Me in IT UNIX/Linux Consultancy is based in Utrecht, The Netherlands and specialized in UNIX and Linux consultancy. Experience with Red Hat Enterprise Linux (Red Hat Certified Architect), Fedora Project, CentOS, OpenBSD and related released Open Source products makes Me in IT UNIX/Linux Consultancy a great partner in implementing, maintaining and upgrading your environment.

Open Source software is an important aspect of any Linux distribution. Me in IT UNIX/Linux Consultancy tries to use Open Source software where possible and tries to share experiences actively. In the articles section you will find many UNIX/Linux adventures shared for others to benefit.

Why a umask of 0027 creates files like 0640

The User Mask (umask) can be managed with the command umask. A umask is the reverse value of the octal permission set that files and directories are created with.

So, a umask of 0777 creates files with an octal permission value of 0000; no permissions to read, write or execute.

But; there is a strange thing about the umask; it never allows to make files executable. Here is a demonstration of this "flaw"/"security feature".

$ umask 0027
$ touch me
$ ls -l me | awk '{print $1}'
-rw-r-----

I would have expected 750, instead 640 is produced. This is default security behaviour of UNIX/Linux.

The longest left hand typed word

On slashdot somebody desribes that you can find the longest left hand typed password with UNIX tools like grep. That's a simple solution for a difficult problem!

Here is a script that would print the longest words typable with the left hand side of a keyboard. The list shows the longest word on top.

#!/bin/sh

status="notfound"
cat /usr/share/dict/words | while read word ; do
  for letter in y u i o p h j k l n m ; do
   echo "$word" | grep "$letter" > /dev/null
   if [ "$?" = 0 ] ; then
    status="found"
   fi
  done

  if [ "$status" = "notfound" ] ; then
   echo "$word"
  fi
done | while read match ; do
  length=$(echo "$match" | wc -c)
  echo "$length $match"
done | sort -nr | awk '{print $2}'

Howto use NAT on Fedora Core 9 machine with iptables

Network Address Translation is a technique to masquerade IP addresses on your internal LAN to the outside world. In other words; the outside world will not be able to look into your network.

This technique is easy to setup and maintain, saves IP addresses and is likely more secure that pure routing. To set it up, you require:

  1. A Linux machine, for this example Fedora Core 9
  2. Two network cards, eth0 attached to you LAN, eth1 connected to the internet.
  3. A little bit of Linux/UNIX knowledge
  4. 30 minutes or so

Enable IP forwarding

To be able to use IP forwarding, you must tell the kernel that it's okay to forward traffic from one network card to another. This setting is found in /etc/sysctl.conf. Set net.ipv4.ip_forward to 1.
To do this, execute:

echo 1 > /proc/sys/net/ipv4/ip_forward
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf

The first command enables IP forwarding now, a reboot would undo this setting. To enable this setting for every reboot, also execute that second line.

Enable the firewall (IPtables)

Make sure the service IPtables is running now and is started at bootup:

# service iptables status
<output omitted>
# chkconfig --list iptables
iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off

Configure the firewall (IPtables)

Now that the kernel knows it's allowed to forward traffic from one NIC to another, configure the firewall. The firewall is the intelligent part of setting up NAT, IPtables actually 'does the work'. Here are the commands to set it up:

/sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Safe the firewall rules

You have only configured the firewall for now, a reboot would undo all settings. Run this command once you are happy with the setup:

# /sbin/service iptables save

Reboot to test the setup. Your LAN client will have to set the default route to the IP address of the NAT machine's LAN NIC.

5 ways to configure at what runlevel daemons are started

There are a few ways to start (and stop) daemons at specific runlevels. For Fedora you could use modify how Apache (httpd) is started:

chkconfig --level 4 httpd on

This is a simple command line tool to tell the the startup facility to enable (on) the Apache (httpd) daemon at runlevel 4 (--level 4). Works great and fast, but the script httpd must have some parameters in the file to let chkconfig know what to do with it:

# chkconfig: 4 85 15
# description: Apache is a World Wide Web server. It is used to serve HTML files and CGI.
# processname: httpd
# config: /etc/httpd/conf/httpd.conf
# config: /etc/sysconfig/httpd
# pidfile: /var/run/httpd.pid

