at reboot time by the fsck program. Your root should be 1, others are in ascending order or 0 to not be checked.
To determine your hard drive's partitions and see which operating system each partition holds, you may use the fdisk program. Just make sure you don't change your disk information. You can use the 'p' command to see a list of current partitions, then you can add them to your fstab file. Note: In order for the mount to succeed, you must have created the mount point subdirectory (except for root).
I like to install multiple copies of Linux on one computer for three reasons.
1. The second copy can serve as a backup to the first. If I totally screw up one copy of Linux, by changing kernels, etc, I can still get to the filesystem from the other system and straighten out my problems.
2. I can learn about other Linux packages.
3. If a compile of a package fails on one system such as Redhat, I can try it on another system such as Slackware and it will probably work.
The fstab file
A typical /etc/fstab file:
/dev/hda2 / ext2 defaults 1 1
/dev/hdb1 /data auto defaults 0 0
/dev/hda1 /dos vfat defaults 0 0
/dev/hda3 /slackw ext2 defaults 0 0
/dev/hda4 swap swap defaults 0 0
/dev/cdrom /mnt/cdrom iso9660 noauto,owner,ro 0 0
/dev/fd0 /mnt/floppy ext2 noauto,owner 0 0
none /proc proc defaults 0 0
none /dev/pts devpts gid=5,mode=620 0 0
These are the options:
• defaults - Use the default options of rw, suid, dev,exec,auto, nouser, and async.
• auto - Auto detect the type of filesystem.
• noauto - The -a option will not mount the filesystem.
• owner - Allow an ordinary user to mount the filesystem if that user owns the device
• ro - Read only
• rw - Read and write allowed
• user - Users have permission to mount this filesystem
• users - Allows a user to mount and another user to unmount the filesystem
The /proc directory is required for tracking processes in memory (RAM). The directories /data, /dos, and /slackw in this example must exist or their mounts will fail. The entries for the floppy and cdrom allow them to be unmounted automatically during shutdown if they are mounted. The option "noauto" in their entries keeps these devices from being mounted at startup.
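As an added example (not part of the tutorial), the following Python applies the /etc/fstab rules described above to a table: root listed first and checked first, fsck pass numbers, the dump field, mount point directories that must exist, and a filesystem listed before the one it is mounted inside. The fstab text and the set of existing directories are constructed for the demonstration so the check runs without touching the live system.

```python
"""Added example, not from the tutorial: a checker for the /etc/fstab rules
described in the text.  Sample tables and directory sets are constructed."""
import os
from collections import namedtuple

FstabEntry = namedtuple("FstabEntry", "device mountpoint fstype options dump passno")

# Constructed sample: the "typical /etc/fstab" shown in the text.
GOOD_FSTAB = """\
/dev/hda2 / ext2 defaults 1 1
/dev/hdb1 /data auto defaults 0 0
/dev/hda1 /dos vfat defaults 0 0
/dev/hda3 /slackw ext2 defaults 0 0
/dev/hda4 swap swap defaults 0 0
/dev/cdrom /mnt/cdrom iso9660 noauto,owner,ro 0 0
/dev/fd0 /mnt/floppy ext2 noauto,owner 0 0
none /proc proc defaults 0 0
none /dev/pts devpts gid=5,mode=620 0 0
"""

# Constructed sample with mistakes: root listed second and given pass number 0,
# a data partition given pass number 1, and a mount point with no directory.
BAD_FSTAB = """\
/dev/hdb1 /data auto defaults 0 1
/dev/hda2 / ext2 defaults 1 0
/dev/hda1 /dos vfat defaults 0 0
"""

def parse_fstab(text):
    """Return FstabEntry objects; fields are whitespace separated, '#' starts a
    comment, and the dump and pass fields default to 0 when left out."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if not 4 <= len(fields) <= 6:
            raise ValueError("line %d: expected 4 to 6 fields, got %d" % (lineno, len(fields)))
        fields += ["0"] * (6 - len(fields))
        entries.append(FstabEntry(fields[0], fields[1], fields[2],
                                  fields[3].split(","), int(fields[4]), int(fields[5])))
    return entries

def check_fstab(entries, dir_exists=os.path.isdir):
    """Return a list of problem strings (empty when the table looks right).
    dir_exists is injectable so the check can run against a constructed
    directory layout instead of the live system."""
    problems = []
    if not entries or entries[0].mountpoint != "/":
        problems.append("the root filesystem '/' must be the first entry")
    for i, e in enumerate(entries):
        if e.mountpoint == "/" and e.passno != 1:
            problems.append("%s: root should have fsck pass number 1" % e.device)
        if e.mountpoint != "/" and e.passno == 1:
            problems.append("%s: only root should use fsck pass number 1" % e.device)
        if e.dump not in (0, 1):
            problems.append("%s: dump field must be 0 or 1" % e.device)
        if e.fstype == "swap":
            continue  # swap space has no mount point directory
        if e.mountpoint != "/" and not dir_exists(e.mountpoint):
            problems.append("%s: mount point %s does not exist" % (e.device, e.mountpoint))
        # A filesystem mounted inside another one must come after it, or the
        # "mount -a" run at boot reaches it before its parent is in place.
        for later in entries[i + 1:]:
            prefix = later.mountpoint.rstrip("/") + "/"
            if later.mountpoint != "/" and e.mountpoint.startswith(prefix):
                problems.append("%s is listed before its parent mount %s"
                                % (e.mountpoint, later.mountpoint))
    return problems

def check_fstab_text(text, existing_dirs):
    """Check fstab text against a constructed set of directories that are
    assumed to exist, so the example runs on any machine."""
    return check_fstab(parse_fstab(text), dir_exists=lambda p: p in existing_dirs)

if __name__ == "__main__":
    dirs = {"/data", "/dos", "/slackw", "/mnt/cdrom", "/mnt/floppy", "/proc", "/dev/pts"}
    for name, text in (("good", GOOD_FSTAB), ("bad", BAD_FSTAB)):
        print(name, check_fstab_text(text, dirs) or "no problems")
```

Call check_fstab with the default dir_exists to run the same rules against a real /etc/fstab read from disk.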
Note:
If you install an OS that wipes LILO, you can use the fdisk utility to toggle the bootable flag (change the boot partition). This can help if the OS that wiped LILO can toggle this flag to a Linux partition.
Linux Emergency Filesystems and Procedures
There are several ways to make a boot floppy, but basically there are two types of boot floppies that make sense. The first is a simple boot floppy with a copy of your kernel that will mount your root device, which is usually on your hard drive. This will give you another way to boot your system and allow you to repair some problems, such as a bad recompile of a kernel or a lilo failure, but it will not do much good if you develop a serious problem with your root filesystem. The second is a more elaborate set, a boot floppy plus a root floppy, that independently supports some tools which allow repair of a root filesystem, or at least help you rescue files.
Making a simple Emergency boot floppy
How to make a single boot floppy:
1. Find the kernel. It is usually /vmlinuz or /boot/vmlinuz. The file vmlinuz may be a softlink to the actual kernel executable. Find the executable kernel.
2. Copy the kernel image to the floppy.
dd if=/vmlinuz of=/dev/fd0
3. Type the command "df" and examine its output to determine where your root filesystem is. Your root is "/" and is mounted on something like "/dev/hda2".
4. Set the kernel image on the floppy to the location of your root system.
rdev /dev/fd0 /dev/hda2
Your root filesystem may be somewhere other than "/dev/hda2".
5. Test the floppy by rebooting your system and attempting to boot from it.
You can use the command "badblocks /dev/fd0H1440 1440" to check the floppy for bad blocks.
Making a Boot Floppy with a Root Filesystem (not yet complete or accurate)
To make a Linux boot floppy with a root floppy will require two floppy disks. One will be used for the kernel, and the other will hold the root filesystem.
Important functions needed by an emergency boot filesystem:
e2fsck, mount, tar, gzip, insmod, ftape module for kernel if using tape backups
Please note that it is best to recompile your kernel for this. Most kernel images rely on modules stored on your root filesystem, and if your root filesystem is corrupt, the kernel may not work properly. The good news is that you will only need a kernel with minimal support, since this is for emergency use only, and you won't need networking support and some other features. The other option is to use an already compiled kernel image that does not depend on modules, if you can find one.
1. Compile the kernel:
You may answer no to most options, with the following exceptions.
o Make processor type 386 to support all machines with 1Gb of memory.
o Enable PCI support with access mode=any and quirks=y.
o CONFIG_SYSVIPC=y
o CONFIG_BINFMT_ELF=y
o CONFIG_PNP=y
To compile the kernel, make sure you provide floppy, CD-ROM and hard disk support for your types of devices, such as IDE or SCSI. In my compile, I support IDE only. Set CONFIG_BLK_DEV_IDE=y; everything in the IDE category may be set to y except for "other IDE chipset support", CONFIG_IDE_CHIPSETS=n. Enable ramdisk support (CONFIG_BLK_DEV_RAM=y) with initial ramdisk support. Enable virtual terminals (CONFIG_VT=y), CONFIG_VT_CONSOLE=y, CONFIG_SERIAL=y, CONFIG_MOUSE=y, and CONFIG_PS2MOUSE=y. Under filesystems I supported all but quota, kernel automounter support, and UMSDOS. Include all under partition table support. Include VGA text console and the Magic SysRq key.
2. Copy the kernel image to the first floppy.
dd if=/vmlinuz of=/dev/fd0
3. Set the image on the floppy to boot to a root filesystem on your floppy device.
rdev /dev/fd0 /dev/fd0
4. Prepare the root floppy (the second floppy disk)
1. Type "fdformat /dev/fd0H1440" to format the floppy.
2. Type "mkfs -t ext2 -c /dev/fd0H1440" to create a filesystem on the floppy.
Linux Samba
For complete information on Samba see the SMB HOWTO. Also refer to the smb.conf(5), smbd(8), smbclient(1), smbpasswd(5), smbpasswd(8), and testparm(1) man pages. You may access the howtos from one of the weblinks listed in the Linux websites section. The Linux Documentation Project or Metalab's Index of Linux publications will have copies of these howtos.
Perform the following steps, according to the instructions below, to set up Samba services on your computer.
1. Set up your Windows based computers for file and print sharing if you want to access your windows computers from Linux.
2. Decide whether to run Samba through the inetd internet super daemon or through the startup scripts. Running using the startup scripts is recommended for better reliability.
3. Edit the /etc/services file to be sure the port services are enabled.
4. Edit the /etc/smb.conf file with encrypted passwords enabled to work with most modern Windows versions.
5. Add any users as desired to the /etc/smbusers file
6. Optionally add hostnames to /etc/lmhosts.
7. Set up your Samba users' passwords with the "smbpasswd -a username" command.
8. Start or restart Samba services. When running Samba services through the startup scripts it can be done in Redhat using the linuxconf program. On other systems it may be done with one or more of the following commands:
o samba start - Starts samba.
o /etc/rc.d/init.d/smb start - Starts samba.
o samba restart - Restarts samba.
o /etc/rc.d/init.d/smb restart - Restarts samba.
If using inetd to run Samba services, restart/start samba with the command "killall -HUP inetd".
Check your /usr/doc directory for a directory like "samba-2.0.5a". Enter this directory with the command "cd /usr/doc/samba-2.0.5a". There is a docs and a samples directory at this location. There is a sample smb.conf file in the samples directory called smb.conf.default. Use this file to start your /etc/smb.conf file if you don't have one. Modify it for your workgroup name, remove the comment from the line "encrypt passwords = yes" and set up your share definitions as you need.
Configuring Windows
Configuring Windows 95 for sharing (if you want to be able to browse your Windows computer from Linux):
1. Right click on "network neighborhood" and click "properties"
2. Under configuration make sure you have "Client for Microsoft Networks", your ethernet card driver and TCP/IP
3. Select "Client for Microsoft Networks"
4. Select "File and Print Sharing" and turn on file and printer access, enter a password to use
5. Select Add?
Setting up the service method
There are two ways to run Samba services. You can run them as a daemon, using the system startup scripts, or use the internet super daemon, "inetd". You must choose one way or the other; you cannot run the service both ways. I recommend using the startup scripts since the service seems less reliable through inetd.
1. To run as a startup service, if you are using Redhat Linux, you may run "linuxconf" and go to "Control", then "Control panel", then "Control service activity", select "smb" and set it to enabled and running. You will also need to be sure the "/etc/services" file is set up for the named ports below, along with setting up the "/etc/smb.conf", "/etc/smbusers", and possibly the "/etc/lmhosts" files below.
2. To run on request through inetd, put these lines in /etc/inetd.conf:
# Other services
netbios-ssn stream tcp nowait root /usr/sbin/tcpd /usr/sbin/smbd
netbios-ns dgram udp wait root /usr/sbin/tcpd /usr/sbin/nmbd -a
Setting up the services
Configure ports for the NetBIOS name, datagram, and session services by making sure the following lines exist in (or adding them to) the /etc/services file:
netbios-ns 137/tcp # NETBIOS Name Service
netbios-ns 137/udp
netbios-dgm 138/tcp # NETBIOS Datagram Service
netbios-dgm 138/udp
netbios-ssn 139/tcp # NETBIOS session service
netbios-ssn 139/udp
Setting up the Samba configuration file
Edit the Samba configuration file "/etc/smb.conf" to provide suitable services. You should be able to get a file to start with from /usr/doc/samba-x.x.x/examples/smb.conf.default; copy it to /etc/smb.conf and use an editor to modify it.
This is the Samba file I use. Note: you can use swat (described below) to configure this file.
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options (perhaps too
# many!) most of which are not shown in this example
#
# Any line which starts with a ; (semi-colon) or a # (hash)
# is a comment and is ignored. In this example we will use a #
# for commentry and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command "testparm"
# to check that you have not made any basic syntactic errors.
#
#======================= Global Settings =====================================
[global]
# workgroup = NT-Domain-Name or Workgroup-Name
workgroup = mygroup
# This allows you to get around a problem in WIN95, it is also needed
# for OS/2 clients. You should definitely have this line enabled if
# you want to be able to just drop your GNU/Linux machine into an existing
# WIN95-only network.
# important for WIN95 and OS/2 machines (a trailing comment on the
# parameter line itself would be read as part of the value)
lm announce = yes
# server string is the equivalent of the NT Description field
server string = Samba Server
# This option is important for security. It allows you to restrict
# connections to machines which are on your local network. The
# following example restricts access to two C class networks and
# the "loopback" interface. For more examples of the syntax see
# the smb.conf man page
# hosts deny = ALL
# hosts allow = 10.1.3.16 10.1.0.100
# if you want to automatically load your printer list rather
# than setting them up individually then you'll need this
printcap name = /etc/printcap
load printers = yes
# It should not be necessary to spell out the print system type unless
# yours is non-standard. Currently supported print systems include:
# bsd, sysv, plp, lprng, aix, hpux, qnx
; printing = bsd
# Uncomment this if you want a guest account, you must add this to /etc/passwd
# otherwise the user "nobody" is used
; guest account = pcguest
# this tells Samba to use a separate log file for each machine
# that connects
log file = /var/log/samba/log.%m
# Put a capping on the size of the log files (in Kb).
max log size = 50
# Security mode. Most people will want user level security. See
# security_level.txt for details.
security = user
# Use password server option only with security = server
; password server = <NT-Server-Name>
# Password Level allows matching of _n_ characters of the password for
# all combinations of upper and lower case.
; password level = 8
# You may wish to use password encryption. Please read
# ENCRYPTION.txt, Win95.txt and WinNT.txt in the Samba documentation.
# Do not enable this option unless you have read those documents
encrypt passwords = yes
smb passwd file = /etc/smbpasswd
# The following are needed to allow password changing from Windows to
# update the Linux system password also.
# NOTE: Use these with 'encrypt passwords' and 'smb passwd file' above.
# NOTE2: You do NOT need these to allow workstations to change only
# the encrypted SMB passwords. They allow the Unix password
# to be kept in sync with the SMB password.
unix password sync = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n \
*passwd:*all*authentication*tokens*updated*successfully*
# Unix users can map to different SMB User names
username map = /etc/smbusers
# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
; include = /etc/smb.conf.%m
# Most people will find that this option gives better performance.
# See speed.txt and the manual pages for details
socket options = TCP_NODELAY
# Configure Samba to use multiple interfaces
# If you have multiple network interfaces then you must list them
# here. See the man page for details.
interfaces = 192.168.199.1/24 10.1.0.100/16
# Configure remote browse list synchronisation here
# request announcement to, or browse list sync from:
# a specific host or from / to a whole subnet (see below)
; remote browse sync = 192.168.3.25 192.168.5.255
# Cause this host to announce itself to local subnets here
; remote announce = 10.1.255.255 192.168.199.2 192.168.2.44
# Browser Control Options:
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
; local master = no
# OS Level determines the precedence of this server in master browser
# elections. The default value should be reasonable
; os level = 33
# Domain Master specifies Samba to be the Domain Master Browser. This
# allows Samba to collate browse lists between subnets. Don't use this
# if you already have a Windows NT domain controller doing this job
; domain master = yes
# Preferred Master causes Samba to force a local browser election on startup
# and gives it a slightly higher chance of winning the election
; preferred master = yes
# Use only if you have an NT server on your network that has been
# configured at install time to be a primary domain controller.
; domain controller = <NT-Domain-Controller-SMBName>
# Enable this if you want Samba to be a domain logon server for
# Windows95 workstations.
; domain logons = yes
# if you enable domain logons then you may want a per-machine or
# per user logon script
# run a specific logon batch file per workstation (machine)
; logon script = %m.bat
# run a specific logon batch file per username
; logon script = %U.bat
# Where to store roving profiles (only for Win95 and WinNT)
# %L substitutes for this servers netbios name, %U is username
# You must uncomment the [Profiles] share below
; logon path = \\%L\Profiles\%U
# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable it's WINS Server
wins support = yes
# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
; wins server = w.x.y.z
# WINS Proxy - Tells Samba to answer name resolution queries on
# behalf of a non WINS capable client, for this to work there must be
# at least one WINS Server on the network. The default is NO.
; wins proxy = yes
# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups. The built-in default for versions 1.9.17 is yes,
# this has been changed in version 1.9.18 to no.
dns proxy = no
# Case Preservation can be handy - system default is _no_
# NOTE: These can be set on a per share basis
; preserve case = no
; short preserve case = no
# Default case is normally upper case for all DOS files
; default case = lower
# Be very careful with case sensitivity - it can break things!
; case sensitive = no
admin users = root
deadtime = 15
hide dot files = yes
max connections = 10
share modes = yes
guest account = nobody
browseable = yes
; invalid users = root
#============================ Share Definitions ==============================
[homes]
comment = Home Directories
browseable = no
writeable = yes
path=/home/%S
public = no
# Un-comment the following and create the netlogon directory for Domain Logons
; [netlogon]
; comment = Network Logon Service
; path = /home/netlogon
; guest ok = yes
; writable = no
; share modes = no
# Un-comment the following to provide a specific roving profile share
# the default is to use the user's home directory
;[Profiles]
; path = /home/profiles
; browseable = no
; guest ok = yes
# NOTE: If you have a BSD-style print system there is no need to
# specifically define each individual printer
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
# Set public = yes to allow user 'guest account' to print
guest ok = no
writable = no
printable = yes
# This one is useful for people to share files
[tmp]
comment = Temporary file space
path = /tmp
read only = no
public = yes
# A publicly accessible directory, but read only, except for people in
# the "staff" group
[public]
comment = Public Stuff
path = /home/public
public = yes
writable = yes
printable = no
; write list = @staff
# Other examples.
#
# A private printer, usable only by fred. Spool data will be placed in fred's
# home directory. Note that fred must have write access to the spool directory,
# wherever it is.
;[fredsprn]
; comment = Fred's Printer
; valid users = fred
; path = /homes/fred
; printer = freds_printer
; public = no
; writable = no
; printable = yes
# A private directory, usable only by fred. Note that fred requires write
# access to the directory.
;[fredsdir]
; comment = Fred's Service
; path = /usr/somewhere/private
; valid users = fred
; public = no
; writable = yes
; printable = no
# a service which has a different directory for each machine that connects
# this allows you to tailor configurations to incoming machines. You could
# also use the %u option to tailor it by user name.
# The %m gets replaced with the machine name that is connecting.
;[pchome]
; comment = PC Directories
; path = /usr/pc/%m
; public = no
; writable = yes
# A publicly accessible directory, read/write to all users. Note that all files
# created in the directory by users will be owned by the default user, so
# any user with access can delete any other user's files. Obviously this
# directory must be writable by the default user. Another user could of course
# be specified, in which case all files would be owned by that user instead.
;[public]
; path = /usr/somewhere/else/public
; public = yes
; only guest = yes
; writable = yes
; printable = no
# The following two entries show how to share a directory so that two
# users can put files there that will be owned by specific users. In this
# setup, the directory should be writable by both users & have the sticky
# bit set on it to prevent abuse. Obviously this could be extended to
# as many users as required.
;[myshare]
; comment = Mary's and Fred's stuff
; path = /usr/somewhere/shared
; valid users = mary fred
; public = no
; writable = yes
; printable = no
; create mask = 0765
[cdrom]
comment = Samba server's CD-ROM
writable = no
locking = no
path = /mnt/cdrom
public = no
root preexec = /bin/mount /mnt/cdrom
root postexec = /bin/umount /mnt/cdrom
[etc]
comment = Linux setup files in /etc
public = no
path = /etc
# "writeable = yes" and "read only = yes" are opposite settings of the same
# option and Samba keeps whichever comes last, so only the read-only setting
# is kept here
read only = yes
valid users = george mark
[floppy]
comment = Samba server's Floppy Drive
browseable = yes
writeable = yes
path = /mnt/floppy
public = no
root preexec = /bin/mount /dev/fd0 /mnt/floppy
root postexec = /bin/umount /mnt/floppy
Notes:
• The section that allows unix passwords to be synced with samba passwords does not seem to work. This may be because I use shadow passwords.
• To customize samba setups from various machines use the "include = /etc/smb.conf.%m" line.
• To make passwords be sent over the network in encrypted form:
1. In the /etc/smb.conf file add or uncomment the lines:
encrypt passwords = yes
smb passwd file = /etc/smbpasswd
2. Type "smbpasswd -a user" then enter the desired passwords.
Note: If you are not using shadow passwords, there is a way to convert to secure passwords without users knowing it. The command "cat /etc/passwd | mksmbpasswd.sh > /etc/smbpasswd" will create an smbpasswd file. However, if you are using shadow passwords (which you should be), the /etc/passwd file does not contain the information required to set up the password file, and you must still have each user modify their password or do it from root with the "smbpasswd -a username" command. Read the documentation in /usr/doc/samba-x.x.x/docs/textdocs/ENCRYPTION.txt. Be sure your smbpasswd file is only readable and writable by the root user.
• Note: Be sure alias is off so hosts can't fool your machine by aliasing their names.
To deny all hosts access except those you specify, use the following example under [global]:
hosts deny = ALL
hosts allow = 10.1.3.16 10.1.0.100
If you deny hosts, be sure you know what you are doing! The way Microsoft networking works is that a master browser is picked based on an election process from all computers that are running Windows networking. If you deny access to the master browser, you may be unable to browse the network for your computer. Therefore, unless you know what computer will be the master browser and backup browser that you will use for browsing, it may be unwise to use this feature.
The smbusers file
Edit the /etc/smbusers file to map your machine names to Unix user names.
The following file is an example I use:
# Unix_name = SMB_name1 SMB_name2 ...
root = windoze1 windoze2
nobody = guest pcguest smbguest
mark = windoze3
In this case anyone logging in from machines windoze1 or 2 will be mapped as user "root".
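As an added example (not from the tutorial and not Samba's own code), the following Python reads the smb.conf format used above (# and ; comments, [section] headers, "key = value" lines, backslash continuation) together with an smbusers file, and applies the checks the notes above call for: encrypted passwords with an smb passwd file set, a hosts allow/deny policy, shares that are both public and writable, "writeable"/"read only" lines that contradict each other, and smbusers entries that map SMB names to root. All configuration text is constructed for the demonstration.

```python
"""Added example, not from the tutorial or from Samba: a reader for the
smb.conf format shown above plus a few checks taken from the text.
All sample configuration text is constructed."""

SAMPLE_SMB_CONF = """\
[global]
   workgroup = mygroup
   security = user
   encrypt passwords = yes
   smb passwd file = /etc/smbpasswd
   passwd chat = *New*UNIX*password* %n\\n \\
      *passwd:*all*authentication*tokens*updated*successfully*
   admin users = root
[tmp]
   comment = Temporary file space
   path = /tmp
   read only = no
   public = yes
[etc]
   comment = Linux setup files in /etc
   writeable = yes
   path = /etc
   read only = yes
   valid users = george mark
"""

SAMPLE_SMBUSERS = """\
# Unix_name = SMB_name1 SMB_name2 ...
root = windoze1 windoze2
nobody = guest pcguest smbguest
mark = windoze3
"""

WRITE_SYNONYMS = ("writeable", "writable", "write ok")

def is_true(value):
    """Samba boolean: yes/true/1 are true, anything else is false."""
    return value.strip().lower() in ("yes", "true", "1")

def parse_smb_conf(text):
    """Return (sections, warnings). sections maps section name -> {key: value}
    with keys lower-cased. 'writeable' and its synonyms are folded into the
    inverse 'read only' so that the last setting wins, as in Samba; a warning
    is recorded when a later line reverses an earlier one in the same share."""
    sections, warnings, current, pending = {}, [], None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):                # continuation line
            pending += line[:-1] + " "
            continue
        line, pending = pending + line, ""
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            raise ValueError("not a section or parameter line: %r" % raw)
        key, value = line.split("=", 1)
        key, value = " ".join(key.lower().split()), value.strip()
        if key in WRITE_SYNONYMS:
            key, value = "read only", ("no" if is_true(value) else "yes")
        old = sections[current].get(key)
        if key == "read only" and old is not None and is_true(old) != is_true(value):
            warnings.append("[%s]: read only/writeable set twice; '%s' wins" % (current, value))
        sections[current][key] = value
    return sections, warnings

def audit(sections, warnings, smbusers_text=""):
    """Return the list of findings for a parsed configuration and smbusers file."""
    findings = list(warnings)
    g = sections.get("global", {})
    if not is_true(g.get("encrypt passwords", "no")):
        findings.append("global: encrypt passwords is off; passwords cross the network in clear")
    elif "smb passwd file" not in g:
        findings.append("global: encrypt passwords = yes but no smb passwd file set")
    if "hosts allow" not in g and "hosts deny" not in g:
        findings.append("global: no hosts allow/deny; every reachable host may connect")
    if "admin users" in g:
        findings.append("global: admin users = %s act as root on every share" % g["admin users"])
    for name, share in sections.items():
        if name == "global":
            continue
        writable = not is_true(share.get("read only", "yes"))   # Samba default: read only
        public = is_true(share.get("public", share.get("guest ok", "no")))
        if public and writable:
            findings.append("[%s]: guest access and write access are both enabled" % name)
    for raw in smbusers_text.splitlines():
        line = raw.split("#", 1)[0]
        if "=" in line and line.split("=", 1)[0].strip() == "root":
            names = line.split("=", 1)[1].split()
            findings.append("smbusers: SMB names %s log in as root" % ", ".join(names))
    return findings

def audit_text(conf_text, smbusers_text=""):
    sections, warnings = parse_smb_conf(conf_text)
    return audit(sections, warnings, smbusers_text)

if __name__ == "__main__":
    for finding in audit_text(SAMPLE_SMB_CONF, SAMPLE_SMBUSERS):
        print(finding)
```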
The lmhosts file
You may want to edit the /etc/lmhosts file depending on how you are providing your Samba name services. Below is an example:
127.0.0.1 localhost
10.1.0.100 mymachine
10.1.3.16 george
This file may be used by the system to get IP addresses from host names. It may not be necessary for you to configure this file. You may need it if you do not have a DNS server available or your DNS server is not configured properly. If you get a message like "Resource is unavailable" you should try creating this file.
Upon completion
You will need to issue the following commands to complete the setup of Samba services:
1. Enter the users' passwords with the command "smbpasswd -a user". This command is used to enter passwords for your users and is required for each user if you are using encrypted passwords which should be the case.
2. If running the startup daemons, use one of the following choices of "samba restart", "samba start", "/etc/rc.d/init.d/smb restart", or "/etc/rc.d/init.d/smb start". Don't forget to set your startup services in Redhat's linuxconf program to run Samba services the next time you boot your system.
3. If running Samba from inetd, start it with "killall -HUP inetd".
Examples of commands you may need or want to use
testparm | more - To see the results of your changes. You may have to restart inetd (below).
smbpasswd -a user - To set Samba passwords. See the smbpasswd(8) man page for more information.
samba restart - To restart the Samba services when running through the startup scripts, so that changes take effect. You can use start, stop, or status to start, stop, or see the status of the service, respectively.
/etc/rc.d/init.d/smb restart - The same as the "samba restart" command, but this command directly invokes the Samba startup script.
smbclient -L mymachine - To list what services are running under Samba.
smbmount - Used to mount volumes from Windows machines.
killall -HUP inetd - To restart the inetd daemon and therefore allow new settings for this daemon or any subdaemon to take effect. You will use this command only if you run Samba using the inetd daemon.
Common Pitfalls
Many times those setting up Samba services will either have trouble browsing for their computer on the network or logging in. Below I have listed some possible reasons for these problems and what you should check:
• Unable to browse:
1. Check to be sure the name of your workgroup is correct in the /etc/smb.conf file with the statement "workgroup = mygroup".
2. Check to be sure the line "browseable = yes" is included in the [global] section of /etc/smb.conf.
3. You may need to set up the lmhosts file if you do not have a DNS server or your DNS server is not configured with your samba server IP address and name.
4. Type "ps -ax | grep smb" and you should see a line like "784 ? S 0:00 smbd -D". If you don't, your services are not running and you should start them.
5. If you are attempting to run Samba services from inetd using the inetd.conf file, run Samba as a startup service and see if that fixes the problem.
• Unable to login with the system producing a message saying the password is incorrect.
1. Check the log files in the /var/log/samba directory. First look for a file "log.machinename" where machinename is the name of the machine you are logging in from. You can "cat log.machinename" or use less or more to see the file.
2. Be sure your user mapping is correct.
1. Be sure the line "username map = /etc/smbusers" is included in the /etc/smb.conf file. Also check the log.smb file.
2. Be sure the file /etc/smbusers contains line(s) like "unixuser = windozemachine1 windozemachine2 winuser1 winuser2 ...". The Unix user is normally the name of the equivalent user you want to log in as, such as root. I always put the machine name and all Windows user names in the file to be sure that whether the login is by machine name or Windows user name, it will be translated to a Unix user name. Normally it is the Windows user name. You will find out by examining the file "log.machinename".
3. Be sure you are logging in using encrypted passwords from both the Linux and windows sides.
1. Be sure the lines "encrypt passwords = yes" and "smb passwd file = /etc/smbpasswd" are in the /etc/smb.conf file and are not commented out with a ';' or '#' character in front of the line.
2. Be sure you have added the users you are trying to log in as with the "smbpasswd -a user" command where user is the name of the Linux user you want to log in as. For instance the command is "smbpasswd -a root" to set the password up for the root user.
3. Be sure Windows 95 is sending encrypted passwords. There is an upgrade patch for Windows 95 from Microsoft to make this change. This is only necessary for old versions of Windows 95. Windows 98, NT, 2K all send encrypted passwords by default. Therefore unless you are using one of the first versions of Windows 95 that came out, you should not have this problem.
Be sure you restart Samba every time you make a change to the /etc/smb.conf file to put your changes into effect.
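The checklist above can be mechanised. The following added example (not code from the original guide or from the Samba project) parses a constructed smb.conf and smbusers file in the format described above, reports which of the checklist settings are missing or commented out, and resolves a Windows user or machine name to the Unix user it would map to; the parser is deliberately simpler than Samba's own.

```python
"""Check the Samba encrypted-password and user-mapping settings from the
troubleshooting checklist.

Added example, not part of the original guide. Both input files below are
constructed samples in the format the text describes; Samba's real parser
accepts more than this one, which only covers the checklist items.
"""
import re

# Constructed sample smb.conf. The "smb passwd file" line is commented out
# with ';', which the checklist says must not be the case.
SMB_CONF = """\
[global]
   workgroup = MYGROUP
   username map = /etc/smbusers
   encrypt passwords = yes
;  smb passwd file = /etc/smbpasswd
   log file = /var/log/samba/log.%m

[homes]
   comment = Home Directories
   browseable = no
"""

# Constructed sample smbusers: "unixuser = smbname1 smbname2 ..."
SMBUSERS = """\
# Unix_name = SMB_name1 SMB_name2 ...
root = administrator admin windozemachine1
nobody = guest pcguest smbguest
mark = MARKS-PC "Mark Smith"
"""


def parse_smb_conf(text):
    """Return {section: {parameter: value}}; lines starting ';' or '#' are skipped."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue                      # blank or commented out
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        # Samba ignores case and surplus whitespace in parameter names.
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def parse_smbusers(text):
    """Return {smb_name_lowercase: unix_user} from smbusers lines."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        unix_user, names = line.split("=", 1)
        # Names containing spaces are double quoted in smbusers.
        for quoted, bare in re.findall(r'"([^"]+)"|(\S+)', names):
            mapping[(quoted or bare).lower()] = unix_user.strip()
    return mapping


def check_encrypted_password_setup(conf):
    """Return the checklist items that fail; an empty list means all are set."""
    g = conf.get("global", {})
    problems = []
    if g.get("encrypt passwords", "").lower() not in ("yes", "true", "1"):
        problems.append('"encrypt passwords = yes" missing from [global]')
    if "smb passwd file" not in g:
        problems.append('"smb passwd file" missing or commented out in [global]')
    if "username map" not in g:
        problems.append('"username map = /etc/smbusers" missing from [global]')
    return problems


def resolve_unix_user(smbusers, login_name):
    """Map a Windows user or machine name to a Unix user (case-insensitive)."""
    return smbusers.get(login_name.lower())


if __name__ == "__main__":
    for problem in check_encrypted_password_setup(parse_smb_conf(SMB_CONF)):
        print("PROBLEM:", problem)
    users = parse_smbusers(SMBUSERS)
    print("Administrator ->", resolve_unix_user(users, "Administrator"))
```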
Mounting and getting Windows files from Linux after Samba is installed
There are two programs supporting file services from Windows:
1. smbmount - Allows a shared directory on a Windows machine to be mounted on the Linux machine.
2. smbclient - Works similarly to an ftp client, enabling the user to transfer files.
smbmount //winhost/windows /mnt/name_windows -c mylinuxmachine
This command mounts the directory "windows" shared by the Windows computer "winhost" at /mnt/name_windows on the Linux machine named "mylinuxmachine". The directory "windows" must have sharing enabled for this to work. To unmount:
smbumount /mnt/name_windows
The smbclient program works with the following syntax:
smbclient //winmachine/dirsharename -s /etc/smb.conf
The winmachine is the NetBIOS name of the serving machine with the shared resource on it.
The dirsharename is the share name of the directory
The "-s /etc/smb.conf" indicates the path of the samba configuration file.
After entering the above command you will get a password prompt. If no password is required, press "return", otherwise enter the required password. Upon successful login you can look at the directory with the "dir" command. Below are some available commands:
• dir - directory
• get remotefile localfile
• cd - Change directory
• exit, q, or quit - To exit the program
• help - for help information
• mkdir - make directory
See the man page on smbclient for a full set of commands. Note: I've had trouble getting this program to work with windozeNT.
Some notes on the smb.conf file format
Variables as found in the smb.conf file are as follows:
• %a - The architecture of the client machine such as Samba, WfWg, WinNT, Win95
• %d - The PID of the server process.
• %g - The group ID of the service's username (The name the client got)
• %G - The group ID of the session requested username
• %h - The internet (DNS) samba server host name.
• %H - The user's home directory.
• %I - The client machine's IP address.
• %L - The NetBIOS server name
• %m - The NetBIOS client name
• %M - The internet (DNS) client host name.
• %n - .
• %N - NIS home directory server name.
• %p - The path of the service's home directory from NIS auto.map.
• %P - The current services' root directory.
• %R - The protocol level. CORE, COREPLUS, LANMAN1, LANMAN2, or NT1.
• %S - The name of the current service.
• %T - The current date and time.
• %u - The client's username
• %U - The username the client wanted.
• %v - Samba version number.
There are many global and service parameters defined in the smb.conf file. Read the man page on smb.conf for a complete list. Here is a list of a few global parameters:
• auto services - Directories automatically visible to all users browsing the network.
• bind interfaces only - Limits the interfaces to serve samba requests.
• deadtime - The timeout for inactive connections
• debug level - The level of messages for logging.
• default service - The service to connect to if the service requested cannot be found. EX:
default service = docs
[docs] path = /%S
• directory mask - Octal file settings used to convert DOS modes to UNIX modes when creating directories.
• directory security mask - Controls the file permissions that can be modified by Windows clients.
• dns proxy - Specifies that the nmbd daemon, if running as a WINS server, should treat unknown names as DNS names and do a DNS lookup.
• lock directory - The path of the directory where lock files are stored.
• message command - Samba's command to run in response to WinPopup messages.
• name resolve order - The query order for resolution of name to IP addresses. Values are bcast, hosts, wins and lmhosts.
• netbios aliases - Other names the samba server is called and will answer to.
• netbios name - The samba server's netbios name.
• smb passwd file - The path for the encrypted Samba password file.
• smbrun - The path of the smbrun program used to execute shell commands for the samba daemon.
• socket address - Controls the address on which Samba will listen for connections.
• syslog - Sets the threshold for sending messages to syslog
• syslog only - Use syslog rather than samba log files
SWAT configuration
SWAT allows an administrator to configure the smb.conf file using a web browser. To use it you need to do the following:
1. Add the following line to your /etc/services file:
swat 901/tcp # Swat Samba configuration services
2. Add the following line to your /etc/inetd.conf file:
swat stream tcp nowait.400 root /usr/sbin/swat swat
3. Type "killall -HUP inetd" to reload the inetd.conf file.
4. On your local machine, address your web browser to http://localhost:901/
5. If you connect over the network from a remote machine, be aware that your password will be sent in the clear.
6. SWAT will rewrite your smb.conf file and remove comments. Back up your smb.conf file before using SWAT.
For more information on NetBIOS, WINS, SMB, and NBNS (NetBIOS Name Server) read "The CTDP Networking Guide".
Linux Identd (auth)
The identd daemon or service returns user information to a remote host that a user is requesting a service from. This service is misunderstood by many who seem to think that it is used for some kind of user authorization. It is a good idea to support this service which uses port 113. Some remote systems could require it in order to receive requested services. As a system administrator, it can help you identify users who are abusing systems. The identd(1) and authuser(3) man pages give more information about the subject.
Linux X Configuration
Installation
If installing X, install it in "/usr/X11R6/…".
Configuration Files
/etc/X11/XF86Config
This file has the following sections. They are Files, ServerFlags, Keyboard, Pointer, Monitor, Device (may be more than 1), and Screen (may be more than 1).
Files, Keyboard and Pointer Sections:
The files section sets up the paths for X to use for files that specify screen colors and fonts. If the directory specified here doesn't exist or is empty XFree86 will crash or generate error messages. The "Keyboard" section specifies the keyboard protocol, usually standard, and key repeat rates. The "Pointer" section includes a Protocol and Device line. The device is the mouse device such as /dev/mouse (This may be a softlink to another device). The Protocol is one of BusMouse, Logitech, Microsoft, MMSeries, Mouseman, Mousesystems, PS/2, or MMHitTab.
The monitor section:
In the monitor section the Identifier can be any unique identifier string to identify that particular monitor. The VendorName and ModelName are for reference. The HorizSync is in kHz and may be one number, multiple numbers separated by commas, or a range. Ex: 30-54. Ex: 31.5, 35.2. VertRefresh is in Hz and can be specified similarly to HorizSync. VertRefresh and HorizSync specify the valid rates for your monitor. An example "Modeline" is shown below:
Modeline "1024X768" 65.00 1024 1032 1176 1344 768 771 777 806 -hsync -vsync
The name is "1024X768", an arbitrary string used to refer to the modeline in the screen section.
The dot-clock is 65.00 which is the video card's driving clock frequency in MHz for that resolution mode. It is the rate that the video card should send pixels to the monitor for that screen mode.
The next four numbers 1024, 1032, 1176, and 1344 are the horizontal values and the last four are the vertical values. These values specify when the monitor should fire its electron gun and when the horizontal and vertical sync pulses occur.
Read the file /usr/X11R6/lib/X11/doc/VideoModes.doc. It explains how to configure this section. Also, the file, Monitors shows examples of modelines for specific monitors.
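As an added example not found in the original guide, the following code works out the scan rates a Modeline implies (horizontal rate = dot clock / horizontal total, vertical rate = horizontal rate / vertical total, adjusted for Interlace and DoubleScan) and checks them against HorizSync and VertRefresh limits written the way the text describes; the second modeline and the monitor limits are constructed values.

```python
"""Compute the scan rates a Modeline implies and check them against the
monitor section's HorizSync / VertRefresh limits.

Added example, not from the original guide. The first modeline is the one
from the text; the second and the monitor limits are constructed.
"""
import re

MODELINES = """\
Modeline "1024X768" 65.00 1024 1032 1176 1344 768 771 777 806 -hsync -vsync
Modeline "1280x1024" 135.00 1280 1296 1440 1688 1024 1025 1028 1066 +hsync +vsync
"""

# Constructed monitor limits, in the forms the text allows (kHz and Hz).
HORIZ_SYNC = "30-54"
VERT_REFRESH = "50-90"

# name, dot clock, 4 horizontal values, 4 vertical values, optional flags
MODELINE_RE = re.compile(
    r'\s*Modeline\s+"([^"]+)"\s+([\d.]+)' + r"\s+(\d+)" * 8 + r"\s*(.*)$",
    re.IGNORECASE)


def parse_range_list(spec):
    """Turn "30-54" or "31.5, 35.2" into a list of (low, high) pairs."""
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        if "-" in item:
            lo, hi = item.split("-", 1)
            ranges.append((float(lo), float(hi)))
        else:
            ranges.append((float(item), float(item)))
    return ranges


def in_ranges(value, ranges, tolerance=0.5):
    """True if value lies inside any range, allowing a small tolerance."""
    return any(lo - tolerance <= value <= hi + tolerance for lo, hi in ranges)


def parse_modeline(line):
    """Return the fields of a Modeline, or None if the line is not one."""
    m = MODELINE_RE.match(line)
    if not m:
        return None
    f = m.groups()
    flags = f[10].lower().split()
    return {
        "name": f[0],
        "dot_clock_mhz": float(f[1]),
        "htotal": int(f[5]),          # HDisp HSyncStart HSyncEnd HTotal
        "vtotal": int(f[9]),          # VDisp VSyncStart VSyncEnd VTotal
        "interlace": "interlace" in flags,
        "doublescan": "doublescan" in flags,
    }


def scan_rates(mode):
    """Return (horizontal rate in kHz, vertical refresh in Hz)."""
    hsync_khz = mode["dot_clock_mhz"] * 1000.0 / mode["htotal"]
    vrefresh_hz = hsync_khz * 1000.0 / mode["vtotal"]
    if mode["interlace"]:
        vrefresh_hz *= 2              # two fields per frame
    if mode["doublescan"]:
        vrefresh_hz /= 2              # every line scanned twice
    return hsync_khz, vrefresh_hz


def check_modelines(text, horiz_spec, vert_spec):
    """Return {name: (hsync_khz, vrefresh_hz, within_monitor_limits)}."""
    hr, vr = parse_range_list(horiz_spec), parse_range_list(vert_spec)
    result = {}
    for line in text.splitlines():
        mode = parse_modeline(line)
        if mode is None:
            continue
        h, v = scan_rates(mode)
        result[mode["name"]] = (round(h, 2), round(v, 2),
                                in_ranges(h, hr) and in_ranges(v, vr))
    return result


if __name__ == "__main__":
    for name, (h, v, ok) in check_modelines(MODELINES, HORIZ_SYNC, VERT_REFRESH).items():
        print(f'{name:12} {h:6.2f} kHz {v:6.2f} Hz  {"ok" if ok else "OUT OF RANGE"}')
```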
The device section:
This section describes video cards. The Identifier, VendorName, BoardName and optional Chipset are strings and are only used for identification. The VideoRam specifies the amount of video memory in kilobytes. The data in Clocks should come from the video board manual. The file Devices in the documentation section should help with device setup. If your video card is found in the Devices file, that section may be copied into the XF86Config file. Note: Sometimes the card may use a programmable clock chip, in which case there may be a line specifying "ClockChip" rather than "Clocks". Some cards may specify a "Ramdac" line. Some video cards also require other special options using an "Option" line. These options are described in the README file for the particular chipset.
The screen section:
The "Screen" section is where you specify which XFree86 server (the Driver line) is used and which Device and Monitor it drives.
EX:
Section "Screen"
    Driver "accel"
    Device "Actix GE32+ 2MB"
    Monitor "Generic Monitor"
    SubSection "Display"
        Depth 8
        Modes "640x480"
        ViewPort 0 0
        Virtual 1280 1024
    EndSubSection
    SubSection "Display"
        Depth 16
        Weight 565
        Modes "640x480"
        ViewPort 0 0
        Virtual 1024 768
    EndSubSection
EndSection
The values for driver can be Accel, SVGA, VGA16, VGA2, or Mono. Accel supports XF86_S3, XF86_Mach32, XF86_Mach8, XF86_8514, XF86_P9000, XF86_AGX, and XF86_W32 servers. SVGA supports the XF86_SVGA server. The driver specifies the X server to use.
Depth sets the number of bits per pixel. Modes lists the video mode names defined by the ModeLine entries in the Monitor section. The Virtual option specifies the virtual desktop size. Use this if you have enough RAM on the video card but a monitor that won't support the greater resolution. ViewPort defines the coordinates of the upper left corner of the virtual desktop when XFree86 starts. In the Screen section, the driver name indicates the type of X server you are running. The X server is the program that drives your monitor, mouse, and keyboard, regardless of the platform or location. It could be running on the same machine, on another machine on a network, or on a serial port. For example, if I am running the SVGA server program (XF86_SVGA), the Screen section that applies is the one labeled as follows:
Driver "svga"
I believe the X server program that runs is determined by the "xserverrc" file either in the user's home directory or in the directory "/usr/X11/xinit/". I do not believe this is used anymore since the Xwrapper program is set up to be the X server program on current systems. If it is used, it is used to pass parameters to the Xwrapper program. On my system the X server falls through to the default "X" file which is a link to the Xwrapper program. See the "How Linux Works CTDP Guide" for more information.
You can use Ctrl-Alt-+ to change the resolution. X starts with the poorest one you select (by default), you can change that manually by editing /etc/X11/XF86Config.
Configuration tools:
Programs to configure X are:
• XF86Setup - A newer X configuration program with a GUI interface which modifies the "/etc/X11/XF86Config" configuration file.
• xf86config - An older X configuration program with a text based interface. It also modifies the "/etc/X11/XF86Config" configuration file.
• Xconfigurator - The Redhat tool used during system setup to configure X.
• xvidtune - This program will test video modes on the fly without modification to your X configuration. Read the /usr/X11R6/lib/X11/doc/VideoModes.doc file before running this program.
• SuperProbe - A program that probes the video card to determine its type for use with setting up X.
The programs reside in "/usr/X11R6/bin" and "/usr/bin/X11". The programs XF86Setup, xf86config, and Xconfigurator modify the "/etc/X11/XF86Config" configuration file. XF86Setup is the newer configuration program with a GUI interface and xf86config is older with a text based interface. I advise users to use XF86Setup when possible, but use xf86config when they have problems with XF86Setup. To get it configured, you must provide information about your keyboard, mouse, video card and monitor. You must also select a screen resolution mode. Usually if you can't find a configuration for your video card you can select a generic driver such as SVGA. Later to improve performance, you may want to make manual modifications to your configuration with settings that more closely match your video card. The main information about your video monitor includes the maximum vertical and horizontal scan rates. You will want to refer to your monitor's manual for this information. If you have problems with X and it won't work, one thing to try is reducing your video mode from a higher to lower resolution. Ex: Change from 1200X1024 to 800X600. Usually if you can't use higher resolution it is due to monitor scan frequencies. Your video card memory determines a combination of your maximum resolution and maximum colors. For example 1200X1024 with 65535 colors requires 1200 times 1024 times 2 bytes of video memory which is 2.4576 M of video memory. Your video card needs 4M to run this mode.
A handy program for determining your video card type and video RAM is "SuperProbe". This program could crash your system, but should do no harm, other than having to reboot and clean the system. It is recommended that you backup your files prior to running this program, however.
The program xvidtune will let you test video modes on the fly without modification to your X configuration. Read the /usr/X11R6/lib/X11/doc/VideoModes.doc file before running this program.
The instructions for configuring X are spread out over several text files. Check the README, VideoModes.doc, README.Config, and README.Linux. Read the man pages for Xconfig, XF86Config, XFree86, and Xfree86kbd. Many documentation files for various packages are in "/usr/doc". Many of these files are too in depth for the average user and describe many X Consortium standards.
Running in terminal mode in run level 5:
You can set the runlevel in the "/etc/inittab" file to runlevel 5, which means you will have the X font server running. This way you can provide remote services in X to other machines. If you want to boot into terminal mode, however, you must modify the file "/etc/X11/xdm/Xservers". Comment out the line that shows:
:0 local /usr/X11R6/bin/X
To provide X services to a remote boot machine according to the Linux Terminal Server Project (LTSP):
Modify the file /etc/rc.d/init.d/xfs. Modify two lines around 22 and 41:
Redhat 6.0
Change the lines that start with to
Redhat 6.1
Change the lines that start with "daemon xfs -droppriv -daemon -port -1" to "daemon xfs -droppriv -daemon -port 7100".
Change the file /etc/X11/XF86Config:
Change the line to
Change the file /etc/X11/xdm/Xaccess at line 40
# * #any host can get a login window
Remove the first # to enable remote workstation access.
Configuring the Xresources file
In the script file xinitrc explained in the section on "How X works" in the "How Linux Works" manual is a line like:
userresources=$HOME/.Xresources
There is also a line like:
sysresources=/etc/X11/xinit/Xresources
These resource files are made available to the system with lines like:
xrdb -merge $sysresources
xrdb -merge $userresources
This section briefly explains the format of the Xresources file. Each X application belongs to an application class. Applications use resources such as background, foreground, font, and geometry. The X programs may have their own resources. The manual page for X programs specify which resources they use. Resources are also arranged into classes. A resource line in the Xresources file is in the form:
(ApplicationClass or ApplicationName)*(ResourceClass or ResourceName) : value
The xterm program belongs to the XTerm class.
A sample Xresources file follows:
! Defaults
XTerm*Foreground: white
XTerm*Background: blue
Clock*Geometry: 80x80+10+10
! Specifics
xterm-1*background: black
Linux X Use
Entering and exiting Linux Xwindows
startx - To enter xwindows
CTRL-ALT-BS - To exit xwindows quickly
Depress the left mouse button on the desktop to get a menu to let you exit for some windows managers.
X Windows is usually started by typing "startx". To find out where the startx script file used for this process is, type "which startx". Then you can look at the script file using "less". In the script file there is a statement near the top like "sysclientrc=/usr/X11R6/lib/X11/xinit/xinitrc" which tells you where the initrc file is. The user configuration file will be in /home/your user name/.xinitrc. At the bottom of the file /usr/X11R6/lib/X11/xinit/xinitrc there is a statement like "exec fvwm" which tells the program to execute your window manager. This may be inside an if statement that checks for the existence of the user's preferred window manager, or for the existence of a particular manager, then tries others in series when the first listed is not available. To modify the X window manager for the user, you need to copy the xinitrc file to /home/your user name/.xinitrc and modify it.
.Xresources
.Xmodmap
A current list of good windows managers:
• fvwm95
• OLVWM
• wmaker - window maker
• CDE
• wm2
• KDE - The K desktop environment
• gnome
• The program xfs is the xfont server
• The program xdm is an X Display Manager
How to set up X managers for different users
To set your preferred window manager, on Redhat and possibly other systems, make a file, /etc/sysconfig/desktop, and put the string "KDE" or "GNOME" in it depending on the preferred system wide X manager. However this will not allow users to select their own favorite window manager. Note: This is exclusive of users who are running remote X services such as VNC as explained in "The CTDP Linux User's Guide". To allow users to select their own manager independent of system settings do the following:
1. Copy the file "/etc/X11/xinit/Xclients" to the user's home directory, renaming it with a period as its first character:
cp /etc/X11/xinit/Xclients /home/username/.Xclients
2. Modify the following lines in /home/username/.Xclients from:
if [ -f /etc/sysconfig/desktop ]; then
    if [ -n "`grep -i GNOME /etc/sysconfig/desktop`" ]; then
        PREFERRED=gnome-session
    elif [ -n "`grep -i KDE /etc/sysconfig/desktop`" ]; then
        PREFERRED=startkde
    elif [ -n "`grep -i AnotherLevel /etc/sysconfig/desktop`" ]; then
        PREFERRED=AnotherLevel
    fi
fi
to:
if [ -f $HOME/.desktop ]; then
    if [ -n "`grep -i GNOME $HOME/.desktop`" ]; then
        PREFERRED=gnome-session
    elif [ -n "`grep -i KDE $HOME/.desktop`" ]; then
        PREFERRED=startkde
    elif [ -n "`grep -i AnotherLevel $HOME/.desktop`" ]; then
        PREFERRED=AnotherLevel
    fi
fi
3. Make a file, $HOME/.desktop, and put the string "KDE" or "GNOME" in it depending on the user's preferred X manager. The user can do this step.
To remotely use Xwindows from Microsoft Windows
This section describes how to set this up for the MI/X server program to run on windows. I have not been able to get this server to run with KDE or gnome, and many graphic images do not seem to work with it. See the section on using X remotely for a better solution. This section is still here for anyone who wants to experiment with it.
1. Get a copy of an X windows server program for windows such as MI/X for windows from MicroImages at http://www.microimages.com.
2. Install the package according to instructions on your windows box.
3. Set up a shortcut to MI/X to run XS.EXE on the windows box.
4. Invoke the shortcut to begin the Xwindows server program.
5. Telnet to your linux box from your windows box
6. Type "fvwm -display mark:0 &" where "mark" is the name of your Windows box.
Tips
• To exit X Windows quickly, or if the video is working improperly, use the Ctrl-Alt-BS key combination.
• To increase or decrease the graphics mode use Ctrl-Alt-<+> or Ctrl-Alt-<-> respectively. This will toggle through the video modes on the Modes line in the Screen section of the XF86Config file.
• The command "X -showconfig" lists the video chip names known to the X server.
• The command "X -probeonly > /tmp/test.out 2>&1" lists supported chipsets and other useful information.
• The command "X > /tmp/test.out 2>&1" runs X bare. Use Ctrl-Alt-BS key combination, then examine the contents of the output file to help debug X startup problems.
Using Linux X Remotely
If you want to display an X session on a windows 95/98/NT/2000/xxx computer from a Linux computer, do the following:
1. Go to the website http://www.uk.research.att.com/vnc and download a minimum of:
1. vnc_latest_doc.tgz or vnc_latest_doc.zip
2. vnc-3_3_3_x86_linux_2_0.tgz
3. vnc-3_3_3r2_x86_win32.zip
You may want to retrieve other files such as "vnc-3_3_3_javasrc.tgz", "vnc-3_3_3_unixsrc.tgz", or "vnc-3_3_3r2_winsrc.zip" if you are interested in source code.
2. On the Linux machine do the following:
1. Put the file
vnc-3_3_3_x86_linux_2_0.tgz
in "/usr/local" or a directory of your choosing.
2. Unzip the file by typing "tar xvzf vnc-3_3_3_x86_linux_2_0.tgz".
3. Type "cd vnc_x86_linux_2.0"
4. Copy or move the following files
1. Xvnc
2. vncpasswd
3. vncserver
4. vncviewer
to the directory "/usr/bin" or an appropriate directory included in your system path.
5. If you want to run a window manager other than "twm", modify the file "xstartup" in your user's home directory, usually "/root/.vnc/xstartup"
1. Comment out the line with a # in front of the line
twm &
2. To run KDE add
startkde &
or to run gnome add
gnome-session &
6. Type "vncserver" and enter the password you will want to use to login from the session display with.
7. If you want the server to be available on the next boot, add the line:
vncserver
To your "/etc/rc.d/rc.local" file or to the users $HOME/.bash_profile.
3. Be aware that putting the "vncserver" line in the rc.local file will activate it at the system or root level. You may note that if you run it this way, the next time you boot, it may ask you to enter a password again. If you want to run the program on a user by user level, you will want to place the above line in the user's home directory in the file ".bash_profile", so they can run it independently of root or the system. If you do this you'll need to modify the above line to be "vncserver :2" and have a different display number assigned to each user. If you don't assign specific display numbers to each user, a different display number will be assigned in the order that users log in, since the program uses the next available display number whenever it is run. The display number is reported to the user when the vncserver program is run. After that you can look for the process name, Xvnc, with "ps -aux | grep Xvnc" to tell what display numbers are valid and which process is owned by which user.
Also, when the user logs off, the vncserver program for that user keeps running. To kill the vncserver program you may want to add the line:
vncserver -kill :2
to the .bash_logout file in the user's home directory. Be sure you use the correct display number in the file. In the example above I used the number 2, but it would need to be the correct number for your user.
4. On the Windows machine:
1. Unzip the file
vnc-3_3_3r2_x86_win32.zip
to a suitable location for temporary storage.
2. Enter the directory "winvnc"
3. Run "setup.exe" by double clicking on the file.
4. Reboot your computer.
5. Run the VNC viewer by selecting "Start", "Programs", "VNC" and "Run VNCviewer".
6. When prompted enter the address or name of the vncserver machine followed by a :screennumber similar to mymachine:1 or 10.1.1.1:1. The last number after the colon is the display number, and the user must enter the correct number to communicate to the correct VNC server program being run for that user on the remote (Linux) computer.
7. When prompted enter your password for access.
To change the password after the program has been installed, use the vncpasswd program. It is also worth noting, that when exiting a remote X session, you are best off to logoff using the normal shutdown procedure accessed from the start button rather than just clicking the X in the upper right corner of the session window. You are less likely to have system problems this way.
Linux X Documentation
There is so much documentation on X on your computer that it is necessary to devote a separate section to it. There are many protocols that support X and many Specifications and Manuals that describe them. There is documentation in /usr/X11R6/lib/X11/doc. Much of this documentation relates to video card support along with mouse support. Read the file README.Config. Under the directory "/usr/doc" there are several X related packages, including XFree86-doc-3.3.5, XFree86-xfs-3.3.5, Xconfigurator-4.2.8, xfm-1.3.2, and many including X managers such as gnome. The directories XFree86-ISO8859-x-x.x.x describe international standards for managing characters for other languages. Chances are you won't need to worry about those files.
XFree86-doc-3.3.5 includes:
• BDF - Bitmap Distribution Format. An X Consortium standard for font exchange. Types of statements are STARTFONT, COMMENT, FONT, SIZE, FONTBOUNDINGBOX, STARTPROPERTIES, ENDPROPERTIES, CHARS, ENCODING, SWIDTH, DWIDTH, BBX, ATTRIBUTES, BITMAP, ENDFONT.
• CTEXT - Compound Text Encoding. A format for multiple character set data such as multi-lingual text.
• DPMX - X Display Power Management Signaling (DPMS) Extension. Provides X Protocol control over the VESA DPMS characteristics of video boards under control of the X window system.
• FSProtocol - X Font Service Protocol – Address multiple font formats across various platforms. I.E. Fonts stored on various computer may not match others.
• ICCM - Inter Client Communications Manual
• ICE - Inter-Client Exchange Protocol
• SM - Session Management Library – Provides a uniform mechanism for users to save and restore their sessions.
• XDMCP - X Display Manager Control protocol. Provides a uniform method for an autonomous display to request login service for a remote host.
• XIE - X Image Extension Protocol
• XIM - X Input Method Protocol. Protocol between IM library and IM (input method) Server for international text.
• XKB -
• XLFD - X Logical Font Description Conventions. Method to determine fonts available on a given server.
Linux Domain Name Service (DNS)
Please note: There is a new program version for DNS called BIND 8. The old version used slightly different setup files such as "named.boot" rather than "named.conf" as in the new version. This is why you may see confusing documentation in books and on the web. I have tried to document BIND 8 here.
DNS and its structure is explained in more detail in the "networking" manual written for this document series. This section explains setup of the name server.
The daemon that provides the service - named
Set up the following files as per this example:
1. /etc/hosts - Local host names.
2. /etc/host.conf - Configures the relationship between DNS and the /etc/hosts file.
3. /etc/resolv.conf - Configures the name resolver for interaction with the domain name server.
4. /etc/named.conf - Defines the main parameters for the name server.
5. /var/named/named.ca - Hints file specified in the /etc/named.conf file.
6. /var/named/named.local - Local hosts file specified in the /etc/named.conf file
7. /var/named/db.10.1.hosts - Reverse zone file (for 1.10.in-addr.arpa) specified in the /etc/named.conf file.
8. /var/named/db.mycompany.com.hosts - Forward zone file (for mycompany.com) specified in the /etc/named.conf file.
Example network used below: domain = mycompany.com; nameserver = mymachine = 10.1.0.100; mail server = mailmachine = 10.1.0.4; Windows box = 10.1.3.16.
• File: /etc/hosts
127.0.0.1 localhost localhost.localdomain
10.1.0.100 mymachine.mycompany.com mymachine
• File: /etc/host.conf
order hosts, bind
multi on
nospoof on
alert on
The line "nospoof on" checks for IP address spoofing and "alert on" will send a warning if an attempt to spoof is detected. The order command specifies that when the client is resolving names it should first look in the /etc/hosts file, then use BIND 8 (DNS) to resolve the name. Another valid option for the order command is nis, which stands for Network Information Service, created by Sun. The line "multi on" specifies that all valid addresses for a host found in the hosts file should be returned. This means that the same host name will be returned for a machine that has more than one network address, such as a machine that interfaces to two or more networks. For example I have a machine interfacing to network 192.168.199.0 at IP address 192.168.199.1 and the other interface is on network 10.1.0.0 at IP address 10.1.1.100. It allows both networks to refer to the machine with the same name.
• File: /etc/resolv.conf
domain mycompany.com
search mycompany.com mynet.net
nameserver 127.0.0.1
nameserver 10.1.0.100
Commands:
• search - Specifies domain names used to expand a host name prior to sending the DNS query to the nameserver. The search list may contain up to 6 domain names, each separated by whitespace. The "mynet.net" shown above is only used for an example and is not normally included.
• nameserver - Up to three nameserver commands may be used. Each nameserver command specifies an IP address of a nameserver that can be used to answer name queries.
• domain - The name of the local domain which is used to expand the host name before sending the query to the name server. If no domain is specified, the value in the search command is used.
• File /etc/named.conf. - This file replaces named.boot in the old configuration. The first two zones need to be defined for all servers and if they are the only ones defined, the result would be a caching only nameserver. In each of the rest of the zones your server can be designated as a master or a slave for that zone.
// generated by named-bootconf.pl
options {
    directory "/var/named";
    /*
     * If there is a firewall between you and nameservers you want
     * to talk to, you might need to uncomment the query-source
     * directive below. Previous versions of BIND always asked
     * questions using port 53, but BIND 8.1 uses an unprivileged
     * port by default.
     */
    // query-source address * port 53;
};
zone "." {
    type hint;
    file "named.ca";
};
zone "0.0.127.in-addr.arpa" {
    type master;
    file "named.local";
};
zone "1.10.in-addr.arpa" {
    type master;
    file "db.10.1.hosts";
    allow-transfer { 127.0.0.1; };
};
zone "mycompany.com" {
    type master;
    file "db.mycompany.com.hosts";
    notify yes;
    allow-transfer { 127.0.0.1; };
};
Commands:
• acl - A named IP address control list for access control
• include - Allows an additional file to be included in this configuration file.
• key - Security key for authentication and authorization.
• logging - Determines where DNS logging is stored and what events are logged.
• options
o directory - Defines the directory all files are to be found in.
o forwarders - Forward first and forward only are the two choices. Forward first is the default which causes the server to forward queries not in its own cache to specific servers (forwarders) before querying any external server. Forward only means the query is only sent to the forwarders.
• server - Gives characteristics of a remote server.
o bogus - yes or no (default). Mark it bogus if it is sending bad data.
o support-ixfr
o transfers - Not yet used but will limit number of concurrent in bound zone transfers.
o transfer-format - one-answer or many-answers. Many answers works for bind 8.1 and above and is more efficient.
o keys - Used to identify a key defined by the key statement
• zone - Parts of the network (zones) which are to be serviced by the nameserver.
o allow-transfer - Specifies the hosts allowed to receive zone transfers from the server. A transfer specification in a zone statement overrides the global allow-transfer statement.
o allow-update - Specifies hosts that are allowed to send DNS updates to the server. No updates are allowed from any hosts as a default.
o also-notify - Allows nameservers not in the zone's NS records to receive a DNS NOTIFY message when zone information is updated.
o dialup - yes or no
o type - Defines the type of nameserver for this zone. Choices:
master
slave
hint - Specifies the initial set of nameservers for the root zone.
forward - Directs all queries to other servers
stub - Replicates only the NS records of a master zone instead of the entire zone but otherwise is like a slave.
o file - Defines the file name that will provide information for this zone.
o masters - Defines the master server(s) for the zone when this server is a slave for it. Syntax: "masters { 192.168.1.6; };"
o notify - Options are "notify no" or "notify yes" which determines if slave servers will be notified immediately when the zone information is updated. Notify yes is the default.
There are many more options associated with this file. For more information, read the BIND configuration file guide for BIND version 8 or higher. The option "allow-transfer", above, limits DNS zone transfers to the loopback address. If there were a slave nameserver, its IP address should be listed here. With allow-transfer set this way, other machines cannot pull a full copy of the zone. This limits the effectiveness of IP spoofers and spammers.
• File: /var/named/named.ca (if you have one, don't modify unless you have to). This is the hints file that helps the name server locate root nameservers at startup.
Some documentation says to modify the line "A.ROOT-SERVERS.NET." to put your Linux box address:
A.ROOT-SERVERS.NET. 3600000 A 10.1.0.100
but this is not correct. Some versions of the name server will generate error messages in /var/log/messages if this is done.
I use:
; This file holds the information on root name servers needed to
; initialize cache of Internet domain name servers
; (e.g. reference this file in the "cache ."
; configuration file of BIND domain name servers).
;
; This file is made available by InterNIC registration services
; under anonymous FTP as
; file /domain/named.root
; on server FTP.RS.INTERNIC.NET
; -OR- under Gopher at RS.INTERNIC.NET
; under menu InterNIC Registration Services (NSI)
; submenu InterNIC Registration Archives
; file named.root
;
; last update: Aug 22, 1997
; related version of root zone: 1997082200
;
;
; formerly NS.INTERNIC.NET
;
. 3600000 IN NS A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 3600000 A 201.12.27.33
;
; formerly NS1.ISI.EDU
;
. 3600000 NS B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET. 3600000 A 128.9.0.107
;
; formerly C.PSI.NET
;
. 3600000 NS C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
;
; formerly TERP.UMD.EDU
;
. 3600000 NS D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET. 3600000 A 128.8.10.90
;
; formerly NS.NASA.GOV
;
. 3600000 NS E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
;
; formerly NS.ISC.ORG
;
. 3600000 NS F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
;
; formerly NS.NIC.DDN.MIL
;
. 3600000 NS G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
;
; formerly AOS.ARL.ARMY.MIL
;
. 3600000 NS H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET. 3600000 A 128.63.2.53
;
; formerly NIC.NORDU.NET
;
. 3600000 NS I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
;
; temporarily housed at NSI (InterNIC)
;
. 3600000 NS J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET. 3600000 A 198.41.0.10
;
; housed in LINX, operated by RIPE NCC
;
. 3600000 NS K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
;
; temporarily housed at ISI (IANA)
;
. 3600000 NS L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET. 3600000 A 198.32.64.12
;
; housed in Japan, operated by WIDE
;
;. 3600000 NS M.ROOT-SERVERS.NET.
;M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
; End of File
The official root nameserver file is available by FTP from ftp.rs.internic.net as /domain/named.root.
• File: /var/named/named.local (should not need to change). Leave it unchanged as:
@ IN SOA localhost. root.localhost. (
1999112701 ; Serial number as date and two digit number YYMMDDXX
28800 ; Refresh in seconds 28800=8H
7200 ; Retry in seconds 7200=2H
3600000 ; Expire 3600000=1 week
86400) ; Minimum TTL 86400=24Hours
@ IN NS localhost.
1 IN PTR localhost.
• Create File: /var/named/db.10.1.hosts: Note: The first 2 lines are to be on one line!! The '\' means continue the line on the next line.
1.10.in-addr.arpa. IN SOA mymachine.mycompany.com.\
root.mymachine.mycompany.com. (
1999112701
10800
3600
604800
86400 ) ;Default TTL
1.10.in-addr.arpa. IN NS mymachine.mycompany.com.
100.0.1.10.in-addr.arpa. IN PTR mymachine.mycompany.com.
4.0.1.10.in-addr.arpa. IN PTR mailmachine.mycompany.com.
16.3.1.10.in-addr.arpa. IN PTR george.mycompany.com.
In the SOA section are five parameters as follows:
1. Serial number (1999112701) - If the slave's copy has a lower serial number than the master's, the slave gets a new copy of this file from the master.
2. Refresh (10800) - The interval in seconds at which the slave compares this file's serial number with the master's.
3. Retry (3600) - The time in seconds the slave should wait before asking again if the master fails to respond to a refresh (SOA request).
4. Expire (604800) - Time in seconds the slave server may keep answering for the zone even though it cannot get an updated zone file.
5. TTL (86400) - The time to live (TTL) in seconds that a resolver will use data received from a nameserver before it will ask for the same data again.
• Create file /var/named/db.mycompany.com.hosts: Note: The first 2 lines are to be on one line!!
mycompany.com. IN SOA mymachine.mycompany.com. root.mymachine.mycompany.com. (
1999112701
10800
3600
604800
86400 )
mycompany.com. IN NS mymachine.mycompany.com.
mycompany.com. IN MX 10 mailmachine.mycompany.com.
mymachine.mycompany.com. IN A 10.1.0.100
mailmachine.mycompany.com. IN A 10.1.0.4
george.mycompany.com. IN A 10.1.3.16
Database Record Description:
• A - Ties a host name with an IP address.
• CNAME - Stands for canonical name which is an alias for a host.
• MX - Mail exchanger. The lower associated number for each given mail server indicates a higher preference to use that server.
• NS - Indicates a name server.
• PTR - Gives the hostname for an IP address.
• SOA - Start of authority shows where the zone's data starts.
• Type "ndc restart" to restart the domain name server
• You can use "nslookup" to test your operations if you want. When in nslookup you should be able to type the name of a machine and get info about it, or type its full address and get information about it. Type "?" for help and "exit" to get out. To start the named daemon in Redhat, you can use the program "linuxconf" and select "Control service activity", then select named and activate it so it will run the next time the system is booted. If you don't have "linuxconf", you would need to activate it in your system's initialization scripts.
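As an added example (not part of the original page), the following Python script cross-checks the two zone files shown above, every A record must have a matching PTR and vice versa, and sanity-checks the SOA timers; the zone text is embedded as a constructed sample copied from those files.

```python
"""Added example (not part of the original page): cross-check the forward and
reverse zone files above and sanity-check their SOA timers."""

# Constructed samples copied from the two zone files shown in this section.
FORWARD_ZONE = """\
mycompany.com. IN SOA mymachine.mycompany.com. root.mymachine.mycompany.com. (
1999112701
10800
3600
604800
86400 )
mycompany.com. IN NS mymachine.mycompany.com.
mycompany.com. IN MX 10 mailmachine.mycompany.com.
mymachine.mycompany.com. IN A 10.1.0.100
mailmachine.mycompany.com. IN A 10.1.0.4
george.mycompany.com. IN A 10.1.3.16
"""

REVERSE_ZONE = """\
1.10.in-addr.arpa. IN SOA mymachine.mycompany.com.\\
root.mymachine.mycompany.com. (
1999112701
10800
3600
604800
86400 ) ;Default TTL
1.10.in-addr.arpa. IN NS mymachine.mycompany.com.
100.0.1.10.in-addr.arpa. IN PTR mymachine.mycompany.com.
4.0.1.10.in-addr.arpa. IN PTR mailmachine.mycompany.com.
16.3.1.10.in-addr.arpa. IN PTR george.mycompany.com.
"""

SOA_FIELDS = ("serial", "refresh", "retry", "expire", "minimum")


def _logical_lines(text):
    """Strip ';' comments and join backslash-continued lines, as a zone file reader would."""
    joined = text.replace("\\\n", " ")
    return [ln.split(";", 1)[0].strip() for ln in joined.splitlines()]


def parse_soa(text):
    """Return the five SOA numbers as a dict, taken from the '( ... )' block."""
    tokens = " ".join(_logical_lines(text)).replace("(", " ( ").replace(")", " ) ").split()
    start = tokens.index("(", tokens.index("SOA"))
    return dict(zip(SOA_FIELDS, (int(t) for t in tokens[start + 1:start + 6])))


def parse_records(text, rtype):
    """Return {owner: rdata} for single-line records of one type (e.g. 'A' or 'PTR')."""
    out = {}
    for ln in _logical_lines(text):
        parts = ln.split()
        if len(parts) == 4 and parts[1] == "IN" and parts[2] == rtype:
            out[parts[0].lower()] = parts[3].lower()
    return out


def ip_to_arpa(ip):
    """10.1.3.16 -> 16.3.1.10.in-addr.arpa. (the owner name of the PTR record)."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


def check_consistency(forward_text, reverse_text):
    """List every A record without a matching PTR and every PTR without a matching A."""
    a_records = parse_records(forward_text, "A")
    ptr_records = parse_records(reverse_text, "PTR")
    problems = []
    for host, ip in sorted(a_records.items()):
        arpa = ip_to_arpa(ip)
        if arpa not in ptr_records:
            problems.append("no PTR for %s (%s)" % (host, ip))
        elif ptr_records[arpa] != host:
            problems.append("PTR %s -> %s does not match A for %s" % (arpa, ptr_records[arpa], host))
    for arpa, host in sorted(ptr_records.items()):
        if host not in a_records or ip_to_arpa(a_records[host]) != arpa:
            problems.append("PTR %s -> %s has no matching A record" % (arpa, host))
    return problems


def check_soa(soa):
    """Timer sanity checks in the spirit of RFC 1912: retry < refresh, expire > refresh + retry."""
    problems = []
    if soa["retry"] >= soa["refresh"]:
        problems.append("retry (%d) should be shorter than refresh (%d)" % (soa["retry"], soa["refresh"]))
    if soa["expire"] < soa["refresh"] + soa["retry"]:
        problems.append("expire (%d) should exceed refresh + retry" % soa["expire"])
    if len(str(soa["serial"])) != 10:
        problems.append("serial %d is not in YYYYMMDDnn form" % soa["serial"])
    return problems


if __name__ == "__main__":
    for label, zone in (("forward", FORWARD_ZONE), ("reverse", REVERSE_ZONE)):
        print(label, parse_soa(zone), check_soa(parse_soa(zone)))
    print(check_consistency(FORWARD_ZONE, REVERSE_ZONE) or "forward and reverse zones agree")
```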
Other notes:
To get it running:
Type "ps ax | more" to see all processes running and look to see if named is one of them.
If it is not running, check whether the service is listed in /etc/services. If not, add the following lines to the file.
nameserver 42/tcp name
domain 53/tcp nameserver
domain 53/udp nameserver
Type "ndc start" or "ndc restart".
Other pertinent files:
/etc/nsswitch.conf - Several system administration database source files are defined here. This is in support of the Network Information System (NIS), which can be used to control many administrative functions on many systems from one location.
Linux DHCP and BOOTP
DHCP Server
There is currently a howto on configuring a DHCP server, but it is three years old; however, the DHCP server version 2.0 or later from the Internet Software Consortium comes with good documentation. There may be some quirks in the install depending on your system and what you are trying to do. My installation is Redhat 6.1 and I will mainly cover that, but will give alternatives that should cover most Linux versions.
Pre-installation and Kernel setup
Before you do an install, or configuration for DHCP you need the following kernel options installed.
1. TCP/IP networking enabled
2. MULTICAST enabled - To check to see if MULTICAST is enabled, type "ifconfig -a". You should see "MULTICAST" listed in your outputs for your ethernet devices.
3. CONFIG_PACKET=y
4. CONFIG_FILTER=y
If you need to re-compile your kernel, follow the instructions in the section on the kernel or the kernel howto. If you make the CONFIG_PACKET and CONFIG_FILTER options modular, you will need to add lines to your /etc/rc.d/rc.local file to load these two modules.
Installation
If you have a relatively modern Linux version, you should already have the dhcpd server program installed on your system. To tell, type "whereis dhcpd"; if you get a dhcpd program listed, usually in /usr/sbin, you should be set for the configuration. If you don't have a modern Linux version, kernel 2.1.x or later, go get one, since support for DHCP can be very hard to do and has bugs on older systems. Also there is better networking support in many areas with newer Linux versions and kernels.
Steps to install:
1. Download the source file from the Internet Software Consortium at http://www.isc.org.
2. Put the file on your system in /usr/local/src.
3. Enter the command "tar xvzf dhcp-2.0.tar.gz" (modify the command for your filename/version). See the section on "Package Installation".
4. Type "cd dhcp-2.0" or the proper name of your directory created by tar.
5. Type "./configure".
6. Type "make". You may want to check the symbolic link "/usr/include/asm" to be sure it is pointing to the correct location for the kernel asm headers. On Redhat 6.1 that location is /usr/src/linux/include/asm. This should appear in a directory listing as:
lrwxrwxrwx 1 root root 24 Dec 17 05:07 /usr/include/asm -> ../src/linux/include/asm
You may need to delete the link and recreate it with the "ln" command using the following commands:
1. cd /usr/include
2. rm asm
3. ln -s ../src/linux/include/asm asm
7. Type "make install". This copies the man pages and binaries to their correct locations.
Configuration
In my configuration, I used my second network interface (eth1) to provide DHCP services to a subnet. You will most likely use eth0, but you will need to substitute your correct network interface in the example.
1. To get the DHCP server to work for windows clients and possible other clients you must add a route to your route table to enable the sending of packets to the IP destination address 255.255.255.255. There are two ways to do this as follows: (pick one)
1. Modify your /etc/sysconfig/static-routes file and add the following line:
eth1 net 255.255.255.255 netmask 255.255.255.255
Notes:
With this entry in static-routes, it does not show up in the Redhat "netconf" configuration tool. I think it is because there is no gateway specified. You could set it up in netconf under "Routing and gateways", "routes to alternate local nets" and set the network to 255.255.255.255, the netmask to the same, with the interface as eth1 (or eth0 or whatever device you are using). It shows up in the static routes file as "any-net 255.255.255.255 netmask 255.255.255.255 gw eth1". However, I'm not sure setting it this way with nettool will work.
To implement this change you will need to do one of the following:
Reboot
Type "/etc/rc.d/init.d/network restart"
Type "route add -host 255.255.255.255 dev eth1"
2. Add the following command to your /etc/rc.d/rc.local file:
route add -host 255.255.255.255 dev eth1
Then reboot or type the same command on the command line.
3. Much documentation says you need to issue the command:
echo 1 >/proc/sys/net/ipv4/ip_bootp_agent
This command does not work for me on Redhat 6.1. This is because the permissions on the /proc files and in particular the /proc/sys directory will not allow write permission, even to root. This may be because kernel variables are stored here. I think this command is only needed for version 2.1.x kernels and is not needed for 2.2 version or higher kernels. My system works without it and I run kernel 2.2.14.
4. Issue the command "touch /var/state/dhcp/dhcpd.leases". This will create an empty leases file which is required to run the dhcpd program.
5. Create a /etc/dhcpd.conf file similar to the following:
subnet 192.168.199.0 netmask 255.255.255.0 {
    # --- default gateway
    option routers 192.168.199.1;
    option subnet-mask 255.255.255.0;

    option nis-domain "mynet.net";
    option domain-name "mynet.net";
    option domain-name-servers 192.168.199.1;

    option time-offset -18000; # Eastern Standard Time, in seconds from UTC
    # option ntp-servers 192.168.199.1;
    # option netbios-name-servers 192.168.199.1;
    # --- Selects point-to-point node (default is hybrid). Don't change this unless
    # --- you understand Netbios very well
    # option netbios-node-type 2;

    default-lease-time 1209600; # 2 weeks
    max-lease-time 1814400; # 3 weeks

    range 192.168.199.10 192.168.199.250;

    # we want the nameserver to appear at a fixed address
    host nameserver {
        next-server nameserver.mynet.net;
        hardware ethernet 00:10:4b:ca:db:b5;
        fixed-address 192.168.199.1;
    }
}
You can use this file or use the example file in /usr/doc/dhcp-2.0/dhcpd.conf.sample. In my setup my network is 192.168.199.0 with a netmask of 255.255.255.255. My nameserver and gateway is 192.168.199.1. My domain is called "mynet.net".
6. According to the documentation, if your DHCP packets must go through a firewall you will need to allow packets from IP address 0.0.0.0 through 255.255.255.255 on UDP ports 67 and 68. I think this would be correct but you would need to allow packets on IP addresses 0.0.0.0 and 255.255.255.255, along with any packets that involve your network. For example if your network and subnets are covered under the numbers 10.1.x.x, you would need to allow any packets on 10.1.x.x, 0.0.0.0, and 255.255.255.255 on ports 67 and 68.
7. You need to start the DHCP server in one of the following ways.
1. Use linuxconf in "control panel", "control service activity", select dhcpd, select "start", then select the "enabled" box.
2. Type "/etc/rc.d/init.d/dhcpd start" to begin the service. You can add this line to your /etc/rc.d/rc.local script but usually you want to add a link to it from one of your runlevel startup directories such as /etc/rc.d/rc3.d/S65dhcpd. You may also want to add a link in the file /etc/rc.d/rc5.d to run on bootups to X. If you do this you'll also want to add kill links to it in the shutdown runlevels such as K35dhcpd in /etc/rc.d/rc0.d, rc1.d, rc2.d, and rc6.d.
8. If you get errors, one thing to check is to be sure you are not also running a BOOTP server at the same time. Also check your /etc/dhcpd.conf file.
9. Why doesn't my DHCP server update my DNS entries? This function is not yet implemented in version 2.0, but the ISC is working on implementing it in version 3.0. There is an issue from a security standpoint of who owns the DNS records. Specifically the A record and to a certain extent the PTR record. According to the ISC, it is likely the server will update the records initially whether it be the "right thing to do" or not.
Configuration File Options
The configuration file is /etc/dhcpd.conf. Its options are:
• option broadcast-address - Broadcast address in my case would be "option broadcast-address 192.168.199.255;".
• option dhcp-client-identifier - String rather than hardware address used to identify DHCP clients.
• option domain-name - The name of the domain the DHCP server is serving.
• option domain-name-servers - The address(es) of the DNS servers on the domain. Ex: "option domain-name-servers 192.168.199.1, 192.168.199.5;" The names are separated by a comma and whitespace with a semicolon ending the line.
• option host-name - The client's host name.
• option lpr-servers - Lists print server addresses.
• option nntp-server - Network News Transfer Protocol (NNTP) server address
• option pop-server - Mail server address.
• option routers - The default router address.
• option smtp-server - The SMTP e-mail server address(es).
• option subnet-mask - The subnet mask is not necessary since the subnet statement (see example file) contains a netmask value.
• option time-offset - The difference between your time zone and the Coordinated Universal Time.
• option netbios-name-servers - Define the address of the NBNS name server for samba services.
BOOTP Server
Installing BOOTP is a step back from installing DHCP but it can offer capabilities independent of DHCP such as remote booting specific client computers.
BOOTP Installation
1. Get bootpd-2.4.tar.gz and put it in an appropriate directory such as "/usr/local".
2. Type: "tar xvzf bootpd-2.4.tar.gz" which will make a directory "bootpd-2.4" full of files.
3. Read the README and README-linux files then type "make install".
4. Copy the executables to the "/usr/sbin" directory.
5. Copy the man pages to their appropriate directories by typing "cp *.8 /usr/man/man8" and "cp *.5 /usr/man/man5".
6. Read the manual on bootp, and bootptab.
Configuration
1. You can invoke bootp services in redhat linux as an independent daemon by doing (choice A) below or from the internet super daemon by doing (choice B). Choice A:
1. Using linuxconf set the bootparamd service to active.
2. Modify the "bootparamd" file in the directory "/etc/rc.d/init.d" so that everywhere "rpc.bootparamd" occurs, you substitute "bootpd -d".
3. Reboot your system or type "/etc/rc.d/init.d/bootparamd restart".
Choice B:
4. With bootparamd services off, add the following line in the file "/etc/inetd.conf": bootps dgram udp wait root /usr/sbin/tcpd bootpd -d
5. Type "killall -HUP inetd".
2. Make the file "/etc/bootptab" as shown below:
global.prof:\
:sm=255.255.0.0:\
:ds=10.1.0.100:\
:gw=10.1.0.1:\
:ht=ethernet:\
:bf=dosimage:
dos1:td=/tftpboot:hd=/bootfiles:tc=global.prof:ha=006097baa5a2:ip=10.1.0.101
This makes the name of the machine "dos1" with an IP address of "10.1.0.101" and the bootfile to load in "/tftpboot/bootfiles/dosimage".
3. Add the machine's name and address to the following files:
1. /etc/hosts
2. /var/named/db.mycompany.com.hosts
3. /var/named/db.10.1.hosts
Apache Web Server
Introduction
The apache web server is called "httpd". The configuration files for it for many systems are in "/etc/httpd/conf". Their names are httpd.conf, srm.conf, access.conf, mime.types, and magic. The file srm.conf specifies the directory location of the root document with the "DocumentRoot" statement. The "DirectoryIndex" statement gives the name of the starting file. The file access.conf, is used to control user access to various html files. On my system, the initial startup file is "/home/httpd/html/index.html". Documentation is in /home/httpd/html/manual.
Apache Installation
There are many options that can be selected when installing Apache. Among them is the selection of the modules to be compiled with the Apache web server. This will be commented on at the appropriate installation step. In my installation, I installed Apache with PHP and mysql support. To get the Apache compile to work with mysql support, it was necessary for mysql to be installed from the source. When mysql was installed from binary, the Apache compile failed. Here are the installation steps for installing Apache from a tarred and zipped source file:
1. Copy the source file to "/usr/src" or "/usr/local/src". The source file is called something like apache_1_3_19_tar.gz.
2. Type "cd /usr/src" or "cd /usr/local/src" depending on where you copied your file.
3. Type "tar xvzf apache_1_3_19_tar.gz" to decompress the source file. The directory, "apache_1.3.19" is created.
4. Type "ln -s apache_1.3.19 apache" to create a symbolic link to the apache directory.
1. If installing PHP support with apache, copy the PHP source file "php-4_0_4pl1.tar.gz" from php.org to "/usr/src" or "/usr/local/src".
2. Type "tar xvzf php-4_0_4pl1.tar.gz" to decompress the source file.
5. Type "cd apache".
6. Documentation at the apache.org web site indicates to enter the "src" directory to perform the configuration and compile. However by reading the "INSTALL" files in the apache and apache/src directories, it can be done from inside the src directory or from the main apache directory. Either approach will work. There are various advantages and disadvantages to each approach. Compiling from inside the "src" directory allows easier module control by allowing the changing of the "Configuration" file. If done from the main directory, modules to be included or excluded from the default setting must be included on the command line. I have chosen to do the install using the "configure" file in the main directory since documentation indicates that some parameters may be overridden here and I am making no changes to the default included modules. If you want to install PHP support, there is a way to do it as documented in PHP INSTALL file, but I have not outlined that procedure here and have assumed you will be performing the install from the main directory if installing PHP. If you want to change the default modules by compiling in the "src" directory, follow the subset of instructions below.
1. Type "cd src".
2. Edit the file "Configuration" file.
3. Type "./Configure". I do not believe you can use the options "--sysconfdir" and "--logfiledir" to specify configuration and logfile locations as I have done below.
4. Skip the next step (Step 7).
7. Type "./configure --prefix=/usr/local/apache --sysconfdir=/etc/httpd/conf --logfiledir=/var/log/httpd". I have added the "--sysconfdir" option to set the location where the Apache configuration files will be, and the "--logfiledir" option to set the location where logging information is written for Apache. If you are making changes to the default modules use the additional command line parameters "--enable-module=NAME" and "--disable-module=NAME" where "NAME" is the name of the module to be enabled or disabled. Read the "INSTALL" file in the main directory for more information here and read the "src/Configuration" file to see what the module names are. If installing PHP support follow the subset of instructions below.
1. Type "cd .."
2. Type "cd php-4.0.4pl1"
3. Type "./configure --with-mysql=/usr/local/mysql --with-apache=../apache --enable-track-vars". This assumes you've already installed mysql in the "/usr/local/mysql" directory.
4. Type "make".
5. Type "make install".
6. Type "cd ../apache".
7. Type "./configure --prefix=/usr/local/apache --sysconfdir=/etc/httpd/conf --logfiledir=/var/log/httpd --activate-module=src/modules/php4/libphp4.a"
8. Type "make". Note: When I did my install, I got a compile error related to the mysql installation. If you installed the binary version of mysql, you may need to install it from the source version.
9. Type "make install". If installing PHP support follow the subset of instructions below.
1. Type "cd ../php-4.0.4pl1".
2. Type "cp php.ini-dist /usr/local/lib/php.ini".
3. Edit "/etc/httpd/conf/httpd.conf" or "/etc/httpd/conf/srm.conf" and add the following line:
AddType application/x-httpd-php .php
Configuration
At this point it is time to set up the apache configuration by modifying the apache configuration files and setting apache to start automatically. The apache configuration files are:
1. httpd.conf - This is the main configuration file. It is used to specify where the document root for the web server is found, various server parameters, directory permissions, where mime types for files are found, and addition of application type definitions and the associated handler for each application.
2. srm.conf - This file is used to configure apache server directives. These directives are now recommended to be put in the httpd.conf file.
3. access.conf - This file is used to control directory access and who can access the directories. The directory access control is now recommended to be put in the httpd.conf file.
Specific configuration parameters:
• Specification of the document root where the HTML main web page, "index.html" should be found. This line should look like:
DocumentRoot "/home/httpd/html"
• Additional parameters including:
o ServerRoot - Specifies where the servers main directory is.
ServerRoot "/usr/local/apache"
o ErrorLog and LogLevel - Specifies where the web server will keep its error log file and the level at which errors are kept. LogLevel options are debug, info, notice, warn, error, crit, alert, and emerg.
ErrorLog /var/log/httpd/error_log
LogLevel warn
o KeepAlive - Specifies whether persistent connections are to be supported.
KeepAlive On
o MaxKeepAliveRequests 100 - The maximum number of requests to be served over one persistent connection.
o KeepAliveTimeout 15 - The number of seconds the connection is kept alive if no additional requests are received from the client.
o The minimum and maximum number of spare servers kept waiting for client requests, and the number of servers to start when the web server starts.
MinSpareServers 5
MaxSpareServers 10
StartServers 5
o MaxClients 150 - The maximum number of clients that may connect at one time to the web server.
o Port 80
o The user and group the web server is run as.
User nobody
Group nobody
• Directory permission entries are used to define various directory options and permissions. They are enclosed in <Directory> and </Directory> tags; the following defines the permissions for the document root directory:
<Directory "/home/httpd/html">
Options FollowSymLinks
AllowOverride None
</Directory>
Parameters include:
o AllowOverride
o AuthConfig
o FileInfo
o Limit
Options include:
o ExecCGI - Allows CGI programs in the directory to be executed.
o FollowSymLinks
o Includes
o Indexes
o MultiViews
o None - No options
o All - All options except MultiViews
• Permissions - Are set with statements such as:
Order deny,allow
Deny from all
or:
Order allow,deny
Allow from all
<Limit> and </Limit> tag pairs, along with <LimitExcept> and </LimitExcept> tags, restrict access by HTTP method and are set with methods such as:
o GET
o POST
o OPTIONS
o PROPFIND
• <Files> and </Files> tag pairs can be set to limit access to specific file types the same as is done with directory entries above.
• CGI directory definition, a <Directory> entry which defines what directory CGI application files are kept in and allows those files to be run. Other directories can be specified to allow the execution of CGI files if the ExecCGI option is specified in these directory entries.
AllowOverride None
Options None
Order allow,deny
Allow from all
• AddType and AddHandler statements. These statements associate file types with the programs that handle them. You will likely need this set of entries to run PHP.
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
To run server parsed SHTML files you will need:
AddType text/html .shtml
AddHandler server-parsed .shtml
This is just a partial list of common apache web server options. For a more complete guide, including setting up virtual hosts, refer to the Apache web server documentation.
Getting user filled out form data from the web
There are many types of programs that can be written to do this:
1. Perl CGI scripts
2. Shell CGI scripts
3. PHP scripts that are scripts run on the server side when the page is requested. PHP code is embedded in the HTML page, but files are labeled with the .php extension.
4. Java Servlets
5. Compiled programs based on any language.
The CGI Environment:
The web server fills in a standard list of environment variables when it runs a CGI program, and it sets additional variables when it is requested to. Since the Apache server is always running, anything it puts in the environment is readable by the programs it runs, such as a Perl CGI script, as long as that program knows the names of the variables to be read.
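Added example, not code from the original page: a small CGI handler in Python that reads the form fields from the standard CGI environment variables the server sets (REQUEST_METHOD, QUERY_STRING, CONTENT_TYPE, CONTENT_LENGTH), refuses oversized or malformed requests, and HTML-escapes what it echoes back; the sample requests are constructed.

```python
"""Added example (not from the original page): reading user-submitted form data
in a CGI program from the environment the web server fills in."""
import html
import io
import os
import sys
from urllib.parse import parse_qsl

MAX_BODY = 64 * 1024      # refuse oversized POST bodies before reading them
MAX_FIELDS = 100          # cap the number of fields parse_qsl will accept


def read_form(environ, stdin, max_body=MAX_BODY):
    """Return the submitted fields as a dict for a GET or a form-encoded POST.

    environ is the CGI environment (os.environ in a real script) and stdin a
    binary stream carrying the POST body. Malformed input raises ValueError so
    the caller can answer with an error page instead of guessing."""
    method = environ.get("REQUEST_METHOD", "GET").upper()
    if method == "GET":
        raw = environ.get("QUERY_STRING", "")
    elif method == "POST":
        ctype = environ.get("CONTENT_TYPE", "").split(";", 1)[0].strip().lower()
        if ctype != "application/x-www-form-urlencoded":
            raise ValueError("unsupported content type %r" % ctype)
        try:
            length = int(environ.get("CONTENT_LENGTH", ""))
        except ValueError:
            raise ValueError("missing or non-numeric CONTENT_LENGTH")
        if not 0 <= length <= max_body:
            raise ValueError("body length %d out of range" % length)
        body = stdin.read(length)                 # read exactly what was declared, never more
        if len(body) != length:
            raise ValueError("short read on request body")
        raw = body.decode("utf-8")                # UnicodeDecodeError is a ValueError
    else:
        raise ValueError("unsupported method %r" % method)
    fields = {}
    for key, value in parse_qsl(raw, keep_blank_values=True, max_num_fields=MAX_FIELDS):
        fields.setdefault(key, value)             # first occurrence wins; duplicates are dropped
    return fields


def read_form_bytes(environ, body=b"", max_body=MAX_BODY):
    """Same as read_form but with the body given as bytes (handy for tests)."""
    return read_form(environ, io.BytesIO(body), max_body)


def is_rejected(environ, body=b""):
    """True when read_form refuses the request (used to check the limits)."""
    try:
        read_form_bytes(environ, body)
    except ValueError:
        return True
    return False


def render_reply(fields):
    """Build the CGI response echoing the fields; every value is HTML-escaped
    so submitted markup is shown as text rather than interpreted by the browser."""
    items = "".join("<li>%s: %s</li>" % (html.escape(k), html.escape(v))
                    for k, v in sorted(fields.items()))
    return "Content-Type: text/html\r\n\r\n<html><body><ul>%s</ul></body></html>" % items


# Constructed sample requests (not captured from a real server).
SAMPLE_GET_ENV = {"REQUEST_METHOD": "GET",
                  "QUERY_STRING": "name=Ann+Lee&msg=%3Cb%3Ehi%3C%2Fb%3E"}
SAMPLE_POST_BODY = b"name=Bob&msg=%3Cb%3Ehello%3C%2Fb%3E"
SAMPLE_POST_ENV = {"REQUEST_METHOD": "POST",
                   "CONTENT_TYPE": "application/x-www-form-urlencoded; charset=UTF-8",
                   "CONTENT_LENGTH": str(len(SAMPLE_POST_BODY))}

if __name__ == "__main__":
    # As a real CGI script: read os.environ and sys.stdin.buffer, write the reply.
    try:
        sys.stdout.write(render_reply(read_form(os.environ, sys.stdin.buffer)))
    except ValueError as exc:
        sys.stdout.write("Status: 400 Bad Request\r\nContent-Type: text/plain\r\n\r\n%s\n" % exc)
```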
Terms:
• CGI - Common Gateway Interface. A set of rules (interface) for scripting and exchanging data over the web.
• SGML - Standard Generalized Markup Language. HTML is an application of this.
• URL - Universal Resource Locator. Includes protocol (HTTP, FTP, FILE, GOPHER), module name, path name of object.
• IIS - Microsoft's Internet Information Server (A web server for NT)
• IDC - Internet Database Connector
• ISAPI - Microsoft web programming (Internet Server Application Programming Interface)
Linux Network File System (NFS)
Linux Server Setup
NFS requires RPC to operate. The following daemons are run when the linuxconf nfs service is started:
1. rpc.rquotad - Enforces the set quotas for remote mounted NFS systems.
2. rpc.mountd - Performs the requested mounts.
3. rpc.nfsd - Handles the user interface to the kernel module that performs NFS.
Server Configuration
To set up the server side:
1. Edit the file "/etc/exports" as in one of the examples below.
2. Then type "exportfs -a".
3. Activate NFS services using linuxconf.
4. After making any changes, restart the nfs daemon either by using "linuxconf" or typing "/etc/rc.d/init.d/nfs restart". Also if you want changes to the /etc/exports file to take place immediately, install them with the "exportfs -r" command. Doing this, you will not need to restart nfs for changes to be in effect.
This is an example of an exports file for general use:
/data/installs jimslinux(rw,no_root_squash)
/data/docs *.mycompany.com(ro,root_squash)
/data markslinux(rw,no_root_squash) tomscomputer(ro)
/tftpboot linux3(ro,no_root_squash)
/data tedslinux(ro,no_root_squash)
The third line allows markslinux to have full access even at the root level to all files in /data, but tomscomputer has read only access, at the world (other) level.
This is an example of an exports file set up for diskless computers with remote booting:
/tftpboot/lts/ltsroot 10.1.0.101/255.255.0.0(ro,no_root_squash)
/tftpboot/lts/ltsroot 10.1.200.1/255.255.0.0(ro,no_root_squash)
/tftpboot/lts/ltsroot 10.1.200.2/255.255.0.0(ro,no_root_squash)
/tftpboot/lts/linux3 10.1.200.2/255.255.0.0(rw,no_root_squash)
The format of the file is:
directoryname hostname(options)
The hostname can be the IP address followed by the netmask as shown above.
Options include:
• no_root_squash - Allows root users on client computers to have root access on the server. Mount requests from root are not mapped to the anonymous user. This option is needed for diskless clients.
• root_squash - Requests from root clients are mapped to the nobody user and group ID so they will only have file privileges associated with other.
• ro - read only access
• rw - read write access
There are many more options documented in the exports(5) man page.
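Added example, not from the original page: a Python audit of an exports file that flags wildcard or network client specs combined with rw or no_root_squash, using the two exports files above as constructed samples. It also points out network specs whose host bits are set under the netmask, since exportfs matches on the masked bits only and such a line admits the whole subnet rather than the one host that was written.

```python
"""Added example (not from the original page): audit an /etc/exports file for
broad or wildcard client specs combined with rw or no_root_squash."""
import ipaddress
from collections import Counter

# Constructed samples taken from the two exports files shown above.
GENERAL_EXPORTS = """\
/data/installs jimslinux(rw,no_root_squash)
/data/docs *.mycompany.com(ro,root_squash)
/data markslinux(rw,no_root_squash) tomscomputer(ro)
/tftpboot linux3(ro,no_root_squash)
/data tedslinux(ro,no_root_squash)
"""

DISKLESS_EXPORTS = """\
/tftpboot/lts/ltsroot 10.1.0.101/255.255.0.0(ro,no_root_squash)
/tftpboot/lts/ltsroot 10.1.200.1/255.255.0.0(ro,no_root_squash)
/tftpboot/lts/ltsroot 10.1.200.2/255.255.0.0(ro,no_root_squash)
/tftpboot/lts/linux3 10.1.200.2/255.255.0.0(rw,no_root_squash)
"""


def parse_exports(text):
    """Return (path, client, options) triples, one per client spec on each line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs:
            if "(" in spec:
                client, opts = spec.rstrip(")").split("(", 1)
                options = frozenset(o.strip() for o in opts.split(",") if o.strip())
            else:
                client, options = spec, frozenset()   # no options: server defaults apply
            entries.append((path, client, options))
    return entries


def classify_client(client):
    """Classify a client spec as 'any', 'wildcard', 'network' or 'host'.

    For network specs the detail names the subnet that actually matches: a spec
    such as 10.1.0.101/255.255.0.0 has host bits set under its mask, and since
    exportfs compares only the masked bits, every host in 10.1.0.0/16 matches."""
    if client in ("", "*"):
        return "any", "every host"
    if "*" in client or "?" in client:
        return "wildcard", "hosts matching %s" % client
    if "/" in client:
        try:
            net = ipaddress.ip_network(client, strict=False)
            given = ipaddress.ip_address(client.split("/", 1)[0])
        except ValueError:
            return "host", client
        if given != net.network_address:
            return "network", "%s (host bits set; the whole %s matches)" % (client, net)
        return "network", str(net)
    return "host", client


def audit_exports(text):
    """Return (severity, path, client, message) findings for an exports file."""
    findings = []
    for path, client, options in parse_exports(text):
        kind, detail = classify_client(client)
        broad = kind != "host"
        if not options:
            findings.append(("warn", path, client, "no explicit options; server defaults apply"))
        if "no_root_squash" in options:
            findings.append(("high" if broad else "note", path, client,
                             "client root is root on the server for %s" % detail))
        if "rw" in options and broad:
            findings.append(("high", path, client, "writable by %s" % detail))
        if "host bits set" in detail:
            findings.append(("warn", path, client, detail))
    return findings


def count_by_severity(findings):
    """Summarise findings as {severity: count}."""
    return dict(Counter(f[0] for f in findings))


if __name__ == "__main__":
    for label, text in (("general", GENERAL_EXPORTS), ("diskless", DISKLESS_EXPORTS)):
        print("==", label, count_by_severity(audit_exports(text)))
        for severity, path, client, message in audit_exports(text):
            print("%-5s %-22s %-28s %s" % (severity, path, client, message))
```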
Performing the mount from the client
To do the mount on the remote machine:
1. On the remote boot machine, "linux3", after making a /tmp/mnt directory on the remote machine "linux3", type "mount -n 10.1.0.100:/tftpboot/lts/linux3 /tmp/mnt -t nfs".
2. The -n is only needed if the /etc directory on the remote boot machine is read only.
3. The 10.1.0.100 address is the address of the NFS server machine with the filesystem being mounted.
Client Setup
To set up the client side on a fully functional Linux machine, type "mount -o rsize=1024,wsize=1024 mymachine:/data /mnt/mymachine/data".
Linux Point to Point Protocol (PPP)
Point to point protocol (PPP) is the latest way to set up networking services through a modem or serial cable.
minicom is a configuration program to set up and use PPP services.
Linux Network Security
Linux Firewall management
Regardless of your firewall type (proxy, packet filtering, etc.), it is not a good idea to have a firewall performing any more services than absolutely necessary. The services are best limited to the minimum required to run the machine. I recommend that you do not provide NFS, TFTP, BOOTP, DHCP, web services, mail services, samba services, FTP, or telnet on your firewall unless absolutely necessary. If you must provide these services, be careful with wild cards in their configuration files that may allow blocks of systems or users to have access to your machine. Also if you are running these services, you should monitor security postings on these services so you are aware of any security holes associated with that particular service. If you must provide telnet or FTP, be sure you configure your TCP wrapper in the inetd.conf file for these services, and set the hosts.allow and hosts.deny files as restrictively as possible. See the section on inetd services for information on how to do this. Policies for a firewall:
1. Disable IP forwarding
2. Limit services
3. Monitor log files carefully including logfiles on any services running.
4. Limit write access to files and directories on the firewall.
5. Implement policies to prevent denial of service attacks along with IP spoofing and IP fragmentation attacks. Enabling user quotas can help prevent denial of service attacks.
6. Limit access to services with the hosts.allow and hosts.deny files.
7. Set parameters in your TCP wrapper and any other services to protect against anyone pretending to have another host's name or address. See the section on inetd.
8. Be sure your /etc/securetty file will not allow root logins from unsecured locations.
System monitoring
Check your system log files often. They are in the /var/log directory. Check the log files /var/log/secure and /var/log/messages daily. Also carefully monitor the log files of any extra services you are running on your firewall.
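As an added example (not from the original guide), the following Python script shows the kind of daily check this paragraph recommends, run over a few constructed /var/log/secure lines in the syslog format that tcp_wrappers ("refused connect from") and login ("FAILED LOGIN") wrote on Red Hat systems of that era. The host name, addresses, process ids and the alert threshold are all made up; only the line format is taken from those programs.

```python
"""Scan /var/log/secure-style lines for refused connections and failed logins.
Added example with constructed data; not part of the original guide."""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample lines (hosts and addresses are made up).
SAMPLE_LOG = """\
Aug 23 02:14:07 linux3 in.telnetd[1042]: refused connect from 10.1.0.77
Aug 23 02:14:09 linux3 in.telnetd[1043]: refused connect from 10.1.0.77
Aug 23 02:14:12 linux3 in.ftpd[1044]: refused connect from 10.1.0.77
Aug 23 02:20:33 linux3 in.telnetd[1051]: connect from 10.1.0.12
Aug 23 02:20:40 linux3 login[1052]: FAILED LOGIN 1 FROM 10.1.0.12 FOR root, Authentication failure
Aug 23 02:20:48 linux3 login[1052]: FAILED LOGIN 2 FROM 10.1.0.12 FOR root, Authentication failure
Aug 23 02:20:55 linux3 login[1052]: FAILED LOGIN 3 FROM 10.1.0.12 FOR root, Authentication failure
Aug 23 09:05:01 linux3 in.telnetd[1310]: connect from 10.1.0.12
Aug 23 09:05:06 linux3 login[1311]: LOGIN ON ttyp0 BY bob FROM 10.1.0.12
this line is not in syslog format and is skipped
"""

# "Mon DD HH:MM:SS host program[pid]: message" (the day may be padded with two spaces)
SYSLOG = re.compile(r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
                    r"(?P<host>\S+) (?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
REFUSED = re.compile(r"^refused connect from (?P<src>\S+)$")      # tcp_wrappers denial
FAILED = re.compile(r"^FAILED LOGIN \d+ FROM (?P<src>\S+) FOR (?P<user>\w+)")  # login failure


def parse_line(line: str) -> Optional[dict]:
    """Split one syslog line into timestamp, host, program, pid and message; None if not syslog."""
    m = SYSLOG.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    return rec


def classify(rec: dict) -> Optional[Tuple[str, str]]:
    """Map a record to ("refused", source) or ("failed_login", source); None if uninteresting."""
    m = REFUSED.match(rec["msg"])
    if m:
        return ("refused", m["src"])
    m = FAILED.match(rec["msg"])
    if m:
        return ("failed_login", m["src"])
    return None


def summarize(log_text: str) -> Dict[str, Counter]:
    """Count events of each kind per source address."""
    per_src: Dict[str, Counter] = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        event = classify(rec)
        if event is not None:
            per_src[event[1]][event[0]] += 1
    return per_src


def alerts(log_text: str, threshold: int = 3) -> List[Tuple[str, str, int]]:
    """Sources that reached the threshold for any event kind, sorted for stable output."""
    found = []
    for src, counts in summarize(log_text).items():
        for kind, n in counts.items():
            if n >= threshold:
                found.append((src, kind, n))
    return sorted(found)


if __name__ == "__main__":
    for src, kind, n in alerts(SAMPLE_LOG):
        print(f"{src}: {n} x {kind}")
```

Run against the real file with something like `alerts(open("/var/log/secure").read())`; the two event patterns are the ones that matter most on a firewall that still exposes wrapped services, and the per-source counting is what turns a long log into a short list of hosts to look at.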
General network policies
• Configure the identd protocol to allow for user name lookups from client to server machines. This will make it easier to track down any user who abuses the system.
• Use network monitoring tool software to detect abnormal activity on your system or an intrusion.
The Chroot environment
A chroot environment is an isolated environment which is separate from the real operating system. It has its own root directory tree complete with the programs, libraries, and modules required to run independently of the real operating system. In this way it becomes more difficult to break into the real operating system and damage it. A program that has root privileges can still get into the real operating system, but it becomes more work for an intruder. Some network services that can be configured to run in a chroot environment include bind and Apache. The chroot system is designed to prevent someone who has exploited a security problem in a service from getting access to the real system.
Linux IP Masquerading
For complete information on the setup of IP masquerading, see the following Linux how-tos:
• IPCHAINS-HOWTO
• Firewall-HOWTO
• IP-Masquerade-HOWTO
Some of the information in this section is based on these how-tos. This section summarizes and puts in simple steps some of the items you will be required to perform to set up IP masquerading. It is not a replacement for the Linux how-to documents, but a complement to them, giving an overview of what must be done. You may access the how-tos from one of the weblinks listed in the Linux websites section. The Linux Documentation Project or Metalab's Index of Linux publications will have copies of these how-tos.
IP masquerading allows internal machines that don't have an officially assigned IP address to communicate with other networks and especially the internet. It uses a form of Network Address Translation (NAT) to accomplish this. In Linux, IP masquerading support is provided by the kernel. To get it to work you must do the following:
1. Be sure the kernel has support for IP masquerading.
2. Enable IPv4 forwarding.
3. Be sure modules needed for support are loaded into the kernel.
4. Set up the firewall rules.
Checking for IP Masquerade kernel Support
To determine if IP masquerading is set up in your kernel type:
ls /proc/net
If one of the result files listed is "ip_masquerade", you will not need to recompile your kernel.
If IP masquerading is not set up you must recompile your kernel with the following options set (This is for a 2.2.x kernel or higher):
Prompt for development and/or incomplete code/drivers (CONFIG_EXPERIMENTAL) [Y/n/?]- YES
Enable loadable module support (CONFIG_MODULES) [Y/n/?] - YES
Networking support (CONFIG_NET) [Y/n/?] - YES
Packet socket (CONFIG_PACKET) [Y/m/n/?] - YES
Kernel/User netlink socket (CONFIG_NETLINK) [Y/n/?] - YES
Routing messages (CONFIG_RTNETLINK) [Y/n/?] - NO
Network firewalls (CONFIG_FIREWALL) [Y/n/?] - YES
TCP/IP networking (CONFIG_INET) - YES
IP: advanced router (CONFIG_IP_ADVANCED_ROUTER) [Y/n/?] - NO
IP: verbose route monitoring (CONFIG_IP_ROUTE_VERBOSE) [Y/n/?] - YES
IP: firewalling (CONFIG_IP_FIREWALL) [Y/n/?] - YES
IP: firewall packet netlink device (CONFIG_IP_FIREWALL_NETLINK) [Y/n/?] - YES
IP: always defragment (required for masquerading) (CONFIG_IP_ALWAYS_DEFRAG) [Y/n/?] - YES
IP: masquerading (CONFIG_IP_MASQUERADE) [Y/n/?] - YES
IP: ICMP masquerading (CONFIG_IP_MASQUERADE_ICMP) [Y/n/?] - YES
IP: masquerading special modules support (CONFIG_IP_MASQUERADE_MOD) [Y/n/?] - YES
IP: ipautofw masquerade support (EXPERIMENTAL) (CONFIG_IP_MASQUERADE_IPAUTOFW) [Y/n/?] - NO
IP: ipportfw masq support (EXPERIMENTAL) (CONFIG_IP_MASQUERADE_IPPORTFW) [Y/n/?] - YES
IP: ip fwmark masq-forwarding support (EXPERIMENTAL) (CONFIG_IP_MASQUERADE_MFW) [Y/m/n/?] - NO
IP: optimize as router not host (CONFIG_IP_ROUTER) [Y/n/?] - YES
IP: GRE tunnels over IP (CONFIG_NET_IPGRE) [N/y/m/?] - NO
IP: TCP syncookie support (not enabled per default) (CONFIG_SYN_COOKIES) [Y/n/?] - YES
Network device support (CONFIG_NETDEVICES) [Y/n/?] - YES
Dummy net driver support (CONFIG_DUMMY) [M/n/y/?] - YES
/proc filesystem support (CONFIG_PROC_FS) [Y/n/?] - YES
These are the kernel options you need for IP Masquerade. You will need to select other options for your specific hardware and network setup. Read the IP masquerade and kernel how-tos for more information. You may also want to read the section about how to compile the Linux kernel in The CTDP Linux User's Guide in the Linux section of this documentation.
Enable IPv4 Forwarding
1. Type "ls /proc/sys/net/ipv4" and look for a file "ip_forward" or "ip_forwarding". Whichever you find, use its name in the following example. The example will use "ip_forward".
2. Type echo "1" > /proc/sys/net/ipv4/ip_forward on the command line. This will enable IP forwarding until the next time you boot.
3. If running Redhat Linux, edit the "/etc/sysconfig/network" script. Look for the line with "FORWARD_IPV4=" on it and make sure it says FORWARD_IPV4=yes. The next time you boot, IPv4 forwarding will be enabled. There may be other ways to set this up on other systems.
Setting up Firewall Rules and Enabling Kernel Modules
Create the following text and place it in a file "/etc/rc.d/rc.firewall". This will load your needed modules into your kernel and set up your basic firewall rules. If you copy the file from this page, be sure to remove carriage returns when you get it into Linux or it may not work properly.
#!/bin/sh
# rc.firewall - Initial SIMPLE IP Masquerade setup for 2.2.x kernels using IPCHAINS
#
# Load all required IP MASQ modules
#
# NOTE: Only load the IP MASQ modules you need. All current available IP MASQ modules
# are shown below but are commented out from loading.
# Needed to initially load modules
#
/sbin/depmod -a
# Supports the proper masquerading of FTP file transfers using the PORT method
#
/sbin/modprobe ip_masq_ftp
# Supports the masquerading of RealAudio over UDP. Without this module,
# RealAudio WILL function but in TCP mode. This can cause a reduction
# in sound quality
#
#/sbin/modprobe ip_masq_raudio
# Supports the masquerading of IRC DCC file transfers
#
/sbin/modprobe ip_masq_irc
# Supports the masquerading of Quake and QuakeWorld by default. This modules is
# for for multiple users behind the Linux MASQ server. If you are going to play
# Quake I, II, and III, use the second example.
#
#Quake I / QuakeWorld (ports 26000 and 27000)
#/sbin/modprobe ip_masq_quake
#
#Quake I/II/III / QuakeWorld (ports 26000, 27000, 27910, 27960)
# /sbin/modprobe ip_masq_quake ports=26000,27000,27910,27960
# Supports the masquerading of the CuSeeme video conferencing software
#
#/sbin/modprobe ip_masq_cuseeme
#Supports the masquerading of the VDO-live video conferencing software
#
#/sbin/modprobe ip_masq_vdolive
#CRITICAL: Enable IP forwarding since it is disabled by default.
#
# Redhat Users: you may try changing the options in /etc/sysconfig/network from:
#
# FORWARD_IPV4=false
# to
# FORWARD_IPV4=true
#
echo "1" > /proc/sys/net/ipv4/ip_forward
# Dynamic IP users:
#
# If you get your Internet IP address dynamically from SLIP, PPP, or DHCP, enable this following
# option. This enables dynamic-ip address hacking in IP MASQ, making the life
# with DialD, PPPd, and similar programs much easier.
#
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
# MASQ timeouts
#
# 2 hrs timeout for TCP session timeouts
# 10 sec timeout for traffic after the TCP/IP "FIN" packet is received
# 160 sec timeout for UDP traffic (Important for MASQ'ed ICQ users)
#
/sbin/ipchains -M -S 7200 10 160
# DHCP: For people who receive their external IP address from either DHCP or BOOTP
# such as ADSL or Cablemodem users, it is necessary to use the following rule
# before the deny command. The interface name given with "-i" should be the name
# of the interface that the DHCP/BOOTP server will put an address on.
# This will be something like "eth0", "eth1", etc.
#
# The rule below uses "eth1". Change it to match your external interface, or
# comment it out if your external address is static.
#
/sbin/ipchains -A input -j ACCEPT -i eth1 -s 0/0 67 -d 0/0 68 -p udp
# Enable simple IP forwarding and Masquerading
#
# NOTE: The following is an example for an internal LAN address in the 10.1.199.x
# network with a 255.255.255.0 or a "24" bit subnet mask.
#
# Please change this network number and subnet mask to match your internal LAN setup
#
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -s 10.1.199.0/24 -j MASQ
This file will load the modules you need and set your firewall rules with ipchains. The last line in the file sets up masquerading for network 10.1.199.*. You will need to modify this line for your network address. Your network consists of the machines that you are running IP masquerading for. It should be connected to an ethernet card on your IP masquerading machine. If your network is 192.168.1.*, you will want "/sbin/ipchains -A forward -s 192.168.1.0/24 -j MASQ" on the last line. If it is 10.1.*.*, you will want "/sbin/ipchains -A forward -s 10.1.0.0/16 -j MASQ" on the last line.
Add the following line to the "/etc/rc.d/rc.local" file:
/etc/rc.d/rc.firewall
Of course, the machines that you are configuring to be behind the machine that provides the masquerading service should be configured to use that as their gateway.
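What the "-j MASQ" rule and the "ipchains -M -S 7200 10 160" line actually ask the kernel to do, modelled as an added Python example (not kernel code and not part of this guide): a translation table keyed by the internal connection, which rewrites the source of outbound packets to the firewall's external address, maps replies back to the LAN host, refuses replies from any host other than the one the LAN machine talked to, and expires entries with the three timeouts the script sets (TCP session, after FIN, and UDP). The external address 203.0.113.1, the starting masquerade port 61000, the class and method names, and the sample packets are all assumptions made for the example.

```python
"""Toy model of IP masquerading with the timeouts set by "ipchains -M -S 7200 10 160".
Added example; not kernel code and not part of the original guide."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

TCP_TIMEOUT, FIN_TIMEOUT, UDP_TIMEOUT = 7200, 10, 160   # seconds, as in rc.firewall
MASQ_PORT_BASE = 61000   # first port used for masqueraded connections (assumed value)


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str          # "tcp" or "udp"
    fin: bool = False   # TCP FIN seen: the entry is kept only FIN_TIMEOUT more seconds


Key = Tuple[str, str, int, str, int]   # (proto, internal ip, internal port, remote ip, remote port)


class Masquerader:
    def __init__(self, external_ip: str, internal_net: str = "10.1.199.0/24"):
        self.ext = external_ip                              # address the outside world sees
        self.net = ipaddress.ip_network(internal_net)       # the "-s 10.1.199.0/24 -j MASQ" network
        self.table: Dict[Key, Tuple[int, float]] = {}       # key -> (masq port, expiry time)
        self.reverse: Dict[Tuple[str, int], Key] = {}       # (proto, masq port) -> key
        self.next_port = MASQ_PORT_BASE

    def _timeout(self, pkt: Packet) -> int:
        if pkt.proto == "udp":
            return UDP_TIMEOUT
        return FIN_TIMEOUT if pkt.fin else TCP_TIMEOUT

    def _expire(self, now: float) -> None:
        """Drop table entries whose timeout has passed (what the three -M -S values control)."""
        for key, (mport, expires) in list(self.table.items()):
            if expires <= now:
                del self.table[key]
                del self.reverse[(key[0], mport)]

    def outbound(self, pkt: Packet, now: float) -> Optional[Packet]:
        """Rewrite a LAN -> Internet packet; None means the MASQ rule does not apply."""
        self._expire(now)
        if ipaddress.ip_address(pkt.src) not in self.net:
            return None
        key: Key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.table:
            mport = self.table[key][0]          # existing connection keeps its port
        else:
            mport = self.next_port
            self.next_port += 1
            self.reverse[(pkt.proto, mport)] = key
        self.table[key] = (mport, now + self._timeout(pkt))   # refresh the timeout
        return Packet(self.ext, mport, pkt.dst, pkt.dport, pkt.proto, pkt.fin)

    def inbound(self, pkt: Packet, now: float) -> Optional[Packet]:
        """Map an Internet -> firewall packet back to the LAN host; None means it is dropped.
        Only the remote endpoint the LAN host talked to may use the masqueraded port."""
        self._expire(now)
        key = self.reverse.get((pkt.proto, pkt.dport))
        if key is None or (key[3], key[4]) != (pkt.src, pkt.sport):
            return None
        self.table[key] = (pkt.dport, now + self._timeout(pkt))
        return Packet(pkt.src, pkt.sport, key[1], key[2], pkt.proto, pkt.fin)
```

The check in inbound() is the part worth noticing: a packet arriving at a masqueraded port is only forwarded inside if it comes from the remote address and port recorded for that entry, so the table doubles as a simple state check for the LAN hosts behind the firewall.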
Linux Proxy Servers
For complete information on the use of IP chains and setting up a firewall, see the following Linux how-tos:
• IPCHAINS-HOWTO
• Firewall-HOWTO
• IP-Masquerade-HOWTO
Some of the information in this section is based on these how-tos. This section summarizes and puts in simple steps some of the items you will be required to perform to set up a firewall. It is not meant as a replacement for the Linux how to documents, but a complement to them by giving an overview of what must be done. You may access the howtos from one of the websites listed in the Linux websites section. The Linux Documentation Project or Metalab's Index of Linux publications will have copies of these howtos. Also much of the information in this section is contained in the firewalls section of The CTDP Networking Guide in the networking section. If you do not know the various firewall types, you should read that section.
Packet Filtering Firewalls
In a packet filtering firewall, data is forwarded based on a set of firewall rules. This firewall works at the network level. Packets are filtered by type, source address, destination address, and port information. These rules are similar to the routing rules explained in The CTDP Networking Guide and may be thought of as a set of instructions similar to a case statement or if statement. This type of firewall is fast, but cannot allow access to a particular user since there is no way to identify the user except by using the IP address of the user's computer, which may be an unreliable method. Also the user does not need to configure any software to use a packet filtering firewall such as setting a web browser to use a proxy for access to the web. The user may be unaware of the firewall. This means the firewall is transparent to the client. The ipchains tool is commonly used to configure packet filtering or circuit level relay firewalls.
Circuit Level Relay Firewall
A circuit level relay firewall is also transparent to the client. It listens on a port such as port 80 for http requests and redirects the request to a proxy server running on the machine. Basically, the redirect function is set up using ipchains, then the proxy filters the packet at the port that received the redirect.
Configuring a Proxy Server
The following packages are available in Linux:
• Ipchains, soon to be replaced by netfilter (packet filtering supported by the Linux kernel). It comes with Linux and is used to modify the kernel packet routing tables.
• SOCKS - Circuit Switching firewall. Normally doesn't come with Linux, but is free.
• Squid - A circuit switching proxy. Normally comes with Linux.
• Juniper Firewall Toolkit - A firewall toolkit product used to build a firewall. It uses transparent filtering, and is circuit switching. It is available as open source.
• The TIS Firewall Toolkit (FWTK). A toolkit that comes with application level proxies. The applications include telnet, rlogin, SMTP mail, ftp, http, and X windows. It can also perform as a transparent proxy for other services.
This section does not explain how to set up and install these packages.
Deny Ping
An easy way to deny ping on your Linux computer:
ipchains -A input -p ICMP -j DENY
Warning: Those not familiar with the ICMP protocol and its uses should be aware that this command will deny all ICMP message types, including useful and important messages. The ICMP protocol performs many functions and this command may cause network problems depending on how the machine is used on your network (especially if it is used for routing). Ping is only one feature supported by ICMP. You should not use this command unless you know what you are doing or you are using it on a system that is not important for network operation. See the "Internet Control Message Protocol (ICMP)" section in The CTDP Networking Guide. Safer examples are shown below.
Deny Telnet Connections
This example will deny telnet functions to your machine.
ipchains -A input -p TCP -s 0/0 -d 0/0 telnet -j DENY
Using this command to block telnet is worthwhile if you are interested in using a more secure means of providing remote sessions. The port is given with the destination, since incoming telnet connections are addressed to the telnet port (23) on your machine. Secure shell is a good substitute for telnet for those who require a secure environment.
Ipchains and Linux Packet filtering
The administration of data packet management is controlled by the kernel. Therefore to provide support for things like IP masquerading, packet forwarding, and port redirects, the support must be compiled into the kernel. The kernel contains a series of tables that each contain 0 or more rules. Each table is called a chain. A chain is a sequence of rules. Each rule contains two items.
1. Characteristics - Characteristics such as source address, destination address, protocol type (UDP, TCP, ICMP), and port numbers.
2. Instructions - Instructions are carried out if the rule characteristics match the data packet.
The kernel filters each data packet for a specific chain. For instance when a data packet is received, the "input" chain rules are checked to determine the acceptance policy for the data packet. The rules are checked starting with the first rule (rule 1). If the rule characteristics match the data packet, the associated rule instruction is carried out. If they don't match, the next rule is checked. The rules are sequentially checked, and if the end of the chain is reached, the default policy for the chain is returned.
Rules and Programming Comparison
For those who are familiar with programming the ipchains rule set can be compared to a sequence of if statements.
if (packet=characteristics1) then perform action1;
elseif (packet=characteristics2) then perform action2;
elseif (packet=characteristics3) then perform action3;
else perform default action4;
The comparisons are made depending on the type of packets, their source or destination or a variety of characteristics entered using the ipchains command. If the packet matches the established characteristics, the action specified by the ipchains command is carried out.
Chain Specification
Chains are specified by name. There are three chains that are available and can't be deleted. They are:
1. Input - Regulates acceptance of incoming data packets.
2. Forward - Defines permissions to forward packets that have another host as a destination.
3. Output - Permissions for sending packets.
Each rule has a branch name or policy. Policies are listed below:
• ACCEPT - Accept the data packet.
• REJECT - Drop the packet but send an ICMP message indicating the packet was refused.
• DENY - Drop and ignore the packet.
• REDIRECT - Redirect to a local socket with input rules only even if the packet is for a remote host. This applies to TCP or UDP packets.
• MASQ - Sets up IP masquerading. Works on TCP or UDP packets.
• RETURN - The next rule in the previous calling chain is examined.
You can create more chains and then add rules to them. The commands used to modify chains are as follows:
• -N Create a new chain
• -X Delete an empty chain
• -L List the rules in the chain
• -P Change the policy for a chain
• -F Flush=Delete all the rules in a chain
• -Z Zero the packet and byte counters in all chains
Commands to manipulate rules inside the chain are:
• -A Append a new rule to a chain.
• -I Insert a new rule at some position in a chain.
• -R Replace a rule at some position in a chain.
• -D Delete a rule at some position in a chain.
• Options for masquerading:
o -M with -L to list the currently masqueraded connection.
o -M with -S to set the masquerading timeout values.
IPchains Options for setting rule specifications:
• -s Source
• -d Destination
• -p Protocol=tcp, udp, icmp, all or a name from /etc/protocols
• -j Jump target, Specifies the target of the rule. The target can be a user defined chain, but not the one this rule is in.
• -i Interface=Name of the interface the packet is received on or the interface where the packet will be sent
• -t Mask used to modify the type of service (TOS) field in the IP header. This option is followed by two values, the first one is and'ed with the TOS field, and the second is exclusive or'ed. The masks are eight bit hexadecimal values. An example of use is "ipchains -A output -p tcp -d 0.0.0.0/0 telnet -t 0x01 0x10" These bits are used to set priority. See the section on IP message formats.
• -f Fragment
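The evaluation order described above (first rule first, the if/elseif comparison, the chain policy when no rule decides, jumps into user-defined chains and RETURN, and the -t TOS rewrite) can be modelled in a few dozen lines. The following Python block is an added example, not ipchains source: a small rule matcher with the -s, -d, -p, port and -t characteristics, exercised with the example rules from this section (the "chainame" chain, the www, dns and smtp rules, the telnet deny and the TOS rule). It goes slightly beyond the text in that it also shows what happens when a user-defined chain reaches its end without a match. The class names, the way ports are written as ranges, and the sample packets are assumptions of the example; a port specification is only compared for TCP and UDP, as in ipchains.

```python
"""Toy model of ipchains rule evaluation (an added example; not ipchains source)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY_PORT = (0, 65535)                    # port range that matches any port
TERMINAL = ("ACCEPT", "DENY", "REJECT")  # targets that end the evaluation


@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    tos: int = 0          # IP type-of-service byte, rewritten by -t rules


@dataclass
class Rule:
    """One rule: the characteristics (-s, -d, -p, ports, -t) and the instruction (-j)."""
    target: Optional[str] = None           # ACCEPT/DENY/REJECT/RETURN, a user chain, or None (no -j)
    src: str = "0.0.0.0/0"                 # -s address/mask
    dst: str = "0.0.0.0/0"                 # -d address/mask
    proto: str = "all"                     # -p
    sports: Tuple[int, int] = ANY_PORT     # "1024:" becomes (1024, 65535)
    dports: Tuple[int, int] = ANY_PORT
    tos: Optional[Tuple[int, int]] = None  # -t and_mask xor_mask

    def matches(self, p: Packet) -> bool:
        if self.proto != "all" and self.proto != p.proto:
            return False
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src, strict=False):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst, strict=False):
            return False
        if p.proto in ("tcp", "udp"):
            return (self.sports[0] <= p.sport <= self.sports[1]
                    and self.dports[0] <= p.dport <= self.dports[1])
        # A port specification cannot match a protocol that has no ports
        return self.sports == ANY_PORT and self.dports == ANY_PORT


Chains = Dict[str, List[Rule]]


def walk(chains: Chains, name: str, pkt: Packet) -> Optional[str]:
    """Check the rules of one chain in order, like a sequence of if/elseif statements.
    Returns a terminal verdict, or None when the chain ends or a RETURN rule matches."""
    for rule in chains[name]:
        if not rule.matches(pkt):
            continue
        if rule.tos is not None:          # -t: TOS = (TOS AND mask1) XOR mask2
            pkt.tos = (pkt.tos & rule.tos[0]) ^ rule.tos[1]
        if rule.target is None:
            continue                      # no -j: the rule only modified the packet
        if rule.target in TERMINAL:
            return rule.target
        if rule.target == "RETURN":
            return None
        verdict = walk(chains, rule.target, pkt)   # jump into a user-defined chain
        if verdict is not None:
            return verdict                # otherwise carry on with the next rule here
    return None


def filter_packet(chains: Chains, policies: Dict[str, str], chain: str, pkt: Packet) -> str:
    """Run a built-in chain; its policy (-P) is the verdict when no rule decides."""
    verdict = walk(chains, chain, pkt)
    return policies[chain] if verdict is None else verdict


def example_ruleset() -> Tuple[Chains, Dict[str, str]]:
    """The example rules of this section in the toy notation (port numbers from /etc/services)."""
    chains: Chains = {
        "input": [
            Rule("DENY", proto="tcp", dports=(23, 23)),   # deny packets addressed to the telnet port
            Rule("chainame"),                              # ipchains -A input -j chainame
        ],
        "chainame": [
            Rule("ACCEPT", src="10.1.0.0/16", sports=(1024, 65535), dports=(80, 80)),  # LAN -> outside www
            Rule("ACCEPT", sports=(80, 80), dst="10.1.1.36", dports=(1024, 65535)),    # www replies to server
            Rule("ACCEPT", proto="udp", sports=(53, 53), dst="10.1.0.0/16"),          # DNS answers into LAN
            Rule("ACCEPT", src="10.1.1.24", dports=(25, 25)),                         # mail server -> outside smtp
            Rule("ACCEPT", sports=(25, 25), dst="10.1.1.24", dports=(25, 25)),        # outside smtp -> mail server
        ],
        "output": [
            Rule(None, proto="tcp", dports=(23, 23), tos=(0x01, 0x10)),   # -t 0x01 0x10: telnet priority
        ],
        "forward": [],
    }
    policies = {"input": "DENY", "output": "ACCEPT", "forward": "DENY"}   # deny by default
    return chains, policies
```

A packet that matches nothing in "chainame" drops back into the input chain and, with nothing left there, gets the DENY policy; that is why the deny-by-default policy matters more than any single ACCEPT rule, and why the order of rules within a chain decides the outcome.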
When making changes to firewall rules, it is a good idea to deny all packets prior to making the changes, with the following three commands:
ipchains -I input 1 -j DENY
ipchains -I output 1 -j DENY
ipchains -I forward 1 -j DENY
These commands insert a rule at position 1 that denies all packets for input, output, or forwarding. This is done so that no unauthorized packets are let through while the changes are being made. When your changes have been completed, remove the rules at position 1 with the following commands:
ipchains -D input 1
ipchains -D output 1
ipchains -D forward 1
Examples of the use of ipchains to allow various services
Create a new chain:
ipchains -N chainame
The option "-N" creates the chain.
Add the chain to the input chain:
ipchains -A input -j chainame
Allow connections to outside http servers from inside our network:
ipchains -A chainame -s 10.1.0.0/16 1024: -d 0.0.0.0/0 www -j ACCEPT
The "-A chainame" adds a rule to the chain called "chainame". The "-s 10.1.0.0/16 1024:" specifies any traffic on network 10.1.0.0 at port 1024 or above. The "-d 0.0.0.0/0 www" specifies any destination for www service (in the /etc/services file) and the "-j ACCEPT" sets the rule to accept the traffic.
Allow connections from the internet to connect with your http server:
ipchains -A chainame -s 0.0.0.0/0 www -d 10.1.1.36 1024: -j ACCEPT
The "-A chainame" adds a rule to the chain called "chainame". The "-s 0.0.0.0/0 www" specifies traffic from any source for www service. The "-d 10.1.1.36 1024:" specifies the http server at IP address 10.1.1.36 at ports above 1024 and the "-j ACCEPT" sets the rule to accept the traffic.
Allow DNS to go through the firewall:
ipchains -A chainame -p UDP -s 0/0 domain -d 10.1.0.0/16 -j ACCEPT
The "-A chainame" adds a rule to the chain called "chainame". The "-p UDP" specifies the UDP protocol. The "-s 0/0 domain" specifies DNS traffic from any location (the DNS service is named "domain" in the /etc/services file). The "-d 10.1.0.0/16" specifies our network and the "-j ACCEPT" sets the rule to accept the traffic. This allows DNS answers to queries from computers inside our network to be received.
Allow e-mail to go from our internal mail server to mailservers outside the network.
ipchains -A chainame -s 10.1.1.24 -d 0/0 smtp -j ACCEPT
The "-A chainame" adds a rule to the chain called "chainame". The "-s 10.1.1.24" specifies any traffic from 10.1.1.24 IP address. The "-d 0/0 smtp" specifies any smtp type of service going anywhere and the "-j ACCEPT" sets the rule to accept the traffic.
Allow e-mail to come from any location to our mail server:
ipchains -A chainame -s 0/0 smtp -d 10.1.1.24 smtp -j ACCEPT
The "-A chainame" adds a rule to the chain called "chainame". The "-s 0/0 smtp" specifies mail traffic from anywhere. The "-d 10.1.1.24 smtp" specifies mail traffic going to our mail server and the "-j ACCEPT" sets the rule to accept the traffic.
Perform a HTTP port redirect for a transparent proxy server:
ipchains -A input -p tcp -s 10.1.0.0/16 -d 0/0 80 -j REDIRECT 8080
The "-A input" adds a rule to the input chain. The "-p tcp" specifies the protocol TCP. The "-s 10.1.0.0/16" specifies the source as a network with netmask 255.255.0.0. The "-d 0/0" specifies a destination of anywhere. The number 80 is the HTTP port number, and the command "-j REDIRECT 8080" redirects the traffic to port 8080.
Give telnet transmissions a higher priority
ipchains -A output -p tcp -d 0.0.0.0/0 telnet -t 0x01 0x10
The bits at the end of the line specified in hexadecimal format are used to set the priority of the IP message on the network. The first value is and'ed with the TOS field in the IP message header, and the second value is exclusive or'ed. See the section on IP message formats for more information.
Using ipchains-save and ipchains-restore to make rules permanent
When you are done setting your ipchains rules, use the following procedure while logged on as root to make them permanent:
1. Type the command "ipchains-save > /etc/iprules.save".
2. Create the following script named "packetfw":
#! /bin/sh
# Packet filtering firewall script used to turn the firewall on or off

if [ -f /etc/iprules.save ]
then
    case "$1" in
    start)
        echo -n "Turning on packet filtering firewall:"
        /sbin/ipchains-restore < /etc/iprules.save
        echo 1 > /proc/sys/net/ipv4/ip_forward
        echo "."
        ;;
    stop)
        echo -n "Turning off packet filtering:"
        echo 0 > /proc/sys/net/ipv4/ip_forward
        # Flush the rules first; a user-defined chain can only be deleted when it is empty
        /sbin/ipchains -F
        /sbin/ipchains -X
        /sbin/ipchains -P input ACCEPT
        /sbin/ipchains -P output ACCEPT
        /sbin/ipchains -P forward ACCEPT
        echo "."
        ;;
    *)
        echo "Usage: /etc/init.d/packetfw {start|stop}"
        exit 1
        ;;
    esac
    exit 0
else
    echo "The /etc/iprules.save file does not exist."
    exit 1
fi
3. Save the file in the /etc/rc.d/init.d directory.
4. In the /etc/rc.d/rc3.d and the /etc/rc.d/rc5.d directories make a symbolic link called S07packetfw to the /etc/rc.d/init.d/packetfw file with the command "ln -s /etc/rc.d/init.d/packetfw /etc/rc.d/rc3.d/S07packetfw". This applies to runlevel 3. Do the same for the runlevel 5 initialization directory. Note: You may need to use a different number than the "S07" string to number your link file. Look in your /etc/rc.d/rc3.d and /etc/rc.d/rc5.d directories to determine what number is available to give this file. Try to give it a number just below your network number file. On my system the S10network file is used to start my network.
Linux UUCP
This section is not yet complete!
UUCP which stands for Unix to Unix copy is primarily used for copying files between Unix systems but can also perform other functions. It typically does not do the tasking immediately, but executes tasking based on queued requests. Tasking is done based on a specific schedule set up by the administrator. This form of intersystem tasking has been used in the past to send information over telephone lines at times when rates were low.
Much information on this page was developed from the Taylor UUCP Version 1.06 Documentation by Lance Taylor. This document comes on Redhat Linux 6.1 systems in the file /usr/doc/uucp-1.06.1/uucp.html. For complete information, you should read this file. This page only attempts to give a few examples with explanations to get you up and running quicker.
UUCP Configuration files
Configuration files are located in "/etc/uucp" or "/usr/lib/uucp" on older Linux versions.
Then make sure that the permissions of the files are
-rw-r--r-- 1 root root 321 Aug 23 1999 call
-rw-r--r-- 1 root root 1184 Aug 23 1999 config
-rw-r--r-- 1 root root 321 Aug 23 1999 dial
-rw-r--r-- 1 root root 325 Aug 23 1999 dialcode
-rw-r--r-- 1 root root 323 Aug 23 1999 passwd
-rw-r--r-- 1 root root 321 Aug 23 1999 port
-rw-r--r-- 1 root root 320 Aug 23 1999 sys
Each configuration file is described below:
• call - Contains your login/password for each system you poll. It is used when calling remote systems. The syntax is:
  remotesystem username password
The remote system is the name of the remote host, the username is the name of the user and password is the password required for the user.
• config - The main configuration file (Line numbers were added for reference)
1. nodename mymachine # The UUCP name of this system
2. spool /var/spool/uucp # The UUCP spool directory
3. pubdir /var/spool/uucppublic # The UUCP public directory
4. logfile /var/log/uucp/log # The UUCP log file
5. statfile /var/log/uucp/stats # The UUCP statistics file
6. debugfile /var/log/uucp/debug # The UUCP debugging file
7. #sysfile /etc/uucp/sys # Default "sys"
8. #portfile /etc/uucp/port # Default "port"
9. #dialfile /etc/uucp/dial # Default "dial"
10. #dialcodefile /etc/uucp/dialcode # Default "dialcode"
11. #callfile /etc/uucp/call # Default "call"
12. #passwdfile /etc/uucp/passwd # Default "passwd"
# No commands may be executed by unknowns (empty list of permitted commands)
# Upload is authorized in /var/spool/uucp for unknown hosts
13. unknown commands
14. unknown pubdir /var/spool/uucp
15. unknown remote-send ~ !~/upload
16. unknown remote-receive ~/upload
To set this file up, all you need to do is replace "mymachine" with your system name.
The lines in the file do the following:
1. name
2. spool directory
3. public directory
4. log file
5. statistics file
6. debugging file
7. default sys file
8. default port file
9. default dial file
10. default dialcode file
11. Default call file
12. Default password file
13. No commands may be executed by unknown hosts since the list of commands is empty
14. The public directory is set for unknown hosts which is /var/spool/uucp
15. Files may be sent to unknown hosts from the /var/spool/uucp directory. Files may not be sent from the /var/spool/uucp/upload directory, indicated by !~/upload. The ~ symbol indicates the public directory. The ! symbol indicates "not", which excludes the filename that follows it.
16. Files may be uploaded by unknown hosts to the public directory (~), which is /var/spool/uucp, or to the /var/spool/uucp/upload directory.
The command
unknown receive-request no
will not allow unknown hosts to receive files from this host.
Setting the public directory permits users on systems that call in to request a file by prefixing it with `~/' to get a file from the public directory. To retrieve the file "/var/spool/public/database" from the server "ourserver", a user on a remote host can enter "uucp ourserver!~/INDEX ~"; The file would be sent to the user's local public directory. When using `csh' or `bash' the ! and the second ~ must be quoted. This example applies if the user's host is known to the server. If it is unknown, the user would get the file from /var/spool/uucp/INDEX.
NEWS
INN stands for internet news. Network news transport protocol (NNTP) is the protocol used to send news over the internet. The RFC numbers describing the protocol are 977 and 1036. One popular news software is Cnews.
Linux Secure Shell
Much of this information is from the secure shell website and is intended as a supplement for introductory purposes and an aid to enable users to get secure shell running.
Why you should use secure shell
When a user logs on to a Linux system using the standard telnet or ftp services, the password is sent in the clear during the logon process. Anyone with a network sniffer can intercept the password and then break into the system. Secure shell encrypts the password and implements several other important security measures which allow users to remotely log on to Linux systems without worrying about security.
Getting secure shell
Refer to the weblinks section under "Sites for specific programs" to locate secure shell documentation and downloadable copies of secure shell. Secure shell is a commercial product for corporate use, but may be used by individuals and educational institutions without charge. The secure shell website contains a FAQ section from which you can link to mirror sites for documentation and downloading.
Installation on Linux
Place the secure shell downloaded package in /usr/local/source and issue the following commands:
1. Unpack the file with "tar xvzf ssh-2_2_0_tar.gz". The directory "ssh-2.2.0" will be created.
2. Enter the directory with the command "cd ssh-2.2.0"
3. Type "./configure" to configure the package for the build.
4. Type "make" to build the package.
5. Type "make install" to install the package.
6. Optionally type "make clean-up-old" to remove *.old files.
This assumes you are installing from a source tarred and zipped file.
Installation on a Windows platform
1. Double click on the SSHWin-2_2_0.EXE file that you downloaded. An install wizard will begin.
2. Perform the install, reading and accepting the license agreement. The copy I tested was a 30 day evaluation copy.
3. Click on "Start" -> "Programs" -> "SSH Secure Shell" -> "Secure Shell Client" to start the secure shell program. This program has an excellent help menu that can be activated by selecting "Help" -> "Contents".
4. Click on "Edit" -> "Settings" , select "Connection" and enter your hostname and user name then click OK.
5. Click on "Edit" -> "Settings", select "User Keys" and click on the "Generate New Key Pair" button to generate a set of keys. You will need to enter a passphrase, which will later be required for key authentication. This will take a few minutes, so this is a good time to start services on the host side.
6. Start SSH on the host side. On Linux you can type "/usr/local/sbin/sshd2" on the command line. The program is normally installed in the /usr/local/sbin directory. To get the program to start at bootup, the above command may be placed in the /etc/rc.d/rc.local file.
7. Logon from the Windows side by pressing ENTER or selecting "File" -> "Connect".
8. Enter your Linux user name and the user password for your Linux account.
9. Upload the public key file generated earlier to the ~/.ssh2 directory in the user's home directory.
1. Click on "Edit" -> "Settings" , select "Host Settings", and click "Browse" to locate the public key file generated earlier. It may be in C:\Program Files\SSH Communications Security\Users\computername\userkeys\user.pub.
2. Click on "Window" -> "NewFileTransfer"
3. Select "View" -> "Show Hidden Files"
4. Enter the $HOME/.ssh2 directory.
5. Select "Operation -> "Upload"
10. Create a file called "authorization" in the user's $HOME/.ssh2 directory. You may use an editor to enter the string "Key" followed by the name of the file you uploaded, or type the following:
1. cd ~/.ssh2
2. echo "Key username.pub" > authorization
11. The next time you login, if you enter your password in the "Connect to remote Host" dialog box, you are using password authentication and must enter your Linux user's password. If you press ENTER when you see this box, you will be able to enter your pass phrase to use the private key for authentication.
Congratulations, you are done, unless you are interested in setting your Linux computer as a client. Also, if you are interested in using your Windows computer as a host, you may need another program (if one exists) since the above program is a Windows SSH2 client program.
Configuring SSH for Linux
This section and the sections below are useful if you want to connect from one Linux computer to another, or use Linux on the client side. The following steps are documented in the README and SSH2.QUICKSTART files of the SSH2 package, with some additional comments here which may be of use. It is recommended, however, that you rely on the package documentation, since programs change and the procedures may change with them.
You will be generating key pairs to allow secure communications in the following steps. Keep in mind that on the server side you will need a public key and an authorization file, and on the client side you will need a private key and an identification file. The public key on the server and the private key on the client must be a matching pair as generated by the ssh-keygen2 program. You can use either host based authentication or user based authentication. If you use user based authentication, the key files mentioned below must be set up in the user's home directory. If host based authentication is used, the host being authenticated must have the appropriate key files. The instructions below set up user authentication.
1. Be sure your computer has the device "/dev/random" which is used to generate keys. If it does not, you will need to use the ssh-keygen2 utility to generate security keys.
2. Set up the following files (Note: The ~ symbol indicates the user's home directory):
o Files needed on the client host to log in to a remote server host.
1. ~/.ssh2/id_dsa_1024_a and ~/.ssh2/id_dsa_1024_a.pub - The first is a 1024 bit DSA private key and the second is the matching 1024 bit DSA public key. The public key may be distributed to other computers that you will want to log in to. The private key must be held only by the user; it should not be readable by anyone else.
Create these files while logged in as the user you want to create them for and type:
ssh-keygen2
You will need to enter a passphrase. It will create the two files in the location shown above.
2. ~/.ssh2/identification - Lists the private keys to be used for authentication. The contents of the file should be:
# identification
IdKey id_dsa_1024_a
This can be created using an editor or by running the ssh-pubkeymgr script. The following commands will also create this file:
1. cd ~/.ssh2
2. echo "IdKey id_dsa_1024_a" > identification
o Files needed on the server host to enable users to log in from a remote client host.
1. Step 1, above, should be repeated on the server host to set up the user's .ssh2 directory, optionally using a different passphrase. Then the public key, id_dsa_1024_a.pub, must be copied to this directory on the server host. Perform step 2, above, if you also want to use the server to log on to other remote machines.
2. Copy the public key file "~/.ssh2/id_dsa_1024_a.pub" from the client host above to this server host and call it "serverhostname.pub", placing it in the ~/.ssh2 directory. The name is arbitrary, but it must match the entry in the authorization file below.
3. ~/.ssh2/authorization - Lists the public keys that may log in as this user. Anyone holding the private key matching a listed public key may log in as the user. The contents of the file should be:
# authorization
Key serverhostname.pub
This can be created using an editor or by running the ssh-pubkeymgr script. The following commands will also create this file:
1. cd ~/.ssh2
2. echo "Key serverhostname.pub" > authorization
Additional configuration files, that you may not need to be concerned about
1. Files that may need configured:
o ~/.ssh2/hostkeys/key_xxxx_yyyy.pub - The public host key for port xxxx of the host yyyy.
o ~/.ssh2/ssh2_config - The per-user client configuration file, similar to the file /etc/ssh2/ssh2_config.
o ~/.ssh2/knownhosts/xxxxyyyy.pub - Public host keys of the hosts users will log in from, for host based authentication. The ~/.shosts or ~/.rhosts file must also be set up. See the SSH documentation for more information on this subject.
o /etc/ssh2/knownhosts/xxxxyyyy.pub
o /etc/hosts.equiv and /etc/shosts.equiv. See the ssh2 man page
o ~/.rhosts and ~/.shosts
2. Files that should already be configured:
o /etc/ssh2/ssh2_config - This file is created by the "make install" command issued earlier.
o /etc/ssh2/hostkey.pub and /etc/ssh2/hostkey - Should be created by the "make install" command issued earlier, but it may be created by issuing the commands:
1. rm /etc/ssh2/hostkey*
2. ssh-keygen2 -P /etc/ssh2/hostkey
See the ssh2_config and sshd2_config man pages for more configuration file format information.
About SSH2
SSH is now using SSH2 which has improved security over SSH1. The binary programs include:
• ssh2 - The secure shell client which replaces rlogin and rsh.
• sshd2 - The secure shell daemon.
• sftp2 - The secure shell FTP client.
• sftp-server2 - The secure shell FTP server which is executed from the sshd2 daemon program.
• scp2 - The secure copy client, used to copy files between hosts over an SSH connection.
• ssh-keygen2 - A utility for generating security keys.
• ssh-add2 - Adds identities to the authentication agent.
• ssh-agent2 - The authentication agent.
• ssh-askpass2 - X utility for querying passwords.
• ssh-signer2 - Signs host based authentication packets.
• ssh-probe2 - Probes a network for ssh2 servers.
• ssh-pubkeymgr - A script that helps generate and install public keys.
• ssh-chrootmgr - A utility that makes it easier to set up a chroot environment.
An additional man page is "ssh2_config".
Linux Text Processing
Groff
GNU's version of nroff and troff. Groff produces output both for printing and as plain ASCII text. Macro packages are provided for different types of documents.
Macros:
• mgs - Writing papers
• man - For writing man pages
To make a man page from a file you have written (see the section on how to make a man page) type:
groff -t -man -Tascii viewmod.txt > viewmod.1
-Tascii Produces ASCII text
-Tps Produces PostScript
-Tdvi Produces DVI (Device Independent) output, as used by TeX
TEX and LaTeX
LaTeX is a set of macros on top of TEX that is concerned with the structure of a document such as chapters, footnotes and sections.
TEX Commands:
\documentstyle{letter} Choices: article, report, book, letter. They specify global macros
\begin Begin document
\end End document
\\ Line break
\ Starts a command. A trailing backslash forces a space
~ Forces a space between two words or characters without allowing a line break
{\em } Text within the braces is emphasized
\bf Boldfaced
\tt Typewriter text
Example:
\documentstyle{letter}
\address{123 Desert Rd \\Unit 2B\\Wayside, AZ 08821}
\signature{John Smith}
\begin{document}
\begin{letter}{Mr.~George~Linuxuser\\
1100 N East Street \\
California, MD 20190}
\opening{Dear George,}
I would like to inform you that I have just discovered \LaTeX\ and it is the greatest
thing since sliced bread. You should use it for all your text processing needs.
\closing{Most Sincerely,}
\end{letter}
\end{document}
Save as tolinux.tex
Type "latex tolinux"
Results are output in tolinux.dvi
Use "dvips" to make a PostScript file from the dvi file, e.g. dvips -o tolinux.ps tolinux.dvi
To see the output, you can use "xdvi" under X Windows.
The program "dvilj" will print dvi files on Laserjet printers.
The program "eps" will print dvi files on epson printers.
LaTeX user's Guide and Reference Manual
The TEXbook
Making TEX Work
Texinfo
Used to produce hypertext info pages and printed manuals.
• @ - Begins a command
• @c or @comment - Begins a comment
• @setfilename - Name of output file
• @settitle - The title of the document
• @setchapternewpage - Tells where to start new chapters. Choices: odd, even
• @code - Marks literal program text such as a command or function name
• @ifinfo - Specifies text to show up only in the info file
• @enumerate
• @end - Way to end things like ifinfo, titlepage, menu, enumerate
• @table
• @var - Indicates a metavariable
• @xref - Cross reference to another node
• @cindex - Makes entries in the concept index at the end of the document
Example file:
\input texinfo @c -*-texinfo-*-
@c %**start of header
@setfilename test.info
@settitle An example texinfo file
@c %**end of header
@titlepage
@sp 10
@comment This is to be in large font
@center @titlefont{This Test Title}
@end titlepage
@c Node, Next , Previous, Up
@node Top , First Chapter , (dir), (dir)
@ifinfo
This is a test info file. There is no worthwhile text here.
This is only a test.
@end ifinfo
@menu
* First Chapter:: The only chapter
* Concept Index:: Index of Concepts
@end menu
@c Node , Next ,previous, up
@node First Chapter, Concept Index, Top, Top
@chapter First Chapter
@cindex Sample index entry
@c A numbered list
@enumerate
@item
The first one
@item
The second one
@end enumerate
The @code{makeinfo} and @code{texinfo-format-buffer}
commands transform a Texinfo file into an Info file. @TeX{}
typesets it for a printed manual.
@c Node ,next , previous , up
@node Concept Index, , First Chapter, Top
@unnumbered Concept Index
@printindex cp
@contents
@bye
If the file is called test.texi, type "makeinfo test.texi" to make an info file called test.info.
Linux Networking Setup
Required Information
To enable networking, you must configure your network interface card or cards with an IP address and netmask. The kernel must have support for your cards compiled in, either as modular support or direct support. If you don't have kernel support, read the sections about the kernel and how to compile it. To set your cards up, do the following. In my example my network is 192.168.1.0, IP=192.168.1.100, broadcast=192.168.1.255, netmask=255.255.255.0, gateway=192.168.1.1, nameserver=192.168.1.10.
1. Determine your machine's IP address from your network administrator.
2. Your network mask. This determines which portion of the IP address specifies the subnetwork number and which portion specifies the host.
Class C (most networks) 255.255.255.0
Class B 255.255.0.0
3. Your network address, which is your IP address bitwise ANDed with the network mask.
Ex: IP: 192.168.1.100 Mask: 255.255.255.0 Net Addr: 192.168.1.0
4. Your broadcast address. Used to broadcast packets to every machine on your subnet. It is your IP address with every host bit (the bits that are zero in the mask) set to one.
Ex: IP: 192.168.1.100 Mask: 255.255.255.0 Broadcast: 192.168.1.255
5. Your gateway address. The address of the machine that is your gateway to the outside world.
In many cases: Ex: IP: 192.168.1.100 Gateway: 192.168.1.1
6. Your nameserver address. Translates host names into IP addresses. 192.168.1.10
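The address arithmetic in steps 3 to 5 is easy to get wrong by hand, so here is an added example (not from the original page) in POSIX sh that computes the network and broadcast addresses from an IP address and netmask, checks that a netmask is contiguous, and checks that a gateway is on the same subnet as the interface. The function names are my own; the example values are the ones used above.

```shell
#!/bin/sh
# Added example, not part of the original page: IPv4 address arithmetic
# for the network setup steps above, in pure POSIX sh arithmetic.

# ip_to_int 192.168.1.100 -> the address as a 32-bit integer
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1               # split the dotted quad into $1..$4
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip 3232235876 -> 192.168.1.100
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Step 3: network address = IP AND netmask
network_addr() {
    int_to_ip $(( $(ip_to_int "$1") & $(ip_to_int "$2") ))
}

# Step 4: broadcast address = IP OR (NOT netmask), kept to 32 bits
broadcast_addr() {
    int_to_ip $(( $(ip_to_int "$1") | (~$(ip_to_int "$2") & 4294967295) ))
}

# A netmask must be a run of 1 bits followed by a run of 0 bits;
# 255.0.255.0 is not one. Returns 0 (valid) or 1 (invalid).
valid_mask() {
    inv=$(( ~$(ip_to_int "$1") & 4294967295 ))
    [ $(( inv & (inv + 1) )) -eq 0 ]
}

# Step 5 sanity check: the gateway must be on the interface's own subnet,
# otherwise "route add default gw ..." fails with "network unreachable".
same_subnet() {
    [ "$(network_addr "$1" "$3")" = "$(network_addr "$2" "$3")" ]
}

# Example values from the page: IP 192.168.1.100, netmask 255.255.255.0
ip=192.168.1.100
mask=255.255.255.0
valid_mask "$mask" || echo "warning: $mask is not a contiguous netmask"
echo "network:   $(network_addr "$ip" "$mask")"      # 192.168.1.0
echo "broadcast: $(broadcast_addr "$ip" "$mask")"    # 192.168.1.255
same_subnet "$ip" 192.168.1.1 "$mask" && echo "gateway 192.168.1.1 is on the local subnet"
```

Run it with any sh (dash or bash); it uses no external commands, so it works in a minimal rescue environment too.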
Configuration tools
There are many network configuration tools today. They are:
netconf A GUI interactive interface available on Redhat 6.1
linuxconf A GUI interactive interface available on Redhat 6.1 which includes netconf configuration.
netconfig A GUI step by step interface
ifconfig A text based program to configure the network interface. Type "man ifconfig" for info.
These programs will modify values in the following files:
• /etc/sysconfig/network - Defines your network and some of its characteristics.
• /etc/HOSTNAME - Shows the host name of this host. If your name is "myhost" then that is exactly the text this file will contain.
• /etc/resolv.conf - Specifies the domain to be searched for host names to connect to, the nameserver address, and the search order for the nameservers.
• /etc/host.conf - Specifies the order nameservice looks to resolve names.
• /etc/hosts - Shows addresses and names of local hosts.
• /etc/networks - Provides a database of network names with network addresses similar to the /etc/hosts file. This file is not required for operation.
• /etc/sysconfig/network-scripts/ifcfg-eth* - There is a file for each network interface. This file contains the IP address of the interface and many other setup variables.
Analysis Tools
• netstat - Displays information about the system's network connections, including port connections, routing tables, and more. The command "netstat -r" will display the routing table.
• traceroute - This command can be used to determine the network route from your computer to some other computer on your network or the internet. To use it, type "traceroute IPaddress" with the address of the computer you want to see the route to.
• nslookup - Used to query DNS servers for information about hosts.
• arp - This program lets the user read or modify their arp cache.
• tcpdump - This program lets the user capture and inspect the packets on a network interface (all IP traffic, not only TCP).
• dig(1) - Send domain name query packets to name servers for debugging or testing.
Manual Configuration
You can use one of the above tools or configure the network the old fashioned way as follows:
1. First to use networking on any permanent basis you should setup the file /etc/sysconfig/network similar to the example shown below.
2. Assign an ip address with "ifconfig eth0 192.168.1.100 netmask 255.255.255.0 up".
3. Add a route for your local network, so the kernel knows it is reachable through eth0, with the command "route add -net 192.168.1.0 netmask 255.255.255.0 eth0"
4. To contact hosts outside your network if a machine with IP address 192.168.1.1 is the gateway use the command "route add default gw 192.168.1.1 eth0"
5. If using a dialup connection use the command "route add default ppp0" The word default says if the packet is not for a machine on your local network, send it to the default device.
These settings are not permanent; they go away the next time you boot. They are normally set up in the directory /etc/sysconfig/network-scripts. Add the network interface to the file /etc/sysconfig/network-scripts/ifcfg-eth*. For example the file ifcfg-eth0 is for the first ethernet interface, ifcfg-eth1 for the second, and ifcfg-lo for the loopback interface. An example file from my system is:
DEVICE="eth0"
IPADDR="192.168.1.100"
NETMASK="255.255.0.0"
ONBOOT="yes"
BOOTPROTO="none"
IPXNETNUM_802_2=""
IPXPRIMARY_802_2="no"
IPXACTIVE_802_2="no"
IPXNETNUM_802_3=""
IPXPRIMARY_802_3="no"
IPXACTIVE_802_3="no"
IPXNETNUM_ETHERII=""
IPXPRIMARY_ETHERII="no"
IPXACTIVE_ETHERII="no"
IPXNETNUM_SNAP=""
IPXPRIMARY_SNAP="no"
IPXACTIVE_SNAP="no"
Unless you know what you're doing it is best to use a network configuration tool. I cannot guarantee the accurateness of how to set these files up on your system.
Configuring an interface for multiple IP addresses
If you want to configure your network card to act as more than one IP address, issue the following command:
ifconfig dummy 192.168.1.102 netmask 255.255.255.0
This uses the dummy system interface capability supported in the kernel to setup another virtual interface which operates at IP address 192.168.1.102. Substitute the IP address that you want your virtual interface to be with an appropriate netmask for your network. To disable this, issue the following command.
ifconfig dummy down
Another way to use multiple IP addresses on one ethernet card is to set up a new file in your /etc/sysconfig/network-scripts directory. Copy your ifcfg-eth0 file to ifcfg-eth0:0. Edit that file and rename the device to "eth0:0" and the IP address to the desired IP address. You may also want to modify BROADCAST, NETWORK, or NETMASK. You can continue adding IP addresses by using :1, :2, etc such as ifcfg-eth0:2.
To make it effective, you must reboot your system or issue the command "/etc/rc.d/init.d/network restart" as root.
Dynamically allocated IP addresses
To get the IP address of a dynamically allocated network interface in a script file enter the following:
dynip=`/sbin/ifconfig | grep -A 4 ppp0 | awk '/inet/ { print $2 } ' | sed -e s/addr://`
Substitute for ppp0 the interface on which you receive your dynamic IP address. This script line gets your dynamic IP address for use in a masquerade script; you can then use the variable $dynip as in any other configuration. Each time you make a new connection you will need to extract the dynip value again and re-run the masquerade script.
Networking file formats, examples and considerations
Below are listed some more in depth information about the networking files.
• /etc/sysconfig/network
The /etc/inittab file contains the entry "si::sysinit:/etc/rc.d/rc.sysinit" which causes the system at startup to run the rc.sysinit script. The rc.sysinit file expects to find the file /etc/sysconfig/network if networking is to be enabled.
The network file looks like this:
NETWORKING=yes
FORWARD_IPV4=false
HOSTNAME=mymachine.mycompany.com
DOMAINNAME=mycompany.com
GATEWAY=192.168.1.1
GATEWAYDEV=eth0
Where GATEWAYDEV is the network interface card that is attached to the network the gateway machine is on. The GATEWAY is the actual IP address of the gateway machine.
• /etc/hosts - Defines local hosts.
127.0.0.1 localhost localhost.localdomain
192.168.1.100 mymachine.mycompany.com mymachine
• /etc/services - Internet network services list. It associates port numbers with names of services. The file contains three fields which are name, port/protocol, and aliases with an optional comment.
• /etc/protocols - Describes DARPA internet protocols available from the TCP/IP subsystem. Maps protocol ID numbers to protocol names. It includes protocol name, number, and aliases. The protocol file on my system:
# /etc/protocols:
# $Id: protocols,v 1.1 1995/02/24 01:09:41 imurdock Exp $
#
# Internet (IP) protocols
#
# from: @(#)protocols 5.1 (Berkeley) 4/17/89
#
# Updated for NetBSD based on RFC 1340, Assigned Numbers (July 1992).

ip 0 IP # internet protocol, pseudo protocol number
icmp 1 ICMP # internet control message protocol
igmp 2 IGMP # Internet Group Management
ggp 3 GGP # gateway-gateway protocol
ipencap 4 IP-ENCAP # IP encapsulated in IP (officially ``IP'')
st 5 ST # ST datagram mode
tcp 6 TCP # transmission control protocol
egp 8 EGP # exterior gateway protocol
pup 12 PUP # PARC universal packet protocol
udp 17 UDP # user datagram protocol
hmp 20 HMP # host monitoring protocol
xns-idp 22 XNS-IDP # Xerox NS IDP
rdp 27 RDP # "reliable datagram" protocol
iso-tp4 29 ISO-TP4 # ISO Transport Protocol class 4
xtp 36 XTP # Xpress Transfer Protocol
ddp 37 DDP # Datagram Delivery Protocol
idpr-cmtp 39 IDPR-CMTP # IDPR Control Message Transport
rspf 73 RSPF # Radio Shortest Path First.
vmtp 81 VMTP # Versatile Message Transport
ospf 89 OSPFIGP # Open Shortest Path First IGP
ipip 94 IPIP # Yet Another IP encapsulation
encap 98 ENCAP # Yet Another IP encapsulation
• /etc/named.conf - Used for domain name service to configure named. Other files used are dependent on this file. This file is explained further in the DNS section
• /etc/resolv.conf - Specifies the domain to be searched for host names to connect to, the nameserver address, and the search order for the nameservers.
domain mycompany.com
search mycompany.com mynet.net
nameserver 192.168.1.100
nameserver 192.168.199.1
nameserver 192.168.1.10
The third line specifies that DNS should be tried on my machine first then use the normal nameserver on the fifth line. The fourth line specifies that my machine is running nameservices on another network which is using interface 192.168.199.1. This assumes the nameserver is set up on my machine which is explained in another section.
• /etc/host.conf - Specifies the order nameservice looks to resolve names. An example file:
order hosts, bind
multi on
nospoof on
The order specifies that when resolving names, first look in the /etc/hosts file, then use BIND (DNS) to resolve the name. The line "multi on" specifies that all valid addresses for a host found in the hosts file should be returned. The line "nospoof on" makes the resolver check that the reverse lookup of a resolved address maps back to the same host name, and reject the answer if it does not.
The files in /etc/sysconfig/network-scripts control your network interfaces. The network interface file is described above in the section "Manual Configuration". If you want or need more in depth knowledge about how these files are used, you will need to read the document "How Linux Works CTDP Guide" or "The CTDP Linux Startup Manual". Otherwise you will need to analyze the system startup scripts which is no small task.
Older X windows configuration
In Xwindows a working configuration is set up as follows:
NAMES:
hostname: mymachine.mycompany.com
Domain: mycompany.com
Nameservers: 192.168.1.10
HOSTS:
IP - 192.168.1.100
Name - mymachine.mycompany.com
INTERFACES:
Interface - eth0
IP- 192.168.1.100
proto - none
atboot - yes
Netmask: 255.255.255.0
Network: 192.168.1.0
Broadcast: 192.168.1.255
ROUTING:
Default gateway: 192.168.1.1
Default gateway device: eth0
Interface - 192.168.1.100
Network Address - 192.168.1.0
Network gateway 192.168.1.1
Netmask - 255.255.255.0
Routing
Routing table information is used to route incoming and outgoing network datagrams to other machines. On most simple configurations there are three routes: one for sending packets to your own machine, one for sending packets to other machines on your network, and one for sending packets to machines outside your network through the gateway. Two programs (ifconfig and route) are used to configure these parameters. They are described in more detail in the routing section.
Linux Network Tools and Terms
Linux Networking Tools
arp Address resolution protocol Type "arp -a" to display entries in the arp cache.
ifconfig A command line tool used to configure a network interface. There is a man page available for this program.
ifdown Shuts down a network interface
ifup Starts a network interface such as eth0 or ppp0
ipchains A tool used to administer firewall rules.
netconf The Redhat GUI network configuration tool.
netconfig Another network configuration tool which is usually run when the system is installed. Netconf is better.
netstat Type "netstat -rn" to see the routing table. Type "netstat -in" to see the interface info.
nslookup Used to test DNS configuration by querying DNS servers.
ping A network tool used to send ICMP test packets to other hosts to determine if they can respond or are reachable.
ripquery A tool to query some routers for their routing table.
route Typing "route -n" will show the routing table
tcpdump A network sniffer tool used to dump headers of packets on a network interface.
traceroute Sends data to a remote host to a port that doesn't exist with a TTL field at 1,2,etc to get the intermediate hosts to send back their addresses reporting errors. The destination will report an unreachable port error sending its address.
Networking terms
• ARP - Address Resolution Protocol. Used to find the hardware (Ethernet) address belonging to an IP address on the local network; RARP does the reverse. Uses broadcast messages for resolution.
• BOOTP - A protocol used to allow client computers to get their IP address from a BOOTP server. DHCP supercedes, though does not replace this protocol.
• DHCP - Dynamic Host Configuration Protocol, allows clients to get their IP addresses from a DHCP server. This system "leases" IP addresses to clients for limited periods of time. If the client has not renewed its IP address within the lease time, the IP address is free for re-assignment.
• ICMP - Internet Control Message Protocol. Part of the IP layer. Communicates error messages and other messages that require attention.
• IGMP - Internet Group Management Protocol. Protocol used to manage multicasting through routers.
• IP - Three kinds of IP addresses are unicast, broadcast and multicast.
• MBONE - Used to refer to a network that supports multicasting.
• NIS - Network information service, is a name service created by Sun Microsystems.
• NFS - Network File System, allows two Unix style computers to mount and access part or all of a file system on a remote computer.
• OSPF - Open Shortest Path First dynamic routing protocol intended as a replacement for RIP.
• PPP - Point to point protocol is a serial protocol commonly used to connect using a modem to the internet
• RARP - Reverse ARP, used for clients to determine their IP addresses.
• RIP - Routing Information Protocol, used by almost all TCP/IP implementation to perform dynamic routing.
• RPC - Remote procedure call is a set of function calls used by a client program to call functions in a remote server program.
• SLIP - Serial line internet protocol
• SMTP - Simple mail transport protocol, commonly used as the mail message transport protocol.
• SNMP - Simple network management protocol.
• UDP - User Datagram Protocol, a transport layer protocol
• UUCP - Unix to Unix copy is a protocol that allows Unix computers to exchange files.
Linux Inetd Network services
Services typically provided using inetd include:
• auth or identd - This is a server that returns user information to a remote host that a user is requesting a service from. It can be run as a stand alone daemon from the startup scripts.
• bootpd - A server that allows remote clients to get their IP addresses from a bootp server using the bootp network protocol. This involves the server having a /etc/bootptab file containing hardware addresses and associated IP addresses for each computer to be serviced. It can be run as a stand alone daemon from the startup scripts.
• ftp - File Transfer Protocol. Allows users to transfer files between remote sites.
• tftp - Trivial File Transfer Protocol. A way for users to transfer files to/from remote machines without logging in. Normally this transfer is limited to specific areas and is normally used for transporting files to clients which are needed for remote booting.
• telnet - A protocol used to open user sessions from remote sites.
• exec - in.rexecd - Remote execution server allows remote users to execute commands on the system provided they have proper authorization.
• rlogin - An older method of opening remote sessions, being replaced by telnet and, for encrypted sessions, by ssh.
• rsh - Remote shell, Used to execute commands on a remote host.
• talk - A communication program that allows two users to talk by copying lines from one user's terminal to the other.
• finger - Allows users to get information about users currently logged in on the local system or remote systems.
• comsat - A server that notifies users when they have received mail. The biff program is used to turn comsat service on and off for each user.
• pop-2 - ipop2d - Supports POP2 remote mail access protocol.
• pop-3 -ipop3d - Supports POP3 remote mail access protocol.
• imap - imapd - Supports the IMAP4rev1 remote mail access protocol which is more powerful than POP3. See RFC 2060.
• uucp - uucico - The daemon that processes Unix to Unix copy (UUCP) file transfer requests that were queued by uucp or uux.
• netstat - Displays network connections, routing tables, and other networking information about a system. This works on the local system and over a network.
• swat - A Samba web administration tool allowing the administrator to configure the /etc/smb.conf file using a web browser.
These services can be controlled (added/removed) by adding or deleting (commenting out) lines in the file "/etc/inetd.conf". If you make a change to this file, you will want to make the inetd daemon reload it with the command:
killall -HUP inetd
Although you can use inetd to run services such as Samba and BOOTP normally, I recommend using the startup script files which can be configured using the program "linuxconf" and selecting "Control service activity". If these services are used often, you will want to run them direct through the startup scripts. To conserve system resources, you may want to use inetd to control these services if they won't be used very often, but you can't run them using the start up scripts and using inetd at the same time.
The inetd configuration file
The file /etc/inetd.conf is used to configure these networking services. Its format is:
service socket type protocol flags user server path server arguments
It is explained in more detail in the "How Linux Works" document.
Limiting services to your machine to specific addresses
1. If your services are not already run through the tcpd wrapper daemon, make them use tcpd instead of calling the daemon directly by substituting the following in the "/etc/inetd.conf" file. Change lines like this:
finger stream tcp nowait nobody /usr/etc/in.fingerd in.fingerd
to this:
finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd
2. Change the /etc/hosts.deny file so the following lines are included (refuse everything not explicitly allowed, and refuse any host whose name does not match its address):
ALL: ALL
ALL: PARANOID
3. Change the /etc/hosts.allow file to allow services from the desired TCP/IP addresses. The daemon name on the left is the server's process name as given at the end of its inetd.conf line. Ex:
ALL: 10.1.0.153, 10.1.2.252
in.fingerd: 10.1.1.3
Note: To see the address of your Windows box, select Run and run winipcfg. Note also that hosts.allow is consulted first, then hosts.deny, and a client matching neither file is allowed; without the "ALL: ALL" line in hosts.deny, the hosts.allow entries restrict nothing.
4. Make the inetd daemon reload its configuration by issuing the command "killall -HUP inetd".
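To see how tcpd combines the two files, here is an added example (not from the original page, and not the tcp_wrappers code itself) in POSIX sh that models tcpd's decision order: a matching line in hosts.allow grants access, otherwise a matching line in hosts.deny refuses it, otherwise access is granted. It understands only the pattern forms used above plus an address prefix ending in a dot; PARANOID needs a DNS lookup, so this offline model treats it as never matching (a simplification, not tcpd's behaviour). The rules are passed in as strings so the example runs without touching /etc.

```shell
#!/bin/sh
# Added example, not from the original page: a model of tcpd's access
# decision over hosts.allow / hosts.deny style rules. Rules are passed as
# strings so it runs offline; on a real system tcpd reads the two files.

# Constructed sample rules, following the hosts.deny / hosts.allow steps above.
SAMPLE_DENY='ALL: ALL
ALL: PARANOID'
SAMPLE_ALLOW='ALL: 10.1.0.153, 10.1.2.252
in.fingerd: 10.1.1.3'

# pattern_match ITEM PATTERN: does one daemon or client pattern match ITEM?
pattern_match() {
    case $2 in
        ALL)      return 0 ;;
        PARANOID) return 1 ;;                               # simplification: needs DNS, never matches here
        *.)       case $1 in "$2"*) return 0 ;; esac ;;     # "10.1." matches 10.1.x.y
        *)        [ "$1" = "$2" ] && return 0 ;;
    esac
    return 1
}

# list_match ITEM LIST: LIST holds comma and/or blank separated patterns.
list_match() {
    for pat in $(printf '%s' "$2" | tr ',' ' '); do
        pattern_match "$1" "$pat" && return 0
    done
    return 1
}

# rules_match DAEMON CLIENT RULES: 0 if any "daemon_list : client_list" line matches.
rules_match() {
    printf '%s\n' "$3" | {
        while IFS= read -r line; do
            case $line in ''|\#*) continue ;; esac
            dlist=${line%%:*}
            clist=${line#*:}
            if list_match "$1" "$dlist" && list_match "$2" "$clist"; then
                exit 0                     # exits only this subshell
            fi
        done
        exit 1
    }
}

# hosts_access DAEMON CLIENT ALLOW_RULES DENY_RULES: 0 = grant, 1 = refuse.
# Order matters: allow first, then deny, then grant by default. With an
# empty hosts.deny every unlisted client gets in, which is why the steps
# above put "ALL: ALL" in hosts.deny before editing hosts.allow.
hosts_access() {
    if rules_match "$1" "$2" "$3"; then return 0; fi
    if rules_match "$1" "$2" "$4"; then return 1; fi
    return 0
}

# describe DAEMON CLIENT: human readable result using the sample rules
describe() {
    if hosts_access "$1" "$2" "$SAMPLE_ALLOW" "$SAMPLE_DENY"; then
        echo "$1 from $2: granted"
    else
        echo "$1 from $2: refused"
    fi
}

describe in.telnetd 10.1.0.153      # granted (listed under ALL in hosts.allow)
describe in.fingerd 10.1.1.3        # granted (daemon specific allow line)
describe in.telnetd 10.1.1.3        # refused (only finger is allowed from there)
describe in.ftpd    192.168.1.5     # refused (hosts.deny ALL: ALL)
```

On a real system use "tcpdmatch in.fingerd 10.1.1.3" from the tcp_wrappers package instead; it evaluates the installed files with the complete pattern syntax.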
To disable a network service completely
To disable remote information services such as finger, modify your /etc/inetd.conf file. To disable the finger service, for example, change the /etc/inetd.conf file so the line that says "in.fingerd" at the end is commented out. Do the same for any other services you do not want to run. Then make the inetd daemon reload its configuration file with the command "killall -HUP inetd".
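Because inetd.conf is the one place where these services are switched on, it is worth being able to audit it mechanically. The following is an added example (not from the original page) in POSIX sh using awk: it lists every active service with the user it runs as and whether it goes through tcpd, rewrites an unwrapped entry to use tcpd as in the finger example above, and comments a service out as just described. The sample configuration is constructed for the example and the wrapper path /usr/sbin/tcpd is an assumption.

```shell
#!/bin/sh
# Added example, not from the original page: audit and edit inetd.conf
# entries. Each function reads an inetd.conf on stdin and writes to stdout,
# so it can be tried on a copy before touching /etc/inetd.conf.
# Field layout: service socket_type protocol flags user server_path server_args

# Constructed sample file for the example (not a real system's inetd.conf).
SAMPLE_INETD='# constructed sample /etc/inetd.conf
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd        in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd        in.telnetd
finger  stream  tcp  nowait  nobody  /usr/etc/in.fingerd   in.fingerd
#shell  stream  tcp  nowait  root    /usr/sbin/tcpd        in.rshd'

TCPD=/usr/sbin/tcpd   # assumed location of the tcp wrapper

# inetd_audit: one line per active service: name protocol user wrapped|UNWRAPPED
inetd_audit() {
    awk '
        /^[ \t]*(#|$)/ { next }                    # skip comments and blank lines
        {
            w = ($6 ~ /\/tcpd$/) ? "wrapped" : "UNWRAPPED"
            print $1, $3, $5, w
        }'
}

# inetd_unwrapped: names of active services that bypass tcpd
inetd_unwrapped() {
    inetd_audit | awk '$4 == "UNWRAPPED" { print $1 }'
}

# inetd_wrap SERVICE: route SERVICE through tcpd. The old server path becomes
# the first server argument if there were none, since tcpd finds the real
# daemon from that argument (as in the finger example above).
inetd_wrap() {
    awk -v svc="$1" -v tcpd="$TCPD" '
        !/^[ \t]*#/ && $1 == svc && $6 !~ /\/tcpd$/ {
            n = split($6, p, "/")
            if (NF < 7) $7 = p[n]
            $6 = tcpd
        }
        { print }'
}

# inetd_disable SERVICE: comment out every active line for SERVICE
inetd_disable() {
    awk -v svc="$1" '!/^[ \t]*#/ && $1 == svc { print "#" $0; next } { print }'
}

# Walk through the sample: audit, then wrap finger, then disable it.
printf '%s\n' "$SAMPLE_INETD" | inetd_audit
echo "unwrapped: $(printf '%s\n' "$SAMPLE_INETD" | inetd_unwrapped)"
printf '%s\n' "$SAMPLE_INETD" | inetd_wrap finger | grep '^finger'
printf '%s\n' "$SAMPLE_INETD" | inetd_disable finger | grep '^#finger'
# After editing the real file, reload it with: killall -HUP inetd
```

To apply it to a live file, write the result to a temporary file, inspect it, then copy it over /etc/inetd.conf and send inetd the HUP signal; never redirect a function's output straight onto the file it is reading.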
Linux Xinetd Network services
The service xinetd is designed to provide the same functionality as inetd, but with better configuration options and better security. It provides the same services as inetd, so you will not need to keep running inetd and can substitute xinetd for it. It is easy to install and run. It is meant as a replacement for inetd, but can be run at the same time as inetd; if you do run both, you should not run the same service, such as telnet or ftp, on both at the same time. Xinetd supports the hosts.allow and hosts.deny features through the tcp wrapper library, the same as inetd does.
Obtaining xinetd
It is very easy to obtain, compile, and install xinetd. You may obtain FAQ information from http://synack.net/xinetd/faq.html, and complete documentation with source and binaries may be obtained from http://www.synack.net/xinetd/. There is also a very good xinetd tutorial which describes installation and configuration (yes, better than this documentation) at http://www.macsecurity.org/resources/xinetd/tutorial.shtml. It is written for users running Linux on a Macintosh, but it applies very well to xinetd and Linux in general.
Compilation and installation
Download the code to a location like "/usr/local/xinetd" then enter the directory you downloaded xinetd to. Follow the following procedure to unpack a source tar file, compile, and install the package:
1. Type "tar xvzf xinetd-2_1_8_9p3_tar.gz" to unpack the file.
2. Type "cd xinetd-2.1.8.8.p3" to enter the directory the files were unpacked to.
3. Read the README and INSTALL files with the commands "less README" and "less "INSTALL".
4. Type "./configure --with-libwrap --with-loadavg". Some documentation recommends not using the --with-libwrap option since xinetd supports its own method of providing the same capabilities as hosts.allow and hosts.deny (the only_from and no_access attributes in xinetd.conf).
5. Type "make".
6. Type "make install". This will install the man pages for xinetd.conf, xinetd.log, xinetd, and itox, which can be read by typing "man" followed by the name, such as "man xinetd". It will also install the binary programs xinetd and itox and the script xconv.pl.
1. At this point, you may not have ready access to these programs unless the directory /usr/local/sbin is in your system path. You can find out by issuing the command "env" and looking at the value of your PATH variable. If the directory is named in the PATH variable, you are set. If not, you will need to add it to your system path.
2. If you are only going to require these commands while logged in as root (which is likely), you can edit root's .bash_profile file (/root/.bash_profile). This assumes you are using the bash shell; otherwise edit the appropriate file for the shell you are running. Add ":/usr/local/sbin" to the statement that begins with "PATH". If no statement starting with "PATH" exists, add the statement "PATH=$PATH:/usr/local/sbin".
3. If you want this path added for all users, you may add the statements described above to the /etc/profile file.
7. The xinetd documentation says to issue the command:
xconv.pl < /etc/inetd.conf > /tmp/xinetd.conf
But I recommend using the command:
xconv.pl < /etc/inetd.conf > /etc/xinetd.conf
This will create a configuration file for xinetd from your original inetd.conf file.
8. You now need to start the service. The easy way to do this is to modify the /etc/rc.d/init.d/inet file and replace all occurrences of inetd by xinetd. Since xinetd is installed to /usr/local/sbin rather than /usr/sbin, you will need to account for this in your file modifications or copy xinetd to /usr/sbin.
9. If you have a problem getting the service to run right consider the following pitfalls:
o If you converted your inetd.conf file to xinetd.conf, were running with tcp wrappers in inetd, and did not compile tcp wrapper support into xinetd with the option --with-libwrap, you will need to either compile the option in or modify your configuration file so tcp wrappers are no longer used. This can generally be done by moving the daemon named in the server arguments to the server value; the server arguments then become what would have been on the server command line, or the value -1 if there were none. For instance the entry:
server = /usr/sbin/tcpd
server_args = in.ftpd -l -a
becomes:
server = /usr/sbin/in.ftpd
server_args = -l -a
The entry:
server = /usr/sbin/tcpd
server_args = in.telnetd
becomes:
server = /usr/sbin/in.telnetd
server_args = -1
o You may need to add the line "groups = yes" to each service. See the xinetd.conf man page.
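The tcpd-to-direct-server rewrite just described can be done mechanically. The script below is an added example constructed for this page; it is not part of xinetd or its documentation. It assumes the daemons live in /usr/sbin (a tcpd entry names only the daemon, so the directory has to be supplied) and follows this page's convention of writing -1 when no arguments remain:

```sh
#!/bin/sh
# Added example for this page: rewrite xinetd service entries that still go
# through tcpd so that the daemon is called directly, e.g.
#   server = /usr/sbin/tcpd            ->  server = /usr/sbin/in.ftpd
#   server_args = in.ftpd -l -a        ->  server_args = -l -a
# Assumption: the daemons are in the directory given as $1 (/usr/sbin by default).

strip_tcpd() {
    # usage: strip_tcpd [daemon_dir] < xinetd.conf > new.conf
    awk -v dir="${1:-/usr/sbin}" '
        # A server line that points at tcpd: hold it until server_args is seen.
        /^[ \t]*server[ \t]*=[ \t]*([^ \t]*\/)?tcpd[ \t]*$/ {
            saved = $0; pending = 1; next
        }
        # The server_args line that follows names the real daemon first.
        pending && /^[ \t]*server_args[ \t]*=/ {
            indent = saved; sub(/[^ \t].*$/, "", indent)
            rest = $0; sub(/^[ \t]*server_args[ \t]*=[ \t]*/, "", rest)
            n = split(rest, part, /[ \t]+/)
            args = ""
            for (i = 2; i <= n; i++) args = args (i > 2 ? " " : "") part[i]
            if (args == "") args = "-1"   # this page writes -1 for "no arguments"
            print indent "server = " dir "/" part[1]
            print indent "server_args = " args
            pending = 0; next
        }
        # A tcpd line not followed by server_args is emitted unchanged.
        pending { print saved; pending = 0 }
        { print }
        END { if (pending) print saved }
    '
}

# Constructed sample input in the form shown above.
SAMPLE_CONF='service ftp
{
    socket_type = stream
    server = /usr/sbin/tcpd
    server_args = in.ftpd -l -a
}
service telnet
{
    server = /usr/sbin/tcpd
    server_args = in.telnetd
}'

convert_sample() { printf '%s\n' "$SAMPLE_CONF" | strip_tcpd; }

convert_sample
```

Run it over a copy of the converted file and diff the result against the original before installing it; entries that never used tcpd pass through untouched.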
Other Linux Network Services
Network services not normally controlled using the inetd daemon include but are not limited to:
• arpwatch - Keeps track of ethernet IP addresses that are resolved using the ARP protocol. This allows system administrators to note new IP addresses being used. It maintains a database in /var/arpwatch/arp.dat
• bootparamd - Allows remote computers to boot from a Linux box using the BOOTP network protocol. This allows the remote computer to get its IP address if the server knows the hardware address of the remote machine. The DHCP protocol is an upgrade to this protocol since it is more automated.
• dhcpd - Provides DHCP services to "lease" out IP addresses to remote machines.
• gated - Provides routing services for BGP and other protocols. Alternative to routed. Supports IGP (Interior gateway protocol) and EGP (Exterior Gateway Protocol).
• httpd - The Apache hypertext transfer protocol Web server.
• identd (auth) - Server implementing the TCP/IP proposed standard IDENT user identification protocol in RFC 1413. It returns user information to a remote host that a user is requesting a service from. Also called auth.
• innd - The Usenet news server
• ldap - Lightweight directory access protocol package which provides client/server based directory database services which runs on UNIX platforms over TCP/IP. RFC is 1777.
• mars-nwe - Loads the MARS NetWare-compatible file and print server daemon called nwserv. Allows a Linux machine to be used as a file and print server for NetWare-based clients using IPX/SPX.
• mcserv - Allows users on remote machines to use the Midnight Commander file manager to work with files. It uses the PAM library for authentication.
• named - Provides DNS services. It is a name server used to translate local IP addresses to names and vice-versa.
• nfs - Provides Network File System server services
• nfslock - NFS file locking service. Starts the daemons rpc.lockd and rpc.statd. The rpc.statd daemon implements the Network Status Monitor (NSM) RPC protocol, a reboot notification service used to implement file lock recovery when an NFS server crashes and reboots.
• portmap - Provides Remote Procedure Call (RPC) support for other protocols like NFS.
• postgresql - Runs the postgres database and provides SQL services. It runs the daemon postmaster.
• pulse - Heartbeat daemon for monitoring the health of lvs (Redhat clustering services) cluster nodes. This tool is used for clustering machines.
• pxe - A preboot execution environment (PXE) server. Allows network boot of other PXE machines. PXE is a standard developed by Intel for a means of booting various operating systems on remote machines.
• routed - Provides for automatic router table updates using the RIP dynamic routing information protocol.
• rstatd - The rstat protocol allows users on a network to get performance information for any machine on the network. Runs the rpc.rstatd daemon which provides performance statistics retrieved from the kernel usually by using the "rup" command.
• rusersd - Provides services that allow users to find one another over the network.
• rwalld - Provides users with an ability to use the rwall command to write messages on remote terminals.
• rwhod - The rwho protocol lets remote users get a list of all users logged onto a machine by running the rwho daemon.
• sendmail - The sendmail mail transport agent daemon used to move e-mail from one machine to another.
• smb - Provides SMB (Samba) client/server services which include file and print services. It allows Linux computers to exchange file and printer services with Microsoft Windows based systems.
• snmpd - Provides Simple Network Management Protocol support to Linux.
• squid - Runs the squid proxy web server
• xfs - X font file server
• xntpd - Starts the Network Time Protocol NTPv3 daemon. NTP provides a means to synchronize time and coordinate time distribution in a large, diverse internet operating at all speeds. RFC 1305 describes this protocol.
• ypbind - Binds YP/NIS clients to a yellow pages server. NIS is a name service created by Sun.
• yppasswdd - Allows users to change their passwords on systems running YP/NIS
• ypserv - This daemon provides the YP/NIS (Network Information System) server functions.
Linux Process Control
Tools for working with processes
• accton - Turns process accounting on and off. Uses the file /var/log/pacct. To turn it on type "accton /var/log/pacct". Use the command with no arguments to turn it off.
• kill - Kill a process by number
• killall - Send a signal to a process by name
• lastcomm (1) - Display information about previous commands in reverse order. Works only if process accounting is on.
• nice - Set process priority of new processes.
• ps(1) - Used to report the status of one or more processes.
• pstree(1) - Display the tree of running processes.
• renice(8) - Can be used to change the process priority of a currently running process.
• sa(8) - Generates a summary of information about users' processes that are stored in the /var/log/pacct file.
• skill - Report process status.
• snice - Report process status.
• top - Displays the processes that are using the most CPU resources.
Checking running processes
While logged in as root, type "ps -ax |more" or "ps -aux |more". You will get a list of all processes running on your computer. You will see the process id (PID), process status (STAT), various statistics, and the command name. You can kill a process by typing "kill" followed by the PID number, similar to the line below.
kill 1721
You can also stop and restart processes by sending them various signals as in the below examples:
kill -STOP 1721 Stops (suspends) process 1721 by sending the STOP signal to the process. This process will still be on the task list. The process can't catch or ignore the STOP signal.
kill -CONT 1721 Continue process 1721 causing it to resume. The CONT signal is sent to the process.
kill -TERM 1721 Terminates process 1721 by sending the TERM signal to the process. This process will no longer show up on the task list if it is actually terminated. A terminated process cannot be continued. The TERM signal can be caught, so TERM is not guaranteed to kill the process.
kill -HUP 1721 Stops, then restarts process 1721. This is usually done when a process is not working properly or the configuration files for that process have been changed. This command sends the HUP signal to the process which means hangup. This signal can be caught by the process.
killall -HUP myprint Restarts any process with the name "myprint".
killall -TERM myprint Terminates any process with the name "myprint".
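The STOP, CONT and TERM transitions from the table above, driven from a script rather than by hand, as an added example constructed for this page (it is not from the original text). It uses a background "sleep" in place of "yes > /dev/null" and reads the process state from /proc, so it is Linux-specific; the second function shows the caveat that TERM can be ignored by the target while KILL cannot:

```sh
#!/bin/sh
# Added example for this page: walk a background process through the
# signals discussed above and read its state from /proc/PID/stat.
# Linux only. State letters: R running, S sleeping, T stopped, Z zombie.

proc_state() {
    # usage: proc_state PID -> state letter, or "gone" once the process is reaped
    if [ -r "/proc/$1/stat" ]; then
        awk '{print $3}' "/proc/$1/stat"
    else
        echo gone
    fi
}

signal_walk() {
    # usage: signal_walk -> prints "T S gone"
    sleep 30 >/dev/null 2>&1 &          # stand-in for: yes > /dev/null &
    pid=$!
    kill -STOP "$pid"; sleep 1          # suspend; STOP cannot be caught or ignored
    s1=$(proc_state "$pid")             # T
    kill -CONT "$pid"; sleep 1          # resume
    s2=$(proc_state "$pid")             # S
    kill -TERM "$pid"                   # polite termination request
    wait "$pid" 2>/dev/null || true     # reap it (exit status 128+15 = 143)
    s3=$(proc_state "$pid")             # gone
    echo "$s1 $s2 $s3"
}

term_vs_kill() {
    # usage: term_vs_kill -> prints "S gone"
    # A process that ignores TERM (as a misbehaving daemon might) survives
    # kill -TERM; KILL is never delivered to a handler, so it always works.
    sh -c 'trap "" TERM; exec sleep 30' >/dev/null 2>&1 &
    pid=$!
    sleep 1                             # let the trap be installed before signalling
    kill -TERM "$pid"; sleep 1
    a=$(proc_state "$pid")              # still S: TERM was ignored
    kill -KILL "$pid"
    wait "$pid" 2>/dev/null || true
    b=$(proc_state "$pid")              # gone
    echo "$a $b"
}

signal_walk
term_vs_kill
```

When a daemon does not go away after TERM, check its state with "ps" (or /proc as above) before escalating to KILL, since KILL gives the process no chance to flush data or remove lock files.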
Setting up and doing process control
The examples in this section use the "yes" command as an easy example of a program that runs continually. The "yes" command outputs the string "y" until it is killed or stopped. When the output is redirected to /dev/null (the null device or bit bucket), the output is simply discarded. Therefore this command is harmless, but is a good demonstration. To put the process in the background, append an "&" character to the end of the command as shown below.
yes > /dev/null &
The system will respond with a job number and process ID or PID similar to:
[1] 10419
Either number can be used to refer to the job. The "jobs" command can be used to check the job. When the command is entered the system will respond with a list of running jobs similar to the following:
[1]+ Running yes >/dev/null &
The job can be killed using the process ID or the job number. Either
kill %1
or:
kill 10419
Stopping and restarting jobs
Another way to put a job into the background is to
1. Start the job normally like:
yes > /dev/null
The prompt does not come back.
2. Use the <Ctrl-Z> key to stop the job.
3. Use the command "bg" or "bg %1", where 1 is the job number, to put the process in the background. The system reports the job number when you stop the job.
Before the last step, the job was suspended. The "fg" command could have been used to bring the job into the foreground rather than using the "bg" command to put it in the background. If the job is running in the foreground, you can type <Ctrl-C> to terminate the process.
Killing or Reconfiguring a Daemon without Restarting
killall -1 inetd Restarts inetd by sending signal number 1 which is the hangup signal.
killall -HUP inetd Causes the daemon to reload its config file by sending the hangup signal. The difference between this example and the previous one is the signal is called by name here rather than number.
To make changes to inetd:
1. Reconfigure /etc/inetd.conf
2. Restart inetd by sending it the hangup signal
The easy way to reset a service that was started via the rc script files during system startup:
1. Find the file for the service you want to start. For example, find the file for the print daemon "lpd". These files should typically be in the directory "/etc/rc.d/init.d". The file name in this case is "lpd". (Note this is a script file that starts the daemon, not the actual binary daemon file.)
2. Go to that subdirectory "cd /etc/rc.d/init.d" and type "./lpd restart".
3. You should get output to the screen that indicates this service has been shut down and then started.
Setting process priority
In Linux, processes have a priority number between -20 and 19. The value of -20 is the highest, and 19 is the lowest priority. Process priority can be set with the nice(1) command and changed using the renice(8) command. To set a process to have the highest priority find the process ID number using the ps command. If your process name is "myprog" type:
ps -ax |grep myprog
You should get something like:
756 tty1 S 0:00 myprog
The first number on the line is your process ID. Enter the command:
renice -20 756
This will set your process (PID=756) to priority of -20. Modify the process ID number for that of your program running on your system. You can use the nice command to determine the default priority of new processes by typing "nice" on the command line. If you want to start a process with a specific priority, use the nice(1) command when you invoke the process.
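Starting a process at a chosen priority and changing it afterwards, as an added example constructed for this page (not from the original text). It reads the nice value back from field 19 of /proc/PID/stat, so it is Linux-specific, and it stays in the positive range because only root (CAP_SYS_NICE) may lower a nice value toward -20:

```sh
#!/bin/sh
# Added example for this page: set a process's nice value with nice(1),
# change it with renice(8), and confirm each step from /proc (Linux only).
# Non-root users may only raise the nice value (make the process "nicer");
# lowering it toward -20 needs root.

nice_of() {
    # usage: nice_of PID -> nice value from /proc/PID/stat (field 19), or "gone"
    if [ -r "/proc/$1/stat" ]; then
        awk '{print $19}' "/proc/$1/stat"
    else
        echo gone
    fi
}

nice_walk() {
    # usage: nice_walk -> prints "10 15 gone" (values relative to this shell's niceness)
    base=$(nice)                              # niceness of the current shell, normally 0
    nice -n 10 sleep 30 >/dev/null 2>&1 &     # start 10 steps nicer than the default
    pid=$!
    sleep 1
    a=$(( $(nice_of "$pid") - base ))         # 10
    renice -n $((base + 15)) -p "$pid" >/dev/null   # raise further; allowed without root
    b=$(( $(nice_of "$pid") - base ))         # 15
    kill -TERM "$pid"
    wait "$pid" 2>/dev/null || true
    c=$(nice_of "$pid")                       # gone
    echo "$a $b $c"
}

nice_walk
```

The same renice call with a lower number than the current value fails with "Permission denied" for an unprivileged user, which is the check to expect when a script is meant to run without root.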
Setting limits on the number of processes that can run
The command "ulimit" is used to limit the number of processes users can run, along with other available system resources. All processes started from the shell (bash in many cases) will have the same resource limits. See the bash manual page for more information. To set the limits for daemons which are running at boot time, add the ulimit command to the boot scripts.
The command "ulimit -a" reports the current limits.
Using Linux PAM
PAM stands for Pluggable Authentication Modules. PAM is a library, used to control the function of various applications that have the capability to use the PAM libraries. PAM is based on a series of library modules, some of which depend on configuration files. Locations of PAM configuration files and library modules are:
• All PAM applications are configured in the directory "/etc/pam.d" or in a file "/etc/pam.conf".
• The library modules are normally stored in the directory "/lib/security".
• The configuration files are located in the directory "/etc/security".
To configure PAM, on systems already set up for it, you would need to edit the files for the service you want to modify in the "/etc/pam.d" directory, and modify the appropriate configuration file in the directory "/etc/security". This page will explain how to set up the configuration files and how to configure the modules so applications can use them.
The PAM configuration files
PAM is controlled by a main configuration file (/etc/pam.conf) or a control directory (/etc/pam.d). Some PAM modules' behavior is controlled with configuration files (in /etc/security) as listed below:
• access.conf - Login access control. Used for the pam_access.so library.
• group.conf - Group membership control. Used for the pam_group.so library.
• limits.conf - Set system resource limits. Used for the pam_limits.so library.
• pam_env - Control ability to change environment variables. Used for the pam_env.so library.
• time - Allows time restrictions to be applied to services and user privileges. Used for the pam_time.so library.
The main pam.conf file or the /etc/pam.d files
The configuration for PAM is normally in the /etc/pam.d directory which has a file for each PAM controlled application. This file or directory is used to control the behavior of applications that use the PAM modules. Some examples of PAM controlled applications are login, samba, and shutdown. PAM is controlled using the configuration file /etc/pam.conf or the configuration directory, but not both. The directory structure control has precedence. A general configuration line in one of the PAM application configuration file has the following form:
module-type control-flag module-path arguments
If the /etc/pam.conf file is used to control PAM rather than the /etc/pam.d directory structure, the pam.conf lines are the same except they have an additional parameter at the start which is "service-name". The various parameters on each line are:
1. service-name(not in directory files) - The type of service such as rlogin or ftp.
2. module-type - The type name of the PAM module used which are
1. auth - Authenticates the user to be sure they are who they claim to be, usually asking for a password and then checking it, and setting credentials such as group memberships or Kerberos tickets.
2. account - Check to see if the authentication is allowed based on available system resources such as the maximum number of users or the location of the user. Access could be denied if the account has expired or the user is not allowed to log in at this time of day.
3. password - Used to set passwords. Typically, there is one module for each auth module-type.
4. session - Used to make it possible for a user to use their account once they have been authenticated. This module does things that need to be done for the user before or after they can be given service such as logging of information concerning the opening or closing of some data exchange with a user, or mounting directories. This module may make the user's mailbox available.
3. control-flag
1. required - The success of the module is required for the module-type facility to succeed. Failure of this module will not be apparent to the user until all of the remaining modules (of the same module-type) have been executed.
2. requisite - If the module returns a failure, control is directly returned to the application. The return value is that associated with the first required or requisite module to fail. This flag can be used to protect against the possibility of a user getting the opportunity to enter a password over an unsafe medium.
3. sufficient - If this module succeeds and no previous required module has failed, no more `stacked' modules of this type are invoked. This means subsequent required modules are not invoked. A failure of this module is not deemed as fatal to satisfying the application that this module-type has succeeded.
4. optional - This module is not critical to the success or failure of the user's application for service. In the absence of any definite successes or failures of previous or subsequent stacked modules this module will determine the nature of the response to the application.
4. module-path - The path and filename of the PAM library used to control the function.
5. arguments - Arguments are optional and vary from module to module.
My "/etc/pam.d/rlogin" file looks like this:
#%PAM-1.0
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_pwdb.so shadow nullok
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_pwdb.so
password required /lib/security/pam_cracklib.so
password required /lib/security/pam_pwdb.so nullok use_authtok md5 shadow
session required /lib/security/pam_pwdb.so
session optional /lib/security/pam_console.so
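A small checker for files of the form just described, as an added example constructed for this page (it is not part of Linux-PAM). It reads the rlogin file above as a constructed sample, verifies that each line has a known module-type and control-flag, and flags the ordering problem the "sufficient" description warns about: a securetty or nologin check placed after a sufficient auth module is skipped whenever that module succeeds.

```sh
#!/bin/sh
# Added example for this page (not Linux-PAM code): lint a /etc/pam.d style
# file. Each non-comment line must read
#     module-type control-flag module-path [arguments]
# with a known type and flag. It also reports pam_securetty.so or
# pam_nologin.so placed after an "auth sufficient" line, since a success
# there ends the auth stack and those checks would never run.

pam_lint() {
    # usage: pam_lint < file -> one finding per line; no output when clean
    awk '
        BEGIN {
            n = split("auth account password session", t)
            for (i = 1; i <= n; i++) type[t[i]] = 1
            n = split("required requisite sufficient optional", f)
            for (i = 1; i <= n; i++) flag[f[i]] = 1
        }
        /^[ \t]*(#|$)/ { next }                       # comments and blank lines
        NF < 3 { print NR ": expected module-type control-flag module-path: " $0; next }
        !($1 in type) { print NR ": unknown module-type \"" $1 "\"" }
        !($2 in flag) { print NR ": unknown control-flag \"" $2 "\"" }
        $1 == "auth" && $2 == "sufficient" { suff = NR }
        $1 == "auth" && suff && $3 ~ /pam_(securetty|nologin)\.so$/ {
            print NR ": " $3 " comes after auth sufficient (line " suff ") and is skipped when that module succeeds"
        }
    '
}

# Constructed sample: the rlogin file shown above. It should lint clean.
RLOGIN_PAM='#%PAM-1.0
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_pwdb.so shadow nullok
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_pwdb.so
password required /lib/security/pam_cracklib.so
password required /lib/security/pam_pwdb.so nullok use_authtok md5 shadow
session required /lib/security/pam_pwdb.so
session optional /lib/security/pam_console.so'

# Constructed sample with three defects: securetty after a sufficient auth
# module, a misspelled control-flag, and a line missing its control-flag.
BROKEN_PAM='#%PAM-1.0
auth sufficient /lib/security/pam_pwdb.so shadow nullok
auth required /lib/security/pam_securetty.so
account requird /lib/security/pam_pwdb.so
session /lib/security/pam_pwdb.so'

lint_rlogin() { printf '%s\n' "$RLOGIN_PAM" | pam_lint; }
lint_broken() { printf '%s\n' "$BROKEN_PAM" | pam_lint; }
finding_count() { awk 'END { print NR }'; }   # usage: lint_broken | finding_count

echo "rlogin: $(lint_rlogin | finding_count) finding(s)"
lint_broken
```

Running "pam_lint < /etc/pam.d/login" after editing a service file catches the two mistakes that are easiest to make by hand: a misspelled flag, which PAM treats as an error for that line, and a check that quietly stops running because an earlier module became sufficient.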
Command Example Description
ln Creates a symbolic link to a file.
ln -s test symlink Creates a symbolic link named symlink that points to the file test. Typing "ls -i test symlink" will show the two files are different with different inodes. Typing "ls -l test symlink" will show that symlink points to the file test.
locate A fast database driven file locator.
slocate -u This command builds the slocate database. It will take several minutes to complete this command. This command must be used before searching for files, however cron runs this command periodically on most systems.
locate whereis Lists all files whose names contain the string "whereis".
logout Logs the current user off the system.
ls List files
ls List files in the current working directory except those starting with . and only show the file name.
ls -al List all files in the current working directory in long listing format showing permissions, ownership, size, and time and date stamp
more Allows file contents or piped output to be sent to the screen one page at a time.
more /etc/profile Lists the contents of the "/etc/profile" file to the screen one page at a time.
ls -al |more Performs a directory listing of all files and pipes the output of the listing through more. If the directory listing is longer than a page, it will be listed one page at a time.
mv Move or rename files
mv -i myfile yourfile Move the file from "myfile" to "yourfile". This effectively changes the name of "myfile" to "yourfile".
mv -i /data/myfile . Move the file "myfile" from the directory "/data" to the current working directory.
pwd Show the name of the current working directory
shutdown Shuts the system down.
shutdown -h now Shuts the system down to halt immediately.
shutdown -r now Shuts the system down immediately and the system reboots.
whereis Show where the binary, source and manual page files are for a command
whereis ls Locates binaries and manual pages for the ls command.
Editors: emacs, vi, pico, jed, vim
mkdir - make directories
Usage
mkdir [OPTION] DIRECTORY
Options
Create the DIRECTORY(ies), if they do not already exist.
Mandatory arguments to long options are mandatory for short options too.
-m, --mode=MODE set permission mode (as in chmod), not rwxrwxrwx - umask
-p, --parents no error if existing, make parent directories as needed
-v, --verbose print a message for each created directory
--help display this help and exit
--version output version information and exit
cd - change directories
Use cd to change directories. Type cd followed by the name of a directory to access that directory. Keep in mind that you are always in a directory and can navigate to directories hierarchically above or below.
mv - change the name of a directory
Type mv followed by the current name of a directory and the new name of the directory.
Ex: mv testdir newnamedir
pwd - print working directory
pwd will show you the full path to the directory you are currently in. This is very handy to use, especially when performing some of the other commands on this page.
rmdir - Remove an existing directory
rm -r - Removes directories and files within the directories recursively.
chown - change file owner and group
Usage
chown [OPTION] OWNER[:[GROUP]] FILE
chown [OPTION] :GROUP FILE
chown [OPTION] --reference=RFILE FILE
Options
Change the owner and/or group of each FILE to OWNER and/or GROUP. With --reference, change the owner and group of each FILE to those of RFILE.
-c, --changes like verbose but report only when a change is made
--dereference affect the referent of each symbolic link, rather than the symbolic link itself
-h, --no-dereference affect each symbolic link instead of any referenced file (useful only on systems that can change the ownership of a symlink)
--from=CURRENT_OWNER:CURRENT_GROUP
change the owner and/or group of each file only if its current owner and/or group match those specified here. Either may be omitted, in which case a match is not required for the omitted attribute.
--no-preserve-root do not treat `/' specially (the default)
--preserve-root fail to operate recursively on `/'
-f, --silent, --quiet suppress most error messages
--reference=RFILE use RFILE's owner and group rather than specifying OWNER:GROUP values
-R, --recursive operate on files and directories recursively
-v, --verbose output a diagnostic for every file processed
The following options modify how a hierarchy is traversed when the -R option is also specified. If more than one is specified, only the final one takes effect.
-H if a command line argument is a symbolic link to a directory, traverse it
-L traverse every symbolic link to a directory encountered
-P do not traverse any symbolic links (default)
chmod - change file access permissions
Usage
chmod [-R] permissions filenames
-R Change the permissions on files in the subdirectories of the directory that you are currently in, recursively.
permissions Specifies the rights that are being granted. Below are the different rights that you can grant in an alphanumeric format.
filenames File or directory that you are associating the rights with.
Permissions
u - User who owns the file.
g - Group that owns the file.
o - Other.
a - All.
r - Read the file.
w - Write or edit the file.
x - Execute or run the file as a program.
Numeric Permissions:
chmod permissions can also be given numerically:
400 read by owner
040 read by group
004 read by anybody (other)
200 write by owner
020 write by group
002 write by anybody
100 execute by owner
010 execute by group
001 execute by anybody
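The two notations above carry the same information. The added example below (constructed for this page, not from the original text) converts between them using the per-bit values just listed, then applies a mode with chmod and reads it back through ls -l to confirm what actually landed on the file:

```sh
#!/bin/sh
# Added example for this page: convert permissions between the rwx form
# and the numeric form, then apply a mode and read it back.

sym_to_octal() {
    # usage: sym_to_octal rw-r--r-- -> 644
    # Each triplet is user, group, other; r=4, w=2, x=1 (s and t count as executable).
    s="$1"
    [ "${#s}" -eq 9 ] || { echo "expected 9 characters such as rw-r--r--" >&2; return 1; }
    digits=""
    i=1
    while [ "$i" -le 9 ]; do
        d=0
        [ "$(printf '%s' "$s" | cut -c"$i")" = r ] && d=$((d + 4))
        [ "$(printf '%s' "$s" | cut -c"$((i + 1))")" = w ] && d=$((d + 2))
        case "$(printf '%s' "$s" | cut -c"$((i + 2))")" in x|s|t) d=$((d + 1)) ;; esac
        digits="$digits$d"
        i=$((i + 3))
    done
    echo "$digits"
}

octal_to_sym() {
    # usage: octal_to_sym 640 -> rw-r-----
    # Only the last three digits are rendered; setuid/setgid/sticky are not shown.
    m=$1; m=${m#${m%???}}
    out=""
    for d in $(printf '%s' "$m" | sed 's/./& /g'); do
        r=-; w=-; x=-
        [ $((d & 4)) -ne 0 ] && r=r
        [ $((d & 2)) -ne 0 ] && w=w
        [ $((d & 1)) -ne 0 ] && x=x
        out="$out$r$w$x"
    done
    echo "$out"
}

apply_and_readback() {
    # usage: apply_and_readback 640 -> rw-r-----  (what ls -l reports after chmod)
    f=$(mktemp) || return 1
    chmod "$1" "$f"
    ls -l "$f" | cut -c2-10   # columns 2-10 of ls -l are the three rwx triplets
    rm -f "$f"
}

world_writable() {
    # usage: world_writable 666 -> yes ; 644 -> no
    # The "other" write bit (002) is the one most often set by mistake.
    m=$1; m=${m#${m%?}}
    if [ $((m & 2)) -ne 0 ]; then echo yes; else echo no; fi
}

sym_to_octal rwxr-x---
octal_to_sym 640
apply_and_readback 750
```

Reading the mode back after chmod is the habit worth keeping: a mistyped "chmod -r file" is parsed as the symbolic mode "remove read for everyone", not as a recursion flag, and only the readback shows it.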
ls - Short listing of directory contents
-a list hidden files
-d list the name of the current directory
-F show directories with a trailing '/' and executable files with a trailing '*'
-g show group ownership of file in long listing
-i print the inode number of each file
-l long listing giving details about files and directories
-R list all subdirectories encountered
-t sort by time modified instead of name
cp - Copy files
cp myfile yourfile
Copy the file "myfile" to the file "yourfile" in the current working directory. This command will create the file "yourfile" if it doesn't exist. It will normally overwrite it without warning if it exists.
cp -i myfile yourfile
With the "-i" option, if the file "yourfile" exists, you will be prompted before it is overwritten.
cp -i /data/myfile .
Copy the file "/data/myfile" to the current working directory and name it "myfile". Prompt before overwriting the file.
cp -dpr srcdir destdir
Copy all files from the directory "srcdir" to the directory "destdir" preserving links (-d option), file attributes (-p option), and copying recursively (-r option). With these options, a directory and all its contents can be copied to another directory.
ln - Creates a symbolic link to a file.
ln -s test symlink
Creates a symbolic link named symlink that points to the file test. Typing "ls -i test symlink" will show the two files are different with different inodes. Typing "ls -l test symlink" will show that symlink points to the file test.
locate - A fast database driven file locator.
slocate -u
This command builds the slocate database. It will take several minutes to complete this command. This command must be used before searching for files, however cron runs this command periodically on most systems.
locate whereis
Lists all files whose names contain the string "whereis".
more - Allows file contents or piped output to be sent to the screen one page at a time
less - Opposite of the more command
cat - Sends file contents to standard output. This is a way to list the contents of short files to the screen. It works well with piping.
whereis - Report all known instances of a command
wc - Print byte, word, and line counts
bg
bg jobs - Places the current job (or, by using the alternative form, the specified jobs) in the background, suspending its execution so that a new user prompt appears immediately. Use the jobs command to discover the identities of background jobs.
cal month year - Prints a calendar for the specified month of the specified year.
cat files - Prints the contents of the specified files.
clear - Clears the terminal screen.
cmp file1 file2 - Compares two files, reporting all discrepancies. Similar to the diff command, though the output format differs.
diff file1 file2 - Compares two files, reporting all discrepancies. Similar to the cmp command, though the output format differs.
dmesg - Prints the messages resulting from the most recent system boot.
fg
fg jobs - Brings the current job (or the specified jobs) to the foreground.
file files - Determines and prints a description of the type of each specified file.
find path -name pattern -print
Searches the specified path for files with names matching the specified pattern (usually enclosed in single quotes) and prints their names. The find command has many other arguments and functions; see the online documentation.
finger users - Prints descriptions of the specified users.
free - Displays the amount of used and free system memory.
ftp hostname
Opens an FTP connection to the specified host, allowing files to be transferred. The FTP program provides subcommands for accomplishing file transfers; see the online documentation.
head files - Prints the first several lines of each specified file.
ispell files - Checks the spelling of the contents of the specified files.
kill process_ids
kill -signal process_ids
kill -l
Kills the specified processes, sends the specified processes the specified signal (given as a number or name), or prints a list of available signals.
killall program
killall -signal program
Kills all processes that are instances of the specified program or sends the specified signal to all processes that are instances of the specified program.
mail - Launches a simple mail client that permits sending and receiving email messages.
man title
man section title - Prints the specified man page.
ping host - Sends an echo request via TCP/IP to the specified host. A response confirms that the host is operational.
reboot - Reboots the system (requires root privileges).
shutdown minutes
shutdown -r minutes
Shuts down the system after the specified number of minutes elapses (requires root privileges). The -r option causes the system to be rebooted once it has shut down.
sleep time - Causes the command interpreter to pause for the specified number of seconds.
sort files - Sorts the specified files. The command has many useful arguments; see the online documentation.
split file - Splits a file into several smaller files. The command has many arguments; see the online documentation
sync - Completes all pending input/output operations (requires root privileges).
telnet host - Opens a login session on the specified host.
top - Prints a display of system processes that's continually updated until the user presses the q key.
traceroute host - Uses echo requests to determine and print a network path to the host.
uptime - Prints the system uptime.
w - Prints the current system users.
wall - Prints a message to each user except those who've disabled message reception. Type Ctrl-D to end the message.
TIP 1:
All of these commands should work from your command prompt (regardless of which shell you're using). Just in case some folks were not aware, you MUST press Enter to invoke the command.
TIP 2:
For this summary, please note that the EX: stands for example and is not part of the command. Commands are denoted in courier type font.
TIP 3:
If you need help understanding what the options are, or how to use a command, try adding this to the end of your command: --help
For example, for better understanding of the df command's options, type:
df --help
Command Summary Use
Use cd to change directories Type cd followed by the name of a directory to access that directory.
Keep in mind that you are always in a directory and allowed access to any directories hierarchically above or below. Ex:
cd games
If the directory games is not located hierarchically below the current directory, then the complete path must be written out. Ex:
cd /usr/games
To move up one directory, use the shortcut command. Ex:
cd ..
Use clear to clear the command prompt Type clear to clean up your command prompt window.
This is especially helpful when you are typing lots of commands and need a clean window to help you focus.Ex:
clear
This is also useful when you are getting ready to type a rather long command and do not wish to become confused by other details on the screen.
Use date to set your server's date and time Type date followed by the two digit month, the two digit date, the two digit time, and two digit minutes. The syntax is easy enough and resembles this: MMDDhhmm
This command is helpful but must be used as the superuser (logged in as root). Otherwise you will get an "Operation not permitted" reply. As root you can use the command like this:
date 11081300
The above command will set the server date and time to the 11th month (November), the 8th day, at 1:00pm.
Use df to check disk space Typing df provides a very quick check of your file system disk space.
Type df -h to get a more easily readable version of the output. Notice that this command will include all applicable storage such as your hard disk/s (hda, hdb etc.) and your server SWAP file (shm). To list disk space including filesystem type:
df -h -T
Use finger to see who's on the system Typing finger allows you to see who else is on the system or get detailed information about a person who has access to the system.
Type finger followed by the name of a user's account to get information about that user. Or, type finger and press enter to see who's on the system and what they are doing. Ex:
finger johndoe
Use logout to quit using the system Yep, you guessed it, typing logout will log your account out of the system.
Type logout at the prompt to disconnect from your Linux machine or to logout a particular user session from the system. Keep in mind that although rudimentary, leaving your critical account logged on may be a security concern. We always recommend promptly using logout when you are finished using your root account! Ex:
logout
Use ls to list files and directories Type ls to see a list of the files and directories located in the current directory. If you’re in the directory named games and you type ls, a list will appear that contains files in the games directory and sub-directories in the games directory. Examples:
ls Mail
ls /usr/bin
Type ls -alt to see a list of all files (including .rc files) and all directories located in the current directory. The listing will include detailed, often useful information. Examples:
ls -alt
ls -alt /usr/bin
If the screen flies by and you miss seeing a number of files, try using the |more at the end like:
ls -alt |more
* In Bash (the usual Linux shell) the abbreviated command l is often available as an alias. To get a verbose listing of files and directories you could therefore simply type: l
Use man to pull up information about a Linux command Type man followed by a command to get detailed information about how to use the command. Ex:
man ls
Type man -k followed by a word to list all of the commands and descriptions that contain the word you specified. Ex:
man -k finger
Use more to read the contents of a file Type more followed by the name of a text file to read the file's contents. Why do we emphasize using this on a "text" file? Because most other types of files will look like garbage! Ex:
more testfile.txt
Use nano to start a text editor Typing nano will start a basic text editor on most Linux systems.
Type nano followed by the filename you wish to edit. This basic editor is quick and easy to use for beginners. However, it is very important that you also learn about other text editors available on Linux and UNIX systems, such as emacs, vi, and pico. Ex:
nano /etc/security/access.conf
Use passwd to change your current password Type passwd and press enter. You'll see the message Changing password for yourname.
At the Old password: prompt, type in your old password.
Then, at the Enter new password: prompt, type in your new password.
The system double-checks your new password. At the Verify: prompt, type the new password and press Enter again.
Create a secure password that combines parts of words and numbers. For instance, your dog's name may be Rufus. He may have been born in 1980. Create a password that uses parts of both the name and date of birth, such as 80rufuS. Note the use of at least one capital letter. This is a fairly secure password and easy to remember.
Use pwd to list the name of your current directory Type pwd and hit enter. You'll see the full name of the directory you are currently in. This is your directory path and is very handy. This is especially handy when you forget which directory you’ve changed to and are trying to run other commands.
Linux Files and File Permission
Linux files are setup so access to them is controlled. There are three types of access:
1. read
2. write
3. execute
Each file belongs to a specific user and group. Access to the files is controlled by user, group, and what is called other. The term, other, is used to refer to someone who is not the user (owner) of the file, nor is the person a member of the group the file belongs to. When talking about setting permissions for "other" users to use, it is commonly referred to as setting the world execute, read, or write bit since anyone in the world will be able to perform the operation if the permission is set in the other category.
File names and permission characters
File names can be up to 256 characters long with "-", "_", and "." characters along with letters and numbers.
When a long file listing is done, there are 10 characters that are shown on the left that indicate type and permissions of the file. File permissions are shown according to the following syntax example: drwerwerwe
There are a total of 10 characters in this example, as in all Linux files. The first character indicates the type of file, and the next three indicate read, write, and execute permission for each of the three user types, user, group and other. Since there are three types of permission for three users, there are a total of nine permission bits. The table below shows the syntax:
Position   1      2-4                        5-7                         8-10
Meaning    type   user: read write execute   group: read write execute   other: read write execute
Example    d      r w e                      r w e                       r w e
• Character 1 is the type of file: - is ordinary, d is directory, l is link.
• Characters 2-4 show owner permissions. Character 2 indicates read permission, character 3 indicates write permission, and character 4 indicates execute permission.
• Characters 5-7 show group permissions. Character 5=read, 6=write, 7=execute
• Characters 8-10 show permissions for all other users. Character 8=read, 9=write, 10=execute
There are 5 possible characters in the permission fields. They are:
• r = read - This is only found in the read field.
• w = write - This is only found in the write field.
• x = execute - This is only found in the execute field.
• s = setuid - This is only found in the execute field.
• If there is a "-" in a particular location, there is no permission. This may be found in any field whether read, write, or execute field.
Examples
Type "ls -l" and a listing like the following is displayed:
total 10
drwxrwxrwx 4 george team1 122 Dec 12 18:02 Projects
-rw-rw-rw- 1 george team1 1873 Aug 23 08:34 test
-rw-rw-rw- 1 george team1 1234 Sep 12 11:13 datafile
Which means the following:
drwxrwxrwx   4       george   team1   122     Dec 12 18:02    Projects
|            |       |        |       |       |               |
type and     # of    file's   file's  size    date of last    filename
permissions  links   owner    group   bytes   modification
The fields are as follows:
1. Type field: The first character in the field indicates a file type of one of the following:
o d = directory
o l = symbolic link
o s = socket
o p = named pipe
o - = regular file
o c = character (unbuffered) special device file
o b = block (buffered) special device file
2. Permissions are explained above.
3. Links: The number of directory entries that refer to the file. In our example, there are four.
4. The file's owner in our example is George.
5. The group the file belongs to. In our example, the group is team1.
6. The size of the file in bytes
7. The last modification date. If the file is recent, the date and time is shown. If the file is not in the current year, the year is shown rather than time.
8. The name of the file.
Set User Identification Attribute
The file permissions bits include an execute permission bit for file owner, group and other. When the execute bit for the owner is set to "s" the set user ID bit is set. This causes any persons or processes that run the file to have access to system resources as though they are the owner of the file. When the execute bit for the group is set to "s", the set group ID bit is set and the user running the program is given access based on access permission for the group the file belongs to. The following command:
chmod u+s myfile
sets the user ID bit on the file "myfile". The command:
chmod g+s myfile
sets the group ID bit on the file "myfile".
The listing below shows a listing of two files that have the group or user ID bit set.
-rws--x--x 1 root root 14024 Sep 9 1999 chfn
-rwxr-sr-x 1 root mail 12072 Aug 16 1999 lockfile
The files chfn and lockfile are located in the directory "/usr/bin". The "s" takes the place of the normal location of the execute bit in the file listings above. This special permission mode has no meaning unless the file has execute permission set for either the group or other as well. In the case of lockfile, if the other-users (world execute) bit were not set, the group ID bit would be meaningless, since only members of that same group could run the program anyhow. In both files, everyone can execute the binary. The first program, when run, is executed as though the user were root. The second program is run as though the group "mail" were the user's group.
For system security reasons it is not a good idea to set the set-user-ID or set-group-ID bit on any more programs than necessary, since this can give an unauthorized user privileges in sensitive system areas. If the program has a flaw that allows the user to break out of the intended use of the program, then the system can be compromised.
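The permission table and the chfn/lockfile listings above can be decoded mechanically. The POSIX sh helper below is an added example (not code from the original page): it turns the ten-character type/permission field of an ls -l line into the four-digit octal mode chmod accepts and reports the special bits, and it also covers the directory sticky bit and the capital S/T that ls prints when a special bit is set without the matching execute bit, which the text does not mention.

```shell
#!/bin/sh
# Added example: decode the 10-character mode field shown by "ls -l".
# The sample ls -l lines used below are copied from this page's listings.

# Compute the 0-7 value of one rwx triplet into PERM and add the weight of its
# special bit (4 setuid, 2 setgid, 1 sticky) to SPECIAL. Globals are used on
# purpose: a command substitution would run in a subshell and lose SPECIAL.
triplet_value() {  # $1 = three-character triplet   $2 = special-bit weight
  PERM=0
  case $1 in r??) PERM=$((PERM + 4));; esac
  case $1 in ?w?) PERM=$((PERM + 2));; esac
  case $1 in ??[xst]) PERM=$((PERM + 1));; esac      # lower-case s/t imply execute
  case $1 in ??[sStT]) SPECIAL=$((SPECIAL + $2));; esac # S/T: special bit without execute
}

# mode_to_octal "-rwsr-xr-x" -> 4755 ; "drwxrwxrwt" -> 1777 ; "-rw-r--r--" -> 0644
mode_to_octal() {
  m=$1
  [ ${#m} -eq 10 ] || { echo "expected a 10-character mode field, got '$m'" >&2; return 1; }
  SPECIAL=0
  triplet_value "$(printf '%s' "$m" | cut -c 2-4)" 4;  u=$PERM   # user
  triplet_value "$(printf '%s' "$m" | cut -c 5-7)" 2;  g=$PERM   # group
  triplet_value "$(printf '%s' "$m" | cut -c 8-10)" 1; o=$PERM   # other
  printf '%d%d%d%d\n' "$SPECIAL" "$u" "$g" "$o"
}

# Audit one "ls -l" line: prints "<octal mode> <name>" followed by any of the
# flags setuid, setgid, sticky and world-writable that apply to the entry.
audit_ls_line() {
  read -r mode links owner group size mon day tm name <<EOF
$1
EOF
  oct=$(mode_to_octal "$mode") || return 1
  flags=''
  case $mode in ???[sS]*)      flags="$flags setuid";; esac
  case $mode in ??????[sS]*)   flags="$flags setgid";; esac
  case $mode in *[tT])         flags="$flags sticky";; esac
  case $mode in ????????w?)    flags="$flags world-writable";; esac
  printf '%s %s%s\n' "$oct" "$name" "$flags"
}

# Stand-alone demonstration on the listings from this page.
if [ "${1:-}" = "--demo" ]; then
  audit_ls_line "-rws--x--x 1 root root 14024 Sep 9 1999 chfn"
  audit_ls_line "-rwxr-sr-x 1 root mail 12072 Aug 16 1999 lockfile"
  audit_ls_line "drwxrwxrwt 13 root root 4096 Apr 15 08:05 tmp"
fi
```

Run it with `sh script.sh --demo` to see the three page listings decoded; on a live system, pipe `ls -l` lines through audit_ls_line to spot setuid binaries and world-writable directories at a glance.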
Directory Permissions
There are two special bits in the permissions field of directories. They are:
• s - Set group ID
• t - Save text attribute (sticky bit) - The user may delete or modify only those files in the directory that they own or have write permission for.
Save text attribute
The /tmp directory is typically world-writable and looks like this in a listing:
drwxrwxrwt 13 root root 4096 Apr 15 08:05 tmp
Everyone can read, write, and access the directory. The "t" indicates that only the user that created a file in this directory (and root, of course) can delete that file.
To set the sticky bit in a directory, do the following:
chmod +t data
This option should be used carefully. A possible alternative to this is
1. Create a directory in the user's home directory to which he or she can write temporary files.
2. Set the TMPDIR environment variable using each user's login script.
3. Programs using the tempnam(3) function will look for the TMPDIR variable and use it, instead of writing to the /tmp directory.
Directory Set Group ID
If the setgid bit on a directory is set, files created in that directory will have the same group ownership as the directory, instead of the group of the user that created the file.
This attribute is helpful when several users need access to certain files. If the users work in a directory with the setgid attribute set then any files created in the directory by any of the users will have the permission of the group. For example, the administrator can create a group called spcprj and add the users Kathy and Mark to the group spcprj. The directory spcprjdir can be created with the set GID bit set and Kathy and Mark although in different primary groups can work in the directory and have full access to all files in that directory, but still not be able to access files in each other's primary group.
The following command will set the GID bit on a directory:
chmod g+s spcprjdir
The directory listing of the directory "spcprjdir":
drwxrwsr-x 2 kathy spcprj 1674 Sep 17 1999 spcprjdir
The "s" in place of the execute bit in the group permissions causes all files written to the directory "spcprjdir" to belong to the group "spcprj".
Examples
Below are examples of making changes to permissions:
chmod u+x myfile Gives the user execute permission on myfile.
chmod +x myfile Gives everyone execute permission on myfile.
chmod ugo+x myfile Same as the above command, but specifically specifies user, group and other.
chmod 400 myfile Gives the user read permission, and removes all other permissions. These permissions are specified in octal: the first digit is for the user, the second for the group and the third for other. The high bit (4) is for read access, the middle bit (2) is for write access, and the low bit (1) is for execute access.
chmod 764 myfile Gives user full access, group read and write access, and other read access.
chmod 751 myfile Gives user full access, group read and execute permission, and other, execute permission.
chmod u+s myfile Sets the setuid bit.
chmod go=rx myfile Sets the group and other permissions to exactly read and execute, removing any write permission they had.
Below are examples of making changes to owner and group:
chown mark test1 Changes the owner of the file test1 to the user Mark.
chgrp mark test1 Changes the file test1 to belong to the group "mark".
Note: Linux files were displayed with a default tab value of 8 in older Linux versions. That means that file names longer than 8 characters may not be displayed fully if you are using an old Linux distribution. There is an option associated with the ls command that solves this problem. It is "-T". Ex: "ls -al -T 30" to make the tab length 30.
Umask Settings
The umask command is used to set and determine the default file creation permissions on the system. It is the octal complement of the desired file mode for the specific file type. Default permissions are:
• 777 - Executable files
• 666 - Text files
These defaults allow all users to execute an executable file and prevent them from executing a text file. The defaults allow all users to read and write the file.
The permission for the creation of new executable files is calculated by subtracting the umask value from the default permission value for the file type being created. An example for a text file is shown below with a umask value of 022:
666 Default Permission for text file
-022 Minus the umask value
-----
644 Allowed Permissions
Therefore the umask value is an expression of the permissions the user, group and world will not have as a default with regard to reading, writing, or executing the file. The umask value here means the group the file belongs to and users other than the owner will not be able to write to the file. In this case, when a new text file is created it will have a file permission value of 644, which means the owner can read and write the file, but members of the group the file belongs to, and all others can only read the file. A long directory listing of a file with these permissions set is shown below.
-rw-r--r-- 1 root workgrp 14233 Apr 24 10:32 textfile.txt
An example command to set the umask is:
umask 022
The most common umask setting is 022. The /etc/profile script is where the umask command is usually set for all users.
Red Hat Linux has a user and group ID creation scheme where there is a group for each user and only that user belongs to that group. If you use this scheme consistently you only need to use 002 for your umask value with normal users.
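The "subtract the umask" presentation above gives the right answer for 022, but the kernel actually clears the umask bits with a bitwise AND-NOT, and the two disagree as soon as a mask digit exceeds a default digit (666 with umask 077 is 600, not 567). The POSIX sh functions below are an added example, not from the original page; umask_on_disk assumes a Linux system with GNU stat.

```shell
#!/bin/sh
# Added example: how the umask really combines with the default creation mode.
# Mode arguments are octal strings as used on this page (666, 777, 022, ...).

# The kernel's rule: mode & ~umask. Prints three octal digits.
apply_umask() {  # $1 = default mode (666 text file, 777 executable)  $2 = umask
  printf '%03o\n' $(( 0$1 & ~0$2 ))
}

# The decimal-style subtraction shortcut used in the text, kept only to show
# where it breaks: 666 - 077 "equals" 567 in octal arithmetic, which is not a
# mode the kernel would ever produce for that umask.
subtract_umask() {  # $1 = default mode  $2 = umask
  printf '%03o\n' $(( 0$1 - 0$2 ))
}

# Create a text file under the given umask in a scratch directory and report
# the mode the kernel actually assigned (GNU stat, Linux assumed).
umask_on_disk() {  # $1 = umask
  dir=$(mktemp -d) || return 1
  ( umask "$1" && : > "$dir/textfile.txt" && stat -c '%a' "$dir/textfile.txt" )
  rc=$?
  rm -rf "$dir"
  return $rc
}

# Stand-alone demonstration for the masks discussed on this page.
if [ "${1:-}" = "--demo" ]; then
  for mask in 022 002 077; do
    echo "umask $mask: text file $(apply_umask 666 "$mask"), executable $(apply_umask 777 "$mask"), subtraction says $(subtract_umask 666 "$mask"), kernel gave $(umask_on_disk "$mask")"
  done
fi
```

With umask 002 (the per-user private group scheme mentioned for Red Hat) a new text file comes out 664, so members of the owner's private group, which is only the owner, can write it.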
Accessing Removable Media
Making a Linux Filesystem on a Floppy
1. Use fdformat /dev/fd0H1440
2. To make a filesystem on the disk type "mkfs -t filesystem -c /dev/fd0H1440" where filesystem is the type of filesystem, usually ext2 (Linux native).
3. Mount the filesystem: "mount -t ext2 /dev/fd0 /mnt/floppy"
Mounting floppy and CD-ROM drives
mount /dev/fd0 /mnt/floppy To mount a floppy
umount /dev/fd0 To unmount a floppy
mount /dev/cdrom /mnt/cdrom To mount a cdrom or
mount -t iso9660 -r /dev/cdrom /mnt/cdrom Another way to mount a CD-ROM with type specified or mount -t auto /dev/cdrom /mnt/cdrom
Note the CDROM may be on the secondary controller as a master (/dev/hdc) or slave (/dev/hdd). In fact, your /dev/cdrom is probably actually a softlink to one of these two devices, if you have an IDE interface. If you use SCSI, you will probably use something like /dev/sda1 or 2, etc.
Mounting a parallel port zip drive:
mount -t vfat /dev/sda4 /mnt/zipdrive
Note: in all these examples, the mount points must exist, be empty, and not already have a device mounted on them. Also you must unmount the device before removing it.
Setting up Removable and External Filesystems to Automatically mount when used
1. The program "autofs" must be set up to run as a daemon upon system startup. To do this with Redhat Linux, use the program "linuxconf" and select "Control", "Control panel", "Control Service activity". Activate "autofs" using the menu selections.
2. Edit the file "/etc/auto.master" to contain the following line:
/mnt /etc/auto.misc --timeout 20
The above example sets the program to unmount the device after 20 seconds.
3. Edit the file "/etc/auto.misc" adding lines like:
cd -fstype=iso9660,ro :/dev/cdrom
fl -fstype=auto :/dev/fd0
This will cause the CD-ROM to be mounted when you access the directory "/mnt/cd" and the floppy to be mounted when you access "/mnt/fl". The directories "/mnt/cd" and "/mnt/fl" must not exist in order for this to work.
4. To use automount, put a CD in the CD-ROM drive and type "ls /mnt/cd" or "cd /mnt/cd".
Linux Package Installation and Printing
Generally, a large part of Linux consists of the packages you load on your system. These packages may be for various specific purposes such as adding shadow passwords, adding a secure telnet client, adding some type of network service, or perhaps upgrading the Apache web server. Whatever the reason, you will need to find the appropriate package on the web, download it, compile it, and install it. The package will come with instructions on how to do this. Some are easy to install, others may be complicated. This section gives general instructions commonly found and required when installing many packages. Please be aware, however, that there may be differences between these instructions and those that come with your package. You should read the instructions that come with your package.
Package installations
tar.gz source package general instructions
1. Read the install documentation associated with the installation
2. Put the packed file in the directory you want it to be installed under.
3. Examine the package with the command "tar tvzpf
4. Unpack the tar.gz file in one step with "tar xvzpf
5. Typically the following outlines the rest of the steps but they will vary from package to package. Go into the created subdirectory and type "./configure".
6. Type "make all" or "./make"
7. Type "make install" or "./make install"
Installing Redhat Packages
rpm -help To get help
rpm -q mypack Queries the database of installed packages to see if this package is installed and, if so, which version.
rpm -ivh mypack-1.0-1.rpm Installs mypack.
rpm -Uvh mypack-2.0-1.rpm Upgrades mypack (note the capital U).
rpm -qip mypack-1.2.2.rpm To query with details about the package.
rpm -qlp mypack-1.2.2.rpm Gives a list of files this package installs.
rpm -e mypack-1.2.2 Removes the package mypack-1.2.2.
Typically RPM packages come with binary files ready for installation so all you need to do is the install as in the line above. The compilation which is the last three steps in the tar example in the first section above don't need to be done. If you get a source file rather than a binary file, you will need to do a compile of code and an installation. If you just do the binary installation, be sure you get the package from a reliable source so you don't get lovely extras like trap doors, trojans, or viruses.
Setting Linux Print Spooling
Printing is supported by "lpd", the line printer spooler daemon, which you should activate to support print services. Once print services are set up, type "lpr -s -Pprinter filename" where "printer" is the name of your printer (the default is lp). The '-s' option tells lpr to use a symbolic link to print the file rather than copying it to its own spool file. If the '-P' option is left out, the default printer name will be assumed.
Print spooling can be set up easily in Redhat using the "printtool" configuration tool following the following steps:
1. Type "startx" to enter an x windows session.
2. Open a terminal under x windows
3. Type "printtool" in the terminal and press Enter.
4. Edit or add a printer. Note that lp is the default printer for the lpd daemon.
5. You can make the name of the printer anything you want. Note: lp is default.
6. The spool directory should be "/var/spool/printername"
7. The printer server name should be the name of the server computer that the printer is attached to. Example PRT_SRV1
8. The print queue name is the name of the printer as the printer server computer perceives it. Example: HP_LASER1.
9. Depending on the network and how the printer resource is shared you may or may not need a user name and password.
How it works:
1. Note the file "/etc/printcap" defines what filter script file will be used to output the printfile. Type "man lpd" and "man printcap" for more information.
2. The filter script gets its input from standard input sometimes using such commands as "cat -", see the cat man page. It also uses "file -" to get a description of the input.
3. On netware print servers, you must be logged on before it will work. I use the scripts from the section on "Network printing setup and use" to logon and type "neton username".
Other useful commands for printing:
lpr - Prints a file to default lp printer
lpq - Shows the files waiting in the print queue
lpc - Line printer control program. Type "lpc status" to see status on all printers. This command can enable or disable printing or queuing.
lprm - Remove a job from the print queue using number reported by lpq. Ex: lprm 14
tunelp - A utility to optimize the printer. "tunelp /dev/lp -q" will display the IRQ for the device
The directory /var/spool/lpd contains a directory for every printer. This is where the print files are spooled.
To set up a printer on a parallel or serial port:
A printer on the first parallel port is probably /dev/lp0 or /dev/lp1.
To test the printer type "lptest > /dev/lp1" to send test output directly to the printer. If the printer is a postscript printer you need to send it a postscript file by typing "cat test.ps > /dev/lp1". The lptest program is a utility made to test a printer.
If the printer is serial, output is directed to /dev/ttyS0 or /dev/ttyS1.
The /etc/printcap file:
In the printcap file, a comment line begins with #.
Example:
ljet4|lp|ps|Postscript|600dpi 20MB memory|end of hall|local|LPT1:\
:lp=/dev/lp0:rw:\
:sd=/var/spool/lpd/ljet4:mx#0:mc#0:pl#72:pw#85:\
:lf=/var/log/lpd-errs:if=/usr/local/cap/ljet4:
On the first line (virtual), the names of the printer are shown with each name separated by '|'.
Commands include:
• The lp line is the device name for output (local printer).
• rw is specified if the printer can send data back to the host through the device file. A network printer uses /dev/null.
• mx - Sets the maximum size of a print job.
• pl - page length.
• pw - page width.
• The sd line is the subdirectory the files are spooled in
• The if line tells the input filter to use
• br - baud rate for a serial port
• sh - suppress header
• rp - remote printer
• rm - remote host that controls the remote printer
• rs - restrict access to local printers to users with an account
• rg - restricted group that can use the printer
Configuration, Logging, and CRON
Linux System Configuration
In the subdirectory "/etc/sysconfig" are groups of files describing your system as follows:
• mouse - Describes the type of mouse and whether a three button mouse is emulated.
• keyboard - Describes the keyboard table.
• network - Describes if this machine supports networking, IP forwarding, sets the host name, sets the gateway, and describes the network interface the gateway will be found on.
• hwconf - Describes the hardware devices on your system in terms of vendor ID and device ID.
• init - Defines many initialization items for the system.
• static-routes - Defines the static routes if your machine is performing routing tasking. See the Networking Guide section on routing.
• Subdirectories:
o console - Defines your system keymapping. Normally contains the default.kmap file which is loaded when the system starts.
o network-scripts - This directory contains files used to configure your ethernet card. such as ifcfg-eth0, ifcfg-eth1, etc. In this file you set your permanent device name, IP address, netmask and other parameters.
For more information on setting these files up and how they are formatted, read "How Linux Works".
The /proc filesystem and the sysctl utility
The /proc filesystem is used to store many system configuration parameters. It is a virtual filesystem that resides in the kernel's memory. Some of the areas in this filesystem cannot be written to by the root user, including /proc/sys.
To see how much memory linux is using type:
cat /proc/meminfo
or:
free
cat /proc/cpuinfo To see information about your cpu
cat /proc/interrupts List interrupts in use
cat /proc/version List Linux version
cat /proc/filesystems List the types of filesystems in use
lsmod Show the kernel modules currently loaded
The "sysctl" program will list kernel parameters. Type "sysctl -a |more" to see a list of kernel parameters on your system.
For more in depth information on the proc filesystem, read "How Linux Works".
Linux System logging
The system daemon called syslogd is the program used to log system events such as kernel messages, login or logout messages, general system messages, etc. The /etc/syslog.conf file controls where logging information is recorded by syslogd, i.e. where your log files are kept. Typically these files are in the "/var/log" directory.
My "/etc/syslog.conf" file:
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail, news and auth) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;news.none;authpriv.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* /var/log/maillog
# Everybody gets emergency messages, plus log them on another
# machine.
*.emerg *
# Save mail and news errors of level err and higher in a
# special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
#
# INN
#
news.=crit /var/log/news/news.crit
news.=err /var/log/news/news.err
news.notice /var/log/news/news.notice
The first field is a facility followed by a "." with the second field being the priority such as "uucp,news.crit" above where the facility is uucp and news and the priority is crit. The last part of each line specifies the name of the log file where that log will be kept. This file does not like spaces in it so use tabs between sections.
Facilities are:
• authpriv, auth (deprecated) - Security authorization messages
• cron - The clock daemon (cron and at)
• daemon - Other system daemons
• kern - Kernel messages
• lpr - Line printer subsystem
• mail - Mail subsystem.
• mark - For internal use
• news - Usenet news subsystem.
• security (deprecated, same as authpriv) - should not be used anymore.
• syslog - Messages generated internally by syslogd.
• user - Generic user level messages
• uucp - UUCP (Unix-Unix copy) subsystem.
• local0 through local7
The "authpriv" facility should be kept separate from other log data; it carries attempts to switch users using /bin/su, login attempts, and other user accounting information.
Priority is one of the following with the least severity listed first:
• debug - Debug level message
• info - Informational message
• notice - Normal but significant conditions
• warning, warn (deprecated) - Warning conditions
• err, error (deprecated) - Error conditions
• crit - Critical conditions
• alert - Action must be taken immediately
• emerg, panic - System is unusable
An "*" stands for all facilities or all priorities. Many distributions default to only logging the most basic information. You may want to customize system logging for your environment.
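Reading the selectors in the syslog.conf above by hand is error-prone: "*.info;mail.none;news.none;authpriv.none" means "info and above from every facility, except the three facilities that are then switched off", and "news.=crit" matches one priority exactly. The POSIX sh functions below are an added example (not part of the original page) that evaluate a facility/priority pair against a constructed copy of that file; they implement the later-selector-overrides-earlier rule but not the "!" negation syntax some syslogd versions accept.

```shell
#!/bin/sh
# Added example: which log files receive a message, given this page's syslog.conf.
# Constructed copy of the page's configuration with comments removed.
SYSLOG_CONF='*.info;mail.none;news.none;authpriv.none /var/log/messages
authpriv.* /var/log/secure
mail.* /var/log/maillog
*.emerg *
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
news.=crit /var/log/news/news.crit
news.=err /var/log/news/news.err
news.notice /var/log/news/news.notice'

# Priority rank, least severe first, matching the page's list (-1 = unknown).
prio_rank() {
  case $1 in
    debug) echo 0;;  info) echo 1;;  notice) echo 2;;  warning|warn) echo 3;;
    err|error) echo 4;;  crit) echo 5;;  alert) echo 6;;  emerg|panic) echo 7;;
    *) echo -1;;
  esac
}

# One selector such as "mail.none", "news.=crit" or "*.info" against a
# facility and a priority rank. Prints: skip (facility not named), yes or no.
selector_verdict() {  # $1 = selector  $2 = facility  $3 = rank
  facs=${1%%.*}; pri=${1#*.}
  case ",$facs," in
    *",$2,"*|*",*,"*) ;;          # facility listed, or the "*" wildcard
    *) echo skip; return;;
  esac
  case $pri in
    none) echo no;;                                                   # switch facility off
    '*')  echo yes;;                                                  # every priority
    =*)   [ "$(prio_rank "${pri#=}")" -eq "$3" ] && echo yes || echo no;;  # exactly this one
    *)    [ "$3" -ge "$(prio_rank "$pri")" ] && echo yes || echo no;;      # this one and above
  esac
}

# A whole selector field ("a.x;b.none"): later selectors override earlier ones.
# Returns 0 when the message is logged by this line.
line_matches() {  # $1 = selector field  $2 = facility  $3 = rank
  result=no; rest=$1
  while [ -n "$rest" ]; do
    sel=${rest%%;*}
    [ "$sel" = "$rest" ] && rest='' || rest=${rest#*;}
    case "$(selector_verdict "$sel" "$2" "$3")" in
      yes) result=yes;;
      no)  result=no;;
    esac
  done
  [ "$result" = yes ]
}

# syslog_targets FACILITY PRIORITY: prints the targets that receive the
# message, space separated ("*" means "all logged-in users", as in the file).
syslog_targets() {
  rank=$(prio_rank "$2"); out=''
  while read -r sel target; do
    case $sel in ''|'#'*) continue;; esac
    if line_matches "$sel" "$1" "$rank"; then out="$out${out:+ }$target"; fi
  done <<EOF
$SYSLOG_CONF
EOF
  printf '%s\n' "$out"
}

# Stand-alone demonstration: where do su/login records and a kernel panic go?
if [ "${1:-}" = "--demo" ]; then
  for pair in "authpriv info" "mail err" "news crit" "kern emerg" "kern debug"; do
    set -- $pair
    echo "$1.$2 -> ${3:-}$(syslog_targets "$1" "$2")"
  done
fi
```

Note that authpriv.info lands only in /var/log/secure, which is why that file should have restricted permissions and why a kern.debug message is dropped entirely under this configuration.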
Linux Logrotate
Going hand in hand with the system logging capability is the logrotate capability, which is used to manage log files. The logrotate program is used to rotate, compress, and/or mail system log files. It is normally run from cron. It is configured with the file "/etc/logrotate.conf", which is specified on the command line when logrotate is run. The logrotate configuration file on my system is listed below:
# see "man logrotate" for details
# rotate log files weekly
weekly
# keep 4 weeks worth of backlogs
rotate 4
# send errors to root
errors root
# create new (empty) log files after rotating old ones
create
# uncomment this if you want your log files compressed
#compress
# RPM packages drop log rotation information into this directory
include /etc/logrotate.d
# no packages own lastlog or wtmp -- we'll rotate them here
/var/log/wtmp {
monthly
create 0664 root utmp
rotate 1
}
/var/log/lastlog {
monthly
rotate 1
}
# system-specific logs may be configured here
Some of the logrotate configuration directives include:
• daily - log files are rotated every day
• weekly - log files are rotated once a week.
• monthly - log files are rotated once a month
• rotate - The number of times log files are rotated before being deleted or mailed to an address specified in a mail directive.
• include - Includes a file in this file as though it were in line. If the file is a directory, the files under that directory are included. In my copy above, there are several files under the directory "/etc/logrotate.d" which are used for logging various daemons.
• create - "create mode owner group". Creates the file with the specified mode, owner and group ids.
• copytruncate - truncate the original file after creating a copy so programs appending data will not have a problem.
• compress - Old versions of the log file are compressed with gzip.
• nocompress - Old log files are not compressed.
• errors - Any errors during logfile processing are mailed to the address "errors address".
• mail - When a log is rotated out of existence, it is mailed to the specified address "mail address".
There are many other directives associated with the logrotate program. Type "man logrotate" for more information.
Other system tracking files:
/var/log/wtmp - Binary info on users that have been logged on. The last command uses this info.
/var/run/utmp - Binary info on users currently logged on. The commands who, w, and finger use this info.
/var/log/lastlog - Used by finger to tell when a user was last logged in
Scheduling tasks with CRON
Cron runs commands from the /etc/crontab file, from the /etc/cron.d directory, and from the /var/spool/cron directory, whose files are named after authorized users listed in /etc/passwd. Cron commands are therefore scheduled in three locations:
• The directory "/var/spool/cron" with files named after accounts in "/etc/passwd". The format of files here is described in the crontab(1) manpage.
• The directory "/etc/cron.d". The format of files here is described in the crontab(5) manpage.
• The file called "/etc/crontab". The syntax of each line in this file is:
minute, hour, day of month, Month, day of week, (user name), command
Months are specified using the numbers 1 through 12. The user name is included only if the file is a system crontab file. Some example crontab entries are:
*/10 * * * * root /sbin/rmmod -as Every 10 minutes all unused kernel modules are unloaded.
0 1 * * * find /tmp -atime +3 -exec ls -l {} \; Lists files in /tmp that have not been accessed for more than 3 days. Run at 1:00
0 12 * * mon,tue,wed,thu,fri ls -al Lists files at noon on weekdays (day names must be the three-letter abbreviations).
Redhat comes with the following entries:
01 * * * * root run-parts /etc/cron.hourly Hourly task list, runs at 1 minute after the hour
02 4 * * * root run-parts /etc/cron.daily Daily task list, runs at 4:00AM, 2 minutes after the hour
22 4 * * 0 root run-parts /etc/cron.weekly Weekly task list, runs at 4:00AM, Sunday 22 minutes after the hour
42 4 1 * * root run-parts /etc/cron.monthly Monthly task list, runs at 4:00AM, On the first of the month, 42 minutes after the hour
Note that for weekly and monthly tasks the number of minutes after the hour is staggered so the system does not try to do all jobs at once. Redhat therefore has the following additional directories each containing files with tasking:
• /etc/cron.hourly
• /etc/cron.daily
• /etc/cron.weekly
• /etc/cron.monthly
These are directories, so any executable program placed in one of them will be run on the schedule shown above.
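To see how the five schedule fields are evaluated, here is a small matcher in POSIX sh, an added example that is not part of the guide. It takes a crontab line (anything after the fifth field, such as the user name and command, is ignored) and a minute, hour, day of month, month and day of week, and reports whether the entry fires then. It covers "*", "*/n", lists, ranges and three-letter names, rejects the longer spellings that cron itself rejects, and applies cron's rule that a restricted day-of-month and a restricted day-of-week are combined with "or":

```shell
#!/bin/sh
# Added example (not from the CTDP guide): decide whether a crontab schedule
# fires at a given minute, hour, day of month, month and day of week.
set -f   # cron fields contain '*'; keep the shell from expanding them as file globs

# name_to_num FIELDNO VALUE: print the numeric form of a month (1-12) or
# weekday (0-6, with 7 meaning Sunday) name; other values pass through unchanged.
name_to_num() {
    _v=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$1" in
        4) case "$_v" in
               jan) echo 1;;  feb) echo 2;;  mar) echo 3;;  apr) echo 4;;
               may) echo 5;;  jun) echo 6;;  jul) echo 7;;  aug) echo 8;;
               sep) echo 9;;  oct) echo 10;; nov) echo 11;; dec) echo 12;;
               *) echo "$2";;
           esac;;
        5) case "$_v" in
               sun|7) echo 0;; mon) echo 1;; tue) echo 2;; wed) echo 3;;
               thu) echo 4;;   fri) echo 5;; sat) echo 6;;
               *) echo "$2";;
           esac;;
        *) echo "$2";;
    esac
}

# field_matches FIELDNO SPEC VALUE: succeed (0) if VALUE is covered by SPEC,
# fail (1) if not, return 2 for an item cron would not parse either.
field_matches() {
    _fno=$1; _val=$3
    _old_ifs=$IFS; IFS=','; set -- $2; IFS=$_old_ifs
    for _item; do
        _step=1
        case "$_item" in */*) _step=${_item#*/}; _item=${_item%%/*};; esac
        case "$_item" in
            '*') _lo=0; _hi=99;;            # any value, stepping from 0
            *-*) _lo=$(name_to_num "$_fno" "${_item%-*}")
                 _hi=$(name_to_num "$_fno" "${_item#*-}");;
            *)   _lo=$(name_to_num "$_fno" "$_item"); _hi=$_lo;;
        esac
        case "${_lo}${_hi}${_step}" in
            ''|*[!0-9]*) echo "unparsable cron field item: $_item" >&2; return 2;;
        esac
        [ "$_step" -gt 0 ] || { echo "step must be positive: $_item" >&2; return 2; }
        if [ "$_val" -ge "$_lo" ] && [ "$_val" -le "$_hi" ] \
           && [ $(( (_val - _lo) % _step )) -eq 0 ]; then
            return 0
        fi
    done
    return 1
}

# cron_matches "CRONTAB LINE" MIN HOUR DOM MON DOW: succeed if the schedule
# fires at that moment.  As in Vixie cron, when both the day-of-month and the
# day-of-week field are restricted (do not start with '*'), either may match.
cron_matches() {
    _sched=$1; _m=$2; _h=$3; _dom=$4; _mon=$5; _dow=$6
    [ "$_dow" -eq 7 ] && _dow=0
    set -- $_sched
    [ $# -ge 5 ] || { echo "schedule needs five fields: $_sched" >&2; return 2; }
    field_matches 1 "$1" "$_m"   || return $?
    field_matches 2 "$2" "$_h"   || return $?
    field_matches 4 "$4" "$_mon" || return $?
    _dom_star=0; _dow_star=0
    case "$3" in '*'*) _dom_star=1;; esac
    case "$5" in '*'*) _dow_star=1;; esac
    if [ $_dom_star -eq 0 ] && [ $_dow_star -eq 0 ]; then
        field_matches 3 "$3" "$_dom" || field_matches 5 "$5" "$_dow"
    else
        field_matches 3 "$3" "$_dom" && field_matches 5 "$5" "$_dow"
    fi
}

# Demonstration on two of the entries listed above, at noon on a Wednesday the
# 15th of March and at noon on a Sunday the 19th (times are constructed).
for _line in "*/10 * * * * root /sbin/rmmod -as" "0 12 * * mon,tue,wed,thu,fri ls -al"; do
    for _when in "0 12 15 3 3" "0 12 19 3 0"; do
        if cron_matches "$_line" $_when; then _r=fires; else _r=idle; fi
        echo "$_r at [$_when] <- $_line"
    done
done
```

The day-of-week field is the one people most often get wrong: the "either" rule means "0 0 1 * mon" runs on the first of every month and on every Monday, not only on Mondays that fall on the first.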
There is a crontab program which can be used to install, remove, or list the tables used to drive cron. It has the same name as the configuration file but is a binary program, as you will see if you type "whereis crontab".
Cron runs the following on my system:
• cron.hourly
1. In the file "inn-cron-nntpsend" the command "/sbin/chkconfig innd && su - news -c /usr/bin/nntpsend" is run to support internet news service.
• cron.daily
1. In the file "inn-cron-expire" the command "/sbin/chkconfig innd && su - news -c "/usr/bin/news.daily delayrm" " is run.
2. In the file "inn-cron-expire" the command "/sbin/chkconfig innd && /usr/bin/rnews -U" is run.
3. In the file "logrotate" the command "/usr/sbin/logrotate /etc/logrotate.conf" is run.
4. In the file "makewhatis.cron" a file "/var/lock/makewhatis.lock" is created to keep the cron scripts from stepping on each other. Do a man on makewhatis for more info.
5. In the file "slocate.cron" the command "/usr/bin/slocate -u -f "nfs,smbfs,ncpfs,proc,devpts" -e "/tmp,/var/tmp,/usr/tmp,/afs,/net" " is run to update the file location database.
6. In the file "lsrnpull-expire" the command. Do a "man slrnpull" for more info.
7. In the file "tetex.cron" TeX formats not used for 10 days are removed. "man tmpwatch"
8. In the file "tmpwatch"
• cron.weekly
1. In the file "makewhatis.cron" a file "/var/lock/makewhatis.lock" is created to keep the cron scripts from stepping on each other. The makewhatis command updates the apropos database, which is the database used by the command "man -k". For more information, type "man whatis" or "man apropos".
• cron.monthly contains no files
The system administrator can schedule tasks by adding entries to the /etc/crontab file (see crontab(5)) or, on Redhat Linux, by adding files to one of the cron.hourly, cron.daily, cron.weekly, or cron.monthly directories. Users may be able to schedule cron jobs if the system is configured to allow it. If neither /etc/cron.allow nor /etc/cron.deny exists, then depending on the cron implementation either all users or no users will be able to run cron commands. If /etc/cron.allow exists, the user must be listed there in order to use cron commands. If /etc/cron.deny exists, the user must not be listed there or they will be unable to use cron.
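The allow/deny rule above written out as a function, as an added example that is not part of the guide. The allow and deny file paths are arguments so it can be exercised against constructed files (they default to the /etc locations); the sample user names are made up for the demonstration:

```shell
#!/bin/sh
# Added example (not from the CTDP guide): apply the cron.allow / cron.deny rule.
# Prints "allowed", "denied" or "default" and returns 0, 1 or 2 respectively.
# "default" means neither file exists, where the outcome depends on the cron
# implementation, so an auditor should treat it as "check the build".
cron_access() {
    _user=$1; _allow=${2:-/etc/cron.allow}; _deny=${3:-/etc/cron.deny}
    if [ -f "$_allow" ]; then                 # allow file wins: user must be listed
        if grep -qxF -- "$_user" "$_allow"; then echo allowed; return 0; fi
        echo denied; return 1
    fi
    if [ -f "$_deny" ]; then                  # otherwise user must not be listed in deny
        if grep -qxF -- "$_user" "$_deny"; then echo denied; return 1; fi
        echo allowed; return 0
    fi
    echo default; return 2
}

# Constructed sample files in a temporary directory; prints the directory.
cron_access_demo_dir() {
    _d=$(mktemp -d)
    printf 'alice\nbob\n' > "$_d/cron.allow"
    printf 'mallory\n'    > "$_d/cron.deny"
    echo "$_d"
}

d=$(cron_access_demo_dir)
for u in alice carol mallory; do
    printf '%-8s with cron.allow present: ' "$u"
    cron_access "$u" "$d/cron.allow" "$d/cron.deny" || :
    printf '%-8s with cron.deny only:     ' "$u"
    cron_access "$u" "$d/absent" "$d/cron.deny" || :
done
```

Note that when cron.allow exists, cron.deny is never consulted, so a name in both files is still allowed; that is why an allow list is the stricter configuration.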
One useful entry you can put in the /etc/cron.weekly directory in a file named something like "cleanold.cron" is:
find /var/spool/myspools -mtime +33 -exec rm -f {} \;
This entry will remove all files in the /var/spool/myspools directory whose data was changed more than 33 days ago.
The user (if allowed) can schedule cron tasks by following this procedure:
1. Make a crontab file called for example "mycron".
2. Use the crontab(1) command to submit the command(s) to cron by typing "crontab mycron".
3. You can view what you have installed by typing "crontab -l".
crontab commands:
crontab -e Starts vi session by default to edit your crontab file. To use emacs as your editor, type "export VISUAL=emacs" before typing this command. When you exit the editor, the modified crontab is installed automatically.
crontab -r Removes your crontab entry from the /var/spool/cron directory. Does not erase your original crontab file.
crontab -l Lists all the user's cron tasks.
To use emacs, type "export VISUAL=emacs" before starting crontab.
Keys and Linux Terminal Configuration
To really understand and work with key mapping, you should read the "Support for text" section in the "How Linux Works CTDP Guide". It explains how terminal types are set and the different layers of keymapping along with how to map keys for various applications. Linux keymapping is complex and this section will just give you a short explanation of the various utility programs available, and how to do some specific keymapping. If you must perform custom keymapping, the "How Linux Works CTDP Guide" is necessary.
Linux keymapping is performed on several levels, and many programs such as the shell, less, and emacs have their own support for keymapping. Other programs such as terminal programs use the terminfo or termcap database for keymapping. The main system-wide keymapping the user may deal with is the keymap, which maps each keycode to the ASCII characters that keystroke will produce. A file is created which contains these specific keymappings and it is loaded with the command "loadkeys". There is a man page describing the structure of this file; it can be accessed by typing "man keymaps". There are many symbols in this file that describe values for keys. You can see the value of many of them by typing "dumpkeys --long-info" or "dumpkeys -l". Once the keymap file is created, the easy way to permanently modify the key settings for the system is to edit the file /etc/sysconfig/keyboard and set a new default value such as KEYTABLE="/etc/sysconfig/console/mykeymap".
Console key utilities and files
• Kernel keyboard driver
o kbd_mode - Report or set the keyboard mode to -s (scancode mode, RAW), -k (keycode mode, MEDIUMRAW), -a (ASCII mode, XLATE) or -u (UTF-8 mode, UNICODE). XLATE is the default.
o kbdrate - modify the keyboard repeat rate and delay time after keypress.
o kbdconf - Configures the /etc/sysconfig/keyboard file which specifies the location of the keyboard map file.
• For system key mapping make codes to keycodes
o setkeycodes - used to set a translation between unusual scancodes and keycodes. This utility is not usually needed.
o getkeycodes - Print the kernel scancode to keycode mapping table.
• Mapping keycodes to keymaps
o dumpkeys - dump keyboard driver translation tables in the format specified by keymaps. The output of this program will look similar to the keytable file in "/usr/lib/kbd/keytables/*.map" and the output can be saved to a file, and used to generate a new file to be used with the "loadkeys" command.
o loadkeys - Load the keyboard translation table into the system from a specified file. Type "loadkeys -d" or "loadkeys defkeymap" to load the default keymap. Changes keys for all virtual consoles. The keyboard translation table set in the kernel (compiled in) is in the file "/usr/src/linux/drivers/char/defkeymap.map". To change the kernels keymap without having to load a new table after booting, you must modify the file, then re-compile the kernel. You would only need to do this to modify keymaps for remote boot systems that don't have access to all system programs.
o setmetamode - define the keyboard meta key handling. Controls whether the keystroke
• Debugging tools
o showkey - Examine the scancodes and keycodes sent by the keyboard. Options are -s (show scancodes) -k (show keycodes, default) -m (show keymap). This program outputs key values that the user presses on the keyboard. The program terminates when no keys are pressed for 10 seconds.
• Termcap and terminfo
o tic - Compiler for terminfo.
o infocmp - Used to examine terminfo files.
o /etc/termcap - The termcap database file.
o /usr/share/terminfo - The directory structures containing the terminfo compiled database.
• Other tools
o consolechars - Load console screen font (was called setfont). The directory "/usr/lib/kbd/consolefonts/" is the default directory for fonts. "/usr/lib/kbd/consoletrans" is the default directory for ACM's and SFM's.
o psfaddtable - Add a Unicode character to a console font.
o psfgettable - Extract the Unicode character table from a console font.
o psfstriptable - Remove the Unicode character table from a console font.
• For terminals and terminal key mapping
o mesg - Turn other users' ability to write messages to your terminal on or off. "mesg on" turns it on.
o stty - Print or change the terminal line settings.
o setterm - Set terminal attributes.
o tput - Initialize a terminal or query terminfo database.
o setleds - Set or output the keyboard LED settings for caps lock, num lock, and scroll lock.
o setfont - Never use unless you know what you are doing. There is no man page for this command.
o chvt - Change virtual terminal. Usage: chvt 3.
o deallocvt - Deallocate unused virtual terminals.
• For X
o xmodmap - Used to modify keymaps and pointer button mappings in X. Map X keycodes to keysyms. Usage "xmodmap mykeys.map".
o xkeycaps - A GUI front end to xmodmap.
o xev - Allows you to see key make and breaks generated on a window.
o showfont - font dumper for X font server
o xset - Set user preferences for the display.
o /etc/X11/xinit/Xmodmap or $HOME/.Xmodmap - File(s) that can be used to set keycode mapping in X.
o $HOME/.Xinitrc - A file run when X starts that is a script file. The program "xmodmap" can be invoked in this file to set keymappings for X.
o $HOME/.Xresources - Another file where keymappings may be changed for X.
• Bash
o /etc/inputrc or $HOME/.inputrc - Where Bash keymapping is done.
• Less
o $HOME/.lessrc - Where keymapping is done for less.
• Emacs
o $HOME/.emacs - Where keymapping is done for emacs.
• tcsh
o bindkey - A builtin supplied by tcsh to allow key bindings to be set.
o $HOME/.cshrc
Setting Keystrokes
The stty command - Used to set up keystrokes on terminals
The command
Characters that are specified:
• eof - End of file
• eol - End of line
• eol2 - Alternate character for ending a line
• erase - Erase the last character typed
• intr - The specified character will send an interrupt signal
• kill - Erase the current line.
• quit - Sends a quit signal.
• start - Restart output after having stopped it.
• stop - Stops the output.
• susp - Sends a terminal stop signal
• switch - Switch to a different shell layer
• werase - erase the last word typed.
setterm -foreground white -background blue Sets white foreground and blue background
setterm -store Stores the present terminal values as default
Keys and terminal configuration
Special command line keys:
• CTRL U - Delete the line
• CTRL C - Abort command
• CTRL Z - Suspend command, Type fg to put it back into the foreground
• CTRL D - End of file, exits the shell
• CTRL W - Delete a word backwards
• CTRL \ - Quit, weaker than CTRL C but produces a core dump.
• CTRL S - Stop scrolling, may use "scroll lock" for this function.
• CTRL Q - Resume scrolling
Emacs keymapping
To modify the keymap in emacs so pressing the end key will move the cursor to the end of a line rather than the end of file, add the following lines to your user's $HOME/.emacs file:
(define-key function-key-map "\e[4~" [end])
(global-set-key [end] 'end-of-line)
Choosing a Backup Tool
Linux has several tools for backing up and restoring files
dump / restore : Old tools that work with filesystems, rather than files, and can back up unmounted devices. Although you can easily control what is backed up with dump by editing a single column in the /etc/fstab file, for some reason these utilities have fallen into disuse. Today, many distributions of Linux, including Debian, do not even include them by default. If you want to use dump and restore, you must install them yourself.
tar : A standard backup tool, and by far the easiest to use. It is especially useful for backing up over multiple removable devices using the -M option.
cpio : A very flexible command, but one that is hard to use because of the unusual way in which the command must be entered.
Linux LILO and Runlevels
There is a LILO mini howto located on Linux websites such as The Linux Documentation Project and Metalab's Index of Linux publications. Also these howtos are likely to be on your system in the /usr/doc/HOWTO directory.
LILO is a boot loader that resides on your hard disk that can boot several operating systems. It runs when the system boots from the hard drive and boots the Linux kernel image stored there. To select an operating system other than the default at bootup, press
The file /etc/lilo.conf holds the configuration for the boot loader program that will be installed on the boot sector of a partition. When the command "lilo" is issued, the configuration file is read and a binary boot loader built from its contents is installed on the boot record.
Installing and Configuring LILO
To install LILO, edit the configuration file, /etc/lilo.conf. The command "/sbin/lilo" rewrites the modified lilo.conf configuration to the boot sector of the hard disk, and must be run every time you modify lilo.conf or your kernel.
Some options you may want are:
• vga=ask
LILO will prompt the user for a video mode at boot time. Normal is the standard 80x25 display, extended is 80x50. To select a mode, first run with the option "vga=ask" and note the listed modes, then set "vga=mode" where "mode" is one of the numeric values listed. On my system I have the following modes listed.
o 0 - 80x25
o 1 - 80x50
o 2 - 80x43
o 3 - 80x28
o 4 - 80x30
o 5 - 80x34
o 6 - 80x60
o 7 - 132x25
o 8 - 132x43
To select 132x43 I will set the mode "vga=8".
• initrd=/boot/initrd-2.2.14.img
This command allows the kernel to boot from a RAM disk image. This is necessary if the kernel requires a device supported by a module in order to boot. The kernel version in this example is 2.2.14, but your version may be different. The image file can be created using the "mkinitrd" command. Read the section about compiling the kernel for more information.
• append="mem=128M"
Used on older systems (kernels) that cannot detect more than 64M of memory; the example tells the kernel the system has 128M. If you have a multiple boot Linux system, you will need to run LILO on each installation for this option to take effect on each. Use the "free" command to see how much memory is available to your system and therefore whether you need this option.
• linear
The option "linear" may be needed if you have a partition with more than 1024 cylinders or a SCSI drive. This option generates linear sector addresses rather than sector, head, cylinder addresses. This is useful for large drives but should not affect a system that works properly.
The LILO configuration file contains a section for each operating system that you can boot. The best way to demonstrate this is with an example. The lilo.conf file below is for a system which has a Linux root partition on /dev/hda2 and a MS-DOS partition on /dev/hda1.
boot = /dev/hda # Tell LILO to install the boot loader on the /dev/hda disk boot record
vga = normal # Set a normal video mode
delay = 60 # The time in tenths of seconds to press
# Equivalent would be "prompt" on one line, and "timeout=60" on
# another line.
default=msdos # Sets the default boot to DOS, Without this line, the default is the first stanza
install = /boot/boot.b # The file containing the boot sector to use
compact # Have LILO perform some optimization.
map = /boot/map # Specifies the map file LILO creates when installed
# Section for Linux root partition on /dev/hda2.
image = /vmlinuz # Location of kernel
label = linux # Name of the OS that is displayed in the LILO boot menu
root = /dev/hda2 # Location of root partition, if this isn't here the kernel image must have
# this set using the rdev command
read-only # Mount read only on startup, Can also be set by rdev
# Section for MSDOS partition on /dev/hda1.
other = /dev/hda1 # Location of partition
table = /dev/hda # Location of partition table for /dev/hda1
label = msdos # Name of OS (for boot menu)
The first operating system is normally the default operating system for LILO to boot, but the default command was used to change this. There's no need to use the rdev program to set the root partition in the kernel image if you use the "root=" command as in this example.
The options used above are described in the lilo.conf man page, invoked by typing "man lilo.conf". The option "boot = /dev/hda" is very important and defines which boot record the LILO boot loader will be installed on. The table option in the section "other" is optional, but if used, lilo must be reinstalled any time your drive partitions are changed. Other than that, the comments above explain the options well.
If you install Windows 95 or 98, the LILO boot manager will be overwritten by windows. If you are going to do this after installing LILO, create a boot disk first. Boot Linux with the boot disk and re-install LILO after the Windows installation is done. LILO is re-installed by typing, as root, the command "lilo". Partitions with Windows 95 or 98 can be configured to boot with LILO using similar lilo.conf entries to those to boot DOS.
To run Linux in single user mode from LILO, at the boot prompt type "rhl single", where rhl is the name of the Linux selection under LILO that you want to boot. This mode will not normally require a password for access. To prevent others from running the operating system in single user mode without a password, add the following lines at the end of the image section:
password="my_password"
restricted
Where "my_password" is the actual password to be entered when the user enters single user mode. This makes LILO ask for a password any time a user boots this image in single user mode. If you do this, make the "/etc/lilo.conf" file readable only by root so normal users can't read the password.
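A check for the last point, as an added example that is not part of the guide: it looks for a "password=" line in a lilo.conf and warns when the file's mode lets group or other read it. The path argument lets it run against a copy (it defaults to /etc/lilo.conf); the sample file, its password value and the use of GNU stat are assumptions for the example:

```shell
#!/bin/sh
# Added example (not from the CTDP guide): verify that a lilo.conf carrying a
# boot password is readable only by its owner.  Returns 0 when fine, 1 when
# the file would leak the password, 2 when the file cannot be read.
lilo_password_check() {
    _f=${1:-/etc/lilo.conf}
    [ -r "$_f" ] || { echo "cannot read $_f"; return 2; }
    if ! grep -q '^[[:space:]]*password[[:space:]]*=' "$_f"; then
        echo "ok: no password= entries in $_f"
        return 0
    fi
    _mode=$(stat -c '%a' "$_f")       # GNU stat: permission bits in octal, e.g. 644
    case "$_mode" in
        *00) echo "ok: $_f holds a boot password and is mode $_mode"; return 0;;
        *)   echo "WARNING: $_f holds a boot password but is mode $_mode (group/other can read it; use chmod 600)"
             return 1;;
    esac
}

# Constructed sample written to a temporary file; the password is a placeholder.
lilo_demo_file() {
    _d=$(mktemp -d)
    cat > "$_d/lilo.conf" <<'EOF'
image = /vmlinuz
    label = linux
    root = /dev/hda2
    read-only
    password = "PLACEHOLDER_PASSWORD"
    restricted
EOF
    echo "$_d/lilo.conf"
}

f=$(lilo_demo_file)
chmod 644 "$f"; lilo_password_check "$f" || :    # the default mode of a freshly created file
chmod 600 "$f"; lilo_password_check "$f"         # what the text recommends
```

The mode test accepts any mode whose group and other digits are zero (600, 400, 700), since all of them keep the password from other users.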
NOTES:
DOS should always be installed before Linux due to differences in the DOS and Linux LILO boot sectors.
To copy your MBR to a floppy using 512-byte blocks: "dd if=/dev/hda of=/fd/MBR bs=512 count=1"
To restore the boot record (only the first 446 bytes, which leaves the partition table untouched): "dd if=/fd/MBR of=/dev/hda bs=446 count=1"
Setting parameters for Disk Drives
Some systems may have difficulty with hard disks that do not allow the disk parameters (heads, sectors per track, and cylinders) to be read. If disk errors make the LILO installation fail, the disk parameters may be the problem. This is especially true with SCSI and large drives. It may be necessary to manually enter the disk parameters in the "/etc/disktab" file to solve this problem. BIOS numbers your disks depending on the type of device. Numbers are in hex. Some documentation I have read indicates the numbers for various disks start as follows:
Floppy drives - 100.
The first hard disk - 301.
The second HD - 341.
SCSI - 801.
Second SCSI - 811.
Some documentation indicates these numbers, however I am not sure how accurate this is. According to the LILO man page the BIOS numbers hard disks starting at 0x80. If you have a problem in this area you may need to do some experimentation to get it to work.
Example file:
disk=/dev/sda
bios=0x80
disk=/dev/hda
bios=0x81
Other possible format (A SCSI drive with 2 partitions):
# Dev. Num BIOS code Secs/track Heads/cyl Cyls Part. Offset
0x800 0x80 32 64 1714 0
0x801 0x80 32 64 1714 1001
Removing LILO
To remove LILO from MS-DOS type "fdisk /MBR".
To remove LILO from Linux type "lilo -u /dev/hda", or "dd if=/boot/boot.0300 of=/dev/hda bs=446 count=1". Only 446 bytes should be copied to the MBR. If the hard drive is SCSI, the filename is boot.0800. Make sure that when LILO was installed this was a correct copy of the MBR and not a bogus copy from a Linux distribution.
Changing Runlevels
A runlevel is a software configuration of the system that allows only a selected group of processes to exist. Init can run the system in one of eight runlevels. The main runlevels are 0-6. The system runs in only one of these runlevels at a time. Typically these runlevels are used for different purposes. For Redhat Linux version 6, they are:
0 - halt
1 - Single user mode
2 - Multiuser, without NFS (The same as 3, if you don't have networking)
3 - Full multiuser mode
4 - unused
5 - X11
6 - Reboot
These runlevels can be configured by the administrator. The "/etc/inittab" file instructs init which runlevel to start the system at and describes the processes to be run at each runlevel. For a deeper explanation, read my article on "How Linux Works" or "The Linux Startup Reference Manual"
A running system can be taken to single user mode by using the telinit command to request run level 1 as follows:
telinit 1
It can be entered when the system boots by giving the word "single" or "emergency" on the kernel command line. This can be done at the LILO prompt after pressing the
Entering single user mode is necessary when a damaged filesystem needs to be repaired. You can run the program fsck to check the filesystem when the damaged partition is not mounted or in use.
LILO and the rdev program
You may have noticed that there are some parameters in LILO that can also be set by a program called rdev. The rdev program is a program that is used to set the following:
• The root partition (root device). The command "rdev vmlinuz /dev/hda2" will set the root device to be /dev/hda2 on the kernel image vmlinuz (rdev with no option sets the root device; "-s" sets the swap device, see below). In LILO the command "root=/dev/hda2" will set the root device.
• The video mode. The command "rdev -v vmlinuz 1" will set the video mode as though the key 0 (the first selection) were pressed at the video mode prompt. In LILO the command "vga=ask" will cause the system to prompt for the video mode. You are better off using LILO to set the video mode.
The commands shown above are examples and the actual names and values used may be different for your system. The program rdev is used to modify the kernel image file so that it will know where such things as the root device are without LILO passing this information to the kernel. Therefore if you set these parameters in your kernel image file using rdev, you will not need to set it using LILO. Conversely if you do not set these commands using rdev, you will need to set them in your /etc/lilo.conf file and update LILO when you do a kernel recompile or make other changes affecting one or more of these parameters.
One system parameter LILO can set that rdev cannot set is the amount of system memory with the command, append="mem=128M". This command sets the memory to 128M.
In addition, rdev provides the ability to set the following parameters that LILO can't set:
• The swap partition (swap device). The command "rdev -s vmlinuz /dev/hda3" will set the swap device. There is no command in LILO to do this.
• Set the RAMDISK size in kilobytes. The command "rdev -r vmlinuz 627" will set a RAM disk of 627K.
• Some root flags
Managing Linux Users
Linux Commands for managing users:
• adduser(8) - Command used to add user accounts.
• chage (1) - Used to change the time the user's password will expire.
• chfn(1) - Change a user's finger information
• chsh(1) - Change a user's shell.
• chgrp (1) - Changes the group ownership of files.
• chown (1) - Change the owner of file(s) to another user.
• gpasswd (1) - Used to administer the /etc/group file.
• groupadd (8) - Create a new group.
• grpconv (8) - Creates /etc/gshadow from the file /etc/group which converts to shadow passwords.
• grpunconv (8) - Uses the files /etc/group and /etc/gshadow to create /etc/group, then deletes /etc/gshadow, which converts from shadow group passwords.
• groupdel (8) - Delete a group
• groupmod (8) - Modify a group
• groups (1) - print the groups a user is in
• grpck (8) - Verify the integrity of group files.
• id(1) - Print group or user ID numbers for the specified user.
• newgrp(1) - Allows a user to log in to a new group.
• newusers (8) - Update and create new users in batch form.
• nologin (5) - Prevent non-root users from logging onto the system.
• passwd (1) - Used to update a user's password. The command "passwd username" will set the password for the given user.
• pwconv (8) - Used to create the file /etc/shadow from the file /etc/passwd to convert to shadow passwords.
• pwunconv (8) - Uses the files /etc/passwd and /etc/shadow to create /etc/passwd, then deletes /etc/shadow to convert from shadow passwords.
• su (1) - run a shell with substitute user and group IDs
• useradd (8) - Create a new user or update default new user information
• userdel (8) - Delete a user account and their files from the system. The command "userdel -r newuser" will remove the user and deletes their home directory.
• usermod (8) - Modify a user account.
Other useful commands/examples:
find / -user username -ls Gives a list of all files owned by username.
chown -R myuser /home/myuser Changes ownership of all files in myuser's home directory to myuser.
chmod +s filename Sets the setuid and setgid bits on filename so that it runs with the file owner's privileges.
Files
• /etc/passwd - Where the user's name, and other pertinent information are stored. This includes the password unless your system is using shadow passwords.
• /etc/shadow - Where the user's password is stored if you are using shadow passwords.
• /etc/group - Where group names are stored.
• /etc/aliases - Where the user's name is matched to a nickname for e-mail.
• /etc/sudoers - A list of users with special privileges along with the commands they can execute.
File Formats
Note group ID numbers start at 100 and user ID numbers start at 500. The file /etc/group gives groups
The /etc/passwd file:
username:password:uid:gid:gecos:homedir:shell
Gecos contains information about the user, including the real name. Shell is the name and path of the user's default shell program.
The /etc/group file:
groupname:password:gid:members
If the entry "bigclown:*: mark,george" is in the group file, the users mark and george are members of the bigclown group.
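An audit over records in these two formats, as an added example that is not part of the guide. It applies the checks an administrator most wants from /etc/passwd (empty password fields, uid 0 accounts other than root, duplicate uids, malformed records) and resolves a group's membership from both the member list in the group file and the users whose primary gid in the passwd file is that group. The sample records are constructed for the example; pass real file paths to audit a system:

```shell
#!/bin/sh
# Added example (not from the CTDP guide): audit passwd/group format records with awk.

# audit_passwd PASSWD_FILE: print one finding per line (nothing when clean).
audit_passwd() {
    awk -F: '
        NF != 7                  { printf "malformed record on line %d: %s\n", NR, $0; next }
        $2 == ""                 { printf "empty password field: %s\n", $1 }
        $3 == 0 && $1 != "root"  { printf "uid 0 account other than root: %s\n", $1 }
        $3 in seen               { printf "duplicate uid %s: %s and %s\n", $3, seen[$3], $1; next }
                                 { seen[$3] = $1 }
    ' "$1"
}

# group_members GROUP_FILE PASSWD_FILE GROUPNAME: list members, one per line, sorted.
group_members() {
    awk -F: -v g="$3" '
        FNR == NR { if ($1 == g) {            # first file: the group record
                        gid = $3; n = split($4, m, ",")
                        for (i = 1; i <= n; i++) if (m[i] != "") seen[m[i]] = 1
                    }
                    next }
        gid != "" && $4 == gid { seen[$1] = 1 }   # second file: users with that primary gid
        END { for (u in seen) print u }
    ' "$1" "$2" | sort
}

# Constructed sample files in a temporary directory; prints the directory.
# "toor" is a deliberately bad record: empty password field and a second uid 0.
audit_demo_files() {
    _d=$(mktemp -d)
    cat > "$_d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
mark:x:500:100:Mark Example:/home/mark:/bin/bash
george:x:501:100:George Example:/home/george:/bin/bash
backup:x:502:102:Backup account:/var/backup:/bin/sh
toor::0:0:second root:/root:/bin/bash
EOF
    cat > "$_d/group" <<'EOF'
users:x:100:
bigclown:*:101:mark,george
backup:x:102:
EOF
    echo "$_d"
}

d=$(audit_demo_files)
echo "findings:"
audit_passwd "$d/passwd"
echo "members of bigclown:"
group_members "$d/group" "$d/passwd" bigclown
echo "members of backup (primary gid only):"
group_members "$d/group" "$d/passwd" backup
```

Run against the real files with "audit_passwd /etc/passwd" and "group_members /etc/group /etc/passwd wheel"; on a shadow-password system the password field holds "x", so the empty-field check is the one that catches an account that can be entered without a password.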
Examples
To add a user, while logged in as root, type "adduser username".
To set a user password, while logged in as root or the user that will be changed, type "passwd username". If "passwd" is typed, the password will be changed for the user, you are logged in as.
To remove a user, while logged in as root, type "userdel -r username". This will remove the user's home directory. You can delete the user without the "-r" option and delete the user's home directory manually. If the group the user was in, is no longer needed, you may delete it by editing the "/etc/group" file.
The file "/etc/aliases" is where the user's real name is matched to their user name for e-mail accounts. Add users to this file in the form:
Firstname,Lastname:username
Then update the database by typing "newaliases".
User Process Accounting
Process accounting is supported by new kernels. To use this feature, you'll need to get the acct-1.3.73.tar.gz package or later. The package contains some programs used to manage users. The following commands are useful for user accounting:
• ac(1) - Print statistics about users' connect time.
• accton (8) - Turn on accounting of processes. To turn it on type "accton /var/log/pacct".
• last(1) - Shows a list of users who have logged in.
• lastb(1) - Shows failed login attempts. This command requires the file /var/log/btmp to exist in order to work. Type "touch /var/log/btmp" to begin logging to this file.
• lastcomm (1) - Display information about previous commands in reverse order. Works only if process accounting is on.
• sa(8) - Generates a summary of information about users' processes that are stored in the /var/log/pacct file.
• utmpdump(1) - Used for debugging.
• who(1) - Find out what users are logged onto the system.
Files that hold accounting information
• /var/log/wtmp - Stores information about all logins and logouts.
• /var/run/utmp - Stores information about who is currently on the system and is used by the who command.
• /var/log/btmp - Used to store information about failed logins.
The /var/log/wtmp file, contains the following information:
• Type of Login
• Process ID of login process
• The device name of the tty used
• The init ID or abbreviated ttyname
• User Name
• Hostname for remote login
• Exit Status of a process
• The session ID
• The time entry was made
• IP address of remote host
See the man page for wtmp(5) for more information.
User Quotas
The ability to set quotas limits a user's disk storage by setting:
1. The number of inodes the user or group may use.
2. The number of disk blocks a user or group may use.
This limits the user's ability to use up all system resources. It only works on ext2 filesystems. Quotas must be set for each filesystem that the user may use. The kernel must have quota support compiled in.
Commands used to set quotas and limits are:
• edquota(8) - Used to edit user or group quotas. This program uses the vi editor to edit the quota.user and quota.group files. If the environment variable EDITOR is set to emacs, the emacs editor will be used. Type "export EDITOR=emacs" to set that variable.
• quota(1) - Display users' limits and current disk usage.
• quotaoff(8) - Turns system quotas off.
• quotaon(8) - Turn system quotas on.
• quotacheck(8) - Used to check a filesystem for usage, and update the quota.user file.
• repquota(8) - Lists a summary of quota information on filesystems.
• ulimit - A bash builtin command for setting the processes a user can run. The command "ulimit -n 9000" will set the limit on open files to 9000.
Files:
• /etc/mtab
• quota.user - Resides on the filesystem quotas are being set on.
• quota.group
Read the Quota mini howto for more information. Here's roughly what is needed to enable and set quotas:
1. In your startup scripts, you should use the quotacheck and quotaon commands to start quota checking at system startup. Read the "How Linux Works" or the "Linux Startup Manual" for more information on startup scripts. This is already set up properly in most current versions of Linux.
2. In the /etc/fstab file, add the mount options "usrquota" and "grpquota". You only need "grpquota" if you are going to set group quotas also. An example entry:
   /dev/hda2 / ext2 defaults,usrquota,grpquota 1 1
3. Issue the following commands, where "fs" is the name of the filesystem where quotas are to be set. The first two commands create the quota files, and the second two commands keep users from accessing those files.
   touch /fs/quota.user
   touch /fs/quota.group
   chmod 600 /fs/quota.user
   chmod 600 /fs/quota.group
4. If you use emacs rather than vi to edit files, type "export EDITOR=emacs". You may want to add this command to your shell startup script such as $HOME/.bash_profile.
5. Type "edquota username" to edit the quota file. You get a screen like this:
   Quotas for user george:
   /dev/hda2: blocks in use: 10672, limits (soft = 0, hard = 0)
   inodes in use: 1856, limits (soft = 0, hard = 0)
   /dev/hda3: blocks in use: 0, limits (soft = 0, hard = 0)
   inodes in use: 0, limits (soft = 0, hard = 0)
Linux Passwords
Most versions of Linux come with the shadow password suite of software already installed. This suite of software is recommended to enhance security since all users must be able to access the /etc/passwd file. With full access to this file, a "crack" program can be used by any user to extract all passwords on the system. The shadow password software places the actual encrypted passwords into the /etc/shadow file making this file readable only by the root user. If your system has the file /etc/shadow, you probably already have shadow passwords installed.
Linux Shadow Passwords
If your system did not come with shadow passwords and you are going to install it you will want to read the Shadow-Password-HOWTO and roughly do the following.
1. Find the latest shadow password suite that will work on your system
2. Backup a copy of your files listed above that the shadow password suite will replace.
3. Install the shadow password suite.
4. Remove old man pages that may interfere with you seeing the correct replacement man pages that came with the shadow password suite.
5. run pwconv which creates /etc/npasswd and /etc/nshadow
6. Backup /etc/passwd and copy the files /etc/npasswd and /etc/nshadow to /etc/passwd and /etc/shadow respectively.
7. Be sure the /etc/shadow and /etc/passwd owners and permissions are the same as shown in listings in this manual.
8. Verify you can login
9. When you are sure the system runs OK, remove backup files such as the backed up copy of /etc/passwd.
10. You may need to upgrade your xlock program to get X working. xlock is the screen saver used to lock the screen.
11. xdm presents the login screen for X. You may need to upgrade xdm.
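The conversion of steps 5 and 6, carried out on sample files as an added example (this is not part of the original guide, nor the shadow suite's own pwconv code): a scratch directory stands in for /etc, the passwd lines and hash strings are constructed, and the helper names are this example's own. It ends with the check a practitioner runs after step 7: no hash left in the world-readable passwd, and a shadow file that only its owner can read.

```bash
#!/bin/sh
# Added example, not from the original guide: what pwconv does, carried out
# on constructed sample files in a scratch directory so nothing on the real
# system is touched, followed by the checks to run afterwards.

# Constructed sample of a pre-shadow passwd file: the hash sits in field 2.
SAMPLE_PASSWD='root:$1$abcdefgh$ijklmnopqrstuvwxyz012:0:0:root:/root:/bin/bash
george:$1$zyxwvuts$rqponmlkjihgfedcba987:500:500:George Jones:/home/george:/bin/bash
nobody:*:99:99:Nobody:/:/sbin/nologin'

# demo_pwconv DIR: write DIR/passwd.old, then split it into DIR/passwd
# (hash replaced by "x") and DIR/shadow (name:hash:lastchg:min:max:warn:...).
demo_pwconv() {
    printf '%s\n' "$SAMPLE_PASSWD" > "$1/passwd.old"
    awk -F: -v OFS=: '{ print $1, $2, 11000, 0, 99999, 7, "", "", "" }' \
        "$1/passwd.old" > "$1/shadow"
    awk -F: -v OFS=: '{ $2 = "x"; print }' "$1/passwd.old" > "$1/passwd"
    chmod 644 "$1/passwd"   # everyone may read names, UIDs and shells
    chmod 600 "$1/shadow"   # only the owner (root on a real system) reads hashes
}

# exposed_hashes FILE: number of passwd entries that still carry a hash.
# "x" means "see shadow"; "*" and "!" are locked accounts with no hash.
exposed_hashes() {
    awk -F: '$2 != "x" && $2 != "*" && $2 != "!" && $2 != "" { n++ }
             END { print n + 0 }' "$1"
}

# perm_string FILE: the mode column of "ls -l", e.g. -rw-------
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# shadow_audit PASSWD SHADOW: fails if any hash is exposed in PASSWD or if
# SHADOW is readable by group or others (modes 600, 400 and 000 pass).
shadow_audit() {
    [ "$(exposed_hashes "$1")" = 0 ] || return 1
    case "$(perm_string "$2")" in
        -r[w-]-------|----------) return 0 ;;
        *) return 1 ;;
    esac
}
```

Run the audit against the real files as root once the suite is installed: "exposed_hashes /etc/passwd" should print 0 and "perm_string /etc/shadow" should show no group or other bits.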
Linux Configuration and Diagnostic Tools
System and Network Configuration
• linuxconf - A GUI interactive interface available on Redhat 6.0 or later which includes netconf configuration.
• netconf - A GUI interactive interface available on Redhat 6.0 and later.
• kbdconf - A Redhat Linux tool which configures the /etc/sysconfig/keyboard file which specifies the location of the keyboard map file. This is a GUI based tool.
• mouseconfig - A Redhat Linux tool used to configure the /etc/sysconfig/mouse file. This is a GUI tool.
• timeconfig - A Redhat Linux tool used to configure the /etc/sysconfig/clock file. This is a GUI tool used to set timezone and whether or not the clock is set to GMT time.
• kernelcfg - A Redhat kernel configuration utility to be started from X.
• stty - Change and print terminal line settings, for the console and serial devices.
• setterm - Set terminal attributes.
• vmstat - Report statistics on virtual memory.
X Configuration
• XF86Setup - A newer X configuration program with a GUI interface which modifies the "/etc/X11/XF86Config" configuration file.
• xf86config - An older X configuration program with a text based interface. It also modifies the "/etc/X11/XF86Config" configuration file.
• Xconfigurator - The Redhat tool used during system setup to configure X.
• SuperProbe - A program that probes the video card to determine its type for use with setting up X.
• xvidtune - This program will test video modes on the fly without modification to your X configuration. Read the /usr/X11R6/lib/X11/doc/VideoModes.doc file before running this program.
Library and kernel Dependency Management
Library management:
• ldd - Lists the shared libraries a binary uses. Type "ldd /bin/ls" to see the shared libraries used by the "ls" command. Do not run ldd on an untrusted binary: it works by invoking the dynamic loader on the file, and with some loaders that can run code from the binary itself.
• ldconfig - Used to update links and cache for system use of the most recent runtime shared libraries.
Kernel Management:
• lsmod - List currently installed kernel modules.
• depmod - Creates a dependency file, "modules.dep" in the directory "/lib/modules/x.x.x", later used by modprobe to automatically load the relevant modules.
• insmod - Installs a loadable kernel module into the running kernel.
• rmmod - Unloads modules, Ex: rmmod ftape
• modprobe - Loads a module together with any modules it depends on, using the dependency information in "modules.dep".
General Diagnostic
System resources
• free - Show system memory availability and usage
• df - Show the amount of disk free space on each mounted filesystem.
• du - Show disk usage
• lspci - List PCI devices
• pnpdump - Lists ISA PNP device resource information.
• vmstat - Reports virtual memory statistics.
Other:
• env - List the current environment variables.
• printenv - Print a copy of the environment.
• set - Shows how the environment is set up. This command can be very useful when debugging the environment.
• runlevel - List the current and previous runlevel.
• uname - Print system information. In my case, it prints "Linux".
• dmesg - Print the kernel's message buffer: the messages printed during boot and any kernel messages since.
Linux Mail
This page is not complete yet!
Linux Sendmail
Sendmail is the most used mail daemon with Linux and is probably already installed on your system. Its configuration file is "/etc/sendmail.cf". Also /etc/sendmail.hf, /etc/aliases, /etc/aliases.db are useful files with sendmail. Sendmail provides full SMTP support. Many server systems may use sendmail, however clients normally use POP or IMAP protocols and the supporting software to get mail from the mailbox server.
Compiling Sendmail
The sendmail program can be found at http://www.Sendmail.org/ and the current version is 8.10.1.
1. Download the sendmail_8_10_1.tar.gz file into the /usr/local directory.
2. Unpack it with the command "tar xvzf sendmail_8_10_1.tar.gz".
3. Change directories to sendmail-8.10.1
4. Read the INSTALL file for further installation instructions, which are something like the following:
1. Type "sh Build"
2. Type "cd cf/cf".
3. cp generic-linux.mc config.mc
4. cd ..
5. less README
6. cd cf
7. emacs config.mc
8. sh Build config.cf
9. Back up your /etc/sendmail.cf file and current sendmail binary file.
10. Install config.cf as /etc/mail/sendmail.cf and copy the sendmail binary to /usr/sbin. The compiled binary is in obj.Linux2.2.14.i686/sendmail/.
Sendmail configuration files
1. /etc/aliases
2. /etc/sendmail.cf or /etc/mail/sendmail.cf
The aliases file
This is where mail aliases are defined. There are two mandatory aliases that must be present listed below:
MAILER-DAEMON: postmaster
postmaster: root
There are 5 optional types:
• conversion of mail name to unix user name. EX: "george_jones: george"
• expand a name into a list of names EX: "friendlybunch: tom, george, fred, mike". EX: "staff: melissa, tom, george, mark"
• mailing list, Sendmail will read a file and use the names in the file as a list of addressees. EX: "filebunch: :include: /usr/local/manyonteam"
• Alias a name to a file, so mail is appended to that file (or discarded, as here). EX: "nobody: /dev/null"
• Replace a name by a program, so mail is piped to it. EX: "myhelp: |/usr/local/bin/helpme". The program runs with the mailer's privileges, which is why the restricted shell smrsh is used with sendmail to limit which programs may be named this way.
Here is a typical alias file from Redhat 6.1:
# @(#)aliases 8.2 (Berkeley) 3/5/94
#
# Aliases in this file will NOT be expanded in the header from
# Mail, but WILL be visible over networks or from /bin/mail.
#
# ********** The program "newaliases" must be run after
# ** NOTE ** this file is updated for any changes to
# ********** show through to sendmail.
#
# Basic system aliases -- these MUST be present.
MAILER-DAEMON: postmaster
postmaster: root
# General redirections for pseudo accounts.
bin: root
daemon: root
games: root
ingres: root
nobody: root
system: root
toor: root
uucp: root
# Well-known aliases.
manager: root
dumper: root
operator: root
# trap decode to catch security attacks
decode: root
# Person who should get root's mail
root: mark
#User aliases
mark.zehner: mark
george.jones: george
After modifying the alias file you can rebuild it with the command
newaliases
or
sendmail -bi
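An added example (not part of the original guide or of sendmail itself) that reads an aliases file in the format shown above. It resolves an alias to the mailboxes it finally reaches, following chains such as postmaster to root to mark, and flags the alias types that hand control to something other than a mailbox: program aliases, file aliases and :include: lists. The sample file, the loop at its end and the function names are constructed for this example.

```bash
#!/bin/sh
# Added example, not from the original guide: a checker for a sendmail-style
# aliases file. Sample content below is constructed, modelled on the
# Redhat alias file shown above.

SAMPLE_ALIASES='# Basic system aliases -- these MUST be present.
MAILER-DAEMON: postmaster
postmaster: root
# trap decode to catch security attacks
decode: root
root: mark
staff: melissa, tom, george, mark
filebunch: :include: /usr/local/manyonteam
nobody: /dev/null
myhelp: |/usr/local/bin/helpme
mark.zehner: mark
# a deliberate loop, to show the loop check
ping: pong
pong: ping'

# resolve_alias FILE NAME: print the final recipients of NAME, one per
# line. Chains are followed; a cycle is reported as "LOOP".
resolve_alias() {
    awk -v target="$2" '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    function expand(n, depth,    cnt, i, parts) {
        if (depth > 16) { print "LOOP"; return }
        if (!(n in alias)) { print n; return }
        cnt = split(alias[n], parts, ",")
        for (i = 1; i <= cnt; i++) expand(trim(parts[i]), depth + 1)
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    {
        p = index($0, ":")          # only the first colon separates name and value
        if (p == 0) next
        alias[trim(substr($0, 1, p - 1))] = trim(substr($0, p + 1))
    }
    END { expand(target, 0) }' "$1"
}

# risky_aliases FILE: aliases whose target is a program, a file or an
# :include: list; each runs or reads with the mailer's privileges.
risky_aliases() {
    awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    {
        p = index($0, ":"); if (p == 0) next
        name = trim(substr($0, 1, p - 1)); rhs = trim(substr($0, p + 1))
        if (rhs ~ /^\|/)             print name ": program"
        else if (rhs ~ /^\//)        print name ": file"
        else if (rhs ~ /^:include:/) print name ": include-list"
    }' "$1"
}

# required_aliases_present FILE: succeeds only if MAILER-DAEMON and
# postmaster are both defined, as the file header demands.
required_aliases_present() {
    awk '/^MAILER-DAEMON[ \t]*:/ { m = 1 } /^postmaster[ \t]*:/ { p = 1 }
         END { exit !(m && p) }' "$1"
}
```

Run "risky_aliases /etc/aliases" after every edit and before "newaliases"; anything it lists deserves a second look, since the target is executed or written by the mail system rather than delivered to a user.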
The /etc/sendmail.cf configuration file
Seven sections of this file:
1. Local information - Configuration for the local host.
2. Options - Sendmail environment options
3. Message Precedence - Specifies
4. Trusted Users - Specifies which users are allowed to change the sender addresses when sending mail.
5. Header Format - Specifies the headers that are inserted into the mail.
6. Rule Rewriting - The commands that re-write e-mail addresses into a form that can be read by the program that delivers the mail.
7. Mailer Definitions - Specifies the programs that deliver the mail.
Linux Logging in, Logging Out, and Shutting down
Logging in
Once you have completed your system install and booted your system, you should see a login prompt on your monitor. When you did your Linux install you should have set a root password. You may have also created a user with a password. Therefore to log in, you will want to type the name of a user or "root" for the login name and enter the appropriate password. If you logged in as a normal user and know the root password and want to use administration commands, you may use the command "su" to become a "super user". Some systems also support the "sudo" command, which allows administrative privileges on a command by command basis.
Linux Shell levels and the su command
The command "su" lets a normal user start a new shell as the root user, or as another user, provided they know that user's password. To become the root user, type "su" and you will be prompted for the root password. To become another user, type "su username" and enter that user's password (root can switch to any user without a password). Every time you use the su command you enter a new shell level, which means you have started a new running copy of the shell program, such as bash. You can see this change by typing the command "env" and looking at the value of the environment variable "SHLVL". This value increments when you use the su command and decrements when you use the "exit" command to leave that shell. You can also see the shell level value by typing "printenv SHLVL". Note that "su" alone keeps most of the calling user's environment, including PATH; "su -" starts a login shell with root's own environment, which is the safer choice for administrative work.
Logging out
Use the command "logout" to exit a given session. If you have logged in, then typed "su" to become a superuser or another user, you may need to type "exit" until your SHLVL environment value is 1. Then you can type "logout" to exit your session. The "exit" command will take you back to previous shell levels.
Shutting Linux Down
The system is intended to be shutdown by the system administrator using the shutdown command in one of the forms shown below. Many systems are set up to capture the
shutdown -h now
shutdown -r +10 "Rebooting in 10 minutes"
shutdown -r 13:00
The first command will shutdown and halt the system immediately. The second will reboot the system in 10 minutes and send the message to all users. The third command will shut the system down and do a reboot at 1:00 in the afternoon.
Making and Managing Linux Filesystems
Programs used to manage filesystems
• badblocks(8) - Search a device for bad blocks. The command "badblocks /dev/hda" will search the whole of the first IDE hard drive; use "badblocks /dev/hda1" to search only its first partition.
• cfdisk(8) - A partition table manipulator used to create or delete disk partitions.
• dosfsck(8) - Used to check a msdos filesystem.
• dumpe2fs(8) - Lists the superblock and blocks group information on the device listed. Use with a command like "dumpe2fs /dev/hda2". The filesystem on the device must be a Linux filesystem for this to work.
• fdformat(8) - Performs a low-level format on a floppy disk. Ex: "fdformat /dev/fd0H1440".
• fdisk(8) - Used to add or remove partitions on a disk device. It modifies the partition table entries.
• fsck(8) - Used to check and/or repair a Linux filesystem. Run it only on filesystems that are not mounted (or are mounted read-only); repairing a filesystem that is mounted read-write can corrupt it.
• hdparm(8) - Used to get or set the hard disk parameters.
• mkdosfs(8) - Used to create a msdos filesystem.
• mke2fs(8) - Create a Linux native filesystem which is called a second extended filesystem. This creates the current version of the Linux filesystem.
• mkfs(8) - Used to make a Linux filesystem on a device. The command "mkfs /dev/hdb1" will create a Linux filesystem on the first partition of the second IDE drive.
• mkswap(8) - Creates a Linux swap area on a device.
• mount(8) - Used to mount a filesystem. It supports many types of filesystems.
• stat(1u) - Used to print out inode information on a file. Usage: stat filename
• swapoff(8) - Used to de-activate a swap partition.
• swapon(8) - Used to activate a swap partition.
• tune2fs(8) - Used to adjust filesystem parameters that are tunable on a Linux second extended filesystem. The filesystem must not be mounted read-write when this operation is performed. Can adjust the maximum mount count between filesystem checks, the time between filesystem checks, the amount of reserved blocks, and other parameters.
• umount(8) - Unmount a filesystem.
Making a Filesystem
Making a swap partition
type "mkswap -c /dev/hda3 10336"
The -c has swap check for bad blocks. The 10336 is the size of the partition in blocks, about 10M. The system enables swap partitions at boot time, but if installing a new system you can type "swapon /dev/hda3" to enable it immediately.
Making an ext2 file system on a floppy
1. fdformat /dev/fd0H1440
2. mkfs -t ext2 -c /dev/fd0H1440
Other file systems:
A normal hard drive can have many types of filesystems on it. To create an ext2 file system, type "mke2fs -c /dev/hda2 82080" to create an 82 meg filesystem. Note: mkfs is a front end to many file system types including ext2, minix, and msdos.
Checking a Filesystem
fsck - Used to check and repair a filesystem.
fsck is a front end to a filesystem type specific fsck.ext2, fsck.minix, and fsck.msdos.
Syntax: fsck -t type device
Ex: fsck -t ext2 /dev/hda3
Linux Configuration
In this section, the configuration tool, "linuxconf" is discussed. This configuration tool provides a means to configure much of the system. In this section, attempts are made to describe the files where this configuration information is stored (unless documented in other sections), however its accuracy cannot be guaranteed, and these files will vary somewhat from one Linux system to another.
When fully expanded, the linuxconf menu includes the following:
• Config
o Networking
Client tasks
Basic host information
Name server specification (DNS)
Routing and Gateways
Defaults
other routes to networks
other routes to hosts
routes to alternate local nets
the routed daemon
Host name search path
Network Information System (NIS)
IPX interface setup
PPP/SLIP/PLIP
Server tasks
Exported file systems (NFS)
IP aliases for virtual hosts
Apache Web server
Defaults
Virtual domains
Sub-directory specs
Files specs
Modules
Performance
mod_ssl configuration
Domain Name Server (DNS)
Config
domains
IP reverse mappings
secondaries
forward zones
forwarders
features
IP allocation space
Add/Edit
host information by domain
(quick edit)
Security
Access control lists
Access control
Mail delivery system (sendmail)
Basic
Basic information
special (domain) routing
complex (user) routing
masquerading rules
mail to fax gateway
virtual email domain
the mail queue
user aliases
virtual domain user aliases
/etc/sendmail.cf
Anti-spam filters
Rejected senders
'Relay for' by IP
'Relay for' by name
Relay to hosts
Samba file server
Defaults
Default setup for user's home
Default setup for printers
Netlogon setup
Disk shares
Ftp server (wu-ftpd)
Basic configuration
Virtual hosts
Misc
Information about other hosts
Information about other networks
Linuxconf network access - Controls whether linuxconf itself can be reached over the network. Leave this disabled unless you need remote administration, since it exposes the whole configuration interface to the network.
o Users accounts
Normal
User accounts
Group definitions
Change root password
Special accounts
PPP accounts
SLIP accounts via normal login
UUCP accounts
POP accounts (mail only)
Virtual POP accounts (mail only)
Email aliases
user aliases
virtual domain user aliases
Policies
Password & account policies
Available user shells
Available PPP shells
Available SLIP shells
Message of the day - Allows you to type a new message of the day to be displayed on the console when a user logs in. This file is stored in /etc/motd.
o File systems
Access local drive
Access nfs volume
Configure swap files and partitions
Set quota defaults
Check some file permissions
o Miscellaneous services
Initial system services
Modem
o boot mode
Lilo
LILO defaults (linux boot loader)
LILO linux configurations
LILO other OS configurations
default boot configuration
a new kernel
a kernel you have compiled
Mode
default boot mode
• Control
o Control panel
Activate configuration
Shutdown/Reboot
Control service activity
Mount/Unmount file systems
Control configured local drives
Control configured nfs volumes
Mount other NFS file systems
Configure superuser scheduled tasks
Archive configurations
Switch system profile
Control PPP/SLIP/PLIP links
o Control files and systems
Configure all configuration files
Configure all commands and daemons
Configure file permission and ownership
Configure Linuxconf modules
Configure system profiles
Override Linuxconf addons
Create Linuxconf addons - This section allows a newly installed package to be managed using linuxconf
o logs
Boot messages
Linuxconf logs - Shows all configuration commands issued by linuxconf
o date & time - Allows the time zone to be set and the time to be set as stored in GMT format or local time. It also lets the time and date to be set.
o Features - Defines special behavior of linuxconf including the keyboard map (/etc/sysconfig/keyboard), language selection, and html timeout.
Linux Init Program
The init program is the first program run after your kernel begins running. It is configured with the /etc/inittab file. By modifying your /etc/inittab file, you change your system configuration in the following areas:
1. Start up system run level.
2. Specify processes to be executed during system boot.
3. Specify processes to be run when the specified runlevel is entered.
4. Specify processes to be run on certain runlevels with actions like respawn so the process is restarted any time it terminates.
5. Specify certain actions or processes to be run if certain signals or user actions are indicated.
The previous section on LILO explained what runlevels are.
Below is an example inittab file with line numbers added on the left side for reference:
# inittab This file describes how the INIT process should set up
# the system in a certain run-level.
#
# Author: Miquel van Smoorenburg,
# Modified for RHS Linux by Marc Ewing and Donnie Barnes
#
# Default runlevel. The runlevels used by RHS are:
# 0 - halt (Do NOT set initdefault to this)
# 1 - Single user mode
# 2 - Multiuser, without NFS (The same as 3, if you do not have networking)
# 3 - Full multiuser mode
# 4 - unused
# 5 - X11
# 6 - reboot (Do NOT set initdefault to this)
#
1) id:3:initdefault:
# System initialization.
2) si::sysinit:/etc/rc.d/rc.sysinit
3) l0:0:wait:/etc/rc.d/rc 0
4) l1:1:wait:/etc/rc.d/rc 1
5) l2:2:wait:/etc/rc.d/rc 2
6) l3:3:wait:/etc/rc.d/rc 3
7) l4:4:wait:/etc/rc.d/rc 4
8) l5:5:wait:/etc/rc.d/rc 5
9) l6:6:wait:/etc/rc.d/rc 6
# Things to run in every runlevel.
10) ud::once:/sbin/update
# Trap CTRL-ALT-DELETE
11) ca::ctrlaltdel:/sbin/shutdown -t3 -r now
# When our UPS tells us power has failed, assume we have a few minutes
# of power left. Schedule a shutdown for 2 minutes from now.
# This does, of course, assume you have powerd installed and your
# UPS connected and working correctly.
12) pf::powerfail:/sbin/shutdown -f -h +2 "Power Failure; System Shutting Down"
# If power was restored before the shutdown kicked in, cancel it.
13) pr:12345:powerokwait:/sbin/shutdown -c "Power Restored; Shutdown Cancelled"
# Run gettys in standard runlevels
14) 1:2345:respawn:/sbin/mingetty tty1
15) 2:2345:respawn:/sbin/mingetty tty2
16) 3:2345:respawn:/sbin/mingetty tty3
17) 4:2345:respawn:/sbin/mingetty tty4
18) 5:2345:respawn:/sbin/mingetty tty5
19) 6:2345:respawn:/sbin/mingetty tty6
# Run xdm in runlevel 5
# xdm is now a separate service
20) x:5:respawn:/etc/X11/prefdm -nodaemon
Line number 1 sets the default runlevel to 3. Line numbers 3 through 9 run the startup script /etc/rc.d/rc for the runlevel being entered, and line 1 decides which of them is entered at boot. Line numbers 14 through 19 spawn login getty programs on 6 virtual terminals. Other lines perform such things as power management and trapping the CTRL-ALT-DEL keystrokes for shutdown. Note that line 11 lets anyone with physical access to the keyboard reboot the machine without logging in; where that matters, remove or change the "ca" entry. Please see the "How Linux Works CTDP Guide" for further information on the format of the inittab file and what the init program does.
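An added example (not from the original guide or from sysvinit) that reads the inittab format described above, id:runlevels:action:process, and answers the questions raised in this section: what the default runlevel is and whether it is a safe one, which entries run in a given runlevel, and what CTRL-ALT-DEL is bound to. The sample below is constructed from the example file, without the reference numbers; the function names are this example's own.

```bash
#!/bin/sh
# Added example, not from the original guide: a small parser for
# /etc/inittab. The sample below is constructed.

SAMPLE_INITTAB='# constructed sample, same layout as the file above
id:3:initdefault:
si::sysinit:/etc/rc.d/rc.sysinit
l0:0:wait:/etc/rc.d/rc 0
l3:3:wait:/etc/rc.d/rc 3
l5:5:wait:/etc/rc.d/rc 5
ud::once:/sbin/update
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
x:5:respawn:/etc/X11/prefdm -nodaemon'

# inittab_records FILE: drop comments and blank lines and emit the four
# fields tab-separated. The process field may itself contain colons, so
# everything after the third colon is rejoined.
inittab_records() {
    awk -F: '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    NF < 4 { next }
    { proc = $4; for (i = 5; i <= NF; i++) proc = proc ":" $i
      print $1 "\t" $2 "\t" $3 "\t" proc }' "$1"
}

# inittab_default FILE: the runlevel named by the initdefault entry.
inittab_default() {
    inittab_records "$1" | awk -F'\t' '$3 == "initdefault" { print $2; exit }'
}

# inittab_default_ok FILE: fails if the default is missing, or is 0 (halt)
# or 6 (reboot), the two values the comments in the file warn against.
inittab_default_ok() {
    case "$(inittab_default "$1")" in
        ""|0|6) return 1 ;;
        *)      return 0 ;;
    esac
}

# inittab_entries FILE RUNLEVEL: "id action process" for every entry whose
# runlevels field includes RUNLEVEL (the initdefault line itself is skipped).
inittab_entries() {
    inittab_records "$1" | awk -F'\t' -v rl="$2" '
        $3 != "initdefault" && index($2, rl) > 0 { print $1, $3, $4 }'
}

# inittab_ctrlaltdel FILE: the command bound to CTRL-ALT-DEL, if any.
inittab_ctrlaltdel() {
    inittab_records "$1" | awk -F'\t' '$3 == "ctrlaltdel" { print $4 }'
}
```

On a live system, "inittab_ctrlaltdel /etc/inittab" printing anything means an unauthenticated reboot is one key combination away at the console.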
Linux Environment Settings, Shell Selection and Startup Scripts
Linux Environment Variables and Settings
There are many environment variables, some of which are listed below. The command used to add or modify environment variables is the export builtin command provided by the bash shell. See the bash(1) man page for more information on this built in command.
PS1="[\u@\h \w]\\$ " Used to set the command line prompt to show the user, the machine and the name of the directory the user is in. In Redhat, to effectively change this value, it must be changed in the file "/etc/bashrc" and in "/etc/profile".
export PATH=$PATH:/usr/sbin Adds /usr/sbin to the path in the system environment
MANPATH Sets the path for man pages
Other environment variables include:
1. USERNAME
2. HOSTNAME
3. LOGNAME
4. MAIL
5. EDITOR - Specifies the editor to be used by default for some commands such as edquota. Usually it is set to vi or emacs with a command like "export EDITOR=emacs".
6. TERM - The type of terminal being used.
7. PATH - The path the system looks in to find commands that the user has entered.
8. HOME - The current user's home directory
9. SHELL - The current shell program that is being executed
10. USER - The name of the current user.
11. TMPDIR - Allows programs that use the tempnam(3) function call to use the directory specified by this variable rather than the /tmp directory.
12. SHLVL - Shows how many shells the user has invoked.
You can type "env" to see a listing of all current environment variables.
SHLVL indicates how many shells deep the user is. If the level is 2, you must type "exit", then logout to exit.
Setting noclobber - In bash, "set -o noclobber" (or "set -C") keeps the ">" redirection from overwriting an existing file; in csh and tcsh the equivalent is "set noclobber". Use ">|" when you do mean to overwrite.
Shell Selection for users
The file "/etc/shells" lists the valid shells and shell paths on your system. An example file is:
/bin/bash
/bin/sh
/bin/tcsh
/bin/csh
/bin/ash
/bin/bsh
/bin/bash2
/bin/ksh
/bin/zsh
The command "chsh" can be used by the user to set his preferred shell. Also the root user can use this command to set any user's shell. This command with the -l option will list the available shells. The -s option will allow the user to change their shell. For example type the following to determine and modify the user's shell.
1. chsh -l
2. chsh -s /bin/sh
The first line will show available shells, and the second entry will change it. The full path of the shell must be entered for the command to work.
Startup Scripts
The following scripts are run by bash for a login shell if the --noprofile option is not used with the shell:
/etc/profile This script file is run first for all users during the login process
$HOME/.bash_profile This script file is run for individual user's customized setup
$HOME/.bash_login If the .bash_profile above does not exist, this file is run
$HOME/.profile This script file is run if $HOME/.bash_profile and .bash_login don't exist
If bash is invoked as "sh" it will run only "/etc/profile" and "$HOME/.profile", above.
The bash man page says that "$HOME/.bashrc" is run for non-login interactive shells. A login shell does not read it on its own; on Redhat it still runs at login because the default $HOME/.bash_profile sources $HOME/.bashrc, which in turn sources /etc/bashrc. In that case it runs after /etc/profile, as part of .bash_profile.
$HOME/.bash_logout Run when the user logs off the system.
Key bindings:
If the shell variable "INPUTRC" is set, probably in "/etc/profile" the keybindings are set by the file declared in the INPUTRC value. Usually this is "/etc/inputrc". Otherwise the keybindings are set in the file "$HOME/.inputrc" for each individual user.
$HOME/.inputrc - User's keybindings definition
/etc/inputrc - Global keybindings definition
Other scripts and files:
/etc/bashrc On my Redhat system, this file is run by $HOME/.bashrc.
/etc/login.defs Used with shadow passwords to set initial PATH and other parameters including how often a user must change passwords and what is acceptable as a password..
Put any new script files in /usr/bin or /usr/local/bin. If you put them in /usr/local/bin, they will be easier to keep track of, but you may want to add /usr/local/bin to your path environment to make them more accessible. You can put the command "export PATH=$PATH:/usr/local/bin" in one of the above scripts or add it to the path statement in /etc/profile. Never put "." or an empty entry in PATH, and never include a directory that other users can write to, especially for root: a program planted there with the name of a common command would run in place of the real one.
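An added example (not from the original guide) of the check worth running on a PATH value before it goes into /etc/profile or a user's startup script. It reports an empty element or "." (the current directory is searched), relative entries, directories that do not exist, and directories writable by group or by everyone. The function names and the directories used in the check are this example's own.

```bash
#!/bin/sh
# Added example, not from the original guide: audit a PATH value.

# path_problems PATHVALUE: one line per problem found, nothing if clean.
path_problems() {
    # awk keeps empty elements ("a::b") that shell word splitting would drop
    printf '%s\n' "$1" | awk -F: '{ for (i = 1; i <= NF; i++) print $i }' |
    while IFS= read -r dir; do
        case "$dir" in
            ""|.) echo "cwd-searched: '$dir'"; continue ;;
            /*)   ;;
            *)    echo "relative: $dir"; continue ;;
        esac
        if [ ! -d "$dir" ]; then
            echo "missing: $dir"
            continue
        fi
        # mode string from "ls -ld": position 6 is group write, 9 is other write
        case "$(ls -ld "$dir" | cut -c1-10)" in
            ????????w?) echo "world-writable: $dir" ;;
            ?????w????) echo "group-writable: $dir" ;;
        esac
    done
}

# path_ok PATHVALUE: succeeds only when path_problems reports nothing.
path_ok() {
    [ -z "$(path_problems "$1")" ]
}
```

To check the running shell, call path_problems "$PATH"; a trailing colon is reported as an empty element, because the shell treats it as the current directory.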
Therefore to modify parameters for all users, edit:
/etc/profile For users environment setup and other customized items.
/etc/inputrc For keybindings on some systems if INPUTRC is set to it.
To customize a user's setup, edit the following files in that user's home directory (for example /home/username):
$HOME/.bash_profile - User's environment settings and startup programs
$HOME/.bashrc - user aliases and functions
$HOME/.bash_logout - User actions to be done at logout
$HOME/.inputrc - Contains keybindings and other bits.
The tcsh shell reads its startup files in this order:
/etc/csh.cshrc and then /etc/csh.login are run
$HOME/.tcshrc (or $HOME/.cshrc if .tcshrc does not exist) is run
$HOME/.login is run
Other files in the users home directory may be:
.emacs - For the emacs editor. Consists of LISP functions.
.exrc - For the vi editor
.fvwmrc - For the fvwm window manager
.twmrc - For the twm window manager
.newsrc - For newsreaders. Contains a list of newsgroups offered at this site.
.Xdefaults - For programs using the X window system
.xinitrc - Shell commands that run when the user logs into an X session.
Linux Kernel
The Kernel and its Modules
Most kernels are compiled with support for loadable modules; the main exceptions are the small kernels used on floppy boot disks.
The package modules.tar.gz contains all the programs needed to manage modules. This should already be installed on most distributions. The kernel modules are kept in a directory named after the kernel version under /lib/modules, for example "/lib/modules/2.2.12-20" for kernel version 2.2.12-20. They are loadable object files ending in ".o" that extend the running kernel.
To load a module type "insmod module" where "module" is the name of the module to load. Ex: insmod /lib/modules/2.2.12-20/misc/ftape.o
Programs used to manage modules are:
• lsmod - Lists all the currently loaded kernel modules
• rmmod - Unloads modules, Ex: rmmod ftape
• depmod - Creates a dependency file, "modules.dep", later used by modprobe to automatically load the relevant modules.
• modprobe - Loads a module together with any modules it depends on, using the dependency information in "modules.dep".
Modules are loaded from startup script files using "modprobe" to handle loadable modules automatically.
modprobe -l |more Lists all the modules available for your kernel
rmmod module_name Remove a module from the kernel
Finding the Kernel
Locate the kernel image on your hard disk. It should be in the file /vmlinuz, or /vmlinux. In some installations, /vmlinuz is a soft link to the actual kernel, so you may need to track down the kernel by following the links. On Redhat 6.1 it is in "/boot/vmlinuz". To find the kernel being used look in "/etc/lilo.conf".
Type "uname -a" to see the kernel version.
Compiling the Kernel
1. Backup the present kernel which is in "/boot" for most systems. You can tell where it is by looking at "/etc/lilo.conf" . sometimes lilo.conf will point to a link file. Trace the link file and backup the file being pointed to.
2. Have an alternate way to boot such as another linux system on your computer or an emergency boot disk that you can access your filesystem from in case your new kernel crashes.
3. Back up your kernel modules, which live under "/lib/modules" in a directory named after the kernel version. Use "cp -dpr dir1 dir2" where dir1 is the name of the directory where your modules are and dir2 is where you want to put them.
4. Go to "/usr/src/linux". There is a "/usr/src/linux/.config" file used to do the compile. It is modified by typing "make config" and the values in it are used to determine defaults while doing the "make config". Back this file up to keep your original settings if you want.
5. Type "make config" and answer the hundreds of questions asked. On another terminal, open the file "/usr/src/linux/Documentation/Configure.help" to determine what each configuration is. Also you can type "make menuconfig" or from an X session "make xconfig".
6. Type "make dep"
7. Type "make clean"
8. Type "make bzImage" or "make zImage" if the kernel is small.
9. Type "make modules"
10. Type "make modules_install"
11. Copy the file "/usr/src/linux/arch/i386/boot/bzImage" to "/boot/vmlinuz".
12. Copy the file "System.map" from "/usr/src/linux" to the "/boot" directory. Rename it "System.map-w.x.y" (w.x.y being the kernel version) and make sure there is a link called "System.map" pointing to it. This step will keep you from getting warning messages when you boot. It seems to be a step they forgot to include in the kernel-howto.
o cp /usr/src/linux/System.map /boot/System.map-2.2.14
o cd /boot
o rm System.map
o ln -s System.map-2.2.14 System.map
13. Run rdev on the new kernel image to verify the root filesystem device. "rdev /boot/vmlinuz /dev/hda2". Please note that this step may be optionally dependent on whether you want to use the boot loader, lilo, to point to the root device.
14. Make sure the /etc/lilo.conf file is correct (image=/boot/vmlinuz)
15. If your kernel has a feature supported by a module that is required to boot, you will need to make a RAM disk boot image or your system won't boot.
o Type "lsmod" and look to see if the "loop" module is loaded. If it is skip the next step.
o Type "insmod /lib/modules/2.2.14/block/loop.o"
Use this command if the loopback module is not installed. This assumes you compiled the support into your kernel. In my example, I used kernel version 2.2.14, but your kernel version may have a different number. Substitute the appropriate values.
o Type "mkinitrd /boot/initrd-2.2.14.img 2.2.14"
Again, this example is for kernel version 2.2.14. This command will create a RAM image module for your kernel to load into.
o Add an entry similar to "initrd=/boot/initrd-2.2.14.img" to the "/etc/lilo.conf" file for the stanza that is used to boot this kernel. An example of the stanza follows.
o image=/boot/vmlinuz
o label=rhl
o initrd=/boot/initrd-2.2.14.img
o read-only
o root=/dev/hda2
Read the section about LILO for more information or read the lilo and lilo.conf man pages.
16. Run lilo by typing "lilo". If you didn't set the root device with rdev in step 13, you will need a line like "root=/dev/hda2" in /etc/lilo.conf in the stanza for your kernel. This will tell the kernel where your root filesystem is.
This step may be necessary if you are using a kernel previous to the 2.2 series. In the directory "/usr/include" there may be several link files such as "asm", "linux", and "scsi". These are normally softlinks through "/usr/src/linux". If they are, you can point the softlink "/usr/src/linux" at your new kernel source directory, which may have a name of the form "linux-2.2.14". If you don't have the "linux" softlink and don't want to create it, you will need to remove and redirect the softlinks in "/usr/include" to the proper location of your new kernel source.
The sysctl tool
This tool is worth mentioning in this section since it is used to read and change kernel parameters at run time. If you type "sysctl -a | more" you will see a long list of kernel parameters. A single parameter is changed with "sysctl -w parameter=value"; settings placed in /etc/sysctl.conf are applied at boot, or immediately with "sysctl -p". The parameters themselves are defined by the running kernel, so sysctl can only set existing ones and cannot add new ones.
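Added helpers for the sysctl settings discussed above (not part of the original guide or of the sysctl tool): the mapping from a parameter name to its file under /proc/sys, a reader for the "key = value" syntax of /etc/sysctl.conf, and a comparison of a configuration against a set of expected values. The sample configuration and the expected values (chosen for a host that is not a router) are constructed for this example, and the function names are this example's own.

```bash
#!/bin/sh
# Added example, not from the original guide: helpers for sysctl settings.
# A key such as net.ipv4.ip_forward is the file
# /proc/sys/net/ipv4/ip_forward; sysctl accepts "." or "/" as separator.

SAMPLE_SYSCTL_CONF='# constructed sample in /etc/sysctl.conf syntax
net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 0
kernel.sysrq = 0
net/ipv4/icmp_echo_ignore_broadcasts=1'

# sysctl_path KEY: the /proc/sys file behind KEY.
sysctl_path() {
    printf '/proc/sys/%s\n' "$(printf '%s' "$1" | tr . /)"
}

# sysctl_conf_get FILE KEY: the last value assigned to KEY in FILE
# (later lines override earlier ones, as sysctl -p applies them in order).
sysctl_conf_get() {
    awk -v key="$2" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    {
        p = index($0, "="); if (p == 0) next
        k = substr($0, 1, p - 1); v = substr($0, p + 1)
        gsub(/[ \t]/, "", k); gsub("/", ".", k)   # normalise the key
        sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
        if (k == key) { val = v; found = 1 }
    }
    END { if (found) print val }' "$1"
}

# sysctl_conf_check FILE: report keys whose configured value differs from
# the expected one; a key missing from FILE is reported as "unset".
# The expectations are constructed for a non-router host.
sysctl_conf_check() {
    for pair in net.ipv4.ip_forward=0 \
                net.ipv4.conf.all.rp_filter=1 \
                net.ipv4.icmp_echo_ignore_broadcasts=1 \
                net.ipv4.tcp_syncookies=1; do
        key=${pair%=*}; want=${pair#*=}
        got=$(sysctl_conf_get "$1" "$key")
        [ "$got" = "$want" ] || echo "$key: want $want, got ${got:-unset}"
    done
}
```

Running "sysctl_conf_check /etc/sysctl.conf" shows what the file will set at the next boot; compare it with "cat $(sysctl_path net.ipv4.ip_forward)" to see what the running kernel currently has.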
Linux Directory Structure
Note: Files are grouped according to purpose. Ex: commands, data files, documentation.
Parts of a Unix directory tree. See the FSSTND standard (Filesystem standard)
/ Root
|---root The home directory for the root user
|---home Contains the user's home directories
| |----ftp Home directories for services such as these, as well as for users
| |----httpd
| |----samba
| |----user1
| |----user2
|---bin Commands needed during bootup that might be needed by normal users
|---sbin Like bin but commands are not intended for normal users. Commands run by LINUX.
|---proc A virtual filesystem that is not stored on disk; the kernel generates its contents
| | on the fly. Holds information about kernel parameters and system configuration.
| |----1 A directory with info about process number 1. Each process
| has a directory below proc.
|---usr Contains all commands, libraries, man pages, games and static files for normal
| | operation.
| |----bin Almost all user commands. Some commands are in /bin or /usr/local/bin.
| |----sbin System admin commands not needed on the root filesystem. e.g., most server
| | programs.
| |----include Header files for the C programming language. Should be below /usr/lib for
| | consistency.
| |----lib Unchanging data files for programs and subsystems
| |----local The place for locally installed software and other files.
| |----man Manual pages
| |----info Info documents
| |----doc Documentation for various packages
| |----tmp
| |----X11R6 The X windows system files. There is a directory similar to usr below this
| | directory.
| |----X386 Like X11R6 but for X11 release 5
|---boot Files used by the bootstrap loader, LILO. Kernel images are often kept here.
|---lib Shared libraries needed by the programs on the root filesystem
| |----modules Loadable kernel modules, especially those needed to boot the system after
| disasters.
|---dev Device files for devices such as disk drives, serial ports, etc.
|---etc Configuration files specific to the machine.
| |----skel When a home directory is created it is initialized with files from this directory
| |----sysconfig Files that configure the linux system for networking, keyboard, time, and more.
|---var Contains files that change for mail, news, printers log files, man pages, temp files
| |----file
| |----lib Files that change while the system is running normally
| |----local Variable data for programs installed in /usr/local.
| |----lock Lock files. Used by a program to indicate it is using a particular device or file
| |----log Log files from programs such as login and syslog which logs all logins,
| | logouts, and other system messages.
| |----run Files that contain information about the system that is valid until the system is
| | next booted
| |----spool Directories for mail, printer spools, news and other spooled work.
| |----tmp Temporary files that are large or need to exist for longer than they should in
| | /tmp.
| |----catman A cache for man pages that are formatted on demand
|---mnt Mount points for temporary mounts by the system administrator.
|---tmp Temporary files. Programs running after bootup should use /var/tmp.
Finding Files in Linux
There are three good methods of finding files in linux:
1. The slocate database
2. The whereis command
3. The find command
The slocate database
To use the locate command, you will need to have a slocate database set up on your system. On many systems it is updated periodically by the cron daemon. Try the slocate command to see if it will work on your system:
locate whereis
Will list all files that contain the string "whereis". If that command did not work you will need to run the command:
slocate -u
This command will build the slocate database which will allow you to use the locate command. This command will take a few minutes to run.
The whereis command
This command will locate binary (or executable) programs and their respective man pages. The command:
whereis linuxconf
will find all binaries and manpages with the name linuxconf.
The find command
The following are examples of the find command:
find /home -user mark Will find every file under the directory /home owned by the user mark.
find /usr -name '*spec' Will find every file under the directory /usr whose name ends in "spec", such as ".spec" files. The pattern must be quoted so the shell passes it to find unexpanded instead of matching it against the current directory first.
find /var/spool -mtime +40 Will find every file under the directory /var/spool that was last modified more than 40 days ago.
Find is a very powerful program and very useful for finding files with various characteristics. For more information, read the man page about find by typing "man find".
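The three searches above, run against a small directory tree so their results can be checked. This is an added example and not part of the original guide; the tree, the file names and the owner (the current uid, since the example cannot create a user "mark") are constructed for the demonstration, and it adds "-type f" to the guide's invocations so only regular files are counted.

```shell
#!/bin/sh
# Added example (not from the original guide): the three kinds of find
# search described above, run against a small constructed directory tree
# so the results can be checked without touching /home, /usr or /var/spool.

# Build the sample tree (constructed data) and print its path.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/home/mark" "$root/usr/src" "$root/var/spool/mail"
    : > "$root/home/mark/notes.txt"
    : > "$root/usr/src/kernel.spec"
    : > "$root/usr/src/README"
    : > "$root/var/spool/mail/old.msg"
    : > "$root/var/spool/mail/new.msg"
    # Date one spool file back to January 2000 (POSIX touch -t takes an
    # absolute CCYYMMDDhhmm stamp), well past the 40-day threshold used below.
    touch -t 200001010000 "$root/var/spool/mail/old.msg"
    printf '%s\n' "$root"
}

# Files under $1 owned by user $2: the guide's "find /home -user mark".
# find accepts a numeric uid here as well as a user name.
files_owned_by() {
    find "$1" -type f -user "$2"
}

# Files under $1 whose name ends in "spec". The pattern must be quoted:
# an unquoted *spec is expanded by the shell against the current directory
# before find ever sees it, so the search silently matches the wrong thing.
files_ending_in_spec() {
    find "$1" -type f -name '*spec'
}

# Files under $1 last modified more than $2 days ago: "find ... -mtime +40".
files_older_than_days() {
    find "$1" -type f -mtime "+$2"
}

# Number of results produced by one of the searches above.
count_results() {
    "$@" | wc -l | tr -d ' '
}

main() {
    root=$(make_sample_tree) || exit 1
    me=$(id -u)   # the files just created belong to the current user
    echo "owned by uid $me under home:     $(count_results files_owned_by "$root/home" "$me")"
    echo "ending in spec under usr:       $(count_results files_ending_in_spec "$root/usr")"
    echo "older than 40 days under spool: $(count_results files_older_than_days "$root/var/spool" 40)"
    rm -rf "$root"
}

main
```

Each search reports exactly one file from the sample tree. Replace the temporary root with a real path to use the same functions on a live system.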
Locating man pages by subject
There is a keyword option in the man command that can be used to find man pages that have specific words in their descriptions. An example is:
man -k process
to find all man pages that talk about processes. Use the command:
man -k process |grep kernel
to find information on kernel processes. An equivalent command is the apropos command as follows:
apropos process
The which command
The which(1) program is a useful command for finding the full path of the executable program that would be executed if the name of the executable program is entered on the command line. The command:
which startx
Will show the full path of the startx command that will be run if "startx" is entered on the command line when an X session is started.
Linux Help
Sources of help include:
1. Man pages - Stands for manual pages; they are available on your system by invoking the word "man" followed by the subject you need help for. An example is "man inetd" for information about the inetd internet super daemon program.
2. Info - Info pages are meant as a replacement for man pages but are harder to use which is why man pages are still popular.
3. Howtos - Howtos are written about various functional areas and Linux programs. They are likely to be available on your system in the /usr/doc/HOWTO directory. They are also available at various websites which can be accessed from the CTDP Linux Weblinks section.
4. GNU manuals - Accessible through the GNU website, which you can find in the CTDP Linux Weblinks Documentation section.
5. Package documentation - Documentation that comes with individual packages, usually found with the package or in the /usr/doc or /usr/local directory.
6. Other LDP documents - There are many excellent Linux documents written in book form provided by The Linux Documentation Project which are available at their website. Their website may be accessed from the CTDP Linux Weblinks section. Many of these documents include subjects about Linux system administration, the Linux kernel, security and more.
7. Independent documents and resources - There are many excellent independently written documents. Watch the Linux Weblinks section for information on these types of resources. These resources are added as they are located or suggested by CTDP members or the public.
Man Pages
Man pages are generally written to describe programs, configuration files, functions and other areas of the system. They are organized into numbered sections covering various subject areas as follows:
1. User commands that may be started by everyone.
2. System calls, functions provided by the kernel.
3. Subroutines, which are library functions.
4. Devices, which are special files in the /dev directory needed to access items like com ports and disk drives, among many other things.
5. File format descriptions, such as configuration files and files like /etc/passwd.
6. Games.
7. Miscellaneous, such as macro packages, standard methods.
8. System administration tools for the root user.
9. More kernel routine documentation specifically for linux.
There may be other, non-numbered sections:
• n - New documentation, that may be moved to a more appropriate section.
• o - Old documentation, that may be kept for a grace period.
• l - Local documentation referring to this particular system.
When referenced in documentation, man pages are many times referred to by section. For example see the man page on inetd(8). You normally don't need to do anything special to see the page in section 8 except type "man inetd". The syntax for using man pages is "man command", where "command" is the name of the command or item you want help for. Sometimes a given name is in more than one section. For instance the name crontab is a configuration file and a utility used to perform configuration. There is a man page for this in sections 1 and 5. If "man crontab" is typed the file in section one will be shown. In this case you will need to type the section number as follows:
man 5 crontab
Once you are in a man page, type [space] to see the next page, and type "q" at any time to quit.
Searching pages:
You can use a keyword function in man. To find commands that deal with DNS, type "man -k dns". A list of all commands, system calls and other items that have the word "dns" in their name or short description is given. Entering "man -k dns | grep domain" narrows that list to the entries that also contain "domain". Another command equivalent to "man -k" is the apropos command. To search on a particular subject in the man page library type "apropos subject". A list of all man pages with the associated subject in their description will be displayed. This information is kept in the apropos database, which is updated weekly by cron. See the section on cron or type "man apropos" or "man whatis" for more information.
To print a man page type "man name | lpr -P printer", where "printer" is the name of the printer you have set up. You must have your printer set up for this to work.
Info Pages
Much documentation is included as info pages. Many times the same documentation is included in man pages, but sometimes information is included in info pages that is not in man pages. I don't like info pages since you need to remember many different key commands to navigate through them. There is a tutorial in the info pages that you can use to learn the commands. I recommend that before using info pages, you do at least a quick tour by taking the tutorial. Take notes and keep them handy when using the info pages. You may use the info pages by typing "info command" where command is the name of the command you need information about. To begin the tutorial, type "info", and look for the help section. Some of the basic info commands are listed below.
h Take the help tutorial
b To move to the top of a screen
n To move to the next node (text on a particular topic)
p To move to the previous node
d To move to the main directory node
l To move to the last node you were at. Retraces where you were.
m Show a menu of nodes you can move to
name Type node name or Ctrl-g to cancel after typing "m" for menu
u To move back to the menu you were at. Use this command after making a menu selection to get back to the last menu from which you made a selection.
? Show available commands.
Howto Documents and GNU manuals
Along with the man pages there is much Linux documentation contained in the various howto files and GNU documents written by the Linux community. There are many links on the web to help you find these sources of documentation. The easiest way to find these documents is to link to the websites that have them in the Linux, Weblinks, Documentation section of this website. Most of the howto documents should be on your system in the directory /usr/doc/HOWTO. They are in text format and can be read with the program "less" or any text editor.
Package Documentation
Linux is generally made up of many packages. Each package deals with certain functionality of Linux, but may have several commands. For instance, the etherboot package has a purpose of allowing users to set up remote machines for booting using a Linux server. This package has several binary programs used to perform this function. Most packages contain various text files or html or dvi files that contain further documentation about the package and their various commands. Most package documentation is in the directory "/usr/doc" or "/usr/local" under the specific package name. There are also various important manuals which may have come with your distribution. These manuals may be in postscript format. From an X session if you locate these files, you can double click on them to read them in postscript. The names of some of these manuals are:
1. Bash Reference Manual
2. LILO User's Guide
3. LILO Technical Overview
4. Name Server Operations Guide for BIND
5. IP Command Reference
6. IPv6 Flow Labels in Linux-2.2
7. Tunnels over IP in Linux-2.2
8. IP Chains Quick Reference
9. Sendmail Installation and Operations Guide
10. Sendmail - An Internetwork Mail Router
11. mgetty+sendfax
12. Automated System Monitoring and Notification with SWATCH
13. SGML-Tools User's Guide
Setting Linux Time
Programs for working with time and date are:
• clock - This is a soft link to hwclock.
• date(1) - Print or set the system date and time.
• hwclock(8) - Sets the hardware clock based on values entered on the command line.
• setclock(8) - Sets the BIOS hardware clock based on the time and setup of the system clock.
• timeconfig(8) - A program used to configure the system configuration file "/etc/sysconfig/clock" which includes the type of clock and timezone.
An Example:
While logged in as root do the following:
1. Type "date".
2. You should see some variation of:
"Wed Nov 24, 9:29:17 EST 1999"
3. To change the time, type (as an example):
date -s 10:10
4. The system response will be:
"Wed Nov 24, 10:10:02 EST 1999"
5. Then, if you want to set the hardware (BIOS) clock so the system will keep the time when it reboots, type:
clock -w
or
setclock
The program setclock will set your hardware clock based on your system configuration parameters including whether or not your clock is set to universal time.
The "clock -w" command assumes your hardware clock is set to local time. If it is set for universal time you will want to type "clock -wu" rather than the "clock -w" in the line above. If you use the wrong option the time will be set incorrectly and you will need to do it again.
On a Redhat system, you can use the program "linuxconf" as root and page down to the next to the last line in the menu, which is "date & time". Select it and see if the box named "universal format(GMT)", next to "Store date in CMOS", is checked. If it is not, you may save your time by typing "clock -w". If it is checked, use "clock -wu".
Note: There is a man page for date that you can use to learn more. Type "man date". You do not want to make any more changes to time and especially to the date than necessary, especially while the system is running, since this can trigger the "cron" daemon to perform various time related system tasks.
An alternate method to set the time is:
hwclock --set --date "2/24/2000" If you are using local time
hwclock --set --date "2/24/2000" --utc If you are using universal time
In the rc.sysinit startup script, this program is used with the options --adjust and --hctosys to adjust the hardware clock for drift and to set the system time from the hardware clock at boot.
On Redhat systems, there is a configuration program called "timeconfig" which can be used to configure the system configuration file /etc/sysconfig/clock and /etc/localtime. This program will use a graphical interface to let the user set the timezone and whether UTC time is used.
Basic Linux Devices
The first partition on an IDE hard drive is called partition 1, and is called /dev/hda1 if the drive is the primary IDE master.
/dev/fd0 Floppy disk
/dev/hda1 IDE Hard drive 1, partition 1
/dev/hdb3 IDE Hard drive 2, partition 3
/dev/sda1 First SCSI interface (probably hard drive), device id 1
/dev/sdc3 First SCSI interface, device id 3
/dev/cdrom CD ROM drive
/dev/mouse Mouse device, sometimes a pointer to another device such as /dev/psaux, a ps/2 mouse driver.
primary IDE master /dev/hda
primary IDE slave /dev/hdb
secondary IDE master /dev/hdc
secondary IDE slave /dev/hdd
Linux Tips
Multiple Virtual Terminal access
There are normally 6 virtual terminals in Linux, available by using Alt-F1 through Alt-F6. Each one can be logged in as a different user. There are normally 6 terminals available in X also, F7 through F12. The first X session will be on F7 (if on a local terminal), the second on F8, and so forth. If an X session is started from F1 and you also have an active session on F2, you can type Ctrl-Alt-F2 to go from the X session to the virtual console on F2. To get back to your X session, you can type Ctrl-Alt-F7. This example assumes that your terminals are set up in the standard manner, with 6 virtual terminals that spawn the getty program. You can check your setup by looking at your /etc/inittab file. You should have lines like the following in your file.
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
3:2345:respawn:/sbin/mingetty tty3
4:2345:respawn:/sbin/mingetty tty4
5:2345:respawn:/sbin/mingetty tty5
6:2345:respawn:/sbin/mingetty tty6
See the section on init for further information on this file.
Linux Command line shortcuts
If typing a command on the command line, you can press
Pasting text in files
There is a cut and paste mouse utility that works with virtual consoles called gpm which runs as a daemon. To use it,
1. Move your mouse to the text you want to cut or paste
2. Hold the left mouse button down
3. Drag the mouse to the end of the selected text
4. Release the mouse button
5. If deleting text, just press the "DEL" key for your final step. If pasting text, move the text cursor to the location you want to paste to by switching terminals with function keys, using arrow keys, etc.
6. If pasting, press the right mouse button.
Viewing previously displayed text
Text that has scrolled off the top of the screen may be viewed again using the
Linux System Setup
Linux Filesystem Access Types
For a list of programs used to work with filesystems, see the section "Making and Managing Filesystems". To access other filesystems you must first create them or determine what is currently on your computer. This example assumes you already have filesystems on your computer, such as DOS, Windows, or other Linux partitions, that you want to access.
1. Use one of two methods to determine what partitions are on each drive:
1. Type "fdisk /dev/hda" for drive 1 or "fdisk /dev/hdb" for drive 2, then type "p" to see a list of each partition. Type "q" to exit.
2. An alternate method for this step, assuming you can boot to the filesystem using LILO, is:
1. Type "less /etc/lilo.conf"
2. Look for the label used by lilo to select dos, such as "dos", and use the associated device. The line on my system is "other=/dev/hda1" so I will use device "/dev/hda1". The disadvantage here is that this method will not allow determination of filesystems with no operating system, such as partitions that hold data.
2. Make directories for mount points for each of the other filesystems. For another Linux install such as Debian or Slackware, type "mkdir /debian" or "mkdir /slackw". For a foreign operating system partition such as DOS or Windows 98, type "mkdir /dos" or "mkdir /win98".
3. Type "mount -t msdos /dev/hda1 /dos" where /dev/hda1 is where the dos partition is. Type "mount /dev/hda4 /win98" to mount the windows filesystem or "mount /dev/hda3 /slackw". Your filesystems may be on other partitions than those shown in the examples here.
4. You can unmount when done with "umount /dev/hda1"; however, the shutdown scripts unmount all filesystems when the system is shut down.
The following line in /etc/fstab will cause the system upon bootup to mount an msdos partition on /dev/hda1 on the directory /dos:
/dev/hda1 /dos vfat defaults 0 0
This works because one of the startup script files, "/etc/rc.sysinit", includes the line "mount -a -t nonfs,smbfs,ncpfs,proc". This command mounts all filesystems listed in the file "/etc/fstab". You could set the filesystem type to msdos. Read the file /usr/src/linux/fs/filesystems.c to find a list of filesystems supported by your kernel. The files /etc/mtab and /proc/mounts each keep a record of the filesystems currently mounted on your system. Read the mount man page for more information.
Another useful command is "hdparm -g /dev/hda" which is used to determine hard drive geometry (sectors, heads, cylinders).
Mounting other partitions or operating systems at startup
To mount other partitions at startup modify the "/etc/fstab" file. Each line in the file refers to a different filesystem. Fields are separated by whitespace. The primary filesystems must be mounted first, so they must be in correct order. Your native partition for the system you are running should be listed first. The fields are as follows:
1. The name of the device such as "/dev/hda1"
2. The mount point. Use "/" for root. Other typical mount points are "/dos" for DOS, "swap" or "none" for the swap partition, and "/mnt/floppy" for "/dev/fd0" (the floppy drive).
3. The type of filesystem. They are: minix, ext, ext2 (linux native), xiafs, msdos, hpfs, ntfs, fat32, iso9660 (CD-ROM), nfs, swap (for swap space).
4. The mount options for use with the filesystem. Each filesystem type has different mount options. Read the mount man page to see possible options. ro = read only, user = allows normal users to mount the device.
5. The frequency the filesystem needs to be dumped (backed up) by the dump command. For ext2, normally make it 1, for others make it 0. 0 or nothing means it is not dumped. If 1, it is backed up during a system backup.
6. A number telling the order in which the filesystems should be checked at reboot time by the fsck program. Your root should be 1, others are in ascending order or 0 to not be checked.
To determine your hard drive's partitions and see what each partition holds which operating system, you may use the fdisk program. Just make sure you don't change your disk information. You can use the 'p' command to see a list of current partitions, then you can add them to your fstab file. Note: In order for the mount to succeed, you must have created the mount point subdirectory (except for root).
I like to install multiple copies of Linux on one computer for three reasons.
1. The second copy can serve as a backup to the first. If I totally screw up one copy of Linux, by changing kernels, etc, I can still get to the filesystem from the other system and straighten out my problems.
2. I can learn about other linux packages.
3. If a compile of a package fails on one system such as Redhat, I can try it on another system such as Slackware and it will probably work.
The fstab file
A typical /etc/fstab file:
/dev/hda2 / ext2 defaults 1 1
/dev/hdb1 /data auto defaults 0 0
/dev/hda1 /dos vfat defaults 0 0
/dev/hda3 /slackw ext2 defaults 0 0
/dev/hda4 swap swap defaults 0 0
/dev/cdrom /mnt/cdrom iso9660 noauto,owner,ro 0 0
/dev/fd0 /mnt/floppy ext2 noauto,owner 0 0
none /proc proc defaults 0 0
none /dev/pts devpts gid=5,mode=620 0 0
These are the options:
• defaults - Use the default options of rw, suid, dev, exec, auto, nouser, and async.
• auto - Auto-detect the type of filesystem.
• noauto - The -a option will not mount the filesystem.
• owner - Allow the owner of the device to mount the filesystem.
• ro - Read only
• rw - Read and write allowed
• user - Users have permission to mount this filesystem
• users - Allows a user to mount and another user to unmount the filesystem
The /proc directory is required for tracking processes in memory (RAM). The directories /data, /dos, and /slackw in this example must exist or their mounts will fail. The entries for the floppy and cdrom allow them to be unmounted automatically at shutdown if they are mounted. The option "noauto" in their entries keeps these devices from being mounted at startup.
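The six fields described above and the sample fstab are the same file seen twice, so one added example serves both passages. This is not code from the guide: a small shell checker that walks an fstab and reports the things the text says will make a boot-time mount fail or that are worth a second look. The fstab it reads and the directory tree it checks against are constructed for the demonstration (a fake root stands in for "/").

```shell
#!/bin/sh
# Added example (not from the original guide): a checker for the six fstab
# fields described above. It reports the mistakes the text warns about
# (a missing mount point directory, a malformed line, a root entry whose
# fsck order is not 1) and notes entries that ordinary users may mount.
# The fstab and directory tree it runs on are constructed for the demo.

# check_fstab FSTAB ROOTDIR
# Prints one line per finding and returns non-zero if there were any.
# ROOTDIR stands in for "/" so the demo can test mount points without
# looking at the real filesystem; pass / to check a live /etc/fstab.
check_fstab() {
    fstab=$1; rootdir=${2%/}; findings=0
    while read -r dev mnt fstype opts dump pass extra; do
        case $dev in ''|'#'*) continue ;; esac          # blank line or comment
        if [ -z "$pass" ] || [ -n "$extra" ]; then
            echo "error: $dev: expected exactly 6 fields"
            findings=$((findings + 1))
            continue
        fi
        # Field 2: swap has no mount point; every other entry needs an
        # existing directory or the mount fails at boot.
        case $mnt in
            swap|none) ;;
            *)  if [ ! -d "$rootdir$mnt" ]; then
                    echo "error: $dev: mount point $mnt does not exist"
                    findings=$((findings + 1))
                fi ;;
        esac
        # Field 6: the root filesystem must be checked first.
        if [ "$mnt" = / ] && [ "$pass" != 1 ]; then
            echo "error: $dev: root filesystem should have fsck order 1, not $pass"
            findings=$((findings + 1))
        fi
        # Field 4: "user"/"users" let any login mount this entry.
        case ",$opts," in
            *,user,*|*,users,*)
                echo "warning: $dev: mountable by ordinary users ($opts)"
                findings=$((findings + 1)) ;;
        esac
    done < "$fstab"
    [ "$findings" -eq 0 ]
}

# Number of findings for FSTAB checked against ROOTDIR.
count_fstab_findings() {
    check_fstab "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample: a temp dir holding an fstab modeled on the one shown
# above, plus a fake root with most (but not all) of its mount points.
make_fstab_sample() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/root/dos" "$d/root/mnt/cdrom" "$d/root/mnt/floppy" \
             "$d/root/mnt/zip" "$d/root/proc"          # no $d/root/data
    cat > "$d/fstab" <<'EOF'
# constructed sample fstab
/dev/hda2 / ext2 defaults 1 1
/dev/hdb1 /data auto defaults 0 0
/dev/hda1 /dos vfat defaults 0 0
/dev/hda4 swap swap defaults 0 0
/dev/cdrom /mnt/cdrom iso9660 noauto,owner,ro 0 0
/dev/fd0 /mnt/floppy ext2 noauto,owner
/dev/hdc /mnt/zip vfat noauto,user 0 0
none /proc proc defaults 0 0
EOF
    printf '%s\n' "$d"
}

main() {
    d=$(make_fstab_sample) || exit 1
    check_fstab "$d/fstab" "$d/root" || true
    echo "findings: $(count_fstab_findings "$d/fstab" "$d/root")"
    rm -rf "$d"
}

main
```

On the constructed sample it reports three things: /data has no mount point directory, the floppy line has only five fields, and the zip drive entry can be mounted by any user. Creating the missing directory drops the count to two.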
Note:
If you install an OS that wipes LILO, you can use the fdisk utility to toggle the bootable flag (change the boot partition). This can help, if the OS that wiped LILO can toggle this partition to a Linux filesystem.
Linux Emergency Filesystems and Procedures
There are several ways to make a boot floppy, but basically there are two types of boot floppies that make sense. The first is a simple boot floppy with a copy of your kernel that will mount your root device, which is usually on your hard drive. This will give you another way to boot your system and allow you to repair some problems, such as a bad recompile of a kernel or a lilo failure, but will not do much good if you develop a serious problem with your root filesystem. The second is a more elaborate pair of boot and root floppies that will independently support some tools to allow repair of a root filesystem, or at least help you rescue files.
Making a simple Emergency boot floppy
How to make a single boot floppy:
1. Find the kernel. It is usually /vmlinuz or /boot/vmlinuz. The file vmlinuz may be a softlink to the actual kernel executable. Find the executable kernel.
2. Copy the kernel image to the floppy.
dd if=/vmlinuz of=/dev/fd0
3. Type the command "df" and examine its output to determine where your root filesystem is. Your root is "/" and is mounted on something like "/dev/hda2".
4. Set the kernel image on the floppy to the location of your root system.
rdev /dev/fd0 /dev/hda2
Your root filesystem may be somewhere other than "/dev/hda2".
5. Test the floppy by rebooting your system and attempting to boot from it.
You can use the command "badblocks /dev/fd0H1440 1440" to check the floppy for bad blocks.
Making a Boot Floppy with a Root Filesystem (not yet complete or accurate)
To make a Linux boot floppy with a root floppy will require two floppy disks. One will be used for the kernel, and the other will hold the root filesystem.
Important functions needed by an emergency boot filesystem:
e2fsck, mount, tar, gzip, insmod, ftape module for kernel if using tape backups
Please note that it is best to recompile your kernel to do this. This is because most kernel images use modules for support that are stored on your root filesystem, and if your root filesystem is corrupt, they may not work properly. The good news, however, is that you will only need a kernel with minimal support, since this is for emergency use only, and you won't need networking support and some other features. The other option is to use an already compiled kernel image that does not depend on modular support, if you can find one.
1. Compile the kernel:
You may answer no to most options, with the following exceptions.
o Make processor type 386 to support all machines with 1Gb of memory.
o Enable PCI support with access mode=any and quirks=y.
o CONFIG_SYSVIPC=y
o CONFIG_BINFMT_ELF=y
o CONFIG_PNP=y
To compile the kernel make sure you provide floppy, CD-ROM and hard disk support for your types of devices such as IDE or SCSI. In my compile, I support IDE only. Set CONFIG_BLK_DEV_IDE=Y and all in the IDE category may be set to Y except for "other IDE chipset support", CONFIG_IDE_CHIPSETS=N. Ramdisk support (CONFIG_BLK_DEV_RAM=Y) with initial support. Virtual terminals (CONFIG_VT=Y). CONFIG_VT_CONSOLE=Y, CONFIG_SERIAL=Y, CONFIG_MOUSE=Y, CONFIG_PS2MOUSE=Y. Under filesystems I supported all but quota, kernel automounter support, and UMSDOS. Include all under partition table support. Include VGA text console and Magic SysRq key.
2. Copy the kernel image to the first floppy.
dd if=/vmlinuz of=/dev/fd0
3. Set the image on the floppy to boot to a root filesystem on your floppy device.
rdev /dev/fd0 /dev/fd0
4. Prepare the root floppy (the second floppy disk)
1. type "fdformat /dev/fd0H1440" to format the floppy
2. type "mkfs -t ext2 -c /dev/fd0H1440" to create a filesystem on the floppy
Linux Samba
For complete information on Samba see the SMB HOWTO. Also refer to the smb.conf(5), smbd(8), smbclient(1), smbpasswd(5), smbpasswd(8), and testparm(1) man pages. You may access the howtos from one of the weblinks listed in the Linux websites section. The Linux Documentation Project or Metalab's Index of Linux publications will have copies of these howtos.
You will want to perform the following steps according to the instructions below to set up samba services on your computer.
1. Set up your Windows based computers for file and print sharing if you want to access your windows computers from Linux.
2. Decide whether to run Samba through the inetd internet super daemon or through the startup scripts. Running using the startup scripts is recommended for better reliability.
3. Edit the /etc/services file to be sure the port services are enabled.
4. Edit the /etc/smb.conf file with encrypted passwords enabled to work with most modern Windows versions.
5. Add any users as desired to the /etc/smbusers file.
6. Optionally add hostnames to /etc/lmhosts.
7. Set up your samba users passwords with the "smbpasswd -a username" command.
8. Start or restart Samba services. When running Samba services through the startup scripts it can be done in Redhat using the linuxconf program. On other systems it may be done with one or more of the following commands:
o samba start - Starts samba.
o /etc/rc.d/init.d/smb start - Starts samba.
o samba restart - Restarts samba.
o /etc/rc.d/init.d/smb restart - Restarts samba.
If using inetd to run Samba services, restart/start samba with the command "killall -HUP inetd".
Check your /usr/doc directory for a directory like "samba-2.0.5a". Enter this directory with the command "cd /usr/doc/samba-2.0.5a". There is a docs and a samples directory at this location. There is a sample smb.conf file in the samples directory called smb.conf.default. Use this file to start your /etc/smb.conf file if you don't have one. Modify it for your workgroup name, remove the comment from the line "encrypt passwords = yes" and set up your share definitions as you need.
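As an added example (not from the guide and not Samba's own tooling; "testparm" remains the authoritative syntax check), a shell script that reads the effective [global] settings of an smb.conf and reports the points this section calls out: whether "encrypt passwords" is on, whether "hosts allow" restricts who may connect, and whether "security = user" is set. It also catches a mistake that is easy to make when annotating the file: smb.conf only treats a line that starts with "#" or ";" as a comment, so a note appended after a value becomes part of that value. The two configurations it runs on are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original guide or from Samba): reads the
# effective [global] settings of an smb.conf and reports the points the
# text above calls out. It also flags a subtle mistake: smb.conf only
# treats a line that *starts* with # or ; as a comment, so a setting such
# as "lm announce = yes #note" has the value "yes #note".
# The two configurations below are constructed for the demonstration.

# smb_global_value CONF KEY: print the last value of KEY in [global]
# (keys are case-insensitive; whole-line comments are ignored).
smb_global_value() {
    awk -v want="$2" '
        /^[ \t]*[#;]/ { next }                        # comment line
        /^[ \t]*\[/ {                                 # [section] header
            s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
            section = tolower(s); next
        }
        section == "global" && index($0, "=") > 0 {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (tolower(key) == tolower(want)) found = val   # last one wins
        }
        END { if (found != "") print found }
    ' "$1"
}

# smb_inline_comment_values CONF: print every "key = value" line whose
# value contains # or ; (a trailing note that is really part of the data).
smb_inline_comment_values() {
    awk '
        /^[ \t]*[#;]/ { next }
        index($0, "=") > 0 && substr($0, index($0, "=") + 1) ~ /[#;]/ {
            line = $0; gsub(/^[ \t]+/, "", line); print line
        }' "$1"
}

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# audit_smb_conf CONF: one line per finding, non-zero status if any.
audit_smb_conf() {
    conf=$1; findings=0
    ep=$(smb_global_value "$conf" "encrypt passwords")
    case $(lower "$ep") in
        yes|true|1) ;;
        *) echo "encrypt passwords = '$ep' (expected yes)"; findings=$((findings + 1)) ;;
    esac
    if [ -z "$(smb_global_value "$conf" "hosts allow")" ]; then
        echo "hosts allow is not set: any host that can reach the server may connect"
        findings=$((findings + 1))
    fi
    if [ "$(lower "$(smb_global_value "$conf" security)")" != user ]; then
        echo "security is not set to user"
        findings=$((findings + 1))
    fi
    bad=$(smb_inline_comment_values "$conf")
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad" | sed 's/^/trailing comment is part of the value: /'
        findings=$((findings + $(printf '%s\n' "$bad" | wc -l)))
    fi
    [ "$findings" -eq 0 ]
}

count_smb_findings() { audit_smb_conf "$1" | wc -l | tr -d ' '; }

# Constructed samples: a weak configuration and a corrected one.
write_samples() {
    d=$(mktemp -d) || return 1
    cat > "$d/weak.conf" <<'EOF'
[global]
   workgroup = MYGROUP
   lm announce = yes #important for WIN95 and OS/2 machines
   server string = Samba Server
   ; hosts allow = 192.168.1. 127.
   security = user
   ; encrypt passwords = yes
   Encrypt Passwords = no
[homes]
   comment = Home Directories
   hosts allow = 192.168.1.
EOF
    cat > "$d/hardened.conf" <<'EOF'
[global]
   workgroup = MYGROUP
   # the note now lives on its own line, so the value is just "yes"
   lm announce = yes
   server string = Samba Server
   hosts deny = ALL
   hosts allow = 192.168.1. 127.
   security = user
   encrypt passwords = yes
   smb passwd file = /etc/smbpasswd
EOF
    printf '%s\n' "$d"
}

main() {
    d=$(write_samples) || exit 1
    for c in weak hardened; do
        echo "== $c.conf"
        audit_smb_conf "$d/$c.conf" || true
    done
    rm -rf "$d"
}

main
```

The weak file produces three findings (encrypted passwords off, no global "hosts allow" even though a share has one, and the "lm announce" value polluted by a trailing note); the hardened file produces none. Point audit_smb_conf at /etc/smb.conf to run the same checks on a real file.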
Configuring Windows
Configuring windows 95 for sharing: (If you want to be able to browse your windows computer from Linux)
1. Right click on "network neighborhood" and click "properties"
2. Under configuration make sure you have "Client for Microsoft Networks", your ethernet card driver and TCP/IP
3. Select "Client for Microsoft Networks"
4. Select "File and Print Sharing" and turn on file and printer access, enter a password to use
5. Select Add?
Setting up the service method
There are two ways to run Samba services. You can run them as a daemon using the system startup scripts, or use the internet super daemon, "inetd". You must choose one way or the other; you cannot run the service both ways. I recommend using the startup scripts since the service seems less reliable through inetd.
1. To run as a startup service, if you are using Redhat Linux, you may run "linuxconf" and go to "Control", then "Control panel", then "Control service activity", select "smb" and set it to enabled and running. You will also need to be sure the "/etc/services" file is set up for the named ports below, along with setting up the "/etc/smb.conf", "/etc/smbusers", and possibly the "/etc/lmhosts" files below.
2. To run on request through inetd, put these lines in /etc/inetd.conf:
# Other services
netbios-ssn stream tcp nowait root /usr/sbin/tcpd /usr/sbin/smbd
netbios-ns dgram udp wait root /usr/sbin/tcpd /usr/sbin/nmbd -a
Setting up the services
Configure ports for the NetBIOS name, datagram, and session services by making sure the following lines exist in the /etc/services file (add them if they are missing):
netbios-ns 137/tcp # NETBIOS Name Service
netbios-ns 137/udp
netbios-dgm 138/tcp # NETBIOS Datagram Service
netbios-dgm 138/udp
netbios-ssn 139/tcp # NETBIOS session service
netbios-ssn 139/udp
Setting up the Samba configuration file
Edit the Samba configuration file "/etc/smb.conf" to provide suitable services. You should be able to get a file to start with from /usr/doc/samba-x.x.x/examples/smb.conf.default, you can copy it to /etc/smb.conf and use an editor to modify it.
This is the samba file I use: Note: you can use swat (described below) to configure this file.
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options (perhaps too
# many!) most of which are not shown in this example
#
# Any line which starts with a ; (semi-colon) or a # (hash)
# is a comment and is ignored. In this example we will use a #
# for commentary and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command "testparm"
# to check that you have not made any basic syntactic errors.
#
#======================= Global Settings =====================================
[global]
# workgroup = NT-Domain-Name or Workgroup-Name
workgroup = mygroup
# This allows you to get around a problem in WIN95, it is also needed
# for OS/2 clients. You should definitely have this line enabled if
# you want to be able to just drop your GNU/Linux machine into an existing
# WIN95-only network.
# important for WIN95 and OS/2 machines. This note has to stay on its own
# line: smb.conf has no trailing comments, so anything after the value on
# the setting line would be read as part of the value.
lm announce = yes
# server string is the equivalent of the NT Description field
server string = Samba Server
# This option is important for security. It allows you to restrict
# connections to machines which are on your local network. The
# following example restricts access to two C class networks and
# the "loopback" interface. For more examples of the syntax see
# the smb.conf man page
# hosts deny = ALL
# hosts allow = 10.1.3.16 10.1.0.100
# if you want to automatically load your printer list rather
# than setting them up individually then you'll need this
printcap name = /etc/printcap
load printers = yes
# It should not be necessary to spell out the print system type unless
# yours is non-standard. Currently supported print systems include:
# bsd, sysv, plp, lprng, aix, hpux, qnx
; printing = bsd
# Uncomment this if you want a guest account, you must add this to /etc/passwd
# otherwise the user "nobody" is used
; guest account = pcguest
# this tells Samba to use a separate log file for each machine
# that connects
log file = /var/log/samba/log.%m
# Put a capping on the size of the log files (in Kb).
max log size = 50
# Security mode. Most people will want user level security. See
# security_level.txt for details.
security = user
# Use password server option only with security = server
; password server = <NT-Server-Name>
# Password Level allows matching of _n_ characters of the password for
# all combinations of upper and lower case.
; password level = 8
# You may wish to use password encryption. Please read
# ENCRYPTION.txt, Win95.txt and WinNT.txt in the Samba documentation.
# Do not enable this option unless you have read those documents
encrypt passwords = yes
smb passwd file = /etc/smbpasswd
# The following are needed to allow password changing from Windows to
# update the Linux system password also.
# NOTE: Use these with 'encrypt passwords' and 'smb passwd file' above.
# NOTE2: You do NOT need these to allow workstations to change only
# the encrypted SMB passwords. They allow the Unix password
# to be kept in sync with the SMB password.
unix password sync = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
# Unix users can map to different SMB User names
username map = /etc/smbusers
# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
; include = /etc/smb.conf.%m
# Most people will find that this option gives better performance.
# See speed.txt and the manual pages for details
socket options = TCP_NODELAY
# Configure Samba to use multiple interfaces
# If you have multiple network interfaces then you must list them
# here. See the man page for details.
interfaces = 192.168.199.1/24 10.1.0.100/16
# Configure remote browse list synchronisation here
# request announcement to, or browse list sync from:
# a specific host or from / to a whole subnet (see below)
; remote browse sync = 192.168.3.25 192.168.5.255
# Cause this host to announce itself to local subnets here
; remote announce = 10.1.255.255 192.168.199.2 192.168.2.44
# Browser Control Options:
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
; local master = no
# OS Level determines the precedence of this server in master browser
# elections. The default value should be reasonable
; os level = 33
# Domain Master specifies Samba to be the Domain Master Browser. This
# allows Samba to collate browse lists between subnets. Don't use this
# if you already have a Windows NT domain controller doing this job
; domain master = yes
# Preferred Master causes Samba to force a local browser election on startup
# and gives it a slightly higher chance of winning the election
; preferred master = yes
# Use only if you have an NT server on your network that has been
# configured at install time to be a primary domain controller.
; domain controller = <NT-Domain-Controller-SMBName>
# Enable this if you want Samba to be a domain logon server for
# Windows95 workstations.
; domain logons = yes
# if you enable domain logons then you may want a per-machine or
# per user logon script
# run a specific logon batch file per workstation (machine)
; logon script = %m.bat
# run a specific logon batch file per username
; logon script = %U.bat
# Where to store roving profiles (only for Win95 and WinNT)
# %L substitutes for this servers netbios name, %U is username
# You must uncomment the [Profiles] share below
; logon path = \\%L\Profiles\%U
# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable its WINS Server
wins support = yes
# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
; wins server = w.x.y.z
# WINS Proxy - Tells Samba to answer name resolution queries on
# behalf of a non WINS capable client, for this to work there must be
# at least one WINS Server on the network. The default is NO.
; wins proxy = yes
# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups. The built-in default for versions 1.9.17 is yes,
# this has been changed in version 1.9.18 to no.
dns proxy = no
# Case Preservation can be handy - system default is _no_
# NOTE: These can be set on a per share basis
; preserve case = no
; short preserve case = no
# Default case is normally upper case for all DOS files
; default case = lower
# Be very careful with case sensitivity - it can break things!
; case sensitive = no
admin users = root
dead time=15
hide dot files = yes
max connections = 10
share modes = yes
guest account = nobody
browseable = yes
; invalid users = root
#============================ Share Definitions ==============================
[homes]
comment = Home Directories
browseable = no
writeable = yes
path=/home/%S
public = no
# Un-comment the following and create the netlogon directory for Domain Logons
; [netlogon]
; comment = Network Logon Service
; path = /home/netlogon
; guest ok = yes
; writable = no
; share modes = no
# Un-comment the following to provide a specific roving profile share
# the default is to use the user's home directory
;[Profiles]
; path = /home/profiles
; browseable = no
; guest ok = yes
# NOTE: If you have a BSD-style print system there is no need to
# specifically define each individual printer
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
# Set public = yes to allow user 'guest account' to print
guest ok = no
writable = no
printable = yes
# This one is useful for people to share files
[tmp]
comment = Temporary file space
path = /tmp
read only = no
public = yes
# A publicly accessible directory, but read only, except for people in
# the "staff" group
[public]
comment = Public Stuff
path = /home/public
public = yes
writable = yes
printable = no
; write list = @staff
# Other examples.
#
# A private printer, usable only by fred. Spool data will be placed in fred's
# home directory. Note that fred must have write access to the spool directory,
# wherever it is.
;[fredsprn]
; comment = Fred's Printer
; valid users = fred
; path = /homes/fred
; printer = freds_printer
; public = no
; writable = no
; printable = yes
# A private directory, usable only by fred. Note that fred requires write
# access to the directory.
;[fredsdir]
; comment = Fred's Service
; path = /usr/somewhere/private
; valid users = fred
; public = no
; writable = yes
; printable = no
# a service which has a different directory for each machine that connects
# this allows you to tailor configurations to incoming machines. You could
# also use the %u option to tailor it by user name.
# The %m gets replaced with the machine name that is connecting.
;[pchome]
; comment = PC Directories
; path = /usr/pc/%m
; public = no
; writable = yes
# A publicly accessible directory, read/write to all users. Note that all files
# created in the directory by users will be owned by the default user, so
# any user with access can delete any other user's files. Obviously this
# directory must be writable by the default user. Another user could of course
# be specified, in which case all files would be owned by that user instead.
;[public]
; path = /usr/somewhere/else/public
; public = yes
; only guest = yes
; writable = yes
; printable = no
# The following two entries show how to share a directory so that two
# users can put files there that will be owned by specific users. In this
# setup, the directory should be writable by both users & have the sticky
# bit set on it to prevent abuse. Obviously this could be extended to
# as many users as required.
;[myshare]
; comment = Mary's and Fred's stuff
; path = /usr/somewhere/shared
; valid users = mary fred
; public = no
; writable = yes
; printable = no
; create mask = 0765
[cdrom]
comment = Samba server's CD-ROM
writable = no
locking = no
path = /mnt/cdrom
public = no
root preexec = /bin/mount /mnt/cdrom
root postexec = /bin/umount /mnt/cdrom
[etc]
comment = Linux setup files in /etc
public = no
writeable = yes
path = /etc
read only = yes
valid users = george mark
[floppy]
comment = Samba server's Floppy Drive
browseable = yes
writeable = yes
path = /mnt/floppy
public = no
root preexec = /bin/mount /dev/fd0 /mnt/floppy
root postexec = /bin/umount /mnt/floppy
Notes:
• The section that allows unix passwords to be synced with samba passwords does not seem to work. This may be because I use shadow passwords.
• To customize samba setups from various machines use the "include = /etc/smb.conf.%m" line.
• To make passwords be sent over the network in encrypted form:
  1. In the /etc/smb.conf file add or uncomment the lines:
     encrypt passwords = yes
     smb passwd file = /etc/smbpasswd
  2. Type "smbpasswd -a user", then enter the desired password.
Note: If you are not using shadow passwords, there is a way to convert to secure passwords without users knowing it. The command "cat /etc/passwd |mksmbpasswd.sh > /etc/smbpasswd" will create an smbpasswd file. However, if you are using shadow passwords (which you should be), the /etc/passwd file does not contain the information required to set up the password file, and you must still have each user set their password or do it as root with the "smbpasswd -a username" command. Read the documentation in /usr/doc/samba-x.x.x/docs/textdocs/ENCRYPTION.txt. Be sure your smbpasswd file is only readable and writable by the root user.
• Note: Be sure alias is off so hosts can't fool your machine by aliasing their names.
To deny all hosts access except those you specify, use the following example under [global]:
  hosts deny = ALL
  hosts allow = 10.1.3.16 10.1.0.100
If you deny hosts, be sure you know what you are doing! The way Microsoft networking works is that a master browser is picked based on an election process from all computers that are running Windows networking. If you deny access to the master browser, you may be unable to browse the network for your computer. Therefore, unless you know what computer will be the master browser and backup browser that you will use for browsing, it may be unwise to use this feature.
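As an added example that is not part of this guide, a small POSIX sh/awk audit that checks an smb.conf for the points made in these notes: encrypted passwords turned on, a password file set and kept at mode 0600, a "hosts deny = ALL" that has a matching "hosts allow", and a trailing '#' comment on a setting line, which smbd does not strip. The two sample configs and the file paths in them are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the guide: audit an smb.conf against the
# points the notes above make. The configs and paths below are constructed
# samples, not the guide's own files.

# smb_param FILE SECTION PARAM: print the effective value of PARAM inside
# [SECTION]. A line whose first non-blank character is ';' or '#' is a
# comment; if a parameter is repeated, the last assignment wins, as in smbd,
# and smbd ignores case and whitespace in parameter names.
smb_param() {
    awk -v want_sec="$2" -v want_key="$3" '
        BEGIN { want_sec = tolower(want_sec)
                want_key = tolower(want_key); gsub(/[ \t]/, "", want_key) }
        /^[ \t]*[;#]/ { next }
        /^[ \t]*\[/ {
            sec = $0
            sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
            sec = tolower(sec)
            next
        }
        sec == want_sec && index($0, "=") > 0 {
            eq  = index($0, "=")
            key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
            val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == want_key) found = val
        }
        END { if (found != "") print found }
    ' "$1"
}

# smb_bool VALUE: succeed for the spellings smbd accepts as "on".
smb_bool() {
    case $(printf '%s' "$1" | tr 'A-Z' 'a-z') in
        yes|true|1) return 0 ;;
        *)          return 1 ;;
    esac
}

# smbpasswd_mode FILE: the permission bits as ls shows them, e.g. rw-------
smbpasswd_mode() {
    [ -f "$1" ] && ls -ld "$1" | cut -c2-10
}

# smb_audit SMBCONF SMBPASSWD: print one line per finding (no output = clean).
smb_audit() {
    conf=$1; pwfile=$2
    smb_bool "$(smb_param "$conf" global 'encrypt passwords')" ||
        echo "encrypt passwords is off: SMB passwords are sent in the clear"
    [ -n "$(smb_param "$conf" global 'smb passwd file')" ] ||
        echo "smb passwd file is not set"
    # "hosts deny = ALL" only makes sense together with a hosts allow list;
    # without one every client, the master browser included, is refused.
    if [ "$(smb_param "$conf" global 'hosts deny' | tr 'A-Z' 'a-z')" = all ] &&
       [ -z "$(smb_param "$conf" global 'hosts allow')" ]; then
        echo "hosts deny = ALL without hosts allow: all clients are refused"
    fi
    # smbd does not strip a trailing '#...' comment: it becomes part of the
    # value, which testparm then reports as a badly formed setting.
    awk '!/^[ \t]*[;#]/ && /=.*#/ { print "inline comment in: " $0 }' "$conf"
    # The notes want the password file readable and writable by root only,
    # i.e. mode 0600 (check the owner by hand as root).
    [ "$(smbpasswd_mode "$pwfile")" = "rw-------" ] ||
        echo "$pwfile is not mode 0600 (got: $(smbpasswd_mode "$pwfile"))"
    return 0
}

# --- constructed sample input ------------------------------------------------
TMPD=$(mktemp -d); trap 'rm -rf "$TMPD"' EXIT
WEAK_CONF=$TMPD/smb.conf.weak; GOOD_CONF=$TMPD/smb.conf.good
WEAK_PW=$TMPD/smbpasswd.weak;  GOOD_PW=$TMPD/smbpasswd.good
cat >"$WEAK_CONF" <<'EOF'
[global]
   workgroup = mygroup
   lm announce = yes #important for WIN95 and OS/2 machines
   hosts deny = ALL
   encrypt passwords = no
   smb passwd file = /etc/smbpasswd
[tmp]
   path = /tmp
   public = yes
EOF
cat >"$GOOD_CONF" <<'EOF'
[global]
   workgroup = mygroup
   lm announce = yes
   hosts deny = ALL
   hosts allow = 10.1.3.16 10.1.0.100
   encrypt passwords = yes
   smb passwd file = /etc/smbpasswd
EOF
: >"$WEAK_PW"; chmod 644 "$WEAK_PW"
: >"$GOOD_PW"; chmod 600 "$GOOD_PW"

echo "== weak =="; smb_audit "$WEAK_CONF" "$WEAK_PW"
echo "== good =="; smb_audit "$GOOD_CONF" "$GOOD_PW"
```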
The smbusers file
Edit the /etc/smbusers file to map your machine names to Unix user names. The following file is an example I use:
# Unix_name = SMB_name1 SMB_name2 ...
root = windoze1 windoze2
nobody = guest pcguest smbguest
mark = windoze3
In this case anyone logging in from the machines windoze1 or windoze2 will be mapped to the user "root".
The lmhosts file
You may want to edit the /etc/lmhosts file, depending on how you are providing your Samba name services. Below is an example:
127.0.0.1 localhost
10.1.0.100 mymachine
10.1.3.16 george
This file may be used by the system to get IP addresses from host names. It may not be necessary for you to configure this file. You may need it if you do not have a DNS server available or your DNS server is not configured properly. If you get a message like "Resource is unavailable" you should try creating this file.
Upon completion
You will need to issue the following commands to complete the setup of Samba services:
1. Enter the users' passwords with the command "smbpasswd -a user". This command is used to enter passwords for your users and is required for each user if you are using encrypted passwords which should be the case.
2. If running the startup daemons, use one of the following choices of "samba restart", "samba start", "/etc/rc.d/init.d/smb restart", or "/etc/rc.d/init.d/smb start". Don't forget to set your startup services in Redhat's linuxconf program to run Samba services the next time you boot your system.
3. If running Samba from inetd, start it with "killall -HUP inetd".
Examples of commands you may need or want to use
testparm |more To see the results of your changes. May have to restart inetd (below)
smbpasswd -a user To set samba passwords. See the smbpasswd(8) man page for more information.
samba restart To restart the Samba services when running through the startup scripts. This allows changes to take effect. You can use the command start, stop, or status to start, stop, or see the status of the service, respectively.
/etc/rc.d/init.d/smb restart The same as the Samba restart command, but this command directly invokes the Samba startup script.
smbclient -L mymachine To list the services offered by the Samba server "mymachine"
smbmount Used to mount volumes from Windows machines
killall -HUP inetd To restart the inetd daemon and therefore allow new settings for this daemon or any subdaemon to be implemented. You will use this command, only if you run Samba using the inetd daemon.
Common Pitfalls
Many times those setting up Samba services will either have trouble browsing for their computer on the network or logging in. Below I have listed some possible reasons for these problems and what you should check:
• Unable to browse:
1. Check to be sure the name of your workgroup is correct in the /etc/smb.conf file with the statement "workgroup = mygroup".
2. Check to be sure the line "browseable = yes" is included in the [global] section of /etc/smb.conf.
3. You may need to set up the lmhosts file if you do not have a DNS server or your DNS server is not configured with your samba server IP address and name.
4. Type "ps -ax |grep smb" and you should see a line like "784 ? S 0:00 smbd -D". If you don't your services are not running and you should start them.
5. If you are attempting to run Samba services from inetd using the inetd.conf file, run Samba as a startup service and see if that fixes the problem.
• Unable to login with the system producing a message saying the password is incorrect.
1. Check the log files in the /var/log/samba directory. First look for a file "log.machinename" where machinename is the name of the machine you are logging in from. You can "cat log.machinename" or use less or more to see the file.
2. Be sure your user mapping is correct.
   1. Be sure the line "username map = /etc/smbusers" is included in the /etc/smb.conf file. Also check the log.smb file.
   2. Be sure the file /etc/smbusers contains line(s) like "unixuser = windozemachine1 windozemachine2 winuser1 winuser2 ...". The unix user is normally the name of the equivalent user you want to log in as, such as root. I always put the machine name and all Windows user names in the file to be sure that if the login is by machine name or Windows user name, it will be translated to a unix user name. Normally it is the Windows user name. You will find out by examining the file "log.machinename".
3. Be sure you are logging in using encrypted passwords from both the Linux and Windows sides.
   1. Be sure the lines "encrypt passwords = yes" and "smb passwd file = /etc/smbpasswd" are in the /etc/smb.conf file and are not commented out with a ';' or '#' character in front of the line.
   2. Be sure you have added the users you are trying to log in as with the "smbpasswd -a user" command, where user is the name of the Linux user you want to log in as. For instance, the command is "smbpasswd -a root" to set up the password for the root user.
   3. Be sure Windows 95 is sending encrypted passwords. There is an upgrade patch for Windows 95 from Microsoft to make this change. This is only necessary for old versions of Windows 95; Windows 98, NT and 2K all send encrypted passwords by default. Therefore, unless you are using one of the first versions of Windows 95 that came out, you should not have this problem.
Be sure you restart Samba every time you make a change to the /etc/smb.conf file to put your changes into effect.
Mounting and getting windows files from Linux after samba is installed
There are two programs supporting file services from Windows:
1. smbmount - Allows a shared directory on a Windows machine to be mounted on the Linux machine.
2. smbclient - Works similarly to an ftp client, enabling the user to transfer files.
smbmount //winhost/windows /mnt/name_windows -c mylinuxmachine
This command mounts the directory "windows" on the Windows computer "winhost" on the Linux machine named "mylinuxmachine". The directory "windows" must have sharing enabled for this to work. To unmount:
smbumount /mnt/name_windows
The smbclient program works with the following syntax:
smbclient //winmachine/dirsharename -s /etc/smb.conf
The winmachine is the NetBIOS name of the serving machine with the shared resource on it.
The dirsharename is the share name of the directory
The "-s /etc/smb.conf" indicates the path of the samba configuration file.
After entering the above command you will get a password prompt. If no password is required, press "return", otherwise enter the required password. Upon successful login you can look at the directory with the "dir" command. Below are some available commands:
• dir - directory
• get remotefile localfile
• cd - Change directory
• exit, q, or quit - To exit the program
• help - for help information
• mkdir - make directory
See the man page on smbclient for a full set of commands. Note: I've had trouble getting this program to work with windozeNT.
Some notes on the smb.conf file format
Variables as found in the smb.conf file are as follows:
• %a - The architecture of the client machine such as Samba, WfWg, WinNT, Win95
• %d - The PID of the server process.
• %g - The group ID of the service's username (The name the client got)
• %G - The group ID of the session requested username
• %h - The internet (DNS) samba server host name.
• %H - The user's home directory.
• %I - The client machine's IP address.
• %L - The NetBIOS server name
• %m - The NetBIOS client name
• %M - The internet (DNS) client host name.
• %n - .
• %N - NIS home directory server name.
• %p - The path of the service's home directory from NIS auto.map.
• %P - The current services' root directory.
• %R - The protocol level. CORE, COREPLUS, LANMAN1, LANMAN2, or NT1.
• %S - The name of the current service.
• %T - The current date and time.
• %u - The client's username
• %U - The username the client wanted.
• %v - Samba version number.
There are many global and service parameters defined in the smb.conf file. Read the man page on smb.conf for a complete list. Here is a list of a few global parameters:
• auto services - Directories automatically visible to all users browsing the network.
• bind interfaces only - Limits the interfaces to serve samba requests.
• deadtime - The timeout for inactive connections
• debug level - The level of messages for logging.
• default service - The service to connect to if the requested service cannot be found. Example:
  default service = docs
  [docs]
  path = /%S
• directory mask - Octal file settings used to convert DOS modes to UNIX modes when creating directories.
• directory security mask - Controls file permissions that can be modified by windows clients.
• dns proxy - Specifies that the nmbd daemon, if running as a WINS server, should treat unknown names as DNS names and do a DNS lookup.
• lock directory - The path of the directory where lock files are stored.
• message command - Samba's command to run in response to WinPopup messages.
• name resolve order - The query order for resolution of name to IP addresses. Values are bcast, hosts, wins and lmhosts.
• netbios aliases - Other names the samba server is called and will answer to.
• netbios name - The samba server's netbios name.
• smb passwd file - The path for the encrypted Samba password file.
• smbrun - The path of the smbrun program used to execute shell commands for the samba daemon.
• socket address - Controls the address on which Samba will listen for connections.
• syslog - Sets the threshold for sending messages to syslog
• syslog only - Use syslog rather than samba log files
SWAT configuration
SWAT allows an administrator to configure the smb.conf file using a web browser. To use it, do the following:
1. Add the following line to your /etc/services file:
   swat 901/tcp # Swat Samba configuration services
2. Add the following line to your /etc/inetd.conf file:
   swat stream tcp nowait.400 root /usr/sbin/swat swat
3. Type "killall -HUP inetd" to reload the inetd.conf file.
4. On your local machine, point your web browser at http://localhost:901/
5. If you connect over the network from a remote machine, be aware that your password will be sent in the clear.
6. SWAT will rewrite your smb.conf file and remove comments. Back up your smb.conf file before using SWAT.
For more information on NetBIOS, WINS, SMB, and NBNS (NetBIOS Name Server) read "The CTDP Networking Guide".
Linux Identd (auth)
The identd daemon or service returns user information to a remote host that a user is requesting a service from. This service is misunderstood by many who seem to think that it is used for some kind of user authorization. It is a good idea to support this service which uses port 113. Some remote systems could require it in order to receive requested services. As a system administrator, it can help you identify users who are abusing systems. The identd(1) and authuser(3) man pages give more information about the subject.
Linux X Configuration
Installation
If installing X, install it in "/usr/X11R6/…".
Configuration Files
/etc/X11/XF86Config
This file has the following sections. They are Files, ServerFlags, Keyboard, Pointer, Monitor, Device (may be more than 1), and Screen (may be more than 1).
Files, Keyboard and Pointer Sections:
The files section sets up the paths for X to use for files that specify screen colors and fonts. If the directory specified here doesn't exist or is empty XFree86 will crash or generate error messages. The "Keyboard" section specifies the keyboard protocol, usually standard, and key repeat rates. The "Pointer" section includes a Protocol and Device line. The device is the mouse device such as /dev/mouse (This may be a softlink to another device). The Protocol is one of BusMouse, Logitech, Microsoft, MMSeries, Mouseman, Mousesystems, PS/2, or MMHitTab.
The monitor section:
In the Monitor section the Identifier can be any unique string identifying that particular monitor. The VendorName and ModelName are for reference. HorizSync is in kHz and may be one number, several numbers separated by commas, or a range, e.g. 30-54 or 31.5, 35.2. VertRefresh is in Hz and is specified the same way as HorizSync. VertRefresh and HorizSync specify the valid rates for your monitor. An example "Modeline" is shown below:
Modeline "1024X768" 65.00 1024 1032 1176 1344 768 771 777 806 -hsync -vsync
The name is "1024X768", an arbitrary string used to refer to the modeline in the Screen section.
The dot-clock is 65.00, the video card's driving clock frequency in MHz for that resolution mode. It is the rate at which the video card sends pixels to the monitor for that screen mode.
The next four numbers, 1024, 1032, 1176, and 1344, are the horizontal values and the last four are the vertical values. These values specify when the monitor should fire its electron gun and when the horizontal and vertical sync pulses occur.
Read the file /usr/X11R6/lib/X11/doc/VideoModes.doc. It explains how to configure this section. Also, the file, Monitors shows examples of modelines for specific monitors.
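As an added example (not from the guide), the sync rates this Modeline implies, worked out from the horizontal and vertical totals and checked against a Monitor section's HorizSync and VertRefresh written in the forms described above. The monitor limits used are constructed sample values, and the 1% matching tolerance is an assumption modelled on XFree86's own mode-to-monitor check.

```shell
#!/bin/sh
# Added example, not code from the guide: work out the horizontal sync and
# vertical refresh rate a Modeline implies and check them against a
# Monitor section's HorizSync / VertRefresh. The monitor limits used below
# are constructed sample values; the 1% tolerance is an assumption modelled
# on XFree86's mode-to-monitor check.

# modeline_rates MODELINE: print "name hsync_kHz vrefresh_Hz".
# The 4th horizontal value is the total pixel clocks per scan line and the
# 4th vertical value the total lines per frame, so
#   hsync    = clock_MHz * 1000 / htotal      (kHz)
#   vrefresh = hsync_kHz * 1000 / vtotal      (Hz)
modeline_rates() {
    printf '%s\n' "$1" | awk '{
        name = $2; gsub(/"/, "", name)
        clock = $3 + 0; htotal = $7 + 0; vtotal = $11 + 0
        hsync = clock * 1000 / htotal
        vref  = hsync * 1000 / vtotal
        for (i = 12; i <= NF; i++) {          # optional flags after the timings
            f = tolower($i)
            if (f ~ /interlace$/)  vref *= 2  # field rate, as X reports it
            if (f ~ /doublescan$/) vref /= 2
        }
        printf "%s %.2f %.2f\n", name, hsync, vref
    }'
}

# in_range VALUE SPEC: succeed when VALUE lies within SPEC, written in the
# forms the text allows: a range "30-54", a list "31.5, 35.2", or a mix.
in_range() {
    printf '%s\n' "$2" | awk -v v="$1" -v tol=0.01 '
        BEGIN { v = v + 0; ok = 0 }
        {
            n = split($0, items, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", items[i])
                if (split(items[i], r, "-") == 2) { lo = r[1] + 0; hi = r[2] + 0 }
                else                              { lo = items[i] + 0; hi = lo }
                if (v >= lo * (1 - tol) && v <= hi * (1 + tol)) ok = 1
            }
        }
        END { exit (ok ? 0 : 1) }'
}

# check_mode MODELINE HORIZSYNC VERTREFRESH: report whether the mode is
# usable on a monitor with those limits; exit status 0 when it is.
check_mode() {
    rates=$(modeline_rates "$1")
    name=${rates%% *}; rest=${rates#* }
    hs=${rest%% *};    vr=${rest#* }
    status=0
    in_range "$hs" "$2" || { echo "$name: hsync $hs kHz outside HorizSync $2"; status=1; }
    in_range "$vr" "$3" || { echo "$name: refresh $vr Hz outside VertRefresh $3"; status=1; }
    [ "$status" -eq 0 ] && echo "$name: hsync $hs kHz, refresh $vr Hz, within monitor limits"
    return "$status"
}

# The Modeline quoted in the text, and two constructed sets of monitor limits.
MODE='Modeline "1024X768" 65.00 1024 1032 1176 1344 768 771 777 806 -hsync -vsync'
check_mode "$MODE" "30-54" "50-90"                       # multisync monitor: fits
check_mode "$MODE" "31.5, 35.2" "50-90" || echo "(rejected: fixed-frequency monitor)"
```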
The device section:
This section describes video cards. The Identifier, VendorName, BoardName and optional Chipset are strings and are only used for identification. VideoRam specifies the amount of video memory in Kb. The data in Clocks should come from the video board manual. The file Devices in the documentation section should help with device setup. If your video card is found in the Devices file, that section may be copied into the XF86Config file. Note: Sometimes the card may use a programmable clock chip, in which case there may be a line specifying "ClockChip" rather than "Clocks". Some cards may specify a "Ramdac" line. Some video cards also require other special options using an "Option" line. These options are described in the README file for the particular chipset.
The screen section:
The "Screen" section is where you specify which XFree86 server (driver) runs, together with the Device and Monitor entries it uses.
EX:
Section "Screen"
    Driver "accel"
    Device "Actix GE32+ 2MB"
    Monitor "Generic Monitor"
    SubSection "Display"
        Depth 8
        Modes "640x480"
        ViewPort 0 0
        Virtual 1280 1024
    EndSubsection
    SubSection "Display"
        Depth 16
        Weight 565
        Modes "640x480"
        ViewPort 0 0
        Virtual 1024 768
    EndSubsection
EndSection
The values for driver can be Accel, SVGA, VGA16, VGA2, or Mono. Accel supports XF86_S3, XF86_Mach32, XF86_Mach8, XF86_8514, XF86_P9000, XF86_AGX, and XF86_W32 servers. SVGA supports the XF86_SVGA server. The driver specifies the X server to use.
Depth sets the number of bits per pixel. Modes lists the video mode names defined by ModeLine entries in the Monitor section. The Virtual option specifies the virtual desktop size; use this if you have enough RAM on the video card but a monitor that won't support the greater resolution. ViewPort defines the coordinates of the upper left corner of the virtual desktop when XFree86 starts. In the Screen section, the driver name indicates the type of X server you are running. The X server is the program that drives your monitor, mouse, and keyboard, regardless of the platform or location: it could be running on the same machine, on another machine on a network, or on a serial port. For example, if I am running the SVGA server program (XF86_SVGA), the Screen section that applies is the one labeled as follows:
Driver "svga"
I believe the X server program that runs is determined by the "xserverrc" file either in the user's home directory or in the directory "/usr/X11/xinit/". I do not believe this is used anymore since the Xwrapper program is set up to be the X server program on current systems. If it is used, it is used to pass parameters to the Xwrapper program. On my system the X server falls through to the default "X" file which is a link to the Xwrapper program. See the "How Linux Works CTDP Guide" for more information.
You can use Ctrl-Alt-+ to change the resolution. X starts with the poorest one you select (by default), you can change that manually by editing /etc/X11/XF86Config.
Configuration tools:
Programs to configure X are:
• XF86Setup - A newer X configuration program with a GUI interface which modifies the "/etc/X11/XF86Config" configuration file.
• xf86config - An older X configuration program with a text based interface. It also modifies the "/etc/X11/XF86Config" configuration file.
• Xconfigurator - The Redhat tool used during system setup to configure X.
• xvidtune - This program will test video modes on the fly without modifying your X configuration. Read the /usr/X11R6/lib/X11/doc/VideoModes.doc file before running this program.
• SuperProbe - A program that probes the video card to determine its type for use when setting up X.
The programs reside in "/usr/X11R6/bin" and "/usr/bin/X11". The programs XF86Setup, xf86config, and Xconfigurator modify the "/etc/X11/XF86Config" configuration file. XF86Setup is the newer configuration program with a GUI interface and xf86config is older with a text based interface. I advise users to use XF86Setup when possible, but use xf86config when they have problems with XF86Setup. To get it configured, you must provide information about your keyboard, mouse, video card and monitor. You must also select a screen resolution mode. Usually if you can't find a configuration for your video card you can select a generic driver such as SVGA. Later to improve performance, you may want to make manual modifications to your configuration with settings that more closely match your video card. The main information about your video monitor includes the maximum vertical and horizontal scan rates. You will want to refer to your monitor's manual for this information. If you have problems with X and it won't work, one thing to try is reducing your video mode from a higher to lower resolution. Ex: Change from 1200X1024 to 800X600. Usually if you can't use higher resolution it is due to monitor scan frequencies. Your video card memory determines a combination of your maximum resolution and maximum colors. For example 1200X1024 with 65535 colors requires 1200 times 1024 times 2 bytes of video memory which is 2.4576 M of video memory. Your video card needs 4M to run this mode.
A handy program for determining your video card type and video RAM is "SuperProbe". This program could crash your system, but should do no harm, other than having to reboot and clean the system. It is recommended that you backup your files prior to running this program, however.
The program xvidtune will let you test video modes on the fly without modification to your X configuration. Read the /usr/X11R6/lib/X11/doc/VideoModes.doc file before running this program.
The instructions for configuring X are spread out over several text files. Check the README, VideoModes.doc, README.Config, and README.Linux. Read the man pages for Xconfig, XF86Config, XFree86, and Xfree86kbd. Many documentation files for various packages are in "/usr/doc". Many of these files are too in depth for the average user and describe many X Consortium standards.
Running in terminal mode in run level 5:
You can set the runlevel in the "/etc/inittab" file to runlevel 5, which means the X font server will be running. This way you can provide remote X services to other machines. If you want to boot into terminal mode instead, you must modify the file "/etc/X11/xdm/Xservers" and comment out the line that reads:
:0 local /usr/X11R6/bin/X
To provide X services to a remote boot machine according to the Linux Terminal Server Project (LTSP):
Modify the file /etc/rc.d/init.d/xfs. Modify two lines around 22 and 41:
Redhat 6.0
Change the lines that start with
Redhat 6.1
Change the lines that start with "daemon xfs -droppriv -daemon -port -1" to "daemon xfs -droppriv -daemon -port 7100"
Change the file /etc/X11/XF86Config:
Change the line
Change the file /etc/X11/xdm/Xaccess at line 40
# * #any host can get a login window
Remove the first # to enable remote workstation access.
Configuring the Xresources file
In the script file xinitrc explained in the section on "How X works" in the "How Linux Works" manual is a line like:
userresources=$HOME/.Xresources
There is also a line like:
sysresources=/etc/X11/xinit/Xresources
These resource files are made available to the system with lines like:
xrdb -merge $sysresources
xrdb -merge $userresources
This section briefly explains the format of the Xresources file. Each X application belongs to an application class. Applications use resources such as background, foreground, font, and geometry. The X programs may have their own resources. The manual page for X programs specify which resources they use. Resources are also arranged into classes. A resource line in the Xresources file is in the form:
(ApplicationClass or ApplicationName)*(ResourceClass or ResourceName) : value
The xterm program belongs to the XTerm class.
A sample Xresources file follows:
! Defaults
XTerm*Foreground: white
XTerm*Background: blue
Clock*Geometry: 80x80+10+10
! Specifics
xterm-1*background: black
Linux X Use
Entering and exiting Linux Xwindows
startx - To enter xwindows
CTRL-ALT-BS - To exit xwindows quickly
Depress the left mouse button on the desktop to get a menu to let you exit for some windows managers.
X windows is usually started by typing "startx". To find out where the startx script file used for this process is, type "which startx". Then you can look at the script file using "less". Near the top of the script there is a statement like "sysclientrc=/usr/X11R6/lib/X11/xinit/xinitrc" which tells you where the xinitrc file is. The user configuration file will be in /home/your user name/.xinitrc. At the bottom of the file /usr/X11R6/lib/X11/xinit/xinitrc there is a statement like "exec fvwm" which tells the program to execute your window manager. This may be inside an if statement that tests for the existence of the user's preferred window manager, or for the existence of a particular manager, trying others in series when the first listed is not available. To modify the X window manager for the user, copy the xinitrc file to /home/your user name/.xinitrc and modify it.
.Xresources
.Xmodmap
A current list of good windows managers:
• fvwm95
• OLVWM
• wmaker - window maker
• CDE
• wm2
• KDE - The K desktop environment
• gnome
• The program xfs is the xfont server
• The program xdm is an X Display Manager
How to set up X managers for different users
To set your preferred window manager, on Redhat and possibly other systems, make a file, /etc/sysconfig/desktop, and put the string "KDE" or "GNOME" in it depending on the preferred system-wide X manager. However, this will not allow users to select their own favorite window manager. Note: This is exclusive of users who are running remote X services such as VNC as explained in "The CTDP Linux User's Guide". To allow users to select their own manager independent of system settings do the following:
1. Copy the file "/etc/X11/xinit/Xclients" to the user's home directory, renaming it with a period as its first character:
cp /etc/X11/xinit/Xclients /home/username/.Xclients
2. Modify the following lines in /home/username/.Xclients from:
if [ -f /etc/sysconfig/desktop ]; then
    if [ -n "`grep -i GNOME /etc/sysconfig/desktop`" ]; then
        PREFERRED=gnome-session
    elif [ -n "`grep -i KDE /etc/sysconfig/desktop`" ]; then
        PREFERRED=startkde
    elif [ -n "`grep -i AnotherLevel /etc/sysconfig/desktop`" ]; then
        PREFERRED=AnotherLevel
    fi
fi
to:
if [ -f $HOME/.desktop ]; then
    if [ -n "`grep -i GNOME $HOME/.desktop`" ]; then
        PREFERRED=gnome-session
    elif [ -n "`grep -i KDE $HOME/.desktop`" ]; then
        PREFERRED=startkde
    elif [ -n "`grep -i AnotherLevel $HOME/.desktop`" ]; then
        PREFERRED=AnotherLevel
    fi
fi
3. Make a file, $HOME/.desktop, and put the string "KDE" or "GNOME" in it depending on the user's preferred X manager. The user can do this step.
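The same selection written as an added example (not the manual's Xclients script): it reads $HOME/.desktop first and falls back to /etc/sysconfig/desktop when the user has not chosen, so the administrator's default survives, and it matches whole lines rather than substrings. The function names are mine; the two file paths are the ones the manual uses.

```shell
#!/bin/sh
# Added example, not the manual's Xclients script: choose the session from
# the user's $HOME/.desktop first and fall back to the system-wide
# /etc/sysconfig/desktop, so a user's choice overrides the administrator's
# default instead of discarding it. Matching is whole-line and
# case-insensitive, so a file containing "NOKDE" does not select KDE the way
# the manual's substring grep would.

# session_for_file FILE
# Prints the session command named in FILE, or nothing if FILE is missing
# or does not name a known desktop.
session_for_file() {
  [ -r "$1" ] || return 0
  if grep -iqx '[[:space:]]*GNOME[[:space:]]*' "$1"; then
    echo gnome-session
  elif grep -iqx '[[:space:]]*KDE[[:space:]]*' "$1"; then
    echo startkde
  elif grep -iqx '[[:space:]]*AnotherLevel[[:space:]]*' "$1"; then
    echo AnotherLevel
  fi
}

# preferred_session [USERFILE] [SYSFILE]
# The first file that names a desktop wins; the defaults are the two paths
# the manual uses. Prints nothing if neither file chooses, so the caller can
# fall through to whatever its own default is.
preferred_session() {
  userfile=${1:-$HOME/.desktop}
  sysfile=${2:-/etc/sysconfig/desktop}
  PREFERRED=$(session_for_file "$userfile")
  [ -n "$PREFERRED" ] || PREFERRED=$(session_for_file "$sysfile")
  echo "$PREFERRED"
}

# In .Xclients the result would be used along the lines of the manual's own
# script:
#   PREFERRED=$(preferred_session)
#   [ -n "$PREFERRED" ] && exec "$PREFERRED"
```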
To remotely use Xwindows from Microsoft Windows
This section describes how to set this up for the MI/X server program to run on windows. I have not been able to get this server to run with KDE or gnome, and many graphic images do not seem to work with it. See the section on using X remotely for a better solution. This section is still here for anyone who wants to experiment with it.
1. Get a copy of an X windows server program for windows such as MI/X for windows from MicroImages at http://www.microimages.com.
2. Install the package according to instructions on your windows box.
3. Set up a shortcut to MI/X to run XS.EXE on the windows box.
4. Invoke the shortcut to begin the Xwindows server program.
5. Telnet to your linux box from your windows box
6. Type "fvwm -display mark:0 &" where "mark" is the name of your windows box.
Tips
• To exit X windows quickly or if the video is working improperly, use the
• To increase or decrease graphic mode use
• The command "X -showconfig" lists the video chip names known to the X server.
• The command "X -probeonly > /tmp/test.out 2>&1" lists supported chipsets and other useful information.
• The command "X > /tmp/test.out 2>&1" runs X bare. Use Ctrl-Alt-BS key combination, then examine the contents of the output file to help debug X startup problems.
Using Linux X Remotely
If you want to display an X session on a windows 95/98/NT/2000/xxx computer from a Linux computer, do the following:
1. Go to the website http://www.uk.research.att.com/vnc and download a minimum of:
1. vnc_latest_doc.tgz or vnc_latest_doc.zip
2. vnc-3_3_3_x86_linux_2_0.tgz
3. vnc-3_3_3r2_x86_win32.zip
You may want to retrieve other files such as "vnc-3_3_3_javasrc.tgz", "vnc-3_3_3_unixsrc.tgz", or "vnc-3_3_3r2_winsrc.zip" if you are interested in source code.
2. On the Linux machine do the following:
1. Put the file
vnc-3_3_3_x86_linux_2_0.tgz
in "/usr/local" or a directory of your choosing.
2. Unzip the file by typing "tar xvzf vnc-3_3_3_x86_linux_2_0.tgz".
3. Type "cd vnc_x86_linux_2.0"
4. Copy or move the following files
1. Xvnc
2. vncpasswd
3. vncserver
4. vncviewer
to the directory "/usr/bin" or an appropriate directory included in your system path.
5. If you want to run a window manager other than "twm", modify the file "xstartup" in your user's home directory, usually "/root/.vnc/xstartup"
1. Comment out the line with a # in front of the line
twm &
2. To run KDE add
startkde &
or to run gnome add
gnome-session &
6. Type "vncserver" and enter the password you will want to use to login from the session display with.
7. If you want the server to be available on the next boot, add the line:
vncserver
to your "/etc/rc.d/rc.local" file or to the user's $HOME/.bash_profile.
3. Be aware that putting the "vncserver" line in the rc.local file will activate it on a system or root level. You may note that if you run it this way, the next time you boot, it may ask you to enter a password again. If you want to run the program on a per-user level, you will want to place the above line in the user's home directory in the file ".bash_profile", so they can run it independently of root or the system. If you do this you'll need to modify the above line to be "vncserver :2" and have a different display number assigned to each user. If you don't assign specific display numbers to each user, a different display number will be assigned in the order that users log in, since the program uses the next available display number whenever it is run. The display number is reported to the user when the vncserver program is run. After that you can look for the process name, Xvnc, with "ps -aux | grep Xvnc" to tell what display numbers are valid and which process is owned by which user.
Also, when the user logs off, the vncserver program for that user still keeps running. To kill the vncserver program you may want to add the line:
vncserver -kill :2
to the .bash_logout file in the user's home directory. Be sure you use the correct display number in the file. In the example above I used the number 2 but it would need to be the correct number for your user.
4. On the windows machine:
1. Unzip the file
vnc-3_3_3r2_x86_win32.zip
to a suitable location for temporary storage.
2. Enter the directory "winvnc"
3. Run "setup.exe" by double clicking on the file.
4. Reboot your computer.
5. Run the vnc viewer, by selecting "Start", "programs", "VNC" and "Run VNCviewer".
6. When prompted enter the address or name of the vncserver machine followed by a :screennumber similar to mymachine:1 or 10.1.1.1:1. The last number after the colon is the display number, and the user must enter the correct number to communicate to the correct VNC server program being run for that user on the remote (Linux) computer.
7. When prompted enter your password for access.
To change the password after the program has been installed, use the vncpasswd program. It is also worth noting that when exiting a remote X session, it is best to log off using the normal shutdown procedure accessed from the start button rather than just clicking the X in the upper right corner of the session window. You are less likely to have system problems this way.
Linux X Documentation
There is so much documentation on X on your computer that it is necessary to devote a separate section to it. There are many protocols that support X and many Specifications and Manuals that describe them. There is documentation in /usr/X11R6/lib/X11/doc. Much of this documentation relates to video card support along with mouse support. Read the file README.Config. Under the directory "/usr/doc" there are several X related packages, including XFree86-doc-3.3.5, XFree86-xfs-3.3.5, Xconfigurator-4.2.8, xfm-1.3.2, and many including X managers such as gnome. The directories XFree86-ISO8859-x-x.x.x describe international standards for managing characters for other languages. Chances are you won't need to worry about those files.
XFree86-doc-3.3.5 includes:
• BDF - Bitmap Distribution Format. An X Consortium standard for font exchange. Types of statements are STARTFONT, COMMENT, FONT, SIZE, FONTBOUNDINGBOX, STARTPROPERTIES, ENDPROPERTIES, CHARS, ENCODING, SWIDTH, DWIDTH, BBX, ATTRIBUTES, BITMAP, ENDFONT.
• CTEXT - Compound Text Encoding. A format for multiple character set data such as multi-lingual text.
• DPMX - X Display Power Management Signaling (DPMS) Extension. Provides X Protocol control over the VESA DPMS characteristics of video boards under control of the X window system.
• FSProtocol - X Font Service Protocol. Addresses multiple font formats across various platforms, i.e. fonts stored on various computers may not match each other.
• ICCM - Inter Client Communications Manual
• ICE - Inter-Client Exchange Protocol
• SM - Session Management Library – Provides a uniform mechanism for users to save and restore their sessions.
• XDMCP - X Display Manager Control protocol. Provides a uniform method for an autonomous display to request login service for a remote host.
• XIE - X Image Extension Protocol
• XIM - X Input Method Protocol. Protocol between IM library and IM (input method) Server for international text.
• XKB -
• XLFD - X Logical Font Description Conventions. Method to determine fonts available on a given server.
Linux Domain Name Service (DNS)
Please note: There is a new program version for DNS called BIND 8. The old version used slightly different setup files such as "named.boot" rather than "named.conf" as in the new version. This is why you may see confusing documentation in books and on the web. I have tried to document BIND 8 here.
DNS and its structure is explained in more detail in the "networking" manual written for this document series. This section explains setup of the name server.
The daemon that provides the service - named
Set up the following files as per this example:
1. /etc/hosts - Local host names.
2. /etc/host.conf - Configures the relationship between DNS and the /etc/hosts file.
3. /etc/resolv.conf - Configures the name resolver for interaction with the domain name server.
4. /etc/named.conf - Defines the main parameters for the name server.
5. /var/named/named.ca - Hints file specified in the /etc/named.conf file.
6. /var/named/named.local - Local hosts file specified in the /etc/named.conf file
7. /var/named/db.10.1.hosts - Reverse zone file (PTR records) specified in the /etc/named.conf file.
8. /var/named/db.mycompany.com.hosts - Forward zone file specified in the /etc/named.conf file.
The example network used below: domain = mycompany.com, nameserver = mymachine = 10.1.0.100, mail server = mailmachine = 10.1.0.4, Windows box = 10.1.3.16.
• File: /etc/hosts
127.0.0.1 localhost localhost.localdomain
10.1.0.100 mymachine.mycompany.com mymachine
• File: /etc/host.conf
order hosts, bind
multi on
nospoof on
alert on
The line "nospoof on" checks for IP address spoofing and "alert on" sends a warning if a spoofing attempt is detected. The order command specifies that when the client is resolving names it should first look in the /etc/hosts file, then use BIND 8 (DNS) to resolve the name. Another valid option for the order command is nis, which stands for Network Information Service, created by Sun. The line "multi on" specifies that all valid addresses for a host found in the hosts file should be returned. This means that the same host name will be returned for a machine that has more than one network address, such as a machine that interfaces to two or more networks. For example, I have a machine interfacing to network 192.168.199.0 at IP address 192.168.199.1 and the other interface is on network 10.1.0.0 at IP address 10.1.1.100. It allows both networks to refer to the machine with the same name.
• File: /etc/resolv.conf
domain mycompany.com
search mycompany.com mynet.net
nameserver 127.0.0.1
nameserver 10.1.0.100
Commands:
• search - Specifies domain names used to expand a host name prior to sending the DNS query to the nameserver. The search list may contain up to 6 domain names, each separated by whitespace. The "mynet.net" shown above is only used for an example and is not normally included.
• nameserver - Up to three nameserver commands may be used. Each nameserver command specifies an IP address of a nameserver that can be used to answer name queries.
• domain - The name of the local domain which is used to expand the host name before sending the query to the name server. If no domain is specified, the value in the search command is used.
• File /etc/named.conf. - This file replaces named.boot in the old configuration. The first two zones need to be defined for all servers and if they are the only ones defined, the result would be a caching only nameserver. In each of the rest of the zones your server can be designated as a master or a slave for that zone.
// generated by named-bootconf.pl
options {
directory "/var/named";
/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND 8.1 uses an unprivileged
* port by default.
*/
// query-source address * port 53;
};
zone "." {
type hint;
file "named.ca";
};
zone "0.0.127.in-addr.arpa" {
type master;
file "named.local";
};
zone "1.10.in-addr.arpa" {
type master;
file "db.10.1.hosts";
allow-transfer { 127.0.0.1; };
};
zone "mycompany.com" {
type master;
file "db.mycompany.com.hosts";
notify yes;
allow-transfer { 127.0.0.1; };
};
Commands:
• acl - A named IP address control list for access control
• include - Allows an additional file to be included in this configuration file.
• key - Security key for authentication and authorization.
• logging - Determines where DNS logging is stored and what events are logged.
• options
o directory - Defines the directory all files are to be found in.
o forwarders - Forward first and forward only are the two choices. Forward first is the default which causes the server to forward queries not in its own cache to specific servers (forwarders) before querying any external server. Forward only means the query is only sent to the forwarders.
• server - Gives characteristics of a remote server.
o bogus - yes or no (default). Mark it bogus if it is sending bad data.
o support-ixfr
o transfers - Not yet used but will limit the number of concurrent inbound zone transfers.
o transfer-format - one-answer or many-answers. Many answers works for bind 8.1 and above and is more efficient.
o keys - Used to identify a key defined by the key statement
• zone - Parts of the network (zones) which are to be serviced by the nameserver.
o allow-transfer - Specifies the hosts allowed to receive zone transfers from the server. Any transfer specification in the zone statement will override the allow-transfer statement.
o allow-update - Specifies hosts that are allowed to send DNS updates to the server. No updates are allowed from any hosts as a default.
o also-notify - Allows nameservers not in the zone's database record to receive a DNS NOTIFY message when zone information is updated.
o dialup - yes or no
o type - Defines the type of nameserver for this zone. Choices:
master
slave
hint - Specifies the initial set of nameservers for the root zone.
forward - Directs all queries to other servers
stub - Replicates only the NS records of a master zone instead of the entire zone but otherwise is like a slave.
o file - Defines the file name that will provide information for this zone.
o masters - Defines the master server for the zone if this server for this zone is a slave. Syntax: "masters {192.168.1.6; };"
o notify - Options are "notify no" or "notify yes" which determines if slave servers will be notified immediately when the zone information is updated. Notify yes is the default.
There are many more options associated with this file. For more information, read the BIND configuration file guide for BIND version 8 or higher. The "allow-transfer" option above limits DNS zone transfers to the loopback address. If there were a slave nameserver, its IP address should be listed here. With allow-transfer set this way, other machines cannot pull a copy of the whole zone (they can still query individual names). This limits the effectiveness of IP spoofers and spammers.
• File: /var/named/named.ca (if you have one, don't modify unless you have to). This is the hints file that helps the name server locate root nameservers at startup.
Some documentation says to modify the line "A.ROOT-SERVERS.NET." to put your Linux box address:
A.ROOT-SERVERS.NET. 3600000 A 10.1.0.100
but this is not correct. Some versions of the name server will generate error messages to /var/log/messages if this is done.
I use:
; This file holds the information on root name servers needed to
; initialize cache of Internet domain name servers
; (e.g. reference this file in the "cache .
; configuration file of BIND domain name servers).
;
; This file is made available by InterNIC registration services
; under anonymous FTP as
; file /domain/named.root
; on server FTP.RS.INTERNIC.NET
; -OR- under Gopher at RS.INTERNIC.NET
; under menu InterNIC Registration Services (NSI)
; submenu InterNIC Registration Archives
; file named.root
;
; last update: Aug 22, 1997
; related version of root zone: 1997082200
;
;
; formerly NS.INTERNIC.NET
;
. 3600000 IN NS A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 3600000 A 201.12.27.33
;
; formerly NS1.ISI.EDU
;
. 3600000 NS B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET. 3600000 A 128.9.0.107
;
; formerly C.PSI.NET
;
. 3600000 NS C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
;
; formerly TERP.UMD.EDU
;
. 3600000 NS D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET. 3600000 A 128.8.10.90
;
; formerly NS.NASA.GOV
;
. 3600000 NS E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
;
; formerly NS.ISC.ORG
;
. 3600000 NS F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
;
; formerly NS.NIC.DDN.MIL
;
. 3600000 NS G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
;
; formerly AOS.ARL.ARMY.MIL
;
. 3600000 NS H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET. 3600000 A 128.63.2.53
;
; formerly NIC.NORDU.NET
;
. 3600000 NS I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
;
; temporarily housed at NSI (InterNIC)
;
. 3600000 NS J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET. 3600000 A 198.41.0.10
;
; housed in LINX, operated by RIPE NCC
;
. 3600000 NS K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
;
; temporarily housed at ISI (IANA)
;
. 3600000 NS L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET. 3600000 A 198.32.64.12
;
; housed in Japan, operated by WIDE
;
;. 3600000 NS M.ROOT-SERVERS.NET.
;M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
; End of File
The official root nameserver file is at ftp://ftp.rs.internic.net and is called /domain/named.root.
• File: /var/named/named.local (should not need to be changed). It is left unchanged as:
@ IN SOA localhost. root.localhost. (
1999112701 ; Serial number as date and two digit number YYYYMMDDXX
28800 ; Refresh in seconds 28800=8H
7200 ; Retry in seconds 7200=2H
3600000 ; Expire 3600000=1 week
86400) ; Minimum TTL 86400=24Hours
@ IN NS localhost.
1 IN PTR localhost.
• Create File: /var/named/db.10.1.hosts. Note: the first two lines below are to be on one line; the '\' means the line continues on the next line.
1.10.in-addr.arpa. IN SOA mymachine.mycompany.com.\
root.mymachine.mycompany.com. (
1999112701
10800
3600
604800
86400 ) ;Default TTL
1.10.in-addr.arpa. IN NS mymachine.mycompany.com.
100.0.1.10.in-addr.arpa. IN PTR mymachine.mycompany.com.
4.0.1.10.in-addr.arpa. IN PTR mailmachine.mycompany.com.
16.3.1.10.in-addr.arpa. IN PTR george.mycompany.com.
In the SOA section are five parameters as follows:
1. Serial number (1999112701) - If less than master's SN, the slave gets a new copy of this file from the master.
2. Refresh (10800) - The time in seconds between when the slave compares this file's SN with the master.
3. Retry (3600) - The time the server should wait before asking again if the master fails to respond to a file update (SOA request).
4. Expire (604800) - Time in seconds the slave server can respond even though it cannot get an updated zone file.
5. TTL (86400) - The time to live (TTL) in seconds that a resolver will use data received from a nameserver before it will ask for the same data again.
• Create file /var/named/db.mycompany.com.hosts: Note: The first 2 lines are to be on one line!!
mycompany.com. IN SOA mymachine.mycompany.com. root.mymachine.mycompany.com. (
1999112701
10800
3600
604800
86400 )
mycompany.com. IN NS mymachine.mycompany.com.
mycompany.com. IN MX 10 mailmachine.mycompany.com.
mymachine.mycompany.com. IN A 10.1.0.100
mailmachine.mycompany.com. IN A 10.1.0.4
george.mycompany.com. IN A 10.1.3.16
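As an added example (not part of the manual), a POSIX shell script that derives the reverse-zone PTR records for 1.10.in-addr.arpa from the forward zone's A records, so the two files above cannot drift apart, and that advances the YYYYMMDDNN serial the way the SOA comments describe. The function names and the embedded sample zone are constructed here; the sample data is the manual's.

```shell
#!/bin/sh
# Added example, not part of the CTDP manual: keep the reverse zone in step
# with the forward zone and bump the SOA serial the way the manual's comments
# describe (date as YYYYMMDD plus a two-digit change counter).

# next_serial CURRENT TODAY   (TODAY given as YYYYMMDD)
# A new day restarts the counter at 01; the same day increments it; if the
# counter is already at 99 or the stored date is ahead of today, the serial
# is simply increased by one so that it still grows and slaves still reload.
next_serial() {
  cur=$1
  today=$2
  curdate=${cur%??}          # serial without its two-digit counter
  count=${cur#"$curdate"}    # the counter, e.g. "01"
  count=${count#0}           # "08" -> "8": avoid the shell reading it as octal
  if [ "$curdate" -lt "$today" ]; then
    echo "${today}01"
  elif [ "$curdate" -eq "$today" ] && [ "$count" -lt 99 ]; then
    printf '%s%02d\n' "$today" $((count + 1))
  else
    echo $((cur + 1))
  fi
}

# reverse_zone_records PREFIX < forward-zone-file
# Prints a PTR record for every A record whose address begins with PREFIX
# ("10.1." for the 1.10.in-addr.arpa zone). Comment lines are skipped, an
# optional TTL field before "IN" is tolerated, and a missing trailing dot on
# the owner name is added, since without it named would append the origin.
reverse_zone_records() {
  awk -v prefix="$1" '
    $1 ~ /^;/ { next }
    {
      for (i = 2; i < NF; i++) {
        if ($i == "IN" && $(i + 1) == "A" && index($(i + 2), prefix) == 1) {
          split($(i + 2), o, ".")
          name = $1
          if (name !~ /\.$/) name = name "."
          printf "%s.%s.%s.%s.in-addr.arpa. IN PTR %s\n", o[4], o[3], o[2], o[1], name
        }
      }
    }'
}

# Constructed sample input: the A records from the manual's
# db.mycompany.com.hosts example.
FORWARD_ZONE='mymachine.mycompany.com. IN A 10.1.0.100
mailmachine.mycompany.com. IN A 10.1.0.4
george.mycompany.com. IN A 10.1.3.16'

# Demo when run directly: print the PTR records and the next serial.
printf '%s\n' "$FORWARD_ZONE" | reverse_zone_records 10.1.
next_serial 1999112701 "$(date +%Y%m%d)"
```

To rebuild the real file, pipe /var/named/db.mycompany.com.hosts through reverse_zone_records and prepend the SOA and NS lines shown above with the new serial.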
Database Record Description:
• A - Ties a host name with an IP address.
• CNAME - Stands for canonical name which is an alias for a host.
• MX - Mail exchanger. The lower associated number for each given mail server indicates a higher preference to use that server.
• NS - Indicates a name server.
• PTR - Gives the hostname for an IP address.
• SOA - Start of authority shows where the zone's data starts.
• Type "ndc restart" to restart the domain name server
• You can use "nslookup" to test your operations if you want. When in nslookup you should be able to type the name of a machine and get info about it, or type its full address and get information about it. Type "?" for help and "exit" to get out. To start the named daemon in Redhat, you can use the program "linuxconf" and select "Control service activity", then select named and activate it so it will run the next time the system is booted. If you don't have "linuxconf", you would need to activate it in your system's initialization scripts.
Other notes:
To get it running:
Type "ps ax | more" to see all processes running and look to see if named is one of them.
If it is, look and see if it is listed in /etc/services. If not, add the following lines to the file.
nameserver 42/tcp name
domain 53/tcp nameserver
domain 53/udp nameserver
Type "ndc start" or "ndc restart".
Other pertinent files:
/etc/nsswitch.conf - Several system administration database source files are defined here. This is in support of the Network Information Service (NIS), which can be used to control many administrative functions on many systems from one location.
Linux DHCP and BOOTP
DHCP Server
There is currently a howto on configuring a DHCP server, but it is three years old; however, the DHCP server version 2.0 or later from the Internet Software Consortium comes with good documentation. There may be some quirks in the install depending on your system and what you are trying to do. My installation is Redhat 6.1 and I will mainly cover that, but will give alternatives that should cover most Linux versions.
Pre-installation and Kernel setup
Before you do an install, or configuration for DHCP you need the following kernel options installed.
1. TCP/IP networking enabled
2. MULTICAST enabled - To check to see if MULTICAST is enabled, type "ifconfig -a". You should see "MULTICAST" listed in your outputs for your ethernet devices.
3. CONFIG_PACKET=y
4. CONFIG_FILTER=y
If you need to re-compile your kernel, follow the instructions on the section or the howto on the kernel. If you make the CONFIG_PACKET and CONFIG_FILTER options modular, you will need to add lines in your /etc/rc.d/rc.local file to load these two modules.
Installation
If you have a relatively modern Linux version, you should already have the dhcpd server program installed on your system. To tell, type "whereis dhcpd"; if you get a dhcpd program listed, usually in /usr/sbin, you should be set for the configuration. If you don't have a modern Linux version (kernel 2.1.x or later), go get one, since support for dhcp can be very hard to do and has bugs on older systems. Also there is better networking support in many areas with newer Linux versions and kernels.
Steps to install:
1. Download the source file from the Internet Software Consortium at http://www.isc.org.
2. Put the file on your system in /usr/local/src.
3. Enter the command "tar xvzf dhcp-2.0.tar.gz" (modify the command for your filename/version). See the section on "Package Installation".
4. Type "cd dhcp-2.0" or the proper name of your directory created by tar.
5. Type "./configure".
6. Type "make". You may want to check the symbolic link "/usr/include/asm" to be sure it is pointing to the correct location for the kernel asm headers. On Redhat 6.1 that location is /usr/src/linux/include/asm. This should be seen in a directory listing as:
lrwxrwxrwx 1 root root 24 Dec 17 05:07 /usr/include/asm -> ../src/linux/include/asm
You may need to delete the link and recreate it with the "ln" command using the following commands:
1. cd /usr/include
2. rm asm
3. ln -s ../src/linux/include/asm asm
7. Type "make install". This copies the man pages and binaries to their correct locations.
Configuration
In my configuration, I used my second network interface (eth1) to provide DHCP services to a subnet. You will most likely use eth0, but you will need to substitute your correct network interface in the example.
1. To get the DHCP server to work for windows clients and possibly other clients you must add a route to your route table to enable the sending of packets to the IP destination address 255.255.255.255. There are two ways to do this as follows (pick one):
1. Modify your /etc/sysconfig/static-routes file and add the following line:
eth1 net 255.255.255.255 netmask 255.255.255.255
Notes:
With this entry in static-routes, it does not show up in the Redhat "netconf" configuration tool. I think it is because there is no gateway specified. You could set it up in netconf under "Routing and gateways", "routes to alternate local nets" and set the network to 255.255.255.255, the netmask to the same, with the interface as eth1 (or eth0 or whatever device you are using). It shows up in the static routes file as "any-net 255.255.255.255 netmask 255.255.255.255 gw eth1". However, I'm not sure setting it this way with nettool will work.
To implement this change you will need to do one of the following:
Reboot
Type "/etc/rc.d/init.d/network restart"
Type "route add -host 255.255.255.255 dev eth1"
2. Add the following command to your /etc/rc.d/rc.local file:
route add -host 255.255.255.255 dev eth1
Then reboot or type the same command on the command line.
2. Much documentation says you need to issue the command:
echo 1 >/proc/sys/net/ipv4/ip_bootp_agent
This command does not work for me on Redhat 6.1. This is because the permissions on the /proc files and in particular the /proc/sys directory will not allow write permission, even to root. This may be because kernel variables are stored here. I think this command is only needed for version 2.1.x kernels and is not needed for 2.2 version or higher kernels. My system works without it and I run kernel 2.2.14.
3. Issue the command "touch /var/state/dhcp/dhcpd.leases". This will create an empty leases file which is required to run the dhcpd program.
4. Create a /etc/dhcpd.conf file similar to the following:
subnet 192.168.199.0 netmask 255.255.255.0 {
    # --- default gateway
    option routers 192.168.199.1;
    option subnet-mask 255.255.255.0;

    option nis-domain "mynet.net";
    option domain-name "mynet.net";
    option domain-name-servers 192.168.199.1;

    option time-offset -5; # Eastern Standard Time
    # option ntp-servers 192.168.199.1;
    # option netbios-name-servers 192.168.199.1;
    # --- Selects point-to-point node (default is hybrid). Don't change this unless
    # -- you understand Netbios very well
    # option netbios-node-type 2;

    default-lease-time 1209600; # 2 weeks
    max-lease-time 1814400; # 3 weeks

    range 192.168.199.10 192.168.199.250;

    # we want the nameserver to appear at a fixed address
    host nameserver {
        next-server nameserver.mynet.net;
        hardware ethernet 00:10:4b:ca:db:b5;
        fixed-address 192.168.199.1;
    }
}
You can use this file or use the example file in /usr/doc/dhcp-2.0/dhcpd.conf.sample. In my setup my network is 192.168.199.0 with a netmask of 255.255.255.0. My nameserver and gateway is 192.168.199.1. My domain is called "mynet.net".
5. According to the documentation, if your DHCP packets must go through a firewall you will need to allow packets from IP address 0.0.0.0 through 255.255.255.255 on UDP ports 67 and 68. I think this would be correct but you would need to allow packets on IP addresses 0.0.0.0 and 255.255.255.255, along with any packets that involve your network. For example if your network and subnets are covered under the numbers 10.1.x.x, you would need to allow any packets on 10.1.x.x, 0.0.0.0, and 255.255.255.255 on ports 67 and 68.
6. You need to start the dhcp server in one of the following ways.
1. Use linuxconf in "control panel", "control service activity", select dhcpd, select "start", then select the "enabled" box.
2. Type "/etc/rc.d/init.d/dhcpd start" to begin the service. You can add this line to your /etc/rc.d/rc.local script but usually you want to add a link to it from one of your runlevel startup directories such as /etc/rc.d/rc3.d/S65dhcpd. You may also want to add a link in the directory /etc/rc.d/rc5.d to run on bootups to X. If you do this you'll also want to add kill links to it in the shutdown runlevels such as K35dhcpd in /etc/rc.d/rc0.d, rc1.d, rc2.d, and rc6.d.
7. If you get errors, one thing to check is to be sure you are not also running a BOOTP server at the same time. Also check your /etc/dhcpd.conf file.
8. Why doesn't my DHCP server update my DNS entries? This function is not yet implemented in version 2.0, but the ISC is working on implementing it in version 3.0. There is an issue from a security standpoint of who owns the DNS records, specifically the A record and to a certain extent the PTR record. According to the ISC, it is likely the server will update the records initially whether it be the "right thing to do" or not.
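An added example (not from the manual or from ISC's dhcpd) that checks the numbers before they go into /etc/dhcpd.conf: that the range boundaries and every fixed-address lie inside the subnet's netmask, and that no fixed address falls in the dynamic range. The function names are mine; the addresses are the manual's example values.

```shell
#!/bin/sh
# Added example, not from the manual or from ISC's dhcpd: check the subnet,
# range and fixed-address values before they go into /etc/dhcpd.conf. dhcpd
# rejects a range outside its subnet, but this catches the mistake up front
# and also flags a fixed address that sits inside the dynamic range, where
# it could be handed out to another client.

# ip2int A.B.C.D -> the address as a 32-bit integer
ip2int() {
  printf '%s\n' "$1" |
    awk -F. '{ printf "%.0f\n", ($1 * 16777216) + ($2 * 65536) + ($3 * 256) + $4 }'
}

# in_subnet IP NETWORK NETMASK -> succeeds if IP is inside NETWORK/NETMASK
in_subnet() {
  _ip=$(ip2int "$1"); _net=$(ip2int "$2"); _mask=$(ip2int "$3")
  [ $((_ip & _mask)) -eq $((_net & _mask)) ]
}

# in_range IP FIRST LAST -> succeeds if FIRST <= IP <= LAST
in_range() {
  _ip=$(ip2int "$1"); _lo=$(ip2int "$2"); _hi=$(ip2int "$3")
  [ "$_ip" -ge "$_lo" ] && [ "$_ip" -le "$_hi" ]
}

# check_dhcp_plan NETWORK NETMASK RANGE_FIRST RANGE_LAST [FIXED_ADDRESS...]
# Prints one line per problem found and returns 1 if there were any.
check_dhcp_plan() {
  net=$1; mask=$2; first=$3; last=$4
  shift 4
  rc=0
  for addr in "$first" "$last"; do
    if ! in_subnet "$addr" "$net" "$mask"; then
      echo "range boundary $addr is outside $net netmask $mask"
      rc=1
    fi
  done
  if [ "$(ip2int "$first")" -gt "$(ip2int "$last")" ]; then
    echo "range start $first is after range end $last"
    rc=1
  fi
  for addr in "$@"; do
    if ! in_subnet "$addr" "$net" "$mask"; then
      echo "fixed-address $addr is outside $net netmask $mask"
      rc=1
    elif in_range "$addr" "$first" "$last"; then
      echo "fixed-address $addr lies inside the dynamic range $first-$last"
      rc=1
    fi
  done
  return $rc
}

# Demo: the manual's subnet, range and the nameserver's fixed address.
check_dhcp_plan 192.168.199.0 255.255.255.0 192.168.199.10 192.168.199.250 192.168.199.1 \
  && echo "dhcpd.conf values are consistent"
```

Running the same check with a netmask of 255.255.255.255 reports every address as outside the subnet, which is why the subnet statement must carry the network's real mask.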
Configuration File Options
The configuration file is /etc/dhcpd.conf. Its options are:
• option broadcast-address - Broadcast address in my case would be "option broadcast-address 192.168.199.255;".
• option dhcp-client-identifier - String rather than hardware address used to identify DHCP clients.
• option domain-name - The name of the domain the DHCP server is serving.
• option domain-name-servers - The address(es) of the DNS servers on the domain. Ex: "option domain-name-servers 192.168.199.1, 192.168.199.5;" The names are separated by a comma and whitespace with a semicolon ending the line.
• option host-name - The client's host name.
• option lpr-servers - Lists print server addresses.
• option nntp-server - Network News Transfer Protocol (NNTP) server address
• option pop-server - Mail server address.
• option routers - The default router address.
• option smtp-server - The SMTP e-mail server address(es).
• option subnet-mask - The subnet mask is not necessary since the subnet statement (see example file) contains a netmask value.
• option time-offset - The difference between your time zone and the Coordinated Universal Time.
• option netbios-name-servers - Define the address of the NBNS name server for samba services.
BOOTP Server
Installing BOOTP is a step back from installing DHCP but it can offer capabilities independent of DHCP such as remote booting specific client computers.
BOOTP Installation
1. Get bootpd-2.4.tar.gz and put it in an appropriate directory such as "/usr/local".
2. Type: "tar xvzf bootpd-2.4.tar.gz" which will make a directory "bootpd-2.4" full of files.
3. Read the README and README-linux files then type "make install".
4. Copy the executables to the "/usr/sbin" directory.
5. Copy the man pages to their appropriate directories by typing "cp *.8 /usr/man/man8" and "cp *.5 /usr/man/man5".
6. Read the manual on bootp, and bootptab.
Configuration
1. You can invoke bootp services in Redhat Linux as an independent daemon by doing (choice A) below, or from the internet super daemon by doing (choice B).
Choice A:
1. Using linuxconf, set the bootparamd service to active.
2. Modify the "bootparamd" file in the directory "/etc/rc.d/init.d" so that everywhere "rpc.bootparamd" occurs, you substitute "bootpd -d".
3. Reboot your system or type "/etc/rc.d/init.d/bootparamd restart".
Choice B:
1. With bootparamd services off, add the following line to the file "/etc/inetd.conf":
bootps dgram udp wait root /usr/sbin/tcpd bootpd -d
2. Type "killall -HUP inetd".
2. Make the file "/etc/bootptab" as shown below:
global.prof:\
:sm=255.255.0.0:\
:ds=10.1.0.100:\
:gw=10.1.0.1:\
:ht=ethernet:\
:bf=dosimage:
dos1:td=/tftpboot:hd=/bootfiles:tc=global.prof:ha=006097baa5a2:ip=10.1.0.101
This gives the machine the name "dos1" with an IP address of "10.1.0.101", and the bootfile to load is "/tftpboot/bootfiles/dosimage".
3. Add the machine's name and address to the following files:
1. /etc/hosts
2. /var/named/db.mycompany.com.hosts
3. /var/named/db.10.1.hosts
Apache Web Server
Introduction
The apache web server is called "httpd". The configuration files for it for many systems are in "/etc/httpd/conf". Their names are httpd.conf, srm.conf, access.conf, mime.types, and magic. The file srm.conf specifies the directory location of the root document with the "DocumentRoot" statement. The "DirectoryIndex" statement gives the name of the starting file. The file access.conf, is used to control user access to various html files. On my system, the initial startup file is "/home/httpd/html/index.html". Documentation is in /home/httpd/html/manual.
Apache Installation
There are many options that can be selected when installing Apache. Among them is the selection of the modules to be compiled with the apache web server. This will be commented on at the appropriate installation step. In my installation, I installed Apache with PHP and mysql support. To get the Apache compile to work with mysql support, it was necessary for mysql to be installed from the source. When mysql was installed from binary, the apache compile failed. Here are the installation steps for installing Apache from a tarred and zipped source file:
1. Copy the source file to "/usr/src" or "/usr/local/src". The source file is called something like apache_1_3_19_tar.gz.
2. Type "cd /usr/src" or "cd /usr/local/src" depending on where you copied your file.
3. Type "tar xvzf apache_1_3_19_tar.gz" to decompress the source file. The directory, "apache_1.3.19" is created.
4. Type "ln -s apache_1.3.19 apache" to create a symbolic link to the apache directory.
1. If installing PHP support with apache, copy the PHP source file "php-4_0_4pl1.tar.gz" from php.org to "/usr/src" or "/usr/local/src".
2. Type "tar xvzf php-4_0_4pl1.tar.gz" to decompress the source file.
5. Type "cd apache".
6. Documentation at the apache.org web site indicates to enter the "src" directory to perform the configuration and compile. However by reading the "INSTALL" files in the apache and apache/src directories, it can be done from inside the src directory or from the main apache directory. Either approach will work. There are various advantages and disadvantages to each approach. Compiling from inside the "src" directory allows easier module control by allowing the changing of the "Configuration" file. If done from the main directory, modules to be included or excluded from the default setting must be included on the command line. I have chosen to do the install using the "configure" file in the main directory since documentation indicates that some parameters may be overridden here and I am making no changes to the default included modules. If you want to install PHP support, there is a way to do it as documented in PHP INSTALL file, but I have not outlined that procedure here and have assumed you will be performing the install from the main directory if installing PHP. If you want to change the default modules by compiling in the "src" directory, follow the subset of instructions below.
1. Type "cd src".
2. Edit the file "Configuration" file.
3. Type "./Configure". I do not believe you can use the options "--sysconfdir" and "--logfiledir" to specify configuration and logfile locations as I have done below.
4. Skip the next step (Step 7).
7. Type "./configure --prefix=/usr/local/apache --sysconfdir=/etc/httpd/conf --logfiledir=/var/log/httpd". I have added the "--sysconfdir" option to set the location where the apache configuration files will be, and the "--logfiledir" option to set the location where logging information is written for apache. If you are making changes to the default modules, use the additional command line parameters "--enable-module=NAME" and "--disable-module=NAME" where "NAME" is the name of the module to be enabled or disabled. Read the "INSTALL" file in the main directory for more information here and read the "src/Configuration" file to see what the module names are. If installing PHP support follow the subset of instructions below.
1. Type "cd .."
2. Type "cd php-4.0.4pl1"
3. Type "./configure --with-mysql=/usr/local/mysql --with-apache=../apache --enable-track-vars". This assumes you've already installed mysql in the "/usr/local/mysql" directory.
4. Type "make".
5. Type "make install".
6. Type "cd ../apache".
7. Type "./configure --prefix=/usr/local/apache --sysconfdir=/etc/httpd/conf --logfiledir=/var/log/httpd --activate-module=src/modules/php4/libphp4.a"
8. Type "make". Note: When I did my install, I got a compile error related to the mysql installation. If you installed the binary version of mysql, you may need to install it from the source version.
9. Type "make install". If installing PHP support follow the subset of instructions below.
1. Type "cd ../php-4.0.4pl1".
2. Type "cp php.ini-dist /usr/local/lib/php.ini".
3. Edit "/etc/httpd/conf/httpd.conf" or "/etc/httpd/conf/srm.conf" and add the following line:
AddType application/x-httpd-php .php
Configuration
At this point it is time to set up the apache configuration by modifying the apache configuration files and setting apache to start automatically. The apache configuration files are:
1. httpd.conf - This is the main configuration file. It is used to specify where the document root for the web server is found, various server parameters, directory permissions, where mime types for files are found, and addition of application type definitions and the associated handler for each application.
2. srm.conf - This file is used to configure apache server directives. These directives are now recommended to be put in the httpd.conf file.
3. access.conf - This file is used to control directory access and who can access the directories. The directory access control is now recommended to be put in the httpd.conf file.
Specific configuration parameters:
• Specification of the document root where the HTML main web page, "index.html" should be found. This line should look like:
DocumentRoot "/home/httpd/html"
• Additional parameters including:
o ServerRoot - Specifies where the server's main directory is.
ServerRoot "/usr/local/apache"
o ErrorLog and LogLevel - Specify where the web server will keep its error log file and the level at which errors are logged. LogLevel options are debug, info, notice, warn, error, crit, alert, and emerg.
ErrorLog /var/log/httpd/error_log
LogLevel warn
o KeepAlive - Specifies whether persistent connections are to be supported.
KeepAlive On
o MaxKeepAliveRequests 100 - The maximum number of requests to be supported on one persistent connection.
o KeepAliveTimeout 15 - The number of seconds the connection is kept alive if no additional requests are received from the client.
o The maximum and minimum number of spare servers that may be kept waiting for client requests, and the number of servers to start when the web server starts.
MinSpareServers 5
MaxSpareServers 10
StartServers 5
o MaxClients 150 - The maximum number of clients that may connect at one time to the web server.
o Port 80
o The user and group the web server is run as.
User nobody
Group nobody
• Directory permission entries are used to define various directory options and permissions. These entries appear similar to the following, which defines the permissions for the document root directory:
<Directory "/home/httpd/html">
Options FollowSymLinks
AllowOverride None
</Directory>
Parameters include:
o AllowOverride
o AuthConfig
o FileInfo
o Limit
Options include:
o ExecCGI - Allows CGI programs in the directory to be executed.
o FollowSymLinks
o Includes
o Indexes
o MultiViews
o None - No options
o All - All options except MultiViews
• Permissions - Are set with statements such as:
Order deny,allow
Deny from all
or:
Order allow,deny
Allow from all
o GET
o POST
o OPTIONS
o PROPFIND
• CGI Directory definition, which defines what directory CGI application files are kept in and can be used to run these files. Other directories can be specified to allow the execution of CGI files if the ExecCGI option is specified in these directory entries.
AllowOverride None
Options None
Order allow,deny
Allow from all
• AddType and AddHandler statements. These statements associate file types with the programs that handle those file types. You will likely need this set of entries to run PHP.
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
To run server parsed SHTML files you will need:
AddType text/html .shtml
AddHandler server-parsed .shtml
This is just a partial list of common apache web server options. For a more complete guide, including setting up virtual hosts, refer to the Apache web server documentation.
Getting user filled out form data from the web
There are many types of programs that can be written to do this:
1. Perl CGI scripts
2. Shell CGI scripts
3. PHP scripts that are scripts run on the server side when the page is requested. PHP code is embedded in the HTML page, but files are labeled with the .php extension.
4. Java Servlets
5. Compiled programs based on any language.
The CGI Environment:
The Web server fills in a standard list of environment variables when it runs. It writes to other environment variables when it is requested to. Since the Apache server is always running, anything it puts in the environment is readable by other programs, such as a Perl CGI script. This is possible as long as the other program knows the names of the variables to be read.
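As an added example (not code from the original guide), a minimal CGI program that reads the server-supplied environment variables REQUEST_METHOD, QUERY_STRING, CONTENT_TYPE and CONTENT_LENGTH, parses the form data, and echoes it back with every value HTML-escaped so that form input cannot inject markup into the reply. It is written in Python rather than Perl, and the 64 KB body limit is an assumption.

```python
#!/usr/bin/env python3
"""Minimal CGI form handler: reads the variables the web server puts in the
environment (REQUEST_METHOD, QUERY_STRING, CONTENT_TYPE, CONTENT_LENGTH) plus
the POST body on standard input, and answers with an HTML page that echoes the
form fields. Added example, not part of the original guide."""
import html
import os
import sys
from urllib.parse import parse_qs

MAX_BODY = 64 * 1024          # assumed limit: refuse oversized POST bodies


def read_form(environ, body_stream=None):
    """Return {field: [values]} from a GET query string or a form-encoded POST body.

    environ     - a mapping such as os.environ, filled in by the web server
    body_stream - binary file object holding the POST body (sys.stdin.buffer in CGI)
    """
    method = environ.get("REQUEST_METHOD", "GET").upper()
    if method == "GET":
        raw = environ.get("QUERY_STRING", "")
    elif method == "POST":
        ctype = environ.get("CONTENT_TYPE", "")
        if not ctype.startswith("application/x-www-form-urlencoded"):
            raise ValueError("unsupported Content-Type")
        try:
            length = int(environ.get("CONTENT_LENGTH") or 0)
        except ValueError:
            raise ValueError("bad CONTENT_LENGTH")
        if length < 0 or length > MAX_BODY or body_stream is None:
            raise ValueError("request body missing or too large")
        raw = body_stream.read(length).decode("utf-8", "replace")
    else:
        raise ValueError("unsupported method %r" % method)
    # keep_blank_values so that "name=" still yields the field with an empty value
    return parse_qs(raw, keep_blank_values=True)


def render(form):
    """Build the HTML body; every user-supplied name and value is escaped first."""
    rows = ["<tr><td>%s</td><td>%s</td></tr>" % (html.escape(name), html.escape(value))
            for name in sorted(form) for value in form[name]]
    return "<html><body><table>%s</table></body></html>" % "".join(rows)


def main():
    try:
        status, body = "200 OK", render(read_form(os.environ, sys.stdin.buffer))
    except ValueError as exc:
        status = "400 Bad Request"
        body = "<html><body>%s</body></html>" % html.escape(str(exc))
    # A CGI reply is headers, a blank line, then the body; Apache builds the status line.
    sys.stdout.write("Status: %s\r\nContent-Type: text/html; charset=utf-8\r\n\r\n%s"
                     % (status, body))


if __name__ == "__main__":
    main()
```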
Terms:
• CGI - Common Gateway Interface. A set of rules (interface) for scripting and exchanging data over the web.
• SGML - Standard Generalized Markup Language. HTML is an application of this.
• URL - Universal Resource Locator. Includes protocol (HTTP, FTP, FILE, GOPHER), module name, path name of object.
• IIS - Microsoft's Internet Information Server (A web server for NT)
• IDC - Internet Database Connector
• ISAPI - Microsoft web programming (Internet Server Application Programming Interface)
Linux Network File System (NFS)
Linux Server Setup
NFS requires RPC to operate. The following daemons are run when the linuxconf nfs service is started:
1. rpc.rquotad - Enforces the set quotas for remote mounted NFS systems.
2. rpc.mountd - Performs the requested mounts.
3. rpc.nfsd - Handles the user interface to the kernel module that performs NFS.
Server Configuration
To set up the server side:
1. Edit the file "/etc/exports" as in one of the examples below.
2. Then type "exportfs -a".
3. Activate NFS services using linuxconf.
4. After making any changes, restart the nfs daemon either by using "linuxconf" or typing "/etc/rc.d/init.d/nfs restart". Also if you want changes to the /etc/exports file to take place immediately, install them with the "exportfs -r" command. Doing this, you will not need to restart nfs for changes to be in effect.
This is an example of an exports file for general use:
/data/installs jimslinux(rw,no_root_squash)
/data/docs *.mycompany.com(ro,root_squash)
/data markslinux(rw,no_root_squash) tomscomputer(ro)
/tftpboot linux3(ro,no_root_squash)
/data tedslinux(ro,no_root_squash)
The third line allows markslinux to have full access even at the root level to all files in /data, but tomscomputer has read only access, at the world (other) level.
This is an example of an exports file set up for diskless computers with remote booting:
/tftpboot/lts/ltsroot 10.1.0.101/255.255.0.0(ro,no_root_squash)
/tftpboot/lts/ltsroot 10.1.200.1/255.255.0.0(ro,no_root_squash)
/tftpboot/lts/ltsroot 10.1.200.2/255.255.0.0(ro,no_root_squash)
/tftpboot/lts/linux3 10.1.200.2/255.255.0.0(rw,no_root_squash)
The format of the file is:
directoryname hostname(options)
The hostname can be the IP address followed by the netmask as shown above.
Options include:
• no_root_squash - Allows root users on client computers to have root access on the server. Mount requests from root are not mapped to the anonymous user. This option is needed for diskless clients.
• root_squash - Requests from root clients are mapped to the nobody user and group ID so they will only have file privileges associated with other.
• ro - read only access
• rw - read write access
There are many more options documented in the exports(5) man page.
Performing the mount from the client
To do the mount on the remote machine:
1. On the remote boot machine, "linux3", after making a /tmp/mnt directory on the remote machine "linux3", type "mount -n 10.1.0.100:/tftpboot/lts/linux3 /tmp/mnt -t nfs".
2. The -n is only needed if the /etc directory on the remote boot machine is read only.
3. The 10.1.0.100 address is the address of the NFS server machine with the filesystem being mounted.
Client Setup
To set up the client side on a fully functional Linux machine, type "mount -o rsize=1024,wsize=1024 mymachine:/data /mnt/mymachine/data".
Linux Point to Point Protocol (PPP)
Point to point protocol (PPP) is the latest way to set up networking services through a modem or serial cable.
minicom is a configuration program to set up and use PPP services.
Linux Network Security
Linux Firewall management
Regardless of your firewall type (proxy, packet filtering, etc), it is not a good idea to have a firewall performing any more services than absolutely necessary. The services are best limited to the minimum services required to run the machine. I recommend that you do not provide NFS, TFTP, BOOTP, DHCP, web services, mail services, samba services, FTP, or telnet on your firewall unless absolutely necessary. If you must provide these services, be careful with wild cards in their configuration files that may allow blocks of systems or users to have access to your machine. Also if you are running these services, you should monitor security postings on these services so you are aware of any security holes associated with that particular service. If you must provide telnet or FTP, be sure you configure your tcp wrapper in the inetd.conf file for these services, and set the hosts.allow and hosts.deny files as restrictively as possible. See the section on inetd services for information on how to do this. Policies for a firewall:
1. Disable IP forwarding
2. Limit services
3. Monitor log files carefully including logfiles on any services running.
4. Limit write access to files and directories on the firewall.
5. Implement policies to prevent denial of service attacks along with IP spoofing and IP fragmentation attacks. Enabling user quotas can help prevent denial of service attacks.
6. Limit access to services with the hosts.allow and hosts.deny files.
7. Set parameters in your TCP wrapper and any other services to protect against anyone pretending to have another host's name or address. See the section on inetd.
8. Be sure your /etc/securetty file will not allow root logins from unsecured locations.
System monitoring
Check your system log files often. They are in the /var/log directory. Check the log files /var/log/secure and /var/log/messages daily. Also carefully monitor log files on any extra services you are running on your firewall.
General network policies
• Configure the identd protocol to allow for user name lookups from client to server machines. This will make it easier to track down any user who abuses the system.
• Use network monitoring tool software to detect abnormal activity on your system or an intrusion.
The Chroot environment
A chroot environment is an isolated environment which is separate from the real operating system. It has its own root environment complete with the programs, libraries, and modules required to run independently of the real operating system. In this way it becomes more difficult to break into the real operating system and damage it. A program that has root privileges can, however, still get into the real operating system, but it becomes more work for an intruder. Some network services that can be configured to run in a chroot environment include bind and Apache. This chroot system is designed to prevent someone who has exploited a security problem in a service from getting access to the real system.
Linux IP Masquerading
For complete information on the setup of IP masquerading, see the following Linux how-tos:
• IPCHAINS-HOWTO
• Firewall-HOWTO
• IP-Masquerade-HOWTO
Some of the information in this section is based on these how-tos. This section summarizes and puts in simple steps some of the items you will be required to perform to set up IP masquerading. It is not a replacement for the Linux how-to documents, but a complement to them by giving an overview of what must be done. You may access the how-tos from one of the weblinks listed in the Linux websites section. The Linux Documentation Project or Metalab's Index of Linux publications will have copies of these how-tos.
IP masquerading allows internal machines that don't have officially assigned IP addresses to communicate with other networks, and especially the internet. It uses a form of Network Address Translation (NAT) to accomplish this. In Linux, IP masquerading support is provided by the kernel. To get it to work you must do the following:
1. Be sure the kernel has support for IP masquerading.
2. Enable IPv4 forwarding.
3. Be sure modules needed for support are loaded into the kernel.
4. Set up the firewall rules.
Checking for IP Masquerade kernel Support
To determine if IP masquerading is set up in your kernel type:
ls /proc/net
If one of the result files listed is "ip_masquerade", you will not need to recompile your kernel.
If IP masquerading is not set up you must recompile your kernel with the following options set (This is for a 2.2.x kernel or higher):
Prompt for development and/or incomplete code/drivers (CONFIG_EXPERIMENTAL) [Y/n/?]- YES
Enable loadable module support (CONFIG_MODULES) [Y/n/?] - YES
Networking support (CONFIG_NET) [Y/n/?] - YES
Packet socket (CONFIG_PACKET) [Y/m/n/?] - YES
Kernel/User netlink socket (CONFIG_NETLINK) [Y/n/?] - YES
Routing messages (CONFIG_RTNETLINK) [Y/n/?] - NO
Network firewalls (CONFIG_FIREWALL) [Y/n/?] - YES
TCP/IP networking (CONFIG_INET) - YES
IP: advanced router (CONFIG_IP_ADVANCED_ROUTER) [Y/n/?] - NO
IP: verbose route monitoring (CONFIG_IP_ROUTE_VERBOSE) [Y/n/?] - YES
IP: firewalling (CONFIG_IP_FIREWALL) [Y/n/?] - YES
IP: firewall packet netlink device (CONFIG_IP_FIREWALL_NETLINK) [Y/n/?] - YES
IP: always defragment (required for masquerading) (CONFIG_IP_ALWAYS_DEFRAG) [Y/n/?] - YES
IP: masquerading (CONFIG_IP_MASQUERADE) [Y/n/?] - YES
IP: ICMP masquerading (CONFIG_IP_MASQUERADE_ICMP) [Y/n/?] - YES
IP: masquerading special modules support (CONFIG_IP_MASQUERADE_MOD) [Y/n/?] - YES
IP: ipautofw masquerade support (EXPERIMENTAL) (CONFIG_IP_MASQUERADE_IPAUTOFW) [Y/n/?] - NO
IP: ipportfw masq support (EXPERIMENTAL) (CONFIG_IP_MASQUERADE_IPPORTFW) [Y/n/?] - YES
IP: ip fwmark masq-forwarding support (EXPERIMENTAL) (CONFIG_IP_MASQUERADE_MFW) [Y/m/n/?] - NO
IP: optimize as router not host (CONFIG_IP_ROUTER) [Y/n/?] - YES
IP: GRE tunnels over IP (CONFIG_NET_IPGRE) [N/y/m/?] - NO
IP: TCP syncookie support (not enabled per default) (CONFIG_SYN_COOKIES) [Y/n/?] - YES
Network device support (CONFIG_NETDEVICES) [Y/n/?] - YES
Dummy net driver support (CONFIG_DUMMY) [M/n/y/?] - YES
/proc filesystem support (CONFIG_PROC_FS) [Y/n/?] - YES
These are the kernel options you need for IP Masquerade. You will need to select other options for your specific hardware and network setup. Read the IP masquerade and kernel how-tos for more information. You may also want to read the section about how to compile the Linux kernel in The CTDP Linux User's Guide in the Linux section of this documentation.
Enable IPv4 Forwarding
1. Type "ls /proc/sys/net/ipv4" and look for a file "ip_forward" or "ip_forwarding". Whichever you find, use its name in the following example. The example will use "ip_forward".
2. Type: echo "1" > /proc/sys/net/ipv4/ip_forward. This will enable IP forwarding until the next time you boot.
3. If running Redhat Linux, edit the "/etc/sysconfig/network" script. Look for the line with "FORWARD_IPV4=" on it and make sure it reads FORWARD_IPV4="yes". The next time you boot, IPv4 forwarding will be enabled. There may be other ways to set this up on other systems.
Setting up Firewall Rules and Enabling Kernel Modules
Create the following text and place it in a file "/etc/rc.d/rc.firewall". This will load your needed modules into your kernel and set up your basic firewall rules. If you copy the file from this page, be sure to remove carriage returns when you get it into Linux or it may not work properly.
#!/bin/sh
# rc.firewall - Initial SIMPLE IP Masquerade setup for 2.2.x kernels using IPCHAINS
#
# Load all required IP MASQ modules
#
# NOTE: Only load the IP MASQ modules you need. All currently available IP MASQ modules
# are shown below but are commented out from loading.
# Needed to initially load modules
#
/sbin/depmod -a
# Supports the proper masquerading of FTP file transfers using the PORT method
#
/sbin/modprobe ip_masq_ftp
# Supports the masquerading of RealAudio over UDP. Without this module,
# RealAudio WILL function but in TCP mode. This can cause a reduction
# in sound quality
#
#/sbin/modprobe ip_masq_raudio
# Supports the masquerading of IRC DCC file transfers
#
/sbin/modprobe ip_masq_irc
# Supports the masquerading of Quake and QuakeWorld by default. This module is
# for multiple users behind the Linux MASQ server. If you are going to play
# Quake I, II, and III, use the second example.
#
#Quake I / QuakeWorld (ports 26000 and 27000)
#/sbin/modprobe ip_masq_quake
#
#Quake I/II/III / QuakeWorld (ports 26000, 27000, 27910, 27960)
# /sbin/modprobe ip_masq_quake ports=26000,27000,27910,27960
# Supports the masquerading of the CuSeeme video conferencing software
#
#/sbin/modprobe ip_masq_cuseeme
#Supports the masquerading of the VDO-live video conferencing software
#
#/sbin/modprobe ip_masq_vdolive
#CRITICAL: Enable IP forwarding since it is disabled by default.
#
# Redhat Users: you may try changing the options in /etc/sysconfig/network from:
#
# FORWARD_IPV4=false
# to
# FORWARD_IPV4=true
#
echo "1" > /proc/sys/net/ipv4/ip_forward
# Dynamic IP users:
#
# If you get your Internet IP address dynamically from SLIP, PPP, or DHCP, enable the following
# option. This enables dynamic-ip address hacking in IP MASQ, making the life
# with DialD, PPPd, and similar programs much easier.
#
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
# MASQ timeouts
#
# 2 hrs timeout for TCP session timeouts
# 10 sec timeout for traffic after the TCP/IP "FIN" packet is received
# 160 sec timeout for UDP traffic (Important for MASQ'ed ICQ users)
#
/sbin/ipchains -M -S 7200 10 160
# DHCP: For people who receive their external IP address from either DHCP or BOOTP,
# such as ADSL or cable modem users, it is necessary to use the following rule
# before the deny command. Replace "eth1" with the name of the interface that the
# DHCP/BOOTP server will put an address on; this will be something like "eth0",
# "eth1", etc.
#
# This example is currently commented out.
#
#/sbin/ipchains -A input -j ACCEPT -i eth1 -s 0/0 67 -d 0/0 68 -p udp
# Enable simple IP forwarding and Masquerading
#
# NOTE: The following is an example for an internal LAN in the 10.1.199.x
# network with a 255.255.255.0 or "24" bit subnet mask.
#
# Please change this network number and subnet mask to match your internal LAN setup
#
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -s 10.1.199.0/24 -j MASQ
This file will load modules you need, and set your firewall rules with ipchains. The last line in the file sets IP forwarding up for network 10.1.199.*. You will need to modify this line for your network address. Your network consists of the machines that you are running IP masquerading for. It should be connected to an ethernet card on your IP masquerading machine. If your network is 192.168.1.*, you will want "/sbin/ipchains -A forward -s 192.168.1.0/24 -j MASQ" on the line above. If it is 10.1.*.*, you will want "/sbin/ipchains -A forward -s 10.1.0.0/16 -j MASQ" on the line above.
Add the following line to the "/etc/rc.d/rc.local" file:
/etc/rc.d/rc.firewall
Of course, the machines that you are configuring to be behind the machine that provides the masquerading service should be configured to use that as their gateway.
Linux Proxy Servers
For complete information on the use of IP chains and setting up a firewall, see the following Linux how-tos:
• IPCHAINS-HOWTO
• Firewall-HOWTO
• IP-Masquerade-HOWTO
Some of the information in this section is based on these how-tos. This section summarizes and puts in simple steps some of the items you will be required to perform to set up a firewall. It is not meant as a replacement for the Linux how to documents, but a complement to them by giving an overview of what must be done. You may access the howtos from one of the websites listed in the Linux websites section. The Linux Documentation Project or Metalab's Index of Linux publications will have copies of these howtos. Also much of the information in this section is contained in the firewalls section of The CTDP Networking Guide in the networking section. If you do not know the various firewall types, you should read that section.
Packet Filtering Firewalls
In a packet filtering firewall, data is forwarded based on a set of firewall rules. This firewall works at the network level. Packets are filtered by type, source address, destination address, and port information. These rules are similar to the routing rules explained in The CTDP Networking Guide and may be thought of as a set of instructions similar to a case statement or if statement. This type of firewall is fast, but cannot allow access to a particular user since there is no way to identify the user except by using the IP address of the user's computer, which may be an unreliable method. Also the user does not need to configure any software to use a packet filtering firewall such as setting a web browser to use a proxy for access to the web. The user may be unaware of the firewall. This means the firewall is transparent to the client. The ipchains tool is commonly used to configure packet filtering or circuit level relay firewalls.
Circuit Level Relay Firewall
A circuit level relay firewall is also transparent to the client. It listens on a port such as port 80 for http requests and redirects the request to a proxy server running on the machine. Basically, the redirect function is set up using ipchains, then the proxy filters the packet at the port that received the redirect.
Configuring a Proxy Server
The following packages are available in Linux:
• Ipchains soon to be replaced by netfilter (Packet filtering supported by the Linux kernel). It comes with Linux and is used to modify the kernel packet routing tables.
• SOCKS - Circuit Switching firewall. Normally doesn't come with Linux, but is free.
• Squid - A circuit switching proxy. Normally comes with Linux.
• Juniper Firewall Toolkit - A firewall toolkit product used to build a firewall. It uses transparent filtering, and is circuit switching. It is available as open source.
• The TIS Firewall Toolkit (FWTK). A toolkit that comes with application level proxies. The applications include telnet, rlogin, SMTP mail, ftp, http, and X windows. It can also perform as a transparent proxy for other services.
This section does not explain how to set up and install these packages.
Deny Ping
An easy way to deny ping on your Linux computer:
ipchains -A input -p ICMP -j DENY
Warning: Those not familiar with the ICMP protocol and its uses should be aware that this command will deny all ICMP message types including useful and important messages. The ICMP protocol performs many functions and this command may cause network problems depending on how the machine is used (especially if used for routing) on your network. Ping is only one feature supported by ICMP. You should not use this command unless you know what you are doing or you are using it on a system that is not important for network operation. See the "Internet Control Message Protocol (ICMP)" section in the The CTDP Networking Guide. Safer examples are shown below.
Deny Telnet Connections
This example will deny telnet functions to your machine.
ipchains -A input -p TCP -d 0/0 telnet -j DENY
Using this command to block telnet is worthwhile if you are interested in using a more secure means of providing remote sessions. Secure shell is a good substitute for telnet for those who require a secure environment.
Ipchains and Linux Packet filtering
The administration of data packet management is controlled by the kernel. Therefore to provide support for things like IP masquerading, packet forwarding, and port redirects, the support must be compiled into the kernel. The kernel contains a series of tables that each contain 0 or more rules. Each table is called a chain. A chain is a sequence of rules. Each rule contains two items.
1. Characteristics - Characteristics such as source address, destination address, protocol type (UDP, TCP, ICMP), and port numbers.
2. Instructions - Instructions are carried out if the rule characteristics match the data packet.
The kernel filters each data packet for a specific chain. For instance when a data packet is received, the "input" chain rules are checked to determine the acceptance policy for the data packet. The rules are checked starting with the first rule (rule 1). If the rule characteristics match the data packet, the associated rule instruction is carried out. If they don't match, the next rule is checked. The rules are sequentially checked, and if the end of the chain is reached, the default policy for the chain is returned.
Rules and Programming Comparison
For those who are familiar with programming the ipchains rule set can be compared to a sequence of if statements.
if (packet=characteristics1) then perform action1;
elseif (packet=characteristics2) then perform action2;
elseif (packet=characteristics3) then perform action3;
else perform default action4;
The comparisons are made depending on the type of packets, their source or destination or a variety of characteristics entered using the ipchains command. If the packet matches the established characteristics, the action specified by the ipchains command is carried out.
Chain Specification
Chains are specified by name. There are three chains that are available and can't be deleted. They are:
1. Input - Regulates acceptance of incoming data packets.
2. Forward - Defines permissions to forward packets that have another host as a destination.
3. Output - Permissions for sending packets.
Each rule has a branch name or policy. Policies are listed below:
• ACCEPT - Accept the data packet.
• REJECT - Drop the packet, but send an ICMP message indicating the packet was refused.
• DENY - Drop and ignore the packet.
• REDIRECT - Redirect to a local socket with input rules only even if the packet is for a remote host. This applies to TCP or UDP packets.
• MASQ - Sets up IP masquerading. Works on TCP or UDP packets.
• RETURN - The next rule in the previous calling chain is examined.
You can create more chains then add rules to them. The commands used to modify chains are as follows:
• -N Create a new chain
• -X Delete an empty chain
• -L List the rules in the chain
• -P Change the policy for a chain
• -F Flush=Delete all the rules in a chain
• -Z Zero the packet and byte counters in all chains
Commands to manipulate rules inside the chain are:
• -A Append a new rule to a chain.
• -I Insert a new rule at some position in a chain.
• -R Replace a rule at some position in a chain.
• -D Delete a rule at some position in a chain.
• Options for masquerading:
o -M with -L to list the currently masqueraded connection.
o -M with -S to set the masquerading timeout values.
IPchains Options for setting rule specifications:
• -s Source
• -d Destination
• -p Protocol=tcp, udp, icmp, all or a name from /etc/protocols
• -j Jump target, Specifies the target of the rule. The target can be a user defined chain, but not the one this rule is in.
• -i Interface=Name of the interface the packet is received on or the interface where the packet will be sent
• -t Mask used to modify the type of service (TOS) field in the IP header. This option is followed by two values, the first one is and'ed with the TOS field, and the second is exclusive or'ed. The masks are eight bit hexadecimal values. An example of use is "ipchains -A output -p tcp -d 0.0.0.0/0 telnet -t 0x01 0x10" These bits are used to set priority. See the section on IP message formats.
• -f Fragment
When making changes to firewall rules, it is a good idea to deny all packets before making the changes, with the following three commands:
ipchains -I input 1 -j DENY
ipchains -I output 1 -j DENY
ipchains -I forward 1 -j DENY
These commands insert a rule at position 1 that denies all packets for input, output, and forwarding. This is done so that no unauthorized packets are let through while the changes are being made. When your changes have been completed, remove the rules at position 1 with the following commands:
ipchains -D input 1
ipchains -D output 1
ipchains -D forward 1
Examples of the use of ipchains to allow various services
Create a new chain:
ipchains -N chainame
The option "-N" creates the chain.
Add the chain to the input chain:
ipchains -A input -j chainame
Allow connections to outside http servers from inside our network:
ipchains -A chainame -s 10.1.0.0/16 1024: -d 0.0.0.0/0 www -j ACCEPT
The "-A chainame" adds a rule to the chain called "chainame". The "-s 10.1.0.0/16 1024:" specifies any traffic on network 10.1.0.0 at port 1024 or above. The "-d 0.0.0.0/0 www" specifies any destination for www service (in the /etc/services file) and the "-j ACCEPT" sets the rule to accept the traffic.
Allow connections from the internet to connect with your http server:
ipchains -A chainame -s 0.0.0.0/0 www -d 10.1.1.36 1024: -j ACCEPT
The "-A chainame" adds a rule to the chain called "chainame". The "-s 0.0.0.0/0 www" specifies traffic from any source for www service. The "-d 10.1.1.36 1024:" specifies the http server at IP address 10.1.1.36 at ports above 1024 and the "-j ACCEPT" sets the rule to accept the traffic.
Allow DNS to go through the firewall:
ipchains -A chainame -p UDP -s 0/0 dns -d 10.1.0.0/16 -j ACCEPT
The "-A chainame" adds a rule to the chain called "chainame". The "-p UDP" specifies UDP protocol. The "-s 0/0 dns" specifies any dns traffic from any location. The "-d 10.1.0.0/16" specifies our network and the "-j ACCEPT" sets the rule to accept the traffic. This allows DNS queries from computers inside our network to be received.
Allow e-mail to go from our internal mail server to mailservers outside the network.
ipchains -A chainame -s 10.1.1.24 -d 0/0 smtp -j ACCEPT
The "-A chainame" adds a rule to the chain called "chainame". The "-s 10.1.1.24" specifies any traffic from 10.1.1.24 IP address. The "-d 0/0 smtp" specifies any smtp type of service going anywhere and the "-j ACCEPT" sets the rule to accept the traffic.
Allow e-mail to come from any location to our mail server:
ipchains -A chainame -s 0/0 smtp -d 10.1.1.24 smtp -j ACCEPT
The "-A chainame" adds a rule to the chain called "chainame". The "-s 0/0 smtp" specifies mail traffic from anywhere. The "-d 10.1.1.24 smtp" specifies mail traffic going to our mail server and the "-j ACCEPT" sets the rule to accept the traffic.
Perform a HTTP port redirect for a transparent proxy server:
ipchains -A input -p tcp -s 10.1.0.0/16 -d 0/0 80 -j REDIRECT 8080
The "-A input" adds a rule to the input chain. The "-p tcp" specifies the protocol TCP. The "-s 10.1.0.0/16" specifies the source as a network with netmask 255.255.0.0. The "-d 0/0" specifies a destination of anywhere. The number 80 is the HTTP port number, and the command "-j REDIRECT 8080" redirects the traffic to port 8080.
Give telnet transmissions a higher priority
ipchains -A output -p tcp -d 0.0.0.0/0 telnet -t 0x01 0x10
The bits at the end of the line specified in hexadecimal format are used to set the priority of the IP message on the network. The first value is and'ed with the TOS field in the IP message header, and the second value is exclusive or'ed. See the section on IP message formats for more information.
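To make the first-match walk of a chain concrete, here is an added Python simulation (not part of the original page) that builds the rules from the examples above under the chain semantics described at the start of this section, including a user-defined chain, RETURN, the default policy, and the deny-first rule used while editing. It assumes a DENY default policy on the input chain, tcp as the protocol of the www and smtp rules, the port numbers 80, 53 and 25 for the service names, and constructed sample packets with 203.0.113.0/24 standing in for the outside network.

```python
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Service names used in the rules above, mapped to ports as /etc/services would map them.
SERVICES = {"www": 80, "dns": 53, "smtp": 25}
Packet = namedtuple("Packet", "proto src sport dst dport")   # proto is "tcp", "udp" or "icmp"

@dataclass
class Rule:
    """The characteristics a packet must have, and the target (-j) applied on a match."""
    target: str                     # ACCEPT, DENY, REJECT, RETURN or a user-defined chain
    proto: str = "all"              # -p
    src: str = "0.0.0.0/0"          # -s address
    sport: Optional[range] = None   # -s port spec
    dst: str = "0.0.0.0/0"          # -d address
    dport: Optional[range] = None   # -d port spec

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto == "all" or self.proto == pkt.proto)
                and ip_address(pkt.src) in ip_network(self.src, strict=False)
                and ip_address(pkt.dst) in ip_network(self.dst, strict=False)
                and (self.sport is None or pkt.sport in self.sport)
                and (self.dport is None or pkt.dport in self.dport))

def port(spec: str) -> range:
    """'www' -> range(80, 81); '1024:' -> range(1024, 65536); '20:21' -> range(20, 22)."""
    if spec in SERVICES:
        return range(SERVICES[spec], SERVICES[spec] + 1)
    lo, _, hi = spec.partition(":")
    return range(int(lo), int(hi) + 1 if hi else 65536)

class Chains:
    BUILTIN = ("input", "forward", "output")

    def __init__(self) -> None:
        self.chains: Dict[str, List[Rule]] = {c: [] for c in self.BUILTIN}
        self.policy: Dict[str, str] = {c: "ACCEPT" for c in self.BUILTIN}
    def new_chain(self, name: str) -> None:                      # -N
        self.chains[name] = []
    def set_policy(self, chain: str, policy: str) -> None:       # -P
        self.policy[chain] = policy
    def append(self, chain: str, rule: Rule) -> None:            # -A
        self.chains[chain].append(rule)
    def insert(self, chain: str, pos: int, rule: Rule) -> None:  # -I, positions are 1-based
        self.chains[chain].insert(pos - 1, rule)
    def delete(self, chain: str, pos: int) -> None:              # -D by position
        del self.chains[chain][pos - 1]

    def evaluate(self, chain: str, pkt: Packet) -> str:
        """Check rules top down; the first match decides, like the if/elseif ladder above."""
        for rule in self.chains[chain]:
            if not rule.matches(pkt):
                continue
            if rule.target in self.chains and rule.target not in self.BUILTIN:
                verdict = self.evaluate(rule.target, pkt)        # jump into the user chain
                if verdict != "RETURN":
                    return verdict
                continue              # the user chain fell through: try the next rule here
            if rule.target == "RETURN":
                break
            return rule.target
        # End of chain: a built-in chain applies its default policy, a user-defined chain
        # hands control back to the rule that called it.
        return self.policy[chain] if chain in self.BUILTIN else "RETURN"

def page_ruleset() -> Chains:
    """The rules above on the input chain; DENY policy and tcp on www/smtp are assumptions."""
    fw = Chains()
    fw.set_policy("input", "DENY")
    fw.new_chain("chainame")                                      # ipchains -N chainame
    fw.append("input", Rule("chainame"))                          # ipchains -A input -j chainame
    fw.append("chainame", Rule("ACCEPT", "tcp", "10.1.0.0/16", port("1024:"), "0.0.0.0/0", port("www")))
    fw.append("chainame", Rule("ACCEPT", "tcp", "0.0.0.0/0", port("www"), "10.1.1.36", port("1024:")))
    fw.append("chainame", Rule("ACCEPT", "udp", "0.0.0.0/0", port("dns"), "10.1.0.0/16"))
    fw.append("chainame", Rule("ACCEPT", "tcp", "10.1.1.24", None, "0.0.0.0/0", port("smtp")))
    fw.append("chainame", Rule("ACCEPT", "tcp", "0.0.0.0/0", port("smtp"), "10.1.1.24", port("smtp")))
    return fw

def verdicts(fw: Chains) -> Dict[str, str]:
    """Constructed sample packets (203.0.113.0/24 stands in for the internet) through input."""
    samples = {
        "inside browser to outside web server": Packet("tcp", "10.1.2.3", 40000, "203.0.113.9", 80),
        "outside client connecting to our port 80": Packet("tcp", "203.0.113.9", 40000, "10.1.1.36", 80),
        "outside source port 80 to our web server": Packet("tcp", "203.0.113.9", 80, "10.1.1.36", 40000),
        "dns reply to an inside resolver": Packet("udp", "203.0.113.53", 53, "10.1.0.5", 1234),
        "our mail server sending outbound": Packet("tcp", "10.1.1.24", 3000, "203.0.113.25", 25),
    }
    return {name: fw.evaluate("input", pkt) for name, pkt in samples.items()}

def maintenance_block(fw: Chains) -> Tuple[str, str]:
    """Verdict while 'ipchains -I input 1 -j DENY' is in place, then after 'ipchains -D input 1'."""
    pkt = Packet("tcp", "10.1.2.3", 40000, "203.0.113.9", 80)
    fw.insert("input", 1, Rule("DENY"))
    during = fw.evaluate("input", pkt)
    fw.delete("input", 1)
    return during, fw.evaluate("input", pkt)
```

Note that the second rule, as written above, matches on source port www, so the simulator accepts a packet arriving from source port 80 but refuses an outside client's connection to port 80 on 10.1.1.36 through the default policy.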
Using ipchains-save and ipchains-restore to make rules permanent
When you are done setting your ipchains rules, use the following procedure while logged on as root to make them permanent:
1. Type the command "ipchains-save > /etc/iprules.save".
2. Create the following script named "packetfw":
#! /bin/sh
# Packet filtering firewall script used to turn the firewall on or off

if [ -f /etc/iprules.save ]
then
  case "$1" in
  start)
    echo -n "Turning on packet filtering firewall:"
    /sbin/ipchains-restore < /etc/iprules.save
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo "."
    ;;
  stop)
    echo -n "Turning off packet filtering:"
    echo 0 > /proc/sys/net/ipv4/ip_forward
    # Flush all chains first: a user-defined chain can only be deleted once it is empty
    /sbin/ipchains -F
    /sbin/ipchains -X
    /sbin/ipchains -P input ACCEPT
    /sbin/ipchains -P output ACCEPT
    /sbin/ipchains -P forward ACCEPT
    echo "."
    ;;
  *)
    echo "Usage: /etc/init.d/packetfw {start|stop}"
    exit 1
    ;;
  esac
  exit 0
else
  echo "The /etc/iprules.save file does not exist."
  exit 1
fi
3. Save the file in the /etc/rc.d/init.d directory.
4. In the /etc/rc.d/rc3.d and the /etc/rc.d/rc5.d directories make a symbolic link called S07packetfw to the /etc/rc.d/init.d/packetfw file with the command "ln -s /etc/rc.d/init.d/packetfw /etc/rc.d/rc3.d/S07packetfw". This applies to runlevel 3. Do the same for the runlevel 5 initialization directory. Note: You may need to use a different number than the "S07" string to number your link file. Look in your /etc/rc.d/rc3.d and /etc/rc.d/rc5.d directories to determine what number is available to give this file. Try to give it a number just below your network number file. On my system the S10network file is used to start my network.
Linux UUCP
This section is not yet complete!
UUCP which stands for Unix to Unix copy is primarily used for copying files between Unix systems but can also perform other functions. It typically does not do the tasking immediately, but executes tasking based on queued requests. Tasking is done based on a specific schedule set up by the administrator. This form of intersystem tasking has been used in the past to send information over telephone lines at times when rates were low.
Much information on this page was developed from the Taylor UUCP Version 1.06 Documentation by Lance Taylor. This document comes on Redhat Linux 6.1 systems in the file /usr/doc/uucp-1.06.1/uucp.html. For complete information, you should read this file. This page only attempts to give a few examples with explanations to get you up and running quicker.
UUCP Configuration files
Configuration files are located in "/etc/uucp", or in "/usr/lib/uucp" on older Linux versions.
Make sure that the permissions of the files are as follows:
-rw-r--r-- 1 root root 321 Aug 23 1999 call
-rw-r--r-- 1 root root 1184 Aug 23 1999 config
-rw-r--r-- 1 root root 321 Aug 23 1999 dial
-rw-r--r-- 1 root root 325 Aug 23 1999 dialcode
-rw-r--r-- 1 root root 323 Aug 23 1999 passwd
-rw-r--r-- 1 root root 321 Aug 23 1999 port
-rw-r--r-- 1 root root 320 Aug 23 1999 sys
Each configuration file is described below:
• call - Contains your login/password for each system you poll. It is used when calling remote systems. The syntax is:
remotesystem username password
The remote system is the name of the remote host, the username is the name of the user and password is the password required for the user.
• config - The main configuration file (Line numbers were added for reference)
1. nodename mymachine # The UUCP name of this system
2. spool /var/spool/uucp # The UUCP spool directory
3. pubdir /var/spool/uucppublic # The UUCP public directory
4. logfile /var/log/uucp/log # The UUCP log file
5. statfile /var/log/uucp/stats # The UUCP statistics file
6. debugfile /var/log/uucp/debug # The UUCP debugging file
7. #sysfile /etc/uucp/sys # Default "sys"
8. #portfile /etc/uucp/port # Default "port"
9. #dialfile /etc/uucp/dial # Default "dial"
10. #dialcodefile /etc/uucp/dialcode # Default "dialcode"
11. #callfile /etc/uucp/call # Default "call"
12. #passwdfile /etc/uucp/passwd # Default "passwd"
# No commands may be executed by unknowns (empty list of permitted commands)
# Upload is authorized in /var/spool/uucp for unknown hosts
13. unknown commands
14. unknown pubdir /var/spool/uucp
15. unknown remote-send ~ !~/upload
16. unknown remote-receive ~/upload
To set this file up all you need to do is replace "mymachine" by your system name.
The lines in the file do the following:
1. name
2. spool directory
3. public directory
4. log file
5. statistics file
6. debugging file
7. default sys file
8. default port file
9. default dial file
10. default dialcode file
11. Default call file
12. Default password file
13. No commands may be executed by unknown hosts since the list of commands is empty
14. The public directory is set for unknown hosts which is /var/spool/uucp
15. Files may be sent to unknown hosts from the /var/spool/uucp directory. Files may not be sent from the /var/spool/uucp/upload directory indicated by !~/upload. The ~ symbol indicates the public directory. The ! symbol indicates not which excludes the filename that follows it.
16. Files may be uploaded by unknown hosts to the public directory (~), which is /var/spool/uucp, or to the /var/spool/uucp/upload directory.
The command
unknown receive-request no
will not allow unknown hosts to receive files from this host.
Setting the public directory permits users on systems that call in to request a file by prefixing it with `~/' to get a file from the public directory. To retrieve the file "/var/spool/public/database" from the server "ourserver", a user on a remote host can enter "uucp ourserver!~/INDEX ~"; The file would be sent to the user's local public directory. When using `csh' or `bash' the ! and the second ~ must be quoted. This example applies if the user's host is known to the server. If it is unknown, the user would get the file from /var/spool/uucp/INDEX.
NEWS
INN stands for internet news. Network news transport protocol (NNTP) is the protocol used to send news over the internet. The RFC numbers describing the protocol are 977 and 1036. One popular news software is Cnews.
Linux Secure Shell
Much of this information is from the secure shell website and is intended as a supplement for introductory purposes and an aid to enable users to get secure shell running.
Why you should use secure shell
When a user logs on to a Linux system using the standard telnet or ftp services, the password is sent in the clear during the logon process. Anyone with a network sniffer can intercept the password and then break into the system. Secure shell encrypts the password and implements several other important security measures, which allow users to log on to Linux systems remotely without worrying about security.
Getting secure shell
Refer to the weblinks section under "Sites for specific programs" to locate secure shell documentation and downloadable copies of secure shell. Secure shell is a commercial product for corporate use, but may be used by individuals and educational institutions without charge. The secure shell website contains a FAQ section from which you can link to mirror sites for documentation and downloading.
Installation on Linux
Place the secure shell downloaded package in /usr/local/source and issue the following commands:
1. Unpack the file with "tar xvzf ssh-2_2_0_tar.gz". The directory "ssh-2.2.0" will be created.
2. Enter the directory with the command "cd ssh-2.2.0"
3. Type "./configure" to configure the package for the build.
4. Type "make" to build the package.
5. Type "make install" to install the package.
6. Optionally type "make clean-up-old" to remove *.old files.
This assumes you are installing from a source tarred and zipped file.
Installation on a Windows platform
1. Double click on the SSHWin-2_2_0.EXE file that you downloaded. An install wizard will begin.
2. Perform the install, reading and accepting the license agreement. The copy I tested was a 30 day evaluation copy.
3. Click on "Start" -> "Programs" -> "SSH Secure Shell" -> "Secure Shell Client" to start the secure shell program. This program has an excellent help menu that can be activated by selecting "Help" -> "Contents".
4. Click on "Edit" -> "Settings" , select "Connection" and enter your hostname and user name then click OK.
5. Click on "Edit" -> "Settings", select "User Keys" and click on the "Generate New Key Pair" button to generate a set of keys. You will need to enter a passphrase, which is later required for key authentication. This will take a few minutes, so this is a good time to start services on the host side.
6. Start SSH on the host side. On Linux you can type "/usr/local/sbin/sshd2" on the command line. The program is normally installed in the /usr/local/sbin directory. To get the program to start at bootup, the above command may be placed in the /etc/rc.d/rc.local file.
7. Logon from the Windows side by pressing ENTER or selecting "File" -> "Connect".
8. Enter your Linux user name and the user password for your Linux account.
9. Upload the public key file generated earlier to the user's ~/.ssh2 directory on the host:
1. Click on "Edit" -> "Settings" , select "Host Settings", and click "Browse" to locate the public key file generated earlier. It may be in C:\Program Files\SSH Communications Security\Users\computername\userkeys\user.pub.
2. Click on "Window" -> "NewFileTransfer"
3. Select "View" -> "Show Hidden Files"
4. Enter the $HOME/.ssh2 directory.
5. Select "Operation -> "Upload"
10. Create a file called "authorization" in the user's $HOME/.ssh2 directory. You may use an editor to enter the string "Key" followed by the name of the file you uploaded, or type the following:
1. cd ~/.ssh2
2. echo "Key username.pub" > authorization
11. The next time you login, if you enter your password in the "Connect to remote Host" dialog box, you are using password authentication and must enter your Linux user's password. If you press ENTER when you see this box, you will be able to enter your pass phrase to use the private key for authentication.
Congratulations, you are done, unless you are interested in setting your Linux computer as a client. Also, if you are interested in using your Windows computer as a host, you may need another program (if one exists) since the above program is a Windows SSH2 client program.
Configuring SSH for Linux
This section and the sections below are useful if you want to connect from one Linux computer to another, or use Linux on the client side. The following steps are documented in the README file and the SSH2.QUICKSTART file of the SSH package, but there are additional comments here which may be of some use. It is recommended, however, that you rely on the package documentation, since programs change and the procedures may change with them.
You will be generating key sets to allow secure communications in the following steps. Keep in mind that on the server side, you will need a public key and an authorization file, and on the client side, you will need a private key and an identification file. The public key on the server and the private key on the client must be a matching pair of keys as generated by the ssh-keygen2 program. You should know that you can use either host based authentication or user based authentication. If you use user based authentication, the key files mentioned below must be set up in the user's home directory. If host based authentication is used, the host that is being authenticated must have the appropriate key files. The instructions below set up user authentication.
1. Be sure your computer has the device "/dev/random" which is used to generate keys. If it does not, you will need to use the ssh-keygen2 utility to generate security keys.
2. Set up the following files (Note: The ~ symbol indicates the user's home directory):
o Files needed on the client host to login to a remote server host.
1. ~/.ssh2/id_dsa_1024_a and ~/.ssh2/id_dsa_1024_a.pub - The first is a 1024 bit DSA private key and the second is a 1024 bit DSA public key. The second key may be distributed to other computers that you will want to log in on. The first key must be held only by the user.
Create these files while logged in as the user you want to create them for and type:
ssh-keygen2
You will need to enter a password phrase. It will create the two files in the location shown above.
2. ~/.ssh2/identification - Lists the private keys to be used for authentication. The contents of the file should be:
# identification
IdKey id_dsa_1024_a
This can be created using an editor or by running the ssh-pubkeymgr script program. The following commands will also create this file:
1. cd ~/.ssh2
2. echo "IdKey id_dsa_1024_a" > identification
o Files needed on the server host to enable users to login from a remote client host.
1. Step 1, above, should be repeated on the server host to set up the user's .ssh2 directory, optionally using a different passphrase. Then the public key, id_dsa_1024_a.pub, must be copied to this directory on the server host. Perform step 2, above, if you want to use the remote machine to log on to other remote machines.
2. Copy the public key file "~/.ssh2/id_dsa_1024_a.pub" from the local host above to this remote host, call it "serverhostname.pub", and place it in the ~/.ssh2 directory.
3. ~/.ssh2/authorization - Anyone holding a private key that matches one of the public keys listed in this file may log in as the user whose file it is. The contents of the file should be:
# authorization
Key serverhostname.pub
This can be created using an editor or by running the ssh-pubkeymgr script program. The following commands will also create this file:
1. cd ~/.ssh2
2. echo "Key serverhostname.pub" > authorization
Additional configuration files that you may not need to be concerned about
1. Files that may need to be configured:
o ~/.ssh2/hostkeys/key_xxxx_yyyy.pub - The public host key for port xxxx of the host yyyy.
o ~/.ssh2/ssh2_config - The client configuration file, similar to the file /etc/ssh2/ssh2_config.
o ~/.ssh2/knownhosts/xxxxyyyy.pub - Public host keys of the hosts users will log in from, for host based authentication. The ~/.shosts or ~/.rhosts file must also be set up. See the SSH documentation for more information on this subject.
o /etc/ssh2/knownhosts/xxxxyyyy.pub
o /etc/hosts.equiv and /etc/shosts.equiv. See the ssh2 man page.
o ~/.rhosts and ~/.shosts
2. Files that should already be configured:
o /etc/ssh2/ssh2_config - This file is created by the "make install" command issued earlier.
o /etc/ssh2/hostkey.pub and /etc/ssh2/hostkey - Should be created by the "make install" command issued earlier, but it may be created by issuing the commands:
1. rm /etc/ssh2/hostkey*
2. ssh-keygen2 -P /etc/ssh2/hostkey
See the ssh2_config and sshd2_config man pages for more configuration file format information.
About SSH2
SSH is now using SSH2 which has improved security over SSH1. The binary programs include:
• ssh2 - The secure shell client which replaces rlogin and rsh.
• sshd2 - The secure shell daemon.
• sftp2 - The secure shell FTP client.
• sftp-server2 - The secure shell FTP server which is executed from the sshd2 daemon program.
• scp2 - The scp client. I have no idea what scp is, as of right now.
• ssh-keygen2 - A utility for generating security keys.
• ssh-add2 - Adds identities to the authentication agent.
• ssh-agent2 - The authentication agent.
• ssh-askpass2 - X utility for querying passwords.
• ssh-signer2 - Signs host based authentication packets.
• ssh-probe2 - Probes a network for ssh2 servers.
• ssh-pubkeymgr - A script file utility program used to generate public keys.
• ssh-chrootmgr - A utility that makes it easier to set the chroot environment up.
Additional man page is "ssh2_config".
Linux Text Processing
Groff
Groff is GNU's version of nroff and troff. It produces output both for printing and as plain ASCII text. Macro packages are provided for different types of documents.
Macros:
• mgs - Writing papers
• man - For writing man pages
To make a man page from a created file (see the section on how to make a man page) type:
groff -t -man -Tascii viewmod.txt > viewmod.1
-Tascii Produces ASCII text
-Tps Produces PostScript
-Tdvi Produces DVI output as used by TeX (DVI - Device Independent)
TEX and LaTeX
LaTeX is a set of macros on top of TEX that is concerned with the structure of a document such as chapters, footnotes and sections.
TEX Commands:
\documentstyle{letter} Choices: article, report, book, letter. They specify global macros
\begin{document} Begins the document
\end{document} Ends the document
\\ Line break
\ Starts a command. A trailing backslash forces a space
~ Forces a space between two words or characters without allowing a line break
{\em } Text within the braces is emphasized
\bf Boldface
\tt Typewriter text
Example:
\documentstyle{letter}
\address{123 Desert Rd \\Unit 2B\\Wayside, AZ 08821}
\signature{John Smith}
\begin{document}
\begin{letter}{Mr.~George~Lunuxuser\\
1100 N East Street \\
California, MD 20190}
\opening{Dear George,}
I would like to inform you that I have just discovered \LaTeX\ and it is the greatest
thing since sliced bread. You should use it for all your text processing needs.
\closing{Most Sincerely,}
\end{letter}
\end{document}
Save as tolinux.tex
Type "latex tolinux"
Results are output in tolinux.dvi
Use "dvips" to make a PostScript file from the dvi file, Ex: dvips -o tolinux.ps tolinux.dvi
To see the output, you can use "xdvi" from X windows.
The program "dvilj" will print dvi files on Laserjet printers.
The program "eps" will print dvi files on epson printers.
LaTeX user's Guide and Reference Manual
The TEXbook
Making TEX Work
Texinfo
Used to produce hypertext info pages and printed manuals.
• @ - Begins a command
• @c or @comment - Begins a comment
• @setfilename - Name of output file
• @settitle - The title of the document
• @setchapternewpage - Tells where to start new chapters. Choices: odd, even
• @code - Specifies text to be emphasized
• @ifinfo - Specifies text to show up only in the info file
• @enumerate
• @end - Way to end things like ifinfo, titlepage, menu, enumerate
• @table
• @var - Indicates a metavariable
• @xref - Cross reference to another node
• @cindex - Makes entries in the concept index at the end of the document
Example file:
\input texinfo @c -*-texinfo-*-
@c %**start of header
@setfilename test.info
@settitle An example texinfo file
@c %**end of header
@titlepage
@sp 10
@comment This is to be in large font
@center @titlefont{This Test Title}
@end titlepage
@c Node, Next , Previous, Up
@node Top , First Chapter , (dir), (dir)
@ifinfo
This is a test info file. There is no worthwhile text here.
This is only a test.
@end ifinfo
@menu
* First Chapter:: The only chapter
* Concept Index:: Index of Concepts
@end menu
@c Node , Next ,previous, up
@node First Chapter, Concept Index, Top, Top
@chapter First Chapter
@cindex Sample index entry
@c A numbered list
@enumerate
@item
The first one
@item
The second one
@end enumerate
The @code{makeinfo} and @code{texinfo-format-buffer}
commands transform a Texinfo file into an Info file. @TeX{}
typesets it for a printed manual.
@c Node ,next , previous , up
@node Concept Index, , First Chapter, Top
@unnumbered Concept Index
@printindex cp
@contents
@bye
If the file is called test.texi, type "makeinfo test.texi" to make an info file called test.info.
Linux Networking Setup
Required Information
To enable networking, you must configure your network interface card or cards with an IP address and netmask. The kernel must have support for your cards compiled in, either as modular support or direct support. If you don't have kernel support, read the sections about the kernel and how to compile it. To set your cards up, do the following. In my example my network is 192.168.1.0, IP=192.168.1.100, broadcast=192.168.1.255, netmask=255.255.255.0, gateway=192.168.1.1, nameserver=192.168.1.10.
1. Determine your machine's IP address from your network administrator.
2. Your network mask. This determines which portion of the IP address specifies the subnetwork number and which portion specifies the host.
Class C (most networks) 255.255.255.0
Class B 255.255.0.0
3. Your network address which is your IP address bit wise anded with the network mask.
Ex: IP: 192.168.1.100 Mask: 255.255.255.0 Net Addr: 192.168.1.0
4. Your broadcast address. Used to broadcast packets to every machine on your subnet.
Ex: IP: 192.168.1.100 Mask: 255.255.255.0 Broadcast: 192.168.1.255
5. Your gateway address. The address of the machine that is your gateway to the outside world.
In many cases: Ex: IP: 192.168.1.100 Gateway: 192.168.1.1
6. Your nameserver address. Translates host names into IP addresses. 192.168.1.10
Configuration tools
There are many network configuration tools today. They are:
netconf A GUI interactive interface available on Redhat 6.1
linuxconf A GUI interactive interface available on Redhat 6.1 which includes netconf configuration.
netconfig A GUI step by step interface
ifconfig A text based program to configure the network interface. Type "man ifconfig" for info.
These programs will modify values in the following files:
• /etc/sysconfig/network - Defines your network and some of its characteristics.
• /etc/HOSTNAME - Shows the host name of this host. If your name is "myhost" then that is exactly the text this file will contain.
• /etc/resolv.conf - Specifies the domain to be searched for host names to connect to, the nameserver address, and the search order for the nameservers.
• /etc/host.conf - Specifies the order nameservice looks to resolve names.
• /etc/hosts - Shows addresses and names of local hosts.
• /etc/networks - Provides a database of network names with network addresses similar to the /etc/hosts file. This file is not required for operation.
• /etc/sysconfig/network-scripts/ifcfg-eth* - There is a file for each network interface. This file contains the IP address of the interface and many other setup variables.
Analysis Tools
• netstat - Displays information about the system's network connections, including port connections, routing tables, and more. The command "netstat -r" will display the routing table.
• traceroute - This command can be used to determine the network route from your computer to some other computer on your network or the internet. To use it, type "traceroute IPaddress" with the address of the computer you want to see the route to.
• nslookup - Used to query DNS servers for information about hosts.
• arp - This program lets the user read or modify their arp cache.
• tcpdump - This program allows the user to see TCP traffic on their network.
• dig(1) - Send domain name query packets to name servers for debugging or testing.
Manual Configuration
You can use one of the above tools or configure the network the old fashioned way as follows:
1. First, to use networking on any permanent basis, you should set up the file /etc/sysconfig/network similar to the example shown below.
2. Assign an IP address with "ifconfig eth0 192.168.1.100 netmask 255.255.255.0 up".
3. Tell your machine which network is reachable through that interface with the command "route add -net 192.168.1.0 netmask 255.255.255.0 eth0"
4. To contact hosts outside your network if a machine with IP address 192.168.1.1 is the gateway use the command "route add default gw 192.168.1.1 eth0"
5. If using a dialup connection use the command "route add default ppp0" The word default says if the packet is not for a machine on your local network, send it to the default device.
These settings are not permanent, but go away the next time you boot. They are normally set up in the directory /etc/sysconfig/network-scripts. Add the network interface to the file /etc/sysconfig/network-scripts/ifcfg-eth*. For example, the file ifcfg-eth0 is for the first ethernet interface, ifcfg-eth1 for the second, and ifcfg-lo is for the local loopback interface. An example file from my system is:
DEVICE="eth0"
IPADDR="192.168.1.100"
NETMASK="255.255.0.0"
ONBOOT="yes"
BOOTPROTO="none"
IPXNETNUM_802_2=""
IPXPRIMARY_802_2="no"
IPXACTIVE_802_2="no"
IPXNETNUM_802_3=""
IPXPRIMARY_802_3="no"
IPXACTIVE_802_3="no"
IPXNETNUM_ETHERII=""
IPXPRIMARY_ETHERII="no"
IPXACTIVE_ETHERII="no"
IPXNETNUM_SNAP=""
IPXPRIMARY_SNAP="no"
IPXACTIVE_SNAP="no"
Unless you know what you're doing, it is best to use a network configuration tool. I cannot guarantee the accuracy of how to set these files up on your system.
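As an added example (not from the page), here is a Python check for the values collected in the six steps at the top of this section and for the ifcfg-eth* file: it computes the network and broadcast addresses by the bitwise rule given there and reports when the interface's netmask or the gateway (from the /etc/sysconfig/network example further down the page) does not fit the plan. The sample files are the ones shown on this page, embedded as constructed input with the IPX lines omitted; run on the ifcfg-eth0 above with the planned 255.255.255.0 mask, it reports that the file's NETMASK of 255.255.0.0 puts the host on 192.168.0.0/16 instead.

```python
from typing import Dict, List, Optional

# Constructed sample input: the ifcfg-eth0 and /etc/sysconfig/network files shown on this
# page (IPX lines left out, since they play no part in the address arithmetic).
PAGE_IFCFG_ETH0 = '''DEVICE="eth0"
IPADDR="192.168.1.100"
NETMASK="255.255.0.0"
ONBOOT="yes"
BOOTPROTO="none"
'''
PAGE_NETWORK = '''NETWORKING=yes
FORWARD_IPV4=false
HOSTNAME=mymachine.mycompany.com
DOMAINNAME=mycompany.com
GATEWAY=192.168.1.1
GATEWAYDEV=eth0
'''

def dotted_to_int(addr: str) -> int:
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted-quad IPv4 address: {addr}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def int_to_dotted(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def subnet(ip: str, mask: str) -> Dict[str, object]:
    """Network = IP AND mask, broadcast = IP OR NOT mask (steps 3 and 4 above)."""
    ip_n, mask_n = dotted_to_int(ip), dotted_to_int(mask)
    # A netmask must be a run of 1 bits followed by 0 bits; 255.255.0.255 is not a mask.
    if ((mask_n | (mask_n - 1)) & 0xFFFFFFFF) != 0xFFFFFFFF:
        raise ValueError(f"non-contiguous netmask: {mask}")
    host_bits = ~mask_n & 0xFFFFFFFF
    return {
        "network": int_to_dotted(ip_n & mask_n),
        "broadcast": int_to_dotted(ip_n | host_bits),
        "prefix": bin(mask_n).count("1"),
    }

def parse_sysconfig(text: str) -> Dict[str, str]:
    """KEY=value or KEY="value" lines as the /etc/sysconfig files use; comments are skipped."""
    conf: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip().strip('"')
    return conf

def check_interface(ifcfg_text: str, network_text: str,
                    planned_mask: Optional[str] = None) -> List[str]:
    """Return the inconsistencies found between an ifcfg-eth* file and /etc/sysconfig/network."""
    iface, net = parse_sysconfig(ifcfg_text), parse_sysconfig(network_text)
    for key in ("DEVICE", "IPADDR", "NETMASK"):
        if key not in iface:
            return [f"{key} is missing from the interface file"]
    problems: List[str] = []
    sub = subnet(iface["IPADDR"], iface["NETMASK"])
    # The network and broadcast addresses themselves are not usable host addresses.
    if sub["prefix"] < 31 and iface["IPADDR"] in (sub["network"], sub["broadcast"]):
        problems.append(f"IPADDR {iface['IPADDR']} is the network or broadcast address")
    if planned_mask and iface["NETMASK"] != planned_mask:
        problems.append(f"NETMASK {iface['NETMASK']} differs from the planned {planned_mask} "
                        f"(giving {sub['network']}/{sub['prefix']} instead)")
    # The gateway named for this device must sit inside the subnet the device is on.
    if net.get("GATEWAYDEV") == iface["DEVICE"] and "GATEWAY" in net:
        if subnet(net["GATEWAY"], iface["NETMASK"])["network"] != sub["network"]:
            problems.append(f"GATEWAY {net['GATEWAY']} is not on {sub['network']}/{sub['prefix']}")
    return problems
```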
Configuring an interface for multiple IP addresses
If you want to configure your network card to act as more than one IP address, issue the following command:
ifconfig dummy 192.168.1.102 netmask 255.255.255.0
This uses the dummy interface capability supported in the kernel to set up another virtual interface, which operates at IP address 192.168.1.102. Substitute the IP address that you want your virtual interface to have, with an appropriate netmask for your network. To disable this, issue the following command.
ifconfig dummy down
Another way to use multiple IP addresses on one ethernet card is to set up a new file in your /etc/sysconfig/network-scripts directory. Copy your ifcfg-eth0 file to ifcfg-eth0:0. Edit that file and rename the device to "eth0:0" and change the IP address to the desired IP address. You may also want to modify BROADCAST, NETWORK, or NETMASK. You can continue adding IP addresses by using :1, :2, etc., such as ifcfg-eth0:2.
To make it effective, you must reboot your system or issue the command "/etc/rc.d/init.d/network restart" as root.
Dynamically allocated IP addresses
To get the IP address of a dynamically allocated network interface in a script file enter the following:
dynip=`/sbin/ifconfig | grep -A 4 ppp0 | awk '/inet/ { print $2 } ' | sed -e s/addr://`
Substitute the correct interface that you get your dynamic IP address in for ppp0 in the example above. This script line gets your dynamic IP address for use in a masquerade script. You can use the variable $dynip as in any other configuration. The next time you make a new connection you will need to extract the dynip value again and re-run the masquerade script.
Networking file formats, examples and considerations
Below is some more in-depth information about the networking files.
• /etc/sysconfig/network
The /etc/inittab file contains the entry "si::sysinit:/etc/rc.d/rc.sysinit" which causes the system at startup to run the rc.sysinit script. The rc.sysinit file expects to find the file /etc/sysconfig/network if networking is to be enabled.
The network file looks like this:
NETWORKING=yes
FORWARD_IPV4=false
HOSTNAME=mymachine.mycompany.com
DOMAINNAME=mycompany.com
GATEWAY=192.168.1.1
GATEWAYDEV=eth0
Where GATEWAYDEV is the network interface card that is attached to the network the gateway machine is on. The GATEWAY is the actual IP address of the gateway machine.
• /etc/hosts - Defines local hosts. An example:
127.0.0.1 localhost localhost.localdomain
192.168.1.100 mymachine.mycompany.com mymachine
• /etc/services - Internet network services list. It associates port numbers with names of services. The file contains three fields which are name, port/protocol, and aliases with an optional comment.
• /etc/protocols - Describes DARPA internet protocols available from the TCP/IP subsystem. Maps protocol ID numbers to protocol names. It includes protocol name, number, and aliases. The protocol file on my system:
# /etc/protocols:
# $Id: protocols,v 1.1 1995/02/24 01:09:41 imurdock Exp $
#
# Internet (IP) protocols
#
# from: @(#)protocols 5.1 (Berkeley) 4/17/89
#
# Updated for NetBSD based on RFC 1340, Assigned Numbers (July 1992).

ip 0 IP # internet protocol, pseudo protocol number
icmp 1 ICMP # internet control message protocol
igmp 2 IGMP # Internet Group Management
ggp 3 GGP # gateway-gateway protocol
ipencap 4 IP-ENCAP # IP encapsulated in IP (officially ``IP'')
st 5 ST # ST datagram mode
tcp 6 TCP # transmission control protocol
egp 8 EGP # exterior gateway protocol
pup 12 PUP # PARC universal packet protocol
udp 17 UDP # user datagram protocol
hmp 20 HMP # host monitoring protocol
xns-idp 22 XNS-IDP # Xerox NS IDP
rdp 27 RDP # "reliable datagram" protocol
iso-tp4 29 ISO-TP4 # ISO Transport Protocol class 4
xtp 36 XTP # Xpress Tranfer Protocol
ddp 37 DDP # Datagram Delivery Protocol
idpr-cmtp 39 IDPR-CMTP # IDPR Control Message Transport
rspf 73 RSPF #Radio Shortest Path First.
vmtp 81 VMTP # Versatile Message Transport
ospf 89 OSPFIGP # Open Shortest Path First IGP
ipip 94 IPIP # Yet Another IP encapsulation
encap 98 ENCAP # Yet Another IP encapsulation
• /etc/named.conf - Used by the domain name service to configure named. Other files used are dependent on this file. This file is explained further in the DNS section.
• /etc/resolv.conf - Specifies the local domain, the search list used to complete unqualified host names, and the nameservers to query, in order. An example:
domain mycompany.com
search mycompany.com mynet.net
nameserver 192.168.1.100
nameserver 192.168.199.1
nameserver 192.168.1.10
The first nameserver line says that DNS should be tried on my machine (192.168.1.100) first, falling back to the normal nameserver on the last line. The second nameserver line points at my machine's nameserver on another network, reached through the interface with address 192.168.199.1. This assumes that a nameserver is set up on my machine, which is explained in another section. The resolver tries the nameservers in the order listed, and at most three nameserver lines are used.
• /etc/host.conf - Specifies the order in which the resolver looks up names. An example file:
order hosts, bind
multi on
nospoof on
The order line says to look in the /etc/hosts file first, then use BIND (DNS) to resolve the name. The line "multi on" says that all valid addresses for a host found in the hosts file should be returned, not only the first. The line "nospoof on" makes the resolver, after it has turned an address into a name, look that name up again and reject the result if it does not map back to the original address; this is a basic guard against spoofed reverse DNS for programs such as rlogin and rsh that trust host names.
The files in /etc/sysconfig/network-scripts control your network interfaces. The network interface file is described above in the section "Manual Configuration". If you want or need more in depth knowledge about how these files are used, you will need to read the document "How Linux Works CTDP Guide" or "The CTDP Linux Startup Manual". Otherwise you will need to analyze the system startup scripts which is no small task.
Older X Window System configuration
In the older X Window System network configuration tool, a working configuration is set up as follows (the headings below correspond to its Names, Hosts, Interfaces and Routing panels):
NAMES:
hostname: mymachine.mycompany.com
Domain: mycompany.com
Nameservers: 192.168.1.10
HOSTS:
IP - 192.168.1.100
Name - mymachine.mycompany.com
INTERFACES:
Interface - eth0
IP- 192.168.1.100
proto - none
atboot - yes
Netmask: 255.255.255.0
Network: 192.168.1.0
Broadcast: 192.168.1.255
ROUTING:
Default gateway: 192.168.1.1
Default gateway device: eth0
Interface - 192.168.1.100
Network Address - 192.168.1.0
Network gateway 192.168.1.1
Netmask - 255.255.255.0
Routing
Routing table information is used to route incoming and outgoing network datagrams to other machines. On most simple configurations, there are three routes: one for sending packets to your own machine, one for sending packets to other machines on your network, and one for sending packets to machines outside your network through the gateway. Two programs (ifconfig and route) are used to configure these parameters. They are described in more detail in the routing section.
Linux Network Tools and Terms
Linux Networking Tools
arp Address resolution protocol Type "arp -a" to display entries in the arp cache.
ifconfig A command line tool used to configure a network interface. There is a man page available for this program.
ifdown Shuts down a network interface
ifup Starts a network interface such as eth0 or ppp0
ipchains A tool used to administer firewall rules.
netconf The Redhat GUI network configuration tool.
netconfig Another network configuration tool which is usually run when the system is installed. Netconf is better.
netstat Type "netstat -rn" to see the routing table. Type "netstat -in" to see the interface info.
nslookup Used to test DNS configuration by querying DNS servers.
ping A network tool used to send ICMP echo request packets to other hosts to determine whether they are reachable and respond.
ripquery A tool to query some routers for their routing table.
route Typing "route -n" will show the routing table
tcpdump A network sniffer tool used to dump headers of packets on a network interface.
traceroute Sends probe packets to the remote host (by default UDP datagrams to a high port that is unlikely to be in use) with the TTL field set to 1, 2, and so on, so that each intermediate router in turn discards a probe and sends back an ICMP "time exceeded" error carrying its own address. The destination itself answers with an ICMP "port unreachable" error, which marks the end of the trace.
Networking terms
• ARP - Address Resolution Protocol. Translates IP addresses into hardware (Ethernet MAC) addresses on the local network segment. Uses broadcast messages for resolution. Replies are not authenticated, so a host on the same segment can answer for an address it does not own; arpwatch (listed under the network services below) logs such changes.
• BOOTP - A protocol used to allow client computers to get their IP address from a BOOTP server. DHCP supersedes, though does not replace, this protocol.
• DHCP - Dynamic Host Configuration Protocol, allows clients to get their IP addresses from a DHCP server. This system "leases" IP addresses to clients for limited periods of time. If the client has not renewed its lease before it expires, the IP address is free for re-assignment.
• ICMP - Internet Control Message Protocol. Part of the IP layer. Communicates error messages and other messages that require attention.
• IGMP - Internet Group Management Protocol. Protocol used to manage multicasting through routers.
• IP - Three kinds of IP addresses are unicast, broadcast and multicast.
• MBONE - Used to refer to a network that supports multicasting.
• NIS - Network information service, is a name service created by Sun Microsystems.
• NFS - Network File System, allows two Unix style computers to mount and access part or all of a file system on a remote computer.
• OSPF - Open Shortest Path First dynamic routing protocol intended as a replacement for RIP.
• PPP - Point to point protocol is a serial protocol commonly used to connect using a modem to the internet
• RARP - Reverse ARP, used for clients to determine their IP addresses.
• RIP - Routing Information Protocol, used by almost all TCP/IP implementations to perform dynamic routing.
• RPC - Remote procedure call is a set of function calls used by a client program to call functions in a remote server program.
• SLIP - Serial line internet protocol
• SMTP - Simple Mail Transfer Protocol, commonly used as the mail message transport protocol.
• SNMP - Simple network management protocol.
• UDP - User Datagram Protocol, a transport layer protocol
• UUCP - Unix to Unix copy is a protocol that allows Unix computers to exchange files.
Linux Inetd Network services
Services typically provided using inetd include:
• auth or identd - This is a server that returns user information to a remote host that a user is requesting a service from. It can be run as a stand alone daemon from the startup scripts.
• bootpd - A server that allows remote clients to get their IP addresses from a bootp server using the bootp network protocol. This involves the server having a /etc/bootptab file containing hardware addresses and associated IP addresses for each computer to be serviced. It can be run as a stand alone daemon from the startup scripts.
• ftp - File transport protocol. Allows users to transport files between remote sites.
• tftp - Trivial file transport protocol. A way for users to transfer files to/from remote machines without logging in. Normally this transfer is limited to specific areas and is normally used for transporting files to clients which are needed for remote booting.
• telnet - A protocol used to open user sessions from remote sites. Passwords and the whole session travel in clear text.
• exec - in.rexecd - Remote execution server; allows remote users to execute commands on the system provided they have proper authorization (a password, which is sent in the clear).
• rlogin - The BSD remote login protocol, an older alternative to telnet. It can grant access on the basis of .rhosts/hosts.equiv host trust without a password, and the session is unencrypted, so ssh has replaced both it and telnet wherever security matters.
• rsh - Remote shell, used to execute commands on a remote host under the same .rhosts trust model as rlogin.
• talk - A communication program that allows two users to talk by copying lines from one user's terminal to the other.
• finger - Allows users to get information about users currently logged in on the local system or remote systems.
• comsat - A server that notifies users when they have received mail. The biff program is used to turn comsat service on and off for each user.
• pop-2 - ipop2d - Supports POP2 remote mail access protocol.
• pop-3 -ipop3d - Supports POP3 remote mail access protocol.
• imap - imapd - Supports the IMAP4rev1 remote mail access protocol which is more powerful than POP3. See RFC 2060.
• uucp - uucico - The daemon that processes Unix to Unix copy (UUCP) file transfer requests that were queued by uucp or uux.
• netstat - Displays network connections, routing tables, and other networking information about a system. Run from inetd it hands this output to anyone who connects to the port, so leave that entry disabled unless you need it.
• swat - A Samba web administration tool allowing the administrator to configure the /etc/smb.conf file using a web browser.
These services can be controlled (added/removed) by adding or deleting (commenting out) lines in the file "/etc/inetd.conf". If you make a change to this file, you will want to make the inetd daemon re-read it by sending it the hangup signal:
killall -HUP inetd
(kill takes a process ID rather than a name, so use killall, or look up inetd's PID with ps first.)
Although you can run services such as Samba and BOOTP from inetd, I recommend using the startup script files, which can be configured using the program "linuxconf" and selecting "Control service activity". If these services are used often, you will want to run them directly through the startup scripts. To conserve system resources, you may want to use inetd to control them if they won't be used very often, but you can't run them from the startup scripts and from inetd at the same time.
The inetd configuration file
The file /etc/inetd.conf is used to configure these networking services. Each line has the fields:
service socket_type protocol wait/nowait user[.group] server_path server_arguments
It is explained in more detail in the "How Linux Works" document.
Limiting services on your machine to specific addresses
1. If your system is not already set up to run its inetd services through the tcpd wrapper instead of invoking each daemon directly, change lines in the "/etc/inetd.conf" file like this:
finger stream tcp nowait nobody /usr/etc/in.fingerd in.fingerd
to this:
finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd
2. Change the /etc/hosts.deny file so that it includes the following lines:
ALL: ALL
ALL: PARANOID
"ALL: ALL" denies every daemon/client pair that is not explicitly allowed. "ALL: PARANOID" denies hosts whose name does not match their address; it is redundant once "ALL: ALL" is present, but harmless.
3. Change the /etc/hosts.allow file to allow services to the desired TCP/IP addresses. Example:
ALL: 10.1.0.153, 10.1.2.252
in.fingerd: 10.1.1.3
The daemon name must be the name tcpd is told to run (in.fingerd in the inetd.conf line above); "fingerd" would not match. tcpd consults hosts.allow first, then hosts.deny, and a pair that matches neither file is allowed, which is why the "ALL: ALL" line in hosts.deny matters.
Note: To see the address of your Windows box, select Run and run winipcfg.
4. Reset the inetd daemon by issuing the command "killall -HUP inetd".
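The decision those two files produce, as an added example that is not code from the original page or from tcp_wrappers itself: a small Python model of the hosts_access(5) check for the subset of the syntax used above (daemon lists, the ALL and PARANOID wildcards, exact addresses, trailing-dot address prefixes, net/mask pairs). EXCEPT, LOCAL, KNOWN/UNKNOWN and shell commands are not modelled. The rule files are constructed from the steps above; the allow file is given twice, once as the page first wrote it (with "fingerd") and once with the daemon name corrected, and the forward-DNS table used to evaluate PARANOID is made up.

```python
"""Model of the tcp_wrappers (tcpd) access decision for a (daemon, client) pair.

Added example, not tcp_wrappers code. hosts.allow is consulted first, then
hosts.deny; a pair that matches neither is allowed.
"""
import ipaddress
import re

# Constructed rule files (same rules as in the steps above).
HOSTS_DENY = """\
ALL: ALL
ALL: PARANOID
"""
HOSTS_ALLOW_AS_WRITTEN = """\
ALL: 10.1.0.153, 10.1.2.252
fingerd: 10.1.1.3
"""
HOSTS_ALLOW_CORRECTED = """\
ALL: 10.1.0.153, 10.1.2.252
in.fingerd: 10.1.1.3
"""

# Constructed forward-DNS table used to evaluate PARANOID (name does not map
# back to the address the connection came from).
FORWARD_DNS = {"honest.example": "10.1.2.252", "liar.example": "192.0.2.9"}


def parse_rules(text):
    """Return a list of (daemon_patterns, client_patterns) from a rule file."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":")          # daemon_list : client_list [: option]
        if len(fields) < 2:
            raise ValueError("malformed rule: %r" % raw)
        daemons = [d for d in re.split(r"[,\s]+", fields[0].strip()) if d]
        clients = [c for c in re.split(r"[,\s]+", fields[1].strip()) if c]
        rules.append((daemons, clients))
    return rules


def client_matches(pattern, ip, name, paranoid):
    if pattern == "ALL":
        return True
    if pattern == "PARANOID":
        return paranoid
    if pattern.endswith("."):              # "10.1." : address prefix
        return ip.startswith(pattern)
    if pattern.startswith("."):            # ".example" : domain suffix
        return name is not None and name.endswith(pattern)
    if "/" in pattern:                     # "10.1.0.0/255.255.0.0"
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern == ip or pattern == name


def rule_matches(rule, daemon, ip, name, paranoid):
    daemons, clients = rule
    # The daemon pattern is matched against the name tcpd runs (argv[0]).
    return any(d in ("ALL", daemon) for d in daemons) and any(
        client_matches(c, ip, name, paranoid) for c in clients)


def hosts_access(daemon, ip, allow_text, deny_text, name=None, forward_dns=FORWARD_DNS):
    """Decide like tcpd. Returns (allowed, reason)."""
    paranoid = name is not None and forward_dns.get(name) != ip
    for rule in parse_rules(allow_text):
        if rule_matches(rule, daemon, ip, name, paranoid):
            return True, "matched hosts.allow %r" % (rule,)
    for rule in parse_rules(deny_text):
        if rule_matches(rule, daemon, ip, name, paranoid):
            return False, "matched hosts.deny %r" % (rule,)
    return True, "no rule matched: tcpd allows by default"


if __name__ == "__main__":
    for allow in (HOSTS_ALLOW_AS_WRITTEN, HOSTS_ALLOW_CORRECTED):
        print(hosts_access("in.fingerd", "10.1.1.3", allow, HOSTS_DENY))
```

Two things the model makes visible: the "fingerd" line never matches a daemon started as in.fingerd, so finger from 10.1.1.3 is refused by "ALL: ALL"; and because hosts.allow wins, a host listed there is let in even when PARANOID in hosts.deny would have flagged it.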
To disable a network service completely
To disable remote services like finger, who, and w, you will want to modify your /etc/inetd.conf file. To disable finger services for example, change the /etc/inetd.conf file so the line that says "in.fingerd" at the end, is commented out. Do the same for any other services you do not want to run. Then make the inetd daemon reload its configuration file and restart with the command "killall -HUP inetd".
Linux Xinetd Network services
The service xinetd is designed to provide the same functionality as inetd, but with better configuration options and better security. It provides the same services as inetd, so you will not need to run inetd alongside it and can substitute it for inetd. It is easy to install and run. It is meant as a replacement for inetd but can be run at the same time as inetd; if you run both, you must not run the same service, such as telnet or ftp, under both at once, since only one of them can bind the port. xinetd supports the hosts.allow and hosts.deny features through the tcp wrapper library, the same as inetd does, and also has its own only_from and no_access attributes for the same purpose.
Obtaining xinetd
It is very easy to obtain, compile, and install xinetd. You may obtain FAQ information from http://synack.net/xinetd/faq.html, and complete documentation with source and binaries may be obtained from http://www.synack.net/xinetd/. There is also a very good xinetd tutorial which describes installation and configuration (yes, better than this documentation) at http://www.macsecurity.org/resources/xinetd/tutorial.shtml. It is written for users running Linux on a Macintosh, but it applies very well to xinetd and Linux in general.
Compilation and installation
Download the code to a location like "/usr/local/xinetd" then enter the directory you downloaded xinetd to. Follow the following procedure to unpack a source tar file, compile, and install the package:
1. Type "tar xvzf xinetd-2_1_8_9p3_tar.gz" to unpack the file.
2. Type "cd xinetd-2.1.8.8.p3" to enter the directory the files were unpacked to.
3. Read the README and INSTALL files with the commands "less README" and "less INSTALL".
4. Type "./configure --with-libwrap --with-loadavg". Some documentation recommends not using the --with-libwrap option since xinetd supports its own method of providing the same capabilities as hosts.allow and hosts.deny (the only_from and no_access attributes).
5. Type "make".
6. Type "make install". This installs the man pages for xinetd.conf, xinetd.log, xinetd, and itox, which you can read by typing "man" followed by the name, such as "man xinetd". It also installs the programs xinetd, itox, and xconv.pl into /usr/local/sbin.
1. At this point, you may not have ready access to these programs unless the directory /usr/local/sbin is in your system path. You can check by issuing the command "echo $PATH". If the directory is listed, you are set. If not, you will need to add it to your path.
2. If you only need these commands while logged in as root (which is likely), edit root's .bash_profile file (/root/.bash_profile). This assumes you are using the bash shell; otherwise edit the appropriate file for your shell. Add ":/usr/local/sbin" to the statement that begins with "PATH". If no statement starting with "PATH" exists, add the statement "PATH=$PATH:/usr/local/sbin".
3. If you want this path added for all users, add the same statement to the /etc/profile file.
7. The xinetd documentation says to issue the command:
xconv.pl < /etc/inetd.conf > /tmp/xinetd.conf
But I recommend using the command:
xconv.pl < /etc/inetd.conf > /etc/xinetd.conf
This will create a configuration file for xinetd from your original inetd.conf file. Read the generated file before starting xinetd: it carries over every service that was enabled in inetd.conf, so this is the moment to drop the ones you do not need.
8. You now need to start the service. The easy way to do this is to modify the /etc/rc.d/init.d/inet file and replace all occurrences of inetd by xinetd. Since xinetd is installed to /usr/local/sbin rather than /usr/sbin, you will need to account for this in your file modifications or copy xinetd to /usr/sbin.
9. If you have a problem getting the service to run right consider the following pitfalls:
o If you converted your inetd.conf file to xinetd.conf, were running with tcp wrappers in inetd, and did not compile tcp wrapper support into xinetd with the option --with-libwrap, you will need to either compile the option in or modify your configuration file so tcp wrappers are no longer used. This is done by moving the first server argument (the real daemon) into the server value, so that the server arguments become what would have been on the daemon's own command line, or the value -1. For instance the entry:
server = /usr/sbin/tcpd
server_args = in.ftpd -l -a
becomes:
server = /usr/sbin/in.ftpd
server_args = -l -a
The entry:
server = /usr/sbin/tcpd
server_args = in.telnetd
becomes:
server = /usr/sbin/in.telnetd
server_args = -1
o You may need to add the line "groups = yes" to each service. See the xinetd.conf man page.
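A converter in the spirit of xconv.pl, as an added example that is neither xinetd's own script nor code from the original page. It covers the field layout given under "The inetd configuration file", skips commented-out (disabled) entries as discussed under "To disable a network service completely", and performs the tcp-wrapper unwrapping described in the pitfall above. It assumes that tcpd ran bare daemon names from /usr/sbin (TCPD_DAEMON_DIR), and it simply omits server_args when the daemon takes none rather than writing a placeholder. The inetd.conf excerpt is constructed.

```python
"""Convert inetd.conf entries to xinetd service stanzas, un-wrapping tcpd.

Added example, not xinetd's xconv.pl. With libwrap=False the tcpd wrapper is
removed (xinetd built without --with-libwrap cannot run it usefully); with
libwrap=True the entry is carried over as it was.
"""
import os

TCPD_DAEMON_DIR = "/usr/sbin"   # assumption: where tcpd found bare daemon names

# Constructed inetd.conf excerpt in the format described above.
INETD_CONF = """\
# services that were enabled in inetd.conf
ftp      stream  tcp  nowait  root        /usr/sbin/tcpd  in.ftpd -l -a
telnet   stream  tcp  nowait  root        /usr/sbin/tcpd  in.telnetd
finger   stream  tcp  nowait  nobody      /usr/sbin/tcpd  in.fingerd
talk     dgram   udp  wait    nobody.tty  /usr/sbin/tcpd  in.talkd
daytime  stream  tcp  nowait  root        internal
#shell   stream  tcp  nowait  root        /usr/sbin/tcpd  in.rshd
"""


def parse_inetd_conf(text):
    """Return one dict per active (not commented-out) inetd.conf entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue                         # blank or commented out: disabled
        fields = line.split()
        if len(fields) < 6:
            raise ValueError("too few fields: %r" % raw)
        name, socket_type, protocol, wait, user, server = fields[:6]
        wait, _, _rate = wait.partition(".")    # "nowait.60" rate limit is dropped
        user, _, group = user.partition(".")    # "user.group"
        entries.append({"name": name, "socket_type": socket_type,
                        "protocol": protocol, "wait": wait, "user": user,
                        "group": group, "server": server, "args": fields[6:]})
    return entries


def unwrap_tcpd(entry):
    """Replace a tcpd-wrapped server with the daemon tcpd would have run."""
    if os.path.basename(entry["server"]) != "tcpd" or not entry["args"]:
        return entry
    daemon, *rest = entry["args"]
    if not daemon.startswith("/"):
        daemon = os.path.join(TCPD_DAEMON_DIR, daemon)
    return dict(entry, server=daemon, args=rest)


def xinetd_settings(entry, libwrap=False, groups=True):
    """Ordered (attribute, value) pairs of the xinetd stanza for one entry."""
    if not libwrap:
        entry = unwrap_tcpd(entry)
    s = [("socket_type", entry["socket_type"]),
         ("protocol", entry["protocol"]),
         ("wait", "yes" if entry["wait"] == "wait" else "no"),
         ("user", entry["user"])]
    if entry["group"]:
        s.append(("group", entry["group"]))
    if groups:
        s.append(("groups", "yes"))          # the "groups = yes" pitfall above
    if entry["server"] == "internal":
        s.append(("type", "INTERNAL"))
    else:
        s.append(("server", entry["server"]))
        if entry["args"]:                    # omitted when the daemon takes none
            s.append(("server_args", " ".join(entry["args"])))
    return s


def render(entry, **kw):
    body = "\n".join("\t%-12s= %s" % (k, v) for k, v in xinetd_settings(entry, **kw))
    return "service %s\n{\n%s\n}\n" % (entry["name"], body)


def convert(text, **kw):
    return "\n".join(render(e, **kw) for e in parse_inetd_conf(text))


if __name__ == "__main__":
    print(convert(INETD_CONF))
```

Run it over your real inetd.conf with libwrap=True if you did build xinetd with --with-libwrap; in that case the tcpd lines are kept and the old hosts.allow/hosts.deny rules keep working.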
Other Linux Network Services
Network services not normally controlled using the inetd daemon include but are not limited to:
• arpwatch - Keeps track of ethernet IP addresses that are resolved using the ARP protocol. This allows system administrators to note new IP addresses being used. It maintains a database in /var/arpwatch/arp.dat
• bootparamd - The RPC boot parameter server (rpc.bootparamd). Diskless clients that have already found their IP address (for example with RARP) ask it where their root and swap file systems live. It is not a BOOTP server; that is bootpd, listed under the inetd services above. DHCP is the more automated successor to BOOTP.
• dhcpd - Provides DHCP services to "lease" out IP addresses to remote machines.
• gated - Provides routing services for BGP and other protocols. Alternative to routed. Supports IGP (Interior gateway protocol) and EGP (Exterior Gateway Protocol).
• httpd - The Apache hypertext transfer protocol Web server.
• identd (auth) - Server implementing the TCP/IP proposed standard IDENT user identification protocol in RFC 1413. It returns user information to a remote host that a user is requesting a service from. Also called auth.
• innd - The Usenet news server
• ldap - Lightweight directory access protocol package which provides client/server based directory database services which runs on UNIX platforms over TCP/IP. RFC is 1777.
• mars-nwe - Loads the MARS Netware compatible file and print server daemon called nwserv. Allows a Linux machine to be used as a file and printserver for netware based clients using IPX/SPX.
• mcserv - Allows users on remote machines to use the Midnight Commander file manager to work with files. It uses the PAM library for authentication.
• named - Provides DNS services. It is a name server used to translate host names to IP addresses and vice versa.
• nfs - Provides Network File System server services
• nfslock - NFS file locking service. Starts the daemons rpc.lockd and rpc.statd. The rpc.statd daemon implements the Network Status Monitor (NSM) RPC protocol, a reboot notification service used to implement file lock recovery when an NFS server crashes and reboots.
• portmap - Provides Remote Procedure Call (RPC) support for other protocols like NFS.
• postgresql - Runs the postgres database and provides SQL services. It runs the daemon postmaster.
• pulse - Heartbeat daemon for monitoring the health of lvs (Redhat clustering services) cluster nodes. This tool is used for clustering machines.
• pxe - A preboot execution environment (PXE) server. Allows network boot of other PXE machines. PXE is a standard developed by Intel for a means of booting various operating systems on remote machines.
• routed - Provides for automatic router table updates using the RIP dynamic routing information protocol.
• rstatd - The rstat protocol allows users on a network to get performance information for any machine on the network. Runs the rpc.rstatd daemon which provides performance statistics retrieved from the kernel usually by using the "rup" command.
• rusersd - Provides services that allow users to find one another over the network.
• rwalld - Provides users with an ability to use the rwall command to write messages on remote terminals.
• rwhod - The rwho protocol lets remote users get a list of all users logged onto a machine by running the rwho daemon.
• sendmail - The sendmail mail transport agent daemon used to move e-mail from one machine to another.
• smb - Provides SMB (Samba) client/server services which include file and print services. It allows Linux computers to exchange file and printer services with Microsoft Windows based systems.
• snmpd - Provides Simple Network Management Protocol support to Linux.
• squid - Runs the Squid caching web proxy server
• xfs - X font file server
• xntpd - Starts the Network Time Protocol NTPv3 daemon. NTP provides a means to synchronize time and coordinate time distribution in a large, diverse internet operating at all speeds. RFC 1305 describes this protocol.
• ypbind - Binds YP/NIS clients to a yellow pages server. NIS is a name service created by Sun.
• yppasswdd - Allows users to change their passwords on systems running YP/NIS
• ypserv - This daemon provides the YP/NIS (Network Information System) server functions.
Linux Process Control
Tools for working with processes
• accton - Turns process accounting on and off. Uses the file /var/log/pacct. To turn it on type "accton /var/log/pacct". Use the command with no arguments to turn it off.
• kill - Send a signal (TERM by default) to a process identified by its PID
• killall - Send a signal to a process by name
• lastcomm (1) - Display information about previous commands in reverse order. Works only if process accounting is on.
• nice - Set process priority of new processes.
• ps(1) - Used to report the status of one or more processes.
• pstree(1) - Display the tree of running processes.
• renice(8) - Can be used to change the process priority of a currently running process.
• sa(8) - Generates a summary of information about users' processes that are stored in the /var/log/pacct file.
• skill - Send a signal to processes selected by name, user, or terminal rather than by PID.
• snice - Change the priority of processes selected in the same way as with skill.
• top - Displays the processes that are using the most CPU resources.
Checking running processes
While logged in as root, type "ps -ax |more" or "ps -aux |more". You will get a list of all processes running on your computer. You will see the process id (PID), process status (STAT) various statistics, and the command name. You can kill a process by typing "kill" and the PID number right afterwards similar to the line below.
kill 1721
You can also stop and restart processes by sending them various signals as in the below examples:
kill -STOP 1721 Stops (suspends) process 1721 by sending it the STOP signal. The process stays on the task list. A process cannot catch or ignore STOP.
kill -CONT 1721 Continues process 1721, causing it to resume, by sending it the CONT signal.
kill -TERM 1721 Terminates process 1721 by sending it the TERM signal (the default when no signal is named). Once terminated, the process no longer shows on the task list and cannot be continued. TERM can be caught or ignored, so it is not guaranteed to kill the process; if it does not, "kill -KILL 1721" (signal 9) cannot be caught and will.
kill -HUP 1721 Sends the HUP (hangup) signal to process 1721. The default action is to terminate, but daemons commonly catch HUP and re-read their configuration files, which is why it is sent when a daemon is misbehaving or its configuration has changed.
killall -HUP myprint Sends HUP to every process named "myprint".
killall -TERM myprint Terminates every process named "myprint" (kill selects by PID only, so killall is needed to select by name).
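The signal behaviour in the table above, exercised against real child processes, as an added example that is not from the original page. Instead of yes > /dev/null it spawns two small Python children: one with default signal handling, and one that installs a SIGTERM handler and ignores the signal, which is how the page's warning that TERM is not guaranteed to kill a process looks in practice. The child programs are constructed for the example; it needs a Unix-like system.

```python
"""Exercise STOP/CONT/TERM/KILL against child processes.

Added example, not from the page. stop_and_continue() mirrors "kill -STOP"
and "kill -CONT"; terminate() mirrors "kill -TERM" with "kill -KILL" as the
fallback for a process that catches TERM.
"""
import os
import signal
import subprocess
import sys
import time

# Constructed child programs. Each prints "ready" once it is running so the
# parent does not send signals before the handler is in place.
CHILD_DEFAULT = (
    "import sys, time\n"
    "sys.stdout.write('ready\\n'); sys.stdout.flush()\n"
    "while True: time.sleep(0.1)\n")
CHILD_IGNORES_TERM = (
    "import signal, sys, time\n"
    "signal.signal(signal.SIGTERM, lambda *_: None)   # catch and swallow TERM\n"
    "sys.stdout.write('ready\\n'); sys.stdout.flush()\n"
    "while True: time.sleep(0.1)\n")


def spawn(program):
    p = subprocess.Popen([sys.executable, "-c", program],
                         stdout=subprocess.PIPE, text=True)
    p.stdout.readline()                  # blocks until the child says "ready"
    return p


def stop_and_continue(p):
    """kill -STOP then kill -CONT. Returns (was_stopped, was_continued)."""
    os.kill(p.pid, signal.SIGSTOP)
    _, status = os.waitpid(p.pid, os.WUNTRACED)      # wait until it is stopped
    stopped = os.WIFSTOPPED(status)
    os.kill(p.pid, signal.SIGCONT)
    _, status = os.waitpid(p.pid, os.WCONTINUED)     # wait until it resumes
    return stopped, os.WIFCONTINUED(status)


def terminate(p, grace=1.0):
    """kill -TERM, then kill -KILL if the process is still alive after `grace`.

    Returns (survived_term, exit_status). Popen reports death by signal as a
    negative status: -15 means TERM did it, -9 means KILL was needed.
    """
    os.kill(p.pid, signal.SIGTERM)
    deadline = time.time() + grace
    while p.poll() is None and time.time() < deadline:
        time.sleep(0.05)
    survived = p.poll() is None
    if survived:
        os.kill(p.pid, signal.SIGKILL)   # cannot be caught or ignored
    p.wait()
    p.stdout.close()
    return survived, p.returncode


def demo(program):
    p = spawn(program)
    stopped, continued = stop_and_continue(p)
    survived, status = terminate(p)
    return {"stopped": stopped, "continued": continued,
            "survived_term": survived, "status": status}


if __name__ == "__main__":
    print("default handling:", demo(CHILD_DEFAULT))
    print("catches TERM:    ", demo(CHILD_IGNORES_TERM))
```

The second child survives TERM and is only gone after KILL, which is also why service scripts that stop a daemon usually wait a little after TERM and then fall back to KILL rather than assuming the first signal worked.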
Setting up and doing process control
The examples in this section use the "yes" command as an easy example of a program that runs continually. The "yes" command outputs the string "y" until it is killed or stopped. When its output is redirected to /dev/null (the null device or bit bucket), the output is simply discarded, so the command is harmless but a good demonstration. To put the process in the background, append an "&" character to the end of the command as shown below.
yes > /dev/null &
The system will respond with a job number and process ID or PID similar to:
[1] 10419
Either number can be used to refer to the job. The "jobs" command can be used to check the job. When the command is entered the system will respond with a list of running jobs similar to the following:
[1]+ Running yes >/dev/null &
The job can be killed using the process ID or the job number. Either
kill %1
or:
kill 10419
Stopping and restarting jobs
Another way to put a job into the background is to
1. Start the job normally like:
yes > /dev/null
The prompt does not come back.
2. Press Ctrl-Z to suspend the job. The shell reports the job number and that the job is stopped, similar to:
[1]+ Stopped yes > /dev/null
3. Use the command "bg" or "bg %1", where 1 is the job number, to let the process continue in the background.
Before the last step, the job was suspended. The "fg" command could have been used to bring the job back into the foreground rather than "bg" to put it in the background. If the job is running in the foreground, you can press Ctrl-C to terminate the process.
Killing or Reconfiguring a Daemon without Restarting
killall -1 inetd Restarts inetd by sending signal number 1 which is the hangup signal.
killall -HUP inetd Causes the daemon to reload its config file by sending the hangup signal. The difference between this example and the previous one is the signal is called by name here rather than number.
To make changes to inetd:
1. Reconfigure /etc/inetd.conf
2. Restart inetd by sending it the hangup signal
The easy way to reset a service that was started via the rc script files during system startup:
1. Find the file for the service, you want to start. For example find the file for the print daemon "lpd". These files should typically be in the directory "/etc/rc.d/init.d". The file name in this case is "lpd". (Note this is a script file, that starts the daemon, not the actual binary daemon file).
2. Go to that subdirectory "cd /etc/rc.d/init.d" and type "./lpd restart".
3. You should get output to the screen that indicates this service has been shut down and then started.
Setting process priority
In Linux, processes have a nice value between -20 and 19. The value -20 gives the highest priority, and 19 the lowest. The nice value of a new process can be set with the nice(1) command and changed on a running process with the renice(8) command. To give a process the highest priority, find its process ID number using the ps command. If your process name is "myprog" type:
ps -ax |grep myprog
You should get something like:
756 tty1 S 0:00 myprog
The first number on the line is your process ID. Enter the command:
renice -20 756
This sets your process (PID=756) to a nice value of -20. Substitute the process ID of your program running on your system. Only root can lower a nice value (raise priority); an ordinary user can only make their own processes nicer, that is, lower their priority. You can find the default nice value of new processes by typing "nice" on its own. If you want to start a process with a specific priority, use the nice(1) command when you invoke it, for example "nice -n 10 myprog".
Setting limits on the number of processes that can run
The shell builtin "ulimit" limits the resources available to the shell and to every process started from it: the number of processes a user may run ("ulimit -u"), open files, core file size, memory, and so on. All processes started from the shell (bash in many cases) inherit the same resource limits. See the bash manual page for more information. To set limits for daemons that start at boot time, add a ulimit command to the boot scripts. Limits set this way apply only to that shell and its children; per-user limits for login sessions are set in /etc/security/limits.conf through the pam_limits module (see the PAM section below).
The command "ulimit -a" reports the current limits.
Using Linux PAM
PAM stands for Pluggable Authentication Modules. PAM is a library, used to control the function of various applications that have the capability to use the PAM libraries. PAM is based on a series of library modules, some of which depend on configuration files. Locations of PAM configuration files and library modules are:
• All PAM applications are configured in the directory "/etc/pam.d" or in a file "/etc/pam.conf".
• The library modules are normally stored in the directory "/lib/security".
• The configuration files used by individual modules are located in the directory "/etc/security".
To configure PAM, on systems already set up for it, you would need to edit the files for the service you want to modify in the "/etc/pam.d" directory, and modify the appropriate configuration file in the directory "/etc/security". This page will explain how to set up the configuration files and how to configure the modules so applications can use them.
The PAM configuration files
PAM is controlled by a main configuration file (/etc/pam.conf) or a control directory (/etc/pam.d). Some modules' behavior is controlled by their own configuration files in /etc/security, listed below:
• access.conf - Login access control. Used by the pam_access.so module.
• group.conf - Group membership control. Used by the pam_group.so module.
• limits.conf - Sets system resource limits. Used by the pam_limits.so module.
• pam_env.conf - Controls the setting of environment variables. Used by the pam_env.so module.
• time.conf - Allows time restrictions to be applied to services and user privileges. Used by the pam_time.so module.
The main pam.conf file or the /etc/pam.d files
The configuration for PAM is normally in the /etc/pam.d directory, which has a file for each PAM controlled application. This file or directory is used to control the behavior of applications that use the PAM modules. Some examples of PAM controlled applications are login, samba, and shutdown. PAM is controlled using the configuration file /etc/pam.conf or the configuration directory, but not both: if /etc/pam.d exists, it is used and /etc/pam.conf is ignored. A general configuration line in one of the PAM application configuration files has the following form:
module-type control-flag module-path arguments
If the /etc/pam.conf file is used to control PAM rather than the /etc/pam.d directory structure, the pam.conf lines are the same except they have an additional parameter at the start which is "service-name". The various parameters on each line are:
1. service-name (not in directory files) - The name of the application or service, such as rlogin or ftp; in /etc/pam.d the file name serves this purpose instead.
2. module-type - The type of the PAM module, which is one of
1. auth - Authenticates the user to be sure they are who they claim to be, usually by asking for a password and checking it, and sets credentials such as group memberships or Kerberos tickets.
2. account - Decides whether an already authenticated user may use the service now: the account may have expired, the user may not be allowed to log in at this time of day or from this location, or a resource limit such as the maximum number of users may have been reached.
3. password - Updates the authentication token (changes the password). Typically there is one password module for each auth module.
4. session - Does the work needed before or after the user is given service once authenticated, such as logging the opening or closing of the session, mounting directories, or making the user's mailbox available.
3. control-flag
1. required - The module must succeed for the module-type as a whole to succeed. If it fails, the remaining modules of the same type are still run before the failure is reported, so the user does not learn which module rejected them.
2. requisite - Like required, but a failure returns control to the application at once; the return value is that of the first required or requisite module to fail. This can be used to avoid asking for a password over an unsafe connection after an earlier check has already failed.
3. sufficient - If this module succeeds and no previous required module has failed, the remaining stacked modules of this type are skipped and success is returned to the application. A failure of this module is not fatal.
4. optional - Not critical to success or failure. Its result decides the outcome only when no other module in the stack has produced a definite success or failure.
4. module-path - The path and filename of the PAM library used to control the function.
5. arguments - Arguments are optional and vary from module to module.
My "/etc/pam.d/rlogin" file looks like this:
#%PAM-1.0
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_pwdb.so shadow nullok
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_pwdb.so
password required /lib/security/pam_cracklib.so
password required /lib/security/pam_pwdb.so nullok use_authtok md5 shadow
session required /lib/security/pam_pwdb.so
session optional /lib/security/pam_console.so
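A simulation of the stacking rules above, applied to the rlogin file, as an added example that is neither Linux-PAM code nor from the original page. No module is actually loaded; each module's verdict is supplied by hand, so what it shows is which modules still run after a failure and what the application is finally told. The pam_rhosts_auth.so line used in the "sufficient" scenario is an assumption for illustration and is not part of the rlogin file above.

```python
"""Simulate how Linux-PAM walks a module stack under the four control flags.

Added example, not Linux-PAM code. Module verdicts are supplied in a dict
(name -> True/False); the point shown is the stacking logic only.
"""

# The /etc/pam.d/rlogin file shown above.
PAM_RLOGIN = """\
#%PAM-1.0
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_pwdb.so shadow nullok
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_pwdb.so
password required /lib/security/pam_cracklib.so
password required /lib/security/pam_pwdb.so nullok use_authtok md5 shadow
session required /lib/security/pam_pwdb.so
session optional /lib/security/pam_console.so
"""


def parse_pam_file(text):
    """Return (module_type, control_flag, module_name, args) per line."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError("malformed PAM line: %r" % raw)
        mtype, control, path = fields[:3]
        stack.append((mtype, control.lower(), path.rsplit("/", 1)[-1], fields[3:]))
    return stack


def run_stack(stack, module_type, verdicts):
    """Walk one module type's stack. Returns (success, reason, modules_run)."""
    first_failure = None      # first required/requisite module that failed
    decided = False           # some non-optional module produced a result
    optional_result = None
    ran = []
    for mtype, control, module, _args in stack:
        if mtype != module_type:
            continue
        ok = verdicts.get(module, False)    # an unknown module counts as failure
        ran.append(module)
        if control == "required":
            decided = True
            if not ok and first_failure is None:
                first_failure = module      # remembered, but keep running
        elif control == "requisite":
            decided = True
            if not ok:
                if first_failure is None:
                    first_failure = module
                return False, "requisite stop: %s failed" % first_failure, ran
        elif control == "sufficient":
            if ok and first_failure is None:
                return True, "sufficient: %s succeeded" % module, ran
            # a failing sufficient module is not fatal; keep going
        elif control == "optional":
            if optional_result is None:
                optional_result = ok
        else:
            raise ValueError("unknown control flag %r" % control)
    if first_failure is not None:
        return False, "required: %s failed" % first_failure, ran
    if decided:
        return True, "all required modules succeeded", ran
    if optional_result is not None:
        return optional_result, "decided by optional module", ran
    return False, "empty stack", ran


def with_control(stack, module_type, module, control):
    """Copy of the stack with one line's control flag changed."""
    return [(t, control if (t == module_type and m == module) else c, m, a)
            for t, c, m, a in stack]


if __name__ == "__main__":
    stack = parse_pam_file(PAM_RLOGIN)
    bad_tty = {"pam_securetty.so": False, "pam_pwdb.so": True, "pam_nologin.so": True}
    print(run_stack(stack, "auth", bad_tty))
    print(run_stack(with_control(stack, "auth", "pam_securetty.so", "requisite"), "auth", bad_tty))
```

With pam_securetty.so marked required, a root login from a non-secure tty still goes through pam_pwdb.so, so the password is requested and only then refused; marked requisite, the stack stops at the first module and nothing is asked. That is the trade-off the control-flag descriptions above are pointing at.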