Linux Level 2. Student Manual.

Transcription

1 Linux Level 2 Student Manual

2 Copyright One Course Source, 2007 ALL RIGHTS RESERVED This publication contains proprietary and confidential information, which is the property of One Course Source, 2340 Tampa Ave, Suite J, El Cajon, CA No part of this publication is be reproduced, copied, disclosed, transmitted, stored in a retrieval system or translated into any human or computer language, in any form, by any means, in whole or in part, without the prior express written consent of One Course Source. THIS PUBLICATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. REFERENCES TO CORPORATIONS, THEIR SERVICES AND PRODUCTS, ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED. IN NO EVENT SHALL ONE COURSE SOURCE BE LIABLE FOR ANY SPECIAL, INCIDENTAL, INDIRECT, SPECIAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES OF ANY KIND, OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER OR NOT ADVISED OF THE POSSIBILITY OF DAMAGE, AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT ARISING OUT OF OR IN CONNECTION WITH THE USE OF THIS INFORMATION. Descriptions of, or references to, products or publications within this publication do not imply endorsement of that product or publication. One Course Source makes no warranty of any kind with respect to the subject matter included herein, the products listed herein, or the completeness or accuracy of this publication. One Course Source specifically disclaims all warranties, express, implied or otherwise, including without limitation, all warranties of merchantability and fitness for a particular purpose. THIS PUBLICATION COULD INCLUDE TECHNICAL INACCURACIES OR TYPOGRAPHICAL ERRORS. CHANGES ARE PERIODICALLY ADDED TO THE INFORMATION HEREIN; THESE CHANGES WILL BE INCORPORATED IN NEW EDITIONS OF THE PUBLICATION. ONE COURSE SOURCE MAY MAKE IMPROVEMENTS AND/OR CHANGES IN THE PRODUCT(S) AND/OR THE PROGRAM(S) DESCRIBED IN THIS PUBLICATION AT ANY TIME. This notice may not be removed or altered. ver /14/ Q1

3 Unit Table of Contents Introduction Unit One Advanced Permissions Page Special Permission: setuid Special Permission: setgid Special Permission: sticky bit Access Control Lists Summary of Commands and Files Additional Resources Certification Notes Lab Exercises 47 Table of Contents 2007 One Course Source, Inc Page 2

4 Unit Two Administering Partitions Page Device names Virtual filesystems vs. physical filesystems Why have partitions? Which partitions should you create? Creating and modifying partitions with fdisk Creating and modifying partitions with parted The mkfs command The mke2fs command Create a partition label Summary of commands and files Additional Resources Certification notes Lab Exercises 77 Table of Contents 2007 One Course Source, Inc Page 3

5 Unit Three Mounting filesystems Page What is mounting? The mount command Mount rules The umount command umount rules Mounting automatically at boot The mount -a command The umount -a command Review: the df command Mounting CDs and floppy disks Swap partitions and files Summary of commands and files Additional Resources Certification notes Lab Exercises 105 Table of Contents 2007 One Course Source, Inc Page 4

6 Unit Four Administering the Filesystem Page Filesystem details The mke2fs command The ext2 and ext3 filesystems Why filesystems break Fixing filesystems with fsck fsck examples Displaying filesystem attributes Modifying filesystem attributes Summary of commands and files Additional Resources Certification notes Lab Exercises 136 Table of Contents 2007 One Course Source, Inc Page 5

7 Unit Five RAID Page RAID basics Hardware & software RAIDs RAID levels The mdadm command RAID disk recovery Summary of commands and files Additional Resources Certification notes Lab Exercises 157 Table of Contents 2007 One Course Source, Inc Page 6

8 Unit Six Logical Volumes Page What is LVM? LVM terms Initializing hard disks or partitions Creating a Volume Group Activating and deactivating a Volume Group Deleting a Volume Group Deleting a Physical Volume from a Volume Group Adding a Physical Volume to a Volume Group Displaying Volume Group information Displaying Physical Volume information Creating a Logical Volume Displaying Logical Volume information Using a Logical Volume Extending a Logical Volume Reducing a Logical Volume Making backups using snapshot Deleting a Logical Volume Summary of commands and files Additional Resources Certification notes Lab Exercises 193 Table of Contents 2007 One Course Source, Inc Page 7

9 Unit Seven Network Filesystems Page What is NFS? NFS benefits NFS daemons Starting server daemons Setting up a NFS server Setting up a NFS client Using automount Summary of commands and files Additional Resources Certification notes Lab Exercises 214 Unit Eight Disk Quotas Page Introduction to disk quotas Configuring a filesystem to support disk quotas Initializing the disk quota database Assigning quotas to user accounts Assigning quotas to group accounts Working with soft limits Displaying quota information Issuing warnings Turning quota checking on and off Summary of commands and files Additional Resources Certification notes Lab Exercises 235 Table of Contents 2007 One Course Source, Inc Page 8

10 Unit Nine Hardware Management Page Hardware Overview Compatibility Device Nodes Displaying hardware information Configuring hardware Summary of commands and files Additional Resources Certification notes Lab Exercises 252 Unit Ten Advanced X Configuration Page Overview X Window System components The process of starting X Window Server X Window security with xhost X Window security with xauth X Window security with ssh X Font Server Summary of commands and files Additional Resources Certification notes Lab Exercises 279 Table of Contents 2007 One Course Source, Inc Page 9

11 Unit Eleven Shell Scripting Page Scripting basics Review of Variable Usage Review of Quoting Arguments if statements Test conditions while loops until loops The break statement The continue statement The case statement for loops Exit Status Functions Advanced Input/Output Signals Debugging Summary of commands and files Additional Resources Certification notes Lab Exercises 333 Table of Contents 2007 One Course Source, Inc Page 10

12 Unit Twelve Fundamentals of TCP/IP Page Introduction to TCP/IP TCP/IP-based protocols IP addresses Subnetting IP routing DNS DHCP Summary of commands and files Additional Resources Certification notes Lab Exercises 352 Unit Thirteen TCP/IP Configuration Page Configuring a network interface Global network settings DNS client settings The Name Service Switch configuration file Network configuration utilities Summary of commands and files Additional Resources Certification notes Lab Exercises 400 Table of Contents 2007 One Course Source, Inc Page 11

13 Unit Fourteen Printer Management Page CUPS LPD and LPRng Setting up a CUPS printer Printing Files Monitoring the print queue Canceling print jobs Specifying a default printer Printer classes Checking printer status Managing the print queue Printing with different priorities Controlling printer status Moving print jobs Recovering from printer problems Removing a printer Summary of commands and files Additional Resources Certification notes Lab Exercises 431 Table of Contents 2007 One Course Source, Inc Page 12