The lines chkconfig and description are mandatory. In this example, the chkconfig line tells the startup facility to start in runlevel 4, with a "priority" of 85. This priority can be seen with ls /etc/rc4.d. The numbers of the startup script represent the order of how they are started.

ln -s /etc/init.d/httpd /etc/rc4.d/S85httpd

A much simpler, more simplistic method to start Apache. This command symbolically links /etc/rc4.d/S85httpd to the startup script of Apache. Don't forget to also stop the daemons with this set of links:

ln -s /etc/init.d/httpd /etc/rc0.d/K15httpd
ln -s /etc/init.d/httpd /etc/rc1.d/K15httpd
ln -s /etc/init.d/httpd /etc/rc2.d/K15httpd
ln -s /etc/init.d/httpd /etc/rc3.d/K15httpd
ln -s /etc/init.d/httpd /etc/rc5.d/K15httpd
ln -s /etc/init.d/httpd /etc/rc6.d/K15httpd

ntsysv

A text-based graphical menu to enable or disable services.

serviceconf and system-config-services

A graphical interface to enable or disable services.

Where the Linux boot process can fail and how to solve it

Booting a computer to run Linux is quite a complex procedure. Happily it's understandable, so correctable when things break.

  1. P.O.S.T. The computer is powered on, the computer shows you a screen to configure some basic settings, the BIOS and tests itself. Not much Linux here!
  2. Boatloader Grub, Lilo or some other boot loader is started. The bootloader is a small piece of code that is able to start loading the kernel. Mostly you will have some options to edit boot parameters, like "single" to start in single user mode.
  3. The kernel This is where Linux starts, you'll see all kinds of (cryptic) messages scrolling over your screen. Use dmesg to see them again after booting.
  4. INIT The process "init" is started, the first process on a Linux machine. Init read /etc/inittab and launches RC.
  5. RC This facility is responsible for starting all the daemons and programs that make Linux a server.

Bootloader errors and fixes

The bootloader could point to a kernel that's not there, or adds a boot parameter that incorrect. A.k.a. a typo. Review your Grub or Lilo configuration and try again. Grub is a lot easier to debug, is has a minimalistic shell included.

Kernel errors and fixes

You could have built a kernel that's not suitable for your computer. I hope you have left and old kernel on your system, use Grub to select that kernel and boot it.

Init errors and fixes

Init is quite simple, it reads /etc/inittab and starts RC. When you have "played around with" /etc/inittab and made a typo somewhere, you might need to boot of a CD to fix the typo.

RC errors and fixes

This is the part where many "errors" can occur, like: "Apache is not starting". Review the startup script in /etc/init.d, review that there a script and it has no errors in it. Also read the article about controlling daemons.

Is "cat" too fast for you too?

These modern day computers are so fast, that "cat"-ting a file scrolls by at an unreadable speed!

Here is a small shell script to slowly cat files or standard input:

#!/bin/sh

# A program to slowly cat file or standard input.

if [ "$1" ] ; then
file="$1"
else
file="-"
fi

cat "$file" | while read line ; do
echo "$line"
sleep 1
done

And here is how to use it:

$ scat mylongfile
line 1
line 2
line 3
$ cat mylongfile | scat
line 1
line 2
line 3

Amazing what computers can do!

An example of using "chroot" to reset a password of a linux machine

I tried to explain what "chrooting" is to a group of starting Linux gurus. It seemed rather difficult to explain. So, maybe an illustrated article will explain what chroot is.

From chroot's manpage:

chroot - run command or interactive shell with special root directory

And in my own words:

chroot starts a process in a directory which looks like the root directory to that process.

Here is an example of how chroot can be used to reset a root password on an existing system. (Even works when the bootloader (grub) has a password set.)

  1. Insert a linux boot or install CD/DVD and make the computer boot from that cd.
  2. When the CD boots and starts the installer, hit [CTRL]+[ALT]+[F2] to go to a shell.
  3. Now that you have a shell available, you must mount the / (maybe /usr too) directory. Mostly you don't know what directory was the / directory, so you will end up mounting an unmounting a few times. mkdir /mnt/a && mount /dev/sda5 /mnt/a && mount /dev/sda3 /mnt/a/usr
  4. When you have the required mountpoints mounted, execute a chroot, like this: chroot /mnt/a /bin/sh
  5. Now you can execute passwd, which is actually /mnt/a/usr/bin/passwd. The password will be updated in /etc/shadow, which is actually /mnt/a/etc/shadow

Here is a screenshot to illustrate the procedure: (click to enlarge)

Why does "reboot" work as a user on Fedora Core?

