UNIX FOURTH EDITION
Robin Anderson Andy Johnston et al
Unleashed
UNIX Unleashed, Fourth Edition Copyright © 2002 by Sams All rights reserved. No part of this book shall be reproduced, stored in a retrieval system, or transmitted by any means, electronic, mechanical, photocopying, recording, or otherwise, without written permission from the publisher. No patent liability is assumed with respect to the use of the information contained herein. Although every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions. Nor is any liability assumed for damages resulting from the use of the information contained herein.
ASSOCIATE PUBLISHER Jeff Koch
ACQUISITIONS EDITOR Kathryn Purdum
DEVELOPMENT EDITOR Mark Renfrow
MANAGING EDITOR Matt Purcell
PROJECT EDITOR
International Standard Book Number: 067232251X
Natalie Harris
Library of Congress Catalog Card Number: 2001093499
COPY EDITOR
Printed in the United States of America
Krista Hansing
PRODUCTION
First Printing: December 2001
D&G Limited, LLC 04
03
02
01
4
3
2
1
TECHNICAL EDITORS
Trademarks All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Sams cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.
Robert Jensen Scott Orr
TEAM COORDINATOR Denni Bannister
INTERIOR DESIGNER
Warning and Disclaimer
Gary Adair
Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information provided is on an “as is” basis. The authors and the publisher shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book.
COVER DESIGNER Aren Howell
Contents at a Glance Introduction
Part I
1
Basic Operation
5
1
Startup and Shutdown
2
Managing Disk Hardware 53
3
Filesystem Administration
4
User Administration
5
Getting on the Network
6
Logging
7
Authentication
8
Securing a System for Rollout
9
Day-to-Day System Management
Part II
7
159 219
253 301
Critical Subsystems
10
The X Window System
11
Name Service (DNS)
12
Mail
13
File Sharing
14
Printing
15
Basic Web Services
16
Backups
Part III
97
341 397
427 429
461
489 543
607 639
675
Applications and Tools
715
17
Open Source Software Management
18
Databases
19
Automation
20
Advanced Web Services
Part IV
717
765 809 839
Towards Better Sysadmin
21
Security
895
22
Intrusion Detection
923
893
23
Requirements Analysis and Performance Monitoring
24
Working with People
Part V
Appendixes
1007
1045
A
High-Level Installation Steps
B
From Disk to Filesystem
C
User Creation Checklist
D
Binary-Hex Notation Summary
E
Cryptography in UNIX 1085
F
Handy Commands
G
References
Index
1113
1121
1103
1047
1055 1069 1073
977
Contents Foreword
1
Introduction
PART I 1
3
Basic Operation
5
Startup and Shutdown
7
Introduction ......................................................................................8 Outlining the Five-Step Boot Process ..............................................8 Step 1: Firmware—Hardware Self-Recognition ..............................9 Some Instances of Firmware ......................................................9 What Firmware Does ................................................................11 Firmware Settings ......................................................................12 Firmware Mechanisms and Specifics ........................................12 Step 2: Bootloader—Loading the OS ............................................25 What the Bootloader Does ........................................................25 Bootloader Mechanisms and Specifics ......................................26 Step 3: Kernel—Initialization and Control Transfer ......................27 What The Kernel Does ............................................................28 Kernel Mechanisms and Specifics ............................................29 Step 4: Init and Initialization Scripts ..............................................32 What Init Does ..........................................................................33 Init Mechanisms and Specifics: inittab ....................................33 Init Mechanisms and Specifics: init Scripts ..............................38 Step 5: Over to the Admin—Miscellaneous Wrap-Up ................41 Shutting Down and Generally Changing init Levels ......................41 The Red Hat Boot Sequence as Displayed by dmesg ....................43 The Solaris Boot Sequence as Displayed by dmesg ......................46 Sample Output from Shutting Down Solaris ............................48 Best Practices ..................................................................................49 Firmware ....................................................................................49 Kernel ........................................................................................49
vi
UNIX UNLEASHED Init ..............................................................................................50 Shutdown ..................................................................................50 Follow-Through ........................................................................50 Online References ..........................................................................50 Endnotes ........................................................................................51 2
Managing Disk Hardware
53
Introduction ....................................................................................54 Physical Devices ............................................................................54 OS-Independent Hardware Communication Standards ..................55 Brief Notes on Serial ................................................................56 Brief Notes on FireWire (IEEE 1394) ......................................56 Brief Notes on USB ..................................................................57 Brief Notes on ATAPI ................................................................58 Brief Notes on Parallel ..............................................................58 IDE/ATA ....................................................................................59 SCSI ..........................................................................................62 Know Your System ........................................................................77 Naming Conventions ................................................................77 Getting the OS to Tell You About Its Constituent Hardware ................................................................................80 Adding/Removing Disks (and Other Devices) ..............................84 Adding Devices ........................................................................84 Removing Devices ....................................................................89 Best Practices ..................................................................................90 General ......................................................................................90 SCSI Devices ............................................................................91 Physical Addition ......................................................................91 After Physical Addition ............................................................91 Removing a Device ..................................................................91 Online References ........................................................................92 Standards Organizations ............................................................92 IDE/ATA ....................................................................................92 SCSI ..........................................................................................92 Other Communications Standards ............................................93 Red Hat ......................................................................................93 Solaris ........................................................................................93 Endnotes ........................................................................................94
CONTENTS 3
Filesystem Administration
97
Introduction ....................................................................................98 Dividing Disk Space Wisely ..........................................................98 Virtual Devices: Partitions ........................................................98 Logical Constructs: Filesystems ..............................................104 Philosophy of Division ............................................................109 Technical Details of Partitioning ............................................116 More About Filesystems ..............................................................119 Filesystem Components That the Admin Needs to Know About ....................................................................................119 Filesystem Types ....................................................................131 Administering Local Filesystems ................................................140 Local Filesystem Creation ......................................................140 Local Filesystem Availability Management ............................140 Space Management ..................................................................147 Removable Storage Media ............................................................154 Adding Swap Files ..................................................................154 Best Practices ................................................................................155 Partitioning ..............................................................................155 Filesystems ..............................................................................155 Online References ......................................................................156 Endnotes ......................................................................................157 4
User Administration
159
Definitions: Identity, Entity, Capability ........................................160 Storing Basic User Information Locally ......................................163 /etc/passwd ..............................................................................163 /etc/group ................................................................................166 /etc/shadow ..............................................................................168 Sharing User (and Other) Information over the Network ............174 rsync, rdist, cfengine ............................................................175 NIS (Nod to NIS+) ..................................................................175 LDAP ......................................................................................191 Creating Accounts ........................................................................194 Policy ......................................................................................194 Technical ..................................................................................199
vii
viii
UNIX UNLEASHED Removing Accounts ......................................................................204 Policy ......................................................................................204 Technical ................................................................................206 Best Practices ................................................................................211 Policy ......................................................................................211 Usernames and UIDs ..............................................................211 Group Names and GIDs ..........................................................211 Passwords ..............................................................................211 Shadowing ..............................................................................212 Account Locking ....................................................................212 Account Deletions ..................................................................212 NIS ..........................................................................................212 Creating Accounts ..................................................................213 General ....................................................................................213 Online References ......................................................................213 NIS ..........................................................................................213 LDAP ......................................................................................214 Endnotes ......................................................................................214 5
Getting on the Network
219
