Contents

Introduction
The Exam Objectives
Assessment Test
Answers to the Assessment Test

Part I: Exam 1

Chapter 1: Exploring Linux Command-Line Tools
    Understanding Command-Line Basics
    Using Streams, Redirection, and Pipes
    Processing Text Using Filters
    Using Regular Expressions
    Summary
    Exam Essentials
    Review Questions
Chapter 2: Managing Software
    Package Concepts
    Using RPM
    Using Debian Packages
    Converting Between Package Formats
    Package Dependencies and Conflicts
    Managing Shared Libraries
    Managing Processes
    Summary
    Exam Essentials
    Review Questions
Chapter 3: Configuring Hardware
    Configuring the Firmware and Core Hardware
    Configuring Expansion Cards
    Configuring USB Devices
    Configuring Hard Disks
    Designing a Hard Disk Layout
    Creating Partitions and Filesystems
    Maintaining Filesystem Health
    Mounting and Unmounting Filesystems
    Summary
    Exam Essentials
    Review Questions
Chapter 4: Managing Files
    Using File Management Commands
    Managing File Ownership
    Controlling Access to Files
    Managing Disk Quotas
    Locating Files
    Summary
    Exam Essentials
    Review Questions
Chapter 5: Booting Linux and Editing Files
    Installing Boot Loaders
    Understanding the Boot Process
    Dealing with Runlevels and the Initialization Process
    Using Alternative Boot Systems
    Editing Files with Vi
    Summary
    Exam Essentials
    Review Questions

Part II: Exam 2

Chapter 6: Configuring the X Window System, Localization, and Printing
    Configuring Basic X Features
    Configuring X Fonts
    Managing GUI Logins
    Using X for Remote Access
    X Accessibility
    Configuring Localization and Internationalization
    Configuring Printing
    Summary
    Exam Essentials
    Review Questions
Chapter 7: Administering the System
    Managing Users and Groups
    Tuning User and System Environments
    Using System Log Files
    Maintaining the System Time
    Running Jobs in the Future
    Summary
    Exam Essentials
    Review Questions
Chapter 8: Configuring Basic Networking
    Understanding TCP/IP Networking
    Understanding Network Addressing
    Configuring Linux for a Local Network
    Diagnosing Network Connections
    Summary
    Exam Essentials
    Review Questions
Chapter 9: Writing Scripts, Configuring Email, and Using Databases
    Managing the Shell Environment
    Writing Scripts
    Managing Email
    Managing Data with SQL
    Summary
    Exam Essentials
    Review Questions
Chapter 10: Securing Your System
    Administering Network Security
    Administering Local Security
    Configuring SSH
    Using GPG
    Summary
    Exam Essentials
    Review Questions

Appendix A: Answers to Review Questions
Appendix B: About the Additional Study Tools
Index
Senior Acquisitions Editor: Jeff Kellum
Development Editor: Alexa Murphy
Technical Editors: Ross Brunson and Kevin Glendenning, FOSSter.com
Production Editor: Eric Charbonneau
Copy Editor: Kim Wimpsett
Editorial Manager: Pete Gaughan
Production Manager: Tim Tate
Vice President and Executive Group Publisher: Richard Swadley
Vice President and Publisher: Neil Edde
Media Project Manager 1: Laura Moss-Hollister
Media Associate Producer: Doug Kuhn
Media Quality Assurance: Josh Frank
Book Designer: Judy Fung
Proofreader: Candace Cunningham
Indexer: Ted Laux
Project Coordinator, Cover: Katherine Crocker
Cover Designer: Ryan Sneed

Copyright © 2013 by John Wiley & Sons, Inc., Indianapolis, Indiana
Published simultaneously in Canada
ISBN: 978-1-118-49563-6
ISBN: 978-1-118-52648-4 (ebk.)
ISBN: 978-1-118-57047-0 (ebk.)
ISBN: 978-1-118-57055-5 (ebk.)
Library of Congress Control Number: 2012951869

Dear Reader,

Thank you for choosing LPIC-1: Linux Professional Institute Certification Study Guide, Third Edition. This book is part of a family of premium-quality Sybex books, all of which are written by outstanding authors who combine practical experience with a gift for teaching.

Sybex was founded in 1976. More than 30 years later, we’re still committed to producing consistently exceptional books. With each of our titles, we’re working hard to set a new standard for the industry. From the paper we print on to the authors we work with, our goal is to bring you the best books available.

I hope you see all that reflected in these pages. I’d be very interested to hear your comments and get your feedback on how we’re doing. Feel free to let me know what you think about this or any other Sybex book by sending me an email at nedde@wiley.com. If you think you’ve found a technical error in this book, please visit http://sybex.custhelp.com. Customer feedback is critical to our efforts at Sybex.

Best regards,

Neil Edde
Vice President and Publisher
Sybex, an Imprint of Wiley

Acknowledgments

Although this book bears my name as author, many other people contributed to its creation. Without their help, this book wouldn’t exist, or at best would exist in a lesser form. Jeff Kellum was the acquisitions editor and so helped get the book started. Alexa Murphy, the developmental editor, and Eric Charbonneau, the production editor, oversaw the book as it progressed through all its stages. Ross Brunson and Kevin Glendenning were the technical editors who checked the text for technical errors and omissions—but any mistakes that remain are my own. Kim Wimpsett, the copy editor, helped keep the text grammatical and understandable. The proofreader, Candace Cunningham, checked the text for typos. I’d also like to thank Neil Salkind and others at Studio B, who helped connect me with Wiley to write this book.

About the Author

Roderick W. Smith is a Linux consultant and author. He has written more than 20 books on Linux, FreeBSD, and computer networking, including Linux Essentials, the LPIC-2 Study Guide, and Linux Administrator Street Smarts (all from Sybex) [email protected].

Table of Exercises

Exercise 1.1   Editing Commands
Exercise 2.1   Managing Packages Using RPM
Exercise 2.2   Managing Debian Packages
Exercise 3.1   Creating Filesystems
Exercise 4.1   Modifying Ownership and Permissions
Exercise 4.2   Locating Files
Exercise 5.1   Changing Runlevels
Exercise 6.1   Printing with Linux
Exercise 7.1   Creating User Accounts
Exercise 7.2   Creating User cron Jobs
Exercise 8.1   Practice Resolving Hostnames
Exercise 8.2   Configuring a Network Connection
Exercise 9.1   Changing Your bash Prompt
Exercise 9.2   Creating a Simple Script
Exercise 9.3   Creating a SQL Database
Exercise 10.1  Monitor Network Port Use

Introduction

Why should you learn about Linux? It’s a fast-growing operating system, and it is inexpensive and flexible. Linux is also a major player in the small and mid-sized server field, and it’s an increasingly viable platform for workstation and desktop use as well. By understanding Linux, you’ll increase your standing in the job market. Even if you already know Windows or Mac OS and your employer uses these systems exclusively, understanding Linux will give you an edge when you’re looking for a new job or you’re looking for a promotion. For instance, this knowledge will help you make an informed decision about if and when you should deploy Linux.

The Linux Professional Institute (LPI) has developed its LPI-1 certification as an introductory certification for people who want to enter careers involving Linux. The exam is meant to certify that an individual has the skills necessary to install, operate, and troubleshoot a Linux system and is familiar with Linux-specific concepts and basic hardware.

The purpose of this book is to help you pass the LPIC-1 exams (101 and 102) updated in 2012. Because these exams cover basic Linux installation, configuration, maintenance, applications, networking, and security, those are the topics that are emphasized in this book. You’ll learn enough to get a Linux system up and running and to configure it for many common tasks. Even after you’ve taken and passed the LPIC-1 exams, this book should remain a useful reference.

What Is Linux?

Linux is a clone of the Unix operating system (OS) that has been popular in academia and many business environments for years. Formerly used exclusively on large mainframes, Unix and Linux can now run on small computers—which are actually far more powerful than the mainframes of just a few years ago. Because of its mainframe heritage, Unix (and hence also Linux) scales well to perform today’s demanding scientific, engineering, and network server tasks.

Linux consists of a kernel, which is the core control software, and many libraries and utilities that rely on the kernel to provide features with which users interact. The OS is available in many different distributions, which are collections of a specific kernel with specific support programs.

Why Become Linux Certified?

Several good reasons to get your Linux certification exist. There are four major benefits:

Relevance: The exams were designed with the needs of Linux professionals in mind. This was done by performing surveys of Linux administrators to learn what they actually need to know to do their jobs.

Quality: The exams have been extensively tested and validated using psychometric standards. The result is an ability to discriminate between competent administrators and those who must still learn more material.

Neutrality: LPI is an organization that doesn’t itself market any Linux distribution. This fact removes the motivation to create an exam that’s designed as a way to market a particular distribution.

Support: The exams are supported by major players in the Linux world.

How to Become Certified

The certification is available to anyone who passes the two required exams: 101 and 102. You don’t have to work for a particular company. It’s not a secret society.

The exam is administered by Pearson VUE. The exam can be taken at any Pearson VUE testing center. If you pass, you will get a certificate in the mail saying that you have passed. Contact (877) 619-2096 for Pearson VUE contact information.

To register for the exam with Pearson VUE, call (877) 619-2096, or register online at http://www.vue.com. However you do it, you’ll be asked for your name, mailing address, phone number, employer, when and where you want to take the test (i.e., which testing center), and your credit card number (arrangement for payment must be made at the time of registration).

Who Should Buy This Book

Anybody who wants to pass the certification exams may benefit from this book. This book covers the material that someone new to Linux will need to learn the OS from the beginning, and it continues to provide the knowledge you need up to a proficiency level sufficient to pass the two exams. You can pick up this book and learn from it even if you’ve never used Linux before, although you’ll find it an easier read if you’ve at least casually used Linux for a few days. If you’re already familiar with Linux, this book can serve as a review and as a refresher course for information with which you might not be completely familiar. In either case, reading this book will help you pass the exams.

This book is written with the assumption that you know at least a little bit about Linux (what it is and possibly a few Linux commands). I also assume you know some basics about computers in general, such as how to use a keyboard, how to insert a disc into an optical drive, and so on. Chances are, you have used computers in a substantial way in the past—perhaps even Linux, as an ordinary user, or maybe you have used Windows or Mac OS. I do not assume that you have extensive knowledge of Linux system administration, but if you’ve done some system administration, you can still use this book to fill in gaps in your knowledge.

As a practical matter, you’ll need a Linux system with which to practice and learn in a hands-on way. Neither the exams nor this book covers actually installing Linux on a computer from scratch, although some of the prerequisites (such as disk partitioning) are covered. You may need to refer to your distribution’s documentation to learn how to accomplish this task. Alternatively, several vendors sell computers with Linux pre-installed.

How This Book Is Organized

This book consists of 10 chapters plus supplementary information: an online glossary, this introduction, and the assessment test after the introduction. The chapters are organized as follows:

    Chapter 1, “Exploring Linux Command-Line Tools,” covers the basic tools you need to interact with Linux. These include shells, redirection, pipes, text filters, and regular expressions.

    Chapter 2, “Managing Software,” describes the programs you’ll use to manage software. Much of this task is centered around the RPM and Debian package management systems. The chapter also covers handling shared libraries and managing processes (that is, running programs).

    Chapter 3, “Configuring Hardware,” focuses on Linux’s interactions with the hardware on which it runs. Specific hardware and procedures for using it include the BIOS, expansion cards, USB devices, hard disks, and the partitions and filesystems used on hard disks.

    Chapter 4, “Managing Files,” covers the tools used to manage files. This includes commands to manage files, ownership, and permissions, as well as Linux’s standard directory tree and tools for archiving files.

    Chapter 5, “Booting Linux and Editing Files,” explains how Linux boots up and how you can edit files in Linux. Specific topics include the GRUB Legacy and GRUB 2 boot loaders, boot diagnostics, runlevels, and the Vi editor.

    Chapter 6, “Configuring the X Window System, Localization, and Printing,” describes the Linux GUI and printing subsystems. Topics include X configuration, managing GUI logins, configuring location-specific features, enabling accessibility features, and setting up Linux to use a printer.

    Chapter 7, “Administering the System,” describes miscellaneous administrative tasks. These include user and group management, tuning user environments, managing log files, setting the clock, and running jobs in the future.

    Chapter 8, “Configuring Basic Networking,” focuses on basic network configuration. Topics include TCP/IP basics, setting up Linux on a TCP/IP network, and network diagnostics.

    Chapter 9, “Writing Scripts, Configuring Email, and Using Databases,” covers these miscellaneous topics. Scripts are small programs that administrators often use to help automate common tasks. Email, of course, is an important topic for any computer user, particularly on Linux, which often runs an email server for local or remote use. Linux can run databases that help you store and retrieve information, and these tools can be very important ones on many Linux systems.

    Chapter 10, “Securing Your System,” covers security. Specific subjects include network security, local security, and the use of encryption to improve security.

Chapters 1 through 5 cover the 101 exam, while Chapters 6 through 10 cover the 102 exam. These make up Part I and Part II of the book, respectively.

Each chapter begins with a list of the exam objectives that are covered in that chapter. The book doesn’t cover the objectives in order. Thus, you shouldn’t be alarmed at some of the odd ordering of the objectives within the book. At the end of each chapter, you’ll find a couple of elements you can use to prepare for the exam:

Exam Essentials: This section summarizes important information that was covered in the chapter. You should be able to perform each of the tasks or convey the information requested.

Review Questions: Each chapter concludes with 20 review questions. You should answer these questions and check your answers against the ones provided after the questions. If you can’t answer at least 80 percent of these questions correctly, go back and review the chapter, or at least those sections that seem to be giving you difficulty.

The review questions, assessment test, and other testing elements included in this book are not derived from the actual exam questions, so don’t memorize the answers to these questions and assume that doing so will enable you to pass the exam. You should learn the underlying topic, as described in the text of the book. This will let you answer the questions provided with this book and pass the exam. Learning the underlying topic is also the approach that will serve you best in the workplace—the ultimate goal of a certification.

To get the most out of this book, you should read each chapter from start to finish and then check your memory and understanding with the chapter-end elements. Even if you’re already familiar with a topic, you should skim the chapter; Linux is complex enough that there are often multiple ways to accomplish a task, so you may learn something even if you’re already competent in an area.

Additional Study Tools

Readers of this book can access a Web site that contains several additional study tools, including the following:

Readers can access these tools by visiting http://www.sybex.com/go/lpic3e.

Sample Tests: All of the questions in this book will be included, including the assessment test at the end of this introduction and the 200 questions from the review sections at the end of each chapter. In addition, there are two 50-question bonus exams. The test engine runs on Windows, Linux, and Mac OS.

Electronic Flashcards: The additional study tools include 150 questions in flashcard format (a question followed by a single correct answer). You can use these to review your knowledge of the exam objectives. The flashcards run on both Windows and Linux.

Glossary of Terms as a PDF File: In addition, there is a searchable glossary in PDF format, which can be read on all platforms that support PDF.

Conventions Used in This Book

This book uses certain typographic styles in order to help you quickly identify important information and to avoid confusion over the meaning of words such as on-screen prompts. In particular, look for the following styles:

    Italicized text indicates key terms that are described at length for the first time in a chapter. (Italics are also used for emphasis.)

    A monospaced font indicates the contents of configuration files, messages displayed at a text-mode Linux shell prompt, filenames, text-mode command names, and Internet URLs.

    Italicized monospaced text indicates a variable—information that differs from one system or command run to another, such as the name of a client computer or a process ID number.

    Bold monospaced text is information that you’re to type into the computer, usually at a Linux shell prompt. This text can also be italicized to indicate that you should substitute an appropriate value for your system. (When isolated on their own lines, commands are preceded by non-bold monospaced $ or # command prompts, denoting regular user or system administrator use, respectively.)

In addition to these text conventions, which can apply to individual words or entire paragraphs, a few conventions highlight segments of text:

A note indicates information that’s useful or interesting but that’s somewhat peripheral to the main text. A note might be relevant to a small number of networks, for instance, or it may refer to an outdated feature.

A tip provides information that can save you time or frustration and that may not be entirely obvious. A tip might describe how to get around a limitation or how to use a feature to perform an unusual task.

Warnings describe potential pitfalls or dangers. If you fail to heed a warning, you may end up spending a lot of time recovering from a bug, or you may even end up restoring your entire system from scratch.

Sidebar
A sidebar is like a note but longer. The information in a sidebar is useful, but it doesn’t fit into the main flow of the text.

Real World Scenario
A real world scenario is a type of sidebar that describes a task or example that’s particularly grounded in the real world. This may be a situation I or somebody I know has encountered, or it may be advice on how to work around problems that are common in real, working Linux environments.

EXERCISE: EXERCISE
An exercise is a procedure you should try on your own computer to help you learn about the material in the chapter. Don’t limit yourself to the procedures described in the exercises, though! Try other commands and procedures to really learn about Linux.

The Exam Objectives

Behind every computer industry exam you can be sure to find exam objectives—the broad topics in which exam developers want to ensure your competency. The official exam objectives are listed here. (They’re also printed at the start of the chapters in which they’re covered.)

Exam objectives are subject to change at any time without prior notice and at LPI’s sole discretion. Please visit LPI’s Web site (http://www.lpi.org) for the most current listing of exam objectives.

Exam 101 Objectives

The following are the areas in which you must be proficient in order to pass the 101 exam. This exam is broken into four topics (101–104), each of which has three to eight objectives. Each objective has an associated weight, which reflects its importance to the exam as a whole. The four main topics are:

Subject Area
101 System Architecture
102 Linux Installation and Package Management
103 GNU and Unix Commands
104 Devices, Linux Filesystems, Filesystem Hierarchy Standard

101 System Architecture

101.1 Determine and Configure hardware settings (Chapter 3)
    Enable and disable integrated peripherals
    Configure systems with or without external peripherals such as keyboards
    Differentiate between the various types of mass storage devices
    Set the correct hardware ID for different devices, especially the boot device
    Know the differences between coldplug and hotplug devices
    Determine hardware resources for devices
    Tools and utilities to list various hardware information (e.g., lsusb, lspci, etc.)
    Tools and utilities to manipulate USB devices
    Conceptual understanding of sysfs, udev, hald, dbus
    The following is a partial list of the used files, terms, and utilities: /sys, /proc, /dev, modprobe, lsmod, lspci, lsusb

101.2 Boot the System (Chapter 5)
    Provide common commands to the boot loader and options to the kernel at boot time
    Demonstrate knowledge of the boot sequence from BIOS to boot completion
    Check boot events in the log file
    The following is a partial list of the used files, terms and utilities: /var/log/messages, dmesg, BIOS, bootloader, kernel, init

101.3 Change runlevels and shutdown or reboot system (Chapter 5)
    Set the default runlevel
    Change between runlevels including single user mode
    Shutdown and reboot from the command line
    Alert users before switching runlevels or other major system events
    Properly terminate processes
    Knowledge of basic features of systemd and Upstart
    The following is a partial list of the used files, terms and utilities: /etc/inittab, shutdown, init, /etc/init.d, telinit

102 Linux Installation and Package Management

102.1 Design hard disk layout (Chapter 3)
    Allocate filesystems and swap space to separate partitions or disks
    Tailor the design to the intended use of the system
    Ensure the /boot partition conforms to the hardware architecture requirements for booting
    Knowledge of basic features of LVM
    The following is a partial list of the used files, terms and utilities: / (root) filesystem, /var filesystem, /home filesystem, swap space, mount points, partitions

102.2 Install a boot manager (Chapter 5)
    Providing alternative boot locations and backup boot options
    Install and configure a boot loader such as GRUB Legacy
    Perform basic configuration changes for GRUB 2
    Interact with the boot loader
    The following is a partial list of the used files, terms, and utilities: /boot/grub/menu.lst, grub.cfg and other variations, grub-install, MBR, superblock

102.3 Manage shared libraries (Chapter 2)
    Identify shared libraries
    Identify the typical locations of system libraries
    Load shared libraries
    The following is a partial list of the used files, terms and utilities: ldd, ldconfig, /etc/ld.so.conf, LD_LIBRARY_PATH

102.4 Use Debian package management (Chapter 2)
    Install, upgrade and uninstall Debian binary packages
    Find packages containing specific files or libraries which may or may not be installed
    Obtain package information like version, content, dependencies, package integrity and installation status (whether or not the package is installed)
    The following is a partial list of the used files, terms and utilities: /etc/apt/sources.list, dpkg, dpkg-reconfigure, apt-get, apt-cache, aptitude

102.5 Use RPM and YUM package management (Chapter 2)
    Install, re-install, upgrade and remove packages using RPM and YUM
    Obtain information on RPM packages such as version, status, dependencies, integrity and signatures
    Determine what files a package provides, as well as find which package a specific file comes from
    The following is a partial list of the used files, terms and utilities: rpm, rpm2cpio, /etc/yum.conf, /etc/yum.repos.d/, yum, yumdownloader

103 GNU and Unix Commands

103.1 Work on the command line (Chapter 1)
    Use single shell commands and one line command sequences to perform basic tasks on the command line
    Use and modify the shell environment including defining, referencing and exporting environment variables
    Use and edit command history
    Invoke commands inside and outside the defined path
    The following is a partial list of the used files, terms and utilities: ., bash, echo, env, exec, export, pwd, set, unset, man, uname, history

103.2 Process text streams using filters (Chapter 1)
    Send text files and output streams through text utility filters to modify the output using standard UNIX commands found in the GNU textutils package
    The following is a partial list of the used files, terms and utilities: cat, cut, expand, fmt, head, od, join, nl, paste, pr, sed, sort, split, tail, tr, unexpand, uniq, wc

103.3 Perform basic file management (Chapter 4)
    Copy, move and remove files and directories individually
    Copy multiple files and directories recursively
    Remove files and directories recursively
    Use simple and advanced wildcard specifications in commands
    Using find to locate and act on files based on type, size, or time
    Usage of tar, cpio, and dd
    The following is a partial list of the used files, terms and utilities: cp, find, mkdir, mv, ls, rm, rmdir, touch, tar, cpio, dd, file, gzip, gunzip, bzip2, file globbing

103.4 Use streams, pipes and redirects (Chapter 1)
    Redirecting standard input, standard output and standard error
    Pipe the output of one command to the input of another command
    Use the output of one command as arguments to another command
    Send output to both stdout and a file
    The following is a partial list of the used files, terms and utilities: tee, xargs

103.5 Create, monitor and kill processes (Chapter 2)
    Run jobs in the foreground and background
    Signal a program to continue running after logout
    Monitor active processes
    Select and sort processes for display
    Send signals to processes
    The following is a partial list of the used files, terms and utilities: &, bg, fg, jobs, kill, nohup, ps, top, free, uptime, killall

103.6 Modify process execution priorities (Chapter 2)
    Know the default priority of a job that is created
    Run a program with higher or lower priority than the default
    Change the priority of a running process
    The following is a partial list of the used files, terms and utilities: nice, ps, renice, top

103.7 Search text files using regular expressions (Chapter 1)
    Create simple regular expressions containing several notational elements
    Use regular expression tools to perform searches through a filesystem or file content
    The following is a partial list of the used files, terms and utilities: grep, egrep, fgrep, sed, regex(7)

103.8 Perform basic file editing operations using vi (Chapter 5)
    Navigate a document using vi
    Use basic vi modes
    Insert, edit, delete, copy and find text
    The following is a partial list of the used files, terms and utilities: vi, /, ?, h, j, k, l, i, o, a, c, d, p, y, dd, yy, ZZ, :w!, :q!, :e!

104 Devices, Linux Filesystems, Filesystem Hierarchy Standard

104.1 Create partitions and filesystems (Chapter 3)
    Use various mkfs commands to set up partitions and create various filesystems such as: ext2, ext3, xfs, reiserfs v3, vfat
    The following is a partial list of the used files, terms and utilities: fdisk, mkfs, mkswap

104.2 Maintain the integrity of filesystems (Chapter 3)
    Verify the integrity of filesystems
    Monitor free space and inodes
    Repair simple filesystem problems
    The following is a partial list of the used files, terms and utilities: du, df, fsck, e2fsck, mke2fs, debugfs, dumpe2fs, tune2fs, xfs tools (such as xfs_metadump and xfs_info)

104.3 Control mounting and unmounting of filesystems (Chapter 3)
    Manually mount and unmount filesystems
    Configure filesystem mounting on bootup
    Configure user mountable removable filesystems
    The following is a partial list of the used files, terms and utilities: /etc/fstab, /media, mount, umount

104.4 Manage disk quotas (Chapter 4)
    Set up a disk quota for a filesystem
    Edit, check and generate user quota reports
    The following is a partial list of the used files, terms and utilities: quota, edquota, repquota, quotaon

104.5 Manage file permissions and ownership (Chapter 4)
    Manage access permissions on regular and special files as well as directories
    Use access modes such as suid, sgid and the sticky bit to maintain security
    Know how to change the file creation mask
    Use the group field to grant file access to group members
    The following is a partial list of the used files, terms and utilities: chmod, umask, chown, chgrp

104.6 Create and change hard and symbolic links (Chapter 4)
    Create links
    Identify hard and/or soft links
    Copying versus linking files
    Use links to support system administration tasks
    The following is a partial list of the used files, terms and utilities: ln

104.7 Find system files and place files in the correct location (Chapter 4)
    Understand the correct locations of files under the FHS
    Find files and commands on a Linux system
    Know the location and purpose of important files and directories as defined in the FHS
    The following is a partial list of the used files, terms and utilities: find, locate, updatedb, whereis, which, type, /etc/updatedb.conf

Exam 102 Objectives

The 102 exam comprises six topics (105–110), each of which contains three or four objectives. The six major topics are:

Subject Area
105 Shells, Scripting and Data Management
106 User Interfaces and Desktops
107 Administrative Tasks
108 Essential System Services
109 Networking Fundamentals
110 Security

105 Shells, Scripting and Data Management

105.1 Customize and use the shell environment (Chapter 9)
    Set environment variables (e.g., PATH) at login or when spawning a new shell
    Write BASH functions for frequently used sequences of commands
    Maintain skeleton directories for new user accounts
    Set command search path with the proper directory
    The following is a partial list of the used files, terms, and utilities: /etc/profile, env, export, set, unset, ~/.bash_profile, ~/.bash_login, ~/.profile, ~/.bashrc, ~/.bash_logout, function, alias, lists

105.2 Customize or write simple scripts (Chapter 9)
    Use standard sh syntax (loops, tests)
    Use command substitution
    Test return values for success or failure or other information provided by a command
    Perform conditional mailing to the superuser
    Correctly select the script interpreter through the shebang (#!) line
    Manage the location, ownership, execution and suid-rights of scripts
    The following is a partial list of the used files, terms, and utilities: for, while, test, if, read, seq

105.3 SQL data management (Chapter 9)
    Use of basic SQL commands
    Perform basic data manipulation
    The following is a partial list of the used files, terms, and utilities: insert, update, select, delete, from, where, group by, order by, join

106 User Interfaces and Desktops

106.1 Install and configure X11 (Chapter 6)
    Verify that the video card and monitor are supported by an X server
    Awareness of the X font server
    Basic understanding and knowledge of the X Window configuration file
    The following is a partial list of the used files, terms, and utilities: /etc/X11/xorg.conf, xhost, DISPLAY, xwininfo, xdpyinfo, X

106.2 Set up a display manager (Chapter 6)
    Turn the display manager on or off
    Change the display manager greeting
    Change default color depth for the display manager
    Configure display managers for use by X-stations
    The following is a partial list of the used files, terms, and utilities: /etc/inittab; plus xdm, kdm, and gdm configuration files

106.3 Accessibility (Chapter 6)
    Keyboard Accessibility Settings (AccessX)
    Visual Settings and Themes
    Assistive Technology (ATs)
    The following is a partial list of the used files, terms, and utilities: Sticky/Repeat Keys, Slow/Bounce/Toggle Keys, Mouse Keys, High Contrast/Large Print Desktop Themes, Screen Reader, Braille Display, Screen Magnifier, On-Screen Keyboard, Gestures (used at login, for example gdm), Orca, GOK, emacspeak

107 Administrative Tasks

107.1 Manage user and group accounts and related system files (Chapter 7)
    Add, modify and remove users and groups
    Manage user/group info in password/group databases
    Create and manage special purpose and limited accounts
    The following is a partial list of the used files, terms, and utilities: /etc/passwd, /etc/shadow, /etc/group, /etc/skel, chage, groupadd, groupdel, groupmod, passwd, useradd, userdel, usermod

107.2 Automate system administration tasks by scheduling jobs (Chapter 9)
    Manage cron and at jobs
    Configure user access to cron and at services
    The following is a partial list of the used files, terms, and utilities: /etc/cron.{d,daily,hourly,monthly,weekly}, /etc/at.deny, /etc/at.allow, /etc/crontab, /etc/cron.allow, /etc/cron.deny, /var/spool/cron/*, crontab, at, atq, atrm

107.3 Localization and internationalization (Chapter 6)
    Locale settings
    Timezone settings
    The following is a partial list of the used files, terms, and utilities: /etc/timezone, /etc/localtime, /usr/share/zoneinfo, environment variables (LC_*, LC_ALL, LANG, TZ), /usr/bin/locale, tzselect, tzconfig, date, iconv, UTF-8, ISO-8859, ASCII, Unicode

108 Essential System Services

108.1 Maintain system time (Chapter 7)
    Set the system date and time
    Set the hardware clock to the correct time in UTC
    Configure the correct timezone
    Basic NTP configuration
    Knowledge of using the pool.ntp.org service
    The following is a partial list of the used files, terms, and utilities: /usr/share/zoneinfo, /etc/timezone, /etc/localtime, /etc/ntp.conf, date, hwclock, ntpd, ntpdate, pool.ntp.org

108.2 System logging (Chapter 7)
    Syslog configuration files
    syslog standard facilities, priorities and actions
    The following is a partial list of the used files, terms, and utilities: syslog.conf, syslogd, klogd, logger

108.3 Mail Transfer Agent (MTA) basics (Chapter 9)
    Create e-mail aliases
    Configure e-mail forwarding
    Knowledge of commonly available MTA programs (postfix, sendmail, qmail, exim) (no configuration)
    The following is a partial list of the used files, terms, and utilities: ~/.forward, sendmail emulation layer commands, newaliases, mail, mailq, postfix, sendmail, exim, qmail

108.4 Manage printers and printing (Chapter 6)
    Basic CUPS configuration (for local and remote printers)
    Manage user print queues
    Troubleshoot general printing problems
    Add and remove jobs from configured printer queues
    The following is a partial list of the used files, terms, and utilities: CUPS configuration files, tools and utilities; /etc/cups; lpd legacy interface (lpr, lprm, lpq)

109 Networking Fundamentals

109.1 Fundamentals of internet protocols (Chapter 8)
Demonstrate an understanding of network masks
Knowledge of the differences between private and public “dotted quad” IP-Addresses
Setting a default route
Knowledge about common TCP and UDP ports (20, 21, 22, 23, 25, 53, 80, 110, 119, 139, 143, 161, 443, 465, 993, 995)
Knowledge about the differences and major features of UDP, TCP and ICMP
Knowledge of the major differences between IPv4 and IPv6
Knowledge of the basic features of IPv6
The following is a partial list of the used files, terms, and utilities: /etc/services, ftp, telnet, host, ping, dig, traceroute, tracepath

109.2 Basic network configuration (Chapter 8)
Manually and automatically configure network interfaces
Basic TCP/IP host configuration
The following is a partial list of the used files, terms, and utilities: /etc/hostname, /etc/hosts, /etc/resolv.conf, /etc/nsswitch.conf, ifconfig, ifup, ifdown, route, ping

109.3 Basic network troubleshooting (Chapter 8)
Manually and automatically configure network interfaces and routing tables to include adding, starting, stopping, restarting, deleting or reconfiguring network interfaces
Change, view or configure the routing table and correct an improperly set default route manually
Debug problems associated with the network configuration
The following is a partial list of the used files, terms, and utilities: ifconfig, ifup, ifdown, route, host, hostname, dig, netstat, ping, traceroute

109.4 Configure client side DNS (Chapter 8)
Demonstrate the use of DNS on the local system
Modify the order in which name resolution is done
The following is a partial list of the used files, terms, and utilities: /etc/hosts, /etc/resolv.conf, /etc/nsswitch.conf

110 Security

110.1 Perform security administration tasks (Chapter 10)
Audit a system to find files with the suid/sgid bit set
Set or change user passwords and password aging information
Being able to use nmap and netstat to discover open ports on a system
Set up limits on user logins, processes and memory usage
Basic sudo configuration and usage
The following is a partial list of the used files, terms, and utilities: find, passwd, lsof, nmap, chage, netstat, sudo, /etc/sudoers, su, usermod, ulimit

110.2 Set up host security (Chapter 10)
Awareness of shadow passwords and how they work
Turn off network services not in use
Understand the role of TCP wrappers
The following is a partial list of the used files, terms, and utilities: /etc/nologin, /etc/passwd, /etc/shadow, /etc/xinetd.d/*, /etc/xinetd.conf, /etc/inetd.d/*, /etc/inetd.conf, /etc/inittab, /etc/init.d/*, /etc/hosts.allow, /etc/hosts.deny

110.3 Securing data with encryption (Chapter 10)
Perform basic OpenSSH 2 client configuration and usage
Understand the role of OpenSSH 2 server host keys
Perform basic GnuPG configuration and usage
Understand SSH port tunnels (including X11 tunnels)
The following is a partial list of the used files, terms, and utilities: ssh, ssh-keygen, ssh-agent, ssh-add, ~/.ssh/id_rsa and id_rsa.pub, ~/.ssh/id_dsa and id_dsa.pub, /etc/ssh/ssh_host_rsa_key and ssh_host_rsa_key.pub, /etc/ssh/ssh_host_dsa_key and ssh_host_dsa_key.pub, ~/.ssh/authorized_keys, /etc/ssh_known_hosts, gpg, ~/.gnupg/*

Assessment Test

1. The following line appears in your X server’s mouse configuration area. What can you conclude?
Option "Protocol" "PS/2"
A. The mouse is connected to the PS/2 hardware mouse port.
B. The mouse uses the PS/2 software communication standard.
C. The computer is an ancient IBM PS/2 system.
D. The mouse was designed for use with IBM’s OS/2.
E. A slash (/) is invalid in a protocol name, so the mouse won’t work.

2. How can you tell whether your system is using inetd or xinetd as a super server? (Select two.)
A. Type ps ax | grep inetd, and examine the output for signs of inetd or xinetd.
B. Type superserver to see a report on which super server is running.
C. Look for the /etc/inetd.conf file or /etc/xinetd.d subdirectory, which are signs of inetd or xinetd, respectively.
D. Examine the /etc/inittab file to see which super server is launched by init, which is responsible for this task.
E. Type netstat -a | grep inet and examine the output for signs of inetd or xinetd.

3. How does the lpc utility for CUPS differ from its counterpart in BSD LPD and LPRng?
A. The lpc utility is unique to CUPS; it doesn’t ship with BSD LPD or LPRng.
B. CUPS doesn’t ship with an lpc command, but BSD LPD and LPRng do.
C. CUPS’s lpc is much more complex than its counterpart in BSD LPD and LPRng.
D. CUPS’s lpc is much simpler than its counterpart in BSD LPD and LPRng.
E. The lpc utility is identical in all three of these printing systems.

4. What file would you edit to restrict the number of simultaneous logins a user can employ?
A. /etc/pam.d/login-limits
B. /etc/bashrc
C. /etc/security/limits.conf
D. /etc/inittab
E. /etc/passwd

5. Which of the following are required when configuring a computer to use a static IP address? (Select two.)
A. The IP address of the DHCP server
B. The hostname of the NBNS server
C. The computer’s IP address
D. The network mask
E. The IP address of the NTP server

6. What does the following command accomplish?
$ wc report.txt | tee wc
A. It launches the wc editor on both the report.txt and wc.txt files; each file opens in its own window.
B. It displays a count of the windows in which the report.txt file is displayed and shows that information in a new window called wc.
C. It creates a count of newlines, words, and bytes in the report.txt file and then displays a count of these statistics about the report it just generated.
D. It cleans up any memory leaks associated with the tee program’s use of the report.txt file.
E. It displays a count of newlines, words, and bytes in the report.txt file and copies that output to the wc file.

7. Which of the following characters defines the end of an OS or kernel definition in /boot/grub/grub.cfg?
A. ;
B. )
C. }
D. */
E. None of the above; the definition ends with the title line beginning the next entry

8. What does the number 703 represent in the following /etc/passwd entry?
george:x:703:100:George Brown:/home/george:/bin/tcsh
A. The account’s human ID (HID) number
B. The account’s process ID (PID) number
C. The account’s group ID (GID) number
D. The account’s globally unique ID (GUID) number
E. The account’s user ID (UID) number

9. What does the grep command accomplish?
A. It creates a pipeline between two programs.
B. It searches files’ contents for a pattern.
C. It concatenates two or more files.
D. It displays the last several lines of a file.
E. It locates files on the hard disk.

10. Which of the following are journaling filesystems for Linux? (Select three.)
A. HPFS
B. ReiserFS
C. Ext2fs
D. Ext3fs
E. XFS

11. You’ve configured your computer to use SMTP and IMAP via a tunneled SSH connection to your ISP’s email server for improved security. Why might you still want to use GPG encryption for your emails on top of the encryption provided by SSH?
A. The SSH tunnel reaches only as far as the first email server; GPG encrypts data on all the computers all the way to or from your email correspondents.
B. SSH encryption is notoriously poor for email, although it’s perfectly adequate for login sessions; thus, adding GPG encryption improves security.
C. SSH doesn’t encrypt the headers of the email messages; GPG encrypts the headers to keep snoopers from learning your correspondents’ identities.
D. Using GPG guarantees that your email messages won’t contain unwanted viruses or worms that might infect your correspondents’ computers.
E. Configured in this way, SSH will encrypt the email headers and bodies, but not any attachments to your email.

12. Which of the following ports are commonly used to retrieve email from an email server computer? (Select two.)
A. 110
B. 119
C. 139
D. 143
E. 443

13. You’re experiencing sporadic problems with a Secure Shell (SSH) login server—sometimes users can log in, and sometimes they can’t. What might you try immediately after a failure to help diagnose this problem?
A. On the server computer, type http://localhost:631 into a Web browser to access the SSH configuration page and check its error subpage for error messages.
B. Type diagnose sshd to run a diagnostic on the SSH server daemon (sshd).
C. Type tail /var/log/messages to look for error messages from the server.
D. Examine the /dev/ssh device file to look for error messages from the server.
E. On the server computer, type sshd to view SSH’s diagnostic messages.

14. What is the function of the ~/.profile file?
A. It’s the user configuration file for the ProFTP server.
B. It’s one of a user’s bash startup scripts.
C. It’s the user configuration file for the ProFile file manager.
D. Its presence tells tcsh to ignore file modes.
E. It holds the user’s encrypted password.

15. You want your computer to remind you to get your car inspected in two years. What is the best way to do this, of the specified options?
A. Create a program that repeatedly checks the time and, when two years have passed, displays a message to get your car inspected.
B. Type cal day month year, where day, month, and year specify the date of the future inspection, to have Linux run a program that you then specify on that date.
C. Create a cron job that runs hourly. This job should check the date and, when the correct date comes up, use mail to notify you of the need for a car inspection.
D. Use the NTP GUI calendar program to create an alarm for the specified date. The program will then display the message you enter at the specified date and time.
E. Type at date, where date is a date specification. You can then specify a command, such as mail with appropriate options, to notify you of the need to get your car inspected.

16. How would you configure a computer to use the computer whose IP address is 172.24.21.1 as a gateway for all network traffic that’s not otherwise configured?
A. gateway default 172.24.21.1
B. gateway 172.24.21.1
C. route gateway 172.24.21.1
D. route add default gw 172.24.21.1
E. gw 172.24.21.1

17. What software can you use to drive a Braille display device? (Select two.)
A. Emacspeak
B. BRLTTY
C. A 2.6.26 or later kernel
D. GOK
E. A framebuffer driver

18. Which is true of source RPM packages?
A. They consist of three files: an original source tarball, a patch file of changes, and a PGP signature indicating the authenticity of the package.
B. They require programming knowledge to rebuild.
C. They can sometimes be used to work around dependency problems with a binary package.
D. They are necessary to compile software for RPM-based distributions.
E. They always contain software that’s licensed under terms of the GPL.

19. Which utility should you use by itself to rename the file pumpkin.txt to lantern.txt?
A. dd
B. rm
C. cp
D. mv
E. ln

20. You want to run a lengthy scientific simulation program, called simbigbang, which doesn’t require any user interaction; the program operates solely on disk files. If you don’t want to tie up the shell from which you run the program, what should you type to run simbigbang in the background?
A. start simbigbang
B. simbigbang &
C. bg simbigbang
D. background simbigbang
E. nice simbigbang

21. Which of the following commands will install an RPM package file called theprogram-1.2.3-4.i386.rpm on a computer? (Select two.)
A. rpm -Uvh theprogram-1.2.3-4.i386.rpm
B. rpm -i theprogram-1.2.3-4.i386.rpm
C. rpm -U theprogram
D. rpm -e theprogram-1.2.3-4.i386.rpm
E. rpm -Vp theprogram-1.2.3-4.i386.rpm

22. What tool can diagnose and fix many common Linux filesystem problems?
A. mkfs
B. fsck
C. chkdsk
D. scandisk
E. fdisk

23. You’ve just installed MySQL, and you intend to use it to store information about the animals in a zoo, from the anteaters to the zebras. What command are you likely to use first, once you start MySQL?
A. CREATE DATABASE animals;
B. USE animals;
C. CREATE TABLE animals;
D. INSERT INTO animals;
E. UPDATE animals;

24. Which of the following commands displays help on topic, when typed in a Linux shell? (Select two.)
A. manual topic
B. man topic
C. ? topic
D. info topic
E. hint topic

25. A computer’s hardware clock keeps track of the time while the computer is powered off. In what formats may this time be stored on an x86 Linux system? (Select two.)
A. Coordinated Universal Time (UTC)
B. Internet Time
C. Local time
D. 12-hour time
E. Mars time

26. You want to know what kernel modules are currently loaded. What command would you type to learn this information?
A. insmod
B. depmod
C. modprobe
D. lsmod
E. modinfo

27. You want to enable all members of the music group to read the instruments.txt file, which currently has 0640 (-rw-r-----) permissions, ownership by root, and group ownership by root. How might you accomplish this goal? (Select two.)
A. Type chown music instruments.txt in the file’s directory.
B. Type chgrp music instruments.txt in the file’s directory.
C. Type chgroup music instruments.txt in the file’s directory.
D. Type chmod 0600 instruments.txt in the file’s directory.
E. Type chown :music instruments.txt in the file’s directory.

28. You want to create a link to the /usr/local/bin directory in another location. Which of the following statements is true?
A. You can do this only if /usr/local/bin is on a journaling filesystem.
B. You must own /usr/local/bin to create the link.
C. You can create the link only if the link’s location is on the same filesystem as the original directory.
D. Only the system administrator can do this.
E. The link will probably have to be a symbolic link.

29. Which of the following, when typed in Vi’s command mode, saves a file and quits the program? (Select two.)
A. :rq
B. :wq
C. :re
D. :we
E. ZZ

30. A user’s home directory includes a file called ~/.forward that consists of one line: |~/junkme. What is the effect of this configuration?
A. The user’s incoming mail is forwarded to the junkme user on the same system.
B. The user’s incoming mail is stored in the ~/junkme file.
C. The user’s incoming mail is sent through the ~/junkme program file.
D. The user’s incoming mail is flagged as spam and deleted.
E. The user’s incoming mail is forwarded to the same user on the junkme computer.

Answers to the Assessment Test

1. B. “PS/2” can refer to both a hardware interface and a software protocol, but used in the context of the Protocol option, it unambiguously refers to the software protocol. Thus, option B is correct. Option A might be correct, but the specified line is insufficient evidence of that; USB mice generally use the PS/2 protocol or a variant of it, such as the Intellimouse PS/2 protocol. Although the PS/2 hardware port and protocol originated with the IBM PS/2 computer mentioned in option C, many other computers now use them. Mice that use the PS/2 protocol may be used with just about any OS, not just IBM’s OS/2, so option D is incorrect. A slash (/) is valid as part of the PS/2 protocol name, so option E is incorrect. For more information, please see Chapter 6, “Configuring the X Window System, Localization, and Printing.”

2. A, C. Examining a process listing (obtained from ps) for signs of the super server is the most reliable way to determine which one is actually running, so option A is correct. The presence of the super server’s configuration file or files (as in option C) is also a good diagnostic, although some older systems that have been upgraded may have both sets of configuration files. There is no standard superserver utility to report on which one is used, so option B is incorrect. Most distributions launch the super server through a SysV startup script; the /etc/inittab file isn’t directly involved in this process, so examining it would be pointless, and option D is incorrect. Although the output of netstat -ap, when typed as root, will include an indication of any instance of inetd or xinetd that’s listening for connections, option E omits the critical -p option, which causes the program to display process names. Thus, option E is incorrect. For more information, please see Chapter 10, “Securing Your System.”

3. D. The lpc utility is used to start, stop, change the priority of, and otherwise control jobs in a print queue. CUPS ships with an lpc utility, but it’s quite rudimentary compared to the lpc utilities of BSD LPD and LPRng. Instead, CUPS relies on its Web-based interface to provide the ability to control print jobs. Thus, option D is correct, and the remaining options must logically all be incorrect. For more information, please see Chapter 6, “Configuring the X Window System, Localization, and Printing.”

4. C. The /etc/security/limits.conf file defines various limits on user resources, including the number of simultaneous logins individual users are permitted. Thus, option C is correct. The /etc/pam.d/login-limits file (option A) is fictitious, although login limits do rely on the pam_limits module to the Pluggable Authentication System (PAM). The /etc/bashrc file (option B) is a global bash startup script file, but it’s not normally used to impose login limits. The /etc/inittab file (option D) is a key Linux startup file, but it doesn’t have any direct bearing on imposing login limits. The /etc/passwd file (option E) defines many key account features, but login limits are not among these. For more information, please see Chapter 10, “Securing Your System.”

5. C, D. The computer’s IP address (option C) and network mask (aka subnet mask or netmask; option D) are the most critical components in TCP/IP network configuration. (Additional information you may need to provide on many networks includes the IP addresses of one to three DNS servers, the hostname or IP address of a router, and the computer’s hostname.) You shouldn’t need the IP address of a Dynamic Host Configuration Protocol (DHCP) server (option A)—and if a DHCP server is present, chances are you should be using DHCP rather than static IP address assignment. A NetBIOS Name Service (NBNS) server (option B) converts between names and IP addresses on NetBIOS networks. The hostname of such a computer isn’t likely to be a critical configuration element, although you may need to provide this information to Samba for some operations to function correctly when sharing files. A Network Time Protocol (NTP) server (option E) helps you maintain system time on all your computers, but this isn’t required for basic network configuration. For more information, please see Chapter 8, “Configuring Basic Networking.”

6. E. The wc command displays a count of newlines, words, and bytes in the specified file (report.txt). Piping this data through tee causes a copy of the output to be stored in the new file (wc in this example—you shouldn’t run this command in the same directory as the wc executable file!). Thus, option E is correct. Contrary to option A, wc is not an editor, and the remaining syntax wouldn’t cause two files to open in separate windows even if wc were an editor. Contrary to option B, wc doesn’t count windows or open a new window. Option C describes the effect of wc report | wc—that is, it overlooks the tee command. Contrary to option D, wc has nothing to do with cleaning up memory leaks, and tee doesn’t directly use the report.txt file. For more information, please see Chapter 1, “Exploring Linux Command-Line Tools.”

7. C. The grub.cfg filename indicates a GRUB 2 configuration file. In such files, each OS or kernel stanza begins with a menuentry line and an open curly brace ({) and ends with a close curly brace (}). Thus, option C is correct. Some configuration files and programming languages use semicolons (;) at the end of most lines, but this isn’t true of GRUB 2, so option A is incorrect. Although close parentheses ()) are used to terminate some types of options in some configuration files, including disk identifiers in GRUB 2’s configuration file, they aren’t used to terminate whole OS or kernel definitions in this file, so option B is incorrect. The string */ terminates comments in C program files, but isn’t commonly used in GRUB 2 configuration files, so option D is incorrect. Option E would be correct if the question had asked about a GRUB Legacy configuration file (menu.lst or grub.conf), but the question specifies a GRUB 2 configuration file (grub.cfg); the two boot loaders terminate their OS/kernel stanzas differently, so option E is incorrect. For more information, please see Chapter 5, “Booting Linux and Editing Files.”

8. E. The third field of /etc/passwd entries holds the UID number for the account, so option E is correct. Linux doesn’t use any standard identifier called a human ID (HID; option A), although the acronym HID stands for human interface device, a class of USB devices. Accounts don’t have PID numbers (option B); those belong to running processes. The account’s GID number (option C) is stored in the fourth field of /etc/passwd—100 in this example. Linux accounts don’t use globally unique ID (GUID) numbers, so option D is incorrect. For more information, please see Chapter 7, “Administering the System.”

9. B. The grep command scans files to find those that contain a specified string or pattern, as described by option B. In the case of text files, grep displays the matching line or lines; for binary files, it reports that the file matches the pattern. The method of creating a pipeline (option A) involves separating two commands with a vertical bar (|). The grep command can be used in a pipeline, but it doesn’t create one. The command that concatenates files (option C) is cat, and the command that displays the last several lines of a file (option D) is tail. Several commands, such as find, locate, and whereis, locate files (option E), but grep is not among these commands. For more information, please see Chapter 1, “Exploring Linux Command-Line Tools.”

10. B, D, E. ReiserFS (option B) was written from scratch for Linux. The Third Extended Filesystem (ext3fs; option D) is a journaling filesystem based on the older non-journaling Second Extended Filesystem (ext2fs; option C). The Extents Filesystem (XFS; option E) is a journaling filesystem written by SGI for Irix and later ported to Linux. The High-Performance Filesystem (HPFS; option A) is a non-journaling filesystem designed by Microsoft for OS/2. For more information, please see Chapter 3, “Configuring Hardware.”

11. A. Option A correctly describes the features of SSH and GPG in this context. Option B is incorrect because SSH should do a fine job of encrypting your email so that it can’t be decoded between your system and your ISP’s email server. Option C has it backward; email transferred via SSH will be completely encrypted, including both headers and body. GPG doesn’t encrypt headers, just message bodies. Option D is incorrect because GPG isn’t a virus scanner, just an encryption tool. Option E is incorrect because the SSH tunnel will encrypt everything in the SMTP transfer, including email attachments. For more information, please see Chapter 10, “Securing Your System.”

12. A, D. Port 110 (option A) is assigned to the Post Office Protocol (POP), and port 143 (option D) is assigned to the Internet Message Access Protocol (IMAP), both of which may be used to retrieve email messages from an email server system. Port 119 (option B) is assigned to the Network News Transfer Protocol (NNTP), port 139 (option C) is assigned to the Server Message Block/Common Internet File System (SMB/CIFS) protocol, and port 443 (option E) is assigned to the Hypertext Transfer Protocol with SSL encryption (HTTPS), none of which is commonly used for email retrieval. For more information, please see Chapter 8, “Configuring Basic Networking.”

13. C. Log files, such as /var/log/messages and sometimes others in /var/log, often contain useful information concerning server errors. The tail program displays the last few lines of a file, so using it to examine log files immediately after a problem occurs can be a useful diagnostic procedure. Option C correctly combines these features. The http://localhost:631 URL of option A accesses the Common Unix Printing System (CUPS) configuration utility, which has nothing to do with SSH. There is no standard diagnose utility (option B) to help diagnose server problems, and there is no standard /dev/ssh file (option D). The sshd program is the SSH server itself, so option B will simply launch the server. For more information, please see Chapter 5, “Booting Linux and Editing Files.”

14. B. The ~/.profile file is one of several bash startup scripts, as stated in option B. It has nothing to do with the ProFTP server (option A) or the tcsh shell (option D). The ProFile file manager mentioned in option C is fictitious. Users’ encrypted passwords (option E) are usually stored in /etc/shadow. For more information, please see Chapter 9, “Writing Scripts, Configuring Email, and Using Databases.”

15. E. The at utility was created to run programs at one specified point in the future. Thus, option E will accomplish the stated goal. Options A and C might also work; but neither is the best way to accomplish this goal. Option A will tie up CPU time, and if the program crashes or the system is shut down during the intervening two years, the message will never display. Option C would be more reliable, but it adds unnecessary complexity to your hourly cron job schedule. The cal program displays a text-mode calendar, enabling you to identify the days of a week for a given month; it doesn’t schedule future jobs, as option B suggests. A GUI calendar program, as specified in option D, might work; but NTP is the Network Time Protocol, a protocol and like-named program for synchronizing clocks across a network. Thus, NTP isn’t the tool for the job, and option D is incorrect. For more information, please see Chapter 7, “Administering the System.”

16. D. Option D provides the correct command to add 172.24.21.1 as the default gateway. Options A and B both use the fictitious gateway command, which doesn’t exist and therefore won’t work unless you create a script of this name. Option C uses the correct route command, but there is no gateway option to route; you must use add default gw, as in option D. There is no standard gw command, so option E is incorrect. For more information, please see Chapter 8, “Configuring Basic Networking.”

17. B, C. The BRLTTY package is an add-on daemon for handling a Braille display device, and some features for using these devices have been added to the 2.6.26 kernel, so options B and C are correct. Emacspeak (option A) is speech-synthesis software; it can be used to “speak” a text display to a user, but it doesn’t interface with Braille displays. GOK (option D) is an on-screen keyboard, not a Braille display tool. Framebuffer drivers (option E) are kernel drivers for managing conventional video cards; they aren’t used to drive Braille displays. For more information, please see Chapter 6, “Configuring the X Window System, Localization, and Printing.”

18. C. Some dependencies result from dynamically linking binaries to libraries at compile time and so can be overcome by recompiling the software from a source RPM, so option C is correct. Option A describes Debian source packages, not RPM packages. Recompiling a source RPM requires only issuing an appropriate command, although you must also have appropriate compilers and libraries installed. Thus, option B is overly pessimistic. Source tarballs can also be used to compile software for RPM systems, although this results in none of RPM’s advantages. Thus, option D is overly restrictive. The RPM format doesn’t impose any licensing requirements, contrary to option E. For more information, please see Chapter 2, “Managing Software.”

19. D. The mv utility can be used to rename files as well as move them from one location to another, so option D is correct. The dd utility (option A) is used to copy files to backups, rm (option B) is used to remove (delete) files, cp (option C) copies files, and ln (option E) creates links. For more information, please see Chapter 4, “Managing Files.”

20. B. Appending an ampersand (&) to a command causes that command to execute in the background. The program so launched still consumes CPU time, but it won’t monopolize the shell you used to launch it. Thus, option B is correct. The start (option A) and background (option D) commands are fictitious. Although bg (option C) does place a job into the background, it doesn’t launch a program that way; it places a process that’s been suspended (by pressing Ctrl+Z) into the background. The nice utility (option E) launches a program with modified priority, but a program so launched still monopolizes its shell unless you take additional steps. For more information, please see Chapter 2, “Managing Software.”

21. A, B. The -Uvh parameter (option A) issues an upgrade command (which installs the program whether or not an earlier version is installed) and creates a series of hash marks to display the command’s progress. The -i parameter (option B) installs the program if it’s not already installed but causes no progress display. Option C uses a package name, not a complete filename, and so it will fail to install the package file. The -e option (option D) removes a package. Option E’s -Vp option verifies the package file but doesn’t install it. For more information, please see Chapter 2, “Managing Software.”

22. B. Option B, fsck, is Linux’s filesystem check utility. It’s similar in purpose to the DOS and Windows CHKDSK and ScanDisk utilities (similar to options C and D), but these DOS and Windows utilities don’t work on Linux filesystems like ext2fs or ReiserFS. Option A, mkfs, creates new filesystems; it doesn’t diagnose or fix filesystem problems. Option E, fdisk, is a tool for creating or modifying disk partitions; it doesn’t manage the filesystems they contain. For more information, please see Chapter 3, “Configuring Hardware.”

23. A. A freshly installed MySQL database is unlikely to have a ready-made database of animals, so your first task is to create that database with the CREATE DATABASE command, as shown in option A. (You could call the database something other than animals, of course.) The USE command in option B will be useful only once the database has been created. Once the database is created, you can use CREATE TABLE, as in option C, to create a table; however, you’ll need an existing database first, and this command also requires information about the type of data to be stored, which option C doesn’t provide. Option D’s INSERT INTO command stores data into a table once it’s been created, so it’s far from the first command you’ll use. It also requires additional specification of the data to be stored, so it’s incomplete. Option E’s UPDATE command modifies existing entries, so you’ll use this command only after you’ve created the database and added at least one animal to it. (Option E is also an incomplete command even then.) For more information, please see Chapter 9, “Writing Scripts, Configuring Email, and Using Databases.”

24. B, D. The correct answers, man and info (options B and D), are two common Linux help packages. Although ? (option C) is a common help command within certain interactive programs, it isn’t a help command in bash or other common Linux shells. There is no common command called manual (option A) nor is hint (option E) a valid bash command or common program name. For more information, please see Chapter 1, “Exploring Linux Command-Line Tools.”

25. A, C. Unix systems traditionally store time in UTC (aka Greenwich Mean Time), and Linux may do so as well. Thus, option A is correct. Most other x86 PC OSs traditionally store time as the local time, however, so Linux also supports this option, and option C is also correct. Internet Time (option B) is an alternative to the 24-hour clock in which the day is broken into 1,000 “beats.” Standard PC BIOSs don’t support this time format. Likewise, a 12-hour clock isn’t terribly useful to computers because it doesn’t differentiate a.m. from p.m., making option D incorrect. Although the length of the Martian day is similar to that of Earth (24 hours and 37 minutes), those wanting to colonize Mars will have to wait for PC clocks to support setting time for the Red Planet; option E is incorrect. For more information, please see Chapter 7, “Administering the System.”

26. D. Typing lsmod (option D) produces a list of the modules that are currently loaded. The insmod (option A) and modprobe (option C) programs both load modules—either a single module or a single module and all those on which it depends, respectively. The depmod command (option B) generates the modules.dep file that contains module dependency information. The modinfo command (option E) displays information, such as its version number and author, on a single module. For more information, please see Chapter 3, “Configuring Hardware.”

27. B, E. The chgrp and chown commands can both change the group ownership of a file. The chgrp command takes a group name and a filename as parameters, as in option B. The chown command normally changes a file’s owner; but if you provide a group name preceded by a dot (.) or a colon (:), as in option E, it changes the group of a file. The chown command shown in option A will change the primary ownership of the file to the music user, if such a user exists on the system; it won’t change the group ownership. There is no standard chgroup command, as in option C. Option D will change the permissions to 0600 (-rw-------), which will be a step backward with respect to the goal state. For more information, please see Chapter 4, “Managing Files.”

28. E. Hard links to directories are not permitted by most filesystems, so you’ll probably have to create a symbolic link, as noted in option E. Links don’t rely on a filesystem journal, so option A is incorrect. Contrary to option B, anybody may create a link, not just the original’s owner. Option C describes a restriction of hard links; but because this link will probably have to be a symbolic link, this restriction is unimportant and option C is incorrect. Option D describes a more severe restriction than option B, but it’s incorrect for the same reasons. For more information, please see Chapter 4, “Managing Files.”

29. B, E. The colon (:) starts ex mode, from which you can enter commands. In ex mode, r includes a file in an existing one, w writes a file, e loads an entirely new file, and q quits the program. Thus, the desired combination is :wq (option B). As a special case, ZZ does the same thing, so option E is also correct. For more information, please see Chapter 5, “Booting Linux and Editing Files.”

30. C. The ~/.forward file is a user email forwarding file. The vertical bar character (|) at the start of such a file is a code to send the email through the specified program file, so option C is correct. To do as option A describes, the file would need to read junkme or junkme@hostname, where hostname is the computer’s hostname. To do as option B describes, the leading vertical bar would have to be omitted. It’s conceivable that the ~/junkme script does as option D describes, but there’s no way of knowing this for certain. To do as option E describes, the file would have to read user@junkme, where user is the username. For more information, please see Chapter 9, “Writing Scripts, Configuring Email, and Using Databases.”
Chapter1
ExploringLinuxCommand-LineTools
THEFOLLOWINGEXAMOBJECTIVESARECOVEREDINTHISCHAPTER:
1.103.1Workonthecommandline1.103.2Processtextstreamsusingfilters1.103.4Usestreams,pipes,andredirects1.103.7Searchtextfilesusingregularexpressions
Linux borrows heavily from Unix, and Unix began as a text-based operating system (OS). Unix and Linux retain much of this heritage, which means that to understand how to use and, especially, administer Linux, you must understand at least the basics of its command-line tools. Thus, this book begins with an introduction to Linux shells (the programs that accept and interpret text-mode commands) and many of the basic commands and procedures you can use from a shell.
This chapter begins with basic shell information, including shell options and procedures for using them. From there, this chapter covers streams, pipes, and redirection, which you can use to shunt input and output between programs or between files and programs. These techniques are frequently combined with text processing using filters—commands you can use to manipulate text without the help of a conventional text editor. Sometimes you must manipulate text in an abstract way, using codes to represent several different types of text. This chapter therefore covers this topic.
Understanding Command-Line Basics
Before you do anything else with Linux, you should understand how to use a Linux shell. Several shells are available, but most provide similar capabilities. Understanding a few basics will take you a long way in your use of Linux, so I describe some of these techniques and commands. You should also understand shell environment variables, which are placeholders for data that may be useful to many programs. Finally, on the topic of command-line basics, you should know how to get help with commands you’re trying to use.
Exploring Your Linux Shell Options
As with many key software components, Linux provides a range of options for shells. A complete list would be quite long, but the more common choices include the following:
bash The GNU Bourne Again Shell (bash) is based on the earlier Bourne shell for Unix but extends it in several ways. In Linux, bash is the most common default shell for user accounts, and it’s the one emphasized in this book and on the exam.
bsh The Bourne shell upon which bash is based also goes by the name bsh. It’s not often used in Linux, although the bsh command is sometimes a symbolic link to bash.
tcsh This shell is based on the earlier C shell (csh). It’s a fairly popular shell in some circles, but no major Linux distributions make it the default shell. Although it’s similar to bash in many respects, some operational details differ. For instance, you don’t assign environment variables in the same way in tcsh as in bash.
csh The original C shell isn’t much used on Linux, but if a user is familiar with csh, tcsh makes a good substitute.
ksh The Korn Shell (ksh) was designed to take the best features of the Bourne shell and the C shell and extend them. It has a small but dedicated following among Linux users.
zsh The Z shell (zsh) takes shell evolution further than the Korn Shell, incorporating features from earlier shells and adding still more.
In addition to these shells, dozens more obscure ones are available. In Linux, most users run bash because it’s the default. Some other OSs use csh or tcsh as the default, so if your users have backgrounds on non-Linux Unix-like OSs, they may be more familiar with these other shells. You can change a user’s default shell by editing the account, as described in Chapter 7, “Administering the System.”
The file /bin/sh is a symbolic link to the system’s default shell—normally /bin/bash for Linux. This practice enables you to point to a shell (say, at the start of a simple shell script, as described in Chapter 9, “Writing Scripts, Configuring E-mail, and Using Databases”) and be assured that a shell will be called, even if the system’s available shells change. This feature is particularly important when developing shell scripts that might be run on other computers, as described in Chapter 9.
Using a Shell
Linux shell use is fairly straightforward for anybody who’s used a text-mode OS before: You type a command, possibly including options to it, and the computer executes the command. For the most part, Linux commands are external—that is, they’re separate programs from the shell. A few commands are internal to the shell, though, and knowing the distinction can be important. You should also know some of the tricks that can make using the command shell easier—how to have the computer complete a long command or filename, retrieve a command you’ve recently run, or edit a command you’ve recently used (or haven’t yet fully entered).
One class of commands—those for handling basic file management—is very important but isn’t described here in great detail. For more information on these commands, consult Chapter 4, “Managing Files.”
Starting a Shell
If you log into Linux using a text-mode login screen, chances are you’ll be dropped directly into your default shell—the shell is what presents the prompt and accepts subsequent commands.
If you log into Linux using a graphical user interface (GUI) login screen, though, you’ll have to start a shell manually. Some GUIs provide a menu option to start a program called a terminal, xterm, Konsole, or something similar. These programs enable you to run text-mode programs within Linux, and by default they come up running your shell. If you can’t find such a menu option, look for one that enables you to run an arbitrary command. Select it, and type xterm or konsole as the command name; this will launch an xterm-type program that will run a shell.
Using Internal and External Commands
Internal commands are, as you might expect, built into the shell. Most shells offer a similar set of internal commands, but shell-to-shell differences do exist; consult your shell’s man page (as described later, in “Getting Help”) for details, particularly if you’re using an exotic shell. Internal commands you’re likely to use enable you to perform some common tasks:
Change the Working Directory Whenever you’re running a shell, you’re working in a specific directory. When you refer to a file without providing a complete path to the file, the shell works on the file in the current working directory. (Similar rules apply to many programs.) The cd command changes the current working directory. For instance, typing cd /home/sally changes to the /home/sally directory. The tilde (~) character is a useful shortcut; it stands for your home directory, so typing cd ~ will have the same effect as cd /home/sally if your home directory is /home/sally.
Display the Working Directory The pwd command displays (“prints” to the screen) the current working directory.
Display a Line of Text The echo command displays the text you enter; for instance, typing echo Hello causes the system to display the string Hello. This may seem pointless, but it’s useful in scripts (described in Chapter 9), and it can also be a good way to review the contents of environment variables (described later in this chapter, in “Using Environment Variables”).
Execute a Program The exec command runs an external program that you specify, as in exec myprog to run myprog. In most cases, this is better accomplished by typing the name of the program you want to run. The exec command has one special feature, though: Rather than create a new process that runs alongside the shell, the new process replaces the shell. When the new process terminates, it’s as if you terminated the shell.
Time an Operation The time command times how long subsequent commands take to execute. For instance, typing time pwd tells you how long the system took to execute the pwd command. The time is displayed after the full command terminates. Three times are displayed: total execution time (aka real time), user CPU time, and system CPU time. The final two values tell you about CPU time consumed, which is likely to be much less than the total execution time.
Set Options In its most basic form, set displays a wide variety of options relating to bash operation. These options are formatted much like environment variables, but they aren’t the same things. You can pass various options to set to have it affect a wide range of shell operations.
Terminate the Shell The exit and logout commands both terminate the shell. The exit command terminates any shell, but the logout command terminates only login shells—that is, those that are launched automatically when you initiate a text-mode login as opposed to those that run in xterm windows or the like.
This list isn’t complete. Later sections of this chapter and later chapters describe some additional internal commands. Consult your shell’s documentation for a complete list of its internal commands.
Some of these internal commands are duplicated by external commands that do the same thing, but those external commands aren’t always installed on all systems. Even when those external commands are installed, the internal command takes precedence unless you provide the complete path to the external command on the command line, as in typing /bin/pwd rather than pwd.
Confusion over Internal and External Commands
When duplicate internal and external commands exist, they sometimes produce subtly different results or accept different options. These differences can occasionally cause problems. For instance, consider the pwd command and symbolic links to directories. (Symbolic links are described in more detail in Chapter 4. For now, know that they’re files that point to other files or directories and for most intents and purposes can be accessed just like the files or directories to which they point.) Suppose you create a symbolic link to /bin within your home directory and then cd into that directory. You then want to know where you are. The pwd command that’s internal to bash will produce a different result from the external pwd command:
$ pwd
/home/sally/binlink
$ /bin/pwd
/usr/bin
As you can see, bash’s internal pwd shows the path via the symbolic link, whereas the external command shows the path to which the link points. Sometimes these differences can cause confusion, such as if you read the man page or other documentation that describes one version but you use the other and a difference is important. You may wonder why the command isn’t operating as you expect. If in doubt, look up the documentation for, and type the complete path to, the external command to be sure you use it.
When you type a command that’s not recognized by the shell as one of its internal commands, the shell checks its path to find a program by that name to execute it. The path is a list of directories in which commands can be found. It’s defined by the PATH environment variable, as described shortly in “Using Environment Variables.” A typical user account has about half a dozen or a dozen directories in its path. You can adjust the path by changing the PATH environment variable in a shell configuration file, as described in “Exploring Shell Configuration.”
You can run programs that aren’t on the path by providing a complete path on the command line. For instance, typing ./myprog runs the myprog program in the current directory, and typing /home/arthur/thisprog runs the thisprog program in the /home/arthur directory.
The root account should normally have a shorter path than ordinary user accounts. Typically, you’ll omit directories that store GUI and other user-oriented programs from root’s path in order to discourage use of the root account for routine operations, thus minimizing the risk of security breaches related to buggy or compromised binaries being run by root. Most important, root’s path should never include the current directory (./). Placing this directory in root’s path makes it possible for a local miscreant to trick root into running replacements for common programs, such as ls, by having root change into a directory with such a program. Indeed, omitting the current directory from ordinary user paths is also generally a good idea. If this directory must be part of the ordinary user path, it should appear at the end of the path so that the standard programs take precedence over any replacement programs in the current directory.
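One way to check a path for the problems this note describes, as an added example that is not from the book. The function name audit_path and the sample value are assumptions made here; besides the current directory, the check also flags empty entries (which the shell searches as the current directory), relative entries, and world-writable directories, all of which let someone else's program be found ahead of the standard one.

```shell
#!/bin/sh
# Added example (not from the book): audit a PATH string for risky entries.
# audit_path PATHSTRING prints "entry N: <finding>: <value>" for each problem
# and returns 1 if anything was flagged, 0 if the path is clean.
audit_path() {
    rest="$1:"      # sentinel colon so the final entry, even an empty one, is seen
    pos=0
    rc=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}       # text up to the first colon
        rest=${rest#*:}         # everything after that colon
        pos=$((pos + 1))
        finding=
        case "$entry" in
            "")   finding="empty entry, which the shell searches as the current directory" ;;
            .|./) finding="current directory" ;;
            /*)   # Absolute entry: flag a directory that any local user can write to.
                  # -H follows a symbolic link such as /bin -> usr/bin before testing.
                  if [ -n "$(find -H "$entry" -prune -type d -perm -0002 2>/dev/null)" ]; then
                      finding="world-writable directory"
                  fi ;;
            *)    finding="relative directory, resolved against the working directory" ;;
        esac
        if [ -n "$finding" ]; then
            echo "entry $pos: $finding: $entry"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample value, not taken from a real account.
SAMPLE_PATH="/usr/sbin:/usr/bin:.:/sbin::bin"
audit_path "$SAMPLE_PATH" || echo "=> fix the entries listed above"

# Audit the path of the account running this script.
if audit_path "$PATH"; then
    echo "=> current PATH is clean"
fi
```

Run it as root (or pass root's configured path as the argument) to check the account the note is most concerned with.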
In the case of both programs on the path and those whose complete paths you type as part of the command, the program file must be marked as executable. This is done via the execute bit that’s stored with the file. Standard programs are marked as executable when they’re installed, but if you need to adjust a program’s executable status, you can do so with the chmod command, as described in Chapter 4.
Performing Some Shell Command Tricks
Many users find typing commands to be tedious and error-prone. This is particularly true of slow or sloppy typists. For this reason, Linux shells include various tools that can help speed up operations. The first of these is command completion: Type part of a command or (as an option to a command) a filename, and then press the Tab key. The shell tries to fill in the rest of the command or the filename. If just one command or filename matches the characters you’ve typed so far, the shell fills it in and adds a space after it. If the characters you’ve typed don’t uniquely identify a command or filename, the shell fills in what it can and then stops. Depending on the shell and its configuration, it may beep. If you press the Tab key again, the system responds by displaying the possible completions. You can then type another character or two and, if you haven’t completed the command or filename, press the Tab key again to have the process repeat.
The most fundamental Linux commands have fairly short names—mv, ls, set, and so on. Some other commands are much longer, though, such as traceroute or sane-find-scanner. Filenames can also be quite lengthy—up to 255 characters on many filesystems. Thus, command completion can save a lot of time when you’re typing. It can also help you avoid typos.
The most popular Linux shells, including bash and tcsh, support command and filename completion. Some older shells, though, don’t support this helpful feature.
Another useful shell shortcut is the history. The history keeps a record of every command you type. If you’ve typed a long command recently and want to use it again or use a minor variant of it, you can pull the command out of the history. The simplest way to do this is to press the Up arrow key on your keyboard; this brings up the previous command. Pressing the Up arrow key repeatedly moves through multiple commands so you can find the one you want. If you overshoot, press the Down arrow key to move down the history. The Ctrl+P and Ctrl+N keystrokes double for the Up and Down arrow keys, respectively.
Another way to use the command history is to search through it. Press Ctrl+R to begin a backward (reverse) search, which is what you probably want, and begin typing characters that should be unique to the command you want to find. The characters you type need not be the ones that begin the command; they can exist anywhere in the command. You can either keep typing until you find the correct command or, after you’ve typed a few characters, press Ctrl+R repeatedly until you find the one you want. The Ctrl+S keystroke works similarly but searches forward in the command history, which might be handy if you’ve used a backward search or the Up arrow key to look back and have overshot. In either event, if you can’t find the command you want or if you change your mind and want to terminate the search, press Ctrl+G to do so.
Frequently, after finding a command in the history, you want to edit it. The bash shell, like many shells, provides editing features modeled after those of the Emacs editor:
Move Within the Line Press Ctrl+A or Ctrl+E to move the cursor to the start or end of the line, respectively. The Left and Right arrow keys move within the line a character at a time. Ctrl+B and Ctrl+F do the same, moving backward and forward within a line. Pressing Ctrl plus the Left or Right arrow key moves backward or forward a word at a time, as does pressing Esc and then B or F.
Delete Text Pressing Ctrl+D or the Delete key deletes the character under the cursor, whereas pressing the Backspace key deletes the character to the left of the cursor. Pressing Ctrl+K deletes all text from the cursor to the end of the line. Pressing Ctrl+X and then Backspace deletes all the text from the cursor to the beginning of the line.
Transpose Text Pressing Ctrl+T transposes the character before the cursor with the character under the cursor. Pressing Esc and then T transposes the two words immediately before (or under) the cursor.
Change Case Pressing Esc and then U converts text from the cursor to the end of the word to uppercase. Pressing Esc and then L converts text from the cursor to the end of the word to lowercase. Pressing Esc and then C converts the letter under the cursor (or the first letter of the next word) to uppercase, leaving the rest of the word unaffected.
Invoke an Editor You can launch a full-fledged editor to edit a command by pressing Ctrl+X followed by Ctrl+E. The bash shell attempts to launch the editor defined by the $FCEDIT or $EDITOR environment variable or Emacs as a last resort.
These editing commands are just the most useful ones supported by bash; consult its man page to learn about many more obscure editing features. In practice, you’re likely to make heavy use of command and filename completion, the command history, and perhaps a few editing features.
If you prefer the Vi editor to Emacs, you can use a Vi-like mode in bash by typing set -o vi. (Vi is described in Chapter 5, “Booting Linux and Editing Files.”)
The history command provides an interface to view and manage the history. Typing history alone displays all the commands in the history (typically the latest 500 commands); adding a number causes only that number of the latest commands to appear. You can execute a command by number by typing an exclamation mark followed by its number, as in !210 to execute command 210. Typing history -c clears the history, which can be handy if you’ve recently typed commands you’d rather not have discovered by others, such as commands that include passwords.
The bash history is stored in the .bash_history file in your home directory. This is an ordinary plain-text file, so you can view it with a text editor or a command such as less (described later, in “Paging Through Files with less”).
Because your bash history is stored in a file, it can be examined by anybody who can read that file. Some commands enable you to type passwords or other sensitive data on the same line as the commands themselves, which can therefore be risky. The ~/.bash_history file does not record what you type in response to other programs’ prompts, just what you type at the bash prompt itself. Thus, if you have a choice, you should let commands that require passwords or other sensitive data prompt you themselves to enter this data, rather than enter such information as options to the command at the bash prompt.
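A self-audit for the risk described above, as an added example that is not from the book: it checks that a history file is readable only by its owner and reports which lines carry a secret on the command line. The function names, the three patterns, and the sample history lines are assumptions constructed here, and the patterns are a starting set rather than a complete list.

```shell
#!/bin/sh
# Added example (not from the book): audit a bash history file for secrets typed
# on the command line. Findings give line numbers only, so the report itself
# never repeats a secret.

# history_mode_ok FILE: succeeds only if group and others have no access at all.
history_mode_ok() {
    case "$(ls -ld "$1" 2>/dev/null)" in
        -???------*) return 0 ;;
        *)           return 1 ;;
    esac
}

# scan_history FILE: prints "line N: <finding>", returns 1 if anything matched.
scan_history() {
    awk '
        function hit(why) { printf "line %d: %s\n", NR, why; found = 1 }
        BEGIN {
            # --password=VALUE and similar long options that carry a value
            opt = "(^|[ \t])--(password|passwd|token|secret)=[^ \t]"
            # scheme://user:secret@host
            url = "[a-z][a-z0-9+.-]*://[^/ \t:@]+:[^/ \t@]+@"
            # NAME=value where NAME looks like a credential
            env = "(^|[ \t])[A-Za-z_]*(PASSWORD|PASSWD|TOKEN|SECRET)[A-Za-z_]*=[^ \t]"
        }
        $0 ~ opt { hit("secret given as an option value"); next }
        $0 ~ url { hit("credentials embedded in a URL"); next }
        $0 ~ env { hit("secret assigned to a variable"); next }
        END { exit found + 0 }
    ' "$1"
}

# write_sample_history FILE: constructed history lines, not from a real account.
# someprog is a placeholder program name; EXAMPLE-ONLY stands in for a secret.
write_sample_history() {
    cat > "$1" <<'EOF'
cd /var/www
someprog --user=sally --password=EXAMPLE-ONLY salesdb
someprog --user=sally salesdb
curl https://sally:EXAMPLE-ONLY@files.example.com/report.csv
export API_TOKEN=EXAMPLE-ONLY
echo $NNTPSERVER
EOF
}

HIST="${TMPDIR:-/tmp}/sample_history.$$"
write_sample_history "$HIST"
chmod 600 "$HIST"
scan_history "$HIST" || echo "=> let these programs prompt for the secret instead"
if history_mode_ok "$HIST"; then
    echo "=> file is readable by its owner only"
fi
rm -f "$HIST"
```

To audit a real account, call scan_history and history_mode_ok on ~/.bash_history instead of the sample file.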
In Exercise 1.1, you’ll experiment with your shell’s completion and command-editing tools.
EXERCISE 1.1
Editing Commands
To experiment with your shell’s completion and command-editing tools, follow these steps:
1. Log in as an ordinary user.
2. Create a temporary directory by typing mkdir test. (Directory and file manipulation commands are described in more detail in Chapter 4.)
3. Change into the test directory by typing cd test.
4. Create a few temporary files by typing touch one two three. This command creates three empty files named one, two, and three.
5. Type ls -l t, and without pressing the Enter key, press the Tab key. The system may beep at you or display two three. If it doesn’t display two three, press the Tab key again, and it should do so. This reveals that either two or three is a valid completion to your command, because these are the two files in the test directory whose filenames begin with the letter t.
6. Type h, and again without pressing the Enter key, press the Tab key. The system should complete the command (ls -l three), at which point you can press the Enter key to execute it. (You’ll see information on the file.)
7. Press the Up arrow key. You should see the ls -l three command appear on the command line.
8. Press Ctrl+A to move the cursor to the beginning of the line.
9. Press the Right arrow key once, and type es (without pressing the Enter key). The command line should now read less -l three.
10. Press the Right arrow key once, and press the Delete key three times. The command should now read less three. Press the Enter key to execute the command. (Note that you can do so even though the cursor isn’t at the end of the line.) This invokes the less pager on the three file. (The less pager is described more fully later, in “Paging Through Files with less.”) Because this file is empty, you’ll see a mostly empty screen.
11. Press the Q key to exit from the less pager.
Exploring Shell Configuration
Shells, like many Linux programs, are configured through files that hold configuration options in a plain-text format. The bash configuration files are actually bash shell scripts, which are described more fully in Chapter 9. For now, you should know that the ~/.bashrc and ~/.profile files are the main user configuration files for bash, and /etc/bash.bashrc and /etc/profile are the main global configuration files.
Even without knowing much about shell scripting, you can make simple changes to these files. Edit them in your favorite text editor, and change whatever needs changing. For instance, you can add directories to the $PATH environment variable, which takes a colon-delimited list of directories.
Be careful when changing your bash configuration, particularly the global bash configuration files. Save a backup of the original file before making changes, and test your changes immediately by logging in using another virtual terminal. If you spot a problem, revert to your saved copy until you can learn the cause and create a working file.
Using Environment Variables
Environment variables are like variables in programming languages—they hold data to be referred to by the variable name. Environment variables differ from programs’ internal variables in that they’re part of the environment of a program, and other programs, such as the shell, can modify this environment. Programs can rely on environment variables to set information that can apply to many different programs. For instance, many text-based programs need to know the capabilities of the terminal program you use. This information is conveyed in the $TERM environment variable, which is likely to hold a value such as xterm or linux. Programs that need to position the cursor, display color text, or perform other tasks that depend on terminal-specific capabilities can customize their output based on this information.
Chapter 9 describes environment variables and their manipulation in more detail. For the moment, you should know that you can set them in bash by using an assignment (=) operator followed by the export command:
$ NNTPSERVER=news.abigisp.com
$ export NNTPSERVER
You can combine these two commands into a single form:
$ export NNTPSERVER=news.abigisp.com
Either method sets the $NNTPSERVER environment variable to news.abigisp.com. (When setting an environment variable, you omit the dollar sign, but subsequent references include a dollar sign to identify the environment variable as such.) Thereafter, programs that need this information can refer to the environment variable. In fact, you can do so from the shell yourself, using the echo command:
$ echo $NNTPSERVER
news.abigisp.com
Some environment variables, including the $TERM environment variable, are set automatically when you log in. If a program uses environment variables, its documentation should say so. The $NNTPSERVER variable is used by some Usenet news clients, which enable participation in a type of online discussion group that predates Web forums.
You can also view the entire environment by typing env. The result is likely to be several dozen lines of environment variables and their values. Chapter 9 describes what many of these variables are in more detail.
To delete an environment variable, use the unset command, which takes the name of an environment variable (without the leading $ symbol) as an option. For instance, unset NNTPSERVER removes the $NNTPSERVER environment variable.
Getting Help
Linux provides a text-based help system known as man. This command’s name is short for manual, and its entries (its man pages) provide succinct summaries of what a command, file, or other feature does. For instance, to learn about man itself, you can type man man. The result is a description of the man command.
The man utility uses the less pager to display information. This program displays text a page at a time. Press the spacebar to move forward a page, Esc followed by V to move back a page, the arrow keys to move up or down a line at a time, the slash (/) key to search for text, and so on. (Type man less to learn all the details, or consult the upcoming section “Paging Through Files with less.”) When you’re done, press Q to exit less and the man page it’s displaying.
Linux man pages are organized into several sections, which are summarized in Table 1.1. Sometimes a single keyword has entries in multiple sections; for instance, passwd has entries under both section 1 and section 5. In most cases, man returns the entry in the lowest-numbered section, but you can force the issue by preceding the keyword by the section number. For instance, typing man 5 passwd returns information on the passwd file format rather than the passwd command.
TABLE 1.1 Manual sections
Section number    Description
1                 Executable programs and shell commands
2                 System calls provided by the kernel
3                 Library calls provided by program libraries
4                 Device files (usually stored in /dev)
5                 File formats
6                 Games
7                 Miscellaneous (macro packages, conventions, and so on)
8                 System administration commands (programs run mostly or exclusively by root)
9                 Kernel routines
Some programs have moved away from man pages to info pages. The basic purpose of info pages is the same as that for man pages, but info pages use a hypertext format so that you can move from section to section of the documentation for a program. Type info info to learn more about this system.
Both man pages and info pages are usually written in a terse style. They’re intended as reference tools, not tutorials; they frequently assume basic familiarity with the command, or at least with Linux generally. For more tutorial information, you must look elsewhere, such as this book or the Web. The Linux Documentation Project (http://tldp.org) is a particularly relevant Web-based resource for learning about various Linux topics.
Using Streams, Redirection, and Pipes
Streams, redirection, and pipes are some of the more powerful command-line tools in Linux. Linux treats the input to and output from programs as a stream, which is a data entity that can be manipulated. Ordinarily, input comes from the keyboard and output goes to the screen (which in this context can mean a full-screen text-mode login session, an xterm or a similar window, or the screen of a remote computer via a remote login session). You can redirect these input and output streams to come from or go to other sources, though, such as files. Similarly, you can pipe the output of one program into another program. These facilities can be great tools to tie together multiple programs.
Part of the Unix philosophy to which Linux adheres is, whenever possible, to do complex things by combining multiple simple tools. Redirection and pipes help in this task by enabling simple programs to be combined together in chains, each link feeding off the output of the preceding link.
Exploring Types of Streams
To begin understanding redirection and pipes, you must first understand the different types of input and output streams. Three are most important for this topic:
Standard Input Programs accept keyboard input via standard input, or stdin. In most cases, this is the data that comes into the computer from a keyboard.
Standard Output Text-mode programs send most data to their users via standard output (aka stdout), which is normally displayed on the screen, either in a full-screen text-mode session or in a GUI window such as an xterm. (Fully GUI programs such as GUI word processors don’t use standard output for their regular interactions, although they might use standard output to display messages in the xterm from which they were launched. GUI output isn’t handled via an output stream in the sense I’m describing here.)
Standard Error Linux provides a second type of output stream, known as standard error, or stderr. This output stream is intended to carry high-priority information such as error messages. Ordinarily, standard error is sent to the same output device as standard output, so you can’t easily tell them apart. You can redirect one independently of the other, though, which can be handy. For instance, you can redirect standard error to a file while leaving standard output going to the screen so that you can interact with the program and then study the error messages later.
Internally, programs treat these streams just like data files—they open them, read from or write to the files, and close them when they’re done. Put another way, ordinary files are streams from a program’s point of view. The standard input, output, and error streams just happen to be the ones used to interact with users.
Redirecting Input and Output
To redirect input or output, you use symbols following the command, including any options it takes. For instance, to redirect the output of the echo command, you would type something like this:
$ echo $NNTPSERVER > nntpserver.txt
The result is that the file nntpserver.txt contains the output of the command (in this case, the value of the $NNTPSERVER environment variable). Redirection operators exist to achieve several effects, as summarized in Table 1.2.
TABLE 1.2 Common redirection operators
Redirection operator    Effect
>                       Creates a new file containing standard output. If the specified file exists, it’s overwritten.
>>                      Appends standard output to the existing file. If the specified file doesn’t exist, it’s created.
2>                      Creates a new file containing standard error. If the specified file exists, it’s overwritten.
2>>                     Appends standard error to the existing file. If the specified file doesn’t exist, it’s created.
&>                      Creates a new file containing both standard output and standard error. If the specified file exists, it’s overwritten.
<                       Sends the contents of the specified file to be used as standard input.
<<                      Accepts text on the following lines as standard input.
<>                      Causes the specified file to be used for both standard input and standard output.
Most of these redirectors deal with output, both because there are two types of output (standard output and standard error) and because you must be concerned with what to do in case you specify a file that already exists. The most important input redirector is <, which takes the specified file’s contents as standard input.
A common trick is to redirect standard output or standard error to /dev/null. This file is a device that’s connected to nothing; it’s used when you want to get rid of data. For instance, if the whine program is generating too many error messages, you can type whine 2> /dev/null to run it and discard its error messages.
One redirection operator that requires elaboration is <<. This operator implements a here document, which takes text from the following lines as standard input. Chances are you won’t use this redirector on the command line, though; the following lines are standard input, so there’s no need to redirect them. Rather, you might use this command as part of a script in order to pass data to an interactive program. Unlike most redirection operators, the text immediately following the << code isn’t a filename; instead, it’s a word that’s used to mark the end of input. For instance, typing someprog << EOF causes someprog to accept input until it sees a line that contains only the string EOF (without even a space following it).
Some programs that take input from the command line expect you to terminate input by pressing Ctrl+D. This keystroke corresponds to an end-of-file marker using the American Standard Code for Information Interchange (ASCII).
A final redirection tool is the tee command. This command splits standard input so that it’s displayed on standard output and on as many files as you specify. Typically, tee is used in conjunction with data pipes so that a program’s output can be both stored and viewed immediately. For instance, to view and store the output of someprog, you might type this:
$ someprog | tee output.txt
The vertical bar (|) is the pipe character. It implements a pipe, as described in the next section.
Ordinarily, tee overwrites any files whose names you specify. If you want to append data to these files, pass the -a option to tee.
Piping Data Between Programs
Programs can frequently operate on other programs’ outputs. For instance, you might use a text-filtering command (such as the ones described shortly, in “Processing Text Using Filters”) to manipulate text output by another program. You can do this with the help of redirection operators; send the first program’s standard output to a file, and then redirect the second program’s standard input to read from that file. This solution is awkward, though, and it involves the creation of a file that you might easily overlook, leading to unnecessary clutter on your system.
The solution is to use data pipes (aka pipelines). A pipe redirects the first program’s standard output to the second program’s standard input and is denoted by a vertical bar (|):
$ first | second
For instance, suppose that first generates some system statistics, such as system uptime, CPU use, number of users logged in, and so on. This output might be lengthy, so you want to trim it a bit. You might therefore use second, which could be a script or command that echoes from its standard input only the information in which you’re interested. (The grep command, described in “Using grep,” is often used in this role.)
Pipes can be used in sequences of arbitrary length:
$ first | second | third | fourth | fifth | sixth [...]
Generating Command Lines
Sometimes you’ll find yourself constructing a series of commands that are similar to each other but not similar enough to enable you to use their normal options to substitute a single command. For instance, suppose you want to remove every file in a directory tree with a name that ends in a tilde (~). (This filename convention denotes backup files created by certain text editors.) With a large directory tree, this task can be daunting; the usual file-deletion command (rm, described in more detail in Chapter 4) doesn’t provide an option to search for and delete every file in a directory tree that matches such a specific criterion. One command that can do the search part of the job, though, is find, which is also described in more detail in Chapter 4. This command displays all the files that match criteria you provide. If you could combine the output of find to create a series of command lines using rm, the task would be solved. This is precisely the purpose of the xargs command.
The xargs command builds a command from its standard input. The basic syntax for this command is as follows:
xargs [options] [command [initial-arguments]]
The command is the command you want to execute, and initial-arguments is a list of arguments you want to pass to the command. The options are xargs options; they aren’t passed to command. When you run xargs, it runs command once for every word passed to it on standard input, adding that word to the argument list for command. If you want to pass multiple options to the command, you can protect them by enclosing the group in quotation marks.
For instance, consider the task of deleting all those backup files, denoted by tilde characters. You can do this by piping the output of find to xargs, which then calls rm:
$ find ./ -name "*~" | xargs -d "\n" rm
The first part of this command (find ./ -name "*~") finds all the files in the current directory (./) or its subdirectories with a name that ends in a tilde (*~). This list is then piped to xargs, which adds each input value to its own rm command. Problems can arise if filenames contain spaces, since by default xargs uses both spaces and newlines as item delimiters. The -d "\n" option tells xargs to use only newlines as delimiters, thus avoiding this problem in this context. (The find command separates each found filename with a newline.)
A tool that’s similar to xargs in many ways is the backtick (`), which is a character to the left of the 1 key on most keyboards. The backtick is not the same as the single quote character ('), which is located to the right of the semicolon (;) on most keyboards.
Text within backticks is treated as a separate command whose results are substituted on the command line. For instance, to delete those backup files, you can type the following command:
$ rm `find ./ -name "*~"`
The backtick solution works fine in some cases, but it breaks down in more complex situations. The reason is that the output of the backtick-contained command is passed to the command it precedes as if it had been typed at the shell. By contrast, when you use xargs, it runs the command you specify (rm in these examples) once for each of the input items. What’s more, you can’t pass options such as -d "\n" to a backtick. Thus, these two examples will work the same in many cases, but not in all of them.
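The two commands above, plus two variants, run against a scratch directory of constructed file names, as an added example that is not from the book. It assumes GNU find and xargs and goes one step beyond the text: a file name containing a newline defeats -d "\n" as well, so the run also includes find -print0 piped to xargs -0, which separates names with a NUL byte.

```shell
#!/bin/sh
# Added example (not from the book): four ways to delete "*~" backup files.
# Every file name is a constructed sample; nothing outside $DEMO is touched.

DEMO="${TMPDIR:-/tmp}/backup-cleanup-demo.$$"

make_tree() {
    rm -rf "$DEMO" && mkdir -p "$DEMO"
    : > "$DEMO/plain.txt~"      # ordinary backup file
    : > "$DEMO/report old~"     # backup file with a space in its name
    : > "$DEMO/report"          # NOT a backup: must survive the cleanup
    : > "$DEMO/line
break~"                         # backup file with a newline in its name
}

# try_method NAME: rebuilds the tree, runs one cleanup method inside it, and
# prints "<backup files left> <kept|lost>", where kept/lost refers to "report".
try_method() {
    make_tree
    (
        cd "$DEMO" || exit 1
        case "$1" in
            backtick) rm `find ./ -name "*~"` ;;                      # shell splits on spaces and newlines
            xargs)    find ./ -name "*~" | xargs rm ;;               # xargs default: same splitting
            xargs-d)  find ./ -name "*~" | xargs -d "\n" rm ;;       # the book's command
            print0)   find ./ -name "*~" -print0 | xargs -0 rm ;;    # NUL-separated names
        esac
    ) 2>/dev/null || true       # rm reports the names it could not find; ignore that here
    left=$(find "$DEMO" -name "*~" -exec printf x \; | wc -c)
    if [ -e "$DEMO/report" ]; then state=kept; else state=lost; fi
    rm -rf "$DEMO"
    echo "$((left)) $state"
}

for m in backtick xargs xargs-d print0; do
    printf '%-9s %s\n' "$m" "$(try_method "$m")"
done
```

With word splitting, "report old~" is read as the two names report and old~, so the unrelated file report is deleted while the backup itself stays; only the NUL-separated form removes all three backups and nothing else.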
Processing Text Using Filters
In keeping with Linux’s philosophy of providing small tools that can be tied together via pipes and redirection to accomplish more complex tasks, many simple commands to manipulate text are available. These commands accomplish tasks of various types, such as combining files, transforming the data in files, formatting text, displaying text, and summarizing data.
Many of the following descriptions include input-file specifications. In most cases, you can omit these input-file specifications, in which case the utility reads from standard input instead.
File-CombiningCommandsThefirstgroupoftext-filteringcommandsarethoseusedtocombinetwoormorefilesintoonefile.Threeimportantcommandsinthiscategoryarecat,join,andpaste,whichjoinfilesendtoend,basedonfieldsinthefile,orbymergingonaline-by-linebasis,respectively.
CombiningFileswithcatThecatcommand’sname isshort forconcatenate, and this tooldoes just that: It links togetheranarbitrarynumberoffilesendtoendandsendstheresulttostandardoutput.Bycombiningcatwithoutputredirection,youcanquicklycombinetwofilesintoone:$catfirst.txtsecond.txt>combined.txt
Although cat is officially a tool for combining files, it’s also commonly used to display thecontentsofashort file. Ifyou typeonlyonefilenameasanoption,catdisplays that file.This isagreat way to review short files; but for long files, you’re better off using a full-fledged pagercommand,suchasmoreorless.Youcanaddoptionstohavecatperformminormodificationstothefilesasitcombinesthem:DisplayLineEndsIfyouwanttoseewherelinesend,addthe-Eor--show-endsoption.Theresultisadollarsign($)attheendofeachline.NumberLinesThe-nor--numberoptionaddslinenumberstothebeginningofeveryline.The-bor--number-nonblankoptionissimilar,butitnumbersonlylinesthatcontaintext.MinimizeBlankLinesThe-sor--squeeze-blankoptioncompressesgroupsofblanklinesdowntoasingleblankline.DisplaySpecialCharactersThe-Tor--show-tabsoptiondisplaystabcharactersas^I.The-vor--show-nonprintingoptiondisplaysmostcontrolandotherspecialcharactersusingcarat(^)andM-notations.Thetaccommandissimilartocat,butitreversestheorderoflinesintheoutput.

Joining Files by Field with join

The join command combines two files by matching the contents of specified fields within the files. Fields are typically space-separated entries on a line, although you can specify another character as the field separator with the -t char option, where char is the character you want to use. You can cause join to ignore case when performing comparisons by using the -i option.

The effect of join may best be understood through a demonstration. Consider Listings 1.1 and 1.2, which contain data on telephone numbers; Listing 1.1 shows the names associated with those numbers, and Listing 1.2 shows whether the numbers are listed or unlisted.

Listing 1.1: Demonstration File Containing Telephone Numbers and Names
555-2397 Beckett, Barry
555-5116 Carter, Gertrude
555-7929 Jones, Theresa
555-9871 Orwell, Samuel

Listing 1.2: Demonstration File Containing Telephone Number Listing Status
555-2397 unlisted
555-5116 listed
555-7929 listed
555-9871 unlisted

You can display the contents of both files using join:

$ join listing1.1.txt listing1.2.txt
555-2397 Beckett, Barry unlisted
555-5116 Carter, Gertrude listed
555-7929 Jones, Theresa listed
555-9871 Orwell, Samuel unlisted

By default, join uses the first field as the one to match across files. Because Listings 1.1 and 1.2 both place the phone number in this field, it’s the key field in the output. You can specify another field by using the -1 or -2 option to specify the join field for the first or second file, respectively, as in join -1 3 -2 2 cameras.txt lenses.txt to join using the third field in cameras.txt and the second field in lenses.txt. The -o FORMAT option enables more complex specifications for the output file’s format; consult the man page for join for more details.

The join command can be used at the core of a set of simple customized database-manipulation tools using Linux text-manipulation commands. It’s very limited by itself, though; for instance, it requires its two files to have the same ordering of lines. (You can use the sort command to ensure this is so.)
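
The ordering requirement is easy to miss because join on out-of-order input still produces output, just with fewer paired lines. The following added example (not from the book) uses the contents of Listings 1.1 and 1.2 with the second listing deliberately shuffled; the function names, scratch file names, and the shuffled order are constructed for illustration.

```shell
#!/bin/sh
# Added example: join pairs fewer lines when an input is out of order.

# Write Listing 1.1 (sorted) and a shuffled copy of Listing 1.2 into directory $1.
write_listings() {
    cat > "$1/listing1.1.txt" <<'EOF'
555-2397 Beckett, Barry
555-5116 Carter, Gertrude
555-7929 Jones, Theresa
555-9871 Orwell, Samuel
EOF
    cat > "$1/shuffled1.2.txt" <<'EOF'
555-7929 listed
555-2397 unlisted
555-9871 unlisted
555-5116 listed
EOF
}

# Number of joined lines when the shuffled file is used as-is.
joined_unsorted() {
    LC_ALL=C join "$1/listing1.1.txt" "$1/shuffled1.2.txt" 2>/dev/null \
        | wc -l | tr -d ' '
}

# Number of joined lines when both inputs are first sorted on the join field.
joined_sorted() {
    LC_ALL=C sort -k1,1 "$1/listing1.1.txt" > "$1/a.sorted"
    LC_ALL=C sort -k1,1 "$1/shuffled1.2.txt" > "$1/b.sorted"
    LC_ALL=C join "$1/a.sorted" "$1/b.sorted" | wc -l | tr -d ' '
}

# Run both variants in a scratch directory; print "<unsorted count> <sorted count>".
compare_join() {
    work=$(mktemp -d) || return 1
    write_listings "$work"
    printf '%s %s\n' "$(joined_unsorted "$work")" "$(joined_sorted "$work")"
    rm -rf "$work"
}

compare_join
```

Only the sorted run pairs all four numbers. GNU join also accepts --check-order, which turns out-of-order input into an error instead of a shorter result.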

Merging Lines with paste

The paste command merges files line by line, separating the lines from each file with tabs, as shown in the following example, using Listings 1.1 and 1.2 again:

$ paste listing1.1.txt listing1.2.txt
555-2397 Beckett, Barry	555-2397 unlisted
555-5116 Carter, Gertrude	555-5116 listed
555-7929 Jones, Theresa	555-7929 listed
555-9871 Orwell, Samuel	555-9871 unlisted

You can use paste to combine data from files that aren’t keyed with fields suitable for use by join. Of course, to be meaningful, the files’ line numbers must be exactly equivalent. Alternatively, you can use paste as a quick way to create a two-column output of textual data; however, the alignment of the second column may not be exact if the first column’s line lengths aren’t exactly even, as shown in the preceding example.

File-Transforming Commands

Many of Linux’s text-manipulation commands are aimed at transforming the contents of files. These commands don’t actually change files’ contents, though; rather, they send the changed file to standard output. You can then pipe this output to another command or redirect it into a new file.

An important file-transforming command is sed. This command is very complex and is covered later in this chapter, in “Using sed.”

Converting Tabs to Spaces with expand

Sometimes text files contain tabs but programs that need to process the files don’t cope well with tabs; or perhaps you want to edit a text file in an editor that uses a different amount of horizontal space for the tab than did the editor that created the file. In such cases, you may want to convert tabs to spaces. The expand command does this.

By default, expand assumes a tab stop every eight characters. You can change this spacing with the -t num or --tabs=num option, where num is the tab spacing value.

Displaying Files in Octal with od

Some files aren’t easily displayed in ASCII; most graphics files, audio files, and so on use non-ASCII characters that look like gibberish. Worse, these characters can do strange things to your display if you try to view such a file with cat or a similar tool. For instance, your font may change, or your console may begin beeping uncontrollably. Nonetheless, you may sometimes want to display such files, particularly if you want to investigate the structure of a data file. You may also want to look at an ASCII file in a way that eliminates certain ambiguities, such as whether a gap between words is a tab or several spaces. In such cases, od (whose name stands for octal dump) can help. It displays a file in an unambiguous format—octal (base 8) numbers by default. For instance, consider Listing 1.2 as parsed by od:

$ od listing1.2.txt
0000000 032465 026465 031462 033471 072440 066156 071551 062564
0000020 005144 032465 026465 030465 033061 066040 071551 062564
0000040 005144 032465 026465 034467 034462 066040 071551 062564
0000060 005144 032465 026465 034071 030467 072440 066156 071551
0000100 062564 005144
0000104

The first field on each line is an index into the file in octal. For instance, the second line begins at octal 20 (16 in base 10) bytes into the file. The remaining numbers on each line represent the bytes in the file. This type of output can be difficult to interpret unless you’re well versed in octal notation and perhaps in the ASCII code.

Although od is nominally a tool for generating octal output, it can generate many other output formats, such as hexadecimal (base 16), decimal (base 10), and even ASCII with escaped control characters. Consult the man page for od for details on creating these variants.

Sorting Files with sort

Sometimes you’ll create an output file that you want sorted. To do so, you can use a command that’s called, appropriately enough, sort. This command can sort in several ways, including the following:

Ignore Case: Ordinarily, sort sorts by ASCII value, which differentiates between uppercase and lowercase letters. The -f or --ignore-case option causes sort to ignore case.
Month Sort: The -M or --month-sort option causes the program to sort by three-letter month abbreviation (JAN through DEC).
Numeric Sort: You can sort by number by using the -n or --numeric-sort option.
Reverse Sort Order: The -r or --reverse option sorts in reverse order.
Sort Field: By default, sort uses the first field as its sort field. You can specify another field with the -k field or --key=field option. (The field can be two numbered fields separated by commas, to sort on multiple fields.)

As an example, suppose you wanted to sort Listing 1.1 by first name. You could do so like this:

$ sort -k 3 listing1.1.txt
555-2397 Beckett, Barry
555-5116 Carter, Gertrude
555-9871 Orwell, Samuel
555-7929 Jones, Theresa

The sort command supports a large number of additional options, many of them quite exotic. Consult sort’s man page for details.

Breaking a File into Pieces with split

The split command can split a file into two or more files. Unlike most of the text-manipulation commands described in this chapter, this command requires you to enter an output filename—or more precisely, an output filename prefix, to which is added an alphabetic code. You must also normally specify how large you want the individual files to be:

Split by Bytes: The -b size or --bytes=size option breaks the input file into pieces of size bytes. This option can have the usually undesirable consequence of splitting the file mid-line.
Split by Bytes in Line-Sized Chunks: You can break a file into files of no more than a specified size without breaking lines across files by using the -C=size or --line-bytes=size option. (Lines will still be broken across files if the line length is greater than size.)
Split by Number of Lines: The -l lines or --lines=lines option splits the file into chunks with no more than the specified number of lines.

As an example, consider breaking Listing 1.1 into two parts by number of lines:

$ split -l 2 listing1.1.txt numbers

The result is two files, numbersaa and numbersab, that together hold the original contents of listing1.1.txt.

If you don’t specify any defaults (as in split listing1.1.txt), the result is output files split into 1,000-line chunks, with names beginning with x (xaa, xab, and so on). If you don’t specify an input filename, split uses standard input.

Translating Characters with tr

The tr command changes individual characters from standard input. Its syntax is as follows:

tr [options] SET1 [SET2]

You specify the characters you want replaced in a group (SET1) and the characters with which you want them to be replaced as a second group (SET2). Each character in SET1 is replaced with the one at the equivalent position in SET2. Here’s an example using Listing 1.1:

$ tr BCJ bc < listing1.1.txt
555-2397 beckett, barry
555-5116 carter, Gertrude
555-7929 cones, Theresa
555-9871 Orwell, Samuel

The tr command relies on standard input, which is the reason for the input redirection (<) in this example. This is the only way to pass the command a file.

This example translates some, but not all, of the uppercase characters to lowercase. Note that SET2 in this example was shorter than SET1. The result is that tr substitutes the last available letter from SET2 for the missing letters. In this example, the J in Jones became a c. The -t or --truncate-set1 option causes tr to truncate SET1 to the size of SET2 instead.

Another tr option is -d, which causes the program to delete the characters from SET1. When using -d, you can omit SET2 entirely.

The tr command also accepts a number of shortcuts, such as [:alnum:] (all numbers and letters), [:upper:] (all uppercase letters), [:lower:] (all lowercase letters), and [:digit:] (all digits). You can specify a range of characters by separating them with dashes (-), as in A-M for characters between A and M, inclusive. Consult tr’s man page for a complete list of these shortcuts.

Converting Spaces to Tabs with unexpand

The unexpand command is the logical opposite of expand; it converts multiple spaces to tabs. This can help compress the size of files that contain many spaces and can be helpful if a file is to be processed by a utility that expects tabs in certain locations.

Like expand, unexpand accepts the -t num or --tabs=num option, which sets the tab spacing to once every num characters. If you omit this option, unexpand assumes a tab stop every eight characters.

Deleting Duplicate Lines with uniq

The uniq command removes duplicate lines. It’s most likely to be useful if you’ve sorted a file and don’t want duplicate items. For instance, suppose you want to summarize Shakespeare’s vocabulary. You might create a file with all of the Bard’s works, one word per line. You can then sort this file using sort and pass it through uniq. Using a shorter example file containing the text to be or not to be, that is the question (one word per line), the result looks like this:

$ sort shakespeare.txt | uniq
be
is
not
or
question
that
the
to

Note that the words to and be, which appeared in the original file twice, appear only once in the uniq-processed version.

File-Formatting Commands

The next three commands—fmt, nl, and pr—reformat the text in a file. The first of these is designed to reformat text files, such as if a program’s README documentation file uses lines that are too long for your display. The nl command numbers the lines of a file, which can be helpful in referring to lines in documentation or correspondence. Finally, pr is a print-processing tool; it formats a document in pages suitable for printing.

Reformatting Paragraphs with fmt

Sometimes text files arrive with outrageously long line lengths, irregular line lengths, or other problems. Depending on the difficulty, you may be able to cope simply by using an appropriate text editor or viewer to read the file. If you want to clean up the file a bit, though, you can do so with fmt. If called with no options (other than the input filename, if you’re not having it work on standard input), the program attempts to clean up paragraphs, which it assumes are delimited by two or more blank lines or by changes in indentation. The new paragraph formatting defaults to no more than 75 characters wide. You can change this with the -width, -w width, or --width=width options, which set the line length to width characters.

Numbering Lines with nl

As described earlier, in “Combining Files with cat,” you can number the lines of a file with that command. The cat line-numbering options are limited, though, so if you need to do complex line numbering, nl is the tool to use. In its simplest case, you can use nl alone to accomplish much the same goal as cat -b achieves: numbering all the non-blank lines in a file. You can add many options to nl to achieve various special effects:

Body Numbering Style: You can set the numbering style for the bulk of the lines with the -b style or --body-numbering=style option, where style is a style format code, described shortly.
Header and Footer Numbering Style: If the text is formatted for printing and has headers or footers, you can set the style for these elements with the -h style or --header-numbering=style option for the header and -f style or --footer-numbering=style option for the footer.
Page Separator: Some numbering schemes reset the line numbers for each page. You can tell nl how to identify a new page with the -d=code or --section-delimiter=code option, where code is a code for the character that identifies the new page.
Line-Number Options for New Pages: Ordinarily, nl begins numbering each new page with line 1. If you pass the -p or --no-renumber option, though, it doesn’t reset the line number with a new page.
Number Format: You can specify the numbering format with the -n format or --number-format=format option, where format is ln (left justified, no leading zeros), rn (right justified, no leading zeros), or rz (right justified with leading zeros).

The body, header, and footer options enable you to specify a numbering style for each of these page elements, as described in Table 1.3.

TABLE 1.3 Styles used by nl
Style code    Description
t             The default behavior is to number lines that aren’t empty. You can make this default explicit by using a style of t.
a             This style causes all lines to be numbered, including empty lines.
n             This style causes all line numbers to be omitted, which may be desirable for headers or footers.
pREGEXP       This option causes only lines that match the specified regular expression (REGEXP) to be numbered. Regular expressions are described later, in “Using Regular Expressions.”

As an example, suppose you’ve created a script, buggy, but you find that it’s not working as you expect. When you run it, you get error messages that refer to line numbers, so you want to create a version of the script with lines that are numbered for easy reference. You can do so by calling nl with the option to number all lines, including blank lines (-b a):

$ nl -b a buggy > numbered-buggy.txt

Because the input file doesn’t have any explicit page delimiters, the output will be numbered in a single sequence; nl doesn’t try to impose its own page-length limits.

The numbered-buggy.txt file created by this command isn’t useful as a script because of the line numbers that begin each line. You can, however, load it into a text editor or display it with a pager such as less to view the text and see the line numbers along with the commands they contain.

Preparing a File for Printing with pr

If you want to print a plain-text file, you may want to prepare it with headers, footers, page breaks, and so on. The pr command was designed to do this. In its most basic form, you pass the command a file:

$ pr myfile.txt

The result is text formatted for printing on a line printer—that is, pr assumes an 80-character line length in a monospaced font. Of course, you can also use pr in a pipe, either to accept input piped from another program or to pipe its output to another program. (The recipient program might be lpr, which is used to print files, as described in Chapter 6, “Configuring the X Window System, Localization, and Printing.”)

By default, pr creates output that includes the original text with headers that include the current date and time, the original filename, and the page number. You can tweak the output format in a variety of ways, including the following:

Generate Multi-column Output: Passing the -numcols or --columns=numcols option creates output with numcols columns. Note that pr doesn’t reformat text; if lines are too long, they’re truncated or run over into multiple columns.
Generate Double-Spaced Output: The -d or --double-space option causes double-spaced output from a single-spaced file.
Use Form Feeds: Ordinarily, pr separates pages by using a fixed number of blank lines. This works fine if your printer uses the same number of lines that pr expects. If you have problems with this issue, you can pass the -F, -f, or --form-feed option, which causes pr to output a form-feed character between pages. This works better with some printers.
Set Page Length: The -l lines or --length=lines option sets the length of the page in lines.
Set the Header Text: The -h text or --header=text option sets the text to be displayed in the header, replacing the filename. To specify a multi-word string, enclose it in quotes, as in --header="My File". The -t or --omit-header option omits the header entirely.
Set Left Margin and Page Width: The -o chars or --indent=chars option sets the left margin to chars characters. This margin size is added to the page width, which defaults to 72 characters and can be explicitly set with the -w chars or --width chars option.

These options are just the beginning; pr supports many more, which are described in its man page.

As an example of pr in action, consider printing a double-spaced and numbered version of a configuration file (say, /etc/profile) for your reference. You can do this by piping together cat and its -n option to generate a numbered output, pr and its -d option to double-space the result, and lpr to print the file:

$ cat -n /etc/profile | pr -d | lpr

The result should be a printout that might be handy for taking notes on the configuration file. One caveat, though: If the file contains lines that approach or exceed 80 characters in length, the result can be single lines that spill across two lines. The result will be disrupted page boundaries. As a workaround, you can set a somewhat short page length with -l and use -f to ensure that the printer receives form feeds after each page:

$ cat -n /etc/profile | pr -dfl 50 | lpr

The pr command is built around assumptions about printer capabilities that were reasonable in the early 1980s. It’s still useful today, but you might prefer to look into GNU Enscript (http://www.codento.com/people/mtr/genscript/). This program has many of the same features as pr, but it generates PostScript output that can take better advantage of modern printer features.

File-Viewing Commands

Sometimes you just want to view a file or part of a file. A few commands can help you accomplish this goal without loading the file into a full-fledged editor.

As described earlier, the cat command is also handy for viewing short files.

Viewing the Starts of Files with head

Sometimes all you need to do is see the first few lines of a file. This may be enough to identify what a mystery file is, for instance; or you may want to see the first few entries of a log file to determine when that file was started. You can accomplish this goal with the head command, which echoes the first 10 lines of one or more files to standard output. (If you specify multiple filenames, each one’s output is preceded by a header to identify it.) You can modify the amount of information displayed by head in two ways:

Specify the Number of Bytes: The -c num or --bytes=num option tells head to display num bytes from the file rather than the default 10 lines.
Specify the Number of Lines: You can change the number of lines displayed with the -n num or --lines=num option.

Viewing the Ends of Files with tail

The tail command works just like head, except that tail displays the last 10 lines of a file. (You can use the -c/--bytes and -n/--lines options to change the amount of data displayed, just as with head.) This command is useful for examining recent activity in log files or other files to which data may be appended.

The tail command supports several options that aren’t present in head and that enable the program to handle additional duties, including the following:

Track a File: The -f or --follow option tells tail to keep the file open and to display new lines as they’re added. This feature is helpful for tracking log files because it enables you to see changes as they’re made to the file.
Stop Tracking on Program Termination: The --pid=pid option tells tail to terminate tracking (as initiated by -f or --follow) once the process with a process ID (PID) of pid terminates. (PIDs are described in more detail in Chapter 2, “Managing Software.”)

Some additional options provide more obscure capabilities. Consult tail’s man page for details.

You can combine head with tail to display or extract portions of a file. For instance, suppose you want to display lines 11–15 of a file, sample.txt. You can extract the first 15 lines of the file with head, and then display the last five lines of that extraction with tail. The final command would be head -n 15 sample.txt | tail -n 5.

Paging Through Files with less

The less command’s name is a joke; it’s a reference to the more command, which was an early file pager. The idea was to create a better version of more, so the developers called it less.

The idea behind less (and more, for that matter) is to enable you to read a file a screen at a time. When you type less filename, the program displays the first few lines of filename. You can then page back and forth through the file:

Pressing the spacebar moves forward through the file a screen at a time.
Pressing Esc followed by V moves backward through the file a screen at a time.
The Up and Down arrow keys move up or down through the file a line at a time.
You can search the file’s contents by pressing the slash (/) key followed by the search term. For instance, typing /portable finds the first occurrence of the string portable after the current position. Typing a slash followed by the Enter key moves to the next occurrence of the search term. Typing n alone repeats the search forward, while typing N alone repeats the search backward.
You can search backward in the file by using the question mark (?) key rather than the slash key.
You can move to a specific line by typing g followed by the line number, as in g50 to go to line 50.
When you’re done, type q to exit from the program.

Unlike most of the programs described here, less can’t be readily used in a pipe, except as the final command in the pipe. In that role, though, less is very useful because it enables you to conveniently examine lengthy output.

Although less is quite common on Linux systems and is typically configured as the default text pager, some Unix-like systems use more in this role. Many of less’s features, such as the ability to page backward in a file, don’t work in more.

One additional less feature can be handy: Typing h displays less’s internal help system. This display summarizes the commands you may use, but it’s long enough that you must use the usual less paging features to view it all! When you’re done with the help screens, type q, just as if you were exiting from viewing a help document with less. This action will return you to your original document.

File-Summarizing Commands

The final text-filtering commands I describe are used to summarize text in one way or another. The cut command takes segments of an input file and sends them to standard output, while the wc command displays some basic statistics on the file.

Extracting Text with cut

The cut command extracts portions of input lines and displays them on standard output. You can specify what to cut from input lines in several ways:

By Byte: The -b list or --bytes=list option cuts the specified list of bytes from the input file. (The format of a list is described shortly.)
By Character: The -c list or --characters=list option cuts the specified list of characters from the input file. In practice, this method and the by-byte method usually produce identical results. (If the input file uses a multi-byte encoding system, though, the results won’t be identical.)
By Field: The -f list or --fields=list option cuts the specified list of fields from the input file. By default, a field is a tab-delimited section of a line, but you can change the delimiting character with the -d char, --delim=char, or --delimiter=char option, where char is the character you want to use to delimit fields. Ordinarily, cut echoes lines that don’t contain delimiters. Including the -s or --only-delimited option changes this behavior so that the program doesn’t echo lines that don’t contain the delimiter character.

Many of these options take a list, which is a way to specify multiple bytes, characters, or fields. You make this specification by number; it can be a single number (such as 4), a closed range of numbers (such as 2-4), or an open range of numbers (such as -4 or 4-). In this final case, all bytes, characters, or fields from the beginning of the line to the specified number or from the specified number to the end of the line are included in the list.

The cut command is frequently used in scripts to extract data from some other command’s output. For instance, suppose you’re writing a script and the script needs to know the hardware address of your Ethernet adapter. This information can be obtained from the ifconfig command (described in more detail in Chapter 8, “Configuring Basic Networking”):

$ ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:0C:76:96:A3:73
          inet addr:192.168.1.3  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:76ff:fe96:a373/64 Scope:Link
          UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:7127424 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5273519 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:6272843708 (5982.2 Mb)  TX bytes:1082453585 (1032.3 Mb)
          Interrupt:10 Base address:0xde00

Unfortunately, most of this information is extraneous for the desired purpose. The hardware address is the 6-byte hexadecimal number following HWaddr. To extract that data, you can combine grep (described shortly, in “Using grep”) with cut in a pipe:

$ ifconfig eth0 | grep HWaddr | cut -d " " -f 11
00:0C:76:96:A3:73

Of course, in a script you would probably assign this value to a variable or otherwise process it through additional pipes. Chapter 9 describes scripts in more detail.

Obtaining a Word Count with wc

The wc command produces a word count (that’s where it gets its name), as well as line and byte counts, for a file:

$ wc file.txt
  308  2343 15534 file.txt

This file contains 308 lines (or, more precisely, 308 newline characters); 2,343 words; and 15,534 bytes. You can limit the output to the newline count, the word count, the byte count, or a character count with the --lines (-l), --words (-w), --bytes (-c), or --chars (-m) option, respectively. You can also learn the maximum line length with the --max-line-length (-L) option.

For an ordinary ASCII file, the character and byte counts will be identical. These values may diverge for files that use multi-byte character encodings.

Using Regular Expressions

Many Linux programs employ regular expressions, which are tools for describing or matching patterns in text. Regular expressions are similar in principle to the wildcards that can be used to specify multiple filenames. At their simplest, regular expressions can be plain text without adornment. Certain characters are used to denote patterns, though. Because of their importance, I describe regular expressions here. I also cover two programs that make heavy use of regular expressions: grep and sed. These programs search for text within files and permit editing of files from the command line, respectively.

Understanding Regular Expressions

Two forms of regular expression are common: basic and extended. Which form you must use depends on the program; some accept one form or the other, but others can use either type, depending on the options passed to the program. (Some programs use their own minor or major variants on either of these classes of regular expression.) The differences between basic and extended regular expressions are complex and subtle, but the fundamental principles of both are similar.

The simplest type of regular expression is an alphabetic string, such as Linux or HWaddr. These regular expressions match any string of the same size or longer that contains the regular expression. For instance, the HWaddr regular expression matches HWaddr, This is the HWaddr, and The HWaddr is unknown. The real strength of regular expressions comes in the use of non-alphabetic characters, which activate advanced matching rules:

Bracket Expressions: Characters enclosed in square brackets ([]) constitute bracket expressions, which match any one character within the brackets. For instance, the regular expression b[aeiou]g matches the words bag, beg, big, bog, and bug.
Range Expressions: A range expression is a variant on a bracket expression. Instead of listing every character that matches, range expressions list the start and end points separated by a dash (-), as in a[2-4]z. This regular expression matches a2z, a3z, and a4z.
Any Single Character: The dot (.) represents any single character except a newline. For instance, a.z matches a2z, abz, aQz, or any other three-character string that begins with a and ends with z.
Start and End of Line: The caret (^) represents the start of a line, and the dollar sign ($) denotes the end of a line.
Repetition Operators: A full or partial regular expression may be followed by a special symbol to denote how many times a matching item must exist. Specifically, an asterisk (*) denotes zero or more occurrences, a plus sign (+) matches one or more occurrences, and a question mark (?) specifies zero or one match. The asterisk is often combined with the dot (as in .*) to specify a match with any substring. For instance, A.*Lincoln matches any string that contains A and Lincoln, in that order—Abe Lincoln and Abraham Lincoln are just two possible matches.
Multiple Possible Strings: The vertical bar (|) separates two possible matches; for instance, car|truck matches either car or truck.
Parentheses: Ordinary parentheses (()) surround subexpressions. Parentheses are often used to specify how operators are to be applied; for example, you can put parentheses around a group of words that are concatenated with the vertical bar, to ensure that the words are treated as a group, any one of which may match, without involving surrounding parts of the regular expression.
Escaping: If you want to match one of the special characters, such as a dot, you must escape it—that is, precede it with a backslash (\). For instance, to match a computer hostname (say, twain.example.com), you must escape the dots, as in twain\.example\.com.

The preceding descriptions apply to extended regular expressions. Some details are different for basic regular expressions. In particular, the ?, +, |, (, and ) symbols lose their special meanings. To perform the tasks handled by these characters, some programs, such as grep, enable you to recover the functions of these characters by escaping them (say, using \| instead of |). Whether you use basic or extended regular expressions depends on which form the program supports. For programs, such as grep, that support both, you can use either; which you choose is mostly a matter of personal preference.

Regular expression rules can be confusing, particularly when you’re first introduced to them. Some examples of their use, in the context of the programs that use them, will help. The next couple of sections provide such examples.

Using grep

The grep command is extremely useful. It searches for files that contain a specified string and returns the name of the file and (if it’s a text file) a line of context for that string. The basic grep syntax is as follows:

grep [options] regexp [files]

The regexp is a regular expression, as just described. The grep command supports a large number of options. Some of the common options enable you to modify the way the program searches files:

Count Matching Lines: Instead of displaying context lines, grep displays the number of lines that match the specified pattern if you use the -c or --count option.
Specify a Pattern Input File: The -f file or --file=file option takes pattern input from the specified file rather than from the command line.
Ignore Case: You can perform a case-insensitive search, rather than the default case-sensitive search, by using the -i or --ignore-case option.
Search Recursively: The -r or --recursive option searches in the specified directory and all subdirectories rather than simply the specified directory. You can use rgrep rather than specify this option.
Use an Extended Regular Expression: The grep command interprets regexp as a basic regular expression by default. To use an extended regular expression, you can pass the -E or --extended-regexp option. Alternatively, you can call egrep rather than grep; this variant command uses extended regular expressions by default.

A simple example of grep uses a regular expression with no special components:

$ grep -r eth0 /etc/*

This example finds all the files in /etc that contain the string eth0 (the identifier for the first Ethernet device on most Linux distributions). Because the example includes the -r option, it searches recursively, so files in subdirectories of /etc are examined in addition to those in /etc itself. For each matching text file, the line that contains the string is printed.

Some files in /etc can’t be read by ordinary users. Thus, if you type this command as a non-root user, you’ll see some error messages relating to grep’s inability to open files.

Ramping up a bit, suppose you want to locate all the files in /etc that contain the string eth0 or eth1. You can enter the following command, which uses a bracket expression to specify both variant devices:

$ grep eth[01] /etc/*

A still more complex example searches all files in /etc that contain the hostname twain.example.com or bronto.pangaea.edu and, later on the same line, the number 127. This task requires using several of the regular expression features. Expressed using extended regular expression notation, the command looks like this:

$ grep -E "(twain\.example\.com|bronto\.pangaea\.edu).*127" /etc/*

This command illustrates another feature you may need to use: shell quoting. Because the shell uses certain characters, such as the vertical bar and the asterisk, for its own purposes, you must enclose certain regular expressions in quotes lest the shell attempt to parse the regular expression and pass a modified version of what you type to grep.

You can use grep in conjunction with commands that produce a lot of output in order to sift through that output for the material that’s important to you. (Several examples throughout this book use this technique.) For example, suppose you want to find the process ID (PID) of a running xterm. You can use a pipe to send the result of a ps command (described in Chapter 2) through grep:

# ps ax | grep xterm

The result is a list of all running processes called xterm, along with their PIDs. You can even do this in series, using grep to further restrict the output on some other criterion, which can be useful if the initial pass still produces too much output.
Using sed
The sed command directly modifies the contents of files, sending the changed file to standard output. Its syntax can take one of two forms:
sed [options] -f script-file [input-file]
sed [options] script-text [input-file]
In either case, input-file is the name of the file you want to modify. (Modifications are temporary unless you save them in some way, as illustrated shortly.) The script (script-text or the contents of script-file) is the set of commands you want sed to perform. When you pass a script directly on the command line, the script-text is typically enclosed in single quote marks. Table 1.4 summarizes a few sed commands that you can use in its scripts.
TABLE 1.4 Common sed commands
Command               Addresses  Meaning
=                     0 or 1     Display the current line number.
a\text                0 or 1     Append text to the file.
i\text                0 or 1     Insert text into the file.
r filename            0 or 1     Append text from filename into the file.
c\text                Range      Replace the selected range of lines with the provided text.
s/regexp/replacement  Range      Replace text that matches the regular expression (regexp) with replacement.
w filename            Range      Write the current pattern space to the specified file.
q                     0 or 1     Immediately quit the script, but print the current pattern space.
Q                     0 or 1     Immediately quit the script.
Table 1.4 is incomplete; sed is quite complex, and this section merely introduces this tool.
The Addresses column of Table 1.4 requires elaboration: sed commands operate on addresses, which are line numbers. Commands may take no addresses, in which case they operate on the entire file; one address, in which case they operate on the specified line; or two addresses (a range), in which case they operate on that range of lines, inclusive.
In operation, sed looks something like this:
$ sed 's/2012/2013/' cal-2012.txt > cal-2013.txt
This command processes the input file, cal-2012.txt, using sed’s s command to replace the first occurrence of 2012 on each line with 2013. (If a single line may have more than one instance of the search string, you must perform a global search by appending g to the command string, as in s/2012/2013/g.) By default, sed sends the modified file to standard output, so this example uses redirection to send the output to cal-2013.txt. The idea in this example is to quickly convert a file created for the year 2012 so that it can be used in 2013. If you don’t specify an input filename, sed works from standard input, so it can accept the output of another command as its input.
Although it’s conceptually simple, sed is a very complex tool; even a modest summary of its capabilities would fill a chapter. You can consult its man page for basic information, but to fully understand sed, you may want to consult a book on the subject, such as Dale Dougherty and Arnold Robbins’s sed & awk, 2nd Edition (O’Reilly, 1997).
Certain sed commands, including the substitution command, are also used in Vi, which is described more fully in Chapter 5.
Doing One Thing in Many Ways
As you become experienced with Linux and compare notes with other Linux administrators, you may find that the way you work is different from the way others work. This is because Linux often provides multiple methods to solve certain problems. For instance, ASCII text files use certain characters to encode the end of a line. Unix (and Linux) use a single line feed character (ASCII 0x0a, sometimes represented as \n), whereas DOS and Windows use the combination of a carriage return (ASCII 0x0d or \r) and a line feed. When moving ASCII files between computers, you may need to convert from one form to the other. How can you do this?
One solution is to use a special-purpose program, such as dos2unix or unix2dos. You could type dos2unix file.txt to convert file.txt from DOS-style to Unix-style ASCII, for instance. This is usually the simplest solution, but not all computers have these utilities installed.
Another approach is to use tr. For instance, to convert from DOS style to Unix style, you might type this:
$ tr -d '\r' < dosfile.txt > unixfile.txt
This approach won’t work when converting from Unix style to DOS style, though. For that, you can use sed:
sed s/$/"\r"/ unixfile.txt > dosfile.txt
Variants on both the tr and sed commands exist. For instance, sometimes the quotes around \r may be omitted from the sed command; whether they’re required depends on your shell and its configuration.
Yet another approach is to load the file into a text editor and then save it using different file-type settings. (Not all editors support such changes, but some do.)
Many other examples exist of multiple solutions to a problem. Sometimes one solution stands out above others as being superior, but other times the differences may be subtle, or each approach may have merit in particular situations. Thus, it’s best to be at least somewhat familiar with all the alternatives. I describe many such options throughout this book.
Summary
The command line is the key to Linux. Even if you prefer GUI tools to text-mode tools, understanding text-mode commands is necessary to fully manage Linux. This task begins with the shell, which accepts commands you type and displays the results of those commands. In addition, shells support linking programs together via pipes and redirecting programs’ input and output. These features enable you to perform complex tasks using simple tools by having each program perform its own small part of the task. This technique is frequently used with Linux text filters, which manipulate text files in various ways—sorting text by fields, merging multiple files, and so on.
Exam Essentials
Summarize features that Linux shells offer to speed up command entry. The command history often enables you to retrieve an earlier command that’s similar or identical to the one you want to enter. Tab completion reduces typing effort by letting the shell finish long command names or filenames. Command-line editing lets you edit a retrieved command or change a typo before committing the command.
Describe the purpose of the man command. The man command displays the manual page for the keyword (command, filename, system call, or other feature) that you type. This documentation provides succinct summary information that’s useful as a reference to learn about exact command options or features.
Explain the purpose of environment variables. Environment variables store small pieces of data—program options, information about the computer, and so on. This information can be read by programs and used to modify program behavior in a way that’s appropriate for the current environment.
Describe the difference between standard output and standard error. Standard output carries normal program output, whereas standard error carries high-priority output, such as error messages. The two can be redirected independently of one another.
Explain the purpose of pipes. Pipes tie programs together by feeding the standard output from the first program into the second program’s standard input. They can be used to link together a series of simple programs to perform more complex tasks than any one of the programs could manage.
Summarize the structure of regular expressions. Regular expressions are strings that describe other strings. They can contain normal alphanumeric characters, which match the exact same characters, as well as several special symbols and symbol sets that match multiple different characters. The combination is a powerful pattern-matching tool used by many Linux programs.
Review Questions
1. You type a command into bash and pass a long filename to it, but after you enter the command, you receive a File not found error message because of a typo in the filename. How might you proceed?
A. Retype the command, and be sure you type the filename correctly, letter by letter.
B. Retype the command, but press the Tab key after typing a few letters of the long filename to ensure that the filename is entered correctly.
C. Press the Up arrow key, and use bash’s editing features to correct the typo.
D. Any of the above.
E. None of the above.
2. Which of the following commands is implemented as an internal command in bash?
A. cat
B. less
C. tee
D. sed
E. echo
3. You type echo $PROC, and the computer replies Go away. What does this mean?
A. No currently running processes are associated with your shell, so you may log out without terminating them.
B. The remote computer PROC isn’t accepting connections; you should contact its administrator to correct the problem.
C. Your computer is handling too many processes; you must kill some of them to regain control of the computer.
D. Your central processing unit (CPU) is defective and must be replaced as soon as possible.
E. You, one of your configuration files, or a program you’ve run has set the $PROC environment variable to Go away.
4. What does the pwd command accomplish?
A. It prints the name of the working directory.
B. It changes the current working directory.
C. It prints wide displays on narrow paper.
D. It parses Web page URLs for display.
E. It prints the terminal’s width in characters.
5. In an xterm window launched from your window manager, you type exec gedit. What will happen when you exit from the gedit program?
A. Your shell will be a root shell.
B. The gedit program will terminate, but nothing else unusual will happen.
C. Your X session will terminate.
D. The xterm window will close.
E. A new instance of gedit will be launched.
6. What is the surest way to run a program (say, myprog) that’s located in the current working directory?
A. Type ./ followed by the program name: ./myprog.
B. Type the program name alone: myprog.
C. Type run followed by the program name: run myprog.
D. Type /. followed by the program name: /.myprog.
E. Type the program name followed by an ampersand (&): myprog &.
7. How does man display information by default on most Linux systems?
A. Using a custom X-based application
B. Using the Firefox Web browser
C. Using the info browser
D. Using the Vi editor
E. Using the less pager
8. You want to store the standard output of the ifconfig command in a text file (file.txt) for future reference, and you want to wipe out any existing data in the file. You do not want to store standard error in this file. How can you accomplish these goals?
A. ifconfig < file.txt
B. ifconfig >> file.txt
C. ifconfig > file.txt
D. ifconfig | file.txt
E. ifconfig 2> file.txt
9. What is the effect of the following command?
$ myprog &> input.txt
A. Standard error to myprog is taken from input.txt.
B. Standard input to myprog is taken from input.txt.
C. Standard output and standard error from myprog are written to input.txt.
D. All of the above.
E. None of the above.
10. How many commands can you pipe together at once?
A. 2
B. 3
C. 4
D. 16
E. An arbitrary number
11. You want to run an interactive script, gabby, which produces a lot of output in response to the user’s inputs. To facilitate future study of this script, you want to copy its output to a file. How might you do this?
A. gabby > gabby-out.txt
B. gabby | tee gabby-out.txt
C. gabby < gabby-out.txt
D. gabby &> gabby-out.txt
E. gabby `gabby-out.txt`
12. A text-mode program, verbose, prints a lot of spurious “error” messages to standard error. How might you get rid of those messages while still interacting with the program?
A. verbose | quiet
B. verbose &> /dev/null
C. verbose 2> /dev/null
D. verbose > junk.txt
E. quiet-mode verbose
13. How do the > and >> redirection operators differ?
A. The > operator creates a new file or overwrites an existing one; the >> operator creates a new file or appends to an existing one.
B. The > operator creates a new file or overwrites an existing one; the >> operator appends to an existing file or issues an error message if the specified file doesn’t exist.
C. The > operator redirects standard output; the >> operator redirects standard error.
D. The > operator redirects standard output; the >> operator redirects standard input.
E. The > operator writes to an existing file but fails if the file doesn’t exist; the >> operator writes to an existing file or creates a new one if it doesn’t already exist.
14. What program would you use to display the end of a configuration file?
A. uniq
B. cut
C. tail
D. wc
E. fmt
15. What is the effect of the following command?
$ pr report.txt | lpr
A. The file report.txt is formatted for printing and sent to the lpr program.
B. The files report.txt and lpr are combined together into one file and sent to standard output.
C. Tabs are converted to spaces in report.txt, and the result is saved in lpr.
D. The file report.txt is printed, and any error messages are stored in the file lpr.
E. None of the above.
16. Which of the following commands will number the lines in aleph.txt? (Select three.)
A. fmt aleph.txt
B. nl aleph.txt
C. cat -b aleph.txt
D. cat -n aleph.txt
E. od -nl aleph.txt
17. Which of the following commands will change all occurrences of dog in the file animals.txt to mutt in the screen display?
A. sed -s "dog" "mutt" animals.txt
B. grep -s "dog||mutt" animals.txt
C. sed 's/dog/mutt/g' animals.txt
D. cat animals.txt | grep -c "dog" "mutt"
E. fmt animals.txt | cut 'dog' > 'mutt'
18. You’ve received an ASCII text file (longlines.txt) that uses no carriage returns within paragraphs but two carriage returns between paragraphs. The result is that your preferred text editor displays each paragraph as a very long line. How can you reformat this file so that you can more easily edit it (or a copy)?
A. sed 's/Ctrl-M/NL/' longlines.txt
B. fmt longlines.txt > longlines2.txt
C. cat longlines.txt > longlines2.txt
D. pr longlines.txt > longlines2.txt
E. grep longlines.txt > longlines2.txt
19. Which of the following commands will print lines from the file world.txt that contain matches to changes and changed?
A. grep change[ds] world.txt
B. sed change[d-s] world.txt
C. od "change'd|s'" world.txt
D. cat world.txt changes changed
E. find world.txt "change(d|s)"
20. Which of the following regular expressions will match the strings dog, dug, and various other strings but not dig?
A. d.g
B. d[ou]g
C. d[o-u]g
D. di*g
E. d.ig
Chapter 2
Managing Software
THE FOLLOWING EXAM OBJECTIVES ARE COVERED IN THIS CHAPTER:
1.102.3 Manage shared libraries
1.102.4 Use Debian package management
1.102.5 Use RPM and Yum package management
1.103.5 Create, monitor, and kill processes
1.103.6 Modify process execution priorities
A Linux system is defined largely by the collection of software it contains. The Linux kernel, the libraries used by many packages, the shells used to interpret commands, the X Window System GUI, the servers, and more all make up the system’s software environment. Many of the chapters of this book are devoted to configuring specific software components, but they all have something in common: tools used to install, uninstall, upgrade, and otherwise manipulate the software. Ironically, this commonality is a major source of differences between Linux systems. Two major Linux package management tools exist: RPM Package Manager (RPM) and Debian packages. (Several less-common package management systems also exist.) With few exceptions, each individual Linux computer uses precisely one package management system, so you’ll need to know only one to administer a single system. To be truly fluent in all things Linux, though, you should be at least somewhat familiar with both of them. Thus, this chapter describes both.
This chapter also covers libraries—software components that can be used by many different programs. Libraries help reduce the disk space and memory requirements of complex programs, but they also require some attention; if that attention isn’t given to them, they can cause problems by their absence or because of incompatibilities between their and their dependent software’s versions.
Package management, and in some sense library management, relates to programs as files on your hard disk. Once run, though, programs are dynamic entities. Linux provides tools to help you manage running programs (known as processes)—you can learn what processes are running, change their priorities, and terminate processes you don’t want running.
Package Concepts
Before proceeding, you should understand some of the principles that underlie Linux package management tools. Any computer’s software is like a house of cards: One program may rely on multiple other programs or libraries, each of which relies on several more, and so on. The foundation on which all these programs rely is the Linux kernel. Any of these packages can theoretically be replaced by an equivalent one; however, doing so sometimes causes problems. Worse, removing one card from the stack could cause the whole house of cards to come tumbling down.
Linux package management tools are intended to help build and modify this house of cards by tracking what software is installed. The information that the system maintains helps avoid problems in several ways:
Packages: The most basic information that package systems maintain is information about software packages—that is, collections of files that are installed on the computer. Packages are usually distributed as single files that are similar to tarballs (archives created with the tar utility and usually compressed with gzip or bzip2) or zip files. Once installed, most packages consist of dozens or hundreds of files, and the package system tracks them all. Packages include additional information that aids in the subsequent duties of package management systems.
Installed File Database: Package systems maintain a database of installed files. The database includes information about every file installed via the package system, the name of the package to which each of those files belongs, and associated additional information.
Dependencies: One of the most important types of information maintained by the package system is dependency information—that is, the requirements of packages for one another. For instance, if SuperProg relies on UltraLib to do its work, the package database records this information. If you attempt to install SuperProg when UltraLib isn’t installed, the package system won’t let you do so. Similarly, if you try to uninstall UltraLib when SuperProg is installed, the package system won’t let you. (You can override these prohibitions, as described later in “Forcing the Installation.” Doing so is usually inadvisable, though.)
Checksums: The package system maintains checksums and assorted ancillary information about files. This information can be used to verify the validity of the installed software. This feature has its limits, though; it’s intended to help you spot disk errors, accidental overwriting of files, or other non-sinister problems. It’s of limited use in detecting intrusions, because an intruder could use the package system to install altered system software.
Upgrades and Uninstallation: By tracking files and dependencies, package systems permit easy upgrades and uninstallation: Tell the package system to upgrade or remove a package, and it will replace or remove every file in the package. Of course, this assumes that the upgrade or uninstallation doesn’t cause dependency problems; if it does, the package system will block the operation unless you override it.
Binary Package Creation: Both the RPM and Debian package systems provide tools to help create binary packages (those that are installed directly) from source code. This feature is particularly helpful if you’re running Linux on a peculiar CPU; you can download source code and create a binary package even if the developers didn’t provide explicit support for your CPU. Creating a binary package from source has advantages over compiling software from source in more conventional ways, because you can then use the package management system to track dependencies, attend to individual files, and so on.
Both the RPM and Debian package systems provide all of these basic features, although the details of their operation differ. These two package systems are incompatible with one another in the sense that their package files and their installed file databases are different; you can’t directly install an RPM package on a Debian-based system or vice versa. (Tools to convert between formats do exist, and developers are working on ways to better integrate the two package formats.)
Most distributions install just one package system. It’s possible to install more than one, though, and some programs (such as alien) require both for full functionality. Actually using both systems to install software is inadvisable because their databases are separate. If you install a library using a Debian package and then try to install an RPM package that relies on that library, RPM won’t realize that the library is already installed and will return an error.
Using RPM
The most popular package manager in the Linux world is the RPM Package Manager (RPM). RPM is also available on non-Linux platforms, although it sees less use outside the Linux world. The RPM system provides all the basic tools described in the preceding section, “Package Concepts,” such as a package database that allows for identifying conflicts and ownership of particular files.
RPM Distributions and Conventions
Red Hat developed RPM for its own distribution. Red Hat released the software under the General Public License (GPL), however, so others have been free to use it in their own distributions—and this is precisely what has happened. Some distributions, such as Mandriva (formerly Mandrake) and Yellow Dog, are based on Red Hat, so they use RPMs as well as many other parts of the Red Hat distribution. Others, such as SUSE, borrow less from the Red Hat template, but they do use RPMs. Of course, all Linux distributions share many common components, so even those that weren’t originally based on Red Hat are very similar to it in many ways other than their use of RPM packages. On the other hand, distributions that were originally based on Red Hat have diverged from it over time. As a result, the group of RPM-using distributions shows substantial variability, but all of them are still Linux distributions that provide the same basic tools, such as the Linux kernel, common shells, an X server, and so on.
Red Hat has splintered into three distributions: Fedora is the downloadable version favored by home users, students, and businesses on a tight budget. The Red Hat name is now reserved for the for-pay version of the distribution, known more formally as Red Hat Enterprise Linux (RHEL). CentOS is a freely redistributable version intended for enterprise users.
RPM is a cross-platform tool. As noted earlier, some non-Linux Unix systems can use RPM, although most don’t use it as their primary package-distribution system. RPM supports any CPU architecture. Red Hat Linux is or has been available for at least five CPUs: x86, x86-64 (aka AMD64, EM64T, and x64), IA-64, Alpha, and SPARC. Among the distributions mentioned earlier, Yellow Dog is a PowerPC distribution (it runs on Apple PowerPC-based Macs and some non-Apple systems), and SUSE is available on x86, x86-64, and PowerPC systems. For the most part, source RPMs are transportable across architectures—you can use the same source RPM to build packages for x86, AMD64, PowerPC, Alpha, SPARC, or any other platform you like. Some programs are composed of architecture-independent scripts and so need no recompilation. There are also documentation and configuration packages that work on any CPU.
The convention for naming RPM packages is as follows:
packagename-a.b.c-x.arch.rpm
Each of the filename components has a specific meaning:
Package Name: The first component (packagename) is the name of the package, such as samba or samba-server for the Samba file and print server. Note that the same program may be given different package names by different distribution maintainers.
Version Number: The second component (a.b.c) is the package version number, such as 3.6.5. The version number doesn’t have to be three period-separated numbers, but that’s the most common form. The program author assigns the version number.
Build Number: The number following the version number (x) is the build number (also known as the release number). This number represents minor changes made by the package maintainer, not by the program author. These changes may represent altered startup scripts or configuration files, changed file locations, added documentation, or patches appended to the original program to fix bugs or to make the program more compatible with the target Linux distribution. Many distribution maintainers add a letter code to the build number to distinguish their packages from those of others. Note that these numbers are not comparable across package maintainers—George’s build number 5 of a package is not necessarily an improvement on Susan’s build number 4 of the same package.
Architecture: The final component preceding the .rpm extension (arch) is a code for the package’s architecture. The i386 architecture code is common; it represents a file compiled for any x86 CPU from the 80386 onward. Some packages include optimizations for Pentiums or newer (i586 or i686), and non-x86 binary packages use codes for their CPUs, such as ppc for PowerPC CPUs or x86_64 for the x86-64 platform. Scripts, documentation, and other CPU-independent packages generally use the noarch architecture code. The main exception to this rule is source RPMs, which use the src architecture code.
As an example of RPM version numbering, the Fedora 17 distribution for x86-64 ships with a Samba package called samba-3.6.5-86.fc17.1.x86_64.rpm, indicating that this is build 86.fc17.1 of Samba 3.6.5, compiled with x86-64 optimizations. These naming conventions are just that, though—conventions. It’s possible to rename a package however you like, and it will still install and work. The information in the filename is retained within the package. This fact can be useful if you’re ever forced to transfer RPMs using a medium that doesn’t allow for long filenames. In fact, early versions of SUSE eschewed long filenames, preferring short filenames such as samba.rpm.
In an ideal world, any RPM package will install and run on any RPM-based distribution that uses an appropriate CPU type. Unfortunately, compatibility issues can crop up from time to time, including the following:
Distributions may use different versions of the RPM utilities. This problem can completely prevent an RPM from one distribution from being used on another.
An RPM package designed for one distribution may have dependencies that are unmet in another distribution. A package may require a newer version of a library than is present on the distribution you’re using, for instance. This problem can usually be overcome by installing or upgrading the depended-on package, but sometimes doing so causes problems because the upgrade may break other packages. By rebuilding the package you want to install from a source RPM, you can often work around these problems, but sometimes the underlying source code also needs the upgraded libraries.
An RPM package may be built to depend on a package of a particular name, such as samba-client depending on samba-common; but if the distribution you’re using has named the package differently, the rpm utility will object. You can override this objection by using the --nodeps switch, but sometimes the package won’t work once installed. Rebuilding from a source RPM may or may not fix this problem.
Even when a dependency appears to be met, different distributions may include slightly different files in their packages. For this reason, a package meant for one distribution may not run correctly when installed on another distribution. Sometimes installing an additional package will fix this problem.
Some programs include distribution-specific scripts or configuration files. This problem is particularly acute for servers, which may include startup scripts that go in /etc/rc.d/init.d or elsewhere. Overcoming this problem usually requires that you remove the offending script after installing the RPM and either start the server in some other way or write a new startup script, perhaps modeled after one that came with some other server for your distribution.
In most cases, it’s best to use the RPMs intended for your distribution. RPM meta-packagers, such as the Yellow Dog Updater, Modified (Yum), can simplify locating and installing packages designed for your distribution. If you’re forced to go outside of your distribution’s officially supported list of packages, mixing and matching RPMs from different distributions usually works reasonably well for most programs. This is particularly true if the distributions are closely related or you rebuild from a source RPM. If you have trouble with an RPM, though, you may do well to try to find an equivalent package that was built with your distribution in mind.
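The naming convention described in this section (packagename-a.b.c-x.arch.rpm) can be split mechanically, as in the following added example, which is not from the book. The function names are this example's own, and samba-server-3.6.5-1.noarch.rpm is a constructed filename used to show a hyphenated package name.

```shell
#!/bin/sh
# Added example, not from the book. Function names are this example's own.

# parse_rpm_filename FILE
# Prints "name version release arch" for a conventionally named RPM file.
# It works from the right-hand end because the package name may itself
# contain hyphens and the build (release) number may contain periods.
parse_rpm_filename() {
    file=${1##*/}                       # drop any leading directory
    case $file in
        *.rpm) base=${file%.rpm} ;;
        *) echo "not an .rpm filename: $file" >&2; return 1 ;;
    esac
    case $base in
        *-*-*.*) ;;                     # need name-version-release.arch
        *) echo "does not follow the naming convention: $file" >&2
           return 1 ;;
    esac
    arch=${base##*.}                    # text after the last period
    rest=${base%.*}
    release=${rest##*-}                 # text after the last hyphen
    rest=${rest%-*}
    version=${rest##*-}                 # text after the next hyphen
    name=${rest%-*}                     # whatever remains is the name
    if [ -z "$name" ] || [ -z "$version" ] || [ -z "$release" ] \
       || [ -z "$arch" ]; then
        echo "empty component in: $file" >&2
        return 1
    fi
    printf '%s %s %s %s\n' "$name" "$version" "$release" "$arch"
}

# is_source_rpm FILE
# Succeeds when the architecture code in the filename is "src".
is_source_rpm() {
    fields=$(parse_rpm_filename "$1" 2>/dev/null) || return 1
    [ "${fields##* }" = "src" ]
}

# Demonstration: the two Samba filenames used in this chapter, one
# constructed filename with a hyphenated package name, and a renamed file.
for f in samba-3.6.5-86.fc17.1.x86_64.rpm \
         samba-3.6.5-86.fc17.1.src.rpm \
         samba-server-3.6.5-1.noarch.rpm \
         samba.rpm; do
    parse_rpm_filename "$f" 2>/dev/null \
        || echo "$f: filename carries no version information"
done
```

A renamed file such as samba.rpm cannot be parsed this way, because the filename is only a convention; the information retained within the package can be read with rpm -qip.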
The rpm Command Set
The main RPM utility program is known as rpm. Use this program to install or upgrade a package at the shell prompt. The rpm command has the following syntax:
rpm [operation][options] [package-files|package-names]
Table 2.1 summarizes the most common rpm operations, and Table 2.2 summarizes the most important options. Be aware, however, that rpm is a complex tool, so this listing is necessarily incomplete. For information about operations and options more obscure than those listed in Tables 2.1 and 2.2, see the man pages for rpm. Many of rpm’s less-used features are devoted to the creation of RPM packages by software developers.
TABLE 2.1 Common rpm operations
Operation        Description
-i               Installs a package; system must not contain a package of the same name
-U               Installs a new package or upgrades an existing one
-F or --freshen  Upgrades a package only if an earlier version already exists
-q               Queries a package—finds whether a package is installed, what files it contains, and so on
-V or --verify   Verifies a package—checks that its files are present and unchanged since installation
-e               Uninstalls a package
-b               Builds a binary package, given source code and configuration files; moved to the rpmbuild program with RPM version 4.2
--rebuild        Builds a binary package, given a source RPM file; moved to the rpmbuild program with RPM version 4.2
--rebuilddb      Rebuilds the RPM database to fix errors
TABLE 2.2 Most-important rpm options
Option                  Used with operations  Description
--root dir              Any                   Modifies the Linux system having a root directory located at dir. This option can be used to maintain one Linux installation discrete from another one (say, during OS installation or emergency maintenance).
--force                 -i, -U, -F            Forces installation of a package even when it means overwriting existing files or packages.
-h or --hash            -i, -U, -F            Displays a series of hash marks (#) to indicate the progress of the operation.
-v                      -i, -U, -F            Used in conjunction with the -h option to produce a uniform number of hash marks for each package.
--nodeps                -i, -U, -F, -e        Specifies that no dependency checks be performed. Installs or removes the package even if it relies on a package or file that’s not present or is required by a package that’s not being uninstalled.
--test                  -i, -U, -F            Checks for dependencies, conflicts, and other problems without actually installing the package.
--prefix path           -i, -U, -F            Sets the installation directory to path (works only for some packages).
-a or --all             -q, -V                Queries or verifies all packages.
-f file or --file file  -q, -V                Queries or verifies the package that owns file.
-p package-file         -q                    Queries the uninstalled RPM package-file.
-i                      -q                    Displays package information, including the package maintainer, a short description, and so on.
-R or --requires        -q                    Displays the packages and files on which this one depends.
-l or --list            -q                    Displays the files contained in the package.
To use rpm, you combine one operation with one or more options. In most cases, you include one or more package names or package filenames as well. (A package filename is a complete filename, but a package name is a shortened version. For instance, a package filename might be samba-3.6.5-86.fc17.1.x86_64.rpm, whereas the matching package name is samba.) You can issue the rpm command once for each package, or you can list multiple packages, separated by spaces, on the command line. The latter is often preferable when you’re installing or removing several packages, some of which depend on others in the group. Issuing separate commands in this situation requires that you install the depended-on package first or remove it last, whereas issuing a single command allows you to list the packages on the command line in any order.
Some operations require that you give a package filename, and others require a package name. In particular, -i, -U, -F, and the rebuild operations require package filenames; -q, -V, and -e normally take a package name, although the -p option can modify a query (-q) operation to work on a package filename.
When you’re installing or upgrading a package, the -U operation is generally the most useful because it enables you to install the package without manually uninstalling the old one. This one-step operation is particularly helpful when packages contain many dependencies; rpm detects these and can perform the operation should the new package fulfill the dependencies provided by the old one.
To use rpm to install or upgrade a package, issue a command similar to the following:
# rpm -Uvh samba-3.6.5-86.fc17.1.x86_64.rpm
You can also use rpm -ivh in place of rpm -Uvh if you don’t already have a samba package installed.
It’s possible to distribute the same program under different names. In this situation, upgrading may fail or it may produce a duplicate installation, which can yield bizarre program-specific malfunctions. Red Hat has described a formal system for package naming to avoid such problems, but they still occur occasionally. Therefore, it’s best to upgrade a package using a subsequent release provided by the same individual or organization that provided the original.
Verify that the package is installed with the rpm -qi command, which displays information such as when and on what computer the binary package was built. Listing 2.1 demonstrates this command. (rpm -qi also displays an extended plain-English summary of what the package is, which has been omitted from Listing 2.1.)
Listing 2.1: RPM query output
$ rpm -qi samba
Name         : samba
Epoch        : 2
Version      : 3.6.5
Release      : 86.fc17.1
Architecture : x86_64
Install Date : Mon 16 Jul 2012 12:28:51 PM EDT
Group        : System Environment/Daemons
Size         : 18503445
License      : GPLv3+ and LGPLv3+
Signature    : RSA/SHA256, Fri 04 May 2012 11:03:50 AM EDT, Key ID 50e94c991aca3465
Source RPM   : samba-3.6.5-86.fc17.1.src.rpm
Build Date   : Fri 04 May 2012 08:42:51 AM EDT
Build Host   : x86-06.phx2.fedoraproject.org
Relocations  : (not relocatable)
Packager     : Fedora Project
Vendor       : Fedora Project
URL          : http://www.samba.org/
Summary      : Server and Client software to interoperate with Windows machines
ExtractingDatafromRPMsOccasionallyyoumaywant toextractdatafromRPMswithout installingthepackage.Forinstance,thiscanbeagoodway to retrieve theoriginal sourcecode fromasourceRPMforcompiling thesoftwarewithoutthehelpoftheRPMtoolsortoretrievefontsorothernon-programdataforuseonanon-RPMsystem.RPM files are actually modified cpio archives. Thus, converting the files into cpio files is
relativelystraightforward,whereuponyoucanusecpiotoretrievetheindividualfiles.Todothisjob,youneedtousetherpm2cpioprogram,whichshipswithmostLinuxdistributions.(Youcanusethistoolevenondistributionsthatdon’tuseRPM.)Thisprogramtakesasingleargument—thenameofthe RPM file—and outputs the cpio archive on standard output. So, if you want to create a cpioarchivefile,youmustredirecttheoutput:$rpm2cpiosamba-3.6.5-86.fc17.1.src.rpm>samba-3.6.5-86.fc17.1.src.cpio
Theredirectionoperator(>)isdescribedinmoredetailinChapter1,“ExploringLinuxCommand-LineTools,”asisthepipeoperator(|),whichismentionedshortly.Chapter4,“ManagingFiles,”describescpioinmoredetail.
Youcan then extract thedatausingcpio,which takes the-i option to extract an archive and--make-directoriestocreatedirectories:$cpio-i--make-directories<samba-3.6.5-86.fc17.1.src.cpio
Alternatively, you can use a pipe to link these two commands together without creating anintermediaryfile:$rpm2cpiosamba-3.6.5-86.fc17.1.src.rpm|cpio-i--make-directories
Ineithercase,theresultisanextractionofthefilesinthearchiveinthecurrentdirectory.Inthecaseofbinarypackages, thisis likelytobeaseriesofsubdirectoriesthatmimicthelayoutoftheLinuxrootdirectory—thatis,usr,lib,etc,andsoon,althoughpreciselywhichdirectoriesareincludeddependson thepackage.Forasourcepackage, theresultof theextractionprocess is likely tobeasource code tarball, a .spec file (which holds information RPM uses to build the package), andperhapssomepatchfiles.
When you’re extracting data from an RPM file using rpm2cpio and cpio, create a holding subdirectory and then extract the data into this subdirectory. This practice will ensure that you can find all the files. If you extract files in your home directory, some of them may get lost amidst your other files. If you extract files as root in the root (/) directory, they could conceivably overwrite files that you want to keep.
Another option for extracting data from RPMs is to use alien, which is described later in “Converting Between Package Formats.” This program can convert an RPM into a Debian package or a tarball.
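The holding-directory practice described above, as an added shell example that is not from the original text: it lists the archive members first, refuses to extract if any member has an absolute path or a .. component, and only then unpacks into a fresh directory. The function names unsafe_members and extract_rpm are hypothetical, and the --no-absolute-filenames option assumes GNU cpio.

```shell
#!/bin/sh
# Added example (hypothetical helper names): extract an RPM payload into a
# fresh holding directory after checking where its members would land.

# unsafe_members reads a member listing on standard input (one path per line,
# as printed by "cpio -t") and prints every entry that could be written
# outside the holding directory: absolute paths and paths with a ".." component.
unsafe_members() {
    awk '
        /^\// { print; next }                  # absolute path
        {
            n = split($0, part, "/")
            for (i = 1; i <= n; i++)
                if (part[i] == "..") { print; next }
        }
    '
}

# extract_rpm RPMFILE
# Prints the directory holding the extracted files. Returns 1 if the archive
# contains unsafe member paths and 2 on any other failure.
extract_rpm() {
    rpm_file=$1
    [ -f "$rpm_file" ] || { echo "no such file: $rpm_file" >&2; return 2; }
    for tool in rpm2cpio cpio; do
        command -v "$tool" >/dev/null 2>&1 ||
            { echo "$tool not found" >&2; return 2; }
    done

    # A new, empty holding directory, so nothing already on disk can be
    # overwritten and every extracted file is easy to find afterwards.
    holding=$(mktemp -d "${TMPDIR:-/tmp}/rpm-extract.XXXXXX") || return 2
    archive=$holding/payload.cpio
    rpm2cpio "$rpm_file" > "$archive" || return 2

    # Inspect the member names before anything is unpacked.
    bad=$(cpio -t < "$archive" 2>/dev/null | unsafe_members)
    if [ -n "$bad" ]; then
        echo "refusing to extract; unsafe member paths:" >&2
        printf '%s\n' "$bad" >&2
        return 1
    fi

    mkdir "$holding/files" &&
        ( cd "$holding/files" &&
          cpio -i --make-directories --no-absolute-filenames < "$archive" ) ||
        return 2
    printf '%s\n' "$holding/files"
}

# Stand-alone use: sh thisfile.sh package.rpm
if [ "$#" -eq 1 ]; then
    extract_rpm "$1"
fi
```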
Using Yum
Yum (http://yum.baseurl.org), mentioned earlier, is one of several meta-packagers—it enables you to easily install a package and all its dependencies using a single command line. When using Yum, you don’t even need to locate and download the package files, because Yum does this for you by searching in one or more repositories—Internet sites that host RPM files for a particular distribution.
Yum originated with the fairly obscure Yellow Dog Linux distribution, but it’s since been adopted by Red Hat, CentOS, Fedora, and some other RPM-based distributions. Yum isn’t used by all RPM-based distributions, though; SUSE and Mandriva, to name just two, each use their own meta-packagers. Debian-based distributions generally employ the Advanced Package Tools (APT), as described later in “Using apt-get.” Nonetheless, because of the popularity of Red Hat, CentOS, and Fedora, knowing Yum can be valuable.
The most basic way to use Yum is with the yum command, which has the following syntax:
yum [options] [command] [package...]
Which options are available depend on the command you use. Table 2.3 describes common yum commands.
TABLE 2.3 Common yum commands
Command | Description
install | Installs one or more packages by package name. Also installs dependencies of the specified package or packages.
update | Updates the specified package or packages to the latest available version. If no packages are specified, yum updates every installed package.
check-update | Checks to see whether updates are available. If they are, yum displays their names, versions, and repository area (updates or extras, for instance).
upgrade | Works like update with the --obsoletes flag set, which handles obsolete packages in a way that’s superior when performing a distribution version upgrade.
remove or erase | Deletes a package from the system; similar to rpm -e, but yum also removes depended-on packages.
list | Displays information about a package, such as the installed version and whether an update is available.
provides or whatprovides | Displays information about packages that provide a specified program or feature. For instance, typing yum provides samba lists all the Samba-related packages, including every available update. Note that the output can be copious.
search | Searches package names, summaries, packagers, and descriptions for a specified keyword. This is useful if you don’t know a package’s name but can think of a word that’s likely to appear in one of these fields but not in these fields for other packages.
info | Displays information about a package, similar to the rpm -qi command.
clean | Cleans up the Yum cache directory. Running this command from time to time is advisable, lest downloaded packages chew up too much disk space.
shell | Enters the Yum shell mode, in which you can enter multiple Yum commands one after another.
resolvedep | Displays packages matching the specified dependency.
localinstall | Installs the specified local RPM files, using your Yum repositories to resolve dependencies.
localupdate | Updates the system using the specified local RPM files, using your Yum repositories to resolve dependencies. Packages other than those updated by local files and their dependencies are not updated.
deplist | Displays dependencies of the specified package.
In most cases, using Yum is easier than using RPM directly to manage packages, because Yum finds the latest available package, downloads it, and installs any required dependencies. Yum has its limits, though; it’s only as good as its repositories, so it can’t install software that’s not stored in those repositories.
If you use Yum to automatically upgrade all packages on your system, you’re effectively giving control of your system to the distribution maintainer. Although Red Hat or other distribution maintainers are unlikely to try to break into your computer in this way, an automatic update with minimal supervision on your part could easily break something on your system, particularly if you’ve obtained packages from unusual sources in the past.
If you don’t want to install the package but merely want to obtain it, you can use yumdownloader. Type this command followed by the name of a package, and the latest version of the package will be downloaded to the current directory. This can be handy if you need to update a system that’s not connected to the Internet; you can use another computer that runs the same distribution to obtain the packages and then transfer them to the target system.
If you prefer to use GUI tools rather than command-line tools, you should be aware that GUI front-ends to yum exist. Examples include yumex and kyum. You can use the text-mode yum to install these front-ends, as in yum install kyum.
Exercise 2.1 runs you through the process of managing packages using the rpm utility.
EXERCISE 2.1
Managing Packages Using RPM
To manage packages using the rpm utility, follow these steps:
1. Log into the Linux system as a normal user.
2. Acquire a package to use for testing purposes. You can try using a package from your distribution that you know you haven’t installed; but if you try a random package, you may find it’s already installed or has unmet dependencies. This lab uses as an example the installation of zsh-4.3.17-1.fc17.x86_64.rpm, a shell that’s not installed by default on most systems, from the Fedora 17 DVD onto a Fedora 17 system. You must adjust the commands as necessary if you use another RPM file in your tests.
3. Launch an xterm from the desktop environment’s menu system if you used a GUI login.
4. Acquire root privileges. You can do this by typing su in an xterm, by selecting Session New Root Console from a Konsole window, or by using sudo (if it’s configured) to run the commands in the following steps.
5. Type rpm -q zsh to verify that the package isn’t currently installed. The system should respond with the message package zsh is not installed.
6. Type rpm -qpi zsh-4.3.17-1.fc17.x86_64.rpm. (You’ll need to provide a complete path to the package file if it’s not in your current directory.) The system should respond by displaying information about the package, such as the version number, the vendor, the hostname of the machine on which it was built, and a package description.
7. Type rpm -ivh zsh-4.3.17-1.fc17.x86_64.rpm. The system should install the package and display a series of hash marks (#) as it does so.
8. Type rpm -q zsh. The system should respond with the complete package name, including the version and build numbers. This response verifies that the package is installed.
9. Type zsh. This launches a Z shell, which functions much like the more common bash and tcsh shells. You’re likely to see your command prompt change, but you can issue most of the same commands you can use with bash or tcsh.
10. Type rpm -V zsh. The system shouldn’t produce any output—just a new command prompt. The verify (-V or --verify) command checks the package files against data stored in the database. Immediately after installation, most packages should show no deviations. (A handful of packages will be modified during installation, but zsh isn’t one of them.)
11. Type rpm -e zsh. The system shouldn’t produce any output—just a new command prompt. This command removes the package from the system. Note that you’re removing the zsh package while running the zsh program. Linux continues to run the zsh program you’re using, but you’ll be unable to launch new instances of the program. Some programs may misbehave if you do this because files will be missing after you remove the package.
12. Type exit to exit zsh and return to your normal shell.
13. Type rpm -q zsh. The system should respond with a package zsh is not installed error because you’ve just uninstalled the package.
14. Type yum install zsh. The system should check your repositories, download zsh, and install it. It will ask for confirmation before beginning the download.
15. Type rpm -q zsh. The results should be similar to those in step 8, although the version number may differ.
16. Type rpm -e zsh. This step removes zsh from the system but produces no output, just as in step 11.
The final three steps will work only if your distribution uses Yum. If you’re using a distribution that uses another tool, you may be able to locate and use its equivalent, such as zypper for SUSE.
RPM and Yum Configuration Files
Ordinarily, you needn’t explicitly configure RPM or Yum; distributions that use RPM configure it in reasonable ways by default. Sometimes, though, you may want to tweak a few details, particularly if you routinely build source RPM packages and want to optimize the output for your computer. You may also want to add a Yum repository for some unusual software you run. To do so, you typically edit an RPM or Yum configuration file.
The main RPM configuration file is /usr/lib/rpm/rpmrc. This file sets a variety of options, mostly related to the CPU optimizations used when compiling source packages. You shouldn’t edit this file, though; instead, you should create and edit /etc/rpmrc (to make global changes) or ~/.rpmrc (to make changes on a per-user basis). The main reason to create such a file is to implement architecture optimizations—for instance, to optimize your code for your CPU model by passing appropriate compiler options when you build a source RPM into a binary RPM. This is done with the optflags line:
optflags: athlon -O2 -g -march=i686
This line tells RPM to pass the -O2 -g -march=i686 options to the compiler whenever building for the athlon platform. Although RPM can determine your system’s architecture, the optflags line by itself isn’t likely to be enough to set the correct flags. Most default rpmrc files include a series of buildarchtranslate lines that cause rpmbuild (or rpm for older versions of RPM) to use one set of optimizations for a whole family of CPUs. For x86 systems, these lines typically look like this:
buildarchtranslate: athlon: i386
buildarchtranslate: i686: i386
buildarchtranslate: i586: i386
buildarchtranslate: i486: i386
buildarchtranslate: i386: i386
These lines tell RPM to translate the athlon, i686, i586, i486, and i386 CPU codes to use the i386 optimizations. This effectively defeats the purpose of any CPU-specific optimizations you create on the optflags line for your architecture, but it guarantees that the RPMs you build will be maximally portable. To change matters, you must alter the line for your CPU type, as returned when you type uname -p. For instance, on an Athlon-based system, you might enter the following line:
buildarchtranslate: athlon: athlon
Thereafter, when you rebuild a source RPM, the system will use the appropriate Athlon optimizations. The result can be a slight performance boost on your own system, but reduced portability—depending on the precise optimizations you choose, such packages may not run on non-Athlon CPUs. (Indeed, you may not even be able to install them on non-Athlon CPUs!)
Yum is configured via the /etc/yum.conf file, with additional configuration files in the /etc/yum.repos.d/ directory. The yum.conf file holds basic options, such as the directory to which Yum downloads RPMs and where Yum logs its activities. Chances are you won’t need to modify this file. The /etc/yum.repos.d/ directory, on the other hand, potentially holds several files, each of which describes a Yum repository—that is, a site that holds RPMs that may be installed via Yum. You probably shouldn’t directly edit these files; instead, if you want to add a repository, you should manually download the RPM that includes the repository configuration and install it using rpm. The next time you use Yum, it will access your new repository along with the old ones. Several Yum repositories exist, mostly for Red Hat, CentOS, and Fedora, such as the following:
Livna: This repository (http://rpm.livna.org/) hosts multimedia tools, such as additional codecs and video drivers.
KDE Red Hat: Red Hat, CentOS, and Fedora favor the GNU Network Object Model Environment (GNOME) desktop environment, although they ship with the K Desktop Environment (KDE), too. The repository at http://kde-redhat.sourceforge.net provides improved KDE RPMs for those who favor KDE.
Fresh RPMs: This repository (http://freshrpms.net) provides additional RPMs, mostly focusing on multimedia applications and drivers.
Many additional repositories exist. Try a Web search on terms such as yum repository, or check the Web page of any site that hosts unusual software you want to run to see whether it provides a Yum repository. If so, it should provide an RPM or other instructions on adding its site to your Yum repository list.
RPM Compared to Other Package Formats
RPM is a very flexible package management system. In most respects, it’s comparable to Debian’s package manager, and it offers many more features than tarballs do. When compared to Debian packages, the greatest strength of RPMs is probably their ubiquity. Many software packages are available in RPM form from their developers and/or from distribution maintainers.
Distribution packagers frequently modify the original programs in order to make them integrate more smoothly into the distribution as a whole. For instance, distribution-specific startup scripts may be added, program binaries may be relocated from default /usr/local subdirectories, and program source code may be patched to fix bugs or add features. Although these changes can be useful, you may not want them, particularly if you’re using a program on a distribution other than the one for which the package was intended.
The fact that there are so many RPM-based distributions can be a boon. You may be able to use an RPM intended for one distribution on another, although as noted earlier, this isn’t certain. In fact, this advantage can turn into a drawback if you try to mix and match too much—you can wind up with a mishmash of conflicting packages that can be difficult to disentangle.
The RPM Find Web site, http://rpmfind.net, is an extremely useful resource when you want to find an RPM of a specific program. Another site with similar characteristics is Fresh RPMs, http://freshrpms.net. These sites include links to RPMs built by programs’ authors, specific distributions’ RPMs, and those built by third parties. Adding such sites as Yum repositories can make them even easier to use.
Compared to tarballs, RPMs offer much more sophisticated package management tools. This can be important when you’re upgrading or removing packages and also for verifying the integrity of installed packages. On the other hand, although RPMs are common in the Linux world, they’re less common on other platforms. Therefore, you’re more likely to find tarballs of generic Unix source code, and tarballs are preferred if you’ve written a program that you intend to distribute for other platforms.
Using Debian Packages
In their overall features, Debian packages are similar to RPMs; but the details of operation for each differ, and Debian packages are used on different distributions than are RPMs. Because each system uses its own database format, RPMs and Debian packages aren’t interchangeable without converting formats. Using Debian packages requires knowing how to use the dpkg, dselect, and apt-get commands. A few other commands can also be helpful.
Debian Distributions and Conventions
As the name implies, Debian packages originated with the Debian distribution. Since that time, the format has been adopted by several other distributions, including Ubuntu, Linux Mint, and Xandros. Such distributions are derived from the original Debian, which means that packages from the original Debian are likely to work well on other Debian-based systems. Although Debian doesn’t emphasize flashy GUI configuration tools, its derivatives tend to be more GUI-centric, which makes these distributions more appealing to Linux novices. The original Debian favors a system that’s as bug-free as possible, and it tries to adhere strictly to open source software principles rather than invest effort in GUI configuration tools. The original Debian is unusual in that it’s maintained not by a company that is motivated by profit, but rather by volunteers who are motivated by the desire to build a product they want to use.
Like RPM, the Debian package format is neutral with respect to both OS and CPU type. Debian packages are extremely rare outside Linux, although various systems that used the Debian package system and software library atop non-Linux kernels have been attempted, and largely abandoned, with the exception of kFreeBSD (http://www.debian.org/ports/kfreebsd-gnu/).
The original Debian distribution has been ported to many different CPUs, including x86, x86-64, IA-64, ARM, PowerPC, Alpha, 680x0, MIPS, and SPARC. The original architecture was x86, and subsequent ports exist at varying levels of maturity. Derivative distributions generally work only on x86 or x86-64 systems, but this could change in the future.
Debian packages follow a naming convention similar to that for RPMs; but Debian packages sometimes omit codes in the filename to specify a package’s architecture, particularly on x86 packages. When these codes are present, they may differ from RPM conventions. For instance, a filename ending in i386.deb indicates an x86 binary, powerpc.deb is a PowerPC binary, and all.deb indicates a CPU-independent package, such as documentation or scripts. As with RPM files, this file-naming convention is only that—a convention. You can rename a file as you see fit, to either include or omit the processor code. There is no code for Debian source packages because, as described in the upcoming section “Debian Packages Compared to Other Package Formats,” Debian source packages consist of several separate files.
The dpkg Command Set
Debian packages are incompatible with RPM packages, but the basic principles of operation are the same across both package types. Like RPMs, Debian packages include dependency information, and the Debian package utilities maintain a database of installed packages, files, and so on. You use the dpkg command to install a Debian package. This command’s syntax is similar to that of rpm:
dpkg [options] [action] [package-files|package-name]
The action is the action to be taken; common actions are summarized in Table 2.4. The options (Table 2.5) modify the behavior of the action, much like the options to rpm.
TABLE 2.4 dpkg primary actions
Action | Description
-i or --install | Installs a package
--configure | Reconfigures an installed package: runs the post-installation script to set site-specific options
-r or --remove | Removes a package but leaves configuration files intact
-P or --purge | Removes a package, including configuration files
--get-selections | Displays currently installed packages
-p or --print-avail | Displays information about an installed package
-I or --info | Displays information about an uninstalled package file
-l pattern or --list pattern | Lists all installed packages whose names match pattern
-L or --listfiles | Lists the installed files associated with a package
-S pattern or --search pattern | Locates the package(s) that own the file(s) specified by pattern
-C or --audit | Searches for partially installed packages and suggests what to do with them
TABLE 2.5 Options for fine-tuning dpkg actions
Option | Used with actions | Description
--root=dir | All | Modifies the Linux system using a root directory located at dir. Can be used to maintain one Linux installation discrete from another one, say during OS installation or emergency maintenance.
-B or --auto-deconfigure | -r | Disables packages that rely on one that is being removed.
--force-things | Assorted | Overrides defaults that would ordinarily cause dpkg to abort. Consult the dpkg man page for details of things this option does.
--ignore-depends=package | -i, -r | Ignores dependency information for the specified package.
--no-act | -i, -r | Checks for dependencies, conflicts, and other problems without actually installing or removing the package.
--recursive | -i | Installs all packages that match the package-name wildcard in the specified directory and all subdirectories.
-G | -i | Doesn’t install the package if a newer version of the same package is already installed.
-E or --skip-same-version | -i | Doesn’t install the package if the same version of the package is already installed.
As with rpm, dpkg expects a package name in some cases and a package filename in others. Specifically, --install (-i) and --info (-I) both require the package filename, but the other commands take the shorter package name.
As an example, consider the following command, which installs the samba_2:3.6.3-2ubuntu2.3_amd64.deb package:
# dpkg -i samba_2:3.6.3-2ubuntu2.3_amd64.deb
If you’re upgrading a package, you may need to remove an old package before installing the new one. To do this, use the -r option to dpkg, as in the following:
# dpkg -r samba
To find information about an installed package, use the -p parameter to dpkg, as shown in Listing 2.2. This listing omits an extended English description of what the package does.
Listing 2.2: dpkg package information query output
$ dpkg -p samba
Package: samba
Priority: optional
Section: net
Installed-Size: 22862
Maintainer: Ubuntu Developers <[email protected]>
Architecture: amd64
Version: 2:3.6.3-2ubuntu2.3
Replaces: samba-common (<= 2.0.5a-2)
Depends: samba-common (= 2:3.6.3-2ubuntu2.3), libwbclient0
 (= 2:3.6.3-2ubuntu2.3), libacl1 (>= 2.2.51-5), libattr1 (>= 1:2.4.46-5),
 libc6 (>= 2.15), libcap2 (>= 2.10), libcomerr2 (>= 1.01), libcups2
 (>= 1.4.0), libgssapi-krb5-2 (>= 1.10+dfsg~), libk5crypto3 (>= 1.6.dfsg.2),
 libkrb5-3 (>= 1.10+dfsg~), libldap-2.4-2 (>= 2.4.7), libpam0g
 (>= 0.99.7.1), libpopt0 (>= 1.14), libtalloc2 (>= 2.0.4~git20101213),
 libtdb1 (>= 1.2.7+git20101214), zlib1g (>= 1:1.1.4), debconf (>= 0.5)
 | debconf-2.0, upstart-job, libpam-runtime (>= 1.0.1-11),
 libpam-modules, lsb-base (>= 3.2-13), procps, update-inetd,
 adduser, samba-common-bin
Recommends: logrotate, tdb-tools
Suggests: openbsd-inetd | inet-superserver, smbldap-tools, ldb-tools,
 ctdb, ufw
Conflicts: samba4 (<< 4.0.0~alpha6-2)
Size: 8042012
Debian-based systems often use a pair of somewhat higher-level utilities, apt-get and dselect, to handle package installation and removal. These utilities are described later in “Using apt-get” and “Using dselect, aptitude, and Synaptic.” Their interfaces can be very useful when you want to install several packages, but dpkg is often more convenient when you’re manipulating just one or two packages. Because dpkg can take package filenames as input, it’s also the preferred method of installing a package that you download from an unusual source or create yourself.
Using apt-cache
The APT suite of tools includes a program, apt-cache, that’s intended solely to provide information about the Debian package database (known in Debian terminology as the package cache). You may be interested in using several features of this tool:
Display Package Information: Using the showpkg subcommand, as in apt-cache showpkg samba, displays information about the package. The information displayed is different from that returned by dpkg’s informational actions.
Display Package Statistics: You can learn how many packages you’ve installed, how many dependencies are recorded, and various other statistics about the package database by passing the stats subcommand, as in apt-cache stats.
Find Unmet Dependencies: If a program is reporting missing libraries or files, typing apt-cache unmet may help; this function of apt-cache returns information about unmet dependencies, which may help you track down the source of missing-file problems.
Display Dependencies: Using the depends subcommand, as in apt-cache depends samba, shows all of the specified package’s dependencies. This information can be helpful in tracking down dependency-related problems. The rdepends subcommand finds reverse dependencies—packages that depend on the one you specify.
Locate All Packages: The pkgnames subcommand displays the names of all the packages installed on the system. If you include a second parameter, as in apt-cache pkgnames sa, the program returns only those packages that begin with the specified string.
Several more subcommands and options exist, but these are the ones you’re most likely to use. Several apt-cache subcommands are intended for package maintainers and debugging serious package database problems rather than day-to-day system administration. Consult the man page for apt-cache for more information.
Using apt-get
APT, with its apt-get utility, is Debian’s equivalent to Yum on certain RPM-based distributions. This meta-packaging tool enables you to perform easy upgrades of packages, especially if you have a fast Internet connection. Debian-based systems include a file, /etc/apt/sources.list, that specifies locations from which important packages can be obtained. If you installed the OS from a CD-ROM drive, this file will initially list directories on the installation CD-ROM in which packages can be found. There are also likely to be a few lines near the top, commented out with hash marks (#), indicating directories on an FTP site or a Web site from which you can obtain updated packages. (These lines may be uncommented if you did a network install initially.)
Don’t add a site to /etc/apt/sources.list unless you’re sure it can be trusted. The apt-get utility does automatic and semiautomatic upgrades, so if you add a network source to sources.list and that source contains unreliable programs or programs with security holes, your system will become vulnerable after upgrading via apt-get.
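One way to review /etc/apt/sources.list before trusting it, as an added shell example rather than anything shipped with APT: it reports active network sources whose host is not on a list you have reviewed, and entries carrying the trusted=yes option, which tells APT to accept the source even when authentication fails. The function names, the sample file, and the host names in it are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit APT sources against a list of reviewed mirror hosts.

# sample_sources prints a constructed sources.list (not from a real system).
sample_sources() {
    cat <<'EOF'
# constructed sample
deb cdrom:[Ubuntu 12.04 LTS _Precise Pangolin_]/ precise main restricted
deb http://archive.ubuntu.com/ubuntu precise main restricted
# deb http://old.example.org/ubuntu precise main
deb-src http://archive.ubuntu.com/ubuntu precise main
deb http://packages.example.net:8080/debian stable main
deb [arch=amd64 trusted=yes] http://archive.ubuntu.com/ubuntu precise universe
EOF
}

# audit_sources FILE "host1 host2 ..."
# FILE may be "-" for standard input. Prints one finding per line as
# "LINE FINDING HOST" and returns 1 if there was any finding, 0 otherwise.
audit_sources() {
    awk -v allowed="$2" '
        BEGIN {
            n = split(allowed, list, " ")
            for (i = 1; i <= n; i++) reviewed[list[i]] = 1
        }
        /^[ \t]*#/ || NF == 0 { next }            # comments and blank lines
        $1 != "deb" && $1 != "deb-src" { next }   # not a one-line source entry
        {
            f = 2; opts = ""
            if ($f ~ /^\[/) {                     # optional [ key=value ... ] block
                while (f <= NF) {
                    opts = opts " " $f
                    if ($f ~ /\]$/) break
                    f++
                }
                f++
            }
            uri = $f
            if (uri == "") { print FNR, "malformed-entry", "-"; found = 1; next }
            if (uri ~ /^(cdrom|file|copy):/) next # local media, no network host
            host = uri
            sub(/^[a-z][a-z0-9+.-]*:\/\//, "", host)  # strip the scheme
            sub(/\/.*$/, "", host)                    # strip the path
            sub(/^.*@/, "", host)                     # strip any user info
            sub(/:.*$/, "", host)                     # strip any port
            if (!(host in reviewed)) {
                print FNR, "unreviewed-host", host; found = 1
            }
            if (opts ~ /trusted=yes/) {
                print FNR, "auth-check-overridden", host; found = 1
            }
        }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

# Stand-alone demonstration on the constructed sample.
sample_sources | audit_sources - "archive.ubuntu.com security.ubuntu.com" || true
```

On a real system, pass /etc/apt/sources.list as the first argument and your own reviewed host list as the second.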
Although APT is most strongly associated with Debian systems, a port to RPM-based systems is also available. Check http://apt4rpm.sourceforge.net for information about this port.
The apt-get utility works by obtaining information about available packages from the sources listed in /etc/apt/sources.list and then using that information to upgrade or install packages. The syntax is similar to that of dpkg:
apt-get [options] [command] [package-names]
Table 2.6 lists the apt-get commands, and Table 2.7 lists the most commonly used options. In most cases, you won’t use any options with apt-get—just a single command and possibly one or more package names. One particularly common use of this utility is to keep your system up to date with any new packages. The following two commands will accomplish this goal if /etc/apt/sources.list includes pointers to up-to-date file archive sites:
# apt-get update
# apt-get dist-upgrade
TABLE 2.6 apt-get commands
Command | Description
update | Obtains updated information about packages available from the installation sources listed in /etc/apt/sources.list.
upgrade | Upgrades all installed packages to the newest versions available, based on locally stored information about available packages.
dselect-upgrade | Performs any changes in package status (installation, removal, and so on) left undone after running dselect.
dist-upgrade | Similar to upgrade, but performs “smart” conflict resolution to avoid upgrading a package if doing so would break a dependency.
install | Installs a package by package name (not by package filename), obtaining the package from the source that contains the most up-to-date version.
remove | Removes a specified package by package name.
source | Retrieves the newest available source package file by package filename using information about available packages and installation archives listed in /etc/apt/sources.list.
check | Checks the package database for consistency and broken package installations.
clean | Performs housekeeping to help clear out information about retrieved files from the Debian package database. If you don’t use dselect for package management, run this from time to time in order to save disk space.
autoclean | Similar to clean but removes information only about packages that can no longer be downloaded.
TABLE 2.7 Most-useful apt-get options
Option | Used with commands | Description
-d or --download-only | upgrade, dselect-upgrade, install, source | Downloads package files but doesn’t install them.
-f or --fix-broken | install, remove | Attempts to fix a system on which dependencies are unsatisfied.
-m, --ignore-missing, or --fix-missing | upgrade, dselect-upgrade, install, remove, source | Ignores all package files that can’t be retrieved (because of network errors, missing files, or the like).
-q or --quiet | All | Omits some progress indicator information. May be doubled (for instance, -qq) to produce still less progress information.
-s, --simulate, --just-print, --dry-run, --recon, or --no-act | All | Performs a simulation of the action without actually modifying, installing, or removing files.
-y, --yes, or --assume-yes | All | Produces a “yes” response to any yes/no prompt in installation scripts.
-b, --compile, or --build | source | Compiles a source package after retrieving it.
--no-upgrade | install | Causes apt-get to not upgrade a package if an older version is already installed.
If you use APT to automatically upgrade all packages on your system, you’re effectively giving control of your computer to the distribution maintainer. Although Debian or other distribution maintainers are unlikely to try to break into your computer in this way, an automatic update with minimal supervision on your part could easily break something on your system, particularly if you’ve obtained packages from unusual sources in the past.
In Exercise 2.2, you’ll familiarize yourself with the Debian package system.
EXERCISE 2.2
Managing Debian Packages
To manage Debian packages, follow these steps:
1. Log into the Linux system as a normal user.
2. Acquire a package to use for testing purposes. You can try using a package from your distribution that you know you haven’t installed; but if you try a random package, you may find it’s already installed or has unmet dependencies. This lab uses as an example the installation of zsh_4.3.17-1ubuntu1_amd64.deb, a shell that’s not installed by default on most systems, obtained using the -d option to apt-get on an Ubuntu 12.04 system. You must adjust the commands as necessary if you use another package, distribution, or architecture in your tests.
3. Launch an xterm from the desktop environment’s menu system if you used a GUI login.
4. Acquire root privileges. You can do this by typing su in an xterm, by selecting Session New Root Console from a Konsole window, or by using sudo (if it’s configured) to run the commands in the following steps.
5. Type dpkg -L zsh to verify that the package isn’t currently installed. This command responds with a list of files associated with the package if it’s installed or with an error that reads Package `zsh' is not installed if it’s not.
6. Type dpkg -I zsh_4.3.17-1ubuntu1_amd64.deb. (You’ll need to add a complete path to the package file if it’s not in your current directory.) The system should respond by displaying information about the package, such as the version number, dependencies, the name of the package maintainer, and a package description.
7. Type dpkg -i zsh_4.3.17-1ubuntu1_amd64.deb. The system should install the package and display a series of lines summarizing its actions as it does so.
8. Type dpkg -p zsh. The system should respond with information about the package similar to that displayed in step 6.
9. Type zsh. This launches a Z shell, which functions much like the more common bash and tcsh shells. You’re likely to see your command prompt change slightly, but you can issue most of the same commands you can use with bash or tcsh.
10. Type dpkg -P zsh. This command removes the package from the system, including configuration files. It may produce a series of warnings about non-empty directories that it couldn’t remove. Note that you’re removing the zsh package while running the zsh program. Linux continues to run the zsh program you’re using, but you’ll be unable to launch new instances of the program. Some programs may misbehave because files will be missing after you remove the package.
11. Type exit to exit from zsh and return to your normal shell.
12. Type dpkg -L zsh. The system should respond with a Package `zsh' is not installed error because you’ve just uninstalled it.
13. Type apt-get install zsh to install zsh using the APT system. Depending on your configuration, the system may download the package from an Internet site or ask you to insert a CD-ROM. If it asks for a CD-ROM, insert it and press the Enter key. The system should install the package.
14. Type dpkg -p zsh. The system should respond with information about the package similar to that displayed in step 6 or 8.
15. Type dpkg -P zsh. This command removes the package from the system, as described in step 10.
Using dselect, aptitude, and Synaptic
The dselect program is a high-level package browser. Using it, you can select packages to install on your system from the APT archives defined in /etc/apt/sources.list, review the packages that are already installed on your system, uninstall packages, and upgrade packages. Overall, dselect is a powerful tool, but it can be intimidating to the uninitiated because it presents a lot of options that aren’t obvious, using a text-mode interactive user interface.
Although dselect supports a few command-line options, they’re mostly obscure or minor (such as options to set the color scheme). Consult dselect’s man page for details. To use the program, type dselect. The result is the dselect main menu, as shown running in a KDE Konsole window in Figure 2.1.
FIGURE 2.1 The dselect utility provides access to APT features using a menu system.
Another text-based Debian package manager is aptitude. In interactive mode, aptitude is similar to dselect in a rough way, but aptitude adds menus accessed by pressing Ctrl+T and rearranges some features. You can also pass various commands to aptitude on the command line, as in aptitude search samba, which searches for packages related to Samba. Features accessible from the command line (or the interactive interface) include the following:
Update Package Lists: You can update package lists from the APT repositories by typing aptitude update.
Install Software: The install command-line option installs a named package. This command has several variant names and syntaxes that modify its action. For instance, typing aptitude install zsh installs the zsh package, but typing aptitude install zsh- (with a trailing dash) and aptitude remove zsh both uninstall zsh.
Upgrade Software: The full-upgrade and safe-upgrade options both upgrade all installed packages. The safe-upgrade option is conservative about removing packages or installing new ones and so may fail; full-upgrade is less conservative about these actions and so is more likely to complete its tasks, but it may break software in the process.
Search for Packages: The search option, noted earlier, searches the database for packages matching the specified name. The result is a list of packages, one per line, with summary codes for each package’s install status, its name, and a brief description.
Clean Up the Database: The autoclean option removes already-downloaded packages that are no longer available, and clean removes all downloaded packages.
Obtain Help: Typing aptitude help results in a complete list of options.
Broadly speaking, aptitude combines the interactive features of dselect with the command-line options of apt-get. All three programs provide similar functionality, so you can use whichever one you prefer.
A tool that’s similar to dselect and aptitude in some ways is Synaptic, but Synaptic is a GUI X-based program and as such is easier to use. Overall, dselect, aptitude, and Synaptic are useful tools, particularly if you need to locate software but don’t know its exact name—the ability to browse and search the available packages can be a great boon. Unfortunately, the huge package list can be intimidating.
Reconfiguring Packages
Debian packages often provide more-extensive initial setup options than do their RPM counterparts. Frequently, the install script included in the package asks a handful of questions, such as querying for the name of an outgoing mail relay system for a mail server program. These questions help the package system set up a standardized configuration that has nonetheless been customized for your computer.
In the course of your system administration, you may alter the configuration files for a package. If you do this and find you’ve made a mess of things, you may want to revert to the initial standard configuration. To do so, you can use the dpkg-reconfigure program, which runs the initial configuration script for the package you specify:
# dpkg-reconfigure samba
This command reconfigures the samba package, asking the package’s initial installation questions and restarting the Samba daemons. Once this is done, the package should be in something closer to its initial state.
Debian Packages Compared to Other Package Formats
The overall functionality of Debian packages is similar to that of RPMs, although there are differences. Debian source packages aren’t single files; they’re groups of files—the original source tarball, a patch file that’s used to modify the source code (including a file that controls the building of a Debian package), and a .dsc file that contains a digital “signature” to help verify the authenticity of the collection. The Debian package tools can combine these and compile the package to create a Debian binary package. This structure makes Debian source packages slightly less convenient to transport because you must move at least two files (the tarball and patch file; the .dsc file is optional) rather than just one. Debian source packages also support just one patch file, whereas RPM source packages may contain multiple patch files. Although you can certainly combine multiple patch files into one, doing so makes it less clear where a patch comes from, thus making it harder to back out of any given change.
These source package differences are mostly of interest to software developers. As a system administrator or end user, you need not normally be concerned with them unless you must recompile a package from a source form—and even then, the differences between the formats need not be overwhelming. The exact commands and features used by each system differ, but they accomplish similar overall goals.
Because all distributions that use Debian packages are derived from Debian, they tend to be more compatible with one another (in terms of their packages) than RPM-based distributions are. In particular, Debian has defined details of its system startup scripts and many other features to help Debian packages install and run on any Debian-based system. This helps Debian-based systems avoid the sorts of incompatibilities in startup scripts that can cause problems using one distribution’s RPMs on another distribution. Of course, some future distribution could violate Debian’s guidelines for these matters, so this advantage isn’t guaranteed to hold over time.
As a practical matter, it can be harder to locate Debian packages than RPM packages for some exotic programs. Debian maintains a good collection at http://www.debian.org/distrib/packages, and some program authors make Debian packages available as well. If you can find an RPM but not a Debian package, you may be able to convert the RPM to Debian format using a program called alien, as described shortly in “Converting Between Package Formats.” If all else fails, you can use a tarball, but you’ll lose the advantages of the Debian package database.
Configuring Debian Package Tools
With the exception of the APT sources list mentioned earlier, Debian package tools don’t usually require configuration. Debian installs reasonable defaults (as do its derivative distributions). On rare occasions, though, you may want to adjust some of these defaults. Doing so requires that you know where to look for them.
The main configuration file for dpkg is /etc/dpkg/dpkg.cfg or ~/.dpkg.cfg. This file contains dpkg options, as summarized in Table 2.5, but without the leading dashes. For instance, to have dpkg always perform a test run rather than actually install a package, you’d create a dpkg.cfg file that contains one line:
no-act
For APT, the main configuration file you’re likely to modify is /etc/apt/sources.list, which was described earlier in “Using apt-get.” Beyond this file is /etc/apt/apt.conf, which controls APT and dselect options. As with dpkg.cfg, chances are you won’t need to modify apt.conf. If you do need to make changes, the format is more complex and is modeled after those of the Internet Software Consortium’s (ISC’s) Dynamic Host Configuration Protocol (DHCP) and Berkeley Internet Name Domain (BIND) servers’ configuration files. Options are grouped together by open and close curly braces ({}):
APT
{
  Get
  {
    Download-Only "true";
  };
};
These lines are equivalent to permanently setting the --download-only option described in Table 2.7. You can, of course, set many more options. For details, consult apt.conf’s man page. You may also want to review the sample configuration file, /usr/share/doc/apt/examples/apt.conf. (The working /etc/apt/apt.conf file is typically extremely simple, or may be missing entirely and therefore not be very helpful as an example.)
You should be aware that Debian’s package tools rely on various files in the /var/lib/dpkg directory tree. These files maintain lists of available packages, lists of installed packages, and so on. In other words, this directory tree is effectively the Debian installed file database. As such, you should be sure to back up this directory when you perform system backups and be careful about modifying its contents.
Converting Between Package Formats
Sometimes you’re presented with a package file in one format, but you want to use another format. This is particularly common when you use a Debian-based distribution and can find only tarballs or RPM files of a package. When this happens, you can keep looking for a package file in the appropriate format, install the tools for the foreign format, create a package from a source tarball using the standard RPM or Debian tools, or convert between package formats with a utility like alien.
This section focuses on this last option. The alien program comes with Debian and a few other distributions but may not be installed by default. If it’s not installed on your system, install it by typing apt-get install alien on a system that uses APT, or use the Rpmfind or Debian package Web site to locate it. This program can convert between RPM packages, Debian packages, Stampede packages (used by Stampede Linux), and tarballs.
You need to be aware of some caveats. For one thing, alien requires that you have appropriate package manager software installed—for instance, both RPM and Debian to convert between these formats. The alien utility doesn’t always convert all dependency information completely correctly. When converting from a tarball, alien copies the files directly as they had been in the tarball, so alien works only if the original tarball has files that should be installed off the root (/) directory of the system.
Although alien requires both RPM and Debian package systems to be installed to convert between these formats, alien doesn’t use the database features of these packages unless you use the --install option. The presence of a foreign package manager isn’t a problem as long as you don’t use it to install software that might duplicate or conflict with software installed with your primary package manager.
The basic syntax of alien is as follows:
alien [options] file[...]
The most important options are --to-deb, --to-rpm, --to-slp, and --to-tgz, which convert to Debian, RPM, Stampede, and tarball format, respectively. (If you omit the destination format, alien assumes you want a Debian package.) The --install option installs the converted package and removes the converted file. Consult the alien man page for additional options.
For instance, suppose you have a Debian package called someprogram-1.2.3-4_i386.deb, and you want to create an RPM from it. You can issue the following command to create an RPM called someprogram-1.2.3-5.i386.rpm:
# alien --to-rpm someprogram-1.2.3-4_i386.deb
If you use a Debian-based system and want to install a tarball but keep a record of the files it contains in your Debian package database, you can do so with the following command:
# alien --install binary-tarball.tar.gz
It’s important to remember that converting a tarball converts the files in the directory structure of the original tarball using the system’s root directory as the base. Therefore, you may need to unpack the tarball, juggle files around, and repack it to get the desired results prior to installing the tarball with alien. For instance, suppose you have a binary tarball that creates a directory called program-files, with bin, man, and lib directories under this. The intent may have been to unpack the tarball in /usr or /usr/local and create links for critical files. To convert this tarball to an RPM, you can issue the following commands:
# tar xvfz program.tar.gz
# mv program-files usr
# tar cvfz program.tgz usr
# rm -r usr
# alien --to-rpm program.tgz
By renaming the program-files directory to usr and creating a new tarball, you’ve created a tarball that, when converted to RPM format, will have files in the locations you want—/usr/bin, /usr/man, and /usr/lib. You might need to perform more extensive modifications, depending on the contents of the original tarball.
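A check to run before converting a tarball, added here as an example (it is not from the book): it reads a member listing such as tar tzf prints and reports top-level names that would not land in a standard directory off /, along with absolute and .. paths. The function name, the ROOT_DIRS list, and the sample member names are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: where would a tarball's members land if unpacked at / ?

# Assumption: top-level names considered normal for a tarball installed off the root.
ROOT_DIRS="bin boot etc lib lib64 opt sbin srv usr var"

# stdin:  member names, one per line, as printed by "tar tzf file"
# stdout: one finding per problem; nothing when the layout looks installable
tar_layout_report() {
    awk -v roots="$ROOT_DIRS" '
    BEGIN { n = split(roots, r, " "); for (i = 1; i <= n; i++) ok[r[i]] = 1 }
    {
        path = $0
        sub(/^\.\//, "", path)          # "./usr/bin/x" and "usr/bin/x" name the same member
        if (path == "" || path == ".") next
        if (path ~ /^\//)              { print "ABSOLUTE " path; next }
        if (path ~ /(^|\/)\.\.(\/|$)/) { print "DOTDOT " path; next }
        top = path
        sub(/\/.*/, "", top)            # keep only the first path component
        if (!(top in ok) && !(top in seen)) {
            seen[top] = 1               # report each unexpected top-level name once
            print "NOT-A-ROOT-DIR " top
        }
    }'
}

if [ "$#" -gt 0 ]; then
    # Real use: inspect the tarball named on the command line.
    tar tzf "$1" | tar_layout_report
else
    # Constructed listing matching the program-files layout described in the text.
    printf '%s\n' program-files/ program-files/bin/prog program-files/lib/libprog.so |
        tar_layout_report
fi
```

An empty report after the repacking step means every member sits under one of the listed directories, which is the state the text aims for before running alien.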
Package Dependencies and Conflicts
Although package installation often proceeds smoothly, sometimes it doesn’t. The usual sources of problems relate to unsatisfied dependencies or conflicts between packages. The RPM and Debian package management systems are intended to help you locate and resolve such problems, but on occasion (particularly when mixing packages from different vendors), they can actually cause problems. In either event, it pays to recognize these errors and know how to resolve them.
If you use a meta-packager, such as Yum or APT, for all your package management, you’re much less likely to run into problems with package dependencies and conflicts. These problems are most likely to arise when you install lone packages, especially those from unusual sources.
Real and Imagined Package Dependency Problems
Package dependencies and conflicts can arise for a variety of reasons, including the following:
Missing Libraries or Support Programs: One of the most common dependency problems is caused by a missing support package. For instance, all KDE programs rely on Qt, a widget set that provides assorted GUI tools. If Qt isn’t installed, you won’t be able to install any KDE packages using RPMs or Debian packages. Libraries—support code that can be used by many different programs as if it were part of the program itself—are particularly common sources of problems in this respect.
Incompatible Libraries or Support Programs: Even if a library or support program is installed on your system, it may be the wrong version. For instance, if a program requires Qt 4.8, the presence of Qt 3.3 won’t do much good. Fortunately, Linux library-naming conventions enable you to install multiple versions of a library in case you have programs with competing requirements.
Duplicate Files or Features: Conflicts arise when one package includes files that are already installed and that belong to another package. Occasionally, broad features can conflict as well, as in two Web server packages. Feature conflicts are usually accompanied by name conflicts. Conflicts are most common when mixing packages intended for different distributions, because distributions may split files across packages in different ways.
Mismatched Names: RPM and Debian package management systems give names to their packages. These names don’t always match across distributions. For this reason, if one package checks for another package by name, the first package may not install on another distribution, even if the appropriate package is installed, because that target package has a different name.
Some of these problems are very real and serious. Missing libraries, for instance, must be installed. (Sometimes, though, a missing library isn’t quite as missing as it seems, as described in the upcoming section “Forcing the Installation.”) Others, like mismatched package names, are artifacts of the packaging system. Unfortunately, it’s not always easy to tell into which category a conflict fits. When using a package management system, you may be able to use the error message returned by the package system, along with your own experience with and knowledge of specific packages, to make a judgment. For instance, if RPM reports that you’re missing a slew of libraries with which you’re unfamiliar, you’ll probably have to track down at least one package—unless you know you’ve installed the libraries in some other way, in which case you may want to force the installation.
Workarounds for Package Dependency Problems
When you encounter an unmet package dependency or conflict, what can you do about it? There are several approaches to these problems. Some of these approaches work well in some situations but not others, so you should review the possibilities carefully. The options include forcing the installation, modifying your system to meet the dependency, rebuilding the problem package from source code, and finding another version of the problem package.
Forcing the Installation
One approach is to ignore the issue. Although this sounds risky, it’s appropriate in some cases involving failed RPM or Debian dependencies. For instance, if the dependency is on a package that you installed by compiling the source code yourself, you can safely ignore the dependency. When using rpm, you can tell the program to ignore failed dependencies by using the --nodeps parameter:
# rpm -i apackage.rpm --nodeps
You can force installation over some other errors, such as conflicts with existing packages, by using the --force parameter:
# rpm -i apackage.rpm --force
Do not use --nodeps or --force as a matter of course. Ignoring the dependency checks can lead you into trouble, so you should use these options only when you need to do so. In the case of conflicts, the error messages you get when you first try to install without --force will tell you which packages’ files you’ll be replacing, so be sure you back them up or are prepared to reinstall the packages in case of trouble.
If you’re using dpkg, you can use the --ignore-depends=package, --force-depends, and --force-conflicts parameters to overcome dependency and conflict problems in Debian-based systems. Because there’s less deviation in package names and requirements among Debian-based systems, these options are less often needed on such systems.
Upgrading or Replacing the Depended-on Package
Officially, the proper way to overcome a package dependency problem is to install, upgrade, or replace the depended-upon package. If a program requires, say, Qt 4.8 or greater, you should upgrade an older version (such as 4.4) to 4.8. To perform such an upgrade, you’ll need to track down and install the appropriate package. This usually isn’t too difficult if the new package you want comes from a Linux distribution, especially if you use a meta-packager such as Yum or APT; the appropriate depended-on package should come with the same distribution.
One problem with this approach is that packages intended for different distributions sometimes have differing requirements. If you run Distribution A and install a package that was built for Distribution B, the package will express dependencies in terms of Distribution B’s files and versions. The appropriate versions may not be available in a form intended for Distribution A; and by installing Distribution B’s versions, you can sometimes cause conflicts with other Distribution A packages. Even if you install the upgraded package and it works, you may run into problems in the future when it comes time to install some other program or upgrade the distribution as a whole—the upgrade installer may not recognize Distribution B’s package or may not be able to upgrade to its own newer version.
Rebuilding the Problem Package
Some dependencies result from the libraries and other support utilities installed on the computer that compiled the package, not from requirements in the underlying source code. If the software is recompiled on a system that has different packages, the dependencies will change. Therefore, rebuilding a package from source code can overcome at least some dependencies.
If you use an RPM-based system, the command to rebuild a package is straightforward: You call rpmbuild (or rpm with old versions of RPM) with the name of the source package and use --rebuild, as follows:
# rpmbuild --rebuild packagename-version.src.rpm
Of course, to do this you must have the source RPM for the package. This can usually be obtained from the same location as the binary RPM. When you execute this command, rpmbuild extracts the source code and executes whatever commands are required to build a new package—or sometimes several new packages. (One source RPM can build multiple binary RPMs.) The compilation process can take anywhere from a few seconds to several hours, depending on the size of the package and the speed of your computer. The result should be one or more new binary RPMs in /usr/src/distname/RPMS/arch, where distname is a distribution-specific name (such as redhat on Red Hat or packages on SUSE) and arch is your CPU architecture (such as i386 or i586 for x86 or ppc for PowerPC). You can move these RPMs to any convenient location and install them just as you would any others.
Source packages are also available for Debian systems, but aside from sites devoted to Debian and related distributions, Debian source packages are rare. The sites that do have these packages provide them in forms that typically install easily on appropriate Debian or related systems. For this reason, it’s less likely that you’ll rebuild a Debian package from source.
Be aware that compiling a source package typically requires you to have appropriate development tools installed on your system, such as the GNU Compiler Collection (GCC) and assorted development libraries. Development libraries are the parts of a library that enable programs to be written for the library. Many Linux installations lack development libraries even when the matching binary libraries are installed. Thus, you may need to install quite a few packages to recompile a source package. The error messages you receive when you attempt but fail to build a source package can help you track down the necessary software, but you may need to read several lines of error messages and use your package system to search for appropriate tools and development libraries. (Development libraries often include the string dev or devel in their names.)
Locating Another Version of the Problem Package
Frequently, the simplest way to fix a dependency problem or package conflict is to use a different version of the package you want to install. This could be a newer or older official version (4.2.3 rather than 4.4.7, say), or it might be the same official version but built for your distribution rather than for another distribution. Sites like Rpmfind (http://www.rpmfind.net) and Debian’s package listing (http://www.debian.org/distrib/packages) can be very useful in tracking down alternative versions of a package. Your own distribution’s Web site or FTP site can also be a good place to locate packages.
If the package you’re trying to install requires newer libraries than you have and you don’t want to upgrade those libraries, an older version of the package may work with your existing libraries. Before installing such a program, though, you should check to be sure that the newer version of the program doesn’t fix security bugs. If it does, you should find another way to install the package.
The main problem with locating another version of the package is that sometimes you really need the version that’s not installing correctly. It may have features you need, or it may fix important bugs. On occasion, other versions may not be available, or you may be unable to locate another version of the package in your preferred package format.
Startup Script Problems
One particularly common problem when trying to install servers from one distribution in another is getting startup scripts working. In the past, most major Linux distributions used SysV startup scripts, but these scripts weren’t always transportable across distributions. Today, alternatives to SysV are common, which further complicates this problem. The result is that the server you installed may not start up. Possible workarounds include modifying the startup script that came with the server, building a new script based on another one from your distribution, and starting the server through a local startup script like /etc/rc.d/rc.local or /etc/rc.d/boot.local. Chapter 5, “Booting Linux and Editing Files,” describes startup scripts in more detail.
Startup script problems affect only servers and other programs that are started automatically when the computer boots; they don’t affect typical user applications or libraries.
Managing Shared Libraries
Most Linux software relies heavily on shared libraries. The preceding sections have described some of the problems that can arise in managing shared library packages—for example, if a library isn’t installed or is the wrong version, you may have problems installing a package. Library management goes beyond merely configuring them, though. To understand this, you must first understand a few library principles. You can then move on to setting the library path and using commands that manage libraries.
Library Principles
The idea behind a library is to simplify programmers’ lives by providing commonly used program fragments. For instance, one of the most important libraries is the C library (libc), which provides many of the higher-level features associated with the C programming language. Another common type of library is associated with GUIs. These libraries are often called widget sets because they provide the on-screen widgets used by programs—buttons, scroll bars, menu bars, and so on. The GIMP Tool Kit (GTK+) and Qt are the most popular Linux widget sets, and both ship largely as libraries. Libraries are chosen by programmers, not by users; you usually can’t substitute one library for another. (The main exceptions are minor version upgrades.)
Linux uses the GNU C library (glibc) version of the C library. Package-manager dependencies and other library references are to glibc specifically. As of glibc 2.15, for historical reasons the main glibc file is usually called /lib/libc.so.6 or /lib64/libc.so.6, but this file is sometimes a symbolic link to a file of another name, such as /lib/libc-2.15.so.
In principle, the routines in a library can be linked into a program’s main file, just like all the object code files created by the compiler. This approach, however, has certain problems:
The resulting program file is huge. This means it takes up a lot of disk space, and it consumes a lot of RAM when loaded.
If multiple programs use the library, as is common, the program-size issue is multiplied several times; the library is effectively stored multiple times on disk and in RAM.
The program can’t take advantage of improvements in the library without recompiling (or at least relinking) the program.
For these reasons, most programs use their libraries as shared libraries (aka dynamic libraries). In this form, the main program executable omits most of the library routines. Instead, the executable includes references to shared library files, which can then be loaded along with the main program file. This approach helps keep program file size down, enables sharing of the memory consumed by libraries across programs, and enables programs to take advantage of improvements in libraries by upgrading the library.
Linux shared libraries are similar to the dynamic link libraries (DLLs) of Windows. Windows DLLs are usually identified by .DLL filename extensions; but in Linux, shared libraries usually have a .so or .so.version extension, where version is a version number. (.so stands for shared object.) Linux static libraries (used by linkers for inclusion in programs when dynamic libraries aren’t to be used) have .a filename extensions.
On the downside, shared libraries can degrade program load time slightly if the library isn’t already in use by another program, and they can create software management complications:
Shared library changes can be incompatible with some or all programs that use the library. Linux uses library numbering schemes to enable you to keep multiple versions of a library installed at once. Upgrades that shouldn’t cause problems can overwrite older versions, whereas major upgrades get installed side by side with their older counterparts. This approach minimizes the chance of problems, but sometimes changes that shouldn’t cause problems do cause them.
Programs must be able to locate shared libraries. This task requires adjusting configuration files and environment variables. If it’s done wrong or if a program overrides the defaults and looks in the wrong place, the result is usually that the program won’t run at all.
The number of libraries for Linux has risen dramatically over time. When they’re used in shared form, the result can be a tangled mess of package dependencies, particularly if you use programs that rely on many or obscure libraries. In most cases, this issue boils down to a package problem that can be handled by your package management tools.
If an important shared library becomes inaccessible because it was accidentally overwritten, due to a disk error or for any other reason, the result can be severe system problems. In a worst-case scenario, the system might not even boot.
In most cases, these drawbacks are manageable and are much less important than the problems associated with using static libraries. Thus, dynamic libraries are very popular.
Static libraries are sometimes used by developers who create programs using particularly odd, outdated, or otherwise exotic libraries. This enables them to distribute their binary packages without requiring users to obtain and install their oddball libraries. Likewise, static libraries are sometimes used on small emergency systems, which don’t have enough programs installed to make the advantages of shared libraries worth pursuing.
Locating Library Files
The major administrative challenge of handling shared libraries involves enabling programs to locate those shared libraries. Binary program files can point to libraries either by name alone (as in libc.so.6) or by providing a complete path (as in /lib/libc.so.6). In the first case, you must configure a library path—a set of directories in which programs should search for libraries. This can be done both through a global configuration file and through an environment variable. If a static path to a library is wrong, you must find a way to correct the problem. In all of these cases, after making a change, you may need to use a special command to get the system to recognize the change, as described later in “Library Management Commands.”
Setting the Path Systemwide
The first way to set the library path is to edit the /etc/ld.so.conf file. This file consists of a series of lines, each of which lists one directory in which shared library files may be found. Typically, this file lists between half a dozen and a couple dozen directories. Some distributions have an additional type of line in this file. These lines begin with the include directive; they list files that are to be included as if they were part of the main file. For instance, Ubuntu 12.04’s ld.so.conf begins with this line:
include /etc/ld.so.conf.d/*.conf
This line tells the system to load all the files in /etc/ld.so.conf.d whose names end in .conf as if they were part of the main /etc/ld.so.conf file. This mechanism enables package maintainers to add their unique library directories to the search list by placing a .conf file in the appropriate directory.
Some distributions, such as Gentoo, use a mechanism with a similar goal but different details. With these distributions, the env-update utility reads files in /etc/env.d to create the final form of several /etc configuration files, including /etc/ld.so.conf. In particular, the LDPATH variables in these files are read, and their values make up the lines in ld.so.conf. Thus, to change ld.so.conf in Gentoo or other distributions that use this mechanism, you should add or edit files in /etc/env.d and then type env-update to do the job.
Generally speaking, there’s seldom a need to change the library path systemwide. Library package files usually install themselves in directories that are already on the path or add their paths automatically. The main reason to make such changes would be if you installed a library package, or a program that creates its own libraries, in an unusual location via a mechanism other than your distribution’s main package utility. For instance, you might compile a library from source code and then need to update your library path in this way.
After you change your library path, you must use ldconfig to have your programs use the new path, as described later in “Library Management Commands.”
In addition to the directories specified in /etc/ld.so.conf, Linux refers to the trusted library directories, /lib and /usr/lib. These directories are always on the library path, even if they aren’t listed in ld.so.conf.
Temporarily Changing the Path
Sometimes, changing the path permanently and globally is unnecessary and even inappropriate. For instance, you might want to test the effect of a new library before using it for all your programs. To do so, you could install the shared libraries in an unusual location and then set the LD_LIBRARY_PATH environment variable. This environment variable specifies additional directories the system is to search for libraries.
Chapter 9, “Writing Scripts, Configuring Email, and Using Databases,” describes environment variables in more detail.
To set the LD_LIBRARY_PATH environment variable using the bash shell, you can type a command like this:
$ export LD_LIBRARY_PATH=/usr/local/testlib:/opt/newlib
This line adds two directories, /usr/local/testlib and /opt/newlib, to the search path. You can specify as few or as many directories as you like, separated by colons. These directories are added to the start of the search path, which means they take precedence over other directories. This fact is handy when you’re testing replacement libraries, but it can cause problems if users manage to set this environment variable inappropriately.
You can set this environment variable permanently in a user’s shell startup script files, as described in Chapter 9. Doing so means the user will always use the specified library paths in addition to the normal system paths. In principle, you could set the LD_LIBRARY_PATH globally; however, using /etc/ld.so.conf is the preferred method of effecting global changes to the library path.
Unlike other library path changes, this one doesn’t require that you run ldconfig for it to take effect.
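Because both /etc/ld.so.conf (with its include lines) and LD_LIBRARY_PATH decide which directories supply libraries, an administrator may want to audit them. The script below is an added example, not code from the book: it expands include directives, then flags search directories that are missing, relative, empty, or world-writable. The function names are assumptions, and it treats each configuration line as one directory, as the text describes.

```shell
#!/bin/sh
# Added example: audit the directories the dynamic loader is told to search.

# Print every directory named in an ld.so.conf-style file, following "include" lines.
expand_ld_conf() {
    conf=$1
    if [ ! -r "$conf" ]; then return 0; fi
    while IFS= read -r line || [ -n "$line" ]; do
        # Drop comments, collapse runs of whitespace, trim both ends.
        line=$(printf '%s\n' "$line" |
            sed 's/#.*//; s/[[:space:]][[:space:]]*/ /g; s/^ //; s/ $//')
        case $line in
            '') ;;
            'include '*)
                pattern=${line#include }
                # A relative pattern is resolved against the including file's directory.
                case $pattern in
                    /*) ;;
                    *) pattern=$(dirname "$conf")/$pattern ;;
                esac
                for f in $pattern; do            # unquoted on purpose: expand the glob
                    # The subshell keeps this invocation's variables intact.
                    if [ -f "$f" ]; then ( expand_ld_conf "$f" ); fi
                done
                ;;
            *) printf '%s\n' "$line" ;;
        esac
    done < "$conf"
    return 0
}

# Print a finding when one search-path entry is unsafe or useless.
audit_dir() {
    d=$1
    case $d in
        '') echo "EMPTY-ENTRY (searches the current directory)"; return 0 ;;
        /*) ;;
        *)  echo "RELATIVE $d"; return 0 ;;
    esac
    if [ ! -d "$d" ]; then echo "MISSING $d"; return 0; fi
    # Character 9 of the ls mode string is the write bit for "other".
    case $(ls -ldL "$d") in
        ????????w*) echo "WORLD-WRITABLE $d" ;;
    esac
    return 0
}

# Audit every directory reachable from an ld.so.conf-style file.
audit_ld_conf() {
    expand_ld_conf "$1" | while IFS= read -r dir; do audit_dir "$dir"; done
    return 0
}

# Audit a colon-separated list such as the value of LD_LIBRARY_PATH.
audit_path_list() {
    list=$1
    if [ -z "$list" ]; then return 0; fi     # unset or empty: nothing is added
    list=$list:                              # sentinel so the last entry is handled too
    while [ -n "$list" ]; do
        entry=${list%%:*}
        list=${list#*:}
        audit_dir "$entry"
    done
    return 0
}

audit_ld_conf /etc/ld.so.conf
audit_path_list "${LD_LIBRARY_PATH-}"
```

Entries in LD_LIBRARY_PATH are searched first, so a finding there matters more than the same finding late in ld.so.conf.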
Correcting Problems
Library path problems usually manifest as a program’s inability to locate a library. If you launch the program from a shell, you’ll see an error message like this:
$ gimp
gimp: error while loading shared libraries: libXinerama.so.1: cannot
open shared object file: No such file or directory
This message indicates that the system couldn’t find the libXinerama.so.1 library file. The usual cause of such problems is that the library isn’t installed, so you should look for it using commands such as find (described in Chapter 4, “Managing Files”). If the file isn’t installed, try to track down the package to which it should belong (a Web search can work wonders in this task) and install it.
If, on the other hand, the library file is available, you may need to add its directory globally or to LD_LIBRARY_PATH. Sometimes the library’s path is hard-coded in the program’s binary file. (You can discover this using ldd, as described shortly in “Library Management Commands.”) When this happens, you may need to create a symbolic link from the location of the library on your system to the location the program expects. A similar problem can occur when the program expects a library to have one name but the library has another name on your system. For instance, the program may link to biglib.so.5, but your system has biglib.so.5.2 installed. Minor version-number changes like this are usually inconsequential, so creating a symbolic link will correct the problem:
# ln -s biglib.so.5.2 biglib.so.5
You must type this command as root in the directory in which the library resides. You must then run ldconfig, as described in the next section.
Library Management Commands
Linux provides a pair of commands that you’re likely to use for library management. The ldd program displays a program’s shared library dependencies—that is, the shared libraries that a program uses. The ldconfig program updates caches and links used by the system for locating libraries—that is, it reads /etc/ld.so.conf and implements any changes in that file or in the directories to which it refers. Both of these tools are invaluable in managing libraries.
Displaying Shared Library Dependencies
If you run into programs that won’t launch because of missing libraries, the first step is to check which libraries the program file uses. You can do this with the ldd command:
$ ldd /bin/ls
librt.so.1 => /lib/librt.so.1 (0x0000002a9566c000)
libncurses.so.5 => /lib/libncurses.so.5 (0x0000002a95784000)
libacl.so.1 => /lib/libacl.so.1 (0x0000002a958ea000)
libc.so.6 => /lib/libc.so.6 (0x0000002a959f1000)
libpthread.so.0 => /lib/libpthread.so.0 (0x0000002a95c17000)
/lib64/ld-linux-x86-64.so.2 (0x0000002a95556000)
libattr.so.1 => /lib/libattr.so.1 (0x0000002a95dad000)
Each line of output begins with a library name, such as librt.so.1 or libncurses.so.5. If the library name doesn’t contain a complete path, ldd attempts to find the true library and displays the complete path following the => symbol, as in /lib/librt.so.1 or /lib/libncurses.so.5. You needn’t be concerned about the long hexadecimal number following the complete path to the library file. The preceding example shows one library (/lib64/ld-linux-x86-64.so.2) that’s referred to with a complete path in the executable file. It lacks the initial directory-less library name and => symbol.
The ldd command accepts a few options. The most notable of these is probably -v, which displays a long list of version information following the main entry. This information may be helpful in tracking down which version of a library a program is using, in case you have multiple versions installed.
Keep in mind that libraries can themselves depend on other libraries. Thus, you can use ldd to discover what libraries are used by a library. Because of this potential for a dependency chain, it’s possible that a program will fail to run even though all its libraries are present. When using ldd to track down problems, be sure to check the needs of all the libraries of the program, and all the libraries used by the first tier of libraries, and so on, until you’ve exhausted the chain.
The ldd utility can be run by ordinary users, as well as by root. You must run it as root if you can’t read the program file as an ordinary user.
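A filter that turns ldd output into findings, added here as an example (not the book's code): it reports libraries that could not be found, libraries resolved from outside the usual system directories, and entries with a hard-coded path. The sample output is constructed from the listing above plus two invented lines (libXinerama.so.1 => not found and libnew.so.2), and the list of system directories (/lib, /usr/lib and their 64-bit variants) is an assumption.

```shell
#!/bin/sh
# Added example: classify the lines of "ldd program" output.

# stdin: ldd output; stdout: one finding per line of interest.
ldd_report() {
    awk '
    # "name => not found": the loader could not locate this library at all.
    $2 == "=>" && $3 == "not" && $4 == "found" { print "MISSING " $1; next }

    # "name => /path (addr)": located by searching the library path.
    $2 == "=>" && $3 ~ /^\// {
        # Anything outside /lib, /usr/lib, /lib64, /usr/lib64 came from
        # ld.so.conf, LD_LIBRARY_PATH, or a path stored in the binary.
        if ($3 !~ /^\/(usr\/)?lib(64)?\//)
            print "OUTSIDE-SYSTEM-DIRS " $1 " " $3
        next
    }

    # "/path (addr)": the binary refers to this file by complete path.
    $1 ~ /^\// { print "HARDCODED-PATH " $1 }
    '
}

# Constructed sample, modelled on the ldd /bin/ls listing in the text.
sample_ldd_output() {
    cat <<'EOF'
    librt.so.1 => /lib/librt.so.1 (0x0000002a9566c000)
    libXinerama.so.1 => not found
    libnew.so.2 => /usr/local/testlib/libnew.so.2 (0x0000002a958ea000)
    libc.so.6 => /lib/libc.so.6 (0x0000002a959f1000)
    /lib64/ld-linux-x86-64.so.2 (0x0000002a95556000)
EOF
}

if [ "$#" -gt 0 ]; then
    ldd "$1" | ldd_report          # real use: ./script /bin/ls
else
    sample_ldd_output | ldd_report
fi
```

The ldd man page advises against running ldd on executables you do not trust, because some versions obtain this listing by invoking the program's own loader.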
Rebuilding the Library Cache
Linux (or, more precisely, the ld.so and ld-linux.so programs, which manage the loading of libraries) doesn’t read /etc/ld.so.conf every time a program runs. Instead, the system relies on a cached list of directories and the files they contain, stored in binary format in /etc/ld.so.cache. This list is maintained in a format that’s much more efficient than a plain-text list of files and directories. The drawback is that you must rebuild that cache every time you add or remove libraries. These additions and removals include both changing the contents of the library directories and adding or removing library directories.
The tool to do this job is called ldconfig. Ordinarily, it’s called without any options:
# ldconfig
This program does, though, take options to modify its behavior:
Display Verbose Information: Ordinarily, ldconfig doesn’t display any information as it works. The -v option causes the program to summarize the directories and files it’s registering as it goes about its business.
Don’t Rebuild the Cache: The -N option causes ldconfig to not perform its primary duty of updating the library cache. It will, though, update symbolic links to libraries, which is a secondary duty of this program.
Process Only Specified Directories: The -n option causes ldconfig to update the links contained in the directories specified on the command line. The system won’t examine the directories specified in /etc/ld.so.conf or the trusted directories (/lib and /usr/lib).
Don’t Update Links: The -X option is the opposite of -N; it causes ldconfig to update the cache but not manage links.
Use a New Configuration File: You can change the configuration file from /etc/ld.so.conf by using the -f conffile option, where conffile is the file you want to use.
Use a New Cache File: You can change the cache file that ldconfig creates by passing the -C cachefile option, where cachefile is the file you want to use.
Use a New Root: The -r dir option tells ldconfig to treat dir as if it were the root (/) directory. This option is helpful when you’re recovering a badly corrupted system or installing a new OS.
Display Current Information: The -p option causes ldconfig to display the current cache—all the library directories and the libraries they contain.
Both RPM and Debian library packages typically run ldconfig automatically after installing or removing the package. The same thing happens as part of the installation process for many packages compiled from source. Thus, you may well be running ldconfig more than you realize in the process of software management. You may need to run the program yourself if you manually modify your library configuration in any way.

Managing Processes

When you type a command name, that program is run, and a process is created for it. Knowing how to manage these processes is critical to using Linux. Key details in this task include identifying processes, manipulating foreground and background processes, killing processes, and adjusting process priorities.

Understanding the Kernel: The First Process

The Linux kernel is at the heart of every Linux system. Although you can’t manage the kernel process in quite the way you can manage other processes, short of rebooting the computer, you can learn about it. To do so, you can use the uname command, which takes several options to display information:

Node Name
The -n or --nodename option displays the system’s node name—that is, its network hostname.

Kernel Name
The -s or --kernel-name option displays the kernel name, which is Linux on a Linux system.

Kernel Version
You can find the kernel version with the -v or --kernel-version option. Ordinarily, this holds the kernel build date and time, not an actual version number.

Kernel Release
The actual kernel version number can be found via the -r or --kernel-release option.

Machine
The -m or --machine option returns information about your machine. This is likely to be a CPU code, such as i686 or x86_64.

Processor
Using the -p or --processor option may return information about your CPU, such as the manufacturer, model, and clock speed; in practice, it returns unknown on many systems.

Hardware Platform
Hardware platform information is theoretically returned by the -i or --hardware-platform option, but this option often returns unknown.

OS Name
The -o or --operating-system option returns the OS name—normally GNU/Linux for a Linux system.

Print All Information
The -a or --all option returns all available information.

In practice, you’re most likely to use uname -a at the command line to learn some of the basics about your kernel and system. The other options are most useful in multi-platform scripts, which can use these options to quickly obtain critical information to help them adjust their actions for the system on which they’re running.

Examining Process Lists

One of the most important tools in process management is ps. This program displays processes’ status (hence the name, ps). It sports many helpful options, and it’s useful in monitoring what’s happening on a system. This can be particularly critical when the computer isn’t working as it should be—for instance, if it’s unusually slow. The ps program supports an unusual number of options, but just a few of them will take you a long way. Likewise, interpreting ps output can be tricky because so many options modify the program’s output. Some ps-like programs, most notably top, also deserve attention.

Using Useful ps Options

The official syntax for ps is fairly simple:

ps [options]

This simplicity of form hides considerable complexity because ps supports three different types of options, as well as many options within each type. The three types of options are as follows:

Unix98 Options
These single-character options may be grouped together and are preceded by a single dash (-).

BSD Options
These single-character options may be grouped together and must not be preceded by a dash.

GNU Long Options
These multi-character options are never grouped together. They’re preceded by two dashes (--).

Options that may be grouped together may be clustered without spaces between them. For instance, rather than typing ps -a -f, you can type ps -af. The reason for so much complexity is that the ps utility has historically varied a lot from one Unix OS to another. The version of ps that ships with major Linux distributions attempts to implement most features from all these different ps versions, so it supports many different personalities. In fact, you can change some of its default behaviors by setting the PS_PERSONALITY environment variable to posix, old, linux, bsd, sun, digital, or various others. The rest of this section describes the default ps behavior on most Linux systems.

Some of the more useful ps features include the following:

Display Help
The --help option summarizes some of the more common ps options.

Display All Processes
By default, ps displays only processes that were run from its own terminal (xterm, text-mode login, or remote login). The -A and -e options cause it to display all the processes on the system, and x displays all processes owned by the user who gives the command. The x option also increases the amount of information that’s displayed about each process.

Display One User’s Processes
You can display processes owned by a given user with the -u user, U user, and --User user options. The user variable may be a username or a user ID.

Display Extra Information
The -f, -l, j, l, u, and v options all expand the information provided in the ps output. Most ps output formats include one line per process, but ps can display enough information that it’s impossible to fit it all on one 80-character line. Therefore, these options provide various mixes of information.

Display Process Hierarchy
The -H, -f, and --forest options group processes and use indentation to show the hierarchy of relationships between processes. These options are useful if you’re trying to trace the parentage of a process.

Display Wide Output
The ps command output can be more than 80 columns wide. Normally, ps truncates its output so that it will fit on your screen or xterm. The -w and w options tell ps not to do this, which can be useful if you direct the output to a file, as in ps w > ps.txt. You can then examine the output file in a text editor that supports wide lines.

You can combine these ps options in many ways to produce the output you want. You’ll probably need to experiment to learn which options produce the desired results because each option modifies the output in some way. Even those that would seem to influence just the selection of processes to list sometimes modify the information that’s provided about each process.

Interpreting ps Output

Listings 2.3 and 2.4 show a couple of examples of ps in action. Listing 2.3 shows ps -u rodsmith --forest, and Listing 2.4 shows ps u U rodsmith.

Listing 2.3: Output of ps -u rodsmith --forest

$ ps -u rodsmith --forest
  PID TTY          TIME CMD
 2451 pts/3    00:00:00 bash
 2551 pts/3    00:00:00 ps
 2496 ?        00:00:00 kvt
 2498 pts/1    00:00:00 bash
 2505 pts/1    00:00:00 \_ nedit
 2506 ?        00:00:00 \_ csh
 2544 ?        00:00:00 \_ xeyes
19221 ?        00:00:01 dfm

Listing 2.4: Output of ps u U rodsmith

$ ps u U rodsmith
USER       PID %CPU %MEM  VSZ  RSS TTY   STAT START TIME COMMAND
rodsmith 19221  0.0  1.5 4484 1984 ?     S    May07 0:01 dfm
rodsmith  2451  0.0  0.8 1856 1048 pts/3 S    16:13 0:00 -bash
rodsmith  2496  0.2  3.2 6232 4124 ?     S    16:17 0:00 /opt/kd
rodsmith  2498  0.0  0.8 1860 1044 pts/1 S    16:17 0:00 bash
rodsmith  2505  0.1  2.6 4784 3332 pts/1 S    16:17 0:00 nedit
rodsmith  2506  0.0  0.7 2124 1012 ?     S    16:17 0:00 /bin/cs
rodsmith  2544  0.0  1.0 2576 1360 ?     S    16:17 0:00 xeyes
rodsmith  2556  0.0  0.7 2588  916 pts/3 R    16:18 0:00 ps u U

The output produced by ps normally begins with a heading line, which displays the meaning of each column. Important information that may be displayed (and labeled) includes the following:

Username
This is the name of the user who runs the programs. Listings 2.3 and 2.4 restricted this output to one user to limit the length of the listings.

Process ID
The process ID (PID) is a number that’s associated with the process. This item is particularly important because you need it to modify or kill the process, as described later in this chapter.

Parent Process ID
The parent process ID (PPID) identifies the process’s parent. (Neither Listing 2.3 nor Listing 2.4 shows the PPID.)

TTY
The teletype (TTY) is a code used to identify a terminal. As illustrated by Listings 2.3 and 2.4, not all processes have TTY numbers—X programs and daemons, for instance, don’t. Text-mode programs do have these numbers, which point to a console, xterm, or remote login session.

CPU Time
The TIME and %CPU headings are two measures of CPU time used. The first indicates the total amount of CPU time consumed, and the second represents the percentage of CPU time the process is using when ps executes. Both can help you spot runaway processes—those that are consuming too much CPU time. Unfortunately, what constitutes “too much” varies from one program to another, so it’s impossible to give a simple rule to help you spot a runaway process.

CPU Priority
As described shortly, in “Managing Process Priorities,” it’s possible to give different processes different priorities for CPU time. The NI column, if present (it’s not in the preceding examples) lists these priority codes. The default value is 0. Positive values represent reduced priority, whereas negative values represent increased priority.

Memory Use
Various headings indicate memory use—for instance, RSS is resident set size (the memory used by the program and its data), and %MEM is the percentage of memory the program is using. Some output formats also include a SHARE column, which is memory that’s shared with other processes (such as shared libraries). As with CPU-use measures, these columns can help point you to the sources of difficulties; but because legitimate memory needs of programs vary so much, it’s impossible to give a simple criterion for when a problem exists.

Command
The final column in most listings is the command used to launch the process. This is truncated in Listing 2.4 because this format lists the complete command, but so much other information appears that the complete command won’t usually fit on one line. (This is where the wide-column options can come in handy.)

As you can see, a lot of information can be gleaned from a ps listing—or perhaps that should be the plural listings, because no single format includes all of the available information. For the most part, the PID, username, and command are the most important pieces of information. In some cases, though, you may need specific other components. If your system’s memory or CPU use has skyrocketed, for instance, you’ll want to pay attention to the memory or CPU use column.

It’s often necessary to find specific processes. You might want to find the PID associated with a particular command in order to kill it, for instance. This information can be gleaned by piping the ps output through grep, as in ps ax | grep bash to find all the instances of bash.

Although you may need a wide screen or xterm to view the output, you may find ps -A --forest to be a helpful command in learning about your system. Processes that aren’t linked to others were either started directly by init or have had their parents killed, and so they have been “adopted” by init. (Chapter 5 describes init and the boot procedure in more detail.) Most of these processes are fairly important—they’re servers, login tools, and so on. Processes that hang off several others in this tree view, such as xeyes and nedit in Listing 2.3, are mostly user programs launched from shells.
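
The PPID column that Listings 2.3 and 2.4 omit is what the tree view is built from. The following added example (not from the book) uses it to trace one process's parentage and to list user processes whose parent is init. The listing is constructed sample data, the function names are hypothetical, and the layout assumed is that of ps -e -o pid,ppid,user,comm, where -o is a ps option this chapter does not cover.

```shell
#!/bin/sh
# Added example: rebuild process parentage from PID/PPID columns.

# sample_ps: constructed listing in the layout of
#   ps -e -o pid,ppid,user,comm
# (assumes command names and usernames contain no spaces)
sample_ps() {
cat <<'EOF'
  PID  PPID USER     COMMAND
    1     0 root     init
  812     1 root     sshd
 2440   812 root     sshd
 2451  2440 alice    bash
 2505  2451 alice    nedit
 2506  2505 alice    csh
 2544  2506 alice    xeyes
 3100     1 alice    dfm
 3205     1 bob      number-crunch
EOF
}

# ancestry PID: read a listing on stdin and print the chain from PID up to
# init. Exits with status 1 if PID is not in the listing.
ancestry() {
    awk -v start="$1" '
        NR > 1 { ppid[$1] = $2; name[$1] = $4 }
        END {
            if (!(start in ppid)) exit 1
            pid = start
            chain = ""
            # The hop limit guards against a truncated or inconsistent listing.
            for (hops = 0; hops < 64; hops++) {
                chain = chain (chain == "" ? "" : " <- ") name[pid] "(" pid ")"
                parent = ppid[pid]
                if (pid == 1 || !(parent in ppid)) break
                pid = parent
            }
            print chain
        }'
}

# user_children_of_init: print "PID USER COMMAND" for every non-root process
# whose parent is PID 1, that is, one started by init or adopted by it.
user_children_of_init() {
    awk 'NR > 1 && $2 == 1 && $3 != "root" { print $1, $3, $4 }'
}

sample_ps | ancestry 2544
sample_ps | user_children_of_init
```

On a live system the same functions read real data, as in ps -e -o pid,ppid,user,comm | ancestry 2544.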

top: A Dynamic ps Variant

If you want to know how much CPU time various processes are consuming relative to one another or if you want to quickly discover which processes are consuming the most CPU time, a tool called top is the one for the job. The top tool is a text-mode program, but of course it can be run in an xterm or similar window, as shown in Figure 2.2; there are also GUI variants, like kpm and gnome-system-monitor. By default, top sorts its entries by CPU use, and it updates its display every few seconds. This makes it a very good tool for spotting runaway processes on an otherwise lightly loaded system—those processes almost always appear in the first position or two, and they consume an inordinate amount of CPU time. Looking at Figure 2.2, you might think that FahCore_65.exe is such a process, but in fact, it’s legitimately consuming a lot of CPU time. You’ll need to be familiar with the purposes and normal habits of programs running on your system in order to make such determinations; the legitimate needs of different programs vary so much that it’s impossible to give a simple rule for judging when a process is consuming too much CPU time.

FIGURE 2.2 The top command shows system summary information and information about the most CPU-intensive processes on a computer.

Like many Linux commands, top accepts several options. The most useful are listed here:

-d delay
This option specifies the delay between updates, which is normally five seconds.

-p pid
If you want to monitor specific processes, you can list them using this option. You’ll need the PIDs, which you can obtain with ps, as described earlier. You can specify up to 20 PIDs by using this option multiple times, once for each PID.

-n iter
You can tell top to display a certain number of updates (iter) and then quit. (Normally, top continues updating until you terminate the program.)

-b
This option specifies batch mode, in which top doesn’t use the normal screen-update commands. You might use this to log CPU use of targeted programs to a file, for instance.

You can do more with top than watch it update its display. When it’s running, you can enter any of several single-letter commands, some of which prompt you for additional information. These commands include the following:

h and ?
These keystrokes display help information.

k
You can kill a process with this command. The top program will ask for a PID number, and if it’s able to kill the process, it will do so. (The upcoming section “Killing Processes” describes other ways to kill processes.)

q
This option quits from top.

r
You can change a process’s priority with this command. You’ll have to enter the PID number and a new priority value—a positive value will decrease its priority, and a negative value will increase its priority, assuming it has the default 0 priority to begin with. Only root may increase a process’s priority. The renice command (described shortly, in “Managing Process Priorities”) is another way to accomplish this task.

s
This command changes the display’s update rate, which you’ll be asked to enter (in seconds).

P
This command sets the display to sort by CPU usage, which is the default.

M
You can change the display to sort by memory usage with this command.

More commands are available in top (both command-line options and interactive commands) than can be summarized here; consult top’s man page for more information.

One of the pieces of information provided by top is the load average, which is a measure of the demand for CPU time by applications. In Figure 2.2, you can see three load-average estimates on the top line; these correspond to the current load average and two previous measures. A system on which no programs are demanding CPU time has a load average of 0.0. A system with one program running CPU-intensive tasks has a load average of 1.0. Higher load averages reflect programs competing for available CPU time. You can also find the current load average via the uptime command, which displays the load average along with information on how long the computer has been running. The load average can be useful in detecting runaway processes. For instance, if a system normally has a load average of 0.5 but suddenly gets stuck at a load average of 2.5, a couple of CPU-hogging processes may have hung—that is, become unresponsive. Hung processes sometimes needlessly consume a lot of CPU time. You can use top to locate these processes and, if necessary, kill them.

Most computers today include multiple CPUs or CPU cores. On such systems, the load average can equal the number of CPUs or cores before competition for CPU time begins. For instance, on a quad-core CPU, the load average can be as high as 4.0 without causing contention. Typically, one program can create a load of just 1.0; however, multi-threaded programs can create higher load averages, particularly on multi-core systems.

jobs: Processes Associated with Your Session

The jobs command displays minimal information about the processes associated with the current session. In practice, jobs is usually of limited value, but it does have a few uses. One of these is to provide job ID numbers. These numbers are conceptually similar to PID numbers, but they’re not the same. Jobs are numbered starting from 1 for each session, and in most cases, a single shell has only a few associated jobs. The job ID numbers are used by a handful of utilities in place of PIDs, so you may need this information.

A second use of jobs is to ensure that all your programs have terminated prior to logging out. Under some circumstances, logging out of a remote login session can cause the client program to freeze up if you’ve left programs running. A quick check with jobs will inform you of any forgotten processes and enable you to shut them down.

Understanding Foreground and Background Processes

One of the most basic process-management tasks is to control whether a process is running in the foreground or the background—that is, whether it’s monopolizing the use of the terminal from which it was launched. Normally, when you launch a program, it takes over the terminal, preventing you from doing other work in that terminal. (Some programs, though, release the terminal. This is most common for servers and some GUI programs.)

If a program is running but you decide you want to use that terminal for something else, pressing Ctrl+Z normally pauses the program and gives you control of the terminal. (An important point is that this procedure suspends the program, so if it’s performing real work, that work stops!) This can be handy if, say, you’re running a text editor in a text-mode login and you want to check a filename so you can mention it in the file you’re editing. You press Ctrl+Z and type ls to get the file listing. To get back to the text editor, you then type fg, which restores the text editor to the foreground of your terminal. If you’ve suspended several processes, you add a job number, as in fg 2 to restore job 2. You can obtain a list of jobs associated with a terminal by typing jobs, which displays the jobs and their job numbers.

A variant on fg is bg. Whereas fg restores a job to the foreground, bg restores a job to running status, but in the background. You can use this command if the process you’re running is performing a CPU-intensive task that requires no human interaction but you want to use the terminal in the meantime. Another use of bg is in a GUI environment—after launching a GUI program from an xterm or similar window, that shell is tied up servicing the GUI program, which probably doesn’t really need the shell. Pressing Ctrl+Z in the xterm window will enable you to type shell commands again, but the GUI program will be frozen. To unfreeze the GUI program, type bg in the shell, which enables the GUI program to run in the background while the shell continues to process your commands.

As an alternative to launching a program, using Ctrl+Z, and typing bg to run a program in the background, you can append an ampersand (&) to the command when launching the program. For instance, rather than edit a file with the NEdit GUI editor by typing nedit myfile.txt, you can type nedit myfile.txt &. This command launches the nedit program in the background from the start, leaving you able to control your xterm window for other tasks.

Managing Process Priorities

Sometimes, you may want to prioritize your programs’ CPU use. For instance, you may be running a program that’s very CPU-intensive but that will take a long time to finish its work, and you don’t want that program to interfere with others that are of a more interactive nature. Alternatively, on a heavily loaded computer, you may have a job that’s more important than others that are running, so you may want to give it a priority boost. In either case, the usual method of accomplishing this goal is through the nice and renice commands. You can use nice to launch a program with a specified priority or use renice to alter the priority of a running program.

You can assign a priority to nice in any of three ways: by specifying the priority preceded by a dash (this works well for positive priorities but makes them look like negative priorities), by specifying the priority after a -n parameter, or by specifying the priority after an --adjustment= parameter. In all cases, these parameters are followed by the name of the program you want to run:

nice [argument] [command [command-arguments]]

For instance, the following three commands are all equivalent:

$ nice -12 number-crunch data.txt
$ nice -n 12 number-crunch data.txt
$ nice --adjustment=12 number-crunch data.txt

All three of these commands run the number-crunch program at priority 12 and pass it the data.txt file. If you omit the adjustment value, nice uses 10 as a default. The range of possible values is −20 to 19, with negative values having the highest priority. Only root may launch a program with increased priority (that is, give a negative priority value), but any user may use nice to launch a program with low priority. The default priority for a program run without nice is 0.

If you’ve found that a running process is consuming too much CPU time or is being swamped by other programs and so should be given more CPU time, you can use the renice program to alter its priority without disrupting the program’s operation. The syntax for renice is as follows:

renice priority [[-p] pids] [[-g] pgrps] [[-u] users]

You must specify the priority, which takes the same values this variable takes with nice. In addition, you must specify one or more PIDs (pids), one or more group IDs (pgrps), or one or more usernames (users). In the latter two cases, renice changes the priority of all programs that match the specified criterion—but only root may use renice in this way. Also, only root may increase a process’s priority. If you give a numeric value without a -p, -g, or -u option, renice assumes the value is a PID. You may mix and match these methods of specification. For instance, you might enter the following command:

# renice 7 16580 -u pdavison tbaker

This command sets the priority to 7 for PID 16580 and for all processes owned by pdavison and tbaker.

Killing Processes

Sometimes, reducing a process’s priority isn’t a strong enough action. A program may have become totally unresponsive, or you may want to terminate a process that shouldn’t be running. In these cases, the kill command is the tool to use. This program sends a signal (a method that Linux uses to communicate with processes) to a process. The signal is usually sent by the kernel, the user, or the program itself to terminate the process. Linux supports many numbered signals, each of which is associated with a specific name. You can see them all by typing kill -l. If you don’t use -l, the syntax for kill is as follows:

kill -s signal pid

Although Linux includes a kill program, many shells, including bash and csh, include built-in kill equivalents that work in much the same way as the external program. If you want to be sure you’re using the external program, type its complete path, as in /bin/kill.

The -s signal parameter sends the specified signal to the process. You can specify the signal using either a number (such as 9) or a name (such as SIGKILL). The signals you’re most likely to use are 1 (SIGHUP, which terminates interactive programs and causes many daemons to reread their configuration files), 9 (SIGKILL, which causes the process to exit without performing routine shutdown tasks), and 15 (SIGTERM, which causes the process to exit but allows it to close open files and so on). If you don’t specify a signal, the default is 15 (SIGTERM). You can also use the shortened form -signal. If you do this and use a signal name, you should omit the SIG portion of the name—for instance, use KILL rather than SIGKILL. The pid option is, of course, the PID for the process you want to kill. You can obtain this number from ps or top.

The kill program will kill only those processes owned by the user who runs kill. The exception is if that user is root; the superuser may kill any user’s processes.

Running Programs Persistently

Signals can be passed to programs by the kernel even if you don’t use the kill command. For instance, when you log out of a session, the programs you started from that session are sent the SIGHUP signal, which causes them to terminate. If you want to run a program that will continue running even when you log out, you can launch it with the nohup program:

$ nohup program options

This command causes the program to ignore the SIGHUP signal. It can be handy if you want to launch certain small servers that may legitimately be run as ordinary users.
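
The practical difference between signals 1, 15, and 9 shows up in what the receiving process gets to do. This added example (not from the book) runs a stand-in job that holds a lock file, sends it signals with kill -s, and reports whether its handlers ran and whether the lock was cleaned up. The names worker, wait_for, and run_case are hypothetical, and the script assumes a sleep that accepts fractional seconds.

```shell
#!/bin/sh
# Added example: what a process can and cannot do on SIGHUP (1),
# SIGTERM (15) and SIGKILL (9).

# worker DIR: stand-in for a long-running job that holds a lock file.
worker() {
    wdir=$1
    : > "$wdir/lock"
    # SIGTERM: record it, release the lock, then exit cleanly.
    trap 'echo TERM >> "$wdir/events"; rm -f "$wdir/lock"; exit 0' TERM
    # SIGHUP: behave like a daemon told to reread its configuration,
    # that is, record the signal and keep running.
    trap 'echo HUP >> "$wdir/events"' HUP
    : > "$wdir/ready"              # handlers are installed from here on
    while :; do sleep 0.1; done    # a pending trap runs between sleeps
}

# wait_for FILE N: poll for up to 5 seconds until FILE has at least N lines.
wait_for() {
    tries=0
    while [ "$tries" -lt 50 ]; do
        if [ -e "$1" ] && [ "$(wc -l < "$1")" -ge "$2" ]; then
            return 0
        fi
        sleep 0.1
        tries=$((tries + 1))
    done
    return 1
}

# run_case SIGNAL...: start a worker, send it each SIGNAL in order, and
# print what it logged, whether its lock file survived, and its exit
# status. The last SIGNAL must be TERM or KILL so that the worker ends.
run_case() {
    cdir=$(mktemp -d) || return 1
    worker "$cdir" > /dev/null 2>&1 &
    cpid=$!
    wait_for "$cdir/ready" 0 || true
    sent=0
    for sig in "$@"; do
        kill -s "$sig" "$cpid"
        if [ "$sig" != KILL ]; then
            # A handled signal appears in the event log. SIGKILL never
            # reaches a handler, so there is nothing to wait for.
            sent=$((sent + 1))
            wait_for "$cdir/events" "$sent" || true
        fi
    done
    status=0
    wait "$cpid" 2> /dev/null || status=$?
    if [ -e "$cdir/events" ]; then
        events=$(paste -sd, "$cdir/events")
    else
        events=none
    fi
    if [ -e "$cdir/lock" ]; then lock=stale; else lock=removed; fi
    rm -rf "$cdir"
    echo "events=$events lock=$lock exit=$status"
}

run_case TERM        # events=TERM lock=removed exit=0
run_case KILL        # events=none lock=stale exit=137
run_case HUP TERM    # events=HUP,TERM lock=removed exit=0
```

The stale lock in the KILL case is the skipped "routine shutdown task", and exit status 137 is 128 plus signal number 9.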

A variant on kill is killall, which has the following form:

killall [options] [--] name [...]

This command kills a process based on its name rather than its PID number. For instance, killall vi kills all the running processes called vi. You may specify a signal in the shortened form (-signal) or by preceding the signal number with -s or --signal. As with kill, the default is 15 (SIGTERM). One potentially important option to killall is -i, which causes it to ask for confirmation before sending the signal to each process. You might use it like this:

$ killall -i vi
Kill vi(13211) ? (y/n) y
Kill vi(13217) ? (y/n) n

In this example, two instances of the Vi editor were running, but only one should have been killed.

As a general rule, if you run killall as root, you should use the -i parameter; if you don’t, it’s all too likely that you’ll kill processes that you shouldn’t, particularly if the computer is being used by many people at once.

Some versions of Unix provide a killall command that works very differently from Linux’s killall. This alternate killall kills all the processes started by the user who runs the command. This is a potentially much more destructive command, so if you ever find yourself on a non-Linux system, do not use killall until you’ve discovered what that system’s killall does (say, by reading the killall man page).

Summary

Linux provides numerous tools to help you manage software. Most distributions are built around the RPM or Debian package systems, both of which enable installation, upgrade, and removal of software using a centralized package database to avoid conflicts and other problems that are common when no central package database exists. You can perform basic operations on individual files or, with the help of extra tools such as Yum and APT, keep your system synchronized with the outside world, automatically or semi-automatically updating all your software to the latest versions.

No matter how you install your software, you may need to manage shared libraries. These software components are necessary building blocks of large modern programs, and in the best of all possible worlds they operate entirely transparently. Sometimes, though, shared libraries need to be upgraded or the system configuration changed so that programs can find the libraries. When this happens, knowing about critical configuration files and commands can help you work around any difficulties.

Beyond managing packages and libraries, Linux software management involves manipulating processes. Knowing how to manipulate foreground and background processes, adjust process priorities, and kill stray processes can help you keep your Linux system working well.

Exam Essentials

Identify critical features of RPM and Debian package formats. RPM and Debian packages store all files for a given package in a single file that also includes information about what other packages the software depends on. These systems maintain a database of installed packages and their associated files and dependencies.

Describe the tools used for managing RPMs. The rpm program is the main tool for installing, upgrading, and uninstalling RPMs. This program accepts operations and options that tell it precisely what to do. The Yum utility, and particularly its yum command, enables installation of a package and all its dependencies via the Internet, rather than from local package files.

Describe the tools used for managing Debian packages. The dpkg program installs or uninstalls a single package or a group of packages you specify. The apt-get utility retrieves programs from installation media or from the Internet for installation and can automatically upgrade your entire system. The dselect program serves as a menu-driven interface to apt-get, enabling you to select programs you want to install from a text-mode menu.

Summarize tools for extracting files and converting between package formats. The rpm2cpio program can convert an RPM file to a cpio archive, enabling users of non-RPM systems to access files in an RPM. The alien utility can convert in any direction between Debian packages, RPMs, Stampede packages, and tarballs. This enables the use of packages intended for one system on another.

Summarize the reasons for using shared libraries. Shared libraries keep disk space and memory requirements manageable by placing code that’s needed by many programs in separate files from the programs that use it, enabling one copy to be used multiple times. More generally, libraries enable programmers to use basic “building blocks” that others have written without having to constantly reinvent code.

Describe methods available to change the library path. The library path can be changed system wide by editing the /etc/ld.so.conf file and then typing ldconfig. For temporary or per-user changes, directories may be added to the path by placing them in the LD_LIBRARY_PATH environment variable.

Explain the difference between foreground and background processes. Foreground processes have control of the current terminal or text-mode window (such as an xterm). Background processes don’t have exclusive control of a terminal or text-mode window but are still running.

Describe how to limit the CPU time used by a process. You can launch a program with nice or use renice to alter its priority in obtaining CPU time. If a process is truly out of control, you can terminate it with the kill command.
ReviewQuestions1.Whichofthefollowingisnotanadvantageofasourcepackageoverabinarypackage?
A.AsinglesourcepackagecanbeusedonmultipleCPUarchitectures.B.Byrecompilingasourcepackage,youcansometimesworkaroundlibraryincompatibilities.C.Youcanmodifythecodeinasourcepackage,thusalteringthebehaviorofaprogram.D.Sourcepackagescanbeinstalledmorequicklythanbinarypackagescan.E.Youmaybeabletorecompilesourcecodeforanon-LinuxUnixprogramonLinux.
2.WhichistrueofusingbothRPMandDebianpackagemanagementsystemsononecomputer?A. It’s generally inadvisable because the two systems don’t share installed-file databaseinformation.B.It’simpossiblebecausetheirinstalled-filedatabasesconflictwithoneanother.C.Itcausesnoproblemsifyouinstallimportantlibrariesonceineachformat.D.It’sacommonpracticeonRedHatandDebiansystems.E.Usingbothsystemssimultaneouslyrequiresinstallingthealienprogram.
3. Which of the following statements is true about binary RPM packages that are built for a
particulardistribution?A.Licenserequirementsforbidusingthepackageonanyotherdistribution.B. They may be used in another RPM-based distribution only when you set the --convert-distribparametertorpm.C.TheymaybeusedinanotherRPM-baseddistributiononlyafteryourecompilethepackage’ssourceRPM.D.TheycanberecompiledforanRPM-baseddistributionrunningonanothertypeofCPU.E.TheycanoftenbeusedonanotherRPM-baseddistributionforthesameCPUarchitecture,butthisisn’tguaranteed.
4.AnadministratortypesthefollowingcommandonanRPM-basedLinuxdistribution:#rpm-ivhmegaprog.rpm
Whatistheeffectofthiscommand?A.Ifthemegaprogpackageisinstalledonthecomputer,itisuninstalled.B.Ifthemegaprog.rpmpackageexists,isvalid,andisn’talreadyinstalledonthecomputer,itisinstalled.C.Themegaprog.rpmsourceRPMpackageiscompiledintoabinaryRPMforthecomputer.D.Nothing;megaprog.rpmisn’tavalidRPMfilename,sorpmwillrefusetooperateonthisfile.E. The megaprog.rpm package replaces any earlier version of the package that’s alreadyinstalledonthecomputer.
5.Which of the following commands will extract the contents of the myfonts.rpm file into thecurrentdirectory?
A.rpm2cpiomyfonts.rpm|cpio-i--make-directoriesB.rpm2cpiomyfonts.rpm>make-directoriesC.rpm-emyfonts.rpmD.alien--to-extractmyfonts.rpmE.rpmbuild--rebuildmyfonts.rpm
6.Tousedpkgtoremoveapackagecalledtheprogram,includingitsconfigurationfiles,whichofthefollowingcommandswouldyouissue?
A.dpkg-etheprogramB.dpkg-ptheprogramC.dpkg-rtheprogramD.dpkg-rtheprogram-1.2.3-4.debE.dpkg-Ptheprogram
7.Whichofthefollowingdescribesadifferencebetweenapt-getanddpkg?A.apt-getprovidesaGUIinterfacetoDebianpackagemanagement;dpkgdoesn’t.B.apt-getcaninstalltarballsinadditiontoDebianpackages;dpkgcan’t.C.apt-getcanautomaticallyretrieveandupdateprogramsfromInternetsites;dpkgcan’t.
D.apt-getisprovidedonlywiththeoriginalDebiandistribution,butdpkgcomeswithDebiananditsderivatives.E.apt-getworksonlywithDebian-baseddistributions,butdpkgcanworkwithbothRPMsandDebianpackages.
8.WhatcommandwouldyoutypetoobtainalistofallinstalledpackagesonaDebiansystem?A.apt-getshowallB.apt-cacheshowpkgC.dpkg-rallpkgsD.dpkg-iE.dpkg--get-selections
9. As root, you type apt-get update on a Debian system. What should be the effect of thiscommand?
A.None;updateisaninvalidoptiontoapt-get.B.TheAPTutilitiesdeliverinformationaboutthelatestupdatesyou’vemadetotheAPTInternetrepositories,enablingyoutoshareyourchangeswithothers.C. TheAPT utilities download all available upgrades for your installed programs and installthemonyoursystem.D. TheAPT utilities retrieve information about the latest packages available so that youmayinstallthemwithsubsequentapt-getcommands.E.TheAPTutilitiesupdatethemselves,ensuringyou’reusingthelatestversionofAPT.
10.Whichof thefollowingcommandswouldyou type toupdate theunzipprogramonaFedorasystemtothelatestversion?(Selectallthatapply.)
A.yumupdateunzipB.yumupgradeunzipC.yum-uunzipD.yum-UunzipE.yumcheck-updateunzip
11. How should you configure a system that uses Yum to access an additional Yum softwarerepository?
A.Editthe/etc/apt/sources.listfiletoincludetherepositorysite’sURL,asdetailedontherepository’sWebsite.B.DownloadapackagefromtherepositorysiteandinstallitwithRPM,orplaceaconfigurationfilefromtherepositorysiteinthe/etc/yum.repos.ddirectory.C.Usetheadd-repositorysubcommandtoyumortheAddRepositoryoptionintheFilemenuinyumex,passingittheURLoftherepository.D.Edit the/etc/yum.conf file, locate the[repos] section,andadd theURLto therepositoryaftertheexistingrepositoryURLs.E.Editthe/etc/yum.conffile,locatetheREPOSITORIES=line,andaddthenewrepositorytothe
colon-delimitedlistonthatline.
12.Whatisthepreferredmethodofaddingadirectorytothelibrarypathforallusers?A.ModifytheLD_LIBRARY_PATHenvironmentvariableinaglobalshellscript.B.Addthedirectorytothe/etc/ld.so.conffile,andthentypeldconfig.C.Typeldconfig/new/dir,where/new/diristhedirectoryyouwanttoadd.D.Createasymboliclinkfromthatdirectorytoonethat’salreadyonthelibrarypath.E.Typeldd/new/dir,where/new/diristhedirectoryyouwanttoadd.
13. You prefer the look of GTK+ widgets to Qt widgets, so you want to substitute the GTK+ libraries for the Qt libraries on your system. How would you do this?
A. You must type ldconfig --makesubs=qt,gtk. This command substitutes the GTK+ libraries for the Qt libraries at load time.
B. You must uninstall the Qt library packages and re-install the GTK+ packages with the --substitute=qt option to rpm or the --replace=qt option to dpkg.
C. You must note the filenames of the Qt libraries, uninstall the packages, and create symbolic links from the Qt libraries to the GTK+ libraries.
D. You can’t easily do this; libraries can’t be arbitrarily exchanged for one another. You would need to rewrite all the Qt-using programs to use GTK+.
E. You must reboot the computer and pass the subst=qt,gtk option to the kernel. This causes the kernel to make the appropriate substitutions.
14. A user types kill -9 11287 at a bash prompt. What is the probable intent, assuming the user typed the correct command?
A. To cut off a network connection using TCP port 11287
B. To display the number of processes that have been killed with signal 11287 in the last nine days
C. To cause a server with process ID 11287 to reload its configuration file
D. To terminate a misbehaving or hung program with process ID 11287
E. To increase the priority of the program running with process ID 11287
15. What programs might you use to learn what your system’s load average is? (Select two.)
A. ld
B. load
C. top
D. uptime
E. la
16. Which of the following commands creates a display of processes, showing the parent-child relationships through links between their names?
A. ps --forest
B. ps aux
C. ps -e
D. ps --tree
E. All of the above
17. You use top to examine the CPU time being consumed by various processes on your system. You discover that one process, dfcomp, is consuming more than 90 percent of your system’s CPU time. What can you conclude?
A. Very little; dfcomp could be legitimately consuming that much CPU time, or it could be an unauthorized or malfunctioning program.
B. No program should consume 90 percent of available CPU time; dfcomp is clearly malfunctioning and should be terminated.
C. This is normal; dfcomp is the kernel’s main scheduling process, and it consumes any unused CPU time.
D. This behavior is normal if your CPU is less powerful than a 2.5GHz EM64T Pentium, but on newer systems, no program should consume 90 percent of CPU time.
E. This behavior is normal if your CPU has at least four cores, but on systems with fewer cores than this, no program should consume 90 percent of CPU time.
18. You type jobs at a bash command prompt and receive a new command prompt with no intervening output. What can you conclude?
A. The total CPU time used by your processes is negligible (below 0.1).
B. No processes are running under your username except the shell you’re using.
C. The jobs shell is installed and working correctly on the system.
D. The system has crashed; jobs normally returns a large number of running processes.
E. No background processes are running that were launched from the shell you’re using.
19. Which two of the following commands are equivalent to one another? (Select two.)
A. nice --value 10 crunch
B. nice -n -10 crunch
C. nice -10 crunch
D. nice 10 crunch
E. nice crunch
20. Which of the following are restrictions on ordinary users’ abilities to run renice? (Select two.)
A. Users may not modify the priorities of processes that are already running.
B. Users may not modify the priority of their programs launched from anything but their current shells.
C. Users may not decrease the priority (that is, increase the priority value) of their own processes.
D. Users may not modify the priorities of other users’ processes.
E. Users may not increase the priority (that is, decrease the priority value) of their own processes.
Chapter 3
Configuring Hardware
THE FOLLOWING EXAM OBJECTIVES ARE COVERED IN THIS CHAPTER:
1.101.1 Determine and configure hardware settings
1.102.1 Design hard disk layout
1.104.1 Create partitions and filesystems
1.104.2 Maintain the integrity of filesystems
1.104.3 Control mounting and unmounting of filesystems
All OSs run atop hardware, and this hardware influences how the OSs run. Most obviously, hardware can be fast or slow, reliable or unreliable. Somewhat more subtly, OSs provide various means of configuring and accessing the hardware—partitioning hard disks and reading data from Universal Serial Bus (USB) devices, for instance. You must understand at least the basics of how Linux interacts with its hardware environment in order to effectively administer a Linux system, so this chapter presents that information.
This chapter begins with a look at firmware, which is the lowest-level software that runs on a computer. A computer’s firmware begins the boot process and configures certain hardware devices. This chapter then moves on to expansion cards and USB devices.
This chapter concludes with an examination of disk hardware and the filesystems it contains—disk interface standards, disk partitioning, how to track disk usage, how to tune filesystems for optimal performance, how to check filesystems’ internal consistency, and how to repair simple filesystem defects. Assuming a filesystem is in good shape, you must be able to mount it to be able to use it, so that topic is also covered here. (One disk topic, boot managers, is covered in Chapter 5, “Booting Linux and Editing Files.”)
Configuring the Firmware and Core Hardware
All computers ship with a set of core hardware—most obviously, a central processing unit (CPU), which does the bulk of the computational work, and random access memory (RAM), which holds data. Many additional basic features help glue everything together, and some of these can be configured both inside and outside of Linux. At the heart of much of this hardware is the firmware, which provides configuration tools and initiates the OS booting process. You can use the firmware’s own user interface to enable and disable key hardware components, but once Linux is booted, you may need to manage this hardware using Linux utilities. Key components managed by the firmware (and, once it’s booted, Linux) include interrupts, I/O addresses, DMA addresses, the real-time clock, and Advanced Technology Attachment (ATA) hard disk interfaces.
Understanding the Role of the Firmware
Many hardware devices include firmware, so any given computer can have many types of firmware installed—for the motherboard, for a plug-in disk controller, for modems, and so on. The most important firmware, though, is installed on the computer’s motherboard. This firmware initializes the motherboard’s hardware and controls the boot process. In the past, the vast majority of x86- and x86-64-based computers have used a type of firmware known as the Basic Input/Output System (BIOS). Beginning in 2011, though, a new type of firmware, known as the Extensible Firmware Interface (EFI) or the Unified EFI (UEFI), has become all but standard on new computers. Some older computers also use EFI. Despite the fact that EFI isn’t technically a BIOS, most manufacturers refer to it by that name in their documentation. The exam objectives refer to the BIOS, but not to EFI. Nonetheless, in the real world you’re likely to encounter EFI on newer computers. The differences between BIOS and EFI are particularly important in booting the computer, as described in Chapter 5. For many of the setup tasks described in this chapter, the two types of firmware behave very similarly, although EFI implementations sometimes provide flashier graphical user interfaces; most BIOSs, and some EFIs, provide only text-mode user interfaces.
In this book, I use the term EFI to refer both to the original EFI and to the newer UEFI, which is effectively EFI 2.x.
The motherboard’s firmware resides in electronically erasable programmable read-only memory (EEPROM), aka flash memory. When you turn on a computer, the firmware performs a power-on self-test (POST), initializes hardware to a known operational state, loads the boot loader from the boot device (typically the first hard disk), and passes control to the boot loader, which in turn loads the OS.
Historically, a further purpose of a BIOS was to provide fundamental input/output (I/O) services to the operating system and application programs, insulating them from hardware changes. Although the Linux kernel uses the BIOS to collect information about the hardware, once Linux is running, it doesn’t use BIOS services for I/O. In theory, some EFI services can be used by the OS, but as of the 3.5.0 kernel, Linux takes advantage of few of these EFI features. Linux system administrators require a basic understanding of the BIOS or EFI because of the key role it plays in configuring hardware and in booting.
Most x86 and x86-64 computers use a BIOS or an EFI; however, some computers use radically different software in place of these types of firmware. Older PowerPC-based Apple computers, for instance, use OpenFirmware. (Intel-based Macs use EFI.) Although OpenFirmware, EFI, and other firmware programs differ from the traditional (some now say “legacy”) x86 BIOS, these systems all perform similar tasks. If you must administer a computer with an unusual firmware, you should take some time to research the details of how its firmware operates; however, this won’t greatly affect how Linux treats the hardware at the level of day-to-day system administration.
Although firmware implementations vary from manufacturer to manufacturer, most BIOSs and EFIs provide an interactive facility to configure them. Typically, you enter this setup tool by pressing the Delete key or a function key early in the boot sequence. (Consult your motherboard manual or look for onscreen prompts for details.) Figure 3.1 shows a typical BIOS setup main screen. You can use the arrow keys, the Enter key, and so on to move around the BIOS options and adjust them. Computers usually come delivered with reasonable BIOS defaults, but you may need to adjust them if you add new hardware or if a standard piece of hardware is causing problems.
FIGURE 3.1 A BIOS setup screen provides features related to low-level hardware configuration.
PCs with EFIs may provide setup utilities similar to the one shown in Figure 3.1. As noted earlier, though, some EFIs feature flashier GUIs rather than a text-based user interface. Others are organized in a very different way, as shown in Figure 3.2. The variability makes it impossible to provide simple instructions on how to locate specific features; you may need to read your manual or explore the options your firmware provides.
FIGURE 3.2 Firmware user interfaces vary greatly from one to another; you may need to spend some time exploring yours.
One key ability of the firmware is to enable or disable on-board hardware. Modern motherboards provide a wide range of hardware devices, including floppy disk controllers, hard disk controllers, RS-232 serial ports, parallel ports, USB ports, Ethernet ports, audio hardware, and even video hardware. Usually, having this hardware available is beneficial, but sometimes it’s not. The hardware may be inadequate, so you’ll want to replace it with a more capable plug-in card; or you may not need it. In such cases, you can disable the device in the firmware. Doing so keeps the device from consuming the hardware resources that are described shortly, reducing the odds of an unused device interfering with the hardware you do use.
Precisely how to disable hardware in the firmware varies from one computer to another. You should peruse the available menus to find mention of the hardware you want to disable. Menus entitled Integrated Peripherals or Advanced are particularly likely to hold these features. Once you’ve spotted the options, follow the onscreen prompts for hints about how to proceed; for instance, Figure 3.1 shows an Item Specific Help area on the right side of the screen. Information about keys to press to perform various actions appears here. (Although not identified as a help area, the right side of the screen in Figure 3.2 provides similar hints.) Once you’re finished, follow the onscreen menus and prompts to save your changes and exit. When you do so, the computer will reboot.
Once Linux boots, it uses its own drivers to access the computer’s hardware. Understanding the hardware resources that Linux uses will help you determine when you may want to shut down, boot into the firmware, and disable particular hardware devices at such a low level.
Booting Without a Keyboard
Most PCs have keyboards attached to them; however, many Linux computers function as servers, which don’t require keyboards for day-to-day operation. In such cases, you may want to detach the keyboard to reduce clutter and eliminate the risk of accidental keypresses causing problems. Unfortunately, many computers complain and refuse to boot if you unplug the keyboard and attempt to boot the computer. To disable this warning, look for a firmware option called Halt On or something similar. This option tells the firmware under what circumstances it should refuse to boot. You should find an option to disable the keyboard check. Once you select this option, you should be able to shut down, detach the keyboard, and boot normally. Of course, you’ll need to be able to access the computer via a network connection or in some other way to administer it, so be sure this is configured before you remove the keyboard!
IRQs
An interrupt request (IRQ), or interrupt, is a signal sent to the CPU instructing it to suspend its current activity and to handle some external event such as keyboard input. On the x86 platform, IRQs are numbered from 0 to 15. More modern computers, including x86-64 systems, provide more than these 16 interrupts. Some interrupts are reserved for specific purposes, such as the keyboard and the real-time clock; others have common uses (and are sometimes overused) but may be reassigned; and some are left available for extra devices that may be added to the system. Table 3.1 lists the IRQs and their common purposes in the x86 system. (On x86-64 systems, IRQs are typically assigned as in Table 3.1, but additional hardware may be assigned to higher IRQs.)
TABLE 3.1 IRQs and their common uses

| IRQ | Typical use | Notes |
|---|---|---|
| 0 | System timer | Reserved for internal use. |
| 1 | Keyboard | Reserved for keyboard use only. |
| 2 | Cascade for IRQs 8–15 | The original x86 IRQ-handling circuit can manage just 8 IRQs; 2 are tied together to handle 16 IRQs, but IRQ 2 must be used to handle IRQs 8–15. |
| 3 | Second RS-232 serial port (COM2: in Windows) | May also be shared by a fourth RS-232 serial port. |
| 4 | First RS-232 serial port (COM1: in Windows) | May also be shared by a third RS-232 serial port. |
| 5 | Sound card or second parallel port (LPT2: in Windows) | |
| 6 | Floppy disk controller | Reserved for the first floppy disk controller. |
| 7 | First parallel port (LPT1: in Windows) | |
| 8 | Real-time clock | Reserved for system clock use only. |
| 9 | Open interrupt | |
| 10 | Open interrupt | |
| 11 | Open interrupt | |
| 12 | PS/2 mouse | |
| 13 | Math coprocessor | Reserved for internal use. |
| 14 | Primary ATA controller | The controller for ATA devices such as hard drives; traditionally /dev/hda and /dev/hdb under Linux.¹ |
| 15 | Secondary ATA controller | The controller for more ATA devices; traditionally /dev/hdc and /dev/hdd under Linux.¹ |

¹ Most modern distributions treat ATA disks as SCSI disks, which changes their device identifiers from /dev/hdx to /dev/sdx.
IRQ 5 is a common source of interrupt conflicts on older computers because it’s the default value for sound cards as well as for second parallel ports. Modern computers often use a higher IRQ for sound cards and also often lack parallel ports.
The original Industry Standard Architecture (ISA) bus design makes sharing an interrupt between two devices tricky. Ideally, every ISA device should have its own IRQ. The more recent Peripheral Component Interconnect (PCI) bus makes sharing interrupts a bit easier, so PCI devices frequently end up sharing an IRQ. The ISA bus has become rare on computers made since 2001 or so.
Once a Linux system is running, you can explore what IRQs are being used for various purposes by examining the contents of the /proc/interrupts file. A common way to do this is with the use of the cat command:
$ cat /proc/interrupts
           CPU0
  0:         42   IO-APIC-edge      timer
  1:     444882   IO-APIC-edge      i8042
  4:         12   IO-APIC-edge
  6:         69   IO-APIC-edge      floppy
  8:          0   IO-APIC-edge      rtc
  9:          0   IO-APIC-fasteoi   acpi
 14:    3010291   IO-APIC-edge      ide0
 15:   11156960   IO-APIC-edge      ide1
 16:  125264892   IO-APIC-fasteoi   eth0
 17:          0   IO-APIC-fasteoi   cx88[0], cx88[0]
 20:    3598946   IO-APIC-fasteoi   sata_via
 21:    4566307   IO-APIC-fasteoi   uhci_hcd:usb1, uhci_hcd:usb2, ehci_hcd:usb3
 22:     430444   IO-APIC-fasteoi   VIA8237
NMI:          0   Non-maskable interrupts
LOC:  168759611   Local timer interrupts
TRM:          0   Thermal event interrupts
THR:          0   Threshold APIC interrupts
SPU:          0   Spurious interrupts
ERR:          0
The /proc filesystem is a virtual filesystem—it doesn’t refer to actual files on a hard disk but to kernel data that’s convenient to represent using a filesystem. The files in /proc provide information about the hardware, running processes, and so on. Many Linux utilities use /proc behind the scenes; or you can directly access these files using utilities like cat, which copies the data to the screen when given just one argument.
This output shows the names of the drivers that are using each IRQ. Some of these driver names are easy to interpret, such as floppy. Others are more puzzling, such as cx88 (it’s a driver for a video capture card). If the purpose of a driver isn’t obvious, try doing a Web search on it; chances are you’ll find a relevant hit fairly easily. Note that the preceding output shows interrupts numbered up to 22; this system supports more than the 16 base x86 interrupts.
The /proc/interrupts file lists IRQs that are in use by Linux, but Linux doesn’t begin using an IRQ until the relevant driver is loaded. This may not happen until you try to use the hardware. Thus, the /proc/interrupts list may not show all the interrupts that are configured on your system. For instance, the preceding example shows nothing for IRQ 7, which is reserved for the parallel port, because the port hadn’t been used prior to viewing the file. If the parallel port were used and /proc/interrupts viewed again, an entry for IRQ 7 and the parport0 driver would appear.
Although IRQ conflicts are rare on modern hardware, they do occasionally still crop up. When this happens, you must reconfigure one or more devices to use different IRQs. This topic is described shortly, in “Configuring Expansion Cards.”
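The following script is an added example, not part of the book: it reads a /proc/interrupts listing and reports which IRQs are shared by several handlers, which IRQ a given driver has registered, and which of the 16 legacy IRQs currently have no handler. The function names and the embedded sample are constructed for illustration, and the parser assumes the column layout shown in the listing above (one controller-type field before the handler names).

```shell
#!/bin/sh
# Added example (not from the book): audit a /proc/interrupts listing.
# Assumed layout: "IRQ:", one counter per CPU, one controller-type field,
# then comma-separated handler names.

# Constructed sample input, modelled on the listing in the text.
sample_interrupts() {
cat <<'EOF'
           CPU0
  0:         42   IO-APIC-edge      timer
  1:     444882   IO-APIC-edge      i8042
  4:         12   IO-APIC-edge
  6:         69   IO-APIC-edge      floppy
  8:          0   IO-APIC-edge      rtc
  9:          0   IO-APIC-fasteoi   acpi
 14:    3010291   IO-APIC-edge      ide0
 15:   11156960   IO-APIC-edge      ide1
 16:  125264892   IO-APIC-fasteoi   eth0
 17:          0   IO-APIC-fasteoi   cx88[0], cx88[0]
 20:    3598946   IO-APIC-fasteoi   sata_via
 21:    4566307   IO-APIC-fasteoi   uhci_hcd:usb1, uhci_hcd:usb2, ehci_hcd:usb3
 22:     430444   IO-APIC-fasteoi   VIA8237
NMI:          0   Non-maskable interrupts
LOC:  168759611   Local timer interrupts
ERR:          0
EOF
}

# shared_irqs: print "IRQ<TAB>handlers" for each numbered IRQ that has
# more than one handler registered.
shared_irqs() {
    awk '
    NR == 1 { ncpu = NF; next }          # header row: one field per CPU
    $1 ~ /^[0-9]+:$/ {
        irq = $1; sub(/:$/, "", irq)
        handlers = ""
        for (i = ncpu + 3; i <= NF; i++)
            handlers = handlers (handlers == "" ? "" : " ") $i
        if (split(handlers, parts, /, */) > 1)
            printf "%s\t%s\n", irq, handlers
    }'
}

# irqs_for_driver NAME: print the IRQ numbers on which handler NAME is
# registered. No output means the driver has not claimed an IRQ (yet).
irqs_for_driver() {
    awk -v want="$1" '
    NR == 1 { ncpu = NF; next }
    $1 ~ /^[0-9]+:$/ {
        irq = $1; sub(/:$/, "", irq)
        for (i = ncpu + 3; i <= NF; i++) {
            h = $i; sub(/,$/, "", h)
            if (h == want) { print irq; break }
        }
    }'
}

# idle_legacy_irqs: print the IRQs in 0-15 that have no handler listed,
# either because the line is absent or because it names no driver.
idle_legacy_irqs() {
    awk '
    NR == 1 { ncpu = NF; next }
    $1 ~ /^[0-9]+:$/ && NF >= ncpu + 3 {
        irq = $1; sub(/:$/, "", irq); used[irq + 0] = 1
    }
    END {
        out = ""
        for (n = 0; n <= 15; n++)
            if (!(n in used)) out = out (out == "" ? "" : " ") n
        print out
    }'
}

# Run against the sample; pipe the live /proc/interrupts in instead to
# inspect a real system that uses the same layout.
sample_interrupts | shared_irqs
```

An idle legacy IRQ is not proof that the hardware is absent; as the note above explains, the line appears only once a driver has claimed the interrupt.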
I/O Addresses
I/O addresses (also referred to as I/O ports) are unique locations in memory that are reserved for communications between the CPU and specific physical hardware devices. Like IRQs, I/O addresses are commonly associated with specific devices and should not ordinarily be shared. Table 3.2 lists some Linux device filenames along with the equivalent names in Windows, as well as the common IRQ and I/O address settings.
TABLE 3.2 Common Linux devices
Although the use is deprecated, older systems sometimes use /dev/cuax (where x is a number 0 or greater) to indicate an RS-232 serial device. Thus, /dev/ttyS0 and /dev/cua0 refer to the same physical device.
Once a Linux system is running, you can explore what I/O addresses the computer is using by examining the contents of the /proc/ioports file. A common way to do this is with the cat command:
$ cat /proc/ioports
0000-001f : dma1
0020-0021 : pic1
0040-0043 : timer0
0050-0053 : timer1
0060-006f : keyboard
0070-0077 : rtc
0080-008f : dma page reg
00a0-00a1 : pic2
00c0-00df : dma2
00f0-00ff : fpu
This example truncates the output, which goes on for quite a way on the test system. As with IRQs, if your system suffers from I/O port conflicts, you must reconfigure one or more devices, as described in “Configuring Expansion Cards.” In practice, such conflicts are rarer than IRQ conflicts.
DMA Addresses
Direct memory addressing (DMA) is an alternative method of communication to I/O ports. Rather than have the CPU mediate the transfer of data between a device and memory, DMA permits the device to transfer data directly, without the CPU’s attention. The result can be lower CPU requirements for I/O activity, which can improve overall system performance.
To support DMA, the x86 architecture implements several DMA channels, each of which can be used by a particular device. To learn what DMA channels your system uses, examine the /proc/dma file:
$ cat /proc/dma
 2: floppy
 4: cascade
This output indicates that DMA channels 2 and 4 are in use. As with IRQs and I/O ports, DMA addresses should not normally be shared. In practice, DMA address conflicts are rarer than IRQ conflicts, so chances are you won’t run into problems. If you do, consult the upcoming section “Configuring Expansion Cards.”
Boot Disks and Geometry Settings
Most firmware implementations enable you to choose the order in which devices are booted. This is an area in which BIOS and EFI differ, and there are substantial implementation-to-implementation differences, too. Generally speaking, though, the rules are as follows:
BIOS: The BIOS boot process begins by reading a boot sector (typically the first sector) from a disk and then executing that code. Thus, boot options for BIOS-based computers are limited; you can only select the order in which various boot devices (hard disks, floppy disks, optical disks, USB devices, and so on) are examined to find a boot sector.
EFI: Under EFI, the boot process involves reading a boot loader file from a filesystem on a special partition, known as the EFI System Partition (ESP). This file either can take a special default name or can be registered in the computer’s NVRAM. Thus, EFI computers often present an extended range of boot options, involving both default boot loader files from various devices (to enable granting precedence to a bootable USB flash drive, for example) and multiple boot loaders on the computer’s hard disks. Some primitive EFI implementations, though, present simple BIOS-like boot options.
Many EFI implementations support a BIOS compatibility mode and so can boot media intended for BIOS-based computers. This feature, intended to help in the transition from BIOS to EFI, can complicate firmware setup and OS installation because it creates extra boot options that users often don’t understand.
Although boot sequences involving removable disks are common, they have their problems. For instance, if somebody accidentally leaves a floppy disk in the drive, this can prevent the system from booting. Worse, some viruses are transmitted by BIOS boot sectors, so this method can result in viral infection. Using removable disks as the default boot media also opens the door to intruders who have physical access to the computer; they need only reboot with a bootable removable disk or CD-ROM to gain complete control of your system. For these reasons, it’s better to make the first hard disk (or a boot loader on a hard disk’s ESP, in the case of EFI) the only boot device. (You must change this configuration when installing Linux or using an emergency boot disk for maintenance.) Most modern computers make temporary changes easier by providing a special key to allow a one-time change to the boot sequence. On older computers, to change the boot sequence, you must locate the appropriate firmware option, change it, and reboot the computer. It’s usually located in an Advanced menu, so look there.
Another disk option is the one for detecting disk devices. Figure 3.1 shows three disk devices: the A: floppy disk (/dev/fd0 under Linux), a 1048MB primary master hard disk, and a CD-ROM drive as the secondary master. In most cases, the firmware detects and configures hard disks and CD-ROM drives correctly. In rare circumstances, you must tell a BIOS-based computer about the hard disk’s cylinder/head/sector (CHS) geometry.
The CHS geometry is a holdover from the early days of the x86 architecture. Figure 3.3 shows the traditional hard disk layout, which consists of a fixed number of read/write heads that can move across the disk surfaces (or platters). As the disk spins, each head marks out a circular track on its platter; these tracks collectively make up a cylinder. Each track is broken down into a series of sectors. Thus, any sector on a hard disk can be uniquely identified by three numbers: a cylinder number, a head number, and a sector number. The x86 BIOS was designed to use this three-number CHS identification code. One consequence of this configuration is that the BIOS must know how many cylinders, heads, and sectors the disk has. Modern hard disks relay this information to the BIOS automatically; but for compatibility with the earliest hard disks, BIOSs still enable you to set these values manually.
FIGURE 3.3 Hard disks are built from platters, each of which is broken into tracks, which are broken into sectors.
The BIOS will detect only certain types of disks. Of particular importance, SCSI disks and (on some older computers) serial ATA (SATA) disks won’t appear in the main BIOS disk-detection screen. These disks are handled by supplementary firmware associated with the controllers for these devices. Some BIOSs do provide explicit options to add SCSI devices into the boot sequence, so you can give priority to either ATA or SCSI devices. For those without these options, SCSI disks generally take second seat to ATA disks.
CHS geometry, unfortunately, has its problems. For one thing, all but the earliest hard disks use variable numbers of sectors per cylinder—modern disks squeeze more sectors onto outer tracks than inner ones, fitting more data on each disk. Thus, the CHS geometry presented to the BIOS by the hard disk is a convenient lie. Worse, because of limits on the numbers in the BIOS and in the ATA hard disk interface, plain CHS geometry tops out at 504MiB, which is puny by today’s standards. Various patches, such as CHS geometry translation, can be used to expand the limit to about 8GiB. Today, though, the preference is to use logical block addressing (LBA) mode. (Some sources use the expansion linear block addressing for this acronym.) In this mode, a single unique number is assigned to each sector on the disk, and the disk’s firmware is smart enough to read from the correct head and cylinder when given this sector number. Modern BIOSs typically provide an option to use LBA mode, CHS translation mode, or possibly some other modes with large disks. EFI doesn’t use CHS addressing at all, except in its BIOS compatibility mode; instead, EFI uses LBA mode exclusively. In most cases, LBA mode is the best choice. If you must retrieve data from very old disks, though, you may need to change this option.
Because of variability in how different BIOSs handle CHS translation, moving disks between computers can result in problems because of mismatched CHS geometries claimed in disk structures and by the BIOS. Linux is usually smart enough to work around such problems, but you may see some odd error messages in disk utilities like fdisk. If you see messages about inconsistent CHS geometries, proceed with caution when using low-level disk utilities lest you create an inconsistent partition table that could cause problems, particularly in OSs that are less robust than Linux on this score.
Coldplug and Hotplug Devices
Whenever you deal with hardware, you should keep in mind a distinction between two device types: coldplug and hotplug. These device types differ depending on whether they can be physically attached and detached when the computer is turned on (that is, “hot”), versus only when it’s turned off (“cold”).
Coldplug devices are designed to be physically connected and disconnected only when the computer is turned off. Attempting to attach or detach such devices when the computer is running can damage the device or the computer, so do not attempt to do so.
Traditionally, components that are internal to the computer, such as the CPU, memory, PCI cards, and hard disks, have been coldplug devices. A hotplug variant of PCI, however, has been developed and is used on some computers—mainly on servers and other systems that can’t afford the downtime required to install or remove a device. Hot-plug SATA devices are also available.
Modern external devices, such as Ethernet, USB, and IEEE-1394 devices, are hotplug; you can attach and detach such devices as you see fit. These devices rely on specialized Linux software to detect the changes to the system as they’re attached and detached. Several utilities help in managing hotplug devices:
Sysfs: The sysfs virtual filesystem, mounted at /sys, exports information about devices so that user-space utilities can access the information.
A user space program is one that runs as an ordinary program, whether it runs as an ordinary user or as root. This contrasts with kernel space code, which runs as part of the kernel. Typically, only the kernel (and hence kernel-space code) can communicate directly with hardware. User-space programs are the ultimate users of hardware, though. Traditionally, the /dev filesystem has provided the main means of interface between user-space programs and hardware; however, the tools described here help expand on this access, particularly in ways that are useful for hotplug devices.
HAL Daemon: The Hardware Abstraction Layer (HAL) Daemon, or hald, is a user-space program that runs at all times (that is, as a daemon) that provides other user-space programs with information about available hardware.
D-Bus: The Desktop Bus (D-Bus) provides a further abstraction of hardware information access. Like hald, D-Bus runs as a daemon. D-Bus enables processes to communicate with each other as well as to register to be notified of events, both by other processes and by hardware (such as the availability of a new USB device).
udev: Traditionally, Linux has created device nodes as conventional files in the /dev directory tree. The existence of hotplug devices and various other issues, however, have motivated the creation of udev: a virtual filesystem, mounted at /dev, which creates dynamic device files as drivers are loaded and unloaded. You can configure udev through files in /etc/udev, but the standard configuration is usually sufficient for common hardware.
These tools all help programs work seamlessly in a world of hotplug devices by enabling the programs to learn about hardware, including receiving notification when the hardware configuration changes.
Older external devices, such as parallel and RS-232 ports, are officially coldplug in nature. In practice, many people treat these devices as if they were hotplug, and they can usually get away with it; but there is a risk of damage, so it’s safest to power down a computer before connecting or disconnecting such a device. When RS-232 or parallel port devices are hotplugged, they typically aren’t registered by tools such as udev and hald. Only the ports to which these devices connect are handled by the OS; it’s up to user-space programs, such as terminal programs or the printing system, to know how to communicate with the external devices.
Configuring Expansion Cards
Many hardware devices require configuration—you must set the IRQ, I/O port, and DMA addresses used by the device. (Not all devices use all three resources.) Through the mid-1990s, this process involved tedious changes to jumpers on the hardware. Today, though, you can configure most options through software.
Even devices that are built into the motherboard are configured through the same means used to configure PCI cards.
Configuring PCI Cards
The PCI bus, which is the standard expansion bus for most internal devices, was designed with Plug-and-Play (PnP)-style configuration in mind; thus, automatic configuration of PCI devices is the rule rather than the exception. For the most part, PCI devices configure themselves automatically, and there’s no need to make any changes. You can, though, tweak how PCI devices are detected in several ways:
- The Linux kernel has several options that affect how it detects PCI devices. You can find these in the kernel configuration screens under Bus Options. Most users can rely on the options in their distributions’ default kernels to work properly; but if you recompile your kernel yourself and if you’re having problems with device detection, you may want to study these options.
- Most firmware implementations have PCI options that change the way PCI resources are allocated. Adjusting these options may help if you run into strange hardware problems with PCI devices.
- Some Linux drivers support options that cause them to configure the relevant hardware to use particular resources. You should consult the drivers’ documentation files for details of the options they support. You must then pass these options to the kernel using a boot loader (as described in Chapter 5) or as kernel module options.
- You can use the setpci utility to directly query and adjust PCI devices’ configurations. This tool is most likely to be useful if you know enough about the hardware to fine-tune its low-level configuration; it’s not often used to tweak the hardware’s basic IRQ, I/O port, or DMA options.
In addition to the configuration options, you may want to check how PCI devices are currently configured. You can use the lspci command for this purpose; it displays all information about the PCI busses on your system and all devices connected to those busses. This command takes several options that fine-tune its behavior. Table 3.3 lists the most common of these.
TABLE 3.3 Options for lspci

| Option | Effect |
|---|---|
| -v | Increases verbosity of output. This option may be doubled (-vv) or tripled (-vvv) to produce yet more output. |
| -n | Displays information in numeric codes rather than translating the codes to manufacturer and device names. |
| -nn | Displays both the manufacturer and device names and their associated numeric codes. |
| -x | Displays the PCI configuration space for each device as a hexadecimal dump. This is an extremely advanced option. Tripling (-xxx) or quadrupling (-xxxx) this option displays information about more devices. |
| -b | Shows IRQ numbers and other data as seen by devices rather than as seen by the kernel. |
| -t | Displays a tree view depicting the relationship between devices. |
| -s [[[[domain]:]bus]:][slot][.[func]] | Displays only devices that match the listed specification. This can be used to trim the results of the output. |
| -d [vendor]:[device] | Shows data on the specified device. |
| -i file | Uses the specified file to map vendor and device IDs to names. (The default is /usr/share/misc/pci.ids.) |
| -m | Dumps data in a machine-readable form, intended for use by scripts. A single -m uses a backward-compatible format, whereas doubling (-mm) uses a newer format. |
| -D | Displays PCI domain numbers. These numbers normally aren’t displayed. |
| -M | Performs a scan in bus-mapping mode, which can reveal devices hidden behind a misconfigured PCI bridge. This is an advanced option that can be used only by root. |
| --version | Displays version information. |
Learning about Kernel Modules
Hardware in Linux is handled by kernel drivers, many of which come in the form of kernel modules. These are stand-alone driver files, typically stored in the /lib/modules directory tree, that can be loaded to provide access to hardware and unloaded to disable such access. Typically, Linux loads the modules it needs when it boots, but you may need to load additional modules yourself.
You can learn about the modules that are currently loaded on your system by using lsmod, which takes no options and produces output like this:
$ lsmod
Module                  Size  Used by
isofs                  35820  0
zlib_inflate           21888  1 isofs
floppy                 65200  0
nls_iso8859_1           5568  1
nls_cp437               7296  1
vfat                   15680  1
fat                    49536  1 vfat
sr_mod                 19236  0
ide_cd                 42848  0
cdrom                  39080  2 sr_mod,ide_cd
This output has been edited for brevity. Although outputs this short are possible with certain configurations, they’re rare.
The most important column in this output is the first one, labeled Module; this column specifies the names of all the modules that are currently loaded. You can learn more about these modules with modinfo, as described shortly, but sometimes their purpose is fairly obvious. For instance, the cdrom module provides access to the optical drive.
The Used by column of the lsmod output describes what’s using the module. All the entries have a number, which indicates the number of other modules or processes that are using the module. For instance, in the preceding example, the isofs module (used to access CD-ROM filesystems) isn’t currently in use, as revealed by its 0 value; but the vfat module (used to read VFAT hard disk partitions and floppies) is being used, as shown by its value of 1. If one of the modules is being used by another module, the using module’s name appears in the Used by column. For instance, the isofs module relies on the zlib_inflate module, so the latter module’s Used by column includes the isofs module name. This information can be useful when you’re managing modules. For instance, if your system produced the preceding output, you couldn’t directly remove the zlib_inflate module because it’s being used by the isofs module; but you could remove the isofs module, and after doing so, you could remove the zlib_inflate module. (Both modules would need to be added back to read most CD-ROMs, though.)
Thelsmodcommanddisplaysinformationonlyaboutkernelmodules,notaboutdriversthatarecompileddirectlyintotheLinuxkernel.Forthisreason,amodulemayneedtobeloadedononesystembutnotonanothertousethesamehardwarebecausethesecondsystemmaycompiletherelevantdriverdirectlyintothekernel.
Loading Kernel Modules

Linux enables you to load kernel modules with two programs: insmod and modprobe. The insmod program inserts a single module into the kernel. This process requires you to have already loaded any modules on which the module you’re loading relies. The modprobe program, by contrast, automatically loads any depended-on modules and so is generally the preferred way to do the job.

In practice, you may not need to use insmod or modprobe to load modules because Linux can load them automatically. This ability relies on the kernel’s module auto-loader feature, which must be compiled into the kernel, and on various configuration files, which are also required for modprobe and some other tools. Using insmod and modprobe can be useful for testing new modules or for working around problems with the auto-loader, though.

In practice, insmod is a fairly straightforward program to use; you type its name followed by the module filename:

# insmod /lib/modules/2.6.26/kernel/drivers/block/floppy.ko

This command loads the floppy.ko module, which you must specify by filename. Modules have module names, too, which are usually the same as the filename but without the extension, as in floppy for the floppy.ko file. Unfortunately, insmod requires the full module name.

You can pass additional module options to the module by adding them to the command line. Module options are highly module-specific, so you must consult the documentation for the module to learn what to pass. Examples include options to tell an RS-232 serial port driver what interrupt to use to access the hardware or to tell a video card framebuffer driver what screen resolution to use.

Some modules depend on other modules. In these cases, if you attempt to load a module that depends on others and those other modules aren’t loaded, insmod will fail. When this happens, you must either track down and manually load the depended-on modules or use modprobe. In the simplest case, you can use modprobe much as you use insmod, by passing it a module name:

# modprobe floppy

As with insmod, you can add kernel options to the end of the command line. Unlike insmod, you specify a module by its module name rather than its module filename when you use modprobe. Generally speaking, this helps make modprobe easier to use, as does the fact that modprobe automatically loads dependencies. This greater convenience means that modprobe relies on configuration files. It also means that you can use options (placed between the command name and the module name) to modify modprobe’s behavior:

Be Verbose
The -v or --verbose option tells modprobe to display extra information about its operations. Typically, this includes a summary of every insmod operation it performs.

Change Configuration Files
The modprobe program uses a configuration file called /etc/modprobe.conf (or multiple files in /etc/modprobe.d). You can change the configuration file or directory by passing a new file with the -C filename option, as in modprobe -C /etc/mymodprobe.conf floppy.

Perform a Dry Run
The -n or --dry-run option causes modprobe to perform checks and all other operations except the actual module insertions. You might use this option in conjunction with -v to see what modprobe would do without loading the module. This may be helpful in debugging, particularly if inserting the module is having some detrimental effect, such as disabling disk access.

Remove Modules
The -r or --remove option reverses modprobe’s usual effect; it causes the program to remove the specified module and any on which it depends. (Depended-on modules are not removed if they’re in use.)

Force Loading
The -f or --force option tells modprobe to force the module loading even if the kernel version doesn’t match what the module expects. This action is potentially dangerous, but it’s occasionally required when using third-party binary-only modules.

Show Dependencies
The --show-depends option shows all the modules on which the specified module depends. This option doesn’t install any of the modules; it’s purely informative in nature.

Show Available Modules
The -l or --list option displays a list of available options whose names match the wildcard you specify. For instance, typing modprobe -l v* displays all modules whose names begin with v. If you provide no wildcard, modprobe displays all available modules. Like --show-depends, this option doesn’t cause any modules to be loaded.

This list of options is incomplete. The others are relatively obscure, so you’re not likely to need them often. Consult the modprobe man page for more information.
Removing Kernel Modules

In most cases, you can leave modules loaded indefinitely; the only harm that a module does when it’s loaded but not used is to consume a small amount of memory. (The lsmod program shows how much memory each module consumes.) Sometimes, though, you may want to remove a loaded module. Reasons include reclaiming that tiny amount of memory, unloading an old module so you can load an updated replacement module, and removing a module that you suspect is unreliable.

The work of unloading a kernel module is done by the rmmod command, which is basically the opposite of insmod. The rmmod command takes a module name as an option, though, rather than a module filename:

# rmmod floppy

This example command unloads the floppy module. You can modify the behavior of rmmod in various ways:

Be Verbose
Passing the -v or --verbose option causes rmmod to display some extra information about what it’s doing. This may be helpful if you’re troubleshooting a problem.

Force Removal
The -f or --force option forces module removal even if the module is marked as being in use. Naturally, this is a very dangerous option, but it’s sometimes helpful if a module is misbehaving in some way that’s even more dangerous. This option has no effect unless the CONFIG_MODULE_FORCE_UNLOAD kernel option is enabled.

Wait Until Unused
The -w or --wait option causes rmmod to wait for the module to become unused, rather than return an error message, if the module is in use. Once the module is no longer being used (say, after a floppy disk is unmounted if you try to remove the floppy module), rmmod unloads the module and returns. Until then, rmmod doesn’t return, making it look like it’s not doing anything.

A few more rmmod options exist; consult the rmmod man page for details.

Like insmod, rmmod operates on a single module. If you try to unload a module that’s depended on by other modules or is in use, rmmod will return an error message. (The -w option modifies this behavior, as just described.) If the module is depended on by other modules, rmmod lists those modules, so you can decide whether to unload them. If you want to unload an entire module stack—that is, a module and all those upon which it depends—you can use the modprobe command and its -r option, as described earlier in “Loading Kernel Modules.”
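The Used by column is enough to work out in advance which modules must be removed before a given module and which removals rmmod will refuse. The following Python sketch is an added example, not part of the original text; it runs on the lsmod listing shown earlier (embedded as constructed sample input), and the function names parse_lsmod and removal_plan are assumptions made for this illustration.

```python
"""Work out a safe rmmod order from lsmod output (added example)."""

# Constructed sample: the lsmod listing shown earlier in this section.
SAMPLE_LSMOD = """\
Module                  Size  Used by
isofs                  35820  0
zlib_inflate           21888  1 isofs
floppy                 65200  0
nls_iso8859_1           5568  1
nls_cp437               7296  1
vfat                   15680  1
fat                    49536  1 vfat
sr_mod                 19236  0
ide_cd                 42848  0
cdrom                  39080  2 sr_mod,ide_cd
"""


def parse_lsmod(text):
    """Return {name: {"size", "count", "users"}} for each listed module."""
    modules = {}
    for line in text.splitlines():
        fields = line.split()
        # Skip blank lines and the "Module Size Used by" header.
        if len(fields) < 3 or not fields[1].isdigit():
            continue
        users = []
        if len(fields) > 3:
            users = [u for u in fields[3].split(",") if u]
        modules[fields[0]] = {
            "size": int(fields[1]),
            "count": int(fields[2]),
            "users": users,
        }
    return modules


def removal_plan(modules, target):
    """Return (order, blockers) for unloading target.

    order lists the modules to rmmod, dependents first and target last.
    blockers maps a module to the number of references that do not come
    from another listed module (a mounted filesystem, an open device, a
    process); rmmod refuses such a module until those users go away.
    """
    if target not in modules:
        raise KeyError(f"{target} is not loaded")
    order, blockers, seen = [], {}, set()

    def visit(name):
        if name in seen or name not in modules:
            return
        seen.add(name)
        info = modules[name]
        for user in info["users"]:      # unload whatever uses it first
            visit(user)
        external = info["count"] - len(info["users"])
        if external > 0:
            blockers[name] = external
        order.append(name)

    visit(target)
    return order, blockers


if __name__ == "__main__":
    loaded = parse_lsmod(SAMPLE_LSMOD)
    for name in ("zlib_inflate", "fat", "cdrom"):
        order, blockers = removal_plan(loaded, name)
        print(f"{name}: rmmod order {order}, blocked by {blockers}")
```

For zlib_inflate the plan is isofs and then zlib_inflate, matching the text; for fat the plan is blocked because vfat has a use count of 1 that no other module accounts for.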
Configuring USB Devices

USB is an extremely popular (perhaps the most popular) external interface form. This fact means you must understand something about USB, including USB itself, Linux’s USB drivers, and Linux’s USB management tools.

USB Basics

USB is a protocol and hardware port for transferring data to and from devices. It allows for many more (and varied) devices per interface port than either ATA or SCSI and gives better speed than RS-232 serial and parallel ports. The USB 1.0 and 1.1 specifications allow for up to 127 devices and 12Mbps of data transfer. USB 2.0 allows for much higher transfer rates—480Mbps, to be precise. USB 3.0, introduced in 2010, supports a theoretical maximum speed of 4.8Gbps, although 3.2Gbps is a more likely top speed in practice. USB 3.0 devices require a new physical connector.

Data transfer speeds may be expressed in bits per second (bps) or multiples thereof, such as megabits per second (Mbps) or gigabits per second (Gbps); or in bytes per second (B/s) or multiples thereof, such as megabytes per second (MB/s). In most cases, there are 8 bits per byte, so multiplying or dividing by 8 may be necessary if you’re trying to compare speeds of devices that use different measures.

USB is the preferred interface method for many external devices, including printers, scanners, mice, digital cameras, flash drives, and music players. USB keyboards, Ethernet adapters, modems, speakers, hard drives, and other devices are also available, although USB has yet to dominate these areas as it has some others.

Most computers ship with four to eight USB ports. (A few years ago, two USB ports were more common.) Each port can handle one device by itself, but you can use a USB hub to connect several devices to each port. Thus, you can theoretically connect huge numbers of USB devices to a computer. In practice, you may run into speed problems, particularly if you’re using USB 1.x for devices that tend to transfer a lot of data, such as scanners, printers, or hard drives.

If you have an older computer that lacks USB 3.0 support and you want to connect a high-speed USB 3.0 device, you can buy a separate USB 3.0 board. You can continue to use the computer’s built-in USB ports for slower devices.
Linux USB Drivers

Several different USB controllers are available, with names such as UHCI, OHCI, EHCI, and R8A66597. Modern Linux distributions ship with the drivers for the common USB controllers enabled, so your USB port should be activated automatically when you boot the computer. The UHCI and OHCI controllers handle USB 1.x devices, but most other controllers can handle USB 2.0 devices. You need a 2.6.31 or newer kernel to use USB 3.0 hardware. Note that these basics merely provide a means to access the actual USB hardware and address the devices in a low-level manner. You’ll need additional software—either drivers or specialized software packages—to make practical use of the devices.

You can learn a great deal about your devices by using the lsusb utility. A simple use of this program with no options reveals basic information about your USB devices:

$ lsusb
Bus 003 Device 008: ID 0686:400e Minolta Co., Ltd
Bus 003 Device 001: ID 0000:0000
Bus 002 Device 002: ID 046d:c401 Logitech, Inc. TrackMan Marble Wheel
Bus 002 Device 001: ID 0000:0000
Bus 001 Device 001: ID 0000:0000

In this example, three USB busses are detected (001, 002, and 003). The first bus has no devices attached, but the second and third each have one device—a Logitech TrackMan Marble Wheel trackball and a Minolta DiMAGE Scan Elite 5400 scanner, respectively. (The scanner’s name isn’t fully identified by this output, except insofar as the ID number encodes this information.) You can gather additional information by using various options to lsusb:

Be Verbose
The -v option produces extended information about each product.

Restrict Bus and Device Number
Using the -s [[bus]:][devnum] option restricts output to the specified bus and device number.

Restrict Vendor and Product
You can limit output to a particular vendor and product by using the -d [vendor]:[product] option. The vendor and product are the codes just after ID on each line of the basic lsusb output.

Display Device by Filename
Using -D filename displays information about the device that’s accessible via filename, which should be a file in the /proc/bus/usb directory tree. This directory provides a low-level interface to USB devices, as described shortly.

Tree View
The -t option displays the device list as a tree so that you can more easily see what devices are connected to specific controllers.

Version
The -V or --version option displays the version of the lsusb utility and exits.

Early Linux USB implementations required a separate driver for every USB device. Many of these drivers remain in the kernel, and some software relies on them. For instance, USB disk storage devices use USB storage drivers that interface with Linux’s SCSI support, making USB hard disks, removable disks, and so on look like SCSI devices.

Linux provides a USB filesystem that in turn provides access to USB devices in a generic manner. This filesystem appears as part of the /proc virtual filesystem. In particular, USB device information is accessible from /proc/bus/usb. Subdirectories of /proc/bus/usb are given numbered names based on the USB controllers installed on the computer, as in /proc/bus/usb/001 for the first USB controller. Software can access files in these directories to control USB devices rather than use device files in /dev as with most hardware devices. Tools such as scanner software and the Linux printing system can automatically locate compatible USB devices and use these files.
USB Manager Applications

USB can be challenging for OSs because it was designed as a hot-pluggable technology. The Linux kernel wasn’t originally designed with this sort of activity in mind, so the kernel relies on external utilities to help manage matters. Two tools in particular are used for managing USB devices: usbmgr and hotplug.

The usbmgr package (located at http://freecode.com/projects/usbmgr) is a program that runs in the background to detect changes on the USB bus. When it detects changes, it loads or unloads the kernel modules that are required to handle the devices. For instance, if you plug in a USB Zip drive, usbmgr will load the necessary USB and SCSI disk modules. This package uses configuration files in /etc/usbmgr to handle specific devices and uses /etc/usbmgr/usbmgr.conf to control the overall configuration.

With the shift from in-kernel device-specific USB drivers to the USB device filesystem (/proc/bus/usb), usbmgr has been declining in importance. In fact, it may not be installed on your system. Instead, most distributions rely on the Hotplug package (http://linux-hotplug.sourceforge.net), which relies on kernel support added with the 2.4.x kernel series. This system uses files stored in /etc/hotplug to control the configuration of specific USB devices. In particular, /etc/hotplug/usb.usermap contains a database of USB device IDs and pointers to scripts in /etc/hotplug/usb that are run when devices are plugged in or unplugged. These scripts might change permissions on USB device files so that ordinary users can access USB hardware, run commands to detect new USB disk devices, or otherwise prepare the system for a new (or newly removed) USB device.
Configuring Hard Disks

Hard disks are among the most important components in your system. Three different hard disk interfaces are common on modern computers: Parallel Advanced Technology Attachment (PATA), aka ATA; Serial Advanced Technology Attachment (SATA); and Small Computer System Interface (SCSI). In addition, external USB and IEEE-1394 drives are available, as are external variants of SATA and SCSI drives. Each has its own method of low-level configuration.

Configuring PATA Disks

PATA disks once ruled the roost in the x86 PC world, but today SATA disks have largely supplanted them. Thus, you’re most likely to encounter PATA disks on older computers—say, from 2005 or earlier. PATA disks are still readily available, though.

As the full name implies, PATA disks use a parallel interface, meaning that several bits of data are transferred over the cable at once. Thus, PATA cables are wide, supporting a total of either 40 or 80 lines, depending on the variety of PATA. You can connect up to two devices to each PATA connector on a motherboard or plug-in PATA controller, meaning that PATA cables typically have three connectors—one for the motherboard and two for disks.

PATA disks must be configured as masters or as slaves. This can be done via jumpers on the disks themselves. Typically, the master device sits at the end of the cable, and the slave device resides on the middle connector. All modern PATA disks also support an option called cable select. When set to this option, the drive attempts to configure itself automatically based on its position on the PATA cable. Thus, your easiest configuration is usually to set all PATA devices to use the cable-select option; you can then attach them to whatever position is convenient, and the drives should configure themselves.

For best performance, disks should be placed on separate controllers rather than configured as master and slave on a single controller, because each PATA controller has a limited throughput that may be exceeded by two drives. Until recently, most motherboards have included at least two controllers, so putting each drive on its own controller isn’t a problem until you install more than two drives in a single computer.

All but the most ancient BIOSs auto-detect PATA devices and provide information about their capacities and model numbers in the BIOS setup utilities. In the past, most motherboards would boot PATA drives in preference to other drives, but modern firmware usually provides more options to control your boot preferences.

In Linux, PATA disks have traditionally been identified as /dev/hda, /dev/hdb, and so on, with /dev/hda being the master drive on the first controller, /dev/hdb being the slave drive on the first controller, and so on. Thus, gaps can occur in the numbering scheme—if you have master disks on the first and second controllers but no slave disks, your system will contain /dev/hda and /dev/hdc but no /dev/hdb. Partitions are identified by numbers after the main device name, as in /dev/hda1, /dev/hda2, and so on.

The naming rules for disks also apply to optical media, except that these media typically aren’t partitioned. Most Linux distributions also create a link to your optical drive under the name /dev/cdrom or /dev/dvd. Removable PATA disks, such as Zip disks, are given identifiers as if they were fixed PATA disks, optionally including partition identifiers.

Most modern Linux distributions favor newer PATA drivers that treat PATA disks as if they were SCSI disks. Thus, you may find that your device filenames follow the SCSI rules rather than the PATA rules even if you have PATA disks.
Configuring SATA Disks

SATA is a newer interface than PATA, and SATA has largely displaced PATA as the interface of choice. New motherboards typically host four or more SATA interfaces and frequently lack PATA interfaces.

SATA disks connect to their motherboards or controllers on a one-to-one basis—unlike with PATA, you can’t connect more than one disk to a single cable. This fact simplifies configuration; there typically aren’t jumpers to set, and you needn’t be concerned with the position of the disk on the cable.

As the word serial in the expansion of SATA implies, SATA is a serial bus—only one bit of data can be transferred at a time. SATA transfers more bits per unit of time on its data line, though, so SATA is faster than PATA (1.5−6.0Gbps for SATA vs. 128−1064Mbps for PATA, but these are theoretical maximums that are unlikely to be achieved in real-world situations). Because of SATA’s serial nature, SATA cables are much thinner than PATA cables.

Modern firmware detects SATA disks and provides information about them just as for PATA disks. The firmware may provide boot order options, too. Older BIOSs are likely to be more limited. This is particularly true if your motherboard doesn’t provide SATA support but you use a separate SATA controller card. You may be able to boot from an SATA disk in such cases if your controller card supports this option, or you may need to use a PATA boot disk.

Most Linux SATA drivers treat SATA disks as if they were SCSI disks, so you should read the next section, “Configuring SCSI Disks,” for information about device naming. Some older drivers treat SATA disks like PATA disks, so you may need to use PATA names in some rare circumstances.
Configuring SCSI Disks

There are many types of SCSI definitions, which use a variety of different cables and operate at various speeds. SCSI is traditionally a parallel bus, like PATA, although the latest variant, Serial Attached SCSI (SAS), is a serial bus like SATA. SCSI has traditionally been considered a superior bus to PATA; however, the cost difference has risen dramatically over the past decade or two, so few people today use SCSI. You may find it on older systems or on very high-end systems.

SCSI supports up to 8 or 16 devices per bus, depending on the variety. One of these devices is the SCSI host adapter, which either is built into the motherboard or comes as a plug-in card. In practice, the number of devices you can attach to a SCSI bus is more restricted because of cable-length limits, which vary from one SCSI variety to another. Each device has its own ID number, typically assigned via a jumper on the device. You must ensure that each device’s ID is unique. Consult its documentation to learn how to set the ID.

If your motherboard lacks built-in SCSI ports, chances are it won’t detect SCSI devices. You can still boot from a SCSI hard disk if your SCSI host adapter has its own firmware that supports booting. Most high-end SCSI host adapters have this support, but low-end SCSI host adapters don’t have built-in firmware. If you use such a host adapter, you can still attach SCSI hard disks to the adapter, and Linux can use them, but you’ll need to boot from a PATA or SATA hard disk.

SCSI IDs aren’t used to identify the corresponding device file on a Linux system. Hard drives follow the naming system /dev/sdx (where x is a letter from a up), SCSI tapes are named /dev/stx and /dev/nstx (where x is a number from 0 up), and SCSI CD-ROMs and DVD-ROMs are named /dev/scdx or /dev/srx (where x is a number from 0 up).

SCSI device numbering (or lettering) is usually assigned in increasing order based on the SCSI ID. If you have one hard disk with a SCSI ID of 2 and another hard disk with a SCSI ID of 4, they will be assigned to /dev/sda and /dev/sdb, respectively. The real danger is if you add a third SCSI drive and give it an ID of 0, 1, or 3. This new disk will become /dev/sda (for an ID of 0 or 1) or /dev/sdb (for ID 3), bumping up one or both of the existing disks’ Linux device identifiers. For this reason, it’s usually best to give hard disks the lowest possible SCSI IDs so that you can add future disks using higher IDs.

The mapping of Linux device identifiers to SCSI devices depends in part on the design of the SCSI host adapter. Some host adapters result in assignment starting from SCSI ID 7 and working down to 0 rather than the reverse, with Wide SCSI device numbering continuing on from there to IDs 14 through 8.

Another complication is when you have multiple SCSI host adapters. In this case, Linux assigns device filenames to all of the disks on the first adapter, followed by all those on the second adapter. Depending on where the drivers for the SCSI host adapters are found (compiled directly into the kernel or loaded as modules) and how they’re loaded (for modular drivers), you may not be able to control which adapter takes precedence.

Remember that some non-SCSI devices, such as USB disk devices and SATA disks, are mapped onto the Linux SCSI subsystem. This can cause a true SCSI hard disk to be assigned a higher device ID than you’d expect if you use such “pseudo-SCSI” devices.

The SCSI bus is logically one-dimensional—that is, every device on the bus falls along a single line. This bus must not fork or branch in any way. Each end of the SCSI bus must be terminated. This refers to the presence of a special resistor pack that prevents signals from bouncing back and forth along the SCSI chain. Consult your SCSI host adapter and SCSI devices’ manuals to learn how to terminate them. Remember that both ends of the SCSI chain must be terminated, but devices mid-chain must not be terminated. The SCSI host adapter qualifies as a device, so if it’s at the end of the chain, it must be terminated. Termination is a true hardware requirement; it doesn’t apply to SATA or USB disk devices, even though they use Linux SCSI drivers.

Incorrect termination often results in bizarre SCSI problems, such as an inability to detect SCSI devices, poor performance, or unreliable operation. Similar symptoms can result from the use of poor-quality SCSI cables or cables that are too long.
Configuring External Disks

External disks come in several varieties, the most common of which are USB, IEEE-1394, and SCSI. SCSI has long supported external disks directly, and many SCSI host adapters have both internal and external connectors. You configure external SCSI disks just like internal disks, although the physical details of setting the SCSI ID number and termination may differ; consult your devices’ manuals for details.

Linux treats external USB and IEEE-1394 disks just like SCSI devices, from a software point of view. Typically, you can plug in the device, see a /dev/sdx device node appear, and use it as you would a SCSI disk. This is the case for both true external hard disks and media such as solid-state USB flash drives.

External drives are easily removed, and this can be a great convenience; however, you should never unplug an external drive until you’ve unmounted the disk in Linux using the umount command, as described in Chapter 5. Failure to unmount a disk is likely to result in damage to the filesystem, including lost files. In addition, although USB and IEEE-1394 busses are hot-pluggable, most SCSI busses aren’t, so connecting or disconnecting a SCSI device while the computer is running is dangerous. (Inserting or ejecting a removable SCSI disk, such as a Zip disk, is safe, however.)
Designing a Hard Disk Layout

Whether your system uses PATA, SATA, or SCSI disks, you must design a disk layout for Linux. If you’re using a system with Linux preinstalled, you may not need to deal with this task immediately; however, sooner or later you’ll have to install Linux on a new computer or one with an existing OS or upgrade your hard disk. The next few pages describe the x86 partitioning schemes, Linux mount points, and common choices for a Linux partitioning scheme. The upcoming section “Creating Partitions and Filesystems” covers the mechanics of creating partitions.

Why Partition?

The first issue with partitioning is the question of why you should do it. The answer is that partitioning provides a variety of advantages, including the following:

Multi-OS Support
Partitioning enables you to keep the data for different OSs separate. In fact, many OSs can’t easily co-exist on the same partition because they don’t support each other’s primary filesystems. This feature is obviously important mainly if you want the computer to boot multiple OSs. It can also be handy to help maintain an emergency system—you can install a single OS twice, using the second installation as an emergency maintenance tool for the first in case problems develop.

Filesystem Choice
By partitioning your disk, you can use different filesystems—data structures designed to hold all the files on a partition—on each partition. Perhaps one filesystem is faster than another and so is important for time-critical or frequently accessed files, but another may provide accounting or backup features you want to use for users’ data files.

Disk Space Management
By partitioning your disk, you can lock certain sets of files into a fixed space. For instance, if you restrict users to storing files on one or two partitions, they can fill those partitions without causing problems on other partitions, such as system partitions. This feature can help keep your system from crashing if space runs out. On the other hand, if you get the partition sizes wrong, you can run out of disk space on just one partition much sooner than would be the case if you’d used fewer partitions.

Disk Error Protection
Disks sometimes develop problems. These problems can be the result of bad hardware or of errors that creep into the filesystems. In either case, splitting a disk into partitions provides some protection against such problems. If data structures on one partition become corrupted, these errors affect only the files on that partition. This separation can therefore protect data on other partitions and simplify data recovery.

Security
You can use different security-related mount options on different partitions. For instance, you might mount a partition that holds critical system files read-only, preventing users from writing to that partition. Linux’s file security options should provide similar protection, but taking advantage of Linux filesystem mount options provides redundancy that can be helpful in case of an error in setting up file or directory permissions.

Backup
Some backup tools work best on whole partitions. By keeping partitions small, you may be able to back up more easily than you could if your partitions were large.

In practice, most Linux computers use several partitions, although precisely how the system is partitioned varies from one computer to another. (The upcoming section “Common Partitions and Filesystem Layouts” describes some possibilities.)
Understanding Partitioning Systems

Partitions are defined by data structures that are written to specified parts of the hard disk. Several competing systems for defining these partitions exist. On x86 and x86-64 hardware, the most common method up until 2010 had been the Master Boot Record (MBR) partitioning system, so called because it stores its data in the first sector of the disk, which is also known as the MBR. The MBR system, however, is limited to partitions and partition placement of 2 tebibytes (TiB; 1TiB is 2^40 bytes), at least when using the nearly universal sector size of 512 bytes. The successor to MBR is the GUID Partition Table (GPT) partitioning system, which has much higher limits and certain other advantages. The tools and methods for manipulating MBR and GPT disks differ from each other, although there’s substantial overlap.

Still more partitioning systems exist, and you may run into them from time to time. For instance, Macintoshes that use PowerPC CPUs generally employ the Apple Partition Map (APM), and many Unix variants employ Berkeley Standard Distribution (BSD) disk labels. You’re most likely to encounter MBR and GPT disks, so those are the partitioning systems covered in this book. Details for other systems differ, but the basic principles are the same.
MBR Partitions

The original x86 partitioning scheme allowed for only four partitions. As hard disks increased in size and the need for more partitions became apparent, the original scheme was extended in a way that retained backward compatibility. The new scheme uses three partition types:

  Primary partitions, which are the same as the original partition types
  Extended partitions, which are a special type of primary partition that serves as a placeholder for the next type
  Logical partitions, which reside within an extended partition

Figure 3.4 illustrates how these partition types relate. Because logical partitions reside within a single extended partition, all logical partitions must be contiguous.

FIGURE 3.4 The MBR partitioning system uses up to four primary partitions, one of which can be a placeholder extended partition that contains logical partitions.

For any one disk, you’re limited to four primary partitions, or three primary partitions and one extended partition. Many OSs, such as DOS, Windows, and FreeBSD, must boot from primary partitions, and because of this, most hard disks include at least one primary partition. Linux, however, is not so limited, so you could boot Linux from a disk that contains no primary partitions, although in practice few people do this.

The primary partitions have numbers in the range of 1−4, whereas logical partitions are numbered 5 and up. Gaps can appear in the numbering of MBR primary partitions; however, such gaps cannot exist in the numbering of logical partitions. That is, you can have a disk with partitions numbered 1, 3, 5, 6, and 7 but not 1, 3, 5, and 7—if partition 7 exists, there must be a 5 and a 6.

In addition to holding the partition table, the MBR data structure holds the primary BIOS boot loader—the first disk-loaded code that the CPU executes when a BIOS-based computer boots. Thus, the MBR is extremely important and sensitive. Because the MBR exists only in the first sector of the disk, it’s vulnerable to damage; accidental erasure will make your disk unusable unless you have a backup.

You can back up your MBR partitions by typing sfdisk -d /dev/sda > sda-backup.txt (or similar commands to specify another disk device or backup file). You can then copy the backup file (sda-backup.txt in this example) to a removable disk or another computer for safekeeping. You can restore the backup by typing sfdisk -f /dev/sda < sda-backup.txt. Be sure you’re using the correct backup file, though; a mistake can generate incorrect or even impossible partition definitions!

MBR partitions have type codes, which are 1-byte (2-digit hexadecimal) numbers, to help identify their purpose. Common type codes you may run into include 0x0c (FAT), 0x05 (an old type of extended partition), 0x07 (NTFS), 0x0f (a newer type of extended partition), 0x82 (Linux swap), and 0x83 (Linux filesystem).

Although the MBR data structure has survived for three decades, its days are numbered because it’s not easily extensible beyond 2TiB disks. Thus, a new system is needed.
GPT Partitions

GPT is part of Intel’s EFI specification, but GPT can be used on computers that don’t use EFI, and GPT is the preferred partitioning system for disks bigger than 2TiB. Most EFI-based computers use GPT even on disks smaller than 2TiB.

GPT employs a protective MBR, which is a legal MBR definition that makes GPT-unaware utilities think that the disk holds a single MBR partition that spans the entire disk. Additional data structures define the true GPT partitions. These data structures are duplicated, with one copy at the start of the disk and another at its end. This provides redundancy that can help in data recovery should an accident damage one of the two sets of data structures.

GPT does away with the primary/extended/logical distinction of MBR. You can define up to 128 partitions by default (and that limit may be raised, if necessary). Gaps can occur in partition numbering, so you can have a disk with three partitions numbered 3, 7, and 104, to name just one possibility. In practice, though, GPT partitions are usually numbered consecutively starting with 1.

GPT’s main drawback is that support for it is relatively immature. The fdisk utility (described shortly in “Partitioning a Disk”) doesn’t work with GPT disks, although alternatives to fdisk are available. Some versions of the GRUB boot loader also don’t support it. The situation is worse in some OSs—particularly older ones. Nonetheless, you should be at least somewhat familiar with GPT because of MBR’s inability to handle disks larger than 2TiB.

Like MBR, GPT supports partition type codes; however, GPT type codes are 16-byte GUID values. Disk partitioning tools typically translate these codes into short descriptions, such as “Linux swap.” Confusingly, most Linux installations use the same type code for their filesystems that Windows uses for its filesystems, although a Linux-only code is available and is likely to begin seeing heavier use beginning in 2013.
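The MBR layout described in “MBR Partitions” and the protective MBR described above can be read directly from the first 512-byte sector. The following Python sketch is an added example, not part of the original text: it decodes the four primary-partition slots, names the type codes listed earlier (plus 0x8e for LVM), recognizes a protective MBR, and derives the 2TiB limit from the 32-bit sector fields. The 0xee protective type code and the on-disk offsets are standard MBR facts that this section does not spell out; the function names and both sample sectors are constructed for this illustration.

```python
"""Decode the partition table in an MBR sector (added example)."""
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446                 # the four 16-byte entries start here
ENTRY = struct.Struct("<B3sB3sII")  # status, CHS, type, CHS, LBA start, count

# Start and length are 32-bit sector counts, hence the 2TiB limit.
MAX_MBR_BYTES = 2**32 * SECTOR_SIZE

TYPE_NAMES = {
    0x05: "extended (old)", 0x07: "NTFS", 0x0C: "FAT",
    0x0F: "extended (newer)", 0x82: "Linux swap",
    0x83: "Linux filesystem", 0x8E: "Linux LVM",
    0xEE: "GPT protective",        # not listed in the text; standard value
}


def build_sector(slots):
    """Build a constructed MBR sector from (status, type, start, count)
    tuples; None leaves a slot empty. Used only to make sample input."""
    sector = bytearray(SECTOR_SIZE)
    for i, slot in enumerate(slots):
        if slot is None:
            continue
        status, ptype, start, count = slot
        ENTRY.pack_into(sector, TABLE_OFFSET + 16 * i,
                        status, b"\0\0\0", ptype, b"\0\0\0", start, count)
    sector[510:512] = b"\x55\xaa"  # boot signature
    return bytes(sector)


def parse_mbr(sector):
    """Return the non-empty primary partition entries of an MBR sector."""
    if len(sector) != SECTOR_SIZE or sector[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR sector")
    parts = []
    for i in range(4):
        status, _, ptype, _, start, count = ENTRY.unpack_from(
            sector, TABLE_OFFSET + 16 * i)
        if ptype == 0:             # type 0 marks an unused slot
            continue
        parts.append({
            "number": i + 1,       # slot position is the partition number
            "bootable": status == 0x80,
            "type": ptype,
            "name": TYPE_NAMES.get(ptype, "unknown"),
            "start_lba": start,
            "size_bytes": count * SECTOR_SIZE,
        })
    return parts


def is_protective_mbr(parts):
    """True when the table holds only the single GPT placeholder entry."""
    return len(parts) == 1 and parts[0]["type"] == 0xEE


# Constructed samples: an MBR disk with a gap at slot 2, and a GPT disk.
SAMPLE_MBR = build_sector([(0x80, 0x83, 2048, 409600), None,
                           (0x00, 0x0F, 411648, 1000000), None])
SAMPLE_GPT = build_sector([(0x00, 0xEE, 1, 0xFFFFFFFF), None, None, None])

if __name__ == "__main__":
    for label, sector in (("MBR disk", SAMPLE_MBR), ("GPT disk", SAMPLE_GPT)):
        parts = parse_mbr(sector)
        print(label, "protective MBR:", is_protective_mbr(parts))
        for p in parts:
            print(f"  {p['number']}: 0x{p['type']:02x} {p['name']}, "
                  f"start {p['start_lba']}, {p['size_bytes']} bytes")
    print("MBR addressing limit:", MAX_MBR_BYTES // 2**40, "TiB")
```

On a real system the sector would come from reading the first 512 bytes of the disk device as root; here the samples are built in memory so the example runs without touching a disk.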
An Alternative to Partitions: LVM

An alternative to partitions for some functions is logical volume management (LVM). To use LVM, you set aside one or more partitions and assign them MBR partition type codes of 0x8e (or an equivalent on GPT disks). You then use a series of utilities, such as pvcreate, vgcreate, lvcreate, and lvscan, to manage the partitions (known as physical volumes in this scheme), to merge them into volume groups, and to create and manage logical volumes within the volume groups. Ultimately, you then access the logical volumes using names you assigned to them in the /dev/mapper directory, such as /dev/mapper/myvol-home.

LVM sounds complicated, and it is. Why would you want to use it? The biggest advantage to LVM is that it enables you to easily resize your logical volumes without worrying about the positions or sizes of surrounding partitions. In a sense, the logical volumes are like files in a regular filesystem; the filesystem (or volume group, in the case of LVM) manages the allocation of space when you resize files (or logical volumes). This can be a great boon if you’re not sure of the optimum starting sizes of your partitions. You can also easily add disk space, in the form of a new physical disk, to expand the size of an existing volume group.

On the downside, LVM adds complexity, and not all Linux distributions support it out of the box. LVM can complicate disaster recovery, and if your LVM configuration spans multiple disks, a failure of one disk will put all files in your volume group at risk. It’s easiest to configure a system with at least one filesystem (dedicated to /boot, or perhaps the root filesystem containing /boot) in its own conventional partition, reserving LVM for /home, /usr, and other filesystems.

Despite these drawbacks, you might consider investigating LVM further in some situations. It’s most likely to be useful if you want to create an installation with many specialized filesystems and you want to retain the option of resizing those filesystems in the future. A second situation where LVM is handy is if you need to create very large filesystems that are too large for a single physical disk to handle.
Mount Points
Once a disk is partitioned, an OS must have some way to access the data on the partitions. In DOS and Windows, this is done by assigning a drive letter, such as C: or D:, to each partition. (DOS and Windows use partition type codes to decide which partitions get drive letters and which to ignore.) Linux, though, doesn’t use drive letters; instead, Linux uses a unified directory tree. Each partition is mounted at a mount point in that tree. A mount point is a directory that’s used as a way to access the filesystem on the partition, and mounting the filesystem is the process of linking the filesystem to the mount point.
For instance, suppose that a Linux system has three partitions: the root (/) partition, /home, and /usr. The root partition holds the basic system files, and all other partitions are accessed via directories on that filesystem. If /home contains users’ home directories, such as sally and sam, those directories will be accessible as /home/sally and /home/sam once this partition is mounted at /home. If this partition were unmounted and remounted at /users, the same directories would become accessible as /users/sally and /users/sam.
Partitions can be mounted just about anywhere in the Linux directory tree, including on directories on the root partition as well as directories on mounted partitions. For instance, if /home is a separate partition, you can have a /home/morehomes directory that serves as a mount point for another partition.
The upcoming section “Mounting and Unmounting Filesystems” describes the commands and configuration files that are used for mounting partitions. For now, you should be concerned only with what constitutes a good filesystem layout (that is, what directories you should split off into their own partitions) and how to create these partitions.
Common Partitions and Filesystem Layouts
So, what directories are commonly split off into separate partitions? Table 3.4 summarizes some popular choices. Note that typical sizes for many of these partitions vary greatly depending on how the system is used. Therefore, it’s impossible to make recommendations on partition size that will be universally acceptable.

TABLE 3.4 Common partitions and their uses

| Partition (mount point) | Typical size | Use |
|---|---|---|
| Swap (not mounted) | One to two times the system RAM size | Serves as an adjunct to system RAM; is slow but enables the computer to run more or larger programs. |
| /home | 200MiB–3TiB (or more) | Holds users’ data files. Isolating it on a separate partition preserves user data during a system upgrade. Size depends on the number of users and their data storage needs. |
| /boot | 100–500MiB | Holds critical boot files. Creating it as a separate partition lets you circumvent limitations of older BIOSs and boot loaders, which often can’t boot a kernel from a point above a value between 504MiB and 2TiB. |
| /usr | 500MiB–25GiB | Holds most Linux program and data files; this is sometimes the largest partition, although /home is larger on systems with many users or if users store large data files. Changes implemented in 2012 are making it harder to create a separate /usr partition in many distributions. |
| /usr/local | 100MiB–3GiB | Holds Linux program and data files that are unique to this installation, particularly those that you compile yourself. |
| /opt | 100MiB–5GiB | Holds Linux program and data files that are associated with third-party packages, especially commercial ones. |
| /var | 100MiB–3TiB (or more) | Holds miscellaneous files associated with the day-to-day functioning of a computer. These files are often transient in nature. Most often split off as a separate partition when the system functions as a server that uses the /var directory for server-related files like mail queues. |
| /tmp | 100MiB–20GiB | Holds temporary files created by ordinary users. |
| /mnt | N/A | Not a separate partition; rather, it or its subdirectories are used as mount points for removable media like floppies or CD-ROMs. |
| /media | N/A | Holds subdirectories that may be used as mount points for removable media, much like /mnt or its subdirectories. |
Some directories—/etc, /bin, /sbin, /lib, and /dev—should never be placed on separate partitions. These directories host critical system configuration files or files without which a Linux system can’t function. For instance, /etc contains /etc/fstab, the file that specifies what partitions correspond to what directories, and /bin contains the mount utility that’s used to mount partitions on directories. Changes to system utilities in 2012 are making it harder, but not impossible, to split off /usr as a separate partition.

The 2.4.x and newer kernels include support for a dedicated /dev filesystem, which obviates the need for files in a disk-based /dev directory; so, in some sense, /dev can reside on a separate filesystem, although not a separate partition. The udev utility controls the /dev filesystem in recent versions of Linux.
Creating Partitions and Filesystems
If you’re installing Linux on a computer, chances are it will present you with a tool to help guide you through the partitioning process. These installation tools will create the partitions you tell them to create or create partitions sized as the distribution’s maintainers believe appropriate. If you need to partition a new disk you’re adding, though, or if you want to create partitions using standard Linux tools rather than rely on your distribution’s installation tools, you must know something about the Linux programs that accomplish this task. Partitioning involves two tasks: creating the partitions and preparing the partitions to be used. In Linux, these two tasks are usually accomplished using separate tools, although some tools can handle both tasks simultaneously.

When to Create Multiple Partitions
One problem with splitting off lots of separate partitions, particularly for new administrators, is that it can be difficult to settle on appropriate partition sizes. As noted in Table 3.4, the appropriate size of various partitions can vary substantially from one system to another. For instance, a workstation is likely to need a fairly small /var partition (say, 100MiB), but a mail or news server may need a /var partition that’s gigabytes in size. Guessing wrong isn’t fatal, but it is annoying. You’ll need to resize your partitions (which is tedious and dangerous) or set up symbolic links between partitions so that subdirectories on one partition can be stored on other partitions. LVM can simplify such after-the-fact changes, but as noted earlier, LVM adds its own complexity.
For this reason, I generally recommend that new Linux administrators try simple partition layouts first. The root (/) partition is required, and swap is a very good idea. Beyond this, /boot can be helpful on hard disks of more than 8GiB with older distributions or BIOSs but is seldom needed with computers or distributions sold since 2000. Aside from user data (in /home or elsewhere), most Linux installations in 2012 require 5–25GiB, so setting root (/) to a value in this range makes sense. An appropriate size for /home is often relatively easy for new administrators to guess, or you can devote all your disk space after creating root (/) and swap to /home.
Beyond these partitions, I recommend that new administrators proceed with caution. As you gain more experience with Linux, you may want to break off other directories into their own partitions on subsequent installations or when upgrading disk hardware. You can use the du command to learn how much space is used by files within any given directory.
Partitioning a Disk
The traditional Linux tool for disk partitioning is called fdisk. This tool’s name is short for fixed disk, and the name is the same as a DOS and Windows tool that accomplishes the same task. (When I mean to refer to the DOS/Windows tool, I capitalize its name, as in FDISK. The Linux tool’s name is always entirely lowercase.) Both DOS’s FDISK and Linux’s fdisk are text-mode tools to accomplish similar goals, but the two are very different in operational details.
Although fdisk is the traditional tool, several others exist. One of these is GNU Parted, which can handle several different partition table types, not just the MBR that fdisk can handle. If you prefer fdisk to GNU Parted but must use GPT, you can use GPT fdisk (http://www.rodsbooks.com/gdisk/); this package’s gdisk program works much like fdisk but on GPT disks. Although fdisk is the tool covered by the exam, some administrators prefer the related cfdisk (or the similar cgdisk for GPT), which has a friendlier user interface. The sfdisk (or sgdisk for GPT) tool is useful for writing scripts that can handle disk partitioning tasks.
Using fdisk
To use Linux’s fdisk, type the command name followed by the name of the disk device you want to partition, as in fdisk /dev/hda to partition the primary master PATA disk. The result is an fdisk prompt:

# fdisk /dev/hda
Command (m for help):

At the Command (m for help): prompt, you can type commands to accomplish various goals:

Display the Current Partition Table: You may want to begin by displaying the current partition table. To do so, type p. If you only want to display the current partition table, you can type fdisk -l /dev/hda (or whatever the device identifier is) at a command prompt rather than enter fdisk’s interactive mode. This command displays the partition table and then exits.

Create a Partition: To create a partition, type n. The result is a series of prompts asking for information about the partition—whether it should be a primary, extended, or logical partition; the partition’s starting cylinder; the partition’s ending cylinder or size; and so on. The details of what you’re asked depend in part on what’s already defined. For instance, fdisk won’t ask you if you want to create an extended partition if one already exists. Older versions of fdisk measure partition start and end points in cylinders, not megabytes. This is a holdover from the CHS measurements used by the x86 partition table. Recent versions of fdisk use sectors as the default unit of measure, although you can specify a partition’s size by using a plus sign, number, and suffix, as in +20G to create a 20GiB partition.

In the past, partitions were aligned on CHS cylinders. This was beneficial given the hardware of the 1980s, but today it’s detrimental. Many modern disks require partition alignment on 8-sector or larger boundaries for optimum performance. Recent partitioning programs begin partitions on 1MiB (2048-sector) boundaries for this reason. Failure to align partitions properly can result in severe performance degradation. See http://www.ibm.com/developerworks/linux/library/l-4kb-sector-disks/ for more on this topic.
Delete a Partition: To delete a partition, type d. If more than one partition exists, the program will ask for the partition number, which you must enter.

Change a Partition’s Type: When you create a partition, fdisk assigns it a type code of 0x83, which corresponds to a Linux filesystem. If you want to create a Linux swap partition or a partition for another OS, you can type t to change a partition type code. The program then prompts you for a partition number and a type code.

List Partition Types: Several dozen partition type codes exist, so it’s easy to forget what they are. Type l (that’s a lowercase L) at the main fdisk prompt to see a list of the most common ones. You can also get this list by typing L when you’re prompted for the partition type when you change a partition’s type code.

Mark a Partition Bootable: Some OSs, such as DOS and Windows, rely on their partitions having special bootable flags in order to boot. You can set this flag by typing a, whereupon fdisk asks for the partition number.

Get Help: Type m or ? to see a summary of the main fdisk commands.

Exit: Linux’s fdisk supports two exit modes. First, you can type q to exit the program without saving any changes; anything you do with the program is lost. This option is particularly helpful if you’ve made a mistake. Second, typing w writes your changes to the disk and exits the program.

As an example, consider deleting a primary, an extended, and a logical partition on a USB flash drive and creating a single new one in their place:

# fdisk /dev/sdc

Command (m for help): p

Disk /dev/sdc: 2038 MB, 2038431744 bytes
63 heads, 62 sectors/track, 1019 cylinders, total 3981312 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x88a46f2c

   Device Boot      Start         End      Blocks   Id  System
/dev/sdc1            2048     2099199     1048576   83  Linux
/dev/sdc2         2099200     3981311      941056    5  Extended
/dev/sdc5         2101248     3981311      940032   83  Linux

Command (m for help): d
Partition number (1-5): 5

Command (m for help): d
Partition number (1-5): 2

Command (m for help): d
Selected partition 1

Command (m for help): n
Partition type:
   p   primary (0 primary, 0 extended, 4 free)
   e   extended
Select (default p): p
Partition number (1-4, default 1): 1
First sector (2048-3981311, default 2048): 2048
Last sector, +sectors or +size{K,M,G} (2048-3981311, default 3981311):
Using default value 3981311

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.
Syncing disks.
This process begins with a p command to verify that the program is operating on the correct disk. With this information in hand, the three existing partitions are deleted. Note that the first two deletions ask for a partition number, but the third doesn’t, because only one partition is left. Once this is done, n is used to create a new primary partition. Once the task is complete, the w command is used to write the changes to disk and exit the program. The result of this sequence is a disk with a single primary partition (/dev/sdc1) marked as holding a Linux filesystem.
To work on a GPT disk, you can use gdisk in much the same way you use fdisk. Aside from some details, such as the lack of a prompt to create primary, extended, or logical partitions, gdisk uses the same basic commands as fdisk.
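
The 1MiB alignment rule from the note in “Using fdisk” can be checked against a partition table in the column layout of the session above. This is an added example, not from the book; the function names and the /dev/sdx1 row (a legacy-style partition starting at sector 63 with the bootable flag set) are constructed for illustration.

```shell
#!/bin/sh
# Added example: report whether each partition in `fdisk -l`-style output
# starts on a 1 MiB boundary.

# Constructed sample: the three partitions from the session above plus a
# constructed legacy partition that starts at sector 63 and is bootable.
sample_table() {
cat <<'EOF'
   Device Boot      Start         End      Blocks   Id  System
/dev/sdc1            2048     2099199     1048576   83  Linux
/dev/sdc2         2099200     3981311      941056    5  Extended
/dev/sdc5         2101248     3981311      940032   83  Linux
/dev/sdx1   *          63      208844      104391   83  Linux
EOF
}

# check_alignment [sector_size] < table
# Prints "<device> <start> aligned|misaligned" for each partition line.
# sector_size is the logical sector size in bytes (default 512).
check_alignment() {
    awk -v ss="${1:-512}" '
        BEGIN {
            # Reject sector sizes that do not divide 1 MiB evenly.
            if (ss <= 0 || 1048576 % ss != 0) exit 2
            per_mib = 1048576 / ss      # sectors per MiB (2048 for 512 B)
        }
        $1 ~ /^\/dev\// {
            # The Boot column is blank unless the flag is set; when "*" is
            # present the start sector moves from field 2 to field 3.
            start = ($2 == "*") ? $3 : $2
            if (start !~ /^[0-9]+$/) next          # skip malformed lines
            state = (start % per_mib == 0) ? "aligned" : "misaligned"
            print $1, start, state
        }'
}

# count_misaligned [sector_size] < table
# Prints the number of partitions that do not start on a 1 MiB boundary.
count_misaligned() {
    check_alignment "$@" | awk '$3 == "misaligned" { n++ } END { print n + 0 }'
}

sample_table | check_alignment
```

On a live system the same functions can read real output, as in `fdisk -l /dev/sdc | check_alignment`, provided fdisk is reporting in sectors rather than cylinders.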
Using GNU Parted
GNU Parted (http://www.gnu.org/software/parted/) is a partitioning tool that works with MBR, GPT, APM, BSD disk labels, and other disk types. It also supports more features than fdisk and is easier to use in some ways. On the other hand, GNU Parted uses its own way of referring to partitions, which can be confusing. It’s also more finicky about minor disk partitioning quirks and errors than is fdisk. Although GNU Parted isn’t covered on the exam, knowing a bit about it can be handy.
You start GNU Parted much as you start fdisk, by typing its name followed by the device you want to modify, as in parted /dev/hda to partition /dev/hda. The result is some brief introductory text followed by a (parted) prompt at which you type commands. Type ? to see a list of commands, which are multi-character commands similar to Linux shell commands. For instance, print displays the current partition table, mkpart creates (makes) a partition, and rm removes a partition.
Some still-more-advanced partitioning capabilities appear only in flashy GUI tools, such as the GNOME Partition Editor, aka GParted (http://gparted.sourceforge.net), which is shown in Figure 3.5. Aside from its novice-friendly user interface, GParted’s main claim to fame is that it enables you to easily move or resize partitions. You may need to run the program from an emergency disk to use these features, though; you can’t move or resize any partition that’s currently in use. Such partitions are marked with a padlock icon, as shown next to /dev/sdc1 in Figure 3.5.

FIGURE 3.5 GParted enables point-and-click partition management, including partition moving and resizing.

Resizing or moving a filesystem can be dangerous. If the resizing code contains a bug or if there’s a power failure during the operation, data can be lost. Thus, I strongly recommend you back up any important data before resizing or moving a partition. Also, resizing or moving your boot partition on a BIOS-based computer can render the system unbootable until you re-install your boot loader.
Preparing a Partition for Use
Once a partition is created, you must prepare it for use. This process is often called “making a filesystem” or “formatting a partition.” It involves writing low-level data structures to disk. Linux can then read and modify these data structures to access and store files in the partition. You should know something about the common Linux filesystems and know how to use filesystem-creation tools to create them.

The word formatting is somewhat ambiguous. It can refer to either low-level formatting, which creates a structure of sectors and tracks on the disk media, or high-level formatting, which creates a filesystem. Hard disks are low-level formatted at the factory and should never need to be low-level formatted again. Floppy disks, though, can be both low- and high-level formatted. The tools described here can high-level format a floppy disk as well as a hard disk. To low-level format a floppy disk, you must use the fdformat command, as in fdformat /dev/fd0. This command cannot be used on a hard disk.
Common Filesystem Types
Linux supports quite a few different filesystems, both Linux-native and those intended for other OSs. Some of the latter barely work under Linux, and even when they do work reliably, they usually don’t support all the features that Linux expects in its native filesystems. Thus, when preparing a Linux system, you’ll use one or more of its native filesystems for most or all partitions:

Ext2fs: The Second Extended File System (ext2fs or ext2) is the traditional Linux-native filesystem. It was created for Linux and was the dominant Linux filesystem throughout the late 1990s. Ext2fs has a reputation as a reliable filesystem. It has since been eclipsed by other filesystems, but it still has its uses. In particular, ext2fs can be a good choice for a small /boot partition, if you choose to use one, and for small (sub-gigabyte) removable disks. On such small partitions, the size of the journal used by more advanced filesystems can be a real problem, so the non-journaling ext2fs is a better choice. (Journaling is described in more detail shortly.) The ext2 filesystem type code is ext2.

On an EFI-based computer, using ext2fs, ext3fs, or ReiserFS on a separate /boot partition enables the firmware to read this partition with the help of suitable drivers. This can expand your options for boot loader configuration.

Ext3fs: The Third Extended File System (ext3fs or ext3) is basically ext2fs with a journal added. The result is a filesystem that’s as reliable as ext2fs but that recovers from power outages and system crashes much more quickly. The ext3 filesystem type code is ext3.

Ext4fs: The Fourth Extended File System (ext4fs or ext4) is the next-generation version of this filesystem family. It adds the ability to work with very large disks (those over 16TiB, the limit for ext2fs and ext3fs) or very large files (those over 2TiB), as well as extensions intended to improve performance. Its filesystem type code is ext4.

ReiserFS: This filesystem was designed from scratch as a journaling filesystem for Linux. It’s particularly good at handling large numbers of small files (say, smaller than about 32KB) because ReiserFS uses various tricks to squeeze the ends of files into each other’s unused spaces. This small savings can add up to a large percentage of file sizes when files are small. You can use reiserfs as the type code for this filesystem.

As of Linux kernel version 3.6.0, ReiserFS version 3.x is current. A from-scratch rewrite of ReiserFS, known as Reiser4, is under development, although development has slowed to the point that it’s uncertain if Reiser4 will ever be included in the mainstream kernel.

JFS: IBM developed the Journaled File System (JFS) for its AIX OS and later re-implemented it on OS/2. The OS/2 version was subsequently donated to Linux. JFS is a technically sophisticated journaling filesystem that may be of particular interest if you’re familiar with AIX or OS/2 or want an advanced filesystem to use on a dual-boot system with one of these OSs. As you might expect, this filesystem’s type code is jfs.

XFS: Silicon Graphics (SGI) created its Extents File System (XFS) for its IRIX OS and, like IBM, later donated the code to Linux. Like JFS, XFS is a very technically sophisticated filesystem. XFS has gained a reputation for robustness, speed, and flexibility on IRIX, but some of the XFS features that make it so flexible on IRIX aren’t supported well under Linux. Use xfs as the type code for this filesystem.

Btrfs: This filesystem (pronounced “butter eff ess” or “bee tree eff ess”) is an advanced filesystem with features inspired by those of Sun’s Zettabyte File System (ZFS). Like ext4fs, JFS, and XFS, Btrfs is a fast performer and is able to handle very large disks and files. As of the 3.6.0 kernel, Btrfs is considered experimental; however, its advanced features make it a likely successor to the current popular filesystems.

In practice, most administrators choose ext3fs, ext4fs, or ReiserFS as their primary filesystems; however, JFS and XFS also work well, and some administrators prefer them, particularly on large disks that store large files. (Ext4fs also handles large files.) Hard data on the merits and problems with each filesystem are difficult to come by, and even when they do exist, they’re suspect because filesystem performance interacts with so many other factors. For instance, as just noted, ReiserFS can cram more small files into a small space than can other filesystems, but this advantage isn’t very important if you’ll be storing mostly larger files.

If you’re using a non-x86 or non-x86-64 platform, be sure to check filesystem development on that platform. A filesystem may be speedy and reliable on one CPU but sluggish and unreliable on another.
In addition to these Linux-native filesystems, you may need to deal with some others from time to time, including the following:

FAT: The File Allocation Table (FAT) filesystem is old and primitive—but ubiquitous. It’s the only hard disk filesystem supported by DOS and Windows 9x/Me. For this reason, every major OS understands FAT, making it an excellent filesystem for exchanging data on removable disks. Two major orthogonal variants of FAT exist: It varies in the size of the FAT data structure after which the filesystem is named (12-, 16-, or 32-bit pointers), and it has variants that support long filenames. Linux automatically detects the FAT size, so you shouldn’t need to worry about this. To use the original FAT filenames, which are limited to eight characters with an optional three-character extension (the so-called 8.3 filenames), use the Linux filesystem type code of msdos. To use Windows-style long filenames, use the filesystem type code of vfat. A Linux-only long filename system, known as umsdos, supports additional Linux features—enough that you can install Linux on a FAT partition, although this practice isn’t recommended except for certain types of emergency disks or to try Linux on a Windows system.

NTFS: The New Technology File System (NTFS) is the preferred filesystem for Windows NT/200x/XP/Vista/7. Unfortunately, Linux’s NTFS support is rather rudimentary. As of the 2.6.x kernel series, Linux can reliably read NTFS and can overwrite existing files, but the Linux kernel can’t write new files to an NTFS partition.

If you must have good NTFS read/write support for a dual-boot system, look into NTFS-3G (http://www.ntfs-3g.org). This is a read/write NTFS driver that resides in user space rather than in kernel space. It’s used as the default NTFS driver by some Linux distributions.

HFS and HFS+: Apple has long used the Hierarchical File System (HFS) with its Mac OS, and Linux provides full read/write HFS support. This support isn’t as reliable as Linux’s read/write FAT support, though, so you may want to use FAT when exchanging files with Mac users. Apple has extended HFS to better support large hard disks and many Unix-like features with its HFS+ (aka Extended HFS). Linux 2.6.x and newer provide limited HFS+ support; but write support works only with the HFS+ journal disabled.

ISO-9660: The standard filesystem for CD-ROMs has long been ISO-9660. This filesystem comes in several levels. Level 1 is similar to the original FAT in that it supports only 8.3 filenames. Levels 2 and 3 add support for longer 32-character filenames. Linux supports ISO-9660 using its iso9660 filesystem type code. Linux’s ISO-9660 support also works with the Rock Ridge extensions, which are a series of extensions to ISO-9660 to enable it to support Unix-style long filenames, permissions, symbolic links, and so on. Similarly, Joliet provides support for long filenames as implemented for Windows. If a disc includes Rock Ridge or Joliet extensions, Linux will automatically detect and use them.

UDF: The Universal Disc Format (UDF) is the next-generation filesystem for optical discs. It’s commonly used on DVD-ROMs and recordable optical discs. Linux supports it, but read/write UDF support is still in its infancy.

As a practical matter, if you’re preparing a hard disk for use with Linux, you should probably use Linux filesystems only. If you’re preparing a disk that will be used for a dual-boot configuration, you may want to set aside some partitions for other filesystem types. For removable disks, you’ll have to be the judge of what’s most appropriate. You might use ext2fs for a Linux-only removable disk, FAT for a cross-platform disk, or ISO-9660 (perhaps with Rock Ridge and Joliet) for a CD-R or recordable DVD.

ISO-9660 and other optical disc filesystems are created with special tools intended for this purpose. Specifically, mkisofs creates an ISO-9660 filesystem (optionally with Rock Ridge, Joliet, HFS, and UDF components added), while cdrecord writes this image to a blank CD-R. The growisofs program combines both functions but works only on recordable DVD media.
Creating a Filesystem
Most filesystems, including all Linux-native filesystems, have Linux tools that can create the filesystem on a partition. Typically, these tools have filenames of the form mkfs.fstype, where fstype is the filesystem type code. These tools can also be called from a front-end tool called mkfs; you pass the filesystem type code to mkfs using its -t option:

# mkfs -t ext3 /dev/sda6

For ext2 and ext3 filesystems, the mke2fs program is often used instead of mkfs. The mke2fs program is just another name for mkfs.ext2.

This command creates an ext3 filesystem on /dev/sda6. Depending on the filesystem, the speed of the disk, and the size of the partition, this process can take anywhere from a fraction of a second to a few seconds. Most filesystem-build tools support additional options, some of which can greatly increase the time required to build a filesystem. In particular, the -c option is supported by several filesystems. This option causes the tool to perform a bad-block check—every sector in the partition is checked to be sure it can reliably hold data. If it can’t, the sector is marked as bad and isn’t used.

If you perform a bad-block check and find that some sectors are bad, chances are the entire hard disk doesn’t have long to live. Sometimes this sort of problem can result from other issues, though, such as bad cables or SCSI termination problems.

Of the common Linux filesystems, ext2fs, ext3fs, and ext4fs provide the most options in their mkfs tools. (In fact, these tools are one and the same; the program simply creates a filesystem with the appropriate features for the name that’s used to call it.) You can type man mkfs.ext2 to learn about these options, most of which deal with obscure and unimportant features. One obscure option that does deserve mention is -m percent, which sets the reserved-space percentage. The idea is that you don’t want the disk to completely fill up with user files; if the disk starts getting close to full, Linux should report that the disk is full before it really is, at least for ordinary users. This gives the root user the ability to log in and create new files, if necessary, to help recover the system.
The ext2fs/ext3fs/ext4fs reserved-space percentage defaults to 5 percent, which translates to quite a lot of space on large disks. You may want to reduce this value (say, by passing -m 2 to reduce it to 2 percent) on your root (/) filesystem and perhaps even lower (1 percent or 0 percent) on some, such as /home. Setting -m 0 also makes sense on removable disks, which aren’t likely to be critical for system recovery and may be a bit cramped to begin with.
In addition to providing filesystem-creation tools for Linux-native filesystems, Linux distributions usually provide such tools for various non-Linux filesystems. The most important of these may be for FAT. The main tool for this task is called mkdosfs, but it’s often linked to the mkfs.msdos and mkfs.vfat names, as well. This program can automatically adjust the size of the FAT data structure to 12, 16, or 32 bits depending on the device size. You can override this option with the -F fat-size option, where fat-size is the FAT size in bits—12, 16, or 32. No special options are required to create a FAT filesystem that can handle Windows-style (VFAT) long filenames; these are created by the OS.
In Exercise 3.1, you’ll practice creating filesystems using mkfs and related utilities.
EXERCISE 3.1 Creating Filesystems
Try creating some filesystems on a spare partition or a removable disk. Even a floppy disk will do, although you won’t be able to create journaling filesystems on a floppy disk. The following steps assume you’re using a USB flash drive, /dev/sdc1; change the device specification as necessary. Be sure to use an empty partition! Accidentally entering the wrong device filename could wipe out your entire system!
This exercise uses a few commands that are described in more detail later in this chapter. To create some filesystems, follow these steps:
1. Log in as root.
2. Use fdisk to verify the partitions on your target disk by typing fdisk -l /dev/sdc. You should see a list of partitions, including the one you’ll use for your tests. (If fdisk reports a single partition with ee under the Id column, the disk is a GPT disk, and you should verify the disk’s partitions with gdisk rather than fdisk.)
3. Verify that your test partition is not currently mounted. Type df to see the currently mounted partitions and verify that /dev/sdc1 is not among them.
4. Type mkfs -t ext2 /dev/sdc1. You should see several lines of status information appear.
5. Type mount /dev/sdc1 /mnt to mount the new filesystem to /mnt. (You may use another mount point, if you like.)
6. Type df /mnt to see basic accounting information for the filesystem. On my test system with a /dev/sdc1 that’s precisely 1000MiB in size, 1,007,896 blocks are present; 1,264 are used; and 955,432 blocks are available. Most of the difference between the present and available blocks is caused by the 5 percent reserved space.
7. Type umount /mnt to unmount the filesystem.
8. Type mkfs -t ext2 -m 0 /dev/sdc1 to create a new ext2 filesystem on the device, but without any reserved space.
9. Repeat steps 5−7. Note that the available space has increased (to 1,006,632 blocks on my test disk). The available space plus the used space should now equal the total blocks.
10. Repeat steps 4−7, but use a filesystem type code of ext3 to create a journaling filesystem. (This won’t be possible if you use a floppy disk.) Note how much space is consumed by the journal.
11. Repeat steps 4−7, but use another filesystem, such as JFS or ReiserFS. Note how the filesystem-creation tools differ in the information they present and in their stated amounts of available space.

Be aware that, because of differences in how filesystems store files and allocate space, a greater amount of available space when a filesystem is created may not translate into a greater capacity to store files.
Creating Swap Space
Some partitions don’t hold files. Most notably, Linux can use a swap partition, which is a partition that Linux treats as an extension of memory. (Linux can also use a swap file, which is a file that works in the same way. Both are examples of swap space.) Linux uses the MBR partition type code of 0x82 to identify swap space, but as with other partitions, this code is mostly a convenience to keep other OSs from trying to access Linux swap partitions; Linux uses /etc/fstab to define which partitions to use as swap space, as described in Chapter 4, “Managing Files.”

Solaris for x86 also uses an MBR partition type code of 0x82, but in Solaris, this code refers to a Solaris partition. If you dual-boot between Solaris and Linux, this double meaning of the 0x82 partition type code can cause confusion. This is particularly true when installing the OSs. You may need to use Linux’s fdisk to temporarily change the partition type codes to keep Linux from trying to use a Solaris partition as swap space or to keep Solaris from trying to interpret Linux swap space as a data partition.

Although swap space doesn’t hold a filesystem per se and isn’t mounted in the way that filesystem partitions are mounted, swap space does require preparation similar to that for creation of a filesystem. This task is accomplished with the mkswap command, which you can generally use by passing it nothing but the device identifier:

# mkswap /dev/sda7

This example turns /dev/sda7 into swap space. To use the swap space, you must activate it with the swapon command:

# swapon /dev/sda7

To permanently activate swap space, you must create an entry for it in /etc/fstab, as described in Chapter 4.
Maintaining Filesystem Health
Filesystems can become “sick” in a variety of ways. They can become overloaded with too much data, they can be tuned inappropriately for your system, or they can become corrupted because of buggy drivers, buggy utilities, or hardware errors. Fortunately, Linux provides a variety of utilities that can help you keep an eye on the status of your filesystems, tune their performance, and fix them.

Many of Linux’s filesystem maintenance tools should be run when the filesystem is not mounted. Changes made by maintenance utilities while the filesystem is mounted can confuse the kernel’s filesystem drivers, resulting in data corruption. In the following pages, I mention when utilities can and can’t be used with mounted filesystems.

Tuning Filesystems
Filesystems are basically just big data structures—they’re a means of storing data on disk in an indexed method that makes it easy to locate the data at a later time. Like all data structures, filesystems include design compromises. For instance, a design feature may enable you to store more small files on disk but might chew up disk space, thus reducing the total capacity available for storage of larger files. In many cases, you have no choice concerning these compromises, but some filesystems include tools that enable you to set filesystem options that affect performance. This is particularly true of ext2fs and the related ext3fs and ext4fs. Three tools are particularly important for tuning these filesystems: dumpe2fs, tune2fs, and debugfs. The first of these tools provides information about the filesystem, and the other two enable you to change tuning options.
Obtaining Filesystem Information
You can learn a lot about your ext2 or ext3 filesystem with the dumpe2fs command. This command’s syntax is fairly straightforward:

dumpe2fs [options] device

The device is the filesystem device file, such as /dev/sdb7. This command accepts several options, most of which are rather obscure. The most important option is probably -h, which causes the utility to omit information about group descriptors. (This information is helpful in very advanced filesystem debugging but not for basic filesystem tuning.) For information about additional options, consult the man page for dumpe2fs.
Unless you’re a filesystem expert and need to debug a corrupted filesystem, you’re most likely to want to use dumpe2fs with the -h option. The result is about three dozen lines of output, each specifying a particular filesystem option, like these:

Last mounted on:          <not available>
Filesystem features:      has_journal filetype sparse_super
Filesystem state:         clean
Inode count:              657312
Block count:              1313305
Last checked:             Sun Feb 26 14:23:23 2012
Check interval:           15552000 (6 months)

Some of these options’ meanings are fairly self-explanatory; for instance, the filesystem was last checked (with fsck, described in “Checking Filesystems”) on February 26, 2012. Other options aren’t so obvious; for instance, the Inode count line may be puzzling. (It’s a count of the number of inodes supported by the filesystem. Each inode contains information for one file, so the number of inodes effectively limits the number of files you can store.)
The next two sections describe some of the options you may want to change. For now, you should know that you can retrieve information about how your filesystems are currently configured using dumpe2fs. You can then use this information when modifying the configuration; if your current settings seem reasonable, you can leave them alone, but if they seem ill-adapted to your configuration, you can change them.
Unlike many low-level disk utilities, you can safely run dumpe2fs on a filesystem that’s currently mounted. This can be handy when you’re studying your configuration to decide what to modify.
Most other filesystems lack an equivalent to dumpe2fs, but XFS provides something with at least some surface similarities: xfs_info. To invoke it, pass the command the name of the partition that holds the filesystem you want to check:

# xfs_info /dev/sda7
meta-data=/dev/sda7              isize=256    agcount=88, agsize=1032192 blks
         =                       sectsz=512   attr=0
data     =                       bsize=4096   blocks=89915392, imaxpct=25
         =                       sunit=0      swidth=0 blks, unwritten=1
naming   =version 2              bsize=4096
log      =internal               bsize=4096   blocks=8064, version=1
         =                       sectsz=512   sunit=0 blks
realtime =none                   extsz=65536  blocks=0, rtextents=0

Instead of the partition name, you can pass the mount point, such as /home or /usr/local. Unlike most filesystem tools, xfs_info requires that the filesystem be mounted. The information returned by xfs_info is fairly technical, mostly related to block sizes, sector sizes, and so on.
Another XFS tool is xfs_metadump. This program copies the filesystem’s metadata (filenames, file sizes, and so on) to a file. For instance, xfs_metadump /dev/sda7 ~/dump-file copies the metadata to ~/dump-file. This command doesn’t copy actual file contents and so isn’t useful as a backup tool. Instead, it’s intended as a debugging tool; if the filesystem is behaving strangely, you can use this command and send the resulting file to XFS developers for study.

Adjusting Tunable Filesystem Parameters

The tune2fs program enables you to change many of the filesystem parameters that are reported by dumpe2fs. This program’s syntax is fairly simple, but it hides a great deal of complexity:

tune2fs [options] device

The complexity arises because of the large number of options that the program accepts. Each feature that tune2fs enables you to adjust requires its own option:

Adjust the Maximum Mount Count: Ext2fs, ext3fs, and ext4fs require a periodic disk check with fsck. This check is designed to prevent errors from creeping onto the disk undetected. You can adjust the maximum number of times the disk may be mounted without a check with the -c mounts option, where mounts is the number of mounts. You can trick the system into thinking the filesystem has been mounted a certain number of times with the -C mounts option; this sets the mount counter to mounts.

Adjust the Time Between Checks: Periodic disk checks are required based on time as well as the number of mounts. You can set the time between checks with the -i interval option, where interval is the maximum time between checks. Normally, interval is a number with the character d, w, or m appended, to specify days, weeks, or months, respectively.

Add a Journal: The -j option adds a journal to the filesystem, effectively converting an ext2 filesystem into an ext3 filesystem. Journal management is described in more detail in “Maintaining a Journal.”

Set the Reserved Blocks: The -m percent option sets the percentage of disk space that’s reserved for use by root. The default value is 5, but this is excessive on multi-gigabyte hard disks, so you may want to reduce it. You may want to set it to 0 on removable disks intended to store user files. You can also set the reserved space in blocks, rather than as a percentage of disk space, with the -r blocks option.

The options described here are the ones that are most likely to be useful. Several other options are available; consult tune2fs’s man page for details.

As with most low-level disk utilities, you shouldn’t use tune2fs to adjust a mounted filesystem. If you want to adjust a key mounted filesystem, such as your root (/) filesystem, you may need to boot up an emergency disk system, such as the CD-ROM-based Parted Magic (http://partedmagic.com). Many distributions’ install discs can be used in this capacity, as well.

In XFS, the xfs_admin command is the rough equivalent of tune2fs. Some options you may want to adjust include the following:

Use Version 2 Journal Format: The -j option enables version 2 log (journal) format, which can improve performance in some situations.

Obtain the Filesystem Label and UUID: You can use the -l and -u options to obtain the filesystem’s label (name) and universally unique identifier (UUID), respectively. The name is seldom used in Linux but can be used in some cases. The UUID is a long code that is increasingly used by distributions to specify a filesystem to be mounted, as described in “Permanently Mounting Filesystems.”

The blkid command can display the label and UUID of any partition’s filesystem, not just an XFS partition.

Set the Filesystem Label and UUID: You can change the filesystem’s label or UUID by using the -L label or -U uuid option, respectively. The label is at most 12 characters in length. You’ll normally use the -U option to set the UUID to a known value (such as the UUID the partition used prior to it being reformatted); or you can use generate as the uuid value to have xfs_admin create a new UUID. You should not set the UUID to a value that’s in use on another partition!

In use, xfs_admin might look something like this:

# xfs_admin -L av_data /dev/sda7
writing all SBs
new label = "av_data"

This example sets the name of the filesystem on /dev/sda7 to av_data. As with tune2fs, xfs_admin should be used only on unmounted filesystems.

Interactively Debugging a Filesystem

In addition to reviewing and changing filesystem flags with dumpe2fs and tune2fs, you can interactively modify a filesystem’s features using debugfs. This program provides the abilities of dumpe2fs, tune2fs, and many of Linux’s normal file-manipulation tools all rolled into one. To use the program, type its name followed by the device filename corresponding to the filesystem you want to manipulate. You’ll then see the debugfs prompt:

# debugfs /dev/sda11
debugfs:

You can type commands at this prompt to achieve specific goals:

Display Filesystem Superblock Information: The show_super_stats or stats command produces superblock information, similar to what dumpe2fs displays.

Display Inode Information: You can display the inode data on a file or directory by typing stat filename, where filename is the name of the file.

Undelete a File: You can use debugfs to undelete a file by typing undelete inode name, where inode is the inode number of the deleted file and name is the filename you want to give to it. (You can use undel in place of undelete if you like.) This facility is of limited utility because you must know the inode number associated with the deleted file. You can obtain a list of deleted inodes by typing lsdel or list_deleted_inodes, but the list may not provide enough clues to let you zero in on the file you want to recover.

Extract a File: You can extract a file from the filesystem by typing write internal-file external-file, where internal-file is the name of a file in the filesystem you’re manipulating and external-file is a filename on your main Linux system. This facility can be handy if a filesystem is badly damaged and you want to extract a critical file without mounting the filesystem.

Manipulate Files: Most of the commands described in Chapter 4 work within debugfs. You can change your directory with cd, create links with ln, remove a file with rm, and so on.

Obtain Help: Typing list_requests, lr, help, or ? produces a summary of available commands.

Exit: Typing quit exits from the program.

This summary just scratches the surface of debugfs’s capabilities. In the hands of an expert, this program can help rescue a badly damaged filesystem or at least extract critical data from it. To learn more, consult the program’s man page.

Although debugfs is a useful tool, it’s potentially dangerous. Don’t use it on a mounted filesystem, don’t use it unless you have to, and be very careful when using it. If in doubt, leave the adjustments to the experts. Be aware that the exam does cover debugfs, though.

The closest XFS equivalent to debugfs is called xfs_db. Like debugfs, xfs_db provides an interactive tool to access and manipulate a filesystem, but xfs_db provides fewer tools that are amenable to novice or intermediate use. Instead, xfs_db is a tool for XFS experts.

Maintaining a Journal

Ext2fs is a traditional filesystem. Although it’s a good performer, it suffers from a major limitation: After a power failure, a system crash, or another uncontrolled shutdown, the filesystem could be in an inconsistent state. The only way to safely mount the filesystem so that you’re sure its data structures are valid is to perform a full disk check on it, as described in “Checking Filesystems.” This task is usually handled automatically when the system boots, but it takes time—probably several minutes, or perhaps more than an hour on a large filesystem or if the computer has many smaller filesystems.

The solution to this problem is to change to a journaling filesystem. Such a filesystem maintains a journal, which is a data structure that describes pending operations. Prior to writing data to the disk’s main data structures, Linux describes what it’s about to do in the journal. When the operations are complete, their entries are removed from the journal. Thus, at any given moment the journal should contain a list of disk structures that might be undergoing modification. The result is that, in the event of a crash or power failure, the system can examine the journal and check only those data structures described in it. If inconsistencies are found, the system can roll back or complete the changes, returning the disk to a consistent state without checking every data structure in the filesystem. This greatly speeds the disk-check process after power failures and system crashes. Today, journaling filesystems are the standard for most Linux disk partitions. Very small partitions (such as a separate /boot partition, if you use one) and small removable disks (such as Zip disks) often lack journals, though.

Five journaling filesystems are common on Linux: ext3fs, ext4fs, ReiserFS, XFS, and JFS. Of these, the last three require little in the way of journal configuration. Ext3fs is a bit different; it’s basically just ext2fs with a journal added. This fact means you can add a journal to an ext2 filesystem, converting it into an ext3 filesystem. This is what the -j option to tune2fs does, as described earlier in “Adjusting Tunable Filesystem Parameters.” Ext4fs is a further enhancement of this filesystem family.

Although using tune2fs on a mounted filesystem is generally inadvisable, it’s safe to use its -j option on a mounted filesystem. The result is a file called .journal that holds the journal. If you add a journal to an unmounted filesystem, the journal file will be invisible.

Adding a journal alone won’t do much good, though. To use a journal, you must mount the filesystem with the correct filesystem type code—ext3 rather than ext2 for ext3fs, or ext4 for ext4fs. (The upcoming section “Mounting and Unmounting Filesystems” describes how to do this.)

The journal, like other filesystem features, has its own set of parameters. You can set these with the -J option to tune2fs. In particular, the size=journal-size and device=external-journal suboptions enable you to set the journal’s size and the device on which it’s stored. By default, the system creates a journal that’s the right size for the filesystem and stores it on the filesystem itself.

Checking Filesystems

Tuning a filesystem is a task you’re likely to perform every once in a while—say, when making major changes to an installation. Another task is much more common: checking a filesystem for errors. Bugs, power failures, and mechanical problems can all cause the data structures on a filesystem to become corrupted. The results are sometimes subtle, but if they’re left unchecked, they can cause severe data loss. For this reason, Linux includes tools for verifying a filesystem’s integrity and for correcting any problems that may exist. The main tool you’ll use for this purpose is called fsck. This program is actually a front end to other tools, such as e2fsck (aka fsck.ext2, fsck.ext3, and fsck.ext4) or XFS’s xfs_check and xfs_repair. The syntax for fsck is as follows:

fsck [-sACVRTNP] [-t fstype] [--] [fsck-options] filesystems

The exam objectives include both e2fsck and fsck, but because fsck is the more general tool that’s useful on more filesystems, it’s the form described in more detail in this book.

The more common parameters to fsck enable you to perform useful actions:

Check All Files: The -A option causes fsck to check all the filesystems marked to be checked in /etc/fstab. This option is normally used in system startup scripts.

Indicate Progress: The -C option displays a text-mode progress indicator of the check process. Most filesystem check programs don’t support this feature, but e2fsck does.

Show Verbose Output: The -V option produces verbose output of the check process.

No Action: The -N option tells fsck to display what it would normally do without actually doing it.

Set the Filesystem Type: Normally, fsck determines the filesystem type automatically. You can force the type with the -t fstype flag, though. Used in conjunction with -A, this causes the program to check only the specified filesystem types, even if others are marked to be checked. If fstype is prefixed with no, then all filesystems except the specified type are checked.

Filesystem-Specific Options: Filesystem check programs for specific filesystems often have their own options. The fsck command passes options it doesn’t understand, or those that follow a double dash (--), to the underlying check program. Common options include -a or -p (perform an automatic check), -r (perform an interactive check), and -f (force a full filesystem check even if the filesystem initially appears to be clean).

Filesystem List: The final parameter is usually the name of the filesystem or filesystems being checked, such as /dev/sda6.

Normally, you run fsck with only the filesystem device name, as in fsck /dev/sda6. You can add options as needed, however. Check fsck’s man page for less common options.

Run fsck only on filesystems that are not currently mounted or that are mounted in read-only mode. Changes written to disk during normal read/write operations can confuse fsck and result in filesystem corruption.

Linux runs fsck automatically at startup on partitions that are marked for this in /etc/fstab, as described later in “Permanently Mounting Filesystems.” The normal behavior of e2fsck causes it to perform just a quick cursory examination of a partition if it’s been unmounted cleanly. The result is that the Linux boot process isn’t delayed because of a filesystem check unless the system wasn’t shut down properly. This rule has a couple of exceptions, though: e2fsck forces a check if the disk has gone longer than a certain amount of time without checks (normally six months) or if the filesystem has been mounted more than a certain number of times since the last check (normally 20). You can change these options using tune2fs, as described earlier in “Adjusting Tunable Filesystem Parameters.” Therefore, you’ll occasionally see automatic filesystem checks of ext2, ext3, and ext4 filesystems even if the system was shut down correctly.

Journaling filesystems do away with full filesystem checks at system startup even if the system wasn’t shut down correctly. Nonetheless, these filesystems still require check programs to correct problems introduced by undetected write failures, bugs, hardware problems, and the like. If you encounter odd behavior with a journaling filesystem, you might consider unmounting it and performing a filesystem check—but be sure to read the documentation first. Some Linux distributions do odd things with some journaling filesystem check programs. For instance, Mandriva uses a symbolic link from /sbin/fsck.reiserfs to /bin/true. This configuration speeds system boot times should ReiserFS partitions be marked for automatic checks, but it can be confusing if you need to manually check the filesystem. If this is the case, run /sbin/reiserfsck to do the job. Similarly, /sbin/fsck.xfs is usually nothing but a script that advises the user to run xfs_check or xfs_repair.
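
The two forced-check conditions described above (mount count and time since the last check) can be evaluated from dumpe2fs -h output, as in this added shell example, which is not part of the original text. The function names, the Mount count and Maximum mount count sample values, and the "now" timestamp are constructed for illustration; timestamps are treated as UTC, and a check is assumed to be due once a limit is reached.

```shell
#!/bin/sh
# Added example: decide from `dumpe2fs -h` output whether a periodic check is
# due because of the mount-count limit or the time-between-checks limit.

# Constructed excerpt of dumpe2fs -h output. The last two lines reuse the
# sample values shown earlier; the mount counters are made up.
sample_dumpe2fs() {
    cat <<'EOF'
Filesystem state:         clean
Mount count:              7
Maximum mount count:      20
Last checked:             Sun Feb 26 14:23:23 2012
Check interval:           15552000 (6 months)
EOF
}

# fsck_due NOW_EPOCH  (reads dumpe2fs -h output on stdin)
# Prints the reason(s) and returns 0 if a check is due, 1 if not.
fsck_due() {
    awk -v now="$1" '
    # Days between 1970-01-01 and the given Gregorian date.
    function days_from_civil(y, m, d,    era, yoe, doy, doe) {
        if (m <= 2) y--
        era = int((y >= 0 ? y : y - 399) / 400)
        yoe = y - era * 400
        doy = int((153 * (m + (m > 2 ? -3 : 9)) + 2) / 5) + d - 1
        doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
        return era * 146097 + doe - 719468
    }
    {
        # Split each line at the first colon only (the date has colons too).
        sep = index($0, ":")
        if (sep == 0) next
        val = substr($0, sep + 1)
        sub(/^[ \t]+/, "", val)
        f[substr($0, 1, sep - 1)] = val
    }
    END {
        due = 0
        # A maximum of -1 (or 0) means the mount-count check is disabled.
        max = f["Maximum mount count"] + 0
        cnt = f["Mount count"] + 0
        if (max > 0 && cnt >= max) {
            printf "due: mounted %d times, limit %d\n", cnt, max
            due = 1
        }
        # An interval of 0 means the time-based check is disabled.
        ival = f["Check interval"] + 0
        if (ival > 0 && split(f["Last checked"], p, /[ :]+/) == 7) {
            mon = (index("JanFebMarAprMayJunJulAugSepOctNovDec", p[2]) + 2) / 3
            last = days_from_civil(p[7] + 0, mon, p[3] + 0) * 86400 \
                 + p[4] * 3600 + p[5] * 60 + p[6]
            if (now - last >= ival) {
                printf "due: %d days since last check, interval %d days\n",
                       (now - last) / 86400, ival / 86400
                due = 1
            }
        }
        if (!due) print "not due"
        exit !due
    }'
}

# Constructed "now": 1350000000 is 12 Oct 2012 00:00:00 UTC.
sample_dumpe2fs | fsck_due 1350000000
```

On a real system the input would come from dumpe2fs -h device and the first argument from date +%s.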

Monitoring Disk Use

One common problem with disks is that they can fill up. To avoid this problem, you need tools to tell you how much space your files are consuming. This is the task of the df and du programs, which summarize disk use on a partition-by-partition and directory-by-directory basis, respectively.

Monitoring Disk Use by Partition

The df command’s syntax is as follows:

df [options] [files]

In the simplest case, you can type the command name to see a summary of disk space used on all of a system’s partitions:

$ df
Filesystem     1K-blocks     Used Available Use% Mounted on
/dev/sdb10       5859784  4449900   1409884  76% /
/dev/sdb12       2086264   991468   1094796  48% /opt
/dev/hda13       2541468   320928   2220540  13% /usr/local
/dev/hda9       15361340 10174596   5186744  67% /home
/dev/hda10      22699288 13663408   7882820  64% /other/emu
/dev/hda6         101089    22613     74301  24% /boot
/dev/sdb5        1953216  1018752    934464  53% /other/shared
none              256528        0    256528   0% /dev/shm
speaker:/home    6297248  3845900   2451348  62% /speaker/home
//win/music     17156608  8100864   9055744  48% /win/mp3s

This output shows the device file associated with the filesystem, the total amount of space on the filesystem, the used space on the filesystem, the free space on the filesystem, the percentage of space that’s used, and the mount point. Typically, when used space climbs above about 80 percent, you should consider cleaning up the partition. The appropriate ceiling varies from one computer and partition to another, though. The risk is greatest on partitions that hold files that change frequently—particularly if large files are likely to be created on a partition, even if only temporarily.

You can fine-tune the effects of df by passing it several options. Each option modifies the df output in a specific way:

Include All Filesystems: The -a or --all option includes pseudo-filesystems with a size of 0 in the output. These filesystems may include /proc, /sys, /proc/bus/usb, and others.

Use Scaled Units: The -h or --human-readable option causes df to scale and label its units; for instance, instead of reporting a partition as having 5859784 blocks, it reports the size as 5.6G (for 5.6GiB). The -H and --si options have a similar effect, but they use power-of-10 (1,000; 1,000,000; and so on) units rather than power-of-2 (1,024; 1,048,576; and so on) units. The -k (--kilobytes) and -m (--megabytes) options force output in their respective units.

Summarize Inodes: By default, df summarizes available and used disk space. You can instead receive a report on available and used inodes by passing the -i or --inodes option. This information can be helpful if a partition has very many small files, which can deplete available inodes sooner than they deplete available disk space.

The -i option works well for ext2, ext3, ext4, XFS, and some other filesystems that create a fixed number of inodes when the filesystem is created. Other filesystems, such as ReiserFS and Btrfs, create inodes dynamically, rendering the -i option meaningless.

Local Filesystems Only: The -l or --local option causes df to omit network filesystems. This can speed up operation.

Display Filesystem Type: The -T or --print-type option adds the filesystem type to the information df displays.

Limit by Filesystem Type: The -t fstype or --type=fstype option displays only information about filesystems of the specified type. The -x fstype or --exclude-type=fstype option has the opposite effect; it excludes filesystems of the specified type from the report.

This list is incomplete; consult df’s man page for details about more options. In addition to these options, you can specify one or more files to df. When you do this, the program restricts its report to the filesystem on which the specified file or directory exists. For instance, to learn about the disk space used on the /home partition, you could type df /home. Alternatively, you can give a device filename, as in df /dev/hda9.

Monitoring Disk Use by Directory

The df command is helpful for finding out which partitions are in danger of becoming overloaded, but once you’ve obtained this information, you may need to fine-tune the diagnosis and track down the directories and files that are chewing up disk space. The tool for this task is du, which has a syntax similar to that of df:

du [options] [directories]

This command searches directories you specify and reports how much disk space each is consuming. This search is recursive, so you can learn how much space the directory and all its subdirectories consume. The result can be a very long listing if you specify directories with many files, but several options can reduce the size of this output. Others can perform helpful tasks as well:

Summarize Files As Well As Directories: Ordinarily, du reports on the space used by the files in directories but not the space used by individual files. Passing the -a or --all option causes du to report on individual files as well.

Compute a Grand Total: Adding the -c or --total option causes du to add a grand total to the end of its output.

Use Scaled Units: The -h or --human-readable option causes du to scale and label its units; for instance, instead of reporting the total disk space used as 5859784 blocks, it reports the size as 5.6G (for 5.6GiB). The -H and --si options have a similar effect, but they use power-of-10 (1,000; 1,000,000; and so on) units rather than power-of-2 (1,024; 1,048,576; and so on) units. The -k (--kilobytes) and -m (--megabytes) options force output in their respective units.

Count Hard Links: Ordinarily, du counts files that appear multiple times as hard links only once. This reflects true disk space used, but sometimes you may want to count each link independently—for instance, if you’re creating a CD-R and the file will be stored once for each link. To do so, include the -l (that’s a lowercase L) or --count-links option. (Links are described in more detail in Chapter 4.)

Limit Depth: The --max-depth=n option limits the report to n levels. (The subdirectories’ contents are counted even if they aren’t reported.)

Summarize: If you don’t want a line of output for each subdirectory in the tree, pass the -s or --summarize option, which limits the report to those files and directories you specify on the command line. This option is equivalent to --max-depth=0.

Limit to One Filesystem: The -x or --one-file-system option limits the report to the current filesystem. If another filesystem is mounted within the tree you want summarized, its contents aren’t included in the report.

This list is incomplete; you should consult du’s man page for information about additional options.

As an example of du in action, consider using it to discover which of your users is consuming the most disk space in /home. Chances are you’re not concerned with the details of which subdirectories within each home directory are using the space, so you’ll pass the -s option to the program:

# du -s /home/*
12        /home/ellen
35304     /home/freddie
1760      /home/jennie
12078     /home/jjones
0         /home/lost+found
10110324  /home/mspiggy

In this example, the wildcard character (*) stands for all the files and directories in /home, thus producing summaries for all these subdirectories. (For more on this topic, consult Chapter 4.) Clearly, mspiggy (or whoever owns the /home/mspiggy directory) is the biggest disk space user—or at least, that directory’s contents are consuming the most space. You could investigate further, say by typing du -s /home/mspiggy/* to learn where the disk space is being used within the /home/mspiggy directory. In the case of user files, if this space consumption is a problem, you may want to contact this user instead of trying to clean it up yourself.

Many types of files shouldn’t simply be deleted. For instance, most program files should be removed via the system’s package management system, if you decide to remove them. (This topic is covered in Chapter 2, “Managing Software.”) If you’re not sure what a file is or how it should be removed, don’t delete it—try a Web search, type man filename, or otherwise research it to figure out what it is.

Mounting and Unmounting Filesystems

Maintaining filesystems is necessary, but the whole reason filesystems exist is to store files—in other words, to be useful. Under Linux, filesystems are most often used by being mounted—that is, associated with a directory. This task can be accomplished on a one-time basis by using tools such as mount (and then unmounted with umount) or persistently across reboots by editing the /etc/fstab file.

Temporarily Mounting or Unmounting Filesystems

Linux provides the mount command to mount a filesystem to a mount point. The umount command reverses this process. (Yes, umount is spelled correctly; it’s missing the first n.) In practice, using these commands isn’t usually too difficult, but they support a large number of options.

Syntax and Parameters for mount

The syntax for mount is as follows:

mount [-alrsvw] [-t fstype] [-o options] [device] [mountpoint]

Common parameters for mount support a number of features:

Mount All Filesystems: The -a parameter causes mount to mount all the filesystems listed in the /etc/fstab file, which specifies the most-used partitions and devices. The upcoming section “Permanently Mounting Filesystems” describes this file’s format.

Mount Read-Only: The -r parameter causes Linux to mount the filesystem read-only, even if it’s normally a read/write filesystem.

Show Verbose Output: As with many commands, -v produces verbose output—the program provides comments on operations as they occur.

Mount Read/Write: The -w parameter causes Linux to attempt to mount the filesystem for both read and write operations. This is the default for most filesystems, but some experimental drivers default to read-only operation. The -o rw option has the same effect.

Specify the Filesystem Type: Use the -t fstype parameter to specify the filesystem type. Common filesystem types are ext2 (for ext2fs), ext3 (for ext3fs), ext4 (for ext4fs), reiserfs (for ReiserFS), jfs (for JFS), xfs (for XFS), vfat (for FAT with VFAT long filenames), msdos (for FAT using only short DOS filenames), iso9660 (for CD-ROM filesystems), udf (for DVD and some CD-ROM filesystems), nfs (for NFS network mounts), and cifs (for SMB/CIFS network shares). Linux supports many others. If this parameter is omitted, Linux will attempt to auto-detect the filesystem type.

Linux requires support in the kernel or as a kernel module to mount a filesystem of a given type. If this support is missing, Linux will refuse to mount the filesystem in question.

Mount by Label or UUID: The -L label and -U uuid options tell mount to mount the filesystem with the specified label or UUID, respectively.

Additional Options: You can add many options using the -o parameter. Many of these are filesystem-specific.

Device: The device is the device filename associated with the partition or disk device, such as /dev/hda4, /dev/fd0, or /dev/cdrom. This parameter is usually required, but it may be omitted under some circumstances, as described shortly.

Mount Point: The mount point is the directory to which the device’s contents should be attached. As with device, it’s usually required, but it may be omitted under some circumstances.

The preceding list of mount parameters isn’t comprehensive; consult the mount man page for some of the more obscure options. The most common applications of mount use few parameters because Linux generally does a good job of detecting the filesystem type and the default parameters work reasonably well. For instance, consider this example:

# mount /dev/sdb7 /mnt/shared

This command mounts the contents of /dev/sdb7 on /mnt/shared, auto-detecting the filesystem type and using the default options. Ordinarily, only root may issue a mount command; however, if /etc/fstab specifies the user, users, or owner option, an ordinary user may mount a filesystem using a simplified syntax in which only the device or mount point is specified, but not both. For instance, a user may type mount /mnt/cdrom to mount a CD-ROM if /etc/fstab specifies /mnt/cdrom as its mount point and uses the user, users, or owner option.

Most Linux distributions ship with auto-mounter support, which causes the OS to automatically mount removable media when they’re inserted. In GUI environments, a file browser may also open on the inserted disk. To eject the disk, the user will need to unmount the filesystem by using umount, as described shortly, or by selecting an option in the desktop environment.

When Linux mounts a filesystem, it ordinarily records this fact in /etc/mtab. This file has a format similar to that of /etc/fstab and is stored in /etc, but it’s not a configuration file you should edit. You might examine this file to determine what filesystems are mounted, though. (The df command, described in more detail in “Monitoring Disk Use by Partition,” is another way to learn what filesystems are mounted.)

Options for mount

When you do need to use special parameters (via -o or in /etc/fstab), it’s usually to add filesystem-specific options. Table 3.5 summarizes the most important filesystem options. Some of these are meaningful only in the /etc/fstab file.

TABLE 3.5 Important filesystem options for the mount command

Option | Supported filesystems | Description
defaults | All | Causes the default options for this filesystem to be used. It’s used primarily in the /etc/fstab file to ensure that the file includes an options column.
loop | All | Causes the loopback device for this mount to be used. Allows you to mount a file as if it were a disk partition. For instance, mount -t vfat -o loop image.img /mnt/image mounts the file image.img as if it were a disk.
auto or noauto | All | Mounts or doesn’t mount the filesystem at boot time or when root issues the mount -a command. The default is auto, but noauto is appropriate for removable media. Used in /etc/fstab.
user or nouser | All | Allows or disallows ordinary users to mount the filesystem. The default is nouser, but user is often appropriate for removable media. Used in /etc/fstab. When included in this file, user allows users to type mount /mountpoint (where /mountpoint is the assigned mount point) to mount a disk. Only the user who mounted the filesystem may unmount it.
users | All | Similar to user, except that any user may unmount a filesystem once it’s been mounted.
owner | All | Similar to user, except that the user must own the device file. Some distributions, such as Red Hat, assign ownership of some device files (such as /dev/fd0 for the floppy disk) to the console user, so this can be a helpful option.
remount | All | Changes one or more mount options without explicitly unmounting a partition. To use this option, you issue a mount command on an already mounted filesystem but with remount along with any options you want to change. This feature can be used to enable or disable write access to a partition, for example.
ro | All | Specifies a read-only mount of the filesystem. This is the default for filesystems that include no write access and for some with particularly unreliable write support.
rw | All read/write filesystems | Specifies a read/write mount of the filesystem. This is the default for most read/write filesystems.
uid=value | Most filesystems that don’t support Unix-style permissions, such as vfat, hpfs, ntfs, and hfs | Sets the owner of all files. For instance, uid=1000 sets the owner to whoever has Linux user ID 1000. (Check Linux user IDs in the /etc/passwd file.)
gid=value | Most filesystems that don’t support Unix-style permissions, such as vfat, hpfs, ntfs, and hfs | Works like uid=value, but sets the group of all files on the filesystem. You can find group IDs in the /etc/group file.
umask=value | Most filesystems that don’t support Unix-style permissions, such as vfat, hpfs, ntfs, and hfs | Sets the umask for the permissions on files. value is interpreted in binary as bits to be removed from permissions on files. For instance, umask=027 yields permissions of 750, or -rwxr-x---. Used in conjunction with uid=value and gid=value, this option lets you control who can access files on FAT, HPFS, and many other foreign filesystems.
dmask=value | Most filesystems that don’t support Unix-style permissions, such as vfat, hpfs, ntfs, and hfs | Similar to umask, but sets the umask for directories only, not for files.
fmask=value | Most filesystems that don’t support Unix-style permissions, such as vfat, hpfs, ntfs, and hfs | Similar to umask, but sets the umask for files only, not for directories.
conv=code | Most filesystems used on Microsoft and Apple OSs: msdos, umsdos, vfat, hpfs, and hfs | If code is b or binary, Linux doesn’t modify the files’ contents. If code is t or text, Linux auto-converts files between Linux-style and DOS- or Macintosh-style end-of-line characters. If code is a or auto, Linux applies the conversion unless the file is a known binary file format. It’s usually best to leave this at its default value of binary because file conversions can cause serious problems for some applications and file types.
norock | iso9660 | Disables Rock Ridge extensions for ISO-9660 CD-ROMs.
nojoliet | iso9660 | Disables Joliet extensions for ISO-9660 CD-ROMs.

Some filesystems support additional options that aren’t described here. The man page for mount covers some of these, but you may need to look at the filesystem’s documentation for some options. This documentation may appear in /usr/src/linux/Documentation/filesystems or /usr/src/linux/fs/fsname, where fsname is the name of the filesystem.
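
The arithmetic behind the umask, dmask, and fmask rows of Table 3.5 can be checked before a mount option string goes into use, as in this added shell example, which is not part of the original text. It assumes a base mode of 777 (matching the umask=027 yields 750 case in the table), assumes options apply left to right with a later one winning, and assumes 022 when no mask is given; the function names and sample option strings are constructed for illustration.

```shell
#!/bin/sh
# Added example: effective permission bits implied by umask=, fmask= and
# dmask= mount options on filesystems without Unix-style permissions (vfat
# and similar), plus a check for results that every local user can write to.

# effective_mode OPTIONS KIND
#   OPTIONS  comma-separated option string, as passed to -o or in /etc/fstab
#   KIND     "file" or "dir"
# Prints the resulting octal mode, for example 750.
effective_mode() (
    kind=$2
    case $kind in
        file|dir) ;;
        *) echo "KIND must be file or dir" >&2; exit 2 ;;
    esac
    # Assumption: with no mask option at all, 022 is used here; the real
    # default is the umask of the process that runs mount.
    mask=022
    IFS=,
    set -f                      # do not glob-expand option text
    # Assumption: options apply left to right and a later one wins.
    for opt in $1; do
        case $opt in
            umask=*) mask=${opt#*=} ;;
            fmask=*) if [ "$kind" = file ]; then mask=${opt#*=}; fi ;;
            dmask=*) if [ "$kind" = dir ]; then mask=${opt#*=}; fi ;;
        esac
    done
    case $mask in
        ''|*[!0-7]*) echo "mask is not octal: $mask" >&2; exit 2 ;;
    esac
    # Base mode 777 with the mask bits removed (umask=027 -> 750).
    printf '%03o\n' $(( 0777 & ~0$mask ))
)

# audit_mount_options OPTIONS
# Prints one line per object type; returns 1 if files or directories end up
# writable by "other", 2 on a malformed mask, 0 otherwise.
audit_mount_options() (
    status=0
    for kind in file dir; do
        mode=$(effective_mode "$1" "$kind") || exit 2
        if [ $(( 0$mode & 0002 )) -ne 0 ]; then
            echo "$kind mode $mode: WORLD-WRITABLE"
            status=1
        else
            echo "$kind mode $mode: ok"
        fi
    done
    exit "$status"
)

# Constructed sample option strings (not taken from a real system).
audit_mount_options "uid=1000,gid=100,umask=027"
audit_mount_options "uid=500,umask=0" || true
audit_mount_options "uid=1000,umask=022,fmask=133"
```

A umask=0 mount gives mode 777 to everything on the volume, so uid= and gid= no longer restrict access in any way.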

Using umount

The umount command is simpler than mount. The basic umount syntax is as follows:

umount [-afnrv] [-t fstype] [device | mountpoint]

Most of these parameters have meanings similar to their meanings in mount, but some differences deserve mention:

Unmount All: Rather than unmount partitions listed in /etc/fstab, the -a option causes the system to attempt to unmount all the partitions listed in /etc/mtab, the file that holds information about mounted filesystems. On a normally running system, this operation is likely to succeed only partly because it won’t be able to unmount some key filesystems, such as the root partition.

Force Unmount: You can use the -f option to tell Linux to force an unmount operation that might otherwise fail. This feature is sometimes helpful when unmounting NFS mounts shared by servers that have become unreachable.

Fall Back to Read-Only: The -r option tells umount that if it can’t unmount a filesystem, it should attempt to remount it in read-only mode.

Unmount Partitions of a Specific Filesystem Type: The -t fstype option tells the system to unmount only partitions of the specified type. You can list multiple filesystem types by separating them with commas.

The Device and Mount Point: You need to specify only the device or only the mount point, not both.

As with mount, normal users can’t ordinarily use umount. The exception is if the partition or device is listed in /etc/fstab and specifies the user, users, or owner option, in which case normal users can unmount the device. (In the case of user, only the user who mounted the partition may unmount it; in the case of owner, the user issuing the command must also own the device file, as with mount.) These options are most useful for removable-media devices.

Be cautious when removing floppy disks or unplugging USB disk-like devices (USB flash drives or external hard disks). Linux caches accesses to most filesystems, which means that data may not be written to the disk until some time after a write command. Because of this, it’s possible to corrupt a disk by ejecting or unplugging it, even when the drive isn’t active. You must always issue a umount command before ejecting a mounted disk. (GUI unmount tools do this behind the scenes, so using a desktop’s unmount or eject option is equivalent to using umount.) After issuing the umount command, wait for the command to return, and if the disk has activity indicators, wait for them to stop blinking to be sure Linux has finished using the device. Another way to write the cache to disk is to use the sync command; but because this command does not fully unmount a filesystem, it’s not a substitute for umount.
PermanentlyMountingFilesystemsThe /etc/fstab file controls how Linux provides access to disk partitions and removablemediadevices. Linux supports a unified directory structure in which every disk device (partition orremovabledisk)ismountedataparticularpointinthedirectorytree.Forinstance,youmightaccessaUSBflashdriveat/media/usb.Therootofthistreeisaccessedfrom/.Directoriesoffthisrootmaybeotherpartitionsordisks,ortheymaybeordinarydirectories.Forinstance,/etcshouldbeonthesamepartitionas/,butmanyotherdirectories,suchas/home,maycorrespondtoseparatepartitions.
The /etc/fstab file describes how these filesystems are laid out. (The filename fstab is an abbreviation for filesystem table.) The /etc/fstab file consists of a series of lines that contain six fields each; the fields are separated by one or more spaces or tabs. A line that begins with a hash mark (#) is a comment and is ignored. Listing 3.1 shows a sample /etc/fstab file.

Listing 3.1: Sample /etc/fstab file

#device        mount point   filesystem  options                       dump fsck
/dev/hda1      /             ext4        defaults                      1 1
UUID=3631a288-673e-40f5-9e96-6539fec468e9\
               /usr          reiserfs    defaults                      0 0
LABEL=/home    /home         reiserfs    defaults                      0 0
/dev/hdb5      /windows      vfat        uid=500,umask=0               0 0
/dev/hdc       /media/cdrom  iso9660     users,noauto                  0 0
/dev/sda1      /media/usb    auto        users,noauto                  0 0
server:/home   /other/home   nfs         users,exec                    0 0
//winsrv/shr   /other/win    cifs        users,credentials=/etc/creds  0 0
/dev/hda4      swap          swap        defaults                      0 0
The meaning of each field in this file is as follows:

Device
The first column specifies the mount device. These are usually device filenames that reference hard disks, floppy drives, and so on. Most distributions now specify partitions by their labels or UUIDs, as in the LABEL=/home and UUID=3631a288-673e-40f5-9e96-6539fec468e9 entries in Listing 3.1. When Linux encounters such an entry, it tries to find the partition whose filesystem has the specified name or UUID and mount it. This practice can help reduce problems if partition numbers change, but some filesystems lack these labels. It’s also possible to list a network drive, as in server:/home, which is the /home export on the computer called server; or //winsrv/shr, which is the shr share on the Windows or Samba server called winsrv.

Mount Point
The second column specifies the mount point; in the unified Linux filesystem, this is where the partition or disk will be mounted. This should usually be an empty directory in another filesystem. The root (/) filesystem is an exception. So is swap space, which is indicated by an entry of swap.

Filesystem Type
The filesystem type code is the same as the type code used to mount a filesystem with the mount command. You can use any filesystem type code you can use directly with the mount command. A filesystem type code of auto lets the kernel auto-detect the filesystem type, which can be a convenient option for removable media devices. Auto-detection doesn’t work with all filesystems, though.

Mount Options
Most filesystems support several mount options, which modify how the kernel treats the filesystem. You may specify multiple mount options, separated by commas. For instance, uid=500,umask=0 for /windows in Listing 3.1 sets the user ID (owner) of all files to 500 and sets the umask to 0. (User IDs and umasks are covered in more detail in Chapter 4.) Table 3.3 summarizes the most common mount options.

Backup Operation
The next-to-last field contains a 1 if the dump utility should back up a partition or a 0 if it shouldn’t. If you never use the dump backup program, this option is essentially meaningless. (The dump program was once a common backup tool, but it is much less popular today.)

Filesystem Check Order
At boot time, Linux uses the fsck program to check filesystem integrity. The final column specifies the order in which this check occurs. A 0 means that fsck should not check a filesystem. Higher numbers represent the check order. The root partition should have a value of 1, and all others that should be checked should have a value of 2. Some filesystems, such as ReiserFS, shouldn’t be automatically checked and so should have values of 0.

If you add a new hard disk or have to repartition the one you have, you’ll probably need to modify /etc/fstab. You may also need to edit it to alter some of its options. For instance, setting the user ID or umask on Windows partitions mounted in Linux may be necessary to let ordinary users write to the partition.
Managing User-Mountable Media

You may want to give ordinary users the ability to mount certain partitions or removable media, such as floppies, CD-ROMs, and USB flash drives. To do so, create an ordinary /etc/fstab entry for the filesystem, but be sure to add the user, users, or owner option to the options column. Table 3.5 describes the differences between these three options. Listing 3.1 shows some examples of user-mountable media: /media/cdrom, /media/usb, /other/home, and /other/win. The first two of these are designed for removable media and include the noauto option, which prevents Linux from wasting time trying to mount them when the OS first boots. The second pair of mount points are network file shares that are mounted automatically at boot time; the users option on these lines enables ordinary users to unmount and then remount the filesystem, which might be handy if, say, ordinary users have the ability to shut down the server.

As with any filesystems you want to mount, you must provide mount points—that is, create empty directories—for user-mountable media. Removable media are usually mounted in subdirectories of /mnt or /media.

Many modern distributions include auto-mount facilities that automatically mount removable media when they’re inserted. These tools typically create mount points in /media and create icons on users’ desktops to enable easy access to the media. This configuration produces effects that are familiar to users of Windows and Mac OS.
The credentials option for the /other/win mount point in Listing 3.1 deserves greater elaboration. Ordinarily, most SMB/CIFS shares require a username and password as a means of access control. Although you can use the username=name and password=pass options to smbfs or cifs, these options are undesirable, particularly in /etc/fstab, because they leave the password vulnerable to discovery—anybody who can read /etc/fstab can read the password. The credentials=file option provides an alternative—you can use it to point Linux at a file that holds the username and password. This file has labeled lines:

username=hschmidt
password=yiW7t9Td

Of course, the file you specify (/etc/creds in Listing 3.1) must be well protected—it must be readable only to root and perhaps to the user whose share it describes.
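The two checks described above can be automated. The following script is an added example, not part of the book: it reads an fstab-format file, reports SMB/CIFS entries that carry password= in the options field, and reports credentials= files that group or other users can access. The function names, the sample entries, and the CONSTRUCTED placeholder password are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not from the book: audit an fstab-format file for the two
# SMB/CIFS credential problems discussed above.

# check_creds_file MOUNTPOINT FILE -> prints a finding if FILE is too open
check_creds_file() {
    if [ ! -e "$2" ]; then
        echo "$1: credentials file $2 not found (or not visible to this user)"
        return 0
    fi
    # First ten characters of ls -l output: file type plus the nine rwx bits.
    cf_mode=$(ls -ld -- "$2" | cut -c1-10)
    case $cf_mode in
        ????------) ;;   # no group/other access, as the text requires
        *) echo "$1: credentials file $2 is $cf_mode; remove group/other access" ;;
    esac
}

# check_options MOUNTPOINT OPTIONS -> findings for one fstab entry
check_options() {
    co_mnt=$1
    # Split the comma-separated options field into positional parameters.
    set -f; co_ifs=$IFS; IFS=,
    set -- $2
    IFS=$co_ifs; set +f
    for co_opt in "$@"; do
        case $co_opt in
            password=*)
                # Report the problem without echoing the secret itself.
                echo "$co_mnt: password is stored inline in the options field" ;;
            credentials=*)
                check_creds_file "$co_mnt" "${co_opt#credentials=}" ;;
        esac
    done
}

# audit_fstab FILE -> one finding per line; prints nothing if FILE is clean
audit_fstab() {
    # Six fields: device, mount point, filesystem type, options, dump, fsck.
    # The "|| [ -n ... ]" part keeps a final line that lacks a newline.
    while read -r af_dev af_mnt af_type af_opts af_dump af_fsck ||
          [ -n "$af_dev" ]; do
        case $af_dev in
            '#'*) continue ;;          # comment line
        esac
        case $af_type in
            cifs|smbfs) check_options "$af_mnt" "$af_opts" ;;
        esac
    done < "$1"
}

demo() {
    demo_dir=$(mktemp -d) || return 1
    # Constructed input: entries modelled on Listing 3.1 plus one entry that
    # makes the inline-password mistake. All values are placeholders.
    printf 'username=hschmidt\npassword=CONSTRUCTED\n' > "$demo_dir/creds"
    chmod 644 "$demo_dir/creds"        # deliberately too open
    cat > "$demo_dir/fstab" <<EOF
#device mountpoint filesystem options dump fsck
/dev/hda1 / ext4 defaults 1 1
//winsrv/shr /other/win cifs users,credentials=$demo_dir/creds 0 0
//winsrv/pub /other/pub cifs users,username=hschmidt,password=CONSTRUCTED 0 0
EOF
    echo "--- credentials file mode 644 ---"
    audit_fstab "$demo_dir/fstab"
    chmod 600 "$demo_dir/creds"
    echo "--- after chmod 600 ---"
    audit_fstab "$demo_dir/fstab"
    rm -rf "$demo_dir"
}

demo
```

To check a real system, call audit_fstab /etc/fstab as root so that the credentials files are visible to the script.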
Summary

Most Linux tools and procedures provide a layer around the hardware, insulating you from a need to know too many details. Nonetheless, sometimes you have to dig in and configure hardware directly. Firmware settings can control onboard devices such as hard disk controllers and USB ports. USB and SCSI devices have their own quirks, and USB in particular is quickly evolving.

Hard disks are one class of hardware that’s likely to require more attention than most. Specifically, you must know how to create partitions and prepare filesystems on those partitions. These tasks are necessary when you install Linux (although most distributions provide GUI tools to help guide you through this task during installation), when you add a hard disk, or when you reconfigure an existing system. You should also know something about boot managers. These programs help get Linux up and running when you turn on a computer’s power, so they’re unusually critical to Linux operation.

Filesystem management is basic to being able to administer or use a Linux system. The most basic of these basic tasks are filesystem tasks—the ability to mount filesystems, check their health, and repair ailing filesystems. Once a filesystem is mounted, you may want to periodically check to see how full it is, lest you run out of disk space.
Exam Essentials

Summarize BIOS essentials. The BIOS provides two important functions: First, it configures hardware—both hardware that’s built into the motherboard and hardware on many types of plug-in cards. Second, the BIOS begins the computer’s boot process, passing control on to the boot loader in the MBR. The BIOS is currently being retired in favor of a new type of firmware, EFI, which performs these tasks on modern computers.

Describe what files contain important hardware information. There are many files under the /proc filesystem. Many of these files have been mentioned throughout this chapter. Familiarize yourself with these files, such as /proc/ioports, /proc/interrupts, /proc/dma, /proc/bus/usb, and others.

Explain Linux’s model for managing USB hardware. Linux uses drivers for USB controllers. These drivers in turn are used by some device-specific drivers (for USB disk devices, for instance) and by programs that access USB hardware via entries in the /proc/bus/usb directory tree.

Summarize how to obtain information about PCI and USB devices. The lspci and lsusb programs return information about PCI and USB devices, respectively. You can learn manufacturers’ names and various configuration options by using these commands.

Identify common disk types and their features. PATA disks were the most common type on PCs until about 2005. Since then, SATA disks, which are more easily configured, have gained substantially in popularity. SCSI disks have long been considered the top-tier disks, but their high price has kept them out of inexpensive commodity PCs.

Describe the purpose of disk partitions. Disk partitions break the disk into a handful of distinct parts. Each partition can be used by a different OS, can contain a different filesystem, and is isolated from other partitions. These features improve security and safety and can greatly simplify running a multi-OS system.

Summarize important Linux disk partitions. The most important Linux disk partition is the root (/) partition, which is at the base of the Linux directory tree. Other possible partitions include a swap partition, /home for home directories, /usr for program files, /var for transient system files, /tmp for temporary user files, /boot for the kernel and other critical boot files, and more.

Describe commands that help you monitor disk use. The df command provides a one-line summary of each mounted filesystem’s size, available space, free space, and percentage of space used. The du command adds up the disk space used by all the files in a specified directory tree and presents a summary by directory and subdirectory.

Summarize the tools that can help keep a filesystem healthy. The fsck program is a front-end to filesystem-specific tools such as e2fsck and fsck.jfs. By whatever name, these programs examine a filesystem’s major data structures for internal consistency and can correct minor errors.

Explain how filesystems are mounted in Linux. The mount command ties a filesystem to a Linux directory; once the filesystem is mounted, its files can be accessed as part of the mount directory. The /etc/fstab file describes permanent mappings of filesystems to mount points; when the system boots, it automatically mounts the described filesystems unless they use the noauto option (which is common for removable disks).
Review Questions

1. What are common IRQs for RS-232 serial ports? (Select two.)
A. 1
B. 3
C. 4
D. 8
E. 16

2. What tool would you use to disable a motherboard’s sound hardware if you don’t want to use it?
A. The firmware
B. The alsactl utility
C. The lsmod command
D. The lspci program
E. None of the above; onboard sound devices can’t be disabled

3. What is the purpose of udev?
A. To aid in the development of software
B. To unload Linux device drivers
C. To load Linux device drivers
D. To store devices’ BIOS configurations in files
E. To manage the /dev directory tree

4. You’ve just installed Linux on a new computer with a single SATA hard disk. What device identifier will refer to the disk?
A. /dev/sda
B. /dev/mapper/disk1
C. /dev/hda
D. C:
E. /dev/sda or /dev/hda

5. Which files contain essential system information such as IRQs, direct memory access channels, and I/O addresses? (Select three.)
A. /proc/ioports
B. /proc/ioaddresses
C. /proc/dma
D. /proc/interrupts
E. /proc/hardware

6. Typing fdisk -l /dev/sda on a Linux computer with an MBR disk produces a listing of four partitions: /dev/sda1, /dev/sda2, /dev/sda5, and /dev/sda6. Which of the following is true?
A. The disk contains two primary partitions and two extended partitions.
B. Either /dev/sda1 or /dev/sda2 is an extended partition.
C. The partition table is corrupted; there should be a /dev/sda3 and a /dev/sda4 before /dev/sda5.
D. If you add a /dev/sda3 with fdisk, /dev/sda5 will become /dev/sda6 and /dev/sda6 will become /dev/sda7.
E. Both /dev/sda1 and /dev/sda2 are logical partitions.

7. A new Linux administrator plans to create a system with separate /home, /usr/local, and /etc partitions, in addition to the root (/) partition. Which of the following best describes this configuration?
A. The system won’t boot because critical boot-time files reside in /home.
B. The system will boot, but /usr/local won’t be available because mounted partitions must be mounted directly off their parent partition, not in a subdirectory.
C. The system will boot only if the /home partition is on a separate physical disk from the /usr/local partition.
D. The system will boot and operate correctly, provided each partition is large enough for its intended use.
E. The system won’t boot because /etc contains configuration files necessary to mount non-root partitions.

8. Which of the following directories is most likely to be placed on its own hard disk partition?
A. /bin
B. /sbin
C. /mnt
D. /home
E. /dev

9. You discover that an MBR hard disk has partitions with type codes of 0x0f, 0x82, and 0x83. Assuming these type codes are accurate, what can you conclude about the disk?
A. The disk holds a partial or complete Linux system.
B. The disk holds DOS or Windows 9x/Me and Windows NT/200x/XP installations.
C. The disk holds a FreeBSD installation.
D. The disk is corrupt; those partition type codes are incompatible.
E. The disk holds a Mac OS X installation.

10. You run Linux’s fdisk and modify your partition layout. Before exiting the program, you realize that you’ve been working on the wrong disk. What can you do to correct this problem?
A. Nothing; the damage is done, so you’ll have to recover data from a backup.
B. Type w to exit fdisk without saving changes to disk.
C. Type q to exit fdisk without saving changes to disk.
D. Type u repeatedly to undo the operations you’ve made in error.
E. Type t to undo all the changes and return to the original disk state.

11. What does the following command accomplish?
# mkfs -t ext2 /dev/sda4
A. It sets the partition table type code for /dev/sda4 to ext2.
B. It converts a FAT partition into an ext2fs partition without damaging the partition’s existing files.
C. Nothing; the -t option isn’t valid, and so it causes mkfs to abort its operation.
D. It converts an ext2 filesystem to an ext4 filesystem.
E. It creates a new ext2 filesystem on /dev/sda4, overwriting any existing filesystem and data.

12. Which of the following best summarizes the differences between DOS’s FDISK and Linux’s fdisk?
A. Linux’s fdisk is a simple clone of DOS’s FDISK but written to work from Linux rather than from DOS or Windows.
B. The two are completely independent programs that accomplish similar goals, although Linux’s fdisk is more flexible.
C. DOS’s FDISK uses GUI controls, whereas Linux’s fdisk uses a command-line interface, but they have similar functionality.
D. Despite their similar names, they’re completely different tools—DOS’s FDISK handles disk partitioning, whereas Linux’s fdisk formats floppy disks.
E. DOS’s FDISK manages GPT disks whereas Linux’s fdisk manages MBR disks.

13. What mount point should you associate with swap partitions?
A. /
B. /swap
C. /boot
D. /mem
E. None of the above

14. Which of the following options is used with fsck to force it to use a particular filesystem type?
A. -A
B. -N
C. -t
D. -C
E. -f

15. Which of the following pieces of information can df not report?
A. How long the filesystem has been mounted
B. The number of inodes used on an ext3fs partition
C. The filesystem type of a partition
D. The percentage of available disk space used on a partition
E. The mount point associated with a filesystem

16. What is an advantage of a journaling filesystem over a conventional (non-journaling) filesystem?
A. Journaling filesystems are older and better tested than non-journaling filesystems.
B. Journaling filesystems never need to have their filesystems checked with fsck.
C. Journaling filesystems support Linux ownership and permissions; non-journaling filesystems don’t.
D. Journaling filesystems require shorter disk checks after a power failure or system crash.
E. Journaling filesystems record all transactions, enabling them to be undone.

17. To access files on a USB flash drive, you type mount /dev/sdc1 /media/flash as root. Which types of filesystems will this command mount?
A. Ext2fs
B. FAT
C. HFS
D. ReiserFS
E. All of the above

18. Which of the following /etc/fstab entries will mount /dev/sdb2 as the /home directory at boot time?
A. /dev/sdb2 reiserfs /home defaults 0 0
B. /dev/sdb2 /home reiserfs defaults 0 0
C. /home reiserfs /dev/sdb2 noauto 0 0
D. /home /dev/sdb2 reiserfs noauto 0 0
E. reiserfs /dev/sdb2 /home noauto 0 0

19. What filesystem options might you specify in /etc/fstab to make a removable disk (USB flash drive, Zip disk, floppy disk, and so on) mountable by an ordinary user with a UID of 1000? (Select three.)
A. user
B. users
C. owner
D. owners
E. uid=1000

20. What is the minimum safe procedure for removing a USB flash drive, mounted from /dev/sdb1 at /media/usb, from a Linux computer?
A. Type umount /media/usb, wait for the command to return and disk-activity lights to stop, and then unplug the drive.
B. Unplug the drive, and then type umount /media/usb to ensure that Linux registers the drive’s removal from the system.
C. Unplug the drive, and then type sync /dev/sdb1 to flush the caches to ensure problems don’t develop.
D. Type usbdrive-remove, and then quickly remove the disk before its activity light stops blinking.
E. Type fsck /dev/sdb1, wait for the command to return and disk-activity lights to stop, and then unplug the drive.

Chapter 4

Managing Files

THE FOLLOWING EXAM OBJECTIVES ARE COVERED IN THIS CHAPTER:

1.103.3 Perform basic file management
1.104.4 Manage disk quotas
1.104.5 Manage file permissions and ownership
1.104.6 Create and change hard and symbolic links
1.104.7 Find system files and place files in the correct location

Ultimately, Linux is a collection of files stored on your hard disk. Other disk files contain all your user data. For these reasons, being able to manage the files contained on your filesystems is an important skill for any Linux system administrator. Chapter 3, “Configuring Hardware,” described creating disk partitions, preparing filesystems on them, maintaining those filesystems, and mounting them. This chapter continues this topic by looking more closely at file management.

This chapter begins with an examination of the basic commands used to access and manipulate files. As a multi-user OS, Linux provides tools that enable you to restrict who may access your files, so I describe the Linux ownership model and the commands that are built on this model to control file access. Furthermore, Linux provides a system that enables you to restrict how much disk space individual users may consume, so I describe this feature. Finally, this chapter looks at locating files—both the formal description of where certain types of files should reside and the commands you can use to locate specific files.

Using File Management Commands

Basic file management is critical to the use of any computer. This is particularly true on Unix-like systems, including Linux, because these systems treat almost everything as a file, including most hardware devices and various specialized interfaces. Thus, being able to create, delete, move, rename, archive, and otherwise manipulate files is a basic skill of any Linux user or system administrator.

To begin, you should understand something of the rules that govern filenames and the shortcuts you can use to refer to files. With this information in hand, you can move on to learn how to manipulate files, how to manipulate directories, how to archive files, and how to manage links.

File Naming and Wildcard Expansion Rules

Linux filenames are much like the filenames on any other OS. Every OS has its filename quirks, though, and these differences can be stumbling blocks to those who move between systems—or to those who want to move files between systems.

Linux filenames can contain uppercase or lowercase letters, numbers, and even most punctuation and control characters. To simplify your life and avoid confusion, though, I recommend restricting non-alphanumeric symbols to the dot (.), the dash (-), and the underscore (_). Some programs create backup files that end in the tilde (~), as well. Although Linux filenames can contain spaces, and although such filenames are common in some OSs, they must be escaped on the Linux command line by preceding the space with a backslash (\) or by enclosing the entire filename in quotes ("). This requirement makes spaces a bit awkward in Linux, so most Linux users substitute dashes or underscores.

A few characters have special meaning and should never be used in filenames. These include the asterisk (*), the question mark (?), the forward slash (/), the backslash (\), and the quotation mark ("). Although you can create files that contain all of these characters except for the forward slash (which serves to separate directory elements) by escaping them, they’re likely to cause greater confusion than other symbols.

Linux filename length depends on the filesystem in use. On ext2fs, ext3fs, ext4fs, ReiserFS, XFS, and many others, the limit is 255 characters. If you’ve ever used DOS, you’re probably familiar with the 8.3 filename limit: DOS filenames are restricted to eight characters followed by an optional three-character extension. These two components are separated by a dot. Although one- to four-character extensions are common in Linux, Linux filenames can contain an arbitrary number of dots. In fact, filenames can begin with a dot. These so-called dot files are hidden from view by most utilities that display files, so they’re popular for storing configuration files in your home directory.
If you access a File Allocation Table (FAT) filesystem on a removable disk or partition used by DOS, you can do so using either of two filesystem type codes: msdos, which limits you to 8.3 filenames; or vfat, which supports Windows-style long filenames. In addition, the umsdos filesystem type code was a Linux-only extension that supported Linux-style long filenames. UMSDOS support was discontinued after the 2.6.11 kernel.
Two filenames are particularly special. A filename that consists of a single dot (.) refers to the current directory, whereas a filename that consists of a double dot (..) refers to the parent directory. For instance, if your current directory is /home/jerry, then . refers to that directory and .. refers to /home.

One critical difference between Linux filenames and those of many other OSs is that Linux treats its filenames in a case-sensitive way; in other words, Filename.txt is different from filename.txt or FILENAME.TXT. All three files can exist in a single directory. Under Windows, all three filenames refer to the same file. Although Windows 95 and later all retain the case of the filename, they ignore it when you refer to an existing file, and they don’t permit files whose names differ only in case to co-exist in a single directory. This difference isn’t a major problem for most people who migrate from Windows to Linux, but you should be aware of it. It can also cause problems when you try to read a FAT disk using the Linux vfat driver because Linux has to follow the Windows rules when managing files on that disk.

You can use wildcards with many commands. A wildcard is a symbol or set of symbols that stands in for other characters. Three classes of wildcards are common in Linux:

?
A question mark (?) stands in for a single character. For instance, b??k matches book, balk, buck, or any other four-character filename that begins with b and ends with k.

*
An asterisk (*) matches any character or set of characters, including no character. For instance, b*k matches book, balk, and buck just as does b??k. b*k also matches bk, bbk, and backtrack.

Bracketed Values
Characters enclosed in square brackets ([]) normally match any character in the set. For instance, b[ao][lo]k matches balk and book but not buck or back. It’s also possible to specify a range of values; for instance, b[a-z]ck matches back, buck, and other four-letter filenames of this form whose second character is a lowercase letter. This differs from b?ck—because Linux treats filenames in a case-sensitive way and because ? matches any character (not just any lowercase letter), b[a-z]ck doesn’t match bAck or b3ck, although b?ck matches both of these filenames.

Wildcards are implemented in the shell and passed to the command you call. For instance, if you type ls b??k, and that wildcard matches the three files balk, book, and buck, the result is precisely as if you’d typed ls balk book buck. The process of wildcard expansion is known as file globbing or simply globbing.
The way wildcards are expanded can lead to undesirable consequences. For instance, suppose you want to copy two files, specified via a wildcard, to another directory, but you forget to give the destination directory. The cp command (described shortly) will interpret the command as a request to copy the first of the files over the second.
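The forgotten-destination mistake described above, reproduced in a scratch directory, followed by one way to guard against it. This script is an added example, not part of the book; the functions make_scratch, unguarded_copy, and copy_into and the file contents are constructed for the illustration.

```shell
#!/bin/sh
# Added example, not from the book: wildcard expansion and a forgotten
# cp destination, demonstrated on constructed files in a scratch directory.

# make_scratch -> prints the path of a new directory with two matching files
make_scratch() {
    ms_dir=$(mktemp -d) || return 1
    echo "data from balk" > "$ms_dir/balk"
    echo "data from book" > "$ms_dir/book"
    mkdir "$ms_dir/saved"
    echo "$ms_dir"
}

# unguarded_copy DIR: the mistake from the text. The shell expands b??k to
# "balk book" before cp starts, so cp sees one source file and one
# destination file and silently overwrites book with balk.
unguarded_copy() {
    ( cd "$1" && cp b??k )
}

# copy_into DEST FILE...: takes the destination first and insists that it is
# an existing directory. If the destination is forgotten, the first expanded
# filename lands in the DEST slot and the check fails before anything is copied.
copy_into() {
    if [ "$#" -lt 2 ]; then
        echo "usage: copy_into DEST FILE..." >&2
        return 2
    fi
    ci_dest=$1
    shift
    if [ ! -d "$ci_dest" ]; then
        echo "copy_into: $ci_dest is not a directory; nothing copied" >&2
        return 1
    fi
    for ci_file in "$@"; do
        # The trailing slash makes cp fail rather than create a misnamed file.
        cp -- "$ci_file" "$ci_dest/" || return 1
    done
}

demo() {
    demo_dir=$(make_scratch) || return 1
    unguarded_copy "$demo_dir"
    echo "book after 'cp b??k': $(cat "$demo_dir/book")"
    echo "data from book" > "$demo_dir/book"     # restore for the second run
    ( cd "$demo_dir" && copy_into b??k ) || echo "forgotten destination rejected"
    ( cd "$demo_dir" && copy_into saved b??k ) && ls "$demo_dir/saved"
    rm -rf "$demo_dir"
}

demo
```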

File Commands

A few file-manipulation commands are extremely important to everyday file operations. These commands enable you to list, copy, move, rename, and delete files.

The ls Command

To manipulate files, it’s helpful to know what they are. This is the job of the ls command, whose name is short for list. The ls command displays the names of files in a directory. Its syntax is simple:

ls [options] [files]

The command supports a huge number of options; consult ls’s man page for details. The most useful options include the following:

Display All Files
Normally, ls omits files whose names begin with a dot (.). These dot files are often configuration files that aren’t usually of interest. Adding the -a or --all parameter displays dot files.

Color Listing
The --color option produces a color-coded listing that differentiates directories, symbolic links, and so on by displaying them in different colors. This works at the Linux console, in xterm windows in X, and from some types of remote logins, but some remote-login programs don’t support color displays. Some Linux distributions configure their shells to use this option by default.

Display Directory Names
Normally, if you type a directory name as one of the files, ls displays the contents of that directory. The same thing happens if a directory name matches a wildcard. Adding the -d or --directory parameter changes this behavior to list only the directory name, which is sometimes preferable.

Long Listing
The ls command normally displays filenames only. The -l parameter (a lowercase L) produces a long listing that includes information such as the file’s permission string (described in “Understanding Permissions”), owner, group, size, and creation date.

Display File Type
The -F or --file-type option appends an indicator code to the end of each name so you know what type of file it is. The meanings are as follows:

/  Directory
@  Symbolic link
=  Socket
|  Pipe

Recursive Listing
The -R or --recursive option causes ls to display directory contents recursively. That is, if the target directory contains a subdirectory, ls displays both the files in the target directory and the files in its subdirectory. The result can be a huge listing if a directory has many subdirectories.

Both the options list and the files list are optional. If you omit the files list, ls displays the contents of the current directory. You may instead give one or more file or directory names, in which case ls displays information about those files or directories, as in this example:

$ ls -F /usr /bin/ls
/bin/ls*

/usr:
bin/  include/  lib32/  local/  share/  X11R6/  games/  lib/  lib64@  sbin/
src/

This output shows both the /bin/ls program file and the contents of the /usr directory. The latter consists mainly of subdirectories, but it includes one symbolic link as well. By default, ls creates a listing that’s sorted by filename, as shown in this example. In the past, uppercase letters (as in X11R6) appeared before lowercase letters (as in bin); however, recent versions of ls sort in a case-insensitive manner.

One of the most common ls options is -l, which creates a long listing like this:

$ ls -l t*
-rwxr-xr-x 1 rodsmith users     111 Apr 13 13:48 test
-rw-r--r-- 1 rodsmith users  176322 Dec 16 09:34 thttpd-2.20b-1.i686.rpm
-rw-r--r-- 1 rodsmith users 1838045 Apr 24 18:52 tomsrtbt-1.7.269.tar.gz
-rw-r--r-- 1 rodsmith users 3265021 Apr 22 23:46 tripwire.rpm

This output includes the permission strings, ownership, file sizes, and file creation dates in addition to the filenames. This example also illustrates the use of the * wildcard, which matches any string—thus, t* matches any filename that begins with t.
You can combine multiple options by merging them with a single preceding dash, as in ls -lF to get a long listing that also includes file type codes. This can save a bit of typing compared to the alternative of ls -l -F.

The cp Command

The cp command copies a file. Its basic syntax is as follows:

cp [options] source destination

The source is normally one or more files, and the destination may be a file (when the source is a single file) or a directory (when the source is one or more files). When copying to a directory, cp preserves the original filename; otherwise, it gives the new file the filename indicated by destination. The command supports a large number of options; consult its man page for more information. Some of the useful options enable you to modify the command’s operation in helpful ways:

Force Overwrite
The -f or --force option forces the system to overwrite any existing files without prompting.

Use Interactive Mode
The -i or --interactive option causes cp to ask you before overwriting any existing files.

Preserve Ownership and Permissions
Normally, a copied file is owned by the user who issues the cp command and uses that account’s default permissions. The -p or --preserve option preserves ownership and permissions, if possible.

Perform a Recursive Copy
If you use the -R or --recursive option and specify a directory as the source, the entire directory, including its subdirectories, is copied. Although -r also performs a recursive copy, its behavior with files other than ordinary files and directories is unspecified. Most cp implementations use -r as a synonym for -R, but this behavior isn’t guaranteed.

Perform an Archive Copy
The -a or --archive option is similar to -R, but it also preserves ownership and copies links as is. The -R option copies the files to which symbolic links point rather than the symbolic links themselves. (Links are described in more detail later in this chapter in “Managing Links.”)

Perform an Update Copy
The -u or --update option tells cp to copy the file only if the original is newer than the target or if the target doesn’t exist.

This list of cp options is incomplete but covers the most useful options. Consult cp’s man page for information about additional cp options.

As an example, the following command copies the /etc/fstab configuration file to a backup location in /root, but only if the original /etc/fstab is newer than the existing backup:

# cp -u /etc/fstab /root/fstab-backup

The mv Command

The mv command (short for move) is commonly used both to move files and directories from one location to another and to rename them. Linux doesn’t distinguish between these two types of operations, although many users do. The syntax of mv is similar to that of cp:

mv [options] source destination

The command takes many of the same options as cp does. From the earlier list, --preserve, --recursive, and --archive don’t apply to mv, but the others do.

To move one or more files or directories, specify the files as the source and specify a directory or (optionally, for a single-file move) a filename for the destination:

$ mv document.odt important/purchases/
This example uses a trailing slash (/) on the destination directory. This practice can help avoid problems caused by typos. For instance, if the destination directory were mistyped as important/purchase (missing the final s), mv would move document.odt into the important directory under the filename purchase. Adding the trailing slash makes it explicit that you intend to move the file into a subdirectory. If it doesn’t exist, mv complains, so you’re not left with mysterious misnamed files. You can also use the Tab key to avoid problems. When you press Tab in many Linux shells, such as bash, the shell tries to complete the filename automatically, reducing the risk of a typo.
The preceding command copies the document.odt file into the important/purchases subdirectory. If the move occurs on one low-level filesystem, Linux does the job by rewriting directory entries; the file’s data need not be read and rewritten. This makes mv fast. When the target directory is on another partition or disk, though, Linux must read the original file, rewrite it to the new location, and delete the original. This slows down mv.

Renaming a file with mv works much like moving a file, except that the source and destination filenames are in the same directory, as shown here:

$ mv document.odt washer-order.odt

This renames document.odt to washer-order.odt in the same directory. You can combine these two forms as well:

$ mv document.odt important/purchases/washer-order.odt

This command simultaneously moves and renames the file.

You can move or rename entire directories using mv, too; just specify one or more directories as the source in the command. For instance, consider the following commands:

$ mv important critical
$ mv critical /tmp/

The first of these commands renames the important subdirectory as critical in the current directory. The second command moves the renamed subdirectory to the /tmp directory. (You could combine these two commands to mv important /tmp/critical.) The form of these commands is identical to the form of mv when used with files, although you may optionally add a trailing slash (/) to directory names.

The rm Command

To delete a file, use the rm command, whose name is short for remove. Its syntax is simple:

rm [options] files

The rm command accepts many of the same options as cp or mv. Of those described with cp, --preserve, --archive, and --update don’t apply to rm, but all the others do. With rm, -r is synonymous with -R.
By default, Linux doesn’t provide any sort of “trash-can” functionality for its rm command; once you’ve deleted a file with rm, it’s gone and cannot be recovered without retrieving it from a backup or performing low-level disk maintenance (such as with debugfs). Therefore, you should be cautious when using rm, particularly when you’re logged on as root. This is especially true when you’re using the -R option, which can destroy a large part of your Linux installation! Many Linux GUI file managers do implement trash-can functionality so that you can easily recover files moved to the trash (assuming you haven’t emptied the trash), so you may want to use a file manager for removing files.

The touch Command

Linux-native filesystems maintain three time stamps for every file:

Last file-modification time
Last inode change time
Last access time

Various programs rely on these time stamps; for instance, the make utility (which helps compile a program from source code) uses the time stamps to determine which source-code files must be recompiled if an object file already exists for a particular file. Thus, sometimes you may need to modify the time stamps. This is the job of the touch command, which has the following syntax:

touch [options] files

By default, touch sets the modification and access times to the current time. You might use this if, for instance, you wanted make to recompile a particular source code file even though a newer object file existed. If the specified files don’t already exist, touch creates them as empty files. This can be handy if you want to create dummy files—say, to experiment with other file-manipulation commands.

You can pass various options to touch to have it change its behavior:

Change Only the Access Time
The -a or --time=atime option causes touch to change the access time alone, not the modification time.

Change Only the Modification Time
The -m or --time=mtime option causes touch to change the modification time alone, not the access time.

Do Not Create File
If you don’t want touch to create any files that don’t already exist, pass it the -c or --no-create option.

Set the Time as Specified
The -t timestamp option sets the time to the specified timestamp. This value is given in the form MMDDhhmm[[CC]YY][.ss], where MM is the month, DD is the day, hh is the hour (on a 24-hour clock), mm is the minute, [CC]YY is the year (such as 2012 or 12, which are equivalent), and ss is the second. Another way to set a particular time is with the -r reffile or --reference=reffile option, where reffile is a file whose time stamp you want to replicate.
File Archiving Commands
A file archiving tool collects a group of files into a single “package” file that you can easily move around on a single system; back up to a recordable DVD, tape, or other removable media; or transfer across a network. Linux supports several archiving commands, the most prominent being tar and cpio. The dd command, although not technically an archiving command, is similar in some ways, because it can copy an entire partition or disk into a file, or vice versa.
The zip format, which is common on Windows, is supported by the Linux zip and unzip commands. Other archive formats, such as the Roshal Archive (RAR) and StuffIt, can also be manipulated using Linux utilities. These archive formats may be important in some environments, but they aren’t covered on the exam.
The tar Utility
The tar program’s name stands for “tape archiver.” Despite this fact, you can use tar to archive data to other media. In fact, tarballs (archive files created by tar and typically compressed with gzip or bzip2) are often used for transferring multiple files between computers in one step, such as when distributing source code.
The tar program is a complex package with many options, but most of what you’ll do with the utility can be covered with a few common commands. Table 4.1 lists the primary tar commands, and Table 4.2 lists the qualifiers that modify what the commands do. Whenever you run tar, you use exactly one command, and you usually use at least one qualifier.
TABLE 4.1 tar commands
Command               Abbreviation  Description
--create              c             Creates an archive
--concatenate         A             Appends tar files to an archive
--append              r             Appends non-tar files to an archive
--update              u             Appends files that are newer than those in an archive
--diff or --compare   d             Compares an archive to files on disk
--list                t             Lists an archive’s contents
--extract or --get    x             Extracts files from an archive
TABLE 4.2 tar qualifiers
Qualifier                  Abbreviation                         Description
--directory dir            C                                    Changes to directory dir before performing operations
--file [host:]file         f                                    Uses the file called file on the computer called host as the archive file
--listed-incremental file  g                                    Performs an incremental backup or restore, using file as a list of previously archived files
--one-file-system          l (on old versions of tar)           Backs up or restores only one filesystem (partition)
--multi-volume             M                                    Creates or extracts a multi-tape archive
--tape-length N            L                                    Changes tapes after N kilobytes
--same-permissions         p                                    Preserves all protection information
--absolute-paths           P                                    Retains the leading / on filenames
--verbose                  v                                    Lists all files read or extracted; when used with --list, displays file sizes, ownership, and time stamps
--verify                   W                                    Verifies the archive after writing it
--exclude file             (none)                               Excludes file from the archive
--exclude-from file        X                                    Excludes files listed in file from the archive
--gzip or --ungzip         z                                    Processes an archive through gzip
--bzip2                    j (some older versions used I or y)  Processes an archive through bzip2
--xz                       J                                    Processes an archive through xz
Of the commands listed in Table 4.1, the most commonly used are --create, --extract, and --list. The most useful qualifiers from Table 4.2 are --file, --listed-incremental, --one-file-system, --same-permissions, --gzip, --bzip2, --xz, and --verbose. If you fail to specify a filename with the --file qualifier, tar will attempt to use a default device, which is often (but not always) a tape device file.
Three compression tools—gzip, bzip2, and xz—are often used with tar, which applies compression to the tarball as a whole rather than to the individual files. This method of compressing reduces the tarball’s size compared to compressing constituent files and then adding them to the archive, but it makes the archive more susceptible to damage; a single-byte error early in the archive can make it impossible to recover any subsequent data. Of the three compression tools, gzip is the oldest and provides the least compression, bzip2 provides improved compression, and xz is the newest and provides the best compression. Typically, files compressed with these utilities have .gz, .bz2, or .xz extensions, respectively. Compressed tarballs sometimes use their own special extensions, such as .tgz for a gzip-compressed tarball or .tbz for one compressed with bzip2.
As an example of tar in use, consider archiving and compressing the my-work subdirectory of your home directory to a USB flash drive mounted at /media/pen. The following command will do the trick:
$ tar cvfz /media/pen/my-work.tgz ~/my-work
If you then transfer this flash drive to another system, mount it at /media/usb, and want to extract the archive, you can do so with another command:
$ tar xvfz /media/usb/my-work.tgz
Instead of using the compression options, you can use a pipe to connect a compression tool to tar when extracting data. For instance, gunzip -c tarball.tgz | tar xvf - uncompresses tarball.tgz.
The preceding command creates a subdirectory called my-work in the current working directory and populates it with the files from the archive. If you don’t know what’s in an archive, it’s a good practice to examine it with the --list command before extracting its contents. Although tarballs usually contain a single subdirectory, sometimes tarballs contain many files without a “carrier” subdirectory. Extracting such tarballs drops these files in your current directory, which can make it difficult to determine which files come from the tarball and which were already present.
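As an added example (not from the book), the following shell functions apply the --list advice before extraction: they list an archive and flag member names that are absolute, that climb out of the extraction directory with .., or that lack a single carrier subdirectory. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Pre-extraction check built on "tar --list"; nothing is ever extracted.

# classify_members: read member names (one per line) on stdin, print findings.
# Exit status: 0 = nothing flagged, 1 = at least one finding.
classify_members() {
    awk '
        { name = $0; sub(/^(\.\/)+/, "", name) }   # a leading ./ is harmless
        name == "" { next }                         # the "./" entry itself
        name ~ /^\// { print "ABSOLUTE " $0; bad = 1; next }
        name == ".." || name ~ /^\.\.\// || name ~ /\/\.\.\// || name ~ /\/\.\.$/ {
            print "TRAVERSAL " $0; bad = 1; next
        }
        {   # remember each distinct top-level path component
            split(name, part, "/")
            if (!(part[1] in top)) { top[part[1]] = 1; ntop++ }
        }
        END {
            if (ntop > 1) { print "NO_CARRIER " ntop " top-level entries"; bad = 1 }
            exit (bad ? 1 : 0)
        }'
}

# check_tarball ARCHIVE: list ARCHIVE and classify its member names.
# Exit status: 0 = clean, 1 = findings, 2 = archive could not be listed.
check_tarball() {
    listing=$(tar -tf "$1" 2>/dev/null) || { echo "ERROR cannot list $1"; return 2; }
    printf '%s\n' "$listing" | classify_members
}

# Constructed listing (not from a real archive): a carrier directory plus
# three members that would land outside it.
sample_listing() {
    printf '%s\n' 'my-work/' 'my-work/notes.txt' \
        'my-work/../../outside.txt' '/tmp/absolute.txt' 'README'
}

sample_listing | classify_members || echo "review the archive before extracting"
```

Run check_tarball on the archive file itself (for example, the my-work.tgz created earlier) and extract only when it exits with status 0.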
The cpio Utility
The cpio program is similar in principle to tar, but the details of its operation differ. As with tar, you can direct its output straight to a tape device or to a regular file. Backing up to a tape device can be a convenient way to back up the computer because it requires no intermediate storage. To restore data, you use cpio to read directly from the tape device file or from a regular file.
The cpio utility has three operating modes:
Copy-Out Mode: This mode, activated by use of the -o or --create option, creates an archive and copies files into it.
Copy-In Mode: You activate copy-in mode by using the -i or --extract option. This mode extracts data from an existing archive. If you provide a filename or a pattern to match, cpio extracts only the files whose names match the pattern you provide.
Copy-Pass Mode: This mode is activated by the -p or --pass-through option. It combines the copy-out and copy-in modes, enabling you to copy a directory tree from one location to another.
The copy-out and copy-in modes are named confusingly. Think of them as referring to copying out of or into the computer’s main directory tree, rather than the archive file.
In addition to the options used to select the mode, cpio accepts many other options, the most important of which are summarized in Table 4.3. To create an archive, you combine the --create (or -o) option with one or more of the options in Table 4.3; to restore data, you do the same, but you use --extract (or -i). In either case, cpio acts on filenames that you type at the console. In practice, you’ll probably use the redirection operator (<) to pass a filename list to the program.
TABLE 4.3 Options for use with cpio
Option                   Abbreviation  Description
--reset-access-time      -a            Resets the access time after reading a file so that it doesn’t appear to have been read.
--append                 -A            Appends data to an existing archive.
--pattern-file=filename  -E filename   Uses the contents of filename as a list of files to be extracted in copy-in mode.
--file=filename          -F filename   Uses filename as the cpio archive file; if this parameter is omitted, cpio uses standard input or output.
--format=format          -H format     Uses a specified format for the archive file. Common values for format include bin (the default, an old binary format), crc (a newer binary format with a checksum), and tar (the format used by tar).
N/A                      -I filename   Uses the specified filename instead of standard input. (Unlike -F, this option does not redirect output data.)
--no-absolute-filenames  N/A           In copy-in mode, extracts files relative to the current directory, even if filenames in the archive contain full directory paths.
N/A                      -O filename   Uses the specified filename instead of standard output. (Unlike -F, this option does not redirect input data.)
--list                   -t            Displays a table of contents for the input.
--unconditional          -u            Replaces all files without first asking for verification.
--verbose                -v            Displays filenames as they’re added to or extracted from the archive. When used with -t, displays additional listing information (similar to ls -l).
To use cpio to archive a directory, you must pass a list of files to the utility using standard input. You can do this with the find utility (described in more detail later in “The find Command”):
$ find ./my-work | cpio -o > /media/usb/my-work.cpio
The resulting archive file is uncompressed, though. To compress the data, you must include a compression utility, such as gzip, in the pipe:
$ find ./my-work | cpio -o | gzip > /media/usb/my-work.cpio.gz
Extracting data from an uncompressed cpio archive (say, on another computer with the media mounted at /media/usb) entails using the -i option, but no pipe is required:
$ cpio -i < /media/usb/my-work.cpio
If your cpio archive is compressed, you must first uncompress it with gunzip. By using the -c option to this command, you can pass its output to cpio in a pipe:
$ gunzip -c /media/usb/my-work.cpio.gz | cpio -i
To uncompress an archive compressed with bzip2, you would use bunzip2 -c in the pipe rather than gunzip -c. If the archive is compressed with xz, you would use unxz -c in the pipe.
The dd Utility
Sometimes you want to archive a filesystem at a very low level. For instance, you may want to create a representation of a CD-ROM that you can store on your hard disk or back up a filesystem that Linux can’t understand. To do so, you can use the dd program. This utility is a low-level copying program, and when you give it the device file for a partition as input, it copies that partition’s contents to the output file you specify. This output file can be another partition identifier, a tape device, or a regular file, to name three possibilities. The input and output files are passed with the if=file and of=file options:
# dd if=/dev/sda3 of=/dev/st0
This command backs up the /dev/sda3 disk partition to /dev/st0 (a SCSI tape drive). The result is a very low-level backup of the partition that can be restored by swapping the if= and of= options:
# dd if=/dev/st0 of=/dev/sda3
The dd utility can be a good way to create exact backups of entire partitions, but as a general backup tool, it has serious problems. It backs up the entire partition, including any empty space. For instance, a 2 GiB partition that holds just 5 MiB of files will require 2 GiB of storage space. Restoring individual files is also impossible unless the backup device is a random access device that can be mounted; if you back up to tape, you must restore everything (at least to a temporary file or partition) to recover a single file. Finally, you can’t easily restore data to a partition that’s smaller than the original partition; and when restoring to a larger partition, you’ll end up wasting some of the space available on that partition.
Despite these problems, dd can be handy in some situations. It can be a good way to make an exact copy of a removable disk (including an optical disc), for instance. You can use dd to copy a disk for which Linux lacks filesystem drivers. If you need to create multiple identical Linux installations, you can do so by using dd to copy a working installation to multiple computers, as long as they have hard disks the same size.
You can also use dd in some other capacities. For instance, if you need an empty file of a particular size, you can copy from the /dev/zero device (a Linux device that returns nothing but zeroes) to a target file. You’ll need to use the bs=size and count=length options to set the block size and length of the file, though:
$ dd if=/dev/zero of=empty-file.img bs=1024 count=720
This example creates a 720 KiB (1024 × 720 bytes) empty file. You might then manipulate this file by, for example, creating a filesystem on it with mkfs.
Backing Up Using Optical Media
Optical media require special backup procedures. Normally, cdrecord accepts input from a program like mkisofs, which creates an ISO-9660 or UDF filesystem—the type of filesystem that’s most often found on CD-ROMs and DVDs.
One option for backing up to optical discs is to use mkisofs and then cdrecord to copy files to the disc. If you copy files “raw” this way, though, you’ll lose some information, such as write permission bits. You’ll have better luck if you create a tar or cpio archive on disk. You can then use mkisofs to place that archive in an ISO-9660 or UDF filesystem and then burn the image file to the optical disc. The result will be a disc that you can mount and that will contain an archive you can read with tar or cpio.
A somewhat more direct option is to create an archive file and burn it directly to the optical disc using cdrecord, bypassing mkisofs. Such a disc won’t be mountable in the usual way, but you can access the archive directly by using the CD-ROM device file. On restoration, this works much like a tape restore except that you specify the optical device filename (such as /dev/cdrom) instead of the tape device filename (such as /dev/st0).
Managing Links
In Linux, a link is a way to give a file multiple identities, similar to shortcuts in Windows and aliases in Mac OS. Linux employs links to help make files more accessible, to give commands multiple names, to enable programs that look for the same files in different locations to access the same files, and so on. Two types of links exist: hard links and symbolic links (aka soft links). (Their differences are described in more detail shortly.) The ln command creates links. Its syntax is similar to that of cp:
ln [options] source link
The source is the original file, and the link is the name of the link you want to create. This command supports options that have several effects:
Remove Target Files: The -f or --force option causes ln to remove any existing links or files that have the target link name. The -i or --interactive option has a similar effect, but it queries you before replacing existing files and links.
Create Directory Hard Links: Ordinarily, you can’t create hard links to directories. The root user can attempt to do so, though, by passing the -d, -F, or --directory option to ln. (Symbolic links to directories aren’t a problem.) In practice, this feature is unlikely to work because most filesystems don’t support it.
Create a Symbolic Link: The ln command creates hard links by default. To create a symbolic link, pass the -s or --symbolic option to the command.
A few other options exist to perform more obscure tasks; consult ln’s man page for details.
By default, ln creates hard links, which are produced by creating two directory entries that point to the same file (more precisely, the same inode). Both filenames are equally valid and prominent; neither is a “truer” filename than the other, except that one was created first (when creating the file) and the other was created second. To delete the file, you must delete both hard links to the file. Because of the way hard links are created, they must exist on a single low-level filesystem; you can’t create a hard link from, say, your root (/) filesystem to a separate filesystem you’ve mounted on it, such as /home (if it’s a separate filesystem). The underlying filesystem must support hard links. All Linux-native filesystems support this feature, but some non-Linux filesystems don’t.
Symbolic links, by contrast, are special file types. The symbolic link is a separate file whose contents point to the linked-to file. Linux knows to access the linked-to file whenever you try to access the symbolic link, so in most respects accessing a symbolic link works just like accessing the original file. Because symbolic links are basically files that contain filenames, they can point across low-level filesystems—you can point from the root (/) filesystem to a file on a separate /home filesystem, for instance. The lookup process for accessing the original file from the link consumes a tiny bit of time, so symbolic link access is slower than hard link access—but not by enough that you’d notice in any but very bizarre conditions or artificial tests. Long directory listings show the linked-to file:
$ ls -l alink.odt
lrwxrwxrwx 1 rodsmith users 8 Dec 2 15:31 alink.odt -> test.odt
In practice, symbolic links are more common than hard links; their disadvantages are minor, and the ability to link across filesystems and to directories can be important. Linux employs links in certain critical system administration tasks. For instance, System V (SysV) startup scripts use symbolic links in runlevel directories, as described in Chapter 5, “Booting Linux and Editing Files.” Certain commands that have historically been known by multiple names are also often accessible via links. For example, the /sbin/fsck.ext2, /sbin/fsck.ext3, /sbin/fsck.ext4, and /sbin/e2fsck programs are usually links (hard links on some systems, symbolic links on others). You can often leave these links alone, but sometimes you must adjust them. Chapter 5 describes changing the SysV startup script links to affect what programs run when the system boots, for instance.
Directory Commands
Most of the commands that apply to files also apply to directories. In particular, ls, mv, touch, and ln all work with directories, with the caveats mentioned earlier. The cp command also works with directories, but only when you use a recursion option, such as -r. A couple of additional commands, mkdir and rmdir, enable you to create and delete directories, respectively.
The mkdir Command
The mkdir command creates a directory. This command’s official syntax is as follows:
mkdir [options] directory-name(s)
In most cases, mkdir is used without options, but a few are supported:
Set Mode: The -m mode or --mode=mode option causes the new directory to have the specified permission mode, expressed as an octal number. (The upcoming section “Understanding Permissions” describes permission modes.)
Create Parent Directories: Normally, if you specify the creation of a directory within a directory that doesn’t exist, mkdir responds with a No such file or directory error and doesn’t create the directory. If you include the -p or --parents option, though, mkdir creates the necessary parent directory.
The rmdir Command
The rmdir command is the opposite of mkdir; it destroys a directory. Its syntax is similar:
rmdir [options] directory-name(s)
Like mkdir, rmdir supports few options, the most important of which handle these tasks:
Ignore Failures on Non-empty Directories: Normally, if a directory contains files or other directories, rmdir doesn’t delete it and returns an error message. With the --ignore-fail-on-non-empty option, rmdir still doesn’t delete the directory, but it doesn’t return an error message.
Delete Tree: The -p or --parents option causes rmdir to delete an entire directory tree. For instance, typing rmdir -p one/two/three causes rmdir to delete one/two/three, then one/two, and finally one, provided no other files or directories are present.
When you’re deleting an entire directory tree filled with files, you should use rm -R rather than rmdir. This is because rm -R deletes files within the specified directory but rmdir doesn’t, so rmdir can’t do the job.
Managing File Ownership
Security is an important topic that cuts across many types of commands and Linux subsystems. In the case of files, security is built on file ownership and file permissions. These two topics are closely intertwined; ownership is meaningless without permissions that use it, and permissions rely on the existence of ownership.
Ownership is two-tiered: Each file has an individual owner and a group with which it’s associated (sometimes called the group owner, or simply the file’s group). Each group can contain an arbitrary number of users, as described in Chapter 7, “Administering the System.” The two types of ownership enable you to provide three tiers of permissions to control access to files: by the file’s owner, by the file’s group, and to all other users. The commands to manage these two types of ownership are similar, but they aren’t identical.
Assessing File Ownership
You can learn who owns a file with the ls command, which was described earlier. In particular, that command’s -l option produces a long listing, which includes both ownership and permission information:
$ ls -l
total 1141
-rw-r--r-- 1 rodsmith users 219648 Mar 8 13:06 4425ch02.doc
-rw-r--r-- 1 rodsmith users 942590 Mar 6 23:31 f0201.tif
This long listing includes the username of the owner (rodsmith for both files in this example) and the group name of the files’ groups (users for both files in this example). The permission string (-rw-r--r-- for both files in this example) is also important for file security, as described later in “Controlling Access to Files.”
In most cases, the usernames associated with files are the same as login usernames. Files can, however, be owned by accounts that aren’t ordinary login accounts. For instance, some servers have accounts of their own, and server-specific files may be owned by these accounts.
If you delete an account, as described in Chapter 7, the account’s files don’t vanish, but the account name does. Internally, Linux uses numbers rather than names, so you’ll see numbers in place of the username and group name in the ls output. Depending on the file, you may want to archive it, reassign ownership to an existing user, or delete it.
Changing a File’s Owner
Whenever a file is created, it’s assigned an owner. The superuser can change a file’s owner using the chown command, which has the following syntax:
chown [options] [newowner][:newgroup] filenames
As you might expect, the newowner and newgroup variables are the new owner and group for the file; you can provide both or omit either, but you can’t omit both. For instance, suppose you want to give ownership of a file to sally and the skyhook group:
# chown sally:skyhook forward.odt
Linux’s chown command accepts a dot (.) in place of a colon (:) to delimit the owner and group, at least as of the core file utilities version 8.14. The use of a dot has been deprecated, though, meaning that the developers favor the alternative and may eventually eliminate the use of a dot as a feature.
You can use several options with chown, most of which are fairly obscure. One that’s most likely to be useful is -R or --recursive, which implements the ownership change on an entire directory tree. Consult the man page for chown for information about additional options.
Only root may use the chown command to change the ownership of files. If an ordinary user tries to use it, the result is an Operation not permitted error message. Ordinary users may, however, use chown to change the group of files that they own, provided that the users belong to the target group.
Changing a File’s Group
Both root and ordinary users may run the chgrp command, which changes a file’s group. (Ordinary users may only change a file’s group to a group to which the user belongs.) This command’s syntax is similar to, but simpler than, that of chown:
chgrp [options] newgroup filenames
The chgrp command accepts many of the same options as chown, including -R or --recursive. In practice, chgrp provides a subset of the chown functionality.
Controlling Access to Files
The bulk of the complexity in file ownership and permissions is on the permissions end of things. Linux’s system of permissions is moderately complex, so understanding how it works is critical to any manipulation of permissions. With the basic information in hand, you can tackle the commands used to change file permissions.
Understanding Permissions
Linux permissions are fairly complex. In addition to providing access control for files, a few special permission bits exist, which provide some unusual features.
The Meanings of Permission Bits
Consider the following file access control string that’s displayed with the -l option to ls:
$ ls -l test
-rwxr-xr-x 1 rodsmith users 111 Apr 13 13:48 test
This string (-rwxr-xr-x in this example) is 10 characters long. The first character has special meaning—it’s the file type code. The type code determines how Linux will interpret the file—as ordinary data, a directory, or a special file type. Table 4.4 summarizes Linux type codes.
TABLE 4.4 Linux file type codes
Code  Meaning
-     Normal data file; may be text, an executable program, graphics, compressed data, or just about any other type of data.
d     Directory; disk directories are files just like any others, but they contain filenames and pointers to disk inodes.
l     Symbolic link; the file contains the name of another file or directory. When Linux accesses the symbolic link, it tries to read the linked-to file.
p     Named pipe; a pipe enables two running Linux programs to communicate with each other. One opens the pipe for reading, and the other opens it for writing, enabling data to be transferred between the programs.
s     Socket; a socket is similar to a named pipe, but it permits network and bidirectional links.
b     Block device; a file that corresponds to a hardware device to and from which data is transferred in blocks of more than one byte. Disk devices (hard disks, floppies, CD-ROMs, and so on) are common block devices.
c     Character device; a file that corresponds to a hardware device to and from which data is transferred in units of one byte. Examples include parallel port, RS-232 serial port, and audio devices.
The remaining nine characters of the permission string (rwxr-xr-x in the example) are broken up into three groups of three characters, as illustrated in Figure 4.1. The first group controls the file owner’s access to the file, the second controls the group’s access to the file, and the third controls all other users’ access to the file (often referred to as world permissions).
FIGURE 4.1 The main Linux permission options are encoded in 10 bits, the last 9 of which are grouped into three groups of 3 bits each.
In each of these three cases, the permission string determines the presence or absence of each of three types of access: read, write, and execute. Read and write permissions are fairly self-explanatory, at least for ordinary files. If the execute permission is present, it means that the file may be run as a program. (Of course, this doesn’t turn a non-program file into a program; it only means that a user may run a file if it’s a program. Setting the execute bit on a non-program file will probably cause no real harm, but it could be confusing.) The absence of the permission is denoted by a dash (-) in the permission string. The presence of the permission is indicated by a letter—r for read, w for write, or x for execute.
Thus, the example permission string rwxr-xr-x means that the file’s owner, members of the file’s group, and all other users can read and execute the file. Only the file’s owner has write permission to the file. You can easily exclude those who don’t belong to the file’s group, or even all but the file’s owner, by changing the permission string, as described in “Changing a File’s Mode” later in this chapter.
Individual permissions, such as execute access for the file’s owner, are often referred to as permission bits. This is because Linux encodes this information in binary form. Because it’s binary, the permission information can be expressed as a single 9-bit number. This number is usually expressed in octal (base 8) form because a base-8 number is 3 bits in length, which means that the base-8 representation of a permission string is three characters long, one character for each of the owner, group, and world permissions. The read, write, and execute permissions each correspond to one of these bits. The result is that you can determine owner, group, or world permissions by adding base-8 numbers: 1 for execute permission, 2 for write permission, and 4 for read permission.
Table 4.5 shows some examples of common permissions and their meanings. This table is necessarily incomplete; with 9 permission bits, the total number of possible permissions is 2^9, or 512. Most of those possibilities are peculiar, and you’re not likely to encounter or create them except by accident.
TABLE 4.5 Example permissions and their likely uses
Permission string  Octal code  Meaning
rwxrwxrwx          777         Read, write, and execute permissions for all users.
rwxr-xr-x          755         Read and execute permission for all users. The file’s owner also has write permission.
rwxr-x---          750         Read and execute permission for the owner and group. The file’s owner also has write permission. Users who aren’t the file’s owner or members of the group have no access to the file.
rwx------          700         Read, write, and execute permissions for the file’s owner only; all others have no access.
rw-rw-rw-          666         Read and write permissions for all users. No execute permissions for anybody.
rw-rw-r--          664         Read and write permissions for the owner and group. Read-only permission for all others.
rw-rw----          660         Read and write permissions for the owner and group. No world permissions.
rw-r--r--          644         Read and write permissions for the owner. Read-only permission for all others.
rw-r-----          640         Read and write permissions for the owner, and read-only permission for the group. No permission for others.
rw-------          600         Read and write permissions for the owner. No permission for anybody else.
r--------          400         Read permission for the owner. No permission for anybody else.
Execute permission makes sense for ordinary files, but it’s meaningless for most other file types, such as device files. Directories, though, use the execute bit another way. When a directory’s execute bit is set, that means that the directory’s contents may be searched. This is a highly desirable characteristic for directories, so you’ll almost never find a directory on which the execute bit is not set in conjunction with the read bit.
Directories can be confusing with respect to write permission. Recall that directories are files that are interpreted in a special way. As such, if a user can write to a directory, that user can create, delete, or rename files in the directory, even if the user isn’t the owner of those files and does not have permission to write to those files. You can use the sticky bit (described shortly, in “Special Permission Bits”) to alter this behavior.
Symbolic links are unusual with respect to permissions. This file type always has 777 (rwxrwxrwx) permissions, thus granting all users full access to the file. This access applies only to the link file itself, however, not to the linked-to file. In other words, all users can read the contents of the link to discover the name of the file to which it points, but the permissions on the linked-to file determine its file access. Changing the permissions on a symbolic link affects the linked-to file.
Many of the permission rules don’t apply to root. The superuser can read or write any file on the computer—even files that grant access to nobody (that is, those that have 000 permissions). The superuser still needs an execute bit to be set to run a program file, but the superuser has the power to change the permissions on any file, so this limitation isn’t very substantial. Some files may be inaccessible to root, but only because of an underlying restriction—for instance, even root can’t access a hard disk that’s not installed in the computer.
Special Permission Bits
A few special permission options are also supported, and they may be indicated by changes to the permission string:
Set User ID (SUID): The set user ID (SUID) option is used in conjunction with executable files, and it tells Linux to run the program with the permissions of whoever owns the file rather than with the permissions of the user who runs the program. For instance, if a file is owned by root and has its SUID bit set, the program runs with root privileges and can therefore read any file on the computer. Some servers and other system programs run this way, which is often called SUID root. SUID programs are indicated by an s in the owner’s execute bit position in the permission string, as in rwsr-xr-x.
Set Group ID (SGID): The set group ID (SGID) option is similar to the SUID option, but it sets the group of the running program to the group of the file. It’s indicated by an s in the group execute bit position in the permission string, as in rwxr-sr-x. When the SGID bit is set on a directory, new files or subdirectories created in the original directory will inherit the group ownership of the directory, rather than be based on the user’s current default group.
Sticky Bit: The sticky bit has changed meaning during the course of Unix history. In modern Linux implementations (and most modern versions of Unix), it’s used to protect files from being deleted by those who don’t own the files. When this bit is present on a directory, the directory’s files can be deleted only by their owners, the directory’s owner, or root. The sticky bit is indicated by a t in the world execute bit position, as in rwxr-xr-t.
These special permission bits all have security implications. SUID and SGID programs (and particularly SUID root programs) are potential security risks. Although some programs must have their SUID bits set to function properly, most don’t, and you shouldn’t set these bits unless you’re certain that doing so is necessary. The sticky bit isn’t dangerous this way, but because it affects who may delete files in a directory, you should consider its effect—or the effect of not having it—on directories to which many users should have write access, such as /tmp. Typically, such directories have their sticky bits set.
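One way to review these bits on a directory tree, as an added example rather than the book’s own material: a find-based audit that reports SUID and SGID files and world-writable directories that lack the sticky bit. The function names and the temporary demo tree are constructed for illustration.

```shell
#!/bin/sh
# audit_special_bits DIR: report the special permission bits found under DIR.
#   SUID <path>      regular file with the set-user-ID bit (octal 4000)
#   SGID <path>      regular file with the set-group-ID bit (octal 2000)
#   NOSTICKY <path>  world-writable directory without the sticky bit (1000)
# -xdev keeps find on the filesystem that DIR lives on.
audit_special_bits() {
    {
        find "$1" -xdev -type f -perm -4000 -print | sed 's/^/SUID /'
        find "$1" -xdev -type f -perm -2000 -print | sed 's/^/SGID /'
        find "$1" -xdev -type d -perm -0002 ! -perm -1000 -print |
            sed 's/^/NOSTICKY /'
    } | sort
}

# build_demo_tree: create a constructed tree in a temporary directory and
# print its path. Nothing outside that directory is touched.
build_demo_tree() {
    demo=$(mktemp -d) || return 1
    touch "$demo/plain" "$demo/helper"
    chmod 0644 "$demo/plain"
    chmod 4755 "$demo/helper"     # SUID; the owner is whoever runs the demo
    mkdir "$demo/shared" "$demo/drop"
    chmod 1777 "$demo/shared"     # world-writable with sticky bit, like /tmp
    chmod 0777 "$demo/drop"       # world-writable, sticky bit missing
    echo "$demo"
}

demo_dir=$(build_demo_tree)
audit_special_bits "$demo_dir"    # reports drop (NOSTICKY) and helper (SUID)
rm -rf "$demo_dir"
```

Comparing the output of such an audit against a saved baseline shows when a new SUID or SGID file appears.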
Using ACLs
Unix-style permissions have served Linux well since its creation and are emphasized on the exam, but a new and improved permission system is now available. An access control list (ACL) is a list of users or groups and the permissions they’re given. Linux ACLs, like Linux owner, group, and world permissions, consist of three permission bits, one each for read, write, and execute permissions. The file’s owner can assign ACLs to an arbitrary number of users and groups, making ACLs more flexible than Linux permissions, which are limited to groups defined by the system administrator.
ACLs require support in the underlying filesystem. All the major Linux filesystems now support ACLs, but you may need to recompile your kernel (or at least the relevant kernel module) to activate this support.
ACLs require their own commands to set and view. The setfacl command sets an ACL, and the getfacl command displays the ACLs for a file. Consult these commands’ man pages for more information.
Changing a File’s Mode
You can modify a file’s permissions using the chmod command. This command may be issued in many different ways to achieve the same effect. Its basic syntax is as follows:
chmod [options] [mode[,mode...]] filename...
The chmod options are similar to those of chown and chgrp. In particular, --recursive (or -R) changes all the files in a directory tree.
Most of the complexity of chmod comes in the specification of the file’s mode. You can specify the mode in two basic forms: as an octal number or as a symbolic mode, which is a set of codes related to the string representation of the permissions.
The octal representation of the mode is the same as that described earlier and summarized in Table 4.5. For instance, to change permissions on report.tex to rw-r--r--, you can issue the following command:
$ chmod 644 report.tex
In addition, you can precede the three digits for the owner, group, and world permissions with another digit that sets special permissions. Three bits are supported (and hence they have values between 0 and 7): adding 4 sets the set user ID (SUID) bit, adding 2 sets the set group ID (SGID) bit, and adding 1 sets the sticky bit. If you omit the first digit (as in the preceding example), Linux clears all three bits. Using four digits causes the first to be interpreted as the special permissions code.
For instance, suppose you’ve acquired a script called bigprogram. You want to set both SUID and SGID bits (6); to make the program readable, writeable, and executable by the owner (7); to make it readable and executable by the group (5); and to make it completely inaccessible to all others (0). The following commands illustrate how to do this; note the difference in the mode string before and after executing the chmod command:
$ ls -l bigprogram
-rw-r--r-- 1 rodsmith users 10323 Oct 31 18:58 bigprogram
$ chmod 6750 bigprogram
$ ls -l bigprogram
-rwsr-s--- 1 rodsmith users 10323 Oct 31 18:58 bigprogram
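The octal encoding, including the leading special-permission digit, can be checked with a small converter. This is an added example, not code from the book; mode_string and mode_octal are hypothetical helper names, and the uppercase S or T printed when a special bit is set without the matching execute bit follows the ls convention.

```shell
#!/bin/sh
# triplet DIGIT SPECIAL LOWER UPPER: print rwx for one octal digit. When
# SPECIAL is non-zero, the execute position shows LOWER (execute also set)
# or UPPER (execute not set).
triplet() {
    d=$1; r=-; w=-; x=-
    if [ $((d & 4)) -ne 0 ]; then r=r; fi
    if [ $((d & 2)) -ne 0 ]; then w=w; fi
    if [ $((d & 1)) -ne 0 ]; then x=x; fi
    if [ "$2" -ne 0 ]; then
        if [ "$x" = x ]; then x=$3; else x=$4; fi
    fi
    printf '%s%s%s' "$r" "$w" "$x"
}

# mode_string OCTAL: three- or four-digit octal mode -> nine-character string.
mode_string() {
    m=$1; sp=0
    case $m in
        [0-7][0-7][0-7]) ;;
        [0-7][0-7][0-7][0-7]) sp=${m%???}; m=${m#?} ;;
        *) echo "invalid octal mode: $1" >&2; return 1 ;;
    esac
    u=${m%??}; g=${m#?}; g=${g%?}; o=${m#??}
    triplet "$u" $((sp & 4)) s S      # 4 = SUID, shown in the owner triplet
    triplet "$g" $((sp & 2)) s S      # 2 = SGID, shown in the group triplet
    triplet "$o" $((sp & 1)) t T      # 1 = sticky, shown in the world triplet
    echo
}

# mode_octal STRING: nine-character string -> four-digit octal mode.
# Only the length is validated; the characters are taken at face value.
mode_octal() {
    s=$1
    [ ${#s} -eq 9 ] || { echo "need nine characters: $1" >&2; return 1; }
    sp=0; digits=
    for weight in 4 2 1; do
        chunk=${s%"${s#???}"}; s=${s#???}     # peel off the next three chars
        d=0
        case $chunk in r??) d=$((d + 4)) ;; esac
        case $chunk in ?w?) d=$((d + 2)) ;; esac
        case $chunk in ??[xst]) d=$((d + 1)) ;; esac
        case $chunk in ??[sStT]) sp=$((sp + weight)) ;; esac
        digits=$digits$d
    done
    echo "$sp$digits"
}

mode_string 6750        # the bigprogram mode from the text
mode_octal rwsr-s---
```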
A symbolic mode, by contrast, consists of three components: a code indicating the permission set you want to modify (the owner, the group, and so on); a symbol indicating whether you want to add, delete, or set the mode equal to the stated value; and a code specifying what the permission should be. Table 4.6 summarizes all these codes. Note that these codes are all case-sensitive.
TABLE 4.6 Codes used in symbolic modes
To use symbolic permission settings, you combine one or more of the codes from the first column of Table 4.6 with one symbol from the third column and one or more codes from the fifth column. You can combine multiple settings by separating them with commas. Table 4.7 provides some examples of chmod using symbolic permission settings.
TABLE 4.7 Examples of symbolic permissions with chmod
Command                      Initial permissions   End permissions
chmod a+x bigprogram         rw-r--r--             rwxr-xr-x
chmod ug=rw report.tex       r--------             rw-rw----
chmod o-rwx bigprogram       rwxrwxr-x             rwxrwx---
chmod g=u report.tex         rw-r--r--             rw-rw-r--
chmod g-w,o-rw report.tex    rw-rw-rw-             rw-r-----
As a general rule, symbolic permissions are most useful when you want to make a simple change (such as adding execute or write permissions to one or more classes of users) or when you want to make similar changes to many files without affecting their other permissions (for instance, adding write permissions without affecting execute permissions). Octal permissions are most useful when you want to set a specific absolute permission, such as rw-r--r-- (644). In any event, a system administrator should be familiar with both methods of setting permissions.
A file’s owner and root are the only users who may adjust a file’s permissions. Even if other users have write access to a directory in which a file resides and write access to the file itself, they may not change the file’s permissions (but they may modify or even delete the file). To understand why this is so, you need to know that the file permissions are stored as part of the file’s inode, which isn’t part of the directory entry. Read/write access to the directory entry, or even the file itself, doesn’t give a user the right to change the inode structures (except indirectly—for instance, if a write changes the file’s size or a file deletion eliminates the need for the inode).
In Exercise 4.1, you’ll experiment with the effect of Linux ownership and permissions on file accessibility.
EXERCISE 4.1 Modifying Ownership and Permissions
During this exercise, you’ll need to use three accounts: root and two user accounts, each in a different group. To study these effects, follow these steps:
1. Log in three times using three virtual terminals: once as root, once as user1, and once as user2. (Use usernames appropriate for your system, though. Be sure that user1 and user2 are in different groups.) If you prefer, instead of using virtual terminals, you can open three xterm windows in an X session and use su to acquire each user’s privileges.
2. As root, create a scratch directory—say, /tmp/scratch. Type mkdir /tmp/scratch.
3. As root, give all users read and write access to the scratch directory by typing chmod 0777 /tmp/scratch.
4. In the user1 and user2 login sessions, change to the scratch directory by typing cd /tmp/scratch.
5. As user1, copy a short text file to the scratch directory using cp, as in cp /etc/fstab ./testfile.
6. As user1, set 0644 (-rw-r--r--) permissions on the file by typing chmod 0644 testfile. Type ls -l, and verify that the permission string in the first column matches this value (-rw-r--r--).
7. As user2, try to access the file by typing cat testfile. The file should appear on the screen.
8. As user2, try to change the name of the file by typing mv testfile changedfile. The system won’t produce any feedback, but if you type ls, you’ll see that the file’s name has changed. Note that user2 doesn’t own the file but can rename it because user2 can write to the directory in which the file resides.
9. As user2, try to change the mode of the file by typing chmod 0600 changedfile. The system should respond with an Operation not permitted error because only the file’s owner may change its permissions.
10. As user2, try to delete the file by typing rm changedfile. Depending on your configuration, the system may or may not ask for verification, but it should permit the deletion. This is true despite the fact that user2 doesn’t own the file because user2 can write to the directory in which the file resides.
11. As user1, repeat step 5 to re-create the test file.
12. As user1, give the file more restrictive permissions by typing chmod 0640 testfile. Typing ls -l should reveal permissions of -rw-r-----, meaning that the file’s owner can read and write the file, members of the file’s group can read it, and other users are given no access.
13. As user2, repeat steps 7-10. The cat operation should fail with a Permission denied error, but steps 8-10 should produce the same results as they did the first time around. (If the cat operation succeeded, then either user2 belongs to the file’s group or the file’s mode is set incorrectly.)
14. Log out of the user1 and user2 accounts.
15. As root, type rm -r /tmp/scratch to delete the scratch directory and its contents.
If you like, you can perform tests with more file permission modes and other file-manipulation commands before step 14.
Setting the Default Mode and Group
When a user creates a file, that file has default ownership and permissions. The default owner is, understandably, the user who created the file. The default group is the user’s primary group. The default permissions are configurable. These are defined by the user mask (umask), which is set by the umask command. This command takes as input an octal value that represents the bits to be removed from 777 permissions for directories, or from 666 permissions for files, when a new file or directory is created. Table 4.8 summarizes the effect of several possible umask values.
TABLE 4.8 Sample umask values and their effects
Umask   Created files     Created directories
000     666 (rw-rw-rw-)   777 (rwxrwxrwx)
002     664 (rw-rw-r--)   775 (rwxrwxr-x)
022     644 (rw-r--r--)   755 (rwxr-xr-x)
027     640 (rw-r-----)   750 (rwxr-x---)
077     600 (rw-------)   700 (rwx------)
277     400 (r--------)   500 (r-x------)
Note that the umask isn’t a simple subtraction from the values of 777 or 666; it’s a bit-wise removal. Any bit that’s set in the umask is removed from the final permission for new files, but if a bit isn’t set (as in the execute bit in ordinary files), its specification in the umask doesn’t do any harm. For instance, consider the 7 values in several entries of Table 4.8’s Umask column. This corresponds to a binary value of 111. An ordinary file might have rw- (110) permissions, but applying the umask’s 7 (111) eliminates 1 values but doesn’t touch 0 values, thus producing a (binary) 000 value—that is, --- permissions, expressed symbolically.
Ordinary users can enter the umask command to change the permissions on new files they create. The superuser can also modify the default setting for all users by modifying a system configuration file. Typically, /etc/profile contains one or more umask commands. Setting the umask in /etc/profile may or may not have an effect because it can be overridden at other points, such as a user’s own configuration files. Nonetheless, setting the umask in /etc/profile or other system files can be a useful procedure if you want to change the default system policy. Most Linux distributions use a default umask of 002 or 022.
To find what the current umask is, type umask alone, without any parameters. Typing umask -S produces the umask expressed symbolically rather than in octal form. You may also specify a umask in this way when you want to change it, but in this case, you specify the bits that you do want set. For instance, umask u=rwx,g=rx,o=rx is equivalent to umask 022.
In addition to setting the default mask with umask, users can change their default group with newgrp, as in newgrp skyhook to create new files with the group set to the skyhook group. To use this command, the user must be a member of the specified group. The newgrp command also accepts the -l parameter, as in newgrp -l skyhook, which reinitializes the environment as if the user had just logged in.
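The bit-wise removal described above can be checked against what the kernel actually does. The following script is an added example, not part of the original text; the function names predicted_mode and observed_mode are made up for it, and it assumes GNU stat (for stat -c) and mktemp.

```shell
#!/bin/sh
# Added example: a umask clears bits (base & ~umask); it does not subtract.
# Assumes GNU coreutils stat. Function names are illustrative only.

# predicted_mode BASE UMASK
# Prints the octal mode left after clearing every bit set in UMASK.
# BASE is 666 for ordinary files and 777 for directories.
predicted_mode() {
    printf '%03o\n' $(( 0$1 & ~0$2 ))
}

# observed_mode KIND UMASK
# Creates a new file (KIND=f) or directory (KIND=d) under UMASK inside a
# scratch directory and prints the mode it really received. UMASK may be
# octal (027) or symbolic (u=rwx,g=rx,o=rx). Runs in a subshell so the
# caller's own umask is left alone.
observed_mode() {
    (
        tmp=$(mktemp -d) || exit 1
        umask "$2"
        if [ "$1" = d ]; then
            mkdir "$tmp/new"
        else
            : > "$tmp/new"
        fi
        stat -c '%a' "$tmp/new"
        rm -rf "$tmp"
    )
}

# Reproduce Table 4.8. Decimal subtraction would give 666 - 027 = 639 and
# 666 - 277 = 389, neither of which is the mode actually assigned.
for m in 000 002 022 027 077 277; do
    printf 'umask %s: files %s (observed %s), directories %s (observed %s)\n' \
        "$m" \
        "$(predicted_mode 666 "$m")" "$(observed_mode f "$m")" \
        "$(predicted_mode 777 "$m")" "$(observed_mode d "$m")"
done

# The symbolic form names the bits to keep, so this matches umask 022.
printf 'umask u=rwx,g=rx,o=rx: files %s\n' "$(observed_mode f u=rwx,g=rx,o=rx)"
```
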
Changing File Attributes
Some filesystems support attributes in addition to those described in the preceding sections. In particular, some Linux-native filesystems support several attributes that you can adjust with the chattr command:
Append Only: The a attribute sets append mode, which disables write access to the file except for appending data. This can be a security feature to prevent accidental or malicious changes to files that record data, such as log files.
Compressed: The c attribute causes the kernel to automatically compress data written to the file and uncompress it when it’s read back.
Immutable: The i flag makes a file immutable, which goes a step beyond simply disabling write access to the file. The file can’t be deleted, links to it can’t be created, and the file can’t be renamed.
Data Journaling: The j flag tells the kernel to journal all data written to the file. This improves recoverability of data written to the file after a system crash but can slow performance. This flag has no effect on ext2 filesystems.
Secure Deletion: Ordinarily, when you delete a file its directory entry is removed and its inode is marked as being available for recycling. The data blocks that make up the bulk of the file aren’t erased. Setting the s flag changes this behavior; when the file is deleted, the kernel zeros its data blocks, which may be desirable for files that contain sensitive data.
No Tail-Merging: Tail-merging is a process in which small pieces of data at the ends of files that don’t fill a complete block are merged with similar pieces of data from other files. The result is reduced disk space consumption, particularly when you store many small files rather than a few big ones. Setting the t flag disables this behavior, which is desirable if the filesystem will be read by certain non-kernel drivers, such as those that are part of the Grand Unified Boot Loader (GRUB).
No Access Time Updates: If you set the A attribute, Linux won’t update the access time stamp when you access a file. This can reduce disk input/output, which is particularly helpful for saving battery life on laptops.
This list of attributes is incomplete but includes the most useful options; consult the man page for chattr for more flags. You set the options you want using the minus (-), plus (+), or equal (=) symbol to remove an option from an existing set, add an option to an existing set, or set a precise set of options (overwriting any that already exist), respectively. For instance, to add the immutable flag to the important.txt file, you enter the following command:
# chattr +i important.txt
The result is that you’ll be unable to delete the file, even as root. To delete the file, you must first remove the immutable flag:
# chattr -i important.txt
Managing Disk Quotas
Just one user of a multi-user system can cause serious problems for others by consuming too much disk space. If a single user creates huge files (say, multimedia recordings), those files can use enough disk space to prevent other users from creating their own files. To help manage this situation, Linux supports disk quotas—limits, enforced by the OS, on how many files or how much disk space a single user may consume. The Linux quota system supports quotas both for individual users and for Linux groups.
Enabling Quota Support
Quotas require support in both the kernel for the filesystem being used and various user-space utilities. The ext2fs, ext3fs, ReiserFS, JFS, and XFS filesystems support quotas, but this support is missing for some filesystems in early 2.6.x kernels. Try using the latest kernel if you have problems with your preferred filesystem. You must explicitly enable support via the Quota Support kernel option in the filesystem area when recompiling your kernel. Most distributions ship with this support enabled, so recompiling your kernel may not be necessary, but you should be aware of this option if you recompile your kernel.
Two general quota support systems are available for Linux. The first was used through the 2.4.x kernels and is referred to as the quota v1 support. The second was added with the 2.6.x kernel series and is referred to as the quota v2 system. This description applies to the latter system, but the former works in a similar way.
Outside of the kernel, you need support tools to use quotas. For the quota v2 system, this package is usually called quota, and it installs a number of utilities, configuration files, system startup scripts, and so on.
You can install the support software from source code, if you like; however, this job is handled most easily using a package for your distribution. This description assumes that you install the software in this way. If you don’t, you may need to create startup scripts to initialize the quota support when you boot your computer. The Quota Mini-HOWTO, at http://en.tldp.org/HOWTO/Quota.html, provides details of how to do this.
You must modify your /etc/fstab entries for any partitions on which you want to use quota support. In particular, you must add the usrquota filesystem mount option to employ user quotas and the grpquota option to use group quotas. Entries that are so configured resemble the following:
/dev/sdc5 /home ext3 usrquota,grpquota 1 1
This line activates both user and group quota support for the /dev/sdc5 partition, which is mounted at /home. Of course, you can add other options if you like.
Depending on your distribution, you may need to configure the quota package’s system startup scripts to run when the system boots. Chapter 5 describes startup script management in detail. Typically, you’ll type a command such as chkconfig quota on, but you should check on the SysV scripts installed by your distribution’s quota package. Some distributions require the use of commands other than chkconfig to do this task, as described in Chapter 5. Whatever its details, this startup script runs the quotaon command, which activates quota support.
After installing software and making configuration file changes, you must activate the systems. The simplest way to do this is to reboot the computer, and this step is necessary if you had to recompile your kernel to add quota support directly into the kernel. If you didn’t do this, you should be able to get by with less disruptive measures: using modprobe to install the kernel module, if necessary; running the startup script for the quota tools; and remounting the filesystems on which you intend to use quotas by typing mount -o remount /mount-point, where /mount-point is the mount point in question.
Setting Quotas for Users
At this point, quota support should be fully active on your computer, but the quotas themselves aren’t set. You can set the quotas by using edquota, which starts the Vi editor (described in Chapter 1, “Exploring Linux Command-Line Tools”) on a temporary configuration file (/etc/quotatab) that controls quotas for the user you specify. When you exit the utility, edquota uses the temporary configuration file to write the quota information to low-level disk data structures that control the kernel’s quota mechanisms. For instance, you might type edquota sally to edit sally’s quotas. The contents of the editor show the current quota information:
Disk quotas for user sally (uid 21810):
  Filesystem    blocks     soft     hard   inodes   soft   hard
  /dev/sdc4      97104  1048576  1048576     1242      0      0
The temporary configuration file provides information about both the number of disk blocks in use and the number of inodes in use. (Each file or symbolic link consumes a single inode, so the inode limits are effectively limits on the number of files a user may own. Disk blocks vary in size depending on the filesystem and filesystem creation options, but they typically range from 512 bytes to 8 KiB.) Changing the use information (under the blocks and inodes columns) has no effect; these columns report how many blocks or inodes the user is actually consuming. You can alter the soft and hard limits for both blocks and inodes. The hard limit is the maximum number of blocks or inodes that the user may consume; the kernel won’t permit a user to surpass these limits. Soft limits are somewhat less stringent; users may temporarily exceed soft limit values, but when they do so, the system issues warnings. Soft limits also interact with a grace period; if the soft quota limit is exceeded for longer than the grace period, the kernel begins treating it like a hard limit and refuses to allow the user to create more files. You can set the grace period by using edquota with its -t option, as in edquota -t. Grace periods are set on a per-filesystem basis rather than a per-user basis. Setting a limit to 0 (as in the inode limits in the preceding example) eliminates the use of quotas for that value; users may consume as much disk space or create as many files as they like, up to the available space on the filesystem.
When using edquota, you can adjust quotas independently for every filesystem for which quotas are enabled and separately for every user or group. (To edit quotas for a group, use the -g option, as in edquota -g users to adjust quotas for the users group.)
A few more quota-related commands are useful. The first is quotacheck, which verifies and updates quota information on quota-enabled disks. This command is normally run as part of the quota package’s startup script, but you may want to run it periodically (say, once a week) as a cron job. (Chapter 7 describes cron jobs.) Although theoretically not necessary if everything works correctly, quotacheck ensures that quota accounting doesn’t become inaccurate. The second useful auxiliary quota command is repquota, which summarizes the quota information about the filesystem you specify or on all filesystems if you pass it the -a option. This tool can be very helpful in keeping track of disk usage. The quota command has a similar effect. The quota tool takes a number of options that modify its output. For instance, -g displays group quotas, -l omits NFS mounts, and -q limits output to filesystems on which usage is over the limit. Consult quota’s man page for still more obscure options.
Locating Files
Maintaining your filesystems in perfect health, setting permissions, and so on is pointless if you can’t find your files. For this reason, Linux provides several tools to help you locate the files you need to use. The first of these tools is actually a standard for where files are located; with the right knowledge, you may be able to find files without the use of any specialized programs. The second class of tools includes just such specialized programs, which search a directory tree or a database for files that meet whatever criteria you specify.
The FHS
Linux’s placement of files is derived from more than 40 years of Unix history. Given that fact, the structure is remarkably simple and coherent, but it’s easy for a new administrator to become confused. Some directories seem, on the surface, to fulfill similar or even identical roles, but in fact there are subtle but important differences. This section describes the Linux directory layout standards and presents an overview of what goes where.
The FSSTND and FHS
Although Linux draws heavily on Unix, Unix’s long history has led to numerous splits and variants, starting with the Berkeley Standard Distribution (BSD), which was originally a set of patches and extensions to AT&T’s original Unix code. As a result of these schisms within the Unix community, early Linux distributions didn’t always follow identical patterns. The result was a great deal of confusion. This problem was quite severe early in Linux’s history, and it threatened to split the Linux community into factions. Various measures were taken to combat this problem, one of which was the development of the Filesystem Standard (FSSTND), which was first released in early 1994. The FSSTND standardized several specific features, such as the following:
- Standardized the programs that reside in /bin and /usr/bin. Differences on this score caused problems when scripts referred to files in one location or the other.
- Specified that executable files shouldn’t reside in /etc, as had previously been common.
- Removed changeable files from the /usr directory tree, enabling it to be mounted read-only (a useful security measure).
There have been three major versions of FSSTND: 1.0, 1.1, and 1.2. FSSTND began to rein in some of the chaos in the Linux world in 1994. By 1995, however, FSSTND’s limitations were becoming apparent. Thus, a new standard was developed: the Filesystem Hierarchy Standard (FHS). This new standard is based on FSSTND but extends it substantially. The FHS is more than a Linux standard; it may be used to define the layout of files on other Unix-like OSs.
One important distinction made by the FHS is that between shareable files and unshareable files. Shareable files may be reasonably shared between computers, such as user data files and program binary files. (Of course, you don’t need to share such files, but you may do so.) If files are shared, they’re normally shared through an NFS server. Unshareable files contain system-specific information, such as configuration files. For instance, you’re not likely to want to share a server’s configuration file between computers.
A second important distinction used in the FHS is that between static files and variable files. The former don’t normally change except through direct intervention by the system administrator. Most program executables are examples of static files. Variable files may be changed by users, automated scripts, servers, or the like. For instance, users’ home directories and mail queues are composed of variable files. The FHS tries to isolate each directory into one cell of this 2 × 2 (shareable/unshareable × static/variable) matrix. Figure 4.2 illustrates these relationships. Some directories are mixed, but in these cases, the FHS tries to specify the status of particular subdirectories. For instance, /var is variable, and it contains some shareable and some unshareable subdirectories, as shown in Figure 4.2.
FIGURE 4.2 The FHS attempts to fit each important directory in one cell of a 2 × 2 matrix.
Like the FSSTND, the FHS comes in numbered versions. Version 2.3, the latest version as I write, was released in January 2004. The URL for FHS’s official Web page is http://www.pathname.com/fhs/.
Some Linux vendors—most notably Fedora—are beginning to make changes that deviate from the FHS. For instance, Fedora 17 and later now place all binaries in /usr/bin and /usr/sbin. The /bin directory is now a symbolic link to /usr/bin, and /sbin is a symbolic link to /usr/sbin. This layout complicates some types of configurations, such as those that require a separate /usr partition.
Important Directories and Their Contents
The FHS defines some directories very precisely, but details for others are left unresolved. For instance, users’ files normally go in the /home directory, but you may have reason to call this something else or to use two or more separate directories for users’ files. Overall, the most common directories defined by the FHS or used by convention are the following:
/: Every Linux filesystem traces its roots to a single directory, known as / (pronounced, and often referred to, as the root filesystem or root directory). All other directories branch off this one. Linux doesn’t use drive letters; instead, every filesystem is mounted at a mount point within another partition (/ or something else). Certain critical subdirectories, such as /etc and /sbin, must reside on the root partition, but others can optionally be on separate partitions. Don’t confuse the root directory with the /root directory, described shortly.
/boot: The /boot directory contains static and unshareable files related to the initial booting of the computer. Higher-level startup and configuration files reside in another directory, /etc. Some systems impose particular limits on /boot. For instance, older x86 BIOSs and older versions of the Linux Loader (LILO) may require that /boot reside below the 1,024th cylinder of the hard disk. Similarly, some EFI boot methods work best with a separate /boot partition that uses ext2fs or ReiserFS. These requirements sometimes, but not always, necessitate that the /boot directory be a separate partition.
/bin: This directory contains certain critical executable files, such as ls, cp, and mount. These commands are accessible to all users and constitute the most important commands that ordinary users might issue. You won’t normally find commands for big application programs in /bin (although the Vi editor is located here). The /bin directory contains static files. Although in some sense the /bin files are shareable, because they’re so important to the basic operation of a computer, the directory is almost never shared—any potential clients must have their own local /bin directories.
/sbin: This directory is similar to /bin, but it contains programs that are normally run only by the system administrator—tools like fdisk and e2fsck. It’s static and theoretically shareable, but in practice, it makes no sense to share it.
/lib: This directory is similar to /bin and /sbin, but it contains program libraries, which are made up of code that’s shared across many programs and stored in separate files to save disk space and RAM. The /lib/modules subdirectory contains kernel modules—drivers that can be loaded and unloaded as required. Like /bin and /sbin, /lib is static and theoretically shareable, although it’s not shared in practice.
/usr: This directory hosts the bulk of a Linux computer’s programs. Its contents are shareable and static, so it can be mounted read-only and may be shared with other Linux systems. For these reasons, many administrators split /usr off into a separate partition, although doing so isn’t required. (Fedora’s recent changes make this difficult with this distribution, though.) Some subdirectories of /usr are similar to their namesakes in the root directory (such as /usr/bin and /usr/lib), but they contain programs and libraries that aren’t absolutely critical to the basic functioning of the computer.
/usr/local: This directory contains subdirectories that mirror the organization of /usr, such as /usr/local/bin and /usr/local/lib. The /usr/local directory hosts files that a system administrator installs locally—for instance, packages that are compiled on the target computer. The idea is to have an area that’s safe from automatic software upgrades when the OS as a whole is upgraded. Immediately after Linux is installed, /usr/local should be empty except for some stub subdirectories. Some system administrators split this off into its own partition to protect it from OS reinstallation procedures that might erase the parent partition.
/usr/X11R6: This directory houses files related to the X Window System (X for short), Linux’s GUI environment. Like /usr/local, this directory contains subdirectories similar to those in /usr, such as /usr/X11R6/bin and /usr/X11R6/lib. Although commonly used several years ago, most modern distributions have moved the contents of this directory to others, such as /usr/bin.
/opt: This directory is similar to /usr/local in many ways, but it’s intended for ready-made packages that don’t ship with the OS, such as commercial word processors or games. Typically, these programs reside in subdirectories in /opt named after themselves, such as /opt/applix. The /opt directory is static and shareable. Some system administrators break it into a separate partition or make it a symbolic link to a subdirectory of /usr/local and make that a separate partition.
/home: This directory contains users’ data, and it’s shareable and variable. Although the /home directory is considered optional in FHS, in practice it’s a matter of the name being optional. For instance, if you add a new disk to support additional users, you might leave the existing /home directory intact and create a new /home2 directory to house the new users. The /home directory often resides on its own partition.
/root: This is the home directory for the root user. Because the root account is so critical and system-specific, this variable directory isn’t really shareable.
/var: This directory contains transient files of various types—system log files, print spool files, mail and news files, and so on. Therefore, the directory’s contents are variable. Some subdirectories are shareable, but others are not. Many system administrators put /var in its own partition, particularly on systems that see a lot of activity in /var, like major Usenet news or mail servers.
/tmp: Many programs need to create temporary (hence variable) files, and the usual place to do so is in /tmp. Most distributions include routines that clean out this directory periodically and sometimes wipe the directory clean at bootup. The /tmp directory is seldom shared. Some administrators create a separate /tmp partition to prevent runaway processes from causing problems on the root filesystem when processes create too-large temporary files. A similar directory exists as part of the /var directory tree (/var/tmp).
/mnt: Linux mounts removable-media devices within its normal directory structure, and /mnt is provided for this purpose. Some (mostly older) distributions create subdirectories within /mnt, such as /mnt/floppy and /mnt/cdrom, to function as mount points. Others use /mnt directly or even use separate mount points off /, such as /floppy and /cdrom. The FHS mentions only /mnt; it doesn’t specify how it’s to be used. Specific media mounted in /mnt may be either static or variable. As a general rule, these directories are shareable.
/media: This directory is an optional part of the FHS. It’s like /mnt, but it should contain subdirectories for specific media types, such as /media/floppy and /media/cdrom. Many modern distributions use /media subdirectories as the default mount points for common removable disk types, often creating subdirectories on the fly.
/dev: Because Linux treats most hardware devices as if they were files, the OS must have a location in its filesystem where these device files reside. The /dev directory is that place. It contains a large number of files that function as hardware interfaces. If a user has sufficient privileges, that user may access the device hardware by reading from and writing to the associated device file. The Linux kernel supports a device filesystem that enables /dev to be an automatically created virtual filesystem—the kernel and support tools create /dev entries on the fly to accommodate the needs of specific drivers. Most distributions now use this facility.
/proc: This is an unusual directory because it doesn’t correspond to a regular directory or partition. Instead, it’s a virtual filesystem that’s created dynamically by Linux to provide access to certain types of hardware information that aren’t accessible via /dev. For instance, if you type cat /proc/cpuinfo, the system responds by displaying information about your CPU—its model name, speed, and so on.
Knowledge of these directories and their purposes is invaluable in properly administering a Linux system. For instance, understanding the purpose of directories like /bin, /sbin, /usr/bin, /usr/local/bin, and others will help you when it comes time to install a new program. Placing a program in the wrong location can cause problems at a later date. For example, if you put a binary file in /bin when it should go in /usr/local/bin, that program may later be overwritten or deleted during a system upgrade when leaving it intact would have been more appropriate.
Tools for Locating Files
You use file-location commands to locate a file on your computer. Most frequently, these commands help you locate a file by name, but sometimes you can use other criteria, such as modification date. These commands can search a directory tree (including root, which scans the entire system) for a file matching the specified criteria in any subdirectory.
The find Command
The find utility implements a brute-force approach to finding files. This program finds files by searching through the specified directory tree, checking filenames, file creation dates, and so on to locate the files that match the specified criteria. Because of this method of operation, find tends to be slow; but it’s very flexible and is very likely to succeed, assuming the file for which you’re searching exists. The find syntax is as follows:
find [path...] [expression...]
You can specify one or more paths in which find should operate; the program will restrict its operations to these paths. The expression is a way of specifying what you want to find. The man page for find includes information about these expressions, but some of the common ones enable you to search by various common criteria:
Search by Filename: You can search for a filename using the -name pattern expression. Doing so finds files that match the specified pattern. If pattern is an ordinary filename, find matches that name exactly. You can use wildcards if you enclose pattern in quotes, and find will locate files that match the wildcard filename.
Search by Permission Mode: If you need to find files that have certain permissions, you can do so by using the -perm mode expression. The mode may be expressed either symbolically or in octal form. If you precede mode with a +, find locates files in which any of the specified permission bits are set. If you precede mode with a -, find locates files in which all the specified permission bits are set.
Search by File Size: You can search for a file of a given size with the -size n expression. Normally, n is specified in 512-byte blocks, but you can modify this by trailing the value with a letter code, such as c for bytes or k for kilobytes.
Search by Group: The -gid GID expression searches for files whose group ID (GID) is set to GID. The -group name option locates files whose group name is name. The former can be handy if the GID has been orphaned and has no name, but the latter is generally easier to use.
Search by User ID: The -uid UID expression searches for files owned by the user whose user ID (UID) is UID. The -user name option searches for files owned by name. The former can be handy if the UID has been orphaned and has no name, but the latter is generally easier to use.
Restrict Search Depth: If you want to search a directory and, perhaps, some limited number of subdirectories, you can use the -maxdepth levels expression to limit the search.
There are many variant and additional options; find is a very powerful command. As an example of its use, consider the task of finding all C source code files, which normally have names that end in .c, in all users’ home directories. If these home directories reside in /home, you might issue the following command:
# find /home -name "*.c"
The result will be a listing of all the files that match the search criteria.
Ordinary users may use find, but it doesn’t overcome Linux’s file permission features. If you lack permission to list a directory’s contents, find will return that directory name and the error message Permission denied.
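The -perm expression is the usual way to audit a tree for the special permission bits set earlier with chmod 6750. The script below is an added example, not part of the original text: it builds a small constructed sample tree in a scratch directory (the names bigprogram and report.tex are reused from the text; helper, notes.txt, and the function names are made up) and uses only the -perm -mode form.

```shell
#!/bin/sh
# Added example: auditing special permission bits with find -perm.
# All files below are constructed sample data in a scratch directory.

# build_sample_tree: creates the sample tree and prints its path.
build_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir "$d/bin" "$d/docs" "$d/drop"
    : > "$d/bin/bigprogram";  chmod 6750 "$d/bin/bigprogram"  # SUID + SGID
    : > "$d/bin/helper";      chmod 2755 "$d/bin/helper"      # SGID only
    : > "$d/docs/report.tex"; chmod 644  "$d/docs/report.tex" # ordinary file
    : > "$d/docs/notes.txt";  chmod 666  "$d/docs/notes.txt"  # world-writable
    chmod 1777 "$d/drop"      # world-writable directory with the sticky bit
    printf '%s\n' "$d"
}

# suid_or_sgid DIR: regular files with SUID, SGID, or both.
# -perm -MODE matches when all listed bits are set, so two tests are joined
# with -o. Current GNU find also offers -perm /6000 for "any of these bits";
# the two-test form works in every version.
suid_or_sgid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | sort
}

# suid_and_sgid DIR: regular files with both SUID and SGID set.
suid_and_sgid() {
    find "$1" -type f -perm -6000 | sort
}

# world_writable_files DIR: regular files any user may modify.
world_writable_files() {
    find "$1" -type f -perm -0002 | sort
}

# unsticky_world_writable_dirs DIR: directories every user can write to
# that lack the sticky bit. In such a directory any user can rename or
# delete another user's files, as Exercise 4.1 shows for /tmp/scratch.
unsticky_world_writable_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000 | sort
}

tree=$(build_sample_tree) || exit 1
echo "SUID or SGID files:";            suid_or_sgid "$tree"
echo "SUID and SGID files:";           suid_and_sgid "$tree"
echo "World-writable files:";          world_writable_files "$tree"
echo "World-writable dirs, no sticky:"; unsticky_world_writable_dirs "$tree"
rm -rf "$tree"
```

On a real system the same functions can be pointed at a directory such as /usr; run as an ordinary user, find will report Permission denied for directories it cannot list.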
The locate Command
The locate utility works much like find if you want to find a file by name, but it differs in two important ways:
- The locate tool is far less sophisticated in its search options. You normally use it to search only on filenames, and the program returns all files that contain the specified string. For instance, when searching for rpm, locate will return other programs, like gnorpm and rpm2cpio.
- The locate program works from a database that it maintains. Most distributions include a cron job that calls utilities that update the locate database periodically, such as once a night or once a week. (You can also use the updatedb command, which is configured via the /etc/updatedb.conf file, to do this task at any time.) For this reason, locate may not find recent files, or it may return the names of files that no longer exist. If the database-update utilities omit certain directories, files in them won’t be returned by a locate query.
Because locate works from a database, it’s typically much faster than find, particularly on system-wide searches. It’s likely to return many false alarms, though, especially if you want to find a file with a short name. To use it, type locate search-string, where search-string is the string that appears in the filename.
Some Linux distributions use slocate rather than locate. The slocate program includes security features to prevent users from seeing the names of files in directories they shouldn’t be able to access. On most systems that use slocate, the locate command is a link to slocate, so locate implements slocate’s security features. A few distributions don’t install either locate or slocate by default.
The whereis Command
The whereis program searches for files in a restricted set of locations, such as standard binary file directories, library directories, and man page directories. This tool does not search user directories or many other locations that are easily searched by find or locate. The whereis utility is a quick way to find program executables and related files like documentation or configuration files.
The whereis program returns filenames that begin with whatever you type as a search criterion, even if those files contain extensions. This feature often turns up configuration files in /etc, man pages, and similar files. To use the program, type the name of the program you want to locate. For instance, the following command locates ls:
$ whereis ls
ls: /bin/ls /usr/share/man/man1/ls.1.bz2
The result shows both the ls executable (/bin/ls) and ls’s man page. The whereis program accepts several parameters that modify its behavior in various ways. These are detailed in the program’s man page.
The which Command
Considered as a search command, which is very weak; it merely searches your path for the command that you type and lists the complete path to the first match it finds. (You can search for all matches by adding the -a option.) For instance, you might want to know where the xterm program is located:
$ which xterm
/usr/bin/xterm
Because the files that which finds are on your path, it won’t help you to run these programs. Instead, it’s likely to be useful if you need to know the complete path for some reason—say, because you want to call the program from a script and don’t want to make assumptions about the path available to the script and so want to include the complete path in the script.
The type Command
This command isn’t really a search command; instead, it tells you how a command you type will be interpreted—as a built-in command, an external command, an alias, and so on. For instance, you can use it to identify several common commands:
$ type type
type is a shell builtin
$ type cat
cat is /bin/cat
$ type ls
ls is aliased to 'ls --color'
This example identifies type itself as a built-in shell command, cat as a separate program stored in /bin, and ls as an alias for ls --color. You can add several options to modify the command’s behavior. For instance, -t shortens the output to builtin, file, alias, or other short identifiers; and -a provides a complete list, for instance providing both the alias expansion and the location of the ultimate executable when provided with an alias name.
In Exercise 4.2, you’ll use several methods of locating files.
EXERCISE 4.2
Locating Files
This exercise demonstrates several methods of locating files. You’ll locate the startx program. (If your system doesn’t have X installed, you can try searching for another program or file, such as pwd or fstab. You may need to change the path passed to find in step 5.) To find a file, follow these steps:
1. Log in to the Linux system as a normal user.
2. Launch an xterm from the desktop environment’s menu system if you used a GUI login method.
3. Type locate startx. The system should display several filenames that include the string startx. This search should take very little time. (A few distributions lack the locate command, so this step won’t work on some systems.)
4. Type whereis startx. The system responds with the names of a few files that contain the string startx. Note that this list may be slightly different from the list returned by step 3 but that the search proceeds quickly.
5. Type find /usr -name startx. This search takes longer and, when run as an ordinary user, most likely returns several Permission denied error messages. It should also return a single line listing the /usr/bin/startx or /usr/X11R6/bin/startx program file. Note that this command searches only /usr. If you searched /usr/X11R6, the command would take less time; if you searched /, the command would take more time.
6. Type which startx. This search completes almost instantaneously, returning the complete filename of the first instance of startx the system finds on its path.
7. Type type startx. Again, the search completes very quickly. It should identify startx as an external command stored at /usr/bin/startx, /usr/X11R6/bin/startx, or possibly some other location.
Summary
File management is basic to being able to administer or use a Linux system. Various commands are useful to both users and administrators for copying, moving, renaming, and otherwise manipulating files and directories. You may also want to set up access controls, both to limit the amount of disk space users may consume and to limit who may access specific files and directories. Finally, Linux provides tools to help you locate files using various criteria.
Exam Essentials
Describe commands used to copy, move, and rename files in Linux. The cp command copies files, as in cp first second to create a copy of first called second. The mv command does double duty as a file-moving and a file-renaming command. It works much like cp, but mv moves or renames the file rather than copying it.
Summarize Linux’s directory-manipulation commands. The mkdir command creates a new directory, and rmdir deletes a directory. You can also use many file-manipulation commands, such as mv and rm (with its -r option), on directories.
Explain the difference between hard and symbolic links. Hard links are duplicate directory entries that both point to the same inode and hence to the same file. Symbolic links are special files that point to another file or directory by name. Hard links must reside on a single filesystem, but symbolic links may point across filesystems.
Summarize the common Linux archiving programs. The tar and cpio programs are both file-based archiving tools that create archives of files using ordinary file access commands. The dd program is a file-copy program; but when it’s fed a partition device file, it copies the entire partition on a very low-level basis, which is useful for creating low-level image backups of Linux or non-Linux filesystems.
Describe Linux’s file ownership system. Every file has an owner and a group, identified by number. File permissions can be assigned independently to the file’s owner, the file’s group, and all other users.
Explain Linux’s file permissions system. Linux provides independent read, write, and execute permissions for the file’s owner, the file’s group, and all other users, resulting in nine main permission bits. Special permission bits are also available, enabling you to launch program files with modified account features or alter the rules Linux uses to control who may delete files.
Summarize the commands Linux uses to modify permissions. The chmod command is Linux’s main tool for setting permissions. You can specify permissions using either an octal (base 8) mode or a symbolic notation. The chown and chgrp commands enable you to change the file’s owner and group, respectively. (The chown command can do both but can be run only by root.)
Describe the prerequisites of using Linux’s disk quota system. Linux’s disk quota system requires support in the Linux kernel for the filesystem on which quotas are to be used. You must also run the quotaon command, typically from a SysV startup script, to enable this feature.
Explain how quotas are set. You can edit quotas for an individual user via the edquota command, as in edquota larry to edit larry’s quotas. This command opens an editor on a text file that describes the user’s quotas. You can change this description, save the file, and exit from the editor to change the user’s quotas.
Summarize how Linux’s standard directories are structured. Linux’s directory tree begins with the root (/) directory, which holds mostly other directories. Specific directories may hold specific types of information, such as user files in /home and configuration files in /etc. Some of these directories and their subdirectories may be separate partitions, which helps isolate data in the event of filesystem corruption.
Describe the major file-location commands in Linux. The find command locates files by brute force, searching through the directory tree for files that match the criteria you specify. The locate (or slocate) command searches a database of files in publicly accessible directories. The whereis command searches a handful of important directories, and which searches the path. The type command identifies another command as a built-in shell command, a shell alias, or an external command (including the path to that command).
Review Questions
1. Why might you type touch filename?
A. To move filename to the current directory
B. To ensure that filename’s time stamp holds the current time
C. To convert filename from DOS-style to Unix-style end-of-line characters
D. To test the validity of filename’s disk structures
E. To write cached data relating to filename to the disk
2. What parameter can you pass to ln to create a soft link? (Select two.)
A. -s
B. --soft
C. --slink
D. --symbolic
E. --sl
3. You want to discover the sizes of several dot files in a directory. Which of the following commands might you use to do this?
A. ls -la
B. ls -p
C. ls -R
D. ls -d
E. ls -F
4. You want to move a file from your hard disk to a USB flash drive. Which of the following is true?
A. You’ll have to use the --preserve option to mv to keep ownership and permissions set correctly.
B. The mv command will adjust filesystem pointers without physically rewriting data if the flash drive uses the same filesystem type as the hard disk partition.
C. You must use the same filesystem type on both media to preserve ownership and permissions.
D. The mv command will delete the file on the hard disk after copying it to the flash drive.
E. You must use the FAT filesystem on the USB flash drive; Linux-native filesystems won’t work on removable disks.
5. You type mkdir one/two/three and receive an error message that reads, in part, No such file or directory. What can you do to overcome this problem? (Select two.)
A. Add the --parents parameter to the mkdir command.
B. Issue three separate mkdir commands: mkdir one, then mkdir one/two, and then mkdir one/two/three.
C. Type touch /bin/mkdir to be sure the mkdir program file exists.
D. Type rmdir one to clear away the interfering base of the desired new directory tree.
E. Type mktree one/two/three instead of mkdir one/two/three.
6. Which of the following commands are commonly used to create archive files? (Select two.)
A. restore
B. vi
C. tape
D. cpio
E. tar
7. You’ve received a tarball called data79.tar from a colleague, but you want to check the names of the files it contains before extracting them. Which of the following commands would you use to do this?
A. tar uvf data79.tar
B. tar cvf data79.tar
C. tar xvf data79.tar
D. tar rvf data79.tar
E. tar tvf data79.tar
8. You want to create a link from your home directory on your hard disk to a directory on a CD-ROM drive. Which of the following types of links might you use?
A. Only a symbolic link
B. Only a hard link
C. Either a symbolic or a hard link
D. Only a hard link, and then only if both directories use the same low-level filesystem
E. None of the above; such links aren’t possible under Linux
9. What command would you type (as root) to change the ownership of somefile.txt from ralph to tony?
A. chown ralph:tony somefile.txt
B. chmod somefile.txt tony
C. chown somefile.txt tony
D. chmod tony:ralph somefile.txt
E. chown tony somefile.txt
10. Typing ls -ld wonderjaye reveals a symbolic file mode of drwxr-xr-x. Which of the following are true? (Select two.)
A. wonderjaye is a symbolic link.
B. wonderjaye is an executable program.
C. wonderjaye is a directory.
D. wonderjaye has its SUID bit set.
E. wonderjaye may be read by all users of the system.
11. When should programs be configured SUID root?
A. At all times; this permission is required for executable programs
B. Whenever a program should be able to access a device file
C. Only when they require root privileges to do their job
D. Never; this permission is a severe security risk
E. Whenever the program file is owned by the root user
12. Which of the following commands would you type to enable world read access to the file myfile.txt? (Assume that you’re the owner of myfile.txt.)
A. chmod 741 myfile.txt
B. chmod 0640 myfile.txt
C. chmod u+r myfile.txt
D. chmod a-r myfile.txt
E. chmod o+r myfile.txt
13. Which of the following umask values will result in files with rw-r----- permissions?
A. 640
B. 210
C. 022
D. 027
E. 138
14. You see the usrquota and grpquota options in the /etc/fstab entry for a filesystem. What is the consequence of these entries?
A. Quota support will be available if it’s compiled into the kernel; it will be automatically activated when you mount the filesystem.
B. User quotas will be available, but the grpquota option is invalid and will be ignored.
C. Quota support will be disabled on the filesystem in question.
D. Nothing; these options are malformed and so will have no effect.
E. Quota support will be available if it’s compiled into your kernel, but you must activate it with the quotaon command.
15. Which of the following commands can be used to summarize the quota information about all filesystems?
A. repquota
B. repquota -a
C. quotacheck
D. quotacheck -a
E. edquota -a
16. You’ve installed a commercial spreadsheet program called WonderCalc on a workstation. In which of the following directories are you most likely to find the program executable file?
A. /usr/sbin
B. /etc/X11
C. /boot
D. /opt/wcalc/bin
E. /sbin/wcalc
17. Which of the following file-location commands is likely to take the most time to find a file that may be located anywhere on the computer (assuming the operation succeeds)?
A. The find command.
B. The locate command.
C. The whereis command.
D. The type command.
E. They’re all equal in speed.
18. What can the type command do that whereis can’t do?
A. Identify the command as being for x86 or x86-64 CPUs
B. Locate commands based on their intended purpose, not just by name
C. Identify a command as an alias, internal command, or external command
D. Assist in typing a command by finishing typing it for you
E. Identify a command as being a binary or a script
19. You want to track down all the files in /home that are owned by karen. Which of the following commands will do the job?
A. find /home -uid karen
B. find /home -user karen
C. locate /home -username karen
D. locate /home Karen
E. find /home -name karen
20. What can you conclude from the following interaction?
$ which man
/usr/bin/man
A. The only file called man on the computer is in /usr/bin.
B. The /usr/bin/man program was installed by system package tools.
C. The /usr/bin/man program will be run by any user who types man.
D. The first instance of the man program, in path search order, is in /usr/bin.
E. The user man owns the /usr/bin/man program file.
Chapter 5
Booting Linux and Editing Files
THE FOLLOWING EXAM OBJECTIVES ARE COVERED IN THIS CHAPTER:
1.101.2: Boot the system
1.101.3: Change runlevels and shutdown or reboot system
1.102.2: Install a boot manager
1.103.8: Perform basic file editing operations using vi
So far, this book has dealt largely with a running Linux system, but from time to time you’ll need to boot Linux. Ordinarily this process is a painless one: You press the power button, wait a couple of minutes, and see a Linux login prompt. Sometimes, though, you’ll have to intervene in this process in one way or another.
The Linux boot process can be configured to boot Linux with particular options and even to boot other operating systems, so knowing how to configure the boot process can help you accomplish your boot-related goals. Once the system is booted, you should know how to study log files related to the boot process. This can help you diagnose problems or verify that the system is operating the way it should be.
Finally, this chapter looks at editing files with Vi. Vi isn’t particularly boot-related, but knowing how to edit files is vital to many administrative tasks, including editing the boot loader configuration files.
Installing Boot Loaders
The computer’s boot process begins with a program called a boot loader. This program runs before any OS has loaded, although you normally install and configure it from within Linux (or some other OS). Boot loaders work in particular ways that depend on both the firmware you use and the OS you’re booting. Understanding your boot loader’s principles is necessary to properly configure them, so before delving into the details of specific boot loaders, I describe these boot loader principles.
In Linux, the most-used boot loader is the Grand Unified Boot Loader (GRUB), which is available in two versions: GRUB Legacy (with version numbers up to 0.97) and GRUB 2 (with version numbers from 1.9x to 2.x, with 2.00 being the latest as I write). An assortment of alternative boot loaders is available, though, and in some cases you may need to use one of them, so I provide a brief rundown of these less common boot loaders.
This chapter describes boot loaders for x86 and x86-64 computers. Other platforms have their own boot loaders. Some of these are similar to certain x86/x86-64 boot loaders, but they aren’t quite identical. You should consult platform-specific documentation if you need to reconfigure a non-x86 boot loader.
Boot Loader Principles
In one way or another, your computer’s firmware reads the boot loader into memory from the hard disk and executes it. The boot loader, in turn, is responsible for loading the Linux kernel into memory and starting it running. Thus, configuring a hard disk (or at least your boot hard disk) isn’t complete until the boot loader is configured. Although Linux distributions provide semi-automated methods of configuring a boot loader during system installation, you may need to know more, particularly if you recompile your kernel or need to set up an advanced configuration—say, one to select between several OSs.
Although the exam objectives mention only the Basic Input/Output System (BIOS) firmware, beginning in 2011 the Extensible Firmware Interface (EFI) and its Unified EFI (UEFI) variant have become increasingly important. Thus, I describe the principles upon which both BIOS and EFI computers’ boot loaders are based.
BIOS Boot Loader Principles
The BIOS boot process can be a bit convoluted, in part because so many options are available. Figure 5.1 depicts a typical configuration, showing a couple of possible boot paths. In both cases, the boot process begins with the BIOS. As described in Chapter 3, “Configuring Hardware,” you tell the BIOS which boot device to use—a hard disk, a floppy disk, a CD-ROM drive, or something else. Assuming you pick a hard disk as the primary boot device (or if higher-priority devices aren’t bootable), the BIOS loads code from the Master Boot Record (MBR), which is the first sector on the hard disk. This code is the primary boot loader code. In theory, it could be just about anything, even a complete (if tiny) OS.
FIGURE 5.1 The x86 boot system provides several options for redirecting the process, but ultimately an OS kernel is loaded.
In practice, the primary boot loader does one of two things:
It examines the partition table and locates the partition that’s marked as bootable. The primary boot loader then loads the boot sector from that partition and executes it. This boot sector contains a secondary boot loader, which continues the process by locating an OS kernel, loading it, and executing it. This option is depicted by the A arrows in Figure 5.1.
It locates an OS kernel, loads it, and executes it directly. This approach bypasses the secondary boot loader entirely, as depicted by the B arrow in Figure 5.1.
Traditionally, x86 systems running DOS or Windows follow path A. DOS and Windows 9x/Me ship with very simple boot loaders that provide little in the way of options. Later versions of Windows ship with a boot loader that can provide limited redirection in the second stage of the A path.
Linux’s most popular BIOS boot loaders, LILO and GRUB, are both much more flexible. They support installation in either the MBR or the boot sector of a boot partition. Thus, you can either keep a DOS/Windows-style primary boot loader and direct the system to boot a kernel from a boot sector installation (path A) or bypass this step and load the kernel straight from the MBR (path B). The first option has the advantage that another OS is unlikely to wipe out LILO or GRUB, because it’s stored safely in a Linux partition. Windows has a tendency to write its standard MBR boot loader when it’s installed, so if you need to re-install Windows on a dual-boot system, this action will wipe out an MBR-based boot loader. If the boot loader is stored in a Linux partition’s boot sector, it will remain intact, although Windows might configure the system to bypass it. To reactivate the Linux boot loader, you must use a tool such as the DOS/Windows FDISK to mark the Linux partition as the boot partition.
A drawback of placing LILO or GRUB in a partition’s boot sector is that this partition must normally be a primary partition, at least with disks that use the MBR partitioning system. (An exception is if you’re using some other boot loader in the MBR or in another partition. If this third-party boot loader can redirect the boot process to a logical partition, this restriction goes away.) For this reason, many people prefer to put LILO or GRUB in the hard disk’s MBR.
In the end, both approaches work, and for a Linux-only installation, the advantages and disadvantages of both approaches are very minor. Some distributions don’t give you an option at install time. For them, you should review your boot loader configuration and, when you must add a kernel or otherwise change the boot loader, modify the existing configuration rather than try to create a new one.
On disks that use the GUID Partition Table (GPT) partitioning system, GRUB stores part of itself in a special partition, known as the BIOS Boot Partition. On MBR disks, the equivalent code resides in the sectors immediately following the MBR, which are officially unallocated in the MBR scheme.
A Linux boot loader can be installed to a floppy disk or USB flash drive as well as to a hard disk. Even if you don’t want to use such a disk as part of your regular boot process, you may want to create an emergency disk with your regular boot loader. You can then use it to boot Linux if something goes wrong with your regular boot loader installation.
This description provides a somewhat simplified view of boot loaders. Most Linux boot loaders are much more complex than this. They can redirect the boot process to non-Linux boot sectors and present menus that enable you to boot multiple OSs or multiple Linux kernels. You can chain several boot loaders, including third-party boot loaders such as System Commander or BootMagic. Chaining boot loaders in this way enables you to take advantage of unique features of multiple boot loaders, such as the ability of System Commander to boot several versions of DOS or Windows on a single partition.
The exam’s objective 102.2 mentions the superblock. Despite its placement in an objective about boot loaders, the superblock isn’t really a boot loader concept; rather, it’s part of the filesystem. The superblock describes basic filesystem features, such as the filesystem’s size and status. The debugfs and dumpe2fs commands, described in Chapter 3, provide some basic superblock information. On BIOS-based computers, the superblock can hold a portion of the boot loader, so damage to it can cause boot problems.
EFI Boot Loader Principles
The BIOS boot process, as just described, was designed in the 1980s, when the space available for a BIOS in the computer’s firmware was tiny by today’s standards. Thus, the boot process had to be very simple, and a great deal of the complexity had to be pushed into software stored on the hard disk.
The newer EFI firmware is much more complex than the older BIOS, and so its boot process can be more sophisticated. Instead of relying on code stored in boot sectors on the hard disk, EFI relies on boot loaders stored as files in a disk partition, known as the EFI System Partition (ESP), which uses the File Allocation Table (FAT) filesystem. Under Linux, the ESP is typically mounted at /boot/efi. Boot loaders reside in files with .efi filename extensions stored in subdirectories named after the OS or boot loader name under the EFI subdirectory of the ESP. Thus, you might have a boot loader called /boot/efi/EFI/ubuntu/grub.efi or /boot/efi/EFI/suse/elilo.efi.
This configuration enables you to store a separate boot loader for each OS you install on the computer. The EFI firmware includes its own program, a boot manager, to help you select which boot loader to launch. The resulting boot path resembles Figure 5.2. In this figure, two boot loaders (loader1.efi and loader2.efi) are available, each of which launches its own OS kernel, located on its own partition.
FIGURE 5.2 The EFI boot process begins the boot redirection from the firmware level and employs files in filesystems rather than boot code hidden in boot sectors.
The exam objectives use the terms boot loader and boot manager interchangeably, but this book doesn’t. A boot loader loads a kernel into memory and transfers control to it, whereas a boot manager presents a menu of boot options. Many programs, including the popular GRUB, combine both functions in one program, which is the reason for the lack of clarity in many sources.
In order to work, the EFI must know about the boot loaders installed on the hard disk’s ESP. This is normally done by registering the boot loaders with the firmware, either using a utility built into the firmware’s own user interface or using a tool such as Linux’s efibootmgr program. Alternatively, most x86-64 EFI implementations will use a boot loader called EFI/boot/bootx64.efi on the ESP as a default if no others are registered. This is the way you boot most removable disks; you store your boot loader using this name on the removable disk’s ESP.
The most popular EFI boot loaders for Linux are based on BIOS boot loaders, so they provide functionality not required by EFI boot loaders generally, such as their own boot manager features that provide the ability to chainload to another EFI boot loader. Thus, the boot process on a multi-OS computer might run a single EFI boot loader, which then chainloads other EFI boot loaders. In fact, this is sometimes a practical necessity, since many EFI implementations provide such primitive boot managers that selecting an OS must be done by a separate boot program.
Using GRUB Legacy as the Boot Loader
The Grand Unified Bootloader (GRUB) is the default boot loader for most Linux distributions; however, GRUB is really two boot loaders: GRUB Legacy and GRUB 2. Although these two boot loaders are similar in many ways, they differ in many important details. GRUB Legacy is, as you might expect, the older of the two boot loaders. It used to be the dominant boot loader for Linux, but it’s been eclipsed by GRUB 2. Nonetheless, because the two boot loaders are so similar, I describe GRUB Legacy first and in more detail; the upcoming section, “Using GRUB 2 as the Boot Loader,” focuses on its differences from GRUB Legacy. In the following pages, I describe how to configure, install, and interact with GRUB Legacy.
Configuring GRUB Legacy
The usual location for GRUB Legacy’s configuration file on a BIOS-based computer is /boot/grub/menu.lst. Some distributions (such as Fedora, Red Hat, and Gentoo) use the filename grub.conf rather than menu.lst. The GRUB configuration file is broken into global and per-image sections, each of which has its own options. Before getting into section details, though, you should understand a few GRUB quirks.
GRUB Legacy officially supports BIOS but not EFI. A heavily patched version, maintained by Fedora, provides support for EFI. If you’re using this version of GRUB, its configuration file goes in the same directory on the ESP that houses the GRUB Legacy binary, such as /boot/efi/EFI/redhat for a standard Fedora or Red Hat installation.
GRUB Nomenclature and Quirks
Listing 5.1 shows a sample GRUB configuration file. This file provides definitions to boot several OSs—Fedora on /dev/sda5, Debian on /dev/sda6, and Windows on /dev/sda2. Fedora and Debian share a /boot partition (/dev/sda1), on which the GRUB configuration resides.
Listing 5.1: A sample GRUB configuration file
# grub.conf/menu.lst
#
# Global Options:
#
default=0
timeout=15
splashimage=/grub/bootimage.xpm.gz
#
# Kernel Image Options:
#
title Fedora (3.4.1)
    root (hd0,0)
    kernel /vmlinuz-3.4.1 ro root=/dev/sda5 mem=4096M
    initrd /initrd-3.4.1
title Debian (3.4.2-experimental)
    root (hd0,0)
    kernel (hd0,0)/bzImage-3.4.2-experimental ro root=/dev/sda6
#
# Other operating systems
#
title Windows
    rootnoverify (hd0,1)
    chainloader +1
GRUB doesn’t refer to disk drives by device filename the way Linux does. GRUB numbers drives so that instead of /dev/hda or /dev/sda, GRUB uses (hd0). Similarly, /dev/hdb or /dev/sdb is likely to be (hd1). GRUB doesn’t distinguish between PATA, SATA, SCSI, and USB drives, so on a SCSI-only system, the first SCSI drive is (hd0). On a mixed system, ATA drives normally receive the lower numbers, although this isn’t always the case. GRUB Legacy’s drive mappings can be found in the /boot/grub/device.map file.
Additionally, GRUB Legacy numbers partitions on a drive starting at 0 instead of the 1 that is used by Linux. GRUB Legacy separates partition numbers from drive numbers with a comma, as in (hd0,0) for the first partition on the first disk (normally Linux’s /dev/hda1 or /dev/sda1) or (hd0,4) for the first logical partition on the first disk (normally Linux’s /dev/hda5 or /dev/sda5). Floppy devices are referred to as (fd0), or conceivably (fd1) or higher if you have more than one floppy drive. Floppy disks aren’t partitioned, so they don’t receive partition numbers. GRUB Legacy treats USB flash drives just like hard disks, although it relies on the firmware to access these drives, so GRUB Legacy won’t boot from a USB flash drive if you’re using an older computer that doesn’t support this option.
GRUB Legacy defines its own root partition, which can be different from the Linux root partition. GRUB’s root partition is the partition in which GRUB’s configuration file (menu.lst or grub.conf) resides. Because this file is normally in Linux’s /boot/grub/ directory, the GRUB root partition will be the same as Linux’s root partition if you do not use a separate /boot or /boot/grub partition. If you split off /boot into its own partition, as is fairly common, GRUB’s root partition will be the same as Linux’s /boot partition. You must keep this difference in mind when referring to files in the GRUB configuration directory.
Essential Global GRUB Legacy Options
GRUB’s global section precedes its per-image configurations. Typically, you’ll find just a few options in this global section:
Default OS: The default= option tells GRUB which OS to boot. Listing 5.1’s default=0 causes the first listed OS to be booted (remember, GRUB indexes from 0). If you want to boot the second listed operating system, use default=1, and so on, through all your OSs.
Timeout: The timeout= option defines how long, in seconds, to wait for user input before booting the default operating system.
Background Graphic: The splashimage= line points to a graphics file that’s displayed as the background for the boot process. This line is optional, but most Linux distributions point to an image to spruce up the boot menu. The filename reference is relative to the GRUB root partition, so if /boot is on a separate partition, that portion of the path is omitted. Alternatively, the path may begin with a GRUB device specification, such as (hd0,5) to refer to a file on that partition.
Essential GRUB Legacy Per-Image Options
GRUB Legacy’s per-image options are often indented after the first line, but this is a convention, not a requirement of the file format. The options begin with an identification and continue with options that tell GRUB how to handle the image:
Title: The title line begins a per-image stanza and specifies the label to display when the boot loader runs. The GRUB Legacy title can accept spaces and is conventionally moderately descriptive, as shown in Listing 5.1.
GRUB Root: The root option specifies the location of GRUB Legacy’s root partition. This is the /boot partition if a separate one exists; otherwise, it’s usually the Linux root (/) partition. GRUB can reside on a FAT partition, on a floppy disk, or on certain other OSs’ partitions, though, so GRUB’s root could conceivably be somewhere more exotic.
Kernel Specification: The kernel setting describes the location of the Linux kernel as well as any kernel options that are to be passed to it. Paths are relative to GRUB Legacy’s root partition. As an alternative, you can specify devices using GRUB’s syntax, such as kernel (hd0,5)/vmlinuz ro root=/dev/sda5. Note that you pass most kernel options on this line. Some other boot loaders split off kernel options on separate lines; but in GRUB, you incorporate these options onto the kernel line. The ro option tells the kernel to mount its root filesystem read-only (it’s later remounted read/write), and the root= option specifies the Linux root filesystem. Because these options are being passed to the kernel, they use Linux-style device identifiers, when necessary, unlike other options in the GRUB configuration file.
Initial RAM Disk: Use the initrd option to specify an initial RAM disk, which holds a minimal set of drivers, utilities, and configuration files that the kernel uses to mount its root filesystem before the kernel can fully access the hard disk. Most Linux distributions rely heavily on the initial RAM disk as a way to keep the main kernel file small and to provide tools to the kernel at a point in the boot process before they could be loaded from the hard disk.
Non-Linux Root: The rootnoverify option is similar to the root option except that GRUB Legacy won’t try to access files on this partition. It’s used to specify a boot partition for OSs for which GRUB Legacy can’t directly load a kernel, such as DOS and Windows.
Chainloading: The chainloader option tells GRUB Legacy to pass control to another boot loader. Typically, it’s passed a +1 option to load the first sector of the target OS’s root partition (usually specified with rootnoverify) and to hand over execution to this secondary boot loader.
Chainloading as just described works on BIOS computers. If you’re using an EFI-enabled version of GRUB Legacy, you can chainload, but you must tell GRUB Legacy to use the ESP (typically by specifying root (hd0,0), although the device identification may differ) and then pass the name of an EFI boot loader file via the chainloader option, as in chainloader /EFI/Microsoft/boot/bootmgfw.efi.
To add a kernel to GRUB, follow these steps:
1. As root, load the menu.lst or grub.conf file into a text editor.
2. Copy a working configuration for a Linux kernel.
3. Modify the title line to give your new configuration a unique name.
4. Modify the kernel line to point to the new kernel. If you need to change any kernel options, do so.
5. If you’re adding, deleting, or changing a RAM disk, make appropriate changes to the initrd line.
6. If desired, change the global default line to point to the new kernel.
7. Save your changes, and exit the text editor.
At this point, GRUB is configured to boot your new kernel. When you reboot, you should see it appear in your menu, and you should be able to boot it. If you have problems, boot a working configuration to debug the issue.
Don’t eliminate a working configuration for an old kernel until you’ve determined that your new kernel works correctly.
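The following check is an added example, not code from the book or from the GRUB project. After editing menu.lst as in the steps above, it confirms that default= still points at an existing stanza and lists, for each stanza, the GRUB root next to its Linux device name and the kernel’s root= value. The function names are hypothetical, the sample input is constructed from Listing 5.1, and the (hdN) to /dev/sdX translation assumes the usual ordering; the authoritative mapping is /boot/grub/device.map.

```shell
#!/bin/sh
# Added example (hypothetical helper names): sanity-check a GRUB Legacy
# menu.lst / grub.conf read from standard input.

# Constructed sample input, modelled on Listing 5.1.
sample_menu_lst() {
cat <<'EOF'
# Global Options:
default=0
timeout=15
splashimage=/grub/bootimage.xpm.gz
title Fedora (3.4.1)
    root (hd0,0)
    kernel /vmlinuz-3.4.1 ro root=/dev/sda5 mem=4096M
    initrd /initrd-3.4.1
title Debian (3.4.2-experimental)
    root (hd0,0)
    kernel (hd0,0)/bzImage-3.4.2-experimental ro root=/dev/sda6
title Windows
    rootnoverify (hd0,1)
    chainloader +1
EOF
}

# grub_to_linux '(hd0,4)' prints /dev/sda5. GRUB Legacy counts drives and
# partitions from 0; Linux counts partitions from 1.
# ASSUMPTION: hd0 is /dev/sda, hd1 is /dev/sdb, and so on.
grub_to_linux() {
    spec=${1#"("}; spec=${spec%")"}
    case $spec in
        *,|*,*,*) return 1 ;;      # empty or repeated partition field
        hd[0-9]*) ;;
        *) return 1 ;;             # floppies such as (fd0) have no partitions
    esac
    drive=${spec#hd}; drive=${drive%%,*}
    part=""
    case $spec in *,*) part=${spec#*,} ;; esac
    case "$drive$part" in *[!0-9]*) return 1 ;; esac
    # Reject leading zeros; shell arithmetic would read them as octal.
    case "$drive,$part" in 0[0-9]*|*,0[0-9]*) return 1 ;; esac
    [ "$drive" -lt 26 ] || return 1
    letter=$(printf 'abcdefghijklmnopqrstuvwxyz' | cut -c "$((drive + 1))")
    if [ -n "$part" ]; then
        printf '/dev/sd%s%s\n' "$letter" "$((part + 1))"
    else
        printf '/dev/sd%s\n' "$letter"
    fi
}

# Print the title that default= selects; fail if the index has no stanza.
# Both "default=0" and "default 0" spellings are accepted.
default_title() {
    awk '
        BEGIN { def = 0 }
        /^[ \t]*#/ { next }
        $1 == "default" || $1 ~ /^default=/ {
            d = $0; sub(/^[ \t]*default[ \t=]+/, "", d); def = d + 0
        }
        $1 == "title" { t = $0; sub(/^[ \t]*title[ \t]+/, "", t); titles[n++] = t }
        END { if (def < n) print titles[def]; else exit 1 }
    '
}

# One line per stanza: index|title|GRUB root|Linux device|kernel root=
# A "-" means the stanza has no such option; "?" means no translation.
stanza_report() {
    awk '
        function emit() { if (n >= 0) printf "%d|%s|%s|%s\n", n, title, groot, kroot }
        BEGIN { n = -1 }
        /^[ \t]*#/ { next }
        $1 == "title" {
            emit(); n++
            title = $0; sub(/^[ \t]*title[ \t]+/, "", title)
            groot = "-"; kroot = "-"
        }
        n >= 0 && ($1 == "root" || $1 == "rootnoverify") { groot = $2 }
        n >= 0 && $1 == "kernel" {
            for (i = 2; i <= NF; i++) if ($i ~ /^root=/) kroot = substr($i, 6)
        }
        END { emit() }
    ' | while IFS='|' read -r idx title groot kroot; do
        dev=$(grub_to_linux "$groot") || dev="?"
        printf '%s|%s|%s|%s|%s\n' "$idx" "$title" "$groot" "$dev" "$kroot"
    done
}

# Demo on the constructed sample. On a real system, run for example:
#   stanza_report < /boot/grub/menu.lst
printf 'default entry: %s\n' "$(sample_menu_lst | default_title)"
sample_menu_lst | stanza_report
```

In the report, the Fedora and Debian stanzas show GRUB root (hd0,0), that is /dev/sda1, beside kernel root values of /dev/sda5 and /dev/sda6, which is the GRUB-root versus Linux-root distinction described earlier.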
Installing GRUB Legacy
The command for installing GRUB Legacy on a BIOS-based computer is grub-install. You must specify the boot sector by device name when you install the boot loader. The basic command looks like
# grub-install /dev/sda
or
# grub-install '(hd0)'
Either command will install GRUB Legacy into the first sector (that is, the MBR) of your first hard drive. In the second example, you need single quotes around the device name. If you want to install GRUB Legacy in the boot sector of a partition rather than in the MBR, you include a partition identifier, as in /dev/sda1 or (hd0,0).
If you’re installing Fedora’s EFI-enabled version of GRUB Legacy, you should not use the grub-install command; instead, copy the grub.efi file to a suitable subdirectory on your ESP, such as /boot/efi/EFI/redhat, and copy grub.conf to the same location. If you install using Fedora’s grub-efi RPM file, the grub.efi file should be placed in this location by default. After copying these files, you may need to use efibootmgr to add the boot loader to the EFI’s list:
# efibootmgr -c -l \\EFI\\redhat\\grub.efi -L GRUB
This command adds GRUB Legacy, stored in the ESP’s /EFI/redhat directory, to the EFI’s boot loader list. You must use doubled-up backslashes (\\) rather than the Linux-style forward slashes (/) as directory separators. Consult the efibootmgr utility’s man page for more information.
You do not need to reinstall GRUB after making changes to its configuration file. (Such a reinstallation is required for some older boot loaders, though.) You need to install GRUB this way only if you make certain changes to your disk configuration, such as resizing or moving the GRUB root partition, moving your entire installation to a new hard disk, or possibly reinstalling Windows (which tends to wipe out MBR-based boot loaders). In some of these cases, you may need to boot Linux via a backup boot loader, such as GRUB installed to a floppy or USB disk.
Interacting with GRUB Legacy
The first screen the GRUB Legacy boot loader shows you is a list of all the operating systems you specified with the title option in your GRUB configuration file. You can wait for the timeout to expire for the default operating system to boot. To select an alternative, use your arrow keys to highlight the operating system that you want to boot. Once your choice is highlighted, press the Enter key to start booting.
Follow these steps when you want to change or pass additional options to your operating system:
1. Use your arrow keys to highlight the operating system that most closely matches what you want to boot.
2. Press the E key to edit this entry. You’ll see a new screen listing all the options for this entry.
3. Use your arrow keys to highlight the kernel option line.
4. Press the E key to edit the kernel options.
5. Edit the kernel line to add any options, such as 1 to boot to single-user mode. GRUB Legacy passes the extra option to the kernel.
6. Press the Enter key to complete the edits.
7. Press the B key to start booting.
You can make whatever changes you like in step 5, such as using a different init program. You do this by appending init=/bin/bash (or whatever program you want to use) to the end of the kernel line.
Using GRUB 2 as the Boot Loader
In principle, configuring GRUB 2 is much like configuring GRUB Legacy; however, some important details differ. First, the GRUB 2 configuration file is /boot/grub/grub.cfg. (Some distributions place this file in /boot/grub2, enabling simultaneous installations of GRUB Legacy and GRUB 2.) GRUB 2 adds a number of features, such as support for loadable modules for specific filesystems and modes of operation, that aren’t present in GRUB Legacy. (The insmod command in the GRUB 2 configuration file loads modules.) GRUB 2 also supports conditional logic statements, enabling loading modules or displaying menu entries only if particular conditions are met.
If you merely want to add or change a single OS entry, you’ll find the most important changes are to the per-image options. Listing 5.2 shows GRUB 2 equivalents to the image options shown in Listing 5.1.
Listing 5.2: GRUB 2 image configuration examples
#
# Kernel Image Options:
#
menuentry "Fedora (3.4.1)" {
   set root=(hd0,1)
   linux /vmlinuz-3.4.1 ro root=/dev/sda5 mem=4096M
   initrd /initrd-3.4.1
}
menuentry "Debian (3.4.2-experimental)" {
   set root=(hd0,1)
   linux (hd0,1)/bzImage-3.4.2-experimental ro root=/dev/sda6
}
#
# Other operating systems
#
menuentry "Windows" {
   set root=(hd0,2)
   chainloader +1
}
Important changes compared to GRUB Legacy include the following:
The title keyword is replaced by menuentry.
The menu title is enclosed in quotation marks.
An opening curly brace ({) follows the menu title, and each entry ends with a closing curly brace (}).
The set keyword precedes the root keyword, and an equal sign (=) separates root from the partition specification.
The rootnoverify keyword has been eliminated; you use root instead.
Partitions are numbered starting from 1 rather than from 0. A similar change in disk numbering is not implemented. This change can be very confusing if you’re used to GRUB Legacy, but it makes partition numbering mix-ups when “translating” from Linux-style partition numbering less likely. The most recent versions of GRUB 2 also support a more complex partition identification scheme to specify the partition table type, as in (hd0,gpt2) to specify that the second GPT partition should be used, or (hd1,mbr3) to specify that the third MBR partition should be used.
GRUB 2 makes further changes, in that it employs a set of scripts and other tools that help automatically maintain the /boot/grub/grub.cfg file. The intent is that system administrators need never explicitly edit this file. Instead, you would edit files in /etc/grub.d, and the /etc/default/grub file, to change your GRUB 2 configuration. After making such changes, you must explicitly rebuild the grub.cfg file, as described shortly.
Files in /etc/grub.d control particular GRUB OS probers. These scripts scan the system for particular OSs and kernels and add GRUB entries to /boot/grub/grub.cfg to support those OSs. You can add custom kernel entries, such as those shown in Listing 5.2, to the 40_custom file to support your own locally compiled kernels or unusual OSs that GRUB doesn’t automatically detect.
The /etc/default/grub file controls the defaults created by the GRUB 2 configuration scripts. For instance, if you want to adjust the timeout, you might change the following line:
GRUB_TIMEOUT=10
A distribution that’s designed to use GRUB 2, such as Ubuntu, will automatically run the configuration scripts after certain actions, such as installing a new kernel with the distribution’s package manager. If you need to make changes yourself, you can type update-grub or grub-mkconfig > /boot/grub/grub.cfg after you’ve edited /etc/default/grub or files in /etc/grub.d. This command re-reads these configuration files and writes a fresh /boot/grub/grub.cfg file. (Some installations use 2 after grub in command names, as in grub2-mkconfig rather than grub-mkconfig.)
Unlike GRUB Legacy, GRUB 2 is designed to work with both BIOS and EFI-based computers, as well as with a few more-exotic firmware types. When you first install Linux, the installer should set up GRUB correctly, using grub-install in much the way described for GRUB Legacy. On EFI-based computers, GRUB 2’s version of grub-install should install the GRUB 2 EFI binary file where it belongs; but if you have problems, you may need to use efibootmgr, as described earlier with reference to GRUB Legacy.
Using Alternative Boot Loaders
Although GRUB Legacy and GRUB 2 dominate the Linux boot loader arena today and are the only boot loaders covered on the exam, there are several others that you may encounter and that deserve mention:
Syslinux
The Syslinux Project (http://www.syslinux.org) is actually a family of BIOS-based boot loaders, each of which is much smaller and more specialized than GRUB Legacy or GRUB 2. The most notable member of this family is ISOLINUX, which is a boot loader for use on optical discs, which have unique boot requirements. The EXTLINUX boot loader is another member of this family; it can boot Linux from an ext2, ext3, or ext4 filesystem.
LILO
The Linux Loader (LILO) was the most common Linux boot loader in the 1990s. It’s primitive and limited by today’s standards, and it works only on BIOS-based computers. For more information on LILO, go to http://freshmeat.net/projects/lilo/.
ELILO
The EFI Linux Loader (ELILO; http://elilo.sourceforge.net) is the oldest Linux boot loader for EFI-based computers. It’s similar to LILO in its features and functionality and is used by some distributions (most notably, OpenSUSE) as the default boot loader on EFI-based computers.
The Linux Kernel
Since version 3.3.0, the Linux kernel has incorporated an EFI boot loader for x86 and x86-64 systems. On an EFI-based computer, this feature enables the kernel to serve as its own boot loader, eliminating the need for a separate tool such as GRUB 2 or ELILO.
rEFIt
This program, hosted at http://refit.sourceforge.net, is technically a boot manager, not a boot loader. It’s popular on Intel-based Macs, but some builds of the program can be used on UEFI-based PCs, too. It presents a pretty graphical interface, enabling users to select their boot OS using icons rather than a text-based interface. rEFIt appears to have been abandoned; as I write, the last update was in 2010.
rEFInd
This program is derived from rEFIt so as to make it more useful on UEFI-based PCs and to extend its feature set. Like rEFIt, rEFInd is a boot manager, not a boot loader; it’s intended to present a list of boot options to users. It’s most useful on computers with EFI implementations that provide poor boot managers. It also provides features that are designed to work with the Linux kernel’s built-in EFI boot loader, to simplify the passing of options required to get the kernel to boot. You can learn more at http://www.rodsbooks.com/refind/.
gummiboot
This is an open source EFI boot manager that’s conceptually similar to rEFIt or rEFInd, but it uses a text-mode interface and fewer options. You can learn more at http://freedesktop.org/wiki/Software/gummiboot.
Although development of Linux boot loaders for BIOS-based computers has largely stabilized, with GRUB 2 now dominating this field, EFI boot loader development is quite dynamic, at least as of late 2012. This is likely to continue to be the case in the near future, since EFI-based computers are only now becoming common.
The fact that Microsoft is requiring use of a firmware feature known as Secure Boot is likely to have an impact on Linux boot loaders in late 2012 and 2013, too. With Secure Boot enabled, an EFI-based computer will launch a boot loader only if it’s been cryptographically signed with a key whose counterpart is stored in the computer’s firmware. The goal is to make it harder for malware authors to take over a computer by inserting their programs early in the boot process. The problem from a Linux perspective is that use of Secure Boot requires the signing of a Linux boot loader with Microsoft’s key (since it’s the only one that’s guaranteed to be on most computers), the addition of a distribution-specific or locally generated key to the computer’s firmware, or disabling Secure Boot. To date, Fedora has announced that it will use its own new boot loader, in conjunction with a signed version of GRUB, to launch Fedora 18 on EFI-based computers; and Ubuntu has announced that it will work with computer manufacturers to add its own key to computers and use its own signed boot loader. In practice, though, you may need to disable Secure Boot or generate your own key to boot an arbitrary Linux distribution or a custom-built kernel.
Fixing a Damaged Boot Loader Installation
Linux systems sometimes become unbootable because the boot loader has been damaged. You can reinstall GRUB if you can manage to boot your system, but of course this is a catch-22. Most Linux distributions provide a way to resolve this problem by enabling you to boot the computer even if the on-disk boot loader isn’t working. Try booting the installation disc you used to install the OS and look for an option to boot a kernel from the hard disk. Once the system is booted, you can use grub-install to reinstall GRUB. Alternatively, the installation disc may provide a recovery option that will help to automatically or semi-automatically restore a broken system.
If your distribution’s install disc isn’t helpful, you can try Super GRUB Disk (http://www.supergrubdisk.org), which is a bootable disc image with a variety of options to locate and use the GRUB configuration file on your hard disk. If Super GRUB Disk can find your GRUB configuration file, you can boot using it and then re-install GRUB to your hard disk.
If all else fails, you may be able to use GRUB’s interactive features to locate and boot a kernel. Doing so, however, can be frustrating; a single typo can produce a failure to boot.
Understanding the Boot Process
Any time you modify the way your computer boots, the possibility exists that you won’t get the results you expect. In these cases, it’s useful to know where you can turn for more information about what is happening during startup. The reports you receive on a particular boot can better guide you once you understand something about what’s supposed to happen when a Linux system boots.
Extracting Information about the Boot Process
Certain Linux kernel and module log information is stored in what is called the kernel ring buffer. By default, Linux displays messages destined for the kernel ring buffer during the boot process—they’re those messages that scroll past too quickly to read. (Some distributions hide most or all of these messages unless you select a special option during the boot process.) You can inspect this information with this command:
# dmesg
This command generates a lot of output, so you may want to pipe it through the less pager or redirect it to a file. Here are some examples of these commands:
# dmesg | less
# dmesg > boot.messages
Many Linux distributions store the kernel ring buffer to /var/log/dmesg soon after the system boots. Because new information is logged to the kernel ring buffer as the system operates and because the kernel ring buffer’s size is finite, you may need to consult this log file to learn about the boot process once the system has been operating for a while. Also, because the kernel ring buffer is held in memory, its contents are cleared and generated anew with every boot of the computer.
Another source of logging information is the system logger (syslogd). The most useful syslogd file to look at is usually /var/log/messages, but /var/log/syslog and other log files in /var/log can also hold helpful information.
Some Linux distributions also log boot-time information to other files. Debian uses a daemon called bootlogd that, by default, logs any messages that go to /dev/console to the /var/log/boot file. Fedora and Red Hat use syslogd services to log information to /var/log/boot.log.
Locating and Interpreting Boot Messages
Boot messages in the kernel ring buffer or /var/log files can be cryptic to the uninitiated. Some tips can help you locate and interpret the information you find in these sources:
Use less and Its Search Functions
The less pager is a great tool for examining both the kernel ring buffer and log files. The search function (accessed by pressing the slash key, /) can help you look for particular strings.
Look for Hardware Type Names
Many boot messages, particularly in the kernel ring buffer, relate to hardware. Try searching for the name of the hardware type, such as SCSI or USB, if you’re having problems with these subsystems. Remember that Linux treats many disk devices as SCSI disks, too!
Look for Hardware Chipset Names
Linux drivers sometimes log messages along with their driver names, which are usually based on the chipset in question. If you know your hardware well enough to know the chipset name, search for it or for a subset of it. For instance, searching for 8169 may turn up messages related to a RealTek 8169 Ethernet interface. Similarly, you can search for higher-level kernel module names, such as reiserfs for messages from the ReiserFS filesystem driver.
Study the Output from a Working System
Familiarize yourself with the contents of the kernel ring buffer and log files on a working system. If you know what to expect when a system is functioning correctly, you’ll find it easier to identify problems when they occur.
Sometimes, a system won’t boot at all. In this case, kernel boot messages (which ordinarily go into the kernel ring buffer) are displayed on the screen, which can help you identify the cause of a failure. Many modern Linux distributions hide these messages by default, but you can sometimes reveal them by pressing the Esc key during the boot process. Once the kernel boot process has completed, other systems take over, and the last few messages displayed on the screen can also provide clues—for instance, if the last message displayed mentions starting a particular server, it’s possible that the server is hanging and interrupting the boot process. You may be able to disable the server by using a single-user boot mode and therefore bypass the problem.
The Boot Process
The process of taking an x86 computer from its initial state when the power is turned on to having a working operating system running is complex because of the way modern personal computers have evolved. The steps a computer goes through in order to boot an operating system are as follows:
1. The system is given power, and a special hardware circuit causes the CPU to look at a predetermined address and execute the code stored in that location. The firmware (BIOS or EFI) resides at this location, so the CPU runs the firmware.
2. The firmware performs some tasks. These include checking for hardware, configuring hardware, and looking for a boot loader.
3. When the boot loader takes over from the firmware, it loads a kernel or chainloads to another boot loader, as described earlier in this chapter.
4. Once the Linux kernel takes over, it performs tasks such as initializing devices, mounting the root partition, and finally loading and executing the initial program for your system. By default, this is the program /sbin/init.
5. The initial program gets the process ID (PID) of 1 because it’s the first program to run on the system. In a traditional Linux boot system, /sbin/init reads the /etc/inittab file to determine what other programs to run. On systems that use the newer Upstart or systemd startup systems, /sbin/init reads other configuration files.
How the init program and the initialization scripts work is covered next, in “Dealing with Runlevels and the Initialization Process.”
If you would like more details about this boot process, read http://www.linuxdevcenter.com/pub/a/linux/excerpts/linux_kernel/how_computer_boots.html. This page describes the process from the computer being powered up to the kernel being loaded and launching /sbin/init.
Dealing with Runlevels and the Initialization Process
Linux relies on runlevels to determine what features are available. Runlevels are numbered from 0 to 6, and each one is assigned a set of services that should be active. Upon booting, Linux enters a predetermined runlevel, which you can set. Knowing what these functions are, and how to manage runlevels, is important if you’re to control the Linux boot process and ongoing operations. To this end, you must understand the purpose of runlevels, be able to identify the services that are active in a runlevel, be able to adjust those services, be able to check your default and current runlevels, and be able to change the default and current runlevels.
The next few pages describe the traditional System V (SysV) initialization system. Upstart and systemd differ from this system, although they provide enough compatibility features that many of the tools and concepts described with respect to SysV also apply to these newer systems. Upstart and systemd provide their own additional tools, though.
Runlevel Functions
Earlier in this chapter, I described single-user mode. To get to this mode when booting Linux, you use the number 1, the letter S or s, or the word single as an option passed to the kernel by the boot loader. Single-user mode is simply an available runlevel for your system. The available runlevels on most systems are the numbers 0 through 6. The letters S and s are synonymous with runlevel 1 as far as many utilities are concerned.
Runlevels 0, 1, and 6 are reserved for special purposes; the remaining runlevels are available for whatever purpose you or your Linux distribution provider decide. Table 5.1 summarizes the conventional uses of the runlevels. Other assignments—and even runlevels outside the range of 0 to 6—are possible with some systems, but such configurations are rare. If you run into peculiar runlevel numbers, consult /etc/inittab—it defines them and often contains comments explaining the various runlevels.
TABLE 5.1 Runlevels and their purposes
Runlevel      Purpose
0             A transitional runlevel, meaning that it’s used to shift the computer from one state to another. Specifically, it shuts down the system. On modern hardware, the computer should completely power down. If not, you’re expected to either reboot the computer manually or power it off.
1, s, or S    Single-user mode. What services, if any, are started at this runlevel varies by distribution. It’s typically used for low-level system maintenance that may be impaired by normal system operation, such as resizing partitions.
2             On Debian and its derivatives, a full multi-user mode with X running and a graphical login. Most other distributions leave this runlevel undefined.
3             On Fedora, Mandriva, Red Hat, and most other distributions, a full multi-user mode with a console (non-graphical) login screen.
4             Usually undefined by default and therefore available for customization.
5             On Fedora, Mandriva, Red Hat, and most other distributions, the same behavior as runlevel 3 with the addition of having X run with an XDM (graphical) login.
6             Used to reboot the system. This runlevel is also a transitional runlevel. Your system is completely shut down, and then the computer reboots automatically.
Don’t configure your default runlevel to 0 or 6. If you do, your system will immediately shut down or reboot once it finishes powering up. Runlevel 1 could conceivably be used as a default, but chances are you’ll want to use 2, 3, or 5 as your default runlevel, depending on your distribution and use for the system.
As a general rule, distributions have been drifting toward Red Hat’s runlevel set; however, there are some exceptions and holdouts, such as Debian. Distributions that use newer startup systems generally don’t use runlevels natively, but they provide compatibility tools that make the computer appear to use runlevels for the benefit of scripts and programs that assume the use of runlevels.
Identifying the Services in a Runlevel
There are two main ways to affect what programs run when you enter a new SysV runlevel. The first is to add or delete entries in your /etc/inittab file. A typical /etc/inittab file contains many entries, and except for a couple of special cases, inspecting or changing the contents of this file is best left to experts. Once all the entries in /etc/inittab for your runlevel are executed, your boot process is complete, and you can log in.
The /etc/inittab file is one SysV feature that may not be used by newer startup systems, such as Upstart and systemd. Ubuntu 12.04, which uses Upstart, provides no /etc/inittab file at all. Fedora 17, which uses systemd, provides an /etc/inittab file that contains nothing but comments noting its obsolescence. OpenSUSE 12.1 is also based on systemd, and it provides an /etc/inittab file, but it’s no longer used in any meaningful way. Some other distributions, such as Debian, continue to use SysV, and the exam continues to emphasize SysV (including /etc/inittab).
Basics of the /etc/inittab File
Entries in /etc/inittab follow a simple format. Each line consists of four colon-delimited fields:
id:runlevels:action:process
Each of these fields has a specific meaning:
Identification Code
The id field consists of a sequence of one to four characters that identifies its function.
Applicable Runlevels
The runlevels field consists of a list of runlevels for which this entry applies. For instance, 345 means the entry is applicable to runlevels 3, 4, and 5.
Action to Be Taken
Specific codes in the action field tell init how to treat the process. For instance, wait tells init to start the process once when entering a runlevel and to wait for the process’s termination, and respawn tells init to restart the process whenever it terminates (which is great for login processes). Several other actions are available; consult the man page for inittab for details.
Process to Run
The process field is the process to run for this entry, including any options and arguments that are required.
The part of /etc/inittab that tells init how to handle each runlevel looks like this:
l0:0:wait:/etc/init.d/rc 0
l1:1:wait:/etc/init.d/rc 1
l2:2:wait:/etc/init.d/rc 2
l3:3:wait:/etc/init.d/rc 3
l4:4:wait:/etc/init.d/rc 4
l5:5:wait:/etc/init.d/rc 5
l6:6:wait:/etc/init.d/rc 6
These lines start with codes that begin with an l (a lowercase letter L, not a number 1) followed by the runlevel number—for instance, l0 for runlevel 0, l1 for runlevel 1, and so on. These lines specify scripts or programs that are to be run when the specified runlevel is entered. In the case of this example, all the scripts are the same (/etc/init.d/rc), but the script is passed the runlevel number as an argument. Some distributions call specific programs for certain runlevels, such as shutdown for runlevel 0.
The upcoming section “Checking and Changing Your Default Runlevel” describes how to tell init what runlevel to enter when the system boots.
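The four-field format described above can be read mechanically, which is useful when you want to review what init will start in a given runlevel. The following is an added example, not code from the book: the function names and the sample inittab text are constructed for illustration, and the check on the default runlevel applies the book's advice against defaults of 0 or 6.

```shell
#!/bin/sh
# Added example: read /etc/inittab-style text on stdin and report on it.
# The sample below is constructed for this example, not copied from a real system.

sample_inittab() {
cat <<'EOF'
# The default runlevel
id:2:initdefault:
si::sysinit:/etc/init.d/rcS
l0:0:wait:/etc/init.d/rc 0
l2:2:wait:/etc/init.d/rc 2
l3:3:wait:/etc/init.d/rc 3
l6:6:wait:/etc/init.d/rc 6
1:2345:respawn:/sbin/getty 38400 tty1
2:23:respawn:/sbin/getty 38400 tty2
EOF
}

# Print the runlevel named by the initdefault entry (prints nothing if absent).
inittab_default() {
    awk -F: '!/^[ \t]*#/ && $3 == "initdefault" { print $2; exit }'
}

# Succeed only if an initdefault entry exists and names runlevel 1 through 5.
# A default of 0 or 6 would shut down or reboot the machine at every boot.
inittab_default_ok() {
    rl=$(inittab_default)
    case "$rl" in
        [1-5]) return 0 ;;
        *)     return 1 ;;
    esac
}

# Print "id action process" for each entry whose runlevels field lists $1.
# Entries with an empty runlevels field (such as sysinit) are not listed.
inittab_entries_for() {
    awk -F: -v rl="$1" '
        /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
        NF < 4 { next }                    # not an id:runlevels:action:process line
        $3 == "initdefault" { next }       # handled by inittab_default
        index($2, rl) > 0 {
            proc = $4
            # The process field may itself contain colons; rejoin it.
            for (i = 5; i <= NF; i++) proc = proc ":" $i
            print $1, $3, proc
        }'
}

# Demonstration on the constructed sample.
echo "default runlevel: $(sample_inittab | inittab_default)"
echo "entries that apply to runlevel 3:"
sample_inittab | inittab_entries_for 3
```

On a SysV system you would feed it the real file, as in inittab_entries_for 3 < /etc/inittab.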
The SysV Startup Scripts
The /etc/init.d/rc or /etc/rc.d/rc script performs the crucial task of running all the scripts associated with the runlevel. The runlevel-specific scripts are stored in /etc/rc.d/rc?.d, /etc/init.d/rc?.d, /etc/rc?.d, or a similar location. (The precise location varies between distributions.) In all these cases, ? is the runlevel number. When entering a runlevel, rc passes the start parameter to all the scripts with names that begin with a capital S and passes the stop parameter to all the scripts with names that begin with a capital K. These SysV startup scripts start or stop services depending on the parameter they’re passed, so the naming of the scripts controls whether they’re started or stopped when a runlevel is entered. These scripts are also numbered, as in S10network and K35smb.
The rc program runs the scripts in numeric order. This feature enables distribution designers to control the order in which scripts run by giving them appropriate numbers. This control is important because some services depend on others. For instance, network servers must normally be started after the network is brought up.
In reality, the files in the SysV runlevel directories are symbolic links to the main scripts, which are typically stored in /etc/rc.d, /etc/init.d, or /etc/rc.d/init.d (again, the exact location depends on the distribution). These original SysV startup scripts have names that lack the leading S or K and number, as in smb instead of K35smb.
You can also start services by hand. Run them with the start option, as in /etc/init.d/smb start to start the smb (Samba) server. Other useful options are stop, restart, and status. Most scripts support all these options.
To determine which services are active in a runlevel, search the appropriate SysV startup script directory for scripts with filenames that begin with an S. Alternatively, you can use a runlevel management tool, as described next.
Distributions based on Upstart and systemd often provide startup scripts that are named and work much like on SysV-based computers; however, when the computer boots, it may use other startup methods, as described later, in “Using Alternative Boot Systems.” The SysV scripts are provided mainly for backward compatibility to help system administrators who are familiar with the SysV startup method and for the benefit of administrative scripts that might rely on SysV scripts. Fedora is notable in that it provides very few such compatibility scripts (at least as of Fedora 17); you may need to use native systemd methods rather than SysV if you use Fedora.
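To see what entering a runlevel would do without running anything, you can walk the runlevel directory the way rc does. This is an added example, not the book's or any distribution's rc script: it builds a throwaway directory tree (S10network and K35smb are the names used above; S55sshd and S99local are constructed), and it assumes the common rc behavior of handling the K links before the S links, which the text above does not state.

```shell
#!/bin/sh
# Added example: list the actions rc would take for one runlevel directory.

# Build a constructed init.d/rc3.d tree under a temporary directory and
# print its path. S99local deliberately points at a script that is missing.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/init.d" "$root/rc3.d"
    for svc in network smb sshd; do
        printf '#!/bin/sh\necho "$0 $1"\n' > "$root/init.d/$svc"
        chmod +x "$root/init.d/$svc"
    done
    ln -s ../init.d/network "$root/rc3.d/S10network"
    ln -s ../init.d/sshd    "$root/rc3.d/S55sshd"
    ln -s ../init.d/smb     "$root/rc3.d/K35smb"
    ln -s ../init.d/local   "$root/rc3.d/S99local"
    printf '%s\n' "$root"
}

# Print "link script action" for every K and S entry in directory $1.
# Assumption: K (stop) links are processed before S (start) links.
# Within each group the shell's sorted glob gives the numeric order,
# because the sequence numbers are two digits wide.
rc_plan() {
    dir=$1
    for prefix in K S; do
        case $prefix in
            K) action=stop ;;
            S) action=start ;;
        esac
        for link in "$dir"/"$prefix"[0-9][0-9]*; do
            # An unmatched glob stays literal; skip it.
            [ -e "$link" ] || [ -L "$link" ] || continue
            name=${link##*/}
            if [ -L "$link" ]; then
                target=$(readlink "$link")
                script=${target##*/}      # main script name, e.g. smb
            else
                script=$name              # a plain file rather than a link
            fi
            if [ -e "$link" ]; then
                printf '%s %s %s\n' "$name" "$script" "$action"
            else
                # The link exists but its target script does not.
                printf '%s %s broken-link\n' "$name" "$script"
            fi
        done
    done
}

# Demonstration on the constructed tree.
demo=$(make_demo_tree)
rc_plan "$demo/rc3.d"
rm -rf "$demo"
```

The lines ending in start are the services that are active in that runlevel; a broken-link line marks an entry whose main script has been removed.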
Managing Runlevel Services
The SysV startup scripts in the runlevel directories are symbolic links back to the original script. This is done so you don’t need to copy the same script into each runlevel directory. Instead, you can modify the original script without having to track down its copies in all the SysV runlevel directories. You can also modify which programs are active in a runlevel by editing the link filenames. Numerous utility programs are available to help you manage these links, such as chkconfig, update-rc.d, and rc-update. I describe the first of these tools because it’s supported on many distributions. If your distribution doesn’t support these tools, you should check distribution-centric documentation. These tools may provide impaired functionality on systems that don’t use SysV natively; you may need to locate Upstart- or systemd-specific tools instead.
To list the services and their applicable runlevels with chkconfig, use the --list option. The output looks something like this but is likely to be much longer:
# chkconfig --list
pcmcia        0:off  1:off  2:on   3:on   4:on   5:on   6:off
nfs-common    0:off  1:off  2:off  3:on   4:on   5:on   6:off
xprint        0:off  1:off  2:off  3:on   4:on   5:on   6:off
setserial     0:off  1:off  2:off  3:off  4:off  5:off  6:off
This output shows the status of the services in all seven runlevels. For instance, you can see that nfs-common is inactive in runlevels 0−2, active in runlevels 3−5, and inactive in runlevel 6.
If you’re interested in a specific service, you can specify its name:
# chkconfig --list nfs-common
nfs-common    0:off  1:off  2:off  3:on   4:on   5:on   6:off
To modify the runlevels in which a service runs, use a command like this:
# chkconfig --level 23 nfs-common on
The previous example is for Debian-based systems. On Red Hat and similar systems, you would probably want to target runlevels 3, 4, and 5 with something like --level 345 rather than --level 23.
You can set the script to be on (to activate it), off (to deactivate it), or reset (to set it to its default value).
If you’ve added a startup script to the main SysV startup script directory, you can have chkconfig register it and add appropriate start and stop links in the runlevel directories. When you do this, chkconfig inspects the script for special comments to indicate default runlevels. If these comments are in the file and you’re happy with the suggested levels, you can add it to these runlevels with a command like this:
# chkconfig --add nfs-common
This command adds the nfs-common script to those managed by chkconfig. You would, of course, change nfs-common to your script’s name. This approach may not work if the script lacks the necessary comment lines with runlevel sequence numbers for chkconfig’s benefit.
Checking Your Runlevel
Sometimes it’s necessary to check your current runlevel. Typically, you’ll do this prior to changing the runlevel or to check the status if something isn’t working correctly. Two different runlevel checks are possible: checking your default runlevel and checking your current runlevel.
Checking and Changing Your Default Runlevel
On a SysV-based system, you can determine your default runlevel by inspecting the /etc/inittab file with the less command or opening it in an editor. Alternatively, you may use the grep command to look for the line specifying the initdefault action. On a Debian system, you’ll see something like this:
# grep :initdefault: /etc/inittab
id:2:initdefault:
If grep returns nothing, chances are you’ve either mistyped the command or your computer is using Upstart, systemd, or some other initialization tool. On some systems, the second colon-delimited field will contain a 3, 5, or some value other than the 2 shown here.
You may notice that the id line doesn’t define a process to run. In the case of the initdefault action, the process field is ignored.
If you want to change the default runlevel for the next time you boot your system, edit the initdefault line in /etc/inittab and change the runlevel field to the value you want. If your system lacks an /etc/inittab file, create one that contains only an initdefault line that specifies the runlevel you want to enter by default.
If your system doesn’t use SysV, you’ll need to adjust the default runlevel in some other way, as described later in “Using Alternative Boot Systems.”
Determining Your Current Runlevel
If your system is up and running, you can determine your runlevel information with the runlevel command:
# runlevel
N 2
The first character is the previous runlevel. When the character is N, this means the system hasn’t switched runlevels since booting. It’s possible to switch to different runlevels on a running system with the init and telinit programs, as described next. The second character in the runlevel output is your current runlevel.
Both Upstart and systemd provide runlevel commands for compatibility with SysV. These alternatives don’t technically use runlevels, though, so the information is a sort of “translation” of what the startup system is using to SysV terms.
Changing Runlevels on a Running System
Sometimes you may want to change runlevels on a running system. You might do this to get more services, such as going from a console to a graphical login runlevel, or to shut down or reboot your computer. This can be accomplished with the init (or telinit), shutdown, halt, reboot, and poweroff commands.
Changing Runlevels with init or telinit
The init process is the first process run by the Linux kernel, but you can also use it to have the system reread the /etc/inittab file and implement changes it finds there or to change to a new runlevel. The simplest case is to have it change to the runlevel you specify. For instance, to change to runlevel 1 (the runlevel reserved for single-user or maintenance mode), you would type this command:
# init 1
To reboot the system, you can use init to change to runlevel 6 (the runlevel reserved for reboots):
# init 6
A variant of init is telinit. This program can take a runlevel number just like init to change to that runlevel, but it can also take the Q or q option to have the tool reread /etc/inittab and implement any changes it finds there. Thus, if you’ve made a change to the runlevel in /etc/inittab, you can immediately implement that change by typing telinit q.
The man pages for these commands indicate slightly different syntaxes; but telinit is sometimes a symbolic link to init, and in practice init responds just like telinit to the Q and q options.
The Upstart and systemd tools provide init and telinit commands that work much as they do on SysV-based computers.
Changing Runlevels with shutdown
Although you can shut down or reboot the computer with init, doing so has some problems. One issue is that it’s simply an unintuitive command for this action. Another is that changing runlevels with init causes an immediate change to the new runlevel. This may cause other users on your system some aggravation because they’ll be given no warning about the shutdown. Thus, it’s better to use the shutdown command in a multi-user environment when you want to reboot, shut down, or switch to single-user mode. This command supports extra options that make it friendlier in such environments.
The shutdown program sends a message to all users who are logged into your system and prevents other users from logging in during the process of changing runlevels. The shutdown command also lets you specify when to effect the runlevel change so that users have time to exit editors and safely stop other processes they may have running.
When the time to change runlevels is reached, shutdown signals the init process for you. In the simplest form, shutdown is invoked with a time argument like this:
# shutdown now
This changes the system to runlevel 1, the single-user or maintenance mode. The now parameter causes the change to occur immediately. Other possible time formats include hh:mm, for a time in 24-hour clock format (such as 6:00 for 6:00 a.m. or 13:30 for 1:30 p.m.), and +m for a time m minutes in the future.
You can add extra parameters to specify that you want to reboot or halt (that is, power off) the computer. Specifically, -r reboots the system, -H halts it (terminates operation but doesn’t power it off), and -P powers it off. The -h option may halt or power off the computer, but usually it powers it off. For instance, you can type shutdown -r +10 to reboot the system in 10 minutes.
To give people some warning about the impending shutdown, you can add a message to the end of the command:
# shutdown -h +15 "system going down for maintenance"
If you schedule a shutdown but then change your mind, you can use the -c option to cancel it:
# shutdown -c "never mind"
Upstart and systemd provide shutdown commands of their own that function like the shutdown command of SysV. You may want to check your computer’s man page for shutdown to verify that it works in the way described here; with development active in the realm of startup systems, you may find some surprises!
Changing Runlevels with the halt, reboot, and poweroff Commands
Three additional shortcut commands are halt, reboot, and poweroff. (In reality, reboot and poweroff are usually symbolic links to halt. This command behaves differently depending on the name with which it’s called.) As you might expect, these commands halt the system (shut it down without powering it off), reboot it, or shut it down and (on hardware that supports this feature) turn off the power, respectively. As with telinit and shutdown, these commands are available in SysV, Upstart, and systemd.
In Exercise 5.1, you’ll experiment with some of the methods of changing runlevels just described.
EXERCISE 5.1
Changing Runlevels
This exercise will demonstrate the effects of changing the runlevel in various ways on a working system. Be aware that some of the effects will be different from one system to another, depending on both the distribution and the system-specific configuration of the computer. Also, in the course of running this exercise, you’ll reboot the computer, so you shouldn’t do it on a system that anybody else is using. To manage your runlevels, follow these steps:
1. Log in as root, or acquire root privileges by using su or by using sudo with each of the following commands. Use a text-mode or remote login; some of the exercise activities will shut down X.
2. Type runlevel to learn your current runlevel. Recall that the first character returned refers to the previous runlevel (N denotes no previous runlevel; it hasn’t been changed since the system booted). The second output character is the current runlevel. This is likely to be 2 on Debian or Debian-derived systems and 3 or 5 on Red Hat or Red Hat−derived systems.
3. If your system reports it’s in runlevel 5, type telinit 3 to switch to runlevel 3. Chances are your X server will stop working. (Pressing Alt+F7 from a text-mode console will show a blank text-mode screen rather than the X display this keystroke would normally reveal.)
4. If your system initially reported a runlevel of 3, type telinit 5 to switch to runlevel 5. This will probably start X; however, if X is misconfigured, the screen is likely to blink two or three times and possibly display an error message. If X isn’t installed, nothing much will happen, aside from a display about a few services being stopped and started. If X starts, you can get back to your text-mode console by pressing Ctrl+Alt+F1.
5. If your system reported that it was in runlevel 2, you can try other runlevels, such as 3, 4, or 5; however, this isn’t likely to have much effect. You can temporarily start or stop X by typing /etc/init.d/gdm start or /etc/init.d/gdm stop. (You may need to change gdm to xdm, mdm, or kdm.)
6. Return to your original runlevel using telinit, as in telinit 5.
7. If your distribution uses /etc/inittab and sets the default runlevel to 5, edit that file and change the default runlevel by changing the number in the line that reads id:n:initdefault:. The number, n, is likely to be either 3 or 5; change it to the other value. (It’s wise to make a backup of /etc/inittab before editing it!) If your distribution doesn’t use /etc/inittab or sets a default runlevel of 2, don’t make any changes to this file, and skip ahead to step 11.
8. Reboot the computer by typing reboot now or shutdown -r now.
9. Log in as root again, and type runlevel to verify that you’re running in the runlevel you specified in step 7.
10. Edit /etc/inittab to restore it to its original state, or restore it from its backup.
11. Type telinit 6. This enters runlevel 6, which reboots the system. The computer should now be running as it was before you began this exercise.
Using Alternative Boot Systems

The preceding sections have described the traditional Linux boot and runlevel system, based on SysV scripts. In recent years, however, Linux developers have begun experimenting with several alternatives to SysV, and some of these have become popular. Two in particular, Upstart and systemd, are worth describing. Both include compatibility features to ease the transition from SysV, but they provide unique features of their own.
Configuring Upstart

Several modern Linux distributions, including recent versions of Ubuntu, now use an init process called Upstart (http://upstart.ubuntu.com) rather than the venerable SysV startup system. Broadly speaking, Upstart does the same job as the SysV scripts, but Upstart is designed to better handle today’s dynamically changing hotplug hardware, which can be connected to and disconnected from a computer while it’s still running. Upstart provides SysV compatibility features, so you should be familiar with the SysV methods described earlier; however, it also has its own unique scripts and differs in some important ways. In particular, Upstart does away with /etc/inittab, instead providing an integrated set of startup scripts that can, in principle, completely replace the SysV-style /etc/inittab and runlevel-specific startup scripts. Upstart scripts also support starting or stopping services based on a wider variety of actions than do SysV startup scripts; for instance, Upstart can launch a service whenever a particular hardware device is attached.
Using Upstart-Native Methods

A system that uses nothing but Upstart and its native scripts replaces both /etc/inittab and the runlevel-specific SysV startup script directories with scripts in the /etc/init directory. (This directory was called /etc/event.d on earlier versions of Upstart.) You may want to check the contents of this directory on your own Upstart-based system.
As I write, Upstart is under heavy development, and its configuration file format is subject to change. Thus, you may find differences from what is described in these pages.
To change the runlevels in which a particular service runs, you’ll have to edit its configuration file in a text editor. Locate the script (typically /etc/init/name.conf, where name is the name of the service), and load it into a text editor. Look for lines that include the text start on and stop on, as in the following example:

    start on (filesystem
              and started hal
              and tty-device-added KERNEL=tty7
              and (graphics-device-added or stopped udevtrigger))
    stop on runlevel [016]

Locate any runlevel specification and adjust it for your needs. For instance, you might change the preceding example’s stop on runlevel specification to read stop on runlevel [0126] to include runlevel 2 in the list of runlevels on which the service is to be stopped.

After you make such a change, you can use the start or stop command to immediately start or stop the service, as in stop gdm to shut down the gdm server. Before changing your runlevel (as described earlier, in “Changing Runlevels on a Running System”), you should type initctl reload to have Upstart reread its configuration files.
If you upgrade the package that provides the Upstart configuration script, you may need to reconfigure it.
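The stop on runlevel edit described above, scripted so that it is repeatable and keeps a backup. This is an added example, not code from the book or from the Upstart project; the function names and the temporary gdm.conf copy are assumptions, and the job text is constructed from the chapter's sample.

```shell
#!/bin/sh
# Added example: adjust the "stop on runlevel [...]" stanza of an Upstart job
# file. It works on a temporary copy; nothing under /etc/init is touched.

# Print the runlevels listed in the first "stop on runlevel [...]" line of $1.
upstart_stop_runlevels() {
    sed -n 's/^[[:space:]]*stop on runlevel \[\([0-9Ss]*\)].*/\1/p' "$1" | head -n 1
}

# Add runlevel $2 to the stop list of job file $1, keeping a .bak copy.
# Returns 0 when the level is (or already was) listed, non-zero on error.
upstart_add_stop_runlevel() {
    file=$1
    level=$2
    case $level in
        [0-6]) ;;
        *) echo "runlevel must be a single digit 0-6" >&2; return 2 ;;
    esac
    current=$(upstart_stop_runlevels "$file")
    [ -n "$current" ] || { echo "no 'stop on runlevel' line in $file" >&2; return 1; }
    case $current in
        *"$level"*) return 0 ;;   # already listed: leave the file alone
    esac
    # Merge and sort the digits so that [016] plus 2 becomes [0126].
    merged=$(printf '%s%s' "$current" "$level" | fold -w 1 | sort | tr -d '\n')
    cp -p "$file" "$file.bak" || return 1
    sed "s/^\([[:space:]]*stop on runlevel \)\[[0-9Ss]*]/\1[$merged]/" \
        "$file.bak" > "$file"
}

# Run the edit twice on a constructed job file to show that it is idempotent,
# then print the resulting runlevel list.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/gdm.conf" <<'EOF'
start on (filesystem
          and started hal
          and tty-device-added KERNEL=tty7
          and (graphics-device-added or stopped udevtrigger))
stop on runlevel [016]
EOF
    upstart_add_stop_runlevel "$tmp/gdm.conf" 2
    upstart_add_stop_runlevel "$tmp/gdm.conf" 2
    upstart_stop_runlevels "$tmp/gdm.conf"
    rm -rf "$tmp"
}

demo
```

On a real Upstart system the edited file would be the job's own file under /etc/init, followed by initctl reload as described above.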
Using SysV Compatibility Methods

Because the SysV startup script system has been so common for so long, a large number of software packages include SysV startup scripts. To accommodate such packages, Upstart provides a compatibility mode: It runs SysV startup scripts in the usual locations (/etc/rc.d/rc?.d, /etc/init.d/rc?.d, /etc/rc?.d, or a similar location). Thus, if you install a package that doesn’t yet include an Upstart configuration script, it should still launch in the usual way. Furthermore, if you’ve installed utilities such as chkconfig, you should be able to use them to manage your SysV-based services just as you would on a SysV-based system.

You may find, however, that chkconfig and other SysV-based tools no longer work for some services. As time goes on, this is likely to be true for more and more services, because the developers of distributions that favor Upstart may convert their packages’ startup scripts to use Upstart-native methods.
Using systemd

The systemd startup package (http://www.freedesktop.org/wiki/Software/systemd/) is a second major contender to replace SysV scripts. It’s intended to provide faster and more flexible startup compared to SysV scripts. This is accomplished by enabling parallel startup of services and startup of services based on external activation (as opposed to starting items linearly according to fixed runlevels).

Fedora 15 and newer, Mandriva 2011 and newer, and OpenSUSE 12.1 and newer all use systemd by default. Some other distributions, such as Debian and Gentoo, provide systemd as an option but don’t use it by default.

Most systemd configuration files reside in /etc/systemd and its subdirectories. The /etc/rc.conf file is also sometimes used, although it’s absent by default on Fedora 17 and OpenSUSE 12.1 installations. These configuration files consist of sections identified by names in brackets, followed by assignments of values to variables, as in the following:

    [Manager]
    LogLevel=info
    #LogTarget=syslog-or-kmsg
    LogColor=yes

A hash mark (#) identifies a comment; lines beginning with this symbol are ignored. Chances are you’ll find most lines in a default configuration are commented out in this way.

To control services on a systemd-based computer, either you can use SysV compatibility startup scripts (if provided) or you can use the systemctl utility. This tool takes a large number of options and commands, and you must also typically pass it a unit name, which is the name of a service upon which it acts. Table 5.2 summarizes the most important systemctl commands.
TABLE 5.2 systemctl commands

systemctl command name    Explanation
list-units                Displays the current status of all configured units.
start name                Starts the named unit.
stop name                 Stops the named unit.
reload name               Causes the named unit to reload its configuration file.
restart name              Causes the named unit to shut down and restart.
status name               Displays the status of the named unit. (You can pass a PID value rather than a name, if you like.)
enable name               Configures the unit to start when the computer next boots.
disable name              Configures the unit to not start when the computer next boots.
Table 5.2 is incomplete; systemctl is a very complex tool with numerous commands and options. You should consult its man page to learn more about it. The commands presented in Table 5.2 will help you get started, though; they will help you to perform some of the most common tasks you’ll want to do with it. As you can see, these commands provide the same basic features that SysV provides in its startup scripts and tools to manage them, such as chkconfig.

The systemctl unit names aren’t quite identical to the SysV startup script names. Typically, services have the string .service appended. For instance, if you wanted to halt the sendmail service, you would type

    # systemctl stop sendmail.service
Editing Files with Vi

Vi was the first full-screen text editor written for Unix. It’s designed to be small and simple. Vi is small enough to fit on tiny, floppy-based emergency boot systems. For this reason alone, Vi is worth learning; you may need to use it in an emergency recovery situation. Vi is, however, a bit strange, particularly if you’re used to GUI text editors. To use Vi, you should first understand the three modes in which it operates. Once you understand those modes, you can begin learning about the text-editing procedures Vi implements. You’ll also examine how to save files and exit Vi.
Most Linux distributions ship with a variant of Vi known as Vim, or “Vi Improved.” As the name implies, Vim supports more features than the original Vi does. The information presented here applies to both Vi and Vim. Most distributions that ship with Vim support launching it by typing vi, as if it were the original Vi.
Understanding Vi Modes

At any given moment, Vi is running in one of three modes:

Command Mode. This mode accepts commands, which are usually entered as single letters. For instance, i and a both enter insert mode, although in somewhat different ways, as described shortly, and o opens a line below the current one.

Ex Mode. To manipulate files (including saving your current file and running outside programs), you use ex mode. You enter ex mode from command mode by typing a colon (:), typically directly followed by the name of the ex-mode command you want to use. After you run the ex-mode command, Vi returns automatically to command mode.

Insert Mode. You enter text in insert mode. Most keystrokes result in text appearing on the screen. One important exception is the Esc key, which exits insert mode and returns to command mode.
If you’re not sure what mode Vi is in, press the Esc key. Doing so returns you to command mode, from which you can reenter insert mode, if necessary.
Unfortunately, terminology surrounding Vi modes is inconsistent at best. For instance, command mode is sometimes referred to as normal mode, and insert mode is sometimes called edit mode or entry mode. Ex mode often isn’t described as a mode at all but is referred to as colon commands.
Exploring Basic Text-Editing Procedures

As a method of learning Vi, consider the task of editing /etc/fstab to add a new disk to the computer. Listing 5.3 shows the original fstab file used in this example. If you want to follow along, enter it using a text editor with which you’re already familiar, and save it to a file on your disk. Alternatively, copy your own computer’s /etc/fstab file to a temporary location and make analogous changes to it.

Listing 5.3 Sample /etc/fstab file

    /dev/sda2  /         ext4    defaults         1 1
    /dev/sda1  /boot     ext4    defaults         1 2
    /dev/sda4  /home     ext4    defaults         1 2
    /dev/sda3  swap      swap    defaults         0 0
    tmpfs      /dev/shm  tmpfs   defaults         0 0
    devpts     /dev/pts  devpts  gid=5,mode=620   0 0
    sysfs      /sys      sysfs   defaults         0 0
    proc       /proc     proc    defaults         0 0
Don’t try editing your real /etc/fstab file as a learning exercise; a mistake could render your system unbootable! You might put your test fstab file in your home directory for this exercise.
The first step to using Vi is to launch it and have it load the file. In this example, type vi fstab while in the directory holding the file. The result should resemble Figure 5.3, which shows Vi running in an Xfce Terminal window. The tildes (~) down the left side of the display indicate the end of the file. (This feature is absent on some systems, though.) The bottom line shows the status of the last command—an implicit file-load command because you specified a filename when launching the program.

FIGURE 5.3 The last line of a Vi display is a status line that shows messages from the program.
You can add a new entry to fstab using Vi either by typing it in its entirety or by duplicating an existing line and then modifying one copy. To do it the first way, follow these steps:

1. Move the cursor to the beginning of the /dev/sda3 line by using the arrow keys.
2. Press the O (letter O, not number 0) key. This opens a new line immediately below the current line, moves the cursor to that line, and enters insert mode.

Although Vi’s commands may seem arcane, many of them are mnemonic in their own way—that is, they’re designed to be easily remembered, as in the letter O standing for open line.

3. Type a new entry, such as the following:

    /dev/sdb1  /home2  ext4  defaults  0 0

4. Press the Esc key to return to command mode.
To practice making changes by modifying an existing entry, follow these steps:

1. Move the cursor to the beginning of the /dev/sdb1 line you just created by using the arrow keys, if necessary; you should see the cursor resting on the first / of /dev/sdb1.

You can use the h, j, k, and l keys to move left, down, up, and right, respectively, if you prefer not to use the arrow keys.

2. You must now yank one line of text. This term is used much as copy is used in most text editors—you copy the text to a buffer from which you can later paste it back into the file. To yank text, you use the yy command, preceded by the number of lines you want to yank. Thus, type 1yy (do not press the Enter key, though). The dd command works much like yy, but it deletes the lines as well as copying them to a buffer. Both yy and dd are special cases of the y and d commands, respectively, which yank or delete text in amounts specified by the next character, as in dw to delete the next word.
3. Move the cursor to the line before the one where you want the new line to appear.
4. Type p (again, without pressing the Enter key). Vi pastes the contents of the buffer starting on the line after the cursor. The file should now have two identical /dev/sdb1 lines. The cursor should be resting at the start of the second one. If you want to paste the text into the document starting on the line before the cursor, use an uppercase P command.
5. Move the cursor to the 1 in /dev/sdb1 on the line you’ve just pasted. You’re about to begin customizing this line.
6. Until now, you’ve operated Vi in command mode. You can use any of several commands to enter insert mode. At this point, the most appropriate is R, which enters insert mode so that it’s configured for text replacement rather than insertion. If you prefer to insert text rather than overwrite it, you can use i or a (the latter advances the cursor one space, which is sometimes useful at the end of a line). For the purposes of these instructions, type R to enter insert mode. You should see --REPLACE-- appear in the status line.
7. Type 2 to change /dev/sdb1 to /dev/sdb2.
8. Use the arrow keys to move the cursor to the 2 in /home2. You must modify this mount point name.
9. Type 3 to change /home2 to /home3.

You can make more extensive changes to the fstab file, if you like, but be sure to work from a copy of the file!

10. Exit insert mode by pressing the Esc key.
11. Save the file and quit by typing :wq. This is an ex mode command, as described shortly. (The ZZ command is equivalent to :wq.)

Many additional commands are available that you may want to use in some situations. Here are some of the highlights:

Change Case. Suppose you need to change the case of a word in a file. Instead of entering insert mode and retyping the word, you can use the tilde (~) key in command mode to change the case. Position the cursor on the first character you want to change, and press ~ repeatedly until the task is done.

Undo. To undo any change, type u in command mode.

Open Text. In command mode, typing o (a lowercase letter O) opens text—that is, it inserts a new line immediately below the current one and enters insert mode on that line.

Search. To search forward for text in a file, type / in command mode, followed immediately by the text you want to locate. Typing ? searches backward rather than forward.

Change Text. The c command changes text from within command mode. You invoke it much like the d or y command, as in cw to change the next word or cc to change an entire line.

Go to a Line. The G key brings you to a line that you specify. The H key “homes” the cursor—that is, it moves the cursor to the top line of the screen. The L key brings the key to the bottom line of the screen.

Replace Globally. To replace all occurrences of one string with another, type :%s/original/replacement/g, where original is the original string and replacement is its replacement. Change % to a starting line number, comma, and ending line number to perform this change on a small range of lines.

Vi offers a great deal more depth than is presented here; the editor is quite capable, and some Linux users are very attached to it. Entire books have been written about Vi. Consult one of these, or a Vi Web page like http://www.vim.org, for more information.
Saving Changes

To save changes to a file, type :w from command mode. This enters ex mode and runs the w ex-mode command, which writes the file using whatever filename you specified when you launched Vi. Related commands enable other functions:

Edit a New File. The :e command edits a new file. For instance, :e /etc/inittab loads /etc/inittab for editing. Vi won’t load a new file unless the existing one has been saved since its last change or unless you follow :e with an exclamation mark (!).

Include an Existing File. The :r command includes the contents of an old file in an existing one.

Execute an External Command. The ex-mode command :! executes the external command that you specify. For instance, typing :!ls runs ls, enabling you to see what files are present in the current directory.

Quit. Use the :q command to quit the program. As with :e, this command won’t work unless changes have been saved or you append an exclamation mark to the command (as in :q!).

You can combine ex commands such as these to perform multiple actions in sequence. For instance, typing :wq writes changes and then quits from Vi. (ZZ is the equivalent of :wq.)
Summary
Although Linux distributions are designed to boot painlessly and reliably once installed, understanding the boot process will help you overcome problems and maintain your system. Most Linux systems employ a boot loader known as GRUB (either GRUB Legacy or GRUB 2). These programs both fit themselves into the standard BIOS boot system, enabling the computer to load the Linux kernel. GRUB 2, and some patched versions of GRUB Legacy, also work on EFI-based computers. The kernel then runs the init program, which in turn reads various configuration files to boot all the services that make a running Linux system.

Modifying your GRUB configuration enables you to boot different Linux kernels or non-Linux OSs. You can also pass new boot options to Linux. Once the system is booted, you can use the dmesg command or log files to study the boot process in order to verify that it went correctly or to find clues as to why it didn’t.

You can use the Vi editor to edit your GRUB configuration file, your system initialization scripts and configuration files, or any other plain-text file on your computer. Although Vi is old-fashioned in many ways, it’s small and fits on emergency disk systems. Every administrator should be familiar with Vi, even if it’s not your editor of choice for day-to-day operations.
Exam Essentials

Describe how GRUB Legacy is configured and used. GRUB Legacy uses the menu.lst or grub.conf configuration file in /boot/grub. This file contains global and per-image options. Use the grub-install program to install the boot loader. When GRUB boots, it presents a menu of OS options that you select using the keyboard arrow keys.

Describe how GRUB 2 is configured and used. GRUB 2 uses the /boot/grub/grub.cfg configuration file; however, system administrators are discouraged from editing it directly. Instead, they should rely on automatic configuration scripts and set system-specific defaults in /etc/defaults/grub and the files in /etc/grub.d. As with GRUB Legacy, you can install GRUB 2 using the grub-install program.

Describe the boot process. The CPU runs the firmware, the firmware loads and runs a boot loader, the boot loader loads and runs secondary boot loaders (if needed) and the Linux kernel, the Linux kernel loads and runs the initial system program (init), and init starts the rest of the system services via startup scripts that are specific to the startup system (SysV, Upstart, systemd, or something more exotic). BIOS-based computers look for boot loaders in various boot sectors, including the MBR of a hard drive or the boot sector of a disk partition or floppy disk. EFI-based computers look for boot loaders in files on the ESP.

Summarize where to look for boot-time log information. The dmesg command prints out logs from the kernel ring buffer, which holds boot-time and other kernel messages. Other useful log information can be found in /var/log/messages and other files in /var/log.

Summarize the role of /sbin/init. The init program is responsible for starting many programs and services on your Linux operating system. This is done by running processes that are listed in /etc/inittab, including an rc script that runs the SysV initialization scripts.

Explain how runlevels are configured. The default runlevel is specified with a line like id:2:initdefault: in the /etc/inittab file. Use commands such as chkconfig, update-rc.d, ntsysv, and systemctl to change which services are started when switching to specific runlevels. Runlevels 0, 1, and 6 are reserved for shutdown, single-user mode, and rebooting, respectively. Runlevels 3, 4, and 5 are the common user runlevels on Red Hat and most other distributions, and runlevel 2 is the usual user runlevel on Debian systems.

Describe how to change runlevels. The programs init and telinit can be used to change to other runlevels. shutdown, halt, poweroff, and reboot are also useful when shutting down, rebooting, or switching to single-user mode.

Describe Vi’s three editing modes. You enter text using insert mode, which supports text entry and deletion. The command and ex modes are used to perform more complex commands or to run outside programs to operate on the text entered or changed in insert mode.
Review Questions

1. Where might the BIOS find a boot loader?
A. RAM
B. /dev/boot
C. MBR
D. /dev/kmem
E. The swap partition

2. You want to boot a Linux system into single-user mode. What option might you add to a Linux kernel’s options list at a boot loader to accomplish this task?
A. one
B. single-user
C. 1
D. telinit 6
E. telinit 1

3. After booting, one of your hard disks doesn’t respond. What might you do to find out what’s gone wrong?
A. Check the /var/log/diskerror log file to see what’s wrong.
B. Verify that the disk is listed in /mnt/disks.
C. Check the contents of /etc/inittab to be sure it’s mounting the disk.
D. Type dmesg | less, and peruse the output for disk-related messages.
E. Check the menu.lst, grub.conf, or grub.cfg configuration file.

4. What is the first program that the Linux kernel runs once it’s booted in a normal boot process?
A. dmesg
B. init
C. startup
D. rc
E. lilo

5. Which of the following is the GRUB 2 boot loader configuration file?
A. /dev/grub
B. The MBR
C. /boot/grub/grub.conf
D. /boot/grub/grub.cfg
E. /boot/grub/menu.lst

6. How might you identify an initial RAM disk file in GRUB 2?
A. initrd /boot/initrd-3.4.2
B. initrd=/boot/initrd-3.4.2
C. initramfs /boot/initrd-3.4.2
D. initramfs=/boot/initrd-3.4.2
E. ramdisk=/boot/initrd-3.4.2

7. Which command is used to install GRUB Legacy into the MBR of your first SATA hard drive?
A. grub (hd0,1)
B. grub-install /dev/sda1
C. lilo /dev/sda
D. grub-install /dev/sda
E. grub-legacy /dev/sda1

8. The string root (hd1,5) appears in your /boot/grub/menu.lst file. What does this mean?
A. GRUB Legacy tells the kernel that the kernel’s root partition is the fifth partition of the first disk.
B. GRUB Legacy looks for files on the sixth partition of the second disk.
C. GRUB Legacy looks for files on the fifth partition of the first disk.
D. GRUB Legacy installs itself in /dev/hd1,5.
E. GRUB Legacy installs itself in /dev/sdb5.

9. What line in /etc/inittab would indicate that your default runlevel is 5?
A. ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now
B. id:5:initdefault:
C. si:5:sysinit:/etc/init.d/rcS
D. l5:5:wait:/etc/init.d/rc 5
E. 1:2345:respawn:/sbin/getty 38400 tty1

10. Which runlevels are reserved by init for reboot, shutdown, and single-user mode purposes? (Select three.)
A. 0
B. 1
C. 2
D. 5
E. 6

11. You type the following command:

    $ runlevel
    5 3

What can you tell about your runlevel status? (Select two.)
A. The current runlevel is 5.
B. The current runlevel is 3.
C. The previous runlevel is 5.
D. The previous runlevel is 3.
E. The runlevel is in the process of changing.

12. A system administrator types the following command:

    # shutdown -c

What is the effect of this command?
A. A previously scheduled shutdown is cancelled.
B. The system shuts down and reboots immediately.
C. The system shuts down and halts immediately.
D. The system asks for confirmation and then shuts down.
E. The system closes all open windows in X without shutting down.

13. Which of the following commands may not be used instead of shutdown in certain circumstances (with appropriate options added to one or the other command)?
A. reboot
B. halt
C. poweroff
D. telinit
E. takedown

14. You want to change to single-user mode on a running system. What command might you use to do this?
A. runlevel 1
B. telinit 1
C. shutdown -1
D. single-user
E. halt to 1

15. What does runlevel 4 do?
A. It reboots the computer.
B. It starts a multi-user system without X running.
C. It starts a multi-user system with X and an X-based login running.
D. It starts the computer into single-user mode.
E. Its purpose isn’t standardized, so it can be used for anything you like.

16. How would you remove two lines of text from a file using Vi?
A. In command mode, position the cursor on the first line, and type 2dd.
B. In command mode, position the cursor on the last line, and type 2yy.
C. In insert mode, position the cursor at the start of the first line, hold down the Shift key while pressing the Down arrow key twice, and press the Delete key on the keyboard.
D. In insert mode, position the cursor at the start of the first line, and press Ctrl+K twice.
E. Using your mouse, select both lines, and then press the Delete or Backspace key.

17. In Vi’s command mode, you type :q!. What is the effect?
A. Nothing; this isn’t a valid Vi command.
B. The text :q! is inserted into the file you’re editing.
C. The program terminates and saves any existing files that are in memory.
D. The program terminates without saving your work.
E. An exclamation point (!) overwrites the character under the cursor in the text.

18. What is an advantage of Vi over Emacs?
A. Vi is X-based and so is easier to use than Emacs.
B. Vi encodes text in EBCDIC, which is more flexible than Emacs’ ASCII.
C. Vi’s mode-based operations permit it to handle non-English languages.
D. Vi includes a built-in Web browser and email client; Emacs doesn’t.
E. Vi is smaller and so can fit on compact emergency systems and embedded devices.

19. From Vi’s command mode, you want to enter insert mode. How might you do this? (Select three.)
A. Type R.
B. Type i.
C. Type a.
D. Type :.
E. Press Esc.

20. How do you exit Vi’s insert mode in order to type command-mode commands?
A. Press the ~ key.
B. Press the Esc key.
C. Type Ctrl+X followed by Ctrl+C.
D. Press the F10 key.
E. Press the Shift+Insert key combination.
Chapter 6

Configuring the X Window System, Localization, and Printing

THE FOLLOWING EXAM OBJECTIVES ARE COVERED IN THIS CHAPTER:

1.106.1 Install and configure X11
1.106.2 Set up a display manager
1.106.3 Accessibility
1.107.3 Localization and internationalization
1.108.4 Manage printers and printing
Major modern desktop OSs all provide some form of graphical user interface (GUI), which provides the windows, menus, dialog boxes, flexible fonts, and so on, with which you’re probably familiar. In Linux, the main GUI is known as the X Window System (or X for short). X configuration is either very easy or moderately hard; most distributions today provide auto-detection and easy configuration options during installation, and these usually work correctly. When they don’t or when you want to tweak the configuration, you must delve into the X configuration file or use a GUI X configuration tool. Doing either requires that you know how X treats the video hardware, among other things.

Beyond basic X configuration are a few extra topics. These include fonts, GUI login tools, user desktop environments, using X for remote access, and localization. Each of these topics is closely associated with basic X configuration, but they all go beyond it in one way or another, extending X’s capabilities or providing more features for users, as described in this chapter.

The X display can be considered one form of output. Another is printing, and this chapter covers that topic, as well. With a properly configured printer, you can obtain hard copies of the documents you create and edit using both X and text-based applications.
Configuring Basic X Features

Basic X configuration specifies features such as the mouse used, the keyboard layout, the screen resolution, the video refresh rate, the display color depth, and the video card you’re using. Some of these options require telling X about what hardware you have installed, whereas others enable you to adjust settings on your hardware. In any event, before you proceed with actual configuration you should know something about the X servers that are available for Linux, because your selection will determine what additional tools are available and what files you may need to adjust manually. GUI and text-mode configuration utilities can help you configure X; but sometimes you must delve into the configuration files, so knowing their format is important. This requires that you know what the major option groups do so you can adjust them.
X Server Options for Linux

Although X is by far the dominant GUI for Linux, several implementations of X are available:

XFree86. The dominant X server in Linux until 2004 was XFree86 (http://www.xfree86.org). This open source server supports a wide array of video cards and input devices, and most Linux software was originally designed with XFree86 in mind. As I write, the most recent version is 4.8.0. Significant changes occurred between 3.3.6 and the 4.x series, and some older utilities work only with the 3.3.6 and earlier versions of XFree86. Although a tiny number of elderly systems must run XFree86 3.3.6 or earlier for driver support reasons, most systems today run XFree86 4.x or X.org-X11; the latter is more common on distributions released since 2004.

X.org-X11. In 2004, most Linux distributions shifted from XFree86 to X.org-X11 because of licensing changes to XFree86. X.org-X11 6.7.0 was based on XFree86 4.3.99, but it’s developed independently up to the current version, 7.7. Because X.org-X11 is based on XFree86, the two are virtually identical in most important respects. One significant difference is the name of the configuration file; another is the default location for fonts. Subsequent sections of this chapter point out these differences. You can learn more at http://www.x.org/wiki/.

Accelerated-X. The commercial Accelerated-X server from Xi Graphics (http://www.xig.com) is an alternative to the open source XFree86 and X.org-X11. In practice, running Accelerated-X is seldom necessary, but if you have problems getting your video card working, you may want to look into Accelerated-X; its driver base is independent of the more popular open source choices, so it’s possible you’ll have better luck with it. The Accelerated-X configuration tools and files are completely different from those described in “Methods of Configuring X” and “X Configuration Options,” so you’ll need to consult its documentation for help. The rest of this chapter’s topics still apply to Accelerated-X.

In practice, it’s usually easiest to stick with whatever X server your distribution provides. For modern distributions, this is most often X.org-X11. For a handful of elderly video cards, you may need to run the equally elderly XFree86 3.3.6 rather than a more recent version.
Using Manufacturer-Provided Video Drivers

One of X’s functions is to provide drivers that control the video card. XFree86, X.org-X11, and Accelerated-X all ship with a wide variety of drivers that support most video cards. Some cards, though, have weak support in the stock packages. Other cards are supported by the standard drivers, but those drivers don’t support all of the video device’s features. XFree86 4.x and X.org-X11 both support a modular driver architecture, which means you can drop in a driver module for your card and use it with minimal changes to your X configuration. Both AMD (formerly ATI) and nVidia provide Linux video card drivers designed to work with XFree86 and X.org-X11. (Both X servers can use the same drivers.) Thus, if you have problems with the standard X video drivers, you may want to check with your video card manufacturer and the video card chipset manufacturers for Linux drivers.

Installing and using the manufacturer-provided video drivers is usually a matter of extracting files from a tarball and running an installation script. Consult the documentation that comes with the driver for details. Many of these drivers are particularly helpful for enabling 3D acceleration features of modern cards. These features were first used by games but are increasingly being used by desktop environments and other non-game software.

One problem with manufacturer-supplied drivers is that they’re often proprietary. You might not have source code, which means the drivers might not work on more exotic CPUs, and the drivers could cease working with a future upgrade to your X server. The AMD and nVidia drivers also both include Linux kernel drivers as a necessary component, so you’ll need to reinstall the drivers if you upgrade your kernel.
Methods of Configuring X

Configuring X has traditionally been a difficult process because the X configuration file includes many arcane options. The task is made simpler if you can use a configuration utility, and most Linux distributions now run such a utility as part of the installation process. If the configuration utility doesn’t do everything you want it to do, though, you may need to delve into the X configuration file to set options manually, so knowing something about its format will help a lot. You must also know how to go about restarting X in order to test your changes.
The upcoming section “X Configuration Options” describes in more detail the major X features and how to control them.
X Configuration Utilities

Several configuration tools for XFree86 4.x and X.org-X11 are available:

The X Server Itself. The X server itself includes the capacity to query the hardware and produce a configuration file. To do this, type XFree86 -configure (for XFree86) or Xorg -configure (for X.org-X11) as root when no X server is running. The result should be a file called /root/XF86Config.new (for XFree86) or /root/xorg.conf.new (for X.org-X11). This file may not produce optimal results, but it’s at least a starting point for manual modifications.

Distribution-Specific Tools. Many modern distributions ship with their own custom X configuration tools. These include Red Hat’s (and Fedora’s) Display Settings tool (accessible from the default desktop menu or by typing system-config-display in an xterm) and SUSE’s YaST and YaST2. These tools frequently resemble the distribution’s install-time X configuration tools, which can vary substantially.

xf86cfg or xorgcfg. This utility is named differently for XFree86 vs. X.org-X11. It’s deprecated, meaning it’s no longer supported; but if it’s present on your system, it can help you tweak settings once X is at least partially running.

All of these utilities gather the same type of information needed to manually configure X. Your best bet for understanding these tools and what they want is to understand the underlying X configuration file’s format and contents.
If you’re using the old XFree86 3.3.6, the tools just described don’t work. Instead, you’ll need to use a tool such as xf86config, Xconfigurator, or XF86Setup; or you can configure X manually. Because so few systems today use anything as old as XFree86 3.3.6, I don’t describe these tools in this book.
The X Configuration File Format

The X configuration file’s name and location vary with the version of X being run:

X.org-X11. This server’s configuration file is called xorg.conf, and it’s usually stored in /etc/X11, although /etc and several other locations are also acceptable to the server.
Many modern X.org-X11 configurations omit the X configuration file entirely, instead relying on run-time auto-detection of hardware. This often works fine, but if X doesn’t work or if some of its features are set incorrectly, you may need to generate an xorg.conf file by typing Xorg -configure when X is not running and edit the file manually, as described in subsequent sections.
XFree86 4.x. The XFree86 4.x configuration file is called XF86Config-4 or XF86Config, which is found in /etc/X11 or sometimes in /etc. This file’s format is the same as for the X.org-X11 configuration file.

XFree86 3.3.6 and earlier. The X configuration file’s name is XF86Config, and the file is most commonly located in /etc/X11 or /etc. Although the filename can be the same as for XFree86 4.x, the file format is slightly different. This book, like the exam, covers the newer format used by X.org-X11 and XFree86 4.x.

All three of these classes of X server use configuration files that are broken down into multi-line sections, one section for each major feature. These sections begin with a line consisting of the keyword Section and the section name in quotes and end with the keyword EndSection:

    Section "InputDevice"
        Identifier "Keyboard0"
        Driver "kbd"
        Option "XkbModel" "pc105"
        Option "XkbLayout" "us"
        Option "AutoRepeat" "500 200"
    EndSection

This section tells X about the keyboard—its model, layout, and so on. Details for the sections you’re most likely to need to adjust are described shortly, in “X Configuration Options.”

For the most part, the different X servers support the same sections and most of the same option names. A few exceptions to this rule do exist, though:

The Option keyword isn’t used in XFree86 3.3.6 and earlier. Instead, the option name (such as XkbLayout or AutoRepeat in the preceding example) appears without quotes as the first word on the line.

XFree86 3.3.6 and earlier don’t use the ServerLayout section, described later in “Putting It All Together.”

XFree86 3.3.6 and earlier lack the Identifier and Driver lines, which are common in the XFree86 4.x and X.org-X11 configuration files.

Some section-specific features vary between versions. I describe the most important of these in the coming pages.
The X Configure-and-Test Cycle

If your X configuration isn’t working correctly, you need to be able to modify that configuration and then test it. Many Linux distributions configure the system to start X automatically; but starting X automatically can make it difficult to test the X configuration. To a new Linux administrator, the only obvious way to test a new configuration is to reboot the computer.

A better solution is to kick the system into a mode in which X is not started automatically. On Red Hat, Fedora, and similar distributions, this goal can be achieved by typing telinit 3. This action sets the computer to use runlevel 3, in which X normally doesn’t run. Chapter 5, “Booting Linux and Editing Files,” covers runlevels in more detail.

Some distributions, such as Debian, Ubuntu, and Gentoo, don’t use runlevels as a signal for whether to start X. With such distributions, you must shut down the GUI login server by typing /etc/init.d/xdm stop. (You may need to change xdm to gdm, kdm, mdm, or lightdm, depending on your configuration.)

Once the X session is shut down, you can log in using a text-mode login prompt and tweak your X settings manually, or you can use text-based X configuration programs. You can then type startx to start the X server again. If you get the desired results, quit from X (typically by selecting a “log out” option in your desktop environment) and type telinit 5 (/etc/init.d/xdm start in Debian and other distributions that don’t use runlevels to start the GUI login prompt) to restore the system to its normal X login screen. If after typing startx you don’t get the results you want, you can end your X session and try modifying the system some more.

If X is working minimally but you want to modify it using X-based configuration tools, you can do so after typing startx to get a normal X session running. Alternatively, you can reconfigure the system before taking it out of the X-enabled runlevel.

Another approach to restarting X is to leave the system in its X-enabled runlevel and then kill the X server. The Ctrl+Alt+Backspace keystroke does this on many systems, or you can do it manually with the kill command after finding the appropriate process ID with the ps command, as shown here:

# ps ax | grep X
1375 ? S 6:32 /usr/bin/X -auth /var/gdm/:0.Xauth
# kill 1375

This approach works better on systems that don’t map the running of X to specific runlevels, such as Debian and its derivatives.
X Configuration Options

When editing the X configuration file, the best approach is usually to identify the feature that’s not working and zero in on the section that controls this feature. You can then edit that section, save your changes, and test the new configuration. In XFree86 4.x and X.org-X11, the major sections described here are called Module, InputDevice, Monitor, Device, Screen, and ServerLayout. You’re likely to have two InputDevice sections, one for the keyboard and one for the mouse. (In XFree86 3.3.6 and earlier, the mouse is handled by a separate Pointer section.) The section order doesn’t matter.

Fonts are a complex enough topic that they’re described in more detail later, in “Configuring X Fonts.” Part of this configuration is handled in the Files section.
Loading Modules

The Module section controls the loading of X server modules—drivers for specific features or hardware. A typical example looks like this:

Section "Module"
    Load "dbe"
    Load "extmod"
    Load "fbdevhw"
    Load "glx"
    Load "record"
    Load "freetype"
    Load "type1"
    Load "dri"
EndSection

Each module is named (dbe, extmod, and so on) and is loaded by name using the Load option. Most of these module names can be deciphered with a bit of knowledge about the features they control. For instance, freetype and type1 handle TrueType and Adobe Type 1 font rendering, respectively. If you’re perusing your Module section and see modules you don’t understand, you shouldn’t worry about it; generally speaking, modules that are configured automatically are necessary for normal operation, or at least they do no harm.

For the most part, if an X configuration works, you shouldn’t try to adjust the Module section, even if you want to tweak the X configuration. Sometimes, though, you’ll need to add lines to or remove lines from this section. This is particularly likely to be necessary if you’re activating 3D acceleration support or some sort of exotic feature. In such cases, you should consult the documentation for the feature you want to activate.
Setting the Keyboard

The keyboard is one of two common input devices configured via an InputDevice section:

Section "InputDevice"
    Identifier "Keyboard0"
    Driver "kbd"
    Option "XkbModel" "pc105"
    Option "XkbLayout" "us"
    Option "AutoRepeat" "500 200"
EndSection

The Identifier line provides a label that’s used by another section (ServerLayout, described in “Putting It All Together”). The string given on this line is arbitrary, but for a keyboard, a descriptive name such as this example’s Keyboard0 will help you understand the file.

The Driver line tells X what driver to use to access the keyboard. This should be kbd, Keyboard, or evdev, depending on your X server. The kbd and Keyboard drivers are, as you might expect, keyboard-specific drivers. The evdev driver, by contrast, is a generic input device driver that works with many types of input devices. Unless your keyboard isn’t working at all, you shouldn’t adjust this line.

The Option lines set various options that adjust keyboard features, such as the model, the layout, and the repeat rate. For the most part, the defaults work well; however, you may want to change the AutoRepeat option or add it if it’s not present. This option tells X when to begin repeating characters when you hold down a key and how often to repeat them. It takes two numbers as values, enclosed in quotes: the time until the first repeat and the time between subsequent repeats, both expressed in milliseconds (ms). In the preceding example, the system waits 500ms (half a second) for the first repeat and then 200ms for each subsequent repeat (that is, five repeats per second).

Many desktop environments and other user-level utilities provide tools to set the keyboard repeat rate. Thus, the options you set in the X configuration file are used as defaults only and may be overridden by users’ settings.
Setting the Mouse

A second InputDevice section controls how X treats the mouse:

Section "InputDevice"
    Identifier "Mouse0"
    Driver "mouse"
    Option "Protocol" "IMPS/2"
    Option "Device" "/dev/input/mice"
    Option "Emulate3Buttons" "no"
    Option "ZAxisMapping" "4 5"
EndSection

As with the keyboard, the Identifier line is used in the ServerLayout section to tell X which input device to use. The Driver line identifies the driver to use: mouse. (Many modern systems use evdev for the mouse.) The Option lines set mouse control options. The most important of these are Device and Protocol.

The Device line tells X what Linux device file to read to access the mouse. In this example, it’s /dev/input/mice, but other possibilities include /dev/mouse (a pointer to the real mouse device, whatever its name), /dev/psaux (for the PS/2 mouse port), /dev/usb/usbmouse (an old identifier for USB mice), /dev/ttyS0 (the first RS-232 serial port mouse), and /dev/ttyS1 (the second RS-232 serial port mouse). If your mouse is working at all (even if its motions are erratic), don’t change this line. If your mouse isn’t working, you may need to experiment.

The Protocol option tells X what signals to expect from the mouse for various movements and button presses. The Auto protocol causes X to try to guess the mouse’s protocol, which usually works correctly. If it doesn’t work, you can try more specific protocols, such as IMPS/2 and ExplorerPS/2, which are very similar in practice. (Note that “PS/2” is both a hardware interface and a software protocol; many USB mice use the PS/2 mouse protocol even though they don’t use the PS/2 mouse port.) If your mouse has a scroll wheel, chances are you should use one of these protocols. If your mouse is older, you may need to try an older protocol, such as PS/2, Microsoft, or Logitech.

Additional options are usually less critical than the Device and Protocol options. The Emulate3Buttons option tells X whether to treat a chord (that is, a simultaneous press) of both buttons on a two-button mouse as if it were a middle-button press. This option is usually disabled on three-button mice and scroll mice (the scroll wheel does double duty as a middle mouse button). The ZAxisMapping option in the preceding example maps the scroll wheel actions to the fourth and fifth buttons, because X must treat scroll wheels as if they were buttons. When you scroll up or down, these “button” presses are generated. Software can detect this and take appropriate actions.
Setting the Monitor

Some of the trickiest aspects of X configuration relate to the monitor options. You set these in the Monitor section, which can sometimes be quite large. A modest Monitor section looks like this:

Section "Monitor"
    Identifier "Monitor0"
    ModelName "AOC e2343Fk"
    HorizSync 30.0 - 83.0
    VertRefresh 55.0 - 75.0
    # My custom 1920x1080 mode
    Modeline "1920x1080" 138.50 1920 1968 2000 2080 1080 1083 1088 1111
EndSection

As in the keyboard and mouse configurations, the Identifier option is a free-form string that contains information that’s used to identify a monitor. The Identifier can be just about anything you like. Likewise, the ModelName option can be anything you like; it’s used mainly for your own edification when reviewing the configuration file.

As you continue down the section, you’ll see the HorizSync and VertRefresh lines, which are extremely critical; they define the range of horizontal and vertical refresh rates that the monitor can accept, in kilohertz (kHz) and hertz (Hz), respectively. Together, these values determine the monitor’s maximum resolution and refresh rate. Despite the name, the HorizSync item alone doesn’t determine the maximum horizontal refresh rate. Rather, this value, the VertRefresh value, and the resolution determine the monitor’s maximum refresh rate. X selects the maximum refresh rate that the monitor will support given the resolution you specify in other sections.

Some X configuration utilities show a list of monitor models or resolution and refresh rate combinations (such as “1024 × 768 at 72Hz”). You select an option, and the utility then computes the correct values based on that selection. This approach is often simpler to handle, but it’s less precise than entering the exact horizontal and vertical sync values. You should enter these values from your monitor’s manual.

Don’t set random horizontal and vertical refresh rates; on older hardware, setting these values too high can damage a monitor. (Modern monitors ignore signals presented at too high a refresh rate.)

To settle on a resolution, X looks through a series of mode lines, which are specified via the Modeline option. Computing mode lines is tricky, so I don’t recommend you try it unless you’re skilled in such matters. The mode lines define combinations of horizontal and vertical timing that can produce a given resolution and refresh rate. For instance, a particular mode line might define a 1024 × 768 display at a 90Hz refresh rate, and another might represent 1024 × 768 at 72Hz.

Some mode lines represent video modes that are outside the horizontal or vertical sync ranges of a monitor. X can compute these cases and discard the video modes that a monitor can’t support. If asked to produce a given resolution, X searches all the mode lines that accomplish the job, discards those that the monitor can’t handle, and uses the remaining mode line that creates the highest refresh rate at that resolution. (If no mode line supports the requested resolution, X drops down to another specified resolution, as described shortly, and tries again.)

Although you can include an arbitrary number of Modeline entries in your Monitor section, most such files lack these entries. The reason is that XFree86 4.x and X.org-X11 support a feature known as Data Display Channel (DDC). This is a protocol that enables monitors to communicate their maximum horizontal and vertical refresh rates and appropriate mode lines to the computer. You may need to create a Modeline if this feature fails, though. Try performing a Web search on the keywords modeline (or mode line) and your desired video resolution; or try the XFree86 Modeline Generator Web site (http://xtiming.sourceforge.net/cgi-bin/xtiming.pl), which can generate a Modeline for any resolution and refresh rate you specify.
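The discard-and-select step described above can be worked through by hand: a mode line's horizontal frequency is its pixel clock divided by the total horizontal pixel count, and its refresh rate is the pixel clock divided by the total pixels per frame. The following Python sketch is an added example, not code from this book or from X; its function names are hypothetical, the two 1024x768 Modeline entries are constructed for the demonstration, and Interlace/DoubleScan flags are ignored.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample: the Monitor section from the text, plus two
# constructed 1024x768 mode lines (about 85Hz and 60Hz).
MONITOR_SECTION = '''
Section "Monitor"
    Identifier   "Monitor0"
    ModelName    "AOC e2343Fk"
    HorizSync    30.0 - 83.0
    VertRefresh  55.0 - 75.0
    # My custom 1920x1080 mode
    Modeline "1920x1080" 138.50 1920 1968 2000 2080 1080 1083 1088 1111
    Modeline "1024x768"   94.50 1024 1072 1168 1376  768  769  772  808
    Modeline "1024x768"   65.00 1024 1048 1184 1344  768  771  777  806
EndSection
'''

Range = Tuple[float, float]
NUMBER = r"\d+(?:\.\d+)?"


class ModeCheck(NamedTuple):
    name: str
    hsync_khz: float
    vrefresh_hz: float
    usable: bool


def parse_ranges(value: str) -> List[Range]:
    """Parse '30.0 - 83.0' or a comma-separated mix of ranges and single values."""
    pairs = re.findall(rf"({NUMBER})\s*(?:-\s*({NUMBER}))?", value)
    return [(float(low), float(high or low)) for low, high in pairs]


def in_ranges(value: float, ranges: List[Range]) -> bool:
    return any(low <= value <= high for low, high in ranges)


def check_modes(section: str) -> List[ModeCheck]:
    """Compute each Modeline's timing and test it against the sync ranges."""
    hsync: List[Range] = []
    vrefresh: List[Range] = []
    modes = []
    for raw in section.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)  # drop comments
        if len(parts) < 2:
            continue
        keyword, rest = parts[0].lower(), parts[1]
        if keyword == "horizsync":
            hsync = parse_ranges(rest)
        elif keyword == "vertrefresh":
            vrefresh = parse_ranges(rest)
        elif keyword == "modeline":
            match = re.match(r'"([^"]+)"\s+(.*)', rest)
            fields = match.group(2).split() if match else []
            if len(fields) < 9:
                raise ValueError(f"malformed Modeline: {raw.strip()}")
            # Fields: clock(MHz), 4 horizontal timings, 4 vertical timings;
            # the last value of each group is the total (visible + blanking).
            modes.append((match.group(1), float(fields[0]),
                          int(fields[4]), int(fields[8])))
    results = []
    for name, clock_mhz, htotal, vtotal in modes:
        h_khz = clock_mhz * 1000.0 / htotal
        v_hz = clock_mhz * 1_000_000.0 / (htotal * vtotal)
        usable = in_ranges(h_khz, hsync) and in_ranges(v_hz, vrefresh)
        results.append(ModeCheck(name, h_khz, v_hz, usable))
    return results


def best_mode(section: str, name: str) -> Optional[ModeCheck]:
    """Among usable mode lines with this name, pick the highest refresh rate."""
    usable = [m for m in check_modes(section) if m.name == name and m.usable]
    return max(usable, key=lambda m: m.vrefresh_hz, default=None)


if __name__ == "__main__":
    for mode in check_modes(MONITOR_SECTION):
        verdict = "ok" if mode.usable else "discarded"
        print(f"{mode.name:10s} {mode.hsync_khz:6.2f} kHz "
              f"{mode.vrefresh_hz:6.2f} Hz  {verdict}")
```

The 85Hz entry is discarded because it exceeds the 75.0 upper bound of VertRefresh, so a request for 1024x768 falls back to the 60Hz mode line.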
Setting the Video Card

Your monitor is usually the most important factor in determining your maximum refresh rate at any given resolution, but X sends data to the monitor only indirectly, through the video card. Because of this, it’s important that you be able to configure this component correctly. An incorrect configuration of the video card is likely to result in an inability to start X.

In the past, video hardware was almost always implemented as a plug-in card. Most modern computers include video hardware on the motherboard, though. Despite this fact, it’s common to refer to a video card, even if the computer lacks a separate plug-in card.

Choosing the Driver

Sometimes X, and particularly modern versions of X.org-X11, can pick the optimum video driver automatically. Other times, though, you must provide that information in the XF86Config or xorg.conf file. In particular, the driver module is set by a line in the Device section, which resembles the following:

Driver "nv"

This line sets the name of the driver. The drivers reside in the /usr/X11R6/lib/modules/drivers/ or /usr/lib/xorg/modules/drivers/ directory. (On some systems, lib becomes lib64.) Most of the drivers’ filenames end in _drv.o, and if you remove this portion, you’re left with the driver name. For instance, nv_drv.o corresponds to the nv driver.

Some X configuration utilities provide a large list of chipsets and specific video card models, so you can select the chipset or board from this list to have the utility configure this detail.

If you type Xorg -configure to create an initial configuration, the resulting file is likely to include multiple Device sections, each for a different driver. Some of these, such as fbdev and vesa, are generic drivers that work—but not optimally—on a wide variety of video cards. Today, you’re most likely to use the nv or nouveau drivers (both of which work on nVidia cards), the radeon driver (which works on ATI/AMD cards), or the intel driver (which works on Intel cards). You’ll need to know something about your video hardware to pick the best one. If you’re in doubt, you can try using each one in turn, by specifying each Device section in turn in the Screen section, as described later, in “Setting the Resolution and Color Depth.”
Setting Card-Specific Options

The Device section of the xorg.conf file sets various options related to specific X servers. A typical Device section resembles the following:

Section "Device"
    Identifier "Videocard0"
    Driver "nv"
    VendorName "nVidia"
    BoardName "GeForce 6100"
    VideoRam 131072
EndSection

The Identifier line provides a name that’s used in the subsequent Screen section to identify this particular Device section. The VendorName and BoardName lines provide information that’s useful mainly to people reading the file.

The VideoRam line is unnecessary with most boards because the driver can detect the amount of RAM installed in the card. With some devices, however, you may need to specify the amount of RAM installed in the card, in kilobytes. For instance, the preceding example indicates a card with 128MB of RAM installed.

Many drivers support additional driver-specific options. They may enable support for features such as hardware cursors (special hardware that enables the card to handle mouse pointers more easily) or caches (using spare memory to speed up various operations). Consult the XF86Config or xorg.conf man page or other driver-specific documentation for details.
Setting the Resolution and Color Depth

The Screen section tells X about the combination of monitors and video cards you’re using. XFree86 4.x and X.org-X11 support multiple video cards and monitors on one system. This can be handy if you’re testing a new monitor or video card driver. In any event, the Screen section looks something like this:

Section "Screen"
    Identifier "Screen0"
    Device "Videocard0"
    Monitor "Monitor0"
    DefaultDepth 24
    SubSection "Display"
        Depth 24
        Modes "1920x1080" "1280x1024" "1024x768"
    EndSubSection
    SubSection "Display"
        Depth 8
        Modes "1024x768" "800x600" "640x480"
    EndSubSection
EndSection

The Device and Monitor lines refer to the Identifier lines in your Device and Monitor sections, respectively. The Screen section includes one or more Display subsections, which define the video modes that X may use. This example creates two such displays. The first uses a color depth of 24 bits (Depth 24) and possible video mode settings of 1920x1080, 1280x1024, and 1024x768. (These video modes are actually names that refer to the mode lines defined in the Monitor section or to standard mode lines.) The second possible display uses an 8-bit color depth (Depth 8) and supports 1024x768, 800x600, and 640x480 video modes.

To choose between the Display subsections, you include a DefaultDepth line. In this example, X uses the 24-bit display if possible, unless it’s overridden by other options when starting X.

Graphical video modes require a certain amount of RAM on the video card. (On some laptop computers and computers with video hardware integrated into the motherboard, a portion of system RAM is reserved for this use by the BIOS.) The total amount of RAM required is determined by an equation:

R = xres × yres × bpp ÷ 8,388,608

In this equation, R is the RAM in megabytes, xres is the x resolution in pixels, yres is the y resolution in pixels, and bpp is the bit depth. For instance, consider a 1280 × 1024 display at 24-bit color depth:

R = 1280 × 1024 × 24 ÷ 8,388,608 = 3.75MB

All modern video cards have at least 32MB of RAM—usually much more. This is more than enough to handle even very high resolutions at 32-bit color depth (the greatest depth possible). Thus, video RAM shouldn’t be a limiting factor in terms of video mode selection, at least not with modern video hardware. Very old video cards can impose limits, so you should be aware of them.

Modern video cards ship with large amounts of RAM to support 3D acceleration features. X supports such features indirectly through special 3D acceleration packages, but 3D acceleration support is limited compared to basic video card support. If 3D acceleration is important to you, you should research the availability of this support.
Putting It All Together

XFree86 4.x and X.org-X11 require a section that’s not present in the XFree86 3.3.6 configuration file: ServerLayout. This section links together all the other components of the X configuration:

Section "ServerLayout"
    Identifier "single head configuration"
    Screen "Screen0" 0 0
    InputDevice "Mouse0" "CorePointer"
    InputDevice "Keyboard0" "CoreKeyboard"
EndSection

Typically, this section identifies one Screen section and two InputDevice sections (for the keyboard and the mouse). Other configurations are possible, though. For instance, XFree86 4.x and X.org-X11 support multi-head displays, in which multiple monitors are combined to form a larger desktop than either one alone would support. In these configurations, the ServerLayout section includes multiple Screen sections.
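Because each link in this chain (ServerLayout to Screen and InputDevice, Screen to Device and Monitor) is a free-form Identifier string, a single typo leaves a section pointing at nothing. The following Python sketch is an added example, not part of this book or of X; it parses the Section/EndSection format described in this chapter and reports references that don't resolve. The function names are hypothetical, the sample file is assembled from this chapter's sections, and Identifier strings are assumed to be matched exactly as written.

```python
import re

# Constructed sample, assembled from the sections shown in this chapter.
SAMPLE_CONF = '''
Section "InputDevice"
    Identifier "Keyboard0"
    Driver     "kbd"
EndSection
Section "InputDevice"
    Identifier "Mouse0"
    Driver     "mouse"
    Option     "Device" "/dev/input/mice"
EndSection
Section "Monitor"
    Identifier "Monitor0"
EndSection
Section "Device"
    Identifier "Videocard0"
    Driver     "nv"
EndSection
Section "Screen"
    Identifier "Screen0"
    Device     "Videocard0"
    Monitor    "Monitor0"
    SubSection "Display"
        Depth 24
        Modes "1920x1080" "1280x1024" "1024x768"
    EndSubSection
EndSection
Section "ServerLayout"
    Identifier  "single head configuration"
    Screen      "Screen0" 0 0
    InputDevice "Mouse0" "CorePointer"
    InputDevice "Keyboard0" "CoreKeyboard"
EndSection
'''

# (section type, keyword) -> section type whose Identifier the keyword names
REFERENCES = {
    ("screen", "device"): "device",
    ("screen", "monitor"): "monitor",
    ("serverlayout", "screen"): "screen",
    ("serverlayout", "inputdevice"): "inputdevice",
}
TOKEN = re.compile(r'"([^"]*)"|(\S+)')  # a quoted string or a bare word


def parse_sections(text):
    """Return one dict per Section: its type, Identifier and outgoing references."""
    sections, current, depth = [], None, 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        matches = list(TOKEN.finditer(raw.split("#", 1)[0]))  # drop comments
        if not matches:
            continue
        keyword = (matches[0].group(2) or "").lower()  # keywords ignore case
        quoted = [m.group(1) for m in matches[1:] if m.group(1) is not None]
        if keyword == "section":
            if current is not None or not quoted:
                raise ValueError(f"line {lineno}: malformed or nested Section")
            current, depth = {"type": quoted[0].lower(), "id": None, "refs": []}, 0
        elif current is None:
            raise ValueError(f"line {lineno}: text outside any Section")
        elif keyword == "endsection":
            sections.append(current)
            current = None
        elif keyword == "subsection":
            depth += 1
        elif keyword == "endsubsection":
            depth -= 1
        elif depth == 0 and quoted:  # only top-level lines carry references
            if keyword == "identifier":
                current["id"] = quoted[0]
            elif (current["type"], keyword) in REFERENCES:
                target = REFERENCES[(current["type"], keyword)]
                current["refs"].append((target, quoted[0], lineno))
    if current is not None:
        raise ValueError("missing EndSection at end of file")
    return sections


def check_config(text):
    """List every reference that names an Identifier no section defines."""
    sections = parse_sections(text)
    # Assumption: Identifier strings are matched exactly as written.
    defined = {(s["type"], s["id"]) for s in sections if s["id"] is not None}
    problems = []
    for section in sections:
        for target, name, lineno in section["refs"]:
            if (target, name) not in defined:
                problems.append(
                    f'line {lineno}: {section["type"]} refers to {target} '
                    f'"{name}", but no such section is defined')
    return problems


if __name__ == "__main__":
    print(check_config(SAMPLE_CONF) or "all references resolve")
```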
If All Goes Well...

In practice, you may not need to edit the X configuration file. As already noted, most Linux distributions configure X automatically at installation. Indeed, most distributions now rely on launch-time auto-configuration of X along with user settings for features such as resolution, keyboard repeat rate, and so on. Desktop environments typically provide a dialog box, such as the one shown in Figure 6.1, that enables you to set the resolution, refresh rate, and sometimes other display options. Look for such options in the desktop environment’s main settings tool, typically under a title such as Display or Monitor.

FIGURE 6.1 Modern desktop environments provide easy-to-use but limited X configuration options.
Obtaining X Display Information

Sometimes it’s helpful to know about the capabilities of your display, as it’s managed by X. The tool for this job is xdpyinfo. When you type xdpyinfo, the result is copious information about the current display, such as the X version number, the resolution and color depth of all the current displays, and so on. Much of this information is highly technical in nature, so you may not understand it all. That’s OK. I recommend you run this program and peruse the output to see what you can learn from it. If you should later want to obtain similar information on another computer’s display, you’ll know how to obtain it.

For still more technical information, you can use the -ext extension option to xdpyinfo. The extension is the name of an X extension, which is a software module that provides extended capabilities to X. (The basic xdpyinfo command, without any options, lists all the available extensions.)

You can obtain detailed technical information about a specific window with the xwininfo command. In basic use, you type xwininfo, move the mouse cursor over a window, and click. The result is a list of assorted data about the window you clicked, such as the following:

Absolute upper-left X: 1171
Absolute upper-left Y: 611
Relative upper-left X: 6
Relative upper-left Y: 25
Width: 657
Height: 414
Depth: 32
Visual Class: TrueColor
Border width: 0
Class: InputOutput
Colormap: 0x2800003 (not installed)
Bit Gravity State: NorthWestGravity
Window Gravity State: NorthWestGravity
Backing Store State: NotUseful
Save Under State: no
Map State: IsViewable
Override Redirect State: no
Corners: +1171+611 -92+611 -92-55 +1171-55
-geometry 80x24-86-49

Some of this information, such as the window’s position and size, is easy to interpret. Other information, such as the color map and gravity state, is highly technical, and I don’t describe it further here. You can pass various options to xwininfo to modify the information it displays or how you select a window, including the following:

Alternate Window Selection Methods
The -id id and -name name options enable you to identify a window by an ID number or by its name (normally displayed in the window’s border), respectively. The -root option selects the root window—that is, the entire display.

Window Relationships
Like processes, windows can have parents and children. You can identify these relationships with the -children option. The -tree option works in a similar way, but it works recursively—that is, it displays information on the children of a window’s children, and so on.

Basic Information
The -stats option is used by default. You can restrict the output by using the -bits option, which limits output to information on the window’s bit states.

Additional Information
The -events option produces information on the events that the window processes; -size displays information on sizing hints; -wm displays window manager data; -shape is much like -stats but adds information on the window and border shapes; -frame modifies the display to include information on the window manager’s frame; -metric adds measures in millimeters (mm) to the regular pixel-based measures; -english adds measures in feet and inches; and -all displays all available information.

Windows in X are created and managed by several programs. One of these, the window manager, handles the window’s borders and enables you to drag the window around the screen and resize it. Some xwininfo statistics relate to the window excluding the window manager’s elements, but others include these elements. Options such as -frame and -wm can modify this output or display information on the window manager’s features specifically.
Wayland: The Future?

An entirely new method of managing displays, known as Wayland (http://wayland.freedesktop.org), is nearing readiness as I write. Wayland is intended to address many of the problems with X, which suffers from a design dating back to the 1980s, before many modern video features became available. Thus, X is hobbled by legacy features such as a font model that’s been largely replaced by add-on font libraries. Wayland-native applications won’t use X at all, which will theoretically result in simpler application design, better speed, and fewer video problems, particularly for certain graphics-intensive applications.

Existing X applications will continue to work via an X server to be included with Wayland. Essentially, X will run as a process within Wayland, although ideally this will be a stopgap measure.

The developers of several major Linux distributions, including Fedora and Ubuntu, have expressed an intention to support Wayland, either as an option or as the default graphics system. The timetable for such a change is uncertain, though. Furthermore, Wayland has yet to be accepted by users; if Wayland presents unexpected problems, it may flounder. You should watch for future developments concerning this software.
Configuring X Fonts

Fonts have long been a trouble spot for Linux (or more precisely, for X). X was created at a time when available font technologies were primitive by today’s standards, and although X has been updated in various ways to take advantage of newer technologies, these updates have been lacking compared to the font subsystems in most competing OSs. X’s core font system can be set up from the X configuration file. Alternatively, you can configure a font server—a program that delivers fonts to one or many computers using network protocols—to handle the fonts. The latest Linux font technology sets up fonts in a way that’s more independent of X and that produces more pleasing results, at least to most people’s eyes.

Some applications don’t rely on either X or any other standard library to handle fonts; they manage their own fonts themselves. This practice is particularly common in word processors. If you configure your fonts as described here but find that an important program doesn’t see the changes you’ve made, consult its documentation; you may need to tell the program where to look to use the fonts you’ve added.
Font Technologies and Formats

Font technologies can be classified as falling into one of two broad categories:

Bitmap Fonts
The simplest type of font format is the bitmap font, which represents fonts much like bitmap graphics, in which individual pixels in an array are either active or inactive. Bitmap fonts are fairly easy to manipulate and display, from a programming perspective, which makes them good for low-powered computers. The problem is that each font must be optimized for display at a particular resolution. For instance, a font that’s 20 pixels high will appear one size on the screen (typically 72 to 100 dots per inch, or dpi) but will be much smaller when printed (typically at 300 to 1200dpi). Similarly, you need multiple files to display a single font at multiple sizes (such as 9 point versus 12 point). This means a single font, such as Times, requires potentially dozens of individual files for display at different sizes and on different display devices. If you lack the correct font file, the result will be an ugly scaled display.

Outline Fonts
Most modern fonts are distributed as outline fonts (aka scalable fonts). This type of format represents each character as a series of lines and curves in a high-resolution matrix. The computer can scale this representation to any font size or for any display resolution, enabling a single font file to handle every possible use of the font. The main problem with outline fonts is that this scaling operation is imperfect; scalable fonts often look slightly worse than bitmap fonts, particularly at small sizes. Scaling and displaying the fonts also takes more CPU time than displaying a bitmap font. This factor used to be important, but on modern CPUs it’s not much of an issue.

Both bitmap and outline fonts come in several different formats. X ships with a number of basic bitmap and outline fonts, and you’re unlikely to need to deal explicitly with bitmap fonts or their formats, so I don’t describe them in any detail. Outline fonts are another matter, though. The two main formats are Adobe’s PostScript Type 1 (Type 1 for short) and Apple’s TrueType. Fonts available on the Internet and on commercial font CDs come in one or both of these formats.

XFree86 3.3.6 and earlier supported Type 1 fonts but not TrueType fonts. XFree86 4.x and X.org-X11 support both Type 1 and TrueType fonts.
Configuring X Core Fonts

X core fonts are those that are handled directly by X. To configure these fonts, you must do two things: prepare a font directory that holds the fonts, and add the font directory to X’s font path.

Preparing a Font Directory

The first step to installing fonts is to prepare a directory in which to store them. XFree86 has traditionally stored its fonts in subdirectories of /usr/X11R6/lib/X11/fonts/, but X.org-X11 changes this to /usr/share/fonts or /usr/share/X11/fonts. In either case, if you’re adding fonts you’ve downloaded from the Internet or obtained from a commercial font CD-ROM, you may want to store these additional fonts elsewhere, such as /opt/fonts or /usr/local/fonts. (Chapter 4, “Managing Files,” includes information about the logic behind Linux’s directory system.) You may want to create separate subdirectories for fonts in different formats or from different sources.

When you’re installing Type 1 fonts, Linux needs the font files with names that end in .pfa or .pfb; these files contain the actual font data. (The .pfa and .pfb files store the data in slightly different formats, but the two file types are equivalent.) Additional files distributed with Type 1 fonts aren’t necessary for Linux. TrueType fonts come as .ttf files, and that’s all you need for Linux.

Linux uses fonts in the same format that Mac OS X, Windows, OS/2, and most other OSs use. Earlier versions of Mac OS used font files in special Macintosh-only “suitcases,” which Linux can’t use directly. If you want to use such fonts in Linux, you must convert them. The FontForge program (http://fontforge.sourceforge.net) can do this conversion, among other things.

Once you’ve copied fonts to a directory, you must prepare a summary file that describes the fonts. This file is called fonts.dir, and it begins with a line that specifies the number of fonts that are described. Subsequent lines provide a font filename and an X logical font description (XLFD), which is a tedious-looking description of the font. A complete fonts.dir line can be rather intimidating:

courb.pfa -ibm-Courier-bold-r-normal--0-0-0-0-m-0-iso8859-1

Fortunately, you needn’t create this file manually; programs exist to do so automatically. In XFree86 4.3 and later and in X.org-X11, the simplest way to do the job is to use mkfontscale and mkfontdir:

# mkfontscale
# mkfontdir

The mkfontscale program reads all the fonts in the current directory and creates a fonts.scale file, which is just like a fonts.dir file but describes only outline fonts. The mkfontdir program combines the fonts.scale file with the fonts.dir file, creating it if it doesn’t already exist.

Other programs to perform this task also exist. Most notably, ttmkfdir creates a fonts.dir file that describes TrueType fonts, and type1inst does the job for Type 1 fonts. The mkfontscale program is preferable because it handles both font types, but if you’re using an older distribution that lacks this program or if it’s not doing a satisfactory job, you can try one of these alternative programs.
Adding Fonts to X’s Font Path

Once you’ve set up fonts in a directory and created a fonts.dir file describing them, you must add the fonts to the X font path. You do this by editing the Files section of the XF86Config or xorg.conf file:

Section "Files"
    FontPath "/usr/share/fonts/100dpi:unscaled"
    FontPath "/usr/share/fonts/Type1"
    FontPath "/usr/share/fonts/truetype"
    FontPath "/usr/share/fonts/URW"
    FontPath "/usr/share/fonts/Speedo"
    FontPath "/usr/share/fonts/100dpi"
EndSection

If your Files section contains FontPath lines that refer to unix:/7100 or unix:/-1 but that don’t list conventional directories, read the section “Configuring a Font Server”; your system is configured to rely on an X font server for its core fonts. In this case, you may want to modify your font server configuration rather than change the X core fonts directly, although you can add font directories to have X both use the font server and directly handle your new fonts. If your X server configuration lacks a Files section, it uses a hard-coded default font path. You can add your own complete Files section to add new font paths.

To add your new font directory to the font path, duplicate one of the existing FontPath lines, and change the directory specification to point to your new directory. The order of these directories is significant; when matching font names, X tries each directory in turn, so if two directories hold fonts of the same name, the first one takes precedence. Thus, if you want your new fonts to override any existing fonts, place the new directory at the top of the list; if you want existing fonts to take precedence, add your directory to the end of the list.

The :unscaled string in the first entry in the preceding example tells X to use bitmap fonts from this directory only if they exactly match the requested font size. Without this string, X will attempt to scale bitmap fonts from a font directory (with poor results). Typically, bitmap directories are listed twice: once near the top of the font path with the :unscaled specification and again near the bottom of the list without it. This produces quick display of matching bitmapped fonts, followed by any matching scalable fonts, followed by scaled bitmap fonts.

Once you’ve added your font directory to X’s font path, you should test the configuration. The most reliable way to do this is to shut down X and restart it. (If your system boots directly into X, consult “Running an XDMCP Server” for information on doing this.) A quicker approach, but one that presents some opportunity for error, is to add the font path to a running system by using the xset program:

$ xset fp+ /your/font/directory
$ xset fp rehash

The first of these commands adds /your/font/directory to the end of the font path. (Substitute +fp for fp+ to add the directory to the start of the existing font path.) The second command tells X to re-examine all the font directories to rebuild the list of available fonts. The result is that you should now be able to access the new fonts. (You’ll need to restart any programs that should use the new fonts.) One program to quickly test the matter is xfontsel. This program enables you to select an X core font for display so you can check to be sure the fonts you’ve added are available and display as you expect.
Configuring a Font Server
Prior to the release of XFree86 4.0, several Linux distributions began using TrueType-enabled font servers to provide TrueType font support. Most distributions have now abandoned this practice, but some haven’t, and font servers can be useful in some environments.
A font server is a handy way to deliver fonts to many computers from a central location. This can be a great time-saver if you want to add fonts to many computers—set them up to use a font server and then tweak that server’s font configuration. To use a font server, X must list that server in its font path:
Section "Files"
    FontPath "unix:/7100"
    FontPath "tcp/fount.pangaea.edu:7100"
EndSection
The first line in this example specifies a local font server. (Using unix:/-1 rather than unix:/7100 also works in some cases.) The second line specifies that the font server on the remote system fount.pangaea.edu is to be used.
If your computer is already configured to use a font server, you needn’t change the X configuration to add or delete fonts; instead, you can modify the font server’s configuration. (You can still modify the X font configuration directly, but it may be cleaner to manage all the local fonts from one configuration file.)
To add fonts to a font server, you should first install the fonts on the system, as described earlier in “Preparing a Font Directory.” You should then modify the font server’s configuration file, /etc/X11/fs/config. Rather than a series of FontPath lines, as in the main X configuration file, the font server’s configuration lists the font path using the catalogue keyword as a comma-delimited list:
catalogue=/usr/share/fonts/100dpi:unscaled,
/usr/share/fonts/Type1,
/usr/share/fonts/truetype,
/usr/share/fonts/URW,
/usr/share/fonts/Speedo,
/usr/share/fonts/100dpi
The catalogue list may span several lines or just one. In either event, all of the entries are separated by commas, but the final entry ends without a comma. You can add your new font directory anywhere in this list.
Once you’ve saved your changes, you must restart the font server. Typically, this is done via SysV startup scripts (described in more detail in Chapter 5):
# /etc/init.d/xfs restart
At this point, you should restart X or type xset fp rehash to have X re-examine its font path, including the fonts delivered via the font server.
Although X core fonts and font servers were once very important, most modern X applications now emphasize an entirely different font system: Xft. You can add the same fonts as both X core fonts and Xft fonts, but the Xft configuration requires doing things in a new way.
Configuring Xft Fonts
X core fonts (including fonts delivered via a font server) have several important drawbacks:
They aren’t easy to integrate between the screen display and printed output. This makes them awkward from the point of view of word processing or other applications that produce printed output.
They’re server-based. This means applications may not be able to directly access the font files because the fonts may be stored on a different computer than the application. This can exacerbate the printing integration problem.
They provide limited or no support for kerning and other advanced typographic features. Again, this is a problem for word processing programs and other programs that must generate printed output.
They don’t support font smoothing (aka anti-aliasing). This technology employs gray pixels (rather than black or white pixels) along curves to create an illusion of greater resolution than the display can produce.
These problems are deeply embedded in the X core font system, so developers have decided to bypass that system. The result is the Xft font system, which is based in part on the FreeType library (http://www.freetype.org), an open source library for rendering TrueType and Type 1 fonts. Xft is a client-based system, meaning that applications access font files on the computer on which they’re running. Xft also supports font smoothing and other advanced font features. Overall, the result is greatly improved font support. The cost, though, is that Linux now has two font systems: X core fonts and Xft fonts.
Fortunately, you can share the same font directories through both systems. If you’ve prepared a font directory as described earlier, in “Preparing a Font Directory,” you can add it to Xft. Load the /etc/fonts/local.conf file into a text editor. Look for any lines in this file that take the following form:
<dir>/font/directory</dir>
If such lines are present, duplicate one of them and change the duplicate to point to your new font directory. If such lines don’t exist, create one just before the </fontconfig> line. Be sure not to embed your new font directory specification within a comment block, though. Comments begin with a line that reads <!-- and end with a line that reads -->.
If you create a font directory that holds several subdirectories, you can add just the main directory to local.conf. For instance, if you created /opt/fonts/tt and /opt/fonts/type1, adding /opt/fonts to local.conf will be sufficient to access all the fonts you installed on the system.
Once you’ve made these changes, type fc-cache as root. This command causes Xft to run through its font directories and create index files. These files are similar to the fonts.dir file in principle, but the details differ. If you fail to take this step, you’ll still be able to access these fonts, but each user’s private Xft cache file will contain the lists of fonts. Generating these files can take some time, thus degrading performance.
To test your Xft fonts, use any Xft-enabled program. Most modern X-based Linux programs are so enabled, so loading a GUI text editor, word processor, Web browser, or other tool that enables you to adjust fonts should do the trick.
Managing GUI Logins
Linux can boot into a purely text-based mode in which the console supports text-based logins and text-mode commands. This configuration is suitable for a system that runs as a server computer or for a desktop system for a user who dislikes GUIs. Most desktop users, though, expect their computers to boot into a friendly GUI. For such users, Linux supports a login system that starts X automatically and provides a GUI login screen. Configuring and managing this system requires you to understand a bit of how the system works, how to run it, and how to change the configuration.
The X GUI Login System
As described later in this chapter, in “Using X for Remote Access,” X is a network-enabled GUI. This fact has many important consequences, and one of these relates to Linux’s GUI login system. This system employs a network login protocol, the X Display Manager Control Protocol (XDMCP). To handle remote logins, an XDMCP server runs on a computer and listens for connections from remote computers’ X servers. To handle local logins, an XDMCP server runs on a computer and starts the local computer’s X server. The XDMCP server then manages the local X server’s display—that is, it puts up a login prompt like that shown in Figure 6.2.
FIGURE 6.2 An XDMCP server manages local GUI logins to a Linux system.
Five XDMCP servers are common on Linux: the X Display Manager (XDM), the KDE Display Manager (KDM), the GNOME Display Manager (GDM), the MDM Display Manager (MDM; a recursive acronym), and the Light Display Manager (LightDM). A few more exotic XDMCP servers are also available, but these five are the most important. Of these, the exam objectives explicitly cover the first three, so they’re the ones described here. As you may guess by their names, KDM and GDM are associated with the KDE and GNOME projects, respectively. MDM is a derivative of GDM. XDM is the oldest and least feature-heavy of these display managers. LightDM aims to be compact and compatible with multiple desktop environments. You can change which desktop manager your system uses if you don’t like the default.
Although KDM and GDM are associated with KDE and GNOME, respectively, neither limits your choice of desktop environment. In fact, it’s possible, and often necessary, to run programs associated with one desktop environment inside another one. This works fine, although it increases the memory load.
Running an XDMCP Server
Several methods exist to start an XDMCP server. The two most common are to launch it more or less directly from init, via an entry in /etc/inittab or its ancillary configuration files; or to launch it as part of a runlevel’s startup script set, via a system startup script. Chapter 5 describes both init and system startup scripts in general, so consult it for information about these processes.
Whichever method is used, many distributions configure themselves to run their chosen XDMCP server when they start in runlevel 5 but not when they start in runlevel 3. This is the only difference between these two runlevels in most cases. Thus, changing from runlevel 3 to runlevel 5 starts X and the XDMCP server on many distributions, and switching back to runlevel 3 stops X and the XDMCP server. As described in more detail in Chapter 5, you can change runlevels as root with the telinit command:
# telinit 5
Permanently changing the runlevel on a SysV-based system requires editing the /etc/inittab file and, in particular, its id line:
id:5:initdefault:
Change the number (5 in this case) to the runlevel you want to use as the default. Most distributions that use Upstart or systemd start the XDMCP server via methods more akin to the methods traditionally used by Debian, as described next.
A few distributions—most notably Gentoo, Debian, and Debian’s derivatives (including the popular Ubuntu)—attempt to start an XDMCP server in all runlevels (or don’t do so at all). This is done through the use of a SysV startup script called xdm, kdm, or gdm. Thus, you can temporarily start or stop the XDMCP server by running this script and passing it the start or stop option. To permanently enable or disable the XDMCP server, you should adjust your SysV startup scripts, as described in Chapter 5.
In addition to the question of whether to run an XDMCP server is the question of which XDMCP server to run. Most distributions set a default XDMCP server in one way or another. Two common methods exist:
Selection via Configuration File: Some distributions hide the XDMCP server choice in a configuration file, often in the /etc/sysconfig directory. In Fedora, the /etc/sysconfig/desktop file sets the DISPLAYMANAGER variable to the path to the executable, as in DISPLAYMANAGER=/bin/xdm. In openSUSE, /etc/sysconfig/displaymanager sets the DISPLAYMANAGER variable to the display manager’s name in lowercase letters, as in DISPLAYMANAGER="xdm".
Selection via Startup Script: In Debian and derivative distributions, such as Ubuntu, the display manager is set via a SysV, Upstart, or systemd startup script—use the gdm script to use GDM, kdm to use KDM, and so on. By default, only one XDMCP server (and associated startup script) is installed, so if you want to change your XDMCP server, you may need to install your desired server. Chapter 5 describes how to configure specific startup scripts to run automatically.
Unfortunately, distribution maintainers have had a habit of changing the details of how XDMCP servers are launched from time to time, and the settings are often buried in poorly documented configuration files. Thus, you may need to go digging through the files in your /etc directory to find the correct setting. If you can’t find the setting, try using grep to search for strings such as DISPLAYMANAGER or the name of the XDMCP server that’s currently running.
Configuring an XDMCP Server
XDMCP servers, like most programs, can be configured. Unfortunately, this configuration varies from one server to another, although there are some commonalities. In the following pages, I provide some details for configuring XDM, KDM, and GDM.
Configuring XDM
XDM is the simplest of the major XDMCP servers. It accepts usernames and passwords but doesn’t enable users to perform other actions, such as choose which desktop environment to run. (This must be configured through user login files.)
XDM’s main configuration file is /etc/X11/xdm/xdm-config. Most distributions ship with a basic xdm-config file that should work fine for a local workstation. If you want to enable the computer to respond to remote login requests from other X servers on the network or if you want to verify that the system is not so configured, you should pay attention to this line:
DisplayManager.requestPort: 0
This line tells XDM to not access a conventional server port. To activate XDM as a remote login server, you should change 0 to 177, the traditional XDMCP port. You must then restart XDM. When so configured, users on other computers can initiate remote X-based logins to your computer via XDMCP. This can be handy on local networks, but it’s also a security risk, which is why the default is to not enable such access.
The /etc/X11/xdm/Xaccess file is another important XDM configuration file. If XDM is configured to permit remote access, this file controls who may access the XDM server and in what ways. A wide-open system contains lines that use an asterisk (*) to denote that anybody may access the system:
*
* CHOOSER BROADCAST
The first line tells XDM that anybody may connect, and the second line tells XDM that anybody may request a chooser—a display of local systems that accept XDMCP connections. To limit the choices, you should list individual computers or groups of computers instead of using the asterisk wildcard:
*.pangaea.edu
tux.example.com
*.pangaea.edu CHOOSER BROADCAST
This example lets any computer in the pangaea.edu domain connect or receive a chooser, and it also lets tux.example.com connect but not receive a chooser.
Many additional options are set in the /etc/X11/xdm/Xresources file; it hosts X resources, which are similar to environment variables but apply only to X-based programs. For instance, you can change the text displayed by XDM by altering the xlogin*greeting resource in this file.
Configuring KDM
KDM is based partly on XDM and so shares many of its configuration options. Unfortunately, the location of the KDM configuration files is unpredictable; sometimes KDM uses the XDM configuration files, other times they’re stored in /etc/X11/kdm or /etc/kde/kdm, and sometimes they’re stored in a truly strange location such as /usr/lib/kde4/libexec/.
If you can’t find the KDM configuration files, try using your package management tools, described in Chapter 2, “Managing Software.” Try obtaining lists of files in the kdm or kdebase package or some other likely candidate, and look for the KDM configuration files.
KDM expands on XDM by enabling users to select a session type when they log in, to shut down the computer from the main KDM prompt, and so on. Most of these extra options are set in the kdmrc file, which appears in the same directory as the other KDM configuration files. Some of these options override the more common XDM configuration options for the same features. In particular, the [Xdmcp] section provides options relating to network operation. The Enable option in that section should be set to true if you want to support network logins.
Configuring GDM
GDM is more of a break from XDM than is KDM. GDM doesn’t use the conventional XDM configuration files or similar files. Instead, it uses configuration files that are usually stored in /etc/X11/gdm or /etc/gdm. In the past, the most important of these files was gdm.conf, and it had a format similar to the kdmrc file. More recent versions of GDM, however, place this file elsewhere and give it a new format. With these versions, you can set local options in the custom.conf file in the GDM configuration directory. This file typically starts with no options, but the ones you set override the defaults. As with KDM, you should set the enable option to yes in the [xdmcp] section if you want to enable remote logins.
A GUI control tool for GDM exists on some systems but is missing from others. Type gdmconfig or gdmsetup as root to launch this program, which enables you to set GDM options using a point-and-click interface.
Like KDM, GDM provides extra options over those of XDM. These options include the ability to choose your login environment and shut down the computer. GDM is a bit unusual in that it prompts for the username and only then presents a prompt for the password. XDM and KDM both present fields for the username and password simultaneously.
Using X for Remote Access
As noted earlier, in “The X GUI Login System,” X is a network-enabled GUI. This fact enables you to run Linux programs remotely—you can set up a Linux system with X programs and run them from other Linux (or even non-Linux) computers. Similarly, you can use a Linux computer as an access terminal for X programs that run on a non-Linux Unix computer, such as one running Solaris. To do this, you should first understand something of X’s network model, including where the client and server systems are located, how X controls access to itself, and so on. You can then proceed to perform the remote accesses.
X Client-Server Principles
Most people think of servers as powerful computers hidden away in machine rooms, and of clients as the desktop systems that ordinary people use. Although this characterization is often correct, it’s very wrong when it comes to X. X is a server, meaning that the X server runs on the computer at which the user sits. X clients are the programs that users run—xterm, xfontsel, KMail, LibreOffice, and so on. In most cases, the X server and its clients reside on the same computer, so this peculiar terminology doesn’t matter; but when you use X for remote access, you must remember that the X server runs on the user’s computer, while the X clients run on the remote system.
To make sense of this peculiarity, think of it from the program’s point of view. For instance, consider a Web browser such as Firefox. This program accesses Web pages stored on a Web server computer. The Web server responds to requests from Firefox to load files. Just as Firefox loads files, it displays files on the screen and accepts input from its user. From the program’s point of view, this activity is much like retrieving Web pages, but it’s handled by an X server rather than a Web server. This relationship is illustrated in Figure 6.3.
FIGURE 6.3 From a program’s point of view, the X server works much like a conventional network server such as a Web server.
Ordinarily, Linux is configured in such a way that its X server responds only to local access requests as a security measure. Thus, if you want to run programs remotely, you must make some changes to have Linux lower its defenses—but not too far, lest you let anybody access the X server, which could result in security breaches.
Using Remote X Clients
Suppose your local network contains two machines. The computer called zeus is a powerful machine that hosts important programs, like a word processor and data analysis utilities. The computer called apollo is a much less powerful system, but it has an adequate monitor and keyboard. Therefore, you want to sit at apollo and run programs that are located on zeus. Both systems run Linux. To accomplish this task, follow these steps:
1. Log in to apollo and, if it’s not already running X, start it.
2. Open a terminal (such as an xterm) on apollo.
3. Type xhost +zeus in apollo’s terminal. This command tells apollo to accept for display in its X server data that originates on zeus.
4. Log in to zeus from apollo. You might use Telnet or Secure Shell (SSH), for instance. The result should be the ability to type commands in a shell on zeus.
5. On zeus, type export DISPLAY=apollo:0.0. (This assumes you’re using bash; if you’re using tcsh, the command is setenv DISPLAY apollo:0.0.) This command tells zeus to use apollo for the display of X programs. (Chapter 9, “Writing Scripts, Configuring Email, and Using Databases,” describes environment variables, such as DISPLAY, in greater detail.)
6. Type whatever you need to type to run programs at the zeus command prompt. For instance, you could type loffice to launch LibreOffice. You should see the programs open on apollo’s display, but they’re running on zeus—their computations use zeus’s CPU, they can read files accessible on zeus, and so on.
7. After you’re done, close the programs you’ve launched, log off zeus, and type xhost -zeus on apollo. This tightens security so that a miscreant on zeus won’t be able to modify your display on apollo.
Sometimes, you can skip some of these steps. For instance, depending on how it’s configured, SSH can forward X connections, meaning that SSH intercepts attempts to display X information and passes those requests on to the system that initiated the connection. When this happens, you can skip steps 3 and 5, as well as the xhost command in step 7. (See the Real World Scenario sidebar “Encrypting X Connections with SSH.”)
Encrypting X Connections with SSH
The SSH protocol is a useful remote-access tool. Although it’s often considered a text-mode protocol, SSH also has the ability to tunnel network connections—that is, to carry another protocol through its own encrypted connection. This feature is most useful for handling remote X access. You can perform the steps described in “Using Remote X Clients” but omit steps 3 and 5 and the xhost command in step 7. This greatly simplifies the login process and adds the benefits of SSH’s encryption, which X doesn’t provide. On the other hand, SSH’s encryption is likely to slow down X access, although if you enable SSH’s compression features, this problem may be reduced in severity. Overall, tunneling X through SSH is the preferred method of remote X access, particularly when any network in the process isn’t totally secure.
SSH tunneling does require that certain options be set. In particular, you must either use the -X or -Y option to the ssh client program or set the ForwardX11 or ForwardX11Trusted option to yes in /etc/ssh_config on the client system. You must also set the X11Forwarding option to yes in the /etc/sshd_config file on the SSH server system. These options enable SSH’s X forwarding feature; without these options, SSH’s X forwarding won’t work.
As an added security measure, many Linux distributions today configure X to ignore true network connections. If your distribution is so configured, the preceding steps won’t work; when you try to launch an X program from the remote system, you’ll get an error message. To work around this problem, you must make an additional change, depending on how X is launched:
GDM: On older versions of GDM, check the GDM configuration file (typically /etc/X11/gdm/gdm.conf): look for the line DisallowTCP=true, and change it to read DisallowTCP=false. On newer versions of GDM, edit /etc/gdm/custom.conf, and add a line that reads DisallowTCP=false to the [security] section (adding it if required).
KDM or XDM: These two XDMCP servers both rely on settings in the Xservers file (in /etc/X11/xdm for XDM, and in this location or some other highly variable location for KDM). Look for the line that begins with :0. This line contains the command that KDM or XDM uses to launch the X server. If this line contains the string -nolisten tcp, remove that string from the line. Doing so eliminates the option that causes X to ignore conventional network connections.
Special openSUSE Configuration: In openSUSE, you must edit /etc/sysconfig/displaymanager and set the DISPLAYMANAGER_XSERVER_TCP_PORT_6000_OPEN option to yes.
X Launched from a Text-Mode Login: If you log in using text mode and type startx to launch X, you may need to modify the startx script itself, which is usually stored in /usr/bin. Search this script for the string -nolisten tcp. Chances are this string will appear in a variable assignment (such as to defaultserverargs) or possibly in a direct call to the X server program. Remove the -nolisten tcp option from this variable assignment or program call.
Once you’ve made these changes, you’ll need to restart X as described earlier in “Running an XDMCP Server.” Thereafter, X should respond to remote access requests.
If X responds to remote network requests, the risk of an intruder using a bug or misconfiguration to trick users by displaying bogus messages on the screen is greatly increased. Thus, you should disable this protection only if you’re sure that doing so is necessary. You may be able to use an SSH link without disabling this protection.
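The settings named in this section (requestPort in xdm-config, wildcard lines in Xaccess, -nolisten tcp in Xservers, DisallowTCP and the [xdmcp] Enable option, and the openSUSE sysconfig variable) can be checked in one pass. The following shell script is an added example, not part of the book: the function names and the directory-prefix argument are assumptions, the sample files are constructed, and the file locations are the ones the text gives, which vary between distributions.

```shell
#!/bin/sh
# Added example (not from the book): flag X/XDMCP settings that open the
# display or login service to the network. The argument is a directory prefix
# so a copy of /etc can be audited; pass "" to check the live system.

note() { printf 'FINDING: %s\n' "$*"; }

# uncommented FILE: print FILE minus blank lines and "#" / "!" comment lines.
uncommented() {
    [ -r "$1" ] || return 0
    sed -e 's/^[[:space:]]*//' -e '/^$/d' -e '/^[#!]/d' "$1"
}

# ini_get FILE SECTION KEY: print the lowercased value of KEY in [SECTION].
ini_get() {
    [ -r "$1" ] || return 0
    awk -v sec="$2" -v key="$3" '
        BEGIN { sec = tolower(sec); key = tolower(key) }
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ { cur = tolower($0); gsub(/[^a-z0-9_-]/, "", cur); next }
        cur == sec && (n = index($0, "=")) > 0 {
            k = tolower(substr($0, 1, n - 1)); gsub(/[ \t]/, "", k)
            v = tolower(substr($0, n + 1));    gsub(/[ \t"]/, "", v)
            if (k == key) val = v
        }
        END { if (val != "") print val }
    ' "$1"
}

audit_x_exposure() {
    root=${1:-}

    # XDM: any requestPort other than 0 means XDM answers XDMCP requests.
    f=$root/etc/X11/xdm/xdm-config
    if [ -r "$f" ]; then
        port=$(uncommented "$f" |
               sed -n 's/^DisplayManager\.requestPort:[[:space:]]*//p' | tail -n 1)
        [ "$port" = 0 ] || note "$f: requestPort is '${port:-unset}', not 0"
    fi

    # Xaccess: a bare "*" host lets anybody connect or request a chooser.
    f=$root/etc/X11/xdm/Xaccess
    uncommented "$f" | while read -r host rest; do
        [ "$host" != "*" ] || note "$f: wildcard entry '*${rest:+ $rest}'"
    done

    # Xservers: the ":0" line is the X server command line. The text treats
    # "-nolisten tcp" as the switch that makes X ignore network connections.
    f=$root/etc/X11/xdm/Xservers
    uncommented "$f" | grep '^:0' | grep -v -e '-nolisten[[:space:]]*tcp' |
        while read -r line; do note "$f: ':0' line lacks -nolisten tcp"; done

    # GDM and KDM: INI-style files with [security] and [xdmcp] sections.
    for f in "$root/etc/gdm/custom.conf" "$root/etc/X11/gdm/gdm.conf" \
             "$root/etc/X11/kdm/kdmrc" "$root/etc/kde/kdm/kdmrc"; do
        [ "$(ini_get "$f" security DisallowTCP)" != false ] ||
            note "$f: DisallowTCP=false"
        case $(ini_get "$f" xdmcp Enable) in
            yes|true|1) note "$f: [xdmcp] Enable is on (remote logins)" ;;
        esac
    done

    # openSUSE: sysconfig switch that opens TCP port 6000.
    f=$root/etc/sysconfig/displaymanager
    if uncommented "$f" |
       grep -Eq '^DISPLAYMANAGER_XSERVER_TCP_PORT_6000_OPEN="?yes"?'; then
        note "$f: DISPLAYMANAGER_XSERVER_TCP_PORT_6000_OPEN=yes"
    fi
    return 0
}

# make_sample_tree DIR: write CONSTRUCTED config files (not from a real host).
make_sample_tree() {
    mkdir -p "$1/etc/X11/xdm" "$1/etc/gdm"
    printf '%s\n' '! constructed sample' 'DisplayManager.requestPort: 177' \
        > "$1/etc/X11/xdm/xdm-config"
    printf '%s\n' '# constructed sample' '*.pangaea.edu' '* CHOOSER BROADCAST' \
        > "$1/etc/X11/xdm/Xaccess"
    printf '%s\n' ':0 local /usr/bin/X -nolisten tcp' > "$1/etc/X11/xdm/Xservers"
    printf '%s\n' '[security]' 'DisallowTCP=false' '[xdmcp]' 'Enable=false' \
        > "$1/etc/gdm/custom.conf"
}

# Demo on the constructed tree: reports three findings.
demo_dir=$(mktemp -d)
make_sample_tree "$demo_dir"
audit_x_exposure "$demo_dir"
rm -rf "$demo_dir"
```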
Another option for running X programs remotely is to use the Virtual Network Computing (VNC) system (http://www.realvnc.com). VNC runs a special X server on the computer that’s to be used from a distance, and a special VNC client runs on the computer at which you sit. You use the client to directly contact the server. This reversal of client and server roles over the normal state of affairs with conventional X remote access is beneficial in some situations, such as when you’re trying to access a distant system from behind certain types of firewall. VNC is also a cross-platform protocol; it’s possible to control a Windows or Mac OS system from Linux using VNC, but this isn’t possible with X. (X servers for Windows and Mac OS are available, enabling you to control a Linux system from these non-Linux OSs.)
X Accessibility
Historically, most computers have been designed for individuals with normal physical capabilities. As computers have become everyday tools, though, the need for people with various disabilities to use computers has risen. Linux provides tools to help with this task. Some basic X settings (controlled in xorg.conf or XF86Config) can help in this respect—for instance, you can adjust the keyboard repeat rate to prevent spurious key repeats for individuals who may keep keys pressed longer than average. Other settings are unusual and may require the use of unique accessibility tools to set. Some options must be set in specific desktop environments (KDE or GNOME, for example).
Keyboard and Mouse Accessibility Issues
You can set many keyboard and mouse options using ordinary desktop environment tools for personalizing keyboard and mouse responses. Other options are more exotic, such as onscreen keyboards.
Standard Keyboard and Mouse Options
Most Linux desktop environments include keyboard and mouse control panel options. For instance, in a standard Fedora 17 GNOME installation, you can find the keyboard options in the Keyboard item of the System Settings control panel, and you can find the mouse options in the Mouse and Touchpad item. The AccessX utility is an older program that works in any desktop environment to provide similar features. Figure 6.4 shows AccessX in operation. Because the locations of such options can be customized from one distribution to another and can change from one release to another, you may need to hunt for the options in your menus.
FIGURE 6.4 AccessX and desktop environment control panels provide accessibility options.
The exam objectives mention AccessX; however, this package is not available in most distributions and appears to be abandoned. Its functionality has been folded into desktop environment control panels. Thus, although I describe AccessX’s features, chances are you’ll need to look for equivalents in your desktop environment’s control panel.
Keyboard and mouse accessibility features that you can set with AccessX or similar tools in desktop environments include the following (sometimes under slightly different names):
Sticky Keys: When enabled, this option causes keyboard modifier keys (Ctrl, Alt, and Shift) to “stick” when pressed, affecting the next regular key to be pressed even after release of the sticky key. This can be useful for users who have difficulty pressing multiple keys simultaneously. Some tools, including AccessX, provide additional options that affect the details of how sticky keys work.
Mouse Keys: This option enables you to use the cursor keypad on your keyboard to emulate a mouse.
Bounce (or Debounce) Keys: If a user tends to accidentally press a single key multiple times, the bounce keys option may be able to compensate for this tendency. (Aging keyboards also sometimes produce keybounce.)
Slow Keys: When activated, this option requires a key to be pressed for longer than a specified period of time before it registers as a key press. This feature is useful for individuals who tend to accidentally press keys.
Keyboard Repeat Rate: The repeat delay and rate can be set using sliders. These settings override those set in the X configuration file; but if you use a bare window manager, you may need to set these options in the X configuration file. Disabling keyboard repeat or setting a very long delay may be necessary for some users.
Time Out: In AccessX, the TimeOut option sets a time after which its accessibility options will be disabled.
Mouse Tracking and Click Options: The ordinary mouse tracking and click options can be adjusted to unusual values for those who have special needs. (This and the next two options are not provided by AccessX but are provided by many desktop environments.)
Simulated Mouse Clicks: Some environments let you configure the mouse to simulate a click whenever the mouse pointer stops moving or to simulate a double click whenever the mouse button is pressed for an extended period.
Mouse Gestures: Gestures are similar to keyboard shortcuts but are for mice; they permit you to activate program options by moving your mouse in particular ways.
Using Onscreen Keyboards
If a user has difficulty using a regular keyboard but can use a mouse, that user can employ an onscreen keyboard. This is an application that displays an image of a keyboard. Using the mouse to press the keys on the keyboard image works much like using a real keyboard. Some other keyboards require the user to enter text into their own buffers and then cut and paste the text from the keyboard application into the target program.
Browse the menus for your desktop environment to locate the onscreen keyboards available on your system. If you can’t find one, or if you don’t like it, use your package manager to search for such programs—searching on keyboard should turn up some options.
The GNOME On-Screen Keyboard (GOK) deserves special mention as a particularly powerful tool in this category. This program provides not only an onscreen keyboard but also tools that provide shortcuts for various mouse, menu, and toolbar features of other programs, as well as tools to help users navigate the GNOME desktop. You can launch GOK by typing gok at a command prompt. You can learn more at the main GOK Web page, http://library.gnome.org/users/gnome-access-guide/stable/gok.html.
Screen Display Settings
Users with poor eyesight can benefit from adjustments to screen settings and applications. These include font options, contrast settings, and screen magnification tools.
Adjusting Default Fonts
Most desktop environments provide options to set the default fonts used on the screen. Figure 6.5 shows the System Settings dialog box provided with KDE. You can access this by typing systemsettings in a terminal window or by selecting Configure Desktop from the main menu and then selecting Application Appearance from the options in the window that appears. A similar tool is available in Xfce, accessible from the Appearance item in its System Settings panel.
FIGURE 6.5 Linux desktop environments usually provide control panels with font options.
To adjust the fonts, click the Choose button to the right of the font for each of the main categories, such as General and Menu in Figure 6.5. The result is a font selection dialog box, in which you can select the font family (Sans, Times, and so on), the font style (normal, bold, and so on), and the font size in points. Adjust these options until you find a setting that works well. You’ll have to adjust the font for each of the categories, or at least for those that are most important.
Dyslexic users often benefit from a special font that weights the bottoms of the characters more heavily than the tops. One such font is available from http://dyslexicfonts.com.
Unfortunately, although many applications take their cues on fonts from the desktop environment’s settings, others don’t. Thus, you may need to adjust options in at least some individual applications, as well as in the desktop environment as a whole.
Adjusting Contrast
Desktop environments provide various themes—settings for colors, window manager decorations, and so on. Some themes are better than others in terms of legibility. For instance, some themes are very low in contrast, and others are high in contrast.
Monitors have their own contrast controls. You can adjust these for best legibility, of course, but the contrast adjustments afforded by desktop environment settings are independent of a monitor’s contrast settings.
In KDE, you can set themes in the same System Settings preferences dialog box in which you set the fonts (Figure 6.5); you click the Colors icon in the left pane and select the theme you want to use. The Workspace Appearance item (accessible by clicking Overview from the screen shown in Figure 6.5) provides additional options. Xfce provides similar options in its Appearance control panel.
Using Magnifier Tools
A screen magnifier application enlarges part of the screen—typically the area immediately surrounding the mouse. One common screen magnifier is KMag, which is part of the KDE suite. (You can use KMag even in GNOME, Xfce, or other desktop environments, though.) To use it, type kmag or select it from your desktop menus. The result is the KMag window on the screen, which enlarges the area around the cursor by default.
Using Additional Assistive Technologies
In addition to keyboard, mouse, and conventional display tools, some programs can help those with special needs. Most notably, screen readers and Braille displays can help those who can’t read conventional displays.
Configuring Linux to Speak
Computer speech synthesis has existed for decades. Today, several speech synthesis products are available for Linux, including these:
Orca: This program, which is based at http://live.gnome.org/Orca, is a screen reader that’s been integrated into GNOME 2.16 and later.
Emacspeak: Similar to Orca in many respects, this program aims to enable those with visual impairments to use a Linux computer. You can learn more at http://emacspeak.sourceforge.net.
Using Braille Displays
A Braille display is a special type of computer monitor. Rather than display data visually, it creates a tactile display of textual information in Braille. As such, a Braille display is an efficient way for those with visual impairments to access text-mode information, such as that displayed at a Linux text-mode console. Many Linux text-mode programs can manage a Braille display with no changes.
To use a Braille display, special Linux software is required. The BRLTTY (http://www.mielke.cc/brltty/) project provides a Linux daemon that redirects text-mode console output to a Braille display. It includes features that support scrollback, multiple virtual terminals, and even speech synthesis.
Linux kernels since 2.6.26 include direct support for Braille displays. If you’re familiar with Linux kernel compilation, you should check the Accessibility Support options in the Device Drivers area of the kernel configuration.
Configuring Localization and Internationalization
Linux is an international OS. Its developers and users reside in many countries around the world. Therefore, Linux supports a wide variety of character sets, keyboards, date/time display formats, and other features that can vary from one region to another. Many of these features are set up when you answer questions during installation, but knowing about them—and how to change them—can help you manage your system, particularly if you need to change these options for any reason.
Setting Your Time Zone
When you communicate with other computers (by sending email, transferring files, and so on), those other computers may reside in the same city or around the world. For this reason, it’s helpful for your computer to know something about its time zone. This can help keep files’ time stamps set sensibly and avoid weird temporal problems when exchanging data. For the most part, you need to be concerned with just one time zone setting for a Linux computer; but sometimes you may want to set the time zone one way for one account or login and another way for another account or login. Thus, I describe both methods of setting a time zone.
Setting a Linux Computer’s Time Zone
Linux uses Coordinated Universal Time (UTC) internally. This is the time in Greenwich, England, uncorrected for daylight saving time. When you write a file to disk on a Linux-native filesystem, the time stamp is stored in UTC. When you use tools such as cron (described in Chapter 7, “Administering the System”), they “think” in UTC. Chances are, though, that you use local time. Thus, a Linux computer must be able to translate between local time and UTC.
To perform this translation, Linux needs to know your time zone. Linux looks to the /etc/localtime file for information about its local time zone. This file is one of the rare configuration files that’s not a plain-text file, so you shouldn’t try editing it with a text editor. This file could be a file of its own, or it could be a symbolic or hard link to another file. If it’s a symbolic link, you should be able to determine your time zone by performing a long file listing to see the name of the file to which localtime links:
$ ls -l /etc/localtime
lrwxrwxrwx 1 root root 36 May 14 2008 /etc/localtime -> /usr/share/zoneinfo/America/New_York
If /etc/localtime is a regular file and not a symbolic link or if you want further confirmation of your time zone, try using the date command by itself:
$ date
Mon Sep 3 12:50:58 EDT 2012
The result includes a standard three-letter time zone code (EDT in this example). Of course, you’ll need to know these codes, or at least the code for your area. For a list of time zone abbreviations, consult http://www.timeanddate.com/library/abbreviations/timezones/. Note that the time zone codes vary depending on whether daylight saving time is active, but the Linux time zone files don’t change with this detail. Part of what these files do is describe when to change the clock for daylight saving time.
If you need to change your time zone, you should copy or link a sample file from a standard directory location to the /etc/localtime file:
1. Log in as root or acquire root privileges.
2. Change to the /etc directory.
3. View the contents of the /usr/share/zoneinfo directory. This directory contains files for certain time zones named after the zones or the regions to which they apply, such as GMT, Poland, and Japan. Most users will need to look in subdirectories, such as /usr/share/zoneinfo/US for the United States or /usr/share/zoneinfo/America for North and South America. These subdirectories contain zone files named after the regions or cities to which they apply, such as Eastern or Los_Angeles. (The US subdirectory contains files named after time zones or states, whereas the America subdirectory holds files named after cities.) Identify the file for your time zone. Note that you might use a zone file named after a city other than the one in which you reside but that’s in the same time zone as you. For instance, the New_York file works fine if you’re in Boston, Philadelphia, Cincinnati, or any other city in the same (Eastern) time zone as New York.
4. If a localtime file exists in /etc, delete it or rename it. (For instance, type rm localtime.)
5. Create a symbolic link from your chosen time zone file to the /etc/localtime file. For instance, you can type ln -s /usr/share/zoneinfo/US/Eastern localtime to set up a computer in the U.S. Eastern time zone. Alternatively, you can copy a file (cp) rather than create a symbolic link (ln -s). If /etc and your target file are on the same filesystem, you can create a hard link rather than a symbolic link if you like.
At this point, your system should be configured to use the time zone you’ve selected. If you changed time zones, you should be able to see the difference by typing date, as described earlier. The time zone code on your system should change compared to issuing this command before you changed the /etc/localtime file or link. The time should also change by the number of hours between the time zones you’ve selected (give or take a bit for the time it took you to change the time zone files).
In addition to /etc/localtime, some distributions use a secondary file with text-mode time zone data. This file is called /etc/timezone on Debian and its derivatives. On Fedora and related distributions, it’s /etc/sysconfig/clock. This file contains a line or two with the name of the time zone, sometimes in the form of a variable assignment. For instance, the /etc/timezone file on my Ubuntu system looks like this:
America/New_York
This file provides a quick way to check your time zone. It should also be updated when you change your time zone, lest higher-level configuration tools become confused.
Some distributions provide text-mode or GUI tools to help make time zone changes. Look for a program called tzsetup, tzselect, tzconfig, or something similar. Typically, these programs ask you for your location in several steps (starting with your continent, then your nation, and perhaps then your state or city) and create an appropriate symbolic link.
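The following check is an added example, not part of the book: it reports which zone /etc/localtime resolves to (symbolic link or copy) and whether the text-mode /etc/timezone file still agrees with it, which matters when log time stamps from several hosts have to be correlated. The ROOT argument and the sandbox with fake zone files are assumptions made so the script runs without touching the real /etc.

```shell
#!/bin/sh
# Added example. ROOT is a hypothetical parameter naming the directory that
# stands in for "/", so the check can be run against a sandbox.

# Print the zone name that ROOT/etc/localtime points to or is a copy of.
zone_of_localtime() {
    root=$1
    lt="$root/etc/localtime"
    zi="$root/usr/share/zoneinfo"
    if [ -L "$lt" ]; then
        # Symbolic link: the zone is the link target below zoneinfo/.
        target=$(readlink "$lt")
        printf '%s\n' "${target#*/zoneinfo/}"
    elif [ -f "$lt" ]; then
        # Copy or hard link: report the first zone file with the same bytes.
        find "$zi" -type f | sort | while IFS= read -r f; do
            if cmp -s "$lt" "$f"; then
                printf '%s\n' "${f#"$zi"/}"
                break
            fi
        done
    else
        return 1
    fi
}

# Compare etc/localtime with the zone named in the text-mode etc/timezone.
check_timezone_files() {
    root=$1
    zone=$(zone_of_localtime "$root") || { echo "missing etc/localtime"; return 2; }
    [ -n "$zone" ] || zone="unknown"
    [ -f "$root/etc/timezone" ] || { echo "ok $zone (no etc/timezone)"; return 0; }
    named=$(tr -d '[:space:]' < "$root/etc/timezone")
    # Compare file contents, so two names for the same zone data still agree.
    if cmp -s "$root/etc/localtime" "$root/usr/share/zoneinfo/$named"; then
        echo "ok $zone"
    else
        echo "mismatch localtime=$zone timezone=$named"
        return 1
    fi
}

# Build a constructed sandbox holding two fake zone files.
make_tz_sandbox() {
    root=$(mktemp -d)
    mkdir -p "$root/etc" "$root/usr/share/zoneinfo/America" "$root/usr/share/zoneinfo/Europe"
    printf 'constructed-zone-data-NY\n'  > "$root/usr/share/zoneinfo/America/New_York"
    printf 'constructed-zone-data-LON\n' > "$root/usr/share/zoneinfo/Europe/London"
    printf '%s\n' "$root"
}

# Demonstration: the link was changed but the text file was left stale.
demo=$(make_tz_sandbox)
ln -s "$demo/usr/share/zoneinfo/America/New_York" "$demo/etc/localtime"
echo "Europe/London" > "$demo/etc/timezone"
check_timezone_files "$demo" || true
rm -rf "$demo"
```

On a real host, call check_timezone_files with an empty string as ROOT so the paths resolve to /etc and /usr/share/zoneinfo.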
Setting an Individual Login’s Time Zone
One final wrinkle on time zone issues is the TZ environment variable. (Chapter 9 covers environment variables in more detail.) This environment variable holds time zone information in any of three formats:
The most common format on Linux is :filename, as in :/usr/share/zoneinfo/Europe/London. This tells the system that the time zone is the one described in the specified file.
A second format, common on non-Linux systems, is std offset, where std is a three-character or longer time zone name (such as EST) and offset is a time relative to UTC, with positive values representing offsets west of the Prime Meridian and negative values being east of it. For instance, EST+5 specifies U.S. Eastern Time. This format is used when daylight saving time is not in effect.
If daylight saving time is in effect, a variant on the preceding method is possible: std offset dst[offset],start[/time],end[/time]. This specification adds the daylight saving time code as well as encoded start and end dates (and optionally times). For instance, EST+5EDT,M3.10.0/2,M11.3.0/2 specifies US Eastern Time with daylight saving time encoded with dates for 2013.
In the vast majority of cases, you won’t need to use the TZ environment variable. It can be useful, though, in the event that you’re using a computer remotely—say, if you’re logging into a work computer that’s physically located in San Francisco while you’re traveling to London. Using TZ will enable programs that use this variable to display the correct local date and time in London, despite the fact that the computer’s global time zone is (presumably) set for San Francisco.
In practice, the easiest way to use TZ for a single login is to issue a command like the following:
$ export TZ=:/usr/share/zoneinfo/Europe/London
This example sets the time zone to London for a single session but only from the shell at which you type this command. You can add this command to a user startup script if you want to use it regularly. You should not use this method if all a computer’s programs should use the target time zone; instead, set it by adjusting the /etc/localtime file, as described earlier in “Setting a Linux Computer’s Time Zone.”
Querying and Setting Your Locale
To localize your computer, you must first understand what a locale is in Linux parlance. Once you understand the basics, you can identify your current locale and other locales available to you. If necessary, you may need to install another locale’s data. You can then set your computer to use that locale.
What Is a Locale?
In Linux, a locale is a way of specifying the computer’s (or user’s) language, country, and related information for purposes of customizing displays. A single locale takes the following form:
[language[_territory][.codeset][@modifier]]
Each part of this string has a set of specific acceptable forms. For instance, language can be en (English), fr (French), ja (Japanese), and so on. These are two- or three-letter codes for languages.
The territory can be US (United States), FR (France), JP (Japan), and so on. These are codes for specific regions—generally nations.
The codeset can be ASCII, UTF-8, or other encoding names. The American Standard Code for Information Interchange (ASCII) is the oldest and most primitive encoding method; it supports 7-bit encodings (generally stored in 8-bit bytes) that can handle English, including common punctuation and symbols. ASCII can’t handle characters used in many non-English languages, though, so it’s awkward at best for international use. ISO-8859 was an early attempt to extend ASCII; it employs an eighth bit to extend ASCII by 128 characters, giving room for the characters needed by a small number of non-Roman alphabets. ISO-8859 is broken down into many substandards, each of which handles one language or small group of languages. ISO-8859-1 covers Western European languages and ISO-8859-5 provides Cyrillic support, for instance.
The latest language codeset is the 8-bit Unicode Transformation Format (UTF-8). Like ISO-8859, UTF-8 starts with ASCII, but it extends it by supporting variable-byte extensions so that a single character can take anywhere from one to four bytes to be encoded. This provides the ability to encode text in any language supported by Unicode, which is a character set designed to support as many languages as possible. The big advantage of UTF-8 over ISO-8859 is that there’s no need to specify a substandard, such as ISO-8859-1 or ISO-8859-5; UTF-8 handles all of its writing systems automatically.
The modifier is a locale-specific code that modifies how it works. For instance, it may affect the sort order in a language-specific manner.
What Is Your Locale?
A locale code can be assigned to one or more of several environment variables. To learn how these are set on your system, issue the locale command without any arguments:
$ locale
LANG=en_US.UTF-8
LC_CTYPE="en_US.UTF-8"
LC_NUMERIC="en_US.UTF-8"
LC_TIME="en_US.UTF-8"
LC_COLLATE="en_US.UTF-8"
LC_MONETARY="en_US.UTF-8"
LC_MESSAGES="en_US.UTF-8"
LC_PAPER="en_US.UTF-8"
LC_NAME="en_US.UTF-8"
LC_ADDRESS="en_US.UTF-8"
LC_TELEPHONE="en_US.UTF-8"
LC_MEASUREMENT="en_US.UTF-8"
LC_IDENTIFICATION="en_US.UTF-8"
LC_ALL=
As you can see, quite a few locale variables exist. When programs pay attention to these variables, they adjust themselves appropriately for your locale. For instance, a word processor may default to using common U.S. paper sizes (such as 8.5 × 11 inches) when the territory code in LC_PAPER is set to US, but European paper sizes (such as A4, 210 × 297 mm) when territory is set to a code for a country where these paper sizes are more common.
Most of the locale variables set specific and obvious features, such as LC_PAPER (paper size), LC_MEASUREMENT (measurement units), and so on. The LC_ALL variable is a sort of master override—if it’s set, it overrides all the other LC_* variables.
A related environment variable is LANG. It takes the same type of locale specification as the LC_* variables. It sets the locale in case the LC_* variables aren’t set.
While you’re using the locale command, you should try it with the -a option, which identifies all the locales that are available to you:
$ locale -a
C
en_US.utf8
POSIX
In this example (from an Ubuntu system), very few locales are installed. Some systems may have many more; one of my computers has hundreds of locales available.
Changing Your Locale
If you want to change your locale, you should first verify that an appropriate one is available to you by using locale -a, as just described. If you don’t see appropriate codes, you may need to install additional packages. Unfortunately, names for these packages aren’t standardized. Your best bet is to use a GUI package manager such as yumex or Synaptic (described in Chapter 2) to search on package names and descriptions that include locale or language. In the case of an Ubuntu system that provided just a few locales, many more could be installed from packages called language-support-??, where ?? is a two-character language code.
To temporarily change your locale, the simplest method is to set the LC_ALL environment variable. For safety, you should also set LANG. For instance, to use the locale for Great Britain rather than the United States, you can type
$ export LANG=en_GB.UTF-8
$ export LC_ALL=en_GB.UTF-8
The result should be that all the locale variables change for that session. There will also be changes in the output of programs that honor locales. Note that this change affects only the current shell and the programs launched from it; you won’t see changes in programs that are already running or that you launch from another shell.
To permanently change your locale, you can adjust your bash startup script files, such as ~/.bashrc or /etc/profile, as described in Chapter 1, “Exploring Linux Command-Line Tools.” (Shell scripting is described in more detail in Chapter 9, but setting or adjusting the LANG and LC_ALL environment variables is fairly straightforward.)
X’s configuration file (xorg.conf or XF86Config) includes an option called XkbLayout in the keyboard’s InputDevice section. This option takes a partial or complete locale specification but converted to lowercase—for instance, us or en_us.utf-8. Adjusting this option can provide you with access to language- or country-specific keys. After changing this option, you’ll have to restart X for the changes to take effect.
Some programs and sets of programs may require you to set the language independent of the overall system locale. Thus, you may need to adjust the language for certain specific programs. If a program doesn’t seem to respond to the overall locale setting, check its documentation or browse through its menus to find a way to adjust its defaults.
One setting requires special mention: LANG=C. When you set LANG to C, programs that see this environment variable display output without passing it through locale translations. This can be helpful in some cases if a program’s output is being corrupted by the locale—say by having conversions to UTF-8 change characters that need to be preserved as 8-bit entities. Thus, setting LANG=C can help to avoid some types of problems, particularly in pipelines and scripts that pass one program’s data to another program in binary form.
Localization support is, to some extent or another, the responsibility of each program’s author. It’s entirely possible to write a program that supports just one language or a small subset of languages. Thus, you won’t be able to get every program to support your desired language, particularly if it’s an unusual one.
Modifying Text-File Locales
Sometimes it’s necessary to access textual data that originated on a system that used one encoding but process the data with a program that doesn’t support that encoding. For instance, your preferred text editor might support UTF-8 but not ISO-8859. If you deal exclusively with English text files in ASCII, this isn’t a problem; but if you receive an ISO-8859-1 text file with a few non-Roman characters, such as characters with umlauts, your editor might display those characters strangely.
To overcome this problem, the iconv utility converts between character sets. Its syntax is as follows:
iconv -f encoding [-t encoding] [inputfile]...
The -f and -t options specify the source and destination encodings. (You can obtain a list of encodings by typing iconv --list.) If you omit the target encoding, iconv uses your current locale for guidance. The program sends output to standard output, so if you want to store the data in a file, you must redirect it:
$ iconv -f iso-8859-1 -t UTF-8 umlautfile.txt > umlautfile-utf8.txt
Configuring Printing
Most Linux desktop users work with X, but many also work with another output medium: printed pages. Printing in Linux is a cooperative effort involving several tools. Applications submit print jobs as PostScript documents. Because most Linux systems aren’t connected directly to true PostScript printers, a program called Ghostscript converts the print job into a form that the system’s printer can actually handle. The print queue, which is managed by software known as the Common Unix Printing System (CUPS), then sends the job to the printer. At various stages, administrators and users can examine the contents of a print queue and modify the queue. Understanding the tools used to create and manage print queues will help you to manage Linux printing.
Conceptualizing the Linux Printing Architecture
Linux printing is built around the concept of a print queue. This is a sort of holding area where files wait to be printed. A single computer can support many distinct print queues. These frequently correspond to different physical printers, but it’s also possible to configure several queues to print in different ways to the same printer. For instance, you might use one queue to print single-sided and another queue for double-sided printing on a printer that supports duplexing.
Users submit print jobs by using a program called lpr. Users can call this program directly, or they may let another program call it. In either case, lpr sends the print job into a specified queue. This queue corresponds to a directory on the hard disk, typically in a subdirectory of the /var/spool/cups directory. The CUPS daemon runs in the background, watching for print jobs to be submitted. The printing system accepts print jobs from lpr or from remote computers, monitors print queues, and serves as a sort of “traffic cop,” directing print jobs in an orderly fashion from print queues to printers.
The exam emphasizes the CUPS printing system, which is the most common printing system on modern Linux systems. Older systems used the BSD Line Printer Daemon (LPD) or the similar LPRng printing system. Many of the CUPS tools are workalikes of the LPD tools. If you ever use a system that runs LPD or LPRng, you’ll find that user commands such as lpr work in the way you expect, but configuring the printer must be done in a very different way.
One important and unusual characteristic of Linux printing is that it’s highly network-oriented. As just noted, Linux printing tools can accept print jobs that originate from remote systems as well as from local ones. Even local print jobs are submitted via network protocols, although they don’t normally use network hardware, so even a computer with no network connections can print. In addition to being a server for print jobs, CUPS can function as a client, passing print jobs to other computers that run the same protocols.
Applications can query CUPS about a printer’s capabilities—its paper sizes, whether it supports color, and so on. The older LPD and LPRng printing systems didn’t support such bidirectional communication. Thus, support for these features still isn’t universal; some programs make assumptions about a printer’s capabilities or must be told things that other programs can figure out by themselves.
Understanding PostScript and Ghostscript
If you’ve configured printers under Windows, Mac OS, OS/2, or certain other OSs, you’re probably familiar with the concept of a printer driver. In these OSs, the printer driver stands between the application and the printer queue. In Linux, the printer driver is part of Ghostscript (http://www.cs.wisc.edu/~ghost/), which exists as part of the printer queue, albeit a late part. This relationship can be confusing at times, particularly because not all applications or printers need Ghostscript. Ghostscript serves as a way to translate PostScript, a common printer language, into forms that can be understood by many different printers. Understanding Ghostscript’s capabilities, and how it fits into a printer queue, can be important for configuring printers.
PostScript: The De Facto Linux Printer Language
PostScript printers became popular as accessories for Unix systems in the 1980s. Unix print queues weren’t designed with Windows-style printer drivers in mind, so Unix programs that took advantage of laser printer features were typically written to produce PostScript output directly. As a result, PostScript developed into the de facto printing standard for Unix and, by inheritance, Linux. Where programs on Windows systems were built to interface with the Windows printer driver, similar programs on Linux generate PostScript and send the result to the Linux printer queue.
Some programs violate this standard. Most commonly, many programs can produce raw text output. Such output seldom poses a major problem for modern printers, although some PostScript-only models choke on raw text. Some other programs can produce either PostScript or Printer Control Language (PCL) output for Hewlett-Packard laser printers or their many imitators. A very few programs can generate output that’s directly accepted by other types of printers.
The problem with PostScript as a standard is that it’s uncommon on the low- and mid-priced printers with which Linux is often paired. Therefore, to print to such printers using traditional Unix programs that generate PostScript output, you need a translator and a way to fit that translator into the print queue. This is where Ghostscript fits into the picture.
Ghostscript: A PostScript Translator
When it uses a traditional PostScript printer, a computer sends a PostScript file directly to the printer. PostScript is a programming language, albeit one that’s oriented toward the goal of producing a printed page as output. Ghostscript is a PostScript interpreter that runs on a computer. It takes PostScript input, parses it, and produces output in any of dozens of different bitmap formats, including formats that can be accepted by many non-PostScript printers. This makes Ghostscript a way to turn many inexpensive printers into Linux-compatible PostScript printers at very low cost.
One of Ghostscript’s drawbacks is that it produces large output files. A PostScript file that produces a page filled with text may be just a few kilobytes in size. If this page is to be printed on a 600 dots per inch (dpi) printer using Ghostscript, the resulting output file could be as large as 4MB—assuming it’s black and white. If the page includes color, the size could be much larger. In some sense, this is unimportant because these big files will be stored on your hard disk only briefly. They do still have to get from the computer to the printer, though, and this process can be slow. Also, some printers (particularly older laser printers) may require memory expansion to operate reliably under Linux.
For information about what printers are supported by Ghostscript, check the Ghostscript Web page or the OpenPrinting database Web page (http://www.openprinting.org/printers).
Squeezing Ghostscript into the Queue
Printing to a non-PostScript printer in Linux requires fitting Ghostscript into the print queue. This is generally done through the use of a smart filter. This is a program that’s called as part of the printing process. The smart filter examines the file that’s being printed, determines its type, and passes the file through one or more additional programs before the printing software sends it on to the printer. The smart filter can be configured to call Ghostscript with whatever parameters are appropriate to produce output for the queue’s printer.
CUPS ships with its own set of smart filters, which it calls automatically when you tell the system what model printer you’re using. CUPS provides a Web-based configuration tool, as described in the upcoming section “Using the Web-Based CUPS Utilities.” This system, or distribution-specific GUI printer configuration tools, can make setting up a printer for CUPS fairly straightforward.
The end result of a typical Linux printer queue configuration is the ability to treat any supported printer as if it were a PostScript printer. Applications that produce PostScript output can print directly to the queue. The smart filter detects that the output is PostScript and runs it through Ghostscript. The smart filter can also detect other file types, such as plain-text and various graphics files, and it can send them through appropriate programs instead of or in addition to Ghostscript in order to create a reasonable printout.
If you have a printer that can process PostScript, the smart filter is usually still involved, but it doesn’t pass PostScript through Ghostscript. In this case, the smart filter passes PostScript directly to the printer, but it still sends other file types through whatever processing is necessary to turn them into PostScript.
Running a Printing System
Because Linux printing systems run as daemons, they must be started before they’re useful. This task is normally handled automatically via startup scripts in /etc/rc.d, /etc/init.d, or /etc/rc?.d (where ? is a runlevel number). Look for startup scripts that contain the string cups (or lpd or lprng for older systems) in their names to learn what your system is running. If you’re unsure if a printing system is currently active, use the ps utility to search for running processes by these names, as in
$ ps ax | grep cups
1896 ? Ss 0:01 cupsd
This example shows that cupsd, the CUPS daemon, is running, so the system is using CUPS for printing. If you can’t find any running printing system, consult your distribution’s documentation to learn what is available and check that the appropriate package is installed. All major distributions include startup scripts that should start the appropriate printing daemon when the computer boots.
Configuring CUPS
CUPS uses various configuration files in the /etc/cups directory and its subdirectories to manage its operation. You can edit these files directly, and you may need to do so if you want to share printers or use printers shared by other CUPS systems. The simplest way to add printers to CUPS, though, is to use the tool’s Web-based configuration utility.
Editing the CUPS Configuration Files
You can add or delete printers by editing the /etc/cups/printers.conf file, which consists of printer definitions. Each definition begins with the name of a printer, identified by the string DefaultPrinter (for the default printer) or Printer (for a nondefault printer) in angle brackets (<>), as in the following:
<DefaultPrinter okidata>
This line marks the beginning of a definition for a printer queue called okidata. The end of this definition is a line that reads </Printer>. Intervening lines set assorted printer options, such as identifying strings, the printer’s location (its local hardware port or network location), its current status, and so on. Additional options are stored in a PostScript Printer Definition (PPD) file that’s named after the queue and stored in the /etc/cups/ppd subdirectory. PPD files follow an industry-standard format. For PostScript printers, you can obtain a PPD file from the printer manufacturer, typically from a driver CD-ROM or from the manufacturer’s Web site. CUPS and its add-on driver packs also ship with a large number of PPD files that are installed automatically when you use the Web-based configuration utilities.
As a general rule, you’re better off using the CUPS Web-based configuration tools to add printers rather than adding printers by directly editing the configuration files. If you like, though, you can study the underlying files and tweak the configurations using a text editor to avoid having to go through the full Web-based tool to make a minor change.
One exception to this rule relates to configuring the CUPS Web-based interface tool itself and CUPS’ ability to interface with other CUPS systems. One of the great advantages of CUPS is that it uses a new network printing protocol, known as the Internet Printing Protocol (IPP), in addition to the older LPD protocol used by BSD LPD and LPRng. IPP supports a feature it calls browsing, which enables computers on a network to automatically exchange printer lists. This feature can greatly simplify configuring network printing. You may need to change some settings in the main CUPS configuration file, /etc/cups/cupsd.conf, to enable this support.
The /etc/cups/cupsd.conf file, which is structurally similar to the Apache Web server configuration file, contains a number of configuration blocks that specify which other systems should be able to access it. Each block controls access to a particular location on the server. These blocks look like this:
<Location /printers>
Order Deny,Allow
Deny from All
BrowseAllow from 127.0.0.1
BrowseAllow from 192.168.1.0/24
BrowseAllow from @LOCAL
Allow from 127.0.0.1
Allow from 192.168.1.0/24
Allow from @LOCAL
</Location>
If you’re configuring a workstation with a local printer that you don’t want to share or if you want to configure a workstation to use printers shared via LPD or some other non-IPP printing protocol, you shouldn’t need to adjust /etc/cups/cupsd.conf. If you want to access remote IPP printers, however, you should at least activate browsing by setting the directive Browsing On, as described shortly. You shouldn’t have to modify your location definitions unless you want to share your local printers.
The /printers location, shown here, controls access to the printers themselves. The following list includes features of this example:
Directive Order: The Order Deny,Allow line tells CUPS in which order it should apply allow and deny directives—in this case, allow directives modify deny directives.
Default Policy: The Deny from All line tells the system to refuse all connections except those that are explicitly permitted.
Browsing Control Lines: The BrowseAllow lines tell CUPS from which other systems it should accept browsing requests. In this case, it accepts connections from itself (127.0.0.1), from systems on the 192.168.1.0/24 network, and from systems connected to local subnets (@LOCAL).
Access Control Lines: The Allow lines give the specified systems non-browse access to printers—that is, those systems can print to local printers. In most cases, the Allow lines are the same as the BrowseAllow lines.
You can also create a definition that uses Allow from All and then creates BrowseDeny and Deny lines to limit access. As a general rule, though, the approach shown in this example is safer. Locations other than the /printers location can also be important. For instance, there’s a root (/) location that specifies default access permissions to all other locations and an /admin location that controls access to CUPS administrative functions.
Before the location definitions in cupsd.conf are a few parameters that enable or disable browsing and other network operations. You should look for the following options specifically:
Enabling Browsing: The Browsing directive accepts On and Off values. The CUPS default is to enable browsing (Browsing On), but some Linux distributions disable it by default.
Browsing Access Control: The BrowseAddress directive specifies the broadcast address to which browsing information should be sent. For instance, to broadcast data on your printers to the 192.168.1.0/24 subnet, you’d specify BrowseAddress 192.168.1.255.
Once you’ve configured a CUPS server to give other systems access to its printers via appropriate location directives and once you’ve configured the client systems to use browsing via Browsing On, all the systems on the network should auto-detect all the printers on the network. You don’t need to configure the printer on any computer except the one to which it’s directly connected. All printer characteristics, including their network locations and PPD files, are propagated automatically by CUPS. This feature is most important in configuring large networks with many printers or networks on which printers are frequently added and deleted.
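The Location blocks described above can be reviewed mechanically. This added example (not code from the book or from CUPS) reads a cupsd.conf-style file on standard input and marks for review any block that departs from the Order Deny,Allow plus Deny from All pattern shown earlier, any block that also carries Allow from All, and any /admin block that admits a non-loopback source. The sample configuration and the status labels are constructed for the illustration.

```shell
#!/bin/sh
# Added example: lint the <Location> blocks of a cupsd.conf-style file.
# Output: one line per block, "location status allowed-sources".

audit_cups_locations() {
    awk '
    function report(   status) {
        status = "ok"
        if (!(order == "deny,allow" && deny_all)) status = "review:no-default-deny"
        else if (allow_all)                       status = "review:allow-from-all"
        else if (loc ~ /^\/admin/ && remote)      status = "review:remote-admin"
        print loc, status, (allows == "" ? "-" : allows)
    }
    /^[ \t]*#/ { next }                       # skip comment lines
    tolower($1) == "<location" {              # block opens: reset the state
        loc = $2; sub(/>$/, "", loc)
        in_loc = 1; order = ""; deny_all = 0; allow_all = 0; remote = 0; allows = ""
        next
    }
    tolower($1) == "</location>" { if (in_loc) report(); in_loc = 0; next }
    !in_loc { next }                          # ignore directives outside blocks
    tolower($1) == "order" { order = tolower($2 $3) }
    tolower($1) == "deny" && tolower($3) == "all" { deny_all = 1 }
    tolower($1) == "allow" && tolower($2) == "from" {
        src = tolower($3)
        if (src == "all") allow_all = 1
        if (src != "127.0.0.1" && src != "localhost" && src != "::1") remote = 1
        allows = allows (allows == "" ? "" : ",") $3
    }'
}

# Constructed sample configuration (not taken from a real host).
sample_cupsd_conf() {
    cat <<'EOF'
# constructed cupsd.conf fragment
Browsing On
<Location />
Order Deny,Allow
Deny from All
Allow from 127.0.0.1
</Location>
<Location /printers>
Order Deny,Allow
Deny from All
BrowseAllow from 127.0.0.1
Allow from 127.0.0.1
Allow from 192.168.1.0/24
Allow from @LOCAL
</Location>
<Location /admin>
Order Deny,Allow
Deny from All
Allow from 127.0.0.1
Allow from 192.168.1.0/24
</Location>
<Location /jobs>
Order Allow,Deny
Allow from All
</Location>
EOF
}

sample_cupsd_conf | audit_cups_locations
```

A review status is a prompt to read the block by hand, not a verdict; the script does not evaluate the full allow and deny logic.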
Obtaining CUPS Printer Definitions
Most Linux distributions ship with CUPS smart filter support for a variety of printers. If you can’t find support for your printer, you can look for additional printer definitions. These definitions may consist of PPD files, appropriate behind-the-scenes “glue” to tell CUPS how to use them, and possibly Ghostscript driver files. You can obtain these printer definitions from several sources:
Your Linux Distribution: Many distributions ship extra printer definitions under various names, so check your distribution for such a package. Many distributions include some of the driver packages described next.
Foomatic: The Linux Printing Web site hosts a set of utilities and printer definitions known collectively as Foomatic (http://www.linuxfoundation.org/en/OpenPrinting/Database/Foomatic). These provide many additional printer definitions for CUPS (as well as for other printing systems).
Gutenprint: The Gutenprint drivers, originally known as GIMP Print, after the GNU Image Manipulation Program (GIMP), support a wide variety of printers. Check http://gimp-print.sourceforge.net for more information.
CUPS DDK: The CUPS Driver Development Kit (DDK) is a set of tools designed to simplify CUPS driver development. It ships with a handful of drivers for Hewlett-Packard and Epson printers and is included with the CUPS source code.
Printer Manufacturers: Some printer manufacturers offer CUPS drivers for their printers. These may be nothing more than Foomatic, Gutenprint, or other open source drivers; but a few provide proprietary drivers, some of which support advanced printer features that the open source drivers don’t support.
Chances are good that you’ll find support for your printer in your standard installation, particularly if your distribution has installed the Foomatic or Gutenprint package. If you start configuring printers and can’t find your model, though, you should look for an additional printer definition set from one of the preceding sources.
Using the Web-Based CUPS Utilities
The CUPS IPP printing system is closely related to the Hypertext Transfer Protocol (HTTP) used on the Web. The protocol is so similar, in fact, that you can access a CUPS daemon by using a Web browser. You need only specify that you want to access the server on port 631—the normal printer port. To do so, enter http://localhost:631 in a Web browser on the computer running CUPS. (You may be able to substitute the hostname or access CUPS from another computer by using the server’s hostname, depending on your cupsd.conf settings.) This action brings up a list of administrative tasks you can perform. Click Printers or Manage Printers to open the printer management page, shown in Figure 6.6.
FIGURE 6.6 CUPS provides its own Web-based configuration tool.
If you’re configuring a stand-alone computer or the only one on a network to use CUPS, the printer list may be empty, unlike the one shown in Figure 6.6. If other computers on your network use CUPS, you may see their printers in the printer list, depending on their security settings. Many modern distributions auto-configure USB printers when you plug them in or turn them on, so they may not need to be added, either.
You can add, delete, or modify printer queues using the CUPS Web control system. To add a printer, follow these steps:
1. From the Administration tab, click Add Printer.
CUPS is likely to ask for a username and password at this point. Type root as the username and your root password as the password. The need to pass your root password unencrypted is one reason you should be cautious about configuring printers from a remote computer.
2. The system displays a page that shows options for printers to add in each of three categories: local printers, discovered network printers, and other network printers. One or more of these categories may be empty. If you’re trying to add a local printer and the local printers category is empty, either it was auto-detected or CUPS can’t detect any likely printer interface hardware. Check your cables and drivers, and then restart CUPS and reload its Web page. If you see an option for the printer you want to add, select it and click Continue.
3. If you entered a network printer, the result is a page in which you enter the complete path to the device. Type the path, such as lpd://printserv/brother to print to the brother queue on the printserv computer. Click Continue when you’re done.
4. CUPS displays a page in which you enter the printer’s name, description, and location. You’ll use the name to specify the printer in both command-line and GUI tools, so a short one-word name is best. The description and location fields are both descriptive expansions to help users positively identify the printer. You can also click the Share This Printer check box if you want to share the printer definition with other CUPS-using computers on the network.
5. You’ll now see a list of manufacturers. Select one, and click Continue. Alternatively, you can point directly to a PPD file if you have one handy. If you do this, you’ll skip the next step.
6. CUPS now displays a complete list of printer models in the class you selected in step 5. Select an appropriate model, and click Add Printer. Alternatively, you can provide a PPD file if you have one.
7. You should now see a page on which you can set default options, such as the paper size and print resolution. The details of what options are available depend on the printer model you selected. Change any options you like and click Set Default Options. Your printer is now defined.
If you click the Printers item at the top of the page, you should be returned to the printers list (Figure 6.6), but your new printer should be listed among the existing queues. You can print a test page by clicking the link to the printer and then selecting Print Test Page from the button selector that reads Maintenance by default. If all goes well, a test page will emerge from your printer. If it doesn’t, go back and review your configuration by selecting Modify Printer from the button selector that reads Administration by default. This action takes you through the steps for adding a printer but with your previous selections already entered as the defaults. Try changing some settings until you get the printer to work.
Printing to Network Printers
If your network hosts many Windows computers, you may use the Server Message Block/Common Internet File System (SMB/CIFS) for file and printer sharing among Windows systems. Linux’s Samba server also implements this protocol and so can be used for sharing printers from Linux.
On the flip side, you can print to an SMB/CIFS printer queue from a Linux system. To do so, you select an SMB/CIFS queue in the printer configuration tool. Under CUPS, it’s called Windows Printer via SAMBA in step 2 in the preceding procedure. You must then provide your username, password, server name, and share name, but the format isn’t obvious from the Web-based configuration tool:
smb://username:password@SERVER/SHARE
This is a URI for an SMB/CIFS share. You must substitute appropriate values for username, password, SERVER, and SHARE, of course. Once this is done and you’ve finished the configuration, you should be able to submit print jobs to the SMB/CIFS share.
SMB/CIFS printers hosted by Windows systems are usually non-PostScript models, so you must select a local Linux smart filter and Ghostscript driver, just as you would for a local printer. Printers hosted by Linux systems running Samba, by contrast, are frequently configured to act like PostScript printers, so you should select a PostScript driver when connecting to them.
If you want to print to a Unix or Linux server that uses the old LPD protocol, the URI format is similar but omits a username and password:
lpd://hostname/queue
You can use the same format, but substitute ipp:// for lpd://, to print to a CUPS server if browsing is disabled on your network.
In practice, you may be faced with a decision: Should you use LPD, IPP, or SMB/CIFS for submitting print jobs? To be sure, not all print servers support all three protocols, but a Linux server might support them all. As a general rule, IPP is the simplest to configure because it supports browsing, which means that CUPS clients shouldn’t need explicit configuration to handle specific printers. This makes IPP the best choice for Linux-to-Linux printing, assuming both systems run CUPS. When CUPS isn’t in use, LPD is generally easier to configure than SMB/CIFS, and it has the advantage of not requiring the use of a username or password to control access. Because SMB/CIFS security is password-oriented, clients typically store passwords in an unencrypted form on the hard disk. This fact can become a security liability, particularly if you use the same account for printing as for other tasks. On the other hand, sometimes using a password on the server provides more of a security benefit than the risk of storing that password on the client. Generally speaking, if clients are few and well protected, whereas the server is exposed to the Internet at large, using passwords can be beneficial. If clients are numerous and exposed to the Internet, whereas the print server is well protected, a password-free security system that relies on IP addresses may be preferable.
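The password-storage risk described above can be checked on a CUPS client. The following is an added example, not part of the original text: it scans DeviceURI lines, assumed to follow the layout of /etc/cups/printers.conf, for credentials embedded in the URI and tests whether the file is world-readable. The function names, the sample file contents, and the password s3cret are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original text): find print queues whose device
# URI carries a username and password, as in smb://username:password@SERVER/SHARE.
# Assumption: input uses the "<Printer name>" / "DeviceURI uri" layout of
# /etc/cups/printers.conf. All sample values below are constructed.

# Constructed sample; queue and host names reuse the chapter's examples.
sample_printers_conf() {
    cat <<'EOF'
<Printer hp4000>
DeviceURI lpd://printserv/brother
</Printer>
<DefaultPrinter lexmark>
DeviceURI smb://ljones:s3cret@SERVER/SHARE
</DefaultPrinter>
<Printer okidata>
DeviceURI ipp://ljones@printserv/printers/okidata
</Printer>
EOF
}

# audit_device_uris FILE
# Prints "<queue> <verdict> <uri>" per queue. The password is masked in the
# report so the audit output does not become a second copy of the secret.
audit_device_uris() {
    awk '
    /^<(Default)?Printer / { name = $2; sub(/>$/, "", name) }
    $1 == "DeviceURI" {
        uri = $2
        rest = uri
        # Strip "scheme://"; URIs without an authority part cannot hold userinfo.
        if (!sub(/^[a-z][a-z0-9+.-]*:\/\//, "", rest)) {
            print name, "no-authority", uri
            next
        }
        scheme = substr(uri, 1, index(uri, ":") - 1)
        authority = rest
        sub(/\/.*$/, "", authority)
        path = substr(rest, length(authority) + 1)
        # Use the last "@" so a password containing "@" is still masked.
        at = 0
        for (i = length(authority); i > 0; i--)
            if (substr(authority, i, 1) == "@") { at = i; break }
        if (at == 0) { print name, "ok", uri; next }
        userinfo = substr(authority, 1, at - 1)
        host = substr(authority, at + 1)
        colon = index(userinfo, ":")
        if (colon > 0)
            print name, "PASSWORD-IN-URI", scheme "://" substr(userinfo, 1, colon - 1) ":****@" host path
        else
            print name, "user-only", uri
    }' "$1"
}

# world_readable FILE: succeeds if "other" users have read permission.
world_readable() {
    [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

# Demo on the constructed sample; pass a real file path to audit it instead.
if [ -n "${1:-}" ]; then
    audit_device_uris "$1"
    if world_readable "$1"; then
        echo "WARNING: $1 is world-readable"
    fi
else
    sample_printers_conf | audit_device_uris -
fi
```

A queue reported as PASSWORD-IN-URI is a candidate for a dedicated print-only account, which limits the damage if the stored password is read.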
Monitoring and Controlling the Print Queue
You can use several utilities to submit print jobs and to examine and manipulate a Linux print queue. These utilities are lpr, lpq, lprm, and lpc. All of these commands can take the -P parameter to specify that they operate on a specific print queue.
Printing Files with lpr
Once you’ve configured the system to print, you probably want to start printing. As mentioned earlier, Linux uses the lpr program to submit print jobs. This program accepts many options that you can use to modify the program’s action:
Specify a Queue Name: The -P queuename option enables you to specify a print queue. This is useful if you have several printers or if you’ve defined several queues for one printer. If you omit this option, the default printer is used.
In the original BSD version of lpr, there should be no space between the -P and the queue name. LPRng and CUPS are more flexible in this respect; you can insert a space or omit it as you see fit.
Delete the Original File: Normally, lpr sends a copy of the file you print into the queue, leaving the original unharmed. Specifying the -r option causes lpr to delete the original file after printing it.
Suppress the Banner: The -h option suppresses the banner for a single print job. Early versions of CUPS didn’t support this option, but recent versions do.
Specify a Job Name: Print jobs have names to help identify them, both while they’re in the queue and once they’re printed (if the queue is configured to print banner pages). The name is normally the name of the first file in the print job, but you can change it by including the -J jobname option. The -C and -T options are synonymous with -J.
Notify a User by Email: The -m username option causes lpd to send email to username when the print job is complete. This option was unavailable in early versions of CUPS but is available in recent versions.
Specify the Number of Copies: You can specify the number of copies of a print job by using the -# number option, as in -#3 to print three copies of a job.
Suppose you have a file called report.txt that you want to print to the printer attached to the lexmark queue. This queue is often busy, so you want the system to send email to your account, ljones, when it’s finished so you know when to pick up the printout. You can use the following command to accomplish this task:
$ lpr -Plexmark -m ljones report.txt
The lpr command is accessible to ordinary users as well as to root, so anybody may print using this command. It’s also called from many programs that need to print directly, such as graphics programs and word processors. These programs typically give you some way to adjust the print command so that you can enter parameters such as the printer name. For instance, Figure 6.7 shows Firefox’s Print dialog box, which features a list of available print queues, Range options to enable you to print a subset of the document’s pages, and a Copies field so that you can print multiple copies. Additional tabs enable you to set more options. Some programs provide a text entry field in which you type some or all of an lpr command instead of selecting from a list of available queues and options. Consult the program’s documentation if you’re not sure how it works.
FIGURE 6.7 Most Linux programs that can print do so by using lpr, but many hide the details of the lpr command behind a dialog box.
Sometimes you want to process a file in some way prior to sending it to the printer. Chapter 1 covers some commands that can do this, such as fmt and pr. Another handy program is mpage, which reads plain-text or PostScript files and reformats them so that each printed sheet contains several reduced-size pages from the original document. This can be a good way to save paper if you don’t mind a reduction in the document’s text or image size. In the simplest case, you can use mpage much as you’d use lpr:
$ mpage -Plexmark report.ps
This command prints the report.ps file reduced to fit four pages per sheet. You can change the number of source pages to fit on each printed page with the -1, -2, -4, and -8 options, which specify one, two, four, or eight input pages per output page, respectively. Additional mpage options exist to control features such as the paper size, the font to be used for plain-text input files, and the range of input file pages to be printed. Consult the man page for mpage for more details.
Displaying Print Queue Information with lpq
The lpq utility displays information about the print queue—how many files it contains, how large they are, who their owners are, and so on. By entering the user’s name as an argument, you can also use this command to check on any print jobs owned by a particular user. To use lpq to examine a queue, you can issue a command like the following:
$ lpq -Php4000
hp4000 is ready and printing
Rank    Owner    Job   File(s)   Total Size
active  rodsmit  1630  file:///  90112 bytes
Of particular interest is the job number—1630 in this example. You can use this number to delete a job from the queue or reorder it so that it prints before other jobs. Any user may use the lpq command.
Removing Print Jobs with lprm
The lprm command removes one or more jobs from the print queue. You can issue this command a couple of ways:
If lprm is used with a number, that number is understood to be the job ID (as shown in lpq’s output) of the job that’s to be deleted.
If a user runs the BSD or CUPS lprm and passes a dash (-) to the program, it removes all the jobs belonging to the user.
This program may be run by root or by an ordinary user; but as just noted, its capabilities vary depending on who runs it. Ordinary users may remove only their own jobs from the queue, but root may remove anybody’s print jobs.
Controlling the Print Queue
In the original BSD LPD system, the lpc utility starts, stops, and reorders jobs within print queues. Although CUPS provides an lpc command, it has few features. Instead of using lpc, you should use the CUPS Web interface, which provides point-and-click print queue management:
You can disable a queue by clicking the Stop Printer link for the printer on the CUPS Web interface. When you do so, this link changes to read Start Printer, which reverses the effect when clicked. The Jobs link also provides a way to cancel and otherwise manage specific jobs.
You can use a series of commands, such as cupsenable, cupsdisable, and lpmove, to control the queue. These commands enable a queue, disable a queue, or move a job from one queue to another. Moving a job can be handy if you must shut down a queue for maintenance and want to redirect the queue’s existing jobs to another printer.
In Exercise 6.1, you’ll practice using Linux’s printing capabilities.
EXERCISE 6.1
Printing with Linux
To perform this exercise, you must have a printer connected to your Linux computer—either a local printer or a network model. To perform some of the steps, you must also have root access to your computer so that you can manage the queue. To begin, follow these steps:
1. Launch a Web browser, enter http://localhost:631 as the URI, and then click the Printers tab. This should produce a list of printers, as in Figure 6.6. If the list is empty, you’ll need to define at least one printer queue, as described earlier, before proceeding. If printers are defined, take note of their names. For purposes of this exercise, I’ll assume a queue named hp4000 exists; change this name as necessary in the following steps.
2. Type lpr -Php4000 /etc/fstab to obtain a printout of this system configuration file. Verify that it printed correctly.
3. Type lpq -Php4000 to view the contents of the hp4000 queue. If you’re using a single-user computer, chances are the queue will be empty at this point.
4. Type lpr -Php4000 /etc/fstab; lpq -Php4000. This command prints another copy of /etc/fstab and immediately displays the contents of the print queue. It should not be empty this time, since the job will have been submitted but won’t have had time to clear the queue by the time lpq executes.
5. In another shell, type su to obtain root access.
6. In your root shell, type cupsdisable hp4000. This action disables the queue; it will still accept jobs, but they won’t print.
7. Type lpr -Php4000 /etc/fstab to obtain yet another printout of /etc/fstab. Because the queue is disabled, it won’t print.
8. Type lpq -Php4000 to view the contents of the printer queue. Note that, instead of hp4000 is ready, lpq reports hp4000 is not ready; however, the job you submitted should appear in the queue. Suppose it has a job number of 497.
9. Type lprm -Php4000 497 (changing the job number for your system).
10. Type lpq -Php4000 again to verify that the job has been removed from the queue.
11. Type cupsenable hp4000 in your root shell. This should re-enable the queue.
12. Type lpr -Php4000 /etc/fstab to print another copy of this file and verify that the printer is actually working again.
Using cupsdisable and cupsenable in this exercise has two purposes: to give you experience using these commands and to give you a chance to delete a job from the queue. A short file such as /etc/fstab can be printed so quickly that you might not have time to remove it from the queue before it disappears because it’s sitting in the printer’s out tray!
Summary
X is Linux’s GUI system. In part because of Linux’s modular nature, X isn’t a single program; you have your choice of X servers to run on Linux. Fortunately, most Linux distributions use the same X server as all others (X.org-X11). Both X.org-X11 and its main competitor, XFree86, are configured in much the same way, using the xorg.conf (for X.org-X11) or XF86Config configuration file. Whatever its name, this file consists of several sections, each of which controls one X subsystem, such as the mouse, the keyboard, or the video card. This file also controls X’s core fonts system, but you can use a font server in addition to this system; and most modern programs are now emphasizing an entirely new font system, Xft, instead of X core fonts. For this reason, Linux font configuration can be complex.
X’s GUI login system uses an XDMCP server, which starts X and manages the X display. Several XDMCP servers are in common use in Linux, the most important being XDM, KDM, and GDM. They all perform the same basic tasks, but configuration details differ. (XDM is also less sophisticated than KDM and GDM.) X is a network-enabled GUI, which means you can use an X server to access programs running on another computer. Doing so requires performing a few steps for each login session. You can also tunnel X accesses through SSH, which greatly improves the security of the connection.
An assortment of tools can help make Linux more accessible to users with visual or motor impairments. You can adjust font size, screen contrast, and other display features to improve legibility; use screen magnifiers to help users read part of a larger screen; or even bypass a visual display entirely and use a screen reader for auditory output or a Braille display for tactile output. On the input side, you can adjust keyboard repeat rates, use sticky keys, or modify the mouse tracking speed and click sensitivity to improve users’ ability to input data accurately. You can even have a mouse stand in for a keyboard or vice versa by using appropriate software.
The second main visual output tool on computers is a printer, and Linux provides sophisticated printer support. The CUPS package manages printers in Linux by accepting local or remote print jobs, passing them through a smart filter for processing, and queuing the jobs so that they print in a reasonable order. Most CUPS configuration is best handled via its own Web interface, but some options (particularly security features) can be set via text configuration files.
Exam Essentials
Name the major X servers for Linux. XFree86 has been the traditional standard Linux X server, but in 2004 X.org-X11 (which was based on XFree86) rapidly gained prominence as the new standard Linux X server. Accelerated-X is a commercial X server that sometimes supports video cards that aren’t supported by XFree86 or X.org-X11.
Describe the X configuration file format. The XFree86 and X.org-X11 configuration file is broken into multiple sections, each of which begins with the keyword Section and ends with EndSection. Each section sets options related to a single X feature, such as loading modules, specifying the mouse type, or describing the screen resolution and color depth.
Summarize the differences between X core fonts, a font server, and Xft fonts. X core fonts are managed directly by X, and they lack modern font features such as font smoothing. Font servers integrate with the X core fonts but run as separate programs and may optionally deliver fonts to multiple computers on a network. Xft fonts bypass the X core font system to provide client-side fonts in a way that supports modern features such as font smoothing.
Explain the role of an XDMCP server. An XDMCP server, such as XDM, KDM, or GDM, launches X and controls access to X via a login prompt—that is, it serves as Linux’s GUI login system. XDMCP servers are also network-enabled, providing a way to log in remotely from another X server.
Describe X’s client-server model. An X server runs on the user’s computer to control the display and accept input from the keyboard and mouse. Client programs run on the same computer or on a remote computer to do the bulk of the computational work. These client programs treat the X server much as they treat other servers, requesting input from and sending output to them.
Explain the benefits of using SSH for remote X access. SSH can simplify remote X-based network access by reducing the number of steps required to run X programs from a remote computer. More important, SSH encrypts data, which keeps information sent between the X client and X server secure from prying eyes.
Summarize X accessibility features. You can adjust keyboard and mouse options to help those with motor impairments to use keyboards and mice or to substitute one device for the other. Font size, contrast, and magnification tools can help those with visual impairments. Finally, text readers and Braille displays can enable blind individuals to use a Linux system.
Describe how to set a time zone in Linux. Linux uses a binary file, /etc/localtime, to describe the features of the time zone. This file is copied or linked from a repository of such files at system installation, but you can replace the file at any time.
Explain the role of Ghostscript in Linux printing. PostScript is the standard Linux printing language, and Ghostscript converts PostScript into bitmap formats that are acceptable to non-PostScript printers. Thus, Ghostscript is a critical translation step in many Linux print queues, although it’s not required for PostScript printers.
Summarize how print jobs are submitted and managed under Linux. You use lpr to submit a print job for printing, or an application program may call lpr itself or implement its functionality directly. The lpq utility summarizes jobs in a queue, and lprm can remove print jobs from a queue.
Review Questions
1. When you configure an X server, you need to make changes to configuration files and then start or restart the X server. Which of the following can help streamline this process?
A. Shut down X by switching to a runlevel in which X doesn’t run automatically, and then reconfigure it and use startx to test X startup.
B. Shut down X by booting into single-user mode, and then reconfigure X and use telinit to start X running again.
C. Reconfigure X, and then unplug the computer to avoid the lengthy shutdown process before restarting the system and X along with it.
D. Use the startx utility to check the X configuration file for errors before restarting the X server.
E. Connect the Linux computer’s network port directly to the X server, without using any intervening routers, in order to reduce network latency.
2. Which of the following summarizes the organization of the X configuration file?
A. The file contains multiple sections, one for each screen. Each section includes subsections for individual components (keyboard, video card, and so on).
B. Configuration options are entered in any order desired. Options relating to specific components (keyboard, video card, and so on) may be interspersed.
C. The file begins with a summary of individual screens. Configuration options are preceded by a code word indicating the screen to which they apply.
D. The file is broken into sections, one or more for each component (keyboard, video card, and so on). The file also has one or more sections that define how to combine the main sections.
E. The file is a rare binary configuration file that must be accessed using SQL database tools.
3. A monitor’s manual lists its range of acceptable synchronization values as 27−96 kHz horizontal and 50−160 Hz vertical. What implications does this have for the resolutions and refresh rates the monitor can handle?
A. The monitor can run at up to 160 Hz vertical refresh rate in all resolutions.
B. The monitor can handle up to 160 Hz vertical refresh rate depending on the color depth.
C. The monitor can handle up to 160 Hz vertical refresh rate depending on the resolution.
D. The monitor can handle vertical resolutions of up to 600 lines (96,000 ÷ 160), but no more.
E. The monitor can handle horizontal resolutions of up to 600 columns (96,000 ÷ 160), but no more.
4. In what section of XF86Config or xorg.conf do you specify the resolution that you want to run?
A. In the ServerLayout section, using the Screen option
B. In the Monitor section, using the Modeline option
C. In the Device section, using the Modeline option
D. In the DefaultResolution section, using the Define option
E. In the Screen section, subsection Display, using the Modes option
5. What is an advantage of a font server?
A. It provides faster font displays than are otherwise possible.
B. It can simplify font maintenance on a network with many X servers.
C. It’s the only means of providing TrueType support for XFree86 4.x.
D. It enables the computer to turn a bitmapped display into an ASCII text file.
E. It enables X to use font smoothing, which isn’t possible with core fonts.
6. What methods do Linux distributions use to start X automatically when the system boots? (Select two.)
A. Start an XDMCP server from the Start folder.
B. Start an XDMCP server from an ~/.xinitrc script.
C. Start an XDMCP server via a system startup script.
D. Start an XDMCP server via a boot manager.
E. Start an XDMCP server from init.
7. How would you change the text displayed by XDM as a greeting?
A. Click Configure Greeting from the XDM main menu, and edit the text in the resulting dialog box.
B. Pass greeting="text" as a kernel option in the boot loader, changing text to the new greeting.
C. Edit the /etc/X11/xorg.conf file, and change the Greeting option in the xdm area.
D. Run xdmconfig, and change the greeting on the Login tab.
E. Edit the /etc/X11/xdm/Xresources file, and change the text in the xlogin*greeting line.
8. Which of the following features do KDM and GDM provide that XDM doesn’t?
A. An encrypted remote X-based access ability, improving network security
B. The ability to accept logins from remote computers, once properly configured
C. The ability to select the login environment from a menu on the main login screen
D. A login screen that shows the username and password simultaneously rather than sequentially
E. An option to log into text mode if X should fail to start
9. Which of the following commands tells the X server to accept connections from penguin.example.com?
A. xhost +penguin.example.com
B. export DISPLAY=penguin.example.com:0
C. telnet penguin.example.com
D. xaccess penguin.example.com
E. ssh penguin.example.com
10. To assist an employee who has trouble with keyboard repeat features, you’ve disabled this function in /etc/X11/xorg.conf. Why might this step not be sufficient to the goal of disabling keyboard repeat?
A. GNOME, KDE, or other desktop environment settings for keyboard repeat may override those set in xorg.conf.
B. The xorg.conf file has been deprecated; you should instead adjust the /etc/X11/XF86Config file.
C. Keyboard settings in xorg.conf apply only to PS/2 keyboards; you must use usbkbrate to adjust keyboard repeat for USB keyboards.
D. You must also locate and reset the DIP switch on the keyboard to disable keyboard repeat.
E. The keyboard repeat options in xorg.conf work only if the keyboard’s nationality is set incorrectly, which it often is not.
11. Which of the following programs may be used to provide computer-generated speech for users who have trouble reading computer displays? (Select two.)
A. SoX
B. Braille
C. Orca
D. talk
E. Emacspeak
12. You manage a computer that’s located in Los Angeles, California, but the time zone is misconfigured as being in Tokyo, Japan. What procedure can you follow to fix this problem? (Select two.)
A. Run hwclock --systohc to update the clock to the correct time zone.
B. Delete /etc/localtime, and replace it with an appropriate file from /usr/share/zoneinfo.
C. Edit the /etc/tzconfig file so that it specifies North_America/Los_Angeles as the time zone.
D. Edit /etc/localtime, and change the three-letter time zone code on the TZ line.
E. Use the tzselect program to select a new (Los Angeles) time zone.
13. You’re configuring a Linux system that doesn’t boot any other OS. What is the recommended time to which the computer’s hardware clock should be set?
A. Helsinki time
B. Local time
C. US Pacific time
D. UTC
E. Internet time
14. You’ve developed a script that uses several Linux commands and edits their output. You want to be sure that the script runs correctly on a computer in Great Britain, although you’re located elsewhere, since the output includes features such as currency symbols and decimal numbers that are different from one nation to another. What might you do to test this?
A. Enter the BIOS, locate and change the location code, reboot into Linux, and run the script.
B. Edit /etc/locale.conf, change all the LC_* variables to en_GB.UTF-8, and then reboot and run the script.
C. Type export LC_ALL=en_GB.UTF-8, and run the script from the same shell you used to type this command.
D. Type locale_set Great_Britain, and run the script from the same shell you used to type this command.
E. Type export TZ=:/usr/share/zoneinfo/Europe/London, and run the script from the same shell you used to type this command.
15. Which character set encoding is the preferred method on modern Linux systems?
A. UTF-8
B. ASCII
C. ISO-8859-1
D. ISO-8859-8
E. ATASCII
16. Which of the following describes the function of a smart filter?
A. It improves the legibility of a print job by adding font smoothing to the text.
B. It detects information in print jobs that may be confidential as a measure against industrial espionage.
C. It sends email to the person who submitted the print job, obviating the need to wait around the printer for a printout.
D. It detects and deletes prank print jobs that are likely to have been created by miscreants trying to waste your paper and ink.
E. It detects the type of a file and passes it through programs to make it printable on a given model of printer.
17. What information about print jobs does the lpq command display? (Select two.)
A. The name of the application that submitted the job
B. A numerical job ID that can be used to manipulate the job
C. The amount of ink or toner left in the printer
D. The username of the person who submitted the job
E. The estimated time to finish printing the job
18. You’ve submitted several print jobs, but you’ve just realized that you mistakenly submitted a huge document that you didn’t want to print. Assuming you can identify which job this was, that it’s not yet printing, and that its job ID number is 749, what command would you type to delete it from the okidata print queue?
A. The answer depends on whether you’re using BSD LPD, LPRng, or CUPS.
B. Type lpdel -Pokidata 749.
C. Type lprm -Pokidata 749.
D. Type cupsdisable -Pokidata 749.
E. None of the above; the task is impossible.
19. Which of the following is generally true of Linux programs that print?
A. They send data directly to the printer port.
B. They produce PostScript output for printing.
C. They include extensive collections of printer drivers.
D. They can print only with the help of add-on commercial programs.
E. They specify use of the Verdana font.
20. What tool might you use to print a four-page PostScript file on a single sheet of paper?
A. PAM
B. mpage
C. 4Front
D. route
Chapter 7
Administering the System

THE FOLLOWING EXAM OBJECTIVES ARE COVERED IN THIS CHAPTER:
1.107.1 Manage user and group accounts and related system files
1.107.2 Automate system administration tasks by scheduling jobs
1.108.1 Maintain system time
1.108.2 System logging
Much of Linux system administration deals with handling mundane day-to-day tasks. Many of these tasks relate to users and groups: adding them, deleting them, configuring their environments, and so on. On a small system you might perform such tasks infrequently, but on a busy system you might adjust accounts frequently. In any event, you must know how to do these things. Another class of day-to-day tasks involves managing and reviewing log files. These are files that record details of system operations, such as remote logins. Log files can be invaluable debugging resources, but even if you aren’t experiencing a problem, you should review them periodically to be sure everything is working as it should.
Many Linux tasks relate to time. Linux keeps time somewhat differently than some other OSs, and understanding how Linux treats time is important. So are the skills needed to set the time in Linux. (Some automated tools can be very helpful, but you must know how to configure them.) You can also tell Linux to run particular jobs at specific times in the future. This can be handy to help automate repetitive tasks, such as synchronizing data with other systems on a regular basis.
Managing Users and Groups
Linux is a multi-user system that relies on accounts—data structures and procedures used to identify individual users of a computer. Managing these accounts is a basic but important system administration skill. Before delving into the details, I describe a few basic concepts you should understand about user and group administration. With that out of the way, I describe the tools and configuration files that you employ to manage users and groups.
Understanding Users and Groups
Chances are you have a good basic understanding of accounts already. Fundamentally, Linux accounts are like accounts on Windows, Mac OS, and other OSs. Some Web sites use accounts, too. Nonetheless, a few details deserve explanation. These include Linux username conventions, the nature of Linux groups, and the way Linux maps the numbers it uses internally to the usernames and group names that people generally use.
Understanding Linux Usernames
Linux is fairly flexible about its usernames, although details vary from one utility to another. The most liberal Linux naming rules require usernames to begin with a letter and to be no more than 32 characters in length. Aside from the first character, numbers and most punctuation symbols are permitted, as are both upper- and lowercase characters. In practice, though, some important utilities, such as the useradd program described in “Adding Users,” impose more restrictive rules. These rules disallow uppercase letters and most punctuation characters, although you can sometimes get away with an underscore (_) or dot (.), and a dollar sign ($) as the last character is permitted. Furthermore, some utilities truncate usernames longer than 8 characters; for this reason, many administrators try to limit username length to 8 characters.
Assuming you can create accounts with mixed-case usernames, Linux treats usernames in a case-sensitive way. Therefore, a single computer can support both ellen and Ellen as separate users. This practice can lead to a great deal of confusion, so it’s best to avoid creating accounts whose usernames differ only in case. The traditional practice is to use entirely lowercase letters in Linux usernames, such as sally, sam, ellen, and george. Usernames don’t need to be based on first names, of course—you could use sam_jones, s.jones, sjones, jones, jones17, or d76, to name just a few possibilities. Most sites develop a standard method of creating usernames, such as using the first initial and the last name. Creating and following such a standard practice can help you locate an account that belongs to a particular individual. If your computer has many users, though, you may find a naming convention produces duplicates, particularly if your standard is to use initials to shorten usernames. You may be forced to deviate from the standard or incorporate numbers to distinguish between all the Davids or Smiths of the world, because each account requires a unique username.
Linking Users Together for Productivity via Groups
Linux uses groups as a means of organizing users. In many ways, groups parallel users. In particular, they’re defined in similar configuration files, have names similar to usernames, and are represented internally by numbers (as are accounts).
Groups are not accounts, however. Rather, groups are a means of organizing collections of accounts, largely as a security measure. Every file on a Linux system is associated with a specific user and a specific group, and various permissions can be assigned to members of that group. For instance, group members (such as faculty at a university) may be allowed to read a file, but others (such as students) may be disallowed such access. Because Linux provides access to most hardware devices (such as scanners and tape backup units) through files, you can also use this same mechanism to control access to hardware.
Every group has anywhere from no members to as many members as there are users on the computer. Group membership is controlled through the /etc/group file. This file contains a list of groups and the members belonging to each group. The details of this file’s contents are described in the section “Configuring Groups.”
In addition to membership defined in /etc/group, each user has a default or primary group. The user’s primary group is set in the user’s configuration in /etc/passwd (the file that defines accounts). When users log on to the computer, their group membership is set to their primary group. When users create files or launch programs, those files and running programs are associated with a single group—the current group membership. A user can access files belonging to other groups as long as the user belongs to that group and the group access permissions permit the access. To run programs or create files with a group other than the primary one, however, the user must run the newgrp command to switch current group membership. For instance, to change to the project2 group, you might type the following:
$ newgrp project2
If the user typing this command is listed as a member of the project2 group in /etc/group, the user’s current group membership changes. Thereafter, files created by that user will be associated with the project2 group. Alternatively, users can change the group associated with an existing file by using the chgrp or chown command, as described in Chapter 4, “Managing Files.”
This group structure enables you to design a security system that permits different collections of users to easily work on the same files while simultaneously keeping other users of the same computer from prying into files they should not be able to access. In a simple case, you may create groups for different projects, classes, or workgroups, with each user restricted to one of these groups. A user who needs access to multiple groups can be a member of each of these groups—for instance, a student who takes two classes can belong to the groups associated with each class, or a supervisor may belong to all the supervised groups.
Mapping UIDs and GIDs to Users and Groups
As mentioned earlier, Linux defines users and groups by numbers, referred to as user IDs (UIDs) and group IDs (GIDs), respectively. Internally, Linux tracks users and groups by these numbers, not by name. For instance, the user sam may be tied to UID 523, and ellen may be UID 609. Similarly, the group project1 may be GID 512, and project2 may be GID 523. For the most part, these details take care of themselves—you use names, and Linux uses /etc/passwd or /etc/group to locate the number associated with the name. You may occasionally need to know how Linux assigns numbers when you tell it to do something, though. This is particularly true when you’re troubleshooting or if you have cause to manually edit /etc/passwd or /etc/group.
Linux distributions reserve at least the first 100 user and group IDs (0−99) for system use. The most important of these is 0, which corresponds to root (both the user and the group). Subsequent low numbers are used by accounts and groups that are associated with specific Linux utilities and functions. For instance, UID 2 and GID 2 may be the daemon account and group, respectively, which are used by various servers; and UID 8 and GID 12 might be the mail account and group, which can be used by mail-related servers and utilities. Not all account and group numbers from 0 to 99 are in use; usually, only one or two dozen accounts and a dozen or so groups are used in this way. You can check your /etc/passwd and /etc/group files to determine which user and group IDs are so used.
Aside from UID 0 and GID 0, UID and GID numbers aren’t fully standardized. For instance, although UID 2 and GID 2 map to the daemon account and daemon group on Red Hat and SUSE, on Debian UID 2 and GID 2 map to the bin account and bin group; the daemon account and group correspond to UID 1 and GID 1. If you need to refer to a particular user or group, use the name rather than the number.
The first normal user account is usually assigned a UID of 500 or (more often) 1000. When you create additional accounts, the system typically locates the next-highest unused number, so the second user you create is UID 1001, the third is 1002, and so on. When you remove an account, that account’s ID number may be reused, but the automatic account-creation tools typically don’t do so if subsequent numbers are in use, leaving a gap in the sequence. This gap causes no harm unless you have so many users that you run out of ID numbers. (The limit is 65,536 users with the 2.2.x kernels and more than 4.2 billion with the 2.4.x and later kernels, including root and other system accounts. The limit can be set lower in configuration files or because of limits in support programs.) In fact, reusing an ID number can cause problems if you don’t clear away the old user’s files—the new user will become the owner of the old user’s files, which can lead to confusion.
Account numbering limits are set in the /etc/login.defs file. In particular, UID_MIN and UID_MAX define the minimum and maximum UID values for ordinary user accounts. In modern distributions, these values are generally 1000 and 60000, respectively.
Typically, GID 100 is users—the default group for some distributions. On any but a very small system with few users, you’ll probably want to create your own groups. Because different distributions have different default ways of assigning users to groups, it’s best that you familiarize yourself with your distribution’s way of doing this and plan your own group-creation policies with this in mind. For instance, you may want to create your own groups within certain ranges of IDs to avoid conflicts with the distribution’s default user- and group-creation processes.
It’s possible to create multiple usernames that use the same UID or multiple group names that use the same GID. In some sense, these are different accounts or groups; they have different entries in /etc/passwd or /etc/group, so they can have different home directories, different passwords, and so on. Because these users or groups share IDs with other users or groups, though, they’re treated identically in terms of file permissions. Unless you have a compelling reason to do so, you should avoid creating multiple users or groups that share an ID.
Intruders sometimes create accounts with UID 0 to give themselves root privileges on the systems they invade. Any account with a UID of 0 is effectively the root account, with all the power of the superuser. If you spot a suspicious account in your /etc/passwd file with a UID of 0, your system has probably been compromised.
Configuring User Accounts
How frequently you’ll do user maintenance depends on the nature of the system you administer. Some systems, such as small personal workstations, need changes very rarely. Others, such as multi-user servers that see heavy user turnover, may require daily maintenance. The latter situation would seem to require more knowledge of user account configuration tools, but even in a seldom-changing system, it’s useful to know how to add, modify, or delete accounts so that you can do so quickly and correctly when you do need to do so.
Some security-related account issues are covered in Chapter 10, “Securing Your System.”
This chapter describes the traditional text-based tools for account creation and maintenance. Most modern Linux distributions ship with GUI tools that accomplish the same goals. These tools vary from one distribution or environment to another, so they’re hard to summarize for Linux as a whole. The exam also emphasizes the text-based tools. Overall, the text-based tools provide the greatest flexibility and are most broadly applicable, but you can certainly use the GUI tools if you like.
Adding Users
Adding users can be accomplished through the useradd utility. (This program is called adduser on some distributions.) Its basic syntax is as follows:
useradd [-c comment] [-d home-dir] [-e expire-date] [-f inactive-days]
        [-g default-group] [-G group[,...]] [-m [-k skeleton-dir] | -M]
        [-p password] [-s shell] [-u UID [-o]] [-r] [-n] username
Some of these parameters modify settings that are valid only when the system uses shadow passwords. This is the standard configuration for most distributions today.
In its simplest form, you may type just useradd username, where username is the username you want to create. The rest of the parameters are used to modify the default values for the system, which are stored in the file /etc/login.defs.
The parameters for the useradd command modify the program’s operation in various ways:
Comment: The -c comment parameter passes the comment field for the user. Some administrators store public information such as a user’s office or telephone number in this field. Others store just the user’s real name or no information at all.
Home Directory: You specify the account’s home directory with the -d home-dir parameter. This defaults to /home/username on most systems.
Account Expiration Date: Set the date on which the account will be disabled, expressed in the form YYYY-MM-DD, with the -e expire-date option. (Many systems accept alternative forms, such as MM-DD-YYYY, as well.) The default is for an account that doesn’t expire.
Inactive Days: An account becomes completely disabled a certain number of days after a password expires. The -f inactive-days parameter sets the number of days. A value of -1 disables this feature and is the default.
Default Group: You set the name or GID of the user’s default group with the -g default-group option. The default for this value varies from one distribution to another.
Additional Groups: The -G group[,...] parameter sets the names or GIDs of one or more groups to which the user belongs. These groups need not be the default group, and you can specify more than one by separating them with commas.
Home Directory Options: The system automatically creates the user’s home directory if -m is specified. Normally, default configuration files (including subdirectories) are copied from /etc/skel, but you may specify another template directory with the -k skeleton-dir option. Many distributions use -m as the default when running useradd.
No Home Directory Creation: The -M option forces the system to not automatically create a home directory, even if /etc/login.defs specifies that this action is the default. You might use this option, often in conjunction with -u (described shortly) and -d (described earlier) if a new account is for a user who’s taking over the home directory of an existing user—say, because a new employee is replacing one who is leaving.
Encrypted Password Specification: The -p encrypted-password parameter passes the pre-encrypted password for the user to the system. The encrypted-password value is added, unchanged, to the /etc/passwd or /etc/shadow file. This means that if you type an unencrypted password, it won’t work as you probably expect. In practice, this parameter is most useful in scripts, which can encrypt a password (using crypt) and then send the encrypted result through useradd. The default value disables the account, so you must run passwd to change the user’s password.
Default Shell: Set the name of the user’s default login shell with the -s shell option. On most systems, this defaults to /bin/bash, but you can specify another shell or even a program that’s not traditionally a shell. For instance, some systems include a shutdown account that calls /sbin/shutdown. Logging into this account immediately shuts down the computer.
UID: The -u UID parameter creates an account with the specified user ID value (UID). This value must be a positive integer, and it’s normally greater than 1000 for user accounts. (Some distributions permit user account UIDs as low as 500, though.) System accounts typically have numbers less than 200, and often less than 100. The -o option allows the number to be reused so that two usernames are associated with a single UID.
System Account Creation: The -r parameter specifies the creation of a system account—an account with a value less than UID_MIN, as defined in /etc/login.defs. The useradd command doesn’t create a home directory for system accounts.
No User Group: In some distributions, such as Red Hat, the system creates a group with the same name as the specified username. The -n parameter disables this behavior.
Suppose you’ve added a hard disk and mounted it as /home2. You want to create an account for a user named Sally in this directory and place her home directory on the new disk. You want to make the new user a member of the project1 and project4 groups, with default membership in project4. The user has also requested tcsh as her default shell. The following commands accomplish this goal:
# useradd -m -d /home2/sally -g project4 -G project1,project4 -s /bin/tcsh sally
# passwd sally
Changing password for user sally
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully
The passwd command asks for the password twice, but it does not echo what you type. This prevents somebody who sees your screen from reading the password. passwd is described in more detail shortly, in “Setting a Password.”
Modifying User Accounts
User accounts may be modified in many ways: You can directly edit critical files such as /etc/passwd, modify user-specific configuration files in the account’s home directory, or use system utilities like those used to create accounts. You usually modify an existing user’s account at the user’s request or to implement some new policy or system change, such as moving home directories to a new hard disk. Sometimes, though, you must modify an account immediately after its creation in order to customize it in ways that aren’t easily handled through the account-creation tools or because you realize you forgot a parameter to useradd.
Setting a Password
Although useradd provides the -p parameter to set a password, this tool isn’t very useful when directly adding a user because it requires a pre-encrypted password. Therefore, it’s usually easiest to create an account in disabled form (by not using -p with useradd) and set the password after creating the account. You can do this with the passwd command, which has the following syntax:
passwd [-k] [-l] [-u [-f]] [-d] [-S] [username]
Although passwd is frequently used to set or change passwords, some of its actions don’t prompt you for a password. Instead, they modify the password in predictable ways, as described shortly. Other uses produce a password prompt at which you must type a new password (twice, to guard against typos).
The parameters to this command enable you to modify its behavior:
Update Expired Accounts: The -k parameter indicates that the system should update an expired account.
Lock Accounts: The -l parameter locks an account by prefixing the encrypted password with an exclamation mark (!). The result is that the user can no longer log in to the account, but the files are still available, and the change can be easily undone. This parameter is particularly handy if you want to temporarily suspend user access to an account—say, because you’ve spotted some suspicious activity involving the account or because you know a user won’t be using the account for a while and you want to minimize the chance of it being abused in the interim.
Unlock Accounts: The -u parameter unlocks an account by removing a leading exclamation mark. useradd creates accounts that are locked and have no password, so using this command on a fresh account results in an account with no password. Normally, passwd doesn’t allow this—it returns an error if you attempt it. Adding -f forces passwd to turn the account into one with no password.
Remove an Account’s Password: The -d parameter removes the password from an account, rendering it password-less.
Display Account Information: The -S option displays information about the password for an account—whether it’s set and what type of encryption it uses.
Ordinary users may use passwd to change their passwords, but many passwd parameters may be used only by root. Specifically, -l, -u, -f, and -d are all off-limits to ordinary users. Similarly, only root may specify a username to passwd. When ordinary users run the program, they should omit their usernames; passwd will change the password for the user who ran the program. As a security measure, passwd asks for a user’s old password before changing the password when an ordinary user runs the program. This precaution is not taken when root runs the program so that the superuser may change a user’s password without knowing the original password. This is necessary because the administrator normally doesn’t know the user’s password. It also provides a way for the system administrator to help a user who’s forgotten a password—the administrator can type passwd username and then enter a new password for the user.
Linux passwords may consist of letters, numbers, and punctuation. Linux distinguishes between upper- and lowercase letters in passwords, which means you can use mixed-case passwords, numbers, and punctuation to improve security.
Chapter 10 provides information about selecting good passwords.
Exercise 7.1 provides you with practice in creating accounts on a Linux system.
EXERCISE 7.1
Creating User Accounts
This exercise explores the process of creating user accounts. After performing this exercise, you should be familiar with the text-mode Linux account-creation tools and be able to create new accounts, including preparing new users’ home directories. To add and test a new account, follow these steps:
1. Log into the Linux system as a normal user.
2. Launch an xterm from the desktop environment’s menu system, if you used a GUI login method.
3. Acquire root privileges. You can do this by typing su in an xterm, by selecting Session > New Root Console from a Konsole, or by using sudo (if it’s configured) to run the commands in the following steps.
4. Type useradd -m username, where username is the name you want to be associated with the account. This command creates an account. The -m parameter tells Linux to create a home directory for the user and fill it with default account configuration files.
5. Type passwd username. You’ll be asked to enter a password for the user and to type it a second time. Enter a random string or select a password as described in “Setting a Password.”
6. Press Ctrl+Alt+F2 to go to a fresh text-mode login screen. (If you’re already using multiple virtual terminals, you may need to use a function key number greater than F2.)
7. Try logging in as the new user to verify that the account works properly.
In practice, creating accounts on a production system may require variations on this procedure. You may need to use additional options in step 4, for instance; consult the section “Adding Users” or the useradd man page for details on these options. Furthermore, setting the password may require changes. On a small system with few users, you may be able to create accounts in the presence of their future users, in which case the user can type the password in step 5. On other systems, you may need to generate passwords yourself and then give them to users in some way.
Using usermod
The usermod program closely parallels useradd in its features and parameters. This utility changes an existing account instead of creating a new one, though. The major differences between useradd and usermod are as follows:
usermod allows the addition of a -m parameter when used with -d. The -d parameter alone changes the user’s home directory, but it doesn’t move any files. Adding -m causes usermod to move the user’s files to the new location.
usermod supports a -l parameter, which changes the user’s login name to the specified value. For instance, typing usermod -l sjones sally changes the username from sally to sjones.
You may lock and unlock a user’s password with the -L and -U options, respectively. These options duplicate functionality provided by passwd.
The usermod program changes the contents of /etc/passwd or /etc/shadow, depending on the option used. If -m is used, usermod also moves the user’s files, as already noted.
Changing an account’s characteristics while the owner is logged in can have undesirable consequences. This is particularly true of the -d -m combination, which can cause the files a user is working on to move. Most other changes, such as changes to the account’s default shell, don’t take effect until the user has logged out and back in again.
If you change the account’s UID, this action does not change the UIDs associated with a user’s existing files. Because of this, the user may lose access to these files. You can manually update the UIDs on all files by using the chown command, as described in Chapter 4. Specifically, a command like the following, issued after changing the UID on the account sally, restores proper ownership on the files in sally’s home directory:
# chown -R sally /home/sally
This action does not change the ownership of files that aren’t in sally’s home directory. If you believe such files exist, you may need to track them down with the find command, as you’ll see in the upcoming section “Deleting Accounts.” Also, this command blindly changes ownership of all files in the /home/sally directory. This is probably OK, but it’s conceivable that some files in that directory should be owned by somebody else—say, because sally and another user are collaborating on a project.
When using the -G option to add a user to new groups, be aware that any groups not listed will be removed. The gpasswd command, described in the upcoming section “Using gpasswd,” provides a way to add a user to one or more specific groups without affecting existing group memberships, and so it’s generally preferable for this purpose.
Using chage
The chage command enables you to modify account settings relating to account expiration. It’s possible to configure Linux accounts so that they automatically expire if either of two conditions is true:
The password hasn’t been changed in a specified period of time.
The system date is past a predetermined time.
These settings are controlled through the chage utility, which has the following syntax:
chage [-l] [-m mindays] [-M maxdays] [-d lastday] [-I inactivedays]
      [-E expiredate] [-W warndays] username
The program’s parameters modify the command’s actions:
Display Information: The -l option causes chage to display account expiration and password aging information for a particular user.
Set the Minimum Time Between Password Changes: The -m mindays parameter sets the minimum number of days between password changes. 0 indicates that a user can change a password multiple times in a day, 1 means that a user can change a password once a day, 2 means that a user may change a password once every two days, and so on.
Set the Maximum Time Between Password Changes: The -M maxdays parameter sets the maximum number of days that may pass between password changes. For instance, 30 requires a password change approximately once a month.
If the user changes a password before the deadline, the counter is reset from the password-change date.
Set the Last Password Change Date: The -d lastday parameter sets the last day a password was changed. This value is normally maintained automatically by Linux, but you can use this parameter to artificially alter the password change count. lastday is expressed in the format YYYY/MM/DD or as the number of days since January 1, 1970.
Set the Maximum Inactive Days: The -I inactivedays parameter sets the number of days between password expiration and account disablement. An expired account may not be used or may force the user to change the password immediately upon logging in, depending on the distribution. A disabled account is completely disabled.
Set the Expiration Date: You can set an absolute expiration date with the -E expiredate option. For instance, you might use -E 2013/05/21 to have an account expire on May 21, 2013. The date may also be expressed as the number of days since January 1, 1970. A value of -1 represents no expiration date.
Set the Number of Warning Days: The -W warndays option sets the number of days before account expiration that the system will warn the user of the impending expiration. It’s generally a good idea to use this feature to alert users of their situation, particularly if you make heavy use of password-change expirations. Note that these warnings are usually shown only to text-mode login users; GUI login users, file-share users, and so on usually don’t see these messages.
The chage command can normally be used only by root. The one exception to this rule is if the -l option is used; this feature allows ordinary users to check their account-expiration information.
Directly Modifying Account Configuration Files
You can directly modify user configuration files. The /etc/passwd and /etc/shadow files control most aspects of an account’s basic features. Both files consist of a set of lines, one line per account. Each line begins with a username and continues with a set of fields, delimited by colons (:). Many of these items may be modified with usermod or passwd. A typical /etc/passwd entry resembles the following:
sally:x:1029:100:Sally Jones:/home/sally:/bin/bash
Each field has a specific meaning, as follows:
Username: The first field in each /etc/passwd line is the username (sally in this example).
Password: The second field has traditionally been reserved for the password. Most Linux systems, however, use a shadow password system in which the password is stored in /etc/shadow. The x in the example’s password field is an indication that shadow passwords are in use. In a system that doesn’t use shadow passwords, an encrypted password appears here instead.
UID: Following the password is the account’s user ID (1029 in this example).
Primary GID: The default login group ID is next in the /etc/passwd line for an account. The example uses a primary GID of 100.
Comment: The comment field may have different contents on different systems. In the preceding example, it’s the user’s full name. Some systems place additional information here, in a comma-separated list. Such information may include the user’s telephone number, office number, title, and so on.
Home Directory: The user’s home directory is next up in the list.
Default Shell: The default shell is the final item on each line in /etc/passwd. This is normally /bin/bash, /bin/tcsh, or some other common command shell. It’s possible to use something unusual here, though. For instance, many systems include a shutdown account with /bin/shutdown as the shell. If you log into this account, the computer immediately shuts down. You can create user accounts with a shell of /bin/false, which prevents users from logging in as ordinary users but leaves other utilities intact. Users can still receive mail and retrieve it via a remote mail retrieval protocol like POP or IMAP, for instance. A variant on this scheme uses /bin/passwd so that users may change their passwords remotely but can’t log in using a command shell.
You can directly modify any of these fields, although in a shadow password system, you probably do not want to modify the password field; you should make password-related changes via passwd so that they can be properly encrypted and stored in /etc/shadow. As with changes initiated via usermod, it’s best to change /etc/passwd directly only when the user in question isn’t logged in, to prevent a change from disrupting an ongoing session.
Like /etc/passwd, /etc/shadow may be edited directly. An /etc/shadow line resembles the following:
sally:$6$EmoFkLZPkHkpczVN2XRcMdyj8/ZeeT5UnTQ:15505:0:-1:7:-1:-1:
Most of these fields correspond to options set with the chage utility, although some are set with passwd, useradd, or usermod. The meaning of each colon-delimited field on this line is as follows:
Username: Each line begins with the username. Note that the UID is not used in /etc/shadow; the username links entries in this file to those in /etc/passwd.
Password: The password is stored in encrypted form, so it bears no obvious resemblance to the actual password. An asterisk (*) or exclamation mark (!) denotes an account with no password (that is, the account doesn’t accept logins—it’s locked). This is common for accounts used by the system itself. When you lock a user account via the -L option to usermod, the utility prepends an exclamation mark (!) to the password field. Removing the exclamation mark unlocks the account, restoring the original password.
If you’ve forgotten the root password for a computer, you can boot with an emergency recovery system and copy the contents of a password field for an account whose password you do remember. You can then boot normally, log in as root, and change the password. In a real pinch, you can delete the contents of the password field, which results in a root account with no password (that is, none is required to log in). If you do this, be sure to immediately change the root password after rebooting!
Last Password Change: The next field (15505 in this example) is the date of the last password change. This date is stored as the number of days since January 1, 1970.
Days Until a Change Is Allowed: The next field (0 in this example) is the number of days before a password change is allowed.
Days Before a Change Is Required: This field is the number of days after the last password change before another password change is required.
Days of Warning Before Password Expiration: If your system is configured to expire passwords, you may set it to warn the user when an expiration date is approaching. A value of 7, as in the preceding example, is typical.
Days Between Expiration and Deactivation: Linux allows for a gap between the expiration of an account and its complete deactivation. An expired account either can’t be used or requires that the user change the password immediately after logging in. In either case, its password remains intact. A deactivated account’s password is erased, and the account can’t be used until it’s reactivated by the system administrator.
Expiration Date: This field shows the date on which the account will expire. As with the last password change date, the date is expressed as the number of days since January 1, 1970. This option is helpful in the case of students, interns, auditors, contract staff, seasonal workers, and similar temporary users.
Special Flag: This field is reserved for future use and normally isn’t used or contains a meaningless value. This field is empty in the preceding example.
For fields relating to day counts, a value of -1 or 99999 indicates that the relevant feature has been disabled. The /etc/shadow values are generally best left to modification through the usermod and chage commands because they can be tricky to set manually—for instance, it’s easy to forget a leap year or the like when computing a date as the number of days since January 1, 1970. Similarly, because of its encrypted nature, the password field can’t be edited effectively except through passwd or similar utilities. You can cut and paste a value from a compatible file or use crypt, but it’s generally easier to use passwd. Copying encrypted passwords from other systems is also somewhat risky because it means that the users will have the same passwords on both systems, and this fact will be obvious to anybody who’s acquired both encrypted password lists.
The /etc/shadow file is normally stored with very restrictive permissions, such as rw------- (600), with ownership by root. (Precise permissions vary from one distribution to another, though.) This fact is critical to the shadow password system’s utility because it keeps non-root users from reading the file and obtaining the password list, even in an encrypted form. By contrast, /etc/passwd must be readable by ordinary users and usually has rw-r--r-- (644) permissions. If you manually modify /etc/shadow, be sure it has the correct permissions when you’re done.
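Because the day-count fields are hard to read by eye, it helps to let a script interpret them. The following is an added example, not code from the book: it reports locked, password-less, expiring and expired accounts from a shadow-format file and checks whether the file is readable by others. The function names, flag names and sample entries are constructed, the hash strings are placeholders, and the boundary comparisons are a simplified reading of the field descriptions above.

```sh
#!/bin/sh
# Added example: summarize account state from a shadow-format file using the
# nine colon-delimited fields described above. Sample data is constructed;
# the hash strings are placeholders, not real password hashes.

write_sample_shadow() {
    cat > "$1" <<'EOF'
sally:$6$EXAMPLESALT$EXAMPLEHASH:15505:0:-1:7:-1:-1:
sam:!$6$EXAMPLESALT$EXAMPLEHASH:15505:0:90:7:14:-1:
ellen:$6$EXAMPLESALT$EXAMPLEHASH:15505:0:30:7:14:-1:
george:$6$EXAMPLESALT$EXAMPLEHASH:15505:0:30:7:-1:15510:
daemon:*:15000:0:99999:7:::
guest::15505:0:99999:7:::
EOF
}

# Today as a day count since January 1, 1970, the unit /etc/shadow uses.
today_days() { echo $(( $(date +%s) / 86400 )); }

# shadow_report FILE [TODAY]: print "user flag[,flag...]" for every entry.
# Simplified model of the field meanings; the real checks are done by the
# login stack and may differ at the day boundaries.
shadow_report() {
    awk -F: -v today="${2:-$(today_days)}" '
        # -1, 99999 or an empty field means the feature is disabled
        function off(v) { return v == "" || v + 0 == -1 || v + 0 == 99999 }
        function add(list, item) { return (list == "") ? item : (list "," item) }
        $1 ~ /^#/ || NF < 8 { next }
        {
            flags = ""
            if ($2 == "")           flags = add(flags, "no-password")
            else if ($2 ~ /^[!*]/)  flags = add(flags, "locked")
            if (!off($3) && !off($5)) {
                pw_end = $3 + $5             # last change + maximum age
                if (today + 0 > pw_end) {
                    flags = add(flags, "password-expired")
                    if (!off($7) && today + 0 > pw_end + $7)
                        flags = add(flags, "inactive")
                } else if (!off($6) && today + 0 >= pw_end - $6)
                    flags = add(flags, "expiring-soon")
            }
            if (!off($8) && today + 0 >= $8 + 0)
                flags = add(flags, "account-expired")
            print $1, (flags == "" ? "ok" : flags)
        }
    ' "$1"
}

# status_of FILE TODAY USER: flags for a single account.
status_of() { shadow_report "$1" "$2" | awk -v u="$3" '$1 == u { print $2 }'; }

# True if "others" have read permission (must not be the case for /etc/shadow).
others_can_read() { [ -n "$(find "$1" -prune -perm -004 -print)" ]; }

# Demo on constructed data, evaluated as of day 15540.
sample=$(mktemp)
write_sample_shadow "$sample"
shadow_report "$sample" 15540
others_can_read "$sample" && echo "WARNING: $sample is world-readable"
rm -f "$sample"
```

On a real system, run shadow_report as root against /etc/shadow without the second argument so that the current date is used; any no-password entry deserves immediate attention.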
Network Account Databases
Many networks employ network account databases. Such systems include the Network Information System (NIS), an update to this system called NIS+, the Lightweight Directory Access Protocol (LDAP), Kerberos realms, Windows NT 4.0 domains, and Active Directory (AD) domains. All of these systems move account database management onto a single centralized computer (often with one or more backup systems). The advantage of this approach to account maintenance is that users and administrators need not deal with maintaining accounts independently on multiple computers. A single account database can handle accounts on dozens (or even hundreds or thousands) of different computers, greatly simplifying day-to-day administrative tasks and simplifying users’ lives. Using such a system, though, means that most user accounts won’t appear in /etc/passwd and /etc/shadow, and groups may not appear in /etc/group. (These files will still hold information on local system accounts and groups, though.)
Linux can participate in these systems. In fact, some distributions provide options to enable such support at OS installation time. Typically, you must know the name or IP address of the server that hosts the network account database, and you must know what protocol the server uses. You may also need a password or some other protocol-specific information, and the server may need to be configured to accept accesses from the Linux system you’re configuring.
Activating use of such network account databases after installing Linux is a complex topic. It involves installing appropriate software, modifying the /etc/nsswitch.conf file, and modifying the Pluggable Authentication Module (PAM) configuration files in /etc/pam.d. Such systems often alter the behavior of tools such as passwd and usermod in subtle or not-so-subtle ways. If you need to use such a system, you’ll have to consult documentation specific to the service you intend to use. My book Linux in a Windows World (O’Reilly, 2005) covers this topic for Windows NT 4.0 domains, LDAP, and Kerberos; and Mark Minasi and Dan York’s Linux for Windows Administrators (Sybex, 2002) covers this topic for Windows NT 4.0 domains and NIS.
Deleting Accounts
On the surface, deleting user accounts is easy. You may use the userdel command to do the job of removing a user’s entries from /etc/passwd and, if the system uses shadow passwords, /etc/shadow. The userdel command takes just three parameters:
Remove User Files: The -r or --remove parameter causes the system to remove all files from the user’s mail spool and home directory, as well as the home directory.
Force Deletion: You can force deletion of the account while a user is logged in by using the -f or --force option in conjunction with -r. This option also forces removal of the mail spool even if it’s owned by another user and forces removal of the home directory even if another user uses the same home directory.
Get Help: The -h or --help option summarizes userdel options.
As an example, removing the sally account is easily accomplished with the following command:
# userdel -r sally
You may omit the -r parameter if you want to preserve the user’s files. Be aware of one potential complication: Users may create files outside their home directories. For instance, many programs use the /tmp directory as “scratch space,” so user files often wind up there. These files are deleted automatically after a certain period, but you may have other directories in which users may store files. To locate all such files, you can use the find command with its -uid parameter (or -user, if you use find before deleting the account). For instance, if sally was UID 1029, you can use the following command to locate all her files:
# find / -uid 1029
The result is a list of files owned by UID 529 (formerly sally). You can then go through this list and decide what to do with the files—change their ownership to somebody else, delete them, back them up to CD-R, or what have you. It’s wise to do something with these files, or they may be assigned ownership to another user if Sally’s UID is reused. This can become awkward if the files exceed the new user’s disk quota or if they contain information that the new user should not have—such a person may mistakenly be accused of indiscretions or even crimes.
A few servers—most notably Samba—keep their own list of users. If you run such a server, it’s best to remove the user’s entry from that server’s user list when you remove the user’s main account. In the case of Samba, this is normally done by manually editing the smbpasswd file (usually located in /etc, /etc/samba, or /etc/samba.d) and deleting the line corresponding to the user in question or by using the smbpasswd command and its -x option, as in smbpasswd -x sally to delete the sally account from Samba’s database.
Configuring Groups
Linux provides group configuration tools that parallel those for user accounts in many ways. Groups are not accounts, however, so many features of these tools differ. Likewise, you can create or modify groups by directly editing the configuration files in question. Their layout is similar to that for account control files, but the details differ.
Adding Groups
Linux provides the groupadd command to add a new group. This utility is similar to useradd but has fewer options. The groupadd syntax is as follows:
groupadd [-g GID [-o]] [-r] [-f] groupname
The parameters to this command enable you to adjust its operation:
Specify a GID: You can provide a specific GID with the -g GID parameter. If you omit this parameter, groupadd uses the next available GID. Normally, the GID you specify must be unused by other groups, but the -o parameter overrides this behavior, enabling you to create multiple groups that share one GID.
Create a System Group: The -r parameter instructs groupadd to create a group with a GID of less than SYS_GID_MIN, as defined in /etc/login.defs. Groups with GIDs in this range are considered system groups, which are analogous to system accounts—they’re normally used by system tools or to help control access to system resources, such as hardware device files. Not all distributions support this option; it was added by Red Hat and has been used on some related distributions. Red Hat uses GIDs of 500 and greater for user private groups (that is, groups named after individual users), which is the reason for the -r parameter.
Force Creation: Normally, if you try to create a group that already exists, groupadd returns an error message. The -f parameter suppresses that error message. Not all versions of groupadd support this parameter.
In most cases, you’ll create groups without specifying any parameters except for the group name itself:
# groupadd project3
This command creates the project3 group, giving it whatever GID the system finds convenient—usually the highest existing GID plus 1. Once you’ve done this, you can add users to the group, as described in the next section. When you add new users, you can add them directly to the new group with the -g and -G parameters to useradd, described earlier.
Modifying Group Information
Group information, like user account information, may be modified either by using utility programs or by directly editing the underlying configuration file, /etc/group. There are fewer options for modifying groups than for modifying accounts, and the utilities and configuration files are similar. In fact, usermod is one of the tools that’s used to modify groups.
Using groupmod and usermod
The groupmod command modifies an existing group’s settings. Its syntax is as follows:
groupmod [-g GID [-o]] [-n newgroupname] oldgroupname
The options to this command modify its operation:
Specify a GID: Specify the new group ID using the -g GID option. groupmod returns an error if you specify a new group ID that’s already in use, unless you include the -o parameter, in which case you can create two groups that share a single GID.
Specify a Group Name: Specify a new group name with the -n newgroupname option.
One of the most common group manipulations you’ll perform is not handled through groupmod; it’s done with usermod. Specifically, usermod enables you to add a user to a group with its -G parameter. For instance, the following command sets sally to be a member of the users, project1, and project4 groups, and it removes her from all other groups:
# usermod -G users,project1,project4 sally
Be sure to list all the user’s current groups in addition to any groups to which you want to add the user. Omitting any of the user’s current groups will remove the user from those groups. You can discover the groups to which a user currently belongs with the groups command, as in groups sally. To avoid accidentally omitting a group, many system administrators prefer to modify the /etc/group file in a text editor or use gpasswd. Both options enable you to add users to groups without specifying a user’s existing group memberships.
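The -G pitfall described above is easy to check for before you run usermod. The following is an added example, not code from the book: it reads a file in /etc/group format (colon-delimited, with a comma-separated member list in the fourth field), shows which memberships a short -G list would drop, and builds the complete list instead. The function names and sample group entries are constructed for illustration.

```sh
#!/bin/sh
# Added example: work out a complete -G list from a group-format file so that
# adding one group does not silently drop the others. Sample data is constructed.

write_sample_group() {
    cat > "$1" <<'EOF'
users:x:100:sally,sam
project1:x:501:sally,sam,ellen,george
project2:x:502:ellen,samantha
project3:x:503:
project4:x:504:george
EOF
}

# Groups that list USER in the fourth (member list) field, comma-separated.
# The primary group from /etc/passwd is not included; usermod -G does not touch it.
supplementary_groups() {
    awk -F: -v user="$2" '
        NF >= 4 {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++)
                if (m[i] == user) {            # exact match: sam is not samantha
                    out = (out == "") ? $1 : (out "," $1)
                    break
                }
        }
        END { print out }
    ' "$1"
}

# merged_group_list FILE USER GROUP...: current memberships plus the new
# groups, de-duplicated, in the form usermod -G expects.
merged_group_list() {
    mg_file=$1; mg_user=$2; shift 2
    printf '%s\n' "$(supplementary_groups "$mg_file" "$mg_user")" "$@" |
        tr ',' '\n' | awk 'NF && !seen[$0]++' | paste -sd, -
}

# dropped_memberships FILE USER LIST: groups the user would lose if LIST were
# passed to usermod -G as-is.
dropped_memberships() {
    supplementary_groups "$1" "$2" | tr ',' '\n' |
        awk -v keep="$3" '
            BEGIN { n = split(keep, k, ","); for (i = 1; i <= n; i++) kept[k[i]] = 1 }
            NF && !($0 in kept)
        ' | paste -sd, -
}

# Demo: sally is to be added to project4.
sample=$(mktemp)
write_sample_group "$sample"
echo "current:        $(supplementary_groups "$sample" sally)"
echo "naive -G drops: $(dropped_memberships "$sample" sally project4)"
echo "safe command:   usermod -G $(merged_group_list "$sample" sally project4) sally"
echo "or simply:      gpasswd -a sally project4"
rm -f "$sample"
```

The script only prints the commands; it reads local files, so accounts served from a network account database will not appear in its output.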
Using gpasswd
The gpasswd command is the group equivalent to passwd. The gpasswd command also enables you to modify other group features and to assign group administrators—users who may perform some group-related administrative functions for their groups. The basic syntax for this command is as follows:
gpasswd [-a user] [-d user] [-R] [-r] [-A user[,...]] [-M user[,...]] group
Theoptionsforthiscommandmodifyitsactions:AddaUserThe-auseroptionaddsthespecifiedusertothespecifiedgroup.DeleteaUserThe-duseroptiondeletesthespecifieduserfromthespecifiedgroup.DisallownewgrpAdditionsThe-Roptionconfiguresthegrouptonotallowanybodytobecomeamemberthroughnewgrp.RemovePasswordThe-roptionremovesthepasswordfromagroup.AddGroupAdministratorsTherootusermayusethe-Auser[,...]parametertospecifygroupadministrators.Groupadministratorsmayaddmemberstoandremovemembersfromagroupandchangethegrouppassword.Usingthisparametercompletelyoverwritesthelistofadministrators,soifyouwanttoaddanadministratortoanexistingsetofgroupadministrators,youmustspecifyalloftheirusernames.AddUsersThe-Muser[,...]optionworkslike-A,butitalsoaddsthespecifieduser(s)tothelistofgroupmembers.If entered without any parameters except a group name, gpasswd changes the password for the
group. Group passwords enable you to control temporarymembership in a group, as granted bynewgrp.Ordinarily,membersofagroupmayusenewgrptochangetheircurrentgroupmembership(affecting thegroupof files theycreate). Ifapassword isset,even thosewhoaren’tmembersofagroup may become temporary group members; newgrp prompts for a password that, if enteredcorrectly,givestheusertemporarygroupmembership.Unfortunately,someofthesefeaturesaren’timplementedcorrectlyinalldistributions.Inparticular,
password entry by non-groupmembers sometimes does not give group membership—the systemresponds with an access denied error message. The -R option also sometimes doesn’t workcorrectly—groupmemberswhoseprimarygroupmembership iswith another groupmay still usenewgrptosettheirprimarygroupmembership.
Directly Modifying Group Configuration Files
Group information is stored primarily in the /etc/group file. Like account configuration files, the /etc/group file is organized as a set of lines, one line per group. A typical line in this file resembles the following:
project1:x:501:sally,sam,ellen,george
Each field is separated from the others by a colon. The meanings of the four fields are as follows:
Group Name: The first field (project1 in the preceding example) is the name of the group.
Password: The second field (x in the preceding example) is the group password. Distributions that use shadow passwords typically place an x in this field; others place the encrypted password directly in this field.
GID: The group ID number (in this example’s case, 501) goes in this field.
User List: The final field is a comma-delimited list of group members.
Users may also be members of a group based on their own /etc/passwd file primary group specification. For instance, if user george has project1 listed as his primary group, he need not be listed in the project1 line in /etc/group. If user george uses newgrp to change to another group, though, he won’t be able to change back to project1 unless he’s listed in the project1 line in /etc/group.
Systems with shadow passwords also use another file, /etc/gshadow, to store shadow password information about groups. This file stores the shadow password and information for group administrators, as described earlier in “Using gpasswd.”
If you configure Linux to use a network account database, the /etc/group file is present and may define groups important for the system’s basic operation. As with /etc/passwd and /etc/shadow, though, important user groups are likely to be defined only on the network account server, not in /etc/group.
Deleting Groups
Deleting groups is done via the groupdel command, which takes a single parameter: a group name. For instance, groupdel project3 removes the project3 group. You can also delete a group by editing the /etc/group file (and /etc/gshadow, if present) and removing the relevant line for the group. It’s generally better to use groupdel, because groupdel checks to see whether the group is any user’s primary group. If it is, groupdel refuses to remove the group; you must change the user’s primary group or delete the user account first.
As with deleting users, deleting groups can leave orphaned files on the computer. You can locate them with the find command, which is described in more detail in Chapter 4. For instance, if a deleted group used a GID of 1003, you can find all the files on the computer with that GID by using the following command:
# find / -gid 1003
Once you’ve found any files with the deleted group’s ownership, you must decide what to do with them. In some cases, leaving them alone won’t cause any immediate problems; but if the GID is ever reused, it can lead to confusion and even security breaches. Therefore, it’s usually best to delete the files or assign them other group ownership using the chown or chgrp command.
Tuning User and System Environments
Text-mode user environments are controlled through shell configuration files. For bash, these files include /etc/profile, /etc/bash.bashrc, ~/.profile, ~/.bashrc, ~/.bash_profile, and ~/.profile. The files in /etc are global configuration files, which affect all users; those in users’ home directories (which are usually copied from the skeleton directory at account creation, as described earlier) affect individual users’ accounts and can be customized by individual users.
These files control the various bash options, including environment variables—named variables that hold data for the benefit of many programs. For instance, you might set the $EDITOR environment variable to the name of your favorite text editor. Some (but not all) programs that launch editors pay attention to this environment variable and launch the editor you specify.
As a system administrator, you can change the system-wide bash configuration files to add, remove, or change the environment variables that all users receive. Generally speaking, you should do so because the documentation for a specific program indicates that it uses particular environment variables. You can also see all your current environment variables by typing env. (The list is rather long, so you may want to pipe it through less, as in env | less.)
In addition to setting default environment variables and otherwise modifying users’ text-mode login environment by adjusting their bash configuration files, you can adjust the default set of files created by useradd. As described earlier, in “Adding Users,” useradd copies files from the skeleton directory (/etc/skel by default) into a newly created home directory. Typically, /etc/skel contains a handful of user configuration files, such as .bashrc. You can add files (and even directories) to this directory, including user configuration files, a starting directory tree, a README file for new users, and anything else you like. Because these files are copied into users’ home directories and users are given ownership of the copies, the users can read, change, and even delete their copies of these files. Thus, you shouldn’t place any options in these files that are sensitive from a security point of view or that users should not be able to change. (In truth, entries you place in global bash configuration files can easily be overridden by individual users via manual bash commands or other configuration files, too.) Also, be aware that any changes you make to the global files won’t automatically be moved into existing users’ copies of these files; changes will affect only the files received by new users. This fact makes the global files (such as /etc/profile) preferable to /etc/skel for any changes to system defaults you want to implement system-wide, particularly if you expect you’ll ever want to modify your changes.
Various programs set environment variables themselves, and some are maintained automatically by bash. For instance, bash maintains the PWD environment variable, so you shouldn’t try to set it in a configuration script. Also, be aware that adjusting the bash configuration files affects only bash. If a user’s default shell is something else or if a user doesn’t use a text-mode shell (say, if the user logs into X and launches programs from a GUI menu), setting environment variables in the bash configuration files will do no good.
Using System Log Files
Linux maintains log files that record various key details about system operation. You may be able to begin using log files immediately, but knowing how to change the log file configuration can also be important. You do this by configuring the syslogd daemon (a daemon is a program that runs continuously in the background waiting for an event to trigger it to perform some action). Some servers and other programs perform their own logging and so must be configured independently of syslogd. You may even want to configure one computer to send its log files to another system as a security measure. You should also be aware of issues surrounding log file rotation; if your computer doesn’t properly manage existing log files, they can grow to consume all your available disk space, at least on the partition on which they’re stored. In addition to configuring logging, you must be able to use the log files that the system generates.
Understanding syslogd
Most Linux systems employ a special daemon to handle log maintenance in a unified way. The traditional Linux system logger is syslogd, which is often installed from a package called sysklogd. The syslogd daemon handles messages from servers and other user-mode programs. It’s usually paired with a daemon called klogd, which is generally installed from the same sysklogd package as syslogd. The klogd daemon manages logging of kernel messages.
Other choices for system loggers exist. For instance, syslog-ng is a replacement that supports advanced filtering options, and metalog is another option. Recent versions of Fedora and Ubuntu use rsyslogd. This chapter describes the traditional syslogd logger. Others are similar in principle, and even in some specific features, but differ in many details.
The basic idea behind a system logger is to provide a unified means of handling log files. The daemon runs in the background and accepts data delivered from servers and other programs that are configured to use the log daemon. The daemon can then use information provided by the server to classify the message and direct it to an appropriate log file. This configuration enables you to consolidate messages from various servers in a handful of standard log files, which can be much easier to use and manage than potentially dozens of log files from the various servers running on the system.
In order to work, of course, the log daemon must be configured. In the case of syslogd, this is done through the /etc/syslog.conf file. (The rsyslogd configuration file is /etc/rsyslog.conf and is similar to syslog.conf.) The next section describes the syslog.conf file’s format in more detail.
Setting Logging Options
The format of the /etc/syslog.conf file is conceptually simple but provides a great deal of power. Comment lines, as in many Linux configuration files, are denoted by a hash mark (#). Non-comment lines take the following form:
facility.priority action
In this line, the facility is a code word for the type of program or tool that generated the message to be logged; the priority is a code word for the importance of this message; and the action is a file, remote computer, or other location that’s to accept the message. The facility and priority are often referred to collectively as the selector.
Valid codes for the facility are auth, authpriv, cron, daemon, kern, lpr, mail, mark, news, security, syslog, user, uucp, and local0 through local7. Many of these names refer to specific servers or program classes. For instance, mail servers and other mail-processing tools typically log using the mail facility. Most servers that aren’t covered by more-specific codes use the daemon facility. The security facility is identical to auth, but auth is the preferred name. The mark facility is reserved for internal use. An asterisk (*) refers to all facilities. You can specify multiple facilities in one selector by separating the facilities with commas (,).
Valid codes for the priority are debug, info, notice, warning, warn, error, err, crit, alert, emerg, and panic. The warning priority is identical to warn, error is identical to err, and emerg is identical to panic. The error, warn, and panic priority names are deprecated; you should use their equivalents instead. Other than these identical pairs, these priorities represent ascending levels of importance. The debug level logs the most information; it’s intended, as the name implies, for debugging programs that are misbehaving. The emerg priority logs the most important messages, which indicate very serious problems. When a program sends a message to the system logger, it includes a priority code; the logger logs the message to a file if you’ve configured it to log messages of that level or higher. Thus, if you specify a priority code of alert, the system will log messages that are classified as alert or emerg but not messages of crit or below. An exception to this rule is if you precede the priority code by an equal sign (=), as in =crit, which describes what to do with messages of crit priority only. An exclamation mark (!) reverses the meaning of a match. For instance, !crit causes messages below crit priority to be logged. A priority of * refers to all priorities.
You can specify multiple selectors for a single action by separating the selectors with a semicolon (;). Note that commas are used to separate multiple facilities within a single selector, whereas semicolons are used to separate multiple selectors as a whole. Examples of complete selectors appear shortly.
Most commonly, the action is a filename, typically in the /var/log directory tree. The messages, syslog, and secure files in this directory are three common and important log files, although not all distributions use all of these files. Other possible logging locations include a device filename for a console (such as /dev/console) to display data on the screen, a remote machine name preceded by an at sign (@) to log data to the specified system, and a list of usernames of individuals who should see the message if they’re logged in. For the last of these options, an asterisk (*) means all logged-in users.
Some examples should help clarify these rules. First is a fairly ordinary and simple entry:
mail.* /var/log/mail
This line sends all log entries identified by the originating program as related to mail to the /var/log/mail file. Most of the entries in a default /etc/syslog.conf file resemble this one. Together, they typically cover all of the facilities mentioned earlier. Some messages may be handled by multiple rules. For instance, another rule might look like this one:
*.emerg *
This line sends all emerg-level messages to the consoles of all users who are logged into the computer using text-mode tools. If this line and the earlier mail.* selector are both present, emerg-level messages related to mail will be logged to /var/log/mail and displayed on users’ consoles.
A more complex example logs kernel messages in various ways, depending on their priorities:
kern.* /var/log/kernel
kern.crit @logger.pangaea.edu
kern.crit /dev/console
kern.info;kern.!err /var/log/kernel-info
The first of these rules logs all kernel messages to /var/log/kernel. The second line sends critical messages to logger.pangaea.edu. (This computer must be configured to accept remote logs, which is a topic not covered in this book.) The third line sends a copy of critical messages to /dev/console, which causes them to be displayed on the computer’s main text-mode console display. Finally, the last line sends messages that are between info and err in priority to /var/log/kernel-info. Because err is the priority immediately above crit and because info is the lowest priority, these four lines cause all kernel messages to be logged two or three times: once to /var/log/kernel as well as either to the remote system and the console or to /var/log/kernel-info.
Most distributions ship with reasonable system logger settings, but you may want to examine these settings and perhaps adjust them. If you change them, be aware that you may need to change some other tools. For instance, all major distributions ship with tools that help rotate log files. If you change the files to which syslogd logs messages, you may need to change your log file rotation scripts as well. This topic is covered in the next section.
In addition to the system logger’s options, you may be able to set logging options in individual programs. For instance, you may tell programs to record more or less information or to log routine information at varying priorities. Some programs also provide the means to log via the system log daemon or via their own mechanisms. Details vary greatly from one program to another, so you should consult the program’s documentation for details.
Most programs that use the system log daemons are servers and other system tools. Programs that individuals run locally seldom log data via the system log daemon, although there are some exceptions to this rule, such as the Fetchmail program for retrieving email from remote servers.
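The selector rules from this section can be checked mechanically before a syslog.conf change goes live. The following is an added example, not code from the book or from sysklogd: it evaluates the section's example rules for a given facility and priority and returns every action that would receive the message. It assumes that selectors joined by semicolons are applied left to right to a per-facility priority mask, with a ! selector removing levels admitted earlier on the same line; the function names are hypothetical.

```python
# Priorities in ascending order of importance, as listed in the text.
LEVELS = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
LEVEL_ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}
FACILITIES = ["auth", "authpriv", "cron", "daemon", "kern", "lpr", "mail",
              "mark", "news", "syslog", "user", "uucp"] + [f"local{i}" for i in range(8)]
FACILITY_ALIASES = {"security": "auth"}

# Constructed sample: the example rules from the text gathered into one file.
SAMPLE_CONF = """\
# sample rules assembled from the section's examples
mail.*                  /var/log/mail
*.emerg                 *
kern.*                  /var/log/kernel
kern.crit               @logger.pangaea.edu
kern.crit               /dev/console
kern.info;kern.!err     /var/log/kernel-info
"""


def level_index(name):
    """Map a priority name (or deprecated alias) to its position in LEVELS."""
    name = LEVEL_ALIASES.get(name, name)
    if name not in LEVELS:
        raise ValueError(f"unknown priority: {name!r}")
    return LEVELS.index(name)


def facility_name(name):
    """Normalize a facility name, folding 'security' into 'auth'."""
    name = FACILITY_ALIASES.get(name, name)
    if name not in FACILITIES:
        raise ValueError(f"unknown facility: {name!r}")
    return name


def compile_selectors(field):
    """Turn a selector field such as 'kern.info;kern.!err' into
    {facility: set of level indexes that the rule accepts}."""
    masks = {f: set() for f in FACILITIES}
    for selector in field.split(";"):
        facs, _, pri = selector.strip().rpartition(".")
        if not facs or not pri:
            raise ValueError(f"malformed selector: {selector!r}")
        negate = pri.startswith("!")       # '!' reverses the match
        if negate:
            pri = pri[1:]
        exact = pri.startswith("=")        # '=' means this level only
        if exact:
            pri = pri[1:]
        if pri == "*":
            levels = set(range(len(LEVELS)))
        elif exact:
            levels = {level_index(pri)}
        else:                              # plain name: that level or higher
            levels = set(range(level_index(pri), len(LEVELS)))
        names = facs.split(",")            # commas separate facilities
        targets = FACILITIES if "*" in names else [facility_name(n) for n in names]
        for fac in targets:
            if negate:
                masks[fac] -= levels
            else:
                masks[fac] |= levels
    return masks


def parse_conf(text):
    """Return a list of (masks, action) for each non-comment line."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        field, action = line.split(None, 1)
        rules.append((compile_selectors(field), action.strip()))
    return rules


def route(rules, facility, priority):
    """List every action that would receive a message, in file order."""
    fac, lvl = facility_name(facility), level_index(priority)
    return [action for masks, action in rules if lvl in masks[fac]]


if __name__ == "__main__":
    rules = parse_conf(SAMPLE_CONF)
    for fac, pri in [("kern", "crit"), ("kern", "notice"), ("kern", "err"),
                     ("kern", "debug"), ("mail", "emerg")]:
        print(f"{fac}.{pri:<7} -> {route(rules, fac, pri)}")
```

Running the script prints the destinations for several kernel priorities, which makes it easy to see which levels reach the remote host and the console and which reach only a local file.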
Manually Logging Data
For the most part, the system logger accepts log entries from system tools, such as servers. Occasionally, though, you may want to manually create a log entry or have a script do so. The tool for this job is known as logger, and it has the following syntax:
logger [-isd] [-f file] [-p pri] [-t tag] [-u socket] [message ...]
Options to logger permit changing its default function:
Record logger PID: The -i option records the process ID (PID) of the logger process along with other data.
Output to Standard Error: You can echo data to standard error, as well as to the log file, by using the -s option. An interactive script might use this feature to alert users to problems.
Log Using Datagrams: The -d option causes logger to use datagrams rather than a stream connection to the system logger socket. This is an advanced feature that you should use only if you’re instructed to do so in documentation or if you understand the networking issues involved.
Log a File: You can log the contents of a file by using the -f file option. Be cautious with this option; if file is big, your system log file can grow to ridiculous size!
Identify a Priority: The -p pri option specifies a priority, as described earlier.
Log Tags: By default, logger includes its name in the log file as a tag. You can change this tag with the -t tag option. This is useful if you want to identify a script or other program that created the log entry and don’t care to record the fact that logger was involved in the process.
Specify a Socket: Ordinarily, logger calls the default system log tools to do its job. You can log directly to a network socket using the -u socket option if you prefer.
Specify a Message: If you don’t specify a file using -f file, logger will log whatever you type after other options as the message to be logged. If you don’t provide a message on the command line, logger accepts input you type on subsequent lines as information to be logged. You should terminate such input by pressing Ctrl+D.
As an example, suppose you want to log the message “shutting down for system maintenance” to the system log. You can do so by typing the following command:
$ logger shutting down for system maintenance
The result will be an entry like the following, probably in /var/log/messages:
Jul 29 14:09:50 nessus logger: shutting down for system maintenance
Adding parameters changes the details of what’s logged, as just described. You can place a call to logger in a script as a way of documenting the script’s activities. For instance, a system backup script might use logger to record details such as its start and stop times and the number and size of the files it has backed up.
Rotating Log Files
Log files are intended to retain information about system activities for a reasonable period of time, but system logging daemons provide no means to control the size of log files. Left unchecked, log files can therefore grow to consume all the available space on the partition on which they reside. To avoid this problem, Linux employs log file rotation tools. These tools rename and optionally compress the current log files, delete old log files, and force the logging system to begin using new log files.
The most common log rotation tool is a package called logrotate. This program is typically called on a regular basis via a cron job. (The upcoming section “Running Jobs in the Future” describes cron jobs in more detail.) The logrotate program consults a configuration file called /etc/logrotate.conf, which includes several default settings and typically refers to files in /etc/logrotate.d to handle specific log files. A typical /etc/logrotate.conf file includes several comment lines, denoted by hash marks (#), as well as lines to set various options, as illustrated by Listing 7.1.
Listing 7.1: Sample /etc/logrotate.conf File
# Rotate logs weekly
weekly
# Keep 4 weeks of old logs
rotate 4
# Create new log files after rotation
create
# Compress old log files
compress
# Refer to files for individual packages
include /etc/logrotate.d
# Set miscellaneous options
notifempty
nomail
noolddir
# Rotate wtmp, which isn't handled by a specific program
/var/log/wtmp {
    monthly
    create 0664 root utmp
    rotate 1
}
Most of the lines in Listing 7.1 set options that are fairly self-explanatory or that are well explained by the comments that immediately precede them—for instance, the weekly line sets the default log rotation interval to once a week. If you see an option in your file that you don’t understand, consult the man page for logrotate.
Because log file rotation is handled by cron jobs that typically run late at night, it won’t happen if a computer is routinely turned off at the end of the day. This practice is common with Windows workstations but is uncommon with servers. Linux workstations should either be left running overnight as a general practice or be given special tools to enable log rotation despite routine shutdowns. The anacron utility, described in the upcoming section “Using anacron,” is particularly well suited to the latter task.
The last few lines of Listing 7.1 demonstrate the format for the definition of a specific log file. These definitions begin with the filename for the file (multiple filenames may be listed, separated by spaces), followed by an open curly brace ({). They end in a close curly brace (}). Intervening lines set options that may override the defaults. For instance, the /var/log/wtmp definition in Listing 7.1 sets the monthly option, which tells logrotate to rotate this log file once a month, overriding the default weekly option. Such definitions are common in the individual files in /etc/logrotate.d, which are typically owned by the packages whose log files they rotate.
The following are examples of features that are often set in these definitions:
Rotated File Naming: Ordinarily, rotated log files acquire numbers, such as messages.1 for the first rotation of the messages log file. Using the dateext option causes the rotated log file to obtain a date code instead, as in messages-20130210 for the rotation performed on February 10, 2013.
Compression Options: As already noted, compress causes logrotate to compress log files to save space. This is done using gzip by default, but you can specify another program with the compresscmd keyword, as in compresscmd bzip2 to use bzip2. The compressoptions keyword enables you to pass options to the compression command (say, to improve the compression ratio).
Creation of New Log Files: The create option causes logrotate to create a new log file for use by the system logger or program. This option takes a file mode, an owner, and a group as additional options. Some programs don’t work well with this option, though. Most of them use the copytruncate option instead, which tells logrotate to copy the old log file to a new name and then clear all the data out of the original file.
Time Options: The daily, weekly, and monthly options tell the system to rotate the log files at the specified intervals. These options aren’t always used; some configurations use a size threshold rather than a time threshold for when to rotate log files.
Size Options: The size keyword sets a maximum size for a log file. It takes a size in bytes as an argument (adding k, M, or G to the size changes it to kilobytes, megabytes, or gigabytes, respectively). For instance, size 100k causes logrotate to rotate the file when it reaches 100 kB in size.
Rotation Options: The rotate x option causes x copies of old log files to be maintained. For instance, if you set rotate 2 for the /var/log/messages file, logrotate will maintain /var/log/messages.1 and /var/log/messages.2 in addition to the active /var/log/messages file. When that file is rotated, /var/log/messages.2 is deleted, /var/log/messages.1 is renamed to /var/log/messages.2, /var/log/messages becomes /var/log/messages.1, and a new /var/log/messages is created.
Mail Options: If you use mail address, logrotate will email a log file to the specified address when it’s rotated out of existence. Using nomail causes the system to not send any email; the log is quietly deleted.
Scripts: The prerotate and postrotate keywords both begin a series of lines that are treated as scripts to be run immediately before or after log file rotation, respectively. In both cases, these scripts end with the endscript keyword. These commands are frequently used to force syslogd or a server to begin using a new log file.
In most cases, servers and other programs that log data either do so via the system logging daemon or ship with a configuration file that goes in /etc/logrotate.d to handle the server’s log files. These files usually do a reasonable job, but you may want to double-check them. For instance, you might discover that your system is configured to keep too many or too few old log files for your taste, in which case adjusting the rotate option is in order. You should also check the /var/log directory and its subdirectories every now and then. If you see huge numbers of files accumulating or if files are growing to unacceptable size, you may want to check the corresponding logrotate configuration files. If an appropriate file doesn’t exist, create one. Use a working file as a template, modifying it for the new file. Pay particular attention to the prerotate and postrotate scripts; you may need to consult the documentation for the program that’s creating the log file to learn how to force that program to begin using a new log file.
In most cases, log files remain on the computer that recorded them. Sometimes, though, you may want to copy such files off-site. The easiest way to do this may be to reconfigure the log daemon to send the messages you want to archive to another system, as described in “Setting Logging Options.” Another possibility is to create a cron job (as described later, in “Running Jobs in the Future”) to copy files to another system using a network share, ssh, or some other network tool. You can also manually copy log files onto removable disks, if you like. There are few technical reasons to archive log files for more than a few weeks—only if a problem escapes your notice for a long time will they be useful. Managers or lawyers may want to keep them around for the long term for business or legal reasons, though.
Reviewing Log File Contents
Log files do no good if they simply accumulate on the system. Their purpose is to be used as a means of identifying problems or documenting normal activity. When a server isn’t responding as you expect, when a computer refuses logins it should be accepting (or accepting logins it should be refusing), or when a system’s network interface isn’t coming up (to name just three types of problems), you should check your log files as part of your troubleshooting procedures. Log files can also be useful in less troublesome situations, such as helping you to identify the load on a server so as to plan upgrades.
Several procedures, many of which involve tools described elsewhere in this book, can help you access your log files:
Paging Through Whole Log Files: You can use a pager program, such as less (described in Chapter 1, “Exploring Linux Command-Line Tools”), to view the entire contents of a log file. A text editor can fill the same role.
Searching for Keywords: You can use grep (described in Chapter 1) to pull lines that contain keywords out of log files. This can be particularly handy when you don’t know which log file is likely to hold an entry. For instance, typing grep eth0 /var/log/* locates all lines in all files in the /var/log directory that contain the string eth0.
Examining the Start or End of a File: You can use the head or tail command (described in Chapter 1) to examine the first or last several lines of a log file. The tail command is particularly handy; you can use it to look at the last few entries just after you take some action that you expect to produce some diagnostic log file entries.
Monitoring Log Files: In addition to checking the last few lines of a log file, tail can monitor a file on an ongoing basis, echoing lines to the screen as they’re added to the file. You do this with the -f option to tail, as in tail -f /var/log/messages.
Using Advanced Log Analysis Tools: Various packages exist expressly for the purpose of analyzing log files. For instance, there’s Logcheck, which is part of the Sentry Tools package (http://sourceforge.net/projects/sentrytools/). This package comes with some distributions, such as Mandriva and Debian. Unfortunately, it requires a fair amount of customization for your own system, so it’s most easily implemented if it comes with your distribution, preconfigured for its log file format.
Log file analysis is a skill that’s best learned through experience. Many log file messages are cryptic, and they can be cryptic in different ways for different programs. For instance, consider these entries:
Apr 14 23:17:00 speaker /USR/SBIN/CRON[6026]: (george) CMD
    (/usr/bin/fetchmail -f /home/george/.fetchmailrc > /dev/null)
Apr 14 23:17:52 speaker sshd[6031]: Accepted publickey for george from
    ::ffff:192.168.1.3 port 48139 ssh2
These two lines relate to two entirely different events, but they have a similar format. Both entries begin with a timestamp and the name of the computer on which the activity occurred (speaker in this example). Next on each line is an identifier for the program that logged the activity, including its PID number: /USR/SBIN/CRON[6026] and sshd[6031] in this example. Note that these names are generated by the programs that create the activity, so they aren’t necessarily consistent or even fully accurate. For instance, there is no /USR/SBIN/CRON program, although there is a /usr/sbin/cron program. (Recall that Linux has a case-sensitive filesystem.)
All of this information helps you identify what program logged the entry and when it did so. The rest of the log entry contains the actual logged data. The first entry in this example is from the cron utility, and it identifies a program run on behalf of george—specifically, cron ran the fetchmail program, passed it the name of a configuration file via the -f option, and redirected the output to /dev/null. The second entry (for sshd) identifies a login from 192.168.1.3 on port 48139, again involving the user george.
You can use entries like these to help identify malfunctioning servers, spot security breaches, and otherwise debug your system. Doing so, though, requires at least some familiarity with the normal log file contents as well as other system details. For instance, in the preceding example, if your system has no george account, these entries should both be suspicious but you must be familiar enough with the format of the entries to spot that george is a username (or be able to work it out). You must also know that your system should have no george account.
Overall, you should probably examine your log files from time to time to become familiar with their contents. This will help you spot abnormalities when the system begins misbehaving or when you want to use log files to help track down an unwelcome visitor.
Log file entries can be conspicuous by their absence as well as by suspicious content within them. Intruders often try to cover their tracks by editing log files to remove the entries that betray their unauthorized accesses. Sometimes, though, they’re sloppy about this and just delete all the log entries from the time in question. If you notice unusual gaps in your log files, such as a space of an hour with no entries on a system that normally logs a couple dozen entries in that period, you may want to investigate further.
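Both checks described above, usernames that should not exist on the system and unexplained quiet periods, can be automated. The following is an added example, not code from the book: it parses entries in the format shown in this section, reports any silence longer than a threshold, and lists users named in sshd and cron entries that are missing from a list of known accounts. The sample log, the year, the account list, and the function names are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

MONTHS = {name: num for num, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# timestamp, host, program tag with optional [PID], then the message
ENTRY_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) "
    r"(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
SSHD_ACCEPT_RE = re.compile(r"^Accepted \S+ for (?P<user>\S+) from \S+ port \d+")
CRON_CMD_RE = re.compile(r"^\((?P<user>[^)]+)\) CMD ")

# Constructed sample in the format shown in the text (one entry per line).
SAMPLE_LOG = """\
Apr 14 21:05:11 speaker sshd[5901]: Accepted publickey for sally from 192.168.1.7 port 40112 ssh2
Apr 14 21:17:00 speaker /USR/SBIN/CRON[5920]: (sally) CMD (/usr/bin/fetchmail -f /home/sally/.fetchmailrc > /dev/null)
Apr 14 21:32:40 speaker sshd[5950]: Accepted password for sam from 192.168.1.9 port 51522 ssh2
Apr 14 23:17:00 speaker /USR/SBIN/CRON[6026]: (george) CMD (/usr/bin/fetchmail -f /home/george/.fetchmailrc > /dev/null)
Apr 14 23:17:52 speaker sshd[6031]: Accepted publickey for george from ::ffff:192.168.1.3 port 48139 ssh2
"""


def parse_log(text, start_year):
    """Parse entries in file order. These timestamps carry no year, so the
    caller supplies one; it is advanced when the month runs backwards."""
    entries, year, prev_month = [], start_year, None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m or m["mon"] not in MONTHS:
            continue  # skip lines that are not in the expected format
        month = MONTHS[m["mon"]]
        if prev_month is not None and month < prev_month:
            year += 1  # e.g. Dec 31 followed by Jan 1
        prev_month = month
        when = datetime(year, month, int(m["day"]),
                        int(m["h"]), int(m["m"]), int(m["s"]))
        entries.append({"time": when, "host": m["host"],
                        "tag": m["tag"], "msg": m["msg"]})
    return entries


def find_gaps(entries, max_quiet):
    """Return (last_entry_before, first_entry_after) for each silence
    longer than max_quiet."""
    gaps = []
    for prev, cur in zip(entries, entries[1:]):
        if cur["time"] - prev["time"] > max_quiet:
            gaps.append((prev["time"], cur["time"]))
    return gaps


def unknown_users(entries, known_accounts):
    """Users named in sshd logins or cron jobs that have no known account."""
    seen = set()
    for entry in entries:
        tag = entry["tag"].lower()  # tags are not consistent in case
        if tag == "sshd":
            m = SSHD_ACCEPT_RE.match(entry["msg"])
        elif tag.endswith("cron"):
            m = CRON_CMD_RE.match(entry["msg"])
        else:
            m = None
        if m:
            seen.add(m["user"])
    return seen - set(known_accounts)


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG, 2013)
    for before, after in find_gaps(log, timedelta(hours=1)):
        print(f"no entries between {before} and {after}")
    print("unknown users:", sorted(unknown_users(log, {"sally", "sam", "ellen"})))
```

The one-hour threshold mirrors the example in the text; a useful value depends on how often the system normally logs.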
Maintaining the System Time
Linux depends on its system clock more than many OSs. Tools such as cron and at (described later, in “Running Jobs in the Future”) run programs at specified times, the make development tool uses files’ timestamps to determine which ones need attention, and so on. Thus, you should be familiar with how Linux deals with time, how to set the time zone, how to set the time, and how to keep the clock accurate.
Linux Time Concepts
The x86 and x86-64 computers that most often run Linux, as well as most other computers of this general class, have two built-in clocks. The first of these clocks, sometimes called the hardware clock, maintains the time while the computer is turned off. When you boot Linux, it reads the hardware clock and sets the software clock to the value it retrieves. The software clock is what Linux uses for most purposes while it’s running.
Most desktop OSs, such as Windows and pre-X versions of Mac OS, set their clocks to the local time. This approach is simple and convenient for people who are used to dealing mainly with local time, but for purposes of networking, it’s inadequate. When it’s 4:00 a.m. in New York, it’s 1:00 a.m. in Los Angeles, so network protocols that rely even partly on time can become confused (or at the very least, create confusing log entries) when they operate across time zones. Linux, like other Unix-like OSs, sets its clock to Coordinated Universal Time (UTC), which for most purposes is identical to Greenwich Mean Time (GMT)—the time in Greenwich, England, unadjusted for daylight saving time. This approach means that Linux systems in New York and Los Angeles (and London and Moscow and Tokyo) should have identical times, assuming all are set correctly. For communicating with users, though, these systems need to know their time zones. For instance, when you type ls -l to see a file listing complete with timestamps, Linux reads the timestamp in UTC and then adds or subtracts the appropriate amount of time so that the timestamp appears in your local time.
Of course, all of this means that you must be able to set the computer’s time zone. On most systems, this is done at system installation; the distribution’s installer asks you for your time zone and sets things up correctly. If you erred during installation or if you need to change the time zone for any reason, refer to Chapter 6, “Configuring the X Window System, Localization, and Printing,” which describes how to set your time zone.
The exam’s objective 108.1 includes the files /usr/share/zoneinfo, /etc/timezone, and /etc/localtime. These files are also included under objective 107.3 and are described in Chapter 6, which covers that objective.
Linux’s internal use of UTC can complicate setting the hardware clock. Ideally, the hardware clock should be set to UTC; but if your system multi-boots between Linux and an OS that expects the hardware clock to be in local time, you’ll have to set the hardware clock to local time and configure Linux to deal with this fact. For the most part, this configuration works well, but you may have to watch the clock the first time you reboot in the spring or fall after changing your clocks because of daylight saving time. Depending on your Linux and other OS’s settings, your hardware clock may be reset in a way one OS or the other doesn’t expect.
Both the hardware clock and the software clock are notoriously unreliable on standard x86 and x86-64 hardware; both clocks tend to drift, so your clock can easily end up being several minutes off the correct time within a month or two of being set. To deal with this problem, Linux supports various network protocols for setting the time. The most popular of these is the Network Time Protocol (NTP), which is described in the upcoming section “Using NTP.”
ManuallySettingtheTimeYoucanmanually setyour system’sclock—ormoreprecisely, itsclocks,becauseasnotedearlier,Linuxmaintains two clocks: the hardware clock and the software clock. Themain tool to set thesoftwareclockisdate,whichhasthefollowingsyntaxwhensettingtheclock:date[-u|--utc|--universal][MMDDhhmm[[CC]YY][.ss]]
Used without any options, this command displays the current date and time. If you pass a time to the program, it sets the software clock to that time. This format contains a month, a day, an hour, and a minute at a minimum, all in two-digit codes (MMDDhhmm). You can optionally add a 2- or 4-digit year and the seconds within a minute if you like. You should specify the time in a 24-hour format. For instance, to set the time to 3:02 p.m. on October 27, 2013, you’d type the following command:
# date 102715022013
By default, date assumes you’re specifying the time in local time. If you want to set the clock in UTC, include the -u, --utc, or --universal option.
Because x86 and x86-64 hardware maintains both software and hardware clocks, Linux provides tools to synchronize the two. Specifically, the hwclock utility enables you to set the hardware clock from the software clock, or vice versa, as well as do a few other things. Its syntax is fairly straightforward:
hwclock [options]
You can specify options to accomplish several goals:
Show the Hardware Clock
To view the hardware clock, pass the -r or --show option. The time is displayed in local time, even if the hardware clock is set to UTC.
Set the Hardware Clock Manually
To set the hardware clock to a date you specify, you need two options: --set and --date=newdate. The newdate is in the date format that the date program accepts.
Set the Hardware Clock Based on the Software Clock
If you’ve set the software clock, you can synchronize the hardware clock to the same value with the --systohc option.
Set the Software Clock Based on the Hardware Clock
If your hardware clock is accurate but your software clock isn’t, you can use the --hctosys option to set the software clock to the hardware clock’s value. This option is often used in a SysV startup script to set the system clock when the computer first boots.
Specify UTC or Local Time
You can tell Linux to treat the hardware clock as storing UTC by using the --utc option or to treat it as holding local time by using the --localtime option. The default is whichever was last used when the hardware clock was set.
Ordinarily, you won’t use hwclock directly very often. You may need to use it after a daylight saving time shift if you maintain your hardware clock in local time, but most distributions include scripts that manage this task automatically. You may also want to use it once in a while to keep the hardware clock from drifting too far from an accurate time; but again, many distributions do this automatically as part of the system shutdown procedure.
You can also set the hardware clock via your computer’s firmware setup utility. Consult your motherboard or computer hardware manual for details. You must reboot the system to do this, typically pressing the Delete or some other key at a critical time early in the boot process (before your boot loader takes over). You must then find the time option and set it appropriately. If Linux is using UTC, remember to set the clock to UTC rather than local time.
Using NTP
Typically, a clock on an isolated computer needn’t be set with any great precision. It doesn’t really matter if the time is off by a few seconds, or even a few minutes, so long as the time is reasonably consistent on that one computer for the purpose of cron, other scheduling tools, and time stamps. Sometimes, though, maintaining a truly accurate system time is important. This is true for a few scientific, business, and industrial applications (such as astronomical measurements or determining the start and stop times for television broadcasts). In a networked environment, maintaining the correct time can be more important. Time stamps on files may become confused if a file server and its clients have different times, for instance. Worse, a few protocols, such as the Kerberos security suite, embed time stamps in their packets and rely on those time stamps for normal system functioning. If two computers using Kerberos have wildly different times, they may not be able to communicate. For these reasons, several protocols exist to synchronize the clocks of multiple systems. Of these, NTP is the most popular and flexible, so I describe it.
You should first understand the basic principles of NTP operation. You can then go on to configuring an NTP server for your network and setting up other systems as NTP clients.
Understanding NTP Basics
One of the most popular, flexible, and accurate network time tools is NTP. This protocol creates a tiered hierarchy of time sources, as illustrated in Figure 7.1. At the top of the structure are one or more highly accurate time sources—typically atomic clocks or radio receivers that pull their times from broadcast time signals based on atomic clocks. These are referred to as stratum 0 time servers, but they aren’t directly accessible to any but the stratum 1 time servers to which they’re connected. These stratum 1 computers run NTP servers that deliver the time to stratum 2 servers, which deliver the time to stratum 3 servers, and so on, for an arbitrary number of strata.
FIGURE 7.1 NTP enables an expanding pyramid of computers to set their clocks to a highly accurate source signal.
Other time-setting protocols include one built into the Server Message Block/Common Internet File System (SMB/CIFS) used for Windows file sharing and implemented in Linux by Samba and a protocol used by the rdate utility in Linux.
The key to NTP is the fact that each server can deliver time to an expanding number of clients. For instance, if a stratum 1 server has 1,000 clients, each of which has 1,000 clients, and so on, stratum 3 will consist of 1,000,000 systems, and stratum 4 will contain 1,000,000,000 systems. Each increase in the stratum number slightly decreases the accuracy of the time signal, but not by much; even a stratum 4 system’s clock should be accurate to well under a second, which is accurate enough for almost all purposes. More important, if you run a network, you can set aside one computer as an NTP server and set all your other computers’ clocks from that one server. Even if your primary NTP server’s clock is off by a second, all the clocks on your network should be set to within a tiny fraction of each other, which is the most important consideration for time-dependent network protocols such as Kerberos.
NTP works by measuring the round-trip time for packets between the server and the client. The two systems exchange packets with embedded time stamps; the client then adjusts its time so that it is synchronized with the source’s time stamp but adds a bit to the time reported by the source to account for the packet’s estimated travel time. For this reason, when you select an NTP source (as described next, in “Locating a Time Source”), you should pick one with the shortest possible network time delay, all other things being equal. (In truth, several measures of reliability exist, and the NTP programs try to take them all into account.)
The main Linux NTP server program functions as both a server and a client; it sets its clock based on the time of the server to which it’s pointed, and it enables other systems to set their clocks based on its own. Even the end points in the NTP hierarchy (the stratum 4 and some stratum 3 servers in Figure 7.1) often run the full NTP server package. The reason is that this software runs constantly and can monitor for and adjust the clock drift that’s common in x86 and other computers’ clocks, resulting in much more consistent timekeeping than is possible with a program that simply sets the clock and then ignores it until the next time the program is run. In other words, NTP doesn’t just reset the system clock periodically; the server improves the accuracy of the system clock. In part, this is done through the ntp.drift file, which is usually buried in /var/lib/ntp but is sometimes stored in /etc. This file holds information about the software clock’s inaccuracies and so can be used to correct for them. A full NTP server, even when it’s functioning only as an NTP client, periodically checks with its source systems to keep the system time set correctly and to update the ntp.drift file.
Locating a Time Source
You may think that locating an NTP server with a low stratum number (such as stratum 1) is ideal. Although it’s true that your own system will have a minutely more accurate clock when using such a source, the best approach in most cases is to synchronize with a stratum 2 or lower system. The reason is that this practice will help keep the load on the stratum 1 servers low, thus improving the overall performance of the NTP network as a whole. An exception might be if you’re configuring an NTP server that will itself deliver the time to hundreds or more computers.
To locate an NTP server, you should consult one or more of several sources:
Your ISP
Many Internet service providers (ISPs), including business networks and universities, operate NTP servers for the benefit of their users. These servers are usually very close to your own in a network sense, making them good choices for NTP. You should consult your ISP or the networking department at your organization to learn if such a system is available.
Your Distribution’s NTP Server
Some Linux distributions operate NTP servers for their users. If you happen to be close to these servers in a network sense, they can be good choices; however, chances are this isn’t the case, so you may want to look elsewhere.
Public NTP Server Lists
Lists of public NTP servers are maintained at http://support.ntp.org/bin/view/Servers/WebHome. These servers can be good choices, but you’ll need to locate the one closest to you in a network sense and perhaps contact the site you choose to obtain permission to use it.
Public NTP Server Pool
The pool.ntp.org subdomain is dedicated to servers that have volunteered to function as public NTP servers. These servers are accessed in a round-robin fashion by hostname, so you can end up using different servers each time you launch NTP. Thus, using the public NTP server pool can be a bit of a gamble, but the results are usually good enough for casual users or if you don’t want to spend time checking and maintaining your NTP configuration. To use the pool, you can configure your NTP server to use either the pool.ntp.org subdomain name or a numbered host within that domain, such as 0.pool.ntp.org. You can narrow the list geographically by adding a geographic name to the domain name, as in north-america.pool.ntp.org for servers located in North America. Consult http://support.ntp.org/bin/view/Servers/NTPPoolServers for details.
The closest server in a network sense may not be the closest computer in a geographic sense. For instance, a national ISP may route all traffic through just one or two hub sites. The result can be that traffic from, say, Atlanta, Georgia, to Tampa, Florida, may go through Chicago, Illinois. Such a detour is likely to increase round-trip time and decrease the accuracy of NTP. In such a situation, a user in Atlanta may be better off using a Chicago NTP server than one in Tampa, even though Tampa is much closer geographically.
Once you’ve located a few possible time servers, try using ping to determine the round-trip time for packets to this system. If any systems have very high ping times, you may want to remove them from consideration.
Configuring NTP Servers
When you’re setting up a network to use NTP, select one system (or perhaps two for a network with several dozen or more computers) to function as the primary NTP server. This computer needn’t be very powerful, but it must have always-up access to the Internet. You can then install the NTP server and configure it.
Most Linux distributions ship the NTP software in a package called ntp or ntpd. Look for this package and, if it’s not already installed, install it. If you can’t find this package, check http://www.ntp.org/downloads.html. This site hosts NTP source code, which you can compile and install. If you don’t install your distribution’s own NTP package, you’ll need to create your own SysV startup script or start the NTP daemon in some other way.
Once NTP is installed, look for its configuration file, /etc/ntp.conf. This file contains various NTP options, but the most important are the server lines:
server clock.example.com
server ntp.pangaea.edu
server time.luna.edu
Each of these lines points to a single NTP server. When your local NTP daemon starts up, it contacts all the servers specified in /etc/ntp.conf, measures their accuracy against each other, and settles on one as its primary time source. Typically, you list about three upstream time servers for a system that’s to serve many other computers. This practice enables your server to weed out any servers that deliver a bad time signal, and it also gives automatic fallback in case an upstream server becomes temporarily or permanently unavailable. If your NTP server won’t be serving many computers itself, you may want to configure it for three servers initially and then drop the ones your system isn’t using as its primary time source after a day or two. This will reduce the load on these servers.
You may want to peruse your configuration file for entries to remove. For instance, the configuration file may contain references to servers you’d rather not use or other odd options with associated comments that make you think they’re inappropriate. Generally speaking, you shouldn’t adjust entries in the ntp.conf file other than the reference server lines, but special circumstances or odd default files may require you to make changes.
Once you’ve made your changes, start or restart your NTP daemon. Typically, this is done via a SysV startup script:
# /etc/init.d/ntpd restart
You may need to change the path to the file, the SysV script filename, or the option (change restart to start if you’re starting NTP for the first time). Most distributions configure NTP to start whenever the system boots once you install the server. Consult Chapter 5, “Booting Linux and Editing Files,” for details of changing this configuration.
To verify that NTP is working, you can use ntpq, which is an interactive program that accepts various commands. Figure 7.2 shows it in operation, displaying the output of the peers command, which displays the servers to which your NTP server is connected. In Figure 7.2, three external servers are listed, plus LOCAL(0), which is the last-resort reference source of the computer’s own clock. The refid column shows the server to which each system is synchronized, the st column shows the stratum of the server, and additional columns show more technical information. The server to which yours is synchronized is denoted by an asterisk (*), other servers with good times are indicated by plus signs (+), and most other symbols (such as x and -) denote servers that have been discarded from consideration for various reasons. You can obtain a server list by passing -p or --peers to ntpq, as in ntpq -p, without entering interactive mode. Consult ntpq’s man page for more information about its operation.
FIGURE 7.2 The ntpq program enables you to verify that an NTP server is functioning correctly.
You won’t see a server selected as the source until a few minutes after you restart the NTP daemon. The reason is that your local NTP process takes a while to determine which of the sources is providing the best signal.
Configuring NTP Clients
Once you’ve configured one or more NTP servers, you can configure the rest of your computers to point to them. Their configuration is done just like the NTP server configuration, with a couple of exceptions:
You set your NTP clients to refer to the NTP server (or servers) you’ve just configured rather than to an outside NTP source. This way, your local systems won’t put an unnecessary burden on the outside NTP server you’ve selected.
You may want to ensure that your NTP clients can’t be accessed as servers. This is a security measure. You can do this with an iptables firewall rule or by using the restrict default ignore line in ntp.conf. This line tells the server to ignore all incoming NTP requests. Ideally, you should use both methods.
Once you’ve configured a client, restart its NTP daemon. You can then use ntpq to check its status. You should see that it refers only to your network’s own NTP server or servers. These systems should be listed as belonging to a stratum with a number one higher than the servers to which they refer.
In some cases, a simpler way to set the time on a client is to use ntpdate. This program is part of the NTP suite, and it performs a one-time clock setting. To use it, type the command name followed by the hostname or IP address of an NTP server:
# ntpdate clock.example.com
Some NTP packages include a call to ntpdate in their NTP daemon startup scripts in order to ensure that the system is set to the correct time when it starts. The ntpdate command, however, has been deprecated and could disappear from the NTP package at any time. Instead, you can start ntpd with its -g option, which enables it to perform a one-time clock setting to a value that’s wildly divergent from the current time. (Ordinarily, ntpd exits if the time server’s time differs from the local time by more than a few minutes.)
Serving Time to Windows Systems
If your network hosts both Linux and Windows computers, you may want to use a Linux system as a time source for Windows clients or conceivably even use a Windows server as a time source for Linux clients. One way to do this is to run NTP on Windows. Consult http://www.meinberg.de/english/sw/ntp.htm or perform a Web search to locate NTP software for Windows systems. For Windows NT/200x/XP/Vista, you can type NET TIME /SETSNTP:time.server, where time.server is the name of your local NTP time server. This command performs a one-time setting of the clock but doesn’t run in the background like the full NTP package does on Linux. Running this command in a Windows login script may be adequate for your purposes. Windows 7 users can type W32TM /CONFIG /MANUALPEERLIST:time.server instead of the NET TIME command.
For older Windows 9x/Me systems, you can type NET TIME \\SERVER /SET /YES to have the system set the time to the time maintained by SERVER, which must be a Windows or Samba file or print server. This command doesn’t use NTP, but if you have a Linux system that runs both NTP and Samba, it can be a good way to get the job done.
Running Jobs in the Future
Some system maintenance tasks should be performed at regular intervals and are highly automated. For instance, the /tmp directory (which holds temporary files created by many users) tends to collect useless data files, which you might want to delete. Linux provides a means of scheduling tasks to run at specified times to handle such issues. This tool is the cron program, which runs what are known as cron jobs. A related tool is at, which enables you to run a command on a one-time basis at a specified point in the future as opposed to doing so on a regular basis, as cron does.
Understanding the Role of cron
The cron program is a daemon, so it runs continuously, looking for events that cause it to spring into action. Unlike most daemons, which are network servers, cron responds to temporal events. Specifically, it “wakes up” once a minute, examines configuration files in the /var/spool/cron and /etc/cron.d directories and the /etc/crontab file, and executes commands specified by these configuration files if the time matches the time listed in the files.
There are two types of cron jobs: system cron jobs and user cron jobs. System cron jobs are run as root and perform system-wide maintenance tasks. By default, most Linux distributions include system cron jobs that clean out old files from /tmp, perform log rotation (as described earlier, in “Rotating Log Files”), and so on. You can add to this repertoire, as described shortly. Ordinary users can create user cron jobs, which might run some user program on a regular basis. You can also create a user cron job as root, which might be handy if you need to perform some task at a time not supported by the system cron jobs, which are scheduled rather rigidly.
One of the critical points to remember about cron jobs is that they run unsupervised. Therefore, you shouldn’t call any program in a cron job if that program requires user input. For instance, you wouldn’t run a text editor in a cron job, but you might run a script that automatically manipulates text files, such as log files.
Creating System cron Jobs
The /etc/crontab file controls system cron jobs. This file normally begins with several lines that set environment variables, such as $PATH and $MAILTO (the former sets the path, and the latter is the address to which programs’ output is mailed). The file then contains several lines that resemble the following:
02 4 * * * root run-parts /etc/cron.daily
This line begins with five fields that specify the time. The fields are, in order, the minute (0−59), the hour (0−23), the day of the month (1−31), the month (1−12), and the day of the week (0−7; both 0 and 7 correspond to Sunday). For the month and day-of-the-week values, you can use the first three letters of the name rather than a number, if you like.
A useful mnemonic for the order of the time fields is that the first four fields are ordered in increasing unit size. The day of the week doesn’t fit neatly within this pattern and so is placed outside of it—that is, in the fifth field.
In all cases, you can specify multiple values in several ways:
An asterisk (*) matches all possible values.
A list separated by commas (such as 0,6,12,18) matches any of the specified values.
Two values separated by a dash (-) indicate a range, inclusive of the end points. For instance, 9-17 in the hour field specifies a time of from 9:00 a.m. to 5:00 p.m.
A slash, when used in conjunction with some other multi-value option, specifies stepped values—a range in which some members are skipped. For instance, */10 in the minute field indicates a job that’s run every 10 minutes.
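The field rules above can be checked mechanically, which is useful when reviewing what an unfamiliar crontab entry will actually run and when. The following is an added example, not code from the book; the function names to_num, field_matches, and cron_matches are hypothetical. It goes slightly beyond the text in one place: when both day fields are restricted it applies the either-field rule documented in crontab(5).

```shell
#!/bin/sh
# Added example: evaluate the five crontab time fields described above.

# to_num TOKEN: map a three-letter month or weekday name to its number and
# strip leading zeros, so "08" is not read as octal by shell arithmetic.
to_num() {
    case $(printf '%s' "$1" | tr 'A-Z' 'a-z') in
        sun) echo 0 ;; mon) echo 1 ;; tue) echo 2 ;; wed) echo 3 ;;
        thu) echo 4 ;; fri) echo 5 ;; sat) echo 6 ;;
        jan) echo 1 ;; feb) echo 2 ;; mar) echo 3 ;; apr) echo 4 ;;
        may) echo 5 ;; jun) echo 6 ;; jul) echo 7 ;; aug) echo 8 ;;
        sep) echo 9 ;; oct) echo 10 ;; nov) echo 11 ;; dec) echo 12 ;;
        *) tn=${1#"${1%%[!0]*}"}; echo "${tn:-0}" ;;
    esac
}

# field_matches FIELD VALUE MIN MAX: succeed if VALUE is selected by FIELD.
# Returns 1 for "no match" and 2 for a malformed field.
field_matches() {
    fm_value=$(to_num "$2"); fm_min=$3; fm_max=$4
    fm_ifs=$IFS
    set -f; IFS=,               # no globbing of "*"; split on commas
    set -- $1
    IFS=$fm_ifs; set +f
    for item in "$@"; do
        case $item in
            */*) step=${item#*/}; range=${item%/*} ;;
            *)   step=1;          range=$item ;;
        esac
        case $range in
            '*') lo=$fm_min;     hi=$fm_max ;;
            *-*) lo=${range%-*}; hi=${range#*-} ;;
            *)   lo=$range;      hi=$range ;;
        esac
        [ -n "$lo" ] && [ -n "$hi" ] && [ -n "$step" ] || return 2
        lo=$(to_num "$lo"); hi=$(to_num "$hi"); step=$(to_num "$step")
        case $lo$hi$step in *[!0-9]*) return 2 ;; esac
        [ "$step" -ge 1 ] || return 2
        if [ "$fm_value" -ge "$lo" ] && [ "$fm_value" -le "$hi" ] &&
           [ $(( ($fm_value - $lo) % $step )) -eq 0 ]; then
            return 0
        fi
    done
    return 1
}

# cron_matches "MIN HOUR DOM MON DOW" MINUTE HOUR DAY MONTH WEEKDAY
# WEEKDAY is 0-6 with 0 = Sunday, as printed by `date +%w`.
cron_matches() {
    c_min=$2; c_hour=$3; c_dom=$4; c_mon=$5; c_dow=$6
    set -f; set -- $1; set +f
    [ $# -ge 5 ] || return 2
    f_min=$1; f_hour=$2; f_dom=$3; f_mon=$4; f_dow=$5
    field_matches "$f_min"  "$c_min"  0 59 || return $?
    field_matches "$f_hour" "$c_hour" 0 23 || return $?
    field_matches "$f_mon"  "$c_mon"  1 12 || return $?
    dom_hit=1; dow_hit=1
    if field_matches "$f_dom" "$c_dom" 1 31; then dom_hit=0; fi
    if field_matches "$f_dow" "$c_dow" 0 7; then dow_hit=0; fi
    # Both 0 and 7 mean Sunday.
    if [ "$c_dow" -eq 0 ] && field_matches "$f_dow" 7 0 7; then dow_hit=0; fi
    # Not stated in the text above, but documented in crontab(5): when both
    # day fields are restricted, the job runs if either one matches.
    if [ "$f_dom" = '*' ] || [ "$f_dow" = '*' ]; then
        [ "$dom_hit" -eq 0 ] && [ "$dow_hit" -eq 0 ]
    else
        [ "$dom_hit" -eq 0 ] || [ "$dow_hit" -eq 0 ]
    fi
}
```

To test an entry against the current minute, pass the output of date: cron_matches "02 4 * * *" $(date '+%M %H %d %m %w').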
After the first five fields, /etc/crontab entries continue with the account name to be used when executing the program (root in the preceding example) and the command to be run (run-parts /etc/cron.daily in this example). The default /etc/crontab entries generally use run-parts, cronloop, or a similar utility that runs any executable scripts within a directory. Thus, the preceding example runs all the scripts in /etc/cron.daily at 4:02 a.m. every day. Most distributions include monthly, daily, weekly, and hourly system cron jobs, each corresponding to scripts in a directory called /etc/cron.interval, where interval is a word associated with the run frequency. Others place these scripts in /etc/cron.d/interval directories.
The exact times chosen for system cron jobs to execute vary from one distribution to another. Normally, though, daily and longer-interval cron jobs run early in the morning—between midnight and 6:00 a.m. Check your /etc/crontab file to determine when your system cron jobs run.
To create a new system cron job, you may create a script to perform the task you want performed (as described in Chapter 9, “Writing Scripts, Configuring Email, and Using Databases”) and copy that script to the appropriate /etc/cron.interval directory. When the runtime next rolls around, cron will run the script.
Before submitting a script as a cron job, test it thoroughly. This is particularly important if the cron job will run when you’re not around. You don’t want a bug in your cron job script to cause problems by filling the hard disk with useless files or producing thousands of email messages when you’re not present to quickly correct the problem.
If you need to run a cron job at a time or interval that’s not supported by the standard /etc/crontab, you can either modify that file to change or add the cron job runtime or create a user cron job, as described shortly. If you choose to modify the system cron job facility, model your changes after an existing entry, changing the times and script storage directory as required.
System cron job storage directories should be owned by root, and only root should be able to write to them. If ordinary users can write to a system cron directory, unscrupulous users can write scripts to give themselves superuser privileges and place them in the system cron directory. The next time cron runs those scripts, the users will gain full administrative access to the system.
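One way to check the ownership and write-permission requirement just described is shown below. This is an added example, not code from the book; the function name audit_cron_paths and the CRON_PATHS list are hypothetical, and the check also descends into each directory so that the scripts themselves are covered.

```shell
#!/bin/sh
# Added example: flag system cron locations that someone other than the
# expected owner could modify.

# audit_cron_paths OWNER PATH...
# OWNER is a user name or numeric UID (root or 0 on a real system).
# Prints one line per finding; prints nothing when every path is clean.
audit_cron_paths() {
    acp_owner=$1; shift
    for acp_path in "$@"; do
        [ -e "$acp_path" ] || continue      # layouts differ by distribution
        # Symbolic links always show mode 777, so they are skipped.
        find "$acp_path" ! -type l ! -user "$acp_owner" \
            -exec echo "wrong owner:" {} \;
        find "$acp_path" ! -type l \( -perm -020 -o -perm -002 \) \
            -exec echo "group/world-writable:" {} \;
    done
}

# The files and directories named in this chapter. /etc/cron.hourly and
# friends follow the /etc/cron.interval pattern described above.
CRON_PATHS="/etc/crontab /etc/cron.d /etc/cron.hourly /etc/cron.daily
/etc/cron.weekly /etc/cron.monthly /etc/anacrontab"

# Typical use, run as root:
#   audit_cron_paths root $CRON_PATHS
```

Any output is worth investigating before the next scheduled run, because everything in these locations executes as root.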
Creating User cron Jobs
To create a user cron job, you use the crontab utility, not to be confused with the /etc/crontab configuration file. The syntax for crontab is as follows:
crontab [-u user] [-l | -e | -r] [file]
If given without the -u user parameter, crontab modifies the cron job file (or user crontab) associated with the current user.
The word crontab has three related but distinct meanings: It can refer to the crontab program, to the /etc/crontab file, or to the file that holds user cron jobs. This multiplicity of meanings can obviously be confusing. In this book, I refer to the program by using a monospaced code font, I always include the complete path to /etc/crontab, and I do not use a monospaced font when referring to user crontabs. A user’s crontab file can define multiple cron jobs.
The crontab utility can become confused by the use of su to change the current user identity, so if you use this command, it’s safest to also use -u user, even when you’re modifying your own crontab.
If you want to work directly on a crontab, use the -l, -r, or -e option. The -l option causes crontab to display the current crontab; -r removes the current crontab; and -e opens an editor so that you can edit the current crontab. (Vi is the default editor, but you can change this by setting the VISUAL or EDITOR environment variable.)
Alternatively, you can create a cron job configuration file and pass the filename to crontab using the file parameter. For instance, crontab -u tbaker my-cron causes the crontab program to use my-cron for tbaker’s cron jobs—that is, it copies tbaker’s my-cron file into the directory in which it stores user crontabs, making a few minor changes along the way.
Whether you create a crontab file and submit it via the file parameter or edit it via -e, the format of the user crontab file is similar to that described earlier. You can set environment variables by using the form VARIABLE=value, or you can specify a command preceded by five numbers or wildcards to indicate when the job is to run. In a user crontab, you do not specify the username used to execute the job, as you do with system cron jobs. That information is derived from the owner of the crontab.
Listing 7.2 shows a sample user crontab file. This file runs two programs at different intervals: The fetchmail program runs every 30 minutes (on the hour and half hour), and clean-adouble runs on Mondays at 2:00 a.m. Both programs are specified via complete paths, but you can include a PATH environment variable and omit the complete path specifications.
Listing 7.2: A Sample User crontab File
SHELL=/bin/bash
MAILTO=tbaker
HOME=/home/tbaker
0,30 * * * * /usr/bin/fetchmail -s
0 2 * * mon /usr/local/bin/clean-adouble $HOME
Ultimately, user crontab files are stored in the /var/spool/cron, /var/spool/cron/tabs, or /var/spool/cron/crontabs directory. Each file in this directory is named after the user under whose name it runs; for example, tbaker’s file might be called /var/spool/cron/tabs/tbaker. You shouldn’t directly edit the files in this directory; instead, use crontab to make changes.
Access to the cron facility may be restricted in several ways:
Executable Permissions
The permissions on the cron and crontab programs may be restricted using standard Linux permissions mechanisms, as described in Chapter 4. Not all distributions configure themselves in this way, but for those that do, users who should be able to schedule jobs using cron should be added to the appropriate group. This group is often called cron, but you should check the group owner and permissions on the /usr/sbin/cron and /usr/bin/crontab program files to be sure.
Allowed Users List
The /etc/cron.allow file contains a list of users who should be permitted access to cron. If this file is present, only users whose names appear in the file may use cron; all others are denied access. If this file isn’t present, anybody may use cron, assuming access isn’t restricted by executable permissions or a disallowed-users list.
Disallowed-Users List
The /etc/cron.deny file contains a list of users who should be denied access to cron. If this file is present, any user whose name appears in the file is denied access to cron, but all others may use it, assuming executable permissions and the allowed-users list don’t restrict access.
Exercise 7.2 guides you through the process of creating user cron jobs.
EXERCISE 7.2
Creating User cron Jobs
cron jobs can be a useful way to run programs at regular times. In this exercise, you’ll create a simple user cron job that will mail you the output of an ifconfig command on a daily basis. This exercise assumes that you’re authorized to use cron as an ordinary user. To configure your cron job, follow these steps:
1. Log into the Linux system as a normal user.
2. Launch an xterm from the desktop environment’s menu system, if you used a GUI login method.
3. Create and edit a file called cronjob in your home directory. Use your favorite text editor for this purpose. The file should contain the following lines:
SHELL=/bin/bash
MAILTO=yourusername
00 12 * * * /sbin/ifconfig
Be sure to type these lines exactly; a typo will cause problems. One exception: Substitute your email address on the Linux system or elsewhere for yourusername; cron uses the MAILTO environment variable to determine to whom to email the output of cron jobs.
4. Type crontab cronjob to install the cronjob file as a cron job. Note that this command replaces any existing user crontabs that may exist. If you’ve already defined user crontabs for your account, you should edit your existing cronjob file to add the line calling ifconfig rather than create a new file, or type crontab -e to edit its copy from the crontab storage directory.
5. Wait for noon (00 12 in the cron time format). When this time rolls around, you should have a new email waiting for you with the contents of the ifconfig output.
Instead of waiting for noon, you can substitute a time that’s a couple of minutes in the future. Remember that cron specifies minutes first, followed by the hour in a 24-hour format. For instance, if you create the file at 3:52 p.m., you might enter 54 15 as the first two numbers on the final line of the file; this will cause the cron job to execute at 15:54 on a 24-hour clock, or 3:54 p.m.
Using anacron
Although cron is a great tool for performing certain tasks, such as rotating log files, on systems that are up most or all of the time, it’s a much less useful tool on systems that are frequently shut down, such as notebook computers or even many desktop systems. Frequently, late-night cron jobs are never executed on such systems, which can lead to bloated log files, cluttered /tmp directories, and other problems.
One solution to such problems is anacron (http://anacron.sourceforge.net). This program is designed as a supplement to cron to ensure that regular maintenance jobs are executed at reasonable intervals. It works by keeping a record of programs it should execute and how frequently it should do so, in days. Whenever anacron is run, it checks to see when it last executed each of the programs it’s configured to manage. If a period greater than the program’s execution interval has passed, anacron runs the program. Typically, anacron itself is run from a system startup script, and perhaps from a cron job. You can then reconfigure your regular system cron jobs as anacron jobs and be sure they’ll execute even on systems that are regularly shut down for long stretches of time.
Like cron, anacron is controlled through a configuration file named after itself: /etc/anacrontab. This file consists of three main types of lines: comment lines (denoted by a leading hash mark, #), environment variable assignments (as in SHELL=/bin/bash), and job definition lines. This last type of line contains four fields:
period delay identifier command
The period is how frequently, in days, the command should be run. The delay is a delay period, in minutes, between the time anacron starts and the time the command is run, if it should be run. This feature is intended to help keep the system from being overloaded if anacron determines it needs to run many commands when it starts up; you can specify different delay times to stagger the running of the jobs. The identifier is a string that identifies the command. You can pass it to anacron on the command line to have anacron check and, if necessary, run only that one command. Finally, command is the command to be run. This is a single command or script name, optionally followed by any parameters it may take.
Listing 7.3 shows a sample /etc/anacrontab file. This file sets a couple of environment variables; PATH is particularly important if any scripts call programs without specifying their complete paths. The three job definition lines tell anacron to run the run-parts command, passing it the name of a different directory for each line. This command is used on some distributions to run cron jobs, so the effect of calling it from anacron is to take over cron’s duties. The first line, run once a day, causes anacron to run (via run-parts) the scripts in /etc/cron.daily; the second line causes the scripts in /etc/cron.weekly to be run once a week; and the third, run once every 30 days, runs the scripts in /etc/cron.monthly.
Listing 7.3: Sample /etc/anacrontab File
SHELL=/bin/bash
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# format: period delay job-identifier command
1 5 cron.daily run-parts /etc/cron.daily
7 10 cron.weekly run-parts /etc/cron.weekly
30 15 cron.monthly run-parts /etc/cron.monthly
Of course, to do any good, anacron must be called itself. This is typically done in one of two ways:
Via a Startup Script
You can create a startup script to run anacron. A simple SysV startup script that takes no options but that runs anacron should do the job if configured to run from your regular runlevel. Alternatively, you can place a call to anacron in a local startup script, such as Fedora and Red Hat’s /etc/rc.d/rc.local or SUSE’s /etc/boot.d/boot.local.
Via a cron Job
You can create a cron job to run anacron. Typically, this call will replace your regular system cron job entries (in /etc/crontab), and you’ll probably want to call anacron on a daily basis or more frequently.
The startup script approach is best employed on systems that are shut down and started up frequently, such as laptops or desktop systems that are regularly shut down at the end of the day. One drawback to this approach is that it can cause sluggish performance when the system is booted if anacron needs to run a time-consuming task. Calling anacron via a cron job can shift the burden to off-hours, but if cron can reliably run anacron, cron can as easily and reliably run the jobs that anacron runs. Typically, you use a cron job if the system is sometimes, but not always, left running overnight. This ensures that anacron and the jobs it handles are run fairly frequently, if not on a completely regular basis. Alternatively, you can call anacron more frequently than once a day. For instance, if it’s called once every six hours, it will almost certainly be called during a typical eight-hour workday.
For a desktop system, you might try calling anacron via a cron job at the user’s typical lunch break. This will help minimize the disruption caused by any resource-intensive programs that anacron must run.
No matter how you run anacron, you should be sure to disable any cron jobs that anacron now handles. If you don’t do so, those tasks will be performed twice, which may needlessly burden your system. Because anacron measures its run intervals in days, it’s not a useful utility for running hourly cron jobs. Thus, you shouldn’t eliminate any hourly system cron jobs when you edit your cron configuration for anacron.
Using at
Sometimes cron and anacron are overkill. You may simply want to run a single command at a specific point in the future on a one-time basis rather than on an ongoing basis. For this task, Linux provides another command: at. In ordinary use, this command takes a single option (although options to fine-tune its behavior are also available): a time. This time can take any of several forms:
Time of Day
You can specify the time of day as HH:MM, optionally followed by AM or PM if you use a 12-hour format. If the specified time has already passed, the operation is scheduled for the next occurrence of that time—that is, for the next day.
noon, midnight, or teatime
These three keywords stand for what you’d expect (teatime is 4:00 p.m.).
Day Specification
To schedule an at job more than 24 hours in advance, you must add a date specification after the time-of-day specification. This can be done in numeric form, using the format MMDDYY, MM/DD/YY or DD.MM.YY. Alternatively, you can specify the date as month-name day or month-name day year.
A Specified Period in the Future
You can specify a time using the keyword now, a plus sign (+), and a time period, as in now + 2 hours to run a job in two hours.
Theatcommandreliesonadaemon,atd,toberunning.Ifyoursystemdoesn’tstartatdautomatically,youmayneedtoconfigureastartupscripttodoso.
When you run at and give it a time specification, the program responds with its own prompt, at>, which you can treat much like your normal bash or other command shell prompt. When you’re done typing commands, press Ctrl+D to terminate input. Alternatively, you can pass a file with commands by using the -f parameter to at, as in at -f commands.sh noon to use the contents of commands.sh as the commands you want to run at noon.
The at command has several support tools. The most important of these is atd, the at daemon. This program must be running for at to do its work. If it’s not, check for its presence using ps. If it’s not running, look for a startup script and ensure that it’s enabled, as described in Chapter 5.
Other at support programs include atq, which lists pending at jobs; atrm, which removes an at job from the queue; and batch, which works much like at but executes jobs when the system load level drops below 0.8. These utilities are all fairly simple. To use atq, simply type its name. (The program does support a couple of options, but chances are you won’t need them; consult atq’s man page for details.) To use atrm, type the program name and the number of the at job, as returned by atq. For instance, you might type atrm 12 to remove at job number 12.
The at facility supports access restrictions similar to those of cron. Specifically, the /etc/at.allow and /etc/at.deny files work analogously to the /etc/cron.allow and /etc/cron.deny files. There are a few wrinkles with at, though. Specifically, if neither at.allow nor at.deny exists, only root may use at. If at.allow exists, the users it lists are granted access to at; if at.deny exists, everybody except those mentioned in this file is granted access to at. This differs from cron, in which everybody is granted access if neither access-control file is present. This tighter default security on at means that the program is seldom installed with restrictive execute permissions, but of course you can use program file permissions to deny ordinary users the ability to run at if you want an extra layer of security.
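The access rules just described can be evaluated mechanically when you audit a system. The following script is an added example, not code from the book or from the at or cron packages: the function names and the directory argument are assumptions made for illustration, the cron default is the one stated in the text, and checking at.allow before at.deny follows at's documented behavior.

```shell
#!/bin/sh
# Added example: model the at and cron access-control files described above.
# Function names and the CONF_DIR argument are illustrative assumptions;
# pass a scratch directory to test rules without touching /etc.
# Against the real /etc, run as root so the control files are readable.

# user_listed FILE USER: succeed if USER is a whole line of FILE.
user_listed() {
    [ -r "$1" ] && grep -qxF -- "$2" "$1"
}

# decide PREFIX FALLBACK USER CONF_DIR: print "allow" or "deny".
# PREFIX is "at" or "cron"; FALLBACK applies when neither file exists.
decide() {
    prefix=$1; fallback=$2; who=$3; conf=$4
    if [ -e "$conf/$prefix.allow" ]; then
        # An allow file is a whitelist: unlisted users are refused.
        if user_listed "$conf/$prefix.allow" "$who"; then
            echo allow
        else
            echo deny
        fi
    elif [ -e "$conf/$prefix.deny" ]; then
        # A deny file is a blacklist: an EMPTY deny file admits everybody.
        if user_listed "$conf/$prefix.deny" "$who"; then
            echo deny
        else
            echo allow
        fi
    else
        echo "$fallback"
    fi
}

# at_access USER [CONF_DIR]: root may always use at; with no control
# files, nobody else may.
at_access() {
    if [ "$1" = root ]; then
        echo allow
        return 0
    fi
    decide at deny "$1" "${2:-/etc}"
}

# cron_access USER [CONF_DIR]: with no control files everybody may use cron,
# as the text states. Special handling of root is not modelled here.
cron_access() {
    decide cron allow "$1" "${2:-/etc}"
}

# Demonstration on constructed files in a temporary directory.
demo() {
    d=$(mktemp -d) || return 1
    printf 'guest\n' > "$d/at.deny"      # constructed sample deny lists
    printf 'guest\n' > "$d/cron.deny"
    for u in root alice guest; do
        printf '%-6s at=%-5s cron=%s\n' "$u" \
            "$(at_access "$u" "$d")" "$(cron_access "$u" "$d")"
    done
    rm -f "$d/at.deny" "$d/cron.deny"
    # With no control files the two tools diverge for ordinary users.
    printf '%-6s at=%-5s cron=%s (no control files)\n' alice \
        "$(at_access alice "$d")" "$(cron_access alice "$d")"
    rm -rf "$d"
}

demo
```

The case worth noticing in an audit is an empty at.deny: the file exists, lists nobody, and therefore opens at to every account.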
Summary
Routine system administration involves a variety of tasks, many of which center around user management. Adding, deleting, and modifying user accounts and groups are critical tasks that all system administrators must master. Also related to users, you should know where to go to modify the default user environment.
System log files are critical troubleshooting tools that are maintained by the system. You should be able to configure what data is logged to what files and know how to use these log files.
Time management is important in Linux. Setting the Linux clocks (both hardware and software) and configuring NTP to keep the software clock accurate are important tasks. Tools that rely on the time include cron, anacron, and at, which enable the system to run programs in the future. These tools are used for many common system tasks, including rotating log files.
Exam Essentials
Summarize methods of creating and modifying user accounts. Accounts can be created or modified with the help of tools designed for the purpose, such as useradd and usermod. Alternatively, you can directly edit the /etc/passwd and /etc/shadow files, which hold the account information.
Describe the function of groups in Linux. Linux groups enable security features to be applied to arbitrary groups of users. Each group holds an arbitrary collection of users, and group permissions can be set on files, giving all group members the same access rights to the files.
Explain the purpose of the skeleton files. Skeleton files provide a core set of configuration files that should be present in users’ home directories when those directories are created. They provide a starting point for users to modify their important shell and other configuration files.
Summarize how to configure system logging. System logging is controlled via the /etc/syslog.conf file. Lines in this file describe what types of log data, generated by programs, are sent to log files and to which log files the log messages should go.
Describe how log rotation is managed. Log rotation is controlled via the /etc/logrotate.conf file (which typically refers to files in /etc/logrotate.d). Entries in these files tell the system whether to rotate logs at fixed intervals or when they reach particular sizes. When a log rotates, it’s renamed (and possibly compressed), a new log file is created, and the oldest archived log file may be deleted.
Explain the two types of clocks in x86 and x86-64 hardware. The hardware clock keeps time when the computer is powered down, but it isn’t used by most programs while the computer is running. Such programs refer to the software clock, which is set from the hardware clock when the computer boots.
Summarize the function of NTP. The Network Time Protocol (NTP) enables a computer to set its clock based on the time maintained by an NTP server system. NTP can function as a tiered protocol, enabling one system to function as a client to an NTP server and as a server to additional NTP clients. This structure enables a single highly accurate time source to be used by anywhere from a few to (theoretically) billions of computers via a tiered system of links.
Explain the difference between system and user cron jobs. System cron jobs are controlled from /etc/crontab, are created by root, and may be run as any user (but most commonly as root). System cron jobs are typically run at certain fixed times on an hourly, daily, weekly, or monthly basis. User cron jobs may be created by any user (various security measures permitting), are run under the authority of the account with which they’re associated, and may be run at just about any repeating interval desired.
Review Questions
1. Which of the following is a legal Linux username that will be accepted by useradd?
A. larrythemoose
B. 4sale
C. PamJones
D. Samuel_Bernard_Delaney_the_Fourth
E. ted cho
2. Why are groups important to the Linux user administration and security models?
A. They can be used to provide a set of users with access to files without giving all users access to the files.
B. They enable you to set a single login password for all users within a defined group.
C. Users may assign file ownership to a group, thereby hiding their own creation of the file.
D. By deleting a group, you can quickly remove the accounts for all users in the group.
E. They enable you to link together the account databases in a group of two or more computers, simplifying administration.
3. An administrator types chage -M 7 time. What is the effect of this command?
A. The time account’s password must be changed at least once every seven days.
B. All users must change their passwords at least once every seven days.
C. All users are permitted to change their passwords at most seven times.
D. The time account’s age is set to seven months.
E. The account database’s time stamp is set to seven months ago.
4. What is wrong with the following /etc/passwd file entry? (Select two.)
4sally:x:1029:Sally Jones:/home/myhome:/bin/passwd
A. The default shell is set to /bin/passwd, which is an invalid shell.
B. The username is invalid; Linux usernames can’t begin with a number.
C. The home directory doesn’t match the username.
D. Either the UID or the GID field is missing.
E. The encrypted password is missing.
5. You want sally, tom, and dale to be members of the group managers (GID 501). How would you edit the managers entry in /etc/group to accomplish this goal?
A. managers:501:sally tom dale
B. managers:501:sally:tom:dale
C. managers:x:501:sally:tom:dale
D. managers:x:501:dale,sally,tom
E. managers:501:x:dale\sally\tom
6. What types of files might you expect to find in /etc/skel? (Select three.)
A. A copy of the /etc/shadow file
B. An empty set of directories to encourage good file management practices
C. A README or similar welcome file for new users
D. A starting .bashrc file
E. The RPM or Debian package management database
7. What would a Linux system administrator type to remove the nemo account and its home directory?
A. userdel nemo
B. userdel -f nemo
C. userdel -r nemo
D. rm -r /home/nemo
E. usermod -D nemo
8. Which of the following system logging codes represents the highest priority?
A. info
B. warning
C. crit
D. debug
E. emerg
9. Which of the following configuration files does the logrotate program consult for its settings?
A. /etc/logrotate.conf
B. /usr/sbin/logrotate/logrotate.conf
C. /usr/src/logrotate/logrotate.conf
D. /etc/logrotate/.conf
E. ~/.logrotate
10. You want to create a log file entry noting that you’re manually shutting down the system to add a new network card. How might you create this log entry, just prior to using shutdown?
A. dmesg -l "shutting down to add network card"
B. syslog shutting down to add network card
C. rsyslogd "shutting down to add network card"
D. logger shutting down to add network card
E. wall "shutting down to add network card"
11. Your manager has asked that you configure logrotate to run on a regular, unattended basis. What utility/feature should you configure to make this possible?
A. at
B. logrotate.d
C. cron
D. inittab
E. ntpd
12. You’ve set your system (software) clock on a Linux-only computer to the correct time, and now you want to set the hardware clock to match. What command might you type to accomplish this goal?
A. date --sethwclock
B. ntpdate
C. sysclock --tohc
D. time --set-hw
E. hwclock --utc --systohc
13. As root, you type date 12110710. What will be the effect?
A. The software clock will be set to 7:10 a.m. on December 11 of the current year.
B. The software clock will be set to 12:11 p.m. on October 7 of the current year.
C. The software clock will be set to 7:10 a.m. on November 12 of the current year.
D. The software clock will be set to 12:11 p.m. on July 10 of the current year.
E. The software clock will be set to July 10 in the year 1211.
14. What will be the effect of a computer having the following two lines in /etc/ntp.conf?
server pool.ntp.org
server tardis.example.org
A. The local computer’s NTP server will poll a server in the public NTP server pool; the first server option overrides subsequent server options.
B. The local computer’s NTP server will poll the tardis.example.org time server; the last server option overrides earlier server options.
C. The local computer’s NTP server will poll both a server in the public NTP server pool and tardis.example.org and use whichever site provides the cleanest time data.
D. The local computer’s NTP server will refuse to run because of a malformed server specification in /etc/ntp.conf.
E. The local computer’s NTP server will poll a computer in the public NTP server pool but will fall back on tardis.example.org if and only if the public pool server is down.
15. You’ve configured one computer (gateway.pangaea.edu) on your five-computer network as an NTP server that obtains its time signal from ntp.example.com. What computer(s) should your network’s other computers use as their time source(s)?
A. You should consult a public NTP server list to locate the best server for you.
B. Both gateway.pangaea.edu and ntp.example.com.
C. Only ntp.example.com.
D. Only gateway.pangaea.edu.
E. None; NTP should be used on the Internet, not on small local networks.
16. Which of the following tasks are most likely to be handled by a cron job? (Select two.)
A. Starting an important server when the computer boots
B. Finding and deleting old temporary files
C. Scripting supervised account creation
D. Monitoring the status of servers and emailing a report to the superuser
E. Sending files to a printer in an orderly manner
17. Which of the following lines, if used in a user cron job, will run /usr/local/bin/cleanup twice a day?
A. 15 7,19 * * * tbaker /usr/local/bin/cleanup
B. 15 7,19 * * * /usr/local/bin/cleanup
C. 15 */2 * * * tbaker /usr/local/bin/cleanup
D. 15 */2 * * * /usr/local/bin/cleanup
E. 2 * * * * /usr/local/bin/cleanup
18. You’re installing Linux on a laptop computer. Which of the following programs might you want to add to ensure that log rotation is handled correctly?
A. tempus
B. anacron
C. crontab
D. ntpd
E. syslog-ng
19. What do the following commands accomplish? (The administrator presses Ctrl+D after typing the second command.)
# at teatime
at> /usr/local/bin/system-maintenance
A. Nothing; these commands aren’t valid.
B. Nothing; teatime isn’t a valid option to at.
C. Nothing; you may only type valid bash built-in commands at the at> prompt.
D. Nothing; at requires you to pass it the name of a script, which teatime is not.
E. The /usr/local/bin/system-maintenance program or script is run at 4:00 p.m.
20. How might you schedule a script to run once a day on a Linux computer? (Select two.)
A. Place the script, or a link to it, in /etc/cron.daily.
B. Use the at command to schedule the specified script to run on a daily basis at a time of your choosing.
C. Create a user cron job that calls the specified script once a day at a time of your choosing, and install that cron job using crontab.
D. Use run-parts to schedule the specified script to run on a daily basis.
E. Type crontab -d scriptname, where scriptname is the name of your script
Chapter 8
Configuring Basic Networking
THE FOLLOWING EXAM OBJECTIVES ARE COVERED IN THIS CHAPTER:
1.109.1 Fundamentals of internet protocols
1.109.2 Basic network configuration
1.109.3 Basic network troubleshooting
1.109.4 Configure client-side DNS
Most Linux systems are connected to a network, either as clients or as servers (and often as both). Even home computers and dedicated appliances such as smart phones usually connect to the Internet. For this reason, setting up Linux’s basic networking tools is necessary for fully configuring Linux. To begin this task, you must first understand the basics of modern networking, such as the nature of network addresses and the types of tools that are commonly used on networks. From there, you can move on to Linux network configuration, including tasks such as setting a computer’s address, routing, and name resolution. Unfortunately, network configuration sometimes goes wrong; understanding the tools and techniques used to diagnose and fix network problems is a necessary part of network configuration, so this chapter covers the basics of network troubleshooting.
Understanding TCP/IP Networking
Networking involves quite a few components that are built atop one another. These include network hardware, data packets, and protocols for data exchange. Together, these components make up a network stack. The most common network stack today is the Transmission Control Protocol/Internet Protocol (TCP/IP) stack, but this isn’t the only stack available. Nonetheless, understanding the basics of TCP/IP theory will help you to configure and manage networks.
Knowing the Basic Functions of Network Hardware
Network hardware is designed to enable two or more computers to communicate with one another. Modern computers have network interfaces built into their motherboards, but internal (PCI, PCIe, or similar) network cards and external (USB, PC Card, and similar) network interfaces are also available. Many networks rely on wires or cables to transmit data between machines as electrical impulses, but network protocols that use radio waves or even light to do the job are growing rapidly in popularity.
Sometimes the line between network hardware and peripheral interface ports can be blurry. For instance, a parallel port normally isn’t considered a network port; but when it’s used with the Parallel Line Interface Protocol (PLIP; http://tldp.org/HOWTO/PLIP.html), the parallel port becomes a network device. In the past, a USB or RS-232 serial port frequently became a network interface when used with the Point-to-Point Protocol (PPP), typically in conjunction with a telephone modem. Such connections are rare today, but they’re still possible. If you need to know how to configure a PPP connection, consult your distribution’s documentation or the PPP HOWTO (http://tldp.org/HOWTO/PPP-HOWTO/).
At its core, network hardware is hardware that facilitates the transfer of data between computers. Hardware that’s most often used for networking includes features that help this transfer in various ways. For instance, such hardware may include ways to address data intended for specific remote computers, as described later in the section “Addressing Hardware.” When basically non-network hardware is pressed into service as a network medium, the lack of such features may limit the utility of the hardware or require extra software to make up for the lack. If extra software is required, you’re unlikely to notice the deficiencies as a user or system administrator because the protocol drivers handle the work, but this makes the hardware more difficult to configure and more prone to sluggishness or other problems than dedicated network hardware.
Investigating Types of Network Hardware
Linux supports several types of common network hardware. The most common of these is Ethernet, which comes in several varieties. Most modern Ethernet hardware uses twisted-pair cabling, which consists of pairs of wires twisted around each other to minimize interference. Such varieties of Ethernet are identified by a -T suffix to the Ethernet variety name, as in 10Base-T or 100Base-T. The numbers denote the speed of the protocol in megabits per second (Mbps). In the late 1990s, 100Base-T took over from 10Base-T as the standard in office and even home networks. More recently, 1000Base-T and Ethernet variants that use optical cabling and that are capable of 1000Mbps speeds (that is, gigabit Ethernet) have become the standard, with 10-gigabit Ethernet the new emerging standard.
Other types of network hardware exist, but most are less common than Ethernet. These include Token Ring, LocalTalk, Fiber Distributed Data Interface (FDDI), High-Performance Parallel Interface (HIPPI), and Fibre Channel. Token Ring was common on some IBM-dominated networks in the 1990s but has been steadily losing ground to Ethernet for years. Likewise, LocalTalk was the favored medium for early Macintoshes, but modern Macs ship with Ethernet instead of LocalTalk. FDDI, HIPPI, and Fibre Channel are all high-speed interfaces that are used in high-performance applications. Some of these protocols support significantly greater maximum cable lengths than does Ethernet, which makes them suitable for linking buildings that are many yards, or even miles, apart.
Wireless networking (aka Wi-Fi) is an exception to Ethernet’s dominance. Common wireless protocols include 802.11a, 802.11b, 802.11g, and 802.11n. These protocols support maximum speeds of 11Mbps (for 802.11b), 54Mbps (for 802.11a and 802.11g), or 300Mbps (for 802.11n). With the exception of the rarely used 802.11a, Wi-Fi protocols are compatible with one another, albeit at the speed of the slowest protocol in use. Wireless networking is particularly useful for laptop computers, but it’s even handy for desktop computers in homes and small offices that don’t have adequate wired network infrastructures in place.
If you use a wireless protocol, your data are transmitted via radio waves, which are easily intercepted. Wireless protocols include optional encryption, but this feature is sometimes disabled by default, and some varieties of wireless encryption are notoriously poor. If you use wireless network products, be sure to enable Wi-Fi Protected Access (WPA) or, better, WPA2 encryption. The weaker Wired Equivalent Privacy (WEP) encryption is easily broken. For added protection, use a strong encryption protocol, such as the Secure Shell (SSH) login tool or Secure Sockets Layer (SSL) encryption, when transferring any data that’s even remotely sensitive; and be extra cautious about security on networks that support wireless access. In a typical configuration, an intruder who can break into your wireless access point looks to the rest of your network like any other local user, so protecting that access point is extremely important.
In addition to the network hardware in your computers, you need network hardware outside the computers. With the exception of wireless networks, you need some form of network cabling that’s unique to your hardware type. (For 100Base-T Ethernet, get cabling that meets at least Category 5, or Cat-5, specifications. Gigabit Ethernet works best with Cat-5e or optical cables.) Many network types, including twisted-pair Ethernet, require the use of a central device known as a hub or switch. You plug every computer on a local network into this central device, as shown in Figure 8.1. The hub or switch then passes data between the computers.
FIGURE 8.1 Many networks link computers together via a central device known as a hub or switch.
As a general rule, switches are superior to hubs. Hubs mirror all traffic to all computers, whereas switches are smart enough to send packets only to the intended destination. Switches also allow full-duplex transmission, in which both parties can send data at the same time (like two people talking on a telephone). Hubs permit only half-duplex transmission, in which the two computers must take turns (like two people using walkie-talkies). The result is that switches let two pairs of computers engage in full-speed data transfers with each other; with a hub, these two transfers would interfere with each other.
Computers with Wi-Fi adapters can be configured to communicate directly with one another, but it’s more common to employ a wireless router, which links together both wireless and Ethernet devices. Such routers also provide connections to an outside network—typically the Internet, sometimes via a broadband connection.
Understanding Network Packets
Modern networks operate on discrete chunks of data known as packets. Suppose you want to send a 100KiB file from one computer to another. Rather than send the file in one burst of data, your computer breaks it down into smaller chunks. The system might send 100 packets of 1KiB each, for instance. This way, if there’s an error sending one packet, the computer can resend just that one packet rather than the entire file. (Many network protocols include error-detection procedures.)
When the recipient system receives packets, it must hold on to them and reassemble them in the correct order to re-create the complete data stream. It’s not uncommon for packets to be delayed or even lost in transmission, so error-recovery procedures are critical for protocols that handle large transfers. Some types of error recovery are handled transparently by the networking hardware.
There are several types of packets, and they can be stored within each other. For instance, Ethernet includes its own packet type (known as a frame), and the packets generated by networking protocols that run atop Ethernet, such as those described in the next section, are stored within Ethernet frames. All told, a data transfer can involve several layers of wrapping and unwrapping data. With each layer, packets from the adjacent layer may be merged or split up.
Understanding Network Protocol Stacks
It’s possible to think of network data at various levels of abstractness. For instance, at one level, a network carries data packets for a specific network type (such as Ethernet); the data packets are addressed to specific computers on a local network. Such a description, while useful for understanding a local network, isn’t very useful for understanding higher-level network protocols, such as those that handle email transfers. These high-level protocols are typically described in terms of commands sent back and forth between computers, frequently without reference to packets. The addresses used at different levels also vary, as explained in the upcoming section “Using Network Addresses.”
A protocol stack is a set of software that converts and encapsulates data between layers of abstraction. For instance, the stack can take the commands of email transfer protocols, and the email messages that are transferred, and package them into packets. Another layer of the stack can take these packets and repackage them into Ethernet frames. There are several layers to any protocol stack, and they interact in highly specified ways. It’s often possible to swap out one component for another at any given layer. For instance, at the top of each stack is a program that uses the stack, such as an email client. You can switch from one email client to another without too much difficulty; both rest atop the same stack. Likewise, if you change a network card, you have to change the driver for that card, which constitutes a layer very low in the stack. Applications above that driver can remain the same.
Each computer in a transaction requires a compatible protocol stack. When they communicate, the computers pass data down their respective stacks and then send data to the partner system, which passes the data up its stack. Each layer on the receiving system sees the data as packaged by its counterpart on the sending computer.
Protocol stacks are frequently represented graphically in diagrams like Figure 8.2, which shows the configuration of the TCP/IP protocol stack that dominates the Internet today. As shown in Figure 8.2, client programs at the application layer initiate data transfers. These requests pass through the transport, internet, and link layers on the client computer, whereupon they leave the client system and pass to the server system. (This transfer can involve a lot of complexity not depicted in Figure 8.2.) On the server, the process reverses itself, with the server program running at the application layer replying to the client program. This reply reverses the journey, traveling down the server computer’s stack, across the network, and up the stack on the client. A full-fledged network connection can involve many back-and-forth data transfers.
FIGURE 8.2 Information travels “down” and “up” protocol stacks, being checked and re-packed at each step of the way.
When spelled with an uppercase I, the word Internet refers to the globe-spanning network of networks with which you’re no doubt familiar. When spelled with a lowercase i, however, the word internet refers to any collection of networks. An internet in this sense could be a couple of small networks in somebody’s basement with no outside connections. Internet networking protocols such as TCP/IP can work on any internet, up to and including the Internet.
Each component layer of the sending system is equivalent to a layer on the receiving system, but these layers need not be absolutely identical. For instance, you can have different models of network card at the link layer, or you can even use entirely different network hardware types, such as Ethernet and Token Ring, if some intervening system translates between them. The computers may run different OSs and hence use different—but logically equivalent—protocol stacks. What’s important is that the stacks operate in compatible ways.
Linux was designed with TCP/IP in mind, and the Internet is built atop TCP/IP. Other protocol stacks are available, though, and you may occasionally run into them. In particular, NetBEUI was the original Microsoft and IBM protocol stack for Windows, AppleTalk was Apple’s initial protocol stack, and the Internet Packet Exchange/Sequenced Packet Exchange (IPX/SPX) was Novell’s favored protocol stack. All three are now fading in importance, but you may still need to use them in some environments. Linux supports AppleTalk and IPX/SPX but not NetBEUI.
Knowing TCP/IP Protocol Types
Within TCP/IP, several different protocols exist. Each of these protocols can be classified as falling on one of the four layers of the TCP/IP stack, as shown in Figure 8.2. The most important of the internet- and transport-layer protocols are the building blocks for the application-layer protocols with which you interact more directly. These important internet- and transport-layer protocols include the following:
IP: The Internet Protocol (IP) is the core protocol in TCP/IP networking. Referring to Figure 8.2, IP is an internet-layer (aka a network-layer or layer 2) protocol. IP provides a “best effort” method for transferring packets between computers—that is, the packets aren’t guaranteed to reach their destination. Packets may also arrive out of order or corrupted. Other components of the TCP/IP stack must deal with these issues and have their own ways of doing so. IP is also the portion of TCP/IP with which IP addresses are associated. (The Real World Scenario sidebar “The Coming of IPv6” describes a change in the IP portion of TCP/IP that’s underway.)
ICMP: The Internet Control Message Protocol (ICMP) is a simple protocol for communicating data. ICMP is most often used to send error messages between computers—for instance, to signal that a requested service isn’t available. This is often done by modifying an IP packet and returning it to its sender, which means that ICMP is technically an internet-layer protocol, although it relies upon IP. In most cases, you won’t use programs that generate ICMP packets on demand; they’re created behind the scenes as you use other protocols. One exception is the ping program, which is described in more detail in “Testing Basic Connectivity.”
UDP: The User Datagram Protocol (UDP) is the simplest of the common transport-layer (aka layer 3) TCP/IP protocols. It doesn’t provide sophisticated procedures to correct for out-of-order packets, guarantee delivery, or otherwise improve the limitations of IP. This fact can be a problem, but it also means that UDP can be faster than more-sophisticated tools that provide such improvements to IP. Common application-layer protocols that are built atop UDP include the Domain Name System (DNS), the Network File System (NFS), and many streaming-media protocols.
TCP: The Transmission Control Protocol (TCP) may be the most widely used transport-layer protocol in the TCP/IP stack. Unlike UDP, TCP creates full connections with error checking and correction as well as other features. These features simplify the creation of network protocols that must exchange large amounts of data, but the features come at a cost: TCP imposes a small performance penalty. Most of the application-layer protocols with which you may already be familiar, including the Simple Mail Transfer Protocol (SMTP), the Hypertext Transfer Protocol (HTTP), and the File Transfer Protocol (FTP), are built atop TCP.
You may notice that the name of the TCP/IP stack is built up of two of the stack’s protocol names: TCP and IP. This is because these two protocols are so important for TCP/IP networking generally. TCP/IP, though, is much more than just these two protocols; it includes additional protocols, most of which (below the application layer) are rather obscure. On the other hand, a TCP/IP exchange need not use both TCP and IP—it could be a UDP or ICMP exchange, for instance.
The Coming of IPv6
The IP portion of TCP/IP has been at version 4 for many years. A major upgrade to this is underway, however, and it goes by the name IPv6, for IP version 6. Its most important improvements over IPv4 include the following:
IPv4 supports a theoretical maximum of about 4 billion addresses. Although this may sound like plenty, those addresses have not been allocated as efficiently as possible. Therefore, as the Internet has expanded, the number of truly available addresses has been shrinking at a rapid rate—in fact, the global pool is already exhausted, although IPv4 addresses remain available from local registries in many parts of the world, as of late 2012. IPv6 raises the number of addresses to 2^128, or 3.4 × 10^38. This is enough to give every square millimeter of land surface on Earth 2.2 × 10^18 addresses.
IPv6 makes multicasting—the simultaneous transmission of data from one computer to multiple recipients—part of the basic IP specification, compared to an optional (albeit commonly implemented) part of IPv4.
IPv6 includes a new feature, known as stateless address auto-configuration (SLAAC), which simplifies initial network setup. This feature is similar in some ways to the Dynamic Host Configuration Protocol (DHCP) that’s commonly used on IPv4. (DHCP can also be used on IPv6; which works best depends on the local network’s configuration.)
IPv6 originated the Internet Protocol Security (IPsec) tools, which can improve the security of Internet connections. IPsec has since been back-ported to IPv4.
IPv6 has streamlined some data structures, enabling quicker processing by routers.
More obscure differences also exist. Check http://en.wikipedia.org/wiki/IPv6 or http://www.ipv6forum.com for detailed information about IPv6.
IPv6 is starting to emerge as a real networking force in many parts of the world. The United States, though, is lagging behind on IPv6 deployment. The Linux kernel includes IPv6 support, and most distributions now attempt to automatically configure IPv6 networking in addition to IPv4. Chances are that by the time the average office will need IPv6, it will be standard. Configuring a system for IPv6 is somewhat different from configuring it for IPv4, which is what this chapter emphasizes.
Understanding Network Addressing
In order for one computer to communicate with another over a network, the computers need to have some way to refer to each other. The basic mechanism for doing this is provided by a network address, which can take several different forms, depending on the type of network hardware, protocol stack, and so on. Large and routed networks pose additional challenges to network addressing, and TCP/IP provides answers to these challenges. Finally, to address a specific program on a remote computer, TCP/IP uses a port number, which identifies a specific running program, something like the way a telephone extension number identifies an individual in a large company. The following sections describe all these methods of addressing.
Using Network Addresses
Consider an Ethernet network. When an Ethernet frame leaves one computer, it’s normally addressed to another Ethernet card. This addressing is done using low-level Ethernet features, independent of the protocol stack in question. Recall, however, that the Internet is composed of many different networks that use many different low-level hardware components. A user may have a dial-up telephone connection (through a serial port) but connect to one server that uses Ethernet and another that uses Token Ring. Each of these devices uses a different type of low-level network address. TCP/IP requires something more to integrate across different types of network hardware. In total, three types of addresses are important when you’re trying to understand network addressing: network hardware addresses, numeric IP addresses, and text-based hostnames.
Addressing Hardware
One of the characteristics of dedicated network hardware such as Ethernet or Token Ring cards is that they have unique hardware addresses, also known as Media Access Control (MAC) addresses, programmed into them. In the case of Ethernet, these addresses are 6 bytes in length, and they’re generally expressed as hexadecimal (base 16) numbers separated by colons. You can discover the hardware address for an Ethernet card by using the ifconfig command. Type ifconfig ethn, where n is the number of the interface (0 for the first card, 1 for the second, and so on). You’ll see several lines of output, including one like the following:
eth0 Link encap:Ethernet HWaddr 00:A0:CC:24:BA:02
This line tells you that the device is an Ethernet card and that its hardware address is 00:A0:CC:24:BA:02. What use is this, though? Certain low-level network utilities and hardware use the hardware address. For instance, network switches use it to direct data packets. The switch detects that a particular address is connected to a particular wire, and so it sends data directed at that address only over the associated wire. The Dynamic Host Configuration Protocol (DHCP), which is described in the upcoming section “Configuring with DHCP,” is a means of automating the configuration of specific computers. It has an option that uses the hardware address to consistently assign the same IP address to a given computer. In addition, advanced network diagnostic tools are available that let you examine packets that come from or are directed to specific hardware addresses.
For the most part, though, you don’t need to be aware of a computer’s hardware address. You don’t enter it in most utilities or programs. It’s important for what it does in general.
Linux identifies network hardware devices with type-specific codes. With most distributions, Ethernet hardware is ethn, where n is a number from 0 up. The first Ethernet device is eth0, the second is eth1, and so on. (Fedora uses a more complex Ethernet naming system, though.) Wireless devices have names of the form wlann. Unlike most Linux hardware devices, network devices don’t have entries in /dev; instead, low-level network utilities take the device names and work with them directly.
Managing IP Addresses
Earlier, I said that TCP/IP, at least in its IPv4 incarnation, supports about 4 billion addresses. This figure is based on the size of the IP address used in TCP/IP: 4 bytes (32 bits). Specifically, 2^32 = 4,294,967,296. For IPv6, 16-byte (128-bit) addresses are used. Not all of these addresses are usable; some are overhead associated with network definitions, and some are reserved.
The 4-byte IPv4 address and 6-byte Ethernet address are mathematically unrelated. This can be the case for IPv6, too, although the IPv6 standard allows the IPv6 address to be built, in part, from the computer’s MAC address. In any event, the TCP/IP stack converts between the MAC address and the IP address using the Address Resolution Protocol (ARP) for IPv4 or the Neighbor Discovery Protocol (NDP) for IPv6. These protocols enable a computer to send a broadcast query—a message that goes out to all the computers on the local network. This query asks the computer with a given IP address to identify itself. When a reply comes in, it includes the hardware address, so the TCP/IP stack can direct traffic for a given IP address to the target computer’s hardware address.
The procedure for computers that aren’t on the local network is more complex. For such computers, a router must be involved. Local computers send packets destined for distant addresses to routers, which send the packets on to other routers or to their destination systems.
IPv4 addresses are usually expressed as four base-10 numbers (0−255) separated by periods, as in 172.30.9.102. If your Linux system’s protocol stack is already up and running, you can discover its IP address by using ifconfig, as described earlier. The output includes a line like the following, which identifies the IP address (inet addr):
inet addr:172.30.9.102  Bcast:172.30.255.255  Mask:255.255.0.0
Although it isn’t obvious from the IP address alone, this address is broken into two components: a network address and a computer address. The network address identifies a block of IP addresses that are used by one physical network, and the computer address identifies one computer within that network. The reason for this breakdown is to make the job of routers easier—rather than record how to direct packets destined for each of the 4 billion IP addresses, routers can be programmed to direct traffic based on packets’ network addresses, which is a much simpler job. Ordinarily, a computer can directly communicate only with computers on its local network segment; to communicate outside of this set of computers, a router must be involved.
IPv6 addresses work in a similar way, except that they’re larger. Specifically, IPv6 addresses consist of eight groups of four-digit hexadecimal numbers separated by colons, as in fed1:0db8:85a3:08d3:1319:8a2e:0370:7334. If one or more groups of four digits is 0000, that group or those groups may be omitted, leaving two colons. Only one such group of zeroes can be compressed in this way, because if you removed two groups, there would be no way of telling how many sets of zeroes would have to be replaced in each group.
The network mask (also known as the subnet mask or netmask) is a number that identifies the portion of the IP address that’s a network address and the part that’s a computer address. It’s helpful to think of this in binary (base 2) because the netmask uses binary 1 values to represent the network portion of an address and binary 0 values to represent the computer address. The network portion ordinarily leads the computer portion. Expressed in base 10, these addresses usually consist of 255 or 0 values, 255 being a network byte and 0 being a computer byte. If a byte is part network and part computer address, it will have some other value. Figure 8.3 illustrates this relationship, using the IP address 172.30.9.102 and the netmask 255.255.0.0.
FIGURE 8.3 TCP/IP addresses are combined with a netmask to isolate the network address.
Another way of expressing a netmask is as a single number representing the number of network bits in the address. This number usually follows the IP address and a slash. For instance, 172.30.9.102/16 is equivalent to 172.30.9.102 with a netmask of 255.255.0.0—the last number shows the network portion to be two solid 8-bit bytes and hence is 16 bits. The longer notation showing all 4 bytes of the netmask is referred to as dotted quad notation. IPv6 netmasks work just like IPv4 netmasks, except that larger numbers are involved, and IPv6 favors hexadecimal over decimal notation.
On modern IPv4 networks, netmasks are often described in Classless Inter-Domain Routing (CIDR) form. Such network masks can be broken at any bit boundary for any address. For instance, 192.168.1.7 could have a netmask of 255.255.0.0, 255.255.255.0, 255.255.255.128, or various other values. (Keeping each byte at 0 or 255 reduces the odds of human error causing problems but sometimes isn’t practical, depending on the required or desired sizes of subnets.) Traditionally, though, IPv4 networks have been broken into one of several classes, as summarized in Table 8.1. Classes A, B, and C are for general networking use. Class D addresses are reserved for multicasting—sending data to multiple computers simultaneously. Class E addresses are reserved for future use. There are a few special cases within most of these ranges. For instance, the 127.x.y.z addresses are reserved for use as loopback (aka localhost) devices—these addresses refer to the computer on which the address is entered. Addresses in which all the machine bits are set to 1 refer to the network block itself—they’re used for broadcasts. The ultimate broadcast address is 255.255.255.255, which sends data to all computers on a network segment. (Routers normally block packets directed to this address. If they didn’t, the Internet could easily be brought to its knees by a few people flooding the network with broadcast packets.)
TABLE 8.1 IPv4 network classes and private network ranges
Class   Address range                 Reserved private addresses
A       1.0.0.0−127.255.255.255       10.0.0.0−10.255.255.255
B       128.0.0.0−191.255.255.255     172.16.0.0−172.31.255.255
C       192.0.0.0−223.255.255.255     192.168.0.0−192.168.255.255
D       224.0.0.0−239.255.255.255     none
E       240.0.0.0−255.255.255.255     none
Within each of the three general-use network classes is a range of addresses reserved for private use. Most IP addresses must be assigned to individual computers by a suitable authority, lest two systems on the Internet both try to use a single address. Anybody can use the reserved private address spaces, though. (These address blocks are sometimes referred to as RFC1918 addresses, after the standards document—RFC1918—in which they’re defined.) The caveat is that routers normally drop packets sent to these addresses, effectively isolating them from the Internet as a whole. The idea is that these addresses may be safely used by small private networks. Today, they’re often used behind Network Address Translation (NAT) routers, which enable arbitrary numbers of computers to “hide” behind a single system. The NAT router substitutes its own IP address on outgoing packets and then directs the reply to the correct system. This is very handy if you want to connect more computers to the Internet than you have IP addresses.
I generally use reserved private addresses for examples in this book. Unless otherwise specified, these examples work equally well on conventional assigned (non-private) IP addresses.
IPv6 has its equivalent to private addresses. IPv6 site-local addresses may be routed within a site but not off-site. They begin with the hexadecimal number fec, fed, fee, or fef. Link-local addresses are restricted to a single network segment; they shouldn’t be routed at all. These addresses begin with the hexadecimal number fe8, fe9, fea, or feb.
IPv4 address classes were designed to simplify routing; but as the Internet evolved, they became restrictive. Thus, today they serve mainly as a way to set default netmasks, such as 255.0.0.0 for Class A addresses or 255.255.255.0 for Class C addresses. Most configuration tools set these netmasks automatically, but you can override the settings if necessary.
IP addresses and netmasks are extremely important for network configuration. If your network doesn’t use DHCP or a similar protocol to assign IP addresses automatically, you must configure your system’s IP address manually. A mistake in this configuration can cause a complete failure of networking or more subtle errors, such as an inability to communicate with just some computers.
Non-TCP/IP stacks have their own addressing methods. NetBEUI uses machine names; it has no separate numeric addressing method. AppleTalk uses two 16-bit numbers. These addressing schemes are independent from IP addresses.
Broadcasting Data
Earlier, I mentioned broadcasts. A broadcast is a type of network transmission that’s sent to all the computers on a local network, or occasionally all of the computers on a remote network. Under TCP/IP, a broadcast is done by specifying binary 1 values in all the machine bits of the IP address. The network portion of the IP address may be set to the network’s regular value, and this is required for directed broadcasts—that is, those that are sent to a remote network. (Many routers drop directed broadcasts, though.) In many cases, broadcasts are specified by the use of 255.255.255.255 as an IP address. Packets directed at this address are sent to all the machines on a local network.
Because the broadcast address for a network is determined by the IP address and netmask, you can convert between the broadcast address and netmask, given one of these and a computer’s IP address. If the netmask happens to consist of whole-byte values (expressed as 0 or 255 in dotted quad notation), the conversion is easy: Replace the IP address components that have 0 values in the dotted quad netmask with 255 values to get the broadcast address. For instance, consider a computer with an IP address of 172.30.9.102 and a netmask of 255.255.0.0. The final two elements of the netmask have 0 values, so you swap in 255 values for these final two elements in the IP address to obtain a broadcast address of 172.30.255.255.
In the case of a CIDR address that has non-255 and non-0 values in the netmask, the situation is more complex because you must resort to binary (base 2) numbers. For instance, consider a computer with an IP address of 172.30.9.102 and a netmask of 255.255.128.0 (that is, 172.30.0.0/17). Expressed in binary, these numbers are
10101100 00011110 00001001 01100110
11111111 11111111 10000000 00000000
To create the broadcast address, you must set the top (network address) values to 1 when the bottom (netmask) value is 0. In this case, the result is
10101100 00011110 01111111 11111111
Converted back into base 10 notation, the resulting broadcast address is 172.30.127.255. Fortunately, you seldom need to perform such computations. When configuring a computer, you can enter the IP address and netmask and let the computer do the binary computations.
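The binary procedure just described, written out as an added example in Python (not code from the book). It reproduces both worked cases above, rejects netmasks whose 1 bits are not contiguous, and cross-checks the result against Python's standard ipaddress module; the function names are this example's own.

```python
"""IPv4 network and broadcast addresses from an IP address and a netmask."""
import ipaddress


def dotted_to_int(addr):
    """Convert a dotted quad such as 172.30.9.102 to a 32-bit integer."""
    parts = addr.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {addr!r}")
    value = 0
    for part in parts:
        if not (part.isascii() and part.isdigit()) or int(part) > 255:
            raise ValueError(f"bad byte {part!r} in {addr!r}")
        value = (value << 8) | int(part)
    return value


def int_to_dotted(value):
    """Convert a 32-bit integer back to dotted quad notation."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(value):
    """Render 32 bits as four space-separated bytes, as in the text."""
    bits = format(value, "032b")
    return " ".join(bits[i:i + 8] for i in range(0, 32, 8))


def prefix_length(mask):
    """Count the leading 1 bits of a netmask; reject non-contiguous masks."""
    host_bits = ~mask & 0xFFFFFFFF
    # A valid netmask is all 1s followed by all 0s, so its inverse has the
    # form 2**k - 1 and shares no bits with itself plus one.
    if host_bits & (host_bits + 1):
        raise ValueError(f"non-contiguous netmask: {int_to_dotted(mask)}")
    return 32 - host_bits.bit_length()


def mask_from_prefix(bits):
    """Convert a CIDR prefix length (0-32) to a dotted quad netmask."""
    if not 0 <= bits <= 32:
        raise ValueError(f"prefix length out of range: {bits}")
    return int_to_dotted((0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF)


def describe(ip, netmask):
    """Apply the text's rule: force every bit to 1 where the netmask is 0."""
    ip_i, mask_i = dotted_to_int(ip), dotted_to_int(netmask)
    bits = prefix_length(mask_i)
    host_bits = ~mask_i & 0xFFFFFFFF
    network = ip_i & mask_i          # keep only the network portion
    broadcast = ip_i | host_bits     # set all machine bits to 1
    return {
        "cidr": f"{int_to_dotted(network)}/{bits}",
        "network": int_to_dotted(network),
        "broadcast": int_to_dotted(broadcast),
        "binary_ip": to_binary(ip_i),
        "binary_mask": to_binary(mask_i),
        "binary_broadcast": to_binary(broadcast),
    }


def matches_stdlib(ip, netmask):
    """Cross-check the hand computation against the ipaddress module."""
    iface = ipaddress.ip_interface(f"{ip}/{netmask}")
    return str(iface.network.broadcast_address) == describe(ip, netmask)["broadcast"]


if __name__ == "__main__":
    # The two netmasks used in the text for 172.30.9.102.
    for mask in ("255.255.0.0", "255.255.128.0"):
        info = describe("172.30.9.102", mask)
        print(info["binary_ip"])
        print(info["binary_mask"])
        print(info["binary_broadcast"], "->", info["broadcast"], info["cidr"])
```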
Understanding Hostnames
Computers work with numbers, so it’s not surprising that TCP/IP uses numbers as computer addresses. People, though, work better with names. For this reason, TCP/IP includes a way to link names for computers (known as hostnames) to IP addresses. In fact, there are several ways to do this, some of which are described in the next section, “Resolving Hostnames.”
As with IP addresses, hostnames are composed of two parts: machine names and domain names. The former refers to a specific computer and the latter to a collection of computers. Domain names are not equivalent to the network portion of an IP address, though; they’re completely independent concepts. Domain names are registered for use by an individual or organization, which may assign machine names within the domain and link those machine names to any arbitrary IP address desired. Nonetheless, there is frequently some correspondence between domains and network addresses because an individual or organization that controls a domain is also likely to want a block of IP addresses for the computers in that domain.
Internet domains are structured hierarchically. At the top of the hierarchy are the top-level domains (TLDs), such as .com, .edu, and .uk. These TLD names appear at the end of an Internet address. Some correspond to nations (such as .uk and .us, for the United Kingdom and the United States, respectively), but others correspond to particular types of entities (such as .com and .edu, which stand for commercial and educational organizations, respectively). Within each TLD are various domains that identify specific organizations, such as sybex.com for Sybex or loc.gov for the Library of Congress. These organizations may optionally break their domains into subdomains, such as cis.upenn.edu for the Computer and Information Science department at the University of Pennsylvania. Even subdomains may be further subdivided into their own subdomains; this structure can continue for many levels but usually doesn’t. Domains and subdomains include specific computers, such as www.sybex.com, Sybex’s Web server.
When you configure your Linux computer, you may need to know its hostname. This will be assigned by your network administrator and will be a machine name within your organization’s domain. If your computer isn’t part of an organizational network (say, if it’s a system that doesn’t connect to the Internet at all or if it connects only via a dial-up account), you’ll have to make up a hostname. Alternatively, you can register a domain name, even if you don’t use it for running your own servers. Check http://www.icann.org/registrar-reports/accredited-list.html for pointers to accredited domain registrars. Most registrars charge between $10 and $15 per year for domain registration. If your network uses DHCP, it may or may not assign your system a hostname automatically.
If you make up a hostname, choose an invalid domain name. This will guarantee that you don’t accidentally give your computer a name that legitimately belongs to somebody else. Such a name conflict might prevent you from contacting that system, and it could cause other problems as well, such as misdirected email. Four TLDs—.example, .invalid, .localhost, and .test—are reserved for such purposes. Three second-level domains—.example.com, .example.net, and .example.org—are also reserved and so may be safely used.
Resolving Hostnames
The Domain Name System (DNS) is a distributed database of computers that converts between IP addresses and hostnames. Every domain must maintain at least two DNS servers that can either provide the names for every computer within the domain or redirect a DNS query to another DNS server that can better handle the request. Therefore, looking up a hostname involves querying a series of DNS servers, each of which redirects the search until the server that’s responsible for the hostname is found. In practice, this process is hidden from you because most organizations maintain DNS servers that do all the tedious work of chatting with other DNS servers. You need only point your computer to your organization’s DNS servers. This detail may be handled through DHCP, or it may be information you need to configure manually, as described later in the section “Configuring Linux for a Local Network.”
Sometimes, you need to look up DNS information manually. You might do this if you know the IP address of a server through non-DNS means and suspect your DNS configuration is delivering the wrong address or to check whether a DNS server is working. Several programs can be helpful in performing such checks:
nslookup
This program performs DNS lookups (on individual computers by default) and returns the results. It also sports an interactive mode in which you can perform a series of queries. This program is officially deprecated, meaning that it’s no longer being maintained and will eventually be dropped from its parent package (bind-utils or bind-tools on most distributions). Thus, you should get in the habit of using host or dig instead of nslookup.
host
This program serves as a replacement for the simpler uses of nslookup, but it lacks an interactive mode, and of course many details of its operation differ. In the simplest case, you can type host target.name, where target.name is the hostname or IP address you want to look up. You can add various options that tweak the program’s basic operation; consult host’s man page for details.
dig
This program performs more complex DNS lookups than host. Although you can use it to find the IP address for a single hostname (or a hostname for a single IP address), it’s more flexible than host.
whois
You can look up information on a domain as a whole with this command. For instance, typing whois sybex.com reveals who owns the sybex.com domain, who to contact in case of problems, and so on. You may want to use this command with -H, which omits the lengthy legal disclaimers that many domain registries insist on delivering along with whois information. Check the man page for whois for information on additional options.
Exercise 8.1 illustrates the use of the nslookup, host, and dig tools.
EXERCISE 8.1 Practice Resolving Hostnames
The differences between nslookup, host, and dig are best illustrated by example. In this exercise, you’ll practice using these three tools to perform both forward and reverse DNS lookups. To do so, follow these steps:
1. Log into a Linux text-mode session or launch a terminal window in a GUI session.
2. Type nslookup www.google.com. You may substitute another hostname; however, one key point of this hostname is that it resolves to multiple IP addresses, which nslookup shows on multiple Name: and Address: lines. This practice is common on extremely popular sites because the load can be balanced across multiple computers. Note also that nslookup reports the IP address of the DNS server it uses, on the Server: and Address: lines. (The latter includes the port number, as described later, in “Network Ports.”)
3. Type host www.google.com. The output of this command is likely to be somewhat briefer than that of the nslookup command, but it should report the same IP addresses for the server. Although host doesn’t report the DNS server’s address, it is IPv6-enabled, so it reports an IPv6 address, as well as the site’s IPv4 addresses.
4. Type dig www.google.com. This output is significantly longer than that of either nslookup or host. In fact, it closely resembles the format of the configuration files used to define a domain in a DNS server. In the case of www.google.com, that hostname is defined as a CNAME record that points to www.l.google.com, which in turn has several A-record entries that point to specific IP addresses. (This structure could change by the time you read this, though, and of course it’s likely to be different if you examine other hostnames.) You’ll also see several NS records that point to the domain’s name servers, and you’ll see additional A records that point to the name servers’ IP addresses.
5. Perform nslookup, host, and dig queries on IP addresses, such as one of those returned by your lookups on www.google.com. (This is known as a reverse lookup.) In each case, the tool should return a hostname. Note, however, that the hostname might not match the one you used originally. This is because multiple hostnames can point to the same IP address, and the owner of that IP address decides which hostname to link to the IP address for reverse lookup purposes. In some cases, the tool will return an NXDOMAIN error, which means that the IP address’s owner hasn’t configured reverse lookups.
6. Perform similar queries on other computers, such as ones associated with your school, employer, or ISP. Most hostnames have just one IP address associated with them, and you may see other differences, too.
Sometimes DNS is overkill. For instance, you might just need to resolve a handful of hostnames. This may be because you’re configuring a small private network that’s not connected to the Internet at large or because you want to set up a few names for local (or even remote) computers that aren’t in the global DNS database. For such situations, /etc/hosts may be just what you need. This file holds mappings of IP addresses to hostnames, on a one-line-per-mapping basis. Each mapping includes at least one name, and sometimes more:
127.0.0.1 localhost
192.168.7.23 apollo.luna.edu apollo
In this example, the name localhost is associated with the 127.0.0.1 address, and the names apollo.luna.edu and apollo are tied to 192.168.7.23. The first of these linkages is standard; it should exist in any /etc/hosts file. The second linkage is an example that you can modify as you see fit. The first name is a full hostname, including the domain portion; subsequent names on the line are aliases—typically the hostname without its full domain specification.
Once you’ve set up an /etc/hosts file, you can refer to computers listed in the file by name, whether or not those names are recognized by the DNS servers the computer uses. One major drawback to /etc/hosts is that it’s a purely local file; setting a mapping in one computer’s /etc/hosts file affects name lookups performed by that computer alone. Thus, for a mapping to take effect across an entire network, you must modify the /etc/hosts files on all of the computers on the network.
Linux normally performs lookups in /etc/hosts before it uses DNS. You can modify this behavior by editing the /etc/nsswitch.conf file, which configures the Name Service Switch (NSS) service. More specifically, you must adjust the hosts line. This line lists the order of the files and dns options, which stand for /etc/hosts and DNS, respectively:
hosts: files dns
Reverse the order of the files and dns options to have the system consult DNS before it consults /etc/hosts.
The /etc/nsswitch.conf file supports many more options. For instance, you can perform name resolution using Windows NetBIOS calls or a Lightweight Directory Access Protocol (LDAP) server by adding appropriate options to the hosts line, along with the necessary support software. The passwd, shadow, and group lines control how Linux authenticates users and manages groups. You should not attempt to change these configurations unless you understand the systems involved, but you should be aware of the importance of /etc/nsswitch.conf generally.
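How the order on the hosts line decides which answer a name gets, as an added Python example (not code from the book). It parses a constructed /etc/hosts and /etc/nsswitch.conf and consults a constructed table standing in for DNS, so it runs offline; the stand-in addresses and the rule that the first hosts line naming a host wins are assumptions of this example.

```python
"""Model the /etc/hosts versus DNS lookup order set in /etc/nsswitch.conf."""

# Constructed sample files; the /etc/hosts lines are the ones shown above.
HOSTS_TEXT = """\
# constructed sample /etc/hosts
127.0.0.1    localhost
192.168.7.23 apollo.luna.edu apollo   # aliases follow the full hostname
"""

NSSWITCH_TEXT = """\
passwd: files
hosts:  files dns
"""

# Constructed stand-in for what the DNS servers would answer.
FAKE_DNS = {"apollo.luna.edu": "192.168.7.99", "www.luna.edu": "192.168.7.80"}


def parse_hosts(text):
    """Return {name: address} for every name and alias in hosts-file text."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue                           # blank, or address with no name
        address, names = fields[0], fields[1:]
        for name in names:
            # Assumption of this example: the first line naming a host wins.
            table.setdefault(name.lower(), address)
    return table


def hosts_order(nsswitch_text):
    """Return the list of sources on the hosts line, in lookup order."""
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("hosts:"):
            tokens = line[len("hosts:"):].split()
            # Bracketed action items such as [NOTFOUND=return] are ignored here.
            return [tok for tok in tokens if not tok.startswith("[")]
    raise ValueError("no hosts line in nsswitch text")


def resolve(name, order, hosts_table, dns_table):
    """Return (source, address) from the first source that knows the name."""
    sources = {"files": hosts_table, "dns": dns_table}
    for source in order:
        table = sources.get(source)
        if table is None:
            continue                           # other NSS sources not modeled
        address = table.get(name.lower())
        if address is not None:
            return source, address
    return None


def order_dependent(hosts_table, dns_table):
    """Names both sources know with different addresses: the order decides."""
    return sorted(name for name, address in hosts_table.items()
                  if name in dns_table and dns_table[name] != address)


if __name__ == "__main__":
    hosts = parse_hosts(HOSTS_TEXT)
    configured = hosts_order(NSSWITCH_TEXT)
    for order in (configured, list(reversed(configured))):
        print(order, resolve("apollo.luna.edu", order, hosts, FAKE_DNS))
    print("order-dependent names:", order_dependent(hosts, FAKE_DNS))
```

Names reported by order_dependent are the ones worth reviewing when a host resolves differently from its neighbors, because a purely local /etc/hosts entry is overriding what DNS says.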
In addition to /etc/hosts, Linux supports a file called /etc/networks. It works much like /etc/hosts, but it applies to network addresses, and it reverses the order of the names and the IP address on each line:
loopback 127.0.0.0
mynet 192.168.7.0
This example sets up two linkages: the loopback name to the 127.0.0.0/8 network and mynet for the 192.168.7.0/24 network. It’s seldom necessary to edit this file.
Network Ports
Contacting a specific computer is important, but one additional type of addressing is left: The sender must have an address for a specific program on the remote system. For instance, suppose you’re using a Web browser. The Web server computer may be running more servers than just a Web server—it may also be running an email server or an FTP server, to name just two of many possibilities. Another number beyond the IP address enables you to direct traffic to a specific program. This number is a network port number, and programs that access a TCP/IP network typically do so through one or more ports.
Port numbers are features of the UDP and TCP protocols. Some protocols, such as ICMP, don’t use port numbers.
When they start up, servers tie themselves to specific ports, which by convention are associated with specific server programs. For instance, port 25 is associated with email servers, and port 80 is used by Web servers. Table 8.2 summarizes the purposes of several important ports. A client can direct its request to a specific port and expect to contact an appropriate server. The client’s own port number isn’t fixed; it’s assigned by the OS. Because the client initiates a transfer, it can include its own port number in the connection request, so clients don’t need fixed port numbers. Assigning client port numbers dynamically also enables one computer to easily run several instances of a single client because they won’t compete for access to a single port.
TABLE 8.2 Port numbers, their purposes, and typical Linux servers
One key distinction in TCP/IP ports is that between privileged ports and unprivileged ports. The former have numbers less than 1024. Unix and Linux systems restrict access to privileged ports to root. The idea is that a client can connect to a privileged port and be confident that the server running on that port was configured by the system administrator and can therefore be trusted. Unfortunately, on today’s Internet, this trust would be unjustified based solely on the port number, so this distinction isn’t very useful. Port numbers greater than 1024 may be accessed by ordinary users.
Clients and Servers
An important distinction is the one between clients and servers. A client is a program that initiates a network connection to exchange data. A server listens for such connections and responds to them. For instance, a Web browser, such as Firefox or Opera, is a client program. You launch the program and direct it to a Web page, which means that the Web browser sends a request to the Web (HTTP) server at the specified address. The Web server sends back data in reply to the request. Clients can also send data, like when you enter information in a Web form and click a Submit or Send button.
The terms client and server can also be applied to entire computers that operate mostly in one or the other role. Thus, a phrase such as Web server is somewhat ambiguous—it can refer either to the Web server program or to the computer that runs that program. When this distinction is important and unclear from context, I clarify it (for instance, by referring to “the Web server program”).
Fortunately, for basic functioning, you need to do nothing to configure ports on a Linux system. You may have to deal with this issue if you run unusual servers, though, because you may need to configure the system to link the servers to the correct ports. This can sometimes involve editing the /etc/services file, which maps port numbers to names, enabling you to use names in server configurations and elsewhere. This file consists of lines that begin with a name and end with a port number, including the type of protocol it uses (TCP or UDP):
ssh 22/tcp # SSH Remote Login Protocol
ssh 22/udp # SSH Remote Login Protocol
telnet 23/tcp
smtp 25/tcp
Configuring Linux for a Local Network
Now that you know something about how networking functions, the question arises: How do you implement networking in Linux? Most Linux distributions provide you with the means to configure a network connection during system installation. Therefore, chances are good that networking already functions on your system. In case it doesn’t, though, the following sections summarize what you must do to get the job done. Actual configuration can be done using either the automatic DHCP tool or static IP addresses. Linux’s underlying network configuration mechanisms rely on startup scripts and their configuration files, but you may be able to use GUI tools to do the job instead.
Network Hardware Configuration
The most fundamental part of network configuration is getting the network hardware up and running. In most cases, this task is fairly automatic—most distributions ship with system startup scripts that auto-detect the network card and load the correct driver module. If you recompile your kernel, building the correct driver into the main kernel file will also ensure that it’s loaded at system startup.
If your network hardware isn’t correctly detected, though, subsequent configuration (as described in the upcoming sections “Configuring with DHCP” and “Configuring with a Static IP Address”) won’t work. To correct this problem, you must load your network hardware driver. You can do this with the modprobe command:
# modprobe tulip
You must know the name of your network hardware’s kernel module (tulip in this example). Chapter 3, “Configuring Hardware,” describes the task of hardware configuration and activation in more detail.
Configuring with DHCP
One of the easiest ways to configure a computer to use a TCP/IP network is to use DHCP, which enables one computer on a network to manage the settings for many other computers. It works like this: When a computer running a DHCP client boots up, it sends a broadcast in search of a DHCP server. The server replies (using nothing but the client’s hardware address) with the configuration information the client needs to enable it to communicate with other computers on the network—most important, the client’s IP address and netmask and the network’s gateway and DNS server addresses. The DHCP server may also give the client a hostname and provide various other details about the network. The client then configures itself with these parameters. The IP address isn’t assigned permanently; it’s referred to as a DHCP lease, and if it’s not renewed, the DHCP server may give the lease to another computer. Therefore, from time to time the client checks back with the DHCP server to renew its lease.
Three DHCP clients are in common use on Linux: pump, dhclient, and dhcpcd (not to be confused with the DHCP server, dhcpd). Some Linux distributions ship with just one of these, but others ship with two or even all three. All distributions have a default DHCP client—the one that’s installed when you tell the system you want to use DHCP at system installation time. Those that ship with multiple DHCP clients typically enable you to swap out one for another simply by removing the old package and installing the new one.
Ideally, the DHCP client runs at system bootup. This is usually handled either by its own startup script, as described in Chapter 5, “Booting Linux and Editing Files,” or as part of the main network configuration startup file (typically a startup script called network or networking). The system often uses a line in a configuration file to determine whether to run a DHCP client. For instance, Red Hat and Fedora set this option in a file called /etc/sysconfig/network-scripts/ifcfg-name, where name is the name of the network interface, such as p2p1. The line in question looks like this:
BOOTPROTO="dhcp"
Recall that most distributions use eth0 to refer to the computer’s first Ethernet port, eth1 for the second (if present), and so on. Fedora names its interfaces differently, though, and in a way that’s inconsistent from one computer to another.
If the BOOTPROTO variable is set to something else, changing it as shown here will configure the system to use DHCP. It’s usually easier to use a GUI configuration tool to set this option, though.
Ubuntu uses the /etc/network/interfaces file for a similar purpose, but the details differ. On a system that uses DHCP, a line like the following appears:
iface eth0 inet dhcp
Details may vary, of course; for instance, the interface name (eth0) may be something else. You may prefer to use the GUI system configuration tools to adjust these options.
Once a DHCP client is configured to run when the computer boots, the configuration task is done—at least, if everything works as it should. On very rare occasions, you may need to tweak DHCP settings to work around client-server incompatibilities or to have the DHCP client do something unusual. Consult the man page for your DHCP client if you need to make changes. You’ll then have to modify its startup script or a file to which it refers in order to change its operation.
If you need to manually run a DHCP client, you can usually do so by typing its name (as root), optionally followed by a network identifier, as in dhclient eth0 to have the DHCP client attempt to configure eth0 with the help of any DHCP server it finds on that network.
Configuring with a Static IP Address
If a network lacks a DHCP server, you must provide basic network configuration options manually. You can set these options using interactive commands, as described shortly; but to set them in the long term, you adjust a configuration file such as /etc/sysconfig/network-scripts/ifcfg-name or /etc/network/interfaces. Listing 8.1 shows a typical ifcfg-name file, configured to use a static IP address. (Note that this file’s exact location and name may vary from one distribution to another.)
Listing 8.1: A sample network configuration file
DEVICE="p2p1"
BOOTPROTO="static"
IPADDR="192.168.29.39"
NETMASK="255.255.255.0"
NETWORK="192.168.29.0"
BROADCAST="192.168.29.255"
GATEWAY="192.168.29.1"
ONBOOT="yes"
Several specific items are required, or at least helpful, for static IP address configuration:
IP Address
You can set the IP address manually via the ifconfig command (described in more detail shortly) or via the IPADDR item in the configuration file.
Network Mask
The netmask can be set manually via the ifconfig command or via the NETMASK item in a configuration file.
Gateway Address
You can manually set the gateway via the route command. To set it permanently, you need to adjust a configuration file, which may be the same configuration file that holds other options or another file, such as /etc/sysconfig/network/routes. In either case, the option is likely to be called GATEWAY. The gateway isn’t necessary on a computer that isn’t connected to a wider network—that is, if the computer works only on a local network that contains no routers.
DNS Settings
In order for Linux to use DNS to translate between IP addresses and hostnames, you must specify at least one DNS server in the /etc/resolv.conf file. Precede the IP address of the DNS server by the keyword nameserver, as in nameserver 192.168.29.1. You can include up to three nameserver lines in this file. Adjusting this file is all you need to do to set the name server addresses; you don’t have to do anything else to make the setting permanent. You can also set your computer’s local domain name in this file using the domain option, as in domain luna.edu to set the domain to luna.edu.
The network configuration script may hold additional options, but most of these are related to others. For instance, Listing 8.1 has an option specifying the interface name (DEVICE="p2p1"), another that tells the computer to assign a static IP address (BOOTPROTO="static"), and a third to bring up the interface when the computer boots (ONBOOT="yes"). The NETWORK and BROADCAST items in Listing 8.1 are derived from the IPADDR and NETMASK items, but you can change them if you understand the consequences.
Unfortunately, these configuration details vary from one distribution to another. For instance, if you use Ubuntu, you would edit /etc/network/interfaces rather than /etc/sysconfig/network-scripts/ifcfg-eth0. The precise layout and formatting of information in the two files differs, but the same basic information is present in both of them. You may need to consult distribution-specific documentation to learn about these details. Alternatively, GUI tools are usually fairly easy to figure out, so you can look for these.
If you aren’t sure what to enter for the basic networking values (the IP address, network mask, gateway address, and DNS server addresses), you should consult your network administrator. Do not enter random values or values you make up that are similar to those used by other systems on your network. Doing so is unlikely to work at all, and it could conceivably cause a great deal of trouble—say, if you mistakenly use an IP address that’s reserved for another computer.
As just mentioned, the ifconfig program is critically important for setting both the IP address and netmask. This program can also display current settings. Basic use of ifconfig to bring up a network interface resembles the following:
ifconfig interface up addr netmask mask
For instance, the following command brings up eth0 (the first Ethernet device on most distributions) using the address 192.168.29.39 and the netmask 255.255.255.0:
# ifconfig eth0 up 192.168.29.39 netmask 255.255.255.0
This command links the specified IP address to the device so that the computer responds to the address and claims to be that address when sending data. It doesn’t, though, set up a route for traffic beyond your current network. For that, you need to use the route command:
# route add default gw 192.168.29.1
Substitute your own gateway address for 192.168.29.1. (Routing and the route command aredescribed inmoredetailshortly, in“ConfiguringRouting.”)Bothifconfigandroutecandisplayinformation on the current network configuration. For ifconfig, omit up and everything thatfollows; for route, omit add and everything that follows. For instance, to view interfaceconfiguration,youmightissuethefollowingcommand:#ifconfigeth0
eth0Linkencap:EthernetHWaddr00:A0:CC:24:BA:02
inetaddr:192.168.29.39Bcast:192.168.29.255Mask:255.255.255.0
UPBROADCASTRUNNINGMULTICASTMTU:1500Metric:1
RXpackets:10469errors:0dropped:0overruns:0frame:0
TXpackets:8557errors:0dropped:0overruns:0carrier:0
collisions:0txqueuelen:100
RXbytes:1017326(993.4Kb)TXbytes:1084384(1.0Mb)
Interrupt:10Baseaddress:0xc800
When configured properly, ifconfig should show a hardware address (HWaddr), an IP address (inet addr), and additional statistics. There should be few or no errors, dropped packets, or overruns for both received (RX) and transmitted (TX) packets. Ideally, few (if any) collisions should occur, but some are unavoidable if your network uses a hub rather than a switch. If collisions total more than a few percent of the total transmitted and received packets, you may want to consider replacing a hub with a switch.
To use route for diagnostic purposes, you might try the following:
# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.29.0    *               255.255.255.0   U     0      0        0 eth0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.29.1    0.0.0.0         UG    0      0        0 eth0
The -n option to route causes it to not attempt to find the hostnames associated with IP addresses. Although hostnames are often useful, this lookup can be slow or fail altogether if your DNS configuration is broken, so using -n with route is sometimes necessary.
This shows that data destined for 192.168.29.0 (that is, any computer with an IP address between 192.168.29.1 and 192.168.29.254) goes directly over eth0. The 127.0.0.0 network is a special interface that “loops back” to the originating computer. Linux uses this for some internal networking purposes. The last line shows the default route, which describes what to do with everything that doesn’t match any other entry in the routing table. This line specifies the default route’s gateway system as 192.168.29.1. If it’s missing or misconfigured, some or all traffic destined for external networks, such as the Internet, won’t make it beyond your local network segment.
As with DHCP configuration, it’s almost always easier to use a GUI configuration tool to set up static IP addresses, at least for new administrators. The exact locations of the configuration files differ from one distribution to another, so the examples listed earlier may not apply to your system.
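The default-route check described above can be scripted. The following is an added example, not code from the book: it parses route -n output (the embedded sample is the table shown above with its columns restored), confirms that a default route exists, and verifies that the gateway lies on a network directly attached to the same interface. The function name, verdict strings, and return codes are assumptions.

```shell
#!/bin/sh
# Constructed sample: the routing table shown above, with columns restored.
SAMPLE_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.29.0    *               255.255.255.0   U     0      0        0 eth0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.29.1    0.0.0.0         UG    0      0        0 eth0'

# check_default_route (hypothetical helper): read `route -n` output on stdin.
# Prints one verdict line and returns 0 (ok), 1 (no default route),
# or 2 (default gateway is not on a network attached to its interface).
check_default_route() {
    awk '
    # Bitwise AND of two octets (POSIX awk has no built-in for this).
    function band(a, b,    r, bit) {
        a += 0; b += 0; r = 0
        for (bit = 128; bit >= 1; bit /= 2) {
            if (a >= bit && b >= bit) r += bit
            if (a >= bit) a -= bit
            if (b >= bit) b -= bit
        }
        return r
    }
    # Apply a dotted-quad netmask to a dotted-quad address.
    function masked(ip, mask,    a, m) {
        split(ip, a, "."); split(mask, m, ".")
        return band(a[1], m[1]) "." band(a[2], m[2]) "." \
               band(a[3], m[3]) "." band(a[4], m[4])
    }
    # Only lines whose first field is a dotted quad are route entries.
    $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
        if ($1 == "0.0.0.0" && $3 == "0.0.0.0" && $4 ~ /G/) {
            gw = $2; gwif = $NF                 # the default route
        } else if ($4 !~ /G/ && $4 !~ /!/) {
            n++; net[n] = $1; msk[n] = $3; ifc[n] = $NF   # directly attached network
        }
    }
    END {
        if (gw == "") { print "MISSING: no default route"; exit 1 }
        for (i = 1; i <= n; i++)
            if (ifc[i] == gwif && masked(gw, msk[i]) == net[i]) {
                print "OK: default via " gw " on " gwif
                exit 0
            }
        print "UNREACHABLE: gateway " gw " is not on a network attached to " gwif
        exit 2
    }'
}

# Demonstration on the constructed sample; on a live system use: route -n | check_default_route
printf '%s\n' "$SAMPLE_ROUTES" | check_default_route
```
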
Configuring Routing
As explained earlier, routers pass traffic from one network to another. You configure your Linux system to directly contact systems on the local network. You also give the computer a router’s address, which your system uses as a gateway to the Internet at large. Any traffic that’s not destined for the local network is directed at this router, which passes it on to its destination. In practice, there are likely to be a dozen or more routers between you and most Internet sites. Each router has at least two network interfaces and keeps a table of rules concerning where to send data based on the destination IP address. Your own Linux computer has such a table, but it’s probably very simple compared to those on major Internet routers.
Linux can function as a router, which means it can link two or more networks together, directing traffic between them on the basis of its routing table. This task is handled, in part, by the route command. This command can be used to do much more than specify a single gateway system, though, as described earlier. A simplified version of the route syntax is as follows:
route {add | del} [-net | -host] target [netmask nm] [gw gw]
      [reject] [[dev] interface]
You specify add or del along with a target (a computer or network address) and optionally other parameters. The -net and -host options force route to interpret the target as a network or computer address, respectively. The netmask option lets you set a netmask as you desire, and gw lets you specify a router through which packets to the specified target should go. (Some versions of route use gateway rather than gw.) The reject keyword installs a blocking route, which refuses all traffic destined for the specified network. (This is not a firewall, though.) Finally, although route can usually figure out the interface device (for instance, eth0) on its own, you can force the issue with the dev option.
As an example, consider a network in which packets destined for the 172.20.0.0/16 subnet should be passed through the 172.21.1.1 router, which isn’t the default gateway system. You can set up this route with the following command:
# route add -net 172.20.0.0 netmask 255.255.0.0 gw 172.21.1.1
Incorrect routing tables can cause serious problems because some or all computers won’t respond. You can examine your routing table by typing route alone and compare the results to what your routing table should be. (Consult a network administrator if you’re not sure what your routing table should contain.) You can then delete incorrect routes and add new ones to replace them, if necessary. Ultimately, of course, changing your configuration files is the best solution, but typing a couple of route commands will do the trick in the short term.
One more thing you may need to do if you’re setting up a router is enabling routing. Ordinarily, a Linux system won’t forward packets it receives from one system that are directed at another system. If Linux is to act as a router, though, it must accept these packets and send them on to the destination network (or at least to an appropriate gateway). To enable this feature, you must modify a key file in the /proc filesystem:
# echo "1" > /proc/sys/net/ipv4/ip_forward
This command enables IP forwarding. Permanently setting this option requires modifying a configuration file. Some distributions set it in /etc/sysctl.conf:
net.ipv4.ip_forward = 1
Other distributions use other configuration files and options, such as /etc/sysconfig/sysctl and its IP_FORWARD line. If you can’t find it, try using grep to search for ip_forward or IP_FORWARD, or modify a local startup script to add the command to perform the change.
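Because forwarding can be switched on at run time through /proc and made permanent separately in a configuration file, the two settings can drift apart, leaving a host that forwards packets only until reboot or one that starts forwarding unexpectedly after it. The following added example (not from the book) compares the two; the function names are hypothetical, and it assumes the /etc/sysctl.conf key = value format shown above, where a later line overrides an earlier one and a missing key means the kernel default of 0.

```shell
#!/bin/sh
# persistent_ip_forward FILE (hypothetical helper): print the value that the
# sysctl.conf-style FILE would apply to net.ipv4.ip_forward at boot, or
# "unset" if the file is unreadable or has no such line.
persistent_ip_forward() {
    [ -r "$1" ] || { echo unset; return 0; }
    awk '
    /^[ \t]*[#;]/ { next }                  # skip comment lines
    {
        line = $0
        gsub(/[ \t]/, "", line)             # "key = value" -> "key=value"
        if (index(line, "net.ipv4.ip_forward=") == 1) {
            sub(/^[^=]*=/, "", line)
            val = line                      # a later line overrides an earlier one
        }
    }
    END { print (val == "" ? "unset" : val) }' "$1"
}

# audit_ip_forward RUNTIME_FILE CONF_FILE (hypothetical helper): compare the
# live kernel setting with the persistent one.
# Returns 0 when they agree and 1 when they differ.
audit_ip_forward() {
    runtime=$(tr -d ' \t\n' < "$1")
    persistent=$(persistent_ip_forward "$2")
    # Assumption: with no persistent setting the kernel default (0) applies at boot.
    if [ "$persistent" = unset ]; then
        persistent=0
    fi
    if [ "$runtime" = "$persistent" ]; then
        echo "consistent: ip_forward=$runtime"
        return 0
    fi
    if [ "$runtime" = 1 ]; then
        echo "drift: forwarding is ON now but is not configured to persist"
    else
        echo "drift: forwarding is OFF now but will be enabled at the next boot"
    fi
    return 1
}

# Run against the live system when the files from the text are present.
if [ -r /proc/sys/net/ipv4/ip_forward ]; then
    audit_ip_forward /proc/sys/net/ipv4/ip_forward /etc/sysctl.conf || true
fi
```
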
Using GUI Configuration Tools
Most distributions include their own GUI configuration tools for network interfaces. For instance, Fedora and Red Hat ship with a custom GUI tool called Network Configuration (system-config-network), and SUSE has a text-mode and GUI tool called YaST. The details of operating these programs differ, but the GUI configuration tool provides a means to enter the information described earlier.
Although the exam doesn’t cover GUI network configuration tools, they’re generally easier to locate and use than the configuration files in which settings are stored. Thus, you may want to look for your distribution’s tool and learn to use it. Once you understand the principles of network configuration (IP addresses, DHCP, and so on), you shouldn’t have trouble entering the necessary information in the GUI fields.
The precise details of how to configure a Linux system using GUI tools differ from one distribution to another. For instance, SUSE’s YaST doesn’t lay out its options in precisely the same way as Fedora’s Network Configuration tool. The basic principles are the same, though; you must choose whether to use static IP address assignment or an automatic system such as DHCP and enter a number of key options, depending on what configuration method you choose.
Using the ifup and ifdown Commands
Most Linux distributions today ship with two commands, ifup and ifdown, that combine the functions of several other network commands, most notably ifconfig and route. In their simplest forms, they bring interfaces up or shut them down based on information in whatever files your distribution uses to store network configuration data:
# ifup eth0
Determining IP information for eth0...done.
After you issue this command, eth0 will be fully configured, including all routing information, assuming you’ve properly configured it by using your distribution’s network configuration tools or by manually editing configuration files such as /etc/network/interfaces and /etc/sysconfig/network-scripts/ifcfg-name. You can bring the interface down with equal ease by typing ifdown eth0.
The ifup and ifdown commands are useful for verifying that the network settings are configured properly for the next time the computer boots. They’re also useful if you want to quickly take down the network or bring it back up again, because you can type fewer commands and you don’t need to remember all the details of IP addresses, routes, and so on. If you need to experiment or debug a problem, though, using ifconfig and route individually is preferable, because they give you finer control over the process.
The ifup and ifdown commands are implemented as scripts that consult the configuration files and run the relevant low-level commands behind the scenes.
Configuring Hostnames
The hostnames described earlier (in “Resolving Hostnames”) are configured in a couple of ways:
On DNS
Your network administrator should be able to add an entry for your system to your network’s DNS server. This entry should make your computer addressable by name from other computers on your local network, and perhaps from the Internet at large. Alternatively, remote systems’ /etc/hosts files can be modified to include your system.
On Your Local Computer
Various local programs should know your computer’s name. For instance, you may want to have your hostname displayed as part of a command prompt or entered automatically in email messages. For this task, you must set your hostname locally. Note that this is entirely independent of your DNS hostname. In theory, you can set the two to very different values, but this practice is likely to lead to confusion and perhaps even failure of some programs to operate properly.
The most basic tool for setting your hostname locally is called, appropriately enough, hostname. Type the command alone to see what your hostname is, or type it with a new name to set the system’s hostname to that name:
# hostname nessus.example.com
Similar commands, domainname and dnsdomainname, display or set the computer’s domain name (such as example.com). The domainname command sets the domain name as used by Network Information System (NIS), whereas dnsdomainname sets the domain name as used by DNS. These commands don’t affect remote servers—just the name given to programs that use calls designed for these servers.
Many Linux distributions look in the /etc/hostname or /etc/HOSTNAME file for a hostname to set at boot time. Thus, if you want to set your hostname permanently, you should look for these files, and if one is present, you should edit it. Fedora uses /etc/sysconfig/network for this purpose, among others. If you can’t find one of these files, consult your distribution’s documentation; it’s conceivable that your distribution stores its hostname in some unusual location.
In Exercise 8.2, you’ll familiarize yourself with some of the tools used to configure basic network settings. You’ll use these tools both to study and to change your network configuration.
EXERCISE 8.2
Configuring a Network Connection
In this exercise, the assumption is that the computer is correctly configured to use an IPv4 Ethernet network, including both local network access and access to a larger network (probably the Internet) via a router.
Some of the procedures in this exercise can easily break your network connectivity if something goes wrong. If this happens, typing ifdown followed by ifup is one way to recover. If this fails, rebooting the computer is almost certain to work, although it’s a radical solution.
To study and modify your system’s network configuration, follow these steps:
1. Log into the Linux system as a normal user.
2. Launch an xterm from the desktop environment’s menu system, if you used a GUI login method.
3. Acquire root privileges. You can do this by typing su in an xterm or by using sudo (if it’s configured) to run the commands in the following steps.
4. Type ifconfig. This command displays information about your local network settings for all your network interfaces. Most systems have both a loopback interface (lo) and an Ethernet interface (eth0). Look for a line in the Ethernet section that includes the string inet addr:. The following 4-byte number is your IP address. Write it down, as well as the value of your netmask (Mask:). Study the other information in this output, too, such as the number of received (RX) and transmitted (TX) packets, the number of errors, the number of collisions, and the Ethernet adapter’s hardware address.
5. Type route -n. The output is your computer’s routing table information. This normally includes information about the loopback network address (127.0.0.0/24), the local network address, and a default route (identified as the route for 0.0.0.0). Some systems may display fewer or additional lines, depending on local configuration. The default route includes an IP address under the Gateway column. Write down that address.
6. Use ping to test connectivity to both local and remote computers. (This command is described in more detail shortly, in “Testing Basic Connectivity.”) You need the name or IP address of at least one local computer and at least one distant computer (beyond your local router). Type ping address, where address is the name or IP address of each test machine. Perform this test for localhost or 127.0.0.1, your own machine (use the IP address you noted in step 4), your local router (use the IP address you noted in step 5), and a distant computer (if you’re connected to the Internet, you can use an Internet-accessible site, such as www.linux.org). All of these ping tests should be successful. Note, however, that some computers are configured to ignore packets sent by ping. Thus, some of these tests may fail if you run into such systems. You can learn the configuration of local computers from their administrators, but for Internet sites, you may want to simply try another site if the first one you test fails.
7. Bring down the local Ethernet connection by typing ifconfig eth0 down.
8. Repeat steps 4−6. Note that the eth0 interface is no longer shown when you type ifconfig, all routes associated with it have been removed from the routing table, and pinging systems accessible from the interface no longer works. (Linux retains some information about its former Ethernet link, so you may still be able to ping the computer itself via its former eth0 address.)
9. Bring the local Ethernet connection back up by typing ifconfig eth0 up address netmask mask, where address is the original IP address and mask is the original netmask, both as identified in step 4.
10. Repeat steps 4−6. Note that the ifconfig command automatically added back your local network to the routing table but that the default route is still missing. As a result, you can’t contact any systems that are located off the local network. If your DNS server is such a system, this means your ability to contact even local machines by name may be impaired as well.
11. Restore the default route by typing route add default gw gateway, where gateway is the router address you identified in step 5.
12. Repeat steps 4−6. If your network configuration is typical, all connectivity should be restored. (Some more exotic systems may still be lacking certain routes.)
Using PPP with DSL
Broadband users, and particularly those with Digital Subscriber Line (DSL) connections, sometimes have to use a variant of PPP to make their connections. PPP is a login-based way to access the Internet—you use a PPP utility to initiate a connection to a remote computer, which includes an exchange of a username and a password. A decade ago, PPP was used in dial-up Internet access (and it’s still used in this capacity), but some DSL providers have adapted PPP for their own purposes. In the case of DSL, this configuration method is called PPP over Ethernet (PPPoE).
In many cases, the simplest way to use a PPPoE configuration is to purchase a broadband router. This device attaches to the DSL modem and makes the PPPoE connection. The broadband router then works just like an ordinary Ethernet or Wi-Fi router, as far as your local computers are concerned, so you can configure Linux as you would on any other local network.
If you must connect a Linux system directly to a DSL network that uses PPPoE, you must use a Linux PPPoE client. Most Linux distributions ship with such clients, but configuration details vary from one distribution to another. Your best bet is to look for your distribution’s GUI network configuration tool; chances are, you’ll be able to find a set of options that are clearly labeled as applying to DSL or PPPoE.
Diagnosing Network Connections
Network configuration is a complex task, and unfortunately, things don’t always work as planned. Fortunately, there are a few commands you can use to help diagnose a problem. Five of these are ping, traceroute, tracepath, netstat, and tcpdump. Each of these commands exercises the network in a particular way and provides information that can help you track down the source of a problem. You can also use some common network programs that aren’t primarily debugging tools in your debugging efforts.
Testing Basic Connectivity
The most basic network test is the ping command, which sends a simple ICMP packet to the system you name (via IP address or hostname) and waits for a reply. In Linux, ping continues sending packets once every second or so until you interrupt it with a Ctrl+C keystroke. (You can instead specify a limited number of tests via the -c num option.) Here’s an example of its output:
$ ping -c 4 speaker
PING speaker (192.168.1.1) 56(84) bytes of data.
64 bytes from speaker.example.com (192.168.1.1): icmp_seq=1 ttl=64 time=0.194 ms
64 bytes from speaker.example.com (192.168.1.1): icmp_seq=2 ttl=64 time=0.203 ms
64 bytes from speaker.example.com (192.168.1.1): icmp_seq=3 ttl=64 time=0.229 ms
64 bytes from speaker.example.com (192.168.1.1): icmp_seq=4 ttl=64 time=0.217 ms
--- speaker ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3002ms
rtt min/avg/max/mdev = 0.194/0.210/0.229/0.022 ms
This command sent four packets and waited for their return, which occurred quite quickly (in an average of 0.210 ms) because the target system was on the local network. By pinging systems on both local and remote networks, you can isolate where a network problem occurs. For instance, if you can ping local computers but not remote systems, the problem is most probably in your router configuration. If you can ping by IP address but not by name, the problem is with your DNS configuration.
Tracing a Route
A step up from ping is the traceroute command, which sends a series of three test packets to each computer between your system and a specified target system. The result looks something like this:
$ traceroute -n 10.1.0.43
traceroute to 10.1.0.43 (10.1.0.43), 30 hops max, 52 byte packets
 1  192.168.1.1  1.021 ms  36.519 ms  0.971 ms
 2  10.10.88.1  17.250 ms  9.959 ms  9.637 ms
 3  10.9.8.173  8.799 ms  19.501 ms  10.884 ms
 4  10.9.8.133  21.059 ms  9.231 ms  103.068 ms
 5  10.9.14.9  8.554 ms  12.982 ms  10.029 ms
 6  10.1.0.44  10.273 ms  9.987 ms  11.215 ms
 7  10.1.0.43  16.360 ms  *  8.102 ms
The -n option to this command tells it to display target computers’ IP addresses rather than their hostnames. This can speed up the process a bit, particularly if you’re having DNS problems, and it can sometimes make the output easier to read—but you may want to know the hostnames of problem systems because that can help you pinpoint who’s responsible for a problem.
This sample output shows a great deal of variability in response times. The first hop, to 192.168.1.1, is purely local; this router responded in 1.021, 36.519, and 0.971 milliseconds (ms) to its three probes. (Presumably the second probe caught the system while it was busy with something else.) Probes of most subsequent systems are in the 8−20 ms range, although one is at 103.068 ms. The final system has only two times; the middle probe never returned, as the asterisk (*) on this line indicates.
Using traceroute, you can localize problems in network connectivity. Highly variable times and missing times can indicate a router that’s overloaded or that has an unreliable link to the previous system on the list. If you see a dramatic jump in times, it typically means that the physical distance between two routers is great. This is common in intercontinental links. Such jumps don’t necessarily signify a problem unless the two systems are close enough that a huge jump isn’t expected.
What can you do with the traceroute output? Most immediately, traceroute is helpful in determining whether a problem in network connectivity exists in a network for which you’re responsible. For instance, the variability in the first hop of the preceding example could indicate a problem on the local network, but the lost packet associated with the final destination most likely is not a local problem. If the trouble link is within your jurisdiction, you can check the status of the problem system, nearby systems, and the network segment in general.
Some routers are configured in such a way that traceroute isn’t a useful tool; these routers block all traceroute data, either to themselves only or for all packets that pass through them. If your traceroute output contains one or two lines of all asterisks but everything else seems OK, chances are you’ve run into such a system. If you see nothing but asterisks after a certain router but diagnostic tools such as ping still work, a router is probably blocking all traceroute operations.
The tracepath program is an alternative to traceroute. In basic operation, it’s similar, although it produces one line of output for each test packet and so yields longer outputs than traceroute. There are also fewer tracepath options than there are traceroute options.
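Reading traceroute output for lost probes and highly variable times, as described above, can be automated. The following is an added example, not from the book: it parses traceroute -n output (the embedded sample is the trace shown earlier with its spacing restored) and reports only the hops worth a closer look. The function name, the output format, and the default ratio of 5 between the slowest and fastest probe are assumptions.

```shell
#!/bin/sh
# Constructed sample: the traceroute output shown above, with spacing restored.
SAMPLE_TRACE='traceroute to 10.1.0.43 (10.1.0.43), 30 hops max, 52 byte packets
 1  192.168.1.1  1.021 ms  36.519 ms  0.971 ms
 2  10.10.88.1  17.250 ms  9.959 ms  9.637 ms
 3  10.9.8.173  8.799 ms  19.501 ms  10.884 ms
 4  10.9.8.133  21.059 ms  9.231 ms  103.068 ms
 5  10.9.14.9  8.554 ms  12.982 ms  10.029 ms
 6  10.1.0.44  10.273 ms  9.987 ms  11.215 ms
 7  10.1.0.43  16.360 ms  *  8.102 ms'

# flag_hops [RATIO] (hypothetical helper): read `traceroute -n` output on stdin
# and print one line per suspicious hop:
#   hop address lost=N min=X max=Y reason
# A hop is flagged when a probe was lost (*) or when its slowest probe took
# more than RATIO times as long as its fastest (RATIO defaults to 5).
flag_hops() {
    awk -v ratio="${1:-5}" '
    $1 ~ /^[0-9]+$/ {                       # hop lines start with the hop number
        hop = $1; addr = ""; lost = 0; n = 0; min = 0; max = 0
        for (i = 2; i <= NF; i++) {
            if ($i == "*") { lost++; continue }
            if ($(i + 1) == "ms") {         # a number followed by "ms" is a probe time
                t = $i + 0
                if (n == 0 || t < min) min = t
                if (t > max) max = t
                n++; i++
            } else if (addr == "") {
                addr = $i                   # first other token is the responding router
            }
        }
        if (addr == "") addr = "?"          # every probe was lost or blocked
        reason = ""
        if (lost > 0) reason = "lost-probe"
        if (n > 1 && max > ratio * min)
            reason = (reason == "" ? "" : reason ",") "variable"
        if (reason != "")
            printf "%s %s lost=%d min=%.3f max=%.3f %s\n", hop, addr, lost, min, max, reason
    }'
}

# Demonstration on the constructed sample; on a live system use:
#   traceroute -n target | flag_hops
printf '%s\n' "$SAMPLE_TRACE" | flag_hops
```

A hop reported as lost-probe with address ? is the all-asterisk case the text attributes to routers that block traceroute, so it is not by itself evidence of a fault.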
Checking Network Status
Another useful diagnostic tool is netstat. This is something of a Swiss Army knife of network tools because it can be used in place of several others, depending on the parameters it’s passed. It can also return information that’s not easily obtained in other ways. Examples include the following:
Interface Information
Pass netstat the --interface or -i parameter to obtain information about your network interfaces similar to what ifconfig returns. (Some versions of netstat return information in the same format, but others display the information differently.)
Routing Information
You can use the --route or -r parameter to obtain a routing table listing similar to what the route command displays.
Masquerade Information
Pass netstat the --masquerade or -M parameter to obtain information about connections mediated by Linux’s NAT features, which often go by the name IP masquerading. NAT enables a Linux router to “hide” a network behind a single IP address. This can be a good way to stretch limited IPv4 addresses.
Program Use
Some versions of netstat support the --program (or -p) parameter, which attempts to provide information about the programs that are using network connections. This attempt isn’t always successful, but it often is, so you can see what programs are making outside connections.
Open Ports
When used with various other parameters, or without any parameters at all, netstat returns information about open ports and the systems to which they connect.
All Connections
The --all or -a option is used in conjunction with others. It causes netstat to display information about the ports that server programs open to listen for network connections, in addition to already-open connections. This use of netstat is described in more detail in Chapter 10, “Securing Your System.”
Keep in mind that netstat is a very powerful tool, and its options and output aren’t entirely consistent from one distribution to another. You may want to peruse its man page and experiment with it to learn what it can do.
Examining Raw Network Traffic
One advanced network troubleshooting tool is tcpdump. This utility is a packet sniffer, which is a program that can intercept network packets and log them or display them on the screen. Packet sniffers can be useful diagnostic tools because they enable you to verify that a computer is actually receiving data from other computers. They also enable you to examine the data in its raw form, which can be useful if you understand enough of the protocol’s implementation details to spot problems.
Although packet sniffers are useful diagnostic tools, they can also be abused. For instance, unscrupulous individuals can run packet sniffers to capture passwords that others send over the network. Depending on your network configuration, this trick can work even if the packet sniffer isn’t running on either the sending or the receiving computer. For this reason, many organizations have policies forbidding the use of packet sniffers except under limited circumstances. Thus, before running a packet sniffer, you should obtain written permission to use such a program from an individual who is authorized to grant such permission. Failure to do so can lead you into serious trouble, possibly up to losing your job or even being sued.
In its most basic form, you can use tcpdump by typing its name:
# tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
19:31:55.503759 IP speaker.example.com.631 > 192.168.1.255.631: UDP,
   length: 139
19:31:55.505400 IP nessus.example.com.33513 > speaker.example.com.domain:
   46276+ PTR? 255.1.168.192.in-addr.arpa. (44)
19:31:55.506086 IP speaker.example.com.domain > nessus.example.com.33513:
   46276 NXDomain* 0/1/0 (110)
The first thing to note about this command is that you must run it as root; ordinary users aren’t allowed to monitor network traffic in this way. Once it’s run, tcpdump summarizes what it’s doing and then begins printing lines, one for each packet it monitors. (Some of these lines can be quite long and so may take more than one line on your display.) These lines include a time stamp, a stack identifier (IP in all of these examples), the origin system name or IP address and port, the destination system name or IP address and port, and packet-specific information. Ordinarily, tcpdump keeps displaying packets indefinitely, so you must terminate it by pressing Ctrl+C. Alternatively, you can pass it the -c num option to have it display num packets and then quit.
Even this basic output can be very helpful. For instance, consider the preceding example of three packets, which was captured on nessus.example.com. This computer successfully received one broadcast packet (addressed to 192.168.1.255) from speaker.example.com’s UDP port 631, sent a packet to speaker.example.com, and received a packet from that system directed at nessus.example.com rather than sent as a broadcast. This sequence verifies that at least minimal communication exists between these two computers. If you were having problems establishing a connection, you could rule out a whole range of possibilities based on this evidence, such as faulty cables or a firewall that was blocking traffic.
If you need more information, tcpdump provides several options that enhance or modify its output. These include -A to display packet contents in ASCII, -D to display a list of interfaces to which tcpdump can listen, -n to display all addresses numerically, -v (and additional -v options, up to -vvv) to display additional packet information, and -w file to write the captured packets to the specified file. Consult tcpdump’s man page for more details on these options and for additional options.
Using Additional Tools
In addition to specialized network diagnostic programs, you can use some common user programs as debugging tools. One of the most useful of these may be Telnet. This program and protocol is mainly a remote login tool; type the program name followed by the name of a remote system to receive a login prompt on that system:
$ telnet speaker
Trying 192.168.1.1...
Connected to speaker.
Escape character is '^]'.
speaker login: harry
Password:
Last login: Mon Apr 25 21:48:44 from nessus.example.com
Have a lot of fun...
harry@speaker:~>
Telnet is a poor choice as a remote login protocol because it’s entirely unencrypted. As a general rule, you should remove the Telnet server from your system and never use the telnet client program. It can be a useful lowest-common-denominator protocol on sufficiently protected private networks, though, and the telnet client can also be a handy tool for debugging, as described next. Chapter 10 describes SSH, which is a much safer alternative to Telnet.
You can use Telnet to debug network protocols; if you give it a port number after the remote hostname, the telnet program connects to that port, enabling you to interact with the server:
$ telnet speaker 25
Trying 192.168.1.1...
Connected to speaker.
Escape character is '^]'.
220 speaker.example.com ESMTP Postfix
HELO nessus.example.com
250 speaker.example.com
This example connects to port 25, which is used by email servers. After connecting, I entered a HELO command, which is used by SMTP to identify a client; the remote system responded with a 250 code, which indicates an accepted command.
Of course, to use Telnet in this way, you must know a great deal about the protocol. Even without this knowledge, though, you can use Telnet to test whether a server is running: If you try to connect but get a Connection refused error message, you know that a remote server isn’t running or is inaccessible for some reason (say, because it’s being blocked by a firewall). If you get in (to the Escape character message shown in the earlier example or beyond), the server is running, although it may not be working correctly. This test works only for protocols that use TCP. Some tools use UDP instead, and Telnet won’t connect with them.
Sometimes the File Transfer Protocol (FTP) can be a useful diagnostic tool, as well. This program, as its name suggests, enables you to transfer files between systems. To use it, type the program name followed by the FTP server’s name. You’ll then see a login prompt and be able to issue FTP commands:
$ ftp speaker
Connected to speaker.
220 (vsFTPd 1.2.1)
Name (speaker:harry): harry
530 Please login with USER and PASS.
SSL not available
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> get zathras.wav
local: zathras.wav remote: zathras.wav
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for zathras.wav (109986 bytes).
226 File send OK.
109986 bytes received in 0.104 secs (1e+03 Kbytes/sec)
ftp> quit
221 Goodbye.
This example retrieves a single file, zathras.wav, from the remote computer. The basic ftp client displays a file size, transfer time, and transfer rate (1e+03 Kbytes/sec—in other words, 1 × 10^3 KiB/s, or 1000 KiB/s). This can be a useful way to test your network transfer speed, although you’ll get more reliable results with files that are several hundred kilobytes or larger in size. In addition to get, which retrieves files, you can issue commands such as put to upload a file; ls or dir to display the remote system’s directory contents; cd to change directories on the remote system; delete to remove a file; and quit or exit to exit from the program. You can use the help or ? command to see a list of available ftp commands.
Like Telnet, FTP is a poor choice of protocol for security reasons. The same SSH protocol that can substitute for Telnet can also handle most FTP duties. One important exception exists to the rule not to use FTP, though: Anonymous FTP sites are a common method of distributing public files on the Internet. You can download Linux itself from anonymous FTP sites. These sites typically take a username of anonymous and any password (your email address is the conventional reply) and give you read access to their contents. In most cases, you can’t upload files to anonymous FTP sites, and you can access only a limited number of files.
You can access public FTP sites using a Web browser. Enter a URL that begins with ftp://, such as ftp://downloads.example.org, and the Web browser connects to the site using FTP rather than HTTP.
Summary
Linux is a network-enabled OS, and it relies on its networking features more than most OSs do. This networking is built around TCP/IP, so you should understand the basics of this protocol stack, including IP addresses, hostnames, and routing. Most Linux distributions provide tools to configure networking during system installation, but if you want to temporarily or permanently change your settings, you can do so. Tools such as ifconfig and route can temporarily change your network configuration, and editing critical files or running distribution-specific utilities enables you to make your changes permanent.
Exam Essentials
Describe the information needed to configure a computer on a static IP network. Four pieces of information are important: the IP address, the netmask (aka the network mask or subnet mask), the network’s gateway address, and the address of at least one DNS server. The first two are required, but if you omit either or both of the latter two, basic networking will function, but you won’t be able to connect to the Internet or use most DNS hostnames.
Determine when using /etc/hosts rather than DNS makes the most sense. The /etc/hosts file provides a static mapping of hostnames to IP addresses on a single computer. Therefore, maintaining this file on a handful of computers for a small local network is fairly straightforward, but when the number of computers rises beyond a few or when IP addresses change frequently, running a DNS server to handle local name resolution makes more sense.
Summarize tools you can use to translate between hostnames and IP addresses. The nslookup program can perform these translations in both directions using either command-line or interactive modes, but this program has been deprecated. You’re better off using host for simple lookups or dig for more complex tasks.
Describe the function of network ports. Network ports enable packets to be directed to specific programs; each network-enabled program attaches itself to one or more ports, sending data from that port and receiving data directed to the port. Certain ports are assigned to be used by specific servers, enabling client programs to contact servers by directing requests at specific port numbers on the server computers.
Explain when you should use static IP addresses or DHCP. Static IP address configuration involves manually entering the IP address and other information and is used when a network lacks a Dynamic Host Configuration Protocol (DHCP) server or when a computer shouldn’t be configured by that server (say, because the computer is the DHCP server). DHCP configuration is easier to set up on the client but works only if the network has a DHCP server system.
Explain what the route command accomplishes. The route command displays or modifies the routing table, which tells Linux how to direct packets based on their destination IP addresses.
Describe some basic network diagnostic tools. The ping program tests basic network connectivity, and traceroute and tracepath perform similar but more complex tests that can help you localize where on a route between two systems a problem exists. The netstat utility is a general-purpose network status tool that can report a wide variety of information about your network configuration. Packet sniffers such as tcpdump provide detailed information about the network packets “seen” by a computer, which can be a useful way to verify that certain packet types are actually being sent or received.
Review Questions
1. Which types of network hardware does Linux support? (Select three.)
A. Token Ring
B. Ethernet
C. DHCP
D. NetBEUI
E. Fibre Channel
2. Which of the following is a valid IPv4 address for a single computer on a TCP/IP network?
A. 202.9.257.33
B. 63.63.63.63
C. 107.29.5.3.2
D. 98.7.104.0/24
E. 255.255.255.255
3. You want to set up a computer on a local network via a static TCP/IP configuration, but you lack a gateway address. Which of the following is true?
A. Because the gateway address is necessary, no TCP/IP networking functions will work.
B. TCP/IP networking will function, but you’ll be unable to convert hostnames to IP addresses or vice versa.
C. You’ll be able to communicate with machines on your local network segment but not with other systems.
D. Since a gateway is needed only for IPv6, you’ll be able to use IPv4 but not IPv6 protocols.
E. Without a gateway address available, you’ll be unable to use DHCP to simplify configuration.
4. Using a packet sniffer, you notice a lot of traffic directed at TCP port 22 on a local computer. What protocol does this traffic use, assuming it’s using the standard port?
A. HTTP
B. SMTP
C. Telnet
D. SSH
E. NNTP
5. What network port would an IMAP server normally use for IMAP exchanges?
A. 21
B. 25
C. 110
D. 143
E. 443
6. Which of the following are not Linux DHCP clients? (Select two.)
A. pump
B. dhcpcd
C. dhcpd
D. dhclient
E. ifconfig
7. Which of the following types of information are returned by typing ifconfig eth0? (Select two.)
A. The names of programs that are using eth0
B. The IP address assigned to eth0
C. The hardware address of eth0
D. The hostname associated with eth0
E. The kernel driver used by eth0
8. Which of the following programs is conventionally used to perform a DNS lookup?
A. host
B. dnslookup
C. pump
D. ifconfig
E. netstat
9. Which of the following commands should you type to add to host 192.168.0.10 a default gateway to 192.168.0.1?
A. route add default gw 192.168.0.10 192.168.0.1
B. route add default gw 192.168.0.1
C. route add 192.168.0.10 default 192.168.0.1
D. route 192.168.0.10 gw 192.168.0.1
E. route host gw 192.168.0.1
10. Which of the following commands might bring up an interface on eth1? (Select two.)
A. dhclient eth1
B. ifup eth1
C. ifconfig eth1
D. network eth1
E. netstat -up eth1
11. What is the purpose of /etc/hostname, if it’s present on the system?
A. It holds the hostname of a package repository server.
B. It holds a list of servers that resolve hostnames.
C. It holds a list of IP addresses and associated hostnames.
D. It holds the hostname of the local gateway computer.
E. It holds the computer’s default hostname.
12. Network accesses to parts of the Internet work fine, but several common sites have stopped responding (even when addressed via raw IP addresses). Which of the following tools will be most helpful in diagnosing the source of this problem?
A. netstat
B. ping
C. traceroute
D. ifconfig
E. dig
13. The ping utility responds normally when you use it with an IP address but not when you use it with a hostname that you’re positive corresponds to this IP address. What might cause this problem? (Select two.)
A. The target computer may be configured to ignore packets from ping.
B. Your computer’s DNS configuration may be broken.
C. The DNS configuration on the target system may be broken.
D. The route between your computer and its DNS server may be incorrect.
E. Your computer’s hostname may be set incorrectly in /etc/hostname.
14. How can you learn what programs are currently accessing the network on a Linux system?
A. Type ifconfig -p eth0.
B. Examine /proc/network/programs.
C. Type netstat -p.
D. Examine /etc/xinetd.conf.
E. Type dmesg | less.
15. To diagnose a problem with an IMAP server (imap.example.com), you type telnet imap.example.com 143 from a remote client. How can this procedure help you? (Select two.)
A. You can verify basic connectivity between the client computer and the server program.
B. By examining the output, you can locate intermediate routers that are misbehaving.
C. By using an encrypted protocol, you ensure that problems aren’t caused by a packet-sniffing intruder.
D. Once connected, you can type IMAP commands to test the server’s response to them.
E. Once you’ve logged into the remote system, you can examine its IMAP log files.
16. You’re configuring a new system, and your network administrator scribbles its IP address (172.25.78.89), netmask (255.255.255.0), gateway address (172.25.79.1), and DNS server address (10.24.89.201) on a piece of paper. You enter this information into your configuration files and type ifup eth0, but you find that you can’t access the Internet with this computer. Which of the following is definitely true?
A. Because the DNS server is on a completely different network, it won’t function properly for your system. You should ask for the local network’s DNS server’s IP address.
B. The netmask identifies the gateway as being on a different network segment than the computer you’re configuring, so the two can’t communicate directly. You most likely misread one address.
C. Because the IP addresses involved are private IP addresses, there’s no way for them to access the Internet. You must ask for public IP addresses for this system or use only your local private network.
D. The computer’s IP address is a Class B address, but the netmask is for a Class C address. This combination can’t work together, so you must obtain a new IP address or netmask.
E. The ifup utility works only for computers that use DHCP, so the use of a static IP address as specified in the question won’t work correctly.
17. What is the purpose of the -n option to route?
A. It causes no operation to be performed; route reports what it would do if -n were omitted.
B. It precedes specification of a netmask when setting the route.
C. It limits route’s output to descriptions of non-Internet routes.
D. It forces interpretation of a provided address as a network address rather than a host address.
E. It causes machines to be identified by IP address rather than hostname in output.
18. What is the purpose of /etc/resolv.conf?
A. It holds the names of network protocols and the port numbers with which they’re associated.
B. It controls whether the computer’s network options are configured statically or via a DHCP server.
C. It specifies the IP address of a DHCP server from which the computer attempts to obtain an IP address.
D. It holds the routing table for the computer, determining the route that network packets take to other computers.
E. It sets the computer’s default search domain and identifies (by IP address) the name servers that the computer may use.
19. Which of the following entries are found in the /etc/hosts file?
A. A list of hosts allowed to remotely access this one
B. Mappings of IP addresses to hostnames
C. A list of users allowed to remotely access this host
D. Passwords for remote Web administration
E. A list of port numbers and their associated protocols
20. How can you reconfigure Linux to use DNS queries prior to consulting /etc/hosts?
A. Edit the /etc/resolv.conf file, and be sure the nameserver dns line comes before the nameserver files line.
B. As root, type nslookup dns.
C. Edit the /etc/named.conf file, and change the preferred-resolution option from files to dns.
D. Edit /etc/nsswitch.conf, and change the order of the files and dns options on the hosts: line.
E. As root, type dig local dns.
Chapter 9
Writing Scripts, Configuring Email, and Using Databases
THE FOLLOWING EXAM OBJECTIVES ARE COVERED IN THIS CHAPTER:
1.105.1 Customize and use the shell environment
1.105.2 Customize or write simple scripts
1.105.3 SQL data management
1.108.3 Mail Transfer Agent (MTA) basics
This chapter covers a number of miscellaneous topics. The first of these relate to shell management and scripting. Linux shells (introduced in Chapter 1, “Exploring Linux Command-Line Tools”) can be customized in various ways. Knowing how to do this will help you be productive when using Linux. You may even need to set various options to use particular programs, and you may need to make similar changes on a global level so that all your users can work effectively. Managing your shell environment is done, essentially, by modifying standard shell startup scripts, so this chapter covers scripting next. You can write scripts to help automate tedious repetitive tasks or to perform new and complex tasks. Many of Linux’s startup functions (described in Chapter 5, “Booting Linux and Editing Files”) are performed by scripts, so mastering scripting will help you manage the startup process.
The next major topic of this chapter is Structured Query Language (SQL) data management. Many Linux installations rely on a SQL database to store information, and so you may need at least a minimal grounding in how to interact with SQL databases.
Finally, this chapter describes the basics of email management under Linux. Several Linux email packages exist, and you’re not expected to understand the details of their configuration for the exam; however, you should know how to configure mail forwarding, examine mail queues, and otherwise interact with a Linux mail server that’s already basically working.
Managing the Shell Environment
Chapter 1 introduced Linux shell use, including topics such as command completion, history, redirection, and the basics of environment variables. Now it’s time to go further, with more details about environment variables, aliases, and configuration files. Using this information, you’ll be able to customize your shell environment to suit your personal tastes or change the default environment for all the users on your system.
Reviewing Environment Variables
As described in Chapter 1, environment variables provide the means to pass named data (variables) to programs launched from a shell. Shells themselves also rely on environment variables. For instance, $HOSTNAME conventionally holds the computer’s name, such as carson.example.com. A program that needs to know the computer’s name can refer to $HOSTNAME to obtain this information.
You set an environment variable manually via an equal-sign assignment operator. To make the variable available to programs you launch from your shell, you then use the export command:
$ HOSTNAME=carson.example.com
$ export HOSTNAME
You can combine these two commands into one for brevity:
$ export HOSTNAME=carson.example.com
On a bash command line, you can refer to an environment variable by using the echo command to examine a single variable (as in echo $HOSTNAME) or by typing env to display all the environment variables.
Environment variable names are usually preceded by a dollar sign ($) in scripts and on shell command lines, except when they’re assigned. Getting this detail wrong can produce results you weren’t expecting; for instance, typing echo HOSTNAME produces the output HOSTNAME rather than the computer’s hostname.
Setting an environment variable as just described sets it permanently for the shell or (when used with export) for all programs you launch from it. If you want to set an environment variable for just one program, you can do so with env:
$ env DISPLAY=seeker.example.com:0.0 nedit
This command launches the nedit program such that it attempts to use the :0.0 display on seeker.example.com rather than the default local display (or whatever the original DISPLAY environment variable specifies; for more on this variable, see the next section). This particular command is not guaranteed to work, though, since it depends on the configuration of seeker.example.com to work. It’s actually possible to omit the env command in most cases; however, env can take options that require its use. Most notably, -i or --ignore-environment begins with a completely empty environment, and -u VARNAME or --unset=VARNAME unsets the specified variable, $VARNAME.
Although you can set environment variables manually at a bash prompt, a more common approach is to set them in a global or local bash startup script. These scripts are described in more detail shortly, in “Modifying Shell Configuration Files.”
Understanding Common Environment Variables
You may encounter many common environment variables on your system. You can find out how environment variables are configured by typing env alone. When it’s typed without options, env returns all the environment variables that are currently set, in a format similar to that of bash environment variable assignments:
$ env | grep HOSTNAME
HOSTNAME=carson.example.com
Of course, the variables you see and their values will be unique to your system and even your account—that’s the whole point of environment variables. Table 9.1 summarizes common variables you may see in this output.
TABLE 9.1 Common environment variables and their meanings
| Variable name | Explanation |
| --- | --- |
| USER or USERNAME | This is your current username. It’s a variable that’s maintained by the system. |
| SHELL | This variable holds the path to the current command shell. |
| PWD | This is the present working directory. This environment variable is maintained by the system. Programs may use it to search for files when you don’t provide a complete pathname. |
| HOSTNAME | This is the current TCP/IP hostname of the computer. |
| PATH | This is an unusually important environment variable. It sets the path for a session, which is a colon-delimited list of directories in which Linux searches for executable programs when you type a program name. For instance, if PATH is /bin:/usr/bin and you type ls, Linux looks for an executable program called ls in /bin and then in /usr/bin. If the command you type isn’t on the path, Linux responds with a command not found error. The PATH variable is typically built up in several configuration files, such as /etc/profile and the .bashrc file in the user’s home directory. |
| HOME | This variable points to your home directory. Some programs use it to help them look for configuration files or as a default location in which to store files. |
| MAIL | This variable holds the location of the user’s mail spool. It’s usually /var/spool/mail/username. |
| LANG | The system holds your current language, specified as a locale, using this variable. Locales are described further in Chapter 6, “Configuring the X Window System, Localization, and Printing.” |
| TZ | You can set this environment variable to your own time zone, which is most useful if that’s different than the computer’s time zone—for instance, if you’re using a computer remotely. Chapter 6 describes the formats you can use when setting the time zone in this way. |
| LD_LIBRARY_PATH | A few programs use this environment variable to indicate directories in which library files may be found. It works much like PATH. |
| PS1 | This is the default prompt in bash. It generally includes variables of its own, such as \u (for the username), \h (for the hostname), and \W (for the current working directory). This value is frequently set in /etc/profile, but it’s often overridden by users. |
| TERM | This variable is the name of the current terminal type. To move a text-mode cursor and display text effects for programs like text-mode editors, Linux has to know what commands the terminal supports. The TERM environment variable specifies the terminal in use. This information is combined with data from additional files to provide terminal-specific code information. TERM is normally set automatically at login, but in some cases you may need to change it. |
| DISPLAY | This variable identifies the display used by X. It’s usually :0.0, which means the first (numbered from 0) display on the current computer. When you use X in a networked environment, though, this value may be preceded by the name of the computer at which you’re sitting, as in machine4.luna.edu:0.0. This value is set automatically when you log in, but you may change it if necessary. You can run multiple X sessions on one computer, in which case each one gets a different DISPLAY number—for instance, :0.0 for the first session and :1.0 for the second. |
| EDITOR | Some programs launch the program pointed to by this environment variable when they need to call a text editor for you to use. Thus, changing this variable to your favorite editor can help you work in Linux. It’s best to set this variable to a text-mode editor, though; GUI editors may cause problems if they’re called from a program that was launched from a text-mode login. |
The PATH variable sometimes includes the current directory indicator (.) so that you can easily run programs in the current directory. This practice poses a security risk, though, because a miscreant can create a program with the same name as some other program (such as ls) and trick another user into running it by simply leaving it in a directory the victim frequents. Even the root user may be victimized this way. For this reason, it’s best to omit the current directory from the PATH variable, especially for the superuser. If it’s really needed for ordinary users, put it at the end of the path.
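
The check below is an added example, not part of the original text: a POSIX shell function (the name audit_path is hypothetical) that flags the PATH entries the preceding note warns about, namely the current directory indicator and empty entries, which the shell also treats as the current directory. It goes a little beyond the note by also flagging relative entries and directories that every user can write to, since both allow the same planted-program trick.

```sh
#!/bin/sh
# audit_path PATHSTRING
# Prints one line per risky entry. The exit status is 0 when nothing was
# flagged and 1 otherwise. The body runs in a subshell, so its variables
# do not leak into the calling shell.
audit_path() (
    remaining="$1:"      # the added colon keeps a final empty entry visible
    position=0
    findings=0
    while [ -n "$remaining" ]; do
        entry=${remaining%%:*}       # text before the first colon
        remaining=${remaining#*:}    # everything after that colon
        position=$((position + 1))
        problem=
        case $entry in
            '') problem="empty entry, treated as the current directory" ;;
            .)  problem="current directory" ;;
            /*)
                # -H follows a symlinked entry such as /bin -> usr/bin;
                # -prune stops find from descending into the directory.
                if [ -n "$(find -H "$entry" -prune -type d -perm -0002 2>/dev/null)" ]; then
                    problem="directory is writable by every user"
                fi
                ;;
            *)  problem="relative path, resolved against the current directory" ;;
        esac
        if [ -n "$problem" ]; then
            echo "entry $position ($entry): $problem"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
)

# Constructed sample value for illustration, not taken from a real system.
sample_path='/usr/local/bin:/usr/bin:.:/bin:'
audit_path "$sample_path" || echo "PATH should be cleaned up before use"
```

Run it against the live value with audit_path "$PATH", for instance from root’s startup script, to catch a risky entry that a configuration file added.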
Any given system is likely to have several other environment variables set, but these are fairly esoteric or relate to specific programs. If a program’s documentation says that it needs certain environment variables set, you can set them system-wide in /etc/profile or some other suitable file, or you can set them in user configuration files, as you deem appropriate.
Although you can see the entire environment by typing env, this output can be long enough to be intimidating. If you just want to know the value of one variable, you can use the echo command, which echoes to the screen what you type. If you pass it a variable name preceded by a dollar sign ($), echo returns the value of the variable. Here’s an example:
$ echo $PS1
[\u@\h \W]$
This command reveals that the PS1 environment variable is set to [\u@\h \W]$, which in turn produces a bash prompt like [david@penguin homes]$. Exercise 9.1 illustrates how you can change your bash prompt.
EXERCISE 9.1
Changing Your bash Prompt
This exercise describes how to change your bash prompt to show the current time and number of jobs managed by the shell. To accomplish this task, follow these steps:
1. Log into the Linux system as a normal user.
2. Launch an xterm from the desktop environment’s menu system, if you used a GUI login method.
3. Type export PS1="\T; \j jobs> ". The backslash (\) is an escape character that denotes special data to be inserted into the prompt when used in the PS1 environment variable. \T is expanded into the current time in 12-hour format, and \j is expanded into the number of jobs the shell manages. The man page for bash has a complete list of expansions the PS1 variable accepts. The result of typing this command should be an immediate change in your prompt to resemble something like 04:42; 0 jobs>.
4. Wait for a minute, and then run a program in the background by typing its name and appending an ampersand (&). For instance, you can type xeyes & to run the xeyes program from an xterm. You should see the number of jobs increase, and the time should change.
5. To make this change permanent, edit the .bashrc file in your home directory. Load this file into your favorite editor, and add a line to its end that reads export PS1="\T; \j jobs> ". Save the file, and exit the editor. (Shell configuration files are described in more detail shortly, in “Modifying Shell Configuration Files.”)
6. To test your change to .bashrc, log out and then log back in again. Instead of your distribution’s default prompt, you should see the new one.
7. If you don’t like the new prompt, edit .bashrc again and delete the line you added in step 5.
Using Aliases
Most Linux shells, including bash, support command aliases, which are new names you can give to regular commands. Typically, you’ll use aliases to assign easier-to-remember names to obscure commands, to implement desirable command options as the default for commands, or to create a shortened version of a command to minimize the amount of typing you must do. You can define aliases in a one-off fashion at any bash prompt, but they’re typically included in your bash startup scripts, as described shortly in “Modifying Shell Configuration Files.”
To implement an alias, you use the following syntax:
alias alias_name='commands'
The alias_name is what you want to type at the command prompt, and the shell substitutes commands for whatever you type. As an example, consider the ls command, which lists the contents of a directory. A popular option for this command is --color, which color-codes the output, giving directories, links, and other special files particular colors to make them stand out. If you want to use this option as the default, you can use alias:
$ alias ls='ls --color'
In this example, ls becomes an alias for an extended version of itself. This doesn’t result in recursion—that is, the ls to the right of the equal sign is not expanded. After you type this alias command, typing ls will work as if you’d typed ls --color. In fact, this particular alias is popular enough that it’s included as a standard part of many distributions’ bash startup scripts.
You can use an alias name that’s unrelated to the original command name. For instance, suppose you want to type bye instead of logout to terminate a text-mode login session. You can do so with alias:
$ alias bye='logout'
In practice, this particular alias isn’t likely to be useful if you type it manually at a command prompt, because you’ll log out of a session only once. You might want to include it in a bash startup script, though. If you do that, then you won’t need to type the alias manually at each session; it will be created automatically whenever you log in.
Modifying Shell Configuration Files
Configuring shells requires editing shell configuration files. These files can be classified in a couple of ways. First, files may be global files that affect all users of a shell or local files that affect just one user. Second, files may be login files that are launched only by a login process (such as a text-mode console login) or non-login files that are launched by other processes (such as when starting an xterm window). The result is a 2 × 2 matrix of configuration files, as shown in Table 9.2. (This table shows only bash configuration files; consult your shell’s documentation if you’re using another shell.)
TABLE 9.2 Common bash configuration files
| Type of file | Login file location | Non-login file location |
| --- | --- | --- |
| Global | /etc/profile and files in /etc/profile.d | /etc/bashrc or /etc/bash.bashrc |
| User | ~/.bash_login, ~/.profile, or ~/.bash_profile | ~/.bashrc |
Precisely which of these files are used differs from one distribution to another. No matter the name, though, these files are shell scripts. Shell scripting is described in more detail later, in “Writing Scripts,” but most bash startup scripts contain a series of commands. These commands may include both built-in bash commands and external commands.
Global configuration files affect all users of a system; however, their settings may be overridden by individual users, either in user configuration files or in commands the users type themselves. Thus, you shouldn’t rely on global configuration files to set options that shouldn’t be changed by users. For that, you should look to global security features, such as permissions on executable files.
The /etc/skel directory holds files that are copied to individual users’ home directories when their accounts are created. These files are sometimes called skeleton files. Typically, this set of files includes local bash startup files. You can examine these files and, if necessary, alter them to suit your local needs. Changes to these files affect only new accounts, not existing accounts. If you want to make a change that affects both existing and new users, you should edit a global configuration file instead.
Just as shells have startup scripts, they may also have logout scripts—scripts that run when the user logs out. For bash, this script is ~/.bash_logout. Most distributions don’t create this script as part of users’ default home directories, but individual users can do so. The logout script might execute programs to clean up temporary directories, remove security keys from memory, clear the screen, or perform other tasks that are appropriate when a user logs out.
One problem with logout scripts is that they may not work well when users log in multiple times. If you regularly have multiple sessions open, such as logins in multiple Linux virtual terminals, be careful about what you do in a logout script lest you wipe out important temporary files when you log out of just one session.
Another bash configuration file is ~/.inputrc, which helps customize your keyboard configuration. It consists of lines that look like this:
M-Control-u: universal-argument
This line maps the Meta-Ctrl+U keystroke to the universal-argument action. The Meta key is usually the Esc key on x86 or x86-64 systems, and the universal-argument action is one of many possible actions defined by the readline library, which is one of the basic text-mode input libraries used by Linux.
In most cases, there’s no need to adjust the ~/.inputrc file, because the default readline mappings work well for x86 systems with standard keyboards. If you find that certain keystrokes don’t work the way they should in text mode, though, you may want to research this configuration file further.
X uses its own keyboard input routines, so ~/.inputrc doesn’t affect programs run in X, even text-mode programs run inside xterm windows.
Writing Scripts
You’ll do much of your work on a Linux system by typing commands at a shell prompt. As you use Linux, though, you’re likely to find some of these tasks to be repetitive. If you need to add 100 new users to the system, for instance, typing useradd 100 times can be tedious. Fortunately, Linux includes a way to cut through the tedium: shell scripts. These are simple programs written in an interpreted computer language that’s embedded in the Linux shell you use to type commands.
Most Linux systems use bash by default, so shell scripts are often written in the bash shell scripting language; but tcsh and other shell scripting languages are similar. In fact, it’s not uncommon to see shell scripts that run in any common Linux shell. You’re not restricted to running shell scripts written in your default shell, however; the first line of a shell script identifies the shell that should be used to run it.
Many Linux startup scripts, including SysV startup scripts, are in fact shell scripts. Therefore, understanding shell scripting is necessary if you want to modify a Linux startup script.
Like any programming task, shell scripting can be quite complex. Consequently, this chapter barely scratches the surface of what can be accomplished through shell scripting. Consult a book on the topic, such as Cameron Newham’s Learning the Bash Shell, 3rd Edition (O’Reilly, 2005) or Richard Blum and Christine Bresnahan’s Linux Command Line and Shell Scripting Bible, 2nd Edition (Wiley, 2011), for more information.
To create a shell script, you must first know how to begin editing one. Once you do so, you’ll find that one of the easiest tasks to do is to call external commands. More advanced tasks include using variables and using conditional expressions.
Beginning a Shell Script
Shell scripts are plain-text files, so you create them in text editors. A shell script begins with a line that identifies the shell that’s used to run it, such as the following:
#!/bin/sh
The first two characters are a special code that tells the Linux kernel that this is a script and to use the rest of the line as a pathname to the program that’s to interpret the script. (This line is sometimes called the shebang, hashbang, hashpling, or pound bang line.) Shell scripting languages use a hash mark (#) as a comment character, so the script utility ignores this line, although the kernel doesn’t. On most systems, /bin/sh is a symbolic link that points to /bin/bash, but it can point to some other shell. Specifying the script as using /bin/sh guarantees that any Linux system will have a shell program to run the script; but if the script uses any features specific to a particular shell, you should specify that shell instead—for instance, use /bin/bash or /bin/tcsh instead of /bin/sh.
When you’re done writing the shell script, you should modify it so that it’s executable. You do this with the chmod command, as described in Chapter 4, “Managing Files.” Specifically, you use the +x option to add execute permissions, probably in conjunction with a to add these permissions for all users. For instance, to make a file called my-script executable, you should issue the following command:
$ chmod a+x my-script
You’ll then be able to execute the script by typing its name, possibly preceded by ./ to tell Linux to run the script in the current directory rather than searching the current path. If you fail to make the script executable, you can still run the script by running the shell program followed by the script name (as in bash my-script), but it’s generally better to make the script executable. If the script is one you run regularly, you may want to move it to a location on your path, such as /usr/local/bin. When you do that, you won’t have to type the complete path or move to the script’s directory to execute it; you can just type my-script.
It’s possible to set a script’s SUID or SGID bits. (See Chapter 4 for information about the SUID and SGID bits.) Doing so is potentially dangerous, particularly if the script is owned by root, for reasons described in Chapter 4. You should therefore be very cautious about applying the SUID bit to scripts.
Another way to run a script requires mention: sourcing it. You can source a script by using the source keyword or a dot (.), as follows:
$ source my-script
$ . my-script
Sourcing a script causes it to run in the current shell, as opposed to launching a new instance of the shell, as occurs when you run a script by typing its name alone or using the exec command, as described in Chapter 1. This has some important implications:
When you source a script, it will have access to environment variables set in the calling shell, even if you haven’t exported them. Ordinarily, only environment variables that you explicitly export become available to scripts you run.
If you source a script and if that script sets an environment variable, that variable will become available (or will be changed) in the calling shell. If you run the script normally, any environment variables it sets will remain local to it and to the programs that it calls, even if the script exports the variables.
Running a script in the normal ways imposes overhead costs associated with launching the new shell. These costs are normally negligible, but if a script calls itself recursively or calls many other scripts, sourcing those scripts within the first script may improve performance.
Sourcing a script causes it to execute in the calling shell’s language, whereas running a script normally causes it to use the shell language specified on the hashbang line.
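
The first two implications can be observed directly. The following is an added example, not part of the original text: a function (compare_run_and_source and all variable names in it are hypothetical) that writes a small script to a temporary directory, runs it once in a new shell and once by sourcing it, and reports what the script could see and what it left behind in the caller.

```sh
#!/bin/sh
# compare_run_and_source
# Prints two lines: one for running the script in a separate shell process,
# one for sourcing it. The body runs in a subshell, so the experiment does
# not change the shell that calls this function.
compare_run_and_source() (
    workdir=$(mktemp -d) || exit 1
    trap 'rm -rf "$workdir"' EXIT
    script="$workdir/my-script"

    # The script reports a variable it did not set, then sets one itself.
    printf '%s\n' \
        '#!/bin/sh' \
        'echo "sees NOT_EXPORTED=${NOT_EXPORTED:-nothing}"' \
        'SET_BY_SCRIPT=changed' \
        'export SET_BY_SCRIPT' > "$script"

    unset NOT_EXPORTED SET_BY_SCRIPT   # start from a known state
    NOT_EXPORTED=hello                 # assigned but never exported
    SET_BY_SCRIPT=original

    # 1. Run in a new shell process: the script gets only exported
    #    variables, and its own assignments end with that process.
    seen=$(sh "$script")
    echo "run: $seen; caller has SET_BY_SCRIPT=$SET_BY_SCRIPT"

    # 2. Source it. The output goes to a file because $(...) is itself a
    #    subshell and would hide the assignment the script makes.
    . "$script" > "$workdir/out"
    seen=$(cat "$workdir/out")
    echo "source: $seen; caller has SET_BY_SCRIPT=$SET_BY_SCRIPT"
)

compare_run_and_source
```

Because a sourced file can change any variable in the calling shell, PATH included, source only files whose contents you trust.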
Using Commands
One of the most basic features of shell scripts is the ability to run commands. You can use both shell internal commands and external commands. Most of the commands you type in a shell prompt are external commands—they’re programs located in /bin, /usr/bin, and other directories on your path. You can run such programs, as well as internal commands, by including their names in the script. You can also specify parameters to such programs in a script. For instance, suppose you want a script that launches two xterm windows and the KMail mail reader program. Listing 9.1 presents a shell script that accomplishes this goal.
Listing 9.1: A simple script that launches three programs
#!/bin/bash
/usr/bin/xterm &
/usr/bin/xterm &
/usr/bin/kmail &
Aside from the first line that identifies it as a script, the script looks just like the commands you might type to accomplish the task manually, except for one fact: The script lists the complete paths to each program. This is usually not strictly necessary, but listing the complete path ensures that the script will find the programs even if the PATH environment variable changes. On the other hand, if the program files move (say, because you upgrade the package from which they’re installed and the packager decides to move them), scripts that use complete paths will break.
Each program-launch line in Listing 9.1 ends in an ampersand (&). This character tells the shell to go on to the next line without waiting for the first to finish. If you omit the ampersands in Listing 9.1, the effect will be that the first xterm will open but the second won’t open until the first is closed. Likewise, KMail won’t start until the second xterm terminates.
Although launching several programs from one script can save time in starting your working environment and some other situations, scripts are also frequently used to run a series of programs that manipulate data in some way. Such scripts typically do not include the ampersands at the ends of the commands because one command must run after another or may even rely on output from the first. A comprehensive list of such commands is impossible because you can run any program you can install in Linux as a command in a script—even another script. A few commands that are commonly used in scripts include the following:
Normal File Manipulation Commands: The file manipulation commands, such as ls, mv, cp, and rm, are often used in scripts. You can use these commands to help automate repetitive file maintenance tasks.
grep: This command is described in Chapter 1. It locates files that contain specific strings.
find: Where grep searches for patterns within the contents of files, find does so based on filenames, ownership, and similar characteristics. This command is described in Chapter 4.
cut: This command extracts text from fields in a file. It’s frequently used to extract variable information from a file whose contents are highly patterned. To use it, you pass it one or more options that specify what information you want, followed by one or more filenames. For instance, users’ home directories appear in the sixth colon-delimited field of the /etc/passwd file. You can therefore type cut -f 6 -d ":" /etc/passwd to extract this information. The same command in a script will extract this information, which you’ll probably save to a variable or pass to a subsequent command via a pipe.
sed: This program is described in Chapter 1. It provides many of the capabilities of a conventional text editor but via commands that can be typed at a command prompt or entered in a script.
echo: Sometimes a script must provide a message to the user; echo is the tool to accomplish this goal. You can pass various options to echo or just a string to be shown to the user. For instance, echo "Press the Enter key" causes a script to display the specified string.
mail: The mail command can be used to send email from within a script. Pass it the -s subject parameter to specify a subject line, and give it an email address as the last argument. If used at the command line, you then type a message and terminate it with a Ctrl+D keystroke. If used from a script, you might omit the subject entirely, pass it an external file as the message using input redirection, or use a here document to pass text to the mail command as input. (Chapter 1 describes input redirection and here documents.) You might want to use this command to send mail to the superuser about the actions of a startup script or a script that runs on an automated basis. This command is described in more detail later in this chapter.
Many of these commands are extremely complex, and completely describing them is beyond the scope of this chapter. You can consult these commands’ man pages for more information. A few of them are described elsewhere in this book.
Even if you have a full grasp of how to use some key external commands, simply executing commands you might when typing them at a command prompt is of limited utility. Many administrative tasks require you to modify what you type at a command, or even what commands you enter, depending on information from other commands. For this reason, scripting languages include additional features to help you make your scripts useful.
Using Variables
Variables can help you expand the utility of scripts. A variable is a placeholder in a script for a value that will be determined when the script runs. Variables’ values can be passed as parameters to scripts, generated internally to the scripts, or extracted from the script’s environment.
Variables that are passed to the script are frequently called parameters. They’re represented by a dollar sign ($) followed by a number from 0 to 9—$0 stands for the name of the script, $1 is the first parameter to the script, $2 is the second parameter, and so on. To understand how this might be useful, consider the task of adding a user. As described in Chapter 7, “Administering the System,” creating an account for a new user typically involves running at least two commands—useradd and passwd. You may also need to run additional site-specific commands, such as commands that create unusual user-owned directories aside from the user’s home directory.
The shift command shifts the parameter variables so that what would ordinarily be $2 becomes $1, what would be $3 becomes $2, and so on. Adding a number, as in shift 3, shifts the assignments by that number of units. The shift command does not alter the $0 variable, though. You can use shift in conjunction with a loop (described later, in “Using Loops”) to examine all of the parameters passed to a script, in case their order or number is unknown when you write the script.
As an example of how a script with a parameter variable can help in such situations, considerListing9.2.Thisscriptcreatesanaccountandchangestheaccount’spassword(you’llbepromptedtoenter the password when you run the script). It creates a directory in the /shared directory treecorrespondingtotheaccount,anditsetsasymboliclinktothatdirectoryfromthenewuser ’shomedirectory.Italsoadjustsownershipandpermissionsinawaythatmaybeuseful,dependingonyour
system’sownershipandpermissionspolicies.Listing9.2:Ascriptthatreducesaccount-creationtedium#!/bin/sh
useradd-m$1
passwd$1
mkdir-p/shared/$1
chown$1.users/shared/$1
chmod775/shared/$1
ln-s/shared/$1/home/$1/shared
chown$1.users/home/$1/shared
If you use Listing 9.2, you need type only three things: the script name with the desired username and the password (twice). For instance, if the script is called mkuser, you can use it like this:

# mkuser ajones
Changing password for user ajones
New password:
Retype new password:
passwd: all authentication tokens updated successfully

Most of the scripts’ programs operate silently unless they encounter problems, so the interaction (including typing the passwords, which don’t echo to the screen) is a result of just the passwd command. In effect, Listing 9.2’s script replaces seven lines of commands with one. Every one of those lines uses the username, so by running this script, you also reduce the chance of a typo causing problems.

Another type of variable is assigned within scripts—for instance, such variables can be set from the output of a command. These variables are also identified by leading dollar signs, but they’re typically given names that at least begin with a letter, such as $Addr or $Name. (When values are assigned to variables, the dollar sign is omitted, as illustrated shortly.) You can then use these variables in conjunction with normal commands as if they were command parameters, but the value of the variable is passed to the command.

For instance, consider Listing 9.3, which checks to see whether the computer’s router is up with the help of the ping utility. This script uses two variables. The first is $ip, which is extracted from the output of route using the grep, tr, and cut commands. (These commands are described in Chapter 1.) When you’re assigning a value to a variable from the output of a command, that command should be enclosed in back-tick characters (`), which appear on the same key as the tilde (~) on most keyboards. These are not ordinary single quotes, which appear on the same key as the regular quote character (") on most keyboards. The second variable, $ping, simply points to the ping program. It can easily be omitted, with subsequent uses of $ping replaced by the full path to the program or simply by ping (relying on the $PATH environment variable to find the program). Variables like this are sometimes used to make it easier to modify the script in the future. For instance, if you move the ping program, you need only modify one line of the script. Variables that point to binaries can also be used in conjunction with conditionals to ensure that the script works on more systems—for instance, if ping were called something else on some systems.

Listing 9.3: Script demonstrating assignment and use of variables
#!/bin/sh
ip=`route -n | grep UG | tr -s " " | cut -f 2 -d " "`
ping="/bin/ping"
echo "Checking to see if $ip is up..."
$ping -c 5 $ip
In practice, you use Listing 9.3 by typing the script’s name. The result should be the message Checking to see if 192.168.1.1 is up (with 192.168.1.1 replaced by the computer’s default gateway system) and the output from the ping command, which should attempt to send five packets to the router. If the router is up and is configured to respond to pings, you’ll see five return packets and summary information. If the router is down, you’ll see error messages to the effect that the host was unreachable.

Listing 9.3 is of limited practical use and contains bugs. For instance, the script identifies the computer’s gateway merely by the presence of the string UG in the router’s output line from route. If a computer has two routers defined, this won’t work correctly, and the result is likely to be a script that misbehaves. The point of Listing 9.3 is not to be a flawless program but to demonstrate how variables can be assigned and used.

Scripts like Listing 9.3, which obtain information from running one or more commands, are useful in configuring features that rely on system-specific information or information that varies with time. You can use a similar approach to obtain the current hostname (using the hostname command), the current time (using date), the total time the computer’s been running (using uptime), free disk space (using df), and so on. When combined with conditional expressions (described shortly), variables become even more powerful because then your script can perform one action when one condition is met, and another in some other case. For instance, a script that installs software can check free disk space and abort the installation if insufficient disk space is available.

In addition to assigning variables with the assignment operator (=), you can read variables from standard input using read, as in read response to read input for subsequent access as $response. This method of variable assignment is useful for scripts that must interact with users. For instance, instead of reading the username from the command line, Listing 9.2 may be modified to prompt the user for the username. Listing 9.4 shows the result. To use this script, you type its name without typing a username on the command line. The script will then prompt for a username, and after you enter one, the script will attempt to create an account with that name.

Listing 9.4: Modified version of Listing 9.2 that employs user interaction
#!/bin/sh
echo -n "Enter a username: "
read name
useradd -m $name
passwd $name
mkdir -p /shared/$name
chown $name.users /shared/$name
chmod 775 /shared/$name
ln -s /shared/$name /home/$name/shared
chown $name.users /home/$name/shared
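
A hardened variant of the account-creation script, as an added example that is not from the book: Listing 9.2 and Listing 9.4 hand the name to useradd, mkdir, chown, and ln unquoted and unchecked while running as root, so a value such as ../etc or -m changes what those commands do. The name policy, the RUN dry-run switch, and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: validate the username before any of Listing 9.2's commands
# run, and quote every expansion. The name policy and the RUN switch are
# assumptions for illustration, not part of the original listings.
LC_ALL=C; export LC_ALL          # make a-z mean ASCII lowercase only

# Dry run by default: each step is printed instead of executed.
# Start the script with RUN set to an empty string to execute the steps as root.
RUN=${RUN-echo}

# Succeeds only for a conservative login name: first character a lowercase
# letter or underscore, then lowercase letters, digits, '_' or '-', and at
# most 32 characters. Rejects '', '-m', '../etc', 'a b' and 'x;id'.
valid_username() {
    [ -n "$1" ] || return 1
    [ "${#1}" -le 32 ] || return 1
    case $1 in
        [!a-z_]*)      return 1 ;;   # bad first character, including '-'
        *[!a-z0-9_-]*) return 1 ;;   # slash, dot, space, newline, ';', ...
    esac
    return 0
}

# The seven steps of Listing 9.2 for one validated name. Stops at the first
# failing step so a failed useradd is never followed by chown or ln.
# chown uses ':' as the separator; the '.' form in the listing is the older
# spelling of the same thing.
make_account() {
    acct=$1
    if ! valid_username "$acct"; then
        echo "mkuser: refusing invalid username" >&2
        return 2
    fi
    $RUN useradd -m "$acct"                          || return 1
    $RUN passwd "$acct"                              || return 1
    $RUN mkdir -p "/shared/$acct"                    || return 1
    $RUN chown "$acct:users" "/shared/$acct"         || return 1
    $RUN chmod 775 "/shared/$acct"                   || return 1
    $RUN ln -s "/shared/$acct" "/home/$acct/shared"  || return 1
    $RUN chown "$acct:users" "/home/$acct/shared"    || return 1
}

# Stand-alone use: pass the username as the first argument.
if [ "$#" -gt 0 ]; then make_account "$1"; fi
```
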
One special type of variable was mentioned earlier in this chapter: environment variables, described in “Managing the Shell Environment.” Environment variables are assigned and accessed just like shell script variables. The difference is that the script or command that sets an environment variable uses the export command (in bash) to make the value of the variable accessible to programs launched from the shell or shell script that made the assignment. In other words, you can set an environment variable in one script and use it in another script that the first script launches. Environment variables are most often set in shell startup scripts, but the scripts you use can access them. For instance, if your script calls X programs, it might check for the presence of a valid $DISPLAY environment variable and abort if it finds that this variable isn’t set. By convention, environment variable names are all uppercase, whereas non-environment shell script variables are all lowercase or mixed case.
Using Conditional Expressions

Scripting languages support several types of conditional expressions. These expressions enable a script to perform one of several actions contingent on some condition—typically the value of a variable. One common command that uses conditional expressions is if, which allows the system to take one of two actions depending on whether some condition is true. The if keyword’s conditional expression appears in brackets after the if keyword and can take many forms. For instance, -f file is true if file exists and is a regular file; -s file is true if file exists and has a size greater than 0; and string1 == string2 is true if the two strings have the same values. (Typically, one or both strings is a variable.)

Conditionals may be combined together with the logical and (&&) or logical or (||) operators. When conditionals are combined with &&, both sides of the operator must be true for the condition as a whole to be true. When || is used, if either side of the operator is true, the condition as a whole is true.

To better understand the use of conditionals, consider the following code fragment:

if [ -s /tmp/tempstuff ]
then
   echo "/tmp/tempstuff found; aborting!"
   exit
fi
This fragment causes the script to exit if the file /tmp/tempstuff is present and is larger than 0 bytes. The then keyword marks the beginning of a series of lines that execute only if the conditional is true, and fi (if backward) marks the end of the if block. Such code may be useful if the script creates and then later deletes this file, because its presence indicates that a previous run of the script didn’t succeed or is still underway.

An alternative form for a conditional expression uses the test keyword rather than square brackets around the conditional:

if test -s /tmp/tempstuff

You can also test a command’s return value by using the command itself, without brackets, as the condition:

if command
then
   additional-commands
fi
In this example, the additional-commands will be run only if command completes successfully. If command returns an error code, the additional-commands won’t be run.

Conditional expressions may be expanded by use of the else clause:

if [ conditional-expression ]
then
   commands
else
   other-commands
fi
Code of this form causes either commands or other-commands to execute, depending on the evaluation of conditional-expression. This is useful if something should happen in a part of the program but precisely what should happen depends on some condition. For instance, you may want to launch one of two different file archiving programs depending on a user’s input.

What do you do if more than two outcomes are possible—for instance, if a user may provide any one of four possible inputs? You can nest several if/then/else clauses, but this gets awkward very quickly. A cleaner approach is to use case:

case word in
   pattern1) command(s) ;;
   pattern2) command(s) ;;
   ...
esac

For a case statement, a word is likely to be a variable, and each pattern is a possible value of that variable. The patterns can be expanded much like filenames, using the same wildcards and expansion rules (* to stand for any string, for instance). You can match an arbitrary number of patterns in this way. Each set of commands must end with a double semicolon (;;), and the case statement as a whole ends in the string esac (case backward).

Upon execution, bash executes the commands associated with the first pattern to match the word. Execution then jumps to the line following the esac statement; any intervening commands don’t execute. If no patterns match the word, no code within the case statement executes. If you want to have a default condition, use * as the final pattern; this pattern matches any word, so its commands will execute if no other pattern matches.
Using Loops

Conditional expressions are sometimes used in loops. Loops are structures that tell the script to perform the same task repeatedly until some condition is met (or until some condition is no longer met). For instance, Listing 9.5 shows a loop that plays all the .wav audio files in a directory.

Listing 9.5: A script that executes a command on every matching file in a directory
#!/bin/bash
for d in `ls *.wav` ; do
   aplay $d
done

The aplay command is a basic audio file player that works with the Advanced Linux Sound Architecture (ALSA) audio drivers. On some systems, you may need to use play or some other command instead of aplay.
The for loop as used here executes once for every item in the list generated by ls *.wav. Each of those items (filenames) is assigned in turn to the $d variable and so is passed to the aplay command.

The seq command can be useful in creating for loops (and in other ways, too): This command generates a list of numbers starting from its first argument and continuing to its last one. For instance, typing seq 1 10 generates 10 lines, each with a number between 1 and 10. You can use a for loop beginning for x in `seq 1 10` to have the loop execute 10 times, with the value of $x incrementing with each iteration. If you pass just one parameter to seq, it interprets that number as an ending point, with the starting point being 1. If you pass three values to seq, it interprets them as a starting value, an increment amount, and an ending value.

Another type of loop is the while loop, which executes for as long as its condition is true. The basic form of this loop type is like this:

while [ condition ]
do
   commands
done

The until loop is similar in form, but it continues execution for as long as its condition is false—that is, until the condition becomes true.
Using Functions

A function is a part of a script that performs a specific subtask and that can be called by name from other parts of the script. Functions are defined by placing parentheses after the function name and enclosing the lines that make up the function within curly braces:

myfn() {
   commands
}

The keyword function may optionally precede the function name. In either event, the function is called by name as if it were an ordinary internal or external command.

Functions are very useful in helping to create modular scripts. For instance, if your script needs to perform half a dozen distinct computations, you may place each computation in a function and then call them all in sequence. Listing 9.6 demonstrates the use of functions in a simple program that copies a file but aborts with an error message if the target file already exists. This script accepts a target and a destination filename and must pass those filenames to the functions.

Listing 9.6: A script demonstrating the use of functions
#!/bin/bash
doit() {
   cp $1 $2
}
function check() {
   if [ -s $2 ]
   then
      echo "Target file exists! Exiting!"
      exit
   fi
}
check $1 $2
doit $1 $2
If you enter Listing 9.6 and call it safercp, you can use it like this, assuming the file original.txt exists and dest.txt doesn’t:

$ ./safercp original.txt dest.txt
$ ./safercp original.txt dest.txt
Target file exists! Exiting!

The first run of the command succeeded because dest.txt didn’t exist. When the command was run a second time, though, the destination file did exist, so the program terminated with the error message.

Note that the functions aren’t run directly and in the order in which they appear in the script. They’re run only when called in the main body of the script (which in Listing 9.6 consists of just two lines, each corresponding to one function call).

Shell scripts are useful tools, and creating them requires practice. Exercise 9.2 begins your exploration of shell scripts, but in the long run you’ll need to learn to design your own shell scripts by doing more than copying examples from a book.
EXERCISE 9.2
Creating a Simple Script

This exercise presents a shell script that gives you the option of using less to read every text file (with a name ending in .txt) in the current directory. To begin with this script, follow these steps:

1. Log into the Linux system as a normal user.
2. Launch an xterm from the desktop environment’s menu system, if you used a GUI login method.
3. Start an editor, and tell it to edit a file called testscript.
4. Type the following lines into the editor:

#!/bin/bash
for file in `ls *.txt` ; do
   echo -n "Display $file? "
   read answer
   if [ "$answer" == 'y' ]
   then
      less $file
   fi
done

Be sure you’ve typed every character correctly; any mistake may cause the script to misbehave. One common error is mistyping the back-tick characters (`) on the second line as ordinary single-quote characters (').

5. Save the file, and exit the editor.
6. Type chmod a+x testscript to add the executable bit to the file’s permissions.
7. Type ./testscript to run the script. If there are no text (*.txt) files in your current directory, the script displays a no such file or directory error message; but if any text files are present, the script gives you the option of viewing each one in turn via less.

This example script is extremely limited, but it illustrates several important script features, such as variable assignment and use, for loops, and if/then conditional expressions.
Managing Email

Email is one of the most important network services. What’s more, Linux relies on email even in a completely non-networked environment—certain Linux subsystems, such as cron (described in Chapter 7), may use email to notify you of activities. For this reason, most Linux distributions ship with email server software installed and configured for basic activities, and you should have a basic understanding of how to use these servers to accomplish various tasks. You should understand the basics of email and be able to identify the specific email server package your system is running. You should also be able to set up email aliases (alternate names for users) and forwarding (to send mail for a user to another destination). Finally, you should understand the security implications of email so that you can prevent problems or identify them when they occur.
Understanding Email

Several protocols exist to manage email. The most common of these is the Simple Mail Transfer Protocol (SMTP), which is designed as a push mail protocol, meaning that the sending system initiates the transfer. This design is good for sending data, so SMTP is used through most of a mail delivery system. The final stage, though, often employs a pull mail protocol, such as the Post Office Protocol (POP) or the Internet Message Access Protocol (IMAP). With these protocols, the receiving system initiates the transfer. This is useful when the receiving system is an end user’s workstation, which may not be powered on at all times or able to receive incoming connections.

SMTP was designed to enable a message to be relayed through an arbitrary number of computers. For instance, an end user may compose a message, which is sent to the local SMTP server. (SMTP servers are also known as mail transfer agents, or MTAs.) This server looks up a recipient system using the Domain Name System (DNS) and sends the message to that computer. This system may use its own internal routing table to redirect the message to another local computer, from which the message may be read, either directly or via a POP or IMAP server. This arrangement is illustrated in Figure 9.1. Bear in mind that the number of links in this chain is variable and depends on how each system is configured. In the simplest case, local email stays on just one system. In theory, an arbitrarily large number of computers can be involved in an email exchange, although in practice it’s rare to see email pass through more than half a dozen systems.

FIGURE 9.1 Email typically traverses several links between sender and recipient.
At each step in a relay chain, email is altered. Most important, each server adds a header to the email, which is a line that provides information about the message. In particular, mail servers add Received: headers to document the path the mail has taken. In theory, this enables you to trace the email back to its source. Unfortunately, spammers and other email abusers have learned to forge email headers, which greatly complicates such analysis.

Because an SMTP server can function as both a server (receiving mail from other systems) and a client (sending mail to other systems), you must deal with both sides of the configuration equation. For the most part, this chapter and the exam don’t cover all these details, though, just a few of them. Sometimes a computer never functions in one role or the other, which can simplify matters—but you must then be careful not to accidentally configure the computer incorrectly. In particular, open relay configurations, in which a mail server relays mail from anybody, should be avoided. This and other security implications of running an SMTP server are covered in “Securing Your Email Server.”

On Linux, email is tied intricately to user accounts. The mail server holds incoming messages for each user, typically in a file in /var/spool/mail—for instance, /var/spool/mail/benf holds mail for the user benf. Some email servers store incoming mail in subdirectories of the users’ home directories, though. This incoming mail file or directory is referred to as the user’s mail spool.

You may recall that the userdel command, described in Chapter 7, includes options related to the handling of users’ mail spools. If you delete a user account but leave the user’s mail spool intact, the mail can still be accessed. If the mail server software stores mail in /var/spool/mail, leftover mail spools can cause problems if you eventually re-use an old username.

Email can be sent as well as received. The traditional Linux approach to sending email is to have local programs contact the local mail server to send email. The local mail server then contacts its outgoing email server, as in Figure 9.1. Most Linux email clients (aka mail user agents, or MUAs), as well as similar programs on other platforms, provide the option to directly contact a remote SMTP server when sending email. Such a configuration slightly simplifies the email path but can make operation unreliable if the local network link goes down. If your email client talks to an SMTP server that runs locally, the email can be queued for delivery by the SMTP server even if the network is temporarily down.
Choosing Email Software

Linux supports quite a few email servers. Chances are, one of the major servers will be installed on your system by default. If not and if you want to install one, you’ll have to pick one. You may also want to change your email server if you need to configure it in advanced ways; some servers are easier to configure than others or support specific options that others don’t. Four email servers are most popular on Linux:

Sendmail
The sendmail program (http://www.sendmail.org) was for many years the dominant email server package on the Internet. In recent years it’s lost some of its dominance to the other servers described here, as well as to Windows email servers. Nonetheless, sendmail remains a popular server. It’s very powerful, but it’s also difficult to configure because its configuration file formats are rather arcane.

Postfix
Postfix (http://www.postfix.org) was designed as a modular replacement for sendmail—rather than a single program that does everything (as sendmail is designed), Postfix uses multiple programs, each of which handles its own specific small task. This design improves security, at least in theory. Postfix tends to be easier to configure than sendmail, and it’s become the default email server on many Linux distributions.

Exim
Although Exim (http://www.exim.org) is a monolithic server, like sendmail, it has a much simpler configuration file format and so is easier to configure. A few Linux distributions use Exim as the default email server.

qmail
The fourth major Linux email server, qmail (http://www.qmail.org), is a modular server with security as a major design goal. Like Postfix and Exim, qmail is easier to configure than sendmail. It’s not the standard email server in any Linux distribution because its license is a bit strange and complicates qmail distribution with Linux; however, many system administrators like qmail enough that they replace their distributions’ standard email servers with qmail.

You have several ways to learn which email server your Linux distribution runs. The two most reliable are to use ps (described in Chapter 2, “Managing Software”) to look for running processes or to use your package management tools (also described in Chapter 2) to see which package is installed. In either case, you may need to check for each of the programs in turn. For instance, you might see results like these:

$ ps ax | grep send
31129 pts/2 R+ 0:00 grep send
$ ps ax | grep post
7778 ? Ss 0:45 /usr/lib/postfix/master
31132 pts/2 S+ 0:00 grep post
The search for a process containing the string send failed, but the search for post returned a process called /usr/lib/postfix/master—thus, it appears that Postfix is running on this system.

You can also look for executable filenames for each email server in /usr/bin or /usr/sbin; but be aware that most Linux email servers include a program called sendmail. This is done for compatibility reasons; because the original sendmail program was once ubiquitous, providing a compatible interface for scripts and administrators helps other SMTP servers work.

In addition to the SMTP server, a fully functional Linux email system is likely to include other software:

Pull Mail Servers
Two pull mail protocols, POP and IMAP, are popular. If a Linux system should function as a mail server from which users can read their email remotely, chances are you’ll install a POP or an IMAP server package, such as Cyrus IMAP (http://cyrusimap.web.cmu.edu/) or Dovecot (http://www.dovecot.org).

Fetchmail
This program, based at http://fetchmail.berlios.de, fills an odd gap in the email-delivery chain. If you run a small site that relies on an external ISP for email delivery, chances are the ISP supports only POP or IMAP. If you want to use a variety of email clients, you may want to run your own SMTP server, and perhaps your own POP or IMAP server, to deliver mail locally. To do this, you need a program that pulls mail using POP or IMAP and then injects it into a local SMTP mail queue. This is the job of Fetchmail. Most sites don’t need it, but for those that do, it’s indispensable.

Mail Readers
The final link in the email chain is the mail reader. Examples in Linux include Evolution (http://projects.gnome.org/evolution/), KMail (http://userbase.kde.org/KMail), Thunderbird (http://www.mozilla.org/en-US/thunderbird/), and mutt (http://www.mutt.org). The mail utility, which is installed on most Linux systems by default, is the lowest-common-denominator email utility. It’s described shortly, in “Sending and Receiving Email.” Most Linux email clients enable reading either from a local mail queue or from a remote POP or IMAP mail server. A multi-user system is likely to have multiple email clients installed, enabling each user to choose which client to use.

Neither this book nor the exam covers pull mail servers, Fetchmail, or mail readers in any detail. As a practical matter, you may need to learn how to configure any or all of these packages, depending on your site’s needs. Fortunately, mail reader configuration, which is the most common task, is usually fairly straightforward, as long as you have information on the hostnames of your outgoing (SMTP) and incoming (POP, IMAP, or local queue) email servers.
Working with Email

Although setting up an email server for a site is beyond the scope of this book and the exam, managing a few common email server administrative tasks is not. I therefore describe some common administrative tasks involving sending and receiving mail using the mail utility, email queue management, configuring aliases, and forwarding email.

Sending and Receiving Email

Linux supports a wide variety of email clients, some of which were mentioned earlier, in “Choosing Email Software.” Chances are, you’ll use a full-fledged email client for your personal email; however, you should also know how to use the mail program. This tool is a very basic command-line email utility. It has the advantage of being usable from a script, so you can write a script to automatically handle some email tasks, and perhaps even run that script automatically. For instance, you might write a script to check for user passwords that are about to expire and then email the users about this impending event so that they can change their passwords before their accounts are locked.

Some Linux systems ship with a program called nail rather than mail. The nail program supports additional features compared to the original mail, such as the ability to add attachments, but the two programs are very similar in basic operation. Typically, a link with the name mail points to nail, so you can call nail as mail.

The mail program is intended to be used on the command line to send or receive messages. The basic syntax for mail, including its most useful options, is as follows:

mail [-v] [-s subject] [-c cc-addr] [-b bcc-addr] to-addr
mail [-v] [-f [name] | -u user]
The first of these syntax lines is used for sending email; the second is used for reading email. (Unlike most email readers, mail only supports reading the local email queue, not email stored on remote servers and read via POP or IMAP.) You can achieve various goals with the options to mail:

Use Verbose Operation
As with many commands, the -v option produces more verbose output. This may be helpful if you need to debug problems.

Specify a Subject Line
The -s subject option enables you to specify a subject line.

Set a Carbon Copy Address
You can send a message to multiple people by sending a carbon copy using the -c cc-addr or -b bcc-addr options. These options vary in that the -b option produces a “blind” carbon copy, meaning that the recipient’s address doesn’t appear in the address list. This is useful if you want to discreetly send a copy of an email to somebody, but some spam filters may delete such emails.

Set the Recipient’s Address
The main recipient’s email address terminates the mail command’s line for an outgoing email.

Read Email
To read your email, pass the -f option to the program, optionally followed by the name of the mail spool file. Alternatively, you can use the -u user option to read the mail of the specified user.

This list of options is incomplete, but it includes the most important features. You should consult the man page for mail to learn about more exotic options. Remember that some systems use mail whereas others use nail, and available options differ for these two programs. The preceding options have the same effect for both programs; but some options, such as -a, have different meanings for the two programs. (The -a option enables you to insert an arbitrary email header in the original mail, but in nail it’s how you attach a file to an outgoing message.)

As an example of mail in action, consider the task of sending a quick email message. Suppose you want to send an email to two recipients informing them of a meeting. You can do so as follows:

$ mail -s "Meeting reminder" [email protected]@example.com
Remember the meeting at 4:00 today!
After you type the mail command, the program waits for input via standard input, but there’s no prompt. You signal the end of the message by pressing Ctrl+D. This example shows a simple one-line message. After you press Ctrl+D, the program displays the Cc: line to verify this option. You can still change the address at this point, but if you don’t want to, you can press the Enter key and the message will be on its way.

To use mail in a script, you can use input redirection to pass it the contents of a file to be mailed:

mail -s "Automated alert!" < /tmp/[email protected]

This line, if included in a script, sends the contents of /tmp/alert.txt to benf@example.com with the specified subject.

You can use mail to read incoming email, too, but only if it’s stored on a local Linux mail spool. In this case, you’ll normally use mail interactively. Type mail, and you’ll see the contents of your mail spool. Each message has a summary line that lists the sender, date, and subject, among other things:

[email protected]:27 116/4262 Priorities

This is message number 46; it’s from [email protected]; it arrived on January 13 at 18:27 (6:27 p.m.); it has 116 lines and 4262 bytes (including headers); and its subject is Priorities. To read a message, type its number. You can then delete the message by typing d or reply to it by typing r.

As a practical matter, most people prefer to use more-sophisticated mail readers for their day-to-day mail reading. You’ll probably find mail more useful for the scripted sending of email than for reading email or sending personal email.
Checking the Email Queue

An email server manages a queue of email messages that it must deliver. This queue is similar in some respects to the queue of print jobs that the Linux printing system handles, as described in Chapter 6. Instead of sending jobs to a printer, though, the email server sends email messages to another computer or stores them in local users’ mail spools. This task may sound simple, but it can be surprisingly complex. The server may be asked to deliver many messages in a very short period of time, and thus it may need to delay delivery of some messages while it works on others. Furthermore, any number of problems can lead to temporary or permanent inability to deliver messages. When a problem seems to be temporary, such as a network routing failure, the email server must store the message and try to deliver it again later. Thus, a Linux computer’s email queue may contain undelivered messages. Knowing how to identify these messages and manage the queue can help you keep your Linux computer’s email subsystem working smoothly.

The mailq program is the main tool to help in email queue management. This program was originally part of the sendmail package, but Postfix, Exim, qmail, and other Linux SMTP servers have all implemented compatible commands. Unfortunately, command options differ between implementations. The basic command, without any options, shows the contents of the email queue on all systems:

$ mailq
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
5B42F963F* 440 Fri Jan 18 13:58:[email protected]
-- 0 Kbytes in 1 Request.
This example, taken from a system running Postfix, shows one message in the queue, along with relevant identifying information. The exact display format varies from one SMTP server to another. In most cases, typing mailq is equivalent to typing sendmail -bp.

If your network connection goes down temporarily or if an upstream email server goes down for a while, email messages can pile up in the queue. Your SMTP server will ordinarily attempt redelivery at a later date; but if your network connection has come up again and you want to clear the queue immediately, you can do so. Typing sendmail -q will do the job with most SMTP servers, and some have other equivalent commands, such as postqueue in Postfix or runq in Exim.

All email servers offer a wide variety of advanced options to prioritize email delivery, accept messages on the command line, delete specific messages from the queue, debug email connections, and so on. Unfortunately, commands and procedures to use these features vary from one email server to another. Thus, you should consult your server’s documentation to learn how to use these features.

Redirecting Email

Email aliases enable one address to stand in for another one. For instance, all email servers are supposed to maintain an account called postmaster. Email to this account should be read by somebody who’s responsible for maintaining the system. One way to do this is to set up an alias linking the postmaster name to the name of a real account. You can do this by editing the aliases file, which usually resides in /etc or sometimes in /etc/mail.

The aliases file format is fairly straightforward. Comment lines begin with hash marks (#), and other lines take the following form:

name: addr1[,addr2[,...]]

The name that leads the line is a local name, such as postmaster. Each address (addr1, addr2, and so on) can be the name of a local account to which the messages are forwarded, the name of a local file in which messages are stored (denoted by a leading slash), a command through which messages are piped (denoted by a leading vertical bar character), the name of a file whose contents are treated as a series of addresses (denoted by a leading :include: string), or a full email address (such as [email protected]).

A typical default configuration includes a few useful aliases for accounts such as postmaster. Most such configurations map most of these aliases to root. Reading mail as root is inadvisable, though—doing so increases the odds of a security breach or other problem because of a typo or bug in the mail reader. Thus, you may want to set up an alias line like the following:

root: yourusername

This redirects all of root’s mail, including mail directed to root via another alias, to yourusername, which can take any of the forms just described (it’s most likely to be a local username or a valid remote email address).

Some mail servers, including sendmail, Postfix, and qmail, require you to compile /etc/aliases into a binary file that can be processed more quickly. To do so, use the newaliases command:

# newaliases

Exim has a newaliases command for compatibility with sendmail, but it doesn’t do anything by default.
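
An added example (not from the book): a small Python auditor for the aliases format described above. It classifies each target by its leading characters, follows alias-to-alias chains, and lists entries an administrator should review; the sample file, its account names, and the finding labels are constructed for illustration, and the indented-continuation handling follows the sendmail and Postfix convention.

```python
"""Audit a sendmail-style aliases file (added example; the sample is constructed)."""
from collections import namedtuple

Target = namedtuple("Target", "kind value")

# Constructed sample, not taken from any real system. root has no alias here.
SAMPLE = '''\
# mail aliases
postmaster: root
mailer-daemon: postmaster
abuse: root, secops@example.org
tickets: "|/usr/local/bin/ticket-intake --queue ops"
archive: /var/mail/archive
staff: :include:/etc/mail/staff.list
'''


def split_targets(rhs):
    """Split the right-hand side on commas, ignoring commas inside double quotes."""
    parts, cur, quoted = [], "", False
    for ch in rhs:
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            parts.append(cur.strip())
            cur = ""
        else:
            cur += ch
    parts.append(cur.strip())
    return [p for p in parts if p]


def classify(addr):
    """Apply the leading-character rules: | pipe, :include: list file, / file."""
    if addr.startswith("|"):
        return Target("pipe", addr[1:].strip())
    if addr.startswith(":include:"):
        return Target("include", addr[len(":include:"):].strip())
    if addr.startswith("/"):
        return Target("file", addr)
    if "@" in addr:
        return Target("remote", addr)
    return Target("local", addr.lower())


def parse_aliases(text):
    """Return {local name: [Target, ...]}; lines starting with '#' are comments."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and logical:      # indented line continues the previous one
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    aliases = {}
    for line in logical:
        name, sep, rhs = line.partition(":")
        if sep:
            aliases[name.strip().lower()] = [classify(a) for a in split_targets(rhs)]
    return aliases


def resolve(name, aliases, seen=None):
    """Follow alias-to-alias chains and return the final delivery targets."""
    seen = set() if seen is None else seen
    if name in seen:                          # alias loop, or already expanded
        return set()
    seen.add(name)
    if name not in aliases:                   # not an alias: a real local account
        return {Target("local", name)}
    final = set()
    for t in aliases[name]:
        final |= resolve(t.value, aliases, seen) if t.kind == "local" else {t}
    return final


def audit(aliases):
    """Return (finding, alias name) pairs an administrator should review."""
    findings = []
    root_read_as_root = "root" not in aliases
    if root_read_as_root:                     # root's mail lands in root's own mailbox
        findings.append(("root-unaliased", "root"))
    for name in sorted(aliases):
        for t in aliases[name]:
            if t.kind in ("pipe", "file", "include"):
                findings.append((t.kind + "-target", name))
        if root_read_as_root and Target("local", "root") in resolve(name, aliases):
            findings.append(("delivers-to-root", name))
    return findings


if __name__ == "__main__":
    for finding, name in audit(parse_aliases(SAMPLE)):
        print(f"{finding:18} {name}")
```

Adding a root: line to the sample clears the root-unaliased and delivers-to-root findings, because every alias that pointed at root then resolves to the named account.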

Another approach to redirecting mail is to do so on the user level. In particular, you can edit the ~/.forward file in a user’s home directory to have mail for that user sent to another address. Specifically, the ~/.forward file should contain the new address—either a username on the current computer or an entire email address on another computer. This approach has the advantage that it can be employed by individual users—say, to consolidate email from multiple systems into one account without bothering system administrators. A drawback is that it can’t be used to set up aliases for nonexistent accounts or for accounts that lack home directories. The ~/.forward file can also be changed or deleted by the account owner, which might not be desirable if you want to enforce a forwarding rule that the user shouldn’t be able to override.

Securing Your Email Server

Like any server, an email server is a potential security risk. Broadly speaking, this risk takes two forms:

Bugs: Bugs in the email server can expose your computer to danger. In theory, a bug might enable somebody to gain access to your system by sending an email or by connecting to the SMTP port (25) via a Telnet client and typing SMTP commands to trigger the bug. For this reason, many Linux distributions today limit access to the email server to the local computer only.

Misconfiguration: Poor configuration of an email server can cause problems. Email servers aren’t designed to provide login access, so they aren’t likely to be abusable to gain full login access. Instead, the big risk is a configuration that will make your system a menace to the Internet. The most common misconfiguration of this nature is an open relay, which is a computer that will relay mail from any computer to any other computer. In the past, spammers made heavy use of open relays as a way to help hide their true identities, but spammers today have largely moved on to other techniques. Nonetheless, some spammers still abuse open relays.

To guard against bugs, you should ensure that your email server is upgraded to the latest version. Chapter 2 describes software management, so you should consult it for advice on keeping your system software up to date.

Major Linux distributions configure their email servers so that they aren’t open relays; however, a misconfiguration can open your email server. Various Web sites provide tests for such misconfigurations. Check http://www.abuse.net/relay.html or http://www.spamhelp.org/shopenrelay/ to test your system to verify that it’s not an open relay. These sites, and others like them, run a series of tests, attempting to relay email through your server. If your server is properly configured, the page will report that it was unable to connect or that it was unable to relay email. If the testing site was able to relay email, though, you’ll need to learn more to properly configure your server. Unfortunately, the steps needed to secure an open relay vary from one email server to another, and they require relatively advanced configuration, which is beyond the scope of this book or the exam. You can learn about closing open relay configurations in your email server’s documentation.

Managing Data with SQL

The Structured Query Language (SQL), as its expanded name suggests, is a language used for retrieving data from a database. In practice, SQL is implemented in several different database products. Thus, you should know a little about the SQL products that are available for Linux. With a SQL package installed, you can begin learning about the principles of SQL use and move on to actual data storage and retrieval.

Picking a SQL Package

SQL is a language for accessing data, and specific SQL packages implement that language. This distinction is similar to that between a network protocol (such as SMTP) and the servers that implement it (such as sendmail, Postfix, and Exim). In principle, you can use any SQL package to satisfy your SQL database needs. In practice, specific products that store data using SQL may work better with (or even require) particular packages. Some common choices in Linux include the following:

MySQL: Oracle owns this SQL implementation, which has been released under the GPL. Most major Linux distributions include MySQL in their package databases. For a complete installation, you’ll probably need to install multiple packages, such as a client, a server, and perhaps development tools. You can learn more at http://www.mysql.com.

PostgreSQL: This SQL implementation evolved from the earlier Ingres software (the name PostgreSQL is a compressed form of post-Ingres SQL). It’s available under the BSD license and is available as multiple packages in most Linux distributions. As with MySQL, you’ll most likely have to install a client, a server, and perhaps additional support packages. PostgreSQL is headquartered at http://www.postgresql.org.

SQLite: This package, based at http://www.sqlite.org, is a library that implements SQL. As such, it’s not a stand-alone database; instead, it’s intended as a way to provide programs with a way to store data using a SQL interface within the program. If you install a program that uses SQLite, your distribution’s package manager should install the relevant libraries for you. If you want to write a program that requires database access and you don’t want to install a complete client-server SQL package such as MySQL or PostgreSQL, SQLite may be just what you need.

There are dozens more SQL database products for Linux. For the purpose of learning SQL, MySQL or PostgreSQL should do fine, or you can use another full implementation if you prefer. If you have a specific purpose in mind for using SQL, though, you should research SQL packages in more detail. You may need a particular product for compatibility with other software, or you may need a SQL package that provides specific features.

As just noted, some SQL packages, including MySQL and PostgreSQL, operate on a client-server model: One program (the server) manages the database, while another (the client) provides users and programs with access to the database. Such implementations can work over a network, enabling users at multiple client systems to access a centralized database server.

Understanding SQL Basics

SQL is a tool for accessing databases, and more specifically, relational databases. Figure 9.2 illustrates data in a relational database. Each row (sometimes known as a tuple) represents a single object or other item, and each column (sometimes referred to as an attribute or field) represents a specific feature. The combination of rows and columns is referred to as a table. Each database may contain multiple tables, and SQL supports multiple databases. Thus, to access data, you must first select a database and a table, as described in more detail shortly.

FIGURE 9.2 A relational database stores data in a table, with each row representing one object or item and each column representing specific attributes.

The data in a table are unordered, at least conceptually. (In practice, of course, data will be stored in some order on disk, but this order is arbitrary.) You can impose an order on query results, as described shortly; for instance, you may retrieve data from the database represented by Figure 9.2 and order the results according to cost (the final column).

A database enables retrieval of information that matches specific criteria. You can search for all the green objects in Figure 9.2, for instance. You can also insert, delete, and update information in a table. SQL supports multiple tables, so you can have, for instance, different tables for property in your office and for employees who work in your office.

Columns (attributes) in a database hold specific types of data, and swapping them around makes little sense. For instance, it’s clear that the second column in Figure 9.2 is a color, whereas the final column is a price or value, expressed in dollars. It would make little sense to enter green as a price or $1.00 as a color. The restrictions placed on what may appear in a column are known as a domain or a data type: The domain for the second column is a set of color names, whereas the domain for the final column is a numeric value expressed in dollars. Table 9.3 summarizes some common SQL data types.

TABLE 9.3 Common SQL data types

Data Type Name      Purpose
INTEGER (aka INT)   4-byte integer value
SMALLINT            2-byte integer value
DECIMAL             Precision storage of decimal values
NUMERIC             Precision storage of decimal values
FLOAT               Floating-point number
DOUBLE PRECISION    Floating-point number stored with twice the precision of FLOAT
DATETIME            A date and time
DATE                A date
TIME                A time, in HH:MM:SS format; may be a time of day or a period of time
CHAR                One or more characters
VARCHAR             A variable number of characters
ENUM                An enumerated list, such as one of small, medium, or large
SET                 Data that may have zero or more values, as in any of the set of nuts, sprinkles, fudge, and cherry for ice cream toppings

Additional data types exist; Table 9.3 is intended to give you a feel for what’s available and to list some of the data types you’re likely to encounter. Some implementations support unique data types, too. Each of these data types has its own features. For instance, the numeric data types (INTEGER, DECIMAL, and so on) can be manipulated by mathematic operators.

Using MySQL

To learn about SQL, you should have access to a SQL database. For purposes of demonstration, I’m using MySQL as a reference. Other SQL implementations are similar to what I describe here, but some details differ. One of these details is how to start the database. In the case of MySQL, your distribution should include a SysV or other startup script for the SQL server. This server may also need to be configured with its own root password. Debian and related distributions will prompt for this when you install the package, but you may need to set this manually with other distributions.

Starting to Use MySQL

To begin a SQL session, you should first ensure that the server is running, as just described. You can then start the SQL client. In the case of MySQL, this program is called mysql:

$ mysql

If you’ve just installed MySQL for learning purposes, it may have no databases defined. To learn what’s defined, you can use the SHOW DATABASES command:

mysql> SHOW DATABASES;
+--------------------+
| Database           |
+--------------------+
| information_schema |
+--------------------+
1 row in set (0.00 sec)

This example illustrates an important feature of SQL: Commands are terminated by semicolons (;). There are a few exceptions to this rule, but if you forget the semicolon, you’re likely to see a new prompt that reads -> rather than mysql>, at least in MySQL. You can use this fact to split your commands across multiple lines, if you like. If you forget the semicolon that terminates a command, you can enter it by itself on the -> prompt line.

SQL commands are conventionally shown in uppercase, but SQL commands are case-insensitive, so you can type your commands in uppercase, lowercase, or any mixture of case you like.

In this example, one database is already defined: information_schema. Some installations define a database called test. If you see such a database, you can probably use it for your own tests; however, other users may be able to see and modify this database, so don’t store important data in it. If you’re not in charge of the SQL installation, you should double-check with whoever is in charge of it to be sure you can use the test database—or any other database, for that matter.

Creating Databases and Tables

If no database for testing purposes exists, you can create one with the CREATE DATABASE command, which takes a database name as an option:

mysql> CREATE DATABASE test;
Query OK, 1 row affected (0.00 sec)

Although SQL commands are case-insensitive, database names are not. Thus, be sure to create the database name using whatever case you intend to use to refer to it in the future.

If you type SHOW DATABASES;, you’ll see the test database in addition to any that already existed. Regardless of whether test (or some other testing database) existed when you first started MySQL or had to be created, you can begin using it with the USE command:

mysql> USE test;

Within each database, tables must be created and selected for use. The commands to do so are similar to the commands used to create and select databases. In a newly created database, no tables exist:

mysql> SHOW TABLES;
Empty set (0.00 sec)

The response Empty set denotes an empty database. To fill the database with data, you must first decide on a table structure—what sort of data you want to record. For instance, Figure 9.2 shows various attributes of common objects: their names, colors, sizes, hardnesses, and values in dollars. To create a table that includes columns for these five attributes, you use a CREATE TABLE command, passing it various details:

mysql> CREATE TABLE objects (name VARCHAR(30), color VARCHAR(20),
    -> size FLOAT, hardness ENUM('soft','medium','hard'),
    -> value DECIMAL(10,2));
Query OK, 0 rows affected (0.01 sec)

This example creates a table with five columns: name, color, size, hardness, and value. Each column has an associated data type, as described in Table 9.3. A few points worth noting about this table definition are as follows:

- The name and color columns are both VARCHAR examples, but with different sizes: The name may be up to 30 characters, whereas the color may be up to 20 characters. If these were defined as CHARs, each name would have to be precisely 30 characters in size, with each color precisely 20 characters.
- A limited set of colors can be specified by using an ENUM rather than a VARCHAR. Presumably you wouldn’t want to limit object names this way.
- The size column is a FLOAT, which is less precise than an integer data type, but a FLOAT can hold real (non-integer) numbers. Figure 9.2 includes sizes in inches and feet, but in practice you’ll need to convert everything to one unit—probably inches in this case.
- Note the syntax for defining the ENUM: The list of values as a whole is enclosed in parentheses (()), and each enumerated value is enclosed in single quotes (') and separated from other values by a comma (,).
- The DECIMAL value includes a specification of the number of digits (10 in this example) and the number of digits after the decimal point (2 in this example), separated by a comma. Some implementations support a MONEY data type that can be used in this case, but MySQL lacks this data type, so DECIMAL is the best choice for the job. A DECIMAL type is better for currency than FLOAT because a FLOAT type is likely to introduce rounding errors because of the way numbers are encoded in a FLOAT value. Such errors are typically unacceptable in currency, although they may be tolerable in some applications.

If you need to create a table with other types of values, you should consult the documentation for your specific SQL implementation to see what data types it supports.

With the table created, you may want to verify that it’s been created correctly. You can do so by typing DESCRIBE objects;. The result should be a summary of the fields you’ve just created for the objects table.

Storing Data

You can now begin storing data in your database. To do so, use the INSERT INTO command:

mysql> INSERT INTO objects
    -> VALUES ('lizard','green',6,'soft',10.00);

This example creates an entry for the first row of Figure 9.2 (but with one error, which is deliberate). You can verify that the database now holds this information by typing SELECT * FROM objects;. The result is a listing of all the data in the objects table, which in this case should be just the one entry. (The next section, “Retrieving Data,” covers data retrieval in more detail.)

This example entered incorrect data for one field: The lizard is entered in the table as being 6 inches in size, rather than 5. You can correct this error by using UPDATE:

mysql> UPDATE objects SET size=5 WHERE name='lizard';
Query OK, 1 row affected (0.00 sec)
Rows matched: 1  Changed: 1  Warnings: 0

This example begins with the keyword UPDATE and the table name (objects). The example then tells MySQL what to update: SET size=5—in other words, set the size field to 5. The WHERE keyword begins a specification of which rows to change. In this case, with only one row present, you can use any data or even omit WHERE and the rest of the line up to the semicolon. In most cases, though, you must provide enough criteria to uniquely identify the column you want to change. In this example, the name of the object is used—hence name='lizard', which tells MySQL to change the data for all rows for which the name field is lizard.

Before you continue with data retrieval activities, you should complete a database. Exercise 9.3 will guide you through this process.

EXERCISE 9.3 Creating a SQL Database

In this exercise, you’ll continue creating a small database. This exercise assumes you’ve performed the steps described in “Creating Databases and Tables” and “Storing Data” and that you therefore have a SQL database called test, which contains a table called objects, which contains one entry based on the first line in the matrix in Figure 9.2. To complete this database, follow these steps:

1. If you’re not currently running MySQL, do so by typing mysql.
2. If you’re not already using the test database, type USE test; to begin using the test database.
3. Type INSERT INTO objects VALUES ('tree','green',120,'medium',200);. (You may split this command across lines, if you like.) This entry is based on the second row of Figure 9.2, but note that the size value has been expressed in inches.
4. Verify that you entered the data correctly by typing SELECT * FROM objects; and verifying that the new entry is present.
5. Repeat step 3 (and step 4, if you like) for the remaining rows in Figure 9.2.

If you like, you can continue and enter more data; however, if you do so, some subsequent examples may not work as described.

Retrieving Data

The whole point of having a database is to be able to retrieve data from it. The main command for doing so has already been described: SELECT. This command’s power lies in its ability to accept specifications of what to select. You can use a variety of keywords to select data that matches various criteria, such as exact matches or matches to a range of values. The overall form of SELECT may be described in this way:

SELECT field(s) FROM table [ WHERE conditions ] [ ORDER BY field ]

Previous uses of SELECT have used an asterisk (*) as field(s), meaning that the command returns all the columns that match the remaining criteria. You can instead specify columns by name. For instance, suppose you’re interested only in the colors and values of objects. You can view this restricted set of data using SELECT:

mysql> SELECT value,color FROM objects;
+--------+--------+
| value  | color  |
+--------+--------+
|  10.00 | green  |
| 200.00 | green  |
|   5.00 | white  |
|   1.00 | red    |
|   0.10 | yellow |
+--------+--------+
5 rows in set (0.00 sec)

The field(s) criteria appears as a comma-separated list of columns. In this example, the criteria were listed in the reverse order from their order in the database, and so they appear in the reverse order in the output.

A more interesting way to retrieve data is to use WHERE conditions. This tool has already been mentioned, in reference to updating data. You can use conditions to retrieve specific data in several ways:

Exact Matches: Using a column name, an equal sign, and a value to match returns only those rows that match the specified value. For instance, typing SELECT * FROM objects WHERE color='green'; returns the two entries for green objects (lizard and tree).

Numeric Tests: You can retrieve data that match certain numeric criteria. For instance, to retrieve data on all objects that are greater than 10 inches in size, you can type SELECT * FROM objects WHERE size>10;.

Alphabetic Tests: The greater-than (>) and less-than (<) operators work on letters as well as numbers. This fact can be used to retrieve data based on the first letter of a string, as in SELECT * FROM objects WHERE name>'b'; to retrieve records for which the name begins with b or later letters in the alphabet. (Although this example uses a greater-than operator, it does in fact match the letter b.)

Multiple Tests: You can combine multiple criteria using the AND and OR operators. For instance, to retrieve data on soft objects valued at more than $7.50, you can type SELECT * FROM objects WHERE hardness='soft' AND value>7.50;.

You can have MySQL return the data as an ordered list by specifying a field name after the ORDER BY keyword:

mysql> SELECT * FROM objects WHERE hardness='soft' ORDER BY value;
+--------+--------+------+----------+-------+
| name   | color  | size | hardness | value |
+--------+--------+------+----------+-------+
| banana | yellow |    8 | soft     |  0.10 |
| pillow | white  |   18 | soft     |  5.00 |
| lizard | green  |    5 | soft     | 10.00 |
+--------+--------+------+----------+-------+
3 rows in set (0.00 sec)

Combining Data from Multiple Tables

As noted earlier, a database may contain multiple tables. This feature of SQL enables you to create tables for different functions. For instance, Figure 9.2 might represent a database of object characteristics that are of interest for some reason. You might also have a database containing the locations and conditions (on a 10-point scale) of different objects, as shown in Table 9.4. Sometimes you might want to combine these two tables to create a master table on which you can perform queries. In order to do so, though, the two tables must have one matching field that can be used to bind the two tables together, and each table must have one field whose value uniquely identifies each row. This uniquely identifying field is known as a primary key. In the case of Figure 9.2, the first column (called name) can serve as a primary key. In the case of Table 9.4, the Object ID column will do the job.

TABLE 9.4 Data on object locations and conditions

You can create this table much as you created the first one:

mysql> CREATE TABLE locations (id INTEGER, name VARCHAR(30),
    -> location VARCHAR(30), cond INTEGER);
mysql> INSERT INTO locations VALUES (1,'banana','kitchen',9);

Additional INSERT operations will fill out the table. At this point, you can use the SELECT operator to select data based on fields from both tables. For instance, suppose you want to know where all the green objects are located. The first table (objects) contains color data but not locations, whereas the second table (locations) holds locations but not color data. You can accomplish the goal by using a few tricks:

mysql> SELECT objects.name, objects.color, locations.location
    -> FROM objects, locations
    -> WHERE objects.name=locations.name AND objects.color='green';
+--------+-------+-------------+
| name   | color | location    |
+--------+-------+-------------+
| tree   | green | backyard    |
| lizard | green | living room |
+--------+-------+-------------+
2 rows in set (0.00 sec)

MySQL automatically combines the two tables and produces output based on the criteria you specify. The final output in this example includes the name, color, and location of the objects, even though each table has just two of those three values.

A second way to combine data from multiple tables is to use JOIN. This approach is very similar to the preceding one, but you specify one table using FROM and the other using JOIN:

mysql> SELECT objects.name, objects.color, locations.location
    -> FROM objects
    -> JOIN locations
    -> WHERE objects.name=locations.name AND objects.color='green';

Combining data enables you to simplify the structure of your database in certain situations. The examples used here illustrate this fact, albeit with very small data sets. The data in the objects table describes objects generically, whereas the data in the locations table describes objects specifically. A retail business might use similar tables to describe its inventory—something analogous to the objects table can hold descriptions of products, whereas something like the locations table can specify where each box holding a particular product is shelved, perhaps even across multiple warehouses or stores. This design enables each table to be relatively small. If all the data were stored in a single table, that table would require multiple entries for each item, duplicating a lot of data. By splitting the data across tables, each table can be much smaller, thus reducing storage space.

A retrieval command that requires special mention is GROUP BY. This command is used in conjunction with mathematical operators, such as SUM(), to restrict the operation of the operator to the specified columns. For instance, suppose you want to know the total value of all the objects in the database, grouped by object type. You can do so as follows, combining data from both tables:

mysql> SELECT objects.name, objects.value, SUM(value)
    -> FROM objects, locations
    -> WHERE locations.name=objects.name
    -> GROUP BY value;

The result is a summary of the values of all the objects by type. Omitting the GROUP BY clause produces an error message in MySQL.

Deleting Data

Sometimes your data need to be deleted. Table 9.4 suggests that the tree in the backyard is ill—its condition rating is just 2 on a 10-point scale. Perhaps you’ll decide to cut it down and therefore remove it from the locations database. To do so, you’ll use the DELETE command, which takes the following form:

DELETE FROM table WHERE conditions

For instance, to delete that now-removed tree, you can type the following command:

mysql> DELETE FROM locations
    -> WHERE name='tree' AND location='backyard';
Query OK, 1 row affected (0.05 sec)

In this specific case, the WHERE condition is more detailed than it needs to be, because the backyard tree is the only one in the table. As usual when deleting any sort of data on a computer, though, it’s better to be overly cautious than sloppy.

Before deleting data, try using SELECT to see what data your WHERE conditions match. Doing this will help you prevent accidentally deleting too much data.

You can delete all the data from a table by using a variant of the DELETE command: DELETE FROM locations;. This command deletes all the table’s data without deleting the table itself. This may be useful if the table is hopelessly messed up from experimentation. An even more drastic deletion operation is DROP: DROP TABLE locations;. This example completely eliminates the locations table. Naturally, this is an extremely dangerous command, but you may want to use it when cleaning up your own SQL practice session.
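
The SELECT-before-DELETE habit recommended above, as an added example that is not from the book. It uses Python’s sqlite3 module (SQLite rather than MySQL) and a constructed locations table that, unlike the one described in the text, holds a second tree, so the looser condition matches more than intended; preview and guarded_delete are hypothetical helper names.

```python
"""Preview a WHERE condition with SELECT before running the matching DELETE."""
import sqlite3

# Constructed rows: (id, name, location, cond). The first two follow the text;
# the rest, including the second tree, are made up for this example.
ROWS = [
    (1, "banana", "kitchen", 9),
    (2, "tree", "backyard", 2),
    (3, "lizard", "living room", 8),
    (4, "pillow", "bedroom", 6),
    (5, "tree", "front yard", 7),
]


def make_db():
    """Build the locations table in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE locations (id INTEGER, name VARCHAR(30), "
                 "location VARCHAR(30), cond INTEGER)")
    conn.executemany("INSERT INTO locations VALUES (?, ?, ?, ?)", ROWS)
    conn.commit()
    return conn


def preview(conn, where_sql, params=()):
    """Return the rows a DELETE with this WHERE clause would remove.

    where_sql is written by the operator, never built from outside input;
    the values it compares against are bound through params.
    """
    sql = "SELECT * FROM locations WHERE " + where_sql + " ORDER BY id"
    return conn.execute(sql, params).fetchall()


def guarded_delete(conn, where_sql, params, expected):
    """Delete only if the preview matches exactly `expected` rows.

    Returns (rows deleted, rows the condition matched). When the count is
    not what the operator expected, nothing is deleted.
    """
    matched = preview(conn, where_sql, params)
    if len(matched) != expected:
        return 0, matched
    with conn:  # one transaction: commit on success, roll back on exception
        cur = conn.execute("DELETE FROM locations WHERE " + where_sql, params)
        if cur.rowcount != expected:
            raise RuntimeError("row count changed between preview and delete")
    return cur.rowcount, matched


if __name__ == "__main__":
    db = make_db()
    # Too loose: matches both trees, so the delete is refused.
    print(guarded_delete(db, "name = ?", ("tree",), expected=1))
    # Specific enough: matches only the backyard tree.
    print(guarded_delete(db, "name = ? AND location = ?", ("tree", "backyard"), expected=1))
```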

Learning More About SQL

SQL is a very complex topic, and this chapter can only scratch the surface. For more information, you should read more from various sources. Your own SQL package’s documentation can be a good starting point, particularly if you need to use features that are unique to your implementation. Books on SQL, such as Alan Beaulieu’s Learning SQL, 2nd Edition (O’Reilly, 2009) and Alex Kriegel’s SQL Bible (Wiley, 2008), are also worth reading if you need to do more than trivial SQL work.

Summary

Serious Linux administrators must have at least a basic understanding of shell scripts. Many configuration and startup files are in fact shell scripts, and being able to read them, and perhaps modify them, will help you administer your system. Being able to create new shell scripts is also important, because doing so will help you simplify tedious tasks and create site-specific tools by gluing together multiple programs to accomplish your goals. Email server administration is another task with which you must have at least a passing familiarity. Although most Linux systems don’t operate as email servers in the sense of computers whose primary duty is to handle email, most Linux installations do include email servers for processing locally generated email and sometimes to send email to outside systems or even to receive email for local users. You can configure email forwarding and perform a few other tweaks without delving too heavily into email server configuration.

The final topic of this chapter, SQL use, will help you manage simple databases stored using the SQL language. Many programs rely on SQL for their operation, so being able to perform simple SQL queries will help you work with these programs. You may even decide to set up databases to help manage your own tasks, such as tracking where you keep things in your office or home.

Exam Essentials

Explain the function of environment variables. Environment variables are used to store information on the system for the benefit of running programs. Examples include the PATH environment variable, which holds the locations of executable programs, and HOSTNAME, which holds the system’s hostname.

Describe how a shell script can be useful. A shell script combines several commands, possibly including conditional expressions, variables, and other programming features, to make the script respond dynamically to a system. Therefore, a shell script can reduce administrative effort by performing a series of repetitive tasks at one command.

Describe the purpose of shell aliases. Aliases enable you to create a command “shortcut”—a simple command that can stand in for a different or longer command. Aliases are typically defined in shell startup scripts as a way to create a shortened version of a command, to have useful options for a command be used as new defaults, or to create an easier-to-remember version of a command.

Summarize the major SMTP servers for Linux. Sendmail was the most common SMTP server a decade ago and is still very popular today. Postfix and Exim are often supplied as the default mail servers on modern distributions, whereas qmail is sometimes installed by administrators but isn’t the default for any major distribution. Postfix and qmail use modular designs, whereas sendmail and Exim are monolithic.

Explain the difference between an email alias and email forwarding. An email alias is configured systemwide, typically in /etc/aliases. It can set up forwarding for any local address, even if that address doesn’t correspond to a real account; and if the system is properly configured, only root may edit /etc/aliases and therefore modify aliases. Email forwarding, on the other hand, is handled by the ~/.forward file in a user’s home directory; it’s intended as a means for users to control their own email forwarding without bothering the system administrator.

Summarize the structure of a SQL database. Each SQL installation consists of a number of named databases, each of which in turn may contain multiple tables. Each table can be thought of as a two-dimensional array of data. Each row in a table describes some object or concept (inventory items, employees, movies in a personal DVD collection, and so on), and each column in a table holds data about these objects or concepts (model number, salary, or director, for example).

Describe the commands used to enter data in a SQL database. The INSERT command inserts a single entry into a database. It requires a table name and a set of values, as in INSERT INTO movies VALUES ('Brazil', 'Terry Gilliam', 1985);. The UPDATE command can be used in a similar way to update an existing entry, but you must use SET to specify the column to set and WHERE to identify the row or rows to be modified.

Explain the commands used to extract data from a SQL database. The SELECT command retrieves data from a SQL database. It can be used with a variety of additional options, such as FROM, JOIN, and WHERE, to identify the table or tables from which data should be retrieved and to locate specific values of interest.

Review Questions

1. Where is the best location for the current directory indicator (.) to reside in root’s PATH environment variable?
A. Before all other directories
B. After all other directories
C. At any location except the last one
D. Wherever is convenient
E. Nowhere; it shouldn’t be in root’s path

2. You want to create a shortcut for the command cd ~/papers/trade. Which of the following lines, if entered in a bash startup script, will accomplish this goal?
A. alias cdpt='cd ~/papers/trade'
B. export cdpt='cd ~/papers/trade'
C. cd ~/papers/trade
D. shortcut cdpt "cd ~/papers/trade"
E. env cdpt `cd ~/papers/trade`

3. What is the purpose of the EDITOR environment variable?
A. Set to Y (the default), the shell environment permits editing of commands; set to N, such editing is disallowed.
B. It specifies the filename of the text editor that bash uses by default while you’re entering commands at its prompt.
C. If you type edit filename at a command prompt, the program specified by EDITOR will be launched.
D. Set to GUI, programs call a GUI editor; set to TEXT, programs call a text-based editor.
E. Some programs refer to EDITOR to determine what external editor to launch when they need to launch one.

4. In what environment variable is the current working directory stored?
A. PATH
B. CWD
C. PWD
D. PRESENT
E. WORKING

5. Which of the following commands, if typed in a bash shell, will create an environment variable called MYVAR with the contents mystuff that will be accessible to subsequently launched programs?
A. export MYVAR='mystuff'
B. MYVAR='mystuff'
C. $MYVAR==mystuff
D. echo $MYVAR mystuff
E. setenv MYVAR mystuff

6. What file might a user modify to alter his or her own bash environment?
A. ~/.startup
B. /etc/bashrc
C. /home/.bashrc
D. /home/profilerc
E. ~/.bashrc

7. What commands might you use (along with appropriate options) to learn the value of a specific environment variable? (Select two.)
A. env
B. DISPLAY
C. export
D. echo
E. cat

8. After using a text editor to create a shell script, what step should you take before trying to use the script?
A. Set the SUID bit using chmod.
B. Copy the script to the /usr/bin/scripts directory.
C. Compile the script by typing bash scriptname, where scriptname is the script’s name.
D. Run a virus checker on the script to be sure it contains no viruses.
E. Set one or more executable bits using chmod.

9. Describe the effect of the following short script, cp1, if it’s called as cp1 big.c big.cc:

#!/bin/bash
cp $2 $1

A. It has the same effect as the cp command—copying the contents of big.c to big.cc.
B. It compiles the C program big.c and calls the result big.cc.
C. It copies the contents of big.cc to big.c, eliminating the old big.c.
D. It converts the C program big.c into a C++ program called big.cc.
E. It interprets the big.c and big.cc files as bash scripts.

10. What is the purpose of conditional expressions in shell scripts?
A. They prevent scripts from executing if license conditions aren’t met.
B. They display information about the script’s computer environment.
C. They enable the script to take different actions in response to variable data.
D. They enable scripts to learn in a manner reminiscent of Pavlovian conditioning.
E. They improve code quality by improving its readability.

11. Which of the following lines identify valid shell scripts on a normally configured system? (Select two.)
A. #!/bin/script
B. #!/bin/bash
C. !#/bin/tcsh
D. #!/bin/sh
E. !#/bin/zsh

12. Which of the following are valid looping statements in bash shell scripting? (Select three.)
A. for
B. while
C. goto
D. until
E. case
13. Your SMTP email server, mail.luna.edu, receives a message addressed [email protected]. There is no postmaster account on this computer. Assuming thesystemisproperlyconfigured,howshouldtheemailserverrespond?
A.Acceptthemessage,butdosoveryslowlysoastotieupthesender ’sresources.
B.Bouncethemessagesothatthesenderknowstheaccountdoesn’texist.C.Holdthemessageinthelocalmailqueueuntilthepostmasteraccountiscreated.D.Deletethemessagewithoutbouncingitsoastoreduceemailclutter.E.Delivertheemailtoanotheraccount,eitherlocallyoronanothercomputer.
14.WhichofthefollowingisnotapopularSMTPserverforLinux?A.PostfixB.SendmailC.FetchmailD.EximE.qmail
15.Youseethefollowinglineinascript:mail-s"Error"-cabort</tmp/msgroot
Whatistheeffectofthisline,ifandwhenitexecutes?A. An email is sent to the user Error, the script is aborted using root privileges, and errormessagesarewrittento/tmp/msg.B.AnemailwiththesubjectofErrorandthecontentsfrom/tmp/msgissenttothelocalusersrootandabort.C.AnemailwiththesubjectofErrorandthecontentsof/tmp/msgissenttothelocaluserroot,andthenthescriptisaborted.D.AnemailissentwithErrorprioritytothelocaluserroot,andtheemailsystemisthenshutdownwitherrormessagesbeingstoredin/tmp/msg.E.AnemailwiththesubjectofErrorandcontentsof/tmp/msgissenttoroot,andinformationonthisisloggedwithpriorityabort.
16. Your Internet connection has gone down for several hours. What is true of email sent by your users to off-site recipients via a properly configured local SMTP server?
A. The SMTP server will refuse to accept email from local clients during the outage.
B. Email will be neither delayed nor lost.
C. All email sent during the outage will be lost.
D. Email will be delayed by a few hours but not lost.
E. Recipients will have to retrieve the mail via POP or IMAP.
17. You examine your /etc/aliases file and find it contains the following line:
root: jody
What can you conclude from this?
A. Email addressed to jody on this system will be sent to the local user root.
B. Email addressed to root on this system will be sent to the local user jody.
C. The local user jody has broken into the system and acquired root privileges.
D. The local user jody has permission to read email directly from root’s mail queue.
E. The administrator may log in using either username: root or jody.
18. You’ve just installed MySQL and run it by typing mysql. How would you create a database called fish to store data on different varieties of fish?
A. Type NEW DATABASE fish; at the mysql> prompt.
B. Type CREATE DATABASE fish; at the mysql> prompt.
C. Type NEW DATABASE FISH; at the mysql> prompt.
D. Type DATABASE CREATE fish; at the mysql> prompt.
E. Type DB CREATE fish; at the mysql> prompt.
19. Which of the following are true statements about SQL tables? (Select two.)
A. Multiple tables may exist in a single SQL database.
B. Tables may be combined for cross-table searches using the DROP command.
C. Tables consist of rows, each of which holds attributes, and columns, each of which defines a specific database item.
D. Careful table design can reduce the amount of data entry and database storage size.
E. Tables are stored on disk using a lossy compression algorithm.
20. What is the effect of the following SQL command, assuming the various names and data exist?
mysql> UPDATE stars SET magnitude=2.25 WHERE starname='Mintaka';
A. It returns database entries from the stars table for all stars with magnitude of 2.25 and starname of Mintaka.
B. It sets the value of the stars field in the magnitude set to Mintaka, using a precision of 2.25.
C. It sets the value of the magnitude field to 2.25 for any item in the stars table with the starname of Mintaka.
D. It combines the stars and magnitude=2.25 tables, returning all items for which starname is Mintaka.
E. It updates the stars database, creating a new entry with a starname of Mintaka and a magnitude of 2.25.
Chapter 10
Securing Your System
THE FOLLOWING EXAM OBJECTIVES ARE COVERED IN THIS CHAPTER:
1.110.1 Perform security administration tasks
1.110.2 Set up host security
1.110.3 Securing data with encryption
Chances are, you take basic security measures in your daily life—locking the door to your house, avoiding unsafe neighborhoods, keeping valuables out of sight in your car, and so on. Such measures can minimize the risk of a theft or even personal injury, and similar measures on a computer can help protect the computer from compromise. This chapter covers several security issues: restricting access to the computer by port number, managing the security of individual programs, managing passwords, setting miscellaneous account security options, and using encryption to secure data. Understanding these basics will help you begin to secure your computer.
There is no such thing as a 100 percent secure computer. You can take steps to improve security, but no one step or set of steps will absolutely guarantee that you’ll have no problems. You must decide for yourself (or the organization for which you work must decide) just how much effort to put into securing your systems and live with the level of threat that remains. This chapter’s security information can help you start securing your computer; but if you need more than very basic security, you’ll have to learn and do more than I can describe here.
Administering Network Security
Linux systems are often used as server computers, or at least they’re connected to the Internet more or less directly. On such systems, network security is particularly important, because incorrectly configured servers can provide miscreants with a way into your computer to do whatever damage they like. Several methods of protecting networked computers from unwanted outside access exist. Some of the simplest of these methods involve shutting down or restricting access to network servers by controlling the network ports they use. (Network ports are described in Chapter 8, “Configuring Basic Networking.”) You can check for existing network connections, check for open ports (that is, ports that are in use by a server program), use super server restrictions to limit access, and disable servers you’re not using.
The popular media uses the term hacker to refer to computer criminals. This word has an older meaning, though: It refers to individuals who are skilled with computers (and particularly with programming), who enjoy these activities, and who use their skills to productive and legal ends. Many Linux programmers consider themselves hackers in this positive sense. Therefore, I use another term, cracker, to refer to computer criminals.
Using Super Server Restrictions
Many network server programs open network ports and listen for connections directly. Some programs, though, work through an intermediary: a super server. This is a program that listens for network connections on behalf of another program and then, when a connection is initiated, hands off control of that connection to the intended server. This activity may sound like pointless complication, but it actually has several advantages over a more direct connection. For instance, using a super server can reduce memory load if the super server handles several servers that are seldom used—most of the time, only the super server and perhaps one or two of the servers it handles will be in memory. Another advantage is security: You can employ security checks in the super server to protect all the servers that the super server manages. In the following pages, I describe the basics of configuring Linux’s two major super servers, inetd and xinetd, with particular emphasis on their security features. In the case of inetd, security is handled by a package called TCP Wrappers. xinetd’s security features are built into xinetd itself, by contrast.
Whenever possible, apply redundant access controls. For instance, you can use both a server’s own security features and TCP Wrappers or xinetd to block unwanted access. Doing this helps protect against bugs and misconfiguration—if a problem emerges in the super server configuration, for instance, the secondary block will probably halt the intruder. If you configure the system carefully, such an access will also leave a log file message that you’ll see, so you’ll be alerted to the fact that the super server didn’t do its job.
Configuring inetd
The inetd package was once the standard super server in Linux, and it’s still used on some systems. Over the past decade, though, xinetd has gained substantial ground, so your system may use xinetd instead. Type ps ax | grep inetd to see which super server is running on your system—the output should include a line with either the inetd or xinetd command. Some systems run neither super server, though. If your system has inetd installed, the next few pages cover it.
Setting Up inetd
You control servers that launch via inetd through the /etc/inetd.conf file or files in /etc/inetd.d. The /etc/inetd.conf file consists of a series of lines, one for each server. A typical line resembles the following:
ftp stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.ftpd -l
This and several subsequent examples refer to in.ftpd, an FTP server that was once quite popular but that’s been replaced on many systems by other FTP servers. Some of these servers cannot be run from a super server.
Instead of using a single monolithic /etc/inetd.conf file, recent versions of inetd enable you to split the configuration into several files in the /etc/inetd.d directory. Doing so enables you to easily add or delete server configurations by adding or deleting their configuration files. For brevity, the following paragraphs refer only to /etc/inetd.conf, but the description applies to files in /etc/inetd.d, as well.
Each line in /etc/inetd.conf consists of several fields separated by one or more spaces. The meanings of these fields are as follows:
Service Name
The first field (ftp in the preceding example) is the name of the service as it appears in the /etc/services file.
Socket Type
The socket type entry tells the system what type of connection to expect—a reliable two-way connection (stream), a less reliable connection with less overhead (dgram), a low-level connection to the network (raw), or various others. The differences between these types are highly technical; your main concern in editing this entry should be to correctly type the value specified by the server’s documentation.
Protocol
This is the TCP/IP transport-layer protocol used, usually tcp or udp.
Wait/No Wait
For dgram socket types, this entry specifies whether the server connects to its client and frees the socket (nowait) or processes all its packets and then times out (wait). Servers that use other socket types should specify nowait in this field.
User
This is the username used to run the server. The root and nobody users are common choices, but others are possible as well. As a general rule, you should run servers with a low-privilege user whenever possible as a security precaution. Some servers require root access, though. Consult the server’s documentation for details.
Server Name
This is the filename of the server. In the preceding example, the server is specified as /usr/sbin/tcpd, which is the TCP Wrappers binary. As described shortly in “Controlling Access via TCP Wrappers,” this program is an important security tool and should usually be included as the means of launching programs via inetd.
Parameters
Everything after the server name consists of parameters that are passed to the server. If you use TCP Wrappers, you pass the name of the true target server (such as /usr/sbin/in.ftpd) in this field, along with its parameters.
The hash mark (#) is a comment symbol for /etc/inetd.conf. Therefore, if a server is running via inetd and you want to disable it, you can place a hash mark at the start of the line. If you want to add a server to inetd.conf, you need to create an entry for it. Most servers that can be run from inetd include sample entries in their documentation. Many distributions ship with inetd.conf files that include entries for common servers as well, although many of them are commented out; remove the hash mark at the start of the line to activate the server.
After modifying inetd.conf, you must restart the inetd super server. You can generally restart it by using your startup script system, as described in Chapter 5, “Booting Linux and Editing Files.” On most computers, typing something similar to the following should work:
# /etc/init.d/inetd restart
Alternatively, you can tell inetd to reload its configuration by using a reload parameter rather than restart. The restart option shuts down the server and then starts it again. When you use reload, the server never stops running; it just rereads the configuration file and implements any changes. As a practical matter, the two are similar. Using restart is more likely to correctly implement changes, but it’s also more likely to disrupt existing connections.
Instead of using the SysV startup scripts, you can use kill or killall (described in Chapter 2, “Managing Software”) to pass the SIGHUP signal to inetd. This signal causes many servers, including inetd, to reload their configuration files. For instance, you can type kill -HUP pid if you know the process ID (PID) of inetd, or you can type killall -HUP inetd to have all instances of inetd reload their configuration files. (Ordinarily, only one instance of inetd runs on a system.) In practice, this should work very much like the reload option to the SysV startup script—in fact, such scripts often use this technique to implement this option.
It’s generally wise to disable as many servers as possible in inetd.conf (or the xinetd configuration files, if you use xinetd). As a general rule, if you don’t understand what a server does, disable it. This will improve the security of your system by eliminating potentially buggy or misconfigured servers from the equation.
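
The following script is an added example, not part of the book's text. It reads inetd.conf-style lines using the field layout described above and reports active entries that are not launched through /usr/sbin/tcpd or that run as root; the sample configuration and the function names are constructed for illustration.

```shell
#!/bin/sh
# Audit inetd.conf-style lines read from standard input.
# Field order: service, socket type, protocol, wait/nowait, user, server, parameters.
# Prints one finding per line in the form "<service>: <finding>".
audit_inetd_conf() {
    awk '
        # Lines starting with a hash mark are disabled entries or comments.
        /^[ \t]*#/ || NF == 0 { next }
        NF < 6 { print $1 ": malformed entry (fewer than 6 fields)"; next }
        {
            # The server field should be tcpd, with the real server as a parameter.
            if ($6 !~ /\/tcpd$/)
                print $1 ": not launched via tcpd (" $6 ")"
            else if (NF < 7)
                print $1 ": tcpd has no target server"
            # Root is sometimes required, so this is a prompt to review, not an error.
            if ($5 == "root")
                print $1 ": runs as root"
        }
    '
}

# Constructed sample configuration (not taken from a real system).
sample_inetd_conf() {
    cat <<'EOF'
# /etc/inetd.conf (constructed sample)
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd      /usr/sbin/in.ftpd -l
#telnet stream  tcp  nowait  root    /usr/sbin/tcpd      /usr/sbin/in.telnetd
tftp    dgram   udp  wait    nobody  /usr/sbin/in.tftpd  in.tftpd /srv/tftp
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd      /usr/sbin/in.fingerd
EOF
}

sample_inetd_conf | audit_inetd_conf
```

On a real system, feed the function the live file instead of the sample, for instance audit_inetd_conf < /etc/inetd.conf.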
Controlling Access via TCP Wrappers
The TCP Wrappers package provides a program known as tcpd. Instead of having inetd call a server directly, inetd calls tcpd, which does two things: It checks whether a client is authorized to access the server, and if the client has this authorization, tcpd calls the server program.
TCP Wrappers is configured through two files: /etc/hosts.allow and /etc/hosts.deny. The first of these specifies computers that are allowed access to the system in a particular way, the implication being that systems not listed are not permitted access. By contrast, hosts.deny lists computers that are not allowed access; all others are granted access to the system. If a computer is listed in both files, hosts.allow takes precedence.
Both files use the same basic format. The files consist of lines of the following form:
daemon-list : client-list
The daemon-list is a list of servers, using the names for the servers that appear in /etc/services. Wildcards are also available, such as ALL for all servers.
The client-list is a list of computers to be granted or denied access to the specified daemons. You can specify computers by name or by IP address, and you can specify a network by using a leading or trailing dot (.) when identifying networks by name or IP address block, respectively. For instance, .luna.edu blocks all computers in the luna.edu domain, and 192.168.7. blocks all computers in the 192.168.7.0/24 network. You can also use wildcards in the client-list, such as ALL (all computers). EXCEPT creates an exception. For instance, when placed in hosts.deny, 192.168.7. EXCEPT 192.168.7.105 blocks all computers in the 192.168.7.0/24 network except for 192.168.7.105.
The man pages for hosts.allow and hosts.deny (they’re actually the same document) provide additional information about more advanced features. You should consult them as you build TCP Wrappers rules.
Remember that not all servers are protected by TCP Wrappers. Normally, only those servers that inetd runs via tcpd are so protected. Such servers often include, but are not limited to, Telnet, FTP, TFTP, rlogin, finger, POP, and IMAP servers. A few servers can independently parse the TCP Wrappers configuration files, though; consult the server’s documentation if in doubt.
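
The following script is an added example, not part of the book's text and not the TCP Wrappers code itself. It models the decision order described above (hosts.allow first, then hosts.deny, otherwise access is granted) for the client patterns the text covers: exact names or addresses, ALL, a leading-dot domain, a trailing-dot address block, and a single EXCEPT. The rule contents, daemon names, and function names are constructed assumptions.

```shell
#!/bin/sh
# Constructed sample rule files (assumptions, not taken from a real host).
HOSTS_ALLOW='# hosts.allow (constructed sample)
in.ftpd: .luna.edu'
HOSTS_DENY='# hosts.deny (constructed sample)
ALL: 192.168.7. EXCEPT 192.168.7.105
in.ftpd: ALL'

# match_one PATTERN NAME ADDRESS: succeed if one pattern matches the client.
match_one() {
    case $1 in
        ALL) return 0 ;;
        .*)  case $2 in *"$1") return 0 ;; esac ;;    # .luna.edu  -> name suffix
        *.)  case $3 in "$1"*) return 0 ;; esac ;;    # 192.168.7. -> address prefix
        *)   if [ "$1" = "$2" ] || [ "$1" = "$3" ]; then return 0; fi ;;
    esac
    return 1
}

# match_list LIST NAME ADDRESS: items before EXCEPT include, items after exclude.
match_list() {
    ml_in=0; ml_out=0; ml_except=0
    set -f                                  # no filename expansion while splitting
    for ml_tok in $(printf '%s' "$1" | tr ',' ' '); do
        if [ "$ml_tok" = EXCEPT ]; then ml_except=1; continue; fi
        if match_one "$ml_tok" "$2" "$3"; then
            if [ "$ml_except" -eq 0 ]; then ml_in=1; else ml_out=1; fi
        fi
    done
    set +f
    [ "$ml_in" -eq 1 ] && [ "$ml_out" -eq 0 ]
}

# rules_match RULES DAEMON NAME ADDRESS: succeed if any "daemon-list: client-list"
# line matches both the daemon and the client.
rules_match() {
    while IFS= read -r rm_line; do
        case $rm_line in
            ''|'#'*) continue ;;            # blank line or comment
            *:*)     ;;                     # a rule line
            *)       continue ;;
        esac
        rm_daemons=${rm_line%%:*}
        rm_clients=${rm_line#*:}
        if match_list "$rm_daemons" "$2" "$2" && match_list "$rm_clients" "$3" "$4"; then
            return 0
        fi
    done <<EOF
$1
EOF
    return 1
}

# tcpd_decision DAEMON NAME ADDRESS: print the outcome and which file decided it.
tcpd_decision() {
    if rules_match "$HOSTS_ALLOW" "$1" "$2" "$3"; then
        echo "granted (hosts.allow)"
    elif rules_match "$HOSTS_DENY" "$1" "$2" "$3"; then
        echo "denied (hosts.deny)"
    else
        echo "granted (no rule matched)"
    fi
}

tcpd_decision in.ftpd lab.luna.edu 192.168.7.20      # listed in both files
tcpd_decision in.ftpd host.example.com 203.0.113.9   # caught by "in.ftpd: ALL"
tcpd_decision sshd pc20.example.com 192.168.7.20     # inside the denied block
tcpd_decision sshd admin.example.com 192.168.7.105   # the EXCEPT exemption
tcpd_decision sshd host.example.com 203.0.113.9      # listed nowhere
```

The last two calls show why an unlisted client deserves attention: with these sample rules, any daemon other than in.ftpd is reachable from every address outside 192.168.7.0/24.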
Configuring xinetd
The xinetd program is an extended super server. It provides the functionality of inetd plus security options that are similar to those of TCP Wrappers. Modern versions of Fedora, Mandriva, Red Hat, SUSE, and a few other distributions use xinetd by default. Other distributions may use it in the future. If you like, you can replace inetd with xinetd on any distribution.
Setting Up xinetd
The /etc/xinetd.conf file controls xinetd. On distributions that use xinetd by default, this file contains only global default options and a directive to include files stored in /etc/xinetd.d. Each server that should run via xinetd then installs a file in /etc/xinetd.d with its own configuration options.
Whether the entry for a server goes in /etc/xinetd.conf or a file in /etc/xinetd.d, it contains information similar to that in the inetd.conf file. The xinetd configuration file, though, spreads the information across multiple lines and labels it more explicitly. Listing 10.1 shows an example that’s equivalent to the earlier inetd.conf entry from “Setting Up inetd.” This entry provides precisely the same information as the inetd.conf entry except that it doesn’t include a reference to /usr/sbin/tcpd, the TCP Wrappers binary. Because xinetd includes similar functionality, it’s generally not used with TCP Wrappers.
Listing 10.1: Sample xinetd configuration entry
service ftp
{
    socket_type = stream
    protocol    = tcp
    wait        = no
    user        = root
    server      = /usr/sbin/in.ftpd
    server_args = -l
}
One additional xinetd.conf parameter is commonly present: disable. If you include the line disable = yes in a service definition, xinetd ignores the entry. Some server packages install startup files in /etc/xinetd.d that have this option set by default; you must edit the file and change the entry to read disable = no to enable the server. You can also disable a set of servers by listing their names in the defaults section of the main xinetd.conf file on a line called disabled, as in disabled = ftp shell.
As with inetd, after you make changes to xinetd’s configuration, you must restart the super server. You do this by typing a command similar to the one used to restart inetd. As with that command, you can use either reload or restart, with similar effects:
# /etc/init.d/xinetd restart
Also as with inetd, you may pass the SIGHUP signal to xinetd via the kill or killall command to have it reload its configuration file. This approach may be preferable if you’re using a distribution that doesn’t use a conventional SysV startup script to launch xinetd.
Controlling Access via xinetd
Security is handled on a server-by-server basis through the use of configuration parameters in /etc/xinetd.conf or the server-specific configuration files. Some of these options are similar to the function of hosts.allow and hosts.deny:
Network Interface
The bind option tells xinetd to listen on only one network interface for the service. For instance, you can specify bind = 192.168.23.7 on a router to have it listen only on the Ethernet card associated with that address. This feature is extremely useful in routers, but it isn’t as useful in computers with just one network interface. You can, however, use this option to bind a server only to the loopback interface, 127.0.0.1, if a server should be available only locally. You might do this with a configuration tool like the Samba Web Administration Tool (SWAT). A synonym for this option is interface.
Allowed IP or Network Addresses
You can use the only_from option to specify IP addresses, networks (as in 192.168.78.0/24), or computer names on this line, separated by spaces. The result is that xinetd will accept connections only from these addresses, similar to TCP Wrappers’ hosts.allow entries.
Disallowed IP or Network Addresses
The no_access option is the opposite of only_from; you list computers or networks here that you want to blacklist. This is similar to the hosts.deny file of TCP Wrappers.
Access Times
The access_times option sets times during which users may access the server. The time range is specified in the form hour:min-hour:min, using a 24-hour clock. Note that this option affects only the times during which the server will respond. If the xinetd access_times option is set to 8:00-17:00 and somebody logs in at 4:59 p.m. (one minute before the end time), that user may continue using the system well beyond the 5:00 p.m. cutoff time.
You should enter these options into the files in /etc/xinetd.d that correspond to the servers you want to protect. Place the lines between the opening brace ({) and closing brace (}) for the service. If you want to restrict all your xinetd-controlled servers, you can place the entries in the defaults section in /etc/xinetd.conf.
Some servers provide access control mechanisms similar to those of TCP Wrappers or xinetd. For instance, Samba provides hosts allow and hosts deny options that work much like the TCP Wrappers file entries. These options are most common on servers that are awkward or impossible to run via inetd or xinetd.
Configuring a Firewall
Although the exam objectives don’t mention firewalls, you should be familiar with the concept. A firewall is a computer that restricts access to other computers or software that runs on a single computer to protect it alone. Broadly speaking, two types of firewalls exist: packet-filter firewalls, which work by blocking or permitting access based on low-level information in individual data packets (such as source and destination IP addresses and ports), and proxy filters, which partially process a transaction (such as a Web page retrieval) and block or deny access based on high-level features in this transaction (such as the filename of an image in the Web page).
In Linux, the kernel includes packet-filter firewall capabilities, which can be programmed via the iptables program. You can set up rules by typing iptables followed by various options that define specific restrictions, such as limits on the IP addresses that may access a specific network port. Creating an effective firewall requires learning iptables in detail and writing a script that calls this program repeatedly to set up specific rules.
Many distributions make things easier by providing a generic firewall script that you can configure using a GUI tool. These tools are generally designed for protecting a single computer against unwanted outside access. Check your distribution’s GUI system administration options for a firewall configuration tool. You may be able to set security based on a few levels (high, medium, and low security, for instance) or in a somewhat more refined manner.
Linux can also function as a firewall computer that protects an entire network; however, such a configuration is likely to require in-depth knowledge of iptables, as well as topics such as configuring Linux as a router.
Disabling Unused Servers
Quite a few server programs ship with most Linux distributions, which can be a great advantage—you don’t need to hunt for servers you want to run. On the other hand, this very advantage can be a drawback; if you’re not careful, you can end up running a server and not even realize it’s installed! For this reason, you should periodically search for servers and shut down any you find that aren’t really necessary. You must begin this task by locating unwanted servers. Several tools to do so exist, such as netstat, lsof, and remote network scanners. You can also search your local configuration files for clues about what may be running. Disabling unused servers can be done by uninstalling the package or by reconfiguring the server.
Using netstat
One way to begin diagnosing network security is to look for network activity or open ports on a computer. One tool that can help in this respect is netstat. This program is the Swiss Army knife of network status tools; it provides many different options and output formats to deliver information about routing tables, interface statistics, and so on. For spotting unnecessary servers, you can use netstat with its -a and -p options, as shown here:
# netstat -ap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 *:ftp                   *:*                     LISTEN      690/inetd
tcp        0      0 teela.rodsbooks.com:ssh nessus.rodsbooks.:39361 ESTABLISHED 787/sshd
I’ve trimmed most of the entries from this output to make it manageable as an example. Also, netstat can be run as an ordinary user, but it may not return as much information. Specifically, only root and a process’s owner see the PID and program name of a process.
This version of the netstat command shows active network connections, which can reveal the presence of servers that are running on your computer. The Local Address and Foreign Address columns specify the local and remote addresses, including both the hostname or IP address and the port number or associated name from /etc/services. The first of the two entries shown here isn’t actively connected, so the local address, the foreign address, and the port number are all listed as asterisks (*). This entry does specify the local port, though: ftp. This line indicates that a server is running on the ftp port (TCP port 21). The State column specifies that the server is listening for a connection. The final column in this output, under the PID/Program name heading, indicates that the process with a process ID (PID) of 690 is using this port. In this case, it’s inetd. In other words, this server is running and listening for connections, but nobody is currently connected to it.
The second output line indicates that a connection has been established between teela.rodsbooks.com and nessus.rodsbooks.com (the second hostname is truncated). The local system (teela) is using the ssh port (TCP port 22), and the client (nessus) is using port 39361 on the client system. The process that’s handling this connection on the local system is sshd, running as PID 787.
It may take some time to peruse the output of netstat, but doing so will leave you with a much-improved understanding of your computer’s network connections. If you spot servers listening for connections that you didn’t realize were active, you should investigate the matter further. Some servers may be innocent or even necessary. Others may be pointless security risks.
When you use the -p option to obtain the name and PID of the process using a port, the netstat output is wider than 80 columns. You may want to open an extra-wide terminal window to handle this output or redirect it to a file that you can study in a text editor capable of displaying more than 80 columns. To quickly spot servers listening for connections, type netstat -lp rather than netstat -ap. The result will show all servers that are listening for connections, omitting client connections and specific server instances that are already connected to clients.
Exercise 10.1 demonstrates the use of netstat to monitor network port use.
EXERCISE 10.1
Monitor Network Port Use
To get started with netstat, follow these steps:
1. Log into the Linux system as a normal user. (Acquiring root privileges will produce more complete output, as described earlier, but isn’t strictly necessary for this exercise.)
2. Launch a terminal from the desktop environment’s menu system if you used a GUI login method.
3. Type netstat -ap | less, and page through the output. Chances are, you’ll see quite a few entries for servers that are listening for connections and for established connections to local servers or from local clients to remote servers. Pay particular attention to servers that are listening for new connections—that is, those that list LISTEN in the State column of the output.
4. Type netstat -ap | grep ssh to find connections involving SSH. Depending on your configuration and the servers you have running, you may see no output or many lines of output.
5. In another login session or xterm window, initiate an SSH connection to another computer. For instance, type ssh remote.luna.edu to connect to remote.luna.edu.
6. Type netstat -ap | grep ssh in your original session (not in your SSH connection). Compare the output to that which you obtained in step 4. The output should have an additional line, reflecting the session you initiated in step 5.
7. Log out of the SSH session you initiated.
8. Type netstat -ap | grep ssh again. The output should be missing the line for the session you’ve now closed.
If you’re using a multi-user system, additional SSH sessions may come and go during the course of this exercise, reflecting the activities of other users.
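
The following script is an added example, not part of the book's text. It filters netstat -lp or netstat -ap output down to listening sockets whose service is not on a list of servers you expect to run; the approved list, the function names, and all sample rows other than the ftp row are constructed for illustration.

```shell
#!/bin/sh
# Report listening sockets from netstat -lp / -ap output (read on standard input)
# whose service name or port number is not in the approved list given as $1.
# Output: "<proto> <local address> <PID/program>" for each unexpected listener.
unexpected_listeners() {
    awk -v approved="$1" '
        BEGIN {
            n = split(approved, names, " ")
            for (i = 1; i <= n; i++) ok[names[i]] = 1
        }
        $1 ~ /^(tcp|udp)/ {
            if ($1 ~ /^tcp/) {
                if ($6 != "LISTEN") next       # skip established connections
                owner = $7
            } else {
                if ($6 == "ESTABLISHED") next  # connected UDP socket, not a server
                owner = $6                     # UDP rows have an empty State column
            }
            port = $4
            sub(/^.*:/, "", port)              # keep what follows the last colon
            if (!(port in ok)) print $1, $4, owner
        }
    '
}

# Constructed sample in the layout of the netstat output shown earlier.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 *:ftp                   *:*                     LISTEN      690/inetd
tcp        0      0 *:ssh                   *:*                     LISTEN      787/sshd
tcp        0      0 localhost:mysql         *:*                     LISTEN      1201/mysqld
tcp        0      0 teela.rodsbooks.com:ssh nessus.rodsbooks.:39361 ESTABLISHED 802/sshd
udp        0      0 *:tftp                  *:*                                 690/inetd
EOF
}

# Servers this (hypothetical) host is supposed to run.
sample_netstat | unexpected_listeners "ssh mysql"
```

Run as root against live output, for instance netstat -lp | unexpected_listeners "ssh", so that the PID/Program name column is filled in for every row.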
Using lsof
The lsof program nominally lists open files. It can be used to identify what files are open in a directory, find who’s accessing them, and so on. The definition of file used by lsof is broad, though; it includes network connections. Thus, you can use lsof instead of netstat for some tasks, including locating servers that are in use. In its most basic form in this role, you should pass the -i parameter to lsof:
# lsof -i
COMMAND  PID  USER        FD  TYPE  DEVICE   SIZE  NODE  NAME
ssh      2498 rodsmith    3u  IPv4  3292662        TCP   nessus.rodsbooks.com:53106->seeker.rodsbooks.com:ssh (ESTABLISHED)
exim4    4827 Debian-exim 5u  IPv4  3369596        TCP   *:smtp (LISTEN)
sshd     4997 root        3u  IPv4  13273          TCP   *:ssh (LISTEN)
As in the output of netstat shown earlier, this output is truncated for brevity’s sake. This example shows two types of connections. The first non-header line, which begins with ssh, shows an outgoing connection from nessus.rodsbooks.com (the system on which the command was typed) to the ssh port on seeker.rodsbooks.com. Such connections are identified by the existence of two hostnames in the NAME column and by the keyword ESTABLISHED in the same column. The next two lines, which begin with exim4 and sshd, show two servers that are listening for connections on the smtp and ssh ports, respectively. These lines are identified by the fact that the NAME column takes the form *:service (LISTEN), where service is the service name or port number. Other columns in the output reveal additional information, such as the PID and username associated with the port access.
If you type lsof -i as an ordinary user, you’ll see only your own network connections; thus, in order for this command to be a useful diagnostic for system security, you must run it as root.
You can restrict the output of lsof by including an address after the -i option. The address takes the following form:
[46][protocol][@hostname|hostaddr][:service|port]
The digit 4 or 6 represents an IPv4 or IPv6 connection, the protocol is the protocol type (TCP or UDP), the hostname or hostaddr is the computer hostname or IP address associated with the remote system, the service is a service name (from /etc/services), and the port is the port number. For instance, suppose you want to verify that no FTP server is running on a computer. You can search for any connections associated with the FTP port:
# lsof -i :ftp
Alternatively, you can replace ftp with 21, because 21 is the port number associated with the FTP port. (Table 8.2 in Chapter 8 summarizes the common network port numbers.) In either case, this command returns a list of all processes associated with FTP connections, both incoming and outgoing. If no such connections exist, the command returns no output; the system simply produces a new command prompt. Be sure to note which output lines are linked with server as opposed to client processes. Even if you’re not running an FTP server locally, the preceding command may produce dozens of lines of output if users on the computer are making use of FTP clients.
To perform a general audit of your system’s network connections, you should type lsof -i by itself, without restricting the output. You’ll probably want to pipe the output through less or use a terminal’s scroll buffer to review the output. Piping the output through grep to search for the string LISTEN can be a shortcut to find active servers:
# lsof -i | grep LISTEN
Paging through the raw output (without using grep to search for LISTEN) will provide you with a better idea of your system’s overall network use. You could conceivably spot something suspicious, such as an outgoing network connection to a sensitive computer that the client shouldn’t be contacting. This network activity may indicate active cracking attempts by a user of the client, intrusion by an outsider, or the work of an automated worm or Trojan horse program.
If you identify programs that shouldn’t be running, such as unnecessary servers, you can use the command name, PID, and other information to help shut them down. The preceding section “Disabling Unused Servers” describes how to do this in more detail.
Another use of lsof is in identifying who’s accessing files. This might be handy if you need to unmount a filesystem (including a network filesystem) but can’t because of in-use files or if you suspect inappropriate activities involving file access.
Using Remote Network Scanners
Network scanners, such as Nmap (http://www.insecure.org/nmap/) or Nessus (http://www.nessus.org), can scan for open ports on the local computer or on other computers. The more sophisticated scanners, including Nessus, check for known vulnerabilities, so they can tell you whether a server may be compromised should you decide to leave it running.
Network scanners are used by crackers to locate likely target systems, as well as by network administrators for legitimate purposes. Many organizations have policies forbidding the use of network scanners except under specific conditions. Therefore, you should check these policies and obtain explicit permission, signed and in writing, to perform a network scan. Failure to do so could cost you your job or even result in criminal charges, even if your intentions are honorable.
Nmap is capable of performing a basic check for open ports. Pass the -sT parameter and the name of the target system to it, as shown here:
$ nmap -sT seeker.rodsbooks.com
Starting Nmap 4.53 (http://insecure.org) at 2008-09-04 15:38 EDT
Interesting ports on seeker.rodsbooks.com (192.168.1.6):
Not shown: 1704 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
2049/tcp open  nfs
3306/tcp open  mysql
Nmap done: 1 IP address (1 host up) scanned in 0.100 seconds
As with the output of netstat and lsof shown earlier, this output has been trimmed for brevity’s sake.
This output shows four open ports: 22, 80, 2049, and 3306, used by ssh, http, nfs, and mysql, respectively. If you weren’t aware that these ports were active, you should log into the scanned system and investigate further, using netstat, lsof, or ps to locate the programs using these ports and, if desired, shut them down. The -sT option specifies a scan of TCP ports. A few servers, though, run on UDP ports, so you need to scan them by typing nmap -sU hostname. (This usage requires root privileges, unlike scanning TCP ports.)
Nmap is capable of more-sophisticated scans, including “stealth” scans that aren’t likely to be noticed by most types of firewalls, ping scans to detect which hosts are active, and more. The Nmap man page provides details. Nessus, which is built atop Nmap, provides a GUI and a means of performing automated and still-more-sophisticated tests. Nessus comes as separate client and server components; the client enables you to control the server, which does the actual work.
When you use a network scanner, you should consider the fact that the ports you see from your test system may not be the same as those that might be visible to an attacker. This issue is particularly important if you’re testing a system that resides behind a firewall from another system that’s behind the same firewall. Your test system is likely to reveal accessible ports that would not be accessible from the outside world. On the other hand, a cracker on your local network would most likely have access similar to your own, so you shouldn’t be complacent because you use a firewall. Nonetheless, firewalls can be important tools for hiding servers without shutting them down.
You can use a stand-alone Linux boot CD-ROM to perform security checks on a network. Tools intended for this purpose, such as BackTrack (http://www.backtrack-linux.org), provide easy access to Nmap and other network security tools, enabling quick checks of network security even if no computer on that network regularly runs Linux.
Examining Configuration Files
Most Linux server packages include configuration files. Thus, you may be able to spot installed but unwanted servers by looking for their configuration files. On most systems, two classes of files are important: those controlling startup scripts and those controlling your super server.
Startup scripts are described in Chapter 5, so review that chapter for details of how they’re managed. Generally speaking, you’ll look in /etc/rc?.d, /etc/init.d/rc?.d, or /etc/rc.d/rc?.d, where ? is your default runlevel number, for SysV startup scripts whose names take the form S##server, where ## is a number and server is the name of the server. If you find such a script for a server you know you don’t want to run, you should disable it using your SysV startup script editing tools, as described in Chapter 5. If your distribution uses Upstart or systemd, though, you’ll need to look elsewhere to find the relevant startup files.
Be aware that many startup scripts start entire subsystems that aren’t directly network-related. Thus, you’ll probably see startup scripts that you don’t recognize. You shouldn’t automatically disable these scripts, because they may be necessary even if you don’t recognize the name. If in doubt, leave it in place until you can research the matter further.
Try doing a Web search on the name of the startup script (minus the S and sequence number or other components unique to your startup system), possibly in conjunction with “Linux” or “startup script.” Chances are, you’ll find a helpful reference.
The other major configuration-file class you should examine is the super server configuration. Thus, you should check your inetd or xinetd configuration files for unwanted servers. Also, unlike system startup scripts, super servers launch network servers only, not non-network services. Therefore, you should take a more aggressive approach to disabling entries you don’t recognize from your super server configuration than you do with system startup scripts.
On computers using the SysV startup system, /etc/inittab deserves examination. This file, described in Chapter 5, controls some of the earliest stages of the startup process. Of greatest interest from a security point of view is the fact that older /etc/inittab installations started the processes used to accept text-mode logins, as well as similar processes used to accept logins via dial-up modems and RS-232 serial ports. These processes are called getty or some variant of this, such as mingetty. Ordinarily, a Linux machine must have at least one such process running, and it’s controlled via an /etc/inittab entry such as the following:
1:2345:respawn:/sbin/mingetty --noclear tty1
The first character of this line (1) specifies the virtual terminal (VT) it controls. Most Linux distributions include similar lines for the first six VTs, and there’s usually no need to adjust these lines. Lines that begin with S#, where # is a number, control login via RS-232 serial ports and modems:
S0:2345:respawn:/usr/sbin/mgetty -F -s 57600 /dev/ttyS0
If you want to use a modem with the computer but don’t want to enable remote logins via the modem, you should ensure that /etc/inittab does not have such lines.
Modern systems that lack /etc/inittab or have only very basic /etc/inittab files typically move these functions into other files, such as SysV startup scripts or files in /etc/init. You won’t ordinarily need to modify such configurations, but you may want to check to be sure your system isn’t listening for dial-up modem connections unnecessarily. Files called /etc/init/tty# (where # is a number) control local login access, whereas /etc/init/ttyS# files control RS-232 serial or modem access.
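
The two checks described above can be scripted. The following is an added example, not code from the book: the function names, the allowlist file, and the sample data used to exercise it are assumptions. It lists the servers started from a SysV runlevel directory that are not on a list you have already reviewed (candidates for research, not automatic removal) and reports /etc/inittab entries that accept logins on a serial port.

```shell
#!/bin/sh
# Added example: review SysV startup links and serial-login entries.

# startup_servers RCDIR
# Print the server name behind every S##server start script in RCDIR.
startup_servers() {
    for path in "$1"/S[0-9][0-9]*; do
        # An unmatched glob stays literal, so skip anything that is not there.
        [ -e "$path" ] || [ -L "$path" ] || continue
        name=${path##*/}              # drop the directory part
        echo "${name#S[0-9][0-9]}"    # drop the S and the sequence number
    done
}

# unexpected_servers RCDIR ALLOWLIST
# Print started servers that are missing from ALLOWLIST (one name per line).
# These are the names to research before deciding whether to disable them.
unexpected_servers() {
    startup_servers "$1" | while IFS= read -r name; do
        grep -qxF -- "$name" "$2" || echo "$name"
    done
}

# serial_logins INITTAB
# inittab fields are id:runlevels:action:process. Report active entries whose
# process is a getty variant attached to a ttyS (RS-232 or modem) device.
serial_logins() {
    awk -F: '
        /^[ \t]*#/ || NF < 4 { next }          # comments and malformed lines
        $4 ~ /getty/ && $4 ~ /ttyS[0-9]+/ {
            match($4, /ttyS[0-9]+/)
            printf "%s runlevels=%s device=%s\n", $1, $2, substr($4, RSTART, RLENGTH)
        }' "$1"
}

# Typical use on a SysV system whose default runlevel is 3:
#   unexpected_servers /etc/rc3.d /root/reviewed-servers.txt
#   serial_logins /etc/inittab
```
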
Uninstalling or Reconfiguring Servers
Once you’ve identified an unnecessary server, your task becomes one of shutting it down. Broadly speaking, two options exist:
You can disable the server by changing its startup script configuration or by disabling it in your system’s super server. Consult Chapter 5 and the preceding sections on inetd and xinetd for details on how to perform these tasks. Disabling the server in this way has the advantage that you can easily reactivate the server in the future if you decide to do so. It has the disadvantage that the server’s files will continue to consume disk space, and the server might be accidentally reactivated in the future.
You can completely uninstall the server using your distribution’s package management tools or by otherwise deleting its files. Chapter 2, “Managing Software,” describes this task. Completely uninstalling software has the advantage of reducing the risk of accidental reactivation, but it has the drawback that it will take more effort to reactivate the server should you decide to do so in the future.
Overall, completely removing the server is generally preferable unless you merely want to temporarily disable a server. If you decide to reactivate the server in the future, you can always re-install it.
Administering Local Security
Security isn’t limited to networking—local security issues can be as much of a threat as remote intruders. Thus, you should attend to some local security matters: securing passwords, limiting root access to the computer, setting user limits, and tracking down SUID/SGID files.
Securing Passwords
A default Linux configuration relies heavily on passwords. Users’ passwords are their keys into the system, and careless handling of passwords is much like careless handling of physical keys—security breaches can result. Understanding these risks is critical to maintaining system security, but this is one task for which you must enlist the help of your users; after all, they’re the ones who are in possession of their passwords! You should also be aware of some of the tools Linux provides to help keep passwords secure. (Most of the details concerning password-related commands are described in Chapter 7, “Administering the System.”)
Password Risks
Passwords can end up in crackers’ hands in various ways, and you must take steps to minimize these risks. Steps you can take to improve your system’s security include the following:
Use Strong Passwords: Users should employ good passwords, as described shortly in “Choosing a Good Password.” This practice won’t eliminate all risk, though.
Change Passwords Frequently: You can minimize the chance of damage due to a compromised password by changing passwords frequently. Some Linux tools can help to enforce such changes, as described briefly in “Tools for Managing Passwords” and in more detail in Chapter 7.
Use Shadow Passwords: If a cracker who’s broken into your system through an ordinary user account can read the password file or if one of your regular users is a cracker who has access to the password file, that individual can run any of several password-cracking programs on the file. For this reason, you should use shadow passwords stored in /etc/shadow whenever possible. All major Linux distributions use shadow passwords by default. If yours doesn’t, consult the upcoming section “Tools for Managing Passwords” for information about enabling this feature.
Keep Passwords Secret: You should remind your users not to reveal their passwords to others. Such trust is sometimes misplaced, and sometimes even a well-intentioned password recipient may slip up and let the password fall into the wrong hands. This can happen by writing the password down, storing it in electronic form, or sending it by email or other electronic means. Users shouldn’t email their own passwords even to themselves, because email can be intercepted.
Use Secure Remote Login Protocols: Certain remote login protocols are inherently insecure; all data traverse the network in an unencrypted form. Intervening computers can be configured to snatch passwords from such sessions. Because of this, it’s best to disable Telnet, FTP, and other protocols that use cleartext passwords in favor of protocols that encrypt passwords, such as SSH.
Be Alert to Shoulder Surfing: If your users log in using public terminals, as is common on college campuses, in Internet cafes, and the like, it’s possible that others will be able to watch them type their passwords—a practice sometimes called shoulder surfing. Users should be alert to this possibility and minimize such logins if possible.
Use Each Password on Just One System: If one computer’s password database is compromised and if users of that system reuse their passwords on other systems, those other systems can be compromised. For this reason, it’s best to use each password just once. Unfortunately, the proliferation of Web sites that require passwords for access makes this rule almost impossible to enforce, at least without violating the rule of not writing the password down. (Modern Web browsers can remember passwords for you, but this is done by storing them in a file—essentially, writing them down.) A reasonable compromise might be to use one password for the least-sensitive Web sites (such as online newspapers) and unique passwords for sensitive Web sites (such as banking sites) and login accounts.
Be Alert to Social Engineering: Crackers often use social engineering to obtain passwords. This practice involves tricking individuals into giving up their passwords by pretending to be a system administrator or by otherwise misleading victims. Amazingly, a large percentage of people fall for this ploy. A related practice is phishing, in which an attacker puts up a fake Web site or sends an email pretending to be from somebody else. The victim is then lured into revealing sensitive data (such as credit card numbers).
Some of these steps are things you can do, such as replacing insecure remote login protocols with encrypted ones. Others are things your users must do. This illustrates the importance of user education, particularly on systems with many users.
Choosing a Good Password
As a general rule, people tend to be lazy when it comes to security. In computer terms, this means users tend to pick passwords that are easy to guess, and they change those passwords infrequently. Both these conditions make a cracker’s life easier, particularly if the cracker knows the victim. Fortunately, Linux includes tools to help make your users select good passwords and change them regularly.
Poor but common passwords include those based on the following:
The names of family members, friends, and pets
Favorite books, movies, television shows, or the characters in any of these
Telephone numbers, street addresses, or Social Security numbers
Any other meaningful personal information
Any single word that’s found in a dictionary (in any language)
Any simple keyboard or alphanumeric combination, such as qwerty or 123456
The best possible passwords are random collections of letters, digits, and punctuation. Unfortunately, such passwords are difficult to remember. A reasonable compromise is to build a password in two steps:
1. Choose a base that’s easy to remember but difficult to guess.
2. Modify that base in ways that increase the difficulty of guessing the password.
One approach to building a base is to use two unrelated words, such as bun and pen. You can then merge these two words (bunpen). Another approach, and one that’s arguably better than the first, is to use the first letters of a phrase that’s meaningful to the user. For instance, the first letters of “yesterday I went to the dentist” become yiwttd. In both cases, the base should not be a word in any language. As a general rule, the longer the password, the better. Older versions of Linux could handle passwords of no more than eight characters, but those limits have been lifted by the use of the MD5 and SHA password hashes, which are the standard on modern Linux distributions. Many Linux systems require passwords to be at least four to six characters in length; the passwd utility won’t accept anything shorter than the distribution’s minimum.
With the base in hand, it’s time to modify it to create a password. The user should apply at least a couple of several possible modifications:
Adding Numbers or Punctuation: One important modification is to insert random numbers or punctuation in the base. This step might yield, for instance, bu3npe&n or y#i9wttd. As a general rule, add at least two symbols or numbers.
Mixing Case: Linux uses case-sensitive passwords, so jumbling the case of letters can improve security. Applying this rule might produce Bu3nPE&n and y#i9WttD, for instance.
Reversing Order: A change that’s very weak by itself but that can add somewhat to security when used in conjunction with the others is to reverse the order of some or all letters. You might apply this to just one word of a two-word base. This could yield Bu3nn&EP and DttW9i#y, for instance.
Growing the Haystack: A would-be intruder’s task of discovering a password has been likened to finding a needle in a haystack. One way to make this task harder is to increase the size of the haystack. In password terms, this means making a password longer. You can do this by using longer words or phrases, of course, but this can make a password harder to remember and type. Even a size increase that simply repeats a single character can be helpful. Thus, you might turn the passwords into Bu3nn&EPiiiiiiiiii or Dtt:::::::::::W9i#y.
Your best tool for getting users to pick good passwords is to educate them. Tell them that passwords can be guessed by malicious individuals who know them or even who target them and look up personal information in telephone books, on Web pages, and so on. Tell them that, although Linux encrypts its passwords internally, programs exist that feed entire dictionaries through Linux’s password encryption algorithms for comparison to encrypted passwords. If a match is found, the cracker has found the password. Therefore, using a password that’s not in a dictionary, and that isn’t a simple variant of a dictionary word, improves security substantially. Tell your users that their accounts might be used as a first step toward compromising the entire computer or as a launching point for attacks on other computers. Explain to your users that they should never reveal their passwords to others, even people claiming to be system administrators—this is a common scam, but real system administrators don’t need users’ passwords. You should also warn them not to use the same password on multiple systems because doing so quickly turns a compromised account on one system into a compromised account on all the systems. Telling your users these things will help them understand the reasons for your concern, and it’s likely to help motivate at least some of them to pick good passwords.
If your users are unconcerned after being told these things (and in any large installation, some will be), you’ll have to rely on the checks possible in passwd. Most distributions’ implementations of this utility require a minimum password length (typically four to eight characters). They also usually check the password against a dictionary, thus weeding out some of the absolute worst passwords. Some require that a password contain at least one or two digits or punctuation.
Password-cracking programs, such as John the Ripper (http://www.openwall.com/john/), are easy to obtain. You might consider running such programs on your own encrypted password database to spot poor passwords, and in fact, this is a good policy in many cases. It’s also grounds for dismissal in many organizations and can even result in criminal charges being brought, at least if done without authorization. If you want to weed out bad passwords this way, discuss the matter with your superiors and obtain written permission from a person with the authority to grant it before proceeding. Take extreme care with the files involved, too; it’s best to crack the passwords on a computer with no network connections.
Another password security issue is password changes. Frequently changing passwords minimizes the window of opportunity for crackers to do damage; if a cracker obtains a password but it changes before the cracker can use it (or before the cracker can do further damage using the compromised account), the password change has averted disaster. As described shortly, you can configure accounts to require periodic password changes. When so configured, an account will stop accepting logins after a time if the password isn’t changed periodically. (You can configure the system to warn users when this time is approaching.) This is a very good option to enable on sensitive systems or those with many users. Don’t set the expire time too low, though—if users have to change their passwords too frequently, they’ll probably just switch between a couple of passwords or pick poor ones. Precisely what “too low” a password change time is depends on the environment. For most systems, one to six months is probably a reasonable change time, but for some it may be longer or shorter.
Tools for Managing Passwords
Most Linux distributions use shadow passwords by default, and for the most part, this chapter is written with the assumption that this feature is active. In addition to providing extra security by moving hashed passwords out of the world-readable /etc/passwd file and into the more secure /etc/shadow file, shadow passwords add extra account information.
One of the advantages of shadow passwords is that they support password aging and account expiration features. These features enable you to enforce password changes at regular intervals or to automatically disable an account after a specified period of time. You can enable these features and set the times using the chage command, which is described in more detail in Chapter 7.
The usermod utility, described in Chapter 7, can be used to adjust some shadow password features, such as account expiration dates. The chage command is more thorough with respect to account security features, but usermod can adjust more non-security account features.
Limiting root Access
Because root can do anything on a Linux computer, access to that account must of course be limited. On a system with a single administrator, this can be accomplished by having the administrator set a unique root password that nobody else knows. This user can then log in directly as root or use su to acquire root privileges. The su command’s name stands for switch user, and it’s used to change a user’s apparent identity. Typing su alone results in a prompt for the root password. If the user types that password correctly, the session effectively becomes a root session. You can also type a username after su to acquire that user’s privileges. When root does so, no password is required. (This is sometimes handy for investigating problems reported by a single user.) To run a single program with root privileges, use -c to specify the program name, as in su -c "lsof -i" to run lsof -i as root.
Logging in directly as root is generally discouraged for several reasons: No record of who typed the password appears in log files; the root password can be intercepted in various ways; and if the user leaves the terminal, a passerby can hijack the computer. Using su is somewhat better than a direct login from a security point of view, because use of su generally leaves a trace in system logs of who became root.
A method of acquiring root access that is somewhat more secure than either direct logins or su is sudo. This program runs a single command as root; for instance, to run lsof -i as root, you type
$ sudo lsof -i
[sudo] password for georgia:
In this example, the computer prompts for the user’s (georgia’s) password, not for the root password. The idea behind sudo is that you first configure the computer to accept certain users as sudo users. Those users may then use their own passwords to perform superuser tasks, even if those users don’t have the root password. (Some sudo configurations require users to enter the superuser’s password rather than their own password, though.) You can even fine-tune what tasks users may perform. This is done via the /etc/sudoers configuration file. You must edit this configuration file via visudo, which is a variant of Vi (described in Chapter 5) that’s used only to edit /etc/sudoers.
The /etc/sudoers file consists of two types of entries: aliases and user specifications. Aliases are basically variables; you can use them to define groups of commands, groups of users, and so on. User specifications link users to machines and commands (possibly using aliases for some or all options). Thus, you can configure sudoers such that georgia can run network programs with root privileges but not account maintenance tools, whereas george can run account maintenance tools but not network programs.
Your default /etc/sudoers file probably includes several examples. Consider the following lines:
## Storage
Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
## Processes
Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
%sys ALL = STORAGE, PROCESSES
%disk ALL = STORAGE
%wheel ALL=(ALL) ALL
This example defines two command aliases, STORAGE and PROCESSES, each of which stands in for a set of commands. Users who are members of the sys group may use both sets of commands; users who are members of the disk group may use the STORAGE commands but not the PROCESSES commands; and members of the wheel group may use all commands, whether or not they’re explicitly mentioned in /etc/sudoers.
Some distributions, such as Ubuntu, make heavy use of sudo; these distributions are designed to be administered exclusively via sudo, and they set up an /etc/sudoers file that provides at least one user with easy access to all system utilities. Other distributions don’t rely on sudo this way, although you can tweak your sudo configuration to enable administration via sudo if you like.
Setting Login, Process, and Memory Limits
Sometimes you may want to impose limits on how many times users may log in, how much CPU time they can consume, how much memory they can use, and so on. Imposing such limits is best done through a Pluggable Authentication Modules (PAM) module called pam_limits. Most major Linux distributions use this module as part of their standard PAM configuration, so chances are you won’t need to add it; however, you will still need to configure pam_limits. You do so by editing its configuration file, /etc/security/limits.conf. This file contains comments (denoted by a hash mark, #) and limit lines that consist of four fields:
domain type item value
Each of these fields specifies a particular type of information:
The Domain: The domain describes the entity to which the limit applies. It can be a username; a group name, which takes the form @groupname; or an asterisk (*) wildcard, which matches everybody.
Hard or Soft Limits: The type field specifies the limit as hard or soft. A hard limit is imposed by the system administrator and cannot be exceeded under any circumstances, whereas a soft limit may be temporarily exceeded by a user. You can also use a dash (-) to signify that a limit is both hard and soft.
The Limited Item: The item field specifies what type of item is being limited. Examples include core (the size of core files), data (the size of a program’s data area), fsize (the size of files created by the user), nofile (the number of open data files), rss (the resident set size), stack (the stack size), cpu (the CPU time of a single process in minutes), nproc (the number of concurrent processes), maxlogins (the number of simultaneous logins), and priority (the process priority). The data, rss, and stack items all relate to memory consumed by a program. These and other measures of data capacity are measured in kilobytes.
The Value: The final field specifies the value that’s to be applied to the limit.
As an example, consider a system on which certain users should be able to log in and perform a limited number of actions but not stay logged in indefinitely and consume vast amounts of CPU time. You can use a configuration like this one:
@limited hard cpu 2
This configuration applies a hard CPU limit of two minutes to the limited group. Members of this group can log in and run programs; but if one of those programs consumes more than two minutes of CPU time, it will be terminated.
CPU time and total system access time are two entirely different things. CPU time is calculated based on the amount of time the CPU is actively processing a user’s data. Idle time (for instance, when a user’s shell is active but no CPU-intensive tasks are running) doesn’t count. Thus, a user can log in and remain logged in for hours even with a very low hard CPU time limit. This limit is intended to prevent problems caused by users who run very CPU-intensive programs on systems that shouldn’t be used for such purposes.
Another way to set limits on system resource use is via the ulimit command. This command is a bash built-in command, so it affects only bash and programs launched from it. The ulimit syntax is as follows:
ulimit [options [limit]]
The options define what is being limited:
Core File Limits: The -c option limits the size of core dumps, which are files created for debugging purposes in certain types of program crashes.
File Limits: The -f option limits the size of files that may be created by the shell, and -n limits the number of open file descriptors. (Most systems don’t honor the -n limits, though.)
Process Limits: The -u option limits the number of processes a user may run, and -t limits the total CPU time in seconds.
Memory Limits: The -v option sets the total amount of virtual memory available to the shell, -s sets the maximum stack size, -m sets the maximum resident set size, -d limits programs’ data set size, and -l sets the maximum size that may be locked into memory.
Hard and Soft Limits: The -H and -S options modify other options, causing them to be set as hard or soft limits, respectively. Hard limits may not be subsequently increased, but soft limits may be. If neither option is provided, ulimit sets both the hard and soft limits for the feature specified.
Current Settings: Passing -a causes ulimit to report its current settings.
The limit is typically a numeric value associated with the limit. The ulimit command is often found in system or user bash startup scripts, typically as ulimit -c 0, in order to prevent creation of core files, which can sometimes clutter a filesystem. If your users perform software development, you may want to ensure that you do not set this limit, or at least set it as a soft limit (as in ulimit -Sc 0) so users may override it when necessary.
Because ulimit is a bash built-in command, its utility as a system security tool is limited. If users have access to GUI login tools or can log in to the system in any way that bypasses bash (such as via SSH, depending on how it’s configured), restrictions imposed by ulimit become meaningless. Thus, you should treat ulimit as a way to prevent problems because of accidental, rather than intentional, abuse of the system.
One particularly radical approach to security is to use the /etc/nologin file. If this file is present, only root may log into the computer. Other users are shown the contents of this file when they attempt to log in. In many respects, this is like setting critical system limits to 0 for all other users. This file is most likely to be useful on dedicated server systems that have no regular console or remote shell users.
Locating SUID/SGID Files
Chapter 4, “Managing Files,” describes the SUID and SGID bits. In brief, these are special flags that may be applied to executable program files, causing Linux to treat the program as if it were run by the program file’s owner (for SUID) or by the file’s group (for SGID) rather than by the individual who actually ran the program. For instance, if a program’s SUID bit is set and if the program file is owned by bruce, the program, when run by anybody, will be able to access all the files owned by bruce and otherwise behave as if bruce had run it.
The SUID and SGID bits are frequently associated with the root account in order to enable them to perform tasks that require special privilege. For instance, the passwd program (described in Chapter 7) is SUID root because only root may modify the Linux password database. Thus, for an ordinary user to change a password, some mechanism must exist to run a process as root. That mechanism, in the case of passwd, is the SUID bit.
The problem with all of this is that the SUID and SGID bits can be security risks. For instance, suppose the rm program’s SUID bit was set. This program is normally owned by root, so setting the SUID bit on rm would mean that any user could delete any file on the computer. Although no Linux distribution sets the SUID bit on rm by default, the SUID bit can be set inappropriately. This can happen by accident (say, a mistyped command by root), by malice (if a cracker gains access to the system), or because of a more subtle misconfiguration by the distribution maintainer (the SUID bit set unnecessarily on a program for which it’s less blatantly inappropriate than rm). Even if the SUID or SGID bit is set appropriately, a bug in the program can become more serious because the bug executes as root. If the bug enables users to write files, for example, any user can exploit the bug to overwrite critical system configuration files. For these reasons, you should periodically review your system to find all the SUID programs and, if appropriate, change their configuration.
To do this, you can use the find command, which is described in detail in Chapter 4. In particular, you can use the -perm mode option, which searches for files with the specified permission mode. To search for SUID and SGID files, you should pass a mode of +6000. The symbolic representation for the SUID and SGID bits is 6000, and the plus sign (+) tells find to locate any file with any of the specified bits set. (You could search for SUID files alone by passing +4000 or SGID alone by passing +2000.) You may also want to pass -type f, which restricts the search to regular files. (Directories use the SUID and SGID bits differently, as described in Chapter 4.) Thus, to search the entire computer for SUID and SGID programs, you type this:
# find / -perm +6000 -type f
The result is a list of files, one per line, that have either the SUID or the SGID bits set. Programs that are likely to be present in this list include su, ping, mount, passwd, umount, and sudo. These programs all have a legitimate need to be so configured. Most systems have additional SUID and SGID programs, some of which may seem trivial. For instance, some games are associated with the games group and set the SGID bit. This configuration enables users to modify the games’ system-wide high-score files. If you have doubts about whether the program really needs SUID or SGID status, you should investigate further. Try verifying the package integrity using your package management tools and perform a Web search on the program name and “SUID” or “SGID,” as appropriate. You can also try changing the SUID status of the program using chmod, as described in Chapter 4, and see if it still works as it should when run by a normal user.
Programs that are SUID or SGID root, but that shouldn’t be, can be a sign of system compromise. Crackers might reconfigure programs this way in order to more easily do their dirty work. Thus, if you find such programs, investigate the overall integrity of the system. On the other hand, if a distribution maintainer set the SUID or SGID bit unnecessarily, this isn’t cause for concern about a break-in, although you may want to fix the matter. Likewise, accidental misconfiguration by you or another administrator isn’t cause for massive system upheaval—but you’ll need to dig a bit deeper to ascertain whether such a change was accidental or a sign of a deeper problem.
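
A periodic review is easier when each run is compared with a saved list, so that only newly privileged files need investigating. The following is an added example, not code from the book; the function names and the baseline file are assumptions. It uses the portable test "-perm -4000 or -perm -2000", which selects the same files as the +6000 search above (current GNU find writes that mode as /6000).

```shell
#!/bin/sh
# Added example: inventory SUID/SGID files and report changes since a baseline.

# special_files DIR
# Print "FLAGS OWNER PATH" for every regular file under DIR that has the
# SUID bit, the SGID bit, or both. Directories are skipped (-type f).
special_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    LC_ALL=C sort |
    while IFS= read -r f; do
        flags=""
        [ -u "$f" ] && flags="SUID"
        [ -g "$f" ] && flags="${flags:+$flags+}SGID"
        owner=$(ls -ld "$f" | awk '{print $3}')
        printf '%s %s %s\n' "$flags" "$owner" "$f"
    done
}

# changes_since DIR BASELINE
# BASELINE is an earlier saved copy of special_files output. Print every line
# that is present now but absent from it: files that gained a bit, changed
# owner, or appeared since the baseline was taken.
changes_since() {
    now=$(mktemp) && old=$(mktemp) || return 1
    special_files "$1" | LC_ALL=C sort > "$now"
    LC_ALL=C sort "$2" > "$old"
    LC_ALL=C comm -13 "$old" "$now"
    rm -f "$now" "$old"
}

# Typical use, as root:
#   special_files / > /root/suid-baseline.txt      # after reviewing the list
#   changes_since / /root/suid-baseline.txt        # on each later review
```

Store the baseline somewhere an intruder with root access cannot quietly rewrite it, such as read-only or offline media.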
Configuring SSH
In the past, Telnet was the remote text-mode login protocol of choice on Linux and Unix systems. Unfortunately, Telnet is severely lacking in security features. Thus, in recent years SSH has grown in popularity, and it is now the preferred remote login tool. SSH can also handle file transfer tasks similar to those of FTP. For these reasons, knowing how to configure SSH can be very helpful. This task requires knowing a bit about SSH generally and about the SSH configuration file under Linux. As is usual in this chapter, I conclude the look at SSH with information about the security implications of running the server.
SSH is complex enough that I can’t cover more than its basics in this chapter. Consult OpenSSH’s documentation or a book on the topic, such as SSH, The Secure Shell: The Definitive Guide, Second Edition, by Daniel J. Barrett, Richard Silverman, and Robert G. Byrnes (O’Reilly, 2005) or SSH Mastery: OpenSSH, PuTTY, Tunnels and Keys (CreateSpace, 2012) by Michael W. Lucas, for more details.
SSH Basics
Linux supports remote login access through several different servers, including Telnet, Virtual Network Computing (VNC), and even X. Unfortunately, most of these methods suffer from a major drawback: They transfer all data over the network in unencrypted form. This fact means that anybody who can monitor network traffic can easily snatch sensitive data, often including passwords. (VNC and a few other protocols encrypt passwords but not other data.) This limitation puts a serious dent in the utility of these remote login tools; after all, if using a remote access protocol means you’ll be giving away sensitive data or compromising your entire computer, it’s not a very useful protocol.
Non-encrypting remote access tools are particularly risky for performing work as root, either by logging in directly as root or by logging in as an ordinary user and then using su, sudo, or other tools to acquire root privileges.
SSH was designed to close this potentially major security hole by employing strong encryption techniques for all parts of the network connection. SSH encrypts the password exchange and all subsequent data transfers, making it a much safer protocol for remote access.
In addition to encryption, SSH provides file transfer features and the ability to tunnel other network protocols—that is, to enable non-encrypted protocols to piggyback their data over an SSH connection, thus delivering SSH’s encryption advantages to other protocols. This feature is frequently employed in conjunction with X, enabling encrypted remote GUI access, as described in Chapter 6, “Configuring the X Window System, Localization, and Printing.”
Of course, SSH’s advantages don’t come without a price. The main drawback of SSH is that the encryption and decryption consume CPU time. This fact slows down SSH connections compared to those of direct connections and can degrade overall system performance. This effect is modest, though, particularly for plain text-mode connections. If you tunnel a protocol that transfers much more data, such as X, you may see a greater performance drop when using SSH. Even in this case, the improved security is generally worth the slight speed cost.
Several SSH servers are available for Linux, but the most popular by far is the OpenSSH server (http://www.openssh.org). This program was one of the first open source implementations of the SSH protocol, which was developed by the commercial SSH Communications Security (http://www.ssh.com), whose server is now sold under the name SSH Tectia. OpenSSH, SSH Tectia, and other SSH products can interoperate with one another, assuming they’re all configured to support at least one common level of the SSH protocol. OpenSSH 6.1, the latest version as I write, supports SSH levels 1.3, 1.5, and 2.0, with 2.0 being the preferred level because of known vulnerabilities in the earlier versions.
OpenSSH is closely associated with the OpenBSD OS, so its Web site has an OpenBSD bias. If you visit the site, you may want to click the Linux link under the For Other OS’s heading. You can find Linux-compatible source code and binaries from that site, and OpenSSH now ships with most Linux distributions.
OpenSSH may be launched via either a super server (inetd or xinetd) or a SysV startup script. The latter method is preferred because the server may need to perform CPU-intensive tasks upon starting, so if it’s started from a super server OpenSSH may be sluggish to respond to connection requests, particularly on systems with weaker CPUs. Most distributions deliver suitable startup scripts with their SSH packages. If you make changes to your SSH configuration, you may need to pass the reload or restart option to the startup script, as in /etc/init.d/sshd reload. (Chapter 5 covers startup scripts in more detail.) However it’s launched, the OpenSSH server binary name is sshd—the same as the binary name for SSH Tectia.
Setting SSH Options for Your Computer
For the most part, SSH works reasonably well when it’s first installed, so you may not need to make any changes to its configuration. If you do need to make changes, though, these are mostly handled through the main SSH configuration file, /etc/ssh/sshd_config. You can also edit some additional files to limit access to the SSH server or to change how SSH manages the login process.
Configuring Basic SSH Features
The /etc/ssh/sshd_config file consists mainly of option lines that take the following form:
Option value
Don’t confuse the sshd_config file with the ssh_config file. The former controls the OpenSSH server, whereas the latter controls the SSH client program, ssh.
In addition to configuration lines, the sshd_config file holds comments, which are denoted by hash marks (#). Most sample configuration files include a large number of SSH options that are commented out; these lines specify the default values, so uncommenting the lines without otherwise changing them will have no effect. If you want to change an option, uncomment the line and change it. Most options’ default values are suitable for most systems. The following list includes some that you may want to check and, perhaps, change:
Protocol: This option specifies the protocol levels OpenSSH understands. Possible values are 1 and 2. You can configure OpenSSH to support both protocols by separating them by a comma, as in 1,2 or 2,1, which are equivalent. Given the fact that OpenSSH protocol level 1 has been compromised, the safest configuration is to set Protocol 2. This limits the server’s ability to communicate with older clients, though.
PermitRootLogin: By default, this option is set to yes, which enables OpenSSH to accept direct logins by root. This is safer than a similar configuration under Telnet, but for a bit of added security, set this value to no. The result will be that anybody wanting to perform remote work as root will need to first log in as an ordinary user, which means that an intruder who has somehow acquired the root password will also need a regular username and its password. (If the computer is configured to allow an ordinary user to work via sudo, though, a compromise of that user’s account would also effectively be a compromise of the root account.)
X11Forwarding: This option specifies whether OpenSSH’s X tunneling features should be active. If you want to enable remote users to run X programs via SSH, you must set this option to yes. Doing so can slightly degrade security of the client’s X display, though, depending on certain other options; hence the conservative default value of no.
For information about additional options, consult the man page for sshd_config. If you make changes to the SSH configuration, remember to restart it using the server’s SysV startup script.
SSH Keys

Part of SSH’s security involves encryption keys. Each server system and each user have a unique number, or key, for identification purposes. In fact, SSH uses a security system that involves two keys: a public key and a private key. These two keys are mathematically linked in such a way that data encrypted with a particular public key may be decrypted only with the matching private key. When establishing a connection, each side sends its public key to the other. Thereafter, each side encrypts data with the other side’s public key, ensuring that the data can be decrypted only by the intended recipient. In practice, this is just the first step of the process, but it’s critical. What’s more, SSH clients typically retain the public keys of servers they’ve contacted. This enables them to spot changes to the public key. Such changes can be signs of tampering, so if a client detects such a change, it will warn its user of this fact.

Most OpenSSH server startup scripts include code that looks for stored public and private keys and, if they’re not present, generates them. In total, four to six keys are needed: public and private keys for two or three encryption tools SSH supports. These keys are normally stored in /etc/ssh and are called ssh_host_rsa_key and ssh_host_dsa_key for private keys, with .pub filename extensions added for public keys. Some systems add ssh_host_rsa1_key and its associated public key. If your system doesn’t have these keys and you can’t get the SSH server to start up, you can try generating the keys with the ssh-keygen command:

# ssh-keygen -q -t rsa1 -f /etc/ssh/ssh_host_key -C '' -N ''
# ssh-keygen -q -t rsa -f /etc/ssh/ssh_host_rsa_key -C '' -N ''
# ssh-keygen -q -t dsa -f /etc/ssh/ssh_host_dsa_key -C '' -N ''

Each of these commands generates both a private key (named in the -f parameter) and a public key (with the same name but with .pub appended).

Don’t run these ssh-keygen commands if the SSH key files already exist. Replacing the working files will cause clients who’ve already connected to the SSH server to complain about the changed keys and possibly refuse to establish a connection.

Be sure the private keys are suitably protected; if an intruder obtains one of these keys, the intruder can impersonate your system. Typically, these files should have 0600 (-rw-------) permissions and be owned by root. The public key files (with .pub filename extensions) should be readable by all users, though.

When you configure a client system, you may want to consider creating a global cache of host keys. As already noted, the ssh program records host keys for each individual user. (It stores these in the ~/.ssh/known_hosts file.) When you set up the client, you can populate the global ssh_known_hosts file, which is normally stored in /etc or /etc/ssh. Doing so ensures that the public key list is as accurate as the sources you use to populate the global file. It also eliminates confirmation messages when users connect to the hosts whose keys you’ve selected to include in the global file.

How do you create this file? One simple way is to copy the file from a user account that’s been used to connect to the servers you want to include. For instance, you can type cp /home/ecernan/.ssh/known_hosts /etc/ssh/ssh_known_hosts to use ecernan’s file.

In the past, you could review SSH’s known hosts file in a text editor, since it’s a text-mode file. Today, though, OpenSSH 4.0 and newer support hashing of the data in this file. When this feature is enabled, the information is hashed (that is, encrypted using a one-way encryption algorithm) and stored in hashed form. The idea is that you’ll still be able to authenticate SSH servers to which you connect, because a hash of the typed hostname will match a hash of the stored hostname; but if an intruder steals your known hosts file, the intruder will be unable to determine the identities of the computers to which you’ve been connecting. An unfortunate side effect of this hashing is that you can’t tell what servers it describes yourself.
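
The matching of a typed hostname against a hashed entry, described above, can be reproduced when auditing a known hosts file. This is an added example, not code from the book or from OpenSSH; it assumes the hashed host field has the form |1|salt|digest, where the digest is HMAC-SHA1 of the hostname keyed with the per-entry salt. The sample file, its placeholder key data and the address 192.0.2.10 are constructed.

```python
import base64
import hashlib
import hmac
import os

HASH_MAGIC = "|1|"  # marker in front of a hashed host field


def hash_host(hostname, salt=None):
    """Build a hashed host field for hostname (random 20-byte salt by default)."""
    if salt is None:
        salt = os.urandom(20)
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "{}{}|{}".format(
        HASH_MAGIC,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def entry_matches(host_field, hostname):
    """True if the first field of a known_hosts line names hostname."""
    if not host_field.startswith(HASH_MAGIC):
        # Plain-text entry: comma-separated names and addresses.
        # (Wildcard patterns are not handled in this example.)
        return hostname in host_field.split(",")
    try:
        salt_b64, digest_b64 = host_field[len(HASH_MAGIC):].split("|")
        salt = base64.b64decode(salt_b64)
        stored = base64.b64decode(digest_b64)
    except ValueError:  # malformed field or bad base64
        return False
    candidate = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(candidate, stored)


def find_host(known_hosts_text, hostname):
    """Return (line number, key type) for every line that names hostname."""
    hits = []
    for number, line in enumerate(known_hosts_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0].startswith("@"):  # @cert-authority / @revoked marker
            fields = fields[1:]
        if len(fields) >= 2 and entry_matches(fields[0], hostname):
            hits.append((number, fields[1]))
    return hits


# Constructed sample: one plain-text entry and one hashed entry.
FIXED_SALT = bytes(range(20))  # fixed only so the sample is reproducible
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample; key data is a placeholder",
    "leonardo.example.com,192.0.2.10 ssh-rsa AAAAB3PLACEHOLDER",
    hash_host("mail.luna.edu", FIXED_SALT) + " ssh-rsa AAAAB3PLACEHOLDER",
])

if __name__ == "__main__":
    for name in ("mail.luna.edu", "leonardo.example.com", "other.example.com"):
        print(name, find_host(SAMPLE_KNOWN_HOSTS, name))
```

The hashed line cannot be read back into a hostname, but any name you already suspect can be tested against it, which is also what ssh-keygen -F hostname does for a real file.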
Controlling SSH Access

You can limit who may access an SSH server in various ways. The most obvious and basic method is via password authentication. The usual SSH authentication method is to employ a username and password, much as Telnet does. (The ssh client program sends the username automatically or as part of the command line, so you won’t see a username prompt when logging in via ssh.) Beyond password authentication, SSH supports several other types of limitations:

TCP Wrappers
If you run SSH from a super server or if the server was compiled with TCP Wrappers support, you can use the /etc/hosts.allow and /etc/hosts.deny files to limit access by IP address. Note that if you launch SSH via a system startup script, this approach works only if the server was compiled to support it. This support may or may not be present in your distribution’s standard SSH package.

Firewalls
As with all servers, you can restrict access by using a firewall. SSH uses TCP port 22. Technically, this isn’t an SSH feature, but it’s certainly useful for protecting an SSH server.

/etc/nologin
If this file is present, SSH honors it. As described earlier, this file’s presence means that only root may log in. When a non-root user tries to log in locally, the file’s contents are displayed as an error message; however, OpenSSH doesn’t do this.

Copying Files via SSH

Most users employ the ssh client program, which provides remote login access—type ssh othersystem to log in to othersystem using the same username you’re using on the client system; or add a username, as in ssh user@othersystem, to log in using another username.

SSH includes a file-copying command, too: scp. This command works much like the cp command for copying files locally; however, you must specify the target computer, and optionally the username, just before the target filename. For instance, to copy the file masterpiece.c to the lisa account on leonardo.example.com, [email protected]:

The colon (:) that terminates this command is extremely important; if you omit it, you’ll find that scp works like cp, and you’ll end up with a file called lisa@leonardo.example.com on the original system. If you want to rename the file, you can do so by including the new name following the colon. Likewise, you can place the file in a particular directory in the same way, as follows:

[email protected]:~/art/mona.c

This example copies masterpiece.c to the ~/art directory on the target computer and renames it mona.c. If the specified directory doesn’t exist, an error results, and the file is not transferred. If you specify a directory without a trailing slash or filename and you mistype the directory name, scp will copy the file and rename it to your mistyped directory name. (scp works just like cp in this respect.)

Configuring Logins Without Passwords

If you use SSH a lot or if you use it in automated tools, you’ll no doubt become annoyed by the need to type a password with every connection. There is a way around this requirement: You can set up the SSH client with keys and give the client’s public key to the server computer. With this configuration, the SSH client computer can identify itself, possibly obviating the need for you to type a password.

Configuring SSH to operate without the use of passwords is convenient, but it does increase security risks. If somebody you don’t trust ever gains access to your account on the SSH client system, that person will be able to log in to the SSH server system as you without the benefit of your password. Thus, you should create a password-less login only from a client that’s very well protected, if at all. Configuring access to the root account in this way is particularly risky.

To configure SSH to not require a password, follow these steps:

1. Log in to the SSH client system as the user who will be performing remote access.

2. Type the following command to generate a version 2 SSH key:

$ ssh-keygen -q -t rsa -f ~/.ssh/id_rsa -C '' -N ''

Step 2 generates a version 2 key. You can instead generate a version 1 key by typing ssh-keygen -q -t dsa -f ~/.ssh/id_dsa -C '' -N ''. This generates id_dsa and id_dsa.pub files. This procedure is not recommended because SSH version 1 is not as secure as version 2; however, you may need to use version 1 to connect to some servers.

3. Step 2 generates two files: id_rsa and id_rsa.pub. Transfer the second of these files to the SSH server computer in any way that’s convenient—via a USB flash drive, by using scp, or by any other means. Copy the file under a temporary name, such as temp.rsa.

4. Log in to the SSH server system. If you use SSH, you’ll need to type your password.

5. Add the contents of the file you’ve just transferred to the end of the ~/.ssh/authorized_keys file. (This file is sometimes called ~/.ssh/authorized_keys2, so you should check to see which is present. If neither is present, you may need to experiment.) Typing cat ~/temp.rsa >> ~/.ssh/authorized_keys should do this job, if you stored the original file as ~/temp.rsa.

6. On some systems, you may need to modify permissions on the ~/.ssh/authorized_keys file and on the directories leading to it. The authorized_keys file may require 0600 permissions, and you may need to remove write permissions for any but the account’s owner on your home directory and on the ~/.ssh directory.

If you now log out of the SSH server system and try to log in again via SSH from the client, you shouldn’t be prompted for a password; the two computers handle the authentication automatically. If this doesn’t work, chances are the ~/.ssh/authorized_keys file needs another name, as described earlier. You may also want to check that the file includes a line matching the contents of the original public-key file on the client. Some older clients may require you to specify that you use version 2 of the SSH protocol by including the -2 option:

$ ssh -2 server
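
The permission rules given for host keys under “SSH Keys” and for authorized_keys in step 6 can be checked mechanically. The following is an added example, not code from the book; the function names and the owner_uid parameter are assumptions introduced for illustration, and the checks are limited to the modes and ownership the text names.

```python
import glob
import os
import stat


def mode_of(path):
    """Permission bits of path, for example 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def audit_host_keys(ssh_dir="/etc/ssh", owner_uid=0):
    """Host private keys: 0600 and owned by root; .pub files readable by all."""
    problems = []
    # Matches ssh_host_key, ssh_host_rsa_key, ssh_host_dsa_key, but not *.pub.
    for key in sorted(glob.glob(os.path.join(ssh_dir, "ssh_host_*key"))):
        mode = mode_of(key)
        if mode & 0o077:
            problems.append(
                "%s: mode %04o gives group/other access to a private key; "
                "want 0600" % (key, mode))
        if os.stat(key).st_uid != owner_uid:
            problems.append("%s: not owned by uid %d" % (key, owner_uid))
        pub = key + ".pub"
        if not os.path.exists(pub):
            problems.append("%s: public key file is missing" % pub)
        elif not (mode_of(pub) & 0o004):
            problems.append("%s: public key is not readable by all users" % pub)
    return problems


def audit_login_files(home, owner_uid):
    """Step 6: home and ~/.ssh writable only by the owner; authorized_keys 0600."""
    problems = []
    ssh_dir = os.path.join(home, ".ssh")
    for directory in (home, ssh_dir):
        if not os.path.isdir(directory):
            problems.append("%s: directory is missing" % directory)
        elif mode_of(directory) & 0o022:
            problems.append(
                "%s: mode %04o allows group/other write"
                % (directory, mode_of(directory)))
    found = False
    # The text notes the file is sometimes called authorized_keys2.
    for name in ("authorized_keys", "authorized_keys2"):
        path = os.path.join(ssh_dir, name)
        if not os.path.isfile(path):
            continue
        found = True
        if mode_of(path) & 0o177:
            problems.append(
                "%s: mode %04o, want 0600" % (path, mode_of(path)))
        if os.stat(path).st_uid != owner_uid:
            problems.append("%s: not owned by uid %d" % (path, owner_uid))
    if not found:
        problems.append("%s: no authorized_keys file present" % ssh_dir)
    return problems


if __name__ == "__main__":
    me = os.getuid()
    for line in audit_host_keys() + audit_login_files(os.path.expanduser("~"), me):
        print(line)
```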

Using ssh-agent

Another SSH authentication option is to use the ssh-agent program. This program requires a password to initiate connections, so it’s more secure than configuring logins without passwords; however, ssh-agent remembers your password, so you need type it only once per local session. To use ssh-agent, follow these steps:

1. Follow the procedure for enabling no-password logins described in “Configuring Logins Without Passwords,” but with one change: Omit the -N '' option from the ssh-keygen command in step 2. You’ll be asked for a passphrase at this step. This passphrase will be your key for all SSH logins managed via ssh-agent.

2. On the SSH client system, type ssh-agent /bin/bash. This launches ssh-agent, which in turn launches bash. You’ll use this bash session for subsequent SSH logins.

3. In your new shell, type ssh-add ~/.ssh/id_rsa. This adds your RSA key to the set that’s managed by ssh-agent. You’ll be asked to type your SSH passphrase at this time.

From this point on, whenever you use SSH to connect to a remote system to which you’ve given your public key, you won’t need to type a password. You will, however, have to repeat steps 2 and 3 whenever you log out, and the benefits will accrue only to the shell launched in step 2 or any shells you launch from that one.

If you make heavy use of this facility, you can insert ssh-agent into your normal login procedure. For instance, you can edit /etc/passwd so that ssh-agent /bin/bash is your login shell. For a GUI login, you can rename your normal GUI login script (for instance, change ~/.xsession to ~/.xsession-nossh) and create a new GUI login script that calls ssh-agent with the renamed script as its parameter. Either action inserts ssh-agent at the root of your user process tree so that any call to SSH uses ssh-agent.

Using SSH Login Scripts

Ordinarily, an SSH text-mode login session runs the user’s configured shell, which runs the shell’s defined login scripts. The OpenSSH server also supports its own login script, sshrc (normally stored in /etc or /etc/ssh). The OpenSSH server runs this script using /bin/sh, which is normally a symbolic link to bash, so you can treat it as an ordinary bash script.

Setting Up SSH Port Tunnels

SSH has the ability to extend its encryption capabilities to other protocols, but doing so requires extra configuration. The way this is done is known as tunneling. Chapter 6 described a special type of SSH tunneling involving X, but the process can work for other protocols.

Figure 10.1 illustrates the basic idea behind an SSH tunnel. The server computer runs two server programs: a server for the tunneled protocol (Figure 10.1 uses the Internet Mail Access Protocol, IMAP, as an example) and an SSH server. The client computer also runs two clients: one for the tunneled protocol and one for SSH. The SSH client also listens for connections for the tunneled protocol; it’s effectively both a client and a server. When the SSH client receives a connection from the tunneled protocol’s client, the result is that the tunneled protocol’s connection is encrypted using SSH, tunneled to the SSH server, and then directed to the target server. Thus, data pass over the network in encrypted form, even if the target protocol doesn’t support encryption.

FIGURE 10.1 An SSH tunnel extends SSH’s encryption benefits to other protocols.

Of course, all of this requires special configuration. The default configuration on the server enables tunneling; but to be sure, check the /etc/ssh/sshd_config file on the server for the following option:

AllowTcpForwarding no

If this line is present, change no to yes. If it’s not present or if it’s already set to yes, you shouldn’t need to change your SSH server configuration.

On the client side, you must establish a special SSH connection to the server computer. You do this with the normal ssh client program, but you must pass it several parameters. An example will help illustrate this use of ssh:

# ssh -N -f -L 142:mail.luna.edu:[email protected]

The -N and -f options tell ssh to not execute a remote command and to execute in the background after asking for a password, respectively. These options are necessary to create a tunnel. The -L option specifies the local port on which to listen, the remote computer to which to connect, and the port on the remote computer to which to connect. This example listens on the local port 142 and connects to port 143 on mail.luna.edu. (You’re likely to use the same port number on both ends; I changed the local port number in this example to more clearly distinguish between the local and remote port numbers.) The final parameter ([email protected] in this example) is the remote username and computer to which the tunnel goes. Note that this computer need not be the same as the target system specified via -L.

If you want SSH on the client system to listen to a privileged port (that is, one numbered below 1024), you must execute the ssh program as root, as shown in the preceding example. If listening to a non-privileged port is acceptable, the ssh client can be run as a normal user.

With the tunnel established, you can use the client program to connect to the local port specified by the first number in the -L parameter (port 142 in the preceding example). For instance, this example is intended to forward IMAP traffic, so you’d configure a mail reader on the client to retrieve IMAP email from port 142 on localhost. When the email reader does this, SSH kicks in and forwards traffic to the SSH server, which then passes the data on to the SSH server computer’s local port 143, which is presumably running the real IMAP server. All of this is hidden from the email reader program; as far as it’s concerned, it’s retrieving email from a local IMAP server.

SSH Security Considerations

SSH is intended to solve security problems rather than create them. Indeed, on the whole using SSH is superior to using Telnet for remote logins, and SSH can also take over FTP-like functions and tunnel other protocols. Thus, SSH is a big security plus compared to using less-secure tools.

Like all servers, though, SSH can be a security liability if it’s run unnecessarily or inappropriately. Ideally, you should configure SSH to accept only protocol level 2 connections and to refuse direct root logins. If X forwarding is unnecessary, you should disable this feature. If possible, use TCP Wrappers or a firewall to limit the machines that can contact an SSH server. As with all servers, you should keep SSH up to date; there’s always the possibility of a bug causing problems.

You should consider whether you really need a remote text-mode login server. Such a server can be a great convenience—often enough to justify the modest risk involved. For extremely high-security systems, though, using the computer exclusively from the console may be an appropriate approach to security.

One unusual security issue with SSH is its keys. As noted earlier, the private-key files are extremely sensitive and should be protected from prying eyes. Remember to protect the backups of these files, as well—don’t leave a system backup tape lying around where it can be easily stolen.
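
The recommendations above (protocol level 2 only, no direct root logins, X forwarding off unless needed) and the commented-out-defaults behavior described under “Configuring Basic SSH Features” can be checked against the text of an sshd_config file. This is an added example, not code from the book or from OpenSSH; the defaults it assumes are the ones this chapter states, which differ between OpenSSH releases, and both sample configurations are constructed.

```python
import re

# Defaults as this chapter states them (assumption: check the sshd_config
# man page for the release you run, since defaults change over time).
CHAPTER_DEFAULTS = {"permitrootlogin": "yes", "x11forwarding": "no"}

# "Option value" or "Option=value"
OPTION_LINE = re.compile(r"^\s*([A-Za-z0-9]+)(?:\s*=\s*|\s+)(\S.*)$")


def effective_options(config_text):
    """Return {option: value} for the global section, names lowercased."""
    options = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out option leaves the default in force
        match = OPTION_LINE.match(line)
        if not match:
            continue
        name = match.group(1).lower()
        value = match.group(2).split()[0].lower()
        if name == "match":
            break  # conditional Match blocks are outside this example
        options.setdefault(name, value)  # sshd uses the first value it reads
    return options


def audit(config_text):
    """Return (option, effective value, advice) for each weak setting."""
    options = effective_options(config_text)
    findings = []

    # No default is assumed for Protocol; it is flagged only when set.
    protocol = options.get("protocol")
    if protocol and "1" in protocol.split(","):
        findings.append(("Protocol", protocol,
                         "protocol level 1 is accepted; set Protocol 2"))

    root = options.get("permitrootlogin", CHAPTER_DEFAULTS["permitrootlogin"])
    if root != "no":
        findings.append(("PermitRootLogin", root,
                         "direct root logins are accepted; set it to no"))

    x11 = options.get("x11forwarding", CHAPTER_DEFAULTS["x11forwarding"])
    if x11 == "yes":
        findings.append(("X11Forwarding", x11,
                         "disable unless remote X programs are required"))
    return findings


# Constructed samples.
WEAK_SAMPLE = """\
# constructed sample
Protocol 2,1
#PermitRootLogin yes
X11Forwarding yes
X11Forwarding no
"""

HARDENED_SAMPLE = """\
Protocol 2
PermitRootLogin no
X11Forwarding no
"""

if __name__ == "__main__":
    for option, value, advice in audit(WEAK_SAMPLE):
        print("%s = %s: %s" % (option, value, advice))
```

In the weak sample the commented-out PermitRootLogin line is still reported, because the default stays in force, and the second X11Forwarding line does not help, because the first value is the one used.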

Using GPG

SSH is designed to encrypt interactive login sessions and file transfers. Sometimes, though, another type of encryption is desirable: You may want to encrypt email messages or files sent to another person via some other means. Email was never designed as a secure data transfer tool, and most email messages pass through several email servers and network routers. A compromise at any one of these points enables a cracker to sniff email traffic and extract sensitive data, such as credit card or Social Security numbers. Encrypting your email keeps such details private.

The usual tool for encrypting email is the GNU Privacy Guard (GPG or GnuPG; http://www.gnupg.org) package. This package is an open source re-implementation of the proprietary Pretty Good Privacy (PGP). In addition to encrypting entire messages, GPG enables you to digitally “sign” messages. Used in this way, messages can be read by recipients who lack the GPG software or appropriate keys; but those who have these tools can verify that the contents haven’t been tampered with.

Generating Keys

To begin using GPG, you should first install the software. Chances are, your distribution includes it as a standard package, so you can install it that way. Once this is done, you must generate keys. GPG keys are conceptually similar to SSH keys: You need a private key (aka a secret key) and a public key. As the names imply, the private key is kept private, but the public key is publicly available. You can sign your messages with your private key, and readers can verify it with your public key; or you can encrypt a message with another user’s public key, and it can be decrypted only with that user’s private key.

To generate keys, you use the gpg program with its --gen-key option:

$ gpg --gen-key

The program will ask you a series of questions. In most cases, answering with the defaults should work well, although you may have to type in your full name and email address. The keys are stored in a keyring (a file that holds keys) in the ~/.gnupg directory.

Once you’ve generated your keys, you can export your public key:

$ gpg --export name > gpg.pub

This command saves the public key associated with name in the file gpg.pub. You can use your email address as name. (If you create additional public keys or add others’ public keys to your keyring, you can specify their names to export those keys.) You can then make your public key available to others so that they may encrypt email messages sent to you or verify your signed messages. Adding the --armor option produces ASCII output, which may be preferable if you intend to email the key. You can make the file accessible on your Web site, transfer it as an email attachment, or distribute it in various other ways.

One important method of distributing your public key is via a keyserver. This is a network server that functions much like a keyring. To send your public key to a keyserver, you can use the --keyserver hostname and --send-keys keyname options to gpg, as follows:

[email protected]

This example sends the public key for jennie@luna.edu from your public keyring to the server at pgp.mit.edu. Thereafter, anybody who wants to can retrieve the key from that server. (pgp.mit.edu is a popular site for hosting PGP public keys.)

Importing Keys

To encrypt email you send to others, you must obtain their public keys. Ask your correspondents how to obtain them. Once you’ve done so, you can add their keys to your keyring (that is, the set of keys GPG maintains):

$ gpg --import filename

This command adds filename to your set of public keys belonging to other people.

Although public keys are, by definition, public, there are security concerns relating to them. Specifically, you should be sure you use a legitimate public key. Hypothetically, a miscreant could publish a fake public key in order to obtain sensitive communications or fake a signed email. For instance, George might distribute a fake GPG public key that claimed to be from Harold. George could then either sign messages claiming to be from Harold or intercept email sent to Harold that was encrypted using the fake key. Thus, you should use as secure a communication method as possible to distribute your public key and to receive public keys from others.

Once you’ve created your own key and, perhaps, imported keys from others, you can see what keys are available by using the --list-keys option to gpg:

$ gpg --list-keys
/home/gjones/.gnupg/pubring.gpg
---------------------------------
pub   1024D/190EDB2E 2008-09-05
uid                  George A. Jones <[email protected]>
sub   2048g/0D657AC8 2008-09-05

pub   1024D/A8B2061A 2008-09-05
uid                  Jennie Martin <[email protected]>
sub   2048g/4F33EF6B 2008-09-05

The uid lines contain identifiers you’ll use when encrypting or decrypting data, so you should pay particular attention to that information.

Revoking a Key

Sometimes, you might have cause to revoke a public key. For instance, suppose you’ve stored a copy of your private key on a laptop computer and that laptop is stolen, or perhaps some employees have left your organization and you no longer want those individuals to be able to use the keys associated with their employee accounts. To revoke a key, you use the --gen-revoke keyname option to gpg:

[email protected]

The program asks you to answer a few questions, such as the reason for revoking the key. It then generates a key block, such as the following:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.19 (GNU/Linux)
Comment: A revocation certificate should follow

iEwEIBECAAwFAlBPvbkFHQBG28bACgkQbBimvBMO2y4uzwCeQiLkZx8jl2jk+
hn0OKUl3EznmBQAn2WvtuQW+AP6wlvOvNU/qYi8a7t8=s0/s
-----END PGP PUBLIC KEY BLOCK-----

You should copy this text into a file (say, revocation.gpg) and import the file to your keyring:

$ gpg --import revocation.gpg

If you’ve distributed public keys associated with the revoked key, you should distribute this revocation, too. If you’ve sent your public keys to a GPG keyserver, you can pass your revocation along in the same way you sent your original public key:

[email protected]

Once this is done, you can generate and distribute a new set of keys, if desired.

Encrypting and Decrypting Data

To encrypt data, you use gpg with its --out and --encrypt options and, optionally, --recipient and --armor:

$ gpg --out encrypted-file --recipient uid --armor --encrypt original-file

You can use the UID from a gpg --list-keys output, or just the email address portion, as the uid in this command. If you haven’t signed the recipient’s key, you’ll have to verify that you want to use that key. The result is a new file, encrypted-file, which holds an encrypted version of original-file. If you omit the --armor option, the resulting file is a binary file; if you send it as email, you’ll need to send it as an attachment or otherwise encode it for transmission over the text-based email system. If you include the --armor option, the output is ASCII, so you can cut and paste the encrypted message into an email or send it as an attachment.

If you receive a message or file that was encrypted with your public key, you can reverse the encryption by using the --decrypt option:

$ gpg --out decrypted-file --decrypt encrypted-file

You’ll be asked to enter your passphrase. The result should be a decrypted version of the original file.

In practice, GPG can be even easier to use than this description may make you think. GPG is primarily used to secure and verify email, so most Linux email clients provide GPG interfaces. These options call gpg with appropriate options to encrypt, sign, or decrypt messages. Details vary from one email client to another, so you should consult your email client’s documentation for details.

Signing Messages and Verifying Signatures

As noted earlier, GPG can be used to sign messages so that recipients know they come from you. To do so, use the --sign or --clearsign option to gpg:

$ gpg --clearsign original-file

The --sign option creates a new file with the same name as the original, but with .gpg appended to the filename. This file is encrypted using your private key so that it may be decrypted only with your public key. This means that anybody with your public key may read the message, but anybody who can read it knows it’s from you. The --clearsign option works similarly, but it leaves the message text unencrypted and only adds an encrypted signature that can be verified using your public key. The --clearsign option creates a file with a name that ends in .asc.

If you receive a signed message, you can verify the signature using the --verify option to gpg:

$ gpg --verify received-file

If any of the keys in your keyring can decode the message or verify the signature, gpg displays a Good signature message. To read a message that was encrypted via the --sign option, you must decrypt the message via the --decrypt option, as described earlier.

Summary

Maintaining system security is both important and time-consuming. A great deal of security emphasis is on network security, and for this, configuring your super server and disabling unused servers will go a long way. Attending to passwords and performing miscellaneous tasks to keep your local accounts from becoming security risks are also important security tasks.

Encryption is a hot topic in security. SSH is a protocol and tool that can handle many network encryption tasks by encrypting two-way connections between computers. Typically used as a remote login protocol, SSH can also be used to transfer files or encrypt other protocols. When you want to encrypt data sent to another individual via a tool such as email, you can do so with the help of GPG. This package enables you to encrypt individual files, which can then be attached to or embedded in email messages and decrypted by the recipient.

Exam Essentials

Identify the purpose of a super server. Super servers, such as inetd and xinetd, manage incoming network connections for multiple servers. They can add security and convenience features, and they can help minimize the memory load imposed by seldom-accessed servers.

Explain the function of super server port access controls. Super servers or programs called by them (such as TCP Wrappers) can restrict access to ports for the servers they manage. These restrictions occur at a higher level than a firewall’s restrictions, and they apply only to the servers managed by the super server.

Summarize the tools you can use to identify the servers running on a computer. The netstat and lsof programs both provide options to list all (or a subset of) the open network connections, as well as programs that are listening for connections. Remote network scanners, such as Nmap, can probe another computer for open network ports. Perusal of local configuration files can also provide clues to what’s running on a computer.

Describe why SUID and SGID programs are potentially risky. The set user ID (SUID) and set group ID (SGID) bits tell Linux to run the program as the user or group that owns the file. This is particularly risky when root owns the program file because it essentially elevates all users to root for the purposes of running the file, making bugs in the program more dangerous and raising the possibility of a clever user abusing the program to acquire full root privileges or otherwise wreaking havoc.

Explain why shadow passwords are important. Shadow passwords store password hashes in a file that can’t be read by ordinary users, thus making it harder for miscreants on the local system to read the hashed passwords and use brute-force attacks to discover other users’ passwords. Modern Linux distributions use shadow passwords by default.

Explain how to generate a good password. Ideally, passwords should be random. Failing that, one good approach is to generate a base that’s hard to guess and then modify it by adding digits and punctuation, changing the case of some characters, changing letter order, and significantly increasing the length of the password (even with repeated characters).

Explain why SSH is the preferred remote text-mode login tool. The Secure Shell (SSH) protocol provides encryption for all traffic, including both the password exchange and all subsequent data exchanges, whereas older tools, such as Telnet, do not. This makes SSH much safer (if not 100 percent safe) for the exchange of sensitive data, particularly over untrusted networks such as the Internet.

Identify the most important SSH configuration file. The SSH server is controlled through the /etc/ssh/sshd_config file. The SSH client configuration file is /etc/ssh/ssh_config; don’t confuse the two.

Describe the function of GPG. GPG enables public-key encryption of individual files or email messages. You can use GPG to encrypt sensitive data for transmission over email or other insecure means.

Review Questions

1. Typing lsof -i | grep LISTEN as root produces three lines of output, corresponding to the sendmail, sshd, and proftpd servers. What can you conclude about the security of this system?
A. Everything’s OK; the presence of sshd ensures that data are being encrypted via SSH.
B. The sendmail and sshd servers are OK, but the FTP protocol used by proftpd is insecure and should never be used.
C. The sendmail server should be replaced by Postfix or qmail for improved security, but sshd and proftpd are fine.
D. Because sendmail and proftpd both use unencrypted text-mode data transfers, neither is appropriate on a network-connected computer.
E. No conclusion can be drawn without further information; the listed servers may or may not be appropriate or authentic.

2. As part of a security audit, you plan to use Nmap to check all the computers on your network for unnecessary servers. Which of the following tasks should you do prior to running your Nmap check?
A. Back up /etc/passwd on the target systems to eliminate the possibility of its being damaged.
B. Obtain the root passwords to the target systems so that you can properly configure them to accept the Nmap probes.
C. Obtain written permission from your boss to perform the Nmap sweep.
D. Configure /etc/sudoers on the computer you intend to use for the sweep, to give yourself the ability to run Nmap.
E. Disable any firewall between the computer that’s running Nmap and the servers you intend to scan.

3. Your login server is using PAM, and you want to limit users’ access to system resources. Which configuration file will you need to edit?
A. /etc/limits.conf
B. /etc/pam/limits.conf
C. /etc/security/limits.conf
D. /etc/security/pam/limits.conf
E. /usr/local/limits.conf

4. Which of the following tools might you use to check for open ports on a local computer? (Select three.)
A. Nmap
B. netstat
C. lsof
D. portmap
E. services

5. Which of the following commands will locate all program files on a computer on which the SUID bit is set?
A. find / -type SUID
B. find / -perm +4000 -type f
C. find / -perm +SUID -type f
D. find / -type +4000
E. find / -suid

6. The /etc/sudoers file on a computer includes the following line. What is its effect?

%admin ALL=(ALL) ALL

A. Members of the admin group may run all programs with root privileges by using sudo.
B. Users in the admin user alias, defined earlier in the file, may run all programs with root privileges by using sudo.
C. The admin user alias is defined to include all users on the system.
D. The admin command alias is defined to include all commands.
E. The user admin may run all programs on the computer as root by using sudo.

7. Which command would you type, as root, to discover all the open network connections on a Linux computer?
A. lsof -c a
B. netstat -ap
C. ifconfig eth0
D. nmap -sT localhost
E. top -net

8. A server/computer combination appears in both hosts.allow and hosts.deny. What’s the result of this configuration when TCP Wrappers runs?
A. TCP Wrappers refuses to run and logs an error in /var/log/messages.
B. The system’s administrator is paged to decide whether to allow access.
C. hosts.deny takes precedence; the client is denied access to the server.
D. hosts.allow takes precedence; the client is granted access to the server.
E. The client is granted access to the server if no other client is currently accessing it.

9. When is the bind option of xinetd most useful?
A. When you want to run two servers on one port
B. When you want to specify computers by name rather than IP address
C. When xinetd is running on a system with two network interfaces
D. When resolving conflicts between different servers
E. When xinetd manages a DNS server program

10. You’ve discovered that the Waiter program (a network server) is running inappropriately on your computer. You therefore locate its SysV startup script and shut it down by removing that script from your default runlevel. How can you further reduce the risk that the Waiter program will be abused by outsiders? (Select two.)
A. By blocking the Waiter program’s port using a firewall rule
B. By reading the Waiter program’s documentation to learn how to run it in stealth mode
C. By tunneling the Waiter program’s port through SSH
D. By uninstalling the Waiter package
E. By uninstalling any clients associated with Waiter from the server computer

11. You want to use xinetd access controls to limit who may access a server that’s launched via xinetd. Specifically, only users on the 192.168.7.0/24 network block should be able to use that server. How may you do this?
A. Enter hosts_allow = 192.168.7.0/24 in the /etc/xinetd.d configuration file for the server in question.
B. Enter only_from = 192.168.7.0/24 in the /etc/xinetd.d configuration file for the server in question.
C. Enter server : 192.168.7., where server is the server’s name, in the /etc/hosts.allow file.
D. Enter server : 192.168.7., where server is the server’s name, in the /etc/hosts.deny file.
E. Type iptables -L 192.168.7.0 to enable only users of 192.168.7.0/24 to access the server.

12. Of the following, which is the best password?
A. Odysseus
B. iA71Oci^My~~~~~~
C. pickettomato
D. Denver2Colorado
E. 123456

13. Which of the following types of attacks involves sending bogus email to lure unsuspecting individuals into divulging sensitive financial or other information?
A. Phishing
B. Script kiddies
C. Spoofing
D. Ensnaring
E. Hacking

14. Ordinary users report being unable to log onto a computer, but root has no problems doing so. What might you check for to explain this situation?
A. A misbehaving syslogd daemon
B. A login process that’s running as root
C. The presence of an /etc/nologin file
D. The presence of an SUID bit on /bin/login
E. Inappropriate use of shadow passwords

15. Which servers might you consider retiring after activating an SSH server? (Select two.)
A. SMTP
B. Telnet
C. FTP
D. NTP
E. Samba

16. You find that the ssh_host_dsa_key file in /etc/ssh has 0666 (-rw-rw-rw-) permissions. Your SSH server has been in operation for several months. Should you be concerned?
A. Yes
B. No
C. Only if the ssh_host_dsa_key.pub file is also world-readable
D. Only if you’re launching SSH from a super server
E. Only if you’re using a laptop computer

17. For best SSH server security, how should you set the Protocol option in /etc/ssh/sshd_config?
A. Protocol 1
B. Protocol 2
C. Protocol 1,2
D. Protocol 2,1
E. Protocol *

18. Why is it unwise to allow root to log on directly using SSH?
A. Disallowing direct root access means that the SSH server may be run by a non-root user, improving security.
B. The root password should never be sent over a network connection; allowing root logins in this way is inviting disaster.
C. SSH stores all login information, including passwords, in a publicly readable file.
D. When logged on using SSH, root’s commands can be easily intercepted and duplicated by undesirable elements.
E. Somebody with the root password but no other password can then break into the computer.

19. You’ve downloaded a GPG public key from a Web site, into the file fredkey.pub. What must you do with this key to use it?
A. Type inspect-gpg fredkey.pub.
B. Type gpg --readkey fredkey.pub.
C. Type import-gpg fredkey.pub.
D. Type gpg --import fredkey.pub.
E. Type gpg -import fredkey.pub.

20. You want to send an encrypted message to an email correspondent. You both have GPG. What do you need to exchange before you can send your encrypted message?
A. Your correspondent must obtain your GPG public key.
B. Your correspondent must obtain your GPG private key.
C. You must exchange private keys with your correspondent.
D. You must obtain your correspondent’s GPG private key.
E. You must obtain your correspondent’s GPG public key.
Chapter 1: Exploring Linux Command-Line Tools
1. D. Any of these approaches will work, or at least might work. (You might err when performing any of them.) Option B or C is likely to be the most efficient approach; with a long filename to type, option A is likely to be tedious.
2. E. The echo command is implemented internally to bash, although an external version is also available on most systems. The cat, less, tee, and sed commands are not implemented internally to bash, although they can be called from bash as external commands.
3. E. The echo command echoes what follows to standard output, and $PROC is an environment variable. Thus, echo $PROC displays the value of the $PROC environment variable, meaning that it must have been set to the specified value by you, one of your configuration files, or a program you’ve run. Although many environment variables are set to particular values to convey information, $PROC isn’t a standard environment variable that might be associated with information described in options A, B, C, or D.
4. A. The pwd command prints (to standard output) the name of the current working directory. The remaining options are simply incorrect, although option B describes the cd command, and various tools can be used to reformat wide text for display or printing in fewer columns, as in option C.
5. D. The exec command causes the rest of the command to replace the current shell. Thus, when you exit from gedit in this scenario, the result will be the same as if you’d terminated the shell; namely, the xterm window will close. The exec command doesn’t raise the execution privilege, so option A is incorrect. (The su and sudo commands can raise execution privilege, though.) Because the xterm window closes, option B is incorrect. X won’t ordinarily terminate when a single xterm does, and definitely not if that xterm was launched from a window manager, so option C is incorrect. The exec command does not cause re-execution of the command after the first instance terminates, so option E is incorrect.
6. A. The dot (.) character refers to the current working directory, and the slash (/) is a directory separator. Thus, preceding a program name by ./ unambiguously identifies the intention to run the program that’s stored in the current directory. Option B will run the first instance of the program that’s found on the current path. Because paths often omit the current directory for security reasons, this option is likely to fail. The run command isn’t a standard Linux command, so option C is unlikely to do anything, much less what the question specifies. Option D would be correct except that it reverses the order of the two characters. The effect is to attempt to run the .myprog file in the root (/) directory. This file probably doesn’t exist, and even if it did, it’s not the file the question specifies should be run. Option E runs the first instance of myprog found on the path, and additionally it runs the program in the background. (Chapter 2 covers background execution in more detail.)
7. E. By default, man uses the less pager to display information on most Linux systems, so option E is correct. Although an X-based version of man does exist (xman), the basic man doesn’t use a custom X-based application (option A), nor does it use Firefox (option B) or the Vi editor (option D). The info command is a competing documentation system to man, so option C is incorrect.
8. C. The > redirection operator stores a command’s standard output in a file, overwriting the contents of any existing file by the specified name, so option C is correct. Option A specifies the standard input redirection so that ifconfig will take the contents of file.txt as input. Option B is almost correct; the >> redirection operator redirects standard output, as requested, but it appends data to the specified file rather than overwriting it. Option D specifies a pipe; the output of ifconfig is sent through the file.txt program, if it exists. (Chances are it doesn’t, so you’d get a command not found error message.) Option E redirects standard error, rather than standard output, to file.txt, and so is incorrect.
9. C. The &> redirection operator sends both standard output and standard error to the specified file, as option C states. (The name of the file, input.txt, is intentionally deceptive, but the usage is still valid.) Option A mentions standard error but describes it as if it were an input stream, which it’s not; it’s an output stream. Option B mentions standard input, but the &> operator doesn’t affect standard input. Because only option C is correct, neither option D nor E can be correct.
10. E. In principle, you can pipe together as many commands as you like. (In practice, of course, there will be limits based on input buffer size, memory, and so on, but these limits are far higher than the 2, 3, 4, or 16 commands specified in options A, B, C, and D.)
11. B. The tee command sends its output both to standard output and to a named file. Thus, placing the tee command (with an output filename) after another command and a pipe will achieve the desired effect. Options A and D redirect gabby’s output to a file, which means you won’t be able to see the output and interact with it. Option C sends the contents of gabby-out.txt to gabby as input, which isn’t what’s desired, either. Option E attempts to run gabby-out.txt as a program and use its output as command-line arguments to gabby, which is not what’s desired.
12. C. The 2> redirection operator redirects standard error only, leaving standard output unaffected. Sending standard error to /dev/null gets rid of it. Thus, option C is correct. Option A pipes the standard output of verbose through the quiet program, which isn’t a standard Linux program. Option B sends both standard output and standard error to /dev/null, so you won’t be able to interact with the program, as the question specifies you must be able to do. Option D redirects standard output only to the junk.txt file, so once again, interaction will be impossible—and you’ll see the unwanted error messages on the screen. Option E’s quiet-mode program is fictitious (or at least non-standard), so this option is incorrect.
13. A. Option A correctly describes the difference between these two redirection operators. Option B is almost correct, but the >> operator will create a new file if one doesn’t already exist. The >> operator does not redirect standard error (as stated in option C) or standard input (as stated in option D). Both operators will create a new file if one doesn’t already exist, contrary to what option E states.
14. C. The tail command displays the final 10 lines of a file, so option C is correct. (You can change the number of lines displayed with the -n option.) The uniq command (option A) removes duplicate lines from a list. The cut command (option B) echoes the specified characters or fields from an input text file. The wc command (option D) displays counts of the number of characters, words, and lines in a file. The fmt command (option E) is a plain-text formatter.
15. A. The pr program takes a text file as input and adds formatting features intended for printing, such as a header and blank lines to separate pages. The command also pipes the output through lpr (which is a Linux printing command). Option A describes these effects and so is correct. Option B describes the effect of the cat program, and so is incorrect. The conversion of tabs to spaces can be done by the expand program, so option C is incorrect. Although the specified command does print report.txt, error messages are not stored in the lpr file, so option D is incorrect. Because option A is correct, option E is incorrect.
16. B, C, D. The nl command numbers lines, so it does this task without any special options, and option B is correct. (Its options can fine-tune the way it numbers lines, though.) The cat command can also number lines via its -b and -n options; -b numbers non-blank lines, whereas -n numbers all lines (including blank lines). Thus, options C and D are both correct. Neither the fmt command nor the od command will number the lines of the input file, so options A and E are both incorrect.
17. C. The sed utility can be used to “stream” text and change one value to another. In this case, the s option is used to replace dog with mutt, making option C correct. The syntax in option A is incorrect, and choices B and D are incorrect because grep doesn’t include the functionality needed to make the changes. Option E combines fmt, cut, and redirection in a way that simply won’t work to achieve the desired goal.
18. B. The fmt command performs the desired task of shortening long lines by inserting carriage returns. It sends its results to standard output, so option B uses output redirection to save the results in a new file. The sed command of option A won’t accomplish anything useful; it only replaces the string Ctrl-M with the string NL. Although these strings are both sometimes used as abbreviations for carriage returns or new lines, the replacement of these literal strings isn’t what’s required. Option C creates an exact copy of the original file, with the long single-line paragraphs intact. Although option D’s pr command is a formatting tool, it won’t reformat individual paragraphs. It will also add headers that you probably don’t want. Option E’s grep command searches for text within files; it won’t reformat text files.
19. A. The grep utility is used to find matching text within a file and print those lines. It accepts regular expressions, which means you can place in brackets the two characters that differ in the words for which you’re looking. Thus, option A is correct. The syntax for sed, od, cat, and find wouldn’t perform the specified task, so options B through E are all incorrect.
20. C. The bracket expression within the d[o-u]g regular expression in option C means that any three-character string beginning in d, ending in g, and with the middle character being between o and u will match. These results meet the question’s criteria. Option A’s dot matches any single character, so d.g matches all three words. The bracket expression [ou] in option B matches the characters o and u, but no other values. Since the question specifies that some other matches will be made, this option is incorrect. Option D’s di*g matches dig; diig; diiig; or any other word that begins with d, ends with g, and contains any number of i letters in between. Thus, option D matches dig but not dog or dug as required. Option E, like Option A, uses a dot to match any character, so it will actually match certain four-letter words, but not dog or dug.
Chapter 2: Managing Software
1. D. Because they must be compiled prior to installation, source packages require more time to install than binary packages do, contrary to option D’s assertion, thus making this option correct. The other options all describe advantages of source packages over binary packages.
2. A. The two systems use different databases, which makes coordinating between them difficult. Thus, using them both simultaneously is inadvisable, making option A correct. Package management systems don’t share information, but neither do their databases actively conflict, so option B is incorrect. Installing the same libraries using both systems would almost guarantee that the files served by both systems would conflict with one another, making option C incorrect. Actively using both RPM and Debian packages isn’t common on any distribution, although it’s possible with all of them, so option D is incorrect. The alien program converts between package formats. Although it requires that both systems be installed to convert between them, alien is not required to install both these systems. Thus, option E is incorrect.
3. E. RPMs are usually portable across distributions, but occasionally they contain incompatibilities, so option E is correct. The package format and software licensing have nothing to do with one another, so option A is incorrect. There is no --convert-distrib parameter to rpm, so option B is incorrect. Although recompiling a source package can help work around incompatibilities, this step is not always required, so option C is incorrect. Binary packages can’t be rebuilt for another CPU architecture, so option D is incorrect, although source packages may be rebuilt for any supported architecture provided the source code doesn’t rely on any CPU-specific features.
4. B. The -i operation installs software, so option B is correct. (The -v and -h options cause a status display of the progress of the operation, which wasn’t mentioned in the option.) Uninstallation is performed by the -e operation, and rebuilding source RPMs is done by the --rebuild operation (to either rpm or rpmbuild, depending on the RPM version), so options A and C are incorrect. Although the filename megaprog.rpm is missing several conventional RPM filename components, the rpm utility doesn’t use the filename as a package validity check, so option D is incorrect. Option E describes a package upgrade, which is handled by the -U operation, not -i as in the question, so option E is incorrect.
5. A. The rpm2cpio program extracts data from an RPM file and converts it into a cpio archive that’s sent to standard output. Piping the results through cpio and using the -i and --make-directories options, as in option A, will extract those files to the current directory. Option B creates a cpio file called make-directories that contains the files from the RPM package. Option C will uninstall the package called myfonts.rpm (but not the myfonts package). The alien utility has no --to-extract target, so option D is invalid. The rpmbuild utility builds a source RPM into a binary RPM, making option E incorrect.
6. E. An uppercase -P invokes the purge operation, which completely removes a package and its configuration files, so option E is correct. The -e parameter uninstalls a package for rpm, but not for dpkg, so option A is incorrect. The lowercase -p causes dpkg to print information about the package’s contents, so option B is incorrect. The -r parameter removes a package but leaves configuration files behind, so options C and D are both incorrect. (Option D also specifies a complete filename, which isn’t used for removing a package—you should specify only the shorter package name.)
7. C. You can specify Debian package archive sites in /etc/apt/sources.list, and then you can type apt-get update and apt-get upgrade to quickly update a Debian system to the latest packages, so option C is correct. GUI package management tools for Debian and related distributions exist, but they aren’t apt-get, so option A is incorrect. The alien program can convert a tarball and install the converted package on a Debian system, but apt-get can’t do this, so option B is incorrect. dpkg and apt-get both come with all Debian-based distributions, so option D is incorrect. The dpkg program can install only Debian packages on Debian-based systems, but apt-get can work with both package systems, so option E is backward.
8. E. The --get-selections action to dpkg displays the names of all installed packages, making option E correct. There is no showall option to apt-get, so option A is incorrect. The showpkg subcommand to apt-cache displays information about a named package; when used without a package name, as in option B, it displays no data. The dpkg -r action removes a package, so option C would remove the package called allpkgs if it were installed. The dpkg -i action installs a package, so option D is incorrect—and that option doesn’t list a package name, which the -i action requires.
9. D. The update option to apt-get causes retrieval of new information, as described in option D. This option is perfectly valid, contrary to option A’s assertion. The apt-get program doesn’t permit you to upload information to the Internet repositories, so option B is incorrect. Option C describes the effect of the upgrade or dist-upgrade options, not the update option. The upgrade or dist-upgrade options can upgrade APT itself, but update alone won’t do the job, so option E is incorrect.
10. A, B. The yum utility’s update and upgrade options are nearly identical in effect, and either can be used to upgrade an individual package, such as unzip, so options A and B are both correct. The primary command options to yum don’t use dashes, so options C and D are both incorrect. The check-update option to yum checks for the availability of updates but does not install them, so option E is incorrect.
11. B. Yum uses files in the /etc/yum.repos.d directory to locate its repositories, so you can add to the repository list by adding files to this subdirectory, as option B specifies, typically either by installing an RPM or by adding a file manually. Option A describes a method of adding a repository to a computer that uses APT, not Yum. Option C’s add-repository subcommand is fictitious. Although the /etc/yum.conf file described in options D and E is real, it doesn’t store repository data.
12. B. The /etc/ld.so.conf file holds the global library path, so editing it is the preferred approach. You must then type ldconfig to have the system update its library path cache. Thus, option B is correct. Although you can add a directory to the library path by altering the LD_LIBRARY_PATH environment variable globally, as in option A, this approach isn’t the preferred one, so this option is incorrect. Option C simply won’t work. Option D also won’t work, although linking individual library files would work. This method isn’t the preferred one for adding a whole directory, though. The ldd utility displays information on libraries used by executable files, so option E won’t have the desired effect.
13. D. Libraries are selected by programmers, not by users or system administrators. If you don’t like the widgets provided by one library, you have few options, and option D is correct. (Many widget sets do provide a great deal of configurability, though, so you may be able to work around the problem in other ways.) Options A, B, and E describe fictitious options to ldconfig, rpm, dpkg, and the kernel. Option C wouldn’t work; Qt-using programs would crash when they found GTK+ libraries in place of the Qt libraries they were expecting.
14. D. The kill program accepts various signals in numeric or named form (9 in this example) along with a process ID number (11287 in this example). Signal 9 corresponds to SIGKILL, which is an extreme way to kill processes that have run out of control. Thus, option D describes the effect of this command. Although you might use kill to kill network processes, you can’t pass kill a TCP port number and expect it to work, so option A is incorrect. The program also won’t display information about the number of processes that have been killed, making option B incorrect. To do as option C suggests, you’d need to tell kill to pass SIGHUP (signal 1), so the command would be kill -1 11287, and option C is incorrect. The kill program can’t change the priority of a process, so option E is incorrect.
15. C, D. The top utility displays a dynamic list of processes ordered according to their CPU use along with additional system information, including load averages, so option C is correct. If you want only the load average at a specific moment, uptime (option D) may be better because it presents less extraneous information—it shows the current time, the time since the system was booted, the number of active users, and the load averages. Option A’s ld command has nothing to do with displaying load averages (it’s a programming tool that links together program modules into an executable program). There are no standard Linux programs called load (option B) or la (option E).
16. A. The --forest option to ps shows parent-child relationships by creating visual links between process names in the ps output, making option A correct. (Listing 2.4 shows this effect.) Options B and C are both valid ps commands, but neither creates the specified effect. Option D describes a fictitious ps option. Since options B, C, and D are incorrect, option E is also necessarily incorrect.
17. A. CPU-intensive programs routinely consume 90 percent or more of available CPU time, but not all systems run such programs. Furthermore, some types of program bugs can create such CPU loads. Thus, option A is correct, and you must investigate the matter more. What is dfcomp? Is it designed as a CPU-intensive program? Is it consuming this much CPU time consistently, or was this a brief burst of activity? Options B, C, D, and E all jump to conclusions or present fictitious reasons for the behavior being normal or abnormal.
18. E. The jobs command summarizes processes that were launched from your current shell. When no such processes are running, jobs returns nothing, so option E is correct. The jobs command doesn’t check or summarize CPU load, so option A is incorrect. The jobs command also doesn’t check for processes run from shells other than the current one, so option B is incorrect (processes running under your username could have been launched from another shell or from a GUI environment). There is no standard jobs shell in Linux, so option C is incorrect. Because the jobs output is limited to your own processes in the shell you’re running, a blank output does not indicate a crashed system, making option D incorrect.
19. C, E. The nice command launches a program (crunch in this example) with increased or decreased priority. The default priority when none is specified is 10, and the nice -10 crunch command also sets the priority to 10, so options C and E are equivalent. Option A isn’t a valid nice command because nice has no --value option. Option B is a valid nice command, but it sets the priority to −10 rather than 10. Despite the similarity in form of options C and D, option D is not a valid nice command, and so is incorrect. (When passing a numeric value to nice, you must use a preceding dash, -, or -n.)
20. D, E. Linux insulates users’ actions from one another, and this rule applies to renice; only root may modify the priority of other users’ processes, so option D is correct. Similarly, only root may increase the priority of a process, in order to prevent users from setting their processes to maximum priority, thus stealing CPU time from others, so option E is correct. Option A correctly describes nice, but not renice; the whole point of renice is to be able to change the priorities of existing processes. Contrary to option B, renice doesn’t care about the shell from which renice or the target program was launched. Users may use renice to decrease their own processes’ priorities, contrary to option C.
Chapter 3: Configuring Hardware
1. B, C. IRQs 3 and 4 are common defaults for RS-232 serial ports, so options B and C are both correct. IRQ 1 is reserved for the keyboard, so option A is incorrect. IRQ 8 is reserved for use by the real-time clock, so option D is incorrect. Although IRQ 16 exists on modern systems, it didn’t exist on early x86 systems, and its purpose isn’t standardized.
2. A. Modern firmware (BIOSs and EFIs) provide the means to disable many onboard devices, including sound hardware, in case you don’t want to use them, so option A is correct. Although the alsactl utility mentioned in option B is real, it’s used to load or store sound card mixer settings, not to disable the sound hardware. The lsmod command mentioned in option C displays information about loaded kernel modules, but it doesn’t remove them or disable the hardware they use. Similarly, option D’s lspci displays information on PCI devices but can’t disable them. Contrary to option D, on-board sound hardware can usually be disabled.
3. E. The udev software creates and manages a dynamic /dev directory tree, adding entries to that directory for devices that exist on the target system, so option E is correct. The udev software has nothing to do with software development (option A). It doesn’t unload drivers (option B) or load drivers (option C), although it does respond to the loading of drivers by creating appropriate entries in /dev. It also doesn’t store BIOS configuration options in a file (option D).
4. E. SATA disks are usually handled by Linux’s SCSI subsystem and so are referred to as /dev/sdx; however, some drivers handle these disks as if they were PATA disks and so refer to them as /dev/hdx. Thus, option E is correct, and both options A and C are incorrect. The /dev/mapper directory holds device files related to LVM and RAID configurations, not disk partition identifiers, so option B is incorrect. Option D (C:) is how Windows would likely refer to the first partition on the disk, but Linux doesn’t use this style of disk identifier.
5. A, C, D. There are no files called /proc/ioaddresses or /proc/hardware, so options B and E are both incorrect. All the other files listed contain useful information; /proc/ioports holds information about I/O ports, /proc/dma holds information about DMA port usage, and /proc/interrupts holds information about IRQs.
6. B. Logical partitions are numbered 5 and up, and they reside in an extended partition with a number between 1 and 4. Therefore, one of the first two partitions must be an extended partition that houses partitions 5 and 6, making option B correct. Because one of the first two partitions is an extended partition, the other must be a primary partition, and there can be no more of either type of partition. This makes option A incorrect. Gaps in the range of partitions 1−4 are normal in MBR disks, contrary to option C. Because logical partitions are numbered starting at 5, their numbers won’t change if /dev/sda3 is subsequently added, so option D is incorrect. On MBR disks, partitions 1−4 must be primary or extended partitions; logical partitions are numbered 5 and up. Thus, option E is incorrect.
7. E. The /etc/fstab file contains the mapping of partitions to mount points, so /etc must be an ordinary directory on the root partition, not on a separate partition, making option E correct. Although option A’s statement that the system won’t boot is correct, the reason is not; /home holds user files, not critical system files. Options B and C describe restrictions that don’t exist. Option D would be correct if /etc were not a separate partition.
8. D. The /home directory (option D) is frequently placed on its own partition in order to isolate it from the rest of the system and sometimes to enable use of a particular filesystem or filesystem mount options. The /bin and /sbin directories (options A and B) should never be split off from the root (/) filesystem because they contain critical executable files that must be accessible in order to do the most basic work, including mounting filesystems. The /mnt directory (option C) often contains subdirectories used for mounting floppy disks, CD-ROMs, and other removable media or may be used for this purpose itself. It’s seldom used to directly access hard disk partitions, although it can be used for this purpose. The /dev directory (option E) usually corresponds to a virtual filesystem, which holds pseudo-files but is not stored on a disk partition.
9. A. The 0x0f partition type code is one of two common partition type codes for an extended partition. (The other is 0x05.) The 0x82 code refers to a Linux swap partition, and 0x83 denotes a Linux filesystem partition. Thus, it appears that this disk holds Linux partitions, making option A correct. DOS, Windows 9x/Me, Windows NT/200x/XP, FreeBSD, and Mac OS X all use other partition type codes for their partitions, so options B, C, and E are all incorrect. (Mac OS X is also rarely installed to MBR disks.) Partitions exist, in part, to enable different OSs to store their data side-by-side on the same disk, so mixing several partition types (even for different OSs) on one disk does not indicate disk corruption, making option D incorrect.
10. C. Linux’s fdisk doesn’t write changes to disk until you exit the program by typing w. Typing q exits without writing those changes, so typing q in this situation will avert disaster, making option C correct. Typing w (option B) would be precisely the wrong thing to do. Because fdisk doesn’t write changes until you type w, the damage is not yet done, contrary to option A. Typing u (option D) or t (option E) would do nothing useful because those aren’t undo commands.
11. E. The mkfs command creates a new filesystem, overwriting any existing data and therefore making existing files inaccessible, as stated in option E. This command doesn’t set the partition type code in the partition table, so option A is incorrect. The mkfs command is destructive, contrary to option B. The -t ext2 option tells mkfs to create an ext2 filesystem; it’s a perfectly valid option, so option C is incorrect. Although mkfs could (destructively) convert ext2fs to ext4fs, the -t ext2 option clearly indicates that an ext2 filesystem is being created, so option D is incorrect.
12. B. Although they have similar names and purposes, Linux’s fdisk isn’t modeled after DOS’s FDISK, so option B is correct and option A is not. DOS’s FDISK does not have GUI controls, contrary to option C. Linux’s fdisk does not format floppy disks, contrary to option D. Both programs manage MBR disks, contrary to option E.
13. E. Swap partitions aren’t mounted in the way filesystems are, so they have no associated mount points, making option E correct.
14. C. The -t option is used to tell fsck what filesystem to use, so option C is correct. (If this option isn’t used, fsck determines the filesystem type automatically.) The -A option (option A) causes fsck to check all the filesystems marked to be checked in /etc/fstab. The -N option (option B) tells fsck to take no action and to display what it would normally do without doing it. The -C option (option D) displays a text-mode progress indicator of the check process. The -f option (option E) is fictitious.
15. A. A default use of df reports the percentage of disk space used (option D) and the mount point for each filesystem (option E). The number of inodes (option B) and filesystem types (option C) can both be obtained by passing parameters to df. This utility does not report how long a filesystem has been mounted (option A), so that option is correct.
16. D. The journal of a journaling filesystem records pending operations, resulting in quicker disk checks after an uncontrolled shutdown, so option D is correct. Contrary to option A, journaling filesystems are, as a class, newer than non-journaling filesystems; in fact, the journaling ext3fs is built upon the non-journaling ext2fs. Although disk checks are quicker with journaling filesystems than with non-journaling filesystems, journaling filesystems do have fsck utilities, and these may still need to be run from time to time, so option B is incorrect. All Linux-native filesystems support Linux ownership and permissions; this isn’t an advantage of journaling filesystems, contrary to option C. The journal of a journaling filesystem doesn’t provide an unlimited “undo” feature, so option E is incorrect.
17. E. When typed without a filesystem type specification, mount attempts to auto-detect the filesystem type. If the media contains any of the specified filesystems, it should be detected and the disk mounted, so option E is correct.
18. B. The /etc/fstab file consists of lines that contain the device identifier, the mount point, the filesystem type code, filesystem mount options, the dump flag, and the filesystem check frequency, in that order. Option B provides this information in the correct order and so will work. Option A reverses the second and third fields but is otherwise correct. Options C, D, and E all scramble the order of the first three fields and also specify the noauto mount option, which causes the filesystem to not mount automatically at boot time.
19. A, B, C. The user, users, and owner options in /etc/fstab all enable ordinary users to mount a filesystem, but with slightly different implications: user enables anybody to mount a filesystem, and only that user may unmount it; users enables anybody to mount a filesystem, and anybody may unmount it; and owner enables only the owner of the mount point to mount or unmount a filesystem. Thus, options A, B, and C are all correct. The owners parameter of option D doesn’t exist. The uid=1000 parameter of option E tells Linux to set the ownership of files to UID 1000 on filesystems that lack Linux permissions features. Although this might be desirable for some disks, it doesn’t enable the user with UID 1000 to mount the disk, so option E is incorrect.
20. A. Option A correctly describes the safe procedure for removing a removable medium that lacks a locking mechanism from a Linux computer. (Instead of typing umount /media/usb, you could type umount /dev/sdb1; in this context, the two commands are equivalent.) Option B reverses the order of operations; the umount command must be typed before you physically remove the flash drive. Option C also has it backward; the sync command would need to be issued before removing the drive. (The sync command can prevent damage when removing disks, but it isn’t a complete substitute for umount.) There is no standard usbdrive-remove command in Linux, and if you were to write a script that calls umount and call it usbdrive-remove, pulling the flash drive quickly, as option D describes, would be exactly the wrong thing to do. The fsck command of option E checks a filesystem for errors. It’s not necessary to do this before removing a disk, and it won’t unmount
Chapter 4: Managing Files
1. B. The touch utility updates a file’s time stamps, as option B specifies. (If the specified file doesn’t exist, touch creates an empty file.) You can’t move files with touch; that’s the job of the mv command, so option A is incorrect. Various tools can convert end-of-line formats, but touch is not one of them, so option C is incorrect. Testing the validity of disk structures, as in option D, is normally done on a whole-filesystem basis with fsck and related tools; touch can’t do this job. You can write cached data to disk for a whole filesystem by unmounting it or by using sync, but touch can’t do this, so option E is incorrect.
2. A, D. The -s and --symbolic options to ln are equivalent, and both create a symbolic (aka soft) link. Thus, options A and D are both correct. Options B, C, and E are all fictitious.
3. A. The -l parameter produces a long listing, including file sizes. The -a parameter produces a listing of all files in a directory, including the dot files. Combining the two produces the desired information (along with information about other files), so option A is correct. The -p, -R, -d, and -F options don’t have the specified effects, so the remaining options are all incorrect.
4. D. When moving from one partition or disk to another, mv must necessarily read and copy the file and then delete the original if that copy was successful, as stated in option D. If both filesystems support ownership and permissions, they’ll be preserved; mv doesn’t need an explicit --preserve option to do this, and this preservation does not rely on having exactly the same filesystem types. Thus, option A is incorrect. Although mv doesn’t physically rewrite data when moving within a single low-level filesystem, this approach can’t work when you’re copying to a separate low-level filesystem (such as from a hard disk to a pen drive); if the data isn’t written to the new location, it won’t be accessible should the disk be inserted in another computer. Thus, option B is incorrect. Although not all filesystems support ownership and permissions, many do, and these attributes are preserved when moving files between them, so option C is incorrect. Although FAT is a common choice on removable media because of its excellent cross-platform support, other filesystems will work on such disks, so option E is incorrect.
5. A, B. If you try to create a directory inside a directory that doesn’t exist, mkdir responds with a No such file or directory error. The --parents parameter tells mkdir to automatically create all necessary parent directories in such situations, so option A is correct. You can also manually do this by creating each necessary directory separately, so option B is also correct. (It’s possible that mkdir one wouldn’t be necessary in this example if the directory one already existed. No harm will come from trying to create a directory that already exists, although mkdir will return a File exists error.) Typing touch /bin/mkdir, as option C suggests, will likely result in an error message if typed as a normal user and won’t help if typed as root, so this option is incorrect. Clearing away existing directories in the one/two/three tree won’t help, so option D is incorrect. Option E’s mktree command is fictitious.
6. D, E. The cpio and tar programs are common Linux archive-creation utilities, so options D and E are both correct. The restore command restores (but does not back up) data; its backup counterpart command is dump. Thus, option A is incorrect. The vi command launches a text editor; it’s not used to create archives, so option B is incorrect. There is no standard tape command in Linux, so option C is incorrect.
7. E. With the tar utility, the --list (t) command is used to read the archive and display its contents. The --verbose (v) option creates a verbose file listing, and --file (f) specifies the filename—data79.tar in this case. Option E uses all of these features. Options A, B, C, and D all substitute other commands for --list, which is required by the question.
8. A. Symbolic links can point across filesystems, so creating a symbolic link from one filesystem (in which your home directory resides) to another (on the CD-ROM) isn’t a problem, making option A correct. Hard links, as in options B, C, and D, are restricted to a single filesystem and so won’t work for the described purpose. Because symbolic links will work as described, option E is incorrect.
9. E. Option E is the correct command. Typing chown ralph:tony somefile.txt, as in option A, sets the owner of the file to ralph and the group to tony. The chmod command used in options B and D is used to change file permissions, not ownership. Option C reverses the order of the filename and the owner.
10. C, E. The d character that leads the mode indicates that the file is actually a directory (option C), and the r symbol in the r-x triplet at the end of the symbolic mode indicates that all users of the system have read access to the directory (option E). Symbolic links are denoted by leading l characters, which this mode lacks, so option A is incorrect. Although the x symbols usually denote executable program files, as specified in option B, in the case of directories this permission bit indicates that the directory’s contents may be searched; executing a directory is meaningless. SUID bits are indicated by an s character in place of the owner’s execute bit position in the symbolic mode. Since this position holds an x in this example, option D is incorrect.
11. C. The set user ID (SUID) bit enables programs to run as the program’s owner rather than as the user who ran them. This makes SUID root programs risky, so setting the SUID bit on root-owned programs should be done only when it’s required for the program’s normal functioning, as stated in option C. This should certainly not be done for all programs because the SUID bit is not required of all executable programs as option A asserts. Although the SUID root configuration does enable programs to access device files, the device files’ permissions can be modified to give programs access to those files, if this is required, so option B is incorrect. Although SUID root programs are a security risk, as stated in option D, they’re a necessary risk for a few programs, so option D goes too far. Many program files that should not be SUID root are owned by root, so option E is incorrect.
12. E. Using symbolic modes, the o+r option adds read (r) permissions to the world (o). Thus, option E is correct. Option A sets the mode to rwxr----x, which is a bit odd and doesn’t provide world read access to the file, although it does provide world execute access. Option B sets the mode to rw-r-----, which gives the world no access whatsoever to the file. Option C adds read access to the file for the owner (u) if the owner doesn’t already have this access; it doesn’t affect the world permissions. Option D removes read access for all users, so it’s incorrect.
13. D. Option D, 027, removes write permissions for the group and all world permissions. (Files normally don’t have execute permissions set, but explicitly removing write permissions when removing read permissions ensures reasonable behavior for directories.) Option A, 640, is the octal equivalent of the desired rw-r----- permissions; but the umask sets the bits that are to be removed from permissions, not those that are to be set. Option B, 210, would remove write permission for the owner, but it wouldn’t remove write permission for the group, which is incorrect. This would also leave all world permissions open. Option C, 022, wouldn’t remove world read permission. Option E, 138, is an invalid umask, since all the digits in the umask must be between 0 and 7.
14. E. Using quotas requires kernel support, the usrquota or grpquota (for user or group quotas) filesystem mount option, and activation via the quotaon command (which often appears in system startup scripts). Thus, option E is correct. Option A suggests that quotaon is not necessary, which is incorrect. Option B’s statement that grpquota is invalid is incorrect. Option C’s statement that these options disable quota support is backward. The usrquota and grpquota options are both valid, so option D is incorrect.
15. B. The repquota utility is used to summarize the quota information about the filesystem. When used with the -a option, it shows this information for all filesystems, so option B is correct. This command won’t return useful information when typed alone, though, so option A is incorrect. The quotacheck utility checks quota information about a disk and writes corrections, so options C and D are both incorrect. The edquota utility enables you to edit quota information. It doesn’t summarize quota information, and -a isn’t a valid option to edquota. Thus, option E is incorrect.
16. D. The /opt directory tree exists to hold programs that aren’t a standard part of a Linux distribution, such as commercial programs. These programs should install in their own directories under /opt; these directories usually have bin subdirectories of their own, although this isn’t required. Thus, option D is correct (that is, it’s a plausible possibility). The /usr/sbin directory holds programs that are normally run only by the system administrator, so it’s not a likely location, making option A incorrect. The /etc/X11 directory holds X-related configuration files, so it’s very unlikely that WonderCalc will be housed there, making option B incorrect. The /boot directory holds critical system boot files, so option C is incorrect. The /sbin directory, like /usr/sbin, is an unlikely location for user files, so option E is incorrect. (Furthermore, /sbin seldom contains subdirectories.)
17. A. The find utility (option A) operates by searching all files in a directory tree, and so it’s likely to take a long time to search all of a computer’s directories. The locate program uses a precompiled database, whereis searches a limited set of directories, and type searches the shell’s path and built-in commands, so these commands will take less time. Thus, options B, C, D, and E are all incorrect.
18. C. The type command identifies a command, as executed by the shell, as being a built-in shell command, a shell alias, or an external command, whereas the whereis command helps find the location of external command files. Thus, option C is correct. Neither type nor whereis identifies the CPU architecture of a program file, can locate commands based on intended purpose, complete an incompletely typed command, or identify a command as a binary or a script; thus, the remaining options are all incorrect.
19. B. The find command includes the ability to search by username using the -user name option, where name is the username; thus, option B is correct. The -uid option to find can also locate files owned by a user, but it takes a numeric user ID (UID) number as an argument, so option A isn’t quite correct. The locate command provides no ability to search by user, so options C and D are incorrect. Although option E is a valid find command, it finds all the files under /home with a filename of karen, not all files owned by the user karen, so this option is incorrect.
20. D. The which program searches the path just as bash does, but it prints the path to the first executable program it finds on the path. Thus, option D is correct. The which program doesn’t conduct an exhaustive search of the system, so there could be many more files called man on the system, contrary to option A. System package tools and which aren’t closely related; option B is incorrect. Although /usr/bin/man would be run when the user whose which output matches that in the question types man, this may not be true of others because the path can vary from one user to another. Thus, option C is incorrect. The which program doesn’t reveal file ownership information, so option E is incorrect.
Chapter 5: Booting Linux and Editing Files
1. C. The Master Boot Record (MBR) can contain a boot loader that is up to 446 bytes in size, so option C is correct. If more space is required, the boot loader must load a secondary boot loader. Although the boot loader is loaded into RAM (option A), it’s not stored there permanently because RAM is volatile storage. Both /dev/boot and /dev/kmem (options B and D) are references to files on Linux filesystems; they’re meaningful only after the BIOS has found a boot loader and run it and lots of other boot processes have occurred. The swap partition (option E) is used as an adjunct to RAM; the BIOS won’t look there for a boot loader.
2. C. Runlevel 1 is single-user mode, and adding the digit 1 to the kernel’s options line in a boot loader will launch the system in this runlevel, so option C is correct. Options A and B both present invalid kernel options and so are incorrect. Although the telinit command specified in options D and E will change the runlevel once the computer is running and runlevel 1 is a single-user mode, these commands are not passed to the kernel via a boot loader, so these options are both incorrect.
3. D. The kernel ring buffer, which can be viewed by typing dmesg (piping this through less is a good supplement), contains messages from the kernel, including those from hardware drivers. These messages may provide a clue about why the disk didn’t appear; thus, option D is correct. The /var/log/diskerror file (option A) is fictitious, as is /mnt/disks (option B). The /etc/inittab file (option C) doesn’t directly control disk access and so is unlikely to provide useful information. The files specified in option C are GRUB Legacy and GRUB 2 configuration files, which don’t contain information that could explain why a disk isn’t responding.
4. B. Ordinarily, Linux runs init (option B) as the first program; init then runs, via various scripts, other programs. The dmesg program (option A) is a user diagnostic and information tool used to access the kernel ring buffer; it’s not part of the startup process. The startup program (option C) is fictitious. The rc program (option D) is a script that some versions of init call, typically indirectly, during the startup sequence, but it’s not the first program the kernel runs. LILO is an older boot loader for Linux on BIOS systems, and lilo (option E) is the command that installs this boot loader to the MBR. Since boot loaders run before the kernel loads, this option is incorrect.
5. D. Option D is the correct GRUB 2 configuration file. Option A is a fictitious file; it doesn’t exist. Although some of GRUB 2’s boot loader code may be written to the MBR, as implied by option B, this isn’t the location of the program’s configuration file. Options C and D are both possible names for the GRUB Legacy configuration file, but that name is not shared by GRUB 2.
6. A. The initrd keyword identifies an initial RAM disk file in the GRUB 2 configuration file, and a space separates this keyword from the filename. (Several variants on this syntax are possible.) Option B adds an equal sign (=), which renders the syntax incorrect. Options C, D, and E use the incorrect initramfs and ramdisk keywords instead of initrd.
7. D. You use grub-install to install the GRUB Legacy boot loader code into an MBR or boot sector. When using grub-install, you specify the boot sector on the command line. The MBR is the first sector on a hard drive, so you give it the Linux device identifier for the entire hard disk, /dev/sda. Hence, option D is correct. Option A specifies using the grub utility, which is an interactive tool, and the device identifier shown in option A is a GRUB-style identifier for what would probably be the /dev/sda3 partition in Linux. Option B is almost correct but installs GRUB to the /dev/sda1 partition’s boot sector rather than the hard disk’s MBR. Option C is the command to install LILO to the MBR rather than to install GRUB. Option E contains the same error as option B, and it also uses the fictitious grub-legacy command.
8. B. The root keyword in a GRUB Legacy configuration file tells the boot loader where to look for files, including its own configuration files, kernel files, and so on. Because GRUB Legacy numbers both disks and partitions starting from 0, (hd1,5) refers to the sixth partition on the second disk, as option B specifies. Option A is incorrect because you pass the Linux root partition to the kernel on the kernel line, not via the GRUB root keyword. Options A, C, and E all misinterpret the GRUB numbering scheme. The GRUB installation location is specified on the grub-install command line, so options D and E are incorrect; and /dev/hd1,5 isn’t a standard Linux device file, so option D is incorrect.
9. B. The initdefault action specifies the default runlevel, so option B is correct. The remaining options are all taken from actual /etc/inittab files but don’t have the specified meaning.
10. A, B, E. Runlevel 0 (option A) is the reserved runlevel for halting the system. Runlevel 1 (option B) is reserved for single-user mode. Runlevel 6 (option E) is reserved for rebooting. Runlevel 2 (option C) is the default runlevel on Debian and most distributions derived from it, but it does none of the things described in the question. Runlevel 5 (option D) is a regular, user-configurable runlevel, which isn’t normally used for the things described in the question. (Many systems use it for a regular boot with a GUI login prompt.)
11. B, C. The first number in the runlevel output is the previous runlevel (the letter N is used to indicate that the system hasn’t changed runlevels since booting). The second number is the current runlevel. Hence, options B and C are both correct, while options A and D are both incorrect. The runlevel changes very quickly, and the runlevel utility doesn’t provide a code to indicate that the runlevel is in the process of being changed, so option E is incorrect.
12. A. The -c option to shutdown cancels a previously scheduled shutdown, as stated in option A. Options B and C describe the effects of the -r and -h options to shutdown, respectively. No shutdown option asks for confirmation before taking action, although you can delay a shutdown by specifying a shutdown time in the future, so option D is incorrect. No shutdown option closes open windows in X, except as a consequence of shutting down, so option E is incorrect.
13. E. There is no standard takedown command in Linux, so option E is correct. The reboot command (option A) is equivalent to shutdown -r, halt (option B) is equivalent to shutdown -H, poweroff (option C) is equivalent to shutdown -P, and telinit 0 (option D) is equivalent to shutdown -H.
14. B. The telinit command is used to change runlevels; when it’s passed the 1 parameter, as in option B, telinit changes to runlevel 1, which is single-user mode. The runlevel command (option A) displays the current runlevel but doesn’t change runlevels. Although telinit can be used to shut down or reboot the computer, the shutdown command (option C) can’t be used to change runlevels except to runlevel 0 or 6. There is no standard single-user command (option D). The halt command (option E), like shutdown, can’t be used to change to single-user mode.
15. E. Runlevel 4 isn’t standardized, and most distributions don’t use it for anything specific (although in practice it will do something if you enter it). Thus, you can safely redefine runlevel 4 to achieve specific goals, and option E is correct. Option A describes runlevel 6. Option B describes runlevel 3 on Red Hat and related distributions. Option C describes runlevel 5 on Red Hat and related distributions. Option D describes runlevel 1.
16. A. In Vi, dd is the command-mode command that deletes lines. Preceding this command by a number deletes that number of lines. Thus, option A is correct. Although yy works similarly, it copies (yanks) text rather than deleting it, so option B is incorrect. Option C works in many more modern text editors, but not in Vi. Option D works in Emacs and similar text editors, but not in Vi. Option E works in many GUI text editors, but not in Vi.
17. D. The :q! Vi command does as option D states. Options A and E are both simply incorrect. Option B would be correct if this command were typed while in Vi’s insert mode, but the question specifies that command mode is in use. To achieve option C, the command would be :wq, not :q!.
18. E. Vi is included on Linux emergency disks, embedded systems, and other systems where space is at a premium because its executable is tiny. Emacs is, in contrast, a behemoth. Thus, option E is correct. Contrary to option A, Vi isn’t an X-based program (although X-based Vi variants are available); Emacs can be used in text mode or with X. Extended Binary Coded Decimal Interchange Code (EBCDIC) is an obscure 8-bit character encoding system used on some very old mainframe OSs. When run on Linux, Vi doesn’t use EBCDIC; furthermore, EBCDIC offers few or no advantages over the American Standard Code for Information Interchange (ASCII). Thus, option B is incorrect. Vi’s modes, referred to in option C, have nothing to do with non-English language support. Option D is backward; it’s Emacs that includes a Web browser, email client, and other add-ons.
19. A, B, C. Typing R (option A) in command mode enters insert mode with the system configured to overwrite existing text. Typing i or a (options B and C, respectively) enters insert mode with the system configured to insert text. (The i and a commands differ in how they place the cursor; a advances one space.) Typing : (option D) in command mode enters ex mode (you typically type the ex-mode command on the same command line immediately after the colon). Pressing the Esc key (option E) returns Vi to command mode from insert mode.
20. B. The Esc key exits Vi’s insert mode, as option B specifies. Typing a tilde (~) inserts that character into the file, so option A is incorrect. The Ctrl+X, Ctrl+C key combination exits from Emacs, but it’s not a defined Vi key sequence, so option C is incorrect. The F10 key and the Shift+Insert key combination also aren’t defined in Vi, so options D and E are both incorrect.
Chapter 6: Configuring the X Window System, Localization, and Printing
1. A. On most Linux systems, some runlevels don’t run X by default, so using one of them along with the startx program (which starts X running) can be an effective way to quickly test changes to an X configuration, making option A correct. The telinit program changes runlevels, which is a lengthy process compared to using startx, so option B is incorrect. Unplugging the computer to avoid the shutdown process is self-defeating because you’ll have to suffer through a long startup (if you use a non-journaling filesystem), and it can also result in data loss. Thus, option C is incorrect. The startx utility doesn’t check the veracity of an X configuration file; it starts X running from a text-mode login, making option D incorrect. Reconfiguring an X server does not normally require network access; the X server runs on the computer at which you sit. Thus, option E is incorrect.
2. D. The XF86Config and xorg.conf file design enables you to define variants or multiple components and easily combine or recombine them as necessary, using the structure specified in option D. Options A, B, and C all describe fictitious structures. Option E is incorrect because the X.org-X11 and XFree86 configuration files use a text-mode structure, not a binary structure.
3. C. The vertical refresh rate range includes a maximum value, but that value may be reduced when the resolution and vertical refresh rate would demand a higher horizontal refresh rate than the monitor can handle. Thus, option C is correct. Since the resolution affects the maximum refresh rate, option A is incorrect. The color depth is irrelevant to resolution and refresh rate calculations, so option B is incorrect. The computations shown in options D and E are bogus, making these options incorrect.
4. E. Option E describes the correct location for this option. The ServerLayout section (referenced in option A) combines all the other options together but doesn’t set the resolution. The Modeline option in the Monitor section (as described in option B) defines one possible resolution, but there may be several Modeline entries defining many resolutions, and there’s no guarantee that any of them will be used. The Modeline option doesn’t exist in the Device section (as suggested by option C), nor is that section where the resolution is set. There is no DefaultResolution section (as referenced in option D).
5. B. By maintaining fonts on one font server and pointing other X servers to that font server, you can reduce the administrative cost of maintaining the fonts on all the systems, so option B is correct. Font servers don’t produce faster font displays than X’s local font handling; if anything, the opposite is true. Thus, option A is incorrect. XFree86 4.x supports TrueType fonts directly, so option C is incorrect. Converting a bitmapped display into ASCII text is a function of optical character recognition (OCR) software, not a font server, so option D is incorrect. Neither X core fonts nor a font server handles font smoothing; for that, you need Xft. Thus, option E is incorrect.
6. C, E. XDMCP servers are typically launched either from a system startup script or by init (as specified in /etc/inittab), as described in options C and E. The XDMCP server then starts X. The Start folder mentioned in option A is a Windows construct, not a Linux construct. The ~/.xinitrc script mentioned in option B is an X login script used when starting X from the command line via startx; it’s not used to automatically start X when the system boots. A boot manager, as described in option D, launches the kernel; it doesn’t directly start X, so option D is incorrect.
7. E. The XDM greeting is a resource set in the /etc/X11/xdm/Xresources file, so option E is correct. XDM doesn’t offer many options on its main screen and certainly not one to change its greeting, as described in option A. The kernel doesn’t directly handle the login process, nor does it pass options directly to XDM, so option B is incorrect. Although the xorg.conf file mentioned in option C is real, this file provides no XDM configuration options because XDM is a separate program from the X server. There is no standard xdmconfig program, as mentioned in option D.
8. C. KDM and GDM add many features, one of which is a menu that enables users to select their desktop environment or window manager when they log in rather than specifying it in a configuration file, as option C states. Option A describes one of the advantages of the Secure Shell (SSH) as a remote-access protocol. Option B describes a feature common to all three XDMCP servers. Option D describes the way both KDM and XDM function; GDM is the one that presents username and password fields in series rather than simultaneously. Although a failure of X to start usually results in a fallback to a text-mode login, this feature is not provided by the XDMCP server, so option E is incorrect.
9. A. The xhost command controls various aspects of the local X server, including the remote computers from which it will accept connections, making option A correct. Option B sets the DISPLAY environment variable, which doesn’t directly affect the X server (it does tell X clients which X server to use). Option C initiates a text-mode remote login session with penguin.example.com. Option D’s xaccess is a fictitious program. Although logging into penguin.example.com via ssh may also initiate an X tunnel, this isn’t guaranteed, and such a tunnel doesn’t cause the local X server to accept direct connections from the remote computer, so option E is incorrect.
10. A. As stated in option A, GNOME, KDE, and other user programs often override the keyboard repeat settings in the X configuration file. Option B has it almost backward; most Linux distributions have abandoned XFree86, and therefore its XF86Config file, in favor of X.org-X11 and its xorg.conf file. Option C is pure fiction; xorg.conf settings apply to all varieties of keyboards, and there is no standard usbkbrate program. Although some keyboards do have hardware switches, they don’t affect X’s ability to control the keyboard repeat rate, contrary to option D. Although you can set a keyboard’s nationality in xorg.conf, this option is independent of the keyboard repeat rate settings, so option E is incorrect.
11. C, E. The Orca and Emacspeak programs both provide text-to-speech conversion facilities, so options C and E are both correct. Braille is a form of writing that uses bumps or holes in a surface that can be felt by the reader. Although Linux supports Braille output devices, the question specifies computer-generated speech, which Braille is not, so option B is incorrect. SoX (option A) is an audio format converter, but it won’t convert from text to speech. The talk program (option D) is an early Unix online text-mode “chat” program, but it has no built-in speech synthesis capabilities.
12. B, E. Time zones are determined by the /etc/localtime file, so replacing that one with the correct file (a selection is stored in /usr/share/zoneinfo) will fix the problem, making option B correct. (You may also need to edit /etc/timezone or some other file to keep automatic utilities from becoming confused.) Utilities such as tzselect will make these changes for you after prompting you for your location, so option E is also correct. The hwclock program mentioned in option A reads and writes data from the system’s hardware clock. Although it relies on time zone data, it can’t adjust your system’s time zone itself. There is no standard /etc/tzconfig file, although the tzconfig program, like tzselect, can help you set the time zone. Thus, option C is incorrect. The /etc/localtime file is a binary format; you shouldn’t attempt to edit it in a text editor, making option D incorrect.
13. D. Linux, like Unix, maintains its time internally in Coordinated Universal Time (UTC), so setting the computer’s hardware clock to UTC (option D) is the recommended procedure for computers that run only Linux. Although Linus Torvalds spent time at the University of Helsinki, Helsinki time (as in option A) has no special place in Linux. Local time (as in option B) is appropriate if the computer dual-boots to an OS, such as Windows, that requires the hardware clock to be set to local time, but this is the second-best option for a Linux-only system. Option C’s US Pacific time, like Helsinki time, has no special significance in Linux. Internet time (option E) is an obscure way to measure time that divides each day into 1,000 “beats.” It’s not a time zone and is not an appropriate way to set your hardware clock.
14. C. The LC_ALL environment variable (option C), when set, adjusts all the locale (LC_*) variables, so setting this and then running the script will make the programs that your script uses work as if on a British computer. The BIOS has no location code data, so option A is incorrect. There is no standard /etc/locale.conf file, so option B is incorrect. There is no standard locale_set utility, so option D is incorrect. Although setting the TZ environment variable, as in option E, will set the time zone for your local shell to that for Great Britain, this won’t affect the sort of text formatting options noted in the question.
15. A. The Unicode Transformation Format 8 (UTF-8) standard can encode characters for just about any language on Earth, while looking just like ordinary ASCII to programs that only understand ASCII. Thus, UTF-8 (option A) is the preferred method for character encoding when a choice is possible. ASCII (option B) is an old standard that’s adequate for English and a few other languages, but it lacks some or all characters needed by most languages. ISO-8859 (options C and D) is a standard that extends ASCII, but it requires separate encodings for different languages and so is awkward when a computer must process data from multiple languages. ATASCII (option E) is a variant of ASCII used in the 1980s by Atari for its home computers; it’s obsolete and inadequate today.
16. E. The smart filter makes a print queue “smart” in that it can accept different file types (plain text, PostScript, graphics, and so on) and print them all correctly, as in option E. Font smoothing is useful on low-resolution computer monitors, but not on most printers, and adding font smoothing is not a function of a smart filter, so option A is incorrect. A smart filter doesn’t detect confidential information (option B) or prank print jobs (option D). The lpr program can be given a parameter to email a user when the job finishes (option C), but the smart filter doesn’t do this.
17. B, D. The job ID (option B) and job owner (option D) are both displayed by lpq. Unless the application embeds its own name (option A) in the filename, that information won’t be present. Most printers lack Linux utilities to query ink or toner status (option C); certainly lpq can’t do this. Although knowing when your job will finish printing (option E) would be handy, this information is well beyond lpq’s capabilities to provide.
18. C. The lprm command (option C) deletes a job from the print queue. It can take the -Pqueue option to specify the queue and a print job number or various other parameters to specify which jobs to delete. BSD LPD, LPRng, and CUPS all implement the lprm command, so you can use it with any of these systems, making option A incorrect. Option B presents the correct syntax but the wrong command name; there is no standard lpdel command. The cupsdisable command can be used to disable the whole queue, but not to delete a single print job, so option D is incorrect. Because option C is correct, option E obviously is not.
19. B. PostScript is the de facto printing standard for Unix and Linux programs, as specified in option B. Linux programs generally do not send data directly to the printer port (option A); on a multi-tasking, multi-user system, this would produce chaos because of competing print jobs. Although a few programs include printer driver collections, most forgo this in favor of generating PostScript, making option C incorrect. Printing utilities come standard with Linux; add-on commercial utilities aren’t required, so option D is incorrect. Verdana is one of several “Web fonts” released by Microsoft. Although many Linux programs can use Verdana for printing if the font is installed, most Linux distributions don’t install Verdana by default, and few Linux programs use it for printing by default even if it’s installed, so option E is correct.
20. B. The mpage utility (option B) prints multiple input pages on a single output page, so it’s ideally suited to the specified task. PAM (option A) is the Pluggable Authentication Modules, a tool for helping to authenticate users. 4Front (option C) is the name of a company that produces commercial sound drivers for Linux. The route command (option D) is used to display or configure a Linux routing table. The 411toppm program (option E) converts files from Sony’s .411 image file format to the .ppm image file format; it doesn’t do the specified task.
Chapter 7: Administering the System
1. A. A Linux username must contain fewer than 32 characters and start with a letter, and it may consist of letters, numbers, and certain symbols. The useradd utility imposes additional restrictions: Uppercase letters and most symbols are not permitted. Of these options, only option A meets all of these criteria. Option B begins with a number and so is invalid. Option C is a legal Linux username but won’t be accepted by useradd because of its uppercase letters. Option D is too long to be legal at 33 characters, and it contains uppercase letters and underscore symbols. Option E is a legal Linux username but won’t be accepted by useradd because of the space in the name.
2. A. Groups provide a good method of file-access control, as described in option A. Although they may have passwords, these are not account login passwords, as option B suggests; those passwords are set on a per-account basis. Files do have associated groups, but these are in addition to individual file ownership and so they can’t be used to mask the file’s owner, making option C incorrect. Deleting a group does not delete all the accounts associated with the group, so option D is incorrect. Groups are not fundamentally a cross-computer construct, contrary to option E. (This option describes the function of network account databases such as LDAP accounts or Active Directory.)
3. A. The chage command changes various account expiration options. The -M parameter sets the maximum number of days for which a password is valid, and in the context of the given command, time is a username. Thus, option A is correct. Options B, C, D, and E are all made up.
4. B, D. As stated in option B, Linux usernames may not begin with numbers, so the username (4sally) is invalid. The /etc/passwd entries have third and fourth fields of the UID and the GID, but this line has only one of those fields (which one is intended is impossible to determine); this example line’s fourth field is clearly the fifth field of a valid entry. Thus, option D is correct. Option A is incorrect because, although /bin/passwd is an unorthodox login shell, it’s perfectly valid. This configuration might be used on, say, a Samba file server or a POP mail server to enable users to change their passwords via SSH without granting login shell access. Option C is a correct observation but an incorrect answer; the username and the user’s home directory name need not match. The encrypted password is officially stored in the second field (x in this example), but in practice, most Linux computers use shadow passwords, and an x value for the password is consistent with this use, so option E is incorrect.
5. D. Option D shows a valid /etc/group entry that has the desired effect. (Note that the order of users in the comma-separated user list is unimportant.) Option A has two problems: It’s missing a password field (x in the correct entry), and the usernames are separated by spaces rather than commas. Option B also has two problems: It’s missing a password field, and its usernames are separated by colons rather than commas. Option C has just one problem: Its usernames are separated by colons rather than commas. Option E has two problems: Its password and GID fields are reversed, and its usernames are separated by backslashes rather than commas.
6. B, C, D. Files in /etc/skel are copied from this directory to new users’ home directories by certain account-creation tools. Thus, files you want in all new users’ home directories should reside in /etc/skel. Options B, C, and D all describe reasonable possibilities, although none is absolutely required. Including a copy of /etc/shadow in /etc/skel (option A) would be a very bad idea, because this would give all users access to all other users’ encrypted passwords, at least as of the moment of account creation. You wouldn’t likely find package management databases (option E) in /etc/skel, since users don’t need privileged access to this data, nor do they need individualized copies of it.
7. C. The userdel command deletes an account, and the -r option to userdel (option C) causes it to delete the user’s home directory and mail spool, thus satisfying the terms of the question. Option A deletes the account but leaves the user’s home directory intact. Option B does the same; the -f option forces account deletion and file removal under some circumstances, but it’s meaningful only when -r is also used. Option D’s rm command deletes the user’s home directory (assuming it’s located in the conventional place, given the username) but doesn’t delete the user’s account. Option E’s usermod command can modify accounts, including locking them, but it can’t delete accounts. Furthermore, the -D option to usermod is fictitious.
8. E. The emerg priority code (option E) is the highest code available and so is higher than all the other options. (The panic code is equivalent to emerg but isn’t one of the options.) From highest to lowest priorities, the codes given as options are emerg, crit, warning, info, and debug.
9. A. The logrotate program consults a configuration file called /etc/logrotate.conf (option A), which includes several default settings and typically refers to files in /etc/logrotate.d to handle specific log files. The remaining options are all fictitious, at least as working log files for logrotate.
10. D. The logger utility can be used to create a one-time log file entry that you specify. In its simplest form, it takes no special arguments, just a message to be inserted in the log file, as in option D. The dmesg utility in option A is used to review the kernel ring buffer; it doesn’t create log file entries. Option B’s syslog command isn’t a Linux user-mode command, although it is the name of the logging system generically, as well as a programming language command name. Option C’s rsyslogd is the name of one of several system logging daemons; it maintains the system log but isn’t used to manually insert log entries. Option E’s wall command writes a message to all users’ terminals. Although you might want to use wall prior to shutting down so as to alert users of this fact, it won’t create a log file entry as the question requires.
11. C. The logrotate program can be started automatically—and unattended—on a regular basis by adding an entry for it in cron, so option C is correct. The at utility (option A) would be used if you wanted the program to run only once. logrotate.d (option B) defines how the program is to handle specific log files. The inittab file (option D) is used for services and startup and not for individual programs. The ntpd program (option E) is the Network Time Protocol daemon, which synchronizes the system’s clock with outside time sources.
12. E. The hwclock utility is used to view or set the hardware clock. The --utc option tells it to use UTC, which is appropriate for a Linux-only system, and --systohc sets the hardware clock based on the current value of the software clock. Thus, option E is correct. Option A’s date utility can be used to set the software clock but not the hardware clock; it has no --sethwclock option. Option B’s ntpdate is used to set the software clock to the time maintained by an NTP server; it doesn’t directly set the hardware clock. Option C’s sysclock utility is fictitious. Option D’s time command is used to time how long a command takes to complete; it has no --set or --hw option and does not set the hardware clock.
13. A. The format of the date command’s date code is [MMDDhhmm[[CC]YY][.ss]]. Given that the question specified an eight-digit code, this means that the ordering of the items, in two-digit blocks, is month-day-hour-minute. Option A correctly parses this order, whereas options B, C, D, and E do not.
14. C. Multiple server entries in /etc/ntp.conf tell the system to poll all the named servers and to use whichever one provides the best time data. Thus, option C is correct. (The pool.ntp.org subdomain and numbered computers within that subdomain give round-robin access to a variety of public time servers.) Options A and B both incorrectly state that one server statement overrides another, when in fact this isn’t the case. The server statements shown in the question are properly formed. These server entries are properly formed, so option D is incorrect. Although it is true that this configuration will result in use of tardis.example.com should the public-pool server be unavailable, as option E states, this is not the only reason the NTP server will use tardis.example.com; this could happen if the public-pool server provides an inferior time signal, for instance. Thus, option E is incorrect.
15. D. Once you’ve configured one computer on your network to use an outside time source and run NTP, the rest of your computers should use the first computer as their time reference. This practice reduces the load on the external time servers, as well as your own external network traffic. Thus, option D is correct. (Very large networks might configure two or three internal time servers that refer to outside servers for redundancy, but this isn’t necessary for the small network described in the question.) Option A describes the procedure to locate a time server for the first computer configured (gateway.pangaea.edu) but not for subsequent computers. Although configuring other computers to use ntp.example.com instead of or in addition to gateway.pangaea.edu is possible, doing so will needlessly increase your network traffic and the load on the ntp.example.com server. Thus, options B and C are both incorrect. Contrary to option E, NTP is suitable for use on small local networks, and in fact it’s very helpful if you use certain protocols, such as Kerberos.
16. B, D. The cron utility is a good tool for performing tasks that can be done in an unsupervised manner, such as deleting old temporary files (option B) or checking to see that servers are running correctly (option D). Tasks that require interaction, such as creating accounts (option C), aren’t good candidates for cron jobs, which must execute unsupervised. Although a cron job could restart a crashed server, it’s not normally used to start a server when the system boots (option A); that’s done through system startup scripts or a super server. Sending files to a printer (option E) is generally handled by a print server such as CUPS.
17. B. User cron jobs don’t include a username specification (tbaker in options A and C). The */2 specification for the hour in options C and D causes the job to execute every other hour; the 7,19 specification in options A and B causes it to execute twice a day, on the 7th and 19th hours (in conjunction with the 15 minute specification, that means at 7:15 a.m. and 7:15 p.m.). Thus, option B provides the correct syntax and runs the job twice a day, as the question specifies, whereas options A, C, and D all get something wrong. Option E causes the job to run once an hour, not twice a day.
18. B. The anacron program is a supplement to cron that helps ensure that log rotation, /tmp directory cleanup, and other traditional cron tasks are handled even when the computer is shut down (and, hence, when cron isn’t running) for extended periods of time. Thus, this is the program to add to the system to achieve the stated goal, and option B is correct. There is no common Linux utility called tempus, so option A is incorrect. Option C’s crontab is the name of a file or program for controlling cron, which is likely to be an unreliable means of log rotation on a laptop computer. The ntpd program (option E) is the NTP daemon, which helps keep the system clock in sync with an external source. Although running ntpd on a laptop computer is possible, it won’t directly help with the task of scheduling log rotation. The syslog-ng package is an alternative system log daemon, but this program doesn’t help solve the problem of potentially unreliable log rotation on laptops when using standard cron utilities.
19. E. The at command runs a specified program at the stated time in the future. This time may be specified in several ways, one of which is teatime, which stands for 4:00 p.m. Thus, option D is correct. The objections stated in options A, B, C, and D are all invalid. (You may pass a script to at with the -f parameter, but this isn’t required, contrary to option D.)
20. A, C. The contents of /etc/cron.daily are automatically run on a daily basis in most Linux distributions, and the crontab utility can create user cron jobs that run programs at arbitrary time intervals, so both A and C are correct. The at command noted in option B can be used to run a program a single time, but not on a regular basis (such as daily). Option D’s run-parts utility is used by some distributions as a tool to help run programs in the /etc/cron.* subdirectories, but it’s not used to schedule jobs. Although the crontab program can maintain user crontabs, it’s not used as shown in option E, and it has no -d parameter at all.
Chapter 8: Configuring Basic Networking
1. A, B, E. Ethernet (option B) is currently the most common type of wired network hardware for local networks. Linux supports it very well, and Linux also includes support for Token Ring (option A) and Fibre Channel (option E) network hardware. DHCP (option C) is a protocol used to obtain a TCP/IP configuration over a TCP/IP network. It’s not a type of network hardware, but it can be used over hardware that supports TCP/IP. NetBEUI (option D) is a network stack that can be used instead of or in addition to TCP/IP over various types of network hardware. Linux doesn’t support NetBEUI directly.
2. B. IP addresses consist of four 1-byte numbers (0−255). They’re normally expressed in base 10 and separated by periods. 63.63.63.63 meets these criteria, so option B is correct. 202.9.257.33 includes one value (257) that’s not a 1-byte number, so option A is incorrect. 107.29.5.3.2 includes five 1-byte numbers, so option C is incorrect. 98.7.104.0/24 (option D) is a network address—the trailing /24 indicates that the final byte is a machine identifier, and the first 3 bytes specify the network. Option E, 255.255.255.255, meets the basic form of an IP address, but it’s a special case—this is a broadcast address that refers to all computers, rather than the single computer specified by the question.
3. C. The gateway computer is a router that transfers data between two or more network segments. As such, if a computer isn’t configured to use a gateway, it won’t be able to communicate beyond its local network segment, making option C correct. A gateway is not necessary for communicating with other systems on the local network segment, so option A is incorrect. If your DNS server is on a different network segment, name resolution via DNS won’t work, as stated in option B; however, other types of name resolution, such as /etc/hosts file entries, will still work, and the DNS server might be on the local network segment, so option B is incorrect. Gateways play the same function in both IPv4 and IPv6 networking, so option D is incorrect. DHCP functions fine without a gateway, provided a DHCP server is on the same local network segment as its clients (as is normally the case), so option E is incorrect.
4. D. The Secure Shell (SSH) protocol uses port 22, so if the traffic to port 22 is using the correct protocol, it’s SSH traffic, and option D is correct. The Hypertext Transfer Protocol (HTTP; option A) is conventionally bound to port 80; the Simple Mail Transfer Protocol (SMTP; option B) uses port 25; Telnet (option C) uses port 22; and the Network News Transfer Protocol (NNTP; option E) uses port 119. None of these would normally be directed to port 22.
5. D. The Interactive Mail Access Protocol (IMAP) is assigned to TCP port 143. Ports 21, 25, 110, and 443 are assigned to the File Transfer Protocol (FTP), the Simple Mail Transfer Protocol (SMTP), the Post Office Protocol version 3 (POP-3), and the Hypertext Transfer Protocol over SSL (HTTPS), respectively. Although some IMAP server programs also support POP-3 and might therefore listen to both ports 110 and 143, the question specifies IMAP exchanges, so option D is the only correct answer.
6. C, E. Option C, dhcpd, is the Linux DHCP server. Option E, ifconfig, can be used for network configuration but is not itself a DHCP client. The others are all DHCP clients. Any given computer will use just one DHCP client (or none at all), but from one to three of A, B, and D will be available choices.
7. B, C. When used to display information on an interface, ifconfig shows the hardware and IP addresses (options B and C) of the interface, the protocols (such as TCP/IP) bound to the interface, and statistics on transmitted and received packets. This command does not return information about programs using the interface (option A), the hostname associated with the interface (option D), or the kernel driver used by the interface (option E).
8. A. The host program (option A) is a commonly used program to perform a DNS lookup. There is no standard dnslookup program (option B), although the nslookup program is a deprecated program for performing DNS lookups. pump (option C) is a DHCP client. ifconfig (option D) is used for configuration of networking parameters and cards. netstat (option E) is a general-purpose network diagnostic tool.
9. B. To add a default gateway of 192.168.0.1, the command would be route add default gw 192.168.0.1, as in option B. Specifying the IP address of the host system (as in options A, C, and D) is not necessary and in fact will confuse the route command. Although route provides a -host option, using host (without a dash), as in option E, is incorrect. Furthermore, option E omits the critical add parameter.
10. A, B. The dhclient utility, if installed, attempts to configure and bring up the network(s) passed to it as options (or all networks if it’s given no options) using a DHCP server for guidance. Thus, option A may work, although it won’t work if no DHCP server is available. Option B applies whatever network options are configured using distribution-specific tools and brings up the network. Thus, options A and B both may work, although neither is guaranteed to work. Option C displays the network status of eth1, but it won’t activate eth1 if it’s not already active. There is no standard network utility in Linux, so option D won’t work. The netstat utility is a network diagnostic tool; it won’t bring up a network interface, so option E is incorrect.
11. E. Although not all systems use /etc/hostname, option E correctly describes it for those systems that use it. The file or files that hold information on package repository servers vary from one package system to another, so option A is incorrect. Option B describes the purpose of /etc/resolv.conf. Option C describes the purpose of /etc/hosts. Option D doesn’t describe any standard Linux configuration file, although the gateway computer’s IP address is likely to appear in a distribution-specific configuration file.
12. C. The traceroute command (option C) identifies the computers that lie between your own computer and a destination computer, along with some very basic information about network packet travel time and reliability. Thus, traceroute can help you track down the source of the described problem—perhaps a router that’s critical to reaching all of the non-responsive systems has failed. The netstat and ifconfig utilities of options A and D both provide information about local network configuration options, but they most likely won’t be of much help in diagnosing a problem that affects only some sites. The ping utility (option B) may help you quickly identify sites that have failed but won’t be of much use beyond that. You can use dig (option E) to obtain information on the mapping of hostnames to IP addresses, but it won’t help in resolving basic connectivity problems.
13. B, D. DNS problems can manifest as an ability to connect to computers using IP addresses but not using hostnames. Thus, options B and D (and various other DNS-related problems) could create the symptoms described. If the target system were configured to ignore ping packets, as described in option A, then it wouldn’t respond when you identified it by IP address. The target system’s DNS configuration (option C) doesn’t enter into the equation, because it responds to the ping request via IP address alone. Your own computer’s locally set hostname (in /etc/hostname) isn’t used by the remote system to reply, so option E is incorrect.
14. C. The netstat program produces various network statistics, including the process IDs (PIDs) and names of programs currently accessing the network when passed the -p parameter. Thus, option C is correct. The ifconfig program can’t produce this information, and the -p option to this program is fictitious, so option A is incorrect. Option B’s /proc/network/programs file is also fictitious. Option C’s /etc/xinetd.conf file is real and may provide some information about some servers that are using the network (as described in Chapter 10); but this file won’t provide information about all servers, much less about clients that are accessing the network. The dmesg command displays the kernel ring buffer, which doesn’t contain information on programs that are currently accessing the network, so option E is incorrect.
15. A, D. If you get any response at all, you know that the basic network connection is working, including that the server is responding to the client. With basic knowledge of IMAP commands, telnet enables you to test the server’s responses in more detail than most IMAP clients (mail readers) permit. Thus, options A and D are both correct. Option C describes the functionality of traceroute or tracepath; telnet provides no information about intermediate routers’ functionality, so option B is incorrect. Because neither telnet nor IMAP on port 143 uses encryption, option C is incorrect. Furthermore, a packet sniffer is likely to have no effect on the transfer of data; it just copies the data so that the packet sniffer’s user can see it. Although telnet can be used for remote access in a way that could make option E correct, the question specifies using telnet to connect to port 143, which is the IMAP port, not the Telnet port. Thus, option E is incorrect. (Furthermore, using telnet for remote administration is very risky, since telnet is an unencrypted protocol.)
16. B. The computer’s IP address (172.25.78.89) and netmask (255.255.255.0) mean that the computer can directly address computers with IP addresses in the range of 172.25.78.1 to 172.25.78.254, but the gateway address (172.25.79.1) is outside of this range. Thus, either the IP address or the gateway address is wrong, and option B is correct. Nothing about the way DNS operates necessitates that the DNS server be on the same network segment as the DNS client, so option A is incorrect. Although private IP addresses are often isolated from the Internet, as option C specifies, Network Address Translation (NAT) can get around this limitation. Thus, although there could be some truth to option C, it’s not certain to be true. The class A/B/C distinctions are just guidelines that can be overridden by specific configurations. Thus, option D is incorrect. Option E’s assertion that ifup is used only on computers that use DHCP is incorrect; ifup can work on computers that use static IP addresses, provided that the relevant information is entered correctly.
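The check described in answer 16, together with the 1-byte octet rule from answer 2 of this chapter, as an added example that is not from the book: a POSIX shell sketch that validates dotted-quad addresses and tests whether a gateway is directly reachable under a given netmask. The function names ip_to_int and gateway_on_link are made up for this illustration, and rejecting leading zeros and the network and broadcast addresses are assumptions of the sketch.

```shell
#!/bin/sh
# ip_to_int DOTTED_QUAD
# Prints the address as a 32-bit integer; returns 1 if it is not exactly
# four decimal octets in the range 0-255.
ip_to_int() (
    addr=$1
    case $addr in
        ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;;   # empty, stray chars, empty octet
    esac
    IFS=.
    set -- $addr                  # split on dots into $1..$n
    [ $# -eq 4 ] || exit 1        # e.g. 107.29.5.3.2 has five octets
    value=0
    for octet in "$@"; do
        [ ${#octet} -le 3 ] || exit 1
        case $octet in
            0?*) exit 1 ;;        # leading zero: some parsers read it as octal
        esac
        [ "$octet" -le 255 ] || exit 1       # e.g. 257 is not a 1-byte number
        value=$(( (value << 8) | octet ))
    done
    printf '%s\n' "$value"
)

# gateway_on_link IP NETMASK GATEWAY
# Returns 0 if GATEWAY is a usable host address on the same network as IP,
# 1 if it is not, and 2 if any argument is malformed.
gateway_on_link() (
    ip=$(ip_to_int "$1")   || exit 2
    mask=$(ip_to_int "$2") || exit 2
    gw=$(ip_to_int "$3")   || exit 2
    hostmask=$(( mask ^ 4294967295 ))        # bits that identify the host
    # Different network part: the gateway cannot be reached directly.
    [ $(( ip & mask )) -eq $(( gw & mask )) ] || exit 1
    # Host part all zeros (network) or all ones (broadcast) is not a host.
    [ $(( gw & hostmask )) -ne 0 ] || exit 1
    [ $(( gw & hostmask )) -ne "$hostmask" ] || exit 1
    exit 0
)

# Values from the answer above: the gateway lies outside 172.25.78.0/24.
if gateway_on_link 172.25.78.89 255.255.255.0 172.25.79.1; then
    echo "gateway is on the local segment"
else
    echo "gateway is not on the local segment; check the IP address or gateway"
fi
```

With a netmask of 255.255.254.0 the same two addresses share a network, which is why the netmask has to be part of the check.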
17. E. The -n option is used when you want to use route to display the current routing table, and it does as option E specifies. There is no route parameter that behaves as options A or C specify. Option B describes the purpose of the netmask parameter to route. Option D describes the purpose of the -net parameter to route.
18. E. Option E correctly identifies the function of /etc/resolv.conf. Option A describes the purpose of /etc/services. Various distribution-specific configuration files perform the function described in option B, but /etc/resolv.conf is not one of these files. A DHCP client sends a broadcast to locate a DHCP server; there is no client configuration file that holds the DHCP server’s address, as option C describes. The routing table is maintained internally, although basic routing information may be stored in distribution-specific configuration files, so option D is also incorrect.
19. B. The /etc/hosts file holds mappings of IP addresses to hostnames, on a one-line-per-mapping basis. Thus, option B is correct. The file does not list the users (option C) or other hosts (option A) allowed to remotely access this one, affect remote administration through a Web browser (option D), or map port numbers to protocols (option E).
20. D. The /etc/nsswitch.conf file controls the order of name resolution, among other things. Option D correctly describes the procedure for changing the order in which Linux performs name resolution. The /etc/resolv.conf file mentioned in option A controls the DNS servers that Linux consults, but it doesn’t control access to /etc/hosts. Option B’s nslookup command resolves a hostname, so option B will return the IP address of the computer called dns, if Linux can find such a system. The /etc/named.conf file of option C is the configuration file for the standard name server. This server isn’t likely to be installed on most Linux systems, and even if it is, the procedure described in option C is invalid. Like option B’s nslookup, option E’s dig looks up hostname-to-IP-address mappings, so option E will display such mappings for the computers called local and dns, if they exist.
Chapter 9: Writing Scripts, Configuring Email, and Using Databases
1. E. The current directory indicator is particularly dangerous in root’s PATH environment variable because it can be used by unscrupulous local users to trick root into running programs of the unscrupulous user’s design. Thus, option E is correct and all the other options are incorrect.
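An added example, not from the book: a POSIX shell function that audits a PATH value for entries that make the shell search the current directory. It goes beyond the literal . entry the answer names and also flags empty entries (a leading, trailing, or doubled colon) and relative directories, which the shell resolves against the current directory in the same way. The function name audit_path and the sample PATH value are constructed for this illustration.

```shell
#!/bin/sh
# audit_path PATH_VALUE
# Prints one line per entry that makes command lookup depend on the current
# working directory. Returns 0 if the value is clean, 1 if anything was flagged.
audit_path() (
    rest="$1:"          # sentinel colon so the last field is always terminated
    index=0
    risky=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}        # text before the first colon
        rest=${rest#*:}          # everything after that colon
        index=$((index + 1))
        case $entry in
            '')  reason='empty entry, searched as the current directory' ;;
            .)   reason='explicit current directory' ;;
            /*)  continue ;;     # absolute path: independent of the cwd
            *)   reason='relative path, resolved against the current directory' ;;
        esac
        printf 'entry %d [%s]: %s\n' "$index" "$entry" "$reason"
        risky=$((risky + 1))
    done
    [ "$risky" -eq 0 ]
)

# Constructed sample value, not taken from a real system. It contains an
# explicit "." and a doubled colon, which hides an empty entry.
SAMPLE_ROOT_PATH='/usr/local/sbin:/usr/sbin:.:/usr/bin::/bin'
audit_path "$SAMPLE_ROOT_PATH" || echo 'PATH needs cleanup before root uses it'
```

Run it against root’s real value with audit_path "$PATH" from a root shell; the empty-entry case is the one most often missed, because a trailing colon left by a careless PATH=$PATH:$EXTRA assignment looks harmless.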
2. A. The alias built-in command creates a duplicate name for a (potentially much longer) command. Option A shows the correct syntax for using this built-in command; it causes the new alias cdpt to work like the much longer cd ~/papers/trade. The export command in option B creates an environment variable called cdpt that holds the value cd ~/papers/trade. This will have no useful effect. Option C, if placed in a bash startup script, will cause the user’s current directory to shift to ~/papers/trade immediately after the user logs in. There is no standard shortcut command, so option D is meaningless. Although env is a valid command, it’s used incorrectly in option E, and so this option is incorrect.
3. E. Some programs use the EDITOR environment variable as described in option E. Contrary to option A, the EDITOR environment variable has nothing to do with command-line editing. When you’re typing at a bash command prompt, bash itself provides simple editing features, so option B is incorrect. (You can launch the editor specified by $EDITOR by typing Ctrl+X followed by Ctrl+E, though.) The edit command doesn’t behave as option C suggests. (This command may be configured differently on different systems.) You can create links called GUI and TEXT to have the EDITOR environment variable behave as option D suggests, but this isn’t a normal configuration.
4. C. The PWD environment variable holds the present working directory, so option C is correct. The PATH environment variable (option A) holds a colon-delimited list of directories in which executable programs are stored so that they may be run without specifying their complete pathnames. There are no standard CWD, PRESENT, or WORKING environment variables, so options B, D, and E are all incorrect.
5. A. Option A creates the desired environment variable. Option B creates a local variable—but not an environment variable—called MYVAR, holding the value mystuff. After typing option B, you can also type export MYVAR to achieve the desired goal, but option B by itself is insufficient. Option C isn’t a valid bash shell command. Option D displays the contents of the MYVAR variable and also echoes mystuff to the screen, but it doesn’t change the contents of any environment variable. Option E’s setenv isn’t a valid bash command, but it will set an environment variable in tcsh.
6. E. The ~/.bashrc file is a non-login bash startup script file. As such, it can be used to alter a user’s bash environment, and option E is correct. There is no standard ~/.startup file for bash, so option A is incorrect. The /etc/bashrc file is a global bash startup script. Editing it will modify users’ bash environments, but an individual user should not be able to modify it, so option B is incorrect. There is no standard /home/.bashrc file; this option would be correct only if the user’s home directory were set to /home, which would almost certainly be an error. Thus, option C is incorrect. Likewise, option D’s /home/profilerc doesn’t refer to a user’s configuration file; and even if it did, profilerc isn’t a valid bash configuration filename (although ~/.profile is a valid user configuration file and /etc/profile is a valid global configuration file).
7. A, D. The env command displays all defined environment variables, so option A satisfies the question. (In practice, you might pipe the results through grep to find the value of a specific environment variable.) The echo command, when passed the name of a specific environment variable, displays its current value, so option D is also correct. DISPLAY is an environment variable, but it’s not a command for displaying environment variables, so option B is incorrect. You can use the export command to create an environment variable but not to display the current settings for one, so option C is incorrect. Option E’s cat command concatenates files or displays the contents of a file to the screen, but it doesn’t display environment variables.
8. E. Scripts, like binary programs, normally have at least one executable bit set, although they can be run in certain ways without this feature. Thus, you should use chmod, as in option E. You should not, however, use chmod to set the set-user-ID (SUID) bit, as in option A, since this would be a security risk for most scripts. There is no standard /usr/bin/scripts directory, and scripts can reside in any directory, so option B is incorrect. Scripts are interpreted programs, which means they don’t need to be compiled, making option C incorrect. (Typing bash scriptname will run the script, though.) Viruses are extremely rare in Linux, and because you just created the script, the only ways it could possibly contain a virus would be if your system was already infected or if you wrote it as a virus. Thus, option D is incorrect.
9. C. The cp command is the only one called in the script, and that command copies files. Because the script passes the arguments ($1 and $2) to cp in reverse order, their effect is reversed—where cp copies its first argument to the second name, the cp1 script copies the second argument to the first name. Thus, option C is correct. Because the order of arguments to cp is reversed, option A is incorrect. The cp command has nothing to do with compiling (option B) or converting (option D) C or C++ programs, so neither does the script. The reference to /bin/bash in the first line of the script identifies the script itself as being a bash script; it does not cause the arguments to the script to be run as bash scripts, so option E is incorrect.
10. C. Conditional expressions enable the script to execute different sets of instructions depending on some condition, as described in option C. They have nothing to do with license conditions (option A), the computer’s environment (option B), or Pavlovian conditioning (option D). Although code readability can be influenced by proper or improper use of many programming features, including conditional expressions, this isn’t the primary purpose of conditional expressions, so option E is incorrect.
11. B, D. Valid shell scripts begin with the characters #! and the complete path to a program that can run the script. Options B and D both meet this description, because /bin/bash is a shell program that’s installed on virtually all Linux systems and /bin/sh is usually a link to /bin/bash or to some other valid shell. There is no standard /bin/script program, so option A is incorrect. Options C and E are both almost correct; /bin/tcsh and /bin/zsh are valid shells on many systems, but the order of the first two characters is reversed, so this option is incorrect.
12. A, B, D. The for, while, and until statements are all valid looping statements in bash, so options A, B, and D are all correct. There is no goto statement in bash’s scripting language, so option C is incorrect. The case statement is a conditional, not a looping, statement in bash, so option E is incorrect.
13. E. All SMTP email servers are supposed to accept email to postmaster. Linux systems typically do so by using an alias to forward the email to another local user, or occasionally to a user on another computer. Thus, option E is correct. Option A would be rude and pointless in this case, although this type of response is used by some administrators when receiving mail from known spam sites, so as to degrade spammers’ operations. Options B and D both describe non-delivery of the message, in violation of proper email server configuration. Option C is effectively the same as option D unless creation of the postmaster account is imminent, and an email server would have no way of knowing this.
14. C. The Fetchmail program is a tool for retrieving email from remote POP or IMAP servers and injecting it into a local (or remote) SMTP email queue. As such, it’s not an SMTP server, so option C is correct. Postfix (option A), sendmail (option B), Exim (option D), and qmail (option E) are all popular SMTP email servers for Linux.
15. B. The -s option to mail sets the message subject line, and -c sets carbon copy (cc:) recipients. Input redirection (via <) reads the contents of a line into mail as a message. A mail command line normally terminates with the primary recipient. Thus, option B correctly describes the effect of the specified line. Options A, C, D, and E are all confused in their interpretation of the effects of mail parameters. Options B and D also confuse input and output redirection, and option A incorrectly suggests that a script (or the mail program) can elevate its run status to root privileges.
16. D. SMTP servers accept local email for delivery even if their Internet connections are down. If the SMTP server can’t contact recipient servers, the SMTP server holds the email and attempts delivery later, so option D is correct. Because SMTP servers don’t check on the availability of remote servers until after email is accepted for delivery, option A is incorrect. Option B can’t possibly be correct unless the server has a backup Internet connection, which wasn’t specified in the question. Option C isn’t correct because the SMTP server will hold the mail and attempt delivery later. How recipients retrieve their mail is not under your control, so option E is incorrect.
17. B. The /etc/aliases file configures system-wide email forwarding. The specified line does as option B describes. A configuration like this one is common. Option A has things reversed. Option C is not a valid conclusion from this evidence alone, although an intruder may conceivably be interested in redirecting root’s email; so if jody shouldn’t be receiving root’s email, this should be investigated further. Although the effect of option D (jody reading root’s email) is nearly identical to the correct answer’s effect, they are different; jody cannot directly access the file or directory that is root’s email queue. Instead, the described configuration redirects root’s email into jody’s email queue. Thus, option D is incorrect. Because /etc/aliases is an email configuration file, not an account configuration file, it can’t have the effect described in option E.
18. B. The CREATE DATABASE command creates a new database with the specified name. Because SQL commands are case-insensitive, this command may be typed in uppercase or lowercase, and option B is correct. Options A and C both use the incorrect command NEW rather than CREATE, and option C specifies the database name as FISH rather than fish. (Database names are case-sensitive.) Option D reverses the order of the CREATE and DATABASE keywords. Option E uses the fictitious command DB.
19. A, D. A single database may hold multiple tables, as option A suggests. Option D is also correct; by splitting data across tables (such as into tables describing objects generically and specifically), databases can be more space-efficient. Option B is incorrect because the DROP command doesn’t combine tables; it deletes a table! Option C is incorrect because it reverses the meaning of rows and columns in a SQL table. A lossy compression algorithm, as the name suggests, deliberately corrupts or loses some data—an unacceptable option for a text database, making option E incorrect. (Lossy compression is used for some audio and video file formats, though.)
20. C. The UPDATE command modifies existing database table entries, and in this case it does so as option C describes. Option B also describes an update operation, but in a confused and incorrect way. Options A and D both describe database retrieval operations, but UPDATE doesn’t retrieve data. Option E mistakenly identifies stars as a database name, but it’s a table name; and it mistakenly identifies the operation as adding a new entry (INSERT in SQL) rather than as modifying an existing entry (UPDATE in SQL).
Chapter 10: Securing Your System
1. E. The server names alone are insufficient to determine whether they’re legitimate. The computer in question may or may not need to run any of these servers, and their presence may or may not be intentional, accidental, or the sign of an intrusion. Thus, option E is correct. Contrary to option A, the mere presence of an SSH server does not ensure security. Although, as option B asserts, FTP is not a secure protocol, it’s still useful in some situations, so the mere presence of an FTP server is not, by itself, grounds for suspicion. Similarly, in option C, although some administrators prefer Postfix or qmail to sendmail for security reasons, sendmail isn’t necessarily bad, and the names alone don’t guarantee that the sshd and proftpd servers are legitimate. As option D states, sendmail and proftpd both use unencrypted text-mode transfers; but this is appropriate in some situations, so option D is incorrect.
2. C. Although Nmap and other port scanners are useful security tools, they’re also used by crackers, and many organizations have policies restricting their use. Thus, you should always obtain permission to use such tools prior to using them, as option C specifies. A port scanner can’t cause damage to /etc/passwd, so there’s no need to back it up, contrary to option A. A port scanner also doesn’t need the root password on a target system to operate, so you don’t need this information, making option B incorrect. (In fact, asking for the root password could be seen as extremely suspicious!) Although you could use sudo to run Nmap, there’s no need to do so to perform a TCP scan, and you can perform a UDP scan by running Nmap as root in other ways (such as via a direct login or by using su). Thus, option D isn’t strictly necessary, although you might want to tweak /etc/sudoers as a matter of system policy. As a firewall is part of your network’s security, you probably want it running when you perform a network scan, contrary to option E. Furthermore, it would be safer to leave the firewall running and scan from behind it, if you want to test the security of the network in case of a firewall breach.
3. C. The /etc/security/limits.conf (option C) file holds the configuration settings that allow you to limit users’ access. The other options listed don’t give the correct path to this file.
4. A, B, C. Nmap (option A) is usually used to perform scans of remote computers, but it can scan the computer on which it’s run, as well. The netstat (option B) and lsof (option C) utilities can both identify programs that are listening for connections (that is, open ports) on the local computer. The portmap program (option D) is used by the Network File System (NFS) and some other servers, but it’s not used to identify open ports. There is no standard Linux services program (option E), although the /etc/services file holds a mapping of port numbers to common service names.
5. B. The -perm option to find locates files with the specified permissions, and +4000 is a permission code that matches SUID files. The -type f option restricts matches to files in order to avoid false alarms on directories. Option B uses these features correctly. Options A, C, and D use these features incorrectly. Option E specifies a fictitious -suid parameter to find.
6. A. Option A correctly describes the meaning of the specified line. A percent sign (%) identifies a Linux group name, and the remainder of the line tells sudoers to enable users of that group to run all programs as root by using sudo. The remaining options all misinterpret one or more elements of this configuration file entry.
7. B. The netstat command can do what is described in the question. To do so, the -ap options to the command are good choices, so option B is correct. Although lsof can also accomplish the job, the -c a option is incorrect; this option restricts output to processes whose names begin with a. Thus, option A is incorrect. Option C’s ifconfig command doesn’t display open network connections, so it’s incorrect. Although option D’s nmap command will locate ports that are open on the localhost interface, it doesn’t locate all open connections, nor does it locate connections on anything but the localhost interface. Option D’s top command displays a list of processes sorted by CPU use, not open network connections (and -net is an invalid option to top, as well).
8. D. Option D is correct. TCP Wrappers uses this feature to allow you to override broad denials by adding more specific explicit access permissions to hosts.allow, as when setting a default deny policy (ALL:ALL) in hosts.deny.
9. C. The bind option of xinetd lets you tie a server to just one network interface rather than link to them all, so option C is correct. It has nothing to do with running multiple servers on one port (option A), specifying computers by hostname (option B), resolving conflicts between servers (option D), or the Berkeley Internet Name Domain (BIND) or any other DNS server (option E).
10. A, D. Using a firewall rule to block Waiter’s port, as in option A, can increase security by providing redundancy; if Waiter is accidentally run in the future, the firewall rule will block access to its port. Uninstalling the program, as in option D, improves security by reducing the risk that the program will be accidentally run in the future. Most programs don’t have a “stealth” mode, so option B is incorrect. (Furthermore, reading the documentation isn’t enough; to improve security, you must change some configuration.) Tunneling Waiter’s connections might have some benefit in some situations, but this configuration requires setup on both client and server computers and by itself leaves the server’s port open, so option C is incorrect. Clients associated with the server program, installed on the server computer, pose little or no risk of abuse of the associated server; it’s clients on other computers that are most likely to be used to abuse a server program, and you can’t control that. Thus, option E is incorrect.
11. B. Option B correctly describes how to accomplish this goal. Option A is incorrect because the hosts_allow option isn’t a legal xinetd configuration file option. Option C correctly describes how to configure the described restriction using TCP Wrappers, which is generally used with inetd, but it’s not the way this is done using xinetd. Option D also describes a TCP Wrappers description, but it reverses the meaning. Option E’s iptables utility configures a firewall. Although a firewall rule could be a useful redundant measure, the question specifies a xinetd configuration; and option E’s use of iptables is incorrect.
12. B. Ideally, passwords should be completely random but still memorable. Option B’s password was generated from a personally meaningful acronym and then modified to change the case of some letters, add random numbers and symbols, and extend its length using a repeated character. This creates a password that’s close to random but still memorable. Option A uses a well-known mythological figure, who is likely to be in a dictionary. Option C uses two common words, which is arguably better than option A, but not by much. Option D uses two closely related words separated by a single number, which is also a poor choice for a password. Option E uses a sequential series of numbers, which is a poor (but sadly common) password choice.
13. A. Phishing (option A) involves sending bogus email or setting up fake Web sites that lure unsuspecting individuals into divulging sensitive financial or other information. Script kiddies (option B) are intruders who use rootkits. Spoofing (option C) involves pretending data is coming from one computer when it’s coming from another. Ensnaring (option D) isn’t a type of attack. Hacking (option E) refers to either lawful use of a computer for programming or other advanced tasks or breaking into computers.
14. C. The /etc/nologin file, if present, prevents logins from ordinary users; only root may log in. You might set this file when performing maintenance and then forget to remove it, thus explaining the symptoms in the question. Thus, option C is correct. The syslogd daemon mentioned in option A records system messages and is unlikely to produce the specified symptoms. The login process ordinarily runs as root and is normally SUID root, so options B and D are also incorrect. Shadow passwords, as in option E, are used on almost all modern Linux systems, and are not likely to cause these symptoms.
15. B, C. SSH is most directly a replacement for Telnet (option B), but SSH also includes file-transfer features that enable it to replace FTP (option C) in many situations. SSH is not a direct replacement for the Simple Mail Transfer Protocol (SMTP; option A), the Network Time Protocol (NTP; option D), or Samba (option E).
16. A. The ssh_host_dsa_key file holds one of three critical private keys for SSH. The fact that this key is readable (and writeable!) to the entire world is disturbing, so option A is correct. In principle, a miscreant who has acquired this file might be able to redirect traffic and masquerade as your system, duping users into delivering passwords and other sensitive data. Because of this, option B (No) is an incorrect response, and the conditions imposed by options C, D, and E are all irrelevant, making all of these options incorrect.
17. B. SSH protocol level 2 is more secure than protocol level 1; thus, option B (specifying acceptance of level 2 only) is the safest approach. Option A is the least safe approach because it precludes the use of the safer level 2. Options C and D are exactly equivalent in practice; both support both protocol levels. Option E is invalid.
18. E. Allowing only normal users to log in via SSH effectively requires two passwords for any remote root maintenance, improving security, so option E is correct. Whether or not you permit root logins, the SSH server must normally run as root, since SSH uses port 22, a privileged port. Thus, option A is incorrect. SSH encrypts all connections, so it’s unlikely that the password, or commands issued during an SSH session, will be intercepted, so option B isn’t a major concern. (Nonetheless, some administrators prefer not to take even this small risk.) SSH doesn’t store passwords in a file, so option C is incorrect. Because SSH employs encryption, option D is incorrect (this option better describes Telnet than SSH).
19. D. Option D provides the correct command to import fredkey.pub prior to use. The inspect-gpg, import-gpg, and gpg-import commands of options A, C, and E are fictitious; and there is no --readkey option to gpg, as option B suggests.
20. E. The usual method of sending encrypted messages with GPG entails the sender using the recipient’s public key to encrypt the message. Thus, option E is correct. Option A would be correct if your correspondent needed to send you an encrypted message, but the question only specifies your sending the encrypted message. Options B, C, and D all entail delivery of private keys, which is inadvisable at best, because private keys in the wrong hands permit the holder to impersonate the person who owns the keys.
Appendix B

About the Additional Study Tools

In this appendix:
Additional Study Tools
System Requirements
Using the Study Tools
Troubleshooting
Additional Study Tools

The following sections are arranged by category and summarize the software and other goodies you’ll find from the companion Web site. If you need help with installing the items, refer to the installation instructions in the “Using the Study Tools” section of this appendix.

The additional study tools can be found at http://www.sybex.com/go/lpic3e. Here, you will get instructions on how to download the files to your hard drive.
Sybex Test Engine

The files contain the Sybex test engine, which includes two bonus practice exams, as well as the assessment test and the chapter review questions, which are also included in the book itself.

Electronic Flashcards

These handy electronic flashcards are just what they sound like. One side contains a question, and the other side shows the answer.

PDF of Glossary of Terms

We have included an electronic version of the glossary in .pdf format. You can view the electronic version of the glossary with Adobe Reader.

Adobe Reader

We’ve also included a link to download Adobe Reader so you can view PDF files that accompany the book’s content. For more information on Adobe Reader or to check for a newer version, visit Adobe’s Web site at http://www.adobe.com/products/reader/.
System Requirements

Make sure your computer meets the minimum system requirements shown in the following list. If your computer doesn’t match up to most of these requirements, you may have problems using the software and files. For the latest and greatest information, please refer to the ReadMe file located in the downloads.

Windows Users
A PC running Microsoft Windows 98, Windows 2000, Windows NT4 (with SP4 or later), Windows Me, Windows XP, Windows Vista, or Windows 7
An Internet connection

Linux Users
A computer with Flash Player 9
An Internet connection

Mac Users
A computer with OS X or later
An Internet connection
Using the Study Tools

Installation on a Windows machine:
1. Download the .ZIP file to your hard drive, and unzip to an appropriate location. Instructions on where to download this file can be found here: http://www.sybex.com/go/lpic3e.
2. Click the Start.EXE file to open the study tools file.
3. Read the license agreement, and then click the Accept button if you want to use the study tools.

The main interface appears. The interface allows you to access the content with just one or two clicks.

Installation on a Linux machine:
1. Download the .ZIP file to your hard drive, and unzip to an appropriate location. Instructions on where to download this file can be found here: http://www.sybex.com/go/lpic3e.
2. Open the Start.html file in an internet browser to open the study tools file.
3. Read the license agreement, and then click the Accept button if you want to use the study tools.

Installation on a Mac machine:
1. Download the .ZIP file to your hard drive, and unzip to an appropriate location. Instructions on where to download this file can be found here: http://www.sybex.com/go/lpic3e.
2. Click the image file to mount the volume to your desktop.
3. Open the JWS volume on your desktop and click Start.
4. Read the license agreement, and then click the Accept button if you want to use the study tools.
Troubleshooting

Wiley has attempted to provide programs that work on most computers with the minimum system requirements. Alas, your computer may differ, and some programs may not work properly for some reason.

The two likeliest problems are that you don’t have enough memory (RAM) for the programs you want to use or you have other programs running that are affecting installation or running of a program. If you get an error message such as “Not enough memory” or “Setup cannot continue,” try one or more of the following suggestions and then try using the software again:

Turn off any antivirus software running on your computer. Installation programs sometimes mimic virus activity and may make your computer incorrectly believe that it’s being infected by a virus.

Close all running programs. The more programs you have running, the less memory is available to other programs. Installation programs typically update files and programs; so if you keep other programs running, installation may not work properly.

Have your local computer store add more RAM to your computer. This is, admittedly, a drastic and somewhat expensive step. However, adding more memory can really help the speed of your computer and allow more programs to run at the same time.
Customer Care

If you have trouble with the book’s companion study tools, please call the Wiley Product Technical Support phone number at (800) 762-2974 or email them at http://sybex.custhelp.com/.
IndexA.afilenameextensionAccelerated-Xserveraccessfiles.SeepermissionsremoterootSSHxinetdconfiguration
accesscontrollinesinCUPSprintingaccesscontrollists(ACLs)accesstimes,fileaccessibilityissuesAccessXutilityaccounts.SeeusersanduseraccountsACLs(accesscontrollists)actionsrunlevelssystemlogfiles
ActiveDirectory(AD)domainsactiveservicesAddressResolutionProtocol(ARP)addressesDMAI/OIP.SeeIPaddressesnetwork.Seenetworkaddresses
addusercommandadministration.Seesystemadministrationadministrators,groupAdvancedLinuxSoundArchitecture(ALSA)audiodriversAdvancedTechnologyAttachment(ATA)harddiskinterfacesaliascommandaliasescommandsemailroot
aliasesfilealiasing,fontalienutility
aligning,partitionsallowedIPandnetworkaddressesalloweduserslistsatcommandjobscronjobs
alphabetictestsinSELECTALSA(AdvancedLinuxSoundArchitecture)audiodriversalternativebootloadersalternativebootsystemsAmericanStandardCodeforInformationInterchange(ASCII)ampersands(&)backgroundprogramsredirectionscripts
anacronprogramanalysistoolsforsystemlogfilesandoperatorsscriptsSELECT
anonymousFTPsitesanti-aliasingforfontsaplaycommandAPM(ApplePartitionMap)appendmodeattributeappendingfilesarchivelimiting
ApplePartitionMap(APM)AppleTalkprotocolapt-cacheprogramapt-getprogramaptitudepackagemanagerarchitecturepackagesprinting
archivingfilescpcommandcpioprogramddcommandtarutility
arguments,commandlineARP(AddressResolutionProtocol)
ASCII(AmericanStandardCodeforInformationInterchange)assignmentofvariablesasterisks(∗)casestatementscronjobsdomainsfacilitiesfilenamesgrepharddiskmonitoringnetstatNTPserverspasswordsregularexpressionsroutetracingSELECTXDMserveraccess
atcommandatsigns(@)forsystemlogfilesATA(AdvancedTechnologyAttachment)harddiskinterfacesatomicclocksatqprogramattributesfilesSQL
authenticationinSSHauthorized_keysfileautofilesystemmountingAutoRepeatkeyboardsettingavailablekernelmodulesdisplay
Bback-quotecharacters(`)inscriptstextwith
backgroundgraphicsinGRUBbackgroundprocessesbackslashes(\)bashpromptEFIloaderfilenamesregularexpressions
backtickcharacters(`)
inscriptstextwith
BackTracktoolbackupsfilesystemmountsopticalmediapartitionsfor
bad-blockchecksbannersforprintjobsbash(BourneAgainShell).bash_historyfilebash_logoutscript/.bashrcfileBasicInput/OutputSystem(BIOS)andbootloadersbootprocessrole
basicregularexpressionsBerkeleyInternetNameDomain(BIND)BerkeleyStandardDistribution(BSD)bgcommand/bindirectory/bin/shfilebinarypackagecreationBIND(BerkeleyInternetNameDomain)BIOS(BasicInput/OutputSystem)andbootloadersbootprocessrole
BIOSBootPartitionsbitmapfontsblanklineswithcatblkidcommandblockdevicesblockingroutesbodynumberingstyle/bootdirectorybootdiskanddevicegeometry/boot/efifile/boot/grub/grub.cfgfile/boot/grub/grub.conffile/boot/grub/menu.lstfile
/boot/grubpartitionbootloadersalternativedamagedEFIGRUBGRUB2overview
bootmanagers/bootpartitionbootprocessexamessentialsextractinginformationaboutwithoutkeyboardsmessagesrunlevels.SeerunlevelsstepssummaryVieditor
bootsectorsbootsystems,alternativebootablepartitionsbootlogddaemonBOOTPROTOvariablebouncekeysoptionBourneshell(bsh)BourneAgainShell(bash)braces({})/etc/apt/apt.conffunctionsGRUB2bootloaderlogrotationfilesxinetdconfiguration
brackets([])filenamesregularexpressions
BrailledisplaybreakingfilesintopiecesBRLTTYprojectbroadcastqueriesbroadcastingdatabrowsingcontrolinCUPSprintingbrowsinginIPP
BSD(BerkeleyStandardDistribution)BSDpsoptionsbshshell(Bourne)Btrfsfilesystembugsinemailserversbuildnumbersforpackagesbuildarchtranslatelinesbytescountingextractingtextbysplittingfilesby
CClibrary(libc)Cshellcablingcachesfilesystemunmountinglibrarypackage
carats(^)catregularexpressions
carboncopyaddressescaseandcase-sensitivitycommandhistorytextfilenamespasswordsregularexpressionssortingfilesusernamesVieditor
casestatementscatcommandcdcommandcdrecordcommandCentOSdistributioncentralprocessingunits(CPUs)informationaboutlimitsmulti-coreprocesspriorityprocesstime
cfdisktoolchagecommandchainloadingchannelsinDMACHARdatatypecharacterdevicesfiletypecodecharactersetconversionscharacterscountingextractingtextbyregularexpressionstranslating
chattrcommandcheck-updatecommandchecksumsforpackageschgrpcommandchipsetsinbootmessageschkconfigcommandchmodcommandchoosersinXDMchords,mousechowncommandgroupsoptionsandUIDs
CHS(cylinder/head/sector)geometryClasslessInter-DomainRouting(CIDR)cleancommandcleaningDebianpackagesclickoptionsclientsNTPremotevs.serversXWindowSystem
clockscodesfiletypepartitiontype
codesetscoldplugdevicescolons(:)
chown/etc/group/etc/inittab/etc/passwdhardwareaddressesIPaddressesPATHdirectoriesSSHfilecopyingVieditor
colorfilelistingsXWindowSystemsettings
colorink-jetprinterscolumnsinSQLcombiningfilestables
commandcompletioncommandlinesexamessentialsgeneratingregularexpressions.Seeregularexpressionsshells.Seeshellsandshellenvironmentsummarytextfiltercommands
combiningfilesformattingfilessummarizingfilestransformingfilesviewingfiles
CommandmodeinVieditorcommandsaliaseseditinghelpsystemhistoryinternalandexternallaunchingprocessespipingredirectingscriptsstreams
commas(,)comments
cronjobsENUMlistsfacilitiesfilemodesfilesystemlistsfontsgroupsGRUBdrivenumbersmountoptionsSELECTsortfieldsSSHuserlistsVi
commentsaliasesfileanacronjobsconfigurationfiles/etc/apt/sources.list/etc/inetd.conf/etc/security/limits.conffilesystemmountinglogrotationfilesscriptsSSHconfigurationsystemlogfilessystemduseraccounts
CommonUnixPrintingSystem(CUPS)configurationfilesprinterdefinitionsweb-basedutilities
comparingtarfilescompressionoptionsfileattributelogrotationfiles
computeraddressconcatenatingfilesconditionalexpressionsconfigurationfilesexaminingshellenvironment
conflicts,packageconnections,network.Seenetworkconnections
contrastsettingsconvertingcharactersetspackageformatsspacestotabstabstospaces
CoordinatedUniversalTime(UTC)copy-inmodecopy-outmodecopy-passmodecopyingfilescoredumpscores,CPUscorruptingdiskscpcommandcpioprogramCPUs(centralprocessingunits)informationaboutlimitsmulti-coreprocesspriorityprocesstime
crackersCREATEDATABASEcommandCREATETABLEcommandcreationdateinfilelistingscredentialsoptioncronprogramforanacronjobcreationlogrotationpurpose
cronlooputilitycrontabutilitycrontabscshshellCUPS(CommonUnixPrintingSystem)configurationfilesprinterdefinitionsWeb-basedutilities
CUPSDriverDevelopmentKitcupsddaemon
cupsdisablecommandcupsenablecommandcurlybraces({})/etc/apt/apt.conffunctionsGRUB2bootloaderlogrotationfilesxinetdconfiguration
currentdirectorycurrentrunlevelscutcommandcylinder/head/sector(CHS)geometrycylinders
DD-Bus(DesktopBus)daemonsdamagedbootloadersdashes(-)attributescronjobsfilenamesfilesystemoptionslimitslprmlsoptionspermissionsprocessprioritypsoptionsranges
DataDisplayChannel(DDC)featuredatapipesdatatypesinSQLdatabasesMySQL.SeeMySQLnetworkaccountSQL
datagramsdatecommanddaysettingforatcommandddcommandDDC(DataDisplayChannel)featureDDK(DriverDevelopmentKit)
deactivationdateDebianpackagesapt-cachecommandsapt-getcommandsaptitudemanagerconvertingtodistributionsandconventionsdpkgcommandsdselectprogrammanagingvs.otherpackageformatsreconfiguringSynaptictooltoolsconfiguration
debouncekeysdebugfscommanddebuggingfilesystemsnetworkprotocols
DECIMALdatatypedefaultsconfigurationfileshellsCUPSprintingpolicyfilesystemoptionsfontsgroupsGRUBOSloginshellsownershipandpermissionsroutesrunlevels
delayperiodswithanacronjobsDELETEcommanddeletedinodesdeletingaccountscommandhistorytextdirectoriesduplicatelinesfilesgrouppasswordsgroupsMySQLdatapartitions
usersfromgroupsdependenciesapt-cachekernelmodulespackagessharedlibraries
deplistcommanddepthcolorfilesearchesharddiskmonitoring
DESCRIBEcommandDesktopBus(D-Bus)/devdirectory/dev/cdromdirectory/dev/consoledirectory/dev/dvddirectory/dev/hdadirectory/dev/input/micefile/dev/mapperdirectory/dev/mousefile/dev/nullfile/dev/sddirectory/dev/stdirectorydevicescoldplugandhotplugcommonfiletypecodesfilesystemmountsfilesystemunmountsXWindowSystemsettings
dfcommandDFS(DomainFileSystem)dhclientclientDHCP(DynamicHostConfigurationProtocol)DHCPleasesdhcpcdclientdigprogramDigitalSubscriberLine(DSL)connectionsdirectmemoryaddressing(DMA)directivesorderforCUPSprintingdirectories
changingcreatingdeletingdiskusemonitoringbyfilelistingsfiletypecodehardlinkspermissions
disablingon-boardhardwaresystemctlunusedservers
disallowedIPandnetworkaddressesdisalloweduserslistsatcommandjobscronjobs
disallowinggroupadditionsdisksanddiskdrivesbootcorruptingfloppy.SeefloppydisksanddrivesGRUBreferenceshard.SeeharddisksRAM
displaycontrastfontsinformationaboutmagnifiertoolsresolutionandcolordepth
DISPLAYenvironmentvariableDLLs(dynamiclinklibraries)DMA(directmemoryaddressing)dmesgcommandDNS(DomainNameSystem)emailhostnamessettings
dnsdomainnamecommanddollarsigns($)catenvironmentvariablesregularexpressions
scriptvariablesDomainFileSystem(DFS)DomainNameSystem(DNS)emailhostnamessettings
domainnamecommanddomainsActiveDirectorydatabasehostnameslimits
dotfilesdots(.)chownfilenamesIPaddressesregularexpressionsscriptsTCPwrappersusernames
dottedquadnotationdouble-spacedoutputinprintingdpkgcommandsetdependencies
dpkg-reconfigureprogramDriverDevelopmentKit(DDK)driversaudiomanufacturer-providednetworkhardwareprinterUSBvideocards
DROPTABLEcommand.dscfilesdselectutilityDSL(DigitalSubscriberLine)connectionsducommanddual-bootsystemsdumpe2fscommandduplicatecommands
duplicatelinesremovalduplicatepackagefilesandfeaturesDynamicHostConfigurationProtocol(DHCP)dynamiclibrariesdynamiclinklibraries(DLLs)
Ee2fsckcommandechocommandenvironmentvariablesscriptstextlines
editingcommandhistorycommands
EDITORenvironmentvariableeditorscommandhistorytextscriptsVi
edquotacommandEEPROM(electronicallyerasableprogrammableread-onlymemory)EFI(ExtensibleFirmwareInterface)EFILinuxLoader(ELILO)EFISystemPartition(ESP)systemefibootmgrcommand8-bitUnicodeTransformationFormat8.3filenameselectronicallyerasableprogrammableread-onlymemory(EEPROM)ELILO(EFILinuxLoader)elsekeywordEmacseditorEmacspeakspeechsynthesisproductemailencryptingexamessentialslogrotationoptionsoverviewqueuesredirectingsendingandreceivingserversecurity
softwaresummary
emergencydisksystemsemulation,mouseenablingCUPSbrowsingon-boardhardwarequotassystemctl
encryptionGPGpasswordsSSH.SeeSSH(SecureShell)wirelessnetworksXWindowSystem
endoffiles,viewingendoflinescatregularexpressions
ENUMdatatypeenvcommandenv-updateutilityenvironmentvariablescommonpurposescriptssettingusers
equalsigns(=)aliasesattributesdatabasematchesenvironmentvariablesfilemodesGRUB2bootloadersystemlogfilesvariables
erasecommanderrorprotection,partitionsforesacstatementescapinginregularexpressionsESP(EFISystemPartition)system/etcdirectory
aliasesexecutablesin
/etc/aliasesfile/etc/anacrontabfile/etc/apt/apt.conffile/etc/apt/sources.listfile/etc/at.allowfile/etc/at.denyfile/etc/bash.bashrcfile/etc/bashrcfile/etc/cron.allowfile/etc/cron.ddirectories/etc/cron.dailyfile/etc/cron.denyfile/etc/cron.monthlyfile/etc/cron.weeklyfile/etc/crontabfile/etc/crontabfile.dailyfile/etc/cupsdirectory/etc/cups/ppddirectory/etc/cups/printers.conffile/etc/default/grubfile/etc/dpkg/dpkg.cfgfile/etc/env.ddirectory/etc/fonts/local.conffile/etc/fstabfileeditingfilesystemchecksfilesystemmountingquotasswapspace
/etc/groupfileeditingGIDslinesinmembership
/etc/grub.ddirectory/etc/gshadowfile/etc/hostnamefile/etc/hostsfile/etc/hosts.allowfile/etc/hosts.denyfile
/etc/hotplugdirectory/etc/hotplug/usbdirectory/etc/hotplug/usb.usermapfile/etc/inetd.conffile/etc/inetd.ddirectory/etc/init.ddirectory/etc/init.d/ntpdrestartcommand/etc/init.d/rcscript/etc/init.d/sshdscript/etc/init.d/xdmstartcommand/etc/init.d/xdmstopcommand/etc/init.d/xfsrestartcommand/etc/init/ttyfile/etc/inittabfilebootprocessrunlevelssecurityissuesandUpstartXDMCPservers
/etc/kde/kdmdirectory/etc/ld.so.cachefile/etc/ld.so.conf.ddirectory/etc/ld.so.conffile/etc/localtimefile/etc/login.defsfile/etc/logrotate.conffile/etc/logrotate.ddirectory/etc/maildirectory/etc/modprobe.conffile/etc/mtabfile/etc/network/interfacesfile/etc/networksfile/etc/nologinfile/etc/nsswitch.conffile/etc/ntp.conffile/etc/pam.ddirectory/etc/passwdfileeditingfieldsGIDsandUIDspasswordsuseraccounts
usermodfor/etc/profilefile/etc/rc.conffile/etc/rc.ddirectory/etc/rc.d/boot.localfile/etc/rc.d/rc.localfile/etc/rc.d/rcscript/etc/resolv.conffile/etc/rpmrcfile/etc/rsyslog.conffile/etc/security/limits.conffile/etc/servicesfile/etc/shadowfilefieldspasswordsusermodfor
/etc/skeldirectory/etc/sshfile/etc/ssh_configfile/etc/ssh/sshd_configfile/etc/sshd_configfile/etc/sudoersfile/etc/sysconfigdirectory/etc/sysconfig/clockfile/etc/sysconfig/displaymanagerfile/etc/sysconfig/networkfile/etc/sysconfig/network-scripts/ifcfgfile/etc/sysconfig/sysctl.conffile/etc/sysctl.conffile/etc/syslog.conffile/etc/systemddirectory/etc/timezonefile/etc/udevdirectory/etc/usbmgrdirectory/etc/usbmgr/usbmgr.conffile/etc/X11/fs/configfile/etc/X11/gdmdirectory/etc/X11/gdm.conffile/etc/X11/gdm/gdm.conffile/etc/X11/kdmdirectory/etc/X11/X.orgX11file/etc/X11/xdmdirectory
/etc/X11/xdm/Xaccessfile/etc/X11/xdm/xdm-configfile/etc/X11/xdm/Xresourcesfile/etc/X11/xdm/Xserversfile/etc/X11/XF86Configfile/etc/XF86Configfile/etc/xinetd.conffile/etc/xinetd.ddirectory/etc/yum.conffile/etc/yum.repos.ddirectoryEthernetframeshardware
EvolutionmailreaderExmodeinVieditorexactmatcheswithSELECTexclamationmarks(!)lockedaccountspasswordsscriptssystemlogfilesVieditor
execcommandexecutepermissionsEximprogramexitcommandexpandcommandexpansioncardsexpansionrulesforwildcardsexpirationdatesforuseraccountsexpiredaccounts,updatingexportcommandexportingenvironmentvariablesGPGkeys
expressions.Seeregularexpressionsext2fsorext2(SecondExtendedFileSystem)ext3fsorext3(ThirdExtendedFileSystem)ext4fsorext4(FourthExtendedFileSystem)extendedHFSextendedpartitionsextendedregularexpressions
ExtensibleFirmwareInterface(EFI)ExtentsFileSystem(XFS)externalcommandsexternaldisksEXTLINUXbootloaderextractingbootprocessinformationfilesRPMdatatarfilestext
FfacilitiesinsystemlogfilesFAT(FileAllocationTable)filesystemfc-cachecommandFCEDITenvironmentvariableFDDI(FiberDistributedDataInterface)fdformatcommandfdisktoolFedoradistributionfetchmailprogramfgcommandFHS(FilesystemHierarchyStandard)commondirectoriesoverview
fikeywordFiberDistributedDataInterface(FDDI)FibreChannelfieldsextractingtextbyjoiningfilesbysortSQL
FileAllocationTable(FAT)filesystemfileglobbingfilesizeinfilelistingsFileTransferProtocol(FTP)filenames,filesearchesbyfilesarchivingattributes
breakingintopiecescombiningcopyingdeletingdirectories.Seedirectoriesexamessentialsextractingformattinggroupshexadecimaldisplaysjoininglimitslinkslistinglocating.Seelocatingfilesmodesmovingnamingoctaldisplaysopenownershippagingthroughpermissions.Seepermissionspreparingforprintingrenamingsortingsummarizingsummarytimestampstransformingundeletingviewingwordcounts
FilesystemHierarchyStandard(FHS)commondirectoriesoverview
FilesystemStandard(FSSTND)filesystemscheckingcommontypescreatingdebugginginformationjournals
layoutsmountingpartitionstunableparameterstuningunmountingvirtual
filtersprintingproxytext
combiningfilesformattingfilessummarizingfilestransformingfilesviewingfiles
findcommandarchivedfilesoptionsscriptsSUID/SGIDfileswithUIDs
firewallsflashmemoryFLOATdatatypefloppydisksanddrivesbootloadersoncorruptingdetectingdriversformattingGRUBvirusesfrom
fmtcommandFontForgeprogramfontsdefaultdirectoriespathsserverstechnologiesandformatsXcoreXft
fonts.dirfile
fonts.scalefileFoomaticprinterdefinitionsfootersnumberingstyleforloopsforcingactionsaccountdeletionfileoverwritesfilesystemunmountsgroupcreationkernelmoduleloadingkernelmoduleremovalpackageinstallations
formfeedsinprintingformatsfontslinenumberingtime
formattingpartitionstextfiles
forwardfileforwardslashes(/)cronjobsdirectoriesfilenameshelpsystemIPaddressespaging
forwardingfeatureinXWindowSystemFourthExtendedFileSystem(ext4fsorext4)framesFreeTypelibraryFROMclauseinSELECTfsckcommandfsck.ext2filefsck.ext3fileFSSTND(FilesystemStandard)FTP(FileTransferProtocol)full-duplextransmissionsfunctionkeywordfunctionsinscripts
G
gatewayaddressesGDM(GNOMEDisplayManager)configuringremoteaccess
gdmstartupscriptgdmconfigcommandgdmsetupcommandGeneralPublicLicense(GPL)Gentoodistributiongeometrysettingsgestures,mousegetfaclcommandGhostscriptGIDs(groupIDs)configurationfilesSGIDfilesspecifyingusersandgroups
gigabitEthernetGIMPPrintdriversGIMPToolKit(GTK+)glibc(GNUClibrary)versionglobalconfigurationfilesGloballyUniqueIdentifiers(GUIDs)globbingGMT(GreenwichMeanTime)GNOME(GNUNetworkObjectModelEnvironment)desktopenvironmentGNOMEDisplayManager(GDM)configuringremoteaccess
GNOMEOn-ScreenKeyboard(GOK)gnome-system-monitortoolGNUClibrary(glibc)versionGNUEnscriptprogramGNUNetworkObjectModelEnvironment(GNOME)desktopenvironmentGNUPartedtoolGNUPrivacyGuard(GPG)encryptinganddecryptingdatakeysmessagesigning
GNUpsoptionsGOK(GNOMEOn-ScreenKeyboard)
gpasswdcommandGPG(GNUPrivacyGuard)encryptinganddecryptingdatakeysmessagesigning
GPL(GeneralPublicLicense)GPT(GUIDPartitionTable)partitionsgrandtotalsinharddiskmonitoringGrandUnifiedBootLoader.SeeGRUB(GrandUnifiedBootLoader)graphicaluserinterfaces(GUIs).SeeXWindowSystemgraphicsforGRUBgreaterthansigns(>)librarypathsredirection
GreenwichMeanTime(GMT)grepcommandpipingwithregularexpressionsscriptssystemlogfiles
GROUPBYcommandgroupIDs(GIDs)configurationfilesSGIDfilesspecifyingusersandgroups
groupaddcommandgroupdelcommandgroupmodcommandgroupsaddingdeletingfileslinkingusersinmodifyingpermissionsUIDsandGIDsuseraccounts
growisofscommandgrpquotaoptionGRUB(GrandUnifiedBootLoader)globaloptionsinstalling
interactingwithnomenclatureandquirksper-imageoptions
GRUB2bootloadergrub.efifilegrub-installcommandGTK+(GIMPToolKit)GUIconfigurationtoolsGUIDPartitionTable(GPT)partitionsGUIDs(GloballyUniqueIdentifiers)GUIs(graphicaluserinterfaces).SeeXWindowSystemgummibootbootmanagergunziputilityGutenprintdrivers
HhackersHAL(HardwareAbstractionLayer)daemonhaldtoolhalf-duplextransmissionshaltcommandHaltOnoptionharddisksexternalGRUBlayout
filesystems.SeefilesystemsLVMmountpointspartitions.Seepartitionsswapspace
monitoringusePATAquotasSATASCSI
hardlimitshardlinkshardwareBIOSbootdisksandgeometrysettingsbootmessagescoldplugandhotplugdevices
configurationDMAaddressesexamessentialsexpansioncardsfilesystems.SeefilesystemsharddisklayoutharddisksinterruptrequestsI/Oaddresseskernelmodulesnetworkpartitions.SeepartitionssummaryUSBdevices
HardwareAbstractionLayer(HAL)daemonhardwareaddresseshardwareclockhashmarks(#)aliasesfileanacronjobs/etc/apt/sources.list/etc/inetd.conf/etc/security/limits.conffilesystemmountinglogrotationfilesrpmscriptsSSHconfigurationsystemlogfilessystemd
hashbanglineshashinghostnameshashplinglinesheadcommandheadersemailnumberingstyleprinting
heads,drivehelpaptitudepackagemanagerwithlesspartitionspsoptions
shellsheredocumentshexadecimalfiledisplayhiddenfilesHierarchicalFileSystem(HFS)hierarchyofprocesseshigh-levelformattingHigh-PerformanceParallelInterface(HIPPI)historycommandhistoryofcommandshomedirectoriesconfigurationfilesuseraccounts
/homedirectoryHOMEenvironmentvariable/homepartitionhostprogramhostnamecommandHOSTNAMEenvironmentvariablehostnamesaddressesconfiguringhashingresolving
hotplugdeviceshotplugtoolHTTP(HypertextTransferProtocol)hubsnetworkUSB
hungprocesseshwclockutilityHypertextTransferProtocol(HTTP)hyphens.Seedashes(-)
I
ICMP (Internet Control Message Protocol) iconv utility ID numbers group. See group IDs (GIDs) GUIDs PIDs. See process IDs (PIDs)
SCSI disks UIDs. See user IDs (UIDs)
id_rsa file id_rsa.pub file identification codes for runlevels if keyword ifconfig command hardware addresses IP addresses
ifdown command ifup command IMAP (Internet Message Access Protocol) immutable files importing GPG keys in.ftpd server inactive days settings incompatible libraries and support programs Industry Standard Architecture (ISA) bus inet command inetd package info command info pages init program initialization process inodes deleted description information monitoring
input/output (I/O) services input redirection InputDevice sections in X Window System inputrc script INSERT INTO command Insert mode in Vi editor insmod command install command installed file database interactive mode for copying files internal commands internationalization locale settings
time zones Internet Internet Control Message Protocol (ICMP) Internet Message Access Protocol (IMAP) Internet Packet Exchange/Sequenced Packet Exchange (IPX/SPX) Internet Printing Protocol (IPP) Internet Protocol (IP) Internet Protocol Security (IPsec) Internet service providers (ISPs) as time source internets interpreting boot process messages interrupt requests (IRQs) intervals for filesystem checks I/O addresses IP (Internet Protocol) IP addresses broadcasts netstat static xinetd configuration
IP masquerading IPP (Internet Printing Protocol) IPsec (Internet Protocol Security) iptables command IPv6 (IP version 6) IPX/SPX (Internet Packet Exchange/Sequenced Packet Exchange) IRQs (interrupt requests) ISA (Industry Standard Architecture) bus ISO-8859 code set ISO-9660 filesystem isofs module ISOLINUX boot loader ISPs (Internet service providers) as time source
J
JFS (Journaled File System) jobs print scheduling
anacron at cron
jobs command John the Ripper program JOIN clause in SELECT join command joining files Joliet filesystem Journaled File System (JFS) journaling attribute journals, filesystem jumpers for SCSI disks
K
KDE (K Desktop Environment) KDE Red Hat repository KDM (KDE Display Manager) configuring remote access
kdm startup script Kerberos kernel boot process EFI boot loader GRUB information
kernel modules information loading removing
kernel ring buffers kernel space programs keyboards accessibility issues booting without configuring onscreen
keyrings in GPG keys GPG SSH
kill command killall command killing processes
klogd daemon kmag command KMag magnifier tool KMail program konsole command kpm tool ksh shell (Korn)
L
labels, filesystem LANG environment variable languages in locales LBA (logical block addressing) mode LC_ environment variables LD_LIBRARY_PATH environment variable LDAP (Lightweight Directory Access Protocol) ldconfig command ldd command LDPATH variables leases, DHCP left margin in printing length passwords printing pages
less pager boot process messages help system system log files text files
less than signs (<) for redirection /lib directory /lib/libc.so/6 file /lib/modules directory libc (C library) libraries missing shared. See shared libraries
Light Display Manager (LightDM) Lightweight Directory Access Protocol (LDAP) LILO (Linux Loader) line ends cat
regular expressions line numbers with cat Line Printer Daemon (LPD) linear block addressing lines duplicate merging numbering
links files shared libraries
Linux Documentation Project list command systemctl yum
list_deleted_inodes command list_requests command listing files Livna repository ln command load average, displaying loaders. See boot loaders loading kernel modules X server modules
local networks DHCP configuration GUI configuration tools hardware configuration hostnames ifup and ifdown commands network connection configuration routing configuration static IP addresses
local security local time locale command locales changing description determining text files
localhost device addresses
localinstall command localization locale settings. See locales time zones
LocalTalk networks localupdate command, yum locate utility locating files boot process messages directory conventions exercise FHS system find command locate utility whereis program which command
locking accounts log files rotation system. See system log files tracking
Logcheck tool logger tool logical block addressing (LBA) mode logical operators scripts SELECT
logical partitions logical volume management (LVM) logins limits setting without passwords SSH scripts X Window System
logout command logout scripts logrotate tool long file listings long filename systems loopback addresses loopback devices loops in scripts low-level formatting
lpc utility LPD (Line Printer Daemon) lpd command lpmove command lpq command lpr command lprm command ls command file ownership links options permissions
lsdel command lsmod command lsof program lspci command lsusb utility lvcreate utility LVM (logical volume management) lvscan utility
M
MAC (Media Access Control) addresses machine information machine names magnifier tools mail. See email mail command MAIL environment variable mail options for log rotation files mail program mail readers mail spools mail transfer agents (MTAs) mail user agents (MUAs) mailq program MAILTO environment variables make utility man pages manufacturer-provided video drivers masquerade information master boot records (MBRs)
master PATA disks matching lines in regular expressions MBR partitions MBRs (master boot records) MDM Display Manager Media Access Control (MAC) addresses /media directory /media partition memory libraries limits setting process use video
merging lines message signing in GPG messages boot process system log files
minus signs. See dashes (-) misconfiguration of email servers mismatched names missing libraries and support programs mkdir command mkdosfs tool mke2fs program mkfontdir program mkfontscale program mkfs tool mkisofs command mkpart command mkswap command /mnt directory /mnt partition modes directories files monitors runlevel Vi editor
modification time, changing modinfo command modprobe command
network hardware drivers options quotas
module stacks modules kernel X Window System
monitoring hard disk use log files network port use print queues
monitors contrast controls X Window System settings
month in sorting files mount command mount points filesystem mounts filesystem unmounts partitions
mounted filesystems mounted hard disks mounting filesystems mouse accessibility issues X Window System settings
moving files partitions print jobs
mpage command msdos filesystem code MTAs (mail transfer agents) MUAs (mail user agents) multi-column printing output multi-head displays multi-OS support multi-threaded programs multi-user mode multi-volume tar files multicasting
multiple partitions multiple tests in SELECT mutt mail reader mv command MySQL combining data databases and tables deleting data exam essentials retrieving data starting storing data summary
mysql program
N
nail program Name Service Switch (NSS) named pipes file type code names disks files groups hostname resolution kernel kernel modules mismatched nodes packages print jobs systemctl
NAT (Network Address Translation) routers native methods in Upstart Neighbor Discovery Protocol (NDP) Nessus scanner nesting if/then/else clauses NET TIME command NetBEUI protocol netmasks netstat command network account databases Network Address Translation (NAT) routers network addresses
broadcasting data hardware hostnames IP IPv6 ports xinetd configuration
Network Configuration tool network connections configuring FTP commands raw network traffic status Telnet testing tracing
Network File System (NFS) Network Information System (NIS) network ports overview use monitoring
network printers network scanners network stacks Network Time Protocol (NTP) client configuration overview server configuration time sources
networking addresses. See network addresses connections. See network connections exam essentials hardware local networks. See local networks packets protocol stacks summary TCP/IP
hardware protocol stacks types
New Technology File System (NTFS) newaliases command
newgrp command NFS (Network File System) nfs-common script nice command NIS (Network Information System) nl command nmap command NMap scanner NNTPSERVER environment variable node names nohup program non-blank lines numbering option non-Linux root nslookup program NSS (Name Service Switch) NTFS (New Technology File System) NTFS-3G filesystem NTP (Network Time Protocol) client configuration overview server configuration time sources
ntp.drift file ntp package ntpd package ntpdate command ntpq program number of copies for print jobs numbering lines numbers in passwords numeric sorts numeric tests with SELECT
O
octal file displays octal permissions od command on-board hardware onscreen keyboards open files listing open ports open relays
Open Firmware program OpenPrinting database OpenSSH server openSUSE configuration /opt directory /opt/fonts directory /opt/local/fonts directory /opt partition optflags lines optical media options, command or operators scripts SELECT
Orca speech synthesis product ORDER BY keyword OS (operating system) GRUB information
outline fonts output printing redirection
ownership defaults files filesystem mounting
P
packages caches Debian. See Debian packages dependencies and conflicts format conversions overview rebuilding RPM. See RPM (RPM Package Manager) and RPMs shared libraries. See shared libraries SQL startup script problems versions
packet-filter firewalls packet sniffers
packets page length in printing page separators in line numbering page width in printing paging through files PAM (Pluggable Authentication Modules) pam_limits module paragraphs, reformatting Parallel Advanced Technology Attachment (PATA) Parallel Line Interface Protocol (PLIP) parallel ports parameters filesystems scripts server configuration files
parent directories parent process IDs (PPIDs) parentheses () ENUM lists functions regular expressions
Parted Magic disk system Parted tool partitions aligning archiving boot process common creating deleting displaying fdisk tool filesystems GNU Parted tool GRUB GRUB 2 monitoring hard disk use by mount points preparing purpose swap systems
passwd command
passwords change requirements changing configuration files cracking programs filesystem mounts good groups history files risks root setting SMB/CIFS SSH logins without tools user accounts
paste command PATA (Parallel Advanced Technology Attachment) PATH environment variable paths archiving files external commands fonts shared libraries
pattern input files in regular expressions PCI (Peripheral Component Interconnect) bus card configuration IRQs
PCL (Printer Control Language) peers command per-image options in GRUB period setting for at command periods (.) chown filenames IP addresses regular expressions scripts TCP wrappers usernames
Peripheral Component Interconnect (PCI) bus card configuration IRQs
permission mode, searching for files by permissions archiving files bits chmod command copying files cron jobs defaults directories /etc/shadow special
PermitRootLogin option .pfa and .pfb files PGP (Pretty Good Privacy) phishing physical volumes PIDs (process IDs) boot process displaying in killing processes system log files
ping command pipes file type code piping data platters, disk play command PLIP (Parallel Line Interface Protocol) Plug-and-Play (PnP)-style configuration Pluggable Authentication Modules (PAM) plus signs (+) at command attributes find NTP servers regular expressions
PnP (Plug-and-Play)-style configuration Point-to-Point Protocol (PPP) pools, NTP server POP (Post Office Protocol) port numbers ports monitoring netstat
network open SSH tunnels USB
POST (power-on self-test) Post Office Protocol (POP) Postfix program PostgreSQL package postmaster account PostScript Printer Definition (PPD) files PostScript printer language PostScript Type 1 fonts pound bang lines pound signs (#). See hash marks (#) power-on self-test (POST) poweroff command PPD (PostScript Printer Definition) files PPIDs (parent process IDs) PPP (Point-to-Point Protocol) PPPoE (PPP over Ethernet) pr command Pretty Good Privacy (PGP) primary boot loaders primary groups primary keys primary partitions Printer Control Language (PCL) printer definitions printing architecture CUPS configuration exam essentials exercise kernel information to network printers PostScript and Ghostscript preparing files for printer manufacturers queues running systems summary
priorities processes
system log files private keys GPG SSH
privileged ports /proc directory /proc/bus/usb directory /proc/dma file /proc filesystem /proc/interrupts file /proc/ioports file process IDs (PIDs) boot process displaying in killing processes system log files
processes foreground and background kernel information killing lists memory limits setting priorities runlevels
processors. See central processing units (CPUs) .profile files programs background executing running persistently
progress, filesystem checking prompts, changing protective MBR protocol stacks protocols mouse server configuration files SSH configuration
provides command proxy filters PS_PERSONALITY environment variable ps program email
options output interpretation searching for running processes
PS1 environment variable public keys GPG SSH
pull mail protocols pump client punctuation in passwords pvcreate utility pwd command PWD environment variable
Q
qmail program Qt widget sets question marks (?) filenames regular expressions searches
queues displaying email Ghostscript for print
quota package quotacheck command quotaon command quotas enabling setting
quotation marks (“) command options in filenames
R
RAM disks random access memory (RAM) libraries video
range expressions in regular expressions
range of values in filenames raw network traffic rc program rc-update program read command read-only filesystems mounting read permissions read/write filesystems mounting reboot command rebuilding library cache packages
receiving email reconfiguring servers recursive copies recursive filename listings recursive searches in grep Red Hat distribution package naming X configuration tools
Red Hat Enterprise Linux (RHEL) redirecting email input and output
reduced-size pages rEFInd program rEFIt program reformatting paragraphs refresh rates for monitors registering domain names regular expressions grep with for line numbering overview sed with
ReiserFS filesystem description journaling partition monitoring
relational databases release numbers for packages releases, kernel
reload command in systemctl remote access in X Window System remote login protocols remote network scanners remove command removing Debian packages kernel modules options passwords print jobs yum packages
renaming files renice command repeat rate for keyboards repetition operators in regular expressions replacing packages Vi editor text
repquota command reserved blocks in filesystems resistor packs for SCSI disks resizing partitions resolution monitors video cards
resolvedep command resolving hostnames resources, XDM restart command in systemctl retrieving MySQL data reverse sorts reversing password order revoking GPG keys RHEL (Red Hat Enterprise Linux) risks, password rm command rmdir command rmmod command Rock Ridge extensions root account access
cron jobs default user settings file ownership killing processes passwords paths permissions UIDs
root directory /root directory root filesystem /root partition root partitions in GRUB /root/XF86Config.new file /root/xorg.conf.new file rotating system log files route command route tracing routing configuring rows in SQL RPM (RPM Package Manager) and RPMs converting to dependencies distributions and conventions vs. other package formats packages
creating data extraction managing
rpm commands Yum
rpm2cpio program rpmbuild program Rpmfind site RS-232 ports rsyslogd logger run-parts utility runlevel command runlevels changing checking current functions
halt, reboot, and poweroff init and telinit managing services shutdown SysV startup scripts
running programs persistently
S
SAS (Serial Attached SCSI) bus SATA (Serial Advanced Technology Attachment) saving Vi editor changes /sbin directory /sbin/init program scalable fonts scaled units in hard disk monitoring scanners, network scheduling tasks anacron at cron
scp command screen display settings contrast fonts magnifier tools resolution and color depth
screen readers scripts anacron jobs beginning commands conditional expressions configuration files creating functions log rotation files logout loops overview runlevels startup. See startup scripts variables
XDMCP servers SCSI (Small Computer System Interface) disks search command searches boot process messages command history Debian packages files. See locating files with less regular expressions system log files Vi editor yum
Second Extended File System (ext2fs or ext2) secret keys in GPG sectors Secure Boot feature secure deletions Secure Shell. See SSH (Secure Shell) Secure Sockets Layer (SSL) encryption security configuration files disabling unused servers email servers exam essentials file ownership firewalls FTP GPG inetd package local login, process, and memory limits network port monitoring partitions for remote network scanners root access server uninstalling and reconfiguring SSH. See SSH (Secure Shell) SUID/SGID files summary super server restrictions TCP Wrappers xinetd
sed command
regular expressions scripts
SELECT command semicolons (;) case statements MySQL system log files
sending email sendmail program seq command Serial Advanced Technology Attachment (SATA) Serial Attached SCSI (SAS) bus Server Message Block/Common Internet File System (SMB/CIFS) servers vs. clients disabling email security font super server restrictions
inetd configuration xinetd configuration
uninstalling and reconfiguring X Window System
services I/O runlevels server configuration files
sessions, processes associated with set command set group ID (SGID) option set keyword in GRUB 2 set user ID (SUID) option setfacl command setpci utility sfdisk utility SGID files, locating SGID (set group ID) option shadow passwords shareable files in FHS shared libraries dependencies paths principles
rebuilding library cache shebang lines shell command SHELL environment variable shells and shell environment aliases command completion command history configuration files environment variables exam essentials help system internal and external commands options scripts. See scripts starting summary
shift command shoulder surfing SHOW DATABASES command show_super_stats command SHOW TABLES command shutdown command SIGHUP signal SIGKILL signal signals for processes signing GPG messages SIGTERM signal Simple Mail Transfer Protocol (SMTP) simulated mouse clicks single-user mode size file limits in file listings log rotation files partitions searching for files by
skeleton files SLAAC (stateless address auto-configuration) slashes (/) cron jobs directories filenames
help system IP addresses paging
slave PATA disks slocate utility slow keys Small Computer System Interface (SCSI) disks smart filters SMB/CIFS (Server Message Block/Common Internet File System) smbpasswd command smoothing fonts SMTP (Simple Mail Transfer Protocol) sniffers .so filename extension social engineering sockets file type code server configuration files system log files
soft limits soft links software exam essentials packages. See packages processes. See processes summary
software clock sort command sorting files processes
sourcing scripts spaces converting tabs to converting to tabs usernames
.spec files special characters with cat speech synthesis products split command spools, mail SQL (Structured Query Language)
basics MySQL. See MySQL packages
SQLite package square brackets ([]) filenames regular expressions
SSH (Secure Shell) access control authentication basics configuring file copying keys login scripts logins without passwords port tunnels security issues X Window System
ssh-agent program ssh_host_dsa_key file ssh_host_rsa_key file ssh-keygen command ssh_known_hosts file SSH Tectia server SSL (Secure Sockets Layer) encryption Stampede format standard error (stderr) standard input (stdin) standard output (stdout) start command in systemctl start of files, viewing start of lines in regular expressions startup scripts anacron jobs configuration files package problems runlevels XDMCP servers
startx command stateless address auto-configuration (SLAAC) static files in FHS static IP addresses
static libraries statistics with apt-cache stats command status, network status command in systemctl stderr (standard error) stdin (standard input) stdout (standard output) sticky bits for permissions sticky keys stop command in systemctl storing MySQL data strata in time servers streams strong passwords Structured Query Language (SQL) basics MySQL. See MySQL packages
su command subdomains subexpressions in regular expressions subject lines in email subnet masks sudo program SUID files, locating SUID (set user ID) option summaries with hard disk monitoring summarizing commands for files Super GRUB Disk super server restrictions inetd configuration xinetd configuration
superblocks superuser. See root account support programs, missing SUSE distribution swap space swapon command switches symbolic links Synaptic tool
sysfs virtual filesystem sysklogd package Syslinux Project syslog-ng logger syslogd daemon system accounts system administration exam essentials groups. See groups log files. See system log files scheduling tasks
anacron at cron
summary system time management
NTP time concepts time setting
users. See users and user accounts system-config-display command system-config-network tool system cron jobs system environment tuning system log files manual logging reviewing contents rotating settings syslogd
System Settings dialog box system time management NTP time concepts time setting
systemctl utility systemd package SysV startup scripts configuration files problems runlevels and systemd package with Upstart
XDMCP servers
T
Tab key for command completion tables combining deleting MySQL partition SQL
tabs, converting spaces to tags for system log files tail command tail-merging process tar utility tarballs target files, linking task scheduling anacron at cron
TCP (Transmission Control Protocol) TCP/IP (Transmission Control Protocol/Internet Protocol) hardware protocol stacks types
TCP wrappers tcpd program tcpdump command tcsh shell tee command teletype (TTY) code telinit program runlevels X Window System XDMCP servers
telnet program Telnet protocol TERM environment variable terminating shells terminations for SCSI bus territories in locales
test keyword testing network connectivity text and text files with backticks displaying extracting filter commands
combining files formatting files summarizing files transforming files viewing files
locales text editors command history text scripts Vi
text-mode X login then keyword Third Extended File System (ext3fs or ext3) 3D acceleration support Thunderbird mail reader tilde character (~) backup files home directory Vi editor
time command time management NTP time concepts time setting
time of day setting for at command time options for log rotation files TimeOut setting for accessibility timestamps time zones timeouts in GRUB titles in GRUB TLDs (top-level domains) /tmp directory /tmp partition Token Ring networks top-level domains (TLDs)
top tool touch command tr command tracepath program traceroute command tracing routes tracking log files mouse
tracks, disk transforming files translating characters Transmission Control Protocol (TCP) Transmission Control Protocol/Internet Protocol (TCP/IP) hardware protocol stacks types
transposing command history text TrueType fonts .ttf files ttmkfdir program TTY (teletype) code tune2fs command tuning filesystems tunnels in SSH tuples in SQL twisted-pair cabling Type 1 fonts type command TZ variable tzconfig program tzselect program tzsetup program
U
udev tool UDF (Universal Disc Format) UDP (User Datagram Protocol) UEFI (Unified EFI) UIDs. See user IDs (UIDs) ulimit command umask command
umasks umount command external disks filesystems
umsdos filesystem uname command undeleting files underscores (_) filenames usernames
unexpand command Unicode format Unicode Transformation Format (UTF-8) Unified EFI (UEFI) uniform resource identifiers (URIs) uninstallation packages servers
uniq command Universal Disc Format (UDF) Universal Serial Bus. See USB (Universal Serial Bus) devices universally unique identifiers (UUIDs) Unix98 ps options unlocking accounts unmet dependencies with apt-cache unmounting external disks filesystems
unprivileged ports :unscaled specification unset command unshareable files in FHS until loops unused servers, disabling UPDATE command in MySQL update command in yum update copies update-rc.d program updating Debian packages expired accounts library cache links
tar files yum packages
upgrade command in yum upgrading packages Debian depended-on yum
Upstart process uptime command URIs (uniform resource identifiers) USB (Universal Serial Bus) devices drivers managing overview ports
usbmgr package USE command user cron jobs User Datagram Protocol (UDP) USER environment variable user IDs (UIDs) changing configuration files deleted accounts searching for files by user accounts
user masks user-mountable media user space programs useradd utility userdel command usermod command USERNAME environment variable usernames characteristics configuration files filesystem mounts processes server configuration files
users and user accounts adding changing configuration files
configuring creating deleting environments expiration settings in groups passwords processes scripts for UIDs. See user IDs (UIDs) usernames
/usr directory /usr/lib directory /usr/lib/rpm/rpmrc file /usr/local directory /usr/local partition /usr partition /usr/share/fonts directory /usr/share/X11/fonts directory /usr/share/zoneinfo directory /usr/X11R6 directory /usr/X11R6/lib/modules/drivers directory /usr/X11R6/lib/X11/fonts directory UTC (Coordinated Universal Time) UTF-8 (Unicode Transformation Format) UUIDs (universally unique identifiers)
V
/var directory /var/lib/dpkg directory /var/lib/ntp file /var/log directory /var/log/boot file /var/log/boot.log file /var/log/dmesg directory /var/log/kernel directory /var/log/kernel-info files /var/log/mail file /var/log/messages directory /var/log/syslog directory /var/log/wtmp file /var partition
/var/spool/cron directory /var/spool/cups directory /var/spool/mail directory VARCHAR data type variable files in FHS variables assignment environment. See environment variables scripts
vendors of USB drivers verbose output archiving files email filesystem checking filesystem mounting kernel modules library cache USB drivers
verifying archiving files GPG messages
versions kernel packages USB drivers
vertical bars (|) piping regular expressions scripts
vfat driver vfat module vgcreate utility Vi editor modes procedures saving changes
video contrast fonts magnifier tools manufacturer-provided drivers resolution and color depth
video card settings
viewing commands for files Vim editor virtual filesystems virtual memory limits Virtual Network Computing (VNC) system viruses from floppy disk VISUAL environment variable visudo editor VNC (Virtual Network Computing) system volume management
W
warning days setting Wayland display method wc command web-based utilities for CUPS WEP (Wired Equivalent Privacy) encryption whatprovides command WHERE conditions DELETE SELECT
whereis program which command while loops whois command Wi-Fi Protected Access (WPA) protocol Wi-Fi protocols wide output with ps widget sets widgets width of printing pages wildcard characters case statements filename expansion rules hard disk monitoring SELECT
Windows NT 4.0 domains Windows systems time servers Wired Equivalent Privacy (WEP) encryption wireless networking word counts working directory
world permissions WPA (Wi-Fi Protected Access) protocol WPA2 encryption wrappers, TCP write command write permissions
X
X. See X Window System X Display Manager (XDM) configuring remote access
X Display Manager Control Protocol (XDMCP) servers configuring running
X logical font descriptions (XLFDs) X.org-X11 server configuration tools for drivers
X Window System configuration file format configuration utilities configure-and-test cycle display information exam essentials fonts keyboard and mouse accessibility keyboard settings localization and internationalization logins module loading monitor settings mouse settings options printing. See printing remote access screen display settings speech synthesis summary video card settings
X11Forwarding option xargs command Xconfigurator tool
XDM (X Display Manager) configuring remote access
xdm script XDMCP (X Display Manager Control Protocol) servers configuring running
xdpyinfo tool xf86cfg utility XF86Config file XF86Config-4 file xf86config tool XF86Setup tool XFree86 server configuration file format configuration tools drivers
XFS (Extents File System) xfs_admin command xfs_check command xfs_db command xfs_info command xfs_metadump command xfs_repair command Xft fonts xinetd server XkbLayout option XLFDs (X logical font descriptions) xorg.conf file xorgcfg utility xset program xterm program xwininfo command
Y
yank operation in Vi YaST tool Yellow Dog distributions Yum packager configuration files yum commands
yumdownloader