Fedora And Red Hat System Administration/Print version


Fedora And Red Hat System Administration

The current, editable version of this book is available in Wikibooks, the open-content textbooks collection, at
https://en.wikibooks.org/wiki/Fedora_And_Red_Hat_System_Administration

Permission is granted to copy, distribute, and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike 3.0 License.


Shell Basics

Further information: Shell Programming

From the moment you connect to an ssh session or log in to a text console or open an terminal from a graphical environment you are interacting with a shell program. To describe it simply, the shell provides your command line. It receives the commands you type and runs programs as needed to service those commands.

Bash, the most popular shell for GNU/Linux systems, is built on ideas going back to the original UNIX shell, the Borne Shell. While the Borne shell was revolutionary for its day, it is rather clunky by today's standards. Concepts like command line editing, command history and job control evolved later in other shells that sought to replace the original Borne shell such as the C shell and the Korn Shell. While these features greatly enhanced shell usability, they also came at the price of breaking compatibility with Borne shell syntax. When the GNU Project designed their shell they chose to implement these new ideas but still maintain compatibility with the original Borne shell. The called their shell the Borne Again Shell, or simply Bash.

The basic ideas for the shell differ little from the original, but command history, commandline editing, and features used in shell scripts are more idiosyncratic.

Running commands from the shellEdit

Commands at the shell take a basic form of:

COMMAND [-OPTIONS]... [ARG]...

(It is common convention to put variables in capitols and square brackets around optional elements. The ellipsis indicates the preceding can be repeated).

The COMMAND can be one of four things:

  • A Program - The shell will search your PATH environment variable for programs named COMMAND. Most programs are in /bin or /usr/bin. Documentation for commands are usually found in manual pages (Accessed with `man COMMAND')
  • A Shell Built-in - Built-in commands are commands processed directly by the shell such as cd, echo and alias. Documentation for built-ins can be found in the manual page for bash or with the help built-in: `help COMMAND'.
  • An alias - Aliases are processed before the command is run and are replaced by another command, possibly adding options or arguments.
  • A Function - Functions call a sequence of commands and are more often used in shell scripting than on a typical command line.

Example Built-in CommandsEdit

Some of the simplest commands are Built-ins. echo for example simply prints the arguments passed to it:

[jtk@athena ~]$ echo Hello, World!
Hello, World!

The pwd built-in prints the working directory; cd changes the working directory. (We'll define "working directory" later when we discuss filesystem basics).

[jtk@athena ~]$ pwd
/home/jtk
[jtk@athena ~]$ cd /usr/share/doc/bash-3.1/
[jtk@athena bash-3.1]$ pwd
/usr/share/doc/bash-3.1
[jtk@athena bash-3.1]$ cd
[jtk@athena ~]$ pwd
/home/jtk

The help built-in provides documentation on built-ins. Without arguments it gives a list of built-ins. With Arguments, help can provide details on a particular built-in command:

[jtk@athena ~]$ help
GNU bash, version 3.1.7(1)-release (i386-redhat-linux-gnu)
These shell commands are defined internally.  Type `help' to see this list.
Type `help name' to find out more about the function `name'.
Use `info bash' to find out more about the shell in general.
Use `man -k' or `info' to find out more about commands not in this list.

A star (*) next to a name means that the command is disabled.