Introduction ..................................................................................220 TCP/IP ..........................................................................................220 The Internet as a Network of Networks ................................220 IP Addressing ..........................................................................225 IP Configuration and Troubleshooting Commands ................235 Services and Ports ..................................................................244 Best Practices ................................................................................249 Human Interaction ..................................................................249 Basic Network Configurations ................................................249 Troubleshooting ......................................................................250 Offering Services ....................................................................250 Online References ........................................................................251 Network Standards ..................................................................251 DHCP ......................................................................................251
CONTENTS 6
Logging
253
Introduction ..................................................................................254 Standard Unix System Logging: syslog ......................................254 BSD System Logging ..............................................................254 syslog Internal Schema ............................................................259 syslog.conf ..............................................................................262 Timekeeping: ntp ..........................................................................268 ntp Architecture ......................................................................268 Configuring ntp at Your Site ....................................................269 Configuring Your Site’s Logging Security ..................................271 Securing Your Local Logging Configuration ........................271 Securing Your Remote Logging Configuration ......................273 Application Logging through syslog ............................................278 Application-Specific Logging outside syslog ..............................279 Standard System Logging outside syslog ....................................279 Red Hat Extras ........................................................................283 Cross-Platform syslog Alternatives ..............................................284 Log Analysis and Reporting ........................................................285 Log Analysis ............................................................................287 Real-Time/Near–Real-Time Alerting and Notifications ........290 Log Rotation and Retention ....................................................293 Best Practices ................................................................................296 General ....................................................................................296 syslog.conf ..............................................................................296 Hardening the Central Loghost ..............................................296 Periodic Checks ......................................................................297 Online References ......................................................................297 Red Hat Logging ....................................................................297 Computer Emergency Response Team (CERT) ....................297 ntp ............................................................................................298 syslog Replacement Packages ................................................298 Log Analysis ..........................................................................298 Endnotes ......................................................................................299
ix
x
UNIX UNLEASHED 7
Authentication
301
Introduction ..................................................................................302 What Is Authentication? ..............................................................302 Overview of UNIX Password Authentication ..............................302 Good Passwords and Bad Passwords ..........................................303 Linux Red Hat 7.1: Password-Checking Rules ......................305 Solaris 2.8: Password-Checking Rules ....................................306 Linux Red Hat 7.1: Password Aging ......................................309 Solaris 2.8: Password Aging ..................................................309 Basic UNIX Password Implementations ......................................310 Linux Red Hat 7.1: Password Hashes ....................................312 Solaris 2.8: Password Hashes ..................................................312 Linux Red Hat 7.1 and Solaris 2.8: Local Password File Format ............................................................................312 Linux Red Hat 7.1: Shadow Password Entry Fields ..............313 Solaris 2.8: Shadow Password Entry Fields ............................313 Linux Red Hat 7.1: Editing the Password File ........................314 Solaris 2.8: Editing the Password File ....................................314 Linux Red Hat 7.1: The newusers Program ............................315 Password Cracking ......................................................................315 Network Information System (NIS) ............................................317 Linux Red Hat 7.1: The nsswitch.conf File ............................320 Solaris 2.8: The nsswitch.conf File ........................................320 Alternate UNIX Password Algorithms ........................................321 Linux Red Hat 7.1: Hashing Algorithms ................................322 Solaris 2.8: Hashing Algorithms ............................................322 Alternate Authentication Schemes ..............................................322 ssh and Authentication ..................................................................326 Linux Red Hat 7.1: OpenSSH ................................................326 Solaris 2.8: ssh Options ..........................................................326 Kerberos ..................................................................................330 Integrating with PAM ..................................................................330 Linux Red Hat 7.1: PAM ........................................................334 Solaris 2.8: PAM ......................................................................335 The ident Server and Authentication ............................................335 Linux Red Hat 7.1: The identd Daemon ................................336 Solaris 2.8: The identd Daemon ..............................................337 Best Practices ................................................................................337 References ....................................................................................338
