LPI Certification

November 16, 2016 | Author: Waqas Tariq Dar | Category: N/A

LPI Linux Certification/Print Version

The current, editable version of this book is available on Wikibooks, a collection of open-content textbooks, at http://en.wikibooks.org/wiki/LPI_Linux_Certification

LPI Linux Certification

This book covers the Linux Professional Institute™ family of certifications. There are three levels of LPI™ certification:
• Level 1: Junior Level Linux Professional.
• Level 2: Advanced Level Linux Professional.
• Level 3: Senior Level Linux Professional.
To obtain a certification, a candidate is required to pass exams and, for Level 2 and Level 3, to hold the lower-level certification from the LPI™. All LPIC candidates are encouraged to browse the documentation at the LPI™ website. The resources there will familiarize the candidate with many things that are outside the scope of this book (e.g. exam cost, testing centres, other training resources). You are also encouraged to register with the LPI™ so that you can access the candidate area. The Detailed Objectives listed within each of the modules in this book have been reproduced from the LPI™ website with kind permission. We are, however, required to make it clear that the Linux Professional Institute™ does not endorse the work contained within this book in any way whatsoever.

Audience

This book is written specifically for the LPIC candidate. It is based, as indeed is the exam, around a community-driven documentation project known as "The Linux Documentation Project". Each module in the book, however, is organized around a particular subject. It is therefore feasible for the casual reader to pick one particular module and study the material with a view to gaining a better understanding. However, many of the modules, and in particular the Advanced modules, will assume a certain skill level. It is also feasible for a new Linux user to come here with a view to learning Linux. Although such readers are very welcome, they may be better served by studying the following material: Linux Guide. The modules on the LPI Linux certification are heavily slanted towards up-and-coming sysadmins.

About this book

This book is organized so that each and every module can be accessed via the front page; this will be useful for readers who just wish to study or quickly gain information about one aspect of the exam syllabus. For exam candidates we have created an exam page, which also has a table of contents that covers only the modules required for you to study for the various levels of the LPI™. It is the hope of the contributors that the exam candidates will use the exam pages and their accompanying discussion pages to leave advice, tips, gotchas etc. for other exam candidates. The module pages will contain detailed objectives followed by an overview, which in turn will be followed by section headings covering the module's syllabus. At the beginning of each section will be a list of prerequisite reading (hopefully all nicely formatted). It is advisable to read them, although the linked articles may not be required knowledge to pass the exam. However, they should relate to the individual sections they are contained within.

Lastly, we are obviously looking for authors. We encourage all positive edits, even if it is just to correct a simple spelling mistake or fix a link; in short, "Every addition is very welcome."

Table of Contents

Junior Level Linux Professional - Exam Page

Hardware & Architecture
• Configure Fundamental BIOS Settings
• Configure Modem & Sound Cards
• Setup Non IDE Devices
• Setup Different PC Expansion Cards
• Configure Communication Devices
• Configure USB Devices

Linux Installation & Package Management
• Design Hard Disk Layout
• Install A Boot Manager
• Make & Install Programs From Source
• Manage Shared Libraries
• Use Debian Package Management
• Use RPM and YUM package management

GNU & UNIX Commands
• Work On The Command Line
• Process Text Streams Using Filters
• Perform Basic File Management
• Use Streams, Pipes & Redirects
• Create, Monitor & Kill Processes
• Modify Process Execution Priorities
• Search Text Files Using Regular Expressions
• Perform Basic File Editing Operations Using Vi

Devices, Linux Filesystems, Filesystem Hierarchy Standard
• Create Partitions & Filesystems
• Maintaining The Integrity Of Filesystems
• Control Mounting & Unmounting Filesystems
• Managing Disk Quota
• Use File Permissions To Control Access To Files
• Manage File Ownership
• Create & Change Hard & Symbolic Links
• Find System Files & Place Files In The Correct Location

The X Window System
• Install & Configure X11
• Setup A Display Manager
• Install & Customise A Window Manager Environment

Kernel
• Kernel Runtime Management & Query
• Reconfigure, Build & Install A Custom Kernel & Kernel Modules

Boot, Initialisation, Shutdown & Runlevels
• Boot the System
• Change Runlevels And Shutdown Or Reboot System

Printing
• Manage Printers & Print Queues
• Print Files
• Install & Configure Local & Remote Printers

Documentation
• Use & Manage Local System Documentation
• Find Linux Documentation On The Internet
• Notify Users On System-Related Issues

Shells, Scripting, Programming & Compiling
• Customise & Use The Shell Environment
• Customise Or Write Simple Shell Scripts

Administrative Tasks
• Manage Users & Group Accounts & Related System Files
• Tune The User Environment & System Environment Variables
• Configure & Use System Log Files To Meet Administrative & Security Needs
• Automate System Administrative Tasks By Scheduling Jobs To Run In The Future
• Maintain An Effective Data Backup Strategy
• Maintain System Time

Networking Fundamentals
• Fundamentals Of TCP/IP
• TCP/IP Configuration & Troubleshooting
• Configure Linux As A PPP Client

Networking Services
• Configure & Manage xinetd, inetd & Related Services
• Operate & Perform Basic Configuration Of Mail Transfer Agent (MTA)
• Properly Manage The NFS & SAMBA Daemons
• Setup & Configure Basic DNS Services
• Setup Secure Shell (OpenSSH)

Security
• Perform Security Administration Tasks
• Setup Host Security
• Setup User Level Security


Advanced Level Linux Professional

Linux Kernel (201)
• Kernel Components (201.1)
• Compiling A Kernel (201.2)
• Patching A Kernel (201.3)
• Customise, build and install a custom kernel and kernel modules (201.4)
• Manage/Query kernel and kernel modules at runtime (201.5)

System Startup (202)
• Customising System Startup & Boot Processes (202.1)
• System Recovery (202.2)

Filesystems And Devices (203)
• Operating The Linux File System (203.1)
• Maintaining A Linux File System (203.2)
• Creating & Configuring File System Options (203.3)
• udev Device Management (203.4)

Advanced Storage Device Administration (204)
• Configuring RAID (204.1)
• Adjusting Storage Device Access (204.2)
• Logical Volume Manager (204.3)
• Adding New Hardware
• Software & Kernel Configuration
• Configuring PCMCIA Devices

Networking Configuration (205)
• Basic Networking Configuration (205.1)
• Advanced Network Configuration & Troubleshooting (205.2)
• Troubleshooting Network Issues (205.3)
• Notify Users On System-Related Issues (205.4)

System Maintenance (206)
• Make And Install Programs From Source (206.1)
• Backup Operations (206.2)
• System Logging
• Packaging Software

DNS (207)
• Basic DNS Server Configuration (207.1)
• Create & Maintain DNS Zones (207.2)
• Securing A DNS Server (207.3)

Web Services (208)
• Implementing A Web Server (208.1)
• Maintaining A Web Server (208.2)
• Implementing A Proxy Server (208.3)

File Sharing (209)
• Samba Server Configuration (209.1)
• NFS Server Configuration (209.2)

Network Client Management (210)
• DHCP Configuration (210.1)
• PAM Authentication (210.2)
• LDAP Client Usage (210.3)
• NIS Configuration

E-Mail Services (211)
• Using E-Mail Servers (211.1)
• Managing Local E-Mail Delivery (211.2)
• Managing Remote E-Mail Delivery (211.3)
• Configuring Mailing Lists
• Managing Mail Traffic
• Serving News

System Security (212)
• Configuring A Router (212.1)
• Securing FTP Servers (212.2)
• Secure Shell (SSH) (212.3)
• TCP Wrapper (212.4)
• Security Tasks (212.5)

Troubleshooting (213)
• Identifying Boot Stages And Troubleshooting Bootloaders (213.1)
• General Troubleshooting (213.2)
• Troubleshooting System Resources (213.3)
• Troubleshooting Environment Configurations (213.4)
• Creating Recovery Disks
• Identifying Boot Stages
• Troubleshooting Bootloaders

External links
• LPI Website [1]
• The Linux Documentation Project [2]
• LPI Linux certification information and study resources [3]
• LPI Study Guides from IBM - Highly regarded by the Linux Community [4]
• The Linux Tutorial [5]

Junior Level Linux Professional

Welcome! If you are here, then you are considering or have decided to take the Junior Level Linux Professional exam. This page and its accompanying discussion page are specifically for you, and will explain your overall objectives for each exam (there are two exams you must complete before being certified). It is a good idea to come back here and perform a sanity check on your understanding against the overall objectives presented here. All that remains is for the authors and contributors of this book to wish you good luck. Please note: DO NOT contribute actual exam questions you may have been presented with in the past ANYWHERE in this book.


LPI 101 Exam Objectives Each objective is assigned a weighting value. The weights range roughly from 1 to 10 and indicate the relative importance of each objective. Objectives with higher weights will be covered in the exam with more questions.

LPI 101 Exam Table of Contents

Topic 101: System Architecture
• 101.1 Determine And Configure Hardware Settings
• 101.2 Boot the System
• 101.3 Change Runlevels And Shutdown Or Reboot System

Topic 102: Linux Installation and Package Management
• 102.1 Design Hard Disk Layout
• 102.2 Install A Boot Manager
• 102.3 Manage Shared Libraries
• 102.4 Use Debian Package Management
• 102.5 Use RPM and YUM package management

Topic 103: GNU and Unix Commands
• 103.1 Work On The Command Line
• 103.2 Process Text Streams Using Filters
• 103.3 Perform Basic File Management
• 103.4 Use Streams, Pipes And Redirects
• 103.5 Create, Monitor And Kill Processes
• 103.6 Modify Process Execution Priorities
• 103.7 Search Text Files Using Regular Expressions
• 103.8 Perform Basic File Editing Operations Using Vi

Topic 104: Devices, Linux Filesystems, Filesystem Hierarchy Standard
• 104.1 Create Partitions And Filesystems
• 104.2 Maintaining The Integrity Of Filesystems
• 104.3 Control Mounting And Unmounting Of Filesystems
• 104.4 Managing Disk Quota
• 104.5 Manage File Permissions And Ownership
• 104.6 Create And Change Hard And Symbolic Links
• 104.7 Find System Files And Place Files In The Correct Location


LPI 102 Exam Objectives Each objective is assigned a weighting value. The weights range roughly from 1 to 10 and indicate the relative importance of each objective. Objectives with higher weights will be covered in the exam with more questions.

LPI 102 Table of Contents

Topic 105: Shells, Scripting and Data Management
• 105.1 Customize And Use The Shell Environment
• 105.2 Customize Or Write Simple Scripts
• 105.3 SQL Data Management

Topic 106: User Interfaces and Desktops
• 106.1 Install And Configure X11
• 106.2 Setup A Display Manager
• 106.3 Accessibility

Topic 107: Administrative Tasks
• 107.1 Manage User And Group Accounts And Related System Files
• 107.2 Automate System Administration Tasks By Scheduling Jobs
• 107.3 Localisation And Internationalisation

Topic 108: Essential System Services
• 108.1 Maintain System Time
• 108.2 System Logging
• 108.3 Mail Transfer Agent (MTA) Basics
• 108.4 Manage Printers And Printing

Topic 109: Networking Fundamentals
• 109.1 Fundamentals Of Internet Protocols
• 109.2 Basic Network Configuration
• 109.3 Basic Network Troubleshooting
• 109.4 Configure Client Side DNS

Topic 110: Security
• 110.1 Perform Security Administration Tasks
• 110.2 Setup Host Security
• 110.3 Securing Data With Encryption

The sections below refer to the old exam version and are being made obsolete. See the page discussion for more details.

LPI 101 Exam Objectives

• Hardware & Architecture
Candidates should have a clear understanding of the concept of a BIOS [6] and what role it performs, from the initial computer power-on to the services it provides to the Linux kernel. Furthermore, candidates should be able to identify all the options presented to them in a standard BIOS interface and be able to gather basic information about the system from the BIOS (menu navigation). Candidates should also be able to navigate a BIOS and make changes that will enable or disable peripherals, and compare the information provided by the BIOS with the information provided by the kernel. Candidates should also be able to determine compatible modems, configure those modems for outbound dial-up and set specific port speeds from the command line. Candidates should have an understanding of the term SCSI [7] (Small Computer System Interface) and how SCSI devices work (this includes the terms termination and SCSI ID). Candidates should also have an understanding of the terms Coldplug [8] and Hotplug [9] and be able to determine, via BIOS and kernel methods, the resources used by any given attached device. Candidates should be able to identify a Sound Card [10], determine whether the kernel recognizes it, and determine whether the device has an issue or conflict pertaining to IRQ [11], DMA [12] or I/O [13]. Candidates should also be able to understand USB [14] devices and demonstrate a knowledge of the USB layer architecture.

• Linux Installation & Package Management
Candidates should be able to design a disk [15] layout that takes into account the system's requirements and its purpose. Candidates should also be able to set up various boot locations such as a floppy [16] or CD-ROM [17], install a bootloader and interact with that bootloader. Further, the candidate should be able to install, remove and query programs with both the RPM [18] and DPKG [19] commands. On both RPM- and DPKG-based distributions, candidates should be able to obtain package versions, installed package content and installation status, and find any files or libraries that may or may not be installed on the system. Candidates should also be able to install programs from source via the make [20] program, which generally includes the use of the tar [21] archiver and the gzip [22] and bzip2 [23] compression utilities. Finally, candidates should be able to identify shared libraries, load them and identify where shared libraries should be located.

• GNU & Unix Commands
Candidates should be able to understand the shell [24] environment and how to change its behaviour by modifying the .profile file located in the home directory. Candidates should also be able to send text files and output streams through utility filters to modify the output. Candidates will be expected to know how to move, copy, delete, find and create files and directories, and to use recursion to delete and create both files and directories. Candidates should understand the use of redirects [25] and pipes [26], and how to send output to stdout [27] (standard output) and to a file. Candidates should be able to list, create and kill processes, and understand the "&" operator and what it does. The candidate should also be able to monitor processes in real time and modify the priority of any given process. Candidates should be able to create simple regular expressions and use regular expression tools to search through filesystems or file content. Lastly, candidates should know the basic commands for vi [28].

• Devices, Linux Filesystems, Filesystem Hierarchy Standard
Candidates should be able to set up partitions and create filesystems, namely ext2 [29], ext3 [30], reiserfs [31], vfat [32] and xfs [33]. Candidates will know the tools that help maintain those filesystems and keep them in good working order, and use those tools to perform simple filesystem repairs. Candidates will be able to mount and unmount filesystems manually and configure the system to mount them automatically during the boot process. Candidates will be able to implement a disk quota solution for their users. The candidate will understand file permissions and which tools to use to modify those permissions, as well as the concept of file ownership and how to modify file ownership attributes. The candidate will be introduced to both hard [34] and symbolic [35] linking, why it is used, and the usage of the ln command. Finally, the candidate will understand the FHS [36] standard and be able to determine where files should be located in FHS-based distributions.

• The X Window System

Candidates should be able to install and configure an X Server [37], install fonts and configure an X font server, and determine whether the hardware is suitable for an X server. Candidates will be introduced to the display managers gdm [38], kdm [39] and xdm [40], and will be able to configure any of these three display managers. Candidates will then be introduced to the Window Manager Environment and the GUI [41]. Lastly, the candidate will be introduced to the usage of the DISPLAY environment variable, as well as the various files used for customization.

LPI 101 Table of Contents

Hardware & Architecture
• Configure Fundamental BIOS Settings
• Configure Modem & Sound Cards
• Setup Non IDE Devices
• Setup Different PC Expansion Cards
• Configure Communication Devices
• Configure USB Devices

Linux Installation & Package Management
• Design Hard Disk Layout
• Install A Boot Manager
• Make & Install Programs From Source
• Manage Shared Libraries
• Use Debian Package Management
• Use RPM and YUM package management

GNU & Unix Commands
• Work On The Command Line
• Process Text Streams Using Filters
• Perform Basic File Management
• Use Streams, Pipes & Redirects
• Create, Monitor & Kill Processes
• Modify Process Execution Priorities
• Search Text Files Using Regular Expressions
• Perform Basic File Editing Operations Using Vi

Devices, Linux Filesystems, Filesystem Hierarchy Standard
• Create Partitions & Filesystems
• Maintaining The Integrity Of Filesystems
• Control Mounting & Unmounting Filesystems
• Managing Disk Quota
• Use File Permissions To Control Access To Files
• Manage File Ownership
• Create & Change Hard & Symbolic Links
• Find System Files & Place Files In The Correct Location

The X Window System
• Install & Configure X11
• Setup A Display Manager
• Install & Customise A Window Manager Environment

LPI 102 Exam Objectives

The LPI 102 exam tests basic capabilities in the following areas:

• Kernel
Candidates should be able to build, install, configure, manage and query a Linux kernel [42]. This includes using the command line to get information about the running kernel as well as any kernel modules. The candidate should also understand how to manually load and unload modules, and when those commands are safe to perform. The candidate should be able to determine what parameters can be passed to any given module and how to load a module under a name other than the file name that represents it. The candidate should understand, at a basic level, the difference between monolithic and modular kernels with regard to kernel module management.

• Boot, Initialization, Shutdown & Runlevels
Candidates should be able to boot the system level by level. This starts with passing commands to the bootloader that define the kernel location and pass parameters to the kernel in order to solve problems with the boot process. The candidate will know how to locate and gather information from log files pertaining to the boot process. The candidate will understand the runlevel [43] process and be able to set the default runlevel, as well as shut down and restart the system from the command prompt; this includes being able to terminate individual processes. The candidate will understand how to alert connected users that a major event is about to occur.

• Printing
Candidates should be able to install and configure printers, print files, and manage both local and remote printers.

• Documentation
Candidates should be able to find and use man pages and internet documentation.

• Shells, Scripting, Programming & Compiling
Candidates should be able to customize the shell environment, and write and administer simple shell scripts.

• Administrative Tasks
Candidates should be able to administer users, groups and basic security, implement backups, and use cron [44].

• Networking Fundamentals
Candidates should be able to understand, configure and troubleshoot the TCP/IP stack, as well as configure a PPP [45] client.

• Networking Services
Candidates should be able to manage NFS [46] and Samba [47] daemons, administer MTAs [48] and the Apache web server, and configure DNS [49] and SSH [50].

• Security
Candidates should be able to implement user-level security and basic host security, and perform basic security administration tasks.


LPI 102 Table of Contents

Kernel
• Kernel Runtime Management & Query
• Reconfigure, Build & Install A Custom Kernel & Kernel Modules

Boot, Initialization, Shutdown & Runlevels
• Boot The System
• Change Runlevels & Shutdown Or Reboot System

Printing
• Manage Printers & Print Queues
• Print Files
• Install & Configure Local & Remote Printers

Documentation
• Use & Manage Local System Documentation
• Find Linux Documentation On The Internet
• Notify Users On System-Related Issues

Shells, Scripting, Programming, & Compiling
• Customise & Use The Shell Environment
• Customise Or Write Simple Shell Scripts

Administrative Tasks
• Manage Users & Group Accounts & Related System Files
• Tune The User Environment & System Environment Variables
• Configure & Use System Log Files To Meet Administrative & Security Needs
• Automate System Administrative Tasks By Scheduling Jobs To Run In The Future
• Maintain An Effective Data Backup Strategy
• Maintain System Time

Networking Fundamentals
• Fundamentals Of TCP/IP
• TCP/IP Configuration & Troubleshooting
• Configure Linux As A PPP Client

Networking Services
• Configure & Manage xinetd, inetd & Related Services
• Operate & Perform Basic Configuration Of Mail Transfer Agent (MTA)
• Operate & Perform Basic Configuration Of Apache
• Properly Manage The NFS & SAMBA Daemons
• Setup & Configure Basic DNS Services
• Setup Secure Shell (OpenSSH)


Security
• Perform Security Administration Tasks
• Setup Host Security
• Setup User Level Security

External links
• A good guide to LPI 101 - PDF [51]
• A good guide to LPI 102 - PDF [52]
• The Linux Tutorial [5]

Hardware & Architecture

Configure Fundamental BIOS Settings

Detailed Objective
Weight: 1

Description
Candidates should be able to configure fundamental system hardware by making the correct settings in the system BIOS [6] on x86 [53] based hardware.

Key knowledge area(s):
• Enable and disable integrated peripherals.
• Configure systems with or without external peripherals such as keyboards.
• Correctly set IRQ [11], DMA [12] and I/O [54] addresses for all BIOS-administrated ports, and settings for error handling.

The following is a partial list of the used files, terms and utilities:
• /proc/ioports
• /proc/interrupts
• /proc/dma
• /proc/pci
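The objective asks you to compare what the BIOS says a device is using with what the kernel has actually registered. The following script is an added example and is not part of the original book: it reads /proc/interrupts-format text and reports any IRQ line with more than one handler (the "conflict" case), and looks up which driver has claimed a given I/O port in /proc/ioports-format text, honouring the nesting that a PCI bus window introduces. The two snapshots it contains are constructed for the example; on a live system you would pipe the real files in instead.

```shell
#!/bin/sh
# Added example, not from the original book: cross-check the resources the
# BIOS reports for a device against what the kernel has actually registered.
# Both snapshots below are constructed for this example (a single-CPU box
# using the older XT-PIC layout of /proc/interrupts); on a live system pipe
# the real files in instead, e.g.  shared_irqs < /proc/interrupts

SAMPLE_INTERRUPTS='           CPU0
  0:    1234567    XT-PIC  timer
  1:       1234    XT-PIC  i8042
  4:        120    XT-PIC  serial
  5:         88    XT-PIC  snd_es1968, parport0
  7:          0    XT-PIC  parport1
 12:        456    XT-PIC  i8042
 14:      78901    XT-PIC  ide0
 15:         12    XT-PIC  ide1'

SAMPLE_IOPORTS='0000-001f : dma1
0020-0021 : pic1
0170-0177 : ide1
01f0-01f7 : ide0
02f8-02ff : serial
0378-037a : parport0
03f8-03ff : serial
d000-dfff : PCI Bus #01
  d800-d8ff : 0000:01:00.0
    d800-d8ff : e1000'

# Print every IRQ line that lists more than one handler. The handler names are
# the last column, separated from the count/chip columns by two or more
# spaces and from each other by commas; that holds for both the XT-PIC and the
# IO-APIC layouts of /proc/interrupts.
shared_irqs() {
    awk '$1 ~ /^[0-9]+:$/ {
        n = split($0, cols, /  +/)
        handlers = cols[n]
        if (index(handlers, ",") > 0) {
            sub(/:$/, "", $1)
            printf "IRQ %s shared by: %s\n", $1, handlers
        }
    }'
}

# Given a port address in hex (e.g. 0378 for LPT1), print the most specific
# entry in /proc/ioports-format input whose range contains it. Entries nest by
# indentation (a PCI bus window contains the device, which contains the
# driver), so the deepest-indented match wins; "unclaimed" means no driver has
# registered the port the BIOS says the device is using.
ioport_owner() {
    awk -v port="$1" '
        function hex(s,   i, v) {          # POSIX awk has no strtonum()
            v = 0
            s = tolower(s)
            for (i = 1; i <= length(s); i++)
                v = v * 16 + index("0123456789abcdef", substr(s, i, 1)) - 1
            return v
        }
        BEGIN { p = hex(port); depth = -1; owner = "unclaimed" }
        {
            match($0, /^ */)
            d = RLENGTH
            split(substr($0, d + 1), f, " : ")
            split(f[1], r, "-")
            if (hex(r[1]) <= p && p <= hex(r[2]) && d > depth) {
                depth = d
                owner = f[2]
            }
        }
        END { print owner }'
}

printf '%s\n' "$SAMPLE_INTERRUPTS" | shared_irqs
for port in 0378 03f8 d850 0300; do
    printf 'port 0x%s -> %s\n' "$port" "$(printf '%s\n' "$SAMPLE_IOPORTS" | ioport_owner "$port")"
done
```

A shared IRQ is not itself a fault on PCI hardware, but on an ISA-era card it is exactly the conflict the objective has in mind, and an "unclaimed" port for a device the BIOS has enabled usually means the driver never loaded or was told a different address.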

BIOS

BIOS Tips & Tricks
• Familiarize yourself with BIOS settings in equipment that you support.
• Know your beeps: you may not have access to the internet when things go wrong.
• Change control: always make sure you can reverse any change you make in a BIOS.
• BIOS updates: keep informed. Don't roll them out as soon as they hit the mirrors. Wait a couple of months, then check manufacturer forums for problems with the update. Once you are happy, update one system, monitor it and then roll out to the rest of your systems. Document the change; BIOS updates are normally a nightmare to reverse.
• Be aware of the F1 key to continue, particularly when rebooting remote servers. [55]
• Lights Out Management: if it is available, utilize it.
• Think long and hard about implementing BIOS security. Can the same level of security be implemented elsewhere? Normally it can.
• Understand the limitations of BIOS date and time. Can system date and time be better maintained by other means?

Introduction

The BIOS (Basic Input / Output System) can be thought of as a suite of small programs that operate between the operating system and the hardware on any given computer. It provides a number of services that enable the computer to boot any given operating system. The BIOS can also provide or present other services to the operating system, depending on the operating system and/or the type of hardware installed. It is also wise to note that a modern-day computer may have multiple BIOS chips interfacing the various hardware components that combine to build the whole computer. These include Disk Array Controllers [56], Graphics Cards [57], Sound Cards [58], and possibly a few others. Firstly, let's look at the services the BIOS provides regardless of which operating system is installed: the POST [59] (Power On Self Test), Hardware Management, Security, and Date & Time. Intel and other manufacturers have developed another standard called EFI [60] (Extensible Firmware Interface, since standardized as UEFI), which performs a similar function to the BIOS but does the job in a different manner. EFI is far more flexible and powerful than the BIOS; at the time this was written it had not enjoyed as much commercial success. Exploration of EFI is beyond the scope of this document for now.


POST - Power On Self Test
• The POST process involves a small diagnostic program that checks system hardware such as RAM or motherboard components. If a particular piece of hardware is present, a basic test is performed to check for faults. More advanced tests, such as a long memory test, may be performed, but normally these features need to be manually enabled in the BIOS.
• If the POST process finds errors it will usually sound beeps on the motherboard speaker and/or show some visual message via LEDs on the motherboard and/or messages on the screen. This is known as an "Irregular POST Condition".
• The number (and in some cases the pattern) of the beeps, lights or messages will aid you in diagnosing the problem; however, different motherboard models (even boards from the same manufacturer) have different implementations of these signals, so it is always wise to have a printed reference manual for each model you support, or internet access on another machine for a quick look-up.

Hardware Management
• During the POST process, the BIOS allows you great flexibility to customize certain aspects of the system via settings stored in CMOS [61] (Complementary Metal Oxide Semiconductor) memory. CMOS memory is volatile memory [62], but your motherboard has a backup battery to preserve any customized system configuration you have made. This battery will eventually die. If you find that your computer is not retaining BIOS settings from one power cycle to another, the usual reason is that you need to replace this battery.
• Useful BIOS settings often edited by users and system administrators include:
  • Boot device priority
  • Enable / disable motherboard features like integrated video, LAN or sound
  • Setting preferred memory addresses or IRQ vectors for PCI (or older) cards
• On older motherboards these configurations were done by positioning certain jumpers [63] or DIP switches [64] according to the hardware manufacturer's specifications. Modern CMOS menus have replaced nearly all of these devices, with the exception of setting a SCSI ID or resetting a BIOS password. There are still some "old school" motherboards in operation, so always keep the possibility of jumpers in mind.

Security
• Most BIOSs allow the user to set a password, which the computer then requires before completing the boot process. Often this BIOS password adds inconvenience without any real security: information on how to get around these passwords is freely available on the internet, and anyone with physical access to the case can normally clear it with the clear-CMOS jumper or by removing the backup battery (which also discards every other customization). If the user forgets this password, the computer will not proceed to load an operating system. It's not hard to see why BIOS passwords are rarely invoked at the business level. If you do use one, pair it with a restricted boot device order so that the machine cannot be booted from removable media, and remember that it does nothing for the data on a disk that can simply be moved to another machine.
• Many modern computers have the ability to detect configuration changes such as memory size changes and even whether the case has been removed. The BIOS will often report these changes and prompt the user to press a key (usually the F1 key) to continue if the change is acceptable. Users may be required to hit another key to enter the BIOS configuration screens to change parameters, depending on the particular BIOS manufacturer.


Date and Time
• Setting the time and date are options within any modern BIOS. This is a "real-time" clock that runs constantly, powered by the same battery that preserves the CMOS settings. It's not very accurate, even compared to a wrist-watch, but it's better to have this poor clock than to require users to enter the time manually at every reboot. (That's how it was done in the early days of computers.)
• Linux (like other operating systems) maintains its own clock in software by counting interrupts generated by an oscillator circuit in the computer. This clock only functions while the operating system is running.
• The BIOS provides the date and time to the operating system upon booting. After the operating system has gathered this information, the BIOS clock and the operating system clock continue to run independently. This means that the BIOS clock will soon differ from the operating system clock, even if only by milliseconds.
• Linux has a command called hwclock which can be used to synchronize the two clocks in either direction: hwclock --hctosys sets the system clock from the hardware clock, and hwclock --systohc sets the hardware clock from the system clock. Once synchronized, they will drift apart again, because the hardware clock and the software clock are driven by different oscillators.
• Further on in the course, you will start to look at ntp [65] and how important it is to maintain a consistent "network time". Knowing that the BIOS and operating system maintain separate clocks will aid you in setting out a solution.
• The BIOS does not handle time zone or daylight saving time adjustments. These are handled by the operating system. For this reason, some administrators choose to set their BIOS clocks to UTC [66] rather than local time and tell the system so (hwclock --utc); a clock that one operating system interprets as local time and another as UTC, as can happen on a dual-boot machine, will appear to jump by the time-zone offset after each boot.
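hwclock keeps its own bookkeeping about the BIOS clock in /etc/adjtime: whether the RTC is interpreted as UTC or local time, and the systematic drift it has measured. The script below is an added example, not part of the original book, that reads that file and projects how far the RTC has wandered since it was last set; the file layout is the three-line format documented in hwclock(8), and the sample contents and the "current time" are constructed for the example rather than taken from a real machine. This is the check to run before trusting an RTC reading, for instance when correlating log timestamps from a box that has been powered off or off the network.

```shell
#!/bin/sh
# Added example, not from the original book: what hwclock(8) records about
# the BIOS clock in /etc/adjtime, and what that tells you before you trust
# the RTC. The file format is the three-line layout documented in hwclock(8);
# the contents below are constructed for this example, not from a real machine.
#
#   line 1: drift in seconds/day, epoch time of last adjustment, 0 (legacy)
#   line 2: epoch time of last calibration
#   line 3: UTC or LOCAL, i.e. how the RTC contents are to be interpreted
SAMPLE_ADJTIME='2.500000 1700000000 0
1700000000
UTC'

# Is the RTC kept in UTC or local time?  (hwclock --utc / --localtime sets
# this; getting it wrong shows up as a time-zone-sized jump after every boot.)
rtc_mode() { sed -n '3p'; }

# Systematic drift hwclock has measured, in seconds per day (+ = RTC gains).
drift_per_day() { awk 'NR == 1 { print $1 }'; }

# Epoch time of the last time the RTC was set or adjusted.
last_adjusted() { awk 'NR == 1 { print $2 }'; }

# How far the RTC is expected to be off now, given the recorded drift and the
# time since the last adjustment ($1 = current epoch time), rounded to whole
# seconds. This is the correction hwclock --adjust would apply.
expected_drift() {
    adj=$(cat)                      # read the adjtime content from stdin once
    rate=$(printf '%s\n' "$adj" | drift_per_day)
    last=$(printf '%s\n' "$adj" | last_adjusted)
    awk -v r="$rate" -v l="$last" -v now="$1" \
        'BEGIN { d = r * (now - l) / 86400; printf "%d\n", (d < 0 ? d - 0.5 : d + 0.5) }'
}

NOW=1702592000   # 30 days after the sample's last adjustment (constructed)
printf 'RTC kept in:        %s\n' "$(printf '%s\n' "$SAMPLE_ADJTIME" | rtc_mode)"
printf 'Measured drift:     %s s/day\n' "$(printf '%s\n' "$SAMPLE_ADJTIME" | drift_per_day)"
printf 'Expected error now: %s s\n' "$(printf '%s\n' "$SAMPLE_ADJTIME" | expected_drift "$NOW")"
```

On a live system replace the sample with `expected_drift "$(date +%s)" < /etc/adjtime`; a drift figure of several seconds a day is normal for a cheap RTC, which is why the NTP material later in the course matters more than the BIOS clock itself.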

Disk Drives

Most computers use Hard Disk Drives [15] to hold an operating system and users' data. Some newer computers use Solid State Disk Drives [67] instead. Though the physical devices vary greatly, there is little difference from the standpoint of configuring Linux or other operating systems.

Attachment Interfaces

Firstly, let's address the confusion that often arises from disk drive terminology such as IDE/ATA [68] (Integrated Drive Electronics / Advanced Technology Attachment), SATA [69] (Serial Advanced Technology Attachment) and indeed PATA [70] (Parallel Advanced Technology Attachment), all of which use the ATA (Advanced Technology Attachment) standard to communicate with the device. The first part of the acronym can be thought of, simplistically, as a revision: IDE, Fast IDE, EIDE and so on each made changes to the physical cables or ribbons that connect the disk drives to the computer in order to enable certain features, such as addressing more disk space or speeding up communication with the device. SATA was more like a rewrite; once SATA came into being it was decided that all historical ATA devices that predated it, IDE included, would be grouped under the term PATA.

SCSI [7] is another popular attachment interface that has undergone several generations of revision over the years: SCSI, SCSI-2, SCSI-3, U160, U320 and SAS. Click on the link at the head of this paragraph for more details, if desired. The SCSI family of attachment interfaces is not hardware-compatible with the ATA family, nor does it use the same software command set, so you cannot mix SCSI drives with ATA controllers or ATA drives with SCSI controllers. Because they use different commands, Linux will enumerate them with different labels. This will be handled in more detail when it becomes important later.


A Brief History

To get an understanding of modern hard drives, it helps to have some background. The BIOS traditionally uses INT13h [71] as an interface to the hard drive. INT13h, from a historical standpoint, had certain limitations, such as a limit on the addressable hard drive size. On the other side of the interface, the drive itself, which used IDE/ATA, also had restrictions. We can see these restrictions easily if we lay them out in a table:

Specification   Max Cylinders   Max heads   Max sectors   Max Size
IDE/ATA         65,536          16          256           138GB
INT13h          1,024           256         63            528MB

Clearly you can see that, because of the limitations of INT13h and IDE/ATA taken together (the smaller value in each column applies), the largest drive your average computer could handle under the above scenario was 528MB. We call this specification CHS [72] (Cylinders Heads Sectors). You may recall that to calculate the total size of a hard drive you use the following formula:

• Cylinders * Heads * Sectors * 512 = Capacity

So 1,024 * 16 * 63 * 512 = 528MB. To get around this, a new specification was implemented called ECHS (Extended Cylinders Heads Sectors), sometimes also referred to as "Large Mode". This introduced a translation layer between the BIOS and INT13h. The translation layer then allowed a computer to handle disk drives up to 8.4GB in size. We can see this with the following modification to the table above, with the ECHS row added:

Specification   Max Cylinders   Max heads   Max sectors   Max Size
IDE/ATA         65,536          16          256           138GB
ECHS            620             128         63            2.5GB
INT13h          1,024           256         63            8.4GB

To see how the translation works, let's take a 2.5GB hard drive with the following specs: Cylinders = 4960, Heads = 16, Sectors = 63. The translation program looks at the number of cylinders and makes a "best fit" with the INT13h limitation of 1,024 cylinders. The translation program normally does this by division: it divides the number of cylinders by one of the following numbers: 2, 4, 6, 8 and in some cases 16. In our case, 4960 / 8 = 620, which does not break the limitation of INT13h. Now the translation program multiplies the number of heads by the same factor, 8, so 16 * 8 = 128. In this way, the translation program stays within the INT13h limits and provides a way in which the computer can see the whole disk. We can see this by calculating the disk space both before and after translation:

• Native: 4960 * 16 * 63 * 512 = 2.5GB
• Translated: 620 * 128 * 63 * 512 = 2.5GB

The table above needs a little more clarification. You will note that the heads for the ECHS (translation layer) = 128, which is incompatible with the IDE/ATA layer, which specifies a limit of 16. We get away with this because the translation layer is only concerned with INT13h and is not in any way related to the IDE/ATA layer. The next table shows how this model really looks.

Specification    Max Cylinders   Max heads   Max sectors   Max Size
Physical Drive   4,960           16          63            2.5GB
IDE/ATA          65,536          16          256           138GB
INT13h           1,024           256         63            8.4GB
ECHS             620             128         63            2.5GB
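The translation just described, carried through as a small POSIX shell script. This is an added example, not code from the book: it applies the Cylinders * Heads * Sectors * 512 formula, picks the smallest power-of-two divisor that brings the cylinder count to 1,024 or fewer (the 4960 / 8 = 620 case above), multiplies the heads by the same factor, and shows that the capacity is unchanged. It also generalizes to a geometry too large for ECHS, which is where LBA in the next section takes over.

```shell
#!/bin/sh
# Added example: CHS capacity and ECHS ("Large Mode") translation.
# The INT13h limits used below are the ones from the tables above:
# 1,024 cylinders, 256 heads, 63 sectors, 512-byte sectors.

# Capacity in bytes of a CHS geometry: cylinders * heads * sectors * 512.
chs_capacity() {
    echo $(( $1 * $2 * $3 * 512 ))
}

# Translate a native geometry for INT13h. Prints "cylinders heads sectors"
# of the translated geometry, or returns 1 if no divisor fits.
# The divisor is the smallest power of two (2, 4, 8, 16) that brings the
# cylinder count to 1,024 or fewer; the head count is multiplied by the
# same factor so the product, and therefore the capacity, is unchanged.
# (Cylinder counts that do not divide evenly are rounded down, losing a
# few sectors at the end of the disk.)
echs_translate() {
    cyl=$1; heads=$2; sect=$3
    if [ "$cyl" -le 1024 ]; then
        echo "$cyl $heads $sect"      # already within the limit, no translation
        return 0
    fi
    for factor in 2 4 8 16; do
        tcyl=$(( cyl / factor ))
        theads=$(( heads * factor ))
        if [ "$tcyl" -le 1024 ] && [ "$theads" -le 256 ]; then
            echo "$tcyl $theads $sect"
            return 0
        fi
    done
    return 1   # too big for ECHS: this is what LBA is for
}

# Report a native geometry next to its translation, with both capacities.
show_translation() {
    native="$1 $2 $3"
    if translated=$(echs_translate "$1" "$2" "$3"); then
        echo "native:     $native -> $(chs_capacity $1 $2 $3) bytes"
        echo "translated: $translated -> $(chs_capacity $translated) bytes"
    else
        echo "native:     $native -> $(chs_capacity $1 $2 $3) bytes, too large for ECHS"
    fi
}

# The book's worked case: 4960 cylinders, 16 heads, 63 sectors.
show_translation 4960 16 63
# The largest IDE/ATA geometry (65,536 cylinders) is beyond what ECHS can map.
show_translation 65536 16 63
```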

Needless to say, hard drives got a lot bigger than 8.4GB, so some other way was needed, as cylinders, heads and sectors were no longer a viable option. This is covered in the next section, where we bring you right up to date.

LBA

LBA (Logical Block Addressing [73]) is the most common scheme in use today to get past the 528MB limit imposed on an IDE/ATA disk drive. With LBA each block has a unique identification number that starts at 0 and then continues 1, 2, 3, 4, 5... In order for this mechanism to work it must be supported by the BIOS, the operating system and the IDE drive. The common misconception with LBA is that it is LBA itself that gets around the 528MB limit, when in fact LBA uses translation. When you enable LBA mode in a BIOS you are in effect enabling translation. The translation can be the same as the ECHS scheme discussed above, or another algorithm can be used by a third party. It is well beyond this course to look at these algorithms, but the point about third-party algorithms should be made. More and more, with modern operating systems, the BIOS is taking a back seat when "talking" to the drive: modern operating systems now perform this function with their own implementation of the ATA specification, preferring to bypass the BIOS altogether.

IRQ

There are 16 IRQ (Interrupt ReQuest) channels on the x86 architecture, and of those only a few are freely available. The table below lists the standard assignments. Some IRQs cannot be reassigned at all; some could be reassigned, provided the corresponding hardware does not exist in your system; and those marked "Available" you are free to assign as you please.

IRQ No.   Hardware Assignment
0         System timer
1         Keyboard
2         Handles IRQ 8 - 15
3         COM2
4         COM1
5         LPT2 / Sound Card
6         Floppy Controller
7         Parallel Port
8         Real Time Clock
9         Available
10        Available
11        Available
12        PS2 Mouse
13        Floating Point Proc
14        Primary IDE
15        Secondary IDE

In essence, IRQs are used to halt the computer from processing any further information and immediately service the request from the interrupt, that is, from the device assigned to that interrupt. The table above shows what the IRQ architecture looked like under the PIC [74] (Programmable Interrupt Controller); however, it hides the issue of priorities. The priority order of the IRQ structure is 0-1-2-8-9-10-11-12-13-14-15-3-4-5-6-7. The reason 8-15 have a higher priority than 3-7 is that they hook into IRQ 2; in fact IRQ 2 can be said to be IRQ 9. What we have looked at here is somewhat historical: under the above scenario, adding new hardware quickly became an art and a pain! However, the advent of PCI [75] and USB [14] enabled a greater range of addresses and also the ability to just plug things in and go.


DMA

DMA (Direct Memory Access) is a feature of the modern computer that enables devices to bypass the CPU [76] when they need to read or write information to or from another device. The purpose is to take the load off the CPU and instead use the DMA controller and RAM [77] to move blocks of data from one area to another. Although the CPU is never completely eliminated from a DMA transfer, its role is purely to initiate the process rather than manage it.

I/O

I/O (Input / Output) refers to moving data among all devices, both external and internal, within a modern computer system. Some devices can perform both input and output functions; an example is a Network Card [78]. Obviously keyboards [79], mice [80] etc. are examples of input devices, and monitors [81] and printers [82] are examples of output devices. I know, this is entry-level stuff, but bear with me: the theory is nearly over.

Putting it all together

When you turn the PC on, BIOS instructions are loaded into RAM from a permanently available ROM [83] chip on the motherboard. These instructions, after performing a POST, may further inform the processor where the operating system is located and how to load it into RAM. In order to allow operating systems and applications to run on a PC, the BIOS provides a standard layer of services that the operating system can use to "talk" to the hardware. In turn, the operating system provides standard services to applications to perform their functions. It is important to understand that not all operating systems use all BIOS services; some use their own instructions to access the hardware. The direct method of accessing the hardware may improve performance. The BIOS utilizes a number of technologies to perform the services we have addressed above. However, as with all things in the computer industry, technology is moving forward fast. The BIOS performs a crucial role within the system, and new technology added to the motherboard will normally require BIOS co-operation so that the OS can utilize the new technology. By now you should have a good understanding of the BIOS and the role it performs with hardware. In the next section we look at Linux and how it interacts with the BIOS and hardware. This will hopefully give you a System Administrator's view of these relationships.

Viewing BIOS-related information in Linux

Introduction

From this point onward it becomes necessary to have access to a Linux PC. Although some theory is involved, we shall be interacting with Linux more and more. I advise that you attempt the commands as you come across them, testing your understanding as you go. Do be careful with some of the commands, as an incorrect switch, or in some cases running a command from the wrong directory, is not healthy. (One famous example is running rm -R * from / as root.) So if you are new to Linux, be careful: don't misuse the root account. Only use it when you have to. I personally advise a separate Linux installation for the course that contains no personal data. Understand that no author or contributor to this book is in any way responsible for any loss of data or damage to any hardware, however it is caused. Mistakes in typing can happen and this is an open book for anyone to edit regardless of their knowledge.


/proc

/proc is a pseudo-filesystem which is used as an interface to kernel data structures. Most of it is read-only, but some files allow kernel variables to be changed, particularly in /proc/sys. If you were to list the file system in /proc you would see something like this:

user@host:~$ cd /proc
user@host:/proc$ ls
1 4190 5071 5462 128 4312 5103 5478 1475 44 5162 5547 1481 45 5164 5563
1508 4589 5205 5574 1524 4590 5224 5579 1526 4594 5227 5655 165 4595 5289 5660
166 4597 5302 5661 1784 4765 5315 5695 1786 4805 5318 5697 1787 4878 5328 5698
2 4932 5336 5816 207 4934 5356 5820 2272 4956 5362 5821 2273 4972 5363 5829
2515 4986 5370 5832 2718 4999 5373 5842 3 5 5378 5851 3181 5021 5416 5854
4 5042 5419 5856 41 5043 5423 5858
5859 5867 5868 5871 5879 5880 5884 5890 5892 5901 5902 5903 5905 5912 5915 5918
5925 5938 5941 5970 5973 5982
6 6024 6553 6583 6593 6685 6694 6714 6716 6717 6735 7
acpi asound buddyinfo bus cgroups cmdline cpuinfo crypto devices diskstats
dma driver execdomains fb filesystems fs interrupts iomem ioports irq kallsyms kcore key-users kmsg loadavg locks meminfo misc modules mounts mtrr net
pagetypeinfo partitions sched_debug scsi self slabinfo stat swaps sys sysrq-trigger sysvipc timer_list timer_stats tty uptime version version_signature vmcore vmnet vmstat zoneinfo

The first thing that you will notice is the numbered directories; these represent processes running on your system. Each numbered directory has a common subset of files and directories that provide information about that process. The number of the directory is the same as the process number seen with the ps command. We cover processes in a later section. The directories and files we are interested in are the following:

/proc/acpi (power management)
/proc/bus/pci (note: on some distributions this may be /proc/pci)
/proc/cpuinfo (processor information)
/proc/devices
/proc/dma
/proc/interrupts
/proc/iomem
/proc/ioports
/proc/irq
/proc/meminfo


Getting kernel information

Examples of available entries in /proc are:

[Number]: Information on a process running on the system, e.g. cmdline (the complete command line), cwd (the working directory), ...
/proc/uptime: How long the system has been up.
/proc/sys/kernel: Kernel information.
/proc/sys/net: Network information.
/proc/partitions: Hard drive partition information.
/proc/scsi: SCSI information.
/proc/mounts: Mounted filesystem information.
/proc/devices: List of the loaded drivers.
/proc/bus: Bus information.
/proc/version: Linux version.

/proc/acpi

This section needs text.

Getting hard drive information

In order to get disk information, use hdparm. More information is available in the hdparm man page [84].

hdparm [options] [devices]

Common options:
-g: Get the disk geometry.
-C: Display the power mode of the hard drive: active/idle (normal operation), standby (low power mode) or sleeping (lowest power mode).
-v: Display all settings, except -i (same as -acdgkmnru for IDE, -gr for SCSI or -adgr for XT). This is also the default behaviour when no flags are specified.

Examples:

hdparm -g /dev/hda
/dev/hda: geometry = 3648/255/63, sectors = 58605120, start = 0

hdparm -C /dev/hda
/dev/hda: drive state is: active/idle

And more...
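The geometry hdparm -g prints is a translated one of the kind discussed in the CHS section: 255 heads is more than the 16 the IDE/ATA layer allows, so these are logical values. An added example, not from the book or from hdparm: a shell function that parses one hdparm -g line and checks that cylinders * heads * sectors equals the reported sector count. The second input line is constructed to show the mismatch case.

```shell
#!/bin/sh
# Added example: check that the CHS geometry hdparm -g reports is
# consistent with the sector count on the same line.

# Usage: check_hdparm_geometry "<one line of hdparm -g output>"
# Prints a verdict; returns 0 when C*H*S equals the sector count,
# 1 on a mismatch, 2 when the line does not look like hdparm -g output.
check_hdparm_geometry() {
    # Pull the four numbers out of "geometry = C/H/S, sectors = N".
    set -- $(printf '%s\n' "$1" | sed -n \
        's/.*geometry = \([0-9]*\)\/\([0-9]*\)\/\([0-9]*\), sectors = \([0-9]*\).*/\1 \2 \3 \4/p')
    if [ $# -ne 4 ]; then
        echo "unparsable: not a 'geometry = C/H/S, sectors = N' line"
        return 2
    fi
    cyl=$1; heads=$2; sect=$3; sectors=$4
    chs=$(( cyl * heads * sect ))
    if [ "$chs" -eq "$sectors" ]; then
        # 512-byte sectors, as in the capacity formula used earlier in the chapter.
        echo "consistent: $cyl*$heads*$sect = $sectors sectors = $(( sectors * 512 )) bytes"
        return 0
    fi
    echo "mismatch: $cyl*$heads*$sect = $chs but $sectors sectors reported"
    return 1
}

# The line from the hdparm -g example above (this one is consistent).
check_hdparm_geometry "/dev/hda: geometry = 3648/255/63, sectors = 58605120, start = 0"
# A constructed line whose sector count does not match its geometry.
check_hdparm_geometry "/dev/hdb: geometry = 1024/16/63, sectors = 999999, start = 0" || true
```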


Exercises

1. What is the RAM size of your system?
2. Which devices are sharing an interrupt line?
3. Use the lspci utility with the right option to draw the PCI architecture of your system.
   • How many PCI buses and bridges are there?
   • Are there any PCI/ISA bridges?
4. What is the lspci option to list all the Intel PCI devices?
5. What is the command to set your IDE hard drive to read-only mode?
6. What is the command to turn on/off the hard drive disk cache?
7. What does the setpci utility do?
8. What is the command to write a word in register N of a PCI device?

Exercise Results

1. To show the amount of physical RAM available, use free or cat /proc/meminfo | grep MemTotal
2. Which devices are sharing an interrupt line? cat /proc/interrupts | more
3. How many PCI buses and bridges are there? lspci | wc -l
4. Are there any PCI/ISA bridges? lspci | grep 'PCI\|ISA'
5. What is the option with lspci to list all the Intel PCI devices? lspci -d '8086:*'
6. What is the command to set your IDE hard drive in read-only mode? hdparm -r1
7. What is the command to turn on/off the disk cache of a hard drive? hdparm -W1 / hdparm -W0
8. What does the setpci utility do? setpci is a utility for querying and configuring PCI devices.
9. What would be the command to write a word in register N of a PCI device? setpci -s 12:3.4 N.W=1

Configure Modem & Sound Cards

Detailed Objective
Weight: 1

Description: Candidates should be able to configure modem and sound card settings.

• Key knowledge area(s):
  • Ensure devices meet compatibility requirements (particularly that the modem is not an unsupported "win-modem").
  • Verify that correct resources are used by the cards.
  • Configure modem for outbound dial-up.
  • Set serial port speeds.
• The following is a partial list of the used files, terms and utilities:
  • /proc/dma
  • /proc/interrupts
  • /proc/ioports
  • /proc/pci
  • lspci
  • lsusb


Modems

A modem is a device that lets you send digital data through a telephone line. The four types of modem are:
• External: Connected through the serial port.
• USB: Connected through USB.
• Internal: ISA or PCI board.
• Built-in: Part of the motherboard.

Most new modems are Plug and Play and you have various ways to deal with them:
• The serial driver does it all for you.
• Use the isapnp program.
• Let a PnP BIOS do the configuration.

To display the configuration of an ISA device, use pnpdump. This utility can dump the information (I/O ports, interrupts and DMA channels) that the card uses. To configure ISA devices, use isapnp. For more information, check the man page of the isapnp.conf file.

Serial ports

An external modem can be configured with setserial [85].

setserial [options] device [parameters]

The available serial ports are:
/dev/ttyS0 (COM1), port 0x3f8, irq 4
/dev/ttyS1 (COM2), port 0x2f8, irq 3
/dev/ttyS2 (COM3), port 0x3e8, irq 4
/dev/ttyS3 (COM4), port 0x2e8, irq 3

Common options:
-a: Report all available information on a connected device.

Common parameters:
port: Port number.
irq: IRQ number.
uart: Type of UART permitted (none, 8250, 16450, ...).
autoconfig: Ask the kernel to determine the UART, IRQ number, ...
baud_rate: Communication bandwidth. (Maximum: 115200 bytes/sec)

Example: setserial -g /dev/ttyS*


Dial Out and In

In order to dial out with a modem, you can use the application setserial [85] or minicom [86]. A configuration file can be created with the -s option:

minicom -s

In order to be able to handle users dialing in, the system needs to be able to start a getty process to handle the dial-in session. The configuration must be done in the /etc/inittab file:

D1:45:respawn:/sbin/agetty -mt60 19200,9600 ttyS0 vt100

-m: tells getty to try to extract the bps rate.
19200,9600: bps rates, switched when a BREAK character is received.
t60: timeout of 60 seconds.
ttyS0: port to which the modem is connected.
vt100: terminal type used in the TERM environment variable.

Once /etc/inittab is modified, init needs to re-read it:

telinit -q

Exercises • Exercises results

Detailed Objective
Weight: 1

Description: Candidates should be able to configure non-IDE devices such as SCSI, SATA and USB drives using the special BIOS as well as the necessary Linux tools.

• Key knowledge area(s):
  • Differentiate between the various types of non-IDE devices.
  • Manipulate the BIOS to detect used and available SCSI IDs.
  • Set the correct hardware ID for different devices, especially the boot device.
  • Configure BIOS settings to control the boot sequence when both non-IDE and IDE devices are present.
• The following is a partial list of the used files, terms and utilities:
  • SCSI ID
  • /proc/scsi/
  • scsi_info


SCSI

The SCSI BIOS can be accessed at boot time with some special key sequence (Ctrl+A for most Adaptec Host Bus Adapters; Ctrl+G, Ctrl+M or other keys for other vendors) and allows you to set up parameters such as bootable SCSI and more. In order to get SCSI information, use scsi_info or hdparm [87].

Examples:

scsi_info /dev/sda
hdparm -grv /dev/sda

Note: tested with hdparm v6.1 (Debian sarge, kernel 2.6.8-3, arch 386).

Exercises • Exercises results

Setup Different PC Expansion Cards

Detailed Objective
Weight: 3

Description: Candidates should be able to configure various cards for the various expansion slots.

• Key knowledge area(s):
  • Know the differences between coldplug and hotplug devices.
  • Determine hardware resources for devices.
• The following is a partial list of the used files, terms and utilities:
  • The appropriate subdirectories of /proc
  • hotplug configuration files, terms and utilities
  • lspci [88]
  • lsusb [89]

Hotplug

With proper support from the operating system, some devices can be added and/or removed without shutting the system down, much like a CD-ROM or floppy disk can be mounted or unmounted. USB was designed to be hot-pluggable, but the operating system must still be prepared to deal with the possibility of devices appearing and disappearing. Some server motherboards support a hot-pluggable PCI slot standard, intended to reduce downtime by allowing administrators to replace failed components without shutting down the entire server. A few server vendors even go as far as to allow swapping out bad RAM while the system is running, but this is very rare and expensive. Both the hardware and the operating system must support hot-plugging components in order for this to work. (There's a limited amount of repair that can be done on an airplane while flying at 10,000 feet.)


Coldplug

It is much less confusing to your computer if you shut down the power before making any changes to the hardware you are connecting.

PCI

All PCI cards are normally detected by the BIOS. At boot time the BIOS probes the PCI configuration space and detects all the different devices and bridges. To ensure that the BIOS has detected all the PCI devices, use lspci. Check for bridges, special devices and functions. All ISA cards are also normally detected by their respective drivers. The utilities that allow you to manually configure ISA cards are pnpdump, isapnp and the /etc/isapnp.conf file. The pnpdump program allows you to dump information on all the detected ISA cards. isapnp works with the configuration file /etc/isapnp.conf, which has the same syntax as the output of pnpdump and allows you to customize any ISA card's settings.

Exercises • Exercises results

Configure Communication Devices

Detailed Objective
Weight: 1

Description: Candidates should be able to install and configure different internal and external communication devices like modems, ISDN adapters and DSL modems.

• Key knowledge area(s):
  • Verification of compatibility requirements (such as that the modem is not a "winmodem").
  • Correctly set IRQs, DMAs and I/O ports of the cards to avoid conflicts between devices.
  • Load and configure suitable device drivers.
  • Set serial port speed.
  • Set up the modem for outbound PPP connections.
• The following is a partial list of the used files, terms and utilities:
  • /proc/dma
  • /proc/interrupts
  • /proc/ioports
  • setserial [85]

I/O Ports

To list the I/O ports the system uses, print the /proc/ioports file.

$ cat /proc/ioports
0000-001f : dma1
0020-003f : pic1
0040-005f : timer
0060-006f : keyboard
0070-007f : rtc
0080-008f : dma page reg
00a0-00bf : pic2
00c0-00df : dma2
00f0-00ff : fpu
0170-0177 : PCI device 8086:248a
0170-0177 : ide1
01f0-01f7 : PCI device 8086:248a
01f0-01f7 : ide0
02f8-02ff : serial(auto)
0376-0376 : PCI device 8086:248a
0376-0376 : ide1
0378-037a : parport0
037b-037f : parport0
03c0-03df : vesafb
03f6-03f6 : PCI device 8086:248a
03f6-03f6 : ide0

Interrupts

To list all the interrupts used by all the devices, print the /proc/interrupts file.

$ cat /proc/interrupts
           CPU0
  0:     397517    XT-PIC  timer
  1:       7544    XT-PIC  keyboard
  2:          0    XT-PIC  cascade
  5:          0    XT-PIC  usb-uhci, usb-uhci
  8:          2    XT-PIC  rtc
 10:       2024    XT-PIC  eth0, usb-uhci, PCI device 104c:ac51, PCI device 104c:ac51, Intel ICH3
 12:      19502    XT-PIC  PS/2 Mouse
 14:      11445    XT-PIC  ide0
 15:       2770    XT-PIC  ide1
NMI:          0
ERR:          0

An optimized system will not have any interrupt line used by more than one heavily-used device. Remember that every ISR [90] of every device sharing a line will be executed for each interrupt on that line.
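Spotting the shared lines by eye is easy to get wrong on a busy system, so here is an added example (not from the book) that parses /proc/interrupts with awk and lists every IRQ with more than one handler registered. The sample input is the output shown above, embedded so that the script runs offline; on a live system, replace sample_interrupts with cat /proc/interrupts.

```shell
#!/bin/sh
# Added example: list IRQ lines with more than one handler registered.
# shared_irqs reads /proc/interrupts-style text on stdin.

# The book's sample output, embedded here so the script runs offline.
sample_interrupts() {
    cat <<'EOF'
           CPU0
  0:     397517    XT-PIC  timer
  1:       7544    XT-PIC  keyboard
  2:          0    XT-PIC  cascade
  5:          0    XT-PIC  usb-uhci, usb-uhci
  8:          2    XT-PIC  rtc
 10:       2024    XT-PIC  eth0, usb-uhci, PCI device 104c:ac51, PCI device 104c:ac51, Intel ICH3
 12:      19502    XT-PIC  PS/2 Mouse
 14:      11445    XT-PIC  ide0
 15:       2770    XT-PIC  ide1
NMI:          0
ERR:          0
EOF
}

# Print "IRQ <n>: <count> handlers: <list>" for every line whose handler
# list holds more than one comma-separated name. Lines such as NMI/ERR,
# which have no numeric IRQ, are skipped.
shared_irqs() {
    awk '
    /^ *[0-9]+:/ {
        irq = $1; sub(/:/, "", irq)
        i = 2
        while (i <= NF && $i ~ /^[0-9]+$/) i++   # skip one counter per CPU column
        i++                                      # skip the controller name (XT-PIC here)
        if (i <= NF && $i ~ /^[0-9]+-/) i++      # newer kernels add e.g. "2-edge" here
        devs = ""
        for (j = i; j <= NF; j++) devs = devs (j > i ? " " : "") $j
        n = split(devs, parts, /, */)
        if (n > 1) printf "IRQ %s: %d handlers: %s\n", irq, n, devs
    }'
}

sample_interrupts | shared_irqs
```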


DMA

To list all the ISA DMA (Direct Memory Access) channels in use, print out the /proc/dma file.

$ cat /proc/dma
4: cascade

PCI

To list all the devices on the PCI buses, print out the /proc/pci file.

$ cat /proc/pci
PCI devices found:
  Bus 0, device 0, function 0:
    Class 0600: PCI device 8086:3575 (rev 2).
      Prefetchable 32 bit memory at 0xe0000000 [0xefffffff].
  Bus 0, device 1, function 0:
    Class 0604: PCI device 8086:3576 (rev 2).
      Master Capable. Latency=96. Min Gnt=12.
  Bus 0, device 29, function 0:
    Class 0c03: PCI device 8086:2482 (rev 1).
      IRQ 10.
      I/O at 0x1800 [0x181f].
  Bus 0, device 29, function 1:
    Class 0c03: PCI device 8086:2484 (rev 1).
      IRQ 5.
      I/O at 0x1820 [0x183f].
  Bus 0, device 29, function 2:
    Class 0c03: PCI device 8086:2487 (rev 1).
      IRQ 5.
      I/O at 0x1840 [0x185f].
  Bus 0, device 30, function 0:
    Class 0604: PCI device 8086:2448 (rev 65).
      Master Capable. No bursts. Min Gnt=4.

Exercises • Exercises results

Configure USB Devices

Detailed Objective
Weight: 1

Description: Candidates should be able to activate USB support, use and configure different USB devices.

• Key knowledge area(s):
  • Identify and load the correct USB driver module.
  • Demonstrate knowledge of the USB layer architecture and the modules used in the different layers.
• The following is a partial list of the used files, terms and utilities:
  • lspci [88]
  • xHCI modules
  • lsusb [89]
  • /etc/usbmgr/
  • usbmodules [91]
  • /etc/hotplug
  • udev [92] configuration files, utilities and documentation

Auto detection of new USB Devices

The program that gets executed when new hardware is connected is hotplug [93].

hotplug name

Common names are:
pci: PCI devices.
usb: USB devices.

The /etc/hotplug directory contains the scripts that must be executed each time a device gets inserted or removed.
* /etc/hotplug/pci.agent: To install the appropriate PCI driver.
* /etc/hotplug/usb.agent: To install the appropriate USB driver.

The hotplug program is also started at boot time to initialize all the connected devices:

/etc/init.d/hotplug

List USB Devices

To verify your devices have been detected, use lsusb [89].

lsusb [options]

Example:

$ lsusb -v
Bus 001 Device 004: ID 04a9:3045 Canon Inc. PowerShot S100
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               1.00
  bDeviceClass          255 Vendor Specific Class
  bDeviceSubClass       255 Vendor Specific Subclass
  bDeviceProtocol       255 Vendor Specific Protocol
  bMaxPacketSize0        32
  idVendor           0x04a9 Canon Inc.
  idProduct          0x3045 PowerShot S100
  ...

To display a graphical view of the connected USB devices, use usbview [94]


USB Drivers

Every detected USB device appears in the /proc/bus/usb filesystem and can be accessed with the appropriate application. Each USB device is seen as a file with a name like /proc/bus/usb/001/005. To check whether the appropriate driver has been loaded for a USB device, use usbmodules [91].

usbmodules [options]

Examples:

usbmodules --device /proc/bus/usb/001/001
usbcore
usbmodules --device /proc/bus/usb/001/005 --mapfile /etc/hotplug/usb.handman

The default modules to be loaded are listed in /lib/modules//modules.usbmap. The mapping is stored in the file /lib/modules//modules.usbmap. All the drivers are stored in the directory /lib/modules//kernel/drivers/usb/.

USB Applications

Many applications exist for many different devices. It is sometimes time-consuming to make them work. An application that can be used for a digital camera is gphoto2.

Common options:
--debug: See what the problem is when talking to the camera.
--print-usb-usermap: Store the output in /etc/hotplug/usb.usermap in order for the application to support your camera.
-P: Download pictures.

Example:

$ gphoto2 --summary
Detected a 'Canon PowerShot S100'.
Camera summary:
Camera identification:
  Model: Canon PowerShot S100
  Owner:
Power status: on battery (power OK)
Flash disk information:
  Drive D:
    31'885'312 bytes total
    27'668'480 bytes available


Exercises

USB:
1. Check if you can detect a digital camera.
2. View the camera device information.
3. Take a picture and download it into a system with gphoto2.
4. Configure your own device (HD, camera, mouse, keyboard, ...).

• Exercises results

Linux Installation & Package Management

Detailed Objectives
Weight: 2

Description: Candidates should be able to design a disk partitioning scheme for a Linux system.

• Key knowledge area(s):
  • Allocate filesystems and swap space to separate partitions or disks.
  • Tailor the design to the intended use of the system.
  • Ensure the /boot partition conforms to the BIOS requirements for booting.
• The following is a partial list of the used files, terms and utilities:
  • / (root) filesystem
  • /var filesystem
  • /home filesystem
  • swap space
  • mount points
  • partitions

Filesystems

A filesystem is simply a way of organizing data in computer-accessible form on the hard disk or other media. Different filesystems have different organizing structures to determine where the data and indexing information will be stored. Some popular filesystems include:

ext2: one of the oldest and most universally supported filesystems on Linux, Unix and BSD operating systems.
ext3: an extended version of ext2 which overcomes some limitations and adds journaling.
ext4
btrfs
reiserfs: an enhanced journaling filesystem written by Hans Reiser and extended by the open source community since his incarceration.
jfs
xfs
fat or vfat: the file allocation table-based filesystem used by MS-DOS and Windows 9x.
NTFS: a more advanced (than fat) filesystem used by Windows NT, 2000, XP and Vista.


Partitions

When doing an installation there is normally a minimum disk configuration of two partitions that needs to be created:
• / (root): directory that contains the Linux distribution.
• Swap space: partition that allows the kernel to run more processes than can normally fit into RAM.

If multiple disks are available it is good practice to also have the /usr and /home directories on different partitions. Each partition will contain a filesystem type and can be mounted on the active system in the global filesystem tree. To print the active mounted filesystems, use mount [95].

$ mount
/dev/hda3 on / type reiserfs (rw)
proc on /proc type proc (rw)
devpts on /dev/pts type devpts (rw)
/dev/hda1 on /boot type ext2 (rw)
shmfs on /dev/shm type shm (rw)
usbdevfs on /proc/bus/usb type usbdevfs (rw)

The swap partition doesn't need a filesystem. It will be accessed in raw mode by the kernel, with no filesystem system calls as overhead.

Disk speed issues

Before deciding on your partitioning scheme, you really need to know exactly what sort of applications you will be running:
• Mail server
• Web server
• Graphical X Window based applications
• And more

If your system has multiple disks, use the fastest one to store most of your data.
• / contains most of the system utilities and doesn't get used much. These can be shipped off to the slowest disk.
• /var/log contains a lot of logging information. Best on a fast disk.
• /usr is typically on a separate partition anyway, and if you have a lot of clients starting lots of X applications, use a fast disk.

Examples of system applications: for e-mail serving, Sendmail writes to two main locations, the mail queue (usually /var/spool/mqueue) and /var/spool/mail, as well as other locations. Apache uses several different files: two log files per hosted site for logging, plus access to the actual pages. Apache spends quite a bit of time writing to log files in /var/log (or wherever it is configured to do so).


Virtual memory (Swap)

When you set up a new system, swap should be twice your actual RAM. This is not always sensible in real-world scenarios; however, it is a traditional guideline and a conservative answer to give in an exam. Information on the swap partition can be displayed with swapon:

swapon -s # Display the active swap partitions

To get information on the usage of virtual memory, use vmstat:

$ vmstat -n 1
procs                      memory      swap          io     system         cpu
 r  b  w   swpd   free   buff  cache   si   so    bi    bo   in    cs  us  sy  id
 5  0  1    184   3228  37684  92828    0    0    37    19  124   228   3   0  97
 1  0  0    184   3476  37684  92596    0    0     0     0  102   368   0   0 100
 2  0  0    184   3476  37684  92596    0    0     0     0  101   328   0   0 100

r: processes waiting for run time.
b: processes in uninterruptible sleep.
w: processes swapped out.
swpd: virtual memory used (kB).
free: idle memory (kB).
buff: memory used as buffers (kB).
si: memory swapped in from disk (kB/s).
so: memory swapped to disk (kB/s).
bi: blocks received from a block device (blocks/s).
bo: blocks sent to a block device (blocks/s).
in: the number of interrupts per second.
cs: the number of context switches per second.
us: user time.
sy: system time.
id: idle time.

Exercises

• Exercises results

1. Open two terminals. In one terminal, display the virtual memory usage periodically. In the second terminal, disable the virtual memory and re-enable it. Note the changes in the first terminal.
2. What is the disk layout of your system and how many disks do you have?
3. How much swap space can you use?


Detailed Objective
Weight: 2

Description: Candidates should be able to select, install and configure a boot manager.

• Key knowledge area(s):
  • Providing alternative boot locations and backup boot options.
  • Install and configure a boot loader such as GRUB.
  • Interact with the boot loader.
• The following is a partial list of the used files, terms and utilities:
  • /boot/grub/menu.lst
  • grub-install
  • MBR
  • superblock
  • /etc/lilo.conf
  • lilo

Boot managers

A boot loader is installed in the MBR. When a system starts, it loads what is in the MBR into RAM. Under Linux there are two main boot loaders:
• LILO: LInux LOader.
• GRUB: GRand Unified Boot Loader.

A boot loader allows you to select the image that you would like to boot. A system can contain multiple images (operating systems). A boot loader also allows you to interactively run commands and pass parameters to the image that you will boot. The initrd is an initial RAM disk image which is used to build a filesystem in RAM, from which other filesystems can be mounted and programs executed. GRUB is today's default boot loader for many distributions. When installing Windows alongside Linux, install Windows first and Linux second, because Windows overwrites the MBR without asking.

LILO vs. GRUB
Both are used to load an image from a disk into RAM. GRUB has the following advantages over LILO:
• More pre-OS commands.
• Supports images stored beyond the 1024 BIOS cylinder limitation.
• Can read its configuration file from the filesystem at boot time.
When using LILO, each time you add a new image or change an image, LILO needs to be reinstalled in the MBR.
• LILO keeps its boot information in the MBR.
• GRUB keeps its boot information in the filesystem (menu.lst).
• LILO also has a configuration file, /etc/lilo.conf.
To install GRUB in the MBR, use grub-install. The setup command of the grub shell also overwrites the MBR. To install LILO in the MBR, use lilo. The lilo command reads /etc/lilo.conf to know what to write into the MBR.
Example of /etc/lilo.conf:


# LILO global section
boot = /dev/hda          # LILO installation target: MBR
vga = normal             # (normal, extended, or ask)
read-only                # Mount the root file system read-only
# LILO Linux section
image=/boot/vmlinuz      # Image to load
label=linux              # Label to display
root=/dev/hda1           # Root partition for the kernel
initrd=/boot/initrd      # Ramdisk
# LILO DOS/Windows section
other=/dev/hda3
label=windows
# LILO memtest section
image=/boot/memtest.bin
label=memtest86

Example of menu.lst (GRUB configuration file):

# GRUB default values
timeout 10               # Boot the default kernel after 10 seconds
default 0                # Default kernel
# Grub for Linux section 0
title GNU/Linux          # Title
root (hd0,1)             # /dev/hda2 root filesystem
# Kernel and parameters to pass to the kernel (ro: mount the root filesystem read-only)
kernel /boot/vmlinuz root=/dev/hda2 ro
initrd /boot/initrd
boot
# Grub for DOS/Windows section
title Winblows
root (hd0,2)             # /dev/hda3
makeactive
chainloader +1

GRUB Resources
* GRUB Manual [96]
* GRUB homepage [97]
* Grub wiki [98]
* Linux+Win+Grub HowTo [99]
* Linux Recovery and Boot Disk Creation with Grub [100]
* Win32 Grub [101]
* Booting with GRUB [102]
* WinGRUB [103]
* GRUB Installer for Windows [104]
* GRUB for DOS [105] - Bridging DOS/Windows to Unix/Linux

Exercises • Exercises results
1) Install GRUB on a floppy disk and try to boot your image manually:
mkfs -t ext2 /dev/fd0
mount /dev/fd0 /mnt
mkdir -p /mnt/boot/grub
cp /boot/grub/stage* /mnt/boot/grub/
cp /boot/grub/e2fs_stage1_5 /mnt/boot/grub/
touch /mnt/boot/grub
umount /mnt
grub
root (fd0)
setup (fd0)
quit
Now reboot with the floppy and, from the GRUB prompt, select the kernel on the hard disk:
root (hd0,1)
kernel /boot/vmlinuz root=/dev/hda2 ro
initrd /boot/initrd
boot
2) Create the /boot/grub/menu.lst file and install GRUB on your hard drive with the grub utility.
3) Reinstall LILO. Change the linux label of the default kernel image to SuSE in /etc/lilo.conf and re-run the lilo program to write the new configuration to the MBR.

Detailed Objective
Weight: 5
Description: Candidates should be able to build and install an executable program from source. This objective includes being able to unpack a file of sources. Candidates should be able to make simple customizations to the Makefile, for example changing paths or adding extra include directories, either in the raw Makefile or using the configure tools.
• Key knowledge area(s):
• Unpack a file of sources using typical compression utilities.
• Make simple customizations to Makefile such as changing paths or adding extra include directories.
• Apply parameters to a configure script.
• Know where sources are stored by default.
• Compile a RPM or DPKG software package using sources.
• The following is a partial list of the used files, terms and utilities:
• RPM and DPKG commands
• /usr/src/
• gunzip
• gzip
• bzip2
• tar
• configure
• make

Source files
An archive is a collection of related files stored in one file. The command that allows you to store files and directory subtrees in one file is tar.
tar function & options files
Common functions:
-c: Create a new tar file.
-t: List the contents of a tar file.
-x: Extract the contents of a tar file.
Common options:
-f file: Specify the name of the tar file.
Examples:
tar cvf mybackup.tar ~
tar cvf usr.tar /usr
tar tvf mybackup.tar
tar xvf mybackup.tar

It is good practice to use the .tar extension for all files archived with tar.

File compression
Compression saves space for storage and file transfer. There are multiple utilities to do compression:
• compress, uncompress # Old Unix compression algorithm
• gzip, gunzip # Most common use
• bzip2, bunzip2 # Best compression ratio of the three
Once an archive has been created, it can be compressed. Examples:
$ ls -l backup.tar
-rw-r--r-- 1 rarrigon users 22773760 nov 10 11:07 backup.tar
$ gzip -v backup.tar
backup.tar: 53.8% -- replaced with backup.tar.gz
$ ls -l backup.tar.gz
-rw-r--r-- 1 rarrigon users 10507393 nov 10 11:07 backup.tar.gz
$ gunzip backup.tar.gz
$ bzip2 -v backup.tar
backup.tar: 2.260:1, 3.540 bits/byte, 55.75% saved, 22773760 in, 10077846 out.

Files archiving and compression
When archiving files and subdirectories it is possible to package and compress them in one command. Examples:
tar cvzf backup.tgz ~    # Backup of home with gzip
tar cvjf backup.tbz ~    # Backup of home with bzip2
tar xvzf backup.tgz      # Extract and gunzip backup.tgz
tar xvjf backup.tbz      # Extract and bunzip2 backup.tbz

By default tar stores relative paths (it strips the leading / from member names), but with the -P option it stores absolute paths. Files archived in this mode will always be extracted to the same absolute location, so an archive of unknown origin should be listed with tar tvf before it is extracted.
For compressing and archiving in one line:
$ tar cvf - . | gzip > target.tar.gz
For decompressing and extracting a compressed archive:
$ gunzip -c file_name.tar.gz | tar xvf -
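The listing-before-extracting check just described, as an added example that is not part of the book: it screens the output of tar tf for member names that would land outside the extraction directory, and builds two constructed archives (one with -P) to show the difference.

```shell
#!/bin/sh
# Added example, not from the book: screen an archive for member names that
# would land outside the extraction directory. Only -P (or a tar that does not
# strip the leading /) makes such names dangerous, but listing first costs nothing.

# Reads member names on stdin, one per line (the output of "tar tf"), prints each
# unsafe one and returns 1 if any was found, 0 otherwise.
check_tar_listing() {
    found=0
    while IFS= read -r member; do
        case "$member" in
            /*|..|../*|*/..|*/../*) echo "unsafe: $member"; found=1 ;;
        esac
    done
    return "$found"
}

# The same check against an archive on disk.
check_tar_archive() {
    tar tf "$1" | check_tar_listing
}

# Constructed demonstration: the same file archived with and without -P.
demo() {
    tmp=$(mktemp -d) || return 1
    echo hello > "$tmp/payload"
    ( cd "$tmp" && tar cf relative.tar payload )      # member name: payload
    tar cPf "$tmp/absolute.tar" "$tmp/payload"        # member name: /tmp/.../payload
    echo "relative.tar:"; tar tf "$tmp/relative.tar"
    check_tar_archive "$tmp/relative.tar" && echo "  ok to extract"
    echo "absolute.tar:"; tar tf "$tmp/absolute.tar"
    check_tar_archive "$tmp/absolute.tar" || echo "  refuse, or extract without -P"
    rm -rf "$tmp"
}

command -v tar >/dev/null 2>&1 && demo
```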

GNU tool chain
Under Linux all the sources can be built with the standard GNU tool chain:
• make: Utility to maintain groups of programs. It uses the rules defined in the Makefile.
• gcc: ANSI C compiler.
• g++: C++ compiler.
Many compressed or archived packages, once unpacked, contain information files (README, INSTALL) that explain how the software should be built and installed. The files Makefile.in and configure.in are the basic files used to generate the final Makefile: the configure script scans the system and builds the final Makefile from Makefile.in.

Exercises • Exercises results
1. Make an archive of the /bin and /sbin directories. With which compression utility do you get the smallest file? Use -v to get the size reduction in percent.
2. Unpack the file /usr/src/packages/SOURCES/grub-09.tar.bz2 in /tmp and, by reading INSTALL and README, build the sources.
3. Find the way to unpack a .deb and a .rpm archive. What is inside?
4. In one command line, compress a new file and uncompress this new file somewhere else.

Detailed Objective
Weight: 1
Description: Candidates should be able to determine the shared libraries that executable programs depend on and install them when necessary.
• Key knowledge area(s):
• Identify shared libraries.
• Identify the typical locations of system libraries.
• Load shared libraries.
• The following is a partial list of the used files, terms and utilities:
• ldd
• ldconfig
• /etc/ld.so.conf
• LD_LIBRARY_PATH


Shared libraries
A library is a set of functions that programs can use to implement their functionality. When building (linking) a program, those libraries can be statically or dynamically linked into the executable. Static linking means that the final program contains the library functions within its own file (lib.a). Dynamic linking means that the needed libraries must be loaded into RAM when the program is executed (lib.so). The default directories for the standard libraries are:
• /lib: Used mainly by /bin programs.
• /usr/lib: Used mainly by /usr/bin programs.
The file /etc/ld.so.conf is used by the system to specify other library locations. To build the cache of all available libraries used by the runtime loader, use ldconfig. The file /etc/ld.so.cache will be generated.

Library dependencies
To print the shared library dependencies of a program or library, use ldd.
ldd [-vdr] program|library
Example:
$ ldd -d -v /bin/cp
        libc.so.6 => /lib/libc.so.6 (0x40027000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)

        Version information:
        /bin/cp:
                libc.so.6 (GLIBC_2.1.3) => /lib/libc.so.6
                libc.so.6 (GLIBC_2.1) => /lib/libc.so.6
                libc.so.6 (GLIBC_2.2) => /lib/libc.so.6
                libc.so.6 (GLIBC_2.0) => /lib/libc.so.6
        /lib/libc.so.6:
                ld-linux.so.2 (GLIBC_2.1.1) => /lib/ld-linux.so.2
                ld-linux.so.2 (GLIBC_2.2.3) => /lib/ld-linux.so.2
                ld-linux.so.2 (GLIBC_2.1) => /lib/ld-linux.so.2
                ld-linux.so.2 (GLIBC_2.2) => /lib/ld-linux.so.2
                ld-linux.so.2 (GLIBC_2.0) => /lib/ld-linux.so.2

Runtime loader
The runtime loader ld.so finds the libraries a program needs and loads them into RAM. The search order of ld.so is:
• LD_LIBRARY_PATH
• The cache file /etc/ld.so.cache
• The default directories /lib and /usr/lib.
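Because LD_LIBRARY_PATH is consulted before the cache and the default directories, a quick review of where each library of a program was resolved from is a useful administrative check. The script below is an added example, not from the book; it runs over constructed ldd output (the /tmp/override line stands in for a directory reached through LD_LIBRARY_PATH) and flags libraries that resolve outside /lib or /usr/lib, or are not found at all.

```shell
#!/bin/sh
# Added example, not from the book: a screen over ldd output. A library that
# resolves somewhere other than /lib or /usr/lib deserves a look (ld.so searches
# LD_LIBRARY_PATH first), and a "not found" entry means the program cannot start.

# Constructed ldd output; the /tmp/override line stands in for an LD_LIBRARY_PATH hit.
SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffd3e5f9000)
    libc.so.6 => /lib/libc.so.6 (0x00007f0d8a2f0000)
    libhelper.so.1 => /tmp/override/libhelper.so.1 (0x00007f0d8a1e0000)
    libmissing.so.2 => not found
    /lib/ld-linux.so.2 (0x00007f0d8a4f0000)'

# Reads ldd output on stdin and prints one finding per suspicious line.
# For "name => path (addr)" lines awk sees the path as field 3.
ldd_findings() {
    awk '
        / => not found$/ { print "missing: " $1; next }
        / => /           { if ($3 !~ /^\/(usr\/)?lib/) print "outside default dirs: " $1 " -> " $3 }
    '
}

# Wrapper for a real binary, e.g. ldd_check /bin/cp
ldd_check() {
    ldd "$1" | ldd_findings
}

demo() {
    printf '%s\n' "$SAMPLE_LDD" | ldd_findings
}

demo
```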


Exercises • Exercises results

Detailed Objective
Weight: 3
Description: Candidates should be able to perform package management using the Debian package manager.
• Key knowledge area(s):
• Install, upgrade and uninstall Debian binary packages.
• Find packages containing specific files or libraries which may or may not be installed.
• Obtain package information like version, content, dependencies, package integrity and installation status (whether or not the package is installed).
• The following is a partial list of the used files, terms and utilities:
• /etc/apt/sources.list
• dpkg
• dpkg-reconfigure
• apt-get
• apt-cache
• aptitude

Package Structure
In order to understand how to use Debian's package management system, it is useful to first understand how a Debian package is named. For example, the package ncftp_3.1.3-1_i386.deb has 5 major parts:
• ncftp - the name of the program/application/library
• 3.1.3 - the version of the program/application/library assigned by the original (upstream) author(s)
• 1 - the revision number of the package assigned by the person(s) who packaged the program for a Debian system
• i386 - the architecture the packaged program is designed to run on
• .deb - signifies this is a Debian package

Note that there is special significance to the use of underscores(_) and hyphens(-); an underscore shall separate the name of the program and its version, a hyphen shall separate a version number and the revision number, and an underscore shall separate the revision number and the architecture.
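The naming rule above, applied in code as an added example that is not part of the book: a shell function that splits a .deb file name into its parts. It goes one step beyond the text in that it splits on the last hyphen, because an upstream version may itself contain hyphens, and treats a name without a hyphen as a native package with no Debian revision. All file names other than ncftp_3.1.3-1_i386.deb are constructed.

```shell
#!/bin/sh
# Added example, not from the book: split a Debian package file name into the five
# parts described above. "_" separates name from version and revision from
# architecture; the LAST "-" separates upstream version from Debian revision,
# because the upstream version itself may contain hyphens.

# Prints "name version revision arch" ("-" as revision when the package is
# native, i.e. has no Debian revision). Returns 1 for names that do not fit.
parse_deb_name() {
    f=${1##*/}                                  # drop any directory part
    case "$f" in
        *.deb) base=${f%.deb} ;;
        *) echo "not a .deb file name: $f" >&2; return 1 ;;
    esac
    name=${base%%_*}                            # up to the first "_"
    rest=${base#*_}                             # after the first "_"
    arch=${rest##*_}                            # after the last "_"
    fullver=${rest%_*}                          # between the two "_"
    if [ "$name" = "$base" ] || [ "$fullver" = "$rest" ] || [ -z "$name" ]; then
        echo "malformed package file name: $f" >&2   # fewer than two "_"
        return 1
    fi
    case "$fullver" in
        *-*) version=${fullver%-*}; revision=${fullver##*-} ;;
        *)   version=$fullver;      revision="-" ;;
    esac
    printf '%s %s %s %s\n' "$name" "$version" "$revision" "$arch"
}

demo() {
    # Constructed file names; only the first one comes from the text above.
    for f in ncftp_3.1.3-1_i386.deb \
             /var/cache/apt/archives/libexample_1.2-3-4_all.deb \
             nativetool_2.0_amd64.deb \
             not-a-package.tar.gz; do
        printf '%-55s -> ' "$f"
        parse_deb_name "$f" || echo "(rejected)"
    done
}

demo
```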

dpkg
dpkg is the "grandaddy" or "back-end" of the Debian Package Management System. Features present in the more advanced tools are not available in dpkg, but it is nevertheless a useful tool. Some notes:
• dpkg keeps its record of available packages in /var/lib/dpkg/available.
Some of the more common functions of dpkg used by administrators are:
Adding, Removing, and Configuring Packages
• dpkg {-i|--install} will install the specified package
• dpkg {-r|--remove} will remove the specified package (but leave the configuration files intact)


• dpkg {-P|--purge} will remove the specified package and the corresponding configuration files
• dpkg --root /target -i will install a package into an unbootable system by specifying the system root.
• dpkg --unpack will unpack (but not configure) a Debian archive into the filesystem of the hard disk
• dpkg --configure will configure a package that has already been unpacked
Querying Package Information
• dpkg --info will print out the control file (and other information) for a specified package
• dpkg {-l|--list} will give you a list of installed packages.
• dpkg {-a|--pending}, given instead of a package name, acts on all packages that are unpacked but marked to be removed or purged in the file /var/lib/dpkg/status; they are removed or purged, respectively.
• dpkg -s (--status) will give you a description of an installed package
Updating Package Information
• dpkg --update-avail will replace the old information with the new information from the package file.
• dpkg --merge-avail will combine the old information with the new information from the package file.

dpkg-reconfigure
dpkg-reconfigure reconfigures packages after they have already been installed.
• dpkg-reconfigure package will reconfigure the initial installation settings
• dpkg-reconfigure --priority=medium package [...] sets the minimum priority of the questions that will be displayed
• dpkg-reconfigure --all will reconfigure all packages
• dpkg-reconfigure locales will generate any extra locales
• dpkg-reconfigure --priority=low xserver-xfree86 will reconfigure the X server

Dselect
The utility that allows you to easily add/remove packages on Debian is dselect. Its menu steps are:
• Choose the access method to use.
• Update list of available packages, if possible.
• Request which packages you want on your system.
• Install and upgrade wanted packages.
• Configure any packages that are unconfigured.
• Remove unwanted software.

dselect has an interactive menu that allows you to install/remove packages. Care must be taken with this utility: you can damage your system. Dselect menu example:

Debian `dselect' package handling frontend.
0. [A]ccess    Choose the access method to use.
1. [U]pdate    Update list of available packages, if possible.
2. [S]elect    Request which packages you want on your system.
3. [I]nstall   Install and upgrade wanted packages.
4. [C]onfig    Configure any packages that are unconfigured.
5. [R]emove    Remove unwanted software.
6. [Q]uit      Quit dselect.

$ dselect - list of access methods
  Abbrev.        Description
* multi_cd       Install from a CD-ROM set.
  cdrom          Install from a CD-ROM.
  nfs            Install from an NFS server (not yet mounted).
  multi_nfs      Install from an NFS server (using the CD-ROM set) (not yet mounted).
  harddisk       Install from a hard disk partition (not yet mounted).
  mounted        Install from a filesystem which is already mounted.
  multi_mount    Install from a mounted partition with changing contents.
  floppy         Install from a pile of floppy disks.
  apt            APT Acquisition [file,http,ftp]

apt-get
If you know the name of a package you want to install, use apt-get. You must configure the sources.list file; this same file is used when you choose the apt access method of dselect. Its location is /etc/apt.
• apt-get install package will search its database for the most recent version of this package and will retrieve and install it from the corresponding archive as specified in sources.list. In the event that this package depends on another, APT will check the dependencies and install the needed packages.
• apt-get install package=version will install a package at the version specified
• apt-get install -o DPkg::options::="--force-overwrite" package installs a package ignoring "error processing ..., which is also in package ..." errors.
• apt-get remove package will remove the specified package but keep its configuration files.
• apt-get --purge remove package will remove the specified package and its configuration files.
• apt-get -u install package will upgrade and install a specific package.
• apt-get -u upgrade will upgrade the packages within the same distribution, except those which have been kept back because of broken dependencies or new dependencies.
• apt-get -u dist-upgrade will upgrade an entire Debian system at once.

apt-file • apt-file search will search for a package which includes the specified file. • apt-file list will list the contents of a package matching the pattern. This action is very close to the dpkg -S command except the package does not need to be installed or fetched.

Apt-cache
To find the name of a package that you want to install, use apt-cache. The main apt-cache options are:
• add - Add a package file to the source cache
• showpkg - Show some general information for a single package
• stats - Show some basic statistics
• search - Search the package list for a regex pattern
• show - Show a readable record for the package
• depends - Show raw dependency information for a package
user@host:~$ apt-cache search gimp
babygimp - An icon editor in Perl-Tk
blackbook - GTK+ Address Book Applet
cupsys-driver-gimpprint - Gimp-Print printer drivers for CUPS
escputil - A maintenance utility for Epson Stylus printers
filmgimp - A motion picture editing and retouching tool

Resources
APT HOWTO: http://www.debian.org/doc/manuals/apt-howto/index.en.html
dselect Documentation for Beginners: http://www.debian.org/doc/manuals/dselect-beginner/

Exercises • Exercises results
1. Install a system with Debian.
2. Get familiar with dselect and remove the tcpdump utility.
3. Install back with apt-get the package that contains the tcpdump utility.
4. Try kpackage to install ethereal.

Red Hat Package Manager is a powerful package manager, which can be used to build, install, query, verify, update, and erase individual software packages. A package consists of an archive of files and meta-data used to install and erase the archive files. The meta-data includes helper scripts, file attributes, and descriptive information about the package. Packages come in two varieties: binary packages, used to encapsulate software to be installed, and source packages, containing the source code and recipe necessary to produce binary packages.

Detailed Objective
Weight: 3
Description: Candidates should be able to perform package management using RPM and YUM tools.
• Key knowledge area(s):
• Install, re-install, upgrade and remove packages using RPM and YUM.
• Obtain information on RPM packages such as version, status, dependencies, integrity and signatures.
• Determine what files a package provides, as well as find which package a specific file comes from.
• The following is a partial list of the used files, terms and utilities:
• rpm
• rpm2cpio
• /etc/yum.conf
• /etc/yum.repos.d/
• yum
• yumdownloader


Red Hat Package Manager
Some Linux distributions use rpm, the "Red Hat Package Manager", for all their distribution software. RPM maintains a detailed database of all software installed on the system.
To install an RPM package, do:
rpm -i [package].rpm
The package will be installed only if its dependencies are met and there is no conflict with another package.
To upgrade a package, do:
rpm -U [package].rpm
The files of the old package version will be removed and replaced by the new files.
To remove an RPM package, do:
rpm -e [package]
The package name (not the .rpm file name) is given here. The package will be removed only if no other package depends on it.

RPM Queries
With the -q option you can query the RPM database or display information about a package file. There are several switches that you can use:
• -i: to get package information
rpm -q -i apache
• -l: to get the file list of a package.
$ rpm -q -l pciutils
/sbin/lspci
/sbin/setpci
/usr/share/doc/package/pciutils
...
/usr/share/pci.ids
• -f file: query which package a file belongs to.
$ rpm -q -f /sbin/lspci
pciutils-2.1.9-58
• -s: file list with status information.
• -d: list only documentation files.
• -a: list all the installed packages.
If you want to display information about a package file rather than an installed package, specify the file name with the -p switch:
rpm -q -i -p [package].rpm


RPM Commands
To get general information on a package or program, use rpmlocate:
rpmlocate ipcs
Searching for ipcs in rpm db:
util-linux-2.11n-75:
/usr/bin/ipcs
/usr/share/man/man8/ipcs.8.gz
To list all the installed packages, use rpmqpack:
rpmqpack
Alternatively use:
rpm -qa

Source Installation
The RPM source files generally have the format package.src.rpm and can be installed the same way as binaries. The directories under /usr/src/packages where they will be installed are:
• SOURCES: For the original sources.
• SPECS: For the .spec file that controls the build process.
• BUILD: All the sources are built in this directory.
• RPMS: Where the complete binary packages are stored.
• SRPMS: The source packages.
To install the source of a package, do:
$ rpm -i mypack.src.rpm
The source files will be stored under /usr/src/packages in the directories SPECS and SOURCES. To compile the sources, do:
$ rpm -ba /usr/src/packages/SPECS/mypack.spec
(Current rpm releases moved the build commands to a separate program: rpmbuild -ba mypack.spec.) The result of the compilation will be stored in the BUILD directory.

Exercises • Exercises results 1. Is the apache package installed? 2. In which package are the files /bin/ls, /usr/sbin/tcpdump, and /sbin/ifconfig? 3. From the floppy disk install the pci utilities and grub packages. Build the binaries and try to execute them. The sources should be in the /usr/src/packages/BINARY directory.


GNU & UNIX Commands
Detailed Objective
Weight: 4
Description: Candidates should be able to interact with shells and commands using the command line. The objective assumes the bash shell.
• Key knowledge area(s):
• Use single shell commands and one-line command sequences to perform basic tasks on the command line.
• Use and modify the shell environment including defining, referencing and exporting environment variables.
• Use and edit command history.
• Invoke commands inside and outside the defined path.
• The following is a partial list of the used files, terms and utilities:
• .
• bash
• echo
• env
• exec
• export
• pwd
• set
• unset
• man
• uname
• history

Command line
Command lines have a common form:
command [options] [arguments]
Examples:
pwd
ls -ld or ls -l -d or ls -d -l
rm -r /tmp/toto
cat ../readme helpme > save
more /etc/passwd /etc/hosts /etc/group
find . -name '*.[ch]' -print
date "+day is %a"
(The find pattern is quoted so that the shell passes it to find unexpanded; see Shell and wildcards below.) Command lines can be stored in a file to make a script. To display a string on the standard output (stdout), use echo.
echo [-n] [string|command|$variable]
echo my home directory is: $HOME
echo I use the $SHELL shell


Shells and Bash
The order of precedence of the various sources of commands when you type a command to the shell is:
• Aliases
• Keywords, such as if, for and more.
• Functions
• Built-ins like cd, type, and kill.
• Scripts and executable programs, for which the shell searches in the directories listed in the PATH environment variable.
If you need to know the exact source of a command, do:
$ type kill
kill is a shell builtin
Not the same as: /bin/kill
To list all the built-in commands use help.
/bin/bash
/bin/bash can be invoked at login time or explicitly from the command line. At login time the following script files will be executed:
• /etc/profile default system file
• $HOME/.profile if it exists
• $HOME/.bash_profile if it exists
When bash is executed, the following script files will be executed:
• /etc/bash.bashrc if it exists
• $HOME/.bashrc if it exists
When a user explicitly invokes a bash shell, the following script files will be executed:
• /etc/bash.bashrc if it exists
• $HOME/.bashrc if it exists
The history of commands typed at the bash shell is stored in ~/.bash_history. A script is a list of commands and operations saved in a text file to be executed in the context of the shell. The bash start-up scripts are intended to set up your environment variables and more.
Overlay /bin/bash
Each time you execute a program a new process is created. When the program terminates, the process is terminated and you get your prompt back. You can run a program in the background by adding '&' after the command:
myscript &
In some situations it is also possible to overlay the running bash process with another program:
exec [program]
This is useful when you don't need to get the prompt back. The login program is a good example of a program that overlays the bash process from which it has been started:
exec login


Shell variables
All the variables local to the bash session can be viewed with set. To declare a local variable, do:
VARNAME=foo
To unset a variable, do:
unset VARNAME
All the environment variables can be viewed with env. To declare a variable that will be seen by other shells, use export:
export VARNAME=foo
or
VARNAME=foo
export VARNAME
An exported variable is only seen by shells (and other programs) started from the shell in which it was declared; it is never passed back to the parent shell. Here are some important variables:
• HOME: Home directory of the logged-in user.
• PATH: Command search path.
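The difference between a local assignment and export, shown as an added example that is not part of the book. Each function starts a fresh child shell (sh -c, the equivalent of typing bash at the prompt) or a subshell and reports what it sees of DEMO_VAR, a name chosen for this example.

```shell
#!/bin/sh
# Added example, not from the book: what a child process inherits from the
# shell's variables. A plain assignment stays in the current shell; export puts
# the variable in the environment, which every program started from here inherits.

# Declares DEMO_VAR either locally or exported, then asks a brand-new shell
# (like typing "bash" at the prompt) what it sees. $1 is "local" or "export".
child_sees() {
    (
        unset DEMO_VAR                      # also drops any earlier export attribute
        if [ "$1" = export ]; then
            export DEMO_VAR=foo
        else
            DEMO_VAR=foo
        fi
        sh -c 'echo "${DEMO_VAR-unset}"'
    )
}

# Variables never travel upward: exporting in a child has no effect on the parent.
parent_after_child_export() {
    unset DEMO_VAR
    ( export DEMO_VAR=bar )                 # a subshell, like a script run as ./script
    echo "${DEMO_VAR-unset}"
}

# set lists every variable of the session; env lists only the exported ones.
in_env() {                                  # returns 0 if variable $1 appears in env
    env | grep -q "^$1="
}

demo() {
    echo "local assignment, child sees: $(child_sees local)"          # unset
    echo "exported, child sees:         $(child_sees export)"         # foo
    echo "parent after child export:    $(parent_after_child_export)" # unset
    LOCAL_ONLY=1
    export EXPORTED=1
    in_env EXPORTED   && echo "EXPORTED is in env"
    in_env LOCAL_ONLY || echo "LOCAL_ONLY is not in env (only set shows it)"
}

demo
```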

Man pages
The online manuals describe most of the commands available on your system.
man mkdir
man cal
If you are looking for a keyword in all the man pages, use the -k option:
man -k compress
apropos compress
The location of all the man pages must be set in the MANPATH variable.
echo $MANPATH
/usr/local/man:/usr/share/man:/usr/X11R6/man:/opt/gnome/man

Exercises
1. Get information on the useradd and userdel commands.
2. Create two new accounts user1 and user2 and set the passwords of those accounts with the passwd command. As root, lock the accounts and check if you can still log in.
3. What is the command to concatenate files?
4. Declare and initialize the following environment variables: NAME and LASTNAME. Use echo to print them out.
5. Start a new bash (type bash) and check that you can still see those declared variables.
6. Use exec to start a new bash session. Can you still see those declared variables?
7. Use date to display the month.
8. Add a new user named notroot with root's rights and lock the root account.
• Exercises results


Detailed Objective
Weight: 3
Description: Candidates should be able to apply filters to text streams.
• Key knowledge area(s):
• Send text files and output streams through text utility filters to modify the output using standard UNIX commands found in the GNU textutils package.
• The following is a partial list of the used files, terms and utilities:
• cat
• cut
• expand
• fmt
• head
• od
• join
• nl
• paste
• pr
• sed
• sort
• split
• tail
• tr
• unexpand
• uniq
• wc

Pattern matching and wildcards
Wildcards are pattern matching characters commonly used to find file names or text within a file. Common uses of a wildcard are: locating file names that you don't fully remember, locating files that have something in common, or performing operations on multiple files rather than on individual ones. The shell interprets these special characters:
! @ # $ % ^ & * ( ) { } [ ] | \ ; ~ ' " ` ?
The characters used for wildcards are:
? * [ ] ~
If you use the wildcard characters, the shell will try to expand them into matching file names. Try the following:
echo all files *
Special wildcard characters:
? Match any one character.
* Any string
[abcfghz] One character from the set
[a-z] One character in the range
[!x-z] Not in the set
~ Home directory
~user User's home directory
Examples:
? One-character file names only
[aA]??? Four characters, starting with a or A.
~toto Path name of toto's home directory
[!0-9]* All strings not starting with a number.
What about these commands?
ls [a-z][A-Z]??.[uk]
ls big*
ls a???a
ls ??*

Shell and wildcards A shell command line can be a simple command or more complex. ls -l [fF]* ls *.c | more ls -l [a-s]* | mail `users` The first event in the shell is to interpret wildcards. Only the shell interprets unquoted wildcards.

Quoting and Comments
Quoting
Quote to prevent the shell from interpreting the special characters and to turn multiple words into one shell word.
• 'string' - Nearly everything within the quotes is literal:
echo 'He did it, "Why?"'
echo 'Because "#@&^:-)"'
echo '$VAR='Me
• "string" - Like 'string', except that $, \, ! and ` are still interpreted:
echo "What's happening?"
echo "I don't know but check this $ANSWER"
• The backslash (\) treats the following character as literal:
echo \$VAR=Me
echo What\'s happening\?
• How could we display the backslash? With the following line:
echo \\


Comments
You can add comments in a command line or a script. Use the character #. A white space must immediately precede the #. Examples:
echo $HOME # Print my home directory
echo "### PASSED ###" # Only this part is a comment
echo The key h#, not g was pressed.
Commands
• cat, tac: Concatenate files and print on the standard output, from beginning to end or end to beginning, respectively.
• head, tail: Output the first and last part of files.
• nl: Number lines of files.
• wc: Print the number of lines, words, and bytes (in that order) in files.
• cut: Remove sections from each line of files.
• tr: Translate or delete characters.
• expand, unexpand: Convert tabs to spaces and spaces to tabs.
• paste: Merge lines of files.
• join: Join lines of two files on a common field.
• uniq: Remove duplicate lines from a sorted file.
• split: Split a file into pieces.
• fmt: Simple optimal text formatter.
• pr: Convert text files for printing.
• sort: Sort lines of text files.
• od: Dump files in octal and other formats.

Concatenate files
To concatenate files, use cat.
cat [options] [files...]
tac [options] [files...]
The results are displayed on the standard output.
Common options:
-s: never more than one single blank line.
-n: number all output lines.
Examples:
cat file # Display file on the standard output.
cat chapter* # Display all chapters on the standard output.
cat -n -s file # Display file with line numbers and single blank lines.
To concatenate files in reverse order, use tac.


View the beginning and the end of a file
To view only a few lines at the beginning or at the end of a file, use head or tail.
head [options] [files...]
tail [options] [files...]
The results are displayed on the standard output.
Common options:
-n #: number of lines to be displayed. (head and tail)
-c #: number of bytes to be displayed. (head and tail)
-f: follow: keep printing data appended to the file. (tail)
-s #: with -f, check for new data every # seconds. (tail)
Examples:
head file # Display the first 10 lines of file.
head -n 2 file # Display the first 2 lines of file.
tail -c 10 file # Display the last 10 bytes of file.
tail -f -s 1 /var/log/messages # Display the last 10 lines of messages, block, and check for new data every second.

Numbering file lines
To add line numbers to a file, use nl.
nl [options] [files...]
The results are displayed on the standard output.
Common options:
-i #: increment line numbers by #.
-b: numbering style:
  a: number all lines
  t: number non-empty lines only
  n: number no lines
-n: numbering format:
  rz: right justified, zero padded
  ln: left justified.
Examples:
nl file # Add the line number to each line in the file.
nl -b t -n rz file # Add the line number to each non-empty line, in zero-padded format.


Counting items in a file
To print the number of lines, words and bytes of a file, use wc.
wc [options] [files...]
The results are displayed on the standard output.
Common options:
-c: print the size in bytes.
-m: print the number of characters.
-w: print the number of words.
-l: print the number of lines.
-L: print the length of the longest line.
Examples:
wc *.[ch] # Display the number of lines, words, and bytes for all .c or .h files.
wc -L file # Display the length of the longest line.
wc -w file # Display the number of words.

Cutting fields in files
To remove sections from each line of files, use cut.
cut [options] [files...]
The results are displayed on the standard output.
Common options:
-b #: Extract the byte at position #.
-f #: Extract field number #.
-d c: Use c as the field delimiter.
Examples:
cut -b 4 file # Extract and display the 4th byte of each line of file.
cut -b 4,7 file # Extract and display the 4th and 7th byte of each line.
cut -b -2,4-6,20- file # Extract bytes 1 and 2, 4 to 6, and 20 to the end of the line, for each line of file.
cut -f 1,3 -d: /etc/passwd # Extract the username and UID of each line in /etc/passwd.
The default delimiter is TAB but it can be changed with -d.

Character conversion
To translate characters from the standard input (stdin) to the standard output, use tr.
tr [options] SET1 SET2
Common options:
-d: delete the characters in SET1.
-s: replace a sequence of repeated characters in SET1 by one.
Examples:
tr 'a' 'A' # Translate lowercase a to A
tr '[A-Z]' '[a-z]' # Translate uppercase to lowercase
tr -d ' ' # Delete all spaces from the input
To convert tabs to spaces, use expand, and to convert spaces to tabs, use unexpand.
expand file
unexpand file

Line manipulation
To paste the lines of several files side by side, use paste.
paste [options] [files...]
Common options:
-d #: delimiter: use # as the delimiter.
-s: serial: paste one file at a time.
Examples:
paste f1 f2           # Display each line of f1 followed by the corresponding line of f2.
paste -d: file1 file2 # Use ':' as the delimiter.
To join the lines of two files on a common field, use join.
join file1 file2
To remove duplicated lines, use uniq. Only adjacent duplicates are detected, so the input is usually sorted first.
uniq [options] [files...]
Common options:
-d: only print duplicated lines.
-u: only print unique lines.
-c: prefix each line with its number of occurrences.
Examples:
uniq -cd file # Display the duplicated lines with their count.
Splitting files
To split big files, use split.
split [options] file
Common options:
-l #: split every # lines.
-b #: split every # bytes; the number can be suffixed with b for 512-byte blocks, k for kilobytes, m for megabytes.
Examples:
split -l 25 file  # Split file into 25-line files.
split -b 512 file # Split file into 512-byte files.
split -b 2b file  # Split file into 2*512-byte files.


Formatting for printing
To reformat the paragraphs of a file, use fmt.
fmt [options] [files...]
Common options:
-w #: maximum line width.
Examples:
$ fmt -w 35 file # Display lines with a maximum width of 35 characters.
To format a file for a printer, use pr.
pr [options] [files...]
Common options:
-d: double space.
Examples:
$ pr -d file # Format file with double spacing.

Sort lines of text files
To sort the lines of the named files, use sort.
sort [options] file
The results are displayed to the standard output.
Common options:
-r : Reverse
-f : Ignore case
-n : Numeric
-o file: Redirect output to file
-u : No duplicate records
-t; : Use ';' as delimiter, rather than tab or space.
Examples:
sort file -r         # Sort file in reverse order.
sort file -ro result # Sort file in reverse order and write the output to the file result.

Binary file dump
To dump a binary file, use od.
od [options] file
The results are displayed to the standard output; each line starts with an offset address in octal format.
Common options:
-c: each byte as a character
-x: 2-byte units in hex
-d: 2-byte units in decimal
-X: 4-byte units in hex
-D: 4-byte units in decimal
Examples:
$ od -cx /bin/ls # Dump /bin/ls as characters and 2-byte hex words; the output starts with the ELF magic: 0000000 177 E L F ...


Exercises
1. Use wildcard characters and list all filenames that contain any character followed by 'in' in the /etc directory.
2. Use wildcard characters and list all filenames that start with any character between 'a' and 'e', that have at least two more characters, and that do not end with a number.
3. Use wildcard characters and list all filenames of exactly 4 characters and all filenames starting with an uppercase letter. Do not descend into any directory found.
4. Use wildcard characters and list all files that contain 'sh' in /bin.
5. Display your environment variable HOME preceded by the string "$HOME value is:".
6. Display the contents of $SHELL with two asterisk characters before and after it.
7. How would you display the following string of characters as is with echo, using double quotes and \?
   • @#$%^&*()'"\
8. Compose echo commands to display the following two strings:
   • That's what he said!
   • 'Never Again!' he replied.
9. Display the number of words in all files that begin with the letter 'h' in the /etc directory.
10. How would you send a 2M (megabyte) file on two 1.44M floppies? How would you put the split file back together?
11. What is the command to translate the : delimiter in /etc/passwd to #?
• Exercises results

Detailed Objective
Weight: 4
Description: Candidates should be able to use basic Linux commands to manage files and directories.
• Key knowledge area(s):
• Copy, move and remove files and directories individually.
• Copy multiple files and directories recursively.
• Remove files and directories recursively.
• Use simple and advanced wildcard specifications in commands.
• Use find to locate and act on files based on type, size, or time.
• Usage of tar, cpio and dd.
• The following is a partial list of the used files, terms and utilities:
• cp
• find
• mkdir
• mv
• ls
• rm
• rmdir
• touch
• tar
• cpio
• dd
• file
• gzip
• gunzip
• bzip2
• file globbing

Create and Remove directories
To create a directory, use mkdir.
mkdir [options] dir
Common options:
-m mode: set the permission mode. By default the umask is applied.
-p parent: create parent directories as needed.
Examples:
mkdir -m 0700 bin
mkdir -p bin/system/x86
To delete an empty directory, use rmdir.
rmdir [options] dir
Common options:
-p parent: remove empty parent directories as well.
Examples:
rmdir tmp
rmdir -p bin/system/x86

Copy files and directories
To copy one file to another, or to a directory, use cp.
cp [options] source target
Source and target can be a file or a directory.
Common options:
-i interactive: prompt before overwriting.
-r recursive: copy the subdirectories and their contents. Use -R for special files.
-f force: force the overwriting.
The default is to silently clobber the target file. (This does not alter the source.)
Examples:
cp *.[a-z] /tmp
cp readme readme.orig
cp ls /bin
cp -ri bin/* /bin

Move & Rename files
To rename a file or directory, or to move a file or directory to another location, use mv.
mv [options] source target
Source and target can be a file or a directory.
Common options:
-i interactive: prompt before overwriting.
-f force: force the overwriting.
-v verbose: report each move as it is done.
The default is to silently clobber the target file.
Examples:
mv *.[a-z] /tmp
mv readme readme.orig
mv ls /bin
mv -fi bin/* /bin

Listing filenames and information
The command to list files in the current directory is ls.
ls [options] [filenames]
Common options are:
-l For a long format
-F Append a file type character
-a All files, including hidden files
-R Recursive listing of the subtree
-d Do not descend into directories
The ls command is equivalent to the dir command on DOS.
Examples of ls output:
$ ls -l /bin/ls
-rwxr-xr-x 1 root root 46784 mar 23 2002 /bin/ls
$ ls -ld /bin
drwxr-xr-x 2 root root 2144 nov 5 11:55 /bin
$ ls -a
. .bash_history .bash_profile .bashrc ...
$ ls -dF /etc .bashrc /bin/ls
.bashrc /bin/ls* /etc/


File types
The long format means:
$ ls -l /etc/hosts # List a long format of the file hosts
-rw-r--r-- 1 root root 677 Jul 5 22:18 /etc/hosts
File content and location
Linux/Unix does not distinguish files by filename extension, as Windows does. To determine the file content, use file.
$ file /etc .bashrc /bin/ls /dev/cdrom
/etc:       directory
.bashrc:    ASCII English text
/bin/ls:    ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), stripped
/dev/cdrom: symbolic link to /dev/hdc
To determine if a command is a built-in shell command or a program, use type, and use which to find its location.
$ type cp cd ls which type
cp is /bin/cp
cd is a shell builtin
ls is aliased to `ls $LS_OPTIONS'
which is aliased to `type -p'
type is a shell builtin
$ which cut
/usr/bin/cut

Creating and using filenames
Files can be created with:
• I/O redirection
  cat chapter1 chapter2 > book
• An editor, such as vi.
  vi mynewfile
• Many of the Unix utilities
  cp file newfile
• An application
  netscape
• The touch command, which creates empty files (or updates the "date modified" of existing files)
  touch memo
A valid filename may have (or be):
• Maximum 255 characters per filename
• Any character except the forward slash '/'
• Recommended: alphanumeric characters as well as plus, minus, and underscore characters.
• Case sensitive ('A' and 'a' are treated differently)
Characters to avoid
• Hyphen character, especially at the start of a name, where it is taken for an option.
  touch my-file -lt
• White space.
  touch more drink
  touch "more drink"
• Most other special characters !@#$%^&*():;"'}{|\.?~`
  touch memo*

Remove files or directories
To remove files or directory subtrees, use rm.
rm [options] files
files can be a file or a directory.
Common options:
-i interactive: prompt before each removal.
-f force: remove without prompting, ignoring nonexistent files.
-r recursive: remove directory subtrees and their contents.
There is no 'unremove' or 'undelete' command.
Examples:
rm *.[a-z]
rm readme readme.orig
rm ls /bin
rm -rfi /bin
cd; rm -rf * .* # This removes all files in the home directory of the current user, as well as those in the subdirectories therein!

Locating files in a subtree directory
To search for a file in a directory subtree, use find.
find [subtrees] [conditions] [actions]
The command can take multiple conditions and will search recursively in the subtree.
Some possible conditions are:
-name [FNG]     # Search for the FNG (file name generation pattern) name
-type c         # Type of file [bcdfl]
-size [+-]#     # Has a +- size in 512-byte blocks (c: bytes, k: kilobytes)
-user [name]    # Owned by user
-atime [+-]#    # Accessed days ago. +n means the file has not been accessed for the last n days; -n means the file has been accessed in the last n days.
-mtime [+-]#    # Modified days ago
-perm nnn       # Has permission flags nnn
Some possible actions are:
-print          # Print the pathname
-exec cmd {} \; # Execute cmd on the file
-ok cmd {} \;   # Same as -exec but ask first
Examples:
find . -name '*.[ch]' -print
find /var /tmp . -size +20 -print
find ~ -type c -name '*sys*' -print
find / -type f -size +2c -exec rm -i {} \;
find / -atime -3 -print
find ~jo ~toto -user chloe -exec mv {} /tmp \;
To locate the binary, source file, or man page of a command, use whereis.
whereis [options] name
Common options:
-b: Search only for binaries.
-m: Search only for manual sections.
-s: Search only for sources.
Examples:
$ whereis host
host: /usr/bin/host /etc/host.conf /usr/share/man/man1/host.1.gz
$ whereis -m host
host: /usr/share/man/man1/host.1.gz
To locate a program in the directories listed in the PATH variable, use which.
$ which -a ls
/bin/ls
The -a option looks for all possible matches in PATH, not just the first one.

Exercises
1. Compose an interactive command to remove all .tmp files in your home directory. Respond y to every prompt.
2. List all the files in the users' home directories ending with .pdf that are bigger than 50 blocks and have not been accessed for a month.
3. Create a file file.h that will contain all the filenames ending with .h found in the /usr directory.
4. Do a touch on all the c files found in the /usr/src/packages directory.
5. What are the default permissions when you create a new file and a new directory?
6. How would you create a new file or directory that contains a space in the filename? (Example: 'new dir')
7. What is the command to remove all the files of types char and block in your home directory?
8. How would you find the location of the program find?
9. Delete all files in /tmp which are not owned by root and have not been accessed for a week.
• Exercises results


Detailed Objective
Weight: 4
Description: Candidates should be able to redirect streams and connect them in order to efficiently process textual data. Tasks include redirecting standard input, standard output and standard error, piping the output of one command to the input of another command, using the output of one command as an argument for another command and sending output to both standard output and a file.
• Key knowledge area(s):
• Redirect standard input, standard output and standard error.
• Pipe the output of one command to the input of another command.
• Use the output of one command as an argument to another command.
• Send output to both standard output and a file.
• The following is a partial list of the used files, terms and utilities:
• tee
• xargs

Standard input and standard output
For each command executed in a terminal, there is: a standard input, value 0 (default: keyboard); a standard output, value 1 (default: terminal); and a standard output for errors, value 2 (default: terminal). Each channel can also be identified by an address: &0 for input, &1 for output, and &2 for errors. Each channel [n] can be redirected.
[n]< file: The default value of n is 0; it reads the standard input from file.
[n]> file: The default value is 1; it sends the standard output to file, overwriting the file if it exists (thus clobbering the file).
[n]>>file: The default value is 1; it appends the standard output to file.
Examples:
book                     # out=book, in=none, error=terminal
mv /etc/* . 2>error      # out=terminal, in=none, error=error
echo end of file >> book # out=book, in=none, error=terminal
set -o noclobber         # The shell does not clobber existing files.
ls > list 2>&1           # ls output and errors are redirected to list.
ls 2>&1 > list           # Errors are redirected to the standard output (the terminal) and ls output is redirected to list.

cat `ls /etc/*.conf` > conffile 2>>/tmp/errors # Concatenate all the configuration files from the /etc directory into conffile and append errors to the file /tmp/errors.
Redirecting with pipes
Pipes are an efficient way to apply multiple commands concurrently.
command1 | command2
The standard output of command1 is piped to the standard input of command2. The standard error is not piped.
Examples:
ls -l /dev | more
ls -l /etc/*.conf | grep user | grep 500
ls -l /bin | mail `users`
To redirect the standard output to a file and to the terminal at the same time, use tee.
ls -l /dev | tee file
ls -l /etc | tee -a file # Append to the file
Building arguments
The xargs utility constructs an argument list for a command from its standard input.
xargs [options] [command]
It is typically used with a pipe.
Common options:
-p: prompt the user before executing each command.
Examples:
ls f* | xargs cat # Print to the standard output the contents of all files starting with f.
find ~ -name 'proj1*' -print | xargs cat # Search the home directory for files starting with proj1 and pass them as arguments to cat.
Use the /dev/null device file to discard output or error messages. Try the following:
grep try /etc/*
grep try /etc/* 2> /dev/null
grep try /etc/* > /dev/null 2> /dev/null
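The difference between "ls > list 2>&1" and "ls 2>&1 > list", the effect of noclobber and the -a option of tee, as an added example that is not part of the book; "emit" is a constructed stand-in for a command that writes to both standard output and standard error, and the temporary files are created with mktemp.

```shell
#!/bin/sh
# Added example (not from the book): shows why the order of redirections
# matters, what 'set -o noclobber' protects, and how 'tee -a' appends.
# 'emit' is a constructed stand-in for a command like ls that writes to
# both standard output (fd 1) and standard error (fd 2).
emit() {
    echo "out line"
    echo "err line" >&2
}

# Number of lines in a file, without the padding some wc versions print.
count_lines() {
    wc -l < "$1" | tr -d ' '
}

# "> file 2>&1": fd 1 is pointed at the file first, then fd 2 is made a copy
# of fd 1, so both lines land in the file. Returns 2.
lines_captured_file_first() {
    tmp=$(mktemp)
    emit > "$tmp" 2>&1
    n=$(count_lines "$tmp")
    rm -f "$tmp"
    echo "$n"
}

# "2>&1 > file": fd 2 is made a copy of fd 1 while fd 1 still points at the
# terminal, and only then is fd 1 sent to the file, so the error line never
# reaches the file. The braces stand in for the terminal by sending it to
# /dev/null, so the stray error line does not mix with the result. Returns 1.
lines_captured_stderr_first() {
    tmp=$(mktemp)
    { emit 2>&1 > "$tmp"; } > /dev/null
    n=$(count_lines "$tmp")
    rm -f "$tmp"
    echo "$n"
}

# With noclobber set, '>' refuses to overwrite an existing file ('>|' or '>>'
# are the explicit ways around it). Returns "protected" when the original
# content survived the attempted overwrite.
noclobber_check() {
    tmp=$(mktemp)
    echo "original" > "$tmp"
    ( set -o noclobber; echo "overwritten" > "$tmp" ) 2> /dev/null || true
    content=$(cat "$tmp")
    rm -f "$tmp"
    if [ "$content" = "original" ]; then echo "protected"; else echo "clobbered"; fi
}

# tee writes its input to the file and passes it on; -a appends instead of
# truncating. Returns 2 (both lines kept).
tee_append_count() {
    tmp=$(mktemp)
    echo "first" | tee "$tmp" > /dev/null
    echo "second" | tee -a "$tmp" > /dev/null
    n=$(count_lines "$tmp")
    rm -f "$tmp"
    echo "$n"
}
```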

Exercises
1. Create a file list.bin that will contain all the filenames from the /bin directory.
2. Write a command that will append the list of files from /usr/local/bin to the file named list.bin and discard any error output.
3. Split your list.bin file into files that are 50 lines long and remove list.bin.
4. From the split files recreate list.bin (but with inverted order).
5. Simplify the following commands:
   ls *.c | xargs rm
   ls [aA]* | xargs cat
   cat `ls *.v` 2>/dev/null
6. Use find to do the following command: more `ls *.c`
7. Write a command that will create a file list.sbin with the contents of /sbin and at the same time display it to standard output.
8. Create a file whose filename includes the creation time.
9. Create a file that will contain, in reverse order, all the filenames with extension .conf from the /etc directory.
• Exercises results


Detailed Objectives
Weight: 4
Description: Candidates should be able to perform basic process management.
• Key knowledge area(s):
• Run jobs in the foreground and background.
• Signal a program to continue running after logout.
• Monitor active processes.
• Select and sort processes for display.
• Send signals to processes.
• The following is a partial list of the used files, terms and utilities:
• &
• bg
• fg
• jobs
• kill
• nohup
• ps
• top
• free
• uptime
• killall

Create processes
A running application is a process. Every process has: a process ID, a parent process ID, a current directory PWD, a file descriptor table, a program which it is executing, environment variables (inherited from its parent process), stdin, stdout, stderr (standard error), and possibly even more (optional) traits. Bash is a program that becomes a process when it is executed. Each time you execute a command in a shell, a new process is created, except for the built-in shell commands, which run in the context of the shell itself. Use type to check if a command is a built-in shell command.
Example:
type cp ls which type

Monitor processes
To monitor the processes in real time, use top.
top - 9:20am up 2:48, 4 users, load average: 0.15, 0.13, 0.09
78 processes: 75 sleeping, 3 running, 0 zombie, 0 stopped
CPU states: 15.3% user, 0.3% system, 0.0% nice, 84.2% idle
Mem: 254896K av, 251204K used, 3692K free, 0K shrd, 27384K buff
Swap: 514072K av, 0K used, 514072K free 120488K cached
 PID USER     PRI NI  SIZE  RSS SHARE STAT %CPU %MEM  TIME COMMAND
1517 rarrigon   0  0 40816  39M 17372 R    15.0 16.0  2:59 mozilla-bin
1727 rarrigon  19  0   988  988   768 R     0.3  0.3  0:00 top
   1 root      20  0   220  220   188 S     0.0  0.0  0:04 init
   2 root      20  0     0    0     0 SW    0.0  0.0  0:00 keventd

RSS is the total amount of physical memory used by the task. SHARE is the amount of shared memory used by the task. %CPU is the task's share of the CPU time. %MEM is the task's share of the physical memory.
Once top is running it is also possible to execute interactive commands:
• Type N to sort tasks by pid.
• Type A to sort tasks by age (newest first).
• Type P to sort tasks by CPU usage.
• Type M to sort tasks by memory usage.
• Type k to kill a process (NOTE: You will be prompted for the process' pid).

Once the system is up and running, from a terminal it is possible to see which processes are running with the ps program. To display a long format of all the processes in the system, use the following:
ps -Al
  F S   UID   PID  PPID  C PRI  NI ADDR    SZ WCHAN  TTY          TIME CMD
004 S     0     1     0  0  80   0 -      112 do_sel ?        00:00:04 init
004 S     0   381     1  0  80   0 -      332 do_sel ?        00:00:00 dhcpcd
006 S     0  1000     1  0  80   0 -      339 do_sel ?        00:00:00 inetd
044 R     0  1524  1222  0  79   0 -      761 -      pts/3    00:00:00 ps

The ps program displays all the running processes with their PID numbers and other information. To see a long format of the processes in your login session, use:
ps -l
  F S   UID   PID  PPID  C PRI  NI ADDR    SZ WCHAN  TTY          TIME CMD
000 S   500  1154  1139  0  80   0 -      724 wait4  pts/4    00:00:00 bash
002 S   500  1285  1283  0  77   0 -    24432 wait_f pts/1    00:00:00 soffice.bin
040 R   500  1442  1435  0  79   0 -      768 -      pts/1    00:00:00 ps
F: Process flags. 002: being created, 040: forked but didn't exec, 400: killed by a signal.
S: Process states. R: runnable, S: sleeping, Z: zombie.
UID: User ID, PID: Process ID, PPID: Parent Process ID, C: CPU utilization (scheduler), PRI: priority, NI: nice value, SZ: size in memory, WCHAN: name of the kernel routine in which the process is waiting.

Kill processes
The ps program displays all the running processes with their PID numbers. Once the PID is known, it is possible to send signals to the process:
• SIGSTOP to stop a process.
• SIGCONT to continue a stopped process.
• SIGKILL to kill a process.
The program to send a signal to a process is called kill.
kill -SIGKILL [pid]
kill -63 [pid]
kill -l # List the available signals.
By default a process is started in the foreground and it is the only one to receive keyboard input. Use CTRL+Z to suspend it. To start a process in the background, use &.
bash &
xeyes &
In a bash process it is possible to start multiple jobs. The command to manipulate jobs is jobs.
jobs      # List all the active jobs
bg %job   # Resume job in the background
fg %job   # Resume job in the foreground
kill %job # Kill the background job
When bash is terminated, all processes that have been started from the session receive the SIGHUP signal, which by default terminates the process. To prevent the termination of a process, start the program with the nohup command.
nohup mydaemon

Exercises
1. How can you control CPU usage for PID 3196?
• Exercises results

Detailed Objective
Weight: 2
Description: Candidates should be able to manage process execution priorities.
• Key knowledge area(s):
• Know the default priority of a job that is created.
• Run a program with higher or lower priority than the default.
• Change the priority of a running process.
• The following is a partial list of the used files, terms and utilities:
• nice
• ps
• renice
• top

Priorities
To start a command with an adjusted priority, use nice.
nice -n +2 [command]
nice -n -19 [command]
The program nice changes the base time quantum of the scheduler. This means it informs the scheduler of how important a process is, which is used as a guide to how much CPU time to give it. For example, if you wanted to perform another task (such as listening to music) while ripping a CD, you could use the following:
nice -n +5 oggenc
Were you listening to music, you would not get any "hops" in the music playback, as the scheduler "knows" the oggenc process is less important. The values can go from -19 (highest priority) to +20 (lowest priority). The default value is 0. Only root can set a value below zero.
To modify the priority of a running program, use renice.
renice +1 -u root # Change the priority of all root processes.
renice +2 -p 193  # Change the priority of PID 193.
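The signals from the "Kill processes" section and the nice value from the "Priorities" section, exercised against a throw-away sleep process, as an added example that is not part of the book; it reads the state letter and the NI column with ps and falls back to /proc/<pid>/stat (the file ps itself reads on Linux) when ps is missing or does not accept -o/-p.

```shell
#!/bin/sh
# Added example (not from the book): drive a throw-away 'sleep' with the
# signals from "Kill processes" and with nice from "Priorities", and report
# what ps shows. Falls back to /proc/<pid>/stat (the file ps reads on Linux)
# if ps is missing or does not understand -o/-p.

# One letter of the STAT/S column for a pid: S sleeping, T stopped, R running,
# Z zombie; prints "gone" once the process no longer exists.
state_of() {
    st=$(ps -o stat= -p "$1" 2>/dev/null | tr -d ' ')
    if [ -z "$st" ] && [ -r "/proc/$1/stat" ]; then
        st=$(sed 's/.*) //' "/proc/$1/stat")
    fi
    if [ -z "$st" ]; then echo "gone"; else printf '%s\n' "$st" | cut -c1; fi
}

# The NI column for a pid (field 19 of /proc/<pid>/stat, field 17 once the
# "pid (comm)" prefix is stripped).
nice_of() {
    ni=$(ps -o ni= -p "$1" 2>/dev/null | tr -d ' ')
    if [ -z "$ni" ] && [ -r "/proc/$1/stat" ]; then
        ni=$(sed 's/.*) //' "/proc/$1/stat" | awk '{ print $17 }')
    fi
    echo "$ni"
}

# SIGSTOP, SIGCONT, SIGKILL in turn; returns the three observed states,
# expected "T S gone" (wait reaps the killed process so it is not left as Z).
stop_cont_kill_demo() {
    sleep 60 >/dev/null 2>&1 &
    pid=$!
    kill -STOP "$pid"; sleep 1; s1=$(state_of "$pid")
    kill -CONT "$pid"; sleep 1; s2=$(state_of "$pid")
    kill -KILL "$pid"; wait "$pid" 2>/dev/null || true
    s3=$(state_of "$pid")
    echo "$s1 $s2 $s3"
}

# SIGHUP with and without nohup: the plain job dies, the nohup one ignores
# the signal and has to be killed explicitly. Expected "gone S".
hup_demo() {
    sleep 60 >/dev/null 2>&1 &
    plain=$!
    nohup sleep 60 >/dev/null 2>&1 &
    protected=$!
    kill -HUP "$plain" "$protected"
    wait "$plain" 2>/dev/null || true     # reap it so it does not linger as a zombie
    sleep 1
    r1=$(state_of "$plain")
    r2=$(state_of "$protected")
    kill -KILL "$protected" 2>/dev/null || true
    wait "$protected" 2>/dev/null || true
    echo "$r1 $r2"
}

# nice -n 5 lowers the priority by 5 relative to the shell's own nice value;
# returns the difference seen in the NI column, expected 5.
nice_demo() {
    sleep 60 >/dev/null 2>&1 &
    base=$!
    nice -n 5 sleep 60 >/dev/null 2>&1 &
    niced=$!
    sleep 1
    diff=$(( $(nice_of "$niced") - $(nice_of "$base") ))
    kill -KILL "$base" "$niced" 2>/dev/null || true
    wait "$base" 2>/dev/null || true
    wait "$niced" 2>/dev/null || true
    echo "$diff"
}
```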

Exercises
1. Which user and root processes are using most of the memory?
2. Same start as 2), but make the print out stop for 3[s] and continue for 1[s] repeatedly.
3. Make a shell script to renice all processes called apache to a value of 19.
4. Do a print from ps formatted as: "username", "command", "nice value".
5. Kill all the processes called "bash" that are owned by user polto.
6. Open two terminals. In one terminal type the following, and from the other terminal see that you can stop and continue the print out:
while [ 1 ]; do echo -n "The date is:"; date; done
• Exercises results

Detailed Objective
Weight: 2
Description: Candidates should be able to manipulate files and text data using regular expressions. This objective includes creating simple regular expressions containing several notational elements. It also includes using regular expression tools to perform searches through a filesystem or file content.
• Key knowledge area(s):
• Create simple regular expressions containing several notational elements.
• Use regular expression tools to perform searches through a filesystem or file content.
• The following is a partial list of the used files, terms and utilities:
• grep
• egrep
• fgrep
• sed
• regex(7)


Pattern matching
There are two kinds of pattern matching:
• Wildcards (File Name Generation)
• Regexp (Regular Expression)
Wildcard characters are mainly applied to filenames in the current directory or its subdirectories. When the characters *, ?, [ - ], ~, and ! are used in a regexp they no longer generate filenames.
Some of the utilities that use regexp are:
• grep, egrep
• vi
• more
• sed
• Perl
Limited regexp search patterns understood by all utilities able to use regexp (element, notation, example pattern, what it matches):
• Any 1 char:   .      Ab.a       Abla or Abca
• 1 char set:   [ ]    Ab[sd]a    Absa or Abda only
• 1 char range: [ - ]  Ab[a-z]a   Abaa or Abba or ...
• Not in set:   [^ ]   Ab[^0-9]a  Abaa or Abba or ...
• 0 or more:    *      Ab*a       Absala or Aba or ...
• Begin line:   ^      ^Aba       Line starts with Aba
• End line:     $      Aba$       Line ends with Aba

grep
To find text in a file, use grep.
grep [options] [string] [files]
It is best to quote the string to prevent misinterpretation by the shell.
Common options:
• -i: Ignore case
• -E: Extended regular expressions
• -l: List the filename only, if at least one line matches
• -c: Display only the count of matched lines
• -n: Also display the line number
• -v: Display the lines that do not match.

Examples:
grep host /etc/*.conf
grep -l '\

getty -- starts -> login -- starts --> shell

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
CustomLog "/var/log/httpd/access_log" common
ScriptAlias /cgi-bin/ "/srv/httpd/cgi-bin/"
AllowOverride None
Options None
Order allow,deny
Allow from all
DefaultType text/plain
TypesConfig /etc/httpd/mime.types
root@lpislack:~#

This slightly stripped down httpd.conf is taken from a Slackware 13.0 system (lpislack). There are two terms to know when talking about httpd.conf: "directives" and "containers". "Directives" are the configuration options (and their values) themselves, while "containers" are directories or collections of files. A directive inside a container is only valid inside this container; directives outside any container are of global effect for the whole site. On the other side, there are directives that are only valid inside a container.
ServerRoot "/usr"
This is a tricky one. All relative paths start from here; the absolute ones are, as implied by the name, absolute.
Listen 80
The TCP port on which the httpd listens for incoming connection requests. If our machine has more than one network address, we can bind the httpd to one (or more) IP address/port combinations here as well.
LoadModule auth_basic_module lib/httpd/modules/mod_auth_basic.so
Loads the module auth_basic_module located in lib/httpd/modules/mod_auth_basic.so relative to the ServerRoot, so the whole path to this module is /usr/lib/httpd/modules/mod_auth_basic.so.
User apache
The user account httpd runs as. This had better be a restricted account. One (the first) httpd process has to run as root if it wants to claim port 80.
Group apache
The group of the user httpd runs as.
ServerAdmin [email protected]
The e-mail address of the administrator responsible for running the httpd. This shows up when errors occur.


DocumentRoot "/srv/httpd/htdocs"
This is the directory where the actual HTML documents live on your hard drive!
...
This is a container object. All directives inside are only valid for this directory "/" and all of its subdirectories.
Options FollowSymLinks
Potential security risk! Does what its name suggests.
AllowOverride None
You can override most directives with a .htaccess file. This is a security risk, and the use of .htaccess is denied by this directive.
Order deny,allow
Controls the access to files and directories. First look who is not allowed, then look who is allowed. The rule that applies is the last one that matches; if none matches or both match, use the default (= the last)!
Deny from all
Denies all hosts access to all files in this container.
...
Container for the ServerRoot directory. Note the Order allow,deny and the Allow from all directives. Here we want access from all hosts.
DirectoryIndex index.html
The file with this name is presented to the client when a web browser accesses a directory and not a specific HTML page. If no index.html exists in this directory, the contents of the directory itself are shown. Options Indexes allows this, while Options -Indexes generates an error message instead of listing the directory's contents.
ErrorLog "/var/log/httpd/error_log"
Sets the log file for error messages.
LogLevel warn
Sets the verbosity of the error messages.
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
Sets the format of the entries in the custom log file (usually access_log).
CustomLog "/var/log/httpd/access_log" common
Sets the name and location of the custom log file.
ScriptAlias /cgi-bin/ "/srv/httpd/cgi-bin/"
Directory for CGI scripts.
DefaultType text/plain
Apache uses this MIME type for the pages it serves to the web browser if no other information about the type is available.
TypesConfig /etc/httpd/mime.types
List of MIME types to use for different types of file names.


Access restriction methods and files
Access to files and directories on the web server can be restricted based on the machine's IP or network [121] (hostname, domain, IP address, or network) or based on user name and password. While access can be restricted by these methods, all content transmitted in both directions is still not encrypted! To secure the communication and to ensure the identity of the web server, the SSL/TLS protocol will be used in the next chapter of this book.

Containers
The behaviour of the Apache web server can be finely tuned in the Apache configuration (or the .htaccess file) on a per directory (<Directory> container), per file (<Files> container), or per URL (<Location> container) basis. The directives inside a <Directory> (or <Location>) container are valid for the directory itself and all its subdirectories. Most of these directives can be overwritten by external configuration files, usually .htaccess. This is highly discouraged for security and sanity reasons. Some possible values for AllowOverride are:
None: no use of external configuration changes allowed (safest)
All: all directives can be changed (most insecure)
Limit: some changes are allowed (not secure at all)
AuthConfig: mainly authentication related directives can be changed
Options: mainly Options directives can be overwritten

Machine Restrictions
Order sets the sequence of access restrictions, where the last matching rule wins. The last rule is also the default rule if neither rule matches or both match. The possible Allow/Deny restrictions are hostname (host.domain.example), domain (domain2.example), ip (192.168.10.3) and network (192.168.10, 192.168.10.0/24).
Options Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
Deny from example.com
All access from everywhere is allowed, but the domain example.com is denied.


User Based Restrictions
User based access restrictions are insecure on different levels:
• passwords are not encrypted (danger: snooping)
• every content up- and download is clear text (danger: snooping)
• there is no guarantee about the identity of the server (danger: fraud/phishing)
One big part of Apache's flexibility is its capability to talk to different back ends for user authentication, the simplest being plain text files, which is OK for smaller numbers of users but does not scale to more than (about) 150 people.
Usernames, passwords and groups are stored in text files usually called .htpasswd and .htgroup. These names are defined in httpd.conf or .htaccess by the directives AuthUserFile and AuthGroupFile. Both directives are part of the mod_auth module.
We create/change a username and password with the htpasswd utility. The -c option creates a new password file; if such a file already exists it will be destroyed without warning! htpasswd requires two parameters: the password file and the username.
root@lpislack# htpasswd -c /etc/httpd/htpasswd newuser
...
One other important thing to keep in mind is that the only safe place for the password file and the group file is outside the DocumentRoot, where these files can't accidentally or maliciously be downloaded by unauthorized visitors.
Going back to reality, overwriting the httpd.conf directives with a .htaccess file and placing the .htpasswd and .htgroup inside the document directories is often done if the web site administrator does not have full access to the Apache configuration, e.g. in shared hosting environments. To protect these files one can restrict the access to them in a container spelled out in the httpd.conf:
Order allow,deny
Deny from all
Satisfy All
Example 1
This example shows the preferred, but sadly not always possible, configuration. The restricted directory is /srv/httpd/htdocs/private1, which can be reached at http://lpislack.vbox.privat/private1/ by my web browser.
httpd.conf:
AuthType Basic
AuthName "Private1! Restricted Access!"
require valid-user
AuthUserFile /etc/httpd/htpasswd
After fiddling with the configuration file we should restart the httpd server process.
root@lpislack:/etc/httpd# /etc/rc.d/rc.httpd restart
Create the password file:


root@lpislack:/etc/httpd# htpasswd -c /etc/httpd/htpasswd firstuser
New password:
Re-type new password:
Adding password for user firstuser
root@lpislack:/etc/httpd# cat htpasswd
firstuser:2km7TAXpj3scw
root@lpislack:/etc/httpd#
This file is only accessible by authorized (root!) users. (And by the way, the password is tee2Seih.)
The password protected page /srv/httpd/htdocs/private1/index.html source code:
root@lpislack:/srv/www/htdocs/private1# cat index.html
This is private!
Example 2
This example shows a commonly used configuration. It is not the best, but sometimes the only possible setup. We can do much better (much safer) if we can locate the password file outside the DocumentRoot. The restricted directory here is /srv/httpd/htdocs/private2, which can be reached at http://lpislack.vbox.privat/private2/ by the web browser. The only change to httpd.conf is to allow AllowOverride. In fact, if we can change httpd.conf, we could do the right thing in the first place (see Example 1).
AllowOverride AuthConfig
Set up the external configuration file .htaccess in /srv/httpd/htdocs/private2/:
AuthType Basic
AuthName "Private2! Restricted Access!"
require valid-user
AuthUserFile /srv/httpd/htdocs/private2/.htpasswd
Restart httpd:
root@lpislack:/etc/httpd# /etc/rc.d/rc.httpd restart
Create the password file with the user seconduser and the password uu2yo1Wo:
root@lpislack:/etc/httpd# htpasswd -c /srv/www/htdocs/private2/.htpasswd seconduser
New password:
Re-type new password:
Adding password for user seconduser
root@lpislack:/etc/httpd# cat /srv/www/htdocs/private2/.htpasswd
seconduser:2l.jKENGUwyQ6
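The two setups above, the .ht* protection and the host-based rule from "Machine Restrictions", written out as complete Apache 2.2 containers (the version on the Slackware 13.0 system used here); this is an added example, not the book's own httpd.conf. Paths and AuthName strings are the ones used above; the <Files ~ "^\.ht"> stanza is the standard Apache one.

```apache
# Added example (not the book's httpd.conf): Apache 2.2 access-control
# containers for the configurations described in the text.

# Example 1 (preferred): credentials live outside the DocumentRoot, and
# nothing in this directory can be overridden from within the web tree.
<Directory "/srv/httpd/htdocs/private1">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
    AuthType Basic
    AuthName "Private1! Restricted Access!"
    AuthUserFile /etc/httpd/htpasswd
    Require valid-user
</Directory>

# Example 2 (shared-hosting fallback): only AuthConfig may be overridden, so
# a .htaccess in the directory can enable authentication but cannot change
# Options or the host-based access rules set here.
<Directory "/srv/httpd/htdocs/private2">
    AllowOverride AuthConfig
    Options None
    Order allow,deny
    Allow from all
</Directory>

# Because Example 2 keeps .htpasswd inside the DocumentRoot, refuse to serve
# any file whose name starts with ".ht" (.htaccess, .htpasswd, .htgroup).
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</Files>

# Host-based restriction from "Machine Restrictions": with Order allow,deny
# the Allow rules are evaluated first, then the Deny rules, and the last
# matching rule wins, so example.com is refused while everyone else gets in.
<Directory "/srv/httpd/htdocs">
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
    Deny from example.com
</Directory>
```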


Modules and CGI

Flexibility and easy extendability are two important reasons for Apache's success. They are achieved in part by the CGI (Common Gateway Interface) concept and by the ability to extend an already compiled Apache instance with modules.

CGI programs (often called "CGI scripts") are executable programs that can be written in any language, be it bash, Perl, PHP, BASIC, assembler or Ada. They run on the server, which uses up hardware resources of the server (RAM and CPU time) but does not impact the client. The client receives what looks like any static HTML page, although the page was dynamically created by the CGI program. The httpd takes the output of the CGI program and passes it unchanged and unchecked to the client web browser (e.g., the HTTP headers have to be crafted by the CGI program). CGI programs can also take user input (via PUT or GET requests).

Example

This bash script outputs "don't try this at home" in ugly blinking letters and prints the content of /etc/passwd to show how dangerous CGI programming can be!

#!/bin/sh
echo "Content-type: text/html"
echo ""
echo "<html>"
echo "<body>"
echo "<blink>DON'T TRY THIS AT HOME!</blink>"
cat /etc/passwd
echo "</body>"
echo "</html>"
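The script above shows the two things the server does not do for a CGI program: it does not write the headers and it does not check the output. As an added example, not from the book, here is the same kind of script written in Python with those duties handled: it emits the header block itself, restricts the request method, and HTML-escapes anything that came from the client before echoing it. The environment variable names (REQUEST_METHOD, QUERY_STRING, REMOTE_ADDR) are the standard CGI/1.1 ones; the sample environment in the test is constructed, and the "name" parameter is an assumption of this example.

```python
"""Added example: a minimal CGI program that crafts its own headers and
does not trust its input. The web server hands the request over in
environment variables and forwards whatever is written to stdout."""
import html
import os
import sys
from urllib.parse import parse_qs


def build_response(environ: dict) -> str:
    """Return the complete CGI output (headers, blank line, body) for one request."""
    method = environ.get("REQUEST_METHOD", "GET")
    if method not in ("GET", "HEAD"):
        # a Status header is how a CGI program picks the HTTP status code
        return ("Status: 405 Method Not Allowed\r\n"
                "Content-Type: text/plain\r\n\r\n"
                "only GET is served\n")
    query = parse_qs(environ.get("QUERY_STRING", ""), keep_blank_values=True)
    # first 'name' value, length-capped; client data is never echoed unescaped
    name = query.get("name", ["visitor"])[0][:40]
    client = environ.get("REMOTE_ADDR", "unknown")
    body = (
        "<html><body>\n"
        f"<p>Hello, {html.escape(name)}!</p>\n"
        f"<p>You connected from {html.escape(client)}.</p>\n"
        "</body></html>\n"
    )
    # the blank line after the headers is mandatory; without it the browser
    # shows the headers as page text or reports a malformed response
    return "Content-Type: text/html; charset=utf-8\r\n\r\n" + body


if __name__ == "__main__":
    # under a web server the real environment is used; run by hand it prints
    # a response for a constructed request
    env = dict(os.environ)
    env.setdefault("REQUEST_METHOD", "GET")
    env.setdefault("QUERY_STRING", "name=<b>bold</b>")
    env.setdefault("REMOTE_ADDR", "192.168.10.21")
    sys.stdout.write(build_response(env))
```

Dropped into cgi-bin with execute permission and a "#!/usr/bin/python3" first line, it serves a page that greets the caller; the markup sent in the "name" parameter comes back as literal text instead of being rendered.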

Modules

Modules, on the other hand, can extend the abilities of the httpd with features that are not part of the main Apache source code. (Some modules can be compiled into the httpd directly.) Modules can be switched on and off (e. g. for security reasons) with a simple change in httpd.conf. Most modules need additional configuration directives in httpd.conf, usually by importing configuration files. For security reasons we will only enable modules actually needed by our web site.

mod_php

One very useful example is mod_php. If PHP code is executed as a simple CGI script, every script starts the PHP parsing engine, the HTML text is generated, and then the PHP parsing engine is shut down. mod_php starts the PHP engine as a module of the Apache process and the PHP engine persists over multiple requests. This drastically reduces the overhead of using PHP for dynamic web site creation. As an added bonus we can use PHP code directly in our HTML source code. This code also runs on the server side and is then replaced by its output before the complete HTML page is sent to the client. If we use a database, this connection can also be persisted if we use mod_php. The PHP language itself is configured by php.ini, located at /etc/httpd/, but this file usually doesn't need to be changed. To enable mod_php on Slackware 13.0 we only need to uncomment the line

Include /etc/httpd/mod_php.conf

in /etc/httpd/httpd.conf. This will include the already set up configuration directly into our httpd.conf.

mod_php.conf:

LoadModule php5_module lib/httpd/modules/libphp5.so
AddType application/x-httpd-php .php

We now change AddType application/x-httpd-php .php to

AddType application/x-httpd-php .php .html .htm

to use PHP code inside HTML documents. This can be convenient, but it increases the workload on high traffic websites considerably, because every requested HTML page is shoved through the PHP interpreter. Another thing we can do to make our lives a bit easier is adding index.php to the DirectoryIndex directive. Now we restart the httpd.

Example

To check if it works we create testforphp.php somewhere below the DocumentRoot, a page titled "Status for PHP" that calls phpinfo(). Now remove this file (or at least deny read access), because it will blast our entire web server configuration to the whole internet, where every creep on the planet is just milliseconds away from us. (Try searching for intitle:phpinfo "PHP Version" in Google...)

mod_perl

While Slackware 13.0 comes with perl as an installable package, the minimal test CGI script printenv in /srv/www/cgi-bin needs a little help. First we need to mark it as executable:

root@lpislack:/srv/www/htdocs# chmod a+x ../cgi-bin/printenv

and then change the first line "#!/usr/local/bin/perl" to "#!/usr/bin/perl". Now we can navigate our web browser to http://lpislack.vbox.privat/cgi-bin/printenv and see if it works:

DOCUMENT_ROOT="/srv/httpd/htdocs"
GATEWAY_INTERFACE="CGI/1.1"
HTTP_ACCEPT="text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1"
HTTP_ACCEPT_CHARSET="iso-8859-1, utf-8, utf-16, *;q=0.1"
HTTP_ACCEPT_ENCODING="deflate, gzip, x-gzip, identity, *;q=0"
HTTP_ACCEPT_LANGUAGE="de-DE,de;q=0.9,en;q=0.8"
HTTP_CACHE_CONTROL="no-cache"
HTTP_CONNECTION="Keep-Alive, TE"
HTTP_HOST="lpislack.vbox.privat"
HTTP_TE="deflate, gzip, chunked, identity, trailers"
HTTP_USER_AGENT="Opera/9.80 (X11; Linux i686; U; de) Presto/2.2.15 Version/10.10"
PATH="/bin:/usr/bin:/sbin:/usr/sbin"
QUERY_STRING=""
REMOTE_ADDR="192.168.10.21"
REMOTE_PORT="40206"
REQUEST_METHOD="GET"
REQUEST_URI="/cgi-bin/printenv"
SCRIPT_FILENAME="/srv/httpd/cgi-bin/printenv"
SCRIPT_NAME="/cgi-bin/printenv"
SERVER_ADDR="172.25.28.4"
SERVER_ADMIN="[email protected]"
SERVER_NAME="lpislack.vbox.privat"
SERVER_PORT="80"
SERVER_PROTOCOL="HTTP/1.1"
SERVER_SIGNATURE=""
SERVER_SOFTWARE="Apache/2.2.14 (Unix) DAV/2 PHP/5.2.12"
UNIQUE_ID="S3ibiawZHAQAAAq2Hf0AAAAD"

We do not use mod_perl at this time but run CGI scripts written in Perl as we would run any other executable. mod_perl (from http://perl.apache.org) does for the Perl language the same as mod_php does for PHP: it adds native language support directly into the Apache web server and so reduces load and speeds up response time. Sadly there is no pre-built mod_perl package for Slackware 13.0, but http://slackbuilds.org has at http://slackbuilds.org/repository/13.0/network/mod_perl/ a tried and true build script for everyone who can read the instructions. (As a sidenote, SlackBuilds are the preferred method to build Slackware packages from source.)

This situation demonstrates the use of modules: functionality that is not included in Apache can be added by external modules without recompiling Apache. If there were a bugfix for Apache and we had to upgrade, mod_perl would still work fine as a module. If mod_perl were compiled into Apache we would have to get the source code, fit it to our setup, compile and install it. With every update we would need to go through the same process, just to keep using Perl.

After building and installing the package we simply need to include mod_perl.conf in httpd.conf and restart the Apache server.

mod_perl.conf:

LoadModule perl_module lib/httpd/modules/mod_perl.so
AddHandler perl-script pl
# mod_perl mode
SetHandler perl-script
PerlResponseHandler ModPerl::Registry
PerlOptions +ParseHeaders
Options +ExecCGI

Perl files can live anywhere in the DocumentRoot and their name has to end in ".pl". Let's go back to the printenv example. If we call it again, it will still be executed as CGI, but if we copy it to the DocumentRoot and rename it printenv.pl it will be run by mod_perl, as we can clearly see by the MOD_PERL and MOD_PERL_API_VERSION lines in the output below:

DOCUMENT_ROOT="/srv/httpd/htdocs"
GATEWAY_INTERFACE="CGI/1.1"
HTTP_ACCEPT="text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1"
HTTP_ACCEPT_CHARSET="iso-8859-1, utf-8, utf-16, *;q=0.1"
HTTP_ACCEPT_ENCODING="deflate, gzip, x-gzip, identity, *;q=0"
HTTP_ACCEPT_LANGUAGE="de-DE,de;q=0.9,en;q=0.8"
HTTP_CONNECTION="Keep-Alive, TE"
HTTP_HOST="lpislack.vbox.privat"
HTTP_TE="deflate, gzip, chunked, identity, trailers"
HTTP_USER_AGENT="Opera/9.80 (X11; Linux i686; U; de) Presto/2.2.15 Version/10.10"
MOD_PERL="mod_perl/2.0.4"
MOD_PERL_API_VERSION="2"
PATH="/bin:/usr/bin:/sbin:/usr/sbin"
QUERY_STRING=""
REMOTE_ADDR="192.168.10.21"
REMOTE_PORT="45519"
REQUEST_METHOD="GET"
REQUEST_URI="/printenv.pl"
SCRIPT_FILENAME="/srv/httpd/htdocs/printenv.pl"
SCRIPT_NAME="/printenv.pl"
SERVER_ADDR="172.25.28.4"
SERVER_ADMIN="[email protected]"
SERVER_NAME="lpislack.vbox.privat"
SERVER_PORT="80"
SERVER_PROTOCOL="HTTP/1.1"
SERVER_SIGNATURE=""
SERVER_SOFTWARE="Apache/2.2.14 (Unix) DAV/2 PHP/5.2.12 mod_perl/2.0.4 Perl/v5.10.0"
UNIQUE_ID="S3i3VqwZHAQAAAxfFDUAAAAA"

Restrict Resource Usage

Apache is capable of serving pretty busy web sites. One mechanism to provide quick response times under heavy load is to have waiting processes ready to jump into action at any given time. So unlike most other programs Apache spawns multiple processes when it is started. The number of processes is adjusted depending on the number of connections by creating and destroying child processes as needed. One control process listens for new requests, usually on TCP port 80, while every client is connected to its very own child process that serves requests for the whole lifetime of this connection.

StartServers determines the number of processes to begin with when Apache is started. But this is of little meaning, because MinSpareServers sets the minimum number of idle Apache processes waiting to serve new connections. If there are fewer spare servers left, they are created at a rate of one per second. If that is not enough, the rate of process creation is doubled every second up to 32 new processes per second. If this is not sufficient, we sure as hell have other problems. On the other hand, if there are more idle servers than MaxSpareServers, the unneeded processes are shut down one by one.

MaxClients limits the absolute number of simultaneously running server processes, and with that the maximum number of simultaneous client connections. The maximum number of 256 is a hard limit set at compile time. If there are more connection requests than Apache processes to serve them, the requests are first moved to a backlog, and only if this backlog is filled up too are the requests rejected.

The lifetime of an Apache (child) process can be limited by the absolute number of connections it will serve, as defined by MaxRequestsPerChild. This can mitigate problems when memory leaks on less stable platforms occur, or problems caused by buggy modules or badly written CGIs. If set to 0, child processes can live indefinitely, unless they are terminated because there are too many spare servers.
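The spare-server bookkeeping just described (spawn one child per second when idle children fall below MinSpareServers, double the rate each second up to 32, kill one surplus child per pass above MaxSpareServers, never exceed MaxClients or the compiled-in 256) is easy to misjudge when tuning. The following is an added simulation of exactly those rules; it is not Apache's code and it is not from the book. The class and function names are invented for this example, and the model deliberately ignores details such as MaxRequestsPerChild and the listen backlog size.

```python
"""Added example: a toy model of prefork's idle-child maintenance, using
the rules stated in the text (not httpd's actual implementation)."""

SPAWN_RATE_CAP = 32      # at most 32 new children per second, as the text states
HARD_MAX_CLIENTS = 256   # the compile-time ceiling the text mentions


class PreforkModel:
    """State of the control process: how many children exist and are busy."""

    def __init__(self, start_servers, min_spare, max_spare, max_clients):
        self.min_spare = min_spare
        self.max_spare = max_spare
        self.max_clients = min(max_clients, HARD_MAX_CLIENTS)
        self.total = min(start_servers, self.max_clients)   # children alive
        self.busy = 0
        self.backlog = 0
        self.spawn_rate = 1        # children to create on the next pass

    @property
    def idle(self):
        return self.total - self.busy

    def tick(self, connections):
        """One maintenance pass (httpd runs one about every second).

        `connections` is the number of clients wanting a child right now.
        Returns (spawned, killed) for this pass."""
        self.busy = min(connections, self.total)
        self.backlog = connections - self.busy   # clients queued, not served
        spawned = killed = 0
        if self.idle < self.min_spare:
            wanted = self.min_spare - self.idle
            room = self.max_clients - self.total
            spawned = min(wanted, self.spawn_rate, room)
            self.total += spawned
            # still short of idle children next time: ramp up, capped at 32/s
            self.spawn_rate = min(self.spawn_rate * 2, SPAWN_RATE_CAP)
        else:
            self.spawn_rate = 1    # enough spares: the ramp starts over
            if self.idle > self.max_spare:
                killed = 1         # one surplus idle child per pass
                self.total -= 1
        return spawned, killed


def ramp_up(model, connections, passes):
    """Run `passes` ticks at a constant load and return the spawn count per pass."""
    return [model.tick(connections)[0] for _ in range(passes)]


if __name__ == "__main__":
    m = PreforkModel(start_servers=5, min_spare=5, max_spare=10, max_clients=150)
    print("spawned per second at 5 busy clients:", ramp_up(m, 5, 4), "total", m.total)
    burst = PreforkModel(start_servers=1, min_spare=200, max_spare=250, max_clients=256)
    print("ramp with a large deficit:", ramp_up(burst, 1, 7))
```

With StartServers 5 and MinSpareServers 5 the first pass creates one child, the next two, the next two more, after which five idle children exist and the ramp resets; with a large deficit the per-second counts run 1, 2, 4, 8, 16, 32, 32, the cap the text gives.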

Redhat/CentOS Installation

# yum install httpd

The web server binary is called httpd. The control script is called apachectl. The access and error log files are located in /var/log/httpd/ and called access_log and error_log.

Debian Installation

# aptitude install apache2

The web server binary is called apache2. The control script is called apache2ctl, which is not the same as apachectl by another name. The access and error log files are located in /var/log/apache2/ and called access.log and error.log. (Note the dot "." instead of the underscore "_".)


208.2 Maintaining A Web Server

Objectives Version 3.0 (2009)

Detailed Objective
Weight: 2
Description: Candidates should be able to configure a web server to use virtual hosts, Secure Sockets Layer (SSL) and customise file access.

Key knowledge areas
• SSL configuration files, tools and utilities
• SSL certificate handling
• Apache 2.x virtual host implementation (with and without dedicated IP addresses)
• Using redirect statements in Apache's configuration files to customise file access

The following is a partial list of the used files, terms and utilities:
• Apache2 configuration files
• /etc/ssl/*
• openssl


Overview

Apache is an impressive and powerful application. It is not only able to serve simple (static) HTTP pages, which is (essentially) a trivial task. Apache can host multiple web sites (http://www.example.com and http://www.beispiel.de) on one physical machine at one IP address using one Apache process, by using "virtual hosts". Apache can also use multiple IP addresses to serve different web sites on the same physical machine, which does not (necessarily) need different network cards. This is also realized by "virtual hosts". Also, Apache can use very sophisticated methods to redirect queries. Most importantly, at least to me, is the use of SSL (as OpenSSL). SSL can do many things for many people: it can secure (encrypt) the content going back and forth between the web client and the web server. It can also ensure the identity of both parties communicating, the server and the client.

Virtual Hosts

VirtualHost sections contain directives that apply only to a specific hostname or IP address. See http://httpd.apache.org/docs/trunk/en/mod/core.html#virtualhost and http://httpd.apache.org/docs/trunk/en/vhosts/

OpenSSL

OpenSSL is a collection of tools that implement and handle certificates that conform to the Transport Layer Security (TLS) protocol.

What are certificates?

Secure Socket Layer (SSL), or Transport Layer Security (TLS) as SSL versions beyond 3 are called now, uses public key cryptography to protect transactions over the insecure and not securable internet. Like all public key cryptographic schemes (I know of) TLS uses a secret private key and an openly shared public key, called a certificate. The special twist with TLS certificates is the certification authority (CA). For a TLS certificate to be recognized as valid, it has to be (cryptographically) signed by a "Certification Authority".

Flashback: Public Key Crypto

In a nutshell, public key crypto works like this: there are two keys, one public key for everyone to have, and one private key, for my eyes only. The private key is also (usually) protected by a very strong password. Both keys can be used to encrypt data that only the other key can decrypt. There is in principle no difference between the public and private key! On the other hand, it seems to make no sense to encrypt data with your private key, because everyone on the internet already has, or can get, your public key and decrypt the data. But if you encrypt data with your private key, you can prove you are in possession of the private key. This way you can (cryptographically) sign the data. To sign a piece of data we usually don't encrypt the whole of it but a (cryptographic) hash of it, and so can prove the authenticity of the data, provided we guard our private key very carefully. The password simply is a second security measure, in case the private key leaks into the public or gets lost.

What does a CA do exactly?

A Certification Authority signs our public keys with its private key. Then they are called certificates. That's it! Almost. We send in a "certificate signing request" (more on this later), a claim of our identity and a varying sum of money, and the CA tries (depending on the amount of money we spent) to check our identity; if that succeeds it will sign our request and finally send back the signed certificate. But keep in mind that there is only so much The Hong Kong Post Office(TM) (or any other CA) can do to verify e. g. a Brazilian identity. But now the problem is to get the certificate of the CA... and here the trick is: we already have it! Most pieces of software that can use TLS certificates come with a list of trusted (this is the magic word) CAs. Any new certificate (e. g. shop.example.com) signed by one of these trusted CAs (e. g. by StartSSL), whose certificates are installed on our machines, is also regarded as trusted. Unsigned certificates or ones signed by an unknown CA are regarded as "not trusted" and we are presented with a dire warning.

How do certificates work exactly?

We can use TLS certificates with almost any insecure service on the internet, if we only try hard enough:
• Web browsing (HTTPS instead of HTTP)
• Sending Mail (SMTPS instead of SMTP)
• Receiving Mail (IMAPS instead of IMAP, POP3S instead of POP3)
• Chat (IRC over TLS)
• VPN (OpenVPN)

How does it work (for web surfing)?

A bit simplified:
1. the client connects to the server
2. the server sends over the certificate
3. the client checks certain properties of the certificate
   1. the certificate is bound to the Fully Qualified Host Name (FQHN) of the server we connect to. The web browser checks if the FQHN of the server and the certificate match; if not it generates an error.
   2. the certificate needs to be signed by a trusted CA; if not the web browser generates an error.
   3. certificates have a limited lifetime, depending on the amount of money we paid. The web browser checks if the certificate is still "fresh" and if not, it generates an error.
   4. there is a list of invalid certificates on our computer. These certificates are revoked for different reasons: they were compromised, had errors, were stolen, ... If the server certificate is on that list, the client software generates an error.
4. if the certificate is deemed valid (or if an invalid certificate is accepted, despite being not valid) the client encrypts a random value with the certificate and sends it to the server.
5. only the client (because it generated it) and the server (because only it can decrypt it) know the random value generated by the client
6. from the random value a symmetric key is generated on both ends and any further communication both ways is encrypted with this generated key. (A symmetric key is used because encryption and decryption are much easier to handle by the CPU.)
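The four checks in step 3 are the part of the handshake an administrator can reason about without a TLS library, so here they are as an added Python example, not from the book: name match (including the one-label wildcard rule), trusted issuer, validity period and revocation, run over constructed certificate records. A real client verifies the CA's signature cryptographically; this model replaces that with a lookup of the issuer name in a trust list, so it shows the decisions, not the cryptography. The CA name "Example Root CA", the host names, serial numbers and dates are all made up for the example.

```python
"""Added example: the certificate checks of step 3 above, modelled over
plain dicts that stand in for parsed X.509 certificates."""
from datetime import datetime, timezone

# constructed trust store: the CAs the client ships with
TRUSTED_CAS = {"Example Root CA"}
# constructed revocation list: (issuer, serial) pairs
REVOKED = {("Example Root CA", 4242)}


def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


def sample_cert(names, issuer="Example Root CA", serial=1001,
                not_before=utc(2010, 1, 1), not_after=utc(2011, 1, 1)):
    """A constructed certificate record (subject alternative names, issuer,
    serial, validity window)."""
    return {"san": list(names), "issuer": issuer, "serial": serial,
            "not_before": not_before, "not_after": not_after}


def hostname_matches(pattern, host):
    """Exact match, or a '*' that is the whole leftmost label and stands for
    exactly one label: '*.example.com' covers 'shop.example.com' but neither
    'example.com' nor 'a.b.example.com', and '*.com' covers nothing."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    labels = host.split(".")
    return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]


def check_certificate(cert, host, now, trusted=TRUSTED_CAS, revoked=REVOKED):
    """Return the problems found, in the order the text lists the checks;
    an empty list means the client accepts the certificate."""
    problems = []
    if not any(hostname_matches(n, host) for n in cert["san"]):
        problems.append("hostname mismatch")          # check 3.1
    if cert["issuer"] not in trusted:
        problems.append("issuer not trusted")         # check 3.2 (signature check modelled as a name lookup)
    if not (cert["not_before"] <= now <= cert["not_after"]):
        problems.append("outside validity period")    # check 3.3
    if (cert["issuer"], cert["serial"]) in revoked:
        problems.append("revoked")                    # check 3.4
    return problems


if __name__ == "__main__":
    now = utc(2010, 6, 1)
    for cert, host in [(sample_cert(["shop.example.com"]), "shop.example.com"),
                       (sample_cert(["*.example.com"]), "a.b.example.com"),
                       (sample_cert(["shop.example.com"], issuer="Unknown CA"), "shop.example.com"),
                       (sample_cert(["shop.example.com"], serial=4242), "shop.example.com")]:
        print(host, "->", check_certificate(cert, host, now) or "accepted")
```

Every failing check is reported rather than only the first, which is how a browser's certificate dialog can list several problems at once for one site.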

How to find and use certificates

CA root certificates are stored on our computers in lots of different places. Often every piece of software that uses TLS brings its own list of trusted CAs.
• openssl: /etc/ssl/certs
• firefox:
• thunderbird:
• claws-mail: ~/.claws-mail/certs/

On the other hand, openssl can act as a TLS client for classical "clear text" protocols like, well, like all the internet protocols, e. g. POP3


How to get a certificate

Detailed Objective
Weight: 2
Description: Candidates should be able to install and configure a proxy server, including access policies, authentication and resource usage.
• Key knowledge area(s):
  • Squid 2.x configuration files, terms and utilities
  • Access restriction methods
  • Client user authentication methods
  • Layout and content of ACL in the Squid configuration files
• The following is a partial list of the used files, terms and utilities:
  • squid.conf
  • acl
  • http_access

Exercises

Implementing a proxy server

We will be using the squid web proxy server version 2.4 and Linux kernel version 2.4. Proxying can be done in two ways: normal proxying and transparent proxying.
• In normal proxying, the client specifies the hostname and port number of a proxy in his web browsing software. The browser then makes requests to the proxy, and the proxy forwards them to the origin servers.
• In transparent proxying, ...

Use transparent proxying if:
• You want to force clients on your network to use the proxy, whether they want to or not.
• You want clients to use a proxy, but don't want them to know they're being proxied.
• You want clients to be proxied, but don't want to go to all the work of updating the settings in hundreds or thousands of web browsers.

There are two types of transparent proxying:
• Squid on the gateway
• Squid on a separate box than the gateway

Squid on the gateway box

Setting up squid for ordinary proxying is quite simple: after installing squid, edit the default configuration file squid.conf. Find the following directives, uncomment them, and change them to the appropriate values:
• httpd_accel_host virtual
• httpd_accel_port 80
• httpd_accel_with_proxy on
• httpd_accel_uses_host_header on

Next, look at the cache_effective_user and cache_effective_group directives, and set them up with a dedicated user and group (i.e. squid/squid).

Finally, look at the http_access directive. The default is usually "http_access deny all". This will prevent anyone from accessing squid. For now, you can change this to "http_access allow all", but once it is working, you will probably want to read the directions on ACLs (Access Control Lists), and set up the cache such that only people on your local network (or whatever) can access the cache.

ACLs in squid will enable you to restrict access to the proxy. The general format for an ACL rule is:

acl aclname acltype string1 ...

ACL rules can then be used in the http_access directive. ACL types are:
• src: acl aclname src ip-address/netmask
  acl aclname src 172.16.1.0/24
• dst: acl aclname dst ip-address/netmask
  acl aclname dst 172.16.1.0/24
• time: acl aclname time [day-abbreviations: M,T,W,H,F,A,S] [h1:m1-h2:m2]
  acl ACLTIME time M 9:00-17:00
• port: acl aclname port port-no
  acl acceleratedport port 80
• proto: acl aclname proto protocol
  acl aclname proto HTTP FTP
• method: acl aclname method method-type
  acl aclname method GET POST
• maxconn: acl aclname maxconn integer
  acl twoconn maxconn 5

Next, initialize the cache directories with squid -z (if this is not a new installation of squid, you should skip this step). Next, launch squid via the /etc/init.d/squid script, and you should be able to set your web browser's proxy settings to the IP of the box and port 3128 (unless you changed the default port number) and access squid as a normal proxy.

Implementing a proxy server

Transparent proxying can be set up in two different ways: on the router or on another (remote) host. Transparent proxying on the router involves setting up squid in the "normal" way, and configuring the packet filtering subsystem to redirect clients' connections to squid. The kernel's networking options required are:
• Under 'General Setup': Networking support, Sysctl support
• Under 'Networking Options': Network packet filtering, TCP/IP networking
• Under 'Networking Options' -> IP: Netfilter Configuration: Connection tracking, IP tables support, Full NAT, REDIRECT target support
• Under 'File Systems': /proc filesystem support

You must say NO to Fast switching under Networking Options!

Once you have your new kernel up and running, make sure you have IP forwarding enabled. Next, to configure iptables to enable transparent proxying, all you have to do is:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 3128

Transparent proxying to a remote box

Let's assume we have two boxes called squid-box and iptables-box, and that they are on the network local-network. First, on the machine that squid will be running on, squid-box, you do not need iptables or any special kernel options, just squid. You *will*, however, need the 'http_accel' options as described above. Now, on the machine that iptables will be running on, iptables-box, you will need to configure the kernel as described above, except that you don't need the REDIRECT target support. You will need 2 iptables rules:

iptables -t nat -A PREROUTING -i eth0 -s ! squid-box -p tcp --dport 80 -j DNAT --to squid-box:3128
iptables -t nat -A POSTROUTING -o eth0 -s local-network -d squid-box -j SNAT --to iptables-box

The first one sends the packets to squid-box from iptables-box. The second makes sure that the reply gets sent back through iptables-box, instead of directly to the client. This is very important, because otherwise squid will never receive the answer from the target web server (and thus, no caching can take place!)

Key terms, files and utilities:
• squid.conf
• acl
• http_access

Exercises
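The ACL types and the http_access directive described in the squid section above are easiest to understand by watching rules being evaluated. The following is an added Python example, not from the book and not Squid's own code: a small evaluator for the "acl name type values" and "http_access allow|deny acl [!acl ...]" syntax, modelling the src, dst, port, proto, method and time types and Squid's first-match walk, including the rule that a request matching no line gets the opposite of the last line's action. The configuration fragment, addresses, ACL names and times are all constructed; helper names such as parse_config and decide are invented here.

```python
"""Added example: evaluate squid-style acl / http_access rules against
constructed requests (a model of the semantics, not Squid's code)."""
import ipaddress
from datetime import datetime

DAY_LETTERS = "MTWHFAS"   # Monday..Sunday, the abbreviations used in time ACLs


def parse_config(text):
    """Return ({aclname: (type, [values])}, [(action, [aclname, ...])])."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 4:
            name, acltype, values = parts[1], parts[2].lower(), parts[3:]
            entry = acls.setdefault(name, (acltype, []))   # repeated lines extend the acl
            if entry[0] != acltype:
                raise ValueError(f"acl {name} redefined with another type")
            entry[1].extend(values)
        elif parts[0] == "http_access" and len(parts) >= 3:
            if parts[1] not in ("allow", "deny"):
                raise ValueError(f"bad http_access action: {parts[1]}")
            rules.append((parts[1], parts[2:]))
    return acls, rules


def _minutes(hhmm):
    h, m = hhmm.split(":")
    return int(h) * 60 + int(m)


def time_matches(values, when):
    """'time' ACL: optional day letters plus optional h1:m1-h2:m2 ranges."""
    days, ranges = set(), []
    for v in values:
        if "-" in v and ":" in v:
            start, end = v.split("-", 1)
            ranges.append((_minutes(start), _minutes(end)))
        else:
            days.update(v.upper())
    if days and DAY_LETTERS[when.weekday()] not in days:
        return False
    now = when.hour * 60 + when.minute
    return not ranges or any(s <= now <= e for s, e in ranges)


def acl_matches(acltype, values, request):
    if acltype in ("src", "dst"):
        addr = ipaddress.ip_address(request[acltype])
        return any(addr in ipaddress.ip_network(v, strict=False) for v in values)
    if acltype == "port":
        return str(request["port"]) in values
    if acltype in ("proto", "method"):
        return request[acltype].upper() in [v.upper() for v in values]
    if acltype == "time":
        return time_matches(values, request["when"])
    raise ValueError(f"acl type not modelled here: {acltype}")


def decide(acls, rules, request):
    """Walk http_access lines in order; the first line whose ACLs all match wins."""
    for action, names in rules:
        for name in names:
            negate = name.startswith("!")
            acltype, values = acls[name.lstrip("!")]
            if acl_matches(acltype, values, request) == negate:   # '!acl' matches when acl does not
                break
        else:
            return action
    if not rules:
        return "deny"
    return "deny" if rules[-1][0] == "allow" else "allow"   # no match: opposite of the last line


def at(year, month, day, hour, minute):
    return datetime(year, month, day, hour, minute)


# constructed squid.conf fragment in the style of the ACL section above
SAMPLE_CONFIG = """
acl all src 0.0.0.0/0
acl localnet src 172.16.1.0/24
acl Safe_ports port 80 443
acl SSL_ports port 443
acl CONNECT method CONNECT
acl officehours time MTWHF 9:00-17:00
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet officehours
http_access deny all
"""


def sample_request(**overrides):
    """A constructed request: Monday 2010-02-01 10:00, from the local network."""
    req = {"src": "172.16.1.20", "dst": "192.0.2.10", "port": 80,
           "proto": "HTTP", "method": "GET", "when": at(2010, 2, 1, 10, 0)}
    req.update(overrides)
    return req


if __name__ == "__main__":
    acls, rules = parse_config(SAMPLE_CONFIG)
    for label, req in [("local, office hours", sample_request()),
                       ("outside network", sample_request(src="10.0.0.5")),
                       ("odd port", sample_request(port=8080)),
                       ("evening", sample_request(when=at(2010, 2, 1, 19, 0)))]:
        print(f"{label}: {decide(acls, rules, req)}")
```

The last-line rule is why every real squid.conf ends in an explicit "http_access deny all": without it, a configuration whose last line is an allow would silently admit anything the earlier lines did not cover.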

Network Client Management

Detailed Objective
Weight: 2
Description: Candidates should be able to configure a DHCP server. This objective includes setting default and per client options, adding static hosts and BOOTP hosts. Also included is configuring a DHCP relay agent and maintaining the DHCP server.
• Key knowledge area(s):
  • DHCP configuration files, terms and utilities
  • Subnet and dynamically-allocated range setup
• The following is a partial list of the used files, terms and utilities:
  • dhcpd.conf
  • dhcpd.leases


DHCP configuration

Overview

Description: The candidate should be able to configure a DHCP server and set default options, create a subnet, and create a dynamically-allocated range. This objective includes adding a static host, setting options for a single host, and adding BOOTP hosts. Also included is configuring a DHCP relay agent and reloading the DHCP server after making changes.

Key files, terms, and utilities include:
• dhcpd.conf
• dhcpd.leases

Exercises

DHCP?

Most people reading this will already know the DHCP protocol. Just as a quick reminder: DHCP stands for Dynamic Host Configuration Protocol and is commonly used to distribute specific network settings in networks, settings such as the default gateway, nameservers, IP addresses and much more. As for a small illustration of the protocol itself.

Configuring dhcpd

After the installation of dhcpd the main configuration file can be found at /etc/dhcpd.conf. For Debian installations, one should edit /etc/default/dhcp as soon as the installation is finished and change the following line according to your setup:

INTERFACES="eth1"   # or "eth1 eth2", whatever interfaces you wish to serve IP addresses on

The dhcpd.conf file is divided into global parameters and subnet specific parameters. Each subnet can override the global parameters. The most commonly used parameters are the following:

option domain-name "example.com";
option domain-name-servers 192.168.0.1, 193.190.63.172;
option subnet-mask 255.255.255.0;   # global subnet mask
default-lease-time 600;             # seconds a lease runs when the client asks for no particular time; the client renews before it expires
max-lease-time 7200;                # the longest lease the server will grant, even if the client asks for more

subnet 192.168.0.0 netmask 255.255.255.240 {   # subnet for the first 13 devices, 10 of which are servers, 3 printers
    range 192.168.0.10 192.168.0.13;           # range of IP addresses for our printers
    option subnet-mask 255.255.255.240;
    option broadcast-address 192.168.0.15;     # this is the subnet's broadcast address
    option routers 192.168.0.14;               # the gateway of this subnet
    option time-servers 192.168.0.14;          # gateway is running a timeserver
    option ntp-servers 192.168.0.14;           # gateway is running a timeserver
}

subnet 192.168.0.32 netmask 255.255.255.224 {  # subnet for 29 computers; with this mask the network address must be a multiple of 32
    range 192.168.0.33 192.168.0.61;
    option subnet-mask 255.255.255.224;
    option broadcast-address 192.168.0.63;
    option routers 192.168.0.62;
}

group {
    host server1 {                             # the first fixed server for subnet 192.168.0.0/28
        server-name server1;
        hardware ethernet 0f:45:d3:23:11:90;
        fixed-address 192.168.0.1;
    }
    host server2 {
        server-name server2;
        hardware ethernet 0f:45:d3:23:11:91;
        fixed-address 192.168.0.2;
    }
}

This example is just providing a hint about possible options and overrides. More info can be found on dhcpd.conf and dhcp-options in man pages. Look in those pages too for information about using the DHCP server to serve BOOTP as well, usefull for diskless clients.

Detailed Objective
Weight: 1
Description: Candidates should be able to configure an NIS server. This objective includes configuring a system as an NIS client.
Key knowledge area(s):
• NIS configuration files, terms and utilities
• Create NIS maps for major configuration files
• Manipulate nsswitch.conf to configure the ability to search local files, DNS, NIS, etc.
The following is a partial list of the used files, terms and utilities:
• ypbind
• ypcat
• ypmatch
• ypserv
• yppasswd
• yppoll
• yppush
• ypwhich
• rpcinfo
• nsswitch.conf
• ypserv.conf
• contents of /var/yp/*
• netgroup
• nicknames
• securenets
• Makefile

NIS configuration

Overview
Description: The candidate should be able to configure an NIS server and create NIS maps for major configuration files. This objective includes configuring a system as an NIS client, setting up an NIS slave server, and configuring the ability to search local files, DNS, NIS, etc. in nsswitch.conf.
Key files, terms, and utilities include: nisupdate, ypbind, ypcat, ypmatch, ypserv, ypswitch, yppasswd, yppoll, yppush, ypwhich, rpcinfo, nis.conf, nsswitch.conf, ypserv.conf, /etc/nis/netgroup, /etc/nis/nicknames, /etc/nis/securenets

NIS
NIS stands for Network Information Service. Its purpose is to provide information that has to be known throughout the network to all machines on the network. Information likely to be distributed by NIS is login names/passwords/home directories (/etc/passwd) and group information (/etc/group). If, for example, your password entry is recorded in the NIS passwd database, you will be able to log in on all machines on the network which have the NIS client programs running.

Within a network there must be at least one machine acting as an NIS server. You can have multiple NIS servers, each serving different NIS "domains"; or you can have cooperating NIS servers, where one is the master NIS server and all the others are so-called slave NIS servers (for a certain NIS "domain", that is!); or you can have a mix of them. Slave servers only have copies of the NIS databases and receive these copies from the master NIS server whenever changes are made to the master's databases. Depending on the number of machines in your network and the reliability of your network, you might decide to install one or more slave servers. Whenever an NIS server goes down or is too slow in responding to requests, an NIS client connected to that server will try to find one that is up or faster.

NIS databases are in so-called DBM format, derived from ASCII databases. For example, the files /etc/passwd and /etc/group can be directly converted to DBM format using ASCII-to-DBM translation software ("makedbm", included with the server software). The master NIS server should have both the ASCII databases and the DBM databases. Slave servers will be notified of any change to the NIS maps (via the "yppush" program), and automatically retrieve the necessary changes in order to synchronize their databases. NIS clients do not need to do this since they always talk to the NIS server to read the information stored in its DBM databases.

Keep in mind that NIS itself authenticates neither clients nor servers: access control is limited to the host/network list in /var/yp/securenets and the settings in ypserv.conf, so anyone who can reach ypserv and knows the domain name can retrieve any map, including password hashes if they are distributed.
To run any of the software mentioned below you will need to run the program /usr/sbin/portmap. The RPC portmapper (portmap(8)) is a server that converts RPC program numbers into TCP/IP (or UDP/IP) protocol port numbers. It must be running in order to make RPC calls (which is what the NIS/NIS+ client software does) to RPC servers (like an NIS or NIS+ server) on that machine. When an RPC server is started, it will tell portmap what port number it is listening on, and what RPC program numbers it is prepared to serve. When a client wishes to make an RPC call to a given program number, it will first contact portmap on the server machine to determine the port number where RPC packets should be sent. Since RPC servers could be started by inetd(8), portmap should be running before inetd is started. (On current distributions rpcbind has replaced portmap and plays the same role.) For secure RPC, the portmapper needs the Time service. Make sure that the Time service is enabled in /etc/inetd.conf on all hosts:

    # Time service is used for clock synchronization.
    #
    time    stream  tcp     nowait  root    internal
    time    dgram   udp     wait    root    internal

IMPORTANT: Don't forget to restart inetd after changes to its configuration file!

What do you need to set up NIS?
Determine whether you are a Server, Slave or Client:
• Your machine is going to be part of a network with existing NIS servers.
• You do not have any NIS servers in the network yet.
In the first case, you only need the client programs (ypbind, ypwhich, ypcat, yppoll, ypmatch). The most important program is ypbind. This program must be running at all times, which means it should always appear in the list of processes. It is a daemon process and needs to be started from the system's startup file (e.g. /etc/init.d/nis, /sbin/init.d/ypclient, /etc/rc.d/init.d/ypbind, /etc/rc.local). As soon as ypbind is running your system has become an NIS client.
In the second case, if you don't have NIS servers, then you will also need an NIS server program (usually called ypserv). The section "Setting up a NIS Server" below describes how to set up an NIS server on your Linux machine using the "ypserv" daemon.

Setting Up the NIS Client

The ypbind daemon
Newer ypbind versions have a configuration file called /etc/yp.conf. You can hardcode an NIS server there; for more info see the manual page ypbind(8). You also need this file for NYS. An example:

    ypserver 10.10.0.1
    ypserver 10.0.100.8
    ypserver 10.3.1.1

If the system can resolve the hostnames without NIS, you may use the name, otherwise you have to use the IP address. ypbind 3.3 has a bug and will only use the last entry (ypserver 10.3.1.1 in the example); all other entries are ignored. ypbind-mt handles this correctly and uses the server that answers first.

It might be a good idea to test ypbind before incorporating it in the startup files. To test ypbind do the following:
Make sure you have your YP domain name set. If it is not set then issue the command:

    /bin/domainname nis.domain

where nis.domain should be some string NOT normally associated with the DNS domain name of your machine. The reason for this is that it makes it a little harder for external crackers to retrieve the password database from your NIS servers. Treat this as obscurity rather than access control: the domain name is the only "secret" a client needs, so also restrict which hosts may query ypserv in /var/yp/securenets. If you don't know what the NIS domain name is on your network, ask your system/network administrator.
Start up /usr/sbin/portmap if it is not already running.
Create the directory /var/yp if it does not exist.
Start up /usr/sbin/ypbind.
Use the command "rpcinfo -p localhost" to check if ypbind was able to register its service with the portmapper. The output should look like:

       program vers proto   port
        100000    2   tcp    111  portmapper
        100000    2   udp    111  portmapper
        100007    2   udp    637  ypbind
        100007    2   tcp    639  ypbind

Or like this (depending on the version of ypbind you are using):

       program vers proto   port
        100000    2   tcp    111  portmapper
        100000    2   udp    111  portmapper
        100007    2   udp    758  ypbind
        100007    1   udp    758  ypbind
        100007    2   tcp    761  ypbind
        100007    1   tcp    761  ypbind

You may also run "rpcinfo -u localhost ypbind". This command should produce something like:

    program 100007 version 1 ready and waiting
    program 100007 version 2 ready and waiting

The output depends on the ypbind version you have installed. Only the "version 2" message is important. At this point you should be able to use NIS client programs like ypcat, etc. For example, "ypcat passwd.byname" will give you the entire NIS password database.

IMPORTANT: If you skipped the test procedure then make sure you have set the domain name and created the directory /var/yp. This directory MUST exist for ypbind to start up successfully.

To check if the domainname is set correctly, use /bin/ypdomainname from yp-tools 2.2. It uses the yp_get_default_domain() function, which is stricter: it does not accept, for example, the "(none)" domainname, which is the default under Linux and causes a lot of problems.

If the test worked you may now want to change your startup files so that ypbind will be started at boot time and your system will act as an NIS client. Make sure that the domainname will be set before you start ypbind. Well, that's it. Reboot the machine and watch the boot messages to see if ypbind is actually started.

For host lookups you must set (or add) "nis" to the lookup order line in your /etc/host.conf file. Please read the manpage resolv+(8) for more details.

Add the following line to /etc/passwd on your NIS clients:

    +::::::

You can also use the + and - characters to include/exclude or change users. If you want to exclude the user guest just add -guest to your /etc/passwd file. You want to use a different shell (e.g. ksh) for the user "linux"? No problem, just add "+linux::::::/bin/ksh" (without the quotes) to your /etc/passwd. Fields that you don't want to change have to be left empty. You could also use netgroups for user control.

For example, to allow login access only to miquels, dth and ed, and all members of the sysadmins netgroup, but to have the account data of all other users available, use:

    +miquels::::::
    +ed::::::
    +dth::::::
    +@sysadmins::::::
    -ftp
    +:*::::::/etc/NoShell

Note that in Linux you can also override the password field, as we did in this example. We also remove the login "ftp", so it isn't known any longer, and anonymous ftp will not work. The order of these lines matters: the first entry that matches a user decides, so -ftp must come before the catch-all + entry. The netgroup would look like:

    sysadmins (-,software,) (-,kukuk,)


The nsswitch.conf File
The Name Service Switch file /etc/nsswitch.conf determines the order of lookups performed when a certain piece of information is requested, just like the /etc/host.conf file which determines the way host lookups are performed. For example, the line:

    hosts: files nis dns

specifies that host lookup functions should first look in the local /etc/hosts file, followed by an NIS lookup and finally through the domain name service (/etc/resolv.conf and named), at which point if no match is found an error is returned. A bracketed "[NOTFOUND=return]" after a source changes the default behaviour of continuing to the next source on a miss: if that source answers that the entry does not exist, the lookup stops there and later sources are not consulted (they are still consulted if the source is unavailable, for example because the NIS server is down). This file must be readable for every user! You can find more information in the man page nsswitch.5 or nsswitch.conf.5. A good /etc/nsswitch.conf file for NIS is:

    # /etc/nsswitch.conf
    passwd:     compat
    group:      compat
    # For libc5, you must use shadow: files nis
    shadow:     compat

    passwd_compat: nis
    group_compat:  nis
    shadow_compat: nis

    hosts:      nis files dns
    services:   nis [NOTFOUND=return] files
    networks:   nis [NOTFOUND=return] files
    protocols:  nis [NOTFOUND=return] files
    rpc:        nis [NOTFOUND=return] files
    ethers:     nis [NOTFOUND=return] files
    netmasks:   nis [NOTFOUND=return] files
    netgroup:   nis
    bootparams: nis [NOTFOUND=return] files
    publickey:  nis [NOTFOUND=return] files
    automount:  files
    aliases:    nis [NOTFOUND=return] files

Note that with "hosts: nis files dns" an entry in the NIS hosts map takes precedence over the client's own /etc/hosts; if local entries (such as localhost) must stay authoritative on the client, list files first.
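The following Python code is an added example, not from this book or from glibc, that replays the Name Service Switch algorithm described in nsswitch.conf(5) over stand-in sources, so the effect of source order and of [STATUS=action] can be observed. The host and service tables in it are constructed; a source named in down reports UNAVAIL, as NIS does when the server is unreachable.

```python
"""Replay nsswitch.conf lookup order over stand-in sources.

Added example, not part of the book or of glibc. Each source is a dict
keyed by lookup name; a missing key is NOTFOUND, a source listed in `down`
is UNAVAIL. Tables below are constructed.
"""
import re

# Defaults from nsswitch.conf(5): stop on success, keep going on anything else.
DEFAULT_ACTIONS = {"success": "return", "notfound": "continue",
                   "unavail": "continue", "tryagain": "continue"}
TOKEN_RE = re.compile(r"\[([^\]]*)\]|(\S+)")

HOSTS = {
    "files": {"localhost": "127.0.0.1", "fileserver": "10.0.0.5"},
    "nis":   {"fileserver": "10.9.9.9"},            # NIS map disagrees with /etc/hosts
    "dns":   {"www.example.com": "192.0.2.10"},
}
SERVICES = {
    "files": {"ssh": "22/tcp", "customsvc": "9000/tcp"},  # customsvc exists only locally
    "nis":   {"ssh": "22/tcp"},
}


def parse_line(line):
    """'services: nis [NOTFOUND=return] files' -> ('services', [(source, actions), ...])."""
    db, _, rest = line.partition(":")
    sources = []
    for bracket, word in TOKEN_RE.findall(rest):
        if word:
            sources.append((word, dict(DEFAULT_ACTIONS)))
            continue
        if not sources:
            raise ValueError("action list before any source")
        for spec in bracket.split():
            status, _, action = spec.partition("=")
            negate = status.startswith("!")         # [!STATUS=action] = every other status
            status = status.lstrip("!").lower()
            for s in DEFAULT_ACTIONS:
                if (s == status) != negate:
                    sources[-1][1][s] = action.lower()
    return db.strip(), sources


def lookup(conf_line, key, backends, down=()):
    """Return (value, sources_consulted); value None means the lookup failed."""
    _, sources = parse_line(conf_line)
    consulted = []
    for name, actions in sources:
        consulted.append(name)
        if name in down:
            status, value = "unavail", None
        elif key in backends.get(name, {}):
            status, value = "success", backends[name][key]
        else:
            status, value = "notfound", None
        if actions[status] == "return":
            return value, consulted
    return None, consulted


if __name__ == "__main__":
    for line, key, tables, down in [
        ("hosts: nis files dns", "fileserver", HOSTS, ()),
        ("hosts: files nis dns", "fileserver", HOSTS, ()),
        ("services: nis [NOTFOUND=return] files", "customsvc", SERVICES, ()),
        ("services: nis [NOTFOUND=return] files", "customsvc", SERVICES, ("nis",)),
    ]:
        print(f"{line!r:45} {key:12} down={down} -> {lookup(line, key, tables, down)}")
```

The two interesting results are that with "hosts: nis files dns" the NIS answer for fileserver wins over /etc/hosts, and that a service defined only in the local /etc/services is invisible under "nis [NOTFOUND=return] files" while the NIS server is up, but reappears as soon as the server is unreachable.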

Setting up a NIS Server

The Server Program ypserv
If you run your server as master, determine what files you require to be available via NIS and then add or remove the appropriate entries to the "all" rule in /var/yp/Makefile. You should always look at the Makefile and edit the options at the beginning of the file. There was one big change between ypserv 1.1 and ypserv 1.2. Since version 1.2, the file handles are cached. This means you always have to call makedbm with the -c option if you create new maps. Make sure you are using the new /var/yp/Makefile from ypserv 1.2 or later, or add the -c flag to makedbm in the Makefile. If you don't do that, ypserv will continue to use the old maps, and not the updated ones.

Now edit /var/yp/securenets and /etc/ypserv.conf. securenets lists the networks and hosts that are allowed to query ypserv; the file shipped with ypserv usually contains a "0.0.0.0 0.0.0.0" line that admits everybody, so restrict it to your client networks before the server goes live. For more information, read the ypserv(8) and ypserv.conf(5) manual pages. Make sure the portmapper (portmap(8)) is running, and start the server ypserv. The command "rpcinfo -u localhost ypserv" should output something like:

    program 100004 version 1 ready and waiting
    program 100004 version 2 ready and waiting

The "version 1" line could be missing, depending on the ypserv version and configuration you are using. It is only necessary if you have old SunOS 4.x clients.

Now generate the NIS (YP) database. On the master, run:

    % /usr/lib/yp/ypinit -m

On a slave make sure that ypwhich -m works. This means that your slave must be configured as an NIS client before you can run "/usr/lib/yp/ypinit -s masterhost" to install the host as an NIS slave. That's it, your server is up and running.

If you have bigger problems, you could start ypserv and ypbind in debug mode on different xterms. The debug output should show you what goes wrong.

If you need to update a map, run make in the /var/yp directory on the NIS master. This will update a map if the source file is newer, and push the files to the slave servers. Please don't use ypinit for updating a map.

You might want to edit root's crontab on the slave server and add the following lines:

    20 *    * * *   /usr/lib/yp/ypxfr_1perhour
    40 6    * * *   /usr/lib/yp/ypxfr_1perday
    55 6,18 * * *   /usr/lib/yp/ypxfr_2perday

This will ensure that most NIS maps are kept up-to-date, even if an update is missed because the slave was down at the time the update was done on the master.

You can add a slave at any time later. First, make sure that the new slave server has permission to contact the NIS master. Then run:

    % /usr/lib/yp/ypinit -s masterhost

on the new slave. On the master server, add the new slave server name to /var/yp/ypservers and run make in /var/yp to update the map.

The Program rpc.ypxfrd
rpc.ypxfrd is used to speed up the transfer of very large NIS maps from an NIS master to NIS slave servers. If an NIS slave server receives a message that there is a new map, it will start ypxfr to transfer the new map. ypxfr will read the contents of a map from the master server using the yp_all() function. This process can take several minutes when there are very large maps which have to be stored by the database library. The rpc.ypxfrd server speeds up the transfer process by allowing NIS slave servers to simply copy the master server's map files rather than building their own from scratch. rpc.ypxfrd uses an RPC-based file transfer protocol, so that there is no need for building a new map. rpc.ypxfrd can be started by inetd, but since it starts very slowly it should be started together with ypserv. You need to start rpc.ypxfrd only on the NIS master server.

The Program rpc.yppasswdd
Whenever users change their passwords, the NIS password database and probably other NIS databases which depend on the NIS password database should be updated. The program "rpc.yppasswdd" is a server that handles password changes and makes sure that the NIS information will be updated accordingly. rpc.yppasswdd is now integrated in ypserv. You don't need the older, separate yppasswd-0.9.tar.gz or yppasswd-0.10.tar.gz, and you shouldn't use them any longer. The rpc.yppasswdd in ypserv 1.3.2 has full shadow support. yppasswd is now part of yp-tools-2.2.tar.gz. You need to start rpc.yppasswdd only on the NIS master server.

By default, users are not allowed to change their full name or the login shell. You can allow this with the -e chfn or -e chsh option. If your passwd and shadow files are in a directory other than /etc, you need to add the -D option. For example, if you have put all source files in /etc/yp and wish to allow users to change their shell, you need to start rpc.yppasswdd with the following parameters:

    rpc.yppasswdd -D /etc/yp -e chsh

or

    rpc.yppasswdd -s /etc/yp/shadow -p /etc/yp/passwd -e chsh

There is nothing more to do. You just need to make sure that rpc.yppasswdd uses the same files as /var/yp/Makefile. Errors will be logged using syslog.

If everything is fine (as it should be), you should be able to verify your installation with a few simple commands. Assuming, for example, your passwd file is being supplied by NIS, the command:

    % ypcat passwd

should give you the contents of your NIS passwd file. The command:

    % ypmatch userid passwd

(where userid is the login name of an arbitrary user) should give you the user's entry in the NIS passwd file. The "ypcat" and "ypmatch" programs should be included with your distribution of traditional NIS or NYS.

Once you have NIS correctly configured on the server and client, you do need to be sure that the configuration will survive a reboot. On Red Hat, create or modify the variable NISDOMAIN in the file /etc/sysconfig/network.

Detailed Objective
Weight: 1
Description: Candidates should be able to configure an LDAP server. This objective includes working with directory hierarchy, groups, hosts, services and adding other data to the hierarchy. Also included is importing and adding items, as well as adding and managing users.
Key knowledge area(s):
• LDAP configuration files, tools and utilities
• Importing items from LDIF files
• Change user passwords
The following is a partial list of the used files, terms and utilities:
• slapd
• slapd.conf


Detailed Objective
Weight: 2
Description: The candidate should be able to configure PAM to support authentication using various available methods.
Key knowledge area(s):
• PAM configuration files, terms and utilities
• passwd and shadow passwords
• NIS
• LDAP
The following is a partial list of the used files, terms and utilities:
• /etc/pam.d
• pam.conf

PAM authentication
PAM (Pluggable Authentication Modules) is a flexible mechanism for authenticating users. Since the beginnings of UNIX, authenticating a user has been accomplished by the user entering a password and the system checking whether the entered password corresponds to the encrypted official password that is stored in /etc/passwd. The idea being that the user *is* really that user if and only if they can correctly enter their secret password. That was in the beginning. Since then, a number of new ways of authenticating users have become popular, including more complicated replacements for the /etc/passwd file and hardware devices such as smart cards. The problem is that each time a new authentication scheme is developed, it requires all the necessary programs (login, ftpd etc.) to be rewritten to support it. PAM provides a way to develop programs that are independent of the authentication scheme. These programs need "authentication modules" to be attached to them at run-time in order to work. Which authentication module is to be attached depends on the local system setup and is at the discretion of the local system administrator.

Linux-PAM (Pluggable Authentication Modules for Linux) is a suite of shared libraries that enable the local system administrator to choose how applications authenticate users. In other words, without (rewriting and) recompiling a PAM-aware application, it is possible to switch between the authentication mechanism(s) it uses. Indeed, one may entirely upgrade the local authentication system without touching the applications themselves. Historically an application that has required a given user to be authenticated has had to be compiled to use a specific authentication mechanism.
For example, in the case of traditional UN*X systems, the identity of the user is verified by the user entering a correct password. This password, after being prefixed by a two character "salt", is encrypted (with crypt(3)). The user is then authenticated if this encrypted password is identical to the second field of the user's entry in the system password database (the /etc/passwd file). On such systems, most if not all forms of privileges are granted based on this single authentication scheme. Privilege comes in the form of a personal user identifier (uid) and membership of various groups. Services and applications are available based on the personal and group identity of the user. Traditionally, group membership has been assigned based on entries in the /etc/group file.

Unfortunately, increases in the speed of computers and the widespread introduction of network based computing have made once secure authentication mechanisms, such as this, vulnerable to attack. In the light of such realities, new methods of authentication are continuously being developed. It is the purpose of the Linux-PAM project to separate the development of privilege granting software from the development of secure and appropriate authentication schemes. This is accomplished by providing a library of functions that an application may use to request that a user be authenticated. This PAM library is configured locally with a system file, /etc/pam.conf (or a series of configuration files located in /etc/pam.d/), to authenticate a user request via the locally available authentication modules. The modules themselves will usually be located in the directory /lib/security (on current distributions /lib64/security or a multiarch directory such as /lib/x86_64-linux-gnu/security) and take the form of dynamically loadable object files (see dlopen(3)).

Overview
For the uninitiated, we begin by considering an example. We take an application that grants some service to users; login is one such program. Login does two things: it first establishes that the requesting user is whom they claim to be, and second provides them with the requested service. In the case of login the service is a command shell (bash, tcsh, zsh, etc.) running with the identity of the user. Traditionally, the former step is achieved by the login application prompting the user for a password and then verifying that it agrees with that located on the system, hence verifying that as far as the system is concerned the user is who they claim to be. This is the task that is delegated to Linux-PAM. From the perspective of the application programmer (in this case the person that wrote the login application), Linux-PAM takes care of this authentication task: verifying the identity of the user.

The flexibility of Linux-PAM is that you, the system administrator, have the freedom to stipulate which authentication scheme is to be used. You have the freedom to set the scheme for any/all PAM-aware applications on your Linux system. That is, you can authenticate from anything as naive as simple trust (pam_permit) to something as paranoid as a combination of a retinal scan, a voice print and a one-time password! To illustrate the flexibility you face, consider the following situation: a system administrator (parent) wishes to improve the mathematical ability of her users (children). She can configure their favorite "Shoot 'em up" game (PAM-aware of course) to authenticate them with a request for the product of a couple of random numbers less than 12. It is clear that if the game is any good they will soon learn their multiplication tables. As they mature, the authentication can be upgraded to include (long) division!

Linux-PAM deals with four separate types of (management) task. These are: authentication management; account management; session management; and password management. The association of the preferred management scheme with the behavior of an application is made with entries in the relevant Linux-PAM configuration file. The management functions are performed by modules specified in the configuration file. The Linux-PAM library consults the contents of the PAM configuration file and loads the modules that are appropriate for an application. These modules fall into one of four management groups and are stacked in the order they appear in the configuration file. These modules, when called by Linux-PAM, perform the various authentication tasks for the application. Textual information, required from or offered to the user, can be exchanged through the use of the application-supplied conversation function.

Linux-PAM is designed to provide the system administrator with a great deal of flexibility in configuring the privilege granting applications of their system. The local configuration of those aspects of system security controlled by Linux-PAM is contained in one of two places: either the single system file, /etc/pam.conf; or the /etc/pam.d/ directory. Linux-PAM specific tokens in this file are case insensitive. The module paths, however, are case sensitive since they indicate a file's name and reflect the case dependence of typical Linux file-systems. The case-sensitivity of the arguments to any given module is defined for each module in turn.

In addition to the lines described below, there are two special characters provided for the convenience of the system administrator: comments are preceded by a '#' and extend to the next end-of-line; also, module specification lines may be extended with a '\' escaped newline.


LPI Linux Certification/Print Version A general configuration line of the /etc/pam.conf file has the following form: : service-name module-type control-flag module-path args PAM authentication Below, we explain the meaning of each of these tokens. The second (and more recently adopted) way of configuring Linux-PAM is via the contents of the /etc/pam.d/ directory. Once we have explained the meaning of the above tokens, we will describe this method. Service-name The name of the service associated with this entry. Frequently the service name is the conventional name of the given application. For example, `ftpd', `rlogind' and `su', etc. . There is a special service-name, reserved for defining a default authentication mechanism. It has the name `OTHER' and may be specified in either lower or upper case characters. Note, when there is a module specified for a named service, the `OTHER' entries are ignored. PAM authentication Module-type One of (currently) four types of module. The four types are as follows: auth; this module type provides two aspects of authenticating the user. Firstly, it establishes that the user is who they claim to be, by instructing the application to prompt the user for a password or other means of identification. Secondly, the module can grant group membership (independently of the /etc/groups file discussed above) or other privileges through its credential granting properties. account; this module performs non-authentication based account management. It is typically used to restrict/permit access to a service based on the time of day, currently available system resources (maximum number of users) or perhaps the location of the applicant user---`root' login only on the console. session; primarily, this module is associated with doing things that need to be done for the user before/after they can be given service. 
Such things include the logging of information concerning the opening/closing of some data exchange with a user, mounting directories, etc. . password; this last module type is required for updating the authentication token associated with the user. Typically, there is one module for each `challenge/response' based authentication (auth) module-type. PAM authentication Control-flag The control-flag is used to indicate how the PAM library will react to the success or failure of the module it is associated with. Since modules can be stacked (modules of the same type execute in series, one after another), the control-flags determine the relative importance of each module. The application is not made aware of the individual success or failure of modules listed in the `/etc/pam.conf' file. Instead, it receives a summary success or fail response from the Linux-PAM library. The order of execution of these modules is that of the entries in the /etc/pam.conf file; earlier entries are executed before later ones. As of Linux-PAM v0.60, this control-flag can be defined with one of two syntaxes. The simpler (and historical) syntax for the control-flag is a single keyword defined to indicate the severity of concern associated with the success or failure of a specific module. There are four such keywords: required, requisite, sufficient and optional. PAM authentication Control-flag The Linux-PAM library interprets these keywords in the following manner: required; this indicates that the success of the module is required for the module-type facility to succeed. Failure of this module will not be apparent to the user until all of the remaining modules (of the same module-type) have been executed. requisite; like required, however, in the case that such a module returns a failure, control is directly returned to the application. The return value is that associated with the first required or requisite module to fail. 
Note, this flag can be used to protect against the possibility of a user getting the opportunity to enter a password over an unsafe medium. It is conceivable that such behavior might inform an attacker of valid accounts on a system. This possibility

199

LPI Linux Certification/Print Version should be weighed against the not insignificant concerns of exposing a sensitive password in a hostile environment. sufficient; the success of this module is deemed `sufficient' to satisfy the Linux-PAM library that this module-type has succeeded in its purpose. In the event that no previous required module has failed, no more `stacked' modules of this type are invoked. (Note, in this case subsequent required modules are not invoked.). A failure of this module is not deemed as fatal to satisfying the application that this module-type has succeeded. Optional; as its name suggests, this control-flag marks the module as not being critical to the success or failure of the user's application for service. In general, Linux-PAM ignores such a module when determining if the module stack will succeed or fail. However, in the absence of any definite successes or failures of previous or subsequent stacked modules this module will determine the nature of the response to the application. One example of this latter case, is when the other modules return something like PAM_IGNORE. PAM authentication Control-flag : The more elaborate (newer) syntax is much more specific and gives the administrator a great deal of control over how the user is authenticated. This form of the control flag is delimeted with square brackets and consists of a series of value=action tokens: [value1=action1 value2=action2 ...] Here, valueI is one of the following return values: success; open_err; symbol_err; service_err; system_err; buf_err; perm_denied; auth_err; cred_insufficient; authinfo_unavail; user_unknown; maxtries; new_authtok_reqd; acct_expired; session_err; cred_unavail; cred_expired; cred_err; no_module_data; conv_err; authtok_err; authtok_recover_err; authtok_lock_busy; authtok_disable_aging; try_again; ignore; abort; authtok_expired; module_unknown; bad_item; and default. 
The last of these (default) can be used to set the action for those return values that are not explicitly defined. The actionI can be a positive integer or one of the following tokens: ignore; ok; done; bad; die; and reset. A positive integer, J, when specified as the action, can be used to indicate that the next J modules of the current module-type will be skipped. In this way, the administrator can develop a moderately sophisticated stack of modules with a number of different paths of execution. Which path is taken can be determined by the reactions of individual modules. PAM authentication ignore - when used with a stack of modules, the module's return status will not contribute to the return code the application obtains. bad - this action indicates that the return code should be thought of as indicative of the module failing. If this module is the first in the stack to fail, its status value will be used for that of the whole stack. die - equivalent to bad with the side effect of terminating the module stack and PAM immediately returning to the application. ok - this tells PAM that the administrator thinks this return code should contribute directly to the return code of the full stack of modules. In other words, if the former state of the stack would lead to a return of PAM_SUCCESS, the module's return code will override this value. Note, if the former state of the stack holds some value that is indicative of a modules failure, this 'ok' value will not be used to override that value. done - equivalent to ok with the side effect of terminating the module stack and PAM immediately returning to the application. reset - clear all memory of the state of the module stack and start again with the next stacked module. PAM authentication Each of the four keywords: required; requisite; sufficient; and optional, have an equivalent expression in terms of the [...] syntax. 
They are as follows:

required   is equivalent to [success=ok new_authtok_reqd=ok ignore=ignore default=bad]
requisite  is equivalent to [success=ok new_authtok_reqd=ok ignore=ignore default=die]
sufficient is equivalent to [success=done new_authtok_reqd=done default=ignore]
optional   is equivalent to [success=ok new_authtok_reqd=ok default=ignore]

Just to get a feel for the power of this new syntax, here is a taste of what you can do with it. With Linux-PAM-0.63, the notion of client plug-in agents was introduced. This is something that makes it possible for PAM to support machine-machine authentication using the transport protocol inherent to the client/server application. With the [ ... value=action ... ] control syntax, it is possible for an application to be configured to support binary prompts with compliant clients, but to fall back gracefully to an alternative authentication mode for older, legacy applications.

Module-path

The path-name of the dynamically loadable object file; the pluggable module itself. If the first character of the module path is '/', it is assumed to be a complete path. If this is not the case, the given module path is appended to the default module path, /lib/security. (On current distributions the default is often /lib64/security or /lib/x86_64-linux-gnu/security instead; a bare module name such as pam_unix.so is resolved there.)

Args

The args are a list of tokens that are passed to the module when it is invoked, much like arguments to a typical Linux shell command. Generally, valid arguments are optional and are specific to any given module. Invalid arguments are ignored by a module; however, when encountering an invalid argument, the module is required to write an error to syslog(3). For a list of generic options see the next section.

Any line in (one of) the configuration file(s) that is not formatted correctly will generally tend (erring on the side of caution) to make the authentication process fail. A corresponding error is written to the system log files with a call to syslog(3).
Directory based configuration

More flexible than the single configuration file: as of version 0.56, it is possible to configure libpam via the contents of the /etc/pam.d/ directory. In this case the directory is filled with files, each of which has a filename equal to a service-name (in lower case): it is the personal configuration file for the named service.

Linux-PAM can be compiled in one of two modes. The preferred mode uses either /etc/pam.d/ or /etc/pam.conf configuration but not both. That is to say, if there is a /etc/pam.d/ directory then libpam only uses the files contained in this directory; only in the absence of the /etc/pam.d/ directory is the /etc/pam.conf file used. This is likely to be the mode your preferred distribution uses. The other mode is to use both /etc/pam.d/ and /etc/pam.conf in sequence. In this mode, entries in /etc/pam.d/ override those of /etc/pam.conf.

The syntax of each file in /etc/pam.d/ is similar to that of the /etc/pam.conf file and is made up of lines of the following form:

module-type control-flag module-path arguments

The only difference is that the service-name is not present. The service-name is of course the name of the given configuration file. For example, /etc/pam.d/login contains the configuration for the login service.

This method of configuration has a number of advantages over the single file approach. We list them here to assist the reader in deciding which scheme to adopt:

• A lower chance of misconfiguring an application. There is one less field to mis-type when editing the configuration files by hand.
• Easier to maintain. One application may be reconfigured without risk of interfering with other applications on the system.
• It is possible to symbolically link different services' configuration files to a single file. This makes it easier to keep the system policy for access consistent across different applications. (It should be noted that, to conserve space, it is equally possible to hard link a number of configuration files. However, care should be taken when administering this arrangement, as editing a hard linked file is likely to break the link.)
• A potential for quicker configuration file parsing. Only the relevant entries are parsed when a service gets bound to its modules.
• It is possible to limit read access to individual Linux-PAM configuration files using the file protections of the filesystem.
• Package management becomes simpler. Every time a new application is installed, it can be accompanied by an /etc/pam.d/xxxxxx file.

Generic module arguments

The following are optional arguments which are likely to be understood by any module. Arguments (including these) are in general optional.

debug : Use the syslog(3) call to log debugging information to the system log files.

no_warn : Instruct the module not to give warning messages to the application.

use_first_pass : The module should not prompt the user for a password. Instead, it should obtain the previously typed password (from the preceding auth module) and use that. If that doesn't work, then the user will not be authenticated. (This option is intended for auth and password modules only.)

try_first_pass : The module should attempt authentication with the previously typed password (from the preceding auth module). If that doesn't work, then the user is prompted for a password. (This option is intended for auth modules only.)

use_mapped_pass : This argument is not currently supported by any of the modules in the Linux-PAM distribution because of possible consequences associated with U.S. encryption exporting restrictions.
Within the U.S., module developers are, of course, free to implement it (as are developers in other countries).

expose_account : In general the leakage of some information about user accounts is not a secure policy for modules to adopt. Sometimes information such as user names, home directories or preferred shells can be used to attack a user's account. In some circumstances, however, this sort of information is not deemed a threat: displaying a user's full name when asking them for a password in a secured environment could also be called being 'friendly'. The expose_account argument is a standard module argument to encourage a module to be less discreet about account information, as deemed appropriate by the local administrator.

Example configuration file entries

Default policy: if a system is to be considered secure, it had better have a reasonably secure OTHER entry. The following is a paranoid setting (which is not a bad place to start!):

# default; deny access
OTHER auth     required pam_deny.so
OTHER account  required pam_deny.so
OTHER password required pam_deny.so
OTHER session  required pam_deny.so

Whilst fundamentally a secure default, this is not very sympathetic to a misconfigured system. For example, such a system is vulnerable to locking everyone out should the rest of the file become badly written. The module pam_deny is not very sophisticated: it logs no information when it is invoked, so unless the users of a system contact the administrator when failing to execute a service application, the administrator may go for a long while in ignorance of the fact that the system is misconfigured.

The addition of the following lines before those in the above example would provide a suitable warning to the administrator:

# default; wake up! This application is not configured
OTHER auth     required pam_warn.so
OTHER password required pam_warn.so

Having two OTHER auth lines is an example of stacking. On a system that uses the /etc/pam.d/ configuration, the corresponding default setup would be achieved with the following file:

# default configuration: /etc/pam.d/other
auth     required pam_warn.so
auth     required pam_deny.so
account  required pam_deny.so
password required pam_warn.so
password required pam_deny.so
session  required pam_deny.so

On a less sensitive computer, one on which the system administrator wishes to remain ignorant of much of the power of Linux-PAM, the following selection of lines (in /etc/pam.conf) is likely to mimic the historically familiar Linux setup:

# default; standard UN*X access
OTHER auth     required pam_unix.so
OTHER account  required pam_unix.so
OTHER password required pam_unix.so
OTHER session  required pam_unix.so

Key terms, files and utilities: /etc/pam.d /etc/pam.conf /lib/libpam.so.*
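The control flags above are easiest to understand by watching them decide. The following Python script is an added example written for this page, not libpam code: it parses /etc/pam.d-style stacks and replays the ok/done/bad/die/ignore/reset/skip rules over module results supplied in a dict, so policies can be compared offline. The module names and outcomes are made up for the demonstration; an integer action is treated as "ok" followed by a skip, and an unlisted return value falls back to "bad" (what libpam does when no default= is given). The constructed stacks show the classic ordering pitfall: a sufficient module placed before a required one short-circuits the required check entirely.

```python
# Added example: a model of Linux-PAM stacking semantics for the control flags
# described above.  Not libpam code; module names and results are constructed.

KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}


def parse_control(flag):
    """Turn 'required' or '[success=1 default=ignore]' into a {value: action} map."""
    if flag in KEYWORDS:
        return dict(KEYWORDS[flag])
    if not (flag.startswith("[") and flag.endswith("]")):
        raise ValueError("bad control flag: %r" % flag)
    actions = {}
    for token in flag[1:-1].split():
        value, action = token.split("=", 1)
        actions[value] = int(action) if action.isdigit() else action
    return actions


def parse_stack(text):
    """Parse /etc/pam.d-style lines 'type control module [args]' into (type, control, module)."""
    stack = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[1].startswith("["):          # bracketed control flags contain spaces
            end = next(i for i, f in enumerate(fields) if f.endswith("]"))
            control, module = " ".join(fields[1:end + 1]), fields[end + 1]
        else:
            control, module = fields[1], fields[2]
        stack.append((fields[0], control, module))
    return stack


def evaluate(stack, results, module_type="auth"):
    """Return the status PAM would hand back for one module type.

    results maps module name -> return value ("success", "auth_err", ...).
    impression records whether the stack is so far positive, negative or undecided;
    an undecided stack ends as perm_denied, as in libpam.
    """
    impression, status, skip = None, "perm_denied", 0
    for mtype, control, module in stack:
        if mtype != module_type:
            continue
        if skip:
            skip -= 1
            continue
        retval = results.get(module, "module_unknown")
        actions = parse_control(control)
        action = actions.get(retval, actions.get("default", "bad"))
        if action == "ignore":
            continue
        if action in ("ok", "done") or isinstance(action, int):
            if impression is None or (impression == "positive" and status == "success"):
                impression, status = "positive", retval
            if action == "done" and impression == "positive":
                break                         # sufficient: stop unless a required module already failed
            if isinstance(action, int):
                skip = action                 # jump over the next N modules of this type
        elif action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", retval   # the first failure wins
            if action == "die":
                break                         # requisite: stop immediately
        elif action == "reset":
            impression, status = None, "perm_denied"
        else:
            raise ValueError("unknown action %r" % (action,))
    return status


# Constructed sample stacks (not from any real system).
SAFE = parse_stack("""
auth required   pam_unix.so
auth sufficient pam_permit.so
""")
UNSAFE = parse_stack("""
auth sufficient pam_permit.so
auth required   pam_unix.so
""")
DEBIAN_STYLE = parse_stack("""
auth [success=1 default=ignore] pam_unix.so
auth requisite pam_deny.so
auth required  pam_permit.so
""")

if __name__ == "__main__":
    bad_password = {"pam_unix.so": "auth_err", "pam_permit.so": "success", "pam_deny.so": "auth_err"}
    print("SAFE  ", evaluate(SAFE, bad_password))          # auth_err
    print("UNSAFE", evaluate(UNSAFE, bad_password))        # success: pam_unix is never consulted
    print("DEBIAN", evaluate(DEBIAN_STYLE, bad_password))  # auth_err
```

The UNSAFE stack is the one to remember: because pam_permit always succeeds and "done" terminates the stack on a positive impression, the required pam_unix line after it is dead code, and every password is accepted. The DEBIAN_STYLE stack shows the integer-skip idiom: on success pam_unix jumps over pam_deny, on failure the ignore action leaves the decision to the requisite pam_deny, which dies with the failure.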

System Security

Detailed Objective

Weight: 2

Description: Candidates should be able to configure a system to perform network address translation (NAT, IP masquerading) and state its significance in protecting a network. This objective includes configuring port redirection, managing filter rules and averting attacks.

Key knowledge area(s):
• iptables configuration files, tools and utilities
• ipchains configuration files, tools and utilities
• Tools, commands and utilities to manage routing tables
• Private address ranges
• Port redirection and IP forwarding
• List and write filtering rules that accept or block datagrams based on source or destination protocol, port and address
• Save and reload filtering configurations
• Manipulating the content of /proc/sys/net/ to respond to DoS attacks

The following is a partial list of the used files, terms and utilities:
• /proc/sys/net/ipv4
• /etc/services
• ipchains
• iptables
• routed
• quagga

Configuring a router

Overview

Description: The candidate should be able to configure ipchains and iptables to perform IP masquerading, and state the significance of Network Address Translation and Private Network Addresses in protecting a network. This objective includes configuring port redirection, listing filtering rules, and writing rules that accept or block datagrams based upon source or destination protocol, port and address. Also included is saving and reloading filtering configurations, using settings in /proc/sys/net/ipv4 to respond to DoS attacks, using /proc/sys/net/ipv4/ip_forward to turn IP forwarding on and off, and using tools such as PortSentry to block port scans and vulnerability probes.

Key files, terms, and utilities include: /proc/sys/net/ipv4 /etc/services ipchains iptables routed

Configuring a router

There are numerous steps you should take to configure a router connected to insecure networks like the Internet. First of all, identify what services you need, and have a policy of blocking everything else! This minimizes your exposure to security breaches. Common steps for routers are:

• Log all dropped/rejected packets, and limit the rate at which you log, so that a flood cannot fill the disk with log files.
• Use NAT whenever you can: hosts on private (RFC 1918) addresses cannot be reached directly from the Internet, so an attacker can only target what you explicitly expose through the router.
• Define a default policy for how blocked TCP/UDP ports are answered: drop, reject or reset? Dropping isn't really stealthy; scanners nowadays detect filtered ports easily. Rejecting with an ICMP error still shows that a firewall is blocking access. Answering TCP with a reset (and UDP with ICMP port-unreachable) looks as if nothing is listening, i.e. the "normal" behaviour of a closed port.
• Unless you know you need it, drop (and log, with a rate limit) all ICMP packets except the most useful types: destination-unreachable, time-exceeded and echo-reply.
• Protect against known attacks: enable anti-spoofing of IP addresses (reverse path filtering), disable acceptance of source-routed packets, disable ICMP redirects, log "martian" addresses (addresses which appear on an interface they don't belong to), enable SYN cookies (tcp_syncookies, the kernel's defence against SYN floods), ignore ICMP echo requests sent to broadcast addresses and ignore bogus ICMP error responses. Disabling ECN (Explicit Congestion Notification) and TCP timestamps is sometimes added to this list; both are hardening choices with a functionality cost rather than strict requirements.
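Putting the checklist into a concrete policy: the script below is an added example written for this page, not code from the original book. It builds a deny-by-default stateful NAT router with iptables (masquerading, a DNAT port redirection, rate-limited logging, the ICMP and anti-spoofing rules above, and reset/port-unreachable answers for everything else) together with the /proc/sys/net/ipv4 settings the text lists. The interface names eth0/eth1, the LAN range 10.0.0.0/24 and the forwarded web server 10.0.0.10 are assumptions to edit. build_rules() returns the iptables commands as argument lists so the policy can be reviewed or tested without root; apply_rules() executes them.

```python
# Added example: stateful NAT router policy for the checklist above.  Written for this
# page (not the original's code); interfaces, LAN range and web server are assumptions.
import subprocess

# Source ranges that must never arrive from the Internet side (RFC 1918 + loopback).
PRIVATE_NETS = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")

# /proc/sys/net/ipv4 knobs from the checklist.  tcp_syncookies is enabled (1):
# SYN cookies are the defence against SYN floods.
SYSCTLS = {
    "net.ipv4.ip_forward": "1",
    "net.ipv4.conf.all.rp_filter": "1",            # anti-spoofing (reverse path check)
    "net.ipv4.conf.all.accept_source_route": "0",
    "net.ipv4.conf.all.accept_redirects": "0",
    "net.ipv4.conf.all.send_redirects": "0",
    "net.ipv4.conf.all.log_martians": "1",
    "net.ipv4.tcp_syncookies": "1",
    "net.ipv4.icmp_echo_ignore_broadcasts": "1",
    "net.ipv4.icmp_ignore_bogus_error_responses": "1",
}


def build_rules(wan="eth0", lan="eth1", lan_net="10.0.0.0/24", web="10.0.0.10"):
    """Return the iptables commands (as argv lists) for a deny-by-default NAT router."""
    rules = []

    def add(*args):
        rules.append(["iptables", *args])

    # Start clean and deny by default on INPUT and FORWARD.
    for table in ("filter", "nat"):
        add("-t", table, "-F")
        add("-t", table, "-X")
    add("-P", "INPUT", "DROP")
    add("-P", "FORWARD", "DROP")
    add("-P", "OUTPUT", "ACCEPT")
    add("-A", "INPUT", "-i", "lo", "-j", "ACCEPT")
    for chain in ("INPUT", "FORWARD"):
        add("-A", chain, "-m", "conntrack", "--ctstate", "ESTABLISHED,RELATED", "-j", "ACCEPT")
        add("-A", chain, "-m", "conntrack", "--ctstate", "INVALID", "-j", "DROP")
    # Anti-spoofing in the ruleset as well as through rp_filter.
    for chain in ("INPUT", "FORWARD"):
        for net in PRIVATE_NETS:
            add("-A", chain, "-i", wan, "-s", net, "-j", "DROP")
    # ICMP: only the useful types; echo-request is rate limited instead of dropped.
    for icmp_type in ("destination-unreachable", "time-exceeded", "echo-reply"):
        add("-A", "INPUT", "-p", "icmp", "--icmp-type", icmp_type, "-j", "ACCEPT")
    add("-A", "INPUT", "-p", "icmp", "--icmp-type", "echo-request",
        "-m", "limit", "--limit", "5/second", "-j", "ACCEPT")
    # Administration from the LAN only.
    add("-A", "INPUT", "-i", lan, "-s", lan_net, "-p", "tcp", "--dport", "22", "-j", "ACCEPT")
    # LAN -> Internet, masqueraded behind the WAN address.
    add("-A", "FORWARD", "-i", lan, "-o", wan, "-s", lan_net, "-j", "ACCEPT")
    add("-t", "nat", "-A", "POSTROUTING", "-o", wan, "-j", "MASQUERADE")
    # Port redirection: public port 80 -> internal web server.
    add("-t", "nat", "-A", "PREROUTING", "-i", wan, "-p", "tcp", "--dport", "80",
        "-j", "DNAT", "--to-destination", f"{web}:80")
    add("-A", "FORWARD", "-i", wan, "-d", web, "-p", "tcp", "--dport", "80", "-j", "ACCEPT")
    # Everything else: log with a rate limit, then answer like a closed port
    # (RST for TCP, port-unreachable for UDP) so a scanner learns nothing about the filter.
    for chain in ("INPUT", "FORWARD"):
        add("-A", chain, "-m", "limit", "--limit", "10/minute", "--limit-burst", "20",
            "-j", "LOG", "--log-prefix", f"FW-{chain}-DROP: ")
    add("-A", "INPUT", "-p", "tcp", "-j", "REJECT", "--reject-with", "tcp-reset")
    add("-A", "INPUT", "-p", "udp", "-j", "REJECT", "--reject-with", "icmp-port-unreachable")
    return rules


def apply_rules(rules=None):
    """Set the sysctls and load the rules (requires root).  Persist them afterwards with
    'iptables-save > /etc/iptables/rules.v4' (Debian) or 'service iptables save' (RHEL)."""
    for key, value in SYSCTLS.items():
        subprocess.run(["sysctl", "-w", f"{key}={value}"], check=True)
    for argv in (rules if rules is not None else build_rules()):
        subprocess.run(argv, check=True)


if __name__ == "__main__":
    for argv in build_rules():          # dry run: print the policy for review
        print(" ".join(argv))
```

Run it without arguments to print the rule set for review before calling apply_rules() as root; iptables-save and iptables-restore are the commands that save and reload the configuration the objective asks about.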


Detailed Objective

Weight: 2

Description: Candidates should be able to configure an FTP server for anonymous downloads and uploads. This objective includes precautions to be taken if anonymous uploads are permitted and configuring user access.

Key knowledge area(s):
• Configuration files, tools and utilities for vsftpd, Pure-FTPd, wu-ftpd and ProFTPd
• Layout and content of FTP access restriction files
• Client user authentication methods
• Usage of chroot to secure FTP

The following is a partial list of the used files, terms and utilities:
• ftpaccess
• ftpusers
• ftpgroups
• /etc/passwd

Securing FTP servers

Overview

Description: The candidate should be able to configure an anonymous download FTP server. This objective includes configuring an FTP server to allow anonymous uploads, listing additional precautions to be taken if anonymous uploads are permitted, configuring guest users and groups with chroot jail, and configuring ftpaccess to deny access to named users or groups. Key files, terms, and utilities include: ftpaccess, ftpusers, ftpgroups, /etc/passwd, chroot

Securing an FTP server will include:
• FTP Warning Banner customization
• FTP Greeting Banner customization
• Securing, denying and restricting User Accounts
• Securing Anonymous Access
• Securing Anonymous Upload


FTP protocol

The File Transfer Protocol (FTP) is an older TCP protocol designed to transfer files over a network. Because all transactions with the server, including user authentication, are unencrypted, it is considered an insecure protocol and should be carefully configured; where the clients allow it, prefer SFTP (over SSH) or FTPS (FTP over TLS).

wu-ftpd FTP server

We will focus on the wu-ftpd FTP server from Washington University. wu-ftpd's main configuration files are in /etc: ftpusers, ftpaccess and ftpconversions.

The ftpusers file contains a list of all those users who are not allowed to log into your FTP server. As you can imagine, user root should be listed here. You should also make sure that other special user accounts such as lp, shutdown, mail, etc. are included.

The ftpaccess file is used to configure issues such as security, user definitions, etc. It is actually the general configuration file. Some interesting settings that you can establish here are:

loginfails [number], where number is the number of times a user is allowed to fail to authenticate before the connection is closed.

shutdown [filename], where filename is the name of a file that, if it exists, automatically shuts down the FTP server (refusing new connections) without a need to comment the service out of /etc/inetd.conf and restart inetd.

Finally, the ftpconversions file is used to allow clients special "on-the-fly" conversions of files, e.g. automatic compression or decompression of files on download.

FTP Warning Banner

Returning a customized banner to FTP clients when they connect is a good idea, as it helps disguise what system the FTP server is running on. You can send banners to incoming connections either using TCP wrappers, or as described below. Add the following line to the wu-ftpd configuration file, /etc/ftpaccess:

banner /etc/banners/warning.msg

The contents of the banner file should look something like this:

Hello, all activity on ftp.example.com is logged.

FTP Greeting Banner

After login, all users are presented with a greeting banner. By default, this banner includes version information useful to attackers trying to identify weaknesses in a system. To change the greeting banner for wu-ftpd, add the following directive to /etc/ftpaccess (not to /etc/ftpusers, which only lists denied users):

greeting text <your message>

(greeting terse suppresses the version information without a custom message.)

Securing FTP servers

Because FTP passes unencrypted usernames and passwords over insecure networks for authentication, it is a good idea to deny system users access to the server from their user accounts. To disable all user accounts in wu-ftpd, add the following directive to /etc/ftpaccess:

deny-uid *

To disable specific user accounts in wu-ftpd, add the username to /etc/ftpusers.

Anonymous Access

The best way to set up anonymous FTP is by configuring a chroot jail: instead of allowing total access to the system, this will limit access to a given directory. In other words, after an anonymous user logs into the system she will only have access to the user ftp's home directory and nothing else. If she enters cd /, which in most other cases would take her to the system's root directory, it will only take her to /home/ftp (the default home directory for the user ftp on older distributions; newer ones use /var/ftp, which is why the upload example further down lives under /var/ftp/pub).


Most distributions like Red Hat provide an anonymous ftp package to help prepare the chroot jail. It is important to give your strictly-FTP users no real shell account on the Linux system. In this manner, if for any reason someone could successfully get out of the FTP chrooted environment (see below for definition), they would not have the possibility of executing any user tasks since they don't have a shell.

First, create new users for this purpose. This has to be separate from a regular user account with unlimited access because of how the chroot environment works. chroot makes it appear from the user's perspective as if the level of the file system you've placed them in is the top level of the file system. Set these new users up with /dev/null as their shell, and add /dev/null to the list of allowed shells, /etc/shells (the pam_shells module used below refuses logins whose shell is not listed there). Make sure also that in /etc/passwd their home directory is listed as /home/./ftp (for user ftp), even though the real directory is /home/ftp: wu-ftpd chroots to the part before "/./" and places the user in the part after it.

Set up a chroot user environment: what you're essentially doing is creating a skeleton root file system with enough components (binaries, password files, etc.) to allow Unix to do a chroot when the user logs in. Note that wu-ftpd may be compiled with the --enable-ls option, in which case the /home/ftp/bin and /home/ftp/lib directories are not required, since this option allows wu-ftpd to use its own ls function. We still demonstrate the old method for people who prefer to copy /bin/ls to the chrooted FTP directory /home/ftp/bin and provide the libraries it needs.

The following are the necessary steps to run wu-ftpd in a chroot jail. First create all the necessary chrooted environment directories:

[root@deep ] /# mkdir /home/ftp/dev
[root@deep ] /# mkdir /home/ftp/etc
[root@deep ] /# mkdir /home/ftp/bin
[root@deep ] /# mkdir /home/ftp/lib

Change the new directories' permission to 0511 for security reasons. The chmod command will make our chrooted dev, etc, bin and lib directories readable and executable by the super-user root and only executable (searchable, not listable) by the group and all other users:

[root@deep ] /# chmod 0511 /home/ftp/dev/
[root@deep ] /# chmod 0511 /home/ftp/etc/
[root@deep ] /# chmod 0511 /home/ftp/bin
[root@deep ] /# chmod 0511 /home/ftp/lib

Copy the /bin/ls binary to the /home/ftp/bin directory and change the permission of the copy to 0111. You don't want users to be able to read or modify the binary (leave the system's own /bin/ls alone):

[root@deep ] /# cp /bin/ls /home/ftp/bin
[root@deep ] /# chmod 0111 /home/ftp/bin/ls

Find the shared library dependencies of the ls binary:

[root@deep ] /# ldd /bin/ls
        libc.so.6 => /lib/libc.so.6 (0x00125000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x00110000)

(On a current system the list is longer and the paths differ, e.g. /lib/x86_64-linux-gnu/libc.so.6 and /lib64/ld-linux-x86-64.so.2; copy whatever ldd reports, keeping the same paths below /home/ftp.) Copy the shared libraries identified above to your new lib directory under /home/ftp:

[root@deep ] /# cp /lib/libc.so.6 /home/ftp/lib/
[root@deep ] /# cp /lib/ld-linux.so.2 /home/ftp/lib/

Create your /home/ftp/dev/null file:

[root@deep ] /# mknod /home/ftp/dev/null c 1 3
[root@deep ] /# chmod 666 /home/ftp/dev/null


Copy the group and passwd files into the /home/ftp/etc directory. These should not be the same as your real ones: we'll remove all non-FTP users except for the super-user root from both files, passwd and group. The copies are used only for name lookups (ls showing owners) inside the jail; no password hashes belong there.

Edit the passwd file, vi /home/ftp/etc/passwd, and delete all entries except for the super-user root and your allowed FTP users. It is very important that the passwd file in the chroot environment has entries like:

root:x:0:0:root:/:/dev/null
ftpadmin:x:502:502::/ftpadmin/:/dev/null

(Notice two things here: first, the home directory of every user inside this modified passwd file now reflects the view from inside the chrooted FTP directory, i.e. the real /home/ftp/./ftpadmin/ becomes /ftpadmin/; and second, the login shell of every account, including root, has been changed to /dev/null.)

Edit the group file, vi /home/ftp/etc/group, and delete all entries except for the super-user root and all your allowed FTP users. The group file should correspond to your normal group file:

root:x:0:root
ftpadmin:x:502:

Now we must set the passwd and group files in the chroot jail directory immutable for better security:

[root@deep ] /# cd /home/ftp/etc/
[root@deep ] /# chattr +i passwd
[root@deep ] /# chattr +i group

Configure wu-ftpd to use PAM authentication by creating the /etc/pam.d/ftp file with the following lines:

#%PAM-1.0
auth     required /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth     required /lib/security/pam_pwdb.so shadow nullok
auth     required /lib/security/pam_shells.so
account  required /lib/security/pam_pwdb.so
session  required /lib/security/pam_pwdb.so

The pam_listfile line is what makes /etc/ftpusers effective: a user listed there is denied before a password is even asked for. Note that onerr=succeed means a missing or unreadable /etc/ftpusers silently disables that check; onerr=fail is the safer choice. pam_shells refuses accounts whose shell is not in /etc/shells. Two more caveats for a current system: pam_pwdb is obsolete and should be replaced by pam_unix.so, and nullok lets accounts with an empty password log in, which you do not want on an FTP server, so drop it.
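The jail-building steps above are mechanical and easy to get subtly wrong (a library path changes, a permission is applied before the copy). The script below is an added example written for this page, not wu-ftpd's or the original author's code: it parses ldd output to find the libraries a binary needs, copies the binary and libraries under the jail at their original paths, creates dev/null, and rewrites passwd entries the way the page describes (home after the "/./" marker, shell /dev/null). The jail path, the ldd sample and the passwd line below are constructed; install_binary() and write_jail_passwd() need root, while the parsing functions run anywhere.

```python
# Added example: build the chroot jail described above.  Not wu-ftpd code; the
# sample ldd output and passwd line are constructed, and installing needs root.
import os
import re
import shutil
import stat
import subprocess

# Matches both "libc.so.6 => /lib/libc.so.6 (0x...)" and the bare loader line
# "/lib/ld-linux.so.2 (0x...)".  The vdso has no file on disk and never matches.
LDD_LINE = re.compile(r"^\s*(?:\S+\s+=>\s+)?(/\S+)\s+\(0x[0-9a-fA-F]+\)")

# Constructed ldd output for a modern 64-bit ls (paths differ from the page's 32-bit example).
SAMPLE_LDD = (
    "        linux-vdso.so.1 (0x00007ffd1f3f6000)\n"
    "        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2c3a800000)\n"
    "        /lib64/ld-linux-x86-64.so.2 (0x00007f2c3ab00000)\n"
)


def libs_from_ldd(text):
    """Absolute paths of every shared object named in ldd(1) output."""
    libs = []
    for line in text.splitlines():
        if "not found" in line:
            raise RuntimeError("unresolved dependency: " + line.strip())
        match = LDD_LINE.match(line)
        if match:
            libs.append(match.group(1))
    return libs


def jail_passwd_entry(line):
    """Rewrite one /etc/passwd line for the copy inside the jail: the home becomes what
    follows the '/./' marker (the user's view after chroot) and the shell /dev/null."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError("not a passwd line: %r" % line)
    home = fields[5]
    if "/./" in home:
        home = "/" + home.split("/./", 1)[1]
    fields[5] = home or "/"
    fields[6] = "/dev/null"
    return ":".join(fields)


def install_binary(binary, jail):
    """Copy binary and its libraries into jail and create dev/null.  Directories are
    locked down to 0511 last, so the copies also work when not running as root."""
    ldd_out = subprocess.run(["ldd", binary], capture_output=True, text=True, check=True).stdout
    for sub in ("bin", "lib", "etc", "dev"):
        os.makedirs(os.path.join(jail, sub), exist_ok=True)
    target = os.path.join(jail, "bin", os.path.basename(binary))
    shutil.copy2(binary, target)
    os.chmod(target, 0o111)                      # execute-only: users can neither read nor modify it
    for lib in libs_from_ldd(ldd_out):
        dest = jail + lib                        # keep the original path below the jail
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        shutil.copy2(lib, dest)
    null = os.path.join(jail, "dev", "null")
    if not os.path.exists(null):
        os.mknod(null, 0o666 | stat.S_IFCHR, os.makedev(1, 3))
    os.chmod(null, 0o666)
    for sub in ("bin", "lib", "etc", "dev"):
        os.chmod(os.path.join(jail, sub), 0o511)


def write_jail_passwd(jail, users=("root", "ftp")):
    """Write etc/passwd inside the jail with only the listed users, rewritten as above."""
    with open("/etc/passwd") as src:
        wanted = [l for l in src if l.split(":", 1)[0] in users]
    with open(os.path.join(jail, "etc", "passwd"), "w") as dst:
        dst.write("".join(jail_passwd_entry(l) + "\n" for l in wanted))


if __name__ == "__main__":
    print(libs_from_ldd(SAMPLE_LDD))
    print(jail_passwd_entry("ftpadmin:x:502:502::/home/ftp/./ftpadmin/:/bin/bash"))
```

After install_binary("/bin/ls", "/home/ftp") and write_jail_passwd("/home/ftp", ("root", "ftp", "ftpadmin")), finish with chattr +i on the jail's etc/passwd and etc/group as the page shows; the script deliberately leaves that step manual so a re-run does not fail on an immutable file.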

Anonymous Upload

If you want to allow anonymous users to upload, it is recommended you create a write-only directory within /var/ftp/pub/. To do this type:

mkdir /var/ftp/pub/upload

Next change the ownership and permissions so that anonymous users (who run as group ftp) can write into the directory but cannot list what is in it: write plus search permission for the group, and nothing at all for others:

chgrp ftp /var/ftp/pub/upload
chmod 730 /var/ftp/pub/upload

A long format listing of the directory should look like this:

drwx-wx---    2 root     ftp          4096 Aug 20 18:26 upload

(Mode 744, sometimes seen in older instructions, is the opposite of a drop box: group and others could list the uploads but not write at all.)


Detailed Objective

Weight: 2

Description: Candidates should be able to configure an SSH daemon. This objective includes managing keys and configuring SSH for users. Candidates should also be able to forward an application protocol over SSH and manage the SSH login.

Key knowledge area(s):
• SSH (OpenSSH) configuration files, tools and utilities
• Differences between SSH versions 1 and 2
• Login restrictions for the superuser and the normal users
• Managing and using server and client keys to login with and without password
• Usage of XWindow and other application protocols through SSH tunnels
• Configuration of ssh-agent
• Usage of multiple connections from multiple hosts to guard against loss of connection to remote host following configuration changes

The following is a partial list of the used files, terms and utilities:
• ssh
• sshd
• /etc/ssh/sshd_config
• ~/.ssh/identity.pub and identity
• ~/.ssh/authorized_keys
• .shosts
• .rhosts

Secure Shell (OpenSSH)

Overview

Description: The candidate should be able to configure sshd to allow or deny root logins, enable or disable X forwarding. This objective includes generating server keys, generating a user's public/private key pair, adding a public key to a user's authorized_keys file, and configuring ssh-agent for all users. Candidates should also be able to configure port forwarding to tunnel an application protocol over ssh, configure ssh to support the ssh protocol versions 1 and 2, disable non-root logins during system maintenance, configure trusted clients for ssh logins without a password, and make multiple connections from multiple hosts to guard against loss of connection to remote host following configuration changes.

Key files, terms, and utilities include: ssh, sshd; /etc/ssh/sshd_config; ~/.ssh/identity.pub, ~/.ssh/identity; ~/.ssh/authorized_keys; .shosts, .rhosts


OpenSSH

OpenSSH is a free, open source implementation of the SSH (Secure SHell) protocols. It replaces telnet, ftp, rlogin, rsh, and rcp with secure, encrypted network connectivity tools. OpenSSH supports versions 1.3, 1.5, and 2.0 of the SSH protocol. (Protocol 1 has known cryptographic weaknesses; it has been disabled by default since OpenSSH 7.0 and removed entirely in 7.6, so on a current system only protocol 2 is available.)

If you use OpenSSH tools, you are enhancing the security of your machine. All communications using OpenSSH tools, including passwords, are encrypted. Telnet and ftp use plaintext passwords and send all information unencrypted. The information can be intercepted, the passwords can be retrieved, and then your system can be compromised by an unauthorized person logging in to your system using one of the intercepted passwords. The OpenSSH set of utilities should be used whenever possible to avoid these security problems.

Another reason to use OpenSSH is that, when X11 forwarding is enabled, it sets the DISPLAY variable on the remote side so that X traffic is tunnelled back to the client machine. In other words, if you are running the X Window System on your local machine and you log in to a remote machine using the ssh command, a program that you execute on the remote machine that requires X will be displayed on your local machine. This is convenient if you prefer graphical system administration tools but do not always have physical access to your server.

The ssh command is a secure replacement for the rlogin, rsh, and telnet commands. It allows you to log in to and execute commands on a remote machine. Logging in to a remote machine with ssh is similar to using telnet. To log in to a remote machine named penguin.example.net, type the following command at a shell prompt:

ssh penguin.example.net

The first time you ssh to a remote machine, you will see a message similar to the following:

The authenticity of host 'penguin.example.net' can't be established.
DSA key fingerprint is 94:68:3a:3a:bc:f3:9a:9b:01:5d:b3:07:38:e2:11:0c.
Are you sure you want to continue connecting (yes/no)?

Type yes to continue, but only after checking the fingerprint against one obtained out of band (for example from ssh-keygen -l -f /etc/ssh/ssh_host_dsa_key.pub run on the server's console): accepting an unverified fingerprint is exactly what a man-in-the-middle attack relies on. This will add the server to your list of known hosts, as seen in the following message:

Warning: Permanently added 'penguin.example.net' (DSA) to the list of known hosts.

Next, you'll see a prompt asking for your password for the remote machine. After entering your password, you will be at a shell prompt for the remote machine.

If you use ssh without any command line options, the username that you are logged in as on the local client machine is passed to the remote machine. If you want to specify a different username, use the following command:

ssh -l username penguin.example.net

You can also use the syntax ssh username@penguin.example.net.

The ssh command can be used to execute a command on the remote machine without logging in to a shell prompt. The syntax is ssh hostname command. For example, if you want to execute the command ls /usr/share/doc on the remote machine penguin.example.net, type the following command at a shell prompt:

ssh penguin.example.net ls /usr/share/doc

After you enter the correct password, the contents of /usr/share/doc will be displayed, and you will return to your shell prompt.

The scp command can be used to transfer files between machines over a secure, encrypted connection. It is similar to rcp. The general syntax to transfer a local file to a remote system is scp localfile user@hostname:/newfilename. The localfile specifies the source, and user@hostname:/newfilename specifies the destination. To transfer the local file shadowman to your account on penguin.example.net, type the following at a shell prompt (replace user with your username):


scp shadowman user@penguin.example.net:/home/user

This will transfer the local file shadowman to /home/user/shadowman on penguin.example.net.

The general syntax to transfer a remote file to the local system is scp user@hostname:/remotefile /newlocalfile. The remotefile specifies the source, and newlocalfile specifies the destination. Multiple files can be specified as the source files. For example, to transfer the contents of the directory /downloads to an existing directory called uploads on the remote machine penguin.example.net, type the following at a shell prompt:

scp /downloads/* user@penguin.example.net:/uploads/

The sftp utility can be used to open a secure, interactive FTP-like session. It is similar to ftp except that it uses a secure, encrypted connection. The general syntax is sftp user@hostname. Once authenticated, you can use a set of commands similar to those of FTP. Refer to the sftp manual page for a list of these commands (man sftp). The sftp utility is only available in OpenSSH version 2.5.0p1 and higher.

Generating Key Pairs

If you do not want to enter your password every time you ssh, scp, or sftp to a remote machine, you can generate an authorization key pair.

Note: Separate Authorization Key Pairs. You must have separate authorization key pairs for SSH Protocol 1 (RSA) and SSH Protocol 2 (DSA or RSA). On a current OpenSSH, protocol 1 is gone and DSA (ssh-dss) keys are refused by default since version 7.0; generate ed25519 keys (ssh-keygen -t ed25519) or RSA keys of at least 2048 bits instead.

Warning: Each User Needs Their Own Key Pair! Keys must be generated for each user. To generate keys for a user, follow the following steps as the user who wants to connect to remote machines. If you complete the following steps as root, only root will be able to use the keys.

Use the following steps to generate a DSA key pair. DSA is used by SSH Protocol 2 and was the default for Red Hat at the time this was written.

1. To generate a DSA key pair to work with version 2.0 of the protocol, type the following command at a shell prompt:

ssh-keygen -t dsa

Accept the default file location of ~/.ssh/id_dsa. Enter a passphrase different from your account password and confirm it by entering it again. (A passphrase is a string of words and characters used to authenticate a user. Passphrases differ from passwords in that you can use spaces or tabs in the passphrase. Passphrases are generally longer than passwords because they are usually phrases instead of just a word.)

2. Change the permissions of your .ssh directory using the command chmod 755 ~/.ssh. (sshd's StrictModes setting refuses keys in a directory that is group- or world-writable; 700 is the more usual and more private choice. The private key itself must stay mode 600, which ssh-keygen sets.)

3. Append the contents of ~/.ssh/id_dsa.pub to ~/.ssh/authorized_keys on the machine to which you want to connect. (Older releases used a separate ~/.ssh/authorized_keys2 for protocol 2 keys; current sshd still reads both, but authorized_keys is the file to use.) If the file doesn't exist, you can copy ~/.ssh/id_dsa.pub to ~/.ssh/authorized_keys on the other machine. The ssh-copy-id command does exactly this, including the permission fix-ups.

Use the following steps to generate an RSA key pair for version 2.0 of the SSH protocol.

1. To generate an RSA key pair to work with version 2.0 of the protocol, type the following command at a shell prompt:

ssh-keygen -t rsa

Accept the default file location of ~/.ssh/id_rsa. Enter a passphrase different from your account password and confirm it by entering it again. [1]

2. Change the permissions of your .ssh directory using the command chmod 755 ~/.ssh (or, preferably, 700; see above).

3. Append the contents of ~/.ssh/id_rsa.pub to ~/.ssh/authorized_keys on the machine to which you want to connect (authorized_keys2 in older instructions). If the file doesn't exist, you can copy the file ~/.ssh/id_rsa.pub to ~/.ssh/authorized_keys on the other machine.

Use the following steps to generate an RSA key pair for version 1 of the SSH protocol. (This is of historical interest only: protocol 1 has been removed from OpenSSH. In releases of that era plain ssh-keygen produced a protocol 1 key; later releases needed -t rsa1, and current ones have no protocol 1 support at all.)

1. To generate an RSA (for version 1.3 and 1.5 protocol) key pair, type the following command at a shell prompt:

ssh-keygen

Accept the default file location (~/.ssh/identity). Enter a passphrase different from your account password. Confirm the passphrase by entering it again.

2. Change the permissions of your .ssh directory and your keys with the commands chmod 755 ~/.ssh and chmod 644 ~/.ssh/identity.pub.

3. Copy the contents of ~/.ssh/identity.pub to the file ~/.ssh/authorized_keys on the machine to which you wish to connect. If the file ~/.ssh/authorized_keys doesn't exist, you can copy the file ~/.ssh/identity.pub to the file ~/.ssh/authorized_keys on the remote machine.

X Forwarding

You can forward the X11 port through SSH to enable encrypted X11 connections. There is no need to export a DISPLAY variable or to call the xhost utility. On the server side you must check the file /etc/ssh/sshd_config to be sure that the X11Forwarding option is set to yes. On the client side, use the -X option:

ssh -X user@remotehost

When the remote host prompt appears, start an X11 application:

xterm &

An xterm window from the remote host will open on your local desktop. Note that forwarding lets the remote side talk to your local X server, so only enable it towards hosts you trust.
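The permission and key-type advice in the key generation steps is exactly what sshd checks (StrictModes) or refuses (DSA) at login time, and a silently refused key is a common cause of the "still asked for a password" puzzle. The script below is an added example written for this page, not OpenSSH code: it audits an authorized_keys file for key types a current sshd rejects and for RSA keys below a size threshold, and checks the directory modes the way StrictModes does. The 2048-bit RSA minimum is a policy assumption, and the sample file is built from synthetic, unusable key material; the ssh-rsa blob layout it parses is the standard public key encoding.

```python
# Added example: audit ~/.ssh and authorized_keys the way sshd does at login.
# Written for this page (not OpenSSH code); the sample keys are constructed and unusable.
import base64
import os
import stat
import struct

KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
WEAK_TYPES = {"ssh-dss"}          # DSA is disabled by default since OpenSSH 7.0
MIN_RSA_BITS = 2048               # policy assumption

def _string(b):                   # SSH wire-format string: 4-byte length + bytes
    return struct.pack(">I", len(b)) + b

def _mpint(n):                    # SSH mpint: big-endian, leading zero byte if the top bit is set
    return _string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def rsa_blob(e, n):
    """Public key blob of an ssh-rsa key (the base64 part of an authorized_keys line)."""
    return _string(b"ssh-rsa") + _mpint(e) + _mpint(n)

def _strings(blob):
    while blob:
        (length,) = struct.unpack(">I", blob[:4])
        yield blob[4:4 + length]
        blob = blob[4 + length:]

def rsa_bits(b64key):
    """Modulus size in bits of a base64-encoded ssh-rsa blob."""
    _, _, modulus = list(_strings(base64.b64decode(b64key)))[:3]
    modulus = modulus.lstrip(b"\x00")
    return (len(modulus) - 1) * 8 + modulus[0].bit_length()

def split_options(line):
    """Cut off the leading options field at the first space outside double quotes."""
    quoted = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            quoted = not quoted
        elif ch.isspace() and not quoted:
            return line[:i], line[i + 1:].lstrip()
    return line, ""

def parse_authorized_key(line):
    """Return (options, keytype, base64, comment), or None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = ""
    if line.split(None, 1)[0] not in KEY_TYPES:   # line starts with options such as from="..."
        options, line = split_options(line)
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("malformed authorized_keys line: %r" % line)
    return options, parts[0], parts[1], (parts[2] if len(parts) > 2 else "")

def audit_authorized_keys(text, require_from=False):
    """(line number, problem) pairs; require_from also flags keys lacking a from= restriction."""
    problems = []
    for num, line in enumerate(text.splitlines(), 1):
        rec = parse_authorized_key(line)
        if rec is None:
            continue
        options, keytype, b64key, _ = rec
        if keytype in WEAK_TYPES:
            problems.append((num, "weak key type " + keytype))
        elif keytype == "ssh-rsa":
            try:
                bits = rsa_bits(b64key)
            except Exception:
                problems.append((num, "undecodable key"))
            else:
                if bits < MIN_RSA_BITS:
                    problems.append((num, "RSA key only %d bits" % bits))
        if require_from and "from=" not in options:
            problems.append((num, "no from= host restriction"))
    return problems

def check_ssh_dir(home):
    """What StrictModes checks: home, ~/.ssh and authorized_keys must exist and must not be
    group- or world-writable (chmod 700 ~/.ssh is the safe choice, 755 the minimum)."""
    problems = []
    for rel in ("", ".ssh", os.path.join(".ssh", "authorized_keys")):
        path = os.path.join(home, rel)
        if not os.path.exists(path):
            problems.append(path + ": missing")
        elif os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(path + ": group/world writable")
    return problems

def b64(blob):
    return base64.b64encode(blob).decode()

SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample: none of these are real keys",
    "ssh-ed25519 " + b64(_string(b"ssh-ed25519") + _string(b"\x01" * 32)) + " ok@example",
    'from="10.0.0.0/24",no-pty ssh-rsa ' + b64(rsa_blob(65537, (1 << 2047) | 1)) + " restricted@example",
    "ssh-rsa " + b64(rsa_blob(65537, (1 << 1022) | 1)) + " small@example",
    "ssh-dss " + b64(_string(b"ssh-dss") + _string(b"\x00" * 20)) + " legacy@example",
])

if __name__ == "__main__":
    for num, problem in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print("line %d: %s" % (num, problem))   # lines 4 and 5 are flagged
    for problem in check_ssh_dir(os.path.expanduser("~")):
        print(problem)
```

Run it against a real account with audit_authorized_keys(open(path).read(), require_from=True) to list every key that can log in from anywhere; the from= option is the cheapest way to limit a key to the hosts it is meant for.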

Detailed Objective

Weight: 1

Description: Candidates should be able to configure tcpwrappers to allow connections to specified servers only from certain hosts or subnets.

Key knowledge area(s):
• tcpwrappers configuration files, tools and utilities
• (x)inetd configuration files, tools and utilities

The following is a partial list of the used files, terms and utilities:
• /etc/xinetd.conf
• /etc/xinetd.d/*
• /etc/inetd.conf
• tcpd
• /etc/hosts.allow
• /etc/hosts.deny


TCP_wrappers Overview

Description: The candidate should be able to configure tcpwrappers to allow connections to specified servers from only certain hosts or subnets.

Key files, terms, and utilities include: inetd.conf, tcpd, hosts.allow, hosts.deny, xinetd

TCP_wrappers

The TCP wrapper is a system to control access to network services. For each service protected by TCP wrappers, the tcpd program is used; it consults two files where access rights are defined, in search order:

/etc/hosts.deny: if a rule here is met, access is denied
/etc/hosts.allow: if a rule here is met, access is allowed

Rules are constructed to match all services or specific services. If no match occurs in the two files, access is granted. It is common to set specific rules in /etc/hosts.allow and provide a blanket denial in /etc/hosts.deny (i.e. deny everything except when specifically allowed).

The rule format is:

[list of services] : [list of hosts]

e.g. to deny all incoming requests except FTP from the local domain:

/etc/hosts.allow :
ftp : LOCAL

/etc/hosts.deny :
ALL : ALL
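To see how a (service, client) pair is actually decided, here is an added example, not from the wikibook, that implements the decision procedure documented in hosts_access(5) over rule text supplied inline: /etc/hosts.allow is consulted first, then /etc/hosts.deny, and a pair that matches neither is granted access. That order matters for the rules above: FTP from the local domain is admitted only because the ftp : LOCAL entry in hosts.allow is checked before the blanket ALL : ALL in hosts.deny. The patterns implemented (ALL, LOCAL, a leading-dot domain suffix, a trailing-dot network prefix, net/mask and the EXCEPT operator) are a subset of the man page's; backslash line continuations and the KNOWN/UNKNOWN/PARANOID wildcards are left out, and the daemon names and client hosts in the sample are constructed.

```python
import ipaddress


def _split_members(text):
    """List members are separated by blanks and/or commas; 'EXCEPT' splits off exclusions."""
    tokens = text.replace(",", " ").split()
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return tokens[:i], tokens[i + 1:]
    return tokens, []


def _client_matches(pattern, client):
    """Client patterns from hosts_access(5) that this example supports."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                    # any host whose name contains no dot
        return "." not in client
    if pattern.startswith("."):               # domain suffix, e.g. .example.com
        return client.lower().endswith(pattern.lower())
    if pattern.endswith("."):                 # network prefix, e.g. 192.168.
        return client.startswith(pattern)
    if "/" in pattern:                        # net/mask, e.g. 10.0.0.0/255.255.255.0
        try:
            return ipaddress.ip_address(client) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:                    # client is a host name, or the mask is malformed
            return False
    return client.lower() == pattern.lower()  # literal host name or address


def _daemon_matches(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def _list_matches(text, value, matcher):
    members, exceptions = _split_members(text)
    if not any(matcher(p, value) for p in members):
        return False
    return not any(matcher(p, value) for p in exceptions)


def parse_rules(text):
    """Parse 'daemon_list : client_list [: option]' lines; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        rules.append((fields[0], fields[1]))
    return rules


def _any_rule_matches(rules, daemon, client):
    return any(_list_matches(d, daemon, _daemon_matches) and _list_matches(c, client, _client_matches)
               for d, c in rules)


def decide(daemon, client, allow_text, deny_text):
    """Return (granted, reason) per hosts_access(5): allow file first, then deny file, then default allow."""
    if _any_rule_matches(parse_rules(allow_text), daemon, client):
        return True, "matched /etc/hosts.allow"
    if _any_rule_matches(parse_rules(deny_text), daemon, client):
        return False, "matched /etc/hosts.deny"
    return True, "no rule matched (default is to grant access)"


# The rules from the text: deny everything except FTP from the local domain.
HOSTS_ALLOW = "ftp : LOCAL\n"
HOSTS_DENY = "ALL : ALL\n"

if __name__ == "__main__":
    for daemon, client in (("ftp", "workstation"), ("ftp", "host.example.com"), ("sshd", "workstation")):
        print(daemon, client, decide(daemon, client, HOSTS_ALLOW, HOSTS_DENY))
```

The reason string names the file that decided, which is the first thing to look at when a legitimate client is unexpectedly refused: a too-broad entry in hosts.deny is harmless only if the intended clients are covered by hosts.allow.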

Detailed Objective

Weight: 3

Description: Candidates should be able to install and configure a secure authentication system, perform basic security auditing of source code, receive security alerts from various sources, audit servers for open email relays and anonymous FTP servers, install, configure and run intrusion detection systems, and apply security patches and bugfixes.

• Key knowledge area(s):
  • Basic KERBEROS 5 configuration files, tools and utilities to ensure secure logins to a server
  • Tools and utilities to scan and test ports on a server
  • Locations and organisations that report security alerts such as Bugtraq, CERT, CIAC or other sources
  • Tools and utilities to implement an intrusion detection system (IDS)
• The following is a partial list of the used files, terms and utilities:
  • Tripwire
  • telnet
  • nmap
  • snort
  • nessus
  • PortSentry

Security tasks Overview

Description: The candidate should be able to install and configure Kerberos and perform basic security auditing of source code. This objective includes arranging to receive security alerts from Bugtraq, CERT, CIAC or other sources, being able to test for open mail relays and anonymous FTP servers, and installing and configuring an intrusion detection system such as snort or Tripwire. Candidates should also be able to update the IDS configuration as new vulnerabilities are discovered and apply security patches and bugfixes.

Key files, terms, and utilities include: Tripwire, nessus, netsaint, snort, telnet, nmap

Kerberos

Reference: Red Hat Enterprise Linux 4: Reference Guide - Chapter 19. Kerberos (http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/ref-guide/ch-kerberos.html)

1. Installing Server
2. Installing Client
3. Basic Configuration (e.g. krb5.conf ..)

Security tasks

• Use a telnet client to test/debug your servers. This implies you know a little about the protocol used: read the corresponding RFCs.
• Check security mailing lists such as Bugtraq, CERT, et al. regularly.
• Patch your systems ASAP!
• Run a security scanner on your system regularly.
  • Network security scanners: Nessus and Netsaint are widely used, highly regarded and open-source.
  • Bastille Linux is a great host-based security scanner.
• Use some Intrusion Detection Systems (IDS), both network- and host-based:
  • Tripwire
  • Snort
• Don't forget: security is a never-ending process, not a state or a product!


Network Troubleshooting

Detailed Objective

Weight: 1

Description: Candidates should be able to identify and correct common network setup issues, to include knowledge of locations for basic configuration files and commands.

• Key knowledge area(s):
  • Location and content of access restriction files such as /etc/hosts
  • Utilities to configure and manipulate ethernet network interfaces
  • Utilities to manage routing tables
  • Utilities to list network states
  • Utilities to gain information about the network configuration
  • Methods of information about the recognised and used hardware devices
  • System initialisation files and their contents (SysV init process)
• The following is a partial list of the used files, terms and utilities:
  • /sbin/ifconfig
  • /sbin/route
  • /bin/netstat
  • /etc/network || /etc/sysconfig/network-scripts/
  • System log files such as /var/log/syslog && /var/log/messages
  • /bin/ping
  • /etc/resolv.conf
  • /etc/hosts
  • /etc/hosts.allow && /etc/hosts.deny
  • /etc/hostname || /etc/HOSTNAME
  • /sbin/hostname
  • /usr/sbin/traceroute
  • /usr/bin/nslookup
  • /usr/bin/dig
  • /bin/dmesg
  • /usr/bin/host

LPI101 Exercises

• Configure Fundamental BIOS Settings

Exercise Results

1. To show the amount of physical RAM available: use free or cat /proc/meminfo | grep MemTotal
2. Which are the devices that are sharing an interrupt line? cat /proc/interrupts | more
3. How many PCI buses and bridges are there? lspci | wc -l
4. Are there any PCI/ISA bridges? lspci | grep 'PCI\|ISA'
5. What is the option with lspci to list all the Intel PCI devices? lspci -d 8086:*
6. What is the command to set your IDE hard drive in read-only mode? hdparm -r1
7. What is the command to turn on/off the disk cache of a hard drive? hdparm -W1 / hdparm -W0
8. What does the setpci utility do? setpci is a utility for querying and configuring PCI devices.
9. What would be the command to write a word in register N of a PCI device? setpci -s 12:3.4 N.W=1


Article Sources and Contributors

LPI Linux Certification/Print Version
Source: http://en.wikibooks.org/w/index.php?oldid=2025268
Contributors: Adrignola, Barry Sharpe, Blancandrin, Xania, 1 anonymous edits

License

Creative Commons Attribution-Share Alike 3.0 Unported
http://creativecommons.org/licenses/by-sa/3.0/