 JOB_SPEC [&]                       (( expression ))
 . filename [arguments]             :
 [ arg... ]                         (( expression ))
 alias [-p] [name[=value] ... ]     bg [job_spec ...]
 bind [-lpvsPVS] [-m keymap] [-f fi break [n]
 builtin [shell-builtin [arg ...]]  caller [EXPR]
 case WORD in [PATTERN [| PATTERN]. cd [-L|-P] [dir]
 command [-pVv] command [arg ...]   compgen [-abcdefgjksuv] [-o option
 complete [-abcdefgjksuv] [-pr] [-o continue [n]
 declare [-afFirtx] [-p] [name[=val dirs [-clpv] [+N] [-N]
 disown [-h] [-ar] [jobspec ...]    echo [-neE] [arg ...]
 enable [-pnds] [-a] [-f filename]  eval [arg ...]
 exec [-cl] [-a name] file [redirec exit [n]
 export [-nf] [name[=value] ...] or false
 fc [-e ename] [-nlr] [first] [last fg [job_spec]
 for NAME [in WORDS ... ;] do COMMA for (( exp1; exp2; exp3 )); do COM
 function NAME { COMMANDS ; } or NA getopts optstring name [arg]
 hash [-lr] [-p pathname] [-dt] [na help [-s] [pattern ...]
 history [-c] [-d offset] [n] or hi if COMMANDS; then COMMANDS; [ elif
 jobs [-lnprs] [jobspec ...] or job kill [-s sigspec | -n signum | -si
 let arg [arg ...]                  local name[=value] ...
 logout                             popd [+N | -N] [-n]
 printf [-v var] format [arguments] pushd [dir | +N | -N] [-n]
 pwd [-LP]                          read [-ers] [-u fd] [-t timeout] [
 readonly [-af] [name[=value] ...]  return [n]
 select NAME [in WORDS ... ;] do CO set [--abefhkmnptuvxBCHP] [-o opti
 shift [n]                          shopt [-pqsu] [-o long-option] opt
 source filename [arguments]        suspend [-f]
 test [expr]                        time [-p] PIPELINE
 times                              trap [-lp] [arg signal_spec ...]
 true                               type [-afptP] name [name ...]
 typeset [-afFirtx] [-p] name[=valu ulimit [-SHacdfilmnpqstuvx] [limit
 umask [-p] [-S] [mode]             unalias [-a] name [name ...]
 unset [-f] [-v] [name ...]         until COMMANDS; do COMMANDS; done
 variables - Some variable names an wait [n]
 while COMMANDS; do COMMANDS; done  { COMMANDS ; }
[jtk@athena ~]$ help help
help: help [-s] [pattern ...]
     Display helpful information about builtin commands.  If PATTERN is
    specified, gives detailed help on all commands matching PATTERN,
    otherwise a list of the builtins is printed.  The -s option
    restricts the output for each builtin command matching PATTERN to
    a short usage synopsis.
[jtk@athena ~]$ help cd
cd: cd [-L|-P] [dir]
     Change the current directory to DIR.  The variable $HOME is the
    default DIR.  The variable CDPATH defines the search path for
    the directory containing DIR.  Alternative directory names in CDPATH
    are separated by a colon (:).  A null directory name is the same as
    the current directory, i.e. `.'.  If DIR begins with a slash (/),
    then CDPATH is not used.  If the directory is not found, and the
    shell option `cdable_vars' is set, then try the word as a variable
    name.  If that variable has a value, then cd to the value of that
    variable.  The -P option says to use the physical directory structure
    instead of following symbolic links; the -L option forces symbolic links

Example Program CommandsEdit

Most commands you'll use are programs. That is, they are a separate program run in a separate process from the bash shell. These programs can be found in a number of locations on the system. The directories searched are specified in the PATH environment variable, but more on that later. Most programs are found in either the /bin or /usr/bin directories and we'll focus on those for now.

If I want to get a listing of files in a directory I would use the ls command. The actual program that runs when you type "ls" is found at /bin/ls. If called without arguments, ls will give a listing of files in the current directory. An argument can be used to tell it which directory to list. Options can be used to tell it how to list the files:

[jtk@athena ~]$ ls
bin   Desktop   google-earth  svn
[jtk@athena ~]$ ls -l
drwxrwxr-x 2 jtk jtk      4096 Dec  1 12:32 bin
drwxr-xr-x 8 jtk jtk      4096 Jan 11 13:51 Desktop
drwxr-xr-x 9 jtk jtk      4096 Dec 17 22:21 google-earth
-rw-r--r-- 1 jtk jtk  16791707 Dec  5 16:43 livejournal.tar.bz2
drwxrwxr-x 2 jtk jtk      4096 Dec  8 13:23 svn
[jtk@athena ~]$ ls -lt
drwxrwxr-x 2 jtk jtk      4096 Dec  1 12:32 bin
-rw-r--r-- 1 jtk jtk  16791707 Dec  5 16:43 livejournal.tar.bz2
drwxrwxr-x 2 jtk jtk      4096 Dec  8 13:23 svn
drwxr-xr-x 9 jtk jtk      4096 Dec 17 22:21 google-earth
drwxr-xr-x 8 jtk jtk      4096 Jan 11 13:51 Desktop
[jtk@athena ~]$ ls /home/
db2inst1  jtk  lost+found
[jtk@athena ~]$ ls -l /home/
total 24
drwxr-xr-x  7 db2inst1 db2iadm1  4096 Jul 17  2006 db2inst1
drwx------ 11 jtk      jtk       4096 Feb  2 11:47 jtk
drwx------  2 root     root     16384 Apr 19  2006 lost+found

Notice the option string "-lt". The "l" specifies a "long" listing while the "t" specifies that the entries should be sorted by modification time. These are single character options and could have been specified separately as "-l -t", but they are usually grouped together like this.

It is customary to put options before arguments such as in the command "ls -l /home". With GNU utilities this is optional, but some utilities will complain if any options appear after the same argument. (There is no distinction between option and argument to the shell or the operating system. When the command is executed by the kernel, they are all arguments and it is up to the program to interpret them).

