LPIC 2 Certification: Henk Klöpping

LPIC 2 Certification
Henk Klpping
Preface
This book reflects the efforts of a number of experienced Linux professionals to prepare
for the LPIC-2 beta-exam. It is -- and always will be -- a work in progress. The authors
preiously obtained LPIC-! leels" and wanted to participate in the beta-exam for arious
reasons# to help LPI with their beta-testing" to learn from it and to help others to pass the
exam. $nd" last but not least# for the fun of it.
In my opinion" one of the most important mile stones set in the Linux world is the
possibility for certifying our skills. $dmittedly" you do not need certification to write
%pen &ource software or %pen &ource documentation - your peers certainly will not ask
for a certificate" but will 'udge you by your work.
(ut Linux is not 'ust a nice toy for software-engineers. It has always been a ery stable
and trustworthy operating system - een more so in comparison with it)s closed-source
alternaties. *rien by closed source endors) +uestionable license policies" security
risks" bugs and endor-lock" more and more IT-managers choose the Linux alternatie.
Though it)s perfectly feasible to out-source system management for Linux systems - a lot
of ma'or and minor players support Linux nowadays and Linux is stable as a rock - a
large number of companies prefer hiring their own sysadmins. $las" most recruiters
would not know a Linux admin if he fell on them. These recruiters need a way to certify
the skills of their candidates. $nd the candidates need a way to proe their skills" both to
themseles and to the recruiter.
$ number of organi,ations offer Linux certification. &ome of them are commercial
organi,ations" that both certify and educate. &ome of them certainly do a fine 'ob - but I
sincerely beliee certification organi,ations should be independent" especially from
educational organi,ations. The Linux Professional Institute fulfills these prere+uisites.
They also are a part of our community. &upport them.
The first drafts of this book were written by a limited amount of people. -e had limited
time# we were offered the opportunity to do beta-exams in $ugust 2..! and had to take
the exam in &eptember. Therefore" aboe all the authors had to proe to be good at
cutting and pasting other peoples work. It is up to you to 'udge our efforts" and"
hopefully" improe our work. To the many people we unintentionally forgot to gie credit
where due" from the bottom of our hearts# we thank you.
/enk 0l1pping" &eptember 2..!
- 2 -
Contents
Henk Klpping .................................................................................................................. 1
Preface ................................................................................................................................. 2
Contents .............................................................................................................................. 3
Chapter 1. Linux Kernel (2.21! .................................................................................13
"opics ................................................................................................................................ 13
Kernel Co#ponents (2.21.1! ........................................................................................ 1$
*ifferent types of kernel images ................................................................................ !2
3ote ............................................................................................................................ !2
Identifying stable and deelopment kernels and patches .......................................... !2
4sing kernel modules ................................................................................................ !5
Co#piling a Kernel (2.21.2! ......................................................................................... 23
6etting the kernel sources .......................................................................................... 22
Creating a .config file ................................................................................................ 22
3ote ............................................................................................................................ 27
3ote ............................................................................................................................ 27
Compiling the kernel .................................................................................................. 27
Installing the new kernel ............................................................................................ 28
3ote ............................................................................................................................ 9.
mkinitrd ...................................................................................................................... 9!
Patching a Kernel (2.21.3! ............................................................................................ 3%
Patching a kernel ........................................................................................................ 9:
;emoing a kernel patch from a production kernel ................................................... 97
Custo#i&ing a Kernel (2.21.$! ..................................................................................... 3'
kmod ersus kerneld .................................................................................................. 9<
Chapter 2. (yste# (tartup (2.22!................................................................................$1
Custo#i&ing syste# startup an) *oot processes (2.22.1! ........................................ $2
The Linux (oot process ............................................................................................ 22
-hat happens next" what does =sbin=init do> ............................................................ 2:
(yste# reco+ery (2.22.2! .............................................................................................. ,2
Influencing the regular boot process ......................................................................... 52
The ;escue (oot process .......................................................................................... 55
Chapter 3. -ilesyste# (2.23!.........................................................................................,.
/perating "he Linux -ilesyste# (2.23.1! ................................................................... ,'
The ?ile /ierarchy ..................................................................................................... 58
?ilesystems ................................................................................................................. 5<
Important .................................................................................................................... 5<
Creating ?ilesystems .................................................................................................. :.
@ounting and 4nmounting ........................................................................................ :.
&wap ........................................................................................................................... :9
0aintaining a Linux -ilesyste# (2.23.2! .................................................................... %$
fsck Afsck.e2fsB ........................................................................................................... :5
tune2fs ........................................................................................................................ :7
dumpe2fs .................................................................................................................... :8
- 9 -
badblocks ................................................................................................................... :<
debugfs ....................................................................................................................... :<
Creating 1n) Configuring -ilesyste# /ptions (2.23.3! .......................................... .
$utofs and automounter ............................................................................................. 7.
C*-;%@ filesystem .................................................................................................. 7!
Chapter $. Har)ware (2.2$!..........................................................................................,
Configuring 2134 (2.2$.1! ........................................................................................... .%
-hat is ;$I*> ........................................................................................................... 7:
;$I* leels ............................................................................................................... 7:
/ardware ;$I* ......................................................................................................... 77
&oftware ;$I* .......................................................................................................... 78
Configuring ;$I* Ausing mkraid and raidstartB ........................................................ 78
mkraid ........................................................................................................................ 7<
Persistent superblocks ................................................................................................ 7<
=etc=raidtab .................................................................................................................. 8.
3ote ............................................................................................................................ 8.
Configuring ;$I* using mdadm ............................................................................... 8!
1))ing 5ew Har)ware (2.2$.2! ................................................................................... '1
(us structures ............................................................................................................. 8!
4&( deices ............................................................................................................... 82
&erial deices ............................................................................................................. 8:
Configuring disks ....................................................................................................... 88
Configuring output deices ........................................................................................ 8<
(oftware 1n) Kernel Configuration (2.2$.3! ............................................................ 6
Configuring ?ilesystems ............................................................................................ <!
Configuring kernel options ........................................................................................ <!
Configuring Logical Colume @anagement ............................................................... <2
Configuring I*D C* burners ..................................................................................... <2
Configuring harddisks using hdparm ......................................................................... <5
Configuring PC0C31 4e+ices (2.2$.$! ...................................................................... 6%
%eriew of PC@CI$ ............................................................................................... <7
The cardmgr ............................................................................................................... <7
Card &erices for Linux ............................................................................................. <8
3ewer kernels and PC@CI$ ..................................................................................... <8
The cardctl and cardinfo commands .......................................................................... <8
Chapter ,. 5etworking (2.2,!....................................................................................1
7asic 5etworking Configuration (2.2,.1! ................................................................ 1
Configuring the network interface ........................................................................... !..
PPP ........................................................................................................................... !.9
1)+ance) 5etwork Configuration an) "rou*leshooting (2.2,.2! ........................ 11,
Cirtual Priate 3etwork ........................................................................................... !!5
Troubleshooting ....................................................................................................... !2.
Chapter %. 0ail 8 5ews (2.2%!..................................................................................12.
Configuring #ailing lists (2.2%.1! .............................................................................. 12.
Installing @a'ordomo ............................................................................................... !27
Creating a @ailing list ............................................................................................. !28
- 2 -
@aintaining a @ailinglist ......................................................................................... !9.
9sing (en)#ail (2.2%.2! .............................................................................................. 131
&endmail configuration ............................................................................................ !92
mail aliases ............................................................................................................... !9:
0anaging 0ail "raffic (2.2%.3! ................................................................................. 13.
Procmail ................................................................................................................... !97
(er+ing news (2.2%.$! ................................................................................................... 1$
Internet 3ews ........................................................................................................... !2.
Chapter .. 45( (2.2.!.................................................................................................1$$
7asic 7354 ' configuration (2.2..1! ......................................................................... 1$,
3ame-serer parts in (I3* ..................................................................................... !2:
The named.conf file ................................................................................................. !2:
3ote .......................................................................................................................... !28
3ote .......................................................................................................................... !28
3ote .......................................................................................................................... !5!
Conerting (I3* 2 to (I3* 8 configuration ..................................................... !5!
3ote .......................................................................................................................... !5!
The named name serer daemon .............................................................................. !5!
The ndc program ...................................................................................................... !52
&ending signals to named ........................................................................................ !52
Controlling named with a start=stop script .............................................................. !59
Create 1n) 0aintain 45( :ones (2.2..2! ............................................................... 1,3
Eones and reerse ,ones .......................................................................................... !52
3ote .......................................................................................................................... !57
3ote .......................................................................................................................... !5<
3ote .......................................................................................................................... !:.
3ote .......................................................................................................................... !:.
3ote .......................................................................................................................... !:2
@aster and slae serers .......................................................................................... !:2
3ote .......................................................................................................................... !:9
3ote .......................................................................................................................... !:2
Creating subdomains ................................................................................................ !:2
3ote .......................................................................................................................... !:5
*3& 4tilities ........................................................................................................... !::
3ote .......................................................................................................................... !:7
3ote .......................................................................................................................... !:8
3ote .......................................................................................................................... !:8
(ecuring a 45( (er+er (2.2..3! ................................................................................. 1%'
*3& &ecurity &trategies .......................................................................................... !:<
3ote .......................................................................................................................... !:<
@aking information harder to get ............................................................................ !:<
3ote .......................................................................................................................... !72
Controlling re+uests ................................................................................................. !72
Limiting effects of an intrusion ................................................................................ !79
3ote .......................................................................................................................... !72
3ote .......................................................................................................................... !75
- 5 -
Important .................................................................................................................. !7:
3ote .......................................................................................................................... !77
&ecuring name serer connections ........................................................................... !78
3ote .......................................................................................................................... !78
3ote .......................................................................................................................... !7<
3ote .......................................................................................................................... !7<
3ote .......................................................................................................................... !8.
Internal *3& ............................................................................................................ !8!
3ote .......................................................................................................................... !89
3ote .......................................................................................................................... !82
3ote .......................................................................................................................... !88
3ote .......................................................................................................................... !8<
Chapter '. ;e* (er+ices (2.2'!.................................................................................1'6
3#ple#enting a ;e* (er+er (2.2'.1! ........................................................................ 16
Installing the $pache web-serer ............................................................................. !<!
@odularity ................................................................................................................ !<!
;un-time loading of modules A*&%B ....................................................................... !<2
Tip ............................................................................................................................ !<9
Dncrypted webserers# &&L ..................................................................................... !<9
@onitoring $pache load and performance .............................................................. !<:
$pache accessFlog file ............................................................................................. !<:
;estricting client user access ................................................................................... !<7
Configuring authentication modules ........................................................................ !<8
3ote .......................................................................................................................... !<<
4ser files .................................................................................................................. 2..
6roup files ............................................................................................................... 2..
3ote .......................................................................................................................... 2.!
Configuring modFperl .............................................................................................. 2.!
Configuring modFphp support ................................................................................. 2.9
Configuring $pache serer options ......................................................................... 2.2
0aintaining a ;e* (er+er (2.2'.2! ........................................................................... 2$
$pache Cirtual /osting ........................................................................................... 2.5
Tip ............................................................................................................................ 2.5
Tip ............................................................................................................................ 2.:
Customi,ing file access ............................................................................................ 2.<
/ow to create a &&L serer Certificate .................................................................... 2.<
Tip ............................................................................................................................ 2!.
3#ple#enting a Proxy (er+er (2.2'.3! ...................................................................... 21
-eb-caches .............................................................................................................. 2!.
s+uid ......................................................................................................................... 2!!
Tip ............................................................................................................................ 2!9
;edirectors ............................................................................................................... 2!9
$uthenticators .......................................................................................................... 2!2
&ecurity Issue ........................................................................................................... 2!5
$ccess policies ......................................................................................................... 2!:
$uthenticator allow rules act as deny rulesG ............................................................ 2!8
- : -
s+uid always adds a default $CLG ........................................................................... 2!8
4tili,ing memory usage ........................................................................................... 2!8
Chapter 6. -ile an) (er+ice (haring (2.26!..............................................................22
Configuring a (a#*a (er+er (2.26.1! ...................................................................... 221
-hat is &amba> ....................................................................................................... 22!
Installing the &amba components ........................................................................... 22!
$n example of the functionality we wish to achiee .............................................. 222
$ccessing &amba shares from -indows 2... ....................................................... 229
$ccessing -indows or &amba shares from a Linux &amba client ......................... 29!
&ending a message with smbclient ......................................................................... 292
4sing a Linux &amba printer from -indows 2... ................................................ 295
4sing a -indows printer from Linux ..................................................................... 29<
&etting up an nmbd -I3& serer ........................................................................... 225
Creating logon scripts for clients ............................................................................ 22:
Configuring an 5-( (er+er (2.26.2! ......................................................................... 2$.
3?& - The 3etwork ?ile &ystem .............................................................................. 227
3ote .......................................................................................................................... 228
&etting up 3?& ......................................................................................................... 228
3ote .......................................................................................................................... 228
3ote .......................................................................................................................... 259
Caution ..................................................................................................................... 252
3ote .......................................................................................................................... 257
-arning .................................................................................................................... 257
3ote .......................................................................................................................... 25<
Tip ............................................................................................................................ 2:.
Tip ............................................................................................................................ 2:.
Testing 3?& ............................................................................................................. 2:2
3ote .......................................................................................................................... 2:9
3ote .......................................................................................................................... 2:2
&ecuring 3?& ........................................................................................................... 2:5
3ote .......................................................................................................................... 2::
%eriew of 3?& components ................................................................................. 2::
3?& protocol ersions .............................................................................................. 2:7
Chapter 1. 5etwork Client 0anage#ent (2.21! ..................................................2%'
4HCP Configuration (2.21.1! ................................................................................... 2%6
-hat is */CP> ....................................................................................................... 27.
/ow is the serer configured> ................................................................................ 27.
$n example ............................................................................................................. 27!
Controlling the */CP-serer)s behaior ................................................................ 28.
*/CP-relaying ....................................................................................................... 28!
53( configuration (2.21.2! .......................................................................................... 2'2
-hat is it> ............................................................................................................... 282
Configuring a system as a 3I& client ...................................................................... 289
&etting up 3I& master and slae serers ................................................................. 289
Creating 3I& maps .................................................................................................. 282
3I& related commands and files ............................................................................. 282
- 7 -
L41P configuration (2.21.3! ..................................................................................... 2'.
-hat is it> ............................................................................................................... 287
Installing and Configuring an L*$P &erer .......................................................... 288
@ore on L*$P ....................................................................................................... 2<8
P10 authentication (2.21.$! ..................................................................................... 26'
-hat is it> ............................................................................................................... 2<8
/ow does it work> .................................................................................................. 2<<
Configuring authentication ia =etc=passwd and =etc=shadow ................................. 9..
Configuring authentication ia 3I& ........................................................................ 9.2
Configuring authentication ia L*$P .................................................................... 9.2
Chapter 11. (yste# 0aintenance (2.211!..................................................................3,
(yste# Logging (2.211.1! .............................................................................................. 3%
&ysklogd ................................................................................................................... 9.:
Packaging (oftware (2.211.2! ....................................................................................... 36
*D( Packages .......................................................................................................... 9!.
;P@ Packages ......................................................................................................... 9!7
Important .................................................................................................................. 92.
7ackup /perations (2.211.3! ........................................................................................ 322
-hy> ........................................................................................................................ 922
-hat> ....................................................................................................................... 922
-hen> ...................................................................................................................... 922
/ow> ........................................................................................................................ 929
-here> ..................................................................................................................... 929
Chapter 12. (yste# (ecurity (2.212! .........................................................................32$
Configuring a router (2.212.2! .................................................................................... 32,
Priate 3etwork $ddresses ..................................................................................... 925
3etwork $ddress Translation A3$TB ..................................................................... 927
IP @as+uerading with IPC/$I3& .......................................................................... 928
IP forwarding with IPC/$I3& ............................................................................... 92<
Port ;edirection with IPC/$I3& ........................................................................... 92<
IPC/$I3&" an oeriew ......................................................................................... 99!
The ?irm)s network with IPC/$I3& ...................................................................... 999
IPT$(LD&" an oeriew ........................................................................................ 997
&aing $nd ;estoring ?irewall ;ules ..................................................................... 952
*enial of &erice A*%&B attacks ............................................................................. 952
;outed ..................................................................................................................... 959
Port&entry# Preenting port scans ........................................................................... 959
(ecuring -"P ser+ers (2.212.3! ................................................................................... 3,'
?TP serer Cersion :.2=%pen(&*=Linux-ftpd-..!7 ............................................... 958
The -ashington 4niersity ?TP &erer Cersion wu-2.:.! .................................... 9:9
$dditional precautions ............................................................................................ 9:7
(ecure shell (/pen((H! (2.212.$! ............................................................................... 3%.
-hat are ssh and sshd> ........................................................................................... 9:7
Installing ssh and sshd ............................................................................................ 9:8
Configuring sshd ..................................................................................................... 9:8
0eys and their purpose ............................................................................................ 97.
- 8 -
Configuring the ssh-agent ....................................................................................... 97!
Tunneling an application protocol oer ssh with portmapping .............................. 979
The .rhosts and .shosts files .................................................................................... 972
"CP<wrappers (2.212.,! .............................................................................................. 3.,
-hat do tcp wrappers do> ....................................................................................... 975
-hat don)t tcp wrappers do> ................................................................................... 975
Configuring tcp wrappers ....................................................................................... 975
xinetd ....................................................................................................................... 977
(ecurity tasks (2.212.%! ................................................................................................ 3..
0erberos .................................................................................................................. 978
3ote .......................................................................................................................... 97<
&nort ........................................................................................................................ 9<2
Tripwire ................................................................................................................... 9<:
The nmap command ................................................................................................ 2.5
0eeping track of security alerts .............................................................................. 2.:
Testing for open mail relays ................................................................................... 2.8
Chapter 13. (yste# Custo#i&ation an) 1uto#ation (2.213!..................................$1
2egular =xpressions ...................................................................................................... $1
Introducing ;egular Dxpressions ............................................................................. 2!!
3ote .......................................................................................................................... 2!!
Primities and @ultipliers ........................................................................................ 2!!
3ote .......................................................................................................................... 2!9
3ote .......................................................................................................................... 2!5
3ote .......................................................................................................................... 2!:
3ote .......................................................................................................................... 2!:
3ote .......................................................................................................................... 22.
3ote .......................................................................................................................... 22!
$nchors" 6rouping and $lternation ......................................................................... 22!
3ote .......................................................................................................................... 225
&pecial characters ..................................................................................................... 227
3ote .......................................................................................................................... 228
3ote .......................................................................................................................... 22<
3ote .......................................................................................................................... 22<
;egular Dxpressions in sed ...................................................................................... 29.
;egular Dxpressions in awk ..................................................................................... 29.
Perl ;egular Dxpressions ......................................................................................... 29!
3ote .......................................................................................................................... 29!
3ote .......................................................................................................................... 292
3ote .......................................................................................................................... 292
9sing Perl ........................................................................................................................ $3%
-riting simple Perl scripts ....................................................................................... 29:
Perl basics ................................................................................................................ 297
-arning .................................................................................................................... 297
&cope of ariables .................................................................................................... 22.
$ surprising feature .................................................................................................. 229
*etermining the si,e of an array .............................................................................. 222
- < -
Dlements are scalar dataG ......................................................................................... 225
$utomatic type conersion ...................................................................................... 228
&trings are not numerics ........................................................................................... 22<
3ote .......................................................................................................................... 25!
3ote .......................................................................................................................... 25!
Perl taint mode ......................................................................................................... 25:
3ote .......................................................................................................................... 257
Dxception ................................................................................................................. 257
Perl modules ............................................................................................................. 257
CP$3 ....................................................................................................................... 25<
Perl on the command line ........................................................................................ 2:.
;riting 7ourne shell scripts ........................................................................................ $%
Cariables .................................................................................................................. 2:!
(ranching and looping ............................................................................................. 2::
3ote .......................................................................................................................... 27!
?unctions .................................................................................................................. 272
/ere documents ....................................................................................................... 27:
3ote .......................................................................................................................... 277
$danced topics ....................................................................................................... 278
*ebugging scripts .................................................................................................... 278
&ome words on coding style .................................................................................... 28.
9sing se) ......................................................................................................................... $'
(ehaiour ................................................................................................................. 28!
Calling sed ............................................................................................................... 28!
3ote .......................................................................................................................... 28!
The sed expression ................................................................................................... 28!
The most fre+uently used sedcommands ................................................................. 282
3ote .......................................................................................................................... 282
6rouping in sed ........................................................................................................ 28:
-hite space .............................................................................................................. 287
$danced sed ........................................................................................................... 287
3ote .......................................................................................................................... 28<
3ote .......................................................................................................................... 28<
9sing awk ........................................................................................................................ $62
6eneric flow ............................................................................................................. 2<2
Cariables and arrays ................................................................................................. 2<2
Input files" records and fields ................................................................................... 2<5
(ranching" looping and other control statements .................................................... 2<7
3ote .......................................................................................................................... 2<8
Patterns ..................................................................................................................... 2<<
%perators .................................................................................................................. 5.!
4sing regular expressions ........................................................................................ 5.2
(uilt-in ariables ...................................................................................................... 5.2
?unctions .................................................................................................................. 5.2
rsync ................................................................................................................................ ,,
The rsync algorithm ................................................................................................. 5.5
- !. -
Configuring the rsync daemon ................................................................................. 5.:
4sing the rsync client ............................................................................................... 5.7
cronta* ............................................................................................................................ ,'
format of the crontab file ......................................................................................... 5.<
The at command ....................................................................................................... 5!.
0onitoring your syste# ................................................................................................ ,11
-arning .................................................................................................................... 5!2
parsing a log-file ...................................................................................................... 5!2
combine log-files ..................................................................................................... 5!2
generate alerts by mail and pager ............................................................................. 5!8
user login alert .......................................................................................................... 52!
Chapter 1$. "rou*leshooting (2.21$!..........................................................................,2%
Creating reco+ery )isks (2.21$.2! ................................................................................ ,2.
-hy we need bootdisks ........................................................................................... 528
Create a bootdisk ...................................................................................................... 528
(ig files hae little files upon their back.. ............................................................... 52<
initrd ......................................................................................................................... 59.
Create a recoery disk .............................................................................................. 59.
3)entifying *oot stages (2.21$.3! .................................................................................. ,31
The bootstrap process .............................................................................................. 59!
0ernel loading .......................................................................................................... 59!
*aemon initiali,ation ............................................................................................... 592
;ecogni,ing the four stages during boot ................................................................. 599
"rou*leshooting L3L/ (2.21$.$! ................................................................................. ,33
(ooting from C*-;%@ and networks .................................................................... 592
(ooting from disk or partition ................................................................................. 592
@ore about partitions tables ..................................................................................... 59:
Tip ............................................................................................................................ 59:
Dxtended partitions .................................................................................................. 597
The LIL% install locations ....................................................................................... 598
LIL% backup files .................................................................................................... 598
LIL% errors .............................................................................................................. 59<
>eneral trou*leshooting (2.21$.,! ............................................................................... ,$
$ word of caution .................................................................................................... 52!
Cost effectieness .................................................................................................... 52!
6etting help .............................................................................................................. 52!
6eneric issues with hardware problems .................................................................. 522
;esoling initial boot problems ............................................................................... 529
;esoling kernel boot problems .............................................................................. 522
;esoling I;H=*@$ conflicts ................................................................................ 52:
Troubleshooting tools .............................................................................................. 52:
"rou*leshooting syste# resources (2.21$.%! .............................................................. ,$'
Core system ariables .............................................................................................. 528
Login shells .............................................................................................................. 55.
&hell startup enironment ........................................................................................ 55.
Dditors ...................................................................................................................... 552
- !! -
&etting kernel parameters ......................................................................................... 559
&hared libraries ........................................................................................................ 552
"rou*leshooting network issues (2.21$..! .................................................................. ,%
&omething on network troubleshooting in general ................................................. 5:.
$n example situation .............................................................................................. 5:!
"rou*leshooting en+iron#ent configurations (2.21$.'! ........................................... ,%$
Troubleshooting =etc=inittab and =sbin=init .............................................................. 5:5
Troubleshooting authorisation problems ................................................................ 5:5
Troubleshooting =etc=profile .................................................................................... 5::
Troubleshooting =etc=rc.local or =etc=rc.boot ........................................................... 5::
Troubleshooting cron processes .............................................................................. 5::
Troubleshooting =etc=IshellFnameI.conf ................................................................. 5:7
Troubleshooting =etc=login.defs .............................................................................. 5:7
Troubleshooting =etc=syslog.conf ............................................................................ 5:7
1ppen)ix 1. LP3C Le+el 2 /*?ecti+es ....................................................................... ,%.
- !2 -
Chapter 1. Linux Kernel (2.21!
"opics
This topic has a total weight of : points and contains the following fie ob'ecties#
%b'ectie 2.2.!.!# 0ernel Components A! pointB
Candidates should be able to utilise kernel components that are necessary to
specific hardware" hardware driers" system resources and re+uirements. This
ob'ectie includes implementing different types of kernel images" identifying
stable and deelopment kernels and patches" as well as using kernel modules.
%b'ectie 2.2.!.2# Compiling a kernel A! pointB
Candidates should be able to properly configure a kernel to include or disable
specific features of the Linux kernel as necessary. This ob'ectie includes
compiling and recompiling the Linux kernel as needed" updating and noting
changes in a new kernel" creating an initrd image and installing new kernels.
%b'ectie 2.2.!.9# Patching a kernel A2 pointsB
Candidates should be able to properly patch a kernel to add support for new
hardware. This ob'ectie also includes being able to properly remoe kernel
patches from already patched kernels.
%b'ectie 2.2.!.2# Customi,ing a kernel A! pointB
Candidates should be able to customise a kernel for specific system re+uirements"
by patching" compiling and editing configuration files as re+uired. This ob'ectie
includes being able to assess re+uirements for a kernel compile as well as build
and configure kernel modules.
- !9 -
Kernel Co#ponents (2.21.1!
Candidates should be able to utilise kernel components that are necessary to specific
hardware" hardware driers" system resources and re+uirements. This ob'ectie includes
implementing different types of kernel images" identifying stable and deelopment
kernels and patches" as well as using kernel modules.
0ey files" terms and utilities include#
/usr/src/linux
/usr/src/linux/Documentation
zImage
bzImage
0ey knowledge area#
Kernel documentation (2.4 and 2.6)
Different types of kernel images
$ kernel can be monolithic or not. $ monolithic kernel is a kernel that contains all the
drier code needed to use all the hardware connected to or contained within the system
you are configuring. &uch a kernel does not need the assistance of modules. &o why
doesn)t eeryone 'ust build a monolithic kernel and be done with it> The main reason is
that such kernels tend to be rather large and often won)t fit on a single floppy disk.
$nother reason is that the implementation of a new improed drier for a certain piece of
hardware immediately results in the need for a new kernel. This is not the case with
modules as will be explained in the section called J4sing kernel modulesK.
@ost of the time" a kernel image is compressed to sae space. There are two types of
compressed kerneltypes# zImage and bzImage
The difference between J,ImageK and Jb,ImageK files lies in their different layout and
loading algorithms. ?or zImage the allowed kernelsi,e is 52.0b" bzImage doesn)t hae
this restriction. $s a result the bzImage kernel now is the preferred image type.
Note
(oth images use g,ip compression. The Jb,K in Jb,ImageK stands for Jbig zImageK" not
for Jb,ipKG
Identifying stable and development kernels and patches
$ kernel ersion number consists of three parts# ma'or" minor and the patch leel" all
separated by periods.
The ma'or release is incremented when a ma'or change in the kernel is made.
- !2 -
The minor release is incremented when significant changes and additions are made.
Den-numbered minor releases" e.g. 2.2" 2.:" 2.8" are considered stable releases and odd-
numbered releases" e.g. 2.!" 2.9 are considered to be in deelopment and are primarily
used by kernel deelopers.
The last part of the kernel ersion number is the so-called patch leel. $s errors in the
code are corrected Aand=or features are addedB the patch leel is incremented. Lou should
only upgrade your kernel to a higher patch leel when your current kernel has a security
problem or doesn)t function properly or when new functionality has been added to the
kernel.
Using kernel modules
Linux kernel modules are ob'ect files A.oB produced by the C compiler but not linked into
a complete executable. 0ernel modules can be loaded into the kernel to add functionality
when needed. @ost modules are distributed with the kernel and compiled along with it.
Dery kernel ersion has its own set of modules.
@odules are stored in a directory hierarchy under /lib/modules/kernel-version" where
kernel-version is the string reported by una#e @r" such as 2.2.5-!5smp. @ultiple module
hierarchies may be aailable under /lib/modules if multiple kernels are installed.
&ubdirectories that contain modules of a particular type exist beneath the /lib/modules/
kernel-version directory. This grouping is conenient for administrators" but also
facilitates important functionality to the command #o)pro*e.
"ypical #o)ule typesA
block
@odules for a few block-specific deices such as ;$I* controllers or I*D tape
dries.
cdrom
*eice drier modules for nonstandard C*-;%@ dries.
fs
*riers for filesystems such as @&-*%& Athe msdos.o moduleB.
ip2
Includes modular kernel features haing to do with IP processing" such as IP
mas+uerading.
- !5 -
misc
$nything that doesn)t fit into one of the other subdirectories ends up here. 3ote
that no modules are stored at the top of this tree"
net
3etwork interface drier modules.
scsi
Contains drier modules for the &C&I controller.
ideo
&pecial drier modules for ideo adapters.
@odule directories are also referred to as tags in the context of module manipulation
commands.
0anipulating #o)ules
lsmod
?or each kernel module loaded" display its name" si,e" use count and a list of other
referring modules. This command yields the same information as is aailable in
/proc/modules. %n a particular laptop" for instance" the command Bs*inBls#o) reports#
Module Size sed b!
serial"cb ##2$ #
tulip"cb %#&6' 2
cb"enabler 2(#2 4 )serial"cb tulip"cb*
ds 6%'4 2 )cb"enabler*
i'2%6( 22%'4 2
pcmcia"core ($$'$ $ )cb"enabler ds i'2%6(*

The format is name" si,e" use count" list of referring modules. If the module controls its
own unloading ia a JcanFunloadK routine" then the user count displayed by lsmod is
always -!" irrespectie of the real use count.
insmod
Insert a module into the running kernel. The module is located automatically and
inserted. Lou must be logged in as superuser to insert modules.
-reCuently use) optionsA
- !: -
-s
-rite results to syslog instead of the terminal.
-
&et erbose mode.
=xa#ple 1.1. =xa#ple
The kernel was compiled with modular support for a specific sound card. To erify that
this specific module" in this case maestro%.o exists" look for the file maestro%.o in the
/lib/modules/kernel-version directory#
+ insmod maestro%
sing /lib/modules/2.4.&/,ernel/dri-ers/sound/maestro%.o
/lib/modules/2.4.&/,ernel/dri-ers/sound/maestro%.o. /
unresol-ed s!mbol ac&0"probe"codec"1'46$#c2b
+ ec2o 34
#

This ins#o) maestro3 command yields an unresoled symbol and an exit status of !.
This is the same sort of message that might be seen when attempting to link a program
that referenced ariables or functions unaailable to the linker. In the context of a module
insertion" such messages indicate that the functions are not aailable in the kernel. ?rom
the name of the missing symbol" you can see that the ac&0"codec module is re+uired to
support the maestro% module" so it is inserted first#
+ insmod ac&0"codec
sing /lib/modules/2.4.&/,ernel/dri-ers/sound/ac&0"codec.o
+ insmod maestro%
sing /lib/modules/2.4.&/,ernel/dri-ers/sound/maestro%.o
+ lsmod
Module Size sed b!
maestro% 24202 $ (unused)
ac&0"codec ''&6 $ )maestro%*
serial"cb #4(6 #
tulip"cb %2#6$ 2
cb"enabler 20(2 4 )serial"cb tulip"cb*
ds 6'64 2 )cb"enabler*
i'2%6( 22(#2 2
pcmcia"core 4&$24 $ )cb"enabler ds i'2%6(*

$s the output from the ls#o) command aboe shows" the two modules maestro% and
ac&0"codec hae both been loaded.
rmmod
- !7 -
4nless a module is in use or referred to by another module" the module is remoed from
the running kernel. Lou must be logged in as the superuser to remoe modules.
+ rmmod ac&0"codec
ac&0"codec. De-ice or resource bus!
+ ec2o 34
#

The module can)t be unloaded because it is in use" in this case by the maestro% module.
The solution is to remoe the maestro% module first#
+ rmmod maestro%
+ rmmod ac&0"codec
+ ec2o 34
$

Issue the command ls#o) to erify that the modules hae indeed been remoed from the
running kernel.
modprobe
Like ins#o)" #o)pro*e is used to insert modules. /oweer" #o)pro*e has the ability
to load single modules" modules and their prere+uisites" or all modules stored in a
specific directory. The #o)pro*e command can also remoe modules when combined
with the @r option.
$ module is inserted with optional sy#*olD+alue parameters such as irCD, or )#aD3 .
This can be done on the command line or by specifying options in the module
configuration file as will be explained later on. If the module is dependent upon other
modules" they will be loaded first. The #o)pro*e command determines prere+uisite
relationships between modules by reading modules.dep at the top of the module
directory hierarchy" for instance /lib/modules/2.4.&/modules.dep.
Lou must be logged in as the superuser to insert modules.
-reCuently use) options
-a
Load all modules. -hen used with the -t tag" JallK is restricted to modules in the
tag directory. This action probes hardware by successie module-insertion
attempts for a single type of hardware" such as a network adapter. This may be
necessary" for example" to probe for more than one kind of network interface.
- !8 -
-c
*isplay a complete module configuration" including defaults and directies found
in /etc/modules.con5 Aor /etc/con5.modules" depending on your ersion of
module utilities. 3ote that the LPIC ob'ectie re+uires you to know both namesB.
The -c option is not used with any other options.
-l
List modules. -hen used with the -t tag" list only modules in directory tag.
-r
;emoe module" similar to r##o). @ultiple modules may be specified.
-s
*isplay results on syslog instead of the terminal.
-t tag
$ttempt to load multiple modules found in the directory tag until a module
succeeds or all modules in tag are exhausted. This action probes hardware by
successie module-insertion attempts for a single type of hardware" such as a
network adapter.
-
&et erbose mode.
Loading sound modules using #o)pro*e.
+ modprobe maestro%
+ ec2o 34
$
+ lsmod
Module Size sed b!
maestro% 24202 $ (unused)
ac&0"codec ''&6 $ )maestro%*
serial"cb #4(6 #
tulip"cb %2#6$ 2
cb"enabler 20(2 4 )serial"cb tulip"cb*
ds 6'64 2 )cb"enabler*
i'2%6( 22(#2 2
pcmcia"core 4&$24 $ )cb"enabler ds i'2%6(*

- !< -
(oth the modules hae been loaded. To remoe both the modules" use #o)pro*e @r
#aestro3.
modinfo
*isplay information about a module from its module6ob7ect65ile. &ome modules
contain no information at all" some hae a short one-line description" others hae a fairly
descriptie message.
/ptions fro# the #an@pageA
-a" --author
*isplay the module)s author.
-d" --description
*isplay the module)s description.
-n" --filename
*isplay the module)s filename.
-fformatFstring" --format formatFstring
Let)s the user specify an arbitrary format string which can extract alues from the
DL? section in moduleFfile which contains the module information.
;eplacements consist of a percent sign followed by a tag name in curly braces. $
tag name of MNfilenameO is always supported" een if the module has no modinfo
section.
-p" --parameters
*isplay the typed parameters that a module may support.
-h" --help
*isplay a small usage screen.
-C" --ersion
*isplay the ersion of modinfo.
=xa#ple 1.$. =xa#ple
-hat information can be retrieed from the maestro9 module#
- 2. -
pug.8+ modin5o maestro%
5ilename. /lib/modules/2.4.&/,ernel/dri-ers/sound/maestro%.o
description. 9:SS Maestro%/;llegro Dri-er9
aut2or. 9<ac2 =ro>n ?zab@zabbo.netA9
parm. debug int
parm. external"amp int

Configuring #o)ules
Lou may sometimes need to control the assignments of the resources a module uses" such
as hardware interrupts or *irect @emory $ccess A*@$B channels. %ther situations may
dictate special procedures to prepare for" or clean up after" module insertion or remoal.
This type of special control of modules is configured in the file /etc/modules.con5.
Co##only use) )irecti+es in /etc/modules.confA
,eep
The keep directie" when found before any path directies" causes the default
paths to be retained and added to any paths specified.
dep5ileBfull_path
This directie oerrides the default location for the modules dependency file"
modules.dep which will be described in the next section.
pat2Bpath
This directie specifies an additional directory to search for modules.
options modulename module-specific-options
%ptions for modules can be specified using the options configuration line in
modules.con5 or on the #o)pro*e command line. The command line oerrides
configurations in the file. modulename is the name of a single module file without
the .o extension. module-specific-options are specified as name=value pairs"
where the name is understood by the module and is reported using #o)info @p.
alias aliasname result
$liases can be used to associate a generic name with a specific module" for
example#
alias /de-/ppp ppp"generic
alias c2ar6ma7or6#$' ppp"generic
alias tt!6ldisc6% ppp"as!nc
alias tt!6ldisc6#4 ppp"s!nctt!
- 2! -
alias ppp6compress62# bsd"comp
alias ppp6compress624 ppp"de5late
alias ppp6compress626 ppp"de5late

pre6install module command
This directie causes a specified shell command to be executed prior to the
insertion of a module. ?or example" PC@CI$ serices need to be started prior to
installing the pcmcia"core module#
pre6install pcmcia"core /etc/init.d/pcmcia start

install module command
This directie allows a specific shell command to oerride the default module-
insertion command.
post6install module command
This directie causes a specified shell command to be executed after insertion of
the module.
pre6remo-e module command
This directie causes a specified shell command to be executed prior to remoal
of module.
remo-e module command
This directie allows a specific shell command to oerride the default module-
remoal command.
post6remo-e module command
This directie causes a specified shell command to be executed after remoal of
module.
?or more detailed information concerning the module-configuration file see #an
#o)ules.conf.
(lank lines and lines beginning with a + are ignored in modules.con5.
Module Dependency File
The command #o)pro*e can determine module dependencies and install prere+uisite
modules automatically. To do this" #o)pro*e scans the first column of
- 22 -
/lib/modules/kernel-version/modules.dep to find the module it is to install. Lines in
modules.dep are in the following form#
module"name.o. dependenc!# dependenc!2 ...

example for ac&0"codec and maestro%#
/lib/modules/2.4.&/,ernel/dri-ers/sound/ac&0"codec.o.
/lib/modules/2.4.&/,ernel/dri-ers/sound/maestro%.o. /
/lib/modules/2.4.&/,ernel/dri-ers/sound/ac&0"codec.o

/ere the ac&0"codec module depends on no other modules and the maestro% module
depends on the ac&0"codec module.
$ll of the modules aailable on the system are listed in the modules.dep file and are
referred to with their full path and filenames" including their .o extension. Those that are
not dependent on other modules are listed" but without dependencies. *ependencies that
are listed are inserted into the kernel by #o)pro*e first" and after they hae been
successfully inserted" the sub'ect module itself can be loaded.
The modules.dep file must be kept current to ensure the correct operation of #o)pro*e.
If module dependencies were to change without a corresponding modification to
modules.dep" then #o)pro*e would fail because a dependency would be missed. $s a
result" modules.dep needs to be AreBcreated each time the system is booted. @ost
distributions will do this by executing )ep#o) @a automatically when the system is
booted.
This procedure is also necessary after any change in module dependencies. The )ep#o)
command is actually a link to the same executable as #o)pro*e. The functionality of the
command differs depending on which name is used to execute it.
Co#piling a Kernel (2.21.2!
Candidates should be able to properly configure a kernel to include or disable specific
features of the Linux kernel as necessary. This ob'ectie includes compiling and
recompiling the Linux kernel as needed" updating and noting changes in a new kernel"
creating an initrd image and installing new kernels.
#ake config, xconfig, menuconfig, oldconfig, mrproper, zImage, bzImage,
modules, modules_install
#kinitr) Aboth ;ed hat and *ebian basedB
/usr/src/linux
- 29 -
/etc/lilo.con5
/boot/grub/menu.lst or /boot/grub/grub.con5
Getting the kernel sources
The kernel sources for the latest Linux kernel can be found at The Linux Kernel Archives
.
The generic filename is always in the form linux6kernel-version.tar.gz or linux6
kernel-version.tar.bz2. ?or example" linux62.4.#'.tar.gz is the kernel archie for
ersion J2.2.!8K.
$ common location to store and unpack kernel sources is /usr/src.
If there isn)t enough free space on /usr/src to unpack the sources it is possible to
unpack the source in anoher directory. Creating a softlink after unpacking from
/usr/src/linux to the linux subdirectory in that location ensures easy access to the
source.
The source code will be aailable as a compressed tar archie. Compression is done using
g&ip A.gz extentionB or *&ip2 A.bz2 extentionB. *ecompressing and unpacking can be
done using gun&ip or *un&ip2 followed by unpacking the resulting archie with tar" or
directly with tar using the z A.gzB or j A.bz2B options#
+ gunzip linux62.4.#'.tar.gz
+ tar x5 linux62.4.#'.tar

or
+ tar x75 linux62.4.#'.tar.bz2
&ee manpages for tar" g&ip" *&ip2 for more information.
Creating a .config file
The first step in compiling a kernel is setting up the kernel configuration which is saed
in the .con5ig file. There are more than 5.. options for the kernel" such as filesystem"
&C&I and networking support. @any of the options list kernel features that can be either
compiled directly into the kernel or compiled as modules.
&ome selections imply a group of other selections. ?or example" when you indicate that
you wish to include &C&I support" additional options become aailable for specific &C&I
driers and features.
- 22 -
The results of all of these choices are stored in the kernel configuration file
/usr/src/linux/.con5ig" which is a plain text file that lists the options as shell
ariables.
To begin" set the current working directory to the top of the source tree#
+ cd /usr/src/linux

There are seeral ways to set up .con5ig. $lthough you can do so" you should not edit
the file manually. Instead" select one of the three interactie approaches. $n additional
option is aailable to construct a default configuration. Dach set up is started using #ake.
#ake config
;unning #ake config is the most rudimentary of the automated kernel-configuration
methods and does not depend on full-screen display capabilities of your terminal. The
system se+uentially presents you with +uestions concerning kernel options. This method
can" admittedly" get a bit tedious and has the disadantage that you must answer all the
+uestions before being able to sae your .con5ig file and exit. /oweer" it is helpful if
you do not hae sufficient capability to use one of the menu-based methods. $ big
drawback is that you can)t moe back and forward through the arious +uestions. $n
example session looks like this#
+ ma,e con5ig
rm 65 include/asm
( cd include C ln 6s5 asm6i%'6 asm)
/bin/s2 scripts/Don5igure arc2/i%'6/con5ig.in
+
+ sing de5aults 5ound in arc2/i%'6/de5con5ig
+
E
E Dode maturit! le-el options
E
Frompt 5or de-elopment and/or incomplete code/dri-ers /
(DGHIIJ":KF:1IM:HL;M) )H/!/4* !
E
E Moadable module support
E
:nable loadable module support (DGHIIJ"MGDM:S) )N/n/4*

#ake #enuconfig
This configuration method is more intuitie and can be used as an alternatie to #ake
config. It creates a text-mode-windowed enironment where you may use arrow and
other keys to configure the kernel. The #ake #enuconfig command is illustrated below
in an xterm.
- 25 -
The #ake #enuconfig menu display.
#ake xconfig
If you are running the P -indow &ystem" the #ake xconfig command presents a 64I
menu with radio buttons to make the selections. The figure below illustrates the top-leel
#ake xconfig window.
- 2: -
The #ake xconfig top-leel window.
#ake ol)config
The #ake ol)config command creates a new .con5ig file" using the old .con5ig and
options found in the source" only re+uiring user interaction for options that that were
preiously not configured Anew optionsB" for instance after addition of new functionality"
of upgrading to a later kernel release.
-hen using the .con5ig from a preious kernel release" first copy the .con5ig from the
preious kernel-ersion to the /usr/src/linux/ directory and then run #ake ol)config.
The .con5ig will be moed to .con5ig.old and a new .con5ig is created. Lou will
only be prompted for the answers to new +uestionsQ the +uestions for which no answer
can be found in the .con5ig.old file.
Note
(e sure to make a backup of .con5ig before upgrading the kernel source" because the
distribution might contain a default .con5ig file" oerwriting your old file.
Note
#ake xconfig and #ake #enuconfig runs will start with reconstructing the .con5ig
file" using the current .con5ig and Anew defaultB options found in the source code. $s a
result .con5ig will contain at least all the preiously set and the new default options after
writing the new .con5ig file and exiting the session without any manual changes.
Compiling the kernel
The following se+uence of make commands leads to the building of the kernel and to the
building and installation of the modules.
- 27 -
!. make dep
2. make clean
9. make ,Image=b,Image
2. make modules
5. make modulesFinstall
#ake )ep
The dep ob'ect examins source files for dependencies. The resulting table of
dependencies is stored in a file called .depend. There will be a .depend file in each
directory containing source files. The .depend files are automatically included in
subse+uent #ake operations.
#ake clean
The JcleanK ob'ect remoes old output files that may exist from preious kernel builds.
These include core files" system map files and others.
#ake &3#ageB*&3#age
The &3#age and *&3#age ob'ects both effectiely build the kernel. The difference
between these two is explained in another paragraph.
$fter compilation the kernel image can be found in the
/usr/src/linux/arc2/i%'6/boot directory Aon i98: systemsB.
#ake #o)ules
The #o)ules ob'ect builds the modules# deice driers and other items that were
configured as modules.
#ake #o)ules<install
The #o)ules<install ob'ect installs all preiously built modules under
/lib/modules/kernel-version The kernel-version directory will be created if non-
exsistent.
Installing the ne kernel
$fter the new kernel has been compiled" the system can be configured to boot it.
The first step is to put a copy of the new bzImage on the boot partition. The name of the
kernel file should preferably contain the kernel-ersion number" for example#
-mlinuz62.4.#$#
- 28 -
+ cp /usr/src/linux/arc2/i%'6/boot/bzImage /boot/-mlinuz62.4.#$

The currently aailable kernel ersions can be found in the directory /boot/ as shown
below#
+ ls 6l /boot
6r>6r66r66 # root root 426'24 Mar 2% 2$$#
-mlinuz62.2.#'pre2#
6r>6r66r66 # root root 0%&''# Sep 20 #$.42 -mlinuz62.4.#$
6r>6r66r66 # root root 02'#(6 Sep 2# #(.24 -mlinuz62.4.&

3ext" configure the bootmanager to contain the new kernel.
Lilo an) +ersion@specific na#es
lilo.con5 could look like this#
+ =oot up t2is one b! de5ault.
de5aultB-mlinuz624#$
imageB/boot/-mlinuz62.4.#$
labelBlinux624#$
read6onl!
imageB/boot/-mlinuz62.4.&
labelBlinux624&
read6onl!
imageB/boot/-mlinuz62.2.#'pre2#
labelBlinux622#'
read6onl!

;un lilo to add the new kernel and reboot to actiate the new kernel.
Lilo an) fixe) na#es
$nother way to enable the new kernel is by creating symbolic links in the root directory
to the kernel images in /boot. It is a good practice to hae at least two kernels aailable#
the kernel that has been used so far Aand which is working properlyB and the newly
compiled one Awhich might not work since it hasn)t been tested yetB. %ne is called
-mlinuz and the other is called -mlinuz.old. Like this the labels in /etc/lilo.con5
don)t need to be changed after installation of a new kernel.
?irst point -mlinuz.old to the latest known-working kernel image Ain our example#
/boot/-mlinuz62.4.&B and point -mlinuz to the new kernel image Ain our example#
/boot/-mlinuz62.4.#$B#
+ ls 6l -mlinuzE
lr>xr>xr>x # root root #& Sep #& #0.%% -mlinuz 6A /boot/-mlinuz62.4.&
- 2< -
lr>xr>xr>x # root root 2( Sep #& #0.%% -mlinuz.old 6A
/boot/-mlinuz62.2.#'pre2#
+ rm /-mlinuz.old
+ ln 6s /boot/-mlinuz62.4.& /-mlinuz.old
+ rm /-mlinuz
+ ln 6s /boot/-mlinuz62.4.#$ /-mlinuz

lilo.con5 could look like this#
+ =oot up t2is one b! de5ault.
de5aultBMinux
imageB/-mlinuz
labelBMinux
read6onl!
imageB/-mlinuz.old
labelBMinuxGMD
read6onl!

;un lilo to add the new kernel and reboot to actiate.
+ lilo
;dded Minux E
;dded MinuxGMD

If the new kernel doesn)t work" reboot again" press &/I?T to hae the LIL% boot loader
actiate the boot menu and select the last known working kernel to boot.
Note
*on)t forget to run lilo after changing lilo.con5" otherwise the new kernel can)t be
booted because lilo.con5 is not consulted at boot time.
>ru* *oot#anager
Rust like with Lilo both ersion specific and fixed kernel image names kan be used with
6rub.
$ kernel configuration entry in /boot/grub/menu.lst Aor /boot/grub/grub.con5B
could look something like#
title JH/MinuxO ,ernel 2.6.'
root (2d$O$)
,ernel /boot/-mlinuz62.6.' rootB/de-/2da# ro
initrd /boot/initrd.img62.6.'
sa-ede5ault
boot

- 9. -
mkinitrd
The list of key files" terms and utilities also mentions #kinitr). The following text can
be found on The Linux ead !uarters #
4sing the initial ;$@ disk AinitrdB
initrd adds the capability to load a ;$@ disk by the boot loader. This ;$@ disk can
then be mounted as the root filesystem and programs can be run from it. $fterwards" a
new root filesystem can be mounted from a different deice. The preious root Afrom
initrdB is then either moed to the directory /initrd or it is unmounted.
initrd is mainly designed to allow system startup to occur in two phases" where the
kernel comes up with a minimum set of compiled-in driers" and where additional
modules are loaded from initrd.
%peration
-hen using initrd" the system boots as follows#
!. the boot loader loads the kernel and the initial ;$@ disk
2. the kernel conerts initrd into a JnormalK ;$@ disk and frees the memory used
by initrd.
9. initrd is mounted read-write as root
2. linuxrc is executed Athis can be any alid executable" including shell scriptsQ it is
run with uid . and can do basically eerything init can doB
5. when linuxrc terminates" the JrealK root filesystem is mounted
:. if a directory /initrd exists" the initrd is moed there" otherwise" initrd is
unmounted
7. the usual boot se+uence Ae.g. inocation of Bs*inBinit B is performed on the root
filesystem
3ote that moing initrd from / to /initrd does not inole unmounting it. It is
therefore possible to leae processes running on initrd Aor leae filesystems mounted"
but see belowB during that procedure. /oweer" if /initrd doesn)t exist" initrd can
only be unmounted if it is not used by anything. If it can)t be unmounted" it will stay in
memory.
$lso note that filesystems mounted under initrd continue to be accessible" but their
/proc/mounts entries are not updated. $lso" if /initrd doesn)t exist" initrd can)t be
unmounted and will JdisappearK and take those filesystems with it" thereby preenting
them from being re-mounted. It is therefore strongly suggested to generally unmount all
filesystems Aexcept of course for the root filesystem" but including /procB before
switching from initrd to the JnormalK root filesystem.
- 9! -
In order to de-allocate the memory used for the initial ;$@ disk" you hae to execute
freera#)isk after unmounting /initrd.
initrd adds the following new options to the boot command line options#
initrdS AL%$*LI3 onlyB
Loads the specified file as the initial ;$@ disk. -hen using LIL%" you hae to specify
the ;$@ disk image file in /etc/lilo.con5" using the I3IT;* configuration ariable.
noinitrd
initrd data is presered but it is not conerted to a ;$@ disk and the JnormalK root
filesystem is mounted. initrd data can be read from /de-/initrd. 3ote that the data in
initrd can hae any structure in this case and doesn)t necessarily hae to be a filesystem
image. This option is used mainly for debugging.
3ote that /de-/initrd is read-only and that it can only be used once. $s soon as the last
process has closed it" all data is freed and /de-/initrd can)t be opened any longer.
rootS=de=ram
initrd is mounted as root" and Blinuxrc is started. If no Blinuxrc exists" the normal boot
procedure is followed" with the ;$@ disk still mounted as root. This option is mainly
useful when booting from a floppy disk. Compared to directly mounting an on-disk
filesystem" the intermediate step of going ia initrd adds a little speed adantage and it
allows the use of a compressed file system. $lso" together with L%$*LI3 you may load
the ;$@ disk directly from C*rom or disk" hence haing a floppy-less boot from C*"
e.g.# =AEloa)lin =AE*&3#age rootDB)e+Bra# initr)D=AEr)i#age
Installation
?irst" the JnormalK root filesystem has to be prepared as follows#
+ m,nod /de-/initrd b $ 2($
+ c2mod 4$$ /de-/initrd
+ m,dir /initrd

If the root filesystem is created during the boot procedure Ai.e. if you)re creating an install
floppyB" the root filesystem creation procedure should perform these operations.
3ote that neither /de-/initrd nor /initrd are strictly re+uired for correct operation of
initrd" but it is a lot easier to experiment with initrd if you hae them" and you may
also want to use /initrd to pass data to the JrealK system.
- 92 -
&econd" the kernel has to be compiled with ;$@ disk support and with support for the
initial ;$@ disk enabled. $lso" all components needed to execute programs from initrd
Ae.g. executable format and filesystemB must be compiled into the kernelB.
Third" you hae to create the ;$@ disk image. This is done by creating a filesystem on a
block deice and then by copying files to it as needed. -ith recent kernels" at least three
types of deices are suitable for that#
a floppy disk Aworks eerywhere but it)s painfully slowB
a ;$@ disk Afast" but allocates physical memoryB
a loopback deice Athe most elegant solutionB
-e)ll describe the ;$@ disk method#
!. make sure you hae a ;$@ disk deice /de-/ram Ablock" ma'or !" minor .B
2. create an empty filesystem of the appropriate si,e" e.g.
%. + m,e25s 6m$ /de-/ram %$$
4. (i5 space is criticalO !ou ma! >ant to use t2e Minix IS instead
o5 :xt2)

5. mount the filesystem on an appropriate directory" e.g.
6. + mount 6t ext2 /de-/ram /mnt

7. create the console deice#
'. + m,dir /mnt/de-
&. + m,nod /mnt/de-/tt!# c 4 #

!.. copy all the files that are needed to properly use the initrd enironment. *on)t
forget the most important file" Blinuxrc 3ote that Blinuxrc must be gien execute
permission.
!!. unmount the ;$@ disk
#2.+ umount /de-/ram

!9. copy the image to a file
#4.+ dd i5B/de-/ram bsB#, countB%$$ o5B/boot/initrd

!5. deallocate the ;$@ disk
#6.+ 5reeramdis, /de-/ram

?or experimenting with initrd" you may want to take a rescue floppy Ae.g. rescue.g,
from &lackwareB and only add a symbolic link from Blinuxrc to B*inBsh" e.g.
+ gunzip /de-/ram
- 99 -
+ mount 6t minix /de-/ram /mnt
+ ln 6s /bin/s2 /mnt/linuxrc
+ umount /de-/ram
+ dd i5B/de-/ram bsB#, countB#44$ o5B/boot/initrd
+ 5reeramdis, /de-/ram

?inally" you hae to boot the kernel and load initrd . -ith L%$*LI3" you simply
execute
MG;DMIH initrdB
e.g. MG;DMIH D./MIHK/PMMIH< initrdBD./MIHK/IHIL1D

-ith LIL%" you add the option I3IT;*S to either the global section or to the section of
the respectie kernel in /etc/lilo.con5" e.g.
image B /-mlinuz
initrd B /boot/initrd

and run Bs*inBlilo
3ow you can boot and en'oy using initrd.
&etting the root deice
(y default" the standard settings in the kernel are used for the root deice" i.e. the default
compiled in or set with r)e+ " or what was passed with rootSxxx on the command line"
or" with LIL%" what was specified in /etc/lilo.con5 It is also possible to use initrd
with an 3?&-mounted rootQ you hae to use the nfsFrootFname and nfsFrootFaddrs boot
options for this.
It is also possible to change the root deice from within the initrd enironment. In order
to do so" /proc has to be mounted. Then" the following files are aailable#
/proc/s!s/,ernel/real6root6de-
/proc/s!s/,ernel/n5s6root6name
/proc/s!s/,ernel/n5s6root6addrs

real-root-de can be changed by writing the number of the new root ?& deice to it" e.g.
+ ec2o $x%$# A/proc/s!s/,ernel/real6root6de-

for /de-/2da#. -hen using an 3?&-mounted root" nfs-root-name and nfs-root-addrs
hae to be set accordingly and then real-root-de has to be set to .xff" e.g.
- 92 -
+ ec2o /-ar/n5sroot A/proc/s!s/,ernel/n5s6root6name
+ ec2o #&%.'.2%2.2.#&%.'.2%2.0..2((.2((.2((.$.ide5ix /
A/proc/s!s/,ernel/n5s6root6addrs
+ ec2o 2(( A/proc/s!s/,ernel/real6root6de-

If the root deice is set to the ;$@ disk" the root filesystem is not moed to /initrd" but
the boot procedure is simply continued by starting init on the initial ;$@ disk.
4sage scenarios
The main motiation for implementing initrd was to allow for modular kernel
configuration at system installation. The procedure would work as follows#
!. systems boots from floppy or other media with a minimal kernel Ae.g. support for
;$@ disks" initrd" a.out" and the ext2 ?&B and loads initrd
2. Blinuxrc determines what is needed to A!B mount the JrealK root ?& Ai.e. deice
type" deice driers" filesystemB and A2B the distribution media Ae.g. C*-;%@"
network" tape" ...B. This can be done by asking the user" by auto-probing" or by
using a hybrid approach.
9. Blinuxrc loads the necessary modules
2. Blinuxrc creates and populates the root file system Athis doesn)t hae to be a ery
usable system yetB
5. Blinuxrc unmounts the root filesystem and possibly any other filesystems it has
mounted" sets /proc/s!s/,ernel/..." and terminates
:. the root filesystem is mounted
7. now that we)re sure that the filesystem is accessible and intact" the boot loader can
be installed
8. the boot loader is configured to load an initrd with the set of modules that was
used to bring up the system Ae.g. /initrd can be modified" then unmounted" and
finally" the image is written from /de-/ram to a fileB
<. now the system is bootable and additional installation tasks can be performed
The key role of initrd here is to re-use the configuration data during normal system
operation without re+uiring the use of a bloated JgenericK kernel or re-compilation or re-
linking of the kernel.
$ second scenario is for installations where Linux runs on systems with different
hardware configurations in a single administratie domain. In such cases" it is desirable to
generate only a small set of kernels Aideally only oneB and to keep the system-specific
part of configuration information as small as possible. In this case" a common initrd
could be generated with all the necessary modules. Then" only Blinuxrc or a file read by it
would hae to be different.
$ third scenario might result in more conenient recoery disks" because information like
the location of the root ?& partition doesn)t hae to be proided at boot time" and the
- 95 -
system loaded from initrd can use a user-friendly dialog and can also perform some
sanity checks Aor een some form of auto-detectionB.
Last but not least" C*rom distributors may use it for better installation from C*" either
using a LIL% boot floppy and bootstrapping a bigger ramdisk ia initrd from C*" or
using L%$*LI3 to directly load the ramdisk from C* without need of floppies.
&ince initrd is a fairly generic mechanism" it is likely that additional uses will be found.
Patching a Kernel (2.21.3!
Candidates should be able to properly patch a kernel to add support for new hardware.
This ob'ectie also includes being able to properly remoe kernel patches from already
patched kernels.
patch
g&ip
*&ip2
Ma,e5ile
Patching a kernel
$ kernel patchfile contains a difference listing produced by the )iff command. The patch
command is used to apply the contents of the patchfile to the kernel sources.
Patching a kernel is ery straightforward#
!. Place patchfile in /usr/src.
2. Change directory to /usr/src.
9. 4ncompress the patchfile.
2. 4se patch to apply the patchfile to the kernel source# patch @p1 F patchfile
5. Check for failures.
:. (uild the kernel.
If patch is unable to apply a part of a patch" it puts that part in a re'ect file. The name of a
re'ect file is the name of the output file plus a .re' suffix" or a + if the addition of J.re7K
would generate a filename that is too long. In case een the addition of a mere + would
result in a filename that is too long" the last character of the filename is replaced with a +.
"he patch co##an) an) itGs #ost co##on optionsA
-pnumber " --stripSnumber
- 9: -
&trip the smallest prefix containing number leading slashes from each file name
found in the patch file. $ se+uence of one or more ad'acent slashes is counted as a
single slash. This controls how file names found in the patch file are treated" in
case you keep your files in a different directory than the person who sent out the
patch. ?or example" supposing the file name in the patch file was
/u/2o>ard/src/blur5l/blur5l.c" then setting -p. gies the entire file name
unmodified" and setting -p! gies u/2o>ard/src/blur5l/blur5l.c.
-s " --silent " --+uiet
-ork silently" unless an error occurs.
-D " --remoe-empty-files
;emoe output files that are empty after the patches hae been applied. 3ormally
this option is unnecessary" since patch can examine the time stamps on the header
to determine whether a file should exist after patching. /oweer" if the input is
not a context diff or if patch is conforming to P%&IP" patch does not remoe
empty patched files unless this option is gien. -hen patch remoes a file" it also
attempts to remoe any empty ancestor directories.
-; " --reerse
$ssume that this patch was created with the old and new files swapped. patch
attempts to swap each hunk around before applying it and re'ects will come out in
the swapped format. The -; option does not work with e) diff scripts because
there is too little information to reconstruct the reerse operation. If the first hunk
of a patch fails" patch reerses the hunk to see if it can be applied that way. If it
can" you are asked if you want to hae the -; option set. If it can)t" the patch
continues to be applied normally. A3ote# this method cannot detect a reersed
patch if it is a normal diff and if the first command is an append Ai.e. it should
hae been a deleteB since appends always succeed" due to the fact that a null
context matches anywhere. Luckily" most patches add or change lines rather than
delete them" so most reersed normal diffs begin with a delete" which fails"
triggering the heuristic.B
?or more information consult the man-pages of the )iff command and the patch
command.
!emoving a kernel patch from a production kernel
$ kernel patch can be remoed from a production kernel by remoing it from the
production kernel source tree and compiling a new kernel.
To remoe the patch from the production kernel simply try to apply the patch a second
time" patch will ask you if it should assume J61K as the following example illustrates#
- 97 -
+ patc2 6p# ? patc262.4.#%6pre%
patc2ing 5ile linux/Documentation/Don5igure.2elp
1e-ersed (or pre-iousl! applied) patc2 detectedQ ;ssume 614 )n* !

Custo#i&ing a Kernel (2.21.$!
Candidates should be able to customise a kernel for specific system re+uirements" by
patching" compiling and editing configuration files as re+uired. This ob'ectie includes
being able to assess re+uirements for a kernel compile as well as build and configure
kernel modules.
0ey files" terms" and utilities include#
patch
#ake
/usr/src/linux
/proc/s!s/,ernel/
/etc/con5.modulesO /etc/modules.con5
ins#o)H ls#o)H #o)pro*e
k#o)
kernel)
@ost of the key files" terms and utilities mentioned aboe hae been explained earlier in
this chapter" the ones that haen)t been mentioned will be mentioned in the paragraphs
that follow.
/proc/s!s/,ernel/ is a directory in the /proc pseudo filesystem which contains the
following entries#
3 ls 6l /proc/s!s/,ernel/
6r>6666666 # root root $ Gct 22 #4.## cad"pid
6r>6666666 # root root $ Gct 22 #4.## cap6bound
6r>6r66r66 # root root $ Gct 22 #4.## core"uses"pid
6r>6r66r66 # root root $ Gct 22 #4.## ctrl6alt6del
6r>6r66r66 # root root $ Gct 22 #4.## domainname
6r>6r66r66 # root root $ Gct 22 #4.## 2ostname
6r>6r66r66 # root root $ Gct 22 #4.## 2otplug
6r>6r66r66 # root root $ Gct 22 #4.## modprobe
6r>6r66r66 # root root $ Gct 22 #4.## msgmax
6r>6r66r66 # root root $ Gct 22 #4.## msgmnb
6r>6r66r66 # root root $ Gct 22 #4.## msgmni
6r66r66r66 # root root $ Gct 22 #4.## osrelease
6r66r66r66 # root root $ Gct 22 #4.## ost!pe
6r>6r66r66 # root root $ Gct 22 #4.## o-er5lo>gid
6r>6r66r66 # root root $ Gct 22 #4.## o-er5lo>uid
6r>6r66r66 # root root $ Gct 22 #4.## panic
6r>6r66r66 # root root $ Gct 22 #4.## print,
dr6xr6xr6x 2 root root $ Gct 22 #4.## random
6r>6r66r66 # root root $ Gct 22 #4.## rtsig6max
- 98 -
6r66r66r66 # root root $ Gct 22 #4.## rtsig6nr
6r>6r66r66 # root root $ Gct 22 #4.## sem
6r>6r66r66 # root root $ Gct 22 #4.## s2mall
6r>6r66r66 # root root $ Gct 22 #4.## s2mmax
6r>6r66r66 # root root $ Gct 22 #4.## s2mmni
6r>6r66r66 # root root $ Gct 22 #4.## tainted
6r>6r66r66 # root root $ Gct 22 #4.## t2reads6max
6r66r66r66 # root root $ Gct 22 #4.## -ersion

&ome files can be used to get information" for instance to show the ersion of the running
kernel#
cat /proc/s!s/,ernel/osrelease

&ome files can also be used to set information in the kernel. ?or instance" the following
will tell the kernel not to loop on a panic" but to auto-reboot after 2. seconds#
ec2o 2$ A /proc/s!s/,ernel/panic

kmod versus kerneld
;hat are theyI
(oth k#o) and kernel) make dynamic loading of kernel-modules possible. $ module is
loaded when the kernel needs it. A@odules are explained earlier is this chapterB.
;hat is the )ifference *etween the#I
kernel) is a daemon" k#o) is a thread in the kernel itself.
The communication with kernel) is done through &ystem C IPC. k#o) operates directly
from the kernel and does not use &ystem C IPC thereby making it an optional module.
k#o) replaces kernel) as of Linux kernel 2.2.x.
;hat )o they ha+e in co##onI
(oth facilitate dynamic loading of kernel modules.
(oth use #o)pro*e to manage dependencies and dynamic loading of modules.
@anual loading of modules with #o)pro*e or ins#o) is possible without the need for
k#o) or kernel).
- 9< -
In both cases" the kernel-option DGHIIJ"MGDM:S must be set to enable the usage of
modules.
=na*ling kmod
To enable the use of k#o)" a kernel must be compiled with the kernel-option
DGHIIJ"KMGD enabled. This can only be done if the kernel-option DGHIIJ"MGDM:S has
also been enabled.
- 2. -
Chapter 2. (yste# (tartup (2.22!
This topic has a total weight of 5 points and contains the following 2 ob'ecties#
%b'ectie 2.2.2.! Customi,ing system startup and boot processes A2 pointsB
This topic includes being able to edit the appropriate system startup scripts to
customi,e standard system run leels and boot processes" interacting with run
leels and creating custom initrd images as needed.
%b'ectie 2.2.2.2 &ystem recoery A9 pointsB
This topic includes being able to properly configure and naigate the standard
Linux filesystem" configuring and mounting arious filesystem types" and
manipulating filesystems to ad'ust for disk space re+uirements or deice
additions.
- 2! -
Custo#i&ing syste# startup an) *oot processes
(2.22.1!
This topic includes being able to edit the appropriate system startup scripts to customi,e
standard system run leels and boot processes" interacting with run leels and creating
custom initrd images as needed.
/etc/init.d/
/etc/inittab
/etc/rc.d
#kinitr) *escribed in the section called JmkinitrdK
"he Linu# $oot process
"he Linux *oot process can *e logically )i+i)e) into six parts. "hey are
as followsA
!. 0ernel loader loading" setup" and execution Abootsect.sB
In this step the file bootsect.s is loaded into memory by the (I%&. bootsect.s
then sets up a few parameters and loads the rest of the kernel into memory.
2. Parameter setup and switch to 92-bit mode Aboot.sB
$fter the kernel has been loaded" boot.s takes oer. It sets up a temporary I*T
and 6*T Aexplained later onB and handles the switch to 92-bit mode.
*etailed information on I*T" 6*T and L*T can be found on sandpile"org - The
#orld$s leading source for pure technical x%& processor information"
9. 0ernel decompression Acompressed/2ead.sB
The kernel is stored in a compressed format. This 2ead.s Asince there is another
2ead.sB decompresses the kernel.
2. 0ernel setup A2ead.sB
$fter the kernel is decompressed" 2ead.s Athe second oneB takes oer. The real
6*T and I*T are created" as is a basic memory-paging table.
5. 0ernel and memory initiali,ation Amain.cB
- 22 -
This step is the most complex. The kernel now has control and sets up all
remaining parameters and initiali,es eerything remaining. Cirtual memory is
setup completely and the first processes are created.
:. Init process creation Amain.cB
In the final step of booting" the Init process is created.
Kernel Loa)er (linux/arch/i386/boot/bootsect.s!
-hen the computer is first turned on" (I%& loads the boot sector of the boot disk into
memory at location .x7C... This first sector corresponds to the bootsect.s file. The
(I%& will only copy 5!2 bytes" so the kernel loader must be small. The code that is
loaded by the (I%& must be able to load the remaining portions of the operating system
and pass control onto the next file.
The first thing that bootsect.s does when it is loaded is to moe itself to the memory
location .x<.... This is to aoid any possible conflicts in memory. The code then 'umps
to the new copy located at .x<.... $fter this" an area in memory is set aside A.x2...-!2B
for a new disk parameter table. To make it so that more than one sector can be read from
the disk at a time" we will try to find the largest number of sectors that can be read at a
time. This will help speed reads from the disk when we begin loading the rest of the
kernel.
(efore this is done" setup.s is loaded into memory in the memory space aboe
bootsect.s" .x<.2.. This allows setup.s to be 'umped to after the kernel has been
loaded. 3ow the disk parameter table is created. (asically" the code tries to read 9:
sectors" if that fails it tries !8" !5" then if all else fails it uses < as the default.
If at any point there is an error" little can be done. In most cases" bootsect.s will 'ust
keep trying to do what it was doing when the error occurred. 4sually this will end in an
unbroken loop that can only be resoled by rebooting by hand.
$t last we are ready to copy the kernel into memory. bootsect.s goes into a loop that
reads the first 5.80b from the disk and places it into memory starting at .x!..... $fter
the kernel is loaded into ;$@" bootsect.s 'umps to .x<.2." where setup.s is loaded.
Para#eter (etup (linux/arch/i386/boot/setup.s!
setup.s makes sure that all hardware information has been collected and gathers more
information if necessary. It first erifies that it is loaded at .x<.2.. $fter this is erified"
setup.s does the following#
!. 6ets main memory si,e
2. &ets keyboard repeat rate to the maximum
9. ;etriees ideo card information
- 29 -
2. Collects monitor information for the terminal to use
5. 6ets information about the first and possibly second hard drie using (I%&
:. Looks to see if there is a mouse Aa pointing deiceB attached to the system
$ll of the information that setup.s collects is stored for later use by deice driers and
other areas of the system. Like bootsect.s" if an error occurs little can be done. @ost
errors are JhandledK by an infinite loop that has to be reset manually.
The next step in the booting process needs to use irtual memory. This can only be used
on a x8: by switching from real mode to protected mode. $fter all information has been
gathered by setup.s" it does a few more housekeeping chores to get ready for the switch
to 92-bit mode.
?irst" all interrupts are disabled. %nce the system is in 92-bit mode" no more (I%& calls
can be made. The area of memory at .x!... is where the (I%& handlers were loaded
when the system came up. -e no longer need these" so to get the compressed kernel out
of the way" setup.s moes the kernel from .x!.... to .x!.... This proides room for a
temporary I*T AInterrupt *escriptor TableB and 6*T A6lobal *escriptor TableB. The
6*T is only setup to hae the system in memory. $ll paging is disabled" so that
described memory locations correspond to actual memory addresses. $t this point"
extended Aor highB memory is enabled.
&etup also resets any present coprocessor and reconfigures the 825< Programmable
Interrupt Controller. $ll that remains now is for the protected bit mask to be set" and the
processor is in 92-bit mode. $fter the switch has been made" setup.s lets processing
continue at /compressed/2ead.s to uncompress the kernel.
Kernel 4eco#pression (linux/arch/i386/boot/compressed/head.s !
This first 2ead.s uncompresses the kernel into memory. The kernel is g,ip-compressed
to make sure that it can fit into the 5.80b that bootsect.s will load. -hen the kernel is
compiled" bootsect.s" 2ead.s " and /compressed/2ead.s are not compressed and are
appended to the front of the compressed kernel. They are the only three files that must
remain uncompressed.
2ead.s decompresses the kernel to address .x!....... This corresponds to the !@b
boundary in memory. 2ead.s does a bit of error checking before it decompresses the
kernel to ensure that there is enough memory aailable in high memory.
;ight before the decompression is done" the flags register is reset and the area in memory
where setup.s was is cleared. This is to put the system in a better known state. $fter the
decompression" control is passed to the now decompressed 2ead.s.
- 22 -
Kernel (etup (linux/arch/i386/kernel/head.s!
The second head.s is responsible for setting up the permanent I*T and 6*T" as well as a
basic paging table. (efore anything is done" the flags register is again reset. The first page
in the paging system is setup at .x5.... This page is filled by the information gathered in
setup.s by copying it from its location at .x<....
3ext the processor type is determined. ?or 58:s APentiumB and higher there is a processor
command that returns the type of processor. 4nfortunately" the 98: and 28: do not hae
this feature so some tricks hae to be employed. Dach processor has only certain flags" so
by trying to read and write to them you can determine the type of processor. If a
coprocessor is present that is also detected.
$fter that" the I*T and 6*T are set up. The table for the I*T is set up. Dach interrupt
gets an 8-byte descriptor. Dach descriptor is initially set to ignoreFint. This means that
nothing will happen when the interrupt is called. $ll that ignoreFint does is" is sae the
registers" print Junknown interruptsK" and then restore the registers.
Dach I*T descriptor is diided into four two-byte sections. The top four bytes are called
the --" while the bottom four are the C-. The -- contains a two-byte offset" a P-flag
set to !" and a *escriptor Priilege Leel. The C- has a selector and an offset. In total
the I*T can contain up to 25: entries.
$t this point the code sets up memory paging. In the x8: architecture" irtual memory
uses three descriptors to establish an address# a Page *irectory" a Page Table" and a Page
?rame. The Page *irectory is a table of all of the pages and what processes they match
to. The Page *irectory contains an index into the Page Table. The Page Table maps the
irtual address to the beginning of a physical page in memory. The Page ?rame and an
offset use the beginning address of the physical page and can retriee an actual location
in memory. The three structures are setup by 2ead.s. They make it so that the first 2@b
of memory is in the Page *irectory. The kernel)s irtual address is set to .xC......." or
the top of the last gigabyte of memory.
Dach memory address in an x8: has three parts. The first is the index into the Page
*irectory. The result of this index is the start of a specific Page Table. The second part of
the 92-bit address is an offset into the Page Table. The Page Table has a 92-bit entry that
corresponds to that offset. The top 2. bits are used to get an actual physical address. The
lower !2 bits are used for administratie purposes. The physical address corresponds to
the start of a physical page. The third part of the 92-bit address is an offset within this
page" e+ual to a real memory location.
$lmost eerything is set up at this point. 3ow control is passed to the main function in
the kernel. @ain.c gains control.
- 25 -
Kernel 3nitiali&ation (linux/init/main.c!
$ll remaining setup and initiali,ation functions are called from main.c. Paging" the I*T
and most of the other systems hae been initiali,ed by now. @ain.c will make sure
eerything is in its proper place before it tries to start some processes and gie control to
init.c.
$ call to the function startFkernelAB is made. In essence all that startFkernelAB does is run
through a list of init functions that needed to be called. &uch things as paging" traps"
I;Hs" process schedules and more are setup. The important work has already been done
for memory and interrupts. 3ow all that has to be done is to hae all of the tables filled
in.
3nit process creation (linux/init/main.c!
$fter all of the init functions hae been called main.c tries to start the init process.
main.c tries three different copies of init in order. If the first doesn)t work" it tries the
second" if that one doesn)t work it goes to the third. /ere are the file names for the three
init ersions#
!. /etc/init
2. /bin/init
9. /sbin/init
If none of these three inits work" then the system goes into single user mode. init is
needed to log in multiple users and to manage many other tasks. If it fails" then the single
user mode creates a shell and the system goes from there.
%hat happens ne#t& hat does /sbin/init do'
init is the parent of all processes" it reads the file /etc/inittab and creates processes
based on its contents. %ne of the things it usually does is spawn gettys so that users can
log in. It also defines so called JrunleelsK.
$ JrunleelK is a software configuration of the system which allows only a selected group
of processes to exist.
init can *e in one of the following eight runle+els
runleel . AreseredB
;unleel . is used to halt the system.
runleel ! AreseredB
;unleel ! is used to get the system in single user mode.
- 2: -
runleel 2-5
;unleels 2"9"2 and 5 are multi-user runleels.
runleel :
;unleel : is used to reboot the system.
runleel 7-<
;unleels 7" 8 and < are also alid. @ost of the 4nix ariants don)t use these
runleels. %n a particular *ebian Linux &ystem for instance" the
/etc/rc?runle-elA.d directories" which we)ll discuss later" are not
implemented for these runleels" but they could be.
runleel s or &
;unleels s and & are internally the same runleel & which brings the system in
Jsingle-user modeK. The scripts in the /etc/rcS.d directory are executed when
booting the system. $lthough runleel & is not meant to be actiated by the user"
it can be.
runleels $" ( and C
;unleels $" ( and C are so called Jon demandK runleels. If the current runleel
is J2K for instance" and an init 1 command is executed" the things to do for
runleel J$K are done but the actual runleel remains J2K.
Configuring /etc/inittab
$s mentioned earlier" init reads the file /etc/inittab to determine what it should do.
$n entry in this file has the following format#
id#runleels#action#process
Included below is an example /etc/inittab file.
+ L2e de5ault runle-el.
id.2.initde5ault.
+ =oot6time s!stem con5iguration/initialization script.
+ L2is is run 5irst except >2en booting in emergenc! (6b) mode.
si..s!sinit./etc/init.d/rcS
+ R2at to do in single6user mode.
88.S.>ait./sbin/sulogin
+ /etc/init.d executes t2e S and K scripts upon c2ange
- 27 -
+ o5 runle-el.
+
+ 1unle-el $ is 2alt.
+ 1unle-el # is single6user.
+ 1unle-els 26( are multi6user.
+ 1unle-el 6 is reboot.
l$.$.>ait./etc/init.d/rc $
l#.#.>ait./etc/init.d/rc #
l2.2.>ait./etc/init.d/rc 2
l%.%.>ait./etc/init.d/rc %
l(.(.>ait./etc/init.d/rc (
+ Hormall! not reac2edO but 5all t2roug2 in case o5 emergenc!.
z6.6.respa>n./sbin/sulogin
+ /sbin/gett! in-ocations 5or t2e runle-els.
+
+ L2e 9id9 5ield MSL be t2e same as t2e last
+ c2aracters o5 t2e de-ice (a5ter 9tt!9).
+
+ Iormat.
+ ?idA.?runle-elsA.?actionA.?processA
#.2%4(.respa>n./sbin/gett! %'4$$ tt!#
2.2%.respa>n./sbin/gett! %'4$$ tt!2

4escription of an entry in /etc/inittabA
id
The id-field uni+uely identifies an entry in the file /etc/inittab and can be !-2
characters in length. ?or gettys and other login processes howeer" the id field
should contain the suffix of the corresponding tty" otherwise the login accounting
might not work.
runleels
This field contains the runleels for which the specified action should be taken.
action
"he JactionK fiel) can ha+e one of the following +aluesA
respawn
The process will be restarted wheneer it terminates" Ae.g. gettyB.
wait
- 28 -
The process will be started once when the specified runleel is entered and init
will wait for its termination.
once
The process will be executed once when the specified runleel is entered.
boot
The process will be executed during system boot. The runleels field is ignored.
bootwait
The process will be executed during system boot" while init waits for its
termination Ae.g. /etc/rc). The runleels field is ignored.
off
This does absolutely nothing.
ondemand
$ process marked with an on demand runleel will be executed wheneer the
specified ondemand runleel is called. /oweer" no runleel change will occur
Aon demand runleels are JaK" JbK" and JcKB.
initdefault
$n initdefault entry specifies the runleel which should be entered after system
boot. If none exists" init will ask for a runleel on the console. The process field is
ignored. In the example aboe" the system will go to runleel 2 after boot.
sysinit
The process will be executed during system boot. It will be executed before any
boot or bootwait entries. The runleels field is ignored.
powerwait
The process will be executed when the power goes down. init is usually informed
about this by a process talking to a 4P& connected to the computer. init will wait
for the process to finish before continuing.
powerfail
$s for powerwait" except that init does not wait for the process)s completion.
- 2< -
powerokwait
This process will be executed as soon as init is informed that the power has been
restored.
powerfailnow
This process will be executed when init is told that the battery of the external
4P& is almost empty and the power is failing Aproided that the external 4P& and
the monitoring process are able to detect this conditionB.
ctrlaltdel
The process will be executed when init receies the &I6I3T signal. This means
that someone on the system console has pressed the CT;L-$LT-*DL key
combination. Typically one wants to execute some sort of shutdown either to get
into single-user leel or to reboot the machine.
kbdre+uest
The process will be executed when init receies a signal from the keyboard
handler that a special key combination was pressed on the console keyboard.
(asically you want to map some keyboard combination to the J0eyboard&ignalK
action. ?or example" to map $lt-4parrow for this purpose use the following in
your keymaps file# alt ,e!code #$% B Ke!boardSignal.
process
This field specifies the process that should be executed. If the process field starts
with a JTK" init will not do utmp and >tmp accounting. &ome gettys insist on
doing their own housekeeping. This is also a historic bug.
"he /etc/init.d/rc script
?or each of the runleels .-: there is an entry in /etc/inittab that executes
BetcBinit.)Brc I where J>K is .-:" as you can see in following line from the earlier example
aboe#

&o" what actually happens is that BetcBinit.)Brc is called with the runleel as a parameter.
The directory /etc contains seeral" runleel specific" directories which in their turn
contain runleel specific symbolic links to scripts in /etc/init.d/. Those directories
are#
- 5. -
3 ls 6d /etc/rcE
/etc/rc.boot /etc/rc#.d /etc/rc%.d /etc/rc(.d /etc/rcS.d
/etc/rc$.d /etc/rc2.d /etc/rc4.d /etc/rc6.d

$s you can see" there also is a /etc/rc.boot directory. This directory is obsolete and
has been replaced by the directory /etc/rcS.d. $t boot time" the directory /etc/rcS.d
is scanned first and then" for backwards compatibility" the /etc/rc.boot.
The name of the symbolic link either starts with an J&K or with a J0K. Let)s examine the /
etc/rc2.d directory#
3 ls /etc/rc2.d
K2$gpm S##pcmcia S2$logoutd S2$ss2 S'&cron
S#$ipc2ains S#2,erneld S2$lpd S2$x5s S&#apac2e
S#$s!s,logd S#4ppp S2$ma,ede- S22ntpdate S&&gdm
S##,logd S2$inetd S2$m!sSl S'&atd S&&rmnologin

If the name of the symbolic link starts with a J0K" the script is called with JstopK as a
parameter to stop the process. This is the case for K2$gpm" so the command becomes
K2gp# stop. Let)s find out what program or script is called#
3 ls 6l /etc/rc2.d/K2$gpm
lr>xr>xr>x # root root #% Mar 2% 2$$# /etc/rc2.d/K2$gpm 6A ../init.d/gpm

&o" K2gp# stop results in BetcBinit.)Bgp# stop. Let)s see what happens with the JstopK
parameter by examining part of the script#
+Q/bin/s2
+
+ Start Mouse e-ent ser-er
...
case 93#9 in
start)
gpm"start
CC
stop)
gpm"stop
CC
5orce6reloadTrestart)
gpm"stop
sleep %
gpm"start
CC
E)
ec2o 9sage. /etc/init.d/gpm UstartTstopTrestartT5orce6reloadV9
exit #
esac

- 5! -
In the case..esac the first parameter" U!" is examined and in case its alue is JstopK"
gp#<stop is executed.
%n the other hand" if the name of the symbolic link starts with an J&K" the script is called
with JstartK as a parameter to start the process.
The scripts are executed in a lexical sort order of the filenames.
Let)s say we)e got a daemon (o#e4ae#on" an accompanying script
/etc/init.d/SDscript and we want (o#e4ae#on to be running when the system is in
runleel 2 but not when the system is in runleel 9.
$s you)e read earlier" this means that we need a symbolic link" starting with an J&K" for
runleel 2 and a symbolic link" starting with a J0K" for runleel 9. -e)e also determined
that the daemon (o#e4ae#on is to be started after (16so#eother)ae#on which
implicates &2. and 08. since starting=stopping is symmetrical" i.e. that what is started
first is stopped last. This is accomplished with the following set of commands#
+ cd /etc/rc2.d
+ ln 6s ../init.d/SDscript S2$SomeDaemon
+ cd /etc/rc%.d
+ ln 6s ../init.d/SDscript K'$SomeDaemon

&hould you wish to manually start" restart or stop a process" it is good practice to use the
appropriate script in /etc/init.d/ " e.g. BetcBinit.)Bgp# restart to initiate the restart of
the process.
(yste# reco+ery (2.22.2!
This topic includes being able to properly configure and naigate the standard Linux
filesystem" configuring and mounting arious filesystem types" and manipulating
filesystems to ad'ust for disk space re+uirements or deice additions.
LIL%
init
inittab
#ount
fsck
Influencing the regular boot process
The regular boot process is the process that normally takes place when AreBbooting the
system. This process can be influenced by entering something at the LIL% prompt. -hat
- 52 -
can be influenced will be discussed in the following sections" but first we must actiate
the prompt. The LIL% prompt is actiated if LIL% sees that one of the (hift" Ctrl or 1lt
keys is pressed" or CapsLock or (crollLock is set after LIL% is loaded.
Choosing another kernel
If you)e 'ust compiled a new kernel and you)re experiencing difficulties with the new
kernel" chances are that you)d like to reert to the old kernel. %f course you)e kept the
old kernel and added a label to lilo.con5 which will show up if you press "a* or I on
the LIL% prompt. Choose the old kernel" then sole the problems with the new one.
7ooting into single user #o)e or a specific runle+el
This can be useful if" for instance" you)e installed a graphical enironment which isn)t
functioning properly. Lou either don)t see anything at all or the system doesn)t reach a
finite state because is keeps trying to start P oer and oer again.
(ooting into single user mode or into another runleel where the graphical enironment
isn)t running will gie you access to the system so you can correct the problem. To boot
into single user mode type the name of the label corresponding to the kernel you)d like
started followed by an JsK" J&K or the word JsingleK. If the label is JLinuxK" you can type
one of the following after the LIL% prompt#
MIMG. Minux s
MIMG. Minux S
MIMG. Minux single

If you hae defined a runleel" let)s say runleel 2" which is a text-only runleel" you can
type the following line to boot into runleel 2 and regain access to your system#
MIMG. Minux 4

Passing para#eters to the kernel
If a device doesn't work
$ possible cause can be that the deice drier in the kernel has to be told to use another
ir+ and=or another I=% port. (T-# This is only applicable if support for the deice has
been compiled into the kernel" not if you)re using a loadable module.
$s an example" let)s pretend we)e got a system with two identical ethernet-cards for
which support is compiled into the kernel. (y default only one card will be detected" so
we need to tell the drier in the kernel to probe for both cards. &uppose the first card is to
become eth. with an address of .x9.. and an ir+ of 5 and the second card is to become
- 59 -
eth! with an ir+ of !! and an address of .x92.. This is done at the LIL% bootprompt as
shown below#
MIMG. Minux et2erB(O$x%$$Oet2$ et2erB##O$x%4$Oet2#
(e careful only to include white space between the two JetherSK parameters.
If you've lost the root password
This neer happens because" being a well-trained system administrator" you)e written the
password down on a piece of paper" put it in an enelope and placed it in the ault.
In case you haen)t done this" shame on youG
The trick is to try to get a shell with root-priileges but without haing to type the root
password. $s soon as that)s accomplished" you can remoe the root password by clearing
root)s second field in the file /etc/pass>d Athe fields are separated by colonsB" do a
reboot" login as root and use passw) to set the new root password.
?irst reboot the system and type the following at the LIL% boot prompt#
MIMG. Minux initB/bin/bas2
This will gie you the shell but it)s possible that the default editor +i can)t be found
because it)s located on a filesystem that is not mounted yet Awhich would be the case on
my system because +i on my system is located in /usr/bin which is not mountedB. It)s
possible to do a #ount @a now which will mount all the filesystems mentioned in
/etc/5stab" except the ones with the noauto keyword" but you won)t see that the
filesystems hae been mounted when you type #ount after that because #ount and
u#ount keep a list of mounted filesystems in the file /etc/mtab which couldn)t be
updated because the root A=B filesystem under which /etc/mtab resides is mounted read-
only.
0eeping all this in mind" the steps to follow after we)e ac+uired the shell are#
+ mount 6o remountOr> / Wremount / readable and >ritable
+ mount 6a Wmount all
+ mount Ws2o> mounted 5iles!stems
+ -i /etc/pass>d Wand clear t2e second 5ield 5or root
+ s!nc W>rite bu55ers to dis,
+ umount 6a Wunmount 5iles!stems
+ mount 6o remountOro / Wremount / read6onl! again
?DtrlA?;ltA?DelA
login. root Wlogin as root >it2out pass>ord
+ pass>d Wt!pe t2e ne> pass>ord
- 52 -
$hem" now is a good time to write the root password ...
"he !escue $oot process
;hen fsck is starte) *ut fails
*uring boot" on my *ebian system" this is done by /etc/rcS.d/S%$c2ec,.5s. $ll
filesystems are checked based on the contents of /etc/5stab.
If the command fsck returns an exit status larger than !" the command has failed. The exit
status is the result of one or more of the following conditions#
$ 6 Ho errors
# 6 Iile s!stem errors corrected
2 6 S!stem s2ould be rebooted
4 6 Iile s!stem errors le5t uncorrected
' 6 Gperational error
#6 6 sage or s!ntax error
#2' 6 S2ared librar! error
If the command has failed you)ll get a message#
5sc, 5ailed. Flease repair manuall!
9DGHL1GM6D9 >ill exit 5rom t2is s2ell and
continue s!stem startup.
If you don)t press Ctrl@4 but enter the root password" you)ll get a shell" in fact
Bs*inBsulogin is launched" and you should be able to run fsck and fix the problem if the
root filesystem is mounted read-only.
$lternatiely" as is described in the next section" you can boot from a home-made disc or
from the distribution boot media.
3f your root (B! filesyste# is corrupt
Using a home-made bootfloppy
The default root filesystem is compiled into the kernel. This means that if a kernel has
been built on a system that uses =de=hda2 as the root filesystem and you)e put the kernel
on a floppy and boot from floppy" the kernel will still try to mount =de=hda2 as the root
filesystem.
The only way to circument this is to tell the kernel to mount another deice as the root
filesystem. Let)s say we)e cooked up a floppy with a root filesystem on it and a kernel
- 55 -
that is an exact copy of our current kernel. $ll we hae to do is boot from floppy and tell
the kernel to use the root filesystem from the floppy. This is done at the LIL% prompt#
MIMG. Minux rootB/de-/5d$

Using the distribution's bootmedia
$ lot of distributions come with two floppy disks and one or more C*)s. %ne of the
floppy disks is called the JbootdiskK or the JrescuediskK the other is called the JrootdiskK.
Lou can boot from the JbootdiskK and the system will ask you to enter the JrootdiskK.
$fter both disks hae been processed" you)e got a running system with the root
filesystem A=B in a ;$@disk.
In case you)re wondering why we didn)t boot from C*Q we could hae" if the system
supports booting from C*. ;emember to set the boot-order in the (I%& to try to boot
from C*-;%@ first and then /**.
$s soon as we)e booted from the disks or from C* we can get a shell with root-
priileges but without haing to type the root password by pressing 1lt@-2. It is now
possible to manually run fsck on the umounted filesystems.
Let)s assume your root partition was /de-/2da2. Lou can then run a filesystem check on
the root filesystem by typing fsck @y B)e+Bh)a2. The J-yK flag preents fsck from asking
+uestions which you must answer Athis can result in a lot of =ntersB and causes fsck to
use JyesK as an answer to all +uestions.
$lthough your current root A=B filesystem is completely in ;$@" you can mount a
filesystem from harddisk on an existing mountpoint in ;$@" such as /target or you can
create a directory first and then mount a harddisk partition there.
$fter you)e corrected the errors" don)t forget to u#ount the filesystems you)e mounted
before you reboot the system" otherwise you)ll get a message during boot that one or
more filesystems hae not been cleanly umounted and fsck will try to fix it again.
- 5: -
Chapter 3. -ilesyste# (2.23!
This ob'ectie has a weight of !. points and contains the following three ob'ecties#
%b'ectie 2.2.9.!Q %perating the Linux filesystem A9 pointsB
The formal LPI ob'ectie states# JCandidates should be able to properly configure
and naigate the standard Linux filesystem. This ob'ectie includes configuring
and mounting arious filesystem types. $lso included is manipulating filesystems
to ad'ust for disk space re+uirements or deice additions.K
%b'ectie 2.2.9.2Q @aintaining a Linux filesystem A2 pointsB
The formal LPI ob'ectie states# JCandidates should be able to properly maintain
a Linux filesystem using system utilities. This ob'ectie includes manipulating
standard filesystems.K
%b'ectie 2.2.9.9Q Creating and configuring filesystem options A9 pointsB
The formal LPI ob'ectie states# JCandidates should be able to configure
automount filesystems. This ob'ectie includes configuring automount for
network and deice filesystems. $lso included is creating non ext2 filesystems for
deices such as C*-;%@s.K
- 57 -
/perating "he Linux -ilesyste# (2.23.1!
The formal LPI ob'ectie states# JCandidates should be able to configure automount
filesystems. This ob'ectie includes configuring automount for network and deice
filesystems. $lso included is creating filesystems for deices such as C*-;%@s.K
L2e concept o5 t2e 5stab con5iguration
Lools and utilities 5or 2andling SR;F partitions and 5iles
/etc/5stab
mount/umount
/etc/mtab
s!nc
s>apon/s>apo55
/proc/mounts
"he (ile )ierarchy
/istorically" the location of certain files and utilities has not always been standard Aor
fixedB. This has led to problems with deelopment and upgrading between different
VdistributionsV of Linux. The Linux directory structure Aor file hierarchyB was based on
existing flaors of 43IP" but as it eoled" certain inconsistencies deeloped. These
were often small things like the location Aor placementB of certain configuration files" but
it resulted in difficulties porting software from host to host.
To e+uali,e these differences a file standard was deeloped. This is an eoling process"
to date" resulting in a fairly static model for the Linux file hierarchy.
The top leel of the Linux file hierarchy is referred to as the root Aor /B. The root
directory typically contains seeral other directories including#
bin/
;e+uired boot-time binaries
boot/
(oot configuration files for the %& loader and kernel image
de-/
*eice files
etc/
&ystem configuration files and scripts
2ome/
4ser=&ub branch directories
lib/
@ain %& shared libraries and kernel modules
lostX5ound/
&torage directory for JrecoeredK files
mnt/
Temporary point to connect deices to
proc/
Pseudo directory structure containing information about the kernel"
currently running processes and resource allocation
root/
Linux Anon-standardB home directory for the root user. $lternate location
being the / directory itself
sbin/
&ystem administration binaries and tools
- 58 -
tmp/
Location of temporary files
usr/
*ifficult to define - it contains almost eerything else including local
binaries" libraries" applications and packages Aincluding P -indowsB
-ar/
Cariable data" usually machine specific. Includes spool directories for mail
and news
6enerally" the root should not contain any additional files - a possible exception would be
mount points for arious purposes.
(ilesystems
$ filesystem is build of the methods and data structures that a operating system uses to
keep track of files on a disk or partitionQ that is" the way the files are organi,ed on the
disk. The word is also used to refer to a partition or disk that is used to store the files or
the type of the filesystem. Thus" one might say JI hae two filesystemsK meaning one has
two partitions on which one stores files" or that one might say that one is using the JP?&
filesystemK" meaning the type of the filesystem.
Important
The difference between a disk or partition and the filesystem it contains is important. $
few programs Aincluding" reasonably enough" programs that create filesystemsB operate
directly on the raw sectors of a disk or partitionQ if a filesystem is already there it will be
destroyed or seriously corrupted. @ost programs operate on a filesystem" and therefore
won)t work on a partition that doesn)t contain one Aor that contains one of the wrong
typeB.
(efore a partition or disk can be used as a filesystem" it needs to be initiali,ed" and the
bookkeeping data structures need to be written to the disk. This process is called making
a filesystem.
@ost 43IP filesystem types hae a similar general structure" although the exact details
ary +uite a bit. The central concepts are superblock" inode" data block" directory block"
and indirection block. The superblock contains information about the filesystem as a
whole" such as its si,e Athe exact information here depends on the filesystemB. $n inode
contains all information about a file" except its name. The name is stored in the directory"
together with the number of the inode. $ directory entry consists of a filename and the
number of the inode which represents the file. The inode contains the numbers of seeral
data blocks" which are used to store the data in the file. There is space only for a few data
block numbers in the inode" howeer" and if more are needed" more space for pointers to
the data blocks is allocated dynamically. These dynamically allocated blocks are indirect
blocksQ the name indicates that in order to find the data block" one has to find its number
in the indirect block first.
- 5< -
Creating (ilesystems
(efore a partition can be mounted Aor usedB" a filesystem must first be installed on it -
with ext2" this is the process of creating i-nodes and data blocks.
This process is the e+uialent of formatting the partition Asimilar to @&*%&)s for#at
commandB. 4nder Linux" the command to create a filesystem is called #kfs.
The command is issued in the following way#
m,5s )6c* ) 6t 5st!pe * 5iles!stem ) bloc,s *
e.g.
m,5s 6t ext2 /de-/5d$ + Ma,e a ext2 5iles!stem on a 5lopp!
where#
-c
forces a check for bad blocks
-t fstype
specifies the filesystem type. ?or most filesystem types there is a shorthand for
this e.g.# #kfs @t ext2 can also be called as #ke2fs or #kfs.ext2 and #kfs @t +fat
or #kfs @t #s)os can also be called as #kfs.+fat" #kfs.#s)os or #k)osfs
filesystem
is either the deice file associated with the partition or deice %; is the directory
where the file system is mounted Athis is used to erase the old file system and
create a new oneB
(e aware that creating a filesystem on a deice with an existing filesystem will cause all
data on the old filesystem to be erased.
*ounting and Unmounting
To attach a partition or deice to the directory hierarchy you must mount its associated
deice file. To do this" a mount point has to be created - this is simply a directory where
the deice will be attached. This directory will exist on a preiously mounted deice
Awith the exception of the root directory A/B which is a special caseB and will be empty. If
the directory is not empty" then the files in the directory will not be isible while the
- :. -
deice is mounted to it" but will reappear after the deice has been disconnected Aor
unmountedB.
To mount a deice" use the mount command#
mount )s>itc2es* de-ice"5ile mount"point
-ith some deices" mount will detect what type of filesystem exists on the deice"
howeer it is more usual to use mount in the form of#
mount )s>itc2es* 6t 5ile"s!stem"t!pe de-ice"5ile mount"point
6enerally" only the root user can use the mount command - mainly due to the fact that the
deice files are owned by root. ?or example" to mount the first partition on the second
hard drie off the /usr directory and assuming it contained the ext2 filesystem" you)d
enter the command#
mount 6t ext2 /de-/2db# /usr
$ common deice that is mounted is the floppy drie. $ floppy disk generally contains
the ?$T" also known as msdos" filesystem Abut not alwaysB and is mounted with the
command#
mount 6t msdos /de-/5d$ /mnt
3ote that the floppy disk was mounted under the /mnt directory. This is because the /mnt
directory is the usual place to temporarily mount deices.
To see what deices you currently hae mounted" simply type the command #ount.
Typing it on my system reeals#
/de-/2da% on / t!pe ext2 (r>)
/de-/2da# on /dos t!pe msdos (r>)
none on /proc t!pe proc (r>)
/de-/cdrom on /cdrom t!pe iso&66$ (ro)
/de-/5d$ on /mnt t!pe msdos (r>)
Dach line tells me what deice file is mounted" where it is mounted" what filesystem type
each partition is and how it is mounted Aro S read only" rw S read=writeB. 3ote the strange
entry on line three - the proc filesystem> This is a special VirtualV filesystem used by
Linux systems to store information about the kernel" processes and current resource
usages. It is actually part of the system)s memory - in other words" the kernel sets aside an
area of memory in which it stores information about the system. This same area is
mounted onto the filesystem so user programs hae access to this information.
- :! -
The information in the proc filesystem can also be used to see what filesystems are
mounted by issuing the command#
$ cat /proc/mounts
/de-/root / ext2 r> $ $
proc /proc proc r> $ $
/de-/2da# /dos msdos r> $ $
/de-/cdrom /cdrom iso&66$ ro $ $
/de-/5d$ /mnt msdos r> $ $
To release a deice and disconnect it from the filesystem" the umount command is used.
It is issued in the form#
umount device_file
or
umount mount_point
?or example" to release the floppy disk" you)d issue the command#
umount /mnt
or
umount /dev/fd
$gain" you must be the root user or a user with priileges to do this. Lou can)t unmount a
deice=mount point that is in use by a user Athe user)s current working directory is within
the mount pointB or is in use by a process. 3or can you unmount deices=mount points
which in turn hae deices mounted to them. $ll of this raises the +uestion - how does
the system know which deices to mount when the %& boots>
In true 43IP fashion" there is a file which goerns the behaior of mounting deices at
boot time. In Linux" this file is /etc/5stab. &o what is in the file> $n example line from
the fstab file uses the following format#
de-ice"5ile mount"point 5ile"s!stem"t!pe mount"options )n* )n*
The first three fields are self explanatoryQ the fourth field" mount_options defines how
the deice will be mounted Athis includes information of access mode ro=rw" execute
permissions and other informationB - information on this can be found in the #ount man
pages Anote that this field usually contains the word JdefaultsKB. The fifth and sixth fields
- :2 -
are used by the system utilities )u#p and fsck respectiely - see the next section for
details.
+ap
Linux can use either a normal file in the filesystem or a separate partition for swap space.
$ swap partition is faster" but it is easier to change the si,e of a swap file Athere)s no need
to repartition the whole hard disk" and possibly install eerything from scratchB. -hen
you know how much swap space you need" you should use a swap partition" but if you
are uncertain" you can use a swap file first" use the system for a while so that you can get
a feel for how much swap you need" and then make a swap partition when you)re
confident about its si,e. (ut it is recommended to use a separate partition" because this
excludes chances of file system fragmentation" which would reduce performance. $lso"
by using a separate swap partition" it can be guaranteed that the swap region is at the
fastest location of the disk. %n current /**s this is the beginning. It is possible to use
seeral swap partitions and=or swap files at the same time. This means that if you only
occasionally need an unusual amount of swap space" you can set up an extra swap file at
such times" instead of keeping the whole amount allocated all the time.
The command #kswap is used to initiali,e a swap partition or a swap file. The partition
or file needs to exist before it can be initiali,ed. $ swap partition is created with a disk
partitioning tool like f)isk and a swap file can be created with#
dd if!/dev/zero of!swapfile bs!"#$ count!%&&3&
-hen the partition or file is created" it can be initiali,ed with#
m'swap (device)file*
$n initiali,ed swap space is taken into use with swapon. This command tells the kernel
that the swap space can be used. The path to the swap space is gien as the argument" so
to start swapping on a temporary swap file one might use the following command#
swapon /swapfile
or" when using a swap partition#
swapon /dev/+da,
&wap spaces can be used automatically by listing them in the file /etc/5stab#
/de-/2da' none s>ap s> $ $
/s>ap5ile none s>ap s> $ $
- :9 -
The startup scripts will run the command swapon @a" which will start swapping on all the
swap spaces listed in /etc/5stab. Therefore" the swapon command is usually used only
when extra swap is needed. Lou can monitor the use of swap spaces with free. It will tell
the total amount of swap space used#
3 5ree
total used 5ree s2ared bu55ers
cac2ed
Mem. #20#4' #22('' 4(6$ $ #('4
6&%(2
6/X bu55ers/cac2e. (#6(2 0(4&6
S>ap. #%$04' (00#6 0%$%2
The first line of output AMem.B shows the physical memory. The total column does not
show the physical memory used by the kernel" which is loaded into the ;$@ memory
during the boot process. The used column shows the amount of memory used Athe
second line does not count buffersB. The 5ree column shows completely unused
memory. The s2ared column shows the amount of memory shared by seeral processesQ
The bu55ers column shows the current si,e of the disk buffer cache.
That last line AS>ap.B shows similar information for the swap spaces. If this line is all
,eroes" swap space is not actiated.
The same information" in a slightly different format" can be shown by using cat on the
file /proc/memin5o#
3 cat /proc/memin5o
total. used. 5ree. s2ared. bu55ers. cac2ed.
Mem. #%$#&&((2 #2(#00'(6 ($2#6&6 $ #622$#6 '&2'$(#2
S>ap. #%%''(&(2 (&#$##'4 040'406'
MemLotal. #20#4' ,=
MemIree. 4&$4 ,=
MemS2ared. $ ,=
=u55ers. #('4 ,=
Dac2ed. 6&#2$ ,=
S>apDac2ed. #'$6' ,=
;cti-e. '$24$ ,=
Inacti-e. %#$'$ ,=
Yig2Lotal. $ ,=
Yig2Iree. $ ,=
Mo>Lotal. #20#4' ,=
Mo>Iree. 4&$4 ,=
S>apLotal. #%$04' ,=
S>apIree. 0%$%2 ,=
0aintaining a Linux -ilesyste# (2.23.2!
- :2 -
The formal LPI ob'ectie states# JCandidates should be able to properly maintain a Linux
filesystem using system utilities.K This ob'ectie includes manipulating a standard ext2
filesystem.
fsck Afsck.ext2B
badblocks
mke2fs
dumpe2fs
debuge2fs
tune2fs
6ood disk maintenance re+uires periodic disk checks. Lour best tool is fsck" and should
be run at least monthly. *efault checks will normally be run after 2. system reboots" but
if your system stays up for weeks or months at a time" you)ll want to force a check from
time to time. Lour best bet is performing routine system backups and checking your
lostX5ound directories from time to time.
The fre+uency of the checks at system reboot can be changed with tune2fs. This utility
can also be used to change the mount count" which will preent the system from haing
to check all filesystems at the 2.th reboot Awhich can take a long timeB.
The )u#pe2fs utility will proide important information regarding hard disk operating
parameters found in the superblock" and *a)*locks will perform surface checking.
?inally" surgical procedures to remoe areas grown bad on the disk can be accomplished
using )e*ugfs.
fsck ,fsck-e2fs.
fsck is a utility to check and repair a Linux filesystem. In actuality fsck is simply a front-
end for the arious filesystem checkers Afsck.fstypeB aailable under Linux.
?sck is called automatically at system startup. If the filesystem is marked Jnot cleanK" the
maximum mount count is reached or the time between check is exceeded" the filesystem
is checked. To change the maximum mount count or the time between checks" use
tune2fs.
?re+uently used options to fsck include#
-s
&eriali,e fsck operations. This is a good idea if you checking multiple filesystems
and the checkers are in an interactie mode.
--
- :5 -
-alk through the /etc/5stab file and try to check all filesystems in one run.
This option is typically used from the =etc=rc system initiali,ation file" instead of
multiple commands for checking a single filesystem.
The root filesystem will be checked first. $fter that" filesystems will be checked
in the order specified by the fs_passno Athe sixthB field in the /etc/5stab file.
?ilesystems with a fs_passno alue of . are skipped and are not checked at all. If
there are multiple filesystems with the same pass number" fsck will attempt to
check them in parallel" although it will aoid running multiple filesystem checks
on the same physical disk.
-.
-hen checking all filesystems with the -$ flag" skip the root filesystem Ain case
it)s already mounted read-writeB.
%ptions which are not understood by fsck are passed to the filesystem-specific checker.
These arguments must not take arguments" as there is no way for fsck to be able to
properly guess which arguments take options and which don)t. %ptions and arguments
which follow the-- are treated as filesystem-specific options to be passed to the
filesystem-specific checker.
The filesystem checker for the ext2 filesystem is called fsck.e2fs or e2fsck. ?re+uently
used options include#
-a
This option does the same thing as the -p option. It is proided for backwards
compatibility onlyQ it is suggested that people use -p option wheneer possible.
-c
This option causes e2fsck to run the *a)*locks('! program to find any blocks
which are bad on the filesystem" and then marks them as bad by adding them to
the bad block inode.
-/
This option causes e2fsck to write completion information to the specified file
descriptor so that the progress of the filesystem check can be monitored. This
option is typically used by programs which are running e2fsck. If the file
descriptor specified is ." e2fsck will print a completion bar as it goes about its
business. This re+uires that e2fsck is running on a ideo console or terminal.
-f
?orce checking een if the filesystem seems clean.
- :: -
-n
%pen the filesystem read-only" and assume an answer of JnoK to all +uestions.
$llows e2fsck to be used non-interactiely. A3ote# if the -c" -l" or -L options are
specified in addition to the -n option" then the filesystem will be opened read-
write" to permit the bad-blocks list to be updated. /oweer" no other changes will
be made to the filesystem.B
-p
$utomatically repair AVpreenVB the filesystem without any +uestions.
-y
$ssume an answer of JyesK to all +uestionsQ allows e2fsck to be used non-
interactiely.
tune2fs
tune2fs is used to JtuneK a filesystem. This is mostly used to set filesystem check
options" such as the maximum mount count and the time between filesystem
c+ec's.
It is also possible to set the mount count to a specific alue. This can be used to )stagger)
the mount counts of the different filesystems" which ensures that at reboot not all
filesystems will be checked at the same time.
&o for a system that contains 5 partitions and is booted approximately once a month you
could do the following to stagger the mount counts#
tune25s 6c ( 6D $ partition"
tune25s 6c ( 6D # partition#
tune25s 6c ( 6D 2 partition3
tune25s 6c ( 6D % partition$
tune25s 6c ( 6D 4 partition&
The maximum mount count is 2." but for a system that is not fre+uently rebooted a lower
alue is adisable.
?re+uently used options include#
-c max-mount-counts
$d'ust the maximum mount count between two filesystem checks. If max-mount-
counts is . then the number of times the filesystem is mounted will be disregarded
by e2fsckA8B and the kernel. &taggering the mount-counts at which filesystems are
- :7 -
forcibly checked will aoid all filesystems being checked at one time when using
'ournalling filesystems.
Lou should strongly consider the conse+uences of disabling mount-count-
dependent checking entirely. (ad disk dries" cables" memory and kernel bugs
could all corrupt a filesystem without marking the filesystem dirty or in error. If
you are using 'ournalling on your filesystem" your filesystem will neer be
marked dirty" so it will not normally be checked. $ filesystem error detected by
the kernel will still force an fsck on the next reboot" but it may already be too late
to preent data loss at that point.
-/ mount-count
&et the number of times the filesystem has been mounted. Can be used in
con'unction with -c to force an fsck on the filesystem at the next reboot.
-i interval-between-c+ec's0d)m)w1
$d'ust the maximal time between two filesystem checks. 3o postfix or d result in
days" m in months" and w in weeks. $ alue of ,ero will disable the time-
dependent checking.
It is strongly recommended that either -c Amount-count-dependentB or -i Atime-
dependentB checking be enabled to force periodic full e2fsckA8B checking of the
filesystem. ?ailure to do so may lead to filesystem corruption due to bad disks"
cables or memory or kernel bugs to go unnoticed" until they cause data loss or
corruption.
-m reserved-bloc's-percentage
&et the percentage of resered filesystem blocks.
-r reserved-bloc's-count
&et the number of resered filesystem blocks.
dumpe2fs
)u#pe2fs prints the super block and blocks group information for the filesystem present
on deice.
-b
print the blocks which are resered as bad in the filesystem.
-+
- :8 -
only display the superblock information and not any of the block group descriptor
detail information.
badblocks
*a)*locks is used to check a filesystem for bad blocks. Lou can call it to scan for bad
blocks and write a log of bad sectors by using the -o output-file option. -hen called
from e2fsck by using the -c option" the bad blocks that are found will automatically be
marked bad.
debugfs
-ith )e*ugfs" you can modify the disk with direct disk writes. &ince this utility is so
powerful" you will normally want to inoke it as read-only until you are ready to actually
make changes and write them to the disk. To inoke )e*ugfs in read-only mode" do not
use any switches. To open in read-write mode" add the -w switch. Lou may also want to
include in the command line the deice you want to work on" as in /de-/2da# or
/de-/sda#" etc. %nce it is inoked" you should see a debugfs prompt.
-hen the superblock of a partition is damaged" you can specify a different superblock to
use#
debug5s 6b #$24 6s '#&% /de-/2da#
This means that the superblock at block 8!<9 will be used and the blocksi,e is !.22.
3ote that you hae to specify the blocksi,e when you want to use a different superblock.
The information about blocksi,e and backup superblocks can be found with#
dumpe25s /de-/2da#
The first command to try after inocation" is para#s to show the mode Aread-only or
read-writeB" and the current file system. If you run this command without opening a
filesystem" it will almost certainly dump core and exit. Two other commands" open and
close" may be of interest when checking more than one filesystem. Close takes no
argument" and appropriately enough" it closes the filesystem that is currently open. %pen
takes the deice name as an argument. To see disk statistics from the superblock" the
command stats will display the information by group. The command test* checks
whether a block is in use. This can be used to test if any data is lost in the blocks marked
as JbadK by the *a)*locks command. To get the filename for a block" first use the icheck
command to get the inode and then ncheck to get the filename. The best course of action
with bad blocks is to mark the block JbadK and restore the file from backup.
To get a complete list of all commands" see the man page of )e*ugfs or type I" lr or
list<reCuests.
- :< -
Creating 1n) Configuring -ilesyste# /ptions
(2.23.3!
The formal LPI ob'ectie states# JCandidates should be able to configure automount
filesystems. This ob'ectie includes configuring automount for network and deice
filesystems. $lso included is creating non ext2 filesystems for deices such as C*-
;%@s.K
/etc/auto.master
/etc/auto.)dir*
mkisofs
dd
mke2fs
/utofs and automounter
$utomounting is the process where mounting Aand unmountingB of filesystems is done
automatically by a daemon. If the filesystem is not mounted and a user tries to access it" it
will be automatically AreBmounted. This is useful in networked enironments Aespecially
when not all machines are always on-lineB and for remoable deices" such as floppies
and C*-;%@s.
The linux implementation of automounting" autofs" consists of a kernel component and a
daemon called auto#ount. $utofs uses auto#ount to mount local and remote
filesystems Aoer 3?&B when needed and unmount them when they are not being used
Aafter a timeoutB. Lour /etc/init.d/auto5s script first looks at /etc/auto.master#
+ sample /etc/auto.master 5ile
/-ar/auto5s/5lopp! /etc/auto.5lopp! 66timeoutB2
/-ar/auto5s/cdrom /etc/auto.cdrom 66timeoutB6
The file has three fields on each line. It has the directory in which all mounts will be
located. 3ext to that is the filename of the configurationAsB for deices to be mounted.
-e will call these filenames the VsupplementalV files. The last field displays the timeout
which occurs after the gien seconds of inactiity. The timeout will free or unmount all
deices specified in the supplemental files after that period of inactiity. The
supplemental files can hae more than one entry" but for these examples only one entry
per supplemental file was used. ;ead below for an explanation. The supplemental files
can be named anything you want them to be named.
They also hae three alues for each entry#
+ sample /etc/auto.5lopp! 5ile
- 7. -
5lopp! 6userO5st!peBauto ./de-/5d$
The first alue is the JpseudoK directory. This will be explained later. The second alue
contains the mount options. The third alue is the deice Asuch as /de-/5d$" the floppy
drieB which the JpseudoK directory is connected to.
The JpseudoK directory is contained in the directory which is defined in
/etc/auto.master. -hen users try to access this JpseudoK directory" they will be
rerouted to the deice you specified. ?or example" if you specify a supplemental file to
mount /de-/5d$ on /-ar/auto5s/5lopp!/5lopp!" the command ls
/var/autofs/floppy/floppy will list the contents of the floppy. (ut if you do the
command ls /var/autofs/floppy" you don)t see anything een though the directory
/-ar/auto5s/5lopp!/5lopp! should exist. That is because
/-ar/auto5s/5lopp!/5lopp! doesn)t exist as a file or directory" but somehow the
system knows that if you specifically ask for /-ar/auto5s/5lopp!/5lopp!" it will
reroute you to the floppy drie.
3ow as to the reason why the floppy drie and cdrom drie are not combined into the
same supplementary file. =ach )efinition in the /etc/auto.master file will ha+e its
own automount progra# running for it. If you hae seeral deices running on the
same automount program and one of them fails" it could force the others not to work.
That is why eery deice is running on its own automount program" which means there is
one deice per supplementary file per entry in the /etc/auto.master file.
CD0!1* filesystem
Creating an i#age for a C4@2/0
The usual utilities for creating filesystems on hard-disk partitions write an empty
filesystem onto them" which is then mounted and filled with files by the users as they
need it. $ writable C* is only writable once so if we wrote an empty filesystem to it" it
would get formatted and remain completely empty foreer. This is also true for re-
writable media as you cannot change arbitrary sectors yetQ you must erase the whole disk.
The tool to create the filesystem is called #kisofs. $ sample usage looks like this#
3 m,iso5s 6r 6o cd"image pri-ate"collection/
Z666666666W Z66666666666666666W
T T
>rite output to ta,e director! as input
The option -r sets the permissions of all files on the C* to be public readable and
enables ;ockridge extensions. Lou probably want to use this option unless you really
know what you)re doing Ahint# without -r the mount point gets the permissions of
priateFcollectionGB.
- 7! -
#kisofs will try to map all filenames to the 8.9 format used by *%& to ensure the highest
possible compatibility. In case of naming conflicts Adifferent files hae the same 8.9
nameB" numbers are used in the filenames and information about the chosen filename is
printed ia &T*D;; Ausually the screenB. *on)t panic# 4nder Linux you will neer see
these odd 8.9 filenames because Linux makes use of the ;ockridge extensions which
contain the original file information Apermissions" filename" etc.B. 4se the option -2 A@&
Roliet extensionsB or use #khy*ri) if you want to generate a more -indows-friendly
C*-;%@. Lou can also use #khy*ri) to create /?& C*-;%@& ;ead the man-page for
details on the arious options.
;easons why the output of #kisofs is not directly sent to the writer deice#
mkisofs knows nothing about driing C*-writersQ
Lou may want to test the image before burning itQ
%n slow machines it would not be reliable.
%ne could also think of creating an extra partition and writing the image to that partition
instead to a file. This is possible" but has a few drawbacks. If you write to the wrong
partition due to a typo" you could lose your complete Linux system. ?urthermore" it is a
waste of disk space because the C*-image is temporary data that can be deleted after
writing the C*. /oweer" using raw partitions saes you the time of deleting :5. @( of
files.
"est the C4@i#age
Linux has the ability to mount files as if they were disk partitions. This feature is useful
to check that the directory layout and file-access permissions of the C* image matches
your wishes. $lthough media is ery cheap today" the writing process is still time
consuming" and you may at least want to sae some time by doing a +uick test.
To mount the file cdFimage created aboe on the directory /cdrom" gie the command
3 mount 6t iso&66$ 6o roOloopB/de-/loop$ cd"image /cdrom
3ow you can inspect the files under /cdrom -- they appear exactly as they were on a real
C*. To unmount the C*-image" 'ust say u#ount /cdrom.
;rite the C4@i#age to a C4
The command c)recor) is used to write images to a &C&I C*-burner. 3on-&C&I writers
re+uire compatibility driers" which make them appear as if they were real &C&I deices.
?or a short explanation see the section called JConfiguring I*D C* burnersK
(efore showing you the last command" a warning that C*-writers want to be fed a
constant stream of data. &o" the process of writing the image to the C* must not be
- 72 -
interrupted or a corrupt C* will result. It)s easy to interrupt the data stream by deleting a
ery large file. Dxample# if you delete an old C*-image of :5. @b" the kernel must
update its information on :5."... blocks of the hard disk Aassuming you hae a block
si,e of ! 0b for your filesystemB. That takes some time and is ery likely to slow down
disk actiity long enough for the data stream to pause for a few seconds. /oweer"
reading mail" browsing the web" or een compiling a kernel generally will not affect the
writing process on modern machines.
Please note that no writer can re-position its laser and continue at the original spot on the
C* when it gets disturbed. Therefore any strong ibrations or other mechanical shocks
will probably destroy the C* you are writing.
3ow" find the &C&I-(4&" -I* and -L43 number with c)recor) @scan*us and use these
to write the C*#
s2ellA SDSI"=SB$ +
s2ellA SDSI"IDB6 + ta,en 5rom cdrecord 6scanbus
s2ellA SDSI"MHB$ +
s2ellA cdrecord 6- speedB2 de-B3SDSI"=SO3SDSI"IDO3SDSI"MH /
6data cd"image
+ same as abo-eO but s2orter.
s2ellA cdrecord 6- speedB2 de-B$O6O$ 6data cd"image
?or better readability" the coordinates of the writer are stored in three enironment
ariables with natural names# SDSI"=S" SDSI"ID" SDSI"MH.
If you use cdrecord to oerwrite a C*-;-" you must add the option blan,B... to erase
the old content. Please read the man page to learn more about the arious methods of
clearing the C*-;-.
If the machine is fast enough" you can feed the output of mkisofs directly into cdrecord#
s2ellA IMJ"SI<:BZm,iso5s 61 6S 6print6size pri-ate"collection/
2A[# /
T sed 6e 9s/.E B //9Z
s2ellA ec2o 3IMJ"SI<:
s2ellA ) 9$3IMJ"SI<:9 6ne $ * [[ m,iso5s 6r
pri-ate"collection/ /
T cdrecord speedB2 de-B$O6O$ tsizeB3UIMJ"SI<:Vs 6data 6
+ donWt 5orget t2e s 66\ \66 read
data 5rom SLDIH
The first command is an empty run to determine the si,e of the image Ayou need the
#kisofs from the c)recor) distribution for this to workB. Lou need to specify all
- 79 -
parameters you will use on the final run Ae.g. -2 or -+fsB. If your writer does not need to
know the si,e of the image to be written" you can leae this dry run out. The printed si,e
must be passed as a tsi,e-parameter to c)recor) Ait is stored in the enironment ariable
IMJ"SI<:B. The second command is a se+uence of #kisofs and c)recor)" coupled ia a
pipe.
0aking a copy of a )ata C4
It is possible to make a !#! copy of a data C*. (ut you should be aware of the fact that
any errors while reading the original Adue to dust or scratchesB will result in a defectie
copy. Please note that both methods will fail on audio C*sG
?irst case# you hae a C*-writer and a separate C*-;%@ drie. (y issuing the command
cdrecord 6- de-B$O6O$ speedB2 6isosize /de-/scd$
you read the data stream from the C*-;%@ drie attached as /de-/scd$ and write it
directly to the C*-writer.
&econd case# you don)t hae a separate C*-;%@ drie. In this case you hae to use the
C*-writer to read out the C*-;%@ first#
dd i5B/de-/scd$ o5Bcdimage
This command reads the content of the C*-;%@ from the deice /de-/scd$ and writes
it into the file cdimage. The content of this file is e+uialent to what #kisofs produces"
so you can proceed as described earlier in this document Awhich is to take the file
cdimage as input for c)recor)B.
- 72 -
Chapter $. Har)ware (2.2$!
This ob'ectie has a weight of 8 points and contains the following ob'ecties#
%b'ectie 2.2.2.!Q Configuring ;$I* A2 pointsB
Candidates should be able to configure and implement software ;$I*. This
ob'ectie includes using and configuring ;$I* ." ! and 5.
%b'ectie 2.2.2.2Q $dding 3ew /ardware A9 pointsB
Candidates should be able to configure internal and external deices for a system
including new hard disks" dumb terminal deices" serial 4P& deices" multi-port
serial cards" and LC* panels.
%b'ectie 2.2.2.9Q &oftware $nd 0ernel Configuration A2 pointsB
Candidates should be able to configure kernel options to support arious dries.
This ob'ectie includes using LC@ ALogical Colume @anagerB to manage hard
disk dries and partitions" as well as software tools to iew and modify hard disk
settings.
%b'ectie 2.2.2.2Q Configuring PC@CI$ *eices A9 pointsB
Candidates should be able to configure a Linux installation to include support for
mobile computer hardware extensions. This ob'ectie includes configuring those
deices.
- 75 -
Configuring 2134 (2.2$.1!
Candidates should be able to configure and implement software ;$I*. This ob'ectie
includes using and configuring ;$I* ." !" and 5.
#krai)
/etc/raidtab
#)a)#
mdadm.con5
%hat is !/ID'
;$I* stands for J;edundant $rray of Inexpensie *isksK
W!X
.
The basic idea behind ;$I* is to combine multiple small" inexpensie disk dries into an
array which yields performance exceeding that of one large and expensie drie. This
array of dries will appear to the computer as a single logical storage unit or drie.
;$I* is a method by which information is spread across seeral disks" using techni+ues
such as disk striping A;$I* Leel .B and disk mirroring A;$I* leel !B to achiee
redundancy" lower latency and=or higher bandwidth for reading and=or writing to disk"
and maximi,e recoerability from hard-disk crashes.
The underlying concept in ;$I* is that data may be distributed across each drie in the
array in a consistent manner. To do this" the data much first be broken into consistently-
si,ed chunks Aoften 920 or :20 in si,e" although different si,es can be usedB. Dach chunk
is then written to each drie in turn. -hen the data is to be read" the process is reersed"
giing the illusion that multiple dries are actually one large drie. Primary reasons to
use ;$I* include#
enhanced speed
increased storage capacity
greater efficiency in recoering from a disk failure
!/ID levels
There are a number of different ways to configure a ;$I* subsystem -- some maximi,e
performance" others maximi,e aailability" while others proide a mixture of both#
o ;$I*-. AstripingB
o ;$I*-! AmirroringB
o ;$I*-2=5
o Linear mode
- 7: -
Le+el . ;$I* leel ." often called JstripingK" is a performance-oriented striped data
mapping techni+ue. This means the data being written to the array is broken down into
strips and written across the member disks of the array. This allows high I=% performance
at low inherent cost but proides no redundancy. &torage capacity of the array is e+ual to
the total capacity of the member disks.
Le+el 1. ;$I* leel !" or JmirroringK" has been used longer than any other form of
;$I*. Leel ! proides redundancy by writing identical data to each member disk of the
array" leaing a mirrored copy on each disk. @irroring remains popular due to its
simplicity and high leel of data aailability. Leel ! operates with two or more disks that
may use parallel access for high data-transfer rates when reading" but more commonly
operate independently to proide high I=% transaction rates. Leel ! proides ery good
data reliability and improes performance for read-intensie applications but at a
relatiely high cost. $rray capacity is e+ual to the capacity of one member disk.
Le+el $. ;$I* leel 2 uses parity concentrated on a single disk drie to protect data. It)s
better suited to transaction I=% rather than large file transfers. (ecause the dedicated
parity disk represents an inherent bottleneck" leel 2 is seldom used without
accompanying technologies such as write-back caching. $rray capacity is e+ual to the
capacity of member disks" minus the capacity of one member disk.
Le+el ,. The most common type of ;$I* is leel 5 ;$I*. (y distributing parity across
some or all of the member disk dries of an array" ;$I* leel 5 eliminates the write
bottleneck inherent in leel 2. The only bottleneck is the parity calculation process. -ith
modern CP4s and software ;$I*" that isn)t a ery big bottleneck. $s with leel 2" the
result is asymmetrical performance" with reads substantially outperforming writes. Leel
5 is often used with write-back caching to reduce the asymmetry. $rray capacity is e+ual
to the capacity of member disks" minus capacity of one member disk.
Linear 2134. Linear ;$I* is a simple grouping of dries to create a larger irtual
drie. In linear ;$I*" the chunks are allocated se+uentially from one member drie"
going to the next drie only when the first is completely filled. This grouping proides no
performance benefit" as it is unlikely that any I=% operations will be split between
member dries. Linear ;$I* also offers no redundancy" and in fact decreases reliability
-- if any one member drie fails" the entire array cannot be used. The capacity is the total
of all member disks.
;$I* can be implemented either in hard#are or in soft#areQ both scenarios are
explained below.
)ardare !/ID
The hardware-based system manages the ;$I* subsystem independently from the host
and presents to the host only a single disk per ;$I* array.
- 77 -
$ typical hardware ;$I* deice might connect to a &C&I controller and present the
;$I* arrays as a single &C&I drie. $n external ;$I* system moes all ;$I* handling
intelligence into a controller located in the external disk subsystem.
;$I* controllers also come in the form of cards that act like a &C&I controller to the
operating system" but handle all of the actual drie communications themseles. In these
cases" you plug the dries into the ;$I* controller 'ust as you would a &C&I controller"
but then you add them to the ;$I* controller)s configuration" and the operating system
neer knows the difference.
+oftare !/ID
&oftware ;$I* implements the arious ;$I* leels in the kernel disk Ablock deiceB
code. It also offers the cheapest possible solution# Dxpensie disk controller cards or hot-
swap chassis are not re+uired" and software ;$I* works with cheaper I*D disks as well
as &C&I disks. -ith today)s fast CP4s" software ;$I* performance can excel against
hardware ;$I*.
&oftware ;$I* allows you to dramatically increase Linux disk I% performance and
reliability without buying expensie hardware ;$I* controllers or enclosures. The @*
drier in the Linux kernel is an example of a ;$I* solution that is completely hardware
independent. The performance of a software-based array is dependent on the serer CP4
performance and load.
The concept behind &oftware ;$I* is simple -- it allows you to combine two or more
block deices Ausually disk partitionsB into a single ;$I* deice. &o if you hae three
empty partitions Afor example# 2da%" 2db%" and 2dc%B" using &oftware ;$I*" you can
combine these partitions and address them as a single ;$I* deice" /de-/md$. /de-/md$
can then be formatted to contain a filesystem and used like any other partition.
Configuring !/ID ,using mkraid and raidstart.
&etting up ;$I* Ain softwareB re+uires only two files to be set up under Linux#
/etc/raidtab and /etc/rc.d/rc.local Aor e+uialentB. The Linux kernel proides a
special drier" /de-/md$" to access separate disk partitions as a logical ;$I* unit. These
partitions under ;$I* do not actually need to be different disks" but in order to eliminate
risks it is better to use different disks.
?ollow these steps to set up ;$I* in Linux#
!. initiali,e the partitions to be used under ;$I*
2. configure the ;$I* drie
9. automate ;$I* actiation
2. mount the filesystem on the ;$I* drie
Dach of these steps is now described in detail#
- 78 -
3nitiali&e partitions to *e use) in the 2134 setup. Create partitions using any disk
partitioning tool.
Configure the )ri+er. To configure the drier" you need to create or edit a configuration
file. (y default this is the file /etc/raidtab" but #krai) can be told to use another file.
In the configuration file you can specify the ;$I*-leel to use" which partitions=dries to
use" the deice-name for the ;$I* drie and more. In the next section A=etc=raidtabB we
will offer an example configuration file.
3nitiali&e 2134 )ri+e. /ere)s an example of the se+uence of commands needed to
create and format a ;$I* drie AmkraidB#
!. initiate A/de-/md$B ;$I* drie# #krai) B)e+B#)
2. create a filesystem using #kfs
1uto#ate 2134 acti+ation after re*oot. ;un rai)start in one of the startup files Ae.g.
/etc/rc.d/rc.local or /etc/init.d/rcSB before mounting the filesystem at boot time
using the following command# rai)start /dev/md0
#ount the filesyste# on the 2134 )ri+e. Ddit /etc/5stab to automatically mount the
filesystem on the ;$I* drie" or mount the filesystem manually after AmanuallyB issuing
the rai)start command.
mkraid
#krai) sets up a set of block deices into a single ;$I* array. It looks in its
configuration file for the md deices mentioned on the command line" and initiali,es those
arrays. #krai) works for all types of ;$I* arrays A;$I*!" ;$I*2" ;$I*5" LI3D$;
and ;$I*.B. 3ote that initiali,ing ;$I* deices destroys all of the data on the
constituent deices.
#krai) uses the file /etc/raidtab by default as its configuration file.
Persistent superblocks
(y default the ;$I* configuration is stored in a file Ai.e. /etc/raidtabB. To read a file"
it must be in a mounted filesystem. To mount a filesystem" the kernel must be able to
recogni,e the disk. &o initially" you could not boot from a ;$I* array. To sole this
problem" you can actiate auto detection in your kernel and configure #krai) so it will
write persistent superblocks.
The persistent superblock is a small disk area that contains information about the ;$I*
deice. It is allocated at the end of each ;$I* deice and helps the kernel to safely detect
;$I* deices - een if disks were moed between &C&I controllers. -hen a persistent
superblock is found and the current setup does not match the administration found in
there" the kernel will either correctly reorder disks" or will refuse to start up the array.
- 7< -
Dery member of the array contains a copy of this superblock. &ince this superblock
carries all information necessary to start up the whole array" the array can be constructed
and started if the members of that array are auto detected by the kernel. ?or auto
detection to work this way" all the JmemberK ;$I* partitions should be marked type
$x5d ALinux ;$I* auto detectB e.g. by using f)isk. Lour kernel should be configured to
enable it to read persistent superblocks.
%n a system that uses persistent superblocks the ;$I* configuration can be constructed
een if the filesystem that contains /etc/raidtab was not mounted yet. (e aware# the
file /etc/raidtab will not become superfluous - it is needed to be able to change and=or
rebuild your configuration.
/etc/raidtab
Carious Linux ;$I* tools use the default configuration file" /etc/raidtab.
/etc/raidtab has multiple sections" one for each md deice which is being configured.
Dach section begins with the raidde- keyword.
Note
The order of items in the file is important.
Later raidde- entries can use earlier ones" and the parsing code isn)t oerly bright" so be
sure to follow the ordering specified in the raidtab manpage for best results.
/ere)s a sample configuration file#
+
+ sample raidde- con5iguration 5ile
+
raidde- /de-/md$
raid6le-el $
nr6raid6dis,s 2 + Speci5ied belo>
persistent6superbloc, $
c2un,6size '
+ de-ice +#.
+
de-ice /de-/2da#
raid6dis, $
+ de-ice +2.
+
de-ice /de-/2db#
raid6dis, #
+ ; ne> section al>a!s starts >it2 t2e
+ ,e!>ord Wraidde-W

