Monday, 31 December 2012

Firewall (iptables) in Linux


Firewall in Linux:-
A firewall is a secure and trusted machine that sits between a private network and a public network. The firewall machine is configured with a set of rules that determine which network traffic will be allowed to pass and which will be blocked or refused. In some large organizations, you may even find a firewall located inside their corporate network to segregate sensitive areas of the organization from other employees. Many cases of computer crime occur from within an organization, not just from outside.
The term firewall comes from a device used to protect people from fire. The firewall is a shield of material resistant to fire that is placed between a potential fire and the people it is protecting.
Firewalls can be constructed in quite a variety of ways. The most sophisticated arrangement involves a number of separate machines and is known as a perimeter network. Two machines act as "filters" called chokes to allow only certain types of network traffic to pass, and between these chokes reside network servers such as a mail gateway or a World Wide Web proxy server. This configuration can be very safe and easily allows quite a great range of control over who can connect both from the inside to the outside, and from the outside to the inside. This sort of configuration might be used by large organizations.
Typically though, firewalls are single machines that serve all of these functions. These are a little less secure, because if there is some weakness in the firewall machine itself that allows people to gain access to it, the whole network security has been breached. Nevertheless, these types of firewalls are cheaper and easier to manage than the more sophisticated arrangement.



The Linux kernel provides a range of built-in features that allow it to function quite nicely as an IP firewall. The network implementation includes code to do IP filtering in a number of different ways, and provides a mechanism to configure quite precisely what sort of rules you'd like to put in place. The Linux firewall is flexible enough to be very useful in either of the configurations described above (the perimeter network or the single firewall machine).
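The paragraph above describes the kernel's packet filtering but shows no ruleset. The following shell script is an added example, not code from the original post: it generates an iptables-restore ruleset for the single-machine firewall case with a default-deny INPUT policy (a default policy of ACCEPT would be the weak setting), loopback and already-established traffic allowed, SSH admitted only from an administrative subnet, optional public TCP services, and a rate-limited log of what gets dropped. The subnet 192.0.2.0/24, the function names and the choice of ports are assumptions made for the example; apply_ruleset only loads the rules when you call it yourself as root.

```shell
#!/bin/sh
# generate_ruleset ADMIN_CIDR [PUBLIC_TCP_PORT ...]
# Print an iptables-restore file for a single-host firewall. Nothing is
# applied here; the text can be reviewed, diffed or saved first.
generate_ruleset() {
    admin_cidr=$1; shift
    # Validate every requested port before emitting anything.
    for p in "$@"; do
        case $p in
            ''|*[!0-9]*) echo "generate_ruleset: invalid port '$p'" >&2; return 2 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "generate_ruleset: port out of range '$p'" >&2; return 2; }
    done
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
-A INPUT -p tcp --dport 22 -s $admin_cidr -m conntrack --ctstate NEW -j ACCEPT
EOF
    # One NEW-connection rule per public service; nothing else is reachable.
    for p in "$@"; do
        echo "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Log (rate-limited) what falls through to the DROP policy, for detection.
    echo '-A INPUT -m limit --limit 5/minute -j LOG --log-prefix "iptables-drop: "'
    echo 'COMMIT'
}

# apply_ruleset ADMIN_CIDR [PUBLIC_TCP_PORT ...]
# Load the generated rules atomically with iptables-restore (root only).
apply_ruleset() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_ruleset: must run as root" >&2; return 1; }
    command -v iptables-restore >/dev/null 2>&1 || { echo "apply_ruleset: iptables-restore not found" >&2; return 1; }
    generate_ruleset "$@" | iptables-restore
}

# Stand-alone run: print the ruleset for an admin subnet plus a web server.
generate_ruleset 192.0.2.0/24 80 443
```

Because iptables-restore replaces the whole table in one step, the host is never left in a half-configured state; keep a console session open when applying remotely in case the admin subnet is wrong.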

Access Control Lists (ACLs) Configuration with commands in Red Hat Enterprise Linux 5


Files and directories have permission sets for the owner of the file, the group associated with the file, and all other users on the system. However, these permission sets have limitations. For example, different permissions cannot be configured for different users. Thus, Access Control Lists (ACLs) were implemented.
The Red Hat Enterprise Linux 5 kernel provides ACL support for the ext3 file system and NFS-exported file systems. ACLs are also recognized on ext3 file systems accessed via Samba. Along with support in the kernel, the acl package is required to implement ACLs. It contains the utilities used to add, modify, remove, and retrieve ACL information. The cp and mv commands copy or move any ACLs associated with files and directories.

Mounting File Systems

Before using ACLs for a file or directory, the partition for the file or directory must be mounted with ACL support. If it is a local ext3 file system, it can be mounted with the following command:
mount -t ext3 -o acl <device-name> <mount-point>
For example:
mount -t ext3 -o acl /dev/VolGroup00/LogVol02 /work
Alternatively, if the partition is listed in the /etc/fstab file, the entry for the partition can include the acl option:
LABEL=/work /work ext3 acl 1 2
If an ext3 file system is accessed via Samba and ACLs have been enabled for it, the ACLs are recognized because Samba has been compiled with the --with-acl-support option. No special flags are required when accessing or mounting a Samba share.

NFS

By default, if the file system being exported by an NFS server supports ACLs and the NFS client can read ACLs, ACLs are utilized by the client system. To disable ACLs on NFS shares when configuring the server, include the no_acl option in the /etc/exports file. To disable ACLs on an NFS share when mounting it on a client, mount it with the no_acl option via the command line or the /etc/fstab file.

Setting Access ACLs

There are two types of ACLs: access ACLs and default ACLs. An access ACL is the access control list for a specific file or directory. A default ACL can only be associated with a directory; if a file within the directory does not have an access ACL, it uses the rules of the default ACL for the directory. Default ACLs are optional. ACLs can be configured:
• Per user
• Per group
• Via the effective rights mask
• For users not in the user group for the file
The setfacl utility sets ACLs for files and directories. Use the -m option to add or modify the ACL of a file or directory:
setfacl -m <rules> <files>
Rules (<rules>) must be specified in the following formats. Multiple rules can be specified in the same command if they are separated by commas.
u:<uid>:<perms>
Sets the access ACL for a user. The user name or UID may be specified. The user may be any valid user on the system.
g:<gid>:<perms>
Sets the access ACL for a group. The group name or GID may be specified. The group may be any valid group on the system.
m:<perms>
Sets the effective rights mask. The mask is the union of all permissions of the owning group and all of the user and group entries.
o:<perms>
Sets the access ACL for users other than the ones in the group for the file.
White space is ignored. Permissions (<perms>) must be a combination of the characters r, w, and x for read, write, and execute. If a file or directory already has an ACL and the setfacl command is used, the additional rules are added to the existing ACL or the existing rule is modified. For example, to give read and write permissions to user andrius:
setfacl -m u:andrius:rw /project/somefile
To remove all the permissions for a user, group, or others, use the -x option and do not specify any permission(s):
setfacl -x <rules> <files>
For example, to remove all permissions from the user with UID 500:
setfacl -x u:500 /project/somefile

Setting Default ACLs

To set a default ACL, add d: before the rule and specify a directory instead of a file name. For example, to set the default ACL for the /share/ directory to read and execute for users not in the user group (an access ACL for an individual file can override it):
setfacl -m d:o:rx /share

Retrieving ACLs

To determine the existing ACLs for a file or directory, use the getfacl command. In the example below, getfacl is used to determine the existing ACLs for a file.
getfacl home/pupo/picture.png

The above command returns the following output:
# file: home/pupo/picture.png
# owner: john
# group: john
user::rw-
group::r--
other::r--
If a directory with a default ACL is specified, the default ACL is also displayed as illustrated below.
[pupo@main /]$ getfacl home/sales/
# file: home/sales/
# owner: john
# group: pupo
user::rw-
user:barryg:r--
group::r--
mask::r--
other::r--
default:user::rwx
default:user:john:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
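The mask entry described under "Setting Access ACLs" is the part of the getfacl output that is easiest to misread: a named user can carry rwx in its entry and still get only r-- because the mask caps it. The script below is an added example (not from the original post) that parses getfacl output and prints the effective rights of every mask-governed entry, i.e. the entry's permissions ANDed with the mask, the same reduction getfacl shows as "#effective:". The sample output is constructed for the example (it adds a named user carol and a named group audit to the directory listing shown above); the function name is an assumption.

```shell
#!/bin/sh
# Constructed getfacl output for a directory with an access ACL and a default
# ACL (sample data, not captured from a real system).
SAMPLE_GETFACL='# file: home/sales/
# owner: john
# group: pupo
user::rw-
user:barryg:r--
user:carol:rwx
group::r--
group:audit:rw-
mask::r--
other::r--
default:user::rwx
default:user:john:rwx
default:group::r-x
default:mask::rwx
default:other::r-x'

# effective_rights GETFACL_TEXT
# For each access-ACL entry the mask governs (named users, the owning group,
# named groups) print "entry perms -> effective". The owner (user::) and
# other:: entries are not subject to the mask and are skipped; default:
# entries are skipped because they only seed the ACLs of new files.
effective_rights() {
    printf '%s\n' "$1" | awk -F: '
        /^#/ || /^$/ { next }                 # header comment lines
        /^default:/  { next }                 # default ACL, not access ACL
        { sub(/[ \t]+#.*$/, "") }             # drop a trailing "#effective:" note
        $1 == "mask" { mask = $3; next }
        ($1 == "user" || $1 == "group") && $2 != "" { entries[n++] = $0; next }
        $1 == "group" && $2 == ""                   { entries[n++] = $0 }
        END {
            for (i = 0; i < n; i++) {
                split(entries[i], f, ":")
                perms = substr(f[3], 1, 3); eff = ""
                for (j = 1; j <= 3; j++) {
                    c = substr(perms, j, 1); m = substr(mask, j, 1)
                    bit = (c != "-" && m != "-") ? c : "-"
                    eff = eff bit
                }
                note = (eff != perms) ? " (limited by mask)" : ""
                printf "%s:%s %s -> %s%s\n", f[1], f[2], perms, eff, note
            }
        }'
}

# Stand-alone run over the constructed sample.
effective_rights "$SAMPLE_GETFACL"
```

On a live system, feed it real output with `effective_rights "$(getfacl /share)"`; an entry flagged "limited by mask" usually means a chmod on the group bits has silently narrowed the mask, which is the usual reason an ACL grant appears not to work.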

Archiving File Systems With ACLs


The star utility is similar to the tar utility in that it can be used to generate archives of files. The star package is required to use this utility. The command line options for star are as follows:

Option   Description
-c       Creates an archive file.
-n       Do not extract the files; use in conjunction with -x to show what extracting the files does.
-r       Replaces files in the archive. The files are written to the end of the archive file, replacing any files with the same path and file name.
-t       Displays the contents of the archive file.
-u       Updates the archive file. The files are written to the end of the archive if they do not exist in the archive or if the files are newer than the files of the same name in the archive. This option only works if the archive is a file or an unblocked tape that may backspace.
-x       Extracts the files from the archive. If used with -U and a file in the archive is older than the corresponding file on the file system, the file is not extracted.
-help    Displays the most important options.
-xhelp   Displays the least important options.
-/       Do not strip leading slashes from file names when extracting the files from an archive. By default, they are stripped when files are extracted.
-acl     When creating or extracting, archive or restore any ACLs associated with the files and directories.

Compatibility with Older Systems

If an ACL has been set on any file on a given file system, that file system has the ext_attr attribute. This attribute can be seen using the following command:
tune2fs -l <filesystem-device>
A file system that has acquired the ext_attr attribute can be mounted with older kernels, but those kernels do not enforce any ACLs which have been set. Versions of the e2fsck utility included in version 1.22 and higher of the e2fsprogs package (including the versions in Red Hat Enterprise Linux 2.1 and 4) can check a file system with the ext_attr attribute. Older versions refuse to check it.





Thursday, 27 December 2012

File compression in Linux & ubuntu


File compression in ubuntu

For most everyday users, file compression is the process of taking many files and combining them into a single archive file that’s shrunk so it takes up less disk space. This makes the files easier to transfer from computer to computer. Most Windows users make heavy use of the Zip file format, and this is fully supported in Ubuntu. Double-clicking a compressed file of virtually any format will open it in the File Roller program, which is a little like WinZip under Windows. To extract any file or folder within the archive, simply click and drag it to a new location.
To create a compressed file from a file or folder, just right-click it and select the Create Archive option. Select the compression type you’d like to use from the dropdown list alongside the filename. Although Zip is popular on Windows, and there is no reason why it can’t be used under Ubuntu, most Ubuntu and Linux users prefer a different type of compression: compressed tar files. Tar has its roots in magnetic tape backup, hence the name: Tape ARchive. A tar file is simply lots of files combined into a single large file. Tar files aren’t compressed by default, which is to say, tar is not a compression technology. However, tar files are nearly always compressed using add-in programs, the most popular of which are bzip2 and gzip. Tar files that are compressed usually have double file extensions showing the type of compression used: .tar.bz2 or .tar.gz.

Archive file extension   Details
.tar       Tape ARchive; simple format in which files are combined into a larger file. Handled by the tar command at the command line. Tar files aren’t automatically compressed. The chief benefit of tar files is that they record permission and ownership details, making them ideal for backup.
.tar.gz    Tar archives that have been additionally compressed using the gzip software, usually at the point of creation. Sometimes the .tgz file extension is used instead of .tar.gz.
.tar.bz2   Tar archives that have been additionally compressed using the bzip2 software, usually at the point of creation. Bzip2 compression leads to the smallest files of all, so is preferable. Sometimes the .tbz file extension is used instead of .tar.bz2.
.zip       As with Windows, zip files are compressed archives. Zip files haven’t gained much traction in the Linux/Unix world because of legal concerns some years ago. This is no longer an issue, but other archive formats such as gzip and bzip2 are simply more established.
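The table notes that tar records permission and ownership details, which is what makes it a backup format; the flip side is that a tar member name is also a path, and an archive from an untrusted source can carry names like ../etc/passwd or /etc/shadow that land outside the directory you extract into. The script below is an added example, not code from the original post, for the command-line side of the same task: it creates .tar.gz or .tar.bz2 archives with relative member paths, lists an archive without extracting it, and refuses to unpack one whose member names would escape the destination. It assumes GNU tar with gzip (and bzip2 for .bz2) installed; the function names are the example's own.

```shell
#!/bin/sh
# make_archive DIR OUT
# Create a compressed tar archive of DIR; the compressor is chosen from OUT's
# extension. -C keeps stored paths relative (proj/..., not /home/me/proj/...),
# and tar records each member's mode, owner and group in the archive header.
make_archive() {
    dir=$1; out=$2
    parent=$(dirname "$dir"); name=$(basename "$dir")
    case $out in
        *.tar.gz|*.tgz)  tar -czf "$out" -C "$parent" "$name" ;;
        *.tar.bz2|*.tbz) tar -cjf "$out" -C "$parent" "$name" ;;
        *) echo "make_archive: unsupported extension on $out" >&2; return 2 ;;
    esac
}

# unsafe_entries
# Read member names on stdin and print those that would land outside the
# extraction directory: absolute paths, or any ".." path component.
# Exit status is 1 when at least one such member exists, 0 otherwise.
unsafe_entries() {
    awk '
        /^\//              { print; bad = 1; next }
        /(^|\/)\.\.(\/|$)/ { print; bad = 1; next }
        END { exit (bad ? 1 : 0) }
    '
}

# check_archive FILE
# List the members without extracting and run them through unsafe_entries.
check_archive() {
    [ -f "$1" ] || { echo "check_archive: no such file $1" >&2; return 2; }
    case $1 in
        *.tar.gz|*.tgz)  tar -tzf "$1" | unsafe_entries ;;
        *.tar.bz2|*.tbz) tar -tjf "$1" | unsafe_entries ;;
        *) echo "check_archive: unsupported extension on $1" >&2; return 2 ;;
    esac
}

# extract_archive FILE DEST
# Unpack FILE under DEST only if every member name stays inside DEST.
extract_archive() {
    if ! check_archive "$1" >/dev/null; then
        echo "extract_archive: $1 has member names that escape $2; not extracting" >&2
        return 1
    fi
    mkdir -p "$2" || return 1
    case $1 in
        *.tar.gz|*.tgz)  tar -xzf "$1" -C "$2" ;;
        *.tar.bz2|*.tbz) tar -xjf "$1" -C "$2" ;;
    esac
}
```

Typical use is `make_archive /home/me/proj backup.tar.gz` to create the archive and `extract_archive backup.tar.gz /tmp/restore` to unpack it; `check_archive` on its own is the thing to run over an archive somebody sent you before extracting it anywhere.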


Virtual desktops in ubuntu


Virtual desktops

Like all Linuxes, Ubuntu makes use of virtual desktops. This handy function is missing from Windows, although it can be found in Macintosh OS X 10.5 under the name of Spaces. Using virtual desktops is like having a second (or third, or fourth, etc.) monitor. Program windows can be placed on any of the desktops of the “monitors” and you can switch between desktops using the applet at the bottom-right of the screen.
Virtual desktops are best explained by example, so start a program of your choice (maybe the Firefox web browser) and switch to the second desktop by clicking the second of the screen icons in the virtual desktop applet at the bottom right of the screen. The program window will seem to disappear. Now open a file browsing window (click Places - Home Folder), and return to the first desktop by clicking the first of the screen icons. The first desktop’s contents will now reappear. See how it works? You could set aside one virtual desktop solely for email, and another for day-to-day tasks such as web browsing, and switch between the desktops when necessary. You can have up to 36 virtual desktops—just right-click the icon, select Preferences, and increase the number in the Number of Workspaces counter. You can also give each a descriptive name in the Workspace Names section—just double-click an entry in the list and overtype.

Installation of network printer in ubuntu


Installing a network printer

To install a shared network printer in Ubuntu 8.10, such as one connected to another computer in your home or office, click System - Administration - Printing and click the NEW button in the toolbar (click NEW PRINTER if using Ubuntu 8.04). Then select the type of network printer you’d like to connect to across the network.
For printers utilizing a network server device—normally found only in corporate environments—select AppSocket/HP JetDirect. Enter the address details on the right of the program window. This will probably take the form of an IP address and a queue name—see your administrator for these, or the print server’s documentation. If connecting to a shared printer on a Windows PC, select Windows Printer via SAMBA, and click the BROWSE button to have Ubuntu automatically detect shared printers on the local network. Click the chevrons alongside each heading to “unfold” them and, when you find the printer you’re looking for, select it and click the OK button.
Back in the parent window, click the radio button alongside Set Authentication Details Now (under Ubuntu 8.04 click the Authentication Required checkbox) and enter the Windows (not Ubuntu!) login username/password required to access the Windows account that’s sharing the printer. Click VERIFY to check that the details work.
Click Forward when done to install the printer driver. It is unlikely it will be detected, and you will have to select it manually by working through the list of printer manufacturers and models.

Wednesday, 26 December 2012

Keyboard shortcuts for Ubuntu



Keyboard shortcuts for Ubuntu



Ubuntu makes use of a variety of keyboard shortcuts for quick access to built-in functions. Some of these shortcuts are similar to those found under Windows, while some are unique.

Shortcut keys               Description
Alt+F4                      Quit application
F1                          Context-sensitive help
F10                         Open a program’s File menu; use left/right cursor keys to move between other menus
Alt+F1                      Open main menu; use left/right cursor keys to move between menus
Alt+F2                      Open “Run Application” dialog box, whereby applications can be started by typing their filenames
Alt+Tab                     Switch between applications
Shift+Alt+Up cursor         Switch between applications using a live preview of each window (like Mac OS’s Exposé feature)
Ctrl+Alt+Left/Right cursor  Switch between virtual desktops
Windows+E                   Switch between virtual desktops by viewing a live preview of each desktop (double-click to select)
Windows+M                   Invert colors on desktop (useful for partially-sighted people, or if using the computer at night)
Windows+N                   Invert colors in top-most program window
Ctrl+Alt+Backspace          Restart the graphical subsystem (X); should only be used in emergencies because the restart is instant and without confirmation—all data will be lost!
Alt+F9                      Minimize window
Alt+F10                     Maximize window
Alt+F5                      Restore window after maximizing
Alt+F7                      Allows you to move the window using cursor keys; hit Enter when done
Alt+F8                      Allows you to resize the window using cursor keys; hit Enter when done
PrintScreen                 Take screenshot of whole desktop
Alt+PrintScreen             Take screenshot of currently active program window

Tuesday, 25 December 2012

Installation of Ubuntu Linux 11.10 step by step



Installation of Ubuntu Linux 11.10

This guide covers the installation of Ubuntu Linux 11.10, 32-bit version, from a LiveCD. The installation of other Ubuntu versions, including 64-bit, will be very similar.

Step 1:
The first thing you should do is head to 
http://www.ubuntu.com/download/ubuntu/download and download the Ubuntu 11.10 LiveCD. Click the big orange Start download box.

Step 2:
Using your disc burning software, burn the .iso you downloaded to a CD.

Step 3:
Before you go any further, ensure all important data is backed up in case of data loss on your drives.
Step 4:
Ensure you have a network cable connected, restart your computer, and boot from the CD drive.

Step 5:
The LiveCD will load up, and you'll be presented by the following box:





proceed with an installation, so click "Install Ubuntu."

Step 6:
You'll be greeted by the "Preparing to install Ubuntu" screen, exactly as below:






Select "Install third-party software" as I have done in the screenshot above. I prefer to do system updates once up and running, but if you have the extra time you can also select "Download updates while installing" as well. Then click Continue.

Step 7:
The next screen you will see is "installation type," what you see will be dependent on whether you have an existing Windows installation or not.


Step 7-a:
For those installing in a virtual machine or to hard disks without an OS you will see the following screen:




You have two choices:

1. Erase the entire disk and use all of it for installation -- Ubuntu will automatically partition your disk and proceed with installation.
2. Select "something else" and manually create your partitions (which is covered in detail in step 7-C).

If you are choosing the first option, select the radio button and then click continue, proceeding to step 8.

Step 7-b:
Those of you that have current Windows installations or are going to dual-boot with another existing OS will be presented with a screen similar to below:




You have three options available:

1. You can choose the first option and install Ubuntu alongside your existing OS.
2. You can opt to replace your Windows installation with Ubuntu, allowing the installer to format your current partitions and automatically create new ones for Linux.
3. You can choose "something else" and create your own partition scheme and sizing (covered in detail in step 7-C).

Once you have selected which route you wish to proceed with click continue and proceed to step 8.

Step 7-c:
Having selected the "something else" option you will be presented with the following window:


Linux recognizes and assigns IDs to drives in a different manner to Windows. In the above image, you can clearly see my hard disk in the list. It is identified by "/dev/sda". Linux recognizes drives in the following way:
• sda = 1st drive
• sdb = 2nd drive
• sdc = 3rd drive, and so on

Partitions are also shown after the drive letters. So if I had 2 partitions on my first disk, they would be identified as:
• sda1 – 1st drive, 1st partition
• sda2 – 1st drive, 2nd partition

You will not see the common Windows C: label in the disk menu in the above list. You do, however, have two key things to help you recognize your Windows C: drive. Both of these can be used to identify which is your Windows disk:
• The size of the disk is shown
• The name of the drive is shown
This is your current partition layout for your hard disks. If you have more than one disk, they will show up as /dev/sda, /dev/sdb, etc.

Firstly, identify your Windows installation. In my case, it's sda1 (which is my first hard disk, first partition). What you see depends on how you created the extra space. I just resized the Windows partition from within Windows, and left the free space ready to install Linux. I recommend using Windows or a free utility from within Windows to resize your partition as most beginners will understand it more.

Therefore, we now need to create a minimum of two partitions:

Click "Add" and the following box will appear:


You will notice I have already filled out the example above to create a 10GB root partition.

You can have a maximum of 4 primary partitions, or 3 primary partitions and 1 extended partition (which holds logical partitions and allows for another 64 partitions).
The size above is 10.00GB, e.g. 1,000 = 1GB, 10,000 = 10GB (remember to leave enough free remaining space to create your SWAP partition!).
Location for new partition: i.e. do you want it at the start or end of the free space. Select Beginning.
Use as: Ext4 is the recommended file system for Ubuntu, much the same as NTFS is for Windows. SWAP is for SWAP space.
Mount point: This is where you want the partition to mount. E.g. we need a root partition, which in Linux is denoted by a "/".

Click OK once you have finished setting the partition information and you will return to your partition screen, now showing the root partition you just created. Using the same methods as before, create a SWAP partition
Once you have done that, you should be looking at something like below


So to re-cap the above, (in my example) we have the following:

• /dev/sda1 is your Windows partition.
• /dev/sda2 is your new root partition (Windows equivalent of C:).
• /dev/sda3 is your SWAP space.

Once you are happy with the changes you have made, click install now and proceed to the next step.

Step 8:
As the installation starts to copy the required files to the hard disk, you will be presented with a screen to select your locale. It should automatically find where you are, as it has for me already:



Just double check it is correct, and then select continue.

Step 9:
The next screen to appear will be keyboard layout



Ensure the correct option is selected, above you will see the correct (and default UK) selection has been automatically made for me.

Step 10:
You will now be greeted by the "who are you" screen, ready for you to fill out with your user details:


The computer's name and username will automatically populate when you type your full name. You can, however, edit them as you please. Fill in the details and then click Continue.

You can opt to have Ubuntu automatically log in for you -- even with a password set -- or you can choose the traditional option requiring a password to log in. You really don't need to choose the encrypt option unless you're installing on a laptop and are dealing with highly secure information.
Step 11:
The installation information screens will now appear as Ubuntu continues the installation.


Step 12:
Once installation has finished, you will be presented with the following box:



Select "restart now" and when requested, remove your installation CD, then press enter to reboot.

Step 13:
For those of you that have Ubuntu as the only OS the computer will boot directly into Linux. If you're dual-booting, you will see the GRUB menu appear similar to below:


Press enter, to select the first option and load your newly installed Ubuntu OS.

Step 14:
For those that elected to automatically log into Ubuntu, you will go straight to the desktop in Step 15. For everyone else, you will be greeted with the new login manager for Ubuntu



Enter your password, and hit enter to login to your desktop.

Step 15:
Your desktop should look like this


Step 16:
Before we proceed further, let's check for updates. Click on the power button on the top right corner of the screen and select "check for updates," or words to that effect.



I'd already run updates on this install so the example above is displaying "software up to date," but the picture highlights where you need to select anyway.

Upon selecting the update option, the update manager will appear, as below:




If it comes up with no available updates, just select "check" again to verify that it is correct. Having done the same thing myself, I was presented with the updates you see above. For those that opted to install updates during installation it is unlikely there will be further updates required.

You might be asked to enter your password to confirm changes. If prompted, enter your password and click OK. The same is true of any notifications that may appear during updating the OS.

Once complete, select Close and restart Ubuntu. The power button is located on the top right corner of the screen. Click this and select Shutdown.
Step 17:
No install is complete without full support for MP3s, core MS fonts, DVD playback codecs, Flash and Java, so let's go ahead and sort this now.

Click the black Ubuntu menu button at the top left corner of the screen and in the menu that appears, type "software centre" and select the Ubuntu Software Centre. Once open, click the search bar, type "restricted" and the following should appear:



Select Ubuntu restricted extras, and then click on the install button. 

Authentication is much like UAC (User Account Control) in Windows Vista and 7. It is required to elevate your user privileges to that of root (the Linux administrator).

Ubuntu restricted extras will now download, sort out any dependencies and install. You can check its progress by viewing the progress bar above the install button. Once finished, the In Progress tab will disappear -- restart Linux. It's not strictly necessary, but I always do it after installing this package so everything can start up properly.

Now you can enjoy your new OS .










Wednesday, 19 December 2012

RED HAT LINUX USERS AND GROUPS THROUGH GRAPHICAL AND COMMAND LINE INTERFACE

RED HAT LINUX USERS AND GROUPS CONFIGURATION 

The control of users and groups is a core element of Red Hat Enterprise Linux system administration. Users can be either people (meaning accounts tied to physical users) or accounts which exist for specific applications to use. Groups are logical expressions of organization, tying users together for a common purpose. Users within a group can read, write, or execute files owned by that group. Each user and group has a unique numerical identification number called a user ID (UID) and a group ID (GID), respectively. A user who creates a file is also the owner and group owner of that file. The file is assigned separate read, write, and execute permissions for the owner, the group, and everyone else. The file owner can be changed only by the root user, and access permissions can be changed by both the root user and the file owner. Red Hat Enterprise Linux also supports access control lists (ACLs) for files and directories, which allow permissions for specific users outside of the owner to be set.

User and Group Configuration

The User Manager allows you to view, modify, add, and delete local users and groups. To use the User Manager, you must be running the X Window System, have root privileges and have the system-config-users RPM package installed. To start the User Manager from the desktop, go to System (on the panel) => Administration => Users & Groups. You can also type the command system-config-users at a shell prompt (for example, in an XTerm or a GNOME terminal).


To view a list of local users on the system, click the Users tab. To view a list of local groups on the system, click the Groups tab. To find a specific user or group, type the first few letters of the name in the Search filter field. Press Enter or click the Apply filter button. The filtered list is displayed. To sort the users or groups, click on the column name; the users or groups are sorted according to the value of that column. Red Hat Enterprise Linux reserves user IDs below 500 for system users. By default, User Manager does not display system users. To view all users, including the system users, go to Edit => Preferences and uncheck Hide system users and groups in the dialog box.

Adding a New User

To add a new user, click the Add User button. Type the username and full name for the new user in the appropriate fields. Type the user's password in the Password and Confirm Password fields. The password must be at least six characters. Select a login shell. If you are not sure which shell to select, accept the default value of /bin/bash. The default home directory is /home/<username>/. You can change the home directory that is created for the user, or you can choose not to create the home directory by unselecting Create home directory. If you select to create the home directory, default configuration files are copied from the /etc/skel/ directory into the new home directory. Red Hat Enterprise Linux uses a user private group (UPG) scheme. The UPG scheme does not add or change anything in the standard UNIX way of handling groups; it offers a new convention. Whenever you create a new user, by default, a unique group with the same name as the user is created. If you do not want to create this group, unselect Create a private group for the user. To specify a user ID for the user, select Specify user ID manually. If the option is not selected, the next available user ID above 500 is assigned to the new user. Because Red Hat Enterprise Linux reserves user IDs below 500 for system users, it is not advisable to manually assign user IDs 1-499. Click OK to create the user.

To configure more advanced user properties, such as password expiration, modify the user's properties after adding the user.

Modifying User Properties


To view the properties of an existing user, click on the Users tab, select the user from the user list, and click Properties from the menu (or choose File => Properties from the pull down menu).

The User Properties window is divided into multiple tabbed pages:
• User Data — shows the basic user information configured when you added the user. Use this tab to change the user's full name, password, home directory, or login shell.
• Account Info — Select Enable account expiration if you want the account to expire on a certain date. Enter the date in the provided fields. Select Local password is locked to lock the user account and prevent the user from logging into the system.
• Password Info — displays the date that the user's password last changed. To force the user to change passwords after a certain number of days, select Enable password expiration and enter a desired value in the Days before change required: field. The number of days before the user's password expires, the number of days before the user is warned to change passwords, and the number of days before the account becomes inactive can also be changed.

• Groups — Allows you to view and configure the user's primary group, as well as any other groups the user should be a member of.

User and Group Management Tools


Managing users and groups can be a tedious task; this is why Red Hat Enterprise Linux provides tools and conventions to make them easier to manage. The easiest way to manage users and groups is through the graphical application, User Manager (system-config-users), described above. The following command line tools can also be used to manage users and groups:
• useradd, usermod, and userdel — Industry-standard methods of adding, deleting and modifying user accounts
• groupadd, groupmod, and groupdel — Industry-standard methods of adding, deleting, and modifying user groups
• gpasswd — Industry-standard method of administering the /etc/group file
• pwck, grpck — Tools used for the verification of the password, group, and associated shadow files
• pwconv, pwunconv — Tools used for the conversion of passwords to shadow passwords and back to standard passwords

Command Line Configuration

If you prefer command line tools or do not have the X Window System installed, use this section to configure users and groups.

Adding a User
To add a user to the system:
1. Issue the useradd command to create a locked user account:
• useradd <username>
2. Unlock the account by issuing the passwd command to assign a password and set password aging guidelines:
• passwd <username>

Adding a Group
To add a group to the system, use the command groupadd:
groupadd <group-name>

Option        Description
-g <gid>      Group ID for the group, which must be unique and greater than 499 (GIDs below 500 are reserved for system groups)
-r            Create a system group with a GID less than 500
-f            When used with -g <gid> and <gid> already exists, groupadd will choose another unique <gid> for the group

Password Aging


For security reasons, it is advisable to require users to change their passwords periodically. This can be done when adding or editing a user on the Password Info tab of the User Manager. To configure password expiration for a user from a shell prompt, use the chage command.

Option        Description
-m <days>     Minimum number of days between password changes. If the value is 0, the user may change the password at any time.
-M <days>     Maximum number of days for which the password is valid. When the number of days specified by this option plus the number of days specified with the -d option is less than the current day, the user must change the password before using the account. A value of -1 removes the maximum.
-d <days>     Number of days since January 1, 1970 on which the password was last changed.
-I <days>     Number of days of inactivity after the password expires before the account is locked. A value of -1 removes the inactivity limit.
-E <date>     Date on which the account is locked, in the format YYYY-MM-DD. Instead of the date, the number of days since January 1, 1970 can also be used; -1 removes the expiration date.
-W <days>     Number of days before the password expiration date on which to start warning the user.

To display the current aging settings of a user, use chage -l <username>.

You can configure a password to expire the first time a user logs in. This forces users to change passwords the first time they log in.

1. Lock the user password — If the user does not exist, use the useradd command to create the user account, but do not give it a password so that it remains locked. If the password is already enabled, lock it with the command:
• usermod -L username
2. Force immediate password expiration — Type the following command:
• chage -d 0 username
This command sets the value for the date the password was last changed to the epoch (January 1, 1970). This value forces immediate password expiration no matter what password aging policy, if any, is in place.
3. Unlock the account — There are two common approaches to this step. The administrator can assign an initial password or assign a null password.

To assign an initial password, use the following steps:
• Start the command line Python interpreter with the python command. It prints a version banner followed by the >>> prompt.
• At the prompt, type the following commands. Replace <password> with the password to encrypt and <salt> with a random combination of at least 2 of the following: any alphanumeric character, the slash (/) character or a dot (.):
import crypt
print(crypt.crypt("<password>", "<salt>"))
The output is the encrypted password, similar to '12CsGd8FRcMSM'. A two-character salt like this selects the legacy DES scheme, which only uses the first eight characters of the password. On glibc systems the salt can instead be written as $6$<salt>, which produces a SHA-512 hash (the $6$... form that Red Hat Enterprise Linux 6 and later store in /etc/shadow); Python 3.3 and later can generate such a salt with crypt.mksalt(crypt.METHOD_SHA512).
• Press Ctrl-D to exit the Python interpreter.
• At the shell, enter the following command (replacing <encrypted-password> with the encrypted output of the Python interpreter):
usermod -p "<encrypted-password>" <username>
The hash is recorded in the shell history file by this command, so keep that file unreadable to others.
Alternatively, you can assign a null password instead of an initial password. To do this, use the following command:
• usermod -p "" <username>
An empty password field in /etc/shadow means that no password is required, so until the user logs in and sets one, anyone who reaches a login prompt can claim the account (where PAM permits null passwords). Prefer the initial-password approach unless the first login happens right away.

In either case, upon initial log in, the user is prompted for a new password.

Explaining the Process

The following steps illustrate what happens if the command useradd juan is issued on a system that has shadow passwords enabled:
1. A new line for juan is created in /etc/passwd. The line has the following characteristics:

• It begins with the username juan.
• There is an x for the password field indicating that the system is using shadow passwords.
• A UID greater than 499 is created. (Under Red Hat Enterprise Linux, UIDs and GIDs below 500 are
  reserved for system use.)
• A GID greater than 499 is created.
• The optional GECOS information is left blank.
• The home directory for juan is set to /home/juan/.
• The default shell is set to /bin/bash.
2. A new line for juan is created in /etc/shadow. The line has the following characteristics:
• It begins with the username juan.
• Two exclamation points (!!) appear in the password field of the /etc/shadow file, which locks the account.

• The password is set to never expire.
3. A new line for a group named juan is created in /etc/group. A group with the same name as a user is called a user private group. For more information on user private groups, see “User Private Groups” below.
The line created in /etc/group has the following characteristics:
• It begins with the group name juan.
• An x appears in the password field indicating that the system is using shadow group passwords.
• The GID matches the one listed for user juan in /etc/passwd.
4. A new line for a group named juan is created in /etc/gshadow. The line has the following characteristics:
• It begins with the group name juan.
• An exclamation point (!) appears in the password field of the /etc/gshadow file, which locks the group.
• All other fields are blank.
5. A directory for user juan is created in the /home/ directory. This directory is owned by user juan and group juan. However, it has read, write, and execute privileges only for the user juan. All other permissions are denied.

6. The files within the /etc/skel/ directory (which contain default user settings) are copied into the new /home/juan/ directory.
At this point, a locked account called juan exists on the system. To activate it, the administrator must next assign a password to the account using the passwd command and, optionally, set password aging guidelines.
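The chage options, the forced-change-on-first-login procedure and the locked /etc/shadow line that useradd leaves behind all come down to the nine fields of one /etc/shadow entry. The following Python script is an added example, not code from this page or from Red Hat: it parses a few constructed /etc/shadow lines (the user names and placeholder hashes are made up, and "today" is pinned to 31 December 2012, day 15705 since the epoch) and classifies each account the way login does, following the order of checks in isexpired() in shadow-utils and the field meanings in shadow(5).

```python
import datetime as dt

EPOCH = dt.date(1970, 1, 1)


def days_since_epoch(day):
    """Convert a date to the 'days since January 1, 1970' count used in /etc/shadow."""
    return (day - EPOCH).days


def parse_shadow_line(line):
    """Split one /etc/shadow line into its nine fields (see shadow(5)).
    Empty numeric fields become None, meaning the corresponding check is not enforced."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("expected 9 colon-separated fields, got %d: %r" % (len(fields), line))
    name, pw, lastchg, mn, mx, warn, inact, expire, _reserved = fields

    def num(s):
        return int(s) if s.strip() else None

    return {"name": name, "hash": pw, "lastchg": num(lastchg), "min": num(mn),
            "max": num(mx), "warn": num(warn), "inactive": num(inact), "expire": num(expire)}


def password_state(e, today):
    """Classify one entry as login would, in the order isexpired() in shadow-utils uses:
    account expiry, forced change (lastchg == 0), inactivity lock, password expiry, warning.
    The hash field is judged separately: '!' / '!!' (usermod -L, fresh useradd) and '*'
    can never match a password; an empty field means no password is required at all."""
    h = e["hash"]
    out = {"name": e["name"], "locked": h.startswith(("!", "*")),
           "no_password": h == "", "state": "ok", "days_left": None}
    if e["expire"] is not None and today >= e["expire"]:
        out["state"] = "account_expired"               # set with chage -E
    elif e["lastchg"] == 0:
        out["state"] = "must_change"                   # set with chage -d 0
    elif e["lastchg"] is not None and e["max"] is not None:
        expires_on = e["lastchg"] + e["max"]           # chage -d + chage -M
        out["days_left"] = expires_on - today
        if e["inactive"] is not None and today >= expires_on + e["inactive"]:
            out["state"] = "inactive_locked"           # grace period from chage -I used up
        elif today >= expires_on:
            out["state"] = "password_expired"          # still inside the -I grace period
        elif e["warn"] is not None and today >= expires_on - e["warn"]:
            out["state"] = "warning"                   # inside the chage -W window
    # chage -m: the user may not choose a new password until min days have passed
    out["can_change_now"] = (e["lastchg"] is None or e["min"] is None
                             or today >= e["lastchg"] + e["min"])
    return out


# Constructed sample lines (made-up names, placeholder hashes), one per situation discussed:
SAMPLE_SHADOW = """\
juan:!!:15705:0:99999:7:::
maria::0:0:99999:7:::
alice:$6$saltsalt$placeholderhash:15600:1:90:7:30::
bob:$6$saltsalt$placeholderhash:15500:0:90:7:14::
carol:$6$saltsalt$placeholderhash:15620:7:90:7:::
dave:$6$saltsalt$placeholderhash:15600:0:90:7::15700:
erin:$6$saltsalt$placeholderhash:15700:7:90:7:::
bin:*:15000::::::
"""
# juan:  fresh 'useradd juan' (locked with !!, password never expires)
# maria: after 'chage -d 0' and 'usermod -p ""' (no password, must change at first login)
# alice: password expired 15 days ago, still inside the 30-day inactivity grace period
# bob:   password expired and the 14-day grace period is over, so the account is locked
# carol: 5 days before expiry, inside the 7-day warning window
# dave:  account expiry date (chage -E) already passed
# erin:  changed password 5 days ago with -m 7, so cannot change it again yet
# bin:   system account with '*' and no aging fields at all


def audit(text, today):
    """Return {username: state dict} for every non-empty line of a shadow file."""
    entries = (password_state(parse_shadow_line(line), today)
               for line in text.splitlines() if line.strip())
    return {r["name"]: r for r in entries}


if __name__ == "__main__":
    today = days_since_epoch(dt.date(2012, 12, 31))   # 15705
    for name, r in audit(SAMPLE_SHADOW, today).items():
        print("%-6s %-16s locked=%-5s no_password=%-5s can_change=%-5s days_left=%s"
              % (name, r["state"], r["locked"], r["no_password"],
                 r["can_change_now"], r["days_left"]))
```

Run as root against the real file, audit(open("/etc/shadow").read(), days_since_epoch(dt.date.today())) lists every account that is stuck in must_change or inactive_locked; chage -l <username> shows the same data for a single account.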

User Private Groups

Red Hat Enterprise Linux uses a user private group (UPG) scheme, which makes UNIX groups easier to manage. A UPG is created whenever a new user is added to the system. A UPG has the same name as the user for which it was created and that user is the only member of the UPG. UPGs make it safe to set default permissions for a newly created file or directory that allow both the user and the group of that user to modify it. The setting which determines what permissions are applied to a newly created file or directory is called a umask and is configured in the /etc/bashrc file. Traditionally on UNIX systems, the umask is set to 022, which allows only the user who created the file or directory to make modifications. Under this scheme, all other users, including members of the creator's group, are not
allowed to make any modifications. However, under the UPG scheme, this "group protection" is not necessary since every user has their own private group, which is why ordinary users get a umask of 002 instead.

Group Directories


Many IT organizations like to create a group for each major project and then assign people to the group if they need to access that project's files. Using this traditional scheme, managing files has been difficult; when someone creates a file, it is associated with the primary group to which they belong. When a single person works on multiple projects, it is difficult to associate the right files with the right group. Using the UPG scheme, however, groups are automatically assigned to files created within a directory with the setgid bit set.

The setgid bit makes managing group projects that share a common directory very simple because any files a user creates within the directory are owned by the group which owns the directory. Let us say, for example, that a group of people need to work on files in the /usr/share/emacs/site-lisp/ directory. Some people are trusted to modify the directory, but certainly not everyone is trusted. First create an emacs group, as
in the following command:

• /usr/sbin/groupadd emacs
To associate the contents of the directory with the emacs group, type:
• chown -R root:emacs /usr/share/emacs/site-lisp
Now, it is possible to add the proper users to the group with the gpasswd command:
• /usr/bin/gpasswd -a <username> emacs
To allow group members to create files within the directory, use the following command:
• chmod 775 /usr/share/emacs/site-lisp
At this point, when a user creates a new file, it is still assigned the group of the user's default private group. Next, set the setgid bit, which assigns everything created in the directory the same group as the directory itself (emacs). Use the following command:
• chmod 2775 /usr/share/emacs/site-lisp
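To see the effect of the setgid bit together with the 002 umask without touching /usr/share/emacs or creating an emacs group (both need root), the following Python script is an added example, not code from this page or from Red Hat. It builds two directories under a temporary path, one with mode 2775 and one with plain 775, gives both to a supplementary group of the current process (a stand-in for emacs; it falls back to the primary group if the process has none), creates a file in each with umask 002, and reports which group and mode each new file received. The file name new.el is made up.

```python
import os
import stat
import tempfile


def pick_project_gid():
    """Stand-in for the 'emacs' group: a supplementary group of this process if it has
    one (so the inherited group differs from the creator's primary group), else the
    primary gid. Either way the process is a member, which chmod needs to keep S_ISGID."""
    primary = os.getgid()
    for gid in os.getgroups():
        if gid != primary:
            return gid
    return primary


def setup_shared_dir(path, gid, setgid):
    """Equivalent of 'chown :<group> <dir>' followed by 'chmod 2775 <dir>'
    (or 'chmod 775 <dir>' when setgid is False). Returns the resulting mode bits."""
    os.makedirs(path, exist_ok=True)
    os.chown(path, -1, gid)                       # -1 leaves the owner unchanged
    os.chmod(path, 0o775 | (stat.S_ISGID if setgid else 0))
    return stat.S_IMODE(os.stat(path).st_mode)


def create_file_with_umask(path, umask):
    """Create a file the way an editor does: requested mode 0666, reduced by the umask.
    Returns (gid, mode) of the new file."""
    old = os.umask(umask)
    try:
        fd = os.open(path, os.O_CREAT | os.O_WRONLY | os.O_EXCL, 0o666)
        os.close(fd)
    finally:
        os.umask(old)
    st = os.stat(path)
    return st.st_gid, stat.S_IMODE(st.st_mode)


def demo(root):
    """Create a setgid and a plain shared directory under root, drop one file into each
    with the UPG umask of 002, and report what each new file ended up with."""
    gid = pick_project_gid()
    results = {}
    for label, setgid in (("setgid", True), ("plain", False)):
        d = os.path.join(root, label)
        dir_mode = setup_shared_dir(d, gid, setgid)
        file_gid, file_mode = create_file_with_umask(os.path.join(d, "new.el"), 0o002)
        results[label] = {
            "dir_mode": dir_mode,
            "dir_gid": gid,
            "file_gid": file_gid,
            "file_mode": file_mode,
            "inherited_group": file_gid == gid,
            "group_writable": bool(file_mode & stat.S_IWGRP),
        }
    return results


def run():
    """Run the demo inside a throw-away directory and return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        return demo(tmp)


if __name__ == "__main__":
    for label, r in run().items():
        print("%-6s dir %04o (gid %d)  new file %04o gid %d  inherited=%s group_writable=%s"
              % (label, r["dir_mode"], r["dir_gid"], r["file_mode"], r["file_gid"],
                 r["inherited_group"], r["group_writable"]))
```

On Linux only the setgid directory hands its group to the new file; the file in the plain 775 directory keeps the creator's primary (private) group, which is exactly what the chmod 2775 step fixes. BSD-derived systems, including macOS, always give new files the directory's group, so the contrast is visible only on Linux. In both directories the 002 umask turns the requested 0666 into 0664, so group members can edit the file.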
At this point, because the default umask of each user is 002, all members of the emacs group can create and edit files in the /usr/share/emacs/site-lisp/ directory without the administrator having to change file permissions every time users write new files.

Shadow Passwords

In multiuser environments it is very important to use shadow passwords (provided by the shadow-utils package). Doing so enhances the security of system authentication files. For this reason, the installation program enables shadow passwords by default. Shadow passwords have the following advantages over the traditional way of storing passwords on UNIX-based systems:

• Improves system security by moving encrypted password hashes from the world-readable /etc/passwd file to /etc/shadow, which is readable only by the root user.
• Stores information about password aging.
• Allows the /etc/login.defs file to be used to enforce security policies.
Most utilities provided by the shadow-utils package work properly whether or not shadow passwords are enabled. However, since password aging information is stored exclusively in the /etc/shadow file, any commands which create or modify password aging information do not work without it. The following is a list of commands which do not work without first enabling shadow passwords:
• chage
• gpasswd
• /usr/sbin/usermod -e or -f options
• /usr/sbin/useradd -e or -f options

Tuesday, 18 December 2012

Runlevels in red hat enterprise linux


Runlevels:

A runlevel is a state, or mode, that is defined by the services listed in the directory /etc/rc.d/rc<x>.d/, where <x> is the runlevel number. The following runlevels exist:

0 — Halt
1 — Single-user mode
2 — Not used (user-definable)
3 — Full multi-user mode
4 — Not used (user-definable)
5 — Full multi-user mode (with an X-based login screen)
6 — Reboot
If you use a text login screen, you are operating in runlevel 3. If you use a graphical login screen, you are operating in runlevel 5. The default runlevel can be changed by modifying the /etc/inittab file, which contains a line near the top of the file similar to the following:
id:5:initdefault:
Change the number in this line to the desired runlevel. The change does not take effect until you reboot the system.

Samba in RedHat Enterprise Linux


SAMBA INTRODUCTION 

Samba is an open source implementation of the Server Message Block (SMB) protocol. It allows the networking of Microsoft Windows®, Linux, UNIX, and other operating systems together, enabling access to Windows-based file and printer shares. Samba's use of SMB allows it to appear as a Windows server to Windows clients.

Samba also includes:
• The ability to join an Active Directory domain by means of LDAP and Kerberos
• Built-in Unicode support for internationalization
• Support for Microsoft Windows XP Professional client connections to Samba servers without needing local registry hacking

Samba Features

Samba is a powerful and versatile server application. Even seasoned system administrators must know its abilities and limitations before attempting installation and configuration.

What Samba can do:

• Serve directory trees and printers to Linux, UNIX, and Windows clients
• Assist in network browsing (with or without NetBIOS)
• Authenticate Windows domain logins
• Provide Windows Internet Name Service (WINS) name server resolution
• Act as a Windows NT®-style Primary Domain Controller (PDC)
• Act as a Backup Domain Controller (BDC) for a Samba-based PDC
• Act as an Active Directory domain member server
• Join a Windows NT/2000/2003 PDC

What Samba cannot do:

• Act as a BDC for a Windows PDC (and vice versa)
• Act as an Active Directory domain controller

Samba Daemons and Related Services

Samba Daemons

Samba is comprised of three daemons (smbd, nmbd, and winbindd). Two services (smb and winbind) control how the daemons are started, stopped, and other service-related features. Each daemon is listed in detail, as well as which specific service has control over it.

smbd
The smbd server daemon provides file sharing and printing services to Windows clients. In addition, it is responsible for user authentication, resource locking, and data sharing through the SMB protocol. The default ports on which the server listens for SMB traffic are TCP ports 139 and 445. The smbd daemon is controlled by the smb service.

nmbd
The nmbd server daemon understands and replies to NetBIOS name service requests such as those produced by SMB/CIFS in Windows-based systems. These systems include Windows 95/98/ME, Windows NT, Windows 2000, Windows XP, and LanManager clients. It also participates in the browsing protocols that make up the Windows Network Neighborhood view. The default port that the server listens to for NMB traffic is UDP port 137. The nmbd daemon is controlled by the smb service.

winbindd
The winbind service resolves user and group information from a server running Windows NT, Windows 2000 or Windows Server 2003. This makes Windows user and group information understandable by UNIX platforms. This is achieved by using Microsoft RPC calls, Pluggable Authentication Modules (PAM), and the Name Service Switch (NSS). This allows Windows NT domain users to appear and operate as UNIX users on a UNIX machine. Though bundled with the Samba distribution, the winbind service is controlled separately from the smb service. The winbindd daemon is controlled by the winbind service and does not require the smb service to be started in order to operate. Winbindd is also used when Samba is an Active Directory member, and may also be used on a Samba domain controller (to implement nested groups and/or interdomain trust). Winbind is a client-side service used to connect to Windows NT-based servers.