14 Unit Fifteen Troubleshooting I Page Introduction to Troubleshooting User Access Problems System Boot Problems Problems with the X Window System Networking Problems Filesystem Problems Using the Troubleshooting Steps Using Recovery Run Levels The Rescue Environment Recovery Run Level Example: Recovering the root Password Rescue Mode Example: Recovering the Boot Loader Rescue Mode Example: Installing Software Summary of Commands and Files Additional Resources Certification Notes Lab Exercises 470 Page Appendix A...Preparing for Certification Exams 471 Appendix B...Preparing for RHCE and RHCT Exams 472 Appendix C...reparing for the LPI Exams 473 Appendix D...Preparing for the Linux+ Exam 474 Table of Contents 2007 One Course Source, Inc Page 13

15 Introduction About this course The series of manuals that this manual is a part of was designed with two goals in mind: 1. Prepare the student to be able to accomplish tasks on a Linux Operating System. 2. Prepare the student to take and pass Linux certification exams. The authors of this series of Linux manuals are firm believers in preparing students to not only pass certification exams, but to also to develop the experience to perform the tasks on the Linux OS. As a result, we have taken a very "hands on" and practical approach towards presenting the material as opposed to a "memorize facts" approach. We firmly believe that obtaining a certification without the ability to perform the tasks on a live system does not result in any benefit to the student. Introduction 2007 One Course Source, Inc Page 14

16 Typographical syntax Examples in this text of commands will appear in bold text and the output of the commands will appear in italic text. The commands and the output of the commands will be placed in a box to separate them from other text. Example: [student@linux1 student]$ pwd /home/student Note: "[student@linux1 student]$" is a prompt, a method the shell uses to say I m ready for a new command. Bold text within a sentence will indicate an important term or a command. Files and directories are highlighted by being placed in courier font. Introduction 2007 One Course Source, Inc Page 15

17 Using this manual while in class In many ways, class manuals are different from textbooks. Textbooks are often filled with lengthy paragraphs that explain a topic in detail. Unfortunately, this style doesn t work well in a classroom environment. Class manuals often are much more concise than textbooks. It's difficult to follow the instructor s example and read lengthy paragraphs in a book at the same time. For this purpose, class manuals are often more terse. You may consider referring to the manual occasionally while focusing primarily on the instructor's presentation. Using this manual after class The manual was designed to be used as a reference after class. If you are studying for a certification exam, each Unit has a section called "Certification Notes". This section shows you which topics in the Unit prepare you for the exam that you plan to take. You can also use this manual to assist you while working with Linux at home or at work. In addition to the information in the lecture part of the Units, each Unit has a "Additional Resources" section as well as a "Summary of Commands and Files" section to aid you in finding information. Introduction 2007 One Course Source, Inc Page 16

18 Lab Exercises The lab exercises provided in this class are intended to provide practical, hands on experience with a Linux Operating System. Students are strongly encouraged to perform the labs provided at the end of each Unit to reinforce the knowledge provided in class. If enough hard drive space is available, we highly recommended that your system be configured to be able to boot to two Linux Operating Systems. We recommend that these two Linux OSs be identical initially (same partitions, same packages installed). Use one of these OSs during lecture and another while performing lab exercises. Using this "duel boot" method will allow students to have a fully functional OS during lecture regardless of actions taken during the lab period. Introduction 2007 One Course Source, Inc Page 17

19 Which Linux distribution should you use? If your organization has already chosen a distribution of Linux, you may not have a choice in which distribution to use at work. However, you do have the choice of what distribution to use at home or what distribution to use to study for the certification exams. While just about all users and administrators have their own "favorite" distribution of Linux, the suggestions that we make here are based primarily on several practical criteria such as overall popularity, relevance to certification exams and the cost of the distribution. Choice based on popularity and cost: This criterion is by far the most difficult one as the popularity of Linux distributions is difficult to determine. Our experience tells us that Red Hat Enterprise Linux ( and SUSE ( roductsmenu_sles) are the two most popular Linux distributions in the business world. Since these two distributions are not free, other distributions are more popular in the "home" Linux world. Fedora (fedora.redhat.com/), a Red Hat-based distribution and Gentoo ( are two popular free Linux distributions Introduction 2007 One Course Source, Inc Page 18

20 Choice based on relevance to certification exams: If you are taking the LPI or Linux+ certification exams, your choice of which distribution to use to practice should not matter. Both of these exams attempt to be "distribution neutral". You should be aware, however, that the LPI exams do have one area that is somewhat "not neutral": software installation. There are two sets of utilities used to install software on Linux: Red Hat Package Management and Debian Package Management. At the time of the publication of this manual, you could choose to take an exam that has either Red Hat Package Management or Debian Package Management questions. With the RHCT and RHCE exams, the distribution choice is very important. For example, you don't want to practice on a SUSE distribution and then go take the RHCT or RHCE exam. For these exams, you want to practice on the Red Hat Enterprise Linux distribution that the exam will be given on. If you don't want to pay for this distribution, consider using either White Box Enterprise Linux ( or Fedora. Very important: If you use one of these distributions, make sure that you get one that is "close" to the Red Hat Enterprise Linux distribution that the exam is based on. Check the release dates of the distributions to make sure you have a distribution that is similar to Red Hat Enterprise Linux. Introduction 2007 One Course Source, Inc Page 19

21 A mention on Live Linux distributions: One additional factor you may consider when choosing a Linux distribution is the availability of machines or hard drive space. If you don't have a spare machine or a hard drive with "extra" space to dual boot, you may consider using a "Live" Linux distribution. Typically these are referred to as "Live CD" distributions, but some are also available on DVD. A "Live" Linux distribution is one that doesn't require any installation; you can boot the OS directly from the CD or DVD. The most popular and flexible of these distributions is Knoppix ( SUSE also has a "Live" distribution ( html). Additional "Live" distributions (as well as many other "regular" distributions) can be found on by clicking on the "distributions" link and filling out the form towards the bottom of the page. Introduction 2007 One Course Source, Inc Page 20

22 Installation instructions for after class labs If you are practicing after class, you will want to install your system in a manner that will be best for performing labs. While you may use any distribution of Linux, the labs will work best for either Red Hat Enterprise Linux or Fedora. To provide as much flexibility as possible, install your system using the following parameters: 1. Leave enough hard disk space free to allow you to add partitions as required. 2. Install the default software packages only - add packages later as needed 3. Don't modify the boot loader. 4. Don't implement a firewall Other than these general parameters, use values that work best for your environment. Introduction 2007 One Course Source, Inc Page 21

23 Class Data Files The class data files that accompanies this course contains the following: All of the examples files required for examples displayed in this manual All of the answers to the labs provided in the manual Introduction 2007 One Course Source, Inc Page 22

24 Unit One Advanced Permissions Unit topics: Page Special Permission: setuid Special Permission: setgid Special Permission: sticky bit Access Control Lists Summary of Commands and Files Additional Resources Certification Notes Lab Exercises 47 1 Advanced Permissions 2007 One Course Source, Inc Page 23