raidde- /de-/md#
- 8. -
raid6le-el (
nr6raid6dis,s % + Speci5ied belo>
nr6spare6dis,s # + Speci5ied belo>
persistent6superbloc, #
parit!6algorit2m le5t6s!mmetric
+ De-ices to use in t2e 1;ID arra!.
+
de-ice /de-/sda#
raid6dis, $
de-ice /de-/sdb#
raid6dis, #
de-ice /de-/sdc#
raid6dis, 2
+ L2e spare dis,.
de-ice /de-/sdd#
spare6dis, $
Configuring !/ID using mdadm
The steps taken in using #)a)# for ;$I* configuration" setup and actiation are
basically the same as with #krai) and rai)start. -ith #)a)# howeer all actions are
being handled by 'ust one utility and #)a)# doesn)t necessarily need a configuration
file. ;ead the mdadm manpage and mdadm.conf manpages for more information about
mdadm" especially about create and assemble modes.
1))ing 5ew Har)ware (2.2$.2!
Candidates should be able to configure internal and external deices for a system
including new hard disks" dumb terminal deices" serial 4P& deices" multi-port serial
card" and LC* panels.
KIree'6
modprobe
lsmod
lsde-
lspci
setserial
usb-ie>
/proc/bus/usb
$us structures
@ost Linux installations run on PC hardware. The PC architecture currently supports a
number of bus-systems that allow easy extension of hardware by plugging cards into a
bus slot. Currently A2..!B the PCI bus is the most widely used bus. @any newer
motherboards only support PCI. %n older" but fairly recent systems" often a combination
- 8! -
of PCI and I&$ slots is used" simply because there were many I&$ cards aailable on the
market. &ee the next section for an oeriew of AformerlyB commonly used PC bus
structures.
"he #ain PC *us@syste#s
I&$
!: or 8bit" cheap" slow Ausually 8@/,B" standard" many cards aailable" but not
many new motherboards are shipped with I&$ anymoreQ
DI&$
92bit" expensie" fast" few cards aailable" but almost obsolete.
@C$
92 or !:bit ex-I(@-proprietary" fast" obsolete=rare.
CD&$-Local-(us
92bit" based on 28: architecture" cheap" fast" many cards aailable" obsolete.
PCI-Local-(us
92bit A:2 bit comingB" cheap" fast" many cards aailable" the de facto standard
-e will focus on PCI" the current standard. PCI Alike DI&$B is not proprietary. It is faster
than DI&$ or @C$" and cheaper. PCI is also aailable on other than PC hardware" e.g.
*DC $lpha and PowerPC. PCI is not processor dependent. This means you can use the a
PCI card in an $lpha-drien-PCI computer as well as in a Pentium-drien PCI computer"
gien the appropriate (I%& and software. PCI will deelop into a :2-bit ersion and
other more enhanced ersions.
Plug an) play
The term JPlug and PlayK is often used for systems that match up deices with their
deice driers and specifies their communication channels AI;H"*@$"I=%B. %n the I&$
bus" before Plug-and-Play" the bus-resources were set in hardware deices by 'umpers.
&oftware driers were assigned bus-resources by configuration files Aor the likeB or by
probing for a deice at pre-determined addresses. The PCI bus was PnP-like from the
beginning so it was triial to implement PnP for this bus. &ince the PCI bus specifications
don)t use the term JPnPK it)s not clear whether or not the PCI bus should be called PnP
Abut it supports in hardware what today is called PnPB.
- 82 -
Huerying your PCI bus
%n Linux systems you can use lspci to get a rundown of your PCI bus. $s a normal user"
you may hae to type Bs*inBlspci. In newer kernels Aas of 2.!.82B lspci can be run as
either root or any other user. lspci reads the /proc/bus/pci interface. The PCI I*
database Ae.g. /usr/s2are/pci.idsB is used to translate PCI endor and deice codes to
readable strings.
"a*le $.1. Co##only use) lspci para#eters
-n
shows PCI endor and deice codes as numbers instead of looking them up in the
PCI I* database
-t
shows a tree-like diagram of the buses" bridges" deices and connections between
them
-3
inokes busmapping mode. This will find all deices" een those that are behind
misconfigured bridges" etc. This is intended for debugging only" and can crash the
machine. It is only aailable to root.
-v
erbose mode" gies detailed information about the bus and deices. 4se -vv for
een more details.
$ sample output of lspci on a laptop follows#
$$.$$.$ Yost bridge. Intel Dorporation 44$=K/<K 6 '244%=K/<K Yost
bridge (;JF disabled) (re- $%)
$$.$4.$ PJ; compatible controller. Heomagic Dorporation )MagicJrap2
2(6;P* (re- #2)
$$.$(.$ =ridge. Intel Dorporation '2%0#;= FIIK4 IS; (re- $2)
$$.$(.# ID: inter5ace. Intel Dorporation '2%0#;= FIIK4 ID: (re- $#)
$$.$(.2 S= Dontroller. Intel Dorporation '2%0#;= FIIK4 S= (re- $#)
$$.$(.% =ridge. Intel Dorporation '2%0#;= FIIK4 ;DFI (re- $2)
$$.$&.$ Dommunication controller. Los2iba ;merica In5o S!stems II1 Fort
(re- 2%)
To see the interconnection between the buses" bridges and connections between them"
often the command lspci @+t is used" e.g.
6)$$*6X6$$.$ Intel Dorporation 44$=K/<K 6 '244%=K/<K Yost bridge (;JF
disabled)
X6$4.$ Heomagic Dorporation )MagicJrap2 2(6;P*
X6$(.$ Intel Dorporation '2%0#;= FIIK4 IS;
X6$(.# Intel Dorporation '2%0#;= FIIK4 ID:
X6$(.2 Intel Dorporation '2%0#;= FIIK4 S=
X6$(.% Intel Dorporation '2%0#;= FIIK4 ;DFI
/6$&.$ Los2iba ;merica In5o S!stems II1 Fort
In our example one PCI bus is present A$$B" on which 2 deices are present A$$" $4" $(
and $&B and deice 5 has 2 functions A$(.$..$(.%B.
PI latency timers
- 89 -
%ne of the things listed by the lspci command is the latency timer alue. The latency
timer can influence the performance of your PCI deices significantly. To influence the
behaior of the PCI bus and deices" you can use the command setpci. %ne of the
settings this command can perform is the PCI bus latency timer.
The PCI bus latency timer can range from ,ero to 228. If a deice has a setting of ,ero"
then it will immediately gie up the bus if another deice needs to transmit. If a deice
has a high latency setting" it will continue to use the bus for a longer period of time
before stopping" while the other deice waits for its turn.
If all of your deices hae relatiely high PCI bus latency timer settings and a lot of data
is being sent oer the bus" then your PCI cards are generally going to hae to wait longer
before they gain control of the bus" but are able to burst a lot of data across it before
giing up the bus to another deice. %n the other hand" if all your PCI deices hae low
PCI-bus latency settings" then they)re going to gladly gie up the bus if another card
needs to transmit data. This results in a much lower data-transmit latency" since no deice
is going to hold on to the bus for an extended period of time" causing other deices to
wait.
Low PCI-bus latency timer settings reduce the effectie PCI bus bandwidth when two or
more PCI deices are operating simultaneously" because large data bursts become much
less fre+uent and control of the bus changes rapidly" increasing oerhead.
onfiguring PI devices
(efore you buy any PCI card" you may want to read the PCI /%-T% and the /ardware
/%-T% to find out which cards are supported under Linux.
To add a PCI card to your system" you start by physically adding the PCI card. -hen you
reboot your system" the (I%& should automatically detect the card.
Communication between the card and the kernel is done ia the deice drier for your
card. Dither you compile the drier into your kernel" or you compile it as a module which
can be loaded using ins#o) or #o)pro*e.
The documentation for your deice drier will specify which parameters must be
specified Aif anyB to the drier. Configuration of the deice drier can be done either by
specifying its parameters to the kernel Alilo" /etc/lilo.con5B or by adding them to the
proper options line in /etc/con5.modules.
U+$ devices
$s we saw in the example" our PCI bus contained a deice called J4&( controllerK. The
4&( A4niersal &erial (usB is a special serial deice that can be used to connect
peripherals of all sorts to your computer. 4&( can be seen as a hot-pluggable auto
- 82 -
detecting bus# you can actiely add or remoe deices to and from the bus and the type of
deice is automatically detected. Linux supports a growing number of 4&( deices.
To find out which 4&( deices are currently connected to your system you use the
command us*+iew. It is explicitly listed in the exam ob'ecties. This command proides
a graphical display of the deices=hubs connected to the system. /oweer" us*+iew
depends on P and the 6T0 toolkit and is not always aailable on all 4&( aware
distributions. $n alternate way to obtain information about your 4&( deices is to
inspect the contents of the 4&( filesystem.
The 4&(-deice filesystem is a dynamically generated filesystem. %n most Linux
distributions that support 4&(" it is automatically mounted on startup. It can be mounted
almost eerywhere" but the most common location is /proc/bus/usb.
To mount it Jby handK" use#
mount 6t usbde-5s none /proc/bus/usb

The 4&( deice filesystem contains directories th at correspond with each 4&( bus.
These directories are named $$#" $$2 etc. In addition to these" there are two generated
files - the dri-ers and de-ices files.
/proc/bus/usb/dri-ers 'ust lists the currently registered driers Aeen if the drier is
not being used by any deiceB. This is most useful when testing module installation" and
checking for 4&( support in an unknown kernel.
/proc/bus/usb/de-ices lists information about the deices currently attached to the
4&( bus.
L. =usB$$ Me-B$$ FrntB$$ FortB$$ DntB$$ De-+B # SpdB#2 MxD2B 2
=. ;llocB 2'/&$$ us ( %])O +IntB 2O +IsoB $
D. PerB #.$$ DlsB$&(2ub ) SubB$$ FrotB$$ MxFSB ' +D5gsB #
F. PendorB$$$$ FrodIDB$$$$ 1e-B $.$$

D.E +I5sB # D5g+B # ;trB4$ MxF>rB $m;
I. I5+B $ ;ltB $ +:FsB # DlsB$&(2ub ) SubB$$ FrotB$$ Dri-erB2ub
:. ;dB'#(I) ;trB$%(Int.) MxFSB ' I-lB2((ms
L. =usB$$ Me-B$# FrntB$# FortB$# DntB$# De-+B 2 SpdB#2 MxD2B 4
D. PerB #.$$ DlsB$&(2ub ) SubB$$ FrotB$$ MxFSB ' +D5gsB #
F. PendorB$4(# FrodIDB#446 1e-B #.$$

D.E +I5sB # D5g+B # ;trBe$ MxF>rB#$$m;
I. I5+B $ ;ltB $ +:FsB # DlsB$&(2ub ) SubB$$ FrotB$$ Dri-erB2ub
:. ;dB'#(I) ;trB$%(Int.) MxFSB # I-lB2((ms
L. =usB$$ Me-B$2 FrntB$2 FortB$$ DntB$# De-+B % SpdB#2 MxD2B $
D. PerB #.$$ DlsB$$(Ai5c ) SubB$$ FrotB$$ MxFSB ' +D5gsB #
F. PendorB$((% FrodIDB$$$2 1e-B #.$$
- 85 -
The information in the /proc/bus/usb/de-ices output is arranged in groups. The lines
starting with T: specify the 4&( topology. Lines that start with : specify information
from the deice descriptor. Lines starting with !: contain information about the deice
descriptor" 'ust like the : lines. They are separated mainly because the information
wouldn)t all fit on one line. The lines that start with ":" if any" are the endor and product
strings that the deice returned. The line that starts with #: gie information from the
configuration descriptor. The line that starts with $: is information from the interface
descriptor. The line that starts with %: is information from the endpoint descriptor.
Configuring 9(7 )e+ices
-ith the release of the 2.2 kernel" Linux users gained serious 4&( support for a wide
range of deices. The Linux 4&( subsystem" integrated in the kernel and supported by
most Linux distributions" supports all necessary features like plug-and-play" 4&(
bandwith allocation and more than !.. ports per bus.
Linux supports both the 4niersal /ost Controller Interface A4/CI" used by Intel and
Cia motherboard chipsetsB and the %pen /ost Controller Interface A%/CI" used by
Compa+" $pple" &i&" %PTi" Lucent and $Li chipsetsB" making 4&( support aailable to
anyone with a modern motherboard" or with a spare PCI or PcCard slot aailable to add
in a cheap 4&( host controller board. Linux also supports 4&( hubs" which proide
expansion for additional deices.
Linux 2.2 proides 4&( support for deices conforming to the 4&( /uman Interface
*eice class" which includes 4&( keyboards" 4&( mice and touchpads" 4&( 'oysticks
and 4&( graphics tablets. These deices appear to the computer as normal keyboards"
mice and 'oysticks. This means that applications do not need to be updated to use the new
kernel capabilities. In addition" the deices can also appear on a new JeentK interface"
which allows customi,ed applications to take adantage of the additional capabilities
offered by 4&( deices.
Configuring a new type of 4&( deice usually re+uires either rebuilding the kernel or
loading additional modules. 3ext" you)ll need to create deice nodes to enable
communication between kernel and user programs A#kno)B. $fter that" the interface
between kernel and userspace will be aailable in the form of deice-files.
$dditionally you)ll need to configure your applications to make them aware of the newly
created deices. D.g. to enable the use of 4&(- mice and -keyboards in an P
enironment" you will probably need to change sections in the KI'6con5ig file. To
enable the use of 4&(-printers you probably will need to add an entry in
/etc/printcap" etc.
+erial devices
The setserial command can be used to detect the configuration of your serial deices.
4sing the command
- 8: -
setserial /de-/tt!S$

will gie you the the port type Ai.e." 825." !:25." !:55." !:55.$" etc.B" the hardware I=%
port" the hardware I;H line" its Jbaud baseK and some of its operational flags.
0ultiport *oar)s
Typical PC hardware comes with one or two serial ports. -hen you need to connect a
larger number of serial deices" e.g. to monitor ranges of other computers or to steer
industrial controllers" you can install a multiport adaptor" also known as multiport board
or multiport card. These are plugged into your PCI or I&$ bus and often hae their own
processing and buffering logic to ease the burden on your processor. Dach multiport card
has a number of external connecters A< or 25 pin *-connectors or ;R25 JtelephoneK
connectorsB. The smaller boards often hae their connectors mounted directly on the
board. If larger numbers of serial ports are supported" the connectors may be on the
cables which come off AexternallyB the card Aoctopus cableB" or can be on an external box
Apossibly rack mountableB which is connected by a cable to a multiport card.
Linux will need a device driver to work with multiport boards. There are many types of
multiport boards" some of which work in Linux" others are not. /oweer" often someone
has figured out how to make them work or wrote a drier for them. %ften" the drier is
implemented as a kernel-module that needs to be AautomaticallyB loaded. $s usual"
certain parameters may need to be passed to the drier ia lilo)s appen) command or ia
/etc/modules.con5B. The manufacturer of the board should hae info on their web-site
and you can try kernel documentation" discussion groups and mailing list archies to
obtain more information. There are kernel documentation files for Computone" /ayes-
D&P" @oxa-smartio" ;iscom8" &pecialix" &tallion and &P A&pecialixB boards.
Configuring serial )e+ices
setserial
*uring the normal boot process" only C%@ ports !-2 are initiali,ed using default I=%
ports and I;H alues. In order to initiali,e any additional serial ports" or to change the
C%@ !-2 ports to a non-standard configuration" the setserial program should be used.
setserial was created to configure the serial drier at runtime. The setserial command is
most commonly executed at boot time from one of the bootscripts Ae.g. $setserial or
rc.serialB This script is charged with the responsibility of initiali,ing the serial drier
to accommodate any nonstandard or unusual serial hardware in the machine.
The general syntax for the setserial command is#
setserial de-ice )parameters*

- 87 -
in which the deice is one of the serial deices" such as tt!S$.
"a*le $.2. Co##only use) setserial para#eters
port
0portnumber1
&pecify the I=% port address in hexadecimal notation" e.g. $x25'
ir4 0ir4num1
specify which I;H line the serial deice is using
uart 0type1
specify the 4$;T type" e.g. #6(($" #64($ or none Awhich disables the
serial deiceB
autoir4
specify that the kernel should try to figure out the I;H itself. 3ot
always reliable.
s'ip_test
specify that the kernel should not bother with the 4$;T type test
during auto configuration Aneeded when the kernel has problems
detecting the correct 4$;TB
autoconfig
instructs the kernel to attempt to automatically determine the 4$;T
type located at the supplied port
po#erd
power) is a daemon process that sits in the background and monitors the state of an
4ninterruptible Power &upply A4P&B. Information comes to power) from the status
signals of a serial line" from a remote host or from a fifo.
Configuring disks
To install a new disk in your system" you need to physically install the hard drie and
configure it in your computers (I%&. Linux will detect the new drie automatically in
most cases. Lou could type )#esg L #ore to find out what the drie is called. The second
I*D drie in your system will be named /de-/2db. -e will assume that the new drie is
/de-/2db.
Lou must now partition your new disk. $s root in a shell type#
5dis, /de-/2db

This will take you to a prompt that says Dommand (m 5or 2elp).. $t the prompt" type p
to display the existing partitions. If you hae partitions that you need to delete" type d"
then at the prompt" type the number of the partition that you wish to delete. 3ext" type n
to create the new partition. Type & Aassuming that this will be the first partition on the
new drieB" and hit enter. Then you will be prompted for the cylinder that you want to
start with on the drie. 3ext" you will be asked for the ending cylinder for the partition.
;epeat these steps until all partitions are created.
To put a clean filesystem on the first partition of your newly partitioned drie" type#
- 88 -
m,5s /de-/2db#

;epeat this step for all partitions. Lou can use the -t parameter to define the filesystem
type to build" e.g. ext2" ext%" x5s" minix etc.
Lou will now need to decide the mount point for each new partition on your drie. -e
will assume /data. Type#
m,dir /ne>

to create the mount point for your drie. 3ow you will need to edit /etc/5stab. Lou will
want to make an entry at the end of the file similar to this#
/de-/2db# /ne> ext2 de5aults # #

$fter you hae created a similar entry for each partition" write the file.
mount 6a

will mount the partitions in the directory that you specified in /etc/5stab.
Configuring output devices
Configuring C2" )e+ices
%n the hardware side you need to configure your graphic s card and hook-up your
monitor. 3ext" you need to configure the P-serer.
The standard P-serer for Linux is P?ree8:. $s of this writing both ersion 9 and 2 are
widely in use. Check the P?ree8: documentation to determine whether or not your
chipset is supported. The suggested setup for P?ree8: under Linux is a 28: or better with
at least 8 megabytes of ;$@" and a ideo card with a supported chipset. ?or optimal
performance" you can use an accelerated card such as an &9-chipset card.
Lou can determine what type of chipset your ideo card uses by reading the card)s
documentation or asking the manufacturer for it. $nother way to determine your chipset
is by running the (uperPro*e program included with the P?ree8: distribution.
Configuring P?ree8: to use your mouse" keyboard" monitor and ideo card correctly
used to be something of a black art" re+uiring extensie hand-hacking of a complex
configuration file.
- 8< -
P?ree8: release 9 and later simplified this process by proiding a program named
M-'%(etup. This program depends on the fact that all new PC hardware these days ships
with D6$=C6$ capable monitors. It inokes the C6$!: serer and uses it to bring up P
in a lowest-common-denominator :2.x28. mode. Then it runs an interactie program
that walks you through a series of fie configuration panels -- mouse" keyboard" AideoB
card" monitor and miscellaneous serer options. %n ;ed /at Linux" you may see a
different program called xf'%config. This works fairly similarly to M-'%(etup" but does
not itself use an P interface and the C6$!: serer.
-hen the P-serer does not come up properly or you suffer from poor +uality" this is
almost always due to a problem in your configuration file. 4sually" the monitor timing
alues are off" or the ideocard dotclocks are set incorrectly. @inor problems can be
fixed with x+i)tuneQ a really garbled screen usually means you need to go back into
M-'%(etup and choose a less-capable monitor type. If your display seems to roll or the
edges are fu,,y" this is a clear indication that the monitor-timing alues or dot clocks are
wrong. $lso be sure that you are correctly specifying your ideo card chipset" as well as
other options for the *eice section of M-'%Config.
Lou will need to hand-hack your P configuration to get optimal performance if your
monitor can support !:..x!2.. -- the highest canned resolution P?8:&etup supports is
!28.x!.22. If you want to hand-hack your ideo configuration for this or any other
reason" go see the L*P P?ree8: Cideo Timings /%-T%
Configuring LC4 )e+ices
Computers using Li+uid Crystal *isplays are more tricky to set up in P?ree8: than ones
with a normal AC;TB monitor. This is mainly due to the displays themseles# LC*s
basically hae a fixed resolution" although some hae extra hardware built in that can
cope with seeral different resolutions.
The standard serer P?F&C6$ should work in almost all cases. /oweer" it may result
in a poor picture +uality" e.g. due to wrong configuration of the 3odelines class in file /
etc/K##/KI'6Don5ig . The modelines settings define the hori,ontal and ertical refresh
rates of the electron beam in a C;T. $ lot of LC*=T?T displays are compatible and are
able to display a lot of common modelines correctly" howeer" you may need to hack the
ideo configuration for this or some other reason .
(oftware 1n) Kernel Configuration (2.2$.3!
Candidates should be able to configure kernel options to support arious hardware
deices including 4*@$:: dries and I*D C* burners. This ob'ectie includes using
LC@ ALogical Colume @anagerB to manage hard disk dries and partitions as well as
software tools to interact with hard disk settings.
;eision# U;eision# !.!! U AU*ate# 2..2=.9=22 !2#5.#!8 UB
- <. -
2dparm
tune25s
/proc/interrupts
s!sctl
Configuring (ilesystems
The ob'ectie names the tune25s command as one of the key utilities for this ob'ectie.
The filesystem optimi,ing tools are handled in tune2fs.
Configuring kernel options
In the section called J0ernel Components A2.2.!.!BK and on" the process to configure and
debug kernels is described. $dditional kernel options may be configured by patching the
kernel source code. 3ormally the kernel)s tunable parameters are listed in the arious
header files in the source code tree. There is no golden rule to apply here - you need to
read the kernel documentation or may een need to crawl through the kernel-code to find
the information you need. $dditionally" a running kernel can be configured by either
using the /proc filesystem or by using the sysctl command.
9sing the /proc filesyste#
Current kernels also support dynamic setting of kernel parameters. The easiest method to
set kernel parameters is by modifying the /proc filesystem. Lou can used the echo to set
parameters" in the format#
echo 'value' ( /proc/kernel/parameter
e.g. to actiate forwarding#
ec2o # A/proc/s!s/net/ip-4/ip"5or>ard
The changes take effect immediately but are lost during reboot.
The /proc/ filesystem can also be +ueried. To see which interrupts a system uses" for
example you could issue
+ cat /proc/interrupts
which generates output that may look like this#
DF$
$. #6%#%2'4 KL6FID timer
#. %%4((' KL6FID ,e!board
2. $ KL6FID cascade
0. 26(6( KL6FID %c('&"cs
- <! -
'. 2 KL6FID rtc
&. $ KL6FID GFM%6S; (MF4$#)
#$. 4 KL6FID MSS audio codec
##. $ KL6FID usb6u2ci
#2. 0#4%(0 KL6FID FS/2 Mouse
#%. # KL6FID 5pu
#4. #2%'24 KL6FID ide$
#(. 0 KL6FID ide#
HMI. $
9sing sysctl
0ernel tuning can be automated by putting the echo commands in the startup scripts Ae.g.
/etc/rc.d/rc.local. &ome distributions support the sysctl command and on those
systems the initscripts run sysctl @p on startup. This reads the configuration in the default
configuration file A/etc/s!sctl.con5B and sets the tunable parameters accordingly.
Configuring Logical 2olume *anagement
l+# is a logical olume manager for Linux. It enables you to concatenate seeral physical
olumes Ahard disks etc.B to a so-called +olu#e groups" forming a storage pool" much
like a irtual disk. I*D" &C&I disks" as well as" multiple deices A@*B are supported.
In the $&CII art below" the concepts=terminology used by l+# are sketched. %n the right
side the names of the commands are shown that can be used to manipulate=create the
layer sketched on the left.
-igure $.1. LN0 concepts in 1(C33 art
X6666666666666666) Polume Jroup *6666666666666666666X
T T
T X66666666666666666666666666666666666666666666666X T
T T 5iles!stem T 5iles!stem T T m,5s
T X6666666666666666666X666666666666666666666666666X T
T T logical -olume T logical -olume T T l-create
T X6X6X6X6X6X6X6X6X6X6X6X6X6X6X6X6X6X6X6X6X6X6X6X6X T
T T T T T T T T Tp2!sical extends T T T T T T T T T T -gcreate
X6666666666666666666X666666666666666X66666666666X
T p2!sical -olume T T T p-create
X6666666666666666666X666666666666666X66666666666X
T partition T T T 5dis, ($x'e)
X6666666666666666666X666666666666666X66666666666X

The physical media = partitions
a hard disk" or a partition" e.g. /de-/2da" /de-/2da6 or /de-/sda. Lou should
set the partition types of the disk or partition to $x'e" which is JLinux LC@K.
Partitioning is done using f)isk. Please note that your ersion of f)isk may not
yet know this type" so it will be listed as J4nknownK. Lou can turn any
consecutie number of blocks on a block deice into a 'h(sical )olume#
- <2 -
Physical Colume APCB
a physical medium with some administratie data added to it. The command
p+create can be used to add the administration onto the physical medium. The
command +gcreate is used to create a olume group" which consists of one or
more PC)s. $ PC that has been grouped in a olume group contains 'h(sical
*xtents#
Physical Dxtents APDB
Physical Dxtents are blocks of diskspace" often seeral megabytes in si,e. 4sing
the command l+create you can assign PDs to a Logical )olume#
Logical Colume ALCB
$ Logical Colume. %n a logical olume we can use the command #kfs to get a
+iles(stem#
?ilesystem
ext2" 1eiserIS" HRIS" KIS" ÎK" HLIS etc. To the linux kernel" there is no
difference between a regular partition and a Logical Colume. $ simple #ount
suffices to be able to use your logical olume.
&ome examples of typical usage of the LC@ commandset follow. Initially" you need to
set the partition type for the partitions to use to create logical olumes to $x'e. Let)s
assume we hae partitions /de-/2da4 and /de-/2da(" and they are set to the correct
partitioning type. To create a physical olume on both partitions Ai.e. to set up the olume
group descriptorB you type Abeing the superuserB#
+ p-create /de-/2da4 /de-/2da(
3ow we hae created two physical olumes. 3ext" we will create a olume group. $
olume group needs to hae a name Awe choose -olume$#B. To create our olume group"
using our preiously defined physical olumes" type#
+ -gcreate -olume$# /de-/2da( /de-/2da4
The preious command line is the most basic form Arefer to the manual pages for a list of
configurable parametersB. This will create an array of physical extents" by default they are
2 @b in si,e. 4sing these extents we can create one or more logical olumes" e.g#
+ l-create 6M #$$M -olume$#
.. this creates a logical olume with a default name choosen by l+create and starts with
the string l-ol followed by a digit -- let)s assume l-ol$. The logical olume will be
created using the olumegroup -olume$#. The name of the deicefile for this olume will
- <9 -
be /de-/-olume$#/l-ol$. 3ext" we can make a filesystem on the olumegroup" as
usual" using #kfs" e.g. an x5s filesystem#
+ m,5s 6tx5s /de-/-olgroup/-olname
The resulting filesystem can be mounted as usual#
+ mount /de-/-olgroup/-olname /mnt
%ne of the nicest features of LC@ is the possibility of taking snapshots of olumes. $
snapshot is a irtual copy of the olume to enable easy backups. $nother interesting
feature is striping" which can result in better performance" but also in a higher risk of
losing your data.
Configuring ID3 CD burners
@ost newer C* burners will work with Linux. If the &C&I-ersion of a particular writer
works" the I*D=$T$PI-ersion will most likely work too and ice ersa. 3ote" howeer"
that I*D=$T$PI writers and writers that use the parallel port re+uire compatibility
driers" which make them appear as if they were real &C&I deices AVeerything is
&C&IVB.
In newer Linux kernels Alater than 2.:B" &C&I-emulation is not needed anymore.
To use I*D burners" you need to actiate both I*D and &C&I support in your kernel" and
a number of other modules" as listed below#
Description Modulename
66666666666666666666666666 6666666666
:n2anced ID:/MIM/1MM... N
ID:/;L;FI DD1GM ide6cd M
SDSI 2ostadaptor emulation ide6scsi M
Moopbac, de-ice loop M
SDSI support scsi"mod N/M
SDSI DD61GM support sr"mod N/M
SDSI generic support sg N/M
ISG &66$ DD1GM 5iles!stem iso&66$ N
Microso5t ôliet cdrom... 7oliet M/N
66666666666666666666666666 6666666666
To use your I*D burner" the modules need to be loaded. This can be done automatically
ia the kernel)=k#o) daemons" or you need to insert the modules by hand" using
ins#o) or #o)pro*e. Lou might add the following lines to /etc/con5.modules#

alias scd$ sr"mod + load sr"mod upon access o5 scd$
alias scsi"2ostadaptor ide6scsi + SDSI 2ost adaptor emulation
options ide6cd ignoreB2db + i5 /de-/2db is !our DD6>riter
- <2 -
These aliases proide alternate names for the same module and are not essential" but
conenient. The options proides a way to make options for module loading permanent"
i.e. after you hae sucessfully used them with modprobe=insmod.
Configuring harddisks using hdparm
The disk subsystem of the Linux kernel is ery conseratie with your data. -hen not
completely sure if a certain disk or controller reliably handles a certain setting Asuch as
using 4ltra *@$ or I*D (lock @ode to transfer more sectors on a single interrupt or 92-
bit bus transfersB" it will default to the setting least likely to cause data corruption.
The command h)par# can be used to fine-tune your disk-drie. $lthough this utility is
intended primarily for use with ADBI*D hard disk deices" seeral of the options are also
alid Aand permittedB for use with &C&I hard disk deices and @?@=;LL hard disks with
PT interfaces.
h)par# can be used with many flags that influence it)s behaiour. It is mostly used to set
the using"dma flag A-dB and the 92-bit I=% support flag A-cB - these two flags can help
improe drie performance enormeously.
*@$ A*irect @emory $ccessB is a techni+ue used by newer ADBI*D dries. ;egular I*D
dries are interrupt drien. This means that the kernel will receie an interrupt eery time
a AsmallB amount of data needs to be transferred from disk to memory. The processor then
needs to transfer the data itself. *@$ A*irect @emory $ccessB or 4*@$ A4ltra *@$" a
faster ersionB works differently# the drie is capable of addressing memory directly"
hence can transfer the data into memory itself.
4ltra*@$ $T$:: dries are commonly used A4*@$::B" as are the newer 4*@$!..
dries. The 4*@$:: interface features burst data transfers of up to :: @(=second" up to
8 I*D deices per system. %ther interface speeds are used too# the older 99 @(=second
speed A4*@$99B or 4*@$!...
;ecent kernels A2.2B support *@$. Lou need to configure the kernel to support special
DI*D chipsets to be able to use all features of your controller. ?or older kernels" you may
need to install a patch to the kernel source code first.
Lou can configure newer kernels A2.2B to actiate *@$ automatically. ?or older kernels"
you hae to actiate it using the h)par# command. Den for newer kernels" you may
want to use h)par# to fine-tune the disk performance" since" as stated before" the kernel
will default to the setting least likely to cause data corruption. If you are sure about what
you are doing" and really need the extra speed" you can fine-tune the drie using h)par#.
?or example" assuming your disk is known as /de-/2db#
2dparm 6K6' /de-/2db
- <5 -
?or older 4*@$99 dries" use -5%%" for 4*@$!.. use -5%6. Lou could put a line in
your rc.local file to set this automatically on AreBboot. The field of A4B*@$ dries is
moing constantly and fast" therefore make sure to check the kernel documentation and
other references to find out about the newest deelopments.
%ther flags Asee manual page for a complete listB are#
"a*le $.3. Co##on flags for h)par#
-a
set=get the sector count for filesystem read-ahead
--
disable=enable read-lookahead
-/
check power mode status
-g
display the disks geometry
-7
lock the door on remoable dries Ae.g. EIPB
-y
force standby mode
-8
time the drie performance
-r
set the read-only flag for the deice
-m
set=get count for multiple block I%
/ere is an example of the use of h)par#. I? you hae ADBI*D disk dries" it is often
possible to boost your disk-performance by enabling 92 bit I=. transfer mode and setting
the using"dma flag for that drie. To try this" put the following line in a bootup script
Ae.g. /sbin/init.d/boot.localB" assuming the deicename for the drie is /de-/2da#
2dparm 6d# 6c% /de-/2da

To test how much you gained type#
2dparm 6t 6L /de-/2da

Configuring PC0C31 4e+ices (2.2$.$!
Candidates should be able to configure a Linux installation to include PC@CI$ support.
This ob'ectie includes configuring PC@CI$ deices" such as ethernet adapters" to be
auto detected when inserted.
/etc/pcmcia/
E.opts
cardctl
cardmgr
- <: -
1vervie of PC*CI/
3owadays" almost all laptops" and een a number of desktops" contain PC@CI$ slots.
PC@CI$ is an abbreiation for Personal Computer @emory Card International
$ssociation" a commission that defines standards for expansion cards
W5X
. The PC@CI$
itself was founded in !<<.. It initially deeloped a set of standards by which memory
could be added to portable systems. The PC@CI$ specification 2.. release in !<<! added
protocols for I=% deices and hard disks. The 2.! release in !<<9 refined these
specifications" and is the standard around which PC@CI$ cards are built today. PC@CI$
cards are credit card si,e adapters which fit into PC@CI$ slots. There are three types of
PC@CI$ cards" Type I generally used for memory cards such as ?L$&/ and &T$TIC
;$@Q Type II used for I=% peripherals such as serial adapters and fax-modems and Type
III which are used for rotating media such as hard disks. The only difference in the
physical specification for these cards is thickness# type I is the thinnest" type III the
thickest.
PC@CI$ cards are Jhot pluggableK e.g. you can remoe your network card without
damaging your system Ayour network will not work of courseB and plug it back in which
will automatically start up your card and configure the card for your system. Linux
supports PC@CI$ standards. It features a daemon which monitors PC@CI$ sockets to
see if cards are remoed or inserted Acar)#grB" and runs scripts to configure the network
into your system. Linux also features driers for the arious PC@CI$ cards. These
driers are either part of the kernel distribution or are supplied ia an additional package
ACard &erices for LinuxB.
"he cardmgr
The car)#gr daemon is responsible for monitoring PC@CI$ sockets" loading client
driers when needed and running user-leel scripts in response to card insertions and
remoals. It records its actions in the system log" but also uses beeps to signal card status
changes. The tones of the beeps indicate success or failure of particular configuration
steps. Two high beeps indicate that a card was identified and configured successfully. $
high beep followed by a low beep indicates that a card was identified" but could not be
configured for some reason. %ne low beep indicates that a card could not be identified.
The car)#gr daemon configures cards based on a database of known card types kept in
/etc/pcmcia/con5ig. This file describes the arious client driers" then describes how
to identify arious cards and which drierAsB belong with which cards. The format of this
file is described in the pc#cia(,! man page.
"he stab file
The car)#gr daemon records deice information for each socket in the file
/-ar/lib/pcmcia/stab. ?or the lines describing deices" the first field is the socket" the
second is the deice class" the third is the drier name" the fourth is used to number
multiple deices associated with the same drier" the fifth is the deice name" and the
final two fields are the ma'or and minor deice numbers for this deice Aif applicableB.
- <7 -
"he /etc/pcmcia )irectory
The /etc/pcmcia directory contains arious configuration files for PC@CI$ deices.
$lso" it contains scripts that start or stop PC@CI$ deices. ?or example the
configuration file con5ig.opts contains the local resource settings for PC@CI$ deices"
such as which ports to use" memory ranges to use and ports and ir+)s to exclude.
$dditionally" extra options for the modules can be specified here.
Card +ervices for Linu#
JCard &erices for LinuxK is a complete PC@CI$ or JPC CardK support package. It
includes a set of loadable kernel modules that implement a ersion of the Card &erices
applications-programming interface" a set of client driers for specific cards and a card
manager daemon that can respond to card insertion and remoal eents" loading and
unloading driers on demand. It supports Jhot swappingK of most card types" so cards can
be safely inserted and e'ected at any time. The release includes driers for a ariety of
ethernet cards" a drier for modem and serial port cards" seeral &C&I adapter driers" a
drier for $T$=I*D drie cards and memory-card driers that should support most
&;$@ cards and some flash cards.
Lou)ll need the kernel source to install pcmcia6cs" since the drier modules contain
references to the kernel source files. Installing the pcmcia6cs package results in a
number of modules in the /lib/modules/?!our6,ernel6-ersionA directory.
The PC@CI$ startup script recogni,es seeral groups of startup options which are set ia
enironment ariables. @ultiple options should be separated by spaces and enclosed in
+uotes. Placement of startup options depends on the Linux distribution used. They may
be placed directly in the startup script or they may be kept in a separate option file. These
are specific for arious Linux distributions.
Card &erices should automatically aoid allocating I% ports and interrupts already in use
by other standard deices. It will also attempt to detect conflicts with unknown deices"
but this is not completely reliable. In some cases" you may need to explicitly exclude
resources for a deice in /etc/pcmcia/con5ig.opts.
Neer kernels and PC*CI/
$s of kernel 2.2 PC@CI$ support is integrated into the kernel - that is# the modules
AdriersB are part of the kernel code distribution. Lou may want to try that first. /oweer"
in some situations the integrated support does not work. In many cases" you will still
want to download and install JCard &erices for LinuxK Apcmcia6csB.
"he cardctl and cardinfo commands
The car)ctl command can be used to check the status of a socket or to see how it is
configured. It can also be used to alter the configuration status of a card.
- <8 -
"a*le $.$. car)ctl co##an)s
status *isplay the current socket status flags.
config
*isplay the socket configuration" including power settings" interrupt and I=%
window settings and configuration registers.
ident
*isplay card identification information" including product identification strings"
manufacturer I* codes and function I* codes.
suspend &hut down and then disable power for a socket.
resume ;estore power to a socket and re-configure for use.
reset
&end a reset signal to a socket" sub'ect to approal by any driers already bound
to the socket.
e'ect
3otify all client driers that this card will be e'ected" then cut power to the
socket.
insert 3otify all client driers that this card has 'ust been inserted.
scheme
If no scheme name is gien" cardctl will display the current PC@CI$
configuration scheme. If a scheme name is gien" cardctl will de-configure all
PC@CI$ deices" and reconfigure for the new scheme.
If you are running P" the car)info utility produces a graphical interface to most car)ctl
functions.
- << -
Chapter ,. 5etworking (2.2,!
%b'ectie 2.2.5.!Q (asic 3etworking Configuration A5 pointsB
The candidate should be able to configure a network deice to be able to connect
to a local network and a wide-area network. This ob'ectie includes being able to
communicate between arious subnets within a single network" configure dialup-
access using mgetty" configure dialup-access using a modem or I&*3" configure
authentication protocols such as P$P and C/$P and configure TCP=IP logging.
%b'ectie 2.2.5.2Q $danced 3etwork Configuration and Troubleshooting A9 pointsB
The candidate should be able to configure a network deice to implement arious
network-authentication schemes. This ob'ectie includes configuring a multi-
homed network deice" configuring a irtual priate network and resoling
networking and communication problems.
7asic 5etworking Configuration (2.2,.1!
The candidate should be able to configure a network deice to be able to connect to a
local network and a wide-area network. This ob'ectie includes being able to
communicate between arious subnets within a single network" configure dialup access
using mgetty" configure dialup access using a modem or I&*3" configure authentication
protocols such as P$P and C/$P and configure TCP=IP logging.
Bs*inBroute
Bs*inBifconfig
Bs*inBarp
BusrBs*inBarpwatch
/etc/
Configuring the netork interface
$fter setting up your hardware" you hae to make the deices known to the kernel
networking software. $ couple of commands are used to configure the network interfaces
and initiali,e the routing table. These tasks are usually performed from the network-
initiali,ation script each time you boot the system. The basic tools for this process are
called ifconfig Awhere JifK stands for interfaceB and route.
- !.. -
ifconfig is used to make an interface accessible to the kernel networking layer. This
inoles the assignment of an IP address and other parameters" and actiation of the
interface" also known as Jbringing upK the interface. (eing actie here means that the
kernel will send and receie IP datagrams through the interface. The simplest way to
inoke it is with#
+ i5con5ig interface ip-address
This command assigns ip-address to interface and actiates it. $ll other parameters
are set to default alues. ?or instance" the default network mask is deried from the
network class of the IP address" such as 255.255.... for a class ( address.
route allows you to add or remoe routes from the kernel routing table. It can be inoked
as#
+ route UaddTdelV )6netT62ost* target )if*
The add and del arguments determine whether to add or delete the route to target. The
6net and 62ost arguments tell the route command whether the target is a network or a
host Aa host is assumed if you don)t specifyB. The i5 argument specifies the interface and
is optional" and allows you to specify to which network interface the route should be
directed -- the Linux kernel makes a sensible guess if you don)t supply this information.
"he Loop*ack 3nterface
The ery first interface to be actiated is the loopback interface#
+ i5con5ig lo #20.$.$.#
%ccasionally" you will see the dummy hostname localhost being used instead of the IP
address. ifconfig will look up the name in the hosts file" where an entry should declare it
as the hostname for !27.....!#
+ Sample /etc/2osts entr! 5or local2ost
#20.$.$.# local2ost
To iew the configuration of an interface" you inoke ifconfig" giing it only the interface
name as argument#
3 i5con5ig lo
lo Min, encap.Mocal Moopbac, inet addr.#20.$.$.#
Mas,.2((.$.$.$ F MGGF=;DK 1HHIHJ ML.%&24 Metric.# 1K
pac,ets.$
errors.$ dropped.$ o-erruns.$ 5rame.$ LK pac,ets.$ errors.$
dropped.$
o-erruns.$ carrier.$ Dollisions.$
- !.! -
$s you can see" the loopback interface has been assigned a netmask of 255......" since
!27.....! is a class $ address.
These steps are enough to use networking applications on a stand-alone host. $fter
adding these lines to your network initiali,ation script

and making sure it will be executed
at boot time" you may reboot your machine and try out arious applications. ?or instance"
telnet localhost should establish a telnet connection to your host" giing you a login:
prompt.
The loopback interface is useful not only as an example in networking books or as a test
bed during deelopment" but is actually used by some applications during normal
operation.
W7X
Therefore" you always hae to configure it" regardless of whether your
machine is attached to a network or not.
=thernet 3nterfaces
Configuring an Dthernet interface is pretty much the same as the loopback interface Y it
'ust re+uires a few more parameters when you are using subnetting.
&uppose we hae subnetted the IP network" which was originally a class ( network" into
class C subnetworks. To make the interface recogni,e this" the ifconfig incantation would
look like this#
+ i5con5ig et2$ #02.#6.#.2 netmas, 2((.2((.2((.$
This command assigns the eth. interface an IP address of !72.!:.!.2. If we had omitted
the netmask" ifconfig would deduce the netmask from the IP network class" which would
result in an incorrect netmask of 255.255..... 3ow a +uick check shows#
+ i5con5ig et2$
et2$ Min, encap #$Mps :t2ernet YRaddr
$$.$$.D$.&$.=%.42 inet addr #02.#6.#.2 =cast #02.#6.#.2(( Mas,
2((.2((.2((.$ F =1G;DD;SL 1HHIHJ ML #($$ Metric # 1K
pac,ets $
errors $ dropped $ o-errun $ LK pac,ets $ errors $ dropped $
o-errun $
Lou can see that ifconfig automatically sets the broadcast address Athe (cast fieldB to the
usual alue" which is the host)s network number with all the host bits set. $lso" the
maximum transmission unit Athe maximum si,e of IP datagrams the kernel will generate
for this interfaceB has been set to the maximum si,e of Dthernet packets# !"5.. bytes. The
defaults are usually what you will use" but all these alues can be oerridden if re+uired.
If you are using a 2...x or earlier kernel" you now hae to install a routing entry that
informs the kernel about the network that can be reached through eth.. ?or example#
+ route add 6net #02.#6.#.$
- !.2 -
$t first this looks a bit like magic because it)s not really clear how route detects which
interface to route through. /oweer" the trick is rather simple# the kernel checks all
interfaces that hae been configured so far and compares the destination address
A!72.!:.!.. in this caseB to the network part of the interface address Athat is" the bitwise
-9: of the interface address and the netmaskB. The only interface that matches is et2$.
3ow" what)s that 6net option for> This is used because route can handle both routes to
networks and routes to single hosts. -e hae to tell route explicitly that it denotes a
network" so we gie it the 6net flag.
2outing "hrough a >ateway
In the preious section" we only coered the case of a host on a single Dthernet. Huite
fre+uently" howeer" one encounters networks connected to one another by gateways.
These gateways may simply link two or more Dthernets" but may also proide a link to
the outside world" such as the Internet. In order to use a gateway" you hae to proide
additional routing information to the networking layer.
Imagine two ethernets linked through such a gateway" the host romeo. $ssuming that
romeo has already been configured" we 'ust hae to add an entry to our routing table
telling the kernel all hosts on the other network can be reached through romeo. The
appropriate incantation of route is shown belowQ the g> keyword tells it that the next
argument denotes a gateway#
+ route add 6net #02.#6.$.$ netmas, 2((.2((.2((.$ g> romeo
%f course" any host on the other network you wish to communicate with must hae a
routing entry for our network. %therwise you would only be able to send data to the other
network" but the hosts on the other network would be unable to reply.
This example only describes a gateway that switches packets between two isolated
ethernets. 3ow assume that romeo also has a connection to the Internet Asay" through an
additional PPP linkB. In this case" we would want datagrams to any destination network to
be handed to romeo. This action can be accomplished by making it the default gateway#
+ route add de5ault g> romeo
The network name default is a shorthand for ......." which denotes the default route.
The default route matches eery destination and will be used if a more specific route is
not aailable.
PPP
%n Linux" PPP functionality is split into two parts# a kernel component that handles the
low-leel protocols A/*LC" IPCP" IPPCP" etc.B and the user space ppp) daemon that
handles the arious higher-leel protocols" such as P$P and C/$P. The current release
- !.9 -
of the PPP software for Linux contains the PPP daemon ppp) and a program called chat
that automates the dialing of the remote system.
Like &LIP" PPP is implemented by a special line discipline. To use a serial line as a PPP
link" you first establish the connection oer your modem as usual" and subse+uently
conert the line to PPP mode. In this mode" all incoming data is passed to the PPP drier"
which checks the incoming /*LC frames for alidity Aeach /*LC frame carries a !:-bit
checksumB" and unwraps and dispatches them. Currently" PPP is able to transport both the
IP protocol" optionally using Can Racobson header compression" and the IPP protocol.
ppp) aids the kernel drier" performing the initiali,ation and authentication phase that is
necessary before actual network traffic can be sent across the link. ppp))s behaior may
be fine-tuned using a number of options.
PPP is strictly a peer to peer protocolQ there is AtechnicallyB no difference between the
machine that dials in and the machine that is dialed into. /oweer" for clarity)s sake" it is
useful to think in terms of servers and clients.
-hen you dial into a machine to establish a PPP connection" you are a client. The
machine to which you connect is the server. -hen you are setting up a Linux box to
receie and handle dial-in PPP connections" you are setting up a PPP server.
$s PPP is rather complex" it is impossible to explain all of it in a single chapter. This
book therefore cannot coer all aspects of ppp)" but only gies you an introduction. ?or
more information" consult 4sing Z @anaging PPP or the ppp) manual pages" and
;D$*@D files in the pppd source distribution" which should help you sort out most
+uestions not coered in this chapter. The PPP-/%-T% might also be of use.
Probably the greatest help you will find in configuring PPP will come from other users of
the same Linux distribution. PPP configuration +uestions are ery common" so try your
local usergroup mailing list or the I;C Linux channel. If your problems persist een after
reading the documentation" you could try the comp.protocols.ppp newsgroup. This is the
place where you will find most of the people inoled in pppd deelopment.
2unning ppp)
In this introductory example of how to establish a PPP connection with ppp)" we will
assume you are at romeo. ?irst" dial in to the PPP serer >illiam and log in to the ppp
account and >illiam will execute its PPP drier.
PPP lient
$fter exiting the communications program you used for dialing" execute the following
command" substituting the name of the serial deice you used for the tt!S% shown here#
+ pppd /de-/tt!S% %'4$$ crtscts de5aultroute
- !.2 -

This command flips the serial line tt!S% to the PPP line discipline and negotiates an IP
link with >illiam. The transfer speed used on the serial port will be 98"2.. bps. The
crtscts option turns on hardware handshake on the port" which is an absolute must at
speeds aboe <":.. bps.
The first thing ppp) does after starting up is negotiate seeral link characteristics with
the remote end using LCP. 4sually" the default set of options ppp) tries to negotiate will
work" so we won)t go into this here" except to say that part of this negotiation inoles
re+uesting or assigning the IP addresses at each end of the link.
?or the time being" we also assume that >illiam doesn)t re+uire any authentication from
us" so the configuration phase is completed successfully.
ppp) will then negotiate the IP parameters with its peer using IPCP" the IP control
protocol. &ince we didn)t specify any particular IP address to ppp) earlier" it will try to
use the address obtained by haing the resoler look up the local hostname. (oth will
then announce their addresses to each other.
4sually" there)s nothing wrong with these defaults. Den if your machine is on an
Dthernet" you can use the same IP address for both the Dthernet and the PPP interface.
3eertheless" ppp) allows you to use a different address" or een to ask your peer to use
some specific address. These options are discussed later.
$fter going through the IPCP setup phase" ppp) will prepare your host)s networking
layer to use the PPP link. It first configures the PPP network interface as a point-to-point
link" using ppp$ for the first PPP link that is actie" ppp# for the second" and so on. 3ext"
it sets up a routing table entry that points to the host at the other end of the link. In the
preious example" ppp) made the default network route point to >illiam" because we
gae it the de5aultroute option. The default route simplifies your routing by causing
any IP datagram destined for a nonlocal host to be sent to >illiamQ this makes sense
since it is the only way it can be reached. There are a number of different routing
schemes ppp) supports" some of which we will coer later in this chapter.
%f course" the dialing can be automated using the chat(1! command. ?or more
information see the manual page.
PPP !erver
;unning ppp) as a serer is 'ust a matter of configuring a serial tty deice to inoke
ppp) with appropriate options when an incoming data call has been receied. %ne way to
do this is to create a special account" say ppp" and gie it a script or program as a login
shell that inokes ppp) with these options. $lternatiely" if you intend to support P$P or
C/$P authentication" you can use the #getty program to support your modem and
exploit its J=$utoPPP=K feature.
- !.5 -
To build a serer using the login method" you add a line similar to the following to your /
etc/pass>d file#
ppp.x.($$.2$$.Fublic FFF ;ccount./tmp./etc/ppp/ppplogin
If your system supports shadow passwords" you also need to add an entry to the
/etc/s2ado> file#
ppp.Q.#$&#%.$.&&&&&.0...
%f course" the 4I* and 6I* you use depends on which user should own the connection"
and how you)e created it. Lou also hae to set the password for this account using the
passw) command.
The ppplogin script might look like this#
+Q/bin/s2
+ ppplogin 6 script to 5ire up pppd on login
mesg n
stt! 6ec2o
exec pppd 6detac2 silent modem crtscts
The #esg command disables other users from writing to the tty by using" for example"
the write command. The stty command turns off character echoing. This command is
necessaryQ otherwise" eerything the peer sends would be echoed back to it. The most
important ppp) option gien is 6detac2 because it preents ppp) from detaching from
the controlling tty. If we didn)t specify this option" it would go to the background" making
the shell script exit. This in turn would cause the serial line to hang up and the connection
to be dropped. The silent option causes ppp) to wait until it receies a packet from the
calling system before it starts sending. This option preents transmit timeouts from
occurring when the calling system is slow in firing up its PPP client. The modem option
makes ppp) drie the modem control lines of the serial port. Lou should always turn this
option on when using ppp) with a modem. The crtscts option turns on hardware
handshake.
(esides these options" you might want to force some sort of authentication" for example"
by specifying aut2 on ppp))s command line or in the global options file. The manual
page also discusses more specific options for turning indiidual authentication protocols
on and off.
If you wish to use #getty" all you need to do is configure #getty to support the serial
deice your modem is connected to" by adding a line similar to the following to
/etc/inittab#
L$.2%.respa>n./sbin/mgett! tt!S$
- !.: -
Configure ppp) for either P$P or C/$P authentication with the appropriate options in
its options file" and finally" add a section similar to the following to your
/etc/mgett!/login.con5ig file#
+ Don5igure mgett! to automaticall! detect incoming FFF calls and in-o,e
+ t2e pppd daemon to 2andle t2e connection.
+
/;utoFFF/ 6 ppp /usr/sbin/pppd aut2 6c2ap Xpap login
The first field is a special piece of magic used to detect that an incoming call is a PPP
one. Lou must not change the case of this stringQ it is case sensitie. The third column
AJpppKB is the user name which appears in who listings when someone has logged in. The
rest of the line is the command to inoke. In our example" we)e ensured that P$P
authentication is re+uired" disabled C/$P" and specified that the system pass>d file
should be used for authenticating users. This is probably similar to what you)ll want. Lou
can specify the options in the options file Asee belowB" or on the command line if you
prefer.
/ere is a small checklist of tasks to perform" as well as the se+uence in which they should
be performed in order to hae PPP dial-in working on your machine. @ake sure each step
works before moing on to the next#
!. Configure the modem for auto-answer mode. %n /ayes-compatible modems" this
is performed with a command like )T"0*3. If you)re going to be using the #getty
daemon" this isn)t necessary.
2. Configure the serial deice with a getty type of command to answer incoming
calls. $ commonly used getty ariant is #getty.
9. Consider authentication. -ill your callers authenticate using P$P" C/$P or
system login>
2. Configure ppp) as serer as described in this section.
5. Consider routing. -ill you need to proide a network route to callers> ;outing
can be performed using the ip6up script.
PPP Configuration -iles
Using "ptions Files
(efore ppp) parses its command-line arguments" it scans seeral files for default options.
These files may contain any alid command-line arguments spread out across an arbitrary
number of lines. /ash signs introduce comments.
The first options file is /etc/ppp/options" which is always scanned when ppp) starts
up. 4sing it to set some global defaults is a good idea" because it allows you to keep your
users from doing seeral things that may compromise security. ?or instance" to make
ppp) re+uire some kind of authentication Aeither P$P or C/$PB from the peer" you add
the auth option to this file. This option cannot be oerridden by the user" so it becomes
impossible to establish a PPP connection with any system that is not in your
- !.7 -
authentication databases. 3ote" howeer" that some options can be oerriddenQ the
connect string is a good example.
The other options file" which is read after /etc/ppp/options" is .ppprc in the user)s
home directory. It allows each user to specify her own set of default options.
$ sample /etc/ppp/options file might look like this#
+ Jlobal options 5or pppd running on romeo
loc, + use DF6st!le de-ice loc,ing
aut2 + reSuire aut2entication
use2ostname + use local 2ostname 5or DY;F
domain example.com + our domain name

The loc, keyword makes ppp) comply to the standard 44CP method of deice locking.
-ith this conention" each process that accesses a serial deice" say /de-/tt!S%" creates
a lock file with a name like MDK..tt!S% in a special lock-file directory to signal that the
deice is in use. This is necessary to preent other programs" such as #inico# or uucico"
from opening the serial deice while it is used by PPP.
The next three options relate to authentication and" therefore" to system security. The
authentication options are best placed in the global configuration file because they are
JpriilegedK and cannot be oerridden by users) 8/.ppprc options files.
IP onfiguration "ptions
IPCP is used to negotiate a number of IP parameters at link configuration time. 4sually"
each peer sends an IPCP Configuration ;e+uest packet" indicating which alues it wants
to change from the defaults and the new alue. 4pon receipt" the remote end inspects
each option in turn and either acknowledges or re'ects it.
ppp) gies you a lot of control oer which IPCP options it will try to negotiate. Lou can
tune it through arious command-line options that we will discuss in this section.
Choosing 3P 1))resses
$ll IP interfaces re+uire IP addresses assigned to themQ a PPP deice always has an IP
address. The PPP suite of protocols proides a mechanism that allows the automatic
assignment of IP addresses to PPP interfaces. It is possible for the PPP program at one
end of a point-to-point link to assign an IP address for the remote end to use or each may
use its own.
&ome PPP serers that handle a lot of client sites assign addresses dynamicallyQ addresses
are assigned to systems only when calling in and are reclaimed after they hae logged off.
This allows the number of IP addresses re+uired to be limited to the number of dialup
lines. -hile limitation is conenient for managers of the PPP dialup serer" it is often less
- !.8 -
conenient for users who are dialing in. In order for people to connect to your host" they
must know your IP address or the hostname associated with it. If you are a user of a PPP
serice that assigns you an IP address dynamically" this knowledge is difficult without
proiding some means of allowing the *3& database to be updated after you are assigned
an IP address. /ere we)ll coer a more preferable approach" which inoles you being
able to use the same IP address each time you establish your network connection.
In the preious example" we had ppp) on romeo dial up >illiam and establish an IP
link. 3o proisions were made to choose a particular IP address on either end of the link.
Instead" we let ppp) take its default action. It attempts to resole the local hostname
Aromeo in our exampleB to an IP address" which it uses for the local end" while letting the
remote machine A>illiamB proide its own. PPP supports seeral alternaties to this
arrangement.
To ask for particular addresses" you generally proide ppp) with the following option#
local_addr.remote_addr
local_addr and remote_addr may be specified either in dotted +uad notation or as
hostnames. This option makes ppp) attempt to use the first address supplied as its own
IP address" and the second as the peer)s. If the peer re'ects either of the addresses during
IPCP negotiation" no IP link will be established.
If you are dialing in to a serer and expect it to assign you an IP address" you should
ensure that ppp) does not attempt to negotiate one for itself. To do this" use the
noipde5ault option and leae the local_addr blank. The noipde5ault option will stop
ppp) from trying to use the IP address associated with the hostname as the local address.
If you want to set only the local address but accept any address the peer uses" simply
leae out the remote_addr part. To make romeo use the IP address !9..89.2.27 instead
of its own" gie it &30.83.+.,-: on the command line. &imilarly" to set the remote
address only" leae the local_addr field blank. (y default" ppp) will then use the
address associated with your hostname.
2outing "hrough a PPP Link
$fter setting up the network interface" ppp) will usually set up a host route to its peer
only. If the remote host is on a L$3" you certainly want to be able to connect to hosts
behind your peer as wellQ in that case" a network route must be set up.
-e hae already seen that ppp) can be asked to set the default route using the
de5aultroute option. This option is ery useful if the PPP serer you dialed-up acts as
your Internet gateway.
The reerse case" in which our system acts as a gateway for a single host" is also
relatiely easy to accomplish. ?or example" let us assume a home machine is dialing in to
- !.< -
our system Awhich is configured as a dialin PPP sererB. If we)e configured our system
to dynamically assign an IP address that belongs to our subnet" then we can use the
prox!arp option with ppp)" which will install a proxy $;P entry for oneshot. This
automatically makes the home machine accessible from all hosts at our network.
/oweer" things aren)t always that simple. Linking two local area networks usually
re+uires adding a specific network route because these networks may hae their own
default routes. (esides" haing both peers use the PPP link as the default route would
generate a loop through which packets to unknown destinations would ping-pong
between the peers until their time-to-lie expired.
&uppose you want to connect a subsidiary network with your machine romeo. The
subsidiary runs an Dthernet of its own using the IP network number !72.!:.9... The
subsidiary wants to connect to your network ia PPP to update customer databases. The
machine romeo acts as the gateway and will support the PPP linkQ its peer at the new
branch is called 7uliet and has an IP address of !72.!:.9.!.
-hen 7uliet connects to romeo" it makes the default route point to romeo. %n romeo"
howeer" we will hae only the point-to-point route to 7uliet and will hae to specially
configure a network route for subnet 9 that uses 7uliet as its gateway. -e could do this
manually using the route command after the PPP link is established" but this is not a ery
practical solution. ?ortunately" we can configure the route automatically by using a
feature of ppp) that we haen)t discussed yetQ the ip@up command. This command is a
shell script or program located in /etc/ppp that is executed by ppp) after the PPP
interface has been configured. -hen present" it is inoked with the following parameters#
ip6up i5ace de-ice speed local"addr remote"addr
The following table summari,es the meaning of each of the arguments Ain the first
column" we show the number used by the shell script to refer to each argumentB#
- !!. -
1rgu#ent 5a#e Purpose
U! iface The network interface used" e.g." ppp.
U2 deice
The pathname of the serial deice file used A>=de=tty" if
stdin=stdout are usedB
U9 speed The speed of the serial deice in bits per second
U2 localFaddr
The IP address of the remote end of the link in dotted +uad
notation
U5 remoteFaddr
The IP address of the remote end of the link in dotted +uad
notation
In our case" the ip@up script may contain the following code fragment#
+Q/bin/s2
case 3( in
#02.#6.%.#) + t2is is 7uliet
route add 6net #02.#6.%.$ g> #02.#6.%.#
CC
...
esac
exit $

&imilarly" /etc/ppp/ip6do>n can be used to undo any actions of ip@up after the PPP
link has been taken down again. &o in our /etc/ppp/ip6do>n script we would hae a
route command that remoed the route we created in the /etc/ppp/ip6up script.
/oweer" the routing scheme is not yet complete. -e hae set up routing table entries on
both PPP hosts" but" so far" neither of the hosts on either network knows anything about
the PPP link. This is not a big problem if all hosts at the subsidiary hae their default
route pointing at 7uliet" and all our hosts route to romeo by default. /oweer" if this is
not the case" your only option is to use a routing daemon like gate). $fter creating the
network route on romeo" the routing daemon broadcasts the new route to all hosts on the
attached subnets.
1uthentication with PPP
-ith PPP" each system may re+uire its peer to authenticate itself using one of two
authentication protocols# the 'ass#ord Authentication 'rotocol AP$PB or the ,hallenge
andshake Authentication 'rotocol AC/$PB. -hen a connection is established" each end
can re+uest the other to authenticate itself" regardless of whether it is the caller or the
called. In the description that follows" we will use the phrases JclientK and JsererK when
we want to distinguish between the system sending authentication re+uests and the
system responding to them. $ PPP daemon on the client can ask its peer on the serer for
authentication by sending yet another LCP configuration re+uest identifying the desired
authentication protocol.
- !!! -
P#P $ersus %#P
P$P" which is offered by many Internet &erice Proiders" works basically the same way
as the normal login procedure. The client authenticates itself by sending a username and a
Aoptionally encryptedB password to the serer" which the serer compares to its secrets
database. This techni+ue is ulnerable to eaesdroppers" who may try to obtain the
password by listening in on the serial line" and to repeated trial and error attacks.
C/$P does not hae these deficiencies. -ith C/$P" the serer sends a randomly
generated JchallengeK string to the client" along with its hostname. The client uses the
hostname to look up the appropriate secret" combines it with the challenge and encrypts
the string using a one-way hashing function. The result is returned to the serer along
with the client)s hostname. The serer now performs the same computation and
acknowledges the client if it arries at the same result.
C/$P also doesn)t re+uire the client to authenticate itself only at startup time" but sends
challenges at regular interals to make sure the client hasn)t been replaced by an intruder
Y for instance" by switching phone lines or because of a modem configuration error that
causes the PPP daemon not to notice that the original phone call has dropped out and
someone else has dialed in.
ppp) keeps the secret keys for P$P and C/$P in two separate files called
/etc/ppp/pap6secrets and /etc/ppp/c2ap6secrets. (y entering a remote host in one
or the other file" you hae fine control oer whether P$P or C/$P is used to authenticate
yourself with your peer" and ice ersa.
(y default" ppp) doesn)t re+uire authentication from the remote host" but it will agree to
authenticate itself when re+uested by the remote host. &ince C/$P is so much stronger
than P$P" ppp) tries to use the former wheneer possible. If the peer does not support it"
or if ppp) can)t find a C/$P secret for the remote system in its chap-secrets file" it
reerts to P$P. If it doesn)t hae a P$P secret for its peer either" it refuses to authenticate
altogether. $s a conse+uence" the connection is shut down.
Lou can modify this behaior in seeral ways. -hen gien the aut2 keyword" ppp)
re+uires the peer to authenticate itself. ppp) agrees to use either C/$P or P$P as long as
it has a secret for the peer in its C/$P or P$P database. There are other options to turn a
particular authentication protocol on or off" but I won)t describe them here.
If all systems you talk to with PPP agree to authenticate themseles with you" you should
put the aut2 option in the global /etc/ppp/options file and define passwords for each
system in the c2ap6secrets file. If a system doesn)t support C/$P" add an entry for it to
the pap6secrets file. That way" you can make sure no unauthenticated system connects
to your host.
The next two sections discuss the two PPP secrets files" pap6secrets and c2ap6
secrets. They are located in /etc/ppp and contain triplets of clients" serers and
- !!2 -
passwords" optionally followed by a list of IP addresses. The interpretation of the client
and serer fields is different for C/$P and P$P" and it also depends on whether we
authenticate ourseles with the peer" or whether we re+uire the serer to authenticate
itself with us.
&he %#P !ecrets File
-hen it has to authenticate itself with a serer using C/$P" ppp) searches the c2ap6
secrets file for an entry with the client field e+ual to the local hostname and the serer
field e+ual to the remote hostname sent in the C/$P challenge. -hen re+uiring the peer
to authenticate itself" the roles are simply reersed# ppp) then looks for an entry with the
client field e+ual to the remote hostname Asent in the client)s C/$P responseB" and the
serer field e+ual to the local hostname.
The following is a sample chap-secrets file for romeo#
+ DY;F secrets 5or romeo.example.com
+
+ client ser-er secret addrs
+666666666666666666666666666666666666666666666666666666666666666666666
romeo.example.com >illiam.s2a,espeare.com 9R2ere art t2ou9
romeo.example.com
>illiam.s2a,espeare.com romeo.example.com 9Lo be9
>illiam.s2a,espeare.com
E romeo.example.com 9Dapulet9
pub.example.com
-hen romeo establishes a PPP connection with >illiam" >illiam asks romeo to
authenticate itself by sending a C/$P challenge. ppp) on romeo then scans c2ap6
secrets for an entry with the client field e+ual to romeo.example.com and the serer
field e+ual to >illiam.s2a,espeare.com" and finds the first line shown in the example.
It then produces the C/$P response from the challenge string and the secret A4se The
&ource LukeB" and sends it off to >illiam.
ppp) also composes a C/$P challenge for >illiam containing a uni+ue challenge string
and its fully +ualified hostname Aromeo.example.comB. $ C/$P response in the way we
discussed" is formatted by >illiam and returned to romeo. ppp) then extracts the client
hostname A>illiam.s2a,espeare.comB from the response and searches the c2ap6
secrets file for a line matching >illiam as a client and romeo as the serer. The second
line does this" so ppp) combines the C/$P challenge and the secret To be" encrypts
them" and compares the result to >illiam)s C/$P response.
The optional fourth field lists the IP addresses that are acceptable for the client named in
the first field. The addresses can be gien in dotted +uad notation or as hostnames that are
looked up with the resoler. ?or instance" if >illiam asks to use an IP address during
IPCP negotiation that is not in this list" the re+uest is re'ected" and IPCP is shut down. In
the sample file shown aboe" >illiam is therefore limited to using its own IP address. If
- !!9 -
the address field is empty" any addresses are allowedQ a alue of . preents the use of IP
with that client altogether.
The third line of the sample chap-secrets file allows any host to establish a PPP link with
romeo because a client or serer field of / is a wildcard matching any hostname. The only
re+uirements are that the connecting host must know the secret and that it must use the IP
address associated with pub.example.com. Dntries with wildcard hostnames may appear
anywhere in the secrets file" since ppp) will always use the best match it can find for the
serer=client pair.
ppp) may need some help forming hostnames. $s explained before" the remote hostname
is always proided by the peer in the C/$P challenge or response packet. The local
hostname is obtained by calling the gethostna#e function by default. If you hae set the
system name to your un+ualified hostname" you also hae to proide ppp) with the
domain name using the domain option#
+ pppd 4 domain -bre>.com
This proision appends our domain name to romeo for all authentication-related
actiities. %ther options that modify ppp))s idea of the local hostname are use2ostname
and name. -hen you gie the local IP address on the command line using local.remote
and local is a name instead of a dotted +uad" ppp) uses this as the local hostname.
&he P#P !ecrets File
The P$P secrets file is ery similar to C/$P one. The first two fields always contain a
username and a hostnameQ the third holds the P$P secret. -hen the remote host sends its
authentication information" ppp) uses the entry that has a serer field e+ual to the local
hostname and a user field e+ual to the username sent in the re+uest. -hen it is necessary
for us to send our credentials to the peer" ppp) uses the secret that has a user field e+ual
to the local username and the serer field e+ual to the remote hostname.
$ sample P$P secrets file might look like this#
+ /etc/ppp/pap6secrets
+
+ user ser-er secret addrs
romeo6pap >illiam cresspa2l romeo.example.com
>illiam romeo DonaldJHt2 >illiam.s2a,espeare.com
The first line is used to authenticate ourseles when talking to >illiam. The second line
describes how a user named >illiam has to authenticate itself with us.
The name romeo-pap in the first column is the username we send to >illiam. (y
default" ppp) picks the local hostname as the username" but you can also specify a
different name by giing the user option followed by that name.
- !!2 -
-hen picking an entry from the pap6secrets file to identify us to a remote host" ppp)
must know the remote host)s name. $s it has no way of finding that out" you must specify
it on the command line using the remotename keyword followed by the peer)s hostname.
To use the aboe entry for authentication with >illiam" for example" we must add the
following option to ppp))s command line#
+ pppd ... remotename >illiam user romeo6pap
In the fourth field of the P$P secrets file Aand all following fieldsB" you can specify what
IP addresses are allowed for that particular host" 'ust as in the C/$P secrets file. The
peer will be allowed to re+uest only addresses from that list. In the sample file" the entry
that >illiam will use when it dials in Athe line where >illiam is the clientB allows it to
use its real IP address and no other.
1)+ance) 5etwork Configuration an)
"rou*leshooting (2.2,.2!
The candidate should be able to configure a network deice to implement arious
network authentication schemes. This ob'ectie includes configuring a multi-homed
network deice" configuring a irtual priate network and resoling networking and
communication problems.
Bs*inBroute
B*inBifconfig
B*inBnetstat
B*inBping
Bs*inBarp
BusrBs*inBtcp)u#p
BusrBs*inBlsof
BusrB*inBnc
2irtual Private Netork
;hat 3s 1 NP5
CP3 stands for Cirtual Priate 3etwork. $ CP3 uses the Internet as its transport
mechanism" while maintaining the security of the data on the CP3. -hat does a CP3
do> It allows you to connect two or more remote networks securely oer an insecure
connection. The reason it is called virtual is that there is no physical connection between
the two networks. Instead a non-dedicated secure tunnel is created through an insecure
connection Alike the InternetB. This tunnel is generally encrypted and is only decrypted
when it arries at the destination host.
- !!5 -
-hy would you need such a network> In today)s connected world" employees always
need access to the data on the corporate network. 4ntil recently this was done by dialing
directly into the serers. The issue with this is that long-distance bills can be expensie as
well as the cost of e+uipment and extra phone lines. (y letting the employee connect ia
local internet access whereer he is" the costs are dramatically reduced.
$nother reason for implementing a CP3 is to integrate the L$3s in seeral office or
branches. (y connecting the two networks" a user in Los $ngeles can access network
serices in 3ew Lork while still using their regular Internet connection.
NP5 "ypes
There are many ways to implement a CP3. @any companies use proprietary software
implementation while others use their routers because many routers hae CP3 support
built in. These CP3s can be as simple as an &&/ tunnel or ery complicated. (ut all
implementations create a irtual tunnel through an insecure network. &ome CP3
implementations include#
IP&DC
CP3*
&&/
@any Cisco ;outers
This book will only outline the implementations of an &&/ tunnel and IP&DC.
!!% and PPP
The system described here is to implement a CP3 using ssh and ppp. (asically ssh
creates a tunnel connection which ppp) can use to run TCP=IP traffic though. That)s what
makes up the CP3.
The real trick to getting ssh and ppp) to play well together is the utility pty@re)ir written
by $rpad @agosanyi that allows the redirection of standard in and standard out to a
pseudo tty. This allows ppp) to talk through ssh as if it were a serial line. %n the serer
side" ppp) is run as the users shell in the ssh-session" completing the link. $fter that" all
you need to do is the routing.
"he (er+er
The serer is set up by creating an entry in /etc/pass>d for a user with /usr/bin/pppd
as the shell#
-pn"user.E.#$$4.#$#.PFH serOOO./2ome/-pn6users./usr/sbin/pppd

- !!: -
This line assumes that the user cannot login using a password. $ll authentication is done
ia ssh)s public key authentication system. This way" only those with keys can get in" and
it)s pretty much impossible to remember a binary key that)s 59. characters long.
"he Client
The link is created by running ppp) through a pseudo terminal that is created by pty@
re)ir and connected to ssh. This is done with something similar to the following
se+uence of commands#
/usr/sbin/pt!6redir /usr/bin/ss2 6t 6e none 6o W=atc2mode !esW /
6c blo>5is2 6i /root/.ss2/identit!.-pn 6l 7oe A /tmp/-pn6
de-ice
sleep #$
/usr/sbin/pppd Zcat /tmp/-pn6de-iceZ
sleep #(
/sbin/route add 6net #02.#6.$.$ g> -pn6internal.m!compan!.com /
netmas,
2((.24$.$.$
/sbin/route add 6net #&2.#6'.$.$ g> -pn6internal.m!compan!.com /
netmas,
2((.2((.$.$

&imply" what this does is run ssh" redirecting its input and output to ppp). The options
passed to ssh configure it to run without escape characters A6eB" using the blowfish crypto
algorithm A6cB" using the identity file specified A6iB" in terminal mode A6tB" with the
options ;<atc+mode yes; A6oB. The sleep commands are used to space out the
executions of the commands so that each can complete their startup before the next is run.
If the client is a standalone machine" that)s all there is to it. If" on the other hand" you hae
more demanding routing needs Ae.g." when the client is a firewall to a larger networkB you
will hae to set up routes accordingly. %n the serer" this can be accomplished by
running a cron 'ob eery minute that +uietly sets back routes. It)s not a big deal if the
client isn)t connected" route will 'ust spit out an error Athat can be sent to /de-/null.B
IP!'
$ more full-blown approach to CP3 tunnels is the IP&DC protocol. IP&DC proides
encryption and authentication serices at the IP AInternet ProtocolB leel of the network
protocol stack. IP&DC can be used on any machine which does IP networking. *edicated
IP&DC gateway machines can be installed whereer re+uired to protect traffic. IP&DC can
also run on routers" on firewall machines" on arious application serers and on end-user
desktop or laptop machines.
- !!7 -
The basic idea of IP&DC is to proide security functions" authentication and encryption at
the IP-leel. This re+uires a higher-leel protocol AI0DB to set things up for the IP-leel
serices AD&P and $/B.
Three protocols are used in an IP&DC implementation#
D&P" Dncapsulating &ecurity Payload
Dncrypts and=or authenticates dataQ
$/" $uthentication /eader
Proides a packet authentication sericeQ
I0D" Internet 0ey Dxchange
3egotiates connection parameters" including keys" for the other two.
The term IP&DC is slightly ambiguous. In some contexts" it includes all three of the
aboe" but" in other contexts" it refers only to $/ and D&P.
?ree&=-$3 is the linux implementation of IP&DC. The ?ree&=-$3 implementation has
three main parts#
0LIP& Akernel IP&DCB implements $/" D&P and packet handling within the
kernel
Pluto Aan I0D daemonB implements I0D" negotiating connections with other
systems
arious scripts proide an administrator interface to the machinery
The config file contain three parts#
one or more connection specifications
Dach connection section starts with conn ident" where ident is an arbitrary
name which is used to identify the connection.
connection defaults
This section starts with conn 0default. ?or each parameter in it" any section
which does not hae a parameter of the same name gets a copy of the one from
the =default section. There may be multiple Mdefault sections" but only one
default may be supplied for any specific parameter name and all =default
sections must precede all non-=default sections of that type.
the config section
- !!8 -
The config section starts with config setup and contains information used when
starting the software.
$ sample configuration file is shown below#
+ basic con5iguration
con5ig setup
inter5acesB9ipsec$Bet2$9
,lipsdebugBnone
plutodebugBnone
plutoloadB]searc2
plutostartB]searc2
+ Dlose do>n old connection >2en ne> one using same ID s2o>s up.
uniSueidsB!es
+ de5aults t2at appl! to all connection descriptions
conn ]de5ault
+ Yo> persistent to be in (re),e!ing negotiations ($ means
-er!).
,e!ingtriesB$
+ Yo> to aut2enticate gate>a!s
aut2b!Brsasig
+ PFH connection 5or 2ead o55ice and branc2 o55ice
conn 2ead6branc2
+ identit! >e use in aut2entication exc2anges
le5tidB@2ead.example.com
le5trsasig,e!B$x#0(c55c64#5...
le5tB4(.66.&.#0$
le5tnext2opB4(.66.##.2(4
le5tsubnetB#&2.#6'.##.$/24
+ rig2t s.g.O subnet be2ind itO and next 2op to reac2 le5t
rig2tidB@branc2.example.com
rig2trsasig,e!B$x5c64#5d6d&a24...
rig2tB#0.#2$.#%'.#%4
rig2tnext2opB#0.#2$.#%'.#
rig2tsubnetB#&2.#6'.$.$/24
+ start automaticall! >2en ipsec is loaded
autoBstart
To aoid triial editing of the configuration file for each system inoled in a connection"
specifications are written in terms of left and rig+t participants" rather than in terms of
local and remote. -hich participant is considered left or rig+t is arbitraryQ IP&DC
figures out on which it is running on based on internal information. This permits identical
connection specifications to be used on both ends.
The left" leftsubnet and leftnext+op Aand the rig+t>>> counterpartsB determine the
layout of the connection#
subnet #&2.#6'.##.$/24 Ble5tsubnet
T
inter5ace #&2.#6'.##.x
le5t gate>a! mac2ine
- !!< -
inter5ace 4(.66.&.#0$ Ble5t
T
inter5ace 4(.66.##.2(4 Ble5tnext2op
router
inter5ace >e donWt ,no>
T
IHL:1H:L
T
inter5ace >e donWt ,no>
router
inter5ace #0.#2$.#%'.# Brig2tnext2op
T
inter5ace #0.#2$.#%'.#%4 Brig2t
rig2t gate>a! mac2ine
inter5ace #&2.#6'.$.x
T
subnet #&2.#6'.$.$/24 Brig2tsubnet
The leftid and leftrsasig'ey are used in authenticating the left participant. The
leftrsasig'ey is the public key of the left participant Ain the example aboe the ;&$
keys are shortened for easy displayB. The priate key is stored in the
/etc/ipsec.secrets file and should be kept secure.
The I0D-daemon of IP&DC is called pluto. It will authenticate and negotiate the secure
tunnels. %nce the connections is set up" the kernel implementation of IP&DC can route
traffic through the tunnel.
plutoloadB]searc2 and plutostartB]searc2 tell the pluto daemon to search the
configuration file for auto! statements. $ll connections with auto!add will be loaded in
the pluto database. Connections with auto!start will also be started.
?or more information on ?ree&=-$3 and IP&DC" please see the references at the
beginning of this chapter.
"roubleshooting
3etwork troubleshooting is a ery broad sub'ect with thousands of tools aailable. There
are some ery good books aailable on this topic" so we will limit our discussion to an
oeriew of some of the tools which can be used to sole or detect network problems.
ifconfig
ifconfig checks the network interface configuration. 4se this command to erify the
user)s configuration if the user)s system has been recently configured or if the user)s
system cannot reach the remote host while other systems on the same network can.
-hen ifconfig is entered with an interface name and no other arguments" it displays the
current alues assigned to that interface. ?or example" checking interface et+ system
gies this report#
- !2. -
3 i5con5ig et2$
et2$ Min, encap.:t2ernet YRaddr $$.#$.6$.('.$(.%6
inet addr.#&2.#6'.2.% =cast.#&2.#6'.2.2(( Mas,.2((.2((.2((.$
F =1G;DD;SL 1HHIHJ MMLID;SL ML.#($$ Metric.#
1K pac,ets.#%&'#'( errors.$ dropped.$ o-erruns.$ 5rame.$
LK pac,ets.#4##%(# errors.$ dropped.$ o-erruns.$ carrier.$
collisions.'2& txSueuelen.#$$
1K b!tes.&$%#042$( ('6#.% Mb) LK b!tes.2$#$42#$6 (#&#.0 Mb)
Interrupt.## =ase address.$xa$$$
The ifconfig command displays a few lines of output. The third line of the display shows
the characteristics of the interface. Check for these characteristics#
4P
The interface is enabled for use. If the interface is JdownK" bring the interface
JupK with the ifconfig command Ae.g. ifconfig eth upB.
;433I36
This interface is operational. If the interface is not JrunningK" the drier for this
interface may not be properly installed.
The second line of ifconfig output shows the IP address" the subnet mask and the
broadcast address. Check these three fields to make sure the network interface is properly
configured.
Two common interface configuration problems are misconfigured subnet masks and
incorrect IP addresses. $ bad subnet mask is indicated when the host can reach other
hosts on its local subnet and remote hosts on distant network" but cannot reach hosts on
other local subnets. ifconfig +uickly reeals if a bad subnet mask is set.
$n incorrectly set IP address can be a subtle problem. If the network part of the address is
incorrect" eery ping will fail with the Jno answerK error. In this case" using ifconfig will
reeal the incorrect address. /oweer" if the host part of the address is wrong" the
problem can be more difficult to detect. $ small system" such as a PC that only connects
out to other systems and neer accepts incoming connections" can run for a long time
with the wrong address without its user noticing the problem. $dditionally" the system
that suffers the ill effects may not be the one that is misconfigured. It is possible for
someone to accidentally use your IP address on his own system and for his mistake to
cause your system intermittent communications problems. This type of configuration
error cannot be discoered by ifconfig" because the error is on a remote host. The arp
command is used for this type of problem.
ping
The basic format of the ping command on a Linux system is#
- !2! -
3 ping )6c count* +ost
host
The hostname or IP address of the remote host being tested.
count
The number of packets to be sent in the test. 4se the count field and set the alue
low. %therwise" the ping command will continue to send test packets until you
interrupt it" usually by pressing CT;L-C A[CB.
To check that >>>.sno>.nl can be reached from your workstation" send four packets
with the following command.
3 ping 6c 4 >>>.sno>.nl
FIHJ 2ome.HM.net (#&%.60.0&.2($). (6 data b!tes
64 b!tes 5rom #&%.60.0&.2($. icmp"seSB$ ttlB24( timeB%2.# ms
64 b!tes 5rom #&%.60.0&.2($. icmp"seSB# ttlB24( timeB%2.# ms
64 b!tes 5rom #&%.60.0&.2($. icmp"seSB2 ttlB24( timeB%0.6 ms
64 b!tes 5rom #&%.60.0&.2($. icmp"seSB% ttlB24( timeB%4.# ms
666 2ome.HM.net ping statistics 666
4 pac,ets transmittedO 4 pac,ets recei-edO $] pac,et loss
round6trip min/a-g/max B %2.#/%%.&/%0.6 ms
This test shows a good wide-area network link to >>>.sno>.nl with no packet loss and
fast response. $ small packet loss" and a round-trip time an order of magnitude higher"
would not be abnormal for a connection made across a wide-area network. The statistics
displayed by the ping command can indicate a low-leel network problem. The key
statistics are#
The se+uence in which the packets are arriing" as shown by the IC@P se+uence
number AicmpFse+B displayed for each packetQ
/ow long it takes a packet to make the round trip" displayed in milliseconds after
the string timeSQ
The percentage of packets lost" displayed in a summary line at the end of the ping
output.
If the packet loss is high" the response time is ery slow or packets are arriing out of
order" there could be a network hardware problem. If you see these conditions when
communicating oer great distances on a wide area network" there is nothing to worry
about. TCP=IP was designed to deal with unreliable networks" and some wide-area
networks suffer from a high leel of packet loss. (ut if these problems are seen on a
local-area network" they indicate trouble.
%n a local-network cable segment" the round-trip time should be near ." there should be
little or no packet loss and the packets should arrie in order. If these things are not true"
there is a problem with the network hardware. %n an Dthernet" the problem could be
- !22 -
improper cable termination" a bad cable segment or a bad piece of JactieK hardware"
such as a hub" switch or transceier.
The results of a simple ping test" een if the ping is successful" can help direct you to
further testing toward the most likely causes of the problem. (ut other diagnostic tools
are needed to examine the problem more closely and find the underlying cause.
route
To check the routing of a linux box" the route command is usually entered with no
parameters or with 6n to turn off ip-address to name resolution. ?or example route @n
might show#
3 route 6n
Kernel IF routing table
Destination Jate>a! Jenmas, Ilags Metric 1e5 se
I5ace
#&2.#6'.##.$ $.$.$.$ 2((.2((.2((.$ $ $ $
et2$
#4(.66.'.$ $.$.$.$ 2((.2((.2(2.$ $ $ $
et2#
$.$.$.$ #4(.66.##.2(4 $.$.$.$ J $ $ $
et2#
This host has two interfaces" one on subnet !<2.!:8.!!..=22 the other on subnet
!25.::.8..=22. There is also a default route out on et+" to !25.::.!!.252 Adenoted by the
? under J?lagsK and a J*estinationK and J6enmaskK of .......B.
To be able to troubleshoot this information you need to know what the routing should be"
perhaps by saing the routing information when the system is known to work.
The two most common mistakes are#
3o network entry for an interface. -hen a network interface is configured a
routing entry should be added that informs the kernel about the network that can
be reached through the interface.
3o default route Aor two default routesB. There should be exactly one default
route. 3ote that two default gateways can go undetected for a long time because
the routing could JaccidentallyK use the proper gateway.
In general" if there is a routing problem" it is better to first locate the part of the network
where the problem originates" e.g. with ping or traceroute and then use route as part of
the diagnostics.
traceroute
traceroute is a tool used to discoer the links along a path. Path discoery is an essential
step in diagnosing routing problems.
- !29 -
The traceroute is based on a cleer use of the Time-To-Lie ATTLB field in the IP
packet)s header. The TTL field is used to limit the life of a packet. -hen a router fails or
is misconfigured" a routing loop or circular path may result. The TTL field preents
packets from remaining on a network indefinitely should such a routing loop occur. $
packet)s TTL field is decremented each time the packet crosses a router on its way
through a network. -hen its alue reaches ." the packet is discarded rather than
forwarded. -hen discarded" an IC@P TI@DFDPCDD*D* message is sent back to the
packet)s source to inform the source that the packet was discarded. (y manipulating the
TTL field of the original packet" the program traceroute uses information from these
IC@P messages to discoer paths through a network.
traceroute sends a series of 4*P packets with the destination address of the deice you
want a path to. (y default" traceroute sends sets of three packets to discoer each hop.
traceroute sets the TTL field in the first three packets to a alue of ! so that they are
discarded by the first router on the path. -hen the IC@P TI@DFDPCDD*D* messages
are returned by that router" traceroute records the source IP address of these IC@P
messages. This is the IP address of the first hop on the route to the destination.
3ext" three packets are sent with their TTL field set to 2. These will be discarded by the
second router on the path. The IC@P messages returned by this router reeal the IP
address of the second router on the path. The program proceeds in this manner until a set
of packets finally has a TTL alue large enough so that the packets reach their
destination. @ost implementations of traceroute default to trying only 9. hops before
halting.
$n example traceroute on linux looks like this#
3 traceroute -2ost2.cistron.net
traceroute to -2ost2.cistron.net (#&(.64.6'.%6)O %$ 2ops maxO %' b!te
pac,ets
# gate>a!.,abel.net-isit.nl (#4(.66.##.2(4) (6.$#% ms #&.#2$ ms
#2.642 ms
2 #4(.66.%.4( (#4(.66.%.4() #%'.#%' ms 2'.4'2 ms 2'.0'' ms
% asd6dc26ias6ar#$.nl.,pn.net (#&4.#(#.226.2) #$2.%%' ms 24$.(&6 ms
2(%.462 ms
4 asd6dc26ipc6dr$%.nl.,pn.net (#&(.#&$.220.242) &(.%2( ms 06.0%' ms
&0.6(# ms
( asd6dc26ipc6cr$#.nl.,pn.net (#&(.#&$.2%2.2$6) 6#.%0' ms 6$.60% ms
0(.'60 ms
6 asd6sara6ipc6dr$#.nl.,pn.net (#&(.#&$.2%%.04) ###.4&% ms &6.6%#
ms 00.%&' ms
0 asd6sara6ias6pr#$.nl.,pn.net (#&(.#&$.220.6) 0'.02# ms &(.$2& ms
'2.6#% ms
' ams6icr6$2.carrier#.net (2#2.4.#&2.6$) &$.#0& ms '$.6%4 ms
##2.#%$ ms
& 2#2.4.#&2.2# (2#2.4.#&2.2#) 4&.(2# ms '$.%(4 ms 6%.($% ms
#$ 2#2.4.#&4.42 (2#2.4.#&4.42) &4.(2' ms 6$.6&' ms #$%.(($ ms
## -2ost2.cistron.net (#&(.64.6'.%6) #$2.$(0 ms 62.(#( ms 66.6%0 ms
- !22 -
$gain" knowing what the route through your network should be" helps to locali,e the
problem. 3ote that not all network problems can be detected with a traceroute" because
of some complicating factors. ?irst" the router at some hop may not return IC@P
TI@DFDPCDD*D* messages. &econd" some older routers may incorrectly forward
packets een though the TTL is .. $ third possibility is that IC@P messages may be
gien low priority and may not be returned in a timely manner. ?inally" beyond some
point of the path" IC@P packets may be blocked.
The results of a traceroute is a great tool to narrow down the possible causes of a
network problem.
arp an) arpwatch
arp is used to manipulate the kernel)s $;P cache. The primary options are clearing an
address mapping entry and manually setting one up. ?or debugging purposes" the arp
program also allows a complete dump of the $;P cache.
If you know what the $;P address of a specific host should be" the dump may be used to
determine a duplicate IP-address" but running arpwatch on a central system might proe
more effectie.
arpwatch keeps track of ethernet=IP address pairings. Changes are reported ia syslog
and e-mail.
arpwatch will report a Jchanged ethernet addressK when a known IP address shows up
with a new ethernet address. -hen the old ethernet address suddenly shows up again" a
Jflip flopK is reported.
*etection of duplicate IP addresses is ery hard een with arpwatch. if" for example" a
rogue host uses the IP address of the host running the arpwatch program or neer
communicates with it" a duplicate IP address will go unnoticed. &till" arpwatch is a ery
useful tool in detecting networking problems.
tcp)u#p
tcp)u#p is a program that enables network administrators to inspect in real-time eery
packet going through the network to which his or her computer is attached. This tool is
typically used to monitor actie connections or troubleshoot occasional network
connectiity problems.
tcp)u#p can generate a lot of output" so it may be useful to limit the reported packets by
specifying a port Ae.g. tcpdump port '$B. There are lots of other ways to specify which
packets and what information we are interested in Y see the manpage of tcp)u#p for
more information.
- !25 -
nc
If the network between two hosts seems to be working" but the re+uested serice is not"
nc may be helpful. nc" or netcat" will create a TCP or 4*P connection to the gien host
and port. Lour standard in is then sent to the host and anything that comes back is sent to
your standard out.
&ome of the ma'or features of netcat are#
%utbound or inbound connections" TCP or 4*P" to or from any ports
?ull *3& forward=reerse checking" with appropriate warnings
$bility to use any local source port
$bility to use any locally-configured network source address
(uilt-in port-scanning capabilities" with randomi,er
(uilt-in loose source-routing capability
Can read command line arguments from standard input
&low-send mode" one line eery 3 seconds
/ex dump of transmitted and receied data
%ptional ability to let another program serice establish connections
%ptional telnet-options responder
(ecause netcat does not make any assumptions about the protocol used across the link" it
is better suited to debug connections than telnet.
- !2: -
Chapter %. 0ail 8 5ews (2.2%!
This ob'ectie has a weight of < points and contains the following ob'ecties#
%b'ectie 2.2.:.!Q Configuring mailing lists A! pointB
Install and maintain mailing lists using @a'ordomo. @onitor @a'ordomo
problems by iewing @a'ordomo logs.
%b'ectie 2.2.:.2Q 4sing &endmail A2 pointsB
Candidates should be able to manage a &endmail configuration including email
aliases" mail +uotas" and irtual mail domains. This ob'ectie includes configuring
internal mail relays and monitoring &@TP serers.
%b'ectie 2.2.:.9 @anaging @ail Traffic A9 pointsB
Candidates should be able to implement client mail-management software to
filter" sort and monitor incoming user mail. This ob'ectie includes using software
such as procmail on both serer and client side.
%b'ectie 2.2.:.2Q &ering 3ews A! pointB
Candidates should be able to install and configure news serers using inn. This
ob'ectie includes customi,ing and monitoring sered newsgroups.
Configuring #ailing lists (2.2%.1!
Install and maintain mailing lists using @a'ordomo. @onitor @a'ordomo problems by
iewing @a'ordomo logs.
Ma7ordomo2
Installing *a4ordomo
@a'ordomo is a program which automates the management of Internet mailing lists.
Commands are sent to @a'ordomo ia electronic mail to handle all aspects of list
maintenance. %nce a list is set up" irtually all operations can be performed remotely"
re+uiring no other human interention.
- !27 -
The IHSL;MM file contained in the distribution of @a'ordomo" contains ery good
instructions on installing @a'ordomo. -e will not repeat the entire IHSL;MM document"
but only gie a brief outline.
!. Create a user called Jma7ordomoK. This user should be in the group JdaemonK" the
home directory should be the installation directory and the shell /bin/5alse.
2. Ddit the Ma,e5ile. *efine the proper locations of perl" the C compiler and the
home directory of the Jma7ordomoK user Ai.e." the installation directoryB. $lso set
the user and group id)s. ;ead the entire file for any other alues that need to be
changed.
9. Copy sample.c5 to ma7ordomo.c5 and edit the latter. @ost ariables are self-
explanatory and well-documented.
2. Type ma,e >rapper and check for errors. This will create the >rapper program
that will parse all re+uests made to @a'ordomo.
5. $s root" type ma,e install and ma,e install6>rapper. This will install
@a'ordomo and the wrapper.
:. $dd the @a'ordomo-related aliases to your &endmail aliases. This is best done by
adding the following line to your sendmail.mc#
0. de5ine(Z;MI;S"IIM:WOZ/etc/mail/aliasesO/pat2/to/ma7ordomo/ma7ordo
mo.aliasesW)
Change /pat2/to/ma7ordomo/ma7ordomo.aliases to the real name of the
@a'ordomo aliases file. 3ow add the following aliases to that file#
ma7ordomo. 9T/pat2/to/ma7ordomo/>rapper ma7ordomo9
o>ner6ma7ordomo. !ou
ma7ordomo6o>ner. !ou
Change J!ouK to your username or D-mail address.
8. Test the installation. Change to the @a'ordomo installation directory and" as a
normal user" type ./>rapper con5ig6test. This will test the configuration of
@a'ordomo. ?ix any errors and run again. -hen the process is complete" and
there are no errors" config-test will offer to register your installation of
@a'ordomo by sending information on your operating system" your Perl ersion
and the address of the @a'ordomo owner to the @a'ordomo maintainers.
If you configured sendmail with the restricted shell feature AsmrshB" do not forget
to put a link to >rapper in the smrsh directory.
Creating a *ailing list
Creating a mailing list consists of two steps# create the proper aliases for sendmail and
create the necessary files for @a'ordomo to recogni,e the list. This should be done by the
maintainer of the mailinglist serer Aprobably JrootKB.
- !28 -
In the following sections" we will assume that @a'ordomo is installed in
/usr/local/ma7ordomo/" and that we want to create a mailinglist called Jlpic26
examprepK.
1liases
Create the following aliases in either ma7ordomo.aliases or aliases#
lpic26examprep. 9T/usr/local/ma7ordomo/>rapper resend /
6l lpic26examprep lpic26examprep6list9
lpic26examprep6list. .include./usr/local/ma7ordomo/lists/lpic26
examprep
o>ner6lpic26examprep. bmesman@sno>.nl
lpic26examprep6o>ner. bmesman@sno>.nl
lpic26examprep6reSuest. 9T/usr/local/ma7ordomo/>rapper ma7ordomo /
6l lpic26examprep9
lpic26examprep6appro-al. bmesman@sno>.nl
The lpic26examprep6reSuest alias makes it possible to send a message to this alias
with a body containing JsubscribeK to subscribe to the mailinglist. -ithout this alias"
the only way to subscribe to the list is sending an D-mail to ma7ordomo with Jsubscribe
lpic26examprepK in the body.
The aliases are setup in such a way that D-mail to the list will be passed through
JresendK to catch @a'ordomo commands before passing them on to the actual list.
?or more information on aliases" consult the H:RMISL file in the @a'ordomo distribution.
*o not forget to run the newaliases command" to update the actual aliases database.
0a?or)o#o -iles
In /usr/local/ma7ordomo/lists/ create a file lpic26examprep#
cd /usr/local/ma7ordomo/lists
touc2 lpic26examprep
This file will contain the D-mail addresses of the subscribers. Leae it empty for now.
Create the file lpic26examprep.in5o with introductory info about the list#
ec2o 9Discussionlist 5or MFIc2 exam preparation9 A lpic26examprep.in5o
The owner of the mailing list can always change the introduction with a simple D-mail
Asee the section called J@aintaining a @ailinglistKB.
(oth files should be owned by user ma7ordomo and group daemon and should be group
writable.
- !2< -
c2o>n ma7ordomo.daemon lpic26examprep lpic26examprep.in5o
c2mod 664 lpic26examprep lpic26examprep.in5o
3ow eerything is set up properly. $ll that remains to be done is generating a default
configuration file for the mailinglist by sending an D-mail to ma7ordomo@compan!.com#
ec2o 9con5ig lpic26examprep lpic26examprep.admin9 T mail
ma7ordomo@compan!.com
@a'ordomo will create a default configuration file Alpic26examprep.con5igB and send
it to the list owner. The list owner can change the configuration Ae.g." the list passwordGB
and use the Jne>con5igK command to send it back.
*aintaining a *ailinglist
$fter a mailinglist is set up" all maintenance can be done remotely by sending an D-mail
to ma7ordomo@compan!.com. @aintenance commands should be put in the body of the
message. The JSub7ect.K header will not be parsed by @a'ordomo. $ailable
commands include#
lists
&how the lists aailable on this @a'ordomo serer.
info \list]
;etriee the general introductory information for the named \list].
subscribe \list] W\address]X
&ubscribe yourself Aor \address] if specifiedB to the named \list]. *epending on
the configuration of the mailinglist" you may be added directly or you may be
asked to authorise the re+uest Ato preent other people subscribing you to
unwanted listsB.
unsubscribe \list] W\address]X
4nsubscribe yourself Aor \address] if specifiedB from the named \list].
Junsubscribe ^K will remoe you Aor \address]B from all lists. This may not work
if you hae subscribed using multiple addresses.
intro \list]
;etriee the introductory message" containing list policies and features. This is
also sent when you subscribe to a list.
newintro \list] \password]
- !9. -
;eplace the information file that people get when they subscribe or do a Jintro
\list]K. It reads eerything after the newintro command to the end of the
message or the word :GI on a line by itself as the new intro for the list.
newinfo \list] \password]
;eplace the information file that people get when they do Jinfo \list]K. AThis file
is also sent as the JintroK if the intro file does not exist.B This reads eerything
after the newinfo command to the end of the message or the word :GI on a line
by itself as the new info for the list.
passwd \list] \oldFpasswd] \newFpasswd]
This will change the list password.
config \list] \password]
;etriees a self-documenting configuration file for the list \list].
newconfig \list] \password]
Calidates and installs a new configuration file. It reads eerything after the
newconfig command to the end of the message or the word :GI on a line by itself
as the new configuration for the list. The config file is expected to be a complete
config file as returned by config. Incremental changing of the config file is not yet
supported. $s soon as the config file is alidated and installed its settings are
aailable for use. This is useful to remember if you hae multiple commands in
your mail message since they will be sub'ect to the settings of the new config file.
If there is an error in the config file Aincorrect alue...B" the config file will not be
accepted and an error message identifying the problem lineAsB will be returned to
the sender. 3ote that only error messages are returned to the sender" not the entire
config file" so it would be a good idea to keep a copy of your outgoing email
message.
9sing (en)#ail (2.2%.2!
Candidates should be able to manage a &endmail configuration including email aliases"
mail +uotas and irtual-mail domains. This ob'ectie includes configuring internal mail
relays and monitoring &@TP serers.
/etc/aliases
sendmail.c>
-irtusertable
genericstable
- !9! -
+endmail configuration
&endmail uses a configuration file usually called /etc/mail/sendmail.c5. Creating this
file by hand is probably the most difficult task a system administrator can encounter.
?ortunately" this file can be generated by using the m2 configuration tools.
$ simple mc file may look something like this#
di-ert(6#)
+
+ L2is is a sample con5iguration 5or mailser-er.compan!.com
+
di-ert($)
include(Z/usr/s2are/sendmail/sendmail.c5/m4/c5.m4W)dnl
P:1SIGHID(Z@(+)sendmail.mc #.$ (compan!.com) #&/#/$2W)
GSLNF:(ZlinuxW)dnl
DGM;IH(Zcompan!.comW)dnl
M;IM:1(local)dnl
M;IM:1(smtp)dnl
This file consists of the following parts#
di-ert(6#)
+
+ L2is is a sample con5iguration 5or mailser-er.compan!.com
+
di-ert($)
The diertA-!B tells m2 to ignore the following text until the next diert. This
seres as a comment for your own notes.
include(Z/usr/s2are/sendmail/sendmail.c5/m4/c5.m4W)dnl
This is the standard include file needed to generate the cf file. %ne of the things
this will do" is set /@_:I." which is the base directory for the m2 files.
P:1SIGHID(Z@(+)sendmail.mc #.$ (compan!.com) #&/#/$2W)
This defines the ersion number of your mc file. It will create a comment header
in the generated sendmail.c5 for reference.
GSLNF:(ZlinuxW)dnl
This simply includes the file 3DI"DI1/ost!pe/linux.m4. Dach operating system
has its own +uirks" such as the location of the alias or help files. Lou can see a list
of the aailable operating system types by looking in the directory
3DI"DI1/ost!pe/. Choose the name which best matches your operating system.
DGM;IH(Zcompan!.comW)dnl
Like the /("OP=(! command" the 4/0135(co#pany.co#! command simply
includes the contents of the file 3DI"DI1/domain/compan!.com. This can be used
to create global settings for all mc files for your domain. This line and the
associated file are optional" but recommended if you are creating more than one
configuration for your domain.
M;IM:1(local)dnl
M;IM:1(smtp)dnl
- !92 -
These are the mailers to include in the sendmail configuration. In this example"
we are including the local and prog mailer and the smtp family of mailers.
This is" of course" 'ust the beginning for most configurations. Lou will probably want to
add features by using the -=1"92= macro. ?or example" the .mc line#
I:;L1:(Zuse"c>"5ileW)
tells sendmail that you want to hae it read /etc/mail/sendmail.c> as a list of alternate
names for this host. The -=1"92= may contain a single optional parameter Y for
example#
I:;L1:(Zuse"c>"5ileWO Zdbm /etc/mail/alternate"namesW)
&ome other features are#
use"c>"5ile
;ead the file /etc/mail/sendmail.c> Aalso /etc/mail/local62ost6namesB to
get alternate names for this host. This could be useful" for example" for a host
@Ped for a dynamic set of other hosts. If the set is static" howeer" 'ust including
the line JD>?name#A ?name2A ...K Awhere the names are fully +ualified domain
namesB is probably better. The actual filename can be oerridden by redefining
con5DR"IIM: Ae.g." Jde5ine (Zcon5DR"IIM:WO Z/etc/alternate"5ileW)KB
use"ct"5ile
;ead the file /etc/mail/sendmail.ct to get the names of users who will be
JtrustedK# that is" able to set their enelope from address using -f without
generating a warning message. The actual filename can be oerridden by
redefining con5DL"IIM:.
nouucp
*on)t do anything special with 44CP addresses.
al>a!s"add"domain
Include the local-host domain een on locally deliered mail. 3ormally it is not
added on un+ualified names. /oweer" if you use a shared message store" but do
not use the same user-name space eerywhere" you may need the host name on
local names.
masSuerade"entire"domain
If mas+uerading is enabled Ausing M;S_:1;D:";SB and M;S_:1;D:"DGM;IH is
set" this feature will cause addresses to be rewritten such that the mas+uerading
- !99 -
domains are hidden. $ll hosts within the mas+uerading domains will be changed
to the mas+uerade name Aused in M;S_:1;D:";SB. ?or example" if you hae#
M;S_:1;D:";S(masS.com)
M;S_:1;D:"DGM;IH(5oo.org)
M;S_:1;D:"DGM;IH(bar.com)
then ^.foo.org and ^.bar.com are conerted to mas+.com. -ithout this feature"
only foo.org and bar.com are mas+ueraded.
masSuerade"en-elope
This feature instructs sendmail to mas+uerade the enelope sender and recipient"
as well as those in the headers.
genericstable
This feature will cause certain addresses originating locally Ai.e." that are
un+ualifiedB or a domain listed in 3BJ to be looked up in a map and turned into
another AJgenericKB form. This can change both the domain name and the user
name and is similar to the userdb function. The same types of addresses as for
mas+uerading are looked up Aonly header sender addresses unless the
JallmasSueradeK and=or JmasSuerade"en-elopeK features are inokedB.
Hualified addresses must hae a domain in the list of names gien by the macros
>=5=23C(<4/0135 or >=5=23C(<4/0135<-3L= Aanalogous to
01(P9=214=<4/0135 and 01(P9=214=<4/0135<-3L=B.
The argument of I:;L1:(ZgenericstableW) may be the map definitionQ the
default map definition is#
2as2 6o /etc/genericstable
The key for this table is either the full address or the un+ualified username Athe
former is tried firstBQ the alue is the new user address. If the new user address
does not include a domain" it will be +ualified in the standard manner" i.e." using
37 or the mas+uerade name. 3ote that the address to be looked up must be fully
+ualified. ?or local mail" it is necessary to use I:;L1:(Zal>a!s"add"domainW)
for the addresses to be +ualified.
-irtusertable
This is a domain-specific form of aliasing" allowing multiple irtual domains to
be hosted on one machine. If" for example" the irtuser table contained#
in5o@5oo.com 5oo6in5o
in5o@bar.com bar6in5o
@baz.org 7ane@else>2ere.net
- !92 -
then mail addressed to info_foo.com will be sent to the address foo-info" mail
addressed to info_bar.com will be deliered to bar-info" and mail addressed to
anyone at ba,.org will be sent to 'ane_elsewhere.net. The username from the
original address is passed as ]# allowing#
@5oo.org ]#@else>2ere.com
meaning someone_foo.org will be sent to someone_elsewhere.com.
$ll the host names on the left-hand side Afoo.com" bar.com and ba,.orgB must be
in the list of alternate names for this host Asee Juse-cw-fileKB. The default map
definition is#
2as2 6o /etc/-irtusertable
$ new definition can be specified as the second argument of the -=1"92=
macro" such as#
I:;L1:(Z-irtusertableWO Zdbm 6o /etc/mail/-irtusersW)
mailertable
$ Jmailer tableK can be used to oerride routing for particular domains.
0eys in this database are fully +ualified domain names or partial domains
preceded by a dot Y for example" Jangogh.C&.(erkeley.D*4K or
J.C&.(erkeley.D*4K. Calues must be of the form#
mailer.domain
where JmailerK is the internal mailer name" and JdomainK is where to send the
message. These maps are not reflected in the message header. $s a special case"
the forms#
local.user
will forward to the indicated user using the local mailer"
local.
will forward to the original user in the e-mail address using the local mailer" and
error.code message
will gie an error message with the indicated code and message.
smrs2
- !95 -
4se the &end@ail ;estricted &/ell AsmrshB Aprobably proided with your
distributionB instead of /bin/s2 for sending mail to a program. This improes the
ability of the local system administrator to control what is run ia e-mail. If an
argument is proided" it is used as the pathname to smrshQ otherwise" the path
defined by con5:=IHDI1 is used for the smrsh binary Y by default"
/usr/lib/sm.bin/smrs2 is assumed.
The commands that can be run are limited to the programs in the smrsh directory.
Initial pathnames on programs are stripped" so forwarding to
/usr/bin/-acation" /2ome/ser-er/m!dir/bin/-acation and -acation all
actually forward to /usr/lib/sm.bin/-acation.
To add a program" simply create a link in /usr/lib/sm.bin/ to the program
executable.
mail aliases
The mail aliases for sendmail Aand many other unix mailersB are in the file
/etc/mail/aliases Aor /etc/aliasesB.
The file contains lines of the form#
name. alias#O alias2O alias%O ...
-here name is the name to alias and alias+ are the aliases for that name. alias+ can be
another alias" a local username" a local filename" a command" an include file or an
external address.
username
The username must exist on the system. If you want to be able to send D-mail to
full names" you can use this to map the full names to user names#
ben.mesman. bmesman
g.g.a.m.de.-ries. gerrit
/pat2/name
The message will be appended to the specified file. This can also be used to drop
all messages to a user#
somebod!. /de-/null
Tcommand
The specified command will receie the messages on standard input. This could
be used to handle mailing lists.
.include. /pat2/name
- !9: -
The names in the file /pat2/name will be the addresses for the alias. The
filename must start with a J=K. If you put AallB usernames" one per line" in a file
you could hae an alias#
all. .include. /etc/mail/allusers
$ll users in /etc/mail/allusers will receie mail for all_company.com. 3ote
that it is not necessary to update the aliases database" with newaliases" when the
file /etc/mail/allusers is changed.
user@domain
Lou can also redirect mail to an D-mail address outside your domain" by
specifying the D-mail address here.
The aliases file is 'ust the raw data file. &endmail uses the binary file
/etc/mail/aliases.db to do the alias substitution. This file is created from
/etc/mail/aliases with the command newaliases. This command should be executed
each time the aliases file is changed for the change to take effect.
$fter aliasing has been done" alid recipients who hae a .5or>ard file in their home
directory hae messages forwarded to the list of users defined in that file. -hen all this is
done" sendmail hands the mail to the local deliery agent" usually procmail" for deliery.
0anaging 0ail "raffic (2.2%.3!
Candidates should be able to implement client mail management software to filter" sort
and monitor incoming user mail. This ob'ectie includes using software such as procmail
on both serer and client side.
procmail
.procmailrc
Procmail
Procmail is the default @*$ A@ail *eliery $gentB for most linux distributions. -hen
deliering mail" proc#ail first sets some enironment ariables to default alues" reads
the mail message from standard input" separates the body from the header and then starts
to look for a file called 3YGM:/.procmailrc. $ccording to the processing recipes in this
file" the mail message gets deliered. If no .procmailrc file is found" or processing of
the rc file falls off the end" proc#ail will store the mail in the default system mailbox.
The rc file can contain a mixture of enironment-ariable assignments Asome of which
hae a special meaning to procmailB and recipes. In their simplest appearance" the recipes
- !97 -
are simply one-line regular expressions that are searched for in the header of the arriing
mail. The first recipe that matches is used to determine where the mail has to go Ausually
a fileB. If processing falls off the end of the rc file" procmail will delier the mail to
3D:I;ML.
(y using multiple recipes" you can pre-sort your mail into seeral mailfolders. (ear in
mind though that mail can arrie simultaneously in these mail folders Aif seeral
proc#ail programs happen to run at the same time" which is not unlikely if a lot of mail
arriesB. To make sure this does not result in mayhem" proper use of lock files is highly
recommended.
Dnironment ariable assignments and recipes can be freely intermixed in the rcfile. If
any enironment ariable has a special meaning to proc#ail" it will be used
appropriately the moment it is parsed Ai.e." you can change the current directory wheneer
you want by specifying a new M;IMDI1" switch lockfiles by specifying a new MGDKIIM:"
change the umask at any time -- the possibilities are endlessB.
recipes
$ line starting with J#.K marks the beginning of a recipe. It has the following format#
.$ )5lags* ) . )localloc,5ile* *
Azero or more conditions Bone per lineCD
Aexactly one action lineD
Conditions start with a leading J^K" eerything after that character is passed on to the
internal egrep literally" except for leading and trailing whitespace. These regular
expressions are completely compatible with the normal egrep extended regular
expressions.
Conditions are andedQ if there are no conditions the result will be true by default.
$ simple .procmailrc file will look something like this#
+ Hext t>o are needed i5 !ou in-o,e programsO suc2 as
+ 5ormailO sendmailO or egrepO 5rom !our procmailrc
+ SY:MMB/bin/s2
+ F;LYB/usr/bin./bin
+ Fut + be5ore MGJIIM: i5 !ou >ant no logging (not recommended)
MGJIIM:B.procmail.log
+ Lo insert a blan, line bet>een eac2 messageWs log entr!O
+ uncomment next t>o lines (t2is is 2elp5ul 5or debugging)
+ MGJB9
+ 9
+ HGL:. pon reading t2e next lineO Frocmail does a c2dir to 3M;IMDI1
M;IMDI1B3YGM:/Mail + Ma,e sure t2is director! existsQ
- !98 -
.$.
E \Sub7ect..Etest
testing
The recipe consists of the following parts#
5otation 0eaning
.$
(egin a recipe
.
4se a lock file
E
(egin a condition
\Sub7ect..Etest
@atch lines in the message.
testing
&tore message in the gien mailbox in case matching.
To store mailing-list messages in a separate folder" use a recipe like this#
.$.
E \LG"procmail@in5ormati,/.r>t26aac2en/.de
procmail
-hen you are subscribed to the procmail mailinglist" you will receie messages that are
sent to the list. The \LG" expression will match any destination specification ATo" Cc"
;esent-To" etc.B. The string following the \LG" expression is used to match Athe
beginning ofB an D-mail address.
Procmail recipes are not case sensitie" so the aboe example will also match
procmail@in5ormati,.1RYL6;ac2en.de. If you need to match case" you can use the
J*K flag at the start of the recipe#
.$D.
E \Sub7ect..E;DP
Fotential.SF;M
This will only match if the J&ub'ect#K header contains the substring J$*CK in capitals.
This recipe will delier this D-mail to the Fotential.SF;M folder" because" allegedly"
more respectable" unsolicited adertising has an J$*CK marker in upper case on the
sub'ect line.
(ecause we are not !..M sure that the substring J$*CK will always be spam" we store
the message in a spam folder. -e can JstoreK the message in /de-/null if we know that
a message will always be spam#
.$
E \Irom..E@c!berspam/.com
/de-/null
This will delete all D-mail from anyone at cyberspam.com. 3ote that you should not use
file locking in this case" hence the missing colon after J#.K.
- !9< -
?or more options" please read the man pages of proc#ail or isit the procmail web-site.
(er+ing news (2.2%.$!
Candidates should be able to install and configure news serers using inn. This ob'ectie
includes customi,ing and monitoring sered newsgroups.
innd
Internet Nes
?rom the 1:;DM: file in the I33 distribution#
I33 AInter3et3ewsB" originally written by ;ich &al," is an extremely flexible and
configurable 4senet = netnews news serer. ?or a complete description of the protocols
behind 4senet and netnews" see ;?C !.9: and ;?C <77. In brief" netnews is a set of
protocols for exchanging messages between a decentrali,ed network of news serers.
3ews articles are organi,ed into newsgroups" which are themseles organi,ed into
hierarchies. Dach indiidual news serer stores locally all articles it has receied for a
gien newsgroup" making access to stored articles extremely fast. 3etnews does not
re+uire any central sererQ instead" each news serer passes along articles it receies to all
of the news serers it peers with" those serers pass the articles along to their peers" and
so on" resulting in Jflood fillK propagation of news articles.
$ news serer performs three basic functions# It accepts articles from other serers and
stores them on disk" sends articles it has receied out to other serers and offers stored
news articles to readers on demand. It additionally has to perform some periodic
maintenance tasks" such as deleting older articles to make room for new ones.
%riginally" a news serer would 'ust store all of the news articles it had receied in a
filesystem. 4sers could then read news by reading the article files on disk Aor more
commonly using news reading software that did this efficientlyB. These days" news
serers are almost always stand-alone systems and news reading is supported ia network
connections. $ user who wants to read a newsgroup opens that newsgroup in their
newsreader software" which opens a network connection to the news serer and sends
re+uests for articles and related information. The protocol that a newsreader uses to talk
to a news serer and that a news serer uses to talk to another news serer oer TCP=IP is
called 33TP A3etwork 3ews Transport ProtocolB.
I33 supports accepting articles ia either 33TP connections or ia 44CP. inn)" the
heart of I33" handles 33TP feeding connections directlyQ 44CP newsfeeds use rnews
Aincluded in I33B to hand articles off to inn). %ther parts of I33 handle feeding articles
out to other news serers" most commonly innfee) Afor real-time outgoing feedsB or
- !2. -
nntpsen) and innx#it Aused to send batches of news created by inn) to a remote site ia
TCP=IPB. I33 can also handle outgoing 44CP feeds.
The part of I33 that handles connections from newsreaders is nnrp).
$lso included in I33 are a wide ariety of supporting programs to handle periodic
maintenance and recoery from crashes" process special control messages" maintain the
list of actie newsgroups" and generate and record a staggering ariety of statistics and
summary information on the usage and performance of the serer.
I33 also supports an extremely powerful filtering system that allows the serer
administrator to re'ect unwanted articles Asuch as spam and other abuses of 4senetB.
3nstalling 355
Installing I33 is not ery difficult. Dither download a pre-compiled binary from your
faorite distribution" or download the source and compile it yourself. -hen compiling
from source" you can probably do#
./con5igure 66>it26perl
ma,e
ma,e install
;ead the IHSL;MM file to make sure this is what you want.
The difficult part is" of course" to configure I33.
Configuring 355
?or the purpose of this exam preparation" we will assume that we need a stand-alone
serer Aas opposed to distributed architecturesB with a traditional spool directory. ?or
more information on this and other configurations see &amsonoa...
&tart by editing inn.con5. This file is a series of key-alue pairs" one per line. ?irst the
key" followed by a colon and one or more whitespace characters and the alue itself.
The standard file from the distribution is well documented" with reasonable default
alues. ?or more information on options in this file" consult the inn.conf manual page.
?or our stand-alone configuration" make sure nnrpdpost2ost is set to nothing so the
serer knows that articles should be posted locally
reating (ews )roups
- !2! -
$ctie news groups are listed in the 8ne>s/db/acti-e file Acould be located in
/-ar/lib/ne>sB. Dditing this file by hand is not recommended" because of the rather
strict syntax.
Lou can use ctlinn) to create news groups" but only when I33 is running. I33 will not
run unless there are news groups in the acti-e file.
To sole this chicken and egg problem" create an acti-e file with two mandatory groups#
control $$$$$$$$$$ $$$$$$$$$# !
7un, $$$$$$$$$$ $$$$$$$$$# !
$lso create acti-e.times in the same directory#
touc2 acti-e.times
@ake sure this file is owned by user ne>s and group ne>s.
If I33 was installed from a *D( or ;P@ packet" there may already be default acti-e
and acti-e.times files.
3ow when you start I33" you can add newsgroups with the ctlinn) command#
ctlinnd ne>group ?groupA ?5lagsA ?creatorA
where#
\group]
The name of the newsgroup. If the newsgroup already exists" this command will
act as the c2angegroup command" changing the flags and=or the creator.
\flags]
Possible plags include#
!
Local posting is allowed
n
3o local posting is allowed" only remote ones
m
The group is moderated and all postings must be approed
7
$rticles in this group are not kept" but only passed on
x
$rticles cannot be posted to this newsgroup
\creator]
The name of the person creating the newsgroup. Can be omitted and will default
to the newsmaster.
- !22 -
If you want to create a local group that can be used for testing purposes" you would issue
the following command#
ctlinnd ne>group local.testing ! ben
This will create a newsgroup called Jlocal.testingK which accepts local posting.
(ewsfeeds
(efore we begin" it is worth mentioning the so-called wildmat pattern-matching syntax
used in many configuration files. These are simple wildcard matches using the asterisk
AJ^KB as the wildcard character" much like the simple wildcard expansion used by 4nix
shells.
In many cases" wildmat patterns can be specified in a comma-separated list to indicate a
list of newsgroups. -hen used in this fashion" each pattern is checked in turn to see if it
matches" and the last pattern in the line that matches the group name is used. Patterns
beginning with JGK designate groups to exclude based on the pattern match. ?or example#
comp.EO Qcomp.os.EO comp.os.linux.E
In this case" we will match eerything under comp AJcomp.^KB" except groups under
comp.os AJGcomp.os.^KB unless they are under the comp.os.linux hierarchy
AJcomp.os.linux.^KB.
Incoming newsfeeds are configured in incoming.con5. This file should at least contain a
default number of max6connections and Jpeer @DK" which is the entry for the localhost.
-ithout this entry articles will not appear in your spool.
$n example incoming.con5 file with a newsfeed from your upstream I&P for the comp.^
newsgroups will look like this#
max6connections. ' + per 5eed
peer M: U
2ostname. 9local2ostO #20.$.$.#9
V
peer isp U
2ostname. ne>s.isp.com
+ accept t2e comp ne>sgroups 5rom t2is 2ost
patterns. comp.E
V
If you want to send the local postings to the comp.^ newsgroups back to the upstream
I&P" you hae to set up an outgoing feed in ne>s5eeds#
ne>s.isp.com.comp.E.L5.ne>s.isp.com
- !29 -
The flag JTfK specifies that a file should be written. The name of the file must be uni+ue"
and defaults to the hostname of the feed Ane>s.isp.comB. 3ote that this only specifies
that a log entry should be written in a file. $ separate program" innfee)" will use this file
to do the actual feed. This means that innfee) should be configured to read the file and
send the articles to the peer. This is done by adding the following entry to the
inn5eed.con5 file#
peer isp U
2ostname. ne>s.isp.com
V
Chapter .. 45( (2.2.!
- !22 -
%b'ectie 2.2.7.!Q (asic (I3* 8 configuration A2 pointsB
The candidate should be able to configure (I3* to function as a caching-only
*3& serer. This ob'ectie includes the ability to conert a (I3* 2.< named.boot
file to the (I3* 8.x named.conf format and reload the *3& by using kill or ndc.
This ob'ectie also includes the configuration of logging and options such as
directory location for ,one files.
%b'ectie 2.2.7.2Q Create $nd @aintain *3& Eones A9 pointsB
The candidate should be able to create a ,one file for a forward or reerse ,one or
root-leel serer. This ob'ectie includes setting appropriate alues for the &%$
resource record" 3& records and @P records. $lso included is the addition of
hosts with $ resource records and C3$@D records" as appropriate" adding hosts
to reerse ,ones with PT; records and adding the ,one to the =etc=named.conf file
using the ,one statement with appropriate type" file and masters alues. $
candidate should also be able to delegate a ,one to another *3& serer.
%b'ectie 2.2.7.9Q &ecuring a *3& &erer A9 pointsB
The candidate should be able to configure (I3* to run as a non-root user and
configure (I3* to run in a chroot 'ail. This ob'ectie includes configuring
*3&&DC statements such as key and trusted-keys to preent domain spoofing.
$lso included is the ability to configure a split *3& configuration using the
forwarders statement and specifying a non-standard ersion-number string in
response to +ueries.
7asic 7354 ' configuration (2.2..1!
The candidate should be able to configure (I3* to function as a caching-only *3&
serer. This ob'ectie includes the ability to conert a (I3* 2.< named.boot file to the
(I3* 8.x named.conf format and reload the *3& by using kill or ndc. This ob'ectie
- !25 -
also includes the configuration of logging and options such as directory location for ,one
files.
/etc/named.con5
/usr/sbin/ndc
/usr/sbin/named6bootcon5
,ill
Name0server parts in $IND
3ame serers like (I3* are part of a worldwide *3& system that resoles machine
names into IP-addresses.
Table 7.!" J@a'or (I3* componentsK lists the most releant parts of (I3* software on a
system. 3ote that directories may ary across distributions.
"a*le ..1. 0a?or 7354 co#ponents
Co#ponent 4escription
Program /usr/sbin/named the real name serer
Program /usr/sbin/ncd name daemon control program
?ile named.con5 (I3* configuration file Arecent (I3*B
?ile named.boot obsolete (I3* configuration file A(I3* 2B
Program /usr/sbin/named6bootcon5 conerts named.boot to named.conf format
Program /etc/init.d/bind distribution specific startfile
*irectory /-ar/cac2e/bind working directory for named
;esoling is controlled by a file nss>itc2.con5 which is discussed in Chapter !."
-et#ork ,lient .anagement /0"0123 .
(I3* components will be discussed below.
"he named.conf file
The file named.con5 is the main configuration file of recent (I3* ersions Aersion 8
and < at the time of this writingB. It is the first configuration file read by na#e)" the *3&
name daemon.
- !2: -
Location of named.conf
LPI lists the location of named.con5 in /etc. /oweer" the location may ary across
distributions. ?or example in the *ebian Linux distribution named.con5 is located in the
/etc/bind directory.
1 caching-only named.conf file
This is an example named.con5 file. The ersion below is taken from the *ebian bind
package Asome comments remoedB.
options U
director! 9/-ar/cac2e/bind9C
// Suer!6source address E port (%C
// 5or>arders U
// $.$.$.$C
// VC
VC
// reduce log -erbosit! on issues outside our control
logging U
categor! lame6ser-ers U nullC VC
categor! cname U nullC VC
VC
// prime t2e ser-er >it2 ,no>ledge o5 t2e root ser-ers
zone 9.9 U
t!pe 2intC
5ile 9/etc/bind/db.root9C
VC
// be aut2oritati-e 5or t2e local2ost 5or>ard and re-erse zonesO and 5or
// broadcast zones as per 1ID #&#2
zone 9local2ost9 U
t!pe masterC
5ile 9/etc/bind/db.local9C
VC
zone 9#20.in6addr.arpa9 U
t!pe masterC
5ile 9/etc/bind/db.#209C
VC
zone 9$.in6addr.arpa9 U
t!pe masterC
5ile 9/etc/bind/db.$9C
VC
zone 92((.in6addr.arpa9 U
t!pe masterC
5ile 9/etc/bind/db.2((9C
- !27 -
VC
// add entries 5or ot2er zones belo> 2ere
The *ebian bind package that contains this file" will proide a fully functional caching-
onl( name serer. (I3* packages of other manufacturers will proide the same
functionality.
$ caching-only name serer resoles names" which are also stored in a cache" so that they
can be accessed faster when the nameserer is asked to resole these names again. (ut
this is what ever( name serer does. The difference is this is the onl( task a caching-onl(
name serer performs. It does not sere out ,ones" except for a few internal ones.
(yntax
The named.con5 file contains statements that start with a keyword plus a U Aopening
curly braceB and end with with a V Aclosing curly braceB. The options statement is an
example.
$ statement may contain other statements. The 5or>arders statement is an example of
this.
$ statement may also contain things like IP addresses or 5ile followed by a filename.
These simple things must be terminated by a semi-colon ACB.
$ll kinds of comments are allowed" e.g." // and + as end of line comments. &ee the
named.confA5B manual page for details.
Note
The C is 3%T alid as a comment sign in named.con5. It I&" howeer" in (I3* ,one
files" like the file /etc/bind/db.local from the example aboe.
"he options state#ent
%f the many possible entries Asee named.confA5BB inside an options statement" only the
director!" 5or>arders" 5or>ard" -ersion and dialup will be discussed below.
Note
There can be only one options statement in a named.con5 file.
(o#e things within options
director!
- !28 -
&pecifies the working directory for the name daemon. $ common alue is
/-ar/named. $lso" ,one files without a directory part are looked up in this
directory.
;ecent distributions separate the configuration directory from the working
directory. In a recent *ebian Linux distribution" for example" the working
directory is specified as /-ar/cac2e/bind" but all the configuration files are in /
etc/bind. $ll ,one files are also in that directory and must be specified with their
directory part" as can be seen in the named.con5 example aboe.
5or>arders
The 5or>arders statement contains one or more IP addresses of name serers to
+uery. /ow these addresses are used is specified by the 5or>ard statement
described below.
The default is no forwarders. ;esoling is done through the worldwide Aor
company localB *3& system.
4sually the specified name serers are those of the &erice Proider the system
connects to.
5or>ard
The 5or>ard works only when 5or>arders are specified.
Two alues can be specified# 5or>ard 5irstC AdefaultB and 5or>ard onl!C.
-ith 5irst the first +uery is sent to the specified name-serer addresses" next
+ueries are sent to other name serers. -ith onl! +ueries are limited to the
specified name-serer addresses.
$n example with both 5or>arders and 5or>ard#
options U
// ...
5or>arders U
#2%.#2.#%4.2C
#2%.#2.#%4.%C
V
5or>ard onl!C
// ...
V
In this example bind is told to +uery onl( the name serers #2%.#2.#%4.2 and
#2%.#2.#%4.%.
- !2< -
-ersion
It is possible to +uery the ersion from a running name serer#
dig txt c2aos -ersion.bind
3ote that the (I3* ersion is shown in the output. (ecause some (I3* ersions
hae known exploits" the (I3* ersion is sometimes kept hidden. The -ersion
specification#
-ersion 9not re-ealed9C
inside the options statement leads to not re-ealed responses on ersion
+ueries.
dialup
-hen a name serer sits behind a firewall" that connects to the outside world
through a dialup connection" some maintenance normally done by name serers
might be unwanted.
The following example" also inside the options part" stops external ,one
maintenance#
2eartbeat6inter-al $C
dialup !esC
@any more options can be placed inside the options block. &ee the manual page.
"he logging state#ent
The (I3* Aersion 8 and <B logging system is too elaborate to discuss in detail here. The
distinction between categories and channels is important.
$ channel is an output specification. The null channel" for example" dismisses any
output sent to the channel.
$ categor( is a type of data. The category securit! is one of many categories. To log
messages of type Acategor(B securit!" for example" to the de5ault"s!slog channel" use
the following#
logging U
categor! securit! U de5ault"s!slogC VC
// ...
VC
To turn off logging for certain types of data" send it to the null channel" as is done in the
example named.con5 shown earlier#
- !5. -
logging U
categor! lame6ser-ers U nullC VC
categor! cname U nullC VC
VC
This means that messages of types lame6ser-ers and cname are being discarded.
There are reasonable defaults for logging. This means that a named.con5 without
logging statement is possible.
Note
$ maximum of one logging statement is allowed in a named.con5 file.
Pre)efine) 1one state#ents
$ ,one defined in named.con5 will be aailable as @ inside the corresponding ,one file.
The @ is called the current origin. ?or example"
t!pe masterC
VC
will result in a current origin of #20.in6addr.arpa that is aailable as @ in file
etc/bind/db.#20.
*etails about ,one files" as well as how to create your own zone files and statements will
be coered in the section called JCreate $nd @aintain *3& Eones A2.2.7.2BK.
Converting $IND v5 to $IND v6 configuration
To conert the (I3* ersion 2 configuration file named.boot to named.con5 Athe
configuration file for (I3* ersions 8 and <B run the script named6bootcon5 that comes
with the (I3* distribution.
Note
$s of (I3* ersion 8.2" ,one files must start with an extra 3LLM field. This is discussed
in the section called JThe 3LLM statementK.
"he named name server daemon
The named name serer daemon is the program that communicates with other name
serers to resole names. It accepts +ueries" looks in its cache and +ueries other name
serers if it does not yet hae the answer.
- !5! -
%nce it finds an answer in its own cache or database or receies an answer from another
nameserer" it sends the answer back to the name serer that sent the +uery in the first
place.
Table Table 7.2" J Controlling named K lists ways to control the named name serer.
"a*le ..2. Controlling named
0etho) (ee
The ndc program the section called JThe ndc programK
&ending signals the section called J &ending signals to named K
4sing a start=stop script the section called J Controlling named with a start=stop script K
"he ndc program
The ndc Aname daemon controlB program can be used to control the named name serer
daemon. It can be used in batch- or interactie mode.
In batchmode a command is specified as a parameter to ndc#
ndc reload
This will ask the name serer to reload its configuration and ,one files. $ll commands
specified this way are understood by the name daemon. The special command 2elp will
show a list of possible commands.
The interactive mode is entered when n)c does not see a command on the command line.
It presents a prompt. 3ow" there are two types of commands# commands understood by
the name serer and commands to control n)c.
co##an)s un)erstoo) *y the na#e ser+er. The 2elp command presents a list of
commands understood by the name serer. These are the same commands that can be
specified as parameters on the command line.
co##an)s to control n)c. commands to control ndc itself. These start with a slash A/B.
The /2 command shows a listQ the /e exits ndc.
There is much more to know about n)c. &ee the manpage.
+ending signals to named
It is possible to send signals to the named process to control its behaior. $ full list of
signals can be found in the named manpage. %ne example is the SIJYF signal" that
causes named to reload named.con5 and the database files.
- !52 -
&ignals are sent to named with the kill command" e.g."
,ill 6YF 2#0
This sends a &I6/4P signal to a named process with process id 2#0" which triggers a
reload.
Controlling named ith a start7stop script
@ost distributions will come with a start=stop script that allows you to start" stop or
control named manually" e.g." /etc/init.d/bind in *ebian.
Table 7.9" J/etc/init.d/bind parametersK lists parameters that a current ersion of
/etc/init.d/bind accepts.
"a*le ..3. /etc/init.d/bind para#eters
Para#eter 4escription
start
starts named
stop
stops named
restart
stops and restarts named
reload
reloads configuration
5orce6reload
same as restart
Create 1n) 0aintain 45( :ones (2.2..2!
The candidate should be able to create a ,one file for a forward or reerse ,one or root-
leel serer. This ob'ectie includes setting appropriate alues for the &%$ resource
record" 3& records and @P records. $lso included is the addition of hosts with $
resource records and C3$@D records" as appropriate" adding hosts to reerse ,ones with
PT; records and adding the ,one to the =etc=named.conf file using the ,one statement
with appropriate type" file and masters alues. $ candidate should also be able to delegate
a ,one to another *3& serer.
contents o5 /-ar/named
zone 5ile s!ntax
resource record 5ormats
dig
nsloo,up
2ost
- !59 -
8ones and reverse 9ones
There are zones and reverse zones. Dach named.con5 will contain definitions for both.
Dxamples of ,ones are local2ost Aused internallyB and example.com Aan external
example which does not necessarily exist in realityB. Dxamples of reerse ,ones are
#20.in6addr.arpa Aused internallyB" and 24$.#2%.224.in6addr.arpa Aa real-world
exampleB.
/ow ,ones are related to reerse ,ones is shown below.
"he db.local file
$ special domain" local2ost" will be predefined in most cases.
/ere is the corresponding ,one file /etc/bind/db.local called from the example
named.con5 shown earlier in this chapter.
C
C =IHD data 5ile 5or local loopbac, inter5ace
C
3LLM 6$4'$$
@ IH SG; local2ost. root.local2ost. (
# C Serial
6$4'$$ C 1e5res2
'64$$ C 1etr!
24#&2$$ C :xpire
6$4'$$ ) C Hegati-e Dac2e LLM
C
@ IH HS local2ost.
@ IH ; #20.$.$.#
The @ contains the name of the ,one. It is called the current origin. $ zone statement in
named.con5 defines that current origin" as is seen in this part of the named.conf file we
saw earlier#
zone 9local2ost9 U
t!pe masterC
5ile 9/etc/bind/db.local9C
VC
&o in this case the ,one is called local2ost and all current origins in the ,one file will
become local2ost.
%ther parts of a ,one file will be explained in the section called JEone filesK below.
- !52 -
"he db.&,- file
To each IP range in a ,one file" there is a corresponding reverse zone that is described in
a reverse zone file. /ere is the file /etc/bind/db.#20#
C
C =IHD re-erse data 5ile 5or local loopbac, inter5ace
C
3LLM 6$4'$$
@ IH SG; local2ost. root.local2ost. (
# C Serial
6$4'$$ C 1e5res2
'64$$ C 1etr!
24#&2$$ C :xpire
6$4'$$ ) C Hegati-e Dac2e LLM
C
@ IH HS local2ost.
#.$.$ IH FL1 local2ost.
This is the calling part from named.con5#
t!pe masterC
VC
$s can be seen" the current origin will be #20.in6addr.arpa" so all @)s in the reerse
,one file will be replaced by #20.in6addr.arpa.
(ut there is more# all host names that do not end in a dot get the current origin appended.
This is i#portant " so I repeat#
all host names that do not end in a dot get the current origin appended.
$s an example# #.$.$ will become #.$.$.#20.in6addr.arpa.
3ormal IP addresses Ae.g. !27.....!B do not get the current origin appended.
$gain" details about the reerse ,one file will be discussed below.
"he hints file
The local2ost and #20.in6addr.arpa ,ones are for internal use within a system.
In the outside world" ,ones are hierarchically organi,ed. The root ,one Adenoted with a
dot A.BB is listed in a special hints file. The following ,one statement from named.con5
reads a root ,one file called /etc/bind/db.root
zone 9.9 U
- !55 -
t!pe 2intC
5ile 9/etc/bind/db.root9C
VC
(y the way" note the type# 2intG It is a special type for the root ,one. 3othing else is
stored in this file" and it is not updated dynamically.
/ere is a part from the db.root file.
C 5ormerl! HS.IHL:1HID.H:L
C
. %6$$$$$ IH HS ;.1GGL6S:1P:1S.H:L.
;.1GGL6S:1P:1S.H:L. %6$$$$$ ; #&'.4#.$.4
C
C 5ormerl! HS#.ISI.:D
C
. %6$$$$$ HS =.1GGL6S:1P:1S.H:L.
=.1GGL6S:1P:1S.H:L. %6$$$$$ ; #2'.&.$.#$0
3ote the dot at the left" this is the root ,oneG
Dither your distribution or you personally must keep the root ,one file current. Lou can
look at 5tp.rs.internic.net for a new ersion. %r" you could run something like
dig @a.root6ser-ers.net . ns A root2ints
This will create a new file.
Lou can also run
dig @a.root6ser-ers.net . SG;
Lou can do this periodically to see if the &%$ ersion number Asee belowB has changed.
:one files
The root ,one knows about all top-leel domains directly under it" e.g." the edu and org
domains as well as the country-specific domains like u, and nl.
If the example.org domain Aused here for illustration purposesB were a real domain" it
would not be handled by the root name serers. Instead" the nameserers for the org
domain would know all about it. This is called delegation# the root name serers hae
delegated authority for ,ones under org to the name serers for the org ,one. *oing
delegation yourself will be explained later in the section called J*elegating a *3& ,oneK.
$ ,one file is read from the named.con5 file with a ,one statement like
zone 9example.org9 IH U
t!pe masterC
- !5: -
5ile 9/etc/bind/exampleorg.zone9C
VC
This is an example ,one file for the ,one example.org.
3LLM '64$$
@ IH SG; lion.example.org. dnsmaster.lion.example.org. (
2$$###$0$$ C Ser. !!!!mm22ee (ee. ser/da! start $$)
2''$$ C 1e5res2
%6$$ C 1etr!
6$4'$$ C :xpiration
'64$$ ) C Hegati-e cac2ing
IH HS lion.example.org.
IH HS cat.example.org.
IH MK $ lion.example.org.
IH MK #$ cat.example.org.
lion IH ; 224.#2%.24$.#
dogg! IH ; 224.#2%.24$.2
cat IH ; 224.#2%.24$.%
C our laptop
bird IH ; 224.#2%.24$.4
Let)s examine this file in detail.
&he $TTL statement
The 3LLM is the default Time To Live for the ,one. -hen a name serer re+uests
information about this ,one" it also gets the TTL. $fter the TTL is expired" it should
renew the data in the cache.
3LLM %2
This sets the default TTL to 9 hours" and
3LLM '64$$
this one to 8:2.. seconds Asame as #d A! dayBB.
Note
&ince (I3* ersion 8.2 each ,one file should start with a default TTL. $ default alue is
substituted and a warning generated if the TTL is omitted. The change is defined in
;?C29.8.
- !57 -
$t the same time" the last &%$ time field changed meaning. 3ow it is the negatie
caching alue" which is explained below.
&he SOA resource record
The acronym &%$ means 4tart 5f Authorit(. It tells the outside world that this name
serer is recogni,ed as the authoritatie name serer to +uery about this domain. This has
two aspects# first" the parent ,one org has delegated AgrantedB the use of the
example.org domain to us" the second is that we claim to be the authority oer this ,one.
Darlier we saw the following SG; record#
2''$$ C 1e5res2
%6$$ C 1etr!
6$4'$$ C :xpiration

