Red Hat Enterprise Linux 3
Reference Guide


Summary of Contents for Red Hat ENTERPRISE LINUX 3

  • Page 1 Red Hat Enterprise Linux 3 Reference Guide...
  • Page 2 All other trademarks and copyrights referred to are the property of their respective owners. The GPG fingerprint of the security@redhat.com key is: CA 20 86 86 2B D6 9D FC 65 F6 EC C4 21 91 80 CD DB 42 A6 0E...
  • Page 3: Table Of Contents

    Table of Contents: Introduction (i); 1. Changes To This Manual (i); 2. Finding Appropriate Documentation (ii); 2.1. Documentation For First-Time Linux Users (ii); 2.2. For the More Experienced (iv); 2.3. Documentation for Linux Gurus (v); 3. Document Conventions (v); 4.
  • Page 4 7.2. Desktop Environments and Window Managers (88); 7.3. XFree86 Server Configuration Files (89); 7.4. Fonts (95); 7.5. Runlevels and XFree86 (98); 7.6. Additional Resources (99); II. Network Services Reference (101); 8. Network Interfaces (103); 8.1. Network Configuration Files (103); 8.2.
  • Page 5 14.1. The File Transport Protocol (213); 14.2. FTP Servers (214); 14.3. Files Installed with vsftpd (214); 14.4. Starting and Stopping vsftpd (215); 14.5. vsftpd Configuration Options (216); 14.6. Additional Resources (224); III. Security Reference (227); 15. Pluggable Authentication Modules (PAM) (229); 15.1.
  • Page 7: Introduction

    Introduction Welcome to the Red Hat Enterprise Linux Reference Guide. The Red Hat Enterprise Linux Reference Guide contains useful information about the Red Hat Enterprise Linux system. From fundamental concepts, such as the structure of the file system, to the finer points of system security and authentication control, we hope you find this book to be a valuable resource.
  • Page 8: Finding Appropriate Documentation

    HTML, PDF, and RPM versions of the manuals are available on the Red Hat Enterprise Linux Documentation CD and online at http://www.redhat.com/docs/. Note Although this manual reflects the most current information possible, read the Red Hat Enterprise Linux Release Notes for information that may not have been available prior to our documentation being finalized.
  • Page 9: Documentation For First-Time Linux Users

    2.1.1. Introduction to Linux Websites • http://www.redhat.com/ — On the Red Hat website, you find links to the Linux Documentation Project (LDP), online versions of the Red Hat Enterprise Linux manuals, FAQs (Frequently Asked Questions), a database which can help you find a Linux Users Group near you, technical information...
  • Page 10: For The More Experienced

    — Questions or requests for help that do not really fit into traditional categories go here. • linux.redhat.rpm — A good place to go if you are having trouble using RPM to accomplish particular objectives. 2.1.3. Beginning Linux Books Red Hat Linux for Dummies, 2nd Edition by Jon "maddog"...
  • Page 11: Documentation For Linux Gurus

    Introduction If you are concerned about security issues, the Red Hat Enterprise Linux Security Guide is a great resource — explaining in concise terms best strategies and practices for securing Red Hat Enterprise Linux. 2.3. Documentation for Linux Gurus If you are a long-time Red Hat Enterprise Linux user, you probably already know that one of the best ways to understand a particular program is to read its source code and/or configuration files.
  • Page 12 Introduction [key]-[combination] A combination of keystrokes is represented in this way. For example: The [Ctrl]-[Alt]-[Backspace] key combination exits your graphical session and returns you to the graphical login screen or the console. text found on a GUI interface A title, word, or phrase found on a GUI interface screen or window is shown in this style. Text shown in this style is being used to identify a particular GUI screen or an element on a GUI screen (such as text associated with a checkbox or field).
  • Page 13 Introduction replaceable Text used for examples which is meant to be replaced with data provided by the user is displayed in this style. In the following example, version-number is displayed in this style: The directory for the kernel source is /usr/src/version-number/, where version-number is the version of the kernel installed on this system.
  • Page 14: Using The Mouse

    If you find an error in the Red Hat Enterprise Linux Reference Guide, or if you have thought of a way to make this manual better, we would love to hear from you! Please submit a report in Bugzilla (http://bugzilla.redhat.com/bugzilla/) against the component rhel-rg. Be sure to mention the manual’s identifier: rhel-rg(EN)-3-Print-RHI (2003-07-25T17:13) If you mention the manual’s identifier, we know exactly which version of the guide you have.
  • Page 15 Introduction Note You must activate your product before attempting to connect to Red Hat Network. If your product has not been activated, Red Hat Network rejects registration to channels to which the system is not entitled. Good luck, and thank you for choosing Red Hat Enterprise Linux! The Red Hat Documentation Team...
  • Page 16 Introduction...
  • Page 17: System Reference

    I. System Reference To manage the system effectively, it is crucial to know about its components and how they fit together. This part outlines many important aspects of the system. It covers the boot process, the basic file system layout, the location of crucial system files and file systems, and the basic concepts behind users and groups.
  • Page 19: Boot Process, Init, And Shutdown

    Chapter 1. Boot Process, Init, and Shutdown An important and powerful aspect of Red Hat Enterprise Linux is the open, user-configurable method it uses for starting the operating system. Users are free to configure many aspects of the boot process, including specifying the programs launched at boot-time.
  • Page 20 If upgrading the kernel using the Red Hat Update Agent, the boot loader configuration file is updated automatically. More information on Red Hat Network can be found online at the following URL: https://rhn.redhat.com. Once the second stage boot loader is in memory, it presents the user with a graphical screen showing the different operating systems or kernels it has been configured to boot.
  • Page 21 Chapter 1. Boot Process, Init, and Shutdown If any problems occur using the SMP kernel, try selecting a non-SMP kernel upon rebooting. Once the second stage boot loader has determined which kernel to boot, it locates the corresponding kernel binary in the directory.
  • Page 22 Chapter 1. Boot Process, Init, and Shutdown To set up the user environment, the kernel executes the /sbin/init program. 1.2.4. The /sbin/init Program The /sbin/init program (also called init) coordinates the rest of the boot process and configures the environment for the user. When the init command starts, it becomes the parent or grandparent of all of the processes that...
  • Page 23 Chapter 1. Boot Process, Init, and Shutdown K46radvd -> ../init.d/radvd K50netdump -> ../init.d/netdump K50snmpd -> ../init.d/snmpd K50snmptrapd -> ../init.d/snmptrapd K50tux -> ../init.d/tux K50vsftpd -> ../init.d/vsftpd K54pxe -> ../init.d/pxe K61ldap -> ../init.d/ldap K65kadmin -> ../init.d/kadmin K65kprop -> ../init.d/kprop K65krb524 -> ../init.d/krb524 K65krb5kdc ->...
  • Page 24: Running Additional Programs At Boot Time

    Chapter 1. Boot Process, Init, and Shutdown As illustrated in this listing, none of the scripts that actually start and stop the services are located in the /etc/rc.d/rc5.d/ directory. Rather, all of the files in /etc/rc.d/rc5.d/ are symbolic links pointing to scripts located in the directory.
  • Page 25: Sysv Init Runlevels

    Chapter 1. Boot Process, Init, and Shutdown The /etc/rc.serial script is used if serial ports must be set up at boot time. This script runs setserial commands to configure the system’s serial ports. Refer to the setserial man page for more information. 1.4.
  • Page 26: Shutting Down

    — graphical (redhat-config-services) program is a flexible utility for configuring runlevels. Refer to the chapter titled Controlling Access to Services in the Red Hat Enterprise Linux System Administration Guide for more information regarding these tools. 1.5. Shutting Down To shut down Red Hat Enterprise Linux, the root user may issue the command.
  • Page 27 Chapter 1. Boot Process, Init, and Shutdown PAM console users can use the reboot and halt commands to shut down the system while in runlevels 1 through 5. For more information about PAM console users, refer to Section 15.7 PAM and Device Ownership.
  • Page 28 Chapter 1. Boot Process, Init, and Shutdown...
  • Page 29: Boot Loaders

    Chapter 2. Boot Loaders When a computer with Red Hat Enterprise Linux is turned on, the operating system is loaded into memory by a special program called a boot loader. A boot loader usually exists on the system’s primary hard drive (or other media device) and has the sole responsibility of loading the Linux kernel with its required files or (in some cases) other operating systems into memory.
  • Page 30 Chapter 2. Boot Loaders 2. The Stage 1.5 boot loader is read into memory by the Stage 1 boot loader, if necessary. Some hardware requires an intermediate step to get to the Stage 2 boot loader. This is sometimes true when the /boot/ partition is above the 1024 cylinder head of the hard drive or when using LBA...
  • Page 31: Installing Grub

    Chapter 2. Boot Loaders 2.3. Installing GRUB If GRUB was not installed during the installation process, it can be installed afterward. Once installed, it automatically becomes the default boot loader. Before installing GRUB, make sure to use the latest GRUB package available or use the GRUB package from the installation CD-ROMs.
  • Page 32 Chapter 2. Boot Loaders The numbering system for devices under GRUB always begins with , not . Failing to make this distinction is one of the most common mistakes made by new users. To give an example, if a system has more than one hard drive, GRUB refers to the first hard drive and the second as .
  • Page 33: Grub Interfaces

    Chapter 2. Boot Loaders The following shows the chainloader command with a similar blocklist designation at the GRUB command line after setting the correct device and partition as root: chainloader +1 2.4.3. The Root File System and GRUB The use of the term root file system has a different meaning in regard to GRUB. It is important to remember that GRUB’s root file system has nothing to do with the Linux root file system.
  • Page 34: Grub Commands

    Chapter 2. Boot Loaders Command Line Interface The command line interface is the most basic of the GRUB interfaces, but it is also the one that grants the most control. The command line makes it possible to type any relevant GRUB commands followed by the [Enter] key to execute them.
  • Page 35: Grub Menu Configuration File

    Chapter 2. Boot Loaders • stage-2 — Passes the stage 2 boot loader location to the stage 1 boot loader, such as (hd0,0)/grub/stage2 • config-file — This option tells the install command to look for the menu configuration file specified by config-file, such as (hd0,0)/grub/grub.conf...
  • Page 36 Chapter 2. Boot Loaders # section to load Windows title Windows rootnoverify (hd0,0) chainloader +1 This file configures GRUB to build a menu with Red Hat Enterprise Linux as the default operating system and sets it to autoboot after 10 seconds. Two sections are given, one for each operating system entry, with commands specific to the system disk partition table.
  • Page 37: Lilo

    Chapter 2. Boot Loaders file is left out of the command, a user who knows the password is allowed to edit the current configuration file. For more information about securing GRUB, refer to the chapter titled Workstation Security in the Red Hat Enterprise Linux Security Guide.
  • Page 38: The Lilo Configuration File

    Interfaces for more information about the GRUB command line interface. If upgrading the kernel using the Red Hat Update Agent, the MBR is updated automatically. More information about RHN is available online at https://rhn.redhat.com/. 2.9. The LILO Configuration File The LILO configuration file is .
  • Page 39 Chapter 2. Boot Loaders 2.9.1. Sample /etc/lilo.conf The following is a sample /etc/lilo.conf for a system configured to boot two operating systems, Red Hat Enterprise Linux and DOS: boot=/dev/hda map=/boot/map install=/boot/boot.b prompt timeout=50 message=/boot/message lba32 default=linux image=/boot/vmlinuz-2.4.0-0.43.6 label=linux initrd=/boot/initrd-2.4.0-0.43.6.img read-only root=/dev/hda5 other=/dev/hda1 label=dos...
  • Page 40: Changing Runlevels At Boot Time

    Chapter 2. Boot Loaders • read-only — Specifies that the root partition (refer to the root line below) is read-only and cannot be altered during the boot process. • root=/dev/hda5 — Specifies which disk partition to use as the root partition. —...
  • Page 41 — The original GRUB documentation before the project was handed off to the Free Software Foundation for further development. • http://www.redhat.com/mirrors/LDP/HOWTO/mini/Multiboot-with-GRUB.html — Investigates various uses for GRUB, including booting operating systems other than Linux. • http://www.linuxgazette.com/issue64/kohli.html — An introductory article discussing the configu-...
  • Page 42 Chapter 2. Boot Loaders...
  • Page 43: File System Structure

    Chapter 3. File System Structure 3.1. Why Share a Common Structure? An operating system’s file system structure is its most basic level of organization. Almost all of the ways an operating system interacts with its users, applications, and security model are dependent upon the way it organizes files on storage devices.
  • Page 44 Chapter 3. File System Structure 3.2.1.1. The /boot/ Directory The /boot/ directory contains static files required to boot the system, such as the Linux kernel. These files are essential for the system to boot properly. Warning Do not remove the /boot/ directory. Doing so will render the system unbootable. 3.2.1.2.
  • Page 45 Chapter 3. File System Structure Large packages that encompass many different sub-packages, each of which accomplish a particular task, are also located in the /opt/ directory, giving that large package a way to organize itself. In this way, our sample package may have different tools that each go in their own sub-directories, such as /opt/sample/tool1/, each of which can have their own...
  • Page 46 Chapter 3. File System Structure |- share/ |- src/ |- tmp -> ../var/tmp/ |- X11R6/ Under the /usr/ directory, the bin/ directory contains executables, dict/ contains non-FHS compliant documentation pages, etc/ contains system-wide configuration files, games is for games, include/ contains C header files, contains binaries and other Kerberos-related files, and...
  • Page 47 Chapter 3. File System Structure /var |- account/ |- arpwatch/ |- cache/ |- crash/ |- db/ |- empty/ |- ftp/ |- gdm/ |- kerberos/ |- lib/ |- local/ |- lock/ |- log/ |- mail -> spool/mail/ |- mailman/ |- named/ |- nis/ |- opt/ |- preserve/...
  • Page 48: Special File Locations Under Red Hat Enterprise Linux

    RPM header information for the system. This location may also be used to temporarily store RPMs downloaded while updating the system. For more information about Red Hat Network, refer to the documentation online at https://rhn.redhat.com/. Another location specific to Red Hat Enterprise Linux is the directory.
  • Page 49: The Sysconfig Directory

    • firstboot • harddisks • hwconf • i18n • init • ip6tables-config • iptables-config • irda • keyboard • kudzu • mouse • named • netdump • network • ntpd • pcmcia • radvd • rawdevices • redhat-config-securitylevel...
  • Page 50: Sysconfig Directory

    Chapter 4. The sysconfig Directory • redhat-config-users • redhat-logviewer • samba • sendmail • spamassassin • squid • vncservers • xinetd Note If some of the files listed here are not present in the /etc/sysconfig/ directory, the corresponding program may not be installed.
  • Page 51 Chapter 4. The sysconfig Directory — Kerberos is not used for authentication. • USELDAPAUTH=value, where value is one of the following: • — LDAP is used for authentication. • — LDAP is not used for authentication. 4.1.4. /etc/sysconfig/clock The /etc/sysconfig/clock file controls the interpretation of values read from the system hard-...
  • Page 52 Chapter 4. The sysconfig Directory — Selects the KDE desktop environment. • DISPLAYMANAGER=value, where value is one of the following: • GNOME — Selects the GNOME Display Manager. • — Selects the KDE Display Manager. • — Selects the X Display Manager. ...
  • Page 53 Chapter 4. The sysconfig Directory Warning Do not make changes to this file without careful consideration. By changing the default values, it is possible to corrupt all of the data on the hard drive(s). The /etc/sysconfig/harddisks file may contain the following: , where setting this value to 1 enables DMA.
  • Page 54 The easiest way to add iptables rules is to use the Security Level Configuration Tool (redhat-config-securitylevel) application to create a firewall. These applications automatically edit this file at the end of the process. Rules can also be created manually using the command.
  • Page 55 Chapter 4. The sysconfig Directory 4.1.16. /etc/sysconfig/irda The /etc/sysconfig/irda file controls how infrared devices on the system are configured at startup. The following values may be used: • IRDA=value, where value is one of the following boolean values: • — irattach is run, which periodically checks to see if anything is trying to connect to...
  • Page 56 Chapter 4. The sysconfig Directory 4.1.19. /etc/sysconfig/mouse The /etc/sysconfig/mouse file is used to specify information about the available mouse. The following values may be used: • FULLNAME=value, where value refers to the full name of the kind of mouse being used. • , where is one of the following:...
  • Page 57 Chapter 4. The sysconfig Directory For more information about what parameters are available for this file, refer to the named man page. For detailed information on how to configure a BIND DNS server, refer to Chapter 12 Berkeley Internet Name Domain (BIND). By default, the file contains no parameters. 4.1.21.
  • Page 58 The /etc/sysconfig/rawdevices file is used to configure raw device bindings, such as: /dev/raw/raw1 /dev/sda1 /dev/raw/raw2 8 5 4.1.27. /etc/sysconfig/redhat-config-securitylevel The /etc/sysconfig/redhat-config-securitylevel file contains all options chosen by the user the last time the Security Level Configuration Tool (redhat-config-securitylevel) was run.
  • Page 59 Chapter 4. The sysconfig Directory 4.1.29. /etc/sysconfig/redhat-logviewer The /etc/sysconfig/redhat-logviewer file is the configuration file for the graphical, interactive log viewing application, Log Viewer. This file is edited by the Edit => Preferences pull-down menu in the Log Viewer application and should not be edited by hand. For more information on using this application, refer to the chapter called Log Files in the Red Hat Enterprise Linux System Administration Guide.
  • Page 60: Directories In The

    • networking/ (redhat-config-network), and its contents should not be edited manually. For more information about configuring network interfaces using the Network Administration Tool, refer to the chapter called Network Configuration in the Red Hat Enterprise Linux System Administration Guide.
  • Page 61: Additional Resources

    No files in this directory should be edited by hand. For more information on the Red Hat Network, refer to the Red Hat Network website online at https://rhn.redhat.com/. 4.3. Additional Resources This chapter is only intended as an introduction to the files in the directory.
  • Page 62 Chapter 4. The sysconfig Directory...
  • Page 63: The Proc

    Chapter 5. The proc File System The Linux kernel has two primary functions: to control access to physical devices on the computer and to schedule when and how processes interact with these devices. The /proc/ directory — also called the proc file system — contains a hierarchy of special files which represent the current state of the kernel —...
  • Page 64: File System

    Chapter 5. The proc File System When viewing different virtual files in the /proc/ file system, some of the information is easily understandable while some is not human-readable. This is in part why utilities exist to pull data from virtual files and display it in a useful way. Examples of these utilities include lspci, free, and...
  • Page 65 Chapter 5. The proc File System 5.2.1. /proc/apm This file provides information about the state of the Advanced Power Management (APM) system and is used by the command. If a system with no battery is connected to an AC power source, this virtual file would look similar to the following: 1.16 1.2 0x07 0x01 0xff 0x80 -1% -1 ? Running the...
  • Page 66 Chapter 5. The proc File System runqueue : 0 fdiv_bug : no hlt_bug : no f00f_bug : no coma_bug : no : yes fpu_exception : yes cpuid level : 2 : yes flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm bogomips : 4771.02 —...
  • Page 67 Chapter 5. The proc File System Block devices: 1 ramdisk 2 fd 3 ide0 9 md 22 ide1 The output from /proc/devices includes the major number and name of the device, and is broken into two major sections: Character devices Block devices Character devices are similar to block devices, except for two basic differences: 1.
  • Page 68 Chapter 5. The proc File System 5.2.8. /proc/filesystems This file displays a list of the file system types currently supported by the kernel. Sample output from a generic /proc/filesystems looks similar to the following: nodev rootfs nodev bdev nodev proc nodev sockfs nodev tmpfs nodev shm...
  • Page 69 Chapter 5. The proc File System The first column refers to the IRQ number. Each CPU in the system has its own column and its own number of interrupts per IRQ. The next column reports the type of interrupt, and the last column contains the name of the device that is located at that IRQ.
  • Page 70 Chapter 5. The proc File System 00f0-00ff : fpu 0170-0177 : ide1 01f0-01f7 : ide0 02f8-02ff : serial(auto) 0376-0376 : ide1 03c0-03df : vga+ 03f6-03f6 : ide0 03f8-03ff : serial(auto) 0cf8-0cff : PCI conf1 d000-dfff : PCI Bus #01 e000-e00f : VIA Technologies, Inc. Bus Master IDE e000-e007 : ide0 e008-e00f : ide1 e800-e87f : Digital Equipment Corporation DECchip 21140 [FasterNet]...
  • Page 71 Chapter 5. The proc File System 5.2.13. /proc/kcore This file represents the physical memory of the system and is stored in the core file format. Unlike most /proc/ files, kcore displays a size. This value is given in bytes and is equal to the size of the physical memory (RAM) used plus 4KB.
  • Page 72 Chapter 5. The proc File System 5.2.17. /proc/locks This file displays the files currently locked by the kernel. The contents of this file contain internal kernel debugging data and can vary tremendously, depending on the use of the system. A sample /proc/locks file for a lightly loaded system looks similar to the following: 1: FLOCK...
  • Page 73 Chapter 5. The proc File System Buffers: 9076 kB Cached: 34204 kB SwapCached: 12636 kB Active: 79352 kB ActiveAnon: 57308 kB ActiveCache: 22044 kB Inact_dirty: 240 kB Inact_laundry: 17468 kB Inact_clean: 984 kB Inact_target: 19608 kB HighTotal: 0 kB HighFree: 0 kB LowTotal: 125676 kB...
  • Page 74 Chapter 5. The proc File System • HugePages_Total — The total number of hugepages for the system. The number is derived by dividing Hugepagesize by the megabytes set aside for hugepages specified in /proc/sys/vm/hugetlb_pool. This statistic only appears on x86, Itanium, AMD64, and Intel®...
  • Page 75 Chapter 5. The proc File System 5.2.22. /proc/mounts This file provides a list of all mounts in use by the system: rootfs / rootfs rw 0 0 /dev/hda2 / ext3 rw 0 0 /proc /proc proc rw 0 0 /dev/hda1 /boot ext3 rw 0 0 none /dev/pts devpts rw 0 0 none /dev/shm tmpfs rw 0 0 none /proc/sys/fs/binfmt_misc binfmt_misc rw 0 0...
  • Page 76 Chapter 5. The proc File System 0, device 0, function Host bridge: Intel Corporation 440BX/ZX - 82443BX/ZX Host bridge (rev 3). Master Capable. Latency=64. Prefetchable 32 bit memory at 0xe4000000 [0xe7ffffff]. 0, device 1, function PCI bridge: Intel Corporation 440BX/ZX - 82443BX/ZX AGP bridge (rev 3). Master Capable.
  • Page 77: Using The 5.5. Additional Resources

    Chapter 5. The proc File System ip_fib_hash journal_head 7020 revoke_table revoke_record clip_arp_cache ip_mrt_cache The values in this file occur in the following order: cache name, number of active objects, number of total objects, size of the object, number of active slabs (blocks) of the objects, total number of slabs of the objects, and the number of pages per slab.
  • Page 78: Proc

    Red Hat Enterprise Linux installed on the system: Linux version 2.4.20-1.1931.2.231.2.12.ent (user@foo.redhat.com) (gcc version 3.2.3 200 (Red Hat Enterprise Linux 3.2.3-7)) #1 Thu Jun 19 14:57:04 EDT 2003 This information is used for a variety of purposes, including the version data presented when a user logs in.
  • Page 79 Chapter 5. The proc File System These directories are called process directories, as they are named after a program’s process ID and contain information specific to that process. The owner and group of each process directory is set to the user running the process. When the process is terminated, its process directory vanishes.
  • Page 80 Chapter 5. The proc File System 4. Number of pages that are code. 5. Number of pages of data/stack. 6. Number of library pages. 7. Number of dirty pages. — The status of the process in a more readable form than .
  • Page 81 Chapter 5. The proc File System For example, the /proc/bus/usb/ subdirectory contains files that track the various devices on any USB buses, as well as the drivers required for them. The following is a sample listing of a /proc/bus/usb/ directory: total 0 dr-xr-xr-x 1 root...
  • Page 82 Chapter 5. The proc File System 5.3.5. /proc/ide/ This directory contains information about IDE devices on the system. Each IDE channel is represented as a separate directory, such as /proc/ide/ide0 and /proc/ide/ide1. In addition, a drivers file is available, providing the version number of the various drivers used on the IDE channels: ide-cdrom version 4.59 ide-floppy version 0.97 ide-disk version 1.10...
  • Page 83 Chapter 5. The proc File System • settings — A collection of current parameters of the device. This file usually contains quite a bit of useful, technical information. A sample settings file for a standard IDE hard disk looks similar to the following: name value mode...
  • Page 84 Chapter 5. The proc File System of packets inbound and outbound, the number of errors seen, the number of packets dropped, and more. • dev_mcast — Lists Layer2 multicast groups on which each device is listening. • — Lists the IP multicast addresses which this system joined. ...
  • Page 85 Chapter 5. The proc File System Each SCSI driver used by the system has its own directory within /proc/scsi/, which contains files specific to each SCSI controller using that driver. From the previous example, aic7xxx and megaraid directories are present, since two drivers are in use. The files in each of the directories typically contain an I/O address range, IRQ information, and statistics for the SCSI controller using that driver.
  • Page 86 Chapter 5. The proc File System For example, this controller is communicating with the CD-ROM at 20 megabytes per second, while the tape drive is only communicating at 10 megabytes per second. 5.3.9. /proc/sys/ The /proc/sys/ directory is different from others in /proc/ because it not only provides infor-...
  • Page 87 Chapter 5. The proc File System 5.3.9.1. /proc/sys/dev/ This directory provides parameters for particular devices on the system. Most systems have at least two directories, cdrom and raid. Customized kernels can have other directories, such as parport, which provides the ability to share one parallel port between multiple device drivers. The cdrom directory contains a file called , which reveals a number of important CD-ROM...
  • Page 88 Chapter 5. The proc File System • file-nr — Lists the number of allocated file handles, used file handles, and the maximum number of file handles. • overflowgid and overflowuid — Defines the fixed group ID and user ID, respectively, for use with file systems that only support 16-bit group and user IDs.
  • Page 89 Chapter 5. The proc File System • overflowgid and overflowuid — Defines the fixed group ID and user ID, respectively, for use with system calls on architectures that only support 16-bit group and user IDs. • — Defines the number of seconds the kernel postpones rebooting when the system experi-...
  • Page 90 Chapter 5. The proc File System • — Kills all processes active in a virtual console. Also called the Secure Access Key (SAK), it is often used to verify that the login prompt is spawned from init and not a trojan copy designed to capture usernames and passwords.
  • Page 91 Chapter 5. The proc File System • version — Displays the date and time the kernel was last compiled. The first field in this file, such as , relates to the number of times a kernel was built from the source base. 5.3.9.4.
  • Page 92 Chapter 5. The proc File System dresses, respectively. A value of allows the kernel to respond, while a value of ignores the packets. • ip_default_ttl — Sets the default Time To Live (TTL), which limits the number of hops a packet may make before reaching its destination.
  • Page 93 Chapter 5. The proc File System improve performance on a system using a lot of swap space by telling the kernel to write pages in large chunks, minimizing the number of disk seeks. • — Configures the maximum number of memory map areas a process may have. ...
  • Page 94: Proc/Command

    Chapter 5. The proc File System • page-cluster — Sets the number of pages read in a single attempt. The default value of , which actually relates to 16 pages, is appropriate for most systems. • — Controls the number of page tables that are cached on a per-processor basis. ...
  • Page 95 Chapter 5. The proc File System To get a quick overview of all settings configurable in the /proc/sys/ directory, type the /sbin/sysctl -a command as root. This creates a large, comprehensive list, a small portion of which looks something like the following: net.ipv4.route.min_delay = 2 kernel.sysrq = 0 kernel.sem = 250...
  • Page 96 Chapter 5. The proc File System 5.5.2. Useful Websites • http://www.linuxhq.com/ — This website maintains a complete database of source, patches, and documentation for various versions of the Linux kernel.
  • Page 97: Users And Groups

    The easiest way to manage users and groups is through the graphical application, User Manager (redhat-config-users). For more information on User Manager, refer to the chapter titled User and Group Configuration in the Red Hat Enterprise Linux System Administration Guide.
  • Page 98: Standard Users

    Chapter 6. Users and Groups 6.2. Standard Users Table 6-1 lists the standard users configured in the /etc/passwd file by an "Everything" installation. The groupid (GID) in this table is the primary group for the user. See Section 6.3 Standard Groups for a listing of standard groups.
  • Page 99: Standard Groups

    Chapter 6. Users and Groups
    User        Home Directory          Shell
                /usr/share/pvm3         /bin/bash
    apache      /var/www                /bin/false
                /etc/X11/fs             /sbin/nologin
    desktop     /var/lib/menu/kde       /sbin/nologin
                /var/gdm                /sbin/nologin
    mysql       /var/lib/mysql          /bin/bash
    webalizer   /var/www/html/usage     /sbin/nologin
    mailnull    /var/spool/mqueue       /sbin/nologin
    smmsp       /var/spool/mqueue       /sbin/nologin
    squid       /var/spool/squid        /dev/null
    ldap        /var/lib/ldap           /bin/false
    netdump     /var/crash              /bin/bash
    pcap...
  • Page 100 Chapter 6. Users and Groups Group Members news news uucp uucp games gopher lock nobody users utmp floppy vcsa canna nscd postdrop postfix named postgres sshd rpcuser nfsnobody 65534 apache desktop mysql webalizer mailnull smmsp squid...
  • Page 101: User Private Groups

    Chapter 6. Users and Groups Group Members ldap netdump pcap quaggavty quagga radvd slocate Table 6-2. Standard Groups 6.4. User Private Groups Red Hat Enterprise Linux uses a user private group (UPG) scheme, which makes UNIX groups easier to manage. A UPG is created whenever a new user is added to the system.
  • Page 102: Shadow Passwords

    Chapter 6. Users and Groups
    /usr/bin/gpasswd -a username emacs
    To allow the users to actually create files in the directory, use the following command:
    chmod 775 /usr/lib/emacs/site-lisp
    When a user creates a new file, it is assigned the group of the user’s default private group. Next, set the setgid bit, which assigns everything created in the directory the same group permission as the directory itself (emacs).
  • Page 103 Chapter 6. Users and Groups User and Group Administrative Applications • man chage — A command to modify password aging policies and account expiration. • man gpasswd — A command to administer the /etc/group file. • man groupadd — A command to add groups. •...
  • Page 105: The X Window System

    Red Hat Enterprise Linux, be sure the video card is compatible with XFree86 version 4 by checking the Red Hat Hardware Compatibility List located online at http://hardware.redhat.com/. The files related to XFree86 reside primarily in two locations: /usr/X11R6/ Contains X server and some client applications, as well as X header files, libraries, modules, and...
  • Page 106: Desktop Environments And Window Managers

    XFree86 must be reconfigured. The best way to do this is to use the X Configuration Tool (redhat-config-xfree86). To start the X Configuration Tool while in an active X session, go to the Main Menu Button (on the Panel) =>...
  • Page 107: Xfree86 Server Configuration Files

    Chapter 7. The X Window System — The Motif window manager is a basic, standalone window manager. Since it is designed to • be a standalone window manager, it should not be used in conjunction with GNOME or KDE. — The minimalist Tab Window Manager, which provides the most basic tool set of any of the •...
  • Page 108 Chapter 7. The X Window System 7.3.1.2. ServerFlags The optional ServerFlags section contains miscellaneous global XFree86 server settings. Any settings in this section may be overridden by options placed in the ServerLayout section (refer to Section 7.3.1.3 ServerLayout for details). Each entry within the ServerFlags section is on its own line and begins with the term...
  • Page 109 Chapter 7. The X Window System There must be at least two InputDevice entries: one for the default mouse and one for the default keyboard. The CorePointer and CoreKeyboard options indicate these are the primary mouse and keyboard. — An optional entry which specifies extra parameters for the sec- •...
  • Page 110 Chapter 7. The X Window System 7.3.1.6. InputDevice Each InputDevice section configures one input device for the XFree86 server. Systems typically have at least two InputDevice sections, keyboard and mouse. The following example illustrates a typical InputDevice section for a mouse: Section "InputDevice"...
  • Page 111 Chapter 7. The X Window System Warning Be careful if manually editing values in the Monitor section of /etc/X11/XF86Config. Inappropriate values can damage or destroy a monitor. Consult the monitor’s documentation for a listing of safe operating parameters. The following are commonly used entries in the Monitor section: —...
  • Page 112 Chapter 7. The X Window System • VendorName — An optional parameter which specifies the vendor of the video card. • BoardName — An optional parameter which specifies the name of the video card. — An optional parameter which specifies the amount of RAM available on the video •...
  • Page 113: Fonts

    Chapter 7. The X Window System • SubSection "Display" — Specifies the screen modes available at a particular color depth. A Screen section may have multiple Display subsections, but there must be at least one for the color depth specified in the entry.
  • Page 114 Chapter 7. The X Window System Due to the transition to the new font system, GTK+ 1.2 applications are not affected by any changes made via the Font Preferences dialog (accessed by selecting Main Menu Button [on the Panel] => Preferences =>...
  • Page 115 Chapter 7. The X Window System 7.4.2. Core X Font System For compatibility, Red Hat Enterprise Linux provides the core X font subsystem, which uses the X Font Server to provide fonts to X client applications. The XFree86 server looks for a font server specified in the FontPath directive within the Files...
  • Page 116: Runlevels And Xfree86

    Chapter 7. The X Window System 7.4.2.2. Adding Fonts to the core X font subsystem To add fonts to the core X font subsystem, follow these steps: 1. If it does not already exist, create a directory called /usr/share/fonts/local/ using the following command as root:
    mkdir /usr/share/fonts/local/
    If creating the directory is necessary, it must be added to the...
  • Page 117: Additional Resources

    Chapter 7. The X Window System The user is returned to a text mode user session after logging out of X from runlevel 3. 7.5.2. Runlevel 5 When the system boots into runlevel 5, a special X client application, called a display manager is launched.
  • Page 118 — Home page of the DRI (Direct Rendering Infrastructure) • project. The DRI is the core hardware 3D acceleration component of XFree86. http://www.redhat.com/mirrors/LDP/HOWTO/XFree86-HOWTO/ — A HOWTO document de- • tailing the manual installation and custom configuration of XFree86. http://www.gnome.org/ — Home of the GNOME project.
  • Page 119: Network Services Reference

    II. Network Services Reference It is possible to deploy a wide variety of network services under Red Hat Enterprise Linux. This part describes how network interfaces are configured as well as provides details about critical network services such as FTP, NFS, the Apache HTTP Server, Sendmail, Postfix, Fetchmail, Procmail, BIND, and LDAP.
  • Page 121: Network Interfaces

    The /etc/sysconfig/networking/ directory is used by the Network Administration Tool (redhat-config-network) and its contents should not be edited manually. For more information about configuring network interfaces using the Network Administration Tool, refer to the chapter called Network Configuration in the Red Hat Enterprise Linux System Administration Guide.
  • Page 122 The Network Administration Tool (redhat-config-network) is an easy way to make changes to the various network interface configuration files (refer to the chapter titled Network Configuration in the Red Hat Enterprise Linux System Administration Guide for detailed instructions on using this tool).
  • Page 123 Chapter 8. Network Interfaces • DNS{1,2}=address, where address is a name server address to be placed in /etc/resolv.conf if the PEERDNS directive is set to yes. • HWADDR=MAC-address, where MAC-address is the hardware address of the Ethernet device in the form AA:BB:CC:DD:EE:FF.
  • Page 124 Tool (redhat-config-network) refer to the chapter titled Network Configuration in the Red Hat Enterprise Linux System Administration Guide. For instructions on setting up IPsec manually, refer to the chapter titled Virtual Private Networks in the Red Hat Enterprise Linux Security Guide.
  • Page 125 Chapter 8. Network Interfaces 8.2.3. Channel Bonding Interfaces Red Hat Enterprise Linux allows administrators to bind multiple network interfaces together into a single channel using the bonding kernel module and a special network interface called a channel bonding interface. Channel bonding enables two or more network interfaces to act as one, simultaneously increasing the bandwidth and providing redundancy.
  • Page 126 Chapter 8. Network Interfaces 8.2.4. Alias and Clone Files Two lesser-used types of interface configuration files are alias and clone files. Alias interface configuration files follow this naming scheme: ifcfg-if-name:alias-value. They are used primarily to bind multiple addresses to a single interface.
  • Page 127 Chapter 8. Network Interfaces
    LINESPEED=115200
    PAPNAME=test
    USERCTL=true
    ONBOOT=no
    PERSIST=no
    DEFROUTE=yes
    PEERDNS=yes
    DEMAND=no
    IDLETIMEOUT=600
    Serial Line Internet Protocol (SLIP) is another dialup interface, although it is used less frequently. SLIP files have interface configuration file names such as ifcfg-sl0. Other options, not already discussed, that may be used in these files include: , where is one of the following: •...
  • Page 128: Interface Control Scripts

    Chapter 8. Network Interfaces • WVDIALSECT=name, where name associates this interface with a dialer configuration in /etc/wvdial.conf. This file contains the phone number to be dialed and other important information for the interface. 8.2.6. Other Interfaces Other common interface configuration files that use these options include the following: —...
  • Page 129: Network Function Files

    Chapter 8. Network Interfaces • ifup-aliases — Configures IP aliases from interface configuration files when more than one IP address is associated with an interface. • ifup-cipcb and ifdown-cipcb — Used to bring Crypto IP Encapsulation (CIPE) interfaces up and down. —...
  • Page 130: Additional Resources

    Chapter 8. Network Interfaces remove tunnels, add and remove IPv6 addresses to an interface, and test for the existence of an IPv6 address on an interface can be found in this file. 8.5. Additional Resources The following are resources which explain more about network interfaces. 8.5.1.
  • Page 131: Network File System (Nfs)

    Chapter 9. Network File System (NFS) A Network File System (NFS) allows remote hosts to mount file systems over a network and interact with those file systems as though they are mounted locally. This enables system administrators to consolidate resources onto centralized servers on the network. This chapter focuses on fundamental NFS concepts and supplemental information.
  • Page 132 Chapter 9. Network File System (NFS) Warning NFS mount privileges are granted to the client host, not the user. Therefore, exported file systems can be accessed by any user on a client host with access permissions. When configuring the NFS shares, be very careful which hosts get read/write permissions (rw). 9.1.1.
  • Page 133: Starting And Stopping Nfs

    Chapter 9. Network File System (NFS) 9.1.2.1. Troubleshooting NFS and portmap Because portmap provides coordination between RPC services and the port numbers used to communicate with them, it is useful to view the status of current RPC services using portmap when troubleshooting.
  • Page 134: Nfs Server Configuration

    Enterprise Linux System Administration Guide for more information regarding these tools. 9.3. NFS Server Configuration There are three ways to configure an NFS server under Red Hat Enterprise Linux: using the NFS Server Configuration Tool (redhat-config-nfs), manually editing its configuration file (/etc/exports), or using the /usr/sbin/exportfs command. For instructions on using NFS Server Configuration Tool, refer to the chapter titled Network File...
  • Page 135 Chapter 9. Network File System (NFS) • single host — Where one particular host is specified with a fully qualified domain name, hostname, or IP address. • wildcards — Where a wildcard character is used to take into account a grouping of fully qualified do-...
  • Page 136 Chapter 9. Network File System (NFS) Each default for every exported file system must be explicitly overridden. For example, if the rw option is not specified, then the exported file system is shared as read-only. The following is a sample line from /etc/exports which overrides two default options:
    /another/exported/directory 192.168.0.3(rw,sync)
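    Because the defaults are only overridden entry by entry, two mistakes in /etc/exports are easy to make and costly: a space between the directory and the parenthesised options exports the directory to every host, and rw combined with no_root_squash lets root on the client write as root on the server. The script below is an added example, not part of the Reference Guide; it parses an exports file and reports both conditions. The sample entries are constructed for this example, apart from the line quoted above.

```shell
#!/bin/sh
# Added example, not from the Reference Guide: review an /etc/exports
# file for entries that hand out more than intended. SAMPLE_EXPORTS is a
# constructed sample (only the first entry comes from the text above).

SAMPLE_EXPORTS='# constructed sample /etc/exports
/another/exported/directory 192.168.0.3(rw,sync)
/home *(rw,no_root_squash)
/pub *(ro,sync)
/srv/data 192.168.0.0/255.255.255.0(rw,sync,no_root_squash)
/opt/tools (ro)'

# audit_exports: read exports lines on stdin and print one line per finding.
# Each host(options) field is split into host and option list. An empty
# host (a space before the parenthesis) or "*" means any host that can
# reach the server may mount the share; rw together with no_root_squash
# means a remote root user is not mapped to nfsnobody and writes as root.
audit_exports() {
    awk '
    /^[ \t]*(#|$)/ { next }                 # comments and blank lines
    {
        dir = $1
        for (i = 2; i <= NF; i++) {
            host = $i; opts = ""
            if (match($i, /\(.*\)$/)) {
                host = substr($i, 1, RSTART - 1)
                opts = substr($i, RSTART + 1, RLENGTH - 2)
            }
            if (host == "" || host == "*")
                printf "ANY-HOST %s is exported to every host (%s)\n", dir, opts
            if (opts ~ /(^|,)rw(,|$)/ && opts ~ /(^|,)no_root_squash(,|$)/)
                printf "REMOTE-ROOT %s %s grants remote root write access\n", dir, host
        }
    }'
}

# count_export_findings: number of findings for the constructed sample.
count_export_findings() {
    printf '%s\n' "$SAMPLE_EXPORTS" | audit_exports | wc -l | tr -d ' '
}

# On a real server run:  audit_exports < /etc/exports
printf '%s\n' "$SAMPLE_EXPORTS" | audit_exports
```

    The first sample entry, taken from the text, produces no finding: it names one host and keeps the default root_squash. Run `audit_exports < /etc/exports` on the server, or feed it the output of `exportfs -v` after normalising, to catch the same problems in the live table.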
  • Page 137: Nfs Client Configuration Files

    Chapter 9. Network File System (NFS) • -o file-systems — Specifies directories to be exported that are not listed in /etc/exports. Replace file-systems with additional file systems to be exported. These file systems must be formatted the same way they are specified in /etc/exports.
  • Page 138 Chapter 9. Network File System (NFS) 9.4.2. autofs One drawback to using /etc/fstab is that, regardless of how infrequently a user accesses the NFS mounted file system, the system must dedicate resources to keep the mounted file system in place. This is not a problem with one or two mounts, but when the system is maintaining mounts to a dozen systems at one time, overall system performance can suffer.
  • Page 139: Securing Nfs

    Chapter 9. Network File System (NFS) This line states that any directory a user tries to access under the local /home/ directory (due to the asterisk character) should result in an NFS mount on the server.example.com system on the mount point ...
  • Page 140: Additional Resources

    Chapter 9. Network File System (NFS) 9.5.1. Host Access NFS controls who can mount an exported file system based on the host making the mount request, not the user that actually uses the file system. Hosts must be given explicit rights to mount the exported file system.
  • Page 141 Chapter 9. Network File System (NFS) information about the NFS implementation for Linux, including a look at various NFS configurations and their impact on file transfer performance. — Contains a comprehensive look at mount options for both NFS server and client •...
  • Page 143: Apache Http Server

    Warning If using the graphical HTTP Configuration Tool (redhat-config-httpd), do not hand edit the Apache HTTP Server’s configuration file as the HTTP Configuration Tool regenerates this file whenever it is used. For more information about the HTTP Configuration Tool, please refer to the chapter titled Apache HTTP Server Configuration in the Red Hat Enterprise Linux System Administration Guide.
  • Page 144: Migrating Apache Http Server 1.3 Configuration Files

    Chapter 10. Apache HTTP Server Multilingual Error Responses — When using Server Side Include (SSI) documents, customizable • error response pages can be delivered in multiple languages. Multiprotocol Support — Multiple protocols are supported. • A more complete list of changes can be found online at http://httpd.apache.org/docs-2.0/. 10.1.2.
  • Page 145 Chapter 10. Apache HTTP Server 10.2. Migrating Apache HTTP Server 1.3 Configuration Files This section is for those migrating an Apache HTTP Server 1.3 configuration file to be utilized by Apache HTTP Server 2.0. If upgrading to Red Hat Enterprise Linux 3 from Red Hat Enterprise Linux 2.1, then the new stock configuration file for the Apache HTTP Server 2.0 package is installed as and the original version 1.3 is not...
  • Page 146 Chapter 10. Apache HTTP Server For more on this topic, refer to the following documentation on the Apache Software Foundation’s website: • http://httpd.apache.org/docs-2.0/mod/mpm_common.html#listen • http://httpd.apache.org/docs-2.0/mod/core.html#servername 10.2.1.2. Server-Pool Size Regulation When the Apache HTTP Server accepts requests, it dispatches child-processes or threads to handle them.
  • Page 147 Chapter 10. Apache HTTP Server Those who do not want to copy the section from the stock Apache HTTP Server 2.0 configuration should note the following: • The AddModule and ClearModuleList directives no longer exist. These directives were used to ensure that modules could be enabled in the correct order. The Apache HTTP Server 2.0 API allows modules to specify their ordering, eliminating the need for these two directives.
  • Page 148 Chapter 10. Apache HTTP Server 10.2.2.1. UserDir Mapping The UserDir directive is used to enable URLs such as http://example.com/~bob/ to map to a subdirectory within the home directory of the user bob, such as /home/bob/public_html/. A side-effect of this feature allows a potential attacker to determine whether a given username is present on the system.
  • Page 149 Chapter 10. Apache HTTP Server 10.2.2.4. Content Negotiation The CacheNegotiatedDocs directive now takes an argument. Existing instances of CacheNegotiatedDocs should be replaced with CacheNegotiatedDocs on. For more on this topic, refer to the following documentation on the Apache Software Foundation’s website: • http://httpd.apache.org/docs-2.0/mod/mod_negotiation.html#cachenegotiateddocs...
  • Page 150 Chapter 10. Apache HTTP Server 10.2.4. Modules and Apache HTTP Server 2.0 In Apache HTTP Server 2.0, the module system has been changed to allow modules to be chained together or combined in new and interesting ways. Common Gateway Interface (CGI) scripts, for example, can generate server-parsed HTML documents which can then be processed by mod_include. This opens up a tremendous number of possibilities with regards to how modules can be combined to...
  • Page 151 Chapter 10. Apache HTTP Server It is also important to note that both the SSLLog and SSLLogLevel directives have been removed. The mod_ssl module now obeys the ErrorLog and LogLevel directives. Refer to Section 10.5.34 ErrorLog and Section 10.5.35 LogLevel for more information about these directives. For more on this topic, refer to the following documentation on the Apache Software Foundation’s...
  • Page 152 Chapter 10. Apache HTTP Server 10.2.4.4. The mod_auth_db and mod_auth_dbm Modules Apache HTTP Server 1.3 supported two authentication modules, mod_auth_db and mod_auth_dbm, which used Berkeley Databases and DBM databases respectively. These modules have been combined into a single module named mod_auth_dbm in Apache HTTP Server 2.0, which can access several different database formats.
  • Page 153 Chapter 10. Apache HTTP Server For more on this topic, refer to the following documentation on the Apache Software Foundation’s website: • http://httpd.apache.org/docs-2.0/mod/mod_auth_dbm.html 10.2.4.5. The mod_perl Module The configuration for mod_perl has been moved from httpd.conf into the file /etc/httpd/conf.d/perl.conf. For this file to be loaded, and hence for mod_perl to work, the...
  • Page 154: After Installation

    Chapter 10. Apache HTTP Server Under Apache HTTP Server 2.0, use the following directives instead:
    <Files *.php>
        SetOutputFilter PHP
        SetInputFilter PHP
    </Files>
    In PHP version 4.2.0 and later the default set of predefined variables which are available in the global scope has changed.
  • Page 155: Starting And Stopping

    Chapter 10. Apache HTTP Server Apache HTTP Secure Server refer to the chapter titled Apache HTTP Secure Server Configuration in the Red Hat Enterprise Linux System Administration Guide. Note Red Hat, Inc. does not ship FrontPage extensions as the Microsoft™ license prohibits the inclusion of these extensions in a third party product.
  • Page 156: Configuration Directives In

    Chapter 10. Apache HTTP Server the Services Configuration Tool program. Refer to the chapter titled Controlling Access to Services in Red Hat Enterprise Linux System Administration Guide for more information regarding these tools. Note If running the Apache HTTP Server as a secure server, the secure server’s password is required after the machine boots when using an encrypted private SSL key.
  • Page 157 Chapter 10. Apache HTTP Server 10.5.3. PidFile PidFile names the file where the server records its process ID (PID). By default the PID is listed in /var/run/httpd.pid. 10.5.4. Timeout Timeout defines, in seconds, the amount of time that the server waits for receipts and transmissions during communications.
  • Page 158 Chapter 10. Apache HTTP Server By default, Apache HTTP Server 2.0 defines the server-pool for both the prefork and worker MPMs. The following is a list of directives found within the MPM-specific server-pool containers. 10.5.9.1. StartServers StartServers sets how many server processes are created upon startup. Since the Web server dynamically kills and creates server processes based on traffic load, it is not necessary to change this parameter.
  • Page 159 Chapter 10. Apache HTTP Server 10.5.9.6. ThreadsPerChild This value is only used with the worker MPM. It sets the number of threads within each child process. The default value for this directive is
    10.5.10. Listen The Listen command identifies the ports on which the Web server accepts incoming requests. By default, the Apache HTTP Server is set to listen to port 80 for non-secure Web communications and (in the...
  • Page 160 Chapter 10. Apache HTTP Server 10.5.14. IfDefine IfDefine tags surround configuration directives that are applied if the "test" stated in the IfDefine tag is true. The directives are ignored if the test is false. The test in the IfDefine tags is a parameter name.
  • Page 161 Chapter 10. Apache HTTP Server When specifying a ServerName, be sure the IP address and server name pair are included in the /etc/hosts file. 10.5.19. UseCanonicalName When set to on, this directive configures the Apache HTTP Server to reference itself using the value specified in the ServerName and Port directives.
  • Page 162 Chapter 10. Apache HTTP Server For this to work, permissions for CGI scripts, and the entire path to the scripts, must be set to 0755. 10.5.22. Options The Options directive controls which server features are available in a particular directory. For example, under the restrictive parameters specified for the root directory, Options is set to only...
  • Page 163 Chapter 10. Apache HTTP Server The name for the subdirectory is set to public_html in the default configuration. For example, the server might receive the following request:
    http://example.com/~username/foo.html
    The server would look for the file:
    /home/username/public_html/foo.html
    In the above example, /home/username/ is the user’s home directory (note that the default path to users’...
  • Page 164 Chapter 10. Apache HTTP Server 10.5.32. DefaultType DefaultType sets a default content type for the Web server to use for documents whose MIME types cannot be determined. The default is text/plain. 10.5.33. HostnameLookups HostnameLookups can be set to on, off, or double. If HostnameLookups is set to on, the server au-...
  • Page 165 Chapter 10. Apache HTTP Server
    (request string) Lists the request string exactly as it came from the browser or client.
    (status) Lists the HTTP status code which was returned to the client host.
    (bytes) Lists the size of the document.
    %\"%{Referer}i\" (referrer)...
  • Page 166 Chapter 10. Apache HTTP Server 10.5.41. Redirect When a webpage is moved, Redirect can be used to map the file location to a new URL. The format is as follows:
    Redirect /old-path/file-name http://current-domain/current-path/file-name
    In this example, replace old-path with the old path information for...
  • Page 167 Chapter 10. Apache HTTP Server 10.5.45. AddIcon AddIcon specifies which icon to show in server generated directory listings for files with certain extensions. For example, the Web server is set to show the icon binary.gif for files with .bin or .exe extensions. 10.5.46.
  • Page 168 Chapter 10. Apache HTTP Server 10.5.53. LanguagePriority LanguagePriority sets precedence for different languages in case the client Web browser has no language preference set. 10.5.54. AddType Use the AddType directive to define or override a default MIME type and file extension pairs. The following example directive tells the Apache HTTP Server to recognize the file extension:...
  • Page 169 Chapter 10. Apache HTTP Server 10.5.59. Location <Location> and </Location> tags create a container in which access control based on URL can be specified. For instance, to allow people connecting from within the server’s domain to see status reports, use the following directives:
    <Location /server-status>
        SetHandler server-status...
  • Page 170 Chapter 10. Apache HTTP Server — Specifies whether the cache is a disk, memory, or file descriptor cache. By default • CacheEnable configures a disk cache for URLs at or below CacheEnable — Specifies the name of the directory containing cached files. The default •...
  • Page 171: Default Modules

    Chapter 10. Apache HTTP Server 10.5.66. Configuration Directives for SSL The directives in the /etc/httpd/conf.d/ssl.conf file can be configured to enable secure Web communications using SSL and TLS. 10.5.66.1. SetEnvIf SetEnvIf sets environment variables based on the headers of incoming connections. It is not solely an SSL directive, though it is present in the supplied /etc/httpd/conf.d/ssl.conf file.
  • Page 172: Adding Modules

    Chapter 10. Apache HTTP Server mod_dav_fs.so mod_vhost_alias.so mod_negotiation.so mod_dir.so mod_imap.so mod_actions.so mod_speling.so mod_userdir.so mod_alias.so mod_rewrite.so mod_proxy.so mod_proxy_ftp.so mod_proxy_http.so mod_proxy_connect.so mod_cache.so mod_disk_cache.so mod_file_cache.so mod_mem_cache.so mod_cgi.so Additionally, the following modules are available by installing additional packages: mod_auth_mysql mod_auth_pgsql mod_perl mod_python mod_ssl 10.7. Adding Modules The Apache HTTP Server supports Dynamically Shared Objects (DSOs) or modules, which can easily be loaded at runtime as necessary.
  • Page 173: Virtual Hosts

    Chapter 10. Apache HTTP Server In the above example, change module-name to the name of the module and path/to/module.so to the path to the DSO. 10.8. Virtual Hosts The Apache HTTP Server’s built in virtual hosting allows the server to serve different information based on which IP address, hostname, or port is being requested.
  • Page 174: Additional Resources

    Chapter 10. Apache HTTP Server One aspect of SSL enhanced HTTP transmissions is that they are more resource intensive than the standard HTTP protocol, so a secure server cannot serve as many pages per second. For this reason it is often a good idea to minimize the information available from the secure server, especially on a high traffic Web site.
  • Page 175 Chapter 10. Apache HTTP Server Professional Apache by Peter Wainwright; Wrox Press Ltd — Professional Apache is from Wrox • Press Ltd’s "Programmer to Programmer" series and is aimed at both experienced and novice Web server administrators. Administering Apache by Mark Allan Arnold; Osborne Media Group — This book is targeted at •...
  • Page 177: Email

    Chapter 11. Email The birth of electronic mail (email) occurred in the early 1960s. The mailbox was a file in a user’s home directory that was readable only by that user. Primitive mail applications appended new text messages to the bottom of the file, meaning the user had to wade through the constantly growing file to find any particular message.
  • Page 178 Chapter 11. Email 11.1.2. Mail Access Protocols There are two primary protocols used by email client applications to retrieve email from mail servers: the Post Office Protocol (POP) and the Internet Message Access Protocol (IMAP). Unlike SMTP, both of these protocols require connecting clients to authenticate using a username and password.
  • Page 179: Email Program Classifications

    Chapter 11. Email For added security, it is possible to use SSL encryption for client authentication and data transfer sessions. This can be enabled by using the imaps service, or by using the /usr/sbin/stunnel program. Refer to Section 11.5.1 Securing Communication for more information. Other free, as well as commercial, IMAP clients and servers are available, many of which extend the IMAP protocol and provide additional functionality.
  • Page 180: Mail Transport Agents

    Chapter 11. Email 11.2.3. Mail User Agent A Mail User Agent (MUA) is synonymous with an email client application. An MUA is a program that, at the very least, allows a user to read and compose email messages. Many MUAs are capable of retrieving messages via the POP or IMAP protocols, setting up mailboxes to store messages, and sending outbound messages to an MTA.
  • Page 181 Chapter 11. Email Sendmail’s lengthy and detailed configuration file is /etc/mail/sendmail.cf. Avoid editing the sendmail.cf file directly. Instead, to make configuration changes to Sendmail, edit the /etc/mail/sendmail.mc file, back up the original /etc/mail/sendmail.cf, and then use the included macro processor to create a new /etc/mail/sendmail.cf.
  • Page 182 Chapter 11. Email After creating a new /etc/mail/sendmail.cf file, restart Sendmail for the changes to take effect. The easiest way to do this is to type the following command:
    /sbin/service sendmail restart
    Important The default sendmail.cf file does not allow Sendmail to accept network connections from any host other than the local computer.
  • Page 183 Chapter 11. Email Sendmail makes it relatively easy to block new spamming techniques being employed to send junk email. It even blocks many of the more usual spamming methods by default. For example, forwarding of SMTP messages, also called relaying, has been disabled by default since Sendmail version 8.9.
  • Page 184 Chapter 11. Email Note This is only for a very basic configuration of Sendmail with LDAP. The configuration can differ greatly from this depending on the implementation of LDAP, especially when configuring several Sendmail machines to use a common LDAP server. Consult /usr/share/sendmail-cf/README for detailed LDAP routing configuration instructions and...
  • Page 185 Chapter 11. Email • transport — Maps email addresses to relay hosts. Important The default /etc/postfix/main.cf file does not allow Postfix to accept network connections from a host other than the local computer. For instructions on configuring Postfix as a server for other clients, refer to Section 11.3.2.2 Basic Postfix Configuration.
  • Page 186 Chapter 11. Email Using preferences in the .fetchmailrc file, Fetchmail checks for email on a remote server and downloads it. It then delivers it to port 25 on the local machine, using the local MTA to place the email in the correct user’s spool file. If Procmail is available, it is launched to filter the email and place it in a mailbox so that it can be read by an MUA.
  • Page 187 Chapter 11. Email Note Users are not required to place their password in the .fetchmailrc file. Omitting the with password ’password’ section causes Fetchmail to ask for a password when it is launched. Fetchmail has numerous global, server, and local options. Many of these options are rarely used or only apply to very specific situations.
  • Page 188 Chapter 11. Email • flush — Deletes all previously viewed messages in the queue before retrieving new messages. • limit max-number-bytes — Replace max-number-bytes with the maximum size in bytes that messages are allowed to be when retrieved by Fetchmail. This option is useful with slow network links, when a large message takes too long to download.
  • Page 189: Mail Delivery Agents

    Chapter 11. Email • --quit — Quits the Fetchmail daemon process. More commands and .fetchmailrc options can be found in the fetchmail man page. 11.4. Mail Delivery Agents Red Hat Enterprise Linux includes two primary MDAs, Procmail and mail. Both of the applications are considered Local Delivery Agents and both move email from the MTA’s spool file into the user’s mailbox.
  • Page 190 Chapter 11. Email as blocking spam and managing email lists, that can then be turned off or on by using comment characters in the user’s .procmailrc file. For example, lines in a user’s .procmailrc file may look like this:
    MAILDIR=$HOME/Msgs
    INCLUDERC=$MAILDIR/lists.rc
    INCLUDERC=$MAILDIR/spam.rc
    If the user wants to turn off Procmail filtering of their email lists but leave spam control in place,...
  • Page 191 Chapter 11. Email The first two characters in a Procmail recipe are a colon and a zero. Various flags can be placed after the zero to control how Procmail processes the recipe. A colon after the flags section specifies that a lockfile is created for this message. If a lockfile is created, the name can be specified by replacing lockfile-name. A recipe can contain several conditions to match against the message.
  • Page 192 Chapter 11. Email — Uses the pipe as a filter. • — Parses the header of the message and looks for matching conditions. This occurs by default. • — Uses the header in a resulting action. This is the default behavior. •...
  • Page 193 Chapter 11. Email recipes and useful sample Procmail recipes can be found at various places on the Internet (such as http://www.iki.fi/era/procmail/links.html). The proper use and adaptation of regular expressions can be derived by viewing these recipe examples. In addition, introductory information about basic regular expression rules can be found in the man page.
  • Page 194: Mail User Agents

    Services Configuration Tool (redhat-config-services), to turn on the spamassassin service. Refer to Section 1.4.2 Runlevel Utilities for more information about initscript utilities. To configure Procmail to use the SpamAssassin client application instead of the Perl script, place the following line near the top of the file.
  • Page 195 Chapter 11. Email The remainder of this section focuses on securing communication between the client and server. 11.5.1. Securing Communication Popular MUAs included with Red Hat Enterprise Linux, such as Mozilla Mail, Ximian Evolution, and mutt, offer SSL-encrypted email sessions. Like any other service that flows over a network unencrypted, important email information, such as usernames, passwords, and entire messages, may be intercepted and viewed by users on the network.
  • Page 196: Additional Resources

    Chapter 11. Email Important: Please be sure to remove the default imapd.pem and ipop3d.pem files before issuing each make command. Once finished, execute the /sbin/service xinetd restart command to restart the xinetd daemon, which controls imapd and ipop3d. Alternatively, the stunnel command can be used as an SSL encryption wrapper around the standard, non-secure daemons, imapd...
  • Page 197 • ... overview of how email works, and examines possible email solutions and configurations on the client and server sides. • http://www.redhat.com/mirrors/LDP/HOWTO/Mail-User-HOWTO/ — Looks at email from the user’s perspective, investigates various popular email client applications and gives an introduction to topics such as aliases, forwarding, auto-replying, mailing lists, mail filters, and spam.
  • Page 198 Chapter 11. Email 11.6.3. Related Books • Sendmail by Bryan Costales with Eric Allman et al; O’Reilly & Associates — A good Sendmail reference written with the assistance of the original creator of Delivermail and Sendmail. • Removing the Spam: Email Processing and Filtering by Geoff Mulligan; Addison-Wesley Pub-...
  • Page 199: Berkeley Internet Name Domain (Bind)

    For instructions on configuring BIND using the graphical Domain Name Service Configuration Tool (redhat-config-bind), refer to the chapter called BIND Configuration in the Red Hat Enterprise Linux System Administration Guide. Warning: If using the Domain Name Service Configuration Tool, do not manually edit any BIND configuration files as all changes will be overwritten the next time the Domain Name Service Configuration Tool...
  • Page 200 Chapter 12. Berkeley Internet Name Domain (BIND) When looking at how an FQDN is resolved to find the IP address that relates to a particular system, read the name from right to left, with each level of the hierarchy divided by periods (.).
  • Page 201: Etc/Named.conf

    Chapter 12. Berkeley Internet Name Domain (BIND) 12.2. /etc/named.conf The named.conf file is a collection of statements using nested options surrounded by opening and closing ellipse characters. Administrators must be careful when editing named.conf to avoid syntactical errors as many seemingly minor errors will prevent the service from starting.
  • Page 202 Chapter 12. Berkeley Internet Name Domain (BIND) • localnets — Matches any IP address on any network to which the local system is connected. • none — Matches no IP addresses. When used in conjunction with other statements (such as the options statement), statements...
  • Page 203 Chapter 12. Berkeley Internet Name Domain (BIND) • allow-query — Specifies which hosts are allowed to query this nameserver. By default, all hosts are allowed to query. An access control list, or collection of IP addresses or networks, may be used here to only allow particular hosts to query the nameserver.
  • Page 204 Chapter 12. Berkeley Internet Name Domain (BIND) 12.2.1.4. zone Statement A zone statement defines the characteristics of a zone such as the location of its configuration file and zone-specific options. This statement can be used to override the global options statements. A zone statement takes the following form: zone...
  • Page 205 Chapter 12. Berkeley Internet Name Domain (BIND) • master — Designates the nameserver as authoritative for this zone. A zone should be set as the master if the zone’s configuration files reside on the system. • slave — Designates the nameserver as a slave server for this zone. Also specifies the IP address...
  • Page 206 Chapter 12. Berkeley Internet Name Domain (BIND) • key "key-name" — Defines a particular key by name. Keys are used to authenticate various actions, such as secure updates or the use of the rndc command. Two options are used with —...
  • Page 207: Zone Files

    Chapter 12. Berkeley Internet Name Domain (BIND) 12.3. Zone Files Zone files contain information about a namespace and are stored in the named working directory, /var/named/, by default. Each zone file is named according to the file option data in the zone...
  • Page 208 Chapter 12. Berkeley Internet Name Domain (BIND) Consider the following record examples for the example.com zone file: 10.0.1.3 server1 10.0.1.5 Requests for example.com are pointed to 10.0.1.3, while requests for server1.example.com are pointed to 10.0.1.5. • — Canonical name record, maps one name to another. This type of record is also known as...
  • Page 209 Chapter 12. Berkeley Internet Name Domain (BIND) The symbol places the $ORIGIN directive (or the zone’s name, if the $ORIGIN directive is not set) as the namespace being defined by this resource record. The hostname of the primary nameserver that is authoritative for this domain is the primary-name-server directive, and the email of the person to contact about this namespace is the...
  • Page 210 Chapter 12. Berkeley Internet Name Domain (BIND) 12.3.3. Example Zone File Seen individually, directives and resource records can be difficult to grasp. However, when placed together in a single file, they become easier to understand. The following example shows a very basic zone file. $ORIGIN example.com $TTL 86400 dns1.example.com.
  • Page 211: Rndc

    Chapter 12. Berkeley Internet Name Domain (BIND) $ORIGIN 1.0.10.in-addr.arpa $TTL 86400 dns1.example.com. hostmaster.example.com. ( 2001062501 ; serial 21600 ; refresh after 6 hours 3600 ; retry after 1 hour 604800 ; expire after 1 week 86400 ) ; minimum TTL of 1 day dns1.example.com.
  • Page 212 Chapter 12. Berkeley Internet Name Domain (BIND) key "key-name" { algorithm hmac-md5; secret "key-value"; In this case, the key-value uses the HMAC-MD5 algorithm. Use the following command to generate keys using the HMAC-MD5 algorithm: dnssec-keygen -a hmac-md5 -b bit-length -n HOST key-file-name...
  • Page 213: Advanced Features Of Bind

    Chapter 12. Berkeley Internet Name Domain (BIND) Caution: Make sure that only the root user can read or write to the /etc/rndc.conf file. For more information about the /etc/rndc.conf file, see the rndc.conf man page. 12.4.3. Command Line Options An rndc command takes the following form: rndc options...
  • Page 214 Chapter 12. Berkeley Internet Name Domain (BIND) Caution: Some of these advanced features, such as DNSSEC, TSIG, and IXFR, should only be used in network environments with nameservers that support the features. If the network environment includes non-BIND or older BIND nameservers, verify that each advanced feature is supported before attempting to use it.
  • Page 215: Common Mistakes To Avoid

    Chapter 12. Berkeley Internet Name Domain (BIND) 12.5.4. IP version 6 BIND version 9 supports name service in IP version 6 (IPv6) environments through the use of zone records. If the network environment includes both IPv4 and IPv6 hosts, use the lwresd lightweight resolver daemon on all network clients.
  • Page 216 Chapter 12. Berkeley Internet Name Domain (BIND) • /usr/share/doc/bind-version-number/draft/ directory — Contains assorted technical documents that review issues related to DNS service and some methods proposed to address them. Replace version-number with the version of bind installed on the system. • directory —...
  • Page 217 Chapter 12. Berkeley Internet Name Domain (BIND) • http://www.redhat.com/mirrors/LDP/HOWTO/DNS-HOWTO.html — Covers the use of BIND as a resolving, caching nameserver or the configuration of various zone files necessary to serve as the primary nameserver for a domain. 12.7.3. Related Books • Red Hat Enterprise Linux System Administration Guide —...
  • Page 218 Chapter 12. Berkeley Internet Name Domain (BIND)
  • Page 219: Lightweight Directory Access Protocol (Ldap)

    Chapter 13. Lightweight Directory Access Protocol (LDAP) Lightweight Directory Access Protocol (LDAP) is a set of open protocols used to access centrally stored information over a network. It is based on the X.500 standard for directory sharing, but is less complex and resource intensive.
  • Page 220: Ldap Terminology

    Chapter 13. Lightweight Directory Access Protocol (LDAP) • LDIFv1 Support — Provides full compliance with the LDAP Data Interchange Format (LDIF) version 1. • Enhanced Stand-Alone LDAP Server — Includes an updated access control system, thread pooling, better tools, and much more. 13.2.
  • Page 221 Chapter 13. Lightweight Directory Access Protocol (LDAP) There are two servers contained in the openldap-servers package: the Standalone LDAP Daemon (/usr/sbin/slapd) and the Standalone LDAP Update Replication Daemon (/usr/sbin/slurpd). The slapd daemon is the standalone LDAP server while the slurpd daemon is used to synchronize changes from one LDAP server to other LDAP servers on the network.
  • Page 222 Chapter 13. Lightweight Directory Access Protocol (LDAP) 13.3.1. NSS, PAM, and LDAP In addition to the OpenLDAP packages, Red Hat Enterprise Linux includes a package called nss_ldap, which enhances LDAP’s ability to integrate into both Linux and other UNIX environments.
  • Page 223: Openldap Configuration Files

    Chapter 13. Lightweight Directory Access Protocol (LDAP) 13.4. OpenLDAP Configuration Files OpenLDAP configuration files are installed into the /etc/openldap/ directory. The following is a brief list highlighting the most important directories and files: • — This is the configuration file for all client applications which...
  • Page 224: Openldap Setup Overview

    URLs: • http://www.openldap.org/doc/admin/quickstart.html — The Quick-Start Guide on the OpenLDAP website. • http://www.redhat.com/mirrors/LDP/HOWTO/LDAP-HOWTO.html — The LDAP Linux HOWTO from the Linux Documentation Project, mirrored on Red Hat’s website. The basic steps for creating an LDAP server are as follows: 1.
  • Page 225: Configuring A System To Authenticate Using Openldap

    Chapter 13. Lightweight Directory Access Protocol (LDAP) When populating an LDAP directory over a network, change the rootpw line — replacing the default value with an encrypted password string. To create an encrypted password string, type the following command: slappasswd When prompted, type and then re-type a password.
  • Page 226 Chapter 13. Lightweight Directory Access Protocol (LDAP) • Edit the Configuration Files On the server, edit the /etc/openldap/slapd.conf file on the LDAP server to make sure it matches the specifics of the organization. Refer to Section 13.6.1 Editing slapd.conf for instructions about editing /etc/openldap/slapd.conf. On the client machines, both...
  • Page 227: Migrating Directories From Earlier Releases

    Chapter 13. Lightweight Directory Access Protocol (LDAP) The job of migrating a user database into a format that is LDAP readable falls to a group of migration scripts installed in the same directory. Using Table 13-1, decide which script to run to migrate the user database.
  • Page 228: Additional Resources

    Chapter 13. Lightweight Directory Access Protocol (LDAP) 13.8.1. Migrating 1.x Directories Beginning with Red Hat Linux 7.1, the on-disk storage format used by the slapd LDAP server changed to gdbm. If upgrading an LDAP directory from a system that ran Red Hat Linux 7 or earlier, it is necessary to extract the existing LDAP directories to an LDIF file using the following command: ldbmcat -n ldif_file...
  • Page 229 13.9.2. Useful Websites • http://www.openldap.org/ — Home of the OpenLDAP Project. This website contains a wealth of information about configuring OpenLDAP. • http://www.redhat.com/mirrors/LDP/HOWTO/LDAP-HOWTO.html — An older, but still relevant LDAP HOWTO. • http://www.padl.com/ — Developers of , among other useful LDAP...
  • Page 230 Chapter 13. Lightweight Directory Access Protocol (LDAP) 13.9.3. Related Books • Implementing LDAP by Mark Wilcox; Wrox Press, Inc. • Understanding and Deploying LDAP Directory Services by Tim Howes et al.; Macmillan Technical Publishing...
  • Page 231: Ftp

    Chapter 14. File Transfer Protocol (FTP) is one of the oldest and most commonly used protocols found on the Internet today. Its purpose is to reliably transfer files between computer hosts on a network without requiring the user to log directly into the remote host or have knowledge of how to use the remote system.
  • Page 232: Ftp Servers

    FTP server. For more information about configuring and administering Red Hat Content Accelerator, consult the documentation available online at http://www.redhat.com/docs/manuals/tux/. • — a fast, secure FTP daemon which is the preferred FTP server for Red Hat Enterprise...
  • Page 233: Files Installed With

    Chapter 14. FTP 14.3. Files Installed with vsftpd The vsftpd RPM installs the daemon (/usr/sbin/vsftpd), its configuration and related files, as well as FTP directories onto the system. The following is a list of the files and directories most often considered when configuring vsftpd: • —...
  • Page 234: Vsftpd Configuration Options

    Red Hat Enterprise Linux System Administration Guide for instructions about using the Domain Name Service Configuration Tool (redhat-config-bind). For information about BIND and its configuration files, refer to Chapter 12 Berkeley Internet Name Domain (BIND). To answer requests on different IP addresses, multiple copies of the vsftpd daemon must be running.
  • Page 235 Chapter 14. FTP All configuration of vsftpd is handled by its configuration file, /etc/vsftpd/vsftpd.conf. Each directive is on its own line within the file and follows the following format: directive = value For each directive, replace directive with a valid directive and value with a valid value.
  • Page 236 Chapter 14. FTP • banned_email_file — If the deny_email_enable directive is set to , this directive specifies the file containing a list of anonymous email passwords which are not permitted access to the server. The default value is /etc/vsftpd.banned_emails —...
  • Page 237 Chapter 14. FTP 14.5.3. Anonymous User Options The following is a list of directives which control anonymous user access to the server. To use these options, the anonymous_enable directive must be set to . • — When enabled in conjunction with the directive, •...
  • Page 238 Chapter 14. FTP Warning: Using this configuration opens up a number of security issues, especially for users with upload privileges. For this reason, it is not recommended. • — When enabled, all non-anonymous users are logged in as the user , which...
  • Page 239 Chapter 14. FTP 14.5.6. File Transfer Options The following is a list of directives which affect directories. • download_enable — When enabled, file downloads are permitted. The default value is . • — When enabled, all files uploaded by anonymous users are owned by the user ...
  • Page 240 Chapter 14. FTP • xferlog_file — Specifies the wu-ftpd-compatible log file. For this file to be used, xferlog_enable must be enabled and xferlog_std_format must be set to . It is also used if dual_log_enable is set to . The default value is /var/log/xferlog. —...
  • Page 241 Chapter 14. FTP The default value is . • listen_address — Specifies the IP address on which vsftpd listens for network connections. There is no default value for this directive. If running multiple copies of vsftpd serving different IP addresses, the configuration file for each copy of the daemon must have a different value for this directive.
  • Page 242: Additional Resources

    Chapter 14. FTP • pasv_promiscuous — When enabled, data connections are not checked to make sure they are originating from the same IP address. This setting is only useful for certain types of tunneling. Caution: Do not enable this option unless absolutely necessary as it disables an important security feature which verifies that passive mode connections originate from the same IP address as the control connection that initiates the data transfer.
  • Page 243 Chapter 14. FTP • http://slacksite.com/other/ftp.html — This website provides a concise explanation of the differences between active and passive mode FTP. • http://war.jgaa.com/ftp/?cmd=rfc — A comprehensive list of Request for Comments (RFCs) related to the FTP protocol. 14.6.3. Related Books • Red Hat Enterprise Linux Security Guide;...
  • Page 244 Chapter 14. FTP...
  • Page 245: Security Reference

    III. Security Reference Using secure protocols is a critical part of maintaining system integrity. This part describes critical tools used for the purpose of user authentication, network access control, and secure network communication. For more information about securing a Red Hat Enterprise Linux system, refer to the Red Hat Enterprise Linux Security Guide.
  • Page 247: Pluggable Authentication Modules (Pam)

    Chapter 15. Pluggable Authentication Modules (PAM) Programs which grant users access to a system verify each user’s identity through a process called authentication. Historically, each such program had its own way of performing the task of authentication. Under Red Hat Enterprise Linux, many such programs are configured to use a centralized authentication mechanism called Pluggable Authentication Modules or PAM.
  • Page 248 Chapter 15. Pluggable Authentication Modules (PAM) 15.3.1. Module Interface There are four types of PAM module interfaces which correlate to different aspects of the authorization process: • — This module interface authenticates the user. For example, it asks for and verifies the valid-...
  • Page 249 Chapter 15. Pluggable Authentication Modules (PAM) 15.3.2. Control Flag All PAM modules generate a success or failure result when called. Control flags tell PAM what to do with the result. Since modules can be stacked in a particular order, control flags decide how important the success or failure of a particular module is to the overall goal of authenticating the user to the service.
  • Page 250: Sample Pam Configuration Files

    Chapter 15. Pluggable Authentication Modules (PAM) In the previous example, replace path-to-file with the full path to the Berkeley DB database file. Invalid arguments are ignored and do not otherwise affect the success or failure of the PAM module. However, most modules will report an error to the file.
  • Page 251 Chapter 15. Pluggable Authentication Modules (PAM) If a password has expired, the password component of the pam_cracklib.so module prompts for a new password. It then tests the newly created password to see whether it can easily be determined by a dictionary-based password cracking program. If it fails this test the first time, it gives the user two more chances to create a strong password, as specified in the argument.
  • Page 252: Creating Pam Modules

    Chapter 15. Pluggable Authentication Modules (PAM) The pam_rhosts_auth.so module authenticates the user using .rhosts in the user’s home directory. If this succeeds, PAM immediately considers the authentication to have succeeded. If pam_rhosts_auth.so fails to authenticate the user, the authentication attempt is ignored. auth required...
  • Page 253: Pam And Device Ownership

    Chapter 15. Pluggable Authentication Modules (PAM) 15.6.1. Removing the Timestamp File It is recommended that before walking away from a console where a PAM timestamp is active, the timestamp file be destroyed. To do this from within a graphical environment, click on the authentication icon on the panel.
  • Page 254 Chapter 15. Pluggable Authentication Modules (PAM) 15.7.1. Device Ownership When a user logs into a Red Hat Enterprise Linux system, the pam_console.so module is called by login or the graphical login programs, gdm and kdm. If this user is the first user to log in at the physical console —...
  • Page 255: Additional Resources

    Chapter 15. Pluggable Authentication Modules (PAM) 15.8. Additional Resources The following resources further explain methods to use and configure PAM. In addition to these resources, read the PAM configuration files on the system to better understand how they are structured. 15.8.1.
  • Page 256 Chapter 15. Pluggable Authentication Modules (PAM)
  • Page 257: Tcp Wrappers

    Chapter 16. TCP Wrappers and xinetd Controlling access to network services is one of the most important security tasks facing a server administrator. Fortunately, under Red Hat Enterprise Linux there are a number of tools which do just that. For instance, an iptables-based firewall filters out unwelcome network packets within the kernel’s network stack.
  • Page 258: Tcp Wrappers Configuration Files

    Chapter 16. TCP Wrappers and xinetd 16.1. TCP Wrappers The TCP wrappers package (tcp_wrappers) is installed by default and provides host-based access control to network services. The most important component within the package is the /usr/lib/libwrap.a library. In general terms, a TCP wrapped service is one that has been compiled against the library.
  • Page 259 Chapter 16. TCP Wrappers and xinetd 1. References /etc/hosts.allow. — The TCP wrapped service sequentially parses the /etc/hosts.allow file and applies the first rule specified for that service. If it finds a matching rule, it allows the connection. If not, it moves on to step 2. 2.
  • Page 260 Chapter 16. TCP Wrappers and xinetd vsftpd : .example.com This rule instructs TCP wrappers to watch for connections to the FTP daemon (vsftpd) from any host in the example.com domain. If this rule appears in hosts.allow, the connection is accepted. If this rule appears in...
  • Page 261 Chapter 16. TCP Wrappers and xinetd • IP address ending with a period (.) — Placing a period at the end of an IP address matches all hosts sharing the initial numeric groups of an IP address. The following example applies to any host within the 192.168.x.x network:...
  • Page 262 Chapter 16. TCP Wrappers and xinetd 16.2.1.4. Operators At present, access control rules accept one operator, EXCEPT. It can be used in both the daemon list and the client list of a rule. The EXCEPT operator allows specific exceptions to broader matches within the same rule. In the following example from a file, all...
  • Page 263 Chapter 16. TCP Wrappers and xinetd Note: In practice, this example does not work until the syslog daemon (syslogd) is configured to log to the local0 facility. Refer to the syslog.conf man page for information about configuring custom log facilities.
  • Page 264 Chapter 16. TCP Wrappers and xinetd • — Supplies a variety of client information, such as the username and hostname, or the username and IP address. • — Supplies the daemon process name. • — Supplies the client’s hostname (or IP address, if the hostname is unavailable). •...
  • Page 265: Xinetd Xinetd

    Chapter 16. TCP Wrappers and xinetd connection is established, xinetd does not interfere further with communication between the client host and the server. 16.4. xinetd Configuration Files The configuration files for xinetd are as follows: • — The global configuration file. •...
  • Page 266 Chapter 16. TCP Wrappers and xinetd 16.4.2. The /etc/xinetd.d/ Directory The files in the /etc/xinetd.d/ directory contain the configuration files for each service managed by xinetd, and the names of the files correlate to the service. As with xinetd.conf, this file is read only when the...
  • Page 267 Chapter 16. TCP Wrappers and xinetd • HOST — Logs the remote host’s IP address (log_on_failure and log_on_success). • — Logs the process ID of the server receiving the request (log_on_success). • — Logs the remote user using the method defined in RFC 1413 for all multi-threaded...
  • Page 268 Chapter 16. TCP Wrappers and xinetd In this example, when a client system from the 10.0.1.0/24 network, such as 10.0.1.2, tries to access the Telnet service, it receives the following message: Connection closed by foreign host. In addition, their login attempts are logged in /var/log/secure as follows: May 15 17:38:49 boo xinetd[16252]: START: telnet pid=16256 from=10.0.1.2...
  • Page 269: Additional Resources

    Chapter 16. TCP Wrappers and xinetd But the advantages of the bind and redirect options are most clearly evident when they are used together. By binding a service to a particular IP address on a system and then redirecting requests for this service to a second machine that only the first machine can see, an internal system can be used to provide services for a totally different network.
  • Page 270 Chapter 16. TCP Wrappers and xinetd 16.5. Additional Resources Additional information concerning TCP wrappers and xinetd is available from system documentation and on the Internet. 16.5.1. Installed Documentation The bundled documentation on your system is a good place to start looking for additional TCP Wrappers, xinetd, and access control configuration options.
  • Page 271: Iptables

    Chapter 17. iptables Installed with Red Hat Enterprise Linux are advanced tools for network packet filtering — the process of controlling network packets as they enter, move through, and exit the network stack within the kernel. Pre-2.4 kernels relied on ipchains for packet filtering and used lists of rules applied to packets at each step of the filtering process.
  • Page 272: Differences Between

    Chapter 17. iptables • FORWARD — Applies to network packets routed through the host. The built-in chains for the table are as follows: • PREROUTING — Alters network packets when they arrive. • OUTPUT — Alters locally-generated network packets before they are sent out. •...
  • Page 273: Options Used Within

    Chapter 17. iptables • Order matters when placing options in a rule. Previously, with ipchains, the order of the rule options did not matter. The iptables command uses stricter syntax. For example, in iptables commands the protocol (ICMP, TCP, or UDP) must be specified before the source or destination ports.
  • Page 274 Chapter 17. iptables 17.3.2. Command Options Command options instruct iptables to perform a specific action. Only one command option is allowed per iptables command. With the exception of the help command, all commands are written in upper-case characters. iptables commands are as follows: —...
  • Page 275 Chapter 17. iptables • — Sets the destination hostname, IP address, or network of a packet that matches the rule. When matching a network, the following IP address/netmask formats are supported: • N.N.N.N/M.M.M.M — Where N.N.N.N is the IP address range and M.M.M.M is the netmask. •...
  • Page 276 Chapter 17. iptables and aliases of network services and the port numbers they use, view the /etc/services file. The --destination-port match option is synonymous with --dport. To specify a specific range of port numbers, separate the two numbers with a colon (:), such as .
  • Page 277 Chapter 17. iptables 17.3.4.3. ICMP Protocol The following match options are available for the Internet Control Message Protocol (ICMP) (icmp): • — Sets the name or number of the ICMP type to match with the rule. A list of valid...
  • Page 278 Chapter 17. iptables • --mac-source — Matches a MAC address of the network interface card that sent the packet. To exclude a MAC address from a rule, place an exclamation point (!) after the --mac-source match option. To view other match options available through modules, refer to the man page.
  • Page 279: Rules

    Chapter 17. iptables The REJECT target accepts --reject-with type (where type is the rejection type), allowing more detailed information to be sent back with the error packet. The port-unreachable message is the default error given if no other option is used. For a full list of type options, refer to the...
  • Page 280: Saving

    • Security Level Configuration Tool (redhat-config-securitylevel) — A graphical interface for creating, activating, and saving basic firewall rules. For more information about how to use this tool, refer to the chapter titled Basic Firewall Configuration in the Red Hat Enterprise Linux System Administration Guide.
  • Page 281: Additional Resources

    Chapter 17. iptables 17.5.1. iptables Control Scripts Configuration File The behavior of the iptables initscripts is controlled by the /etc/sysconfig/iptables-config configuration file. The following is a list of directives contained within this file: • — Specifies a space-separated list of additional modules to load...
  • Page 282 Linux kernel, plus an introduction to constructing basic iptables commands. • http://www.redhat.com/support/resources/networking/firewall.html — This webpage links to a variety of up-to-date packet filter resources. • Red Hat Enterprise Linux Security Guide; Red Hat, Inc. — Contains a chapter about the role of...
  • Page 283: Kerberos

    Chapter 18. Kerberos System security and integrity within a network can be unwieldy. It can occupy the time of several administrators just to keep track of what services are being run on a network and the manner in which these services are used. Moreover, authenticating users to network services can prove dangerous when the method used by the protocol is inherently insecure, as evidenced by the transfer of unencrypted passwords over a network under the FTP and Telnet protocols.
  • Page 284: Kerberos Terminology

    Chapter 18. Kerberos • Kerberos assumes that each user is trusted and is using an untrusted host on an untrusted network. Its primary goal is to prevent unencrypted passwords from being sent across that network. However, if anyone other than the proper user has access to the one host that issues tickets used for authentication —...
  • Page 285 Chapter 18. Kerberos GSS-API The Generic Security Service Application Program Interface (defined in RFC-2743 published by The Internet Engineering Task Force) is a set of functions which provide security services. This API is used by clients and services to authenticate to each other without either program having specific knowledge of the underlying mechanism.
  • Page 286: How Kerberos Works

    Chapter 18. Kerberos Ticket-granting Server (TGS) A server that issues tickets for a desired service which are in turn given to users for access to the service. The TGS usually runs on the same host as the KDC. Ticket-granting Ticket (TGT) A special ticket that allows the client to obtain additional tickets without applying for them from the KDC.
  • Page 287: Kerberos And Pam

    Note Kerberos depends on certain network services to work correctly. First, Kerberos requires approximate clock synchronization between the machines on the network. Therefore, a clock synchronization program should be set up for the network, such as ntpd. For more about configuring ntpd, refer...
  • Page 288 pose. Refer to /usr/share/doc/ntp-version-number/index.htm for details about how to set up Network Time Protocol servers and http://www.eecis.udel.edu/~ntp for additional information about NTP. 2. Install the krb5-libs, krb5-server, and krb5-workstation packages on the dedicated machine which runs the KDC. This machine needs to be very secure — if possible, it should not run any services other than the KDC.
  • Page 289: Configuring A Kerberos 5 Client

    8. Verify that the KDC is issuing tickets. First, run kinit to obtain a ticket and store it in a credential cache file. Next, use klist to view the list of credentials in the cache and use kdestroy to destroy the cache and the credentials it contains.
  • Page 290: Additional Resources

    • CVS — A kerberized CVS server, gserver, uses a principal with a root of and is otherwise identical to the CVS pserver. For details about how to enable services, refer to the chapter titled Controlling Access to Services in the Red Hat Enterprise Linux System Administration Guide.
  • Page 291 Configuration Files • man krb5.conf — Describes the format and options available within the configuration file for the Kerberos V5 library. • man kdc.conf — Describes the format and options available within the configuration file for the Kerberos V5 Authentication Server (AS) and Key Distribution Center (KDC). 18.7.2.
  • Page 293: Ssh Protocol

    Chapter 19. SSH Protocol SSH™ (or Secure SHell) is a protocol which facilitates secure communications between two systems using a client/server architecture and allowing users to log into server host systems remotely. But unlike other remote communication protocols such as FTP or Telnet, SSH encrypts the login session, making it impossible for intruders to collect unencrypted passwords.
  • Page 294: Ssh Protocol Versions

    • Impersonation of a particular host — Using this strategy, an attacker’s system is configured to pose as the intended recipient of a transmission. If this strategy works, the user’s system will remain unaware that it is communicating with the wrong host. This attack can be mounted through techniques known as DNS poisoning or IP spoofing. Both techniques intercept potentially sensitive information, and if the interception is made for hostile...
  • Page 295 19.3.1. Transport Layer The primary role of the transport layer is to facilitate safe and secure communication between the two hosts at the time of authentication and during subsequent communication. The transport layer accomplishes this by handling the encryption and decryption of data, and by providing integrity protection of data packets as they are sent and received.
  • Page 296: Openssh Configuration Files

    19.3.3. Channels After a successful authentication over the SSH transport layer, multiple channels are opened via a technique called multiplexing. Each of these channels handles communication for different terminal sessions and for forwarded X11 sessions. Both clients and servers can create a new channel.
  • Page 297: More Than A Secure Shell

    • authorized_keys — This file holds a list of authorized public keys for servers. When the client connects to a server, the server authenticates the client by checking its signed public key stored within this file. • —...
  • Page 298: Requiring Ssh For Remote Connections

    To create a TCP/IP port forwarding channel which listens for connections on the localhost, use the following command: ssh -L local-port:remote-hostname:remote-port username@hostname Note Setting up port forwarding to listen on ports below 1024 requires root level access. To check email on a server called mail.example.com using POP3 through an encrypted connection,...
  • Page 299: Additional Resources

    To disable insecure connection methods to the system, use the command line program chkconfig, the ncurses-based program ntsysv, or the Services Configuration Tool (redhat-config-services) graphical application. All of these tools require root level access. For more information on runlevels and configuring services with chkconfig, ntsysv, and the Services Configuration Tool, refer to the chapter titled Controlling Access to Services in the Red Hat...
  • Page 300 19.7.2. Useful Websites • http://www.openssh.com — The OpenSSH FAQ page, bug reports, mailing lists, project goals, and a more technical explanation of the security features. • http://www.openssl.org — The OpenSSL FAQ page, mailing lists, and a description of the project...
  • Page 301: Appendixes

    IV. Appendixes Table of Contents A. General Parameters and Modules .................... 285...
  • Page 303: General Parameters And Modules

    Appendix A. General Parameters and Modules This appendix is provided to illustrate some of the possible parameters available for common hardware device drivers, which under Red Hat Enterprise Linux are called kernel modules. In most cases, the default parameters will work. However, there may be times when extra module parameters are necessary for a device to function properly or to override the module’s default parameters for the device.
  • Page 304: Ethernet Parameters

    Hardware | Module | Parameters
    NCR53c810/820/720, NCR53c700/710/700-66 | 53c7,8xx.o |
    Adaptec AACRAID | aacraid.o |
    Adaptec 28xx, R9xx, 39xx, AHA-284x, AHA-29xx, AHA-394x, AHA-398x, AHA-274x, AHA-274xT, AHA-2842, AHA-2910B, AHA-2920C, AHA-2930/U/U2, AHA-2940/W/U/UW/AU/U2W/U2/U2B/U2BOEM, AHA-2944D/WD/UD/UWD, AHA-2950U2/W/B, AHA-3940/U/W/UW/AUW/U2W/U2B, AHA-3950U2D, AHA-3985/U/W/UW, AIC-777x, AIC-785x, AIC-786x, AIC-787x, AIC-788x, AIC-789x, AIC-3860 | aic7xxx.o |
    ICP RAID Controller | ...
  • Page 305 Hardware | Module | Parameters
    RTL8139, SMC EZ Card Fast Ethernet, RealTek cards using RTL8129 or RTL8139 Fast Ethernet chipsets | 8139too.o |
    Intel Ether Express/100 driver | e100.o | e100_speed_duplex=X: If X = 0 = autodetect speed and duplex; 1 = 10Mbps, half duplex; 2 = 10Mbps, full duplex; 3 = 100Mbps, half duplex...
  • Page 306 Modules in the Red Hat Enterprise Linux System Administration Guide for more information. For additional information about using more than one Ethernet card, refer to the Linux Ethernet- HOWTO online at http://www.redhat.com/mirrors/LDP/HOWTO/Ethernet-HOWTO.html. A.3.2. The Channel Bonding Module Red Hat Enterprise Linux allows administrators to bind NICs together into a single channel using the kernel module and a special network interface called a channel bonding interface.
  • Page 307 • — Sets an XOR (exclusive-or) policy for fault tolerance and load balancing. Using this method the interface matches up the incoming request’s MAC address with the MAC address for one of the slave NICs. Once this link is established, transmissions are sent out sequentially beginning with the first available interface.
  • Page 308 • multicast= — Specifies an integer value for the type of multicast support desired. Acceptable values for this parameter are: • — Disables multicast support. • — Enables multicast support, but only on the active slave. •...
  • Page 323: Colophon

    Colophon The manuals are written in DocBook SGML v4.1 format. The HTML and PDF formats are produced using custom DSSSL stylesheets and custom jade wrapper scripts. The DocBook SGML files are written in Emacs with the help of PSGML mode. Garrett LeSage created the admonition graphics (note, tip, important, caution, and warning).
