solaris 8 operating environemnt system administration i

8/14/2019 Solaris 8 Operating Environemnt System Administration I

1/451

Sun Educational Services

Solaris 8 Operating Environment System Administration I April 2001

Solaris 8 Operating Environment

System Administration I

SA-238


2/451

Copyright 2001 Sun Microsystems, Inc., 901 San Antonio Road, Palo Alto, California 94303, U.S.A. All rights reserved.Thisproduct or document is protected by copyright and distributed under licensesrestrictingits use, copying, distribution, and decompilation. No part of this product or document may

be reproduced in any form by any means without prior written authorization of Sun and its licensors, if any.

Third-party software, including font technology, is copyrighted and licensed from Sun suppliers.

Parts of the product may be derived from Berkeley BSD systems, licensed from the University of California. UNIX is a registered trademark in the U.S. and other countries, exclusivelylicensed through X/Open Company, Ltd.

Sun, Sun Microsystems, the Sun logo, CacheFS, JumpStart, OpenBoot, Solaris, Solaris Management Console, Solaris Web Start, Sun Enterprise 3000, Sun Enterprise 10000, SunOS, andUltra are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries.

All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. in the U.S. and other countries. Products bearing SPARC trade-marks are based upon an architecture developed by Sun Microsystems, Inc.

The OPEN LOOK and Sun Graphical User Interface was developed by Sun Microsystems, Inc.for its users and licensees. Sun acknowledges the pioneering effortsof Xerox in researchingand developing the concept of visual or graphical user interfaces for the computer industry. Sun holds a non-exclusive license from Xerox to the Xerox Graphical User Interface, whichlicense also covers Suns licensees who implement OPEN LOOK GUIs and otherwise comply with Suns written license agreements.

U.S. Government approval required when exporting the product.

RESTRICTED RIGHTS: Use, duplication, or disclosure by the U.S. Government is subject to restrictions of FAR 52.227-14(g) (2)(6/87) and FAR 52.227-19(6/87), or DFAR 252.227-7015(b)(6/95) and DFAR 227.7202-3(a).

DOCUMENTATION IS PROVIDED AS ISAND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS, AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTYOF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS AREHELD TO BE LEGALLY INVALID.


3/451



Preface

About This Course


4/451


Solaris 8 Operating Environment System Administration I Preface, slide ii of xxiiCopyright 2001 Sun Microsystems, Inc. All Rights Reserved. Enterprise Services April 2001, Revision B

Course Goal

Administering the Solaris 8 Operating Environment

involves many tasks, including standalone installation, filesystem management, backups, process control, useradministration, and device management. Students taking thisclass should gain the necessary knowledge and skills to

perform these essential system administration tasks in theSolaris 8 Operating Environment.


5/451


Solaris 8 Operating Environment System Administration I Preface, slide iii of xxiiCopyright 2001 Sun Microsystems, Inc. All Rights Reserved. Enterprise Services April 2001, Revision B

Course Overview

The primary objective of this course is to teach new system

administrators the basics of administering Sunworkstations. You will perform basic administration tasks,such as:

Installing a standalone system Adding users

Backing up and restoring file systems

Adding printer support

Creating file systems and managing disks


6/451


Course Map

Software Installation and Administration

Introduction

Introducing theSolaris 8 OperatingEnvironment System

Administration

Users, Initialization Files, and Security

AddingUsers

SystemSecurity

Devices, Disks, and File Systems

The DirectoryHierarchy

DeviceConfiguration

Disks, Slices,and Format

The Solaris ufsFile System

MountingFile Systems

MaintainingFile Systems

Processes and Printing

ScheduledProcessControl

The SolarisLP PrintService

System Firmware, Boot Process, and Run Levels

TheBoot PROM

The SystemBoot Process


7/451


Solaris 8 Operating Environment System Administration I Preface, slide v of xxiiCopyright 2001 Sun Microsystems, Inc. All Rights Reserved. Enterprise Services April 2001, Revision B

Module-by-Module Overview

Module 1 Introducing the Solaris 8 Operating

Environment System Administration Module 2 Adding Users

Module 3 System Security

Module 4 The Directory Hierarchy

Module 5 Device Configuration

Module 6 Disks, Slices, and Format Module 7 The Solaris Operating Environment ufs

File System


8/451


Solaris 8 Operating Environment System Administration I Preface, slide vi of xxiiCopyright 2001 Sun Microsystems, Inc. All Rights Reserved. Enterprise Services April 2001, Revision B


Module 8 Mounting File Systems

Module 9 Maintaining File Systems

Module 10 Scheduled Process Control

Module 11 The Solaris Operating Environment LPPrint Service

Module 12 The Boot PROM

Module 13 The System Boot Process Module 14 Installing the Solaris 8 Operating

Environment on a Standalone System


9/451


Solaris 8 Operating Environment System Administration I Preface, slide vii of xxiiCopyright 2001 Sun Microsystems, Inc. All Rights Reserved. Enterprise Services April 2001, Revision B


Module 15 Administrating Software Packages

Module 16 Managing Software Patches

Module 17 Backup and Recovery


10/451


Solaris 8 Operating Environment System Administration I Preface, slide viii of xxiiCopyright 2001 Sun Microsystems, Inc. All Rights Reserved. Enterprise Services April 2001, Revision B

Course Objectives

Upon completion of this course, you should be able to:

Define basic system administration tasks and terms

Add users and groups to the system

Configure user initialization files Implement basic system security

Create access control lists (ACLs) on files

Identify disks configured on a system

Define disk slices on a new disk


11/451


Solaris 8 Operating Environment System Administration I Preface, slide ix of xxiiCopyright 2001 Sun Microsystems, Inc. All Rights Reserved. Enterprise Services April 2001, Revision B