Dlements of these SG; lines are
@
the current origin" which expands to example.org Asee the named.conf fileB.
IH
the Internet data class. *on)t ask.
SG;
start of authority - that)s what this section is about
lion.example.org.
the name of the machine that has the master Asee the section called J@aster and
slae serersKB name serer for this domain.
dnsmaster.lion.example.org.
The email address of the person to mail in case of trouble" with the commercial at
symbol A@B normally in the email address replaced by a dot. 4ncoering the
reason for this is left as an exercise for the reader Asomething with current
origin .....>B
( five numbers )
- !58 -
The first number is the serial number. ?or a ,one definition that neer
changes Ae.g." the local2ost ,oneB a single # is enough.
?or ,ones that do change" howeer" another format is rather common#
((((mmddee. That is" 2 digits for the year" two for the month" two for the
day" plus two digits that start with $$ and are incremented eery time
something is changed. ?or example a serial number of
2$$###$0$#
corresponds to the second AGB change of the 7th of 3oember in the year
2..!. The next day" the first change will get the serial number
2$$###$'$$.
Note
Dach time something is changed in a ,one definition" the serial number
must grow Aby at least oneB. If the serial number does not grow" changes in
the ,one will go unnoticed.
The second number is the refresh rate. This is how fre+uently a slae
serer Asee belowB should check to see whether data has been changed.
&uggested alue in rfc!597# 242
The third number is the retry alue. This is the time a slae serer must
wait before it can retry after a refresh or failure" or between retries.
&uggested alue in rfc!597# 22
The fourth number is the expiration alue. If a slae serer cannot contact
the master serer to refresh the information" the ,one information expires
and the slae serer will stop sering data for this ,one.
&uggested alue in rfc!597# %$d
The fifth number is the negatie caching alue TTL. 3egatie caching
means that a *3& serer remembers that it could not resole a specific
domain. The number is the time that this memory is kept.
;easonable alue# #2
&he A resource record
This is the address record. It connects an IP address to a hostname. $n example record is
- !5< -
lion IH ; 224.#2%.24$.#
This connects the name lion.example.org Aremember that the current origin
example.org is added to any name that does not end in a dotB to the IP address
224.#2%.24$.#.
Note
Dach ; record has a corresponding FL1 record. This is described in the section called
J;eerse ,one filesK.
The $ record is used by IP2" the current ersion of the IP protocol. The next generation
of the protocol" IP:" has an ;6 record type. IP: is not discussed here.
&he CNAME resource record
$ DH;M: record specifies another name for a host with an $ record. $n example of a
combined ; and DH;M: record is
cat IH ; 224.#2%.24$.%
>>> IH DH;M: cat.example.org.
This makes >>>.example.org point to cat.example.org.
&he NS resource record
&pecifies a name serer for the ,one. ?or example
@ IH SG; .....
The first thing that catches one)s eye is that there is nothing before the I3 tag in the 3&
lines. In this case" the current origin that was specified earlier Ahere with the SG;B is still
alid as the current origin.
The name serers must be specified as I' addresses Acan you guess why>B.
Note
There must be at least two independent name serers for each domain. Independent
means connected to separate networks" separate power lines" etc. &ee the section called
J@aster and slae serersK below.
&he MX resource record
- !:. -
The @P record system is used by the mail transfer system" e.g." the sendmail daemons.
The number after the MK tag is the priority. $ priority of . is the highest priority. The
higher the number" the lower the priority. Priority . will be used for the host where the
mail is destined. If that host is down" another host with a lower priority will temporarily
store the mail.
Dxample entries
lion IH ; 224.#2%.24$.#
&o this example specifies that mail for lion.example.org is first sent to
lion.example.org. If that host is down" cat.example.org is used instead.
To distribute mail e+ually among two hosts" gie them the same priority. That is" if
another host with priority #$ is added" they will both receie a share of mail when
lion.example.org is down.
M*ing a domain
@ail can be deliered to a host" as was shown in the preious section. (ut the @ail
Transfer $gent A@T$B and the *3& can be configured in such a way that a host accepts
mail for a domain. &ee the section called J4sing &endmail A2.2.:.2BK for more
information about the sendmail @T$.
Considering our example" host lion.example.org can be configured to accept mail for
example.org.
To implement this" place @P records for example.org" e.g.#
C accept mail 5or t2e domain too
example.org. IH MK $ lion.example.org.
example.org. IH MK #$ cat.example.org.
in the example.org ,one file.
@ail addressed to example.org will only be accepted by the @T$ on
lion.example.org host if the @T$ is configured for this. &ee the section called J4sing
&endmail A2.2.:.2BK.
2e+erse &one files
Dach IP range has a reverse zone" that consists of part of the IP numbers in reerse order"
plus in6addr.arpa. This system is used amongst others" to check if a hostname belongs
to a specified address.
- !:! -
%ur example.org domain uses the IP range 224.#2%.24$.x. The corresponding reverse
zone is called 24$.#2%.224.in6addr.arpa. In named.con5 this could be the
corresponding entry#
zone 924$.#2%.224.in6addr.arpa9 IH U
t!pe masterC
5ile 9/etc/bind/exampleorg.re-9C
VC
$n example /etc/bind/exampleorg.re- Acorresponding to the example.org domain
we saw earlierB is#
3LLM '64$$
2''$$ C 1e5res2
%6$$ C 1etr!
6$4'$$ C :xpiration
# IH FL1 lion.example.org.
2 IH FL1 dogg!.example.org.
% IH FL1 cat.example.org.
4 IH FL1 bird.example.org.
The current origin is 24$.#2%.224.in6addr.arpa" so the entry for bird actually is
4.24$.#2%.224.in6addr.arpa IH FL1 bird.example.org.
Note
-hat happens if you omit the dot after example.org in this line>
&he PTR record
The FL1 record connects the reerse name A4.24$.#2%.224.in6addr.arpaB to the name
gien by the $ record Abird.example.orgB.
*aster and slave servers
Dach ,one Aexcept the ones local to the machine" such as local2ostB must hae at least
one master name serer. It can be supported by one or more slave name serers.
There should be two independent name serers for each ,one. Independent means
connected to a different network and other power supplies. If one power plant or network
fails the resoling names from the ,one must still be possible. $ good solution for this is
one master and one slae name serer at different locations.
- !:2 -
(oth master and slave name serers are authoritative for the ,one Aif the ,one was
delegated properly" see the section called J*elegating a *3& ,oneKB. That is" they both
gie the same answers about the ,one.
The data of a ,one originate on a master name serer for that ,one. The slave name serer
copies the data from the master. 5ther name serers can contact either a master or a slae
to resole a name.
This implies that the configuration must handle
slae name serer access control on the master
other name serer access control on both master and slae name serers
Configuring a #aster
$ ,one definition is defined as master by using the
t!pe masterC
statement inside a ,one definition. &ee" for example" this ,one statement Ain named.con5B
t!pe masterC
5ile 9/etc/bind/exampleorg.zone9C
VC
defines the example.org master. %f course" The exampleorg.zone file must" of course"
be created as discussed earlier.
There can be multiple independent master name serers for the same ,one.
$ noti5! statement controls whether or not the master sends *3& 3%TI?L messages
upon change of a master ,one. The noti5! statement can be put in a zone statement as
well as in an options statement. If one is present in both the zone and options
statements" the former takes precedence. -hen a slae receies such a 3%TI?L re+uest
Aand supports itB" it initiates a ,one transfer to the master immediately to update the ,one
data. The default is noti5! !esC. To turn it off Awhen" e.g." a ,one is sered by masters
onlyB set noti5! noC.
/ow does the master know which slae serers sere the same ,one> It inspects the HS
records defined for the ,one. Dxtra slae serers can be specified with the also6noti5!
statement Asee the named.confA5B manpageB.
Note
%lder ersions of (I3* used the term primar( instead of master.
- !:9 -
Configuring a sla+e
$ ,one definition is defined as slave by using the
t!pe sla-eC
statement inside a ,one definition" accompanied by the IP addressAesB of the masterAsB.
/ere" for example" is the ,one statement Ain named.con5B" which defines a example.org
slae#
t!pe sla-eC
masters U 224.#2%.24$.#C VC // lion
5ile 9db.example.org9C
VC
The file is created by the slae name serer itself. The slae has no data for
example.org. Instead" a slae receies its data from a master name serer and stores it in
the specified file.
3ote that the filename has no directory component. /ence it will be written in the (I3*
working directory gien by the director! option in named.con5. ?or instance"
/-ar/cac2e/bind or /-ar/named. The name serer must hae write access to the file.
Note
%lder ersions of (I3* used the term secondar( instead of slave.
1 stub na#e ser+er
?rom the named.con5(() manpage# $ stub ,one is like a slae ,one" except that it
replicates only the HS records of a master ,one instead of the entire ,one.
Creating subdomains
There are two ways to create a subdomain# inside a ,one or as a delegated ,one.
The first is to put a subdomain inside a normal ,one file. The subdomain will not hae its
own SG; and HS records. This method is not recommended - it is harder to maintain and
may produce administratie problems" such as signing a ,one.
The other method is to delegate the subdomain to a separate ,one. It is described next.
- !:2 -
4elegating a 45( &one
$ real" independent subdomain can be created by configuring the subdomain as an
independent ,one Ahaing its own SG; and HS recordsB and delegating that domain from
the parent domain.
$ ,one will only be authoritative if the parent ,one has delegated its authority to the
,one. ?or example" the example.org domain was delegated by the org domain.
Likewise" the example.org domain could delegate authority to an independent
scripts.example.org domain. The latter will be independent of the former and hae its
own SG; and HS records.
Let)s look at an example file of the scripts.example.org ,one#
3G1IJIH scripts.example.org.
ctl IH ; 224.#2%.24$.#6
IH MK $ ctl
IH MK #$ lion.example.org.
>>> IH DH;M: ctl
perl IH ; 224.#2%.24$.#0
IH MK $ perl
IH MK #$ ctl
IH MK 2$ lion.example.org.
bas2 IH ; 224.#2%.24$.#'
IH MK $ bas2
IH MK #$ ctl
IH MK 2$ lion.example.org.
s2 IH DH;M: bas2
3othing new" 'ust a complete ,one file.
(ut" to get it authoritatie" the parent domain" which is example.org in this case" must
delegate its authority to the scripts.example.org ,one. This is the way to delegate in
the example.org ,one file#
scripts 2d IH HS ctl.scripts.example.org.
2d IH HS bas2.scripts.example.org.
ctl.scripts.example.org. 2d IH ; 224.#2%.24$.#6
bas2.scripts.example.org. 2d IH ; 224.#2%.24$.#'
That)s allG
The HS records for scripts do the actual delegation. The ; records must be present"
otherwise the name serers of scripts cannot be located.
Note
It is adised to insert a TTL field Alike the 2d in the exampleB.
- !:5 -
DN+ Utilities
Three *3& utilities can help to resole names and een debug a *3& ,one. They are
called dig" 2ost and nsloo,up. $ll three are part of the (I3* source distribution.
"he dig progra#
The dig command lets you resole names in a way that is close to the setup of a ,one
file. ?or instance" you can do
dig bird.example.org ;
This will do a lookup of the ; record of bird.example.org. Part of the output looks like
this#
CC ;HSR:1 S:DLIGH.
bird.example.org. #D IH ; 224.#2%.24$.4
CC ;LYG1ILN S:DLIGH.
example.org. #D IH HS lion.example.org.
CC ;DDILIGH;M S:DLIGH.
lion.example.org. #D IH ; 224.#2%.24$.#
If dig shows a SG; record instead of the re+uested ; record" then the domain is ok" but
the re+uested host does not exist.
It is een possible to +uery another name serer instead of the oneAsB specified in
/etc/resol-.con5#
dig @cat.example.org bird.example.org ;
This will +uery name serer cat.example.org for the ; record of host bird. The name
serer that was contacted for the +uery will be listed in the tail of the output.
The dig can be used to test or debug your reerse ,one definitions. ?or instance"
dig 4.24$.#2%.224.in6addr.arpa FL1
will test the reerse entry for the lion host. Lou should expect something like this#
CC ;HSR:1 S:DLIGH.
4.24$.#2%.224.in6addr.arpa. #D IH FL1 lion.example.org.
CC ;LYG1ILN S:DLIGH.
24$.#2%.224.in6addr.arpa. #D IH HS lion.example.org.
CC ;DDILIGH;M S:DLIGH.
lion.example.org. #D IH ; 224.#2%.24$.4
- !:: -
If you get something like
CC ;HSR:1 S:DLIGH.
4.24$.#2%.224.in6addr.arpa. #D IH FL1
lion.example.org.24$.#2%.224.in6addr.arpa.
you)e made an error in your ,one file. 6ien a current origin of 24$.#2%.224.in6
addr.arpa." consider the line#
4 IH FL1 lion.example.org C R1GHJQ
The dot at the end was omitted" so the current origin is appended automatically. To
correct this" add the trailing dot#
4 IH FL1 lion.example.org. C 1IJYLQ
Note
-hen specifying a hostname like bird.example.org or 4.24$.#2%.224.in6addr.arpa
to )ig" a trailing dot may be added.
"he host progra#
The 2ost program reports resoler information in a simple format.
-hen a hostname is specified as a parameter" the corresponding ; record will be shown.
2ost bird.example.org
will result in output like
bird.example.org ; 224.#2%.24$.4
The 2ost program is especially useful when a hostname is wanted and an IP address is
gien. ?or example#
2ost 224.#2%.24$.4
from our example hosts shows output like#
Hame. bird.example.org
;ddress. 224.#2%.24$.4
The following command is also possible#
2ost 4.24$.#2%.224.in6addr.arpa
resoles the PT; record#
- !:7 -
4.24$.#2%.224.in6addr.arpa FL1 bird.example.org
Note
$s is the case with dig" when specifying a hostname like bird.example.org or
4.24$.#2%.224.in6addr.arpa to 2ost" a trailing dot may be added.
"he nslookup progra#
The nslookup program is yet another way to resole names. /oweer" its setup is +uite
different. It)s a tool that can be used interactiely and more re+uest types can be handled
than with )ig or host.
?or instance" start the interactie mode by entering nslookup and typing#
ls 6d example.org.
In result" the output will be shown in a ,onefile-like format Abeginning shownB#
)lion.example.org*
3G1IJIH example.org.
@ #D IH SG; lion postmaster.lion (
2$$###$'$$ C serial
'Y C re5res2
#Y C retr!
#R C expir!
#D ) C minimum
#D IH HS lion
#D IH MK $ lion
The first line" in s+uare brackets" contains the name of the name serer that sent the
answer.
Note
The example shown re+uires a zone transfer from the connected name serer. If this
name serer refuses ,one transfers Aas will be discussed belowB" you will of course not
see this output.
$ lot of commands can be gien to nslookup in interactie mode# the 2elp command
will present a list.
(ecuring a 45( (er+er (2.2..3!
The candidate should be able to configure (I3* to run as a non-root user and configure
(I3* to run in a chroot 'ail. This ob'ectie includes configuring *3&&DC statements
- !:8 -
such as key and trusted-keys to preent domain spoofing. $lso included is the ability to
configure a split *3& configuration using the forwarders statement and specifying a non-
standard ersion-number string in response to +ueries.
S!sP init 5iles or rc.local
/etc/named.con5
/etc/pass>d
dns,e!gen
DN+ +ecurity +trategies
There are seeral strategies possible to make *3& more secure.
-hen a security bug is discoered in the (I3* name serer" it will in most cases be fixed
within a few hours" resulting in a new (I3* release. This means that some of the (I3*
ersions that are a little older may hae known Apossibly security-relatedB bugs. 0eep an
eye on the (I3* source site Ahttp#==www.isc.org=products=(I3*=B periodically.
Note
Currently" (I3* ersions 8 and < are deeloped in parallel. 4se either the newest (I3*
8 or the newest (I3* <.
Consider subscribing to a security announcement list of a Linux distribution. ?or
instance" the *ebian debian6securit!6announce list is fast way to learn about a new
security bug. &ee http#==lists.debian.org to subscribe.
*aking information harder to get
There are ways to limit information that a normal user can +uery from a name serer
without influencing the normal name resoling. ?or instance" the ersion number can be
hidden. %r access can be limited" e.g." ,one transfers can be limited to a specific set of
slae name serers. (oth will be discussed next.
It is important to remember that hiding information is securit( through obscurit(. That is"
the easy way to get information is blocked" but there may be other ways to get the same
information by trying seeral other ways. 4ecurit( through obscurit( makes it harder to
get the information" but it does not make it impossible.
Hi)ing the +ersion nu#*er
&ince older (I3* ersions may hae known security bugs" the (I3* ersion number can
be of great help to someone who wishes to compromise your system. The command
- !:< -
dig @target c2aos -ersion.bind txt
will show the ersion of the (I3* name serer on host target.
The (I3* ersion can be hidden by entering a -ersion statement inside the options
statement in named.con5. In the following example" the ersion will be set to the string
2idden.
options U
// ...

// 2ide bind -ersion
-ersion 92idden9C
VC
The CD;T article shows a way to limit access to the bind ,one. This an alternatie to
replacing the (I3* ersion.
Li#iting access
There are seeral ways to limit access to the name serer. ?irst" an access control list
must be defined. This is done with the acl statement.
acl 9trusted9 U
local2ostC
#&2.#6'.#.$/24C
VC
This acl defines an access control list with label trusted. This label is a name that can
be used later" as will be shown.
Two types of connections between name serers and between name serers and resolers
are normal +ueries and ,one transfers.
normal +ueries
-hen a host sends a 6uer( to a name serer" it asks a name serer for specific
information.
The allo>6Suer! statement controls from which hosts +ueries are accepted.
,one transfers
$ ,one transfer happens when a name serer sends all it knows about a ,one to
another name serer or a resoler. Eone transfers are intended for slaes that need
to get information from a master of the same ,one.
Eone transfers are controlled by the allo>6trans5er statement.
- !7. -
The allo>6Suer! and allo>6trans5er statements can to be used inside a zone
statement or inside an options statement. It can contain either an acl label Alike
trustedB" or none or one or more IP addresses or IP ranges.
+imiting ,one transfers
(oth dig and nsloo,up can initiate a zone transfer. (y default" both master and slae
serers can gie out all ,one information. -ith dig"
dig @target example.org ax5r
shows the complete information about example.org. -ith nslookup in interactie mode"
ls 6d example.org
shows the same information.
&trictly speaking" only a slae name serer needs a zone transfer to get the full
information about the ,one from a master name serer for the ,one.
$ setup where only these ,one transfers are allowed" but all other ,one transfers are
prohibited is described here. It consists of extras in the named.con5)s of both the master
and all the slaes for a particular ,one.
/n #aster na#e ser+ers. %n a master name serer for the example.org ,one" the
allo>6trans5er statement is used to limit ,one transfers to a list of known slae serers.
acl 9m!"sla-e"ser-ers9 U
224.#2%.24$.%C // cat.example.org
VC
// ...
t!pe masterC
// ....
allo>6trans5er U
m!"sla-e"ser-ersC
VC
VC
3ow only the slaes Aonly cat hereB can re+uest a zone transfer from this master name
serer.
/n sla+e na#e ser+ers. %n a slave name serer for the same ,one" the complete ,one
should not be exposed at all. This too is implemented using an allo>6trans5er
statement.
- !7! -
t!pe sla-eC
// ....
allo>6trans5er U
noneC
VC
VC
3ow this slae will not accept zone transfer re+uests.
Note
*on)t forget to do the same for the reverse zone.
+imiting -ueries
3ormal +ueries can also be limited to a set of clients. This limits access to a certain set of
hosts. ?or security reasons" ...
acl 9m!2osts9 U
224.#2%.24$.$/24C
VC
// ...
// ...
allo>6Sueries U
m!2ostsC
VC
VC
This limits +ueries to hosts with an IP address that starts with 224.#2%.24$.
Controlling re:uests
$part from hiding information by making it harder to get" one can control some
automatic behaior of a name serer that can turn out to be dangerous.
-hen a AmaliciousB name serer receies a +uery it can respond with deliberately false
data which infects the cache of the name serer that sent the +uery. This is called
spoofing. $lthough spoofing is not as easy as it may seem" it is wise to take precautions.
@any possible spoofing methods hae been made impossible in the software. In the
(I3* configuration steps can be taken to enhance spoofing security. ?or instance" glue
can be disabled.
- !72 -
"urning off glue
-hen name serer lion gets a re+uest for" say" >>>.linuxdoc.org" it will +uery the
name serers of the linuxdoc.org domain. The answer from a name serer in the
linuxdoc.org domain will" in most cases" contain the names of their name serers.
It is possible" howeer" that the linuxdoc.org name serers did not send the $ records
of their name serers in their answers. (y default" our lion name serer will then send
re+uest for the ; records of linuxdoc.org)s name serers.
This is called glue fetching .6lue fetching is sub'ect to spoofing" so it can be turned off.
options U
// ...
5etc26glue noC
VC
The 5etc26glue option is alid in (I3* 8 but not in (I3* <. (I3* < does not fetch
glue.
Limiting effects of an intrusion
Den if you)re prepared to implement any *3& fix as soon as it appears" you may be too
late - een by only a couple of hours# your system could be compromised anyway. Lou
can prepare for this by minimi,ing the effects of possible compromises.
2unning 7354 with less pri+ileges
(y default" at least in some distributions" (I3* runs as root. If (I3* is compromised"
the attacker may get root access. This can be preented by running (I3* under a
different user and group.
It is tempting to use user nobod! and group nogroup for this. /oweer" with many
serices running as nobod! and nogroup another security issue arises when these serices
are able to communicate in one way or another.
The suggested way is to create a special user" e.g. named" and a corresponding group
Awhich could also be called namedB" and run the name serer under this user=group
combination.
To use the special user and group" specify the 6u and 6g options to named#
named 6u named 6g named
%n a *ebian system" for instance" the start line in /etc/init.d/bind becomes
- !79 -
start6stop6daemon ... 66exec /usr/sbin/named 66 6u named 6g named
Afor layout reasons some options hae been replaced by dotsB. The extra 66 tells the
start6stop6daemon to stop eating options" so that the named program gets these.
%n a ;ed /at Aor compatibleB system" the bind file will probably be /etc/rc.d/init.d/
dns. The corresponding line to start the name serer will become something like
daemon /sbin/named 6u named 6g named
Note
@ake sure the name serer has write access in the directory specified by the director!
option in named.con5.
2unning 7354 in a chroot .ail
$nother way to preent damage from a compromised name-serer process is to put the
process in a chroot 7ail. In such an enironment" a specified directory Ae.g." /-ar/cac2e/
bindB will be the / ArootB directory for this process. The process has no means of looking
aboe this new root" i.e." it cannot see the rest of the filesystem anymore.
Preparing a chroot .ail
&ince (I3* uses all sorts of files" these files must be copied to a directory structure
below the new root that mimics the original directory structure. $rticle lists files to copy.
/ere is an abstract#
Lou will need the etc" de-" lib" sbin or usr/sbin" and -ar/run directories
under the new root.
Lou)ll probably need the /de-/null deice under the new root#
m,nod 6m 666 /-ar/cac2e/bind/de-/null c # %
will create it.
Lou will need a pass>d and a group file in the new /etc#
cd /-ar/cac2e/bind/etc
cp 6p /etc/Upass>dOgroupV .
This copies the literal passwd and group files. $n alternatie is to create special
pass>d and group files" as will be shown in the section called JCombining
special user and chrootK.
Lou may also need to copy in some other stuff.
cp /etc/ld.so.cac2e .
- !72 -
cp /etc/localtime .
The configuration must also be present under the new root. The chrooted named
will need to find it when it receies a reload re+uest. The configuration can be
placed in /-ar/cac2e/bind/etc/bind.
3ote that each directory specified in the new named.con5 - the ones specified
with the director! option - is relatie to the new root directory.
The new lib directory must contain at least all the shared libraries used by bind.
?or instance" on my system"
ldd /usr/sbin/named
yields
libc.so.6 BA /lib/libc.so.6 ($x4$$#($$$)
/lib/ld6linux.so.2 BA /lib/ld6linux.so.2 ($x4$$$$$$$)
-hen looking in ArealB /lib" libc.so.6 is a symlink to libc62.#.%.so and ld6
linux.so.2 is a symlink to ld62.#.%.so. (oth the symlinks and the files they
point to must be copied to the lib directory under the new root#
cd /-ar/cac2e/bind/lib
cp 6pd /lib/Ulibc.so.6Olibc62.#.%.soOld6
linux.so.2Old62.#.%.soV .
(oth the named and the named6x5er programs must be present under the new
root. The ndc program may be of help too. %n my system" they are in /usr/sbin#
cp 6p /usr/sbin/namedUO6x5erV /-ar/cac2e/bind/usr/sbin
cp 6p /usr/sbin/ndc /-ar/cac2e/bind/usr/sbin
%n my system" it is in /usr/sbin and uses the same shared libraries as named.
/unning 0I(D chrooted
To get the (I3* name serer in a chroot 7ail" simply add the 6t and a directory name to
the command line used to start the name serer.
Note
It is also possible to use the c2root command to start the name serer. This has exactly
the same effect as using the 6t option" so it is not coered here.
&o" for example" in /etc/init.d/bind#
start6stop6daemon ... 66exec /usr/sbin/named 66 6t /-ar/cac2e/bind
- !75 -
This will make /-ar/cac2e/bind the new root directory for the name serer.
%r" in /etc/rc.d/init.d/dns#
daemon ... /sbin/named /-ar/cac2e/bind
This makes /-ar/cac2e/bind the new root directory for the name serer.
;emember that the double dash 66 after named tells the start6stop6daemon to pass
options after the double dash to named.
Important
The (I3* name serer actiates the chroot immediately after all command lines are read.
That is" before the configuration files are read.
onfiguration for a chrooted 0I(D
The configuration files are read after the name serer has chrooted to the specified
directory. $s a conse+uence" eery configuration file Ae.g. ,one files and the named.con5
fileB must be present in a configuration directory Ae.g." /etc/bindB under the chroot
directory.
%ne of the things that must be reconfigured is logging. The normal logging to syslog will
not work because of the chroot 'ail Acannot reach the 4nix socket /de-/log and cannot
recreate itB. /ere is an example logging statement from the named.con5 file inside the
chroot enironment that can sole this problem#
logging U
c2annel some"log U
5ile 9bind.log9 -ersions %C
se-erit! in5oC
VC
categor! de5ault U some"logC VC
// ...
VC
This will write logging information to the file
/-ar/cac2e/bind/-ar/cac2e/bind/bind.log" which was composed as follows#
/-ar/cac2e/bind Athe firstB
the chroot directory specified by the 6t option when starting named
/-ar/cac2e/bind Athe secondB
- !7: -
the directory specified by the director! statement inside the options statement
bind.log
the name of the log file specified by the logging statement
Eone files" if any" are also placed inside the chroot enironment. ?or instance" if
named.con5 contains a definition of a master ,one like
zone 9example.com9 IH U
t!pe masterC
5ile 9/etc/bind/example.com.zone9C
VC
the example.com.zone file will be in /-ar/cac2e/bin/etc/bind.
Co#*ining special user an) chroot
4sing a combination of running the name serer under a special user and group and a
chroot enironment will yield een better security. If the ,one- and configuration files are
unwritable by the special user and group the name serer is running under" they cannot be
compromised by a name serer break in.
Note
Inspecting the source for (I3* 8.2.5 reeals the order in which things happen#
parsing of commandline options
chrooting
go in the background and write pid file
change to new user and group
This means that the directory where the pid file is written Ae.g." /-ar/runB needs write
permission for root" but the new caching directory needs write permission for the
specified user and group.
The chroot enironment creates the possibly of special /etc/pass>d and /etc/group
files" that are completely different from the ones in the real /etc. The special user and
group used by the name serer may not een exist in the real /etc/pass>d. This is the
way to create the special files
ec2o 9named..229 A group
ec2o 9named.x.22.22.named./-ar/cac2e/bind./bin/5alse9 A pass>d
/oweer" the named program needs to know the special uid=gid)s at startup. &o you must
also do#
- !77 -
ec2o 9named..229 AA /etc/group
ec2o 9named.x.22.22.named./-ar/cac2e/bind./bin/5alse9 AA /etc/pass>d
*o not forget to add something like
named.Q.##222.$.&&&&&.0...
This must be added to both /etc/s2ado> files Aone in the real /etc" and one relatie to
the chroot enironmentB if shadow passwords are actie.
+ecuring name server connections
If a malicious name serer manages to infect ,one transfers" it can poison the ,one
information on a slae nameserer. Eone transfers can be limited to certain hosts by the
allo>6trans5er statement in named.con5.
Hueries can also be poisoned. Hueries can also be limited to dedicated hosts or host
groups using the allo>6Suer! statement.
Limiting access to certain hosts may sole the risk for poisoning if that hosts can be
trusted. (ut how can you be sure of this> If a name serer receies an answer" it simply
cannot be sure that the name serer that sent the answer really is the name serer it claims
to be.
4igning an answer by the name serer that sends it may sole this. 3ow the name serer
that receies the answer can erify the signature. $nd" it knows whether or not the
answer really originated on the name serer that the sender claims to be.
$ccording to the lpic2 ob'ectie you must be able to use (I3* 8)s )nskeygen. This helps
you to configure secure transactions between name serers.
Note
The )nskeygen command Awhich will be called )nssec@keygen in (I3* ersion <B is
part of the *3&&DC security extension for *3& .
*3&&DC is not really useful in (I3* ersion 8 due to a limited implementation. It is
fully implemented in (I3* ersion < which is described in the $lbit, and Liu book.
*3&&DC was in deelopment for seeral years" but did not catch on in the market Athe
fact that it will be fully implemented in (I3* < may change thisB. @oreoer" nowadays
most known ways to compromise a *3& serer are handled either by software or can be
preented by strict configuration. Therefore" the author states" it may be better to stop
deeloping *3&&DC in faor of a new design of the domain name system.
- !78 -
9sing the dnskeygen co##an)
The )nskeygen generates public" priate and shared keys for *3&" according to the
manual page. *nskeygen A*3& 0ey 6eneratorB is a tool to generate and maintain keys
for *3& &ecurity within the domain name system. The )nskeygen command can
generate public and priate keys to authenticate ,one data and shared secret keys to be
used for ;e+uest=Transaction signatures.
?irst choose the type of key#
a zone ke( Aspecify 6zB
used to sign ,one data
a host ke( Aspecify 62B
used to sign host data
a user ke( Aspecify 6uB
&trangely enough" )nskeygen can also generate a key applied by a user" for
example for signing email.
Note
Dxactly one of the 6z" 62 or 6u flags must be specified.
3ext" choose the algorithm. $n algorithm is selected with a flag followed by a number
which indicates the key si,e.
DS;/DSS Aspecify 6DB
generate a *&$=*&& key.
YM;D6MD( Aspecify 6YB
generate a /@$C-@*5 key.
1S; Aspecify 61B
generate an ;&$ key. If the 6I flag is also specified Aafter 61 and the si,eB the
program uses a large exponent for the generation of the ;&$ key.
Note
Dxactly one of the 6D" 6Y or 61 flags must be specified.
- !7< -
(y default" a generated key can be used for both authentication and encryption. Two flags
change this#
6a
the key cannot be used for authentication
6c
the key cannot be used for encryption
The last two arguments are 6n followed by the name of the key. (oth are re+uired.
Note
This does not coer the use of )nskeygen in detail. &ee the manual page.
>enerate) key files
The )nskeygen creates two files# KnameXalgorithmXfootprint.pri-ate and
KnameXalgorithmXfootprint.,e!.
&uppose the command gien is
dns,e!gen 6Y 06' 62 ,e!.example.com.
3ow two output files are created called K,e!.example.com.X#(0X#2%4(.pri-ate and
K,e!.example.com.X#(0X#2%4(.,e!.
The file K,e!.example.com.X#(0X#2%4(.pri-ate looks like
Fri-ate6,e!65ormat. -#.2
;lgorit2m. #(0 (YM;D)
Ke!. (P=iS!...
The file K,e!.example.com.X#(0X#2%4(.,e! has the following contents
,e!.example.com. IH K:N (#% % #(0 (P=iS!...
The generated keys Aabbreiated in both casesB are identical in both files.
9sing the key
To use the generated key put a ,e! statement in named.con5. This looks like
,e! ,e!.example.com. U
algorit2m 92mac6md(9C
- !8. -
secret 9(P=iS!...9C
VC
This re+uires" of course" that named.con5 be unreadable for anyone but the name serer.
The key can also be put in a separate file that can be included with the include
statement" so that the included file is the one that has limited readability.
3ext" define the serer that connects using the key. %n serer 224.#2%.4$$.2 define that
host 224.#2%.4$$.# can use this key#
ser-er 224.#2%.4$$.# U
,e!s ,e!.example.com.C
VC
%n name serer 224.#2%.4$$.# do the same for serer 224.#2%.4$$.2.
3ow transfers Afor instanceB can be limited to those ,ones that are signed by this key#
zone 9example.com9 U
t!pe masterC
5ile 9example.com.zone9C
allo>6trans5er U ,e! ,e!.example.com.C VC
VC
Internal DN+
&uppose your diision is located outside the firm)s main building. The workgroup will
hae its own name serers. Internally" hosts will be members of the ex>or,s Ashort for
example#orksB domain" that is" directly under the root A.B domain. IP addresses of all
hosts begin with #&2.#6'.02" so the reerse ,one 02.#6'.#&2.in6addr.arpa will also
be maintained.
The problem with this is that the root name serers don)t know anything about the
ex>or,s and 02.#6'.#&2.in6addr.arpa ,ones. 3or should they# there should be no
re+uest concerning these internal ,ones to one of the root name serers. &ince the *3&
system was not designed for use behind a firewall" some tricks must be applied. $ poor-
man)s solution is to try to limit any traffic from the internal name serer to the root
serers. (ut" using a split-leel *3& setup is likely to be a much better solution. Two
split-leel *3& setups will be shown.
Li#iting negotiations
(I3* behind a dial-up connection can be a nuisance# eery time a *3& wants to
communicate with a root name serer" an automatic dialer sets up a connection. Lou stop
(I3* from doing this by putting
// pre-ent dialup access
2eartbeat6inter-al $C
- !8! -
dialup !esC
inside the options statement of the named.con5 file.
This trick can also be used to limit communication from an internal ,one like ex>or,s.
The ex>or,s and 02.#6'.#&2.in6addr.arpa ,ones are implemented as conentional
master ,ones as described earlier in this chapter.
The fundamental problem with this is that the real root serers still don)t delegate the
ex>or,s Aand corresponding reerseB domain. $ better solution therefore is to put the
internal ,ones together with the root name serer definition into a separate *3&
implementation. This re+uires at least two independent name serers" and they can be set
up in two different ways" as will be described below.
(plit 45(A stan)@alone internal #aster
The first approach consists of a stand-alone name serer Athat is" master for the internal
,onesB and another name serer on another host that can be used to resole names from
both the outside world and the internal ,ones.
The figure below presents the ex>or,s domain that is used as an example.
The ex>or,s network.
The two name serers in this example will be on different hosts. The first name serer
runs on pri-dns and will proide internal ,one information. The other name serer is on
liongate" which will be a forwarding name serer for both the internal ,ones and the
outside world.
The host pri-dns Afor private 8-4B will contain the *3& for both the ex>or,s and
02.#6'.#&2.in6addr.arpa ,ones. This name serer will hae the following
characteristics#
- !82 -
it will be master for the root domain" but no *3& except itself will be able to
access this information
it will be master for the the ex>or,s and 02.#6'.#&2.in6addr.arpa domains.
%nly other name serers inside the building will be able to access this information
%n the other hand" liongate will do the following#
do forwarding for the internal ,ones Athis should be done firstB
do forwarding for the outside world
onfiguring the master on privdns
?irst" prepare a master file for the internal root ,one ?or example#
3LLM 2(2
. IH SG; pri-dns.ex>or,s. postmaster.pri-dns.ex>or,s. (
2$$##2#$$$ C !!!!mm22ee (ee BB ser/da! start $$)
2''$$
%6$$
6$4'$$
'64$$ )
IH HS pri-dns.ex>or,s.
pri-dns.ex>or,s. IH ; #&2.#6'.02.2
C glue records
ex>or,s. IH HS pri-dns.ex>or,s.
02.#6'.#&2.in6addr.arpa. IH HS pri-dns.ex>or,s.
3ote the glue records that delegate the ex>or,s and 02.#6'.#&2.in6addr.arpa ,ones.
3ext" add a zone statement in named.con5 that points to the master file for the root ,one#
// 1GGL M;SL:1 zone 5or internal DHS ser-er
zone 9.9 IH U
t!pe masterC
5ile 9/etc/bind/internal.root.zone9C
allo>6trans5er U noneC VC
allo>6Suer! U noneC VC
VC
4sing the type master tells the *3& that this really is a master serer for the root ,one.
The root ,one should not be known to any other name serers" therefore the allo>6
trans5er and allo>6Suer! are set to none.
Note
The root ,one definition type 2int" as present in a default caching-only serer" should be
turned off Aby not including it in the named.con5 file.
- !89 -
3ow" prepare ,one files for the ex>or,s and 02.#6'.#&2.in6addr.arpa ,ones" and add
the corresponding zone entries in the named.con5 file. The entry for ex>or,s should
look like this#
zone 9ex>or,s9 IH U
t!pe masterC
5ile 9/etc/bind/ex>or,s.zone9C
allo>6Suer! U #&2.#6'.02.#C VC // liongate
VC
The name serer on liongate is the one proiding names to the other hosts" so the IP
address of liongate must be listed in the allo>6Suer! field.
The same must be done for the corresponding reerse ,one.
@ake sure the options statement contains
recursion noC
5etc26glue noC
These statements tell the name serer it should not accept +ueries for ,ones other than the
ones it knows about.
/osts in the ex>or,s ,one should point their resol-.con5 to liongate. That is" the file
should contain the line#
nameser-er #&2.#6'.02.#
where #&2.#6'.02.# is the IP address of liongate. %n liongate itself" howeer"
nameser-er #20.$.$.#
is more efficient.
Note
The entries in resol-.con5 on pri-dns should not point to the name serer on pri-dns
itself. If the host is to be used for purposes that re+uire name resoling" it is better to
point the entries to the name serer on liongate.
onfiguring D(! on liongate
The functionality of the *3& is twofold# first it should resole names of the ex>or,s
,one Aand corresponding reerse ,oneB" secondly" it should resole names from the
outside world.
- !82 -
-ith the following 5or>arders statement +ueries to this name serer are being
forwarded to one on the listed IP addresses Aremember that 5or>arders is part of the
options statementB#
5or>arders U
#&2.#6'.02.2C // pri-dns
224.#2#.#2#.&&C // ISFWs DHS
VC
The name serers are tried in the order in which they are listed. ;e+uests are forwarded
to pri-dns first. If that one does not hae the answer" the *3& of the I&P is contacted
instead.
3ote that the IP address of pri-dns should be mentioned first# we don)t want re+uests for
internal names be sent to the I&P.
$lternatiely" the name serer on liongate can be configured as sla-e for the ex>or,s
domain and corresponding reerse domain. (ecause this is a must in the setup where both
name serers are on one host Awhich is described nextB" it is not discussed here.
1lternati+es
There are two alternaties to this setup. (oth re+uire two separate name serers.
The first alternatie is to use t#o nameser-er statements in resol-.con5#
nameser-er #&2.#6'.02.2
nameser-er #&2.#6'.02.#
The first IP address points to pri-dns" the second to liongate. In this situation"
pri-dns should also accept +ueries from #&2.#6'.02.$/24 and the 5or>arders
statement on liongate should not contain the #&2.#6'.02.2 Athe IP address of
pri-dnsB. The downside of this is that there is no single name serer entry-point.
The second alternatie is to use a sla-e setup for the ex>or,s Aplus corresponding
reerseB domain. This situation is re+uired when two name serers are running on the
same host. This will be elaborated below" so it will not be discussed here. ?or this to
work" the 5or>arders statement on liongate should not contain the IP address of
pri-dns.
(plit 45(A two 45( ser+ers on one #achine
&uppose the same network exists as aboe" but with one important difference# host
pri-dns is not aailable. This implies that the internal name serer must now run on one
of the other hosts" which also need access to the outside world.
- !85 -
In the situation described here" both name serers will be running on one host. $t least
one of these must run chrooted.
&wo name servers on one host
%n oder to do this" the following settings must be made#
"he internal na#e ser+er. There is a master name serer that seres the
ex>or,s and corresponding reerse domains. It runs chrooted" under its own uid=
gid" listening at a special port. It will not do any other resoler work. This name
serer will be referred to as the internal name serer.
"he visible na#e ser+er. The other name serer does not run chrooted" but it
does hae its own uid=gid. It seres as a sla-e for the ex>or,s and
02.#6'.#&2.in6addr.arpa domains. It also forwards other re+uests to the I&P.
This name serer will be referred to as the visible name serer" since this is the
name serer that will be isible to other hosts.
The nameser-er line in the resol-.con5 file points to #20.$.$.#Q other hosts in the
ex>or,s domain point their resoler to #&2.#6'.02.# Athe IP address of liongateB.
onfiguring the internal name server
The name serer is put into a chroot 'ail with own user and group I*)s. The name serer
will chroot to /-ar/cac2e/bindInternal. It will run as user inamed with 4I* (%$# and
as group with the same name and 6I* (%$#.
This chrooted name serer should be able to write to some directories. To allow this"
these directories should be owned by the the inamed 4I* and 6I*. The directories
Ainside the chroot 'ailB that need this are /-ar/run Abecause it needs to write named.pidB
and /-ar/cac2e/bind Abecause it needs to write e.g. a logfileB.
The configuration directory will be /-ar/cac2e/bindInternal/etc/bind" so that
references from the named.con5 file in that directory will be to /etc/bind. ?iles in that
directory include the master file for the root ,one and the ,one files for both the ex>or,s
and 02.#6'.#&2.in6addr.arpa domains.
/ere are the three master ,one definitions#
options U
director! 9/-ar/cac2e/bind9C
listen6on port (%(% U #20.$.$.#C VC
recursion noC
5etc26glue noC
VC
// HGL SYGRH Y:1:O described else>2ere.
// 6 special c2root loggingO see abo-e
// 6 zones 9local2ost9O 9#20.in6addr.arpa9O 9$.in6addr.arpa9 and
- !8: -
// 92((.in6addr.arpa as usual
// 1GGL M;SL:1 5or internal DHS ser-er
zone 9.9 IH U
t!pe masterC
5ile 9/etc/bind/internal.root.zone9C
allo>6Suer! U noneC VC
VC
// HG root zoneO t!pe 2int de5initionQ
// :KRG1KS <GH:S
zone 9ex>or,s9 IH U
t!pe masterC
5ile 9/etc/bind/ex>or,s.zone9C
allo>6trans5er U #20.$.$.#C VC
allo>6Suer! U #20.$.$.#C VC
VC
zone 902.#6'.#&2.in6addr.arpa9 IH U
t!pe masterC
5ile 9/etc/bind/ex>or,s.re-9C
allo>6trans5er U #20.$.$.#C VC
allo>6Suer! U #20.$.$.#C VC
VC
The director! refers to a location inside the chrooted tree. The listen6on specifies that
this name serer should only listen on port (%(% on the internal address #20.$.$.#. The
other two" recursion and 5etc26glue" preent resoling anything but the ,ones that
were defined here.
The root ,one is purely local" it is only for this name serer. Therefore" the configuration
does not allow +ueries and transfers.
The ex>or,s and 02.#6'.#&2.in6addr.arpa ,one definitions allow for internal ,one
transfers and +ueries" both specifically to the other name serer running there Athe isible
oneB. 3o other transfers and +ueries are allowed for these ,ones.
onfiguring the visible name server
This section will describe how to configure the visible name serer Aif in doubt read the
section called JTwo name serers on one hostK againB. ;emember it does not run
chrooted and listens on a normal port. Instead" it runs under its own 4I*=6I*.
The isible name serer should be able to answer +ueries about both the inside and the
outside worlds.
- !87 -
Note
The visible name serer on liongate could use forwarding to connect to the internal
name serer if the software allowed you to specify a port. -hile (I3* 8 does not allow
this" (I3* < will. In any case" it is easy to use a slae setup instead of forwarding.
The named.con5 for the isible name serer" with common parts omitted" looks like this#
// /etc/bind/named.con5
// bind -isible con5iguration on liongate
options U
director! 9/-ar/cac2e/bindPisible9C
// point to t2e ISFWs name ser-er 5or outside >orld
5or>arders U
224.#2#.#2#.&&C // ISFWs DHS
VC
VC
// HGL SYGRH Y:1:O described else>2ere.
// 6 logging as usual
// 6 root zone t!pe 2int as usual
// 6 zones 9local2ost9O 9#20.in6addr.arpa9O 9$.in6addr.arpa9 and
// 92((.in6addr.arpa as usual
// point to port (%(% 5or t2ese zonesO be sla-e 5or bot2
zone 9ex>or,s9 IH U
t!pe sla-eC
masters port (%(% U #20.$.$.#C VC
5ile 9ex>or,s.sla-e9C
allo>6Suer! U #20.$.$.#C #&2.#6'.02.$/24C VC
VC
zone 902.#6'.#&2.in6addr.arpa9 IH U
t!pe sla-eC
masters port (%(% U #20.$.$.#C VC
5ile 902.#6'.#&2.in6addr.arpa.sla-e9C
allo>6Suer! U #20.$.$.#C #&2.#6'.02.$/24C VC
VC
This implements the following#
a name serer that performs slae resoling for the ex>or,s and
02.#6'.#&2.in6addr.arpa ,ones
forwarding to resole names from the outside world
The directory specified by the director! statement must be writable by the running
name serer. That is" if the name serer is running as user -named and group -named" the
directory /-ar/cac2e/bindPisible must be owned by user -named and group -named.
- !88 -
The slae files ex>or,s.sla-e and 02.#6'.#&2.in6addr.arpa.sla-e will be put
there.
Let)s look at the slae ,one definitions. (oth refer to a master at port (%(% on the same
host. (oth definitions do not allow full ,one transfers. The only ,one transfers are from
master Aat port 5959B to slae Athe configuration for the master allows this" see the section
called JConfiguring the master on pri-dnsKB. 3ormal +ueries are allowed for the
localhost A#20.$.$.#" i.e." internal connections on liongateB" as well as all hosts in the
ex>or,s ,one A#&2.#6'.02.xB.
%n liongate the resol-.con5 file will contain
nameser-er #20.$.$.#
that is" it points to the visible name serer which listens on port (%. %ther hosts in the
ex>or,s domain will hae
nameser-er #&2.#6'.02.#
Athe IP address of liongateB in their resol-.con5.
Note
It is not possible to specify a portnumber in resol-.con5. The specified name sererAsB
will be contacted at port (%.
1 pro*le#
There is one problem with this scheme that results in extra maintenance. 3ormally" a
master name serer sends a notif( to a slae name serer when a ,one definition changes.
(ut there is no way to tell a name serer that there are two name serers listening at the
same IP addresses on different ports. In fact" the also6noti5! statement cannot contain
port information.
There is a simple solution to this problem. $fter a master ,one is changed" and the
internal name serer has reloaded the ,one data" the isible name serer has to be be
restarted manually.
Chapter '. ;e* (er+ices (2.2'!
This ob'ectie has a weight of : points and contains the following ob'ecties#
%b'ectie 2.2.8.!Q Implementing a -eb &erer A2 pointsB
- !8< -
Candidates should be able to install and configure an $pache web serer. This
ob'ectie includes monitoring $pache load and performance" restricting client-
user access" configuring #o)<perl and P/P support" and setting up client user
authentication. $lso included is the configuration of $pache serer options" such
as maximum re+uests" minimum and maximum serers" and clients.
%b'ectie 2.2.8.2Q @aintaining a -eb &erer A2 pointsB
Candidates should be able to configure $pache to use irtual hosts for web-sites
without dedicated IP addresses. This ob'ectie also includes creating an &&L
certification for $pache and defining &&L definitions in configuration files using
%pen&&L" as well as customi,ing file access by implementing redirect statements
in the configuration files of $pache.
%b'ectie 2.2.8.9Q Implementing a Proxy &erer A2 pointsB
Candidates should be able to install and configure a proxy serer using &+uid.
This ob'ectie includes implementing access policies" setting up authentication
and configuring memory usage policies.
3#ple#enting a ;e* (er+er (2.2'.1!
Candidates should be able to install and configure an $pache web serer. This ob'ectie
includes monitoring $pache load and performance" restricting client-user access"
configuring #o)<perl and P/P support" and setting up client user authentication. $lso
included is the configuration of $pache serer options" such as maximum re+uests"
minimum and maximum serers" and clients.
- !<. -
access.log
.2taccess
2ttpd.con5
mod"aut2
2tpass>d
2tgroup
.
Installing the /pache eb0server
$s of this writing A?ebruary 2..2B" there are two ersions of the $pache web-serer
aailable for download# a production ersion Aersion !.9.xB and a beta ersion of the
new ersion 2... $pache 2.. will include seeral new enhancements" but is not intended
for production use AyetB. If you are not familiar with software deelopment" and wish to
use a stable" working" web serer" you should use $pache !.9 until at least the 2.. series
gets out of beta. In this chapter" we focus on the stable ersion.
$pache can be built from source" but in most cases it is already part of your distribution.
The next step is to edit the configuration files for the serer# by default" these files are
called srm.con5" access.con5 and 2ttpd.con5. Lou should also hae an additional file
called mime.t!pes Atypically found in the /etc directory or in the same directory your
configuration files areB. The mime.t!pes file usually does not need editing.
Lour distribution probably contains a pre-cooked set of configuration files. Typical
locations for these configuration files are /etc/2ttpd/ or /etc/apac2e/. To help you
get started" most distributions Aand of course the $pache source distribution tooB proide
examples of these configuration files" called srm.con56dist" access.con56dist and
2ttpd.con56dist. Copy or rename these files dropping off the 6dist. Then edit each of
the files. ;ead the comments in each file carefully. ?ailure to set up these files correctly
could lead to your serer not working or being insecure.
?irst" edit 2ttpd.con5. This sets up the general attributes of the serer# the port number"
the user it runs as" etc. 3ext" edit the srm.con5 fileQ this sets up the root of the document
tree" sets such special functions as serer-parsed /T@L or internal imagemap parsing"
etc. ?inally" edit the access.con5 file to" at least" set the base cases of access. In addition
to these three files" the serer behaior can be configured on a directory-by-directory
basis by using .2taccess files in directories accessed by the serer" proided you
configured this in the 2ttpd.con5 file using the ;llo>G-erride optionB.
*odularity
$pache" like many other successful open source pro'ects" has a modular source code
architecture. This means that" to add or modify functionality" you do not need to know the
- !<! -
whole code base. Lou can custom build the serer with only the modules you need and
include your own modules.
Dxtending $pache can be done in C or in a ariety of other languages using the
appropriate modules. These modules expose $pache)s internal functionality to different
programming languages such as Perl or Tcl. There are many modules aailable" too many
to list in this book. If you hae any +uestions about the deelopment of an $pache
module" you should 'oin the $pache-modules mailing list at http9::modules"apache"org.
;emember to do your homework first# research past messages and check all the
documentation on the $pache site. Chances are good that someone has already written a
module that soles the problem you are experiencing.
The modular structure of $pache)s source code should not be confused with the
functionality of run-time loading of $pache modules. ;un-time modules are loaded after
the core functionality of $pache has started and are a relatiely new feature. In older
ersions" to use the functionality of a module" it needed to be compiled in in during the
build phase. Current implementations of $pache are capable of loading modules run-
time" see *&%.
!un0time loading of modules ,D+1.
@ost modern 4nix deriaties include a mechanism called dynamic linking=loading of
*ynamic &hared %b'ects A*&%B. This proides a way to build a piece of program code in
a special format for loading at run-time into the address space of an executable program.
This loading can usually be done in two ways# either automatically by a system program
called ld.so when an executable program is started" or manually" from within the
executing program ia a system interface to the 4nix loader through the system calls
)lopen(!=)lsy#(!.
In the latter method the *&%)s are usually called shared ob'ects or *&% files and can be
named with an arbitrary extension Aalthough the canonical name is 5oo.soB. These files
usually are installed in a program-specific directory. The executable program manually
loads the *&% at run-time into its address space ia )lopen(!.
The fact that $pache already uses a module concept to extend its functionality" and
internally uses a dispatch-list-based approach to link external modules into the $pache
core functionality predestined $pache for using *&%)s. &tarting with ersion !.9 $pache
began using the *&% mechanism to extend its functionality at run-time. $s of then the
configuration system supports two optional features for taking adantage of the modular
*&% approach# compilation of the $pache core program into a *&% library for shared
usage and compilation of the $pache modules into *&% files for explicit loading at run-
time.
- !<2 -
"ip
-hile $pache is installed by default in most Linux distributions" all ersions do not
support dynamic modules. To see if your ersion of $pache supports them" execute the
command http) @l which lists the modules that hae been compiled into $pache. If
mod"so.c appears in the list of modules then your $pache serer can use dynamic
modules.
1Pache eMten(ion (1PM(! support tool
The $PP& is a new support tool from $pache !.9 which can be used to build an $pache
module as a *&% outside the $pache source-tree. It knows the platform dependent build
parameters for making *&% files and proides an easy way to run the build commands
with them.
3ncrypted ebservers; ++L
$pache has been modified to support 4ecure 4ocket La(ers for &ecure %n-Line
transactions. The &ecure &ockets Layer protocol A&&LB is a protocol layer which may be
placed between a reliable connection-oriented network layer protocol Ae.g." TCP=IPB and
the application protocol layer Ae.g." /TTPB. &&L proides secure communication between
client and serer by allowing mutual authentication" the use of digital signatures for
integrity and encryption for priacy. There are a currently two ersions of &&L still in
use# ersions 2 and 9. $dditionally" there is the successor to &&L" TL& Aersion !" which
is based on &&LB" designed by the IDT?.
Pu*lic key cryptography
&&L uses Public 0ey Cryptography AP0CB" also known as asymmetric cryptography.
Public key cryptography is used in situations where the sender and receier do not share a
common secret" e.g." between browsers and web-serers" but wish to establish a trusted
channel for their communication.
P0C defines an algorithm which uses two keys" each of which may be used to encrypt a
message. If one key is used to encrypt a message" then the other must be used to decrypt
it. This makes it possible to receie secure messages by simply publishing one key Athe
public keyB and keeping the other secret Athe priate keyB. $nyone may encrypt a
message using the public key" but only the owner of the priate key will be able to read it.
?or example" Roan may send priate messages to the owner of a key-pair Ae.g." your web-
sererB" by encrypting the messages using the public key your serer publishes. %nly the
serer will be able to decrypt it.
-igure '.1. Pu*lic key exchange
DMI:HL (bro>ser) S:1P:1 (;pac2e/SSM)
- !<9 -
66666666666666666666666666666666666
666666666666666666666666666666666666666
(as,s 5or public ,e!) 666A (listens)
(recei-es ,e!) ?666 (send (signed) public part o5
,e! pair)
(-eri5ies ,e! is signed b! a D;)
(decr!pts message >it2 public ,e!)
9;lCao$%lls eis oe so>loleQlsli@ 9 666A (decr!pts message >/pri-ate
,e!)
666666666666666666666666666666666666
666666666666666666666666666666666666666

$ secure web-serer Ae.g." $pache=&&LB uses /TTP oer &&L" using port 229 by default
Acan be configured in 2ttpd.con5B. -ithin the browser" this is signified by the use of the
https scheme in the 4;L. The public key is exchanged during the set-up of the
communication between serer and client AbrowserB. That public key is signed Ait
contains a digital signature e.g." a message digestB by a so-called C$ ACertificate
$uthorityB. The browser contains a number of so-called root-certificates# they can be
used to determine the alidity of the C$)s that signed the key.
Narious 1pache an) ((L relate) pro?ects
$ number of solutions are aailable to enable $pache to use &&L on Linux#
commercially licensed# ;aen" &tronghold
$pache with &&Leay or %pen-&&L" aka $pache-&&L
modFssl
It can be +uite confusing to find out the difference between &&Leay" %pen&&L"
$pache=&&L and #o)<ssl. Therefore" the relation between these components is shown in
?igure 8.2" J;elations between $pache and &&L related pro'ectsK.
-igure '.2. 2elations *etween 1pache an) ((L relate) pro?ects
SSMea! ;pac2e
T T
X66666666666A GpenSSM T
T T
P T
;pac2e6SSM ?66666666666X
T
T
T
X666666A mod"ssl

Dric $. Loung and Tim R. /udson created ((Leay - a library containing encryption
functions. $nother team" lead by ;alf Dngelschall and (en Laurie" used this library as a
starting point to create a complementary set of cryptography software named /pen((L.
- !<2 -
$ team lead by (en Laurie combined /pen((L with the $pache webserer to create
$pache-&&L. In !<<8" ;alf Dngelschall and his team deried #o)<ssl from 1pache@
((L.
#o)<ssl is not a replacement for 1pache@((L - it is an alternatie. It is a matter of
personal choice as to which you run. #o)<ssl is what is known as a JsplitK - i.e." it was
originally deried from 1pache@((L" but has been extensiely redeeloped. @any
people find it ery easy to install.
There are a number of commercial products aailable# ;ed /at)s &ecure -eb &erer
Awhich is based on #o)<sslB" Coalent)s ;aen &&L @odule Aalso based on #o)<sslB
and C23et)s product &tronghold Abased on a different eolution branch named &ioux up
to &tronghold 2.x and based on #o)<ssl since &tronghold 9.xB.
#pache-!!+
To use $pache-&&L" you will need to do the following# ac+uire and install $pache with
the proper patches" ac+uire and install %pen&&L" generate a key-pair and either sign the
public part of it yourself" thus creating a certificate" or hae it signed by a commercial
Certificate $uthority AC$B.
The $pache-&&L distribution is simply a set of patches for $pache Aaailable for ersions
!.2..T and !.9..TB" some extra source files" a few ;D$*@D files and a few example
configuration files. The patches must be applied to the $pache source" and the result
compiled and linked with %pen&&L.
(efore installing it" you will need to be sure that you hae unpacked the source code for
the appropriate ersion of $pache. The modified source will still compile a standard
$pache as well as $pache-&&L.
$fter installation of the software" you will need to configure $pache as usual. $lso" a
number of additional directies should be used in the $pacheA-&&LB configuration files to
configure the secure serer for example" the location for the key-files. $s it)s beyond the
scope of this book to document these directies we recommend reading the $pache-&&L
documentation and the materials found on the Apache-44L #ebsite.
#pache with mod_ssl
To use #o)<ssl you will need to ac+uire and install $pache" patch it" and install and
configure the module. Lou also need to ac+uire and install %pen&&L" generate a key-pair"
and either sign the public part of it yourself" thus creating a certificate" or hae it signed
by a commercial Certificate $uthority AC$B.
The #o)<ssl package consists of the &&L module itself - and" surprisingly" a set of
patches for $pache itself. This may pu,,le you at first# why you need to patch $pache to
install the #o)<ssl module> -ell" the standard $PI that $pache uses for it)s modules is
- !<5 -
unable to communicate with the &&L module. Therefore" the source patches add the
Dxtended $PI AD$PIB. In other words# you can only use the #o)<ssl module when
$pache)s core code contains the Dxtended $PI. -hen building #o)<ssl" the $pache
source tree is automatically altered for you" adding the Dxtended $PI.
$fter installation of the software you will need to configure $pache as with $pache-&&L.
&ome additional directies should be used to configure the secure serer - for example
the location of the key-files. It)s beyond the scope of this book to document these
directies" howeer" you can find them in the #o)<ssl documentation and on the
mod1ssl #eb-site .
*onitoring /pache load and performance
$pache is a general web-serer and is designed to be correct first and fast second. ADen
so" its performance is +uite satisfactory.B @ost sites hae less than !.@bits of outgoing
bandwidth" which $pache can fill using only a low end Pentium-based computer. In
practice" sites with more bandwidth re+uire more than one machine to fill the bandwidth
due to other constraints Asuch as C6I or database transaction oerheadB. ?or these
reasons" the deelopment focus has stayed on correctness and configurability.
The single biggest hardware issue affecting web-serer performance is ;$@. $
webserer should neer eer hae to swap. It increases the latency of each re+uest
beyond a point that users consider Jfast enoughK. This causes users to hit stop and reload"
further increasing the load. Lou can" and should" control the MaxDlients setting so that
your serer does not spawn so many children that it starts swapping.
$n %pen &ource system that can be used to periodically load-test pages of web-serers is
Cricket. Cricket can be easily set up to record page-load times" and it has a web-based
grapher that will generate charts to display the data in seeral formats. It is based on
224tool" whose ancestor is @;T6 Ashort for J@ulti-;outer Traffic 6rapherKB. ;;*tool
A;ound ;obin *ata ToolB is a package that collects data in Jround robinK databasesQ each
data file is fixed in si,e so that running Cricket does not slowly fill up your disks. The
database tables are si,ed when created and do not grow larger oer time. $s the data
ages" it)s aeraged.
/pache access2log file
The access"log gies a generic oeriew of the access to your web-serer. The format
of the access log is highly configurable. The format is specified using a format string that
looks much like a C-style printf format string. $ typical configuration for the access log
might look as follows.
MogIormat 9]2 ]l ]u ]t /9]r/9 ]As ]b9 common
DustomMog logs/access"log common

- !<: -
This defines the nickname common and associates it with a particular log format string.
The aboe configuration will write log entries in a format known as the Common Log
?ormat ACL?B. This standard format can be produced by many different web serers and
read by many log analysis programs. The log file entries produced in CL? will look
something like this#
#20.$.$.# 6 5ran, )#$/Gct/2$$$.#%.((.%6 6$0$$* 9J:L /apac2e"pb.gi5
YLLF/#.$9 2$$ 2%26

and contain the following fields#
!. IP address of the client AMhB
2. ;?C !2!9 identity determined by i)ent) AMlB
9. userid of person re+uesting AMuB
2. time serer finished sering re+uest AMtB
5. re+uest line of user AMrB
:. status code serers sent to client AMsB
7. si,e of ob'ect returned AMbB.
!estricting client user access
$pache is aware of two methods of access control#
discretionary access control A*$CB
check the alidity of the credentials gien by the user" e.g. username=password
Ayou can change these at your discretionBQ
mandatory access controls A@$CB
alidate aspects that the user cannot control" for example" your *3$ se+uence"
fingerprint or retinal patterns.
In -eb terms" and $pache terms in particular" discretionary controls are based on
usernames and passwords" and mandatory controls are based on things like the IP address
of the re+uesting client.
$pache uses modules to authenticate and authorise users. 6enerally" modules let you
store the alid credential information in one or another format. The #o)<auth module"
for instance" looks in normal text files for the username and password info" and
#o)<auth<)*# looks in a *(@ database for it.
(elow is a list of the security-related modules that are included as part of the standard
$pache distribution.
#o)<auth
- !<7 -
This is the basis for most $pache security modulesQ it uses ordinary text files for
the authentication database.
#o)<access
This is the only module in the standard $pache distribution which applies
mandatory controls. It allows you to list hosts" domains" and=or IP addresses or
networks that are permitted or denied access to documents.
#o)<auth<anon
This module mimics the behaiour of anonymous ?TP - rather than haing a
database of alid credentials" it recogni,es a list of alid usernames Ai.e." the way
an ?TP serer recogni,es JftpK and JanonymousKB and grants access to any of
those with irtually any password. This module is more useful for logging access
to resources and keeping robots out than it is for actual access control.
#o)<auth<)*#
Like #o)<auth<)*" sae that credentials are stored in a *(@ file.
#o)<auth<)*
This module is essentially the same as #o)<auth" except that the authentication
credentials are stored in a (erkeley *( file format. The directies contain the
additional letters J*(K Ae.g." $uth*(4ser?ileB.
#o)<auth<)igest
-hereas the other discretionary control modules supplied with $pache all support
(asic authentication" #o)<auth<)igest is currently the sole supporter of the
*igest mechanism. It underwent some serious reamping in !<<<. Like
#o)<auth" the credentials used by this module are stored in a text file. *igest
database files are managed with the htdigest tool. 4sing #o)<)igest is much
more inoled than setting up (asic authenticationQ please see the module
documentation for details.
Configuring authentication modules
The security modules are passed the information about which authentication databases to
use ia directies in the $pache configuration files" such as 1uth9ser-ile or
1uth470>roup-ile. $n alternate approach is the use of .2taccess files" which can be
placed in the directories to be protected.
"he first approach. The resource being protected is determined from the placement of
the directies in the configuration filesQ in this example#
- !<8 -
?Director! /2ome/7o2nson/public"2tmlA
?Iiles 5oo.barA
;ut2Hame 9Ioo 5or L2oug2t9
;ut2L!pe =asic
;ut2serIile /2ome/7o2nson/5oo.2tpass>d
1eSuire -alid6user
?/IilesA
?/Director!A
?/screenA

The resource being protected is Jany file named foo.barK in the
/2ome/7o2nson/public"2tml directory or anywhere underneath it. Likewise" the
identification of which users are authori,ed to access 5oo.bar is stated by the directies
-- in this case" any user with alid credentials in the /2ome/7o2nson/5oo.2tpass>d file
can access it.
"he other approach. Create an .2taccess file. The serer behaiour can be configured
on a directory-by-directory basis by using .2taccess files in directories accessed by the
serer Aproided you configured this in the 2ttpd.con5 file using the ;llo>G-erride
optionB.
Note
(y using an .2taccess file you can also restrict or grant access to certain user to
documents in or under a directory. *ocuments that are to be restricted should be put in
directories separate from those you want unrestricted.
The authentication part of an .2taccess file contains 2 sections#
The first section of .2taccess can contain lines to determine which authentication type
to use. It can also contain the names of the password file to use" or the group file to use"
e.g.#
;ut2serIile Upat2 to pass>d 5ileV
;ut2JroupIile Upat2 to group 5ileV
;ut2Hame Utitle 5or dialog boxV
;ut2L!pe =asic

The second section of .2taccess contains a section that defines the access rights for the
current directory to ensure that only user UusernameV can access the current directory#
?Mimit J:LA
reSuire user UusernameV
?/MimitA

- !<< -
The Mimit section can contain other directies" that allow access from only certain IP
addresses or only for users who are part of a certain set of users" a group.
$s an example of the usage of both access control types A*$C and @$CB" the following
would permit any client on the local network AIP addresses !..^.^.^B to access the
5oo.2tml page without hindrance" but re+uire a username and password for anyone else#
?Iiles 5oo.2tmlA
Grder Den!O;llo>
Den! 5rom ;ll
;llo> 5rom #$.$.$.$/2((.$.$.$
;ut2Hame 9Insiders Gnl!9
;ut2L!pe =asic
;ut2serIile /usr/local/>eb/apac2e/.2tpass>d65oo
1eSuire -alid6user
Satis5! ;n!
?/IilesA

User files
The #o)<auth module uses plain text user files. Its entries are of the form
Jusername#passwordKQ additional fields may follow the password" separated from it by a
colon" but they)re ignored. The password field should be encrypted. To create and update
the flat-files used to store usernames and password for basic authentication of /TTP
users" you can use the command htpassw). This program can only be used when the
usernames are stored in a flat-file. htpassw) encrypts passwords using either a ersion of
@*5 modified for $pache" or the system)s cr!pt() routine. It is permissible to hae
some user records using @*5-encrypted passwords" while others in the same file may
hae passwords encrypted with cr!pt(). To use a *(@ database Aas used by
#o)<auth<)*B you may use )*##anage. ?or other types of user files=databases" please
consult the documentation that comes with the chosen module.
Group files
It is possible to deny or allow access for a group of users. This is done by creating a
group file. It contains a list of groups and members. The group names are completely
arbitrary. The usernames should occur in the password file. The format looks like this#
Ugroup#V.Uusername#V Uusername2V etc...
Ugroup2V.Uusername#V Uusername%V etc...

In this example" group# and group2 are different group names and username#"
username2" and username% are usernames from the password file. (e sure to put each
group entry on its own line.
- 2.. -
Note
$ username can be in more than one group entry. This simply means that the user is a
member of both groups.
The last step is to make sure that the read permissions for the group file hae been set for
eeryone Ai.e." owner" group and otherB. ;eferral to this file is done by insertion of
;ut2JroupIile directies into either the master configuration file or into the .2taccess
file.
=xa#ple '.1. =xa#ple
To ensure that only users of the group m!group" as defined in file
/etc/2ttpd/groups/group5ile" can access a directory" you)d use these directies in
.2taccess#
;ut2JroupIile /etc/2ttpd/groups/group5ile
?Mimit J:LA
reSuire group m!group
?/MimitA

Configuring mod_perl
#o)<perl is another module for $pache. Lou can configure it either at compile-time" or
as a *&%. -ith #o)<perl it is possible to write $pache modules entirely in Perl" letting
you easily do things that are more difficult or impossible in C6I programs. In addition"
the persistent Perl interpreter embedded in the module saes the oerhead of starting an
external interpreter. $nother important feature is code-caching# modules and scripts are
loaded and compiled only once" and for the rest of the serer)s life they are sered from
the cache. Thus" the serer spends its time running only already loaded and compiled
code" which is ery fast.
Lou hae full access to the inner workings of the web serer and can interene at any
stage of re+uest-processing. This allows for customi,ed processing of Ato name 'ust a few
of the phasesB 4;I-]filename translation" authentication" response generation and
logging. There is ery little run-time oerhead.
The standard Common 6ateway Interface AC6IB within $pache can be replaced entirely
with Perl code that handles the response generation phase of re+uest processing.
#o)<perl includes two general purpose modules for this purpose# ;pac2e..1egistr!"
which can transparently run existing perl C6I scripts and ;pac2e..Ferl1un" which does
a similar 'ob" but allows you to run JdirtierK Ato some extentB scripts.
Lou can configure your http) serer and handlers in Perl Ausing FerlSetPar" and
?FerlA sectionsB. Lou can also define your own configuration directies.
- 2.! -
There are many ways to install #o)<perl" e.g. as a *&%" either using $PP& or not" from
source or from ;P@)s. @ost of the possible scenarios can be found in the @odFperl. $s
an example we describe a scenario for building $pache and #o)<perl from source code.
Lou should hae the $pache source code" the source code for #o)<perl and hae
unpacked these in the same directory. Lou)ll need a recent ersion of perl installed on
your system. To build the module" in most cases" these commands will suffice#
3 cd 3Ut2e6name6o56t2e6director!6>it26t2e6sources65or6t2e6moduleV
3 perl Ma,e5ile.FM ;F;DY:"S1DB../apac2e"x.x.x/src /
DG"YLLFDB# S:";F;DIB# :P:1NLYIHJB#
3 ma,e [[ ma,e test [[ ma,e install

$fter building the module" you should also build the $pache serer. This can be done
using the commands#
3 cd 3Ut2e6name6o56t2e6director!6>it26t2e6sources65or6;pac2eV
3 ma,e install

$ll that)s left then is to add a few configuration lines to 2ttpd.con5 Athe $pache
configuration fileB and start the serer. -hich lines you should add depends on the
specific type of installation" but usually a few MoadModule and ;ddModule lines suffice.
$s an example" these are the lines you would need to add to use #o)<perl as a *&%#
MoadModule perl"module modules/libperl.so
;ddModule mod"perl.c
FerlModule ;pac2e..1egistr!
;lias /perl/ /2ome/2ttpd/perl/
?Mocation /perlA
SetYandler perl6script
FerlYandler ;pac2e..1egistr!
Gptions X:xecDJI
FerlSendYeader Gn
?/MocationA
The first two lines will add the #o)<perl module when $pache boots. %n boot" the
FerlModule directie ensures that the named Perl module is read in too. This usually is a
Perl package file ending in .pm. The ;lias keyword reroutes re+uests for 4;Is in the
form 2ttp.//>>>.2ost.com/perl/5ile.pl to the directory /2ome/2ttpd/perl. 3ext"
we define settings for that location. (y setting the SetYandler" all re+uests for a Perl file
in the directory /2ome/2ttpd/perl now will be redirected to the perl-script handler"
which is part of the ;pac2e..1egistr! module. The next line simply allows execution
of C6I scripts in the specified location. $ny 4;I of the form
2ttp.//>>>.2ost.com/perl/5ile.pl now will be compiled once and cached in
- 2.2 -
memory. The memory image will be refreshed by recompiling the Perl routine wheneer
its source is updated on disk.
Configuring mod_php support
P/P is a serer-side" cross-platform" /T@L embedded scripting language. P/P started
as a +uick Perl hack written by ;asmus Lerdorf in late !<<2. %er the next two to three
years" it eoled into what we today know as P/P=?I 2... P/P=?I started to get a lot of
users" but things didn)t start flying until Eee &uraski and $ndi 6utmans suddenly came
along with a new parser in the summer of !<<7" leading to P/P 9... P/P 9.. defined the
syntax and semantics used in both ersions 9 and 2.
P/P can be called from the C6I interface" but most common approach is to configure
P/P in the $pache web serer as a Adynamic *&%B module. To do this" you can either
use pre-build modules extracted from ;P@)s or roll your own from the source code. Lou
need to configure the make-process first. To tell configure to build the module as a
*&%" you need to tell it to use $PP&#
./con5igure 6>it26apxs

.. or" in case you want to specify the location for the apxs binary#
./con5igure 6>it26apxsBUpat26to6apxsV/apxs

3ext" you can compile P/P by running the #ake command. %nce all the source files are
successfully compiled" install P/P by using the #ake install command.
(efore $pache can use P/P" it has to know about the P/P module and when to use it.
The apxs program took care of telling $pache about the P/P module" so all that is left to
do is tell $pache about .p2p files. ?ile types are controlled in the 2ttpd.con5 file" and it
usually includes lines about P/P that are commented out. Lou want to search for these
lines and uncomment them#
;ddt!pe application/x62ttpd6p2p .p2p

.. and restart $pache by issuing the apachectl restart command.
To test whether it actually works" create the following page#
?YLMMA
?Y:;DA?LILM:AFYF Lest ?/LILM:A?/Y:;DA
?=GDNA
?4p2pin5o( ) 4A
?/=GDNA
?/YLMMA
- 2.9 -

3otice that P/P commands are contained by ?4 and 4A tags. &ae the file as test.p2p in
$pache)s 2tdocs directory and aim your browser at 2ttp.//local2ost/test.p2p. $
page should appear with the P/P logo and additional information about your P/P
configuration.
Configuring /pache server options
The 2ttpd.con5 file contains a number of sections that allow you to configure the
behaior of the $pache serer. $ number of keywords=sections are listed below.
MaxKeep;li-e1eSuests
The maximum number of re+uests to allow during a persistent connection. &et to
. to allow an unlimited amount.
StartSer-ers
The number of serers to start initially.
MinSpareSer-ers" MaxSpareSer-ers
4sed for serer-pool si,e regulation. ;ather than making you guess how many
serer processes you need" $pache dynamically adapts to the load it sees. That is"
it tries to maintain enough serer processes to handle the current load" plus a few
spare serers to handle transient load spikes Ae.g." multiple simultaneous re+uests
from a single 3etscape browserB. It does this by periodically checking how many
serers are waiting for a re+uest. If there are fewer than MinSpareSer-ers" it
creates a new spare. If there are more than MaxSpareSer-ers" some of the spares
die off.
MaxDlients
Limit on total number of serers running" i.e." limit on the number of clients that
can simultaneously connect. If this limit is eer reached" clients will be locked
out" so it should not be set too lo#. It is intended mainly as a brake to keep a
runaway serer from taking the system with it as it spirals down.
0aintaining a ;e* (er+er (2.2'.2!
- 2.2 -
Candidates should be able to configure $pache to use irtual hosting for web-sites
without dedicated IP addresses. This ob'ectie also includes creating an &&L certification
for $pache and creating &&L definitions in configuration files using %pen&&L. $lso
included is the customi,ation of file access by implementing redirect statements in
$pache)s configuration files.
2ttpd.con5
/pache 2irtual )osting
)irtual osting is a techni+ue that proides the capability to host more than one domain
on one ph(sical host. There are two methods to implement irtual hosting#
5a#e@*ase) +irtual hosting. -ith name-based irtual hosting" the serer relies on the
client Ae.g. the browserB to report the hostname as part of the /TTP headers. 4sing this
techni+ue" many different hosts can share the same IP address.
3P@*ase) +irtual hosting. 4sing this method" each AwebBdomain has it)s own uni+ue IP
address. &ince one ph(sical host can hae more than one IP address" one host can sere
more than one AwebBdomain. In other words# IP-based irtual hosts use the IP address of
the connection to determine the correct irtual host to sere.
5a#e@*ase) +irtual hosting
3ame-based irtual hosting is a fairly simple techni+ue. Lou need to configure your *3&
serer to map each hostname to the correct IP address first" then configure the $pache
/TTP &erer to recogni,e the different hostnames.
"ip
3ame-based irtual hosting eases the demand for scarce IP addresses. Therefore you
should use name-based irtual hosting unless there is a specific reason to choose IP-based
irtual hosting" see IP-based Cirtual /osting.
To use name-based irtual hosting" you must designate the IP address Aand possibly portB
on the serer that will be accepting re+uests for the hosts. This is configured using the
HamePirtualYost directie. 3ormally any and all IP addresses on the serer should be
used" so" you can use E as the argument to HamePirtualYost. 3ote that mentioning an IP
address in a HamePirtualYost directie does not automatically make the serer listen to
that IP address# there are two additional directies used to restrict or specify which
addresses and ports $pache listens to#
- 2.5 -
=ind;ddress is used to restrict the serer to listening to a single address" and can
be used to permit multiple Apache servers on the same machine to listen to
different IP addressesQ
Misten can be used to make a single Apache server listen to more than one
address and=or port.
The next step is to create a ?PirtualYostA block for each different host you would like
to sere. The argument to the ?PirtualYostA directie should be the same as the
argument to the HamePirtualYost directie Ai.e." an IP address or E for all addressesB.
Inside each ?PirtualYostA block" you will need" at minimum" a Ser-erHame directie
to designate which host is sered and a Document1oot directie to show where in the
filesystem the content for that host lies.
&uppose that both >>>.domain.tld and >>>.ot2erdomain.tld point to the IP address
""">##>33>$$. Lou then simply add the following to 2ttpd.con5#
HamePirtualYost ###.22.%%.44
?PirtualYost ###.22.%%.44A
Ser-erHame >>>.domain.tld
Document1oot />>>/domain
?/PirtualYostA
?PirtualYost ###.22.%%.44A
Ser-erHame >>>.ot2erdomain.tld
Document1oot />>>/ot2erdomain
?/PirtualYostA

In the simplest case" the IP address """>##>$$>33 can be replaced by E to match all IP
addresses for your serer. @any serers want to be accessible by more than one name.
This is possible with the Ser-er;lias directie placed inside the \Cirtual/ost] section"
if" for example" you add the following to the first \Cirtual/ost] block aboe
Ser-er;lias domain.tld E.domain.tld

then re+uests for all hosts in the domain.tld domain will be sered by the
>>>.domain.tld irtual host. The wildcard characters E and F can be used to match
names.
"ip
%f course" you can)t 'ust make up names and place them in Ser-erHame or Ser-er;lias.
Lou must first hae your *3& serer properly configured to map those names to the IP
address in the HamePirtualYost directie.
- 2.: -
?inally" you can fine-tune the configuration of the irtual hosts by placing other
directies inside the ?PirtualYostA containers. @ost directies can be placed in these
containers and will then change the configuration only of the releant irtual host.
Configuration directies set in the main serer context Aoutside any ?PirtualYostA
containerB will be used only if they are not oerridden by the irtual host settings.
3ow when a re+uest arries" the serer will first check if it is re+uesting an IP address
that matches the HamePirtualYost. If it is" then it will look at each ?PirtualYostA
section with a matching IP address and try to find one where the Ser-erHame or
Ser-er;lias matches the re+uested hostname. If it finds one" it then uses the
configuration for that serer. If no matching irtual host is found" then the first listed
irtual host that matches the IP address will be used.
$s a conse+uence" the first listed irtual host is the default irtual host. The
Document1oot from the main serer will neer be used when an IP address matches the
HamePirtualYost directie. If you would like to hae a special configuration for
re+uests that do not match any particular irtual host" simply put that configuration in a
?PirtualYostA container and list it first in the configuration file.
3P@*ase) +irtual hosting
*espite the adantages of name-based irtual hosting" there are some reasons why you
might consider using IP-based irtual hosting instead#
3ame-based irtual hosting cannot be used with &&L secure serers because of
the nature of the &&L protocol.
&ome ancient clients are not compatible with name-based irtual hosting. ?or
name-based irtual hosting to work" the client must send the /TTP /ost header.
This is re+uired by /TTP=!.!" and is implemented by all modern /TTP=!..
browsers as an extension.
&ome operating systems and network e+uipment implement bandwidth
management techni+ues that cannot differentiate between hosts unless they are on
separate IP addresses.
$s the term I'-based indicates" the serer must hae a different IP address for each IP-
based irtual host. This can be achieed by e+uipping the machine with seeral physical
network connections or by use of irtual interfaces" which are supported by most modern
operating systems Asee system documentation for details on IF aliasing and the
ifconfig commandB.
There are two ways of configuring $pache to support multiple hosts.
by running a separate http) daemon for each hostname
by running a single daemon which supports all the irtual hosts.
4se multiple daemons when#
- 2.7 -
there are security issues" e.g." if you want to maintain strict separation between the
web-pages for separate customers. In this case you would need one daemon per
customer" each running with different ser" Jroup" Misten and Ser-er1oot
settingsQ
you can afford the memory and file descriptor re+uirements of listening to eery
IP alias on the machine. It)s only possible to Misten to the JwildcardK address" or
to specific addresses. &o" if you need to listen to a specific address" you will need
to listen to all specific addresses.
4se a single daemon when#
sharing of the http) configuration between irtual hosts is acceptableQ
the machine seres a large number of re+uests" and so the performance loss in
running separate daemons may be significant.
!etting up multiple daemons
Create a separate http) installation for each irtual host. ?or each installation" use the
Misten directie in the configuration file to select which IP address Aor irtual hostB that
daemon serices#
Misten #2%.4(.60.'&.'$

Lou can use the domain name if you want to" but it is recommended you use the IP
address instead.
!etting up a single daemon
?or this case" a single http) will serice re+uests for the main serer and all the irtual
hosts. The PirtualYost directie in the configuration file is used to set the alues of
Ser-er;dmin" Ser-erHame" Document1oot" :rrorMog and Lrans5erMog or DustomMog
configuration directies to different alues for each irtual host.
?PirtualYost >>>.smallco.comA
Ser-er;dmin >ebmaster@mail.smallco.com
Document1oot /groups/smallco/>>>
Ser-erHame >>>.smallco.com
:rrorMog /groups/smallco/logs/error"log
Lrans5erMog /groups/smallco/logs/access"log
?/PirtualYostA
?PirtualYost >>>.ba!group.orgA
Ser-er;dmin >ebmaster@mail.ba!group.org
Document1oot /groups/ba!group/>>>
Ser-erHame >>>.ba!group.org
:rrorMog /groups/ba!group/logs/error"log
Lrans5erMog /groups/ba!group/logs/access"log
?/PirtualYostA
- 2.8 -

Customi9ing file access
1edirect allows you to tell clients about documents which used to exist in your serer)s
namespace" but do not anymore. This allows you to tell the clients where to look for the
relocated document.
1edirect Uold61IV Une>61MV

)o to create a ++L server Certificate
-hilst installing %pen&&L" the program openssl has been installed on your system. This
command can be used to create the necessary files.
@ore specifically these are#
the ;4A private ke( file is a digital file that you can use to decrypt messages sent
to you. It has a public component which you distribute Aia your ,ertificate fileB
and allows people to encrypt messages to youQ
a ,ertificate 4igning ;e6uest /,4;3 is a digital file which contains your public
key and your name. Lou send the C&; to a ,ertif(ing Authorit( /,A3 to be
conerted into a real ,ertificate.
$ ,ertificate contains your ;&$ public key" your name" the name of the C$ and
is digitally signed by your C$. (rowsers that know the C$ can erify the
signature on that Certificate" thereby obtaining your ;&$ public key. That enables
them to send messages which only you can decrypt.
To create a ;&$ priate key for your $pache serer Ait will be Triple-*D& encrypted and
PD@ formattedB#
3 openssl genrsa 6des% 6out ser-er.,e! #$24

openssl will ask for a pass-phrase. Please backup this serer.key file and remember the
pass-phrase.
To create a Certificate &igning ;e+uest AC&;B with the serer ;&$ priate key Aoutput
will be PD@ formattedB#
3 openssl reS 6ne> 6,e! ser-er.,e! 6out ser-er.csr

@ake sure you enter the ?H*3 AV?ully Hualified *omain 3ameVB of the serer when
%pen&&L prompts you for the JCommon3ameK" i.e. when you generate a C&; for a
web-site which will later be accessed ia 2ttps.//>>>.5oo.dom/" enter Jwww.foo.domK
here.
- 2.< -
Lou now hae to send this Certificate &igning ;e+uest AC&;B to a Certifying $uthority
AC$B for signing. The result is a real Certificate which can be used for $pache. /ere you
hae two options# ?irst you can let the C&; sign ia a commercial C$ like Cerisign or
Thawte. Then" you usually hae to post the C&; into a web form" pay for the signing and
await a signed Certificate that you can store in a ser-er.crt file. &econdly" you could
create your own C$ and sign the certificate yourself.
The ser-er.csr file is no longer needed. 3ow you hae two files# ser-er.,e! and
ser-er.crt. In your $pache)s 2ttpd.con5 file you should refer to them using lines like
these#
SSMDerti5icateIile /pat2/to/t2is/ser-er.crt
SSMDerti5icateKe!Iile /pat2/to/t2is/ser-er.,e!