Example Running Command as Root UserEdit

If you are a user which is not root and you need to install or run a command which requires admin credentials then just do the following:

[jtk@athena ~]$ su root
Enter root password
Run the command you want (as root).

It's that's easy.

If you are a user and want to list the IP address of the machine you can use sudo command, for now lets imagine you are allowed to use sudo command

# sudo /sbin/ifconfig 

Similarly you can use sudo to run any superuser command



The X Window System

The X window system or X11 is most basic component of the graphical environment. You can find many implementations of X11 including servers for Max OSX and Windows (Please insert recommendations!). Most GNU/Linux distributions now use X.Org's implementation (which forked not too long ago from the XFree86 project).

Starting XEdit

Graphical Login and GDMEdit

Most functions of your users graphical experience is actually not handled by X, but rather by the Graphical login managers, such as the Gnome Display Manager(GDM). While other display managers exist, Red Hat and fedora based systems use the Gnome Display Manager as the login manager for their systems.

The X commandEdit

In comparison to Graphical Managers such as GDM, "X" contains extremely minimal functionality on its own, but each graphical display manager is actually built atop X, and thus X is important to understand in its own right.

The 'X' window system is:

  • a client-server application
  1. The client is the application using the X-window
  2. The server controls the keyboard and screen and takes signals from the application and responds with output to display on the screen
  • A protocol used by the application to connect to the server
    • the 'X' protocol, also known as X11

To start X, one has

The startx commandEdit

The X startup scriptsEdit

Remote X access with SSHEdit

/etc/ssh/ssh_configEdit

/etc/ssh/sshd_configEdit

VNCEdit

Starting a VNC ServerEdit

vncserver :1

Customizing your VNC X startupEdit

Securing your VNC connectionEdit

Further readingEdit



Archives And Compression

Compressing DataEdit

gzip and gunzipEdit

Under Construction

bzip2 and bunzip2Edit

Under Construction

tar - *NIX ArchivesEdit

Under Construction

Creating a tar archiveEdit

Under Construction

Inspecting a tar archiveEdit

Under Construction

Extracting a tar archiveEdit

Under Construction

cpio - Flexible Archiving ToolEdit

In general, tar is the preferred method for creating archives, but in some cases a particular archive format may be desired and cpio provides a greater degree of control over how the archive is generated at the cost of greater complexity.

Creating a cpio archiveEdit

To create a cpio archive, the -o option is provided (think 'o' for "The archive is being written out"). cpio expects a list of files to be provided to its standard input. The list of files is usually provided by piping results from the find command. The -H option can be used to specify the archive format, see the man page for more information.

[user@station user]$ find playground/
playground/
playground/AUTHORS
playground/ChangeLog
playground/COPYING
playground/foo.txt
playground/newfile
[user@station user]$ find playground/ | cpio -o >archive
1212 blocks
[user@station user]$ ls -l archive
-rw-rw-r--    1 user     user       620544 Jan  5 08:49 archive
[user@station user]$ file archive
archive: cpio archive

Listing contents of an archive with cpioEdit

To view the contents of an archive the -i option is provided to tell cpio to expect the archive data on its standard input. The -t option is also used then to tell cpio to not extract, but rather simply list the contents of the archive.

[user@station user]$ cpio -it <archive
playground/
playground/AUTHORS
playground/ChangeLog
playground/COPYING
playground/foo.txt
playground/newfile
1212 blocks

Extracting an archive with cpioEdit

The -i option is used with a combination of options to tell it how to extract. Common choices include -d to tell cpio to create directories as needed. -m to reset file modification times. -R to change file ownership.

[user@station user]$ cd /tmp
[user@station tmp]$ cpio -idm <archive
1212 blocks
[user@station tmp]$ find playground/
playground/
playground/AUTHORS
playground/ChangeLog
playground/COPYING
playground/foo.txt
playground/newfile

zip - PKZIP style archivesEdit

Creating a zip archiveEdit

[user@station user]$ zip -r playground.zip playground
  adding: playground/ (stored 0%)
  adding: playground/AUTHORS (deflated 63%)
  adding: playground/COPYING (deflated 62%)
  adding: playground/foo.txt (stored 0%)
  adding: playground/newfile (deflated 39%)
  adding: playground/ChangeLog (deflated 70%)
[user@station user]$ ls -l playground.zip
-rw-r--r--  1 user     user     71607 Jan 11 14:33 playground.zip

