Thursday, August 4, 2011

Sudo & ACL

Sudo
If a server needs to be administered by a number of people it is normally not a good idea for them all to use the root account. This is because it becomes difficult to determine exactly who did what, when and where if everyone logs in with the same credentials. The sudo utility was designed to overcome this difficulty.
The sudo utility allows users defined in the /etc/sudoers configuration file to have temporary access to run commands they would not normally be able to due to file permission restrictions. The commands can be run as user "root" or as any other user defined in the /etc/sudoers configuration file.
The privileged command you want to run must first begin with the word sudo followed by the command's regular syntax. When running the command with the sudo prefix, you will be prompted for your regular password before it is executed. You may run other privileged commands using sudo within a five-minute period without being re-prompted for a password. All commands run as sudo are logged in the log file /var/log/messages. [1]
If sudo is not available, install the sudo package before proceeding.

Declaring in /etc/sudoers

The file /etc/sudoers must be edited by running the command visudo:
# visudo

user  machine_hostname = (run_as_user) comma_separated_list_of_commands

alpha  stationX.class.com = (root) /usr/bin/passwd
User alpha is able to run the command passwd as root on stationX.class.com.

beta ALL = (ALL) /usr/sbin/adduser
User beta is able to run the adduser command as any user on any machine.

gamma ALL = (ALL) ALL
User gamma is able to run any command as any user on any machine (never recommended).
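As an added example (this script is not part of the original post), here is a minimal Python evaluator for sudoers lines of the exact form used above: it answers who may run which command, on which host and as whom, and lists the users that hold the unrestricted ALL = (ALL) ALL rule. It assumes the simple "user host = (runas) cmd, cmd" grammar only; aliases, tags and Defaults from the real sudoers grammar are not handled.

```python
# Constructed from the three rules shown above; the grammar handled here is
# only "user host = (runas) cmd, cmd", without aliases, tags or Defaults.
SUDOERS = """\
alpha  stationX.class.com = (root) /usr/bin/passwd
beta ALL = (ALL) /usr/sbin/adduser
gamma ALL = (ALL) ALL
"""

def parse_sudoers(text):
    """Return a list of (user, host, runas, [commands]) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        lhs, rhs = line.split("=", 1)
        user, host = lhs.split()
        runas, cmds = rhs.strip().split(")", 1)
        runas = runas.lstrip("(").strip()
        rules.append((user, host, runas, [c.strip() for c in cmds.split(",")]))
    return rules

def _matches(pattern, value):
    """ALL matches anything; otherwise the rule must name the value exactly."""
    return pattern == "ALL" or pattern == value

def may_run(rules, user, host, runas, command):
    """True if some rule lets `user` on `host` run `command` as `runas`."""
    return any(
        r_user == user and _matches(r_host, host) and _matches(r_runas, runas)
        and any(_matches(c, command) for c in r_cmds)
        for r_user, r_host, r_runas, r_cmds in rules)

def unrestricted_users(rules):
    """Users holding 'ALL = (ALL) ALL', i.e. full root on every host."""
    return sorted({u for u, h, r, c in rules
                   if h == "ALL" and r == "ALL" and "ALL" in c})

RULES = parse_sudoers(SUDOERS)
```

Running unrestricted_users over a real sudoers export is a quick audit for the "never recommended" rule.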

Using sudo

Invoking sudo is very easy.
[alpha@stationX]$ sudo passwd
[beta@localhost]$ sudo adduser
[gamma@localhost]$ sudo ifconfig
  
ACL
A File Access Control List (FACL) is used to allow or deny permissions to specific users. With ordinary permissions, the only way to give users other than the owner certain access to a file is to grant that permission to a group. However, every user in that group then gets the same permission on the file, and since every file has exactly one owner and one group, there is no way to give different permissions to more than one group.
To restrict access to a file to only some specific users other than the owner, the FACL system is implemented in Linux. With FACLs, specific users are allowed or denied read, write and/or execute permissions on a file. This can be visualized as adding exceptions: if we want a user other than the owner to have full permission over a file, we can define an FACL to do so; likewise, if we want a single user in a group to have no permission on a file, that can also be done with an FACL. For example, if the file example.file is owned by user root, user1 and the cracker group can be given specific permissions on the file. This scenario is illustrated in the table below.


 
Initial permission   Command                                   Modified permission
rw-r--r--            setfacl -m u:user1:rw- example.file       Grants user1 read and write access to example.file
rw-r--r--            setfacl -m g:cracker:--- example.file     Denies all permissions to group cracker on example.file

Example 2: User Andrew is able to read and write this file. User Susan can do neither.

We have to use an ACL (Access Control List) for this.
# setfacl -m u:Andrew:rw- /var/tmp/fstab
-m = modify; grants user Andrew read and write access
# setfacl -m u:Susan:--- /var/tmp/fstab
Susan can neither read, write nor execute the file
# getfacl /var/tmp/fstab
Displays the ACL
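As an added example (not part of the original post), the following Python script parses getfacl output for the Andrew/Susan case and computes the permission a given user actually ends up with, following the POSIX ACL check order (owner, named user, groups, other). It also shows the caveat the commands above hide: named-user and group entries are limited by the ACL mask, so a later "setfacl -m m::r-- file" silently cuts Andrew back to read-only. The getfacl output is constructed and assumes the file is owned by root:root with base mode rw-r--r--.

```python
# Constructed getfacl output for the Andrew/Susan example above (assumed:
# file owned by root, group root, base mode rw-r--r--).
GETFACL_OUTPUT = """\
# file: var/tmp/fstab
# owner: root
# group: root
user::rw-
user:Andrew:rw-
user:Susan:---
group::r--
mask::rw-
other::r--
"""

def parse_getfacl(text):
    """Return (owner, group, entries); entries is keyed by (tag, qualifier)."""
    owner = group = None
    entries = {}
    for line in text.splitlines():
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line and not line.startswith("#"):
            # strip a trailing "#effective:..." annotation if getfacl printed one
            tag, qualifier, perms = line.split("#")[0].split(":")
            entries[(tag, qualifier)] = perms.strip()
    return owner, group, entries

def _masked(perms, mask):
    """Intersect an entry with the mask, position by position (r, w, x)."""
    return "".join(p if p != "-" and m != "-" else "-" for p, m in zip(perms, mask))

def effective_perms(acl_text, user, groups):
    """Apply the POSIX ACL check order: owner, named user, groups, other.
    Named-user and group entries are limited by the mask; owner and other are not."""
    owner, owning_group, entries = parse_getfacl(acl_text)
    mask = entries.get(("mask", ""), "rwx")     # no mask entry: nothing is masked
    if user == owner:
        return entries[("user", "")]
    if ("user", user) in entries:
        return _masked(entries[("user", user)], mask)
    matched = [entries[("group", "")]] if owning_group in groups else []
    matched += [entries[("group", g)] for g in groups if ("group", g) in entries]
    if matched:
        # a permission is granted if any matching group entry grants it
        union = "".join(c if any(p[i] != "-" for p in matched) else "-"
                        for i, c in enumerate("rwx"))
        return _masked(union, mask)
    return entries[("other", "")]
```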

Tar & RPM


Tar Files
The tar command bundles multiple files and directories into a single archive file. Keep in mind that tar by itself does not perform compression.

Options

The most commonly used options in tar are –
-c   create an archive
-x   extract an archive
-v   verbosely list the files processed
-f   use the following argument as the archive file name
-t   list the contents of an archive
-p   preserve permissions
-z   filter the archive through gzip
-j   filter the archive through bzip2

Syntax

tar -cvf archive.tar file1 file2 file3 file4
Example – suppose you have to create a tar file (example.tar) with 3 files f1, f2, f3. Then the command would be –
# tar  -cvf   example.tar  f1 f2 f3

Given below are some examples
1 # tar xvf example.tar
Extracts the archive example.tar into the current directory to obtain the original files

2 # tar tvf example.tar
Shows the contents of the archive example.tar

3 # tar pcvf example2.tar f1 f2 f3
Creates an archive example2.tar, preserving the permissions of the original files f1, f2, f3

gzip

As mentioned earlier, tar performs no compression. To compress the archive, gzip can be used. gzip has some additional options –
-1
fastest compression regardless of the compression ratio
-9
best possible compression ratio regardless of the time needed

# gzip  example.tar
compresses the archive example.tar and creates a file example.tar.gz
# gunzip  example.tar.gz
extracts the compressed archive example.tar.gz
# gzip -1 example2.tar
performs fastest compression
# gzip -9 example2.tar
performs best compression
Alternative method
#  tar  zcvf  example.tar.gz  f1 f2 f3
creates a compressed archive example.tar.gz with the files f1, f2 and f3
#  tar  zxvf  example.tar.gz
extracts the compressed archive example.tar.gz

bzip2

bzip2 is a more powerful compression tool than gzip. bzip2 is the upgrade of the original bzip. bzip2 also supports fastest and best compression.
# bzip2 example.tar
compresses the archive example.tar and creates a file example.tar.bz2
#  bunzip2  example.tar.bz2
extracts the compressed archive example.tar.bz2
# bzip2 -1 example2.tar
performs fastest compression
# bzip2 -9 example2.tar
performs best compression
Alternative method
#  tar  jcvf  example.tar.bz2  f1 f2 f3
creates a compressed archive example.tar.bz2 with the files f1, f2 and f3
#  tar  jxvf  example.tar.bz2
extracts the compressed archive example.tar.bz2

RPM
RPM or Relational Package Manager is used to install packages/software into the system. An RPM package can be installed using the following command

# rpm -ivh rpm_name
-i = install
-v = show output verbosely
-h = show progress with #

RPM sometimes creates dependency problems. For example, if A.rpm requires B.rpm to be previously installed, then A.rpm cannot be installed unless B.rpm is installed first.
To install A.rpm ignoring dependencies, the following command may be used, but it is very likely that the package will not work properly.

# rpm -ivh A.rpm --nodeps

To check whether an RPM is installed, the following commands can be used
# rpm -q RPM1
Checks whether package RPM1 is installed.
# rpm -qa
Shows all installed RPMs
# rpm -ql RPM2
Shows the locations of all files created during the installation of RPM2


Runlevels


Runlevels
The term runlevel refers to a mode of OS initialization in Unix or similar operating systems. Runlevels are sort of like profiles that your computer uses to determine which services to launch in the background when you boot. The most commonly used runlevels are Runlevel 5 and Runlevel 3.
Runlevels may vary from one OS to another. The runlevels in Red Hat Linux are –
0   Halt                              Shuts down the machine.
1   Single-User Mode                  Typically used for recovery. Does not configure network interfaces, start daemons, or allow non-root logins.
2   Multi-User Mode                   Does not configure network interfaces or start daemons.
3   Multi-User Mode with Networking   Starts the system normally and provides the BASH shell.
4   Not used/User-definable           For special purposes.
5   X11                               Full graphical mode managed by X-Server.
6   Reboot                            Reboots the computer.

Setting the Runlevel

The runlevel that the system boots into by default is defined in /etc/inittab
#### /etc/inittab ####
id:5:initdefault:
This line indicates that the system boots into runlevel 5 by default. Changing the value to something else changes the default runlevel.

SCP & Mount


SCP (Secure Copy)
scp relies on ssh to operate. scp is used to securely copy files/directories from/to a remote location. The syntax of scp is identical to cp.
Syntax: scp -arg source destination

# scp  192.168.10.1:/root/f1  /home/sarmed

Copies the file ‘f1’ from remote host 192.168.10.1 to local directory /home/sarmed
# scp  f2  192.168.10.2:/home/sarmed


Copies the local file ‘f2’ to remote host 192.168.10.2 in the location /home/sarmed
# scp -r localdir 192.168.10.2:/home/sarmed
Copies the local directory ‘localdir’ to remote host 192.168.10.2 in the location /home/sarmed

# scp  -P 87 192.168.10.1:/root/f3 /home/sarmed
Same as the first example. However, this time scp connects to port 87 instead of default ssh port 22.

# scp -P 87 sarmed@192.168.10.1:/home/sarmed/f4 /root
Same as the 4th example. Communicates with the remote host 192.168.10.1 at port 87 as user sarmed. Copies the file f4 from the remote machine to /root on the local host.

Mount
To access any physical device, it must be mounted at some logical location (the mount point). By accessing the logical location, we actually access the physical device.
Syntax: mount -arg source destination
# mount  /dev/sdb1  /mnt
Mounts the physical partition /dev/sdb1 to logical location /mnt

# mount  /dev/sdc2  /media
Mounts the physical partition /dev/sdc2 to logical location /media

# mount  -t  nfs  192.168.10.1:/share  /newshare
Mounts the directory /share located in remote host 192.168.10.1 using NFS (network file system) to local /newshare. (NFS must be preconfigured in 192.168.10.1 for this command to work)

# mount -o remount,rw /
Often used in recovery mode. -o = option. This command remounts the / directory read-write.

Help, Output Redirection & Pipelining


Man
Every Linux system has well documented manuals to help users get information about commands and services. These manuals can be accessed using the command

Syntax
# man command/file
# man ls
shows the manual of the command ‘ls’
# man resolv.conf
shows the manual of the file ‘/etc/resolv.conf’

Some manuals contain further references at the bottom. These references usually carry manual section numbers, which can be accessed using –
# man 5 resolv.conf
shows the resolv.conf page from manual section 5

whereis, whatis & which

whatis displays a one-line overview of the command. whereis and which have similar output: both show the location where the command is stored, and whereis also lists files related to the command, such as its manual pages.
# whatis pwd
pwd                  (1p)  - return working directory name
pwd                  (1)  - print name of current/working directory
pwd [builtins]       (1)  - bash built-in commands, see bash(1)
pwd.h [pwd]          (0p)  - password structure

# whatis cp
cp                   (1)  - copy files and directories
cp                   (1p)  - copy files

# whereis pwd
pwd: /bin/pwd /usr/share/man/man1/pwd.1.gz /usr/share/man/man1p/pwd.1p.gz

# which pwd
/bin/pwd


Output Redirections

Output can be redirected from one place to another by using the ">" sign. For example:

# echo hello
Shows hello in the terminal
# echo hello > /root/greetings
Instead of showing hello in the terminal, creates a new file /root/greetings and dumps ‘hello’ there.
# cat /etc/passwd
Shows the content of the file in the terminal
# cat /etc/passwd > /root/user_info
Instead of showing the file in the terminal, creates a new file /root/user_info and dumps the output there.

Redirecting output this way always overwrites the output file. To append to the output file, the ">>" sign is used.
# echo hello >> /root/user_info
Appends hello at the bottom of the file /root/user_info

Pipelining

Pipelining ( | ) is used to pass the output of one command as the input of the next command. For example-
# cat /etc/passwd | grep root
The first command’s output is the entire content of the file /etc/passwd. The second command filters that output for lines containing ‘root’.
# tailf /var/log/maillog | grep palash
The first command shows entries of the mail log in real time, and the second command filters that output and shows only lines containing ‘palash’

Finding Files & Folders


Find

Syntax

# find location -name filename

Example

find /etc -name ifcfg-eth0
Finds the file named ifcfg-eth0 under the directory /etc.

find /home -user joe
Finds every file under the directory /home owned by the user joe.

find /usr -name '*stat'
Finds every file under the directory /usr ending in "stat" (the pattern is quoted so the shell does not expand it before find sees it).

find . -perm 664
Searches for files with permission 664 in the current directory

find / -inum 1011
Searches for the file with inode number 1011 in the entire filesystem.


Locate
Locate has comparatively easy syntax, but it is recommended to run updatedb prior to running locate.

# updatedb
# locate filename
Example –
# locate passwd

Setting up Network (Red Hat based System)


Segment 1
The easiest way to set up the network is by using the following commands-
# setup (then choose the network settings menu)

Used for setting up network parameters
# system-config-network

Used for setting up network parameters
# service network restart
Restarts the network service
# ifconfig
Checks the network parameters

Network related files

/etc/sysconfig/network-scripts/

This directory contains a single file for each network adapter, named ifcfg-eth0, ifcfg-eth1, ifcfg-eth2 and so on. The contents of the file are:
NAME=eth0                    name of the device
DEVICE=eth0                  device id
BOOTPROTO=none/static/dhcp   none/static are used for a static IP address; dhcp is used for an automatic IP address
IPADDR=X.X.X.X               IPv4 address
NETMASK=X.X.X.X              netmask of the provided IP address
GATEWAY=X.X.X.X              IP address of the gateway server/router
USERCTL=yes/no               whether normal users are able to change the IP address

/etc/resolv.conf

The DNS server IP is set in this file. Keep in mind that there are some free international DNS servers that can be used, such as 4.2.2.1, 4.2.2.2 and 8.8.8.8.
nameserver X.X.X.X

/etc/sysconfig/network

This file is primarily used to set the hostname.
HOSTNAME=stationX.example.com

/etc/hosts

This file is used in case the hostname has to be resolved locally. The following line (IP, FQDN, hostname) should be added-
X.X.X.X   stationX.example.com   stationX

Troubleshooting

When troubleshooting any network, the following commands can be used.
# mii-tool
Note that there is no space in the command. Used for checking whether the cable is connected to the Network Interface Card.
# ping X.X.X.X
If physical connection is okay, you should get a reply with information like latency and TTL.
# traceroute X.X.X.X
Used for tracing the path to a specific IP or domain.
                 
Segment 2

Virtual Interfaces

Each NIC in Linux can be used to create virtual interfaces, each with its own IP address. As a result, a single LAN card can act as multiple virtual LAN cards with specific IP addresses.

Procedure:

1. Create a copy of the LAN card configuration file and make changes as necessary. The following example contains the minimum configuration-
# cd /etc/sysconfig/network-scripts/
# cp ifcfg-eth0 ifcfg-eth0:1
# vim ifcfg-eth0:1

NAME=eth0:1
DEVICE=eth0:1
IPADDR=Y.Y.Y.Y
SUBNET=Y.Y.Y.Y
2. # service network restart

Check whether you can find the IP address of the virtual interface with ifconfig. If you’re successful, try pinging the IP address from local, as well as remote machines.
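As an added example (not from the original post), the following Python script derives the ifcfg-eth0:1 file from an existing ifcfg-eth0 the way step 1 does by hand, using the NETMASK key from the file description above, and checks the alias address before the network service is restarted (a duplicate, malformed, network or broadcast address is the usual reason the ping test at the end fails). The ifcfg-eth0 content and all addresses below are constructed placeholders.

```python
import ipaddress

# Constructed ifcfg-eth0, using the keys listed under /etc/sysconfig/network-scripts/.
IFCFG_ETH0 = """\
NAME=eth0
DEVICE=eth0
BOOTPROTO=none
IPADDR=192.168.10.5
NETMASK=255.255.255.0
GATEWAY=192.168.10.1
USERCTL=no
"""

def parse_ifcfg(text):
    """Turn KEY=value lines into a dict, skipping blanks and comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg

def alias_problems(base, ipaddr):
    """Return the reasons (if any) the alias address should not be configured."""
    problems = []
    try:
        new_ip = ipaddress.IPv4Address(ipaddr)
    except ValueError:
        return ["%r is not a valid IPv4 address" % ipaddr]
    if new_ip == ipaddress.IPv4Address(base["IPADDR"]):
        problems.append("alias duplicates the parent interface address")
    # the alias keeps the parent's netmask, so compute its own network from that
    net = ipaddress.IPv4Network("%s/%s" % (ipaddr, base["NETMASK"]), strict=False)
    if new_ip in (net.network_address, net.broadcast_address):
        problems.append("%s is the network or broadcast address of %s" % (new_ip, net))
    return problems

def make_virtual_ifcfg(base_text, index, ipaddr):
    """Build the minimal ifcfg-ethN:<index> content (NAME, DEVICE, IPADDR, NETMASK)."""
    base = parse_ifcfg(base_text)
    problems = alias_problems(base, ipaddr)
    if problems:
        raise ValueError("; ".join(problems))
    device = "%s:%d" % (base["DEVICE"], index)
    alias = {"NAME": device, "DEVICE": device, "BOOTPROTO": "none",
             "IPADDR": ipaddr, "NETMASK": base["NETMASK"]}
    return "".join("%s=%s\n" % item for item in alias.items())
```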