"ip
/ow do you run $pache-&&L as a shareable A*&%B module> ?irst" configure the shared
module support in the source tree#
./con5igure 66enable6s2aredBapac2e"ssl

then enable the module in your 2ttpd.con5#
MoadModule apac2e"ssl"module modules/libssl.so

3#ple#enting a Proxy (er+er (2.2'.3!
Candidates should be able to install and configure a proxy serer using sCui). This
ob'ectie includes implementing access policies" setting up authentication and utili,ing
memory usage.
sSuid.con5
2ttp"access
%eb0caches
$ #eb-cache" also known as a http prox(" is used to reduce bandwidth demands and often
allows for finer-grained access control. 4sing a proxy" the client specifies the hostname
and port number of a proxy in his web browsing software. The browser then makes
re+uests to the proxy" and the proxy forwards them to the origin serers. $ proxy will use
locally cached ersions of web-pages if they did not expire yet and will alidate client-
re+uests.
- 2!. -
$dditionally" there are transparent proxies. 4sually this is the tandem of a regular proxy
and a redirecting router. In these cases" a web re+uest can be intercepted by the proxy"
transparently. That is" as far as the client software knows" it is talking to the originating
serer itself" when it is really talking to the proxy.
squid
sCui) is a high-performance proxy caching serer for web clients. sCui) supports more
then 'ust /TTP data ob'ects# it supports ?TP and gopher ob'ects too. sCui) handles all
re+uests in a single" non-blocking" I=%-drien process. sCui) keeps meta data and"
especially" hot ob'ects cached in ;$@" caches *3& lookups" supports non-blocking *3&
lookups and implements negatie caching of failed re+uests. sCui) supports &&L"
extensie access controls and full re+uest logging. (y using the lightweight Internet
Cache Protocol" sCui) caches can be arranged in a hierarchy or mesh for additional
bandwidth saings.
sCui) can be used for a number of things" including saing bandwidth" handling traffic
spikes and caching sites that are occasionally unaailable. sCui) can also be used for load
balancing. Dssentially" the first time sCui) receies a re+uest from a browser" it acts as an
intermediary and passes the re+uest on to the serer. sCui) then saes a copy of the
ob'ect. If no other clients re+uest the same ob'ect" you)ll see no benefit. /oweer" if
multiple clients re+uest the ob'ect before it expires from the cache" sCui) can speed up
transactions and sae bandwidth. If you)e eer needed a document from a slow site" say
one located in another country" hosted on a slow connection or both" you can see the
benefit of haing a document cached. The first re+uest may be slower than molasses" but
the next re+uest for the same document will be much faster" and the originating serer)s
load will be lightened.
sCui) consists of a main serer program sCui)" a *omain 3ame &ystem lookup program
)nsser+er" some optional programs for rewriting re+uests and performing authentication"
and some management and client tools. -hen sCui) starts up" it spawns a configurable
number of )nsser+er processes" each of which can perform a single" blocking *omain
3ame &ystem A*3&B lookup. This reduces the amount of time the cache waits for *3&
lookups.
sCui) is normally obtained in source code format. %n most systems a simple #ake
install will suffice. $fter that" you will also hae a set of configuration files. $ll
configuration files are" by default" kept in the directory /usr/local/sSuid/etc.
/oweer" the location may ary" depending on the style and habits of your distribution.
The *ebian packages" for example" place the configuration files in /etc" which is the
normal home for .con5 files. Though there is more than one file in this directory" only
one file is important to most administrators" the sSuid.con5 file. There are oer a !25
option tags in this file - but you should only need to change eight options to get sCui) up
and running. The other options gie you additional flexibility.
- 2!! -
sCui) assumes that you wish to use the default alue if there is no occurrence of a tag in
the sSuid.con5 file. Theoretically" you could een run sCui) with a ,ero length
configuration file. Lou will need to change at least one part of the configuration file
though# the default sSuid.con5 denies access to all browsers. Lou will need to edit the
$ccess Control Lists to allow your clients to use the sCui) proxy. The most basic way to
perform access control is to use the 2ttp"access option Asee belowB.
(ections in the sCui).conf file
2ttp"port
this option determines on which portAsB sCui) will listen for re+uests. (y default
this is port %#2'. $nother commonly used port is port '$'$.
cac2e"dir
used to configure specific storage areas. If you use more than one disk for cached
data" you may need more than one mount point Afor example /usr/local/sSuid/
cac2e# for the first disk" /usr/local/sSuid/cac2e2 for the secondB. sCui)
allows you to hae more than one cac2e"dir option in your config file. This
option can hae four parameters#
cac2e"dir /usr/local/sSuid/cac2e/ #$$ #6 2(6

The first option determines in what directory the cache should be maintained. The
next option is a si,e alue. sCui) will store up to that amount of data in that
directory. The alue is in megabytes and defaults to !.. @egabyte. The next two
options set the number of subdirectories Afirst and second tierB to create in this
directory. sCui) makes lots of directories and stores a few files in each of them in
an attempt to speed up disk access Afinding the correct entry in a directory with
one million files in it is not efficient# it)s better to split the files up into lots of
smaller sets of filesB.
2ttp"access" acl
The basic syntax of the option is 2ttp"access allo>Tden! )Q*aclname. If you
want to proide access to an internal network" and deny access to anyone else"
your options might look like this#
acl 2ome src #$.$.$.$/2((.$.$.$
2ttp"access allo> 2ome

The first line sets up an $ccess Control List class called JhomeK of an internal
network range of addresses. The second line allows access to that range of
- 2!2 -
addresses. $ssuming it)s the final line in the access list" all other clients will be
denied. &ee also the section on acl.
"ip
3ote that sCui))s default behaior is to do the opposite of (our last access line if
it can)t find a matching entry. ?or example" if the last line is set to JallowK access
for a certain set of network addresses" then sCui) will deny any client that doesn)t
match any of its rules. %n the other hand" if the last line is set to JdenyK access"
then sCui) will allow access to any client that doesn)t match its rules.
aut2enticate"program
This option is used to specify which program to start up as a authenticator. Lou
can specify the name of the program and any parameters needed.
redirect"program" redirect"c2ildren
The redirect"program is used to specify which program to start up as a
redirector. The option redirect"c2ildren is used to specify how many
processes to start up to do redirection.
$fter you hae made changes to your configuration" issue sCui) @k reconfigure so that
sCui) will recogni,e the changes.
!edirectors
sCui) can be configured to pass eery incoming 4;L through a redirector process that
returns either a new 4;L or a blank line to indicate no change. $ redirector is an external
program" e.g. a script that you wrote yourself. Thus" a redirector program is -5T a
standard part of the sCui) package. /oweer" some examples are proided in the
contrib/ directory of the source distribution. &ince eeryone has different needs" it is up
to the indiidual administrators to write their own implementation.
$ redirector allows the administrator to control the locations to which his users may go. It
can be used in con'unction with transparent proxies to deny the users of your network
access to certain sites" e.g. porn-sites and the like.
The redirector program must read 4;Ls Aone per lineB on standard input" and write
rewritten 4;Ls or blank lines on standard output. $lso" sCui) writes additional
information after the 4;L which a redirector can use to make a decision. The input line
consists of four fields#
1M ip6address/5Sdn ident met2od

The 4;L originally re+uested.
- 2!9 -
The IP address and domain name Aif already cached by sCui)B of the client
making the re+uest.
The results of any I*D3T = $4T/ lookup done for this client" if enabled.
The /TTP method used in the re+uest" e.g. J:L.
$ parameter that is not known=specified is replaced by a dash. $ sample redirector input
line#
5tp.//5tp.gnome.org/pub/JHGM:/stable/releases/ gnome6#.$.(%/1:;DM:
#&2.#6'.#2.%4/6 6 J:L

$ sample response#
5tp.//5tp.net.lboro.ac.u,/gnome/stable/releases/ gnome6#.$.(%/1:;DM:
#&2.#6'.#2.%4/6 6 J:L

It is possible to send the client itself an /TTP redirect to the new 4;L" rather than hae
sCui) silently fetch the alternatie 4;L. To do this" the redirector should begin its
response with %$#. or %$2. depending on the type of redirect.
$ simple ery fast redirector called sCuir# is a good place to start" it uses the regex
library to allow pattern matching.
The following Perl script may also be used as a template for writing your own redirector#
+Q/usr/local/bin/perl
3TB#C
>2ile (?A) U
s@2ttp.//5rom2ost.com@2ttp.//to2ost.org@C
printC
V

/uthenticators
sCui) can make use of authentication. $uthentication can be done on arious leels" e.g.
network or user.
(rowsers are capable to send the user)s authentication credentials using a special
Jauthori,ation re+uest headerK. This works as follows# if sCui) gets a re+uest" gien there
was an 2ttp"access rule list that points to a prox!"aut2 $CL" sCui) looks for an
authorization header. If the header is present" sCui) decodes it and extracts a username
and password. If the header is missing" sCui) returns an /TTP reply with status 2.7
AProxy $uthentication ;e+uiredB. The user agent AbrowserB receies the 2.7 reply and
then prompts the user to enter a name and password. The name and password are
encoded" and sent in the $uthori,ation header for subse+uent re+uests to the proxy.
- 2!2 -
+ecurity Issue
The /TTP protocol has two authentication modes# basic and digest mode. In digest
mode" the serer encodes the password with a different key in a unidirectional function
and the client decodes the function using the password" then returns the key. This proes
that the client knows the password" without actually transmitting the password at any
point. /oweer" most proxies are not capable of using digest mode" and are using basic
mode instead. In basic mode" the name and password are encoded using base&<. A&ee
section !!.! of ;?C 2:!:B. /oweer" base:2 is a binary-to-text encoding algorithm" it
does 3%T encrypt the information it encodes. This means that the username and
password are essentially cleartext between the browser and the proxy. Therefore" you
should not use the same username and password that you would use for your account
login. sCui) supports digest mode. /oweer" ersions older than 2.5 need to be patched.
The patch was integrated in ersion 2.5" Ranuary 2..!.
$uthentication is actually performed outside of the main sCui) process. -hen sCui)
starts" it spawns a number of authentication subprocesses. These processes read
usernames and passwords on stdin and reply with GK or :11 on stdout. This techni+ue
allows you to use a number of different authentication schemes" although currently you
can only use one scheme at a time.
The sCui) source code comes with a few authentcation processes. These include#
L*$P# 4ses the Lightweight *irectory $ccess Protocol
3C&$# 4ses an 3C&$-style username and password file.
@&3T# 4ses a -indows 3T authentication domain.
P$@# 4ses the Linux Pluggable $uthentication @odules scheme.
&@(# 4ses a &@( serer like -indows 3T or &amba.
getpwam# 4ses the old-fashioned 4nix password file.
In order to authenticate users" you need to compile and install one of the supplied
authentication modules" download a different one or write your own. Lou tell sCui)
which authentication program to use with the aut2enticate"program option in
sSuid.con5. Lou specify the name of the program" plus any command line options if
necessary. ?or example#
aut2enticate"program /usr/local/sSuid/bin/ncsa"aut2
/usr/local/sSuid/etc/pass>d

The sCui) source distribution includes a number of external authentication modules in
the auth<#o)ules directory. $dditional modules that you might be interested in are#
;$*I4&
This is @arc an &elm)s ;$*I4& authenticator for sCui).
- 2!5 -
3on-$non L*$P
0arel *e (ruyne has modified $lan &park)s original L*$P authenticator to work
for non-anonymous L*$P serers.
6roup L*$P
Tobias Crawley has a patch that supports static and dynamic L*$P group
lookups when doing L*$P authentication. It modifies the core s+uid code to add
support for ldap groups in acl mechanism" and adds a group ldap authentication
module in the authFmodules=6;%4PFL*$P= directory.
s+uidauth.pl
This authentication program by Thomas (1rnert is written in perl and uses the
#), and 030=AA7ase%$ @odules. It has some security features" which may be
necessary for firewalls.
/ccess policies
@any sSuid.con5 options re+uire use of $ccess Control Lists A$CLsB. Dach $CL
consists of a name" type and alue Aa string or filenameB. $ccess control lists A$CLsB are
often regarded as the most difficult part of the sCui) cache configuration# the layout and
concept is not immediately obious to most people. $dditionally" the use of external
authenticators and the default $CL adds to the confusion.
$CLs can be seen as definitions of resources that may or may not gain access to certain
functions in the web-cache. $llowing the use of the proxy serer is one of these
functions.
To regulate access to certain functions" you will hae to define an $CL first" and then add
a line to deny or allow access to a function of the cache" using that $CL as a reference. In
most cases the feature to allo> or den! will be 2ttp"access" which allows or denies a
web browser)s to access the web-cache. The same principles apply to the other options"
such as icp"access.
To determine if a resource Ae.g. a userB has access to the web-cache" sCui) works its way
through the 2ttp"access list from top to bottom. It will match the rules" until one is
found that matches the user and either denies or allows access. Thus" if you want to allow
access to the proxy only to those users whose machines fall within a certain IP range you
would use the following#
acl ourallo>ed2osts src #&2.#6'.#.$/2((.2((.2((.$
acl all src $.$.$.$/$.$.$.$
2ttp"access allo> ourallo>ed2osts
2ttp"access den! all
- 2!: -

If a user from !<2.!:8.!.2 connects using TCP and re+uest a 4;L" sCui) will work it)s
way through the list of 2ttp"access lines. It works through this list from top to bottom"
stopping after the first match to decide which one they are in. In this case" sCui) will
match on the first 2ttp"access line. &ince the policy that matched is allo>" sCui)
would proceed to allow the re+uest.
The src option on the first line is one of the options you can use to decide which domain
the re+uesting user is in. Lou can regulate access based on the source or destination IP
address" domain or domain regular expression" hours" days" 4;L" port" protocol" method"
username or type of browser. $CLs can also re+uire user authentication" specify an
&3@P read community string" or set a TCP connection limit.
?or example" these lines would keep all internal IPs off the -eb except during lunchtime#
acl allo>ed"2osts #&2.#6'.#.$/2((.2((.2((.$
acl lunc2time MLRYI #2.$$6#%.$$
2ttp"access allo> allo>ed"2osts lunc2time

The MLRYI string denotes the proper days of the week" where M specifies @onday" L
specifies Tuesday and so on# RYI;S A-ednesday-&undayB. ?or more options hae a look
at the default configuration file sCui) installs on your system.
$nother example is the blocking of certain sites" based on their domain names#
acl adults dstdomain pla!bo!.com sex.com
acl ourallo>ed2osts src #&6.4.#6$.$/2((.2((.2((.$
acl all src $.$.$.$/$.$.$.$
2ttp"access den! adults
2ttp"access allo> ourallo>ed2osts
2ttp"access den! all
These lines preent access to the web-cache A2ttp"accessB to users who re+uest sites
listed in the adults $CL. If another site is re+uested" the next line allows access if the
user is in the range as specified by the $CL ourallo>ed2osts. If the user is not in that
range" the third line will deny access to the web-cache.
To use an authenticator" you hae to tell sCui) which program it should use to
authenticate a user Ausing the aut2enticate"program option in the sSuid.con5 fileB"
than you)ll need to set up an $CL of type prox!"aut2" and need to add a line to regulate
the access to the web-cache" using that ;DM#
aut2enticate"program /sbin/m!"aut2 65 /etc/m!"aut2.db
acl name prox!"aut2 1:_I1:D
2ttp"access allo> name

- 2!7 -
The $CL points to the external authenticator /sbin/m!"aut2. If a user wants access to
the webcache Athe 2ttp"access functionB" you would expect that Aas usualB the re+uest is
granted if the $CL name is matched. 5=*)*;"" this is not the case>
/uthenticator allo3 rules act as deny rules<
If the external authenticator allowed access the allo> rule actually acts as if it were a
den! ruleG An( follo#ing rules are conse6uentl( checked too until another matching $CL
is found. In other words# the rule 2ttp"access allo> name should be read as
2ttp"access den! Qname. The exclamation mark signifies a negation" thus the rule
2ttp"access den! Qname means# Jdeny access to users not matching the `namea ruleK.
squid alays adds a default /CL<
sCui) automatically adds a final rule to the $CL section that reverses the preceding AlastB
rule# if the last rule was an allo> rule" a den! all rule would be added" and ice ersa#
if the last rule was a den! rule" an allo> all rule would be added automatically.
(oth warnings imply that if the example aboe is implemented as it stands" the final line
2ttp"access allo> name implicitly adds a final rule 2ttp"access den! all. If the
external authenticator grants access" the access is not granted? but the next rule is
checked - and that next rule is the default den! rule if you do not specify one yourselfG
This means that properly authori,ed people would be denied access. This exceptional
behaior of sCui) is often misunderstood and pu,,les many noice sCui) administrators.
$ common solution is to add an extra lines" like this#
2ttp"access allo> name
2ttp"access allo> all

Utili9ing memory usage
sCui) uses lots of memory. ?or performance reasons this makes sense since it takes
much" much longer to read something from disk than it does to read directly from
memory. $ small amount of metadata for each cached ob'ect is kept in memory" the so-
called &toreDntry. ?or sCui) ersion 2 this is 5:-bytes on JsmallK pointer architectures
AIntel" &parc" @IP&" etcB and 88-bytes on JlargeK pointer architectures A$lphaB. In
addition" there is a !:-byte cache key A@*5 checksumB associated with each &toreDntry.
This means there are 72 or !.2 bytes of metadata in memory for eery ob'ect in your
cache. $ cache with !"..."... ob'ects therefore re+uires 72 @( of memory for metadata
only.
In practice" it re+uires much more than that. %ther uses of memory by sCui) include#
*isk buffers for reading and writing
3etwork I=% buffers
- 2!8 -
IP Cache contents
?H*3 Cache contents
3etdb IC@P measurement database
Per-re+uest state information" including full re+uest and reply headers
@iscellaneous statistics collection.
ot ob7ects which are kept entirely in memory.
Lou can use a number of parameters in sSuid.con5 to determine sCui))s memory
utili,ation.
The cac2e"mem parameter specifies how much memory to use for caching hot Aery
popularB re+uests. sCui))s actual memory usage depends strongly on your disk space
Acache spaceB and your incoming re+uest load. ;educing cac2e"mem will usuall( also
reduce sCui))s process si,e" but not necessarily.
The maximum"ob7ect"size option in sSuid.con5 specifies the maximum file si,e that
will be cached. %b'ects larger than this si,e will 3%T be saed on disk. The alue is
specified in kilobytes and the default is 2@(. If speed is more important than saing
bandwidth" you should leae this low.
The minimum"ob7ect"size option# ob'ects smaller than this si,e will 3%T be saed on
disk. The alue is specified in kilobytes" and the default is . 0(" which means there is no
minimum Aand eerything will be saed to diskB.
The cac2e"s>ap option tells sCui) how much disk space it may use. If you hae a large
disk cache" you may find that you do not hae enough memory to run sCui) effectiely.
If it performs badly" consider increasing the amount of ;$@ or reducing the
cac2e"s>ap.
- 2!< -
Chapter 6. -ile an) (er+ice (haring
(2.26!
%b'ectie 2.2.<.!Q Configuring a &amba &erer A5 pointsB
The candidate should be able to set up a &amba serer for arious clients. This
ob'ectie includes setting up a login script for &amba clients and setting up an
nmbd -I3& serer. $lso included is the changing of the workgroup in which a
serer participates" defining a shared directory in smb.conf" defining a shared
printer in smb.conf" using nmblookup to test -I3& serer functionality and using
the smbmount command to mount an &@( share on a Linux client.
%b'ectie 2.2.<.2Q Configuring an 3?& &erer A9 pointsB
The candidate should be able to create an exports file and specify filesystems to
be exported. This ob'ectie includes editing exports file entries to restrict access
to certain hosts" subnets or netgroups. $lso included is specifying mount options
in the exports file" configuring user I* mapping" mounting an 3?& filesystem on
a client and using mount options to specify soft or hard and background retries"
signal handling" locking and block si,e. The candidate should also be able to
configure tcp wrappers to further secure 3?&.
- 22. -
Configuring a (a#*a (er+er (2.26.1!
%hat is +amba'
&amba implements the &erer @essage (lock Aor &@( for shortB protocol. This is the
protocol used by @icrosoft to implement file and printer sharing. (y installing &amba on
a Linux machine" machines running the -indows %perating &ystem and other platforms
for which an &@( client is aailable can connect to the Linux machine and thus use files
and printers aailable by the Linux machine.
&amba is aailable for many platforms including Linux" $IP" /P-4P" &un%&" ?ree(&*"
%&=2" $miga%&. Consult 4amba? 5pening =indo#s To A =ider =orld" for further
information on platforms supporting &amba and for downloading a binary or source
distribution for your platform.
Installing the +amba components
*epending on your distribution" you can
o get the sources and compile them yourself
o install the package using rp# A;ed /at" &u&D etc.B
o install the package using apt@get or aptitu)e A*ebianB
&amba can be run either from inet) or as daemons. -hen run ia inet) you sae some
memory and you can use tcpwrappers for extra security. -hen run as daemons" the serer
is always ready and sessions are faster.
If you want to use encrypted passwords" you will need to hae a separate
/etc/samba/smbpass>d file because the layout differs from /etc/pass>d. *uring the
installation" you can choose to hae /etc/samba/smbpass>d generated from your /etc/
pass>d file. If you choose not to do this" you must use s#*passw) to set indiidual
passwords for users.
&amba consists of two daemons# n#*) and s#*).
n#*)" the 3et(I%& 3ame &erice *aemon" handles 3et(I%& name lookups and -I3&
re+uests. If you)e told &amba to function as a -I3& &erer" an extra copy of n#*) will
be running. $dditionally" if *3& is used to translate 3et(I%& names" another extra copy
of n#*) will be running.
s#*)" the &erer @essage (lock *aemon" handles file and print access. ?or each client
connected to the serer" an extra copy of s#*) runs.
&amba uses both the 4*P and TCP protocols.
- 22! -
TCP is used for file and print sharing on port !9<.
4*P is used for the registration and translation of 3et(I%& names and for browsing the
network. Port !97 is used for name serice re+uests and responses. Port !98 is used for
datagram serices to transmit small amounts of data" such as serer announcements.
/n e#ample of the functionality e ish to achieve
-e)e got three machines connected ia a network. The machines JLodaK and
Jwindoos'eK contain files the other machines must be able to manipulate. $lso" the
machines must be able to use each other)s printers. JLodaK is running Linux and has
&amba installed. Jwindoos'eK is running @icrosoft -indows 2... and JpugK is running
Linux and has s#*client installed to be able to function as a &amba client.
-e want to share 'ust parts of the filesystems on JLodaK and Jwindoos'eK.
The public share on JLodaK should be aailable to eeryone.
The img$ share on JLodaK should be aailable to the user JwillemK only.
The img# share on JLodaK should be aailable to both the users JwillemK and Jrc5:2K.
The home directories on JLodaK should be aailable to their respectie users.
%n the -indows 2... machine we)e got some generic files in the directories
5./>ins2are# and 5./>ins2are2 we wish to make aailable to the Linux machine
running &amba.
- 222 -
/ccessing +amba shares from %indos 2===
&ince I am using the -indows 2... machine as a workstation" I didn)t feel the need for
domains" primary or otherwise. Instead" I hae told the -indows 2... machine that it is
part of the workgroup JfalconK.
I hae included the /etc/samba/smb.con5 file that contains the settings to make
directories accessible from -indows 2.... 3ote that case doesn)t matter to @icrosoft
-indows but does matter to Linux when writing workgroup names and machine names.
Please read the comments before continuing#

+666666666666666666666666666666666666666666666666666666666666
+ L2is is. /etc/samba/smb.con5
+
+666666666666666666666666666666666666666666666666666666666666
)global*
+666666666666666666666666666666666666666666666666666666666666
+ L2is section contains t2e global ser-er settings and t2e
+ de5aults t2at >ill be used 5or t2e parameters o5 t2e ot2er
+ sections i5 t2e! are not speci5icall! assigned ot2er -alues
+ in t2ose ot2er sections.
+
+ Samba 7oins t2e I;MDGH >or,group
+666666666666666666666666666666666666666666666666666666666666
>or,group B I;MDGH
+ Describe t2e ser-er to t2e clients
+666666666666666666666666666666666666666666666666666666666666
ser-er string B Minux Samba Ser-er ]M
+ Gnl! allo> connections 5rom mac2ines on our M;H
+666666666666666666666666666666666666666666666666666666666666
2osts allo> B #&2.#6'.2.$/2((.2((.2((.$
+ Rindo>s 2$$$ uses encr!pted pass>ordsO so do >e
+666666666666666666666666666666666666666666666666666666666666
encr!pt pass>ords B !es
+ Lell Samba to use smbpass>d 5ile 5or user -alidation
+666666666666666666666666666666666666666666666666666666666666
securit! B user
smb pass>d 5ile B /etc/samba/smbpass>d
+ Ma,e t2e ser-er also a-ailable as Noda# to enable connection
+ 5rom Rindo>s as anot2er user
+666666666666666666666666666666666666666666666666666666666666
netbios name B Noda
netbios aliases B Noda#
+ ;ccess 5rom clients >ill be logged in log.?Het=IGS nameA
+666666666666666666666666666666666666666666666666666666666666
log 5ile B /-ar/log/samba/log.]m
- 229 -
)2omes*
+666666666666666666666666666666666666666666666666666666666666
+ L2is section enables t2e users t2at 2a-e an account and a
+ 2omedirector! on t2e Minux Samba Ser-er to access and modi5!
+ t2e contents o5 t2at director! 5rom a Samba client.
+
+ Describe t2e s2are to t2e user
+666666666666666666666666666666666666666666666666666666666666
comment B ]Ws 2omedirector! on ]M 5rom ]m
+ Do not s2o> t2e 2omes s2are itsel5 >2en bro>sing
+666666666666666666666666666666666666666666666666666666666666
bro>sable B no
+ ;llo> t2e user to >rite in 2is 2ome director!
+666666666666666666666666666666666666666666666666666666666666
>riteable B !es
)public*
+666666666666666666666666666666666666666666666666666666666666
+ L2is section de5ines a public s2are a-ailable 5or reading
+ and >riting 5or an!one on our M;H
+666666666666666666666666666666666666666666666666666666666666
comment B Fublic Storage on ]M
pat2 B /2ome/samba
+ S2o> t2e public s2are >2en bro>sing
+666666666666666666666666666666666666666666666666666666666666
bro>sable B !es
+ ;llo> e-er!one to >rite in t2is director!
+666666666666666666666666666666666666666666666666666666666666
>riteable B !es
)img$*
+666666666666666666666666666666666666666666666666666666666666
+ L2is section de5ines imaging s2are +$
+
+666666666666666666666666666666666666666666666666666666666666
pat2 B /img$
comment B ]Ws Imaging S2are +$ on ]M 5rom ]m
+ S2o> t2e img$ s2are itsel5 >2en bro>sing
+666666666666666666666666666666666666666666666666666666666666
bro>sable B !es
+666666666666666666666666666666666666666666666666666666666666
>riteable B !es
+ 1estrict access to -alid users
+666666666666666666666666666666666666666666666666666666666666
-alid users B >illem
)img#*
- 222 -
+666666666666666666666666666666666666666666666666666666666666
+ L2is section de5ines imaging s2are +#
+
+666666666666666666666666666666666666666666666666666666666666
pat2 B /img#
comment B ]Ws Imaging S2are +# on ]M 5rom ]m
+ S2o> t2e img# s2are itsel5 >2en bro>sing
+666666666666666666666666666666666666666666666666666666666666
bro>sable B !es
+666666666666666666666666666666666666666666666666666666666666
>riteable B !es
+ 1estrict access to -alid users
+666666666666666666666666666666666666666666666666666666666666
-alid users B >illemOrc(64
The sections WglobalX" WhomesX and WprintersX are so called special sections.
The WglobalX section contains the parameters that are applicable for the whole serer and
the defaults that will be used for the parameters that are not mentioned in other sections.
The WhomesX section makes it possible for users to connect to their home directories. The
share name JhomesK is changed by the serer to the username. If you want to use some
other directory instead of the user)s home directory" you can do this by specifying the
path. If you want to use the directory /2ome/samba2omes/?userA as the home directory"
for instance" you can do this by setting the path parameter as follows#
pat2B/2ome/samba2omes/]S

The M& macro will be substituted by the user)s name. Please consult the man page of
smb.conf A#an s#*.confB for information on the other macros that are aailable.
The WprintersX section is used for giing access to the printers and will be described later
in this chapter.
$fter creating the /etc/samba/smb.con5 file" &amba must be restarted if it)s already
running or started if it)s not#
+ /etc/init.d/samba restart or
+ /etc/init.d/samba start

3ow the samba passwords" which do not hae to be identical to the Linux passwords"
must be set. If a user already exists in the samba password file" you can use the command
without the J-aK flag.
- 225 -
+ smbpass>d )6a* user

0aking the first connection fro# ;in)ows 2
Let)s say you are the user JwillemK on the -indows 2... machine" and you enter
JbbyodaK in the browser. Lou will be presented with a dialog - Aillustrated below" but
which you won)t be able to read because it)s in *utchB - asking you to enter your
username and accompanying password.
$fter entering the correct username and password" you will hae access to your shares as
shown below#
$fter opening the img$ share" another s#*) process will be started by the already
running s#*) process#
+ ps x 6o pidOppidOcommand
FID FFID DGMM;HD
# $ init )2*
...
260($ # /usr/sbin/smbd 6D
- 22: -
260(% 260($ /usr/sbin/smbd 6D
...

$s you can see by looking at the process id API*B" the last BusrBs*inBs#*) started is
2:759 which has a process parent id APPI*B of 2:75.. This parent also is BusrBs*inBs#*)
and has a PPI* of !" which is the init process.
Lou can also use the s#*status command to ask the system who is using which shares
and which files are locked at the moment#
+ smbstatus
Samba -ersion 2.$.'
Ser-ice uid gid pid mac2ine
6666666666666666666666666666666666666666666666
img$ >illem >illem 260(% >indoos7e (#&2.#6'.2.##) Sat Ieb
#6
#2.#0.$( 2$$2
Ho loc,ed 5iles
S2are mode memor! usage (b!tes).
#$4'464(&&]) 5ree X (6($]) used X (6($]) o-er2ead B #$4'(06(#$$])
total

$s you can see" the user JwillemK is accessing the img$ share and has no files locked.
Lou will probably almost neer see file locks because their lifespan is so short. The file is
only locked during saing. If you don)t beliee me" try this out with a file that takes
seeral seconds to transport oer the network" or Jdrag and dropK a complete directory" as
I)e done in the example that follows" to the img$ share while running the command
s#*status @L. The J-LK option will tell s#*status to only show the locks#
+ >2ile trueC do smbstatus 6MC sleep #C done
Ho loc,ed 5iles
Ho loc,ed 5iles
Ho loc,ed 5iles
Moc,ed 5iles.
Fid Den!Mode 1/R Gploc, Hame
66666666666666666666666666666666666666666666666666
260(% D:HN";MM R1GHMN :KDMSIP:X=;LDY /img$/=il7arten/2$$#62$$2/
ôSter,1oosters.exe Sat Ieb #6 #%.#2.(# 2$$2
Moc,ed 5iles.
66666666666666666666666666666666666666666666666666
260(% D:HN";MM R1GHMN :KDMSIP:X=;LDY /img$/=il7arten/2$$$62$$#/
;rbiters.FK Sat Ieb #6 #%.#2.(2 2$$2
- 227 -
Moc,ed 5iles.
66666666666666666666666666666666666666666666666666
260(% D:HN";MM R1GHMN :KDMSIP:X=;LDY /img$/=il7arten/2$$$62$$#/
=asisIorm##2.8d5m Sat Ieb #6 #%.#2.(% 2$$2
...
Ho loc,ed 5iles

0aking the secon) connection fro# ;in)ows 2
3ow let)s see if the same works for the user rc5:2 by logging in to -indows 2... as that
user and entering JbbLodaK in the browser#
$fter entering the correct user and password combination" you will hae access to your
shares as shown below#
If eerything is as it should be" the user Jrc5:2K should not be able to write to the img$
share and should be able to write to the img# share.
- 228 -
If you try to access the img$ share" a window will appear saying the password is wrong or
that the username is unknown for the share. Lou will then hae the opportunity to enter a
username and password#
$s expected" this doesn)t work because the user Jrc5:2K is not authori,ed to do this. (ut
there is more to this than meets the eye. -hat if we were to connect as the user JwillemK
with the correct password> That should work" shouldn)t it> -ell" let)s see#
$fter hitting the J%0K button" we get the following response#
-hich" translated" says that the share //!oda/img$ is not accessible because the
submitted set of references Ausername and passwordB is in conflict with an existing set of
references.
The cause of this seems to be that there already is a connection as Jrc5:2K to Loda. To
proe it" let)s connect to the serer as the user JwillemK by using the alias JbbLoda!K"
which is a 3et(ios alias for JbbLodaK" while keeping the connection as the user Jrc5:2K
alie#
- 22< -
$fter hitting the J%0K button the next window appears showing that we)e got a
connection#
To proe that we also hae write access" we create a text file#
?inally we use the command s#*status to show that we really hae two simultaneous
connections#
- 29. -
Samba -ersion 2.$.'
6666666666666666666666666666666666666666666666
public rc(64 rc(64 2'%$( >indoos7e (#&2.#6'.2.##) Sat Ieb
#6
#%.4'.%( 2$$2
img$ >illem >illem 2'%(0 >indoos7e (#&2.#6'.2.##) Sat Ieb
#6
#4.#&.$2 2$$2

-hether this is a -indows +uirk or not will be demonstrated in the next section" where
we)ll try the same se+uence from a Linux &amba client.
/ccessing %indos or +amba shares from a Linu# +amba client
;ith smbclient
The command s#*client implements an ftp like interface to the &amba shares.
Lou can use s#*client to find out which shares are aailable on the -indows machine
Abbwindoos'eB by issuing the following command#
pug.8+ smbclient 6M >indoos7e 6R 5alcon 6 rc(64
Fass>ord. EEEEEE
DomainB)I;MDGH* GSB)Rindo>s (.$* Ser-erB)Rindo>s 2$$$ M;H Manager*
S2arename L!pe Domment
666666666 6666 6666666
IFD3 IFD :xterne IFD
I3 Dis, Standards2are
;DMIH3 Dis, 1emote Management
D3 Dis, Standards2are
RinS2are+# Dis, Rord Documents
RinS2are+2 Dis, :xcel S2eets

$nd on the Linux &amba &erer bbLoda as well#
pug.8+ smbclient 6M //!oda 6R 5alcon 6 rc(64
Fass>ord. EEEEEE
DomainB)I;MDGH* GSB)nix* Ser-erB)Samba 2.$.'*
S2arename L!pe Domment
666666666 6666 6666666
public Dis, Fublic Storage on !oda
img$ Dis, rc(64Ws Imaging S2are +$ on !oda 5rom
pug
img# Dis, rc(64Ws Imaging S2are +# on !oda 5rom
pug
IFD3 IFD IFD Ser-ice (Minux Samba Ser-er !oda)
rc(64 Dis, rc(64Ws 2omedirector! on !oda 5rom pug
- 29! -
Ser-er Domment
666666666 6666666
NGD; Minux Samba Ser-er !oda
NGD;# Minux Samba Ser-er !oda

Let)s connect to bbwindoos'eb-in&harec! to get a file#
pug.8+ smbclient //>indoos7e/RinS2are+# 6R 5alcon 6 rc(64
Fass>ord. EEEEEE
DomainB)I;MDGH* GSB)Rindo>s (.$* Ser-erB)Rindo>s 2$$$ M;H Manager*
smb. /A

-e)e now got a connection. $s with the ftp client" you can type JhelpK to find out which
commands are aailable#
smb. /A 2elp
4 altname arc2i-e bloc,size cancel
cd c2mod c2o>n del dir
du exit get 2elp 2istor!
lcd lin, lo>ercase ls mas,
md mget m,dir more mput
ne>er open print printmode prompt
put p>d S Sueue Suit
rd recurse rename rm rmdir
setmode s!mlin, tar tarmode translate
Q

?inding out which files are aailable is done by issuing either the ls or the )ir command#
smb. /A ls
. D $ Lue Ieb #& #$.(4.#2
2$$2
.. D $ Lue Ieb #& #$.(4.#2
2$$2
ô Ster, 6 Sponsoring.doc ; #$0$$' Sat ûl 0 ##.$(.%4
2$$#
Dontributie"2$$#.doc ; 2064' L2u ân ## #6.($.(2
2$$#
%'46# bloc,s o5 size 262#44. %060% bloc,s a-ailable
smb. /A

$s with an ftp client" you can download a file with the get or #get command#
smb. /A mget contrE
Jet 5ile Dontributie"2$$#.doc4 !
getting 5ile Dontributie"2$$#.doc o5 size 2064' as Dontributie"2$$#.doc
((2.& ,b/s) (a-erage (2.& ,b/s)
smb. /A

- 292 -
$s you can see" the command is case insensitie and wildcards can be used.
;ith smbmount
Lou can also mount the share as you would any other filesystem. This is done with the
s#*#ount command. To be able to use the command s#*#ount" support for the &@(
filesystem must be compiled into the kernel. Lou)ll find the smbfs option in the
filesystems section.
In the preious section" I promised to make connections from a Linux &amba client to the
Linux &amba serer as two different users to see if this can be done without using aliases.
-e)ll try to make a connection as the user JwillemK to his home directory on JbbLodaK
and as the user Jrc5:2K to the public share. /ere we go#
+ m,dir /mnt/s2# mountpoint 5or t2e 5irst s2are
+ m,dir /mnt/s22 mountpoint 5or t2e second s2are
+ smbmount //!oda/>illem /mnt/s2# 6o usernameB>illem
Fass>ord. EEEEEEE
+ smbmount //!oda/public /mnt/s22 6o usernameBrc(64
Fass>ord. EEEEEE
+ mount
...
//!oda/>illem on /mnt/s2# t!pe smb5s ($)
//!oda/public on /mnt/s22 t!pe smb5s ($)

&o" this worked nicely. Let)s ask the &amba &erer which shares are in use at the
moment#
+ smbstatus
Samba -ersion 2.$.'
6666666666666666666666666666666666666666666666
>illem >illem >illem %#%4( pug (#&2.#6'.2.') Sun Ieb
#0
2$.4%.%& 2$$2
public rc(64 rc(64 %#%46 pug (#&2.#6'.2.') Sun Ieb
#0
2$.44.%$ 2$$2
Ho loc,ed 5iles

$s you can see" there are two connections being sered by two separate processes. (ut"
there is also a difference in how file-locking is handled. ;emember that" when opening a
file from -indows" there was no lock isible while the file was open - the lock was only
present during the saing of the file. This is not the case when the &amba share is
mounted by a Linux client. %pening the file 2allo.txt in +i gies the following
s#*status result#
- 299 -
Samba -ersion 2.$.'
6666666666666666666666666666666666666666666666
>illem >illem >illem %#%4( pug (#&2.#6'.2.') Sun Ieb
#0
2$.4%.%& 2$$2
public rc(64 rc(64 %#%46 pug (#&2.#6'.2.') Sun Ieb
#0
2$.44.%$ 2$$2
Moc,ed 5iles.
66666666666666666666666666666666666666666666666666
%#%46 D:HN"HGH: 1DGHMN HGH: /2ome/samba/2allo.txt
Sun Ieb
#0 2$.('.#' 2$$2

$s you can see" the file is immediately locked when opened.
+ending a message ith smbclient
$ny machine running ;inPopup can receie a message sent ia the -inpopup protocol.
$ssume" for a moment" that we)e got to do maintenance on bbLoda" and we wish to tell
the user on bbwindoos'e that his shares will not be aailable during a certain period of
time. @ake a text file containing the message d I used +i to create a file called msg.txt
d and use s#*client to send it as follows#
+ cat msg.txt T smbclient 6M >indoos7e 6 IL6ops

The user on bbwindoos'e is presented with the following message#
- 292 -
Using a Linu# +amba printer from %indos 2===
9sing (a#*a
To instruct &amba to share all printers defined in /etc/printcap" you may add a
WprintersX section to /etc/samba/smb.con5#
)printers*
comment B Frinter ]p on Noda
pat2 B /-ar/spool/samba
printable B !es

$fter restarting &amba by issuing the command BetcBinit.)Bsa#*a restart we connect
from -indows 2... using the user Jrc5:2K - which also exists on the &amba &erer and
must hae the same password - to JbbLodaK and get the following result#
%opsG That gae us four printers" and we)e only got one. This happened because of the
aliases in /etc/printcap. %ur purpose was to get 'ust one printer. This can be achieed
by remoing the WprintersX section and replacing it with a printer-specific section#
)YF Maserêt (*
printer name B lp
comment B YF Maserêt ( on Noda
pat2 B /-ar/spool/lpd/samba
printable B !es
>riteable B no

$fter restarting &amba we reconnect to bbLoda and get the following result#
- 295 -
3ow double-click on J/P LaserRet 5K and -indows will tell you that the printer has to be
installed before you can use it and offers to go ahead with this. $llow -indows to install
the printer.
-indows then says that there is a wrong printer drier installed on the machine to which
the printer is connected and asks if the drier should be installed on the local computer.
$llow -indows to do so.
-indows shows a dialog with manufacturers and printers" we choose /P and /P
LaserRet 5" after which -indows installs the drier" and we are done.
3ow let)s see if it works. %pen a document" for instance in @& -ord" actiate the print
dialog to select the printer#
- 29: -
$fter hitting the J%0K button" the output will be sent to the printer.
If this doesn)t work" chances are that the user has no write permissions in the
/-ar/spool/lpd/samba directory. I experienced this problem myself and had the choice
to either add all users able to print to the JlpK group or gie all users write-access in the
directory /-ar/spool/lpd/samba. I chose the latter" which is fine because the parameter
setting Jwriteable S noK in the WprintersX section of the &amba configuration file
/etc/samba/smb.con5 makes sure that no non-printing process can write in that
directory.
-hat actually takes place is that the output is spooled to the directory set by the Jpath SK
parameter which in this case is the directory /-ar/spool/lpd/samba. ?rom there the
output is spooled to the JrealK spool directory of the printer as set by /etc/printcap. In
this case" /-ar/spool/lpd. Check this out by JcapturingK the spooled file as follows#
+ >2ile trueC do ls 6l samba AA tC ls 6l lp AA tC ec2o 96669 AA t C done
L2e /-ar/spool/lpd/samba director!.
6r>xr66r66 # rc(64 lp 04'$ Ieb #& #0.%( 1D(64.aDKx0(
L2e /-ar/spool/lpd/lp director!.
6r>6r>6666 # lp lp 0' Ieb #& #0.%( c5;$$2!oda
6r>6r>6666 # rc(64 lp 04'$ Ieb #& #0.%( d5;$$2!oda

Issuing the s#*status command shows the access to the share#
- 297 -
!oda./-ar/spool/lpd+ smbstatus
Samba -ersion 2.$.'
6666666666666666666666666666666666666666666666
YF Maserê rc(64 rc(64 %#%&# >indoos7e (#&2.#6'.2.##) Lue Ieb
#& #0.46.$% 2$$2

9sing lpr
$lthough this is not part of the exam" I feel that to be complete it is necessary to show
you that a Linux printer can also be used from -indows 2... without the need for
&amba.
%n the -indows machine the first thing to do is install an extra network component
called JPrint &erices ?or 4nixK. This adds the ability to print to an lpr port.
The next thing to do is add a local printer d yes" you read it right# not a network printer.
-hen -indows asks you to select the port" select the option that enables you to create a
new port and select the type JLP; PortK. Lou will then be presented with the next dialog
which asks you to gie the address of the lp) serer and the name of the printer. Dnter the
?ully Hualified *omain 3ame of the printer.
&ince I)e called my local domain JfalconK and the machine to which my /P LaserRet 5 is
connected is called JLodaK" this becomes (oda"falcon. The +ueue is called lp so that)s
what we enter for the printer name.
Then select the appropriate printer drier and gie the printer a name. Let)s call the
printer J;D@%TD /P LaserRet 5K.
-e are then presented with the possibility of sharing the printer under -indows. If you
choose to do so and there are other -indows machines in the same workgroup such as
-indows <8 for instance" they will see this printer as a -indows shared printer and can
print to it. -indows 2... will then send the output to the lp +ueue on Loda. -e don)t
need this functionality.
$fter printing a test page" we)re done. 3ow hae a look at the printers -indows 2...
knows#
- 298 -
The choice is yours# &amba printing or lpr printing. If printing is all you want to do" and
you don)t need the other functionality of &amba" and Print &erices ?or 4nix comes with
your -indows %&" lpr printing may be the best choice for you.
Using a %indos printer from Linu#
$lthough it is not in the topics I felt the need to describe this. Imagine a situation" for
instance" where there are lots of -indows users and 'ust a few Linux users. -ouldn)t it
be nice to be able to use the -indows printer from Linux without haing to moe the
printer to a &amba serer >
(e careful with the sharename you define for the printer under -indows 2.... If
-indows 2... tells you that the printer might not be aailable to @&-*%& clients"
shorten the name of the share until -indows 2... does not complain anymore.
s#*client did not report the printer when it was called J/P *eskRet 8<. CK" but it did
report the printer as soon as I called it J*eskRetF8<.CK.
I hae tried seeral utilities to accomplish this" amongst which are# s#*client" s#*print"
s#*spool and apsfilter.
$nd the winner is .... apsfilter for its ease of installation. The author" $ndreas 0lemm"
only asks that you send him a postcard because he)s interested in who is using apsfilter.
I)ll walk you through the installation#
+ aps5iltercon5ig
"/"/ "/"/ "/ "/ "/
"/ "/ "/"/"/ "/"/"/ "/ "/ "/"/"/"/ "/"/ "/ "/"/
"/"/"/"/ "/ "/ "/"/ "/"/"/"/ "/ "/ "/ "/"/"/"/ "/"/
"/ "/ "/ "/ "/"/ "/ "/ "/ "/ "/ "/
"/ "/ "/"/"/ "/"/"/ "/ "/ "/ "/"/ "/"/"/ "/
"/
"/
...
;ccept license )NT!T^T7THTn* 4
- 29< -

Type JLK" hit JenterK and read the informational screens that follow.
Ho> >e are c2ec,ing 5ile permissions in spooldir
Nour line printer sc2edulerWs spooldir seems to be. /-ar/spool/lpd
dr>xr>sr6x & lp lp 4$&6 Ieb 2$ #%.(% /-ar/spool/lpd
L2e G>ner o5 !our spooldir seems to be. lp
L2e Jroup o5 !our spooldir seems to be. lp
Is t2is correct4 )!/n*

Type JyK and hit JenterK.
creating a >or,ing cop! o5 printcap 6A /etc/printcap.old
It seems !ou 2a-e con5igured a printer >it2 t2is script be5ore.
Do !ou >ant to (a)dd anot2er printer entr! or
to (o)-er>rite t2e existing entries4
a/o4

If you)e already defined other printers" as I hae" type JaK and hit JenterK.
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
BBB
; F S I I M L : 1 S : L F 66 M;IH M:H:
66
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
BBB
currentl!
selected
666666666666666666666666666666666666666666666666666666666666666
666
(D) ;-ailable De-ice Dri-ers in !our gs binar!
(1) 1ead J2ostscript dri-er documentation
(de-ices.txt)
(#) Frinter Dri-er Selection )*
(2) Inter5ace Setup )*
Ior printing t2e test page.
(%) Faper Iormat (mandator!) )a4*
(4) Frint 1esolution in 9dots per inc29 )de5ault*
(() Loggle Monoc2rome/Dolor (#bppBb[>) )de5ault*
(L) Frint Lest FageO on local or Rindo>s remote prt.(a5ter
#6()
(P) Pie> per5.log (times o5 print attempts)
(;) ;bort installation (donWt do an!t2ing)
- 22. -
(I) BBA Install printer >it2 -alues s2o>n abo-e 6 repeat
t2is
step 5or installing multiple printers
(_) BBA Iinis2 installation
Nour c2oice4

?irst" we hae to select a drier for the /P *eskRet 8<.C. Type J!K and hit JenterK.
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
F1IHL:1 D1IP:1 S:M:DLIGH
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
Flease select t2e t!pe o5 printer !ou >ant to install.
#) FostScript printer
2) printer dri-er nati-el! supported b! g2ostscript
%) gimp6print / stp
4) 2pd7
() pcl% (successor to 2pd7O experimental)
6) I=M Gmni
0) cd7''$O cd7&0$
') FF; printerO needs g2ostscript 9ppmra>9 de-ice and pnm2ppa
$) return to main menu
Nour c2oice.

Choose J2K and hit JenterK. Lou can then browse through a list of printer driers.
;emember the number of the correct drier Ain my case" !9!" comes closest to my
printerB. /it J+K to close the list" type the number you remembered and hit JreturnK which
takes us back to the main menu.
The next thing to do is to set up the interface d choose J2K and hit JreturnK
6666666666666666666666666666666666666666666666666666666666666666
; F S I I M L : 1 S : L F 66 Inter5ace Setup 66
6666666666666666666666666666666666666666666666666666666666666666
L2e easiest >a! to connect a printer to !our computer is b!
using t2e parallel inter5aceO because itWs usuall! E5asterEO
more standardized and t2ere5ore muc2 easier to con5igure.
R2en con5iguring a serial printerO t2e installation dialogue
as,s !ou man! Suestions about 2o> to con5igure t2e serial
inter5ace o5 !our computerO so t2at it >or,s >ell >it2 !our
printers current settings.
R2en using t2e serial inter5aceO t2en !ou 2a-e to c2oose special
cablesO depending on t2e communication protocol bet>een computer
- 22! -
and printer (2ard>are/so5t>are 2ands2a,ing). Man! pit5alls 2ere
Q
currentl! selected. Inter5ace. )samba*
De-ice. )>indoos7e*
con5igure local / remote printer
#) local parallel/S= 2) local serial
%) nix/net>or, printer (lpd) 4) Rindo>s / HL (samba)
() ;ppleLal,
Nour c2oice4

$s you can see" there is a separate option for &amba. Choose J2K and hit JreturnK. Lou
will then be asked seeral +uestions as shown below#
6666666666666666666666666666666666666666666666666666666666666666
; F S I I M L : 1 Samba Frinter S:LF
6666666666666666666666666666666666666666666666666666666666666666
La,e care t2at smbclient is in aps5ilters searc2 pat2.
Nou can 5ine tune pat2s in /etc/aps5ilter/aps5ilterrc.
See smbclient manual page 5or more options i5 needed.
currentl! selected.
Het=IGS name o5 Rindo>s Ser-er . ) *
Rindo>s Ser-er IF . ) *
Frinter S2are Hame . ) *
Ror,group . ) *
Rindo>s sername . ) *
Rindo>s Fass>ord . ) *
(!ou can 5ine tune some more -alues in t2e smbclient.con5
5ile in t2e printers spool director! later)
Het=IGS name o5 Rindo>s Ser-er. >indoos7e
Rindo>s Ser-er IF ;ddress . #&2.#6'.2.##
Frinter S2are Hame . Des,êt"'&$D
Ror,group Hame . 5alcon
Frint as Rindo>s J:SL user (no. use real account)4 )!/n* n
Rindo>s sername . rc(64
Rindo>s Fass>ord . t2epass>ord

3ow" the default papertype must be set. Choose J9K" hit JreturnK" and you)ll be presented
with a list from which you can choose#
6666666666666666666666666666666666666666666666666666666666666666
; F S I I M L : 1 S : L F 66 Faper Iormat 66
6666666666666666666666666666666666666666666666666666666666666666
R2at paper 5ormat do !ou >ant to use 5or printing4
#) DIH ;4
2) DIH ;%
- 222 -
%) S letter
4) S legal
() S ledger
Nour c2oice4

I chose J!K" *I3 $2. 3ow we are ready to print a test page. Choose JTK" and hit JreturnK"
read the information and choose JTK again. Lou will then be asked if it is ok to print the
testpage#
Frinting Lest page using. cat setup/test.ps T gs 6S 6sD:PID:Bcd7'&$
/
6sF;F:1SI<:Ba4 6dHGF;S: 6dS;I:1 6sGutputIileBW/tmp/aps"testout.i:SS2RW
6
G, to print testpage4 )!/n*

Type JyK and hit JreturnK. The testpage will be created d which may take some time d
and sent to the printer. If the output looks ok" choose JIK" followed by JreturnK" to install
the printer with the alues shown in the menu#
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
BBB
Iilter installation 66 5inal steps
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
BBB
ItWs recommended to 2a-e one Wra>W entr! 5or eac2 p2!sical printer.
I5 !ouWre not sureO sa! W!W 66 it >onWt 2urt.
Do !ou >ant me to create one 5or printer at >indoos7e4 (!/n)

$ %k" let say JyK here.
Flease enter a printer Sueue name 5or printer Wcd7'&$W.
L2e de5ault name is Wauto%W.
Nour c2oice.

Let)s call the printer Jd'8<.cK.
EE creating printcap entr! 5or printer d7'&$c...
creating spooldir ...
creating samba con5ig 5ile ...
read protect pass>ord in5ormation...
remember S:LF settings in printers aps5ilterrc 5ile...
Flease enter a printer Sueue name 5or printer Wcd7'&$W.
L2e de5ault name is Wra>%W.
- 229 -
Nour c2oice.

$nd Jrawd'8<.cK.
EE creating printcap entr! 5or printer ra>d7'&$c...
creating spooldir ...
creating samba con5ig 5ile ...
read protect pass>ord in5ormation...
remember S:LF settings in printers aps5ilterrc 5ile...
EE done.
) press ?1:L1HA to continue *

-e)re done" choose JHK and hit JreturnK. ;ead through the informational screens that
follow. apsfilter has created the directories that are necessary and has modified the file /
etc/printcap by adding the following information#
+ ;FS%"=:JIH.printer%
+ 6 donWt delete start label 5or aps5ilter printer%
+ 6 no ot2er printer de5ines bet>een =:JIH and :HD M;=:M
d7'&$cTFrinter% auto./
.lpB/de-/null./
.i5B/etc/aps5ilter/basedir/bin/aps5ilter./
.sdB/-ar/spool/lpd/d7'&$c./
.l5B/-ar/spool/lpd/d7'&$c/log./
.a5B/-ar/spool/lpd/d7'&$c/acct./
.mx+$./
.s2.
ra>d7'&$cTFrinter% ra>./
.lpB/de-/null./
.i5B/etc/aps5ilter/basedir/bin/aps5ilter./
.sdB/-ar/spool/lpd/ra>d7'&$c./
.l5B/-ar/spool/lpd/ra>d7'&$c/log./
.a5B/-ar/spool/lpd/ra>d7'&$c/acct./
.mx+$./
.s5./
.s2.
+ ;FS%":HD 6 donWt delete t2is

Let)s try it out with lpr by sending a postscript file to the printer. There is a ery nice
picture of a tiger)s head that comes with ghostcript#
+ lpr 6Fdes,7et /usr/s2are/doc/gs/examples/tiger.ps.gz

Den a compressed postscript file gets printed nicely.
- 222 -
+etting up an nmbd %IN+ server
;hat is a ;35( (er+erI
-I3& stands for -indows Internet 3ame &erice. This is a name serice used to
translate 3et(I%& names to ip addresses by using 3et(I%& oer TCP=IP +ueries. It is
done using 4*P packets.
9sing (a#*a as a ;35( (er+er
To tell &amba that it should also play the role of -I3& &erer" add the following line to
the WglobalX section of the &amba configuration file /etc/samba/smb.con5#
)global*
>ins support B !es

(e careful" there should not be more than one -I3& &erer on a network and you should
not set any of the other -I3& parameters" such as Jwins sererK" when enabling Jwins
supportK.
9sing nmblookup to test the ;35( (er+er
n#*lookup is a Linux client that facilitates the lookup of 3et(I%& names oer TCP=IP.
Let)s see if it works by asking n#*lookup to find us the ip address for Loda!#
pug.8+ nmbloo,up Noda#
Suer!ing Noda# on #&2.#6'.2.2((
#&2.#6'.2.2# Noda#?$$A

$nd let)s proe that this is the same machine as Loda#
pug.8+ nmbloo,up Noda
Suer!ing Noda on #&2.#6'.2.2((
#&2.#6'.2.2# Noda?$$A

$nother way to do this is with the host command#
pug.8+ 2ost #&2.#6'.2.2#
Hame. !oda.5alcon
;ddress. #&2.#6'.2.2#

To proe that yoda! does not hae a *3& entry#
pug.8+ 2ost !oda#
- 225 -
!oda#.5alcon does not exist (;ut2oritati-e ans>er)

$nother example# let)s use n#*lookup to find out which machine is the master browser
for the falcon workgroup#
pug.8+ nmbloo,up 6M 5alcon
#&2.#6'.2.2# 5alcon?#dA

This proes that Loda is the master browser for the falcon workgroup.
Creating logon scripts for clients
Logon scripts can be ery handy. &o for example" if eery user needs his home directory
mapped to drie /# automatically" a logon script can take care of that. The user is then
presented with an extra hard-drie which gies you" as an administrator" the freedom to
moe home directories to another serer should the need arise. To the user it remains
drie /#" and all you hae to do is change one line in the logon script.
The same goes for printers and processes that should be accessible or run when a specific
user logs on or when a certain machine logs on.
The batch file must be a -indows-style batch file and should thus hae both a carriage
return and a line feed at the end of each line.
The first thing to do is enable logon support. This is done by adding the following line to
the WglobalX section of the &amba configuration file /etc/samba/smb.con5#
)global*
logon ser-er B !es

The second thing to do is create a share called WnetlogonX where the logon scripts will
reside and which is readable to all users#
)netlogon*
Domment B Hetlogon 5or Rindo>s clients
pat2 B /2ome/netlogon
bro>seable B no
guest o, B no
>riteable B no

The definition of the logon script depends on whether you want a script per user or per
client.
- 22: -
7ase) on the userGs na#e
$dd the following line to the WnetlogonX section#
logon script B ].bat

and" assuming the user is Jrc5:2K" create a file called /2ome/netlogon/rc(64.bat.
7ase) on the clientGs na#e
$dd the following line to the WnetlogonX section#
logon script B ]m.bat

and" assuming the machine is called Jxy,K" create a file called
/2ome/netlogon/x!z.bat.
Configuring an 5-( (er+er (2.26.2!
The candidate should be able to create an exports file and specify filesystems to be
exported. This ob'ectie includes editing exports file entries to restrict access to certain
hosts" subnets or netgroups. $lso included is specifying mount options in the exports file"
configuring user I* mapping" mounting an 3?& filesystem on a client and using mount
options to specify soft or hard and background retries" signal handling" locking and block
si,e. The candidate should also be able to configure tcp wrappers to further secure 3?&.
The file /etc/exports
The exportfs command
The show#ount command
The nfsstat command
N(+ 0 "he Netork (ile +ystem
The abbreiation 3?& expands to -et#ork +ile 4(stem. -ith 3?& you can make a
remote disk Aor only some of itB part of your local filesystem.
The 3?& protocol is currently being reworked" a process which has" so far" taken seeral
years. This has conse+uences for those using 3?&. @odern 3?& daemons will currently
run in kernel space Apart of the running kernelB and support ersion 9 of the 3?& protocol
Aersion 2 will still be supported for compatibility with older clientsB. %lder 3?&
daemons running in user space Awhich is almost independent of the kernelB and accepting
only protocol ersion 2 3?& re+uests" will still be around. This section will primarily
- 227 -
describe kernel-space 3?&-serers supporting protocol ersion 9 and compatible clients.
*ifferences from older ersions will be pointed out when appropriate.
Note
*etails about this 3?& work-in-progress are in the section called J3?& protocol
ersionsK below.
ClientH (er+er or *othI
The system that makes filesystemAsB aailable to other systems is called a server. The
system that connects to a serer is called a client. Dach system can be configured as
serer" client or both.
+etting up N(+
This section describes 3?&-related software and its configuration.
2eCuire#ents for 5-(
To run 3?&" the following is needed#
support for 3?& Aseeral optionsB must be built into the kernel
a portmapper must be running
on systems with 3?&-serer support" an -+4 daemon and a mount daemon must
be actie
support daemons may be needed
Dach is discussed in detail below.
Configuring the kernel for 5-(
-hen configuring a kernel for 3?&" it must be decided whether or not the system will be
a client or a serer. $ system with a kernel that contains 3?&-serer support can also be
used as an 3?& client.
Note
The situation described here is alid for the 2.2.x kernel series. &pecifications described
here may change in the future.
5-(@relate) kernel options
3?& file system support ADGHIIJ"HIS"ISB
- 228 -
If you want to use 3?& as a client" select this. If this is the only 3?& option
selected" the system will support 3?& protocol ersion 2 only. To use protocol
ersion 9 you will also need to select DGHIIJ"HIS"P%. -hen DGHIIJ"HIS"IS is
selected" support for an old-fashioned user-space 3?&-server Aprotocol ersion 2B
is also present. Lou can do without this option when the system is a kernel-space
3?&-serer serer only Ai.e." neither client nor user-space 3?&-sererB.
Proide 3?&9 client support ADGHIIJ"HIS"P%B
&elect this if the client system should be able to make 3?& connections to an 3?&
ersion 9 serer. This can only be selected if 3?& support ADGHIIJ"HIS"ISB is
also selected.
3?& serer support ADGHIIJ"HISDB 0ernel space only.
-hen you select this" you get a kernel-space 3?&-serer supporting 3?& protocol
ersion 2. $dditional software is needed to control the kernel-space 3?&-serer
Aas will be shown laterB. To run an old-fashioned user-space 3?&-serer this
option is not needed. &elect DGHIIJ"HIS instead.
Proide 3?&9 serer support ADGHIIJ"HISD"P%B
This option adds support for ersion 9 of the 3?& protocol to the kernel-space
3?&-serer. The kernel-space 3?&-serer will support both ersion 2 and 9 of the
3?& protocol. Lou can only select this if you also select 3?& serer support
ADGHIIJ"HISDB.
-hen configuring during a compiler build Ai.e." make menuconfig" make xconfig" etcB"
the options listed aboe can be found in the +ile 4(stems section" subsection -et#ork
+ile 4(stems.
Table <.!" J0ernel options for 3?&K proides an oeriew of 3?& support in the kernel.
"a*le 6.1. Kernel options for 5-(
4escription option(s! allows B pro+i)es
3?& file system
support
DGHIIJ"HIS"IS
allows both 3?& A2B client and user
space 3?& A2B serer
3?&9 client
support
DGHIIJ"HIS"IS and
DGHIIJ"HIS"P%
allows 3?& A2 T 9B client
3?& serer support
DGHIIJ"HISD
proides 3?& A2B kernel serer
3?&9 serer
support
DGHIIJ"HISD and
DGHIIJ"HISD"P%
proides 3?& A2 T 9B kernel serer
- 22< -
&electing at least one of the 3?& kernel options turns on &un ;PC A;emote Procedure
CallB support automatically. This results in a kernel space ;PC input=output daemon. It
can be recognised as )rpciod* in the process listing.
"he port#apper
The portmapper is needed for all 3?& traffic.
@ost distributions will install the portmapper if 3?& software Aother than the kernelB is
being installed.
The portmapper itself need not be configured. Portmapper security" howeer" is an issue#
you are strongly adised to limit access to the portmapper. This can be done using the tcp
wrapper.
!ecuring the portmapper
?irst" make sure the portmapper has support for the tcp wrapper built in. Lou can test this
by running l)) Bs*inBport#ap. The result could be something like
lib>rap.so.$ BA /lib/lib>rap.so.$ ($x4$$#'$$$)
libnsl.so.# BA /lib/libnsl.so.# ($x4$$2$$$$)
libc.so.6 BA /lib/libc.so.6 ($x4$$%6$$$)
The line with lib>rap.so.$ Alibwrap belongs to the tcp wrapperB shows that this
portmapper is compiled with tcp-wrapper support. If that line is missing" get a better
portmapper or compile one yourself.
$ common security-strategy is blocking incoming portmapper re+uests by default" but
allowing specific hosts to connect. This strategy will be described here.
&tart by editing the file /etc/2osts.den! and adding the following line#
portmap. ;MM

This denies eery system access to the portmapper. It can be extended with a command#
portmap. ;MM. (ec2o illegal rpc reSuest 5rom ]2 T mail root) [

3ow all portmapper re+uests are denied. In the second example" re+uests are denied and
reported to root.
The next step is allowing only those systems access that are allowed to do so. This is
done by putting a line in /etc/2osts.allo>#
- 25. -
portmap. #2#.#22.#2%.

This allows each host with an IP address starting with the numbers shown to connect to
the portmapper and" therefore" use 3?&. $nother possibility is specifying part of a
hostname#
portmap. .example.com

This allows all hosts inside the example.com domain to connect. To allow all hosts of a
3I& workgroup#
portmap. @>or,stations

To allow hosts with IP addresses in a subnet#
portmap. #&2.#6'.24.#6/2((.2((.2((.24'

This allows all hosts from !<2.!:8.22.!: to !<2.!:8.22.29 to connect Aexamples from
WEadok.!XB.
>eneral 5-( )ae#ons
&he nfs-utils package
3?& is implemented as a set of daemons. These can be recogni,ed by their name# they all
start with the rpc" prefix followed by the name of the daemon. $mong these are#
rpc.n5sd Aonly a support program in systems with a kernel 3?& sererB" rpc.mountd"
rpc.loc,d and rpc.statd.
The source for these daemons can be found in the n5s6utils package Asee W3?&X for
more information on nfs-utilsB. It will also contain the source of other support programs"
such as exportfs" show#ount and nfsstat. These will be discussed later in the section
called JDxporting filesystemsK and the section called JTesting 3?&K.
*istributions may proide n5s6utils as a ready-to-use package" sometimes under
different names. *ebian" for example" proides lock and status daemons in a special n5s6
common package" and the 3?& and mount daemons in n5s6Eser-er packages Awhich
come in user-space and kernel-space ersionsB.
Dach of the daemons mentioned here can also be secured using the tcp wrapper. *etails
in the section called J&ecuring 3?&K.
- 25! -
5-( ser+er software
&he (F! daemon
-hen implementing an 3?& serer" you can install support for an kernel-space or an
user-space 3?& serer" depending on the kernel configuration. The rpc.nfs) command
Asometimes called nfs)B is the complete 3?& serer in user space. I kernel space"
howeer" it is 'ust a support program that can start the 3?& serer in the kernel.
1 kernel@space or a user@space 5-( ser+er
The kernel-space 3?& serer
The kernel-space 3?& serer is part of the running kernel. $ kernel 3?& serer
appears as )n5sd* in the process list.
The ersion of rpc.nfs) that supports the 3?& serer inside the kernel is 'ust a
support program to control 3?& kernel sererAsB.
The user-space 3?& daemon
The rpc.nfs) program can also contain an old-fashioned user-space 3?& serer
Aersion 2 onlyB. $ user-space 3?& serer is a complete 3?& serer. It can be
recogni,ed as rpc.n5sd in the process list.
&he mount daemon
The #ount) Aor rpc.#ount)B mount-daemon handles incoming 3?& AmountB re+uests. It
is re+uired on a system that proides 3?& serer support.
The configuration of the mount daemon includes exporting Amaking aailableB a
filesystem to certain hosts and specifying how they can use this filesystem.
Dxporting filesystems" using the /etc/exports file and the exportfs command will be
discussed in the section called JDxporting filesystemsK.
&he lock daemon
$ lock daemon for 3?& is implemented in rpc.lock).
Lou won)t need lock-daemon support when using modern A2.2.xB kernels. These kernels
proide one internally" which can be recogni,ed as )loc,d* in the process list. &ince the
internal kernel lock-daemon takes precedence" starting rpc.lock) accidentally will do no
harm.
There is no configuration for rpc.lock).
- 252 -
&he status daemon
$ccording to the manual page" status daemon rpc.stat) implements only a reboot
notification serice. It is a user-space daemon - een on systems with 3?& ersion 9
support. It can be recogni,ed as rpc.statd in the process listing. It is used on systems
with 3?& client and 3?& serer support.
There is no configuration for rpc.stat).
=xporting filesyste#s
Dxporting a filesystem" or part of it" makes it aailable for use by another system. $
filesystem can be exported to a single host" a group of hosts or to eeryone.
Dxport definitions are configured in the file /etc/exports and will be actiated by the
exportfs command. The current export list can be +ueried with the command
show#ount @@exports.
Note
In examples below the system called n5ss2op will be the 3?& serer and the system
called clientH one of the clients.
&he file /et/e!ports
The file /etc/exports contains the definitionAsB of filesystemAsB to be exported" the
name of the host that is allowed to access it and how the host can access it.
Dach line in /etc/exports has the following format#
/dir +ostname( options) ...

3ame of the directory to be exported
The name of the system AhostB that is allowed to access /dir Athe exported
directoryB. If the name of the system is omitted all hosts can connect. There are fie
possibilities to specify a system name#
single hostname
The name of a host that is allowed to connect. Can be a name AclientHB or an
IP address.
wildcard
$ group of systems is allowed. $ll systems in the example.com domain will
- 259 -
be allowed by the E.example.com wildcard.
IP networks
;anges of ip numbers or address=subnetmask combinations.
nothing
Leaing the system part empty is mostly done by accident Asee the Caution
belowB. It allows all hosts to connect. To preent this error" make sure that
there is no spacing between the system name and the opening brace that starts
the options.
_3I&group
3I& workgroups can be specified as a name starting with an @.
%ptions between braces. -ill be discussed further on.
@ore than one system with options can be listed#
/2ome/5tp/pub clientH(r>) E.example.com(ro)

Dxplanation# system clientH is allowed to read and write in /2ome/5tp/pub.
&ystems in example.com are allowed to connect" but only to read.
Caution
@ake sure there is no space Anot een whiteB between the hostname and the specification
between braces. There is a lot of difference between
/2ome/5tp/pub clientH(r>)

and
/2ome/5tp/pub clientH (r>)

The first allows clientH read and write access. The second allows clientH access with
default options Asee #an , exportsB and all s(stems read and write accessG
=xport options
&eeral export options can be used in /etc/exports. %nly the most important will be
discussed here. &ee the exportsA5B manual page for a full list. Two types of options will
be listed here# general options and user=group id options.
- 252 -
>eneral options
ro AdefaultB
The clientAsB has only read access.
r>
The clientAsB has read and write access. %f course" the client may choose to mount
read-only anyway.
$lso releant is the way 3?& handles user and group permissions across systems. 3?&
software considers users with the same 4I* and the same username as the same users.
The same is true for 6I*s.
The user root is different. (ecause root can read Aand writeB eerything
W!8X
" root
permission oer 3?& is considered dangerous.
$ solution to this is called s6uashing# all re+uests are done as user nobod! Aactually 4I*
6((%4" often called 62B and group nobod! A6I* 6((%4B.
$t least four options are related to s+uashing# root"sSuas2" no"root"sSuas2"
all"sSuas2 and no"all"sSuas2. Dach will be discussed in detail.
9serBgroup i) sCuashing
root"sSuas2 AdefaultB
$ll re+uests by user root on clientH Athe clientB will be done as user nobod! on
n5ss2op Athe sererB. This implies" for instance" that user root on the client can
only read files on the serer that are #orld readable.
no"root"sSuas2
$ll re+uests as root on the client will be done as root on the serer.
This is necessary when" for instance" backups are to be made oer 3?&.
This implies that root on n5ss2op completely trusts user root on clientH.
all"sSuas2
;e+uests of any user other than root on clientH are performed as user nobod! on
n5ss2op.
4se this if you cannot map usernames and 4I*)s easily.
- 255 -
no"all"sSuas2 AdefaultB
$ll re+uests of a non-root user on clientH are attempted as the same user on
n5ss2op.
Dxample entry in /etc/exports on system n5ss2op Athe serer systemB#
/ client((roOno"root"sSuas2) E.example.com(ro)
&ystem n5ss2op allows system clientH read-onl( access to eerything and reads by
user root are done as root on n5ss2op. &ystems from the example.com domain are
allowed read-onl( access" but re+uests from root are done as user nobod!" because
root"sSuas2 is true by default.
/ere is an example file#
+ /etc/exports on n5ss2op
+ t2e access control list 5or 5iles!stems >2ic2 ma! be exported
+ to HIS clients. See exports(().
/ client2.ex>or,s(roOroot"sSuas2)
/ client%.ex>or,s(roOroot"sSuas2)
/ client4.ex>or,s(roOroot"sSuas2)
/2ome client&.ex>or,s(roOroot"sSuas2)
Dxplanation# client2" client% and client4 are allowed to mount the complete
filesystem A/# rootB. (ut they hae read-only access and re+uests are done as user nobod!.
The host client& is only allowed to mount the /2ome directory with the same rights as
the other three hosts.
&he exportfs command
%nce /etc/exports is configured" the export list in it can be actiated using the
exportfs command. It can also be used to reload the list after a change or deactiate the
export list. Table <.2" J%eriew of exportfsK shows some of the functionality of
exportfs.
"a*le 6.2. /+er+iew of exportfs
Co##an) 4escription
exportfs .r load or reload the export list
exportfs .ua de-actiate the export list
- 25: -
Note
%lder Auser-spaceB 3?& systems may not hae the exportfs command. %n these systems
the export list will be installed automatically by the mount daemon when it is started.
;eloading after a change is done by sending a SIJYF signal to the running mount-
daemon process.
1cti+ating an export list
The export list is actiated Aor reactiatedB with the following command#
export5s 6r
The r originates from the word re-exporting.
(efore the exportfs @r is issued" no filesystems are exported and no other system can
connect.
-hen the export list is actiated" the kernel export table will be filled. The following
command will show the kernel export table#
cat /proc/5s/n5s/exports
The output will look something like#
+ Persion #.#
+ Fat2 Dlient(Ilags) + IFs
/ client4.ex>or,s(roOroot"sSuas2Oas!ncO>dela!) + #&2.#6'.02.4
/2ome client&.ex>or,s(roOroot"sSuas2Oas!ncO>dela!) + #&2.#6'.02.&
/ client2.ex>or,s(roOroot"sSuas2Oas!ncO>dela!) + #&2.#6'.02.2
/ client%.ex>or,s(roOroot"sSuas2Oas!ncO>dela!) + #&2.#6'.02.%
Dxplanation# all named hosts are allowed to mount the root directory Aclient&# /2omeB
of this machine with the listed options. The IP addresses are listed for conenience.
$lso use exportfs @r after you hae made changes to /etc/exports on a running system.
%arning
-hen running exportfs @r" some things will be done in the directory /-ar/lib/n5s.
?iles there are easy to corrupt by human interention with far-reaching conse+uences" as I
hae learned from personal experience.
4eacti+ating an export list
$ll actie export entries are unexported with the command#
export5s 6ua
- 257 -
The letters ua are an abbreiation for unexport all.
$fter the exportfs @ua no exports are actie anymore.
&he sho#mount command
The show#ount shows information about the exported filesystems and actie mounts to
the host. Table <.9" J%eriew of showmountK shows how show#ount can be used.
"a*le 6.3. /+er+iew of show#ount
Co##an) 4escription
show#ount ..exports show actie export list
show#ount show names of clients with actie mounts
show#ount ..directories show directories that are mounted by remote clients
show#ount ..all show both client-names and directories
show#ount accepts a host name as its last argument. If present" show#ount will +uery
the 3?&-serer on that host. If omitted" the current host will be +ueried Aas in the
examples below" where the current host is called n5ss2opB.
;ith the ..exports option. The currently actie export list can be +ueried with the
66exports option#
+ s2o>mount 66exports
:xport list 5or n5ss2op.
/ client2.ex>or,sOclient%.ex>or,sOclient4.ex>or,s
/2ome client&.ex>or,s
The information is more sparse than the output of cat BprocBfsBnfsBexports shown earlier.
;ithout options. -ithout parameters" show#ount will show names of hosts currently
connected to the system#
+ s2o>mount
Yosts on n5ss2op.
client&.ex>or,s
;ith the ..directories option. -hen the 66directories option is specified"
show#ount will show names of directories that are currently mounted by a remote host#
+ s2o>mount 66directories
Directories on n5ss2op.
/2ome
- 258 -
;ith the ..all option. The show#ount @@all command lists both the remote client
AhostsB and the mounted directories#
+ s2o>mount 66all
;ll mount points on n5ss2op.
client&.ex>or,s./2ome
5-( clientA software an) configuration
$n 3?& client system is a system that does a mount-attempt" using the #ount command.
The #ount needs to hae support for 3?& built-in. This will generally be the case.
The 3?& client-system needs to hae appropriate 3?& support in the kernel" as shown
earlier Asee the section called JConfiguring the kernel for 3?&KB. 3ext" it needs a running
portmapper. Last" software is needed to perform the remote mounts attempt# the #ount
command.
Note
?amiliarity with the #ount command and the file /etc/5stab is assumed in this
paragraph. If in doubt" consult the appropriate manual pages.
The #ount command normally used to mount a remote filesystem through 3?&#
mount 6t n5s remote./t+ere /+ere

This specifies the filesystem /t+ere on the remote serer remote.
The mount point /+ere on the client" as usual.
Dxample# to mount the /usr filesystem" which is on serer system n5ss2op" onto the
local mount-point /usr" use#
mount 6t n5s n5ss2op./usr /usr
?ine-tuning of the mount re+uest is done through options.
mount 6t n5s 6o opts remote./t2ere /2ere
&eeral options are possible after the 6o option selector. These options affect either
mount attempts or actie 3?& connections.
0ount options for 5-(
ro ersus r>
If ro is specified the remote 3?& filesystem will be mounted read-onl(. -ith the
r> option the remote filesystem will be made aailable for both reading and
writing Aif the 3?& serer agreesB.
- 25< -
"ip
The default on the 3?& serer side A/etc/exportsB is ro" but the default on the
client side A#ount @t nfsB is r>. The serer-setting takes precedence" so mounts
will be done read-onl(.
"ip
6o ro can also be written as 6rQ 6o r> can also be written as 6>.
rsizeBnnn and >sizeBnnn
The rsize option specifies the si,e for read transfers Afrom serer to clientB. The
>size option specifies the opposite direction. $ higher number makes data
transfers faster on a reliable network. %n a network where many retries are
needed" transfers may become slower.
*efault alues are either #$24 or and 4$&6" depending on your kernel ersion.
Current kernels accept a maximum of up to '#&2. 3?& ersion 9 oer tcp" which
will probably production-ready by the time you read this" allows a maximum si,e
of %206'. This si,e is defined with HISSPD"M;K=MKSI<: in the file
include/linux/n5sd/const.2 found in the kernel source-archie.
udp and tcp
&pecifies the transport-layer protocol for the 3?& connection. @ost 3?& ersion
2 implementations support only udp" but tcp implementations do exist. 3?&
ersion 9 will allow both udp and tcp Athe latter is under actie deelopmentB.
?uture ersion 2 will allow only tcp. &ee the section called J3?& protocol
ersionsK.
n5s-ersBn
&pecifies the 3?& ersion used for the transport Asee the section called J3?&
protocol ersionsKB. @odern ersions of #ount will use ersion % by default.
%lder implementations that still use ersion 2 are probably numerous.
retr!Bn
The retr! option specifies the number of minutes to keep on retrying mount-
attempts before giing up. The default is #$$$$ minutes.
timeoBn
- 2:. -
The timeo option specifies after how much time a mount-attempt times out. The
time-out alue is specified in deci-seconds Atenth of a secondB. The default is 0
deci-seconds A..7 secondsB.
2ard AdefaultB ersus so5t
These options control how hard the system will try.
hard. The system will try indefinitely.
soft. The system will try until an ;PC AportmapperB timeout occurs.
intr ersus nointr AdefaultB
-ith these options one is able to control whether the user is allowed to interrupt
the mount-attempt.
intr. $ mount-attempt can be interrupted by the user if intr is specified.
nointr. $ mount-attempt cannot be interrupted by a user if nointr is set. The
mount re+uest can seem to hang for days if retr! has its default alue A!....
minutesB.
5g AdefaultB and bg
These options control the background mounting facility. It is off by default.
bg. This turns on background mounting# the client first tries to mount in the
foreground. $ll retries occur in the background.
fg. $ll attempts occur in the foreground.
@ackground mounting is also affected by other options. -hen intr is specified"
the mount attempt will be interrupted by a an ;PC timeout. This happens" for
example" when either the remote host is down or the portmapper is not running. In
a test setting the backgrounding was only done when a Jconnection refusedK
occurred.
%ptions can be combined using comma)s#
mount 6t n5s 6o roOrsizeB'#&2 n5ss2op./usr/s2are /usr/local/s2are
$ preferred combination of options might be# 2ard" intr and bg. The mount will be tried
indefinitely" with retries in the background" but can still be interrupted by the user that
started the mount.
- 2:! -
%ther mount options to consider are noatime" noauto" nosuid or een noexec. &ee #an
1 #ount and #an , nfs.
%f course" all these options can also be specified in /etc/5stab. (e sure to specify the
noauto option if the filesystem should not be mounted automatically at boot time. The
user option will allow non-root users to perform the mount. This is not default. Dxample
entry in /etc/5stab#
n5ss2op./2ome /2omesGnS2op n5s roOnoautoOuser $ $
3ow eery user can do
mount /2omesGnS2op
Lou can also use automounters to mount and unmount remote filesystems" howeer"
these are beyond the scope of this ob'ectie.
"esting N(+
$fter 3?& has been set up" it can be tested. The following tools can help# show#ount"
rpcinfo and nfsstat.
"he showmount --exports co##an)
$s shown in the section called JThe show#ount commandK" the show#ount @@exports
command lists the current exports a serer system. This can be used as a +uick indication
of the health of the created 3?& system. There are more sophisticated ways.
rpcinfo
The rpcinfo command reports ;PC information. This can be used to probe the
portmapper on a local or a remote system or to send pseudo re+uests.
rpcinfo2 probing a system
The rpcinfo @p command lists all registered serices the portmapper knows about. Dach
rpc""" program registers itself at startup with the portmapper" so the names shown
correspond to real daemons Aor the kernel e+uialents" as is the case for 3?& ersion 9B.
It can be used on the serer system n5ss2op to see if the portmapper is functioning#
program -ers proto port
#$$$$% % udp 2$4& n5s
This selection of the output shows that this portmapper will accept connections for nfs
ersion 9 on udp.
- 2:2 -
$ full sample output of rpcinfo @p on a serer system#
rpcin5o 6p
program -ers proto port
#$$$$$ 2 tcp ### portmapper
#$$$$$ 2 udp ### portmapper
#$$$24 # udp 0(0 status
#$$$24 # tcp 0(& status
#$$$$% 2 udp 2$4& n5s
#$$$$% % udp 2$4& n5s
#$$$2# # udp %200$ nloc,mgr
#$$$2# % udp %200$ nloc,mgr
#$$$2# 4 udp %200$ nloc,mgr
#$$$$( # udp %200# mountd
#$$$$( # tcp %206' mountd
#$$$$( 2 udp %200# mountd
#$$$$( 2 tcp %206' mountd
#$$$$( % udp %200# mountd
#$$$$( % tcp %206' mountd
$s can be seen in the listing" the portmapper will accept ;PC re+uests for ersions 2 and
9 of the 3?& protocol" both on udp.
Note
$s can be seen" each ;PC serice has its own ersion number. The mountd serice" for
instance" supports incoming connections for ersions !" 2 or 9 of mountd on both udp and
tcp.
It is also possible to probe n5ss2op Athe serer systemB from a client system" by
specifying the name of the serer system after @p#
rpcin5o 6p n5ss2op
The output" if all is well" of course" will be the same.
rpcinfo2 making null re-uests
It is possible to test a connection without doing any real work#
rpcinfo @u remotehost program
This is like the ping command to test a network connection. /oweer" rpcinfo @u works
like a real rpc=nfs connection" sending a so-called null pseudo re+uest. The @u option
forces rpcinfo to use udp transport. The result of the test on n5ss2op#
rpcin5o 6u n5ss2op n5s
program #$$$$% -ersion 2 read! and >aiting
program #$$$$% -ersion % read! and >aiting
- 2:9 -
The @t options will do the same for tcp transport#
rpcin5o 6t n5ss2op n5s
rpcin5o. 1FD. Frogram not registered
program #$$$$% is not a-ailable
This system obiously does hae support for nfs on udp" but not on tcp.
Note
In the example output" the number !....9 is used instead of or together with the name
n5s. 3ame or number can be used in each others place. That is" we could also hae
written#
rpcin5o 6u n5ss2op #$$$$%
"he nfsstat co##an)
The nfsstat lists statistics Ai.e." countersB about nfs connections. This can be used to see
whether something is going on at all and also to make sure nothing has gone cra,y.
Table <.2" J&ome options for the nfsstat programK proides an oeriew of releant
options for nfsstat.
"a*le 6.$. (o#e options for the nfsstat progra#
rpc nfs *oth
serer -sr -sn -s
client -cr -cn -c
both -r -n -nr
&ample output from nfsstat @sn on the serer host n5ss2op#
Ser-er n5s -2.
null getattr setattr root loo,up readlin,
# $] % $] $ $] $ $] 4# $] $ $]
read >rcac2e >rite create remo-e rename
((&( &&] $ $] $ $] # $] $ $] $ $]
lin, s!mlin, m,dir rmdir readdir 5sstat
$ $] $ $] $ $] $ $] 0 $] 2 $]
Ser-er n5s -%.
null getattr setattr loo,up access readlin,
# #$$] $ $] $ $] $ $] $ $] $ $]
read >rite create m,dir s!mlin, m,nod
$ $] $ $] $ $] $ $] $ $] $ $]
remo-e rmdir rename lin, readdir readdirplus
$ $] $ $] $ $] $ $] $ $] $ $]
- 2:2 -
5sstat 5sin5o pat2con5 commit
$ $] $ $] $ $] $ $]

The #)s under both null headings are the result of the rpcinfo @u nfsshop nfs command
shown earlier.
+ecuring N(+
3?& security has seeral unrelated issues. ?irst" the 3?& protocol and implementations
hae some known weaknesses. 3?& file-handles are numbers that should be random" but
are not" in reality. This opens the possibility of making a connection by guessing file-
handles. $nother problem is that all 3?& data transfer is done as-is. This means that
anyone able to listen to a connection can tap the information Athis is called sniffingB. (ad
mount-point names combined with human error can be a totally different security risk.
Li#iting access
(oth sniffing and unwanted connection re+uests can be preented by limiting access to
each 3?& serer to a set of known" trusted hosts with trusted users on it# within a small
workgroup" for instance. Tcp-wrapper support or firewall software can be used to limit
access to an 3?& serer.
"he tcp wrapper. Darlier Asee the section called J&ecuring the portmapperKB it was
shown how to limit connections to the portmapper from specific hosts. The same can be
done for the 3?& related daemons" i.e." rpc.#ount) and rpc.stat). If your system runs
an old-fashioned user-space 3?& serer Ai.e." has rpc.n5sd in the process listB" consider
protecting rpc.nfs) and possibly rpc.lock)" as well. If" on the other hand" your system is
running a modern kernel-based 3?& implementation Ai.e." has )n5sd* in the process listB"
you cannot do this" since the rpc.nfs) program is not the one accepting the connections.
@ake sure tcp-wrapper support is built into each daemon you want to protect.
-irewall software. The problem with tcp-wrapper support is that there already is a
connection inside the host when the connection is refused. If a security-related bug exists
in either the tcp-wrapper library Anot ery likelyB or the daemon that contains the support"
unwanted access may be granted. %r worse. ?irewall software Ae.g." iptablesB can make
the kernel block connections before they enter the host. Lou can consider blocking
unwanted 3?& connections at each 3?& serer host or at the entry point of a network to
all but acceptable hosts. (lock at least the portmapper port A!!!=udp and !!!=tcpB. $lso"
considering blocking 2.2<=udp and 2.2<=tcp A3?& connectionsB. Lou might also want to
block other ports like the ones shown with the rpcinfo @p command# for example" the
mount daemon ports 9277!=udp and 927:8=tcp Aat least on my systemB. /ow to set up a
firewall is shown in detail in Chapter !2" 4(stem 4ecurit( /0"0103 .
- 2:5 -
Pre+enting hu#an error
&imple human error in combination with bad naming can also be a security risk. Lou
would not be the first person to remoe a remote directory tree because the mount point
was not easily recogni,ed as such and the remote system was mounted read-#rite.
0ount read-only. @ounting a remote filesystem read-onl( can preent accidental
erasure. &o" mount read only if at all possible. If you do need to mount a part read-#rite"
make the part that can be written AerasedB as small as possible.
4esign your #ountpoints well. $lso" name a mount point so that it can easily be
recogni,ed as a mount point. %ne of the possibilities is to use a special name#
/MountFoints/n5ss2op
7est 5-( +ersion
Progress is made in 3?& software. $lthough no software can preent human error" other
risks Ae.g." guessable file-handles and sniffingB can be preented with better software.
Note
3?& ersion 2 is a new ersion of the 3?& protocol intended to fix all existing problems
in 3?&. It is still in the design phase. @ore about 3?& ersion 2 and differences between
the ersions in the section called J3?& protocol ersionsK in a moment.
>uessa*le file han)les. %ne of the ways to break in a 3?& serer is to guess so-called
file-handles. The old A92-bitB file-handles Aused in 3?& ersion 2B were rather easy to
guess. Cersion 9 of the 3?& protocol offers improed security by using :2-bit file-
handles that are considerably harder to guess.
Nersion $ security enhance#ents. The upcoming ersion 2 of the 3?& protocol defines
encrypted connections. -hen the connection is encrypted" getting information by sniffing
is made much harder or een impossible.
1vervie of N(+ components
Table <.5" J%eriew of 3?&-related programs and filesK proides an oeriew of the
most important files and software related to 3?&.
"a*le 6.,. /+er+iew of 5-(@relate) progra#s an) files
progra# or file )escription
The kernel proides 3?& support
The port#apper handles ;PC re+uests
- 2:: -
progra# or file )escription
rpc.nfs)
3?& serer control Akernel spaceB or software Auser
spaceB
rpc.#ount) handles incoming AunBmount re+uests
The file /etc/exports defines which filesystems are exported
The exportfs command AunBexports filesystems
show#ount @@exports shows current exports
The rpcinfo command reports ;PC information
The nfsstat command reports 3?& statistics
show#ount @@all shows actie mounts to me Athis hostB
#ount @t nfs re"oteA/t#ere
/#ere
mounts a remote filesystem
u#ount @t nfs @a unmounts all remote filesystems
N(+ protocol versions
Currently" there are a lot of changes in the 3?& protocol that can affect the way the
system is set up. Table <.:" J%eriew of 3?& protocol ersionsK proides an oeriew.
"a*le 6.%. /+er+iew of 5-( protocol +ersions
Protocol +ersion Current status kernel or user space u)p or tcp transport
! neer released
2 becoming obsolete user" kernel udp" some tcp impl. exist
9 new standard kernel udp" tcp# under deelopment
2 future standard kernel tcp
The trends that can be seen in Table <.:" J%eriew of 3?& protocol ersionsK are#
kernel space instead of user space and tcp instead of udp.
1 note on the transport protocol. Connections oer tcp A3?& 9"2" some 2B are
considered better than connections oer udp A3?& 2"9B. The udp option might be the
best on a small" fast network. (ut tcp allows considerably larger packet si,es Arsize"
>sizeB to be set. -ith si,es of :2k" tcp connections are reported to be !.M faster than
connections oer udp" which does not allow si,es that large.
- 2:7 -
Chapter 1. 5etwork Client
0anage#ent (2.21!
This topic has a total weight of : points and contains the following 2 ob'ecties#
%b'ectie 2.2!..!Q */CP Configuration A2 pointsB
This ob'ectie includes being able to configure a */CP serer" set default
options" create a subnet" create a dynamically allocated range" adding a static host"
- 2:8 -
setting options for a single host" adding bootp hosts" configure a */CP relay
client and reload the */CP serer after making changes.
%b'ectie 2.2!..2Q 3I& configuration A! pointB
This ob'ectie includes being able to configure a 3I& serer" create 3I& maps for
ma'or configuration files" configuring a system as a 3I& client" setting up a 3I&
slae serer and configuring the ability to search local files" *3&" 3I& etc. in
nss>itc2.con5.
%b'ectie 2.2!..9Q L*$P configuration A! pointB
This ob'ectie includes being able to configure a L*$P serer" configure a
directory hierarchy" add groups" hosts" serices and other data to the hierarchy"
import items from L*I? files and add items with a management tool" as well as
add users to the directory and change their passwords.
%b'ectie 2.2!..2Q P$@ authentication A2 pointsB
This ob'ectie includes being able to configure P$@ support authentication using
=etc=passwd" shadow passwords" 3I& and L*$P.
4HCP Configuration (2.21.1!
The candidate should be able to configure a */CP serer and set default options" create a
subnet and create a dynamically-allocated range. This ob'ectie includes adding a static
host" setting options for a single host and adding bootp hosts. $lso included the
configuration of a */CP relay agent and reloading the */CP serer after making
changes.
- 2:< -
d2cpd.con5
d2cpd.leases
%hat is D)CP'
*/CP stands for J*ynamic /ost Configuration ProtocolK. */CP consists of two
components# a protocol for deliering client-specific configuration parameters from a
*/CP serer to a */CP client and a mechanism for the allocation of network addresses
to clients.
$mongst the most commonly used configuration items are# ip6address" 2ost6name"
domain6name" subnet6mas," broadcast6address" routers and domain6name6
ser-ers.
The information is re+uested by a */CP client and proided by a */CP serer. (y
default" the serer listens for re+uests on udp port :7 and answers through udp port :8"
but it can be told to listen to another port instead with the 6p option. The */CP serer
will then answer through an udp port with a number one higher than the port it listens to.
The web-site ;esources for 8,' contains a lot of Apointers toB information on the
*/CP protocol" including ;?C)s.
)o is the server configured'
The configuration of the */CP serer" )hcp)" is done by means of its configuration file
/etc/d2cpd.con5.
The elements that can be used in a configuration file are# AglobalB parameters" shared
networks" subnets" groups and hosts.
;hat are (glo*al! para#etersI
Parameters can be seen as ariables that get assigned a alue and are passed from the
serer to the client. &ome parameters start with the option keyword and some do not.
Parameters that do not start with the option keyword are either parameters that control the
behaior of the */CP serer or are parameters that are optional in the */CP protocol.
The difference between JnormalK parameters and JglobalK parameters lies purely in the
scope of the parameters. If" for instance" the *3& is always the same" it is pointless to
add a domain6name6ser-ers parameter-definition statement to eery network-definition
statement. (y assigning the domain6name6ser-ers parameter a alue at the beginning of
the configuration file" the parameter becomes a global parameter and its alue becomes
the default alue for that parameter.
The alue of a global parameter can be oerridden by assigning the parameter another
alue in subse+uent sections.
- 27. -
;hat is a share)@network )eclarationI
$ shared-network declaration is used if there are multiple subnets on the same physical
network. Parameters that are the same for all the subnets belonging to the shared-network
can be defined once aboe the subnet-declarations within the shared-network declaration
that encompasses those subnet-declarations.
;hat is a su*net )eclarationI
$ subnet-declaration is used to define a network segment. Parameters that only apply to
the subnet in +uestion are defined within the subnet-declaration.
$ subnet-declaration must contain a range statement that defines the IP-addresses the
*/CP-serer can gie to clients on that subnet.
;hat is a group )eclarationI
$ group-declaration is used to group other declarations" including group-declarations"
that hae a number of properties in common so that the common properties only hae to
be be specified once in stead of for eery declaration.
;hat is a host )eclarationI
$ host declaration is used to set properties for a specific client. The client identifies itself
to the */CP serer by one of its uni+ue properties such as its 3IC address or its client-
identifier.
/n e#ample
Consider a firm which has four departments# &ales" $dministration" Dngineering and
@anagement. $ll departments are located in the same building and each department has
three floors to its disposal.
%n each floor" there are up to 2.. workstations and one laser printer ALP;T-xxB.
?urthermore each department has its own color laser-printer ACLP;T-xxB located on the
middle floor. The printers can only be used by users of the department the printers belong
to.
$ll users obtain an IP-address from the company)s */CP-serer and must be able to
reach the company)s *3&-serer and 3TP-serer. $ll users get their mail using the P%P9
protocol" send their mail using the &@TP protocol and read their news using the 33TP
protocol.
$ graphical representation of the company)s network is shown below#
- 27! -
"he network architecture
$ssuming that the IP range 2!.9!.x.x has been assigned to the company and that each
department has its own network Adetermined by the highest four bits of the third octetB"
the subnets could be set up as follows#
"a*le 1.1. "he first two octets are 21.31
4ept. -loor 3P range 2outer 4escription
...! ...! 2!.9!.!7.. - 2!.9!.!7.255 &ales floor c!
...! ..!. 2!.9!.!8.. - 2!.9!.!8.255 2!.9!.!7.! &ales floor c2
...! ..!! 2!.9!.!<.. - 2!.9!.!<.255 &ales floor c9
..!. .!.. 2!.9!.9:.. - 2!.9!.9:.255 $dministration c2
..!. .!.! 2!.9!.97.. - 2!.9!.97.255 2!.9!.9:.! $dministration c5
..!. .!!. 2!.9!.97.. - 2!.9!.97.255 $dministration c:
..!! .!!! 2!.9!.55.. - 2!.9!.55.255 Dngineering floor c7
..!! !... 2!.9!.5:.. - 2!.9!.5:.255 2!.9!.55.! Dngineering floor c8
..!! !..! 2!.9!.57.. - 2!.9!.57.255 Dngineering floor c<
.!.. !.!. 2!.9!.72.. - 2!.9!.72.255 @anagement floor c!.
- 272 -
4ept. -loor 3P range 2outer 4escription
.!.. !.!! 2!.9!.75.. - 2!.9!.75.255 2!.9!.72.! @anagement floor c!!
.!.. !!.. 2!.9!.7:.. - 2!.9!.7:.255 @anagement floor c!2
"he network ser+ices a+aila*le to workstations
The workstations on the company)s network obtain their IP-address and the IP-addresses
of the aailable network serices from the company)s */CP-serer ia the department)s
*/CP-relay which also functions as a router.
!ubnet-independent !ervices
&ubnet-independent serices are the serices that are aailable to all workstations on the
company)s network regardless the subnet they are on. The table below shows those
serices and their fixed IP-addresses.
"a*le 1.2. Co#pany@wi)e ser+ices
(er+ice 4escription 3P@a))ress Host na#e
*/CP The company)s */CP-serer 2!.9!...! dhcp.company.com
*3& The company)s *3& 2!.9!...2 dns.company.com
&@TP The company)s &@TP-serer 2!.9!...9 smtp.company.com
P%P9 The company)s P%P9-serer 2!.9!...2 pop9.company.com
3D-& The company)s 33TP-serer 2!.9!...5 news.company.com
3TP The company)s 3TP-serer 2!.9!...: ntp.company.com
!ubnet dependent services
&ubnet-dependent serices are the serices that are only aailable to the workstations on
the same subnet as the serice. The table below shows those serices and their fixed IP-
addresses.
"a*le 1.3. (u*net@)epen)ent (er+ices
4epart#ent (er+ice 4escription 3P@a))ress 5a#e
;outer &ales ;outer floor c2 2!.9!.!7.! rtr-.2.company.com
Printer Laser Printer floor c! 2!.9!.!7.2 lprt-.!.company.com
&ales Printer Laser Printer floor c2 2!.9!.!8.2 lprt-.2.company.com
Printer Laser Printer floor c9 2!.9!.!<.2 lprt-.9.company.com
Printer Color Laser Printer floor c2 2!.9!.!8.9 clprt-.2.company.com
;outer $dministration ;outer floor 2!.9!.9:.! rtr-.5.company.com
- 279 -
4epart#ent (er+ice 4escription 3P@a))ress 5a#e
c5
Printer Laser Printer floor c2 2!.9!.9:.2 lprt-.2.company.com
$dministration Printer Laser Printer floor c5 2!.9!.97.2 lprt-.5.company.com
Printer Laser Printer floor c: 2!.9!.98.2 lprt-.:.company.com
Printer Color Laser Printer floor c5 2!.9!.97.9 clprt-.5.company.com
;outer Dngineering ;outer floor c8 2!.9!.55.! rtr-.8.company.com
Printer Laser Printer floor c7 2!.9!.55.2 lprt-.7.company.com
Dngineering Printer Laser Printer floor c8 2!.9!.5:.2 lprt-.8.company.com
Printer Laser Printer floor c< 2!.9!.57.2 lprt-.<.company.com
Printer Color Laser Printer floor c8 2!.9!.5:.9 clprt-.8.company.com
;outer @anagement ;outer floor c!! 2!.9!.72.! rtr-!!.company.com
Printer Laser Printer floor c!. 2!.9!.72.2 lprt-!..company.com
@anagement Printer Laser Printer floor c!! 2!.9!.75.2 lprt-!!.company.com
Printer Laser Printer floor c!2 2!.9!.7:.2 lprt-!2.company.com
Printer Color Laser Printer floor c!! 2!.9!.75.9 clprt-!!.company.com
7uil)ing the 4HCP@ser+erGs configuration file
The information needed to be able to build a configuration file has already been gathered
in the preious sections when the network topology was deised.
In this section the actual configuration file /etc/d2cpd.con5 will be filled with the
necessary information.
&he global parameters for services
6lobal parameters are put at the top of the configuration file#
+ DHS
option domain6name6ser-ers 2#.%#.$.2C
+ SMLF
option smtp6ser-er 2#.%#.$.%C
+ FGF%
option pop6ser-er 2#.%#.$.4C
+ H:RS
option nntp6ser-er 2#.%#.$.(C
+ HLF
option time6ser-ers 2#.%#.$.6C

- 272 -
$nother way to do this is by using domain names. $ single domain name must resole to
a single IP-address. 4sing domain names" you would put the following entries in the
configuration file#
+ DHS
option domain6name6ser-ers dns.compan!.comC
+ SMLF
option smtp6ser-er smtp.compan!.comC
+ FGF%
option pop6ser-er pop%.compan!.comC
+ H:RS
option nntp6ser-er ne>s.compan!.comC
+ HLF
option time6ser-ers ntp.compan!.comC

&he company's shared-networks and subnets
$s has been discussed in the preious sections" there are four different networks" one for
each department and there are twele different IP-address ranges" one for each floor.
?urthermore" each network has its own router and printers.
This translates into four shared-networks each haing their own netmask and broadcast-
address and encompassing three IP-address ranges.
The netmask is an IP-address used to determine the network a workstation" or some other
network deice that uses an IP-address" is on. $ netmask has !)s in the bit-positions that
are the same for all network deices in that network and .)s in the other positions. &ince
all the subnets on a department)s shared-network are on the same physical network" the
distinction is made on the shared-network leel" not on the floor leel. The floor leel has
been coded into the IP-address Alow-nibble of the third octetB to prepare for the planned
installment next year of one router per floor in stead of one router per department. The
netmask is calculated as follows#
2#.%#.#6.$ 6 . T $$$# $#$# T $$$# #### T $$$# $$$$ T $$$$ $$$$ T S;M:S
2#.%#.%#.2(( . T $$$# $#$# T $$$# #### T $$$# #### T #### #### T H:LRG1K
2#.%#.%2.$ 6 . T $$$# $#$# T $$$# #### T $$#$ $$$$ T $$$$ $$$$ T
;DMIHISL1;LIGH
2#.%#.40.2(( . T $$$# $#$# T $$$# #### T $$#$ #### T #### #### T
H:LRG1K
2#.%#.4'.$ 6 . T $$$# $#$# T $$$# #### T $$## $$$$ T $$$$ $$$$ T
:HJIH::1IHJ
2#.%#.6%.2(( . T $$$# $#$# T $$$# #### T $$## #### T #### #### T H:LRG1K
2#.%#.64.$ 6 . T $$$# $#$# T $$$# #### T $#$$ $$$$ T $$$$ $$$$ T
M;H;J:M:HL
2#.%#.0&.2(( . T $$$# $#$# T $$$# #### T $#$$ #### T #### #### T H:LRG1K
5ixed6bits . T #### #### T #### #### T #### $$$$ T $$$$ $$$$ T H:LM;SK
2(( 2(( 24$ $
- 275 -

4sing a netmask of 255.255.22..." the network an IP-address is on can be determined.
This is done by $3*-ing the IP-address with the netmask. To determine on which of the
four networks a workstation with IP-address 2!.9!.57.!.5 is" the following calculation is
performed#
2#.%#.(0.#$( . T $$$# $#$# T $$$# #### T $$## #$$# T $##$ #$$# T IF6
;DD1:SS
2((.2((.24$.$. T #### #### T #### #### T #### $$$$ T $$$$ $$$$ T ;HD
H:LM;SK
2#.%#.4'.$. T $$$# $#$# T $$$# #### T $$## $$$$ T $$$$ $$$$ T JIP:S
H:LRG1K

The IP-address 2!.9!.57.!.5 is on the 2!.9!.28.. network" which is the Dngineering-
network.
The broadcast-address is used to send packets to eery workstation on a network. $
broadcast-address differs per network and can be determined by replacing all bits that can
ary within a network with !)s.
$nother way of determining the broadcast-address is to take the inerse of the netmask"
in this case ....!5.255" and then %; the result with the network address#
2#.%#.#6.$ 6 . T $$$# $#$# T $$$# #### T $$$# $$$$ T $$$$ $$$$ T S;M:S
$.$.#(.2(( . T $$$$ $$$$ T $$$$ $$$$ T $$$$ #### T #### #### T G1 IHP
H:LM;SK
2#.%#.%#.2(( . T $$$# $#$# T $$$# #### T $$$# #### T #### #### T JIP:S
=D;SL
2#.%#.%2.$ 6 . T $$$# $#$# T $$$# #### T $$#$ $$$$ T $$$$ $$$$ T
;DMIHISL1;LIGH
$.$.#(.2(( . T $$$$ $$$$ T $$$$ $$$$ T $$$$ #### T #### #### T G1 IHP
H:LM;SK
2#.%#.40.2(( . T $$$# $#$# T $$$# #### T $$#$ #### T #### #### T JIP:S
=D;SL
2#.%#.4'.$ 6 . T $$$# $#$# T $$$# #### T $$## $$$$ T $$$$ $$$$ T
:HJIH::1IHJ
$.$.#(.2(( . T $$$$ $$$$ T $$$$ $$$$ T $$$$ #### T #### #### T G1 IHP
H:LM;SK
2#.%#.6%.2(( . T $$$# $#$# T $$$# #### T $$## #### T #### #### T JIP:S
=D;SL
2#.%#.64.$ 6 . T $$$# $#$# T $$$# #### T $#$$ $$$$ T $$$$ $$$$ T
M;H;J:M:HL
$.$.#(.2(( . T $$$$ $$$$ T $$$$ $$$$ T $$$$ #### T #### #### T G1 IHP
H:LM;SK
2#.%#.0&.2(( . T $$$# $#$# T $$$# #### T $#$$ #### T #### #### T JIP:S
=D;SL

- 27: -
The broadcast-address for the network an IP-address is on can be determined by %;-ing
the IP-address with the inerse-netmask. ?or a workstation with IP-address 2!.9!.57.!.5"
the broadcast-address can be calculated as follows#
2#.%#.(0.#$( . T $$$# $#$# T $$$# #### T $$## #$$# T $##$ #$$# T IF6
;DD1:SS
$.$.#(.2(( . T $$$$ $$$$ T $$$$ $$$$ T $$$$ #### T #### #### T G1 IHP
H:LM;SK
2#.%#.6%.2(( . T $$$# $#$# T $$$# #### T $$## #### T #### #### T JIP:S
=D;SL

The IP-address 2!.9!.57.!.5 belongs to a network that has broadcast-address
2!.9!.:9.255" which is correct since the IP-address is on the Dngineering-network.
To tell the */CP-serer what IP-addresses to gie-out per subnet" a range stement must
be added to the subnet. Is this example the IP-addresses 2!.9!.x.. to 2!.9!.x.!. and
2!.9!.x.2!! to 2!.9!.x.255 on eery floor are resered for printers and routers. This
means that for eery subnet the range statement is#
range 2#.%#.x.## 2#.%#.x.2#$

-here JxK depends on the department and the floor.
To implement this structure" the following lines are added to the configuration-file#
+ L2e Sales net>or,O 5loors #6%
s2ared6net>or, sales6net U
+ Sales6net speci5ic parameters
option routers 2#.%#.#0.#C
option lpr6ser-ers 2#.%#.#0.2O 2#.%#.#'.2O 2#.%#.#&.2O 2#.%#.#'.%C
option broadcast6address 2#.%#.%#.2((C
subnet 2#.%#.#0.$ netmas, 2((.2((.24$.$ U
+ Iloor +# speci5ic parameters
range 2#.%#.#0.## 2#.%#.#0.2#$C
V
subnet 2#.%#.#'.$ netmas, 2((.2((.24$.$ U
+ Iloor +2 speci5ic parameters
range 2#.%#.#'.## 2#.%#.#'.2#$C
V
subnet 2#.%#.#&.$ netmas, 2((.2((.24$.$ U
+ Iloor +% speci5ic parameters
range 2#.%#.#&.## 2#.%#.#&.2#$C
V
V
+ L2e ;dministration net>or,O 5loors 466
s2ared6net>or, administration6net U
+ ;dministration6net speci5ic parameters
option routers 2#.%#.%6.#C
option lpr6ser-ers 2#.%#.%6.2O 2#.%#.%0.2O 2#.%#.%'.2O 2#.%#.%0.%C
option broadcast6address 2#.%#.40.2((C
- 277 -
subnet 2#.%#.%6.$ netmas, 2((.2((.24$.$ U
range 2#.%#.%6.## 2#.%#.%6.2#$C
V
subnet 2#.%#.#'.$ netmas, 2((.2((.24$.$ U
+ Iloor +( speci5ic parameters
range 2#.%#.%0.## 2#.%#.%0.2#$C
V
subnet 2#.%#.#&.$ netmas, 2((.2((.24$.$ U
range 2#.%#.%'.## 2#.%#.%'.2#$C
V
V
+ L2e :ngineering net>or,O 5loors 06&
s2ared6net>or, engineering6net U
+ :ngineering6net speci5ic parameters
option routers 2#.%#.((.#C
option lpr6ser-ers 2#.%#.((.2O 2#.%#.(6.2O 2#.%#.(0.2O 2#.%#.(6.%C
option broadcast6address 2#.%#.6%.2((C
subnet 2#.%#.((.$ netmas, 2((.2((.24$.$ U
range 2#.%#.((.## 2#.%#.((.2#$C
V
subnet 2#.%#.#'.$ netmas, 2((.2((.24$.$ U
+ Iloor +' speci5ic parameters
range 2#.%#.(6.## 2#.%#.(6.2#$C
V
subnet 2#.%#.#&.$ netmas, 2((.2((.24$.$ U
+ Iloor +& speci5ic parameters
range 2#.%#.(0.## 2#.%#.(0.2#$C
V
V
+ L2e Management net>or,O 5loors #$6#2
s2ared6net>or, management6net U
+ Management6net speci5ic parameters
option routers 2#.%#.04.#C
option lpr6ser-ers 2#.%#.04.2O 2#.%#.0(.2O 2#.%#.06.2O 2#.%#.0(.%C
option broadcast6address 2#.%#.0&.2((C
subnet 2#.%#.04.$ netmas, 2((.2((.24$.$ U
+ Iloor +#$ speci5ic parameters
range 2#.%#.04.## 2#.%#.04.2#$C
V
subnet 2#.%#.#'.$ netmas, 2((.2((.24$.$ U
+ Iloor +## speci5ic parameters
range 2#.%#.0(.## 2#.%#.0(.2#$C
V
subnet 2#.%#.#&.$ netmas, 2((.2((.24$.$ U
+ Iloor +#2 speci5ic parameters
range 2#.%#.06.## 2#.%#.06.2#$C
V
V

- 278 -
(tatic hosts
$ static host is a host that always gets the same IP-address from the */CP-serer in
opposite to dynamic hosts which get their IP-address from a range of IP-addresses.
%biously" the */CP-serer must be able recogni,e the host to be able to conclude that
the host has been defined as a static one in the */CP-serer)s configuration file. This can
be done by using the d2cp6client6identi5ier option or by using the 2ard>are
et2ernet option.
The d2cp6client6identi5ier is send to the serer by the client AhostB and must
uni+uely identify that client. This is not safe because there is no way to be sure that there
isn)t a second client that uses the same identifier.
The 2ard>are et2ernet option causes the match to be done on the client)s 3IC-address
which is world-wide uni+ue.
If the client does not send a d2cp6client6identi5ier" then the 3IC-address is used to
identify the client.
There are two designers" working for the Dngineering department" that come to the office
sometimes to get a hardcopy of their designs in colour. These designers are called JlukeK
and JleahK and they bring their laptops and connect them to the Dngineering-network.
The host names of their machines will be JlukeK and JleahK.
To make this so" the administrator has added the following lines to the */CP-serer)s
configuration file#
group U
+ options t2at appl! to all t2e static 2osts
option lpr6ser-ers 2#.%#.(6.%C
netmas, 2((.2((.24$.$C
2ost lu,e U
+ speci5ic 5or lu,e
2ard>are et2ernet ;;.''.(4.02.0I.&2C
5ixed6address 2#.%#.((.2##C
option 2ost6name 9lu,e9C
V
2ost lea2 U
+ speci5ic 5or lea2
2ard>are et2ernet DD.''.(4.02.'4.4IC
5ixed6address 2#.%#.((.2#2C
option 2ost6name 9lea29C
V
V

- 27< -
(tatic 7//"P hosts
This is a special static host. If luke and leah)s laptops were (%%TP-clients" the
administrator could hae added the following lines to the */CP-serer)s configuration
file#
group U
+ options t2at appl! to all t2e static 2osts
option lpr6ser-ers 2#.%#.(6.%C
netmas, 2((.2((.24$.$C
2ost lu,e U
+ speci5ic 5or lu,e
5ilename 9lu,es6boot65ile9C
ser-er6name 9ser-er name to send to lu,e9C
next6ser-er ?address o5 ser-er to load boot65ile 5romAC
2ard>are et2ernet ;;.''.(4.02.0I.&2C
5ixed6address 2#.%#.((.2##C
option 2ost6name 9lu,e9C
V
2ost lea2 U
+ speci5ic 5or lea2
5ilename 9lea2s6boot65ile9C
ser-er6name 9ser-er name to send to lea29C
next6ser-er ?address o5 ser-er to load boot65ile 5romAC
2ard>are et2ernet DD.''.(4.02.'4.4IC
5ixed6address 2#.%#.((.2#2C
option 2ost6name 9lea29C
V
V

The 5ilename option states the name of the file to get from the serer defined in the
next6ser-er option. If the next6ser-er is omitted" the serer to get the file from is the
*/CP-serer. The ser-er6name can be used to send the name of the serer the client is
booting from to the client.
?or information on the alid options" consult the dhcp-options man page A#an )hcp@
optionsB and the dhcpd.conf man page A#an )hcp).confB.
Controlling the D)CP0server>s behavior
Leases
$ lease is the amount of time a client may use the IP-address it got from the */CP-
serer. The client must refresh the lease periodically because the IP-address can be gien
to another client if the lease is expired. 3ormally" a client will be gien the same IP-
address if the lease is refreshed before it expired.
- 28. -
The option max6lease6time is used to specify the maximum amount of time in seconds
that will be assigned to a lease if the client asks for a specific expiration time.
The option de5ault6lease6time is used to specify the amount of time in seconds that
will be assigned to a lease if a client does not ask for a specific expiration time.
The */CP-serer keeps a database of the leases it has issued in the file
/-ar/d2cp/d2cpd.leases. If this file is empty" this is probably caused by the fact that
you hae only defined static hosts in the */CP-serer)s configuration file and you
haen)t used any range statements.
3nterfaces the 4HCP@ser+er listens on
4nless you specify otherwise" )hcp) will listen on all interfaces for a dhcp re+uest. If
you only want to sere re+uests on eth2 for instance" you can tell this to the daemon by
including the parameter on the command line that starts the daemon.
2eloa)ing the 4HCP@ser+er after #aking changes
This is done as follows#
+ /etc/init.d/d2cp restart

This will stop the running daemon" wait two seconds" then start a new daemon which
causes /etc/d2cpd.con5 to be read again.
D)CP0relaying
;hat is 4HCP@relayingI
In our earlier example there is one */CP-serer for the whole network and there are
routers between the clients and that serer.
If a client would be able to connect to the */CP-serer through a router" the */CP-
serer would not see the 3IC-address of the client but the 3IC-address of the router. This
would mean that a static host for instance" could not be recogni,ed by its hardware
address.
$ */CP-relay agent" such as )hcrelay proides a means for relaying */CP and
(%%TP re+uests from one of the subnets to the company)s */CP-serer.
If you need more information" consult The Internet ,onsortium 8,' omepage.
- 28! -
If not specified otherwise on the command line" the */CP-relay agent listens for */CP
re+uests on all interfaces and forwards them to the */CP-serers specified on the
command line. $ reply is only sent to the network the re+uest came from.
Please consult the man page A#an )hcrelayB for further details.
53( configuration (2.21.2!
The candidate should be able to configure an 3I& serer and create 3I& maps for ma'or
configuration files. This ob'ectie includes configuring a system as a 3I& client" setting
up an 3I& slae serer and configuring the ability to search local files" *3&" 3I&" etc. in
nss>itc2.con5.
nisupdate" ypbind" ypcat" ypmatch" ypser" ypswitch" yppasswd" yppoll" yppush" ypwhich"
rpcinfo
nis.conf" nsswitch.conf" ypser.conf
Contents of =etc=nis=# netgroup" nicknames" securenets
@akefile
%hat is it'
3I& stands for 3etwork Information &ystem. 3I& was deeloped by &un @icrosystems
and was originally named JLellow PagesK but since that is a trademark of (ritish
Telecom" &un @icrosystems had to change that name and choose 3I&. $s a remnant of
that former name" all 3I& commands start with the letters JypK.
3I& is based on ;PC A;emote Procedure CallsB and consists of a serer and one or more
clients. (ecause 3I& uses ;PC calls" the portmapper Aport#apB must be running. &ee the
section called JConfiguring an 3?& &erer A2.2.<.2BK for more information on the
portmapper.
The purpose of 3I& is to distribute information on the serer to all hosts on the network"
thus keeping the network transparent to the users. Let)s say" for example" that you would
like users to be able to log into any system on the L$3 using the same userid and
password.
This can be achieed by telling 3I& to distribute the files /etc/pass>d and
/etc/groups to all hosts in the 3I& domain.
The files distributed across the network can be any type of file" e.g." a text file that
contains the phone numbers of your colleagues.
- 282 -
Configuring a system as a NI+ client
The 3I& domain name" which is case-sensitie" must be set. This is done either during the
installation Awhen you are prompted for the domainnameB or afterwards by editing the
file /etc/de5aultdomain.
3ormally a client finds its 3I& serers by broadcasting on the local network. If the 3I&
serer is not on that network" you must specify the sererAsB in /etc/!p.con5.
Then 3I& can be started with the command BetcBinit.)Bnis start.
+etting up NI+ master and slave servers
;hat is their relationI
$ 3I& master-serer uses the command yppush to copy its 3I& databases to one or more
slae serers. -hat actually happens is that the 3I& master-serer tells a slae to come
and get the databases. The slae then uses ypxfr to do that.
$ drawback is that this only works if the slae happens to be up and running at the
moment that the serer executes yppush. The ypxfr manual page suggests that you run
ypxfr periodically in a cron 'ob and make the fre+uency dependent on the mutation grade
of the maps. Please consult this man page for further details A#an ' ypxfrB.
Configuring the#
There should be a /%-T% for your distribution that describes this. %n my *ebian
system" I found the information in the file /usr/s2are/doc/nis.debian.2o>to.gz.
&et the 3I& domain in the /etc/de5aultdomain file. It is common practice to use your
*3& domain name for this.
The next thing to do is restrict access to your 3I& domain because eeryone who knows
your domain name can retriee the contents of your 3I& maps. There are two files where
access restrictions can be configured# /etc/!pser-.con5 and
/etc/!pser-.securenets.
If none of the access rules in /etc/!pser-.con5 matches the map name" ypser+ checks
if there is an LPF&DC4;D key in the map. If so" access is allowed on a resered port" if
not" access is allowed. $n access rule has the following format" please read the man page
for further details A#an ypser+.confB#
2ost.map.securit!.mangle).5ield*

- 289 -
This is not ery safe because you hae to specify what is not allowed instead of what is.
It is safer to specify from which hosts access is allowed. This can be done in one of two
ways" either with tcpwrappers which inoles the files /etc/2osts.allo> and
/etc/2osts.den! or with the securenets method of ypser+ which inoles the file
/etc/!pser-.securenets.
Dach line in the /etc/!pser-.securenets consists of a netmask and a network" for
instance#
2((.2((.2((.$ #$#.#$2.#$%.$

This means that all machines in the !.!.!.2.!.9.. network are allowed to connect to the
3I& serer. If none of the rules match an incoming re+uest" the re+uest is logged and
ignored. If" howeer" the file /etc/!pser-.securenets does not exist" connections from
all host are allowed.
To use tcpwrapper support" this functionality needs to hae been compiled into ypser+. If
this is the case" tcpwrappers is used instead of the securenets functionality. To test if this
is the case" type#
+ !pser- 66-ersion
!pser- 6 HNS NF Ser-er -ersion #.%.#2 (>it2 securenets)

%biously" I hae not compiled tcpwrappers into ypser+.
Creating NI+ maps
3I& maps are created by running #ake in the directory /-ar/!p/.
#ake reads the file /-ar/!p/Ma,e5ile which contains the definitions of the 3I&
enironment and the arious maps.
The file /-ar/!p/Ma,e5ile explains itself" I suggest you read through it at least once.
NI+ related commands and files
This section briefly describes the functionality of the yp^ commands and related files as
described in their man pages. Please consult those man pages for further details on
command line options and other features.
"he relate) ypQ co##an)s an) fileA
yp*in)
- 282 -
yp*in) finds the serer for 3I& domains and maintains the 3I& binding
information.
ypcat
ypcat prints the alues of all keys from the 3I& database specified by mapname"
which may be a map name or a map nickname.
ypchfn" ypchsh and yppassw)
The standard passw)" chfn and chsh cannot be used under to change the users)
3I& password" shell or 6DC%& information" because only the password file on
the local host is modified. ?or changing the 3I& information" they are replaced by
their 3I& counterparts# yppassw)" ypchfn and ypchsh.
yp)o#ainna#e
yp)o#ainna#e sets or displays the name of the current 3I& domain.
yp#atch
yp#atch prints the alues of one or more keys from the 3I& database specified
by mapname.
yppoll
yppoll returns the ersion and master serer of a 3I& map.
yppush
yppush forces the propagation of changed 3I& databases.
ypser+
This is the 3etwork Information &erice A3I&B serer daemon.
ypset
ypset binds yp*in) to a specific 3I& serer.
ypwhich
ypwhich returns the name of the 3I& serer or the name of the master for a map.
nisup)ate
- 285 -
$ll I could find about nisup)ate is that it is a script that is part of the -ebmin
suite. -ebmin is a web-based interface for system administration for 4nix.
If you would like to know more about -ebmin" go to the =ebmin =ebsite.
nis.con5
This seems to be distribution specific. The file is not present on my *ebian
system. The file /etc/de5aults/nis contains the Configuration settings for the
3I& daemons as shown below#
+
+ /etc/de5aults/nis Don5iguration settings 5or t2e HIS daemons.
+
+ ;re >e a HIS ser-er and i5 so >2at ,ind (-alues. 5alseO sla-eO
master)
HISS:1P:1B5alse
+ Mocation o5 t2e master HIS pass>ord 5ile (5or !ppass>dd).
+ I5 !ou c2ange t2is ma,e sure it matc2es >it2 /-ar/!p/Ma,e5ile.
NFFRDDI1B/etc
+ Do >e allo> t2e user to use !pc2s2 and/or !pc25n 4 L2e
NFDY;HJ:GK
+ 5ields are passed >it2 6e to !ppass>ddO see itWs manpage.
+ Fossible -alues. 9c2s29O 9c25n9O 9c2s2Oc25n9
NFDY;HJ:GKBc2s2

nss>itc2.con5
/etc/nss>itc2.con5 is the &ystem *atabases and 3ame &erice &witch
configuration file. Carious functions in the C Library need to be configured to
work correctly in the local enironment. Traditionally" this was done by using
files Ae.g. /etc/pass>dB" but other nameserices Alike the 3etwork Information
&erice A3I&B and the *omain 3ame &erice A*3&BB became popular" and were
hacked into the C library" usually with a fixed search order. The Linux 634 C
Library 2.x Alibc.so.:B contains a cleaner solution of this problem. It)s design is
based upon a method used by &un @icrosystems in the C library of &olaris 2. &un
calls this scheme J3ame &erice &witchK A3&&B. The sources for the JdatabasesK
and their lookup order are specified in the /etc/nss>itc2.con5 file.
The file /etc/nss>itc2.con5 consists of one line per database. The first item on
the line is the name of the database followed by a colon A#B. The rest of the line
specifies how the lookup is done and how lookup results are treated. ?or example#
2osts. dns )QH;P;IMBreturn* 5iles
net>or,s. nis )HGLIGHDBreturn* 5iles

- 28: -
The aailable databases are# aliases" ethers" group" hosts" netgroup" network"
passwd" protocols" publickey" rpc" serices" shadow
$mongst the serices are# compat" db" files" hesiod" nis" nisplus ?or eery serice
there must be a file /lib/libnss"?ser-iceA.so.?-ersionA.
?or glibc 2.. the ersion number is J!K" for glibc 2.! the ersion number is J2K.
The action items are placed within brackets and between two serice names. The
general form is#
) ( QSL;LS B ;DLIGH )X * >2ere
WQW negates t2e SL;LS and can be omitted
SL;LS can be. successO not5oundO una-ail or tr!again
;DLIGH can be. return or continue

Please consult the man page A#an nsswitch.confB for further details.
!pser-.con5
/etc/!pser-.con5 is the configuration file for ypser+ and rpc.ypxfr).
L41P configuration (2.21.3!
The candidate should be able to configure an L*$P serer. This ob'ectie includes
configuring a directory hierarchy and adding group" hosts" serices and other data to the
hierarchy. $lso included are# importing items from L*I? files and adding items with a
management tool" as well as adding users to the directory and changing their passwords.
slapd
slapd.con5
%hat is it'
L*$P stands for Lightweight *irectory $ccess Protocol. $s the name suggests" it is a
lighter ersion of *$P" which stands for the *irectory $ccess Protocol that is defined by
the P.5.. standard. ?or more information on P.5.." please read ;+, 011&.
The reason for a lightweight ersion is that *$P was rather heay on processor load"
thereby asking for more than the processors could proide at the time. L*$P is described
in ;+, 00A1.
- 287 -
The L*$P pro'ect was started at the Bniversit( of .ichigan" but" as can be read on their
site" is no longer maintained there. ?or current information" the 4niersity of @ichigan
site points isitors to the 5penL8A' site instead.
The type of information best suited for storage in a directory is information with a low
mutation grade. The reason for this is that directories can not compete with ;*(@
systems because they are only optimi,ed for read access. &o then" what do we store in a
directory> Typically" L*$P directories contain employee data such as surname" christian
name" address" phone number" department" social security number" D-mail address.
$lternatiely" directories might store newsletters for eeryone to read" description of
company policies and procedures" templates supporting the house style of documents.
Installing and Configuring an LD/P +erver
/*taining the software
The %pen &ource L*$P software can be downloaded from the 5penL8A' 8o#nload
site.
*etailed instructions on installing L*$P can be found in the 5penL8A' Administrator$s
Cuide.
%n a *ebian system" apt@get install slap) will do the trick. Lou will hae to edit the file
/etc/ldap/slapd.con5 to reflect your wishes.
$fter this" the slap) daemon can be started with the command BetcBinit.)Bslap) start.
Configuring a )irectory hierarchy
Let)s take the company @ega?ix in The 3etherlands as an example.
- 288 -
This figure shows @ega?ix)s organisational structure.
The company consists of three departments# &ales" Dngineering and $dministration.
In order to proide local support to their customers" the Dngineering department has
offices in London" Paris" ;ome and $msterdam with" for the moment" one or two
engineers.
&o" how do we build a directory for this organi,ation>
?irst" we must decide what kind of information to store in the directory. Let)s put
ourseles in the shoes of the customer#
i. The organi,ational structure of the company
ii. Information about people working at the company
The second thing to do is select or create ob'ect class and schema definitions. The
directory /etc/ldap/sc2ema contains a number of predefined ones and core.sc2ema
fits our needs Atrust me" or hae a look at it if you don)tB.
The third thing to do is choose the ob'ect class we are going to use. This depends on the
data we wish to store. $n ob'ect class describes an ob'ect by defining its possible
attributes.
- 28< -
?or the organi,ational structure of the company" we are going to use the ob'ect classes
organi&ation" organi&ational9nit Anote the J,KB and country. This gies us the
following attributes#
country or JcK in short notation
organi,ation or JoK in short notation
organi,ational4nit or JouK in short notation
o userPassword
o search6uide
o see$lso
o businessCategory
o x!2!$ddress
o registered$ddress
o destinationIndicator
o preferred*eliery@ethod
o telex3umber
o teletexTerminalIdentifier
o telephone3umber
o internationali&*33umber
o facsimileTelephone3umber
o street
o post%ffice(ox
o postalCode
o postal$ddress
o physical*eliery%ffice3ame
o state%rProince3ame or JstK
o locality3ame or JlK
o description
?or people working for the company" we are going to use the ob'ect class person" which
supports the following attributes#
common3ame or JcnK in short notation
surname or JsnK in short notation
o userPassword
telephone3umber
o see$lso
description
Let)s configure slap) to reflect these choices by editing the configuration file
/etc/ldap/slapd.con5#
- 2<. -
+ Sc2ema and ob7ectDlass de5initions
include /etc/ldap/sc2ema/core.sc2ema
+ Sc2ema c2ec, allo>s 5or 5orcing entries to
+ matc2 sc2emas 5or t2eir ob7ectDlassesWs
sc2emac2ec, o55
+ R2ere t2e pid 5ile is put. L2e init.d script
+ >ill not stop t2e ser-er i5 !ou c2ange t2is.
pid5ile /-ar/run/slapd.pid
+ Mist o5 arguments t2at >ere passed to t2e ser-er
args5ile /-ar/run/slapd.args
+ 1ead slapd.con5(() 5or possible -alues
logle-el $
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ ldbm database de5initions
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ L2e bac,end t!peO ldbmO is t2e de5ault standard
database ldbm
+ L2e base o5 !our director!
su55ix 9oBMegaIixOcBHM9
+ R2ere t2e database 5iles are p2!sicall! stored
director! 9/-ar/ldap6test9
+ Distinguis2ed nameO not sub7ect to access control
rootdn 9cnBManagerOoBMegaIixOcBHM9
rootp> blabla
+ Sa-e t2e time t2at t2e entr! gets modi5ied
lastmod on

?or further details on the configuration file" please read the man page A#an slap).confB.
3est" we need to create the directory where the databases will reside# #k)ir B+arBl)ap@
test. 3ow we)re ready to start the daemon#
+ /etc/init.d/slapd start
Starting ldap ser-er(s). slapd.