Course Objectives

Create and mount a file system

Repair a corrupted file system

View and manage processes

Configure and administer printers Identify the default boot device

Describe the boot process

Change system run levels

Install the Solaris 8 Operating Environment softwareon a standalone workstation


12/451


Solaris 8 Operating Environment System Administration I Preface, slide x of xxiiCopyright 2001 Sun Microsystems, Inc. All Rights Reserved. Enterprise Services April 2001, Revision B

Course Objectives

Add software packages

Add a software patch

Perform a root file system backup and restore


13/451


Solaris 8 Operating Environment System Administration I Preface, slide xi of xxiiCopyright 2001 Sun Microsystems, Inc. All Rights Reserved. Enterprise Services April 2001, Revision B

Skills Gained by Module

Module

Skills Gained 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17Define basic system administrationtasks and terms

Add users and groups to the system

Configure user initialization files

Implement basic system security

Create ACLs on files

Identify disks configured on asystem

Define disk slices on a new disk

Create and mount a file system

Repair a corrupted file system

View and manage processes

Configure and administer printers

Identify the default boot device

Describe the boot process


14/451


Solaris 8 Operating Environment System Administration I Preface, slide xii of xxiiCopyright 2001 Sun Microsystems, Inc. All Rights Reserved. Enterprise Services April 2001, Revision B

Change system run levels

Install the Solaris 8 OperatingEnvironment software on a

standalone workstation

Add a software packages

Add software patch

Perform a root file system backupand restore

Module

Skills Gained 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17


15/451


Solaris 8 Operating Environment System Administration I Preface, slide xiii of xxiiCopyright 2001 Sun Microsystems, Inc. All Rights Reserved. Enterprise Services April 2001, Revision B

Guidelines for Module Pacing

Module Day 1 Day 2 Day 3 Day 4 Day 5

About This Course A.M.

Introducing the Solaris 8 OperatingEnvironment System Administration

A.M.

Adding Users A.M.

System Security P.M.The Directory Hierarchy P.M.

Device Configuration A.M.

Disks, Slices, and Format A.M./P.M.

The Solaris Operating Environmentufs FileSystem

P.M.

Mounting File Systems A.M.

Maintaining File Systems A.M.

Scheduled Process Control P.M.

The Solaris Operating Environment LP PrintService

P.M.


16/451


Solaris 8 Operating Environment System Administration I Preface, slide xiv of xxiiCopyright 2001 Sun Microsystems, Inc. All Rights Reserved. Enterprise Services April 2001, Revision B

The Boot PROM A.M.

The System Boot Process A.M./P.M.

Installing the Solaris 8 Operating

Environment on a Standalone System

P.M.

Administrating Software Packages A.M.

Managing Software Patches A.M.

Backup and Recovery P.M.

Module Day 1 Day 2 Day 3 Day 4 Day 5


17/451


Solaris 8 Operating Environment System Administration I Preface, slide xv of xxiiCopyright 2001 Sun Microsystems, Inc. All Rights Reserved. Enterprise Services April 2001, Revision B

Topics Not Covered

Basic UNIX commands Covered in SA-118:

Fundamentals of Solaris 8 Operating Environment forSystem Administrators

Thevi editor Covered in SA-118: Fundamentals of theSolaris 8 Operating Environment for System

Administrators

Basic UNIX file security Covered in SA-118:Fundamentals of the Solaris 8 Operating Environment for

System Administrators JumpStart Covered in SA-288: Solaris 8 Operating

Environment System Administration II


18/451


Solaris 8 Operating Environment System Administration I Preface, slide xvi of xxiiCopyright 2001 Sun Microsystems, Inc. All Rights Reserved. Enterprise Services April 2001, Revision B

Topics Not Covered

Solaris Management Console Covered in SA-288:

Solaris 8 Operating Environment System Administration II NFS configuration Covered in SA-288: Solaris 8

Operating Environment System Administration II

Naming services Covered in SA-288: Solaris 8Operating Environment System Administration II

Troubleshooting Covered in ST-350: Sun SystemsFault Analysis Workshop

System tuning Covered in SA-400: Solaris SystemPerformance Management


19/451


Solaris 8 Operating Environment System Administration I Preface, slide xvii of xxiiCopyright 2001 Sun Microsystems, Inc. All Rights Reserved. Enterprise Services April 2001, Revision B

How Prepared Are You?

To be sure you are prepared to take this course, can you

answer yes to the following questions? Can you use basic UNIX commands to navigate the

Solaris Operating Environment directory tree and tosearch for or manipulate directories and files?

Can you use the vi text editor to create or modify files?

Can you change access permissions on files anddirectories?


20/451


Solaris 8 Operating Environment System Administration I Preface, slide xviii of xxiiCopyright 2001 Sun Microsystems, Inc. All Rights Reserved. Enterprise Services April 2001, Revision B

Introductions

Name

Company affiliation

Title, function, and job responsibility

System administrator experience

Reasons for enrolling in this course

Expectations for this course


21/451


Solaris 8 Operating Environment System Administration I Preface, slide xix of xxiiCopyright 2001 Sun Microsystems, Inc. All Rights Reserved. Enterprise Services April 2001, Revision B

How to Use Course Materials

Course map

Objectives

Lecture

Exercise

Check your progress


22/451


Solaris 8 Operating Environment System Administration I Preface, slide xx of xxiiCopyright 2001 Sun Microsystems, Inc. All Rights Reserved. Enterprise Services April 2001, Revision B

How to Use the Icons

Additional resources

Demonstration

Discussion


23/451


Solaris 8 Operating Environment System Administration I Preface, slide xxi of xxiiCopyright 2001 Sun Microsystems, Inc. All Rights Reserved. Enterprise Services April 2001, Revision B

Exercise objective

Caution

Warning

!


