Fedora And Red Hat System Administration/Print version


Fedora And Red Hat System Administration

The current, editable version of this book is available in Wikibooks, the open-content textbooks collection, at
https://en.wikibooks.org/wiki/Fedora_And_Red_Hat_System_Administration

Permission is granted to copy, distribute, and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike 3.0 License.

Shell Basics

From the moment you connect to an SSH session, log into a text console, or open a terminal from a graphical environment, you are interacting with a shell program. To describe it simply, the shell provides your command line. It receives the commands you type and runs programs as needed to service those commands.

Bash, the most popular shell for GNU/Linux systems, is built on ideas going back to the original UNIX shell, the Borne Shell. While the Borne shell was revolutionary for its day, it is rather clunky by today's standards. Concepts like command line editing, command history and job control evolved later in other shells that sought to replace the original Borne shell such as the C shell and the Korn Shell. While these features greatly enhanced shell usability, they also came at the price of breaking compatibility with Borne shell syntax. When the GNU Project designed their shell they chose to implement these new ideas but still maintain compatibility with the original Borne shell. The called their shell the Borne Again Shell, or simply Bash.

The basic ideas for the shell differ little from the original, but command history, commandline editing, and features used in shell scripts are more idiosyncratic.

Running commands from the shell

edit

Commands at the shell take a basic form of:

COMMAND [-OPTIONS]... [ARG]...

(It is common convention to put variables in capitols and square brackets around optional elements. The ellipsis indicates the preceding can be repeated).

The COMMAND can be one of four things:

  • A Program - The shell will search your PATH environment variable for programs named COMMAND. Most programs are in /bin or /usr/bin. Documentation for commands are usually found in manual pages (Accessed with `man COMMAND')
  • A Shell Built-in - Built-in commands are commands processed directly by the shell such as cd, echo and alias. Documentation for built-ins can be found in the manual page for bash or with the help built-in: `help COMMAND'.
  • An alias - Aliases are processed before the command is run and are replaced by another command, possibly adding options or arguments.
  • A Function - Functions call a sequence of commands and are more often used in shell scripting than on a typical command line.

Example Built-in Commands

edit

Some of the simplest commands are Built-ins. echo for example simply prints the arguments passed to it:

[jtk@athena ~]$ echo Hello, World!
Hello, World!

The pwd built-in prints the working directory; cd changes the working directory. (We'll define "working directory" later when we discuss filesystem basics).

[jtk@athena ~]$ pwd
/home/jtk
[jtk@athena ~]$ cd /usr/share/doc/bash-3.1/
[jtk@athena bash-3.1]$ pwd
/usr/share/doc/bash-3.1
[jtk@athena bash-3.1]$ cd
[jtk@athena ~]$ pwd
/home/jtk

The help built-in provides documentation on built-ins. Without arguments it gives a list of built-ins. With Arguments, help can provide details on a particular built-in command:

[jtk@athena ~]$ help
GNU bash, version 3.1.7(1)-release (i386-redhat-linux-gnu)
These shell commands are defined internally.  Type `help' to see this list.
Type `help name' to find out more about the function `name'.
Use `info bash' to find out more about the shell in general.
Use `man -k' or `info' to find out more about commands not in this list.

A star (*) next to a name means that the command is disabled.