25 1.1 Special Permission: setuid When a user runs a command that accesses files, the system checks the user s permissions for the files. In some cases, this may cause problems. Consider a command like passwd. When this command runs, it edits the /etc/shadow file. If you look at the permissions of the /etc/shadow file, you will see that the permissions are: r So, when the typical user runs the passwd command and the system tries to access (modify) the /etc/shadow file, if it will deny the user access except The passwd command has a special permission set on it called setuid. When the passwd command is run and the command accesses files, the system pretends that the person accessing the file is the owner of the passwd command, not the person who is running the command. [root@ocs root]# ls -l /bin/passwd -r-sr-sr-x 3 root sys Jul /bin/passwd [root@ocs root]# id uid=10051(bob) gid=1(other) # passwd (accesses files as root, not bob) 1 Advanced Permissions 2007 One Course Source, Inc Page 24

26 To set setuid permission The setuid permission can be set using either octal or symbolic methods: root]# ls -l /usr/bin/ls -r-xr-xr-x 1 bin bin Jul /usr/bin/ls [root@ocs root]# chmod a+s /usr/bin/ls [root@ocs root]# ls -l /usr/bin/ls -r-sr-xr-x 1 bin bin Jul /usr/bin/ls [root@ocs root]# chmod a-s /usr/bin/ls [root@ocs root]# ls -l /usr/bin/ls -r-xr-xr-x 1 bin bin Jul /usr/bin/ls [root@ocs root]# [root@ocs root]# chmod 4555 /usr/bin/ls [root@ocs root]# ls -l /usr/bin/ls -r-sr-xr-x 1 bin bin Jul /usr/bin/ls [root@ocs root]# chmod 0555 /usr/bin/ls [root@ocs root]# ls -l /usr/bin/ls -r-xr-xr-x 1 bin bin Jul /usr/bin/ls Notice the s character located in the owner s permissions. This indicates that the setuid permissions is set. If the s is lower case, it means both setuid and the execute permission is set. If the S is upper case, it means only setuid (not execute) is set. 1 Advanced Permissions 2007 One Course Source, Inc Page 25

27 Be careful of setuid setuid files present a security risk on the system (especially files that are owned by root). Be careful of when you create setuid files and make sure you are aware of what setuid files are on your system You can use the find command to find which programs on the system have the setuid permission set: [root@ocs root]# find / -perm ls {output omitted} 1 Advanced Permissions 2007 One Course Source, Inc Page 26

28 1.2 Special Permission: setgid There are actually two forms of setgid permissions: setgid on a file and setgid on a directory. setgid on a file This essentially means the same thing as setuid on a file. When someone runs the command, instead of accessing files as the group the person is a part of, the system pretends the person is a member of the group the file is owned by. 1 Advanced Permissions 2007 One Course Source, Inc Page 27

29 setgid on a directory Consider the following situation: Four people from different groups in a company are working on a common project. The four users and the groups to which they belong are: User bob steve sue nick Groups staff accounting, staff payroll admin The company policy is for all users to have the umask 027. All users store the files for this project in a directory called /home/beta_prog_a 1 Advanced Permissions 2007 One Course Source, Inc Page 28

30 After a few of the users store some files in this directory, a listing of that directory looks like this: [root@ocs root]# ls -l /home/beta_prog_a total 6 -rw-r bob staff 124 Mar _data -rw-r steve accounting 575 Jul tax_table -rw-r sue payroll 560 Jul salaries -rw-r nick admin 560 Jul hr_data Based upon the above information, you will note that there is problem here. While each user can store files in the /home/beta_prog_a directory, no user can see another user s work. 1 Advanced Permissions 2007 One Course Source, Inc Page 29

31 To avoid this problem we can take four steps: 1. Create a new group (called beta in this case). 2. Place all user in the new group. 3. Give group ownership of the directory to the new group. 4. Set the setgid permission on the directory. After taking these steps, any new file in the directory home/beta_prog_a will be group owned by the new group. Example: [root@ocs root]# mkdir /home/beta_prog_a [root@ocs root]# groupadd -g 133 beta [root@ocs root]# vi /etc/group {add each user to the new group with the usermod command} [root@ocs root]# chgrp beta /home/beta_prog_a [root@ocs root]# chmod g+s /home/beta_prog_a {no output for any command} Notice the s character located in the group s permissions. This indicates that the setgid permissions is set. If the s is lower case, it means both setgid and the execute permission is set. If the S is upper case, it means only setgid (not execute) is set. 1 Advanced Permissions 2007 One Course Source, Inc Page 30

32 Be careful of setgid setgid files present a security risk on the system (especially files that are owned by system groups). Be careful of when you create setgid files and make sure you are aware of what setguid files are on your system. You can use the find command to find which programs on the system have the setgid permission set: [root@ocs root]# find / -perm ls {output omitted} 1 Advanced Permissions 2007 One Course Source, Inc Page 31

33 1.3 Special Permission: sticky bit Consider the following situation: You have a directory in which users can post announcements called /export/home/pub. In order for all users to be able to post (create files in) this directory, you need to give the permissions 777. Unfortunately, these permissions also allow any user to remove any file from the pub directory. What if a user decides to run the command rm -r * on that directory? The sticky bit permission give you the ability to allow anyone to add to a directory, but limits who can delete files in that directory. The only users who can delete files in a sticky bit directory are: 1. root 2. The owner of the directory 3. The owner of the file 1 Advanced Permissions 2007 One Course Source, Inc Page 32

34 To set sticky bit To set the sticky bit permission, use the chmod command: root]# chmod 1777 /export/home/pub root]# ls -ld /export/home/pub drwxrwxrwt 2 root other 512 Feb 18 18:11 /export/home/pub Notice the t character in the place where the x should be for others. This t tell you that the sticky bit has been set on this directory. 1 Advanced Permissions 2007 One Course Source, Inc Page 33

35 1.4 Access Control Lists Access Control Lists Essentials Consider the following situation: There are 500 user accounts on a system. The group payroll has 15 users assigned to it. Bob, who is a member of the payroll group, creates the file salaries and gives it the permissions 660. In this scenario, Bob and all the members of the payroll group have the ability to read and modify the salaries file. Nobody else can do anything with this file. The CEO of the company, who is not in the payroll group, requests to have read access to this file. There are two methods of giving the CEO access to the file: 1. Add the CEO to the payroll group. 2. Give read permission to everyone. Obviously, the second method is a very bad idea. The first method might be ok; however, there are a couple of disadvantages: #1. Each user can only be assigned to 16 groups and #2. The CEO now has access to any file that has group ownership. The ext3 filesystem includes a feature called Access Control Lists. ACL s allow you to specify permissions for individual users or groups. 1 Advanced Permissions 2007 One Course Source, Inc Page 34

36 Enable ACLs While ext3 filesystems are capable of allowing ACLs, they don't have this feature enabled by default. To enable ACLs, you need to have the filesystem mounted with the "acl" option. The mounting process will be discussed in greater detail in a future Unit. For now use the following command to enable ACLs on a filesystem: mount -o remount,acl /mount_point 1 Advanced Permissions 2007 One Course Source, Inc Page 35