Listing contents of a zip archiveEdit

[user@station user]$ unzip -l playground.zip
Archive:  playground.zip
  Length     Date   Time    Name
 --------    ----   ----    ----
        0  01-11-05 14:33   playground/
     2110  01-11-05 14:32   playground/AUTHORS
    17992  01-11-05 14:33   playground/COPYING
       22  01-11-05 14:33   playground/foo.txt
       44  01-11-05 14:33   playground/newfile
   212169  01-11-05 14:32   playground/ChangeLog
 --------                   -------
   232337                   6 files

Unpacking a zip archiveEdit

[user@station user]$ rm -rf playground
[user@station user]$ unzip playground.zip
Archive:  playground.zip
   creating: playground/
  inflating: playground/AUTHORS
  inflating: playground/COPYING
 extracting: playground/foo.txt
  inflating: playground/newfile
  inflating: playground/ChangeLog

dump - Filesystem Level BackupEdit

Under Construction



Finding And Checking Files

Finding files with dangerous permissionsEdit

Files that are writable by "other"Edit

If we search just based on permission, we'll get false hits from things like symbolic links.

[user@station user]$ find . -perm +002 -ls
  4095    0 lrwxrwxrwx   1 user     user           22 Jan  4 08:30 ./rh033 -> rh033-RHEL3-1-20031103
 10209    0 lrwxrwxrwx   1 user     user           18 Jan  4 09:28 ./.mozilla/default/bgdnw5up.slt/lock -> 192.168.0.254:3311
 63259    1 -rw-rw-rw-   1 user     user            6 Jan  5 11:58 ./playground/real-problem

Instead look for files with other write enabled that are regular files.

[user@station user]$ find . -perm +002 -type f -ls
 63259    1 -rw-rw-rw-   1 user     user            6 Jan  5 11:58 ./playground/real-problem

Directories that are writable by "other"Edit

When searching for directories that are writeable by other, one should also consider whether the "sticky bit" is set for the directory. In octal, the sticky bit is represented as a 1 in the first position in four digit octal representation (ex: 1777). This is a common setting for temporary directories and is not normally considered a security risk.

World writable temporary directories:

[user@station user]$ find / -perm -1002 -type d -ls 2>/dev/null
   493    0 drwxrwxrwt   2 root     root           40 Jan  4 09:25 /dev/shm
     2    4 drwxrwxrwt  11 root     root         4096 Jan  5 11:42 /tmp
 58497    4 drwxrwxrwt   2 xfs      xfs          4096 Jan  4 09:26 /tmp/.font-unix
 29250    4 drwxrwxrwt   2 root     user         4096 Jan  4 09:27 /tmp/.X11-unix
 14625    4 drwxrwxrwt   2 user     user         4096 Jan  4 09:27 /tmp/.ICE-unix
 29252    4 drwxrwxrwt   2 user     user         4096 Jan  4 09:28 /tmp/.esd
665189    4 drwxrwxrwt   2 root     root         4096 Jan  3 07:51 /var/lib/texmf
 97345    4 drwxrwxrwt   2 root     root         4096 Jan  4 14:00 /var/tmp
178466    4 drwxrwxrwt   2 root     root         4096 Aug 11  2003 /var/spool/vbox
762533    4 drwxrwxrwt   2 root     root         4096 Sep 25  2003 /var/spool/samba

Finding the real problem directories:

[user@station user]$ find / -perm -002 -not -perm -1000 -type d -ls 2>/dev/null

 46931    1 drwxrwxrwx   2 user     user         1024 Jan  5 12:06 /home/kupferer/bad-permissions

SUID and SGID executablesEdit

SUID and SGID executables can present serious security concerns since they allow users to execute programs with permissions of another user. For this reason they should be closely monitored. SUID is represented as 4 in the first position and SGID, by a 2.

md5sumEdit

The md5sum command produces a checksum for a file that can be used later to check whether the file's contents have changed.

[user@station user]$ echo "some content" >a_file
[user@station user]$ md5sum a_file
eb9c2bf0eb63f3a7bc0ea37ef18aeba5  a_file
[user@station user]$ echo "Some content" >a_file
[user@station user]$ md5sum a_file
581ab2d89f05c294d4fe69c623bdef83  a_file

This is often used when downloading files from possibly untrustworthy mirrors. So long as a trusted checksum can be obtained, it can be used to verify that the data wasn't corrupted whether accidentally or maliciously. Often checksum files are distributed with downloads or kept on secure media to check systems for possible data corruption or intrusion. To create an MD5 checksum file, simply redirect the md5sum output to a file. md5sum -c can then be used to run the check later.