 JOB_SPEC [&]                       (( expression ))
 . filename [arguments]             :
 [ arg... ]                         (( expression ))
 alias [-p] [name[=value] ... ]     bg [job_spec ...]
 bind [-lpvsPVS] [-m keymap] [-f fi break [n]
 builtin [shell-builtin [arg ...]]  caller [EXPR]
 case WORD in [PATTERN [| PATTERN]. cd [-L|-P] [dir]
 command [-pVv] command [arg ...]   compgen [-abcdefgjksuv] [-o option
 complete [-abcdefgjksuv] [-pr] [-o continue [n]
 declare [-afFirtx] [-p] [name[=val dirs [-clpv] [+N] [-N]
 disown [-h] [-ar] [jobspec ...]    echo [-neE] [arg ...]
 enable [-pnds] [-a] [-f filename]  eval [arg ...]
 exec [-cl] [-a name] file [redirec exit [n]
 export [-nf] [name[=value] ...] or false
 fc [-e ename] [-nlr] [first] [last fg [job_spec]
 for NAME [in WORDS ... ;] do COMMA for (( exp1; exp2; exp3 )); do COM
 function NAME { COMMANDS ; } or NA getopts optstring name [arg]
 hash [-lr] [-p pathname] [-dt] [na help [-s] [pattern ...]
 history [-c] [-d offset] [n] or hi if COMMANDS; then COMMANDS; [ elif
 jobs [-lnprs] [jobspec ...] or job kill [-s sigspec | -n signum | -si
 let arg [arg ...]                  local name[=value] ...
 logout                             popd [+N | -N] [-n]
 printf [-v var] format [arguments] pushd [dir | +N | -N] [-n]
 pwd [-LP]                          read [-ers] [-u fd] [-t timeout] [
 readonly [-af] [name[=value] ...]  return [n]
 select NAME [in WORDS ... ;] do CO set [--abefhkmnptuvxBCHP] [-o opti
 shift [n]                          shopt [-pqsu] [-o long-option] opt
 source filename [arguments]        suspend [-f]
 test [expr]                        time [-p] PIPELINE
 times                              trap [-lp] [arg signal_spec ...]
 true                               type [-afptP] name [name ...]
 typeset [-afFirtx] [-p] name[=valu ulimit [-SHacdfilmnpqstuvx] [limit
 umask [-p] [-S] [mode]             unalias [-a] name [name ...]
 unset [-f] [-v] [name ...]         until COMMANDS; do COMMANDS; done
 variables - Some variable names an wait [n]
 while COMMANDS; do COMMANDS; done  { COMMANDS ; }
[jtk@athena ~]$ help help
help: help [-s] [pattern ...]
     Display helpful information about builtin commands.  If PATTERN is
    specified, gives detailed help on all commands matching PATTERN,
    otherwise a list of the builtins is printed.  The -s option
    restricts the output for each builtin command matching PATTERN to
    a short usage synopsis.
[jtk@athena ~]$ help cd
cd: cd [-L|-P] [dir]
     Change the current directory to DIR.  The variable $HOME is the
    default DIR.  The variable CDPATH defines the search path for
    the directory containing DIR.  Alternative directory names in CDPATH
    are separated by a colon (:).  A null directory name is the same as
    the current directory, i.e. `.'.  If DIR begins with a slash (/),
    then CDPATH is not used.  If the directory is not found, and the
    shell option `cdable_vars' is set, then try the word as a variable
    name.  If that variable has a value, then cd to the value of that
    variable.  The -P option says to use the physical directory structure
    instead of following symbolic links; the -L option forces symbolic links

Example Program Commands

edit

Most commands you'll use are programs. That is, they are a separate program run in a separate process from the bash shell. These programs can be found in a number of locations on the system. The directories searched are specified in the PATH environment variable, but more on that later. Most programs are found in either the /bin or /usr/bin directories and we'll focus on those for now.

If I want to get a listing of files in a directory I would use the ls command. The actual program that runs when you type "ls" is found at /bin/ls. If called without arguments, ls will give a listing of files in the current directory. An argument can be used to tell it which directory to list. Options can be used to tell it how to list the files:

[jtk@athena ~]$ ls
bin   Desktop   google-earth  svn
[jtk@athena ~]$ ls -l
drwxrwxr-x 2 jtk jtk      4096 Dec  1 12:32 bin
drwxr-xr-x 8 jtk jtk      4096 Jan 11 13:51 Desktop
drwxr-xr-x 9 jtk jtk      4096 Dec 17 22:21 google-earth
-rw-r--r-- 1 jtk jtk  16791707 Dec  5 16:43 livejournal.tar.bz2
drwxrwxr-x 2 jtk jtk      4096 Dec  8 13:23 svn
[jtk@athena ~]$ ls -lt
drwxrwxr-x 2 jtk jtk      4096 Dec  1 12:32 bin
-rw-r--r-- 1 jtk jtk  16791707 Dec  5 16:43 livejournal.tar.bz2
drwxrwxr-x 2 jtk jtk      4096 Dec  8 13:23 svn
drwxr-xr-x 9 jtk jtk      4096 Dec 17 22:21 google-earth
drwxr-xr-x 8 jtk jtk      4096 Jan 11 13:51 Desktop
[jtk@athena ~]$ ls /home/
db2inst1  jtk  lost+found
[jtk@athena ~]$ ls -l /home/
total 24
drwxr-xr-x  7 db2inst1 db2iadm1  4096 Jul 17  2006 db2inst1
drwx------ 11 jtk      jtk       4096 Feb  2 11:47 jtk
drwx------  2 root     root     16384 Apr 19  2006 lost+found

Notice the option string "-lt". The "l" specifies a "long" listing while the "t" specifies that the entries should be sorted by modification time. These are single character options and could have been specified separately as "-l -t", but they are usually grouped together like this.

It is customary to put options before arguments such as in the command "ls -l /home". With GNU utilities this is optional, but some utilities will complain if any options appear after the same argument. (There is no distinction between option and argument to the shell or the operating system. When the command is executed by the kernel, they are all arguments and it is up to the program to interpret them).

Example Running Command as Root User

edit

If you are a user which is not root and you need to install or run a command which requires admin credentials then just do the following:

[jtk@athena ~]$ su root
Enter root password
Run the command you want (as root).