37 Setting ACL s To create a new ACL for a file, use the setfacl command with the -m option. The syntax of the setfacl command when using the -m option is: setfacl --set user::perm,group::perm,other:perm,mask:perm,[user:uid:perm],[group:gid:perm] filename Note: user, group, other and mask can be abbreviated to u, g, o and m. The perm can be give either in octal format or symbolic: Symbolic Permission Octal Permission rwx 7 rw- 6 r-x 5 r-- 4 -wx 3 -w- 2 --x Advanced Permissions 2007 One Course Source, Inc Page 36

38 To give the sample.txt file the permissions of Owner: Group: Others: Mask: bob games rwx r-x r-- r-x r-x r-x...use the command: boot]# setfacl -m u::7,g::5,o:4,m:5,u:bob:5,g:games:5 sample.txt or the command: boot]# setfacl -m u::rwx,g::r-x,o:r--,m:r-x,u:bob:r-x,g:games:r-x sample.txt Note: You can also specify either a user s name or UID number. The Mask setting The mask setting enforces a maximum permission for all users and groups (except the owner) on the file. Therefore, in the previous example, bob s effective permissions are just read (not read/write). We will this setting in more detail after looking at how to display ACLs. 1 Advanced Permissions 2007 One Course Source, Inc Page 37

39 Displaying ACLs When a file has an ACL, a + character will be displayed next to the permissions of the file when you run the ls -l command: [root@ocs boot]# ls -l sample.txt -rwxr-xr--+ 1 root root 0 Jan 22 09:33 sample.txt To display ACLs, use the command getfacl: [root@ocs boot]# getfacl sample.txt # file: sample.txt # owner: root # group: root user::rwx user:bob:r-x group::r-x group:games:r-x mask::r-x other::r-- 1 Advanced Permissions 2007 One Course Source, Inc Page 38

40 More details regarding the mask setting The mask setting is intended to provide you a method of avoiding accidentally providing permissions to a file that give undesired access to the file. Unfortunately, this often means that the permissions that you specify are not the permissions that you end up getting: [root@ocs boot]# setfacl -m m:4 sample.txt [root@ocs boot]# getfacl sample.txt # file: sample.txt # owner: root # group: root user::rwx user:bo:r-x #effective:r-- group::r-x #effective:r-- group:games:r-x #effective:r-- mask::r-- other::r-- In this example, the user bob only gets read permission on the file even though our original setfacl command requested both read and write permissions. Note: If you change a user or group ACL, the mask setting may be changed as well to allow the specified permissions. 1 Advanced Permissions 2007 One Course Source, Inc Page 39

41 Removing ACLs To remove an ACL, use the -x option: boot]# setfacl -x u:bo sample.txt boot]# ls -l sample.txt -rwxr-xr-- 1 root root 0 Jan 22 09:33 sample.txt Note: If the ACL permission is the last one in the ACL table, the ACL table will be removed and the + character next to the permissions will no longer be displayed. Other useful setfacl options Option Description -b Remove all ACLs (owner, group & other permissions still apply) -R Apply ACLs to directory and all contents (recursive) 1 Advanced Permissions 2007 One Course Source, Inc Page 40

42 Default ACLs If you apply an ACL to a directory, that ACL will be applied automatically to all new files and subdirectories created within that directory. When you initially create an ACL for a directory, you must specify an ACL permission for the user owner, group owner, others and mask. You also need to specify that these are default ACLs by placing a d character in front of each permission set: [root@ocs boot]# mkdir acl_dir [root@ocs boot]# setfacl -m d:u::7,d:g::7,d:o:5,d:m:7,d:u:bob:7 acl_dir Default permission sets show up in a different location than regular ACL entries when you use the getfacl command: [root@ocs boot]# getfacl acl_dir # file: acl_dir # owner: root # group: root user::rwx group::r-x other::r-x default:user::rwx default:user:bob:rwx default:group::rwx default:mask::rwx default:other::r-x 1 Advanced Permissions 2007 One Course Source, Inc Page 41

43 Creating files in a ACL directory When you create a new file in a directory that has a default ACL set on it, the directory s ACL is applied to the new file after it has been filtered by the umask setting: [root@ocs boot]# cd acl_dir [root@ocs acl_dir]# touch acl.txt [root@ocs acl_dir]# ls -l acl.txt -rw-rw-r--+ 1 root root 0 Jan 22 09:53 acl.txt [root@ocs acl_dir]# getfacl acl.txt # file: acl.txt # owner: root # group: root user::rwuser:bo:rwx #effective:rwgroup::rwx #effective:rwmask::rwother::r-- If the permissions specified by the ACL are higher than the umask setting then the umask setting wins out. 1 Advanced Permissions 2007 One Course Source, Inc Page 42

44 Creating a subdirectory in an ACL directory When you create a directory in an ACL directory, the umask setting is not used. The ACL permissions, including the default permissions, are passed from the parent directory to the subdirectory: [root@ocs acl_dir]# mkdir new_acl [root@ocs acl_dir]# getfacl new_acl # file: new_acl # owner: root # group: root user::rwx user:bo:rwx group::rwx mask::rwx other::r-x default:user::rwx default:user:bo:rwx default:group::rwx default:mask::rwx default:other::r-x 1 Advanced Permissions 2007 One Course Source, Inc Page 43

45 1.5 Summary of Commands and Files Command chmod getfacl setfacl File None Description Changes file and directory permissions Displays ACL permissions of files and directories Sets ACL permissions on files and directories Description 1 Advanced Permissions 2007 One Course Source, Inc Page 44

46 1.6 Additional Resources Books None Web sites - Chapter #5: Files and Filesystem Security Man pages chmod getfacl setfacl 1 Advanced Permissions 2007 One Course Source, Inc Page 45

47 1.7 Certification Notes Review the following charts to determine what sections in this Unit are relevant for the exam that you are preparing for: Topic RHCT RHCE Linux+ LPI 1-1 LPI 1-2 LPI 2-1 LPI Special permission: setuid X X X X X N N 1.2 Special permission: setgid X X X X X N N 1.3 Special permission: sticky bit X X X X X N N 1.4 Access Control Lists X X X X X N N B X N Key Background - May not be on exam itself, but contains information that aids in the understanding of other topics. exam - A topic that is "testable" for this exam Not on exam - Indicates that this topic isn't on the exam and isn't needed to understand other topics on the exam. 1 Advanced Permissions 2007 One Course Source, Inc Page 46

48 1.8 Lab Exercises Scenario #1: Your boss wants a "bulletin board" directory where anyone can access (get into the directory), list files and add files (but not delete other user's files). Create this bulletin board directory as /var/board. Scenario #2: Make a user account named "zack". Create a directory called /var/data that will automatically place an ACL of rwx for the user "zack and an ACL of "rw-" for the group games on all new files and directories placed in the directory. 1 Advanced Permissions 2007 One Course Source, Inc Page 47