It seems to work. Let)s see if there are any error messages that hae been logged#
+ ls 6ltr /-ar/log
...
6r>6r66666 # root adm &%4$40 ân 2( #6.44 s!slog
6r>6r66666 # root adm 4(20( ân 2( #6.44 debug
6r>6r66666 # root adm 2'2$4% ân 2( #6.4( aut2.log
- 2<! -
L2ere are no messages in s!slog and debug but aut2.log contains.
+ grep 9slapd9 /-ar/log/aut2.log
ân 2( #6.44.22 pug slapd)#%0%*. unable to open =er,ele! db
/etc/sasldb. Ho
suc2 5ile or director!

&$&L stands for J&imple $uthentication and &ecurity LayerK. This is the layer between
%penL*$P and 0erberos. &ince we)re not using 0erberos" let)s silently ignore the
message.
?inally" we define the @ega?ix organi,ation in L*$P *ata Interchange ?ormat AldifB.
&ee ldif)s man page A#an l)ifB for further details.
+666666666666666666666666666666666666666666666666666666666666
+ L2e organisational structure
+
+ dn B distinguis2edHame
+ ou B organizationalnit
+ o B organizationHame
+ c B countr!
+666666666666666666666666666666666666666666666666666666666666
+ L2e organisation MegaIix in t2e Het2erlands
dn. oBMegaIixO cBHM
ob7ectDlass. organization
description. L2e MegaIix Dompan! Mtd.
+ L2e Sales department
dn. ouBSalesO oBMegaIixO cBHM
description. Sales dept.
+ L2e engineering department
dn. ouB:ngineeringO oBMegaIixO cBHM
description. :ngineering dept.
+ :ngineering 6 Mondon di-ision
dn. ouBMondonO ouB:ngineeringO oBMegaIixO cBHM
description. Di-ision Mondon
+ :ngineering 6 Faris di-ision
dn. ouBFarisO ouB:ngineeringO oBMegaIixO cBHM
description. Di-ision Faris
+ :ngineering 6 1ome di-ision
dn. ouB1omeO ouB:ngineeringO oBMegaIixO cBHM
description. Di-ision 1ome
+ :ngineering 6 ;msterdam di-ision
dn. ouB;msterdamO ouB:ngineeringO oBMegaIixO cBHM
- 2<2 -
description. Di-ision ;msterdam
dn. ouB;dministrationO oBMegaIixO cBHM
description. ;dministration dept.
+666666666666666666666666666666666666666666666666666666666666
+ L2e persons in t2e organisation
+
+ dn B distinguis2edHame
+ ou B organizationalnit
+ o B organizationHame
+ c B countr!
+ cn B commonHame
+ sn B surname
+666666666666666666666666666666666666666666666666666666666666
+ L2e Dompan!Ws Manager
dn. cnBManagerO oBMegaIixO cBHM
ob7ectDlass. person
cn. Manager
cn. Jordon Je,,o
sn. Je,,o
description. Jeneral Manager 6 L2e =ig =oss
telep2oneHumber. (((6#2((
+ L2e engineers in Mondon
dn. cnBô2n Yug2esO ouBMondonO ouB:ngineeringO oBMegaIixO cBHM
ob7ectDlass. person
cn. :ngineer
cn. ô2n Yug2es
sn. Yug2es
description. :ngineer
dn. cnBFeter =ainesO ouBMondonO ouB:ngineeringO oBMegaIixO cBHM
ob7ectDlass. person
cn. :ngineer
cn. Feter =aines
sn. =aines
+ L2e engineers in Faris
dn. cnBMinda D2arterisO ouBFarisO ouB:ngineeringO oBMegaIixO cBHM
ob7ectDlass. person
cn. :ngineer
cn. Minda D2arteris
sn. D2arteris
+ L2e engineers in 1ome
dn. cnBMarcello DontiO ouB1omeO ouB:ngineeringO oBMegaIixO cBHM
ob7ectDlass. person
cn. :ngineer
cn. Marcello Donti
sn. Donti
- 2<9 -
+ L2e engineers in ;msterdam
dn. cnBFieter ânsenO ouB;msterdamO ouB:ngineeringO oBMegaIixO cBHM
ob7ectDlass. person
cn. :ngineer
cn. Fieter ânsen
sn. ânsen
dn. cnBô2an KlaassensO ouB;msterdamO ouB:ngineeringO oBMegaIixO cBHM
ob7ectDlass. person
cn. :ngineer
cn. ô2an Klaassens
sn. Klaassens

To update our directory with the data from the aboe file MegaIix.ldi5" we use the
command#
+ ldapadd 65 /etc/ldap/MegaIix.ldi5 6D WcnBManagerOoBMega5ixOcBHMW 6R 6x
:nter MD;F Fass>ord. (>2ic2 is WblablaW)
adding ne> entr! 9oBMegaIixO cBHM9
adding ne> entr! 9ouBSalesO oBMegaIixO cBHM9
adding ne> entr! 9ouB:ngineeringO oBMegaIixO cBHM9
adding ne> entr! 9ouBMondonO ouB:ngineeringO oBMegaIixO cBHM9
adding ne> entr! 9ouBFarisO ouB:ngineeringO oBMegaIixO cBHM9
adding ne> entr! 9ouB1omeO ouB:ngineeringO oBMegaIixO cBHM9
adding ne> entr! 9ouB;msterdamO ouB:ngineeringO oBMegaIixO cBHM9
adding ne> entr! 9ouB;dministrationO oBMegaIixO cBHM9
adding ne> entr! 9cnBManagerO oBMegaIixO cBHM9
adding ne> entr! 9cnBô2n Yug2esO ouBMondonO ouB:ngineeringO oBMegaIixO
cBHM9
adding ne> entr! 9cnBFeter =ainesO ouBMondonO ouB:ngineeringO
oBMegaIixO cBHM9
adding ne> entr! 9cnBMinda D2arterisO ouBFarisO ouB:ngineeringO
oBMegaIixO cBHM9
adding ne> entr! 9cnBMarcello DontiO ouB1omeO ouB:ngineeringO
oBMegaIixO cBHM9
adding ne> entr! 9cnBFieter ânsenO ouB;msterdamO ouB:ngineeringO
oBMegaIixO cBHM9
adding ne> entr! 9cnBô2an KlaassensO ouB;msterdamO ouB:ngineeringO
oBMegaIixO cBHM9

The data has been added.
To check if eerything works the way we want it to" let)s ask our directory for a list of all
entries concerning the JengineeringK organi,ational4nit" JouK for short#
+ ldapsearc2 6MMM 6b WouBengineeringOoBMegaIixOcBnlW 6x cn description
dn. ouB:ngineeringO oBMegaIixO cBHM
description. :ngineering dept.
- 2<2 -
dn. ouB1omeO ouB:ngineeringO oBMegaIixO cBHM
description. Di-ision 1ome
description. Di-ision ;msterdam
cn. :ngineer
cn. ô2n Yug2es
cn. :ngineer
cn. Feter =aines
cn. :ngineer
cn. Minda D2arteris
dn. cnBMarcello DontiO ouB1omeO ouB:ngineeringO oBMegaIixO cBHM
cn. :ngineer
cn. Marcello Donti
cn. :ngineer
cn. Fieter ânsen
cn. :ngineer
cn. ô2an Klaassens

$nd it worksG
The distinguished3ame" or JdnK" consists of the set of attributes that uni+uely identify an
entry. This set of attributes corresponds to the JpathK that has to be traeled to reach that
entry. The last result shown aboe" JRohan 0laassensK" is found by starting to search at
JoS@ega?ix and cS3LK" going to the department of JDngineeringK and finally going to
the diision J$msterdamK.
- 2<5 -
1))ing )ata to the hierarchy
@ega?ix)s sales in $msterdam hae increased and thus the need for a third engineer
arose. Luckily" @r. -im Poorten applied for the 'ob and got it.
To add @r. Poorten to our directory" we create the file
/etc/ldap/MegaIix.;msterdam.;dd.ldi5" I like descriptie names" and issue the
command#
+ ldapadd 65 /etc/ldap/MegaIix.;msterdam.;dd.ldi5 6D
WcnBManagerOoBMegaIixOxBHMW 6R 6x

There should now be three engineers working in the $msterdam diision#
+ ldapsearc2 6MMM 6b WouBamsterdamOouBengineeringOoBMegaIixOcBnlW 6x cn
cn. :ngineer
cn. Fieter ânsen
cn. :ngineer
cn. ô2an Klaassens
dn. cnBRim FoortenO ouB;msterdamO ouB:ngineeringO oBMegaIixO cBHM
cn. :ngineer
cn. Rim Foorten

$nd" as you can see" there areG
Changing )ata in the hierarchy
4nfortunately" sales are down in London but are expected to increase the next +uarter. In
Paris" there are a lot of problems" so an extra engineer for a week or two would be nice.
Rohn /ughes always wanted to see Paris and offered to assist his colleague Linda for a
week or two.
3aturally" the directory should reflect this new situation to enable people to locate Rohn
when needed. &ince the JouK is part of the distinguished3ame and ou occurs twice" a
simple modify won)t work. The safest way to do this is to get the existing entry and write
it to a file in ldif format. Then" modify that file to first delete the existing entry and then
add a new one with the new location.
+ ldapsearc2 6MMM 6b WouBlondonOouBengineeringOoBMegaIixOcBnlW 6x A
MegaIix.ô2n.to.Faris.ldi5

- 2<: -
This gies all information about the London diision of the Dngineering department#
ob7ectDlass. person
cn. :ngineer
cn. ô2n Yug2es
sn. Yug2es
ob7ectDlass. person
cn. :ngineer
cn. Feter =aines
sn. =aines

;emoe the all entries except the one from Rohn /uges and modify=add lines so that the
file looks like this#
+ 1emo-e ô2n Yug2es 5rom Mondon
c2anget!pe. delete
+ ;nd place 2im in t2e Faris di-ision
dn. cnBô2n Yug2esO ouBFarisO ouB:ngineeringO oBMegaIixO cBHM
c2anget!pe. add
ob7ectDlass. person
cn. :ngineer
cn. ô2n Yug2es
sn. Yug2es

To commit the changes to the database" we issue the command#
+ ldapmodi5! 6r 65 MegaIix.ô2n.to.Faris.ldi5 6D
WcnBManagerOoBMegaIixOcBHMW 6R 6x
deleting entr! 9cnBô2n Yug2esO ouBMondonO ouB:ngineeringO oBMegaIixO
cBHM9
adding ne> entr! 9cnBô2n Yug2esO ouBFarisO ouB:ngineeringO oBMegaIixO
cBHM9

To demonstrate that Rohn is now stationed in Paris" we issue the following search
command#
pug./etc/ldap+ ldapsearc2 6MMM 6b
WouBFarisOouBengineeringOoBMegaIixOcBnlW 6x
- 2<7 -
ob7ectDlass. person
cn. :ngineer
cn. Minda D2arteris
sn. D2arteris
dn. cnBô2n Yug2esO ouBFarisO ouB:ngineeringO oBMegaIixO cBHM
ob7ectDlass. person
cn. :ngineer
cn. ô2n Yug2es
sn. Yug2es

*ore on LD/P
If you would like to read more about L*$P" this section points you to a few sources of
information#
The 5penL8A' site
The 5penL8A' Administrator$s guide
The L8A' Linux 5=T5
The Internet +A! archives where ;?C)s and other documentation can be searched
and found.
P10 authentication (2.21.$!
The candidate should be able to configure P$@ to support authentication ia traditional /
etc/pass>d" shadow passwords" 3I& or L*$P.
/etc/pam.d
/etc/pam.con5
%hat is it'
P$@ stands for Pluggable $uthentication @odules. P$@ consists of a set of libraries
and an $PI A$pplication programming InterfaceB that can be used to perform
authentication tasks. Priilege granting programs" such as login and su" use the $PI to
perform standard authentication tasks.
- 2<8 -
)o does it ork'
"he authentication tasks can *e su*)i+i)e) into four )ifferent functional groupsA
account
Proide account erification types of serice# has the user)s password expired>Q Is
this user permitted access to the re+uested serice>
authentication
Dstablish if the user really is whom he claims to be. This can be done" for
example" by asking a password or" gien the right module" by reading a chip-card
or by performing a retinal or fingerprint scan.
password
This group)s responsibility is the task of updating authentication mechanisms.
Typically" such serices are strongly coupled to those of the authentication group.
&ome authentication mechanisms lend themseles well to being updated. The user
might be presented with a +uestion like JPlease enter the new passwordK.
session
This group of tasks coers things that should be done prior to a serice being
offered and after it is withdrawn. &uch tasks include the maintenance of audit
trails and the mounting of the user)s home directory. The session management
group is important as it proides both an opening and closing hook for modules
that affect the serices aailable to a user.
P$@ can be configured using the file /etc/pam.con5 which has the following format#
ser-ice t!pe control module6pat2 module6arguments

"he #eaning of these fi+e fiel)s isA
serice
This is the name of the application inoled" for example# login" ssh or passw).
type
This is the type of group the task to be performed belongs to# account" auth Athe
authentication groupB" password or session.
- 2<< -
control
This field indicates what the P$@-$PI should do in case authentication fails for
any module.
"he are four +ali) +alues for the control fiel)A
re+uisite
4pon failure" the authentication process will be terminated immediately.
re+uired
This will return failure after the remaining modules for this serice and type hae
been inoked.
sufficient
4pon success" the authentication process will be satisfied" een if a prior re+uired
module has failed the authentication.
optional
The success or failure of this module is only important if this is the only module
associated with this serice and this type.
module-path
This is the filename" including the full path" of the P$@ that is to be used by the
application.
module-arguments
These are module specific arguments" separated by spaces" that are to be passed to
the module. ;efer to the specific module)s documentation for further details.
Configuration is also possible using indiidual configuration files" which is
recommended. These files should all be located in the /etc/pam.d directory. If this
directory exists" the file /etc/pam.con5 will be ignored. The filenames should all be
lowercase and be identical to the name of the serice" such as login. The format of these
files is identical to /etc/pam.con5 with the exception that there is no serice field.
Configuring authentication via /etc/pass3d and /etc/shado3
-hat we need is the unix authentication module pam"unix.so which uses standard calls
from the system)s libraries to retriee=set account information=authentication. This
- 9.. -
information is obtained from the files /etc/pass>d and" if shadow passwords are
enabled" /etc/s2ado>.
"he pam2unix.so #o)ule supports the following #anage#ent groupsA
account
The type JaccountK does not authenticate the user but checks other things such as
the expiration date of the password and might force the user to change his
password based on the contents of the files /etc/pass>d and /etc/s2ado>.
"he following options are supporte)A
debug
Log information using syslog.
audit
$lso logs information" een more than debug does.
auth
The type JauthK checks the user)s password against the password databaseAsB. This
component is configured in the file /etc/nss>itc2.con5. Please consult the man
page A#an nsswitch.confB for further details.
audit
debug
$lso logs information using syslog but less than audit.
nodelay
This argument sets the delay-on-failure" which has a default of a second" to
nodelay.
nullok
$llows empty passwords. 3ormally authentication fails if the password is blank.
- 9.! -
tryFfirstFpass
4se the password from the preious stacked auth module and prompt for a new
password if the retrieed password is blank or incorrect.
useFfirstFpass
4se the result from the preious stacked auth module" neer prompt the user for a
password and fails if the result was a fail.
password
The type JpasswordK changes the user)s password.
audit
bigcrypt
4se the *DC JC2K extension to cryptAB.
debug
$lso logs information using syslog but less than audit.
md5
4se md5 encryption instead of cryptAB.
nis
4se 3I& A3etwork Information &ericeB passwords.
notFsetFpass
*on)t use the passwords from other stacked modules and do not gie the new
password to other stacked modules.
nullok
$llows empty passwords. 3ormally authentication fails if the password is blank.
remember
- 9.2 -
;emember the last n passwords to preent the user from using one of the last n
passwords again.
tryFfirstFpass
4se the password from the preious stacked auth module" and prompt for a new
password if the retrieed password is blank or incorrect.
useFauthtok
&et the new password to the one proided by a preious module.
useFfirstFpass
4se the result from the preious stacked auth module" neer prompt the user for a
password and fails if the result was a fail.
session
The type JsessionK uses syslog to log the user)s name and session type at the start
and end of a session.
The JsessionK type does not support any options.
?or each serice that re+uires authentication a file with the name of that serice must be
created in /etc/pam.d. Dxamples of those serices are# login" ssh" ppp" su.
?or example purposes the file /etc/pam.d/login will be used#
+ Fer5orm pass>ord aut2entication and allo> accounts >it2out a pass>ord
aut2 reSuired pam"unix.so nullo,
+ D2ec, pass>ord -alidit! and continue processing ot2er F;MWs e-en i5
+ t2is test 5ails. ;ccess >ill onl! be granted i5 a Wsu55icientW F;MO
+ t2at 5ollo>s t2is WreSuiredW oneO succeeds.
account reSuired pam"unix.so
+ Mog t2e user name and session t!pe to s!slog at bot2 t2e start and
t2e end
+ o5 t2e session.
session reSuired pam"unix.so
+ ;llo> t2e user to c2ange empt! pass>ords (nullo,)O per5orm some
additional
+ c2ec,s (obscure) be5ore a pass>ord c2ange is accepted and en5orce
t2at a
+ pass>ord 2as a minimum (minB4) lengt2 o5 4 and a maximum (maxB')
lengt2 o5
+ ' c2aracters.
pass>ord reSuired pam"unix.so nullo, obscure minB4 maxB'
- 9.9 -

Configuring authentication via NI+
To be able to authenticate ia 3I&" the module pam"nis.so is needed. This module can
be found at 'A. -I4 Authorisation .odule.
To set up things in such a way that 3I& authentication is sufficient Aand if that is not the
case try pam"unix.soB" the lines that do the trick in /etc/pam.d/login are#
aut2 su55icient pam"nis.so itemBuser /
senseBallo> mapBusers.b!name -alueBcompsci
aut2 reSuired pam"unix.so tr!"5irst"pass
account su55icient pam"ldap.so /
itemBuser senseBden! mapBcancelled.b!name
errorBexpired

Configuring authentication via LD/P
To be able to authenticatie ia L*$P" the module pam"ldap.so is needed.
To set up things in such a way that L*$P authentication is sufficient" Aand if that is not
the case try pam"unix.soB" the lines that do the trick in /etc/pam.d/login are#
aut2 su55icient pam"ldap.so
aut2 reSuired pam"unix.so tr!"5irst"pass
account su55icient pam"ldap.so

- 9.2 -
Chapter 11. (yste# 0aintenance
(2.211!
This topic has a total weight of 2 points and contains the following ob'ecties#
%b'ectie 2.2!!.!Q &ystem logging A! pointB
The candidate should be able to configure syslogd to act as a central network log
serer. This ob'ectie also includes configuring syslogd to send log output to a
central log serer" logging remote connections and using grep and other text
utilities to automate log analysis.
%b'ectie 2.2!!.2Q Packaging software A! pointB
The candidate should be able to build a package. This ob'ectie includes building
Aor rebuildingB both ;P@ and *D( packaged software.
%b'ectie 2.2!!.9Q (ackup %perations A2 pointsB
The candidate should be able to create an off-site backup storage plan.
- 9.5 -
(yste# Logging (2.211.1!
The candidate should be able to configure syslogd to act as a central network log serer.
This ob'ectie also includes configuring syslogd to send log output to a central log serer"
logging remote connections and using grep and other text utilities to automate log
analysis.
s!slog.con5
s!s,logd
/etc/2osts
+ysklogd
&ysklogd is an enhanced ersion of the standard (erkeley utility program which is used
on Linux systems. It is responsible for logging messages receied from programs and
facilities on the local host" as well as from remote hosts.
&ysklogd includes two system utilities syslog) and klog)" which support system logging
and kernel message trapping. &upport of both internet and unix domain sockets enables
this utility package to support both local and remote logging.
syslog)
syslog) proides the kind of logging that is used by many modern programs. Dery
logged message contains at least a time" a hostname and" usually" a program name field.
A&ee the s!slogA9B manual page for information on generating messagesB
;ules in /etc/s!slog.con5 specify where messages should go. $n example syslog.conf
entry is shown below#
+ Sample s!slog.con5 line
daemon.>arning /-ar/log/daemon.log
This means that messages of priority warning and higher from the facility daemon will be
sent to the file /-ar/log/daemon.log.
$ message is sent to the destinations of all matching rules.
The facility specifies the subsystem that produces the message. It is one of the following
keywords#
aut+
- 9.: -
&ecurity and authori,ation messages. This facility is deprecated" use aut+priv
instead.
aut+priv
&ecurity and authori,ation messages.
cron
Clock deamons Aat and cronB.
daemon
@iscellaneous deamons without a separate facility alue.
ftp
?tp deamons.
'ern
0ernel messages.
lpr
Line printer subsystem.
mail
@ail subsystem" including serices like fetch#ail and I@$P.
news
4&D3DT news subsystem.
syslog
@essages generated internally by syslog).
user
6eneric user-leel messages. This is the default.
uucp
44CP subsystem.
local through localG
- 9.7 -
;esered for local use.
The priority is one of the following keywords" in ascending order# debug" info" notice"
warning" err" crit" alert" emerg. The priority defines the seerity of the message. The
standard behaior is that all messages of the specified priority and higher are logged to
the gien action.
The second field is the JlogfileK" but it need not be a regular file. The syslog) proides
the following actions#
;egular ?ile
Typically messages are logged to real files. The file has to be specified with the
full pathname" beginning with a slash A)=)B.
Lou may prefix an entry with the minus A)-)B sign to omit syncing the file after
eery logging. 3ote that you might lose information if the system crashes right
after a write attempt. 3eertheless" this might gie you back some performance"
especially if you run programs that use logging in a ery erbose manner.
Terminal and Console
If the file you specified is a tty" special tty-handling is done" same as with
/de-/console.
;emote @achine
syslog) proides full remote logging" that is" it is able to send messages to a
remote host running syslog) and to receie messages from remote hosts. The
remote host won)t forward the message again" it will 'ust log them locally. To
forward messages to another host" prepend the hostname with the at sign A)_)B#
+ Send all logging to a remote mac2ine
E.E @remote
4sing this feature" you)re able to control all syslog messages on one host"
assuming all other machines log remotely to that host. This makes administration
easier.
If the remote hostname cannot be resoled at startup because the name-serer is
inaccessible Aperhaps it is started after syslog)B" no need to worry# syslog) will
retry ten times before complaining. %ne way to aoid this is to place the hostname
in /etc/2osts.
- 9.8 -
3ote that you hae to start the central logging serer with the 6r option to enable
this. (y default" syslog) doesn)t listen to the network. $lso note that syslog) has
no facility to split log messages from different hosts to different files.
List %f 4sers
4sually" critical messages are also directed to JrootK on the host machine. Lou
can specify a list of users who get the message by simply writing their login
names. Lou may specify more than one user by separating them with commas
A)")B.
+ Messages o5 t2e priorit! alert >ill be directed to root and 7oe!
E.alert rootO7oe!
If they)re logged in" they get the message. $n e-mail will not be sent" because" by
the time it arries" it might be too late.
Dmergency messages often should go to all users currently online to notify them
that something strange is happening with the system. To specify this wall-feature"
use an asterisk A)^)B.
klog)
klog) is a system daemon which intercepts and logs linux kernel messages.
The kernel log information is gathered from either the /proc filesystem or from the
syscall interface.
$lthough klog) has the option of sending the log messages directly to a file" the default
behaior is to send the messages to syslog) using the 'ern facility.
Packaging (oftware (2.211.2!
The candidate should be able to build a package. This ob'ectie includes building Aor
rebuildingB both ;P@ and *D( packaged software.
rpm
SF:D 5ile 5ormat
/debian/rules
-hile there is a ast +uantity of software aailable in the *D( or ;P@ format"
sometimes it is necessary to install software that isn)t. It is often possible to install the
software from source" but you may want to create a package from the source and install
the package. This is useful if you want to be able to do updates without worrying if all
- 9.< -
obsolete files are remoed or if the software needs to be installed on more than one
machine.
(oth *D( and ;P@ use a similar structure to build a package. $ script" in one way or
another" is used to build the package to run in /usr and install it in a temporary directory
A*D(# ?sourcedirA/debian/?pac,agenameA Q ;P@# /-ar/tmp/?pac,agenameA6
buildrootB. The appropriate files are gathered in an archie and some control data is
added. The resulting *D( or ;P@ can be installed on the target platform.
(oth package systems start from the original source and apply a patch where necessary to
correct any problems that might arise in packaging.
The ma'or difference between the packaging formats is the location and structure of the
JscriptsK. In the *D( format" a directory AdebianB which contains a number of files is
added to the source. ;P@ uses a spec-file" which is separate from the source.
D3$ Packages
$s mentioned in the J*ebian Policy 6uideK" the debian directory structure can be
generated with )h<#ake. This utility will try to guess a suitable debian/rules file
based on information in the source-directory.
The generated debian directory contains a number of files. &ome files will need to be
edited" e.g." the :escriptionH needs a proper description in the control file and
documentation you want to hae installed in /usr/s2are/doc/pac'agename will hae to
be added to the docs file.
%nly the re+uired files will be mentioned here. These are control" c2angelog"
cop!rig2t and rules.
control file
This file contains arious alues which )pkg and )select will use to manage the package.
/ere is an example#
Source. bao
Section. games
Friorit!. optional
Maintainer. =en Mesman ?ben@mesman.nuA
=uild6Depends. deb2elper (AA %.$.$)
Standards6Persion. %.(.2
Fac,age. bao
;rc2itecture. an!
Depends. 3Us2libs.DependsV
Description. ; mancala game 5rom Lanzania and <anzibar
=ao is >2at >e call a mancala game. Mancala is t2e term to denominate
games >it2 one s2ared c2aracteristic. mo-es are not executed as in
- 9!. -
c2ess or c2ec,ersO instead mo-es are executed b! so>ing seeds (or
ot2er pla!ing pieces) into 2oles.
The first six lines are the control information for the source package.
The IectionH field is the *ebian section this package goes to. This package will be
installed in the section JgamesK. %ther sections include for instance Jx!!K for P!!
specific programs or JdeelK for programmer tools.
The JriorityH field describes how important it is for the user to install this package.
Possible priorities are Jre+uiredK" JimportantK" JstandardK" JoptionalK and JextraK. This
should probably be JoptionalK or JextraK for self-created packages.
The 3aintainerH field is the maintainer of the *ebian package" not the upstream
maintainer. The Itandards-Kersion is the ersion of the *ebian Policy @anual the
package conforms to.
If you want to resole the build dependencies Ai.e." the packages needed to build this
packageB automatically" you need to specify the packages in the <uild-:epends field.
The second part of the file contains information on the binary package that will be
generated. If more binary packages should be created from the same source" there will be
more of these sections.
3ote that the -rc+itectureH field should be set to JallK for most packages. &e the
*ebian Policy @anual for more information on architecture dependent packages.
$part from the package description" the most important information here is the
relationship with other packages. There are seen possible relations#
*epends#
4sed if the program absolutely will not run Aor will cause seere breakageB unless
a particular package is present.
;ecommends#
4sed for packages that are not strictly necessary but are typically used with the
program.
&uggests#
4sed for packages which will work nicely with the program but are not at all
necessary
Pre-*epends#
- 9!! -
This is stronger than *epends#. The package will not be installed unless the
packages it pre-depends on are installed and correctl( configured. 4se this ery
sparingly and only after discussing it on the debian-deel mailing list.
Conflicts#
4sed if the program absolutely will not run Aor will cause seere breakageB if a
particular package is present.
Proides#
?or some types of packages where there are multiple alternaties" irtual names
hae been defined. Lou can get the full list in /usr/s2are/doc/debian6polic!/
-irtual6pac,age6names6list.text.gz file. 4sed if the program proides a
function of an existing irtual package.
;eplaces#
4sed when the program replaces files from another package or completely
replaces another package Aused in con'unction with Conflicts#B. ?iles from the
named packages will be remoed before installing.
3ote that in this example the J*epends#K field contains 3(s2libs.Depends). This will
be automatically generated by )h<shli*)eps" and filled in by )h<gencontrol" with the
names of any shared libraries the program uses" such as libc: or xlib:g" so they don)t
hae to be explicitly specified.
copyright file
This file contains the information about package upstream resources" copyright and
license information. Its format is not dictated by the *ebian Policy" but the contents is
Asection :.5B. )h<#ake creates a default one. This is what it looks like#
L2is pac,age >as debianized b! =en Mesman ?ben@sno>.nlA
on IriO 2% Ho- 2$$# ##.42.%0 X$#$$.
It >as do>nloaded 5rom ?5ill in 5tp siteA
pstream ;ut2or(s). ?put aut2or(s) name and email 2ereA
Dop!rig2t.
?Must 5ollo> 2ereA
If the program is licensed under one of the common free software licenses" such as the
634 6PL or L6PL" (&* or the $rtistic license" you can refer to the appropriate file in
the /usr/s2are/common6licenses/ directory. If the program has its own license" the
complete license must be included in this file.
- 9!2 -
#hangelog file
This is a re+uired file and uses a special format. This format is used by dpkg and other
programs to obtain the ersion number" reision" distribution and urgency of the package.
?or the maintainer of the program" it is also important" since it is good to document all
changes. It will help people downloading the package to see whether there are any
unresoled issues that they should know about before installing. It will be saed as /usr/
s2are/doc/bao/c2angelog.Debian.gz in the binary package.
This is an example D2angelog#
bao ($.#.$) unstableC urgenc!Blo>
E Initial 1elease.
66 =en Mesman ?ben@sno>.nlA IriO 2% Ho- 2$$# ##.42.%0 X$#$$
Mocal -ariables.
mode. debian6c2angelog
:nd.
The first line is the package name" ersion" distribution and urgency. The name must
match the source package name" distribution should be either JunstableK or
JexperimentalK Afor nowB" and urgency probably shouldn)t be changed to anything higher
than JlowK.
The third line is a log entry describing the changes in this release. The fifth line closes the
comments and specifies who made the release and when. The name AemailD must be
followed by two spaces and the date in ;?C822 format Ae.g." as generated with )ate @2B.
3ew releases should be added at the top.
rules file
3ow we need to take a look at the exact rules which )pkg@*uil)package will use to
actually create the package. This file is actually another @akefile" since it is executed
with Jmake -fK" but different from the one in the upstream source.
The important part to know about the rules file created by )h<#ake is that it is 'ust a
suggestion. It will work for simple packages" but" for more complicated ones" don)t be
afraid to add and subtract from it to fit your needs. The only thing that you must not
change are the names of the rules" because all the tools use these names" as mandated by
the Packaging @anual.
+Q/usr/bin/ma,e 65
+ Sample debian/rules t2at uses deb2elper.
+ JH cop!rig2t #&&0 to #&&& b! ôe! Yess.
- 9!9 -
+ ncomment t2is to turn on -erbose mode.
+export DY"P:1=GS:B#
+ L2is is t2e deb2elper compatibilit! -ersion to use.
export DY"DGMF;LB%
con5igure. con5igure6stamp
con5igure6stamp.
d2"testdir
+ ;dd 2ere commands to con5igure t2e pac,age.
./con5igure 66pre5ixB/usr 66mandirB/33Upre5ixV/s2are/man
66in5odirB/33Upre5ixV/s2are/in5o
touc2 con5igure6stamp
build. con5igure6stamp build6stamp
build6stamp.
d2"testdir
+ ;dd 2ere commands to compile t2e pac,age.
3(M;K:)
+/usr/bin/docboo,6to6man debian/bao.sgml A bao.#
touc2 build6stamp
clean.
d2"testdir
+ d2"testroot
rm 65 build6stamp con5igure6stamp
+ ;dd 2ere commands to clean up a5ter t2e build process.
63(M;K:) distclean
d2"clean
install. build
d2"testdir
d2"testroot
d2"clean 6,
d2"installdirs
+ ;dd 2ere commands to install t2e pac,age into debian/bao.
3(M;K:) install D:SLDI1B3(D1DI1)/debian/bao
+ =uild arc2itecture6independent 5iles 2ere.
binar!6indep. build install
+ Re 2a-e not2ing to do b! de5ault.
+ =uild arc2itecture6dependent 5iles 2ere.
binar!6arc2. build install
d2"testdir
d2"testroot
+ d2"installdebcon5
d2"installdocs
d2"installexamples
d2"installmenu
- 9!2 -
+ d2"installlogrotate
+ d2"installemacsen
+ d2"installpam
+ d2"installmime
+ d2"installinit
d2"installcron
d2"installman
d2"installin5o
+ d2"undocumented
d2"installc2angelogs
d2"lin,
d2"strip
d2"compress
d2"5ixperms
+ d2"ma,es2libs
d2"installdeb
+ d2"perl
d2"s2libdeps
d2"gencontrol
d2"md(sums
d2"builddeb
binar!. binar!6indep binar!6arc2
.FYGHN. build clean binar!6indep binar!6arc2 binar! install con5igure
$s you can see from the first line" this script will be processed by #ake.
The JconfigureK rule Aand its child" Jconfig-stampKB specify that the program will be
configured to run in /usr Ainstead of the default /usr/localB. $lso the manual pages
and the shared files will be installed in the *ebian default location.
The JbuildK rule Aand its child Jbuild-stampKB specify how the program is to be built. In
most cases" the program)s own Ma,e5ile will be used.
The JcleanK rule cleans up any unneeded binary or auto-generated stuff left oer from
building the package. This rule must be working at all times Aeen when the source tree is
cleaned upGB" so please use the forcing options Ae.g." for r#" that is -fB" or ignore return
alues Awith a - in front of a command nameB.
The installation process" the JinstallK rule" basically runs the JinstallK rule from the
program)s own Ma,e5ile" but installs in ?p>dA/debian/bao directory.
$s the comments suggest" the Jbinary-indepK rule is used to build architecture
independent packages. $s none are specified in the control file" nothing will be done. If
the package was an J$rchitecture# allK one" all the commands for building the package
would be under this rule" and the next rule AJbinary-archKB would be empty instead.
The Jbinary-archK rule uses seeral small utilities from the debhelper package to perform
arious operations to make the package Policy conforming.
- 9!5 -
The names start with d2"" and the rest is the description of what the particular utility
really does. It is all +uite self-explanatory" but here are some additional explanations#
d2"testdir checks that you are in the right directory Ai.e. the top-leel source
directoryB"
d2"testroot checks that you hae root permissions which is needed for binaryE
targets" and clean"
d2"installmanpages copies all the manpages it can find in the source tree to
package"
d2"strip strips debugging headers from executable files and libraries" to make
them smaller"
d2"compress g,ips manual pages and documentation larger than 2 0b"
d2"installdeb copies package related files Ae.g. the maintainer scriptsB under
debian=tmp=*D(I$3 directory"
d2"s2libdeps calculates shared libraries dependencies of the libraries and
executables"
d2"gencontrol adds stuff to" and installs" the control file"
d2"md(sums generates @*5 checksums for all the files in the package.
?or more information on these and other debhelper commands" read the debhelper
documentation.
7uil)ing "he Package
-hen the rules file is adapted to the program" a package can be build by executing
dp,g6buildpac,age 6r5a,eroot
This will do eerything for you" including the signing of the files. Lou will 'ust hae to
enter your P6P Aor 6P6B secret key twice.
In our example" the following files will be generated#
bao"$.#.$6#"i%'6.deb
This is the completed binary package. Lou can use )pkg or apt to install or
remoe this 'ust like any other packageQ
bao"$.#.$.orig.tar.gz
This is the original source code gathered up so that if someone else wants to
recreate the package from scratch they can. %r if they aren)t using the *ebian
packaging system" but need to manually download the source and compile.
bao"$.#.$6#.dsc
- 9!: -
This is a summary of the contents of the source code. The file is generated from
the bao6$.#.$/debian/control file and is used when unpacking the source with
)pkg@source. This file is P6P signed" so that people can be sure of its origin.
bao"$.#.$6#.di55.gz
This compressed file contains each and eery addition made to the original source
code" in the form known as Junified diffK. It is made and used by )pkg@source.
bao"$.#.$6#"i%'6.c2anges
This file describes all the changes made in the current package reision" and it is
used by the *ebian ?TP archie maintenance programs to install the binary and
source packages in it. It is partly generated from the
bao6$.#.$/debian/c2angelog file and the .dsc file.
People downloading the package can look at this file and +uickly see what has
changed. The long strings of numbers are @*5 checksums for the files
mentioned. Those downloading the files can test them with #),su# and if the
numbers don)t match" they)ll know the file is corrupt or has been hacked. This file
is P6P signed" so that people can be een more sure that it is authentic.
!P* Packages
The &PDC file is a description of how a Asource-B;P@ can be built from source. The
&PDC file should be named according to a standard conention.
Aprogram nameD6Aversion numberD6Arelease numberD.spec
This will ensure that if you install multiple source ;P@s for different ersions of the
same package that the spec files remain intact.
(efore you can actually build an ;P@ from a spec file" you should make sure you hae a
proper build tree. It should contain the following directories#
=IMD is the directory where all building occurs by ;P@. Lou don)t hae to do
your test building anywhere in particular" but this is where ;P@ will do its
building"
SG1D:S is the directory where you should put your original source tar files and
your patches. This is where ;P@ will look by default"
SF:DS is the directory where all spec files should go"
1FMS is where ;P@ will put all binary ;P@s when built"
S1FMS is where all source ;P@s will be put.
The default location is of the build tree is /usr/src.
- 9!7 -
/ere is a sample of a spec file Abao6$.#.$6#.specB#
Summar!. ; mancala game 5rom Lanzania and <anzibar
Hame. bao
Persion. $.#
1elease. #
Dop!rig2t. JFM
Jroup. ;musements/James
Source. 5tp.//5tp.somesite.com/pub/games/bao6$.#.$.tar.gz
+ Fatc2. none
=uild1oot. /-ar/tmp/]UnameV6buildroot
]description
=ao is >2at >e call a mancala game. Mancala is t2e term to denominate
games >it2 one s2ared c2aracteristic. mo-es are not executed as in
c2ess or c2ec,ersO instead mo-es are executed b! so>ing seeds (or
ot2er ot2er pla!ing pieces) into 2oles.
]prep
]setup
]build
./con5igure 66pre5ixB/usr 66mandirB/usr/s2are/man 66in5odirB/usr/s2are/
in5o
ma,e
]install
rm 6r5 31FM"=IMD"1GGL
ma,e install D:SLDI1B3(1FM"=IMD"1GGL)
]clean
rm 6r5 31FM"=IMD"1GGL
]5iles
]de5attr(6OrootOroot)
]doc 1:;DM: LGDG
/usr/bin/bao
]c2angelog
E Lue Dec $4 2$$# =en Mesman ?ben@sno>.nlA
6 initial release
"he Hea)er
The header consists of a series of fields that proide general information about the
package. These fields are#
4ummar(9 This is a one line description of the package"
-ame9 This is the ?nameA string from the rpm file"
)ersion9 This is the ?-ersionA string from the rpm file"
;elease9 This is the ?releaseA string from the rpm file"
- 9!8 -
,op(right9 This is the copyright of the package. It should be a short description"
like 6PL" (&*" @IT" public domain" distributable or commercial"
Croup9 This is used by higher-leel installation programs" such as gnorp#" to
place this package in its proper place in the hierarchical structure. $ description of
the hierarchy can be found in /usr/doc/rpmE/J1GFS"
4ource9 This is the location of the original source file. The filename on the local
system must match the filename in this line Ai.e." do not rename the file after
downloadingB. &eeral source files can be specified along these lines#
Source$. 2ttp.//site.name/do>nloads/2opla6$#.tar.gz
Source#. 2ttp.//site.name/do>nloads/2opla6$2.tar.gz
Source2. 5tp.//ot2er.site/pub/patc2es/addition6#.tar.gz
'atch9 This works basically" the same as the J&ource#K field. It designates the
location of the patch file. @ultiple patches can be specified in the same manner as
in J&ource#K"
@uild;oot9 This is the JrootK for building and installing the new package. This
can help test the package before it is installed"
Ddescription This is not really a header item" but should be described with the
header anyway. It is a multi-line description of the package. There should be one
JMdescriptionK field per package and=or subpackage.
Prep
This is the second section of the spec file. It should contain all commands to set-up the
source to do a #ake. This is where you unpack the sourceAsB and apply the patchAesB.
%ne thing to note is that each of these sections is really 'ust a place to execute shell
scripts. &o" it is possible to create a sh script and put it after the Rprep tag to unpack and
patch the sources. /oweer" there are macros to aid in this.
The first macro" shown in the example" is the Rsetup macro. It unpacks the sources
mentioned in the J&ource#K line in the header and c))s into the source directory.
The second macro is called Rpatch. It will apply all patches mentioned in the header.
&ince there are no patches for this package" the Rpatch macro is not included in the
example.
If something needs to be done that can)t be handled by these macros" you can include
another setup. Derything up to the JMbuildK section will be interpreted as an sh script.
7uil)
There aren)t really any macros for this section. Rust use any commands here that you
would need to build the software once you hae untarred the source" patched it and cd)ed
into the directory. This is 'ust another set of commands passed to sh" so any legal sh
commands can go here Aincluding commentsB.
- 9!< -
Important
It is important to keep in mind that your current working directory is reset in each of
these sections to the top leel of the source directory. Lou can always c) into
subdirectories if necessary.
3nstall
There aren)t really any macros here" either. (asically" use any commands that are
necessary for the install. If you hae #ake install aailable to you in the package you are
building" put that here. If not" you can either patch the Ma,e5ile for a #ake install and
'ust do a #ake install here" or you can hand install them here with sh commands. Lou
can consider your current directory to be the top-leel of the source directory.
The ariable 1FM"=IMD"1GGL is aailable to tell you the path set as the J(uildroot#K in
the header. 4sing build roots are optional" but are highly recommended because they
keep you from cluttering your system with software that isn)t in your ;P@ database
Abuilding an ;P@ doesn)t touch your database...you must install the binary ;P@ you 'ust
built to do thatB.
Clean
It)s a good idea to always make sure there is a clean build root before building a package
a second time on a system. The JMcleanK macro will help with that. &imply put the
proper commands there to blow away a former build root.
In the example" the 1FM"=IMD"1GGL is remoed. To be prudent" it is a good idea to
check that 1FM"=IMD"1GGL was not set to / before doing something this olatile.
-iles
This is the section where you must list the files for the binary package. ;P@ has no way
of knowing what binaries get installed as a result of make install. To circument this"
some hae suggested doing a find before and after the package install. -ith a multiuser
system" this is unacceptable as other files may be created during a package building
process that hae nothing to do with the package itself.
There are some macros aailable to do some special things as well. They are listed and
described here#
R)oc is used to mark documentation in the source package that you want
installed in a binary install. The documents will be installed in /usr/doc/3H;M:6
3P:1SIGH631:M:;S:. Lou can list multiple documents on the command line with
this macro" or you can list them all separately using a macro for each of them.
Rconfig is used to mark configuration files in a package. This includes files like
sendmail.c5" pass>d" etc. If you later uninstall a package containing config
- 92. -
files" any unchanged files will be remoed and any changed files will get moed
to their old name with a .rpmsa-e appended to the filename. Lou can list
multiple files with this macro as well.
R)ir marks a single directory in a file list to be included as being owned by a
package. (y default" if you list a directory name #ithout a R)ir macro"
ever(thing in that directory is included in the file list and later installed as part of
that package.
R)efattr allows you to set default attributes for files listed after the R)efattr
declaration. The attributes are listed in the form Amode" o>ner" groupB where the
mode is the octal number representing the bit pattern for the new permissions
Asuch as ch#o) would useB" o>ner is the username of the owner" and group is the
group you would like assigned. ALou may leae any field to the installed defaultB
by simply placing a J-K in its place" as was done in the mode field for the example
package.
Rfiles @f Ffilena#eS will allow you to list your files in some arbitrary file within
the build directory of the sources. This is nice in cases where you hae a package
that can build its own file list. Lou then include that file list here and you won)t
hae to specifically list the files.
$ potential problem in the file list is listing directories. If you list /usr/bin by accident"
your binary package will contain eery file in /usr/bin on your system.
Changelog
This is a log of the changes that were made when the package was updated. If you are
modifying an existing ;P@ it is a good idea to list the changes here.
The format is simple. &tart each new entry with a line with a J^K followed by the date"
your name and your email address. The date should appear in the same format that is
output by#
date X9]a ]b ]d ]N9
The rest of the section is a free text field" but should be organi,ed in some coherent
manner.
7uil)ing 2P0s
-hen the &PDC file is finished" you can build an ;P@ with#
rpm 6bb ?spec65ileA
The 6bb indicate that rp# should build a binary package. 6bs builds a source rpm and
6ba builds both AallB. The ;P@ will be placed in /usr/src/1FMS/ and the source ;P@
will be placed in /usr/src/S1FMS Aor whereer your ;P@-build tree should beB.
- 92! -
7ackup /perations (2.211.3!
The candidate should be able to create an off-site backup storage plan.
%hy'
Deryone Amore or lessB knows that" as a system administrator" it is ital to make
backups. @ost also know why. Lour data is aluable. It will cost you time and effort to
re-create it" and that costs money or at least personal grief and tears. &ometimes it can)t
een be re-created" such as the results of some experiments. &ince it is an inestment" you
should protect it and take steps to aoid losing it.
There are four main reasons why you may lose data# human error" software bugs"
hardware failure and natural disasters. /umans are +uite unreliable" they might make a
mistake or be malicious and destroy data on purpose. @odern software does not een
pretend to be reliable. $ rock-solid program is an exception" not a rule. /ardware is more
reliable" but may break seemingly spontaneously" often at the worst possible time. 3ature
may not be eil" but" neertheless" can be ery destructie sometimes.
%hat'
In general" you want to back up as much as possible. $ ma'or exception is the /proc
filesystem. &ince this only contains data that the kernel generates automagically" it is
neer a good idea to back it up. The /proc/,core file is especially unnecessary" since it
is 'ust an image of your current physical memoryQ it)s pretty large as well. &ome special
files that are constantly changed by the operating system Ae.g. /etc/mtabB should not be
restored" hence not be backed up. There may be others on your system.
6ray areas include the news spool" log files and many other things in /-ar. Lou must
decide what you consider important. $lso" consider what to do with the deice files in
/de-. @ost backup solutions can backup and restore these special files" but you may want
to re-generate them with a script.
The obious things to back up are user files A/2omeB and system configuration files
A/etc" but possibly other things scattered all oer the filesystemB.
%hen'
*epending on the rate of change of the data" this may be anything from daily to almost
neer. The latter happens on firewall systems" where only the log files change daily Abut
logging should happen on a different system anywayB. &o" the only time when a backup is
necessary" for example" is when the system is updated or after a security update.
%n normal systems" a daily backup is often best.
- 922 -
(ackups can take seeral hours to complete" but" for a successful backup strategy" human
interaction should be minimal" preferably 'ust a matter of placing a tape in the tape
deice.
)o'
-hile the brand or the technology of the hardware and software used for backups is not
important" there are" neertheless" important considerations in selecting them. Imagine"
for example" the restore software breaks and the publisher has since gone out of business.
3o matter how you create your backups" the two most important parts in a backup
strategy are#
erifying the backup
The safest method is to read back the entire backup and compare this with the
original files. This is ery time-consuming and often not an option. $ faster" and
relatiely safe method" is to create a table of contents Awhich should contain a
checksum per fileB during the backup. $fterwards" read the contents of the tape
and compare the two.
testing the restore procedure
This means that you must hae a restore procedure. This restore procedure has to
specify how to restore anything from a single file to the whole system. Dery few
months" you should test this procedure by doing a restore.
%here'
If something fails during a backup" the medium will not contain anything useful. If this
was your only medium" you are screwed. &o you should hae at least two sets of backup
media. (ut if you store both sets in the same building" the first disaster that comes along
will destroy all your precious backups along with the running system.
&o you should hae at least one set stored at a remote site. *epending on the nature of
your data" you could store weekly or daily sets remotely.
*o not forget to store a copy of the backup-plan along with the backups at the remote
site. %therwise you cannot guarantee that the system will be back up-and-running in the
shortest possible time.
- 929 -
Chapter 12. (yste# (ecurity
(2.212!
This topic has a total weight of !. points and contains the following ob'ecties#
A%b'ectie 2.2!2.! - not defined by LPIB
This ob'ectie was not defined by LPI
%b'ectie 2.2!2.2Q Configuring a router A2 pointsB
The candidate should be able to configure ipchains and iptables to perform IP
mas+uerading and state the significance of 3etwork $ddress Translation and
Priate 3etwork $ddresses in protecting a network. This ob'ectie includes
configuring port redirection" listing filtering rules and writing rules that accept or
block datagrams based upon source or destination protocol" port and address. $lso
included is saing and reloading filtering configurations" using settings in /proc/
s!s/net/ip-4 to respond to *%& attacks" using
/proc/s!s/net/ip-4/ip"5or>ard to turn IP forwarding on and off and using
tools such as Port&entry to block port scans and ulnerability probes.
%b'ectie 2.2!2.9Q &ecuring ?TP serers A2 pointsB
The candidate should be able to configure an anonymous download ?TP serer.
This ob'ectie includes configuring an ?TP serer to allow anonymous uploads"
listing additional precautions to be taken if anonymous uploads are permitted"
configuring guest users and groups with chroot 'ail and configuring ftpaccess to
deny access to named users or groups.
%b'ectie 2.2!2.2Q &ecure shell A%pen&&/B A2 pointsB
The candidate should be able to configure sshd to allow or deny root logins and
enable or disable P forwarding. This ob'ectie includes generating serer keys"
generating a user)s public=priate key pair" adding a public key to a user)s
authori,edFkeys file and configuring ssh-agent for all users. Candidates should
also be able to configure port forwarding to tunnel an application protocol oer
ssh" configure ssh to support the ssh protocol ersions ! and 2" disable non-root
logins during system maintenance" configure trusted clients for ssh logins without
a password and make multiple connections from multiple hosts to guard against
loss of connection to remote host following configuration changes.
%b'ectie 2.2!2.5Q TCPFwrapper A! pointB
- 922 -
The candidate should be able to configure tcpwrappers to allow connections to
specified serers from only certain hosts or subnets.
%b'ectie 2.2!2.:Q &ecurity tasks A9 pointsB
The candidate should be able to install and configure kerberos and perform basic
security auditing of source code. This ob'ectie includes arranging to receie
security alerts from (ugtra+" CD;T" CI$C and other sources" being able to test
for open-mail relays and anonymous ?TP serers and installing and configuring
an intrusion detection system" such as snort or Tripwire. Candidates should also
be able to update the I*& configuration as new ulnerabilities are discoered and
apply security patches and bug-fixes.
&ources of information# ;?C!<!8
Configuring a router (2.212.2!
The candidate should be able to configure ipchains and iptables to perform IP
mas+uerading and state the significance of 3etwork $ddress Translation and Priate
3etwork $ddresses in protecting a network. This ob'ectie includes configuring port
redirection" listing filtering rules and writing rules that accept or block datagrams based
upon source or destination protocol" port and address. $lso included is saing and
reloading filtering configurations" using settings in /proc/s!s/net/ip-4 to respond to
*%& attacks" using /proc/s!s/net/ip-4/ip"5or>ard to turn IP forwarding on and off
and using tools such as Port&entry to block port scans and ulnerability probes.
ipchains
/proc/s!s/net/ip-4
/etc/ser-ices
ipta*les
route)
Private Netork /ddresses
-hy do Priate 3etwork $ddresses exist > It has been common practice to assign
globally-uni+ue addresses to all hosts that use TCP=IP. In order to extend the life of the
IP2 address space" address registries are re+uiring more 'ustification concerning the
need for extra address space than eer before" which makes it harder for organi,ations to
ac+uire additional address space.
/osts within enterprises that use IP can be partitioned into three categories#
Category !
- 925 -
These hosts do not re+uire access to the hosts of other enterprises or on the
Internet itselfQ hosts within this category may use IP addresses that are
unambiguous within an enterprise" but may be ambiguous between enterprises.
Category 2
These are hosts that need access to a limited set of outside serices Ae.g." D-mail"
?TP" netnews" remote loginB" which can be handled by mediating gateways Ae.g."
application layer gatewaysB. ?or many hosts in this category" unrestricted external
access Aproided ia IP connectiityB may be unnecessary and een undesirable
Afor priacy=security reasonsB. These hosts" the same as category ! hosts" may use
IP addresses that are unambiguous within an enterprise" but may be ambiguous
between enterprises.
Category 9
These hosts need network-layer access outside the enterprise Aproided ia IP
connectiityBQ hosts in the last category re+uire IP addresses that are globally
unambiguous.
-e will refer to the hosts in the first and second categories as JpriateK and to hosts in
the third category as JpublicK.
@any applications re+uire connectiity only within one enterprise and do not need
external Aoutside the enterpriseB connectiity for the ma'ority of internal hosts. In larger
enterprises it is often easy to identify a substantial number of hosts using TCP=IP that do
not need network-layer connectiity outside the enterprise.
The Internet $ssigned 3umbers $uthority AI$3$B has resered the following three
blocks of the IP address space for priate internets#
#$.$.$.$ 6 #$.2((.2((.2(( (#$/' pre5ix)
#02.#6.$.$ 6 #02.%#.2((.2(( (#02.#6/#2 pre5ix)
#&2.#6'.$.$ 6 #&2.#6'.2((.2(( (#&2.#6'/#6 pre5ix)
-e will refer to the first block as J22-bit blockK" the second as J2.-bit blockK" and to the
third as J!:-bitK block. 3ote that Ain pre-CI*; notationB the first block is nothing but a
single class $ network number" while the second block is a set of !: contiguous class (
network numbers and third block is a set of 25: contiguous class C network numbers.
- 92: -
Netork /ddress "ranslation ,N/".
The figure aboe displays s hypothetical situation which will sere as an example in the
following explanation.
JThe ?irmK has four machines" ! to 2" which are connected ia a /4( and hae priate
IP-$ddresses in the !<2.!:8.x.x range. @achine 2 seres as a router to the Internet and
has two network interfaces. %ne connects the router to The ?irm)s internal network ia
the hub and has a priate IP-address of !<2.!:8...!" while the other connects the router to
the Internet and has a alid AdynamicB IP-$ddress of !.!.!.2.!.9.!.2.
Let)s say that the user at @achine 2 wishes to look at a web page on &ome /ost
Ahttp#==&ome/ost.&omeCountryB with an IP-address of 2.!.2.2.2.9.2.2. To be able to
see the web page" @achine 2 must be able to get information from the Internet and thus
must be" in some way" connected to the Internet. $nd indeed" @achine 2 has an indirect
- 927 -
connection to the Internet ia @achine 2" but how can this work> @achine 2 has a priate
IP-address which is not supported on the InternetG
This is where 3$T kicks in. @achine 2" the router" replaces the priate IP-address of
@achine 2 Aand also of @achine ! and 9 if neededB with its own IP-$ddress before
sending the re+uest to &ome /ost. &ome /ost thinks that a machine with IP-$ddress
!.!.!.2.!.9.!.2 asked for the web page and responds by sending the web page to
@achine 2.
@achine 2 knows that it has replaced the IP-address of @achine 2 with its own before
sending the re+uest to &ome /ost so it also knows that the answer it got to the re+uest has
to go to @achine 2. @achine 2 accomplishes this by replacing its own IP-address in the
answer by the IP-address of @achine 2.
This is" in a nutshell" what 3$T does. ?or more detailed information consult ;?C!:9!.
IP *as:uerading ith IPC)/IN+
IP @as+uerading is a form of 3$T. To get IP @as+uerading up and running on your
Linux computer" your kernel must support this.
?or more detailed information on compiling a kernel and modules" see Chapter !" Linux
Kernel /0"0213 .
Let)s go back to The ?irm)s network. The IP mas+uerading rules on machine 2 can be set
using the following ipchains commands#
+ ipc2ains 6F 5or>ard D:HN
+ ipc2ains 6; 5or>ard 6i et2$ 6s #&2.#6'.$.$/24 67 M;S_

The first line defines a policy A-PB that states that all packets that hae a destination
address in the outside world will not be forwarded A*D3LB by the forward chain
AforwardB. This is done because it is good practice to forbid all traffic by default except
traffic that you explicitly want.
The second line adds A-$B a rule to the forward chain AforwardB that states that all
packages arriing A-iB at interface eth. and coming from A-sB an ip-address in the range
!<2.!:8....-!<2.!:8...255 will be mas+ueraded A-' @$&HB and forwarded to the outside
world. The J=22K states that the first 22 bits always hae the same alue" in this case
!<2.!:8.." and that the last 8 bits can hae any alue.
@achine 2 now knows -/$T to do with IP packets that come from @achines ! to 2" but
not -/D;D to send them. To complete @achine 2)s instructions" we add the following
commands#
+ route add 6net #&2.#6'.$.$ netmas, 2((.2((.2((.$ et2$
- 928 -
+ route add de5ault g> #$#.#$2.#$%.#$4 et2#

The first line adds a route to the !<2.!:8.x.x network ia eth..
The second line adds a default route ia eth!" which is used if the destination is not in the
!<2.!:8.x.x range.
IP forarding ith IPC)/IN+
IP forwarding is the relaying of IP packets from one network to another. Let)s go back to
The ?irm)s network. -e want @achine 2 to forward the IP packets to the Internet. This
means that all of the ?irms machines must use JrealK IP addresses" as explained earlier"
and that @achine 2 must know that certain IP addresses should go to the outside world"
i.e." the Internet.
To enable forwarding" support must be enabled in the kernel Asee Chapter !" Linux
Kernel /0"0213 for more detailsB and forwarding itself must be enabled by issuing the
command echo 1 S BprocBsysBnetBip+$Bip<forwar).
@achine 2 now knows -/$T to do with IP packets that come from the @achines ! to 2"
but not -/D;D to send them. To tell @achine 2 this" we use the following commands#
+ route add 6net #&2.#6'.$.$ netmas, 2((.2((.2((.$ et2$
+ route add de5ault g> #$#.#$2.#$%.#$4 et2#

The first line adds a route to the !<2.!:8.x.x network ia eth.. -ith kernel ersions of
2.2 or higher this is done automatically.
The second line adds a default route ia eth! which is used if the destination is not in the
!<2.!:8.x.x range.
Port !edirection ith IPC)/IN+
Port redirection is a mechanism which enables the redirection of IP packets based on
destination port number to another port. To enable port redirection" support must be
enabled in the kernel. &ee the section called J IP @as+uerading with IPC/$I3& K for
more details.
&ince it worked so well the last time" let)s go back to The ?irm)s network again for an
example.
&uppose @achine 2 has a web-serer Aor some other programB running which listens to
port 2925" and people from the outside must be able to connect to that program. &ince
The ?irm is using priate IP addresses for their internal network" @achine 2 is not isible
- 92< -
on the Internet. The solution here is to tell @achine 2 to route all data from the outside
that is aimed at port 8. to port 2925 on @achine 2.
3ow we)e got a problem# with the command ipchains @? 2=432" the port must be on
the same host and here this is not the case. &o" what to do now >
The solution lies in the ip#asCa)# portfw command. Typing ip#asCa)# portfw @h
gies the following information#
+ ipmasSadm port5> 62
sage. port5> 6a 6F F1GLG 6M M;DD1 MFG1L 61 1;DD1 1FG1L )6p F1:I* add
entr!
port5> 6d 6F F1GLG 6M M;DD1 MFG1L )61 1;DD1 1FG1L*
delete entr!
port5> 65 clear
table
port5> 6l list
table
port5> ?argsA 6n no
names
F1GLG is t2e protocolO can be 9tcp9 or 9udp9
M;DD1 is t2e local inter5ace recei-ing pac,ets to be 5or>arded.
MFG1L is t2e port being redirected.
1;DD1 is t2e remote address.
1FG1L is t2e port being redirected to.
F1:I is t2e pre5erence le-el (load balancingO de5aultB#$)

Dxecuting the following commands on @achine 2 will achiee our goal#
+ ipmasSadm port5> 65
+ ipmasSadm port5> 6a 6F tcp 6M #$#.#$2.#$%.#$4 '$ 61 #&2.#6'.$.## 2%4(

The first line empties the portfw table" the second line adds a portfw rule Aportfw -aB for
the tcp packets A-P tcpB arriing at port 8. on the external interface of @achine 2 A-L
!.!.!.2.!.9.!.2 8.B" which states that those packets must be sent to port 2925 on
@achine 2 A-; !<2.!:8...!! 2925B.
$nd what about the replies from @achine 2 in response to the re+uests> &houldn)t there
be a rule for that too> The answer is no" because this works similarly to mas+uerading.
@achine 2 has no idea whatsoeer that the re+uest came from the outside. To @achine 2"
it looks like the re+uest came from @achine 2" so the answer goes to @achine 2. @achine
2 knows that this is in answer to a re+uest from the outside that has been rerouted to
@achine 2" so it sends the answer to the same machine the re+uest came from.
- 99. -
IPC)/IN+& an overvie
- 99! -
This figure shows the stages of the ipchains process.
IPC/$I3&" nomen est omen" hence there are chains" a minimum of three to be precise.
-e)e always got an I3P4T" ?%;-$;* and %4TP4T chain and" optionally" one or
more user-defined chains.
$ chain contains rules that determine the fate of a packet based on its source address"
destination address" source port" destination port" protocol-type or any combination of
these.
If a packet matches a rule" the packet is sent to the chain specified in the target. This can
be $CCDPT" *D3L" @$&H" ;D*I;DCT or ;DT4;3 or a user-defined chain.
$CCDPT means that the packet will pass through. *D3L means that the packet is not
accepted and thrown away without any form of notification to the sender. @$&H means
that the packet will be mas+ueraded if it came from the localhost or demas+ueraded if it
is a response to an earlier sent mas+ueraded packet. @$&H is only allowed for the
forward chain and the user-defined chains. ;D*I;DCT will redirect packets to a local
port. ;D*I;DCT is only allowed for the input chain and for user-defined chains.
;DRDCT means that the packet is not accepted and that the sender will be notified of this
fact by means of an IC@P message. ;DT4;3 has the same effect as a packet reaching
the end of a user-defined chain without match" i.e." the next rule in the preious chain will
be checked. If the end of a built-in chain is reached" or a rule in a built-in chain with
target ;DT4;3 is matched" the target specified by the chain policy determines the fate
of the packet.
4escriptions of the +arious stages an) their relationshipsA
Checksum
The checksum is calculated on the header of the IP packet. If the checksum is
incorrect" the packet is denied. The checksum field is the !:-bit one)s complement
of the one)s complement sum of all !:-bit words in the header. ?or purposes of
computing the checksum" the alue of the checksum field is ,ero. &ee ;?C7<! for
more information.
&anity
There is a sanity check before each firewall chain" but the check before the input
chain is the most important. &ome malformed packets might confuse the rule-
checking code" and these are denied here Aa message is printed to the syslog if this
happensB.
I3P4T
- 992 -
Let)s say a packet arries at eth." has a correct checksum" and the sanity is ok too.
The packet then enters the I3P4T chain and is accepted" re'ected or denied. The
difference between deny and re'ect lies in the response sent to the sender of the
packet. In case of deny" the sender is neer notified" in case of re'ect" the sender is
notified if the packet was not an IC@P packet.
*emas+uerade
In case mas+uerading is used" this is the step where the opposite is done.
$fterward" the demas+ueraded packet goes directly to the %4TP4T chain. If
mas+uerading isn)t used" the packet goes into the routing decision process.
;outing decision
/ere it is decided" based on the destination of the packet" if the packet should go
to a local process on the same machine or to a process on another machine" in
which case the packet is sent to the ?%;-$;* chain.
Local Process
This can be any local process that can accept and send packets.
?%;-$;*
$ll packets arriing at this machine that are destined for another machine go
through the ?%;-$;* chain and are accepted" denied or re'ected.
%4TP4T
$ll packets that go out an interface pass through the %4TP4T chain and are
accepted" denied or re'ected.
"he (irm>s netork ith IPC)/IN+
The best way to secure things is to define what is allowed" consider eerything else to be
not allowed and see to it that what is not allowed is not possible.
/ow does this reflect on the usage of IPC/$I3& > (efore explaining things" let)s make a
few functional assumptions in relation to the ?irm)s network#
o -e are running a nameserer on @achine 2
o Packets from @achines !-9 aimed at the outside world are mas+ueraded by
@achine 2 and forwarded.
o -e can ping machines on our local net as well as machines in the outside world"
but we ourseles do not respond to any pings from the outside world" i.e." arriing
at our eth! interface.
- 999 -
o -e are participating in a distributed.net pro'ect# rc5:2 cracking. -e are running a
proxy on @achine 2 that communicates with a serer on the Internet. @achines
!-9 get their data from the proxy serer and send their computed results to the
proxy serer.
o %f course we also want to be able to iew web-pages with http and https.
?irst" we delete all rules for all built-in chains#
+ ipc2ains 6I input
+ ipc2ains 6I 5or>ard
+ ipc2ains 6I output

Then we delete all user-defined chains#
+ ipc2ains 6K

The we tell ipchains to *D3L all traffic#
+ ipc2ains 6F input D:HN
+ ipc2ains 6F 5or>ard D:HN
+ ipc2ains 6F output D:HN

The next thing to do is allow traffic on a need basis. Let)s start with forwarding#
+ ec2o # A /proc/s!s/net/ip-4/ip"5or>ard

-e trust eerything coming from the local @achines !-9. @achine 2 receies this on its
eth. interface A!<2.!:8...!B and thus the ipchains commands needed are#
+ ipc2ains 6; input 6i et2$ 67 ;DD:FL
+ ipc2ains 6; output 6i et2$ 67 ;DD:FL

The same goes for the lo interface. -ithout this definition" certain serices" such as a
caching *3& &erer" will not function correctly#
+ ipc2ains 6; input 6i lo 67 ;DD:FL
+ ipc2ains 6; output 6i lo 67 ;DD:FL

-e want to be able to iew web-pages. This is done ia either the http or the https
protocol which use port 8. and port 229 respectiely#
+ ipc2ains 6; output 6i et2# 6p tcp 66dport '$ 67 ;DD:FL
+ ipc2ains 6; input 6i et2# 6p tcp 66sport '$ 67 ;DD:FL Q 6!
+ ipc2ains 6; output 6i et2# 6p tcp 66dport 44% 67 ;DD:FL
- 992 -
+ ipc2ains 6; input 6i et2# 6p tcp 66sport 44% 67 ;DD:FL Q 6!
+ ipc2ains 6; 5or>ard 6p tcp 6i et2# 6s #&2.#6'.$.$/24 66dport '$ 67
M;S_
+ ipc2ains 6; 5or>ard 6p tcp 6i et2# 6s #&2.#6'.$.$/24 66dport 44% 67
M;S_

-e also want to enable our *3&" running on @achine 2" to do re+uests on other
nameserers" *3& uses port 59 for sending the +ueries and for receiing the answers to
the +ueries#
+ ipc2ains 6; output 6i et2# 6p udp 66dport (% 67 ;DD:FL
+ ipc2ains 6; input 6i et2# 6p udp 66sport (% 67 ;DD:FL

?or the rc5:2 proxyserer running on @achine 2 which uses port 2.:2 to receie new
and send computed keys" we need the following two lines#
+ ipc2ains 6; output 6i et2# 6p tcp 66dport 2$64 67 ;DD:FL
+ ipc2ains 6; input 6i et2# 6p tcp 66sport 2$64 67 ;DD:FL Q 6!

-e want to be able to ping hosts on the Internet. This is done with so-called IC@P
packets. IC@P stands for Internet Control @essage Protocol. IC@P messages are sent in
seeral situations# for example" when a datagram cannot reach its destination" when the
gateway does not hae the buffering capacity to forward a datagram or when the gateway
can direct the host to send traffic on a shorter route. There are seeral IC@P types.
Typing ipchains @h ic#p will show you which types are alid#
L!pe Dode Description
$ $ ec2o6repl! (pong)
% destination6unreac2able
$ net>or,6unreac2able
# 2ost6unreac2able
2 protocol6unreac2able
% port6unreac2able
4 5ragmentation6needed
( source6route65ailed
6 net>or,6un,no>n
0 2ost6un,no>n
& net>or,6pro2ibited
#$ 2ost6pro2ibited
## LGS6net>or,6unreac2able
#2 LGS62ost6unreac2able
#% communication6pro2ibited
#4 2ost6precedence6-iolation
#( precedence6cuto55
4 $ source6Suenc2
( redirect
$ net>or,6redirect
# 2ost6redirect
2 LGS6net>or,6redirect
% LGS62ost6redirect
- 995 -
' $ ec2o6reSuest (ping)
& $ router6ad-ertisement
#$ $ router6solicitation
## time6exceeded (ttl6exceeded)
$ ttl6zero6during6transit
# ttl6zero6during6reassembl!
#2 parameter6problem
$ ip62eader6bad
# reSuired6option6missing
#% $ timestamp6reSuest
#4 $ timestamp6repl!
#0 $ address6mas,6reSuest
#' $ address6mas,6repl!

(ecause we want to be able to ping hosts on the Internet" we need to allow outgoing
echo-re+uest or ping. &ince we also want to be able to receie the answers to a ping" we
must allow incoming echo-reply or pong#
+ ipc2ains 6; output 6i et2# 6p icmp 66icmp6t!pe ping 67 ;DD:FL
+ ipc2ains 6; input 6i et2# 6p icmp 66icmp6t!pe pong 67 ;DD:FL

-e also allow incoming and outgoing destination-unreachable IC@P messages on both
the internal Aeth.B interface and the external Aeth!B interface. These occur if a datagram
can)t be deliered to its destination.
+ ipc2ains 6; input 6p icmp 66icmp6t!pe destination6unreac2able 67
;DD:FL
+ ipc2ains 6; output 6p icmp 66icmp6t!pe destination6unreac2able 67
;DD:FL

If a gateway hasn)t got the buffer space needed to +ueue the datagrams for output to the
next network on the route to the destination network" it discards Internet datagrams and
sends source-s+uench messages. %n receipt of a source-+uench message" the source host
should cut back the rate at which it is sending traffic to the specified destination until it
no longer receies source-+uench messages from the gateway.
&o we must also allow incoming and outgoing source-+uench messages on both the
internal Aeth.B interface and the external Aeth!B interface.
+ ipc2ains 6; input 6p icmp 66icmp6t!pe source6Suenc2 67 ;DD:FL
+ ipc2ains 6; output 6p icmp 66icmp6t!pe source6Suenc2 67 ;DD:FL

-e do not allow redirect messages because this is not applicable in our situation. This
kind of message is used to tell a host that there is a shorter route to a network ia another
gateway. -e only hae one gateway" @achine 2" so there is no need for it.
- 99: -
-e do not allow router-adertisement and router-solicitation messages. These messages
enable hosts attached to multicast or broadcast networks to discoer the IP addresses of
their neighboring routers. ?or more information" consult ;?C!25:.
*atagrams contain a field called TTL" which stands for Time To Lie. This field is
decremented by each gateway the datagram passes through. If a gateway sees that the
alue of the TTL field is ,ero" it will discard the datagram and notify the source of this
situation by means of an IC@P time-exceeded message. -e allow both incoming and
outgoing IC@P time-exceeded messages on all interfaces#
+ ipc2ains 6; input 6p icmp 66icmp6t!pe time6exeeded 67 ;DD:FL
+ ipc2ains 6; output 6p icmp 66icmp6t!pe time6exeeded 67 ;DD:FL

If a datagram is discarded by a host or gateway because it can)t be processed due to a
problem with the header parameters" the host or gateway will send an IC@P parameter-
problem message. -e allow both incoming and outgoing IC@P parameter-problem
messages on all interfaces#
+ ipc2ains 6; input 6p icmp 66icmp6t!pe parameter6problem 67 ;DD:FL
+ ipc2ains 6; output 6p icmp 66icmp6t!pe parameter6problem 67 ;DD:FL

-e are also not interested in timestamp-re+uest and timestamp-reply messages. ?or more
information" consult ;?C7<2.
$ host can use IC@P address-mask-re+uest messages to ask for the address mask of a
certain machine. IC@P address-mask-reply messages are used to transmit the answer to
the re+uest. &ee ;?C<5. for more information if you)re interested. -e don)t allow these
type of messages because we don)t need them.
?inally" we must allow the mas+uerading of any IC@P packet. $s a result of the rules
mentioned aboe" Jany IC@P packetK can only be one of the packets we allow#
+ ipc2ains 6; 5or>ard 6p icmp 6i et2# 6s #&2.#6'.$.$/24 67 M;S_

Lou don)t hae to know all icmp-types by heart. I)e described them to point out that
more happens than meets the eye. These topics are described in-depth in the ;?C)s 7<2"
<5." and !25:" which are aailable from multiple sources on the Internet.
IP"/$L3+& an overvie
;hat is itI
Linux kernels as of ersion 2.9.!5 support a new framework designed for packet filtering
called JnetfilterK which must be compiled into the kernel. This is done by selecting
J3etworking options --]K which brings you to the J3etworking optionsK page. Dnabling
- 997 -
the option J3etwork packet filteringK sets C%3?I6F3DT?ILTD; to JLK and adds the
JIP# 3etfilter Configuration --]K option to the page. &electing this option takes you to the
JIP# 3etfilter ConfigurationK page. Lou should at least enable the JConnection tracking
AC%3?I6FIPF3?FC%33T;$C0BK and the JIP tables support
AC%3?I6FIPF3?FIPT$(LD&BK. The latter adds a lot of options from which you should
at least enable JConnection state match support AC%3?I6FIPF3?F@$TC/F&T$TDBK"
JPacket ?iltering AC%3?I6FIPF3?F?ILTD;BK and J?ull 3$T
AC%3?I6FIPF3?F3$TBK.
The user space tool ipta*les is used to tell the JnetfilterK code in the kernel which packets
to filter.
5etfilter JhooksK
$s the figure aboe shows" netfilter supports fie different hooks in the protocol stack.
Imagine for a moment that packets pass through a tube. $ hook is a part in the tube"
where an additional piece of tube can be inserted. In this piece of tube works a little man
who examines and changes when needed" eery passing packet based on his 'ob
description" the so called JrulesK. The little man reports to his boss" netfilter" what to do
with the packet.
"here are fi+e possi*le actionsA
3?F$CCDPT
Continue traersal as normal.
3?F*;%P
*rop the packet and don)t continue traersal.
3?FH4D4D
Hueue the packet for userspace handling.
- 998 -
3?F;DPD$T
Call this hook again.
3?F&T%LD3
I)e taken oer the packet" don)t continue traersal.
"a*les an) Chains
(y default fie chains and three tables are supported. $s the figure below shows" certain
chains are only alid for certain tables.
"a*le 12.1. Nali) chains per ta*le
C/$I3
P;D;%4TI36 I3P4T ?%;-$;* %4TP4T P%&T;%4TI36
T$(LD
@$36LD C C
3$T C C C
?ILTD; C C C
"he JfilterK ta*le
The filter table is used for filtering packets. The filter table contains three chains. The
I3P4T chain is used for all packets that are for the firewall. The ?%;-$;* chain is
used for all packets that come from outside the firewall and are destined for another
machine. The %4TP4T chain is used for all packets generated by the firewall.
"he JnatK ta*le
The nat table is used for 3etwork $ddress Translation. The nat table contains three
chains. The P;D;%4TI36 chain is the first used to alter packets. The %4TP4T chain is
used to alter packets generated by the firewall. The P%&T;%4TI36 chain is the last
chain where packets can be altered as they leae the firewall.
"he J#angleK ta*le
The mangle table is used to mangle packets. -e can change seeral things but we can)t
do mas+uerading or network address translation here. The mangle table contains two
chains. The P;D;%4TI36 chain is the first chain alter packets. The %4TP4T chain is
used to alter packets generated by the firewall.
- 99< -
Connection trackingA (tateful -irewalling
?irewalls that are able to do connection tracking are called &tateful ?irewalls. -hat it
comes down to is that connections are tracked by remembering what Atype ofB packets
hae been receied and sent.
Incoming packets in response to a ping" for instance" can be accepted by the firewall
because the firewall knows that we)e caused this ourseles by doing the ping in the first
place.
The ipta*les option used for connection tracking is the J--stateK option.
"he #anual page )escri*es this as followsA
state
This module" when combined with connection tracking" allows access to the
connection tracking state for this packet.
--state state
-here state is a comma-separated list of the connection states to match.
Possi*le states areA
I3C$LI*
The packet is associated with no known connection.
D&T$(LI&/D*
The packet is associated with a connection which has seen packets in both
directions.
3D-
The packet has started a new connection" or otherwise associated with a
connection which has not seen packets in both directions.
;DL$TD*
The packet is starting a new connection" but is associated with an existing
connection" such as an ?TP data transfer or an IC@P error.
"here are two #o)ules for connection trackingA
- 92. -
ip"conntrac,
The main connection-tracking code.
ip"conntrac,"5tp
$dditional code needed to track ftp connections" both actie and passie.
Conntrack hooks in at P;D;%4TI36" ?%;-$;*" %4TP4T and P%&T;%4TI36.
HooksH "a*les an) Chains put together
Putting what we)e discussed so far into one picture#
- 92! -
1))ing extra functionality
#dding targets
Dach rule specifies what to do with a packet matching the rule. The Jwhat-to-doK part is
called the target. &tandard targets always present are#
$CCDPT means let the packet through.
*;%P means throw the packet on the floor
H4D4D means pass the packet to user space.
;DT4;3 means stop traersing this chain and resume at the next rule in the preious
calling chain. If the end of a built-in chain is reached or a rule in a built-in chain with
target ;DT4;3 matches the packet" the target specified in the chain policy determines
the fate of the packet.
Included in the standard distribution are a number of target extensions for which support
in the kernel must be enabled if you wish to use them. Consult the man page of ipta*les
for further details. @ost of these targets hae options. The extension L%6 for instance"
has the following fie options# J--log-leelK" J--log-prefixK" J--log-tcp-se+uenceK" J--log-
tcp-optionsK" J--log-ip-optionsK. Please consult the man page for details on options per
target.
"he exten)e) target #o)ules inclu)e) in the )istri*ution areA
L%6
Turn on kernel logging of matching packets. -hen this option is set for a rule" the
Linux kernel will print some information on all matching packets Asuch as most IP
header fieldsB ia printkAB.
@$;0
This is used to set the netfilter mark alue associated with the packet. It is only
alid in the mangle table.
;DRDCT
This is used to send back an error packet in response to the matched packetQ
otherwise" it is e+uialent to *;%P. This target is only alid in the I3P4T"
?%;-$;* and %4TP4T chains and user-defined chains which are only called
by those chains.
T%&
- 922 -
This is used to set the 8-bit Type of &erice field in the IP header. It is only alid
in the mangle table.
@I;;%;
This is an experimental demonstration target which inerts the source and
destination fields in the IP header and retransmits the packet. It is only alid in the
I3P4T" ?%;-$;* and %4TP4T chains and user-defined chains which are
only called by those chains.
&3$T
This target is only alid in the the P%&T;%4TI36 chain of the nat table. It
specifies that the source address of the packet should be modified Aand all future
packets in this connection will also be mangledB" and rules should cease being
examined.
*3$T
This target is only alid in the P;D;%4TI36" %4TP4T and user-defined chains
Awhich are only called by those chainsB of the nat table. It specifies that the
destination address of the packet should be modified Aand all future packets in this
connection will also be mangledB" and rules should cease being examined.
@$&H4D;$*D
This target is only alid in the P%&T;%4TI36 chain of the nat table. It should
only be used with dynamically assigned IP AdialupB connections# if you hae a
static IP address" you should use the &3$T target. @as+uerading is e+uialent to
specifying a mapping to the IP address of the interface the packet is going out" but
also has the effect that connections are forgotten when the interface goes down.
This is the correct behaiour when the next dialup is unlikely to hae the same
interface address Aand hence any established connections are lost anywayB.
;D*I;DCT
This target is only alid in the P;D;%4TI36" %4TP4T and user-defined chains
Awhich are only called by those chainsB of the nat table. It alters the destination IP
address to send the packet to the machine itself Alocally-generated packets are
mapped to the !27.....! addressB.
#dding matching modules
Dach rule specifies what to do with a packet matching that rule. The JmatchK part is
implemented by packet matching modules. @ost of these modules support options.
Please consult the man page for detailed information on the options.
- 929 -
"he following #o)ules are inclu)e) in the )istri*utionA
tcp
These extensions are loaded if J--protocol tcpK is specified" and no other match is
specified.
udp
These extensions are loaded if J--protocol udpK is specified" and no other match is
specified.
icmp
This extension is loaded if J--protocol icmpK is specified" and no other match is
specified.
mac
@atch source @$C address. It must be of the form PP#PP#PP#PP#PP#PP.
3ote that this only makes sense for packets entering the P;D;%4TI36"
?%;-$;* or I3P4T chains for packets coming from an ethernet deice.
limit
This module matches at a limited rate using a token bucket filter# it can be used in
combination with the L%6 target to gie limited logging. $ rule using this
extension will match until this limit is reached Aunless the JGK flag is usedB.
multiport
This module matches a set of source or destination ports. 4p to !5 ports can be
specified. It can only be used in con'unction with -p tcp or -p udp.
mark
This module matches the netfilter mark field associated with a packet Awhich can
be set using the @$;0 targetB.
owner
This module attempts to match arious characteristics of the packet creator for
locally-generated packets. It is only alid in the %4TP4T chain" and een then
some packets Asuch as IC@P ping responsesB may hae no owner and hence"
neer match.
- 922 -
state
This module" when combined with connection tracking" allows access to the
connection tracking state for this packet.
unclean
This module takes no options" but attempts to match packets which seem
malformed or unusual. This is regarded as experimental.
tos
This module matches the 8 bits of Type of &erice field in the IP header Aie.
including the precedence bitsB.
"he -ir#Gs network with 3P"17L=(
-e all remember The ?irm)s network from the preious section. Let)s isit it again. The
picture below shows The ?irm)s network and the possible combinations of traffic
initiation=destination.
- 925 -
(1! "raffic initiate) *y the -irewall that is )estine) for the 3nternet
-e are running a *3& on the ?irewall that needs to be able to consult other *3&es on
the Internet Awhich use the 4*P protocol and listen to P%;T 59B. -e want to be able to
use ssh Awhich uses the TCP protocol and port 22B to connect to other systems on the
Internet. -e are participating in a distributed.net pro'ect ;C5:2 cracking and are running
a proxy serer on the ?irewall Awhich uses the TCP protocol and P%;T 2.:2 to
communicate with the keysererB. -e want to be able to ping hosts on the Internet Aping
uses the IC@P protocol and message type JpingKB. The ?irewall communicates with the
Internet through interface eth!. Taking all this into consideration" the ipta*les commands
we need are#
iptables 6t 5ilter 6; GLFL 6o et2# 6p udp 66destination6port dns
/
6m state 66state H:R 67 ;DD:FL
iptables 6t 5ilter 6; GLFL 6o et2# 6p tcp 66destination6port ss2
/
iptables 6t 5ilter 6; GLFL 6o et2# 6p tcp 66destination6port 2$64
/
iptables 6t 5ilter 6; GLFL 6o et2# 6p icmp 66icmp6t!pe ping
/

These four ipta*les commands tell the firewall to allow outgoing connection-
initiali,ation packets for dns" ssh" ;C5:2 cracking and ping.
(2! "raffic initiate) *y the 3nternet that is )estine) for the -irewall
-e want to be able to use ssh" which uses the TCP protocol and port 22" to connect to
our ?irewall from other systems on the Internet. The ipta*les commands we need are#
iptables 6t 5ilter 6; IHFL 6i et2# 6p tcp 66destination6port ss2
/

This ipta*les command tells the firewall to allow incoming connection initiali,ation
packets for ssh.
(3! "raffic initiate) *y the -irewall that is )estine) for the internal
network
-e want to be able to use ssh" which uses the TCP protocol and port 22" to connect to
one of our internal machines from our ?irewall. The ipta*les commands we need are#
- 92: -
iptables 6t 5ilter 6; GLFL 6o et2$ 6p tcp 66destination6port ss2
/

This ipta*les command tells the ?irewall to allow outgoing &&/ connection initiali,ation
packets destined for a machine on the Internal 3etwork.
($! "raffic initiate) *y the internal network that is )estine) for the
firewall
The machines on the internal network" using the dns of the firewall" must be able to
connect to the firewall using ssh" are processing ;C5:2 keys" must be able to talk to the
proxy on the firewall using port 2.:2 and must be able to ping the ?irewall for system
administratie purposes. The ipta*les commands we need are#
iptables 6t 5ilter 6; IHFL 6i et2$ 6p udp 66destination6port dns
/
iptables 6t 5ilter 6; IHFL 6i et2$ 6p tcp 66destination6port ss2
/
iptables 6t 5ilter 6; IHFL 6i et2$ 6p tcp 66destination6port 2$64
/
iptables 6t 5ilter 6; IHFL 6i et2$ 6p icmp 66icmp6t!pe ping
/

These four ipta*les commands tell the ?irewall to allow incoming connection-
initiali,ation packets for dns" ssh" ;C5:2 cracking and ping.
(,! "raffic initiate) *y the 3nternal 5etwork that is )estine) for the
3nternet
Dery connection from a machine on the internal network to a machine on the Internet is
allowed. The ipta*les commands we need are#
iptables 6t 5ilter 6; IG1R;1D 6i et2$ 6o et2# 6m state 66state H:R 67
;DD:FL

This ipta*les command tells the ?irewall to allow $LL outgoing connection initiali,ation
packets.
- 927 -
(%! "raffic initiate) *y the 3nternet that is )estine) for the 3nternal
5etwork
This does not occur because our local network uses priate IP addresses that can)t be used
on the Internet. %ur local machines aren)t isible from the Internet.
-hat we could do to make one of our machines aailable on the Internet is to let people
connect to a certain port on the firewall and use 3$T to redirect them to a port on one of
the machines on the Internal 3etwork.
&uppose @achine 2 has a web-serer Aor some other programB running which listens to
port 2925 and people from the outside must be able to connect to that program. &ince The
?irm is using priate IP addresses for their Internal 3etwork" @achine 2 is not isible on
the Internet. The solution here is to tell @achine 2 that all data from the outside that is
aimed at port 8. should be routed to port 2925 on @achine 2. The ipta*les commands we
need are#
iptables 6t nat 6; F1:1GLIHJ 6i et2# 6p tcp 66destination6port '$
/
67 DH;L 66to6destination #&2.#6'.$.##.2%4(
iptables 6t 5ilter 6; IG1R;1D 6i et2# 6p tcp 66destination6port 2%4(
/

The first line changes the destination address and port. &ince this then becomes traffic
aimed at another machine" the traffic must pass the ?%;-$;* filter. The second line
sees to it that that happens.
(T! "raffic as a result of initiate) traffic
&o far" we)e only specified that connection initiation traffic is allowed" but that is not
enough. -e also must allow D&T$(LI&/D* and ;DL$TD* traffic.
Let)s tell the firewall that all D&T$(LI&/D* and ;DL$TD* traffic" regardless of type"
interface etc. is allowed. -e must also allow the initiation of traffic on the firewalls lo
interface because otherwise some serices" such a a caching *3& serer" will not work.
-e need the following ipta*les commands to reali,e this#
iptables 6t 5ilter 6; IHFL 6m state 66state :SL;=MISY:DO1:M;L:D 67
;DD:FL
iptables 6t 5ilter 6; IG1R;1D 6m state 66state :SL;=MISY:DO1:M;L:D 67
;DD:FL
iptables 6t 5ilter 6; GLFL 6m state 66state :SL;=MISY:DO1:M;L:D 67
;DD:FL
iptables 6t 5ilter 6; IHFL 6m state 66state H:R 6i lo 67
;DD:FL

- 928 -
;emember that this can)t be a problem because the packets are a result of the fact that
we)e accepted the initiation of the connection in the first place.
1ll iptables co##an)s put together
$dding stuff to start with a clean sheet and telling the firewall to mas+uerade packets
from the internal network aimed at the Internet can be accomplished with the following
commands#
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++
+ IMSY ;MM 1M:S IH LY: M;HJM:O H;L ;HD IIML:1 L;=M:S
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++
iptables 6t mangle 6I
iptables 6t nat 6I
iptables 6t 5ilter 6I
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++
+ D:M:L: ;MM S:16D:IIH:D (HGL =IML6IH) DY;IHS IH LY: L;=M:S
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++
iptables 6t mangle 6K
iptables 6t nat 6K
iptables 6t 5ilter 6K
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++
+ S:L ;MM FGMIDI:S IG1 ;MM =IM6IH DY;IHS LG D1GF
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++
iptables 6F IHFL D1GF
iptables 6F IG1R;1D D1GF
iptables 6F GLFL D1GF
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++
+ (#) L1;IIID IHILI;L:D =N LY: II1:R;MM D:SLIH:D IG1 LY: IHL:1H:L
+ DHSO SSYO 1D(64O FIHJ
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++
+ ;MMGR IHILI;LIGH =N LY: II1:R;MM
iptables 6t 5ilter 6; GLFL 6o et2# 6p udp 66destination6port dns
/
/
iptables 6t 5ilter 6; GLFL 6o et2# 6p tcp 66destination6port 2$64
/
iptables 6t 5ilter 6; GLFL 6o et2# 6p icmp 66icmp6t!pe ping
/
- 92< -
+ ;MMGR IHDGMIHJ 1:SFGHS:S
iptables 6t 5ilter 6; IHFL 6i et2#
/
6m state 66state :SL;=MISY:DO1:M;L:D 67 ;DD:FL
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++
+ (2) L1;IIID IHILI;L:D =N LY: GLSID: D:SLIH:D IG1 LY: II1:R;MM
+ SSY
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++
+ ;MMGR IHILI;LIGH
iptables 6t 5ilter 6; IHFL 6i et2# 6p tcp 66destination6port ss2
/
+ ;MMGR 1:SFGHS:
/
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++
+ (%) L1;IIID IHILI;L:D =N LY: II1:R;MM D:SLIH:D IG1 LY: IHL:1H;M
H:LRG1K
+ SSY
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++
+ ;MMGR IHILI;LIGH
iptables 6t 5ilter 6; GLFL 6o et2$ 6p tcp 66destination6port ss2
/
+ ;MMGR 1:SFGHS:
/
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++
+ (4) L1;IIID IHILI;L:D =N LY: IHL:1H;M H:LRG1K D:SLIH:D IG1 LY:
II1:R;MM
+ DHSO SSYO 1D(64O FIHJ
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++
+ ;MMGR IHILI;LIGH
iptables 6t 5ilter 6; IHFL 6i et2$ 6p udp 66destination6port dns
/
/
iptables 6t 5ilter 6; IHFL 6i et2$ 6p tcp 66destination6port 2$64
/
iptables 6t 5ilter 6; IHFL 6i et2$ 6p icmp 66icmp6t!pe ping
/
- 95. -
+ ;MMGR 1:SFGHS:
iptables 6t 5ilter 6; GLFL 6o et2$
/
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++
+ (() L1;IIID IHILI;L:D =N LY: IHL:1H;M H:LRG1K D:SLIH:D IG1 LY: GLSID:
+ :P:1NLYIHJ R: D;H IHILI;L: IS ;MMGR:D
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++
+ ;MMGR IHILI;LIGH GI :P:1NLYIHJ
iptables 6t 5ilter 6; IG1R;1D 6i et2$ 6o et2#
/
+ ;MMGR 1:D:FLIGH
iptables 6t 5ilter 6; IG1R;1D 6i et2# 6o et2$
/
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++
+ (6) L1;IIID IHILI;L:D =N LY: GLSID: D:SLIH:D IG1 LY: IHL:1H;M H:LRG1K
+ ;MM IG1=IDD:HO :KD:FL R:=S:1P:1 IG1R;1DIHJ LG IHL:1H;M M;DYIH:
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++
+ ;MMGR D:SLIH;LIGH H;L I1GM II1:R;MM.'$ LG IHL:1H;M M;DYIH:.2%4(
iptables 6t nat 6; F1:1GLIHJ 6i et2# 6p tcp 66destination6port '$
/
67 DH;L 66to6destination #&2.#6'.$.##.2%4(
iptables 6t 5ilter 6; IG1R;1D 6i et2# 6p tcp 66destination6port 2%4(
/
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++
+ (Q) L1;IIID ;S ; 1:SML GI IHILI;L:D L1;IIID
+ ;MM ;MMGR:D
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++
+ ;MMGR ;MM F;DK:LS 1:SMLIHJ I1GM ;MMGR:D DGHH:DLIGHS
iptables 6t 5ilter 6; IHFL 6m state 66state :SL;=MISY:DO1:M;L:D 67
;DD:FL
iptables 6t 5ilter 6; IG1R;1D 6m state 66state :SL;=MISY:DO1:M;L:D 67
;DD:FL
iptables 6t 5ilter 6; GLFL 6m state 66state :SL;=MISY:DO1:M;L:D 67
;DD:FL
iptables 6t 5ilter 6; IHFL 6m state 66state H:R 6i lo 67
;DD:FL
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++
+ M;S_:1;D: F;DK;J:S I1GM G1 IHL:1H;M H:LRG1K D:SLIH:D IG1 LY:
IHL:1H:L
+ LYIS IS SH;L (SG1D: H;L)
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++
- 95! -
iptables 6t nat 6; FGSL1GLIHJ 6i et2$ 6o et2# 6s #&2.#6'.$.$/24 67
M;S_:1;D:
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++
+ :H;=M: IG1R;1DIHJ
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++
ec2o # A /proc/s!s/net/ip-4/ip"5or>ard

+aving /nd !estoring (ireall !ules
?irewall rules can be saed and restored easily by using the commands ipchains@sa+e"
which writes to stdout and ipchains@restore" which reads from stdin. $ssuming we
use the file 5>rules.sa-ed to sae=restore the rules" the two commands are#
ipc2ains6sa-e A 5>rules.sa-ed
ipc2ains6restore ? 5>rules.sa-ed

&imilar commands exist for ipta*les#
iptables6sa-e A 5>rules.sa-ed
iptables6restore ? 5>rules.sa-ed

Denial of +ervice ,D1+. attacks
;hat they are
*o& attackers misuse the fact that resources on the Internet are limited and that serices
can be disrupted by taking away Aone ofB their resources# storage-capacity" bandwith or
processor-capacity. This is done by Jpacket floodingK.
Packet flooding can be done with TCP" IC@P and 4*P.
-hen using TCP mostly the &L3" $C0 and ;&T flags are used.
-hen using IC@P" the message types echo re+uest and echo reply are used. This is
called Jping-floodingK.
-hen using 4*P" the chargen and echo 4*P serices are used.
$lso" two systems can be played out against each other by a third system. The third
system changes the source IP-address of the packages it sends to the first system to that
of the second system. The first system then thinks the packets came from the second
system and starts sending replies to the second system. This method is called J*o& with
IP address spoofingK.
- 952 -
Check the site http#==www.cert.org= for a complete history of *o& and **os A*istributed
*o&B attacks. $nd hae a look at ;?C2827 which describes 3etwork Ingress ?iltering" a
method to preent IP address spoofing. This doesn)t preent *o& attacks but makes it
possible to trace the real IP address of the offender.
;hat to )o against the#
It is not possible to fully preent *o& attacks without disconnecting from the Internet.
-hat you can do to minimi,e the effects of *o& and **o& attacks is apply some packet
filtering and rate limiting rules to the firewall.
!outed
;hat it is
route) is a program that can automatically ad'ust routing tables based on changes in the
network.
;hen to use it
If there are multiple possible paths to a certain destination" and you want an alternate
route to that destination to be selected automatically Ain case the default route to that
destination is not usable for some reasonB the route) program can do this for you
automatically.
Port+entry; Preventing port scans
4escription
'ort4entr( is part of the $bacus Pro'ect suite of security tools. It is a program designed to
detect and respond to port scans against a target host in real-time. &ome of its more useful
features include#
o ;uns on TCP and 4*P sockets to detect port scans against your system.
Port&entry is configurable to run on multiple sockets at the same time so you only
need to start one copy to coer do,ens of tripwired serices.
o &tealth scan detection ALinux only right nowB. Port&entry will detect &L3=half-
open" ?I3" 34LL" P-@$& and oddball packet stealth scans. ?our stealth scan
operation modes are aailable for you to choose from.
o Port&entry will react to a port scan attempt by blocking the host in real-time. This
is done through configured options of either dropping the local route back to the
attacker" using the Linux ipfwadm=ipchains command" ^(&* ipfw command and=
or dropping the attacker host IP into a TCP -rappers hosts.deny file
automatically.
- 959 -
o Port&entry has an internal state engine to remember hosts that connected
preiously. This allows the setting of a trigger alue to preent false alarms and
detect JrandomK port probing.
o Port&entry will report all iolations to the local or remote syslog daemons
indicating the system name" time of attack" attacking host IP and the TCP or 4*P
port a connection attempt was made to. -hen used in con'unction with Logcheck
it will proide an alert to administrators through e-mail.
o %nce a scan is detected your system will turn into a black hole and disappear from
the attacker. This feature stops most attacks cold.
3nstallation an) Configuration
$fter you)e downloaded the correct ersion" and untarred it" you)e got a directory
portsentr!6x.! which contains the portsentry files and some ;D$*@D files. The
information below comes from those ;D$*@D files.
The first thing to do is erify Aand change if appliccableB the contents of the
portsentr!"con5ig.2 file#
o C%3?I6F?ILD - The path to the Port&entry configuration file.
o -;$PPD;F/%&T&F*D3L - The path and name of TCP wrapper hosts.deny
file.
o &L&L%6F?$CILITL - The syslog facility for Port&entry to use.
o &L&L%6FLDCDL - The syslog leel to send messages.
The second thing to do is erify Aand change if appliccableB the contents of the
portsentr!.con5 file#
o TCPFP%;T& - $ comma delimited string of TCP ports you want Port&entry to
listen to. This string C$33%T hae any spaces in it. Lou can list as many
sockets as you would like. Port&entry will try to bind them all up until the default
limit of :2.
o 4*PFP%;T& - The same as aboe" except for 4*P ports. Lou need to be ery
careful with 4*P mode as an attacker can forge a port sweep and make you block
any number of hosts. 4se this option with caution or not at all if your host is a
well-known Internet connected system.
o $*C$3CD*FP%;T&FTCP - $ alue indicating the highest port number to
monitor down from. $ny port ^below^ this number is then monitored. The default
is !.22 Aresered port rangeB" but can be as large as :5595 Asystem maxB. I don)t
recommend going oer !.22 with this option.
o $*C$3CD*FP%;T&F4*P - &ame as aboe" except for 4*P.
o $*C$3CD*FDPCL4*DFTCP - $ comma delimited string of TCP ports that
should be manually excluded from monitoring in $danced mode. These are
normally ports that may get hit by mistake by remote clients and shouldn)t cause
alarms Aident" &&L" etcB.
o $*C$3CD*FDPCL4*DF4*P - &ame as aboe" except for 4*P.
- 952 -
o I63%;DF?ILD - The path to the file that contains IP addresses of hosts you want
to always be ignored. This will be explained later.
o (L%C0D*F?ILD - The path to the file that contains the IP addresses of blocked
hosts.
o ;D&%LCDF/%&T - This option turns off *3& resolution for hosts. If you hae a
slow *3& serer it may be more effectie to turn off resolution.
o (L%C0F4*P - This option disables all automatic responses to 4*P probes.
(ecause 4*P can be easily forged" it may allow an attacker to start a denial of
serice attack against the protected host" causing it to block all manner of hosts
that should normally be left alone. &etting this option to J.K will disable all
responses" although the connects are still logged. This option is mainly useful for
Internet exposed hosts. ?or internal hosts you should leae this enabled. If
someone internally is firing spoofed packets at you" then you hae a much bigger
problem than a denial of serice.
o (L%C0FTCP - &ame as aboe" but for TCP. Packet forgery is not as big a
problem though because Port&entry waits for a full connect to occur and this is
much harder to forge in the basic modes. Leae this enabled" een for Internet
connected hosts. ?or stealth-scan detection modes" the 4*P warning applies#
4sing packet forgery" an attacker can cause you to incorrectly block hosts.
o 0ILLF;%4TD - This is the command to drop the offending route if an attack is
detected. This is the ^full path^ to the route command along with the necessary
parameters to make the command work. The macro UT$;6DTU will be
substituted with the attacking host IP and is ;DH4I;D* in this option. Lour
gateway should be a ^dead host^ on the local subnet. %n some systems" you can
'ust use the localhost address A!27.....!B and it will probably work. $ll packets
from the target host will be routed to this address" so be carefulG. @ore modern
route commands will include a J-blackholeK or J-re'ectK flag. Check the man
pages and" if your route command supports this feature" you should use it
Aalthough we recommend using packet filtering instead" see belowB.
o 0ILLF/%&T&F*D3L - This is the format of the string to drop into the
2osts.den! file that TCP wrapper uses. $gain the UT$;6DTU macro is
expanded out to be the IP of the attacker and is re+uired. Lou can also drop in any
TCP wrapper escape codes AMh" twist" etcB. The macro UP%;TU will substitute
the port hit by the attacker" but this is 3%T re+uired for this option. The macro
U@%*DU reports which mode the blocking occurred Atcp" udp" stcp" sudp" atcp"
audpB" but is also 3%T re+uired.
o 0ILLF;43FC@* - This is a command to run ^before^ the route is dropped to
the attacker. Lou can put in any program=script you want executed when an attack
is detected. 'utting in retaliator( actions against an attacking host is not
recommended . Cirtually eery time you)re are port scanned" the host doing the
scanning has been compromised itself. Therefore" if you retaliate" you are
probably attacking an innocent party. $lso the goal of security is to make the
person 6% $-$L. Lou don)t want to irritate them into making a personal
endetta against you. ;emember" een a !9 year old can run a Winsert faorite
*.%.&. program hereX attack against you from their -indows box to make your
- 955 -
life miserable. $s aboe" the UT$;6DTU" UP%;TU and U@%*DU macros are
aailable to you" but they are not re+uired with this option.
o 0ILLF;43FC@*F?I;&T - &etting this to J.K tells the command aboe to run
before the route is dropped. &etting it to J!K makes the command run after the
blocking has occurred.
o &C$3FT;I66D; - Port&entry has a state engine that will remember hosts that
hae connected to it. &etting this alue will tell Port&entry to allow P number of
grace port hits before it reacts. This will detect both se+uential and random port
sweeps. The default is . which will react immediately. $ setting of ! or 2 will
reduce false alarms" anything higher is probably too much as anything more than
9 hits to different ports is pretty suspicious behaior. 4sually you can leae this at
. without any problem except in $danced stealth-scan detection modes where
you may create a Jhair triggerK if you aren)t careful. 4se your own discretion.
o P%;TF($33D; - $ text banner you want displayed to the connecting host if the
Port&entry is actiated. Leae this commented out if you don)t want this feature.
If you do use it" try not to taunt the person too much. It is best to keep it
professional and to the point. The banner is ^not^ displayed when stealth scan
detection modes are used.
The third thing to do is to pull the portsentry.ignore file into your editor and add any host
you want ignored if it connects to a tripwired port. This should always contain at least the
localhost A!27.....!B and the IP)s of the local interfaces. It is ^not^ recommended to put
in eery machine IP on your network" but you can use a netmask to do this. The format
for this is#
?IF ;ddressA/?Hetmas, =itsA
#&2.#6'.2.$/24
#&2.#6'.$.$/#6
etc.

It is not recommended to ignore too much. It may be important for you to see who is
connecting to you" een if it is a JfriendlyK machine. This can help you detect internal
host compromises faster. To answer your +uestion# yes" this does happen" and there hae
been cases of administrators ignoring too much and getting hacked by their own
machines as a result.
The fourth thing to do is compile the package. Type #ake and pick your system type and
allow it to build and install. The default directory is /usr/local/psionic/portsentr!.
If you don)t like this directory 'ust edit the Ma,e5ile and make sure your
portsentr!.con5 and portsentr!"con5ig.2 files reflect the new path.
Type #ake install after the build to hae it copy files to your install directory.
- 95: -
The fifth thing to do is start up Port&entry. Port&entry has six modes of operation. 5nl(
one protocol mode t(pe can be started at a time Ai.e." one TCP mode and one 4*P
modeB. The aailable modes are#
portsentry @tcp Abasic port-bound TCP modeB. Port&entry will check the config
files and then bind to all TCP ports in the background. To check the init status"
'ust look in the local syslog file to which messages are sent.
portsentry @u)p Abasic port-bound 4*P modeB. Port&entry will check the config
files and then bind to all 4*P ports in the background. If you want to check the
init status you" 'ust look in the local syslog to which messages are sent.
4*P=&tealth scan warnings apply Aread# ;D$*@D.stealthB.
portsentry @stcp A&tealth TCP scan detectionB. Port&entry will use a raw socket to
monitor all incoming packets. If an incoming packet is destined for a monitored
port it will react to block the host. This method will detect connectAB scans"
&L3=half-open scans and ?I3 scans. 4*P=&tealth scan warnings apply Aread#
;D$*@D.stealthB.
portsentry @atcp A$danced TCP stealth scan detectionB. Port&entry will start by
making a list of all the ports listening in the port area under the
$*C$3CD*FP%;T&FTCP option and will then create an exclusion list based on
these ports. $ny host connecting to âny port^ in this range that is ^not excluded^
Ai.e." not a listening network daemon W&@TP" /TTP" etc.XB is blocked. This has
some ery powerful implications that you should be aware of# A!B This mode is
the m ost sensitie and the most effectie of all the protection options. It reacts to
port probes with lightning speed because you don)t hae to wait for them to hit a
tripwired port. A2B (ecause it reacts so abruptly" you may cut off legitimate traffic.
$n ?TP site may send an ident re+uest to you. If you are monitoring the ident port
A!!9 TCPB then you hae 'ust cut off the ?TP site you were going toG $s a result
you should put in this list all ports that fall into this situation.
$danced Logic @ode - Port&entry is intelligent about how it monitors ports. ?or
some protocols such as ?TP" the client actually opens up ports in the ephemeral
range A!.22-:5595B and the serer then connects ^back^ to you. This would
normally cause the port scanner to actiate. /oweer" Port&entry will look at the
incoming connection and determine if it is destined for one of these JtemporaryK
bindings. If it is" then the connection is ignored for that one time. $s soon as the
connection is torn down the window closes and full protection is back again. This
is" in fact" a rudimentary stateful inspection engine. 4*P=&tealth scan warnings
apply Aread# ;D$*@D.stealthB.
portsentry @su)p AV&tealthV 4*P scan detectionB. This operates in a manner
similar to the TCP stealth mode aboe. 4*P ports need to be listed and are then
monitored. This does not bind any sockets" and while not really JstealthK scan
detection Adoesn)t usually apply to 4*PB" it operates in a similar manner Areacts to
âny^ 4*P packetB. 4*P=&tealth scan warnings apply Aread# ;D$*@D.stealthB.
portsentry @au)p A$danced J&tealthK 4*P scan detectionB. This is the same as
aboe except for the 4*P protocol. This is a ery adanced option and can cause
false alarms. This is because Port&entry makes no distinction between broadcast
and direct traffic. If you hae a router on your local network putting out ;IP
- 957 -
broadcasts then there is a good chance you will block them. 4se this option with
extreme caution. Lou need to be sure to put exclusions into the
$*C$3CD*FDPCL4*DF4*P line Ai.e." 52. W;IPXB 4*P=&tealth scan warnings
apply Aread# ;D$*@D.stealthB.
3ow we)re ready to test the installation# Tail the local log and you should see seeral
Port&entry initiali,ation messages. $ successful startup looks like this#
Gct & $&.##.%( nemesis portsentr!)#644*. adminalert. portsentr! is
starting.
Gct & $&.##.%6 nemesis portsentr!)#644*. adminalert. Joing into listen
mode on
LDF port. #4%
. . .
Gct & $&.##.%0 nemesis portsentr!)#644*. adminalert. FortSentr! is no>
acti-e
and listening.

The last line indicates the Port&entry is properly initiali,ed" If you don)t see this then
something has failed.
(ecuring -"P ser+ers (2.212.3!
The candidate should be able to configure an anonymous download ?TP serer. This
ob'ectie includes configuring an ?TP serer to allow anonymous uploads" listing
additional precautions to be taken if anonymous uploads are permitted" configuring guest
users and groups with chroot 'ail" and configuring ftpaccess to deny access to named
users or groups.
5tpaccessO 5tpusersO 5tpgroups
/etc/pass>d
c2root
("P server 2ersion ?-571pen$+D7Linu#0ftpd0=-@A
3nstallation
*epending on the Linux distribution you)re running" this can be done in seeral ways
Abuilding from sources" using rpm" using apt-get" using aptitude" etc.B. &ince I)m using the
*ebian distribution" I)e used apt@get#
+ apt6get install 5tpd

To check which files are installed by this command" type#
- 958 -
+ dp,g 66list5iles 5tpd

Creating an JftpK user for anony#ous -"P
$nonymous ?TP allows users to connect to a system without needing a password. There
are two special login names to facilitate this" JanonymousK and JftpK. (oth refer to the
same account )ftp) which we)ll create" including the home directory and subtree needed#
+ adduser 5tp Wcreate user and /2ome/5tp
....
+ c2o>n root.root /2ome/5tp Wma,e it o>ned b! root
+ c2mod ((( /2ome/5tp Wset it un>ritable b! an!oneO allo>
subdirs
+ cd /2ome/5tp
+ m,dir bin etc lib pub Wcreate needed sub directories
+ c2mod (## bin etc lib Wset it un>ritable b! an!one
+ c2mod ((( pub Wset it un>ritable b! an!oneO allo>
subdirs
+ m,dir pub/incoming Wupload director!

The JftpK user will be chroot)ed which means that the root / directory will be remapped
to /2ome/5tp. The command ls is located in the /bin directory which isn)t isible
anymore. ?or this reason the ls command must be copied to the /2ome/5tp/bin directory
and the libraries the ls command needs and which obiously can)t be found either must be
copied to the /2ome/5tp/lib directory#
+ cd /2ome/5tp
+ cp /bin/ls bin/
+ c2mod ### bin/ls Wexecutable onl!

$nd now to the libraries the ls needs#
+ ldd /bin/ls
librt.so.# BA /lib/librt.so.# ($x4$$#e$$$)
libc.so.6 BA /lib/libc.so.6 ($x4$$%$$$$)
libpt2read.so.$ BA /lib/libpt2read.so.$ ($x4$#(%$$$)

-e)ll copy them#
+ cp /lib/librt.so.# lib/
+ cp /lib/libc.so.6 lib/
+ cp /lib/libpt2read.so.$ lib/
+ cp /lib/ld6linux.so.2 lib/
+ c2mod ((( lib/E Wreadable and executable
+ c2o>n root.root lib/E Wma,e t2em all o>ned b! root

- 95< -
If we want to present the anonymous user with a message after a succesful login" we can
do this by editing the /2ome/5tp/etc/motd file.
?inally" should we wish to see owner and group names instead of their numbers" the files
/etc/pass>d and /etc/group must also be copied to the /2ome/5tp/etc directory. The
password field in both files" which is the second field" is not used and should not contain
a real password so we)ll replace it with an asterisk.
+ perl 6ne Ws/\()\.*X.)()\.*E)(..E)3//#E/%/C printCW /etc/pass>d A etc/
pass>d
+ perl 6ne Ws/\()\.*X.)()\.*E)(..E)3//#E/%/C printCW /etc/group A
etc/group

;elco#e #essage for all ftp users
-hen a user connects to the system by means of ftp" the contents of the file
/etc/5tp>elcome is displayed if that file exists#
+ 5tp pug
Donnected to pug.
22$6 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
22$6 + L2is is /etc/5tp>elcome +
22$6 + +
22$6 + +
22$6 + 1egistered users must use t2eir loginname and +
22$6 + pass>ord to be able to access 5iles in t2eir +
22$6 + 2ome directories. +
22$6 + +
22$6 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
22$ pug ILF ser-er (Persion 6.4/Gpen=SD/Minux65tpd6$.#0) read!.
Hame (pug.>illem).

If the file /etc/5tp>elcome doesn)t exist" the following is displayed#
+ 5tp pug
Donnected to pug.
Hame (pug.>illem).