It's that's easy.

If you are a user and want to list the IP address of the machine you can use sudo command, for now lets imagine you are allowed to use sudo command

# sudo /sbin/ifconfig 

Similarly you can use sudo to run any superuser command


The X Window System

The X window system or X11 is most basic component of the graphical environment. You can find many implementations of X11 including servers for Max OSX and Windows (Please insert recommendations!). Most GNU/Linux distributions now use X.Org's implementation (which forked not too long ago from the XFree86 project).

Starting X

edit

Graphical Login and GDM

edit

Most functions of your users graphical experience is actually not handled by X, but rather by the Graphical login managers, such as the Gnome Display Manager(GDM). While other display managers exist, Red Hat and fedora based systems use the Gnome Display Manager as the login manager for their systems.

The X command

edit

In comparison to Graphical Managers such as GDM, "X" contains extremely minimal functionality on its own, but each graphical display manager is actually built atop X, and thus X is important to understand in its own right.

The 'X' window system is:

  • a client-server application
  1. The client is the application using the X-window
  2. The server controls the keyboard and screen and takes signals from the application and responds with output to display on the screen
  • A protocol used by the application to connect to the server
    • the 'X' protocol, also known as X11

To start X, one has

The startx command

edit

The X startup scripts

edit

Remote X access with SSH

edit

/etc/ssh/ssh_config

edit

/etc/ssh/sshd_config

edit

Starting a VNC Server

edit

vncserver :1

Customizing your VNC X startup

edit

Securing your VNC connection

edit

Further reading

edit


Archives And Compression

Compressing Data

edit

gzip and gunzip

edit

Under Construction

bzip2 and bunzip2

edit

Under Construction

tar - *NIX Archives

edit

Under Construction

Creating a tar archive

edit

To create an uncompressed tar archive, the c and f options are provided (think 'c' for create and 'f' for filename):

[user@station user]$ tar cf foo.tar file1 file2 file3

The first argument is the name of the archive, in this case foo.tar. Any following arguments are the files that are being archived (e.g. file1 file2 file3). Usually globbing is used to archive all files of a particular type (e.g. tar cf foo.tar *.cpp will archive all of the .cpp files in the current directory):


To archive all files and subdirectories within a directory, the same options are provided, but the second argument is the . character which symbolizes the current working directory:

[user@station user]$ tar cf foo.tar .


To compress the contents of the archive one of the z, J, or j options are used. Each option corresponds to a different compression algorithm, which in order are: gzip, xz, and bzip2.

For example, to create a gzip compressed archive of the current directory the following would be run:

[user@station user]$ tar cfz foo.tar.gz .


Inspecting a tar archive

edit

Under Construction

Extracting a tar archive

edit

Under Construction


cpio - Flexible Archiving Tool

edit

In general, tar is the preferred method for creating archives, but in some cases a particular archive format may be desired and cpio provides a greater degree of control over how the archive is generated at the cost of greater complexity.

Creating a cpio archive

edit

To create a cpio archive, the -o option is provided (think 'o' for "The archive is being written out"). cpio expects a list of files to be provided to its standard input. The list of files is usually provided by piping results from the find command. The -H option can be used to specify the archive format, see the man page for more information.

[user@station user]$ find playground/
playground/
playground/AUTHORS
playground/ChangeLog
playground/COPYING
playground/foo.txt
playground/newfile
[user@station user]$ find playground/ | cpio -o >archive
1212 blocks
[user@station user]$ ls -l archive
-rw-rw-r--    1 user     user       620544 Jan  5 08:49 archive
[user@station user]$ file archive
archive: cpio archive

Listing contents of an archive with cpio

edit

To view the contents of an archive the -i option is provided to tell cpio to expect the archive data on its standard input. The -t option is also used then to tell cpio to not extract, but rather simply list the contents of the archive.

[user@station user]$ cpio -it <archive
playground/
playground/AUTHORS
playground/ChangeLog
playground/COPYING
playground/foo.txt
playground/newfile
1212 blocks

Extracting an archive with cpio

edit

The -i option is used with a combination of options to tell it how to extract. Common choices include -d to tell cpio to create directories as needed. -m to reset file modification times. -R to change file ownership.