[user@station playground]$ for I in $(seq 1 6)
> do echo "Content for file-$I" >file-$I
> done
[user@station user]$ ls
file-1  file-2  file-3  file-4  file-5  file-6
[user@station playground]$ md5sum * >files.md5
[user@station playground]$ cat files.md5
37bca4ca3e0aa391ce8676a694940e66  file-1
ab831d920679cd711a85dc72360dbddc  file-2
371e1a1c44fac93d8ff0aa87ce623f19  file-3
8472ca817e850d90b2d747254f4ec6d2  file-4
d1c4512228268473f5a7f9e22c20a14c  file-5
1c64532d6ba6dd4125be760a1e7f66d3  file-6
[user@station playground]$ echo "different stuff" >file-3
[user@station playground]$ md5sum -c files.md5
file-1: OK
file-2: OK
file-3: FAILED
file-4: OK
file-5: OK
file-6: OK
md5sum: WARNING: 1 of 6 computed checksums did NOT match

Finding and Checking SUID and SGID executablesEdit

[root@station root]# find / -type f -perm +6000 -exec md5sum {} \; >suid.md5
[root@station root]# echo "blah" > /usr/local/bin/new-suid
[root@station root]# chmod 4755 /usr/local/bin/new-suid
[root@station root]# find / -type f -perm +6000 -exec md5sum {} \; >suid.md5.new
[root@station root]# diff suid.md5 suid.md5.new
45a46
> 0d599f0ec05c3bda8c3b8a68c32a1b47  /usr/local/bin/new-suid
[root@station root]# mv suid.md5.new suid.md5
mv: overwrite `suid.md5'? y
[root@station root]# echo "more" >> /usr/local/bin/new-suid
[root@station root]# find / -type f -perm +6000 -exec md5sum {} \; >suid.md5.new
[root@station root]# diff suid.md5 suid.md5.new
46c46
< 0d599f0ec05c3bda8c3b8a68c32a1b47  /usr/local/bin/new-suid
---
> 9faee5c03d3f99ba4b95be1fc78c847f  /usr/local/bin/new-suid



Bash Scripting

< Fedora And Red Hat System Administration

Further information: Bash Shell Scripting

BasicsEdit

Handling ArgumentsEdit

This program will display all arguments:

 for ARG; do
     echo "had arg: $ARG"
 done

Example FunctionsEdit

Launch Apps and Set NicenessEdit

 showdates () {
      cal
      date
      ddate
 }
 
 donice () {
     COMMAND=$1
     NICEVAL=$(grep "^$COMMAND" ~/.nice-settings | cut -d: -f2)
     if test -n "$NICEVAL"
     then
         nice -n "$NICEVAL" $*
     else
         nice $*
     fi
 }
 
 grpshare () {
     if [ $1 = '-g' ]; then
         SET_GROUP=$2
         shift; shift
     else
         SET_GROUP=users
     fi
 
     for FILE; do
         chgrp $SET_GROUP -R $FILE
         chmod g+rw -R $FILE
     done
 }

Example ScriptsEdit

Setting Environment VariableEdit

 #!/bin/bash
 
 for PROFILE in $(find /home/ -name .bash_profile)
 do
     if egrep -q '^(export[[:space:]]+)?EDITOR' $PROFILE
     then
        # User already set an editor, override that
        sed -i.orig -r 's/^(export[[:space:]]+)?EDITOR=.*/export EDITOR=nano/' $PROFILE
     else
         # No previous editor was set
         echo "export EDITOR=/usr/bin/nano" >>$PROFILE
     fi
 done

Setting AliasesEdit

 #!/bin/bash
 
 for BASHRC in $(find /home/ -name .bashrc)
 do
     for ALIAS in "alias rm='rm -i'" "alias cp='cp -i'" "alias mv='mv -i'"
     do
         ALIAS_CMD=$(echo $ALIAS | cut -d= -f1)
         if ! egrep -q "^$ALIAS_CMD" $BASHRC
         then
             echo $ALIAS >>$BASHRC
         fi
     done
 done

Checking MD5s for SUID and SGID ExecutablesEdit

 #!/bin/bash
 # /root/bin or /usr/local/bin would be a good place for this script
 # Probably need to run this as root, otherwise many errors will show up about
 # permission problems with reading these files.
 NOTIFY_EMAIL=user@station.example.com
 
 # Assume (for now) that we already have a /etc/suid.md5 to compare new file to
 find / -type f -perm +6000 -exec md5sum {} \; >/etc/suid.md5.new
 
 if diff /etc/suid.md5 /etc/suid.md5.new &>/tmp/suid-check-diff.out
 then
     echo "No SUIDs have changed"
 else
     if [ "$1" = "interactive" ]
     then
         cat /tmp/suid-check-diff.out
         echo "Check FAILED!  SUID executable(s) have changed!"
         read -p "Is this okay? (yes/no) " RESPONSE
         if [ "$RESPONSE" = "yes" ]
         then
             mv /etc/suid.md5.new /etc/suid.md5
         fi
     else
         echo "Check FAILED!  SUID executable(s) have changed!" | mail -s "SUID Change" $NOTIFY_EMAIL
     fi
 fi