Login #essage for all not chrootGe) users
$fter a succesful login" the contents of the file /etc/motd are displayed if the file exists#
+ 5tp pug
Donnected to pug.
22$6 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
22$6 + +
- 9:. -
22$6 + +
22$6 + +
22$6 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Hame (pug.>illem).
%%# Fass>ord reSuired 5or >illem.
Fass>ord.
2%$6
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
2%$6 + L2is is /etc/motd
+
2%$6 +
+
2%$6 + Relcome to our 5tp ;rc2i-eQ
+
2%$6
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
2%$ ser >illem logged in.
1emote s!stem t!pe is HIK.
sing binar! mode to trans5er 5iles.
5tpA

4irectory specific #essages
$ directory message is a message that tells something about the contents of the directory.
This message" which should be put in the .message file in that directory" only gets
displayed when the user changes to that directory during an ftp session#
5tpA cd lpic2
2($6 L2is director! contains t2e 5iles 5or t2e lpic2 examprep.
2($6
2($ DRD command success5ul.
5tpA

Pre+enting all ftp connections
@ore accurately# Preenting $LL logins. If the file /etc/nologin exists" logging in to
the system is not possible and the contents of the file are displayed#
+ 5tp pug
Donnected to pug.
(%$6
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
(%$6 + L2is is /etc/nologin
+
(%$6 +
+
(%$6 + MGJIHS ;1: HGL F:1MILL:D ;L LY: LIM:
+
- 9:! -
(%$6 +
+
(%$6 + please tr! again later
+
(%$6 +
+
(%$6
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
(%$ S!stem not a-ailable.
5tpA

Pre+enting specific users fro# using ftp
$ user whose name is in the file /etc/5tpusers is not allowed ftp access. The user )root)
for instance is not allowed access. Let)s try to ftp as root anyway and see what happens#
>illem@pug.83 5tp pug
Donnected to pug.
22$6 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
22$6 + +
22$6 + +
22$6 + +
22$6 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Hame (pug.>illem). root
%%# Fass>ord reSuired 5or root.
Fass>ord.
(%$ Mogin incorrect.
Mogin 5ailed.
5tpA

2estricting specific users to their ho#e )irectories
$ user whose name is in /etc/5tpc2root is treated the same as the JanonymousK or
JftpK user# they)re chroot)ed to their home directories" which has the same conse+uences.
ftpaccess an) ftpgroups
The ?TP serer I)e installed" Cersion :.2=%pen(&*=Linux-ftpd-..!7" does not use these
two files.
- 9:2 -
"he %ashington University ("P +erver 2ersion u02-?-@
3nstalling
*epending on the Linux distribution you)re running this can be done in seeral ways
Abuilding from sources" using rpm" using apt-get" using aptitude etc.B. &ince I)m using the
*ebian distribution" I)e used apt@get#
+ apt6get install >u65tpd
Do !ou >ant to set up or update an anon!mous ILF account no>4 )n*
?!A?:nterA
:nter t2e name o5 t2e ILF 2ome director!. )/2ome/5tp* ?:nterA
Do !ou >ant to create a director! 5or user uploads4 )n* ?!A?:nterA
Flease loo, at /etc/>u65tpd/5tpaccess and its manual page 5or
5urt2er in5ormation on 2o> to ma,e /pub/incoming more secure.
;dding s!stem user 5tp...
;dding ne> group 5tp (#$%).
;dding ne> user 5tp (#$%) >it2 group 5tp.
Dreating 2ome director! /2ome/5tp.
;non!mous ILF users >ill onl! see ID and JID numbersO instead o5
namesO because t2e libnss"5iles.so librar! 2asnWt been installed.
It is not installed b! de5aultO since t2ere is no eas! >a! to 5ind
out >2at -ersion >e need to install.
I5 !ou >ant to install it manuall!O it s2ould be placed in /2ome/5tp/lib
o>ned b! rootO and >it2 permissions o5 444 (r66r66r66)

To check which files are installed by this command" type#
+ dp,g 66list5iles >u65tpd

Creating an JftpK user for anony#ous ftp
This user has been created with the command a))ftpuser during the installation of the
serer daemon" which includes the accompanying directory structure. The JftpK user will
operate within a chroot)ed enironment#
+ ls 6l1 /2ome/5tp
/2ome/5tp.
total (
d66x66x66x 2 root root #$24 Dec 6 #&.$0 bin
d66x66x66x 2 root root #$24 Dec 6 #&.$0 etc
d66x66x66x 2 root root #$24 Dec 6 #&.$0 lib
dr6xr6xr6x % root root #$24 Dec 6 #&.## pub
6r>6r66r66 # root root %46 Dec 6 #&.$0 >elcome.msg
- 9:9 -
/2ome/5tp/bin.
total 22$
666x66x66x # root root 4''44 Dec 6 #&.$0 gzip
666x66x66x # root root 4%&%2 Dec 6 #&.$0 ls
666x66x66x # root root #2'0'$ Dec 6 #&.$0 tar
/2ome/5tp/etc.
total %
6r66r66r66 # root root #' Dec 6 #&.$0 group
6r66r66r66 # root root 44 Dec 6 #&.$0 pass>d
6r66r66r66 # root root #0' Dec 6 #&.$0 pat2msg
/2ome/5tp/lib.
total #%04
6r6xr6xr6x # root root &4(2& Dec 6 #&.$0 ld6linux.so.2
6r66r66r66 # root root ##0##&6 Dec 6 #&.$0 libc.so.6
6r66r66r66 # root root #$4044 Dec 6 #&.$0 libpt2read.so.$
6r66r66r66 # root root 2((&6 Dec 6 #&.$0 librt.so.#
/2ome/5tp/pub.
total 2
dr>xr6x6>x 2 root root #$24 Dec 6 #&.$0 incoming
6r>6r66r66 # root root 6 Dec 6 #&.## test.bestand
/2ome/5tp/pub/incoming.
total $

The files /2ome/5tp/etc/group and /2ome/5tp/etc/pass>d are examples and must be
replaced the real ones without real passwords#
+ perl 6ne Ws/\()\.*X.)()\.*E)(..E)3//#E/%/C printCW /etc/pass>d A etc/
pass>d
+ perl 6ne Ws/\()\.*X.)()\.*E)(..E)3//#E/%/C printCW /etc/group A
etc/group

The file >elcome.msg contains the message that is displayed when the anonymous or ftp
user successfully logs in. This is configured in /etc/>u65tpd/5tpaccess as follows#
message />elcome.msg login

The se+uence of messages during a session is#
>illem@pug.83 5tp pug
Donnected to pug.
22$6+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
22$6LYIS IS /etc/>u65tpd/>elcome.msg
22$6con5igured >it2 banner
22$666
22$6RelcomeO arc2i-e user @pug Q
22$6
- 9:2 -
22$6L2e local time is. Iri Dec 0 $#.(6.%' 2$$#
22$6
22$6L2is is an experimental ILF ser-er. I5 2a-e an! unusual problemsO
22$6please report t2em -ia e6mail to ?root@pugA.
22$6
22$6I5 !ou do 2a-e problemsO please tr! using a das2 (6) as t2e 5irst
22$6c2aracter o5 !our pass>ord 66 t2is >ill turn o55 t2e continuation
22$6messages t2at ma! be con5using !our ILF client.
22$6+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
22$6
22$6
22$ con5igured >it2 greeting. pug ILF Ser-er at !our ser-iceQ
Hame (pug.>illem). anon!mous
%%# Juest login o,O send !our complete e6mail address as pass>ord.
Fass>ord.
2%$6+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
2%$6LYIS IS /2ome/5tp/>elcome.msg
2%$6con5igured >it2 message
2%$666
2%$6RelcomeO arc2i-e user anon!mous@pug Q
2%$6
2%$6L2e local time is. Iri Dec 0 $#.(0.$( 2$$#
2%$6
2%$6L2is is an experimental ILF ser-er. I5 2a-e an! unusual problemsO
2%$6please report t2em -ia e6mail to ?root@pugA.
2%$6
2%$6I5 !ou do 2a-e problemsO please tr! using a das2 (6) as t2e 5irst
2%$6c2aracter o5 !our pass>ord 66 t2is >ill turn o55 t2e continuation
2%$6messages t2at ma! be con5using !our ILF client.
2%$6+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
2%$6
2%$ Juest login o,O access restrictions appl!.
1emote s!stem t!pe is HIK.
sing binar! mode to trans5er 5iles.
5tpA

;elco#e #essage for all ftp users
This is configured in the /etc/>u65tpd/5tpaccess in the following manner#
banner /etc/>u65tpd/>elcome.msg

This message will be shown before the user logs in#
3 5tp pug
Donnected to pug.
22$6+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
22$6LYIS IS /etc/>u65tpd/>elcome.msg
22$6
22$6RelcomeO arc2i-e user @pug Q
22$6
22$6L2e local time is. Iri Dec 0 $#.%%.(2 2$$#
22$6
- 9:5 -
22$6L2is is an experimental ILF ser-er. I5 2a-e an! unusual problemsO
22$6please report t2em -ia e6mail to ?root@pugA.
22$6
22$6I5 !ou do 2a-e problemsO please tr! using a das2 (6) as t2e 5irst
22$6c2aracter o5 !our pass>ord 66 t2is >ill turn o55 t2e continuation
22$6messages t2at ma! be con5using !our ILF client.
22$6+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
22$6
22$6
22$ pug ILF ser-er read!.
Hame (pug.>illem).

Login #essage for all not chroote) users
This is configured in the /etc/>u65tpd/5tpaccess file in the following manner#
message />elcome.msg login

The message for the chrooted users is in a file with the same name but must reside in the
root directory of the chrooted user.
4irectory specific #essages
$ directory message is a message that tells something about the contents of the directory.
This message should be put in the file that you specify in /etc/>u65tpd/5tpaccess.
This is done in the following manner#
message .message c>dBE

This means that a file with the name .message is displayed when users enter the
directory containing the file.
Pre+enting all ftp connections
The wu-ftpd daemon does not care if the file /etc/nologin exists. -hether users can ftp
or not is configured in the files /etc/>u65tpd/5tpaccess and /etc/5tpusers.
Pre+enting specific users or groups fro# using ftp
This can be done by adding a username to the file /etc/5tpusers or by adding deny-uid
and=or deny-gid lines to the file /etc/>u65tpd/5tpaccess. Consult the man page for
further details.
- 9:: -
2estricting specific users to their ho#e )irectories
-ith wu-ftpd" there are three types of users# anonymous" guest and real. %nly real users
can moe around the filesystem according to their access priileges. &pecific users can be
restricted to their home directories by defining them as guest users. This is done in the
file /etc/>u65tpd/5tpaccess in the following manner#
guestgroup ?groupnameA )?groupnameA ...*
guestuser ?usernameA )?usernameA ...*

Consult the man page for further details.
/dditional precautions
If you allow users to upload data into an incoming directory" do not allow the creation of
sub-directories in that directory to preent misuse.
(ecure shell (/pen((H! (2.212.$!
The candidate should be able to configure sshd to allow or deny root logins" enable or
disable P forwarding. This ob'ectie includes generating serer keys" generating a user)s
public=priate key pair" adding a public key to a user)s authori,edFkeys file and
configuring ssh-agent for all users. Candidates should also be able to configure port-
forwarding to tunnel an application protocol oer ssh" configure ssh to support the ssh
protocol ersions ! and 2" disable non-root logins during system maintenance" configure
trusted clients for ssh logins without a password and make multiple connections from
multiple hosts to guard against loss of connection to a remote host following
configuration changes.
ss2O ss2d
/etc/ss2/ss2d"con5ig
8/.ss2/id"dsa.pub and id"saO 8/.ss2/aut2orized",e!s
.s2ostsO .r2osts
%hat are ssh and sshd'
ssh is a client program for logging into a remote machine and for executing commands
on a remote machine. It is intended to replace rlogin and rsh" and proide secure
encrypted communications between two untrusted hosts oer an insecure network.
ssh) is the serer AdaemonB program for ssh. Together these programs replace rlogin and
rsh" and proide secure encrypted communications between two untrusted hosts oer an
insecure network.
- 9:7 -
Lou can copy files using the scp command. &cp stands for &ecure CoPy. scp uses ssh for
data transfer.
Installing ssh and sshd
There are seeral ways to do this" I use the *ebian way#
+ apt6get install ss2

To check which files are installed type this command#
+ dp,g 66list5iles ss2

Configuring sshd
Configuring ssh) is done by editing the configuration file /etc/ss2/ss2d"con5ig.
1llow or )eny root logins
This is done by setting the keyword Per#it2ootLogin in the configuration file to the
appropriate alue. To make it more difficult for someone to gain full access" you
shouldn)t allow root logins.
Possi*le +alues for Per#it2ootLoginA
yes
This is the default. -hen set to yes" root can login using ssh.
no
-hen set to no" root cannot login using ssh.
without-password
This means that password authentication is disabled for root.
forced-commands-only
This means that root can only use ssh to login to the system and execute the
commands that are gien on the command line.
- 9:8 -
1llow or )eny non@root logins
There are a number of keywords that can be used to influence the behaiour of ssh) in
relation to logins.
"hese keywor)s areA
$llow4sers
This keyword is followed by a list of user names" separated by spaces. Login is
allowed only for usernames that match one of the patterns. Lou can use J^K and
J>K as wildcards in the patterns.
*eny4sers
This keyword is followed by a list of user names" separated by spaces. 4ser
names that match one of the patterns can not login. Lou can use J^K and J>K as
wildcards in the patterns.
$llow6roups
This keyword is followed by a list of group names" separated by spaces. Login is
allowed only for users who are a member of one or more groups that match one of
the patterns. Lou can use J^K and J>K as wildcards in the patterns.
*eny6roups
This keyword is followed by a list of group names" separated by spaces. Login is
not allowed for users who are a member of one or more groups that match one of
the patterns. Lou can use J^K and J>K as wildcards in the patterns.
=na*ling or )isa*ling M forwar)ing
There are a number of keywords that can be used to influence the behaiour of ssh) in
relation to the P -indows system.
"he keywor)s areA
P!!?orwarding
P!! forwarding is a mechanism where the program runs on one machine and the
P -indows output is shown on another machine. The command ssh @M re#ote
will set the \ariable]*I&PL$L\=ariable] in the serer-shell to
localhostAnu#A which is actually the tunnel-endpoint which is mapped back to
the original \ariable]*I&PL$L\=ariable] in the client context. This tunnel is
secured using ssh. P!!?orwarding can be set to yes or no. The default is no.
- 9:< -
P!!*isplay%ffset
This specifies the first display number that is aailable for the P!! forwarding of
ssh). This preents ssh) from interfering with real serers. The default is !..
P$uthLocation
This specifies the fully +ualified location of the xauth command. The default
location is /usr/bin/K##/xaut2. xauth is used to edit and display the
authori,ation information used in connecting to the P serer.
If you connect to machine ( from machine $ using ssh your<accountU#achine7 and
start an xter# for instance" the process will run on machine ( and the P output will go to
machine $.
%n machine $" you must authorise machine ( for P with the command xhost
V#achine7.
Beys and their purpose
There are two types of keys# &erer keys and 4ser keys.
(er+er keys
There is a slight difference between the protocol ersions ! and 2.
"he #an page of ssh) )escri*es this as followsA
&&/ protocol ersion !
Dach host has a host-specific ;&$ key Anormally !.22 bitsB used to identify the
host. $dditionally" when the daemon starts" it generates a serer ;&$ key
Anormally 7:8 bitsB. This key is normally regenerated eery hour if it has been
used and is neer stored on disk.
-heneer a client connects the daemon responds with its public host and serer
keys. The client compares the ;&$ host key against its own database to erify
that it has not changed. The client then generates a 25: bit random number. It
encrypts this random number using both the host key and the serer key" and
sends the encrypted number to the serer. (oth sides then use this random number
as a session key which is used to encrypt all further communications in the
session. The rest of the session is encrypted using a conentional cipher" currently
(lowfish or 9*D&" with 9*D& being used by default. The client selects the
encryption algorithm to use from those offered by the serer.
- 97. -
3ext" the serer and the client enter an authentication dialog. The client tries to
authenticate itself using .rhosts authentication" .rhosts authentication combined
with ;&$ host authentication" ;&$ challenge- response authentication or
password based authentication.
;hosts authentication is normally disabled because it is fundamentally insecure"
but can be enabled in the serer configuration file if desired. &ystem security is
not improed unless rsh)" rlogin)" rexec) and rex) are disabled.
&&/ protocol ersion 2
Cersion 2 works similarly# Dach host has a host-specific *&$ key used to identify
the host. /oweer" when the daemon starts" it does not generate a serer key.
?orward security is proided through a *iffie-/ellman key agreement. This key
agreement results in a shared session key.
The rest of the session is encrypted using a symmetric cipher" currently !28-bit
$D&" (lowfish" 9*D&" C$&T!28" $rcfour" !<2-bit $D& or 25:-bit $D&. The
client selects the encryption algorithm to use from those offered by the serer.
$dditionally" session integrity is proided through a cryptographic message
authentication code Ahmac-sha! or hmac- md5B.
Protocol ersion 2 proides a public key based user APubkey$uthenticationB or
client host A/ostbased$uthenticationB authentication method" conentional
password authentication and challenge-response based methods.
If possible" choose &&/ protocol ersion 2 as the only possible or as the first protocol to
use.
9ser keysH pu*lic an) pri+ate
ssh implements the ;&$ authentication protocol automatically. The user creates an ;&$
key pair by running ssh@keygen. This stores the priate key in 3YGM:/.ss2/id"dsa and
the public key in 3YGM:/.ss2/id"dsa.pub in the user)s home directory. The user should
then copy the idFdsa.pub to 3YGM:/.ss2/aut2orized",e!s in his home directory on the
remote machine. The aut2orized",e!s 5ile has one key per line which can be ery
long. $fter this" the user can log in without giing the password. Instead of dsa" rsa can
be used also. The names of the keys reflect this.
Configuring the ssh-agent
ssh@agent is a program to hold priate keys used for public-key authentication A;&$"
*&$B. The idea is that ssh@agent is started in the beginning of an P-session or a login
session" and all other windows or programs are started as clients to the ssh@agent
program. Through use of enironment ariables" the agent can be located and
automatically used for authentication when the logging-in to other machines using ssh.
- 97! -
Login session
$dd the following two lines to your 3YGM:/.bas2"pro5ile file or e+uialent Adepending
on the shell you are usingB to be able to login without haing to type your password each
time#
e-al Zss26agentZ
ss26add

The e+al Wssh@agentW sets a number of enironment ariables. In fact" ssh@agent returns
the strings needed to set them and e+al sees to it that they get set.
The ssh@a)) command without parameters reads the contents of the file
3YGM:/.ss2/id"dsa which contains the priate key" as described earlier.
-hen the user logs out from the local system" the program ssh@agent must be terminated.
To see to it that this happens automatically" add the following line to your .bas2"logout
file or e+uialent" depending on the shell you are using#
ss26agent 6,

The process id of of the current agent is determined by examining the contents of the
enironment ariable U&&/F$6D3TFPI*" which has been set by the e+al Wssh@agentW
command.
To set this up for all future users" modify files in the /etc/s,el directory which
automatically get copied to the new user)s home directory when this user is created with
a))user or with the usera)) @# X@k skeleton )irectoryY.
=na*ling M@sessions
There are seeral ways to do this" depending on how P is started and which display
manager you are using.
If you start P from the command line with startx" you can type ssh@agent startx" open a
terminal window in P and type ssh@a))" which will prompt you for the passphrase and
load your keys.
&ince I am using 6nome and *ebian" I hae installed the graphical ersion of ssh@
askpass by installing the appropriate .deb package#
+ apt6get install ss26as,pass6gnome

- 972 -
This file is called gno#e@ssh@askpass and is started by the ssh@agent command which" in
its turn" is automatically started by 6nome. This is configured in the file
/etc/gdm/Session/Jnome.
"unneling an application protocol over ssh ith portmapping
$s an example" consider the situation shown in the picture. -e are working on
@y@achine" and we want to get the file /2ome/>illem/5s$"bac,up from the machine
called Loda using scp.
-ithout ssh tunneling with port forwarding" we would hae to do this in a few steps"
assuming there is a user willem on both the firewall and on yoda#
on M!Mac2ine do. ss2 >illem@#$#.#$2.#$%.#$4 Wlogin on t2e 5ire>all
on Iire>all do. scp >illem@!oda.5s$"bac,up . Wplace 5ile 5rom !oda on
5ire>all
on M!Mac2ine do. scp >illem@#$#.#$2.#$%.#$4.5s$"bac,up . Wget t2e 5ile
on M!Mac2ine do. ss2 >illem@#$#.#$2.#$%.#$4 rm 5s$"bac,up Wremo-e t2e
5ile

-ith tunneling" this can be done with one command" not including the command to set
up the tunnel itself.
(efore we get to the actual commands inoled" let me explain what tunneling with port
forwarding means. It is +uite simple actually. -hat happens is that we use ssh to tell
@y@achine that it has got a port that points to port 22" the port that is used by ssh" on
yoda. $fter that" all data sent to that port on @y@achine will get forwarded to port 22 on
yoda.
Let us assume that the local port is going to be port 8.22. The ssh command used to
create the tunnel becomes#
M!Mac2ine + ss2 6M '$22.!oda.22 >illem@#$#.#$2.#$%.#$4

-e are now logged in on the ?irewall as the user willem and the tunnel has been
established. -e can now open a second terminal window and type the scp command that
makes use of that tunnel and gets the file#
M!Mac2ine 3 scp 6F >illem@local2ost.5s$"bac,up .

$nd we)e got the fileG The tunnel can be terminated by logging out from the firewall.
- 979 -
-e are not +uite there though. This can also be done in a different way without the need
for two windows and without haing to terminate the tunnel manually.
This is accomplished by the same set of commands we used earlier but we run the tunnel
in the background. To be able to run the tunnel in the background without this resulting
in the immediate closure of that tunnel" we hae to fool the tunnel to stay open long
enough. This is done by using ssh)s ability to execute a remote command and terminate
after the completion of that command" combined with the J-fK flag to tell ssh to run in the
background. The command that we will execute on the other machine is sleep % which
gies us :. seconds to initiate the scp command. Les" to I3ITI$TD the connection. It
does not matter how long the actual scp command takes" the connection will not be
terminated before the scp is finished.
To illustrate the aboe" we will combine both commands on one line and use sleep 1
instead of sleep %#
M!Mac2ine 3 ss2 65 6M '$22.!oda.22 >illem@#$#.#$2.#$%.#$4 sleep #C/
scp 6F'$22 >illem@local2ost.5s$"bac,up .
>illem@local2ostWs pass>ord. Raiting 5or 5or>arded connections to
terminate...
L2e 5ollo>ing connections are open.
+$ direct6tcpip. listening port '$22 5or !oda port 22O connect 5rom
#20.$.$.# port #40( (t4 r# i#/$ o#6/$)
?2ere >e t!pe t2e pass>ordA
5s$"bac,up #$$] TEEEEEEEEEEEEEEEEEEEEEEEEEEEEET 6(2(
$$.$$
M!Mac2ine 3

$s you can see" we immediately got a timeout because we were not +uick enough in
typing the password. -hat you can also see is that this did not end the connection. $s
soon as the password was gien" the file was copied with the scp command.
3ote that we had to tell scp with -P8.22 to use port 8.22 since it would otherwise hae
used the default port 22.
In this example we hae used scp as an example but the same trick also works for other
protocols" such as smtp.
&ince the tunnel is an ssh tunnel" all data going through the tunnel is encrypted.
"he .rhosts and .shosts files
The 3YGM:/.r2osts file was originally used by the rlogin and rsh commands. The file
contained information about the machines the user can connect from. &ay you create a
3YGM:/.s2osts file which contains a line in the form#
- 972 -
mac2ine6a.somedomain user6a mac2ine6b.somedomain user6b

Then user-a can login to machine-b from machine-a using user-b)s account without the
need for user-b)s password.
$lthough ssh can still make use of the 3YGM:/.r2osts and 3YGM:/.s2osts files" this is
configured in the /etc/ss2/ss2d"con5ig file and it is highly recommended you use the
new authentication method. The new method uses the ssh@keygen command and the
3YGM:/.ss2/aut2orized",e!s files" which are more secure.
"CP<wrappers (2.212.,!
The candidate should be able to configure tcpwrappers to allow connections to specified
serers from only certain hosts or subnets.
inetd.con5O
tcpd
2osts.allo>O 2osts.den!
xinetd
%hat do tcp rappers do'
(efore tcp wrappers were born" a daemon called inet) was listening for incoming
network connections and took it upon itself to start the appropriate serer program when
needed.
?or security reasons" it became necessary to only allow certain type of incoming
connections from certain hosts. The inet) daemon listens to incoming re+uests and
instead of starting the serer program needed" inet) starts tcp) which does some
additional checks Asuch as where the re+uest came fromB. If tcp) determines that the
connection should be honored" the serer program needed is launched by tcp).
%hat don>t tcp rappers do'
Tcp wrappers do not protect against network sniffing because tcp wrappers do not
encrypt the traffic. 4se ssh encryption to preent network sniffing.
Configuring tcp rappers
The first thing to do when you want a serice to be started by tcp) is to tell inet) that this
is the case. To tell inet) that we want the ftp serer wu@ftp) to be started by tcp)" we
must add the following line to inet))s configuration file /etc/inetd.con5#
- 975 -
5tp stream tcp no>ait root /usr/sbin/tcpd /usr/sbin/>u65tpd 6l

The lines of /etc/inetd.con5 are made up of the following mandatory fields#
serice name
This is the name of the serice as specified in the file /etc/ser-ices" in this case
JftpK.
socket type
This is the socket type which should be one of JstreamK" JdgramK" JrawK" JrdmK
or Jse+packetK. In this case the socket type for ftp is JstreamK.
protocol
This is the protocol type used as specified in the file /etc/protocols" in this
case JtcpK.
wait=nowaitW.maxX
?or non datagram sockets this is always JnowaitK.
userW.groupX
This entry specifies which user=group the program should run with. In this case"
JrootK.
serer program
This entry contains the pathname of the program to be executed by inet) when a
re+uest is made to that socket.
serer program arguments
This is the program" with it)s command line arguments" that is to be started by
inet) if the criteria are met. In this case" this is BusrBs*inBwu@ftp) @l.
The next thing to do is to edit the contents of the files /etc/2osts.allo> and
/etc/2osts.den! which both use the same format#
daemon"list . client"list ) . s2ell"command *

daemonFlist
- 97: -
This is a list of one or more daemon process names or wildcards. Consult the man
page of 2ost"access(() for details.
clientFlist
This is a list of one or more host names" host addresses" patterns or wildcards that
will be matched against the client host name or address. Consult the man page of
2ost"access(() for details.
shellFcommand
Command to be run by the shell when the rule matches.
The access control software consults two files. The search stops at the first match# $ccess
will be granted when a Adaemon"clientB pair matches an entry in the =etc=hosts.allow file.
%r access will be denied when a Adaemon"clientB pair matches an entry in the
/etc/2osts.den! file.
%therwise" access will be granted. $ non-existing access control file is treated as an
empty file. Thus" access control can be turned off by proiding no access control files.
xinetd
This stands for JePtended Inter3DT serices *aemonK and replaces the combo inet) and
tcp). xinet) can do the same things and offers extra functionality such as# more
sophisticated access control" preenting *o& attacks" extensie logging. ?or more
information" take a look at the Einetd omepage .
(ecurity tasks (2.212.%!
The candidate should be able to install and configure kerberos and perform basic security
auditing of source code. This ob'ectie includes subscribing to security alerts from
(ugtra+" CD;T" CI$C or other sources" being able to test for open mail relays and
anonymous ?TP serers and installing and configuring an intrusion detection system"
such as snort or Tripwire. Candidates should also be able to update the I*& configuration
as new ulnerabilities are discoered and apply security patches and bugfixes.
telnet
Lrip>ire
nmap
- 977 -
Berberos
;hat is Ker*erosI
0erberos was created by the .assachusetts Institute of Technolog(. $ll information in
this section comes from their site.
0erberos is a network-authentication protocol for client=serer applications. 0erberos
supports strong authentication and data-encryption. This makes it possible for both the
client and the serer to assure themseles about their respectie identities and" once they
are satisfied" use encrypted to communication to keep transmitted passwords and data
priate.
4nder 0erberos" a client Agenerally either a user or a sericeB sends a re+uest for a ticket
to the 0ey *istribution Center A0*CB. The 0*C creates a ticket-granting ticket AT6TB
for the client" encrypts it using the client)s password as the key and sends the encrypted
T6T back to the client. The client then attempts to decrypt the T6T" using its password.
If the client successfully decrypts the T6T Ai.e." if the client gae the correct passwordB" it
keeps the decrypted T6T" which indicates proof of the client)s identity.
The T6T" which expires after a specified time" permits the client to obtain additional
tickets" which gie permission for specific serices. The re+uesting and granting of these
additional tickets is user-transparent.
Preparing the installation
(efore installing 0erberos C5" it is necessary to consider the following issues#
The name of your 0erberos realm Aor the name of each realm" if you need more than oneB.
/ow you will map your hostnames onto 0erberos realms.
-hich ports your 0*C and kadmin Adatabase accessB serices will use.
/ow many slae 0*Cs you need and where they should be located.
The hostnames of your master and slae 0*Cs.
/ow fre+uently you will propagate the database from the master 0*C to the slae 0*Cs.
-hether you need backward compatibility with 0erberos C2.
3erberos /ealms
$lthough your 0erberos realm can be any $&CII string" conention is to make it the
same as your domain name" in upper-case letters. ?or example" hosts in the domain
fubar.org would be in the 0erberos realm ?4($;.%;6.
If you need multiple 0erberos realms" @IT recommends that you use descriptie names
which end with your domain name" such as (%&T%3.?4($;.%;6 and
/%4&T%3.?4($;.%;6.
- 978 -
Mapping %ostnames onto 3erberos /ealms
@apping hostnames onto 0erberos realms is done in one of two ways.
The first mechanism" which has been in use for years in @IT-based 0erberos
distributions" works through a set of rules in the ,rb(.con5 configuration file. A&ee
section krb5.conf.B Lou can specify mappings for an entire domain or subdomain and=or
on a hostname-by-hostname basis. &ince greater specificity takes precedence" you do this
by specifying the mappings for a gien domain or subdomain and listing the exceptions.
The 0erberos C5 &ystem $dministrator)s 6uide contains a thorough description of the
parts of the krb5.conf file and what may be specified in each. $ sample krb5.conf file
appears in section krb5.conf. Lou should be able to use this file" substituting the releant
information for your 0erberos installation for the samples.
The second mechanism" recently introduced into the @IT code base but not currently
used by default" works by looking up the information in special TPT records in the
*omain 3ame &erice. If this mechanism is enabled on the client" it will try to look up a
TPT record for the *3& name formed by putting the prefix Fkerberos in front of the
hostname in +uestion. If that record is not found" it will try using Fkerberos and the host)s
domain name" then its parent domain" and so forth. &o" for the hostname
(%&T%3.D36I3DD;I36.?%%($;.C%@" the names looked up would be#
",erberos.boston.engineering.5oobar.com
",erberos.engineering.5oobar.com
",erberos.5oobar.com
",erberos.com

The alue of the first TPT record found is taken as the realm name.
Note
%biously" this doesn)t work all that well if a host and a subdomain hae the same name"
and different realms. If" for example all the hosts in the D36I3DD;I36.?%%($;.C%@
domain are in the D36I3DD;I36.?%%($;.C%@ realm" but a host named
D36I3DD;I36.?%%($;.C%@ is for some reason in another realm. In that case" you
would set up TPT records for all hosts" rather than relying on the fallback to the domain
name.
Den if you do not choose to use this mechanism within your site" you may wish to set it
up anyway" for use when interacting with other sites.
Ports for the 3D and #dmin !ervices
- 97< -
The default ports used by 0erberos are port 88 for the 0*C and port 72< for the admin
serer. Lou can" howeer" choose to run on other ports" as long as they are specified in
each host)s /etc/ser-ices and ,rb(.con5 files" and the ,dc.con5 file on each 0*C.
?or a more thorough treatment of port numbers used by the 0erberos C5 programs" refer
to the JConfiguring Lour ?irewall to -ork -ith 0erberos C5K section of the 0erberos
C5 &ystem $dministrator)s 6uide" which is also aailable from the .assachusetts
Institute of Technolog( .
!lave 3Ds
&lae 0*Cs proide an additional source of 0erberos ticket-granting serices in the
eent of inaccessibility of the master 0*C. The number of slae 0*Cs you need and the
decision of where to place them" both physically and logically" depends on the specifics
of your network.
0erberos authentication on your network re+uires that each client be able to contact a
0*C. Therefore" you need to anticipate that a 0*C might be unaailable and hae a
slae 0*C to take up the slack.
&ome considerations include#
/ae at least one slae 0*C as a backup for when the master 0*C is down" is being
upgraded or is otherwise unaailable.
If your network is split such that a network outage is likely to cause a network partition
Asome segment or segments of the network become cut off or isolated from other
segmentsB" hae a slae 0*C accessible to each segment.
If possible" hae at least one slae 0*C in a different building from the master" in case of
power outages" fires or other locali,ed disasters.
%ostnames for the Master and !lave 3Ds
@IT recommends that your 0*Cs hae a predefined set of C3$@D records A*3&
hostname aliasesB" such as kerberos for the master 0*C and kerberos-!" kerberos-2" ...
for the slae 0*Cs. This way" if you need to swap a machine" you only need to change a
*3& entry" rather than haing to change hostnames.
$ new mechanism for locating 0*Cs of a realm through *3& has been added to the @IT
0erberos C5 distribution. $ relatiely new record type called &;C has been added to
*3&. Looked up by a serice name and a domain name" these records indicate the
hostname and port number to contact for that serice" optionally with weighting and
prioriti,ing. A&ee ;?C 2782 if you want more information. Lou can follow the example
below for straightforward cases.B
- 98. -
The use with 0erberos is fairly straightforward. The domain name used in the &;C
record name is the domain-style 0erberos realm name. AIt is possible to hae 0erberos
realm names that are not *3&-style names" but we don)t recommend it for Internet use"
and the code does not support it well.B
(e+eral )ifferent Ker*eros@relate) ser+ice na#es are use)A
Fkerberos.Fudp
This is for contacting any 0*C. This entry will be used the most often. 3ormally
you should list ports 88 and 75. on each of your 0*Cs.
Fkerberos-master.Fudp
This entry should refer to those 0*Cs" if any" that will immediately see password
changes to the 0erberos database. This entry is used for only one case# when a
user is logging in and the password appears to be incorrect. The master 0*C is
then contacted Ain case the user)s password has recently been changed and the
slae 0*C hasn)t been updated yetB and the password is tried again. %nly if that
fails an Jincorrect passwordK error is gien. If you hae only one 0*C" or for
whateer reason there is no accessible 0*C that would get database changes
faster than the others" you do not need to define this entry.
Fkerberos-adm.Ftcp
This should list port 72< on your master 0*C. &upport for it is not complete at
this time" but it will eentually be used by the kadmin program and related
utilities. ?or now" you will also need the adminFserer entry in krb5.conf.
Fkpasswd.Fudp
This should list port 2:2 on your master 0*C. It is used when a user changes her
password.
(e aware" howeer" that the *3& &;C specification re+uires that the hostnames
listed be the canonical names" not aliases. &o" for example" you might include the
following records in your A(I3*-styleB ,one file#
3G1IJIH 5oobar.com.
",erberos LKL 9IGG=;1.DGM9
,erberos DH;M: dais!
,erberos6# DH;M: use6t2e65orce6lu,e
,erberos62 DH;M: bunn!6rabbit
",erberos."udp S1P $ $ '' dais!
S1P $ $ '' use6t2e65orce6lu,e
S1P $ $ '' bunn!6rabbit
",erberos6master."udp S1P $ $ '' dais!
",erberos6adm."tcp S1P $ $ 04& dais!
- 98! -
",pass>d."udp S1P $ $ 464 dais!

$s with the *3&-based mechanism for determining the 0erberos realm of a host" we
recommend distributing the information this way for use by other sites that may want to
interact with yours using 0erberos" een if you don)t immediately make use of it within
your own site. If you anticipate installing a ery large number of machines on which it
will be hard to update the 0erberos configuration files" you may wish to do all of your
0erberos serice lookups ia *3& and not put the information Aexcept for adminFserer"
as noted aboeB in future ersions of your ,rb(.con5 files at all. Dentually" @IT hopes
to phase out the listing of serer hostnames in the client-side configuration filesQ making
preparations now will make the transition easier in the future.
Database Propagation
The 0erberos database resides on the master 0*C and must be propagated regularly
Ausually by a cron 'obB to the slae 0*Cs. In deciding how fre+uently the propagation
should happen" you will need to balance the amount of time the propagation takes against
the maximum reasonable amount of time a user should hae to wait for a password
change to take effect.
If the propagation time is longer than this maximum reasonable time Ae.g." you hae a
particularly large database" you hae a lot of slaes" or you experience fre+uent network
delaysB" you may wish to cut down on your propagation delay by performing the
propagation in parallel. To do this" hae the master 0*C propagate the database to one
set of slaes" and then hae each of these slaes propagate the database to additional
slaes.
3nstallation an) Configuration
Installing 3Ds
The 0ey *istribution Centers A0*CsB issue 0erberos tickets. Dach 0*C contains a copy
of the 0erberos database. The master 0*C contains the master copy of the database"
which it propagates to the slae 0*Cs at regular interals. $ll database changes Asuch as
password changesB are made on the master 0*C.
&lae 0*Cs proide 0erberos ticket-granting serices" but not database administration.
This allows clients to continue to obtain tickets when the master 0*C is unaailable.
@IT recommends that you install all of your 0*Cs to be able to function as either the
master or one of the slaes. This will enable you to easily switch your master 0*C with
one of the slaes if necessary. A&ee section &witching @aster and &lae 0*Cs.B This
installation procedure is based on that recommendation. Install the @aster 0*C.
- 982 -
This installation procedure will re+uire you to go back and forth a couple of times
between the master 0*C and each of the slae 0*Cs.
The first few steps must be done on the master 0*C.
=)it the Configuration -iles
@odify the configuration files" /etc/,rb(.con5 Asee section krb5.confB and
/usr/local/-ar/,rb(,dc/,dc.con5 Asee section kdc.confB to reflect the correct
information Asuch as the hostnames and realm nameB for your realm. @IT recommends
that you keep ,rb(.con5 in =etc.
$mong the settings in your /etc/,rb(.con5 file" be sure to create a logging stan,a so
that the K4C and ka)#in) will generate logging output. ?or example#
)logging*
,dc B IIM:./-ar/log/,rb(,dc.log
admin"ser-er B IIM:./-ar/log/,admin.log
de5ault B IIM:./-ar/log/,rb(lib.log

Create the 4ata*ase
Lou will use the k)*,<util command on the @aster 0*C to create the 0erberos database
and the optional stash file. The stash file is a local copy of the master key that resides in
encrypted form on 0*C)s local disk. The stash file is used to authenticate the 0*C to
itself automatically before starting the ka)#in) and kr*,k)c daemons Ae.g." as part of
the machine)s boot se+uenceB. The stash file" like the keytab file Asee &ee section The
0eytab ?ile" for more informationB is a potential point-of-entry for a break-in" and if
compromised" would allow unrestricted access to the 0erberos database. If you choose to
install a stash file" it should be readable only by root and should exist only on 0*C)s
local disk. The file should not be part of any backup of the machine" unless access to the
backup data is secured as tightly as access to the master password itself.
3ote that k)*,<util will prompt you for the master key for the 0erberos database. This
key can be any string. $ good key is one you can remember" but that no one else can
guess. Dxamples of bad keys are words that can be found in a dictionary" any common or
popular name" especially a famous person Aor cartoon characterB" your username in any
form Ae.g." forward" backward" repeated twice" etc.B" and any of the sample keys that
appear in this document. %ne example of a key which might be good if it did not appear
in this document is J@ITiys205GK" which represents the sentence J@IT is your source for
0erberos 5GK AIt)s the first letter of each word" substituting the numeral J2K for the word
JforK" and includes the punctuation mark at the end.B
The following is an example of how to create a 0erberos database and stash file on the
master 0*C" using the k)*,<util command. ;eplace $T/D3$.@IT.D*4 with the
name of your 0erberos realm.
- 989 -
s2ell] /usr/local/sbin/,db("util create 6r ;LY:H;.MIL.:D 6s
Initializing database W/usr/local/-ar/,rb(,dc/principalW 5or
/
realm W;LY:H;.MIL.:DWO
master ,e! name WK/M@;LY:H;.MIL.:DW
Nou >ill be prompted 5or t2e database Master Fass>ord.
It is important t2at !ou HGL IG1J:L t2is pass>ord.
:nter KDD database master ,e!. U L!pe t2e master pass>ord V
1e6enter KDD database master ,e! to -eri5!. U L!pe it again V
s2ell]

This will create fie files in the directory specified in your ,dc.con5 file# two 0erberos
database files" principal.dband principal.o,Q the 0erberos administratie database
file" principal.,adm(Q the administratie database lock file" principal.,adm(.loc,
and the stash file" .,(stas2. AThe default directory is /usr/local/-ar/,rb(,dc.B If you
do not want a stash file" run the aboe command without the -s option.
1)) 1)#inistrators to the 1cl -ile
3ext" you need to create an $ccess Control List AaclB file and put the 0erberos principal
of at least one of the administrators into it. The filename should match the alue you hae
set for JaclFfileK in your ,dc.con5 file. The default file name is ,adm(.acl. The format
of the file is#
Kerberos principal permissions optional target principal

The 0erberos principal Aand optional target principalB can include the J^K wildcard" so if
you want any principal with the instance JadminK to hae full permissions on the
database" you could use the principal J^=admin_;D$L@K where J;D$L@K is your
0erberos realm.
3ote# a common use of an admin instance is so you can grant separate permissions Asuch
as administrator access to the 0erberos databaseB to a separate 0erberos principal. ?or
example" the user 'oeadmin might hae a principal for his administratie use" called
'oeadmin=admin. This way" 'oeadmin would obtain 'oeadmin=admin tickets only when he
actually needs to use those permissions. ;efer to the 0erberos C5 $dministrator)s 6uide
or the 0erberos C5 4ser)s 6uide for more detailed explanations of principals and
instances.
"he per#issions (acls! recogni&e) in the acl file are the followingA
a
allows the addition of principals or policies in the database.
$
- 982 -
prohibits the addition of principals or policies in the database.
d
allows the deletion of principals or policies in the database.
*
prohibits the deletion of principals or policies in the database.
m
allows the modification of principals or policies in the database.
@
prohibits the modification of principals or policies in the database.
c
allows the changing of passwords for principals in the database.
C
prohibits the changing of passwords for principals in the database.
i
allows in+uiries to the database.
I
prohibits in+uiries to the database.
l
allows the listing of principals or policies in the database.
L
prohibits the listing of principals or policies in the database.
^
&hort for all priileges AadmcilB.
- 985 -
x
&hort for all priileges AadmcilBQ identical to J^K.
To gie the principal ^=admin_$T/D3$.@IT.D*4 permission to change all of the
database permissions on any principal permissions" you would place the following line in
the file#
E/admin@;LY:H;.MIL.:D E

To gie the principal 'oeadmin_$T/D3$.@IT.D*4 permission to add" list" and in+uire
about any principal that has the instance JrootK" you would add the following line to the
acl file#
7oeadmin@;LY:H;.MIL.:D ali E/root@;LY:H;.MIL.:D

1)) 1)#inistrators to the Ker*eros 4ata*ase
3ext you need to add administratie principals to the 0erberos database. ALou must add
at least one now.B To do this" use ka)#in.local on the master 0*C. The administratie
principals you create should be the ones you added to the $CL file. A&ee the section $dd
$dministrators to the $cl ?ile.B In the following example" the administration principal
admin=admin is created#
s2ell] /usr/local/sbin/,admin.local
,admin.local. addprinc admin/admin@;LY:H;.MIL.:D
R;1HIHJ. no polic! speci5ied 5or 9admin/admin@;LY:H;.MIL.:D9C
de5aulting to no polic!.
:nter pass>ord 5or principal admin/admin@;LY:H;.MIL.:D. U :nter a
pass>ord V
1e6enter pass>ord 5or principal admin/admin@;LY:H;.MIL.:D. U L!pe it
again V
Frincipal 9admin/admin@;LY:H;.MIL.:D9 created.
,admin.local.

Create a ka)#in) Keyta*
The kadmind keytab is the key that kadmind will use to decrypt administrators) 0erberos
tickets to determine whether or not it should gie them access to the database. Lou need
to create the kadmin keytab with entries for the principals kadmin=admin and
kadmin=changepw. AThese principals are placed in the 0erberos database automatically
when you create it.B To create the kadmin keytab" run ka)#in.local and use the kta))
command" as in the following example.
s2ell] /usr/local/sbin/,admin.local
,admin.local. ,tadd 6, /usr/local/-ar/,rb(,dc/,adm(.,e!tab
/
- 98: -
,admin/admin ,admin/c2angep>
:ntr! 5or principal ,admin/admin@;LY:H;.MIL.:D >it2
,-no %O encr!ption t!pe D:S6D=D6D1D added to ,e!tab
R1IIM:./usr/local/-ar/,rb(,dc/,adm(.,e!tab.
:ntr! 5or principal ,admin/c2angep>@;LY:H;.MIL.:D >it2
,-no %O encr!ption t!pe D:S6D=D6D1D added to ,e!tab
R1IIM:./usr/local/-ar/,rb(,dc/,adm(.,e!tab.
,admin.local. Suit
s2ell]

$s specified in the J-kK argument" ktadd will sae the extracted keytab as
=usr=local=ar=krb5kdc=kadm5.keytab. The filename you use must be the one specified in
your kdc.conf file.
(tart the Ker*eros 4ae#ons on the 0aster K4C
$t this point" you are ready to start the 0erberos daemons on the @aster 0*C. To do so"
type#
s2ell] /usr/local/sbin/,rb(,dc
s2ell] /usr/local/sbin/,admind

Dach daemon will fork and run in the background. $ssuming you want these daemons to
start up automatically at boot time" you can add them to 0*C)s =etc=rc or =etc=inittab file.
Lou need to hae a stash file in order to do this.
Lou can erify that they started properly by checking for their startup messages in the
logging locations you defined in /etc/,rb(.con5. A&ee the section called J Ddit the
Configuration ?iles KB ?or example#
s2ell] tail /-ar/log/,rb(,dc.log
Dec $2 #2.%(.40 beeblebrox ,rb(,dc)%#'0*(in5o). commencing operation
s2ell] tail /-ar/log/,admin.log
Dec $2 #2.%(.(2 beeblebrox ,admind)%#'&*(in5o). starting

$ny errors the daemons encounter while starting will also be listed in the logging output.
3nstall the (la+e K4Cs
Lou are now ready to start configuring the slae 0*Cs. $ssuming you are setting the
0*Cs up so that you can easily switch the master 0*C with one of the slaes" you
should perform each of these steps on the master 0*C as well as the slae 0*Cs" unless
these instructions specify otherwise.
Create Host Keys for the (la+e K4Cs
- 987 -
Dach 0*C needs a host principal in the 0erberos database. Lou can enter these from any
host" once the kadmind daemon is running. If" for example your master 0*C were called
kerberos.mit.edu" and you had two 0*C slaes named kerberos-!.mit.edu and
kerberos-2.mit.edu" you would type the following#
s2ell] /usr/local/sbin/,admin
,admin. addprinc 6rand,e! 2ost/,erberos.mit.edu
R;1HIHJ. no polic! speci5ied 5or 92ost/,erberos.mit.edu@;LY:H;.MIL.:D9C
Frincipal 92ost/,erberos.mit.edu@;LY:H;.MIL.:D9 created.
,admin. addprinc 6rand,e! 2ost/,erberos6#.mit.edu
R;1HIHJ. no polic! speci5ied 5or
92ost/,erberos6#.mit.edu@;LY:H;.MIL.:D9C
Frincipal 92ost/,erberos6#.mit.edu@;LY:H;.MIL.:D9 created.
,admin. addprinc 6rand,e! 2ost/,erberos62.mit.edu
R;1HIHJ. no polic! speci5ied 5or
92ost/,erberos62.mit.edu@;LY:H;.MIL.:D9C
Frincipal 92ost/,erberos62.mit.edu@;LY:H;.MIL.:D9 created.
,admin.

It is not actually necessary to hae the master 0*C serer in the 0erberos database" but it
can be handy if anyone will be logging into the machine as something other than root" or
you want to be able to swap the master 0*C with one of the slaes if necessary.
=xtract Host Keyta*s for the K4Cs
Dach 0*C Aincluding the masterB needs a keytab to decrypt tickets. Ideally" you should
extract each keytab locally on its own 0*C. If this is not feasible" you should use an
encrypted session to send them across the network. To extract a keytab on a 0*C called
kerberos.mit.edu" you would execute the following command#
,admin. ,tadd 2ost/,erberos.mit.edu
,admin. :ntr! 5or principal 2ost/,erberos.mit.edu@;LY:H;.MIL.:D >it2
,-no #O encr!ption t!pe D:S6D=D6D1D added to ,e!tab
R1IIM:./etc/,rb(.,e!tab.
,admin.

3ote that the principal must exist in the 0erberos database in order to extract the keytab.
(et 9p the (la+e K4Cs for 4ata*ase Propagation
The database is propagated from the master 0*C to the slae 0*Cs ia the kprop)
daemon. To set up propagation" create a file on each 0*C named
/usr/local/-ar/,rb(,dc/,propd.acl containing the principals for each of the 0*Cs.
If" for example the master 0*C were kerberos.mit.edu" the slae 0*Cs were
kerberos-!.mit.edu and kerberos-2.mit.edu" and the realm were $T/D3$.@IT.D*4"
then the file)s contents would be#
- 988 -
2ost/,erberos.mit.edu@;LY:H;.MIL.:D
2ost/,erberos6#.mit.edu@;LY:H;.MIL.:D
2ost/,erberos62.mit.edu@;LY:H;.MIL.:D

Then" add the following lines to /etc/inetd.con5 file on each 0*C.
,rb("prop stream tcp no>ait root /usr/local/sbin/,propd ,propd
e,login stream tcp no>ait root /usr/local/sbin/,logind
/
,logind 6, 6c 6e

The first line sets up the kpropd database propagation daemon. The second line sets up
the eklogin daemon" allowing 0erberos-authenticated" encrypted rlogin to the 0*C.
Lou also need to add the following lines to =etc=serices on each 0*C#
,erberos ''/udp ,dc + Kerberos aut2entication (udp)
,erberos ''/tcp ,dc + Kerberos aut2entication (tcp)
,rb("prop 0(4/tcp + Kerberos sla-e propagation
,erberos6adm 04&/tcp + Kerberos ( admin/c2angep> (tcp)
,erberos6adm 04&/udp + Kerberos ( admin/c2angep> (udp)
e,login 2#$(/tcp + Kerberos encr!pted rlogin

7ack on the 0aster K4C
3ow that the slae 0*Cs are able to accept database propagation" you)ll need to
propagate the database to each of them.
Propagate the 4ata*ase to =ach (la+e K4C
?irst" create a dump of the database on the master 0*C" as follows#
s2ell] /usr/local/sbin/,db("util dump
/usr/local/-ar/,rb(,dc/sla-e"datatrans
s2ell]

3ext" you need to manually propagate the database to each slae 0*C" as in the
following example.
/usr/local/sbin/,prop 65 /usr/local/-ar/,rb(,dc/sla-e"datatrans
/
,erberos6#.mit.edu
/usr/local/sbin/,prop 65 /usr/local/-ar/,rb(,dc/sla-e"datatrans
/
,erberos62.mit.edu

- 98< -
Lou will need a script to dump and propagate the database. The following is an example
of a bourne shell script that will do this. ;emember that you need to replace /usr/local
with the name of the directory in which you installed 0erberos C5.
+Q/bin/s2
,dclist B 9,erberos6#.mit.edu ,erberos62.mit.edu9
/usr/local/sbin/,db("util 61 9dump
/usr/local/-ar/,rb(,dc/sla-e"datatrans9
5or ,dc in 3,dclist
do
/usr/local/sbin/,prop 65 /usr/local/-ar/,rb(,dc/sla-e"datatrans 3,dc
done

Lou will need to set up a cron 'ob to run this script at the interals you decided on earlier
A&ee section *atabase Propagation.B
-inish 3nstalling the (la+e K4Cs
3ow that the slae 0*Cs hae copies of the 0erberos database" you can create stash files
for them and start the krb5kdc daemon.
Create (tash -iles on the (la+e K4Cs
Create stash files by issuing the following commands on each slae 0*C#
s2ell] ,db("util stas2
,db("util. Dannot 5ind/read stored master ,e! >2ile reading master ,e!
,db("util. Rarning. proceeding >it2out master ,e!
:nter KDD database master ,e!. U :nter t2e database master ,e! V
s2ell]

$s mentioned aboe" the stash file is necessary for your 0*Cs to be able to authenticate
themseles" such as when they reboot. Lou could run your 0*Cs without stash files" but
you would then need to type in the 0erberos database master key by hand eery time you
start a 0*C daemon.
(tart the krb5kdc 4ae#on on =ach K4C
The final step in configuring your slae 0*Cs is to run the 0*C daemon#
s2ell] /usr/local/sbin/,rb(,dc

- 9<. -
$s with the master 0*C" you will probably want to add this command to the 0*C)s
/etc/rc or /etc/inittab files" so they will start the krb5kdc daemon automatically at
boot time.
1)) Ker*eros Principals to the 4ata*ase
%nce your 0*Cs are set up and running" you are ready to use ka)#in to load principals
for your users" hosts and other serices into the 0erberos database. This procedure is
described fully in the J$dding or @odifying PrincipalsK section of the 0erberos C5
&ystem $dministrator)s 6uide. A&ee the section called J Create /ost 0eys for the &lae
0*Cs K for a brief description.B The keytab is generated by running ka)#in and issuing
the kta)) command.
Li#it 1ccess to the K4Cs
To limit the possibility that your 0erberos database could be compromised" @IT
recommends that each 0*C be a dedicated host" with limited access. If your 0*C is also
a file serer" ?TP serer" -eb serer" or een 'ust a client machine" someone who
obtained root access through a security hole in any of those areas could gain access to the
0erberos database.
@IT recommends that your 0*Cs use the following /etc/inetd.con5 file.
+
+ Lime ser-ice is used 5or cloc, s!nc2ronization.
+
time stream tcp no>ait root internal
time dgram udp >ait root internal
+
+ Mimited Kerberos ser-ices
+
,rb("prop stream tcp no>ait root /usr/local/sbin/,propd ,propd
e,login stream tcp no>ait root /usr/local/sbin/,logind
/
,logind 6( 6c 6e

(witching 0aster an) (la+e K4Cs
Lou may occasionally want to use one of your slae 0*Cs as the master. This might
happen if you are upgrading the master 0*C" or if your master 0*C has a disk crash.
$ssuming you hae configured all of your 0*Cs to be able to function as either the
master 0*C or a slae 0*C Aas this document recommendsB" all you need to do to make
the changeoer is#
If the master 0*C is still running" do the following on the old master 0*C#
!. 0ill the kadmind process.
- 9<! -
2. *isable the cron 'ob that propagates the database.
9. ;un your database propagation script manually" to ensure that the slaes all hae the
latest copy of the database Asee the section called J Propagate the *atabase to Dach &lae
0*C KB. $s of the !.2.2 release" it is no longer necessary to use k)*,<util )u#p@o+ in
order to presere per-principal policy information" as the default dump format now
supports it. 3ote you should update your slaes prior to your master" so that they will
understand the new dump format. AThis is a good policy anyway.B
%n the new master 0*C#
!. Create a database keytab. A&ee section Create a kadmind 0eytab.
2. &tart the kadmind daemon. A&ee section &tart the 0erberos *aemons on the @aster
0*C.B
9. &et up the cron 'ob to propagate the database. A&ee section Propagate the *atabase to
Dach &lae 0*C.B
2. &witch the C3$@Ds of the old and new master 0*Cs. AIf you don)t do this" you)ll
need to change the krb5.conf file on eery client machine in your 0erberos realm.B
+nort
;hat is itI
&nort is a lightweight network intrusion detection system capable of performing real-time
traffic analysis and packet logging on IP networks. It can perform protocol analysis"
content searching=matching and can be used to detect a ariety of attacks and probes"
such as buffer oerflows" stealth port scans" C6I attacks" &@( probes" %& fingerprinting
attempts and much more. &nort uses a flexible rules language to describe traffic that it
should collect or pass" as well as a detection engine that utili,es a modular plugin
architecture. &nort has a real-time alerting capability as well" incorporating alerting
mechanisms for syslog" a user-specified file" a 43IP socket or -inPopup messages to
-indows clients using &amba)s smbclient.
&nort has three primary uses. It can be used as a straight packet-sniffer like tcp)u#p" a
packet-logger Auseful for network traffic debugging" etcB" or as a full blown network-
intrusion detection system.
&nort logs packets in either tcp)u#p binary format or in &nort)s decoded $&CII format
to logging directories that are named based on the IP address of the JforeignK host.
- 9<2 -
3nstallation
Lou can get snort from The 4nort 8o#nload ,enter. &ince I am using *ebian" I used the
*ebian way to install &nort#
+ apt6get install snort

Lou will then be asked to specify the interface &nort should listen on. In my case" this is
et2$.
3ext you will be asked to specify how many IP addresses &nort should listen to. This is
done in CI*; form" i.e. !<2.!:8.2..=22 for a block of 25: IP addresses or !<2.!:8.2.8=92
for 'ust one. I hae chosen to only listen to my own IP address" which is !<2.!:8.2.8.
3ext you will be asked who should receie the daily statistic mails. The default is root.
To run snort in the sniffer mode" i.e. let snort dump TCP=IP packets to the screen type#
+ snort 6-
$#/$06#6.22.#2.046(4$ #&2.#6'.2.'.#$24 6A #&2.#6'.2.#.(%
DF LLM.64 LGS.$x$ ID.#%('# IpMen.2$ DgmMen.6$ DI
Men. 4$
BXBXBXBXBXBXBXBXBXBXBXBXBXBXBXBXBXBXBXBXBXBXBXBXBXBXBXBXBXBXBXBXBXBXBXB
XBX
$#/$06#6.22.#2.0($%46 #&2.#6'.2.#.(% 6A #&2.#6'.2.'.#$24
DF LLM.64 LGS.$x$ ID.(''26 IpMen.2$ DgmMen.422
Men. 4$2
XBX
$#/$06#6.22.#2.0(#2&# #&2.#6'.2.' 6A #&'.#'6.2$%.2$
IDMF LLM.64 LGS.$x$ ID.$ IpMen.2$ DgmMen.'4 DI
L!pe.' Dode.$ ID.2(6$4 SeS.$ :DYG
XBX
$#/$06#6.22.#2.&4$((& #&'.#'6.2$%.2$ 6A #&2.#6'.2.'
IDMF LLM.2%( LGS.$x$ ID.##6'4 IpMen.2$ DgmMen.'4
L!pe.$ Dode.$ ID.2(6$4 SeS.$ :DYG 1:FMN
XBX

The output shown aboe is the result of the command ping www.)e*ian.org. The first
section shows the outgoing *3& lookup for www.debian.org. The second section shows
the reply to the *3& lookup. The third section shows the outgoing ping Awhich is" in fact"
an IC@P message of type DC/%B. The fourth section shows the answer to the ping
Awhich is" in fact" an IC@P message of type DC/% ;DPLLB.
- 9<9 -
To run snort in the sniffer mode and show application data as well" type#
+ snort 6-d
$#/$06#6.2#.#0.&0&('6 #&2.#6'.2.'.#$24 6A #&2.#6'.2.#.(%
DF LLM.64 LGS.$x$ ID.'#$( IpMen.2$ DgmMen.6$ DI
Men. 4$
(0 %( $# $$ $$ $# $$ $$ $$ $$ $$ $$ $% 00 00 00 R(...........>>>
$6 64 6( 62 6& 6# 6: $% 6I 02 60 $$ $$ $# $$ $# .debian.org.....
XBX
$#/$06#6.2#.#0.&'%2#' #&2.#6'.2.#.(% 6A #&2.#6'.2.'.#$24
DF LLM.64 LGS.$x$ ID.(''2( IpMen.2$ DgmMen.422
Men. 4$2
(0 %( '# '$ $$ $# $$ $# $$ $& $$ $& $% 00 00 00 R(...........>>>
$6 64 6( 62 6& 6# 6: $% 6I 02 60 $$ $$ $# $$ $# .debian.org.....
D$ $D $$ $# $$ $# $$ $$ $4 #0 $$ $4 D6 =; D= #4 ................
D$ #$ $$ $2 $$ $# $$ $$ $4 #0 $$ $& $6 0% 6# 6D .............sam
6I 0% 6# D$ #$ D$ #$ $$ $2 $$ $# $$ $$ $4 #0 $$ osa.............
$' $( 0% 6# 6( 6: 0% D$ #$ D$ #$ $$ $2 $$ $# $$ ..saens.........
$$ $4 #0 $$ $; $0 6= 6D 6( 6% 6= 6( 02 D$ #$ D$ ......,lec,er...
#$ $$ $2 $$ $# $$ $$ $4 #0 $$ $; $0 0$ 6# 6: 64 ............pand
6I 02 6# D$ #$ D$ #$ $$ $2 $$ $# $$ $$ $4 #0 $$ ora.............
$& $6 6D 0( 02 0$ 6' 0& D$ #$ D$ #$ $$ $2 $$ $# ..murp2!........
$$ $$ $4 #0 $$ $' $( 6# 0( 02 6& 6% D$ #$ D$ #$ .......auric....
$$ $2 $$ $# $$ $$ $4 #0 $$ #$ $% 6: 0% %2 $0 6% ...........ns2.c
6& 0% 04 02 6I 6: $2 6: 6D $$ D$ #$ $$ $2 $$ $# istron.nl.......
$$ $$ $4 #0 $$ $: $2 6: 0% $( 6' 6# 6: 64 0% $% .......ns.2ands.
6% 6I 6D $$ D$ #$ $$ $2 $$ $# $$ $$ $4 #0 $$ $; com.............
$% 6: 0% %# $% 00 6# 00 D$ DI D$ %D $$ $# $$ $# .ns#.>a>...?....
$$ $$ $4 #0 $$ $4 D# I& 6# :; D$ (# $$ $# $$ $# ........a.._....
$$ $2 %I ;0 $$ $4 '$ 6( 24 D$ D$ 6( $$ $# $$ $# ..4....e3..e....
$$ $$ $4 #0 $$ $4 D6 =; D= #4 D$ 0= $$ $# $$ $# ...........U....
$$ $$ $4 #0 $$ $4 '4 :( '& I& D$ &# $$ $# $$ $# ................
$$ $$ $4 #0 $$ $4 D' :; :0 $6 D$ ;6 $$ $# $$ $# ................
$$ $$ $4 #0 $$ $4 D: I6 :2 2D D$ =; $$ $# $$ $# .........6......
$$ $# (: %4 $$ $4 D% 4$ 44 #D D$ D6 $$ $# $$ $# ..\4...@D.......
$$ $$ %2 ;$ $$ $4 D% :$ %( 20 D$ I$ $$ $# $$ $# ..2.....(W......
$$ $2 &D (D $$ $4 D( 2& 0& I; .../...)!.
XBX
$#/$06#6.2#.#0.&'4#&# #&2.#6'.2.' 6A #&'.#'6.2$%.2$
IDMF LLM.64 LGS.$x$ ID.$ IpMen.2$ DgmMen.'4 DI
L!pe.' Dode.$ ID.24'%6 SeS.$ :DYG
%D %& =D :D $$ $I $4 6; $' $& $; $= $D $D $: $I ?&.....7........
#$ ## #2 #% #4 #( #6 #0 #' #& #; #= #D #D #: #I ................
2$ 2# 22 2% 24 2( 26 20 2' 2& 2; 2= 2D 2D 2: 2I Q9+3][W()EXO6./
%$ %# %2 %% %4 %( %6 %0 $#2%4(60
XBX
$#/$06#6.2#.#'.#0'4(4 #&'.#'6.2$%.2$ 6A #&2.#6'.2.'
IDMF LLM.2%( LGS.$x$ ID.66( IpMen.2$ DgmMen.'4
L!pe.$ Dode.$ ID.24'%6 SeS.$ :DYG 1:FMN
- 9<2 -
%D %& =D :D $$ $I $4 6; $' $& $; $= $D $D $: $I ?&.....7........
#$ ## #2 #% #4 #( #6 #0 #' #& #; #= #D #D #: #I ................
2$ 2# 22 2% 24 2( 26 20 2' 2& 2; 2= 2D 2D 2: 2I Q9+3][W()EXO6./
%$ %# %2 %% %4 %( %6 %0 $#2%4(60
XBX

The output shown aboe is the result of the command ping www.)e*ian.org. The first
section shows the outgoing *3& lookup for www.debian.org. The second section shows
the reply to the *3& lookup. The third section shows the outgoing ping Awhich is" in fact"
an IC@P message of type DC/%B. The fourth section shows the answer to the ping
Awhich is" in fact" an IC@P message of type DC/% ;DPLLB.
To run snort in the packet-logger mode" creating directories based on the host" type#
+ snort 6de- 6l ./snortlog

$fter starting snort and running the commands ping www.)e*ian.org and ping
www.iaf.nl the contents of the ./snortlog directory is as follows#
+ ls 6l1 snortlog/
snortlog/.
total 4
dr>x666666 2 root root #$24 ân ' $&.(6 #&2.#6'.2.'
dr>x666666 2 root root #$24 ân ' $&.(6 #&'.#'6.2$%.2$
dr>x666666 2 root root #$24 ân ' $&.(6 '$.'&.22'.#$
6r>6666666 # root root (2' ân ' $&.(6 ;1F
snortlog/#&2.#6'.2.'.
total '
6r>6666666 # root root %6&' ân ' $&.(6 IDMF":DYG
6r>6666666 # root root %2&( ân ' $&.(6 DF.#$246(%
snortlog/#&'.#'6.2$%.2$.
total 2
6r>6666666 # root root #6$& ân ' $&.(6 IDMF":DYG"1:FMN
snortlog/'$.'&.22'.#$.
total %
6r>6666666 # root root 2#%' ân ' $&.(6 IDMF":DYG"1:FMN

To run snort in network-intrusion detection mode" type#
+ snort 6d 62 #&2.#6'.2.$/24 6l ./snortlog 6c snort.con

This lets snort run in the most basic network-intrusion detection mode" which logs the
same way as the packet-logger mode.
- 9<5 -
There are +uite a few of other possibilities" such as logging in a binary format" which can
later be parsed by snort. Please consult the 4nort Bsers .anual for more information.
Configuration
Lou can also create a configuration containing rules. To hae &nort use these rules" use
the J-c \configfile]K option.
&nort rules are diided into two logical sections" the rule header and the rule options. The
rule header contains the action" protocol" source and destination IP addresses and
netmasks" and the source and destination ports information. The rule option section
contains alert messages and information on which parts of the packet should be inspected
to determine if the rule action should be taken.
alert tcp an! an! 6A #&2.#6'.#.$/24 ### (content.9T$$ $# '6 a(T9C
msg. 9mountd access9C)

The text up to the first parenthesis is the rule header and the section enclosed in
parenthesis is the rule options. The words before the colon in the rule options section are
called option keywords. 3ote that the rule options section is not specifically re+uired by
any rule" they are 'ust used for the sake of making tighter definitions of packets to collect
or alert on Aor drop" for that matterB. $ll of the elements in that rule must be true for the
indicated rule action to be taken. -hen taken together" the elements can be considered to
form a logical $3* statement. $t the same time" the arious rules in a &nort rules library
file can be considered to form a large logical %; statement.
$gain" there are a lot of possibilities which are explained in the 4nort Bsers .anual.
There is no point in learning the possibilities by heart but I adise you to look at the
manual to get a global idea of what is possible.
"ripire
;hat is itI
Tripwire is a cross platform software suite from a company by the same name. Tripwire
monitors system changes.
$ll information in this chapter comes from Trip#ire$s #eb-site . Consult the site for more
information.
Tripwire does not preent an intruder or irus from attacking system files but detects
intrusions when they occur. (y comparing system files and directories against a
preiously stored JbaselineK database" Tripwire finds any additions" deletions or changes
to the specified properties. This enables the system administrator to determine the extent
of the problem and begin the necessary damage control.
- 9<: -
3nstallation
Linux %pen &ource Code for Tripwire can be found at 4ource +orge9 'ro7ect Trip#ire.
&ince there is a *ebian package for tripwire" I hae chosen to install it the *ebian way#
apt6get install trip>ire

Lou will then get the following message#
Lrip>ire ,eeps its con5iguration in an encr!pted database t2at is
generatedO b!
de5aultO 5rom /etc/trip>ire/t>c5g.txt
an! c2anges to /etc/trip>ire/t>c5g.txtO eit2er as a result o5 a c2ange
in t2is
pac,age or due to administrator acti-it!O reSuire t2e regeneration o5
t2e
encr!pted database be5ore t2e! >ill ta,e e55ect.
Selecting t2is action >ill result in !our being prompted 5or t2e site
,e!
pass6p2rase during t2e post6installation process o5 t2is pac,age.
1ebuild t2e Lrip>ire con5iguration 5ile4

Choose to rebuild it ALesB. Lou will then get the following message#
Lrip>ire ,eeps its policies on >2at attributes o5 >2ic2 5iles s2ould be
monitored in an encr!pted database t2at is generatedO b! de5aultO 5rom
/etc/trip>ire/t>pol.txt
;n! c2anges to /etc/trip>ire/t>pol.txtO eit2er as a result o5 a c2ange
in t2is pac,age or due to administrator acti-it!O reSuire t2e
regeneration o5 t2e encr!pted database be5ore t2e! >ill ta,e e55ect.
Selecting t2is action >ill result in !our being prompted 5or t2e site
,e! pass6p2rase during t2e post6installation process o5 t2is pac,age.
1ebuild Lrip>ire polic! 5ile4

Choose to rebuild it ALesB. Lou will then get the following message#
Lrip>ire uses t>o di55erent ,e!s 5or aut2entication and encr!ption o5
5iles. L2e site ,e! is used to protect 5iles t2at could be used
across se-eral s!stems. L2is includes t2e polic! and con5iguration
5iles.
Nou are prompted 5or t2is pass6p2rase eit2er because no site ,e!
exists at t2is time or because !ou 2a-e reSuested t2e rebuilding o5
- 9<7 -
t2e polic! or con5iguration 5iles.
1emember t2is pass6p2raseO it is not stored an!>2ereQ
:nter site6,e! pass6p2rase

Rust enter a phrase you can remember" such as J(e careful not to trip oer the wireK. Lou
will then get the following message#
Flease repeat t2e site pass6p2rase to be sure !ou didnWt mist!pe.
1epeat t2e site6,e! pass6p2rase

;etype your pass-phrase. Lou will then get the following message#
Lrip>ire uses t>o di55erent ,e!s 5or aut2entication and encr!ption o5
5iles. L2e local ,e! is used to protect 5iles speci5ic to t2e local
mac2ineO suc2 as t2e Lrip>ire database. L2e local ,e! ma! also be
used 5or signing integrit! c2ec, reports.
Nou are being prompted 5or t2is pass6p2rase because no local ,e! 5ile
currentl! exists.
1emember t2is pass6p2raseO it is not stored an!>2ereQ
:nter local ,e! pass6p2rase

Rust type another pass-phrase you can remember" such as J$nother Tripwire phraseK.
Lou will then get the following message#
Flease repeat t2e local pass6p2rase to be sure !ou didnWt mist!pe.
1epeat t2e local ,e! pass6p2rase

;etype your pass-phrase. Lou will then get the following message#
Lrip>ire 2as been installed.
L2e Lrip>ire binaries are located in /usr/bin and t2e database is
located in /-ar/lib/trip>ire. It is strongl! ad-ised t2at t2ese
locations be stored on >rite6protected media (e.g. mounted 1G 5lopp!).
See /usr/s2are/doc/trip>ire/1:;DM:.Debian 5or details.

This concludes the installation of Tripwire.
- 9<8 -
Configuration
This section describes the files that influence the behaior of Tripwire.
&he &ripwire onfiguration File
The Tripwire configuration file is structured as a list of keyword-alue pairs and may also
contain comments and ariable definitions. $ny lines with JcK in the first column are
treated as comments.
$fter installation" the file /etc/trip>ire/t>c5g.txt contains the following lines#
1GGL B/usr/sbin
FGMIIM: B/etc/trip>ire/t>.pol
D=IIM: B/-ar/lib/trip>ire/3(YGSLH;M:).t>d
1:FG1LIIM: B/-ar/lib/trip>ire/report/3(YGSLH;M:)63(D;L:).t>r
SIL:K:NIIM: B/etc/trip>ire/site.,e!
MGD;MK:NIIM: B/etc/trip>ire/3(YGSLH;M:)6local.,e!
:DILG1 B/usr/bin/-i
M;L:F1GMFLIHJ B5alse
MGGS:DI1:DLG1NDY:DKIHJ B5alse
M;IMHGPIGM;LIGHS Btrue
:M;IM1:FG1LM:P:M B%
1:FG1LM:P:M B%
SNSMGJ1:FG1LIHJ Btrue
M;IMM:LYGD BSMLF
SMLFYGSL Blocal2ost
SMLFFG1L B2(

This is the plain text ersion of the file /etc/trip>ire/t>.c5g. $fter modifying the
plain text ersion" a new" encrypted ersion of that file must be generated by issuing the
command twa)#in @@create@cfgfile.
/e-uired $ariables
The following ariables must be set in order for Tripwire to operate#
FGMIIM: De5ault B /etc/trip>ire/t>.pol
D=IIM: De5ault B /-ar/lib/trip>ire/3(YGSLH;M:).t>d
1:FG1LIIM: De5ault B /-ar/lib/trip>ire/report/3(YGSLH;M:)63
(D;L:).t>r
SIL:K:NIIM: De5ault B /etc/trip>ire/site.,e!
MGD;MK:NIIM: De5ault B /etc/trip>ire/3(YGSLH;M:)6local.,e!

"ther variables
The following ariables are not re+uired to run Tripwire" but without them" the program)s
functionality will be limited. The alues assigned during installation are listed.
- 9<< -
/ptional +aria*les
D*IT%;
&pecifies an editor to be used in interactie modes. If D*IT%; is not defined" and
no editor is specified on the command line" using interactie modes will cause an
error. Initial alue# /bin/-i
TD@P*I;DCT%;L
This ariable determines where Tripwire writes its temporary files. (y default it is
/tmp" which" due to the default permissions" can be ery insecure. It is
recommended that you use this configuration ariable to proide tripwire with a
secure place to write temporary files. The directory should hae permissions set
so that only the owning process can read=write to it" i.e." ch#o) .. Initial alue#
/tmp
6L%($LD@$IL
This ariable is set to a list of email addresses separated by either a comma A"B or
semi-colon AQB. If a report would hae normally been sent out" it will also be send
to this list of recipients. Initial alue# none
L$TDP;%@PTI36
Prompt for passphrase as late as possible to minimi,e the amount of time that the
passphrase is stored in memory. If the alue is true Acase-sensitieB" then late
prompting is turned on. -ith any other alue" or if the ariable is remoed from
the configuration file" late prompting is turned off. Initial alue# false
L%%&D*I;DCT%;LC/DC0I36
-hen a file is added or remoed from a directory" Tripwire reports both the
changes to the file itself and the modification to the directory Asi,e" num links"
etc.B. This can create redundant entries in Tripwire reports. -ith loose directory
checking" Tripwire will not check directories for any properties that would change
when a file was added or deleted. This includes# si,e" number of links" access
time" change time" modification time" number of blocks" growing file and all
hashes. If the alue for this ariable is true Acase-sensitieB" then loose directory
checking is turned on" and these properties will be ignored for all directories.
-ith any other alue" or if the ariable is remoed from the configuration file"
loose directory checking is turned off. Turning loose directory checking on is
e+uialent to appending the following propertymask to the rules for all directory
inodes# -snacmblC@&/. Initial alue# false
&L&L%6;DP%;TI36
- 2.. -
If this ariable is set to true" messages are sent to the syslog for four eents#
database initiali,ation" integrity check completions" database updates and policy
updates. The syslog messages are sent from the JuserK facility at the JnoticeK
leel. ?or more information" see the syslogdA!B man page and the syslog.conf file.
The following illustrates the information logged in the syslog for each of the four
eents#
ûn #' #4.$&.42 lig2t2ouse trip>ire)&444*. Database initialized.
/-ar/lib/trip>ire/test.t>d
ûn #' #4.#$.(0 lig2t2ouse trip>ire)&60#*. Integrit! D2ec,
Domplete.
LR1eport lig2t2ouse 2$$$$6#'#4#$(0 P.2 S.&$ ;.# 1.$ D.#
ûn #' #4.##.#& lig2t2ouse trip>ire)&602*. Database pdate
Domplete.
ûn #' #4.#'.26 lig2t2ouse trip>ire)&6'%*. Folic! pdate Domplete.

The letters in the Integrity Checking log correspond to the number of iolations"
maximum seerity leel and the number of files added" deleted or changed"
respectiely. -ith any alue other than true" or if this ariable is remoed from
the configuration file" syslog reporting will be turned off. Initial alue# true
;DP%;TLDCDL
&pecifies the default leel of report produced by the twprint @@print@report
mode. Calid alues for this option are . to 2. The report leel specified by this
option can be oerridden with the A-t or --report-leelB option on the command
line. If this ariable is not included in the configuration file" the default report
leel is 9. 3ote that only reports printed using the twprint --print-report mode are
affected by this parameterQ reports displayed by other modes and other commands
are not affected. Initial alue# 9
@$IL@DT/%*
&pecifies the protocol to be used by Tripwire for email notification. The only
acceptable alues for this field are &@TP or &D3*@$IL. $ny other alue will
produce an error message. Initial alue# &D3*@$IL
&@TP/%&T
&pecifies the domain name or IP address of the &@TP serer used for email
notification. Ignored unless @$IL@DT/%* is set to &@TP. Initial alue#
mail.domain.com
- 2.! -
&@TPP%;T
&pecifies the port number used with &@TP. Ignored unless @$IL@DT/%* is set
to &@TP. Initial alue# 25
@$ILP;%6;$@
&pecifies the program used for email reporting of rule iolations if
@$IL@DT/%* is set to &D3*@$IL. The program must take an ;?C822 style
mail header" and recipients will be listed in the JTo# K field of the mail header.
&ome mail programs interpret a line consisting of only a single period character to
mean end-of-input" and all text after that is ignored. &ince there is a small
possibility that a Tripwire report would contain such a line" the mail program
specified must be able to ignore lines that consist of a single period Athe -oi option
to sendmail produces this behaiourB. Initial alue# BusrBli*Bsen)#ail @oi @t
D@$IL;DP%;TLDCDL
&pecifies the default leel of report produced by the tripwire @@check mode email
report. Calid alues for this option are . to 2. The report leel specified by this
option can be oerridden with the A-t or --email-report-leelB option on the
command-line. If this ariable is not included in the configuration file" the default
report leel is 9. Initial alue# 9
@$IL3%CI%L$TI%3&
This option controls the way that Tripwire sends email notification if no rule
iolations are found during an integrity check. If @$IL3%CI%L$TI%3& is set
to false and no iolations are found" Tripwire will not send a report. -ith any
other alue" or if the ariable is remoed from the configuration file" Tripwire will
send an email message stating that no iolations were found. @ailing reports of
no iolations allows an administrator to distinguish between unattended integrity
checks that are failing to run and integrity checks that are running but are not
finding any iolations. /oweer" mailing no iolations reports will increase the
amount of data that must be processed. Initial alue# true
&he &ripwire Policy File
The policy file describes system ob'ects to be monitored by Tripwire and specifies which
properties for each ob'ect should be collected and stored in the database file. Dach ob'ect
in the policy file is associated with a property mask" which describes what changes to the
file or directory Tripwire should monitor" and which ones can safely be ignored. (y
customi,ing the arious aspects of the policy file" the system administrator can ery
closely control how Tripwire checks the integrity of any system.
"he *asic co#ponents of policy files
- 2.2 -
Comments
In a policy file" any text following a JcK" up to the next line break" is considered a
comment.
*irecties
Tripwire supports a small number of directies that allow conditional
interpretation of the policy file and certain diagnostic and debugging operations.
The primary purpose of directies is to support sharing of a policy file among
multiple machines. *irecties use the following syntax#
__ directieFname WargumentsX
-here the directie name is one of the directies listed below#
@@section + Designates a section o5 t2e polic! 5ile.
@@i52ost + ;llo> conditional interpretation
@@else + o5 t2e polic! 5ile.
@@endi5
@@print + Frint a message to standard output.
@@error + Frint a message to standard output and t2en exit.
@@end + Mar,s t2e logical end6o565ile.

Cariables
?or user conenience" Tripwire)s policy file supports ariables for string
substitution. Cariables can be defined anywhere between rules. The syntax for
ariable definition is#
ariable S alueQ
Cariable substitution is legal anywhere that a string could appear. The syntax for
ariable substitution is#
UA ariable B
;ules
Policy rules determine whether and to what extent Tripwire will check particular
files and directories. There are two kinds of policy rules recogni,ed by Tripwire#
!B 3ormal rules define which properties of a particular file or directory tree
Tripwire scans.
2B &top points tell Tripwire not to scan a particular file or directory.
The format for a normal rule is#
- 2.9 -
ob'ectFname -] propertyFmaskQ
The ?ormat for stop points is#
G ob'ectFname Q
$fter installation" the plain text ersion of the policy file /etc/trip>ire/t>pol.txt
contains the following lines which you should read at least once to get a global idea of
how things are done. $n excerpt#
...
+ Jlobal Pariable De5initions
@@section JMG=;M
LR=IH B /usr/sbinC
LR:LD B /etc/trip>ireC
LRP;1 B /-ar/lib/trip>ireC
+
+ Iile S!stem De5initions
+
@@section IS
+
+ IirstO some -ariables to ma,e con5iguration easier
+
S:D"D1IL B 3(IgnoreHone)6SYa C + Dritical 5iles t2at cannot c2ange
S:D"SID B 3(IgnoreHone)6SYa C + =inaries >it2 t2e SID or SJID
5lags set
S:D"=IH B 3(1eadGnl!) C + =inaries t2at s2ould not c2ange
...
+
+ Lrip>ire =inaries
+
(
rulename B 9Lrip>ire =inaries9O
se-erit! B 3(SIJ"YI)
)
U
3(LR=IH)/siggen 6A 3(S:D"=IH) C
3(LR=IH)/trip>ire 6A 3(S:D"=IH) C
3(LR=IH)/t>admin 6A 3(S:D"=IH) C
3(LR=IH)/t>print 6A 3(S:D"=IH) C
V
...

%nce the initial policy file has been generated" any changes should be made with the
tripwire @@up)ate@policy command" rather than by simply oerwriting the policy file
with the twa)#in @@create@polfile command. This is an important distinction--when a
new policy file is created" the Tripwire database must be re-initiali,ed. If an intruder has
- 2.2 -
modified files since the last integrity check" these changes will not be detected and will
be included as part of the new JbaselineK database.
"he nmap command
;hat is itI
n#ap is a network exploration tool and security scanner. It can be used to scan a
network" determine which hosts are up and what serices they are offering.
n#ap supports a large number of scanning techni+ues such as# 4*P" TCP connectAB"
TCP &L3 Ahalf openB" ftp proxy Abounce attackB" ;eerse-ident" IC@P Aping sweepB"
?I3" $C0 sweep" Pmas Tree" &L3 sweep" IP Protocol and 3ull scan.
If you hae built a firewall" and you check that no ports are open that you do not want
open" n#ap is the tool to use.
9sing the nmap co##an)
$ssuming we hae got a host fictitious.test and we want to see what tcp ports this host is
listening to" this is done as follows#
+ nmap 6sL 5ictitious.test
Starting nmap P. 2.(4=:L;%$ ( >>>.insecure.org/nmap/ )
Hote. Yost seems do>n. I5 it is reall! upO but bloc,ing our ping
probesO tr! 6F$
Hmap run completed 66 # IF address ($ 2osts up) scanned in %$ seconds

$s you can see" this didn)t work and since I)m ery sure that the host is up" I can connect
to it by means of ssh" I will issue the command again with the -P. option#
+ nmap 6sL 6F$ 5ictitious.test
Interesting ports on 5ictitious.test (ip address).
(L2e #(4( ports scanned but not s2o>n belo> are in state. 5iltered)
Fort State Ser-ice
22/tcp open ss2
#%0/tcp closed netbios6ns
#%'/tcp closed netbios6dgm
#%&/tcp closed netbios6ssn
Hmap run completed 66 # IF address (# 2ost up) scanned in %$4 seconds

$fter this command" the ports are only tested for accessibility by means of the TCP
protocol. Let)s try the same command on the @icrosoft web-site#
- 2.5 -
+ nmap 6sL >>>.microso5t.com
Interesting ports on microso5t.com (2$0.46.#&0.#$2).
(L2e #(44 ports scanned but not s2o>n belo> are in state. 5iltered)
Fort State Ser-ice
'$/tcp open 2ttp
#%0/tcp closed netbios6ns
#%'/tcp closed netbios6dgm
#%&/tcp closed netbios6ssn
44%/tcp open 2ttps
Hmap run completed 66 # IF address (# 2ost up) scanned in %'% seconds

3ote the difference# the machine fictitious.test is not running a webserer and @icrosoft
is Aports 8. and 229B.
/ae a look at nmap)s manual page" there are a lot of command line options.
Beeping track of security alerts
;hat are theyI
&ecurity alerts are warnings about ulnerabilities in certain pieces of software. Those
ulnerabilities can result in a decrease of your serice leel because certain indiiduals
are ery good at misusing those ulnerabilities. This can result in your system being
hacked or blown out of the water.
@ost of the time there is already a solution for the problem or someone is already
working on one" as will be described in the rest of this section.
7ugtraC
4hat is it5
(ugTra+ is a full disclosure moderated mailing-list for the detailed discussion and
announcement of computer security ulnerabilities# what they are" how to exploit them
and how to fix them.
4here is it5
%n the website 4ecurit(+ocus there is a link to mailing lists" one of which is (ugtra+.
There also is a (ugtra+ ?$H.
!ubscribing to the 0ugtra- mailing list
- 2.: -
Lou can subscribe to the (ugtra+ mailing-list by sending an e-mail message to bugtra+-
subscribe_securityfocus.com. The content of the sub'ect or message body do not matter.
Lou will receie a confirmation re+uest to which you will hae to answer.
Unsubscribing from the 0ugtra- mailing list
&end an e-mail message to bugtra+-unsubscribe_securityfocus.com from the subscribed
address. The content of the sub'ect or message body do not matter. Lou will receie a
confirmation re+uest to which you will hae to answer.
If your email address has changed email listadmin_securityfocus.com and ask to be
manually remoed.
C=2"
4hat is it5
The CD;T Coordination Center ACD;T=CCB is a center of Internet security expertise" at
the &oftware Dngineering Institute" a federally funded research and deelopment center
operated by Carnegie @ellon 4niersity. They study Internet security ulnerabilities"
handle computer security incidents" publish security alerts" research long-term changes in
networked systems and deelop information and training to help you improe security at
your site.
4here is it5
CD;T maintains a website called The ,*;T ,oordination ,enter.
%ow to subscribe to the '/& #dvisory mailing list
Lou can subscribe to the CD;T adisory mailing list by sending an email to
ma'ordomo_cert.org. In the body of the message" type Jsubscribe cert-adisoryK without
the single +uotes.
%ow to unsubscribe to the '/& #dvisory mailing list
To remoe your name from the CD;T mailing list" send email to ma'ordomo_cert.org.
In the body of the message" type Junsubscribe cert-adisoryK without the single +uotes.
C31C
4hat is it5
CI$C is the 4.&. *epartment of Dnergy)s Computer Incident $disory Capability.
Dstablished in !<8<" shortly after the Internet -orm" CI$C proides arious computer
security serices free of charge to employees and contractors of the *%D" such as#
- 2.7 -
Incident /andling consulting" Computer &ecurity Information" %n-site -orkshops"
-hite-hat $udits.
4here is it5
There is a ,IA, =ebsite.
!ubscribing to the mailing list
CI$C has seeral self-subscribing mailing lists for electronic publications#
CI$C-(4LLDTI3 for $disories" highest priority - time critical information" and
(ulletins" important computer security information.
CI$C-3%TD& for 3otes" a collection of computer security articles.
&PI-$33%43CD for official news about &ecurity Profile Inspector A&PIB software
updates" new features" distribution and aailability.
&PI-3%TD&" for discussion of problems and solutions regarding the use of &PI products.
The mailing lists are managed by a public domain software package called ListProcessor"
which ignores D-mail header sub'ect lines. To subscribe Aadd yourselfB to one of the
mailing lists" send re+uests of the following form# subscribe list-name Last3ame"
?irst3ame" Phone3umber as the D-mail message body" substituting CI$C-(4LLDTI3"
CI$C-3%TD&" &PI-$33%43CD or &PI-3%TD& for Jlist-nameK and alid information
for JLast3ameK J?irst3ameK and JPhone3umber.K &end to# ciac-listproc_llnl.go.
Lou will receie an acknowledgment containing address and initial PI3" and information
on how to change either of them" cancel your subscription or get help.
Unsubscribing from the mailing list
To be remoed from a mailing list" send the following re+uest ia D-mail to ciac-
listproc_llnl.go# unsubscribe list-name.
"esting for open mail relays
;hat are theyI
$n open mail relay is a mail serer that accepts &@TP connections from anywhere. This
means that eeryone can connect to port 25 on that mail serer and send mail to
whomeer they want. If you are unlucky" other system administrators might add your
serer)s IP address to their *D3L=;DRDCT or e+uialent list.
- 2.8 -
"esting for the#
Testing if your mail daemon is an open mail relay is in fact +uite easy. Telnet from a
machine that should not be able to use your mail serer as a relay to your mail serer)s
port 25 and try to send an e-mail as shown below#
c2aron.8+ telnet mail.2ome.nl 2(
Lr!ing 2#%.(#.#2&.2(%...
Donnected to mail.2ome.nl.
:scape c2aracter is W\*W.
22$ mail2.2ome.nl :SMLF ser-er (InterMail -M.4.$#.$%.$$ 2$#622&6#2#)
read! IriO
## ân 2$$2 #0.#&.#4 X$#$$
Y:MG
2($ mail2.2ome.nl
M;IM I1GM. >illem@test.bla.bla.bla
2($ Sender ?>illem@test.bla.bla.blaA G,
1DFL LG. >illem@sno>.nl
2($ 1ecipient ?>illem@sno>.nlA G,
D;L;
%(4 G, Send data ending >it2 ?D1MIA.?D1MIA
I1GM. >illem@test.bla.bla.bla
LG. >illem@sno>.nl
Ya2a2aO open mail rela! test
.
2($ Message recei-ed.
2$$2$####62%2(.JGÎ''&0.mail2.2ome.nl@sno>.castel.nl
_IL
22# mail2.2ome.nl :SMLF ser-er closing connection
Donnection closed b! 5oreign 2ost.

This worked because this is my I&P and I FdoF belong to the right domain. I tried it from
a wrong domain" and I got no response whatsoeer. Lou could use IPC/$I3&"
IPT$(LD& or some other sort of firewall software to tell your firewall to only forward
the &@TP protocol packets to your mail serer if they are coming from a certain range of
IP addresses Afor instance" the dynamic ones you hae resered for your PPP usersB. $lso"
most mail serers allow configuration settings to aoid acting as an open relay.
3owadays" this is the default behaiour for most mail serer implementations.
- 2.< -
Chapter 13. (yste# Custo#i&ation
an) 1uto#ation (2.213!
This topic has a total weight of 9 points and contains the following ob'ectie#
%b'ectie 2.2!9.!Q $utomating tasks using scripts A9B
Candidates should be able to write simple scripts to automate tasks using different
common scripting languages. Tasks for automation include checking processes"
process execution" parsing logs" synchronising files across machines" monitoring
files for changes" generating and sending e-mail alerts and notifying
administrators when specified users log in or out.
0ey knowledge areaAsB#
&tandard text manipulation software sucs as awk and se)
($&/
cron configuration files
at daemon usage
;emote copying software such as rsync and scp
Perl# (asic commands
The following is a partial list of the used files" terms and utilities#
perl
*ash
awk
se)
cronta*
at
This chapter discusses three main programs that work with ;egular Dxpressions# Perl"
sed and awk. (ecause ;egular Dxpressions re+uire a rather extended explanation and are
common in all three programs" the ;egular Dxpressions are discussed first.
The chapter concludes with topics about rsync" crontab and monitoring your system" as
listed in the lpic ob'ecties aboe.
2egular =xpressions
- 2!. -
;egular *xpressions are" as you will read further on in this chapter" the salt of all Bnix
s(stems. ;egular Dxpression patterns are used in grep and deriaties" Perl" awk and se).
In general" there are lots of similarities between the ;egular Dxpression dialects used by
each of these programs. -hen able to work with one dialect" it is +uite easy to work with
the other dialects too. There are" howeer" annoying and dangerous differences. In this
section the commonalities will be described and the differences clarified. 4nfortunately"
portability is an issue# there are een different ;egular Dxpression dialects for the same
program on different operating systems. Linux ;egular Dxpression support is less
complicated" but een here differences exist. This point will gradually become clear in
this section.
In keeping with common practice in Perl documentation" the term Perl will be used for
the Perl language and perl will be used for the program.
Introducing !egular 3#pressions
$ ;egular Dxpression is a pattern. The pattern is matched against some text. The result#
the pattern will either fit or not fit. There is a lot to say about this pattern language. The
text is fre+uently called the input. %n the command line or in scripts" it can originate from
an input stream Astandard inputB or from a set of files. In these cases the input will almost
always be of a line of text. -hen using a programming language that supports ;egular
Dxpressions" the pattern will probably be matched against the contents of a buffer.
Note
-hen using ;egular Dxpressions on the command line" such as with grep" you must
protect the ;egular Dxpression from expansion by the shell. Putting a single AforwardB
+uote on each side of the ;egular Dxpression will do the 'ob#
grep WlooEn!W tune.texts
This Arather longB section will discuss ;egular Dxpressions in detail. ?irst" the ;egular
Dxpression language Aincluding ariantsB is introduced. 3ext" ;egular Dxpressions are
applied using specific programs. &o" take a deep breath and start reading.
Primitives and *ultipliers
The parts of a ;egular Dxpression most commonly used are the primitive and the
multiplier. They fre+uently occur in pairs. $n example of such a pair is#
:U4V
In this example" : is the primitie and U4V is the multiplier" meaning four times the thing
before it. This ;egular Dxpression will match four consecutie capital : characters
somewhere in the input.
- 2!! -
6ien the ;egular Dxpression aboe" as an example" and an input line such as the
following#
I li,e lots o5 ::::Ws
the ;egular Dxpression will match the four D)s in the input. @oreoer" the complete line
will match" since the ;egular Dxpression fits somewhere in the line. $ member of the
grep family" such as egrep will show the input if the ;egular Dxpression matches part or
all of it. &o" if egrep were to handle something like this
ec2o 9Mots o5 ::::Ws9 T egrep W:U4VW
then egrep would show the whole line.
$ multiplier may be omitted" in which case a multiplier of one time is added
automatically to each primitie. &o the ;egular Dxpression#
2ead
effectiely means#
one 2" followed by one e followed by one a followed by one d.
(oth primities and multipliers are discussed below Athe section called JPrimitiesK and
the section called J@ultipliersKB. @ore facilities are aailable for ;egular Dxpressions#
anchoring" grouping and alternation. These are discussed later on.
Pri#iti+es
There are three types of primities# a regular character" the dot placeholder and the
character class. The character class is the most complicated of these.
# digit6 letter or other character
$ny regular character can be a primitie. This includes letters Alike :B and digits. ?or
instance" in the following example the capital : is the primitie#
:U4V
-hat is the primitie here#
4U2V
The correct answer is 4.
%ther characters can also be used as primities in a ;egular Dxpression. ?or example#
- 2!2 -
ls 6la T egrep W U##VW
Athe ;egular Dxpression is a space followed by multiplier U##VB. This will show lines
containing at least !! consecutie spaces.
&ome characters hae special meanings" such as the curly brace AUB. These characters
must be escaped Athey are preceded by a backslash A/BB to remoe the special meaning.
This will be discussed further later on.
&he dot2 placeholder for any character
The dot has a special meaning. $s a primitie" it can be a placeholder to allow an(
character in that position. ?or instance#
a.c
allows for one Aremember the one-time multiplier being added>B a" followed by any
single character" followed by one c. &o
ec2o reading t2e abc T egrep Wa.cW
fits.
$nd what will this fit on>
a.U%V
The answer# one a followed by three arbitrary characters.
Note
To find a literal dot" use the /. primitie.
haracter classes
$ character class is a placeholder for a number of characters. It is more restrictie than
the dot placeholder" since it allows you to specify the characters the placeholder should
match.
0eep in mind that the character class is a primitive" it is a placeholder for one of the
specified characters.
To set up a character class" start with a ) Aopening s+uare bracketB and end it with *
Aclosing s+uare bracketB. $ny combination of sets and ranges can be specified between
these s+uare brackets.
1 character set in a character class
- 2!9 -
To specify a set Aa seriesB of characters in a character class" simply put them between the
s+uare brackets. &o"
)aoui!;*
specifies a set consisting of an a Aboth lower and upper caseB" an o" a u or a !.
;emember that the character class is a primitie. That is" it can be multiplied#
)aoui!;*U2V
This specifies t#o characters" each of which may be one of the characters inside the
s+uare brackets.
The order of the characters in the set is irreleant. That is" )abc;=D* is the same as the
)a;b=cD* character class. &o"
ec2o reading t2e abc T egrep Wa)b=*cW
fits" as would
ec2o reading t2e a=c T egrep Wa)b=*cW
1 character range in a character class
$ character range consists of two characters separated by a minus sign. This specifies
one digit#
)$6&*
This is one lower case letter#
)a6z*
;anges can be combined#
)a6z$6&*
&ome sets can be written as ranges. ?or example" the ;egular Dxpression#
)g2iJYI*U2V
can also be written as#
)g6iJ6I*U2V
It matches two of the indicated characters.
- 2!2 -
?or now" the order is defined by the $&CII character set Aor deriaties like iso885<-xB.
In the $&CII character set" letters and digits are not ad'acent. That is why they need to be
specified separately as ranges#
)a6z$6&*
@ore and more systems support so-called locale handling Asuch as the character set for a
gien countryB of ;egular Dxpressions. $rising character definitions like 4nicode will
probably change this.
Co#*inations of sets an) ranges
;anges and sets can be combined at will. This specifies one of the named owels or a
digit#
)aoui!$6&*
$nd this one matches three characters#
);6<*)aoui!$6&*);6<*
-hich one> $nswer# three characters" the first and the third an uppercase letter with a
owel or digit in the middle. In the following example the ;egular Dxpression matches#
ec2o L2is is âH T egrep W);6<*)aoui!$6&*);6<*W
Note
To include a minus sign in a character set" place it at the beginning or the end of the
character class.
"he in+erte) character class
It is often desirable to exclu)e certain characters from a character class. That)s where the
inverted character class comes in.
The inverted character class starts with a caret A\B as the first character after the opening
s+uare bracket A)B that starts the character class. The caret sign at the beginning inerts
AnegatesB the meaning of the character class. -here
)$6&*
fits one digit"
)\$6&*
will fit an( character that is not a digit.
- 2!5 -
This" of course" can be extended with eery character class#
)\aeou!$6&*
will fit anything that is neither a owel nor a digit.
Note
To include a caret sign in a character class" do not put it at the beginning.
P"!I* character classes
The '54IE character classes form an extension to the character classes that were
discussed aboe. They come in the following format#
)).ke(#ord.**
The ke(#ord is a word describing the class" for example" alnum or blan,. Current
implementations of 634 grep and egrep" as well as 634 awk AgawkB" come with
manpages that describe the P%&IP character classes. Let)s look at some examples.
Note
The outer s+uare brackets are the delimiters of any character class. The inner s+uare
brackets and colons plus the ke(#ord define the P%&IP character set.
"a*le 13.1. /+er+iew of character classes
5otation 4escription
)).alnum.**
It fits exactly one alphanumeric character. It is the same as
)a6z;6<$6&*
)).alp2a.**
This class matches any letter
)).upper.**
This class matches any uppercase letter Asame as#
);6<*
B
)).lo>er.**
This class matches any lowercase letter Asame as#
)a6z*
B
)).digit.**
This class matches any digit Asame as#
)$6&*
B
)).xdigit.**
This class matches any hexadecimal digit Asame as#
)$6&;6Ia65*
B
- 2!: -
5otation 4escription
)).blan,.**
It matches a blank or a tab sign Aa subset of the wider set called #hite
spaceB
)).space.**
It matches each white-space character" including space" tab" formfeed and
carriage return
)).punct.**
This class matches all punctiation characters
@ultiple P%&IP-character-set definitions can be combined in one character class#
)).punct.*).space.**
This one fits a character which is either a punctuation character Asuch as a semicolon or a
plus signB or a white-space character.
The P%&IP character set specifiers can be combined with any other character-class
element" as shown below#
)$6&*U4V)).space.*O/..*)$6&*U2V
In words# four digits" then one character that can be either a white-space character" a
comma" a dot or a colon" followed by two digits.
&ince the P%&IP character class extensions are extensions to the regular character class"
it can be inerted the same way#
)\).digit.**
This matches one non-digit. It is identical to#
)\$6&*
0ultipliers
$ multiplier Aalso known as 6uantifierB works in con'unction with a primitie. The
multiplier is placed after the primitie. Together they form a specification of how many
of which characters are wanted.
4nfortunately" before multipliers can be explained in detail" the two main ariants in
;egular Dxpressions" most affecting the way multipliers are spelled" need to be
introduced first. The classic ;egular Dxpressions are the ones implemented in grep and
se). The modern" or extended ;egular Dxpressions" on the other hand" are the ones used
by awk" egrep" Perl and flex" to name a few. The multipliers shown so far were in the
extended style. ?or this reason" egrep" was used in examples.
- 2!7 -
-e will discuss 2 multipliers. They are the E" 4 and X multipliers Aand their classic
counterparts E" /4 and /X" yes" the E is the same in both casesB.
Lou can also use the curly-brace multipliers we)e already met. These are part of the
P%&IP standard. $ll releant 634 programs hae support for curly-brace multipliers on
boardQ een ersions for classic ;egular Dxpression exist. In 634 awk AgawkB a special
66posix option must be gien to turn on support for curly-brace multipliers. Table !9.2"
J@ultipliersK at the end of this section will proide an oeriew of ;egular Dxpression
multipliers.
&he % multiplier
The E is the oldest multiplier around. $s far as I know" it is implemented in eery
;egular Dxpression language. It is the same in classic and extended ariants.
The E means# zero or more times. &o"
aE
means ,ero or more a)s. This may not be that meaningful" since it is always true. In larger
combinations" howeer" its use can be more meaningful#
baEc
That is" one b" and one c" possibly with a)s between them.
&he & multiplier
The 4 multiplier means zero or one time" in other words" present or not present. The
extended ersion is 4" the ersion to use in classic ;egular Dxpressions is /4.
$n example# in sgml=xml sections start with ?section followed by a lot of things" and
end with ?/section" also followed by other things. To fetch both lines" use
egrep W?/4sectionW regexp.xml
The classic ariant is
grep W?//4sectionW regexp.xml
&he ' multiplier
The X multiplier means one or more times. The extended ersion is X" the ersion to use
in classic ;egular Dxpressions is /X.
This AextendedB ;egular Dxpression
- 2!8 -
baXc
means one b" followed by at least one a" followed by a c.
To find long" regardless of how may o)s it contains" use the AextendedB ;egular
Dxpression
loXng
&he curly brace multiplier
In the extended ariant" a normal set of curly braces is used" as in U4V. In the classic
ariant" a matching pair of /U and /V Aeach curly brace is prefixed by a backslashB is
used" as in /U4/V.
The curly-brace multipliers come in four ariants Aonly the extended ;egular Dxpressions
will be shownB. The general form is
Um"nV
In this" both m and n are numbers indicating the lowest AmB and the highest AnB number. It
matches at least m" but at most n times. ?or instance" to match at least two" but at most
four digits#
)$6&*U2O4V
To specify a minimum number of times" omit the n Abut not the commaGB#
Um"V
?or instance" to match at least fie digits#
)$6&*U(OV
$nd to show lines that are at least 78 characters long Ashow also line numbersB" select
egrep 6n W.U0'OVW 5ile# 5ile2 ...
To specify a maximum number of times" omit the m Abut not the commaGB#
U"nV
?or instance" to match up to three digits#
)$6&*UO%V
In this case" the minimum will be ,ero.
- 2!< -
Note
The example alone will not limit to three digits. It will 'ust match up to three characters.
If more numbers ad'acent to these three are not wanted" anchors must be used - see the
section called J$nchorsK.
To match something no more and no less than n times" specify only n Ado not use a
commaB#
UnV
To match exactly four capital alphabetic characters" for instance#
);6<*U4V
(upport an) porta*ility. Curly-brace multipliers are supported by Perl. In 634 awk"
support must be enabled explicitly with the 66posix optionQ other awk implementations
might not AyetB support these multipliers Acalled interval expressions in awk
terminologyB. 634 egrep will support them. 634 grep supports the classic ersion. In
other ersions of AeBgrep" support may be lacking. 634 sed supports the classic
implementation. There are implementations of sed that do not support curly-brace
multipliers at all. In yet other implementations of sed" extended ;egular Dxpressions can
be selected. P%&IP standards are said to re+uire curly-brace multipliers" so support is
expected to be implemented elsewhere oer time. Table !9.9" JPortable multipliersK
proides an oeriew.
Multiplier overview
Table !9.2" J@ultipliersK shows all multipliers and ariants together.
"a*le 13.2. 0ultipliers
exten)e) 2= classic 2= #eaning
E E
,ero or more times
4 /4
,ero or one time
X /X
one or more time
Um"nV /Um"n/V at least m" but maximally n times
U"nV /U"n/V up to n times
Um"V /Um"/V at least m times
UmV /Um/V exactly m times
extended ;D# Perl" 634 awk with 66posix" 634 egrep
classic ;D# 634 grep" 634 sed
- 22. -
Note
634 awk without 66posix and other awk implementations currently support only the E"
X and 4 multipliers.
Porta*ility. If your ;egular Dxpressions should also be used on non-634 platforms
portability becomes an issue. %ld grep)s will probably not support the /X and /4
multipliers. Curly-brace multipliers Acalled interval expression in awk terminologyB will
probably not be supported in other awks Athough they are reported to be part of the
P%&IP standardB. Den 634 awk AgawkB does not enable interal expressions by
default# they can only be enabled by inoking either the 66posix or the 66re6inter-al
option. Table !9.9" JPortable multipliersK lists multipliers that you can use safely across
platforms. (ut een here" exceptions do exist.
"a*le 13.3. Porta*le #ultipliers
Perl awkH egrep se)H grep #eaning
E E E
,ero or more times
4 4
,ero or one time
X X
one or more times
Um"nV at least m" but maximally n times
UOnV up to n times
UmOV at least m times
UnV exactly n times
/nchors& Grouping and /lternation
1nchors
&ometimes a ;egular Dxpression should only match if a pattern matches at a certain
position" for instance" at the beginning of the input or at the beginning of a word. This can
be achieed by adding an anchor to your ;egular Dxpression.
$nchors are also called zero #idth assertions because they fit between or ad'acent to
something.
There are two types of anchors# anchors specifying a beginning or ending of a line and
anchors specifying a word boundary. (oth types will be discussed.
0egin and end anchors
-hen an anchor is used in a ;egular Dxpression" the ;egular Dxpression will only match
if the string is in the position specified by the anchor.
- 22! -
6enerally" newlines are stripped before the match is attempted. This is true for at least
awk" sed and all grep ariants. (ut" in Perl" you must either remoe the newline using the
c2omp operator or include it in the ;egular Dxpression. ?urthermore" if the so-called
multi-line mode is turned on" the meaning of begin and end anchors changes altogether in
Perl. @ore in the section called JPerl ;egular DxpressionsK.
Porta*ility. (egin and end anchors are supported in all ;egular Dxpression ariants and
use the same notation eerywhere.
Let)s look at the begin and end anchors in more detail.
"he 4 *egin anchor
The \ AcaretB is the anchor that specifies the beginning of the input. If you attach \ at the
beginning of your ;egular Dxpression" matches will then only be found at the beginning
of the input.
In the example below there is a match#
ec2o Gnce upon ... T grep W\GnceW
There is" howeer" no match in this one#
ec2o Ye said. Gnce ... T grep W\GnceW
"he 5 en) anchor
The 3 Adollar signB is the anchor that specifies placement at the end of the input. The 3 is
typically attached to the end of the ;egular Dxpression. The ;egular Dxpression will then
only match strings at the end of the input.
In the next example all lines that end in a slash Athat is" containing directory namesB will
match#
ls 6lI T grep W/3W
In this example" there will not be a match" since pw) does not put a slash at the end of its
output#
p>d T grep W/3W
0atching co#plete text
(y using the begin and end anchors together" you can create a ;egular Dxpression that
matches the entire input" not 'ust some part of it#
\)$6&*X3W
- 222 -
specifies that the complete input should consist of digits and nothing else. &o" if the input
contains one non-digit" the ;egular Dxpression will not match.
In the following example" egrep will not show empty lines or lines that only contain
spaces#
egrep 6- W\ E3W listo5names
&o" the lines that will be shown contain at least one character that is not a space.
4ord-boundary anchors
-ord-boundary anchors fit between a word and something else. In most ;egular
Dxpressions word is defined as a series of alphanumeric characters. &o" a word boundary
fits between an alphanumeric character and a non-alphanumeric character. ?urthermore" a
word-boundary anchor will also fit between an alphanumeric character and the beginning
or end Awhere \ and 3 would matchB.
There are two ariants of word-boundary anchors. The first is /b" which matches on
either side of a word. The second ariant consists of two anchors# /? and /A. The /?
anchor fits either between a non-alphanumeric character and an alphanumeric character
or before the beginning of a line if the line starts with an alphanumeric character Alike \B.
The /A anchor fits either between an alphanumeric character and a non-alphanumeric
character or after an alphanumeric character at the end of a line Alike 3B. The spelling of
word-boundary anchors is the same eerywhere.
Porta*ility. -ord-boundary anchors are not supported widely" but can be found in all
634 implementations of the programs. The only implementation you can really be sure
of is /b in Perl.
Let)s look at word-boundary anchors in more detail.
"he 6b wor)@*oun)ary anchor
The /b word-boundary anchor fits on either side of a word. This one matches#
ec2o L2e one and onl! T grep W/boneW
This one does not#
ec2o gone >it2 t2e >ind T grep W/boneW
The /b anchor can also be used at the end of a word. This one does not match#
ec2o printed onesided T grep Wone/bW
$ more complicated example is#
- 229 -
/b)$6&*U66#$V/b
This will only match if the input contains a series of six" seen" eight" nine or ten digits.
"he 67 an) 6( wor)@*oun)ary anchors
The /? and /A word-boundary anchors fit" respectiely" on the left and right word
boundaries. They can be used together" but this is not mandatory.
In#
ec2o L2e onesided page is gone T grep W/?one/AW
the ;egular Dxpression will not match.
#nchor overview
Table !9.2" J$nchorsK proides an oeriew of anchors and their support.
"a*le 13.$. 1nchors
anchor awk egrep Perl grepH se) #eaning
\
yes yes yes yes beginning
3
yes yes yes yes ending
/b
no yes yes yes word boundary
/?
no yes no yes left word boundary
/A
no yes no yes right word boundary
5otes
\ and 3 in Perl can hae a slightly different meaning in con'unction with newlines.
634 awk AgawkB does support /? and /A
634 grep and egrep do support word boundaries. %ther grep)s might not do this.
>rouping
Crouping is making part of a ;egular Dxpression a separate entity. This is done by
putting that part inside parentheses" like#
)$6&*.()$6&*.)
In the aboe" the second )$6&*. is inside parentheses" hence it is grouped.
- 222 -
Note
The group Athe part between the parenthesesB itself must be a correct ;egular Dxpression.
-hy would you use grouping> There are three important reasons#
!. a multiplier can be applied to a group. *iscussed next.
2. the input the group matches can be re-used Aso-called backreferencesB. *iscussed
next.
9. to use alternation in part of the ;egular Dxpression. -ill be discussed later in the
section called J6rouping and $lternationK.
4nfortunately" the difference between classic and extended ;egular Dxpressions pops up
again here. Table !9.5" J6rouping operatorsK shows when to use which spelling.
"a*le 13.,. >rouping operators
spelling progra#
(...) awk" Perl" egrep
/(.../) grep" sed
(upport an) porta*ility. 6rouping support is present in Perl together with arious
backreference mechanisms. 6rouping is also supported by all awk ariants" but
backreferences are not. 634 grep" egrep and se) support both grouping and
backreferences. Dery program that allows grouping also allows multiplication applied to
a group.
#pplying a multiplier to a group
$ multiplier can be applied to a group. &imply put the multiplier right after the closing
parenthesis of a group. To find a representation of time in the typical format two digits -
colon - two digits - colon - two digits Asuch as #4.#$.#0B" for example" use the following
AextendedB ;egular Dxpression#
()$6&*U2V.)U2V)$6&*U2V
To find all words with JingK twice Asuch as singingB" use this extended ;egular
Dxpression#
(ing)U2V
If a group is not followed by a multiplier" then multiplication by one is chosen
automatically.
)rouping and backreferences
- 225 -
The part of the input on which a group matches comes aailable for re-use. $ special
mechanism for backward referencing" called a backreference is aailable for this. The
backreference corresponding to the first group in a ;egular Dxpression is indicated with
J/#K Aa backslash and the digit oneB" the one corresponding to the second group /2" and
so on. If" for example" you are looking for the occurrence of four identical digits" you
might use#
()$6&*)/#/#/#
&uppose this is tried on#
L2e #626% o5 4444
?irst" the ;D finds # as the first digit. There is a group around it" so the alue is saed. In
the ;egular Dxpression there is a /# after the group. This tells the ;egular Dxpression
engine to use the same alue Adigit !B again. This fails" since there is a dash after the #.
This se+uence is repeated for the 2 and the %" but both fail. /oweer" when it finds the 4
it than finds the other three 4s" so the ;egular Dxpression matches at last.
In an earlier paragraph I needed to find words that contain twice the same three
characters" like singing. /ere is how I found words like that#
egrep W(...)/#W /usr/s2are/dict/american6englis2
AI know" I should hae used );6<a6z*U%V instead of the dots. &ince there are only letters
in the file" dots work as wellB.
Dxtracting the matching part Aor een subpartsB using grouping is ery important in Perl.
@ore in the section called JPerl ;egular DxpressionsK.
1lternation
4sing alternation" one can specify either=or constructions in a ;egular Dxpression.
$gain" the difference between classic and extended ;egular Dxpressions pops up.
Table !9.:" J$lternation operatorK shows when to use which spelling.
"a*le 13.%. 1lternation operator
spelling progra#
T
awk" Perl" egrep
/T
grep" sed
$s an example" suppose a file contains phone numbers of mobile phones. -anted# only
the numbers that apply to The 3etherlands. In the 3etherlands" mobile phone numbers
- 22: -
start with $6. -hen called from outside the 3etherlands" this should be $$%#6. This is not
true in all countries" so some numbers start with X%#6. /ere is the ;egular Dxpression to
handle all three possibilities#
egrep W$6T$$%#6T/X%#W p2onenumbers
)rouping and #lternation
$lternation can be used inside a group. Then" the alternation applies only to the part in
the group.
&uppose the mobile phone numbers should be at the beginning of the input line. Then
we)ll we need to use an anchor. (ut if we use an anchor followed by the existing ;egular
Dxpression A\$6T...B" then the anchor applies only to the first number. The following is
the correct solution#
egrep W\($6T$$%#6T/X%#)W p2onenumbers
$nother example# ?ind numbers in the range ! .. !2. Leading ,eroes are not allowed.
&olution Aextended ;egular DxpressionB#
/b()#6&*T#)$62*)/b
In words# one digit in the range !-< or two digits in the range !.-!2.
+pecial characters
Two topics are discussed here#
!. setting or remoing the special meaning of a character
2. white space
Characters an) co#*inations with a special #eaning
2ule 1. If a character has a special meaning by itself" it will lose this special meaning if a
backslash is put before it.
The dot by itself has a special meaning" but /. will match a literal dot" as in
)$6&*X/.)$6&*U2V
$lso" to find a literal star it needs to be prefixed with a backslash. The following will
match ,ero or more digits or stars.
)$6&/E*E
- 227 -
To find a phone number starting with a literal plus followed by one or more digits" use
this egrep command line#
egrep W/X)$6&*XW 2olida!address.mail
2ule 2. If a backslash and a character together hae a special meaning" then omitting the
backslash will remoe the special meaning.
In some ;egular Dxpression ariants" the /b has a special meaning as word boundary.
-hen the b is used alone" it 'ust means the letter b.
/bbac,
In classic ;egular Dxpressions" the /X has a special meaning Aa multiplierB. $ X without a
backslash matches a literal X#
grep WX)$6&*/X 2olida!address.mail
which is" of course" completely the opposite of the earlier extended ;egular Dxpression
example.
;hite space
$ white-space character is either a space character or a tab character. &ometimes the
definition is extended with a formfeed character and a carriage-return character.
In classic ;egular Dxpressions" handling white space" especially tab characters" can be a
burden. In extended ;egular expressions" this is done comfortably. Perl is the most
luxurious. $ll will be discussed next.
lassic /egular '7pressions
In some classic ;egular Dxpression ariants Anotably sedB" there is no easy primitie for
a tab character" let alone for white space. It is probably best to refrain from using classic
;egular Dxpressions for tab handling. Two workarounds are aailable.
"a* characters
%ne way to handle white space is to create a character class consisting of a space and a
literal tab character. That is the )" followed by a space" followed by a real tab character"
followed by *.
Note
This will not work on the command line. @ost shells intercept the tab character for other
purposes.
- 228 -
In an editor you can usually type the tab character as [I Acontrol-IB. In some editors" tab
has a special function" so something must be done first. In emacs" for example" you must
type [H[I to get a literal tab character.
Note
@ake sure your editor does not change tabs automatically when saing the file Acheck
with od" for exampleB.
2eplacing ta*s *eforehan)
The second workaround is to replace tab characters before they reach your classic-
;egular-Dxpression program. 4sing tr AtransliterateB is one option.
... T tr W/$##W W W T sed ...
/ere" any tab character Adenoted by /$##B is changed to a space character before the
information is sent to sed.
Note
tr can only read from standard input Ae.g." a pipeB.
P/(3M white space
If your software supports P%&IP character-classes ALinux aims towards P%&IP
complianceB" then you probably hae the )).blan,.** and )).space.** character
classes aailable. In the following example the )).blan,.** character class is used in a
;egular Dxpression that matches a +" possibly preceded white-space characters" at the
beginning of the line. &ince 6- is used" grep will show all lines on which the ;egular
Dxpression does not match#
grep 6- W\)).blan,.**E+W >2ate-er.con5
The resulting output consists of all lines that do not start with a + and do not start with
one or more white-space characters and a +. This is a way to show a file without the
comments in it.
'7tended /egular '7pressions
The extended ;egular Dxpressions hae the /t notation for a tab character. -ith that" it
is easy to build a white-space character class#
) /t*
This means# either a space or a tab character. $pplied#
- 22< -
)$6&*U#O2V) /t*X);6<*
That is" one or two digits" followed by one or more white-space characters and an
uppercase letter.
P%&IP character classes are used exactly the same way as in classic ;egular Dxpressions
AaboeB.
If you can use Perl for white-space handling" you are lucky# Perl has the /s primitie that
matches a white-space character. $pplied#
)$6&*U#O2V/sX);6<*
%r" to see lines starting with a + possibly preceded by white space#
\/sE+
?or more on Perl ;egular Dxpressions" see the section called JPerl ;egular DxpressionsK.
!egular 3#pressions in sed
This section will only describe what ;egular Dxpressions look like in se). /ow and
where ;egular Dxpressions are applied is described in the section called J4sing se)K.
The se) program uses the classic ;egular Dxpression ersion. Probably because of a fear
of breaking old software" few new features hae been added" not een in 634 sed.
;emember that sed is line oriented. %perations work on a line that has been read from a
file or standard input. The global modifier for the substitute command works on a line
basis. -hen global is turned on" the replacement is done as often as possible in each line.
-hen global is kept off" then the replacement will work once in each input line.
$s described earlier" parsing white space is a burden in sed. Luckily" 634 sed 9..2
supports the P%&IP character-set primities" so )).space.**/X can be used to match
one or more white-space characters.
!egular 3#pressions in awk
This section will only describe what ;egular Dxpressions look like in awk. /ow and
where ;egular Dxpressions are applied is described in the section called J4sing awkK.
There are at least three ariants of a>, for Linux. %f those" 634 awk AgawkB is the most
sophisticated. The gawk distribution comes with great documentation.
$ll awk ariants accept the extended ;egular Dxpressions described earlier" but"
currently" without the curly-brace multipliers Acalled interval expressions in awk
- 29. -
terminologyB. 0eep in mind that gawk has some extensions that the other awk ariants do
not accept" such as P%&IP character-class extensions and the /? and /A word anchors.
The interval expressions are supported in gawk" but are not enabled by default for
portability with other awk implementations. To enable these" use either the 66posix or
the 66re6inter-al option.
Lou might hae wondered why most awk ariants do not hae support for word anchors.
&ince each awk split its input into fields Awhich are normal words by defaultB these fields
can be checked with normal begin and end anchors. The following checks" for example"
if the second field AwordB begins with an uppercase letter#
ec2o L2e ;pe T a>, W32 8 /\);6<*/ Uprint 32 9. starts upcase9VW
Creating a white@space character class in awk is easy# ) /t* Aas was shown earlierB. In
gawk" the P%&IP white-space character classes can be used instead. This is" of course"
not portable to other awks.
Perl !egular 3#pressions
?urther ;eading# lots of Perl documentation" e.g.. &ee perl)oc perlre on your computer
for more information about Perl ;egular Dxpressions.
Perl has the most powerful ;egular Dxpression ariant. If at all possible" use Perl for your
;egular Dxpression tasks.
Note
This section will only describe the Perl ;egular Dxpressions and how to use them in Perl.
The Perl language itself is described in the section called J4sing PerlK.
The Perl ;egular Dxpression language is basically the extended ;egular Dxpression
language introduced earlier. There are" howeer" some subtle differences and extensions"
which will be discussed below. The section on Perl ;egular Dxpressions will end with a
presentation on how to use grouping to extract parts of a ;egular Dxpression match.
Perl character class extensions
Perl has extra primities" many of which turn out to be ery handy in eeryday use.
Table !9.7" JDxtra primities in PerlK shows a selection.
"a*le 13... =xtra pri#iti+es in Perl
in Perl )escription sa#e in awk
/d
a digit
)$6&*
/D
a non-digit
)\$6&*
- 29! -
in Perl )escription sa#e in awk
/s
a white-space character
) /t/5/r*
/S
a non-white-space character
)\ /t/5/r*
/>
a JwordK character
)a6z;6<$6&"*
/R
a non-JwordK character
)\a6z;6<$6&"*
These primities can be used both as a standalone primitie and inside a character class.
Note
The Perl definition of /> is not the same as an alphanumeric character. Instead" it is
defined as an alphanumeric character or an underline character A)a6z;6<$6&"*B.
4ifferenceA the )ot
The dot means# any character" but not the ne#line character. In the single line mode"
which is not discussed further in this book" the dot will also match the newline.
(pecial characters
In Perl" it is easy to distinction between characters that need to be prefixed with a
backslash to remoe a ApossibleB special meaning and those that do not" namely />
characters ersus /R characters.
63 characters. $ny primitie that matches /> is a normal character without a special
meaning. The letter a" for example" falls into this category.
68 characters. $ny character that matches /R may hae a special meaning. Prefix it with
a backslash to make sure it loses that special meaning. If it does not hae a special
meaning" putting a backslash before it will do no harm. The X character" for example"
falls in this category.
1nchorsA line *oun)aries
Line-boundary handling is ery sophisticated in Perl. Consider for example" that the
meaning of \ and 3 changes when multi-line mode is used. ?or more information you
might start with perl)oc perlre" then read other documentation.
5ewlines are not re#o+e) auto#atically. -hen reading lines Afrom a file or
information streamB Perl does not chop off newlines automatically. Lou can either
remoe the newline before the match is applied" or you can include the newline in your
;egular Dxpression. /ere is an example that remoes the newline using the c2omp
operator#
- 292 -
>2ile (?A) + read lineO put it in 3"
U
c2ompC + remo-e ne>line 5rom 3"
print 3"O9/n9 i5 (/&U2V3/)C + s2o> 3" i5 it ends in &&
V
If you keep the newline character and want to match the end of line you must include the
newline in your ;egular Dxpression#
/&U2V/n3/
This matches if there are two nines and a newline-character at the end of the input.
1nchorsA wor) *oun)aries
$s far as we know" the anchor /b originated in Perl" and is now aailable in some other
;egular Dxpression ariants" as shown earlier. Perl has the /b" but also the opposite /=.
Table !9.8" JPerl Anon-Bword boundary anchorsK shows both.
"a*le 13.'. Perl (non@!wor) *oun)ary anchors
pri#iti+e )escription
/b
word boundary Abetween /> and /RB
/=
not a word boundary
=xtracting #atching parts
Perl has two ways to re-use the matching parts Aor een subpartsB. The first is done by
reading some special pseudo ariables" the second inoles grouping.
Method 82 using $(6 $) and $*
$fter a successful match" the three related pseudo ariables 3Z" 3[ and 3W will contain the
following#
3[
The 3[ pseudo ariable Acorrect spelling# a dollar sign and an ampersand
characterB contains that part of the input that the ;egular Dxpression precisely
matched.
3Z
The 3Z pseudo ariable Acorrect spelling# a dollar sign and a backward +uote a.k.a.
backtickB contains the part of the input before the matching part.
- 299 -
3W
The 3W pseudo ariable Acorrect spelling# a dollar sign and a forward single +uoteB
contains the part of the input after the matching part.
Note
(e sure to confirm that the ;egular Dxpression really matched. %therwise" the alues of
3Z" 3[ and 3W may be random.
$n example#
3" B WL2is is a nice boo,WC
i5 (//>Xic/>X/)
U
print
9Input. /93"/9/n9O
9Fart be5ore matc2. /93Z/9/n9O
9Matc2ing part. /93[/9/n9O
9Fart a5ter matc2. /93W/9/n9C
V
The output of this program part is#
Input. 9L2is is a nice boo,9
Fart be5ore matc2. 9L2is is a 9
Matc2ing part. 9nice9
Fart a5ter matc2. 9 boo,9
3ote that the contents of 3Z has an extra trailing space and that of 3W an extra leading
space.
Method 92 grouping
In the Perl ;egular Dxpression language" one can use grouping to extract matching parts
or een subparts from the input.
&uppose the input is#
Loda! is 0 ânuar! 2$$2O a monda!.
The following Perl ;egular Dxpression matches the complete date in the input#
/b/dU#O2V/sX);6<a6z*)a6z*X/sX/dU4V/b
In Perl" you can also group the day" the month and the year parts#
/b(/dU#O2V)/sX();6<a6z*)a6z*X)/sX(/dU4V)/b
- 292 -
-hen this ;egular Dxpression is matched against the input" three pseudo ariables"
namely 3#" 32 and 3% will be filled-in with the corresponding parts of the date. The
information corresponding to the first group Aseen from the leftB is inserted in 3#" the
second in 32" and so on#
3" B 9Loda! is 0 ânuar! 2$$2O a monda!.9C
i5 (//b(/dU#O2V)/sX();6<a6z*)a6z*X)/sX(/dU4V)/b/)
U
print 9Da!. 3#/n9O
9Mont2. 32/n9O
9Near. 3%/n9C
V
5este) groups. 6roups can be nested#
/b((/dU#O2V)/sX();6<a6z*)a6z*X)/sX(/dU4V))/b
Information corresponding to the utmost group Ahere# the whole dateB gets into 3#. The
parts inside that group fall into 32" 3% and so on. To see this working" use something like
this#
3" B 9Loda! is 0 ânuar! 2$$2O a monda!.9C
i5 (//b((/dU#O2V)/sX();6<a6z*)a6z*X)/sX(/dU4V))/b/)
U
print 9Date. 3#/n9O
9Da!. 32/n9O
9Mont2. 3%/n9O
9Near. 34/n9C
V
#lternate method 92 using the binding operator
There is an alternatie to the use of the pseudo ariables A3# etc.B. The parts of the input
that correspond to the groups in the ;egular Dxpression can be written in an array. In the
program part below" these subparts of the input are stored in the array @results#
m! 3input B 9Loda! is 0 ânuar! 2$$2O a monda!.9C
m! @result B 3input B8 //b((/dU#O2V)/sX();6<a6z*)a6z*X)/sX(/dU4V))/
b/C
i5 (@result) + i5 1: 5its
+ etc
It is important to reali,e that
3input B8 /1:/
- 295 -
actually is a statement that returns an array. To capture this" put an array assignment
before it#
@result B 3input B8 /1:/
This really is correct PerlG ;emember that the B8 operator is called the binding operator.
It is not an assignment.
This program part puts eerything in perspectie#
m! 3input B 9Loda! is 0 ânuar! 2$$2O a monda!.9C
m! @result B 3input B8 //b((/dU#O2V)/sX();6<a6z*)a6z*X)/sX(/dU4V))/
b/C
i5 (@result) + i5 1: 5its
U
5or (m! 3i B $C 3i ? scalar @resultC 3iXX)
U
print 9Iield 3i. 3result)3i*/n9C
V
V
Dlements of the array will be filled in the same order the pseudo ariables were assigned.
The first element" 3results)$*" will get the complete date" 3results)#* will get the
day" 3results)2* the month and 3results)%* the year.
9sing Perl
%riting simple Perl scripts
Perl is an acronym that stands for 'ractical *xtraction and ;eport Language. It is a
language optimi,ed for scanning text files" extracting information from those text files
and printing reports based on that information. It can also be used for many system-
management tasks. The language is intended to be practical Aeasy to use" efficient"
completeB" rather than beautiful Atiny" elegant" minimalB. Perl combines features of C"
se)" awk and sh. If you hae a problem that you would ordinarily sole using se)" awk
or sh" but it exceeds their capabilities or must run a little faster" and you can)t or don)t
want to write in C" then Perl may be for you. There are also translators to turn your se)
and awk scripts into Perl scripts. -hen you need powerful ;egular Dxpression support"
Perl will probably be the best option.
Perl)s expression syntax corresponds closely to C expression syntax. Perl does not limit
the si,e of your data" the only restriction is the si,e of your memory. ;ecursion is of
unlimited depth. Tables used by hashes Apreiously called associatie arraysB grow as
necessary to preent degraded performance. In Perl" you can use sophisticated pattern-
matching techni+ues to scan large amounts of data +uickly. $lthough optimi,ed for
scanning text" perl can also deal with binary data" and can make )*# files look like
- 29: -
hashes. &etuid and setgid perl scripts are safer than C programs through a data-flow-
tracing mechanism AtaintmodeB that closes a number of security holes.
Perl is an interpreted language" which means that there is no explicit compilation step.
The perl processor reads its input file" conerts it to an internal form and executes it
immediately. Internally" howeer" perl compiles the program and only executes it if the
compilation was successful.
$ number of interesting features are#
3o need to explicitly declare ariables.
The type of a ariable Ascalar" array or hashB is indicated by a prefix character.
3o need to define the si,e of strings or of arrays before using them.
$ll ariables hae predictable default alues.
$ ery rich set of pattern-matching operations that make it ery easy to locate and
process patterns of text.
$ complete set of arithmetic capabilities.
$ ery complete set of built-in functions.
Perl basics
%arning
Perl is a ery powerful and rich language. It goes far beyond the scope of this book to try
to teach you all about it. The ob'ecties re+uire that you know 'ust enough about Perl to
enable you to write simple Perl scripts. Therefore" we will coer the basics and leae it up
to you to explore further. It is assumed the reader has at least a nodding ac+uaintance
with at least one programming language" preferably C or awk" and therefore knows
concepts like ariables" arrays" branching" looping" control statements and the like. $fter
all" you are an LPIC-! alumnus C6)
-irst steps
perl will use standard input by default and look there for statements it should execute.
Thus" to execute Perl statements" you could start up the perl program 'ust by typing in its
name
W!<X
#
3 perl
The perl interpreter starts up" and silently waits for input. It is possible to type in a
number of Perl statements next. Dery command in Perl should end in a semicolonQ to
forget one is a common error" both for experienced and noice users. Thus" a Perl
program could look like this#
print 92ello >orld/n9C
exit $C
- 297 -
To make perl interpret these statements" terminate the input by typing CtrlT4 on the
next line. 3ow perl will check the statements you typed" check for errors and execute
them. If all went well" you will see the following on your screen#
2ello >orld
@ost of the time" you will want to execute a program that consists of statements in a file.
It is possible to start up perl" and tell it to execute statements from within a file#
3 perl perlfile
$ll script files Ashell" PerlB are handled the same way# statements are contained in files
which hae the execution bit set Ach#o) VxB. If the first line of an script contains a hash
and an exclamation mark -- +Q -- as its first two characters" this denotes that the location
of an interpreter follows. The shell will start that interpreter and feed the script to it. ?or
example#
+Q/usr/bin/perl
perl statements
Derything after the first line is Perl speak. Lines beginning with a hash A+B are
comments. ;emember that statements in Perl should end in a semicolon. Thus" a Perl
script could look something like this#