[user@station user]$ cd /tmp
[user@station tmp]$ cpio -idm <archive
1212 blocks
[user@station tmp]$ find playground/
playground/
playground/AUTHORS
playground/ChangeLog
playground/COPYING
playground/foo.txt
playground/newfile

zip - PKZIP style archives

edit

Creating a zip archive

edit
[user@station user]$ zip -r playground.zip playground
  adding: playground/ (stored 0%)
  adding: playground/AUTHORS (deflated 63%)
  adding: playground/COPYING (deflated 62%)
  adding: playground/foo.txt (stored 0%)
  adding: playground/newfile (deflated 39%)
  adding: playground/ChangeLog (deflated 70%)
[user@station user]$ ls -l playground.zip
-rw-r--r--  1 user     user     71607 Jan 11 14:33 playground.zip

Listing contents of a zip archive

edit
[user@station user]$ unzip -l playground.zip
Archive:  playground.zip
  Length     Date   Time    Name
 --------    ----   ----    ----
        0  01-11-05 14:33   playground/
     2110  01-11-05 14:32   playground/AUTHORS
    17992  01-11-05 14:33   playground/COPYING
       22  01-11-05 14:33   playground/foo.txt
       44  01-11-05 14:33   playground/newfile
   212169  01-11-05 14:32   playground/ChangeLog
 --------                   -------
   232337                   6 files

Unpacking a zip archive

edit
[user@station user]$ rm -rf playground
[user@station user]$ unzip playground.zip
Archive:  playground.zip
   creating: playground/
  inflating: playground/AUTHORS
  inflating: playground/COPYING
 extracting: playground/foo.txt
  inflating: playground/newfile
  inflating: playground/ChangeLog

dump - Filesystem Level Backup

edit

Under Construction


Finding And Checking Files

Finding files with dangerous permissions

edit

Files that are writable by "other"

edit

If we search just based on permission, we'll get false hits from things like symbolic links.

[user@station user]$ find . -perm +002 -ls
  4095    0 lrwxrwxrwx   1 user     user           22 Jan  4 08:30 ./rh033 -> rh033-RHEL3-1-20031103
 10209    0 lrwxrwxrwx   1 user     user           18 Jan  4 09:28 ./.mozilla/default/bgdnw5up.slt/lock -> 192.168.0.254:3311
 63259    1 -rw-rw-rw-   1 user     user            6 Jan  5 11:58 ./playground/real-problem

Instead look for files with other write enabled that are regular files.

[user@station user]$ find . -perm +002 -type f -ls
 63259    1 -rw-rw-rw-   1 user     user            6 Jan  5 11:58 ./playground/real-problem

Directories that are writable by "other"

edit

When searching for directories that are writeable by other, one should also consider whether the "sticky bit" is set for the directory. In octal, the sticky bit is represented as a 1 in the first position in four digit octal representation (ex: 1777). This is a common setting for temporary directories and is not normally considered a security risk.

World writable temporary directories:

[user@station user]$ find / -perm -1002 -type d -ls 2>/dev/null
   493    0 drwxrwxrwt   2 root     root           40 Jan  4 09:25 /dev/shm
     2    4 drwxrwxrwt  11 root     root         4096 Jan  5 11:42 /tmp
 58497    4 drwxrwxrwt   2 xfs      xfs          4096 Jan  4 09:26 /tmp/.font-unix
 29250    4 drwxrwxrwt   2 root     user         4096 Jan  4 09:27 /tmp/.X11-unix
 14625    4 drwxrwxrwt   2 user     user         4096 Jan  4 09:27 /tmp/.ICE-unix
 29252    4 drwxrwxrwt   2 user     user         4096 Jan  4 09:28 /tmp/.esd
665189    4 drwxrwxrwt   2 root     root         4096 Jan  3 07:51 /var/lib/texmf
 97345    4 drwxrwxrwt   2 root     root         4096 Jan  4 14:00 /var/tmp
178466    4 drwxrwxrwt   2 root     root         4096 Aug 11  2003 /var/spool/vbox
762533    4 drwxrwxrwt   2 root     root         4096 Sep 25  2003 /var/spool/samba

Finding the real problem directories:

[user@station user]$ find / -perm -002 -not -perm -1000 -type d -ls 2>/dev/null

 46931    1 drwxrwxrwx   2 user     user         1024 Jan  5 12:06 /home/kupferer/bad-permissions

SUID and SGID executables

edit

SUID and SGID executables can present serious security concerns since they allow users to execute programs with permissions of another user. For this reason they should be closely monitored. SUID is represented as 4 in the first position and SGID, by a 2.

md5sum

edit

The md5sum command produces a checksum for a file that can be used later to check whether the file's contents have changed.

[user@station user]$ echo "some content" >a_file
[user@station user]$ md5sum a_file
eb9c2bf0eb63f3a7bc0ea37ef18aeba5  a_file
[user@station user]$ echo "Some content" >a_file
[user@station user]$ md5sum a_file
581ab2d89f05c294d4fe69c623bdef83  a_file

This is often used when downloading files from possibly untrustworthy mirrors. So long as a trusted checksum can be obtained, it can be used to verify that the data wasn't corrupted whether accidentally or maliciously. Often checksum files are distributed with downloads or kept on secure media to check systems for possible data corruption or intrusion. To create an MD5 checksum file, simply redirect the md5sum output to a file. md5sum -c can then be used to run the check later.