If you are a normal (non-root) user on Fedora Core 9, you are able to reboot a machine without the usage of a password. Reboot initiates all kind of scripts that should normally be run as root, while "reboot" does not have a set user id bit set:

$ which reboot
/usr/bin/reboot
$ ls -l /usr/bin/reboot
lrwxrwxrwx 1 root root 13 2008-11-11 22:18 /usr/bin/reboot -> consolehelper
$ ls -l /usr/bin/consolehelper
-rwxr-xr-x 1 root root 3904 2008-08-03 09:10 /usr/bin/consolehelper
$ file /usr/bin/consolehelper
/usr/bin/consolehelper: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.9, stripped

From the man page of consolehelper I find:

consolehelper  is  a  tool  that makes it easy for console users to run system programs, doing authentication via PAM (which can be set  up  to trust all console users or to ask for a password at the system administrator’s discretion).

And in /etc/pam.d/reboot there is:

#%PAM-1.0
auth       sufficient pam_rootok.so
auth       required pam_console.so
#auth       include system-auth
account    required pam_permit.so

And from the manpage of pam_console.so:

pam_console.so  is designed to give users at the physical console (virtual terminals and local xdm-managed X sessions by default, but that is configurable)  capabilities  that they would not otherwise have, and to take those capabilities away when the are no longer logged  in  at  the console.

So; reboot is permitted by non-root users when they are logged into the console. To test this, login to a machine, try "reboot":

reboot: Need to be root

"Set User ID bit" demostration

The "set user id"-bit (or setuid-bit) is a potentially dangerous permission type. Wrong usage of setuid can result in unauthorized access to your system.

What it means

When a setuid bit is set to an executable, the script will be executed as if it was executed by the owner of the file. So for example this script has a setuid bit set:

$ ls -l myscript.sh
-rwsr-xr-x 1 root wheel 200 Nov 5 10:47 myscript.sh

This script may be executable by anybody. When executed by the user "robert" for example, it will inherit permissions as if it was executed by root.

Imagine that this script contains the command "reboot"; in that case anybody would be able to reboot the machine.

How you can set it

Very easy:

# chmod 4755 myscript.sh

or
# chmod u+s myscript.sh

What you can do with it

Here is a small demonstration, first showing that a user can't write to /etc/passwd.

$ echo "foo bar" >> /etc/passwd
-bash: /etc/passwd: Permission denied

Now set the setuid bit:
# chmod u+s /bin/echo

With the setuid bit on, the user is able to write to /etc/passwd:
$ echo "foo bar" >> /etc/passwd
$

See the dangerous situation we have just created? Undo it by executing # chmod u-s /bin/echo.

How to detect (and resolve) it

# find / -perm -4000

Please notice that there are many files on a system that have setuid bits, like:

  • /bin/mount - because a user needs to be able to mount a cdrom or floppy.
  • /bin/ping
  • /usr/bin/crontab

Cygwin is not as scary as it looks

Most people on the windows platform know Cygwin. ("Cygwin is a Linux-like environment for Windows.") As I never use Windows, I feared programs like these, but it turns out cygwin is quite usable. It's even possible to run shell scripts that normally run on my Mac OS X machine.

Download the installer, select all packages you want. (Don't worry, all "generic" tools (ls, cd, grep, awk, ps, bash) are installed by default.) I added "openssh", "netcat", "xterm" and some others. Dependencies will be resolved automatically. The installer downloads everything. You can run the installer again to add extra packages.

You end up with a "Cygwin" icon. Double click it to start your terminal. It's not really a terminal, but looks quite like it.

Some things are strange or missing, like "top" that's missing, permissions (ls -al) look strange, just as the directory structure. But; take some distance from these details and conclude that you have "bash" running on your windows machine!

About Consultancy Articles Contact




References Red Hat Certified Architect By Robert de Bock Robert de Bock
Curriculum Vitae By Fred Clausen +31 6 14 39 58 72
By Nelson Manning [email protected]
Syndicate content