24/451


Solaris 8 Operating Environment System Administration I Preface, slide xxii of xxiiCopyright 2001 Sun Microsystems, Inc. All Rights Reserved. Enterprise Services April 2001, Revision B

Typographical Conventions andSymbols

Courier is used for the names of commands, files, anddirectories, as well as on-screen computer output.

Courier bold is used for characters and numbers that

you type.

Courier italic is used for variables andcommand-line placeholders that are replaced with a

real name or value.

Palatino italic is used for book titles, new words or terms,or words that are emphasized.


25/451



Module 1

Introducing the Solaris 8 OperatingEnvironment System Administration


26/451


Solaris 8 Operating Environment System Administration I Module 1, slide 2 of 8Copyright 2001 Sun Microsystems, Inc. All Rights Reserved. Enterprise Services April 2001, Revision B

Objectives

Upon completion of this module, you should be able to:

Define the roles of a Solaris Operating Environmentsystem administrator

Define common system administration terms


27/451



Administering Standalone Systems

Managing user accounts

Maintaining system security

Configuring new devices

Installing and partitioning disk drives

Managing file systems

Scheduling system-related jobs

Maintaining print services


28/451



Administering Standalone Systems

Managing the boot programmable read-only memory

(PROM) Configuring system initialization files

Installing the Solaris Operating Environment software

Administering software packages and patches

Performing backup and recovery operations

Managing disaster recovery


29/451



Administering Client/Server Systems

Configuring a network environment

Setting up the syslog utility

Configuring and administering an NFS environment

Configuring CacheFS file systems

Using automount

Setting up name services

Installing the Solaris Operating Environment using theSolaris JumpStart program


30/451



System Administration Terms

Some common system administration terms are:

Host

Host name

Internet (IP) address

Ethernet address

Server

Client


31/451



Distributed Computing Environment

Host 1 Host 2

Clientprocess

Serverprocess

Clientprocess


32/451



Check Your Progress

Define the roles of a Solaris Operating Environment

system administrator Define common system administration terms


33/451



Module 2

Adding Users


34/451



Objectives


Create and manage user accounts on the local systemusing the admintoolutility

Describe the format of the files /etc/passwd and

/etc/shadow for securing login access Describe the format of the /etc/group file for

maintaining shared and restricted access to files anddirectories

Add, modify, and delete user accounts on the localsystem with the commands useradd, usermod, anduserdel


35/451



Objectives

Add, modify, and delete group accounts for the local

system with the commandsgroupadd

,groupmod

, andgroupdel

Define the two different types of shell initialization files

Describe the shell startup activities during login for thethree main Solaris Operating Environment shells

List the shell initialization files used to set up a userswork environment at login

Describe the purpose of the /etc/skel directory

Modify the initialization files to customize a userswork environment


36/451


37/451



Managing User Accounts

Before you can add user accounts to the system, you must

determine the following information for each new user: Login name

User identification (UID) number

Group identification (GID) number

Comment

home

directory Login shell

Password aging

S Ed i l S i


38/451



Managing User Accounts Withadmintool

admintool enables system administrators to maintain andmodify local system files from the following categories:

Users

Groups

Hosts

Printers

Serial ports

Software

S Ed i l S i


39/451



Storing User and Group AccountInformation

The Solaris Operating Environment stores user account andgroup account information in the following system files:

/etc/passwd Authorized system users have login

account entries in the /etc/passwd file. /etc/shadow All passwords are encrypted and

maintained in a separate shadow file named/etc/shadow.

/etc/group The /etc/group file defines the defaultsystem group accounts.

S Ed ti l S i


40/451



The /etc/passwdFile

root:x:0:1:Super-User:/:/sbin/sh

daemon:x:1:1::/:

bin:x:2:2::/usr/bin:

sys:x:3:3::/:

adm:x:4:4:Admin:/var/adm:

lp:x:71:8:Line Printer Admin:/usr/spool/lp:

smtp:x:0:0:Mail Daemon User:/:

uucp:x:5:5:uucp Admin:/usr/lib/uucp:

nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/

lib/uucp/uucico

listen:x:37:4:Network Admin:/usr/net/nls:nobody:x:60001:60001:Nobody:/:

noaccess:x:60002:60002:No Access User:/:

nobody4:x:65534:65534:SunOS 4.x Nobody:/:



41/451



The /etc/shadowFile

root:LXeoktCoMtwZN:6445::::::

daemon:NP:6445::::::

bin:NP:6445::::::

sys:NP:6445::::::

adm:NP:6445::::::

lp:NP:6445::::::

smtp:NP:6445::::::uucp:NP:6445::::::

nuucp:NP:6445::::::

listen:*LK*:::::::

nobody:NP:6445::::::noaccess:NP:6445::::::

nobody4:NP:6445::::::



42/451



The /etc/groupFile

root::0:rootother::1:

bin::2:root,bin,daemonsys::3:root,bin,sys,admadm::4:root,adm,daemonuucp::5:root,uucpmail::6:root

tty::7:root,tty,admlp::8:root,lp,admnuucp::9:root,nuucpstaff::10:daemon::12:root,daemon

sysadmin::14:lister,toreynobody::60001:noaccess::60002:nogroup::65534:



43/451



Creating and Managing AccountsFrom the Command Line

The following command-line tools add, modify, and deleteuser accounts and group accounts on the local system:

useradd Adds a new user account

usermod Modifies a users account

userdel Deletes a users account

groupadd Adds (creates) a new group account

groupmod Modifies a group account

groupdel Deletes a group account



44/451



Creating User Accounts

You use the useradd command to add an entry for thenew user into the /etc/passwd and /etc/shadow files.