[user@station playground]$ for I in $(seq 1 6)
> do echo "Content for file-$I" >file-$I
> done
[user@station user]$ ls
file-1  file-2  file-3  file-4  file-5  file-6
[user@station playground]$ md5sum * >files.md5
[user@station playground]$ cat files.md5
37bca4ca3e0aa391ce8676a694940e66  file-1
ab831d920679cd711a85dc72360dbddc  file-2
371e1a1c44fac93d8ff0aa87ce623f19  file-3
8472ca817e850d90b2d747254f4ec6d2  file-4
d1c4512228268473f5a7f9e22c20a14c  file-5
1c64532d6ba6dd4125be760a1e7f66d3  file-6
[user@station playground]$ echo "different stuff" >file-3
[user@station playground]$ md5sum -c files.md5
file-1: OK
file-2: OK
file-3: FAILED
file-4: OK
file-5: OK
file-6: OK
md5sum: WARNING: 1 of 6 computed checksums did NOT match

Finding and Checking SUID and SGID executables

edit
[root@station root]# find / -type f -perm +6000 -exec md5sum {} \; >suid.md5
[root@station root]# echo "blah" > /usr/local/bin/new-suid
[root@station root]# chmod 4755 /usr/local/bin/new-suid
[root@station root]# find / -type f -perm +6000 -exec md5sum {} \; >suid.md5.new
[root@station root]# diff suid.md5 suid.md5.new
45a46
> 0d599f0ec05c3bda8c3b8a68c32a1b47  /usr/local/bin/new-suid
[root@station root]# mv suid.md5.new suid.md5
mv: overwrite `suid.md5'? y
[root@station root]# echo "more" >> /usr/local/bin/new-suid
[root@station root]# find / -type f -perm +6000 -exec md5sum {} \; >suid.md5.new
[root@station root]# diff suid.md5 suid.md5.new
46c46
< 0d599f0ec05c3bda8c3b8a68c32a1b47  /usr/local/bin/new-suid
---
> 9faee5c03d3f99ba4b95be1fc78c847f  /usr/local/bin/new-suid


Bash Scripting

< Fedora And Red Hat System Administration

Basics

edit

Handling Arguments

edit

This program will display all arguments:

 for ARG; do
     echo "had arg: $ARG"
 done

Example Functions

edit

Launch Apps and Set Niceness

edit
 showdates () {
      cal
      date
      ddate
 }
 
 donice () {
     COMMAND=$1
     NICEVAL=$(grep "^$COMMAND" ~/.nice-settings | cut -d: -f2)
     if test -n "$NICEVAL"
     then
         nice -n "$NICEVAL" $*
     else
         nice $*
     fi
 }
 
 grpshare () {
     if [ $1 = '-g' ]; then
         SET_GROUP=$2
         shift; shift
     else
         SET_GROUP=users
     fi
 
     for FILE; do
         chgrp $SET_GROUP -R $FILE
         chmod g+rw -R $FILE
     done
 }

Example Scripts

edit

Setting Environment Variable

edit
 #!/bin/bash
 
 for PROFILE in $(find /home/ -name .bash_profile)
 do
     if egrep -q '^(export[[:space:]]+)?EDITOR' $PROFILE
     then
        # User already set an editor, override that
        sed -i.orig -r 's/^(export[[:space:]]+)?EDITOR=.*/export EDITOR=nano/' $PROFILE
     else
         # No previous editor was set
         echo "export EDITOR=/usr/bin/nano" >>$PROFILE
     fi
 done

Setting Aliases

edit
 #!/bin/bash
 
 for BASHRC in $(find /home/ -name .bashrc)
 do
     for ALIAS in "alias rm='rm -i'" "alias cp='cp -i'" "alias mv='mv -i'"
     do
         ALIAS_CMD=$(echo $ALIAS | cut -d= -f1)
         if ! egrep -q "^$ALIAS_CMD" $BASHRC
         then
             echo $ALIAS >>$BASHRC
         fi
     done
 done

Checking MD5s for SUID and SGID Executables

edit
 #!/bin/bash
 # /root/bin or /usr/local/bin would be a good place for this script
 # Probably need to run this as root, otherwise many errors will show up about
 # permission problems with reading these files.
 NOTIFY_EMAIL=user@station.example.com
 