+Q/usr/bin/perl
statement#C
+ a comment line
statement2C
statement%C + end o5 line comment
Perl statements can also be put in a block. $ block consists of a opening curly brace"
some statements and a closing curly brace. ?or instance#

i5 (3x A ()
U
statement(C
statement6C
V
The block is used in seeral places# each i5" for example" #ust be followed by a block
and statements in a subroutine definition will be contained in a block.
%nce you hae written a Perl program this way" and hae set the execution bit on it" you
can simply run it by typing the name of the file. $gain" perl will check your code first
and generate error messages if it finds mistakes.
- 298 -
Printing
In many of our examples" we will use the built-in print function. print takes a list
containing one or more arguments and prints them. If a file handle Afile handlesB is placed
between the print keyword and the arguments" the arguments are sent to the
corresponding file. (y default" standard output will be used. The print function does not
add newlines or other formatting.
?ormatting can be added by including escape characters" or you can use the print5
function. C programmers will feel at ease with this function right away. The first string
argument to printf is a format string" which is a mixture of normal characters and format
directies. 3ormal characters are simply output as is. ?ormat directies begin with a J]K
and are instructions on how to output the next argument from the list of arguments
following the format string. ?ormat directies may contain width and precision
specification" instructions for left or right 'ustification" and type of data. Please see the
Perl documentation Astart with perl)oc perl. $n example#
3- B #$C
32 B %%.6C
print5( 9L2e area o5 a ]5 x ]5 rectangle is ]#$.%5/n9O 3-O 32O 3- E
32 )C

will print#
L2e area o5 a #$ x %%.6 rectangle is %%6.$$$

Naria*les
Lou can store all types of data in ariables. $n example#
+Q/usr/bin/perl
3x B #C
3! B 2C
3z B %C
print 93x X 3! B 3z/n9C

$ny ariables in +uotes will be ealuated before the print prints out the results. &o"
running this program results in the following output#
# X 2 B %

- 29< -
+cope of variables
(y default" all ariables in Perl are global ariablesQ that is" they are accessible from
eery part of the program. Lou can create priate ariables called lexical ariables at any
time with the m! operator. Their scope is restricted to the block or file they are declared
within. $ block is denoted by a set of curly braces Athe block that defines a subroutine or
an JifK statement or a specially created blockB#
U
m!(3xO 3!)C + pri-ate -ariables 5or t2is bloc,
V
Lou can force yourself to use only lexical ariables with the following pragma#
use strictC
-hen using this pragma" unwanted use of a global ariable will be caught. ?or instance#
+Q/usr/bin/perl 6>
use strictC
3-erse B 9Some text9C
This results in a compile-time error. To fix this" use m! 3-erse to make 3-erse a local
ariable Athis time at file leelB or use the use -ars ... pragma to define 3-erse as a
known global ariable.
In Perl" the first character of a ariable name or ariable reference denotes what kind of
alue the ariable may hold. /ere are the most common kinds of ariables#
"a*le 13.6. Naria*le types in Perl
3-ar
names a ariable that holds a scalar data type Ainteger" floating point or stringB.
@-ar
names a ariable that holds an array of scalars or list.
]-ar
names a ariable that holds a hash of scalars.
The aboe table names three different ariables. In other words" ariable 3x is a different
ariable than @x.
!calar variables
$ Perl scalar ariable can be an integer" floating point or a character string. Integer
literals are written without a decimal point or an JDK exponent. Dxamples of integer
literals are#
#2%(4
- 22. -
6#0&
$x%2 + 2exadecimal
$20 + octal
The third number in the list is a hexadecimal Abase !:B constantQ its alue is 5. decimal.
The fourth number in the list is an octal Abase 8B constant because it begins with a J.KQ its
alue is 29 decimal.
?loating point literal numbers are written with a single decimal point and=or an JDK
exponent. Dxample floating point literals are#
#2.%
66.2%:20
%:0
.#
&tring literals are enclosed in either single or double +uotes#
9L2e >orld/n9
$nother example#
Wno expansionsW
(ingle@Cuote) strings. In a single-+uoted string no expansion will be done. In the
following the 3 is 'ust a dollar sign and /n are the two characters backslash and n#
print WSome 3-erse 2ere /nWC
The output will be#
Some 3-erse 2ere /n
Commands between backticks Aback +uotesB and escape se+uences will not not expanded.
4ou*le@Cuote) strings. @aterial in double-+uoted strings is sub'ect to expansion.
$mong these are ariables and escape se+uences. $n escape se+uence is a combination
of a backslash and characterAsB. The combination will hae a special meaning. The
newline character" for example" will be written as the /n combination in a double-+uoted
string#
m! 3-erse B W2allo t2ereWC
print 9Some 3-erse 2ere/n9C
This will result in
Some 2allo t2ere 2ere
- 22! -
The last character of the output is a newline. If you want 3" @ or ] to appear literally in a
string delimited by double +uotes" escape them with a single backslash. $nother example
is the double-+uote character itself# to get a double +uote in a string surrounded by double
+uotes" use the / for escaping the double-+uote. Table !9.!." JDscape characters in PerlK
shows a list of well-known escape se+uences.
"a*le 13.1. =scape characters in Perl
/t
tab
/n
newline
/r
return
/5
formfeed
/b
backspace
/a
alarm AbellB
/e
escape character
/$%%
octal character
/9
double +uote
//
literal backslash
/c
c" where JcK is a normal character
?or example" suppose we had assigned 3t B WtestW. Then#
3x B W3tW
would assign the literal string Ut to 3x" where
3x B 93t9
would assign the literal string test to 3x. &ome example string literals are#
9Yello RorldQ9
W; bit longer but still a nonsensical stringW
WW
99
-hen a ariable contains a scalar literal" its name always begins with a JUK. $n example#
3lengt2 B #2.%C
3>idt2 B #0C
3area B 3lengt2 E 3>idt2C + 3area s2ould be 2$&.#
In the aboe" the alue of 3lengt2 was a floating-point number" the alue of 3>idt2 was
an integer. The result of the calculation would be floating point.
$n example using strings#
3colour B 9blue9C
- 222 -
3s2ade B 9dar,9C
3description B 3s2ade . 9 9 . 3colour
/ere" the scalar ariable 3description will hae the alue Jdark blueK A).) is the string-
concatenation operatorB.
#rrays
$n array is a singly dimensioned ector of scalar +uantities. Indiidual elements of the
array are accessed by a small integer index Aor subscriptB. 3ormally" an array containing
JnK elements has indices starting at $ and going to n 6 #" inclusie. In contrast to many
other programming languages" it is possible to hae array literals Asometimes called listsB.
Dxamples of array literals are#
() + t2e empt! listO or arra!
(#O2O%) + an arra! o5 t2ree integers
(#OW5redWO20.#O%E()
The last example is of any array containing 2 elements. The second element AindexSS!B
is a string and the fourth element AindexSS9B is an integer of alue !5.
-hen a ariable references an array of scalars" its name always begins with a J_K. ?or
example#
@one B (#O 2O %)C
@t>o B (4O (O 6)C
@bot2 B (@oneO @t>o)C

$t the end of this" @bot2 will be an array of six elements. The expression J(@oneO
@t>o)K" in this context" effectiely 'oins the two smaller arrays end-to-end.
/ surprising feature
the fact is" that to reference one of the elements of an array" whose name starts with J_K"
you are referring to a scalar datum -- and thus the name must begin with JUK.
Lou also must enclose the subscript or index in s+uare brackets following the name. ?or
example#
@-ec B (%O4O()C
3sum B 3-ec)$* X 3-ec)2*C
3-ec)#* B 3sumC

$t the end of this" 3sum will hae the alue of 8" and the array @-ec will hae the alue
A9"8"5B.
- 229 -
Determining the si9e of an array
?or eery array @5oo" there is a scalar ariable 3+5oo that gies the index-id of the last
element of the array. &o" after execution of#
@-ec B ((O#$O#()C
The alue of Ucec is 2.
$ more common way to do this is by using the automatic conersion from array to scalar.
-hen an array is assigned to a scalar the scalar will get the number of elements in the
array. The two following lines do exactly this#
m! 3size B @somearra!C
m! 3size B scalar @somearra!C
The scalar command makes the conersion een more isible.
Multi-dimensional arrays
Perl does not support multi-dimensional arrays. ?rom a technical point of iew" there is
no need for multi-dimensional arrays - memory can be regarded as a one-dimensional
array of bytes - but often the multi-dimensional notational closer matches reality. Think"
for example" of programming a board game where it would be much more conenient to
think in terms of JrowsK and JcolumnsK" instead of terms like Joffset counting from
s+uare oneK.
There are a number of ways to simulate multi-dimensional arrays using Perl. %ne of them
uses references. $ reference is a scalar that refers to an entire array" list or other ariable
type. To create a reference to a ariable" you put a backslash in front of it. &o" /@a
denotes a reference to the array a. $ reference is a scalar and therefore can be stored as
an element of an array or list. Thus" it is possible to store a reference to an entire array in
one element of another array. In the $&CII art below" an example is gien. Dach line
represents an array Afrom left to right @a" from top to bottom @b and from front to back
@cB. $ dash denotes an element in the array. The JPK" for example" denotes element 2 in
array @c Aremember" we start counting at ,eroB.
$ 6 6 % 6 6 6 6 6 6 a
T c
T /
T (K) 3c)4*
T / 3b)0*6A)4*
T / 3a)%*6A)0*6A)4*
T/
0
T
T
b

- 222 -
To find the element APB you can use three methods#
The direct notation 3c)4*# *enotes that APB is element c2 of @c" or
4sing the notation 3b)0*6A)4*# &tart at array @b" which denotes to use element
c7 in array @b" which is a reference to array @c" and take the 2th element to find
APB" or
4sing the notation 3a)%*6A)0*6A)4*# &tart at array @a" take element c9" which is
a reference to array @b" of which element c7 is a reference to array @c" of which
you take element c2.
%ash $ariables
-hen a ariable references a hash of scalars" its name always begins with a J]K. ?or
example#
]box B (9len9O #$$O 92eig2t9O 4$O 9>idt29O 2$O 9colour9O 9blue9)C
This can also be written as follows#
]box B (9len9 BA #$$O 92eig2t9 BA 4$O 9>idt29O 2$O 9colour9 BA
9blue9)C
(oth assign a hash with four elements to ariable ]box. The indices Aor keysB of the
elements are the strings VlenV" VheightV" VwidthV and VcolourV and the alues of those
elements are !.." 2." 2." and VblueV" respectiely.
3lements are scalar data<
-hen we refer to elements" we are referring to scalar data and thus the ariable reference
must start with J3K.
The index delimiters of )NO) denote that we are accessing a hash A'ust as the index
delimiters )WX) denote access to an arrayB. In our example" to get the height" use#
print 92eig2t is 9O 3boxUW2eig2tWVC
The output will be
2eig2t is 4$
3boxUW-olumeWV B 3boxUW>idt2WV E 3boxUWlengt2WV E 3boxUW2eig2tWVC
This assigns a fifth element to hash ]box.
9ser (u*routines
Defining a subroutine
- 225 -
Perl has the ability to use user-defined subroutines or functions. The name of such a
subroutine consists of letters" digits and underscores" but can)t start with a digit. It is
defined by the sub keyword" followed by a name and a block#
m! 3n B $C + 5ile6>ide -ariable 3n
...
sub marine
U
3n XB #C
print 9YelloO sailor number 3nQ/n9C
V
&ubroutine definitions can be anywhere in your program text. &ubroutine definitions are
globalQ without some powerful trickiness" there are no priate subroutines. If you hae
two subroutine definitions with the same name" the later one oerwrites the earlier one.
alling a subroutine
Inoke a subroutine from within any expression by using the subroutine name" sometimes
preceded with an ampersand#
[marineC + sa!s YelloO sailor number #Q
[marineC + sa!s YelloO sailor number 2Q
[marineC + sa!s YelloO sailor number %Q
[marineC + sa!s YelloO sailor number 4Q
The initial ampersand is often optional. It is mandatory" howeer" if you are defining a
function of your own that has the same name as one of the built-in functions of Perl Athis
is a bad idea anywayB#
sub c2omp
U
print 9bit more t2an I could c2e>9C
V
[c2ompC + pre-ents calling t2e internal c2omp 5unction
Lou may omit the ampersand if there is no built-in with the same name and if the
definition of the function precedes the calling of the function#
sub multipl!
U
3")$* E 3")#*C
V
...
m! 3mult B multipl! %((O ##%C
- 22: -
Passing arguments to subroutines
$ special array @" contains the arguments passed to the subroutine on entrance. It is a
good idea to sae the arguments in a local ariable#
+ s2o> elements o5 arra! b! index
sub s2o>arra!
U
m! @list B @"C
5or (m! 3i B $C 3i ? @listC 3iXX)
U
print 9index 3i -alue 3list)3i*/n9C
V
V
This is how the subroutine is called#
m! @ro>s B (24O%$O#2O%4)C
...
s2o>arra! @ro>sC
The output is#
index $ -alue 24
index # -alue %$
index 2 -alue #2
index % -alue %4
-hen passing argumentAsB to a subroutine" you actually pass an array. In fact" you are
passing one array. -hen you want to pass separate entities Ae.g." two arraysB" you must
pass references to these entities instead and dereference these in the subroutine itself.
This is left as an exercise to the reader.
/eturning from a subroutine
The result of the last executed statement of a subroutine will be the return alue of the
subroutine. This subroutine will return the sum of the first two arguments#
sub add
U
3")$* X 3")#*C
V
Lou can also make the subroutine return by using the return keyword#
sub di-ide
U
i5 (3")#* BB $)
- 227 -
U
return $C
V
+ ot2er>ise. return t2e di-ision
3")$* / 3")#*C
V
/perators an) (internal! functions
%perators allow a combination of constants and ariables. There are many common
operators" howeer we will only discuss the most important ones. The precedence of the
operations are largely intuitie. Precedence of operations can be oerridden by the use of
parentheses. -hen in doubt" use parentheses to preent ambiguity as a last resort. Check
the Perl syntax first.
5u#erical operators. 3umerical operators expect numbers as arguments and return
numbers as results. The basic numeric operators are# X 6 E / EE" Athe last one means
exponentiationB. $dditionally" these operators may be combined with the JSK e+ual sign"
to form C-style operators such as XB 6B EB EEB#
3n B 'C
3n EEB %C + same as. 3n B 3n EE %C
print 3nC + (#2 (' E ' E ')..
$mong the built-in numeric functions are# cos" sin" exp" log and sSrt. $dditionally" the
increment-by-one AXXB and decrement-by-one A66B operators are used in Perl in the same
way as they are used in C. $s in the C language" their placement is of importance#
3m B #C

print 3mXX . 9 9C + print -alue 5irstO t2an increment..
print 3m . 9 9C + print incremented -alue ..
print XX3m . 9 9C + increment 5irstO t2en print ne> -alue..
print 3m . 9 /n9C + print -alueC

This would result in the printing of the range# # 2 % %
/utomatic type conversion
numeric operators and functions expect numeric arguments. If they are gien a string
argument" they conert to numeric automatically.
(tring concatenation operator. To add strings" use the string concatenation operator# .
Aa dotB. It denotes string concatenation#
3i B W2iWC
3o B W2oWC
3song B 3i . 3oC
- 228 -
Cariable 3song will now contain 2i2o.
7oolean operators. There is no special data type that signifies (oolean alues. There
are 'ust alues that mean false# the ,ero or null alues. @ore specifically" they are#
99 null string
9$9 string
$ integer
$.$ 5loat
() empt! arra! or list
$ ariable can be set to unde5" meaning that it is completely undefined. Derything that
is not ,ero" null" empty or undef will mean true. There are a number of operators that
explicitly produce (oolean results# these always produce . to indicate false and ! to
indicate true. The most common are#
TT or
[[ and
Q not
The first two are short-circuit operatorsQ the right operand is not ealuated if the answer
can be determinded solely from the left operand. The JnotK operator Q reerses the alue
of its only operand# true will become false" ice ersa.
5u#eric Co#parisons. ?or comparing numbers" you can use#

? less
?B less or eSual
BB eSuals
QB not eSual
AB bigger or eSual
A bigger
+trings are not numerics
If you compare strings using these numeric comparison operators" the strings are first
conerted to numeric +uantities and the numeric +uantities compared.
(tring Co#parisons. The commonly used ones#
lt lesser t2an
le lesser or eSual
eS eSuals (identical)
ne not eSual
ge greater or eSual
gt greater t2an
The operators eS and ne are used for direct string comparisons. The others are used
mainly in sorting. To perform more sophisticated string comparisons in Perl" use pattern
- 22< -
matching. Perl permits the use of powerful pattern-matching operators# B8 and Q8 for
does match and does not match respectiely.
Pattern #atching with 2egular =xpressions
;egular Dxpressions are probably the most important feature of Perl. ;egular
Dxpressions in general are described in the section called J;egular DxpressionsK. (e sure
to read the part about Perl ;egular Dxpression extensions Asee the section called JPerl
;egular DxpressionsKB. This section shows how to apply ;egular Dxpressions in Perl.
To match a ;egular Dxpression against a ariable" a statement must be created consisting
of
the ariable# 3some
the binding operator B8
a ;egular Dxpression enclosed in slashes# /\);6<*/
$ comparison statement can look as follows#
3some B8 /\);6<*/
This is not complete# the result of the comparison must be handled as well. In the
following example the (oolean result of the aboe statement is ealuated Awith an i5
statementB. The result is either true or false. If true Aif the contents of 3some starts with
an uppercase letterB" the block is entered#
i5 (3some B8 /\);6<*/)
U
+ matc2. do somet2ing
V
If both ariable and binding operator are omitted" the comparison is done against the
contents of the so-called default variable 3"#
i5 (/\);6<*/)
U
+ 1: matc2es on 3". do somet2ing
V
%f course" if the ;egular Dxpression matches" pseudo ariables like 3[" 3#" etc. can be
inspected" as described in the section called JPerl ;egular DxpressionsK.
There is also the reerse of the binding operator# the Q8. Its result is true if the ;egular
Dxpression does not match the contents of the ariable. In the example below" the block
is entered when the contents of 3some does not start with an uppercase letter#
i5 (3some Q8 /\);6<*/)
U
- 25. -
+ i5 no matc2. do somet2ing
V
-hen matching against 3" the not operator Q can be used instead#
i5 (Q/\);6<*/)
U
+ 1: does not matc2 on 3"
V
$nother way to check if a ariable matches is to inspect the results of the match. This
will only work if grouping Asee the section called JPerl ;egular DxpressionsKB is used.
The following is an example#
m! @results B 3input B8 /\();6<*)()a6z*X)/C
i5 (@results)
U
+ 1: matc2edQ
print 9#st part. 3results)$*O 2nd part 3results)#*/n9C
V
-ile han)les
Perl programs may need to refer to specific input or output streams or files. The ariables
that name them are" by conention" always rendered in uppercase. %utput files can be
explicitly created by the open function. ?or example" to open a file named prog.dat you
would use#
open(GLO 9Aprog.dat9) TT die 93$. open prog.dat 5or >riting
5ailed. 3Q9C
This associates the file handle %4T with the file. The leading JAK signifies that the file
will be emptied Aif it did existB or created. 4se JAAK to instead append to the file.
Note
Lou must check if the open succeeds and catch possible errors. %ne of the possibilities is
the use of die as shown aboeQ 3Q will contain the error.
3ow" you can use the file handle to write something to the file#
print GL (9; test9)C
Note
-hen using print or print5 and a handle )o not put a co##a after the han)le.
- 25! -
This will open and empty the file and will write J; testK to it. There is no comma
bet#een the file handle and the first string argument.
&tandard input is opened automatically and can be referenced ia the predefined handle
called JSLDGLK. SLDGL will be used by print5 and print if no file handle was
specified. $nother automatically opened handle is SLD:11 Astandard errorB.
$ file can be closed using the close keyword#
close(GL)C
?ile handles can also be used when reading from a file.
m! 35ile B WlistG5HamesWC
open(IHO 9?35ile9) TT die 93$. unable to open 35ile 5or reading9C
The initial ? can be omitted.
To read from the file" use the file handle surrounded by ? and A. There is" howeer"
something to watch out for# scalar ersus array context. If the handle is read in scalar
context" exactly one line is read#
m! 3line B ?IHAC
-hen this is used again" the next line is read and so on. In arra( context howeer" all
lines will be read at once. The following" for example" will do exactly that#
m! @allMines B ?IHAC
The method of reading input line-by-line is often used in combination with a >2ile
keyword#
>2ile (?IHA)
U
+ most recent line read in 3"
print 3"C
V
This example reads each line and prints it" until no more lines can be read.
*on)t forget to close the handles again#
close(IH)C
$ predefined file handle is SLDIH for standard input. It is opened for reading. It can be
used like any other handle.
$ commonly used construction is ?A. It operates as follows#
- 252 -
If arguments are passed to the program A@;1JP is inspectedB" each of these
arguments is considered to be a filename. Dery ?A reads one line until all files
hae been read.
If" on the other hand" no arguments are found A@;1JP is emptyB" ?A will be the
same as ?SLDIHA.
In applications it might be used like this#
>2ile (?A)
U
...statement(s)...
V
This will read either from named files Agien as argumentsB or from standard input.
-hile inside the >2ile loop" a special predefined ariable 3;1JP contains the name of
the file that is being read Astandard input is indicated by a dash A6BB.
Process han)les
$ ery powerful Perl facility is the process handle. It works exactly like a file handle but
refers to a process instead. Process handles can be opened for reading or for writing.
The following code will open a RYG handle that is associated with a running who
program.
open (RYGO 9>2oT9) TT die 9cannot start >2o. 3Q9C
m! @>2oMines B ?RYGAC
close (RYG)C
print 9L2ere are currentl! 9O scalar @>2oMinesO 9 users logged
in/n9C
The T symbol indicates that this is a process to be opened. (y placing the T at the end" we
tell Perl that we want to read from the process.
%f course" there are also writable process handles. $ typical application might be writing
a message Acollected earlierB to a mail program#
open (M;IMO 9Tmutt 6s /9log report/9 3mailto9) TT
die 9cannot start mutt. 3Q9C
print M;IM @messageMinesC
close (M;IM)C
This time the T is at the beginning" indicating that the handle should be open for writing.
The message is sent after the close statement has been processed.
- 259 -
LoopsBrepetition
Perl supports a number of loop constructs. Let)s study the following example" in which
we also recapitulate a number of the other things we)e learned so far. The numbers in the
left margin are for reference purposes only and do not belong to the code.
/66666666666666666666666666666666666666666666666666666666666666666666
66
T
# T open ( FRO 9?/etc/pass>d9) TT die 9:2..4 DanWt read /etc/pass>d49C
2 T >2ile ( @a B split (W.WO ?FRA) ) U
% T 5oreac2 3x ( @a ) U print 3x . 9 9C V
4 T print 9/n9C
( T V
6 T close( FR )C
T

In line !" the main logic functionality is determined by a boolean expression# the TT A)or)
operatorB with two operands. The operands are functions in this case" but that is all
perfectly legal in the Perl language. ;emember that booleans act as short-circuit
operators# the right operand is not ealuated if the answer can be determined solely from
the left operand. Therefore" if the open succeeds" the die function will neer be called.
-hen open fails" the first part of the boolean expression is false and" therefore" the
second part of the expression should be parsed Athe die function will be calledB and the
script will terminate. ?or now" let)s assume that the function opened the password file
successfully. The file handle P- is now associated with it.
Line 2 contains a JwhileK loop. $ JwhileK statement uses a test expression as its
argument and executes its block eery time the expression ealuates to true. $ test
expression is ealuated before eery iteration" so the block may get executed . times. The
core of the test expression is the split function. The split will take a string Aits second
argumentB and split it into chunks" delimited by one of the characters as specified in the
first argument Ain our case" a colonB. In our example" split fetches the input string
directly from the file using the file handle JP-K. The test expression ealuates to true as
long as the array J@aK is filled by the split" which is the case as long as split is able to
read from the file.
Line 9 gies an example of the 5oreac2 loop. The 5oreac2 loop proides a handy way to
cycle through all elements of an array in order. It takes 2 arguments# the ariable where
an element of the array should be put in and the name of the array within parentheses.
The loop cycles through all alues in the array Aeffectiely# all fields in the line from the
password fileB and stashes each field in Ux" one field per iteration. The alue is printed
next.
Line 2 'ust prints a newline after each line that was read and parsed from the password
file.
- 252 -
Line 5 terminates the JwhileK loop and
Line : closes the file associated with the file handle JP-K.
$nother example further clarifies the use of the 5oreac2 loop and introduces the range
operator Athree dots in a rowB and the concept of lists#
@a B (9a9...9z9O9;9...9<9)C
5oreac2 3n (@a) U
print 3nC
V

In the first line" the array @a is filled with the elements of a list. $ list is simply a listing
of alues. In this case" the list is formed by specifying two ranges" namely the range of all
letters from VaV to V,V and the second range of all letters from V$V to VEV. The array @a
will contain 52 elements. The 5oreac2 loops through all alues in the array" one per
iteration" and prints the resulting alue to standard output Asince we did not specify a file
handleB.
abcde5g2i7,lmnopSrstu->x!z;=DD:IJYI^KMMHGF_1SLPRKN<

The 5or loop is the third type of loop. It is identical to the C JforK construct. The general
structure is#
5or( init C test C incr ) block
$ 5or statement can easily be rewritten using >2ile#
m! 3iC m! 3i B $C
5or(3i B $C 3i ? 2$C 3iXX) >2ile (3i ? 2$)
U U
print 9/3i. 3i/n9C print 9/3i. 3i/n9C
3iXXC
V V
The test is performed before eery iteration" so the block may be executed . times. /ere"
for example" is a way to print a table of s+uares" using the printf function#
5or(3n B #C 3n ?B #$C XX3n)
U
print5(9]d sSuared is ]d/n9O 3nO 3n E 3n)C
V
LogicB*ranching
Perl supports the i5 statement#
- 255 -
i5( 3le ? #$.$ )
U
print(9Mengt2 3le is too small/n9)C
V
Dach test expression must be followed by a statement block. (locks do not hae to end
with a semicolon. The following is functionally e+uialent to our example aboe#
print( 9Mengt2 3le is too smallQ/n9 ) i5 (3le ? #$.$)C
There are JelseK and JelsifK keywords too#
i5( 3le ? #$.$ )
U
print( 9Mengt2 3le is too smallQ/n9 )C
V
elsi5( 3le A #$$.$ )
U
print( 9Mengt2 3le is too bigQ/n9 )C
V
else
U
print( 9Mengt2 is 7ust rig2tQ/n9 )C
V

3ote that i5" elsi5 and else must be followed by a block" een for one statement.
Lou can een use short-circuit boolean operators" as in#
3l ? #$.$ [[ print(9Mengt2 3le is too smallQ/n9)C
This kind of expression is particularly useful when you hae to take an exceptional action
after something Asuch as opening an input fileB fails#
open(IHO9?5oo.dat9) TT die(9nable to open 5oo.dat. 3Q9)C
written e+uialently" but less readably" as#
die(9nable to open 5oo.dat. 3Q9) i5 Qopen(IHO9?5oo.dat9)C
Perl taint mode
perl automatically enables a set of special security checks" called taint mode" when it
detects its program running with differing real and effectie user or group I*s. In other
words# when a program has either its setuid or setgid bit set Aor bothB.
Lou can also enable taint mode explicitly by using the -8 command line flag#
+Q/usr/bin/perl 6> 6L
- 25: -
Th 6L flag is strongly suggested for serer programs and any program run on behalf of
someone else" such as C6I scripts. %nce taint mode is on" it)s on for the remainder of
your script.
-hile in this mode" perl takes special precautions" called taint checks" to preent both
obious and subtle traps. &ome of these checks are reasonably simple" such as erifying
that path directories aren)t writable by othersQ careful programmers hae always used
checks like these. %ther checks" howeer" are best supported by the language itself. $s a
result of these checks set>id perl programs are more secure" than similar C programs.
Note
4sing taint mode does not take the responsibility away from the programmer. It 'ust
helps the programmer. ?or instance" if a program allows some user input from a web
page" perl tests if the program checks this data" regardless of the +uality of the test.
Lou may not use data deried from outside your program to affect something else outside
your program -- at least" not by accident. $ll command-line arguments" enironment
ariables" locale information Asee the perllocale manual pageB" results of certain system
calls Areaddir()" readlin,()" the ariable of s2mread()" the messages returned by
msgrc-()" the password" gcos and shell fields returned by the getp>xxx() callsB" and all
file input are marked as JtaintedK.
Tainted data may not be used directly or indirectly in any command that inokes a
subshell" nor in any command that modifies files" directories or processes.
3#ception
If you pass a list of arguments to either s!stem or exec" the elements of that list are 3%T
checked for taintedness. ?or example" assuming 3arg is tainted" this is allowed AalasB#
exec Ws2WO W6cWO 3argC + Donsidered secure... .6(
The programmer knows whether or not to trust 3arg and" so" whether to take appropriate
action.
$ny ariable set to a alue deried from tainted data will itself be tainted" een if it is
logically impossible for the tainted data to alter the ariable. (ecause taintedness can be
associated with particular scalar alues" some elements of an array can be tainted and
others not.
Perl modules
Perl scripts often use Perl modules. 6reat many Perl modules are freely aailable. $
module proides a way to package Perl code for reuse. @any modules support ob'ect-
- 257 -
oriented concepts. @odules are" in fact" packages that follow some strict conentions.
Therefore" packages are explained first.
$ package is a set of related Perl subroutines in its own namespace. Perl modules are
often implemented in an %b'ect %riented way" thereby hiding the nitty-gritty details of
the implementation of the module and presenting the user of the module with a small"
clear interface.
$ package starts with the pac,age statement. The following example is the first line of
DJI.pm#
pac,age DJIC
This sets the namespace in DJI.pm to DJI.
-hen you write a Perl script" you will work in the default namespace called main. Lou
can switch to another namespace by using another pac,age statement.
$ module is a package designed for reuse. /oweer" modules are contained in files
ending in the .pm extension Aperl moduleB and are located in one of the Perl library
directories. To make use of a module" the use keyword is used with the name of the
module as argument#
use DJIC
If the module name contains two ad'acent colons" the first part indicates a subdirectory.
Thus" Iile..=asename refers to a module file called =asename.pm in the subdirectory
named Iile in Aone ofB the library directories.
The predefined array @IHD will list the directories where perl will start looking for
modules. ?or instance" if directory /usr/lib/perl( is in @IHD" then perl will look for
/usr/lib/perl(/Iile/=asename.pm when looking for the Iile..=asename module.
The @IHD can be easily extended. ?or instance" to use a locally deeloped module in the
directory /2ome/!ou/lib" use#
pus2(@IHDOW/2ome/!ou/libW)C
The perl -I flag can also be used#
+Q/usr/bin/perl 6> 6I/2ome/!ou/lib
To make perl use a Perl module use the use keyword#
use Iile..=asenameC + Moo, 5or Iile/=asename.pm.
Lou can nest deeper than a single directory. Rust replace each double-colon with a
directory separator.
- 258 -
CP/N
There are hundreds of free modules aailable on the ,omprehensive 'erl Archive
-et#ork" or CP$3" a set of Internet serers located throughout the world. It consists of
about !.. sites that archie the same content. @any countries hae at least one CP$3
mirror" and their number is growing. $ailable modules include support for access to
%racle and other databases A*(IBQ networking protocols such as /TTP" P%P9 and ?TP
and support for C6I.
CP$3 offers arious options to search for modules by authorAsB" category" name or date.
%nce you hae found something interesting" you can download the module. Lou will
hae a compressed tarfile that contains the archie. Lou)ll need to decompress the tarfile
and untar it. 3ext" you can issue the commands#
+ perl Ma,e5ile.FM
+ ma,e
+ ma,e test

If the test is successful" you can issue a ma,e install to install the module. @ake sure
you hae the appropriate permissions to install the module in your Perl 5 library
directory. %ften" you)ll need to be root. That)s all you need to do on 4nix systems with
dynamic linking.
$ndreas 01nigs) CP$3 module ADF;H.pmB is designed to automate the #ake and install
of Perl modules and extensions. It includes some searching capabilities and knows a
number of methods to fetch the raw data from the 3et. @odules are fetched from one or
more of the mirrored CP$3 sites and unpacked in a dedicated directory. @ost Perl
installations already hae this module pre-installed" but if not" you may want to download
and install it first. $dditionally" to allow you to perform extended searches for modules"
there is another module aailable# DF;H..R;IL. It)s a full-text search engine that indexes
all documents aailable in CP$3 authors) directories. CP$3##-$IT uses a special
protocol that resembles 33TP. CP$3##-$IT tries to access so-called J#ait serversK and
can do so using either a direct connection or oer an http proxy.
The CP$3 module normally is operated from within an interactie shell. That shell will
allow additional search commands if the DF;H..R;IL module has been installed.
The initial configuration will be started automatically when the shell is started for the first
time. To start the CP$3 shell" type#
+ perl 6MDF;H 6e s2ellC

The first time you start up this command" it will create some administratie files in which
your preferences are kept. Lou can either choose to configure manually or let the module
guess at the proper alues Awhich often works out fineB. @anual configuration will ask
- 25< -
+uestions about the amount of disk space to use" the locations of some external programs
the module wants to use" whether or not module dependencies should be resoled
automatically" the location of your proxy serers Aif anyB and possible extra parameters
you)d want to specify for #ake" etc. $lso" the module will try seeral methods Aif
necessaryB of gaining access to a CP$3 site and may ask you for your location and your
faorite #ait server.
Perl on the command line
Perl can be easily inoked from the command line.
perl 6e Gperl co##an)sG
$n easy way to find the hexadecimal alue of a decimal number" for example" is#
perl 6e Wprint5 9]x/n9O 26CW
The output will be#
#a
The 6n flag is ery helpful on the command line. &uppose you want to use something like
this#
>2ile (?A)
U
print 9 .3"9C
V
Derything but the print statement can be eliminated by using the 6n option#
perl 6ne Wprint 9 .3"9CW inputs
This example will read lines from the file inputs. ?or each line that was read" output will
be printed consisting of four spaces" a colon A.B and the original input line Aexpanded
from 3"B.
;riting 7ourne shell scripts
(eing an LPIC-! alumnus Aor at least someone with e+uialent knowledgeB" you are
already familiar with the shell. (y JshellK" we mean a shell compliant to the IDDD P%&IP
&hell and Tools specification AIDDD -orking 6roup !..9.2B" for example" the (ourne
shell or *ash. In this section" we do not focus on the command-line interface" but on the
writing of shell scripts. $ shell script is 'ust a set of shell commands" grouped into a file
and executed by the shell. $ ery basic script could read like this#
+Q/bin/s2
- 2:. -
ec2o 9YelloO >orldQ9
exit $
Lou can type this in using your faorite editor. $fter editing and saing it under some
name - lets assume 2ello - you can execute it by starting up a shell with the program
name as argument" for example#
3 s2 2ello
Yello RorldQ
3 "
$lternately" you can set the execution bit on the program by issuing the command
3 c2mod Xx 2ello
/aing done that" you can execute the script by simply typing its name#
3 ./2ello
Yello RorldQ
3 "
3ote that the script should either be in a directory that is in your F;LY" or you should
specify its exact location" as we did in our example. -ithin the shell" the hash A+B is used
to indicate a comment - anything on the same line after the hash will be ignored by the
shell#
+Q/bin/s2
+ L2is program displa!s a >elcoming text and exits.
+ It >as >ritten 5or demonstration purposes.
ec2o 9YelloO >orldQ9
exit $
$lso" note that a script should pass an exit code to the outside world. (y conention" the
alue $ signals that the script ran correctly" a non-,ero alue signifies that some error
occurred.
2ariables
$ ariable within a shell script is 'ust some data referenced by name. The data is always
stored as a string of alpha numerical data. The shell does not work with concepts like
JintegersK" JrealsK or Jfloating point ariablesK" eerything is a string. &hell ariable
names may consist of upper- or lowercase letters" digits and the underscore. -hite space
is not allowed in ariable names. &ome ariables are predefined by the shell - a number
of them are listed later on. $ll others can be user defined.
To set a ariable within a script an e+ual sign is used#
;"P;1I;=M:Ba"-alue
- 2:! -
-hite space is not allowed anywhere in this construct. If you want to assign a string to a
ariable that contains white space" you either hae to prepend it with a backslash" or put
the string within double or single +uotes" e.g#
;"P;1I;=M:B9a -alue9
Lou can de-reference the ariable name AJfetch its contentsKB by using a dollar-sign in
front of the name of the ariable. ?or example" to print the contents of the ariable set in
our preious example" you could use#
ec2o 3;"P;1I;=M:
&ometimes" we will need to delimit the ariable name itself to preent confusion.
&uppose we hae a ariable named ; and another one named ;; - the following statement
can mean either Jprint the contents of the ariable named ; followed by the literal string
`;aK or it could mean Jprint the contents of the ariable named ;;K#
ec2o 3;;
To preent uncertainty" use curly braces to delimit the ariable name#
ec2o 3U;V; + 3; and string 9;9
ec2o 3U;;V + 3;;
If a ariable is not set" the 34LL alue is returned by default if the ariable is de-
referenced. /oweer" the shell proides a number of notations that allow substitutions if
the 34LL alue was found#
3U-arname.6valueV will return the alue of the ariable -arname if it is not
34LL" otherwise the alue value will be usedQ
3U-arname.BvalueV returns the alue of the ariable -arname if it is not 34LLQ
otherwise" the alue value is used an) the ariable will be set to valueQ
3U-arname.4valueV returns the alue of -arname if it is not 34LLQ otherwise"
value is written to standard error and the script is exited. If value is omitted" then
the message Jparameter. parameter HMM or not setK is written to standard
error insteadQ
3U-arname.XvalueV will substitute value if the ariable contents are not 34LLQ
otherwise" nothing is substituted.
/ere are some examples of the use of substitutions# suppose we hae a script that needs
the ariable M;IMLG set. If we want the script to exit if that ariable was not set" we could
use#
M;IM=GKB3UM;IMLG.49M;IMLG needs to be set9V
%r we might decide that the @$IL(%P defaults to JrootK" like this#
- 2:2 -
M;IM=GKB3UM;IMLG.BrootV
Cariables alues may be de-referenced and reset at will. (ut a ariable can be declared to
be read-only" using the rea)only command#
3 1:;DGHMNB9Doncrete9
3 readonl! 1:;DGHMN
3 ec2o 3U1:;DGHMNV
Doncrete
3 1:;DGHMNB9=ric,9
bas2. 1:;DGHMN. readonl! -ariable
The preious example was run using *ash" the default shell on Linux systems. It is fully
compatible with the original (ourne shell.
The shell uses a number of internal ariables. The alues for these are generally set at
login by parsing the contents of a startup configuration file" e.g." the /etc/pro5ile file
or the .login or .bas2rc script within the home directory of the account. Dnironment
ariables are by no means set in stone and can be altered by the user in most cases.
"a*le 13.11. Co##on =n+iron#ent Naria*les
/%@D the path to the home directory
I?& Internal ?ield &eparator characters. 4sually space" tab and newline
P$T/ colon separated list of directories to search for the command to execute
P&!" P&2 The strings to use as the primary and secondary prompts
P-* The current working directory
&/DLL absolute path to the executable that is being run as the current shell session.
4&D; The name of the user that runs the current session
The scope of ariables within a shell is global Ain *ash" you can use the local keyword
to define local ariables within functionsB. /oweer" there is a catch# subshells - new
shells" spawned by the current shell - do not automatically inherit the ariables of the
calling shellAscriptB. To enable inheritance of a ariable" you need to use the export
keyword. -hen a ariable is exported its data is accessible by its child-processes. &uch a
ariable is called an Jenvironment variableK. &ee the example captured below#

3 cat test
+Q/bin/s2
ec2o 3UaV
exit$
3 aB4
3 ./test
3 export a
3 aB4
- 2:9 -
3 ./test
4
3 "
$lso" a subshell is not able to change the content of the ariable in the calling shell - in
other words# the subshell uses a cop( of the ariable. (y using parentheses" you can force
a subshell to be started. &ee this example#
+Q/bin/s2
export aB4
ec2o 3a
( aB&C ec2o 3a )
ec2o 3a
exit $
This will produce the output#
4
&
4
(pecial +aria*les
-ithin a shell script" a number of special ariables are aailable. They are filled by the
shell on execution and cannot be influenced AsetB by the userQ therefore we will call them
Jenironment pseudo-ariablesK from now on. The table below lists most of them#
"a*le 13.12. Co##on =n+iron#ent Pseu)o Naria*les
3$
The full name of the current script.
3# ..
3&
The first to ninth argument passed to the shell
3+
The number of arguments passed to the shell or the number of parameters set by
executing the set command
3E
The alues of all the positional parameters as a single alue
3@
&ame as U^" except when double +uoted it has the effect of double-+uoting each
parameter
33
The PI* of the current shell
3Q
The PI* of the last program sent to the background
34
The exit status of the last command not executed in the background
36
lists the current options" as specified upon inocation of the shell Asome may be set
by defaultB.
$s you can see" there are JonlyK nine enironment pseudo ariables that represent
parameters. -hat" if you hae more than nine parameters> Lou could use the 3@ or 3E
- 2:2 -
ariable and use a loop Athe section called J(ranching and loopingKB to list all ariables -
like this#
+Q/bin/s2
5or parameter in 93@9
do
ec2o 3parameter
done
exit $
This loop will set the ariable parameter to the next argument and display it. $ssuming
you saed this script as partest" the following session could be run#
3 s2 partest # 2 % 4 ( 6 9se-en is a nice number9 ' & #$ ## #2
#
2
%
4
(
6
se-en is a nice number
'
&
#$
##
#2
3 "
$s an experiment" you might want to replace the 3@ in the partest script with 3E and
rerun the script using the same arguments#
# 2 % 4 ( 6 se-en is a nice number ' & #$ ## #2
3 "
3ow remoe the +uotes" and you would get#
#
2
%
4
(
6
se-en
is
a
nice
number
'
&
#$
##
- 2:5 -
#2
3 "
Lou might experiment a bit further by adding a line that also prints the contents of the 3+
pseudo-ariable. $nother method to iterate through more than < arguments is by using
the special shell keyword s2i5t. $n example that uses another form of looping Athe
section called J(ranching and loopingKB" the >2ile loop" illustrates the s2i5t#
+Q/bin/s2
>2ile ) Q 6z 93#9 *
do
ec2o 9U9 3# 9V9
s2i5t
done
exit $
This program will cycle through all of its parameters and display them" one by one. /ere
is yet another method# use two pseudo-ariables and s2i5t#
+Q/bin/s2
>2ile ) 3+ 6ne $ *
do
ec2o 93#9
s2i5t
done
exit $
$ranching and looping
It is often necessary to conditionally execute parts of your scripts. $dditionally" a number
of methods is implemented which allow you to perform controlled iteration of blocks of
code AloopingB.
The shell supports many branching options. The i5 is used most often. It enables you to
conditionally execute blocks of code. The condition should immediately follow the i5
statement. 3ext comes the block of code to execute" delimited by the keywords t2en and
5i#
i5 UconditionV
t2en
UcodeV
Umore codeV
5i
The condition should ealuate to a alue of ,ero AJtrueKB or one AJfalseKB. The block of
code will be executed if the condition is true. %ptionally" you can use the else keyword
to proide a container for a block of code that will be executed if the condition ealuates
to false#
i5 UconditionV
- 2:: -
t2en
Ucode executed i5 condition e-aluates trueV
else
Ucode executed i5 condition e-aluates 5alseV
5i
.. or" to be concrete#
i5 test #$$ 6lt #
t2en
ec2o 9#$$ is less t2an # 6 5ascinating..9
else
ec2o 9# is less t2an #$$. SoO >2at else is ne>49
5i
-e made use of the shell built-in command test in this example. test ealuates logical
expressions and is often used to form the condition for looping and branching
instructions. test takes boolean statements as its argument and returns a alue of ,ero or
one. The shortened form of the test command is formed by enclosing an expression in
s+uare brackets )*" like this#
i5 ) #$$ 6lt # *
t2en
ec2o 9#$$ is less t2an # 6 5ascinating..9
else
ec2o 9# is less t2an #$$. SoO >2at else is ne>49
5i
(e certain to include white space between the s+uare brackets and the statement. The test
command is often used in con'unction with the shell)s boolean operators. This relies on
the shell)s behaior to ealuate 'ust enough parts of an expressions to ensure its outcome#
) 3NG1"IHFL B 9boo29 * [[ ec2o 9;re !ou a co>49
The part of the expression to the right of the double ampersands Aboolean $3*B will
neer ealuate if the part to the left ealuates to false. The else keyword can be followed
by another if keyword" which allows nesting#
i5 ) #$$ 6lt # *
t2en
ec2o 9#$$ is less t2an #. Iascinating..9
else
i5 ) 2 6gt # *
t2en
ec2o 92 is bigger t2an #. Iigures.9
else
ec2o 9# is bigger t2an 2. Iascinating..9
5i
5i
- 2:7 -
The examples gien so far are" of course" not ery realistic" but sere the purpose of
clarifying the concepts. In practice" testing is mostly done against ariables" as
demonstrated in the following example Awhich demonstrates a shorter form of the else ...
if statements# the elif statement. It allows se+uential matching of conditions without the
need to nest if.. then.. else .. fi constructsB#
+Q/bin/s2
P;1B2

i5 ) 3P;1 6eS # *
t2en
ec2o 9Gne.9
eli5 ) 3P;1 6eS 2 *
t2en
ec2o 9L>o.9
else
ec2o 9Hot #O not 2O but 3P;19
5i
$nother branching mechanism is the case construct. The syntax for this construct is#
case U-ariableV in.
Uexpression6#V) UcodeV CC
Uexpression62V) UcodeV CC
esac
The case construct is used to test the contents of a ariable against a regular expression
Aas described in the section called J;egular DxpressionsKB. If the expression matches" a
corresponding block of code will be executed. That block starts after the closing
parenthesis and should be terminated using a se+uence of two semi-colons ACCB. If a
matching expression is found" the script will continue 'ust after the esac statement. $n
example#
ManguageB9Dobol9

case 3UManguageV in
â-aT7a-a) ec2o 9â-a9CC
=;SID) ec2o 9=asic9CC
D) ec2o 9;2O a master..9CC
E) ec2o 9;not2er language9CC
esac
3ote the use of the the wild card JE)K" which matches any pattern. If none of the other
expressions match the ariable" the script prints a default message.
Loops iterate through a block of code until or while some condition is met. Conditions
might be" for example" that a list of alues is exhausted" a command returned a true or
- 2:8 -
false alue or a gien ariable or set of ariables reached a alue. -ithin a P%&IP shell
there are three types of loops# the 5or" >2ile and until constructs. Preiously" we gae
you two examples of looping# the 5or and the >2ile loop. $ few additional examples
will" hopefully" clarify their proper use#
for loops. the syntax for a for loop is
5or U-ariablenameV in Ulist6o56-aluesV
do
UcommandV ...
done
Ulist6o56-aluesV is a whitespace separated list of alues. This type of loop fills the
ariable named in U-ariablenameV with the first element of the list of alues and iterates
through the commandAsB. It keeps iterating until all alues of the list hae been processed"
or the loop is terminated otherwise" e.g." using the *reak command. ?or example#
3 cat list.s2
+Q/bin/s2
+ t2is loop lists some numbers
+
5or P;M: in #& 2 # % 4 & 2 # & ## #4 %%
do
ec2o 6n 93P;M: 9
done
ec2o
exit $
3 s2 list.s2
#& 2 # % 4 & 2 # & ## #4 %%
3 "
It is possible to use the output of a command to generate a list of ariables" and this can
be combined with elements you define yourself" as is demonstrated in this capture of a
session#
3 cat ./count
+Q/bin/s2
+ t2is loop counts 5rom # to #$
+
5or P;M: in zero ZseS %Z
do
ec2o 3P;M:
done
exit $
3 s2 count
zero
#
2
%
3 "
- 2:< -
$ 5or loop expects its parameters to be literal strings. /ence" execution of the seC
program is forced by putting its name and parameters between backticks. %therwise" the
loop would 'ust iterate the loop using the strings JzeroK" JseSK and J%K to fill the P;M:
ariable.
$ny loop can be terminated prematurely using the *reak statement. Dxecution of the
code will be resumed on the first line after the loop" for example" this code snippet will
print 'ust J;K Aand not J=K and JDKB#
5or -ar in ; = D
do
brea,
ec2o 9t2is >ill ne-er be ec2oed9
done
ec2o 3-ar
If" for some reason" the remaining part of the code within a loop needs not be executed"
you can use the continue statement.
5or -ar in ; = D
do
ec2o 3-ar
continue
done
The code snippet aboe will print
;
=
D
while loops. If you want to execute code #hile some condition holds true" you can use
the >2ile statement. $ >2ile function executes statements within a corresponding do ..
done block" e.g.#
>2ile true
do
done
ec2o 9t2is is ec2oed9
In our example" we used the common program true" which will 'ust exit with an exit code
$ A,eroB. Its counterpart" false will 'ust exit with the alue #. 3ote that a >2ile loop
expects a list" much as the 5or loop does. The >2ile loop" howeer" expects a list of
executable commands rather than a list of ariables. $s long as the last command in the
list returns ,ero" the commands delimited by the do .. done keywords will be executed#
>2ile
5alse + returns #
- 27. -
ec2o 9be5ore9 + returns $ 6A code >it2in do..done bloc, >ill
be executed
do
brea,
done
Dxecution of this code would result into the following output#
be5ore
t2is is ec2oed
3ote" howeer" that you almost neer see more then one command within the list. %ften"
this will be the test program. $s you see" this loop-type can also be terminated
prematurely using the *reak command.
>2ile true
do
brea,
done
Lou can force execution of the next iteration by using the continue command#
stopB$
>2ile test 3stop 6ne #
do
stopB#
continue
done
The example aboe also demonstrates the aforementioned usage of the program called
JtestK. ;emember# test alidates the expression formed by its arguments and exits with a
alue of true A.B or false A!B accordingly" see the manual page for test(1!.
Note
The *ash shell has a built-in ersion of test. It is described in the manual page of bash.
until loops. The until function is ery similar to the >2ile function. It too expects a list
of executable commands" but the corresponding block of code - again delimited by the do
.. done statements - will be executed as long as the last command in the list returns a
non-zero alue#
until true
do
- 27! -
done
The following example lists the alues from ! to !.#
;B$
until ) 3; 6eS ## *
do
;BZexpr 3; X #Z
ec2o 3;
done
3ote the method used to increment the alue of a ariable" using the execution
AbackticksB of the expr tool.
(unctions
?unctions are 'ust a set of shell commands grouped together under a uni+ue name. %nce a
function has been defined" you can call it using its name as if it was a standalone
program. &hell functions allow programmers to organi,e actions into logical blocks.
Instead of haing to repeat the same lines oer and oer again" which would result in long
scripts" performance penalties and a far bigger chance of erroneous code" similar lines of
code can be grouped together and called by name. This stimulates modular thinking on
behalf of the programmer and proides reuse of code. It is also easier to follow the
script)s flow.
$ function is defined by declaring its name" followed by a set of empty parentheses ()
and a body" denoted by curly braces UV. -ithin that body the commands are grouped"
e.g.#
+Q/bin/s2
dprint() U
i5 ) 3D:=J *
t2en
ec2o 9Debug. 3E9
5i
V
dprint 9at begin o5 main code9
exit $
&ae this script in a file named td. Try running it. It will output nothing. 3ow set and
export the D:=J ariable and run it again#
3 export D:=JB#
3 ./td
Debug. at begin o5 main code
3 "
- 272 -
The i5 ... t2en construct used within the function will be explained later on. $
number of things can be obsered here. ?irst of all" the function needs to be declared
before it can be called. $lso" the method to call a function is demonstrated# simply use its
name. $s you see" you can specify parameters. 3ote that the definition of the function
does not re+uire specification of the number of parameters. -hen calling a function you
are free to specify as many parameters as you would like. Lou will need to write code
within the function to ensure that the proper number of parameters is passed. The 3E
pseudo-ariable can be used within the function to list Aif anyB the argumentAsB. Indeed"
pseudo-ariables 3#..3&" 3+" 3@ and 3E are all aailable within the function as well" and
differ from the pseudo-ariables with the same name within the script. To demonstrate
this" sae the following program in a file named Jtd2K#
+Q/bin/s2
5# () U
ec2o 9in 5unction atB9 93@9
ec2o 9in 5unction 2as2B9 93+9
ec2o 9in 5unction starB9 93E9
V

ec2o 9in main script atB9 93@9
ec2o 9in main script 2as2B9 93+9
ec2o 9in main script starB9 93E9
5# one 5le> o-er t2e cuc,oos nest
exit $
;unning it" with the specified command" will hae the following result#
3 s2 ./td2 coo coo
in main script atB coo coo
in main script 2as2B 2
in main script starB coo coo
in 5unction atB one 5le> o-er t2e cuc,oos nest
in 5unction 2as2B 6
in 5unction starB one 5le> o-er t2e cuc,oos nest
3 "
Though functions do not share the set of pseudo-ariables with the rest of the script" they
do share all other ariables with the main program. If a function changes the content of a
ariable or defines a new one" its contents will be aailable in the main script as well. The
following script clarifies this#
+Q/bin/s2
S:L"; () U
;B9ne>9
=B9bee9
V
;B9old9
- 279 -
ec2o 3; + >ill displa! 9old9
S:L"; + sets -ariable in script
ec2o 3; + >ill displa! 9ne>9 no>
ec2o 3= + and t2is >ill displa! 9bee9
exit $
%n most modern P%&IP-compliant shells they will work 'ust fine" to aoid confusion" it
is best to refrain from using ariables and functions with the same name in one script.
Lou are allowed to use recursion - in other words# you are allowed to call a function
#ithin itself. /oweer" it is important to proide some sort of escape" otherwise your
script will neer terminate#
+Q/bin/s2
call"me"4"e-er() U
ec2o 92elloQ9
call"me"4"e-er
V
call"me"4"e-er
exit $
This script will run foreer" happily printing out greetings. $ more usable example
follows. Please study it carefully - it demonstrates arious concepts we will explain later
on.
/6666666666666666666666666666666666666666666666666666666666666666666
666
$# T +Q/bin/s2
$2 T
$% T seSpes() U
$4 T
$( T 5ail()
$6 T U
$0 T ec2o 5ailed. 3E
$' T exit #
$& T V
#$ T
## T ) 3+ 6eS % * TT 5ail argument error
#2 T
#% T local zBZexpr 3# X 3%Z
#4 T
#( T ec2o 3#
#6 T ) 3z 6le 32 * [[ seSpes 3z 32 3%
#0 T ec2o 3#
#' T V
#& T
2$ T seSpes 3# 32 3%
2# T
- 272 -
22 T exit $
/6666666666666666666666666666666666666666666666666666666666666666666
666
,an (ou figure out #hat this program doesF Probably not. @any people need to run this
first to understand its function.
The example illustrates the concept of recursion" nested functions" local ariables and
alternate testing syntax. ?or those of you who look at this script with awe" it may come as
a surprise to learn that this is a ery typical example of illegible code. Lou are not
supposed to write code like this Asee the section called J&ome words on coding styleK for
an explanation why notB.
That said" lets look at the improed ersion#
/6666666666666666666666666666666666666666666666666666666666666666666
666
$# T +Q/bin/s2
$2 T
$% T + L2is script prints seSuences o5 -aluesO counting up 5irstO
$4 T + t2en do>n again. It needs % parameters. t2e start -alueO
$( T + t2e maximal -alue and t2e increment. It uses recursion
$6 T + to ac2ie-e t2is. See t2e comment be5ore t2e 5unction
$0 T + seSpes() 5ound belo> 5or an explanation.
$' T
$& T + 5ail() prints its arguments and exits t2e script >it2 an
#$ T + error code (#) to signal to t2e calling program t2at
## T + somet2ing >ent >rong.
#2 T +
#% T 5ail()
#4 T U
#( T ec2o 5ailed. 3E
#6 T exit #
#0 T V
#' T
#& T
2$ T + seSpes() needs % arguments. t2e current -alueO t2e maximal
2# T + -alue and t2e increment to use. It >ill print t2e current
22 T + -alueO increment it >it2 t2e increment to use and t2en >ill
2% T + create a ne> instance o5 itsel5O >2ic2 acts li,e>iseO
24 T + until t2e printed result is eSual or bigger t2an t2e maximal
2( T + -alue. :ac2 time t2e 5unction is called b! itsel5O a ne> set
26 T + o5 pseudo6-ariables (3#..3%) is created and ,ept in memor!.
20 T + R2en t2e maximal -alue 5inall! 2as been reac2edO t2e last
2' T + 5unction exits and gi-es control bac, to t2e 5unction t2at
2& T + called itO >2ic2 acts li,e>ise until t2e calling
%$ T + program 5inall! regains control. L2is ;SDII art tries to clari5!
%# T + t2is.
%2 T +
%% T + seSpez # % #
%4 T + print 3# ............ (#)
%( T + T seSpez 2 % #
%6 T + T print 3# ......... (2)
%0 T + T T seSpez % % #
- 275 -
%' T + T T print 3# ...... (%)
%& T + T T print 3# ...... (%)
4$ T + T T 3#B%
4# T + T print 3# ......... (2)
42 T + T ?66exit
4% T + print 3# ............ (#)
44 T + ?66exit
4( T +
46 T seSpes() U
40 T
4' T + print t2e current -alue and calculate t2e next -alue
4& T +
($ T ec2o 3#
(# T next"-alueBZexpr 3# X 3%Z
(2 T
(% T + c2ec, i5 >e alread! surpassed t2e maximal -alue
(4 T +
(( T i5 ) 3next"-alue 6le 32 *
(6 T t2en
(0 T + >e need anot2er iteration.
(' T seSpes 3next"-alue 32 3%
(& T 5i
6$ T
6# T + Done. Frint t2is -alue once more.
62 T ec2o 3#
6% T V
64 T
6( T + L2e script starts 2ereO and c2ec,s its parameters. Hote t2at
66 T + t2e code t2at -alidates t2e arguments is -er! incompleteQ Re
60 T + 7ust c2ec, 5or t2e number o5 argumentsO not 5or t2eir -aluesO
6' T + 5or example. L2is segment de5initel! lac,s Sualit!.
6& T +
0$ T i5 ) 3+ 6ne % *
0# T t2en
02 T + print and exit
0% T 5ail argument error
04 T else
0( T + call recursi-e 5unction
06 T seSpes 3# 32 3%
00 T 5i
0' T
0& T exit $ + tell calling program all >ent >ell
/6666666666666666666666666666666666666666666666666666666666666666666
666
$s you see" this code has almost four times the amount of lines our preious example
had. /oweer" it uses a more generic syntax" has many lines of comments and does not
use local ariables and nested functions. It works 'ust as well as the preious example and
is self-explanatory - hence" nothing more needs to be said about it.
)ere documents
$ so-called here document allows you to use a series of text-lines directly from a shell
script as input for a command. The following example will print a help-text#
- 27: -
/6666666666666666666666666666666666666666666666666666666666666666666
666
$# T+Q/bin/s2
$2 T
$% Tusage()
$4 TU
$( T cat ?? :HDD;L
$6 T se 3$ as 5ollo>s.
$6 T 3$ spec
$' T >2ere spec is one o5 t2e 5ollo>ing.
$& T red 6 to select red output
#$ T green 6 to select green output
## T blue 6 to select blue output
#2 T:HDD;L
#% T
#4 T exit #
#( TV
#6 T
#0 Ttest 6z 93#9 [[ usage
#' T
#& T.... t2e rest o5 t2e script ...
/6666666666666666666666666666666666666666666666666666666666666666666
666
This program will check in line !7 if the first argument is present Aa way to test if any
arguments were gien at allB. If not" the program will call a function called usage. Inside
usage a here-document is used to feed the usage text to cat. The here-document starts in
line $( and ends in line #2. It consists of#
?? Aline .5B followed by#
a label definition A:HDD;L here" line .5B.
a closing label# :HDD;L in line !2. The closing label #ust start at the left Aas
shownB and must be spelled exactly like the label definition Ain line .5B.
The text between the begin and end of the here document Athat is text in lines .: until !!B
will be passed to cat" which will display it. The output of the usage function Asupposing
that the script is called m!setcolorB will be#
se m!setcolor as 5ollo>s.
m!setcolor spec
>2ere spec is one o5 t2e 5ollo>ing.
red 6 to select red output
green 6 to select green output
blue 6 to select blue output
Note
ere-documents can be controlled in seeral ways. ?inding these out is left as an exercise
to the reader.
- 277 -
/dvanced topics
(y now you should hae learned enough to pass the LPIC-2 exam. /oweer" shell
programming is an art in itself. It goes well beyond the scope of this book to teach you
eerything there is to know about it. %n a number of topics" if you would like to read
further" please check the bibliography. $mongst the topics perhaps warranting further
study are#
how to include external scripts in your own Adotting in scriptsB
how to use arithmetic within your script
how to trap signals sent to your script
how to use in-line redirection
setting parameters using JsetK
how to use the e+alBexec commands
Debugging scripts
To trace a script)s execution" you can use the command set. The option 6x causes the
shell to print each command as it is ealuated. &etting this option also enables a scripter
to see the results of ariable substitution and file name expansion. The 6- option instructs
the shell to print a command before it is ealuated. 4sing both parameters enables you to
study the inner workings of the script" howeer it results in a rather elaborate and
sometimes confusing output. To switch off debugging" use the JXxK option.
Dxperienced shell programmers often use debug functions and statements to debug a
script. ?or example#

+Q/bin/s2
D:=JB# + remo-e t2is line to suppress debugging output
debug()
U
) 3D:=J * [[ ec2o D:=J. 3E
V
RG1MDB9Rorld9
debug 9RG1MD B 3RG1MD9
ec2o 9Yello Rorld9
debug 9:nd9
(y setting the D:=J ariable" you can control whether or not debugging output will be
sent. If you are done debugging" you can either remoe the JdebugK lines and function or
leae them alone and remoe the line that sets D:=J.
- 278 -
Lou can use your own set of debugging functions to temporarily stop or delay execution
of your script. (y using the power that 4nix gies you" you can een write a ery basic
debugger that enables you to set breakpoints and interactiely iew the enironment. &ee
the example below#

+Q/bin/s2

D:=JB# + remo-e t2is line to suppress debugging output

debug"print()
U
) 6z 93D:=J9 * TT ec2o D:=J. 3E
V

debug"brea,point()
U
>2ile ) Q 6z 93D:=J9 *
do
ec2o 9D:=J. Y:MD :K:DLIGH. (S)uitO (e)n-ironment or
(c)ontinue49
stt! ra>
stt! 6ec2o
;BZdd i5B/de-/tt! countB# ibsB# 2A/de-/nullZ
stt! 6ra>
stt! ec2o
case 3; in
ST_) exitCC
eT:) setCC
cTD) brea,C
esac
done
V
debug"dela!()
U
) 6z 93D:=J9 * TT sleep 3#
V

RG1MDB9Rorld9
debug"print 9RG1MD B 3RG1MD9
ec2o 9Yello Rorld9
debug"print 9:nd9
>2ile true
do
ec2o 9loop..9
debug"brea,point
debug"dela! #
done
This script demonstrates a number of techni+ues - we leae it up to you to study them as
an exercise. 3ote" that the techni+ues used aboe will only work for interactie scripts -
- 27< -
that is# scripts that hae a controlling tty. Try running this script" both with and without
the D:=J flag.
+ome ords on coding style
The power of the 4nix programming enironment tends to seduce a lot of programmers
into writing unreadable code. %ften" the argumentation is that terse code will be more
efficient. In practice" this is often not true. $dditionally" many noice programmers tend
to try to Jshow offK their knowledge. @any scripts are written that are barely readable
and hae no indentation. (ad code uses shortcuts" nesting and recursion wheneer
possible and uses uncommon constructs. $ll this is then spangled with esoteric regular
expressions. Gou must never #rite code like this" ;emember9 (ou are almost a certified
professional" The main reason (ou #ill be hired is not to impress (our peers? but to
enable others to do their #ork - including (our peers"
6ood programmers are consistent in how they write. They 'udge code readability to be
more important than AminorB performance gains. They refrain from things like nested
functions or functions that bear the same name as a ariable. They user proper
indentation and test their programs. They also test if their newly-written program really
works. execute" e.g. ?or example#
.. code ..
cd 3RG1KDI1
i5 ) 34 6ne $ *
t2en
ec2o could not c2ange to 3RG1KDI1
exit #
5i
.. more code ..
$ good programmer spends a lot of time documenting his work" both inside the code and
in separate documentation. /e is aware that some of his peers may lack his skills and
therefore tries to use the simplest approach to sole a problem. /e uses plain Dnglish to
clearly and succinctly explain how his code works. /e refrains from snide remarks" the
usage of weird acronyms and emoticons. In general# be brief? but complete.
9sing sed
sed is an abbreiation of stream editor. It can edit information on the fly while reading
information from either standard input or one or more files.
$s shown in the section called J;egular DxpressionsK" se) operates with the classic
;egular Dxpressions. The ;egular Dxpressions described here are alid for 634 sed Athe
examples are tested with 634 sed ersion 9..2B. 3ote that ery old" non-P%&IP
compliant ersions of se) may not hae the extra multipliers and grouping support.
- 28. -
$ehaviour
3ote that se) will pass all information it reads on to standard output by default.
&ince we can control information when it is processed by se)" we can delete part of the
information before it reaches standard output or we can change part of the information so
that what comes out on standard output is different from what was read.
(ut" if we do not interene" information is shown as-is by se).
There is also the possibility of reverting this behaior. -hen the 6n option is specified"
se) will only show information when explicitly asked to do so.
Calling sed
There are two ways to call sed. In the first form" se) reads from standard input#
... T sed HflagsI $sed expression$
In the second form" se) will read information from one or more files#
sed HflagsI $sed expression$ file/s3
The crucial part in both forms is the sed expression. The sed expression specifies what
will be done to the information. -hat it looks like will be discussed further on. /ow a
sed expression is specified is shown here.
Note
The sed expression may contain spaces and characters that are sub'ect to shell expansion.
To preent expansion by the shell" the complete sed expression must be embedded in
single forward +uotes" as shown aboe. se) will not see these +uotes.
-hen multiple sed expressions are desired" each must hae a 6e flag before it. The first
form#
... T sed 6e $sed expr1$ 6e $sed expr0$
The second form#
sed 6e $sed expr1$ 6e $sed expr0$ file/s3
"he sed expression
The sed expression allows you to control the information passing through se). It can"
howeer" hae many different forms.
- 28! -
The general form of a sed expression is
addresssedcommand
That is# an address immediately followed by a sedcommand. If address is alid for a line
of information" then sedcommand will be applied.
$n address can be a ;egular Dxpression Abetween slashesB" or it can be a line-number
specification. &ome sedcommands may need extra additions.
2egular =xpression specification. $ form with a ;egular Dxpression specification as
address looks like#
/regex/sedcommand
$n example of this is#
/B/d
The ;egular Dxpression specification is /B/" the sedcommand is d. Together" these tell
se) not to display lines that contain an B character.
Line nu#*er specification. The address can be a line-number specification
Aabbreiated as linespecB#
linespecsedcommand
Athat is# linespec immediately followed by sedcommandB. The linespec is a specification
of line numberAsB. They can be specified as a single number or as a range# two numbers
with a comma between them. $n example of this is#
#O%d
The result of this is that the first three lines read by se) will not be shown. The other lines
will" of course" be shown.
"he most fre:uently used sedcommands
The delete and substitute commands are probably the most fre+uently used commands.
"he )elete co##an)
The general form is
addressd
- 282 -
That is# address immediately followed by a d. 4sing this" se) will omit the information
that matches address from the information that is being processed by se). Information
not matching address will" of course" be passed on.
$n example of this is#
sed W#dW /etc/pass>d
This command line will result in all lines of /etc/pass>d" except the first one" to
standard output Athe screen in this caseB.
This is another example" using a range#
sed W#O#$dW m!5ile
This will cause the contents of m!5ile to be shown" minus the first ten lines.
4sing a ;egular Dxpression as address works the same way#
sed W/\3/dW m!script T less
This will pass all non-empty lines from m!script to the less command.
$ little extension#
sed W/\ E3/dW m!script A ne>script
/ere the result will be that all lines in m!script" except those that contain nothing or
only spaceAsB" will be written to ne>script.
"he su*stitute co##an)
-ith the substitute command" you can change some of the information before it is sent to
the standard output. The other information will go there as well" but unchanged.
The most general form of the substitute sedcommand is#
addresss/regex/replacementstring/modifiers
The address works as a line selector" as shown earlier. The address part can be omitted"
in which case the substitute is attempted on all lines. The modifiers can also be omitted"
in which case the defaults apply Amore on this laterB. &ince both the address and the
modifiers can be omitted" a simplified command would look like this#
s/regex/replacementstring/
- 289 -
This format" of course" is ery famous.
The substitute works as follows# the part of the line on which regex fits is replaced by
replacementstring.
se) reads its information line by line" as do many other 4nix commands. $ substitute
works only once per line# the first location Aseen from the leftB where the ;egular
Dxpression matches is replaced by the replacementstring.
This behaior can be changed by the g modifier. -hen the g modifier is specified" each
part of the input string where the ;egular Dxpression fits is replaced by the replacement
string. The g AglobalB means# as many times as possible within the input line.
3ow" let)s look at this in practice. &uppose the following information is generated by
echo#
ec2o 2ttp.//>>>.x.z/YLMM Iiles/Fag #.2tml T sed Ws/ /]2$/W
In this example" the input string contains two spaces. The se) command-line replaces one
space Athe firstB by ]2$. &o the result will be#
2ttp.//>>>.x.z/YLMM]2$Iiles/Fag #.2tml
That is" the first space is replaced by ]2$" the second is not.
Note
-hat is shown here corresponds to the so-called urlencoding. (ut this is not completely
coered here. $t least" percent signs in the input should be replaced first.
To replace all spaces" the g modifier needs to be specified#
ec2o 2ttp.//>>>.x.z/YLMM Iiles/Fag #.2tml T sed Ws/ /]2$/gW
3ow the result is#
2ttp.//>>>.x.z/YLMM]2$Iiles/Fag]2$#.2tml
That is" *oth spaces are replaced by ]2$.
&uppose you)e got a file containing lines with 4;Ls as well as lines containing other
information. Lou want to replace spaces in the 4;Ls" *ut only in the 92Ls. In this case"
an address can be used to select the 4;Ls#
/\2ttp./s/ /]2$/g
&uppose file m!stu55 contains the following#
- 282 -
2ttp.//a.b.c/Item #/index Main.2tml
some ot2er in5ormation on a separate line
2ttp.//a.b.c/Item 2/index Subpage.2tml
This file can be processed as follows#
sed W/\2ttp./s/ /]2$/gW m!stu55
The output will be#
2ttp.//a.b.c/Item]2$#/index]2$Main.2tml
some ot2er in5ormation on a separate line
2ttp.//a.b.c/Item]2$2/index]2$Subpage.2tml
/utputting change) lines only
;ecall that the 6n flag reerses the behaior of se)# information read is not passed on by
default. To show information some action must be taken. The substitute command has a p
modifier that does exactly that# outputting those lines that are changed. 4sing both the 6n
flag and the p modifier together will output only those lines that are changed.
sed 6n Ws/regex/replacement/pW infile/s3
$nother example is this#
sed 6n Ws//b)Ml*inux/b/MIHK/pW txt5ile
This will read all lines from txt5ile" but show only lines that contain either linux or
Minux with both linux and Minux replaced by MIHK.
"he 9A the #atching part
The precise part of an input line on which the ;egular Dxpression matches is represented
by [" which can then be used in the replacement part. $n example is Asplit across lines for
readabilityB#
ec2o Ho> is #( Ieb 2$$2 T /
sed Ws/)$6&*/U#O2/V /X);6<a6z*)a6z*/X/B[B/W
This will replace the date part with the date surrounded by B characters. The part of the
input that does not match the ;egular Dxpression is not replaced. Instead it is shown
literally. &o the output is#
Ho> is B#( IebB 2$$2
- 285 -
Grouping in sed
6rouping can be used in se)" at least in the 634 ersion that is used by default in Linux.
$ group is opened with J/(K Aa backslash and an opening parenthesisB and closed with
J/)K Aa backslash and a closing parenthesisB. 6rouping can be used in combination with
back-referencing.
7ack@references
;emember that a back-reference is the re-use of a part of a ;egular Dxpression selected
by grouping.
(ack-references in se) can be used in both a ;egular Dxpression and in the replacement
part of the substitute command.
?or example" the following will not show lines in files 5# and 52 that contain four
identical uppercase-letters#
sed W//();6<*/)/#/#/#/dW 5# 52
The following substitute will replace each series of four identical uppercase-letters by
four K characters#
ls 6la T sed Ws//();6<*/)/#/#/#/KKKK/gW
The following sedexpression places any uppercase-letter between s+uare brackets#
s//();6<*/)/)/#*/g
;emember that the replacement part is not a ;egular Dxpression" so the s+uare brackets
are literal characters.
?or example#
ec2o Yello L2ere T sed Ws//();6<*/)/)/#*/gW
The output of the aboe command line will be#
)Y*ello )L*2ere
2eplacing the whole input
;emember that a se) substitute command will replace only the part on which the ;egular
Dxpression matches. Parts of the line that do not match are sent unchanged to the
standard output.
-hen you )o want to match the whole line" the following must be true#
- 28: -
!. the ;egular Dxpression must match the complete line
2. the desired part must be selected using grouping
Let)s look again at the date example discussed earlier Asplit across lines for readabilityB#
ec2o Ho> is #( Ieb 2$$2 T /
sed Ws/\.E/b/()$6&*/U#O2/V /X);6<a6z*)a6z*/X/).E3//#/W
The output is exactly#
#( Ieb
*o not forget the /b word-boundary anchor# without it" the .E will match too many
characters.
%hite space
;emember that se) uses the classical ;egular Dxpressions" in which there is no easy way
to specify a tabulation character.
In modern" 634 ersions of se)" P%&IP character-classes are accepted" so )).blan,.**
and )).space.** can be used to match white space. /oweer" since P%&IP support
Are+uired by some goernmentsB is not yet present on all non-Linux systems" the use of
P%&IP character-classes may be non-portable.
/dvanced sed
Lots of things can be done with se). $mong se))s facilities are command-grouping and
pattern-space. Things might grow too complex to use on the command line" so this
section will show how to use a separate file with se) commands.
Putting sedcommands in a file
It is is possible to store indiidual sed expressions in a so-called Jsed script-fileK. Dach
line should contain exactly one sed expression. There should be no +uotes around the sed
expressions in the sedfile#
s/red/green/
/blue/d
The sed script-file can be called by se) using the 65 flag. The first form#
... T sed 65 sedfile
The second form#
sed 65 sedfile file/s3
- 287 -
%ther flags can be added Ae.g. 6nB *efore the 65 flag or after sedfile. The 65 and sedfile
should be used together. *o not put other parameters between 65 and sedfile.
Consider for example" the following se) command#
sed 6e Ws/?titleA/title(/W 6e Ws/?//titleA/)/W 5#
This can be put in a special sed command-file. -e call it c2gtitle.sed#
s/?titleA/title(/
s/?//titleA/)/
3ow all we hae to do is#
sed 65 c2gtitle.sed 5#
This is the contents of file 5##
?titleA:-er!t2ing about sed?/titleA
The output of the se) command line will be#
title(:-er!t2ing about sed)
4sing a separate sedfile allows you to do more complex things. $mong these are
command grouping and the pattern buffer.
Co##an) grouping
se) commands" such as d or s" can be grouped. This can be explained using an example
task# an $&CII art table that should be conerted into html.
&uppose" the file orgtable contains the following table in ascii art#
Lable #
2$6% %64 #$64 #064 #6( '6( #(6( 226( (66 #&66 pct
6666666666666666666666666666666666666666666666666666666
T TX( T T T6& T6' T66 TX2b TX# TX' T (0]T
T62b TX'b T66b T6& TX#b TX0 TX'b TX#c TX6 T60 T 6$]T
TX0b T60 T66 TX2c TX#$cTX# T T6& T TX%b T 6%]T
-e want to conert the lines inside the table into html. The first line should look like this
after conersion#
?L1A?LDA[nbspC[nbspC?/LDA?LDAX(?/LDA
?LDA[nbspC[nbspC?/LDA?LDA[nbspC[nbspC?/LDA
?LDA6&?/LDA ?LDA6'?/LDA ?LDA66?/LDA ?LDAX2b?/LDA ?LDAX#?/LDA
?LDAX'?/LDA
?LDA(0]?/LDA ?/L1A
- 288 -
To accomplish this" we hae to make seeral substitutions" among them the substitution
of white space into JZnbspQK Athe non-breakable-space character in /T@L. -e only
want to do this in the table entries Athat is# all lines that start with a TB" not in the table
header. The following commands in the sedfile called 2tmlise.sed will replace only
those lines that start with a T#
/\T/s/\T/?L1A?LDA/
/\T/s/T3/?//LDA?//L1A/
/\T/s/T/?//LDA?LDA/g
/\T/s/ /[nbspC/g
/\666/d
$s a bonus it gets rid of the dashed line.
Note
The literal slashes in the replacement part need to be prefixed by a backslash to preent
se) from mixing it up with the slash separator.
/ere is the complete call to conert the contents of orgtable to html using
2tmlise.sed#
sed 65 2tmlise.sed orgtable
There is another way to write the same thing. $s can be seen" the address /\T/ is used
four times. Commands can be grouped by using the same address followed by the same
commands inside curly braces. This is a so-called command group#
/\T/ U
s/\T/?L1A?LDA/
s/T3/?//LDA?//L1A/
s/T/?LDA?LDA/g
s/ /[nbspC/g
V
/\666/d
-e begin by matching eery input line with the /\T/ pattern. If this matches" all the
commands between the curly braces are applied to this line. The first and the last ertical
bars are exceptions because they need only J?L1A?LDAK Arow and cell open in /T@LB
and J?/LDA?/L1AK Acell and row close in /T@LB" so we substitute them first. 3ext we
substitute each remaining ertical bar with J?/LDA?LDAK pattern. Last" we substitute each
space by J[nbspCK.
Note
-hite space at the start of a command is allowed" so you can indent your script to reflect
the grouping of the commands. Lou cannot put whitespace after a command# the end of a
- 28< -
command must be either a newline or a semicolon. The semicolon is not part of the
P%&IP standard" but is supported in the 634 ersion of se).
"he pattern *uffer
&uppose you want to match a fixed group of words" such as a name" but they are not on
the same line. ?or example" in a manual you want to change the words Jlocal unix
guruK into JMocal :xpertK. (ut" the word JlocalK could be on one line and the words
Junix guruK on the next. This would be hard to match with the commands discussed so
far. Dnter the pattern buffer.
The pattern buffer is the place where the current line is stored Athat is# the buffer to which
the ;egular Dxpression is matchedB. This is the buffer on which the commands are
executed and which is printed after the last command is finished. Lines can be added to
this buffer by using the H command. -hen the new line is appended to the former" a
ne#line character is inserted between them.
It is now possible to match input like this#
Nesterda!O our local
unix guru explained t2at ...
In this case" we hae to match eery combination in which the words can be diided oer
two lines Athree possibilitiesB. Den better# we can first remoe the ne#line character. %ur
sedfile would look like this#
/local/ U
H
s/ E/n/ /
s/local unix guru/Mocal :xpert/
V
The output will be#
Nesterda!O our Mocal :xpert explained t2at ...
There is still a small problem though. -hen you run this script on the following input" the
result might be not +uite what you expect. /ere is the input#
R2en all else 5ailsO as, !our local unix guru.
L2is is an extra indented line.
L2is stor! >as broug2t to !ou b!.
!our local unix guru
The result is#
R2en all else 5ailsO as, !our Mocal :xpert.
- 2<. -
!our local unix guru
?irst" the empty line before L2is is an extra ... has been remoed. This is probably
not what we intended. &econd" the last line is unchanged Ain some non-634 ersions of
se)" the last line may disappear because se) crashesB.
The problem is that the pattern we looked for Ai.e." localB was on one line. &o we did not
hae to read the second line before making the substitution. (ecause we did so anyway
the newline was remoed and the empty line was added to the line that contained the
match. The second time this happened" the ;egular Dxpression of the substitute command
did not find a second line" so the last line of input is not changed at all.
To fix this we could add a rule to match the pattern when it appears completely on one
line. This gies us the following script
/local/ U
H
s/ E/n/ /
V
The output now becomes#
R2en all else 5ailsO as, !our Mocal :xpert.
!our Mocal :xpert
3ote that this is the only way to remoe newlines from a file with se). (ecause it
operates on one line at a time" it normally ignores the newline. &o you can)t match it"
unless you add the next line to the pattern buffer. -hen you do that" the newline is
reinserted" and you can match it using J/nK.
1 stan)@alone se) script
Let)s go back to the 2tmlise.sed file used earlier. If you are getting bored of typing se)
@f ht#lise.se)" consider making this a stand-alone sed script. That is a sed script-file that
becomes a command of its own.
?irst" start by adding a line at the beginning#
+Q/bin/sed 65
- 2<! -
%f course" the location of the se) program may be different.
The total file will now look like this#
+Q/bin/sed 65
/\T/ U
s/\T/?L1A?LDA/
s/T3/?//LDA?//L1A/
s/T/?LDA?LDA/g
s/ /[nbspC/g
V
/\666/d
3ow rename it to 2tmlise" install it in a directory that is named in the F;LY enironment
ariable" gie it execute permission" and you are ready to run the command eerywhere#
2tmlise orgtable
9sing awk
awk is an interpreted language" used mostly to extract metadata from data files. It can be
used to select rows and columns from a file and to calculate deried data" such as sums. It
is also often used to filter input into a more readable format" such as log-file data.
awk uses blocks of statements" prepended with a so-called pattern. awk opens its
inputfileAsB" reads lines of text from them and matches the contents of the inputlines with
the patterns as specified in its program. If a pattern matches" the corresponding block of
code is executed. &uch patterns can be regular expressions Asee the section called
J;egular DxpressionsKB" but a number of other forms are supported as well.
awk can be used to extract reports from arious input files" to alidate data" produce
indices" manage small databases and to play around with algorithms to be used in other
programming languages. &ome rather complex programs hae been written in awk.
/oweer" awk)s capabilities are strained by tasks of such complexity. If you find yourself
writing awk scripts of more than" say" a few hundred lines" you might consider using a
different programming language" such as Ferl" Sc2eme" D or DXX.
To gie you an impression of the look and feel of an awk program" we offer the
following example. *on)t worry if you do not understand AallB this code AyetB" we will
clarify it later.
5unction resume(lineO part)
U
lenBlengt2(line)
i5 (len A ( 2 E part) )
U
ret-al B substr(lineO#Opart) 9 ... 9 substr(lineOlen6part)
V else U
- 2<2 -
ret-al B line
V
return ret-al
V
/\&$./ U
print resume(substr(3$O4)O4)
V
Q/\&$./ U
print resume(3$O4)
V
The name awk is an acronym and stands for the initials of its authors# $lfred C. $ho"
Peter R. -einberger" and (rian -. 0ernighan. It also pokes some fun at the somewhat
a#k#ard language that awk implements. The original ersion was written in !<77 at
$TZT (ell Laboratories. In !<85" a new ersion made the programming language more
powerful" introducing user-defined functions" multiple input streams and computed
regular expressions. awk was enhanced and improed oer many years and eentually
became part of the P%&IP Command Language and 4tilities standard.
The 634 implementation" gawk" which is the ersion in use on most 4nix systems
nowadays" was written in !<8:. In !<88" it was reworked to be compatible with newer
Anon-634B awk implementations. Current deelopment focuses on bug fixes"
performance improements and standards compliance.
%nce you are familiar with awk" you will most likely get into the habit of typing simple
one-liners" for example" to extract and=or combine fields from input files. &uch a one-
liner is typically built like this#
3 a>, WprogramW input65ile# input65ile2 ...
where program consists of a series of patterns ApatternsB and actions Amore about these
laterB. This command format instructs the shell to start awk and use the program Ain
single +uotes to preent shell expansion of special charactersB to process records in the
input fileAsB.
Longer awk programs are often put in files. These files are either called from the
command-line interface#
3 a>, 665ile programname input65ile# input65ile2 ...
or they are contained in files that start with the line#
+Q/usr/bin/a>,
and hae the execution bit set Ach#o) VxB.
- 2<9 -
3ow that we hae an oeriew" let)s go in and take a closer look.
Generic flo
$s stated before" an awk program reads lines and processes those lines" using blocks of
code. $ block of code is denoted by curly braces. $ typical program consists of one or
more of these blocks" often preceded by patterns that determine whether or not the code
in the code block should be executed for the current line of input.
@ore formally" an awk program is a se+uence of pattern-action statements and optional
function-definitions#
pattern U action statements V
.. and optional ..
5unction name(parameter list) U statements V
?or each line in the input" awk tests to see if the record matches any pattern specified in
the program. ?or each pattern that matches" the associated action is executed. The
patterns are tested in the order they occur in the program.
Patterns can hae arious forms" for example" regular expressions or relational
expressionsQ pattern types are described later ApatternsB.
$ctions are lines of code to be executed by awk. The regular programming structures
Abranching and loopingB are aailableQ so are ariables and arrays. Conditional testing"
matching on regular expressions and arious operators and assignments are also
aailable. $ll of these components are described below. The + AhashB is used to start a
comment" the remainder of the line will be ignored.
2ariables and arrays
awk supports the use of ariables. There are a number of internal variables whose alues
either can be read or set by both awk and the programmer. These can be used to influence
awk)s behaior or to +uery awk)s enironment. The programmer may also set other
ariables" which automatically come into existence when first used. Their alues are
floating point numbers or strings# automatic conersion is performed by awk if the
context re+uires it.
%nly one-dimensional arrays are supported. $rrays are always subscripted with strings"
for example" x)#* Athe ! is automatically conerted to the string J!KB or x)ra!*. Lou
may also use a list of alues Aa comma-separated list of expressionsB as an array subscript
since these lists are conerted to strings by awk. &imulations of multi-dimensional arrays
can be done this way#
iB9K9
- 2<2 -
7B9N9
x)iO7*B9text9
In this example" the array JxK is subscripted by a list of expressions. /oweer" the list is
conerted to a string first. awk does this conersion by concatenating the alues in i and
7 using a special separator Aby default the hexadecimal alue /$%4B. Thus" the subscript
would be the string JPb.92LK" which is an acceptable subscript for awk)s one-
dimensional associatie arrays.
To delete an entire array" you can use the command#
delete arra!
To delete an array named scores" for example" you could issue the command delete
scored. $dditionally" you can delete one member of an array by using the construction
delete arra!)index*
&o" for example" delete scores)&*. 3ote that this 'ust deletes the element from the
array" but does not rearrange the members to close the JgapK.
Input files& records and fields
awk normally is used with text-file input. -ithin awk text files are seen as sets of
records and fields. In most cases" a simplified iew can be used# records are lines of text"
delimited by a newline. /oweer" it is possible to set your own record separator by
setting the ariable 1S" which can be a regular expression or a single character. -hen 1S
contains a regular expression" the text in the input that matches this regular expression
will separate the record.
awk splits the input records into fields. (y default" Ase+uences ofB white space are seen as
a separator. It is possible to use the alue of the IS ariable to define the field separator.
(y setting IS to the null string" each character in the input stream becomes a separate
field. If IS is a single character" the records are diided into fields using that single
character. In all other cases" ?& should be a regular expression" and the fields will be
separated by the characters that match that regular expression.
To refer to a field" specify a dollar sign followed by a numerical representation of it)s
position within the record. To refer to the first field" for example" you would use 3#" the
fifth field would be 3(. 3$ is the whole record. It is acceptable to refer to a field using a
ariable" like this#
n B 0
print 3n
This prints the seenth field from the input record. To determine the number of fields in
the input record" you can use the ariable HI. This example also demonstrates the use of
- 2<5 -
the print statement" which prints its arguments to standard output" and the use of the
internal variable HI" which contains the number of fields in the current input record.
@ore about internal ariables will be explained later on.
To split records into fields" you can also set the ariable II:MDRIDLYS to a space-
separated list of numbers# the records will be seen as se+uences of fields with fixed
width" as specified in the ariable" and awk will not use field separators any more" unless
you assign a new alue to ?&.
awk allows you to assign alues to the fields" and that assignment will preail oer the
alues assigned when awk reads the input record. &uppose the seenth field of a record
contains the string scoob!doo" and you set it to another alue#
30 B 9se-en9
Then the seenth field will contain the string se-en and the 3$ will be recomputed to
reflect the change.
$s an example" and to reiew a number of the concepts aboe" let)s study this awk
program#
a>, 6I. WU
GISB9.9 + set t2e output 5ield separator
print 3$ + print all input 5ields
3#B95irst9 + re6assign t2e 5irst 5ield
print 3$ + print all input 5ields again
VW m!5ile
awk is called using the 6I flag to set the field separator to a colon. -e could hae
achieed the same result by assigning the alue J#K to the IS ariable. In our example" we
assume the program has been entered at the command-line interface. Therefore we placed
the program between +uotes to preent ariable expansion by the shell. The main block
of code is specified between curly braces" and no conditions or expressions are specified
before that block" therefore it will be executed for any record.
In the main code block" we start by setting the GIS ariable to a dot. This signifies that all
output fields will be separated by a dot. 3ext" the input line is printed by referring to 3$.
Then" on the next line" we force the first field into a fixed alue" and then we print out the
Anewly createdB full record again. %n the final line" the block is closed and the input file
name is specified. $ssuming the file m!5ile contains these two lines#
a.b.c.d
#.2.%.4
The output would be#
a.b.c.c
5irst.b.c.d
- 2<: -
#.2.%.4
5irst.2.%.4
It is possible to refer to non-existent fields or to assign alues to non-existing fields" but
it)s beyond the scope of this introduction. &ee the manual pages for A634B awk for more
details.
$ranching& looping and other control statements
-ithin awk programs" you can use a number of control statements. /ere" too" statements
can be grouped together by using curly braces. $ statement Aor group of statementsB can
be prepended by a control statement. If the control statement ealuates to true" the
corresponding block of code Aor single statementB will be executed. ?or example the i5
statement has the form#

i5 (condition) statement
.. or" if blocks of code are used#

i5 (condition) U statements... V
$ sample program that uses i5 and demonstrates the use else and the use of blocks of
code follows#
i5 (3HI A 4) U
print 9L2is record 2as o-er 4 5ields9
print 9It is a -er! lengt2! recordQ9
longXX
V else U
print 9He-er more t2an 5our 6 good .6)9
s2ortXX
V
or" the simpler case" this fragment of code uses a single statement#
i5 (3HI ? % ) print 9less t2an % 5ields 5ound9
Looping AiterationB can be done by using either the >2ile" do >2ile or 5or statement#

>2ile (condition) statement
do statement >2ile (condition)
5or (expr#C expr2C expr%) statement
$n example is gien below. It prints out the numbers from ! to !." using all three
methods. $dditionally" the keyword exit is introduced. exit simply terminates the
program. This program makes use of a simple trick to make it run without input data# it
- 2<7 -
consists of 'ust a =:JIH block Amore about that laterQ patternsB. $lso note the use of the
increment operator XX AoperatorsB.
=:JIH U
+ 5irst met2od.
+
numberB#
do U
print number
number B number X #
V >2ile (number ? ##)
+ second met2od.
+
numberB#
>2ile ( number ? ## ) print numberXX
+ t2ird met2od.
+
5or (numberB#C number?##C number B number X #) print number
V
The exit statement terminates the program. It can be followed by an expression that
should return a alue from ....255. This alue is passed on to the calling program" for
example" to enable it to see why a program terminated#
3 a>, W=:JIH U exit (6 VWC ec2o 34
(6
Note
%nly alues between . and 255 are meaningful exit alues" all other alues will be
conerted into that range.
The brea, statement can be used to 'ump out of a do" while or for loop unconditionally.
The loop is terminated" and program continues at the first statement after the loop. ?or
example" here is another Asomewhat clumsyB way to count to ten using awk#
=:JIH U
zB$
>2ile (#BB#) U
i5 (XXz BB #$) brea,
print z
V
print 9#$9
V
4nder normal circumstances" all commands within a block of code executed under the
control of either a >2ile" do or 5or function will be executed for each iteration. The
continue statement can be used to perform the next iteration" thereby skipping the code
- 2<8 -
between the continue statement and the end of the loop. Let another way to count to ten"
for example" is#
=:JIH U
zB$
>2ile (#BB#) U
print zC
i5 (XXz ? #$) continue
print 9#$9
brea,
V
V
Patterns
$s stated before" awk programs are composed of blocks of code prepended by patterns.
The blocks of code will be executed if the pattern applies.
Patterns can be in any of the following forms#
=:JIH
:HD
/regular expression/
relational expression
pattern [[ pattern
pattern TT pattern
pattern 4 pattern . pattern
(pattern)
Q pattern
pattern#O pattern2
7=>35 an) =54. $n awk program can hae multiple (D6I3 and D3* patterns. The
actions in the (D6I3 block will be executed before input is read" the actions in the D3*
block after the input is terminated. (locks of code that start with a (D6I3 pattern are
merged together into one irtual (D6I3 block. The same applies to D3* blocks. Thus" a
Asomewhat unusableB interactie awk program like this#
=:JIH U
print 9#9
V
:HD U
print 9a9
V
=:JIH U
print 929
V
:HD U
print 9b9
V
U exit V
.. assuming you would enter some input" would print#
- 2<< -
#
2
.. some input !ou ga-e ..
a
b
2egular =xpressions. ?or blocks prepended with a /regexp/ pattern" Asee the section
called J;egular DxpressionsKB the code found in the corresponding block will be
executed for each input record that matches the regular expression regexp specified. awk
uses an extended set of regular expressions" similar to egrep(1! Aremember that the
interval expressions are either not supported at all or can only enabled on re+uestB.
2elational expressions. $nother way to select which block to execute for which record
is using relational expressions. &uch an expression consists of awk commands Aa.k.a.
actionsB. ?re+uently" this is used to match on fields within a record#
3 a>, W3# BB 9$#9 U print VW
This would print all input records AlinesB that hae the string J.!K as their first field. Lou
can also check fields to match regular expressions" by using the JmatchK operator 8 Athe
tilde characterB" as is done in this one-liner#
3 a>, W3# 8 /)ab<*x/ U print 32 9 9 3% VW
6ien the following input#
<x t2e rain
cx and sno>
ax in Spain
gx and Irance
this would produce#
t2e rain
in Spain
Logical operators. Combinations of pattern expressions can be made by using logical
operators [[ AandB TT AorB and Q AnotB. $s in C and perl" these work in a short-circuit
fashion# if enough of the expression is resoled to determine the outcome Atrue or falseB
of the expression" the other patterns are not resoled. Thus" gien this example#

( 3# A $ ) [[ ( 32 ? 42 )
if 3# was assigned the alue #" the first part of the expression would return JtrueK.
(ecause the resolution of the second expression" J( 32 ? 42 )K" is of no releance to
the outcome of the entire expression" it will neer be executed. This example#
3 a>, W 3# BB % TT 32 8 /)a6z*&/ U print VW
- 5.. -
would print all records where the first field has the alue 9" or" if the first field does not
contain a string with the alue 9" would check if the second field matches the regular
expression )a6z*&.
Con)itional operators. The conditional operator UpatternV4UpatternV.UpatternV
Asometimes called the ternar( operatorB works 'ust like the same operator in C. If the first
pattern is true" then the pattern used for testing is the second pattern" otherwise it is the
third. %nly one of the second and third patterns is ealuated.
3 a>, W3#BB% 4 32BB9b9 . 32BB9c9 U print VW
This signifies" that" if the first field contains a string with alue J9K" the record will be
printed if the second field contains the string JbK. If the first field does not contain the
alue J9K" the record will be printed if the second field contains the string JcK. $ll other
records are not printed.
2ange operator. ?inally" there is the form where a range of records can be specified.
This is done by specifying the start of the range" a comma and the end of a range. In this
example" selected records will be printed#
3 a>, W3#BB9start9O 3#BB9stop9 U print VW
This program will suppress lines in its input until a record AlineB is found in the input
where the first field is the string JstartK. That record" and all records following it" would
be printed - until a record is found where the first field is the string JstopK. $ny records
follo#ing that line will silently be discarded" until the next record is found where the first
field is the word JstartK.
1perators
awk supports standard operators similar to those used in C. ?rom the manual pages#
"a*le 13.13. awk operators
A...B 6rouping of statements" for example" to force order of execution
TT -- Increment and decrement" both prefix and postfix
[ ^^ Dxponentiation. (oth alternaties support the same functionality
T - G 4nary plus" unary minus and logical negation
T - $ddition" subtraction
^ = M @ultiplication" diision and modulus
AspaceB the space is used for string concatenation
\ \S ] ]S G
S SS
relation operators# lesser" lesser or e+ual" bigger" bigger or e+ual" not e+ual"
e+ual
Ge match a regular expression
in array membership
- 5.! -
ZZ ff logical and" logical or
>#
This has the form expr# 4 expr2 . expr%. If expr# is true" expr2 is
ealuated" else expr% is ealuated.
S TS -S ^S =
S MS [S
^^S
assignments. The basic form is -ar B -alue. The operator form" for
example" -ar operatorB -alue is an alternate form to write -ar B -ar
operator -alue" b EB % is the same as b B b E %. 3ote that the form \B is
an alternate way of writing EEB
Using regular e#pressions
The chapter on ;egular Dxpressions Asee the section called J;egular DxpressionsKB gies
a thorough oeriew of the regular expressions that can be used in either awk" perl or
se). This section" therefore" focuses on using them within awk" rather than on the
;egular *xpressions themseles.
$ regular expression can be used as a pattern by enclosing it in slashes. Then the regular
expression is tested against the entire text of each record. 3ormally" it only needs to
match some part of the text in order to succeed. This" for example" prints the second field
of each record that contains the characters JsnowK anywhere in it#
3 a>, W/sno>/ U print 32 VW p2onelist
$uilt0in variables
$n exhaustie list of all built-in ariables can be found in the manual pages for awkQ only
the most commonly used ones are explained here. The built-in ariables IS and GIS hae
been demonstrated before. They can be used to force the ?ield &eparator and %utput
?ield &eparator by setting them from within an awk code block. The IH1 ariable holds
count of the current record number. $ ery basic one-liner to generate numbered program
listings" for example" could look like this#

a>, WU print5 9]$(d ]s/n9OIH1O 3$ VW
(y default" records are separated by newline characters" that is" awk reads lines of text by
default and treats each line as a record. This behaiour can be changed by setting the
ariable 1S. 1S contains either a single character or a regular expression. Text in the input
that matches that character or regular expression is used as a separator. The enironment
can be read by using the contents of the internal array :HPI1GH. To read the ariable L:1M
for the enironment" you would use :HPI1GH)9L:1M9*.
(unctions
awk allows the definition of functions by the programmer and has a large number of
built-in functions.
- 5.2 -
7uilt@in functions
The built-in functions consist of mathematical functions" string functions" time functions
and the system function.
The mathematical functions are# atan2(!O x)" cos(expr)" exp(expr)" int(expr)"
log(expr)" sin(expr) and sSrt(expr).
$dditionally" there are two functions aailable to work with random numbers#
srand()expr*)" which seeds the random generator" and rand()" which returns a random
number between . and !.
$ rich set of string functions is aailableQ please consult the manual pages for a full
description. $ short list of the most commonly used functions follows# index(sOt) to
return the index of the string t in the string s" lengt2()s*) to obtain the length of the
string specified Aor the length of the input record if no string is specifiedB" matc2(sOr) to
return on which position in string s the expression r occurs. substr(sOi)On*) returns
the substring from string s" starting at position i" with optional length n.
%ne of the primary uses of awk programs is processing log files that contain time-stamp
information. awk proides two functions for obtaining time stamps and formatting them#
s!stime() returns the current time of day as the number of seconds since midnight 4TC"
Ranuary !st" !<7." and str5time()5ormat )O timestamp**) to format time stamps
according to the form specified in 5ormat. To learn more about the format string used
with this function" the manual pages for str5time(%) should be consulted.
(elf@written functions
4ser-defined functions were added later to awk" and therefore" the implementation is
sometimes" somewhat" well" a#k#ard. 4ser-defined functions are constructed following
this template#
5unction name(parameter list) U statements V
$s an example" we)ll list a function that prints out a part of a string Ayou may be familiar
with it" since we)e used it before in our examplesB#
5unction resume(lineO part)
U
lenBlengt2(line)
i5 (len A ( 2 E part) )
U
ret-al B substr(lineO#Opart) 9 ... 9 substr(lineOlen6part)
V else U
ret-al B line
V
- 5.9 -
return ret-al
V
This function is named JresumeK Areh-suh-ma(B. It prints a short ersion of its input line"
consisting of an e+ual number of characters from the begin and end of the line"
concatenated by an ellipsis. It has two parameters#
line" the line to determine the resume from" and
part" which is the exact number of characters counted from the beginning and the
end of the line that should be displayed.
-ithin the function" the parameter will be aailable as AlocalB ariables line and part.
This function returns its result" which in this case will be a string.
$rrays are passed to functions b( reference" therefore" changing the alue of one of the
members of an array will be isible in the other parts of the program" too. ;egular
ariables are passed by alue" therefore when a function alters its alue" that is not
automatically isible to other parts of the program. ?or example#
5unction 5na(a) U a)$*B% V
5unction 5nb(b) U bB4 V
=:JIH U
a)$*B4
5na(a)
print a)$*

bB'
5nb(b)
print b
V
This would print
%
'
3ote that whilst defining a user-defined function" the name should be followed
immediately by the left parenthesis" without any white space.
?unctions are executed when called from within expressions in either actions Asee the
example aboeB or patterns. $n example of usage of a function in a pattern follows#
5unction 2as"lengt2"o5 (stringO len)
U
return (lengt2(string) BB len)
V
2as"lengt2"o5(3$O4) U print 95our9 V
This will print out the string JfourK for each line that contains exactly 2 characters.
- 5.2 -
The proision for local ariables is rather clumsy# they are declared as extra parameters
in the parameter list. The conention is to separate local ariables from real parameters
by extra spaces in the parameter list" e.g.#
5unction 5(pO SO aO b) + a [ b are local
U
... code ...
V
U 5(#O 2) V
?unctions may call each other and may be recursie. To return a alue from a function"
you should use return expr. The return alue will be undefined if no alue is proided.
rsync
rsync is an open source utility that proides fast incremental file transfer. rsync is a
replacement for rcp" but has many more features. rsync is mostly used to synchroni,e
files between systems. It does this ery efficiently" for it uses a special algorithm that 'ust
sends the differences between the files oer the link.
"he rsync algorithm
To determine the differences between two files" without the need to hae both files
aailable on one host" one of the hosts diides its ersion of the file to rsync in fixed-si,e
blocks. ?or each block" a checksum is calculated
W29X
. The checksums are sent to the other
side. The other host scans its ersion of the file for occurrences of blocks with matching
checksums Aeen if these blocks are not located at the same boundariesB. -ith more or
less similar files" chances are that many matching blocks will be located.
$fter completion of the analysis" the host sends its peer information on how to construct a
copy of the file in terms of blocks with literal data or the identifier for a common
matching block it has found.
-igure 13.1. rsync protocol si#plifie)
2ost ; T 2ost =
666666666666666666666666666666666666
X666666666666666666666666666666666666666666
T
6666666 5ile a 666666666 T 6666666 5ile b 666666666
T
)b$*)b#*)b2*)b%*)b4*)b(* T )x#*)b$*)b#*)x2*)b4*)x%*
T T T T T T T T T T T T T
c$ c# c2 c% c4 c( A66666666666666A 4 c$ c# 4 c4 4
T
)x#*)b$*)b#*)x2*)b4*)x%* ?6666666666666? construct 9)x#*Xc$Xc#X
)x2*Xc4X)x%*9
T
- 5.5 -
666666666666666666666666666666666666
X666666666666666666666666666666666666666666

In the figure aboe" at the left" host $ is represented. It has a file a" an older ersion of
file b. To synchroni,e the two" host $ will split up its file into blocks Ain our example#
Wb.X..Wb5XB and calculate checksums oer these blocks Ac...c5B. Then" it will send these to
the other host Ahost (B. /ost ( will figure out if any blocks can be found in JoldK file b
that hae the same checksum. &ince both sides probably hae a number of blocks in
common" these parts of the file do not need to be sent oer the line. /ost ( will tell host
$ how to construct file b by either sending oer blocks of literal data Afor blocks that
could not be matched anywhereB or the identifier of a block that both sides hae in
common.
Configuring the rsync daemon
rsync can also talk to Jrs(nc serversK" which can proide anonymous or authenticated
rsync.
&ynchroni,ation is done between two machines. %ne of these needs to run a serer-
program" the other can use rsync in client-mode. The rsync daemon can be run in
standalone mode#
+ rs!nc 66daemon
%r you can make inet) start it" in which case you will need to add a line to its
configuration file A/etc/inetd.con5B#
rs!nc stream tcp no>ait root /usr/bin/rs!nc rs!ncd 66daemon
rsync is capable of using ssh or rsh for transport. 4sing ssh has the adantage that all
traffic will be properly encrypted and authentication can be done transparently" using
1S;/DS; public keys Asee the section called J &ecure shell A%pen&&/B A2.2!2.2B KB. rsync
can be used stand-alone too" in which case the data is sent oer port 879. Dnsure that this
port is listed in the file /etc/ser-ices as Jrs!ncK.
The daemon uses the configuration file /etc/rs!ncd.con5. $n example follows#
loc, 5ile B /-ar/run/rs!nc.loc,
pid 5ile B /-ar/run/rs!ncd.pid
log 5ile B /-ar/log/rs!ncd.log
motd 5ile B /etc/rs!ncd.motd
)openarea*
pat2 B /5s$/rs!nc/public
comment B Fublic ;rea
uid B nobod!
gid B nobod!
read onl! B no
- 5.: -
list B !es
2osts allo> B 7ones smit2
aut2 users B peter >end!
secrets 5ile B /etc/rs!ncd.scrt
use c2root B !es
The first four lines globally specify the location of arious files the rsync) daemon uses.
These are the lockfile Aloc, 5ileB" the file that will contain the process I* for the
process Apid 5ileB" the file in which to log messages Alog 5ileB and the file in which a
message of the day file Amotd 5ileB can be found. The latter is displayed if a client
connects to the rsync serer.
$n area is nothing more that a grouping of options for access to certain areas on your
serer. &ometimes areas are referred to as modules or Asomewhat confusinglyB paths.
%ptions are specified within an area and only alid within that area. The configuration
file can hae many area-definitions" ours 'ust has one.
$n area is denoted by its name within s+uare brackets# such as )openarea*. The pat2
option defines the path where the files are rsync)ed to and fromQ the comment option
specifies a descriptie explanation for listingsQ the uid and gid specify which uid=gid the
serer will use to access the area. The authori,ed users are listed after the aut2 users
option. These are the names of users allowed to access this area. The aut2 users do not
hae to be system users" howeer" their names should occur in the secrets file. This is a
file containing plaintext key=alue pairs of usernames and passwords. The location of that
secrets file can be specified using the secrets 5ile option. The option 2osts allo>
denies access to all hosts other than those whose IP address or hostnames are listed. Its
counterpart 2osts den! does the opposite# it allows eerybody" except the hosts whose
IP address or hostnames are listed. The other options specify that the file-system path is
read=write Aread onl!B and the rsync path shows up in rsync listings AlistB. ?or
security reasons" the rsync daemon can chroot to the path specified" which is switched on
by the Juse c2rootK option. @any more options can be found in the man page for
rsync).conf.
Using the rsync client
The rsync client can be used with either rsh or ssh. ssh is recommended because it
encrypts communication Afor priacy and security reasonsB.
The client has many options. The manual page lists them all and contains plenty of good
examples. Rust to gie you an impression" here is an example of typical use#
3 rs!nc 6a-zrpog 66rs2B/usr/bin/ss2 66compress
2en,@rs!nc.opensource.nl..lpic2boo, /5s$/docboo,/lpic2
$s you can see" there are two command line option notation methods" the old-style single
minus prefixed notation and the posix-compliant double-minus prefixed notation. This
will retriee the files in the area lpic2boo, on serer rs!nc.opensource.nl and put
- 5.7 -
them in /5s$/docboo,/lpic2 on the local serer" using the username 2en, to log in. The
options 6a-zrog are used to get the data in an archie" to set -erbose mode" fetch the
files recursiely" and presere the permissions" owner and group used on the original
files. $nother example#
3 rs!nc rs!nc.opensource.nl..
.. will list out all the modules running on the serer.
rsync is capable of using include and exclude patterns" which hae a specific syntax
A somewhat like shell wildcards" but with exclusions and extensionsB.
crontab
4nix systems start up the cron daemon in multi-user mode. /ence" so does Linux. The
cron daemon will execute programs at predestined times. The daemon wakes up eery
minute and runs the commands as necessary.
?iles in which the time and interal to run commands are specified" as well as the
commands themseles" are called cronta* files. $ll cron implementations support user
cronta*s# each system-user has his=her own cron command file. These indiidual
configuration files are stored in a standard directory# /-ar/spool/cron/crontabs or
/-ar/cron/tabs/. They bare the name of the appropriate user-account from the
/etc/pass>d file.
(y default" either only the superuser or eery user will hae the right to create and
maintain a crontab file Awhich of the two depends on the local configurationB. ?or a
more fine-grained authori,ation scheme" either the file /etc/cron.allo> or the file
/etc/cron.den! can be created by the superuser. &uch a file contains lines with
usernames. If the cron.allo> file is found" only users that are listed in that file will hae
the right to maintain entries" if the cron.den! file is found" all users except the users
listed there can use cron.
The information in user files is often stored in memory by the daemon - therefore" when
you change the user files manually" by editing them" you will need to restart the cron
daemon to actiate the changes. /oweer" under normal circumstances you should not
edit the user files by hand" but use the command
3 crontab 6e
to edit your personal entry. This will start up your editor" enable you to edit your entry
and will actiate the changes if your entry could be alidated. The file /etc/crontab and
the files in the /etc/cron.d directory are monitored by the daemon for changes.
- 5.8 -
$lternately" you can use a file in your YGM: directory Aor another location where you hae
write-accessB and edit this file. To actie it" use
crontab ?t2e65ile6nameA
To deactiate it" use#
crontab 6r
This has the adantage oer the cronta* @e method that your local copy of the crontab
file remains aailable for future use.
@odern implementations of cron often look in more places for configuration files. ?irst
of all" there is the file /etc/crontab. It can be edited by root and allows specification of
a user I* to use when executing the command. $dditionally" cron will concatenate any
files found in /etc/cron.d and will treat them as if they were part of Aextensions toB
/etc/crontab.
@ost distributions also offer proisions to enable easy execution of commands that need
to be run on an hourly" daily" weekly or monthly basis. This is done by creating
directories named /etc/cron.2ourl!" /etc/cron.dail! and so on" in which directories
scripts can be placed. These are run se+uentially" both to presere system resources and
to be able to support dependencies between scripts A)this has to run first" before that can
be run)B. Typically" the order of execution is determined by the name of the scriptQ
therefore" their names are often prepended with e+ual-length short-strings to force the
correct execution order" for example# aaa"logoutusers or aab"clean5s. %ften" the
execution of these scripts is initiated by a script that in turn is started by a cronta* entry
in the /etc/crontab file.
-hen executing commands" a default enironment setting is proided" containing at least
the YGM:" F;LY and L:1M ariables. The F;LY often is set to ery minimalist alues. $ny
output is mailed to the owner of the crontab or to the user named in the M;IMLG
enironment ariable" if it exists.
format of the crontab file
Lou can define or oerride enironment ariables" by defining them in the crontab file"
one ariable per line" in the format#
P;1I;=M:B-alue
Lines whose first non-whitespace character is a hash A+B are comment-lines. Dmpty lines
are discarded. The format for lines in a crontab entry is#
minute 2our da!6o56mont2 mont2 da!6o56>ee, (>2o6and6)>2at6to6do
- 5.< -
The minute field can hae alues from .-5<" the 2our field .-22" the da!6o56mont2 field
!-9!" and the da!6o56>ee, field .-7Q both . and 7 signify &unday" ! is @onday" and so
on. The (>2o6and6)>2at6to6do field contains either 'ust the command and its
parameters Ain case this is an entry in an indiidual crontab entryB" or the name of the user
I* used to run the command" followed by the command and its parameters. $ star
signifies Jdon)t careK or Jalways matchK. If you want to run the local command
so#ething eery minute" with parameter 6else and redirection of the output to the null-
deice" you might specify#
E E E E E /usr/local/bin/somet2ing 6else A/de-/null 2A[#
$dditionally" you are allowed to specify lists of alues and ranges to match. $ range is a
AinclusieB specification of initial and final alues" separated by a hyphen. &o" for
example" 46' specifies that all numbers in the set 2" 5" :" 7 and 8 will match. $ comma-
separated list of alues and=or ranges is allowed" too. Therefore" #6%O6 would translate to
matching either 1? 0? J? or &" and #6%O(6'O#$ would translate to matching either 1? 0? J?
A? &? K" 8 or !.). &ome examples#
$ ( E E E 5ind 3YGM: 6t!pe 5 W(W 6name core 6o 6name dead.letter W)W
6atime X0 6mtime X0 6exec rm 65 WUVW WCW
This is an entry in a user crontab" that scans the /%@D directory and below for files
named dead.letter and core" that hae not been accessed for at least a week and
remoes them.
'O#6O24 '6#% E E #6( uucp /usr/local/bin/poll
This is an example entry that could occur in /etc/crontab or in one of the files in /etc/
cron.d. It makes cron start up the command BusrBlocalB*inBpoll on @onday through
?riday Athe fifth field" !-5B" at 8" !: and 22 minutes past the hour" for all hours between 8
and !9 hour inclusie. The first time the command will be executed during a week is on
@onday" at 8h.8" and the last time on ?riday" on !9h22. This command will be run with
the 4I* of the user uucp.
Lou can use names instead of numbers for weekdays and months" but this feature is not
fully implementedQ therefore specifying ranges using these names are -5T allowed.
$dditionally" you need to specify the first three letters of the days" more" no less.
?ollowing a range with a slash results in matching with the members of the range" but not
with the default step alue J!K. &o" .-!.=9 signifies the alues ." 9" : and <.l To say
Jeery 2 hoursK" you could use the construct J^=2K.
"he at command
Closely associated with cron Aand often implemented by itB is the command at. 4sing
this command" you can execute a gien command or set of commands at a later time.
/oweer" unlike cron" the commands executed with at are only executed once. The time
- 5!. -
and date for execution can be specified on the command lineQ the commandAsB needs to
be specified on standard input#

