
Note

Any configuration changes made using the echo command disappear when the system is restarted. To make configuration changes take effect after the system is rebooted, refer to Section 4, “Using the sysctl Command”.

The /proc/sys/ directory contains several subdirectories controlling different aspects of a running kernel.

3.9.1. /proc/sys/dev/

This directory provides parameters for particular devices on the system. Most systems have at least two directories, cdrom/ and raid/. Customized kernels can have other directories, such as parport/, which provides the ability to share one parallel port between multiple device drivers.

The cdrom/ directory contains a file called info, which reveals a number of important CD-ROM parameters:

    CD-ROM information, Id: cdrom.c 3.20 2003/12/17

    drive name:             hdc
    drive speed:            48
    drive # of slots:       1
    Can close tray:         1
    Can open tray:          1
    Can lock tray:          1
    Can change speed:       1
    Can select disk:        0
    Can read multisession:  1
    Can read MCN:           1
    Reports media changed:  1
    Can play audio:         1
    Can write CD-R:         0
    Can write CD-RW:        0
    Can read DVD:           0
    Can write DVD-R:        0
    Can write DVD-RAM:      0
    Can read MRW:           0
    Can write MRW:          0
    Can write RAM:          0

This file can be quickly scanned to discover the qualities of an unknown CD-ROM. If multiple CD-ROMs are available on a system, each device is given its own column of information.

Various files in /proc/sys/dev/cdrom, such as autoclose and checkmedia, can be used to control the system's CD-ROM. Use the echo command to enable or disable these features.

Chapter 5. The proc File System


Summary of Contents for ENTERPRISE LINUX 4.5.0 -

Page 1: ...Red Hat Enterprise Linux 4 5 0 4 5 0 Reference Guide ISBN N A Publication date ...

Page 2: ...Red Hat Enterprise Linux 4 5 0 ...

Page 3: ...tribution of the work or derivative of the work in any standard paper book form for commercial purposes is prohibited unless prior permission is obtained from the copyright holder Red Hat and the Red Hat Shadow Man logo are registered trademarks of Red Hat Inc in the United States and other countries All other trademarks referenced herein are the property of their respective owners The GPG fingerp...

Page 4: ...Red Hat Enterprise Linux 4 5 0 ...

Page 5: ...Runlevels 9 4 2 Runlevel Utilities 10 5 Shutting Down 11 2 The GRUB Boot Loader 13 1 Boot Loaders and System Architecture 13 2 GRUB 13 2 1 GRUB and the x86 Boot Process 13 2 2 Features of GRUB 14 3 Installing GRUB 15 4 GRUB Terminology 15 4 1 Device Names 16 4 2 File Names and Blocklists 17 4 3 The Root File System and GRUB 17 5 GRUB Interfaces 18 5 1 Interfaces Load Order 19 6 GRUB Commands 19 7 ...

Page 6: ...sysconfig iptables config 39 1 19 etc sysconfig irda 39 1 20 etc sysconfig keyboard 40 1 21 etc sysconfig kudzu 40 1 22 etc sysconfig mouse 40 1 23 etc sysconfig named 41 1 24 etc sysconfig netdump 42 1 25 etc sysconfig network 42 1 26 etc sysconfig ntpd 42 1 27 etc sysconfig pcmcia 43 1 28 etc sysconfig radvd 43 1 29 etc sysconfig rawdevices 43 1 30 etc sysconfig samba 43 1 31 etc sysconfig selin...

Page 7: ... 55 2 13 proc ioports 56 2 14 proc kcore 56 2 15 proc kmsg 57 2 16 proc loadavg 57 2 17 proc locks 57 2 18 proc mdstat 57 2 19 proc meminfo 58 2 20 proc misc 60 2 21 proc modules 60 2 22 proc mounts 60 2 23 proc mtrr 61 2 24 proc partitions 61 2 25 proc pci 62 2 26 proc slabinfo 62 2 27 proc stat 64 2 28 proc swaps 64 2 29 proc sysrq trigger 65 2 30 proc uptime 65 2 31 proc version 65 3 Directorie...

Page 8: ...iguration Files 101 3 1 xorg conf 102 4 Fonts 108 4 1 Fontconfig 109 4 2 Core X Font System 110 5 Runlevels and X 112 5 1 Runlevel 3 112 5 2 Runlevel 5 113 6 Additional Resources 114 6 1 Installed Documentation 114 6 2 Useful Websites 114 6 3 Related Books 115 II Network Services Reference 117 8 Network Interfaces 119 1 Network Configuration Files 119 2 Interface Configuration Files 120 2 1 Ethern...

Page 9: ... 2 Packaging Changes in Apache HTTP Server 2 0 148 1 3 File System Changes in Apache HTTP Server 2 0 148 2 Migrating Apache HTTP Server 1 3 Configuration Files 149 2 1 Global Environment Configuration 150 2 2 Main Server Configuration 153 2 3 Virtual Host Configuration 155 2 4 Modules and Apache HTTP Server 2 0 155 3 After Installation 161 4 Starting and Stopping httpd 162 5 Configuration Directiv...

Page 10: ...el 173 5 37 LogFormat 173 5 38 CustomLog 174 5 39 ServerSignature 174 5 40 Alias 174 5 41 ScriptAlias 174 5 42 Redirect 174 5 43 IndexOptions 175 5 44 AddIconByEncoding 175 5 45 AddIconByType 175 5 46 AddIcon 175 5 47 DefaultIcon 176 5 48 AddDescription 176 5 49 ReadmeName 176 5 50 HeaderName 176 5 51 IndexIgnore 176 5 52 AddEncoding 176 5 53 AddLanguage 176 5 54 LanguagePriority 176 5 55 AddType ...

Page 11: ...port Agents 189 3 1 Sendmail 189 3 2 Postfix 194 3 3 Fetchmail 196 4 Mail Delivery Agents 200 4 1 Procmail Configuration 201 4 2 Procmail Recipes 202 5 Mail User Agents 207 5 1 Securing Communication 208 6 Additional Resources 210 6 1 Installed Documentation 210 6 2 Useful Websites 211 6 3 Related Books 211 12 Berkeley Internet Name Domain BIND 213 1 Introduction to DNS 213 1 1 Nameserver Zones 21...

Page 12: ...tc openldap schema Directory 241 6 OpenLDAP Setup Overview 242 6 1 Editing etc openldap slapd conf 242 7 Configuring a System to Authenticate Using OpenLDAP 244 7 1 PAM and LDAP 245 7 2 Migrating Old Authentication Information to LDAP Format 245 8 Migrating Directories from Earlier Releases 246 9 Additional Resources 246 9 1 Installed Documentation 246 9 2 Useful Websites 247 9 3 Related Books 248...

Page 13: ...okup 270 8 6 pdbedit 270 8 7 rpcclient 271 8 8 smbcacls 271 8 9 smbclient 271 8 10 smbcontrol 271 8 11 smbgroupedit 272 8 12 smbmount 272 8 13 smbpasswd 272 8 14 smbspool 272 8 15 smbstatus 272 8 16 smbtar 272 8 17 testparm 273 8 18 testprns 274 8 19 wbinfo 274 9 Additional Resources 274 9 1 Installed Documentation 274 9 2 Red Hat Documentation 274 9 3 Related Books 274 9 4 Useful Websites 275 15 ...

Page 14: ...AM Modules 303 6 PAM and Administrative Credential Caching 304 6 1 Removing the Timestamp File 304 6 2 Common pam_timestamp Directives 304 7 PAM and Device Ownership 305 7 1 Device Ownership 305 7 2 Application Access 306 8 Additional Resources 306 8 1 Installed Documentation 306 8 2 Useful Websites 307 17 TCP Wrappers and xinetd 309 1 TCP Wrappers 309 1 1 Advantages of TCP Wrappers 310 2 TCP Wrap...

Page 15: ... 343 1 2 Disadvantages of Kerberos 343 2 Kerberos Terminology 344 3 How Kerberos Works 346 4 Kerberos and PAM 347 5 Configuring a Kerberos 5 Server 348 6 Configuring a Kerberos 5 Client 350 7 Additional Resources 351 7 1 Installed Documentation 351 7 2 Useful Websites 352 20 SSH Protocol 355 1 Features of SSH 355 1 1 Why Use SSH 355 2 SSH Protocol Versions 356 3 Event Sequence of an SSH Connection...

Page 16: ...3 Useful Websites 369 IV Appendixes 371 A General Parameters and Modules 373 1 Kernel Module Utilities 373 2 Persistent Module Loading 376 3 Specifying Module Parameters 376 4 Storage parameters 377 5 Ethernet Parameters 383 5 1 Using Multiple Ethernet Cards 390 5 2 The Channel Bonding Module 390 6 Additional Resources 394 6 1 Installed Documentation 394 6 2 Useful Websites 394 Index 395 Red Hat E...

Page 17: ...the changes include A New Samba Chapter The new Samba chapter explains various Samba daemons and configuration options Special thanks to John Terpstra for his hard work in helping to complete this chapter A New SELinux Chapter The new SELinux chapter explains various SELinux files and configuration options Special thanks to Karsten Wade for his hard work in helping to complete this chapter An Upda...

Page 18: ...user has never used any Linux or Linux like operating system before or has had only limited exposure to Linux They may or may not have experience using other operating systems such as Windows Is this you If so skip ahead to Section 2 1 Documentation For First Time Linux Users Some Linux Experience This type of user has installed and successfully used Linux but not Red Hat Enterprise Linux before o...

Page 19: ...find the specific command you need to accomplish a task You only need to know the general way in which Linux functions what you need to accomplish and how to access the tool that gives you the exact instructions you need to execute the command The Red Hat Enterprise Linux Installation Guide and the Red Hat Enterprise Linux Step By Step Guide are excellent references for helping you get a Red Hat E...

Page 20: ...ady have a basic grasp of the most frequently used commands You may have installed your own Linux system and maybe you have even downloaded and built software you found on the Internet After installing Linux however configuration issues can be very confusing The Red Hat Enterprise Linux System Administration Guide is designed to help explain the various ways a Red Hat Enterprise Linux system can b...

Page 21: ...words in this manual are represented in different fonts styles and weights This highlighting indicates that the word is part of a specific category The categories include the following Courier font Courier font represents commands file names and paths and prompts When shown as below it indicates computer output Desktop about html logs paulwesterberg png Mail backupfiles mail reports bold Courier f...

Page 22: ...reboot Caution A caution indicates an act that would violate your support agreement such as recompiling the kernel Warning A warning indicates potential data loss as may happen when tuning hardware for maximum performance 4 More to Come The Red Hat Enterprise Linux Reference Guide is part of Red Hat s commitment to provide useful and timely support to Red Hat Enterprise Linux users Future editions...

Page 23: ... com bugzilla against the component rhel rg Be sure to mention the manual s identifier rhel rg If you mention the manual s identifier we know exactly which version of the guide you have If you have a suggestion for improving the documentation try to be as specific as possible when describing it If you have found an error please include the section number and some of the surrounding text so we can ...

Page 24: ...xxiv ...

Page 25: ...nts and how they fit together This part outlines many important aspects of the system It covers the boot process the basic file system layout the location of crucial system files and file systems and the basic concepts behind users and groups Additionally the X Window System is explained in detail ...

Page 26: ......

Page 27: ...dules and mounts the root partition read only 4 The kernel transfers control of the boot process to the sbin init program 5 The sbin init program loads all services and user space tools and mounts all partitions listed in etc fstab 6 The user is presented with a login screen for the freshly booted Linux system Because configuration of the boot process is more common than the customization of the s...

Page 28: ...e Boot Loader This section looks at the default boot loader for the x86 platform GRUB Depending on the system s architecture the boot process may differ slightly Refer to Section 2 2 1 Boot Loaders for Other Architectures for a brief overview of non x86 boot loaders For more information about configuring and using GRUB see Chapter 2 The GRUB Boot Loader A boot loader for the x86 platform is broken...

Page 29: ...appropriate initramfs images into memory Next the kernel decompresses these images from memory to boot a RAM based virtual file system via cpio The initramfs is used by the kernel to load drivers and modules necessary to boot the system This is particularly important if SCSI hard drives are present or if the systems use the ext3 file system Once the kernel and the initramfs image s are loaded into...

Page 30: ...nvironment path starts swap checks the file systems and executes all other steps required for system initialization For example most systems use a clock so rc sysinit reads the etc sysconfig clock configuration file to initialize the hardware clock Another example is if there are special serial port processes which must be initialized rc sysinit executes the etc rc serial file The init command the...

Page 31: ...bgpd init d bgpd S16ospf6d init d ospf6d S16ospfd init d ospfd S16ripd init d ripd S16ripngd init d ripngd S20random init d random S24pcmcia init d pcmcia S25netfs init d netfs S26apmd init d apmd S27ypbind init d ypbind S28autofs init d autofs S40smartd init d smartd S44acpid init d acpid S54hpoj init d hpoj S55cups init d cups S55sshd init d sshd S56rawdevices init d rawdevices S56xinetd init d ...

Page 32: ... an sbin mingetty process for each virtual console login prompt allocated to the runlevel Runlevels 2 through 5 have all six virtual consoles while runlevel 1 single user mode has one and runlevels 0 and 6 have none The sbin mingetty process opens communication pathways to tty devices2 sets their modes prints the login prompt accepts the user s username and password and initiates the login process...

Page 33: ...s The idea behind SysV init runlevels revolves around the idea that different systems can be used in different ways For example a server runs more efficiently without the drag on system resources created by the X Window System Or there may be times when a system administrator may need to operate the system at a lower runlevel to perform diagnostic tasks like fixing disk corruption in runlevel 1 Th...

Page 34: ...tem Administration Guide It is possible to change the default runlevel at boot time by modifying the arguments passed by the boot loader to the kernel For information on changing the runlevel at boot time refer to Section 8 Changing Runlevels at Boot Time 4 2 Runlevel Utilities One of the best ways to configure runlevels is to use an initscript utility These tools are designed to simplify the task...

Page 35: ...r now After shutting everything down the h option halts the machine and the r option reboots PAM console users can use the reboot and halt commands to shut down the system while in runlevels 1 through 5 For more information about PAM console users refer to Section 7 PAM and Device Ownership If the computer does not power itself down be careful not to turn off the computer until a message appears i...

Page 36: ...12 ...

Page 37: ...64 GRUB IBM eServer iSeries OS 400 IBM eServer pSeries YABOOT IBM S 390 z IPL IBM eServer zSeries z IPL Intel Itanium ELILO x86 GRUB Table 2 1 Boot Loaders by Architecture This chapter discusses commands and configuration options for the GRUB boot loader included with Red Hat Enterprise Linux for the x86 architecture 2 GRUB The GNU GRand Unified Boot loader GRUB is a program which enables the sele...

Page 38: ...use the boot loader loads the operating system directly There is no intermediary between the boot loader and the kernel The boot process used by other operating systems may differ For example the Microsoft Windows operating system as well as other operating systems are loaded using chain loading Under this method the MBR points to the first sector of the partition holding the operating system wher...

Page 39: ...tion 3 Installing GRUB 3 Installing GRUB If GRUB was not installed during the installation process it can be installed afterward Once installed it automatically becomes the default boot loader Before installing GRUB make sure to use the latest GRUB package available or use the GRUB package from the installation CD ROMs For instructions on installing packages refer to the chapter titled Package Man...

Page 40: ...RUB the b in hdb is analogous to the 1 in hd1 and so on The partition number specifies the number of a partition on a device Like the bios device number most types of partitions are numbered starting at 0 However BSD partitions are specified using letters with a corresponding to 0 b corresponding to 1 and so on Tip The numbering system for devices under GRUB always begins with 0 not 1 Failing to m...

Page 41: ...rtition To load such files provide a blocklist that specifies block by block where the file is located in the partition Since a file is often comprised of several different sets of blocks blocklists use a special syntax Each block containing the file is specified by an offset number of blocks followed by the number of blocks from that offset point Block offsets are listed sequentially in a comma d...

Page 42: ...nel or another operating system The interfaces are as follows Note The following GRUB interfaces can only be accessed by pressing any key within the three seconds of the GRUB menu bypass screen Menu Interface This is the default interface shown when GRUB is configured by the installation program A menu of operating systems or preconfigured kernels are displayed as a list ordered by name Use the ar...

Page 43: ...der When GRUB loads its second stage boot loader it first searches for its configuration file Once found the menu interface bypass screen is displayed If a key is pressed within three seconds GRUB builds a menu list and displays the menu interface If no key is pressed the default kernel entry in the GRUB menu is used If the configuration file cannot be found or if the configuration file is unreada...

Page 44: ...nfig file Installs GRUB to the system MBR stage 1 Signifies a device partition and file where the first boot loader image can be found such as hd0 0 grub stage1 install disk Specifies the disk where the stage 1 boot loader should be installed such as hd0 stage 2 Passes the stage 2 boot loader location to the stage 1 boot loader such as hd0 0 grub stage2 p config file This option tells the install ...

Page 45: ... boot in GRUB s menu interface essentially allows the user to select a pre set group of commands to execute The commands given in Section 6 GRUB Commands can be used as well as some special commands that are only available in the configuration file 7 1 Configuration File Structure The GRUB menu interface configuration file is boot grub grub conf The commands to set the global preferences for the m...

Page 46: ... use the blocklist notation 1 color normal color selected color Allows specific colors to be used in the menu where two colors are configured as the foreground and background Use simple color names such as red black For example color red black green blue default integer Replace integer with the default entry title number to be loaded if the menu interface times out fallback integer Replace integer...

Page 47: ...out integer Specifies the interval in seconds that GRUB waits before loading the entry designated in the default command splashimage path to image Specifies the location of the splash screen image to be used when GRUB boots title group title Specifies a title to be used with a particular group of commands used to load a kernel or operating system To add human readable comments to the menu configur...

Page 48: ...ww gnu org software grub http www gnu org software grub The home page of the GNU GRUB project This site contains information concerning the state of GRUB development and an FAQ http www redhat com mirrors LDP HOWTO mini Multiboot with GRUB html Investigates various uses for GRUB including booting operating systems other than Linux http www linuxgazette com issue64 kohli html An introductory articl...

Page 49: ...el of access each user has to that file The top level of this organization is crucial Access to the underlying directories can be restricted or security problems could manifest themselves if from the top level down it does not adhere to a rigid structure 2 Overview of File System Hierarchy Standard FHS Red Hat Enterprise Linux uses the Filesystem Hierarchy Standard FHS file system structure which ...

Page 50: ...were once located in etc should be placed into sbin or bin The X11 and skel directories are subdirectories of the etc directory etc X11 skel The etc X11 directory is for X Window System configuration files such as xorg conf The etc skel directory is for skeleton user files which are used to populate a home directory when a user is first created 2 1 4 The lib Directory The lib directory should cont...

Page 51: ... sample package may have different tools that each go in their own sub directories such as opt sample tool1 and opt sample tool2 each of which can have their own bin man and other similar directories 2 1 8 The proc Directory The proc directory contains special files that either extract information from or send information to the kernel Due to the great variety of data available within proc and the...

Page 52: ...ed refer to the sbin hotplug and sbin udev man pages 2 1 12 The usr Directory The usr directory is for files that can be shared across multiple machines The usr directory is often on its own partition and is mounted read only At a minimum the following directories should be subdirectories of usr usr bin etc games include kerberos lib libexec local sbin share src tmp var tmp X11R6 Under the usr dir...

Page 53: ...e usr directory is mounted as a read only NFS share from a remote host it is still possible to install a package or program under the usr local directory 2 1 14 The var Directory Since the FHS requires Linux to mount usr as read only any programs that write log files or need spool or lock directories should write them to the var directory The FHS states var is for variable data files This includes...

Page 54: ...ore information about Red Hat Network refer to the documentation online at https rhn redhat com Another location specific to Red Hat Enterprise Linux is the etc sysconfig directory This directory stores a variety of configuration information Many scripts that run at boot time use the files in this directory Refer to Chapter 4 The sysconfig Directory for more information about what is within this d...

Page 55: ... The information in this chapter is not intended to be complete as many of these files have a variety of options that are only used in very specific or rare circumstances 1 Files in the etc sysconfig Directory The following files are normally found in the etc sysconfig directory amd apmd arpwatch authconfig autofs clock desktop devlabel dhcpd exim firstboot gpm harddisks hwconf i18n init ip6tables...

Page 56: ...e of the files listed here are not present in the etc sysconfig directory the corresponding program may not be installed The following sections offer descriptions of these files Files not listed here as well as extra file options found in the usr share doc initscripts version number sysconfig txt file replace version number with the version of the initscripts package Alternatively Chapter 4 The sy...

Page 57: ...etc sysconfig arpwatch file is used to pass arguments to the arpwatch daemon at boot time The arpwatch daemon maintains a table of Ethernet MAC addresses and their IP address pairings By default this file sets the owner of the arpwatch process to the user pcap as well as sends any messages to the root mail queue For more information regarding available parameters for this file refer to the arpwatc...

Page 58: ... where value is a binary value that controls whether to disable direct mount support as the Linux implementation does not conform to the Sun Microsystems automounter behavior The default value is 1 true and allows for compatibility with the Sun automounter options specification syntax 1 6 etc sysconfig clock The etc sysconfig clock file controls the interpretation of values read from the system ha...

Page 59: ...runlevel 5 Correct values are DESKTOP value where value is one of the following GNOME Selects the GNOME desktop environment KDE Selects the KDE desktop environment DISPLAYMANAGER value where value is one of the following GNOME Selects the GNOME Display Manager KDE Selects the KDE Display Manager XDM Selects the X Display Manager For more information refer to Chapter 7 The X Window System 1 8 etc s...

Page 60: ... as q QUEUE The q option is not given to exim if etc sysconfig exim exists and QUEUE is empty or undefined 1 11 etc sysconfig firstboot The first time the system boots the sbin init program calls the etc rc d init d firstboot script which in turn launches the Setup Agent This application allows the user to install the latest updates as well as additional applications and documentation The etc sysc...

Page 61: ... IDE 32 bit I O support to an interface card By default this entry is commented out and therefore disabled LOOKAHEAD 1 enables drive read lookahead By default this entry is commented out and therefore disabled EXTRA_PARAMS specifies where extra parameters can be added By default there are no parameters listed 1 14 etc sysconfig hwconf The etc sysconfig hwconf file lists all the hardware that kudzu...

Page 62: ...lure color via the echo en command The default color is set to red SETCOLOR_WARNING value where value sets the warning color via the echo en command The default color is set to yellow SETCOLOR_NORMAL value where value resets the color to normal via the echo en LOGLEVEL value where value sets the initial console logging level for the kernel The default is 3 8 means everything including debugging wh...

Page 63: ...iptables command Once created add the rule s to the etc sysconfig iptables file by typing the following command sbin service iptables save Once this file exists any firewall rules saved in it persists through a system reboot or a service restart For more information on iptables refer to Chapter 18 iptables 1 19 etc sysconfig irda The etc sysconfig irda file controls how infrared devices on the sys...

Page 64: ...eyboard The etc sysconfig keyboard file controls the behavior of the keyboard The following values may be used KEYBOARDTYPE sun pc where sun means a Sun keyboard is attached on dev kbd or pc means a PS 2 keyboard connected to a PS 2 port KEYTABLE file where file is the name of a keytable file For example KEYTABLE us The files that can be used as keytables start in lib kbd keymaps i386 and branch i...

Page 65: ...e value refers to the kind of mouse used when X is running The options here are the same as the MOUSETYPE setting in this same file DEVICE value where value is the mouse device A sample value dev input mice is a symbolic link that points to the actual mouse device 1 23 etc sysconfig named The etc sysconfig named file is used to pass arguments to the named daemon at boot time The named daemon is a ...

Page 66: ... is used to specify information about the desired network configuration The following values may be used NETWORKING value where value is one of the following boolean values yes Networking should be configured no Networking should not be configured HOSTNAME value where value should be the Fully Qualified Domain Name FQDN such as hostname expample com but can be whatever hostname is necessary Note F...

Page 67: ... where value is the list of pcmcia_core options CARDMGR_OPTS value where value is the list of options for the PCMCIA cardmgr such as q for quiet mode m to look for loadable kernel modules in the specified directory and so on Read the cardmgr man page for more information 1 28 etc sysconfig radvd The etc sysconfig radvd file is used to pass arguments to the radvd daemon at boot time The radvd daemo...

Page 68: ... is one of the following yes Sendmail should be configured to listen to port 25 for incoming mail yes implies the use of Sendmail s bd options no Sendmail should not be configured to listen to port 25 for incoming mail QUEUE 1h which is given to Sendmail as q QUEUE The q option is not given to Sendmail if etc sysconfig sendmail exists and QUEUE is empty or undefined 1 33 etc sysconfig spamassassin...

Page 69: ...stration Guide 1 37 etc sysconfig system logviewer The etc sysconfig system logviewer file is the configuration file for the graphical interactive log viewing application Log Viewer This file is edited by the Edit Preferences pull down menu in the Log Viewer application and should not be edited by hand For more information on using this application refer to the chapter called Log Files in the Red ...

Page 70: ... are normally found in etc sysconfig apm scripts This directory contains the APM suspend resume script Do not edit the files directly If customization is necessary create a file called etc sysconfig apm scripts apmcontinue which is called at the end of the script It is also possible to control the script by editing etc sysconfig apmd cbq This directory contains the configuration files needed to do...

Page 71: ...website online at https rhn redhat com 3 Additional Resources This chapter is only intended as an introduction to the files in the etc sysconfig directory The following source contains more comprehensive information 3 1 Installed Documentation usr share doc initscripts version number sysconfig txt This file contains a more authoritative listing of the files found in the etc sysconfig directory and...

Page 72: ...48 ...

Page 73: ...ation In addition most of the time and date settings on virtual files reflect the current time and date indicative of the fact they are constantly updated Virtual files such as proc interrupts proc meminfo proc mounts and proc partitions provide an up to the moment glimpse of the system s hardware Others like the proc filesystems file and the proc sys directory provide system configuration informa...

Page 74: ...ymbol to redirect the new value to the file For example to change the hostname on the fly type echo www example com proc sys kernel hostname Other files act as binary or boolean switches Typing cat proc sys net ipv4 ip_forward returns either a 0 or a 1 A 0 indicates that the kernel is not forwarding network packets Using the echo command to change the value of the ip_forward file to 1 immediately ...

Page 75: ...ot use a battery as a power source apm is able do little more than put the machine in standby mode The apm command is much more useful on laptops For example the following output is from the command cat proc apm on a laptop while plugged into a power outlet 1 16 1 2 0x03 0x01 0x03 0x09 100 1 When the same laptop is unplugged from its power source for a few minutes the content of the apm file chang...

Page 76: ...similar in concept to dev hda1 but much more extensible For more information on LVM used in Red Hat Enterprise Linux refer to http www tldp org HOWTO LVM HOWTO index html Next rhgb signals that the rhgb package has been installed and graphical booting is supported assuming etc inittab shows a default runlevel set to id 5 initdefault Finally quiet indicates all verbose kernel messages are suppresse...

Page 77: ...ed by the Linux kernel including additional details for each A sample proc crypto file looks like the following name sha1 module kernel type digest blocksize 64 digestsize 20 name md5 module md5 type digest blocksize 64 digestsize 16 2 6 proc devices This file displays the various character and block devices currently configured not including devices whose modules are not loaded Below is a sample ...

Page 78: ...an change the way the operating system treats system calls from these binaries by changing the personality of the task Except for the PER_LINUX execution domain different personalities can be implemented as dynamically loadable modules 2 9 proc fb This file contains a list of frame buffer devices with the frame buffer device number and the driver that controls it Typical output of proc fb for syst...

Page 79: ... 10 100 Ethernet 20 8450043 11120093 IO APIC level megaraid 30 10432 10722 IO APIC level aic7xxx 31 23 22 IO APIC level aic7xxx NMI 0 ERR 0 The first column refers to the IRQ number Each CPU in the system has its own column and its own number of interrupts per IRQ The next column reports the type of interrupt and the last column contains the name of the device that is located at that IRQ Each of t...

Page 80: ...ith a device This file can be quite long The following is a partial listing 0000 001f dma1 0020 003f pic1 0040 005f timer 0060 006f keyboard 0070 007f rtc 0080 008f dma page reg 00a0 00bf pic2 00c0 00df dma2 00f0 00ff fpu 0170 0177 ide1 01f0 01f7 ide0 02f8 02ff serial auto 0376 0376 ide1 03c0 03df vga 03f6 03f6 ide0 03f8 03ff serial auto 0cf8 0cff PCI conf1 d000 dfff PCI Bus 01 e000 e00f VIA Techn...

Page 81: ...fd:00:2531440 0 EOF; 5: POSIX ADVISORY WRITE 3326 fd:00:2531430 0 EOF; 6: POSIX ADVISORY WRITE 3175 fd:00:2531425 0 EOF; 7: POSIX ADVISORY WRITE 3056 fd:00:2548663 0 EOF. Each lock has its own line which starts with a unique number. The second column refers to the class of lock used, with FLOCK signifying the older-style UNIX file locks from a flock system call and POSIX representing the newer POSIX locks ...

Page 82: ...teback: 0 kB; Mapped: 42236 kB; Slab: 25912 kB; Committed_AS: 118680 kB; PageTables: 1236 kB; VmallocTotal: 3874808 kB; VmallocUsed: 1416 kB; VmallocChunk: 3872908 kB; HugePages_Total: 0; HugePages_Free: 0; Hugepagesize: 4096 kB. Much of the information here is used by the free, top, and ps commands. In fact, the output of the free command is similar in appearance to the contents and structure of /proc/meminfo. But by lookin...

Page 83: ...represents the worst case scenario value, and also includes swap memory. PageTables: The total amount of memory, in kilobytes, dedicated to the lowest page table level. VMallocTotal: The total amount of memory, in kilobytes, of total allocated virtual address space. VMallocUsed: The total amount of memory, in kilobytes, of used virtual address space. VMallocChunk: The largest contiguous block of memory, in kiloby...

Page 84: ...b000; autofs4 20293 2 - Live 0x1284f000; sunrpc 140453 3 nfs,lockd Live 0x12954000; 3c59x 33257 0 - Live 0x12871000; uhci_hcd 28377 0 - Live 0x12869000; md5 3777 1 - Live 0x1282c000; ipv6 211845 16 - Live 0x128de000; ext3 92585 2 - Live 0x12886000; jbd 65625 1 ext3 Live 0x12857000; dm_mod 46677 3 - Live 0x12833000. The first column contains the name of the module. The second column refers to the memory size of the module ...

Page 85: ...the current Memory Type Range Registers (MTRRs) in use with the system. If the system architecture supports MTRRs, then the /proc/mtrr file may look similar to the following: reg00: base=0x00000000 (0MB), size=256MB: write-back, count=1; reg01: base=0xe8000000 (3712MB), size=32MB: write-combining, count=1. MTRRs are used with the Intel P6 family of processors (Pentium II and higher) and control processor access to memo...

Page 86: ... 128. Bus 0, device 4, function 0: ISA bridge: Intel Corporation 82371AB PIIX4 ISA (rev 2). Bus 0, device 4, function 1: IDE interface: Intel Corporation 82371AB PIIX4 IDE (rev 1). Master Capable. Latency=32. I/O at 0xd800 [0xd80f]. Bus 0, device 4, function 2: USB Controller: Intel Corporation 82371AB PIIX4 USB (rev 1). IRQ 5. Master Capable. Latency=32. I/O at 0xd400 [0xd41f]. Bus 0, device 4, function 3: Bridge: Intel Corporation ...

Page 87: ...904 1125 59% 0.03K 16 119 64K size-32; 1666 768 46% 0.03K 14 119 56K anon_vma; 1512 1482 98% 0.44K 168 9 672K inode_cache; 1464 1040 71% 0.06K 24 61 96K size-64; 1320 820 62% 0.19K 66 20 264K filp; 678 587 86% 0.02K 3 226 12K dm_io; 678 587 86% 0.02K 3 226 12K dm_tio; 576 574 99% 0.47K 72 8 288K proc_inode_cache; 528 514 97% 0.50K 66 8 264K size-512; 492 372 75% 0.09K 12 41 48K bio; 465 314 67% 0.25K 31 15 124K size-2...

Page 88: ...m has been in user mode, user mode with low priority (nice), system mode, idle task, I/O wait, IRQ (hardirq), and softirq respectively. The IRQ (hardirq) is the direct response to a hardware event. The IRQ takes minimal work for queuing the "heavy" work up for the softirq to execute. The softirq runs at a lower priority than the IRQ and therefore may be interrupted more frequently. The total for all CPUs is given a...

Page 89: ...the system has been up. The second number is how much of that time the machine has spent idle, in seconds. 2.31. /proc/version This file specifies the version of the Linux kernel and gcc in use, as well as the version of Red Hat Enterprise Linux installed on the system: Linux version 2.6.8-1.523 (user@foo.redhat.com) (gcc version 3.4.1 20040714 (Red Hat Enterprise Linux 3.4.1-7)) #1 Mon Aug 16 13:27:03 EDT 2004...

Page 90: ...v/null; lrwx------ 1 root root 64 May 8 11:31 3 -> /dev/ptmx; lrwx------ 1 root root 64 May 8 11:31 4 -> socket:[7774817]; lrwx------ 1 root root 64 May 8 11:31 5 -> /dev/ptmx; lrwx------ 1 root root 64 May 8 11:31 6 -> socket:[7774829]; lrwx------ 1 root root 64 May 8 11:31 7 -> /dev/ptmx. maps: A list of memory maps to the various executables and library files associated with this process. This file can be rather long, depending upon the complexity of the...

Page 91: ...id: 0 0 0 0; Gid: 0 0 0 0; FDSize: 32; Groups: ; VmSize: 3072 kB; VmLck: 0 kB; VmRSS: 840 kB; VmData: 104 kB; VmStk: 12 kB; VmExe: 300 kB; VmLib: 2528 kB; SigPnd: 0000000000000000; SigBlk: 0000000000000000; SigIgn: 8000000000001000; SigCgt: 0000000000014005; CapInh: 0000000000000000; CapPrm: 00000000fffffeff; CapEff: 00000000fffffeff. The information in this output includes the process name and ID, the state (such as S (sleeping) or R (running)), ...

Page 92: ...ple of a /proc/bus/usb/devices file: T: Bus=01 Lev=00 Prnt=00 Port=00 Cnt=00 Dev#= 1 Spd=12 MxCh= 2; B: Alloc= 0/900 us ( 0%), #Int= 0, #Iso= 0; D: Ver= 1.00 Cls=09(hub ) Sub=00 Prot=00 MxPS= 8 #Cfgs= 1; P: Vendor=0000 ProdID=0000 Rev= 0.00; S: Product=USB UHCI Root Hub; S: SerialNumber=d400; C: #Ifs= 1 Cfg#= 1 Atr=40 MxPwr= 0mA; I: If#= 0 Alt= 0 #EPs= 1 Cls=09(hub ) Sub=00 Prot=00 Driver=hub; E: Ad=81(I) Atr=03(Int.) MxPS= 8 Ivl=255ms. 3.3. /proc/driver/ ...

Page 93: ...is enabled for the devices on the IDE channels: Intel PIIX4 Ultra 33 Chipset. Primary Channel / Secondary Channel: enabled, enabled; drive0, drive1, drive0, drive1; DMA enabled: yes, no, yes, no; UDMA enabled: yes, no, no, no; UDMA enabled: 2, X, X, X; UDMA, DMA, PIO. Navigating into the directory for an IDE channel, such as ide0, provides additional information. The channel file provides the channel number, while the model ident...

Page 94: ...tory is used to set IRQ to CPU affinity, which allows the system to connect a particular IRQ to only one CPU. Alternatively, it can exclude a CPU from handling any IRQs. Each IRQ has its own directory, allowing for the individual configuration of each IRQ. The /proc/irq/prof_cpu_mask file is a bitmask that contains the default values for the smp_affinity file in the IRQ directory. The values in smp_affini...

Page 95: ...contains one or more of the following values: filter, mangle, or nat. ip_mr_cache: Lists the multicast routing cache. ip_mr_vif: Lists multicast virtual interfaces. netstat: Contains a broad yet detailed collection of networking statistics, including TCP timeouts, SYN cookies sent and received, and much more. psched: Lists global packet scheduler parameters. raw: Lists raw device statistics. route: Lists the kernel...

Page 96: ... 2.4 Compile Options: TCQ Enabled By Default: Disabled; AIC7XXX_PROC_STATS: Enabled; AIC7XXX_RESET_DELAY: 5. Adapter Configuration: SCSI Adapter: Adaptec AIC-7880 Ultra SCSI host adapter, Ultra Narrow Controller; PCI MMAPed I/O Base: 0xfcffe000; Adapter SEEPROM Config: SEEPROM found and used; Adaptec SCSI BIOS: Enabled; IRQ: 30; SCBs: Active 0, Max Active 1, Allocated 15, HW 16, Page 255; Interrupts: 33726; BIOS Control Wor...

Page 97: ...may be used to configure the kernel. For example, a partial listing of /proc/sys/fs looks like the following: -r--r--r-- 1 root root 0 May 10 16:14 dentry-state; -rw-r--r-- 1 root root 0 May 10 16:14 dir-notify-enable; -r--r--r-- 1 root root 0 May 10 16:14 dquot-nr; -rw-r--r-- 1 root root 0 May 10 16:14 file-max; -r--r--r-- 1 root root 0 May 10 16:14 file-nr. In this listing, the files dir-notify-enable and file-max can be writte...

Page 98: ...a file called info, which reveals a number of important CD-ROM parameters: CD-ROM information, Id: cdrom.c 3.20 2003/12/17; drive name: hdc; drive speed: 48; drive # of slots: 1; Can close tray: 1; Can open tray: 1; Can lock tray: 1; Can change speed: 1; Can select disk: 0; Can read multisession: 1; Can read MCN: 1; Reports media changed: 1; Can play audio: 1; Can write CD-R: 0; Can write CD-RW: 0; Can read DVD: 0; Can write DVD-R: 0 ...

Page 99: ...between when a directory has been freed and when it can be reclaimed, and the fourth measures the pages currently requested by the system. The last two numbers are not used and display only zeros. dquot-nr: Lists the maximum number of cached disk quota entries. file-max: Lists the maximum number of file handles that the kernel allocates. Raising the value in this file can resolve errors caused by a lack ...

Page 100: ...apability.h. ctrl-alt-del: Controls whether Ctrl+Alt+Delete gracefully restarts the computer using init (0) or forces an immediate reboot without syncing the dirty buffers to disk (1). domainname: Configures the system domain name, such as example.com. exec-shield: Configures the Exec Shield feature of the kernel. Exec Shield provides protection against certain types of buffer overflow attacks. There are two p...

Page 101: ...nb: Sets the maximum number of bytes in a single message queue. The default is 16384. msgmni: Sets the maximum number of message queue identifiers. The default is 16. osrelease: Lists the Linux kernel release number. This file can only be altered by changing the kernel source and recompiling. ostype: Displays the type of operating system. By default, this file is set to Linux, and this value can only be change...

Page 102: ...t number of POSIX real-time signals queued by the kernel. sem: Configures semaphore settings within the kernel. A semaphore is a System V IPC object that is used to control utilization of a particular process. shmall: Sets the total amount of shared memory that can be used at one time on the system, in pages. By default, this value is 2097152. shmmax: Sets the largest shared memory segment size allowed by t...

Page 103: ...remount all file systems as read-only. p: Outputs all flags and registers to the console. t: Outputs a list of processes to the console. m: Outputs memory statistics to the console. 0 through 9: Sets the log level for the console. e: Kills all processes except init using SIGTERM. i: Kills all processes except init using SIGKILL. l: Kills all processes using SIGKILL (including init). The system is unusable after is...

Page 104: ... compiled. The first field in this file, such as #3, relates to the number of times a kernel was built from the source base. 3.9.4. /proc/sys/net/ This directory contains subdirectories concerning various networking topics. Various configurations at the time of kernel compilation make different directories available here, such as ethernet/, ipv4/, ipx/, and ipv6/. By altering the files within these directories, syst...

Page 105: ...tworking settings. Many of these settings, used in conjunction with one another, are useful in preventing attacks on the system or when using the system to act as a router. Caution: An erroneous change to these files may affect remote connectivity to the system. The following is a list of some of the more important files within the /proc/sys/net/ipv4/ directory: icmp_destunreach_rate, icmp_echoreply_rate, ic...

Page 106: ...interface to be configured in different ways, including the use of default settings for unconfigured devices in the /proc/sys/net/ipv4/conf/default/ subdirectory and settings that override all special configurations in the /proc/sys/net/ipv4/conf/all/ subdirectory. The /proc/sys/net/ipv4/neigh/ directory contains settings for communicating with a host directly connected to the system (called a network neig...

Page 107: ...data at this percentage of total memory for the generator of dirty data, via pdflush. The default value is 40. dirty_writeback_centisecs: Defines the interval between pdflush daemon wakeups, which periodically writes dirty in-memory data out to disk. The default value is 500, expressed in hundredths of a second. laptop_mode: Minimizes the number of times that a hard disk needs to spin up by keeping the dis...

Page 108: ...rrently running. This file is read-only and should not be changed by the user. Under heavy I/O loads, the default value of two is increased by the kernel. overcommit_memory: Configures the conditions under which a large memory request is accepted or denied. The following three modes are available: 0: The kernel performs heuristic memory overcommit handling by estimating the amount of memory available and...

Page 109: ...y character-based data terminals are called tty devices. In Linux, there are three different kinds of tty devices. Serial devices are used with serial connections, such as over a modem or using a serial cable. Virtual terminals create the common console connection, such as the virtual consoles available when pressing Alt+<F-key> at the system console. Pseudo terminals create a two-way communication that is...

Page 110: ...ion seen if each of the files were viewed individually. The only difference is the file location. For example, the /proc/sys/net/ipv4/route/min_delay file is listed as net.ipv4.route.min_delay, with the directory slashes replaced by dots and the proc.sys portion assumed. The sysctl command can be used in place of echo to assign values to writable files in the /proc/sys/ directory. For example, instead of us...

Page 111: ...sr/share/doc/kernel-doc-<version>/Documentation/sysrq.txt: An overview of System Request Key options. /usr/share/doc/kernel-doc-<version>/Documentation/sysctl/: A directory containing a variety of sysctl tips, including modifying values that concern the kernel (kernel.txt), accessing file systems (fs.txt), and virtual memory use (vm.txt). /usr/share/doc/kernel-doc-<version>/Documentation/networking/ip-sysctl.txt: A deta...

Page 113: ...ut using ACLs, refer to the chapter titled Access Control Lists in the Red Hat Enterprise Linux System Administration Guide. Proper management of users and groups, as well as the effective management of file permissions, are among the most important tasks a system administrator undertakes. For a detailed look at strategies for managing users and groups, refer to the chapter titled Managing User Accounts...

Page 114: ...c/passwd file by an Everything installation. The groupid (GID) in this table is the primary group for the user. See Section 3, Standard Groups for a listing of standard groups. User, UID, GID, Home Directory, Shell: root 0 0 /root /bin/bash; bin 1 1 /bin /sbin/nologin; daemon 2 2 /sbin /sbin/nologin; adm 3 4 /var/adm /sbin/nologin; lp 4 7 /var/spool/lpd /sbin/nologin; sync 5 0 /sbin /bin/sync; shutdown 6 0 /sbin /sbin/shutdown ...

Page 115: ... /etc/X11/fs /sbin/nologin; gdm 42 42 /var/gdm /sbin/nologin; htt 100 101 /usr/lib/im /sbin/nologin; mysql 27 27 /var/lib/mysql /bin/bash; webalizer 67 67 /var/www/usage /sbin/nologin; mailnull 47 47 /var/spool/mqueue /sbin/nologin; smmsp 51 51 /var/spool/mqueue /sbin/nologin; squid 23 23 /var/spool/squid /sbin/nologin; ldap 55 55 /var/lib/ldap /bin/false; netdump 34 34 /var/crash /bin/bash; pcap 77 77 /var/arpwatch /sbin/nologi...

Page 116: ...in, adm; adm 4 root, adm, daemon; tty 5; disk 6 root; lp 7 daemon, lp; mem 8; kmem 9; wheel 10 root; mail 12 mail, postfix, exim; news 13 news; uucp 14 uucp; man 15; games 20; gopher 30; dip 40; ftp 50; lock 54; nobody 99; users 100; rpm 37; utmp 22; floppy 19; vcsa 69; dbus 81; ntp 38; canna 39; nscd 28; rpc 32; postdrop 90; postfix 89; mailman 41. Chapter 6. Users and Groups 92 ...

Page 117: ...gavt 102; quagga 92; radvd 75; slocate 21; wnn 49; dovecot 97; radiusd 95. Table 6.2. Standard Groups. 4. User Private Groups Red Hat Enterprise Linux uses a user private group (UPG) scheme, which makes UNIX groups easier to manage. A UPG is created whenever a new user is added to the system. A UPG has the same name as the user for which it was created, and that user is the only member of the UPG. User Private Gro...

Page 118: ...cult to associate the right files with the right group. Using the UPG scheme, however, groups are automatically assigned to files created within a directory with the setgid bit set. The setgid bit makes managing group projects that share a common directory very simple, because any files a user creates within the directory are owned by the group which owns the directory. Let's say, for example, that a group...

Page 119: ...h is readable only by the root user. Stores information about password aging. Allows the use of the /etc/login.defs file to enforce security policies. Most utilities provided by the shadow-utils package work properly whether or not shadow passwords are enabled. However, since password aging information is stored exclusively in the /etc/shadow file, any commands which create or modify password aging informati...

Page 120: ...tion Files: man 5 group: The file containing group information for the system. man 5 passwd: The file containing user information for the system. man 5 shadow: The file containing passwords and account expiration information for the system. 6.2. Related Books: Red Hat Enterprise Linux Introduction to System Administration; Red Hat, Inc. This companion manual provides an overview of concepts and techniques of ...

Page 121: ... Red Hat Enterprise Linux Security Guide; Red Hat, Inc. This companion manual provides security-related aspects of user accounts, namely choosing strong passwords. Related Books 97 ...

Page 123: ...rver architecture. The X server (the Xorg binary) listens for connections from X client applications via a network or local loopback interface. The server communicates with the hardware, such as the video card, monitor, keyboard, and mouse. X client applications exist in the user space, creating a graphical user interface (GUI) for the user and passing user requests to the X server. 1. The X11R6.8 Release Red H...

Page 124: ...rise Linux System Administration Guide. In some situations, reconfiguring the X server may require manually editing its configuration file, /etc/X11/xorg.conf. For information about the structure of this file, refer to Section 3, X Server Configuration Files. 2. Desktop Environments and Window Managers Once an X server is running, X client applications can connect to it and create a GUI for the user. A range...

Page 125: ...ndow manager, it should not be used in conjunction with GNOME or KDE. twm: The minimalist Tab Window Manager, which provides the most basic tool set of any of the window managers and can be used either as a standalone or with a desktop environment. It is installed as part of the X11R6.8 release. These window managers can be run without desktop environments to gain a better sense of their differences. To ...

Page 126: ...eature on or off. Acceptable boolean values are: 1, on, true, or yes: Turns the option on. 0, off, false, or no: Turns the option off. The following are some of the more important sections in the order in which they appear in a typical /etc/X11/xorg.conf file. More detailed information about the X server configuration file can be found in the xorg.conf man page. 3.1.2. ServerFlags The optional ServerFlags section...

Page 127: ...n section to be used with the X server. More than one Screen option may be present. The following is an example of a typical Screen entry: Screen 0 "Screen0" 0 0. The first number in this example Screen entry (0) indicates that the first monitor connector or head on the video card uses the configuration specified in the Screen section with the identifier "Screen0". If the video card has more than one head, an...

Page 128: ... the X server must connect to obtain fonts from the xfs font server. By default, the FontPath is unix/:7100. This tells the X server to obtain font information using UNIX-domain sockets for inter-process communication (IPC) on port 7100. Refer to Section 4, Fonts for more information concerning X and fonts. ModulePath: An optional parameter which specifies alternate directories which store X server modules ...

Page 129: ... both mouse buttons are pressed simultaneously. Consult the xorg.conf man page for a list of valid options for this section. By default, the InputDevice section has comments to allow users to configure additional options. 3.1.7. Monitor Each Monitor section configures one type of monitor used by the system. While one Monitor section is the minimum, additional instances may occur for each monitor type in ...

Page 130: ...termine the validity of built-in or specified Modeline entries for the monitor. Modeline: An optional parameter which specifies additional video modes for the monitor at particular resolutions, with certain horizontal sync and vertical refresh resolutions. Refer to the xorg.conf man page for a more detailed explanation of Modeline entries. Option "option-name": An optional entry which specifies extra para...

Page 131: ...cifies which monitor connector or head on the video card the Device section configures. This option is only useful for video cards with multiple heads. If multiple monitors are connected to different heads on the same video card, separate Device sections must exist, and each of these sections must have a different Screen value. Values for the Screen entry must be an integer. The first head on the video ...

Page 132: ...ne is required for the color depth specified in the DefaultDepth entry. Option "option-name": An optional entry which specifies extra parameters for the section. Replace option-name with a valid option listed for this section in the xorg.conf man page. 3.1.10. DRI The optional DRI section specifies parameters for the Direct Rendering Infrastructure (DRI). DRI is an interface which allows 3D software applica...

Page 133: ...ont subsystem. Important: The Fontconfig font subsystem does not yet work for OpenOffice.org, which uses its own font rendering technology. It is important to note that Fontconfig uses the /etc/fonts/fonts.conf configuration file, and should not be edited by hand. Tip: Due to the transition to the new font system, GTK+ 1.2 applications are not affected by any changes made via the Font Preferences dialog (acc...

Page 134: ...t files there. Important: If the font file name ends with a .gz extension, it is compressed and cannot be used until uncompressed. To do this, use the gunzip command or double-click the file and drag the font to a directory in Nautilus. 4.2. Core X Font System For compatibility, Red Hat Enterprise Linux provides the core X font subsystem, which uses the X Font Server (xfs) to provide fonts to X client applica...

Page 135: ...n. default-point-size: Specifies the default point size for any font that does not specify this value. The value for this option is set in decipoints. The default of 120 corresponds to a 12 point font. default-resolutions: Specifies a list of resolutions supported by the X server. Each resolution in the list must be separated by a comma. deferglyphs: Specifies whether to defer loading glyphs (the graphic us...

Page 136: ...ult installation of Red Hat Enterprise Linux configures a machine to boot into a graphical login environment, known as runlevel 5. It is possible, however, to boot into the text-only multi-user mode called runlevel 3 and begin an X session from there. For more information about runlevels, refer to Section 4, SysV Init Runlevels. The following subsections review how X starts up in both runlevel 3 and runle...

Page 137: ...not exist in the user's home directory, the standard /etc/X11/xinit/Xclients script attempts to start another desktop environment, trying GNOME first and then KDE, followed by twm. The user is returned to a text mode user session after logging out of X from runlevel 3. 5.2. Runlevel 5 When the system boots into runlevel 5, a special X client application called a display manager is launched. A user must aut...

Page 138: ...the console to the root user. The original display manager, which continued running after the user logged in, takes control by spawning a new display manager. This restarts the X server, displays a new login window, and starts the entire process over again. The user is returned to the display manager after logging out of X from runlevel 5. For more information on how display managers control user authenti...

Page 139: ...config font subsystem for X. 6.3. Related Books: The Concise Guide to XFree86 for Linux by Aron Hsiao; Que. Provides an expert's view of the operation of XFree86 on Linux systems. The New XFree86 by Bill Ball; Prima Publishing. Discusses XFree86 and its relationship with the popular desktop environments, such as GNOME and KDE. Beginning GTK+ and GNOME by Peter Wright; Wrox Press, Inc. Introduces programmers to t...

Page 141: ...ety of network services under Red Hat Enterprise Linux. This part describes how network interfaces are configured, as well as provides details about critical network services, such as FTP, NFS, the Apache HTTP Server, Sendmail, Postfix, Exim, Fetchmail, Procmail, BIND, LDAP, and Samba. ...

Page 143: ...ary network configuration files are as follows: /etc/hosts: The main purpose of this file is to resolve hostnames that cannot be resolved any other way. It can also be used to resolve hostnames on small networks with no DNS server. Regardless of the type of network the computer is on, this file should contain a line specifying the IP address of the loopback device (127.0.0.1) as localhost.localdomain. For ...

Page 144: ...ols. 2.1. Ethernet Interfaces One of the most common interface files is ifcfg-eth0, which controls the first Ethernet network interface card or NIC in the system. In a system with multiple NICs, there are multiple ifcfg-eth<X> files (where <X> is a unique number corresponding to a specific interface). Because each device has its own configuration file, an administrator can control how each interface functions...

Page 145: ...yes. ETHTOOL_OPTS=<options>, where <options> are any device-specific options supported by ethtool. For example, if you wanted to force 100Mb full duplex: ETHTOOL_OPTS="autoneg off speed 100 duplex full". Note that changing speed or duplex settings almost always requires disabling autonegotiation with the autoneg off option. This needs to be stated first, as the option entries are order-dependent. GATEWAY=<address...

Page 146: ...olv.conf if the DNS directive is set. If using DHCP, then yes is the default. no: Do not modify /etc/resolv.conf. SLAVE=<bond-interface>, where <bond-interface> is one of the following: yes: This device is controlled by the channel bonding interface specified in the MASTER directive. no: This device is not controlled by the channel bonding interface specified in the MASTER directive. This directive is used in con...

Page 147: ...ork is the network address of the IPsec destination network. This is only used for network-to-network IPsec configurations. SRC=<address>, where <address> is the IP address of the IPsec source host or router. This setting is optional and is only used for host-to-host IPsec configurations. SRCNET=<network>, where <network> is the network address of the IPsec source network. This is only used for network-to-networ...

Page 148: ...y called ifcfg-bond<N>, replacing <N> with the number for the interface, such as 0. The contents of the file can be identical to whatever type of interface that is getting bonded, such as an Ethernet interface. The only difference is that the DEVICE directive must be bond<N>, replacing <N> with the number for the interface. The following is a sample channel bonding configuration file: DEVICE=bond0 BOOTPROTO=non...

Page 149: ...0.2 serving as an alias of an Ethernet interface already configured to receive its IP information via DHCP in ifcfg-eth0. Under this configuration, eth0 is bound to a dynamic IP address, but the same physical network card can receive requests via the fixed 10.0.0.2 IP address. Caution: Alias interfaces do not support DHCP. A clone interface configuration file should use the following naming convention: if...

Page 150: ...o create a dialup account. It is also possible to create and edit this file manually. The following is a typical ifcfg-ppp0 file: DEVICE=ppp0 NAME=test WVDIALSECT=test MODEMPORT=/dev/modem LINESPEED=115200 PAPNAME=test USERCTL=true ONBOOT=no PERSIST=no DEFROUTE=yes PEERDNS=yes DEMAND=no IDLETIMEOUT=600. Serial Line Internet Protocol (SLIP) is another dialup interface, although it is used less frequently. S...

Page 151: ...t occurs to allow connections to a remote system. PERSIST=<answer>, where <answer> is one of the following: yes: This interface should be kept active at all times, even if deactivated after a modem hang up. no: This interface should not be kept active at all times. REMIP=<address>, where <address> is the remote system's IP address. This is usually left unspecified. WVDIALSECT=<name>, where <name> associates this interfac...

Page 152: ... of these scripts are called, they require the value of the interface to be specified, such as: ifup eth0. Caution: The ifup and ifdown interface scripts are the only scripts that the user should use to bring up and take down network interfaces. The following scripts are described for reference purposes only. Two files used to perform a variety of network initialization tasks during the process of bringi...

Page 153: ...gs a SLIP interface up or down. ifup-wireless: Brings up a wireless interface. Warning: Removing or modifying any scripts in the /etc/sysconfig/network-scripts/ directory can cause interface connections to act irregularly or fail. Only advanced users should modify scripts related to a network interface. The easiest way to manipulate all network scripts simultaneously is to use the /sbin/service command on ...

Page 154: ...v4 interfaces, a /etc/sysconfig/network-scripts/network-functions-ipv6 file exists specifically to hold this information. The functions in this file configure and delete static IPv6 routes, create and remove tunnels, add and remove IPv6 addresses to an interface, and test for the existence of an IPv6 address on an interface. 5. Additional Resources The following are resources which explain more about netw...

Page 155: ...trol Protocol (TCP) running over an IP network, with NFSv4 requiring it. NFSv2 and NFSv3 can use the User Datagram Protocol (UDP) running over an IP network to provide a stateless network connection between the client and server. When using NFSv2 or NFSv3 with UDP, the stateless UDP connection under normal conditions minimizes network traffic, as the NFS server sends the client a cookie after the client is...

Page 156: ...t during system start up. However, this can be error-prone if the port is unavailable or conflicts with another daemon. 1.1. Required Services Red Hat Enterprise Linux uses a combination of kernel-level support and daemon processes to provide NFS file sharing. NFSv2 and NFSv3 rely on Remote Procedure Calls (RPC) to encode and decode requests between clients and servers. RPC services under Linux are contro...

Page 157: ...cess is used by the NFS server to perform user authentication and is started only when SECURE_NFS=yes is set in the /etc/sysconfig/nfs file. rpc.gssd: This process is used by the NFS server to perform user authentication and is started only when SECURE_NFS=yes is set in the /etc/sysconfig/nfs file. 1.2. NFS and portmap Note: The following section only applies to NFSv2 or NFSv3 implementations that requir...

Page 158: ...udp 2049 nfs; 100003 2 tcp 2049 nfs; 100003 3 tcp 2049 nfs; 100005 1 udp 836 mountd; 100005 1 tcp 839 mountd; 100005 2 udp 836 mountd; 100005 2 tcp 839 mountd; 100005 3 udp 836 mountd; 100005 3 tcp 839 mountd. The output from this command reveals that the correct NFS services are running. If one of the NFS services does not start up correctly, portmap is unable to map RPC requests from clients for that servi...

Page 159: ...ess to Services in the Red Hat Enterprise Linux System Administration Guide for more information regarding these tools. 3. NFS Server Configuration There are three ways to configure an NFS server under Red Hat Enterprise Linux: using the NFS Server Configuration Tool (system-config-nfs), manually editing its configuration file (/etc/exports), or using the /usr/sbin/exportfs command. For instructions on using ...

Page 160: ...r example, the use of *.example.com as a wildcard allows sales.example.com to access an exported file system, but not bob.sales.example.com. To match both possibilities, both *.example.com and *.*.example.com must be specified. IP networks: Allows the matching of hosts based on their IP addresses within a larger network. For example, 192.168.0.0/28 allows the first 16 IP addresses, from 192.168.0.0 to 192.168.0.15...

Page 161: ...e Linux. To disable this feature, specify the no_acl option when exporting the file system. For more about this feature, refer to the chapter titled Network File System (NFS) in the Red Hat Enterprise Linux System Administration Guide. Each default for every exported file system must be explicitly overridden. For example, if the rw option is not specified, then the exported file system is shared as read-only...

Page 162: ... service. When given the proper options, the /usr/sbin/exportfs command writes the exported file systems to /var/lib/nfs/xtab. Since rpc.mountd refers to the xtab file when deciding access privileges to a file system, changes to the list of exported file systems take effect immediately. The following is a list of commonly used options available for /usr/sbin/exportfs: -r: Causes all directories listed in /etc...

Page 163: ...On Red Hat Enterprise Linux the pseudo file system is identified as a single real file system identified at export with the fsid 0 option For example the following commands could be executed on an NFSv4 server mkdir exports mkdir exports opt mkdir exports etc mount bind usr local opt exports opt mount bind usr local etc exports etc exportfs o fsid 0 insecure no_subtree_check gss krb5p exports expo...

Page 164: ... read or the mount fails Replace nfs type with either nfs for NFSv2 or NFSv3 servers or nfs4 for NFSv4 servers Replace options with a comma separated list of options for the NFS file system refer to Section 4 3 Common NFS Mount Options for details Refer to the fstab man page for additional information 4 2 autofs One drawback to using etc fstab is that regardless of how infrequently a user accesses...

Page 165: ...Be sure to include the hyphen character immediately before the options list Replace server with the hostname IP address or fully qualified domain name of the server exporting the file system Replace remote export with the path to the exported directory Replace options with a comma separated list of options for the NFS file system refer to Section 4 3 Common NFS Mount Options for details While auto...

Page 166: ...pecifies whether the program using a file via an NFS connection should stop and wait hard for the server to come back online if the host serving the exported file system is unavailable or if it should report an error soft If hard is specified the user cannot terminate the process waiting for the NFS communication to resume unless the intr option is also specified If soft is specified the user can ...

Page 167: ...5 uses Kerberos V5 instead of local UNIX UIDs and GIDs to authenticate users sec krb5i uses Kerberos V5 for user authentication and performs integrity checking of NFS operations using secure checksums to prevent data tampering sec krb5p uses Kerberos V5 for user authentication integrity checking and encrypts NFS traffic to prevent traffic sniffing This is the most secure setting but it also has th...

Page 168: ... unauthorized machine is the system permitted to mount the NFS share since no username or password information is exchanged to provide additional security for the NFS mount Wildcards should be used sparingly when exporting directories via NFS as it is possible for the scope of the wildcard to encompass more systems than intended It is also possible to restrict access to the portmap service via TCP...

Page 169: ... Enterprise Linux It is not recommended that this feature be disabled For more about this feature refer to the chapter titled Network File System NFS in the Red Hat Enterprise Linux System Administration Guide The default behavior when exporting a file system via NFS is to use root squashing This sets the user ID of anyone accessing the NFS share as the root user on their local machine to a value ...

Page 170: ...re 2 which includes the 2 6 kernel http www nluug nl events sane2000 papers pawlowski pdf An excellent whitepaper on the features and enhancements of the NFS Version 4 protocol 6 3 Related Books Managing NFS and NIS by Hal Stern Mike Eisler and Ricardo Labiaga O Reilly Associates Makes an excellent reference guide for the many different NFS export and mount options available NFS Illustrated by Bre...

Page 171: ...s file whenever it is used For more information about the HTTP Configuration Tool please refer to the chapter titled Apache HTTP Server Configuration in the Red Hat Enterprise Linux System Administration Guide 1 Apache HTTP Server 2 0 There are important differences between the Apache HTTP Server 2 0 and version 1 3 version 1 3 shipped with Red Hat Enterprise Linux 2 1 and earlier This section rev...

Page 172: ...apache manual packages were renamed to httpd httpd devel and httpd manual respectively The mod_dav package was incorporated into the httpd package The mod_put and mod_roaming packages were removed since their functionality is a subset of that provided by mod_dav which is now incorporated into the httpd package The mod_auth_any and mod_bandwidth packages were removed The version number for the mod_...

Page 173: ...Enterprise Linux 4 5 0 from Red Hat Enterprise Linux 2 1 note that the new stock configuration file for the Apache HTTP Server 2 0 package is installed as etc httpd conf httpd conf rpmnew and the original version 1 3 httpd conf is left untouched It is entirely up to you whether to use the new configuration file and migrate the old settings to it or use the existing file as a base and modify it to ...

Page 174: ...ble Listen directive If Port 80 was set in the 1 3 version configuration file change it to Listen 80 in the 2 0 configuration file If Port was set to some value other than 80 then append the port number to the contents of the ServerName directive For example the following is a sample Apache HTTP Server 1 3 directive Port 123 ServerName www example com To migrate this setting to Apache HTTP Server ...

Page 175: ...are handled by threads conserving system resources and allowing large numbers of requests to be served efficiently Although some of the directives accepted by the worker MPM are the same as those accepted by the prefork MPM the values for those directives should not be transfered directly from an Apache HTTP Server 1 3 installation It is best to instead use the default values as a guide then exper...

Page 176: ...the etc httpd conf d directory The various HAVE_XXX definitions are no longer defined Important If modifying the original file note that it is of paramount importance that the httpd conf contains the following directive Include conf d conf Omission of this directive results in the failure of all modules packaged in their own RPMs such as mod_perl php and mod_ssl 2 1 4 Other Global Environment Chan...

Page 177: ...y lightly customized main server sections should migrate their changes into the default 2 0 configuration 2 2 1 UserDir Mapping The UserDir directive is used to enable URLs such as http example com bob to map to a subdirectory within the home directory of the user bob such as home bob public_html A side effect of this feature allows a potential attacker to determine whether a given username is pre...

Page 178: ...hanged from README and HEADER to README html and HEADER html For more on this topic refer to the following documentation on the Apache Software Foundation s website http httpd apache org docs 2 0 mod mod_autoindex html indexoptions http httpd apache org docs 2 0 mod mod_autoindex html readmename http httpd apache org docs 2 0 mod mod_autoindex html headername 2 2 4 Content Negotiation The CacheNeg...

Page 179: ...figuration has been moved out of the main server configuration file and into etc httpd conf d ssl conf For more on this topic refer to the chapter titled Apache HTTP Secure Server Configuration in the Red Hat Enterprise Linux System Administration Guide and the documentation online at the following URL http httpd apache org docs 2 0 vhosts 2 4 Modules and Apache HTTP Server 2 0 In Apache HTTP Serv...

Page 180: ... PATH_INFO The following is an example of this directive AcceptPathInfo on For more on this topic refer to the following documentation on the Apache Software Foundation s website http httpd apache org docs 2 0 mod core html acceptpathinfo http httpd apache org docs 2 0 handler html http httpd apache org docs 2 0 filter html 2 4 1 The suexec Module In Apache HTTP Server 2 0 the mod_suexec module us...

Page 181: ...have been removed The mod_ssl module now obeys the ErrorLog and LogLevel directives Refer to Section 5 35 ErrorLog and Section 5 36 LogLevel for more information about these directives For more on this topic refer to the following documentation on the Apache Software Foundation s website http httpd apache org docs 2 0 mod mod_ssl html http httpd apache org docs 2 0 vhosts 2 4 3 The mod_proxy Modul...

Page 182: ...od mod_include html 2 4 5 The mod_auth_dbm and mod_auth_db Modules Apache HTTP Server 1 3 supported two authentication modules mod_auth_db and mod_auth_dbm which used Berkeley Databases and DBM databases respectively These modules have been combined into a single module named mod_auth_dbm in Apache HTTP Server 2 0 which can access several different database formats To migrate from mod_auth_db conf...

Page 183: ...dduser username htdbm TDB authdb username Remove user from database dbmmanage authdb delete username htdbm x TDB authdb username List users in database dbmmanage authdb view htdbm l TDB authdb Verify a password dbmmanage authdb check username htdbm v TDB authdb username Table 10 1 Migrating from dbmmanage to htdbm The m and s options work with both dbmmanage and htdbm enabling the use of the MD5 o...

Page 184: ... statement Include conf d conf must be in httpd conf as described in Section 2 1 3 Dynamic Shared Object DSO Support 2 4 8 PHP The configuration for PHP has been moved from httpd conf into the file etc httpd conf d php conf For this file to be loaded the statement Include conf d conf must be in httpd conf as described in Section 2 1 3 Dynamic Shared Object DSO Support Note Any PHP configuration di...

Page 185: ...rsion index html replacing version with the version number of the package or http authzldap othello ch for more information on configuring the mod_authz_ldap third party module 3 After Installation After installing the httpd package review the Apache HTTP Server s documentation available online at http httpd apache org docs 2 0 The Apache HTTP Server s documentation contains a full list and comple...

Page 186: ...ype sbin service httpd start To stop the server as root type sbin service httpd stop The restart option is a shorthand way of stopping and then starting the Apache HTTP Server To restart the server as root type sbin service httpd restart Note If running the Apache HTTP Server as a secure server it may be necessary to type the server password whenever using the start or restart options After editin...

Page 187: ... refer to the chapter titled Apache HTTP Secure Server Configuration in the Red Hat Enterprise Linux System Administration Guide 5 Configuration Directives in httpd conf The Apache HTTP Server configuration file is etc httpd conf httpd conf The httpd conf file is well commented and mostly self explanatory The default configuration works for most situations however it is a good idea to become famil...

Page 188: ...httpd for both secure and non secure servers 5 3 PidFile PidFile names the file where the server records its process ID PID By default the PID is listed in var run httpd pid 5 4 Timeout Timeout defines in seconds the amount of time that the server waits for receipts and transmissions during communications Timeout is set to 300 seconds by default which is appropriate for most situations 5 5 KeepAli...

Page 189: ...xplained in Section 2 1 2 Server Pool Size Regulation the responsibility for managing characteristics of the server pool falls to a module group called MPMs under Apache HTTP Server 2 0 The characteristics of the server pool differ depending upon which MPM is used For this reason an IfModule container is necessary to define the server pool for the MPM in use By default Apache HTTP Server 2 0 defin...

Page 190: ... with the worker MPM They adjust how the Apache HTTP Server dynamically adapts to the perceived load by maintaining an appropriate number of spare server threads based on the number of incoming requests The server checks the number of server threads waiting for a request and kills some if there are more than MaxSpareThreads or creates some if the number of servers is less than MinSpareThreads The ...

Page 191: ...ort 5 13 ExtendedStatus The ExtendedStatus directive controls whether Apache generates basic off or detailed server status information on when the server status handler is called The server status handler is called using Location tags More information on calling server status is included in Section 5 60 Location 5 14 IfDefine The IfDefine tags surround configuration directives that are applied if ...

Page 192: ...P Server does not run as the root user 5 17 Group Specifies the group name of the Apache HTTP Server processes This directive has been deprecated for the configuration of virtual hosts By default Group is set to apache 5 18 ServerAdmin Sets the ServerAdmin directive to the email address of the Web server administrator This email address shows up in error messages on server generated Web pages so u...

Page 193: ...e directory which contains most of the HTML files which are served in response to requests The default DocumentRoot for both the non secure and secure Web servers is the var www html directory For example the server might receive a request for the following document http example com foo html The server looks for the following file in the default directory var www html foo html To change the Docume...

Page 194: ... permissions for CGI scripts and the entire path to the scripts must be set to 0755 5 23 Options The Options directive controls which server features are available in a particular directory For example under the restrictive parameters specified for the root directory Options is only set to the FollowSymLinks directive No features are enabled except that the server is allowed to follow symbolic lin...

Page 195: ... The name for the subdirectory is set to public_html in the default configuration For example the server might receive the following request http example com username foo html The server would look for the file home username public_html foo html In the above example home username is the user s home directory note that the default path to users home directories may vary Make sure that the permissio...

Page 196: ...s are allowed to cache such documents 5 32 TypesConfig TypesConfig names the file which sets the default list of MIME type mappings file name extensions to content types The default TypesConfig file is etc mime types Instead of editing etc mime types the recommended way to add MIME type mappings is to use the AddType directive For more information about AddType refer to Section 5 55 AddType 5 33 D...

Page 197: ...remote host s IP address or hostname Lists the remote IP address of the requesting client If HostnameLookups is set to on the client hostname is recorded unless it is not available from DNS l rfc931 Not used A hyphen appears in the log file for this field u authenticated user Lists the username of the user recorded if authentication was required Usually this is not used so a hyphen appears in the ...

Page 198: ...tory can be accessed by the Web server but the directory is not in the DocumentRoot 5 41 ScriptAlias The ScriptAlias directive defines where CGI scripts are located Generally it is not good practice to leave CGI scripts within the DocumentRoot where they can potentially be viewed as text documents For this reason a special directory outside of the DocumentRoot directory containing server side exec...

Page 199: ...ser can re sort a directory listing by clicking on column headers Another click on the same header switches from ascending to descending order FancyIndexing also shows different icons for different files based upon file extensions The AddDescription option when used in conjunction with FancyIndexing presents a short description for the file in server generated directory listings IndexOptions has a...

Page 200: ... include the file as an HTML document and then tries to include it as plain text By default ReadmeName is set to README html 5 50 HeaderName HeaderName names the file which if it exists in the directory is prepended to the start of server generated directory listings Like ReadmeName the server tries to include it as an HTML document if possible or in plain text if not 5 51 IndexIgnore IndexIgnore ...

Page 201: ...function in any directory on the server which has the ExecCGI option within the directories container Refer to Section 5 22 Directory for more information about setting the ExecCGI option for a directory In addition to CGI scripts the AddHandler directive is used to process server parsed HTML and image map files 5 57 Action Action specifies a MIME content type and CGI script pair so that when a fi...

Page 202: ...main use the following directives Location server info SetHandler server info Order deny allow Deny from all Allow from example com Location Again replace example com with the second level domain name for the Web server 5 61 ProxyRequests To configure the Apache HTTP Server to function as a proxy server remove the hash mark from the beginning of the IfModule mod_proxy c line the ProxyRequests and ...

Page 203: ...e Specifies the expiry time in hours for a document that was received using a protocol that does not support expiry times The default is set to 1 hour 3600 seconds NoProxy Specifies a space separated list of subnets IP addresses domains or hosts whose content is not cached This setting is most useful for Intranet sites 5 64 NameVirtualHost The NameVirtualHost directive associates an IP address and...

Page 204: ...d to allow SSL to close the connection without a closing notification from the client browser This setting is necessary for certain browsers that do not reliably shut down the SSL connection For more information on other directives within the SSL configuration file refer to the following URLs http localhost manual mod mod_ssl html http httpd apache org docs 2 0 mod mod_ssl html For information abo...

Page 205: ... if the http manual package is installed documentation about DSOs can be found online at http localhost manual mod For the Apache HTTP Server to use a DSO it must be specified in a LoadModule directive within etc httpd conf httpd conf If the module is provided by a separate package the line must appear within the modules configuration file in the etc httpd conf d directory Refer to Section 5 12 Lo...

Page 206: ...ment the NameVirtualHost line by removing the hash mark and replace the asterisk with the IP address assigned to the machine Next configure a virtual host by uncommenting and customizing the VirtualHost container On the VirtualHost line change the asterisk to the server s IP address Change the ServerName to a valid DNS name assigned to the machine and configure the other directives as necessary Th...

Page 207: ...th the non secure Web server The configuration directives for the secure server are contained within virtual host tags in the etc httpd conf d ssl conf file By default both the secure and the non secure Web servers share the same DocumentRoot It is recommended that a different DocumentRoot be made available for the secure Web server To stop the non secure Web server from accepting connections comm...

Page 208: ... from Wrox Press Ltd s Programmer to Programmer series and is aimed at both experienced and novice Web server administrators Administering Apache by Mark Allan Arnold Osborne Media Group This book is targeted at Internet Service Providers who aim to provide more secure services Apache Server Unleashed by Richard Bowen et al SAMS BOOKS An encyclopedic source for the Apache HTTP Server Apache Pocket...

Page 209: ...sing a client server architecture An email message is created using a mail client program This program then sends the message to a server The server then forwards the message to the recipient s email server where the message is then supplied to the recipient s email client To enable this process a variety of standard network protocols allow different machines often running different operating syst...

Page 210: ...sage Access Protocol IMAP The use of IMAP and POP is configured through dovecot by default dovecot runs only IMAP To configure dovecot to use POP 1 Edit etc dovecot conf to have the line protocols imap imaps pop3 pop3s 2 Make that change operational for the current session by running the command service dovecot restart 3 Make that change operational after the next reboot by running the command chk...

Page 211: ...For added security it is possible to use Secure Socket Layer SSL encryption for client authentication and data transfer sessions This can be enabled by using the ipop3s service or by using the usr sbin stunnel program Refer to Section 5 1 Securing Communication for more information 1 2 2 IMAP The default IMAP server under Red Hat Enterprise Linux is usr sbin imapd and is provided by the imap packa...

Page 212: ...eciding if a particular MTA can or should accept a message for delivery is quite complicated In addition due to problems from spam use of a particular MTA is usually restricted by the MTA s configuration or the access configuration for the network on which the MTA resides Many modern email client programs can act as an MTA when sending email However this action should not be confused with the role...

Page 213: ...mation about how to switch the default MTA from Sendmail to Postfix refer to the chapter called Mail Transport Agent MTA Configuration in the Red Hat Enterprise Linux System Administration Guide 3 1 Sendmail Sendmail s core purpose like other MTAs is to safely transfer email among hosts usually using the SMTP protocol However Sendmail is highly configurable allowing control over almost every aspec...

Page 214: ...ocessor to create a new etc mail sendmail cf More information on configuring Sendmail can be found in Section 3 1 3 Common Sendmail Configuration Changes Various Sendmail configuration files are installed in the etc mail directory including access Specifies which systems can use Sendmail for outbound email domaintable Specifies domain name mapping local host names Specifies aliases for the host ma...

Page 215: ...sendmail cf by executing the following command m4 etc mail sendmail mc etc mail sendmail cf By default the m4 macro processor is installed with Sendmail but is part of the m4 package After creating a new etc mail sendmail cf file restart Sendmail for the changes to take effect The easiest way to do this is to type the following command sbin service sendmail restart Important The default sendmail c...

Page 216: ...network so that their return address is user example com instead of user host example com To do this add the following lines to etc mail sendmail mc FEATURE always_add_domain dnl FEATURE masquerade_entire_domain FEATURE masquerade_envelope FEATURE allmasquerade MASQUERADE_AS bigcorp com MASQUERADE_DOMAIN bigcorp com MASQUERADE_AS bigcorp com After generating a new sendmail cf using m4 this configu...

Page 217: ...g or blocking access Refer to the usr share sendmail cf README for more information and examples Since Sendmail calls the Procmail MDA when delivering mail it is also possible to use a spam filtering program such as SpamAssassin to identify and file spam for users Refer to Section 4 2 6 Spam Filters for more about using SpamAssassin 3 1 6 Using Sendmail with LDAP Using the Lightweight Directory Ac...

Page 218: ...fix is a Sendmail compatible MTA that is designed to be secure fast and easy to configure To improve security Postfix uses a modular design where small processes with limited privileges are launched by a master daemon The smaller less privileged processes perform very specific tasks related to the various stages of mail delivery and run in a change rooted environment to limit the effects of attack...

Page 219: ... this file master cf Specifies how Postfix interacts with various processes to accomplish mail delivery transport Maps email addresses to relay hosts Important The default etc postfix main cf file does not allow Postfix to accept network connections from a host other than the local computer For instructions on configuring Postfix as a server for other clients refer to Section 3 2 2 Basic Postfix C...

Page 220: ...process of downloading their messages located on a remote server from the process of reading and organizing their email in an MUA Designed with the needs of dial up users in mind Fetchmail connects and quickly downloads all of the email messages to the mail spool file using any number of protocols including POP3 and IMAP It can even forward email messages to an SMTP server if necessary Fetchmail i...

Page 221: ...Fetchmail to use this server option when it is run which checks for email using the specified user options Any server options after a skip action however are not checked unless this server s hostname is specified when Fetchmail is invoked The skip option is useful when testing configurations in fetchmailrc because it only checks skipped servers when specifically invoked and does not affect any cur...

Page 222: ...ptions must be placed on their own line in fetchmailrc after a poll or skip action auth auth type Replace auth type with the type of authentication to be used By default password authentication is used but some protocols support other types of authentication including kerberos_v5 kerberos_v4 and ssh If the any authentication type is used Fetchmail first tries methods that do not require a password...

Page 223: ...ace password with the user s password preconnect command Replace command with a command to be executed before retrieving messages for the user postconnect command Replace command with a command to be executed after retrieving messages for the user ssl Activates SSL encryption user username Replace username with the username used by Fetchmail to retrieve messages This option must precede all other ...

Page 224: ...messages on the remote email server after downloading them This option overrides the default behavior of deleting messages after downloading them l max number bytes Fetchmail does not download any messages over a particular size and leaves them on the remote email server quit Quits the Fetchmail daemon process More commands and fetchmailrc options can be found in the fetchmail man page 4 Mail Deli...

Page 225: ...r s home directory Therefore to use Procmail each user must construct a procmailrc file with specific environment variables and rules 4 1 Procmail Configuration The Procmail configuration file contains important environmental variables These variables specify things such as which messages to sort and what to do with the messages that do not match any recipes These environmental variables usually a...

Page 226: ...lows a user to specify an external file containing additional Procmail recipes much like the INCLUDERC option except that recipe checking is actually stopped on the referring configuration file and only the recipes on the SWITCHRC specified file are used VERBOSE Causes Procmail to log more information This option is useful for debugging Other important environmental variables are pulled from the s...

Page 227: ... effectively sorting the email Special action characters may also be used before the action is specified Refer to Section 4 2 4 Special Conditions and Actions for more information 4 2 1 Delivering vs Non Delivering Recipes The action used if the recipe matches a particular message determines whether it is considered a delivering or non delivering recipe A delivering recipe contains an action that ...

Page 228: ...g conditions This occurs by default h Uses the header in a resulting action This is the default behavior w Tells Procmail to wait for the specified filter or program to finish and reports whether or not it was successful before considering the message filtered W Is identical to w except that Program failure messages are suppressed For a detailed list of additional flags refer to the procmailrc man...

Page 229: ...est way to develop the skills to build Procmail recipe conditions stems from a strong understanding of regular expressions combined with looking at many examples built by others A thorough explanation of regular expressions is beyond the scope of this section The structure of Procmail recipes and useful sample Procmail recipes can be found at various places on the Internet such as http www iki fi ...

Page 230: ...om time to time to look for false positives Once satisfied that no messages are accidentally being matched delete the mailbox and direct the action to send the messages to dev null The following recipe grabs email sent from a particular mailing list and places it in a specified folder 0 From CC To tux lug tuxlug Any messages sent from the tux lug domain com mailing list are placed in the tuxlug ma...

Page 231: ...iles all email tagged in the header as spam into a mailbox called spam Since SpamAssassin is a Perl script it may be necessary on busy servers to use the binary SpamAssassin daemon spamd and client application spamc Configuring SpamAssassin this way however requires root access to the host To start the spamd daemon type the following command as root sbin service spamassassin start To start the Spa...

Page 232: ...sed over the network 5 1 1 Secure Email Clients Most Linux MUAs designed to check email on remote servers support SSL encryption To use SSL when retrieving email it must be enabled on both the email client and server SSL is easy to enable on the client side often done with the click of a button in the MUA s configuration window or via an option in the MUA s configuration file Secure IMAP and POP h...

Page 233: ...OpenSSL libraries included with Red Hat Enterprise Linux to provide strong cryptography and protect the connections It is best to apply to a CA to obtain an SSL certificate but it is also possible to create a self signed certificate To create a self signed SSL certificate change to the usr share ssl certs directory and type the following command make stunnel pem Again answer all of the questions t...

Page 234: ...f Postfix usr share doc fetchmail version number Contains a full list of Fetchmail features in the FEATURES file and an introductory FAQ document Replace version number with the version number of Fetchmail usr share doc procmail version number Contains a README file that provides an overview of Procmail a FEATURES file that explores every program feature and an FAQ file with answers to many common...

Page 235: ...s and configuration examples http www postfix org The Postfix project home page contains a wealth of information about Postfix The mailing list is a particularly good place to look for information http catb org esr fetchmail The home page for Fetchmail featuring an online manual and a thorough FAQ http www procmail org The home page for Procmail with links to assorted mailing lists dedicated to Pr...

Page 236: ...rnet Email Protocols A Developer s Guide by Kevin Johnson Addison Wesley Publishing Company Provides a very thorough review of major email protocols and the security they provide Managing IMAP by Dianna Mullet and Kevin Mullet O Reilly Associates Details the steps required to configure an IMAP server Red Hat Enterprise Linux Security Guide Red Hat Inc The Server Security chapter explains ways to s...

Page 237: ...ery DNS is normally implemented using centralized servers that are authoritative for some domains and refer to other DNS servers for other domains When a client host requests information from a nameserver it usually connects to port 53 The nameserver then attempts to resolve the FQDN based on its resolver library which may contain authoritative information about the host requested or cached data f...

Page 238: ... multiple zones It all depends on how the nameserver is configured 1 2 Nameserver Types There are four primary nameserver configuration types master Stores original and authoritative zone records for a namespace and answers queries about the namespace from other nameservers slave Answers queries from other nameservers concerning namespaces for which it is considered an authority However slave name...

Page 239: ...t N name statement N class option 1 option 2 option N 2 1 Common Statement Types The following types of statements are commonly used in etc named conf 2 1 1 acl Statement The acl statement or access control statement defines groups of hosts which can then be permitted or denied access to the nameserver An acl statement takes the following form acl acl name match element match element In this state...

Page 240: ...de Statement The include statement allows files to be included in a named.conf file. In this way, sensitive configuration data (such as keys) can be placed in a separate file with restrictive permissions. An include statement takes the following form: include "<file-name>"; In this statement, <file-name> is replaced with an absolute path to a file. 2.1.3. options Statement The options statement defines global ser...

Page 241: ...ders directive fail. forwarders Specifies a list of valid IP addresses for nameservers where requests should be forwarded for resolution. listen-on Specifies the network interface on which named listens for queries. By default, all interfaces are used. Using this directive on a DNS server which also acts as a gateway, BIND can be configured to only answer queries that originate from one of the networks. A l...

Page 242: ...ristics of a zone, such as the location of its configuration file and zone-specific options. This statement can be used to override the global options statements. A zone statement takes the following form: zone <zone-name> <zone-class> { <zone-options>; [<zone-options>; ...] }; In this statement, <zone-name> is the name of the zone, <zone-class> is the optional class of the zone, and <zone-options> is a list of options characteriz...

Page 243: ...y list within a zone statement. type Defines the type of zone. Below is a list of valid options: delegation-only Enforces the delegation status of infrastructure zones such as COM, NET, or ORG. Any answer that is received without an explicit or implicit delegation is treated as NXDOMAIN. This option is only applicable in TLDs or root zone files used in recursive or caching implementations. forward Forward...

Page 244: ...e allow-update line is a directive telling named the IP address of the master server. The following is an example slave server zone statement for the example.com zone: zone "example.com" { type slave; file "example.com.zone"; masters { 192.168.0.1; }; }; This zone statement configures named on the slave server to query the master server at the 192.168.0.1 IP address for information about the example.com zone. The informa...

Page 245: ...hat affect how named should respond to remote nameservers, especially in regards to notifications and zone transfers. The transfer-format option controls whether one resource record is sent with each message (one-answer) or multiple resource records are sent with each message (many-answers). While many-answers is more efficient, only newer BIND nameservers understand it. trusted-keys Contains assorted publ...

Page 246: ...e the parameters of the zone and assign identities to individual hosts. Directives are optional, but resource records are required to provide name service to a zone. All directives and resource records should be entered on individual lines. Comments can be placed after semicolon characters (;) in zone files. 3.1. Zone File Directives Directives begin with the dollar sign character ($) followed by the name of th...

Page 247: ...e file resource records. The following are used most frequently: A Address record, which specifies an IP address to assign to a name, as in this example: <host> IN A <IP-address> If the <host> value is omitted, then an A record points to a default IP address for the top of the namespace. This system is the target for all non-FQDN requests. Consider the following A record examples for the example.com zone file: I...

Page 248: ...il.example.com. IN MX 20 mail2.example.com. In this example, the first mail.example.com email server is preferred to the mail2.example.com email server when receiving email destined for the example.com domain. NS NameServer record, which announces the authoritative nameservers for a particular zone. This is an example of an NS record: IN NS <nameserver-name> The <nameserver-name> should be a FQDN. Next, two na...

Page 249: ...w long to wait before asking the master nameserver if any changes have been made to the zone. The <serial-number> directive is a numerical value used by the slave servers to determine if it is using outdated zone data and should therefore refresh it. The <time-to-retry> directive is a numerical value used by slave servers to determine the length of time to wait before issuing a refresh request in the ev...

Page 250: ...mple.com. IN NS dns2.example.com. IN MX 10 mail.example.com. IN MX 20 mail2.example.com. dns1 IN A 10.0.1.1 dns2 IN A 10.0.1.2 server1 IN A 10.0.1.5 server2 IN A 10.0.1.6 ftp IN A 10.0.1.3 IN A 10.0.1.4 mail IN CNAME server1 mail2 IN CNAME server2 www IN CNAME server1 In this example, standard directives and SOA values are used. The authoritative nameservers are set as dns1.example.com and dns2.example...

Page 251: ...le.com. This zone file would be called into service with a zone statement in the named.conf file which looks similar to the following: zone "1.0.10.in-addr.arpa" IN { type master; file "example.com.rr.zone"; allow-update { none; }; }; There is very little difference between this example and a standard zone statement, except for the zone name. Note that a reverse name resolution zone requires the first three blocks of ...
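The forward zone on page 250 and the reverse zone on page 251 are two views of the same hosts, and a mismatch between them is a common source of stale PTR data. The following Python is an added example, not code from the Red Hat guide: it parses a forward zone written in the guide's format (the zone text below is a constructed sample using the guide's names and addresses; the SOA timer values are assumed), extracts the SOA serial that slaves compare, and derives the in-addr.arpa zone name and PTR records for the 10.0.1.0/24 network exactly as the guide describes (first three octets reversed, followed by in-addr.arpa). It handles the two details that trip up hand-written parsers: the multi-line parenthesised SOA and A records whose owner name is inherited from the previous line (the guide's second ftp address).

```python
"""Zone-file helper (added example, not from the Red Hat guide): parse a BIND
forward zone like the example.com file shown on the page, extract the SOA
serial, and derive the in-addr.arpa reverse zone whose name the guide builds
from the first three octets of the network, reversed."""
import ipaddress

# Constructed sample modelled on the guide's example.com zone (names and
# addresses are the guide's; the SOA timers are assumed values).
FORWARD_ZONE = """\
$ORIGIN example.com.
$TTL 86400
@   IN SOA dns1.example.com. hostmaster.example.com. (
        2001062501 ; serial
        21600      ; refresh
        3600       ; retry
        604800     ; expire
        86400 )    ; minimum
    IN NS   dns1.example.com.
    IN NS   dns2.example.com.
    IN MX 10 mail.example.com.
    IN MX 20 mail2.example.com.
dns1    IN A 10.0.1.1
dns2    IN A 10.0.1.2
server1 IN A 10.0.1.5
server2 IN A 10.0.1.6
ftp     IN A 10.0.1.3
        IN A 10.0.1.4
mail    IN CNAME server1
mail2   IN CNAME server2
www     IN CNAME server1
"""


def _logical_lines(text):
    """Drop ';' comments and blank lines; join records split across '(' ')'."""
    out, buf, depth = [], "", 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        buf = f"{buf} {line}" if buf else line
        depth += line.count("(") - line.count(")")
        if depth == 0:
            out.append(buf)
            buf = ""
    if depth:
        raise ValueError("unbalanced parentheses in zone file")
    return out


def _fqdn(name, origin):
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    """Return (origin, soa_serial, [(owner_fqdn, ipv4), ...]) for the A records."""
    origin, serial, a_records, owner = ".", None, [], None
    for line in _logical_lines(text):
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$TTL"):
            continue
        tokens = line.split()
        if not line[0].isspace():          # an owner name starts the line;
            owner = tokens.pop(0)          # otherwise the previous owner is reused
        while tokens and (tokens[0] == "IN" or tokens[0].isdigit()):
            tokens.pop(0)                  # optional class / TTL
        rtype = tokens[0]
        rdata = [t for t in tokens[1:] if t not in ("(", ")")]
        if rtype == "SOA":
            serial = int(rdata[2])         # mname rname serial refresh retry expire minimum
        elif rtype == "A":
            a_records.append((_fqdn(owner, origin), rdata[0]))
    return origin, serial, a_records


def reverse_zone(a_records, network):
    """Build the in-addr.arpa zone for a /24: (zone_name, [(last_octet, fqdn), ...])."""
    net = ipaddress.ip_network(network)
    if net.prefixlen != 24:
        raise ValueError("this example handles /24 in-addr.arpa zones only")
    o = str(net.network_address).split(".")
    zone_name = f"{o[2]}.{o[1]}.{o[0]}.in-addr.arpa."
    ptrs = [(str(ipaddress.ip_address(ip)).split(".")[3], name)
            for name, ip in a_records if ipaddress.ip_address(ip) in net]
    ptrs.sort(key=lambda p: int(p[0]))
    return zone_name, ptrs


def render_reverse_zone(zone_name, ptrs):
    """Emit the PTR records as zone-file text (directives, SOA and NS omitted)."""
    lines = [f"$ORIGIN {zone_name}"]
    lines += [f"{octet:<4} IN PTR {name}" for octet, name in ptrs]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    origin, serial, records = parse_zone(FORWARD_ZONE)
    name, ptrs = reverse_zone(records, "10.0.1.0/24")
    print(f"{origin} serial {serial}; reverse zone {name}")
    print(render_reverse_zone(name, ptrs))
```

Feed it the real forward zone and diff the rendered PTR set against the reverse zone file before bumping the serial; a name present in one and missing from the other is exactly what the guide's "two views of the same hosts" structure is meant to avoid.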

Page 252: ...d5 -b <bit-length> -n HOST <key-file-name> A key with at least a 256-bit length is a good idea. The actual key that should be placed in the <key-value> area can be found in the <key-file-name> file generated by this command. Warning Because /etc/named.conf is world-readable, it is a good idea to place the key statement in a separate file readable only by root and then use an include statement to reference it. Fo...
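The Warning on page 252 is the operative security point: the secret in a key statement is only as private as the file it lives in. The following Python is an added example, not the guide's own procedure (the guide uses dnssec-keygen): it generates a 256-bit secret as the guide recommends, writes the key statement to a file that is created with mode 0600 from the outset (O_CREAT|O_EXCL, so there is no window in which it is world-readable), and produces the include line to put in named.conf. The key name, file names and the temporary directory are illustrative. The guide's command uses hmac-md5; this example defaults to hmac-sha256, which current BIND releases prefer. Changing ownership to root is left to the caller because it needs root privileges.

```python
"""Added example (not from the guide): create the shared secret for a BIND key
statement and store it the way the page's Warning recommends, in a file readable
only by root that /etc/named.conf pulls in with an include statement. Paths
and the key name are illustrative. The guide's dnssec-keygen call uses hmac-md5;
hmac-sha256 is used here because current BIND releases prefer it."""
import base64
import os
import secrets
import stat
import tempfile


def make_key_statement(name, bits=256, algorithm="hmac-sha256"):
    """Return (secret_b64, statement): a fresh random secret of `bits` bits and the
    named.conf key block that carries it. 256 bits matches the guide's advice."""
    if bits < 128 or bits % 8:
        raise ValueError("key length must be >= 128 bits and a multiple of 8")
    secret = base64.b64encode(secrets.token_bytes(bits // 8)).decode("ascii")
    statement = (f'key "{name}" {{\n'
                 f"    algorithm {algorithm};\n"
                 f'    secret "{secret}";\n'
                 "};\n")
    return secret, statement


def write_key_file(path, statement):
    """Create `path` with mode 0600 from the first write (O_CREAT|O_EXCL), so the
    secret is never visible to other users, not even briefly. Chown to root
    (or the named user) afterwards when running as root."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(statement)
    return path


def world_readable(path):
    """True if 'other' has read permission: named.conf normally is, the key file must not be."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def include_line(path):
    """The line to add to /etc/named.conf instead of the key statement itself."""
    return f'include "{path}";\n'


def demo(directory=None):
    """Run the whole procedure in `directory` (a temp dir by default); return what was produced."""
    directory = directory or tempfile.mkdtemp(prefix="rndc-key-")
    secret, statement = make_key_statement("rndc-key")
    key_path = write_key_file(os.path.join(directory, "rndc.key"), statement)
    return {
        "secret_bytes": len(base64.b64decode(secret)),
        "statement": statement,
        "key_path": key_path,
        "world_readable": world_readable(key_path),
        "include": include_line(key_path),
    }


if __name__ == "__main__":
    result = demo()
    print(result["statement"])
    print("add to named.conf:", result["include"].strip())
    print("world readable:", result["world_readable"])
```

The same check (world_readable on /etc/named.conf and on every file it includes) is worth running from a periodic audit job, since a later package upgrade or a hurried chmod can quietly reopen the file.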

Page 253: ...Refreshes the nameserver's database. reload Reloads the zone files but keeps all other previously cached responses. This command also allows changes to zone files without losing all stored name resolutions. If changes only affected a specific zone, reload only that specific zone by adding the name of the zone after the reload command. stats Dumps the current named statistics to the /var/named/named.stat...

Page 254: ...ND supports Incremental Zone Transfers (IXFR), where a slave nameserver only downloads the updated portions of a zone modified on a master nameserver. The standard transfer process requires that the entire zone be transferred to each slave nameserver for even the smallest change. For very popular domains with very lengthy zone files and many slave nameservers, IXFR makes the notification and update proc...

Page 255: ... would also need to know the secret key. BIND version 9 also supports TKEY, which is another shared secret key method of authorizing zone transfers. 5.4. IP version 6 BIND version 9 supports name service in IP version 6 (IPv6) environments through the use of A6 zone records. If the network environment includes both IPv4 and IPv6 hosts, use the lwresd lightweight resolver daemon on all network clients. This...

Page 256: ...ind-<version-number>/ This directory lists the most recent features. Replace <version-number> with the version of bind installed on the system. /usr/share/doc/bind-<version-number>/arm/ This directory contains HTML and SGML of the BIND 9 Administrator Reference Manual, which details BIND resource requirements, how to configure different types of nameservers, perform load balancing, and other advanced topics. For...

Page 257: ...named.conf A comprehensive list of options available within the named configuration file. man rndc.conf A comprehensive list of options available within the rndc configuration file. 7.2. Useful Websites http://www.isc.org/products/BIND/ The home page of the BIND project, containing information about current releases as well as a PDF version of the BIND 9 Administrator Reference Manual. http://www.redhat.com/...

Page 258: ...between multiple network services and BIND, with an emphasis on task-oriented technical topics. ...

Page 259: ...riety of databases to store a directory, each optimized for quick and copious read operations. When an LDAP client application connects to an LDAP server, it can either query a directory or attempt to modify it. In the event of a query, the server either answers the query locally or it can refer the querent to an LDAP server which does have the answer. If the client application is attempting to modify i...

Page 260: ... of a set of LDAP-specific terms: entry A single unit within an LDAP directory. Each entry is identified by its unique Distinguished Name (DN). attributes Information directly associated with an entry. For example, an organization could be represented as an LDAP entry. Attributes associated with the organization might include a fax number, an address, and so on. People can also be represented as entries in a...

Page 261: ...r viewing and modifying directories on an LDAP server. openldap-servers Contains the servers and other utilities necessary to configure and run an LDAP server. There are two servers contained in the openldap-servers package: the Standalone LDAP Daemon (/usr/sbin/slapd) and the Standalone LDAP Update Replication Daemon (/usr/sbin/slurpd). The slapd daemon is the standalone LDAP server, while the slurpd daemon...

Page 262: ...password value for use with ldapmodify or the rootpw value in the slapd configuration file, /etc/openldap/slapd.conf. Execute the /usr/sbin/slappasswd command to create the password. Warning You must stop slapd by issuing the /sbin/service ldap stop command before using slapadd, slapcat or slapindex. Otherwise, the integrity of the LDAP directory is at risk. For more information on using these utilities, ref...

Page 263: ...so /lib64/security/pam_ldap.so The libnss_ldap-<glibc-version>.so module allows applications to look up users, groups, hosts, and other information using an LDAP directory via glibc's Nameservice Switch (NSS) interface (replace <glibc-version> with the version of libnss_ldap in use). NSS allows applications to authenticate using LDAP in conjunction with the NIS name service and flat authentication files. The pa...

Page 264: ...ne at http://www.apache.org/ for details on the status of this module. 3.3. LDAP Client Applications There are graphical LDAP clients available which support creating and modifying directories, but they are not included with Red Hat Enterprise Linux. One such application is LDAP Browser/Editor, a Java-based tool available online at http://www.iit.edu/~gawojar/ldap/. Most other LDAP clients access directories a...

Page 265: ...a/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/rfc822-MailMember.schema include /etc/openldap/schema/redhat/autofs.schema Caution Do not modify schema items defined in the schema files installed by OpenLDAP. It is possible to extend the schema used by OpenLDAP to support additional attribute types and object classes...

Page 266: ...onf for more information. 3. Start slapd with the command: /sbin/service ldap start After configuring LDAP, use chkconfig, /usr/sbin/ntsysv, or the Services Configuration Tool to configure LDAP to start at boot time. For more information about configuring services, refer to the chapter titled Controlling Access to Services in the Red Hat Enterprise Linux System Administration Guide. 4. Add entries to an LDAP...

Page 267: ...type a password. The program prints the resulting encrypted password to the shell prompt. Next, copy the newly created encrypted password into the /etc/openldap/slapd.conf on one of the rootpw lines and remove the hash mark (#). When finished, the line should look similar to the following example: rootpw {SSHA}vv2y i6V6esazrIv70xSSnNAJE18bb2u Warning LDAP passwords, including the rootpw directive specified in ...

Page 268: ...ldap-servers package. The openldap, openldap-clients, and nss_ldap packages need to be installed on all LDAP client machines. Edit the Configuration Files On the server, edit the /etc/openldap/slapd.conf file on the LDAP server to make sure it matches the specifics of the organization. Refer to Section 6.1, "Editing /etc/openldap/slapd.conf" for instructions about editing slapd.conf. On the client machines, bo...

Page 269: ...on information into an LDAP format. Note Perl must be installed on the system to use these scripts. First, modify the migrate_common.ph file so that it reflects the correct domain. The default DNS domain should be changed from its default value to something like: $DEFAULT_MAIL_DOMAIN = "example"; The default base should also be changed to something like: $DEFAULT_BASE = "dc=example,dc=com"; The job of migrating a u...

Page 270: ...wards. This can be achieved by performing the following steps: 1. Before upgrading the operating system, run the command /usr/sbin/slapcat -l ldif-output. This outputs an LDIF file called ldif-output containing the entries from the LDAP directory. 2. Upgrade the operating system, being careful not to reformat the partition containing the LDIF file. 3. Re-import the LDAP directory to the upgraded Berkeley DB f...

Page 271: ... add entries to a slapd database. man slapcat Describes command line options used to generate an LDIF file from a slapd database. man slapindex Describes command line options used to regenerate an index based upon the contents of a slapd database. man slappasswd Describes command line options used to generate user passwords for LDAP directories. Configuration Files man ldap.conf Describes the format a...

Page 272: ... the LDAP protocol. http://www.newarchitectmag.com/archives/2000/05/wilcox/ A useful look at managing groups in LDAP. http://www.ldapman.org/articles/ Articles that offer a good introduction to LDAP, including methods to design a directory tree and customizing directory structures. 9.3. Related Books OpenLDAP by Example by John Terpstra and Benjamin Coles; Prentice Hall. Implementing LDAP by Mark Wilcox; Wrox P...

Page 273: ... Two new documents developed by the Samba.org team, which include a 400-page reference manual and a 300-page implementation and integration manual. For more information about these published titles, refer to Section 9.3, "Related Books". 1.1. Samba Features Samba is a powerful and versatile server application. Even seasoned system administrators must know its abilities and limitations before attempting ins...

Page 274: ...e requests, such as those produced by SMB/CIFS in Windows-based systems. These systems include Windows 95/98/ME, Windows NT, Windows 2000, Windows XP, and LanManager clients. It also participates in the browsing protocols that make up the Windows Network Neighborhood view. The default port that the server listens to for NMB traffic is UDP port 137. The nmbd daemon is controlled by the smb service. 2.1.3. The...

Page 275: ...y. To restart the server, type the following command in a shell prompt while logged in as root: /sbin/service smb restart The condrestart (conditional restart) option only starts smb on the condition that it is currently running. This option is useful for scripts, because it does not start the daemon if it is not running. Note When the smb.conf file is changed, Samba automatically reloads it after a few min...

Page 276: ...n controller and does not participate in a domain in any way. The following examples include several anonymous share-level security configurations and one user-level security configuration. For more information on share-level and user-level security modes, refer to Section 4, "Samba Security Modes". 3.1.1. Anonymous Read-Only The following smb.conf file shows a sample configuration needed to implement ano...

Page 277: ...iver directive is set to Yes. In this case, the Samba server has no responsibility for sharing printer drivers to the client. [global] workgroup = DOCS netbios name = DOCS_SRV security = share printcap name = cups disable spools = Yes show add printer wizard = No printing = cups [printers] comment = All Printers path = /var/spool/samba guest ok = Yes printable = Yes use client driver = Yes browseable = Yes 3.1.4. Secure Read/Write ...

Page 278: ...ility to control printer and network shares. 3.2.1. Active Directory Domain Member Server The following smb.conf file shows a sample configuration needed to implement an Active Directory domain member server. In this example, Samba authenticates users for services being run locally but is also a client of the Active Directory. Ensure that your kerberos realm parameter is shown in all caps (for example, r...

Page 279: ...beros, the /etc/krb5.conf file, and the kinit command, refer to Chapter 19, Kerberos. To join an Active Directory server (windows1.example.com), type the following command as root on the member server: root# net ads join -S windows1.example.com -U administrator%password Since the machine windows1 was automatically found in the corresponding Kerberos realm (the kinit command succeeded), the net command connects to...

Page 280: ... member server in instances where Linux-only applications are required for use in the domain environment. Administrators appreciate keeping track of all machines in the domain, even if not Windows-based. In the event the Windows-based server hardware is deprecated, it is quite easy to modify the smb.conf file to convert the server to a Samba-based PDC. If Windows NT-based servers are upgraded to Window...

Page 281: ...st. 3.3.1. Primary Domain Controller (PDC) using tdbsam The simplest and most common implementation of a Samba PDC uses the tdbsam password database backend. Planned to replace the aging smbpasswd backend, tdbsam has numerous improvements that are explained in more detail in Section 5, "Samba Account Information Databases". The passdb backend directive controls which backend is to be used for the PDC. [global]...

Page 282: ...rectory under the path shown: mkdir -p /var/lib/samba/profiles/john [Profiles] comment = Roaming Profile Share path = /var/lib/samba/profiles read only = No browseable = No guest ok = Yes profile acls = Yes # Other resource shares Note If you need more than one domain controller or have more than 250 users, do not use a tdbsam authentication backend. LDAP is recommended in these cases. 3.3.2. Primary Domain Controller (PD...

Page 283: ...up = DOCS netbios name = DOCS_SRV passdb backend = ldapsam:ldap://ldap.example.com username map = /etc/samba/smbusers security = user add user script = /usr/sbin/useradd -m %u delete user script = /usr/sbin/userdel -r %u add group script = /usr/sbin/groupadd %g delete group script = /usr/sbin/groupdel %g add user to group script = /usr/sbin/usermod -G %g %u add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null -g machines %u The f...

Page 284: ...s own LDAP database. This example uses the LDAP database of the PDC, as seen in the passdb backend directive. [global] workgroup = DOCS netbios name = DOCS_SRV2 passdb backend = ldapsam:ldap://ldap.example.com username map = /etc/samba/smbusers security = user add user script = /usr/sbin/useradd -m %u delete user script = /usr/sbin/userdel -r %u add group script = /usr/sbin/groupadd %g delete group script = /usr/sbin/groupdel %g add...

Page 285: ...implemented in one way, while user-level security can be implemented in one of four different ways. The different ways of implementing a security level are called security modes. 4.1. User-Level Security User-level security is the default setting for Samba. Even if the security = user directive is not listed in the smb.conf file, it is used by Samba. If the server accepts the client's username/password, the...

Page 286: ...de into a domain member server by using the following directives in smb.conf: [GLOBAL] security = domain workgroup = MARKETING 4.4. Active Directory Security Mode (User-Level Security) If you have an Active Directory environment, it is possible to join the domain as a native Active Directory member. Even if a security policy restricts the use of NT-compatible authentication protocols, the Samba server can join...

Page 287: ...n text backend, all usernames and passwords are sent unencrypted between the client and the Samba server. This method is very insecure and is not recommended for use by any means. It is possible that different Windows clients connecting to the Samba server with plain text passwords cannot support such an authentication method. smbpasswd A popular backend used in previous Samba packages, the smbpasswd b...

Page 288: ...s should require Active Directory or LDAP integration due to scalability and possible network infrastructure concerns. ldapsam The ldapsam backend provides an optimal distributed account installation method for Samba. LDAP is optimal because of its ability to replicate its database to any number of servers using the OpenLDAP slurpd daemon. LDAP databases are light-weight and scalable, perfect for most...

Page 289: ...ain master browser. You can have one local master browser per subnet without a domain master browser, but this results in isolated workgroups unable to see each other. To resolve NetBIOS names in cross-subnet workgroups, WINS is required. Note The Domain Master Browser can be the same machine as the WINS server. There can only be one domain master browser per workgroup name. Here is an example of the smb...

Page 290: ...e domain master browser for that domain. A Samba server must be set up as a domain master server in this type of situation. Network browsing may fail if the Samba server is running WINS along with other domain controllers in operation. For subnets that do not include the Windows NT PDC, a Samba server can be implemented as a local master browser. Configuring the smb.conf for a local master browser (or n...

Page 291: ...s are not resolvable for the client without WINS. 7. Samba with CUPS Printing Support Samba allows client machines to share printers connected to the Samba server, as well as send Linux documents to Windows printer shares. Although there are other printing systems that function with Red Hat Enterprise Linux, CUPS (Common UNIX Print System) is the recommended printing system due to its close integration w...

Page 292: ...address. The findsmb program is a Perl script which reports information about SMB-aware systems on a specific subnet. If no subnet is specified, the local subnet is used. Items displayed include IP address, NetBIOS name, workgroup or domain name, operating system, and version. The following example shows the output of executing findsmb as any valid user on a system: findsmb IP ADDR NETBIOS NAME WORKGROUP/OS...

Page 293: ...4. net net <protocol> <function> <misc_options> <target_options> The net utility is similar to the net utility used for Windows and MS-DOS. The first argument is used to specify the protocol to use when executing a command. The <protocol> option can be ads, rap, or rpc for specifying the type of server connection. Active Directory uses ads, Win9x/NT3 uses rap, and Windows NT4/2000/2003 uses rpc. If the protocol is o...

Page 294: ...ername: kristin NT username: Account Flags: [U ] User SID: S-1-5-21-1210235352-3804200048-1474496110-2012 Primary Group SID: S-1-5-21-1210235352-3804200048-1474496110-2077 Full Name: Home Directory: \\wakko\kristin HomeDir Drive: Logon Script: Profile Path: \\wakko\kristin\profile Domain: WAKKO Account desc: Workstations: Munged dial: Logon time: 0 Logoff time: Mon, 18 Jan 2038 22:14:07 GMT Kickoff time: Mon, 18 Jan 2038 2...

Page 295: ...ient program issues administrative commands using Microsoft RPCs, which provide access to the Windows administration graphical user interfaces (GUIs) for systems management. This is most often used by advanced users that understand the full complexity of Microsoft RPCs. 8.8. smbcacls smbcacls <//server/share> <filename> <options> The smbcacls program modifies Windows ACLs on files and directories shared by the...

Page 296: ...istin Password: <password> root@yakko# ls -l /mnt/html total 0 -rwxr-xr-x 1 root root 0 Jan 29 08:09 index.html 8.13. smbpasswd smbpasswd <options> <username> <password> The smbpasswd program manages encrypted passwords. This program can be run by a superuser to change any user's password, as well as by an ordinary user to change their own Samba password. 8.14. smbspool smbspool <job> <user> <title> <copies> <options> <filena...

Page 297: ...lone, domain, etc.) after testing. This is convenient when debugging, as it excludes comments and concisely presents information for experienced administrators to read. For example: testparm Load smb config files from /etc/samba/smb.conf Processing section "[homes]" Processing section "[printers]" Processing section "[tmp]" Processing section "[html]" Loaded services file OK. Server role: ROLE_STANDALONE Press enter to see...

Page 298: ...il. 9.1. Installed Documentation /usr/share/doc/samba-<version-number>/ All additional files included with the Samba distribution. This includes all helper scripts, sample configuration files, and documentation. 9.2. Red Hat Documentation Red Hat Enterprise Linux System Administration Guide; Red Hat, Inc. The Samba chapter explains how to configure a Samba server. 9.3. Related Books The Official Samba-3 HOWTO-Col...

Page 299: ...tion created by the Samba development team. Many resources are available in HTML and PDF formats, while others are only available for purchase. Although many of these links are not Red Hat Enterprise Linux specific, some concepts may apply. http://samba.org/samba/archives.html and http://us1.samba.org/samba/archives.html Active email lists for the Samba community. Enabling digest mode is recommended due to high...


Page 301: ... share files to the public. System administrators, therefore, should be aware of the FTP protocol's unique characteristics. 1.1. Multiple Ports, Multiple Modes Unlike most protocols used on the Internet, FTP requires multiple network ports to work properly. When an FTP client application initiates a connection to an FTP server, it opens port 21 on the server, known as the command port. This port is used to i...

Page 302: ... an anonymous FTP server. For more information about configuring and administering Red Hat Content Accelerator, consult the documentation available online at http://www.redhat.com/docs/manuals/tux/. vsftpd A fast, secure FTP daemon which is the preferred FTP server for Red Hat Enterprise Linux. The remainder of this chapter focuses on vsftpd. 2.1. vsftpd The Very Secure FTP Daemon (vsftpd) is designed from th...

Page 303: ...hroot jail. Because these child processes are unprivileged and only have access to the directory being shared, any crashed processes only allow the attacker access to the shared files. 3. Files Installed with vsftpd The vsftpd RPM installs the daemon (/usr/sbin/vsftpd), its configuration and related files, as well as FTP directories onto the system. The following is a list of the files and directories most...

Page 304: ...n file for vsftpd. To restart the server, as root type: /sbin/service vsftpd restart The condrestart (conditional restart) option only starts vsftpd if it is currently running. This option is useful for scripts, because it does not start the daemon if it is not running. To conditionally restart the server, as root type: /sbin/service vsftpd condrestart By default, the vsftpd service does not start automaticall...

Page 305: ...emon must be running. The first copy must be run using the vsftpd initscripts, as outlined in Section 4, "Starting and Stopping vsftpd". This copy uses the standard configuration file, /etc/vsftpd/vsftpd.conf. Each additional FTP site must have a configuration file with a unique name in the /etc/vsftpd/ directory, such as /etc/vsftpd/vsftpd-site-2.conf. Each configuration file must be readable and writable only...

Page 306: ...ve>=<value> For each directive, replace <directive> with a valid directive and <value> with a valid value. Important There must not be any spaces between the <directive>, equal symbol, and the <value> in a directive. Comment lines must be preceded by a hash mark (#) and are ignored by the daemon. For a complete list of all directives available, refer to the man page for vsftpd.conf. Important For an overview of ways to...

Page 307: ... usernames anonymous and ftp are accepted. The default value is YES. Refer to Section 5.3, "Anonymous User Options" for a list of directives affecting anonymous users. banned_email_file If the deny_email_enable directive is set to YES, this directive specifies the file containing a list of anonymous email passwords which are not permitted access to the server. The default value is /etc/vsftpd/banned_emails...

Page 308: ... Note, in Red Hat Enterprise Linux, the value is set to YES. userlist_deny When used in conjunction with the userlist_enable directive and set to NO, all local users are denied access unless the username is listed in the file specified by the userlist_file directive. Because access is denied before the client is asked for a password, setting this directive to NO prevents local users from submitting unen...

Page 309: ...o download world-readable files. The default value is YES. ftp_username Specifies the local user account (listed in /etc/passwd) used for the anonymous FTP user. The home directory specified in /etc/passwd for the user is the root directory of the anonymous FTP user. The default value is ftp. no_anon_password When enabled, the anonymous user is not asked for a password. The default value is NO. secure_email_l...

Page 310: ... logging in. The default value is NO. Warning Enabling chroot_local_user opens up a number of security issues, especially for users with upload privileges. For this reason, it is not recommended. guest_enable When enabled, all non-anonymous users are logged in as the user guest, which is the local user specified in the guest_username directive. The default value is NO. guest_username Specifies the username...
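Pages 306 to 310 state several rules that are easy to get wrong by hand: the strict <directive>=<value> syntax with no spaces around the equal sign, the YES default for anonymous_enable, the userlist_deny=NO mode that refuses unlisted users before any password crosses the wire, and the Warning against chroot_local_user for users who can upload. The following Python is an added example, not a tool from the guide or from the vsftpd project: a small checker that parses a vsftpd.conf fragment the way the page describes and reports those conditions. The sample configuration is constructed and contains one deliberately malformed line; the assumption that write_enable defaults to NO is vsftpd's own default rather than something the page states.

```python
"""Added example (not from the guide): a small checker for vsftpd.conf that
applies the rules on this and the preceding pages: directive=value with no
spaces around '=', '#' comments, anonymous_enable defaulting to YES,
userlist_deny=NO refusing unlisted users before a password is sent, and the
warning against chroot_local_user for users who can upload. The sample
configuration is constructed; the default of NO for write_enable is vsftpd's
own default, not stated on the page."""
import re

DIRECTIVE = re.compile(r"^([A-Za-z_]+)=(.*)$")

# Constructed sample with one malformed line (spaces around '=').
SAMPLE_CONF = """\
# vsftpd.conf - constructed for the checker
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask = 022
chroot_local_user=YES
userlist_enable=YES
userlist_deny=NO
"""


def parse_vsftpd_conf(text):
    """Return (settings, problems). Lines vsftpd would reject are reported, not guessed at."""
    settings, problems = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = DIRECTIVE.match(line)
        if not m or m.group(2).startswith(" "):
            problems.append(f"line {n}: not <directive>=<value> (spaces around '='?): {line!r}")
            continue
        settings[m.group(1)] = m.group(2)
    return settings, problems


def _value(settings, key, default):
    return settings.get(key, default).strip().upper()


def audit(settings):
    """Security findings as dicts {code, severity, detail}; defaults follow the page."""
    findings = []
    if _value(settings, "anonymous_enable", "YES") == "YES":
        findings.append({"code": "anonymous_login", "severity": "warning",
                         "detail": "anonymous and ftp logins allowed (default YES); "
                                   "set anonymous_enable=NO unless intended"})
    if (_value(settings, "chroot_local_user", "NO") == "YES"
            and _value(settings, "write_enable", "NO") == "YES"):
        findings.append({"code": "chroot_with_upload", "severity": "warning",
                         "detail": "chroot_local_user together with write_enable: the guide "
                                   "warns against chroot for users with upload privileges"})
    if _value(settings, "userlist_enable", "NO") == "YES":
        if _value(settings, "userlist_deny", "YES") == "NO":
            findings.append({"code": "userlist_allowlist", "severity": "info",
                             "detail": "only users in userlist_file may log in; others are "
                                       "refused before a password is requested"})
        else:
            findings.append({"code": "userlist_denylist", "severity": "info",
                             "detail": "users in userlist_file are refused before a password "
                                       "is requested; everyone else is prompted"})
    return findings


if __name__ == "__main__":
    settings, problems = parse_vsftpd_conf(SAMPLE_CONF)
    for p in problems:
        print("syntax:", p)
    for f in audit(settings):
        print(f"{f['severity']}: {f['code']}: {f['detail']}")
```

Run it against each file in /etc/vsftpd/ when several daemons share a host (page 305), since a site-specific configuration that silently drops a malformed directive falls back to the default value, which for anonymous_enable is the permissive one.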

Page 311: ...entered. The name of this file is specified in the message_file directive and is .message by default. The default value is NO. Note, in Red Hat Enterprise Linux, the value is set to YES. force_dot_files When enabled, files beginning with a dot (.) are listed in directory listings, with the exception of the . and .. files. The default value is NO. hide_ids When enabled, all directory listings show ftp as the user and g...

Page 312: ...abled in conjunction with xferlog_enable, vsftpd writes two files simultaneously: a wu-ftpd-compatible log to the file specified in the xferlog_file directive (/var/log/xferlog by default) and a standard vsftpd log file specified in the vsftpd_log_file directive (/var/log/vsftpd.log by default). The default value is NO. log_ftp_protocol When enabled in conjunction with xferlog_enable and with xferlog_std_fo...

Page 313: ...d and xferlog_std_format must be set to YES. It is also used if dual_log_enable is set to YES. The default value is /var/log/xferlog. xferlog_std_format When enabled in conjunction with xferlog_enable, only a wu-ftpd-compatible file transfer log is written to the file specified in the xferlog_file directive (/var/log/xferlog by default). It is important to note that this file only logs file transfers and d...

Page 314: ...cifies the maximum amount of time data transfers are allowed to stall, in seconds. Once triggered, the connection to the remote client is closed. The default value is 300. ftp_data_port Specifies the port used for active data connections when connect_from_port_20 is set to YES. The default value is 20. idle_session_timeout Specifies the maximum amount of time between commands from a remote client. Once trigge...

Page 315: ...ctions would result in an error message. The default value is 0, which does not limit connections. max_per_ip Specifies the maximum number of clients allowed to connect from the same source IP address. The default value is 0, which does not limit connections. pasv_address Specifies the IP address for the public-facing IP address of the server for servers behind Network Address Translation (NAT) firewalls. This...

Page 316: ... value is YES. 6. Additional Resources For more information about vsftpd, refer to the following resources. 6.1. Installed Documentation The /usr/share/doc/vsftpd-<version-number>/ directory Replace <version-number> with the installed version of the vsftpd package. This directory contains a README with basic information about the software. The TUNING file contains basic performance tuning tips and the SECURITY...

Page 317: ...ware. http://slacksite.com/other/ftp.html This website provides a concise explanation of the differences between active and passive mode FTP. http://war.jgaa.com/ftp/?cmd=rfc A comprehensive list of Request for Comments (RFCs) related to the FTP protocol. 6.3. Related Books Red Hat Enterprise Linux Security Guide; Red Hat, Inc. The Server Security chapter explains ways to secure vsftpd and other services. Useful...


Page 319: ...ining system integrity. This part describes critical tools used for the purpose of user authentication, network access control, and secure network communication. For more information about securing a Red Hat Enterprise Linux system, refer to the Red Hat Enterprise Linux Security Guide. ...

Page 321: ... for more information 1 Advantages of PAM PAM offers the following advantages It provides a common authentication scheme that can be used with a wide variety of applications It allows a large amount of flexibility and control over authentication for both system administrators and application developers It allows application developers to develop programs without creating their own authentication s...

Page 322: ...d This module interface sets and verifies passwords session This module interface configures and manages user sessions Modules with this interface can also perform additional tasks that are needed to allow access like mounting a user s home directory and making the user s mailbox available Note An individual module can provide any or all module interfaces For instance pam_unix so provides all four...

Page 323: ...ecide how important the success or failure of a particular module is to the overall goal of authenticating the user to the service There are four predefined control flags required The module result must be successful for authentication to continue If a required module result fails the user is not notified until results on all modules referencing that interface are completed requisite The module re...

Page 324: ...le uses secrets stored in a Berkeley DB file to authenticate the user Berkeley DB is an open source database system embedded in many applications The module takes a db argument so that Berkeley DB knows which database to use for the requested service A typical pam_userdb so line within a PAM configuration file looks like this auth required pam_userdb so db path to file In the previous example repl...

Page 325: ...ple all three auth modules are checked even if the first auth module fails This prevents the user from knowing at what stage their authentication failed Such knowledge in the hands of an attacker could allow them to more easily deduce how to crack the system account required pam_unix so This module performs any necessary account verification For example if shadow passwords have been enabled the ac...

Page 326: ..._cracklib so test for secure passwords before being accepted session required pam_unix so The final line specifies that the session component of the pam_unix so module manages the session This module logs the username and the service type to var log messages at the beginning and end of each session It can be supplemented by stacking it with other session modules for more functionality The next sam...

Page 327: ...at the user must now pass through the PAM configuration for system authentication as found in etc pam d system auth Tip To prevent PAM from prompting for a password when the securetty result fails change the pam_securetty so module from required to requisite 5 Creating PAM Modules New PAM modules can be added at any time for PAM aware applications to use For example if a developer invents a one ti...

Page 328: ...enged administrative access for the user The existence of the timestamp file is denoted by an authentication icon in the notification area of the panel Below is an illustration of the authentication icon Figure 16 1 The Authentication Icon 6 1 Removing the Timestamp File It is recommended that before walking away from a console where a PAM timestamp is active the timestamp file be destroyed To do ...

Page 329: ...gin programs gdm and kdm If this user is the first user to log in at the physical console called the console user the module grants the user ownership of a variety of devices normally owned by root The console user owns these devices until the last local session for that user ends Once the user has logged out ownership of the devices reverts back to the root user The devices affected include but a...

Page 330: ...roup of applications the console user has access to are three programs which shut off or reboot the system These are sbin halt sbin reboot sbin poweroff Because these are PAM aware applications they call the pam_console so module as a requirement for use For more information refer to the Section 8 1 Installed Documentation 8 Additional Resources The following resources further explain methods to u...

Page 331: ...e perms Describes the format and options available within etc security console perms the configuration file for the console user permissions assigned by PAM man pam_timestamp Describes the pam_timestamp so module usr share doc pam version number Contains a System Administrators Guide a Module Writers Manual and the Application Developers Manual as well as a copy of the PAM standard DCE RFC 86 0 re...

Page 333: ...The TCP wrappers package tcp_wrappers is installed by default and provides host based access control to network services The most important component within the package is the usr lib libwrap a library In general terms a TCP wrapped service is one that has been compiled against the libwrap a library When a connection attempt is made to a TCP wrapped service the service first references the hosts a...

Page 334: ... TCP wrappers operate separately from the network services they protect allowing many server applications to share a common set of configuration files for simpler management 2 TCP Wrappers Configuration Files To determine if a client machine is allowed to connect to a service TCP wrappers reference the following two files which are commonly referred to as hosts access files etc hosts allow etc hos...

Page 335: ...line of a hosts access file is not a newline character created by pressing the Enter key the last rule in the file fails and an error is logged to either var log messages or var log secure This is also the case for a rule that spans multiple lines without using the backslash The following example illustrates the relevant portion of a log message for a rule failure due to either of these circumstan...

Page 336: ...ss rule is more complex and uses two option fields sshd example com spawn bin echo bin date access denied var log sshd log deny Note that each option field is preceded by the backslash Use of the backslash prevents failure of the rule due to length This sample rule states that if a connection to the SSH daemon sshd is attempted from a host in the example com domain execute the echo command which l...

Page 337: ...cing a period at the beginning of a hostname matches all hosts sharing the listed components of the name The following example applies to any host within the example com domain ALL example com IP address ending with a period Placing a period at the end of an IP address matches all hosts sharing the initial numeric groups of an IP address The following example applies to any host within the 192 168...

Page 338: ...ecessary The following example refers TCP wrappers to the etc telnet hosts file for all Telnet connections in telnetd etc telnet hosts Other lesser used patterns are also accepted by TCP wrappers Refer to the hosts_access man 5 page for more information Warning Be very careful when using hostnames and domain names Attackers can use a variety of tricks to circumvent accurate name resolution In addi...

Page 339: ...XCEPT operators This allows other administrators to quickly scan the appropriate files to see what hosts are allowed or denied access to services without having to sort through EXCEPT operators 2 2 Option Fields In addition to basic rules allowing and denying access the Red Hat Enterprise Linux implementation of TCP wrappers supports extensions to the access control language through option fields ...

Page 340: ...ample com but deny connections from client 2 example com sshd client 1 example com allow sshd client 2 example com deny By allowing access control on a per rule basis the option field allows administrators to consolidate all access rules into a single file either hosts allow or hosts deny Some consider this an easier way of organizing access rules 2 2 3 Shell Commands Option fields allow access ru...

Page 341: ...variety of client information such as the username and hostname or the username and IP address d Supplies the daemon process name h Supplies the client s hostname or IP address if the hostname is unavailable H Supplies the server s hostname or IP address if the hostname is unavailable n Supplies the client s hostname If unavailable unknown is printed If the client s hostname and host address do no...

Page 342: ... daemon is a TCP wrapped super service which controls access to a subset of popular network services including FTP IMAP and Telnet It also provides service specific configuration options for access control enhanced logging binding redirection and resource utilization control When a client host attempts to connect to a network service controlled by xinetd the super service receives the request and ...

Page 343: ...rded log_on_failure Configures xinetd to log if there is a connection failure or if the connection is not allowed cps Configures xinetd to allow no more than 25 connections per second to any given service If this limit is reached the service is retired for 30 seconds includedir etc xinetd d Includes options declared in the service specific configuration files located in the etc xinetd d directory ...

Page 344: ...ocket type to stream wait Defines whether the service is single threaded yes or multi threaded no user Defines what user ID the process runs under server Defines the binary executable to be launched log_on_failure Defines logging parameters for log_on_failure in addition to those already defined in xinetd conf disable Defines whether the service is active 4 3 Altering xinetd Configuration Files Th...

Page 345: ...d administrator restarts the xinetd service Also unlike TCP wrappers access control through xinetd only affects services controlled by xinetd The xinetd hosts access control differs from the method used by TCP wrappers While TCP wrappers places all of the access configuration within two files etc hosts allow and etc hosts deny xinetd s access control is found in each service s configuration file w...

Page 346: ...ionship between the two access control mechanisms The following is the order of operations followed by xinetd when a client requests a connection 1 The xinetd daemon accesses the TCP wrappers hosts access rules through a libwrap a library call If a deny rule matches the client host the connection is dropped If an allow rule matches the client host the connection is passed on to xinetd 2 The xinetd...

Page 347: ... only the first machine can see an internal system can be used to provide services for a totally different network Alternatively these options can be used to limit the exposure of a particular service on a multi homed machine to a known IP address as well as redirect any requests for that service to another machine specially configured for that purpose For example consider a system that is used as...

Page 348: ...ting point number argument There are more resource management options available for xinetd Refer to the chapter titled Server Security in the Red Hat Enterprise Linux Security Guide for more information as well as the xinetd conf man page 5 Additional Resources Additional information concerning TCP wrappers and xinetd is available from system documentation and on the Internet 5 1 Installed Documen...

Page 349: ... listing of features and an informative FAQ http www macsecurity org resources xinetd tutorial shtml A thorough tutorial that discusses many different ways to tweak default xinetd configuration files to meet specific security goals 5 3 Related Books Red Hat Enterprise Linux Security Guide Red Hat Inc Provides an overview of workstation server and network security with specific suggestions regardin...

Page 351: ...rewall based on these rules refer to Section 7 Additional Resources Warning The default firewall mechanism under the 2 4 and newer kernels is iptables but iptables cannot be used if ipchains are already running If ipchains is present at boot time the kernel issues an error and fails to start iptables The functionality of ipchains is not affected by these errors 1 Packet Filtering The Linux kernel ...

Page 352: ...ts routed through the host PREROUTING Alters incoming network packets before they are routed POSTROUTING Alters network packets before they are sent out Every network packet received by or sent from a Linux system is subject to at least one table However a packet may be subjected to multiple rules within each table before emerging at the end of the chain The structure and purpose of these rules ma...

Page 353: ...he following significant differences between ipchains and iptables before attempting to use iptables Under iptables each filtered packet is processed using rules from only one chain rather than multiple chains For instance a FORWARD packet coming into a system using ipchains would have to go through the INPUT FORWARD and OUTPUT chains to move along to its destination However iptables only sends pa...

Page 354: ...table name command chain name parameter 1 option 1 parameter n option n The table name option allows the user to select a table other than the default filter table to use with the command The command option dictates a specific action to perform such as appending or deleting the rule specified by the chain name option Following the chain name are pairs of parameters and options that define what hap...

Page 355: ...mmand flushes every rule from every chain h Provides a list of command structures as well as a quick summary of command parameters and options I Inserts a rule in a chain at a point specified by a user defined integer value If no number is specified iptables places the command at the top of the chain Caution Be aware when using the A or I option that the order of the rules within a chain are impor...

Page 356: ...itmask f Applies this rule only to fragmented packets By using the exclamation point character option after this parameter only unfragmented packets are matched i Sets the incoming network interface such as eth0 or ppp0 With iptables this optional parameter may only be used with the INPUT and FORWARD chains when used with the filter table and the PREROUTING chain with the nat and mangle tables Thi...

Page 357: ...cols provide specialized matching options which can be configured to match a particular packet using that protocol However the protocol must first be specified in the iptables command For example p tcp protocol name where protocol name is the target protocol makes options for the specified protocol available 3 4 1 TCP Protocol These match options are available for the TCP protocol p tcp dport Sets...

Page 358: ...e ACK and FIN flags unset Using the exclamation point character after tcp flags reverses the effect of the match option tcp option Attempts to match with TCP specific options that can be set within a particular packet This match option can also be reversed with the exclamation point character 3 4 2 UDP Protocol These match options are available for the UDP protocol p udp dport Specifies the destin...

Page 359: ...petitive messages or using up system resources Refer to Section 3 5 Target Options for more information about the LOG target The limit module enables the following options limit Sets the number of matches for a particular range of time specified with a number and time modifier arranged in a number time format For example using limit 5 hour only lets a rule match 5 times in a single hour If a numbe...

Page 360: ...ich match the packet specify a target The following are the standard targets user defined chain Replace user defined chain with the name of a user defined chain within the table This target passes the packet to the target chain ACCEPT Allows the packet to successfully move on to its destination or another chain DROP Drops the packet without responding to the requester The system that sent the pack...

Page 361: ...mote system and drops the packet The REJECT target accepts reject with type where type is the rejection type allowing more detailed information to be sent back with the error packet The message port unreachable is the default type error given if no other option is used For a full list of type options refer to the iptables man page Other target extensions including several that are useful for IP ma...

Page 362: ... script reapplies the rules saved in etc sysconfig iptables by using the sbin iptables restore command While it is always a good idea to test a new iptables rule before committing it to the etc sysconfig iptables file it is possible to copy iptables rules into this file from another system s version of this file This provides a quick way to distribute sets of iptables rules to multiple machines Im...

Page 363: ...If the IPTABLES_SAVE_ON_RESTART directive within the etc sysconfig iptables config configuration file is changed from its default value to yes current rules are saved to etc sysconfig iptables and any existing rules are moved to the file etc sysconfig iptables save Refer to Section 5 1 iptables Control Scripts Configuration File for more information about the iptables config file status Prints to ...

Page 364: ...his directive accepts the following values yes Saves existing rules to etc sysconfig iptables when the firewall is stopped moving the previous version to the etc sysconfig iptables save file no The default value Does not save existing rules when the firewall is stopped IPTABLES_SAVE_ON_RESTART Saves current firewall rules when the firewall is restarted This directive accepts the following values y...

Page 365: ...er to the following sources for additional information on packet filtering with iptables Red Hat Enterprise Linux Security Guide Red Hat Inc Contains a chapter about the role of firewalls within an overall security strategy as well as strategies for constructing firewall rules Red Hat Enterprise Linux System Administration Guide Red Hat Inc Contains a chapter about configuring firewalls using Secu...

Page 366: ...iptables commands http www redhat com support resources networking firewall html This webpage links to a variety of up to date packet filter resources ...

Page 367: ...ication schemes Such schemes require a user to authenticate to a given network server by supplying their username and password Unfortunately the transmission of authentication information for many services is unencrypted For such a scheme to be secure the network has to be inaccessible to outsiders and all computers and users on the network must be trusted and trustworthy Even if this is the case ...

Page 368: ... server and client side communicate Again this may require extensive programming Closed source applications that do not have Kerberos support by default are often the most problematic Kerberos is an all or nothing solution Once Kerberos is used on the network any unencrypted passwords transferred to a non kerberized service is at risk Thus the network gains no benefit from the use of Kerberos To s...

Page 369: ...a cannot be decrypted without the proper key or extremely good guessing key distribution center KDC A service that issues Kerberos tickets usually run on the same host as the ticket granting server TGS keytab or key table A file that includes an unencrypted list of principals and their keys Servers retrieve the keys they need from keytab files instead of using kinit The default keytab file is etc ...

Page 370: ... machine and any kerberized services look for the ticket on the user s machine rather than asking the user to authenticate using a password When a user on a kerberized network logs in to their workstation their principal is sent to the KDC in a request for a TGT from AS This request can be sent by the login program so that it is transparent to the user or can be sent by the kinit program after the...

Page 371: ...or details on setting up Network Time Protocol servers replace version number with the version number of the ntp package installed on the system Also since certain aspects of Kerberos rely on the Domain Name Service DNS be sure that the DNS entries and hosts on the network are all properly configured Refer to the Kerberos V5 System Administrator s Guide provided in PostScript and HTML formats in u...

Page 372: ... not authenticate to the server This clock synchronization is necessary to prevent an attacker from using an old Kerberos ticket to masquerade as a valid user It is advisable to set up a Network Time Protocol NTP compatible client server network even if Kerberos is not being used Red Hat Enterprise Linux includes the ntp package for this purpose Refer to usr share doc ntp version number index htm ...

Page 373: ...his configuration users with a second principal with an instance of admin for example joe admin EXAMPLE COM are able to wield full power over the realm s Kerberos database Once kadmind is started on the server any user can access its services by running kadmin on any of the clients or servers in the realm However only users listed in the kadm5 acl file can modify the database in any way except for...

Page 374: ... the client packages and provide each client with a valid krb5 conf configuration file Kerberized versions of rsh and rlogin also requires some configuration changes 1 Be sure that time synchronization is in place between the Kerberos client and the KDC Refer to Section 5 Configuring a Kerberos 5 Server for more information In addition verify that DNS is working properly on the Kerberos client bef...

Page 375: ...P should function properly with Kerberos as long as the cyrus user is able to find the proper key in etc krb5 keytab and the root for the principal is set to imap created with kadmin The dovecot package also contains an IMAP server alternative to cyrus imap which is also included with Red Hat Enterprise Linux but does not support GSS API and Kerberos to date CVS To use a kerberized CVS server gser...

Page 376: ...s Administrative Applications man kadmin Describes how to use this command to administer the Kerberos V5 database man kdb5_util Describes how to use this command to create and perform low level administrative functions on the Kerberos V5 database Server Applications man krb5kdc Describes available command line options for the Kerberos V5 KDC man kadmind Describes available command line options for...

Page 377: ...Bill Bryant in 1988 modified by Theodore Ts o in 1997 This document is a conversation between two developers who are thinking through the creation of a Kerberos style authentication system The conversational style of the discussion make this a good starting place for people who are completely unfamiliar with Kerberos http www ornl gov jar HowToKerb html How to Kerberize your site is a good referen...

Page 379: ...y The client transmits its authentication information to the server using strong 128 bit encryption All data sent and received during a session is transferred using 128 bit encryption making intercepted transmissions extremely difficult to decrypt and read The client can forward X111 applications from the server This technique called X11 forwarding provides a secure means to use graphical applicat...

Page 380: ...r hostile reasons the results can be disastrous If SSH is used for remote shell login and file copying these security threats can be greatly diminished This is because the SSH client and server use digital signatures to verify their identity Additionally all communication between the client and server systems is encrypted Attempts to spoof the identity of either side of a communication does not wo...

Page 381: ...ransfer of information Once an SSH client contacts a server key information is exchanged so that the two systems can correctly construct the transport layer The following steps occur during this exchange Keys are exchanged The public key encryption algorithm is determined The symmetric encryption algorithm is determined The message authentication algorithm is determined The hash algorithm is deter...

Page 382: ... limited period of time 3 2 Authentication Once the transport layer has constructed a secure tunnel to pass information between the two systems the server tells the client the different authentication methods supported such as using a private key encoded signature or typing a password The client then tries to authenticate itself to the server using one of these supported methods SSH servers and cl...

Page 383: ...in the etc ssh directory moduli Contains Diffie Hellman groups used for the Diffie Hellman key exchange which is critical for constructing a secure transport layer When keys are exchanged at the beginning of an SSH session a shared secret value is created which cannot be determined by either party alone This value is then used to provide host authentication ssh_config The system wide default SSH c...

Page 384: ..._hosts file using a text editor Before doing this however contact the system administrator of the SSH server to verify the server is not compromised Refer to the ssh_config and sshd_config man pages for information concerning the various directives available in the SSH configuration files 5 More Than a Secure Shell A secure command line interface is just the beginning of the many ways SSH can be u...

Page 385: ...mail example com using POP3 through an encrypted connection use the following command ssh L 1100 mail example com 110 mail example com Once the port forwarding channel is in place between the client machine and the mail server direct a POP3 mail client to use port 1100 on the localhost to check for new mail Any requests sent to port 1100 on the client system are directed securely to the mail examp...

Page 386: ...Requiring SSH for Remote Connections For SSH to be truly effective using insecure connection protocols such as Telnet and FTP should be prohibited Otherwise a user s password may be protected using SSH for one session only to be captured later while logging in using Telnet Some services to disable include telnet rsh rlogin vsftpd To disable insecure connection methods to the system use the command...

Page 387: ...pplications man sshd Describes available command line options for the SSH server Configuration Files man ssh_config Describes the format and options available within the configuration file for SSH clients man sshd_config Describes the format and options available within the configuration file for the SSH server 7 2 Useful Websites http www openssh com The OpenSSH FAQ page bug reports mailing lists...

Page 389: ...ient as needed and is very finely detailed This detail gives the SELinux kernel complete granular control over the entire system When a subject such as an application attempts to access an object such as a file the policy enforcement server in the kernel checks an access vector cache AVC where subject and object permissions are cached If a decision cannot be made based on data in the AVC the reque...

Page 390: ...figure SELinux under Red Hat Enterprise Linux using the Security Level Configuration Tool system config securitylevel or manually editing the configuration file etc sysconfig selinux The etc sysconfig selinux file is the primary configuration file for enabling or disabling SELinux as well as setting which policy to enforce on the system and how to enforce it Note The etc sysconfig selinux contains...

Page 391: ...d by SELinux targeted Only targeted network daemons are protected Important The following daemons are protected in the default targeted policy dhcpd httpd apache te named nscd ntpd portmap snmpd squid and syslogd The rest of the system runs in the unconfined_t domain The policy files for these daemons can be found in etc selinux targeted src policy domains program and are subject to change as newe...

Page 392: ...fies in real time the mode SELinux is running By executing setenforce 1 SELinux is put in enforcing mode By executing setenforce 0 SELinux is put in permissive mode To actually disable SELinux you need to either set the parameter in etc sysconfig selinux or pass the parameter selinux 0 to the kernel either in etc grub conf or at boot time usr bin sestatus v Gets the detailed status of a system run...

Page 393: ...Red Hat Documentation Red Hat SELinux Guide Explains what SELinux is and explains how to work with SELinux 3 3 Useful Websites http www nsa gov selinux Homepage for the NSA SELinux development team Many resources are available in HTML and PDF formats Although many of these links are not Red Hat Enterprise Linux specific some concepts may apply http fedora redhat com docs Homepage for the Fedora do...

Page 395: ...Part IV Appendixes ...

Page 397: ... adapters and network adapters are not included in the installation kernel Rather they must be loaded as modules by the user at boot time Once installation is completed support exists for a large number of devices through kernel modules Important Red Hat provides a large number of unsupported device drivers in groups of packages called kernel smp unsupported kernel version and kernel hugemem unsup...

Page 398: ...seq_oss snd_seq 51633 5 snd_seq_dummy snd_seq_oss snd_seq_midi_event snd_seq_device 8781 4 snd_rawmidi snd_seq_dummy snd_seq_oss snd_seq snd_pcm_oss 42849 0 snd_mixer_oss 16833 1 snd_pcm_oss snd_pcm 76485 3 snd_ens1371 snd_ac97_codec snd_pcm_oss snd_timer 23237 2 snd_seq snd_pcm snd 52933 12 snd_ens1371 snd_rawmidi snd_ac97_codec snd_seq_oss snd_seq snd_seq_device snd_pcm_oss snd_mixer_os soundcor...

Page 399: ...ds the module dependencies before loading the specified module For example the command sbin modprobe e100 loads any module dependencies and then the e100 module To print to the screen all commands as sbin modprobe executes them use the v option For example sbin modprobe v e100 Output similar to the following is displayed sbin insmod lib modules 2 6 9 5 EL kernel drivers net e100 ko Using lib modul...

Page 400: ...nce of the etc rc modules file at boot time which contains various commands to load modules The rc modules should be used and notrc local because rc modules is executed earlier in the boot process For example the following commands configure loading of the foo module at boot time as root echo modprobe foo etc rc modules chmod x etc rc modules Tip This approach is not necessary for network and SCSI...

Page 401: ...dma addressing is using 64 bit DAC 0 off 1 on commit Control whether a COMMIT_CONFIG is issued to the adapter for foreign arrays This is typically needed in systems that do not have a BIOS 0 off 1 on startup_timeout The duration of time in seconds to wait for adapter to have it s kernel up and running This is typically adjusted for large systems that do not have a BIOS aif_timeout The duration of ...

Page 402: ...86x AIC 787x AIC 788x AIC 789x AIC 3860 aic7xxx ko verbose Enable verbose diagnostic logging allow_memio Allow device registers to be memory mapped debug Bitmask of debug values to enable no_probe Toggle EISA VLB controller probing probe_eisa_vl Toggle EISA VLB controller probing no_reset Supress initial bus resets extended Enable extended geometry on all controllers periodic_otag Send an ordered ...

Page 403: ...f commands per logical unit default 64 fast_load Faster loading of the driver skips physical devices default 0 debug_level Debug level for driver default 0 Emulex LightPulse Fibre Channel SCSI driver lpfc ko lpfc_poll FCP ring polling mode control 0 none 1 poll with interrupts enabled 3 poll and disable FCP ring interrupts lpfc_log_verbose Verbose logging bit mask lpfc_lun_queue_depth Max number o...

Page 404: ...Use ADISC on rediscovery to authenticate FCP devices lpfc_ack0 Enable ACK0 support lpfc_cr_delay A count of milliseconds after which an interrupt response is generated lpfc_cr_count A count of I O completions after which an interrupt response is generated lpfc_multi_ring_support Determines number of primary SLI rings to spread IOCB entries across lpfc_fdmi_on Enable FDMI support lpfc_discovery_thr...

Page 405: ...ar persistency table mpt_saf_te Force enabling SEP Processor QLogic Fibre Channel Driver qla2xxx ko ql2xlogintimeout Login timeout value in seconds qlport_down_retry Maximum number of command retries to a port that returns a PORT DOWN status ql2xplogiabsentdevice Option to enable PLOGI to devices that are not present after a Fabric scan ql2xloginretrycount Specify an alternate value for the NVRAM ...

Page 406: ...egisters led Set to 1 to enable LED support diff 0 for no differential mode 1 for BIOS 2 for always 3 for not GPIO3 irqm 0 for open drain 1 to leave alone 2 for totem pole buschk 0 to not check 1 for detach on error 2 for warn on error hostid The SCSI ID to use for the host adapters verb 0 for minimal verbosity 1 for normal 2 for excessive debug Set bits to enable debugging settle Settle delay in ...

Page 407: ...should module parameters be adjusted. Module parameters can be viewed using the modinfo command. Note: For information about using these tools, consult the man pages for ethtool, mii-tool, and modinfo. Hardware / Module / Parameters: 3Com EtherLink PCI III/XL, Vortex (3c590, 3c592, 3c595, 3c597), Boomerang (3c900, 3c905, 3c595) (3c59x.ko): debug: 3c59x debug level (0-6); options: 3c59x: Bits 0-3: media type, bit 4: bus mastering, b...

Page 408: ...ies to all NICs if enable_wol is unset rx_copybreak 3c59x copy breakpoint for copy only tiny frames max_interrupt_work 3c59x maximum events handled per interrupt compaq_ioaddr 3c59x PCI I O base address Compaq BIOS problem workaround compaq_irq 3c59x PCI IRQ number Compaq BIOS problem workaround compaq_device_id 3c59x PCI device ID Compaq BIOS problem workaround watchdog 3c59x transmit timeout in ...

Page 409: ...le Message Signaled Interrupt MSI Intel Ether Express 100 driver e100 ko debug Debug level 0 none 16 all eeprom_bad_csum_allow Allow bad eeprom checksums Intel EtherExpress 1000 Gigabit e1000 ko TxDescriptors Number of transmit descriptors RxDescriptors Number of receive descriptors Speed Speed setting Duplex Duplex setting AutoNeg Advertised auto negotiation setting FlowControl Flow Control setti...

Page 410: ...0ge_fw_name Firmware image name myri10ge_ecrc_enable Enable Extended CRC on PCI E myri10ge_max_intr_slots Interrupt queue slots myri10ge_small_bytes Threshold of small packets myri10ge_msi Enable Message Signalled Interrupts myri10ge_intr_coal_delay Interrupt coalescing delay myri10ge_flow_control Pause parameter myri10ge_deassert_wait Wait when deasserting legacy interrupts myri10ge_force_firmwar...

Page 411: ...U all boards debug DP8381x default debug level rx_copybreak DP8381x copy breakpoint for copy only tiny frames options DP8381x Bits 0 3 media type bit 17 full duplex full_duplex DP8381x full duplex setting s 1 AMD PCnet32 and AMD PCnetPCI pcnet32 ko PCnet32 and PCnetPCI pcnet32 ko debug pcnet32 debug level max_interrupt_work pcnet32 maximum events handled per interrupt rx_copybreak pcnet32 copy bre...

Page 412: ... Copy breakpoint for copy only tiny frames use_dac Enable PCI DAC Unsafe on 32 bit PCI slot debug Debug verbosity level 0 none 16 all Neterion Xframe 10GbE Server Adapter s2io ko SIS 900 701G PCI Fast Ethernet sis900 ko multicast_filter_limit SiS 900 7016 maximum number of filtered multicast addresses max_interrupt_work SiS 900 7016 maximum events handled per interrupt sis900_debug SiS 900 7016 bi...

Page 413: ...eprecated: Bits 0-3: media type, bit 17: full duplex; full_duplex: Deprecated: Forced full duplex setting(s) (0-1); enable_hw_cksum: Enable/disable hardware cksum support (0-1). Broadcom Tigon3 (tg3.ko): tg3_debug: Tigon3 bitmapped debugging message enable value. ThunderLAN PCI (tlan.ko): aui: ThunderLAN use AUI port(s) (0-1); duplex: ThunderLAN duplex setting(s) (0 default, 1 half, 2 full); speed: ThunderLAN port speed setting(s) (0, 10...

Page 414: ...pt; debug: VIA Rhine debug level (0-7); rx_copybreak: VIA Rhine copy breakpoint for copy-only-tiny-frames; avoid_D3: Avoid power state D3 (work-around for broken BIOSes). Table A.2. Ethernet Module Parameters. 5.1. Using Multiple Ethernet Cards: It is possible to use multiple Ethernet cards on a single machine. For each card there must be an alias and, possibly, options lines for each card in /etc/modprobe.conf. For ...

Page 415: ...Refer to Section 5.2.1, bonding Module Directives, for a listing of available options. 4. After testing, place preferred module options in /etc/modprobe.conf. 5.2.1. bonding Module Directives: Before finalizing the settings for the bonding module, it is a good idea to test which settings work best. To do this, open a shell prompt as root and type tail -f /var/log/messages. Open another shell prompt and use the s...

Page 416: ... policy for fault tolerance and load balancing. The outgoing traffic is distributed according to the current load on each slave interface. Incoming traffic is received by the current slave. If the receiving slave fails, another slave takes over the MAC address of the failed slave. 6: Sets an Active Load Balancing (ALB) policy for fault tolerance and load balancing. Includes transmit and receive load balanc...

Page 417: ...he interface name, such as eth0, of the primary device. The primary device is the first of the bonding interfaces to be used and is not abandoned unless it fails. This setting is particularly useful when one NIC in the bonding interface is faster and therefore able to handle a bigger load. This setting is only valid when the bonding interface is in active-backup mode. Refer to /usr/share/doc/kernel-doc k...
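The procedure spread over pages 414 to 417 (alias and options lines in /etc/modprobe.conf, one ifcfg file for the bond and one per slave, and the constraints the text places on the mode and primary directives), as an added shell example that is not code from the Reference Guide. The ROOT prefix, the function names and the scratch directory are this example's own assumptions; the miimon check reflects the bonding driver's default of miimon=0, which turns link monitoring off, and is not stated on these pages.

```shell
#!/bin/sh
# Added example, not code from the Reference Guide: write the bonding set-up
# the page describes (alias and options lines in /etc/modprobe.conf, an
# ifcfg-bondN master and ifcfg-ethN slaves) after validating the directives
# the page calls out. ROOT is an assumed prefix so the functions can be run
# against a scratch tree; on a real system use ROOT=/ as root and then bring
# the interfaces up. The function names are this example's own.

# check_bonding_opts MODE MIIMON [PRIMARY] -> 0 if the combination is usable
check_bonding_opts() {
    mode=$1; miimon=$2; primary=$3
    case $mode in
        [0-6]) ;;
        *) echo "mode=$mode is not a bonding policy (0-6)" >&2; return 1 ;;
    esac
    case $miimon in
        ''|*[!0-9]*) echo "miimon must be an integer number of ms" >&2; return 1 ;;
    esac
    # miimon=0 is the driver default and turns link monitoring off: a failed
    # slave is never detected, so the fault tolerance never actually happens.
    if [ "$miimon" -eq 0 ]; then
        echo "miimon=0 disables link monitoring; use e.g. miimon=100" >&2
        return 1
    fi
    # primary= is only honoured in active-backup mode (mode=1), as the page says.
    if [ -n "$primary" ] && [ "$mode" -ne 1 ]; then
        echo "primary=$primary is only valid with mode=1 (active-backup)" >&2
        return 1
    fi
    return 0
}

# write_bonding ROOT BOND IPADDR NETMASK MODE MIIMON PRIMARY SLAVE SLAVE...
# PRIMARY may be "" for none. Returns 1 without writing anything if invalid.
write_bonding() {
    root=$1; bond=$2; ip=$3; mask=$4; mode=$5; miimon=$6; primary=$7
    shift 7
    check_bonding_opts "$mode" "$miimon" "$primary" || return 1
    [ $# -ge 2 ] || { echo "a bond needs at least two slaves" >&2; return 1; }
    if [ -n "$primary" ]; then
        found=0
        for s in "$@"; do
            if [ "$s" = "$primary" ]; then found=1; fi
        done
        [ "$found" -eq 1 ] || { echo "primary=$primary is not a slave" >&2; return 1; }
    fi
    scripts="$root/etc/sysconfig/network-scripts"
    mkdir -p "$root/etc" "$scripts"
    # /etc/modprobe.conf: the alias binds the interface name to the bonding
    # module; the options line carries the directives chosen after testing.
    opts="mode=$mode miimon=$miimon"
    if [ -n "$primary" ]; then opts="$opts primary=$primary"; fi
    {
        echo "alias $bond bonding"
        echo "options $bond $opts"
    } >> "$root/etc/modprobe.conf"
    # The master owns the IP address; slaves carry no address of their own.
    {
        echo "DEVICE=$bond"; echo "IPADDR=$ip"; echo "NETMASK=$mask"
        echo "ONBOOT=yes"; echo "BOOTPROTO=none"
    } > "$scripts/ifcfg-$bond"
    for s in "$@"; do
        {
            echo "DEVICE=$s"; echo "MASTER=$bond"; echo "SLAVE=yes"
            echo "ONBOOT=yes"; echo "BOOTPROTO=none"
        } > "$scripts/ifcfg-$s"
    done
}

# bond_slaves ROOT BOND -> prints the interfaces whose ifcfg file enslaves
# them to BOND, one per line
bond_slaves() {
    grep -l "^MASTER=$2\$" "$1"/etc/sysconfig/network-scripts/ifcfg-* 2>/dev/null \
        | sed 's/.*ifcfg-//'
}

# Demo against a constructed scratch tree, never the live /etc.
demo_root=$(mktemp -d)
write_bonding "$demo_root" bond0 192.168.1.10 255.255.255.0 1 100 eth0 eth0 eth1
echo "bond0 slaves: $(bond_slaves "$demo_root" bond0 | tr '\n' ' ')"
cat "$demo_root/etc/modprobe.conf"
write_bonding "$demo_root" bond1 10.0.0.5 255.255.255.0 6 100 eth2 eth2 eth3 \
    || echo "rejected: primary= outside active-backup mode"
rm -rf "$demo_root"
```

Follow the page's own order: run check_bonding_opts on the candidate directives, load the module by hand with tail -f /var/log/messages open in another shell, and only once the settings behave call write_bonding with ROOT=/ so the same directives land in /etc/modprobe.conf and the ifcfg files for the next boot.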

Page 418: ...od man page: description and list of command line options; modprobe man page: description and list of command line options; rmmod man page: description and list of command line options; modinfo man page: description and list of command line options; /usr/share/doc/kernel-doc-<version>/Documentation/kbuild/modules.txt: how to compile and use kernel modules. Note: you must have the kernel-doc package installed to...

Page 419: ...guration directive 176 AddType Apache configuration directive 177 Alias Apache configuration directive 174 Allow Apache configuration directive 171 AllowOverride Apache configuration directive 170 Apache see Apache HTTP Server Apache HTTP Server 1 3 migration to 2 0 149 2 0 features of 147 file system changes 148 migration from 1 3 149 MPM specific directives 165 packaging changes 148 additional r...

Page 420: ... file examples 226 zone file resource records 223 zone statements sample 220 features 230 DNS enhancements 230 IPv6 231 multiple views 230 security 231 introducing 213 213 named daemon 214 nameserver definition of 213 nameserver types caching only 214 forwarding 214 master 214 slave 214 rndc program 227 etc rndc conf 228 command line options 229 configuring keys 228 configuring named to use 227 ro...

Page 421: ...CustomLog 174 DefaultIcon 176 DefaultType 172 Deny 171 Directory 169 DirectoryIndex 171 DocumentRoot 169 ErrorDocument 177 ErrorLog 173 ExtendedStatus 167 for cache functionality 178 Group 168 HeaderName 176 HostnameLookups 172 IfDefine 167 IfModule 165 Include 167 IndexIgnore 176 IndexOptions 175 KeepAlive 164 see also KeepAliveTimeout troubleshooting 164 KeepAliveTimeout 165 LanguagePriority 176...

Page 422: ...y Apache configuration directive 169 DirectoryIndex Apache configuration directive 171 display managers see X DNS 213 see also BIND introducing 213 documentation experienced user xx finding appropriate xviii first time users xviii newsgroups xix websites xix guru xx DocumentRoot Apache configuration directive 169 changing 182 changing shared 183 DoS see Denial of Service DoS attack see Denial of S...

Page 423: ...ns 199 FHS 25 25 see also file system file system FHS standard 25 hierarchy 25 organization 25 structure 25 virtual see proc file system files proc file system changing 50 86 viewing 49 86 findsmb program 268 forwarding nameserver see BIND frame buffer device 54 see also proc fb FrontPage 162 fstab 140 see also NFS FTP 277 see also vsftpd active mode 277 command port 277 data port 277 definition o...

Page 424: ...Apache configuration directive 167 ifdown 128 IfModule Apache configuration directive 165 ifup 128 Include Apache configuration directive 167 IndexIgnore Apache configuration directive 176 IndexOptions Apache configuration directive 175 init command 6 see also boot process configuration files etc inittab 9 role in boot process 6 see also boot process runlevels directories for 9 runlevels accessed ...

Page 425: ...ribution Center KDC 346 server set up 348 terminology 344 Ticket granting Server TGS 346 Ticket granting Ticket TGT 346 kernel role in boot process 5 kernel modules etc rc modules 376 Ethernet modules parameters 383 supporting multiple cards 390 introducing 373 listing 373 loading 375 module parameters specifying 376 persistent loading 376 SCSI modules parameters 377 types of 373 unload 375 kwin 1...

Page 426: ...ole in boot process 4 Listen Apache configuration directive 166 LoadModule Apache configuration directive 167 Location Apache configuration directive 178 LogFormat Apache configuration directive 173 LogLevel Apache configuration directive 173 lsmod 373 lspci 62 M Mail Delivery Agent see email Mail Transfer Agent see email Mail User Agent see email make_smbcodepage program 268 make_unicodemap progr...

Page 427: ...mount options 142 condrestart 134 how it works 131 introducing 131 portmap 133 reloading 134 required services 132 restarting 134 security 143 file permissions 145 host access 143 NFSv2 NFSv3 host access 144 NFSv4 host access 144 server configuration 135 etc exports 135 exportfs command 138 exportfs command with NFSv4 139 starting 134 status 134 stopping 134 TCP 131 UDP 131 NIC modules see kernel ...

Page 428: ...5 prefdm see X proc directory 27 proc file system proc apm 51 proc buddyinfo 51 proc bus directory 67 proc cmdline 52 proc cpuinfo 52 proc crypto 53 proc devices block devices 53 character devices 53 proc dma 54 proc driver directory 68 proc execdomains 54 proc fb 54 proc filesystems 54 proc fs directory 68 proc ide directory 69 device directories 69 proc interrupts 55 proc iomem 55 proc ioports 5...

Page 429: ...so setserial command ReadmeName Apache configuration directive 176 Red Hat Enterprise Linux specific file locations etc sysconfig 30 see also sysconfig directory var lib rpm 30 var spool up2date 30 Redirect Apache configuration directive 174 rmmod 375 root nameserver see BIND rpcclient program 271 rpcinfo 134 runlevels see init command changing with GRUB 18 configuration of 10 see also services S ...

Page 430: ...ectory 261 PDC using LDAP 258 PDC using tdbsam 257 Secure File and Print Server example 253 WINS 266 sbin directory 27 ScriptAlias Apache configuration directive 174 SCSI modules see kernel modules security running Apache without 182 SELinux 365 additional resources 369 documentation 369 installed documentation 369 websites 369 introduction 365 related files 365 etc selinux Directory 368 etc sysco...

Page 431: ...s of 355 insecure protocols and 362 layers of channels 358 transport layer 357 port forwarding 361 requiring for remote login 362 security risks 355 version 1 356 version 2 356 X11 forwarding 360 SSL configuration 180 StartServers Apache configuration directive 165 startx 112 see X see also X stunnel 208 SuexecUserGroup Apache configuration directive 156 167 sys directory 28 sysconfig directory 30...

Page 432: ...related books 325 useful websites 325 advantages of 310 configuration files etc hosts allow 309 310 etc hosts deny 309 310 access control option 316 expansions 317 formatting rules within 311 hosts access files 310 log option 315 operators 315 option fields 315 patterns 313 shell command option 316 spawn option 316 twist option 316 wildcards 312 definition of 309 introducing 309 testparm program 2...

Page 433: ...k options 289 multihome configuration 280 restarting 280 RPM files installed by 279 security features 278 starting 280 starting multiple copies of 280 status 280 stopping 280 W wbinfo program 274 webmaster email address for 168 window managers see X X X etc X11 xorg conf boolean values for 102 Device 106 DRI 108 Files section 104 InputDevice section 104 introducing 102 Module section 104 Monitor 1...

Page 434: ...erver 99 features of 99 X Window System see X X 500 see LDAP X 500 Lite see LDAP xinetd 318 see also TCP wrappers additional resources installed documentation 324 related books 325 useful websites 325 configuration files 318 etc xinetd conf 318 etc xinetd d directory 319 access control options 321 binding options 322 logging options 318 319 320 redirection options 322 resource management options 3...