Checking URLs for New ContentEdit

 #!/bin/bash
 
 URL_FILE=$HOME/.content-check-urls
 URL_DIR=$HOME/.content-check
 
 if ! [ -d $URL_DIR ]; then
     mkdir $URL_DIR
 fi
 
 if ! [ -f $URL_FILE ]; then
     echo "new-content-check: $URL_FILE not found"
     exit 1
 fi
 
 for URL in $(cat $URL_FILE); do
     MD5_FILE=$URL_DIR/$(echo $URL | md5sum | cut -d' ' -f1)
 
     if [ -f $MD5_FILE ]; then
         # Looks like we´ve got an old version of this data, gotta check it
         links -dump "$URL" | md5sum > $MD5_FILE.new
         if ! diff $MD5_FILE $MD5_FILE.new &>/dev/null; then
             echo "New content at $URL"
             mv -f $MD5_FILE.new $MD5_FILE
         else
             rm $MD5_FILE.new
         fi
     else
         # No old version, just store the new sum
         links -dump "$URL" | md5sum > $MD5_FILE
     fi
 done

Connecting via ssh using keysEdit

 #!/bin/bash
 SUCCESS=0
 WRONG_ARGS=65
 if [ $# -ne 2 ]
 then
  echo "Uso: `basename $0` user host"
  echo "Es : `basename $0` myuser host.example.com"
  exit $WRONG_ARGS
 fi
 if [ ! -e "$HOME/.ssh/id_rsa.pub" ];
 then
 echo "missing rsa key:"
 echo "run \"ssh-keygen -t rsa -b 2048\" and try again"
 exit $WRONG_ARGS
 else
 echo rsa public key found
 fi
 #Creating check file
 echo    "#!/bin/bash">check.key.sh
 echo    "if test -n \"\`ls .*|grep ssh\`\"">>check.key.sh
 echo    " then">>check.key.sh
 echo    " if test -n \"\`grep \"`cat $HOME/.ssh/id_rsa.pub|cut -d " " -f2`\" .ssh/authorized_keys2\`\"">>check.key.sh
 echo    "   then">>check.key.sh
 echo    "   echo public key found">>check.key.sh
 echo    "  else">>check.key.sh
 echo    "   echo missing public key:">>check.key.sh
 echo    "   echo putting public key on remote keyring">>check.key.sh
 echo    "   cat id_rsa.pub >>.ssh/authorized_keys2">>check.key.sh
 echo    "  fi">>check.key.sh
 echo    "else">>check.key.sh
 echo    "echo missind directory .ssh: creating ...">>check.key.sh
 echo    " mkdir -p .ssh">>check.key.sh
 echo    " echo creating remote keyring and copying public key ...">>check.key.sh
 echo    " cp id_rsa.pub .ssh/authorized_keys2">>check.key.sh
 echo    "fi">>check.key.sh
 echo    " echo setting keyring permissions ...">>check.key.sh
 echo    " chmod 600 .ssh/authorized_keys2">>check.key.sh
 echo    " echo setting directory permissions">>check.key.sh
 echo    " chmod 700 .ssh">>check.key.sh
 echo    "echo check key finished">>check.key.sh
 echo    "echo \"Please run the following to access the host again\"">>check.key.sh
 echo    "echo ssh $1@$2">>check.key.sh
 echo    "echo deleting check files ...">>check.key.sh
 echo    "rm id_rsa.pub">>check.key.sh
 echo    "rm check.key.sh">>check.key.sh
 chmod +x check.key.sh
 scp -p ~/.ssh/id_rsa.pub check.key.sh $1@$2:
 rm check.key.sh 
 ssh $1@$2 ./check.key.sh
 ssh $1@$2



Awk Scripting

Awk - A Data Driven Programming LanguageEdit

Under Construction

Using Awk at the Command LineEdit

Under Construction

Awk ScriptsEdit

Parsing User Information from passwd dataEdit

/usr/local/bin/bash-users.awk

#!/bin/awk -f
BEGIN {
    FS = ":"
    USER_COUNT = 0
}

/:\/bin\/bash$/ {
    ++USER_COUNT
    print $1
}

END {
    print USER_COUNT " bash users."
}

Usage:

[user@station user]$ getent passwd | bin/bash-users.awk
root
jkupferer
mesa
user
4 bash users.



