Red Hat Linux 7.
Red Hat Linux 7.3: The Official Red Hat Linux Reference Guide. Copyright © 2002 by Red Hat, Inc. Red Hat, Inc., 1801 Varsity Drive, Raleigh NC 27606-2072 USA. Phone: +1 919 754 3700. Phone: 888 733 4281. Fax: +1 919 754 3701. PO Box 13588, Research Triangle Park NC 27709 USA. rhl-rg(EN)-7.3-HTML-RHI (2002-07-11T16:05-0400). This material may be distributed only subject to the terms and conditions set forth in the Open Publication License, V1.
Table of Contents
Introduction (vii)
1. Finding Appropriate Documentation (vii)
1.1. Documentation For First-Time Linux Users (viii)
1.2. For the More Experienced
7.6. Additional Resources (109)
II. Security Reference (111)
8. Pluggable Authentication Modules (PAM) (113)
8.1. Advantages of PAM (113)
8.2.
III. Network Services Reference (159)
13. Network Scripts (161)
13.1. Interface Configuration Files (161)
13.2. Interface Control Scripts (164)
13.3.
IV. Appendixes (259)
A. General Parameters and Modules (261)
A.1. Specifying Module Parameters (261)
A.2. CD-ROM Module Parameters (262)
A.3.
Introduction Welcome to the Official Red Hat Linux Reference Guide. The Official Red Hat Linux Reference Guide contains useful information about your Red Hat Linux system. From fundamental concepts, such as the structure of the Red Hat Linux filesystem, to the finer points of system security and authentication control, we hope you will find this book to be a valuable resource. This guide is for you if you want to learn a bit more about how your Red Hat Linux system works.
New to Linux: This type of user has never used any Linux (or Linux-like) operating system before or has had only limited exposure to Linux. They may or may not have experience using other operating systems (such as Windows). Is this you? If so, skip ahead to Section 1.1. Some Linux Experience: This type of user has installed and successfully used Linux (but not Red Hat Linux) before or may have equivalent experience with other Linux-like operating systems.
Beyond reading Red Hat Linux manuals, several other excellent documentation resources are available for little or no cost: 1.1.1. Introduction to Linux Websites • http://www.redhat.com — On the Red Hat website, you will find links to the Linux Documentation Project (LDP), online versions of the Red Hat Linux manuals, FAQs (Frequently Asked Questions), a database which can help you find a Linux Users Group near you, technical information in the Red Hat Support Knowledge Base, and more.
downloaded and built software you found on the Internet. After installing Linux, however, configuration issues can be very confusing. The Official Red Hat Linux Customization Guide is designed to help explain the various ways your Red Hat Linux system can be configured to meet specific objectives. Use this manual to learn about specific configuration options and how to put them into effect.
Use Netscape Navigator to browse the Web. [key] A key on the keyboard is shown in this style. For example: To use [Tab] completion, type in a character and then press the [Tab] key. Your terminal will display the list of files in the directory that start with that letter. [key]-[combination] A combination of keystrokes is represented in this way.
[stephen@maturin stephen]$ leopard login: user input Text that the user has to type, either on the command line, or into a text box on a GUI screen, is displayed in this style. In the following example, text is displayed in this style: To boot your system into the text based installation program, you will need to type in the text command at the boot: prompt. Additionally, we use several different strategies to draw your attention to certain pieces of information.
3. Using the Mouse Red Hat Linux is designed to use a three-button mouse. If you have a two-button mouse, you should have selected three-button emulation during the installation process. If you’re using three-button emulation, pressing both mouse buttons at the same time equates to pressing the missing third (middle) button. In this document, if you are instructed to click with the mouse on something, that means click the left mouse button.
• Official Red Hat support — Get help with your installation questions from Red Hat, Inc.’s support team. • Red Hat Network — Easily update your packages and receive security notices that are customized for your system. Go to http://rhn.redhat.com for more details. • Under the Brim: The Official Red Hat E-Newsletter — Every month, get the latest news and product information directly from Red Hat. To sign up, go to http://www.redhat.com/apps/activate/.
System Reference
Chapter 1. File System Structure 1.1. Why Share a Common Structure? An operating system’s file system structure is its most basic level of organization. Almost all of the ways an operating system interacts with its users, applications, and security model are dependent upon the way it stores its files on a primary storage device (normally a hard disk drive).
1.2.1. FHS Organization The directories and files noted here are a small subset of those specified by the FHS document. Check the latest FHS document for the most complete information. 1.2.1.1. The /dev Directory The /dev directory contains file system entries which represent devices that are attached to the system. These files are essential for the system to function properly. 1.2.1.2.
1.2.1.6. The /proc Directory The /proc directory contains special "files" that either extract information from or send information to the kernel. Due to the great variety of data available within /proc and the many ways this directory can be used to communicate with the kernel, an entire chapter has been devoted to the subject. For more information, please see Chapter 2. 1.2.1.7. The /sbin Directory The /sbin directory holds system administration executables that are used only by the root user.
that do not belong in /sbin), share contains files that are not architecture-specific, src is for source code, and X11R6 is for the X Window System (XFree86 on Red Hat Linux). 1.2.1.9. The /usr/local Directory The FHS says: "The /usr/local hierarchy is for use by the system administrator when installing software locally. It needs to be safe from being overwritten when the system software is updated.
+- spool
|  |- anacron
|  |- at
|  |- cron
|  |- fax
|  |- lpd
|  |- mail
|  |- mqueue
|  |- news
|  |- rwho
|  |- samba
|  |- slrnpull
|  |- squid
|  |- up2date
|  |- uucp
|  |- uucppublic
|  |- vbox
|  |- voice
|- tmp
|- tux
|- www
|- yp
System log files such as messages and lastlog go in /var/log. The /var/lib/rpm directory contains the RPM system databases. Lock files go in /var/lock, usually in directories particular to the program using the file.
Another location specific to Red Hat Linux is the /etc/sysconfig/ directory. This directory stores a variety of configuration information. Many scripts that run at boot time use the files in this directory. See Section 3.3 for more information on what is within this directory and the role these files play in the boot process. Finally, one more directory worth noting is the /initrd/ directory. It is empty, but is used as a critical mount point during the boot process.
Chapter 2. The /proc File System The Linux kernel’s primary functions are to control access to physical devices on the computer and to schedule when and how processes interact with these devices. The /proc directory contains a hierarchy of virtual directories and files which represent the current state of the kernel. Viewing files within /proc allows the user to peer into the kernel’s view of the system. In addition, the user can write to some of these virtual files to communicate configuration changes to the kernel. 2.1.
As you view different virtual files in /proc, you will notice that some of the information makes sense, while other files are not human readable. This is why utilities exist to pull data from virtual files in /proc and display it in a useful way. Some examples of such applications are apm, free, and top. Note: Some of the virtual files in /proc are only readable by the root user. 2.1.2.
The raw contents of /proc/apm look like this: 1.16 1.2 0x03 0x00 0x00 0x01 99% 1792 min In this state, the apm command yields readable information from this data: APM BIOS 1.2 (kernel driver 1.16) AC off-line, battery status high: 99% (1 day, 5:52) This demonstrates the connection between data located in raw /proc files and the utilities designed to use that information for specific purposes. 2.2.2. /proc/cmdline This file shows the parameters passed to the kernel at the time it is started.
occasionally compiled for particular architectures, this value tells you which package to install on the system. • model name — Gives you the popular name of the processor, including its project name. • cpu MHz — Shows the precise speed in megahertz of that particular processor (in thousandths). • cache size — Tells you the amount of level 2 memory cache available to the processor.
2.2.5. /proc/dma This file contains a list of the registered ISA direct memory access (DMA) channels in use. A sample /proc/dma file looks like this: 4: cascade 2.2.6. /proc/execdomains This file lists the execution domains currently supported by the Linux kernel, along with the range of personalities they support. 0-0 Linux [kernel] Think of execution domains as a kind of "personality" of a particular operating system.
2.2.9. /proc/interrupts This file records the number of interrupts per IRQ on the x86 architecture.
000f0000-000fffff : System ROM
00100000-07ffffff : System RAM
  00100000-00291ba8 : Kernel code
  00291ba9-002e09cb : Kernel data
e0000000-e3ffffff : VIA Technologies, Inc. VT82C597 [Apollo VP3]
e4000000-e7ffffff : PCI Bus #01
  e4000000-e4003fff : Matrox Graphics, Inc. MGA G200 AGP
  e5000000-e57fffff : Matrox Graphics, Inc. MGA G200 AGP
e8000000-e8ffffff : PCI Bus #01
  e8000000-e8ffffff : Matrox Graphics, Inc.
ea000000-ea00007f :
  ea000000-ea00007f :
ffff0000-ffffffff :
2.2.12. /proc/isapnp This file lists Plug and Play (PnP) cards in ISA slots on the system. This is most often seen with sound cards but may include any number of devices. A /proc/isapnp file with a Soundblaster entry in it looks similar to this: Card 1 ’CTL0070:Creative ViBRA16C PnP’ PnP version 1.0 Product version 1.
2.2.14. /proc/kmsg This file is used to hold messages generated by the kernel. These messages are then picked up by other programs, such as klogd. 2.2.15. /proc/ksyms This file holds the kernel exported symbol definitions used by the module tools to dynamically link and bind loadable modules.
2.2.18. /proc/mdstat This file contains the current information for multiple-disk, RAID configurations. If your system does not contain such a configuration, then your mdstat file will look similar to this: Personalities : read_ahead not set unused devices: none This file remains in the state above unless you create a software RAID or md device. In that case, you can use mdstat to give you a picture of what is currently happening with your mdX RAID devices.
• MemShared — Unused with 2.4 and higher kernels but left in for compatibility with earlier kernel versions. • Buffers — The amount of physical RAM, in kilobytes, used for file buffers. • Cached — The amount of physical RAM, in kilobytes, used as cache memory. • Active — The total amount of buffer or page cache memory, in kilobytes, that is in active use. • Inact_dirty
(autoclean) or if it is not being utilized (unused). Any module with a line containing names listed in brackets ([ or ]) is in use by the bracketed modules: they depend on this module being present in order to function. 2.2.22.
2.2.25. /proc/pci This file contains a full listing of every PCI device on your system. Depending on the number of PCI devices you have, /proc/pci can get rather long. An example from this file on a basic system looks similar to this: Bus 0, device 0, function 0: Host bridge: Intel Corporation 440BX/ZX - 82443BX/ZX Host bridge (rev 3). Master Capable. Latency=64. Prefetchable 32 bit memory at 0xe4000000 [0xe7ffffff].
2.2.26. /proc/slabinfo This file gives information about memory usage on the slab level. Linux kernels greater than 2.2 use slab pools to manage memory above the page level. Commonly used objects have their own slab pools.
2.2.29. /proc/uptime This file contains information about how long the system has been up since its last restart. The output of /proc/uptime is quite minimal: 350735.47 234388.90 The first number tells you the total number of seconds the system has been up. The second number tells you how much of that time, also in seconds, the machine has spent idle. 2.2.30.
cpu0 0 0
cpu1 11 3
• cwd — A symlink to the current working directory for the process. • environ — Gives the environment variables for the process as NAME=value entries separated by null bytes. Variable names are conventionally upper case; the values are whatever the process was started with. Because environments often carry credentials, this file is readable only by the owner of the process and by root. • exe — A symlink to the executable of this process. • fd — A directory containing all of the file descriptors for a particular process.
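The environ and cmdline files under /proc/PID/ share the same NUL-separated encoding, but differ in who may read them: environ is owner-and-root only, while cmdline is visible to every local user through ps. The following parser is an added example written for this page, not code from the Red Hat guide; the environment bytes, the argv bytes and the list of credential-like variable names are all constructed for the example.

```python
"""Added example (not from the Red Hat guide): parse the NUL-separated
/proc/<pid>/environ and /proc/<pid>/cmdline formats and flag entries that
look like leaked credentials.  The sample bytes below are constructed."""
import re

# Constructed sample of what /proc/<pid>/environ returns: NAME=value
# entries separated by NUL bytes (the file has no trailing newline).
SAMPLE_ENVIRON = (
    b"PATH=/usr/local/bin:/usr/bin:/bin\x00"
    b"HOME=/home/stephen\x00"
    b"DB_PASSWORD=hunter2\x00"
    b"TERM=xterm\x00"
    b"AWS_SECRET_ACCESS_KEY=example-not-real\x00"
)

# Constructed sample of /proc/<pid>/cmdline: argv entries, NUL-separated.
SAMPLE_CMDLINE = b"mysql\x00-u\x00root\x00--password=hunter2\x00"

# Names that conventionally carry credentials; this list is an assumption
# made for the example, not something the kernel or the guide defines.
SECRET_NAME_RE = re.compile(r"(PASS(WORD)?|SECRET|TOKEN|API_?KEY)", re.I)


def parse_environ(raw: bytes) -> dict:
    """Split raw environ bytes into a name->value dict.

    Entries are separated by NUL; a value may itself contain '=' so only
    the first '=' is split on.  Entries without '=' are kept with an empty
    value rather than dropped, mirroring what execve(2) accepts.
    """
    env = {}
    for entry in raw.split(b"\x00"):
        if not entry:
            continue
        name, _, value = entry.partition(b"=")
        env[name.decode("utf-8", "replace")] = value.decode("utf-8", "replace")
    return env


def parse_cmdline(raw: bytes) -> list:
    """Return argv as a list of strings (the trailing empty entry removed)."""
    return [a.decode("utf-8", "replace") for a in raw.split(b"\x00") if a]


def find_exposed_secrets(env: dict, argv: list) -> list:
    """Return (where, name) pairs for values that look like credentials.

    A hit in "cmdline" is the more serious one: a password passed as a
    command-line argument is readable by every local user via ps(1),
    whereas environ is limited to the process owner and root.
    """
    hits = []
    for name in env:
        if SECRET_NAME_RE.search(name):
            hits.append(("environ", name))
    for arg in argv[1:]:
        name, sep, _ = arg.lstrip("-").partition("=")
        if sep and SECRET_NAME_RE.search(name):
            hits.append(("cmdline", name))
    return hits


if __name__ == "__main__":
    env = parse_environ(SAMPLE_ENVIRON)
    argv = parse_cmdline(SAMPLE_CMDLINE)
    for where, name in find_exposed_secrets(env, argv):
        print(f"{where}: {name} looks like a credential")
```

To run it against a live process, replace the constructed bytes with the contents of /proc/PID/environ and /proc/PID/cmdline read in binary mode; the parsing does not change.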
T:  Bus=01 Lev=00 Prnt=00 Port=00 Cnt=00 Dev#=  1 Spd=12  MxCh= 2
B:  Alloc=  0/900 us ( 0%), #Int=  0, #Iso=  0
D:  Ver= 1.00 Cls=09(hub  ) Sub=00 Prot=00 MxPS=  8 #Cfgs=  1
P:  Vendor=0000 ProdID=0000 Rev= 0.00
S:  Product=USB UHCI Root Hub
S:  SerialNumber=d400
C:* #Ifs= 1 Cfg#= 1 Atr=40 MxPwr=  0mA
I:  If#= 0 Alt= 0 #EPs= 1 Cls=09(hub  ) Sub=00 Prot=00 Driver=hub
E:  Ad=81(I) Atr=03(Int.) MxPS=   8 Ivl=255ms
2.3.3.
------------- drive0 --------- drive1 -------- drive0 ---------- drive1 ------
DMA enabled:    yes             no              yes             no
UDMA enabled:   yes             no              no              no
UDMA enabled:   2               X               X               X
UDMA
DMA
PIO
Navigating into the directory for an IDE channel, such as ide0, provides additional information. The channel file provides the channel number, while the model file tells you the bus type for the channel (such as pci). 2.3.4.1. The Device Directory Within each IDE channel directory is a device directory.
nowerr        0           0      1     rw
number        0           0      3     rw
pio_mode      write-only  0      255   w
slow          0           0      1     rw
unmaskirq     0           0      1     rw
using_dma     1           0      1     rw
2.3.5. /proc/irq/ This directory is used to set IRQ to CPU affinity, which allows you to connect a particular IRQ to only one CPU. Alternatively, you can exclude a CPU from handling any IRQs. Each IRQ has its own directory, allowing for individual configuration of each IRQ.
• sockstat — Provides socket statistics. • tcp — Contains detailed TCP socket information. • tr_rif — The token ring RIF routing table. • udp — Contains detailed UDP socket information. • unix — Lists UNIX domain sockets currently in use. • wireless — Lists wireless interface data. 2.3.7. /proc/scsi/ This directory is analogous to the /proc/ide/ directory, only it is for connected SCSI devices.
A good way to determine if a particular file can be configured or is only designed to provide information is to list it (for example with ls -l). If the file is writable, you may use it to configure the kernel in a certain way.
Can close tray: 1
Can open tray: 1
Can lock tray: 1
Can change speed: 1
Can select disk: 0
Can read multisession: 1
Can read MCN: 1
Reports media changed: 1
Can play audio: 1
Can write CD-R: 0
Can write CD-RW: 0
Can read DVD: 0
Can write DVD-R: 0
Can write DVD-RAM: 0
This file can be quickly scanned to discover the qualities of an unknown CD-ROM, at least in the eyes of the kernel.
2.3.8.3. /proc/sys/kernel/ This directory contains a variety of different configuration files that directly affect the operation of the kernel. Some of the most important files include: • acct — Controls the suspension of process accounting based on the percentage of free space available on the file system containing the log.
• 1 — Kernel alert. Action must be taken immediately. • 2 — Condition of the kernel is considered critical. • 3 — General kernel error condition. • 4 — General kernel warning condition. • 5 — Kernel notice of a normal but significant condition. • 6 — Kernel informational message. • 7 — Kernel debug-level messages. Four values are found in the printk file: 6 4 1 7 In order, they are console_loglevel (only messages with a level number lower than this reach the console), default_message_loglevel (the level given to messages that specify none), minimum_console_loglevel (the lowest value console_loglevel may be set to), and default_console_loglevel (the value console_loglevel returns to by default). Each of these values defines a different rule for dealing with kernel messages.
• message_cost — Tenths of seconds required to write a new warning message. This is used to prevent Denial of Service (DoS) attacks in which an attacker floods the logs by provoking kernel warnings. The default setting is 50. • message_burst — Also used to prevent DoS attacks by placing a cost on every warning message. The higher the value of this file (default of 5), the more warning messages are allowed through in a burst before further ones are dropped.
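The two tunables above are easier to reason about as a token bucket, which is how the kernel implements them. The model below is an added example written for this page, not code from the Red Hat guide or the kernel itself; it mirrors the 2.4 net_ratelimit() algorithm (tokens accrue with time up to message_burst, each message spends message_cost) and also maps the four printk numbers to their names. The timings fed to the simulation are constructed.

```python
"""Added example (not from the Red Hat guide): a model of how the kernel
interprets /proc/sys/kernel/printk and of the token-bucket rate limiter
behind /proc/sys/net/core/message_cost and message_burst.  The bucket
logic follows the 2.4 net_ratelimit() algorithm; the timings fed to it
below are constructed."""

PRINTK_FIELDS = ("console_loglevel", "default_message_loglevel",
                 "minimum_console_loglevel", "default_console_loglevel")


def parse_printk(text: str) -> dict:
    """Map the four whitespace-separated numbers of /proc/sys/kernel/printk
    to their names, e.g. "6 4 1 7" -> {"console_loglevel": 6, ...}."""
    values = [int(v) for v in text.split()]
    if len(values) != 4:
        raise ValueError("printk must contain exactly four values")
    return dict(zip(PRINTK_FIELDS, values))


def reaches_console(level: int, printk: dict) -> bool:
    """A message is written to the console only when its level is
    numerically lower (more severe) than console_loglevel."""
    return level < printk["console_loglevel"]


class NetRateLimit:
    """Token bucket as in the 2.4 kernel's net_ratelimit().

    Tokens accrue one per unit of time up to `burst`; emitting a message
    spends `cost` tokens.  Time units are whatever the caller uses
    consistently (the kernel counts jiffies).
    """

    def __init__(self, cost: int, burst: int, now: int = 0):
        self.cost = cost
        self.burst = burst
        self.tokens = burst          # the kernel starts with a full bucket
        self.last = now
        self.missed = 0              # messages suppressed since last print

    def allow(self, now: int) -> bool:
        self.tokens = min(self.tokens + (now - self.last), self.burst)
        self.last = now
        if self.tokens >= self.cost:
            self.tokens -= self.cost
            self.missed = 0
            return True
        self.missed += 1
        return False


def simulate_flood(cost: int, burst: int, times: list) -> int:
    """Return how many of the messages attempted at `times` get through."""
    limiter = NetRateLimit(cost, burst, now=times[0] if times else 0)
    return sum(1 for t in times if limiter.allow(t))


if __name__ == "__main__":
    pk = parse_printk("6 4 1 7")
    print("KERN_WARNING (4) reaches console:", reaches_console(4, pk))
    print("KERN_INFO (6) reaches console:", reaches_console(6, pk))
    # 100 messages in the same instant with cost 5 and burst 50: 10 pass,
    # then one more for every further 5 time units.
    print("passed:", simulate_flood(5, 50, [0] * 100))
```

The simulation makes the direction of each knob concrete: raising message_burst lets a larger initial burst through, raising message_cost lengthens the steady-state interval between warnings once the bucket is empty.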
For a complete list of files and options available, see /usr/src/linux-2.4/Documentation/networking/ip-sysctl.txt. A number of other directories exist within the /proc/sys/net/ipv4/ directory that cover specific topics.
• max_map_count — Configures the maximum number of memory map areas a process may have. In most cases, the default value of 65536 is appropriate. • overcommit_memory — Contains a value that, when set to something other than the default of 0, allows the kernel to skip a standard check to see if there is enough memory before allocating it. • pagecache — Controls the amount of memory used by the page cache.
Registered line disciplines are stored in the ldiscs file, with detailed information available in the ldisc directory. 2.4. Using sysctl The sysctl command is used to view, set, and automate kernel settings in the /proc/sys/ directory. To get a quick overview of all settings configurable in the /proc/sys/ directory, type the sysctl -a command as root. This will create a large, comprehensive list, a small portion of which looks something like this: net.ipv4.route.
• /usr/src/linux-2.4/Documentation/sysctl — A directory containing a variety of sysctl tips, including modifying values that concern the kernel (kernel.txt), accessing file systems (fs.txt), and virtual memory use (vm.txt). • /usr/src/linux-2.4/Documentation/networking/ip-sysctl.txt — A look at various IP networking options. • /usr/src/linux-2.4 — Some of the most authoritative information on /proc can be found by reading the kernel source code.
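Settings made with sysctl -w or by writing to /proc/sys/ are lost at reboot; the persistent form is /etc/sysctl.conf, which sysctl -p reads. The checker below is an added example written for this page, not code from the Red Hat guide or from the sysctl package: it parses that key = value format, shows the mapping between dotted keys and /proc/sys/ paths, and compares a few IPv4 keys from ip-sysctl.txt against hardened values. The sample file content and the expected-value baseline are constructed for the example.

```python
"""Added example (not from the Red Hat guide): a checker for the
/etc/sysctl.conf format that sysctl -p reads, mapping each key to the
/proc/sys path it sets and flagging a few IPv4 settings that weaken a
host when left at permissive values.  The sample file content and the
baseline of expected values are constructed for this example."""

# Expected hardened values: an assumption for this example, chosen from
# the ip-sysctl.txt options, not a baseline the guide itself prescribes.
BASELINE = {
    "net.ipv4.ip_forward": "0",                    # host, not a router
    "net.ipv4.conf.all.accept_source_route": "0",  # drop source-routed packets
    "net.ipv4.conf.all.rp_filter": "1",            # reverse-path spoof check
    "net.ipv4.icmp_echo_ignore_broadcasts": "1",   # no smurf amplification
    "net.ipv4.tcp_syncookies": "1",                # SYN flood resistance
}

# Constructed sample; both a.b.c and a/b/c spellings are accepted by sysctl.
SAMPLE_SYSCTL_CONF = """\
# Kernel sysctl configuration file (constructed sample)
net.ipv4.ip_forward = 1
net/ipv4/conf/all/rp_filter = 1
net.ipv4.tcp_syncookies=1
kernel.sysrq = 0
"""


def key_to_proc_path(key: str) -> str:
    """sysctl names a.b.c and a/b/c both refer to /proc/sys/a/b/c."""
    return "/proc/sys/" + key.replace(".", "/")


def proc_path_to_key(path: str) -> str:
    if not path.startswith("/proc/sys/"):
        raise ValueError("not a /proc/sys path")
    return path[len("/proc/sys/"):].replace("/", ".")


def parse_sysctl_conf(text: str) -> dict:
    """Return {dotted key: value}. Blank lines and lines starting with
    '#' or ';' are comments; the first '=' separates key and value."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if "=" not in line:
            raise ValueError(f"malformed line: {line!r}")
        key, _, value = line.partition("=")
        settings[key.strip().replace("/", ".")] = value.strip()
    return settings


def audit(settings: dict, baseline: dict = BASELINE) -> list:
    """List (key, found, expected) for baseline keys that are wrong or
    unset.  An unset key is reported too, because the kernel default
    then applies and that default is not necessarily the hardened value."""
    findings = []
    for key, expected in baseline.items():
        found = settings.get(key)
        if found != expected:
            findings.append((key, found, expected))
    return findings


if __name__ == "__main__":
    for key, found, expected in audit(parse_sysctl_conf(SAMPLE_SYSCTL_CONF)):
        print(f"{key_to_proc_path(key)}: found {found!r}, expected {expected!r}")
```

Run it on the real file with parse_sysctl_conf(open("/etc/sysctl.conf").read()); the findings name the exact /proc/sys/ path to inspect, which is also what sysctl -w would write to.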
Chapter 3. Boot Process, Init, and Shutdown This chapter contains information on what happens when you boot or shut down your Red Hat Linux system. Note This chapter focuses on LILO, the default boot loader for Red Hat Linux 7.1 and earlier versions. However, Red Hat Linux 7.3 contains an additional boot loader, GRUB, which is discussed thoroughly in Chapter 4. 3.1.
GRUB or LILO uses the settings in the MBR to display boot options and allow for user input on which operating system to actually start up. But this begs the question: How does the boot loader in the MBR know what to do when the MBR is read? LILO has already written the instructions there through use of the lilo program, which in turn reads the /etc/lilo.conf configuration file. The boot instructions for GRUB are written in the /boot/grub/grub.
• prompt — The existence of prompt tells LILO to show you whatever is referenced in the message line. While it is not recommended that you remove the prompt line, if you do remove it, you can still get a prompt by holding down the [Shift] key while your machine starts to boot. • timeout — Sets the amount of time that LILO will wait for user input before proceeding with booting the default line entry. This is measured in tenths of a second, with 50 as the default.
3.2.2. Init The kernel finds /sbin/init and executes it. It is the init command which coordinates the rest of the boot process. When init starts, it becomes the parent or grandparent of all of the processes that start up automatically on a Red Hat Linux system. First, it runs the /etc/rc.d/rc.sysinit script, which sets your environment path, starts swap, checks the filesystems, and so on. Basically, rc.
K30mcserv -> ../init.d/mcserv
K34yppasswdd -> ../init.d/yppasswdd
K35dhcpd -> ../init.d/dhcpd
K35smb -> ../init.d/smb
K35vncserver -> ../init.d/vncserver
K45arpwatch -> ../init.d/arpwatch
K45named -> ../init.d/named
K50snmpd -> ../init.d/snmpd
K54pxe -> ../init.d/pxe
K55routed -> ../init.d/routed
K60mars-nwe -> ../init.d/mars-nwe
K61ldap -> ../init.d/ldap
K65kadmin -> ../init.d/kadmin
K65kprop -> ../init.d/kprop
K65krb524 -> ../init.d/krb524
K65krb5kdc -> ..
rhnsd. The last thing init does is run /etc/rc.d/rc.local to run any special scripts configured for that host. At this point, the system is considered to be operating at runlevel 5.
id:3:initdefault: The default runlevel is 3 in this example, the number after the first colon. If you want to change it, you can edit /etc/inittab by hand. Be very careful when you are editing the inittab file, as typos can cause your system to become unbootable without using a boot diskette or going into rescue mode.
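The K and S symlink names above encode both what init does with a service and in what order, and the initdefault line decides which of those directories is used. The script below is an added example written for this page, not code from the Red Hat guide: it orders a listing the way /etc/rc.d/rc does (all K links, then all S links, by the two-digit priority), reports which services will be running in that runlevel, and rejects an initdefault of 0 or 6, the two typos that make a system halt or reboot as soon as init starts. The directory listing and inittab lines are constructed samples.

```python
"""Added example (not from the Red Hat guide): interpret the K/S symlink
names in an /etc/rc.d/rcN.d/ directory the way the /etc/rc.d/rc script
orders them, and sanity-check the initdefault line of /etc/inittab.
The listing and inittab lines below are constructed samples."""
import re

LINK_RE = re.compile(r"^([KS])(\d{2})(.+)$")

# Constructed sample in the form "ls -l /etc/rc.d/rc5.d" shows.
SAMPLE_RC5 = """\
K35smb -> ../init.d/smb
K45named -> ../init.d/named
K50snmpd -> ../init.d/snmpd
S10network -> ../init.d/network
S12syslog -> ../init.d/syslog
S55sshd -> ../init.d/sshd
S56xinetd -> ../init.d/xinetd
S80sendmail -> ../init.d/sendmail
S99local -> ../rc.local
"""

SAMPLE_INITTAB = """\
# constructed sample
id:3:initdefault:
si::sysinit:/etc/rc.d/rc.sysinit
l0:0:wait:/etc/rc.d/rc 0
l3:3:wait:/etc/rc.d/rc 3
"""


def parse_rc_dir(listing: str) -> list:
    """Return (action, priority, service) tuples in execution order:
    all K links first, then all S links, each group by ascending
    two-digit priority and then by name, which is the order the rc
    script's K* and S* globs produce."""
    entries = []
    for line in listing.splitlines():
        name = line.split(" -> ", 1)[0].strip()
        m = LINK_RE.match(name)
        if not m:
            continue                     # README or stray files are skipped
        action, prio, service = m.group(1), int(m.group(2)), m.group(3)
        entries.append((action, prio, service))
    return sorted(entries, key=lambda e: (e[0] == "S", e[1], e[2]))


def services_started(listing: str) -> list:
    """Services that will be running after entering this runlevel; this
    is the list to review for network daemons you did not mean to expose."""
    return [svc for act, _, svc in parse_rc_dir(listing) if act == "S"]


def initdefault(inittab: str) -> int:
    """Return the default runlevel, refusing values that would make the
    system halt (0) or reboot (6) as soon as init starts."""
    for line in inittab.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[2] == "initdefault":
            level = int(fields[1])
            if level in (0, 6):
                raise ValueError(f"initdefault {level} would halt or reboot at boot")
            return level
    raise ValueError("no initdefault line found")


if __name__ == "__main__":
    for action, prio, svc in parse_rc_dir(SAMPLE_RC5):
        print(action, prio, svc)
    print("started:", services_started(SAMPLE_RC5))
    print("default runlevel:", initdefault(SAMPLE_INITTAB))
```

Feeding it the real listing (os.listdir on /etc/rc.d/rc3.d, joined with " -> " and the link targets, or the output of ls -l) gives the same ordering init will use, which is the quickest way to confirm that a service you disabled with chkconfig no longer has an S link.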
• dhcpd • firewall • gpm • harddisks • hwconf • i18n • identd • init • ipchains • iptables • irda • keyboard • kudzu • mouse • named • netdump • network • ntpd • pcmcia • radvd • rawdevices • redhat-config-users • samba • sendmail • soundcard • squid • tux • ups • vncservers • xinetd It is possible that your system may be missing a few of them if the corresponding program that would need that file is not installed. Next, we will take a look at each one. 3.3.
3.3.1.2. /etc/sysconfig/apmd The /etc/sysconfig/apmd file is used by apmd as a configuration for what things to start/stop/change on suspend or resume. It is set up to turn on or off apmd during startup, depending on whether your hardware supports Advanced Power Management (APM) or if you choose not to use it. apmd is a monitoring daemon that works with power management code within the Linux kernel.
• UTC=value, where value is one of the following: • true — Indicates that the clock is set to Universal Time. Any other value indicates that it is set to local time. • ARC=value, where value is the following: • true — Indicates the ARC console’s 42-year time offset is in effect. Any other value indicates that the normal UNIX epoch is assumed (for Alpha-based systems only).
• USE_DMA=1, where setting this to 1 enables DMA. However, with some chipsets and hard drive combinations, DMA can cause data corruption. Check with your hard drive documentation or manufacturer before enabling this. • Multiple_IO=16, where a setting of 16 allows for multiple sectors per I/O interrupt. When enabled, this feature reduces operating system overhead by 30-50%. Use with caution.
• SETCOLOR_SUCCESS=value, where value sets the color to a color indicating success. Defaults to ANSI sequences output by echo -e, setting the color to green. • SETCOLOR_FAILURE=value, where value sets the color to a color indicating failure. Defaults to ANSI sequences output by echo -e, setting the color to red. • SETCOLOR_WARNING=value, where value sets the color to a color indicating warning.
• DEVICE=value, where value is the device (usually a serial port) that handles infrared connections. • DONGLE=value, where value specifies the type of dongle being used for infrared communication. This setting exists for people who use serial dongles rather than real infrared ports. A dongle is a device that is attached to a traditional serial port to communicate via infrared.
• mousesystems — A Mouse Systems™ mouse. • ps/2 — A PS/2 mouse. • msbm — A Microsoft™ bus mouse. • logibm — A Logitech™ bus mouse. • atibm — An ATI™ bus mouse. • logitech — A Logitech™ mouse. • mmseries — An older MouseMan™ mouse. • mmhittab — An mmhittab mouse. • XEMU3=value, where value is one of the following boolean values: • yes — The mouse only has two buttons, but three mouse buttons should be emulated.
3.3.1.23. /etc/sysconfig/network The /etc/sysconfig/network file is used to specify information about the desired network configuration. The following values may be used: • NETWORKING=value, where value is one of the following boolean values: • yes — Networking should be configured. • no — Networking should not be configured. • HOSTNAME=value, where value should be the Fully Qualified Domain Name (FQDN), such as hostname.domain.
• CARDMGR_OPTS=value, where value is the list of options for the PCMCIA cardmgr (such as -q for quiet mode; -m to look for loadable kernel modules in the specified directory, and so on). Read the cardmgr man page for more information. 3.3.1.26. /etc/sysconfig/radvd The /etc/sysconfig/radvd file is used to pass arguments to the radvd daemon at boot time.
• QUEUE=1h, which is given to Sendmail as -q$QUEUE. The -q option is not given to Sendmail if /etc/sysconfig/sendmail exists and QUEUE is empty or undefined. 3.3.1.31. /etc/sysconfig/soundcard The /etc/sysconfig/soundcard file is generated by sndconfig and should not be modified. The sole use of this file is to determine what card entry in the menu to pop up by default the next time sndconfig is run.
• ups-trust425+625 — For a Trust™ UPS. • DEVICE=value, where value specifies where the UPS is connected, such as /dev/ttyS0. • OPTIONS=value, where value is a special command that needs to be passed to the UPS. 3.3.1.35. /etc/sysconfig/vncservers The /etc/sysconfig/vncservers file configures how the Virtual Network Computing (VNC) server starts up.
• Scripts used to bring up and down ISDN interfaces, such as ifup-isdn and ifdown-isdn • Various shared network function scripts which should not be edited directly.
• In the graphical GRUB boot loader screen, select the Red Hat Linux boot label and press [e] to edit it. • Arrow down to the kernel line and press [e] to edit it. • At the prompt, type single and press [Enter]. • You will be returned to the GRUB screen with the kernel information. Press the [b] key to boot the system into single user mode. A very bare system will boot, and you will have a command shell from which you can fix things.
Warning If your computer does not power itself down, be careful not to turn off the computer until you see a message indicating that the system is halted or finished shutting down. Failure to wait for this message will mean that you may be turning off the machine before your hard drive partitions are unmounted. This can cause filesystem corruption, even to the point where your system may not boot the next time it attempts to start up.
Chapter 4. GRUB Before Red Hat Linux can load on a system, it must be told to boot by special instructions placed on a boot loader, a program that exists on the system’s primary hard drive or other media device that knows how to start the Linux kernel. If using an x86 system that only boots Red Hat Linux and only one version of the Linux kernel, then the exact process used by the boot loader to start Red Hat Linux is not very important.
Chapter 4. GRUB Note Some filesystems, as well as filesystem configurations, may require a Stage 1.5 file that essentially bridges the gap between the primary and secondary boot loaders. For example, if the Stage 2 boot loader file is on a partition using a filesystem that the Stage 1 boot loader cannot access, it is possible to direct the Stage 1 boot loader to load additional instructions from the Stage 1.5 file that allows it to read the Stage 2 boot loader file.
Chapter 4. GRUB 79 Note When changes are made to the GRUB configuration file, it is not necessary to restart GRUB. Any changes made are automatically detected. If GRUB is restarted, the user will be dropped to the command line GRUB shell. 4.1.3. Installing GRUB If GRUB was not installed during the Red Hat Linux installation process, the following explains how to install it and make it the default boot loader.
Chapter 4. GRUB Note Remember that GRUB’s numbering system for devices starts at 0, and not 1. This is one of the most common mistakes made by new GRUB users. ( ) partition-number relates to the number of a specific partition on a disk device. Like the bios-device-number , the partition numbering starts at 0. While most partitions are specified by numbers, if a system uses BSD partitions, they are signified by letters, such as a or c.
Chapter 4. GRUB 81 4.2.3. GRUB’s Root Filesystem Some users are confused by the use of the term "root filesystem" with GRUB. It is important to remember that GRUB’s root filesystem has nothing to do with the Linux root filesystem. The GRUB root filesystem is the root partition for a particular device. GRUB uses this information to mount the device and load files from it, among other things.
Chapter 4. GRUB to move to the beginning of a line, and [Ctrl]-[e] to move to the end of a line. In addition, the arrow, [Home], [End], and [Delete] keys work as they do in the bash shell. 4.3.4. Order of Interface Use When the GRUB environment starts loading the second stage boot loader, it looks for its configuration file. When found, it uses the configuration file to build the menu list of operating systems to load and then displays the boot menu interface.
• kernel <kernel-file-name> <option-1> <option-N> — Specifies the kernel file to load from GRUB’s root filesystem when using direct loading to boot the operating system. Options can follow the kernel command and will be passed to the kernel when it is loaded. For Red Hat Linux, an example kernel command looks like the following: kernel /vmlinuz root=/dev/hda5 This line specifies that the vmlinuz file is loaded from GRUB’s root filesystem, such as (hd0,0).
4.5.2. Configuration File Structure The commands to set the global preferences for the GRUB menu interface are placed at the top of the file, followed by the different entries for each of the operating systems to boot.
• http://www.uruk.org/orig-grub — The original GRUB documentation before the project was handed off to the Free Software Foundation for further development. • http://www.redhat.com/mirrors/LDP/HOWTO/mini/Multiboot-with-GRUB.html — Investigates various uses for GRUB, including booting operating systems other than Linux. • http://www.linuxgazette.com/issue64/kohli.
Chapter 5. The ext3 File System With the release of Red Hat Linux 7.2, Red Hat changed the default file system from the venerable ext2 format to the journaling ext3 file system. 5.1. Features of ext3 The ext3 file system is essentially an enhanced version of the ext2 file system.
5.2. Creating an ext3 File System If you are adding a new disk drive to a Red Hat Linux system and want to utilize the ext3 file system, you must first partition the hard disk with a program such as fdisk and then format the file system. 5.2.1. Partitioning with fdisk To use fdisk, open a shell prompt and log in as the root user. The fdisk command requires you to specify the device you are partitioning as an argument to the command.
Tip It is a good idea to write down which partitions (for example, /dev/hdb2) are meant for which file systems (for example, /home/username) as you create each partition. Next, you will need to specify what type of file system you intend to put on the disk because fdisk creates partitions of type unknown by default. To do this, type t followed by a partition number. Next enter the hex value for the file system type you intend to install on the partition.
Once you have assigned each partition a label, add the partitions to /etc/fstab. To do this, log in as root and type: pico -w /etc/fstab Then add a line to /etc/fstab for each labeled partition similar to this: LABEL=/mount/point /mount/point ext3 defaults 1 2 In the above entry in /etc/fstab, replace each occurrence of /mount/point with the mount point you intend to use for the partition.
umount /dev/hdbX In the above command, replace hdb with the drive letter and X with the partition number. For the remainder of this section, the sample commands will use hdb1 for these values.
Chapter 6. Users and Groups The control of users and groups exists at the core of Red Hat Linux system administration. Users can be either people (accounts tied to a physical user) or logical users (accounts that exist for applications so that they can perform specific tasks). Both types of users have a User ID (which is usually unique) and Group ID. Groups are logical expressions of organization.
Group      GID    Members
mailnull   47     mailnull
rpcusers   29
nfsnobody  65534
xfs        43     xfs
gdm        42     gdm
apache     48     apache
squid      23     squid
named      25     named
junkbust   73     junkbust
mysql      27     mysql
mailman    41     mailman
ldap       55     ldap
Table 6-2. Standard Groups
6.4. User Private Groups Red Hat Linux uses a user private group (UPG) scheme, which makes UNIX groups easier to use.
You can add a user to a group using redhat-config-users (see the Official Red Hat Linux Customization Guide), or if you prefer to use the command line, use the /usr/sbin/groupadd groupname command to create a group. The /usr/bin/gpasswd -a loginname groupname command will add a user loginname to a group. (See the groupadd and gpasswd man pages if you need more information on their options.) The /etc/group file contains the group information for your system.
6.5. Shadow Utilities If you are in a multiuser environment and not using a networked authentication scheme such as Kerberos, you should consider using Shadow Utilities (also known as shadow passwords) for the enhanced protection offered for your system’s authentication files.
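The protection shadow passwords add is easy to undo by accident: a hash pasted into /etc/passwd, an account created with an empty password field, or a second UID 0 account all bypass it. The following script is an added example, not part of the Red Hat guide or the shadow utilities; it audits passwd- and shadow-format data for those conditions. The two account files it reads are constructed samples with fake hashes, and the account names in them are invented for the demo.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: audit /etc/passwd and /etc/shadow
# for accounts that can log in without a password, password hashes left in the
# world-readable passwd file, and extra UID 0 accounts.
# The two samples below are constructed for this demo (the hashes are fake);
# to audit a real host run:  audit_passwd < /etc/passwd; audit_shadow < /etc/shadow

PASSWD_SAMPLE=$(cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
legacy:$1$saltsalt$notarealhash0000000000:500:500::/home/legacy:/bin/bash
guest::501:501::/home/guest:/bin/bash
toor:x:0:0::/root:/bin/bash
EOF
)

SHADOW_SAMPLE=$(cat <<'EOF'
root:$1$saltsalt$notarealhash1111111111:11876:0:99999:7:::
bin:*:11876:0:99999:7:::
legacy:!!:11876:0:99999:7:::
guest:!!:11876:0:99999:7:::
toor::11876:0:99999:7:::
EOF
)

# Reads passwd-format lines on stdin and prints one finding per line.
# A field-2 value of "x" means the hash lives in /etc/shadow; anything else is
# either an empty password or a hash exposed to every local user.
audit_passwd() {
  awk -F: '
    NF != 7                 { print "MALFORMED " $0; next }
    $2 == ""                { print "EMPTY_PASSWORD " $1 }
    $2 != "" && $2 != "x"   { print "UNSHADOWED " $1 }
    $3 == 0 && $1 != "root" { print "EXTRA_UID0 " $1 }
  '
}

# Reads shadow-format lines on stdin. An empty hash field means the account
# authenticates with no password at all; "*" or "!" prefixes mean locked.
audit_shadow() {
  awk -F: '
    NF < 2   { print "MALFORMED " $0; next }
    $2 == "" { print "EMPTY_HASH " $1 }
  '
}

# Runs both audits over the constructed samples.
demo_findings() {
  printf '%s\n' "$PASSWD_SAMPLE" | audit_passwd
  printf '%s\n' "$SHADOW_SAMPLE" | audit_shadow
}

demo_findings
```

On the sample data the script reports the exposed hash for legacy, the empty password field for guest, the duplicate UID 0 for toor and the empty shadow hash for toor; root and bin produce nothing. The awk programs are deliberately field-based rather than regex-based so that hash formats other than the MD5 form shown do not matter.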
Chapter 7. X Servers and Clients While the heart of Red Hat Linux is the kernel, for workstation users, the X environment is the face of the operating system. The kernel provides the engine for everything that happens, managing processes and resources virtually unseen. However, the day-to-day Linux users spend the majority of their time in a graphical desktop environment, opening applications, resizing windows, and scrolling through text.
7.2. The XFree86 Server Red Hat Linux uses XFree86 4 as the base X Window System, which includes the various necessary X libraries, fonts, utilities, documentation, and development tools. To provide maximum compatibility with older hardware, as well as hardware that is not currently well supported by XFree86 4, Red Hat Linux also provides the older XFree86 3 Server packages.
the installation process. If you use Xconfigurator to reconfigure a new video card, both configuration files are regenerated. The configuration files are made up of a collection of sections, each of which defines a particular aspect of the XFree86 server’s operation. Many of the configuration sections are similar in both files; however, there are also many differences.
Files This section sets paths for services vital to the XFree86 server, such as the font path. Common options include: • FontPath — Sets the locations where the XFree86 server can find fonts. Different fixed paths to directories holding font files can be placed here, separated by commas. By default, Red Hat Linux uses xfs as the font server and points FontPath to unix/:7100.
• Identifier — Provides a unique name for this monitor, usually numbering each monitor starting at 0. The first monitor would be named Monitor0, the second Monitor1, and so on. • Modeline — Used to specify the video modes used by the monitor at particular resolutions, with certain horizontal sync and vertical refresh rates. Modeline entries are usually preceded by a comment that explains what the mode line specifies.
• InputDevice — The names of any InputDevice sections to be used with the XFree86 server. Most users will only have two lines here, Keyboard0 and Mouse0, the first keyboard and mouse configured for the system. The options CoreKeyboard and CorePointer refer to the fact that these are the preferred keyboard and mouse, respectively, to use with the XFree86 server. • Screen — The name of the Screen section to use.
These window managers can be run as individual X clients to gain a better sense of their differences. Type the xinit <path-to-window-manager> command, where <path-to-window-manager> is the location of the window manager binary file. The binary file can be found by typing which <window-manager-name> or by looking for the name of the window manager in a bin directory. 7.3.2.
you must already be logged into the system at runlevel 3 to be able to type commands, startx is only designed to bring up certain X clients, such as a desktop environment, in a particular manner. It does not provide any user authentication. When startx begins, it looks for a .xinitrc file in the user’s home directory to define the X clients to run. If it does not find that file present, it will run the system default /etc/X11/xinit/xinitrc script instead.
xdm display managers to find one to use. Once one is found, prefdm launches it to handle the user login. Each of the display managers look to the /etc/X11/xdm/Xsetup_0 file to set up the login screen. Once the user logs into the system, the /etc/X11/xdm/GiveConsole script runs to assign ownership of the console to the user.
7.5.1. xfs Configuration The /etc/rc.d/init.d/xfs script starts the xfs server. Several options can be configured in the /etc/X11/fs/config file: • alternate-servers — Sets a list of alternate font servers to be used if this font server is not available. A comma must separate every font server in the list. • catalogue — An ordered list of font paths to use that contain the font files.
Note You must have a fonts.dir file in your new font directory for the chkfontpath command to work correctly. The creation of the fonts.dir file, as well as any other files used by xfs with these fonts, is beyond the scope of this document. Many font collections available for Linux include these files for you, so it may not be necessary to create them by hand. 3. Restart xfs using the /sbin/service xfs restart command. You will also need to restart your X session. 4.
7.6.2. Useful Websites • http://www.xfree86.org — Home page of the XFree86 project, which produces the XFree86 open source version of the X Window System. XFree86 is bundled with Red Hat Linux to control the necessary hardware and provide a GUI environment. • http://dri.sourceforge.net — Home page of the DRI (Direct Rendering Infrastructure) project.
Security Reference
Chapter 8. Pluggable Authentication Modules (PAM) Programs that give privileges to users must properly authenticate each user. When you log into a system, you provide your username and password, and the login process uses this username and password to verify your identity. Pluggable Authentication Modules (PAM) allows the system administrator to set authentication policies for PAM-aware applications without having to recompile authentication programs.
The next four sections will describe the basic format of PAM configuration files and how they use PAM modules to perform authentication for PAM-aware applications. 8.3. PAM Modules There are four types of PAM modules used to control access to services. These types correlate to different aspects of the authorization process: • auth — used to authenticate the user by, for example, asking for and checking a password.
8.3.2. Creating Modules New PAM modules can be added at any time, and PAM-aware applications can then use them. For example, if you create a one-time-password creation method and write a PAM module to support it, PAM-aware programs can immediately use the new module and password method without being recompiled or otherwise modified.
A newer control flag syntax allowing for even more control is now available for PAM. Please see the PAM docs located in the /usr/share/doc/pam-version-number/ directory for information on this new syntax. 8.5. PAM Module Paths Module paths tell PAM where to find the pluggable module to be used with the module type specified. Usually, it is provided as the full path to the module, such as /lib/security/pam_stack.so.
This line causes the user to be asked for a password and then checks the password using the information stored in /etc/passwd and, if it exists, /etc/shadow. The pam_unix.so module automatically detects and utilizes shadow passwords stored in /etc/shadow to authenticate users. Please refer to Section 6.5 for more information on shadow passwords. The argument nullok instructs the pam_unix.so module to allow a blank password.
#%PAM-1.0
auth required   /lib/security/pam_nologin.so
auth required   /lib/security/pam_securetty.so
auth required   /lib/security/pam_env.so
auth sufficient /lib/security/pam_rhosts_auth.so
auth required   /lib/security/pam_stack.so service=system-auth
First, pam_nologin.so checks to see if /etc/nologin exists. If it does, no one can log in except for root. auth required /lib/security/pam_securetty.so The pam_securetty.
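Because login defers most of its auth stack to pam_stack.so service=system-auth, the modules that actually run are spread over two files, and the two things worth spotting when reviewing them (a sufficient module, whose success ends the stack, and the nullok argument described above) may sit in the included file. The script below is an added example, not part of the Red Hat guide or of PAM: it prints the effective auth stack of a service, following pam_stack.so references, and numbers the findings. The two PAM files it reads are constructed samples in the style of this release (the login one mirrors the listing above); pam_file() stands in for reading /etc/pam.d/<service>.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: print the effective "auth" stack of a
# PAM service, following pam_stack.so service= references, and flag the entries a
# reviewer cares about: "sufficient" modules (a success there ends the stack) and
# the nullok argument (empty passwords accepted).
# The two files below are constructed samples; pam_file() stands in for reading
# /etc/pam.d/<service>. On a real host replace its body with: cat "/etc/pam.d/$1"

LOGIN_SAMPLE=$(cat <<'EOF'
#%PAM-1.0
auth       required     /lib/security/pam_nologin.so
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_env.so
auth       sufficient   /lib/security/pam_rhosts_auth.so
auth       required     /lib/security/pam_stack.so service=system-auth
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
EOF
)

SYSTEM_AUTH_SAMPLE=$(cat <<'EOF'
#%PAM-1.0
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        required      /lib/security/pam_deny.so
account     required      /lib/security/pam_unix.so
password    required      /lib/security/pam_cracklib.so retry=3
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/pam_deny.so
session     required      /lib/security/pam_unix.so
EOF
)

# Constructed lookup standing in for /etc/pam.d/<service>.
pam_file() {
  case "$1" in
    login)       printf '%s\n' "$LOGIN_SAMPLE" ;;
    system-auth) printf '%s\n' "$SYSTEM_AUTH_SAMPLE" ;;
    *)           echo "no such PAM service: $1" >&2; return 1 ;;
  esac
}

# Prints "<flag> <module> <args>" for every auth line of a service, in the
# order PAM evaluates them, recursing into pam_stack.so service=<other>.
pam_auth_stack() {
  pam_file "$1" | grep -v '^#' | awk '$1 == "auth"' |
  while read -r _type flag module args; do
    case "$module" in
      */pam_stack.so)
        svc=${args#*service=}; svc=${svc%% *}
        pam_auth_stack "$svc" ;;
      *) printf '%s %s %s\n' "$flag" "${module##*/}" "$args" ;;
    esac
  done
}

# Numbered findings over the effective stack.
pam_audit() {
  pam_auth_stack "$1" | awk '
    { n++; mod = $2 }
    $1 == "sufficient" { printf "%d SUFFICIENT %s: success here ends the auth stack, later modules are skipped\n", n, mod }
    / nullok/          { printf "%d NULLOK %s: accounts with an empty password are accepted\n", n, mod }
  '
}

echo "effective auth stack for login:"; pam_auth_stack login
echo "findings:"; pam_audit login
```

For the sample files the effective login stack has seven entries; pam_rhosts_auth.so is reported at position 4 (a matching .rhosts entry means the password modules after it never run) and pam_unix.so at position 6 both as sufficient and, because of nullok, as accepting empty passwords. Removing nullok from system-auth changes the result for every service that includes it, which is the practical reason for auditing the expanded stack rather than the individual file.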
The devices affected include, but are not limited to, sound cards, floppy drives, and CD-ROM drives. This allows a local user to manipulate these devices without attaining root, thus simplifying common tasks for the console user. You can edit the list of devices controlled by pam_console.so in the file /etc/security/console.perms. 8.8.2.
Chapter 9. TCP Wrappers and xinetd Controlling access to network services can be a challenge. Firewalls are useful for controlling access in and out of a particular network, but they can be difficult to configure. TCP wrappers and xinetd control access to services by hostname and IP addresses. In addition, these tools also include logging and utilization management capabilities that are easy to configure. 9.1.
All rules in each file take effect from the top down, so the order in which the rules are placed can be important. Any changes to these files take effect immediately on the affected services; restarting of the services is not required. 9.2.1. Formatting Rules All access control rules are placed on lines within hosts.allow and hosts.deny, and any blank lines or lines that start with the comment character (#) are ignored. Each rule needs to be on a separate line.
Caution The KNOWN, UNKNOWN, and PARANOID wildcards should be used very carefully, as a disruption in name resolution may prevent legitimate users from gaining access to a network service. The access control language also contains a powerful operator, EXCEPT, which allows separate lists to be combined within the same rule line.
Various expansions containing specific information about the client, server, and process involved are available to the shell commands: • %a — The client’s IP address. • %A — The server’s IP address. • %c — Various types of client information, such as the username and hostname, or the username and IP address. • %d — The daemon process name. • %h — The client’s hostname (or IP address, if the hostname is unavailable).
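Since rules take effect top down, with hosts.allow consulted before hosts.deny and no rule at all meaning access is granted, a rule set is easy to get wrong in a way that only shows up when a client is refused or, worse, admitted. The script below is an added example, not part of the Red Hat guide or the tcp_wrappers package: a simplified evaluator that answers "would daemon X accept client Y" for a pair of rule files, supporting ALL, exact names and addresses, address prefixes such as 192.168.10., domain suffixes such as .example.com and EXCEPT. It does not model KNOWN, UNKNOWN, PARANOID, LOCAL, the address/netmask form or reverse-DNS checks; tcpdmatch(8), which ships with tcp_wrappers, gives the authoritative answer on a real host. The two rule files and the addresses are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide or tcp_wrappers: a simplified
# hosts.allow / hosts.deny evaluator for checking a rule set before deployment.
# Lookup order as the text describes: hosts.allow first, then hosts.deny, first
# match wins, no match at all means allow. Patterns modelled: ALL, exact host or
# address, "192.168.10." prefixes, ".example.com" suffixes and EXCEPT.
# Not modelled: KNOWN/UNKNOWN/PARANOID/LOCAL, net/mask forms, reverse DNS.

HOSTS_ALLOW=$(cat <<'EOF'
# management network may reach every wrapped service
ALL : 192.168.10.
# ssh from the corporate domain, except the lab subdomain
sshd : .example.com EXCEPT .lab.example.com
in.ftpd : 10.0.0.5
EOF
)

HOSTS_DENY=$(cat <<'EOF'
ALL : ALL
EOF
)

# stdin: one rule file; $1 daemon, $2 client. Prints 1 if any rule matches.
tcpd_rules_match() {
  awk -v d="$1" -v c="$2" '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    function match_item(item, value) {
      item = tolower(item); value = tolower(value)
      if (item == "all") return 1
      if (item == value) return 1
      # "192.168.10." matches any address that starts with it
      if (substr(item, length(item)) == "." && index(value, item) == 1) return 1
      # ".example.com" matches any host name that ends with it
      if (substr(item, 1, 1) == "." && length(value) > length(item) && substr(value, length(value) - length(item) + 1) == item) return 1
      return 0
    }
    # "list1 EXCEPT list2": in list1 and not in list2; otherwise any item matches
    function match_list(list, value,   n, parts, i, e) {
      list = trim(list); gsub(/[ \t]+/, " ", list)
      e = index(list, " EXCEPT ")
      if (e) return match_list(substr(list, 1, e - 1), value) && !match_list(substr(list, e + 8), value)
      n = split(list, parts, "[ ,]+")
      for (i = 1; i <= n; i++) if (parts[i] != "" && match_item(parts[i], value)) return 1
      return 0
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments and blank lines
    {
      nf = split($0, f, ":")                     # daemon_list : client_list [: options]
      if (nf < 2) next
      if (match_list(f[1], d) && match_list(f[2], c)) { print 1; exit }
    }
  '
}

# $1 daemon, $2 client, $3 allow file text, $4 deny file text (default: samples).
# Prints ALLOW or DENY.
tcpd_check() {
  allow=${3-$HOSTS_ALLOW}; deny=${4-$HOSTS_DENY}
  if [ "$(printf '%s\n' "$allow" | tcpd_rules_match "$1" "$2")" = 1 ]; then echo ALLOW
  elif [ "$(printf '%s\n' "$deny" | tcpd_rules_match "$1" "$2")" = 1 ]; then echo DENY
  else echo ALLOW          # no rule in either file: tcpd grants access
  fi
}

for probe in "sshd 192.168.10.7" "sshd host.example.com" "sshd box.lab.example.com" \
             "in.ftpd 10.0.0.5" "in.telnetd 10.0.0.5"; do
  set -- $probe
  echo "$1 from $2: $(tcpd_check "$1" "$2")"
done
```

With the sample files, in.telnetd from 10.0.0.5 is denied only because hosts.deny ends with ALL : ALL; passing an empty deny file to tcpd_check shows the same connection being allowed, which is the fall-through behaviour the text warns about. The daemon name to test with is the process name tcpd sees (in.telnetd, sshd), not the service name from /etc/services.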
9.3.1. xinetd Configuration Files The xinetd service is controlled by the /etc/xinetd.conf file, as well as the various service-specific files in the /etc/xinetd.d directory. 9.3.1.1. /etc/xinetd.conf The xinetd.conf file is the parent of all xinetd-controlled service configuration files, as the service-specific files are also parsed every time xinetd starts. By default, xinetd.
9.3.1.2. Files in the /etc/xinetd.d Directory The various files in the /etc/xinetd.d directory are read every time xinetd starts, due to the includedir /etc/xinetd.d statement at the bottom of /etc/xinetd.conf. These files, with names such as finger, ipop3, and rlogin, relate to the various services controlled by xinetd. The files in /etc/xinetd.d use the same conventions and options as what is seen in /etc/xinetd.conf.
two files, /etc/hosts.allow and /etc/hosts.deny, each service’s file in /etc/xinetd.d can contain access control rules based on the hosts that will be allowed to use that service. The following options are supported in the xinetd files to control host access: • only_from — Allows the hosts specified to use the service. • no_access — Blocks these hosts from using this service. • access_times — Specifies the time range when a particular service may be used.
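Because /etc/xinetd.conf and every file under /etc/xinetd.d are parsed together, the effective access control for a service is the union of its own block and the defaults block. The script below is an added example, not part of the Red Hat guide or of xinetd: it reads that combined configuration, resolves only_from, no_access and access_times per service with defaults applied, and flags any enabled service that has no only_from list. The configuration it parses is a constructed sample; the service names and addresses in it are illustrative.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide or xinetd: parse xinetd.conf-style
# text (a "defaults" block plus one "service" block per file in /etc/xinetd.d)
# and report, per service, whether it is enabled and which host access controls
# apply. only_from/no_access/access_times set in "defaults" apply to every
# service that does not override them. The text below is a constructed sample;
# on a real host run:  cat /etc/xinetd.conf /etc/xinetd.d/* | xinetd_audit

XINETD_SAMPLE=$(cat <<'EOF'
defaults
{
        instances      = 60
        log_type       = SYSLOG authpriv
        log_on_success = HOST PID
        log_on_failure = HOST
        no_access      = 10.0.0.0/8
}
service telnet
{
        socket_type = stream
        wait        = no
        user        = root
        server      = /usr/sbin/in.telnetd
        disable     = no
}
service finger
{
        socket_type  = stream
        wait         = no
        user         = nobody
        server       = /usr/sbin/in.fingerd
        only_from    = 192.168.0.0/24
        access_times = 08:00-18:00
        disable      = no
}
service rlogin
{
        socket_type = stream
        wait        = no
        user        = root
        server      = /usr/sbin/in.rlogind
        disable     = yes
}
EOF
)

# stdin: xinetd configuration text. Output, one line per service:
#   <name> disable=<yes|no> only_from=<list|-> no_access=<list|-> access_times=<range|->
# followed by "FLAG <name> ..." for enabled services without an only_from list.
xinetd_audit() {
  awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    function val(k) { return (k in attr) ? attr[k] : ((k in def) ? def[k] : "-") }
    /^[ \t]*#/                { next }
    /^[ \t]*defaults[ \t]*$/  { name = "defaults"; split("", attr); next }
    /^[ \t]*service[ \t]+/    { name = $2; split("", attr); next }
    /^[ \t]*}/ {
      if (name == "defaults") { for (k in attr) def[k] = attr[k]; name = ""; next }
      if (name == "") next
      d = ("disable" in attr) ? attr["disable"] : "no"   # xinetd enables a service unless told otherwise
      printf "%s disable=%s only_from=%s no_access=%s access_times=%s\n", name, d, val("only_from"), val("no_access"), val("access_times")
      if (d == "no" && val("only_from") == "-")
        printf "FLAG %s is enabled without an only_from list\n", name
      name = ""; next
    }
    name != "" && index($0, "=") {
      i = index($0, "="); k = trim(substr($0, 1, i - 1)); sub(/[+-]$/, "", k)  # key, key +=, key -=
      attr[trim(k)] = trim(substr($0, i + 1))
    }
  '
}

printf '%s\n' "$XINETD_SAMPLE" | xinetd_audit
```

On the sample, telnet is enabled and inherits only the no_access list from defaults, so it is flagged; finger is enabled but restricted by its own only_from and access_times; rlogin is disabled and produces no flag. A service whose only restriction is inherited from defaults is shown with that value, which makes it visible when a later edit to the defaults block would silently open it.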
point to another port number on the same system, redirect the request to a different IP address on the same machine, shift the request to a totally different system and port number, or any combination of these options. In this way, a user connecting to a certain service on a system may be rerouted to another system with no disruption.
• /usr/share/doc/tcp_wrappers-<version>/ — Contains a README file that discusses how TCP wrappers work and the various hostname and host address spoofing risks that exist. • The xinetd documentation — Includes a README file that discusses aspects of access control and a sample.conf file with various ideas for modifying /etc/xinetd.d service configurations.
Chapter 10. SSH Protocol SSH™ allows users to log into host systems remotely. Unlike rlogin or telnet, SSH encrypts the login session, so an intruder on the network cannot read clear-text passwords from it. SSH is designed to replace common methods for remotely logging into another system through a command shell. A related program called scp replaces older programs designed to copy files between hosts, such as ftp or rcp.
• Interception of communication between two systems — In this scenario, a third party exists somewhere on the network between communicating entities and makes a copy of the information being passed between them. The intercepting party may intercept and keep the information, or it may alter the information and send it on to the intended recipient.
Once an SSH client contacts a server, key information is exchanged so that the two systems can correctly construct the transport layer. The following steps occur during this exchange: • Key exchange • The public key algorithm to be used • The symmetric encryption algorithm to be used • The message authentication algorithm to be used • The hash algorithm to be used During the key exchange, the server identifies itself to the client with a host key.
10.3.3. Connection After a successful authentication over the SSH transport layer, multiple channels are opened by multiplexing the single connection between the two systems. Each of these channels handles communication for different terminal sessions, forwarded X11 sessions, or other services seeking to use the SSH connection. Both clients and servers can create a new channel. Each channel is then assigned a different number for each end of the connection.
• id_dsa — Contains the DSA authentication identity of the user. • id_dsa.pub — The DSA public key of the user. • id_rsa — The RSA private key of the user for version 2 of the SSH protocol. • identity — The RSA private key of the user for version 1 of the SSH protocol. • known_hosts — This file contains the host keys (DSA or RSA) of SSH servers accessed by the user. This file is very important for ensuring that the SSH client is connecting to the correct SSH server.
Note Setting up port forwarding to listen on ports below 1024 requires root access. So if you want to check your email on a server called mail.domain.com using POP through an encrypted connection, you can use the following command: ssh -L 1100:mail.domain.com:110 mail.domain.com Once the port forwarding channel is in place between the two machines, you can direct your POP mail client to use port 1100 on localhost to check for new mail.
• ftp • rlogin • wu-ftpd • vsftpd For more information on runlevels and configuring services with chkconfig, ntsysv, and serviceconf, refer to the chapter titled Controlling Access to Services in the Official Red Hat Linux Customization Guide.
Chapter 11. Kerberos Kerberos is a network authentication protocol created by MIT which uses secret-key cryptography to secure passwords over the network. Encrypting passwords with Kerberos can help to thwart unauthorized users trying to intercept passwords on the network, thus adding an extra layer of system security. 11.1. Advantages of Kerberos Most conventional network systems use password-based authentication schemes.
11.3. Kerberos Terminology Like any other system, Kerberos has its own terminology to define various aspects of the service. Before learning how the service works, it is important to learn the following terms. ciphertext Encrypted data. clear-text Unencrypted, human-readable data. client An entity on the network (a user, a host, or an application) that can get a ticket from Kerberos.
ticket A temporary set of electronic credentials that verify the identity of a client for a particular service. Ticket Granting Service (TGS) A server that issues tickets for a desired service which are in turn given to users for access to the service. The TGS usually runs on the same host as the KDC. Ticket Granting Ticket (TGT) A special ticket that allows the client to obtain additional tickets from the TGS without re-entering its password. 11.4.
Note Kerberos depends on certain network services to work correctly. First, Kerberos requires approximate clock synchronization between the machines on the network. A clock syncing program should be set up for the network. Since certain aspects of Kerberos rely on the Domain Name Service (DNS), be sure that the DNS entries and hosts on the network are all properly configured.
KDC from kerberos.example.com to the name of your Kerberos server. By convention, all realm names are uppercase and all DNS hostnames and domain names are lowercase. For full details on the formats of these files, see their respective man pages. 4. Create the database using the kdb5_util utility from a shell prompt: /usr/kerberos/sbin/kdb5_util create -s The create command creates the database that will be used to store keys for your Kerberos realm.
Once you have completed the steps listed above, your Kerberos server should be up and running. Next, you will need to set up your Kerberos clients. 11.7. Configuring a Kerberos 5 Client Setting up a Kerberos 5 client is less involved than setting up a server. At minimum, you should install the client packages and provide your clients with a valid krb5.conf configuration file. Kerberized versions of rsh and rlogin will also require some configuration changes. 1.
11.8. Additional Resources For more information on Kerberos, refer to the following resources. 11.8.1. Installed Documentation • /usr/share/doc/krb5-server-<version-number>/ — The Kerberos V5 Installation Guide and the Kerberos V5 System Administrator’s Guide in PostScript and HTML formats. You must have the krb5-server RPM package installed. • The krb5-workstation documentation — The Kerberos V5 UNIX User’s Guide in PostScript and HTML formats. You must have the krb5-workstation RPM package installed.
Chapter 12. Installing and Configuring Tripwire Tripwire software can help to ensure the integrity of critical system files and directories by identifying all changes made to them. Tripwire configuration options include the ability to receive alerts via email if particular files are altered and automated integrity checking via a cron job.
Figure 12-1. How to Use Tripwire The following steps should be taken to properly install, use and maintain Tripwire: 1. Install Tripwire and customize the policy file — If not already done, install the tripwire RPM (see Section 12.2.1). Then, customize the sample configuration (/etc/tripwire/twcfg.txt) and policy (/etc/tripwire/twpol.txt) files and run the configuration script (/etc/tripwire/twinstall.sh). For more information, see Section 12.2.2. 2.
information, see Section 12.7. 3. Run a Tripwire integrity check — Compare the newly-created Tripwire database with the actual system files, looking for missing or altered files. For more information, see Section 12.8. 4. Examine the Tripwire report file — View the Tripwire report file using twprint to note integrity violations. For more information, see Section 12.9. 5.
1. If you already know of several changes that should be made to the configuration file (/etc/tripwire/twcfg.txt) or the policy file (/etc/tripwire/twpol.txt), edit those files now. Note While you should edit your configuration and policy files to customize Tripwire to your particular situation, editing the configuration or policy files is not required to use Tripwire.
12.4. Tripwire Components The Tripwire policy file is a text file containing comments, rules, directives, and variables. This file dictates the way Tripwire checks your system. Each rule in the policy file specifies a system object to be monitored. Rules also describe which changes to the object to report and which to ignore. System objects are the files and directories you wish to monitor. Each object is identified by an object name.
12.6. Selecting Passphrases Tripwire files are signed or encrypted using site and local keys, which protect the configuration, policy, database, and report files from being viewed or altered except by users who know the site and/or local passphrases. This means that, even if an intruder can obtain root access to your system, they will not be able to alter the Tripwire files to hide their tracks unless they also know the passphrases. The passphrases protect the signed files only; they do not stop an intruder with root access from replacing the tripwire binaries themselves, which is why the binaries and keys are best kept on read-only media.
12.9. Printing Reports The twprint -m r command will display the contents of a Tripwire report in clear text. You must tell twprint which report file to display. A twprint command for printing Tripwire reports looks similar to the following (all on one line): /usr/sbin/twprint -m r --twrfile /var/lib/tripwire/report/<name>.twr The -m r option in the command tells twprint to decode a Tripwire report.
12.9.1. Using twprint to View the Tripwire Database You can also use twprint to view the entire database or information about selected files in the Tripwire database. This is useful for seeing just how much information Tripwire is tracking on your system.
Object Type     Regular File
Device Number   773
Inode Number    216991
Mode            -rw-r--r--
Num Links       1
UID             root (0)
GID             root (0)
See the twprint man page for other options. 12.10. Updating the Database after an Integrity Check If you run an integrity check and Tripwire finds violations, you will first need to determine whether the violations discovered are actual security breaches or the product of authorized modifications.
does not have a /etc/smb.conf file, you can tell Tripwire not to try to look for it by commenting out its line in twpol.txt: # /etc/smb.conf -> $(SEC_CONFIG) ; Next, you must tell Tripwire to generate a new /etc/tripwire/tw.pol signed file and then generate an updated database file based on this policy information. Assuming /etc/tripwire/twpol.txt is the edited policy file, use this command: /usr/sbin/twadmin --create-polfile -S site.
For example, if you would like two administrators, Sam and Bob, notified if a networking program is modified, change the Networking Programs rule directive in the policy file to look like this: ( rulename = "Networking Programs", severity = $(SIG_HI), emailto = bob@domain.com;sam@domain.com ) Once a new signed policy file is generated from the /etc/tripwire/twpol.
Network Services Reference
Chapter 13. Network Scripts Using Red Hat Linux, all network communications occur between interfaces and physical networking devices connected to the system, configured in a particular way, and utilizing at least one protocol to exchange data with other systems. The different types of interfaces that exist are as varied as the physical devices they support.
Within each of the interface configuration files, the following values are common:
• BOOTPROTO=<protocol>, where <protocol> is one of the following:
• none — No boot-time protocol should be used.
• bootp — The BOOTP protocol should be used.
• dhcp — The DHCP protocol should be used.
• BROADCAST=<address>, where <address> is the broadcast address.
• DEVICE=<name>, where <name> is the name of the physical device (except for dynamically-allocated PPP devices, where it is the logical name).
connection tools. You can also create and edit this file manually. A typical ifcfg-ppp0 file looks like this:
DEVICE=ppp0
NAME=test
WVDIALSECT=test
MODEMPORT=/dev/modem
LINESPEED=115200
PAPNAME=test
USERCTL=true
ONBOOT=no
PERSIST=no
DEFROUTE=yes
PEERDNS=yes
DEMAND=no
IDLETIMEOUT=600
Serial Line Internet Protocol (SLIP) is another dialup interface, although it is less commonly used. SLIP files have interface configuration file names such as ifcfg-sl0.
• no — The /etc/resolv.conf file will not be changed.
• PERSIST=<answer>, where <answer> is one of the following:
• yes — This interface should be kept active at all times, even if deactivated after a modem hang up.
• no — This interface should not be kept active at all times.
• REMIP=<address>, where <address> is the remote system’s IP address. This is usually left unspecified.
13.2. Interface Control Scripts The interface control scripts control activating and deactivating interface connections. There are two primary interface control scripts, /sbin/ifdown and /sbin/ifup, that call on control scripts located in the /etc/sysconfig/network-scripts/ directory. The two primary interface control scripts in the /etc/sysconfig/network-scripts directory, ifdown and ifup, are symbolic links to the scripts in the /sbin/ directory.
13.3. Network Functions Red Hat Linux makes use of several files that contain important functions that are used in various ways to bring interfaces up and down. Rather than forcing each interface control file to contain the same functions as another, these functions are grouped together in a few files that can be sourced when needed. The most common network functions file is network-functions, located in the /etc/sysconfig/network-scripts/ directory.
Chapter 14. Firewalling with iptables The Linux kernel contains advanced tools for packet filtering — the process of controlling network packets as they attempt to enter, move through, and exit your system. Pre-2.4 kernels contained the ability to manipulate packets using ipchains which used lists of rules that apply to packets at each step of the filtering process. The introduction of the 2.
Regardless of their destination, when packets match a particular rule on one of the rule lists, they are designated for a particular target or action to be applied to them. If the rule specifies an ACCEPT target for a matching packet, the packet skips the rest of the rule checks and is allowed to continue to its destination. If a rule specifies a DROP target, that packet is refused access to the system and nothing is sent back to the host that sent the packet.
14.3. Options Used in iptables Commands Rules that allow packets to be filtered by the kernel are put into place by running the iptables command with a number of options after it that identify the types of packets being filtered, the source or destination of those packets, and what to do with the packet if it matches the rule.
The iptables commands are: • -A — Appends the iptables rule to the end of the specified chain. This is the command used to simply add a rule when rule order in the chain does not matter. • -C — Checks a particular rule before adding it to the user-specified chain. This command can help you construct complicated iptables rules by prompting you for additional parameters and options.
• -d — Sets the destination hostname, IP address, or network of a packet that will match the rule. When matching a network, you can use two different methods for signifying the netmasks, such as 192.168.0.0/255.255.255.0 or 192.168.0.0/24.
• -f — Applies this rule only to fragmented packets. By using the ! option after this parameter, only unfragmented packets will be matched.
• --dport — Sets the destination port for the packet. You can use either a network service name (such as www or smtp), port number, or range of port numbers to configure this option. To browse the names and aliases of network services and the port numbers they use, view the /etc/services file. You can also use --destination-port to specify this match option.
14.3.5.4. Modules with Additional Match Options

Additional match options are also available through modules loaded when the iptables command calls them. To use a match option module, you must load the module by name by including -m <module-name> in the iptables command. A large number of modules are available by default. It is even possible to create your own modules to provide additional match option functionality.
• ACCEPT — Allows the packet to successfully move on to its destination or another chain.
• DROP — Drops the packet without responding to the requester. The system that sent the packet is not notified of the failure. The packet is simply removed from the rule checking the chain and discarded.
• — The packet is queued for handling in userspace, where a user or an application, for instance, can do something with it.
• -x — Expands numbers into their exact values. On a busy system, the number of packets and bytes seen by a particular chain or rule may be abbreviated using K (thousands), M (millions), and G (billions) at the end of the number. This option forces the full number to be displayed.
• — Displays IP addresses and port numbers in numeric format, rather than the default hostname and network service format.
Chapter 15. Apache

The Apache product includes software developed by the Apache Software Foundation (http://www.apache.org). The Apache HTTP server is a robust and commercial-grade open source Web server used by the majority of websites on the Internet. The Red Hat Linux distribution includes Apache, as well as a number of additional modules which are designed to enhance the functionality of the server and add strong encryption capabilities. Apache’s default configuration should work for most users.
mod_log_referer mod_mime mod_negotiation mod_status mod_info mod_include mod_autoindex mod_dir mod_cgi mod_asis mod_imap mod_actions mod_userdir mod_alias mod_rewrite mod_access mod_auth mod_auth_anon mod_auth_db mod_expires mod_headers mod_setenvif

The following modules are installed but disabled (see Section 15.
15.2. Starting and Stopping httpd

During the installation process, a Bourne shell script named httpd was saved in /etc/rc.d/init.d/. To manually stop, start, or check the status of your server, run httpd with either stop, start, or status as an argument. To start your server, type the command:

/sbin/service httpd start

If you are running Apache as a secure server, you will be prompted to fill in your password. After you type it in, your server will start.
provided in HTML format at http://localhost/manual/ or to the Apache group documentation at http://httpd.apache.org/docs/. For more information about mod_ssl directives, refer to the documentation included in HTML format at http://localhost/manual/mod/mod_ssl/ or see the mod_ssl User Manual at http://www.modssl.org/docs/2.8/.

15.3.1. ServerType

Your ServerType must be set to standalone. By default, your Web server is set to ServerType standalone.
15.3.8. Timeout

Timeout defines, in seconds, the amount of time that your server will wait for receipts and transmissions during communications. Specifically, Timeout defines how long your server will wait to receive a GET request, how long it will wait to receive TCP packets on a POST or PUT request, and how long it will wait between ACKs responding to TCP packets. Timeout is set to 300 seconds, which is appropriate for most situations.

15.3.9.
15.3.14. MaxClients

MaxClients sets a limit on the total number of server processes, or simultaneously connected clients, that can run at one time. You should keep MaxClients at a high number (your server’s default is set to 150), because no one else will be allowed to connect once that number of simultaneously connected clients is reached. You cannot set MaxClients to higher than 256 without recompiling Apache.
15.3.20. ClearModuleList

The ClearModuleList directive is located immediately before the long list of AddModule directives. ClearModuleList erases the server’s built-in list of active modules. Then the list of AddModule directives re-creates the list, immediately after ClearModuleList.

15.3.21. AddModule

AddModule is the directive used to create a complete list of all available modules. You will use the AddModule directive if you add your own module in as a DSO.
15.3.25. Group

The Group directive is similar to the User directive. Group sets the group under which the server will answer requests. The default Group is apache.

15.3.26. ServerAdmin

ServerAdmin should be the email address of the Web server’s administrator. This email address will show up in error messages on server-generated webpages, so users can report a problem by sending email to the server administrator. ServerAdmin is set by default to root@localhost.
The cgi-bin directory is set up to allow the execution of CGI scripts, with the ExecCGI option. If you need to execute a CGI script in another directory, you will need to set ExecCGI for that directory. For example, if your cgi-bin is /var/www/cgi-bin, but you want to execute CGI scripts from within /home/my_cgi_directory, add an ExecCGI directive to a set of Directory directives like the following to your httpd.
15.3.33. Allow

Allow specifies which requester can access a given directory. The requester can be all, a domain name, an IP address, a partial IP address, a network/netmask pair, and so on. Your DocumentRoot directory is configured to Allow requests from all, meaning everyone has access.

15.3.34. Deny

Deny works just like Allow, but you are specifying who is denied access. Your DocumentRoot is not configured to Deny requests from anyone by default.

15.3.35.
15.3.38. CacheNegotiatedDocs

By default, your Web server asks proxy servers not to cache any documents which were negotiated on the basis of content (that is, they may change over time or because of the input from the requester). If you uncomment CacheNegotiatedDocs, you are disabling that function and proxy servers will be allowed to cache the documents from then on.

15.3.39. UseCanonicalName

UseCanonicalName is set by default to on.
other words, after a reverse lookup is performed, a forward lookup is performed on the result. At least one of the IP addresses in the forward lookup must match the address from the first reverse lookup. Generally, you should leave HostnameLookups set to off, because the DNS requests add a load to your server and may slow it down. If your server is busy, the effects of HostnameLookups will be noticeable. HostnameLookups are also an issue for the Internet as a whole.
authuser — If authentication was required, this is the username with which the user identified herself. Usually, this is not used, so you will see a - in its place.
[date] — The date and time of the request.
"request" — The request string exactly as it came from the browser or client.
status — The HTTP status code which was returned to the browser or client.
bytes — The size of the document.
referer — This can give the URL of the webpage which linked to the current request.
See Section 15.3.65 and Section 15.3.29 for instructions on how to execute CGI scripts in directories other than the cgi-bin.

15.3.51. Redirect

When a webpage is moved, Redirect can be used to map the old URL to a new URL. The format is as follows:

Redirect /path/foo.html http://new_domain/path/foo.html

So, if an HTTP request is received for a page which used to be found at http://your_domain/path/foo.html, the server will send back the new URL (http://new_domain/path/foo.
15.3.55. AddIcon

AddIcon tells the server which icon to show in server generated directory listings for certain file types or for files with certain extensions. For example, your Web server is set to show the icon binary.gif for files with .bin or .exe extensions.

15.3.56. DefaultIcon

DefaultIcon names the icon to show in server generated directory listings for files which have no other icon specified. The unknown.gif image file is the DefaultIcon for those files by default.

15.3.
15.3.62. AddLanguage

AddLanguage associates filename extensions with specific content languages. This directive is mostly useful for content negotiation, when the server returns one of several documents based on the client’s language preference as set in their browser.

15.3.63. LanguagePriority

LanguagePriority allows you to set precedence for different languages in which to serve files, which will be in effect if the client expressed no preference for language in their browser.
15.3.67. MetaDir

MetaDir specifies the name of a directory where your Web server should look for files containing meta information (extra HTTP headers) to include when serving documents.

15.3.68. MetaSuffix

MetaSuffix specifies the filename suffix for the file that contains meta information (extra HTTP headers), which should be located in the MetaDir directory.

15.3.69.
# AuthType Basic
# AuthName Temporary
# AuthUserFile /etc/httpd/conf/passwd
# EnableDelete Off
# umask 007
# <Limit PUT>
# require valid-user
# </Limit>
# </Location>

You will also need to uncomment the following lines at the beginning of httpd.conf so that the mod_put module is loaded when Apache starts:

#LoadModule put_module modules/mod_put.so
#AddModule mod_put.
15.3.72. ProxyRequests

If you uncomment the IfModule tags surrounding the ProxyRequests directives, your Apache server will also function as a proxy server. You will also need to load the mod_proxy module. For instructions on how to load in modules, see Section 15.4.

15.3.73. ProxyVia

The ProxyVia command controls whether or not an HTTP Via: header line is sent along with requests or replies which go through the Apache proxy server.
You cannot use name-based virtual hosts with your secure server because the SSL handshake (when the browser accepts the secure Web server’s authenticating certificate) occurs before the HTTP request which identifies the correct name-based virtual host. In other words, authentication occurs before there is any identification of different name-based virtual hosts. If you want to use virtual hosts with your secure server, you will need to use IP address-based virtual hosts.
15.4. Adding Modules to Your Server

Since Apache 1.3 supports DSOs, you can easily load Apache modules or compile in your own modules to your Web server. DSO support means that modules may be loaded at runtime. Since the modules are only loaded as necessary, they will not use any memory unless they are loaded. The Apache Group provides complete DSO Documentation at http://httpd.apache.org/docs/dso.html.
Note that you will need to change the name of the module and the name of your shared object file as appropriate. At the end of the AddModule list in httpd.conf, add a line for the source code file for your module like the following:

AddModule mod_foo.c

Note that you will need to change the name of the source code file as appropriate. Once you have completed the previous steps, stop and start your Web server as outlined in Section 15.2.
15.5.1. The Secure Web Server Virtual Host

The default configuration of your Web server runs a non-secure and a secure server. Both servers use the same IP address and host name, but they listen on different ports, and the secure server is a virtual host. This configuration enables you to serve both secure and non-secure documents.
If you set up a virtual host and want it to listen on a non-default port, you will need to set up a virtual host for that port and add a Listen directive corresponding to that port. Then add the port number to the first line of the virtual host configuration as in the following example:

<VirtualHost ip_address_of_your_server:12331>

This line would create a virtual host that listens on port 12331. You must restart httpd to start a new virtual host. See Section 15.
Chapter 16. Email

Email is one of the most widely used services on the Internet. Red Hat Linux offers many ways for you to utilize email, whether you are a desktop user or a system administrator. This chapter looks at popular email protocols that are in use today and various programs designed to accomplish different types of tasks when dealing with email.

16.1. Protocols

Email, like other network services, uses a variety of protocols.
16.1.2. POP

The Post Office Protocol (POP) allows email clients to pull email off remote servers and save those messages on their local machine. Most POP email clients are automatically configured to delete the message on the email server after it has been successfully transferred to the client’s system, though this can usually be changed. To connect to a POP server, the email client opens a TCP connection to port 110 on the server.
SMTP also handles cases where email needs to be forwarded between systems, when the receiving system knows where to send the message. The protocol can verify that certain users are indeed served by a particular mail server (the VRFY command) or expand a mailing list (the EXPN command). Email can also be relayed between two SMTP servers, if both systems permit such activity. Unlike IMAP and POP, the SMTP protocol does not require authentication.
complicated. In addition, due to problems from spam, use of a particular MTA is usually restricted by the MTA’s own configuration or network access to the system running it. Many of the larger and more complex MUAs can also be used to send email. However, this action should not be confused with the actions of a true MTA.
16.3.2. Purpose and Limitations

It is important to be aware of what Sendmail is and what it can do for you as opposed to what it is not. In these days of monolithic applications that fulfill multiple roles, you might initially think that Sendmail is the only application you need to run an email server within your organization. Technically, this is true, as Sendmail can spool mail to your users’ directories and accepts new email via the command line.
@domain.com bob@otherdomain.com

Figure 16-1. virtusertable example

Then, to add this new information to the virtusertable.db file, execute makemap hash /etc/mail/virtusertable < /etc/mail/virtusertable as root. This will create a new virtusertable.db that contains the new configuration.

16.3.4. Common Sendmail Configuration Changes

Although a default sendmail.
# sendmail.cw - include all aliases for your machine
# here.
torgo.bigcorp.com
poodle.bigcorp.com
devel.bigcorp.com

Figure 16-2. Example settings for local-host-names

On the other machines, torgo, poodle, and devel, edit /etc/sendmail.cf to "masquerade" as mail.bigcorp.com when sending mail and to forward any local mail processing to bigcorp.com. Find the DH and DM lines in /etc/sendmail.
Because /etc/mail/access.db is a database, you need to use makemap to activate your changes by recreating the database map. This is easily done by running the makemap hash /etc/mail/access < /etc/mail/access command as root. This example shows that any email sent from badspammer.com would be blocked with a 550 RFC-821 compliant error code and message back to the spammer, except for email sent from the tux.badspammer.com sub-domain, which would be accepted.
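The precedence described above (a blocked domain with an accepted sub-domain) depends on how the access map is searched: the full host name is looked up first, then leading labels are stripped one at a time, so the most specific entry wins. The following Python model of that lookup is an added example, not part of the Reference Guide or of Sendmail itself. The access entries, the rejection text, and the host names are constructed for the example; only the badspammer.com / tux.badspammer.com relationship comes from the text above.

```python
from typing import Dict, Optional

# Constructed access-map entries modelled on the page's description (not the
# page's own file): refuse badspammer.com, but accept its tux sub-domain.
ACCESS: Dict[str, str] = {
    "badspammer.com": "550 We do not accept mail from spammers",
    "tux.badspammer.com": "OK",
}


def access_lookup(hostname: str, access: Dict[str, str] = ACCESS) -> Optional[str]:
    """Return the access-map action for a host, or None if no entry applies.

    Mirrors the domain lookup order: try the whole name, then drop the
    leftmost label and try again, so an explicit sub-domain entry takes
    precedence over an entry for its parent domain.
    """
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        key = ".".join(labels[i:])
        if key in access:
            return access[key]
    return None


def smtp_decision(sender_host: str) -> str:
    """Map an access-map action to the SMTP outcome the sending host sees."""
    action = access_lookup(sender_host)
    if action is None or action in ("OK", "RELAY"):
        return "accept"
    if action == "DISCARD":
        # Accepted on the wire, silently dropped afterwards.
        return "accept-and-discard"
    if action == "REJECT":
        # Generic rejection text is an assumption of this example.
        return "reject 550 Access denied"
    # A literal RFC 821 reply such as "550 ..." is returned as written.
    return "reject " + action


if __name__ == "__main__":
    for host in ("mail.badspammer.com", "tux.badspammer.com",
                 "relay.tux.badspammer.com", "mail.example.com"):
        print(f"{host:28s} {smtp_decision(host)}")
```

Any host under badspammer.com, at any depth, is refused unless it falls under tux.badspammer.com, which is exactly the behaviour the text describes; a host with no matching entry at all is accepted, which is why the default policy in the map itself matters.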
16.4. Fetchmail

Fetchmail is a program that can retrieve email from remote servers for on-demand TCP/IP connections. Many users appreciate the ability to separate the process of downloading their messages located on a remote server from the process of reading and organizing their email in an MUA.
set postmaster "user1"
set bouncemail
poll pop.domain.com proto pop3
    user 'user1' there with password 'secret' is user1 here
poll mail.domain2.com
    user 'user5' there with password 'secret2' is user1 here
    user 'user7' there with password 'secret3' is user1 here

Figure 16-6. Example of a basic .
methods that do not require a password, then methods that mask your password, and finally attempt to send your password in the clear to authenticate to the server.

• interval number — Tells Fetchmail to only poll this server every number of times that it checks for email on all configured servers. This option might be used with email servers where you rarely receive messages.
• port port-number — Overrides the default port number for a specified protocol.
16.4.2.1. Informational or Debugging Options

Certain options used after the fetchmail command can provide you with important information.

• --configdump — Displays every possible option based on information from .fetchmailrc and Fetchmail defaults. No email is retrieved for any users when using this option.
• — Executes Fetchmail in silent mode, preventing any messages, other than errors, from appearing after the fetchmail command.
a .procmailrc file in the user’s home directory to find rules specific to that user. Many users also create additional rc files of their own for Procmail that are referred to by their .procmailrc file but may be turned on or off quickly if a mail filtering problem develops. By default, no system-wide rc files exist in the /etc directory, and no user .procmailrc files exist. To begin using Procmail, you will need to construct a .
• MAILDIR — Sets the current working directory for Procmail. If set, all other Procmail paths are relative to this directory.
• ORGMAIL — Specifies the original mailbox, or another place to put the messages if they cannot be placed in the default or recipe-required location. By default, a value of /var/spool/mail/$LOGNAME is used.
• — Sets the amount of time, in seconds, that Procmail will pause if a necessary resource, such as swap space, is not available.
be performed. Conditions are checked based on the flags set in the recipe’s first line. Optional special characters placed after the * character can further control the condition. The action-to-perform specifies what is to happen to a message if it matches one of the conditions. There can only be one action per recipe. In many cases, the name of a mailbox is used here to direct matching messages into that file, effectively sorting the email.
If you would like to ignore "Program failure" messages when deciding whether a filter or action succeeded, use the W option instead. Additional flags can be found in the procmailrc man page.

16.5.2.3. Specifying a Local Lockfile

Lockfiles are very useful with Procmail to ensure that more than one process does not try to alter a certain message at the same time. You can specify a local lockfile by placing a colon (:) after any flags on a recipe’s first line.
:0:
new-mail.spool

Figure 16-10. Example with no conditions

The first line starts the recipe by specifying that a local lockfile is to be created but does not specify a name, leaving Procmail to use the destination filename and the LOCKEXT to name it. No condition is specified, so every message will match this recipe and, therefore, will be placed in the single spool file called new-mail.spool, located within the directory specified by the MAILDIR environment variable.
SPAM=junk

:0:
* To??^$
$SPAM

:0:
* ^(To|CC):.*,.*,.*,.*,.*,.*,.*,.*,.*,.*,.*,
$SPAM

:0:
* ^Message-Id:.*<[^@]*>
$SPAM

Figure 16-13. Example of a basic spam filter

In this example, the junk mailbox is associated with the SPAM variable, so that you can change the mailbox that holds your spam in one place. Then, three recipes look for messages to send to the junk mailbox. The first recipe looks for messages that have no recipient in the To line.
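To see what the three recipes above actually select, the following Python program applies the same three conditions to parsed messages and reports which recipe fires. It is an added example, not part of the Reference Guide or of Procmail; the sample messages are constructed here, and the rule names ("no-recipient", "many-recipients", "bad-message-id") are labels chosen for this example.

```python
import email
import re
from email.message import Message

# Constructed sample messages (not from the original page): one legitimate
# message and one message that triggers each recipe of the page's filter.
SAMPLE_CLEAN = (
    "From: alice@example.com\n"
    "To: bob@example.com\n"
    "Message-Id: <20020711.1234@mail.example.com>\n"
    "Subject: lunch\n\n"
    "Noon?\n"
)
SAMPLE_NO_RECIPIENT = (
    "From: promo@example.net\n"
    "Message-Id: <1@relay.example.net>\n"
    "Subject: great offer\n\n"
    "Buy now.\n"
)
SAMPLE_MANY_RECIPIENTS = (
    "From: promo@example.net\n"
    "To: " + ", ".join(f"user{i}@example.com" for i in range(12)) + "\n"
    "Message-Id: <2@relay.example.net>\n"
    "Subject: great offer\n\n"
    "Buy now.\n"
)
SAMPLE_BAD_MESSAGE_ID = (
    "From: promo@example.net\n"
    "To: bob@example.com\n"
    "Message-Id: <forged>\n"
    "Subject: great offer\n\n"
    "Buy now.\n"
)

SPAM = "junk"    # the mailbox the page's SPAM variable points at
INBOX = "inbox"

# Recipe 2 repeats ".*," eleven times, so it needs at least eleven commas
# (twelve or more recipients) on a To: or CC: header.
MAX_COMMAS = 10


def matched_rule(raw: str):
    """Return the name of the first recipe the message matches, or None."""
    msg: Message = email.message_from_string(raw)

    # Recipe 1: * To??^$ -- no recipient in the To line (absent or empty).
    if not (msg.get("To") or "").strip():
        return "no-recipient"

    # Recipe 2: * ^(To|CC):.*,.*,... -- a long recipient list.  The parser
    # unfolds continuation lines, so a folded header is counted as a whole.
    for header in ("To", "CC"):
        if (msg.get(header) or "").count(",") > MAX_COMMAS:
            return "many-recipients"

    # Recipe 3: * ^Message-Id:.*<[^@]*> -- an angle-bracketed id with no @.
    # A missing Message-Id header does not match, exactly as in Procmail.
    if re.search(r"<[^@]*>", msg.get("Message-Id") or ""):
        return "bad-message-id"

    return None


def deliver(raw: str) -> str:
    """Mailbox the message would land in: the SPAM mailbox or the inbox."""
    return SPAM if matched_rule(raw) else INBOX


if __name__ == "__main__":
    for name, raw in [("clean", SAMPLE_CLEAN), ("no-to", SAMPLE_NO_RECIPIENT),
                      ("many", SAMPLE_MANY_RECIPIENTS), ("bad-id", SAMPLE_BAD_MESSAGE_ID)]:
        print(f"{name:8s} -> {deliver(raw):6s} ({matched_rule(raw)})")
```

Running it shows the trade-off behind each recipe: the first recipe also catches legitimate Bcc-only mail (mailing lists often arrive with no To header), and the second treats any twelve-recipient message as spam, so in practice these conditions are tuned or combined rather than used alone.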
Authority (CA) for an SSL certificate, or you can create a self-signed certificate to provide the benefit of the SSL encrypted communication. To create a self-signed SSL certificate, change to the /usr/share/ssl/certs/ directory, type the make stunnel.pem command, and answer the questions. Then, use stunnel to start the mail daemon that you wish to use.
• procmail — Provides an overview of how Procmail works and the steps involved with filtering email.
• procmailrc — Explains the rc file format used to construct recipes.
• procmailex — Gives a number of useful, real-world examples of Procmail recipes.
• procmailsc — Explains the weighted scoring technique used by Procmail to see if a particular recipe matches a certain message.

16.7.2. Useful Websites

• http://www.redhat.com/mirrors/LDP/HOWTO/Mail-Administrator-HOWTO.
Chapter 17. Berkeley Internet Name Domain (BIND)

Today, the Internet and almost all local networks depend upon a working and reliable Domain Name Service (DNS), which is used to resolve names of systems into IP addresses and vice versa. In order to facilitate DNS on your network, a nameserver is required to translate these names into the IP addresses necessary to make the connection. In addition, a nameserver can translate IP addresses back into a system’s name, commonly called a reverse lookup.
Except for the hostname, every section is called a zone, which defines a particular namespace. A namespace controls the naming of the sub-domains to its left. While this example only contains two sub-domains, a FQDN must contain at least one sub-domain but may include many more, depending upon the namespace organization in use.
Warning

Do not manually edit the /etc/named.conf file or any files in the /var/named/ directory if you are using the BIND Configuration Tool. Any manual changes to those files will be overwritten the next time the BIND Configuration Tool is used.

The /etc/named.conf file must be free of errors in order for named to start.
When utilized with other /etc/named.conf statements and their options, acl statements can be very useful in ensuring the proper use of your BIND nameserver. Consider the example in Figure 17-3.

acl black-hats {
    10.0.2.0/24;
    192.168.0.0/24;
};
acl red-hats {
    10.0.1.0/24;
};
options {
    blackhole { black-hats; };
    allow-query { red-hats; };
    allow-recursion { red-hats; };
};

Figure 17-3. Example of acl statements in use

This named.
• allow-query — Specifies which hosts are allowed to query this nameserver. By default, all hosts are allowed to query.
• allow-recursion — Similar to allow-query, except it applies to recursive queries. By default
• directory — Changes the named working directory to something other than the default, /var/named.
• forward — Controls how forwarding occurs, if the forwarders option contains valid IP addresses.
answer regarding a particular zone while other hosts receive totally different information. Alternatively, certain zones may only be made available to particular trusted hosts while non-trusted hosts can only make queries for other zones. Multiple views may be used, so long as their names are unique. The match-clients option specifies the IP addresses that apply to a particular view.
17.2.1.1. Sample Zone Statements

Most changes to the /etc/named.conf file of a master or slave nameserver concern adding, modifying, or deleting zone statements. While these zone statements can contain many options, most nameservers use few of them. The following zone statements are very basic examples that may be used in a master-slave nameserver relationship. A zone statement on a primary nameserver hosting the domain domain.
17.2.2.1. Zone File Directives

Directives are identified by the leading $ character before the name of the directive and are usually placed at the top of the zone file. The following directives are the most commonly used:

• — Tells named to include another zone file in this zone file at the place where the directive is used. This allows additional zone settings to be stored apart from the main zone file.
        IN A 10.0.1.3
server1 IN A 10.0.1.5

Figure 17-8. Example A records

Requests for domain.com are pointed to 10.0.1.3, while requests for server1.domain.com are pointed to 10.0.1.5.

• CNAME — Canonical name record, which tells the nameserver that one name is also known as another.

<alias-name> IN CNAME <real-name>

Figure 17-9.
IN NS dns1.domain.com.
IN NS dns2.domain.com.

Figure 17-14. Example NS records

• PTR — PoinTeR record, designed to point to another part of the namespace. PTR records are primarily used for reverse name resolution, as they point IP addresses back to a particular name. See Section 17.2.2.4 for more examples of PTR records in use.
Seconds     Other Time Units
259200      3D
604800      1W
31536000    365D

Table 17-1. Seconds compared to other time units

The following example demonstrates how a basic SOA resource record might look.

@ IN SOA dns1.domain.com. hostmaster.domain.com. (
        2001062501 ; serial
        21600      ; refresh after 6 hours
        3600       ; retry after 1 hour
        604800     ; expire after 1 week
        86400 )    ; minimum TTL of 1 day

Figure 17-16. Example SOA records

17.2.2.3.
In this example, standard directives and SOA values are used. The authoritative nameservers are set to be dns1.domain.com and dns2.domain.com, which have A records that tie them to 10.0.1.2 and 10.0.1.3, respectively. The email servers configured with the MX records point to server1 and server2 via CNAME records. Since the server1 and server2 names do not end in a trailing dot (.), the $ORIGIN domain is placed after them, expanding them to server1.
zone "1.0.10.in-addr.arpa" IN {
    type master;
    file "domain.com.rr.zone";
    allow-update { none; };
};

Figure 17-20. An example of a reverse resolution zone statement

There is very little difference between this example and a standard zone statement, except for how the zone is named. Note that a reverse name resolution zone requires the first three blocks of the IP address to be reversed and ".in-addr.arpa" to be included after them.
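The naming rule just stated (reverse the network octets, append ".in-addr.arpa") is easy to get wrong by hand, and a PTR target written without its trailing dot silently picks up the zone's $ORIGIN, as the A/CNAME discussion earlier in this chapter notes. The following Python helpers are an added example, not part of the Reference Guide or of BIND: they derive the reverse zone name for any /8, /16 or /24 network, emit the relative PTR owner names, reject addresses that do not belong to the zone, and print a zone statement in the layout of Figure 17-20. The host list in the demonstration is constructed here; the zone file name domain.com.rr.zone is the one the figure uses.

```python
import ipaddress
from typing import Dict, List


def reverse_zone_name(network: str) -> str:
    """in-addr.arpa zone name for an IPv4 network on an octet boundary."""
    net = ipaddress.ip_network(network, strict=True)
    if net.version != 4 or net.prefixlen % 8 != 0:
        # Classless (non-octet) reverse delegation uses a different zone
        # layout that this chapter does not cover, so refuse instead of guessing.
        raise ValueError(f"{network}: need an IPv4 /8, /16 or /24 network")
    octets = str(net.network_address).split(".")
    kept = octets[: net.prefixlen // 8]          # "the first three blocks" for a /24
    return ".".join(reversed(kept)) + ".in-addr.arpa"


def ptr_owner_name(address: str) -> str:
    """Fully qualified owner name of the PTR record for one address."""
    return ipaddress.ip_address(address).reverse_pointer


def ptr_records(network: str, hosts: Dict[str, str]) -> List[str]:
    """Zone-file PTR lines, relative to the zone's $ORIGIN, for each host.

    Rejects addresses outside the zone and targets without a trailing dot,
    because an unqualified target would have the $ORIGIN appended to it.
    """
    net = ipaddress.ip_network(network, strict=True)
    zone = reverse_zone_name(network)
    lines = []
    for address, hostname in sorted(hosts.items(),
                                    key=lambda kv: ipaddress.ip_address(kv[0])):
        addr = ipaddress.ip_address(address)
        if addr not in net:
            raise ValueError(f"{address} is not inside {network}")
        if not hostname.endswith("."):
            raise ValueError(f"{hostname}: PTR target must end with a dot")
        owner = ptr_owner_name(address)
        relative = owner[: -(len(zone) + 1)]      # strip ".<zone>" -> "5" in a /24
        lines.append(f"{relative} IN PTR {hostname}")
    return lines


def zone_statement(network: str, zone_file: str) -> str:
    """named.conf master zone statement in the layout of Figure 17-20."""
    return (
        f'zone "{reverse_zone_name(network)}" IN {{\n'
        f"    type master;\n"
        f'    file "{zone_file}";\n'
        f"    allow-update {{ none; }};\n"
        f"}};"
    )


if __name__ == "__main__":
    print(zone_statement("10.0.1.0/24", "domain.com.rr.zone"))
    # Constructed host list for the demonstration (not from the page).
    for line in ptr_records("10.0.1.0/24", {"10.0.1.2": "dns1.domain.com.",
                                            "10.0.1.3": "dns2.domain.com."}):
        print(line)
```

The same functions work for a /16 (zone 0.10.in-addr.arpa, owner names such as 5.1), which is where hand-written reverse zones most often go wrong.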
key "<key-name>" {
    algorithm hmac-md5;
    secret "<key-value>";
};

Figure 17-22. Sample key statement in /etc/named.conf

In this case, the <key-value> is a HMAC-MD5 key. You can generate your own HMAC-MD5 keys with the following command:

dnssec-keygen -a hmac-md5 -b <bit-length> -n HOST <key-file-name>

A key with at least a 256-bit length is a good idea.
If the command was not successful, carefully go over the /etc/named.conf and /etc/rndc.conf files and look for errors.

Caution

You should make sure that unprivileged users cannot read or write the /etc/rndc.conf file.

17.3.2. Command Line Options

An rndc command takes the following form:

rndc <options> <command> <command-options>

Figure 17-26.
17.4. BIND Advanced Features

Most BIND implementations only use named to provide name resolution services or to act as an authority for a particular domain or sub-domain. However, BIND version 9 has a number of advanced features that, when properly configured and utilized, allow for a more secure and efficient DNS service.
• TSIG — Short for Transaction SIGnatures, a shared secret key exists on the master and slave server, verifying that a transfer from master to slave is authorized. This feature strengthens the standard IP address-based method of transfer authorization. An attacker would not only need to have access to the IP address to transfer the zone, but they would also need to know the secret key.
Chapter 18. Network File System (NFS)

NFS (Network File System) exists to allow remote hosts to mount partitions on a particular system and use them as though they were local filesystems. This allows files to be organized in a central location, while providing the functionality of allowing authorized users continuous access to them. Two versions of NFS are currently in use. NFS version 2, which has been around for several years, is widely supported by various operating systems.
to the /etc/exports file to uncover that host’s privileges for the various mounts available. After granting access, any file and directory operations are sent to the server using remote procedure calls.

Warning

NFS mount privileges are granted specifically to a host, not a user. If you grant a host access to a particular part of your hard drive with NFS, users of that machine will have access to your shared data.
100003  3  udp  2049  nfs
100021  1  udp  1028  nlockmgr
100021  3  udp  1028  nlockmgr
100021  4  udp  1028  nlockmgr
[root@bleach /]#

The -p option probes the portmapper on the specified host or defaults to localhost if no specific host is listed. Other options are available from the rpcinfo man page. From the output above, various NFS services can be seen running.
18.2.1. /etc/exports

The /etc/exports file is the standard for controlling which filesystems are exported to which hosts, as well as specifying particular options that control everything. Blank lines are ignored, comments can be made using #, and long lines can be wrapped with a backslash (\). Each exported filesystem should be on its own line. Lists of authorized hosts placed after an exported filesystem must be separated by space characters.
However, be careful when using wildcards with fully qualified domain names, as they tend to be more exact than you would expect. For example, the use of *.domain.com as a wildcard will allow sales.domain.com to access the exported filesystem, but not bob.sales.domain.com. To match both possibilities, as well as sam.corp.domain.com, you would have to provide *.domain.com *.*.domain.com.
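Because an overly narrow or overly broad host list is an access-control decision, it is worth checking an /etc/exports line against the exact hosts it should and should not admit before exporting. The Python matcher below is an added example, not part of the Reference Guide or of nfs-utils: it implements the wildcard behaviour described above, in which * and ? never match a dot, and checks a whole exports line against a host name. It is not the server's own code, and the sample exports lines in the test are constructed.

```python
import re
from typing import Pattern


def exports_pattern_to_regex(pattern: str) -> Pattern[str]:
    """Translate an /etc/exports host pattern into a compiled regex.

    * and ? stand for any run / any single character except a dot, which is
    the behaviour the text describes: *.domain.com admits sales.domain.com
    but not bob.sales.domain.com.  Every other character matches literally.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(r"[^.]*")
        elif ch == "?":
            parts.append(r"[^.]")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)


def host_matches(pattern: str, host: str) -> bool:
    """True if the host name (trailing dot ignored) matches one pattern."""
    return exports_pattern_to_regex(pattern).fullmatch(host.rstrip(".")) is not None


def hosts_allowed(export_line: str, host: str) -> bool:
    """True if any host entry on an /etc/exports line admits `host`.

    Entries look like host(options); the options are ignored here, and a
    line with no host list admits nobody.
    """
    fields = export_line.split(None, 1)
    if len(fields) < 2:
        return False
    for entry in fields[1].split():
        pattern = entry.split("(", 1)[0]
        if pattern and host_matches(pattern, host):
            return True
    return False


if __name__ == "__main__":
    # Constructed exports line (not from the page) and the hosts from the text.
    line = "/home *.domain.com(rw) *.*.domain.com(ro)"
    for host in ("sales.domain.com", "bob.sales.domain.com",
                 "sam.corp.domain.com", "domain.com", "evil.example.net"):
        print(f"{host:24s} allowed={hosts_allowed(line, host)}")
```

Note that later nfs-utils releases changed this rule so that wildcards do match dots; check the exports(5) man page on the system you are configuring, since the difference decides whether every sub-domain of domain.com is admitted.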
The <options> area specifies how the filesystem is to be mounted. For example, if the options area states rw,suid on a particular mount, the exported filesystem will be mounted read-write and the user and group ID set by the server will be used. Note that parentheses are not to be used here. For more mount options, see Section 18.3.3.

18.3.2.
This line states that any directory a user tries to access under the local /home directory (due to the asterisk character) should result in an NFS mount on the server.domain.com system within its exported /home filesystem. The mount options specify that each /home directory NFS mount should use a particular collection of settings. For more information on mount options, including the ones used in this example, see Section 18.3.3.

18.3.3.
18.4.1. Host Access
NFS controls who can mount an exported filesystem based on the host making the mount request, not the user that will utilize the filesystem. Hosts must be given explicit rights to mount the exported filesystem. Access control is not possible for users, other than file and directory permissions. In other words, when you export a filesystem via NFS to a remote host, you are not only trusting the host you are allowing to mount the filesystem.
• fstab — Gives details for the format of the /etc/fstab file used to mount filesystems at system boot.
• nfs — Provides detail on NFS-specific filesystem export and mount options.
• exports — Shows common options used in the /etc/exports file when exporting NFS filesystems.

18.5.2.
Chapter 19. Lightweight Directory Access Protocol (LDAP) 19.1. What is LDAP? LDAP (Lightweight Directory Access Protocol) is a proposed open standard for accessing global or local directory services over a network and/or the Internet. A directory, in this sense, is very much like a phone book. LDAP can handle other information, but at present it is typically used to associate names with phone numbers and email addresses.
19.3. Uses for LDAP
Several Netscape applications, including web browsers using the Netscape Roaming Access feature, are LDAP-enabled. Sendmail can use LDAP to look up addresses. Evolution has LDAP support. Your organization can use LDAP as an organization-wide directory and/or name service (in place of NIS or flat files). You can even use a personal LDAP server to keep track of your own email address book (see Section 19.11).
An entry can contain as many <attrtype>: <attrvalue> pairs as needed. A blank line indicates that the entry is finished and that another entry is about to begin.

Caution: Your <attrtype> and <attrvalue> pairs must be defined in a schema before they can be used. You cannot simply define them in an LDIF file and expect an LDAP server without corresponding definitions in its schema files to be able to use this information.
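As an added example (not code from the Red Hat guide or from OpenLDAP), the parser below reads LDIF entries with the rules just described, attrtype: attrvalue lines terminated by a blank line, and then checks every attribute type against a schema before the data would be offered to a server. It also handles two LDIF details from RFC 2849 that the text does not mention: a line beginning with a space continues the previous line, and a double colon introduces a base64-encoded value. The schema set and the sample LDIF are constructed for this example; the schema is a stand-in for the real schema files, not the OpenLDAP schema itself.

```python
"""Parse LDIF entries and check each attribute type against a schema.

Added example, not from the Red Hat guide or OpenLDAP. Uses the LDIF rules
the text states (attrtype: attrvalue lines, blank line ends an entry) plus
two from RFC 2849: a line starting with a space continues the previous
line, and '::' introduces a base64 value. KNOWN_ATTRIBUTES is a constructed
stand-in for the server's schema files, NOT the real OpenLDAP schema.
"""
import base64

# Constructed schema: attribute types the (hypothetical) server knows about.
KNOWN_ATTRIBUTES = {
    'dn', 'objectclass', 'dc', 'o', 'ou', 'cn', 'sn', 'mail',
    'description', 'telephonenumber', 'userpassword',
}

SAMPLE_LDIF = """\
# constructed sample LDIF
dn: dc=acmeuniversity, dc=edu
objectClass: dcObject
objectClass: organization
dc: acmeuniversity
o: Acme University

dn: cn=Bob Smith, ou=People, dc=acmeuniversity, dc=edu
objectClass: person
cn: Bob Smith
sn: Smith
mail: bob@acmeuniversity.edu
description:: QWNtZSBhZG1pbg==
telephoneNumber: +1 919
  754 3700
favoriteColor: blue
"""

def unfold(text):
    """Drop comment lines and join folded continuation lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith('#'):
            continue
        if raw.startswith(' ') and lines:      # RFC 2849 folding: strip one space
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_ldif(text):
    """Return a list of entries; each entry is a list of (attrtype, value)."""
    entries, current = [], []
    for line in unfold(text):
        if line.strip() == '':                 # blank line ends the entry
            if current:
                entries.append(current)
                current = []
            continue
        if ':' not in line:
            raise ValueError('not an attrtype: attrvalue line: %r' % line)
        attrtype, rest = line.split(':', 1)
        if rest.startswith(':'):               # '::' means base64-encoded value
            value = base64.b64decode(rest[1:].strip()).decode('utf-8')
        else:
            value = rest.strip()
        current.append((attrtype.strip(), value))
    if current:
        entries.append(current)
    return entries

def unknown_attributes(entries, schema=KNOWN_ATTRIBUTES):
    """Return (dn, attrtype) pairs whose attribute type the schema lacks."""
    problems = []
    for entry in entries:
        dn = next((v for t, v in entry if t.lower() == 'dn'), '<no dn>')
        for attrtype, _ in entry:
            if attrtype.lower() not in schema:   # attribute names are case-insensitive
                problems.append((dn, attrtype))
    return problems

if __name__ == '__main__':
    for dn, attr in unknown_attributes(parse_ldif(SAMPLE_LDIF)):
        print('%s: attribute %r is not defined in the schema' % (dn, attr))
```

Checking the LDIF locally before running ldapadd gives a clearer error than the server's rejection of the whole entry, and the same check can be pointed at a locally extended schema by adding its attribute types to the set.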
or suffix "dc=acmeuniversity, dc=edu"
The rootdn entry is the DN of a user who is not restricted by the access control or administrative limit parameters set for operations on the LDAP directory. The rootdn user can be thought of as the root user for the LDAP directory, so its password (rootpw) should be stored as a hashed value generated with slappasswd rather than in cleartext.
Caution: You should not modify any of the schema items defined in the schema files installed by OpenLDAP. You can extend the schema used by OpenLDAP to support additional attribute types and object classes, using the default schema files as a guide. To do this, create a local.schema file in the /etc/openldap/schema directory. Reference this new schema within slapd.
• slapindex — Reindexes the slapd database based on the actual current database content. Execute /usr/sbin/slapindex to begin reindexing.
• slappasswd — Generates a user password value for use with ldapmodify or for the rootpw value in /etc/openldap/slapd.conf. Execute /usr/sbin/slappasswd to create the password.

Warning: Be sure to stop slapd before using slapadd, slapcat or slapindex.
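The password value slappasswd produces by default uses the {SSHA} scheme: the base64 encoding of SHA-1(password || salt) followed by the salt. The block below is an added example (not the guide's or OpenLDAP's code) that builds and verifies such a value, and then checks a slapd.conf text for the mistake the rootdn discussion above warns against, a rootpw stored in cleartext. The slapd.conf fragment and the function names are constructed for this example.

```python
"""Generate and verify {SSHA} password values as slappasswd does.

Added example, not code from the Red Hat guide or OpenLDAP. {SSHA} is the
default slappasswd scheme: base64(SHA-1(password || salt) || salt). The
slapd.conf fragment below is constructed for the rootpw check.
"""
import base64
import hashlib
import hmac
import os

def ssha_hash(password, salt=None):
    """Return a '{SSHA}...' value for password (bytes); salt defaults to 4 random bytes."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password + salt).digest()
    return '{SSHA}' + base64.b64encode(digest + salt).decode('ascii')

def ssha_verify(password, stored):
    """True if password matches a stored '{SSHA}' value (constant-time compare)."""
    prefix = '{SSHA}'
    if not stored.startswith(prefix):
        raise ValueError('not an {SSHA} value')
    raw = base64.b64decode(stored[len(prefix):])
    digest, salt = raw[:20], raw[20:]            # SHA-1 digests are 20 bytes, rest is salt
    return hmac.compare_digest(hashlib.sha1(password + salt).digest(), digest)

# Constructed slapd.conf fragment storing rootpw in cleartext (the weak form).
SLAPD_CONF_CLEARTEXT = """\
suffix "dc=acmeuniversity, dc=edu"
rootdn "cn=Manager, dc=acmeuniversity, dc=edu"
rootpw secret
"""

def rootpw_value(conf_text):
    """Return the rootpw value from a slapd.conf text, or None if there is none."""
    for line in conf_text.splitlines():
        fields = line.split(None, 1)
        if len(fields) == 2 and fields[0] == 'rootpw':
            return fields[1].strip()
    return None

def rootpw_is_hashed(conf_text):
    """True when rootpw carries a {SCHEME} prefix rather than a cleartext value."""
    value = rootpw_value(conf_text)
    return value is not None and value.startswith('{')

if __name__ == '__main__':
    hashed = ssha_hash(b'secret')
    print('rootpw', hashed)
    print('cleartext config hashed?', rootpw_is_hashed(SLAPD_CONF_CLEARTEXT))
    print('hashed config hashed?', rootpw_is_hashed('rootpw ' + hashed + '\n'))
```

The hashed value is what goes on the rootpw line; a configuration that fails rootpw_is_hashed exposes the directory's root password to anyone who can read slapd.conf.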
4. Create your LDAP directory. Examples of LDAP entries are provided at the PADL Software website: http://www.padl.com/ldap_examples.html
5. Add entries to your LDAP directory with ldapadd.
6. Use ldapsearch to see if slapd is working.
7. At this point, your LDAP directory should exist. You can now configure your LDAP-enabled applications to use the LDAP directory.

19.10.
19.10.2.4. PAM and LDAP
To have standard PAM-enabled applications use LDAP for authentication, run authconfig and select Use LDAP. (PAM is beyond the scope of this LDAP overview; if you need help, consult Chapter 8 and the PAM man pages.)

19.10.3.
DAP website and the LDAP HOWTO, before configuring LDAP on your system.

19.11.1. Installed Documentation
• The ldap man page is a good place to get started for an introduction to LDAP. Man pages also exist for the various LDAP daemons and utilities; check them if you need more information on ldapmodify, ldapsearch, and the like.
• /usr/share/docs/openldap-versionnumber — miscellaneous information.
Appendixes
Appendix A. General Parameters and Modules
This appendix is provided to illustrate some of the parameters that may be needed by certain drivers for particular hardware devices. In most cases these additional parameters are unnecessary, since the kernel may already be able to use the device without them.
Note: Use only one method, not both, when loading a module with particular parameters.

Caution: When a parameter has commas, do not put a space after a comma.

A.2. CD-ROM Module Parameters

Note: Not all of the CD-ROM drives listed are supported. Check the Hardware Compatibility List on Red Hat's website at http://hardware.redhat.com to make sure your CD-ROM drive is supported.
Hardware                                               Module     Parameters
ISP16, MAD16, or Mozart sound card CD-ROM interface    isp16.o    isp16=io_port,IRQ,dma,drive_type
(OPTi 82C928 and OPTi 82C929) with Sanyo/Panasonic,               OR isp16_cdrom_base=io_port isp16_cdrom_irq=IRQ
Sony, or Mitsumi drives                                           isp16_cdrom_dma=dma isp16_cdrom_type=drive_type
Mitsumi CD-ROM, Standard                               mcd.o      mcd=io_port,IRQ
Mitsumi CD-ROM, Experimental                           mcdx.
Note: Most newer Sound Blaster cards come with IDE interfaces. For these cards, you do not need to use sbpcd parameters; use only hdX parameters.

A.3. SCSI parameters

Hardware                                               Module       Parameters
Adaptec 28xx, R9xx, 39xx                               aic7xxx.o
3ware Storage Controller                               3w-xxxx.o
NCR53c810/820/720, NCR53c700/710/700-66                53c7,8xx.o
AM53/79C974 (PC-SCSI) Driver                           AM53C974.o
Most Buslogic (now Mylex) cards with "BT" part number  BusLogic.
Hardware                                               Module       Parameters
ACARD ATP870U PCI SCSI Controller                      atp870u.o
Compaq Smart Array 5300 Controller                     cciss.o
Compaq Smart/2 RAID Controller                         cpqarray.o
Compaq FibreChannel Controller                         cpqfc.o
Domex DMX3191D                                         dmx3191d.o
Data Technology Corp DTC3180/3280                      dtc.o
DTP SCSI host adapters (EATA/DMA) PM2011B/9X ISA,      eata.
PM2021A/9X ISA, PM2012A, PM2012B, PM2022A/9X EISA,
PM2122A/9X, PM2322A/9X, SmartRAID PM3021, PM3222,
PM3224
Hardware                                               Module       Parameters
NCR SCSI controllers with 810/810A/815/825/825A/       ncr53c8xx.o  ncr53c8xx=option1:value1,option2:value2,...
860/875/876/895 chipsets                                            OR ncr53c8xx="option1:value1 option2:value2..."
Pro Audio Spectrum/Studio 16                           pas16.o
PCI-2000 IntelliCache                                  pci2000.o
PCI-2220I EIDE RAID                                    pci2220i.o
IOMEGA PPA3 parallel port SCSI host adapter            ppa.o
Perceptive Solutions PSI-240I EIDE                     psi240i.o
Qlogic 1280                                            qla1280.o
Qlogic 2x00                                            qla2x00.
Configuration                                          Example
Future Domain TMC-800 at CA000, IRQ 10                 controller_type=2 base_address=0xca000 irq=10

Table A-4. SCSI Parameters Configuration Examples

A.4. Ethernet Parameters

Hardware                                               Module       Parameters
3Com 3c501                                             3c501.o      3c501=io_port,IRQ
3Com 3c503 and 3c503/16                                3c503.o      3c503=io_port,IRQ
                                                                    OR 3c503 io=io_port_1,io_port_n irq=IRQ_1,IRQ_n
3Com EtherLink Plus (3c505)                            3c505.
Hardware                                               Module       Parameters
Crystal Semiconductor CS89[02]0                        cs89x0.o
EtherWORKS DE425 TP/COAX EISA, DE434 TP PCI,           de4x5.o      de4x5=io_port
DE435/450 TP/COAX/AUI PCI, DE500 10/100 PCI,                        OR de4x5 io=io_port
Kingston, LinkSys, SMC8432, SMC9332, Znyx31[45],                    de4x5 args='ethX[fdx] autosense=MEDIA_STRING'
and Znyx346 10/100 cards with DC21040 (no SROM),
DC21041[A], DC21140[A], DC21142, DC21143 chipsets
D-Link DE-600 Ethernet Pocket Adapter                  de600.
Hardware                                               Module       Parameters
Intel EtherExpress 16 (i82586)                         eexpress.o   eexpress=io_port,IRQ
                                                                    OR eexpress io=io_port irq=IRQ options=
                                                                      0x10  10baseT half duplex
                                                                      0x20  10baseT full duplex
                                                                      0x100 100baseT half duplex
                                                                      0x200 100baseT full duplex
SMC EtherPower II 9432 PCI (83c170/175 EPIC series)    epic100.o
Racal-Interlan ES3210 EISA                             es3210.o
ICL EtherTeam 16i/32 EISA                              eth16i.
Hardware                                               Module         Parameters
MiCom-Interlan NI5010                                  ni5010.o
NI5210 card (i82586 Ethernet chip)                     ni52.o
NI6510 Ethernet                                        ni65.o
IBM Olympic-based PCI token ring                       olympic.o
AMD PCnet32 and AMD PCnetPCI                           pcnet32.o
SIS 900/701G PCI Fast Ethernet                         sis900.o
SysKonnect SK-98XX Gigabit                             sk98lin.o
SMC Ultra and SMC EtherEZ ISA ethercard (8K, 83c790)   smc-ultra.o
SMC Ultra32 EISA Ethernet card (32K)                   smc-ultra32.o
Sun BigMac Ethernet                                    sunbmac.
Hardware                                               Module         Parameters
WD8003 and WD8013-compatible Ethernet cards            wd.o           wd=io_port,IRQ,mem,mem_end
                                                                      OR wd io=io_port irq=IRQ mem=mem mem_end=end
Compex RL100ATX-PCI                                    winbond.o
Packet Engines Yellowfin                               yellowfin.o

Table A-5.
Index Symbols .fetchmailrc, 209 global options, 210 server options, 210 user options, 211 .procmailrc, 213 /dev directory, 18 /etc directory, 18 /etc/exports, 242 /etc/fstab, 90, 243 adding partitions to, 89 /etc/hosts.allow, 121 /etc/hosts.deny, 121 /etc/lilo.conf, settings in, 56 /etc/named.conf, 223 /etc/pam.conf, 113 /etc/pam.
pci, 35 process directories, 37 scsi directory, 43 self directory, 39 slabinfo, 36 stat, 36 swaps, 36 sys directory, 44 controlling with sysctl, 52 dev directory, 45 fs directory, 46 kernel directory, 47 net directory, 48 vm directory, 50 sysvipc directory, 51 tty directory, 51 uptime, 37 version, 37 viewing files, 23 /proc directory, 19 /proc file system, 23 /sbin directory, 19 /usr directory, 19 /usr/local directory, 20, 21 /var directory, 20 /var/lib/rpm directory, 21 /var/named/, 227 /var/spool/up2
boot process, 55 chain loading, 78 direct loading, 78 init, 58 x86, 55 booting single-user mode GRUB, 61 LILO, 61 BrowserMatch Apache configuration directive, 193 C cache directives for Apache, 195 CacheNegotiatedDocs Apache configuration directive, 187 CD-ROM module parameters, 262 CGI scripts allowing execution outside cgi-bin, 184 outside the ScriptAlias, 192 chkconfig, 74 ClearModuleList Apache configuration directive, 183 common logfile format, 188 configuration Apache, 179 SSL, 196 virtual hosts
document, x copying and pasting text when using X, xiii CustomLog Apache configuration directive, 188 D default modules, 177 DefaultIcon Apache configuration directive, 191 DefaultType Apache configuration directive, 187 Deny Apache configuration directive, 186 desktop environments, 105 (See Also XFree86) devices, local ownership of, 118 (See Also PAM) directories /dev, 18 /etc, 18 /lib, 18 /mnt, 18 /opt, 18 /proc, 19, 23 (See Also /proc file system) /sbin, 19 /usr, 19 /usr/local, 20, 21 /var, 20 Dire
reverting from ext3, 90 ext3, 87, 89, 89 (See Also mkfs) converting from ext2, 90 creating, 88 features, 87 hierarchy, 17 labeling (See e2label) organization, 18 standard, 18 structure, 17 virtual (See /proc file system) formating disk drives (See mkfs) FrontPage, 177 H halt, 74 HeaderName Apache configuration directive, 191 hierarchy, file system, 17 HostnameLookups Apache configuration directive, 187 http put, 193 httpd.
K KeepAlive Apache configuration directive, 181 KeepAliveTimeout Apache configuration directive, 181 Kerberos, 139 additional resources, 145 installed documentation, 145 useful websites, 145 advantages of, 139 and PAM, 142 disadvantages of, 139 how it works, 141 kerberize, 139 Key Distribution Center (KDC), 141 setting up clients, 144 setting up server, 142 terminology, 140 Ticket Granting Service(TGS), 141 Ticket Granting Ticket (TGT), 141 kernel, 261 drivers, 261 L labeling disk partitions (See e2la
N P NameVirtualHost Apache configuration directive, 195 Netscape Navigator publish feature, 193 network configuration, 161 control scripts, 165 functions, 166 interfaces, 161 alias, 164 clone, 164 dialup, 162 Ethernet, 161 scripts, 161 Network File System (See NFS) NFS, 239 additional resources, 246 installed documentation, 246 related books, 247 client /etc/fstab, 243 autofs, 244 configuration, 243 mount options, 245 methodology, 239 portmap, 240 security, 245 file permissions, 246 host access, 246
running at boot time, 74 proxy server, 195, 195 ProxyRequests Apache configuration directive, 195 ProxyVia Apache configuration directive, 195 public_html directories, 186 R rc.
shutdown, 74 system request key enabling, 45 SysV init, 60 directories used by, 60 runlevels used by, 73 T TCP wrappers, 121 access control, 121 operators, 123 patterns, 122 shell commands, 123 wildcards, 122 additional resources, 128 installed documentation, 128 useful websites, 129 advantages, 121 purpose, 121 xinetd, 124 Timeout Apache configuration directive, 181 Tripwire, 147 additional resources, 157 installed documentation, 157 useful websites, 157 components, 151 configuration file signing, 15
X X client (See XFree86) X server (See XFree86) X Window System (See XFree86) overview, 99 X client, 99 X server, 99 x86 boot process, 77 XFree86, 99 additional resources, 109 installed documentation, 109 related books, 110 useful websites, 110 clients desktop environments, 105 window managers, 104 desktop environments, 105 fonts, 107 adding, 108 configuration, 108 xfs, 107 runlevel 3, 105 5, 106 runlevels, 105 server, 100 configuration, 100 structure, 99 window managers, 104 X clients, 104 Xconfigurator,