3 at Ugi-en6timeV
command6#
command62
\D
3 "
The time can be constructed using many forms" the simplest is by specifying the hour and
minute AtimeB you want the commands to run Ahh#mmB. The time will always be assumed
to be in the future. $ number of keywords may are also aailable# midnig2t" noon or
een teatime A!:... hoursB. Lou can use either 22 hour notation" or append JP@K or
J$@K to the time. To specify a date you can use the form mont2 da! or mont2 da!
!ear" Ae.g." ûl #0 2$%'B or the form J@@**LLK" J@@=**=LLK or J**.@@.LLK.
To specify both time and date" first specify the time" and then the date#

3 at 2$.$$ ûl #0 2$%'
;elatie time is acceptable. JIn 2. minutesK can be specified as follows#

3 at no> X 2$ minutes
Instead of minutes" you can also specify 2ours" da!s or >ee,s. To tell at to run a 'ob
tomorrow you 'ust say so#

3 at no> X 2$ minutes tomorro>
The superuser may use at. %ther users) permission to use it is determined by the files
/etc/at.allo> and /etc/at.den!" which work much the same as the preiously
described files /etc/cron.allo> and /etc/cron.den!. If the allow-file exists" only
usernames mentioned in it may use at. If the allow file does not exist" /etc/at.den! is
checked and eery username not mentioned there is allowed to use at. $n empty
=etc=at.deny means that no one is restricted.
0onitoring your syste#
$s we hae seen" 4nix systems contain many tools# tools to start up programs
automatically" synchroni,e files between systems and help manipulate data Ase)" awk and
perlB. Lou may hae noticed that there is a huge oerlap in functionality between these
three. -hy do we hae se)" if awk has most of its functionality too> -hy do we need
awk when we can use perl instead> -ell" there are many reasons. ?irst of all" you need
to reali,e that it 'ust grew this way. se) was there before awk and perl came after awk.
(ut" as there are still many se) and awk scripts around that offer ery useful
- 5!! -
functionality" both tools are still maintained and heaily used. There is also the +uestion
of resources# the oerhead needed for a simple se) script is much less than that of a full-
blown enironment like perl)s. $lso" a number of people 'ust feel more comfortable using
one set of tools" while others like another set. $nd" as a sysadmin or poweruser" it is ery
conenient to hae alternate methods aailable if parts of the system are damaged. &ay"
for example" that ls does not work Abecause you are in a chrooted enironment or
somebody inadertently deleted itB" in which case you can use the shells) expansion
mechanism instead#
ec2o E
In practice" it all boils down to your personal preference and the enironment you hae
aailable. /oweer" it really helps to be able to work with regular expressions Asee the
section called J;egular DxpressionsKB" the salt of all 4nix systems. &tudy them well.
In the next sections" we will proide arious examples of scripts that can be used to
monitor your system" using arious toolsets. -e will gie examples of arious ways to
parse a log-file" combine log-files and generate alerts by mail and pager. -e will write a
script that monitors files for changes and another that warns administrators when
specified users log in or out.
%arning
The scripts we proide are meant to be examples. They should not be used in a
production enironment Jas isK" since they are written to clarify an approachQ they are
intended to help you understand how to write solutions for system administration
problems using the basic 4nix components. The scripts lack proper attention security and
robustness" the scripts" for example" do not check whether a statement has completed
successfullyQ signals that may disrupt the scripts are not caught" sometimes modularity is
offered to support didactical clarity etc.
parsing a log0file
$s a system administrator you often will study the contents of logfiles. Logfiles are your
main source of information when something is not A+uiteB working. $las" often these
logfiles are riddled with information you do not need AyetB. Therefore" it is useful to be
able to filter the data. ?or example" the syslog) daemon logs so-called marks - lines
containing the string J66 M;1K 66K. It pumps out one such line eery 2. minutes
W25X
. This
is useful to check whether or not the daemon is running successfully" but adds a huge
number of lines to the logfile. Lou can remoe these lines in many ways# 4nix allows
many roads to a gien goal. $ simple se) script could do the trick#

sed W/66 M;1K 663/dW /-ar/log/messages
or you could use another essential 4nix tool#
- 5!2 -

grep 6- 66 966 M;1K 669 /-ar/log/messages
3ote the double dash that tells grep where its options end. This is necessary to preent
grep from parsing the searchstring as if it were an option. Let another way to obtain the
same goal#

a>, WQ/66 M;1K 663/ U print VW /-ar/log/messages
$nd finally" using perl#

perl 6ne W/66 M;1K 663/ TT printCW /-ar/log/messages
%r" in the true tradition of perl that een within perl there is more than one way to do
things#

perl 6ne Wprint unless /66 M;1K 663/CW /-ar/log/messages
$nother example# suppose you are interested in those lines from the messages file that
were written during lunch breaks Anoon to !2...B. Lou could filter out these lines using
sed#
sed 6n W/\);6<*)a6z*/U2/V ) #6%*)$6&* #)2%*./pW /-ar/log/messages
The 6n option tells se) not to print any lines" unless specifically told so using the )p)
command. The regular expression looks like stiff swearing on first sight. It isn)t. $mple
analysis reeals that it instructs se) to print all lines that begin A\B with an uppercase
letter A);6<*B" followed by 2 lowercase letters A)a6z*/U2/VB" a space" either a space or
one of the digits !-9 A) #6%*B" yet another digit A)$6&*B" another space" the digit ! and
either the digit 2 or the digit 9 A)2%*B" followed by a colon. Phew.
%r you could use this awk one-liner#
a>, W/\);6<*)a6z*)a6z* ) #6%*)$6&* #)2%*./W /-ar/log/messages
3ote that this time we did not use the interal expression AU2VB" but simply duplicated the
expression. (y default gawk Awhich we are using throughout this bookB does not support
interal expressions. /oweer" by specifying the 66posix flag it can be done#
a>, 66posix W/\);6<*)a6z*U2V ) #6%*)$6&* #)2%*./W /-ar/log/messages
$lternately" you could use a simple awk script#
a>, WU
split(3%OpieceO 9.9)
- 5!9 -
i5 ( piece)#* 8 /#)2%*/ ) U print V
VW /-ar/log/messages
which renders the same result" using a different method. It simply looks for the third
Awhite-space delimitedB field" which is the time-specification" splits that into 9 subfields
ApieceB" using the colon as delimiter AsplitB and instructs awk to print all lines that
hae a match A8B with the third field from the timefield.
?inally" we can use perl to obtain the same results#
perl 6ne W/\);6<*)a6z*U2V ) #6%*)$6&* #)2%*./ [[ printCW
/-ar/log/messages
$s an exercise" you could try some other approaches yourself. If you want to be
reasonably sure that your do-it-(ourself approach renders the same result as the methods
tested aboe" make a copy of Aa part ofB the messages file" run one of the commands we
gae as an example on it and pipe the result through su##
3 cp /-ar/log/messages ./m!5ile
3 sed 6n W/\);6<*)a6z*/U2/V ) #6%*)$6&* #)2%*./pW ./m!5ile Tsum
4''%$ %'6
Lour home-brewn script should render the exact same numbers you get from one of the
example scripts when its results are piped through su#.
combine log0files
%ften" you)ll need to combine information from seeral files into one report. $gain" this
can be done in many ways. There is no such thing as the right #a( - it all depends on
your skills" preferences and the aailable toolsets. Lou are free to choose whicheer
method you want. /oweer" to get you started" some examples follow.
The command groups will list the groups you are in. It accepts parameters" which should
be usernames" and will display the groups for these users. (y the way# on most systems
groups itself is a shell script. $n example of typical use and output for this command
follows#
3 groups nobod! root uucp
nobod! . nogroup
root . root bin uucp s2ado> dialout audio nogroup
uucp . uucp
3 "
The information displayed here is based on two publicly readable files# /etc/pass>d and
/etc/group. The groups command internally uses i) to access the information in these
files" but nothing stops us from accessing it directly. The following sample shell script
- 5!2 -
consists mainly of an inocation of awk. It will display a list of all users and the groups
they are in" and" as an extra" prints the full-name of the user.
/6666666666666666666666666666666666666666666666666666666666666666666
666
$# T +Q/bin/s2
$2 T +
$% T
$4 T + L2is script displa!s t2e groups s!stem users
$( T + are inO on a per user basis.
$6 T
$0 T a>, 6I. W=:JIH U
$' T
$& T + 1ead t2e comment 5ield / user name 5ield 5rom t2e
#$ T + pass>d 5ile into t2e arra! W5ullnameWO indexed b!
## T + t2e username. I5 t2e comment 5ield >as empt!O use
#2 T + t2e username itsel5 as WcommentW.
#% T +
#4 T >2ile (getline ? 9/etc/pass>d9) U
#( T i5 (3(BB99) U
#6 T 5ullname)3#* B 3#
#0 T V else U
#' T 5ullname)3#* B 3(
#& T V
2$ T V
2# T V
22 T
2% T U
24 T + =uild up an arra!O indexed b! userO t2at contains a
2( T + space concatenated list o5 groups 5or t2at user
26 T
20 T number"o5"usersBsplit(3HIOusersO9O9)
2' T
2& T 5or(countB$C count ? number"o5"usersC countXX) U
%$ T t2is"userBusers)countX#*
%# T logname)t2is"user* B logname)t2is"user* 9 9 3#
%2 T V
%% T V
%4 T
%( T :HD U
%6 T + Mist t2e arra!
%0 T +
%' T 5or (-al in logname) U
%& T print5 9]6#$s ]62$s ]s/n9O
4$ T substr(-alO#O#$)O
4# T substr(5ullname)-al*O#O2$)O
42 T logname)-al*
4% T V
44 T VW /etc/group
/6666666666666666666666666666666666666666666666666666666666666666666
666
$n example of how the output might look#
at at at
- 5!5 -
bin bin bin
db2as D=2 ;dministration db2iadm#
named Hameser-er Daemon named
oracle Gracle ser dba
db2inst# D=2 Instance main us db2asgrp
... output truncated ...
%n line .! we state that the interpreter for this script is /bin/s2. That may seem
surprising at first" since the script actually consists of awk statements. /oweer" there are
two exceptions# the command-line parameter A6I.B" Aline .7B and the filename
/etc/group Aline 22B. It is possible to rewrite this program as a pure awk script - we
leae it up to you as an exercise. The awk construction consists of three groups#
the =:JIH group" which builds up an array containing the full-names of all system
users listed in /etc/pass>d"
the body" which reads the lines from /etc/group and builds an array that
contains the groups per user
the :HD group" which finally combines the two and prints them.
the 7=>35 *lock. Line !2 shows a method to se+uentially read a file #ithin an awk
program block# the getline function. getline fetches an input-line ArecordB from a file
and" if used in this context" will fill the ariables Ae.g." 3$..3HIB accordingly. (y putting
getline in the decision part of a >2ile loop" the entire file will be read" one record AlineB
per iteration" until getline returns . Awhich signals Jend of fileKB and the >2ile loop is
terminated. In our case" the file /etc/pass>d is opened and read" line by line. -e set the
field-delimiter to a colon A6I." line .7B" which is indeed the field-separator for fields in
the /etc/pass>d file. -ithin the loop we now can access the username A3#B and full
name of Aor a comment aboutB that user A3(B. The construct used on line !: Aand !8B
creates an array" indexed by username.
the #ain *lock. In the main block" awk will loop through the /etc/group file Awhich
was specified on the command line as input file" line 22B. The ariable 3HI always
contains the contents of the last field" which" in this case" is a comma-delimited list of
users. Line 27 splits up that field and puts the usernames found in the last field into an
array users. The 5or loop on lines 2<-92 adds the group to the proper elements of array
logname" which is indexed by username.
the =54 *lock. The D3* block will be executed when the input-file is exhausted. The
logname array was preiously indexed by username# each array-element contains a
space-delimited list of group-names Ae.g." the array-element logname)root* could
contain the string Jroot bin s2ado> nogroupKB. The J5or (-al in logname)K loop
Aline 98B will walk through all elements of the array logname" whilst putting the name of
the element in the ariable -al. Line 9< defines the output format to use# first a left-
aligned string-field with a length of !. characters" if necessary padded to the left with
spaces A]6#$sBQ next" another left-aligned string-field with a length of 2. characters" also
padded to the left with spaces A]6#$sB" and finally a string of ariable length. To preent
- 5!: -
field oerflow" the substr function is used to trim fields to their maximum allowed
length.
%f course" you can do the ery same thing using a perl script. Lou can start from scratch"
but since we already hae a fully functional awk program that does the trick" we can also
use a utility to conert that script to a perl program. %n most 4nix systems it)s named
a2p. It takes the name of the awk script as its argument and prints the resulting output to
standard output#

a2p userlist.a>, A userlist.pl
The results are often pretty good" but in our case some fine-tuning was needed" both to
the originating and resulting scripts" since the awk program in our example was
embedded in a shell-script. The example below lists our result#
/6666666666666666666666666666666666666666666666666666666666666666666
666
$# T +Q/usr/bin/perl
$2 T
$% T open(":LD"F;SSRDO W/etc/pass>dW) TT die WDannot open 5ile
9/etc/pass>d9.WC
$4 T open(":LD"J1GFO W/etc/groupW) TT die WDannot open 5ile
9/etc/group9.WC
$( T
$6 T 3) B #C + set arra! base to #
$0 T
$' T 3IS B W.WC
$& T
#$ T + 1ead t2e comment 5ield / user name 5ield 5rom t2e
## T + pass>d 5ile into t2e arra! W5ullnameWO indexed b!
#2 T + t2e username. I5 t2e comment 5ield >as empt!O use
#% T + t2e username itsel5 as WcommentW.
#4 T +
#( T >2ile ((3" B [Jetline2(W":LD"F;SSRDW)O3getline"o,)) U
#6 T i5 (3Ild)(* eS WW) U
#0 T 35ullnameU3Ild)#*V B 3Ild)#*C
#' T V
#& T else U
2$ T 35ullnameU3Ild)#*V B 3Ild)(*C
2# T V
22 T V
2% T
24 T >2ile ((3" B [Jetline2(W":LD"J1GFW)O3getline"o,)) U
2( T c2ompC + strip record separator
26 T @Ild B split(/)./n*/O 3"O &&&&)C
20 T
2' T + =uild up an arra!O indexed b! userO t2at contains a
2& T + space concatenated list o5 groups 5or t2at user
%$ T
%# T 3number"o5"users B (@users B split(/O/O 3Ild)3+Ild*O &&&&))C
%2 T
%% T 5or (3count B $C 3count ? 3number"o5"usersC 3countXX) U
- 5!7 -
%4 T 3t2is"user B 3users)3count X #*C
%( T 3lognameU3t2is"userV B 3lognameU3t2is"userV . W W . 3Ild)#*C
%6 T V
%0 T V
%' T
%& T + Mist t2e arra!
4$ T +
4# T 5oreac2 3-al (,e!s ]logname) U
42 T print5 9]6#$s ]62$s ]s/n9O
4% T substr(3-alO #O #$)O
44 T substr(35ullnameU3-alVO #O 2$)O
4( T 3lognameU3-alVC
46 T V
40 T
4' T sub Jetline2 U
4& T (352) B @"C
($ T i5 (3getline"o, B ((3" B ?352A) ne WW)) U
(# T c2ompC + strip record separator
(2 T @Ild B split(/)./n*/O 3"O &&&&)C
(% T V
(4 T 3"C
(( T V
/6666666666666666666666666666666666666666666666666666666666666666666
666
$s you might expect" this code works in a manner similar to the preiously used awk
example. The most striking difference is the addition of the Jetline2 function. This
function reads a line from the file specified by the file handle Awhich was passed as
argumentB and splits the records into fields" which are put in the array Ild. The c2omp
function Aline 5!B remoes the record separator from the input-line" since perl does not
do that automatically Aawk doesB. $lso" the perl program was rewritten to remoe its
dependency on a shell" therefore" the program opens both input files within Alines .9 and
.2B. Line .: sets the array base to !" which is the default for awk arrays" as opposed to
perl arrays" which are base .. The loop in line !5-22 reads the information from the
pass>d file and puts the full user names in the array 5ullname again" the loop on lines
22-97 reads in the group-file and builds the array that contains the lists of groups for each
user. ?inally" the code in lines 2!-2: is almost identical to that of the D3* block in the
awk example Alines 98-22B and works likewise.
The automatic generation of code does not necessarily delier ery clean code. In our
example" some code was included that is not necessary to make this program work
properly. $s an exercise" try to find those lines.
generate alerts by mail and pager
In most cases" it suffices to construct reports and mail them to the system administrator.
/oweer" when an eent occurs which re+uires immediate attention another mechanism
should be used. In these cases" you could use &@&-messaging or page the sysadmin. Lou
also could send a message to a terminal or hae a pop-up box appear somewhere. $gain"
- 5!8 -
there are many ways to achiee your goal. &@& and AalphanumericB pagers are used most
fre+uently.
&ending mail to somebody on a 4nix system from within a process is ery simple
proided that you hae set up e-mail correctly" of course. ?or example" to mail from
within a shell program" use this command#
ec2o 9Yi t2ereQ9 T mail 7ones 6s 9Yi t2ereQ9
%r" to send longer texts" you could use a Jhere documentK Adescribed in the section called
J/ere documentsKB#
mail 7ones 6s 9Yi t2ereQ9 ??:GI
+ +
+ + +
+ +
+ +++ + +
++ + + +
+ + +
+ + + +
:GI
To mail something from within Perl" a similar concept can be used#

open(M;IM O 9Tmail 7ones 6s /9Yi L2ereQ/99) TT die 9mail 5ailed9C
print M;IM 9YiO Faula.9C
close(M;IM)C
To print more than one line" you can use may different techni+ues" for example" you
could use an array and print it like this#

@text)$*B9YelloO Faula/n9C
@text)#*B9/n9C
@text)2*B9JreetingsQ/n9C

open(M;IM O 9Tmail 7ones 6s /9Yi L2ereQ/99) TT die 9mail 5ailed9C
print M;IM @textC
close(M;IM)C
3ote that you need to insert newline characters at the end of the array elements if you
want to start a new line. $lternatiely" you could use a Jhere documentKB" as we did in the
shell#

open(M;IMO 9Tmail root 6s /9Yi L2ereQ/99) TT die 9mail 5ailed9C
print M;IM ??:GIC

- 5!< -
+ +
+ + +
+ +
+ +++ + +
++ + + +
+ + +
+ + + +

:GI
close(M;IM)C
Pager-serice proiders proide P&T3 gateways# you dial in to these systems using a
modem" oer public phone-lines. &ome special software needs to be written or
downloaded to enable you to page someone. %ften some kind of terminal based protocol
is used. %ther" systems use a protocol called T$P ATelocator $lpha-entry ProtocolB"
formerly known as PDT APersonal Dntry TerminalB or IP% A@otorola inented it"
including its nameB. &ometimes Ain DuropeB the 4CP protocol ABniversal
,ommunication 'rotocolB is used. There are a number of software programs for 4nix
systems to enable them to use '4T- gateways" the most fre+uently used ones are
Hylafax" *eepage" Cpage" tpage and sen)page. The latter is written in Perl and released
under the 6PL.
Pager-serices are often replaced by &@& serices nowadays" especially in Durope"
where the 6&@ network is aailable almost eerywhere. &@& offers the adantage of
guaranteed deliery to the recipient. $dditionally" most system administrators already
hae mobile phones. If &@& is used" they do not need to carry around an additional
pager.
To enable computers to send &@& messages" special add-on 6&@ deices are aailable.
They either accept serial input or are placed in a PC@CI$ slot. They are capable of
sending &@& messages directly. &ome software has been written for them# you may want
to look at http#==smslink.sourceforge.org. (y adding a computer that addresses such a
deice to your network" you can set up your own gatewayAsB for your own network.
$part from installing your own software=gateway" you can use external gateways" some
of which are aailable on the Internet" others are proided by your Telecom operator#
-eb gateways. Lou 'ust fill in the proper fields of the form and the message will
be sentQ
&3PP A&imple 3etwork Paging ProtocolB gateways. These are capable of
understanding &3PP Asee also ;?C-!:25B. %ne way to implement such a gateway
on your own network is by using the sen)page softwareQ
mail gateways. The method of usage aries from gateway to gateway. @any
times" the message can be put in the body of the mail and messages are addressed
using the pager number as the address for the recipient Ae.g."
?pagernumberA@?sms6gate>a!6domainABQ
most ATelecom=pager sericeB proiders proide P&T3 to &@& gateways. Lou
dial in to these systems using a modem. &ome special software needs to be written
- 52. -
or downloaded to enable you to communicate with the gateway. %ften either 4CP
or T$P protocols are used.
user login alert
The ob'ecties state that you should be able to write a script that notifies AtheB
administratorAsB when specified users log in or out. There are" as always" many ways to
accomplish this.
%ne solution would be to gie a user a special login JshellK" that issues a warning before
starting up the JrealK shell. This could be a simple shell-script Adon)t forget to ch#o) Vx
itB and named something like /bin/prebas2. $n example of such a script#
+Q/bin/bas2
+
D;L:BZ/bin/dateZ
+
mail root 6s 9S:1 3S:1 MGJJ:D IH9 ??:GI
;ttentionQ
L2e user 3S:1 2as logged in at 3D;L:.
:GI
exec /bin/bas2 66login
The corresponding line in the /etc/pass>d file for this user could look like this#
user.x.($#.#$$../2ome/user./bin/prebas2
-hen the user logs in" the initiating script will be run. It will send the mail and then
oerwrite the current process with the shell. The user will neer see that the warning has
been issued" unless he or she checks out his=her entry in the /etc/pass>d file.
$lternately" you could choose to leae the JinitiatingK shell in place Ai.e." not to issue the
exec commandB which lets you use the initiating shell to report to you when a user logs
out#
+Q/bin/bas2
+
D;L:BZ/bin/dateZ
/usr/bin/mail root 6s 9S:1 3S:1 MGJJ:D IH9 ??:GI

;ttentionQ
L2e user 3S:1 2as logged in at 3D;L:.
:GI
/bin/bas2 66login
D;L:BZ/bin/dateZ
no2up /usr/bin/mail root 6s 9S:1 3S:1 MGJJ:D GL9 2A/de-/null #A[2
??:GI2
- 52! -

;ttentionQ

L2e user 3S:1 2as logged out at 3D;L:.
:GI2
This script consists of three parts# a part that is executed before the actual shell is
executed" the execution of the shell and a part that will be executed after the shell has
terminated. 3ote that the last mail command is protected from hangup signals by a
nohup statement. If you leae out that statement" the mail process will receie a
terminating signal before it would be able to send the mail.
3ow" root will receie mail eery time the user logs in or out. %f course" you can issue
any command you want instead of sending #ail. 3ote that the user could easily detect
this guardian script is running by issuing a ps command. /e could een kill the guardian
script" which would also terminate his script" but the logout notification would neer
arrie.
$nother method would be to inoke logger" which logs a warning to the syslog facility
Ae.g." for a script that 'ust warns you when somebody has logged inB#
+Q/bin/bas2
+
/usr/bin/logger 9logged in9
exec /bin/bas2 66login
logger" by default" will log a line to the file that has been connected to the
Juser.noticeK syslog facility Asee# syslog.confA5B and loggerA!BB. 3ote" that logger
automatically prepends the line in the logfile with the date and the username" hence you
do not need to specify it yourself.
-e hae described two ways to record a user logging in or out" using the (ourne shell to
glue standard 4nix=Linux commands together. There are many more possibilities# to use
a script that acts as a daemon and that regularly checks the process-table of any processes
run on behalf of the user or to add a line to /etc/pro5ile that alerts the sysadmin. $ll of
these methods hae arious pros and cons. $s usual" there are many ways to achiee
what you want.
To demonstrate the use of awk to parse information" we will tackle this problem another
way. %n Linux systems" the last(1! command shows a listing of the logging behaior of
users. The command obtains its information from the >tmp file Aoften found in
/-ar/logB. The >tmp file is used by a number of programs to records logins and logoutsQ
login" init and some ersions of getty. $n example of its output follows#
piet tt!# Lue Ho- 20 #'.$4 still logged
in
piet tt!# Lue Ho- 20 #'.$% 6 #'.$%
($$.$$)
- 522 -
2en, .$ console L2u Ho- #( #6.%' still logged
in
2en, .$ console Red Gct 24 #0.$2 6 #'.%%
('X$2.%#)
reboot s!stem boot 2.2.#' Red Gct 24 #0.$#
('X$2.%%)
... lines truncated ...
>tmp begins Iri Sep 0 #0.4'.($ 2$$#
The output displays the user" the ApseudoBterminal the user used to log in" the address of
the host from which the user made the connection Aif aailableB and finally a set of fields
that specify how long the user has been logged in.
(y running last eery - let)s say - fie minutes and checking if anything has changed
since the last time we checked" we can generate a report that tells us who has logged
in=out since the last time we checked. $n outline of the flow#
(begin)
T
X6 store current situation in a 5ile
T
?is t2ere a 2istor! 5ile4A
T
/ /
n !
T T
T X6 ma,e a di55 bet>een 2istor! 5ile and ne> 5ile
T T
T ?>ere t2ere c2anges since last time4A
T T
T / /
T n !
T T T
T T X6 mail report
T T T
T / /
T T
/ /
T
X6 put current situation into 2istor! 5ile
T
(end)
and a possible implementation" marked with line-numbers for later reference#
/6666666666666666666666666666666666666666666666666666666666666666666
666
$# T +Q/bin/s2
$2 T
$% T + L2e base director! to put our logs in
$4 T +
$( T =;S:DI1B/-ar/log/c2ec,login
- 529 -
$6 T
$0 T + L2e name o5 t2e 2istor!6 and current 5ileO in >2ic2 t2e
$' T + login in5ormation is stored
$& T +
#$ T YISLG1NB3U=;S:DI1V/2istor!
## T D11:HLB3U=;S:DI1V/current
#2 T
#% T + ; simple generic 5ailure 5unctionO aborts a5ter displa!ing
#4 T + its arguments.
#( T +
#6 T 5ail()
#0 T U
#' T ec2o 9Iailed. 3E9
#& T exit #
2$ T V
2# T
22 T + L2is 5unction cleans up t2e output o5 WlastWO b!
2% T + eliminating empt! linesO reboot lines and >tmp
24 T + lines.
2( T +
26 T clean"last()
20 T U
2' T /usr/bin/last T sed WU
2& T /\reboot /d
%$ T /\3/d
%# T /\>tmp begins /d
%2 T VW
%% T
%4 T V
%( T
%6 T MNJ1GFBZid 6gnZ
%0 T MNID:HLBZid 6unZ
%' T
%& T + D2ec, our en-ironment.
4$ T +
4# T ) 6d 3U=;S:DI1V * TT m,dir 6p 3U=;S:DI1V
42 T ) 6d 3U=;S:DI1V * TT 5ail could not create 3U=;S:DI1V
4% T ) 6J 3U=;S:DI1V * TT 5ail 3U=;S:DI1V not o>ned b! 3UMNJ1GFV
44 T ) 6G 3U=;S:DI1V * TT 5ail 3U=;S:DI1V not o>ned b! 3UMNID:HLV
4( T
46 T + store current situation in a 5ile
40 T
4' T clean"last A3UD11:HLV
4& T
($ T
(# T
(2 T + Is t2ere a 2istor! 5ile4
(% T +
(4 T i5 ) 65 3UYISLG1NV *
(( T t2en
(6 T + Nes 6 2as t2e situation c2anged since last time4
(0 T +
(' T i5 Q Zcmp 66silent 3D11:HL 3YISLG1NZ
(& T t2en
6$ T + Nes 6 mail root about it
6# T +
62 T di55 3YISLG1N 3D11:HL Tmail root 6s 9Mogin report9
- 522 -
6% T 5i
64 T 5i
6( T +
66 T + Fut current situation into 2istor! 5ile
60 T +
6' T m- 3UD11:HLV 3UYISLG1NV
6& T ) 34 6eS $ * TT 5ail m- 3UD11:HLV 3UYISLG1NV
0$ T exit $
/6666666666666666666666666666666666666666666666666666666666666666666
666
This script could be run by cron" let)s say" eery 5 minutes. $t line .!" we see the
se+uences AJhash-bangKB that tell the shell that this script should be run by /bin/s2. %n
most Linux systems" this will be a link to the *ash shell. The script uses a file to maintain
its state between inocations Athe history fileB and a workfile. The history file will contain
the login information as it was written at the preious inocation of the script and the
workfile will contain the most recent login information. The locations for these files are
specified on lines .!-!2. 4sing ariables to configure a script is both a common and
time-honored practice. That way" you only need to change these ariables should you
eer desire another location for these files" instead of haing to change the names
throughout the entire script.
%n lines !9-2." a rudimentary fail-function is defined. It prints its arguments and exits"
passing the alue # to the calling shell. Passing a non-,ero alue to the calling program is"
by conention" a signal that some error occurred whilst executing the program. In the rest
of the script" we can use the construct#
5ail Ut2e text to print be5ore exitingV
which will print#
Iailed. Ut2e text to print be5ore exitingV
and will abort the script. If the script is run by cron" any AerrorBoutput will be mailed by
default to the owner of the entry.
Lines 22-92 contain a function that seres as a wrapper around the last command. Its
output is filtered# it remoes lines that start with reboot Aline 2<B" empty lines Aline 9.B
and the line that reports when the wtmp file was created Aline 9!B. $ll other lines are sent
through unchanged.
In lines 9: and 97" the identity of the user running the script is determined. These alues
used to create readable reports on failure. Lines 9<-22 check the enironment. Line 2!
checks if the base directory exists and" if not" tries to create it. Line 22 rechecks the
existence of the directory and exits if it AstillB is not there. Lines 29 and 22 check whether
or not the base-directory is owned by the current user and group. If one of these tests
fails" an error messages is created by the 5ail function and the script is aborted.
- 525 -
Lines 28 and 2< execute our special filtered ersion of last and send the output to our
workfile. That file now contains the most current log information. Lines 52-:2 checks
whether a history file already exists. This will always be the case" unless this is the first
inocation of the script. %n line 58" a comparison between the old and new database is
made. If there is no difference" nothing is done. %therwise" the command )iff is used to
mail the differences to root. ?inally" in line :8" the history file is oerwritten by the
current database.
The aforementioned method has plenty of flaws# not eery program logs to >tmp" and the
reports will be delayed for" at most" the length of the interal you specified to run the
checkscript. $lso" the output format of diff is not the most user-friendly output. Lou may
find it a rewarding operation to refine this script yourself.
Chapter 1$. "rou*leshooting
(2.21$!
This topic has a total weight of 7 points and contains the following ob'ecties#
%b'ectie 2.2!2.!Q A3ot Implemented by LPIB
This ob'ectie was not defined by LPI.
%b'ectie 2.2!2.2 Creating recoery disks A! pointB
Candidate should be able to# create both a standard bootdisk for system entrance"
and a recoery disk for system repair.
%b'ectie 2.2!2.9Q Identifying boot stages A! pointB
Candidate should be able to# determine" from bootup text" the 2 stages of boot
se+uence and distinguish between each.
%b'ectie 2.2!2.2Q Troubleshooting LIL% A! pointB
- 52: -
Candidate should be able to# determine specific stage failures and correctie
techni+ues.
%b'ectie 2.2!2.5Q 6eneral troubleshooting A! pointB
$ candidate should be able to recogni,e and identify boot loader and kernel
specific stages and utili,e kernel boot messages to diagnose kernel errors. This
ob'ectie includes being able to identify and correct common hardware issues"
and be able to determine if the problem is hardware or software.
%b'ectie 2.2!2.:Q Troubleshooting system resources A! pointB
$ candidate should be able to identify" diagnose and repair local system
enironment.
%b'ectie 2.2!2.7Q Troubleshooting network issues A! pointB
$ candidates should be able to identify and correct common network setup issues
to include knowledge of locations for basic configuration files and commands.
%b'ectie 2.2!2.8Q Troubleshooting enironment configurations A! pointB
$ candidate should be able to identify common local system and user
enironment configuration issues and common repair techni+ues.
Creating reco+ery )isks (2.21$.2!
Candidate should be able to# create both a standard bootdisk for system entrance" and a
recoery disk for system repair.
/usr/sbin/rde-
/bin/cat
/bin/mountAincludes -o loop switchB
$ny standard editor
/sbin/lilo
/bin/dd
/sbin/m,e25s
/etc/5stabO /etc/inittab
/usr/sbin/c2root
?amiliarity with the location and contents of the L*P (ootdisk-/%-T%
/http9::###"ibiblio"org:pub:Linux:docs:5=T5:@ootdisk-5=T53
- 527 -
%hy e need bootdisks
$ bootdisk is a small Linux system on a diskette. Lou can boot a kernel from it" hence
the name. The kernel will mount a root filesystem" which typically is either stored on the
same diskette or on a separate root disk. That filesystem contains a number of necessary
files and deices" and a set of software tailored for a specific task. Lou can expect basic
commands like /bin/mount" /bin/s2 or /bin/bas2 to be in the bootdisk)s root file
system and basic configuration files like /etc/inittab - 'ust enough to satisfy the needs
the bootdisk was intended for.
The software found on a bootdisk is mostly used to perform a subset of system
maintenance functions. %ften" the boot disk)s root filesystem contains software to recoer
from system errors" for example to enable you to inspect and repair a damaged system.
&ometimes they are used to perform a ery specific task" for example to enable easy
software upgrades for large +uantities of @&--indows laptops.
&ince there is 'ust a limited amount of data you can store on a diskette" often compression
techni+ues are used to create a compressed image of the filesystem on disk. In these cases
the kernel will decompress the image into memory and subse+uently mount it. The kernel
needs to be built with ;$@-disk support to enable it to do this. In some cases the
aailable space is insufficient for both the kernel and its root filesystem. In these cases"
the kernel is put on one disk Athe boot diskB and the AcompressedB root filesystem on
another Athe root diskB. &ometimes one or more utilit( disks are used to store additional
data" for example additional utilities that do not fit on your root disk.
The @ootdisk-5=T5 contains an excellent and ery detailed description on how to
build arious types of boot and root disks. In the sections below we gie an oeriew of
the material presented there. Please refer to the /%-T% for additional information.
Create a bootdisk
To build a bootdisk" you will need to ..
select or build a kernel
copy the kernel to a floppy disk either by#
o using LIL% or
o using dd
create and populate a root filesystem
decide whether or not to use a separate disk for the root filesystem
compress the root filesystem
copy the root filesystem to floppy disk
set the ramdisk word
Dach of these steps is outlined below. @ore specific details can be looked up in the ?$H.
- 528 -
The boot disk typically contains the kernel to boot. /ence" you first need to determine the
functionality your boot-kernel will need and either build a new kernel or select one that
was built before and matches the specifications. ?or example" to create a bootdisk to be
used for checking filesystems" you need to hae a kernel that recogni,es the proper
filesystems. /oweer" it does not necessarily need networking functionality. In some
cases it suffices to copy oer your existing kernel" but in many cases your default
AcompressedB kernelimage will be too bloated to fit on a diskette" especially if you aim to
build a combined boot=root disk. The kernel building process is described in more detail
in the section called J0ernel Components A2.2.!.!BK and on.
$fter selecting=building the kernel you need to copy it on to the boot disk. Lou can either
use L3L/ or copy oer the kernel using )).
The method which uses L3L/ consumes more disk space" but adds some
flexibility" since you will be able to specify extra parameters during boot. Lou
will need to create a small filesystem on the boot disk for L3L/" 'ust big enough
to contain the kernel and 5. blocks worth of additional space for inodes. Lou then
create a filesystem on the disk" using #ke2fs" and fill it with some deice- and
configuration files" see the ?$H for details. Then you run lilo on it.
The other method uses )) to copy oer the kernelimage to the disk. In this case
you do not need to make a filesystem" but need to configure the kernel itself to
instruct it where to find its rootdeice. This can be done using the r)e+ command.
In both cases next you need to set a alue in the so-called ramdisk #ord in the kernel.
This is a well defined location in the kernel binary that is used to specify where the root
filesystem is to be found" along with other options. The word consists of !: bits. The first
!! bits are used to set the offset Aspecified in !.22 byte blocksB where on the disk the root
filesystem image will be stored. If bit !5 is set the kernel will prompt you for a diskette
before trying to mount the root filesystem. This enables you to use a separate root disk.
(it !2 is used to signify that a ;$@disk should be used. Lou will need to calculate the
alue for the ;$@*I&0 word by hand and set its alue ia the r)e+ command.
The creation of a root filesystem is by far the most complex part of the 'ob. It re+uires
setting up a partition somewhere Aa physical partition" a file mounted ia the loopback
interface or a ramdiskB" ,eroing it out to remoe random garbage Awhich allows for
optimal compression laterB" creating a filesystem on it" mounting it" populating it with the
files you want" unmounting it" compressing it and finally copying the compressed image
onto a floppy. Lou will need to ensure the consistency of the filesystem contents" for
example make sure that all AdynamicB libraries that are needed are aailable and all
necessary deices are created. $ll of these steps are described in more detail in the ?$H.
$ig files have little files upon their back--
Linux makes it fairly easy to create a filesystem within=on a file instead of on a disk or
ramdisk# it uses loopback devices. Lou could create an iso<::. C* ;%@ image
Atypically using the #kisofs commandB and mount it without haing to burn it to C* first
- 52< -
by using a loopback deice. $ less commonly known techni+ue uses a JplainK file. To
make this work you need to create an ,eroed out file first#
dd i5B/de-/zero o5B5s5ile bsB#, countB#$$
This creates a file that contains !..0 of ,ero bytes" named JfsfileK. 3ext" you need to
associate one of the loopback deices with that file. This is done using the losetup
command#
losetup 6e none /de-/loop$ 5s5ile
The 6e none is default and specifies that encryption should not be used in this case
Acheck out the manual page for losetup('! for more detailsB. 3ow" you can make a
filesystem on it" in this case an ext2 filesystem#
m,5s 6t ext2 /de-/loop$ #$$
3ext" mount this newly created filesystem somewhere in your hierarchy" let)s say on
/mnt#
mount 6t ext2 /de-/loop$ /mnt
Lou can use this filesystem any way you want to. To unmount it" use#
umount /de-/loop$
losetup 6d /de-/loop$
There are arious software packages aailable to aid the creation of boot- and
rescuedisks. 4sing these packages you can 'ust specify a set of files for inclusion and the
software automates Ato arying degreesB the creation of a bootdisk. &ome of these
packages enable creation of ery compact" yet rich Jmicro-distributionsK that contain
hundreds of commands and a kernel on one diskette.
initrd
3ewer kernels Aas of 2..B allow a kernel to boot in two phases. Initially" the kernel can
load an initial ramdisk image Ahence the name initr)B from the boot disk" which contains
a root filesystem and a program A/linuxrcB to be run. linuxrc can perform arious
AinteractieB tasks" e.g. ask the user for additional configuration options. It often is used to
add additional modules in a bare-bone kernel. $fter this initial program exits" the kernel
continues loading the real root image and booting continues normally.
Create a recovery disk
$ recoery Aor rescue-B disk is in fact 'ust a boot=root disk and is created likewise Athe
section called J-hy we need bootdisksKB. (ut besides the generic software that makes up
a bootdisk" it also contains information specific for your distribution or system. It is used
- 59. -
to recoer from fatal system crashes and can be used to restore your systems
functionality" for example by proiding software to restore backups Acpio" tarB. It usually
contains information about your system like partition information and a kernel specific to
your systems hardware. @ost Linux distributions offer you the option to create a rescue
disk during system installation.
3)entifying *oot stages (2.21$.3!
Candidate should be able to# determine" from bootup text" the 2 stages of boot se+uence
and distinguish between each.
boot loader start and hand off to kernel
kernel loading
hardware initiali,ation and setup
daemon initiali,ation and setup
"he bootstrap process
The boot process has been described at length in Chapter 2" 4(stem 4tartup /0"0203. This
section underlines and enhances that description. -e will limit our discussion to PC
hardware" though most other hardware uses similar schemes.
The PC boot process is started on powerup. The processor will start execution of code
contained in the @asic In- and 5utput 4(stem A(I%&B. The (I%& is a program stored in
;ead %nly @emory A;%@B and is a part of the PC hardware. $part from the bootstrap
code it contains routines to set up your hardware and to communicate with it. @ost of the
code in the (I%& is neer used by Linux" but the bootstrap code is.
The bootstrap code will load a block of data from sector ." cylinder . of what has been
configured to be your boot drie. In most cases this will be the first floppy drie. If
reading the floppy disk fails or no floppy disk was inserted" the program in the (I%& will
try to load the first sector from the first AspecifiedB hard disk. @ost (I%&es allow you to
set up an alternate order" i.e. to try the hard disk first or first try to boot from C*.
-hereer the data was found Aand if it was found" of courseB the (I%& will load it into
memory and try to execute it as if it were a program. In most cases the data either
consists of code from a boot loader such as LIL%" or the start of an operating system
kernel like Linux. If the code on the boot sector is illegible or inalid" the (I%& will try
the next bootdeice.
Bernel loading
$s can be determined from the text aboe" there are two ways for the kernel to be loaded#
- 59! -
by using the kernelcode itself. The first sector of the boot disk will contain the
first sector of the Linux kernel itself. That code loads the rest of the kernel from
the boot deice.
by using a bootstrap loader. There are 2 well-known bootstrap loaders for Linux#
6;4( A6;and 4nified (ootloaderB and LIL%. LIL% has by far the largest
installed base" formally 6;4( is still beta software. /oweer" 6;4( has a
number of adantages oer LIL%" such as built in knowledge of filesystems.
/ence 6;4( is capable of loading configuration files and the kernel directly by
their filename. LIL% uses a different method# the physical location
Atrack=sector=offsetB for the kernel is stored at installation time. The bootloader
part of LIL% doesn)t need knowledge of the filesystem it is booting from. It is the
most commonly used bootloader. It is the only bootstraploader you need to know
to pass the LPIC-2 exam" but it neer hurts to be aware of an alternatie.
If LIL% has been used" it will locate the kernel" load it and execute it. If the kernel has
been raw-copied to a diskette its first sector also contains code that loads the rest of the
kernelcode from the boot deice and conse+uently executes it.
The kernel will initiali,e its internal data structures and deice driers. %nce it is
completely initiali,ed" it consults the contents of the ramdisk #ord" a fixed address in its
binary that specifies where the kernel can find the filesystem that will be mounted as root
AI/)" the root filesystemB. The ramdisk word also can specify that the filesystem is a
;$@disk. $ ;$@disk is a memory region that is loaded with a Aoptionally compressedB
image of a filesystem" and that is used if it were a hard disk. If the kernel can not find the
root filesystem it halts.
Daemon initiali9ation
$ssuming all went well the kernel now is up and running and has mounted its root
filesystem. 3ext" the kernel -ill start up the init program" located in either /bin or
/sbin. init uses the configuration file /etc/inittab to determine which programAsB to
start next.
The way init is used to start up the initial processes aries from distribution to
distribution. init can be configured in many ways. (ut in all cases a number of
commands will be issued to set up the basic system such as running fsck on hard disks"
initiali,ing swapping and mount disks that are configured in /etc/5stab. 3ext" a group
of commands Aoften scriptsB are executed. They define a so called runlevel. &uch
runleels define a set of processes that need to be run to get the system in a certain state"
for example multi-user mode or single-user mode.
The initde5ault entry in the /etc/inittab file defines the initial runleel of the
system. If there is no such entry or the configuration file was not found init will prompt
for a runleel at the system console. Conse+uently" all processes specified for that
runleel in the inittab file will be started. In some cases the initial scripts are specified
by the s!sinit label in the init" in other cases they are considered part of a runleel.
- 592 -
-hen a runleel defines multi-user use" typically a number of daemons is started next.
This is done by using start-up scripts" that can be in arious location" depending on the
distribution you use. Typically such start-up scripts are located in the /etc/rc.d/
directory and named aptly after the software they run" e.g. sen)#ail" inet) or ssh).
Typically" these scripts are linked to another leel of directories" one per runleel. In all
runleels one or more getty programs will be spawned" to enable user logins.
!ecogni9ing the four stages during boot
?rom what was written before you now should be able to identify the four stages of the
bootse+uence#
boot loader start and hand off to kernel - typically you can recogni,e this stage
because LIL% displays the four letters JLK" JIK" JLK" and J%K. Dach of these
letters identifies a certain stage in the initial bootprocess. Their meaning is
described in more detail in the section called JLIL% errorsKQ
kernel loading - this stage can be recogni,ed since the kernel will display arious
messages" starting with the message JLoading K followed by the name of your
kernel" e.g. Minux62.2.2$.
hardware initiali,ation and setup - can be identified by arious messages that
inform you about the arious hardware components that were found and
initiali,ed.
daemon initiali,ation and setup - this is fairly distribution specific" but this stage
can be recogni,ed by messages that typically contain lines like J&tarting the ...
daemonK.
The kernel stores its messages is a ring buffer. %n most Linux systems that ring buffer is
flushed to a file during the last phase of the boot process for later inspection. The
command )#esg will display the contents of the current buffer Aand actually often is used
to flush the ring buffer to a file during the last phase of the boot se+uenceB. Check the
manual page for more information.
"rou*leshooting L3L/ (2.21$.$!
Candidate should be able to# determine specific stage failures and correctie techni+ues.
0now meaning of L" LI" LIL" LIL%" and scrolling .!.!.! errors
0now the different LIL% install locations" @(;" =de=fd." or primary=extended partition
/boot/boot.b
0now significance of /boot/boot.+++ files
- 599 -
$ooting from CD0!1* and netorks
$s of this writing most (I%&)s let you choose booting from hard disk" floppy" network or
C*;%@. To gie an oersight these alternaties are outlined below. &ince most systems
boot from hard disk" this process was described in more detail and is elaborated on later
on.
@ooting from ,8;5. re+uires that your hardware support the JDl ToritoK standard. Dl
Torito is a specification that says how a C*;%@ should be formatted such that you can
directly boot from it. $ bootable C*;%@ contains contains a floppy-disk image in its
initial sectors. This image is treated like a floppy by the (I%& and booted from.
@ooting from the net#ork is done using the @oot 'rotocol A(%%TPB or the 8(namic ost
,onfiguration 'rotocol A*/CPB. */CP actually is an eolution of (%%TP. In most
cases the client has no means to address the bootserer directly" so the client broadcasts
an 4*P packet oer the network. $ny bootserer that has information about the client
stored will answer. If more than one serer responds" the client will select one of them.
&ince the re+uesting client does not yet hae a alid IP address" the uni+ue hardware
A@$CB address of its network card is used to identify it to the (%%TP sererAsB in your
network. The (%%TP sererAsB will issue the IP address" a hostname" the address of the
serer where the image of the kernel to boot can be found and the name of that image.
The client configures its network accordingly and downloads the specified image from
the serer that was specified using the Trivial +ile Transfer 'rotocol AT?TPB. T?TP is
often considered to be an unsafe protocol" since there is no authentication. It uses the
4*P protocol. /oweer" its triiality also compact implementations that can be stored in
a boot-;%@" for example a PC (I%&. $fter the kernel image has been retrieed" is will
be started the usual way. %ften" the root filesystem is located on another serer too" and
3?& is used to mount it. This re+uires a Linux kernel that allows the root filesystem to be
3?&.
$ooting from disk or partition
booting from flopp( or disk is the common case. In preious chapters we already
described the boot process used to boot from floppy. /oweer" there is is a slight
difference between floppy and hard disk boots. (oth contain a bootsector" located at
cylinder ." head ." sector !. %n a floppy the boot sector often contains 'ust the boot code
to be loaded in memory and executed.
booting from hard disk re+uires some additional functionality# a hard disk can contain
one or more partitions" in which case the boot program needs to find out from which
partition to boot. $ partition in turn will contain its own bootcode sector. The sector
located at cylinder ." head ." sector ! is called the master boot record A@(;B.
Information about hard disk partitions is typically stored in partition tables" which are
data-structures stored on a special partition sector. There are arious types of partition
tables" for example I;IP=&6I" &un or *%&. It depends on the hardware in use which type
- 592 -
of partition table is used. In this book we focus on the classical PC A*%&B partition table"
which is typical for PC hardware. (y default Linux accepts and uses *%& partition
tables. &upport for other partition types can be enabled in the kernel. %n PC hardware the
partition table is part of the @(;. Lou can use the f)isk command to print out your
current partition table or to create a new one.
%n a PC the (I%& starts loading the first 22: bytes of cylinder ." head ." sector ! into
memory. These bytes comprise the boot program. That boot program is executed next. It
is up to you which program to use to boot your system. (y writing your own boot
program you could continue the boot process any way you want. (ut there are many fine
boot programs aailable" for example the *%& loader and the Linux Loader ALIL%B.
$lternately" you can use another boot loader program" for example 6;4(. &ometimes a
-indows boot loader is used Ai.e. (ootmagicB" or een the old fashioned *%& boot
loader.
*%& for example uses a loader programs that scans the partition table for a bootable
partition. -hen an entry marked JactieK was found the first sector of that partition is
loaded into memory and executed. That code in turn continues the loading of the
operating system.
Linux can install a loader program too. %ften this will be LIL%" the Linux Loader. LIL%
uses a two-stage approach# the boot sector has a boot program" that loads a boot file" the
second stage boot program. That program presents you with a simple menu-like
interface" which either prompts you for the operating system to load or optionally times
out and loads the the default system. 3ote" that the code in the @(; is limited# it does
not hae any knowledge about concepts like JfilesystemsK let alone JfilenamesK. It can
access the hard disk" but needs the (I%& to do so. $nd the (I%& is not capable of
understanding anything but C/& ACylinder=/eads=&ectorsB. /ence" to find its boot
program" the code in the @(; needs exact specification of the C/& to use to find it.
These specifications are figured out by /sbin/lilo" when it installs the boot sector.
The second stage LIL% boot program needs information about the following items#
where /boot/boot.b can be foundQ it contains the second stage boot program.
The second stage program will be loaded by the initial boot program in the @(;Q
the /boot/map file" which contains information about the location of kernels" boot
sectors etc.Q this information is used mostly by the second stage boot programQ see
below for a more detailed description of the map fileQ
the location of kernelAsB you want to be able to boot
the boot sectors of all operating systems it boots
the location of the startup message" if one has been defined
;emember" to be able to access these files" the (I%& needs the C/&
ACylinder=/ead=&ectorB information to load the proper block. This also holds true for the
code in the second stage loader. LIL% therefore needs a so called map file" that maps
filenames into C/& alues. This file contains information for all files that LIL% needs to
- 595 -
know of during boot" for example locations of the kernelAsB" the command line to execute
on boot" and more. The default name for the map file is /boot/map. /sbin/lilo uses the
file /etc/lilo.con5 to determine what files to map and what bootprogram to use and
creates a mapfile accordingly.
*ore about partitions tables
The *%& partition table is embedded in the @(; at cylinder ." head ." sector !" at offset
227 A.x!(?B and on. There are four entries in a *%& partition table. %nly one of them
can be marked as actie# the boot program normally will load the first sector of the actie
partition in memory and delier control to it.
$n entry in the partition table contains !: bytes" as shown in the following figure#
-igure 1$.1. 1 (4/(! partition ta*le entry

Tboot4 TTstart TTt!pe TTpartition T
T TTc!l T2ead TsectTT TTc!l T2ead TsectT
T666666TT66666666TT666666TT6666TT666666TT66666666TT666666TT6666T
Tstart in M=; TTsize in sectors T
T666666TT666666TT666666TT666666TT666666TT666666TT666666TT666666T
$s you can see" each partition entry contains the start and end location of the partition
specified as the Cylinder=/ead=&ector of the hard disk. 3ote" that the JCylinderK field has
!. bits" therefore the maximum number of sectors that can be specified is A2[!.SSB !.22.
(I%&es traditionally use C/& specifications hence older (I%&es are not capable of
accessing data stored beyond the first !.22 cylinders of the disk.
$s disks grew in si,e the partition=disk si,es could not be properly expressed using the
limited capacity of the C/& fields anymore. $n alternate method of addressing blocks on
a hard disk was introduced# Logical @lock Addressing AL($B. L($ addressing specifies
sections of the disk by their block number relatie to .. $ block can be seen as a 5!2 byte
sector. The last :2 bits in a partition table entry contain the JbeginK and JendK of that
partition specified as L($ address of the begin of the partition and the number of sectors.
"ip
;emember that your computer boots using the (I%& disk access routines. /ence" if your
(I%& does not cope with L($ addressing you may not be able to boot from partitions
beyond the !.22 cylinder boundary. ?or this reason people with large disks often create a
small partition somewhere within the !.22 cylinder boundary" usually mounted on /boot
and put the boot program and kernel in there" so (I%& can boot Linux from hard disk.
%nce loaded" Linux ignores the (I%& - it has its own disk access procedures which are
capable of handling huge disks.
- 59: -
The JtypeK field contains the type of the partition" which usually relates to the purpose
the partition was intended for. To gie an impression of the arious types of partitions
aailable" a screen dump of the JLKist command within f)isk follows#
$ :mpt! #0 Yidden YFIS/HLI (c Friam :dis, a6 Gpen=SD
# I;L#2 #' ;SL Rindo>s s>a 6# SpeedStor a0 HeKLSL:F
2 K:HIK root #b Yidden Rin&( I; 6% JH Y1D or S!s b0 =SDI 5s
% K:HIK usr #c Yidden Rin&( I; 64 Ho-ell Het>are b' =SDI
s>ap
4 I;L#6 ?%2M #e Yidden Rin&( I; 6( Ho-ell Het>are c#
D1DGS/sec (I;L6
( :xtended 24 H:D DGS 0$ Dis,Secure Mult c4
D1DGS/sec (I;L6
6 I;L#6 %c FartitionMagic 0( FD/IK c6
D1DGS/sec (I;L6
0 YFIS/HLIS 4$ Penix '$2'6 '$ Gld Minix c0 S!rinx
' ;IK 4# FFD F1eF =oot '# Minix / old Min db DF/M /
DLGS / .
& ;IK bootable 42 SIS '2 Minux s>ap e# DGS
access
a GS/2 =oot Manag 4d _HK4.x '% Minux e% DGS 1/G
b Rin&( I;L%2 4e _HK4.x 2nd part '4 GS/2 2idden D. e4
SpeedStor
c Rin&( I;L%2 (M= 45 _HK4.x %rd part '( Minux extended eb =eGS 5s
e Rin&( I;L#6 (M= ($ GnLrac, DM '6 HLIS -olume set 5#
SpeedStor
5 Rin&( :xtWd (M= (# GnLrac, DM6 ;ux '0 HLIS -olume set 54
SpeedStor
#$ GFS (2 DF/M &% ;moeba 52 DGS
secondar!
## Yidden I;L#2 (% GnLrac, DM6 ;ux &4 ;moeba ==L 5d Minux
raid auto
#2 DompaS diagnost (4 GnLrac,DM6 a$ I=M L2in,pad 2i 5e M;Hstep
#4 Yidden I;L#6 ?% (( :<6Dri-e a( =SD/%'6 55 ==L
#6 Yidden I;L#6 (6 Jolden =o>
3#tended partitions
The design limitation that imposes a maximum of four partitions proed to be
troublesome as disks grew larger and larger. Therefore" a work-around was inented# by
specifying one of the partitions as a J*%& Dxtended partitionK it in effect becomes a
container for more partitions aptly named logical partitions. The JDxtended partitionK
can be regarded as a container" that holds one or more logical partitions. The total si,e of
all logical partitions within the extended partition can neer exceed the si,e of that
extended partition.
In principle Linux lets you create as many logical partitions as you want" of course
restricted by the physical boundaries of the extended partition and hardware limitations.
The logical partitions are described in a linked list of sectors. The four primary partitions"
present or not" get numbers !-2. Logical partitions start numbering from 5. The main disk
contains a partition table that describes the partitions" the extended partitions contain
- 597 -
logical partitions that in turn contain a partition table that describes a logical partition and
a pointer to the next logical partitions partition table" see the $&CII art below#
-igure 1$.2. Partition ta*le setup
X6666666666666666666666666666666666666666666666666X
T Fartition table /de-/2da T
T X66666666666666666666666666666666666666666666666T
T T Fartition # /de-/2da# T
T T T
T T66666666666666666666666666666666666666666666666T
T T Fartition 2 /de-/2da2 T
T T T
T T66666666666666666666666666666666666666666666666T
T T :xtended partition /de-/2da% T
T T X666666666666666666666666666666666666666666666T
T T T :xtended partition table T
T T T666666666666666666666666666666666666666666666T
T T T Fartition % /de-/2da( T
T T T T
T T T666666666666666666666666666666666666666666666T
T T T :xtended partition table T
T T T666666666666666666666666666666666666666666666T
T T T Fartition 4 /de-/2da6 T
T T T T
T T66666666666666666666666666666666666666666666666T
T T Fartition ( /de-/2da4 T
T T T
X6666666666666666666666666666666666666666666666666X
"he LIL1 install locations
LIL%)s first stage loader program can either be put in the @(;" or it can be put in any
partitions boot sector. %f course" you could put it in both locations if you wanted to" for
example in the @(; to decide whether to boot -indows" *%& or Linux and if Linux is
booted" its boot sector could contain LIL%)s primary loader too" which would for
example enable you to choose between different ersions=configurations of the kernel.
The tandem JLinux and -indowsK is fre+uently used to ease the migration of serices to
the Linux platform or to enable both Linux and -indows to run on the same computer.
To dual boot Linux and -indows <5=<8" you can install LIL% on the master boot record.
-indows 3T and -indows 2... re+uire their own loader in the @(;. In these case" you
can install LIL% in the Linux partition as a secondary boot loader. The initial boot will be
done by the -indows loader in the @(;" which then can transfer control to LIL%.
LIL1 backup files
/sbin/lilo can create the bootprogram in the @(; or in the first sectors of a partition.
The bootprogram" sometimes referred to as the first stage loader will try to load the
second stage boot loader. The seconds stage bootloader is contained in a file on the boot
partition of your Linux system" by default it is in the file /boot/boot.b.
- 598 -
If you use /sbin/lilo to write the bootprogram it will try to make a backup copy of the
old contents of the bootsector and will write the old contents in a file named
/boot/boot.++++. The hash symbols are actually replaced by the ma'or and minor
numbers of the deice where the original bootsector used to be" for example" the backup
copy of the @(; on the first I*D disk would be stored as /boot/boot.$%$$# 9 is the
ma'or number for the deice file /de-/2da" and . is the minor number for it. /sbin/lilo
will not oerwrite an already existing backup file.
LIL1 errors
-hen LIL% loads itself" it displays the word
MIMG
Dach letter is printed before or after performing some specific action. If LIL% fails at
some point" the letters printed so far can be used to identify the problem.
(not2ing)
3o part of L3L/ has been loaded. Dither L3L/ isn)t installed or the partition on which
its boot sector is located isn)t actie.
M error
The first stage boot loader has been loaded and started" but it can)t load the second stage
boot loader. The two-digit error codes indicate the type of problem. This condition
usually indicates a media failure or a geometry mismatch. The most fre+uent causes for a
geometry mismatch are not physical defects or inalid partition tables but errors during
the installation of L3L/. %ften these are caused by ignoring the !.22 cylinder boundary.
This error code signals a transient problem - in that case LIL% will try to resume or halt
the system. /oweer" sometimes the error code is not transient and LIL% will repeat it"
oer and oer again. This means that you end up with a scrolling screen that contains 'ust
the error codes. ?or example# the error code J.!K signifies an Jillegal commandK. This
signifies that the disk type is not supported by your (I%& or that the geometry can not
correctly be determined. %ther error codes are described in full in the LIL%)s user
documentation.
MI
The first stage boot loader was able to load the second stage boot loader" but has failed to
execute it. This can either be caused by a geometry mismatch or by moing
/boot/boot.b without running the map installer.
MIM
- 59< -
The second stage boot loader has been started" but it can)t load the descriptor table from
the map file. This is typically caused by a media failure or by a geometry mismatch.
MIM4
The second stage boot loader has been loaded at an incorrect address. This is typically
caused by a subtle geometry mismatch or by moing /boot/boot.b without running the
map installer.
MIM6
The descriptor table is corrupt. This can either be caused by a geometry mismatch or by
moing /boot/map without running the map installer.
MIMG
$ll parts of L3L/ hae been successfully loaded.
>eneral trou*leshooting (2.21$.,!
$ candidate should be able to recogni,e and identify boot loader and kernel specific
stages and utili,e kernel boot messages to diagnose kernel errors. This ob'ectie includes
being able to identify and correct common hardware issues" and be able to determine if
the problem is hardware or software.
screen output during bootup
/bin/dmesg
kernel syslog entries in system logs Aif entry is able to be gainedB
arious system and daemon log files in /-ar/log/
/sbin/lspci
/bin/dmesg
/usr/bin/lsde-
/sbin/lsmod
/sbin/modprobe
/sbin/insmod
/bin/uname
location of system kernel and attending modules =" =boot" and =lib=modules
/proc filesystem
strace
strings
ltrace
lso5
- 52. -
/ ord of caution
*ebugging boot problems Aor any other problems for that matterB can be complex at
times. Lour best teacher is experience. /oweer" by carefully studying the boot messages
and hae the proper understanding of the mechanisms at hand you should be able to sole
most" if not all" common Linux problems.
Lou need a good working knowledge of the boot process to be able to sole boot
problems. In preious sections the boot process was described in detail as was system
initiali,ation. (y now you should be able to determine in what stage the boot process is
from the messages displayed on the screen. Lou should be able to utili,e kernel boot
messages to diagnose kernel errors. If not" please re-read the preious sections carefully.
-e will proide a number of suggestions on how to sole common problems in the next
sections. /oweer" it is beyond the scope of this book to coer all possible permutations.
If your problem is not coered here" search the web for peers with the same problem"
consult your colleagues" read more documentation" inestigate and experiment.
Cost effectiveness
In an ideal world you always hae plenty of time to find out the exact nature of the
problem and conse+uently sole it. In the real world you will hae to be aware of cost
effectieness. Look for the most Acost-B effectie way to sole the problem. ?or example#
let)s say that initial inestigation indicates that the boot disk has hardware problems. Lou
do not know yet the exact nature of the problems" but hae eliminated the most common
causes. The disk still does not work reliably. /ence" you need more time to inestigate
further. If your customer has a recent backup and deliberation learns that he agrees to go
back to that situation" you might consider suggesting installation of a brand new disk and
restoring the most recent backup instead. The total costs of your time so far and the new
hardware are probably less than the costs you hae to make to inestigate any further -
een more so if you consider the probability that you need to replace the disk after all.
Getting help
This book is not an omniscient encyclopedia that describes solutions for all problems you
may encounter. If you get stuck" there are many ways to get help. ?irst" you could call or
mail the distributor of your Linux ersion. %ften you are granted installation support or
9. day generic support. It may be worth your money to subscribe to a support network -
most distributions offer such a serice at nominal fees.
&ome distributions grant on-line AInternetB access to support databases. In these databases
you can find a wealth of information on hardware and software problems. Lou can often
search for keywords or error messages and most of them are cross-referenced to enable
you to find related topics. &ome 4;Ls you may check follow#
&u&D
- 52! -
http9::###"suse"com:us:business:services:support:index"html
;ed /at
http9::###"redhat"com:apps:redirect"apm:services:consulting:F
rhpage=:index"html:ent_servicesLL
*ebian
http9::###"debian"org:doc:+A!:ch-support"html
@andrake
http9::###"mandrakeexpert"com:index1"php
Lou can also grep or &grep for Aparts ofB an error message or keyword in the
documentation on your system" typically in and under /usr/doc/" /usr/s2are/doc/ or
/usr/src/linux/Documentation. $dditionally" you could try to enter the error message
in an Internet search engine" for example http9::###"google"org. This often returns
4;L& to ?$H)s" /%--T%)s and other documents that may contain clues on how to sole
your problem. 4senet news archies" like http9::###"de7a"com are another resource to
use.
Generic issues ith hardare problems
%ften" Linux refuses to boot due to hardware problems. If a system boots and seems to be
working fine" it still may hae a hardware problem. If it is not working with Linux" but is
working fine with other operating systems" for example *%& or -indows" this too often
signifies hardware problems. Linux assumes the hardware to be up to specifications and
will try to use it to its AspecifiedB limits.
In general# regularly check the system log files for write and read errors. They indicate
that the hardware is slowly becoming less reliable. %ther indications of lurking hardware
problems are# problems when accessing the C*;%@ Ahalt" long delays" bus errors"
segmentation faultsB" kernel generation or compilation of other programs aborts with
signal !! or signal 7" scrambled or incorrect file contents" memory access errors" graphics
that are not displayed correctly" C;C errors when accessing the floppy disk drie" crashes
or halts during boot and errors when creating a filesystem.
To discoer lurking hardware errors" you can use a simple" yet effectie test# create a
small script that compiles the kernel in an endless loop" for example#
+
+ adapted 5rom 2ttp.//>>>.bit>izard.nl/sig##
+
cd /usr/src/linux
+
- 522 -
cB$
>2ile true
do
ma,e clean [A /de-/null
ma,e 6, bzImage A log.3UcV 2A /de-/null
cBZexpr 3UcV X #Z
done
Dery iteration of this loop should create a log file - all log files should hae the exact
same content. Lou could use su# or #),su# to check this. If you detect differences
between the log files this often is an indication some hardware problem exists.
!esolving initial boot problems
If your system does not boot AanymoreB you want to retriee basic system functionality#
your system should boot and the kernel should load. $fter that" you often are able to
resole the other problems using the rich set of debugging tools Linux offers.
There are a number of common boot problems. %ne group relates to the @(; and
bootstrap files. *ata corruption or accidental deletion of files or the boot partition will
preent your drie from booting. $nother group clearly relates to hardware failures on
the boot-drie.
har)ware pro*le#s. If a hardware component failure causes the system to refuse to
boot you typically get one of the following clues# the (I%& reports errors like J3o ?ixed
*isk ?oundK or J*isk Controller DrrorK. &ometimes" numerical messages are displayed"
often in the !7.. range" e.g. J!7.!K" J!7<!K etc. If the controller is in error" a message
that indicates this is often shown. In the most obious case" the disk does not een start
spinning.
&tart by ensuring that your (I%& was set up correctly. The disk geometry needs to be set
correctly to enable your (I%& to see the drie. %ften" a Plug $nd Play option can be set
in the (I%&. &et the option so that P3P is deactiated. If an additional option J;eset
Configuration *ataK or J4pdate D&C*K is offered" please set it to JyesK or alternatiely
to JenabledK.
If you hae problems with a drie you 'ust added to the system" the problems are often
caused by incorrect cabling or 'umper selections. @ake sure all connectors are properly
seated. Dnsure that I*D master and slae dries are 'umpered and cabled properly.
4*@$ dries make use of special twisted pair cabling. Lour (I%& needs to be able to
access the disk during boot" so make sure your drie geometry and=or type has been
correctly specified in your (I%&.
Lou should erify the seating of the connectors" check the cables between disk and
motherboard. Check for corrosion. $lso check the power cables. Lou can remoe the
cables and measure them" using a simple ohm meter or bu,,er" and=or replace them with
new ones. $ Jhard disk controllerK error message can often be caused by bad cabling too.
- 529 -
$lways check your cabling first" een when the symptoms seem to indicate a controller
error. If the error persists try to replace the controller card.
software pro*le#s. If a software failure causes the system to refuse to boot" you
typically get one of the following clues# LIL% does not display all of its four letters"
LIL% hangs" you get a screen with scrolling error codes" e.g. J.!.!.!..K" the system
report something like Jdrie not bootable" insert system diskK" the system boots another
operating system than intended.
If you are able to boot a floppy you can use a boot floppy or rescue disk to boot a kernel
Athe section called J-hy we need bootdisksKB. Lou could use a rescue floppy that boots a
kernel that has the root filesystem set to your hard disk Ausing the r)e+ commandB. %r
you could use a special tiny Linux distribution" like tomsrtbt Ahttp9::###"toms"net:rb: B
and mount the root filesystem by hand. @ake sure the rescue disk contains he necessary
functionality=modules to fit your hardware" e.g. if you hae &C&I disks" be sure the
driers are either compiled into your boot kernel or aailable as modules. If the boot
floppy has booted you should start by checking the alidity of your @(;. -hen the
LIL% bootup messages indicate a geometry error or a related error" you should erify that
/sbin/lilo ran correctly. If you are in doubt" you can rerun it" proided you hae access
to Aa backup copy ofB the lilo.con5 file. $lso check if the error is caused by the !.22
cylinder boundary problem# your kernelAsB and related files should be accessible for your
(I%&" and some (I%&es Aas a rule of thumb# made before !<<8B are not able to access
disk cylinders aboe !.22.
3ext" erify that the partition table in the @(; is correct by running f)isk. Cerify that at
least one partition is marked as JbootK or JactieK - some (I%&es re+uire that the Linux
boot partition to be marked JbootableK" some distributions may re+uire this too. If the
partition table is incorrect" you will need to repair it. If you hae access to a backup of
your boot systems @(; Aincluding the partition table" hence# the first 5!2 bytes of your
hard diskB and hae put it on a floppy" now is the time to recoer it. $lternately" you may
hae printed the partition listQ if so you can use f)isk to restore the partition table.
If the partition table looks correct when you print it in f)isk the next step is to take a look
at the root filesystem of your drie. Lou can use the fsck command to repair filesystem
problems on your root file system. If all else fails" you hae to resort to reformatting and=
or repartitioning your disk and restore the latest back up or een may need to replace the
disk.
!esolving kernel boot problems
If the initial boot se+uence could be completed" the kernel is loaded and tries to mount its
root filesystem. This can either be a ;$@*I&0 Ainitr)B or a partition on a hard disk. %f
course" the kernel needs to be able to access Aall ofB its memory and the filesystem on the
disk" which may re+uire certain deice driers in the kernel. -hen the root filesystem
could be mounted additional programs can be executed and additional kernel modules
may be loaded to add functionality. If the root filesystem is a ;$@ disk" it may contain
- 522 -
programs to load the modules needed to address other hardware deices such as disks. In
these phases you could experience module loading problems" which can result in ApartialB
hardware inaccessibility.
In many cases it is not clear whether or not the cause of a problem lies with the hardware
or the software. /oweer" most of these errors result from inalid configuration.
har)ware pro*le#s. If a hardware problem causes the system to refuse to boot" you
typically get one of the following clues# JP$3IC C?& unable to mount root fs on cc#ccK"
modprobe reports errors loading a module" I;H=*@$ conflicts can be reported" parts of
your hardware do not work or intermittent errors occur. $s a rule of thumb" if your kernel
boots" but your system conse+uently hangs or issues error messages" you should check
for software problems and configuration problems first. If this does not resole the
problem" check your hardware Athe section called J6eneric issues with hardware
problemsKB.
software pro*le#s. If a software problem causes the system to refuse to boot" you
typically also get one of the clues we listed under Jhardware errorsK# JP$3IC C?&
unable to mount root fs on cc#ccK" modprobe reports errors loading a module" I;H=*@$
conflicts can be reported.
The JP$3IC C?& unable to mount...K message occurs when the kernel could be loaded"
but either the ramdisk or the physical partition could not be mounted. This can be the
result of forgetting to run /sbin/lilo after a kernel change or update" or forgetting to
run rde- if case you put the kernel-image directly into the boot-sectors of a partition. The
P$3IC message is sometimes caused by inaccessibility of Aparts ofB your system)s
memory" for example when it tries to mount the ;$@-disk as its root filesystem. %lder
kernels may re+uire you to set the amount of ;$@ by rebooting and setting the boot
parameter#
memB?size6o56memor!6in6Kb!tesA
In order to recogni,e memory aboe :2 @eg" it may be necessary to append the JmemSK
option to the kernel command line permanently. If you are using LIL% for your boot
loader" you would do this in the lilo.con5 file. ?or example" if you had a machine with
!28 @eg you would type#
appendB9memB#%#$02K9
To help you to determine what deice the kernel tries to mount" the JP$3ICK message
contains the ma'or and minor number of the deice" e.g. &.$ for /de-/md$ Athe first
irtual ;$I* disk" the section called J&oftware ;$I*KB or '.%" the first &C&I disk /de-/
sda. This can pinpoint the area where you should start your search for configuration
errors. ?or example# if this message points to the /de-/md$ deice" you should check if
the kernel was compiled with support for software ;$I*" ditto for &C&I disks.
- 525 -
In most cases" your should hae your system booted by now. It may be that you still see
numerous errors" e.g. daemons won)t start" your network card or sound card does not
work" In the next sections we will describe tools that aid you with troubleshooting and
gie hints and tips on how to resole more problems.
!esolving I!C7D*/ conflicts
I;H conflicts are a common source of problems. Lou can use )#esg to see which
interrupts were re+uired by the driers and compare this with the contents of
/proc/interrupts or the output of ls)e+ to determine conflicts. The I;H a PCI deice
uses is also reported in /proc/pci or by using the lspci program. &ometimes a card could
not obtain an I;H since the (I%& assigned all of them to non-PCI AI&$B cards. Check
your (I%& settings if you suspect this to be the case.
4nder some conditions I;H)s can be shared between two deices. *eices on the PCI bus
may share the same I;H interrupt with other deices on the PCI bus proided the drier
software supports this. In other cases where there is potential for conflict" there should be
no problem if no two deices with the same I;H are eer in use at the same time. Den if
deices with conflicting I;Hs are used simultaneously one of them will likely hae its
interrupts caught by its deice drier and may work. The other deiceAsB will likely
behae like they were configured with the wrong interrupts.
"roubleshooting tools
Linux has a rich set of tools that aid you in troubleshooting. $n oeriew of the most
commonly used commands and their functionality follows#
lspci. this command displays information about all PCI buses in the system and all
deices connected to them. The command is described in more detail in the section called
JPuerying your PC3 *usK.
dmesg. the kernel logs messages into a ring buffer. )#esg dumps the contents of the ring
buffer to standard output. %ften" the )#esg command is issued at the end of the boot
se+uence for example in one of the start up scripts" to dump the bootup messages into a
file Ae.g. boot.messagesB.
lsdev. is a front end to the /proc filesystem and prints out information about interrupts"
I=% ports and dma settings. This gies an oeriew of which hardware uses what I%
addresses" I;H)s and *@$ channels and can aid in determining conflicts.
lsmod. a program that displays the modules currently in use by the kernel. 3ame" si,e"
use count" an a list of referring modules are displayed. The information displayed is
identical tot hat in /proc/modules. ls#o) fre+uently is used to check if the proper
modules could be loaded.
- 52: -
modprobe. a high leel interface to ins#o). %ften" modules depend on each other and=or
need to be loaded in a certain order. #o)pro*e is used to make this more easy for system
administrators. It uses a dependency file" which is created by )ep#o)" to load modules in
the right order from certain specified locations. The normal use of )ep#o) is to include
it somewhere in the rc-files in /etc/rc.d" so that the correct module dependencies will
be aailable immediately after booting the system. The configuration file
/etc/modules.con5 can be used to steer )ep#o) and #o)pro*e)s behaior. #o)pro*e
will unload all modules in a dependent chains if one of them fails to load. &ee also the
section called J0ernel Components A2.2.!.!BK.
insmod. installs a loadable module in the running kernel. It tries to do this by resoling
all symbols from the kernel)s exported symbol table. Lou can specify the Aob'ectB file
name. If the file name is gien without extension" ins#o) will search for the module in
common default directories. These default locations can be oerridden by the contents of
an enironment ariable AMGDF;LYB or in the configuration file /etc/modules.con5.
uname. displays machine type" network hostname" %& release" %& name" %& ersion and
processor type of the host.
/proc filesyste#. is a direct reflection of the system in memory presented to you as files
and directories. It proides an easy way to iew kernel information and information about
currently running processes. In Linux some commands read /proc directly to get
information about the state of the system. It allows you to iew statistical information"
hardware information" network and host parameters" memory and performance
information and lets you modify some parameters runtime by writing alues in it.
strace. a ery handy diagnostic tool. It runs a program or connects to a running process
Ae.g. a daemonB and intercepts the system calls which are receied by it. (y default it
reports the name of the system call" its arguments and the return alue on standard error.
It is ery useful in cases where you do not hae access to the source code and also seres
as a tool to be used to gain better understanding of the inner workings of certain
programs. The program to be traced need not be recompiled for this.
ltrace. similar to strace" but instead of recording system calls it runs the specified
command and intercepts and records the dynamic library calls which are called by the
executed process and the signals which are receied by that process. It can also intercept
and print the system calls executed by the program. The program to be traced need not be
recompiled for this" so you can use it on binaries for which you don)t hae the source
handy.
strings. can print out strings - se+uences of printable characters - that are hidden within
non-text files" such as executables. %ften used to check for names of enironment
ariables and configurations files used by an executable.
fuser. accepts a filename and displays the PI*)s of processes using the specified files or
filesystems. Comes in handy if you want to know which process uses a certain file" for
- 527 -
example# if you are not able to unmount a filesystem this often is caused by a process that
still uses a file on that filesystem. fuser can be used to find the PI*AsB of the processAesB.
$ consecutie ps @p ZP34 will name the process.
lsof. by default lists all open files belonging to all actie processes. &ince 4nix uses the
file metaphor too for deices a open file can be a regular file" a directory" a block special
file" a character special file" an executing text reference" a library" a stream or a network
file AInternet socket" 3?& file or 43IP domain socket.B The utility can be used to see
which processes use which resources.
"rou*leshooting syste# resources (2.21$.%!
$ candidate should be able to identify" diagnose and repair local system enironment.
/etc/pro5ileO /etc/pro5ile.d/
Core system ariables
/etc/bas2rc (or ot2er appropriate global s2ell con5iguration 5iles)
/etc/init.d/
/etc/rc.E
/bin/ln
/bin/rm
$ny editor of choice
/etc/ld.so.con5
/sbin/ldcon5ig
/sbin/s!sctlO /etc/s!sctl.con5
Core system variables
$pplications" for example *ash" often use ariables. These ariables are not necessarily
aailable as environment ariables" but often hae a local scope# they are aailable for the
process" but not for its children. %n the other hand" eery enironmental ariable set by
an application is aailable for eery child of that application. ?or example# within a shell
you can access enironment ariables as if they were locally defined shell-ariables. Lou
can JpromoteK a shell ariable to an enironment ariable by using the export builtin.
@any enironment settings influence the behaior of applications. &ome of them are ery
specific for 'ust one application. (ut there are a number of standard ariables that many
application will use or expect to be in place. $ list of the most commonly used
enironment ariables follows#
"a*le 1$.1. Co##only use) en+iron#ent +aria*les
C%L4@3& the number of columns your screen has Atypically 8.B
- 528 -
/%@D the location of your home-directory
I?&
Input ?ile &eparator. I?& contains the list of separators that the shell
recogni,es. (y default this is set to whitespace alues Aspace" tab etc.B.
/oweer" setting I?& to a non-whitespace character can pose a security risk.
?or example# I?&So" the program executes the command B*inBshow. JoK is
considered the separator. /ence /bin/s2 would be executed. @ost modern
command shells therefore ignore the alue for I?&.
L%63$@D name used to log in
@$3P$T/
colon delimited se+uence of directories that contain Asources forB manual
pages" see #anpath(1!
P$6D; the program used to display files on screen Ae.g. less or pg
P$T/ colon delimited se+uence of directories that contain executables
P&!..2
definitiion of the prompts the shell uses in interactie mode# P&!# the primary
prompt string" shown when you initially start typing a commandQ P&2#
secondary prompt string" shown on the second and consecutie lines if you
type in a command that spans multiple linesQ P&9# the prompt used when
*ash issues the select command
WaX
Q P&2# the alue is printed before each
command *ash displays during an execution trace Ae.g. set @xB.
;%-& the number of rows your screen has Atypically 22B
&/DLL the name of the current shell
&/LCL
if a shell is spawned" this ariable is passed on to it. It will contain the SYMPM
alue of the parent shell" incremented by one.
TD;@
the terminal type. %riginally" this specified the type of terminal you
physically had connected to the computer. Currently" irtual terminals are
more often the case. This enironment ariable is used to select which
controlling code se+uences are sent to your AirtualB terminal" for example to
set high intensity or clear the screen.
T@P*I;
allows programs that use the tempnamA9B function call to use the directory
specified by this ariable rather than the /tmp directory.
4I* the current users) id
4&D; the current users name
WaX
The select command is rarely used. It allows you to specify a number of options which
are printed as a menu. Lou are then prompted with the P&9 prompt and can select an
option" which is passed to a list of statements for further processing. &ee the *ash manual
page for more information.
To see your enironment from within a shell" type en+ or set. %f course" the alue of
indiidual ariables can be printed using the echo.
- 52< -
Login shells
The file /etc/s2ells lists the alid login shells on your system. It re+uires fully
specified filenames. $n example file is#
/bin/bas2
/bin/s2
/bin/tcs2
/bin/cs2
/bin/as2
/bin/bs2
/bin/,s2
/bin/5alse
/bin/5alse is not a real shell" howeer" sometimes you want to add a user to your
system that is not allowed to log in Ae.g. >>>run. $dding a user to your system re+uires
giing him an entry in /etc/pass>d" which in turn re+uires you to specify a alid login
shell. (eing able to specify /bin/5alse as JshellK preents users to obtain a shell. The
command chsh can be used by the user to set his preferred shell. JrootK can use this
command to set any user)s shell. This command with the 6l option will list the aailable
shells. The 6s option will allow the user to change his login shell#
3 c2s2 6s /bin/s2
+hell startup environment
@ost of your users log in and are presented with a shell. $ shell)s behaior typically is
controlled by setting a number of enironmental ariables. These are typically set at two
leels# system wide and per user. To set them" a start-up file is loaded and executed.
There are many shells - most of them hae specific start-up files. $dditionally" it depends
on whether or not the shell is spawned by the login program or by another shell which
startup files are executed. /oweer" when shells are reported to display unexpected
behaior" often something is set wrongly in one of the start up files.
@ost login-shells will check for /etc/pro5ile first. Typically" this file sets the L:1M and
F;LY ariables. The format for this file is the same as that of a APosixB shell. It hence
contains calls to external programs# in older days" the fortune command was often called
here# it generates a random epigram. %n older systems the contents of the message of the
day file A/etc/motdB were displayed here too" on newer systems this is often done by the
login program itself.
@ore settings can be put in Aoften shell-specificB startup files in the users YGM: directory.
Posix compliant shells will check for 3YGM:/.pro5ile. *ash will behae likewise" if
inoked as sh. %ften" on Linux systems" /bin/s2 is a AsymbolicB link to /bin/bas2.
&ome distributions put calls to distribution or shell specific central startup files into the
user leel files. This can be confusing at times.
- 55. -
*ash is the most commonly used shell for Linux systems. It will run /etc/pro5ile if
inoked from login" then look for 3YGM:/.bas2"pro5ile" 3YGM:/.bas2"login and
3YGM:/.pro5ile" in that order. It and reads and executes commands from the first one
that exists and is readable. -hen a *ash login shell exits it reads and executes commands
from the file 3YGM:/.bas2"logout if readable. $ common mistake is to create a
userleel start up file as JrootK - and forget to set the permissions correctly. $t least the
user should hae execute and read permissions. Typically the permissions should be
6r>xr6x666 Aassuming the file is owned by the userB.
If users complain that their shell does not recogni,e certain key strokes or reacts strangely
on them" chances are that either the L:1M ariable does not match the AirtualB terminal
type in use or the ke( bindings for the application Aoften a shellB are wrongly set. If the
L:1M setting is inalid the display will often be garbled too.
The behaior of programs that use the rea)line library to fetch input from the keyboard
are influenced by key bind settings. The rea)line library supports e#acs and +i key
bindings by default and allows you to configure key bindings to certain functions within
applications" for example *ash. If the shell ariable IHFL1D is set Aoften in
/etc/pro5ileB key-bindings are set by the file declared in the its alue. %therwise the
key-bindings are set in the file 3YGM:/.inputrc for each indiidual user" or system wide
in the file /etc/inputrc. The syntax for controlling key bindings is simple. $ll that is
re+uired is the name of the command or the text of a macro and a key se+uence to which
it should be bound" see the manual pages for readline(%). *ash allows the current key
bindings to be displayed or modified with the *in) builtin command. The editing mode
*ash uses may be switched during interactie use by using the set 6o option" e.g. set 6
o -i. %ften" the user sets his preference in one of the startup files. $ simple typo there
can result in eccentric behaior of the shell Aat least for that userB.
The file /etc/login.de5s Aman login.de5s(()B defines the behaior of login on the
system on systems that use shadow passwords. -ith it" you control the behaior of
related programs too" for example c25n" c2s2 or groupadd. It is a plain text
configuration file" used to set the initial F;LY and other parameters" including how often a
user must change passwords and what is acceptable as a password.
@any applications make use of other configuration files in the users YGM: directory" for
example#
"a*le 1$.2. Co##only use) configuration files in :;<%
.emacs
a configuration file for the e#acs that contains DLI&P functions
.exrc
startup file for the +i editor
.5->mrc
startup file for the f+w# window manager
.ss2
actually a directory" that contain files with the known hosts" identity and
public key used by ssh
- 55! -
.t>mrc
another one" for the tw# window manager
.ne>src
keeps track of what newsgroups the user is subscribed to and what articles he
read.
.Kde5aults
behaiors" fonts" and colors for P -indows &ystem applications
.xinitrc
shell commands that run when the user logs into an P session
.xsession
shell commands that run when the user logs into an P session using Pdm
It)s easy for a user to oerwrite AclobberB existing files when they are redirecting output to
a file. To preent this from happening to them you can set the noclobber setting by
adding the line
set 6o noclobber
to their shell start-up file.
3ditors
The 4nix system engineer or system administrator can barely do his work without a
proper editor. The definition of Jproper editorK howeer is" and always has been"
discussed at length. ;oughly" there are two main stream editors aailable in the 4nix
world - thought strictly speaking one of them is far more than 'ust an editor - e#acs and
+i.
+i - or one of its clones" for example the popular +i# by (ram @olenaar" used on most
Linux installations - is a crude" but effectie editor. It supports an interface that allows
you to keep your fingers on the keyboard all the time" and by design makes you use as
less keys as possible. D.g. the use of arrow keys" function keys and other non standard
keys is non-mandatory. This results in a steep learning cure for noice users but they
gain a high return on that inestment. They will be able to process texts faster and will be
able to maintain an ergonomically acceptable working position. They will be able to work
on een slightly defectie keyboards=terminals. +i has limited functionality" but
eerything one needs to effectiely and efficiently edit texts is aailable.
%n the other side of the spectrum resides e#acs. &trictly speaking" it is a text processing
system. It makes use of DLI&P programs to enhance its functionality. e#acs also
supports an interface that allows you to keep your fingers on the keyboard all the time.
The amount of features and extensions e#acs offers can initially be somewhat
oerwhelming" but it comes with excellent built in documentation. $dditionally a lot of
people wrote extensions for e#acs. ?or example e+i" which emulates +i within e#acs.
(oth e#acs and +i are widely used" howeer" +i is much smaller in si,e than the
complete e#acs package. /ence" and gien its longer history" +i is aailable on almost
eery 4nix platform Aincluding LinuxB and on eery 4nix system. I therefore strongly
suggest that noices start using +i for a while. It is omnipresent and will fit on a boot disk
or rescue disk" with plenty of room to spare. Check out e#acs if you need features like
- 552 -
spell-checking or syntax highlighting. There is no reason not to use both applications" but
as a system administrator you must know the +i basics" especially if you hae to work on
older systems. @any systems do not hae e#acs installed" most Linux systems do"
howeer.
+etting kernel parameters
The sysctl command is used to modify kernel parameters at runtime. In Linux" it)s a front
end to the /proc filesystem" hence you should hae compiled support for proc5s if you
want to use sysctl on Linux.
Typically you can read or set things like whether or not the kernel reacts to the three
finger salute Actrl-alt-)elB" the abilities of certain deices" such as your C*;%@)s ability
to be able to close and open its tray" information about the way the kernel handles
filesystem" such as the maximal number of inodes a filesystem can hae" network
information like whether or not the kernel should use IP forwarding" the kernel type and
release and many" many more.
To see a list of all options aailable on your system you can issue the command
+ s!sctl 6a Tmore
Lou will see a listing that could start like this#
+ s!sctl 6a Tmore
sunrpc.nlm"debug B $
sunrpc.n5sd"debug B $
sunrpc.n5s"debug B $
sunrpc.rpc"debug B $
de-.cdrom.c2ec,"media B $
de-.cdrom.loc, B #
de-.cdrom.debug B $
de-.cdrom.autoe7ect B $
de-.cdrom.autoclose B #
de-.cdrom.in5o B DD61GM in5ormationO Id. cdrom.c %.## 2$$$/$6/#2
de-.cdrom.in5o B
de-.cdrom.in5o B dri-e name. 2dc
de-.cdrom.in5o B dri-e speed. 24
de-.cdrom.in5o B dri-e + o5 slots. #
de-.cdrom.in5o B Dan close tra!. #
de-.cdrom.in5o B Dan open tra!. #
de-.cdrom.in5o B Dan loc, tra!. #
de-.cdrom.in5o B Dan c2ange speed. #
de-.cdrom.in5o B Dan select dis,. $
de-.cdrom.in5o B Dan read multisession. #
de-.cdrom.in5o B Dan read MDH. #
de-.cdrom.in5o B 1eports media c2anged. #
66More66
$s you can see" the ariable names Aa.k.a. ke( namesB consist of dot delimited parts. Dach
part of a ariable name correlates to a directory under the /proc/s!s hierarchy" for
- 559 -
example /proc/s!s/de-/cdrom/in5o corresponds to de-.cdrom.in5o. $n alternate
method to set or read the ariables is by using plain old cat" e.g. you can either type#
+ cat /proc/s!s/de-/cdrom/in5o
.. or ..
+ s!sctl de-.cdrom.in5o
3ote" howeer" that sysctl will prepend the key name by default" use the 6n option to
suppress this. To confuse matters more" you are also allowed to use the J=K slash as a
separator with sysctl" hence these two alternate forms are alid too#
+ s!sctl de-/cdrom/in5o
..
+ s!sctl /de-/cdrom/in5o
..
sysctl can load configuration files and set the kernel enironment accordingly. The
default location for the configuration file is /etc/s!sctl.con5. Its syntax is simple# it
contains simple to,en B -alue pairs" along with comment lines and=or blank lines. $n
example followes#
+ s!sctl.con5 sample
+
,ernel.domainname B !ello>.sno>.nl
net.ip-4.ip"5or>ard B $
This example 'ust sets the domain name and disables IP forwarding. Lou can use the 6p
option to instruct sysctl to read this file Aor specify another one to readB. 3ote" that it is
possible to put whitespace and other AunmeantB tokens in the right hand side of the
expressions in the configuration file. $lso note that you can use the /proc interface to
influence these ariables" for example#
+ ec2o 9/sbin/modprobe9 A/proc/s!s/,ernel/modprobe
+hared libraries
$ librar( is an archie whose members are ob'ect files i.e." pre-compiled program code.
$ library makes it possible for a program to use common routines without the
administratie oerhead of maintaining source code. $dditionally the ob'ects in the
library do not hae to be compiled each time the program is compiled.
There are two types of libraries# static libraries and shared or d(namic libraries.
The term JstaticK refers to the fact that" when a static library is used whilst creating a
program" the linker links in the releant parts of the library staticall(" i.e." they become
part of the resulting executable file. This consumes unnecessary memory and disk space
- 552 -
since each new instance of a statically linked program loads parts of the same program-
code its predecessors did. The exact same code will be on disk and in memory many
times. $lso" bug-fixing code in a statically linked library re+uires recompilation of all
programs that use the older ersion of the statically linked program.
To improe this shared libraries were inented. -hen a program uses a shared library"
the binary 'ust contains a reference to the library" not the code itself. $ special run time
loader" ld.so Afor a.out format filesB or ld6linux.so Afor DL? format filesB finds the
library at run-time and loads it into memory. &ome additional naming conentions are
used to allow real-time updates for shared libraries and support for non-backward-
compatible ersions. 4nderstanding these conentions is key to your ability to maintain a
Linux system.
(hare) o*?ect +ersion nu#*ering
(y conention" a shared library has a ma7or ersion number" a minor ersion number and
a patch level identification Aoften also a numberB. The patch level is typically changed to
specify that a bug fix or minor optimi,ation of the code occurred# ersion !...!2 probably
signifies the !2th bug-fix in ersion !... .inor ersion numbers are typically
incremented when a large number of patches hae been submitted or a ma'or bug was
fixed. .a7or ersion numbers are changed when the interface to the functions in the
shared library changes. @a'or ersions of shared libraries should be backward
compatible" hence programs that ran fine using a shared ob'ect ersion !.. should also
run fine with ersion !.! or with ersion !.<.<.
5a#ing sche#es for share) o*?ects
%n a Linux system Aand on many other 4nix systems tooB a shared ob'ect has a real
name" a soname and a linkname. The linkname 'ust contains the name of the library" the
soname contains the ma'or ersion number" and the real name contains the minor ersion
and Awhen aailableB the patch leel. %n a Linux system" the soname and linkname are
symbolic links to the correct shared library.
the real name is the name of the file that contains the shared ob'ects precompiled
code. (y conention the format libH;M:.so).ma7or*).minor*).patc2le-el*
is used# /lib/libpam.so.$.02Q the dynamic loader needs to know this name to
find the exact instance of the shared libraryQ
the soname often is the real name without the minor ersion number and the patch
leel number# /lib/libpam.so.$. Programs that need a shared ob'ect will
commonly use the soname to specify the library. %n a Linux system that soname
is a symbolic link to the real name of the shared library" hence the loader is able to
find itQ
the linkname is the soname without any ersioning information#
/lib/libpam.so. The linkname of a shared ob'ect is needed as a reference to the
shared ob'ect during the linking phase of a program Acompile timeB. %n a Linux
system it is often a link to the soname Awhich in turn is a link to the real nameB.
- 555 -
The $&CII art below sketches a typical naming scheme for a shared ob'ect on a Linux
system in this case for the JfooK library Ai.e." ersion !...2B#
Min,er uses.. :xecutable as,s loader 5or..
Moader 5inds..
X6lin,name66666666X X6soname6666666666X X6
real name6666666X
T T666s!mlin,666AT T666s!mlin,666AT
T
T lib5oo.so T T lib5oo.so.# T T
lib5oo.so.#.$.4 T
X66666666666666666X X66666666666666666X
X66666666666666666X
In this case" the compiler=linker and the executable Aby means of the run-time loaderB will
use the exact same shared ob'ect" which indeed is the normal situation.
The symbolic link for the soname Awhich points to the real nameB is created automatically
when you run the l)config command Aas JrootKB" which will be discussed in more detail
in a later section. The linkna#e is typically set up during installation of a shared library
and normally is a symlink to the soname or real name.
Min,er uses.. :xecutable as,s loader 5or.. Moader
5inds..
X6lin,name66666666X X6soname6666666666X X6real
name6666666X
T T666666666AT T6666666666AT
T
T lib5oo.so T \ T lib5oo.so.# T \ T
lib5oo.so.#.$.4 T
X66666666666666666X T X66666666666666666X T
X66666666666666666X
T T
s!mlin,O s!mlin,O
set up manuall! set up b! ldcon5ig
(y pointing the symlink to another library" you can deelop code using another library#
5inds..
X6lin,name6666X X6soname6666666666X X6real
name6666666X
T T T T6s!mlin,66AT
T
T lib5oo.so T T lib5oo.so.# T T
lib5oo.so.#.$.4 T
X6666666666666X X66666666666666666X
X66666666666666666X
T
- 55: -
T X66666666666666666X
X66666666666666666X
X66666s!mlin,66666666AT lib5oo.so.#.$.2 T ......... T
lib5oo.so.#.$.2 T
X66666666666666666X
X66666666666666666X
3ow" you can run code using one ersion of a library Athe soname symlink will be
followedB and deelop using another.
$nother possibility is upgrading your shared ob'ect with a newer one. This typically is
done like this#
5inds..
X6real
name6666666X
X66666AT
T
/ \ T
lib5oo.so.#.2.$ T
/ T
X66666666666666666X
X6lin,name66666666X X6soname6666666666X / T
X66666666666666666X
T T6s!mlin,6AT T/ T T
T
T lib5oo.so T T lib5oo.so.# T T T
lib5oo.so.#.$.4 T
X66666666666666666X X66666666666666666X T
X66666666666666666X
T
s!mlin,O set up b! ldcon5ig
&o# /usr/lib/lib5oo.so.2 is a Afully-+ualifiedB soname" normally set by l)config to be
a symbolic link to a real name like /usr/lib/lib5oo.so.2.$. The linkname would be /
usr/lib/lib5oo.so" which typically is a symbolic link referring to
/usr/lib/lib5oo.so.2 too" but may be another name.
ldconfig
The l)config command performs two important functions# it creates a cache file" that
speeds up loading of shared ob'ects and creates the proper symbolic links to enable the
linking loader to find the necessary shared ob'ect. ?or a better understanding of how
l)config achiees this" you need to know a bit more about the file formatAsB of shared
ob'ects.
$ shared ob'ect is recogni,able by its file format. %n Intel=Linux that typically is an DL?
file format" though the conentional a.out format is still supported on some systems. The
- 557 -
conentional a.out format will not be discussed here in much detail" since on most
4nix=Linux systems the DL? file format is standard nowadays.
There are two main stream types of DL? libraries# those linked against libc( and those
linked against libc6 AglibcB. $lso" there can be shared ob'ects that need both.
$n DL? file contains a header and arious sectionsQ the information contained in the
sections depends on the type of DL? file. $ shared ob'ect howeer contains a J*ynamic
&ectionK A*&B" which in turn contains a number of symbols and corresponding alues.
%ne of these symbols is named SGH;M: and its alue contains the soname as specified by
the programmer. l)config uses this alue to determine the &%3$@D for a file that it has
detected to be a alid shared ob'ect. $lso" the files filename is considered.
3ote" that the &%3$@D in the *& is not re+uired to match the AanB actual filename for
that shared ob'ect e.g." the shared ob'ect could be in a file named meaningless5ilename
while the &%3$@D in the *& could be lib5oo.so.2.
If you want to inspect the &%3$@D in the *&" you can use the o*?)u#p utility#
3 ob7dump 6p /usr/lib/libesd.so.$.2.#6 Tgrep SGH;M:
SGH;M: libesd.so.$
3"
l)config uses both the &%3$@D as stored in the shared ob'ect and the filename it has to
create the cache file and the appropriate symbolic links. l)config scans all directories
whose names are passed to it on the command line and in the file /etc/ld.so.con5. The
two trusted directories /usr/lib and /lib are always scanned too.
?or each directory specified as location for shared ob'ects l)config scans the files found
there. It skips those files it does not recogni,e as a shared ob'ect. &hared ob'ects are
recogni,ed as such if they are either in a.out format or in DL? format.
?or each shared ob'ect its &%3$@D will be determined next. $n internal list is build that
contains all &%3$@D& and the corresponding filename. J@ost actualK is determined by
the shared library)s filename" adhering to the conentions stated before" hence
lib5oo.so.#.$ is regarded as more recent than lib5oo.so.#.
If all shared ob'ects for a gien directory hae been scanned the appropriate symbolic
links will be made# for each &%3$@D in the list a symbolic link to the most recent
ersion of the shared ob'ect Aaccording to its ersion numberB will be created. 3ext" the
cache file will be written" consisting of the &%3$@D&" type of library and
accompanying full file name.
- 558 -
How the )yna#ic linker locates share) o*?ects
$s you know" ma'or ersions of shared libraries are backward compatible. Therefore"
most programs suffice by specifying the ma'or ersion number to the dynamic loader Athe
sonameB.
the linker for DL? format files" ld6linux.so" starts by checking the enironment
ariable MD"MI=1;1N"F;LY. This ariable may contain a colon separated list of
directories to search. %ften used to permit non-)root) users to define the location
for self-written shared ob'ects" since a non-)root) user is not permitted to put these
in the standard locations" or to allow testingQ
if the library could not be found in the directories that are mentioned in the
enironment ariable" the cache file is searched. That file" by default
/etc/ld.so.cac2e" contains a compiled list of libraries and typically is created
using l)config as we described earlier. The file /etc/ld.so.cac2e is not human
readable. If you want to see the contents of the cache file use the command
l)config @p /etc/ld.so.cache#
+ ldcon5ig 6p /etc/ld.so.cac2e
4%2 libs 5ound in cac2e Z/etc/ld.so.cac2eW

libz-t.so.2 (libc6) BA /usr/lib/libz-t.so.2
libz.so.# (libc6) BA /usr/lib/libz.so.#
...deleted a lot o5 lines...
ld6linux.so.2 (:MI) BA /lib/ld6linux.so.2
ld6linux.so.# (:MI) BA /lib/ld6linux.so.#
&hared libraries were traditionally stored in /lib and /usr/lib. These locations
are searched as a last resort. This will probably neer happen unless the cache file
does not exist because l)config has already scanned those directories when
creating the cache file.
To see which ersions of which shared ob'ects are needed by a program" use the
command l)). This command also tries to resole the matching filename" it uses the
cache file to do this. ?or example#
+ ldd /usr/bin/-im
libncurses.so.( BA /lib/libncurses.so.( ($x4$$#a$$$)
libc.so.6 BA /lib/libc.so.6 ($x4$$6%$$$)
+ "
$s you see" the author of +i# choose to use the ncurses shared library - to be precise# the
library with the 45-A.* libncurses.so.(" which translates to the fully +ualified
filename /lib/libncurses.so.(.
There are a number of occasions in which the exact location of shared libraries needs to
be known. -hen a program is linked" the linker Al)B needs their location to be able to
- 55< -
refer to them. It searches for them in /lib" /usr/lib and in directories added with
6rpat2 and 6Mdir command line options.
gcc 6s2ared 6RlO6sonameOlib7-c.so.# 6o lib7-c.so.#.$.# 7-c.o
ln 6s5 lib7-c.so.#.$.# lib7-c.so.#.$
ln 6s5 lib7-c.so.#.$ lib7-c.so.#
ln 6s5 lib7-c.so.# lib7-c.so
"rou*leshooting network issues (2.21$..!
$ candidate should be able to identify and correct common network setup issues to
include knowledge of locations for basic configuration files and commands.
/sbin/i5con5ig
/sbin/route
/bin/netstat
/etc/net>or, or /etc/s!scon5ig/net>or,6scripts/
system log files such as /-ar/log/s!slog and /-ar/log/messages
/bin/ping
/etc/resol-.con5
/etc/2osts
/etc/2osts.allo>O /etc/2osts.den!
/etc/2ostname or /etc/YGSLH;M:
/sbin/2ostname
/usr/sbin/traceroute
/usr/bin/nsloo,up
/usr/bin/dig
/bin/dmesg
2ost
+omething on netork troubleshooting in general
The purpose of this chapter is not proiding solutions to all possible network problems
but more to point out that you hae to do it methodically and with knowledge of the
surrounding enironment.
0nowledge of the surrounding enironment is an absolute necessity because you can)t
sole a problem if you hae no idea whatsoeer where problems can occur. Lou hae to
know how you are connected to the network because eery component that plays a role in
facilitating your network access can fail.
The key files" terms and utilities will not be described in this chapter since most of them
hae already been described in Chapter 5" -et#orking /0"02A3 and other chapters.
- 5:. -
/n e#ample situation
Let)s assume you)re working on a PC which is connected to the Internet by means of a
local area network and a firewall. &uddenly you can)t iew that web page anymore.
The first step in determining the problem is to make a list of the components that are
inoled" this could be something like#
X !our FD >it2 et2$ net>or, inter5ace to t2e M;H
X t2e 5ire>all >it2 et2$ inter5ace to t2e M;H
and et2# inter5ace to t2e ISF
X t2e site !ou are tr!ing to reac2
Then think about how eerything works together. Lou enter the 4;L in the browser.
Lour machine uses *3& to find out what the IP address is of the web site you are trying
to reach etc.
Packets trael through your eth. interface oer the L$3 to the eth. interface of the
firewall and out the eth! interface of the firewall to the I&P and from the I&P in some way
to the web serer.
3ow that you know how the different components interact" you can take steps to
determine the source of the malfunction.
The graphic below should not be treated as the way to sole all problems. The purpose of
the graphic is to gie an example of step-by-step troubleshooting gien a certain situation
which in this case is fictitious #B
- 5:! -
&
The cause of the problem has been determined and can be &AoledB.
!
Can we reach other machines on the internet > Try another 4;L or try pinging
another machine on the internet. (e careful with ping though" your firewall could
be blocking IC@P echo-re+uests and replies.
2
Is the machine we are trying to reach" the target" down > Try reaching the machine
ia another network" contact a friend and let him try to reach the machine" call the
person responsible for the machine etc.
9
- 5:2 -
Can we reach the firewall> Try pinging the firewall" login to it etc.
2
Is there a /%P down > 4se traceroute to find out what the hops are between you
and the target host. The route from my machine to LPI)s web-serer for instance
can be determined by issuing the command traceroute @3 www.lpi.org#
+ traceroute 6I >>>.lpi.org
traceroute to >>>.lpi.org (2$&.#60.#00.&%)O %$ 2ops maxO %' b!te
pac,ets
# 5ertuut.sno>groningen (#&2.#6'.2.#) $.((( ms $.4'$ ms
$.%'0 ms
2 >c6#.r6#&(6'(6#(6.essent,abel.com (#&(.'(.#(6.#) %$.&#$ ms
26.%(2 ms #&.4$6 ms
% Yg-M6RebDonYg-.castel.nl (#&(.'(.#(%.#4() #&.2&6 ms 2'.6(6
ms 2&.2$4 ms
4 S6;MS6IxYg-.castel.nl (#&(.'(.#((.2) #02.'#% ms #&&.$#0 ms
&(.'&4 ms
( 5$46$'.ams6icr6$%.carrier#.net (2#2.4.#&4.#%) ##'.'0& ms
'4.262 ms #%$.'(( ms
6 g$26$$.amd6bbr6$#.carrier#.net (2#2.4.2##.#&0) %$.0&$ ms
4(.$0% ms 2'.6%# ms
0 p$'6$$.lon6bbr6$2.carrier#.net (2#2.4.#&%.#6() #0'.&0' ms
2##.6&6 ms %$#.%2# ms
' p#%6$2.n!c6bbr6$#.carrier#.net (2#2.4.2$$.'&) #'&.6$6 ms
4#%.0$' ms #&4.0&4 ms
& g$#6$$.n!c6pni6$2.carrier#.net (2#2.4.#&%.#&') #%4.624 ms
#'2.640 ms 4##.'06 ms
#$ ($$.FGS26#.JR#4.HND4.;ML:1.H:L (#(0.#%$.&4.24&) #&&.($% ms
#%&.$'% ms #('.'$4 ms
## (0'.;LM%6$.K12.HND4.;ML:1.H:L (#(2.6%.26.242) #22.%$& ms
#&#.0'% ms 2&0.$66 ms
#2 #''.at6#6$6$.K12.HND'.;ML:1.H:L (#(2.6%.#'.&$) 2#2.'$( ms
#&%.'4# ms &4.20' ms
#% $.so62626$.KM2.HND'.;ML:1.H:L (#(2.6%.#&.%%) #%#.(%( ms
#%#.06' ms #(2.0#0 ms
#4 $.so626$6$.LM2.HND'.;ML:1.H:L (#(2.6%.$.#'() #&'.64( ms
#%6.#&& ms 204.$(& ms
#( $.so6%6$6$.LM2.LG12.;ML:1.H:L (#(2.6%.2.'6) 2%2.''6 ms
#''.(## ms #66.2(6 ms
#6 FGS#6$.K12.LG12.;ML:1.H:L (#(2.6%.2.0') #(%.$#( ms #(0.$06
ms #($.0(& ms
#0 FGS06$.JR4.LG12.;ML:1.H:L (#(2.6%.#%#.#4#) #4%.&(6 ms
#46.%#% ms #4#.4$( ms
#' a,ainn6g>.customer.alter.net (2$&.#60.#60.##') %'4.6'0 ms
%#$.4$6 ms %$2.044 ms
#& ne>.lpi.org (2$&.#60.#00.&%) %4'.&'# ms %(6.4'6 ms %2'.$6&
ms
5
- 5:9 -
Can other machines in the network reach the firewall> 4se ping" or login to the
firewall from that machine or try iewing a web page on the internet from that
machine.
:
*oes the firewall block the traffic to that particular machine> @aybe someone
doesn)t want you to look at that particular site and has instructed the firewall to
block traffic to and=or from that site.
7
Inspect the firewall. The problem seems to be on the firewall. Test the interfaces
on the firewall" inspect the firewalling rules" check the cabling etc.
8
Is our eth. interface up> This can be tested by issuing the command ifconfig eth.
<
$re your route definitions as they should be> Think of things like default
gateway. The route table can be iewed by issuing the command route @n.
!.
Is there a physical reason for the problem> Check if the the problem is in the
cabling. This could be a defectie cable or a badly shielded one. Putting power
supply cabling and data cabling through the same tube without metal shielding
between the two of them can cause unpredictable" hard to reproduce" errors in the
data transmission.
"rou*leshooting en+iron#ent configurations
(2.21$.'!
$ candidate should be able to identify common local system and user enironment
configuration issues and common repair techni+ues.
/etc/inittab
/sbin/init
/etc/pass>d
/etc/s2ado>
/etc/group
- 5:2 -
/etc/pro5ile
/etc/rc.local or /etc/rc.boot
/usr/sbin/cron
/usr/bin/crontab
/-ar/spool/cron/crontabs/
/etc/Zs2ell"nameZ.con5
/etc/login.de5s
/etc/s!slog.con5
"roubleshooting /etc/inittab and /sbin/init
The program Bs*inBinit reads the file /etc/inittab. &ee the section called J -hat
happens next" what does /sbin/init do> K for a detailed description of the boot process.
If a process isn)t running after booting the system" check this file for errors. Then find out
what the default runleel is and check the the /etc/rc4.d/ directory for start=stop
scripts.
To get an idea what kind of problems can occur if something is not configured correctly
in /etc/inittab" hae a look at the file and you)ll see things like#
The default runleel. This is the runleel the system will be in when the boot
stage is completed.
&cripts to run at boottime. These are the scripts in the directory /etc/rcS.d.
-hat to do if CT;LT$LTT*DL is pressed. &o" if you don)t want to hae the
system respond with a reboot to this famous key combination" you can change this
behaior here.
The number of terminals A$ltT?!...$ltT?nB that can be inoked by pressing one
of the before mentioned key combinations.
6etty)s on modem lines. $ well known message is one of the form# JId tty&9
respawning too fast# disabled for 5 minutesK.
The .odem-5=T5 on ###"linuxdoc"org describes this as follows#
The line mentioned" in this case tty&9" causes the problem. @ake sure the syntax
for this line is correct and that the deice Atty&9B exists and can be found. If the
modem has negated C* and getty opens the port" you)ll get this error message
since negated C* will kill getty. Then getty will respawn only to be killed again"
etc. Thus it respawns oer and oer Atoo fastB. It seems that if the cable to the
modem is disconnected or you hae the wrong serial port" it)s 'ust like C* is
negated. $ll this can occur when your modem is chatting with getty. @ake sure
your modem is configured correctly. Look at 1" commands = and P.
"roubleshooting authorisation problems
The files inoled are /etc/pass>d" /etc/s2ado> and /etc/group.
- 5:5 -
If a user can)t login or gets the wrong shell" chances are the problem is located in
/etc/pass>d or /etc/s2ado>. These kind of problems often occurs if someone has been
editing the files manually instead of using one of the system tools such as a))user"
usera))" )eluser" user)el.
&uppose" for example" that a user gets the following result when issuing the command ls @
l#
2ome+ ls 6l
total '
dr6xr6xr6x 6 root $ #$24 Dec 6 #&.$0 5tp
dr>xr6xr6x 6 >>>6data %% #$24 Gct ' #0.#' ompro7ect
dr>xr6xr6x ( piet #$$% #$24 Dec 6 2%.%4 piet
dr>xr6xr6x % rc(64 #$$# #$24 Dec 4 #&.%0 rc(64
dr>xr6xr6x 2 seco5r 4$$ #$24 Dec #0 #(.26 seco5r
dr>xr6sr6x %' >illem #$$$ %$02 Ieb ( $&.4' >illem

%biously" something has gone wrong# there are group numbers in the result instead of
group names as it should be#
dr6xr6xr6x 6 root root #$24 Dec 6 #&.$0 5tp
dr>xr6xr6x 6 >>>6data >>>6data #$24 Gct ' #0.#' ompro7ect
dr>xr6xr6x ( piet piet #$24 Dec 6 2%.%4 piet
dr>xr6xr6x % rc(64 rc(64 #$24 Dec 4 #&.%0 rc(64
dr>xr6xr6x 2 seco5r seco5r #$24 Dec #0 #(.26 seco5r
dr>xr6sr6x %' >illem >illem %$02 Ieb ( $&.4' >illem

The problem lies in /etc/group which is used to replace the group number by the group
name. The group is probably not defined in /etc/group.
"roubleshooting /etc/profile
/ere you)ll often find the system-wide ariable definitions such as P$T/" u#ask and the
prompt. Typical problems that can be the result of an error in /etc/pro5ile can be
commands that can)t be found Adue to a wrong P$T/B and new files that are created with
the wrong permissions Adue to an erroneous u#askB.
"roubleshooting /etc/rc.local or /etc/rc.boot
This is not used anymore as far as I know. Dntries that were in these files are know
scripts in /etc/rcS.d which should symbolically link to scripts in /etc/init.d as is the
case with all the other runleels.
"roubleshooting cron processes
Cron is responsible for the running of scheduled processes. Dach indiidual user can hae
his own crontab. If a user can)t get his scheduled 'ob to run" the most common causes for
- 5:: -
this are that the user lacks the authori,ation to run the command in +uestion or the user
lacks the authori,ation to use cron. The latter is the case if a file /etc/cron.allo> exists
and the user is not mentioned in that file or if the file /etc/cron.den! exists and the user
is mentioned in that file.
The files /-ar/spool/crontabs/?usernameA which are the user specific cron files"
should not be edited directly" use cronta* @e instead.
"roubleshooting /etc/=shell2name=.conf
This has already been described in the section called JLogin shellsK.
"roubleshooting /etc/login.defs
This has already been described in the section called J&hell startup enironmentK.
"roubleshooting /etc/syslog.conf
This had already been described in the section called J&ystem Logging A2.2!!.!BK.
1ppen)ix 1. LP3C Le+el 2 /*?ecti+es
"a*le 1.1. LP3C Le+el 2.21 @ 2.2, /*?ecti+es 1n) "heir 2elati+e ;eight
2 LP3C Le+el 2 1
2.! Linux 0ernel #
2.2.!.! 0ernel Components !
2.2.!.2 Compiling a kernel !
2.2.!.9 Patching a kernel 2
- 5:7 -
2.2.!.2 Customising a kernel !
2.2 &ystem &tartup #
2.2.2.! Customising system startup and boot processes 2
2.2.2.2 &ystem recoery 9
2.9 ?ilesystem #
2.2.9.! %perating the Linux filesystem 9
2.2.9.2 @aintaining a Linux filesystem 2
2.2.9.9 Creating and configuring filesystem options 9
2.2 /ardware #
2.2.2.! Configuring ;$I* 2
2.2.2.2 $dding new hardware 9
2.2.2.9 &oftware and kernel configuration 2
2.2.2.2 Configuring PC@CI$ deices !
2.5 3etworking Configuration #
2.2.5.! (asic networking configuration 5
2.2.5.2 $danced 3etwork Configuration and Troubleshooting 9
"a*le 1.2. LP3C Le+el 2.2% @ 2.26 /*?ecti+es 1n) "heir 2elati+e ;eight
2.: @ail Z 3ews #
2.2.:.! Configuring mailing lists !
2.2.:.2 4sing email serers 2
2.2.:.9 @anaging @ail Traffic 9
2.2.:.2 &ering news !
2.7 *3& #
2.2.7.! (asic *3& serer configuration 2
2.2.7.2 Create and maintain *3& ,ones 9
2.2.7.9 &ecuring a *3& serer 9
2.8 -eb &erices #
2.2.8.! Implementing a web serer 2
2.2.8.2 @aintaining a web serer 2
2.2.8.9 Implementing a proxy serer 2
2.< ?ile and &erice &haring #
2.2.<.! Configuring a &amba serer 5
2.2.<.2 Configuring an 3?& serer 9
"a*le 1.3. LP3C Le+el 2.21 @ 2.21$ /*?ecti+es 1n) "heir 2elati+e ;eight
2!. 3etwork Client @anagement #
2.2!..! */CP configuration 2
2.2!..2 3I& configuration !
2.2!..9 L*$P configuration !
- 5:8 -
2.2!..2 P$@ authentication 2
2!! &ystem @aintenance #
2.2!!.! &ystem logging !
2.2!!.2 Packaging software !
2.2!!.9 (ackup operations 2
2!2 &ystem &ecurity #
2.2!2.2 Configuring a router 2
2.2!2.9 &ecuring ?TP serers 2
2.2!2.2 &ecure shell A&&/B 2
2.2!2.5 TCPFwrappers !
2.2!2.: &ecurity tasks 9
2!9 &ystem Customi,ation and $utomation #
2.2!9.! $utomating tasks using scripts 9
2!2 Troubleshooting #
2.2!2.2 Creating recoery disks !
2.2!2.9 Identifying boot stages !
2.2!2.2 Troubleshooting bootloaders !
2.2!2.5 6eneral troubleshooting !
2.2!2.: Troubleshooting system resources !
2.2!2.7 Troubleshooting network issues !
2.2!2.8 Troubleshooting enironment configurations !
- 5:< -

LPIC 2 Certification: Henk Klöpping

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

LPIC 2 Certification: Henk Klöpping

Uploaded by

Copyright:

Available Formats

LPIC 2 Certification

4%2 libs 5ound in cac2e Z/etc/ld.so.cac2eW

You might also like