Users, Groups and Authentication

UNIX users and group basicsEdit

Managing users and groupsEdit

Managing file permissionsEdit

Creating groups sharesEdit

Remote user accounts with NISEdit

Remote user accounts with LDAPEdit




Filesystem Mangement

Partition ManagementEdit

A partition is a place on disk which contains

at the fdisk prompt: n - create a new partition e - create an extended partition p - will print the table

Block DevicesEdit

Overview of PartitionsEdit

Using Radified's [1] analogy, a partition is like

Creating a partitionEdit

Using the fdisk utilityEdit

"fdisk -l" ---> listed fdisk -l

the Mkfs CommandEdit

mkfs, then hit the tab key twice gives you a list mkfs -t * which equals mkfs.*

so mkfs.reiserfs equals mkfs -t reiserfs

VFAT filesystem - tends to be used for usb mkfs -b ----> mkfs -t every partition has

4k is what you want -> optimized for speed rat mkfs -f [fragment size] fdisk -> enters the interactive prompt w - write n - new m - manual +100m - creates a partition q - quit the command "q" will quit fdisk. if you exit with "q" rather than "w"

1000 bytes is kb 1024 bytes is a kib "kibibytes"

running the command "cat /proc/partitions" looking at the file /proc/partitions will tell you what block devices the kernel knows about partprobe - speaks to a higher level of the kernel

it is a good idea to check with "partprobe" if the kernel agrees with our partitions

Sysfs filesystem vs. Proc filesystemEdit

InodesEdit

Metadata is stored in the inode

we have goto our filesystem formatted

ctime - when was the inode created mtime - when was the inode last modified

ext2 had to make sure it assigns them to the correct filesystem - tune2fs -l /dev/xvda1

dumpe2fs /dev/xvda1 holding

= Mounting the file systemEdit

if something is to show up on the desktop, then it will show up as mnt

if we "touch /home/share/unmounted"

the command to mount the

every directory has an inode for the current directory ( in the . entry)

dump e2fs will tell us if

FilesystemsEdit

ext2 and ext3Edit

ext3 is the ext2 filesystem with journaling added. Journaling keeps track of what will be written to the disk prior to the write operation beginning. When the write is done, it is noted in the journal. If the system crashes during a write, it can recover the operation when it comes back up. This prevents incomplete writes from occurring on the disk and eliminates the need to do a filesystem check after a system crash.

jfsEdit

JFS is a high a performance filesystem made by IBM and ported to Linux in 2001. It uses B+ trees,extents, and a journal to guarantee the consistency of the file system in the event of a crash.

reiserfsEdit

Labeling Filesystems and Block DevicesEdit

Mounting FilesystemsEdit

The mount CommandEdit

/etc/fstabEdit

AutoFS - AutomountingEdit

AutoFS allows the system to automatically mount devices and network shares as they are requested and even unmount them again when no longer in use. The main configuration for the automounter is /etc/auto.master. Initially, this file will only contain comments, including examples for a /etc/auto.misc and /etc/auto.net.

BasicsEdit

Automounting Home DirectoriesEdit

AutoFS ScriptsEdit

The /net ExampleEdit



Working with repositories

Repositories of extra softwareEdit

Fedora Core only includes a core set of packages. For downloading and installing programs or codecs not distributed with Core, there are several repositories available. Packages are generally compatible between third-party repositories, though this has not always been the case.[1] There are also occasional overlaps or packaging errors that cause one package to negatively affect packages distributed from different repositories.

Official repositoriesEdit

Fedora Core, Fedora Extras and Fedora Legacy are official repositories in this project. Fedora Core is maintained by Red Hat. Fedora Extras is maintained by a group of volunteers and affiliated with the official Fedora Project. Fedora Extras is currently included in the base distribution as a default repository and no extra configuration is required to enable it. Fedora Legacy repository is also included in Fedora Core 5 and above versions but it is not enabled by default.

Unofficial repositoriesEdit

These repositories are designed to be compatible with Fedora Core although they may not be compatible with each other. Some of the repositories have discontinued active support for earlier versions of Fedora Core but keep the repositories around for the convenience of users with previous versions.