 # Assume (for now) that we already have a /etc/suid.md5 to compare new file to
 find / -type f -perm +6000 -exec md5sum {} \; >/etc/suid.md5.new
 
 if diff /etc/suid.md5 /etc/suid.md5.new &>/tmp/suid-check-diff.out
 then
     echo "No SUIDs have changed"
 else
     if [ "$1" = "interactive" ]
     then
         cat /tmp/suid-check-diff.out
         echo "Check FAILED!  SUID executable(s) have changed!"
         read -p "Is this okay? (yes/no) " RESPONSE
         if [ "$RESPONSE" = "yes" ]
         then
             mv /etc/suid.md5.new /etc/suid.md5
         fi
     else
         echo "Check FAILED!  SUID executable(s) have changed!" | mail -s "SUID Change" $NOTIFY_EMAIL
     fi
 fi

Checking URLs for New Content

edit
 #!/bin/bash
 
 URL_FILE=$HOME/.content-check-urls
 URL_DIR=$HOME/.content-check
 
 if ! [ -d $URL_DIR ]; then
     mkdir $URL_DIR
 fi
 
 if ! [ -f $URL_FILE ]; then
     echo "new-content-check: $URL_FILE not found"
     exit 1
 fi
 
 for URL in $(cat $URL_FILE); do
     MD5_FILE=$URL_DIR/$(echo $URL | md5sum | cut -d' ' -f1)
 
     if [ -f $MD5_FILE ]; then
         # Looks like we´ve got an old version of this data, gotta check it
         links -dump "$URL" | md5sum > $MD5_FILE.new
         if ! diff $MD5_FILE $MD5_FILE.new &>/dev/null; then
             echo "New content at $URL"
             mv -f $MD5_FILE.new $MD5_FILE
         else
             rm $MD5_FILE.new
         fi
     else
         # No old version, just store the new sum
         links -dump "$URL" | md5sum > $MD5_FILE
     fi
 done

Connecting via ssh using keys

edit
 #!/bin/bash
 SUCCESS=0
 WRONG_ARGS=65
 if [ $# -ne 2 ]
 then
  echo "Uso: `basename $0` user host"
  echo "Es : `basename $0` myuser host.example.com"
  exit $WRONG_ARGS
 fi
 if [ ! -e "$HOME/.ssh/id_rsa.pub" ];
 then
 echo "missing rsa key:"
 echo "run \"ssh-keygen -t rsa -b 2048\" and try again"
 exit $WRONG_ARGS
 else
 echo rsa public key found
 fi
 #Creating check file
 echo    "#!/bin/bash">check.key.sh
 echo    "if test -n \"\`ls .*|grep ssh\`\"">>check.key.sh
 echo    " then">>check.key.sh
 echo    " if test -n \"\`grep \"`cat $HOME/.ssh/id_rsa.pub|cut -d " " -f2`\" .ssh/authorized_keys2\`\"">>check.key.sh
 echo    "   then">>check.key.sh
 echo    "   echo public key found">>check.key.sh
 echo    "  else">>check.key.sh
 echo    "   echo missing public key:">>check.key.sh
 echo    "   echo putting public key on remote keyring">>check.key.sh
 echo    "   cat id_rsa.pub >>.ssh/authorized_keys2">>check.key.sh
 echo    "  fi">>check.key.sh
 echo    "else">>check.key.sh
 echo    "echo missind directory .ssh: creating ...">>check.key.sh
 echo    " mkdir -p .ssh">>check.key.sh
 echo    " echo creating remote keyring and copying public key ...">>check.key.sh
 echo    " cp id_rsa.pub .ssh/authorized_keys2">>check.key.sh
 echo    "fi">>check.key.sh
 echo    " echo setting keyring permissions ...">>check.key.sh
 echo    " chmod 600 .ssh/authorized_keys2">>check.key.sh
 echo    " echo setting directory permissions">>check.key.sh
 echo    " chmod 700 .ssh">>check.key.sh
 echo    "echo check key finished">>check.key.sh
 echo    "echo \"Please run the following to access the host again\"">>check.key.sh
 echo    "echo ssh $1@$2">>check.key.sh
 echo    "echo deleting check files ...">>check.key.sh
 echo    "rm id_rsa.pub">>check.key.sh
 echo    "rm check.key.sh">>check.key.sh
 chmod +x check.key.sh
 scp -p ~/.ssh/id_rsa.pub check.key.sh $1@$2:
 rm check.key.sh 
 ssh $1@$2 ./check.key.sh
 ssh $1@$2


Awk Scripting

Awk - A Data Driven Programming Language

edit

Under Construction

Using Awk at the Command Line

edit

Under Construction

Awk Scripts

edit

Parsing User Information from passwd data

edit

/usr/local/bin/bash-users.awk

#!/bin/awk -f
BEGIN {
    FS = ":"
    USER_COUNT = 0
}

/:\/bin\/bash$/ {
    ++USER_COUNT
    print $1
}

END {
    print USER_COUNT " bash users."
}

Usage:

[user@station user]$ getent passwd | bin/bash-users.awk
root
jkupferer
mesa
user
4 bash users.