The useradd command also automatically copies allthe initialization files in the/etc/skeldirectory to theusers new home directory.

Command format:

useradd [-u uid][-g gid][-G gid[,gid,.. ]]

[-d dir][-m][-s shell][-c comment] loginname



45/451



Modifying User Accounts

You use the usermod command to modify a userslogin information on the system.

Command format:

usermod [ -u uid[ -o ] ] [ -g gid]

[ -G gid[ , gid] ] [ -d dir] [ -m ][ -s shell ] [ -c comment ] [ -l newlogname ]

[ -f inactive ] [ -e expire ] login



46/451



Deleting User Accounts

You use the userdel command to delete a users loginaccount from the system.

This command also removes the users home directoryand all of its contents, if you request it to do so.

Command format:userdel [ -r ] login



47/451


Adding Group Accounts

As root, you create new group accounts on the localsystem using the groupadd command.

This command adds an entry for the new group intothe /etc/group file.

Command format:groupadd [-g gid[ -o ]] groupname



48/451


Modifying Group Account s

You use the groupmod command to modify thedefinitions of the specified group by modifying theappropriate entry in the /etc/group file.

Command format:

groupmod [-g gid[ -o ]][-n name] groupname



49/451


Deleting Group Accounts

You use the groupdel command to delete a groupaccount from the system.

It deletes the appropriate entry from the /etc/groupfile.

Command format:groupdel groupname



50/451


Exercise: Adding Users and Groups

Exercise Objective

Preparation

Task Summary

Tasks

Exercise Summary

Task Solutions



51/451


Understanding Initialization Files When users log in to the system, their login shells look

for and execute two different types of initializationfiles.

w The first type controls the system-wideenvironment.

w The second type controls the users environment.



52/451


System-Wide Initialization Files As the system administrator, you maintain the system

initialization files to provide an environment for theentire community of users who log in to the system.

These files are provided by the Solaris OperatingEnvironment and reside in the /etc directory.

The two main system initialization files are:

w /etc/profile

w /etc/.login



53/451


User Initialization Files As the system administrator, you set up the users

initialization files and place them in each users homedirectory.

The primary job of a user initialization file is to definethe characteristics of a users work environment, such

as a users search path, environment variables, andwindowing environment.



54/451


Initialization Files for the Six Shells

Shells

System-wide

InitializationFiles

Primary User

Initialization FilesRead at Login

User InitializationFiles Read When a

New Shell IsStarted AfterLogin

Shell PathName

Bourne /etc/profile $HOME/.profile /bin/sh

Korn /etc/profile $HOME/.profile$HOME/.kshrc

$HOME/.kshrc /bin/ksh

C /etc/.login $HOME/.cshrc$HOME/.login

$HOME/.cshrc /bin/csh

Z /etc/zshenv/etc/zprofile

/etc/zshrc

/etc/zlogin

$HOME/.zshenv

$HOME/.zprofile

$HOME/.zlogin

$HOME/.zshrc /bin/zsh



55/451


Initialization Files for the Six Shells

ShellsSystem-wideInitializationFiles

Primary UserInitialization FilesRead at Login

UserInitialization

Files Read Whena New Shell IsStarted AfterLogin

Shell PathName

Bash /etc/profile $HOME/.bash_profile

$HOME/.bash_login$HOME/.profile

$HOME/.bashrc /bin/bash

TC /etc/csh.cshrc/etc/csh.login

$HOME/.cshrc

or

$HOME/.login

$HOME/.tcshrc

or$HOME/.cshrc

/bin/tcsh



56/451


Shell VariablesVariable Name Set By Description

LOGNAME Login Defines the users login name.

HOME Login Sets the path to the users home directory. The defaultargument for cd.

SHELL Login Sets the path to the default shell.

PATH Login Sets the default path the shell searches to findcommands.

MAIL Login Sets the path to the users mailbox.

TERM Not set bydefault

Defines the terminal.

LPDEST Not set by

default

Sets the users default printer.

PWD Shell Defines the current working directory.

PS1 Shell Defines the shell prompt for the Bourne or Korn shell.

prompt Shell Defines the shell prompt for the C shell.



57/451


Setting Environment Variables in UserInitialization Files

Shell Users Initialization FileBourne or Korn VARIABLE=value ; export VARIABLE

For example:

PS1=$HOSTNAME ! $ ; export PS1

C setenv variable value

For example:

setenv prompt \! uname -n %



58/451


Default User Initialization Files

ShellInitialization FileTemplates

Users InitializationFiles

Bourne /etc/skel/local.profile $HOME/.profile

Korn /etc/skel/local.profile $HOME/.profile

C /etc/skel/local.login $HOME/.login

/etc/skel/local.cshrc $HOME/.cshrc



59/451


Exercise: Modifying Initialization Files Exercise Objective

Preparation Task Summary

Tasks

Exercise Summary

Task Solutions



60/451


Check Your Progress Create and manage user accounts on the local system

using the admintoolutility

Describe the format of the files /etc/passwd and/etc/shadow for securing login access

Describe the format of the /etc/group file formaintaining shared and restricted access to files anddirectories