CONTENTS 8
Securing a System for Rollout
341
You Must Harden the System ......................................................342 Patching: Process and Policy ........................................................344 Solaris: At Install Time ............................................................345 Patching Red Hat Linux ..........................................................346 Mandrake Linux ......................................................................347 General Considerations for Patching ......................................348 Why You Must Do More Than Patch ..........................................348 Step 1: Someone Discovers a Bug in a Program ....................348 Step 2: Someone Realizes That This Bug Is a Security Vulnerability ..........................................................................349 Step 3: Someone Figures Out How to Exploit This Vulnerability ..........................................................................350 Step 4: Someone Might Share the Vulnerability and Exploit with the Public ......................................................................351 Step 5: A Source-Code Patch Is Released ..............................352 Step 6: A Binary (Vendor) Patch Is Released ........................352 Step 7: People Apply the Patch ..............................................353 Auditing Services ........................................................................354 Part I: The inetd/xinetd Audit ..................................................354 Part II: Tracking Down the Rest with netstat, lsof, and a Few Detective Tools ....................................................363 Periodic Checks for Integrity ..................................................375 Secure Network Daemon Replacements ......................................376 TCP Wrappers (tcpd) ..............................................................376 Secure Shell (ssh) ....................................................................377 Secure Portmapper (portmap/rpcbind) ....................................378 Auditing Passwords ......................................................................379 Automating Linux/UNIX Lockdown with Bastille Linux ..........380 Account Security (AccountSecurity.pm) ................................382 File Permissions (FilePermissions.pm) ..................................382 Deactivate Miscellaneous Daemons (MiscellaneousDaemons.pm) ................................................382 Boot Security (BootSecurity.pm) ............................................383 Add Enhanced Logging (logging.pm) ....................................383 Configure Miscellaneous PAM Settings (ConfigureMiscPAM.pm) ......................................................383
xi
xii
UNIX UNLEASHED Disable User Tools (DisableUserTools.pm) ............................383 Printing (printing.pm) ..............................................................384 Apache (Apache.pm) ..............................................................384 DNS (DNS.pm) ......................................................................384 FTP (FTP.pm) ..........................................................................385 sendmail (sendmail.pm) ..........................................................385 Secure inetd Configuration (SecureInetd.pm) ........................385 tmp Directory Defense (TMPDIR.pm) ..................................385 Firewall (firewall.pm) ..............................................................386 Port Scan Attack Detector (psad.pm) ......................................386 Automating Solaris/UNIX Lockdown with Other Tools ..............387 Titan ........................................................................................387 Solaris-Specific Hardening Tools: YASSP and jass ....................................................................392 Best Practices ................................................................................393 Resources ......................................................................................393 Endnotes ......................................................................................394 9
Day-to-Day System Management
397
Overview ......................................................................................398 The Proactive Administrator ........................................................398 The Importance of Being Root ................................................398 Process Management ..............................................................400 Looking at System Logs ..........................................................406 Check Partition Usage ............................................................407 Quota Pros and Cons ..............................................................408 When Was the System Booted? ..............................................409 Is Everything Running? ..........................................................410 Are the Backups Getting Done? ..............................................411 Be a System Environmentalist ................................................412 Reactive Administration ..............................................................412 Lowering the Defenses ............................................................413 Firefighting ..............................................................................413 Deciphering User Requests ....................................................415 Deleted Mailspool ..................................................................418
CONTENTS ”These New Guys Need Accounts” ........................................421 ”We Need a Group Account for Our Group Web Page and Mail” ..............................................................................421 ”