Users, Groups and Authentication

UNIX users and group basics

edit

Managing users and groups

edit

Managing file permissions

edit

Creating groups shares

edit

Remote user accounts with NIS

edit

Remote user accounts with LDAP

edit



Filesystem Mangement

Partition Management

edit

A partition is a place on disk which contains

at the fdisk prompt: n - create a new partition e - create an extended partition p - will print the table

Block Devices

edit

Overview of Partitions

edit

Using Radified's [1] analogy, a partition is like

Creating a partition

edit
Using the fdisk utility
edit

"fdisk -l" ---> listed fdisk -l

the Mkfs Command
edit

mkfs, then hit the tab key twice gives you a list mkfs -t * which equals mkfs.*

so mkfs.reiserfs equals mkfs -t reiserfs

VFAT filesystem - tends to be used for usb mkfs -b ----> mkfs -t every partition has

4k is what you want -> optimized for speed rat mkfs -f [fragment size] fdisk -> enters the interactive prompt w - write n - new m - manual +100m - creates a partition q - quit the command "q" will quit fdisk. if you exit with "q" rather than "w"

1000 bytes is kb 1024 bytes is a kib "kibibytes"

running the command "cat /proc/partitions" looking at the file /proc/partitions will tell you what block devices the kernel knows about partprobe - speaks to a higher level of the kernel

it is a good idea to check with "partprobe" if the kernel agrees with our partitions

Sysfs filesystem vs. Proc filesystem

edit

Inodes

edit

Metadata is stored in the inode

we have goto our filesystem formatted

ctime - when was the inode created mtime - when was the inode last modified

ext2 had to make sure it assigns them to the correct filesystem - tune2fs -l /dev/xvda1

dumpe2fs /dev/xvda1 holding

= Mounting the file system
edit

if something is to show up on the desktop, then it will show up as mnt

if we "touch /home/share/unmounted"

the command to mount the

every directory has an inode for the current directory ( in the . entry)

dump e2fs will tell us if

Filesystems

edit

ext2 and ext3

edit

ext3 is the ext2 filesystem with journaling added. Journaling keeps track of what will be written to the disk prior to the write operation beginning. When the write is done, it is noted in the journal. If the system crashes during a write, it can recover the operation when it comes back up. This prevents incomplete writes from occurring on the disk and eliminates the need to do a filesystem check after a system crash.

JFS is a high a performance filesystem made by IBM and ported to Linux in 2001. It uses B+ trees,extents, and a journal to guarantee the consistency of the file system in the event of a crash.

reiserfs

edit

Labeling Filesystems and Block Devices

edit

Mounting Filesystems

edit

The mount Command

edit

/etc/fstab

edit

AutoFS - Automounting

edit

AutoFS allows the system to automatically mount devices and network shares as they are requested and even unmount them again when no longer in use. The main configuration for the automounter is /etc/auto.master. Initially, this file will only contain comments, including examples for a /etc/auto.misc and /etc/auto.net.

Basics

edit

Automounting Home Directories

edit

AutoFS Scripts

edit

The /net Example

edit


Working with repositories

Repositories of extra software

edit

Fedora Core only includes a core set of packages. For downloading and installing programs or codecs not distributed with Core, there are several repositories available. Packages are generally compatible between third-party repositories, though this has not always been the case.[1] There are also occasional overlaps or packaging errors that cause one package to negatively affect packages distributed from different repositories.

Official repositories

edit

Fedora Core, Fedora Extras and Fedora Legacy are official repositories in this project. Fedora Core is maintained by Red Hat. Fedora Extras is maintained by a group of volunteers and affiliated with the official Fedora Project. Fedora Extras is currently included in the base distribution as a default repository and no extra configuration is required to enable it. Fedora Legacy repository is also included in Fedora Core 5 and above versions but it is not enabled by default.

Unofficial repositories

edit

These repositories are designed to be compatible with Fedora Core although they may not be compatible with each other. Some of the repositories have discontinued active support for earlier versions of Fedora Core but keep the repositories around for the convenience of users with previous versions.