Add, modify, and delete user accounts on the local

system with the commands useradd, usermod, anduserdel



61/451


Check Your Progress Add, modify, and delete group accounts for the local

system with the commands groupadd, groupmod, andgroupdel

Define the two different types of shell initialization files

Describe the shell startup activities during login for thethree main Solaris Operating Environment shells

List the shell initialization files used to set up a userswork environment at login

Describe the purpose of the /etc/skel directory

Modify the initialization files to customize a userswork environment



62/451


Module 3

System Security



63/451


ObjectivesUpon completion of this module, you should be able to:

Create the /var/adm/loginlog file to save failed loginattempts

Monitor system usage with the commands finger,last

, andrusers

Use the su command to become the root user oranother user on the system

Modify the /etc/default/login file to restrict rootaccess



64/451


Objectives Use the commandsidandgroups to identify users and

their group memberships

Change a files owner or a files group using thecommands chown and chgrp, respectively

Explain how the special permissions setuid, setgid,and the Sticky Bit can affect system security

Create, modify, and delete access control lists (ACLs)on files

Control remote login access by maintaining three basicnetwork files: /etc/hosts.equiv, $HOME/.rhosts,and /etc/ftpusers



65/451


Managing System Security OverviewSome basic steps that you should take to manage security atthe user, file, system, and network level include:

Maintaining password and login control

Monitoring system usage

Restricting access to data contained in files

Tracking root logins

Monitoring setuid programs

Controlling remote access on the network



66/451


The pwconvCommand The pwconv command creates and updates the

/etc/shadow file with information from the/etc/passwd file.

It is the pwconv command that relies on the specialvalue of x in the password field of /etc/passwd.

The x indicates the password for the user alreadyexists in the /etc/shadow file.



67/451


Recording Failed Login Attempts You can save failed login attempts to a file, which is a

useful tool for determining if attempts are being made

to break into a system.

You can record failed login attempts in the file/var/adm/loginlog.

By default, the loginlog file does not exist. To enablelogging, you must create this file with read and writepermissions for root only; for example:

# touch /var/adm/loginlog



68/451


Monitoring System Access All systems should be monitored routinely for

unauthorized user access.

Use the who command to see who is on the system. Itlooks in the /var/adm/utmpx file to obtain thisinformation.

The who command displays a list of users currentlylogged in to the local system.

If a user is logged in remotely, the remote host name for

that user is displayed.



69/451


Displaying User Information To display detailed information about users either

locally or remotely, use the finger command.

The finger command displays the users login name,home directory path, login time, login device name,data contained in the comment field of the

/etc/passwd file, login shell, and the name of the host,if logged in remotely.

Command format:

finger -m username

finger -m username@remotehostname



70/451


Displaying a Record of Login Activity Use the last command to display a record of all logins

and logouts with the most recent activity at the top of

the output.

The last command looks in the /var/adm/wtmpx file,which records all logins and logouts.

Each entry includes the user name, the login device, thehost logged in from, the date and time logged in, thetime of logout, and the total login time in hours andminutes, including entries for system reboot times.



71/451


Displaying Users on Remote Systems The rusers command produces output similar to the

who command but displays users logged in on remote

hosts.

A remote host responds only to the rusers commandif its rpc.rusersddaemon is enabled. It is the network

server daemon that returns the list of users on theremote hosts.

Command format:

rusers [ -l ]



72/451


Accessing rootPrivileges You should log in only to the root account to perform

administration tasks. You should avoid performing

routine work as the root user.

This helps protect the system from unauthorizedaccess, as it reduces the likelihood that the system will

be left unattended with root logged in. You can become root on a system by either:

w Logging in directly as root and supplying the root

passwordw Logging in as a regular user and then invoking the

su command and supplying the root password


73/451



74/451


Effective User ID and EffectiveGroup ID

When you run the su command, the effective user ID(EUID) and effective group ID (EGID) are changed tothe new user to whom you have switched.

Access to files and directories is determined by the

value of the EUID and EGID for the switched user,rather than the user ID (UID) number and group ID(GID) numbers of the user who originally logged in tothe system.

This is important because file and directory access isdetermined based on the value of the EUID and EGIDof the user that you have become.



75/451


Using the whoamiCommand The whoami command displays the switched users

effective current user ID (EUID) number.

# whoami

The who am i command displays the users real userID (UID) number.

# who am i



76/451


Using the suCommand toBecome root

To use thesu

command to becomeroot

:1. Log in directly (from the login window) as a regular

user.

2. At the shell prompt in a terminal window, type su,and press Return. Type the root password, andpress Return.

$ suPassword:

#



77/451


Using the suCommand to Becomeroot

3. To display the original login, type the commandwho am i, and press Return.

# who am iuser1 pts/11 Apr 25 15:45 (:0.0)

4. To determine the login name of the user to whichyou switched, type whoami, and press Return.

# whoami

root



78/451


Using the suCommand to Becomeroot

5. To determine where the user is currently located,type pwd, and press Return. The location is theoriginal users home directory.

# pwd

6. To exit the root session and return to the originaluser, type exit, and press Return.

# exit

$



79/451


Using the suCommand to BecomeAnother Regular User

To switch to another user and have that users environment:1. At the shell prompt, type su with the dash () option

and the name of the user to become, and pressReturn. Type the password for the user account, and

press Return.