Is Broken” ........................422 Request for New Hardware ....................................................423 Request for New Software/License ........................................423 Best Practices ................................................................................425 Proactive Administration ........................................................425 Reactive Administration ..........................................................425 Online References ......................................................................425[email protected] ) is the coordinator of systems engineering for the University of Maryland, Baltimore County (UMBC). He has been involved in UNIX software development and administration since 1992, working as an independent consultant and also working directly for various local organizations. His current focus is primarily on directory services and middleware development. On the side, he enjoys music, home improvement, and burning things. (http://www.calefaction.org) Jay Beale is the lead developer of the Bastille Linux Project, which creates a wildly popular security-tightening program. As an independent security consultant and trainer, he authored the Center for Internet Security’s Linux Security Benchmark and wrote the Center’s Security Measurement “tester” program. He formerly served as Security Team Director for the Linux vendor MandrakeSoft and as a system and security administrator for the distance-education–focused University of Maryland, University College. Jay is a frequent conference speaker and the author of a number of articles on UNIX/Linux security, along with the upcoming book Securing Linux the Bastille Way, to be published by Addison Wesley. You can learn more about his articles, talks, and favorite security links at http://www.bastille-linux.org/jay. Matt Bishop received his Ph.D. in computer science from Purdue University, where he specialized in computer security, in 1984. He was a research scientist at the Research Institute of Advanced Computer Science and was on the faculty at Dartmouth College before joining the Department of Computer Science at the University of California at Davis. His main research area is the analysis of vulnerabilities in computer systems, including modeling them, building tools to detect vulnerabilities, and ameliorating or eliminating them. This includes detecting and handling all types of malicious logic, especially computer worms and computer viruses. He is also active in the areas of network security, the study of denial-of-service attacks and defenses, policy modeling, software assurance testing, and formal modeling of access control. In addition, he studies the issue of trust as an underpinning for security policies, procedures, and mechanisms, and he is known in part for his work in UNIX security.[email protected] . Sandy Kolstad Antunes is firmly enmeshed within the astrophysical, business startup, and role-playing communities, and there is a surprisingly amount of crossover in these. Currently on leave from NASA satellite work to complete his Ph.D., Sandy is also a proud househusband and, when time allows, able freelance writer. For a full background, just look him up on Google. Emma Kolstad Antunes wrote her first Web page in vi for Mosaic, but she prefers to use Dreamweaver and BBEdit today. She has been a Web master at NASA’s Goddard Space Flight Center since 1994. An experienced Web developer with a background in designing and maintaining complex, database-driven Web sites, these days Emma spends more of her time telling other people how to do good Web design than actually getting to do much of her own. Jon Lasser lives in Baltimore, Maryland, where he is a consultant specializing in UNIX security, systems administration, and training. He is the lead coordinator for the Bastille Linux Project. He can be reached at [email protected] . Kevin Lyda was fork()ed at 37058400. After spending many years processing stdin in various locations (Brooklyn, New York; Salina, Kansas; Huntington, New York; Buffalo, New York), he began spewing results to stdout, first in Buffalo, then in Boston, Massachusetts, and now in Dublin, Ireland. It is his hope that all his calls to read (STDIN_FILENO,...) will succeed for the lifetime of his process and that the data output is of use. Andrew R. Senft is a co-founder of Easy Software Products, a small software company specializing in printing and Internet technologies. Previously, Andrew worked for the Navy for 10 years as a software engineer. Carolyn Sienkiewicz is an ex-professional musician who has been administering UNIX systems since 1986. She has a master of science degree in computer science from Johns Hopkins University. When not managing systems and sysadmins, she and her husband can be hailed on the Chesapeake Bay, where they sail their sailboat Whiskers, a Catalina 34.[email protected] .[email protected] Retype new password: ok setenv security-mode command ok[email protected] > Modified for RHS Linux by Marc Ewing and Donnie Barnes[email protected] ) (gcc version 2.96 20000731 ➥(Red Hat Linux 7.1 2.96-7 9)) #1 Sun Apr 8 20:41:30 EDT 2001 BIOS-provided physical RAM map: BIOS-e820: 00000000000a0000 @ 0000000000000000 (usable) BIOS-e820: 0000000000010000 @ 00000000000f0000 (reserved) BIOS-e820: 000000000fe07000 @ 0000000000100000 (usable) BIOS-e820: 000000000005a000 @ 000000000ff26000 (reserved) BIOS-e820: 0000000000080000 @ 000000000ff80000 (reserved) BIOS-e820: 0000000000500000 @ 00000000ffb00000 (reserved) BIOS-e820: 000000000001f000 @ 000000000ff07000 (ACPI data) On node 0 totalpages: 65287 zone(0): 4096 pages. zone DMA has max 32 cached pages. zone(1): 61191 pages. zone Normal has max 478 cached pages. zone(2): 0 pages. zone HighMem has max 1 cached pages. Kernel command line: BOOT_IMAGE=linux ro root=304 BOOT_FILE=/boot/vmlinuz-2.4.2 ➥-2 hdc=ide-scsi ide_setup: hdc=ide-scsi Initializing CPU#0 Detected 996.785 MHz processor. Console: colour VGA+ 80x25 Calibrating delay loop... 1985.74 BogoMIPS Memory: 254380k/261148k available (1365k kernel code, 6384k reserved, 92k data, ➥ 236k init, 0k highmem) Dentry-cache hash table entries: 32768 (order: 6, 262144 bytes) Buffer-cache hash table entries: 16384 (order: 4, 65536 bytes) Page-cache hash table entries: 65536 (order: 7, 524288 bytes) Inode-cache hash table entries: 16384 (order: 5, 131072 bytes) VFS: Diskquotas version dquot_6.5.0 initialized CPU: Before vendor init, caps: 0383f9ff 00000000 00000000, vendor = 0 CPU: L1 I cache: 16K, L1 D cache: 16K CPU: L2 cache: 256K Intel machine check architecture supported. Intel machine check reporting enabled on CPU#0. CPU: After vendor init, caps: 0383f9ff 00000000 00000000 00000000[email protected] ) mtrr: detected mtrr type: Intel PCI: PCI BIOS revision 2.10 entry at 0xfc08e, last bus=2 PCI: Using