49 Scenario #3: Create two user accounts ("zed" and "ned") and a group called "build" and make "zack", "zed" and "ned" as members of the "build" group. Create a "share" directory called /var/build which will automatically give each new file in the directory the group ownership of "build". Test the results via one of the user accounts that you created. 1 Advanced Permissions 2007 One Course Source, Inc Page 48

50 Unit Eight Disk Quotas Unit topics: Page Introduction to disk quotas Configuring a filesystem to support disk quotas Initializing the disk quota database Assigning quotas to user accounts Assigning quotas to group accounts Working with soft limits Displaying quota information Issuing warnings Turning quota checking on and off Summary of commands and files Additional Resources Certification notes Lab Exercises Disk Quotas 2007 One Course Source, Inc Page 216

51 8.1 Introduction to disk quotas Disk quotas provide the system administrator with a way to limit disk space usage by individual users or members of groups. Quotas are implemented on a filesystem by filesystem basis. Limits can be given for both block size (1 block=1 kilobyte) and number of inodes (number of files in the filesystem). Both hard and soft limits can be provided. Users can't use more disk space than their hard limit allows. For example, if a user's block size limit is and their inode limit is 500 then the user can't use more than 50 MB of space on the filesystem or have more than 500 files on the filesystem. Soft limits provide a method of automatically issuing a warning to users when they are coming close to their hard limits. In order for soft limits to work, you also have to set a grace period for the quota. 8 Disk Quotas 2007 One Course Source, Inc Page 217

52 8.2 Configuring a filesystem to support disk quotas In order to tell the kernel that you want to implement disk quotas on a filesystem, you need to have the filesystem mounted with the "usrquota" and/or "grpquota" options. The best way to do this is to modify the /etc/fstab file: [root@ocs root]# more /etc/fstab LABEL=/ / ext3 defaults 1 1 LABEL=/boot /boot ext3 defaults 1 2 none /dev/pts devpts gid=5,mode= none /proc proc defaults 0 0 none /dev/shm tmpfs defaults 0 0 /dev/hda3 swap swap defaults 0 0 LABEL=/home /home ext3 defaults,usrquota,grpquota 1 2 /dev/cdrom /mnt/cdrom udf,iso9660 noauto,owner,kudzu,ro 0 0 /dev/fd0 /mnt/floppy auto noauto,owner,kudzu 0 0 The usrquota option will turn on quotas for users. The grpquota option will turn on quotas for groups. After modifying the /etc/fstab file, reboot the machine or remount the filesystem: [root@ocs root]# mount -o remount /home 8 Disk Quotas 2007 One Course Source, Inc Page 218

53 8.3 Initializing the disk quota database In order for disk quotas to work for users, a database must exist in the top-level directory of the filesystem. To create this database, use the quotacheck command: [root@ocs root]# quotacheck -c /home This command generates a file called aquota.user in the top-level directory of the filesystem: [root@ocs root]# ls /home aquota.user This file is used to store information regarding user's quotas in the filesystem. To enable disk quotas for groups you also need a file called aquota.group. To create this database, use the -g option to the quotacheck command: [root@ocs root]# quotacheck -c -g /home Note: If you use the -g option with the -c option, the aquota.user file will not be created. To make both the aquota.group and aquota.user databases, use the -u option with the -c and -g options. The quotacheck command is also very useful to bring the database up to date in the event that disk quotas were temporarily turned off or if the filesystem was unmounted improperly. 8 Disk Quotas 2007 One Course Source, Inc Page 219

54 Common quotacheck options Option Description -c Creates new databases, ignoring existing ones -v Verbose mode -u Check/create user database file (done by default) -g Check/create group database file (not done by default) -a Check/create database on all mounted filesystems that are Disk Quota enabled (mounted with usrquota and/or grpquota options) -m Force the creation of the databases. Turning on disk quotas The last step is to ensure that turning on quotas for the filesystem correctly initialized the databases. You can either reboot your machine, or use the quotaon command: root]# quotaon /home Note: You can use the quotaoff command to turn off quotas as well. 8 Disk Quotas 2007 One Course Source, Inc Page 220

55 8.4 Assigning quotas to user accounts To assign quotas to user accounts, use the edquota command. The edquota command will start an editor and display the data from the aquota.user file. By default, the edquota command will use the vi editor. To override this, set either the EDITOR or VISUAL environment variables to your preferred editor prior to running edquota. The -u option to the edquota command will allow you to edit user quota entries. This option is assumed by default, so you can drop it when you run the edquota command: root]# edquota julia Disk quotas for user julia (uid 501): Filesystem blocks soft hard inodes soft hard /dev/hda The fields under "blocks" and "inodes" are for information use only. They indicate how many blocks and inodes the user is currently using. The following is an example of a user who is limited to 50MB of disk space on the filesystem and 100 files (inodes) on the filesystem: [root@ocs root]# edquota julia Disk quotas for user julia (uid 501): Filesystem blocks soft hard inodes soft hard /dev/hda Disk Quotas 2007 One Course Source, Inc Page 221

56 Assigning quotas to multiple users Assigning quotas to multiple users "by hand" can be a time consuming task. To avoid this waste of time, you can make use of the -p option to the edquota command. The -p option allows you to specify a "prototypical user" and apply this user's quotas to multiple users. For example, the following command will apply julia's quotas to bob, sue and tim: [root@ocs root]# edquota -p julia bob sue tim {no output} You can also use the awk utility to grab usernames from the /etc/passwd file: [root@ocs root]# edquota -p julia `awk -F: '$3 > 500 {print $1}' /etc/passwd` {no output} Note: The characters surrounding the awk command are backquotes, not single quotes. You can also "copy" a user's quotas for a specific filesystem by using the -f option: [root@ocs root]# edquota -f /home -p julia bob sue tim {no output} 8 Disk Quotas 2007 One Course Source, Inc Page 222

57 8.5 Assigning quotas to group accounts To assign quotas to group accounts, use the edquota command with the -g option: root]# edquota -g games Disk quotas for group games (gid 20): Filesystem blocks soft hard inodes soft hard /dev/hda It is important to remember that all members of this group will have these limits imposed on them. If a user has limits assigned to his/her user account and to a group that they belong to, then the most restrictive quotas apply. 8 Disk Quotas 2007 One Course Source, Inc Page 223

58 8.6 Working with soft limits In order for soft limits to work, you need to first specify a grace period. When a user exceeds a soft limit, they can continue to use disk space/inodes until the grace period expires. Once the grace period expires, the soft limit reverts to a hard limit until the user's disk usage falls below the soft limit. To modify the grace period, use the -t option to the edquota command: [root@ocs root]# edquota -t Grace period before enforcing soft limits for users: Time units may be: days, hours, minutes, or seconds Filesystem Block grace period Inode grace period /dev/hda6 7days 7days Note that grace periods are assigned to the filesystem, not the user. You can specify a different grace period for disk space usage (block usage) or number of files (inodes usage). 8 Disk Quotas 2007 One Course Source, Inc Page 224