  • Livna, a third-party repository maintained by a group of packagers, supporting Fedora Core 5 through 14 (as of June 2010). Since it merged in 2008 with two other package repositories into RPM Fusion, it contains just the libdvdcss-1.2.10-1 package.
(Must use with Extras. Not compatible with RPMForge repositories.)[2][3]
  • RPMforge, containing the packages of Matthias Saou, Dag Wieers and Dries that were previously available in three different repositories, supporting Fedora Core 1 through 5.[4] RPMforge is compatible with Fedora Extras, similar to Livna.[5]
    • FreshRPMS, maintained by Matthias Saou, supporting Fedora Core 1 through 6
    • Dag, maintained by Dag Wieers, supporting Fedora Core 1 through 3
    • Dries, maintained by Dries Verachtert, supporting Fedora Core 1 through 6
    • PlanetCCRMA, maintained by Fernando Lopez-Lezcano, supporting Fedora Core 1 through 5
  • kde-redhat, Excellent source for KDE support in Fedora Core maintained by a group of packagers that support Fedora Core. Has updated KDE desktop RPMS, general KDE applications such as Bluetooth support.
  • The Grey Sector, containing mostly MPlayer related packages and binary packaged codecs (which have some legal issues). The repository is maintained by the MPlayer developer.
  • fedora-xgl, containing packages required to enable Xgl on Fedora.
  • dribble, containing packages with a focus on fun software (multimedia, games, emulators). It is recommended that this repository be used with Livna.
  • ATrpms, maintained by Axel Thimm and supporting Fedora Core 1 through 6.
  • Updates base packages ahead of Core. Some administrators consider it a bad idea to update base packages outside of their official channel.
  • ATrpms is also used extensively by Fedora Myth(TV)ology - a popular how-to resource for installing MythTV on Fedora Core, maintained by Jarod Wilson.
edit

Fedora Core, Fedora Extras and Fedora Legacy projects follow the same packaging guidelines in the Fedora project, and they all only maintain packages that are Free, open source software and legally distributable anywhere in the world. Other repositories may have different policies. For example, the Livna project maintains packages that may have legal issues within the United States or can be downloaded only by the end user.

Some repositories also maintain "source-only" packages that require the user to download pre-built binaries that may not be available to the public. The package script then unpacks and repacks the binaries in a format more suitable for deployment on RPM-based systems.

Software update utilities

edit

The main tool to install software from repositories is the command yum. A graphical tool called pirut (available in the upper menu bar with the name "Package Manager") is, together with the update program pup ("Package Update"), part of the standard installation since Fedora Core 5. Since FC6, a new mechanism for updates was added, based on a daemon called yum-updatesd that scans the repositories, and a notification applet called puplet that notifies the user about the new updates.

In addition to these standard tools, two graphical alternatives - Yumex [9] and Synaptic - are also available, in Extras. There is also Kyum, which provides a graphical frontend for KDE users.

By default, Fedora Core downloads software (including updates) from a randomly-selected mirror. It is possible to install directly from the Fedora Core CDs or DVD, but this requires changes to yum's configuration files (See off-line repositories below). Altering the configuration in this way is also useful when setting up a local mirror (for example on a company intranet), so that downloads can be obtained from there without having to access a mirror on the Internet.

Up until Fedora Core 4, maintainers of some of the extra repositories advocated the use of apt-rpm for update management - being written in C, it uses fewer CPU cycles and is therefore suitable for older computers with slower processors. For Fedora Core 5, a new version of apt is included in Extras which is capable of using native yum metadata and is multi-lib capable. [6]

Another useful tool to work with repositories is Fedora Helper [10]. It installs and configures the "missing codecs" - MP3 support, for example. It uses the rpm.livna.org repository. Another tool that helps when using different repositories together is Fedora Frog.[11]

Off-line repositories

edit

If a machine needs to be updated that is not connected to the network, a repository can be created and updated from there. To create such a portable repository do [7]:

  • make the directories ./yum, ./yum/base and ./yum/updates. (if you want your local apache to serve as repository of your intranet, do it inside /var/www/html)
  • copy all RPMs of your distribution inside ./base
  • create the headers of the packets with the command createrepo ./base (use /var/www/html/yum/base if you did set it for Apache)
  • download the updates. To do that, look for a real mirror (there is a list of them here [8]) and rsync with it to pick up changes (they will be stored in the ./updates repository). To rsync use the command rsync -avrt rsync://repository --exclude=debug/ /your-path/yum/updates

To use the off-line repository from a computer you only have to include in the /etc/yum/repos.d directory an entry (a *.repo file like the others already in /etc/yum/repos.d) specifying the path to the repository. You can use ftp, http or a mounted filesystem. In the latter case the repository path should start with "file://".

References

edit
  1. FreshRPMs mailing list: (non-)compatibility of repositories
  2. Livna's maintainers have a policy to not work together with other 3rd party repositories or at least they had this policy when Fedora Extras was Fedora.us
  3. Matthias Saou explains the compatibility issues between FreshRPMs and Livna
  4. FreshRPMS, PlanetCCRMA, Dries and DAG (RPMforge.net) build their packages together from the same sources. This ensures much greater cooperation and compatibility and will eventually lead to a merger.
  5. "RPMforge: Frequently Asked Questions". Retrieved 2006-07-28.