configuration type 1 PCI: Probing PCI hardware Unknown bridge resource 0: assuming transparent Unknown bridge resource 2: assuming transparent PCI: Using IRQ router default [8086/2440] at 00:1f.0 isapnp: Scanning for PnP cards... isapnp: No Plug & Play device found Linux NET4.0 for Linux 2.4 Based upon Swansea University Computer Society NET3.039 Initializing RT netlink socket apm: BIOS version 1.2 Flags 0x03 (Driver version 1.14) Starting kswapd v1.8 pty: 256 Unix98 ptys configured block: queued sectors max/low 168848kB/56282kB, 512 slots per queue RAMDISK driver initialized: 16 RAM disks of 4096K size 1024 blocksize Uniform Multi-Platform E-IDE driver Revision: 6.31 ide: Assuming 33MHz system bus speed for PIO modes; override with idebus=xx PIIX4: IDE controller on PCI bus 00 dev f9 PIIX4: chipset revision 2 PIIX4: not 100% native mode: will probe irqs later ide0: BM-DMA at 0xffa0-0xffa7, BIOS settings: hda:DMA, hdb:pio ide1: BM-DMA at 0xffa8-0xffaf, BIOS settings: hdc:DMA, hdd:pio hda: Maxtor 5T040H4, ATA DISK drive hdc: SONY CD-RW CRX700E, ATAPI CD/DVD-ROM drive ide0 at 0x1f0-0x1f7,0x3f6 on irq 14 ide1 at 0x170-0x177,0x376 on irq 15 hda: 78125000 sectors (40000 MB) w/2048KiB Cache, CHS=4863/255/63, UDMA(100) Partition check: hda: hda1 hda2 hda3 hda4 Floppy drive(s): fd0 is 1.44M FDC 0 is a National Semiconductor PC87306 Serial driver version 5.02 (2000-08-09) with MANY_PORTS MULTIPORT SHARE_IRQ ➥SERIAL_PCI ISAPNP enabled ttyS00 at 0x03f8 (irq = 4) is a 16550A ttyS01 at 0x02f8 (irq = 3) is a 16550A Real Time Clock Driver v1.10d md driver 0.90.0 MAX_MD_DEVS=256, MD_SB_DISKS=27 md.c: sizeof(mdp_super_t) = 4096 /sbus@1f,0/QLGC,isp@0,10000/sd@0,0 3. c1t2d0 <SEAGATE-ST118273W-6244 cyl 7499 alt 2 hd 20 sec 237> /sbus@1f,0/QLGC,isp@0,10000/sd@2,0 Specify disk (enter its number): quit format>, then return. Be aware, though, that these commands are compatible only with local user information storage. The sixth field contains the full path to the user’s home directory. In our example, this is /home/users/valjean. This is the directory that the user automatically logs into on the system, and that contains various environment control and other user files. The base path is site-dependent, although it is common to see the terms users or home somewhere in it. Caution If the home directory specified in this field does not exist on your system or is unavailable at the time of the user’s login, the user should receive an error message similar to the following: No directory! Logging in with home=/:<user-list>. next host to add: linux.my.site.com next host to add: The current list of NIS servers looks like this: linux.my.site.com. next host to add: linux.my.site.com next host to add: The current list of NIS servers looks like this: linux.my.site Is this correct? [y/n: y] We need some minutes to build the databases... Building /var/yp/WiLdRuMPus/ypservers... Running /var/yp/Makefile... gmake[1]: Entering directory ’/var/yp/WiLdRuMPus’ Updating passwd.byname... Updating passwd.byuid... Updating group.byname... Updating group.bygid... Updating hosts.byname... Updating hosts.byaddr... Updating rpc.byname... Updating rpc.bynumber... or a return on a line by itself. next host to add: solaris.my.site.com next host to add: ^D The current list of yp servers looks like this:” and “couldn’t find ” errors occurred because the flat files needed to create the standard NIS maps do not exist on our reference system. As under Red Hat, the directory /var/yp/WiLdRuMPus was created to hold the domain’s maps. Again, to make the server its own client, first run ypserv and then invoke ypbind without any options. Under Solaris, the server names for this example are stored in the file /var/yp/binding/WiLdRuMPus/ypservers. Although Solaris does not have a chkconfig analog, all the necessary services will be started on reboot by checks performed automatically by initialization scripts.: [] [ []] <map>—Displays- —Searches
[email protected] . This can be handled through a mail alias without creating an account at all. A user’s request will often reflect what the user thinks is possible rather than what that user actually needs. Make sure that you understand the difference. . .—Sets—Sets, .—Grants option, they use the value differently. Under Red Hat, this sets the number of days after a password expires until the account is permanently disabled.57 Under Solaris, it represents the maximum number of days allowed between user logins. By default, the version of useradd included with Red Hat creates a new group for every user added to the system and assigns its group name to match the username. If you pass it the -n option, however, this behavior is suppressed. Red Hat also accepts the following extra switches: • mtu 1500 index 2 inet 10.100.70.20 netmask ffffff00 broadcast 10.100.70.255 ether 0:3:ba:8:73:d3<destination> • Selector format: .<severity> Note that multiple selectors are allowed, separated by semicolons. Also note that the angle brackets ( < and > ) are not actually part of the entry; they are just delineators. (not <SPACE>). • Comments begin with a # mark. • Blank lines are ignored. • If any part of a rule is malformed, the whole thing is ignored. • Asterisk wildcard: The only wildcard supported is the asterisk (*). If used as a facility, it indicates all facilities except mark. If used as a severity, it indicates all severity levels. If used as a destination, it indicates that the record should be sent via write to all users currently logged in . • Semicolons: • Semicolons (;) may be used to specify more than one selector per destination. • Multiple selector format: <selector>;<selector>;<selector>;… [email protected] ) { if ($searchstring) { /$searchstring/i || next; }”, where is the appropriate runlevel. If you’re not sure which one that is, either get it from the :initdefault: line in the /etc/inittab file, like this: # grep :initdefault: /etc/inittab[email protected] > # # Modified for Debian Linux by Ian A. Murdock # # Modified for RHS Linux by Marc Ewing <[email protected] > # # <service_name> <sock_type> <proto> <user> <server_path> <args> # # Echo, discard, daytime, and chargen are used primarily for testing. # # To re-read this file after changes, just do a ‘killall -HUP inetd’ # #echo stream tcp nowait root internal #echo dgram udp wait root internal #discard stream tcp nowait root internal #discard dgram udp wait root internal #daytime stream tcp nowait root internal #daytime dgram udp wait root internal #chargen stream tcp nowait root internal #chargen dgram udp wait root internal #time stream tcp nowait root internal #time dgram udp wait root internal # # These are standard services. # ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd # # Shell, login, exec, comsat and talk are BSD protocols.