$ su - user2Password:

$



80/451



2. Determine the login name of the user you switchedto by typing whoami and pressing Return.

$ whoamiuser2

3. Determine where the user is located by typing pwdand pressing Return. The location is the new usershome directory.

$ pwd



81/451



4. Display the login name of the user originally loggedin as by typing who am i and pressing Return.

$ who am i

user1 pts/4 Apr 25 15:55 (:0.0)

5. To return to the original user status and homedirectory, type exit, and press Return.

$ exit



82/451


Exercise: User Access Exercise Objective

Preparation Task Summary

Tasks

Exercise Summary

Task Solutions



83/451


Check Your Progress Create the /var/adm/loginlog file to save failed login

attempts

Monitor system usage with the commands finger,last, and rusers

Use the su command to become the root user or

another user on the system

Modify the /etc/default/login file to restrict rootaccess



84/451


Determining a Users GroupMembership

The groups command displays group memberships for theuser.

To see to which groups you belong:

# groupsstaff class

To list the groups to which a specific user belongs:

# groups user5staff class sysadmin



85/451


Identifying a User AccountYou use theidcommand to identify users by listing their UID,user name, GID number, and group name.

To view your user account information:

$ id

uid=101(user1) gid=300(class)

To view all account information for a specific user:

$ id -a user1

uid=101(user1) gid=300(class) groups=14(sysadmin)



86/451


Changing a Files Ownership With thechownCommand

You use the chown command to change the original owner ofa file or directory to another user on the system.

In this example, user1 owns a file called file7.

# cd /export/home/user1# ls -l file7-rw-r--r-- 1 user1 staff 672 Jun 1 15:11 file7#

w Give this file to a new user named user2.

# chown user2 file7# ls -l file7-rw-r--r-- 1 user2 staff 672 Jun 1 15:12 file7


Ch O h


87/451


Changing Directory Ownership In this example, user1 owns a directory called dir4.

# ls -ld dir4drwxr-xr-x 8 user1 staff 512 Apr 22 12:51 dir4

#

Give this directory and all of its contents (files and

subdirectories) to user2.

# chown -R user2 dir4# ls -ld dir4drwxr-xr-x 8 user2 staff 512 Jun 1 15:14 dir4

#


Ch i U d G O hi


88/451


Changing User and Group OwnershipSimultaneously

The chown command gives the owner the ability tochange both the ownership and group membership ofa file or directory at the same time:

# chown user3:class file2

You can use the -R option to recursively descend adirectory hierarchy, changing ownership and groupmembership on the directory and its contents,simultaneously:

# chown -R user3:class dir1


Ch i Fil G O hi


89/451


Changing a Files Group OwnershipWith thechgrpCommand

Use the chgrp command to change the group ownership offiles or directories to another group on the system.

For example, the file called file4 currently belongs toa group named staff.

# ls -l file4-rw-r--r-- 1 user1 staff 874 Jun 1 15:08 file4

Use thechgrpcommand to give this file to a new group

named class.# chgrp class file4# ls -l file4-rw-r--r-- 1 user1 class 874 Jun 1 15:09 file4


S i l Fil P i i


90/451


Special File PermissionsThree types of special permissions are available for executablefiles and public directories.

Set-user identification (setuid) permission

Set-group identification (setgid) permission

Sticky Bit permission


Th t idP i i


91/451


The setuidPermissionThe setuid permission displays as an s in the ownersexecute field; for example:

-r-sr-xr-x 1 root sys 17156 Jan 5 17:03 /usr/bin/su

To set thesetuidpermissions on an executable file, use

the chmod command and the octal value 4000; forexample:

# chmod 4555 executable_file


Th t idP i i


92/451


The setgidPermissionThe setgid permission displays as an s in the groupsexecute field; for example:

-r-x--s--x 1 root mail 61288 Jan 5 16:57 /usr/bin/mail

To set a setgid permission on an executable file, use

the chmod command and the octal value 2000; forexample:

# chmod 2555 executable_file


Th Sti k Bit P i i


93/451


The Sticky Bit PermissionThe Sticky Bit displays as the letter t in the execute field forother; for example:

# ls -ld /tmp

drwxrwxrwt 6 root sys 719 May 31 03:30 /tmp

To set the Sticky Bit permission on a directory, use thechmod command and the octal value 1000; forexample:

# chmod 1777 public_directory


Exercise: Working With File Owners


94/451


Exercise: Working With File Owners,Groups, and Special Permissions

Exercise Objective

Preparation

Task Summary

Tasks

Exercise Summary

Task Solutions


Check Your Progress


95/451


Check Your Progress Use the commandsidandgroups to identify users and

their group memberships

Change a files owner or a files group using thecommands chown and chgrp, respectively

Explain how the special permissions setuid, setgid,

and the Sticky Bit can affect system security


Access Control Lists (ACLs)


96/451


Access Control Lists (ACLs)ACLs can provide greater control over file access permissionsand provide better file security for the file owner, file group,

other, specific users, and specific groups.


ACL Commands and Options


97/451


ACL Commands and OptionsCommand/Option Description

getfacl

filename(s)

Displays ACL entries on files.

setfacl options

filename(s)

Sets, adds, modifies, and deletes ACL entrieson files.

setfacl -macl_entries

Creates or modifies ACL entries on files.

setfacl -s

acl_entries

Removes old ACL entries on files andreplaces them with new ACL entries.

setfacl -d

acl_entries

Deletes one or more ACL entries on files.


ACL Commands and Options


98/451


ACL Commands and OptionsCommand/Option Description

setfacl -f

acl_file

Specifies an ACL configuration file

containing a list of permissions to be set onother files. acl_file is used as an argumentwith this command only.

setfacl -r Recalculates permissions for the ACL mask.


ACL Entries


99/451


ACL EntriesACL Fields Description

entry-type The type of entry to set file permissions for owner,

owners group, specific users, additional groups, orthe ACL mask.