59 8.7 Displaying quota information To display quota information for a filesystem, use the repquota command: [root@ocs root]# repquota /home *** Report for user quotas on device /dev/hda6 Block grace time: 7days; Inode grace time: 7days Block limits File limits User used soft hard grace used soft hard grace root julia Note: to get an "up-to-date" picture, you may want to run the quotacheck command with the "-augv" options. This is due to the fact that when changes occur in the filesystem, some changes are stored in memory for a short period of time and will not "show up" in the aquota.users and aquota.groups files. Common repquota options Option Description -v Verbose (shows statistics) -n Show UID/GIDs, not username/groupnames -u Report quotas for users (default) -g Report quotas for groups 8 Disk Quotas 2007 One Course Source, Inc Page 225

60 To display disk quota information for a specific user or group, use the quota command: [root@ocs root]# quota julia Disk quotas for user julia (uid 501): Filesystem blocks quota limit grace files quota limit grace /dev/hda Common quota options Option Description -u Print quotas for specified user (default) -g Print quotas for specified group -v Verbose output 8 Disk Quotas 2007 One Course Source, Inc Page 226

61 8.8 Issuing warnings You can have a warning sent to users who have reached their quota limits by using the warnquota command. This command makes use of three files in the /etc directory: warnquota.conf, quotatab, and quotagrpadmins. The /etc/warnquota.conf file This file contains general settings for the warnquota command, most of which are self-explanatory. A typical warnquota.conf file would look like the following: [root@ocs root]# more /etc/warnquota.conf # this is an example warnquota.conf # and # type comments are allowed # and even blank lines # values can be quoted: MAIL_CMD = "/usr/sbin/sendmail -t" FROM = # but they don't have to be: # SUBJECT = NOTE: You are exceeding your allocated disk space limits CC_TO = "root@localhost" SUPPORT = "root@myhost.com" PHONE = "(123) or (222) " # Text in the beginning of the mail (if not specified, default text is used) # This way text can be split to more lines 8 Disk Quotas 2007 One Course Source, Inc Page 227

62 # Line breaks are done by ' ' character # MESSAGE = Your disk usage has exceeded the agreed limits\ on this server Please delete any unnecessary files on following filesystems: # Text in the end of the mail (if not specified, default text using SUPPORT and PHONE # is created) SIGNATURE = root@localhost # Following text is used for mails about group exceeding quotas # It should contain string %s exactly once - it will be substituted for a group name GROUP_MESSAGE = Hello, a group '%s' you're member of use too much space. \ I chose you to do the cleanup. Delete group files on following filesystems: # Text in the end of the mail to the group (if not specified, default text using SUPPORT # and PHONE is created). GROUP_SIGNATURE = See you! Your admin # # end of example warnquota.conf file # 8 Disk Quotas 2007 One Course Source, Inc Page 228

63 The /etc/quotatab file This file allows you to specify descriptions for each filesystem. These descriptions will be used to indicate to the user the purpose of the filesystem. A typical /etc/quotatab file looks like the following: [root@ocs root]# more /etc/quotatab # # This is sample quotatab (/etc/quotatab) # Here you can specify description of each device for user # # Comments begin with hash in the beginning of the line # Example of description /dev/loop0: This is loopback device /dev/hda4: Your home directory Note: If this file does not exist, you will receive an error when you run the warnquota command: warnquota: Can't open /etc/quotatab: No such file or directory Will use device names. 8 Disk Quotas 2007 One Course Source, Inc Page 229

64 The /etc/quotagrpadmins file The quotagrpadmins file is used to specify "disk quota group administrators". When warnquota is run, quota group administrators will receive in the event that their group has reached a quota limit. A typically example of this file: [root@ocs root]# more /etc/quotagrpadmins # # This is a sample groupadmins file (/etc/quotagrpadmins) # # Comments begin with hash in the beginning of the line # In this file you specify users responsible for space used by the group users: root mygroup: chief Note: Regular group members do not receive s from the warnquota command. A user has to be defined as a quota group administrator of a group to receive these s. Common warnquota options Option Description -u Check users for quota limits (performed by default) -g Check groups for quota limits (not performed by default) 8 Disk Quotas 2007 One Course Source, Inc Page 230

65 8.9 Turning quota checking on and off To turn quota checking off, use the quotaoff command: root]# quotaoff /home To turn quota checking on, use the quotaon command: root]# quotaon /home Common quotaoff and quotaon options Option Description -a Turn off/on quota check (both users and groups) for all filesystems -v Display verbose messages -u Turn off/on quota checking only for users (defaults to both group and users) -g Turn off/on quota checking only for groups (defaults to both group and users) 8 Disk Quotas 2007 One Course Source, Inc Page 231

66 8.10 Summary of commands and files Command edquota mount quota quotacheck quotaoff quotaon repquota warnquota Description Edits a user's or group's quotas or sets a filesystem's grace periods. Mounts a filesystem. Displays a quota report for a user or a group. Creates or updates the quota database for a filesystem. Turns quota checking off for a filesystem Turns quota checking on for a filesystem Displays a quota report for a filesystem. Sends users warning based on their quota limits File /etc/fstab /etc/quotagrpadmins /etc/quotatab /etc/warnquota.conf Description Tells the system how to mount filesystems at boot. Allows you to specify "administrators" for groups who will receive warning messages if their group has reached a quota limit. Used by the warnquota command to provide descriptions of filesystems to users. The configuration file of the warnquota command. 8 Disk Quotas 2007 One Course Source, Inc Page 232

67 8.11 Additional Resources Books None. Web sites - Chapter The Quota mini-howto Man pages edquota mount quota quotacheck quotaoff quotaon repquota warnquota 8 Disk Quotas 2007 One Course Source, Inc Page 233

68 8.12 Certification notes Review the following charts to determine what sections in this Unit are relevant for the exam that you are preparing for: Topic RHCT RHCE Linux+ LPI 1-1 LPI 1-2 LPI 2-1 LPI Introduction to disk quotas X X N X X N N 8.2 Configuring a filesystem to X X N X X N N support disk quotas 8.3 Initializing the disk quota X X N X X N N database 8.4 Assigning quotas to user X X N X X N N accounts 8.5 Assigning quotas to group X X N X X N N accounts 8.6 Working with soft limits X X N X X N N 8.7 Displaying quota information X X N X X N N 8.8 Issuing warnings X X N X X N N 8.9 Turning quota checking on and off X X N X X N N B X N Key Background - May not be on exam itself, but contains information that aids in the understanding of other topics. exam - A topic that is "testable" for this exam Not on exam - Indicates that this topic isn't on the exam and isn't needed to understand other topics on the exam. 8 Disk Quotas 2007 One Course Source, Inc Page 234