—This—This[email protected] [email protected] ( www.insecure.org/nmap/ ) Interesting ports on (192.168.71.128): (The 1513 ports scanned but not shown below are in state: closed) Port State Service 22/tcp open ssh 5432/tcp open postgres Nmap run completed — 1 IP address (1 host up) scanned in 3 seconds, passing the daemon name as a parameter to tcpd. tcpd checks its access control lists in /etc/hosts.allow and /etc/hosts.deny, does a consistency check on the IP address,29 and, should these check out, starts the daemon. You can learn exactly how to configure this functionality by reading the man pages hosts_access(5) and hosts_options(5): man 5 hosts_access man 5 hosts_options. This sets quotas for the selected filesystem. Next, you should set the limits for each user using edquota. Typically, quotaon is started when your system is booted. The command should be included in an rc file in /etc. Often it is included in the appropriate file by your UNIX vendor but is commented out. A search of files in /etc will find it if it exists. Is Broken” There is no substitute for experience when troubleshooting application problems. That’s the bad news. The good news is that a good set of documentation speeds the process of gaining that experience. As mentioned earlier in this chapter, documentation is a good investment for an admin. If a documentation standard is available, use it. Otherwise, create your own, perhaps using some of the suggestions made earlier. Having a source of information available when troubleshooting problems refreshes your memory or saves you from having to chase down the local guru for the application. It will help you to know where the application lives—what server, what filesystem, what directory? Where are the configuration files? Is a program included with the application for configuration maintenance? Are tools included to help you get status on the application? Putting together this kind of information serves as a good learning exercise for you while you are compiling it, and it will help the others in your group when they need to solve problems. When problems with an application arise, log them; when solved, note what was done to fix the problem. If you have support with the vendor, document all the contact information, phone numbers, contract numbers or support handles, and the like. Log each call instance to the tech support. If you have to hand off the problem to another admin, it will help that admin to pick up where you left off. Obviously, we can’t address specific problems and their solutions in the space in this book. We can tell you that keeping notes and logs in a consistent and diligent manner goes a long way toward filling the gaps in experience when troubleshooting. It also helps to spread the knowledge around a group when you have documentation that can be shared and learned from. xauth merge - [] [<server to execute>] is the name of the display that XDM is controlling (what would be set for $DISPLAY for xdm to find out where it is)[email protected] Tue Apr 10 18:47 12/417 “This is the first tes” N 2 [email protected] . Tue Apr 10 18:57 12/415 “Second test message” N 3 [email protected] Tue Apr 10 19:23 12/413 “Third test message” N 4 [email protected] Tue Apr 10 19:42 12/423 “Fourth and final test” & 1 Message 1: From [email protected] Tue Apr 10 18:47:05 2001 Date: 10 Apr 2001 23:47:05 -0000 From: [email protected] To: [email protected] Subject: This is the first test message Hi, This is a test message & d[email protected] Tue Apr 10 18:57:32 2001 Date: 10 Apr 2001 23:57:32 -0000 From: [email protected] To: [email protected] Subject: Second test message Hi, this is the second test message & q Saved 3 messages in mbox $[email protected] [email protected] . VRFY [email protected] 252 <[email protected] > VRFY jessica 550 jessica... User unknown QUIT 221 shadrach.ispnet1.net closing connection Connection closed by foreign host. [riley@shadrach riley]$”. 214-2.0.0 To report bugs in the implementation send email to 214-2.0.0 [email protected] . 214-2.0.0 For local information send email to Postmaster at your site. 214 2.0.0 End of HELP info HELP RCPT 214-2.0.0 RCPT TO: [ <parameters> ] 214-2.0.0 Specifies the recipient. Can be used any number of times. 214-2.0.0 Parameters are ESMTP extensions. See “HELP DSN” for details. 214 2.0.0 End of HELP info QUIT 221 2.0.0 test.ispnet.net closing connection Connection closed by foreign host. $[email protected] instead of [email protected] ) • Using sophisticated MDA programs (such as procmail) to allow mail filtering to block spam For the mail hub to be capable of processing messages for remote hosts, it must be on a dedicated Internet connection (one that is active 24 hours a day, 7 days a week). If the server is on a dial-up connection, any mail sent to the server while it is disconnected will be lost. When the mail hub is on a dedicated Internet connection, precautions must be taken to ensure that spammers can’t use the mail hub to forward their own email messages sent from other sites. However, because this is the mail gateway for internal users to send mail out to the Internet, it should allow your domain clients access to relay messages. The sendmail access table is used to create a table of addresses that are allowed to[email protected] :0 guitars } :0 hc * !^FROM_DAEMON * !^X-Loop: [email protected] | (formail -r -I”Precedence: junk” \ -A”X-Loop: [email protected] ” ; \ echo “Thanks for your message, but I will be out of the office until 1/4”) \ | $SENDMAIL -t[email protected] . Next, a copy of all the messages is placed in the mail folder named guitar.[email protected] Tue Dec 5 18:01 17/673 “Re: Test message” &1 Message 1: From [email protected] Tue Dec 5 18:01:22 2000 Delivered-To: [email protected] To: [email protected] Subject: Re: Test message References: <[email protected] > In-Reply-To: <[email protected] > X-Loop: [email protected] Precedence: junk Date: Tue, 5 Dec 2000 18:01:22 -0500 (EST) From: [email protected] (Rich Blum) Thanks for your message, but I will be out of the office until 1/4 &[email protected] 250 2.1.0 rich@[158.18.1.153]... Sender ok RCPT TO: [email protected] 250 2.1.5 [email protected] ... Recipient ok DATA 354 Enter mail, end with “.” on a line by itself Subject: test From: [email protected] To: [email protected] This is a test message. . 