UID or GID The users name or identification number (UID).The groups name or identification number (GID).

perm Permissions set for entry-type. You can setpermissions symbolically using r, w, x, and - or byusing octal values from 0 to 7.


ACL Entry Examples


100/451


ACL Entry Examples u[ser]::perm Sets permissions for the file owner.

g[roup]::perm Sets permissions for the ownersgroup.

o[ther]:perm Sets permissions for users other thanthe owner or owners group.

u[ser]:UID:perm or u[ser]:username:perm Sets permissions for a specific user.

g[roup]:GID:perm or

g[roup]:groupname:perm Sets permissions for aspecific group.


ACL Entry Examples


101/451


ACL Entry Examples m[ask]:perm Sets the ACL mask, which indicates

the maximum permissions allowed for all users, except

the owner, and for all groups.


Adding and Modifying ACLPermissions on a File


102/451


Adding and Modifying ACLPermissions on a File

You can use the setfacl -m command to add or modify ACLpermissions on one or more of the files ACL entries; for example:

# setfacl -m user:user8:6 file.txt

# getfacl file.txt

# file: file.txt# owner: user1

# group: class

user::rwx

user::user8:rw- #effective:r--

group::r-- #effective:r--

mask:r--

other:---


103/451


Determining if a File Has an ACL


104/451


Determining if a File Has an ACLThere are two ways to determine if a file has an ACL:

Use the getfacl command Use the ls -l command

Using the ls -l command on any file that has an ACL

displays a plus (+) sign at the end of the permission modefield; for example:

# ls -l file.txt-rwxr-----+ 1 user1 class 167 Apr 18 11:13 file.txt


Deleting an ACL Entry on a File


105/451


Deleting an ACL Entry on a FileTo delete an ACL entry from a file, use the setfacl -dcommand and specify the entry type and the UID (user name)

or GID (group name). This example deletes an ACL entry from file.txt.

# setfacl -d u:user8 file.txt


Replacing an Entire ACL on a File


106/451


Replacing an Entire ACL on a FileTo replace the entire ACL on a file, you must specify at leastthe basic set of user, group, other, and mask permissions and

file names; for example:# setfacl -s user::rw-,group::r--,other:---,mask:rw-,user:user8:rw- file.txt

# getfacl file.txt# file: file.txt# owner: user1# group: classuser::rw-user:user8:rw- #effective:rw-group::r-- #effective:r--mask:rw-other:---


107/451


Check Your Progress


108/451


g Create, modify, and delete ACLs on files


Managing Remote Access Issues


109/451


g gThree network files provide certain schemes for handlingbasic security issues involving remote user access of a local

system: The /etc/hosts.equiv file

The $HOME/.rhosts file

The /etc/ftpusers file


The /etc/hosts.equivand$HOME/.rhostsFiles


110/451


q$HOME/.rhostsFiles

Typically, when a remote user requests login access to a local

host, the first file read is its /etc/passwd file.

If there is no entry in the local hosts /etc/passwd filefor the remote user, access is denied.

The/etc/hosts.equiv and$HOME/.rhostsfiles bypass thisstandard password-based authentication to determine if aremote user is allowed access to the local host.

The information contained in these two files (if theyexist) determines if remote user access is granted ordenied.


Remote Access

Authentication1


111/451

user1host1

rlogin rcp rsh

Accessallowed

Password

user1/ in/etc/passwd

Superuser

host1in /etc/

hosts.equiv

host1in

$HOME/.rhosts

Password

No

No

No

Yes

Yes

Yes

host1

host5

Yes

Yes

rlogin

No


Entries in the /etc/hosts.equivand$HOME/.rhostsFiles


112/451


$ O /. osts es

While these two files have the same format, the same entries

in each file have different effects.

The /etc/hosts.equiv file applies to the entiresystem, while individual users can maintain their own

$HOME/.rhosts files in their home directoriesBoth files contain a list of one-line entries, which can include:

hostname

hostname username

+


The /etc/hosts.equivFile


113/451


For regular users, this file identifies remote hosts and remoteusers who are considered to be trusted.

If a local hosts /etc/hosts.equiv file contains thehost name of the remote host, then all regular users ofthat remote host are trusted and do not need to supplya password to log in to the local host.

This is particularly useful for sites where it is commonfor regular users to have accounts on many differentsystems, eliminating the security risk of sending ASCII

passwords over the network. The /etc/hosts.equiv file does not exist by default.


The $HOME/.rhostsFile


114/451


While the /etc/hosts.equiv file applies system-wide fornon-root users, the .rhosts file applies to a specific user.

All users, including root, can create and maintain theirown .rhosts files in their home directory.

If the remote host name is listed in this file, it is

considered to be a trusted host and remote user access;in this case, root access is granted on the local host.

The $HOME/.rhosts file does not exist by default; youmust create it in the users home directory.


Restricting FTP Loginsh fil l h f h


115/451


Use the /etc/ftpusers file to list the names of users who areprohibited from running an ftp login on the system.

Each line entry contains the login name for eachrestricted user.

By default, ftpusers lists these system account entries:

rootdaemonbinsysadmlp

uucpnuucplistennobodynoaccessnobody4


The /etc/shellsFileTh / / fil i li f h h ll h


116/451


The /etc/shells file contains a list of the shells on thesystem. This file does not exist by default.

If this file does not exist, then getusershells(3c)uses its own list of shells.