69 8.13 Lab Exercises Scenario: Create the following user and group accounts: user accounts: jed, fred, ned, ted, red group accounts: hardware, software Make "hardware" the primary group for jed, fred and ted. Make "software" the primary group for ned and red. Implement the following quotas for the /home filesystem: User/group soft blocks hard blocks soft inodes hard inodes jed ted fred hardware software Test the user's quotas by using the su command to access their accounts and running the du command to generate large files. For example, the following command will create a file called "filename" in the current directory that is 1 megabyte in size: dd if=/dev/zero of=filename bs=1m count=1 8 Disk Quotas 2007 One Course Source, Inc Page 235

70 Unit Thirteen TCP/IP Configuration Unit topics: Page Configuring a network interface Global network settings DNS client settings The Name Service Switch configuration file Network configuration utilities Summary of commands and files Additional Resources Certification notes Lab Exercises TCP/IP Configuration 2007 One Course Source, Inc Page 353

71 13.1 Configuring a network interface Note: Some of the following material was covered in the "Linux Level I" courseware and is included here for reference and review. In order to configure a network interface, you first need to determine if your machine will be a DHCP client or have its network parameters statically assigned. DHCP client configuration Assuming that you have a single Ethernet network card, you can set the machine up to be a DHCP client by setting the following settings in the /etc/sysconfig/network-scripts/ifcfg-eth0 file as shown below: [root@ocs /root]# more /etc/sysconfig/network-scripts/ifcfg-eth0 DEVICE=eth0 BOOTPROTO=dhcp ONBOOT=yes Note: the /var/lib/dhcp/dhclient-eth0.leases file holds DHCP information. 13 TCP/IP Configuration 2007 One Course Source, Inc Page 354

72 Using static settings To set your interface for a static IP address, use settings like the following example: [root@ocs /root]# more /etc/sysconfig/network-scripts/ifcfg-eth0 DEVICE=eth0 BOOTPROTO=static IPADDR= NETMASK= ONBOOT=yes 13 TCP/IP Configuration 2007 One Course Source, Inc Page 355

73 Configuration settings The following chart illustrates the common configuration settings in the "ifcfg" file: Setting Description BOOTPROTO Can be set to "static", "dhcp" or "bootp". BROADCAST Specifies the broadcast address. On most Linux systems, this directive is deprecated. DEVICE Specifies the device name. IPADDR Specifies the IP address of this interface. NETMASK Specifies the subnet mask of this interface. NETWORK Specifies the network address. On most Linux systems, this directive is deprecated. ONBOOT Can be set to "yes" or "no". USERCTL Set to "yes" allows non-root users to control the interface (bring it up & down, can IP settings "on the fly", etc.). Set to "no" (or not set at all) allows only root to control the interface. Additional network cards If you have more than one Ethernet network card, the first would be referred to as "eth0" and the second would be referred to as "eth1". The configuration file for the second card would be /etc/sysconfig/network-scripts/ifcfgeth1. All additional Ethernet interface cards would also be sequentially numbered. 13 TCP/IP Configuration 2007 One Course Source, Inc Page 356

74 Interface names While Ethernet network cards are called "ethn", other network cards have different names: Type Name PPP (Point-to-Point Protocol) pppn Token Ring trn FDDI (Fiber Distributed Data Interface) fddin The configuration files for these network cards follow the same "syntax" as the Ethernet card configuration files (/etc/sysconfig/networkscripts/ifcfg-ppp0 for example). Device modules The interface names above are provided for our (system administrators) benefit. In order for the network device to function properly, a kernel module needs to be loaded. When the network device is started, the kernel looks in the /etc/modules.conf file to determine what module to load for the network device. On most systems, the required entry in this file is automatically generated: [root@ocs /root]# grep eth0 /etc/modules.conf alias eth0 e TCP/IP Configuration 2007 One Course Source, Inc Page 357

75 Assigning multiple IP addresses to an interface You can assign more than one IP address to a single network card. An example of when you might do this is when you are hosting several web sites on a single machine. Each web site will have a separate IP address. Instead of installing many network cards, you can bind multiple IP addresses to a single network card. There are two methods that you can use to bind multiple IP addresses to a single network card: Separate configuration file method To bind a second IP address to the eth0 device, create a file named "/etc/sysconfig/network-scripts/ifcfg-eth0:0" and place the network settings in this file: [root@ocs /root]# more /etc/sysconfig/network-scripts/ifcfg-eth0:0 DEVICE=eth0:0 BOOTPROTO=static IPADDR= NETMASK= ONBOOT=yes Note the DEVICE setting. This is an important detail that is often overlooked. Additional files (eth0:2, eth0:3, etc.) can also be created. 13 TCP/IP Configuration 2007 One Course Source, Inc Page 358

76 Range configuration file To bind a range of multiple IP addresses to the eth0 device, create a file named "/etc/sysconfig/network-scripts/ifcfg-eth0-range0" and place the following network settings in this file: [root@ocs /root]# more /etc/sysconfig/network-scripts/ifcfg-eth0-range0 DEVICE=eth0-range0 IPADDR_START= IPADDR_END= CLONENUM_START=0 NETMASK= ONBOOT=yes You can have more than one range file as long as all of the IP addresses are within a single "Class C-sized" network. 13 TCP/IP Configuration 2007 One Course Source, Inc Page 359

77 Assigning static routes In some cases you may have more than one router attached to your local network. For example, your network may have a router that connects to the network and one or more routers that connect to internal networks. You can specify which router to send network packets to based on the destination IP address of the packet. This can be done by adding entries to the /etc/sysconfig/network-scripts/route-eth0 or /etc/sysconfig/networking/devices/eth0.route files. The /etc/sysconfig/network-scripts/route-eth0 file To assign a static route using this file, add a line with the following syntax: IP_address/CIDR_subnet via Router_IP For example, the following line will send packets destined for the class C network to the machine: /24 via Additional entries can be added on separate lines. 13 TCP/IP Configuration 2007 One Course Source, Inc Page 360

78 The /etc/sysconfig/networking/devices/eth0.route file In this file, you specify static routes using the following syntax: ADDRESS0=IP_address NETMASK0=VLSM_subnet GATEWAY=Router_IP_address For example, the following line will send packets destined for the class C network to the machine: ADDRESS0= NETMASK0= GATEWAY0= Additional static routes can be added using the notation "ADDRESS1", "ADDRESS2", etc. 13 TCP/IP Configuration 2007 One Course Source, Inc Page 361

79 13.2 Global network settings The "global" network settings are stored in the /etc/sysconfig/network file: /root]# more /etc/sysconfig/network NETWORKING=yes HOSTNAME=linux84 GATEWAY= The typical settings in this file include the following: Setting Description HOSTNAME Specifies the machine's host name. Regardless of the number of IP addresses bound to the machine, it should only have one "host name". GATEWAY The router to gain access to another network. This setting could be placed in the "ifcfg" file as well. If placed in both files, the setting in the "network" file will override the setting in the "ifcfg" file. NETWORKING Set to "yes" will start networking at boot. Set to "no" will tell the system to not start networking at boot. NISDOMAIN If this machine is part of a NIS domain, the domain name should be specified here. NIS is a topic covered in a later class. 13 TCP/IP Configuration 2007 One Course Source, Inc Page 362

