Red Hat Enterprise Linux 4.5.0
4.5.0
Reference Guide
ISBN: N/A
Publication date:

Summary of Contents for Red Hat Enterprise Linux 4.5.0

  • Page 3 All other trademarks referenced herein are the property of their respective owners. The GPG fingerprint of the security@redhat.com key is: CA 20 86 86 2B D6 9D FC 65 F6 EC C4 21 91 80 CD DB 42 A6 0E...
  • Page 5: Table Of Contents

    Introduction .... xvii
    1. Changes To This Manual .... xvii
    2. Finding Appropriate Documentation .... xviii
    2.1. Documentation For First-Time Linux Users .... xviii
    2.2. For the More Experienced .... xx
    2.3. Documentation for Linux Gurus .... xx
    3. Document Conventions .... xxi
    4. ...
  • Page 6

    2.1. FHS Organization .... 25
    3. Special File Locations Under Red Hat Enterprise Linux .... 30
    4. The sysconfig Directory .... 31
    1. Files in the /etc/sysconfig/ Directory .... 31
    1.1. /etc/sysconfig/amd .... 33
    1.2. /etc/sysconfig/apmd .... 33
    1.3. /etc/sysconfig/arpwatch .... 33
    1.4. ...
  • Page 7

    5. The proc File System .... 49
    1. A Virtual File System .... 49
    1.1. Viewing Virtual Files .... 49
    1.2. Changing Virtual Files .... 50
    2. Top-level Files within the proc File System .... 50
    2.1. /proc/apm .... 51
    2.2. /proc/buddyinfo .... 51
    2.3. /proc/cmdline .... 52
    2.4. ...
  • Page 8

    3.11. /proc/tty/ .... 85
    4. Using the sysctl Command .... 86
    5. Additional Resources .... 87
    5.1. Installed Documentation .... 87
    5.2. Useful Websites .... 87
    6. Users and Groups .... 89
    1. User and Group Management Tools .... 89
    2. Standard Users .... 90
    3. ...
  • Page 9

    1. How It Works .... 131
    1.1. Required Services .... 132
    1.2. NFS and portmap .... 133
    2. Starting and Stopping NFS .... 134
    3. NFS Server Configuration .... 135
    3.1. The /etc/exports Configuration File .... 135
    3.2. The exportfs Command .... 138
    4. NFS Client Configuration Files .... 139
    4.1. ...
  • Page 10

    5.17. Group .... 168
    5.18. ServerAdmin .... 168
    5.19. ServerName .... 168
    5.20. UseCanonicalName .... 169
    5.21. DocumentRoot .... 169
    5.22. Directory .... 169
    5.23. Options .... 170
    5.24. AllowOverride .... 170
    5.25. Order .... 171
    5.26. Allow .... 171
    5.27. Deny .... 171
    5.28. UserDir .... 171
    5.29. ...
  • Page 11

    5.64. NameVirtualHost .... 179
    5.65. VirtualHost .... 179
    5.66. Configuration Directives for SSL .... 180
    6. Default Modules .... 180
    7. Adding Modules .... 181
    8. Virtual Hosts .... 182
    8.1. Setting Up Virtual Hosts .... 182
    8.2. The Secure Web Server Virtual Host .... 183
    9. Additional Resources .... 183
    9.1. ...
  • Page 12

    4.1. Configuring /etc/named.conf .... 227
    4.2. Configuring /etc/rndc.conf .... 228
    4.3. Command Line Options .... 229
    5. Advanced Features of BIND .... 230
    5.1. DNS Protocol Enhancements .... 230
    5.2. Multiple Views .... 230
    5.3. Security .... 231
    5.4. IP version 6 .... 231
    6. ...
  • Page 13

    4.4. Active Directory Security Mode (User-Level Security) .... 262
    4.5. Server Security Mode (User-Level Security) .... 262
    5. Samba Account Information Databases .... 263
    5.1. Backward Compatible Backends .... 263
    5.2. New Backends .... 264
    6. Samba Network Browsing .... 264
    6.1. Workgroup Browsing .... 265
    6.2. Domain Browsing .... 266
    6.3. ...
  • Page 14

    5.3. Anonymous User Options .... 285
    5.4. Local User Options .... 285
    5.5. Directory Options .... 287
    5.6. File Transfer Options .... 288
    5.7. Logging Options .... 288
    5.8. Network Options .... 289
    6. Additional Resources .... 292
    6.1. Installed Documentation .... 292
    6.2. ...
  • Page 15

    1. Packet Filtering .... 327
    2. Differences between iptables and ipchains .... 329
    3. Options Used within iptables Commands .... 330
    3.1. Structure of iptables Options .... 330
    3.2. Command Options .... 330
    3.3. iptables Parameter Options .... 332
    3.4. iptables Match Options .... 333
    3.5. Target Options .... 336
    3.6. ...
  • Page 16

    2. Files Related to SELinux .... 365
    2.1. The /selinux/ Pseudo-File System .... 365
    2.2. SELinux Configuration Files .... 366
    2.3. SELinux Utilities .... 368
    3. Additional Resources .... 369
    3.1. Installed Documentation .... 369
    3.2. Red Hat Documentation .... 369
    3.3. Useful Websites .... 369
    IV. ...
  • Page 17: Introduction

    Welcome to the Red Hat Enterprise Linux Reference Guide. The Red Hat Enterprise Linux Reference Guide contains useful information about the Red Hat Enterprise Linux system. From fundamental concepts, such as the structure of the file system, to the finer points of system security and authentication control, we hope you find this book to be a valuable resource.
  • Page 18: Finding Appropriate Documentation

    Linux Installation Guide concerning installation issues, the Red Hat Enterprise Linux Introduction to System Administration for basic administration concepts, the Red Hat Enterprise Linux System Administration Guide for general customization instructions, and the Red Hat Enterprise Linux Security Guide for security related instructions. This guide contains information about topics for advanced users.
  • Page 19 2.1.1. Introduction to Linux Websites • http://www.redhat.com/ — On the Red Hat website, you find links to the Linux Documentation Project (LDP), online versions of the Red Hat Enterprise Linux manuals, FAQs (Frequently Asked Questions), a database which can help you find a Linux Users Group near you, technical information in the Red Hat Support Knowledge Base, and more.
  • Page 20: For The More Experienced

    • linux.redhat.rpm [news:linux.redhat.rpm] — A good place to go if you are having trouble using RPM to accomplish particular objectives. 2.2. For the More Experienced If you have used other Linux distributions, you probably already have a basic grasp of the most frequently used commands.
  • Page 21: Document Conventions

    If you are concerned with the finer points and specifics of the Red Hat Enterprise Linux system, the Red Hat Enterprise Linux Reference Guide is a great resource. If you are a long-time Red Hat Enterprise Linux user, you probably already know that one of the best ways to understand a particular program is to read its source code and/or configuration files.
  • Page 22: More To Come

    Additionally, the manual uses different strategies to draw your attention to pieces of information. In order of how critical the information is to you, these items are marked as follows: Note: A note is typically information that you need to understand the behavior of the system.
  • Page 23: We Need Feedback

    If you find an error in the Red Hat Enterprise Linux Reference Guide, or if you have thought of a way to make this manual better, we would love to hear from you! Please submit a report in Bugzilla (http://bugzilla.redhat.com/bugzilla/) against the component rhel-rg. Be sure to mention the manual's identifier: rhel-rg. If you mention the manual's identifier, we know exactly which version of the guide you have.
  • Page 25: System Reference

    Part I. System Reference To manage the system effectively, it is crucial to know about its components and how they fit together. This part outlines many important aspects of the system. It covers the boot process, the basic file system layout, the location of crucial system files and file systems, and the basic concepts behind users and groups.
  • Page 27: Boot Process, Init, and Shutdown

    Chapter 1. Boot Process, Init, and Shutdown An important and powerful aspect of Red Hat Enterprise Linux is the open, user-configurable method it uses for starting the operating system. Users are free to configure many aspects of the boot process, including specifying the programs launched at boot-time. Similarly, system shutdown gracefully terminates processes in an organized and configurable way, although customization of this process is rarely required.
  • Page 28: The Boot Loader

    If upgrading the kernel using the Red Hat Update Agent, the boot loader configuration file is updated automatically. More information on Red Hat Network can be found online at the following URL: https://rhn.redhat.com/. Once the second stage boot loader is in memory, it presents the user with a graphical screen showing the different operating systems or kernels it has been configured to boot.
  • Page 29: The Kernel

    Note: If Symmetric Multi-Processor (SMP) kernel support is installed, more than one option is presented the first time the system is booted. In this situation GRUB displays Red Hat Enterprise Linux (<kernel-version>-smp), which is the SMP kernel, and Red Hat Enterprise Linux (<kernel-version>), which is for single processors.
  • Page 30: The /sbin/init Program

    When the kernel is loaded, it immediately initializes and configures the computer's memory and configures the various hardware attached to the system, including all processors, I/O subsystems, and storage devices. It then looks for the compressed initramfs image(s) in a predetermined location in memory, decompresses it directly to...
  • Page 31

    -> ../init.d/dc_server
    K10psacct -> ../init.d/psacct
    K10radiusd -> ../init.d/radiusd
    K12dc_client -> ../init.d/dc_client
    K12FreeWnn -> ../init.d/FreeWnn
    K12mailman -> ../init.d/mailman
    K12mysqld -> ../init.d/mysqld
    K15httpd -> ../init.d/httpd
    K20netdump-server -> ../init.d/netdump-server
    K20rstatd -> ../init.d/rstatd
    K20rusersd -> ../init.d/rusersd
    K20rwhod -> ../init.d/rwhod
    K24irda -> ../init.d/irda
    K25squid -> ...
  • Page 32: Running Additional Programs At Boot Time

    After the system is finished booting, it is possible to log in as root and execute these same scripts to start and stop services. For instance, the command /etc/rc.d/init.d/httpd stop stops the Apache HTTP Server. Each of the symbolic links is numbered to dictate start order.
  • Page 33: SysV Init Runlevels

    setserial commands to configure the system's serial ports. Refer to the setserial man page for more information. 4. SysV Init Runlevels The SysV init runlevel system provides a standard process for controlling which programs init launches or halts when initializing a runlevel. SysV init was chosen because it is easier to use and more flexible than the traditional BSD-style init process.
  • Page 34: Runlevel Utilities

    In general, users operate Red Hat Enterprise Linux at runlevel 3 or runlevel 5 — both full multi-user modes. Users sometimes customize runlevels 2 and 4 to meet specific needs, since they are not used. The default runlevel for the system is listed in .
  • Page 35: Shutting Down

    Refer to the chapter titled Controlling Access to Services in the Red Hat Enterprise Linux System Administration Guide for more information regarding these tools. 5. Shutting Down To shut down Red Hat Enterprise Linux, the root user may issue the /sbin/shutdown command.
  • Page 37: The GRUB Boot Loader

    Chapter 2. The GRUB Boot Loader When a computer with Red Hat Enterprise Linux is turned on, the operating system is loaded into memory by a special program called a boot loader. A boot loader usually exists on the system's primary hard drive (or other media device) and has the sole responsibility of loading the Linux kernel with its required files or (in some cases) other operating systems into memory.
  • Page 38: Features of GRUB

    primary boot loader exists on less than 512 bytes of disk space within the MBR and is capable of loading either the Stage 1.5 or Stage 2 boot loader. 2. The Stage 1.5 boot loader is read into memory by the Stage 1 boot loader, if necessary. Some hardware requires an intermediate step to get to the Stage 2 boot loader.
  • Page 39: Installing GRUB

    • GRUB supports Logical Block Addressing (LBA) mode. LBA places the addressing conversion used to find files in the hard drive's firmware, and is used on many IDE and all SCSI hard devices. Before LBA, boot loaders could encounter the 1024-cylinder BIOS limitation, where the BIOS could not find a file after the 1024 cylinder head of the disk.
  • Page 40: Device Names

    One of the most important things to understand before using GRUB is how the program refers to devices, such as hard drives and partitions. This information is particularly important when configuring GRUB to boot multiple operating systems. 4.1. ...
  • Page 41: File Names And Blocklists

    • If a system has multiple drive devices, it is very important to know how the drive boot order is set in the BIOS. This is a simple task if a system has only IDE or SCSI drives, but if there is a mix of devices, it becomes critical that the type of drive with the boot partition be accessed first.
  • Page 42: GRUB Interfaces

    The use of the term root file system has a different meaning in regard to GRUB. It is important to remember that GRUB's root file system has nothing to do with the Linux root file system. The GRUB root file system is the top level of the specified device.
  • Page 43: Interfaces Load Order

    After all changes are made, the b key executes the commands and boots the operating system. The Esc key discards any changes and reloads the standard menu interface. The c key loads the command line interface. For information about changing runlevels using the GRUB menu entry editor, refer to Section 8, “Changing Runlevels at Boot Time”.
  • Page 44 • boot — Boots the operating system or chain loader that was last loaded. • chainloader </path/to/file> — Loads the specified file as a chain loader. If the file is located on the first sector of the specified partition, use the blocklist notation instead of the file name.
  • Page 45: GRUB Menu Configuration File

    separated list. The following is an example kernel command: kernel /vmlinuz-2.6.8-1.523 ro root=/dev/VolGroup00/LogVol00 The option in the previous example specifies that the root file system for Linux is located on partition hda5. • root (<device-type><device-number>,<partition>) — Configures the root partition for GRUB and mounts the partition.
  • Page 46: Configuration File Directives

    operating system and sets it to autoboot after 10 seconds. Two sections are given, one for each operating system entry, with commands specific to the system disk partition table. Note: Note that the default is specified as an integer. This refers to the first title line in the GRUB configuration file.
  • Page 47: Changing Runlevels At Boot Time

    • password=<password> — Prevents a user who does not know the password from editing the entries for this menu option. Optionally, it is possible to specify an alternate menu configuration file after the password=<password> directive. In this case, GRUB restarts the second stage boot loader...
  • Page 48: Installed Documentation

    [http://www.gnu.org/software/grub] — The home page of the GNU GRUB project. This site contains information concerning the state of GRUB development and an FAQ. • http://www.redhat.com/mirrors/LDP/HOWTO/mini/Multiboot-with-GRUB.html — Investigates various uses for GRUB, including booting operating systems other than Linux. • http://www.linuxgazette.com/issue64/kohli.html —...
  • Page 49: File System Structure

    Chapter 3. File System Structure 1. Why Share a Common Structure? The file system structure is the most basic level of organization in an operating system. Almost all of the ways an operating system interacts with its users, applications, and security model are dependent upon the way it organizes files on storage devices.
  • Page 50 The complete standard is available online at http://www.pathname.com/fhs/. 2.1.1. The /boot/ Directory The /boot/ directory contains static files required to boot the system, such as the Linux kernel. These files are essential for the system to boot properly. Warning: Do not remove the directory.
  • Page 51 mounts. For all removable media, use the /media/ directory. Note: This directory must not be used by installation programs. 2.1.7. The /opt/ Directory The /opt/ directory provides storage for large, static application software packages. A package placing files in the /opt/ directory creates a directory bearing the same name as the package.
  • Page 52 arp, clock, halt, init, fsck.*, grub, ifconfig, mingetty, mkfs.*, mkswap, reboot, route, shutdown, swapoff, swapon 2.1.10. The /srv/ Directory The /srv/ directory contains site-specific data served by your system running Red Hat Enterprise Linux. This directory gives users the location of data files for a particular service, such as FTP, WWW, or CVS.
  • Page 53 The FHS says: The /usr/local hierarchy is for use by the system administrator when installing software locally. It needs to be safe from being overwritten when the system software is updated. It may be used for programs and data that are shareable among a group of hosts, but not found in /usr. The directory is similar in structure to the...
  • Page 54: Special File Locations Under Red Hat Enterprise Linux

    RPM header information for the system. This location may also be used to temporarily store RPMs downloaded while updating the system. For more information about Red Hat Network, refer to the documentation online at https://rhn.redhat.com/. Another location specific to Red Hat Enterprise Linux is the directory.
  • Page 55: The Sysconfig Directory

    Chapter 4. The sysconfig Directory The /etc/sysconfig/ directory contains a variety of system configuration files for Red Hat Enterprise Linux. This chapter outlines some of the files found in the /etc/sysconfig/ directory, their function, and their contents. The information in this chapter is not intended to be complete, as many of these files have a variety of options that are only used in very specific or rare circumstances.
  • Page 56 • keyboard • kudzu • mouse • named • netdump • network • ntpd • pcmcia • radvd • rawdevices • samba • sendmail • selinux • spamassassin • squid • system-config-securitylevel • system-config-users • system-logviewer •...
  • Page 57: /etc/sysconfig/amd

    looking through the initscripts in the /etc/rc.d/ directory can prove helpful. 1.1. /etc/sysconfig/amd The /etc/sysconfig/amd file contains various parameters used by ; these parameters allow for the automatic mounting and unmounting of file systems. 1.2. /etc/sysconfig/apmd The /etc/sysconfig/apmd file is used by apmd to configure what power settings to...
  • Page 58: /etc/sysconfig/clock

    The /etc/sysconfig/autofs file defines custom options for the automatic mounting of devices. This file controls the operation of the automount daemons, which automatically mount file systems when you use them and unmount them after a period of inactivity. File systems can include network file systems, CD-ROMs, diskettes, and other media.
  • Page 59: /etc/sysconfig/desktop

    • ZONE=<filename> — The time zone file under /usr/share/zoneinfo that /etc/localtime is a copy of. The file contains information such as: ZONE="America/New York" Earlier releases of Red Hat Enterprise Linux used the following values (which are deprecated): • CLOCKMODE=<value>, where <value> is one of the following:...
  • Page 60: /etc/sysconfig/exim

    The /etc/sysconfig/dhcpd file is used to pass arguments to the dhcpd daemon at boot time. The dhcpd daemon implements the Dynamic Host Configuration Protocol (DHCP) and the Internet Bootstrap Protocol (BOOTP). DHCP and BOOTP assign hostnames to machines on the network.
  • Page 61: /etc/sysconfig/hwconf

    Warning: Do not make changes to this file without careful consideration. By changing the default values, it is possible to corrupt all of the data on the hard drive(s). The /etc/sysconfig/harddisks file may contain the following: • USE_DMA=1, where setting this value to 1 enables DMA. However, with some chipsets and hard drive combinations, DMA can cause data corruption.
  • Page 62 The /etc/sysconfig/init file controls how the system appears and functions during the boot process. The following values may be used: • BOOTUP=<value>, where <value> is one of the following: • color — The standard color boot display, where the success or failure of devices and services starting up is shown in different colors.
  • Page 63 the /etc/sysconfig/ip6tables file by typing the following command: /sbin/service ip6tables save Once this file exists, any firewall rules saved in it persist through a system reboot or a service restart. For more information on ip6tables, refer to Chapter 18, iptables. 1.18.
  • Page 64: /etc/sysconfig/keyboard

    • DONGLE=<value>, where <value> specifies the type of dongle being used for infrared communication. This setting exists for people who use serial dongles rather than real infrared ports. A dongle is a device that is attached to a traditional serial port to communicate via infrared.
  • Page 65: /etc/sysconfig/named

    • FULLNAME="<value>", where "<value>" refers to the full name of the kind of mouse being used. • MOUSETYPE="<value>", where "<value>" is one of the following: • imps2 — A generic USB wheel mouse. • microsoft — A Microsoft™ mouse. •...
  • Page 66: /etc/sysconfig/netdump

    configured. Type info chroot for more information. • OPTIONS="<value>", where <value> is any option listed in the man page for named except . In place of , use the ROOTDIR line above. For more information about available parameters for this file, refer to the man page.
  • Page 67: /etc/sysconfig/pcmcia

    about what parameters are available for this file, use a Web browser to view the following file: /usr/share/doc/ntp-<version>/ntpd.htm (where <version> is the version number of ntpd). By default, this file sets the owner of the process to the user ntpd. 1.27.
  • Page 68: /etc/sysconfig/selinux

    The /etc/sysconfig/samba file is used to pass arguments to the smbd and nmbd daemons at boot time. The smbd daemon offers file sharing connectivity for Windows clients on the network. The nmbd daemon offers NetBIOS over IP naming services. For more information about what parameters are available for this file, refer to the man page.
  • Page 69 number installed on the system). By default, this file sets squid to start in daemon mode and sets the amount of time before it shuts itself down. 1.35. /etc/sysconfig/system-config-securitylevel The /etc/sysconfig/system-config-securitylevel file contains all options chosen by the user the last time the Security Level Configuration Tool (system-config-securitylevel) was run.
  • Page 70 • VNCSERVERS=<value>, where <value> is set to something like "1:fred", to indicate that a VNC server should be started for user fred on display :1. User fred must have set a VNC password using the vncpasswd command before attempting to connect to the remote VNC server.
  • Page 71: Additional Resources

    For more information on Red Hat Network, refer to the Red Hat Network website online at https://rhn.redhat.com/. 3. Additional Resources This chapter is only intended as an introduction to the files in the directory.
  • Page 73: The Proc File System

    Chapter 5. The proc File System The Linux kernel has two primary functions: to control access to physical devices on the computer and to schedule when and how processes interact with these devices. The /proc/ directory — also called the file system —...
  • Page 74: Changing Virtual Files

    When viewing different virtual files in the /proc/ file system, some of the information is easily understandable while some is not human-readable. This is in part why utilities exist to pull data from virtual files and display it in a useful way. Examples of these utilities include lspci, and free...
  • Page 75: /proc/apm

    Note: In most cases, the content of the files listed in this section is not the same as that installed on your machine. This is because much of the information is specific to the hardware on which Red Hat Enterprise Linux is running for this documentation effort.
  • Page 76: /proc/cmdline

    90 of 2^(0*PAGE_SIZE) chunks of memory. Similarly, there are 6 of 2^(1*PAGE_SIZE) chunks, and 2 of 2^(2*PAGE_SIZE) chunks of memory available. row references the first 16 MB on a system, the HighMem row references all memory greater than 4 GB on a system, and the row references all memory in between.
  • Page 77: /proc/crypto

    • cpu family — Authoritatively identifies the type of processor in the system. For an Intel-based system, place the number in front of "86" to determine the value. This is particularly helpful for those attempting to identify the architecture of an older system such as a 586, 486, or 386.
  • Page 78: /proc/dma

    2. Character devices send data with no preconfigured size. Block devices can send and receive information in blocks of a size configured per device. For more information about devices refer to the following installed documentation: /usr/share/doc/kernel-doc-<version>/Documentation/devices.txt 2.7.
  • Page 79: /proc/interrupts

    The first column signifies whether the file system is mounted on a block device. Those beginning with nodev are not mounted on a device. The second column lists the names of the file systems supported. The mount command cycles through the file systems listed here when one is not specified as an argument.
  • Page 80: /proc/ioports

    000a0000-000bffff : Video RAM area
    000c0000-000c7fff : Video ROM
    000f0000-000fffff : System ROM
    00100000-07ffffff : System RAM
    00100000-00291ba8 : Kernel code
    00291ba9-002e09cb : Kernel data
    e0000000-e3ffffff : VIA Technologies, Inc. VT82C597 [Apollo VP3]
    e4000000-e7ffffff : PCI Bus #01
    e4000000-e4003fff : Matrox Graphics, Inc. MGA G200 AGP
    e5000000-e57fffff : Matrox Graphics, Inc. ...
  • Page 81: /proc/kmsg

    2.15. /proc/kmsg This file is used to hold messages generated by the kernel. These messages are then picked up by other programs, such as /sbin/klogd or /bin/dmesg. 2.16. /proc/loadavg This file provides a look at the load average in regard to both the CPU and IO over time, as well as additional data used by and other commands.
  • Page 82: /proc/meminfo

    This file remains in the same state as seen above unless a software RAID or device is present. In that case, view /proc/mdstat to find the current status of RAID devices. The /proc/mdstat file below shows a system with its configured as a RAID 1 device, while it is currently re-syncing the disks:...
  • Page 83 • HighTotal and HighFree — The total and free amount of memory, in kilobytes, that is not directly mapped into kernel space. The HighTotal value can vary based on the type of kernel used. • LowTotal and LowFree — The total and free amount of memory, in kilobytes, that is directly mapped into kernel space.
  • Page 84: /proc/misc

    2.20. /proc/misc This file lists miscellaneous drivers registered on the miscellaneous major device, which is device number 10:
    63 device-mapper
    175 agpgart
    135 rtc
    134 apm_bios
    The first column is the minor number of each device, while the second column shows the driver in use.
  • Page 85: /proc/mtrr

    This file provides a list of all mounts in use by the system:
    rootfs / rootfs rw 0 0
    /proc /proc proc rw,nodiratime 0 0
    none /dev ramfs rw 0 0
    /dev/mapper/VolGroup00-LogVol00 / ext3 rw 0 0
    none /dev ramfs rw 0 0
    /proc /proc proc rw,nodiratime 0 0
    /sys /sys sysfs rw 0 0
    none /dev/pts devpts rw 0 0
    usbdevfs /proc/bus/usb usbdevfs rw 0 0
    /dev/hda1 /boot ext3 rw 0 0
    none /dev/shm tmpfs rw 0 0
    none /proc/sys/fs/binfmt_misc binfmt_misc rw...
  • Page 86: /proc/pci

    • major — The major number of the device with this partition. The major number in /proc/partitions corresponds with the block device ide0 in /proc/devices. • minor — The minor number of the device with this partition. This serves to separate the partitions into different physical devices and relates to the number at the end of the name of the partition.
  • Page 87 This file gives full information about memory usage on the slab level. Linux kernels greater than version 2.2 use slab pools to manage memory above the page level. Commonly used objects have their own slab pools. Instead of parsing the highly verbose /proc/slabinfo file manually, the /usr/bin/slabtop...
  • Page 88: /proc/stat

    2.27. /proc/stat This file keeps track of a variety of different statistics about the system since it was last restarted. The contents of /proc/stat, which can be quite long, usually begin like the following example:
    cpu 259246 7001 60190 34250993 137517 772 0
    cpu0 259246 7001 60190 34250993 137517 772 0
    intr 354133732 347209999 2272 0 4 4 0 0 3 1 1249247 0 0 80143 0...
  • Page 89: /proc/sysrq-trigger

    Red Hat Enterprise Linux installed on the system: Linux version 2.6.8-1.523 (user@foo.redhat.com) (gcc version 3.4.1 20040714 \ (Red Hat Enterprise Linux 3.4.1-7)) #1 Mon Aug 16 13:27:03 EDT 2004 This information is used for a variety of purposes, including the version data presented when a user logs in.
  • Page 90 13 01:28 637 dr-xr-xr-x 3 rpcuser rpcuser 0 Feb 13 01:28 666 These directories are called process directories, as they are named after a program's process ID and contain information specific to that process. The owner and group of each process directory is set to the user running the process.
  • Page 91: /proc/bus/

    • stat — The status of the process. • statm — The status of the memory in use by the process. Below is a sample /proc/statm file: 263 210 210 5 0 205 0 The seven columns relate to different memory statistics for the process. From left to right, they report the following aspects of the memory used: 1.
  • Page 92: Proc/Driver

    Chapter 5. The proc File System example, on a standard system containing PCI and USB buses, current data on each of these buses is available within a subdirectory within /proc/bus/ by the same name, such as /proc/bus/pci/. The subdirectories and files available within /proc/bus/ vary depending on the devices connected to the system.
  • Page 93: Proc/Ide

    /proc/ide/ /proc/fs/nfsd/exports displays the file systems being shared and the permissions granted for those file systems. For more on file system sharing with NFS, refer to Chapter 9, Network File System (NFS). 3.5. /proc/ide/ This directory contains information about IDE devices on the system. Each IDE channel is represented as a separate directory, such as .
  • Page 94: Proc/Irq

    Chapter 5. The proc File System • capacity — The capacity of the device, in 512 byte blocks. • driver — The driver and version used to control the device. • geometry — The physical and logical geometry of the device. •...
  • Page 95: Proc/Scsi

    /proc/scsi/ settings and statistics. This directory is primarily used with ATM networking and ADSL cards. • — Lists the various network devices configured on the system, complete with transmit and receive statistics. This file displays the number of bytes each interface has sent and received, the number of packets inbound and outbound, the number of errors seen, the number of packets dropped, and more.
  • Page 96 Chapter 5. The proc File System The primary file in this directory is /proc/scsi/scsi, which contains a list of every recognized SCSI device. From this listing, the type of device, as well as the model name, vendor, SCSI channel and ID data is available. For example, if a system contains a SCSI CD-ROM, a tape drive, a hard drive, and a RAID controller, this file looks similar to the following: Attached devices: Host: scsi1 Channel: 00 Id: 05 Lun: 00 Vendor: NEC Model:...
  • Page 97: Proc/Sys

    /proc/sys/ megabytes per second, while the tape drive is only communicating at 10 megabytes per second. 3.9. /proc/sys/ The /proc/sys/ directory is different from others in /proc/ because it not only provides information about the system but also allows the system administrator to immediately enable and disable kernel features.
  • Page 98 Chapter 5. The proc File System Note Any configuration changes made using the echo command disappear when the system is restarted. To make configuration changes take effect after the system is rebooted, refer to Section 4, “Using the sysctl Command”. The /proc/sys/ directory contains several subdirectories controlling different aspects of a running kernel.
  • Page 99 /proc/sys/ If RAID support is compiled into the kernel, a /proc/sys/dev/raid/ directory becomes available with at least two files in it: speed_limit_min and speed_limit_max. These settings determine the acceleration of RAID devices for I/O intensive tasks, such as resyncing the disks. 3.9.2.
  • Page 100 Chapter 5. The proc File System space available on the file system containing the log. By default, the file looks like the following: 4 2 30 The first value dictates the percentage of free space required for logging to resume, while the second value sets the threshold percentage of free space when logging is suspended.
  • Page 101 /proc/sys/ • — Disables randomization of Exec Shield. This may be useful for application debugging purposes. • — Enables randomization of Exec Shield. This is the default value. Note: The exec-shield file must also be set to for exec-shield-randomize to be effective. •...
  • Page 102 Chapter 5. The proc File System • — General kernel warning condition. • — Kernel notice of a normal but significant condition. • — Kernel informational message. • — Kernel debug-level messages. Four values are found in the printk file: Each of these values defines a different rule for dealing with error messages.
  • Page 103 /proc/sys/ • — Disables raw mode for the keyboard and sets it to XLATE (a limited keyboard mode which does not recognize modifiers such as Alt, Ctrl, or Shift for all keys). • — Kills all processes active in a virtual console. Also called Secure Access Key (SAK), it is often used to verify that the login prompt is spawned from init and not a trojan copy...
  • Page 104 Chapter 5. The proc File System • sysrq-key — Defines the key code for the System Request Key ( is the default). • sysrq-sticky — Defines whether the System Request Key is a chorded key combination. The accepted values are as follows: •...
  • Page 105 /proc/sys/ DoS attacks. The idea of a DoS attack is to bombard the targeted system with requests that generate errors and fill up disk partitions with log files or require all of the system's resources to handle the error logging. The message_burst and message_cost settings are designed to be...
  • Page 106 Chapter 5. The proc File System this file is set to . Setting this file to enables network packet forwarding. • ip_local_port_range — Specifies the range of ports to be used by TCP or UDP when a local port is needed. The first number is the lowest port to be used and the second number specifies the highest port.
  • Page 107 /proc/sys/ to as swap space. The following files are commonly found in the /proc/sys/vm/ directory: • block_dump — Configures block I/O debugging when enabled. All read/write and block dirtying operations done to files are logged accordingly. This can be useful if diagnosing disk spin up and spin downs for laptop battery conservation.
  • Page 108 Chapter 5. The proc File System highmem memory space enabled. The default value is , no protection at all. All other integer values are in megabytes, and lowmem memory is therefore protected from being allocated by users. For more information, refer to the following installed documentation: /usr/share/doc/kernel-doc-<version>/Documentation/filesystems/proc.txt •...
  • Page 109: Proc/Sysvipc

    /proc/sysvipc/ • overcommit_ratio — Specifies the percentage of physical RAM considered when /proc/sys/vm/overcommit_memory is set to . The default value is . • page-cluster — Sets the number of pages read in a single attempt. The default value of , which actually relates to 16 pages, is appropriate for most systems. •...
  • Page 110: Using The Command

    Chapter 5. The proc File System on the device. This allows the driver to place a specific type of header with every block of data transmitted over the device, making it possible for the remote end of the connection to see a block of data as just one in a stream of data blocks.
  • Page 111: Additional Resources

    Installed Documentation 5. Additional Resources Below are additional sources of information about the proc file system. 5.1. Installed Documentation Below is a list of directories you can consult for more information about the proc file system. These documents are installed through the package.
  • Page 113: Users And Groups

    Chapter 6. Users and Groups The control of users and groups is a core element of Red Hat Enterprise Linux system administration. Users can be either people, meaning accounts tied to physical users, or accounts which exist for specific applications to use. Groups are logical expressions of organization, tying users together for a common purpose.
  • Page 114: Standard Users

    Chapter 6. Users and Groups • gpasswd — Industry-standard method of administering the /etc/group file. • pwck, grpck — Tools used for the verification of the password, group, and associated shadow files. • pwconv, pwunconv — Tools used for the conversion of passwords to shadow passwords and back to standard passwords.
  • Page 115: Standard Groups

    Standard Groups
    User        Home Directory              Shell
    nscd        /sbin/nologin               /sbin/nologin
    postfix     /var/spool/postfix          /sbin/nologin
    mailman     /var/mailman                /sbin/nologin
    named       /var/named                  /bin/false
    amanda      var/lib/amanda/             /bin/bash
    postgres    /var/lib/pgsql              /bin/bash
    exim        /var/spool/exim             /sbin/nologin
    sshd        /var/empty/sshd             /sbin/nologin
    rpcuser     /var/lib/nfs                /sbin/nologin
    nfsnobody   65534 65534 /var/lib/nfs    /sbin/nologin
                /usr/share/pvm3             /bin/bash
    apache      /var/www                    /sbin/nologin
    ...
  • Page 116 Chapter 6. Users and Groups installation. Groups are stored in the /etc/group file. Group Members root root root, bin, daemon daemon root, bin, daemon root, bin, adm root, adm, daemon disk root daemon, lp kmem wheel root mail mail, postfix, exim news news uucp...
  • Page 117: User Private Groups

    User Private Groups Group Members exim named postgres sshd rpcuser nfsnobody 65534 apache mysql webalizer mailnull smmsp squid ldap netdump pcap quaggavt quagga radvd slocate dovecot radiusd Table 6.2. Standard Groups 4. User Private Groups Red Hat Enterprise Linux uses a user private group (UPG) scheme, which makes UNIX groups easier to manage.
  • Page 118: Group Directories

    Chapter 6. Users and Groups UPGs make it safe to set default permissions for a newly created file or directory which allow both the user and that user's group to make modifications to the file or directory. The setting which determines what permissions are applied to a newly created file or directory is called a umask and is configured in the file.
  • Page 119: Shadow Passwords

    Shadow Passwords At this point, because each user's default umask is 002, all members of the emacs group can create and edit files in the /usr/lib/emacs/site-lisp/ directory without the administrator having to change file permissions every time users write new files. 5.
  • Page 120: Related Books

    Chapter 6. Users and Groups User and Group Administrative Applications • man chage — A command to modify password aging policies and account expiration. • man gpasswd — A command to administer the /etc/group file. • man groupadd — A command to add groups. •...
  • Page 121 Related Books • Red Hat Enterprise Linux Security Guide; Red Hat, Inc. — This companion manual provides security-related aspects of user accounts, namely choosing strong passwords.
  • Page 123: The X Window System

    Before upgrading to the latest version of Red Hat Enterprise Linux, be sure that the video card is compatible with the X11R6.8 release by checking the Red Hat Hardware Compatibility List located online at http://hardware.redhat.com/. The files related to the X11R6.8 release reside primarily in two locations:...
  • Page 124: Desktop Environments And Window Managers

    Chapter 7. The X Window System Contains configuration files for X client and server applications. This includes configuration files for the X server itself, the font server, the X display managers, and many other base components. It is important to note that the configuration file for the newer Fontconfig-based font architecture is (which obsoletes the file).
  • Page 125: Window Managers

    Window Managers • KDE — An alternative desktop environment based on the Qt 3 graphical toolkit. Both GNOME and KDE have advanced productivity applications, such as word processors, spreadsheets, and Web browsers, and provide tools to customize the look and feel of the GUI. Additionally, if both the GTK+ 2 and the Qt libraries are present, KDE applications can run in GNOME and vice versa.
  • Page 126: Xorg.conf

    Chapter 7. The X Window System 3.1. xorg.conf While there is rarely a need to manually edit the /etc/X11/xorg.conf file, it is useful to understand the various sections and optional parameters available, especially when troubleshooting. 3.1.1. The Structure The /etc/X11/xorg.conf file is comprised of many different sections which address specific aspects of the system hardware.
  • Page 127 xorg.conf the use of the Ctrl-Alt-Backspace key combination to immediately terminate the X server. • "DontZoom" "<boolean>" — When the value of <boolean> is set to true, this setting prevents cycling through configured video resolutions using the Ctrl-Alt-Keypad-Plus and Ctrl-Alt-Keypad-Minus key combinations. 3.1.3.
  • Page 128 Chapter 7. The X Window System Replace <option-name> with a valid option listed for this section in the xorg.conf man page. It is possible to create more than one ServerLayout section. However, the server only reads the first one to appear unless an alternate ServerLayout section is specified as a command line argument.
  • Page 129 xorg.conf The following example illustrates a typical InputDevice section for a mouse: Section "InputDevice" Identifier "Mouse0" Driver "mouse" Option "Protocol" "IMPS/2" Option "Device" "/dev/input/mice" Option "Emulate3Buttons" "no" EndSection The following entries are commonly used in the InputDevice section: • — Specifies a unique name for this section.
  • Page 130 Chapter 7. The X Window System Warning Be careful if manually editing values in the Monitor section of /etc/X11/xorg.conf. Inappropriate values can damage or destroy a monitor. Consult the monitor's documentation for a listing of safe operating parameters. The following are entries commonly used in the Monitor section: •...
  • Page 131 xorg.conf vendor" BoardName "Matrox Millennium G200" VideoRam 8192 Option "dpms" EndSection The following entries are commonly used in the Device section: • Identifier — Specifies a unique name for this Device section. This is a required entry. • Driver — Specifies which driver the X server must load to utilize the video card. A list of drivers can be found in , which is installed with the...
  • Page 132: Fonts

    Chapter 7. The X Window System Section "Screen" Identifier "Screen0" Device "Videocard0" Monitor "Monitor0" DefaultDepth 16 SubSection "Display" Depth 24 Modes "1280x1024" "1280x960" "1152x864" "1024x768" "800x600" "640x480" EndSubSection SubSection "Display" Depth 16 Modes "1152x864" "1024x768" "800x600" "640x480" EndSubSection EndSection The following entries are commonly used in the Screen section: •...
  • Page 133: Fontconfig

    Fontconfig such as anti-aliasing. This system is used automatically for applications programmed using the Qt 3 or GTK+ 2 graphical toolkit. For compatibility, Red Hat Enterprise Linux includes the original font subsystem, called the core X font subsystem. This system, which is over 15 years old, is based around the X Font Server (xfs).
  • Page 134: Core X Font System

    Chapter 7. The X Window System Adding new fonts to the Fontconfig subsystem is a straightforward process. 1. To add fonts system-wide, copy the new fonts into the /usr/share/fonts/ directory. It is a good idea to create a new subdirectory, such as local/ or similar, to help distinguish between user and default installed fonts.
  • Page 135 Core X Font System 4.2.1. Configuration The /etc/rc.d/init.d/xfs script starts the server. Several options can be configured within its configuration file, /etc/X11/fs/config. The following lists common options: • alternate-servers — Specifies a list of alternate font servers to be used if this font server is not available.
  • Page 136: Runlevels And X

    Chapter 7. The X Window System 4.2.2. Adding Fonts to To add fonts to the core X font subsystem ( ), follow these steps: 1. If it does not already exist, create a directory called /usr/share/fonts/local/ using the following command as root: mkdir /usr/share/fonts/local/ If creating the directory is necessary, it must be added to the...
  • Page 137: Runlevel 5

    Runlevel 5 directory to define the desktop environment and possibly other X client applications to run. If no .xinitrc file is present, it uses the system default /etc/X11/xinit/xinitrc file instead. The default xinitrc script then looks for user-defined files and default system files, including , and in the user's home directory, and...
  • Page 138: Additional Resources

    Chapter 7. The X Window System screen. Once the user logs into the system, the /etc/X11/xdm/GiveConsole script runs to assign ownership of the console to the user. Then, the /etc/X11/xdm/Xsession script runs to accomplish many of the tasks normally performed by the xinitrc script when starting X from runlevel 3, including setting system and user resources, as well as running the scripts in the...
  • Page 139: Related Books

    Related Books • http://www.X.org/ — Home page of the X.Org Foundation, which produces the X11R6.8 release of the X Window System. The X11R6.8 release is bundled with Red Hat Enterprise Linux to control the necessary hardware and provide a GUI environment. •...
  • Page 141: Network Services Reference

    Part II. Network Services Reference It is possible to deploy a wide variety of network services under Red Hat Enterprise Linux. This part describes how network interfaces are configured as well as provides details about critical network services such as FTP, NFS, the Apache HTTP Server, Sendmail, Postfix, Exim, Fetchmail, Procmail, BIND, LDAP, and Samba.
  • Page 143: Network Interfaces

    Chapter 8. Network Interfaces Under Red Hat Enterprise Linux, all network communications occur between configured software interfaces and physical networking devices connected to the system. The configuration files for network interfaces, and the scripts used to activate and deactivate them, are located in the directory.
  • Page 144: Interface Configuration Files

    Chapter 8. Network Interfaces Caution The /etc/sysconfig/networking/ directory is used by the Network Administration Tool (system-config-network) and its contents should not be edited manually. In addition, any use of the Network Administration Tool, even launching the application, will override any directives previously set in .
  • Page 145 Ethernet Interfaces However, it is also possible to edit the configuration files for a given network interface manually. Below is a listing of the configurable parameters in an Ethernet interface configuration file: • BOOTPROTO=<protocol>, where <protocol> is one of the following:...
  • Page 146: Ipsec Interfaces

    Chapter 8. Network Interfaces in conjunction with HWADDR • MASTER=<bond-interface>, where <bond-interface> is the channel bonding interface to which the Ethernet interface is linked. This directive is used in conjunction with the SLAVE directive. Refer to Section 2.3, “Channel Bonding Interfaces” for more about channel bonding interfaces.
  • Page 147 IPsec Interfaces secure IP connection, known as IPsec. For instructions on setting up IPsec using the Network Administration Tool (system-config-network), refer to the chapter titled Network Configuration in the Red Hat Enterprise Linux System Administration Guide. For instructions on setting up IPsec manually, refer to the chapter titled Virtual Private Networks in the Red Hat Enterprise Linux Security Guide.
  • Page 148: Channel Bonding Interfaces

    Chapter 8. Network Interfaces (preshared keys) method. • IKE_CERTFILE=<cert-file>, where <cert-file> is a valid X.509 certificate file for the host. • IKE_PEER_CERTFILE=<cert-file>, where <cert-file> is a valid X.509 certificate file for the remote host. • IKE_DNSSEC=<answer>, where . The daemon retrieves the remote...
  • Page 149: Alias And Clone Files

    Alias and Clone Files install bond0 /sbin/modprobe bonding -o bond0 Once /etc/modprobe.conf is configured, and the channel bonding interface and network interfaces are configured, the ifup command can be used to bring up the channel bonding interface. Important Important aspects of the channel bonding interface are controlled through the kernel module.
  • Page 150: Dialup Interfaces

    Chapter 8. Network Interfaces This way a user can bring up the eth0 interface using the /sbin/ifup eth0-user command because the configuration options from ifcfg-eth0 and ifcfg-eth0-user are combined. While this is a very basic example, this method can be used with a variety of options and interfaces.
  • Page 151: Other Interfaces

    Other Interfaces device. This option is primarily used in conjunction with SLIP interfaces. • LINESPEED=<value>, where <value> is the baud rate of the device. Possible standard values include 57600, 38400, 19200, and 9600. • MODEMPORT=<device>, where <device> is the name of the serial device that is used to...
  • Page 152: Interface Control Scripts

    Chapter 8. Network Interfaces • ifcfg-irlan0 — An infrared interface allows information between devices, such as a laptop and a printer, to flow over an infrared link. This works in a similar way to an Ethernet device except that it commonly occurs over a peer-to-peer connection. •...
  • Page 153: Network Function Files

    Network Function Files • ifup-ipsec and ifdown-ipsec — Bring IPsec interfaces up and down. • ifup-ipv6 and ifdown-ipv6 — Bring IPv6 interfaces up and down. • ifup-ipx — Brings up an IPX interface. • ifup-plip — Brings up a PLIP interface. • —...
  • Page 154: Additional Resources

    Chapter 8. Network Interfaces used to bring interfaces up and down. Rather than forcing each interface control file to contain these functions, they are grouped together in a few files that are called upon when necessary. The /etc/sysconfig/network-scripts/network-functions file contains the most commonly used IPv4 functions, which are useful to many interface control scripts.
  • Page 155: Network File System (Nfs)

    Chapter 9. Network File System (NFS) A Network File System (NFS) allows remote hosts to mount file systems over a network and interact with those file systems as though they are mounted locally. This enables system administrators to consolidate resources onto centralized servers on the network. This chapter focuses on fundamental NFS concepts and supplemental information.
  • Page 156: Required Services

    Chapter 9. Network File Syste... The only time NFS performs authentication is when a client system attempts to mount the shared NFS resource. To limit access to the NFS service, TCP wrappers are used. TCP wrappers read the /etc/hosts.allow and /etc/hosts.deny files to determine if a particular client or network is permitted or denied access to the NFS service.
  • Page 157: Nfs And

    NFS and portmap • rpc.nfsd — This process is the NFS server. It works with the Linux kernel to meet the dynamic demands of NFS clients, such as providing server threads each time an NFS client connects. This process corresponds to the service.
  • Page 158: Starting And Stopping Nfs

    Chapter 9. Network File Syste... 1.2.1. Troubleshooting NFS and portmap Because portmap provides coordination between RPC services and the port numbers used to communicate with them, it is useful to view the status of current RPC services using portmap when troubleshooting. The rpcinfo command shows each RPC-based service with port numbers, an RPC program number, a version number, and an IP protocol type (TCP or UDP).
  • Page 159: Nfs Server Configuration

    NFS Server Configuration /sbin/service nfs stop The restart option is a shorthand way of stopping and then starting NFS. This is the most efficient way to make configuration changes take effect after editing the configuration file for NFS. To restart the server, as root, type: /sbin/service nfs restart The (conditional restart) option only starts if it is currently running.
  • Page 160 Chapter 9. Network File Syste... must be separated by space characters. Options for each of the hosts must be placed in parentheses directly after the host identifier, without any spaces separating the host and the first parenthesis. A line for an exported file system has the following structure: <export><host1>(<options>) <hostN>(<options>)...
  • Page 161 The /etc/exports Configuration File • wdelay — Causes the NFS server to delay writing to the disk if it suspects another write request is imminent. This can improve performance by reducing the number of times the disk must be accessed by separate write commands, reducing write overhead. The no_wdelay option turns off this feature, but is only available when using the option.
  • Page 162: The Command

    Chapter 9. Network File Syste... For example, the following two lines do not mean the same thing: /home bob.example.com(rw) /home bob.example.com (rw) The first line allows only users from bob.example.com read/write access to the /home directory. The second line allows users from bob.example.com to mount...
  • Page 163: Nfs Client Configuration Files

    NFS Client Configuration Files • — Ignores /etc/exports; only options given from the command line are used to define exported file systems. • — Unexports all shared directories. The /usr/sbin/exportfs -ua command suspends NFS file sharing while keeping all NFS daemons up. To re-enable NFS sharing, type exportfs -r. •...
  • Page 164: Etc/Fstab

    Chapter 9. Network File Syste... </remote/export> with the remote directory being mounted, and </local/directory> with the local directory where the remote file system is to be mounted. Refer to the mount man page for more details. If accessing an NFS share by manually issuing the mount command, the file system must be remounted manually after the system is rebooted.
  • Page 165 autofs particular map type, which takes the form of other configuration files, programs, NIS maps, and other less common mount methods. The auto.master file contains lines referring to each of these mount points, organized in the following manner: <mount-point> <map-type> The <mount-point> element specifies the location of the mount on the local file system. The...
  • Page 166: Common Nfs Mount Options

    Chapter 9. Network File Syste... This line states that any directory a user tries to access under the local /home/ directory (due to the asterisk character) should result in an NFS mount on the server.example.com system on the mount point .
  • Page 167: Securing Nfs

    Securing NFS • nosuid — Disables set-user-identifier or set-group-identifier bits. This prevents remote users from gaining higher privileges by running a setuid program. • port=num — Specifies the numeric value of the NFS server port. If (the default), then mount queries the remote host's portmapper for the port number to use. If the remote host's NFS daemon is not registered with its portmapper, the standard NFS port number of TCP 2049 is used instead.
  • Page 168 Chapter 9. Network File Syste... environment, and your security concerns. The following sections explain the differences between implementing security measures with NFSv2, NFSv3, and NFSv4. If at all possible, use of NFSv4 is recommended over other versions of NFS. 5.1.1. Using NFSv2 or NFSv3 NFS controls who can mount an exported file system based on the host making the mount request, not the user that actually uses the file system.
  • Page 169: File Permissions

    File Permissions because of its features and because it is widely deployed. NFSv2 and NFSv3 do not have support for native ACL attributes. Another important security feature of NFSv4 is its removal of the rpc.mountd daemon. The rpc.mountd daemon presented possible security holes because of the way it dealt with filehandlers.
  • Page 170: Useful Websites

    Chapter 9. Network File Syste... • man fstab — Gives details for the format of the /etc/fstab file used to mount file systems at boot-time. • man nfs — Provides details on NFS-specific file system export and mount options. • —...
  • Page 171: Apache Http Server

    Chapter 10. Apache HTTP Server The Apache HTTP Server is a robust, commercial-grade open source Web server developed by the Apache Software Foundation (http://www.apache.org/). Red Hat Enterprise Linux includes the Apache HTTP Server 2.0 as well as a number of server modules designed to enhance its functionality.
  • Page 172: Packaging Changes In Apache Http Server 2.0

    Chapter 10. Apache HTTP Server • Filtering — Modules can act as content filters. Refer to Section 2.4, “Modules and Apache HTTP Server 2.0” for more on how filtering works. • IPv6 Support — The next generation IP addressing format is supported. •...
  • Page 173: Migrating Apache Http Server 1.3 Configuration Files

    Migrating Apache HTTP Server 1.3 Important It is vital that the line specifying the new configuration directory be inserted when migrating an existing configuration. • The programs have been moved. — These utility programs, such as logresolve, have been moved from the directory and into the directory.
  • Page 174: Global Environment Configuration

    Chapter 10. Apache HTTP Server In the above command, replace <version-number> with the version number for the apache package. Finally, it is useful to know that the Apache HTTP Server has a testing mode to check for configuration errors. To access it, type the following command: apachectl configtest 2.1.
  • Page 175 Configuration Files abstracted to a group of modules called Multi-Processing Modules (MPMs). Unlike other modules, only one module from the MPM group can be loaded by the Apache HTTP Server. There are three MPM modules that ship with 2.0: , and .
  • Page 176 Chapter 10. Apache HTTP Server the changes into the version 2.0 configuration) copy this section from the stock Apache HTTP Server 2.0 configuration file. Those who do not want to copy the section from the stock Apache HTTP Server 2.0 configuration should note the following: •...
  • Page 177: Main Server Configuration

    Main Server Configuration preceding the one corresponding to . If using the default ResourceConfig and AccessConfig values, include them explicitly as conf/srm.conf and conf/access.conf files. 2.2. Main Server Configuration The main server configuration section of the configuration file sets up the main server, which responds to any requests that are not handled by a virtual host defined within a <VirtualHost>...
  • Page 178 Chapter 10. Apache HTTP Server However, agent and referrer logs are still available using the CustomLog and LogFormat directives. For more on this topic, refer to the following documentation on the Apache Software Foundation's website: • http://httpd.apache.org/docs-2.0/mod/mod_log_config.html#customlog • http://httpd.apache.org/docs-2.0/mod/mod_log_config.html#logformat 2.2.3. Directory Indexing The deprecated directive has now been removed.
  • Page 179: Virtual Host Configuration

    Virtual Host Configuration For example, the following is a sample Apache HTTP Server 1.3 directive: ErrorDocument 404 "The document was not found To migrate an setting to Apache HTTP Server 2.0, use the following structure: ErrorDocument ErrorDocument 404 "The document was not found" Note the trailing double quote in the previous directive example.
  • Page 180 Chapter 10. Apache HTTP Server Under Apache HTTP Server 1.3, for example, a Perl script would be handled in its entirety by the Perl module ( ). Under Apache HTTP Server 2.0, the request is initially handled by mod_perl the core module — which serves static files — and is then filtered by mod_perl Exactly how to use this, and all other new features of Apache HTTP Server 2.0, is beyond the scope of this document;...
  • Page 181 Modules and Apache HTTP Server 2.0 file. For this file to be loaded, and for to work, the /etc/httpd/conf.d/ssl.conf mod_ssl statement must be in the file as described in Include conf.d/*.conf httpd.conf Section 2.1.3, “Dynamic Shared Object (DSO) Support”. directives in SSL virtual hosts must explicitly specify the port number. ServerName For example, the following is a sample Apache HTTP Server 1.3 directive: <VirtualHost _default_:443>...
  • Page 182 Chapter 10. Apache HTTP Server Foundation's website: • http://httpd.apache.org/docs-2.0/mod/mod_proxy.html 2.4.4. The Module mod_include module is now implemented as a filter and is therefore enabled differently. mod_include Refer to Section 2.4, “Modules and Apache HTTP Server 2.0” for more about filters. For example, the following is a sample Apache HTTP Server 1.3 directive: AddType text/html .shtml AddHandler server-parsed .shtml To migrate this setting to Apache HTTP Server 2.0, use the following structure:...
  • Page 183 Modules and Apache HTTP Server 2.0 AuthDBMUserFile /var/www/authdb AuthDBMType DB require valid-user </Location> Note that the directive can also be used in files. AuthDBMUserFile .htaccess Perl script, used to manipulate username and password databases, has been dbmmanage replaced by in Apache HTTP Server 2.0. The program offers equivalent htdbm htdbm...
  • Page 184 Occurrences of Apache:: in httpd.conf must be replaced with ModPerl::. Additionally, the manner in which handlers are registered has been changed. This is a sample Apache HTTP Server 1.3 mod_perl configuration: <Directory /var/www/perl> SetHandler perl-script PerlHandler Apache::Registry Options +ExecCGI </Directory>...
  • Page 185: After Installation

    After Installation • http://www.php.net/release_4_1_0.php 2.4.9. The mod_authz_ldap Module Red Hat Enterprise Linux ships with the mod_authz_ldap module for the Apache HTTP Server. This module uses the short form of the distinguished name for a subject and the issuer of the client SSL certificate to determine the distinguished name of the user within an LDAP directory.
  • Page 186: Starting And Stopping

    Chapter 10. Apache HTTP Server Note Red Hat, Inc. does not ship FrontPage extensions as the Microsoft™ license prohibits the inclusion of these extensions in a third party product. More information about FrontPage extensions and the Apache HTTP Server can be found online at http://www.rtr.com/fpsupport/.
  • Page 187: Configuration Directives In

    Configuration Directives in httpd.conf Note If running the Apache HTTP Server as a secure server, the secure server's key password is not required when using the reload option. By default, the httpd service does not start automatically at boot time. To configure the httpd service to start up at boot time, use an initscript utility, such as...
  • Page 188: Serverroot

    Before editing httpd.conf, make a copy of the original file. Creating a backup makes it easier to recover from mistakes made while editing the configuration file. If a mistake is made and the Web server does not work correctly, first review recently edited passages in httpd.conf to verify there are no typos.
  • Page 189: Keepalivetimeout

    The Apache Project recommends a high setting, which improves the server's performance. MaxKeepAliveRequests is set by default to a value that should be appropriate for most situations. 5.7. KeepAliveTimeout KeepAliveTimeout sets the number of seconds the server waits after a request has been served before it closes the connection.
  • Page 190: Listen

    MaxClients sets a limit on the total number of server processes, or simultaneously connected clients, that can run at one time. The main purpose of this directive is to keep a runaway Apache HTTP Server from crashing the operating system. For busy servers this value should be set to a high value.
  • Page 191: Include

    5.11. Include Include allows other configuration files to be included at runtime. The path to these configuration files can be absolute or relative to the ServerRoot. Important For the server to use individually packaged modules, such as mod_ssl and other separately packaged modules, the following directive must be included in...
  • Page 192: User

    still processed with the user and group specified in the User and Group directives. Note The SuexecUserGroup directive replaces the Apache HTTP Server 1.3 configuration of using the User and Group directives inside the configuration of VirtualHosts sections. 5.16.
  • Page 193: Usecanonicalname

    UseCanonicalName The ServerName does not need to match the machine's actual hostname. For example, the Web server may be www.example.com, but the server's hostname is actually foo.example.com. The value specified in ServerName must be a valid Domain Name Service (DNS) name that can be resolved by the system...
  • Page 194: Options

    settings has to be explicitly given those settings. In the default configuration, another Directory container is configured for the DocumentRoot which assigns less rigid parameters to the directory tree so that the Apache HTTP Server can access the files residing there.
  • Page 195: Order

    5.25. Order The Order directive controls the order in which Allow and Deny directives are evaluated. The server is configured to evaluate the Allow directives before the Deny directives for the DocumentRoot directory. 5.26. Allow Allow specifies which client can access a given directory. The client can be all, a domain name, an IP address, a partial IP address, a network/netmask pair, and so on.
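The Order, Allow and Deny rules above are easy to get backwards: with Order deny,allow the Allow directives are evaluated last and unmatched clients are admitted, so "Allow from all" silently cancels every Deny. The following added example (not code from this guide or from Apache) re-implements the Apache HTTP Server 2.0 evaluation rules in Python so a container's directives can be checked against sample client addresses before deployment. The two container snippets and the client addresses are constructed for the example; only IPv4 arguments are modelled, and domain-name arguments (which need a reverse lookup) are not.

```python
"""Model of how Apache HTTP Server 2.0 evaluates Order, Allow and Deny.

Added example: not code from the Red Hat guide or from Apache. It
re-implements the documented evaluation rules so that the effect of a
container's access directives can be checked offline on sample client
addresses. Only IPv4 arguments are modelled; domain-name arguments, which
need a reverse lookup, are not.
"""
import ipaddress


def host_matches(client_ip: str, pattern: str) -> bool:
    """Match one Allow/Deny argument: all, full IP, partial IP,
    network/netmask or network/CIDR-bits."""
    if pattern == "all":
        return True
    if "/" in pattern:
        # ipaddress accepts both 10.0.0.0/8 and 10.0.0.0/255.0.0.0
        network = ipaddress.IPv4Network(pattern, strict=False)
        return ipaddress.IPv4Address(client_ip) in network
    octets = pattern.split(".")
    if len(octets) < 4 and all(o.isdigit() for o in octets):
        # partial IP such as "10.1" matches 10.1.x.x
        return client_ip.split(".")[: len(octets)] == octets
    return client_ip == pattern


def access_allowed(order: str, allow: list, deny: list, client_ip: str) -> bool:
    """Decide access for client_ip given the container's Order argument
    and the arguments of its Allow from / Deny from directives."""
    allowed = any(host_matches(client_ip, p) for p in allow)
    denied = any(host_matches(client_ip, p) for p in deny)
    order = order.replace(" ", "").lower()
    if order in ("allow,deny", "mutual-failure"):
        # Allow evaluated first, Deny second; unmatched clients are denied.
        return allowed and not denied
    if order == "deny,allow":
        # Deny evaluated first, Allow second; unmatched clients are allowed,
        # and a client matched by both is allowed because Allow comes last.
        return allowed or not denied
    raise ValueError(f"unknown Order argument: {order!r}")


def evaluate_container(directives: str, clients: list) -> dict:
    """Parse the Order/Allow/Deny lines of a container and return
    {client_ip: allowed}. Apache's default Order is deny,allow."""
    order, allow, deny = "deny,allow", [], []
    for raw in directives.splitlines():
        parts = raw.strip().split()
        if not parts:
            continue
        name = parts[0].lower()
        if name == "order":
            order = parts[1]
        elif name == "allow" and parts[1].lower() == "from":
            allow.extend(parts[2:])
        elif name == "deny" and parts[1].lower() == "from":
            deny.extend(parts[2:])
    return {ip: access_allowed(order, allow, deny, ip) for ip in clients}


# Constructed sample: the intent is to block 192.0.2.0/24 and admit everyone
# else, but with deny,allow the "Allow from all" is evaluated last and wins.
MISORDERED = """
Order deny,allow
Allow from all
Deny from 192.0.2.0/24
"""

# Same directives with the Order reversed: Deny is now evaluated last.
CORRECTED = """
Order allow,deny
Allow from all
Deny from 192.0.2.0/24
"""

if __name__ == "__main__":
    for label, block in (("misordered", MISORDERED), ("corrected", CORRECTED)):
        print(label, evaluate_container(block, ["192.0.2.7", "10.1.2.3"]))
```

Running the script shows the blocked network still admitted under the misordered container and refused under the corrected one; the same function can be pointed at any Directory or Location block copied out of httpd.conf.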
  • Page 196: Accessfilename

    index.html and the index.html.var type map. The server tries to find either of these files and returns the first one it finds. If it does not find one of these files and Options Indexes is set for that directory, the server generates and returns a listing, in HTML format, of the subdirectories and files within the directory, unless the directory listing feature is turned off. Such listings disclose every file name in the directory, so Indexes should only be enabled where that is intended.
  • Page 197: Errorlog

    5.35. ErrorLog ErrorLog specifies the file where server errors are logged. By default, this directive is set to /var/log/httpd/error_log. 5.36. LogLevel LogLevel sets how verbose the error messages in the error logs are. LogLevel can be set (from least verbose to most verbose) to emerg, alert, ...
  • Page 198: Customlog

    5.38. CustomLog CustomLog identifies the log file and the log file format. By default, the log is recorded to the /var/log/httpd/access_log file. The default format is the combined log file format, as illustrated here: remotehost rfc931 user date "request"...
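The combined format is the one most detection tooling consumes, so it is worth being able to parse it reliably. The following added example (not code from this guide or from Apache) parses combined-format lines with a regular expression and runs a small detection pass over them, flagging hosts that generate many 404s, request .ht* files, or send path-traversal sequences. The log lines are constructed for the example; the tag names and the 404 threshold are the author's choices, not Apache settings.

```python
"""Parser and small detection pass for the Apache "combined" log format.

Added example, not code from the Red Hat guide or from Apache. The log
lines below are constructed; thresholds and tag names are the author's.
"""
import re
from collections import defaultdict

# Field layout of LogFormat "combined":
# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<remotehost>\S+) (?P<rfc931>\S+) (?P<user>\S+) '
    r'\[(?P<date>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)

# Constructed sample log; the scanner traffic is fictional.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2006:13:55:36 -0700] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2006:13:55:37 -0700] "GET /cgi-bin/awstats.pl HTTP/1.0" 404 294 "-" "Nikto"
192.0.2.44 - - [10/Oct/2006:13:55:37 -0700] "GET /phpmyadmin/ HTTP/1.0" 404 294 "-" "Nikto"
192.0.2.44 - - [10/Oct/2006:13:55:38 -0700] "GET /.htpasswd HTTP/1.0" 403 294 "-" "Nikto"
192.0.2.44 - - [10/Oct/2006:13:55:38 -0700] "GET /cgi-bin/../../etc/passwd HTTP/1.0" 404 294 "-" "Nikto"
10.0.0.5 - bob [10/Oct/2006:13:56:01 -0700] "POST /login HTTP/1.1" 302 - "http://www.example.com/" "Mozilla/5.0"
"""


def parse_combined(line: str):
    """Return a dict of the fields of one combined-format line, or None
    when the line does not match (truncated or a different LogFormat)."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    req = rec["request"].split(" ")
    rec["method"] = req[0] if req else ""
    rec["path"] = req[1] if len(req) > 1 else ""
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])   # "-" means no body
    return rec


def find_probes(log_text: str, not_found_threshold: int = 3) -> dict:
    """Tag client hosts whose requests look like scanning: many 404s,
    requests for .ht* files, or path traversal sequences in the path."""
    not_found = defaultdict(int)
    tags = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_combined(line)
        if rec is None:
            continue
        host, path = rec["remotehost"], rec["path"]
        if rec["status"] == 404:
            not_found[host] += 1
        if "/.ht" in path.lower():
            tags[host].add("hidden-file-probe")
        if ".." in path or "%2e%2e" in path.lower():
            tags[host].add("path-traversal")
    for host, count in not_found.items():
        if count >= not_found_threshold:
            tags[host].add("many-404s")
    return {host: sorted(t) for host, t in tags.items()}


if __name__ == "__main__":
    print(find_probes(SAMPLE_LOG))
```

On the sample the only tagged host is the scanner, with all three tags; the browsing client from 10.0.0.5 generates no findings. Lines that fail the regular expression are skipped rather than guessed at, which matters when a server mixes LogFormats or a line is truncated.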
  • Page 199: Indexoptions

    IndexOptions In this example, any request for <file-name> at the old location is automatically redirected to the new location. For more advanced redirection techniques, use the mod_rewrite module included with the Apache HTTP Server. For more information about configuring the mod_rewrite module, refer to the Apache Software Foundation documentation online at...
  • Page 200: Defaulticon

    AddIcon specifies which icon to show in server generated directory listings for files with certain extensions. For example, the Web server is set to show the binary.gif icon for files with .bin or .exe extensions. 5.47. DefaultIcon DefaultIcon specifies the icon displayed in server generated directory listings for files which...
  • Page 201: Addtype

    LanguagePriority sets precedence for different languages in case the client Web browser has no language preference set. 5.55. AddType Use the AddType directive to define or override default MIME type and file extension pairs. The following example directive tells the Apache HTTP Server to recognize the .tgz file extension:...
  • Page 202: Location

    The BrowserMatch directive allows the server to define environment variables and take appropriate actions based on the User-Agent HTTP header field, which identifies the client's Web browser type. By default, the Web server uses BrowserMatch to deny connections to specific browsers with known problems and also to disable keepalives and HTTP header flushes for browsers that are known to have problems with those actions.
  • Page 203: Namevirtualhost

    NameVirtualHost • CacheEnable — Specifies whether the cache is a disk, memory, or file descriptor cache. By default, CacheEnable configures a disk cache for URLs at or below a given path. • CacheRoot — Specifies the name of the directory containing cached files.
  • Page 204: Configuration Directives For Ssl

    A commented VirtualHost container is provided in httpd.conf, which illustrates the minimum set of configuration directives necessary for each virtual host. Refer to Section 8, “Virtual Hosts” for more information about virtual hosts. Note The default SSL virtual host container now resides in the /etc/httpd/conf.d/ssl.conf file. 5.66.
  • Page 205: Adding Modules

    Adding Modules The following modules are installed and enabled with the httpd package in Red Hat Enterprise Linux 4.5.0: mod_access mod_actions mod_alias mod_asis mod_auth mod_auth_anon mod_auth_dbm mod_auth_digest mod_auth_ldap mod_autoindex mod_cache mod_cern_meta mod_cgi mod_dav mod_dav_fs mod_deflate mod_dir mod_disk_cache mod_env mod_expires mod_ext_filter mod_file_cache mod_headers mod_imap mod_include mod_info mod_ldap mod_log_config mod_logio mod_mem_cache mod_mime mod_mime_magic mod_negotiation mod_proxy mod_proxy_connect mod_proxy_ftp mod_proxy_http mod_rewrite mod_setenvif mod_speling mod_status...
  • Page 206: Virtual Hosts

    Where <module-name> is the name of the module and <path/to/module.so> is the path to the DSO. 8. Virtual Hosts The Apache HTTP Server's built in virtual hosting allows the server to provide different information based on which IP address, hostname, or port is being requested. A complete guide to using virtual hosts is available online at http://httpd.apache.org/docs-2.0/vhosts/.
  • Page 207: The Secure Web Server Virtual Host

    Additional Resources 8.2. The Secure Web Server Virtual Host By default, the Apache HTTP Server is configured as both a non-secure and a secure server. Both the non-secure and secure servers use the same IP address and hostname, but listen on different ports: 80 and 443 respectively.
  • Page 208: Useful Websites

    Chapter 10. Apache HTTP Server 9.1. Useful Websites • http://httpd.apache.org/ — The official website for the Apache HTTP Server with documentation on all the directives and default modules. • http://www.modssl.org/ — The official website for mod_ssl • http://www.apacheweek.com/ — A comprehensive online weekly newsletter about all things Apache.
  • Page 209: Email

    Chapter 11. Email The birth of electronic mail (email) occurred in the early 1960s. The mailbox was a file in a user's home directory that was readable only by that user. Primitive mail applications appended new text messages to the bottom of the file, making the user wade through the constantly growing file to find any particular message.
  • Page 210: Mail Access Protocols

    Chapter 11. Email One important point to make about the SMTP protocol is that it does not require authentication. This allows anyone on the Internet to send email to anyone else or even to large groups of people. It is this characteristic of SMTP that makes junk email or spam possible. Modern SMTP servers attempt to minimize this behavior by allowing only known hosts access to the SMTP server.
  • Page 211 Mail Access Protocols POP is fully compatible with important Internet messaging standards, such as Multipurpose Internet Mail Extensions (MIME), which allow for email attachments. POP works best for users who have one system on which to read email. It also works well for users who do not have a persistent connection to the Internet or the network containing the mail server.
  • Page 212: Email Program Classifications

    For added security, it is possible to use SSL encryption for client authentication and data transfer sessions. This can be enabled by using the imaps service, or by using the /usr/sbin/stunnel program. Refer to Section 5.1, “Securing Communication” for more information.
  • Page 213: Mail User Agent

    Mail User Agent Any program that actually handles a message for delivery to the point where it can be read by an email client application can be considered an MDA. For this reason, some MTAs (such as Sendmail and Postfix) can fill the role of an MDA when they append new email messages to a local user's mail spool file.
  • Page 214 Chapter 11. Email different reasons and can operate separately from one another. It is beyond the scope of this section to go into all that Sendmail should or could be configured to do. With literally hundreds of different options and rule sets, entire volumes have been dedicated to helping explain everything that can be done and how to fix things that go wrong.
  • Page 215 Sendmail @example.com bob@other-example.com To finalize the change, the virtusertable.db file must be updated using the following command as root: makemap hash /etc/mail/virtusertable < /etc/mail/virtusertable This creates an updated virtusertable.db file containing the new configuration. 3.1.3. Common Sendmail Configuration Changes When altering the Sendmail configuration file, it is best not to edit an existing file, but to generate an entirely new file.
  • Page 216 executing the following command: m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf The default configuration which ships with Red Hat Enterprise Linux works for most SMTP-only sites. However, it does not work for UUCP (UNIX to UNIX Copy) sites. If using UUCP mail transfers, the /etc/mail/sendmail.mc file must be reconfigured and a new...
  • Page 217 Sendmail Now, however, Sendmail must be configured to permit any domain to relay mail through the server. To configure relay domains, edit the /etc/mail/relay-domains file and restart Sendmail. Only the domains listed in that file are permitted to relay, so keep the list to the domains the server is actually responsible for; an unrestricted relay is quickly found and abused for spam. However, many times users are bombarded with spam from other servers throughout the Internet.
  • Page 218: Postfix

    using LDAP, first get an LDAP server, such as OpenLDAP, running and properly configured. Then edit the /etc/mail/sendmail.mc to include the following (m4 quotes are a backtick and a single quote): LDAPROUTE_DOMAIN(`yourdomain.com')dnl FEATURE(`ldap_routing')dnl Note This is only for a very basic configuration of Sendmail with LDAP. The configuration can differ greatly from this depending on the implementation of LDAP, especially when configuring several Sendmail machines to use a common LDAP server.
  • Page 219 Postfix Refer to the chapter called Mail Transport Agent (MTA) Configuration in the Red Hat Enterprise Linux System Administration Guide for further details. 3.2.1. The Default Postfix Installation The Postfix executable is /usr/sbin/postfix. This daemon launches all related processes needed to handle mail delivery.
  • Page 220: Fetchmail

    • Edit the /etc/postfix/main.cf file with a text editor. • Uncomment the mydomain line by removing the hash mark (#), and replace domain.tld with the domain the mail server is servicing, such as example.com •...
  • Page 221 Fetchmail A user's .fetchmailrc file contains three classes of configuration options: • global options — Gives Fetchmail instructions that control the operation of the program or provide settings for every connection that checks for email. • server options — Specifies necessary information about the server being polled, such as the hostname, as well as preferences for specific email servers, such as the port to check or number of seconds to wait before timing out.
  • Page 222 Note Users are not required to place their password in the .fetchmailrc file. Omitting the with password '<password>' section causes Fetchmail to ask for a password when it is launched. Fetchmail has numerous global, server, and local options. Many of these options are rarely used or only apply to very specific situations.
  • Page 223 Fetchmail after which Fetchmail gives up on a connection attempt. If this value is not set, a default (in seconds) is assumed. 3.3.4. User Options User options may be placed on their own lines beneath a server option or on the same line as the server option.
  • Page 224: Mail Delivery Agents

    Certain options used after the fetchmail command can supply important information. • --configdump — Displays every possible option based on information from .fetchmailrc and Fetchmail defaults. No email is retrieved for any users when using this option. •...
  • Page 225: Procmail Configuration

    Procmail Configuration quits. Alternatively, the MUA can be configured to execute Procmail any time a message is received so that messages are moved into their correct mailboxes. By default, the presence of /etc/procmailrc or of a .procmailrc file (also called an rc file) in the user's home directory invokes Procmail whenever an MTA receives a new message.
  • Page 226: Procmail Recipes

    MAILDIR=$HOME/Msgs INCLUDERC=$MAILDIR/lists.rc INCLUDERC=$MAILDIR/spam.rc If the user wants to turn off Procmail filtering of their email lists but leave spam control in place, they would comment out the first INCLUDERC line with a hash mark character (#). •...
  • Page 227 Procmail Recipes Procmail recipes take the following form: :0<flags>: <lockfile-name> * <special-condition-character><condition-1> * <special-condition-character><condition-2> * <special-condition-character><condition-N> <special-action-character><action-to-perform> The first two characters in a Procmail recipe are a colon and a zero. Various flags can be placed after the zero to control how Procmail processes the recipe. A colon after the <flags> section...
  • Page 228 Chapter 11. Email matched this message and was successfully completed. • — Parses the body of the message and looks for matching conditions. • — Uses the body in any resulting action, such as writing the message to a file or forwarding it.
  • Page 229 Procmail Recipes • — In the condition line, this character inverts the condition, causing a match to occur only if the condition does not match the message. • — Checks if the message is under a specified number of bytes. <...
  • Page 230 placed in the single spool file called new-mail.spool, located within the directory specified by the MAILDIR environment variable. An MUA can then view messages in this file. A basic recipe, such as this, can be placed at the end of all rc files to direct messages to a default location.
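The recipe form, flags, condition characters and default recipe described on the preceding pages can be exercised without a mail spool. The following added example (not code from this guide or from Procmail) is a small Python interpreter for that recipe form: it reads rc-file assignments and :0 recipes, evaluates conditions the way the text describes (headers only unless the B flag is set, ! negation, < and > size tests, case-insensitive matching unless the D flag is given) and reports where each message would be delivered, stopping at the first match unless the recipe carries the c flag. The rc text, mailbox paths and messages are all constructed for the example.

```python
"""A small interpreter for the Procmail recipe form described above.

Added example, not code from the Red Hat guide or from Procmail. The rc
text and the messages are constructed; the paths in them are hypothetical.
"""
import re

SAMPLE_RC = r"""
MAILDIR=$HOME/Msgs
DEFAULT=$MAILDIR/inbox

# mailing-list traffic
:0:
* ^From:.*@lists\.example\.com
* ^Subject:.*\[users\]
$MAILDIR/lists/users

# anything an upstream scanner already tagged
:0:
* ^X-Spam-Status: Yes
$MAILDIR/spam

# body-only (B flag) test, restricted to small messages
:0 B:
* < 100000
* password reset
$MAILDIR/quarantine

# default recipe: no conditions, so it matches everything left over
:0:
$MAILDIR/new-mail.spool
"""


def expand(value: str, env: dict) -> str:
    """Expand $NAME and ${NAME} using the rc file's assignments."""
    return re.sub(r"\$\{?(\w+)\}?", lambda m: env.get(m.group(1), ""), value)


def parse_rc(text: str, env: dict = None):
    """Return (env, recipes). Each recipe is a dict with flags, lockfile,
    conditions and action; lockfile None means no local lock, '' the default."""
    env = dict(env or {})
    recipes = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        if line.startswith(":0"):
            m = re.match(r":0\s*([A-Za-z]*)\s*(?::\s*(\S*))?$", line)
            if not m:
                raise ValueError(f"bad recipe header: {line!r}")
            flags, lockfile = m.group(1), m.group(2)
            conditions = []
            i += 1
            while i < len(lines) and lines[i].strip().startswith("*"):
                conditions.append(lines[i].strip()[1:].strip())
                i += 1
            if i >= len(lines):
                raise ValueError("recipe has no action line")
            # action: a mailbox path, '!address' to forward, '|command' to pipe
            recipes.append({"flags": flags, "lockfile": lockfile,
                            "conditions": conditions,
                            "action": expand(lines[i].strip(), env)})
        elif line and not line.startswith("#"):
            m = re.match(r"(\w+)=(.*)$", line)
            if m:
                env[m.group(1)] = expand(m.group(2), env)
        i += 1
    return env, recipes


def condition_holds(cond: str, message: str, flags: str) -> bool:
    """Evaluate one condition line (without its leading '*')."""
    headers, _, body = message.partition("\n\n")
    if "B" in flags:
        target = message if "H" in flags else body
    else:
        target = headers                      # Procmail's default: headers only
    negate = cond.startswith("!")
    if negate:
        cond = cond[1:].strip()
    if cond[:1] in ("<", ">"):
        size = len(message.encode("utf-8"))
        limit = int(cond[1:].strip())
        result = size < limit if cond[0] == "<" else size > limit
    else:
        # conditions are case-insensitive unless the D flag is given
        re_flags = re.MULTILINE | (0 if "D" in flags else re.IGNORECASE)
        result = re.search(cond, target, re_flags) is not None
    return result != negate


def deliver(message: str, recipes: list) -> list:
    """Return the actions applied to a message, in order. Processing stops
    at the first matching recipe unless it carries the c (copy) flag."""
    taken = []
    for recipe in recipes:
        if all(condition_holds(c, message, recipe["flags"]) for c in recipe["conditions"]):
            taken.append(recipe["action"])
            if "c" not in recipe["flags"]:
                break
    return taken
```

A message whose Subject mentions a password reset but whose body does not is not quarantined, because the B flag restricts that recipe to the body; dropping the flag would make the test cover the headers instead. Nested recipe blocks and the f and w flags are not modelled.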
  • Page 231: Mail User Agents

    Mail User Agents SpamAssassin uses header analysis, text analysis, blacklists, a spam-tracking database, and self-learning Bayesian spam analysis to quickly and accurately identify and tag spam. The easiest way for a local user to use SpamAssassin is to place the following line near the top of the ~/.procmailrc file:...
  • Page 232: Securing Communication

    full-featured, graphical email client programs, such as Mozilla Mail or Ximian Evolution, as well as text-based email programs such as mutt. For instructions on using these applications, refer to the chapter titled Email Applications in the Red Hat Enterprise Linux Step By Step Guide. The remainder of this section focuses on securing communication between the client and server.
  • Page 233 Securing Communication Answer all of the questions to complete the process. To create a self-signed SSL certificate for POP, change to the /usr/share/ssl/certs/ directory, and type the following commands as root: rm -f ipop3d.pem make ipop3d.pem Again, answer all of the questions to complete the process. Important Please be sure to remove the default files before...
  • Page 234: Additional Resources

    For more information about how to use stunnel, read the stunnel man page or refer to the documents in the /usr/share/doc/stunnel-<version-number>/ directory, where <version-number> is the version number for stunnel. 6. Additional Resources The following is a list of additional documentation about email applications. 6.1.
  • Page 235: Useful Websites

    Useful Websites number of the spamassassin package. 6.2. Useful Websites • http://www.redhat.com/mirrors/LDP/HOWTO/Mail-Administrator-HOWTO.html — Provides an overview of how email works, and examines possible email solutions and configurations on the client and server sides. • http://www.redhat.com/mirrors/LDP/HOWTO/Mail-User-HOWTO/ — Looks at email from the...
  • Page 236 Chapter 11. Email • Removing the Spam: Email Processing and Filtering by Geoff Mulligan; Addison-Wesley Publishing Company — A volume that looks at various methods used by email administrators using established tools, such as Sendmail and Procmail, to manage spam problems. •...
  • Page 237: Berkeley Internet Name Domain (Bind)

    Chapter 12. Berkeley Internet Name Domain (BIND) On most modern networks, including the Internet, users locate other computers by name. This frees users from the daunting task of remembering the numerical network address of network resources. The most effective way to configure a network to allow such name-based connections is to set up a Domain Name Service (DNS) or a nameserver, which resolves hostnames on the network to numerical addresses and vice versa.
  • Page 238: Nameserver Types

    In this example, the rightmost label defines the top level domain for this FQDN. The name example is a sub-domain under the top level domain, while sales is a sub-domain under example. The name furthest to the left identifies a specific machine hostname. Except for the hostname, each section is called a zone, which defines a specific namespace.
  • Page 239: Etc/Named.conf

    /etc/named.conf • /etc/named.conf — The configuration file for the named daemon. • /var/named/ directory — The working directory which stores named zone, statistic, and cache files. The next few sections review the BIND configuration files in more detail. The /etc/named.conf file is a collection of statements using nested options surrounded by opening and closing curly brace characters, { and }.
  • Page 240 connected. • none — Matches no IP addresses. When used in conjunction with other statements (such as the options statement), acl statements can be very useful in preventing the misuse of a BIND nameserver. The following example defines two access control lists and uses an options statement to define how they are treated by the nameserver:...
  • Page 241 Common Statement Types hosts are allowed to query. An access control list, or collection of IP addresses or networks, may be used here to only allow particular hosts to query the nameserver. • allow-recursion — Similar to allow-query, this option applies to recursive queries. By default, all hosts are allowed to perform recursive queries on the nameserver; on an Internet-facing server this leaves an open resolver, so allow-recursion should be restricted to the networks the server actually serves.
  • Page 242 Chapter 12. Berkeley Internet... domains (TLDs) and root zones with an optional exclude list. Delegation is the process of separating a single zone into multiple subzones. In order to create a delegated zone, items known as NS records are used. NameServer records (delegation records) announce the authoritative nameservers for a particular zone.
  • Page 243 Common Statement Types • allow-transfer — Specifies the slave servers that are allowed to request a transfer of the zone's information. The default is to allow all transfer requests, which lets any client download the whole zone; list only the slave servers. • allow-update — Specifies the hosts that are allowed to dynamically update information in their zone.
  • Page 244: Other Statement Types

    2.1.5. Sample zone Statements Most changes to the /etc/named.conf file of a master or slave nameserver involve adding, modifying, or deleting zone statements. While zone statements can contain many options, most nameservers require only a small subset to function efficiently. The following zone statements are very basic examples illustrating a master-slave nameserver relationship.
  • Page 245 Comment Tags • secret "<key-value>" — The base64-encoded shared secret for the key. Refer to Section 4.2, “Configuring /etc/rndc.conf” for instructions on how to write a key statement. • logging — Allows for the use of multiple types of logs, called channels. By using a channel option within the logging statement, a customized type of log, with its own file name...
  • Page 246: Comment Tags

    Chapter 12. Berkeley Internet... 2.3. Comment Tags The following is a list of valid comment tags used within named.conf • — When placed at the beginning of a line, that line is ignored by named • — When placed at the beginning of a line, that line is ignored by named •...
  • Page 247: Zone File Resource Records

    Zone File Resource Records Note The use of the $ORIGIN directive is unnecessary if the zone is specified in /etc/named.conf because the zone name is used as the value for the $ORIGIN directive by default. • $TTL — Sets the default Time to Live (TTL) value for the zone. This is the length of time, in seconds, a zone resource record is valid.
  • Page 248 In the following example, an A record binds a hostname to an IP address, while a CNAME record points the commonly used hostname www to it. server1 IN A 10.0.1.5 www IN CNAME server1 • MX — Mail eXchange record, which tells where mail sent to a particular namespace controlled by this zone should go.
  • Page 249 Zone File Resource Records • SOA — Start Of Authority resource record, proclaims important authoritative information about a namespace to the nameserver. Located after the directives, an SOA resource record is the first resource record in a zone file. The following example shows the basic structure of an SOA resource record: @ IN SOA <primary-name-server> <hostmaster-email>...
  • Page 250: Example Zone File

    Seconds    Other Time Units
    259200     3D
    604800     1W
    31536000   365D
    Table 12.1. Seconds compared to other time units
    The following example illustrates the form an SOA resource record might take when it is populated with real values. @ IN SOA dns1.example.com. hostmaster.example.com. ( 2001062501 ; serial 21600 ;...
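The SOA timing fields and the time-unit shorthand in Table 12.1 are where zone files most often go wrong, and a serial that is not increased means slaves silently keep stale data. The following added example (not code from this guide or from BIND) parses the SOA record out of a zone file, converts BIND time values such as 3D or 1W to seconds as in the table, checks the record for common mistakes (serial not in YYYYMMDDnn form, an @ in the hostmaster address, missing trailing periods, retry longer than refresh, expire shorter than refresh plus retry) and computes the next date-based serial. The zone text is constructed; the check thresholds are the author's, not BIND requirements.

```python
"""Parse and sanity-check the SOA record of a BIND zone file.

Added example, not code from the Red Hat guide or from BIND. The zone
text is constructed and the checks are the author's own choices.
"""
import re
from datetime import date

UNIT_SECONDS = {"S": 1, "M": 60, "H": 3600, "D": 86400, "W": 604800}

# Constructed zone, modelled on the guide's example.com sample.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 86400
@ IN SOA dns1.example.com. hostmaster.example.com. (
        2001062501 ; serial
        21600      ; refresh after 6 hours
        3600       ; retry after 1 hour
        604800     ; expire after 1 week
        86400 )    ; minimum TTL of 1 day
    IN NS dns1.example.com.
server1 IN A 10.0.1.5
www     IN CNAME server1
"""


def ttl_to_seconds(value: str) -> int:
    """Convert a BIND time value (21600, 3D, 1W, 1H30M) to seconds."""
    value = value.strip().upper()
    if value.isdigit():
        return int(value)
    if not re.fullmatch(r"(\d+[SMHDW])+", value):
        raise ValueError(f"bad time value: {value!r}")
    return sum(int(n) * UNIT_SECONDS[u] for n, u in re.findall(r"(\d+)([SMHDW])", value))


def parse_soa(zone_text: str) -> dict:
    """Extract the SOA fields; handles the parenthesised multi-line form
    and a single-line SOA. Comments (';' to end of line) are ignored."""
    text = re.sub(r";[^\n]*", "", zone_text)
    m = re.search(r"\bSOA\s+(\S+)\s+(\S+)\s*(?:\(([^)]*)\)|([^\n]*))", text)
    if not m:
        raise ValueError("no SOA record found")
    fields = (m.group(3) if m.group(3) is not None else m.group(4)).split()
    if len(fields) != 5:
        raise ValueError(f"SOA needs 5 numeric fields, got {fields}")
    soa = {"mname": m.group(1), "rname": m.group(2), "serial": int(fields[0])}
    for name, raw in zip(("refresh", "retry", "expire", "minimum"), fields[1:]):
        soa[name] = ttl_to_seconds(raw)
    return soa


def check_soa(soa: dict) -> list:
    """Return human-readable warnings for common SOA mistakes."""
    warnings = []
    s = str(soa["serial"])
    try:
        if len(s) != 10:
            raise ValueError
        date(int(s[:4]), int(s[4:6]), int(s[6:8]))
    except ValueError:
        warnings.append("serial is not in YYYYMMDDnn form")
    if "@" in soa["rname"]:
        warnings.append("rname must use '.' in place of '@'")
    for key in ("mname", "rname"):
        if not soa[key].endswith("."):
            warnings.append(f"{key} is not fully qualified (missing trailing '.')")
    if soa["retry"] >= soa["refresh"]:
        warnings.append("retry should be shorter than refresh")
    if soa["expire"] < soa["refresh"] + soa["retry"]:
        warnings.append("expire should exceed refresh + retry")
    return warnings


def bump_serial(serial: int, today: date) -> int:
    """Next YYYYMMDDnn serial: increment if the serial is already at or
    past today's stamp, otherwise start today's counter at 00."""
    stamp = int(today.strftime("%Y%m%d")) * 100
    return serial + 1 if serial >= stamp else stamp


if __name__ == "__main__":
    soa = parse_soa(SAMPLE_ZONE)
    print(soa, check_soa(soa), bump_serial(soa["serial"], date.today()))
```

The sample zone passes every check; feeding the same record with hostmaster@example.com as the rname and a retry longer than the refresh produces one warning per mistake. bump_serial also handles a serial that is already ahead of today's date, which happens after a clock correction, by continuing to count up rather than going backwards.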
  • Page 251: Using Rndc

    Using rndc A reverse name resolution zone file is used to translate an IP address in a particular namespace into a FQDN. It looks very similar to a standard zone file, except that PTR resource records are used to link the IP addresses to a fully qualified domain name. A PTR record looks similar to this: <last-IP-digit>...
  • Page 252: Configuring

    The controls statement, shown in the following example, allows rndc to connect from the localhost. controls { inet 127.0.0.1 allow { localhost; } keys { <key-name>; }; }; This statement tells named to listen on the default TCP port 953 of the loopback address and allow commands coming from the localhost, if the proper key is given.
  • Page 253: Command Line Options

    Command Line Options This directive sets a global default key. However, the rndc configuration file can also specify different keys for different servers, as in the following example: server localhost { key "<key-name>"; }; Caution Make sure that only the root user can read or write to the rndc configuration file; it contains the shared secret that authorizes control commands to named, so any local user who can read it can reload, flush or stop the nameserver.
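The caution above, and the key statement's secret described earlier in the chapter, are both things that can be checked mechanically. The following added example (not code from this guide or from BIND) audits an rndc.conf-style file for the three things that matter: that group and other have no access, that root owns it, and that every key statement carries a secret that is valid base64 of reasonable length. The sample configuration it writes is constructed, the secret in it is a throwaway value, and the 16-byte minimum is the author's threshold, not a BIND rule.

```python
"""Audit an rndc.conf-style file: permissions, owner and key material.

Added example, not code from the Red Hat guide or from BIND. The sample
files written by run_demo() are constructed; the key is a throwaway value.
"""
import base64
import binascii
import os
import re
import stat
import tempfile


def audit_rndc_conf(path: str) -> list:
    """Return a list of findings (empty when the file looks sound)."""
    findings = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {mode:04o} is readable or writable by group/other; use 0600")
    if st.st_uid != 0:
        findings.append(f"owner uid {st.st_uid} is not root")
    with open(path, encoding="utf-8") as fh:
        # drop // and # line comments, but only where they start a token, so
        # the '/' characters inside a base64 secret are left alone
        text = re.sub(r"(?m)(^|\s)(//|#)[^\n]*", "", fh.read())
    keys = re.findall(r'\bkey\s+"?([^"\s{]+)"?\s*\{([^}]*)\}', text)
    if not keys:
        findings.append("no key statement found")
    for name, body in keys:
        m = re.search(r'secret\s+"([^"]*)"', body)
        if not m:
            findings.append(f"key {name}: no secret")
            continue
        try:
            raw = base64.b64decode(m.group(1), validate=True)
        except (binascii.Error, ValueError):
            findings.append(f"key {name}: secret is not valid base64")
            continue
        if len(raw) < 16:
            findings.append(f"key {name}: secret is only {len(raw)} bytes; use at least 16")
    return findings


def write_sample(path: str, secret: str, mode: int) -> str:
    """Write a constructed rndc.conf with the given secret and file mode."""
    text = f'''options {{
    default-server localhost;
    default-key "rndckey";
}};
key "rndckey" {{
    algorithm hmac-md5;
    secret "{secret}";
}};
'''
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)
    os.chmod(path, mode)
    return path


def run_demo() -> dict:
    """Audit four constructed files and return the findings for each."""
    good = base64.b64encode(b"0123456789abcdef").decode()   # 16-byte throwaway key
    with tempfile.TemporaryDirectory() as tmp:
        cases = {
            "sound": write_sample(os.path.join(tmp, "a.conf"), good, 0o600),
            "world-readable": write_sample(os.path.join(tmp, "b.conf"), good, 0o644),
            "short-key": write_sample(os.path.join(tmp, "c.conf"), base64.b64encode(b"abc").decode(), 0o600),
            "bad-base64": write_sample(os.path.join(tmp, "d.conf"), "not*base64", 0o600),
        }
        return {name: audit_rndc_conf(p) for name, p in cases.items()}


if __name__ == "__main__":
    for name, findings in run_demo().items():
        print(name, findings or "ok")
```

When run as an unprivileged user every case also reports the non-root owner, which is exactly the finding you would expect on a real /etc/rndc.conf that was copied into place without chown. Pointing audit_rndc_conf at /etc/named.conf works as well, since the key statement there has the same shape.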
  • Page 254: Advanced Features Of Bind

    • -s <server> — Specifies a server other than the default-server listed in /etc/rndc.conf • -y <key-name> — Specifies a key other than the default-key option in /etc/rndc.conf Additional information about these options can be found in the rndc man page.
  • Page 255: Security

    IP version 6 5.3. Security BIND supports a number of different methods to protect the updating and transfer of zones, on both master and slave nameservers: • DNSSEC — Short for DNS SECurity, this feature allows for zones to be cryptographically signed with a zone key.
  • Page 256: Additional Resources

    An omitted semi-colon or unclosed brace section can cause named to refuse to start. • Remember to place periods (.) in zone files after all FQDNs and omit them on hostnames. A period at the end of a domain name denotes a fully qualified domain name. If the period is omitted, then named appends the name of the zone or the $ORIGIN value to complete it.
  • Page 257: Useful Websites

    PDF version of the BIND 9 Administrator Reference Manual. • http://www.redhat.com/mirrors/LDP/HOWTO/DNS-HOWTO.html — Covers the use of BIND as a resolving, caching nameserver and the configuration of various zone files necessary to serve as the primary nameserver for a domain.
  • Page 258 Chapter 12. Berkeley Internet... between multiple network services and BIND, with an emphasis on task-oriented, technical topics.
  • Page 259: Lightweight Directory Access Protocol (Ldap)

    Chapter 13. Lightweight Directory Access Protocol (LDAP) The Lightweight Directory Access Protocol (LDAP) is a set of open protocols used to access centrally stored information over a network. It is based on the X.500 standard for directory sharing, but is less complex and resource intensive. For this reason, LDAP is sometimes referred to as "X.500 Lite."...
  • Page 260: Openldap Features

    Chapter 13. Lightweight Direc... 1.1. OpenLDAP Features OpenLDAP includes a number of important features. • LDAPv3 Support — OpenLDAP supports Simple Authentication and Security Layer (SASL), Transport Layer Security (TLS), and Secure Sockets Layer (SSL), among other improvements. Many of the changes in the protocol since LDAPv2 are designed to make LDAP more secure.
  • Page 261: Openldap Daemons And Utilities

    OpenLDAP Daemons and Utilities Each entry can contain as many <attrtype>: <attrvalue> pairs as needed. A blank line indicates the end of an entry. Caution <attrtype> and <attrvalue> pairs must be defined in a corresponding schema file to use this information. Any value enclosed within a < and a > is a variable and can be set whenever a new LDAP...
  • Page 262 Important Only the root user may use /usr/sbin/slapadd. However, the directory server runs as the ldap user. Therefore the directory server is unable to modify any files created by slapadd. To correct this issue, after using slapadd, type the following...
  • Page 263: Nss, Pam, And Ldap

    NSS, PAM, and LDAP • ldappasswd — Sets the password for an LDAP user. • ldapsearch — Searches for entries in an LDAP directory using a shell prompt. With the exception of ldapsearch, each of these utilities is more easily used by referencing a file containing the changes to be made rather than typing a command for each entry to be changed within an LDAP directory.
  • Page 264: Ldap Client Applications

    The php-ldap package adds LDAP support to the PHP4 HTML-embedded scripting language via the /usr/lib/php4/ldap.so module. This module allows PHP4 scripts to access information stored in an LDAP directory. Red Hat Enterprise Linux ships with the mod_authz_ldap module for the Apache HTTP Server. This module uses the short form of the distinguished name for a subject and the issuer of the client SSL certificate to determine the distinguished name of the user within an LDAP directory.
  • Page 265: The /Etc/Openldap/Schema/Directory

    The directory (slapd.at.conf and slapd.oc.conf) The /etc/openldap/schema/redhat/ directory holds customized schemas distributed by Red Hat for Red Hat Enterprise Linux. All attribute syntax definitions and objectclass definitions are now located in the different schema files. The various schema files are referenced in /etc/openldap/slapd.conf using...
  • Page 266: Openldap Setup Overview

    — The Quick-Start Guide on the OpenLDAP website. • http://www.redhat.com/mirrors/LDP/HOWTO/LDAP-HOWTO.html — The LDAP Linux HOWTO from the Linux Documentation Project, mirrored on Red Hat's website. The basic steps for creating an LDAP server are as follows: 1. Install the OpenLDAP RPMs.
  • Page 267 Editing /etc/openldap/slapd.conf so that it reflects a fully qualified domain name. For example: suffix "dc=example,dc=com" The rootdn entry is the Distinguished Name (DN) for a user who is unrestricted by access controls or administrative limit parameters set for operations on the LDAP directory. The rootdn user can be thought of as the root user for the LDAP directory.
  • Page 268: Configuring A System To Authenticate Using Openldap

    Important Only the root user can use /usr/sbin/slapadd. However, the directory server runs as the ldap user. Therefore, the directory server is unable to modify any files created by slapadd. To correct this issue, after using slapadd, type the...
  • Page 269: Pam And Ldap

    PAM and LDAP If editing /etc/nsswitch.conf by hand, add ldap to the appropriate lines. For example: passwd: files ldap shadow: files ldap group: files ldap 7.1. PAM and LDAP To have standard PAM-enabled applications use LDAP for authentication, run the Authentication Configuration Tool (system-config-authentication) and select Enable...
  • Page 270: Migrating Directories from Earlier Releases

    Table 13.1. LDAP Migration Scripts
        Existing name service | Is LDAP running? | Script to Use
        flat files (/etc)     | yes              | migrate_all_online.sh
        flat files (/etc)     | no               | migrate_all_offline.sh
        NetInfo               | yes              | migrate_all_netinfo_online.sh
        NetInfo               | no               | migrate_all_netinfo_offline.sh
        NIS (YP)              | yes              | migrate_all_nis_online.sh
        NIS (YP)              | no               | migrate_all_nis_offline.sh
    8. Migrating Directories from Earlier Releases
    With Red Hat Enterprise Linux, OpenLDAP uses Sleepycat Software's Berkeley DB system as its on-disk storage format for directories.
  • Page 271: Useful Websites

    and configuration files involved with LDAP. The following is a list of some of the more important man pages. Client Applications • man ldapadd — Describes how to add entries to an LDAP directory. • man ldapdelete — Describes how to delete entries within an LDAP directory. •...
  • Page 272: Related Books

    • http://www.redhat.com/mirrors/LDP/HOWTO/LDAP-HOWTO.html — A comprehensive, relevant, and updated LDAP HOWTO. • http://www.padl.com/ — Developers of nss_ldap and pam_ldap, among other useful LDAP tools. • http://www.kingsmountain.com/ldapRoadmap.shtml — Jeff Hodges' LDAP Road Map contains links to several useful FAQs and emerging news concerning the LDAP protocol.
  • Page 273: Samba

    Chapter 14. Samba
    Samba is an open source implementation of the Server Message Block (SMB) protocol. It allows the networking of Microsoft Windows®, Linux, UNIX, and other operating systems together, enabling access to Windows-based file and printer shares. Samba's use of SMB allows it to appear as a Windows server to Windows clients.
  • Page 274: Samba Daemons and Related Services

    • Act as a BDC for a Windows PDC (and vice versa) • Act as an Active Directory domain controller
    2. Samba Daemons and Related Services
    The following is a brief introduction to the individual Samba daemons and services, as well as details on how to start and stop them.
  • Page 275 Starting and Stopping Samba To start a Samba server, type the following command in a shell prompt while logged in as root:
        /sbin/service smb start
    Important: To set up a domain member server, you must first join the domain or Active Directory using the command before starting the service.
  • Page 276: Samba Server Types and the smb.conf File

    By default, the smb service does not start automatically at boot time. To configure Samba to start at boot time, use an initscript utility, such as /sbin/chkconfig, /usr/sbin/ntsysv, or the Services Configuration Tool program. Refer to the chapter titled Controlling Access to Services in the Red Hat Enterprise Linux System Administration Guide for more information regarding these tools.
  • Page 277 Stand-alone Server recommended. Any files placed in the share space, regardless of user, are assigned the user/group combination as specified by a generic user (force user) and group (force group) in the smb.conf file.
        [global]
        workgroup = DOCS
        netbios name = DOCS_SRV
        security = share
        [data]
        comment = Data
        path = /export
        force user = docsbot
        force group = users
        read only = No
        guest ok = Yes
    3.1.3.
  • Page 278: Domain Member Server

        [public]
        comment = Data
        path = /export
        force user = docsbot
        force group = users
        guest ok = Yes
        [printers]
        comment = All Printers
        path = /var/spool/samba
        printer admin = john, ed, @admins
        create mask = 0600
        guest ok = Yes
        printable = Yes
        use client driver = Yes
        ...
  • Page 279 Domain Member Server • Configuration of the smb.conf file on the member server • Configuration of Kerberos, including the /etc/krb5.conf file, on the member server • Creation of the machine account on the Active Directory domain server • Association of the member server to the Active Directory domain To create the machine account and join the Windows 2000/2003 Active Directory, Kerberos must first be initialized for the member server wishing to join the Active Directory domain.
  • Page 280: Domain Controller

    NT4-based domain member server. Becoming a member server of an NT4-based domain is similar to connecting to an Active Directory. The main difference is NT4-based domains do not use Kerberos in their authentication method, making the smb.conf file simpler. In this instance, the Samba member server serves as a pass-through to the NT4-based domain server.
  • Page 281 Domain Controller A domain controller in Windows NT is functionally similar to a Network Information Service (NIS) server in a Linux environment. Domain controllers and NIS servers both host user/group information databases as well as related services. Domain controllers are mainly used for security, including the authentication of users accessing domain resources.
  • Page 282
        domain master = Yes
        idmap uid = 15000-20000
        idmap gid = 15000-20000
        [homes]
        comment = Home Directories
        valid users = %S
        read only = No
        browseable = No
        writable = Yes
        [public]
        comment = Data
        path = /export
        force user = docsbot
        force group = users
        guest ok = Yes
        ...
  • Page 283 Domain Controller redundancy and fail-over by replicating to a Samba BDC. Groups of LDAP PDCs and BDCs with load balancing are ideal for an enterprise environment. On the other hand, LDAP configurations are inherently complex to set up and maintain. If SSL is to be incorporated with LDAP, the complexity instantly multiplies.
  • Page 284 Note: Implementing LDAP in this smb.conf file assumes that a working LDAP server has been successfully installed on ldap.example.com.
    3.3.3. Backup Domain Controller (BDC) using LDAP
    A BDC is an integral part of any enterprise Samba/LDAP solution. The smb.conf files between the PDC and BDC are virtually identical except for the...
  • Page 285: Samba Security Modes

        domain master = No
        ldap suffix = dc=example,dc=com
        ldap machine suffix = ou=People
        ldap user suffix = ou=People
        ldap group suffix = ou=Group
        ldap idmap suffix = ou=People
        ldap admin dn = cn=Manager
        ldap ssl = no
        ldap passwd sync = yes
        idmap uid = 15000-20000
        idmap gid = 15000-20000
        ...
  • Page 286: Domain Security Mode (User-Level Security)

    the client. The server expects a password for each share, independent of the username. There have been recent reports that Microsoft Windows clients have compatibility issues with share-level security servers. Samba developers strongly discourage use of share-level security. In smb.conf, the directive that sets share-level security is:...
  • Page 287: Samba Account Information Databases

    Note: It is highly recommended to not use this mode since there are numerous security drawbacks. In smb.conf, the following directives enable Samba to operate in server security mode:
        [GLOBAL]
        encrypt passwords = Yes
        security = server
        password server = "NetBIOS_of_Domain_Controller"
        ...
  • Page 288: New Backends

    Warning: This type of backend may be deprecated for future releases and replaced by the tdbsam backend, which does include the SAM extended controls. The ldapsam_compat backend allows continued OpenLDAP support for use with upgraded versions of Samba. This option is ideal for migration, but is not required. This tool will eventually be deprecated.
  • Page 289: Workgroup Browsing

    as servers and if opened, the server's shares and printers that are available are displayed. Network browsing capabilities require NetBIOS over TCP/IP. NetBIOS-based networking uses broadcast (UDP) messaging to accomplish browse list management. Without NetBIOS and WINS as the primary method for TCP/IP hostname resolution, other methods such as static files or DNS must be used.
  • Page 290: Domain Browsing

    Lowering the os level directive results in Samba conflicting with other master browsers on the same subnet. The higher the value, the higher the priority. The highest a Windows server can operate at is 32. This is a good way of tuning multiple local master browsers.
  • Page 291: Samba with CUPS Printing Support

    currently support WINS replication. In a mixed NT/2000/2003 server and Samba environment, it is recommended that you use the Microsoft WINS capabilities. In a Samba-only environment, it is recommended that you use only one Samba server for WINS. The following is an example of the smb.conf file in which the Samba server is serving as a...
  • Page 292: Samba Distribution Programs

        [print$]
        comment = Printer Drivers Share
        path = /var/lib/samba/drivers
        write list = ed, john
        printer admin = ed, john
    More complicated printing configurations are possible. To add additional security and privacy for printing confidential documents, users can have their own print spooler not located in a public path.
  • Page 293: make_unicodemap

    make_smbcodepage <c|d> <codepage_number> <inputfile> <outputfile>
    The make_smbcodepage program compiles a binary codepage file from a text-format definition. The reverse is also allowed by decompiling a binary codepage file to a text-format definition. This obsolete program is part of the internationalization features of previous versions of Samba which are included by default with the current version of Samba.
  • Page 294: nmblookup

    8.5. nmblookup
    nmblookup <options> <netbios_name>
    The nmblookup program resolves NetBIOS names into IP addresses. The program broadcasts its query on the local subnet until the target machine replies. Here is an example:
        nmblookup trek
        querying trek on 10.1.59.255
        10.1.56.45 trek<00>
        ...
  • Page 295: Rpcclient

    rpcclient Home Directory: \\wakko\kristin HomeDir Drive: Logon Script: Profile Path: \\wakko\kristin\profile Domain: WAKKO Account desc: Workstations: Munged dial: Logon time: Logoff time: Mon, 18 Jan 2038 22:14:07 GMT Kickoff time: Mon, 18 Jan 2038 22:14:07 GMT Password last set: Thu, 29 Jan 2004 08:29:28 GMT Password can change: Thu, 29 Jan 2004 08:29:28 GMT Password must change: Mon, 18 Jan 2038 22:14:07 GMTpdbedit -L...
  • Page 296: smbgroupedit

    Executing smbcontrol -i runs commands interactively until a blank line or a 'q' is entered.
    8.11. smbgroupedit
    smbgroupedit <options>
    The smbgroupedit program maps between Linux groups and Windows groups. It also allows a Linux group to be a domain group.
    8.12.
  • Page 297: testparm

    The smbtar program performs backups and restores of Windows-based share files and directories to a local tape archive. Though similar to the command, the two are not compatible.
    8.17. testparm
    testparm <options> <filename> <hostname IP_address>
    The testparm program checks the syntax of the file.
  • Page 298: testprns

        comment = Wakko www
        path = /var/www/html
        force user = andriusb
        force group = users
        read only = No
        guest only = Yes
    8.18. testprns
    testprns <printername> <printcapname>
    The testprns program checks if <printername> is valid and exists in the <printcapname>.
  • Page 299: Useful Websites

    DNS, DHCP, and printing configuration files. This has step-by-step related information that helps in real-world implementations. • Using Samba, 2nd Edition by Jay Ts, Robert Eckstein, and David Collier-Brown; O'Reilly — A good resource for novice to advanced users, which includes comprehensive reference material.
  • Page 301: FTP

    Chapter 15. FTP
    File Transfer Protocol (FTP) is one of the oldest and most commonly used protocols found on the Internet today. Its purpose is to reliably transfer files between computer hosts on a network without requiring the user to log directly into the remote host or have knowledge of how to use the remote system.
  • Page 302: FTP Servers

    FTP server. For more information about configuring and administering Red Hat Content Accelerator, consult the documentation available online at http://www.redhat.com/docs/manuals/tux/. • vsftpd — A fast, secure FTP daemon which is the preferred FTP server for Red Hat Enterprise Linux.
  • Page 303: Files Installed with vsftpd

    the /var/ftp/ directory is the primary shared directory, vsftpd reassigns /var/ftp/ to the new root directory, known as . This disallows any potential malicious hacker activities for any directories not contained below the new root directory. Use of these security practices has the following effect on how vsftpd deals with requests: •...
  • Page 304: Starting and Stopping

    /etc/vsftpd/vsftpd.conf. If /etc/vsftpd.user_list is used to grant access to users, the usernames listed must not appear in /etc/vsftpd.ftpusers. • /var/ftp/ — The directory containing files served by vsftpd. It also contains the /var/ftp/pub/ directory for anonymous users. Both directories are world-readable, but writable only by the root user.
  • Page 305 Starting Multiple Copies of vsftpd each with its own configuration file. To do this, first assign all relevant IP addresses to network devices or alias network devices on the system. Refer to the chapter titled Network Configuration in Red Hat Enterprise Linux System Administration Guide for more information about configuring network devices and device aliases.
  • Page 306: vsftpd Configuration Options

    For a detailed list of directives available within vsftpd's configuration file, refer to Section 5, “vsftpd Configuration Options”. To configure any additional servers to start automatically at boot time, add the above command to the end of the file.
  • Page 307: Log In Options And Access Controls

    this value to . This directive cannot be used in conjunction with the listen_ipv6 directive. The default value is • listen_ipv6 — When enabled, vsftpd runs in stand-alone mode, but listens only to IPv6 sockets.
  • Page 308 The default value is • ftpd_banner — When enabled, the string specified within this directive is displayed when a connection is established to the server. This option can be overridden by the banner_file directive. By default vsftpd displays its standard banner. •...
  • Page 309: Anonymous User Options

    5.3. Anonymous User Options
    The following lists directives which control anonymous user access to the server. To use these options, the anonymous_enable directive must be set to • anon_mkdir_write_enable — When enabled in conjunction with the write_enable directive, anonymous users are allowed to create new directories within a parent directory which has write permissions.
  • Page 310 • chmod_enable — When enabled, the FTP command SITE CHMOD is allowed for local users. This command allows the users to change the permissions on files. The default value is • chroot_list_enable — When enabled, the local users listed in the file specified in the directive are placed in a jail upon log in.
  • Page 311: Directory Options

    directory field within /etc/passwd. The default value is • user_config_dir — Specifies the path to a directory containing configuration files bearing the name of local system users that contain specific settings for that user. Any directive in the user's configuration file overrides those found in /etc/vsftpd/vsftpd.conf. There is no default value for this directive.
  • Page 312: File Transfer Options

    5.6. File Transfer Options
    The following lists directives which affect directories. • download_enable — When enabled, file downloads are permitted. The default value is • chown_uploads — When enabled, all files uploaded by anonymous users are owned by the user specified in the directive.
  • Page 313: Network Options

    must be enabled and xferlog_std_format must either be set to or, if xferlog_std_format is set to , dual_log_enable must be enabled. It is important to note that if syslog_enable is set to , the system log is used instead of the file specified in this directive.
  • Page 314 • accept_timeout — Specifies the amount of time for a client using passive mode to establish a connection. The default value is • anon_max_rate — Specifies the maximum data transfer rate for anonymous users in bytes per second. The default value is , which does not limit the transfer rate.
  • Page 315 Network Options connections when listen_ipv6 is set to . There is no default value for this directive. If running multiple copies of vsftpd serving different IP addresses, the configuration file for each copy of the vsftpd daemon must have a different value for this directive.
  • Page 316: Additional Resources

    connections. This setting is used to limit the port range so that firewall rules are easier to create. The default value is , which does not limit the lowest passive port range. The value must not be lower than 1024. •...
  • Page 317: Useful Websites

    wrappers configuration files: hosts.allow and hosts.deny.
    6.2. Useful Websites
    • http://vsftpd.beasts.org/ — The vsftpd project page is a great place to locate the latest documentation and to contact the author of the software. • http://slacksite.com/other/ftp.html — This website provides a concise explanation of the differences between active and passive mode FTP.
  • Page 319: Security Reference

    Part III. Security Reference Using secure protocols is a critical part of maintaining system integrity. This part describes critical tools used for the purpose of user authentication, network access control, and secure network communication. For more information about securing a Red Hat Enterprise Linux system, refer to the Red Hat Enterprise Linux Security Guide.
  • Page 321: Pluggable Authentication Modules (PAM)

    Chapter 16. Pluggable Authentication Modules (PAM) Programs which grant users access to a system verify each user's identity through a process called authentication. Historically, each such program had its own way of performing the task of authentication. Under Red Hat Enterprise Linux, many such programs are configured to use a centralized authentication mechanism called Pluggable Authentication Modules or PAM.
  • Page 322: PAM Configuration File Format

    3. PAM Configuration File Format
    Each PAM configuration file contains a group of directives formatted as follows:
        <module interface> <control flag> <module name> <module arguments>
    Each of these elements is explained in the subsequent sections.
    3.1. Module Interface
    There are four types of PAM module interfaces which correlate to different aspects of the authorization process: •...
  • Page 323: Control Flag

    Stacking makes it very easy for an administrator to require specific conditions to exist before allowing the user to authenticate. For example, rlogin normally uses five stacked auth modules, as seen in its PAM configuration file:
        auth required pam_nologin.so
        auth required pam_securetty.so
        auth required pam_env.so
        auth sufficient pam_rhosts_auth.so
        auth required pam_stack.so service=system-auth
    Before someone is allowed to use...
  • Page 324: Module Name

    A newer control flag syntax which allows for more precise control is now available for PAM. Please see the PAM documentation located in the /usr/share/doc/pam-<version-number>/ directory for information on this new syntax (where <version-number> is the version number...
  • Page 325 Sample PAM Configuration Files
        auth required pam_securetty.so
    This module makes sure that if the user is trying to log in as root, the tty on which the user is logging in is listed in the /etc/securetty file, if that file exists.
        auth required pam_unix.so shadow nullok
    This module prompts the user for a password and then checks the password using the...
  • Page 326
        password required pam_unix.so shadow nullok use_authtok
    This line specifies that if the program changes the user's password, it should use the password component of the pam_unix.so module to do so. This only happens if the auth portion of the pam_unix.so module has determined that the password needs to be changed.
  • Page 327: Creating Pam Modules

    refer to Chapter 20, SSH Protocol.
        auth required pam_env.so
    This line loads the pam_env.so module, which sets the environmental variables specified in /etc/security/pam_env.conf.
        auth sufficient pam_rhosts_auth.so
    The pam_rhosts_auth.so module authenticates the user using .rhosts in the user's home directory.
  • Page 328: Pam And Administrative Credential Caching

    6. PAM and Administrative Credential Caching
    A variety of graphical administrative tools under Red Hat Enterprise Linux give users elevated privileges for up to five minutes via the pam_timestamp.so module. It is important to understand how this mechanism works because a user who walks away from a terminal while pam_timestamp.so is in effect leaves the machine open to manipulation by anyone with physical access to the console.
  • Page 329: Pam And Device Ownership

    The pam_timestamp.so module accepts several directives. Below are the two most commonly used options: • timestamp_timeout — Specifies the number of seconds during which the timestamp file is valid. The default value is 300 seconds (five minutes). •...
  • Page 330: Application Access

    Doing this prevents remote users from gaining access to devices and restricted applications on the machine. If the gdm, kdm, or xdm display manager configuration file has been altered to allow remote users to log in and the host is configured to run at any multiple user runlevel other than 5, it is advisable to remove the <xconsole> directive entirely...
  • Page 331: Useful Websites

    • man pam — Good introductory information on PAM, including the structure and purpose of the PAM configuration files. Note that although this man page talks about the /etc/pam.conf file, the actual configuration files for PAM under Red Hat Enterprise Linux are in the directory.
  • Page 333: TCP Wrappers and xinetd

    Chapter 17. TCP Wrappers and xinetd
    Controlling access to network services is one of the most important security tasks facing a server administrator. Red Hat Enterprise Linux provides several tools which do just that. For instance, an iptables-based firewall filters out unwelcome network packets within the kernel's network stack.
  • Page 334: Advantages of TCP Wrappers

    Note: To determine if a network service binary is linked against libwrap.a, type the following command as the root user:
        ldd <binary-name> | grep libwrap
    Replace <binary-name> with the name of the network service binary.
  • Page 335: Formatting Access Rules

    the service is granted. The following are important points to consider when using TCP wrappers to protect network services: • Because access rules in hosts.allow are applied first, they take precedence over rules specified in hosts.deny. Therefore, if access to a service is allowed in hosts.allow, a rule...
  • Page 336 • <client list> — A comma separated list of hostnames, host IP addresses, special patterns (refer to Section 2.1.2, “Patterns”), or special wildcards (refer to Section 2.1.1, “Wildcards”) which identify the hosts affected by the rule. The client list also accepts operators listed in Section 2.1.4, “Operators”...
  • Page 337 Formatting Access Rules • UNKNOWN — Matches any host where the hostname or host address are unknown or where the user is unknown. • PARANOID — Matches any host where the hostname does not match the host address. Caution: The KNOWN, UNKNOWN, and PARANOID wildcards should be used with care as a...
  • Page 338 pair declarations are not supported. Only IPv6 rules can use this format. • [IPv6 address]/prefixlen pair — [net]/prefixlen pairs can also be used as a pattern to control access to a particular group of IPv6 addresses. The following example would apply to any host with an address range of 3ffe:505:2:1:: through...
  • Page 339: Option Fields

    restarting the portmap service. Widely used services, such as NIS and NFS, depend on portmap to operate, so be aware of these limitations.
    2.1.4. Operators
    At present, access control rules accept one operator, EXCEPT. It can be used in both the daemon list and the client list of a rule.
  • Page 340
        sshd : .example.com : severity emerg
    It is also possible to specify a facility using the severity option. The following example logs any SSH connection attempts by hosts from the example.com domain to the local0 facility with a priority of...
  • Page 341 Option Fields • — Replaces the requested service with the specified command. This directive is often twist used to set up traps for intruders (also called "honey pots"). It can also be used to send messages to connecting clients. The directive must occur at the end of the rule line.
  • Page 342: xinetd

    domain, execute the echo command to log the attempt, including the client hostname (by using the %h expansion), to a special file:
        sshd : .example.com \
        : spawn /bin/echo `/bin/date` access denied to %h>>/var/log/sshd.log \
        : deny
    Similarly, expansions can be used to personalize messages back to the client.
  • Page 343: The /etc/xinetd.d/ Directory

    The /etc/xinetd.conf file contains general configuration settings which affect every service under xinetd's control. It is read once when the xinetd service is started, so for configuration changes to take effect, the administrator must restart the xinetd service. Below is a sample /etc/xinetd.conf file:...
  • Page 344: Altering xinetd Configuration Files

    The format of files in the /etc/xinetd.d/ directory uses the same conventions as /etc/xinetd.conf. The primary reason the configuration for each service is stored in a separate file is to make customization easier and less likely to affect other services. To gain an understanding of how these files are structured, consider the /etc/xinetd.d/telnet file:...
  • Page 345 • EXIT — Logs the exit status or termination signal of the service (log_on_success) • HOST — Logs the remote host's IP address (log_on_failure, log_on_success) • — Logs the process ID of the server receiving the request (log_on_success) •...
  • Page 346 For example, the following /etc/xinetd.d/telnet file can be used to block Telnet access from a particular network group and restrict the overall time range that even allowed users can log in:
        service telnet
        {
            disable = no
            flags = REUSE
            socket_type = stream
            wait = no
            user = root
            server = /usr/sbin/in.telnetd
            log_on_failure += USERID
            no_access = 10.0.1.0/24
            log_on_success += PID HOST EXIT
            access_times = 09:45-16:15
        }
    In this example, when a client system from the 10.0.1.0/24 network, such as 10.0.1.2, tries to...
  • Page 347 service to one IP address on the system. Once configured, the bind option only allows requests for the proper IP address to access the service. In this way, different services can be bound to different network interfaces based on need. This is particularly useful for systems with multiple network adapters or with multiple IP addresses configured.
  • Page 348: Additional Resources

    access control and logging options are also available for additional protection.
    4.3.4. Resource Management Options
    The xinetd daemon can add a basic level of protection from Denial of Service (DoS) attacks. Below is a list of directives which can aid in limiting the effectiveness of such attacks: •...
  • Page 349: Useful Websites

    • man xinetd — The man page for the xinetd super service daemon. Configuration Files • man 5 hosts_access — The man page for the TCP wrappers hosts access control files. • man hosts_options — The man page for the TCP wrappers options fields. •...
  • Page 351: iptables

    Chapter 18. iptables
    Included with Red Hat Enterprise Linux are advanced tools for network packet filtering — the process of controlling network packets as they enter, move through, and exit the network stack within the kernel. Kernel versions prior to 2.4 relied on ipchains for packet filtering and used lists of rules applied to packets at each step of the filtering process.
  • Page 352 Each table has a group of built-in chains which correspond to the actions performed on the packet by the netfilter. The built-in chains for the filter table are as follows: • INPUT — Applies to network packets that are targeted for the host. •...
  • Page 353: Differences between iptables and ipchains

    Regardless of their destination, when packets match a particular rule in one of the tables, a target or action is applied to them. If the rule specifies an ACCEPT target for a matching packet, the packet skips the rest of the rule checks and is allowed to continue to its destination. If a rule specifies a DROP target, that packet is refused access to the system and nothing is sent back to...
  • Page 354: Options Used within iptables Commands

    rewritten network filter. For more specific information, refer to the Linux Packet Filtering HOWTO referenced in Section 7, “Additional Resources”.
    3. Options Used within iptables Commands
    Rules for filtering packets are put in place using the iptables command. The following aspects of the packet are most often used as criteria: •...
  • Page 355 Command Options Command options instruct iptables to perform a specific action. Only one command option is allowed per iptables command. With the exception of the help command, all commands are written in upper-case characters. iptables commands are as follows: • —...
  • Page 356: Parameter Options

    Chapter 18. iptables DROP. • — Replaces a rule in the specified chain. The rule's number must be specified after the chain's name. The first rule in a chain corresponds to rule number one. • — Deletes a user-specified chain. Deleting a built-in chain for any table is not allowed. •...
  • Page 357: iptables Match Options

    Enterprise Linux iptables RPM package, such as MARK and REJECT, among others. Refer to the iptables man page for more information about these and other targets. It is also possible to direct a packet matching this rule to a user-defined chain outside of the current chain so that other rules can be applied to the packet.
  • Page 358 point character ( ) as a flag after the --syn option causes all non-SYN packets to be matched. • --tcp-flags — Allows TCP packets with specific set bits, or flags, to match a rule. The --tcp-flags match option accepts two parameters. The first parameter is the mask, which sets the flags to be examined in the packet.
  • Page 359 The following match options are available for the Internet Control Message Protocol (ICMP) (icmp): • --icmp-type — Sets the name or number of the ICMP type to match with the rule. A list of valid ICMP names can be retrieved by typing the command.
  • Page 360: Target Options

    connection not previously seen. • RELATED — The matching packet is starting a new connection related in some way to an existing connection. These connection states can be used in combination with one another by separating them with commas, such as -m state --state INVALID,NEW •...
  • Page 361: Listing Options

    Listing Options There are many extended target modules, most of which only apply to specific tables or situations. A couple of the most popular target modules included by default in Red Hat Enterprise Linux are: • — Logs all packets that match this rule. Since the packets are logged by the kernel, the file determines where these log entries are written.
  • Page 362: Saving Iptables Rules

    hostname and network service format. • --line-numbers — Lists rules in each chain next to their numeric order in the chain. This option is useful when attempting to delete the specific rule in a chain or to locate where to insert a rule within a chain.
  • Page 363 activating, deactivating, and performing other functions of iptables via its initscript. Replace <option> in the command with one of the following directives: • start — If a firewall is configured (meaning /etc/sysconfig/iptables exists), all running iptables are stopped completely and then started using the /sbin/iptables-restore command.
  • Page 364: Iptables Control Scripts Configuration File

    For more information about IPv6 and netfilter, refer to Section 6, “ip6tables and IPv6”. 5.1. iptables Control Scripts Configuration File The behavior of the iptables initscripts is controlled by the /etc/sysconfig/iptables-config configuration file. The following is a list of directives contained within this file: •...
  • Page 365: And Ipv6

    • — Returns domain or hostnames within a status output. 6. ip6tables and IPv6 If the iptables-ipv6 package is installed, netfilter under Red Hat Enterprise Linux can filter the next-generation IPv6 Internet protocol. The command used to manipulate the IPv6 netfilter is .
  • Page 366 iptables commands. • http://www.redhat.com/support/resources/networking/firewall.html — This webpage links to a variety of up-to-date packet filter resources.
  • Page 367: Kerberos

    Chapter 19. Kerberos System security and integrity within a network can be unwieldy. It can occupy the time of several administrators just to keep track of what services are being run on a network and the manner in which these services are used. Moreover, authenticating users to network services can prove dangerous when the method used by the protocol is inherently insecure, as evidenced by the transfer of unencrypted passwords over a network under the FTP and Telnet protocols.
  • Page 368: Kerberos Terminology

    online Kerberos FAQ: http://www.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html [http://www.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html#pwconvert] • Kerberos has only partial compatibility with the Pluggable Authentication Modules (PAM) system used by most Red Hat Enterprise Linux servers. For more information about this issue, refer to Section 4, “Kerberos and PAM”.
  • Page 369 credentials: A temporary set of electronic credentials that verify the identity of a client for a particular service. Also called a ticket. credential cache or ticket file: A file which contains the keys for encrypting communications between a user and various network services.
  • Page 370: How Kerberos Works

    randomly set for services. realm: A network that uses Kerberos, composed of one or more servers called KDCs and a potentially large number of clients. service: A program accessed over the network. ticket: A temporary set of electronic credentials that verify the identity of a client for a particular service.
  • Page 371: Kerberos And Pam

    request a new ticket for that specific service from the TGS. The service ticket is then used to authenticate the user to that service transparently. Warning: The Kerberos system can be compromised any time any user on the network authenticates against a non-kerberized service by sending a password in plain text.
  • Page 372: Configuring A Kerberos 5 Server

    Administrators should be careful to not allow users to authenticate to most network services using Kerberos passwords. Many protocols used by these services do not encrypt the password before sending it over the network, destroying the benefits of the Kerberos system. For example, users should not be allowed to authenticate using their Kerberos passwords over Telnet.
  • Page 373 lowercase. For full details about the formats of these configuration files, refer to their respective man pages. 4. Create the database using the kdb5_util utility from a shell prompt: /usr/kerberos/sbin/kdb5_util create -s The create command creates the database that stores keys for the Kerberos realm. The -s switch forces creation of a stash file in which the master server key is stored.
  • Page 374: Configuring A Kerberos 5 Client

    7. Add principals for the users using the addprinc command with kadmin. kadmin and kadmin.local are command line interfaces to the KDC. As such, many commands are available after launching the kadmin program. Refer to the kadmin man page for more information.
  • Page 375: Additional Resources

    Now that the principal has been created, keys can be extracted for the workstation by running kadmin on the workstation itself, and using the ktadd command within kadmin: ktadd -k /etc/krb5.keytab host/blah.example.com 4. To use other kerberized network services, they must first be started. Below is a list of some common kerberized services and instructions about enabling them: •...
  • Page 376: Useful Websites

    must be installed. • Kerberos man pages — There are a number of man pages for the various applications and configuration files involved with a Kerberos implementation. The following is a list of some of the more important man pages. Client Applications •...
  • Page 377 • ftp://athena-dist.mit.edu/pub/kerberos/doc/usenix.PS — The PostScript version of Kerberos: An Authentication Service for Open Network Systems by Jennifer G. Steiner, Clifford Neuman, and Jeffrey I. Schiller. This document is the original paper describing Kerberos. • http://web.mit.edu/kerberos/www/dialogue.html — Designing an Authentication System: a Dialogue in Four Scenes originally by Bill Bryant in 1988, modified by Theodore Ts'o in 1997.
  • Page 379: Ssh Protocol

    Chapter 20. SSH Protocol SSH™ (or Secure SHell) is a protocol which facilitates secure communications between two systems using a client/server architecture and allows users to log into server host systems remotely. Unlike other remote communication protocols, such as FTP or Telnet, SSH encrypts the login session, making it impossible for intruders to collect unencrypted passwords.
  • Page 380: Ssh Protocol Versions

    these threats can be categorized as follows: • Interception of communication between two systems — In this scenario, the attacker can be somewhere on the network between the communicating entities, copying any information passed between them. The attacker may intercept and keep the information, or alter the information and send it on to the intended recipient.
  • Page 381: Event Sequence Of An Ssh Connection

    3. Event Sequence of an SSH Connection The following series of events helps protect the integrity of SSH communication between two hosts. • A cryptographic handshake is made so that the client can verify that it is communicating with the correct server.
  • Page 382: Authentication

    Caution: It is possible for an attacker to masquerade as an SSH server during the initial contact since the local system does not know the difference between the intended server and a false one set up by an attacker. To help prevent this, verify the integrity of a new SSH server by contacting the server administrator before connecting for the first time or in the event of a host key mismatch.
  • Page 383: Openssh Configuration Files

    server and is used to direct communication to that channel. This is done so that different types of sessions do not affect one another and so that when a given session ends, its channel can be closed without disrupting the primary SSH connection. Channels also support flow-control, which allows them to send and receive data in an orderly fashion.
  • Page 384: More Than A Secure Shell

    • authorized_keys — This file holds a list of authorized public keys for servers. When the client connects to a server, the server authenticates the client by checking its signed public key stored within this file. •...
  • Page 385: Port Forwarding

    After supplying the root password for the server, the Red Hat Update Agent appears and allows the remote user to safely update the remote system. 5.2. Port Forwarding SSH can secure otherwise insecure TCP/IP protocols via port forwarding. When using this technique, the SSH server becomes an encrypted conduit to the SSH client.
  • Page 386: Requiring Ssh For Remote Connections

    Port forwarding can also be used to get information securely through network firewalls. If the firewall is configured to allow SSH traffic via its standard port (22) but blocks access to other ports, a connection between two hosts using the blocked ports is still possible by redirecting their communication over an established SSH connection.
  • Page 387: Useful Websites

    • The /usr/share/doc/openssh-<version-number>/ directory — Replace <version-number> with the installed version of the OpenSSH package. This directory contains a README with basic information about the OpenSSH project and a file called RFC.nroff with general information about the SSH protocol. •...
  • Page 389: Selinux

    Chapter 21. SELinux Security-Enhanced Linux, or SELinux, is a security architecture integrated into the 2.6.x kernel using the linux security modules (LSM). It is a project of the United States National Security Agency (NSA) and the SELinux community. SELinux integration into Red Hat Enterprise Linux was a joint effort between the NSA and Red Hat.
  • Page 390: Selinux Configuration Files

    The following example shows sample contents of the /selinux/ directory:
    -rw-rw-rw- 1 root root 0 Sep 22 13:14 access
    dr-xr-xr-x 1 root root 0 Sep 22 13:14 booleans
    --w------- 1 root root 0 Sep 22 13:14 commit_pending_bools
    -rw-rw-rw- 1 root root 0 Sep 22 13:14 context
    -rw-rw-rw- 1 root root 0 Sep 22 13:14 create
    --w------- 1 root root 0 Sep 22 13:14 disable
    -rw-r--r-- 1 root root 0 Sep 22 13:14 enforce
    -rw------- 1 root root 0 Sep 22 13:14 load...
  • Page 391 stopped the initial traversal and kept further denial messages from occurring. • disabled — SELinux is fully disabled. SELinux hooks are disengaged from the kernel and the pseudo-file system is unregistered. Actions made while SELinux is disabled may cause the file system to no longer have the proper security context as defined by the policy.
  • Page 392: Selinux Utilities

    • strict — Full SELinux protection, for all daemons. Security contexts are defined for all subjects and objects, and every single action is processed by the policy enforcement server. 2.2.2. The /etc/selinux/ Directory The /etc/selinux/ directory is the primary location for all policy files as well as the main configuration file.
  • Page 393: Additional Resources

    HTML and PDF formats. Although many of these links are not Red Hat Enterprise Linux specific, some concepts may apply. • http://fedora.redhat.com/docs/ — Homepage for the Fedora documentation project, which contains Fedora Core specific materials that may be more timely, since the release cycle is much shorter.
  • Page 395: Appendixes

    Part IV. Appendixes...
  • Page 397: General Parameters And Modules

    Appendix A. General Parameters and Modules This chapter is provided to illustrate some of the possible parameters available for common hardware device drivers, which under Red Hat Enterprise Linux are called kernel modules. In most cases, the default parameters do work. However, there may be times when extra module parameters are necessary for a device to function properly or to override the module's default parameters for the device.
  • Page 398 hidp 16193 rfcomm 37849 l2cap 23873 10 hidp,rfcomm bluetooth 50085 5 hidp,rfcomm,l2cap sunrpc 153725 dm_mirror 29073 dm_mod 57433 1 dm_mirror video 17221 16257 i2c_ec 5569 1 sbs container 4801 button 7249 battery 10565 asus_acpi 16857 5701 ipv6 246113 13065...
  • Page 399 For each line, the first column is the name of the module, the second column is the size of the module, and the third column is the use count. /sbin/lsmod output is less verbose and easier to read than the output from viewing /proc/modules. To load a kernel module, use the...
  • Page 400: Persistent Module Loading

    Another useful kernel module utility is modinfo. Use the /sbin/modinfo command to display information about a kernel module. The general syntax is: /sbin/modinfo [options] <module> Options include , which displays a brief description of the module, and , which lists the parameters the module supports.
  • Page 401: Storage Parameters

    The modinfo command is also useful for listing various information about a kernel module, such as version, dependencies, parameter options, and aliases. 4. Storage parameters (Hardware / Module / Parameters): 3ware Storage Controller and 9000 series (3w-xxxx.ko, 3w-9xxx.ko); Adaptec Advanced Raid (aacraid.ko) —...
  • Page 402 Default is to use suggestion from Firmware. acbsize — Request a specific adapter control block (FIB) size. Valid values are 512, 2048, 4096 and 8192. Default is to use suggestion from Firmware. Adaptec 28xx, R9xx, 39xx (aic7xxx.ko) —...
  • Page 403 Timeout (0/256ms,1/128ms,2/64ms,3/32ms). IBM ServeRAID (ips.ko). LSI Logic MegaRAID Mailbox Driver (megaraid_mbox.ko): unconf_disks — Set to expose unconfigured disks to kernel (default=0); busy_wait — Max wait for mailbox in microseconds if busy (default=10); max_sectors — Maximum number of sectors per IO command (default=128); —...
  • Page 404 scanning for devices from highest ALPA to lowest; lpfc_nodev_tmo — Seconds driver will hold I/O waiting for a device to come back; lpfc_topology — Select Fibre Channel topology; lpfc_link_speed — Select link speed; —...
  • Page 405 lpfc_poll_tmo — Milliseconds driver will wait between polling FCP ring. HP Smart Array (cciss.ko). LSI Logic MPT Fusion (mptbase.ko, mptctl.ko, mptfc.ko, mptlan.ko, mptsas.ko, mptscsih.ko, mptspi.ko): mpt_msi_enable — MSI Support Enable; mptfc_dev_loss_tmo — Initial time the driver programs the transport to wait for an rport to return following a device loss event.
  • Page 406 Option to enable extended error logging. ql2xfdmienable — Enables FDMI registrations. NCR, Symbios and LSI 8xx and 1010 (sym53c8xx): cmd_per_lun — The maximum number of tags to use by default; tag_ctrl — More detailed control over tags per LUN; —...
  • Page 407: Ethernet Parameters

    here to prevent controllers from being attached; safe — Set other settings to a "safe mode". Table A.1. Storage Module Parameters. 5. Ethernet Parameters. Important: Most modern Ethernet-based network interface cards (NICs) do not require module parameters to alter settings.
  • Page 408 3c59x: same as full_duplex, but applies to all NICs if full_duplex is unset; hw_checksums — 3c59x Hardware checksum checking by adapter(s) (0-1); flow_ctrl — 3c59x 802.3x flow control usage (PAUSE only) (0-1); enable_wol — 3c59x: Turn on Wake-on-LAN for adapter(s) (0-1)
  • Page 409 use_mmio — 3c59x: use memory-mapped PCI I/O resource (0-1). RTL8139, SMC EZ Card Fast Ethernet, RealTek cards using RTL8129, or RTL8139 Fast Ethernet chipsets (8139too.ko). Broadcom 4400 10/100 PCI (b44.ko): b44_debug — B44 bitmapped ethernet driver debugging message enable value. Broadcom NetXtreme II...
  • Page 410 RxIntDelay — Receive Interrupt Delay; RxAbsIntDelay — Receive Absolute Interrupt Delay; InterruptThrottleRate — Interrupt Throttling Rate; SmartPowerDownEnable — Enable PHY smart power down; KumeranLockLoss — Enable Kumeran lock loss workaround. Myricom 10G driver (10GbE) (myri10ge.ko) —...
  • Page 411 Can a small skb cross a 4KB boundary?; myri10ge_initial_mtu — Initial MTU; myri10ge_napi_weight — Set NAPI weight; myri10ge_watchdog_timeout — Set watchdog timeout; myri10ge_max_irq_loops — Set stuck legacy IRQ detection threshold. NatSemi DP83815 Fast Ethernet (natsemi.ko): — DP8381x MTU (all boards) —...
  • Page 412 pcnet32vlb — pcnet32 Vesa local bus (VLB) support (0/1); options — pcnet32 initial option setting(s) (0-15); full_duplex — pcnet32 full duplex setting(s) (1); homepna — pcnet32 mode for 79C978 cards (1 for HomePNA, 0 for Ethernet, default Ethernet). RealTek RTL-8169 Gigabit (r8169.ko)...
  • Page 413 — MTU (all boards); debug — Debug level (0-6); rx_copybreak — Copy breakpoint for copy-only-tiny-frames; intr_latency — Maximum interrupt latency, in microseconds; small_frames — Maximum size of receive frames that bypass interrupt latency (0,64,128,256,512); options — Deprecated: Bits 0-3: media type, bit 17: full duplex...
  • Page 414: Using Multiple Ethernet Cards

    /etc/modprobe.conf For additional information about using multiple Ethernet cards, refer to the Linux Ethernet-HOWTO online at http://www.redhat.com/mirrors/LDP/HOWTO/Ethernet-HOWTO.html. 5.2. The Channel Bonding Module Red Hat Enterprise Linux allows administrators to bind NICs together into a single channel...
  • Page 415 using the bonding kernel module and a special network interface, called a channel bonding interface. Channel bonding enables two or more network interfaces to act as one, simultaneously increasing the bandwidth and providing redundancy. To channel bond multiple network interfaces, the administrator must perform the following steps: 1.
  • Page 416 • mode= — Specifies one of four policies allowed for the bonding module. Acceptable values for this parameter are: — Sets a round-robin policy for fault tolerance and load balancing. Transmissions are received and sent out sequentially on each bonded slave interface beginning with the first one available.
  • Page 417 value is set to by default, which disables it. • updelay= — Specifies (in milliseconds) how long to wait before enabling a link. The value must be a multiple of the value specified in the miimon parameter. The value is set to by default, which disables it.
  • Page 418: Additional Resources

    package installed to read this file): /usr/share/doc/kernel-doc-<kernel-version>/Documentation/networking/bonding.txt for detailed instructions regarding bonding interfaces. 6. Additional Resources For more information on kernel modules and their utilities, refer to the following resources. 6.1. Installed Documentation • lsmod man page — description and explanation of its output. •...
  • Page 419: Index