By creating this file, each shell that you want to be recognized

by the system must have a single-line entry, consisting of theshells path, relative to / (root); for example:

# vi /etc/shells

/sbin/sh/bin/sh

/bin/ksh


Exercise: Managing Remote SecurityIssues


117/451


Exercise Objective

Preparation

Task Summary

Tasks Exercise Summary

Task Solutions


Check Your ProgressC t l t l i b i t i i th b i


118/451


Control remote login access by maintaining three basicnetwork files: /etc/hosts.equiv, $HOME/.rhosts,

and /etc/ftpusers


Module 4


119/451


Module 4

The Directory Hierarchy


ObjectivesUpon completion of this module you should be able to:


120/451



Identify the four main file types in the SolarisOperating Environment

Describe the functions provided by regular files,directories, symbolic links, device files, and hard links

Define the function of each subdirectory found directlywithin the root directory


The Solaris Operating EnvironmentFile Types


121/451


The Solaris Operating Environment supports a standard set of

files, which provides for storing data, activating devices, orallowing inter-process communication.

Of the different types of files that exist, there are four

main file types in Solaris Operating Environment,which include:

w Regular or ordinary files

w

Directoriesw Symbolic links

w Device files


Identifying File TypesUse the ls l command to distinguish different file types


122/451


Use the ls l command to distinguish different file types.

The character in the first column of informationindicates the file type; for example:

# cd /etc ; ls -l

drwxr-xr-x 2 adm adm 512 Apr 3 10:42 acct

lrwxrwxrwx 1 root root 14 Apr 3 11:05 aliases -> ./

mail/aliases

-rw-r--r-- 1 root bin 50 Apr 3 10:45 auto_home

(output truncated)

# cd /devices/pci@1f,0/pci@1,1/ide@3 ; ls -l

brw------- 1 root sys 136, 0 Apr 3 11:11 dad@0,0:a

crw------- 1 root sys 136, 0 Apr 3 11:11 dad@0,0:a,raw

(output truncated)


Identifying File TypesThe character in the first column identifies each files type as


123/451


The character in the first column identifies each file s type, asfollows:

- Regular files

d Directories

l

Symbolic links b Block-special device files

c Character-special device files


File Names, Inodes, and Data BlocksAll files in the Solaris Operating Environment make use of a


124/451


All files in the Solaris Operating Environment make use of afile name and a record called an inode. Most files also make

use of data blocks. File names are the objects most often used to access and

manipulate files.

Inodes are the objects the system uses to recordinformation about a file.

Data blocks are units of disk space used to store data.


File Names, Inodes, and Data BlocksA file name is associated with an inode, and an inode provides


125/451


A file name is associated with an inode, and an inode providesaccess to data blocks.

Data blocks

Inode numberfile name


Regular FilesA regular file holds data.


126/451


A regular file holds data.

Data blocks

Inode 1282file1

Creation methods

Text editors

Compilers

Application programs

Database programs

Commands (for example touch)

Data

Text

Binaries

Images

Application data

Databases

Purpose

Regular files store data


DirectoriesDirectories store information that associates file names with


127/451


inode numbers.

Data blocks

file1 = inode 1282

dirA = inode 5314

Inode 4221dir1

Creation methods

mkdir name

Data

Directory

information

Purpose

Directories store data that

associates files names with

inode numbers.


Symbolic LinksA symbolic link is a file that points to another file. A symbolic


128/451


y p ylink contains the path name of the file to which it points.

Data block

./file2

Data blocks

Inode 3561 Inode 1282link1 file2

Data

SinglePathname

Creation method

ln -spathname target

Purpose

Symbolic links refer to other file names.A symbolic link contains the pathname

of the file to which it points.


129/451


Device File ExampleThis example shows the relationship between a device file


130/451


p pdad@0,0:a and the disk device it controls. The inode

information fordad@0,0:a

contains major number 136 andminor number 0.

Inode 90681

dad driver (136)

unix

Device file

Disk device

Kernel modules

(device drivers)

dad@0,0:a

136, 0


Two Categories of Device Files

Device files fall into two categories: character-special devices


131/451


and block-special devices.

Character-special device files:

w The file type c identifies character-special devicefiles.

crw------- 1 root sys 136, 0 Apr 3 11:11 dad@0,0:a,raw

Block-special device files:

w The file type b identifies block-special device files.

brw------- 1 root sys 136, 0 Apr 3 11:11 dad@0,0:a


Hard Links

A hard link is the association between a file name and and h d l k f fil


132/451


inode. A hard link is not a separate type of file.

Data blocks Data blocks

file1 = inode 1282

Inode 1282 Inode 4221file1 dir1


File Names Associated With an InodeNumber


133/451


Use the ln command to create new hard links to regular files.

ln file1 file2 creates a new directory called file2,associated with the same inode associated with file1.

Data blocks Data blocks

file1 = inode 1282

file2 = inode 1282

Inode 1282 Inode 4221file1

file2

dir1


The rootSubdirectories

The Solaris Operating Environment consists of a hierarchy ofiti l t di t i d fil th t f th


134/451


critical system directories and files that are necessary for the

operating system to function properly. / The root of the overall file system name space.

/bin The directory location for standard system

commands or binary files. /dev The primary location for logical device names.

/devices The primary location for physical device

names.


135/451



/opt The default directory or mount point for add-on application packages


136/451


on application packages.

/platform The directory of platform-dependentloadable kernel modules.

/sbin Essential executables used in the booting

process and in manual system failure recovery. /tmp Temporary files; cleared during the boot

sequence.

/usr The directory for programs, scripts, andlibraries used by all system users.



/var The directory for varying files, which usuallyincludes temporary logging or status files


137/451

Solaris

solaris 8 operating environemnt system administration i

Documents