250 2.0.0 f35EDFB04406 Message accepted for delivery QUIT 221 2.0.0 shadrach.ispnet1.net closing connection Connection closed by foreign host. $”] <pathname> share -F nfs –o rw=.angrysunguy.com –d “Home directories” /export/home share –F nfs –o ro /cdrom share –F nfs –d “Mail files” /var/spool/mail, where can be either the simple hostname or the fully qualified domain name of an NFS server. If you have Solaris hosts on your network, especially hosts that you do not control, you should be cognizant of this feature. Because any Solaris client has a default map to mount all shared filesystems from any server on its network, it’s important that you share your filesystems only with those clients to which you want to allow access. directive is used to apply configuration directives and configuration options to a named directory and its subdirectories. For example, the following block indicates that the FollowSymlinks option and AllowOverride None directive apply specifically to the server root (/) and its subdirectories: [email protected] DocumentRoot “/usr/local/apache/htdocs” Options Indexes FollowSymLinks MultiViews AllowOverride None Order allow,deny Allow from all UserDir public_html DirectoryIndex index.html AccessFileName .htaccess Order allow,deny Deny from all UseCanonicalName On TypesConfig /usr/local/apache/conf/mime.types Alias /icons/ “/usr/local/apache/icons/” Options Indexes MultiViews AllowOverride None Order allow,deny Allow from all ScriptAlias /cgi-bin/ “/usr/local/apache/cgi-bin/” AllowOverride None Options None Order allow,deny Allow from all IndexOptions FancyIndexing AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip AddIconByType (TXT,/icons/text.gif) text/* AddIconByType (IMG,/icons/image2.gif) image/* ... AddEncoding x-compress Z AddEncoding x-gzip gz tgz AddLanguage da .dk AddLanguage nl .nl ... DocumentRoot /www/hers ServerName www.domain.com DocumentRoot /www/his ServerName www.his.domain.com Options Indexes FollowSymLinks MultiViews +Includes AllowOverride None Order allow,deny Allow from all SSI Test Page Output This file last modified:
Options +ExecCGI SetHandler cgi-script block (see the section titled “Module Configuration Directives” for more information about LoadModule and IfModule).. /usr/local/bin/sparc-sun-solaris2.8-c++ /usr/local/bin/sparc-sun-solaris2.8-g++ /usr/local/bin/sparc-sun-solaris2.8-gcc [email protected] Generating public/private dsa key pair. Your identification has been saved in /usr/local/etc/ssh_host_dsa_key. Your public key has been saved in /usr/local/etc/ssh_host_dsa_key.pub. The key fingerprint is: 29:23:50:0e:55:18:31:ee:86:39:88:df:a2:9c:17:73 [email protected] Generating public/private rsa key pair. Your identification has been saved in /usr/local/etc/ssh_host_rsa_key. Your public key has been saved in /usr/local/etc/ssh_host_rsa_key.pub. The key fingerprint is: 21:4d:33:ce:36:ed:a0:c0:3a:b1:37:2a:3c:c7:9c:e0 [email protected] bfs1[4]#=<path> set to “bfs1.membrain.com15224757” WARNING: parameter set to “none” ## Attempting to volumize 26 entries in pkgmap. part 1 -- 310 blocks, 25 entries ## Packaging one part. /usr/src/pkg/gzip/package/GNUzip/pkgmap /usr/src/pkg/gzip/package/GNUzip/pkginfo /usr/src/pkg/gzip/package/GNUzip/root/usr/local/bin/gzexe /usr/src/pkg/gzip/package/GNUzip/root/usr/local/bin/gzip /usr/src/pkg/gzip/package/GNUzip/root/usr/local/bin/zcmp /usr/src/pkg/gzip/package/GNUzip/root/usr/local/bin/zforce /usr/src/pkg/gzip/package/GNUzip/root/usr/local/bin/zgrep /usr/src/pkg/gzip/package/GNUzip/root/usr/local/bin/zmore /usr/src/pkg/gzip/package/GNUzip/root/usr/local/bin/znew /usr/src/pkg/gzip/package/GNUzip/root/usr/local/info/gzip.info /usr/src/pkg/gzip/package/GNUzip/root/usr/local/man/man1/gzexe.1 /usr/src/pkg/gzip/package/GNUzip/root/usr/local/man/man1/gzip.1 /usr/src/pkg/gzip/package/GNUzip/root/usr/local/man/man1/zcmp.1 /usr/src/pkg/gzip/package/GNUzip/root/usr/local/man/man1/zforce.1 /usr/src/pkg/gzip/package/GNUzip/root/usr/local/man/man1/zgrep.1 /usr/src/pkg/gzip/package/GNUzip/root/usr/local/man/man1/zmore.1 /usr/src/pkg/gzip/package/GNUzip/root/usr/local/man/man1/znew.1 ## Validating control scripts. ## Packaging complete. changes the first instance of BEFORE to AFTER in each line of ➥ , and reports on the differences. Examples: chstr TX Texas */addresses.* chstr ii counter2 *.c” exit 0 } case $1 in -h|-help) esac[email protected] ) { if (/(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)%\s+(\S+).*/) { $fs = $1; $space = $2; $used = $3; $avail = $4; $capacity = $5; $mntpt = $6; if (($mntpt eq $ROOT)&&($capacity>$ROOT_THRESHHOLD)) { $status = join (“”,$status, join (“ “,$mntpt,”is at”,($capacity.”%”), “capacity”,”\n”)); } if (($mntpt eq $USR)&&($capacity>$USR_THRESHHOLD)) { $status = join (“”,$status, join (“ “,$mntpt,”is at”,($capacity.”%”), “capacity”,”\n”)); } if (($mntpt eq $PACKETS)&&($capacity>$PACKETS_ ➥THRESHHOLD)){ $status = join (“”,$status, join (“ “,$mntpt,”is at”,($capacity.”%”), “capacity”,”\n”)); } } } } close DF; if ($status) { $mail_status = $status; open (MAIL, “|$MAIL -s \”$SUBJECT_STRING\” $NOTIFY_MAIL_LIST”); print MAIL $mail_status; close (MAIL); }[email protected] ) on ) = ( copy editfiles processes required tidy )Hello, World! Goodbye, World! Hello, World! Goodbye, World! Hello, World! \n”; for ($i=0;$i<10;++$i) { echo “Number = $i \n”; } echo “\n”; ?> Goodbye, World! TEXT being easily handled in CGI.pm as simply a call to h1(TEXT);. Different parameters determine what is imported into your code. The most common (and useful) is use CGI qw(:standard), which provides support for HTML 2.0, forms, and CGI input using POST and GET. CGI.pm is well documented and, with its strong abstraction of HTML functionality, speeds Web development. syntax. This leads into the risk of ASP; besides its inherent security holes, the capability to control aspects of a reader’s machine can lead to risky Web behavior. Much as with Java, having access to some privileges on a reader’s system brings benefits (to the Web programmer) but also risks (in terms of potential security issues). Again, you cannot always guarantee that your readers are using an appropriate browser or have configured the browser with the permissions that you expect. Therefore, reliance on browser-specific functionality always should be optional. require reader service 