\chapter{Key Configuration Files}
\label{cha:conf-files}
{\mns
\subsection{Objectives}
\label{sec:objectives-conf-files}
After completing this module, you should be able to configure the following:
\begin{itemize}
\item The password files {\fn /etc/passwd}, {\fn /etc/shadow}
\item The group file {\fn /etc/group}
\item {\cmdn cron} management {\fn /etc/crontab}
\item Kernel modules ({\fn /etc/modules.conf})
\item Filesystem mounting ({\fn /etc/fstab} and {\fn /etc/exports})
\item System startup and shutdown scripts
\end{itemize}

\section{{\fn /etc/passwd}}
\label{sec:passwd}
\begin{itemize}
\item Stores information about users
  \begin{itemize}
  \item Password (on some systems)
  \item User ID and primary group ID
  \item {\kwd Finger} information
  \item Home directory
  \item Default shell
  \end{itemize}
\end{itemize}

\section{{\fn /etc/passwd} (continued)}
\begin{itemize}
\item Colon-separated fields, e.g.
\end{itemize}
{\myts
\begin{verbatim}
lee:Df18jed/nienysd:501:501:Lee Willis,Rm 1,013 567,013 765:/home/lee:/bin/bash
\end{verbatim}}
\begin{itemize}
\item First field is the username
\item Second is the encrypted password~\footnote{On systems which support shadow passwords this will just be an {\cmdn x}; see \ref{sec:shadow} for an explanation}
\item Third and fourth fields give the user ID and the primary group ID respectively
\item {\kwd Finger} information is a comma-separated list of information about a user
  \begin{itemize}
  \item Typically stores full name, office room, office phone number and home phone number
  \end{itemize}
\item The sixth field is the user's home directory
\item The user's default shell is given by the last field
\end{itemize}

\section{Editing {\fn /etc/passwd}}
\label{sec:edit-pass}
\begin{itemize}
\item You should never edit {\fn /etc/passwd} directly
  \begin{itemize}
  \item Can lose information on multi-user systems (two people editing at once, with no locking)
  \end{itemize}
\item Use the {\cmdn passwd} command
\item Normal users simply type {\cmdn passwd}
  \begin{itemize}
  \item Prompted for old password
  \item Type new password twice (to avoid typos)
  \end{itemize}
\item Superuser can change anyone's password: {\cmdn passwd username}
  \begin{itemize}
  \item Enters only the new password
  \item Doesn't have to know the old password
  \end{itemize}
\item Superuser may also disable/enable accounts
  \begin{itemize}
  \item {\cmdn passwd -l username} disables or {\em locks} an account
  \item {\cmdn passwd -u username} {\em unlocks} the account
  \end{itemize}
\end{itemize}

\section{Other Changes To {\fn /etc/passwd}}
\label{sec:other-pass}
\begin{itemize}
\item {\cmdn chfn} allows you to change the finger information for a user, e.g.
{\myts
\begin{verbatim}
$ chfn -f "Lee Willis" -o "Room 1" -p "01234 5678" -h "0123 45678"
\end{verbatim}}%$
\item {\cmdn chsh -s shell} lets you change your default shell
  \begin{itemize}
  \item Must be listed in {\fn /etc/shells}
  \item {\cmdn chsh \verb|--|list-shells} will give a list of valid values
  \end{itemize}
\item Example:
{\myss
\begin{verbatim}
$ chsh --list-shells
/bin/bash
/bin/sh
/bin/ash
/bin/bsh
/bin/tcsh
/bin/csh
$ chsh -s /bin/tcsh lee
Changing shell for lee.
Password:
Shell changed.
\end{verbatim}}
\item {\em Note:} Both {\cmdn chfn} and {\cmdn chsh} require you to give your password
\end{itemize}

\section{{\fn /etc/group}}
\label{sec:group}
\begin{itemize}
\item Effective control of file access is one of the strengths of Linux/Unix
\item One aspect of this is the concept of {\em groups}
\item Users belong to one or more of these groups
\item Access to files can be granted or denied on the basis of group privileges
\item Group membership is controlled by the file {\fn /etc/group}
\end{itemize}

\section{Editing {\fn /etc/group}}
\label{sec:edit-group}
\begin{itemize}
\item Like {\fn /etc/passwd}, it shouldn't be edited directly
\item Tools can change it and ensure locking
\item To {\em create} a group with ID {\usb gid} and name {\usb gname}:
  \begin{quote}
  {\cmdn \$ groupadd -g {\usb gid} {\usb gname}}
  \end{quote}
\item To change the name of group {\usb gname} to {\usb newname}:
  \begin{quote}
  {\cmdn \$ groupmod -n {\usb newname} {\usb gname}}
  \end{quote}
\item {\pgn usermod} changes the groups a user belongs to,
  \begin{quote}
  e.g. to add the user {\cmdn lee} to groups {\sco www}, {\sco project}, and {\sco tempgroup}:
  {\myss
\begin{verbatim}
$ usermod -G www,project,tempgroup lee
\end{verbatim}}%$
  \end{quote}
\item N.B.
It also removes him from any groups not listed (excluding his primary group)
\item {\cmdn usermod} can also change the information in {\fn /etc/passwd}
  \begin{itemize}
  \item Can only be run by the superuser
  \end{itemize}
\end{itemize}

\section{Important Note}
\label{sec:important-note}
\begin{itemize}
\item Changing user information shouldn't be undertaken lightly
\item There are a number of restraints on changing usernames, IDs, and group IDs
\item You can't change a username while the user is logged in
\item You can't change an ID while the user has processes running
\item See {\cmdn man usermod} and {\cmdn man groupmod} for others
\item Mostly common sense
\end{itemize}

\section{Shadow Passwords}
\label{sec:shadow}
\begin{itemize}
\item {\em Shadow passwords} are a security feature
  \begin{itemize}
  \item If the encrypted passwords were readable, normal users could copy them and try to guess other users' passwords offline
  \item Some information in {\fn /etc/passwd} needs to be readable, but {\em passwords} don't!
  \end{itemize}
\item Solution:
  \begin{itemize}
  \item Keep everything except passwords in {\fn /etc/passwd}
  \item Password field contains just a single {\em `x'}
  \end{itemize}
\item Encrypted passwords are stored in {\fn /etc/shadow}
  \begin{itemize}
  \item Only readable by the superuser
  \end{itemize}
\end{itemize}

\section{{\fn /etc/shadow}}
\label{sec:etc-shadow}
\begin{itemize}
\item {\fn /etc/shadow} also stores other information
\item Mainly password expiry information
\item Can force users to change their password
\item Most important benefit is increased security
\item All modern systems should use shadow passwords
\end{itemize}

\section{Scheduling Jobs ({\pgn Cron})}
\label{sec:cron-jobs}
\begin{itemize}
\item {\cmdn cron} schedules jobs to run at specified times; the jobs and their times are listed in the file {\fn /etc/crontab}
{\myts
\begin{verbatim}
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/
# run-parts
01 * * * * root run-parts /etc/cron.hourly
02 4 * * * root run-parts /etc/cron.daily
5,35 * * * 1-5 root /usr/local/bin/domail
\end{verbatim}}
\item The first section sets environment variables
\item Cron jobs run when the current time/date matches a {\fn crontab} entry
\item The first 5 fields in {\fn /etc/crontab} are
{\myss
\begin{verbatim}
minute hour day_of_month month day_of_week
\end{verbatim}}
\item {\cmdn *} matches all possible values
\item Commas separate sets of values within a field
\item Ranges can also be specified, e.g. {\cmdn 1-5}
\item Can also specify steps, e.g. {\cmdn 0-59/5} (every fifth value in the range)
\end{itemize}

\section{{\fn /etc/crontab}}
\label{sec:/etc/crontab}
\begin{itemize}
\item {\fn /etc/crontab} also specifies what {\em user} the job runs as, e.g.
{\myss
\begin{verbatim}
01 * * * * root run-parts /etc/cron.hourly
02 4 * * * root run-parts /etc/cron.daily
\end{verbatim}}
\item Second line runs the command {\cmdn run-parts /etc/cron.daily} as {\cmdn root} at 4:02am every day
\item To run the command {\cmdn /usr/local/bin/domail} as {\cmdn root} {\em at} 10 minutes past {\em and} 40 minutes past the hour, {\em between} 9am and 6pm {\em on weekdays} (day 0 is Sunday, so Monday to Friday is {\cmdn 1-5}):
{\myss
\begin{verbatim}
10,40 9-18 * * 1-5 root /usr/local/bin/domail
\end{verbatim}}
\end{itemize}

\section{{\cmdn run-parts}}
\label{sec:run-parts}
\begin{itemize}
\item {\cmdn run-parts} is a script designed for use with {\cmdn cron}
\item Runs all the programs in the specified directory
\item Allows administrators to easily add jobs
  \begin{itemize}
  \item Simply place an executable script/program in the correct directory
  \end{itemize}
\item N.B. {\em Not} a standard cron feature
\end{itemize}

\section{{\cmdn logrotate}}
\begin{itemize}
\item Log rotation is normally handled by {\cmdn logrotate}
\item Run by cron; it reads {\fn /etc/logrotate.conf} for its configuration
\item Example:
{\myts
\begin{verbatim}
$ cat /etc/logrotate.conf
#Rotate the logs weekly
weekly
# keep 4 weeks worth of backlogs
rotate 4
# send errors to root
errors root
# create new (empty) log files after rotating old ones
create
# uncomment this if you want your log files compressed
#compress
# RPM packages drop log rotation information into this directory
include /etc/logrotate.d
# no packages own lastlog or wtmp --- we'll rotate them here
/var/log/wtmp {
    monthly
    rotate 1
}
/var/log/lastlog {
    monthly
    rotate 1
}
\end{verbatim}}%$
\end{itemize}

\section{Module Configuration}
\label{sec:mod-conf}
\begin{itemize}
\item The Linux kernel can be modular in nature
\item Needs to know which devices use which drivers
\item {\fn /etc/modules.conf} contains this information~\footnote{Warning: on some older systems this is {\fn /etc/conf.modules}}
\item Typical file may look like:
\begin{verbatim}
alias eth0 ne2k-pci
alias eth1 3c509
\end{verbatim}
\item States that the device {\cmdn eth0} requires the module {\cmdn ne2k-pci}, and {\cmdn eth1} requires {\cmdn 3c509}
\end{itemize}

\section{Modules Configuration --- `Options'}
\label{sec:mod-conf-options}
\begin{itemize}
\item Some modules allow you to specify options
\item Mainly used for ISA peripherals, e.g.
to provide I/O and IRQ information: \\
\begin{verbatim}
alias eth0 ne
options ne irq=10
\end{verbatim}
Specifies that {\cmdn eth0} requires the module {\cmdn ne}, which should be passed the argument {\cmdn irq=10}
\item Can also specify actions to be executed when loading or unloading modules, e.g.\\
{\myss
\begin{verbatim}
pre-install pcmcia_core /etc/rc.d/init.d/pcmcia start
\end{verbatim}}
Runs {\cmdn /etc/rc.d/init.d/pcmcia start} before loading the {\cmdn pcmcia\_core} module
\end{itemize}

\section{Mounting Filesystems}
\label{sec:mount}
\begin{itemize}
\item Linux can store its files on multiple disks
\item It decides what part of the filesystem each of these lives on using {\fn /etc/fstab} \\[16pt]
{\myts
\begin{tabular}{|p{85pt}|p{100pt}|p{40pt}|p{50pt}|p{24pt}|p{30pt}|}
\hline
Logical Volume & Mount Point & FS type & Options & Dump & Check order \\
\hline \hline
/dev/hda1 & / & ext2 & defaults & 1 & 1 \\ \hline
/dev/hda5 & /home & ext2 & defaults & 1 & 2 \\ \hline
/dev/hda7 & /tmp & ext2 & defaults & 1 & 2 \\ \hline
/dev/hda6 & /usr & ext2 & defaults & 1 & 2 \\ \hline
/dev/hda8 & swap & swap & defaults & 0 & 0 \\ \hline
/dev/fd0 & /mnt/floppy & ext2 & noauto & 0 & 0 \\ \hline
/dev/cdrom & /mnt/cdrom & iso9660 & noauto,ro & 0 & 0 \\ \hline
\verb|\\|kashmir\verb|\|c & /mnt/kashmir & smbfs & guest & 0 & 0 \\ \hline
landlord:/var/admin & /var/admin & nfs & defaults & 0 & 0 \\ \hline
landlord:/home/lee & /home/lee/LANDLORD & nfs & defaults & 0 & 0 \\ \hline
\end{tabular}}
\end{itemize}

\section{Runlevels}
\label{sec:key-configs-run-levels}
\begin{itemize}
\item Linux has several modes of operation
\item Referred to as {\kwd runlevels}
\item The Linux Standard Base (\url{http://www.linuxbase.org/spec/refspecs/LSB_1.1.0/gLSB/runlevels.html}) defines the following standard runlevels that all distributions must follow to be compliant:
\begin{tabular}[t]{ll}
0 & halt \\
1 & single user mode \\
2 & multiuser with no network services exported \\
3 & normal/full multiuser \\
4 & reserved for local use, default is normal/full multiuser \\
5 & multiuser with \texttt{xdm} or equivalent \\
6 & reboot
\end{tabular}
\end{itemize}

\section{Single User Mode}
\label{sec:key-configs-single-user-mode}
\begin{itemize}
\item Mainly used for diagnostic purposes
\item Starts only a subset of the possible services, e.g.
  \begin{itemize}
  \item No networking
  \item No mail services
  \item No name lookup services
    \begin{itemize}
    \item Except {\fn /etc/hosts}
    \end{itemize}
  \item No file-sharing services, etc.
  \end{itemize}
\end{itemize}

\section{Multi User Mode}
\label{sec:key-configs-multi--user-mode}
\begin{itemize}
\item The `normal' operating state
\item All configured services are running
\item Multiple users can log in
\item {\fn /sbin/runlevel} shows the previous and current runlevel of your machine
\end{itemize}

\section{Starting up and Shutting down}
\label{sec:key-configs-startup-shutdown}
\begin{itemize}
\item Only the {\kwd superuser} can shut down or reboot
\item {\cmdn halt} will shut down the machine totally
  \begin{itemize}
  \item For safety you should type {\cmdn /sbin/halt}
  \end{itemize}
\item Makes sure all processes are stopped
\item Stops services cleanly
\item Writes unsaved data to the disk
  \begin{itemize}
  \item `Syncing'
  \end{itemize}
\item {\cmdn /sbin/reboot} will shut down cleanly and reboot
\end{itemize}

\section{Changing runlevel}
\label{sec:changing-runlevels}
\begin{itemize}
\item It is sometimes necessary to change runlevel
\item Rare, but useful to know
\item You can instruct a system to change runlevel using the {\pgn telinit} command
\item Example:
\begin{verbatim}
$ telinit 5
\end{verbatim}%$
\item Changes to runlevel 5
\item {\pgn telinit 1} takes the system down to single user mode
\end{itemize}

\section{Initscripts}
\label{sec:key-configs-init-scripts}
\begin{itemize}
\item The precise behaviour of each of the runlevels is controlled by {\em initscripts}
\item Control which services run in each runlevel
\item Live in {\fn init.d}
  \begin{itemize}
  \item On Debian it's in {\fn /etc/init.d}
  \item On Red Hat it's {\fn /etc/rc.d/init.d}
  \end{itemize}
\item Each file here is a script that can be called with an argument: {\cmdn start}, {\cmdn stop}, or {\cmdn restart}
\end{itemize}

\section{{\fn rcn.d}}
\label{sec:key-configs-rc.d}
\begin{itemize}
\item The contents of the directories {\fn rc{\em n}.d} control which services start and stop in runlevel {\usb n}
\item The directories hold symbolic links to the files in {\fn init.d}
\item The links are named informatively
\item To start service {\usb abc} you would create a link, typically named {\uin Sxx{\usb abc}}, pointing to {\fn init.d/{\usb abc}}
\item The {\uin xx} specifies the order in which to run the scripts, e.g. \verb|S00foo| will be run before \verb|S90foo|
\item Links that stop a service are of the form {\uin Kxx{\usb abc}}
\end{itemize}

\section{Initscripts --- An example}
\label{sec:key-configs-initscripts-eg}
\begin{itemize}
\item Consider the following:~\footnote{Unimportant information has been removed from the screen dump, so do not be alarmed if this doesn't look like you'd expect!}
{\myts
\begin{verbatim}
lee @ 12:22:08 /etc/rc.d/rc3.d ls -l S*
lrwxrwxrwx ... S01kerneld -> ../init.d/kerneld
lrwxrwxrwx ... S10network -> ../init.d/network
lrwxrwxrwx ... S15nfsfs -> ../init.d/nfsfs
lrwxrwxrwx ... S20random -> ../init.d/random
lrwxrwxrwx ... S30syslog -> ../init.d/syslog
lrwxrwxrwx ... S40atd -> ../init.d/atd
lrwxrwxrwx ... S40crond -> ../init.d/crond
lrwxrwxrwx ... S40portmap -> ../init.d/portmap
lrwxrwxrwx ... S40snmpd -> ../init.d/snmpd
lrwxrwxrwx ... S45pcmcia -> ../init.d/pcmcia
lrwxrwxrwx ... S50inet -> ../init.d/inet
lrwxrwxrwx ... S55named -> ../init.d/named
\end{verbatim}}
\item We can see that the first thing started is {\pgn kerneld}, followed by {\pgn network} services, {\pgn nfs} services, etc.
\item There is also a series of \verb|Kxxyyy| scripts which shut down the services in a sensible order
\end{itemize}

\section{Restarting Services}
\label{sec:key-configs-restart-services}
\begin{itemize}
\item Can be necessary to restart a particular service, e.g. so it can re-read a modified configuration file
\item This can be done without a complete reboot
\item It must, however, be done by the superuser
\item To restart samba ({\pgn smb}) we can do the following:
\begin{verbatim}
$ cd /etc/rc.d/init.d
$ ./smb restart
\end{verbatim}
\end{itemize}

{\normalsize
\section{Exercises}
\begin{enumerate}
\item {\em Passwords}
  \begin{enumerate}
  \item Find out whether your machine is using standard or shadow passwords.
  \end{enumerate}
\item {\em Users}
  \begin{enumerate}
  \item Add a new user ({\pgn useradd}) and set them up with the correct full name, password and home directory. Set their default shell to {\pgn csh}
  \end{enumerate}
\item {\em Groups}
  \begin{enumerate}
  \item Create a new group and add your user to this group
  \item Now remove both the user and the group. How would you ensure that all files belonging to that user have been removed?
  \end{enumerate}
\item {\em Scheduling}
  \begin{enumerate}
  \item Add a cron job to eject your CDROM drive at 5 minutes past every hour and put it back in at ten minutes past the hour
  \end{enumerate}
\item {\em Mounting}
  \begin{enumerate}
  \item Set up your {\fn fstab} so that
\begin{verbatim}
$ mount /dev/cdrom
\end{verbatim}%$
  will automatically mount your CD drive under {\fn /mnt/cdrom}
  \end{enumerate}
\item {\em Runlevels}
  \begin{enumerate}
  \item Switch your machine between runlevels 3 and 5. What is happening? What happens if you change to runlevel 6?
  \item Make sure your machine runs the same set of services in both runlevels
  \end{enumerate}
\item {\em Stop, Start and Restart Services}
  \begin{enumerate}
  \item Check you can stop, start, or restart services
  \item Can you do this as a normal (i.e. non-root) user?
  \end{enumerate}
\end{enumerate}

\section{Solutions}
\begin{enumerate}
\item {\em Passwords}
  \begin{enumerate}
  \item Your machine will have an {\fn /etc/shadow} file if it is using shadow passwords. The password field will be set to an `x' in {\fn /etc/passwd}.
  \end{enumerate}
\item {\em Users}
  \begin{enumerate}
  \item The following would set the details for the user Lee Willis
\begin{verbatim}
$ useradd leewillis
$ passwd leewillis
Changing password for user leewillis
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully
$ chfn -f "Lee Willis" leewillis
Changing finger information for leewillis.
Finger information changed.
$ chsh -s /bin/csh leewillis
Changing shell for leewillis.
Shell changed.
\end{verbatim}
  The home directory should be set up properly ({\fn /home/leewillis}); if not, you can change it with
\begin{verbatim}
$ usermod -d /home/leewillis leewillis
\end{verbatim}%$
  \end{enumerate}
\item {\em Groups}
  \begin{enumerate}
  \item
\begin{verbatim}
$ groupadd newgroup
$ usermod -G newgroup leewillis
\end{verbatim}
  \item To remove the group, the user and the user's home directory
\begin{verbatim}
$ groupdel newgroup
$ userdel -r leewillis
\end{verbatim}
  There are a few important points here! Firstly, there may still be files in the filesystem belonging to that user. To locate them all you should have run
\begin{verbatim}
find / -user leewillis -exec rm -f {} \;
\end{verbatim}
  prior to removing the user. You should also have located all files belonging to the group and re-parented and/or removed them before removing the group
  \end{enumerate}
\item {\em Scheduling}
  \begin{enumerate}
  \item The following lines should achieve the desired effect
\begin{verbatim}
05 * * * * root eject /dev/cdrom
10 * * * * root eject -t /dev/cdrom
\end{verbatim}
  \end{enumerate}
\item {\em Mounting}
  \begin{enumerate}
  \item The entry should look like
\begin{verbatim}
/dev/cdrom /mnt/cdrom iso9660 noauto,ro 0 0
\end{verbatim}
  \end{enumerate}
\item {\em Runlevels}
  \begin{enumerate}
  \item You can change runlevels by using {\cmdn telinit 5} and {\cmdn telinit 3}. All non-relevant services are stopped and the new ones started each time you change runlevel. Runlevel 6 reboots the machine!
  \item You should ensure that the directory listings for {\fn /etc/rc.d/rc3.d} and {\fn /etc/rc.d/rc5.d} are the same. This should ensure that the same services are started/stopped when entering either runlevel.
  \end{enumerate}
\item {\em Start, Stop and Restart services}
  \begin{enumerate}
  \item -
  \item -
  \end{enumerate}
\end{enumerate}
} % End normalsize from start of exercises
} % end {\mns from chapter start

%%% Local Variables:
%%% mode: latex
%%% TeX-master: "planet_intermediate_0-0_masterfile"
%%% End:
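The {\fn /etc/passwd}, shadow-password and {\cmdn passwd -l} material of this module, worked as an added Python audit (not part of the course): it parses constructed {\fn /etc/passwd}, {\fn /etc/shadow} and {\fn /etc/shells} contents and reports the conditions the module warns about. The account names other than the module's own {\cmdn lee} line, the placeholder hashes and the finding texts are all constructed for the example.

```python
"""Audit /etc/passwd and /etc/shadow for the conditions this module describes:
a hash left in world-readable /etc/passwd instead of an 'x', extra UID 0
accounts, accounts locked with `passwd -l`, and shells not in /etc/shells.
Added example; every file sample below is constructed."""

# Constructed sample.  The 'lee' line is the module's own example (a hash in
# the second field, i.e. no shadow passwords); the other accounts use 'x'.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
lee:Df18jed/nienysd:501:501:Lee Willis,Rm 1,013 567,013 765:/home/lee:/bin/bash
svc:x:0:502:Service account:/var/svc:/bin/zsh
guest:x:503:503:Guest:/home/guest:/bin/bash
"""
# Constructed /etc/shadow; the hash fields are placeholders, not real hashes.
SHADOW = """\
root:$6$PLACEHOLDER$hash:15000:0:99999:7:::
svc:$6$PLACEHOLDER$hash:15000:0:99999:7:::
guest:!$6$PLACEHOLDER$hash:15000:0:99999:7:::
"""
# Constructed /etc/shells (one permitted login shell per line).
SHELLS = "/bin/bash\n/bin/sh\n/bin/tcsh\n/bin/csh\n"


def parse_passwd(text):
    """Map username -> dict of the seven colon-separated passwd fields."""
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, pw, uid, gid, gecos, home, shell = line.split(":", 6)
            users[name] = {"pw": pw, "uid": int(uid), "gid": int(gid),
                           "finger": gecos.split(","), "home": home,
                           "shell": shell}
    return users


def parse_shadow(text):
    """Map username -> hash field (second of the nine shadow fields)."""
    return {l.split(":")[0]: l.split(":")[1] for l in text.splitlines() if l}


def audit(passwd_text, shadow_text, shells_text):
    """Return a sorted list of (username, finding) pairs."""
    users = parse_passwd(passwd_text)
    shadow = parse_shadow(shadow_text)
    shells = set(shells_text.split())
    findings = []
    for name, u in users.items():
        if u["pw"] != "x":
            findings.append((name, "password not shadowed (field is not 'x')"))
        elif name not in shadow:
            findings.append((name, "no /etc/shadow entry"))
        elif shadow[name].startswith("!"):
            # passwd -l prepends '!' so the stored hash can never match.
            findings.append((name, "account locked"))
        if u["uid"] == 0 and name != "root":
            findings.append((name, "extra UID 0 account"))
        if u["shell"] not in shells:
            findings.append((name, "shell not listed in /etc/shells"))
    return sorted(findings)
```

On a real system the same functions can be fed {\cmdn open("/etc/passwd").read()} and friends; {\fn /etc/shadow} is only readable as the superuser, which is exactly the point of the shadow section.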
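The crontab field rules from the Scheduling Jobs and {\fn /etc/crontab} sections, as an added Python example (not course code): it expands the five time fields ({\cmdn *}, comma lists, ranges and steps) and reports which of the module's own entries fire at a given time. The timestamps are constructed; the crontab text is assembled from the entries shown in the module.

```python
"""Evaluate /etc/crontab time fields as this module describes them: '*',
comma lists, ranges (1-5) and steps (0-59/5), in the order
minute hour day_of_month month day_of_week, with the user as sixth field.
Added example; the crontab text is constructed from the module's entries."""
from datetime import datetime

# (lowest, highest) legal value of each of the five time fields, in order.
FIELD_RANGES = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 7)]

CRONTAB = """\
SHELL=/bin/bash
MAILTO=root
# run-parts
01 * * * * root run-parts /etc/cron.hourly
02 4 * * * root run-parts /etc/cron.daily
5,35 * * * 1-5 root /usr/local/bin/domail
10,40 9-18 * * 1-5 root /usr/local/bin/domail
"""

def expand_field(spec, lo, hi):
    """Return the set of integer values one time field matches."""
    values = set()
    for part in spec.split(","):
        step = 1
        if "/" in part:                       # 0-59/5 or */5
            part, step = part.split("/", 1)
            step = int(step)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:                     # range such as 9-18
            start, end = (int(x) for x in part.split("-", 1))
        else:                                 # single value such as 02
            start = end = int(part)
        values.update(range(start, end + 1, step))
    return values

def parse_crontab(text):
    """Yield (five field sets, user, command) for each job line."""
    for line in text.splitlines():
        words = line.split(None, 6)
        if not words or line.startswith("#") or "=" in words[0]:
            continue                          # blank, comment or VAR=value
        fields = [expand_field(s, lo, hi)
                  for s, (lo, hi) in zip(words[:5], FIELD_RANGES)]
        yield fields, words[5], words[6]

def jobs_due(text, stamp):
    """Return 'user: command' for entries that fire at 'YYYY-MM-DD HH:MM'.
    Caveat: real cron ORs day_of_month and day_of_week when both are
    restricted; the module's entries all leave day_of_month as '*', so the
    plain all-fields-match rule below is sufficient for them."""
    when = datetime.strptime(stamp, "%Y-%m-%d %H:%M")
    dow = (when.weekday() + 1) % 7            # Python Mon=0 -> cron Sun=0
    now = [when.minute, when.hour, when.day, when.month, dow]
    due = []
    for fields, user, command in parse_crontab(text):
        dow_ok = now[4] in fields[4] or (now[4] == 0 and 7 in fields[4])
        if all(now[i] in fields[i] for i in range(4)) and dow_ok:
            due.append(f"{user}: {command}")
    return due
```

Running it against the module's last entry shows that {\cmdn 9-18} also fires at 18:10 and 18:40, i.e. after 6pm; use {\cmdn 9-17} if the last run should be 17:40.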