Copyright 1992 by Mark Komarinski

Linux System Administration Manual

ASSUMPTIONS:

In order to read what follows, you will have to know the following:

    Basic UNIX commands, such as ls, cp, passwd.
    Basic UNIX file access concepts (groups, chmod, etc.)
    How to set up a Linux system on your computer.

This manual assumes that you have an SLS release running and a kernel that is at least ver. 0.96. All programs have been run under the /bin/bash shell. These programs should also work for other shells available under Linux.

TOPICS COVERED:

This manual is intended to take a user who is familiar with MS-DOS and some style of UNIX* and show that user how to effectively run a Linux system. The following topics are included:

    Managing drives
    Setting up user accounts
    Security
    Administration utilities

WHAT THIS BOOK DOES NOT COVER:

This book does not cover the installation or the basics of Linux. Each of those topics has its own manual. Also, since Linux does not support the following features yet, they are not covered:

    Networking
    Accounting programs
    Spoolers

OTHER SOURCES:

There are many other books you can purchase that supplement or expand on what is in this manual. Some good books that I have or that were suggested to me are:

    "Practical UNIX Security" by the O'Reilly group
    "Essential System Administration" also by the O'Reilly group.

--

CHAPTER 1: *You as System Administrator*

Now that you have your Linux operating system running, how do you keep it running effectively? That is the job of the System Administrator, the person who does everything in the background that makes sure your machine does not come to a screeching halt in the middle of a program. Now that you have your own Linux machine running, you become the System Administrator. After reading this manual, you should be able to get a good grasp on what you have to do and how to get it done.

*Secure Passwords: the key to a secure system* (passwd)

Once you have your machine set up, login as root.
When the system is first set up, the root user has no password. Anyone can log in as root and have free access to your system. The first thing you must do is change the password for root. To do this, use the ->passwd<- command. The password for root must be totally unguessable by normal users. Also, user accounts should be protected. Here are some hints for good passwords:

1) Do not include anything significant to you, such as a nickname, phone number, your last name, etc.
2) Do not use a word that can be found in the dictionary.
3) Make your password at least 6 characters long, with a mix of letters, digits, and/or punctuation characters.
4) Do not tell anyone your password and do not write it down anywhere.
5) Change your password often.

To change your password, type:

    passwd

Type in your password, then you will be prompted to type it in again, just to make sure you spelled it right the first time. If the two passwords you entered do not match, your password is not changed. Remember that when you type in your passwords, they will not be shown on the screen. This is to prevent anyone around you from seeing your password. A sample password changing run looks like this:

    /# passwd
    Enter new password:
    Re-type new password:
    Password changed.
    /#

*Making your system User-Friendly*

Now that your system is more secure, make your system more user-friendly. This is done by changing two files, one called /etc/issue, and the other /etc/motd. The /etc/issue file contains the message that you see above the "login:" prompt. This message commonly contains the name of the site and the operating system. For example, my /etc/issue file reads:

    linux ver. 0.98.1 (enry.dorm.clarkson.edu)

The next file you'll want to change is /etc/motd. This file is the one that gets seen every time you log in. Motd stands for Message Of The Day. This file usually contains a welcome screen and messages of general importance for all users.
For example, my /etc/motd file has:

    ** Welcome to enry.dorm.clarkson.edu, the only .dorm computer not **
    **                     added to the net yet                       **
    Good News!  SLIP will be available ASAP.

These are just examples; your setups may look similar to this, but don't have to be.

*Group and password files: GID and UID* (/etc/passwd, /etc/group)

Before adding users to your system, there are two more files to look at. The first is /etc/passwd, and the other is /etc/group. The /etc/passwd file contains all the user account information, including password, real name, startup shell, and home directory. A typical /etc/passwd entry looks like this:

    henry:2OkwUbaCV73X.:100:6:Mark Komarinski:/home/henry:/bin/sh

The entries are separated by colons and are, in order:

1) User name
2) Encrypted password
3) User ID (or UID)
4) Group ID (or GID)
5) Real name
6) Home directory
7) Shell to execute when logging in

The two important entries are numbers 3 and 4. The UID enables a program to tell what user is executing it. Each user must have a unique UID. The GID can be common across many users. The UIDs and GIDs let a user know what kind of access he has to a file.

The /etc/passwd file comes with a number of accounts already created, some without passwords, and some accounts that were never meant to be logged into. Some of these accounts are:

root : The super user. This account has a UID of 0 and a GID of 0, meaning it can do anything to any file on the system.

sync : An account whose shell is /bin/sync. If you log into this account, you will not be asked for a password, and the disk cache gets dumped to disk. This is useful just before rebooting, or after doing disk-intensive operations.

daemon : Has a UID of 1 and is used to execute system service processes. This account should not be available for login. You may not have a daemon user, since it is seldom used.

bin : Has a UID of 2 and owns most of the executable files in /bin and /usr/bin. This account should not be available for login.
This user may not exist, as it is seldom used.

adm : Has a UID of 4 and owns most accounting files and programs. This account is also not available for login.

uucp : This account handles all of the Unix-to-Unix copy processes and programs. As a convention, programs that have to do with uucp have 'uu' as the first two characters of their names.

The list of known groups on the site is kept in /etc/group. Typical /etc/group entries look like this:

    root::0:root
    sys::3:root,bin,sys,adm

Again, entries are separated by colons, and are:

1) Group name
2) Unused
3) Group ID number (GID)
4) Additional users

The special entries here are 3 and 4. In this file, each group must have a unique GID in entry 3. Entry 4 contains users of another group that have access to this group. For example, the user root can access files of both group root and group sys, assuming that the user in group sys has group permissions set.

A few groups were set up when you first installed your system, similar to the accounts that are in /etc/passwd. These groups include:

root : Owns most system files. GID of 0.
other : An extra group for the heck of it.
bin : Controls most executables in /usr/bin and /bin. It has a GID of 2.
sys : Owns a number of various system files. GID of 3.
adm : Owns most administration utilities, and has a GID of 4.
uucp : Similar to the uucp user above. Has a GID of 5.

*Adding users* (adduser)

Adding users is easy. The SLS release and most other releases of Linux provide a program called *adduser*. To use adduser:

1) Find an unused UID and a suitable GID for the user. This can be done by searching through the /etc/passwd and /etc/group files as mentioned above.
2) Log in as root and type: *adduser*
3) At the prompt, enter the username to add. A typical username has 8 characters or less in it, but more than 3.
4) Then you will get prompted for the user's real name. This is optional, but good etiquette is to put in the person's real name.
5) Enter the group to add the user to.
Here you must type in the number that is listed in /etc/group that refers to the user's GID. If you give the user a GID of 0 this is about the same as giving the user most root privileges, and you will be asked if you are sure about this.
6) Enter the UID for the user. Make sure this is a unique number.
7) Next you must enter the home directory for the user. The default is /usr/users/. You can change this based on how you want your system set up. Most sites use paths such as /home/ or /users/.
8) Now enter the default shell. The default for this is /bin/sh, which is fine for most users, but you can change it to whatever shell you like. You can even set up single programs that the user can run. For example, there is a user called sync, whose shell is /bin/sync. When this user logs in, the /bin/sync program is run, then logs out.
9) Next is the default password. This is the password that gets put into the /etc/passwd file. If the user is going to log in immediately, you can just use the default password of the user's username. Otherwise, you should think up a password that follows the rules for good passwords (see above in Secure Passwords) and notify the user of the password. Either way, suggest to the user that they change their password right after they log in, to keep their account secure.
10) After entering all this information, you are shown all the information you have typed in, and asked to verify that the information is correct. If you type 'y', the user is created and a default directory is created. If you type 'n', you return to the 'Username to add:' prompt.

A typical adduser run looks like this:

    #adduser
    Username to add: laslo
    [laslo]
    laslo's personal name : laslo
    laslo's group : 0
    Give laslo superuser privs? [y|n] : n
    laslo's group : 6
    laslo's uid : 110
    laslo's home directory: [/usr/users/laslo] : /home/laslo
    Default dir is [/home/laslo]
    laslo's default shell : [/bin/sh] :
    Default shell is [/bin/sh]
    laslo's defualt password : [laslo] :
    Create user [laslo]
    In directory, [/home/laslo], with [/bin/sh] as a default shell,
    and [laslo], for a password.
    Is this correct? [y|n] : y
    Making directory, [/home/laslo].
    #

And the user laslo now has an account.

You can also manually add a user without using the adduser command. To do this:

1) Log in as root and edit the /etc/passwd file.
2) Set up an entry similar to the sample /etc/passwd entry (see UID and GID above).
3) Make sure that the password field is empty, since you can't encrypt a password in your head.
4) Make the home directory for the user (/home/) and use chown to change ownership of the directory to the user. (chown . /home/)
5) Log into the new user account and verify that things are working right.
6) If there are no problems, change the password for the user so that nobody else has access to the account.

To disable an account, change the password field to *. To completely delete an account, back up and delete the user's home directory and any other files that the user may own, and remove the line in /etc/passwd that refers to the user you wish to delete.

Chapter 2: Managing drives

*Multiple drives vs. the single drive concept*

The idea of a drive is much different than it is under DOS. The Linux (and UNIX in general) way of looking at drives is as follows: each physical drive can be split into partitions and each partition can be mounted into a directory. Because of this, there are no drive letters as in DOS; there is no drive A:, B:, C:, and so on. The users will only be dealing with one drive. Everything is shown in terms of directories.
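The account-file checks described under "Group and password files", the password hints from "Secure Passwords" (which step 9 points back to), and the manual add, disable and delete steps above, written out as shell functions. This is an added example, not code from the manual or from the SLS release: every function takes the file it works on as an argument, so the demonstration at the bottom runs on constructed copies with made-up password hashes and a four-word stand-in for a dictionary. On a live system you would pass /etc/passwd and /home, point WORDS at a real word list, and run as root.

```shell
#!/bin/sh
# Added example, not part of the manual. The passwd entries, hashes and the
# word list below are constructed for the demonstration.

PASSWD_FILE=$(mktemp); WORDS=$(mktemp)
HOME_ROOT=$(mktemp -d); BACKUP_DIR=$(mktemp -d)
cat > "$PASSWD_FILE" <<'EOF'
root:x9fMb0rQkTcvY:0:0:The super user:/:/bin/sh
daemon:*:1:1:daemon:/:/bin/sh
sync::3:3:sync:/:/bin/sync
henry:2OkwUbaCV73X.:100:6:Mark Komarinski:/home/henry:/bin/sh
guest::101:6:Guest account:/home/guest:/bin/sh
notroot:x9fMb0rQkTcvY:0:0:Second UID 0:/tmp:/bin/sh
EOF
printf '%s\n' secret password linux welcome > "$WORDS"

# next_free_uid PASSWD MIN: lowest UID >= MIN not in use (adduser step 1).
next_free_uid() {
    awk -F: -v min="$2" '{ used[$3] = 1 }
        END { uid = min; while (uid in used) uid++; print uid }' "$1"
}

# audit_passwd PASSWD: one finding per line; returns 1 if anything was found.
# An empty password field lets anyone log in; sync is meant to be that way,
# so the administrator decides which findings are expected.
audit_passwd() {
    awk -F: '
        NF != 7 { print "malformed entry: " $0; bad = 1; next }
        $2 == "" { print "no password: " $1; bad = 1 }
        $3 == 0 && $1 != "root" { print "extra UID 0 account: " $1; bad = 1 }
        $3 in seen { print "duplicate UID " $3 ": " seen[$3] " and " $1; bad = 1 }
        { seen[$3] = $1 }
        END { exit bad }' "$1"
}

# check_password PASSWORD USERNAME REALNAME: hints 1-3 above. Prints each rule
# the password breaks; returns 0 only if it breaks none.
check_password() {
    lower=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); ok=0
    [ ${#1} -ge 6 ] || { echo "shorter than 6 characters"; ok=1; }
    case $1 in
        *[0-9]*|*[!a-zA-Z0-9]*) ;;
        *) echo "letters only: mix in digits or punctuation"; ok=1 ;;
    esac
    for word in $2 $3; do                 # username and every part of the real name
        case $lower in *"$(printf '%s' "$word" | tr 'A-Z' 'a-z')"*)
            echo "contains '$word', which is significant to you"; ok=1 ;;
        esac
    done
    base=$(printf '%s' "$lower" | sed 's/[0-9]*$//')   # "secret1" is still "secret"
    if grep -qix -e "$lower" -e "$base" "$WORDS"; then echo "is a dictionary word"; ok=1; fi
    return $ok
}

# passwd_field PASSWD NAME N: field N of NAME's entry (empty if no such user).
passwd_field() { awk -F: -v u="$2" -v n="$3" '$1 == u { print $n; exit }' "$1"; }

# add_user PASSWD HOMEROOT NAME UID GID REALNAME SHELL (manual steps 1-4):
# append an entry with an EMPTY password field, make the home directory and
# hand it to the user. Refuses a duplicate name or UID.
add_user() {
    pw=$1; name=$3; uid=$4; home=$2/$3
    [ -z "$(passwd_field "$pw" "$name" 1)" ] || { echo "$name exists" >&2; return 1; }
    [ "$(next_free_uid "$pw" "$uid")" = "$uid" ] || { echo "UID $uid in use" >&2; return 1; }
    printf '%s::%s:%s:%s:%s:%s\n' "$name" "$uid" "$5" "$6" "$home" "$7" >> "$pw"
    mkdir -p "$home"
    # chown needs root and a name the system knows, so only on the real file.
    if [ "$pw" = /etc/passwd ] && [ "$(id -u)" -eq 0 ]; then chown "$name" "$home"; fi
    echo "added $name with no password: set one (step 6) before anyone else does"
}

# disable_user PASSWD NAME: put '*' in the password field; no hash matches it.
# Writing back with cat keeps the file's owner and mode (mv of a temp file would not).
disable_user() {
    tmp=$(mktemp)
    awk -F: -v OFS=: -v u="$2" '$1 == u { $2 = "*" } { print }' "$1" > "$tmp"
    cat "$tmp" > "$1" && rm -f "$tmp"
}

# delete_user PASSWD HOMEROOT BACKUPDIR NAME: back up the home directory, then
# remove it and the passwd line. Files the user owns elsewhere (find / -user NAME)
# are left to the administrator; the manual says to back those up too.
delete_user() {
    home=$2/$4; tmp=$(mktemp)
    [ -d "$home" ] && cp -r "$home" "$3/$4.bak"
    rm -rf "$home"
    awk -F: -v u="$4" '$1 != u' "$1" > "$tmp"
    cat "$tmp" > "$1" && rm -f "$tmp"
}

echo "next free UID from 100: $(next_free_uid "$PASSWD_FILE" 100)"
audit_passwd "$PASSWD_FILE" || echo "(review the findings above)"
check_password laslo laslo "Laslo Hollyfeld" || echo "(laslo is a poor password)"
add_user "$PASSWD_FILE" "$HOME_ROOT" laslo 110 6 "Laslo Hollyfeld" /bin/sh
disable_user "$PASSWD_FILE" laslo
```

The demonstration adds laslo the way steps 1-4 describe and then disables the account, which is the state an account should sit in until its owner is ready to log in and set a real password; adduser's habit of using the username as the default password is exactly what check_password rejects.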
You could have one partition (also called a filesystem) for the root directory and other files (the / directory), another filesystem for user commands (the /usr directory), and another filesystem for user space (the /usr/users, /home, or /user directory). For example, I have three partitions that I use: one is for the / directory, one is for the /usr directory, and the third one is for the /home directory. When I cd into the /usr or /home or / directories or any of their subdirectories, it is just like using cd from DOS to change to a subdirectory. I do not have to switch drive letters, I just have to use cd and go to that filesystem.

There are a few advantages to using this system. First, you can add more total space to the system. If you notice that the /usr/X386 subdirectory will take up more space than /usr has, you can create a new filesystem from the unused portion of your drive and mount that partition on /usr/X386. Second, all file operations are invisible to both the user and the user's programs. DOS needs a drive letter and a directory. Linux just needs a directory.

Linux refers to physical drives, such as the 3.5 inch floppy drive, as files in the /dev directory. For example, the first floppy drive (called A: in DOS) is /dev/fd0 in Linux. The fd refers to the fact that it is a floppy drive, and the 0 means that it is the first. Hard drives are referred to in two different ways. One is the physical drive itself, the first or second drive. The other is by which partition on that physical drive. Hard drive entries in /dev have an hd, to signify hard drive, followed by an a for the first physical drive, b for the second physical drive, etc. After that is a number to specify the partition within the physical drive. The first partition is 1, the second partition is 2, etc.
In order to help you think in Linux, here are a few DOS to Linux ways of thinking of the same drive:

    DOS                                              LINUX
    A:                                               /dev/fd0
    B:                                               /dev/fd1
    C: (assuming first partition on the first        /dev/hda1
        hard drive)
    E: (assuming second partition on the second      /dev/hdb2
        hard drive)

*Creating a Minix Filesystem* (mkfs, mount, umount, /etc/fstab)

You can create a new filesystem for Linux to use if you have space left on your physical drive and if that space is set up as a Linux partition using fdisk. There are two different types of filesystems that you can use, the minix filesystem and the extended filesystem. The minix filesystem works and is currently the standard for filesystems, but has a limitation of 14 characters for filenames. The extended filesystem can handle filenames up to 255 characters long, but the code has not been perfected and is still in beta testing. Your best format for a filesystem is the minix filesystem.

To create a new minix filesystem, you need to know the partition and the size of the partition, in blocks. You can find this information out by running fdisk and giving the 'p' command:

    #fdisk /dev/hdb

    Command (m for help): p

    Disk /dev/hdb: 8 heads, 35 sectors, 872 cylinders
    Units = cylinders of 280 * 512 bytes

       Device Boot  Begin  Start   End  Blocks  Id  System
    /dev/hdb1           1      1   615  86082+   7  OS/2 HPFS
    /dev/hdb2         616    616   872  35980   81  Linux/MINIX

    Command (m for help):

According to this information, I have two partitions on this physical drive. One is an OS/2 partition, and the other is a minix filesystem. To create the filesystem on /dev/hdb2 (the second partition on the second drive), I would use mkfs with the -c option to check the space for bad blocks and give the size of the partition as given by fdisk:

    #mkfs -c /dev/hdb2 35980

Once the filesystem is created, you must mount the filesystem and copy over the information you want to use. If the partition is for a /home directory and you have no users yet, this is rather easy.
But if you want to mount a new filesystem to use in /usr/src, there is a bit of work involved in setting it up. Let's assume that you want to add a filesystem to a directory that already has data in it, for example your /usr/src directory and its subdirectories. The first thing that you have to do is mount your new partition at a place where you can copy the files to, because you can not have two directories named /usr/src. So, mount your new filesystem on /mnt. The /mnt directory is used mostly for mounting temporary filesystems, such as floppy disks or filesystems used for backup. Let's also assume that your new filesystem is on /dev/hdb2. To mount /dev/hdb2 on /mnt, just type:

    #mount /dev/hdb2 /mnt

Now you can copy the files from /usr/src to /mnt. To copy /usr/src and its subdirectories, use the -r option of cp:

    #cp -r /usr/src /mnt

And all of the files in /usr/src will be copied into /mnt. After this, you must umount /dev/hdb2, delete the files in /usr/src and then mount the new /dev/hdb2 on /usr/src:

    #umount /dev/hdb2
    #rm -r /usr/src/*
    #mount /dev/hdb2 /usr/src

In order to have /dev/hdb2 mounted every time you restart Linux, you have to add a line to the /etc/fstab file. The /etc/fstab file contains a table of drive partitions, where they should be mounted, and the type of filesystem that partition uses. My /etc/fstab file looks as follows:

    /dev/hda2   /      minix   defaults
    /dev/hdb1   /usr   minix   defaults

The first column lists the device that you wish to mount. The second column gives where the filesystem should be mounted. The third column gives what kind of filesystem it is, and the last column should just be set to 'defaults'. With this file, every time I start Linux, /dev/hda2 gets mounted on the root directory and /dev/hdb1 gets mounted on /usr. This all happens before I log in, and is handled by a file called /etc/rc, which I'll get to in just a bit.
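A checker for the four-column /etc/fstab layout just described, together with a function that drops an entry while refusing the directories the system needs at boot. This is an added example, not code from the manual; the table it runs on is constructed (two of its lines are deliberately wrong), and which problems are worth flagging is this example's own judgement rather than anything mount enforces. Pass /etc/fstab instead of the sample to check the real file.

```shell
#!/bin/sh
# Added example, not part of the manual. The fstab below is constructed for
# the demonstration; /dev/hdc1 and the "ext" type are made up.

FSTAB_SAMPLE=$(mktemp)
cat > "$FSTAB_SAMPLE" <<'EOF'
# device    mount point   type    options
/dev/hda2   /             minix   defaults
/dev/hdb1   /usr          minix   defaults
/dev/hdb2   /usr/src      minix
/dev/hdb2   /home         minix   defaults
/dev/hdc1   /usr          ext     defaults
EOF

# check_fstab FSTAB: one problem per line; returns 1 if any were found.
check_fstab() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }                 # comments and blank lines
        NF != 4 { print "line " NR ": expected 4 columns, got " NF; bad = 1; next }
        $3 != "minix" { print "line " NR ": " $3 " is not a minix filesystem"; bad = 1 }
        $4 != "defaults" { print "line " NR ": options should be defaults, got " $4; bad = 1 }
        $1 in dev { print "line " NR ": " $1 " is already mounted by line " dev[$1]; bad = 1 }
        $2 in mnt { print "line " NR ": " $2 " is already used by " mnt[$2]; bad = 1 }
        { dev[$1] = NR; mnt[$2] = $1 }
        END { if (!("/" in mnt)) { print "no entry for the root filesystem"; bad = 1 }
              exit bad }' "$1"
}

# fstab_remove FSTAB MOUNTPOINT: drop the entry for MOUNTPOINT. / and /lib are
# the examples the manual gives of directories that must stay; /usr is added
# here on the assumption that the system's commands live there.
fstab_remove() {
    case $2 in
        /|/lib|/usr) echo "refusing to drop $2: the system needs it at boot" >&2; return 1 ;;
    esac
    tmp=$(mktemp)
    awk -v m="$2" '!/^[ \t]*#/ && $2 == m { next } { print }' "$1" > "$tmp"
    cat "$tmp" > "$1" && rm -f "$tmp"     # cat keeps the file's owner and mode
    echo "dropped $2 from $1; umount $2 detaches it now, and it stays off at the next boot"
}

check_fstab "$FSTAB_SAMPLE" || echo "(fix these before the next reboot)"
fstab_remove "$FSTAB_SAMPLE" /home
```

Two mount points claiming the same device, or two devices claiming the same directory, are the mistakes that leave a machine unable to come up cleanly after the edit described in the next paragraph, which is why the checker treats them as errors rather than warnings.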
If you want to remove a filesystem from the /etc/fstab file, first make sure that it is not a needed directory (such as / or /lib) and be sure that you can get to the files if you need to. From there, it is a simple matter of removing that line from the /etc/fstab file and using umount to unmount the filesystem from the system.

Chapter 3: Startup and Shutdown of your Linux System

*Startup* (/etc/rc, /etc/rc.local, /etc/inittab)

When you first start your system up, two files are read. The first is the /etc/rc file and the second is the /etc/inittab file. The /etc/rc file contains commands necessary for making the system usable. My /etc/rc file looks like this:

    # rc from 0.96 root disk
    # uses mount -a and removes some pesky files
    /etc/update &
    # remove /etc/mtab* so mount creates the /etc/mtab file
    /bin/rm -f /etc/mtab* /etc/nologin
    /bin/rdev > /etc/mtab
    /bin/mount -av
    /bin/rm -f /usr/spool/uucp/LCK*
    /bin/sh /etc/rc.local

As with this file and the next two, any line that begins with a # is treated as a comment and is not executed. The first command, /etc/update, starts a process that will regularly run the sync command, so that in case of a system crash the loss of data on the drives would be minimal. Next the /etc/mtab and /etc/nologin files are removed. The /etc/mtab file contains information about the drives in the /etc/fstab file. The /etc/nologin file, if it exists, prevents users other than root from logging into the system. This file is usually created by the shutdown command. The rdev command lists the filesystems in the /etc/fstab file and converts it into a file suitable for /etc/mtab. The mount command with the -a option will mount the filesystems listed in /etc/fstab. The next file that is removed has to do with lock files and the modem. Programs such as UUCP and Kermit use lock files to tell other programs which lines are currently in use.
If the system is shut down while one of these programs is running, the lock file must be removed before the modem line can be used by another program. The final line executes the /etc/rc.local file. This file contains commands that are necessary for your local machine. Here is my /etc/rc.local file:

    /bin/hostname enry
    /usr/bin/setterm -blank 10
    if [ -x /usr/etc/inet/rc.net ]; then
        /usr/etc/inet/rc.net
    fi

The first command, hostname, sets the name of the host as it gets displayed in the login screen. For example, my machine name is enry. The next command sets the screen blanking to 10 minutes. The final command executes the /usr/etc/inet/rc.net file if it exists. This file contains the commands to start the TCP/IP daemons and is discussed in greater detail in the NET manual.

Another file that is used at boot time is the /etc/inittab file. This file tells the kernel which ports to send login screens to. Here is my /etc/inittab file:

    # inittab for linux, poeigl 1.3
    # Format:
    # ttyline:termcap-entry:getty-command
    tty1:console:/etc/getty 9600 tty1
    tty2:console:/etc/getty 9600 tty2
    tty3:console:/etc/getty 9600 tty3
    tty4:console:/etc/getty 9600 tty4
    #tty5:console:/etc/getty 9600 tty5
    #tty6:console:/etc/getty 9600 tty6
    # ttys1:dumb:/etc/getty 9600 ttys1
    # ttys2:dumb:/etc/getty -m -t60 2400 ttys2

The format of an /etc/inittab entry is:

1) Device line
2) Terminal type
3) Getty command

The device line is the entry in the /dev directory that you want to send a login screen to. For example, to send a login screen to your first virtual screen (ALT-F1), the device is tty1. To send a login screen to a dumb terminal connected to your first serial port, the device is ttys0. The terminal type defines what kind of default terminal emulation to assume for the login screen. If you are only using the virtual consoles, this can be left as 'console'. If you have other terminals connected to your machine, check the documentation. Usually the best emulations are vt100 or vt220.
For a complete list of emulations you can use, look at the /etc/termcap file. Getty is the program that actually sends the commands to the screen to let the user log in. The format of getty is usually:

    /etc/getty

where speed is the baud rate you want to use and the device line is the line that you listed in the first field of the inittab entry. So if you have a vt100 terminal connected to ttys0 and the speed is 2400 baud, the inittab entry looks like this:

    ttys0:vt100:/etc/getty 2400 ttys0

*Shutdown*

There are at least three different ways to shut the system down. The first is to use the shutdown command.
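A reader for the three-field device:terminal:getty-command layout of /etc/inittab described in the Startup section above. It lists the lines that will get a login prompt and flags entries that would not work, in particular a getty told to open a different device than the one its entry names. This is an added example, not code from the manual or from the init program; the inittab it runs on is constructed for the demonstration and deliberately contains two bad entries. Pass /etc/inittab instead of the sample to read the real file.

```shell
#!/bin/sh
# Added example, not part of the manual. The inittab below is constructed;
# its last two entries are intentionally wrong.

INITTAB_SAMPLE=$(mktemp)
cat > "$INITTAB_SAMPLE" <<'EOF'
# inittab for linux, poeigl 1.3
# Format:
# ttyline:termcap-entry:getty-command
tty1:console:/etc/getty 9600 tty1
tty2:console:/etc/getty 9600 tty2
#tty5:console:/etc/getty 9600 tty5
ttys0:vt100:/etc/getty 2400 ttys0
ttys1:dumb:/etc/getty 9600 ttys2
tty3:console
EOF

# active_lines INITTAB: the devices (field 1) that get a getty, one per line;
# commented-out entries are skipped, as in the manual's own file above.
active_lines() {
    awk -F: '/^[ \t]*#/ || NF == 0 { next } NF == 3 { print $1 }' "$1"
}

# check_inittab INITTAB: one finding per line; returns 1 if any were found.
# Besides the field count it checks that the device getty is told to open
# (its last argument) is the device named in field 1, and that no device is
# listed twice, which would start two gettys fighting over one line.
check_inittab() {
    awk -F: '
        /^[ \t]*#/ || NF == 0 { next }
        NF != 3 { print "line " NR ": expected 3 fields, got " NF; bad = 1; next }
        { n = split($3, arg, " ") }
        arg[n] != $1 { print "line " NR ": getty opens " arg[n] " but the entry is for " $1; bad = 1 }
        $1 in seen { print "line " NR ": " $1 " already has a getty on line " seen[$1]; bad = 1 }
        { seen[$1] = NR }
        END { exit bad }' "$1"
}

echo "login prompts will appear on: $(active_lines "$INITTAB_SAMPLE" | tr '\n' ' ')"
check_inittab "$INITTAB_SAMPLE" || echo "(fix these before rebooting)"
```

The terminal-type field is not checked here; /etc/termcap, mentioned above, is where a name such as vt100 would be looked up.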