  • Livna, a third-party repository maintained by a group of packagers, supporting Fedora Core 5 through 14 (as of June 2010). Since it merged in 2008 with two other package repositories into RPM Fusion, it contains just the libdvdcss-1.2.10-1 package.
(Must use with Extras. Not compatible with RPMForge repositories.)[2][3]
  • RPMforge, containing the packages of Matthias Saou, Dag Wieers and Dries that were previously available in three different repositories, supporting Fedora Core 1 through 5.[4] RPMforge is compatible with Fedora Extras, similar to Livna.[5]
    • FreshRPMS, maintained by Matthias Saou, supporting Fedora Core 1 through 6
    • Dag, maintained by Dag Wieers, supporting Fedora Core 1 through 3
    • Dries, maintained by Dries Verachtert, supporting Fedora Core 1 through 6
    • PlanetCCRMA, maintained by Fernando Lopez-Lezcano, supporting Fedora Core 1 through 5
  • kde-redhat, Excellent source for KDE support in Fedora Core maintained by a group of packagers that support Fedora Core. Has updated KDE desktop RPMS, general KDE applications such as Bluetooth support.
  • The Grey Sector, containing mostly MPlayer related packages and binary packaged codecs (which have some legal issues). The repository is maintained by the MPlayer developer.
  • fedora-xgl, containing packages required to enable Xgl on Fedora.
  • dribble, containing packages with a focus on fun software (multimedia, games, emulators). It is recommended that this repository be used with Livna.
  • ATrpms, maintained by Axel Thimm and supporting Fedora Core 1 through 6.
  • Updates base packages ahead of Core. Some administrators consider it a bad idea to update base packages outside of their official channel.
  • ATrpms is also used extensively by Fedora Myth(TV)ology - a popular how-to resource for installing MythTV on Fedora Core, maintained by Jarod Wilson.

Legal statusEdit

Fedora Core, Fedora Extras and Fedora Legacy projects follow the same packaging guidelines in the Fedora project, and they all only maintain packages that are Free, open source software and legally distributable anywhere in the world. Other repositories may have different policies. For example, the Livna project maintains packages that may have legal issues within the United States or can be downloaded only by the end user.

Some repositories also maintain "source-only" packages that require the user to download pre-built binaries that may not be available to the public. The package script then unpacks and repacks the binaries in a format more suitable for deployment on RPM-based systems.

Software update utilitiesEdit

The main tool to install software from repositories is the command yum. A graphical tool called pirut (available in the upper menu bar with the name "Package Manager") is, together with the update program pup ("Package Update"), part of the standard installation since Fedora Core 5. Since FC6, a new mechanism for updates was added, based on a daemon called yum-updatesd that scans the repositories, and a notification applet called puplet that notifies the user about the new updates.

In addition to these standard tools, two graphical alternatives - Yumex [9] and Synaptic - are also available, in Extras. There is also Kyum, which provides a graphical frontend for KDE users.

By default, Fedora Core downloads software (including updates) from a randomly-selected mirror. It is possible to install directly from the Fedora Core CDs or DVD, but this requires changes to yum's configuration files (See off-line repositories below). Altering the configuration in this way is also useful when setting up a local mirror (for example on a company intranet), so that downloads can be obtained from there without having to access a mirror on the Internet.

Up until Fedora Core 4, maintainers of some of the extra repositories advocated the use of apt-rpm for update management - being written in C, it uses fewer CPU cycles and is therefore suitable for older computers with slower processors. For Fedora Core 5, a new version of apt is included in Extras which is capable of using native yum metadata and is multi-lib capable. [6]

Another useful tool to work with repositories is Fedora Helper [10]. It installs and configures the "missing codecs" - MP3 support, for example. It uses the rpm.livna.org repository. Another tool that helps when using different repositories together is Fedora Frog.[11]

Off-line repositoriesEdit

If a machine needs to be updated that is not connected to the network, a repository can be created and updated from there. To create such a portable repository do [7]:

  • make the directories ./yum, ./yum/base and ./yum/updates. (if you want your local apache to serve as repository of your intranet, do it inside /var/www/html)
  • copy all RPMs of your distribution inside ./base
  • create the headers of the packets with the command createrepo ./base (use /var/www/html/yum/base if you did set it for Apache)
  • download the updates. To do that, look for a real mirror (there is a list of them here [8]) and rsync with it to pick up changes (they will be stored in the ./updates repository). To rsync use the command rsync -avrt rsync://repository --exclude=debug/ /your-path/yum/updates

To use the off-line repository from a computer you only have to include in the /etc/yum/repos.d directory an entry (a *.repo file like the others already in /etc/yum/repos.d) specifying the path to the repository. You can use ftp, http or a mounted filesystem. In the latter case the repository path should start with "file://".

ReferencesEdit

  1. FreshRPMs mailing list: (non-)compatibility of repositories
  2. Livna's maintainers have a policy to not work together with other 3rd party repositories or at least they had this policy when Fedora Extras was Fedora.us
  3. Matthias Saou explains the compatibility issues between FreshRPMs and Livna
  4. FreshRPMS, PlanetCCRMA, Dries and DAG (RPMforge.net) build their packages together from the same sources. This ensures much greater cooperation and compatibility and will eventually lead to a merger.
  5. "RPMforge: Frequently Asked Questions". http://rpmforge.net/user/faq/#compatibility-and-mixing. Retrieved 2006-07-28.