80 13.3 DNS client settings If you want to set your machine up to be a DNS client, add the following settings to the /etc/resolv.conf file: [root@ocs /root]# more /etc/resolv.conf nameserver nameserver The typical settings in this file include the following: Setting Description nameserver Specifies the IP address of the DNS server. Servers are searched in the order that they appear in this file. If the first server doesn't respond, the secondary nameserver is consulted. search A list (separated by spaces) of domains to use when a relative host name is given. For example, if the search setting is "search example.com sample.com" and the host name "ted" is provided, then "ted.example.com" will be queried. If the DNS result is negative (no such machine), then "ted.sample.com" will be queried. options Allows the parameters of how DNS queries are performed to be modified. For example, "options timeout:5" tells DNS to wait 5 seconds for a DNS server to respond before returning a "time out" result. These can also be modified in the /usr/include/resolv.h file. See the man page for "resolv.conf" for more examples. 13 TCP/IP Configuration 2007 One Course Source, Inc Page 363

81 Modifying the host table Instead of using a DNS server to resolve machines in your local network, you may want use the /etc/hosts file. As we will see later, this file is normally consulted in the event that a DNS server doesn't provide the requested information: [root@ocs /root]# more /etc/hosts # Do not remove the following line, or various programs # that require network functionality will fail ocs localhost.localdomain localhost student1 Note: The IP address is a special IP that represents the machine itself. Don't delete this IP address as some local services require it to function properly. 13 TCP/IP Configuration 2007 One Course Source, Inc Page 364

82 13.4 The Name Service Switch configuration file The /etc/nsswitch.conf file tells Linux which databases to look in for system information. You can use this file to tell Linux where to look for hostname to IP address translation by using the "hosts" setting: /root]# more /etc/nsswitch.conf {output omitted} # Legal entries are: # # nisplus or nis+ Use NIS+ (NIS version 3) # nis or yp Use NIS (NIS version 2), also called YP # dns Use DNS (Domain Name Service) # files Use the local files # db Use the local database (.db) files # compat Use NIS on compat mode # hesiod Use Hesiod for user lookups # [NOTFOUND=return] Stop searching if not found so far {output omitted} hosts: files dns {output omitted} 13 TCP/IP Configuration 2007 One Course Source, Inc Page 365

83 Databases in the /etc/nsswitch.conf file Each line in the /etc/nsswitch.conf file has the following format: database service ([reaction]) (service [reaction]) For networking, the only important "database" is hosts. The following chart illustrates some of the other databases: Database Description aliases Specifies the locations of the mail aliases database (may not be used for all mail servers) group Specifies the locations of groups database for group accounts. hosts Specifies the locations of host name to IP translation databases. passwd Specifies the locations of passwd database for user accounts. rpc Specifies the locations of Remote Procedure Call database. services Specifies the locations of the network services databases. shadow Specifies the locations of shadow database for user accounts. For this Unit, we will focus on the hosts database as the other databases don't relate to basic network setup and function. In other Units and classes, we will cover the other databases in more detail. 13 TCP/IP Configuration 2007 One Course Source, Inc Page 366

84 Services in the /etc/nsswitch.conf file The /etc/nsswitch.conf file has the services that you are allowed to specify: /root]# more /etc/nsswitch.conf {output omitted} # Legal entries are: # # nisplus or nis+ Use NIS+ (NIS version 3) # nis or yp Use NIS (NIS version 2), also called YP # dns Use DNS (Domain Name Service) # files Use the local files # db Use the local database (.db) files # compat Use NIS on compat mode # hesiod Use Hesiod for user lookups # [NOTFOUND=return] Stop searching if not found so far Typically "dns", "files" or "nis" will be used in conjunction with the "hosts" database. 13 TCP/IP Configuration 2007 One Course Source, Inc Page 367

85 Reactions in the /etc/nsswitch.conf file You can tell your system to react in an alternative manner when a database query result is returned. The format for this is: database service [STATUS=ACTION] The STATUS is the return value provided when the database lookup is completed. There are four possible STATUS returns: STATUS Default Action Description success return Information was found and returned. notfound continue Service responded, but information was not found. unavail continue Service doesn't respond at all. tryagain continue Service responds, but is not available to provide information. The "continue" action means "check the next service if there is one". The "return" action means "stop checking services and provide application with results given by service. Typically the default action for each STATUS is best. In some cases you may wish to modify the default action. For example, the following line will change the default action of the "unavail" STATUS: hosts nis [NOTFOUND=return] files 13 TCP/IP Configuration 2007 One Course Source, Inc Page 368

86 13.5 Network configuration utilities There are many tools that can be used to view network information, change network information on the fly or change the network configuration files for you. This section explores the most common of these tools. Using the Network Configuration (neat) tool The Network Configuration tool can be used to modify basic network information. It is accessed by typing the command neat within a shell: [root@ocs /root]# neat The neat tool will function both in a GUI and in text mode. See the next few pages for more details regarding neat. 13 TCP/IP Configuration 2007 One Course Source, Inc Page 369

87 On the "Devices" tab you can view the interfaces that have been configured for your system: 13 TCP/IP Configuration 2007 One Course Source, Inc Page 370

88 If you click on a interface and then click "Edit", you can modify some of the features of the interface such as it's IP address, subnet mask, and default gateway. Keep in mind that these values are stored in a file previously mentioned. 13 TCP/IP Configuration 2007 One Course Source, Inc Page 371

89 The "Route" tab allows you to set up specific static routes for this interface: 13 TCP/IP Configuration 2007 One Course Source, Inc Page 372

90 The "Hardware Device" tab allows you to specify the type of interface (kernel module to load), the alias number (eth0, eth1, etc.), and the network card's MAC address: 13 TCP/IP Configuration 2007 One Course Source, Inc Page 373

91 In the main window, the "Hardware" tab displays the network cards (adapters) recognized by your system: 13 TCP/IP Configuration 2007 One Course Source, Inc Page 374

92 If you choose a network adapter and click "Edit", you can specify the parameters of the network card: 13 TCP/IP Configuration 2007 One Course Source, Inc Page 375

93 In the main window, the DNS tab allows you to specify your machine's hostname and DNS settings: 13 TCP/IP Configuration 2007 One Course Source, Inc Page 376

94 The "Hosts" tab allows you to modify your local host table (/etc/hosts): 13 TCP/IP Configuration 2007 One Course Source, Inc Page 377

95 Using the netconfig tool The netconfig tool is a text-based utility that allows you to modify some of your network parameters. Type "netconfig" at the command to start the utility: 13 TCP/IP Configuration 2007 One Course Source, Inc Page 378

96 After selection "yes", you are provided with the following screen: By default, netconfig modifies your primary network card's parameters (eth0 in most cases). To modify another network card's parameters, use the --device option (example: netconfig --device eth1). This method can also be used to create devices such as eth0:0. 13 TCP/IP Configuration 2007 One Course Source, Inc Page 379